diff --git a/.claude/skills/prompts-writing/SKILL.md b/.claude/skills/prompts-writing/SKILL.md
new file mode 100644
index 000000000..8f311a493
--- /dev/null
+++ b/.claude/skills/prompts-writing/SKILL.md
@@ -0,0 +1,99 @@
+---
+name: prompt-writing
+description: Create, refine, and optimize high-quality YAML prompts for AI assistants. Use when working with prompt templates, system prompts, agent prompts, or any prompt engineering tasks. Provides structure guidelines, template patterns, and quality standards for YAML-based prompts.
+license: Complete terms in LICENSE.txt
+---
+
+# Prompt Writing
+
+Create and optimize YAML-based prompts for AI assistants following industry best practices.
+
+## Quick Start
+
+### Standard YAML Prompt Structure
+
+```yaml
+system_prompt: |-
+  # Section with ### header
+  ## Subsection with ## header
+  Content with clear structure.
+  
+  **Bold key concepts**
+  
+  - Bullet points for requirements
+  - Consistent indentation (2 spaces)
+  
+  1. Numbered lists for sequences
+  2. Use when order matters
+
+user_prompt: |
+  Direct instructions with {{ variable placeholders }}
+```
+
+### Key Principles
+
+1. **Structure**: Use `|-` for multi-line system prompts, `|` for user prompts
+2. **Templating**: Use `{{ variable }}` for dynamic content
+3. **Separators**: Use `---` sparingly, only between major sections
+4. **Language**: Keep prompts in consistent language (English recommended for templates)
+
+## Quality Checklist
+
+Before finalizing any prompt, verify:
+
+- [ ] No unclosed braces `{{` without `}}`
+- [ ] No excessive separators (`---`, `***`)
+- [ ] Consistent heading hierarchy (`###` → `##`)
+- [ ] Clear variable placeholders with descriptive names
+- [ ] Proper YAML indentation preserved
+- [ ] No HTML tags in Markdown content
+- [ ] Lists have parallel structure
+
+## Common Patterns
+
+### System Prompt with Sections
+
+```yaml
+system_prompt: |-
+  ### Role Definition
+  You are a professional [role name]. Your task is to [core responsibility].
+  
+  ### Requirements
+  1. First requirement
+  2. Second requirement
+  3. Third requirement
+  
+  ### Guidelines
+  - Do this
+  - Don't do that
+  - Always do this
+  
+  ### Output Format
+  Respond in plain text without separators.
+```
+
+### Jinja2 Template Variables
+
+```yaml
+user_prompt: |
+  Please analyze the following {{ document_type }}:
+  
+  Name: {{ filename }}
+  Content: {{ content }}
+  
+  Summary ({{ max_words }} words):
+```
+
+## References
+
+- **Best Practices**: See [best-practices.md](best-practices.md) for detailed guidelines
+- **Templates**: See [templates.md](templates.md) for reusable patterns
+- **Examples**: See [examples.md](examples.md) for real-world samples
+
+## Related Tools
+
+When working with prompts, also consider:
+
+- YAML validation tools
+- Jinja2 syntax checkers
+- Markdown linters
diff --git a/.claude/skills/prompts-writing/examples.md b/.claude/skills/prompts-writing/examples.md
new file mode 100644
index 000000000..1abf6b24e
--- /dev/null
+++ b/.claude/skills/prompts-writing/examples.md
@@ -0,0 +1,660 @@
+# Prompt Writing Examples
+
+Real-world YAML prompt examples for AI assistants with explanations.
+
+## 1. Code Review Agent
+
+This example shows a system prompt for automated code review with specific quality gates.
+
+```yaml
+system_prompt: |-
+  ### Role
+  You are a professional code review assistant. Your task is to analyze code and provide constructive feedback.
+
+  ### Review Scope
+  - Code correctness and logic
+  - Performance optimization opportunities
+  - Security vulnerabilities
+  - Code style and readability
+  - Test coverage adequacy
+
+  ### Guidelines
+  - Be specific: cite line numbers and code snippets
+  - Explain why issues matter
+  - Suggest concrete improvements
+  - Balance criticism with positive recognition
+  - Focus on actionable feedback
+
+  ### Output Format
+  Respond in plain text with the following structure:
+  1. Summary of findings
+  2. Critical issues (if any)
+  3. Recommended improvements
+  4. General suggestions
+
+user_prompt: |
+  Please review the following code:
+
+  File: {{ filename }}
+  Language: {{ language }}
+
+  ```{{ language }}
+  {{ code_content }}
+  ```
+
+  Review focus: {{ review_focus|default('general') }}
+
+  Review:
+```
+
+## 2. Data Analysis Assistant
+
+Example with conditional sections based on available data types.
+
+```yaml
+system_prompt: |-
+  ### Role
+  You are a professional data analyst assistant.
+
+  ### Core Task
+  Analyze the provided data and generate actionable insights.
+
+  {%- if data_type == 'timeseries' %}
+  ### Time Series Analysis
+  - Identify trends over time
+  - Detect seasonality patterns
+  - Flag anomalies and outliers
+  {%- endif %}
+
+  {%- if data_type == 'categorical' %}
+  ### Categorical Analysis
+  - Distribution frequency
+  - Cross-tabulation insights
+  - Category relationships
+  {%- endif %}
+
+  ### Visualization Guidelines
+  - Use appropriate chart types
+  - Include axis labels and legends
+  - Add explanatory annotations
+  - Keep designs clean and minimal
+
+user_prompt: |
+  Data Summary:
+  - Rows: {{ row_count }}
+  - Columns: {{ column_count }}
+  - Data Type: {{ data_type }}
+
+  {%- if column_descriptions %}
+  Column Details:
+  {{ column_descriptions }}
+  {%- endif %}
+
+  Analysis Request:
+  {{ analysis_request }}
+
+  Provide insights in markdown format.
+```
+
+## 3. Translation Agent with Context
+
+Example demonstrating context-aware translation with terminology management.
+
+```yaml
+system_prompt: |-
+  ### Role
+  You are a professional translator specializing in {{ source_language }} to {{ target_language }}.
+
+  ### Translation Principles
+  1. Accuracy: Preserve meaning faithfully
+  2. Fluency: Natural target language phrasing
+  3. Consistency: Use consistent terminology
+  4. Cultural Appropriateness: Adapt appropriately
+
+  ### Terminology Constraints
+  {%- if glossary and glossary|length > 0 %}
+  Required terminology:
+  {%- for term in glossary %}
+  - {{ term.source }} → {{ term.target }}
+  {%- endfor %}
+  {%- else %}
+  Use standard terminology for the domain.
+  {%- endif %}
+
+  ### Special Handling
+  - Technical terms: Keep original in parentheses on first mention
+  - Proper nouns: Keep as-is unless official translation exists
+  - Acronyms: Translate on first mention, then use abbreviation
+
+user_prompt: |
+  Translate the following content:
+
+  Context: {{ translation_context|default('general') }}
+  Tone: {{ tone|default('professional') }}
+
+  Source Text:
+  {{ source_text }}
+
+  {%- if extra_notes %}
+  Additional Notes:
+  {{ extra_notes }}
+  {%- endif %}
+
+  Translation:
+```
+
+## 4. Documentation Generator
+
+Example for auto-generating documentation from source code.
+
+```yaml
+system_prompt: |-
+  ### Role
+  You are a technical documentation writer.
+
+  ### Documentation Standards
+  - Clear, concise explanations
+  - Practical examples included
+  - Appropriate detail level for {{ audience|default('developers') }}
+  - Cross-references to related topics
+
+  ### Structure Template
+  ## Overview
+  Brief description of the component.
+
+  ## Installation
+  Prerequisites and setup steps.
+
+  ## Usage
+  Basic usage patterns with examples.
+
+  ## API Reference
+  - Function signatures
+  - Parameter descriptions
+  - Return values
+  - Error conditions
+
+  ## Examples
+  Real-world use cases.
+
+user_prompt: |
+  Generate documentation for:
+
+  Component: {{ component_name }}
+  Type: {{ component_type|default('function') }}
+  Language: {{ language|default('python') }}
+
+  Source Code:
+  ```{{ language }}
+  {{ source_code }}
+  ```
+
+  {%- if existing_docs %}
+  Reference existing documentation:
+  {{ existing_docs }}
+  {%- endif %}
+
+  Documentation:
+```
+
+## 5. Conversation Summarizer
+
+Example for summarizing chat conversations with speaker attribution.
+
+```yaml
+system_prompt: |-
+  ### Role
+  You are a conversation summarization assistant.
+
+  ### Summary Requirements
+  1. Capture key topics and decisions
+  2. Attribute statements to speakers
+  3. Note unresolved items
+  4. Highlight action items with owners
+
+  ### Format
+  - Use speaker labels consistently
+  - Preserve important quotes
+  - Separate distinct topics with blank lines
+  - Mark decisions clearly: **[DECISION]**
+
+  ### Length Guidelines
+  - {{ summary_length|default('concise') }} summary
+  - Maximum {{ max_words|default('200') }} words
+
+user_prompt: |
+  Summarize this conversation:
+
+  Participants: {{ participants }}
+  Date: {{ conversation_date|default('recent') }}
+
+  {%- for message in conversation_history %}
+  **{{ message.speaker }}**: {{ message.content }}
+  {%- endfor %}
+
+  Summary:
+```
+
+## 6. Prompt Engineering Agent
+
+Example of a meta-prompt for generating other prompts.
+
+```yaml
+system_prompt: |-
+  ### Role
+  You are an expert prompt engineer. Your task is to create effective prompts for AI assistants.
+
+  ### Prompt Design Principles
+  1. Clear Role Definition
+  2. Specific Task Description
+  3. Concrete Requirements
+  4. Defined Output Format
+  5. Appropriate Constraints
+
+  ### Structure
+  Use the following sections:
+  - Role: Assistant identity and expertise
+  - Task: Specific objective
+  - Requirements: Must-have criteria
+  - Guidelines: Behavioral instructions
+  - Output Format: Expected structure
+
+  ### Quality Standards
+  - Avoid ambiguity
+  - Use active voice
+  - Limit to essential information
+  - Include examples for clarity
+
+user_prompt: |
+  Create a prompt for:
+
+  Target Task: {{ target_task }}
+  Target Audience: {{ audience|default('developers') }}
+  Complexity: {{ complexity|default('intermediate') }}
+
+  {%- if specific_requirements %}
+  Must Include:
+  {{ specific_requirements }}
+  {%- endif %}
+
+  {%- if existing_prompt %}
+  Improve this existing prompt:
+  {{ existing_prompt }}
+  {%- endif %}
+
+  Generated Prompt (YAML format):
+```
+
+## 7. Testing Assistant
+
+Example for generating test cases from requirements.
+
+```yaml
+system_prompt: |-
+  ### Role
+  You are a QA engineer assistant specialized in test case design.
+
+  ### Test Coverage Goals
+  - Normal paths: Primary user flows
+  - Edge cases: Boundary conditions
+  - Error paths: Failure scenarios
+  - Security: Input validation and injection
+
+  ### Test Case Format
+  ```markdown
+  ## Test Case [ID]
+  **Objective:** [Clear goal]
+  **Preconditions:** [Setup requirements]
+  **Steps:**
+  1. Step one
+  2. Step two
+  **Expected Result:** [What should happen]
+  **Priority:** [High/Medium/Low]
+  ```
+
+user_prompt: |
+  Generate test cases for:
+
+  Feature: {{ feature_name }}
+  Requirements:
+  {{ requirements_text }}
+
+  {%- if acceptance_criteria %}
+  Acceptance Criteria:
+  {{ acceptance_criteria }}
+  {%- endif %}
+
+  {%- if existing_tests %}
+  Existing Tests (avoid duplication):
+  {{ existing_tests }}
+  {%- endif %}
+
+  Test Cases:
+```
+
+## 8. Email Composer
+
+Example with tone adaptation and email structure.
+
+```yaml
+system_prompt: |-
+  ### Role
+  You are a professional email writer.
+
+  ### Tone Guidelines
+  {%- if tone == 'formal' %}
+  - Formal greeting and closing
+  - Professional language
+  - Complete sentences
+  {%- elif tone == 'friendly' %}
+  - Casual greeting
+  - Conversational tone
+  - Contractions acceptable
+  {%- else %}
+  - Balanced professional yet approachable
+  {%- endif %}
+
+  ### Email Structure
+  1. Appropriate greeting
+  2. Clear opening statement
+  3. Main content (organized, scannable)
+  4. Call to action (if applicable)
+  5. Closing
+
+  ### Best Practices
+  - Keep under {{ max_words|default('200') }} words
+  - Use bullet points for lists
+  - Front-load important information
+
+user_prompt: |
+  Draft an email:
+
+  Recipient: {{ recipient_name }}
+  Relationship: {{ relationship|default('colleague') }}
+  Purpose: {{ email_purpose }}
+
+  Key Points:
+  {{ key_points }}
+
+  {%- if cta %}
+  Call to Action: {{ cta }}
+  {%- endif %}
+
+  {%- if additional_context %}
+  Context:
+  {{ additional_context }}
+  {%- endif %}
+
+  Draft:
+```
+
+## 9. REST API Documentation
+
+Example for documenting API endpoints.
+
+```yaml
+system_prompt: |-
+  ### Role
+  You are a technical writer specializing in API documentation.
+
+  ### Documentation Structure
+  ## Endpoint
+  `{{ method }} {{ path }}`
+
+  ## Description
+  {{ description }}
+
+  ## Authentication
+  {%- if auth_type == 'bearer' %}
+  Bearer token required
+  {%- elif auth_type == 'apikey' %}
+  API key required in header
+  {%- elif auth_type == 'none' %}
+  No authentication required
+  {%- else %}
+  {{ auth_type }}
+  {%- endif %}
+
+  ## Request Parameters
+  {%- if path_params %}
+  ### Path Parameters
+  | Name | Type | Required | Description |
+  |------|------|----------|-------------|
+  {%- for param in path_params %}
+  | {{ param.name }} | {{ param.type }} | {{ param.required|default('Yes') }} | {{ param.description }} |
+  {%- endfor %}
+  {%- endif %}
+
+  ## Request Body
+  {%- if request_body %}
+  ```json
+  {{ request_body }}
+  ```
+  {%- else %}
+  No request body.
+  {%- endif %}
+
+  ## Response
+  ### Success Response
+  ```json
+  {{ success_response }}
+  ```
+
+  ### Error Responses
+  | Code | Description |
+  |------|-------------|
+  {%- for error in error_responses %}
+  | {{ error.code }} | {{ error.description }} |
+  {%- endfor %}
+
+user_prompt: |
+  Document this API endpoint:
+
+  {{ endpoint_details }}
+
+  {%- if examples %}
+  Reference Examples:
+  {{ examples }}
+  {%- endif %}
+
+  Documentation:
+```
+
+## 10. Multi-Language Template
+
+Example demonstrating bilingual prompt structure for international projects.
+
+```yaml
+system_prompt: |-
+  ### Role / 角色
+  You are a professional technical writer. / 你是一位专业技术作家。
+
+  ### Core Task / 核心任务
+  {%- if language == 'zh' %}
+  根据提供的技术规范生成文档。
+  {%- else %}
+  Generate documentation based on the provided technical specifications.
+  {%- endif %}
+
+  ### Requirements / 要求
+  1. {{ requirement_1 }}
+  2. {{ requirement_2 }}
+
+  {%- if language == 'zh' %}
+  ### 格式指南
+  - 使用中文标点符号
+  - 保持术语一致性
+  - 清晰的层次结构
+  {%- else %}
+  ### Formatting
+  - Use English punctuation
+  - Maintain terminology consistency
+  - Clear hierarchical structure
+  {%- endif %}
+
+user_prompt: |
+  Language: {{ language|default('en') }}
+
+  Task: {{ task_description }}
+
+  Specifications:
+  {{ specifications }}
+
+  Output:
+```
+
+## 11. Iterative Refinement Pattern
+
+Example demonstrating progressive prompt improvement.
+
+```yaml
+system_prompt: |-
+  ### Role
+  You are a {{ role_name }}.
+
+  ### Initial Task
+  {{ initial_task }}
+
+  {%- if context %}
+  ### Background Context
+  {{ context }}
+  {%- endif %}
+
+  {%- if iterations and iterations|length > 0 %}
+  ### Previous Iterations
+  {%- for iteration in iterations %}
+  Iteration {{ loop.index }}:
+  - Input: {{ iteration.input }}
+  - Output: {{ iteration.output }}
+  - Feedback: {{ iteration.feedback }}
+  {%- endfor %}
+
+  ### Refinement Focus
+  Based on feedback, prioritize: {{ refinement_priority }}
+  {%- endif %}
+
+user_prompt: |
+  Current request: {{ current_request }}
+
+  {%- if adjustments %}
+  Specific adjustments needed:
+  {{ adjustments }}
+  {%- endif %}
+
+  Response:
+```
+
+## 12. Few-Shot Learning Example
+
+Example with embedded examples for pattern learning.
+
+```yaml
+system_prompt: |-
+  ### Role
+  You are a sentiment analysis assistant.
+
+  ### Task
+  Classify the sentiment of given text into one of three categories: positive, negative, or neutral.
+
+  ### Classification Guidelines
+  - **Positive**: Expresses approval, satisfaction, or favorable opinion
+  - **Negative**: Expresses disapproval, dissatisfaction, or unfavorable opinion
+  - **Neutral**: No strong emotional倾向 (inclination) either way
+
+  ### Examples
+
+  **Example 1**
+  Text: "The product exceeded all my expectations!"
+  Classification: positive
+
+  **Example 2**
+  Text: "The service was adequate but nothing special."
+  Classification: neutral
+
+  **Example 3**
+  Text: "Completely wasted my money. Never buying again."
+  Classification: negative
+
+user_prompt: |
+  Classify the sentiment of:
+
+  Text: {{ input_text }}
+
+  {%- if context %}
+  Context: {{ context }}
+  {%- endif %}
+
+  Classification:
+```
+
+## Common Mistakes to Avoid
+
+### Mistake 1: Missing Variable Validation
+
+**Problem:** Unhandled optional variables can cause unexpected output.
+
+```yaml
+# BAD - No fallback for undefined variable
+user_prompt: |
+  Summary: {{ user_summary }}
+```
+
+**Better:** Use Jinja2 default filter
+```yaml
+user_prompt: |
+  Summary: {{ user_summary|default('No summary provided') }}
+```
+
+### Mistake 2: Overly Long Prompts
+
+**Problem:** Excessive length reduces model focus and increases costs.
+
+**Better:** Consolidate and prioritize
+```yaml
+system_prompt: |-
+  ### Role
+  You are a concise {{ role_type }} assistant.
+
+  ### Core Task
+  {{ primary_task }}
+
+  ### Top 3 Priorities
+  1. {{ priority_1 }}
+  2. {{ priority_2 }}
+  3. {{ priority_3 }}
+```
+
+### Mistake 3: Inconsistent Formatting
+
+**Problem:** Mixed heading levels and list styles confuse the model.
+
+**Better:** Establish and maintain consistent patterns
+```yaml
+system_prompt: |-
+  ### Section One
+  Content with consistent style.
+
+  ### Section Two
+  - Bullet point
+  - Another bullet
+
+  ### Section Three
+  1. Numbered item
+  2. Another numbered
+```
+
+## Best Practices Summary
+
+1. **Start with clear role definition**
+2. **Use consistent heading hierarchy**
+3. **Provide concrete examples (few-shot)**
+4. **Handle optional variables gracefully**
+5. **Limit scope to essential information**
+6. **Test prompts with various inputs**
+7. **Iterate based on output quality**
+8. **Document prompt versions**
+
+## Related Resources
+
+- See [best-practices.md](best-practices.md) for detailed guidelines
+- See [templates.md](templates.md) for reusable patterns
diff --git a/.claude/skills/prompts-writing/references/best-practices.md b/.claude/skills/prompts-writing/references/best-practices.md
new file mode 100644
index 000000000..516845e50
--- /dev/null
+++ b/.claude/skills/prompts-writing/references/best-practices.md
@@ -0,0 +1,367 @@
+# Prompt Writing Best Practices
+
+This document provides comprehensive guidelines for creating high-quality YAML prompts.
+
+## 1. YAML Syntax Fundamentals
+
+### Multi-line String Handling
+
+| Syntax | Use Case | Example |
+|--------|----------|---------|
+| `\|-` | System prompts (strips trailing newline) | `system_prompt: \|-` |
+| `|` | User prompts (preserves newlines) | `user_prompt: \|` |
+| `>` | Long single lines (rarely used) | `description: >` |
+
+### Indentation Rules
+
+- Use 2 spaces for indentation (no tabs)
+- Nested structures under each field
+- List items align at parent level
+
+```yaml
+system_prompt: |-
+  ### Section Title
+  Content here.
+  
+  - List item 1
+    Nested item (2 spaces)
+  - List item 2
+```
+
+## 2. Structure Guidelines
+
+### Heading Hierarchy
+
+Use headings to create logical sections:
+
+```yaml
+system_prompt: |-
+  ### Primary Section (most important)
+  Core role and primary responsibilities.
+  
+  ### Secondary Section
+  Additional requirements.
+  
+  ## Less Important Section
+  Background context.
+  
+  ### Specific Guidelines
+  - Concrete rules
+```
+
+**Rules:**
+- Never skip heading levels (e.g., `###` to `#####`)
+- Maximum heading depth: `####` for most prompts
+- Use `###` for major sections, `####` for subsections
+
+### Separator Usage
+
+Separators (`---`, `***`) create visual clutter and should be avoided:
+
+**DO:**
+```yaml
+system_prompt: |-
+  ### Requirements
+  1. Be concise
+  2. Be clear
+  
+  ### Output Format
+  Plain text response.
+```
+
+**DON'T:**
+```yaml
+system_prompt: |-
+  ### Requirements
+  1. Be concise
+  2. Be clear
+  
+  ---
+  
+  ### Output Format
+  Plain text response.
+  
+  ***
+  
+  Additional notes.
+```
+
+**Exception:** Use `---` only when truly separating distinct document types or sections in complex templates.
+
+## 3. Writing Style
+
+### Sentence Structure
+
+**DO:**
+- Use active voice: "You are a helpful assistant."
+- Be direct: "Generate a summary."
+- Keep sentences under 25 words.
+
+**DON'T:**
+- Passive voice: "A summary should be generated by you."
+- Vague instructions: "Maybe you could try to..."
+- Run-on sentences.
+
+### Conciseness Principles
+
+**Before (verbose):**
+```
+You are a document summarization assistant and your main job and responsibility is to read through the document that is provided to you and create a summary of it. You should make sure to...
+```
+
+**After (concise):**
+```
+You are a professional document summarization assistant. Generate a concise summary based on the provided content.
+```
+
+### List Consistency
+
+**DO (all items parallel):**
+```yaml
+- Be accurate
+- Be concise
+- Be helpful
+```
+
+**DON'T (mixed structures):**
+```yaml
+- Be accurate
+- Creating summaries
+- You should be helpful
+```
+
+### Punctuation Rules
+
+| Element | Rule | Example |
+|---------|------|---------|
+| Lists | Period only if complex sentences | `- Item one` or `- First item. Second sentence.` |
+| Headings | No period at end | `### Requirements` |
+| Variables | Spaces around braces | `{{ filename }}` not `{{filename}}` |
+| Code blocks | Language tag required | ```python |
+
+## 4. Variable Placeholder Standards
+
+### Naming Conventions
+
+Use descriptive, lowercase names with underscores:
+
+| Good | Bad |
+|------|-----|
+| `{{ document_title }}` | `{{ title }}` |
+| `{{ max_word_count }}` | `{{ max }}` |
+| `{{ user_query }}` | `{{ q }}` |
+
+### Variable Types
+
+```yaml
+# String variables
+user_prompt: |
+  Analyze: {{ document_content }}
+
+# Numeric variables with constraints
+user_prompt: |
+  Summary ({{ max_words }} words maximum):
+
+# Optional variables (with Jinja2 default)
+{{ time|default('current time') }}
+
+# Conditional variables
+{%- if memory_list and memory_list|length > 0 %}
+  ### Contextual Memory
+  ...
+{%- endif %}
+```
+
+## 5. Common Sections
+
+### Role Definition
+
+```yaml
+system_prompt: |-
+  ### Role
+  You are a professional [domain] assistant specialized in [specific task].
+```
+
+### Requirements
+
+```yaml
+  ### Requirements
+  1. First requirement (most important)
+  2. Second requirement
+  3. Third requirement
+```
+
+### Guidelines
+
+```yaml
+  ### Guidelines
+  - Do this (positive instruction)
+  - Don't do that (negative instruction)
+  - Always do this (mandatory)
+```
+
+### Output Format
+
+```yaml
+  ### Output Format
+  Respond in plain text without:
+  - Separators (---, ***)
+  - HTML tags
+  - Special formatting
+```
+
+## 6. Anti-Patterns to Avoid
+
+### Anti-Pattern 1: Excessive Instructions
+
+```yaml
+# BAD - Too many nested rules
+system_prompt: |-
+  You are an assistant. Your name is X. You were created by Y.
+  You should always be helpful. Being helpful means you should:
+  1. Greet the user
+  2. Listen carefully
+  3. Respond appropriately
+  ...
+```
+
+**Better:**
+```yaml
+system_prompt: |-
+  You are a helpful assistant specialized in {{ task_type }}.
+```
+
+### Anti-Pattern 2: Vague Instructions
+
+```yaml
+# BAD - Not actionable
+system_prompt: |-
+  You should do a good job at summarizing. Make sure it's good.
+```
+
+**Better:**
+```yaml
+system_prompt: |-
+  ### Task
+  Generate a {{ word_count }}-word summary that captures:
+  - Main topic
+  - Key arguments
+  - Supporting evidence
+```
+
+### Anti-Pattern 3: Mixed Languages
+
+```yaml
+# BAD - Inconsistent language
+system_prompt: |-
+  ### Role
+  You are a professional assistant.
+  ### 要求
+  保持简洁。
+```
+
+**Better (choose one language):**
+```yaml
+system_prompt: |-
+  ### Role
+  You are a professional assistant.
+  ### Requirements
+  Keep responses concise.
+```
+
+### Anti-Pattern 4: Unbalanced Lists
+
+```yaml
+# BAD - Missing items
+  - Do A
+  - Do B
+  
+# Better - Complete list
+  - Do A
+  - Do B
+  - Do C
+```
+
+## 7. Language Guidelines
+
+### English Prompts
+
+- Use American or British English consistently
+- Prefer simple vocabulary over complex terms
+- Use "you" for direct addressing
+
+### Chinese Prompts
+
+- Use Simplified Chinese (简体中文)
+- Follow Chinese punctuation standards
+- Keep technical terms in English when appropriate
+
+### Mixed-Language Projects
+
+When maintaining both EN and ZH versions:
+
+```yaml
+# Filename pattern: prompt_name_en.yaml
+# Corresponding file: prompt_name_zh.yaml
+
+# Key terms translation:
+# - "Requirements" → "要求"
+# - "Guidelines" → "指南"
+# - "Output Format" → "输出格式"
+```
+
+## 8. Quality Validation Checklist
+
+### Before Finalizing
+
+```markdown
+□ All braces are balanced ({{ }})
+□ No trailing spaces at line ends
+□ Consistent heading hierarchy
+□ Parallel list structure
+□ Proper YAML indentation (2 spaces)
+□ No HTML tags in Markdown
+□ Variables have descriptive names
+□ Language is consistent throughout
+□ No excessive separators
+□ Sentence case for list items
+```
+
+### Automated Checks
+
+Consider using:
+1. YAML linter (yamllint)
+2. Jinja2 syntax validator
+3. Markdown formatter
+
+## 9. Performance Considerations
+
+### Prompt Length
+
+- System prompts: 500-2000 tokens typical
+- User prompts: 100-500 tokens typical
+- Longer isn't always better—be concise
+
+### Token Efficiency
+
+- Avoid repetitive phrasing
+- Use variables for repeated content
+- Trim unnecessary sections
+
+## 10. Version Control
+
+### File Naming
+
+```yaml
+# Format: {purpose}_{lang}.yaml
+manager_system_prompt_template_en.yaml
+manager_system_prompt_template_zh.yaml
+document_summary_agent_en.yaml
+```
+
+### Changelog Practices
+
+When modifying prompts:
+1. Update file in place
+2. Document significant changes
+3. Consider version history for major revisions
diff --git a/.claude/skills/prompts-writing/references/templates.md b/.claude/skills/prompts-writing/references/templates.md
new file mode 100644
index 000000000..934643954
--- /dev/null
+++ b/.claude/skills/prompts-writing/references/templates.md
@@ -0,0 +1,323 @@
+# Prompt Templates
+
+This document provides reusable template patterns for YAML-based prompts.
+
+## 1. Agent System Prompt Template
+
+```yaml
+system_prompt: |-
+  ### Basic Information
+  You are {{APP_NAME}}, {{APP_DESCRIPTION}}, it is {{time|default('current time')}} now
+  
+  ### Core Responsibilities
+  {{ duty }}
+  
+  ### Principles
+  Legal Compliance: Strictly adhere to all laws and regulations;
+  Security Protection: Do not respond to dangerous requests;
+  Ethical Guidelines: Refuse harmful content.
+  
+  ### Execution Process
+  1. Think: Analyze the task and plan approach
+  2. Code: Execute using tools/agents
+  3. Observe Results: Review and iterate
+  
+  ### Available Resources
+  {%- if tools and tools.values() | list %}
+  - Available tools:
+  {%- for tool in tools.values() %}
+    - {{ tool.name }}: {{ tool.description }}
+  {%- endfor %}
+  {%- else %}
+  - No tools available
+  {%- endif %}
+  
+  ### Resource Usage Requirements
+  {{ constraint }}
+  
+  ### Example Templates
+  {{ few_shots }}
+
+managed_agent:
+  task: |-
+      You are '{{name}}'. Your manager has submitted this task:
+      ---
+      {{task}}
+      ---
+      Provide comprehensive assistance.
+  report: |-
+      {{final_answer}}
+
+planning:
+  initial_plan: |-
+  
+  update_plan_pre_messages: |-
+  
+  update_plan_post_messages: |-
+    
+final_answer:
+  pre_messages: |-
+  
+  post_messages: |-
+```
+
+## 2. Document Summary Agent Template
+
+```yaml
+system_prompt: |-
+  You are a professional document summarization assistant.
+  
+  **Summary Requirements:**
+  1. Extract main themes and key topics
+  2. Generate representative summary
+  3. Ensure accuracy and coherence
+  4. Respect word limit
+  
+  **Guidelines:**
+  - Focus on main themes
+  - Highlight important concepts
+  - Use clear, concise language
+  - Avoid redundancy
+  - **Important: No separators, plain text only**
+
+user_prompt: |
+  Generate a summary for:
+  
+  Document name: {{ filename }}
+  
+  Content snippets:
+  {{ content }}
+  
+  Summary (max {{ max_words }} words):
+```
+
+## 3. Cluster Summary Agent Template
+
+```yaml
+system_prompt: |-
+  You are a professional knowledge summarization assistant.
+  
+  **Summary Requirements:**
+  1. Analyze multiple documents
+  2. Extract common themes
+  3. Generate collective summary
+  4. Respect word limit
+  
+  **Guidelines:**
+  - Focus on shared themes
+  - Highlight key concepts
+  - Use concise language
+  - Avoid listing individual titles
+
+user_prompt: |
+  Summarize this document cluster:
+  
+  {{ cluster_content }}
+  
+  Summary ({{ max_words }} words):
+```
+
+## 4. Image Analysis Template
+
+```yaml
+image_analysis:
+  system_prompt: |-
+    The user asks: {{ query }}. Describe this image concisely (200 words max).
+    
+    **Requirements:**
+    1. Focus on question-relevant content
+    2. Keep descriptions clear and concise
+    3. Avoid irrelevant details
+    4. Maintain objective description
+    
+  user_prompt: |
+    Observe and describe this image for the user's question.
+```
+
+## 5. Long Text Analysis Template
+
+```yaml
+long_text_analysis:
+  system_prompt: |-
+    The user asks: {{ query }}. Summarize this text concisely (200 words max).
+    
+    **Requirements:**
+    1. Extract question-relevant content
+    2. Highlight core information
+    3. Preserve key viewpoints
+    4. Avoid redundancy
+    
+  user_prompt: |
+    Read and analyze this text:
+```
+
+## 6. Conditional Content Template
+
+```yaml
+system_prompt: |-
+  ### Basic Information
+  You are {{APP_NAME}}.
+  
+  {%- if memory_list and memory_list|length > 0 %}
+  ### Contextual Memory
+  {%- set level_order = ['tenant', 'user_agent', 'user', 'agent'] %}
+  {%- for level in level_order %}
+    {%- if level in memory_by_level %}
+  **{{ level|title }} Level Memory:**
+      {%- for item in memory_by_level[level] %}
+  - {{ item.memory }}
+      {%- endfor %}
+    {%- endif %}
+  {%- endfor %}
+  {%- endif %}
+  
+  ### Core Task
+  {{ duty }}
+```
+
+## 7. Tool-Only Agent Template
+
+```yaml
+system_prompt: |-
+  You have access to specific tools only.
+  
+  {%- if tools and tools.values() | list %}
+  ### Available Tools
+  {%- for tool in tools.values() %}
+  - {{ tool.name }}: {{ tool.description }}
+    Input: {{tool.inputs}}
+    Output: {{tool.output_type}}
+  {%- endfor %}
+  {%- else %}
+  - No tools available.
+  {%- endif %}
+  
+  ### Workflow
+  1. Understand the user's request
+  2. Select appropriate tools
+  3. Execute tool calls
+  4. Synthesize results
+  
+  ### Guidelines
+  - Call tools only when needed
+  - Use correct parameters
+  - Handle errors gracefully
+
+user_prompt: |
+  Task: {{ task }}
+  
+  {%- if context %}
+  Context:
+  {{ context }}
+  {%- endif %}
+  
+  Result:
+```
+
+## 8. Memory Integration Template
+
+```yaml
+system_prompt: |-
+  ### Role
+  You are {{agent_name}}.
+  
+  {%- if memory_list and memory_list|length > 0 %}
+  ### Contextual Memory
+  {%- set level_order = ['tenant', 'user_agent', 'user', 'agent'] %}
+  {%- set memory_by_level = memory_list|groupby('memory_level') %}
+  {%- for level in level_order %}
+    {%- for group_level, memories in memory_by_level %}
+      {%- if group_level == level %}
+  
+  **{{ level|title }} Level Memory:**
+        {%- for item in memories %}
+  - {{ item.memory }} `({{ "%.2f"|format(item.score|float) }})`
+        {%- endfor %}
+      {%- endif %}
+    {%- endfor %}
+  {%- endfor %}
+  
+  **Memory Usage:**
+  - Conflicts: Earlier items take precedence
+  - Integration: Weave memories naturally
+  {%- endif %}
+  
+  ### Task
+  {{ task }}
+```
+
+## 9. Output Format Specification Template
+
+```yaml
+system_prompt: |-
+  ### Role
+  You are {{role_name}}.
+  
+  ### Task
+  {{task_description}}
+  
+  ### Output Requirements
+  1. **Markdown Format:**
+     - Standard Markdown syntax
+     - Single blank line between paragraphs
+     - Inline formulas: $formula$
+     - Block formulas: $$formula$$
+  
+  2. **Reference Marks:**
+     - Format: `[[letter+number]]` (e.g., `[[a1]]`)
+     - Place after relevant sentences
+     - Multiple marks: `[[a1]][[b2]]`
+  
+  3. **Code:**
+     - Use language tags: ```python
+     - Maintain original format
+  
+  4. **Restrictions:**
+     - No HTML tags
+     - No separators
+     - No extra escape characters
+
+user_prompt: |
+  {{ user_input }}
+  
+  Response:
+```
+
+## 10. Minimal Template
+
+For simple, focused prompts:
+
+```yaml
+system_prompt: |-
+  You are a {{role_type}} assistant. Your task is to {{primary_task}}.
+  
+  Requirements:
+  1. {{requirement_1}}
+  2. {{requirement_2}}
+  
+  Guidelines:
+  - {{guideline_1}}
+  - {{guideline_2}}
+
+user_prompt: |
+  {{ input_content }}
+  
+  {{ output_instruction }}:
+```
+
+## Template Variables Summary
+
+| Variable | Type | Description | Example |
+|----------|------|-------------|---------|
+| `{{APP_NAME}}` | String | Application name | "Nexent" |
+| `{{APP_DESCRIPTION}}` | String | App description | "An AI assistant" |
+| `{{time}}` | String/datetime | Current time | "2024-01-01" |
+| `{{duty}}` | String | Core responsibilities | "Summarize documents" |
+| `{{constraint}}` | String | Resource constraints | "Max 500 words" |
+| `{{few_shots}}` | String | Example templates | "Q:... A:..." |
+| `{{filename}}` | String | Document filename | "report.pdf" |
+| `{{content}}` | String | Document content | "..." |
+| `{{max_words}}` | Integer | Word limit | 200 |
+| `{{task}}` | String | Task description | "Analyze..." |
+| `{{query}}` | String | User query | "..." |
+| `{{memory_list}}` | List | Context memories | [...] |
diff --git a/.claude/skills/skill-creator/.openskills.json b/.claude/skills/skill-creator/.openskills.json
new file mode 100644
index 000000000..a017de770
--- /dev/null
+++ b/.claude/skills/skill-creator/.openskills.json
@@ -0,0 +1,7 @@
+{
+  "source": "anthropics/skills",
+  "sourceType": "git",
+  "repoUrl": "https://github.com/anthropics/skills",
+  "subpath": "skills\\skill-creator",
+  "installedAt": "2026-02-04T07:52:42.984Z"
+}
\ No newline at end of file
diff --git a/.claude/skills/skill-creator/LICENSE.txt b/.claude/skills/skill-creator/LICENSE.txt
new file mode 100644
index 000000000..7a4a3ea24
--- /dev/null
+++ b/.claude/skills/skill-creator/LICENSE.txt
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
\ No newline at end of file
diff --git a/.claude/skills/skill-creator/SKILL.md b/.claude/skills/skill-creator/SKILL.md
new file mode 100644
index 000000000..b7f86598b
--- /dev/null
+++ b/.claude/skills/skill-creator/SKILL.md
@@ -0,0 +1,356 @@
+---
+name: skill-creator
+description: Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends Claude's capabilities with specialized knowledge, workflows, or tool integrations.
+license: Complete terms in LICENSE.txt
+---
+
+# Skill Creator
+
+This skill provides guidance for creating effective skills.
+
+## About Skills
+
+Skills are modular, self-contained packages that extend Claude's capabilities by providing
+specialized knowledge, workflows, and tools. Think of them as "onboarding guides" for specific
+domains or tasks—they transform Claude from a general-purpose agent into a specialized agent
+equipped with procedural knowledge that no model can fully possess.
+
+### What Skills Provide
+
+1. Specialized workflows - Multi-step procedures for specific domains
+2. Tool integrations - Instructions for working with specific file formats or APIs
+3. Domain expertise - Company-specific knowledge, schemas, business logic
+4. Bundled resources - Scripts, references, and assets for complex and repetitive tasks
+
+## Core Principles
+
+### Concise is Key
+
+The context window is a public good. Skills share the context window with everything else Claude needs: system prompt, conversation history, other Skills' metadata, and the actual user request.
+
+**Default assumption: Claude is already very smart.** Only add context Claude doesn't already have. Challenge each piece of information: "Does Claude really need this explanation?" and "Does this paragraph justify its token cost?"
+
+Prefer concise examples over verbose explanations.
+
+### Set Appropriate Degrees of Freedom
+
+Match the level of specificity to the task's fragility and variability:
+
+**High freedom (text-based instructions)**: Use when multiple approaches are valid, decisions depend on context, or heuristics guide the approach.
+
+**Medium freedom (pseudocode or scripts with parameters)**: Use when a preferred pattern exists, some variation is acceptable, or configuration affects behavior.
+
+**Low freedom (specific scripts, few parameters)**: Use when operations are fragile and error-prone, consistency is critical, or a specific sequence must be followed.
+
+Think of Claude as exploring a path: a narrow bridge with cliffs needs specific guardrails (low freedom), while an open field allows many routes (high freedom).
+
+### Anatomy of a Skill
+
+Every skill consists of a required SKILL.md file and optional bundled resources:
+
+```
+skill-name/
+├── SKILL.md (required)
+│   ├── YAML frontmatter metadata (required)
+│   │   ├── name: (required)
+│   │   └── description: (required)
+│   └── Markdown instructions (required)
+└── Bundled Resources (optional)
+    ├── scripts/          - Executable code (Python/Bash/etc.)
+    ├── references/       - Documentation intended to be loaded into context as needed
+    └── assets/           - Files used in output (templates, icons, fonts, etc.)
+```
+
+#### SKILL.md (required)
+
+Every SKILL.md consists of:
+
+- **Frontmatter** (YAML): Contains `name` and `description` fields. These are the only fields that Claude reads to determine when the skill gets used, thus it is very important to be clear and comprehensive in describing what the skill is, and when it should be used.
+- **Body** (Markdown): Instructions and guidance for using the skill. Only loaded AFTER the skill triggers (if at all).
+
+#### Bundled Resources (optional)
+
+##### Scripts (`scripts/`)
+
+Executable code (Python/Bash/etc.) for tasks that require deterministic reliability or are repeatedly rewritten.
+
+- **When to include**: When the same code is being rewritten repeatedly or deterministic reliability is needed
+- **Example**: `scripts/rotate_pdf.py` for PDF rotation tasks
+- **Benefits**: Token efficient, deterministic, may be executed without loading into context
+- **Note**: Scripts may still need to be read by Claude for patching or environment-specific adjustments
+
+##### References (`references/`)
+
+Documentation and reference material intended to be loaded as needed into context to inform Claude's process and thinking.
+
+- **When to include**: For documentation that Claude should reference while working
+- **Examples**: `references/finance.md` for financial schemas, `references/mnda.md` for company NDA template, `references/policies.md` for company policies, `references/api_docs.md` for API specifications
+- **Use cases**: Database schemas, API documentation, domain knowledge, company policies, detailed workflow guides
+- **Benefits**: Keeps SKILL.md lean, loaded only when Claude determines it's needed
+- **Best practice**: If files are large (>10k words), include grep search patterns in SKILL.md
+- **Avoid duplication**: Information should live in either SKILL.md or references files, not both. Prefer references files for detailed information unless it's truly core to the skill—this keeps SKILL.md lean while making information discoverable without hogging the context window. Keep only essential procedural instructions and workflow guidance in SKILL.md; move detailed reference material, schemas, and examples to references files.
+
+##### Assets (`assets/`)
+
+Files not intended to be loaded into context, but rather used within the output Claude produces.
+
+- **When to include**: When the skill needs files that will be used in the final output
+- **Examples**: `assets/logo.png` for brand assets, `assets/slides.pptx` for PowerPoint templates, `assets/frontend-template/` for HTML/React boilerplate, `assets/font.ttf` for typography
+- **Use cases**: Templates, images, icons, boilerplate code, fonts, sample documents that get copied or modified
+- **Benefits**: Separates output resources from documentation, enables Claude to use files without loading them into context
+
+#### What to Not Include in a Skill
+
+A skill should only contain essential files that directly support its functionality. Do NOT create extraneous documentation or auxiliary files, including:
+
+- README.md
+- INSTALLATION_GUIDE.md
+- QUICK_REFERENCE.md
+- CHANGELOG.md
+- etc.
+
+The skill should only contain the information needed for an AI agent to do the job at hand. It should not contain auxilary context about the process that went into creating it, setup and testing procedures, user-facing documentation, etc. Creating additional documentation files just adds clutter and confusion.
+
+### Progressive Disclosure Design Principle
+
+Skills use a three-level loading system to manage context efficiently:
+
+1. **Metadata (name + description)** - Always in context (~100 words)
+2. **SKILL.md body** - When skill triggers (<5k words)
+3. **Bundled resources** - As needed by Claude (Unlimited because scripts can be executed without reading into context window)
+
+#### Progressive Disclosure Patterns
+
+Keep SKILL.md body to the essentials and under 500 lines to minimize context bloat. Split content into separate files when approaching this limit. When splitting out content into other files, it is very important to reference them from SKILL.md and describe clearly when to read them, to ensure the reader of the skill knows they exist and when to use them.
+
+**Key principle:** When a skill supports multiple variations, frameworks, or options, keep only the core workflow and selection guidance in SKILL.md. Move variant-specific details (patterns, examples, configuration) into separate reference files.
+
+**Pattern 1: High-level guide with references**
+
+```markdown
+# PDF Processing
+
+## Quick start
+
+Extract text with pdfplumber:
+[code example]
+
+## Advanced features
+
+- **Form filling**: See [FORMS.md](FORMS.md) for complete guide
+- **API reference**: See [REFERENCE.md](REFERENCE.md) for all methods
+- **Examples**: See [EXAMPLES.md](EXAMPLES.md) for common patterns
+```
+
+Claude loads FORMS.md, REFERENCE.md, or EXAMPLES.md only when needed.
+
+**Pattern 2: Domain-specific organization**
+
+For Skills with multiple domains, organize content by domain to avoid loading irrelevant context:
+
+```
+bigquery-skill/
+├── SKILL.md (overview and navigation)
+└── reference/
+    ├── finance.md (revenue, billing metrics)
+    ├── sales.md (opportunities, pipeline)
+    ├── product.md (API usage, features)
+    └── marketing.md (campaigns, attribution)
+```
+
+When a user asks about sales metrics, Claude only reads sales.md.
+
+Similarly, for skills supporting multiple frameworks or variants, organize by variant:
+
+```
+cloud-deploy/
+├── SKILL.md (workflow + provider selection)
+└── references/
+    ├── aws.md (AWS deployment patterns)
+    ├── gcp.md (GCP deployment patterns)
+    └── azure.md (Azure deployment patterns)
+```
+
+When the user chooses AWS, Claude only reads aws.md.
+
+**Pattern 3: Conditional details**
+
+Show basic content, link to advanced content:
+
+```markdown
+# DOCX Processing
+
+## Creating documents
+
+Use docx-js for new documents. See [DOCX-JS.md](DOCX-JS.md).
+
+## Editing documents
+
+For simple edits, modify the XML directly.
+
+**For tracked changes**: See [REDLINING.md](REDLINING.md)
+**For OOXML details**: See [OOXML.md](OOXML.md)
+```
+
+Claude reads REDLINING.md or OOXML.md only when the user needs those features.
+
+**Important guidelines:**
+
+- **Avoid deeply nested references** - Keep references one level deep from SKILL.md. All reference files should link directly from SKILL.md.
+- **Structure longer reference files** - For files longer than 100 lines, include a table of contents at the top so Claude can see the full scope when previewing.
+
+## Skill Creation Process
+
+Skill creation involves these steps:
+
+1. Understand the skill with concrete examples
+2. Plan reusable skill contents (scripts, references, assets)
+3. Initialize the skill (run init_skill.py)
+4. Edit the skill (implement resources and write SKILL.md)
+5. Package the skill (run package_skill.py)
+6. Iterate based on real usage
+
+Follow these steps in order, skipping only if there is a clear reason why they are not applicable.
+
+### Step 1: Understanding the Skill with Concrete Examples
+
+Skip this step only when the skill's usage patterns are already clearly understood. It remains valuable even when working with an existing skill.
+
+To create an effective skill, clearly understand concrete examples of how the skill will be used. This understanding can come from either direct user examples or generated examples that are validated with user feedback.
+
+For example, when building an image-editor skill, relevant questions include:
+
+- "What functionality should the image-editor skill support? Editing, rotating, anything else?"
+- "Can you give some examples of how this skill would be used?"
+- "I can imagine users asking for things like 'Remove the red-eye from this image' or 'Rotate this image'. Are there other ways you imagine this skill being used?"
+- "What would a user say that should trigger this skill?"
+
+To avoid overwhelming users, avoid asking too many questions in a single message. Start with the most important questions and follow up as needed for better effectiveness.
+
+Conclude this step when there is a clear sense of the functionality the skill should support.
+
+### Step 2: Planning the Reusable Skill Contents
+
+To turn concrete examples into an effective skill, analyze each example by:
+
+1. Considering how to execute on the example from scratch
+2. Identifying what scripts, references, and assets would be helpful when executing these workflows repeatedly
+
+Example: When building a `pdf-editor` skill to handle queries like "Help me rotate this PDF," the analysis shows:
+
+1. Rotating a PDF requires re-writing the same code each time
+2. A `scripts/rotate_pdf.py` script would be helpful to store in the skill
+
+Example: When designing a `frontend-webapp-builder` skill for queries like "Build me a todo app" or "Build me a dashboard to track my steps," the analysis shows:
+
+1. Writing a frontend webapp requires the same boilerplate HTML/React each time
+2. An `assets/hello-world/` template containing the boilerplate HTML/React project files would be helpful to store in the skill
+
+Example: When building a `big-query` skill to handle queries like "How many users have logged in today?" the analysis shows:
+
+1. Querying BigQuery requires re-discovering the table schemas and relationships each time
+2. A `references/schema.md` file documenting the table schemas would be helpful to store in the skill
+
+To establish the skill's contents, analyze each concrete example to create a list of the reusable resources to include: scripts, references, and assets.
+
+### Step 3: Initializing the Skill
+
+At this point, it is time to actually create the skill.
+
+Skip this step only if the skill being developed already exists, and iteration or packaging is needed. In this case, continue to the next step.
+
+When creating a new skill from scratch, always run the `init_skill.py` script. The script conveniently generates a new template skill directory that automatically includes everything a skill requires, making the skill creation process much more efficient and reliable.
+
+Usage:
+
+```bash
+scripts/init_skill.py <skill-name> --path <output-directory>
+```
+
+The script:
+
+- Creates the skill directory at the specified path
+- Generates a SKILL.md template with proper frontmatter and TODO placeholders
+- Creates example resource directories: `scripts/`, `references/`, and `assets/`
+- Adds example files in each directory that can be customized or deleted
+
+After initialization, customize or remove the generated SKILL.md and example files as needed.
+
+### Step 4: Edit the Skill
+
+When editing the (newly-generated or existing) skill, remember that the skill is being created for another instance of Claude to use. Include information that would be beneficial and non-obvious to Claude. Consider what procedural knowledge, domain-specific details, or reusable assets would help another Claude instance execute these tasks more effectively.
+
+#### Learn Proven Design Patterns
+
+Consult these helpful guides based on your skill's needs:
+
+- **Multi-step processes**: See references/workflows.md for sequential workflows and conditional logic
+- **Specific output formats or quality standards**: See references/output-patterns.md for template and example patterns
+
+These files contain established best practices for effective skill design.
+
+#### Start with Reusable Skill Contents
+
+To begin implementation, start with the reusable resources identified above: `scripts/`, `references/`, and `assets/` files. Note that this step may require user input. For example, when implementing a `brand-guidelines` skill, the user may need to provide brand assets or templates to store in `assets/`, or documentation to store in `references/`.
+
+Added scripts must be tested by actually running them to ensure there are no bugs and that the output matches what is expected. If there are many similar scripts, only a representative sample needs to be tested to ensure confidence that they all work while balancing time to completion.
+
+Any example files and directories not needed for the skill should be deleted. The initialization script creates example files in `scripts/`, `references/`, and `assets/` to demonstrate structure, but most skills won't need all of them.
+
+#### Update SKILL.md
+
+**Writing Guidelines:** Always use imperative/infinitive form.
+
+##### Frontmatter
+
+Write the YAML frontmatter with `name` and `description`:
+
+- `name`: The skill name
+- `description`: This is the primary triggering mechanism for your skill, and helps Claude understand when to use the skill.
+  - Include both what the Skill does and specific triggers/contexts for when to use it.
+  - Include all "when to use" information here - Not in the body. The body is only loaded after triggering, so "When to Use This Skill" sections in the body are not helpful to Claude.
+  - Example description for a `docx` skill: "Comprehensive document creation, editing, and analysis with support for tracked changes, comments, formatting preservation, and text extraction. Use when Claude needs to work with professional documents (.docx files) for: (1) Creating new documents, (2) Modifying or editing content, (3) Working with tracked changes, (4) Adding comments, or any other document tasks"
+
+Do not include any other fields in YAML frontmatter.
+
+##### Body
+
+Write instructions for using the skill and its bundled resources.
+
+### Step 5: Packaging a Skill
+
+Once development of the skill is complete, it must be packaged into a distributable .skill file that gets shared with the user. The packaging process automatically validates the skill first to ensure it meets all requirements:
+
+```bash
+scripts/package_skill.py <path/to/skill-folder>
+```
+
+Optional output directory specification:
+
+```bash
+scripts/package_skill.py <path/to/skill-folder> ./dist
+```
+
+The packaging script will:
+
+1. **Validate** the skill automatically, checking:
+
+   - YAML frontmatter format and required fields
+   - Skill naming conventions and directory structure
+   - Description completeness and quality
+   - File organization and resource references
+
+2. **Package** the skill if validation passes, creating a .skill file named after the skill (e.g., `my-skill.skill`) that includes all files and maintains the proper directory structure for distribution. The .skill file is a zip file with a .skill extension.
+
+If validation fails, the script will report the errors and exit without creating a package. Fix any validation errors and run the packaging command again.
+
+### Step 6: Iterate
+
+After testing the skill, users may request improvements. Often this happens right after using the skill, with fresh context of how the skill performed.
+
+**Iteration workflow:**
+
+1. Use the skill on real tasks
+2. Notice struggles or inefficiencies
+3. Identify how SKILL.md or bundled resources should be updated
+4. Implement changes and test again
diff --git a/.claude/skills/skill-creator/references/output-patterns.md b/.claude/skills/skill-creator/references/output-patterns.md
new file mode 100644
index 000000000..073ddda5f
--- /dev/null
+++ b/.claude/skills/skill-creator/references/output-patterns.md
@@ -0,0 +1,82 @@
+# Output Patterns
+
+Use these patterns when skills need to produce consistent, high-quality output.
+
+## Template Pattern
+
+Provide templates for output format. Match the level of strictness to your needs.
+
+**For strict requirements (like API responses or data formats):**
+
+```markdown
+## Report structure
+
+ALWAYS use this exact template structure:
+
+# [Analysis Title]
+
+## Executive summary
+[One-paragraph overview of key findings]
+
+## Key findings
+- Finding 1 with supporting data
+- Finding 2 with supporting data
+- Finding 3 with supporting data
+
+## Recommendations
+1. Specific actionable recommendation
+2. Specific actionable recommendation
+```
+
+**For flexible guidance (when adaptation is useful):**
+
+```markdown
+## Report structure
+
+Here is a sensible default format, but use your best judgment:
+
+# [Analysis Title]
+
+## Executive summary
+[Overview]
+
+## Key findings
+[Adapt sections based on what you discover]
+
+## Recommendations
+[Tailor to the specific context]
+
+Adjust sections as needed for the specific analysis type.
+```
+
+## Examples Pattern
+
+For skills where output quality depends on seeing examples, provide input/output pairs:
+
+```markdown
+## Commit message format
+
+Generate commit messages following these examples:
+
+**Example 1:**
+Input: Added user authentication with JWT tokens
+Output:
+```
+feat(auth): implement JWT-based authentication
+
+Add login endpoint and token validation middleware
+```
+
+**Example 2:**
+Input: Fixed bug where dates displayed incorrectly in reports
+Output:
+```
+fix(reports): correct date formatting in timezone conversion
+
+Use UTC timestamps consistently across report generation
+```
+
+Follow this style: type(scope): brief description, then detailed explanation.
+```
+
+Examples help Claude understand the desired style and level of detail more clearly than descriptions alone.
diff --git a/.claude/skills/skill-creator/references/workflows.md b/.claude/skills/skill-creator/references/workflows.md
new file mode 100644
index 000000000..a350c3cc8
--- /dev/null
+++ b/.claude/skills/skill-creator/references/workflows.md
@@ -0,0 +1,28 @@
+# Workflow Patterns
+
+## Sequential Workflows
+
+For complex tasks, break operations into clear, sequential steps. It is often helpful to give Claude an overview of the process towards the beginning of SKILL.md:
+
+```markdown
+Filling a PDF form involves these steps:
+
+1. Analyze the form (run analyze_form.py)
+2. Create field mapping (edit fields.json)
+3. Validate mapping (run validate_fields.py)
+4. Fill the form (run fill_form.py)
+5. Verify output (run verify_output.py)
+```
+
+## Conditional Workflows
+
+For tasks with branching logic, guide Claude through decision points:
+
+```markdown
+1. Determine the modification type:
+   **Creating new content?** → Follow "Creation workflow" below
+   **Editing existing content?** → Follow "Editing workflow" below
+
+2. Creation workflow: [steps]
+3. Editing workflow: [steps]
+```
\ No newline at end of file
diff --git a/.claude/skills/skill-creator/scripts/init_skill.py b/.claude/skills/skill-creator/scripts/init_skill.py
new file mode 100644
index 000000000..329ad4e5a
--- /dev/null
+++ b/.claude/skills/skill-creator/scripts/init_skill.py
@@ -0,0 +1,303 @@
+#!/usr/bin/env python3
+"""
+Skill Initializer - Creates a new skill from template
+
+Usage:
+    init_skill.py <skill-name> --path <path>
+
+Examples:
+    init_skill.py my-new-skill --path skills/public
+    init_skill.py my-api-helper --path skills/private
+    init_skill.py custom-skill --path /custom/location
+"""
+
+import sys
+from pathlib import Path
+
+
+SKILL_TEMPLATE = """---
+name: {skill_name}
+description: [TODO: Complete and informative explanation of what the skill does and when to use it. Include WHEN to use this skill - specific scenarios, file types, or tasks that trigger it.]
+---
+
+# {skill_title}
+
+## Overview
+
+[TODO: 1-2 sentences explaining what this skill enables]
+
+## Structuring This Skill
+
+[TODO: Choose the structure that best fits this skill's purpose. Common patterns:
+
+**1. Workflow-Based** (best for sequential processes)
+- Works well when there are clear step-by-step procedures
+- Example: DOCX skill with "Workflow Decision Tree" → "Reading" → "Creating" → "Editing"
+- Structure: ## Overview → ## Workflow Decision Tree → ## Step 1 → ## Step 2...
+
+**2. Task-Based** (best for tool collections)
+- Works well when the skill offers different operations/capabilities
+- Example: PDF skill with "Quick Start" → "Merge PDFs" → "Split PDFs" → "Extract Text"
+- Structure: ## Overview → ## Quick Start → ## Task Category 1 → ## Task Category 2...
+
+**3. Reference/Guidelines** (best for standards or specifications)
+- Works well for brand guidelines, coding standards, or requirements
+- Example: Brand styling with "Brand Guidelines" → "Colors" → "Typography" → "Features"
+- Structure: ## Overview → ## Guidelines → ## Specifications → ## Usage...
+
+**4. Capabilities-Based** (best for integrated systems)
+- Works well when the skill provides multiple interrelated features
+- Example: Product Management with "Core Capabilities" → numbered capability list
+- Structure: ## Overview → ## Core Capabilities → ### 1. Feature → ### 2. Feature...
+
+Patterns can be mixed and matched as needed. Most skills combine patterns (e.g., start with task-based, add workflow for complex operations).
+
+Delete this entire "Structuring This Skill" section when done - it's just guidance.]
+
+## [TODO: Replace with the first main section based on chosen structure]
+
+[TODO: Add content here. See examples in existing skills:
+- Code samples for technical skills
+- Decision trees for complex workflows
+- Concrete examples with realistic user requests
+- References to scripts/templates/references as needed]
+
+## Resources
+
+This skill includes example resource directories that demonstrate how to organize different types of bundled resources:
+
+### scripts/
+Executable code (Python/Bash/etc.) that can be run directly to perform specific operations.
+
+**Examples from other skills:**
+- PDF skill: `fill_fillable_fields.py`, `extract_form_field_info.py` - utilities for PDF manipulation
+- DOCX skill: `document.py`, `utilities.py` - Python modules for document processing
+
+**Appropriate for:** Python scripts, shell scripts, or any executable code that performs automation, data processing, or specific operations.
+
+**Note:** Scripts may be executed without loading into context, but can still be read by Claude for patching or environment adjustments.
+
+### references/
+Documentation and reference material intended to be loaded into context to inform Claude's process and thinking.
+
+**Examples from other skills:**
+- Product management: `communication.md`, `context_building.md` - detailed workflow guides
+- BigQuery: API reference documentation and query examples
+- Finance: Schema documentation, company policies
+
+**Appropriate for:** In-depth documentation, API references, database schemas, comprehensive guides, or any detailed information that Claude should reference while working.
+
+### assets/
+Files not intended to be loaded into context, but rather used within the output Claude produces.
+
+**Examples from other skills:**
+- Brand styling: PowerPoint template files (.pptx), logo files
+- Frontend builder: HTML/React boilerplate project directories
+- Typography: Font files (.ttf, .woff2)
+
+**Appropriate for:** Templates, boilerplate code, document templates, images, icons, fonts, or any files meant to be copied or used in the final output.
+
+---
+
+**Any unneeded directories can be deleted.** Not every skill requires all three types of resources.
+"""
+
+EXAMPLE_SCRIPT = '''#!/usr/bin/env python3
+"""
+Example helper script for {skill_name}
+
+This is a placeholder script that can be executed directly.
+Replace with actual implementation or delete if not needed.
+
+Example real scripts from other skills:
+- pdf/scripts/fill_fillable_fields.py - Fills PDF form fields
+- pdf/scripts/convert_pdf_to_images.py - Converts PDF pages to images
+"""
+
+def main():
+    print("This is an example script for {skill_name}")
+    # TODO: Add actual script logic here
+    # This could be data processing, file conversion, API calls, etc.
+
+if __name__ == "__main__":
+    main()
+'''
+
+EXAMPLE_REFERENCE = """# Reference Documentation for {skill_title}
+
+This is a placeholder for detailed reference documentation.
+Replace with actual reference content or delete if not needed.
+
+Example real reference docs from other skills:
+- product-management/references/communication.md - Comprehensive guide for status updates
+- product-management/references/context_building.md - Deep-dive on gathering context
+- bigquery/references/ - API references and query examples
+
+## When Reference Docs Are Useful
+
+Reference docs are ideal for:
+- Comprehensive API documentation
+- Detailed workflow guides
+- Complex multi-step processes
+- Information too lengthy for main SKILL.md
+- Content that's only needed for specific use cases
+
+## Structure Suggestions
+
+### API Reference Example
+- Overview
+- Authentication
+- Endpoints with examples
+- Error codes
+- Rate limits
+
+### Workflow Guide Example
+- Prerequisites
+- Step-by-step instructions
+- Common patterns
+- Troubleshooting
+- Best practices
+"""
+
+EXAMPLE_ASSET = """# Example Asset File
+
+This placeholder represents where asset files would be stored.
+Replace with actual asset files (templates, images, fonts, etc.) or delete if not needed.
+
+Asset files are NOT intended to be loaded into context, but rather used within
+the output Claude produces.
+
+Example asset files from other skills:
+- Brand guidelines: logo.png, slides_template.pptx
+- Frontend builder: hello-world/ directory with HTML/React boilerplate
+- Typography: custom-font.ttf, font-family.woff2
+- Data: sample_data.csv, test_dataset.json
+
+## Common Asset Types
+
+- Templates: .pptx, .docx, boilerplate directories
+- Images: .png, .jpg, .svg, .gif
+- Fonts: .ttf, .otf, .woff, .woff2
+- Boilerplate code: Project directories, starter files
+- Icons: .ico, .svg
+- Data files: .csv, .json, .xml, .yaml
+
+Note: This is a text placeholder. Actual assets can be any file type.
+"""
+
+
+def title_case_skill_name(skill_name):
+    """Convert hyphenated skill name to Title Case for display."""
+    return ' '.join(word.capitalize() for word in skill_name.split('-'))
+
+
+def init_skill(skill_name, path):
+    """
+    Initialize a new skill directory with template SKILL.md.
+
+    Args:
+        skill_name: Name of the skill
+        path: Path where the skill directory should be created
+
+    Returns:
+        Path to created skill directory, or None if error
+    """
+    # Determine skill directory path
+    skill_dir = Path(path).resolve() / skill_name
+
+    # Check if directory already exists
+    if skill_dir.exists():
+        print(f"❌ Error: Skill directory already exists: {skill_dir}")
+        return None
+
+    # Create skill directory
+    try:
+        skill_dir.mkdir(parents=True, exist_ok=False)
+        print(f"✅ Created skill directory: {skill_dir}")
+    except Exception as e:
+        print(f"❌ Error creating directory: {e}")
+        return None
+
+    # Create SKILL.md from template
+    skill_title = title_case_skill_name(skill_name)
+    skill_content = SKILL_TEMPLATE.format(
+        skill_name=skill_name,
+        skill_title=skill_title
+    )
+
+    skill_md_path = skill_dir / 'SKILL.md'
+    try:
+        skill_md_path.write_text(skill_content)
+        print("✅ Created SKILL.md")
+    except Exception as e:
+        print(f"❌ Error creating SKILL.md: {e}")
+        return None
+
+    # Create resource directories with example files
+    try:
+        # Create scripts/ directory with example script
+        scripts_dir = skill_dir / 'scripts'
+        scripts_dir.mkdir(exist_ok=True)
+        example_script = scripts_dir / 'example.py'
+        example_script.write_text(EXAMPLE_SCRIPT.format(skill_name=skill_name))
+        example_script.chmod(0o755)
+        print("✅ Created scripts/example.py")
+
+        # Create references/ directory with example reference doc
+        references_dir = skill_dir / 'references'
+        references_dir.mkdir(exist_ok=True)
+        example_reference = references_dir / 'api_reference.md'
+        example_reference.write_text(EXAMPLE_REFERENCE.format(skill_title=skill_title))
+        print("✅ Created references/api_reference.md")
+
+        # Create assets/ directory with example asset placeholder
+        assets_dir = skill_dir / 'assets'
+        assets_dir.mkdir(exist_ok=True)
+        example_asset = assets_dir / 'example_asset.txt'
+        example_asset.write_text(EXAMPLE_ASSET)
+        print("✅ Created assets/example_asset.txt")
+    except Exception as e:
+        print(f"❌ Error creating resource directories: {e}")
+        return None
+
+    # Print next steps
+    print(f"\n✅ Skill '{skill_name}' initialized successfully at {skill_dir}")
+    print("\nNext steps:")
+    print("1. Edit SKILL.md to complete the TODO items and update the description")
+    print("2. Customize or delete the example files in scripts/, references/, and assets/")
+    print("3. Run the validator when ready to check the skill structure")
+
+    return skill_dir
+
+
+def main():
+    if len(sys.argv) < 4 or sys.argv[2] != '--path':
+        print("Usage: init_skill.py <skill-name> --path <path>")
+        print("\nSkill name requirements:")
+        print("  - Hyphen-case identifier (e.g., 'data-analyzer')")
+        print("  - Lowercase letters, digits, and hyphens only")
+        print("  - Max 40 characters")
+        print("  - Must match directory name exactly")
+        print("\nExamples:")
+        print("  init_skill.py my-new-skill --path skills/public")
+        print("  init_skill.py my-api-helper --path skills/private")
+        print("  init_skill.py custom-skill --path /custom/location")
+        sys.exit(1)
+
+    skill_name = sys.argv[1]
+    path = sys.argv[3]
+
+    print(f"🚀 Initializing skill: {skill_name}")
+    print(f"   Location: {path}")
+    print()
+
+    result = init_skill(skill_name, path)
+
+    if result:
+        sys.exit(0)
+    else:
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/.claude/skills/skill-creator/scripts/package_skill.py b/.claude/skills/skill-creator/scripts/package_skill.py
new file mode 100644
index 000000000..5cd36cb16
--- /dev/null
+++ b/.claude/skills/skill-creator/scripts/package_skill.py
@@ -0,0 +1,110 @@
+#!/usr/bin/env python3
+"""
+Skill Packager - Creates a distributable .skill file of a skill folder
+
+Usage:
+    python utils/package_skill.py <path/to/skill-folder> [output-directory]
+
+Example:
+    python utils/package_skill.py skills/public/my-skill
+    python utils/package_skill.py skills/public/my-skill ./dist
+"""
+
+import sys
+import zipfile
+from pathlib import Path
+from quick_validate import validate_skill
+
+
+def package_skill(skill_path, output_dir=None):
+    """
+    Package a skill folder into a .skill file.
+
+    Args:
+        skill_path: Path to the skill folder
+        output_dir: Optional output directory for the .skill file (defaults to current directory)
+
+    Returns:
+        Path to the created .skill file, or None if error
+    """
+    skill_path = Path(skill_path).resolve()
+
+    # Validate skill folder exists
+    if not skill_path.exists():
+        print(f"❌ Error: Skill folder not found: {skill_path}")
+        return None
+
+    if not skill_path.is_dir():
+        print(f"❌ Error: Path is not a directory: {skill_path}")
+        return None
+
+    # Validate SKILL.md exists
+    skill_md = skill_path / "SKILL.md"
+    if not skill_md.exists():
+        print(f"❌ Error: SKILL.md not found in {skill_path}")
+        return None
+
+    # Run validation before packaging
+    print("🔍 Validating skill...")
+    valid, message = validate_skill(skill_path)
+    if not valid:
+        print(f"❌ Validation failed: {message}")
+        print("   Please fix the validation errors before packaging.")
+        return None
+    print(f"✅ {message}\n")
+
+    # Determine output location
+    skill_name = skill_path.name
+    if output_dir:
+        output_path = Path(output_dir).resolve()
+        output_path.mkdir(parents=True, exist_ok=True)
+    else:
+        output_path = Path.cwd()
+
+    skill_filename = output_path / f"{skill_name}.skill"
+
+    # Create the .skill file (zip format)
+    try:
+        with zipfile.ZipFile(skill_filename, 'w', zipfile.ZIP_DEFLATED) as zipf:
+            # Walk through the skill directory
+            for file_path in skill_path.rglob('*'):
+                if file_path.is_file():
+                    # Calculate the relative path within the zip
+                    arcname = file_path.relative_to(skill_path.parent)
+                    zipf.write(file_path, arcname)
+                    print(f"  Added: {arcname}")
+
+        print(f"\n✅ Successfully packaged skill to: {skill_filename}")
+        return skill_filename
+
+    except Exception as e:
+        print(f"❌ Error creating .skill file: {e}")
+        return None
+
+
+def main():
+    if len(sys.argv) < 2:
+        print("Usage: python utils/package_skill.py <path/to/skill-folder> [output-directory]")
+        print("\nExample:")
+        print("  python utils/package_skill.py skills/public/my-skill")
+        print("  python utils/package_skill.py skills/public/my-skill ./dist")
+        sys.exit(1)
+
+    skill_path = sys.argv[1]
+    output_dir = sys.argv[2] if len(sys.argv) > 2 else None
+
+    print(f"📦 Packaging skill: {skill_path}")
+    if output_dir:
+        print(f"   Output directory: {output_dir}")
+    print()
+
+    result = package_skill(skill_path, output_dir)
+
+    if result:
+        sys.exit(0)
+    else:
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/.claude/skills/skill-creator/scripts/quick_validate.py b/.claude/skills/skill-creator/scripts/quick_validate.py
new file mode 100644
index 000000000..d9fbeb75e
--- /dev/null
+++ b/.claude/skills/skill-creator/scripts/quick_validate.py
@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+"""
+Quick validation script for skills - minimal version
+"""
+
+import sys
+import os
+import re
+import yaml
+from pathlib import Path
+
+def validate_skill(skill_path):
+    """Basic validation of a skill"""
+    skill_path = Path(skill_path)
+
+    # Check SKILL.md exists
+    skill_md = skill_path / 'SKILL.md'
+    if not skill_md.exists():
+        return False, "SKILL.md not found"
+
+    # Read and validate frontmatter
+    content = skill_md.read_text()
+    if not content.startswith('---'):
+        return False, "No YAML frontmatter found"
+
+    # Extract frontmatter
+    match = re.match(r'^---\n(.*?)\n---', content, re.DOTALL)
+    if not match:
+        return False, "Invalid frontmatter format"
+
+    frontmatter_text = match.group(1)
+
+    # Parse YAML frontmatter
+    try:
+        frontmatter = yaml.safe_load(frontmatter_text)
+        if not isinstance(frontmatter, dict):
+            return False, "Frontmatter must be a YAML dictionary"
+    except yaml.YAMLError as e:
+        return False, f"Invalid YAML in frontmatter: {e}"
+
+    # Define allowed properties
+    ALLOWED_PROPERTIES = {'name', 'description', 'license', 'allowed-tools', 'metadata'}
+
+    # Check for unexpected properties (excluding nested keys under metadata)
+    unexpected_keys = set(frontmatter.keys()) - ALLOWED_PROPERTIES
+    if unexpected_keys:
+        return False, (
+            f"Unexpected key(s) in SKILL.md frontmatter: {', '.join(sorted(unexpected_keys))}. "
+            f"Allowed properties are: {', '.join(sorted(ALLOWED_PROPERTIES))}"
+        )
+
+    # Check required fields
+    if 'name' not in frontmatter:
+        return False, "Missing 'name' in frontmatter"
+    if 'description' not in frontmatter:
+        return False, "Missing 'description' in frontmatter"
+
+    # Extract name for validation
+    name = frontmatter.get('name', '')
+    if not isinstance(name, str):
+        return False, f"Name must be a string, got {type(name).__name__}"
+    name = name.strip()
+    if name:
+        # Check naming convention (hyphen-case: lowercase with hyphens)
+        if not re.match(r'^[a-z0-9-]+$', name):
+            return False, f"Name '{name}' should be hyphen-case (lowercase letters, digits, and hyphens only)"
+        if name.startswith('-') or name.endswith('-') or '--' in name:
+            return False, f"Name '{name}' cannot start/end with hyphen or contain consecutive hyphens"
+        # Check name length (max 64 characters per spec)
+        if len(name) > 64:
+            return False, f"Name is too long ({len(name)} characters). Maximum is 64 characters."
+
+    # Extract and validate description
+    description = frontmatter.get('description', '')
+    if not isinstance(description, str):
+        return False, f"Description must be a string, got {type(description).__name__}"
+    description = description.strip()
+    if description:
+        # Check for angle brackets
+        if '<' in description or '>' in description:
+            return False, "Description cannot contain angle brackets (< or >)"
+        # Check description length (max 1024 characters per spec)
+        if len(description) > 1024:
+            return False, f"Description is too long ({len(description)} characters). Maximum is 1024 characters."
+
+    return True, "Skill is valid!"
+
+if __name__ == "__main__":
+    if len(sys.argv) != 2:
+        print("Usage: python quick_validate.py <skill_directory>")
+        sys.exit(1)
+    
+    valid, message = validate_skill(sys.argv[1])
+    print(message)
+    sys.exit(0 if valid else 1)
\ No newline at end of file
diff --git a/.cursor/rules/frontend/page_layer_rules.mdc b/.cursor/rules/frontend/page_layer_rules.mdc
index a9c499729..b660522da 100644
--- a/.cursor/rules/frontend/page_layer_rules.mdc
+++ b/.cursor/rules/frontend/page_layer_rules.mdc
@@ -21,6 +21,9 @@ description: Page layer rules for Next.js App Router pages and layouts
 
 - Client components: `const { t } = useTranslation('namespace')`
 - Server components: `getTranslations` from `next-intl`
+
+
+
 - Organize translation keys by feature/namespace
 
 ### Data Fetching
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 000000000..7798227b1
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,42 @@
+# AGENTS
+
+<!-- Skills section removed -->
+
+<skills_system priority="1">
+
+## Available Skills
+
+<!-- SKILLS_TABLE_START -->
+<usage>
+When users ask you to perform tasks, check if any of the available skills below can help complete the task more effectively. Skills provide specialized capabilities and domain knowledge.
+
+How to use skills:
+- Invoke: `npx openskills read <skill-name>` (run in your shell)
+  - For multiple: `npx openskills read skill-one,skill-two`
+- The skill content will load with detailed instructions on how to complete the task
+- Base directory provided in output for resolving bundled resources (references/, scripts/, assets/)
+
+Usage notes:
+- Only use skills listed in <available_skills> below
+- Do not invoke a skill that is already loaded in your context
+- Each skill invocation is stateless
+</usage>
+
+<available_skills>
+
+<skill>
+<name>prompts-writing</name>
+<description>Create, refine, and optimize high-quality YAML prompts for AI assistants. Use when working with prompt templates, system prompts, agent prompts, or any prompt engineering tasks. Provides structure guidelines, template patterns, and quality standards for YAML-based prompts.</description>
+<location>project</location>
+</skill>
+
+<skill>
+<name>skill-creator</name>
+<description>Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends Claude's capabilities with specialized knowledge, workflows, or tool integrations.</description>
+<location>project</location>
+</skill>
+
+</available_skills>
+<!-- SKILLS_TABLE_END -->
+
+</skills_system>
diff --git a/backend/agents/create_agent_info.py b/backend/agents/create_agent_info.py
index d09029a97..4fd2411a7 100644
--- a/backend/agents/create_agent_info.py
+++ b/backend/agents/create_agent_info.py
@@ -15,7 +15,6 @@
     get_vector_db_core,
     get_embedding_model,
 )
-from services.tenant_config_service import get_selected_knowledge_list, build_knowledge_name_mapping
 from services.remote_mcp_service import get_remote_mcp_server_list
 from services.memory_config_service import build_memory_context
 from services.image_service import get_vlm_model
@@ -146,20 +145,16 @@ async def create_agent_config(
     try:
         for tool in tool_list:
             if "KnowledgeBaseSearchTool" == tool.class_name:
-                knowledge_info_list = get_selected_knowledge_list(
-                    tenant_id=tenant_id, user_id=user_id)
-                if knowledge_info_list:
-                    for knowledge_info in knowledge_info_list:
-                        if knowledge_info.get('knowledge_sources') != 'elasticsearch':
-                            continue
-                        knowledge_name = knowledge_info.get("index_name")
+                index_names = tool.params.get("index_names")
+                if index_names:
+                    for index_name in index_names:
                         try:
-                            message = ElasticSearchService().get_summary(index_name=knowledge_name)
+                            message = ElasticSearchService().get_summary(index_name=index_name)
                             summary = message.get("summary", "")
-                            knowledge_base_summary += f"**{knowledge_name}**: {summary}\n\n"
+                            knowledge_base_summary += f"**{index_name}**: {summary}\n\n"
                         except Exception as e:
                             logger.warning(
-                                f"Failed to get summary for knowledge base {knowledge_name}: {e}")
+                                f"Failed to get summary for knowledge base {index_name}: {e}")
                 else:
                     # TODO: Prompt should be refactored to yaml file
                     knowledge_base_summary = "当前没有可用的知识库索引。\n" if language == 'zh' else "No knowledge base indexes are currently available.\n"
@@ -238,24 +233,9 @@ async def create_tool_config_list(agent_id, tenant_id, user_id):
 
         # special logic for knowledge base search tool
         if tool_config.class_name == "KnowledgeBaseSearchTool":
-            knowledge_info_list = get_selected_knowledge_list(
-                tenant_id=tenant_id, user_id=user_id)
-            index_names = [knowledge_info.get(
-                "index_name") for knowledge_info in knowledge_info_list if knowledge_info.get('knowledge_sources') == 'elasticsearch']
-            tool_config.metadata = {
-                "index_names": index_names,
+           tool_config.metadata = {
                 "vdb_core": get_vector_db_core(),
                 "embedding_model": get_embedding_model(tenant_id=tenant_id),
-                "name_resolver": build_knowledge_name_mapping(tenant_id=tenant_id, user_id=user_id),
-            }
-        elif tool_config.class_name == "DataMateSearchTool":
-            knowledge_info_list = get_selected_knowledge_list(
-                tenant_id=tenant_id, user_id=user_id)
-            index_names = [knowledge_info.get(
-                "index_name") for knowledge_info in knowledge_info_list if
-                knowledge_info.get('knowledge_sources') == 'datamate']
-            tool_config.metadata = {
-                "index_names": index_names,
             }
         elif tool_config.class_name == "AnalyzeTextFileTool":
             tool_config.metadata = {
diff --git a/backend/apps/agent_app.py b/backend/apps/agent_app.py
index 72fa198ca..7a9ce7d6d 100644
--- a/backend/apps/agent_app.py
+++ b/backend/apps/agent_app.py
@@ -2,9 +2,11 @@
 from http import HTTPStatus
 from typing import Optional
 
-from fastapi import APIRouter, Body, Header, HTTPException, Request
+from fastapi import APIRouter, Body, Header, HTTPException, Request, Query
+from fastapi.encoders import jsonable_encoder
+from starlette.responses import JSONResponse
 
-from consts.model import AgentRequest, AgentInfoRequest, AgentIDRequest, ConversationResponse, AgentImportRequest, AgentNameBatchCheckRequest, AgentNameBatchRegenerateRequest
+from consts.model import AgentRequest, AgentInfoRequest, AgentIDRequest, ConversationResponse, AgentImportRequest, AgentNameBatchCheckRequest, AgentNameBatchRegenerateRequest, VersionPublishRequest, VersionListResponse, VersionDetailResponse, VersionRollbackRequest, VersionStatusRequest, CurrentVersionResponse, VersionCompareRequest
 from services.agent_service import (
     get_agent_info_impl,
     get_creating_sub_agent_info_impl,
@@ -20,6 +22,18 @@
     get_agent_call_relationship_impl,
     clear_agent_new_mark_impl
 )
+from services.agent_version_service import (
+    publish_version_impl,
+    get_version_list_impl,
+    get_version_impl,
+    get_version_detail_impl,
+    rollback_version_impl,
+    update_version_status_impl,
+    delete_version_impl,
+    get_current_version_impl,
+    compare_versions_impl,
+    list_published_agents_impl,
+)
 from utils.auth_utils import get_current_user_info, get_current_user_id
 
 # Import monitoring utilities
@@ -63,13 +77,22 @@ async def agent_stop_api(conversation_id: int, authorization: Optional[str] = He
 
 
 @agent_config_router.post("/search_info")
-async def search_agent_info_api(agent_id: int = Body(...), authorization: Optional[str] = Header(None)):
+async def search_agent_info_api(
+    agent_id: int = Body(...),
+    version_no: int = Body(0),
+    tenant_id: Optional[str] = Query(
+        None, description="Tenant ID for filtering (uses auth if not provided)"),
+    authorization: Optional[str] = Header(None)
+):
     """
-    Search agent info by agent_id
+    Search agent info by agent_id and version_no
+    version_no defaults to 0 (current/draft version)
     """
     try:
-        _, tenant_id = get_current_user_id(authorization)
-        return await get_agent_info_impl(agent_id, tenant_id)
+        _, auth_tenant_id = get_current_user_id(authorization)
+        # Use explicit tenant_id if provided, otherwise fall back to auth tenant_id
+        effective_tenant_id = tenant_id or auth_tenant_id
+        return await get_agent_info_impl(agent_id, effective_tenant_id, version_no)
     except Exception as e:
         logger.error(f"Agent search info error: {str(e)}")
         raise HTTPException(
@@ -104,12 +127,21 @@ async def update_agent_info_api(request: AgentInfoRequest, authorization: Option
 
 
 @agent_config_router.delete("")
-async def delete_agent_api(request: AgentIDRequest, authorization: Optional[str] = Header(None)):
+async def delete_agent_api(
+    request: AgentIDRequest,
+    tenant_id: Optional[str] = Query(
+        None, description="Tenant ID for filtering (uses auth if not provided)"),
+    authorization: Optional[str] = Header(None),
+    http_request: Request = None
+):
     """
     Delete an agent
     """
     try:
-        await delete_agent_impl(request.agent_id, authorization)
+        user_id, auth_tenant_id, _ = get_current_user_info(authorization, http_request)
+        # Use explicit tenant_id if provided, otherwise fall back to auth tenant_id
+        effective_tenant_id = tenant_id or auth_tenant_id
+        await delete_agent_impl(request.agent_id, effective_tenant_id, user_id)
         return {}
     except Exception as e:
         logger.error(f"Agent delete error: {str(e)}")
@@ -195,13 +227,20 @@ async def regenerate_agent_name_batch_api(request: AgentNameBatchRegenerateReque
 
 
 @agent_config_router.get("/list")
-async def list_all_agent_info_api(authorization: Optional[str] = Header(None), request: Request = None):
+async def list_all_agent_info_api(
+    tenant_id: Optional[str] = Query(
+        None, description="Tenant ID for filtering (uses auth if not provided)"),
+    authorization: Optional[str] = Header(None),
+    request: Request = None
+):
     """
     list all agent info
     """
     try:
-        _, tenant_id, _ = get_current_user_info(authorization, request)
-        return await list_all_agent_info_impl(tenant_id=tenant_id)
+        user_id, auth_tenant_id, _ = get_current_user_info(authorization, request)
+        # Use explicit tenant_id if provided, otherwise fall back to auth tenant_id
+        effective_tenant_id = tenant_id or auth_tenant_id
+        return await list_all_agent_info_impl(tenant_id=effective_tenant_id, user_id=user_id)
     except Exception as e:
         logger.error(f"Agent list error: {str(e)}")
         raise HTTPException(
@@ -220,3 +259,251 @@ async def get_agent_call_relationship_api(agent_id: int, authorization: Optional
         logger.error(f"Agent call relationship error: {str(e)}")
         raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
                             detail="Failed to get agent call relationship.")
+
+
+# Agent Version Management APIs
+# ---------------------------------------------------------------------------
+
+
+@agent_config_router.post("/{agent_id}/publish")
+async def publish_version_api(
+    agent_id: int,
+    request: VersionPublishRequest,
+    authorization: str = Header(None),
+):
+    """
+    Publish a new version
+    """
+    try:
+        user_id, tenant_id = get_current_user_id(authorization)
+        result = publish_version_impl(
+            agent_id=agent_id,
+            tenant_id=tenant_id,
+            user_id=user_id,
+            version_name=request.version_name,
+            release_note=request.release_note,
+        )
+        return JSONResponse(status_code=HTTPStatus.OK, content=result)
+    except ValueError as e:
+        raise HTTPException(status_code=HTTPStatus.BAD_REQUEST, detail=str(e))
+    except Exception as e:
+        logger.error(f"Publish version error: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail="Publish version error.")
+
+
+@agent_config_router.post("/{agent_id}/versions/compare")
+async def compare_versions_api(
+    agent_id: int,
+    request: VersionCompareRequest,
+    authorization: str = Header(None),
+):
+    """
+    Compare two versions and return their differences
+    """
+    try:
+        _, tenant_id = get_current_user_id(authorization)
+        result = compare_versions_impl(
+            agent_id=agent_id,
+            tenant_id=tenant_id,
+            version_no_a=request.version_no_a,
+            version_no_b=request.version_no_b,
+        )
+        return JSONResponse(status_code=HTTPStatus.OK, content=jsonable_encoder(result))
+    except ValueError as e:
+        raise HTTPException(status_code=HTTPStatus.BAD_REQUEST, detail=str(e))
+    except Exception as e:
+        logger.error(f"Compare versions error: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail="Compare versions error.")
+
+
+@agent_config_router.get("/{agent_id}/versions", response_model=VersionListResponse)
+async def get_version_list_api(
+    agent_id: int,
+    tenant_id: Optional[str] = Query(
+        None, description="Tenant ID for filtering (uses auth if not provided)"),
+    authorization: Optional[str] = Header(None),
+    request: Request = None
+):
+    """
+    Get version list for an agent
+    """
+    try:
+        user_id, auth_tenant_id, _ = get_current_user_info(authorization, request)
+        # Use explicit tenant_id if provided, otherwise fall back to auth tenant_id
+        effective_tenant_id = tenant_id or auth_tenant_id
+        logger.info(f"Get version list for agent_id: {agent_id}, tenant_id: {effective_tenant_id}")
+        result = get_version_list_impl(
+            agent_id=agent_id,
+            tenant_id=effective_tenant_id,
+        )
+        logger.info(f"Version list: {result}")
+        return JSONResponse(status_code=HTTPStatus.OK, content=jsonable_encoder(result))
+    except Exception as e:
+        logger.error(f"Get version list error: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail="Get version list error.")
+
+
+@agent_config_router.get("/{agent_id}/versions/{version_no}", response_model=VersionDetailResponse)
+async def get_version_api(
+    agent_id: int,
+    version_no: int,
+    authorization: str = Header(None),
+):
+    """
+    Get version
+    """
+    try:
+        _, tenant_id = get_current_user_id(authorization)
+        result = get_version_impl(
+            agent_id=agent_id,
+            tenant_id=tenant_id,
+            version_no=version_no,
+        )
+        return JSONResponse(status_code=HTTPStatus.OK, content=jsonable_encoder(result))
+    except ValueError as e:
+        raise HTTPException(status_code=HTTPStatus.NOT_FOUND, detail=str(e))
+    except Exception as e:
+        logger.error(f"Get version detail error: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail="Get version detail error.")
+
+@agent_config_router.get("/{agent_id}/versions/{version_no}/detail", response_model=VersionDetailResponse)
+async def get_version_detail_api(
+    agent_id: int,
+    version_no: int,
+    authorization: str = Header(None),
+):
+    """
+    Get version detail including snapshot data
+    """
+    try:
+        _, tenant_id = get_current_user_id(authorization)
+        result = get_version_detail_impl(
+            agent_id=agent_id,
+            tenant_id=tenant_id,
+            version_no=version_no,
+        )
+        return JSONResponse(status_code=HTTPStatus.OK, content=jsonable_encoder(result))
+    except ValueError as e:
+        raise HTTPException(status_code=HTTPStatus.NOT_FOUND, detail=str(e))
+    except Exception as e:
+        logger.error(f"Get version detail error: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail="Get version detail error.")
+
+
+@agent_config_router.post("/{agent_id}/versions/{version_no}/rollback")
+async def rollback_version_api(
+    agent_id: int,
+    version_no: int,
+    authorization: str = Header(None),
+):
+    """
+    Rollback to a specific version by updating current_version_no only.
+    This does NOT create a new version - the draft will point to the target version.
+    Use the publish endpoint to create an actual new version after rollback.
+    """
+    try:
+        _, tenant_id = get_current_user_id(authorization)
+        result = rollback_version_impl(
+            agent_id=agent_id,
+            tenant_id=tenant_id,
+            target_version_no=version_no,
+        )
+        return JSONResponse(status_code=HTTPStatus.OK, content=result)
+    except ValueError as e:
+        raise HTTPException(status_code=HTTPStatus.BAD_REQUEST, detail=str(e))
+    except Exception as e:
+        logger.error(f"Rollback version error: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail="Rollback version error.")
+
+
+@agent_config_router.patch("/{agent_id}/versions/{version_no}/status")
+async def update_version_status_api(
+    agent_id: int,
+    version_no: int,
+    request: VersionStatusRequest,
+    authorization: str = Header(None),
+):
+    """
+    Update version status (DISABLED / ARCHIVED)
+    """
+    try:
+        user_id, tenant_id = get_current_user_id(authorization)
+        result = update_version_status_impl(
+            agent_id=agent_id,
+            tenant_id=tenant_id,
+            user_id=user_id,
+            version_no=version_no,
+            status=request.status,
+        )
+        return JSONResponse(status_code=HTTPStatus.OK, content=result)
+    except ValueError as e:
+        raise HTTPException(status_code=HTTPStatus.BAD_REQUEST, detail=str(e))
+    except Exception as e:
+        logger.error(f"Update version status error: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail="Update version status error.")
+
+
+@agent_config_router.delete("/{agent_id}/versions/{version_no}")
+async def delete_version_api(
+    agent_id: int,
+    version_no: int,
+    authorization: str = Header(None),
+):
+    """
+    Delete a version (soft delete by setting delete_flag='Y')
+    """
+    try:
+        user_id, tenant_id = get_current_user_id(authorization)
+        result = delete_version_impl(
+            agent_id=agent_id,
+            tenant_id=tenant_id,
+            user_id=user_id,
+            version_no=version_no,
+        )
+        return JSONResponse(status_code=HTTPStatus.OK, content=result)
+    except ValueError as e:
+        raise HTTPException(status_code=HTTPStatus.BAD_REQUEST, detail=str(e))
+    except Exception as e:
+        logger.error(f"Delete version error: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail="Delete version error.")
+
+
+@agent_config_router.get("/{agent_id}/current_version", response_model=CurrentVersionResponse)
+async def get_current_version_api(
+    agent_id: int,
+    authorization: str = Header(None),
+):
+    """
+    Get current published version
+    """
+    try:
+        _, tenant_id = get_current_user_id(authorization)
+        result = get_current_version_impl(
+            agent_id=agent_id,
+            tenant_id=tenant_id,
+        )
+        return JSONResponse(status_code=HTTPStatus.OK, content=jsonable_encoder(result))
+    except ValueError as e:
+        raise HTTPException(status_code=HTTPStatus.NOT_FOUND, detail=str(e))
+    except Exception as e:
+        logger.error(f"Get current version error: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail="Get current version error.")
+
+
+@agent_config_router.get("/published_list")
+async def list_published_agents_api(
+    authorization: Optional[str] = Header(None),
+    request: Request = None,
+):
+    """
+    List all published agents with their current published version information.
+    """
+    try:
+        user_id, tenant_id, _ = get_current_user_info(authorization, request)
+        return await list_published_agents_impl(tenant_id=tenant_id, user_id=user_id)
+    except Exception as e:
+        logger.error(f"Published agents list error: {str(e)}")
+        raise HTTPException(
+            status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail="Published agents list error."
+        )
+
diff --git a/backend/apps/config_app.py b/backend/apps/config_app.py
index db979ac98..8691b15e0 100644
--- a/backend/apps/config_app.py
+++ b/backend/apps/config_app.py
@@ -8,6 +8,7 @@
 from apps.config_sync_app import router as config_sync_router
 from apps.datamate_app import router as datamate_router
 from apps.vectordatabase_app import router as vectordatabase_router
+from apps.dify_app import router as dify_router
 from apps.file_management_app import file_management_config_router as file_manager_router
 from apps.image_app import router as proxy_router
 from apps.knowledge_summary_app import router as summary_router
@@ -50,6 +51,7 @@
 app.include_router(file_manager_router)
 app.include_router(proxy_router)
 app.include_router(tool_config_router)
+app.include_router(dify_router)
 
 # Choose user management router based on IS_SPEED_MODE
 if IS_SPEED_MODE:
diff --git a/backend/apps/datamate_app.py b/backend/apps/datamate_app.py
index 8139b2982..ca88648a4 100644
--- a/backend/apps/datamate_app.py
+++ b/backend/apps/datamate_app.py
@@ -3,21 +3,31 @@
 
 from fastapi import APIRouter, Header, HTTPException, Path
 from fastapi.responses import JSONResponse
+from fastapi import Body
+from pydantic import BaseModel
 from http import HTTPStatus
 
 from services.datamate_service import (
     sync_datamate_knowledge_bases_and_create_records,
-    fetch_datamate_knowledge_base_file_list
+    fetch_datamate_knowledge_base_file_list,
+    check_datamate_connection
 )
 from utils.auth_utils import get_current_user_id
+from consts.exceptions import DataMateConnectionError
 
 router = APIRouter(prefix="/datamate")
 logger = logging.getLogger("datamate_app")
 
 
+class SyncDatamateRequest(BaseModel):
+    """Request body for syncing DataMate knowledge bases."""
+    datamate_url: Optional[str] = None
+
+
 @router.post("/sync_datamate_knowledges")
 async def sync_datamate_knowledges(
-    authorization: Optional[str] = Header(None)
+    authorization: Optional[str] = Header(None),
+    request: SyncDatamateRequest = Body(None)
 ):
     """Sync DataMate knowledge bases and create knowledge records in local database."""
     try:
@@ -25,8 +35,12 @@ async def sync_datamate_knowledges(
 
         return await sync_datamate_knowledge_bases_and_create_records(
             tenant_id=tenant_id,
-            user_id=user_id
+            user_id=user_id,
+            datamate_url=request.datamate_url if request else None
         )
+    except DataMateConnectionError as e:
+        raise HTTPException(
+            status_code=HTTPStatus.BAD_REQUEST, detail=str(e))
     except Exception as e:
         raise HTTPException(
             status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail=f"Error syncing DataMate knowledge bases and creating records: {str(e)}")
@@ -38,7 +52,7 @@ async def get_datamate_knowledge_base_files_endpoint(
                                   description="ID of the DataMate knowledge base"),
     authorization: Optional[str] = Header(None)
 ):
-    """Get all files from a DataMate knowledge base."""
+    """Get all files from a specific DataMate knowledge base."""
     try:
         user_id, tenant_id = get_current_user_id(authorization)
         result = await fetch_datamate_knowledge_base_file_list(knowledge_base_id, tenant_id)
@@ -46,3 +60,40 @@ async def get_datamate_knowledge_base_files_endpoint(
     except Exception as e:
         raise HTTPException(
             status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail=f"Error fetching DataMate knowledge base files: {str(e)}")
+
+
+@router.post("/test_connection")
+async def test_datamate_connection_endpoint(
+    authorization: Optional[str] = Header(None),
+    request: SyncDatamateRequest = Body(None)
+):
+    """
+    Test connection to DataMate server.
+
+    Returns:
+        JSON with success status and message
+    """
+    try:
+        user_id, tenant_id = get_current_user_id(authorization)
+        datamate_url = request.datamate_url if request else None
+
+        # Test the connection
+        is_connected, error_message = await check_datamate_connection(tenant_id, datamate_url)
+
+        if is_connected:
+            return JSONResponse(
+                status_code=HTTPStatus.OK,
+                content={"success": True, "message": "Connection successful"}
+            )
+        else:
+            raise HTTPException(
+                status_code=HTTPStatus.BAD_REQUEST,
+                detail=f"Cannot connect to DataMate server: {error_message}"
+            )
+    except HTTPException:
+        raise
+    except Exception as e:
+        raise HTTPException(
+            status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
+            detail=f"Error testing DataMate connection: {str(e)}"
+        )
diff --git a/backend/apps/dify_app.py b/backend/apps/dify_app.py
new file mode 100644
index 000000000..c7d9321af
--- /dev/null
+++ b/backend/apps/dify_app.py
@@ -0,0 +1,71 @@
+"""
+Dify App Layer
+FastAPI endpoints for Dify knowledge base operations.
+
+This module provides API endpoints to interact with Dify's datasets API,
+including fetching knowledge bases and transforming responses to a format
+compatible with the frontend.
+"""
+import logging
+from http import HTTPStatus
+from typing import Optional
+
+from fastapi import APIRouter, Header, HTTPException, Query
+from fastapi.responses import JSONResponse
+
+from services.dify_service import fetch_dify_datasets_impl
+from utils.auth_utils import get_current_user_id
+
+router = APIRouter(prefix="/dify")
+logger = logging.getLogger("dify_app")
+
+
+@router.get("/datasets")
+async def fetch_dify_datasets_api(
+    dify_api_base: str = Query(..., description="Dify API base URL"),
+    api_key: str = Query(..., description="Dify API key"),
+    authorization: Optional[str] = Header(None)
+):
+    """
+    Fetch datasets (knowledge bases) from Dify API.
+
+    Returns knowledge bases in a format consistent with DataMate for frontend compatibility.
+    """
+    try:
+        # Normalize URL by removing trailing slash
+        dify_api_base = dify_api_base.rstrip('/')
+    except Exception as e:
+        raise HTTPException(
+            status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
+            detail=f"Failed to fetch Dify datasets: {str(e)}"
+        )
+
+    try:
+        _, tenant_id = get_current_user_id(authorization)
+    except Exception as e:
+        raise HTTPException(
+            status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
+            detail=f"Failed to fetch Dify datasets: {str(e)}"
+        )
+
+    try:
+        result = fetch_dify_datasets_impl(
+            dify_api_base=dify_api_base,
+            api_key=api_key,
+        )
+        return JSONResponse(
+            status_code=HTTPStatus.OK,
+            content=result
+        )
+    except ValueError as e:
+        logger.warning(f"Invalid Dify configuration: {e}")
+        raise HTTPException(
+            status_code=HTTPStatus.BAD_REQUEST,
+            detail=str(e)
+        )
+    except Exception as e:
+        logger.error(f"Failed to fetch Dify datasets: {e}")
+        raise HTTPException(
+            status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
+            detail=f"Failed to fetch Dify datasets: {str(e)}"
+        )
diff --git a/backend/apps/invitation_app.py b/backend/apps/invitation_app.py
index 44d1e5934..2aa3edc9e 100644
--- a/backend/apps/invitation_app.py
+++ b/backend/apps/invitation_app.py
@@ -11,7 +11,7 @@
 from consts.model import (
     InvitationCreateRequest, InvitationUpdateRequest, InvitationListRequest
 )
-from consts.exceptions import NotFoundException, ValidationError, UnauthorizedError
+from consts.exceptions import NotFoundException, ValidationError, UnauthorizedError, DuplicateError
 from services.invitation_service import (
     create_invitation_code, update_invitation_code, get_invitation_by_code,
     check_invitation_available, use_invitation_code, update_invitation_code_status,
@@ -131,6 +131,12 @@ async def create_invitation_endpoint(
             status_code=HTTPStatus.BAD_REQUEST,
             detail=str(exc)
         )
+    except DuplicateError as exc:
+        logger.warning(f"Duplicate invitation code: {str(exc)}")
+        raise HTTPException(
+            status_code=HTTPStatus.CONFLICT,
+            detail=str(exc)
+        )
     except NotFoundException as exc:
         logger.warning(f"User not found during invitation creation: {str(exc)}")
         raise HTTPException(
@@ -279,6 +285,40 @@ async def get_invitation_endpoint(invitation_code: str) -> JSONResponse:
         )
 
 
+@router.get("/{invitation_code}/check")
+async def check_invitation_code_endpoint(invitation_code: str) -> JSONResponse:
+    """
+    Check if invitation code already exists
+
+    Args:
+        invitation_code: Invitation code to check
+
+    Returns:
+        JSONResponse: Check result with exists flag
+    """
+    try:
+        invitation_info = get_invitation_by_code(invitation_code)
+        exists = invitation_info is not None
+
+        return JSONResponse(
+            status_code=HTTPStatus.OK,
+            content={
+                "message": "Invitation code check completed",
+                "data": {
+                    "invitation_code": invitation_code,
+                    "exists": exists
+                }
+            }
+        )
+
+    except Exception as exc:
+        logger.error(f"Unexpected error checking invitation code {invitation_code}: {str(exc)}")
+        raise HTTPException(
+            status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
+            detail="Failed to check invitation code"
+        )
+
+
 @router.delete("/{invitation_code}")
 async def delete_invitation_endpoint(
     invitation_code: str,
diff --git a/backend/apps/mock_user_management_app.py b/backend/apps/mock_user_management_app.py
index 885d7e23c..8e9f6adc3 100644
--- a/backend/apps/mock_user_management_app.py
+++ b/backend/apps/mock_user_management_app.py
@@ -6,7 +6,9 @@
 from http import HTTPStatus
 
 from consts.const import MOCK_USER, MOCK_SESSION
+from consts.exceptions import UnauthorizedError
 from consts.model import UserSignInRequest, UserSignUpRequest
+from services.user_management_service import get_user_info
 
 logger = logging.getLogger("mock_user_management_app")
 router = APIRouter(prefix="/user", tags=["user"])
@@ -21,7 +23,7 @@ async def service_health():
         return JSONResponse(status_code=HTTPStatus.OK, content={"message": "Auth service is available"})
     except Exception as e:
         logger.error(f"Service health check failed: {str(e)}")
-        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, 
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
                           detail="Service health check failed")
 
 
@@ -39,7 +41,7 @@ async def signup(request: UserSignUpRequest):
             success_message = "🎉 Admin account registered successfully! You now have system management permissions."
         else:
             success_message = "🎉 User account registered successfully! Please start experiencing the AI assistant service."
-        
+
         user_data = {
             "user": {
                 "id": MOCK_USER["id"],
@@ -54,12 +56,12 @@ async def signup(request: UserSignUpRequest):
             },
             "registration_type": "admin" if request.is_admin else "user"
         }
-        
+
         return JSONResponse(status_code=HTTPStatus.OK,
                             content={"message": success_message, "data": user_data})
     except Exception as e:
         logger.error(f"User signup failed: {str(e)}")
-        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, 
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
                           detail="User registration failed")
 
 
@@ -88,11 +90,11 @@ async def signin(request: UserSignInRequest):
                 }
             }
         }
-        
+
         return JSONResponse(status_code=HTTPStatus.OK, content=signin_content)
     except Exception as e:
         logger.error(f"User signin failed: {str(e)}")
-        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, 
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
                           detail="User login failed")
 
 
@@ -106,7 +108,7 @@ async def user_refresh_token(request: Request):
 
         # In speed/mock mode, extend for a very long time (10 years)
         new_expires_at = int((datetime.now() + timedelta(days=3650)).timestamp())
-        
+
         session_info = {
             "access_token": f"mock_access_token_{new_expires_at}",
             "refresh_token": f"mock_refresh_token_{new_expires_at}",
@@ -118,7 +120,7 @@ async def user_refresh_token(request: Request):
                             content={"message": "Token refresh successful", "data": {"session": session_info}})
     except Exception as e:
         logger.error(f"Token refresh failed: {str(e)}")
-        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, 
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
                           detail="Token refresh failed")
 
 
@@ -134,7 +136,7 @@ async def logout(request: Request):
                             content={"message": "Logout successful"})
     except Exception as e:
         logger.error(f"User logout failed: {str(e)}")
-        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, 
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
                           detail="User logout failed")
 
 
@@ -152,13 +154,13 @@ async def get_session(request: Request):
                 "role": MOCK_USER["role"]
             }
         }
-        
+
         return JSONResponse(status_code=HTTPStatus.OK,
                          content={"message": "Session is valid",
                                   "data": data})
     except Exception as e:
         logger.error(f"Session validation failed: {str(e)}")
-        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, 
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
                           detail="Session validation failed")
 
 
@@ -174,5 +176,29 @@ async def get_user_id(request: Request):
                                      "data": {"user_id": MOCK_USER["id"]}})
     except Exception as e:
         logger.error(f"Get user ID failed: {str(e)}")
-        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, 
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
                           detail="Failed to get user ID")
+
+
+@router.get("/current_user_info")
+async def get_user_information(request: Request):
+    """Get current user information including user ID, group IDs, tenant ID, and role"""
+    try:
+        # In mock mode, always get user ID by MOCK_USER
+        user_id = MOCK_USER["id"]
+        # Get user information
+        user_info = await get_user_info(user_id)
+        if not user_info:
+            raise UnauthorizedError("User information not found")
+
+        return JSONResponse(status_code=HTTPStatus.OK,
+                            content={"message": "Success",
+                                     "data": user_info})
+    except UnauthorizedError as e:
+        logging.error(f"Get user information unauthorized: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.UNAUTHORIZED,
+                            detail="User not logged in or session invalid")
+    except Exception as e:
+        logging.error(f"Get user information failed: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
+                            detail="Get user information failed")
diff --git a/backend/apps/model_managment_app.py b/backend/apps/model_managment_app.py
index 0c3c7a8cf..0a5a04139 100644
--- a/backend/apps/model_managment_app.py
+++ b/backend/apps/model_managment_app.py
@@ -18,6 +18,15 @@
     BatchCreateModelsRequest,
     ModelRequest,
     ProviderModelRequest,
+    ManageTenantModelListRequest,
+    ManageTenantModelListResponse,
+    ManageTenantModelCreateRequest,
+    ManageTenantModelUpdateRequest,
+    ManageTenantModelDeleteRequest,
+    ManageTenantModelHealthcheckRequest,
+    ManageBatchCreateModelsRequest,
+    ManageProviderModelListRequest,
+    ManageProviderModelCreateRequest,
 )
 
 from fastapi import APIRouter, Header, Query, HTTPException
@@ -39,6 +48,7 @@
     delete_model_for_tenant,
     list_models_for_tenant,
     list_llm_models_for_tenant,
+    list_models_for_admin,
 )
 from utils.auth_utils import get_current_user_id
 
@@ -335,3 +345,319 @@ async def check_temporary_model_health(request: ModelRequest):
         logging.error(f"Failed to verify model connectivity: {str(e)}")
         raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
                             detail=str(e))
+
+
+# Manage Tenant Model CRUD Endpoints
+# ---------------------------------------------------------------------------
+
+@router.post("/manage/healthcheck")
+async def manage_check_model_health(
+    request: ManageTenantModelHealthcheckRequest,
+    authorization: Optional[str] = Header(None)
+):
+    """Check and update model connectivity for a specified tenant (admin/manage operation).
+
+    This endpoint allows checking connectivity for any tenant's model, typically used by super admins.
+
+    Args:
+        request: Query request with target tenant_id and model display_name.
+        authorization: Bearer token header used to derive `user_id`.
+
+    Returns:
+        Connectivity check result with updated status.
+    """
+    try:
+        user_id, _ = get_current_user_id(authorization)
+        logger.debug(
+            f"Start to check model connectivity for tenant, user_id: {user_id}, "
+            f"target_tenant_id: {request.tenant_id}, display_name: {request.display_name}")
+
+        result = await check_model_connectivity(request.display_name, request.tenant_id)
+        return JSONResponse(status_code=HTTPStatus.OK, content={
+            "message": "Successfully checked model connectivity",
+            "data": result
+        })
+    except LookupError as e:
+        logging.error(f"Failed to check model connectivity for tenant: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.NOT_FOUND, detail=str(e))
+    except ValueError as e:
+        logging.error(f"Invalid model configuration: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.BAD_REQUEST, detail=str(e))
+    except Exception as e:
+        logging.error(f"Failed to check model connectivity for tenant: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail=str(e))
+
+
+@router.post("/manage/create")
+async def manage_create_model(
+    request: ManageTenantModelCreateRequest,
+    authorization: Optional[str] = Header(None)
+):
+    """Create a model in a specified tenant (admin/manage operation).
+
+    This endpoint allows creating models for any tenant, typically used by super admins.
+
+    Args:
+        request: Model configuration with target tenant_id.
+        authorization: Bearer token header used to derive `user_id`.
+
+    Returns:
+        Success message on successful creation.
+    """
+    try:
+        user_id, _ = get_current_user_id(authorization)
+        logger.debug(
+            f"Start to create model for tenant, user_id: {user_id}, target_tenant_id: {request.tenant_id}")
+
+        model_data = request.model_dump(exclude={'tenant_id'})
+        await create_model_for_tenant(user_id, request.tenant_id, model_data)
+        return JSONResponse(status_code=HTTPStatus.OK, content={
+            "message": "Model created successfully",
+            "data": {"tenant_id": request.tenant_id}
+        })
+    except ValueError as e:
+        logging.error(f"Failed to create model for tenant: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.CONFLICT, detail=str(e))
+    except Exception as e:
+        logging.error(f"Failed to create model for tenant: {str(e)}")
+        raise HTTPException(
+            status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail=str(e))
+
+
+@router.post("/manage/update")
+async def manage_update_model(
+    request: ManageTenantModelUpdateRequest,
+    authorization: Optional[str] = Header(None)
+):
+    """Update a model in a specified tenant (admin/manage operation).
+
+    This endpoint allows updating models for any tenant, typically used by super admins.
+
+    Args:
+        request: Update payload with target tenant_id and current display_name.
+        authorization: Bearer token header used to derive `user_id`.
+
+    Returns:
+        Success message on successful update.
+    """
+    try:
+        user_id, _ = get_current_user_id(authorization)
+        logger.debug(
+            f"Start to update model for tenant, user_id: {user_id}, target_tenant_id: {request.tenant_id}, "
+            f"current_display_name: {request.current_display_name}")
+
+        model_data = request.model_dump(exclude={'tenant_id', 'current_display_name'}, exclude_unset=True)
+        await update_single_model_for_tenant(
+            user_id, request.tenant_id, request.current_display_name, model_data
+        )
+        return JSONResponse(status_code=HTTPStatus.OK, content={
+            "message": "Model updated successfully",
+            "data": {"tenant_id": request.tenant_id}
+        })
+    except LookupError as e:
+        logging.error(f"Failed to update model for tenant: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.NOT_FOUND, detail=str(e))
+    except ValueError as e:
+        logging.error(f"Failed to update model for tenant: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.CONFLICT, detail=str(e))
+    except Exception as e:
+        logging.error(f"Failed to update model for tenant: {str(e)}")
+        raise HTTPException(
+            status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail=str(e))
+
+
+@router.post("/manage/delete")
+async def manage_delete_model(
+    request: ManageTenantModelDeleteRequest,
+    authorization: Optional[str] = Header(None)
+):
+    """Delete a model from a specified tenant (admin/manage operation).
+
+    This endpoint allows deleting models from any tenant, typically used by super admins.
+
+    Args:
+        request: Delete request with target tenant_id and display_name.
+        authorization: Bearer token header used to derive `user_id`.
+
+    Returns:
+        Success message with deleted model name.
+    """
+    try:
+        user_id, _ = get_current_user_id(authorization)
+        logger.debug(
+            f"Start to delete model for tenant, user_id: {user_id}, target_tenant_id: {request.tenant_id}, "
+            f"display_name: {request.display_name}")
+
+        model_name = await delete_model_for_tenant(
+            user_id, request.tenant_id, request.display_name
+        )
+        return JSONResponse(status_code=HTTPStatus.OK, content={
+            "message": "Model deleted successfully",
+            "data": {
+                "tenant_id": request.tenant_id,
+                "display_name": model_name
+            }
+        })
+    except LookupError as e:
+        logging.error(f"Failed to delete model for tenant: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.NOT_FOUND, detail=str(e))
+    except Exception as e:
+        logging.error(f"Failed to delete model for tenant: {str(e)}")
+        raise HTTPException(
+            status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail=str(e))
+
+
+@router.post("/manage/batch_create")
+async def manage_batch_create_models(
+    request: ManageBatchCreateModelsRequest,
+    authorization: Optional[str] = Header(None)
+):
+    """Batch create/update models in a specified tenant (admin/manage operation).
+
+    This endpoint synchronizes provider models for any tenant by creating/updating/deleting records.
+    Typically used by super admins to bulk import models.
+
+    Args:
+        request: Batch payload with target tenant_id, provider, type, api_key, and models list.
+        authorization: Bearer token header used to derive `user_id`.
+
+    Returns:
+        Success message on completion.
+    """
+    try:
+        user_id, _ = get_current_user_id(authorization)
+        logger.debug(
+            f"Start to batch create models for tenant, user_id: {user_id}, target_tenant_id: {request.tenant_id}, "
+            f"provider: {request.provider}, type: {request.type}, models count: {len(request.models)}")
+
+        batch_model_config = request.model_dump()
+        await batch_create_models_for_tenant(user_id, request.tenant_id, batch_model_config)
+        return JSONResponse(status_code=HTTPStatus.OK, content={
+            "message": "Batch create models successfully",
+            "data": {
+                "tenant_id": request.tenant_id,
+                "provider": request.provider,
+                "type": request.type,
+                "models_count": len(request.models)
+            }
+        })
+    except Exception as e:
+        logging.error(f"Failed to batch create models for tenant: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail=str(e))
+
+
+@router.post("/manage/list", response_model=ManageTenantModelListResponse)
+async def manage_list_models(
+    request: ManageTenantModelListRequest,
+    authorization: Optional[str] = Header(None)
+):
+    """List models for a specified tenant (admin/manage operation).
+
+    This endpoint allows querying models for any tenant, typically used by super admins.
+
+    Args:
+        request: Query request with target tenant_id and pagination params.
+        authorization: Bearer token header used to derive `user_id`.
+
+    Returns:
+        Paginated model list for the specified tenant.
+    """
+    try:
+        user_id, _ = get_current_user_id(authorization)
+        logger.debug(
+            f"Start to list models for tenant, user_id: {user_id}, target_tenant_id: {request.tenant_id}, "
+            f"page: {request.page}, page_size: {request.page_size}")
+
+        result = await list_models_for_admin(
+            request.tenant_id,
+            request.model_type,
+            request.page,
+            request.page_size
+        )
+        return JSONResponse(status_code=HTTPStatus.OK, content={
+            "message": "Successfully retrieved model list",
+            "data": jsonable_encoder(result)
+        })
+    except Exception as e:
+        logging.error(f"Failed to list models for tenant: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
+                            detail=str(e))
+
+
+@router.post("/manage/provider/list")
+async def manage_list_provider_models(
+    request: ManageProviderModelListRequest,
+    authorization: Optional[str] = Header(None)
+):
+    """List provider models for a specified tenant (admin/manage operation).
+
+    This endpoint fetches persisted models from a provider for any tenant,
+    typically used by super admins when bulk importing models.
+
+    Args:
+        request: Query request with target tenant_id, provider, model_type.
+        authorization: Bearer token header used to derive `user_id`.
+
+    Returns:
+        List of available provider models for the specified tenant.
+    """
+    try:
+        user_id, _ = get_current_user_id(authorization)
+        logger.debug(
+            f"Start to list provider models for tenant, user_id: {user_id}, target_tenant_id: {request.tenant_id}, "
+            f"provider: {request.provider}, model_type: {request.model_type}")
+
+        model_list = await list_provider_models_for_tenant(
+            request.tenant_id, request.provider, request.model_type
+        )
+        return JSONResponse(status_code=HTTPStatus.OK, content={
+            "message": "Successfully retrieved provider model list",
+            "data": jsonable_encoder(model_list)
+        })
+    except Exception as e:
+        logging.error(f"Failed to list provider models for tenant: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
+                            detail=str(e))
+
+
+@router.post("/manage/provider/create")
+async def manage_create_provider_models(
+    request: ManageProviderModelCreateRequest,
+    authorization: Optional[str] = Header(None)
+):
+    """Create/fetch provider models for a specified tenant (admin/manage operation).
+
+    This endpoint fetches available models from a provider and prepares them for
+    bulk importing into a specific tenant, typically used by super admins.
+
+    Args:
+        request: Query request with target tenant_id, provider, model_type, and optional api_key/base_url.
+        authorization: Bearer token header used to derive `user_id`.
+
+    Returns:
+        List of available provider models for the specified tenant.
+    """
+    try:
+        user_id, _ = get_current_user_id(authorization)
+        logger.debug(
+            f"Start to create provider models for tenant, user_id: {user_id}, target_tenant_id: {request.tenant_id}, "
+            f"provider: {request.provider}, model_type: {request.model_type}")
+
+        # Build provider request dict for the service function
+        provider_request = {
+            "provider": request.provider,
+            "model_type": request.model_type,
+            "api_key": request.api_key,
+            "base_url": request.base_url,
+        }
+        model_list = await create_provider_models_for_tenant(
+            request.tenant_id, provider_request
+        )
+        return JSONResponse(status_code=HTTPStatus.OK, content={
+            "message": "Successfully created provider models",
+            "data": jsonable_encoder(model_list)
+        })
+    except Exception as e:
+        logging.error(f"Failed to create provider models for tenant: {str(e)}")
+        raise HTTPException(status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
+                            detail=str(e))
diff --git a/backend/apps/remote_mcp_app.py b/backend/apps/remote_mcp_app.py
index 7fdb7159d..fe16fd9be 100644
--- a/backend/apps/remote_mcp_app.py
+++ b/backend/apps/remote_mcp_app.py
@@ -1,7 +1,7 @@
 import logging
 from typing import Optional
 
-from fastapi import APIRouter, Header, HTTPException, UploadFile, File, Form
+from fastapi import APIRouter, Header, HTTPException, UploadFile, File, Form, Query, Request
 from fastapi.responses import JSONResponse
 from http import HTTPStatus
 
@@ -16,11 +16,12 @@
     delete_mcp_by_container_id,
     upload_and_start_mcp_image,
     update_remote_mcp_server_list,
+    attach_mcp_container_permissions,
 )
 from database.remote_mcp_db import check_mcp_name_exists
 from services.tool_configuration_service import get_tool_from_remote_mcp_server
 from services.mcp_container_service import MCPContainerManager
-from utils.auth_utils import get_current_user_id
+from utils.auth_utils import get_current_user_info
 
 router = APIRouter(prefix="/mcp")
 logger = logging.getLogger("remote_mcp_app")
@@ -29,8 +30,7 @@
 @router.post("/tools")
 async def get_tools_from_remote_mcp(
     service_name: str,
-    mcp_url: str,
-    authorization: Optional[str] = Header(None)
+    mcp_url: str
 ):
     """ Used to list tool information from the remote MCP server """
     try:
@@ -54,12 +54,17 @@ async def get_tools_from_remote_mcp(
 async def add_remote_proxies(
     mcp_url: str,
     service_name: str,
-    authorization: Optional[str] = Header(None)
+    tenant_id: Optional[str] = Query(
+        None, description="Tenant ID for filtering (uses auth if not provided)"),
+    authorization: Optional[str] = Header(None),
+    http_request: Request = None
 ):
     """ Used to add a remote MCP server """
     try:
-        user_id, tenant_id = get_current_user_id(authorization)
-        await add_remote_mcp_server_list(tenant_id=tenant_id,
+        user_id, auth_tenant_id, _ = get_current_user_info(authorization, http_request)
+        # Use explicit tenant_id if provided, otherwise fall back to auth tenant_id
+        effective_tenant_id = tenant_id or auth_tenant_id
+        await add_remote_mcp_server_list(tenant_id=effective_tenant_id,
                                          user_id=user_id,
                                          remote_mcp_server=mcp_url,
                                          remote_mcp_server_name=service_name,
@@ -88,12 +93,17 @@ async def add_remote_proxies(
 async def delete_remote_proxies(
     service_name: str,
     mcp_url: str,
-    authorization: Optional[str] = Header(None)
+    tenant_id: Optional[str] = Query(
+        None, description="Tenant ID for filtering (uses auth if not provided)"),
+    authorization: Optional[str] = Header(None),
+    http_request: Request = None
 ):
     """ Used to delete a remote MCP server """
     try:
-        user_id, tenant_id = get_current_user_id(authorization)
-        await delete_remote_mcp_server_list(tenant_id=tenant_id,
+        user_id, auth_tenant_id, _ = get_current_user_info(authorization, http_request)
+        # Use explicit tenant_id if provided, otherwise fall back to auth tenant_id
+        effective_tenant_id = tenant_id or auth_tenant_id
+        await delete_remote_mcp_server_list(tenant_id=effective_tenant_id,
                                             user_id=user_id,
                                             remote_mcp_server=mcp_url,
                                             remote_mcp_server_name=service_name)
@@ -111,14 +121,19 @@ async def delete_remote_proxies(
 @router.put("/update")
 async def update_remote_proxy(
     update_data: MCPUpdateRequest,
-    authorization: Optional[str] = Header(None)
+    tenant_id: Optional[str] = Query(
+        None, description="Tenant ID for filtering (uses auth if not provided)"),
+    authorization: Optional[str] = Header(None),
+    http_request: Request = None
 ):
     """ Used to update an existing remote MCP server """
     try:
-        user_id, tenant_id = get_current_user_id(authorization)
+        user_id, auth_tenant_id, _ = get_current_user_info(authorization, http_request)
+        # Use explicit tenant_id if provided, otherwise fall back to auth tenant_id
+        effective_tenant_id = tenant_id or auth_tenant_id
         await update_remote_mcp_server_list(
             update_data=update_data,
-            tenant_id=tenant_id,
+            tenant_id=effective_tenant_id,
             user_id=user_id
         )
         return JSONResponse(
@@ -142,12 +157,20 @@ async def update_remote_proxy(
 
 @router.get("/list")
 async def get_remote_proxies(
-    authorization: Optional[str] = Header(None)
+    tenant_id: Optional[str] = Query(
+        None, description="Tenant ID for filtering (uses auth if not provided)"),
+    authorization: Optional[str] = Header(None),
+    http_request: Request = None
 ):
     """ Used to get the list of remote MCP servers """
     try:
-        _, tenant_id = get_current_user_id(authorization)
-        remote_mcp_server_list = await get_remote_mcp_server_list(tenant_id=tenant_id)
+        user_id, auth_tenant_id, _ = get_current_user_info(authorization, http_request)
+        # Use explicit tenant_id if provided, otherwise fall back to auth tenant_id
+        effective_tenant_id = tenant_id or auth_tenant_id
+        remote_mcp_server_list = await get_remote_mcp_server_list(
+            tenant_id=effective_tenant_id,
+            user_id=user_id,
+        )
         return JSONResponse(
             status_code=HTTPStatus.OK,
             content={"remote_mcp_server_list": remote_mcp_server_list,
@@ -161,12 +184,21 @@ async def get_remote_proxies(
 
 
 @router.get("/healthcheck")
-async def check_mcp_health(mcp_url: str, service_name: str, authorization: Optional[str] = Header(None)):
+async def check_mcp_health(
+    mcp_url: str,
+    service_name: str,
+    tenant_id: Optional[str] = Query(
+        None, description="Tenant ID for filtering (uses auth if not provided)"),
+    authorization: Optional[str] = Header(None),
+    http_request: Request = None
+):
     """ Used to check the health of the MCP server, the front end can call it,
     and automatically update the database status """
     try:
-        user_id, tenant_id = get_current_user_id(authorization)
-        await check_mcp_health_and_update_db(mcp_url, service_name, tenant_id, user_id)
+        user_id, auth_tenant_id, _ = get_current_user_info(authorization, http_request)
+        # Use explicit tenant_id if provided, otherwise fall back to auth tenant_id
+        effective_tenant_id = tenant_id or auth_tenant_id
+        await check_mcp_health_and_update_db(mcp_url, service_name, effective_tenant_id, user_id)
         return JSONResponse(
             status_code=HTTPStatus.OK,
             content={"status": "success"}
@@ -184,7 +216,10 @@ async def check_mcp_health(mcp_url: str, service_name: str, authorization: Optio
 @router.post("/add-from-config")
 async def add_mcp_from_config(
     mcp_config: MCPConfigRequest,
-    authorization: Optional[str] = Header(None)
+    tenant_id: Optional[str] = Query(
+        None, description="Tenant ID for filtering (uses auth if not provided)"),
+    authorization: Optional[str] = Header(None),
+    http_request: Request = None
 ):
     """
     Add MCP server by starting a container with command+args config.
@@ -202,7 +237,9 @@ async def add_mcp_from_config(
     }
     """
     try:
-        user_id, tenant_id = get_current_user_id(authorization)
+        user_id, auth_tenant_id, _ = get_current_user_info(authorization, http_request)
+        # Use explicit tenant_id if provided, otherwise fall back to auth tenant_id
+        effective_tenant_id = tenant_id or auth_tenant_id
 
         # Initialize container manager
         try:
@@ -233,7 +270,7 @@ async def add_mcp_from_config(
                     continue
 
                 # Check if MCP service name already exists before starting container
-                if check_mcp_name_exists(mcp_name=service_name, tenant_id=tenant_id):
+                if check_mcp_name_exists(mcp_name=service_name, tenant_id=effective_tenant_id):
                     errors.append(f"{service_name}: MCP name already exists")
                     continue
 
@@ -256,7 +293,7 @@ async def add_mcp_from_config(
                 # Start container
                 container_info = await container_manager.start_mcp_container(
                     service_name=service_name,
-                    tenant_id=tenant_id,
+                    tenant_id=effective_tenant_id,
                     user_id=user_id,
                     env_vars=env_vars,
                     host_port=port,
@@ -266,7 +303,7 @@ async def add_mcp_from_config(
 
                 # Register to remote MCP server list
                 await add_remote_mcp_server_list(
-                    tenant_id=tenant_id,
+                    tenant_id=effective_tenant_id,
                     user_id=user_id,
                     remote_mcp_server=container_info["mcp_url"],
                     remote_mcp_server_name=service_name,
@@ -320,11 +357,16 @@ async def add_mcp_from_config(
 @router.delete("/container/{container_id}")
 async def stop_mcp_container(
     container_id: str,
-    authorization: Optional[str] = Header(None)
+    tenant_id: Optional[str] = Query(
+        None, description="Tenant ID for filtering (uses auth if not provided)"),
+    authorization: Optional[str] = Header(None),
+    http_request: Request = None
 ):
     """ Stop and remove MCP container """
     try:
-        user_id, tenant_id = get_current_user_id(authorization)
+        user_id, auth_tenant_id, _ = get_current_user_info(authorization, http_request)
+        # Use explicit tenant_id if provided, otherwise fall back to auth tenant_id
+        effective_tenant_id = tenant_id or auth_tenant_id
 
         try:
             container_manager = MCPContainerManager()
@@ -340,7 +382,7 @@ async def stop_mcp_container(
         if success:
             # Soft delete the corresponding MCP record (if any) by container ID
             await delete_mcp_by_container_id(
-                tenant_id=tenant_id,
+                tenant_id=effective_tenant_id,
                 user_id=user_id,
                 container_id=container_id,
             )
@@ -368,11 +410,16 @@ async def stop_mcp_container(
 
 @router.get("/containers")
 async def list_mcp_containers(
-    authorization: Optional[str] = Header(None)
+    tenant_id: Optional[str] = Query(
+        None, description="Tenant ID for filtering (uses auth if not provided)"),
+    authorization: Optional[str] = Header(None),
+    http_request: Request = None
 ):
     """ List all MCP containers for the current tenant """
     try:
-        user_id, tenant_id = get_current_user_id(authorization)
+        user_id, auth_tenant_id, _ = get_current_user_info(authorization, http_request)
+        # Use explicit tenant_id if provided, otherwise fall back to auth tenant_id
+        effective_tenant_id = tenant_id or auth_tenant_id
 
         try:
             container_manager = MCPContainerManager()
@@ -383,7 +430,12 @@ async def list_mcp_containers(
                 detail="Docker service unavailable"
             )
 
-        containers = container_manager.list_mcp_containers(tenant_id=tenant_id)
+        containers = container_manager.list_mcp_containers(tenant_id=effective_tenant_id)
+        containers = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id=effective_tenant_id,
+            user_id=user_id,
+        )
 
         return JSONResponse(
             status_code=HTTPStatus.OK,
@@ -406,11 +458,16 @@ async def list_mcp_containers(
 async def get_container_logs(
     container_id: str,
     tail: int = 100,
-    authorization: Optional[str] = Header(None)
+    tenant_id: Optional[str] = Query(
+        None, description="Tenant ID for filtering (uses auth if not provided)"),
+    authorization: Optional[str] = Header(None),
+    http_request: Request = None
 ):
     """ Get logs from MCP container """
     try:
-        user_id, tenant_id = get_current_user_id(authorization)
+        user_id, auth_tenant_id, _ = get_current_user_info(authorization, http_request)
+        # Use explicit tenant_id if provided, otherwise fall back to auth tenant_id
+        effective_tenant_id = tenant_id or auth_tenant_id
 
         try:
             container_manager = MCPContainerManager()
@@ -451,7 +508,10 @@ async def upload_mcp_image(
             None, description="Name for the MCP service (auto-generated if not provided)"),
         env_vars: Optional[str] = Form(
             None, description="Environment variables as JSON string"),
-        authorization: Optional[str] = Header(None)
+        tenant_id: Optional[str] = Form(
+            None, description="Tenant ID for filtering (uses auth if not provided)"),
+        authorization: Optional[str] = Header(None),
+        http_request: Request = None
     ):
         """
         Upload Docker image tar file and start MCP container.
@@ -459,14 +519,16 @@ async def upload_mcp_image(
         Container naming: {filename-without-extension}-{tenant-id[:8]}-{user-id[:8]}
         """
         try:
-            user_id, tenant_id = get_current_user_id(authorization)
+            user_id, auth_tenant_id, _ = get_current_user_info(authorization, http_request)
+            # Use explicit tenant_id if provided, otherwise fall back to auth tenant_id
+            effective_tenant_id = tenant_id or auth_tenant_id
 
             # Read file content
             content = await file.read()
 
             # Call service layer to handle the business logic
             result = await upload_and_start_mcp_image(
-                tenant_id=tenant_id,
+                tenant_id=effective_tenant_id,
                 user_id=user_id,
                 file_content=content,
                 filename=file.filename,
diff --git a/backend/apps/tenant_config_app.py b/backend/apps/tenant_config_app.py
index 371e3f864..cd67f0c8f 100644
--- a/backend/apps/tenant_config_app.py
+++ b/backend/apps/tenant_config_app.py
@@ -1,14 +1,10 @@
 import logging
 from http import HTTPStatus
-from typing import List, Optional
 
-from fastapi import APIRouter, Body, Header, HTTPException
+from fastapi import APIRouter, HTTPException
 from fastapi.responses import JSONResponse
 
 from consts.const import DEPLOYMENT_VERSION, APP_VERSION
-from consts.model import UpdateKnowledgeListRequest
-from services.tenant_config_service import get_selected_knowledge_list, update_selected_knowledge
-from utils.auth_utils import get_current_user_id
 
 logger = logging.getLogger("tenant_config_app")
 router = APIRouter(prefix="/tenant_config")
@@ -34,74 +30,4 @@ def get_deployment_version():
         )
 
 
-@router.get("/load_knowledge_list")
-def load_knowledge_list(
-    authorization: Optional[str] = Header(None)
-):
-    try:
-        user_id, tenant_id = get_current_user_id(authorization)
-        selected_knowledge_info = get_selected_knowledge_list(
-            tenant_id=tenant_id, user_id=user_id)
-
-        content = {"selectedKbNames": [item["index_name"] for item in selected_knowledge_info],
-                   "selectedKbModels": [item["embedding_model_name"] for item in selected_knowledge_info],
-                   "selectedKbSources": [item["knowledge_sources"] for item in selected_knowledge_info]}
-
-        return JSONResponse(
-            status_code=HTTPStatus.OK,
-            content={"content": content, "status": "success"}
-        )
-    except Exception as e:
-        logger.error(f"load knowledge list failed, error: {e}")
-        raise HTTPException(
-            status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
-            detail="Failed to load configuration"
-        )
-
 
-@router.post("/update_knowledge_list")
-def update_knowledge_list(
-    authorization: Optional[str] = Header(None),
-    request: UpdateKnowledgeListRequest = Body(...)
-):
-    try:
-        user_id, tenant_id = get_current_user_id(authorization)
-
-        # Convert grouped request to flat lists
-        knowledge_list = []
-        knowledge_sources = []
-
-        if request.nexent:
-            knowledge_list.extend(request.nexent)
-            knowledge_sources.extend(["nexent"] * len(request.nexent))
-
-        if request.datamate:
-            knowledge_list.extend(request.datamate)
-            knowledge_sources.extend(["datamate"] * len(request.datamate))
-
-        result = update_selected_knowledge(
-            tenant_id=tenant_id, user_id=user_id, index_name_list=knowledge_list, knowledge_sources=knowledge_sources)
-        if result:
-            # Get updated knowledge base information
-            selected_knowledge_info = get_selected_knowledge_list(
-                tenant_id=tenant_id, user_id=user_id)
-
-            content = {"selectedKbNames": [item["index_name"] for item in selected_knowledge_info],
-                       "selectedKbModels": [item["embedding_model_name"] for item in selected_knowledge_info],
-                       "selectedKbSources": [item["knowledge_sources"] for item in selected_knowledge_info]}
-
-            return JSONResponse(
-                status_code=HTTPStatus.OK,
-                content={"content": content, "message": "update success", "status": "success"}
-            )
-        else:
-            raise HTTPException(
-                status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
-                detail="Failed to update configuration"
-            )
-    except Exception as e:
-        logger.error(f"update knowledge list failed, error: {e}")
-        raise HTTPException(
-            status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
-            detail="Failed to update configuration"
-        )
diff --git a/backend/apps/user_app.py b/backend/apps/user_app.py
index 57cf3b19f..32591b01f 100644
--- a/backend/apps/user_app.py
+++ b/backend/apps/user_app.py
@@ -11,10 +11,10 @@
 from consts.model import (
     UserListRequest, UserUpdateRequest
 )
-from consts.exceptions import NotFoundException, ValidationError, UnauthorizedError
 from services.user_service import (
-    get_users, update_user, delete_user
+    get_users, update_user, delete_user_and_cleanup
 )
+from database.user_tenant_db import get_user_tenant_by_user_id
 from utils.auth_utils import get_current_user_id
 
 logger = logging.getLogger("user_app")
@@ -116,7 +116,13 @@ async def delete_user_endpoint(
     authorization: Optional[str] = Header(None)
 ) -> JSONResponse:
     """
-    Soft delete user and remove from all groups
+    Permanently delete user and all related data.
+
+    This performs complete cleanup including:
+    - Soft-delete user-tenant relationship and groups
+    - Soft-delete memory configs and conversations
+    - Clear user-level memories
+    - Permanently delete user from Supabase
 
     Args:
         user_id: User identifier
@@ -129,13 +135,17 @@ async def delete_user_endpoint(
         # Get current user ID from token for access control
         current_user_id, _ = get_current_user_id(authorization)
 
-        # Delete user (soft delete)
-        success = await delete_user(user_id, current_user_id)
+        # Get user tenant ID for cleanup operations
+        user_tenant = get_user_tenant_by_user_id(user_id)
+        if not user_tenant:
+            raise ValueError(f"User {user_id} not found")
+
+        tenant_id = user_tenant["tenant_id"]
 
-        if not success:
-            raise ValueError(f"Failed to delete user {user_id}")
+        # Perform complete user cleanup
+        await delete_user_and_cleanup(user_id, tenant_id)
 
-        logger.info(f"Soft deleted user {user_id} by user {current_user_id}")
+        logger.info(f"Permanently deleted user {user_id} by admin {current_user_id}")
 
         return JSONResponse(
             status_code=HTTPStatus.OK,
diff --git a/backend/apps/user_management_app.py b/backend/apps/user_management_app.py
index 5b5e0d3d7..1ebf0bace 100644
--- a/backend/apps/user_management_app.py
+++ b/backend/apps/user_management_app.py
@@ -11,7 +11,8 @@
 from consts.exceptions import NoInviteCodeException, IncorrectInviteCodeException, UserRegistrationException
 from services.user_management_service import get_authorized_client, validate_token, \
     check_auth_service_health, signup_user, signup_user_with_invitation, signin_user, refresh_user_token, \
-    get_session_by_authorization, revoke_regular_user, get_user_info
+    get_session_by_authorization, get_user_info
+from services.user_service import delete_user_and_cleanup
 from consts.exceptions import UnauthorizedError
 from utils.auth_utils import get_current_user_id
 
@@ -276,7 +277,7 @@ async def revoke_user_account(request: Request):
                                 detail="Admin account cannot be deleted via this endpoint")
 
         # Orchestrate revoke for regular user
-        await revoke_regular_user(user_id=user_id, tenant_id=tenant_id)
+        await delete_user_and_cleanup(user_id=user_id, tenant_id=tenant_id)
 
         return JSONResponse(status_code=HTTPStatus.OK, content={"message": "User account revoked"})
     except UnauthorizedError as e:
diff --git a/backend/apps/vectordatabase_app.py b/backend/apps/vectordatabase_app.py
index afcfb76a6..04ea9820f 100644
--- a/backend/apps/vectordatabase_app.py
+++ b/backend/apps/vectordatabase_app.py
@@ -53,14 +53,32 @@ def create_new_index(
         index_name: str = Path(..., description="Name of the index to create"),
         embedding_dim: Optional[int] = Query(
             None, description="Dimension of the embedding vectors"),
+        request: Dict[str, Any] = Body(
+            None, description="Request body with optional fields (ingroup_permission, group_ids)"),
         vdb_core: VectorDatabaseCore = Depends(get_vector_db_core),
         authorization: Optional[str] = Header(None)
 ):
     """Create a new vector index and store it in the knowledge table"""
     try:
         user_id, tenant_id = get_current_user_id(authorization)
+
+        # Extract optional fields from request body
+        ingroup_permission = None
+        group_ids = None
+        if request:
+            ingroup_permission = request.get("ingroup_permission")
+            group_ids = request.get("group_ids")
+
         # Treat path parameter as user-facing knowledge base name for new creations
-        return ElasticSearchService.create_knowledge_base(index_name, embedding_dim, vdb_core, user_id, tenant_id)
+        return ElasticSearchService.create_knowledge_base(
+            knowledge_name=index_name,
+            embedding_dim=embedding_dim,
+            vdb_core=vdb_core,
+            user_id=user_id,
+            tenant_id=tenant_id,
+            ingroup_permission=ingroup_permission,
+            group_ids=group_ids,
+        )
     except Exception as e:
         raise HTTPException(
             status_code=HTTPStatus.INTERNAL_SERVER_ERROR, detail=f"Error creating index: {str(e)}")
@@ -395,6 +413,7 @@ def create_chunk(
             chunk_request=payload,
             vdb_core=vdb_core,
             user_id=user_id,
+            tenant_id=tenant_id,
         )
         return JSONResponse(status_code=HTTPStatus.OK, content=result)
     except ValueError as e:
diff --git a/backend/consts/const.py b/backend/consts/const.py
index f09ae9cf4..96c937ef0 100644
--- a/backend/consts/const.py
+++ b/backend/consts/const.py
@@ -64,6 +64,14 @@ class VectorDatabaseType(str, Enum):
 DEFAULT_USER_ID = "user_id"
 DEFAULT_TENANT_ID = "tenant_id"
 
+# Roles that can edit all resources within a tenant (permission = EDIT).
+# Keep this centralized to avoid drifting role logic across modules.
+CAN_EDIT_ALL_USER_ROLES = {"SU", "ADMIN", "SPEED"}
+
+# Permission constants used by list endpoints (e.g., /agent/list, /mcp/list).
+PERMISSION_READ = "READ_ONLY"
+PERMISSION_EDIT = "EDIT"
+
 
 # Deployment Version Configuration
 DEPLOYMENT_VERSION = os.getenv("DEPLOYMENT_VERSION", "speed")
@@ -184,7 +192,8 @@ class VectorDatabaseType(str, Enum):
 DEBUG_JWT_EXPIRE_SECONDS = int(os.getenv('DEBUG_JWT_EXPIRE_SECONDS', '0') or 0)
 
 # User info query source control: "supabase" or "pg" (default: "supabase" for backward compatibility)
-USER_INFO_QUERY_SOURCE = os.getenv('USER_INFO_QUERY_SOURCE', 'supabase').lower()
+USER_INFO_QUERY_SOURCE = os.getenv(
+    'USER_INFO_QUERY_SOURCE', 'supabase').lower()
 
 # Memory Search Status Messages (for i18n placeholders)
 MEMORY_SEARCH_START_MSG = "<MEM_START>"
@@ -294,4 +303,4 @@ class VectorDatabaseType(str, Enum):
 MODEL_ENGINE_ENABLED = os.getenv("MODEL_ENGINE_ENABLED")
 
 # APP Version
-APP_VERSION = "v1.7.10"
+APP_VERSION = "v1.8.0"
diff --git a/backend/consts/exceptions.py b/backend/consts/exceptions.py
index 815ed0eef..94b1f770d 100644
--- a/backend/consts/exceptions.py
+++ b/backend/consts/exceptions.py
@@ -27,7 +27,7 @@ class MemoryPreparationException(Exception):
     """Raised when memory preprocessing or retrieval fails prior to agent run."""
     pass
 
-  
+
 class MCPConnectionError(Exception):
     """Raised when MCP connection fails."""
     pass
@@ -101,4 +101,14 @@ class ToolExecutionException(Exception):
 
 class MCPContainerError(Exception):
     """Raised when MCP container operation fails."""
-    pass
\ No newline at end of file
+    pass
+
+
+class DuplicateError(Exception):
+    """Raised when a duplicate resource already exists."""
+    pass
+
+
+class DataMateConnectionError(Exception):
+    """Raised when DataMate connection fails or URL is not configured."""
+    pass
diff --git a/backend/consts/model.py b/backend/consts/model.py
index 089c09b27..a4862cd59 100644
--- a/backend/consts/model.py
+++ b/backend/consts/model.py
@@ -279,6 +279,7 @@ class AgentInfoRequest(BaseModel):
     enabled_tool_ids: Optional[List[int]] = None
     related_agent_ids: Optional[List[int]] = None
     group_ids: Optional[List[int]] = None
+    version_no: int = 0
 
 
 class AgentIDRequest(BaseModel):
@@ -290,6 +291,7 @@ class ToolInstanceInfoRequest(BaseModel):
     agent_id: int
     params: Dict[str, Any]
     enabled: bool
+    version_no: int = 0
 
 
 class ToolInstanceSearchRequest(BaseModel):
@@ -633,3 +635,166 @@ class InvitationUseResponse(BaseModel):
     code_type: str = Field(..., description="Code type")
     group_ids: Optional[List[int]] = Field(
         None, description="Associated group IDs")
+
+
+# Manage Tenant Model Data Models
+# ---------------------------------------------------------------------------
+class ManageTenantModelListRequest(BaseModel):
+    """Request model for listing models in a specific tenant (manage operation)"""
+    tenant_id: str = Field(..., min_length=1, description="Target tenant ID to query models for")
+    model_type: Optional[str] = Field(
+        None, description="Filter by model type (e.g., 'llm', 'embedding')")
+    page: int = Field(1, ge=1, description="Page number for pagination")
+    page_size: int = Field(20, ge=1, le=100, description="Items per page")
+
+
+class ManageTenantModelListResponse(BaseModel):
+    """Response model for tenant model list query"""
+    tenant_id: str = Field(..., description="Tenant identifier")
+    tenant_name: str = Field(..., description="Tenant display name")
+    models: List[Dict[str, Any]] = Field(
+        default_factory=list, description="List of models for this tenant")
+    total: int = Field(0, description="Total number of models")
+    page: int = Field(1, description="Current page number")
+    page_size: int = Field(20, description="Items per page")
+    total_pages: int = Field(0, description="Total number of pages")
+
+
+class ManageTenantModelCreateRequest(BaseModel):
+    """Request model for creating a model in a specific tenant (admin/manage operation)"""
+    tenant_id: str = Field(..., min_length=1, description="Target tenant ID to create model for")
+    model_repo: Optional[str] = Field('', description="Model repository path")
+    model_name: str = Field(..., description="Model name")
+    model_type: str = Field(..., description="Model type (e.g., 'llm', 'embedding', 'vlm', 'tts', 'stt')")
+    api_key: Optional[str] = Field('', description="API key for the model")
+    base_url: Optional[str] = Field('', description="Base URL for the model API")
+    max_tokens: Optional[int] = Field(0, description="Maximum tokens for the model")
+    display_name: Optional[str] = Field('', description="Display name for the model")
+    expected_chunk_size: Optional[int] = Field(None, description="Expected chunk size for embedding models")
+    maximum_chunk_size: Optional[int] = Field(None, description="Maximum chunk size for embedding models")
+    chunk_batch: Optional[int] = Field(None, description="Batch size for chunking")
+
+
+class ManageTenantModelUpdateRequest(BaseModel):
+    """Request model for updating a model in a specific tenant (admin/manage operation)"""
+    tenant_id: str = Field(..., min_length=1, description="Target tenant ID to update model for")
+    current_display_name: str = Field(..., description="Current display name of the model to update")
+    model_repo: Optional[str] = Field(None, description="Model repository path")
+    model_name: Optional[str] = Field(None, description="Model name")
+    model_type: Optional[str] = Field(None, description="Model type")
+    api_key: Optional[str] = Field(None, description="API key for the model")
+    base_url: Optional[str] = Field(None, description="Base URL for the model API")
+    max_tokens: Optional[int] = Field(None, description="Maximum tokens for the model")
+    display_name: Optional[str] = Field(None, description="New display name for the model")
+    expected_chunk_size: Optional[int] = Field(None, description="Expected chunk size for embedding models")
+    maximum_chunk_size: Optional[int] = Field(None, description="Maximum chunk size for embedding models")
+    chunk_batch: Optional[int] = Field(None, description="Batch size for chunking")
+
+
+class ManageTenantModelDeleteRequest(BaseModel):
+    """Request model for deleting a model from a specific tenant (admin/manage operation)"""
+    tenant_id: str = Field(..., min_length=1, description="Target tenant ID to delete model from")
+    display_name: str = Field(..., description="Display name of the model to delete")
+
+
+class ManageTenantModelHealthcheckRequest(BaseModel):
+    """Request model for checking model connectivity in a specific tenant (admin/manage operation)"""
+    tenant_id: str = Field(..., min_length=1, description="Target tenant ID to check model connectivity")
+    display_name: str = Field(..., description="Display name of the model to check")
+
+
+class ManageBatchCreateModelsRequest(BaseModel):
+    """Request model for batch creating/updating models in a specific tenant (admin/manage operation)"""
+    tenant_id: str = Field(..., min_length=1, description="Target tenant ID to batch create models for")
+    provider: str = Field(..., description="Model provider (e.g., 'silicon', 'modelengine')")
+    type: str = Field(..., description="Model type (e.g., 'llm', 'embedding')")
+    api_key: str = Field('', description="API key for the models")
+    models: List[Dict[str, Any]] = Field(default_factory=list, description="List of models to create/update")
+
+
+class ManageProviderModelListRequest(BaseModel):
+    """Request model for listing provider models in a specific tenant (admin/manage operation)"""
+    tenant_id: str = Field(..., min_length=1, description="Target tenant ID to query provider models for")
+    provider: str = Field(..., description="Model provider (e.g., 'silicon', 'modelengine')")
+    model_type: str = Field(..., description="Model type (e.g., 'llm', 'embedding')")
+
+
+class ManageProviderModelCreateRequest(BaseModel):
+    """Request model for creating provider models in a specific tenant (admin/manage operation)"""
+    tenant_id: str = Field(..., min_length=1, description="Target tenant ID to create provider models for")
+    provider: str = Field(..., description="Model provider (e.g., 'silicon', 'modelengine')")
+    model_type: str = Field(..., description="Model type (e.g., 'llm', 'embedding')")
+    api_key: Optional[str] = Field('', description="API key for the provider")
+    base_url: Optional[str] = Field('', description="Base URL for the provider API")
+
+
+# Agent Version Management Data Models
+# ---------------------------------------------------------------------------
+class VersionPublishRequest(BaseModel):
+    """Request model for publishing a new version"""
+    version_name: Optional[str] = Field(None, description="User-defined version name for display")
+    release_note: Optional[str] = Field(None, description="Release notes / publish remarks")
+
+
+class VersionListItemResponse(BaseModel):
+    """Response model for version list item"""
+    id: int = Field(..., description="Version record ID")
+    version_no: int = Field(..., description="Version number")
+    version_name: Optional[str] = Field(None, description="User-defined version name")
+    release_note: Optional[str] = Field(None, description="Release notes")
+    source_version_no: Optional[int] = Field(None, description="Source version number if rollback")
+    source_type: Optional[str] = Field(None, description="Source type: NORMAL / ROLLBACK")
+    status: str = Field(..., description="Version status: RELEASED / DISABLED / ARCHIVED")
+    created_by: str = Field(..., description="User who published this version")
+    create_time: Optional[str] = Field(None, description="Publish timestamp")
+
+
+class VersionListResponse(BaseModel):
+    """Response model for version list"""
+    items: List[VersionListItemResponse] = Field(..., description="Version list items")
+    total: int = Field(..., description="Total count")
+
+
+class VersionDetailResponse(BaseModel):
+    """Response model for version detail including snapshot data"""
+    id: int = Field(..., description="Version record ID")
+    version_no: int = Field(..., description="Version number")
+    version_name: Optional[str] = Field(None, description="User-defined version name")
+    release_note: Optional[str] = Field(None, description="Release notes")
+    source_version_no: Optional[int] = Field(None, description="Source version number")
+    source_type: Optional[str] = Field(None, description="Source type")
+    status: str = Field(..., description="Version status")
+    created_by: str = Field(..., description="User who published this version")
+    create_time: Optional[str] = Field(None, description="Publish timestamp")
+    agent_info: Optional[dict] = Field(None, description="Agent info snapshot")
+    tool_instances: List[dict] = Field(default_factory=list, description="Tool instance snapshots")
+    relations: List[dict] = Field(default_factory=list, description="Relation snapshots")
+
+
+class VersionRollbackRequest(BaseModel):
+    """Request model for rollback to a specific version"""
+    version_name: Optional[str] = Field(None, description="New version name for the rollback version")
+    release_note: Optional[str] = Field(None, description="Release notes for the rollback version")
+
+
+class VersionStatusRequest(BaseModel):
+    """Request model for updating version status"""
+    status: str = Field(..., description="New status: DISABLED / ARCHIVED")
+
+
+class VersionCompareRequest(BaseModel):
+    """Request model for comparing two versions"""
+    version_no_a: int = Field(..., description="First version number for comparison")
+    version_no_b: int = Field(..., description="Second version number for comparison")
+
+
+class CurrentVersionResponse(BaseModel):
+    """Response model for current published version"""
+    version_no: int = Field(..., description="Current published version number")
+    version_name: Optional[str] = Field(None, description="Version name")
+    status: str = Field(..., description="Version status")
+    source_type: Optional[str] = Field(None, description="Source type")
+    source_version_no: Optional[int] = Field(None, description="Source version number")
+    release_note: Optional[str] = Field(None, description="Release notes")
+    created_by: str = Field(..., description="User who published this version")
+    create_time: Optional[str] = Field(None, description="Publish timestamp")
diff --git a/backend/database/agent_db.py b/backend/database/agent_db.py
index 6ed3a1f6e..3ced7625b 100644
--- a/backend/database/agent_db.py
+++ b/backend/database/agent_db.py
@@ -9,14 +9,21 @@
 logger = logging.getLogger("agent_db")
 
 
-def search_agent_info_by_agent_id(agent_id: int, tenant_id: str):
+def search_agent_info_by_agent_id(agent_id: int, tenant_id: str, version_no: int = 0):
     """
-    Search agent info by agent_id
+    Search agent info by agent_id.
+    Default version_no=0 queries the draft version.
+
+    Args:
+        agent_id: Agent ID
+        tenant_id: Tenant ID
+        version_no: Version number to filter. Default 0 = draft/editing state
     """
     with get_db_session() as session:
         agent = session.query(AgentInfo).filter(
             AgentInfo.agent_id == agent_id,
             AgentInfo.tenant_id == tenant_id,
+            AgentInfo.version_no == version_no,
             AgentInfo.delete_flag != 'Y'
         ).first()
 
@@ -28,27 +35,40 @@ def search_agent_info_by_agent_id(agent_id: int, tenant_id: str):
         return agent_dict
 
 
-def search_agent_id_by_agent_name(agent_name: str, tenant_id: str):
+def search_agent_id_by_agent_name(agent_name: str, tenant_id: str, version_no: int = 0):
     """
-    Search agent id by agent name
+    Search agent id by agent name.
+    Default version_no=0 queries the draft version.
+
+    Args:
+        agent_name: Agent name
+        tenant_id: Tenant ID
+        version_no: Version number to filter. Default 0 = draft/editing state
     """
     with get_db_session() as session:
         agent = session.query(AgentInfo).filter(
             AgentInfo.name == agent_name,
             AgentInfo.tenant_id == tenant_id,
+            AgentInfo.version_no == version_no,
             AgentInfo.delete_flag != 'Y').first()
         if not agent:
             raise ValueError("agent not found")
         return agent.agent_id
 
 
-def search_blank_sub_agent_by_main_agent_id(tenant_id: str):
+def search_blank_sub_agent_by_main_agent_id(tenant_id: str, version_no: int = 0):
     """
-    Search blank sub agent by main agent id
+    Search blank sub agent by main agent id.
+    Default version_no=0 queries the draft version.
+
+    Args:
+        tenant_id: Tenant ID
+        version_no: Version number to filter. Default 0 = draft/editing state
     """
     with get_db_session() as session:
         sub_agent = session.query(AgentInfo).filter(
             AgentInfo.tenant_id == tenant_id,
+            AgentInfo.version_no == version_no,
             AgentInfo.delete_flag != 'Y',
             AgentInfo.enabled == False
         ).first()
@@ -58,28 +78,39 @@ def search_blank_sub_agent_by_main_agent_id(tenant_id: str):
             return None
 
 
-def query_sub_agents_id_list(main_agent_id: int, tenant_id: str):
+def query_sub_agents_id_list(main_agent_id: int, tenant_id: str, version_no: int = 0):
     """
-    Query the sub agent id list by main agent id
+    Query the sub agent id list by main agent id.
+    Default version_no=0 queries the draft version.
+
+    Args:
+        main_agent_id: Parent agent ID
+        tenant_id: Tenant ID
+        version_no: Version number to filter. Default 0 = draft/editing state
     """
     with get_db_session() as session:
-        query = session.query(AgentRelation).filter(AgentRelation.parent_agent_id == main_agent_id,
-                                                    AgentRelation.tenant_id == tenant_id,
-                                                    AgentRelation.delete_flag != 'Y')
+        query = session.query(AgentRelation).filter(
+            AgentRelation.parent_agent_id == main_agent_id,
+            AgentRelation.tenant_id == tenant_id,
+            AgentRelation.version_no == version_no,
+            AgentRelation.delete_flag != 'Y')
         relations = query.all()
         return [relation.selected_agent_id for relation in relations]
 
 
-def clear_agent_new_mark(agent_id: int, tenant_id: str, user_id: str):
+def clear_agent_new_mark(agent_id: int, tenant_id: str, user_id: str, version_no: int = 0):
     """
-    Clear the NEW mark for an agent
+    Clear the NEW mark for an agent.
+    This clears the NEW mark for ALL versions of the agent, regardless of version_no parameter.
 
     Args:
         agent_id (int): Agent ID
         tenant_id (str): Tenant ID
         user_id (str): User ID (for audit purposes)
+        version_no: Version number (kept for API compatibility, but always clears all versions)
     """
     with get_db_session() as session:
+        # Clear NEW mark for ALL versions of this agent
         result = session.execute(
             update(AgentInfo)
             .where(
@@ -93,9 +124,16 @@ def clear_agent_new_mark(agent_id: int, tenant_id: str, user_id: str):
         return result.rowcount
 
 
-def mark_agents_as_new(agent_ids: list[int], tenant_id: str, user_id: str):
+def mark_agents_as_new(agent_ids: list[int], tenant_id: str, user_id: str, version_no: int = 0):
     """
-    Mark a list of agents as new (is_new = True)
+    Mark a list of agents as new.
+    This marks ALL versions of the specified agents as new, regardless of version_no parameter.
+
+    Args:
+        agent_ids: List of Agent IDs
+        tenant_id: Tenant ID
+        user_id: User ID
+        version_no: Version number (kept for API compatibility, but always marks all versions)
     """
     if not agent_ids:
         return
@@ -113,7 +151,7 @@ def mark_agents_as_new(agent_ids: list[int], tenant_id: str, user_id: str):
 
 def create_agent(agent_info, tenant_id: str, user_id: str):
     """
-    Create a new agent in the database.
+    Create a new agent in the database (draft version, version_no=0).
     :param agent_info: Dictionary containing agent information
     :param tenant_id:
     :param user_id:
@@ -123,6 +161,7 @@ def create_agent(agent_info, tenant_id: str, user_id: str):
     info_with_metadata.setdefault("max_steps", 5)
     info_with_metadata.update({
         "tenant_id": tenant_id,
+        "version_no": 0,  # Default to draft version
         "created_by": user_id,
         "updated_by": user_id,
         "is_new": True,  # Mark new agents as new
@@ -133,24 +172,58 @@ def create_agent(agent_info, tenant_id: str, user_id: str):
         session.add(new_agent)
         session.flush()
 
-        return as_dict(new_agent)
+        # Directly extract agent_id and return as dict
+        result = {
+            "agent_id": new_agent.agent_id,
+            "tenant_id": new_agent.tenant_id,
+            "name": new_agent.name,
+            "display_name": new_agent.display_name,
+            "description": new_agent.description,
+            "author": new_agent.author,
+            "model_id": new_agent.model_id,
+            "model_name": new_agent.model_name,
+            "max_steps": new_agent.max_steps,
+            "duty_prompt": new_agent.duty_prompt,
+            "constraint_prompt": new_agent.constraint_prompt,
+            "few_shots_prompt": new_agent.few_shots_prompt,
+            "parent_agent_id": new_agent.parent_agent_id,
+            "enabled": new_agent.enabled,
+            "provide_run_summary": new_agent.provide_run_summary,
+            "business_description": new_agent.business_description,
+            "business_logic_model_id": new_agent.business_logic_model_id,
+            "business_logic_model_name": new_agent.business_logic_model_name,
+            "group_ids": new_agent.group_ids,
+            "is_new": new_agent.is_new,
+            "current_version_no": new_agent.current_version_no,
+            "version_no": new_agent.version_no,
+            "created_by": new_agent.created_by,
+            "updated_by": new_agent.updated_by,
+            "delete_flag": new_agent.delete_flag,
+        }
+        return result
 
 
-def update_agent(agent_id, agent_info, tenant_id, user_id):
+def update_agent(agent_id, agent_info, user_id, version_no: int = 0):
     """
     Update an existing agent in the database.
-    :param agent_id: ID of the agent to update
-    :param agent_info: Dictionary containing updated agent information
-    :param tenant_id: tenant ID
-    :param user_id: Optional user ID
-    :return: Updated agent object
+    Default version_no=0 updates the draft version.
+
+    Args:
+        agent_id: ID of the agent to update
+        agent_info: Dictionary containing updated agent information
+        tenant_id: Tenant ID
+        user_id: Optional user ID
+        version_no: Version number to filter. Default 0 = draft/editing state
+    Returns:
+        Updated agent object
     """
     with (get_db_session() as session):
         # update ag_tenant_agent_t
-        agent = session.query(AgentInfo).filter(AgentInfo.agent_id == agent_id,
-                                                AgentInfo.tenant_id == tenant_id,
-                                                AgentInfo.delete_flag != 'Y'
-                                                ).first()
+        agent = session.query(AgentInfo).filter(
+            AgentInfo.agent_id == agent_id,
+            AgentInfo.version_no == version_no,
+            AgentInfo.delete_flag != 'Y'
+        ).first()
         if not agent:
             raise ValueError("ag_tenant_agent_t Agent not found")
 
@@ -165,40 +238,73 @@ def update_agent(agent_id, agent_info, tenant_id, user_id):
 
 def delete_agent_by_id(agent_id, tenant_id: str, user_id: str):
     """
-    Delete an agent in the database.
+    Delete an agent in the database (all versions).
     :param agent_id: ID of the agent to delete
     :param tenant_id: Tenant ID for filtering, mandatory
     :param user_id: Optional user ID for filtering
     :return: None
     """
+    from sqlalchemy import update as sqlalchemy_update
+
     with get_db_session() as session:
-        session.query(AgentInfo).filter(AgentInfo.agent_id == agent_id,
-                                        AgentInfo.tenant_id == tenant_id).update(
-            {AgentInfo.delete_flag: 'Y', 'updated_by': user_id})
-        session.query(ToolInstance).filter(ToolInstance.agent_id == agent_id,
-                                           ToolInstance.tenant_id == tenant_id).update(
-            {ToolInstance.delete_flag: 'Y', 'updated_by': user_id})
-        session.commit()
+        # Soft delete all agent versions (version_no >= 0)
+        session.execute(
+            sqlalchemy_update(AgentInfo)
+            .where(
+                AgentInfo.agent_id == agent_id,
+                AgentInfo.tenant_id == tenant_id
+            )
+            .values(delete_flag='Y', updated_by=user_id)
+        )
+        # Soft delete all tool instances (all versions)
+        session.execute(
+            sqlalchemy_update(ToolInstance)
+            .where(
+                ToolInstance.agent_id == agent_id,
+                ToolInstance.tenant_id == tenant_id
+            )
+            .values(delete_flag='Y', updated_by=user_id)
+        )
 
 
-def query_all_agent_info_by_tenant_id(tenant_id: str):
+def query_all_agent_info_by_tenant_id(tenant_id: str, version_no: int = 0):
     """
-    Query all agent info by tenant id
+    Query all agent info by tenant id.
+    Default version_no=0 queries all draft versions.
+
+    Args:
+        tenant_id: Tenant ID
+        version_no: Version number to filter. Default 0 = draft/editing state
     """
     with get_db_session() as session:
-        agents = session.query(AgentInfo).filter(AgentInfo.tenant_id == tenant_id,
-                                                 AgentInfo.delete_flag != 'Y').order_by(AgentInfo.create_time.desc()).all()
+        agents = session.query(AgentInfo).filter(
+            AgentInfo.tenant_id == tenant_id,
+            AgentInfo.version_no == version_no,
+            AgentInfo.delete_flag != 'Y'
+        ).order_by(AgentInfo.create_time.desc()).all()
         return [as_dict(agent) for agent in agents]
 
 
-def insert_related_agent(parent_agent_id: int, child_agent_id: int, tenant_id: str) -> bool:
+def insert_related_agent(parent_agent_id: int, child_agent_id: int, tenant_id: str, user_id: str, version_no: int = 0) -> bool:
+    """
+    Insert a related agent.
+    Default version_no=0 creates the draft version.
+
+    Args:
+        parent_agent_id: Parent agent ID
+        child_agent_id: Child agent ID
+        tenant_id: Tenant ID
+        user_id: User ID
+        version_no: Version number. Default 0 = draft/editing state
+    """
     try:
         relation_info = {
             "parent_agent_id": parent_agent_id,
             "selected_agent_id": child_agent_id,
             "tenant_id": tenant_id,
-            "created_by": tenant_id,
-            "updated_by": tenant_id
+            "version_no": version_no,
+            "created_by": user_id,
+            "updated_by": user_id
         }
         with get_db_session() as session:
             new_relation = AgentRelation(
@@ -211,34 +317,53 @@ def insert_related_agent(parent_agent_id: int, child_agent_id: int, tenant_id: s
         return False
 
 
-def delete_related_agent(parent_agent_id: int, child_agent_id: int, tenant_id: str) -> bool:
+def delete_related_agent(parent_agent_id: int, child_agent_id: int, tenant_id: str, user_id: str, version_no: int = 0) -> bool:
+    """
+    Delete a related agent.
+    Default version_no=0 deletes the draft version.
+
+    Args:
+        parent_agent_id: Parent agent ID
+        child_agent_id: Child agent ID
+        tenant_id: Tenant ID
+        user_id: User ID
+        version_no: Version number to filter. Default 0 = draft/editing state
+    """
     try:
         with get_db_session() as session:
-            session.query(AgentRelation).filter(AgentRelation.parent_agent_id == parent_agent_id,
-                                                AgentRelation.selected_agent_id == child_agent_id,
-                                                AgentRelation.tenant_id == tenant_id).update(
-                {AgentRelation.delete_flag: 'Y', 'updated_by': tenant_id})
+            session.query(AgentRelation).filter(
+                AgentRelation.parent_agent_id == parent_agent_id,
+                AgentRelation.selected_agent_id == child_agent_id,
+                AgentRelation.tenant_id == tenant_id,
+                AgentRelation.version_no == version_no
+            ).update(
+                {AgentRelation.delete_flag: 'Y', 'updated_by': user_id})
             return True
     except Exception as e:
         logger.error(f"Failed to delete related agent: {str(e)}")
         return False
 
 
-def update_related_agents(parent_agent_id: int, related_agent_ids: List[int], tenant_id: str, user_id: str):
+def update_related_agents(parent_agent_id: int, related_agent_ids: List[int], tenant_id: str, user_id: str, version_no: int = 0):
     """
     Update related agents for a parent agent by replacing all existing relations.
+    Default version_no=0 updates the draft version.
+
     This function handles both creation and deletion of relations in a single transaction.
-    :param parent_agent_id: ID of the parent agent
-    :param related_agent_ids: List of child agent IDs to be related
-    :param tenant_id: Tenant ID
-    :param user_id: User ID for audit trail
-    :return: None
+
+    Args:
+        parent_agent_id: ID of the parent agent
+        related_agent_ids: List of child agent IDs to be related
+        tenant_id: Tenant ID
+        user_id: User ID for audit trail
+        version_no: Version number to filter. Default 0 = draft/editing state
     """
     with get_db_session() as session:
         # Get current relations
         current_relations = session.query(AgentRelation).filter(
             AgentRelation.parent_agent_id == parent_agent_id,
             AgentRelation.tenant_id == tenant_id,
+            AgentRelation.version_no == version_no,
             AgentRelation.delete_flag != 'Y'
         ).all()
 
@@ -257,7 +382,8 @@ def update_related_agents(parent_agent_id: int, related_agent_ids: List[int], te
             session.query(AgentRelation).filter(
                 AgentRelation.parent_agent_id == parent_agent_id,
                 AgentRelation.selected_agent_id.in_(ids_to_delete),
-                AgentRelation.tenant_id == tenant_id
+                AgentRelation.tenant_id == tenant_id,
+                AgentRelation.version_no == version_no
             ).update(
                 {AgentRelation.delete_flag: 'Y', 'updated_by': user_id},
                 synchronize_session=False
@@ -269,6 +395,7 @@ def update_related_agents(parent_agent_id: int, related_agent_ids: List[int], te
                 "parent_agent_id": parent_agent_id,
                 "selected_agent_id": child_agent_id,
                 "tenant_id": tenant_id,
+                "version_no": version_no,
                 "created_by": user_id,
                 "updated_by": user_id
             }
@@ -276,15 +403,28 @@ def update_related_agents(parent_agent_id: int, related_agent_ids: List[int], te
                 **filter_property(relation_info, AgentRelation))
             session.add(new_relation)
 
-        session.commit()
 
+def delete_agent_relationship(agent_id: int, tenant_id: str, user_id: str, version_no: int = 0):
+    """
+    Delete all relationships for an agent.
+    Default version_no=0 deletes the draft version.
 
-def delete_agent_relationship(agent_id: int, tenant_id: str, user_id: str):
+    Args:
+        agent_id: Agent ID
+        tenant_id: Tenant ID
+        user_id: User ID
+        version_no: Version number to filter. Default 0 = draft/editing state
+    """
     with get_db_session() as session:
-        session.query(AgentRelation).filter(AgentRelation.parent_agent_id == agent_id,
-                                            AgentRelation.tenant_id == tenant_id).update(
+        session.query(AgentRelation).filter(
+            AgentRelation.parent_agent_id == agent_id,
+            AgentRelation.tenant_id == tenant_id,
+            AgentRelation.version_no == version_no
+        ).update(
             {AgentRelation.delete_flag: 'Y', 'updated_by': user_id})
-        session.query(AgentRelation).filter(AgentRelation.selected_agent_id == agent_id,
-                                            AgentRelation.tenant_id == tenant_id).update(
+        session.query(AgentRelation).filter(
+            AgentRelation.selected_agent_id == agent_id,
+            AgentRelation.tenant_id == tenant_id,
+            AgentRelation.version_no == version_no
+        ).update(
             {AgentRelation.delete_flag: 'Y', 'updated_by': user_id})
-        session.commit()
diff --git a/backend/database/agent_version_db.py b/backend/database/agent_version_db.py
new file mode 100644
index 000000000..1f36383f8
--- /dev/null
+++ b/backend/database/agent_version_db.py
@@ -0,0 +1,373 @@
+import logging
+from typing import List, Optional, Tuple
+from sqlalchemy import select, insert, update, func
+
+from database.client import get_db_session, as_dict
+from database.db_models import AgentInfo, ToolInstance, AgentRelation, AgentVersion
+
+logger = logging.getLogger("agent_version_db")
+
+# Version source types
+SOURCE_TYPE_NORMAL = "NORMAL"
+SOURCE_TYPE_ROLLBACK = "ROLLBACK"
+
+# Version statuses
+STATUS_RELEASED = "RELEASED"
+STATUS_DISABLED = "DISABLED"
+STATUS_ARCHIVED = "ARCHIVED"
+
+
+def search_version_by_version_no(
+    agent_id: int,
+    tenant_id: str,
+    version_no: int,
+) -> Optional[dict]:
+    """
+    Search version metadata by version_no
+    """
+    with get_db_session() as session:
+        version = session.query(AgentVersion).filter(
+            AgentVersion.agent_id == agent_id,
+            AgentVersion.tenant_id == tenant_id,
+            AgentVersion.version_no == version_no,
+            AgentVersion.delete_flag == 'N',
+        ).first()
+        return as_dict(version) if version else None
+
+
+def search_version_by_id(
+    version_id: int,
+    tenant_id: str,
+) -> Optional[dict]:
+    """
+    Search version metadata by id
+    """
+    with get_db_session() as session:
+        version = session.query(AgentVersion).filter(
+            AgentVersion.id == version_id,
+            AgentVersion.tenant_id == tenant_id,
+            AgentVersion.delete_flag == 'N',
+        ).first()
+        return as_dict(version) if version else None
+
+def query_version_list(
+    agent_id: int,
+    tenant_id: str,
+) -> List[dict]:
+    """
+    Query version list for an agent
+    """
+    with get_db_session() as session:
+        versions = session.query(AgentVersion).filter(
+            AgentVersion.agent_id == agent_id,
+            AgentVersion.tenant_id == tenant_id,
+            AgentVersion.delete_flag == 'N',
+        ).order_by(AgentVersion.version_no.desc()).all()
+
+        return [as_dict(v) for v in versions]
+
+
+def query_current_version_no(
+    agent_id: int,
+    tenant_id: str,
+) -> Optional[int]:
+    """
+    Query current published version_no from agent draft (version_no=0)
+    """
+    with get_db_session() as session:
+        agent = session.query(AgentInfo).filter(
+            AgentInfo.agent_id == agent_id,
+            AgentInfo.tenant_id == tenant_id,
+            AgentInfo.version_no == 0,
+            AgentInfo.delete_flag == 'N',
+        ).first()
+        return agent.current_version_no if agent else None
+
+
+def query_agent_snapshot(
+    agent_id: int,
+    tenant_id: str,
+    version_no: int,
+) -> Tuple[Optional[dict], List[dict], List[dict]]:
+    """
+    Query agent snapshot data (agent_info, tools, relations) for a specific version
+    """
+    with get_db_session() as session:
+        # Query agent info snapshot
+        agent = session.query(AgentInfo).filter(
+            AgentInfo.agent_id == agent_id,
+            AgentInfo.tenant_id == tenant_id,
+            AgentInfo.version_no == version_no,
+            AgentInfo.delete_flag == 'N',
+        ).first()
+
+        # Query tool instances snapshot
+        tools = session.query(ToolInstance).filter(
+            ToolInstance.agent_id == agent_id,
+            ToolInstance.tenant_id == tenant_id,
+            ToolInstance.version_no == version_no,
+            ToolInstance.delete_flag == 'N',
+        ).all()
+
+        # Query relations snapshot
+        relations = session.query(AgentRelation).filter(
+            AgentRelation.parent_agent_id == agent_id,
+            AgentRelation.tenant_id == tenant_id,
+            AgentRelation.version_no == version_no,
+            AgentRelation.delete_flag == 'N',
+        ).all()
+
+        agent_dict = as_dict(agent) if agent else None
+        tools_list = [as_dict(t) for t in tools]
+        relations_list = [as_dict(r) for r in relations]
+
+        return agent_dict, tools_list, relations_list
+
+
+def query_agent_draft(
+    agent_id: int,
+    tenant_id: str,
+) -> Tuple[Optional[dict], List[dict], List[dict]]:
+    """
+    Query agent draft data (version_no=0)
+    """
+    return query_agent_snapshot(agent_id, tenant_id, version_no=0)
+
+
+def insert_version(
+    version_data: dict,
+) -> int:
+    """
+    Insert a new version metadata record
+    Returns: version id
+    """
+    with get_db_session() as session:
+        result = session.execute(
+            insert(AgentVersion).values(**version_data).returning(AgentVersion.id)
+        )
+        return result.scalar_one()
+
+
+def update_version_status(
+    agent_id: int,
+    tenant_id: str,
+    version_no: int,
+    status: str,
+    updated_by: str,
+) -> int:
+    """
+    Update version status
+    Returns: number of rows affected
+    """
+    with get_db_session() as session:
+        result = session.execute(
+            update(AgentVersion)
+            .where(
+                AgentVersion.agent_id == agent_id,
+                AgentVersion.tenant_id == tenant_id,
+                AgentVersion.version_no == version_no,
+                AgentVersion.delete_flag == 'N',
+            )
+            .values(status=status, updated_by=updated_by, update_time=func.now())
+        )
+        return result.rowcount
+
+
+def update_agent_current_version(
+    agent_id: int,
+    tenant_id: str,
+    current_version_no: int,
+) -> int:
+    """
+    Update agent draft's current_version_no
+    Returns: number of rows affected
+    """
+    with get_db_session() as session:
+        result = session.execute(
+            update(AgentInfo)
+            .where(
+                AgentInfo.agent_id == agent_id,
+                AgentInfo.tenant_id == tenant_id,
+                AgentInfo.version_no == 0,
+                AgentInfo.delete_flag == 'N',
+            )
+            .values(current_version_no=current_version_no)
+        )
+        return result.rowcount
+
+
+def insert_agent_snapshot(
+    agent_data: dict,
+) -> None:
+    """
+    Insert agent snapshot (copy from draft to new version)
+    """
+    with get_db_session() as session:
+        session.execute(insert(AgentInfo).values(**agent_data))
+
+
+def insert_tool_snapshot(
+    tool_data: dict,
+) -> None:
+    """
+    Insert tool instance snapshot
+    """
+    with get_db_session() as session:
+        session.execute(insert(ToolInstance).values(**tool_data))
+
+
+def insert_relation_snapshot(
+    relation_data: dict,
+) -> None:
+    """
+    Insert relation snapshot
+    """
+    with get_db_session() as session:
+        session.execute(insert(AgentRelation).values(**relation_data))
+
+
+def update_agent_snapshot(
+    agent_id: int,
+    tenant_id: str,
+    version_no: int,
+    agent_data: dict,
+) -> int:
+    """
+    Update agent snapshot data (used for rollback restore)
+    Returns: number of rows affected
+    """
+    with get_db_session() as session:
+        result = session.execute(
+            update(AgentInfo)
+            .where(
+                AgentInfo.agent_id == agent_id,
+                AgentInfo.tenant_id == tenant_id,
+                AgentInfo.version_no == version_no,
+                AgentInfo.delete_flag == 'N',
+            )
+            .values(**agent_data)
+        )
+        return result.rowcount
+
+
+def delete_agent_snapshot(
+    agent_id: int,
+    tenant_id: str,
+    version_no: int,
+    deleted_by: str,
+) -> int:
+    """
+    Soft delete agent snapshot for a version
+    Returns: number of rows affected
+    """
+    with get_db_session() as session:
+        result = session.execute(
+            update(AgentInfo)
+            .where(
+                AgentInfo.agent_id == agent_id,
+                AgentInfo.tenant_id == tenant_id,
+                AgentInfo.version_no == version_no,
+                AgentInfo.delete_flag == 'N',
+            )
+            .values(delete_flag='Y', updated_by=deleted_by, update_time=func.now())
+        )
+        return result.rowcount
+
+
+def delete_tool_snapshot(
+    agent_id: int,
+    tenant_id: str,
+    version_no: int,
+    deleted_by: str = None,
+) -> int:
+    """
+    Delete all tool snapshots for a version (used before restoring from rollback)
+    Returns: number of rows affected
+    """
+    with get_db_session() as session:
+        values = {'delete_flag': 'Y'}
+        if deleted_by:
+            values['updated_by'] = deleted_by
+            values['update_time'] = func.now()
+        result = session.execute(
+            update(ToolInstance)
+            .where(
+                ToolInstance.agent_id == agent_id,
+                ToolInstance.tenant_id == tenant_id,
+                ToolInstance.version_no == version_no,
+                ToolInstance.delete_flag == 'N',
+            )
+            .values(**values)
+        )
+        return result.rowcount
+
+
+def delete_relation_snapshot(
+    agent_id: int,
+    tenant_id: str,
+    version_no: int,
+    deleted_by: str = None,
+) -> int:
+    """
+    Delete all relation snapshots for a version (used before restoring from rollback)
+    Returns: number of rows affected
+    """
+    with get_db_session() as session:
+        values = {'delete_flag': 'Y'}
+        if deleted_by:
+            values['updated_by'] = deleted_by
+            values['update_time'] = func.now()
+        result = session.execute(
+            update(AgentRelation)
+            .where(
+                AgentRelation.parent_agent_id == agent_id,
+                AgentRelation.tenant_id == tenant_id,
+                AgentRelation.version_no == version_no,
+                AgentRelation.delete_flag == 'N',
+            )
+            .values(**values)
+        )
+        return result.rowcount
+
+
+def get_next_version_no(
+    agent_id: int,
+    tenant_id: str,
+) -> int:
+    """
+    Calculate the next version number for an agent
+    """
+    with get_db_session() as session:
+        max_version = session.query(func.max(AgentInfo.version_no)).filter(
+            AgentInfo.agent_id == agent_id,
+            AgentInfo.tenant_id == tenant_id,
+            AgentInfo.delete_flag == 'N',
+        ).scalar()
+        return (max_version or 0) + 1
+
+
+def delete_version(
+    agent_id: int,
+    tenant_id: str,
+    version_no: int,
+    deleted_by: str,
+) -> int:
+    """
+    Soft delete a version by setting delete_flag='Y'
+    Returns: number of rows affected
+    """
+    with get_db_session() as session:
+        logger.info(f"Attempting to delete version: agent_id={agent_id}, tenant_id={tenant_id}, version_no={version_no}, deleted_by={deleted_by}")
+        result = session.execute(
+            update(AgentVersion)
+            .where(
+                AgentVersion.agent_id == agent_id,
+                AgentVersion.tenant_id == tenant_id,
+                AgentVersion.version_no == version_no,
+                AgentVersion.delete_flag == 'N',
+            )
+            .values(delete_flag='Y', updated_by=deleted_by, update_time=func.now())
+        )
+        rows_affected = result.rowcount
+        logger.info(f"Delete version result: rows_affected={rows_affected} for agent_id={agent_id}, tenant_id={tenant_id}, version_no={version_no}")
+        return rows_affected
\ No newline at end of file
diff --git a/backend/database/db_models.py b/backend/database/db_models.py
index 7e6be7a3a..8649b6ae8 100644
--- a/backend/database/db_models.py
+++ b/backend/database/db_models.py
@@ -1,4 +1,4 @@
-from sqlalchemy import BigInteger, Boolean, Column, Integer, JSON, Numeric, Sequence, String, Text, TIMESTAMP
+from sqlalchemy import BigInteger, Boolean, Column, Integer, JSON, Numeric, PrimaryKeyConstraint, Sequence, String, Text, TIMESTAMP
 from sqlalchemy.orm import DeclarativeBase
 from sqlalchemy.sql import func
 
@@ -201,7 +201,9 @@ class AgentInfo(TableBase):
     __tablename__ = "ag_tenant_agent_t"
     __table_args__ = {"schema": SCHEMA}
 
-    agent_id = Column(Integer, primary_key=True, nullable=False, doc="ID")
+    agent_id = Column(Integer, Sequence(
+        "ag_tenant_agent_t_agent_id_seq", schema=SCHEMA), nullable=False, primary_key=True, autoincrement=True, doc="ID")
+    version_no = Column(Integer, default=0, nullable=False, primary_key=True, doc="Version number. 0 = draft/editing state, >=1 = published snapshot")
     name = Column(String(100), doc="Agent name")
     display_name = Column(String(100), doc="Agent display name")
     description = Column(Text, doc="Description")
@@ -223,6 +225,7 @@ class AgentInfo(TableBase):
     business_logic_model_id = Column(Integer, doc="Model ID used for business logic prompt generation, foreign key reference to model_record_t.model_id")
     group_ids = Column(String, doc="Agent group IDs list")
     is_new = Column(Boolean, default=False, doc="Whether this agent is marked as new for the user")
+    current_version_no = Column(Integer, nullable=True, doc="Current published version number. NULL means no version published yet")
 
 
 class ToolInstance(TableBase):
@@ -240,6 +243,7 @@ class ToolInstance(TableBase):
     user_id = Column(String(100), doc="User ID")
     tenant_id = Column(String(100), doc="Tenant ID")
     enabled = Column(Boolean, doc="Enabled")
+    version_no = Column(Integer, default=0, nullable=False, doc="Version number. 0 = draft/editing state, >=1 = published snapshot")
 
 
 class KnowledgeRecord(TableBase):
@@ -342,11 +346,11 @@ class AgentRelation(TableBase):
     __tablename__ = "ag_agent_relation_t"
     __table_args__ = {"schema": SCHEMA}
 
-    relation_id = Column(Integer, primary_key=True,
-                         nullable=False, doc="Relationship ID, primary key")
-    selected_agent_id = Column(Integer, doc="Selected agent ID")
+    relation_id = Column(Integer, primary_key=True, autoincrement=True, nullable=False, doc="Relationship ID, primary key")
+    selected_agent_id = Column(Integer, primary_key=True, doc="Selected agent ID")
     parent_agent_id = Column(Integer, doc="Parent agent ID")
     tenant_id = Column(String(100), doc="Tenant ID")
+    version_no = Column(Integer, default=0, nullable=False, doc="Version number. 0 = draft/editing state, >=1 = published snapshot")
 
 
 class PartnerMappingId(TableBase):
@@ -449,3 +453,22 @@ class RolePermission(SimpleTableBase):
     permission_category = Column(String(30), doc="Permission category")
     permission_type = Column(String(30), doc="Permission type")
     permission_subtype = Column(String(30), doc="Permission subtype")
+
+
+class AgentVersion(TableBase):
+    """
+    Agent version metadata table. Stores version info, release notes, and version lineage.
+    """
+    __tablename__ = "ag_tenant_agent_version_t"
+    __table_args__ = {"schema": SCHEMA}
+
+    id = Column(BigInteger, Sequence("ag_tenant_agent_version_t_id_seq", schema=SCHEMA),
+                primary_key=True, nullable=False, doc="Primary key, auto-increment")
+    tenant_id = Column(String(100), nullable=False, doc="Tenant ID")
+    agent_id = Column(Integer, nullable=False, doc="Agent ID")
+    version_no = Column(Integer, nullable=False, doc="Version number, starts from 1. Does not include 0 (draft)")
+    version_name = Column(String(100), doc="User-defined version name for display")
+    release_note = Column(Text, doc="Release notes / publish remarks")
+    source_version_no = Column(Integer, doc="Source version number. If this version is a rollback, record the source version")
+    source_type = Column(String(30), doc="Source type: NORMAL (normal publish) / ROLLBACK (rollback and republish)")
+    status = Column(String(30), default="RELEASED", doc="Version status: RELEASED / DISABLED / ARCHIVED")
diff --git a/backend/database/group_db.py b/backend/database/group_db.py
index c6a7c1e3a..c222bd489 100644
--- a/backend/database/group_db.py
+++ b/backend/database/group_db.py
@@ -149,7 +149,7 @@ def modify_group(group_id: int, updates: Dict[str, Any], updated_by: Optional[st
 
 def remove_group(group_id: int, updated_by: Optional[str] = None) -> bool:
     """
-    Remove group (soft delete)
+    Remove group (soft delete) and all its user relationships
 
     Args:
         group_id (int): Group ID
@@ -163,11 +163,18 @@ def remove_group(group_id: int, updated_by: Optional[str] = None) -> bool:
         if updated_by:
             update_data["updated_by"] = updated_by
 
+        # Soft delete the group
         result = session.query(TenantGroupInfo).filter(
             TenantGroupInfo.group_id == group_id,
             TenantGroupInfo.delete_flag == "N"
         ).update(update_data, synchronize_session=False)
 
+        # Soft delete all user-group relationships for this group
+        session.query(TenantGroupUser).filter(
+            TenantGroupUser.group_id == group_id,
+            TenantGroupUser.delete_flag == "N"
+        ).update(update_data, synchronize_session=False)
+
         return result > 0
 
 
@@ -322,6 +329,30 @@ def count_group_users(group_id: int) -> int:
         return result
 
 
+def remove_group_users(group_id: int, removed_by: Optional[str] = None) -> int:
+    """
+    Remove all users from a group (soft delete all group-user relationships)
+
+    Args:
+        group_id (int): Group ID
+        removed_by (Optional[str]): User who performed the removal
+
+    Returns:
+        int: Number of group memberships removed
+    """
+    with get_db_session() as session:
+        update_data: Dict[str, Any] = {"delete_flag": "Y"}
+        if removed_by:
+            update_data["updated_by"] = removed_by
+
+        result = session.query(TenantGroupUser).filter(
+            TenantGroupUser.group_id == group_id,
+            TenantGroupUser.delete_flag == "N"
+        ).update(update_data, synchronize_session=False)
+
+        return result
+
+
 def remove_user_from_all_groups(user_id: str, removed_by: str) -> int:
     """
     Remove user from all groups (soft delete)
@@ -344,3 +375,30 @@ def remove_user_from_all_groups(user_id: str, removed_by: str) -> int:
         })
 
         return result
+
+
+def check_group_name_exists(tenant_id: str, group_name: str, exclude_group_id: Optional[int] = None) -> bool:
+    """
+    Check if a group with the given name already exists in the tenant
+
+    Args:
+        tenant_id (str): Tenant ID
+        group_name (str): Group name to check
+        exclude_group_id (Optional[int]): Group ID to exclude (for update operations)
+
+    Returns:
+        bool: True if group name exists, False otherwise
+    """
+    with get_db_session() as session:
+        query = session.query(TenantGroupInfo).filter(
+            TenantGroupInfo.tenant_id == tenant_id,
+            TenantGroupInfo.group_name == group_name,
+            TenantGroupInfo.delete_flag == "N"
+        )
+
+        # Exclude specific group ID for update operations
+        if exclude_group_id is not None:
+            query = query.filter(TenantGroupInfo.group_id != exclude_group_id)
+
+        result = query.first()
+        return result is not None
\ No newline at end of file
diff --git a/backend/database/model_management_db.py b/backend/database/model_management_db.py
index 257320499..cb1c6c69f 100644
--- a/backend/database/model_management_db.py
+++ b/backend/database/model_management_db.py
@@ -1,6 +1,6 @@
 from typing import Any, Dict, List, Optional
 
-from sqlalchemy import and_, func, insert, select, update
+from sqlalchemy import and_, desc, func, insert, select, update
 
 from consts.const import DEFAULT_EXPECTED_CHUNK_SIZE, DEFAULT_MAXIMUM_CHUNK_SIZE
 from .client import as_dict, db_client, get_db_session
@@ -147,6 +147,9 @@ def get_model_records(filters: Optional[Dict[str, Any]], tenant_id: str) -> List
                     conditions.append(getattr(ModelRecord, key) == value)
             stmt = stmt.where(and_(*conditions))
 
+        # Order by creation time descending (newest first)
+        stmt = stmt.order_by(desc(ModelRecord.create_time))
+
         # Execute the query
         records = session.scalars(stmt).all()
 
diff --git a/backend/database/tenant_config_db.py b/backend/database/tenant_config_db.py
index 0de398af6..d21572b2e 100644
--- a/backend/database/tenant_config_db.py
+++ b/backend/database/tenant_config_db.py
@@ -1,6 +1,7 @@
 import logging
 from typing import Any, Dict
 
+from sqlalchemy import func
 from sqlalchemy.exc import SQLAlchemyError
 
 from database.client import get_db_session
@@ -141,14 +142,22 @@ def update_config_by_tenant_config_id_and_data(tenant_config_id: int, insert_dat
 
 def get_all_tenant_ids():
     """
-    Get all tenant IDs that have tenant configurations
+    Get all tenant IDs that have tenant configurations, sorted by creation time descending (newest first).
 
     Returns:
-        List[str]: List of tenant IDs
+        List[str]: List of tenant IDs sorted by creation time (newest first)
     """
     with get_db_session() as session:
-        result = session.query(TenantConfig.tenant_id).filter(
+        # Query tenant_ids grouped by tenant_id, ordered by maximum create_time (newest config creation)
+        result = session.query(
+            TenantConfig.tenant_id,
+            func.max(TenantConfig.create_time).label("max_create_time")
+        ).filter(
             TenantConfig.delete_flag == "N"
-        ).distinct().all()
+        ).group_by(
+            TenantConfig.tenant_id
+        ).order_by(
+            func.max(TenantConfig.create_time).desc()
+        ).all()
 
         return [row[0] for row in result]
diff --git a/backend/database/tool_db.py b/backend/database/tool_db.py
index ff9c1488c..0001315a7 100644
--- a/backend/database/tool_db.py
+++ b/backend/database/tool_db.py
@@ -6,31 +6,44 @@
 from database.db_models import ToolInstance, ToolInfo
 
 
-def create_tool(tool_info):
+def create_tool(tool_info, version_no: int = 0):
     """
-    Create ToolInstance in the database based on tenant_id and agent_id, optional user_id.
-    :param tool_info: Dictionary containing tool information
+    Create ToolInstance in the database.
+    Default version_no=0 creates the draft version.
 
-    :return: Created or updated ToolInstance object
+    Args:
+        tool_info: Dictionary containing tool information
+        version_no: Version number. Default 0 = draft/editing state
+
+    Returns:
+        Created ToolInstance object
     """
+    tool_info_dict = tool_info.copy()
+    tool_info_dict.setdefault("version_no", version_no)
+
     with get_db_session() as session:
         # Create a new ToolInstance
         new_tool_instance = ToolInstance(
-            **filter_property(tool_info, ToolInstance))
+            **filter_property(tool_info_dict, ToolInstance))
         session.add(new_tool_instance)
 
 
-def create_or_update_tool_by_tool_info(tool_info, tenant_id: str, user_id: str):
+def create_or_update_tool_by_tool_info(tool_info, tenant_id: str, user_id: str, version_no: int = 0):
     """
-    Create or update a ToolInstance in the database based on tenant_id and agent_id, optional user_id.
+    Create or update a ToolInstance in the database.
+    Default version_no=0 operates on the draft version.
+
+    Args:
+        tool_info: Dictionary containing tool information
+        tenant_id: Tenant ID for filtering, mandatory
+        user_id: Optional user ID for filtering
+        version_no: Version number to filter. Default 0 = draft/editing state
 
-    :param tool_info: Dictionary containing tool information
-    :param tenant_id: Tenant ID for filtering, mandatory
-    :param user_id: Optional user ID for filtering
-    :return: Created or updated ToolInstance object
+    Returns:
+        Created or updated ToolInstance object
     """
     tool_info_dict = tool_info.__dict__ | {
-        "tenant_id": tenant_id, "user_id": user_id}
+        "tenant_id": tenant_id, "user_id": user_id, "version_no": version_no}
 
     with get_db_session() as session:
         # Query if there is an existing ToolInstance
@@ -39,7 +52,8 @@ def create_or_update_tool_by_tool_info(tool_info, tenant_id: str, user_id: str):
             ToolInstance.user_id == user_id,
             ToolInstance.agent_id == tool_info_dict['agent_id'],
             ToolInstance.delete_flag != 'Y',
-            ToolInstance.tool_id == tool_info_dict['tool_id']
+            ToolInstance.tool_id == tool_info_dict['tool_id'],
+            ToolInstance.version_no == version_no
         )
         tool_instance = query.first()
         if tool_instance:
@@ -48,7 +62,7 @@ def create_or_update_tool_by_tool_info(tool_info, tenant_id: str, user_id: str):
                 if hasattr(tool_instance, key):
                     setattr(tool_instance, key, value)
         else:
-            create_tool(tool_info_dict)
+            create_tool(tool_info_dict, version_no)
         return tool_instance
 
 
@@ -67,19 +81,26 @@ def query_all_tools(tenant_id: str):
         return [as_dict(tool) for tool in tools]
 
 
-def query_tool_instances_by_id(agent_id: int, tool_id: int, tenant_id: str):
+def query_tool_instances_by_id(agent_id: int, tool_id: int, tenant_id: str, version_no: int = 0):
     """
-    Query ToolInstance in the database based on tenant_id and agent_id, optional user_id.
-    :param agent_id: Agent ID for filtering, mandatory
-    :param tool_id: Tool ID for filtering, mandatory
-    :param tenant_id: Tenant ID for filtering, mandatory
-    :return: List of ToolInstance objects
+    Query ToolInstance in the database.
+    Default version_no=0 queries the draft version.
+
+    Args:
+        agent_id: Agent ID for filtering, mandatory
+        tool_id: Tool ID for filtering, mandatory
+        tenant_id: Tenant ID for filtering, mandatory
+        version_no: Version number to filter. Default 0 = draft/editing state
+
+    Returns:
+        ToolInstance object or None
     """
     with get_db_session() as session:
         query = session.query(ToolInstance).filter(
             ToolInstance.tenant_id == tenant_id,
             ToolInstance.agent_id == agent_id,
             ToolInstance.tool_id == tool_id,
+            ToolInstance.version_no == version_no,
             ToolInstance.delete_flag != 'Y')
         tool_instance = query.first()
         if tool_instance:
@@ -100,16 +121,23 @@ def query_tools_by_ids(tool_id_list: List[int]):
         return [as_dict(tool) for tool in tools]
 
 
-def query_all_enabled_tool_instances(agent_id: int, tenant_id: str):
+def query_all_enabled_tool_instances(agent_id: int, tenant_id: str, version_no: int = 0):
     """
-    Query ToolInstance in the database based on tenant_id and agent_id, optional user_id.
-    :param tenant_id: Tenant ID for filtering, mandatory
-    :param agent_id: Optional agent ID for filtering
-    :return: List of ToolInstance objects
+    Query enabled ToolInstance in the database.
+    Default version_no=0 queries the draft version.
+
+    Args:
+        agent_id: Agent ID for filtering, mandatory
+        tenant_id: Tenant ID for filtering, mandatory
+        version_no: Version number to filter. Default 0 = draft/editing state
+
+    Returns:
+        List of ToolInstance objects
     """
     with get_db_session() as session:
         query = session.query(ToolInstance).filter(
             ToolInstance.tenant_id == tenant_id,
+            ToolInstance.version_no == version_no,
             ToolInstance.delete_flag != 'Y',
             ToolInstance.enabled,
             ToolInstance.agent_id == agent_id)
@@ -117,6 +145,48 @@ def query_all_enabled_tool_instances(agent_id: int, tenant_id: str):
         return [as_dict(tool) for tool in tools]
 
 
+def query_tool_instances_by_agent_id(agent_id: int, tenant_id: str, version_no: int = 0):
+    """
+    Query all ToolInstance for an agent (regardless of enabled status).
+    Default version_no=0 queries the draft version.
+
+    Args:
+        agent_id: Agent ID for filtering, mandatory
+        tenant_id: Tenant ID for filtering, mandatory
+        version_no: Version number to filter. Default 0 = draft/editing state
+
+    Returns:
+        List of ToolInstance objects
+    """
+    with get_db_session() as session:
+        query = session.query(ToolInstance).filter(
+            ToolInstance.tenant_id == tenant_id,
+            ToolInstance.agent_id == agent_id,
+            ToolInstance.version_no == version_no,
+            ToolInstance.delete_flag != 'Y')
+        tools = query.all()
+        return [as_dict(tool) for tool in tools]
+
+
+def check_tool_list_initialized(tenant_id: str) -> bool:
+    """
+    Check if tool list has been initialized for the tenant.
+
+    Args:
+        tenant_id: Tenant ID to check
+
+    Returns:
+        True if tools have been initialized, False otherwise
+    """
+    with get_db_session() as session:
+        # Check if any tools exist for this tenant
+        count = session.query(ToolInfo).filter(
+            ToolInfo.delete_flag != 'Y',
+            ToolInfo.author == tenant_id
+        ).count()
+        return count > 0
+
+
 def update_tool_table_from_scan_tool_list(tenant_id: str, user_id: str, tool_list: List[ToolInfo]):
     """
     scan all tools and update the tool table in PG database, remove the duplicate tools
@@ -175,12 +245,25 @@ def add_tool_field(tool_info):
         return tool_info
 
 
-def search_tools_for_sub_agent(agent_id, tenant_id):
+def search_tools_for_sub_agent(agent_id, tenant_id, version_no: int = 0):
+    """
+    Query enabled tools for a sub-agent.
+    Default version_no=0 queries the draft version.
+
+    Args:
+        agent_id: Agent ID
+        tenant_id: Tenant ID
+        version_no: Version number to filter. Default 0 = draft/editing state
+
+    Returns:
+        List of tool instance dictionaries
+    """
     with get_db_session() as session:
         # query if there is an existing ToolInstance
         query = session.query(ToolInstance).filter(
             ToolInstance.agent_id == agent_id,
             ToolInstance.tenant_id == tenant_id,
+            ToolInstance.version_no == version_no,
             ToolInstance.delete_flag != 'Y',
             ToolInstance.enabled
         )
@@ -205,22 +288,47 @@ def check_tool_is_available(tool_id_list: List[int]):
         return [tool.is_available for tool in tools]
 
 
-def delete_tools_by_agent_id(agent_id, tenant_id, user_id):
+def delete_tools_by_agent_id(agent_id, tenant_id, user_id, version_no: int = 0):
+    """
+    Delete all tool instances for an agent.
+    Default version_no=0 deletes the draft version.
+
+    Args:
+        agent_id: Agent ID
+        tenant_id: Tenant ID
+        user_id: User ID
+        version_no: Version number to filter. Default 0 = draft/editing state
+    """
     with get_db_session() as session:
         session.query(ToolInstance).filter(
             ToolInstance.agent_id == agent_id,
-            ToolInstance.tenant_id == tenant_id
+            ToolInstance.tenant_id == tenant_id,
+            ToolInstance.version_no == version_no
         ).update({
             ToolInstance.delete_flag: 'Y', 'updated_by': user_id
         })
 
-def search_last_tool_instance_by_tool_id(tool_id: int, tenant_id: str, user_id: str):
+def search_last_tool_instance_by_tool_id(tool_id: int, tenant_id: str, user_id: str, version_no: int = 0):
+    """
+    Query the latest ToolInstance by tool_id.
+    Default version_no=0 queries the draft version.
+
+    Args:
+        tool_id: Tool ID
+        tenant_id: Tenant ID
+        user_id: User ID
+        version_no: Version number to filter. Default 0 = draft/editing state
+
+    Returns:
+        ToolInstance object or None
+    """
     with get_db_session() as session:
         query = session.query(ToolInstance).filter(
             ToolInstance.tool_id == tool_id,
             ToolInstance.tenant_id == tenant_id,
             ToolInstance.user_id == user_id,
+            ToolInstance.version_no == version_no,
             ToolInstance.delete_flag != 'Y'
-        ).order_by(ToolInstance.update_time.desc()) 
+        ).order_by(ToolInstance.update_time.desc())
         tool_instance = query.first()
         return as_dict(tool_instance) if tool_instance else None
\ No newline at end of file
diff --git a/backend/prompts/analyze_file.yaml b/backend/prompts/analyze_file_zh.yaml
similarity index 100%
rename from backend/prompts/analyze_file.yaml
rename to backend/prompts/analyze_file_zh.yaml
diff --git a/backend/prompts/cluster_summary_agent.yaml b/backend/prompts/cluster_summary_agent_en.yaml
similarity index 100%
rename from backend/prompts/cluster_summary_agent.yaml
rename to backend/prompts/cluster_summary_agent_en.yaml
diff --git a/backend/prompts/cluster_summary_agent_zh.yaml b/backend/prompts/cluster_summary_agent_zh.yaml
new file mode 100644
index 000000000..6c643a789
--- /dev/null
+++ b/backend/prompts/cluster_summary_agent_zh.yaml
@@ -0,0 +1,24 @@
+system_prompt: |-
+  你是一个专业的知识总结助手。你的任务是根据多个文档生成一个简洁的总结。
+  
+  **总结要求：**
+  1. 输入包含多个文档（每个文档有标题和内容片段）
+  2. 你需要提取这些文档的共同主题和关键话题
+  3. 生成一个总结，代表这组文档的集体内容
+  4. 总结应准确、连贯且自然语言
+  5. 保持在指定的字数限制内
+  
+  **指导原则：**
+  - 专注于识别共同主题和话题
+  - 突出关键概念、领域或主题
+  - 使用清晰简洁的语言
+  - 除非必要，避免列出单个文档标题
+  - 总结应帮助用户理解这组文档涵盖的内容
+
+user_prompt: |
+  请生成以下文档簇的简洁总结：
+  
+  {{ cluster_content }}
+  
+  总结（{{ max_words }}字）：
+
diff --git a/backend/prompts/cluster_summary_reduce.yaml b/backend/prompts/cluster_summary_reduce_en.yaml
similarity index 61%
rename from backend/prompts/cluster_summary_reduce.yaml
rename to backend/prompts/cluster_summary_reduce_en.yaml
index ece360813..f860720d5 100644
--- a/backend/prompts/cluster_summary_reduce.yaml
+++ b/backend/prompts/cluster_summary_reduce_en.yaml
@@ -1,31 +1,30 @@
 system_prompt: |-
-  You are a professional cluster summarization assistant. Your task is to merge multiple document summaries into a cohesive cluster summary.
-  
+  You are a professional summary assistant. Your task is to merge multiple document summaries into a coherent summary.
+
   **Summary Requirements:**
-  1. The input contains summaries of multiple documents that belong to the same cluster
-  2. These documents share similar themes or topics (grouped by clustering)
+  1. The input contains summaries of multiple documents that are related
+  2. These documents share similar themes or topics
   3. You need to synthesize a unified summary that captures the collective content
   4. The summary should highlight common themes and key information across documents
   5. Keep the summary within the specified word limit
-  
+
   **Guidelines:**
   - Identify shared themes and topics across documents
   - Highlight common concepts and subject matter
   - Use clear and concise language
   - Avoid listing individual document titles unless necessary
   - Focus on what this group of documents collectively covers
-  - The summary should be coherent and represent the cluster's unified content
+  - The summary should be coherent and represent the unified content
   - **Important: Do not use any separators (like ---, ***, etc.), generate plain text summary only**
 
 user_prompt: |
-  Please generate a unified summary of the following document cluster based on individual document summaries:
-  
+  Please generate a unified summary of the following documents based on individual document summaries:
+
   {{ document_summaries }}
-  
+
   **Important Reminders:**
   - Do not use any separators (like ---, ***, ===, etc.)
   - Do not include document titles or filenames
   - Generate plain text summary content only
-  
-  Cluster Summary ({{ max_words }} words):
 
+  Summary (no more than {{ max_words }} words):
\ No newline at end of file
diff --git a/backend/prompts/cluster_summary_reduce_zh.yaml b/backend/prompts/cluster_summary_reduce_zh.yaml
index f6ef4a641..59a50b025 100644
--- a/backend/prompts/cluster_summary_reduce_zh.yaml
+++ b/backend/prompts/cluster_summary_reduce_zh.yaml
@@ -1,9 +1,9 @@
 system_prompt: |-
-  你是一个专业的簇总结助手。你的任务是将多个文档总结合并为一个连贯的簇总结。
+  你是一个专业的总结助手。你的任务是将多个文档总结合并为一个连贯的总结。
   
   **总结要求：**
-  1. 输入包含属于同一簇的多个文档的总结
-  2. 这些文档共享相似的主题或话题（通过聚类分组）
+  1. 输入包含属于同一主题的多个文档的总结
+  2. 这些文档共享相似的主题或话题
   3. 你需要综合成一个统一的总结，捕捉集合内容
   4. 总结应突出文档间的共同主题和关键信息
   5. 保持在指定的字数限制内
@@ -12,14 +12,14 @@ system_prompt: |-
   - 识别文档间的共同主题和话题
   - 突出共同概念和主题内容
   - 使用清晰简洁的语言
-  - 除非必要，避免列出单个文档标题
+  - 避免列出单个文档标题
   - 专注于这组文档共同涵盖的内容
-  - 总结应连贯且代表簇的统一内容
+  - 总结应连贯且代表所有文档的统一内容
   - 确保准确、全面，明确关键实体，不要遗漏重要信息
   - **重要：不要使用任何分隔符（如---、***等），直接生成纯文本总结**
 
 user_prompt: |
-  请根据以下文档总结生成统一的学生簇总结：
+  请根据以下文档总结生成统一的整体总结：
   
   {{ document_summaries }}
   
@@ -28,5 +28,5 @@ user_prompt: |
   - 不要包含文档标题或文件名
   - 直接生成纯文本总结内容
   
-  簇总结（{{ max_words }}字）：
+  总结（不超过{{ max_words }}字）：
 
diff --git a/backend/prompts/document_summary_agent.yaml b/backend/prompts/document_summary_agent_en.yaml
similarity index 95%
rename from backend/prompts/document_summary_agent.yaml
rename to backend/prompts/document_summary_agent_en.yaml
index 88b4d9a93..e27d3037e 100644
--- a/backend/prompts/document_summary_agent.yaml
+++ b/backend/prompts/document_summary_agent_en.yaml
@@ -24,5 +24,5 @@ user_prompt: |
   Content snippets:
   {{ content }}
   
-  Summary ({{ max_words }} words):
+  Summary (no more than {{ max_words }} words):
 
diff --git a/backend/prompts/document_summary_agent_zh.yaml b/backend/prompts/document_summary_agent_zh.yaml
index 4f443ca38..5819459d3 100644
--- a/backend/prompts/document_summary_agent_zh.yaml
+++ b/backend/prompts/document_summary_agent_zh.yaml
@@ -25,5 +25,5 @@ user_prompt: |
   内容片段：
   {{ content }}
   
-  总结（{{ max_words }}字）：
+  总结（不超过{{ max_words }}字）：
 
diff --git a/backend/prompts/knowledge_summary_agent.yaml b/backend/prompts/knowledge_summary_agent_zh.yaml
similarity index 100%
rename from backend/prompts/knowledge_summary_agent.yaml
rename to backend/prompts/knowledge_summary_agent_zh.yaml
diff --git a/backend/prompts/managed_system_prompt_template.yaml b/backend/prompts/managed_system_prompt_template_zh.yaml
similarity index 100%
rename from backend/prompts/managed_system_prompt_template.yaml
rename to backend/prompts/managed_system_prompt_template_zh.yaml
diff --git a/backend/prompts/manager_system_prompt_template.yaml b/backend/prompts/manager_system_prompt_template_zh.yaml
similarity index 100%
rename from backend/prompts/manager_system_prompt_template.yaml
rename to backend/prompts/manager_system_prompt_template_zh.yaml
diff --git a/backend/prompts/utils/file_processing_messages.yaml b/backend/prompts/utils/file_processing_messages.yaml
deleted file mode 100644
index 04c0f188c..000000000
--- a/backend/prompts/utils/file_processing_messages.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-FILE_CONTENT_SUCCESS: "文件 {filename} 内容: {content}"
-FILE_CONTENT_ERROR: "文件 {filename} 内容: 处理文本文件 {filename} 时出错: {error}"
-FILE_PROCESSING_ERROR: "文件处理失败 (状态码: {status_code}): {error_detail}"
-IMAGE_CONTENT_SUCCESS: "图片文件 {filename} 内容: {content}"
-IMAGE_CONTENT_ERROR: "图片文件 {filename} 内容: 处理图片文件 {filename} 时出错: {error}"
diff --git a/backend/prompts/utils/file_processing_messages_en.yaml b/backend/prompts/utils/file_processing_messages_en.yaml
deleted file mode 100644
index 31e3af5d7..000000000
--- a/backend/prompts/utils/file_processing_messages_en.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-FILE_CONTENT_SUCCESS: "File {filename} content: {content}"
-FILE_CONTENT_ERROR: "File {filename} content: Error processing text file {filename}: {error}"
-FILE_PROCESSING_ERROR: "File processing failed (status code: {status_code}): {error_detail}"
-IMAGE_CONTENT_SUCCESS: "Image file {filename} content: {content}"
-IMAGE_CONTENT_ERROR: "Image file {filename} content: Error processing image file {filename}: {error}"
diff --git a/backend/prompts/utils/generate_title.yaml b/backend/prompts/utils/generate_title_zh.yaml
similarity index 100%
rename from backend/prompts/utils/generate_title.yaml
rename to backend/prompts/utils/generate_title_zh.yaml
diff --git a/backend/prompts/utils/prompt_generate.yaml b/backend/prompts/utils/prompt_generate_zh.yaml
similarity index 100%
rename from backend/prompts/utils/prompt_generate.yaml
rename to backend/prompts/utils/prompt_generate_zh.yaml
diff --git a/backend/pyproject.toml b/backend/pyproject.toml
index af0d10ef4..65e27107a 100644
--- a/backend/pyproject.toml
+++ b/backend/pyproject.toml
@@ -25,7 +25,8 @@ data-process = [
     "celery>=5.3.6",
     "flower>=2.0.1",
     "nest_asyncio>=1.5.6",
-    "unstructured[csv,docx,pdf,pptx,xlsx,md]==0.18.14"
+    "unstructured[csv,docx,pdf,pptx,xlsx,md]==0.18.14",
+    "huggingface_hub>=0.19.0,<0.21.0"
 ]
 test = [
     "pytest",
diff --git a/backend/services/agent_service.py b/backend/services/agent_service.py
index 868f5076b..8acdd8b28 100644
--- a/backend/services/agent_service.py
+++ b/backend/services/agent_service.py
@@ -15,7 +15,9 @@
 from agents.agent_run_manager import agent_run_manager
 from agents.create_agent_info import create_agent_run_info, create_tool_config_list
 from agents.preprocess_manager import preprocess_manager
-from consts.const import MEMORY_SEARCH_START_MSG, MEMORY_SEARCH_DONE_MSG, MEMORY_SEARCH_FAIL_MSG, TOOL_TYPE_MAPPING, LANGUAGE, MESSAGE_ROLE, MODEL_CONFIG_MAPPING
+from services.agent_version_service import publish_version_impl
+from consts.const import MEMORY_SEARCH_START_MSG, MEMORY_SEARCH_DONE_MSG, MEMORY_SEARCH_FAIL_MSG, TOOL_TYPE_MAPPING, \
+    LANGUAGE, MESSAGE_ROLE, MODEL_CONFIG_MAPPING, CAN_EDIT_ALL_USER_ROLES, PERMISSION_EDIT, PERMISSION_READ
 from consts.exceptions import MemoryPreparationException
 from consts.model import (
     AgentInfoRequest,
@@ -52,9 +54,11 @@
     query_all_enabled_tool_instances,
     query_all_tools,
     query_tool_instances_by_id,
+    query_tool_instances_by_agent_id,
     search_tools_for_sub_agent
 )
 from database.group_db import query_group_ids_by_user
+from database.user_tenant_db import get_user_tenant_by_user_id
 from utils.str_utils import convert_list_to_string, convert_string_to_list
 from services.conversation_management_service import save_conversation_assistant, save_conversation_user
 from services.memory_config_service import build_memory_context
@@ -704,9 +708,9 @@ async def get_creating_sub_agent_id_service(tenant_id: str, user_id: str = None)
         return create_agent(agent_info={"enabled": False}, tenant_id=tenant_id, user_id=user_id)["agent_id"]
 
 
-async def get_agent_info_impl(agent_id: int, tenant_id: str):
+async def get_agent_info_impl(agent_id: int, tenant_id: str, version_no: int = 0):
     try:
-        agent_info = search_agent_info_by_agent_id(agent_id, tenant_id)
+        agent_info = search_agent_info_by_agent_id(agent_id, tenant_id, version_no)
     except Exception as e:
         logger.error(f"Failed to get agent info: {str(e)}")
         raise ValueError(f"Failed to get agent info: {str(e)}")
@@ -824,7 +828,7 @@ async def update_agent_info_impl(request: AgentInfoRequest, authorization: str =
             agent_id = created["agent_id"]
         else:
             # Update agent
-            update_agent(agent_id, request, tenant_id, user_id)
+            update_agent(agent_id, request, user_id)
     except Exception as e:
         logger.error(f"Failed to update agent info: {str(e)}")
         raise ValueError(f"Failed to update agent info: {str(e)}")
@@ -833,23 +837,40 @@ async def update_agent_info_impl(request: AgentInfoRequest, authorization: str =
     try:
         if request.enabled_tool_ids is not None and agent_id is not None:
             enabled_set = set(request.enabled_tool_ids)
-            # Get all tools for current tenant
-            all_tools = query_all_tools(tenant_id=tenant_id)
-            for tool in all_tools:
-                tool_id = tool.get("tool_id")
-                if tool_id is None:
-                    continue
+            # Query existing tool instances for this agent
+            existing_instances = query_tool_instances_by_agent_id(
+                agent_id, tenant_id)
+
+            # Handle unselected tool（already exist instance）→ enabled=False
+            for instance in existing_instances:
+                inst_tool_id = instance.get("tool_id")
+                if inst_tool_id is not None and inst_tool_id not in enabled_set:
+                    create_or_update_tool_by_tool_info(
+                        tool_info=ToolInstanceInfoRequest(
+                            tool_id=inst_tool_id,
+                            agent_id=agent_id,
+                            params=instance.get("params", {}),
+                            enabled=False
+                        ),
+                        tenant_id=tenant_id,
+                        user_id=user_id
+                    )
+
+            # Handle selected tool → enabled=True（create or update）
+            for tool_id in enabled_set:
                 # Keep existing params if any
-                existing_instance = query_tool_instances_by_id(
-                    agent_id, tool_id, tenant_id)
-                params = (existing_instance or {}).get(
-                    "params", {}) if existing_instance else {}
+                existing_instance = next(
+                    (inst for inst in existing_instances
+                     if inst.get("tool_id") == tool_id),
+                    None
+                )
+                params = (existing_instance or {}).get("params", {})
                 create_or_update_tool_by_tool_info(
                     tool_info=ToolInstanceInfoRequest(
                         tool_id=tool_id,
                         agent_id=agent_id,
                         params=params,
-                        enabled=(tool_id in enabled_set)
+                        enabled=True,
                     ),
                     tenant_id=tenant_id,
                     user_id=user_id
@@ -895,9 +916,15 @@ async def update_agent_info_impl(request: AgentInfoRequest, authorization: str =
     return {"agent_id": agent_id}
 
 
-async def delete_agent_impl(agent_id: int, authorization: str = Header(None)):
-    user_id, tenant_id, _ = get_current_user_info(authorization)
+async def delete_agent_impl(agent_id: int, tenant_id: str, user_id: str):
+    """
+    Delete an agent and all related data.
 
+    Args:
+        agent_id: Agent ID to delete
+        tenant_id: Tenant ID
+        user_id: User ID performing the deletion
+    """
     try:
         delete_agent_by_id(agent_id, tenant_id, user_id)
         delete_agent_relationship(agent_id, tenant_id, user_id)
@@ -1210,6 +1237,17 @@ async def import_agent_by_agent_id(
         tool.agent_id = new_agent_id
         create_or_update_tool_by_tool_info(
             tool_info=tool, tenant_id=tenant_id, user_id=user_id)
+    # Auto-publish initial version v1 for market-imported agents
+    try:
+        publish_version_impl(
+            agent_id=new_agent_id,
+            tenant_id=tenant_id,
+            user_id=user_id,
+            version_name="v1",
+            release_note="Initial version from Agent Market"
+        )
+    except Exception as e:
+        logger.warning(f"Failed to auto-publish version v1 for agent {new_agent_id}: {str(e)}")
     return new_agent_id
 
 
@@ -1244,12 +1282,13 @@ async def clear_agent_new_mark_impl(agent_id: int, tenant_id: str, user_id: str)
 
 
 
-async def list_all_agent_info_impl(tenant_id: str) -> list[dict]:
+async def list_all_agent_info_impl(tenant_id: str, user_id: str) -> list[dict]:
     """
     list all agent info
 
     Args:
         tenant_id (str): tenant id
+        user_id (str): user id (used for permission calculation and filtering)
 
     Raises:
         ValueError: failed to query all agent info
@@ -1258,6 +1297,22 @@ async def list_all_agent_info_impl(tenant_id: str) -> list[dict]:
         list: list of agent info
     """
     try:
+        user_tenant_record = get_user_tenant_by_user_id(user_id) or {}
+        user_role = str(user_tenant_record.get("user_role") or "").upper()
+
+        can_edit_all = user_role in CAN_EDIT_ALL_USER_ROLES
+
+        # For DEV/USER, restrict visible agents to those whose group_ids overlap user's groups.
+        user_group_ids: set[int] = set()
+        if not can_edit_all:
+            try:
+                user_group_ids = set(query_group_ids_by_user(user_id) or [])
+            except Exception as e:
+                logger.warning(
+                    f"Failed to query user group ids for filtering: user_id={user_id}, err={str(e)}"
+                )
+                user_group_ids = set()
+
         agent_list = query_all_agent_info_by_tenant_id(tenant_id=tenant_id)
 
         model_cache: Dict[int, Optional[dict]] = {}
@@ -1267,6 +1322,12 @@ async def list_all_agent_info_impl(tenant_id: str) -> list[dict]:
             if not agent["enabled"]:
                 continue
 
+            # Apply visibility filter for DEV/USER based on group overlap
+            if not can_edit_all:
+                agent_group_ids = set(convert_string_to_list(agent.get("group_ids")))
+                if len(user_group_ids.intersection(agent_group_ids)) == 0:
+                    continue
+
             # Use shared availability check function
             _, unavailable_reasons = check_agent_availability(
                 agent_id=agent["agent_id"],
@@ -1297,6 +1358,8 @@ async def list_all_agent_info_impl(tenant_id: str) -> list[dict]:
                     model_cache[model_id] = get_model_by_model_id(model_id, tenant_id)
                 model_info = model_cache.get(model_id)
 
+            permission = PERMISSION_EDIT if can_edit_all or str(agent.get("created_by")) == str(user_id) else PERMISSION_READ
+
             simple_agent_list.append({
                 "agent_id": agent["agent_id"],
                 "name": agent["name"] if agent["name"] else agent["display_name"],
@@ -1309,7 +1372,9 @@ async def list_all_agent_info_impl(tenant_id: str) -> list[dict]:
                 "is_available": len(unavailable_reasons) == 0,
                 "unavailable_reasons": unavailable_reasons,
                 "is_new": agent.get("is_new", False),
-                "group_ids": convert_string_to_list(agent.get("group_ids"))
+                "group_ids": convert_string_to_list(agent.get("group_ids")),
+                "permission": permission,
+                "is_published": agent.get("current_version_no") is not None,
             })
 
         return simple_agent_list
diff --git a/backend/services/agent_version_service.py b/backend/services/agent_version_service.py
new file mode 100644
index 000000000..6e013307c
--- /dev/null
+++ b/backend/services/agent_version_service.py
@@ -0,0 +1,744 @@
+import logging
+from typing import Optional, Tuple, List, Dict, Any
+from sqlalchemy import update
+
+from database.client import get_db_session, as_dict
+from database.db_models import AgentInfo, ToolInstance, AgentRelation
+from database.agent_version_db import (
+    search_version_by_version_no,
+    query_version_list,
+    query_current_version_no,
+    query_agent_snapshot,
+    query_agent_draft,
+    insert_version,
+    update_version_status,
+    update_agent_current_version,
+    insert_agent_snapshot,
+    insert_tool_snapshot,
+    insert_relation_snapshot,
+    delete_agent_snapshot,
+    delete_tool_snapshot,
+    delete_relation_snapshot,
+    get_next_version_no,
+    delete_version,
+    SOURCE_TYPE_NORMAL,
+    SOURCE_TYPE_ROLLBACK,
+    STATUS_RELEASED,
+    STATUS_DISABLED,
+    STATUS_ARCHIVED,
+)
+from database.model_management_db import get_model_by_model_id
+from utils.str_utils import convert_string_to_list
+
+logger = logging.getLogger("agent_version_service")
+
+
+def _remove_audit_fields_for_insert(data: dict) -> None:
+    """
+    Remove audit fields that should not be copied during snapshot
+    """
+    data.pop('create_time', None)
+    data.pop('update_time', None)
+    data.pop('created_by', None)
+    data.pop('updated_by', None)
+    data.pop('delete_flag', None)
+
+
+def publish_version_impl(
+    agent_id: int,
+    tenant_id: str,
+    user_id: str,
+    version_name: Optional[str] = None,
+    release_note: Optional[str] = None,
+    source_type: str = SOURCE_TYPE_NORMAL,
+    source_version_no: Optional[int] = None,
+) -> dict:
+    """
+    Publish a new version
+    1. Copy draft data (version_no=0) to new version
+    2. Create version metadata record
+    3. Update current_version_no
+    """
+    # Get draft data
+    agent_draft, tools_draft, relations_draft = query_agent_draft(agent_id, tenant_id)
+    if not agent_draft:
+        raise ValueError("Agent draft not found")
+
+    # Calculate new version number
+    new_version_no = get_next_version_no(agent_id, tenant_id)
+
+    # Prepare agent snapshot data
+    agent_snapshot = agent_draft.copy()
+    agent_snapshot.pop('version_no', None)
+    agent_snapshot.pop('current_version_no', None)
+    agent_snapshot['version_no'] = new_version_no
+    _remove_audit_fields_for_insert(agent_snapshot)
+
+    # Insert agent snapshot
+    insert_agent_snapshot(agent_snapshot)
+
+    # Insert tool snapshots
+    for tool in tools_draft:
+        tool_snapshot = tool.copy()
+        tool_snapshot.pop('version_no', None)
+        tool_snapshot['version_no'] = new_version_no
+        _remove_audit_fields_for_insert(tool_snapshot)
+        insert_tool_snapshot(tool_snapshot)
+
+    # Insert relation snapshots
+    for rel in relations_draft:
+        rel_snapshot = rel.copy()
+        rel_snapshot.pop('version_no', None)
+        rel_snapshot['version_no'] = new_version_no
+        _remove_audit_fields_for_insert(rel_snapshot)
+        insert_relation_snapshot(rel_snapshot)
+
+    # Create version metadata
+    version_data = {
+        'tenant_id': tenant_id,
+        'agent_id': agent_id,
+        'version_no': new_version_no,
+        'version_name': version_name,
+        'release_note': release_note,
+        'source_type': source_type,
+        'source_version_no': source_version_no,
+        'status': STATUS_RELEASED,
+        'created_by': user_id,
+    }
+    version_id = insert_version(version_data)
+
+    # Update current_version_no in draft
+    update_agent_current_version(agent_id, tenant_id, new_version_no)
+
+    return {
+        "id": version_id,
+        "version_no": new_version_no,
+        "message": "Version published successfully",
+    }
+
+
+def get_version_list_impl(
+    agent_id: int,
+    tenant_id: str,
+) -> dict:
+    """
+    Get version list for an agent
+    """
+    items = query_version_list(
+        agent_id=agent_id,
+        tenant_id=tenant_id,
+    )
+    total = len(items)
+    return {
+        "items": items,
+        "total": total,
+    }
+
+
+def get_version_impl(
+    agent_id: int,
+    tenant_id: str,
+    version_no: int,
+) -> dict:
+    """
+    Get version
+    """
+    return search_version_by_version_no(agent_id, tenant_id, version_no)
+
+
+def get_version_detail_impl(
+    agent_id: int,
+    tenant_id: str,
+    version_no: int,
+) -> dict:
+    """
+    Get version detail including snapshot data, structured like agent info.
+    Returns agent info with tools, sub_agents, availability, etc.
+    """
+    result: Dict[str, Any] = {}
+
+    # Get version metadata first
+    version = search_version_by_version_no(agent_id, tenant_id, version_no)
+    if not version:
+        raise ValueError(f"Version {version_no} not found")
+
+    # Add version metadata as a nested object
+    result['version'] = {
+        'version_name': version.get('version_name'),
+        'version_status': version.get('status'),
+        'release_note': version.get('release_note'),
+        'source_type': version.get('source_type'),
+        'source_version_no': version.get('source_version_no'),
+    }
+
+    # Get snapshot data
+    agent_snapshot, tools_snapshot, relations_snapshot = query_agent_snapshot(
+        agent_id=agent_id,
+        tenant_id=tenant_id,
+        version_no=version_no,
+    )
+
+    if not agent_snapshot:
+        raise ValueError(f"Agent snapshot for version {version_no} not found")
+
+    # Copy all fields from agent_snapshot (excluding current_version_no as it has no meaning for version snapshot)
+    for key, value in agent_snapshot.items():
+        if key != 'current_version_no':
+            result[key] = value
+
+    # Add tools
+    result['tools'] = tools_snapshot
+
+    # Extract sub_agent_id_list from relations
+    result['sub_agent_id_list'] = [r['selected_agent_id'] for r in relations_snapshot]
+
+    # Get model name from model_id
+    if result.get('model_id') is not None and result['model_id'] != 0:
+        model_info = get_model_by_model_id(result['model_id'])
+        result['model_name'] = model_info.get('display_name', None) if model_info else None
+    else:
+        result['model_name'] = None
+
+    # Get business logic model name
+    if result.get('business_logic_model_id') is not None and result['business_logic_model_id'] != 0:
+        business_logic_model_info = get_model_by_model_id(result['business_logic_model_id'])
+        result['business_logic_model_name'] = business_logic_model_info.get('display_name', None) if business_logic_model_info else None
+    else:
+        result['business_logic_model_name'] = None
+
+    # Convert group_ids string to list
+    if result.get('group_ids') is not None:
+        result['group_ids'] = convert_string_to_list(result.get('group_ids', ''))
+    else:
+        result['group_ids'] = []
+
+    # Build tool instances list for availability check
+    tool_instances_for_check = []
+    for tool in tools_snapshot:
+        tool_instance = {
+            'id': tool.get('tool_id'),
+            'enabled': tool.get('enabled', True),
+            'tool_id': tool.get('tool_id'),
+        }
+        tool_instances_for_check.append(tool_instance)
+
+    # Check agent availability
+    is_available, unavailable_reasons = _check_version_snapshot_availability(
+        agent_id=agent_id,
+        tenant_id=tenant_id,
+        agent_info=result,
+        tool_instances=tool_instances_for_check,
+    )
+    result['is_available'] = is_available
+    result['unavailable_reasons'] = unavailable_reasons
+
+    return result
+
+
+def _check_version_snapshot_availability(
+    agent_id: int,
+    tenant_id: str,
+    agent_info: dict,
+    tool_instances: List[dict],
+) -> Tuple[bool, List[str]]:
+    """
+    Check if a version snapshot agent is available.
+    Simplified version of check_agent_availability for snapshots.
+    """
+    unavailable_reasons: List[str] = []
+
+    # Check if agent info exists
+    if not agent_info:
+        return False, ["agent_not_found"]
+
+    # Check model availability
+    model_id = agent_info.get('model_id')
+    if model_id is None or model_id == 0:
+        unavailable_reasons.append("model_not_configured")
+
+    # Check tools availability
+    if not tool_instances:
+        unavailable_reasons.append("no_tools")
+    else:
+        # Check if at least one tool is enabled
+        has_enabled_tool = any(t.get('enabled', True) for t in tool_instances)
+        if not has_enabled_tool:
+            unavailable_reasons.append("all_tools_disabled")
+
+    return len(unavailable_reasons) == 0, unavailable_reasons
+
+
+def rollback_version_impl(
+    agent_id: int,
+    tenant_id: str,
+    target_version_no: int,
+) -> dict:
+    """
+    Rollback to a specific version by updating current_version_no only.
+    This does NOT create a new version - it simply points the draft to an existing version.
+    The actual version creation happens when user clicks "publish".
+
+    Args:
+        agent_id: Agent ID
+        tenant_id: Tenant ID
+        target_version_no: The version number to rollback to
+
+    Returns:
+        Success message with target version info
+    """
+    # Verify the target version exists
+    version = search_version_by_version_no(agent_id, tenant_id, target_version_no)
+    if not version:
+        raise ValueError(f"Version {target_version_no} not found")
+
+    # Update current_version_no in draft to point to target version
+    rows_affected = update_agent_current_version(
+        agent_id=agent_id,
+        tenant_id=tenant_id,
+        current_version_no=target_version_no,
+    )
+
+    if rows_affected == 0:
+        raise ValueError("Agent draft not found")
+
+    return {
+        "message": f"Successfully rolled back to version {target_version_no}",
+        "version_no": target_version_no,
+        "version_name": version.get("version_name"),
+    }
+
+
+def update_version_status_impl(
+    agent_id: int,
+    tenant_id: str,
+    user_id: str,
+    version_no: int,
+    status: str,
+) -> dict:
+    """
+    Update version status (DISABLED / ARCHIVED)
+    """
+    valid_statuses = [STATUS_DISABLED, STATUS_ARCHIVED]
+    if status not in valid_statuses:
+        raise ValueError(f"Invalid status. Must be one of: {valid_statuses}")
+
+    rows_affected = update_version_status(
+        agent_id=agent_id,
+        tenant_id=tenant_id,
+        version_no=version_no,
+        status=status,
+        updated_by=user_id,
+    )
+
+    if rows_affected == 0:
+        raise ValueError(f"Version {version_no} not found")
+
+    return {"message": "Status updated successfully"}
+
+
+def delete_version_impl(
+    agent_id: int,
+    tenant_id: str,
+    user_id: str,
+    version_no: int,
+) -> dict:
+    """
+    Soft delete a version by setting delete_flag='Y'
+    Also soft deletes all related snapshot data (agent, tools, relations) for this version
+    """
+    # Check if version exists
+    version = search_version_by_version_no(agent_id, tenant_id, version_no)
+    if not version:
+        raise ValueError(f"Version {version_no} not found")
+
+    # Prevent deleting the current published version
+    current_version_no = query_current_version_no(agent_id, tenant_id)
+    if current_version_no == version_no:
+        raise ValueError("Cannot delete the current published version")
+
+    # Prevent deleting draft version (version_no=0)
+    if version_no == 0:
+        raise ValueError("Cannot delete draft version")
+
+    # Soft delete version metadata
+    rows_affected = delete_version(
+        agent_id=agent_id,
+        tenant_id=tenant_id,
+        version_no=version_no,
+        deleted_by=user_id,
+    )
+
+    if rows_affected == 0:
+        raise ValueError(f"Version {version_no} not found")
+
+    # Soft delete all related snapshot data for this version
+    # 1. Delete agent snapshot
+    delete_agent_snapshot(
+        agent_id=agent_id,
+        tenant_id=tenant_id,
+        version_no=version_no,
+        deleted_by=user_id,
+    )
+
+    # 2. Delete tool snapshots
+    delete_tool_snapshot(
+        agent_id=agent_id,
+        tenant_id=tenant_id,
+        version_no=version_no,
+        deleted_by=user_id,
+    )
+
+    # 3. Delete relation snapshots
+    delete_relation_snapshot(
+        agent_id=agent_id,
+        tenant_id=tenant_id,
+        version_no=version_no,
+        deleted_by=user_id,
+    )
+
+    logger.info(f"Successfully deleted version {version_no} and all related snapshots for agent_id={agent_id}, tenant_id={tenant_id}")
+
+    return {"message": f"Version {version_no} deleted successfully"}
+
+
+def get_current_version_impl(
+    agent_id: int,
+    tenant_id: str,
+) -> dict:
+    """
+    Get current published version
+    """
+    current_version_no = query_current_version_no(agent_id, tenant_id)
+    if current_version_no is None:
+        raise ValueError("No published version")
+
+    version = search_version_by_version_no(agent_id, tenant_id, current_version_no)
+    if not version:
+        raise ValueError(f"Version {current_version_no} not found")
+
+    return {
+        "version_no": current_version_no,
+        "version_name": version.get('version_name'),
+        "status": version.get('status'),
+        "source_type": version.get('source_type'),
+        "source_version_no": version.get('source_version_no'),
+        "release_note": version.get('release_note'),
+        "created_by": version.get('created_by'),
+        "create_time": version.get('create_time'),
+    }
+
+
+def compare_versions_impl(
+    agent_id: int,
+    tenant_id: str,
+    version_no_a: int,
+    version_no_b: int,
+) -> dict:
+    """
+    Compare two versions and return their differences.
+    Returns detailed comparison data for both versions.
+    Handles version 0 as draft data.
+    """
+    # Get version A detail (handles version 0 as draft)
+    version_a = _get_version_detail_or_draft(agent_id, tenant_id, version_no_a)
+    # Get version B detail (handles version 0 as draft)
+    version_b = _get_version_detail_or_draft(agent_id, tenant_id, version_no_b)
+
+    # Calculate differences
+    differences = []
+
+    # Compare name
+    if version_a.get('name') != version_b.get('name'):
+        differences.append({
+            'field': 'name',
+            'label': 'Name',
+            'value_a': version_a.get('name'),
+            'value_b': version_b.get('name'),
+        })
+
+    # Compare model_name
+    if version_a.get('model_name') != version_b.get('model_name'):
+        differences.append({
+            'field': 'model_name',
+            'label': 'Model',
+            'value_a': version_a.get('model_name'),
+            'value_b': version_b.get('model_name'),
+        })
+
+    # Compare max_steps
+    if version_a.get('max_steps') != version_b.get('max_steps'):
+        differences.append({
+            'field': 'max_steps',
+            'label': 'Max Steps',
+            'value_a': version_a.get('max_steps'),
+            'value_b': version_b.get('max_steps'),
+        })
+
+    # Compare description
+    if version_a.get('description') != version_b.get('description'):
+        differences.append({
+            'field': 'description',
+            'label': 'Description',
+            'value_a': version_a.get('description'),
+            'value_b': version_b.get('description'),
+        })
+
+    # Compare duty_prompt
+    if version_a.get('duty_prompt') != version_b.get('duty_prompt'):
+        differences.append({
+            'field': 'duty_prompt',
+            'label': 'Duty Prompt',
+            'value_a': version_a.get('duty_prompt'),
+            'value_b': version_b.get('duty_prompt'),
+        })
+
+    # Compare tools count
+    tools_a_count = len(version_a.get('tools', []))
+    tools_b_count = len(version_b.get('tools', []))
+    if tools_a_count != tools_b_count:
+        differences.append({
+            'field': 'tools_count',
+            'label': 'Tools Count',
+            'value_a': tools_a_count,
+            'value_b': tools_b_count,
+        })
+
+    # Compare sub_agents count
+    sub_agents_a_count = len(version_a.get('sub_agent_id_list', []))
+    sub_agents_b_count = len(version_b.get('sub_agent_id_list', []))
+    if sub_agents_a_count != sub_agents_b_count:
+        differences.append({
+            'field': 'sub_agents_count',
+            'label': 'Sub Agents Count',
+            'value_a': sub_agents_a_count,
+            'value_b': sub_agents_b_count,
+        })
+
+    return {
+        'version_a': version_a,
+        'version_b': version_b,
+        'differences': differences,
+    }
+
+
+def _get_version_detail_or_draft(
+    agent_id: int,
+    tenant_id: str,
+    version_no: int,
+) -> dict:
+    """
+    Get version detail for published versions, or draft data for version 0.
+    Returns structured agent info similar to get_version_detail_impl.
+    """
+    result: Dict[str, Any] = {}
+
+    if version_no == 0:
+        # Get draft data for version 0
+        agent_draft, tools_draft, relations_draft = query_agent_draft(agent_id, tenant_id)
+        if not agent_draft:
+            raise ValueError(f"Draft version not found")
+
+        # Copy draft data
+        for key, value in agent_draft.items():
+            if key != 'current_version_no':
+                result[key] = value
+
+        result['tools'] = tools_draft
+        result['sub_agent_id_list'] = [r['selected_agent_id'] for r in relations_draft]
+        result['version'] = {
+            'version_name': 'Draft',
+            'version_status': 'DRAFT',
+            'release_note': '',
+            'source_type': 'DRAFT',
+            'source_version_no': 0,
+        }
+    else:
+        # Get published version detail
+        result = get_version_detail_impl(agent_id, tenant_id, version_no)
+
+    # Get model name from model_id
+    if result.get('model_id') is not None and result['model_id'] != 0:
+        model_info = get_model_by_model_id(result['model_id'])
+        result['model_name'] = model_info.get('display_name', None) if model_info else None
+    else:
+        result['model_name'] = None
+
+    # Get business logic model name
+    if result.get('business_logic_model_id') is not None and result['business_logic_model_id'] != 0:
+        business_logic_model_info = get_model_by_model_id(result['business_logic_model_id'])
+        result['business_logic_model_name'] = business_logic_model_info.get('display_name', None) if business_logic_model_info else None
+    else:
+        result['business_logic_model_name'] = None
+
+    # Convert group_ids string to list (only if it's not already a list)
+    group_ids = result.get('group_ids')
+    if group_ids is not None:
+        # If already a list, keep it as is; otherwise convert from string
+        if isinstance(group_ids, list):
+            result['group_ids'] = group_ids
+        else:
+            result['group_ids'] = convert_string_to_list(str(group_ids))
+    else:
+        result['group_ids'] = []
+
+    return result
+
+
+async def list_published_agents_impl(
+    tenant_id: str,
+    user_id: str,
+) -> list[dict]:
+    """
+    List all published agents with their current published version information.
+    1. Query all agents with version_no=0 (draft versions)
+    2. For each agent with current_version_no > 0, get the published version snapshot
+    3. Return the list of published agents
+
+    Args:
+        tenant_id (str): Tenant ID
+        user_id (str): User ID (for permission calculation and filtering)
+
+    Returns:
+        list[dict]: List of published agent info
+    """
+    try:
+        from database.agent_db import (
+            query_all_agent_info_by_tenant_id,
+        )
+        from services.agent_service import (
+            CAN_EDIT_ALL_USER_ROLES,
+            get_user_tenant_by_user_id,
+            query_group_ids_by_user,
+            PERMISSION_EDIT,
+            PERMISSION_READ,
+            get_model_by_model_id,
+            check_agent_availability,
+            _apply_duplicate_name_availability_rules,
+        )
+        from database.agent_version_db import query_agent_snapshot
+
+        # Get user role for permission check
+        user_tenant_record = get_user_tenant_by_user_id(user_id) or {}
+        user_role = str(user_tenant_record.get("user_role") or "").upper()
+        can_edit_all = user_role in CAN_EDIT_ALL_USER_ROLES
+
+        # Get user's group IDs for filtering
+        user_group_ids: set[int] = set()
+        if not can_edit_all:
+            try:
+                user_group_ids = set(query_group_ids_by_user(user_id) or [])
+            except Exception as e:
+                logger.warning(
+                    f"Failed to query user group ids for filtering: user_id={user_id}, err={str(e)}"
+                )
+                user_group_ids = set()
+
+        # Get all draft agents (version_no=0)
+        agent_list = query_all_agent_info_by_tenant_id(tenant_id=tenant_id)
+
+        model_cache: Dict[int, Optional[dict]] = {}
+        enriched_agents: list[dict] = []
+
+        for agent in agent_list:
+            # Filter out disabled agents
+            if not agent.get("enabled"):
+                continue
+
+            # Apply visibility filter for DEV/USER based on group overlap
+            if not can_edit_all:
+                agent_group_ids = set(convert_string_to_list(agent.get("group_ids")))
+                if len(user_group_ids.intersection(agent_group_ids)) == 0:
+                    continue
+
+            agent_id = agent.get("agent_id")
+            current_version_no = agent.get("current_version_no")
+
+            # Only include agents that have a published version (current_version_no > 0)
+            if not current_version_no or current_version_no <= 0:
+                continue
+
+            # Get the published version snapshot
+            agent_snapshot, tools_snapshot, relations_snapshot = query_agent_snapshot(
+                agent_id=agent_id,
+                tenant_id=tenant_id,
+                version_no=current_version_no,
+            )
+
+            if not agent_snapshot:
+                logger.warning(
+                    f"Published version snapshot not found for agent_id={agent_id}, version_no={current_version_no}"
+                )
+                continue
+
+            # Build the agent info from snapshot
+            agent_info: Dict[str, Any] = {}
+
+            # Copy all fields from snapshot (excluding current_version_no as it's not meaningful for version)
+            for key, value in agent_snapshot.items():
+                if key != 'current_version_no':
+                    agent_info[key] = value
+
+            # Add tools
+            agent_info['tools'] = tools_snapshot
+
+            # Extract sub_agent_id_list from relations
+            agent_info['sub_agent_id_list'] = [r['selected_agent_id'] for r in relations_snapshot]
+
+            # Add published version info
+            agent_info['published_version_no'] = current_version_no
+
+            # Check agent availability using the shared function
+            _, unavailable_reasons = check_agent_availability(
+                agent_id=agent_id,
+                tenant_id=tenant_id,
+                agent_info=agent_info,
+                model_cache=model_cache
+            )
+
+            # Preserve the raw data so we can adjust availability for duplicates
+            enriched_agents.append({
+                "raw_agent": agent_info,
+                "unavailable_reasons": unavailable_reasons,
+            })
+
+        # Handle duplicate name/display_name: keep the earliest created agent available,
+        # mark later ones as unavailable due to duplication.
+        _apply_duplicate_name_availability_rules(enriched_agents)
+
+        # Build the final simple agent list
+        simple_agent_list: list[dict] = []
+        for entry in enriched_agents:
+            agent = entry["raw_agent"]
+            unavailable_reasons = list(dict.fromkeys(entry["unavailable_reasons"]))
+
+            model_id = agent.get("model_id")
+            model_info = None
+            if model_id is not None:
+                if model_id not in model_cache:
+                    model_cache[model_id] = get_model_by_model_id(model_id, tenant_id)
+                model_info = model_cache.get(model_id)
+
+            permission = PERMISSION_EDIT if can_edit_all or str(agent.get("created_by")) == str(user_id) else PERMISSION_READ
+
+            simple_agent_list.append({
+                "agent_id": agent.get("agent_id"),
+                "name": agent.get("name") if agent.get("name") else agent.get("display_name"),
+                "display_name": agent.get("display_name") if agent.get("display_name") else agent.get("name"),
+                "description": agent.get("description"),
+                "author": agent.get("author"),
+                "model_id": model_id,
+                "model_name": model_info.get("model_name") if model_info is not None else agent.get("model_name"),
+                "model_display_name": model_info.get("display_name") if model_info is not None else None,
+                "is_available": len(unavailable_reasons) == 0,
+                "unavailable_reasons": unavailable_reasons,
+                "is_new": agent.get("is_new", False),
+                "group_ids": agent.get("group_ids", []),
+                "permission": permission,
+                "published_version_no": agent.get("published_version_no"),
+            })
+
+        return simple_agent_list
+
+    except Exception as e:
+        logger.error(f"Failed to list published agents: {str(e)}")
+        raise ValueError(f"Failed to list published agents: {str(e)}")
diff --git a/backend/services/datamate_service.py b/backend/services/datamate_service.py
index 314c410f2..776e0eb1d 100644
--- a/backend/services/datamate_service.py
+++ b/backend/services/datamate_service.py
@@ -5,7 +5,7 @@
 This service layer uses the DataMate SDK client to interact with DataMate APIs.
 """
 import logging
-from typing import Dict, List, Any
+from typing import Dict, List, Any, Optional
 import asyncio
 
 from consts.const import DATAMATE_URL
@@ -75,17 +75,26 @@ async def _create_datamate_knowledge_records(knowledge_base_ids: List[str],
     return created_records
 
 
-def _get_datamate_core(tenant_id: str) -> DataMateCore:
-    """Get DataMate core instance."""
-    datamate_url = tenant_config_manager.get_app_config(
+def _get_datamate_core(tenant_id: str, datamate_url: Optional[str] = None) -> DataMateCore:
+    """
+    Get DataMate core instance.
+
+    Args:
+        tenant_id: Tenant ID for configuration lookup
+        datamate_url: Optional DataMate server URL (for dynamic configuration)
+
+    Returns:
+        DataMateCore instance
+    """
+    datamate_server_url = datamate_url if datamate_url else tenant_config_manager.get_app_config(
         DATAMATE_URL, tenant_id=tenant_id)
-    if not datamate_url:
+    if not datamate_server_url:
         raise ValueError(f"DataMate URL not configured for tenant {tenant_id}")
 
     # For HTTPS URLs with self-signed certificates, disable SSL verification
-    verify_ssl = not datamate_url.startswith("https://")
+    verify_ssl = not datamate_server_url.startswith("https://")
 
-    return DataMateCore(base_url=datamate_url, verify_ssl=verify_ssl)
+    return DataMateCore(base_url=datamate_server_url, verify_ssl=verify_ssl)
 
 
 async def fetch_datamate_knowledge_base_file_list(knowledge_base_id: str, tenant_id: str) -> Dict[str, Any]:
@@ -121,32 +130,27 @@ async def fetch_datamate_knowledge_base_file_list(knowledge_base_id: str, tenant
             f"Failed to fetch file list for knowledge base {knowledge_base_id}: {str(e)}")
 
 
-async def sync_datamate_knowledge_bases_and_create_records(tenant_id: str, user_id: str) -> Dict[str, Any]:
+async def sync_datamate_knowledge_bases_and_create_records(
+    tenant_id: str,
+    user_id: str,
+    datamate_url: Optional[str] = None
+) -> Dict[str, Any]:
     """
     Sync all DataMate knowledge bases and create knowledge records in local database.
 
     Args:
         tenant_id: Tenant ID for creating knowledge records
         user_id: User ID for creating knowledge records
+        datamate_url: Optional DataMate server URL from request (for dynamic configuration)
 
     Returns:
         Dictionary containing knowledge bases list and created records.
     """
-    # Check if ModelEngine is enabled
-    if str(MODEL_ENGINE_ENABLED).lower() != "true":
-        logger.info(
-            f"ModelEngine is disabled (MODEL_ENGINE_ENABLED={MODEL_ENGINE_ENABLED}), skipping DataMate sync")
-        return {
-            "indices": [],
-            "count": 0,
-            "indices_info": [],
-            "created_records": []
-        }
-
-    # Verify DataMate URL is configured before proceeding
-    datamate_url = tenant_config_manager.get_app_config(
+    # Use provided datamate_url from request, fallback to tenant config
+    effective_datamate_url = datamate_url if datamate_url else tenant_config_manager.get_app_config(
         DATAMATE_URL, tenant_id=tenant_id)
-    if not datamate_url:
+
+    if not effective_datamate_url:
         logger.warning(
             f"DataMate URL not configured for tenant {tenant_id}, skipping sync")
         return {
@@ -157,13 +161,20 @@ async def sync_datamate_knowledge_bases_and_create_records(tenant_id: str, user_
         }
 
     logger.info(
-        f"Starting DataMate sync for tenant {tenant_id} using URL: {datamate_url}")
+        f"Starting DataMate sync for tenant {tenant_id} using URL: {effective_datamate_url}")
 
     try:
-        core = _get_datamate_core(tenant_id)
+        core = _get_datamate_core(tenant_id, effective_datamate_url)
+
+        # Run synchronous SDK calls in executor to avoid blocking event loop
+        loop = asyncio.get_event_loop()
+
+        # Step 1: Get knowledge base ids
+        knowledge_base_ids = await loop.run_in_executor(
+            None,
+            core.get_user_indices
+        )
 
-        # Step 1: Get knowledge base id
-        knowledge_base_ids = core.get_user_indices()
         if not knowledge_base_ids:
             return {
                 "indices": [],
@@ -171,8 +182,10 @@ async def sync_datamate_knowledge_bases_and_create_records(tenant_id: str, user_
             }
 
         # Step 2: Get detailed information for all knowledge bases
-        details, knowledge_base_names = core.get_indices_detail(
-            knowledge_base_ids)
+        details, knowledge_base_names = await loop.run_in_executor(
+            None,
+            lambda: core.get_indices_detail(knowledge_base_ids)
+        )
 
         response = {
             "indices": knowledge_base_names,
@@ -246,3 +259,67 @@ async def sync_datamate_knowledge_bases_and_create_records(tenant_id: str, user_
             "indices": [],
             "count": 0,
         }
+
+
+async def check_datamate_connection(
+    tenant_id: str,
+    datamate_url: Optional[str] = None
+) -> tuple:
+    """
+    Test connection to DataMate server.
+
+    Args:
+        tenant_id: Tenant ID for configuration lookup.
+        datamate_url: Optional DataMate server URL from request (for dynamic configuration).
+
+    Returns:
+        Tuple of (is_connected: bool, error_message: str).
+        is_connected is True if connection successful, False otherwise.
+        error_message contains error details if connection failed, empty string if successful.
+    """
+    # Check if ModelEngine is enabled
+    if str(MODEL_ENGINE_ENABLED).lower() != "true":
+        logger.info(
+            f"ModelEngine is disabled (MODEL_ENGINE_ENABLED={MODEL_ENGINE_ENABLED}), skipping DataMate connection test")
+        return (False, "ModelEngine is disabled")
+
+    # Use provided datamate_url from request, fallback to tenant config
+    effective_datamate_url = datamate_url if datamate_url else tenant_config_manager.get_app_config(
+        DATAMATE_URL, tenant_id=tenant_id)
+
+    if not effective_datamate_url:
+        logger.warning(
+            f"DataMate URL not configured for tenant {tenant_id}")
+        return (False, "DataMate URL not configured")
+
+    logger.info(
+        f"Testing DataMate connection for tenant {tenant_id} using URL: {effective_datamate_url}")
+
+    try:
+        core = _get_datamate_core(tenant_id, effective_datamate_url)
+
+        # Run synchronous SDK call in executor to avoid blocking event loop
+        loop = asyncio.get_event_loop()
+
+        # Test connection by fetching user indices
+        await loop.run_in_executor(
+            None,
+            core.get_user_indices
+        )
+
+        logger.info(
+            f"DataMate connection test successful for tenant {tenant_id}")
+        return (True, "")
+
+    except ValueError as e:
+        # Configuration error (e.g., missing DataMate URL)
+        error_msg = str(e)
+        logger.error(
+            f"DataMate connection test failed (configuration error) for tenant {tenant_id}: {error_msg}")
+        return (False, error_msg)
+
+    except Exception as e:
+        error_msg = str(e)
+        logger.error(
+            f"DataMate connection test failed for tenant {tenant_id}: {error_msg}")
+        return (False, error_msg)
diff --git a/backend/services/dify_service.py b/backend/services/dify_service.py
new file mode 100644
index 000000000..14e3a4d6f
--- /dev/null
+++ b/backend/services/dify_service.py
@@ -0,0 +1,171 @@
+"""
+Dify Service Layer
+Handles API calls to Dify for knowledge base operations.
+
+This service layer provides functionality to interact with Dify's API,
+including fetching datasets (knowledge bases) and transforming responses
+to DataMate-compatible format for frontend compatibility.
+"""
+import json
+import logging
+from typing import Any, Dict
+
+import httpx
+
+from nexent.utils.http_client_manager import http_client_manager
+
+logger = logging.getLogger("dify_service")
+
+
+def fetch_dify_datasets_impl(
+        dify_api_base: str,
+        api_key: str,
+) -> Dict[str, Any]:
+    """
+    Fetch datasets (knowledge bases) from Dify API and transform to DataMate-compatible format.
+
+    Args:
+        dify_api_base: Dify API base URL
+        api_key: Dify API key with Bearer token
+
+    Returns:
+        Dictionary containing knowledge bases in DataMate-compatible format:
+        {
+            "indices": ["dataset_id_1", "dataset_id_2", ...],
+            "count": 2,
+            "indices_info": [
+                {
+                    "name": "dataset_id_1",
+                    "display_name": "知识库名称",
+                    "stats": {
+                        "base_info": {
+                            "doc_count": 10,
+                            "chunk_count": 100,
+                            "store_size": "",
+                            "process_source": "Dify",
+                            "embedding_model": "",
+                            "embedding_dim": 0,
+                            "creation_date": timestamp,
+                            "update_date": timestamp
+                        },
+                        "search_performance": {
+                            "total_search_count": 0,
+                            "hit_count": 0
+                        }
+                    }
+                },
+                ...
+            ],
+            "pagination": {
+                "embedding_available": False
+            }
+        }
+
+    Raises:
+        ValueError: If invalid parameters provided
+        Exception: If API request fails
+    """
+    # Validate inputs
+    if not dify_api_base or not isinstance(dify_api_base, str):
+        raise ValueError(
+            "dify_api_base is required and must be a non-empty string")
+
+    if not api_key or not isinstance(api_key, str):
+        raise ValueError("api_key is required and must be a non-empty string")
+
+    # Normalize API base URL
+    api_base = dify_api_base.rstrip("/")
+
+    # Remove /v1 suffix if present to avoid URL duplication
+    # E.g., "https://api.dify.ai/v1" -> "https://api.dify.ai"
+    if api_base.endswith("/v1"):
+        api_base = api_base[:-3]
+
+    # Build request URL with pagination
+    url = f"{api_base}/v1/datasets"
+
+    headers = {
+        "Authorization": f"Bearer {api_key}",
+        "Content-Type": "application/json"
+    }
+
+    logger.info(f"Fetching Dify datasets from: {url}")
+
+    try:
+        # Use shared HttpClientManager for connection pooling
+        client = http_client_manager.get_sync_client(
+            base_url=api_base,
+            timeout=30.0,
+            verify_ssl=False
+        )
+        response = client.get(url, headers=headers)
+        response.raise_for_status()
+
+        result = response.json()
+
+        # Parse Dify API response
+        datasets_data = result.get("data", [])
+
+        # Transform to DataMate-compatible format
+        indices = []
+        indices_info = []
+        embedding_available = False  # Default value if no datasets or all skipped
+
+        for dataset in datasets_data:
+            dataset_id = dataset.get("id", "")
+            dataset_name = dataset.get("name", "")
+            document_count = dataset.get("document_count", 0)
+            created_at = dataset.get("created_at", 0)
+            updated_at = dataset.get("updated_at", 0)
+            embedding_available = dataset.get("embedding_available", False)
+
+            if not dataset_id:
+                continue
+
+            indices.append(dataset_id)
+
+            # Create indices_info entry (compatible with DataMate format)
+            indices_info.append({
+                "name": dataset_id,
+                "display_name": dataset_name,
+                "stats": {
+                    "base_info": {
+                        "doc_count": document_count,
+                        "chunk_count": 0,  # Dify doesn't provide chunk count directly
+                        "store_size": "",
+                        "process_source": "Dify",
+                        "embedding_model": dataset.get("embedding_model", ""),
+                        "embedding_dim": 0,
+                        "creation_date": created_at * 1000 if created_at else 0,  # Convert to milliseconds
+                        "update_date": updated_at * 1000 if updated_at else 0
+                    },
+                    "search_performance": {
+                        "total_search_count": 0,
+                        "hit_count": 0
+                    }
+                }
+            })
+
+        return {
+            "indices": indices,
+            "count": len(indices),
+            "indices_info": indices_info,
+            "pagination": {
+                "embedding_available": embedding_available
+            }
+        }
+
+    except httpx.RequestError as e:
+        logger.error(f"Dify API request failed: {str(e)}")
+        raise Exception(f"Dify API request failed: {str(e)}")
+    except httpx.HTTPStatusError as e:
+        logger.error(f"Dify API HTTP error: {str(e)}")
+        raise Exception(f"Dify API HTTP error: {str(e)}")
+    except json.JSONDecodeError as e:
+        logger.error(f"Failed to parse Dify API response: {str(e)}")
+        raise Exception(f"Failed to parse Dify API response: {str(e)}")
+    except KeyError as e:
+        logger.error(
+            f"Unexpected Dify API response format: missing key {str(e)}")
+        raise Exception(
+            f"Unexpected Dify API response format: missing key {str(e)}")
diff --git a/backend/services/group_service.py b/backend/services/group_service.py
index 7a3951618..a8c0c585d 100644
--- a/backend/services/group_service.py
+++ b/backend/services/group_service.py
@@ -16,7 +16,8 @@
     query_groups_by_user,
     query_group_ids_by_user,
     check_user_in_group,
-    count_group_users
+    count_group_users,
+    check_group_name_exists
 )
 from database.user_tenant_db import get_user_tenant_by_user_id
 from database.tenant_config_db import get_single_config_info, insert_config, update_config_by_tenant_config_id
@@ -207,6 +208,7 @@ def create_group(tenant_id: str, group_name: str, group_description: Optional[st
     Raises:
         NotFoundException: When user not found
         UnauthorizedError: When user doesn't have permission
+        ValidationError: When group name already exists in the tenant
     """
     # Check user permission
     if user_id:
@@ -218,6 +220,10 @@ def create_group(tenant_id: str, group_name: str, group_description: Optional[st
         if user_role not in ["SU", "ADMIN"]:
             raise UnauthorizedError(f"User role {user_role} not authorized to create groups")
 
+    # Check if group name already exists in the tenant
+    if check_group_name_exists(tenant_id, group_name):
+        raise ValidationError(f"Group name '{group_name}' already exists in this tenant")
+
     # Create group
     group_id = add_group(
         tenant_id=tenant_id,
@@ -250,6 +256,7 @@ def update_group(group_id: int, updates: Dict[str, Any], user_id: str) -> bool:
     Raises:
         NotFoundException: When user or group not found
         UnauthorizedError: When user doesn't have permission
+        ValidationError: When group name already exists in the tenant
     """
     # Check user permission
     user_info = get_user_tenant_by_user_id(user_id)
@@ -265,6 +272,13 @@ def update_group(group_id: int, updates: Dict[str, Any], user_id: str) -> bool:
     if not group:
         raise NotFoundException(f"Group {group_id} not found")
 
+    tenant_id = group.get("tenant_id")
+
+    # Check if new group name already exists in the tenant (when updating group_name)
+    if "group_name" in updates and updates["group_name"]:
+        if check_group_name_exists(tenant_id, updates["group_name"], exclude_group_id=group_id):
+            raise ValidationError(f"Group name '{updates['group_name']}' already exists in this tenant")
+
     # Update group
     success = modify_group(
         group_id=group_id,
@@ -281,7 +295,6 @@ def update_group(group_id: int, updates: Dict[str, Any], user_id: str) -> bool:
 def delete_group(group_id: int, user_id: str) -> bool:
     """
     Delete group.
-    TODO: Clear user-group relationship, knowledgebases, agents, invitation codes under the group
 
     Args:
         group_id (int): Group ID
diff --git a/backend/services/invitation_service.py b/backend/services/invitation_service.py
index 13add6dd2..58a45d369 100644
--- a/backend/services/invitation_service.py
+++ b/backend/services/invitation_service.py
@@ -19,7 +19,7 @@
 )
 from database.user_tenant_db import get_user_tenant_by_user_id
 from database.group_db import query_group_ids_by_user
-from consts.exceptions import NotFoundException, UnauthorizedError
+from consts.exceptions import NotFoundException, UnauthorizedError, DuplicateError
 from services.group_service import get_tenant_default_group_id
 from utils.str_utils import convert_string_to_list
 
@@ -93,6 +93,10 @@ def create_invitation_code(
         # Change to upper case by default
         invitation_code = invitation_code.upper()
 
+    # Check if invitation code already exists
+    if query_invitation_by_code(invitation_code):
+        raise DuplicateError(f"Invitation code '{invitation_code}' already exists")
+
     # Create invitation (status will be set automatically)
     invitation_id = add_invitation(
         tenant_id=tenant_id,
@@ -298,7 +302,8 @@ def _calculate_current_status(invitation_data: Dict[str, Any]) -> Dict[str, Any]
             else:
                 expiry_datetime = datetime.fromisoformat(
                     str(expiry_date).replace('Z', '+00:00'))
-            if current_time > expiry_datetime:
+            # Treat same date as not expired - only expire when current date is strictly after expiry date
+            if current_time.date() > expiry_datetime.date():
                 new_status = "EXPIRE"
         except (ValueError, AttributeError, TypeError):
             logger.warning(f"Invalid expiry_date format for invitation {invitation_id}: {expiry_date}")
@@ -417,7 +422,8 @@ def update_invitation_code_status(invitation_id: int) -> bool:
             else:
                 expiry_datetime = datetime.fromisoformat(
                     str(expiry_date).replace('Z', '+00:00'))
-            if current_time > expiry_datetime:
+            # Treat same date as not expired - only expire when current date is strictly after expiry date
+            if current_time.date() > expiry_datetime.date():
                 new_status = "EXPIRE"
         except (ValueError, AttributeError, TypeError):
             logger.warning(f"Invalid expiry_date format for invitation {invitation_id}: {expiry_date}")
diff --git a/backend/services/model_management_service.py b/backend/services/model_management_service.py
index dc38026d8..4b8265028 100644
--- a/backend/services/model_management_service.py
+++ b/backend/services/model_management_service.py
@@ -1,5 +1,5 @@
 import logging
-from typing import List, Dict, Any
+from typing import List, Dict, Any, Optional
 
 from consts.const import LOCALHOST_IP, LOCALHOST_NAME, DOCKER_INTERNAL_HOST
 from consts.model import ModelConnectStatusEnum
@@ -398,5 +398,84 @@ async def list_llm_models_for_tenant(tenant_id: str):
         raise Exception(f"Failed to retrieve model list: {str(e)}")
 
 
+async def list_models_for_admin(
+    tenant_id: str,
+    model_type: Optional[str] = None,
+    page: int = 1,
+    page_size: int = 20
+) -> Dict[str, Any]:
+    """Get models for a specified tenant (admin operation) with pagination.
+
+    Args:
+        tenant_id: Target tenant ID to query models for
+        model_type: Optional model type filter (e.g., 'llm', 'embedding')
+        page: Page number for pagination (1-indexed)
+        page_size: Number of items per page
+
+    Returns:
+        Dict containing tenant_id, tenant_name, paginated models list, and pagination info
+    """
+    try:
+        # Build filters
+        filters = None
+        if model_type:
+            filters = {"model_type": model_type}
+
+        # Get model records for the specified tenant
+        records = get_model_records(filters, tenant_id)
+
+        # Type mapping for backwards compatibility
+        type_map = {
+            "chat": "llm",
+        }
+
+        # Normalize model records
+        normalized_models: List[Dict[str, Any]] = []
+        for record in records:
+            record["model_name"] = add_repo_to_name(
+                model_repo=record["model_repo"],
+                model_name=record["model_name"],
+            )
+            record["connect_status"] = ModelConnectStatusEnum.get_value(
+                record.get("connect_status"))
+
+            # Map model_type if necessary
+            if record.get("model_type") in type_map:
+                record["model_type"] = type_map[record["model_type"]]
+
+            normalized_models.append(record)
+
+        # Calculate pagination
+        total = len(normalized_models)
+        total_pages = (total + page_size - 1) // page_size if page_size > 0 else 0
+        start_index = (page - 1) * page_size
+        end_index = start_index + page_size
+        paginated_models = normalized_models[start_index:end_index]
+
+        # Get tenant name
+        from services.tenant_service import get_tenant_info
+        try:
+            tenant_info = get_tenant_info(tenant_id)
+            tenant_name = tenant_info.get("tenant_name", "")
+        except Exception:
+            tenant_name = ""
+
+        result = {
+            "tenant_id": tenant_id,
+            "tenant_name": tenant_name,
+            "models": paginated_models,
+            "total": total,
+            "page": page,
+            "page_size": page_size,
+            "total_pages": total_pages
+        }
+
+        logging.debug(f"Successfully retrieved admin model list for tenant: {tenant_id}, page: {page}, page_size: {page_size}")
+        return result
+    except Exception as e:
+        logging.error(f"Failed to retrieve admin model list: {str(e)}")
+        raise Exception(f"Failed to retrieve admin model list: {str(e)}")
+
+
 
 
diff --git a/backend/services/model_provider_service.py b/backend/services/model_provider_service.py
index 3e67a804f..a302eb999 100644
--- a/backend/services/model_provider_service.py
+++ b/backend/services/model_provider_service.py
@@ -1,144 +1,52 @@
 import logging
-from abc import ABC, abstractmethod
-from typing import Dict, List
-
-import httpx
-import aiohttp
+from typing import List
 
 from consts.const import (
-    DEFAULT_LLM_MAX_TOKENS,
     DEFAULT_EXPECTED_CHUNK_SIZE,
     DEFAULT_MAXIMUM_CHUNK_SIZE,
 )
 from consts.model import ModelConnectStatusEnum, ModelRequest
-from consts.provider import SILICON_GET_URL, ProviderEnum
+from consts.provider import ProviderEnum
 from database.model_management_db import get_models_by_tenant_factory_type
 from services.model_health_service import embedding_dimension_check
+from services.providers.base import AbstractModelProvider
+from services.providers.silicon_provider import SiliconModelProvider
+from services.providers.modelengine_provider import ModelEngineProvider, get_model_engine_raw_url, MODEL_ENGINE_NORTH_PREFIX
 from utils.model_name_utils import split_repo_name, add_repo_to_name
 
-logger = logging.getLogger("model_provider_service")
-
-MODEL_ENGINE_NORTH_PREFIX = "open/router/v1"
-
-class AbstractModelProvider(ABC):
-    """Common interface that all model provider integrations must implement."""
-
-    @abstractmethod
-    async def get_models(self, provider_config: Dict) -> List[Dict]:
-        """Return a list of models provided by the concrete provider."""
-        raise NotImplementedError
-
-
-class SiliconModelProvider(AbstractModelProvider):
-    """Concrete implementation for SiliconFlow provider."""
-
-    async def get_models(self, provider_config: Dict) -> List[Dict]:
-        try:
-            model_type: str = provider_config["model_type"]
-            model_api_key: str = provider_config["api_key"]
-
-            headers = {"Authorization": f"Bearer {model_api_key}"}
-
-            # Choose endpoint by model type
-            if model_type in ("llm", "vlm"):
-                silicon_url = f"{SILICON_GET_URL}?sub_type=chat"
-            elif model_type in ("embedding", "multi_embedding"):
-                silicon_url = f"{SILICON_GET_URL}?sub_type=embedding"
-            else:
-                silicon_url = SILICON_GET_URL
-
-            async with httpx.AsyncClient(verify=False) as client:
-                response = await client.get(silicon_url, headers=headers)
-                response.raise_for_status()
-                model_list: List[Dict] = response.json()["data"]
-
-            # Annotate models with canonical fields expected downstream
-            if model_type in ("llm", "vlm"):
-                for item in model_list:
-                    item["model_tag"] = "chat"
-                    item["model_type"] = model_type
-                    item["max_tokens"] = DEFAULT_LLM_MAX_TOKENS
-            elif model_type in ("embedding", "multi_embedding"):
-                for item in model_list:
-                    item["model_tag"] = "embedding"
-                    item["model_type"] = model_type
-
-            return model_list
-        except Exception as e:
-            logger.error(f"Error getting models from silicon: {e}")
-            return []
-
-
-class ModelEngineProvider(AbstractModelProvider):
-    """Concrete implementation for ModelEngine provider."""
-
-    async def get_models(self, provider_config: Dict) -> List[Dict]:
-        """
-        Fetch models from ModelEngine API.
-
-        Args:
-            provider_config: Configuration dict containing model_type
-
-        Returns:
-            List of models with canonical fields
-        """
-        try:
-            model_type: str = provider_config.get("model_type", "")
-            host = provider_config.get("base_url")
-            api_key = provider_config.get("api_key")
-            model_engine_url = get_model_engine_raw_url(host)
-            if not host or not api_key:
-                logger.warning("ModelEngine host or api key not configured")
-                return []
-
-            headers = {"Authorization": f"Bearer {api_key}"}
-
-            async with aiohttp.ClientSession(
-                timeout=aiohttp.ClientTimeout(total=30),
-                connector=aiohttp.TCPConnector(ssl=False)
-            ) as session:
-                async with session.get(
-                    f"{model_engine_url.rstrip('/')}/{MODEL_ENGINE_NORTH_PREFIX}/models",
-                    headers=headers
-                ) as response:
-                    response.raise_for_status()
-                    data = await response.json()
-                    all_models = data.get("data", [])
-
-            # Type mapping from ModelEngine to internal types
-            type_map = {
-                "embed": "embedding",
-                "chat": "llm",
-                "asr": "stt",
-                "tts": "tts",
-                "rerank": "rerank",
-                "multimodal": "vlm",
-            }
-
-            # Filter models by type if specified
-            filtered_models = []
-            for model in all_models:
-                me_type = model.get("type", "")
-                internal_type = type_map.get(me_type)
-
-                # If model_type filter is provided, only include matching models
-                if model_type and internal_type != model_type:
-                    continue
-
-                if internal_type:
-                    filtered_models.append({
-                        "id": model.get("id", ""),
-                        "model_type": internal_type,
-                        "model_tag": me_type,
-                        "max_tokens": DEFAULT_LLM_MAX_TOKENS if internal_type in ("llm", "vlm") else 0,
-                        "base_url": host,
-                        "api_key": api_key,
-                    })
-
-            return filtered_models
-        except Exception as e:
-            logger.error(f"Error getting models from ModelEngine: {e}")
-            return []
+logger = logging.getLogger("model_provider")
+
+
+# =============================================================================
+# Provider Factory and Public API
+# =============================================================================
+
+
+async def get_provider_models(model_data: dict) -> List[dict]:
+    """
+    Get model list based on provider.
+
+    Args:
+        model_data: Model data containing provider information
+
+    Returns:
+        List of models from the specified provider
+    """
+    model_list = []
+
+    if model_data["provider"] == ProviderEnum.SILICON.value:
+        provider = SiliconModelProvider()
+        model_list = await provider.get_models(model_data)
+    elif model_data["provider"] == ProviderEnum.MODELENGINE.value:
+        provider = ModelEngineProvider()
+        model_list = await provider.get_models(model_data)
+
+    return model_list
+
+
+# =============================================================================
+# Model Dictionary Preparation
+# =============================================================================
 
 
 async def prepare_model_dict(provider: str, model: dict, model_url: str, model_api_key: str) -> dict:
@@ -157,7 +65,6 @@ async def prepare_model_dict(provider: str, model: dict, model_url: str, model_a
     Returns:
         A dictionary ready to be passed to *create_model_record*.
     """
-
     # Split repo/name once so it can be reused multiple times.
     model_repo, model_name = split_repo_name(model["id"])
     model_display_name = add_repo_to_name(model_repo, model_name)
@@ -169,8 +76,10 @@ async def prepare_model_dict(provider: str, model: dict, model_url: str, model_a
 
     # For embedding models, apply default values when chunk sizes are null
     if model["model_type"] in ["embedding", "multi_embedding"]:
-        expected_chunk_size = model.get("expected_chunk_size", DEFAULT_EXPECTED_CHUNK_SIZE)
-        maximum_chunk_size = model.get("maximum_chunk_size", DEFAULT_MAXIMUM_CHUNK_SIZE)
+        expected_chunk_size = model.get(
+            "expected_chunk_size", DEFAULT_EXPECTED_CHUNK_SIZE)
+        maximum_chunk_size = model.get(
+            "maximum_chunk_size", DEFAULT_MAXIMUM_CHUNK_SIZE)
         chunk_batch = model.get("chunk_batch", 10)
 
     # For ModelEngine provider, extract the host from model's base_url
@@ -234,7 +143,7 @@ async def prepare_model_dict(provider: str, model: dict, model_url: str, model_a
 
 def merge_existing_model_tokens(model_list: List[dict], tenant_id: str, provider: str, model_type: str) -> List[dict]:
     """
-    Merge existing model's max_tokens attribute into the model list
+    Merge existing model's max_tokens attribute into the model list.
 
     Args:
         model_list: List of models
@@ -270,31 +179,13 @@ def merge_existing_model_tokens(model_list: List[dict], tenant_id: str, provider
     return model_list
 
 
-async def get_provider_models(model_data: dict) -> List[dict]:
-    """
-    Get model list based on provider
-
-    Args:
-        model_data: Model data containing provider information
-
-    Returns:
-        List[dict]: Model list
-    """
-    model_list = []
-
-    if model_data["provider"] == ProviderEnum.SILICON.value:
-        provider = SiliconModelProvider()
-        model_list = await provider.get_models(model_data)
-    elif model_data["provider"] == ProviderEnum.MODELENGINE.value:
-        provider = ModelEngineProvider()
-        model_list = await provider.get_models(model_data)
-
-    return model_list
-
-def get_model_engine_raw_url(model_engine_url: str) -> str:
-    # Strip any existing path to get just the host
-    model_engine_raw_url = model_engine_url
-    if model_engine_url:
-        # Remove any trailing /open/router/v1 or similar paths to get base host
-        model_engine_raw_url = model_engine_url.split("/open/")[0] if "/open/" in model_engine_url else model_engine_url
-    return model_engine_raw_url
+# Re-export provider classes for backward compatibility
+__all__ = [
+    "AbstractModelProvider",
+    "SiliconModelProvider",
+    "ModelEngineProvider",
+    "prepare_model_dict",
+    "merge_existing_model_tokens",
+    "get_provider_models",
+    "get_model_engine_raw_url",
+]
diff --git a/backend/services/prompt_service.py b/backend/services/prompt_service.py
index f1eb16e03..a505f28f4 100644
--- a/backend/services/prompt_service.py
+++ b/backend/services/prompt_service.py
@@ -198,23 +198,6 @@ def generate_and_save_system_prompt_impl(agent_id: int,
     else:
         logger.info(
             "Updating agent with business_description and prompt segments")
-
-        agent_info = AgentInfoRequest(
-            agent_id=agent_id,
-            business_description=task_description,
-            duty_prompt=final_results["duty"],
-            constraint_prompt=final_results["constraint"],
-            few_shots_prompt=final_results["few_shots"],
-            name=final_results["agent_var_name"],
-            display_name=final_results["agent_display_name"],
-            description=final_results["agent_description"]
-        )
-        update_agent(
-            agent_id=agent_id,
-            agent_info=agent_info,
-            tenant_id=tenant_id,
-            user_id=user_id
-        )
         logger.info("Prompt generation and agent update completed successfully")
 
 
diff --git a/backend/services/providers/__init__.py b/backend/services/providers/__init__.py
new file mode 100644
index 000000000..9478043c2
--- /dev/null
+++ b/backend/services/providers/__init__.py
@@ -0,0 +1,11 @@
+# Provider exports
+from services.providers.base import AbstractModelProvider
+from services.providers.silicon_provider import SiliconModelProvider
+from services.providers.modelengine_provider import ModelEngineProvider, get_model_engine_raw_url
+
+__all__ = [
+    "AbstractModelProvider",
+    "SiliconModelProvider",
+    "ModelEngineProvider",
+    "get_model_engine_raw_url",
+]
diff --git a/backend/services/providers/base.py b/backend/services/providers/base.py
new file mode 100644
index 000000000..4756bf6ad
--- /dev/null
+++ b/backend/services/providers/base.py
@@ -0,0 +1,150 @@
+import logging
+from abc import ABC, abstractmethod
+from typing import Dict, List
+
+import aiohttp
+
+logger = logging.getLogger("model_provider")
+
+
+# =============================================================================
+# Provider Error Handling Utilities
+# =============================================================================
+
+
+def _create_error_response(error_code: str, message: str, http_code: int = None) -> List[Dict]:
+    """
+    Create a standardized error response for provider API failures.
+
+    Args:
+        error_code: Machine-readable error code (e.g., 'authentication_failed')
+        message: Human-readable error message
+        http_code: HTTP status code if available
+
+    Returns:
+        List containing a single error dict with standardized format
+    """
+    error_dict = {"_error": error_code, "_message": message}
+    if http_code:
+        error_dict["_http_code"] = http_code
+    return [error_dict]
+
+
+def _classify_provider_error(
+        provider_name: str,
+        status_code: int = None,
+        error_message: str = None,
+        exception: Exception = None
+) -> List[Dict]:
+    """
+    Classify provider errors and return standardized error response.
+
+    This function centralizes error classification logic for all model providers,
+    ensuring consistent error codes and messages across different providers.
+
+    Args:
+        provider_name: Name of the provider (for logging and messages)
+        status_code: HTTP status code if available
+        error_message: Error message from API if available
+        exception: Exception object if available
+
+    Returns:
+        List containing a single error dict with standardized format
+    """
+    # Classify by HTTP status code
+    if status_code:
+        if status_code == 401:
+            logger.error(
+                f"{provider_name} API authentication failed: Invalid API key")
+            return _create_error_response(
+                "authentication_failed",
+                "Invalid API key or authentication failed",
+                status_code
+            )
+        elif status_code == 403:
+            logger.error(
+                f"{provider_name} API access forbidden: Insufficient permissions")
+            return _create_error_response(
+                "access_forbidden",
+                "Access forbidden. Please check your permissions",
+                status_code
+            )
+        elif status_code == 404:
+            logger.error(
+                f"{provider_name} API endpoint not found: URL may be incorrect")
+            return _create_error_response(
+                "endpoint_not_found",
+                "API endpoint not found. Please verify the URL",
+                status_code
+            )
+        elif status_code >= 500:
+            logger.error(f"{provider_name} server error: HTTP {status_code}")
+            return _create_error_response(
+                "server_error",
+                f"Server error (HTTP {status_code})",
+                status_code
+            )
+        elif status_code >= 400:
+            logger.error(
+                f"{provider_name} API error (HTTP {status_code}): {error_message}")
+            return _create_error_response(
+                "api_error",
+                f"API error (HTTP {status_code})",
+                status_code
+            )
+
+    # Classify by exception type
+    if exception:
+        # aiohttp exceptions
+        if isinstance(exception, aiohttp.ClientConnectorError):
+            error_str = str(exception).lower()
+            if "certificate" in error_str or "ssl" in error_str:
+                logger.error(
+                    f"{provider_name} SSL certificate error: {exception}")
+                return _create_error_response(
+                    "ssl_error",
+                    "SSL certificate error. Please check the URL and SSL configuration"
+                )
+            else:
+                logger.error(f"{provider_name} connection failed: {exception}")
+                return _create_error_response(
+                    "connection_failed",
+                    f"Failed to connect to {provider_name}. Please check the URL and network connection"
+                )
+        elif isinstance(exception, aiohttp.ServerTimeoutError):
+            logger.error(f"{provider_name} server timeout: {exception}")
+            return _create_error_response(
+                "timeout",
+                "Connection timed out. Please check the URL and network connection"
+            )
+        elif isinstance(exception, aiohttp.ServerDisconnectedError):
+            logger.error(f"{provider_name} server disconnected: {exception}")
+            return _create_error_response(
+                "connection_failed",
+                f"Connection to {provider_name} was interrupted. Please try again"
+            )
+        elif isinstance(exception, aiohttp.ContentTypeError):
+            logger.error(
+                f"{provider_name} invalid response format: {exception}")
+            return _create_error_response(
+                "invalid_response",
+                "Invalid response from provider API"
+            )
+
+    # Generic connection error fallback
+    error_msg = error_message or str(
+        exception) if exception else "Unknown error"
+    logger.error(f"{provider_name} error: {error_msg}")
+    return _create_error_response(
+        "connection_failed",
+        f"Failed to connect to {provider_name}. Please check the URL and network connection"
+    )
+
+
+class AbstractModelProvider(ABC):
+    """Common interface that all model provider integrations must implement."""
+
+    @abstractmethod
+    async def get_models(self, provider_config: Dict) -> List[Dict]:
+        """Return a list of models provided by the concrete provider."""
+        raise NotImplementedError
diff --git a/backend/services/providers/modelengine_provider.py b/backend/services/providers/modelengine_provider.py
new file mode 100644
index 000000000..276f84378
--- /dev/null
+++ b/backend/services/providers/modelengine_provider.py
@@ -0,0 +1,110 @@
+import logging
+from typing import Dict, List
+
+import aiohttp
+
+from consts.const import DEFAULT_LLM_MAX_TOKENS
+from services.providers.base import AbstractModelProvider, _classify_provider_error
+
+logger = logging.getLogger("model_provider")
+
+MODEL_ENGINE_NORTH_PREFIX = "open/router/v1"
+
+
+def get_model_engine_raw_url(model_engine_url: str) -> str:
+    """
+    Extract the raw base URL from a ModelEngine URL by stripping any API paths.
+
+    Args:
+        model_engine_url: Full ModelEngine URL potentially containing API paths
+
+    Returns:
+        Base URL without trailing paths
+    """
+    if not model_engine_url:
+        return ""
+    # Remove any trailing /open/router/v1 or similar paths to get base host
+    raw_url = model_engine_url.split(
+        "/open/")[0] if "/open/" in model_engine_url else model_engine_url
+    # Remove trailing slash if present
+    return raw_url.rstrip('/')
+
+
+class ModelEngineProvider(AbstractModelProvider):
+    """Concrete implementation for ModelEngine provider."""
+
+    async def get_models(self, provider_config: Dict) -> List[Dict]:
+        """
+        Fetch models from ModelEngine API.
+
+        Args:
+            provider_config: Configuration dict containing model_type, base_url, and api_key
+
+        Returns:
+            List of models with canonical fields. Returns error dict if API call fails.
+        """
+        try:
+            model_type: str = provider_config.get("model_type", "")
+            host = provider_config.get("base_url")
+            api_key = provider_config.get("api_key")
+            model_engine_url = get_model_engine_raw_url(host)
+            if not host or not api_key:
+                logger.warning("ModelEngine host or api key not configured")
+                return []
+
+            headers = {"Authorization": f"Bearer {api_key}"}
+
+            async with aiohttp.ClientSession(
+                timeout=aiohttp.ClientTimeout(total=30),
+                connector=aiohttp.TCPConnector(ssl=False)
+            ) as session:
+                async with session.get(
+                    f"{model_engine_url.rstrip('/')}/{MODEL_ENGINE_NORTH_PREFIX}/models",
+                    headers=headers
+                ) as response:
+                    # Use centralized error classification
+                    if response.status >= 400:
+                        error_text = await response.text()
+                        return _classify_provider_error(
+                            "ModelEngine",
+                            status_code=response.status,
+                            error_message=error_text
+                        )
+
+                    data = await response.json()
+                    all_models = data.get("data", [])
+                    logger.info(
+                        f"ModelEngine API returned {len(all_models)} models")
+
+            # Type mapping from ModelEngine to internal types
+            type_map = {
+                "embed": "embedding",
+                "chat": "llm",
+                "asr": "stt",
+                "tts": "tts",
+                "rerank": "rerank",
+                "multimodal": "vlm",
+            }
+
+            filtered_models = []
+            for model in all_models:
+                me_type = model.get("type", "")
+                internal_type = type_map.get(me_type)
+
+                # If model_type filter is provided, only include matching models
+                if model_type and internal_type != model_type:
+                    continue
+
+                if internal_type:
+                    filtered_models.append({
+                        "id": model.get("id", ""),
+                        "model_type": internal_type,
+                        "model_tag": me_type,
+                        "max_tokens": DEFAULT_LLM_MAX_TOKENS if internal_type in ("llm", "vlm") else 0,
+                        "base_url": host,
+                        "api_key": api_key,
+                    })
+
+            return filtered_models
+        except Exception as e:
+            return _classify_provider_error("ModelEngine", exception=e)
diff --git a/backend/services/providers/silicon_provider.py b/backend/services/providers/silicon_provider.py
new file mode 100644
index 000000000..29de51fce
--- /dev/null
+++ b/backend/services/providers/silicon_provider.py
@@ -0,0 +1,58 @@
+import httpx
+from typing import Dict, List
+
+from consts.const import DEFAULT_LLM_MAX_TOKENS
+from consts.provider import SILICON_GET_URL
+from services.providers.base import AbstractModelProvider, _classify_provider_error
+
+
+class SiliconModelProvider(AbstractModelProvider):
+    """Concrete implementation for SiliconFlow provider."""
+
+    async def get_models(self, provider_config: Dict) -> List[Dict]:
+        """
+        Fetch models from SiliconFlow API.
+
+        Args:
+            provider_config: Configuration dict containing model_type and api_key
+
+        Returns:
+            List of models with canonical fields. Returns error dict if API call fails.
+        """
+        try:
+            model_type: str = provider_config["model_type"]
+            model_api_key: str = provider_config["api_key"]
+
+            headers = {"Authorization": f"Bearer {model_api_key}"}
+
+            # Choose endpoint by model type
+            if model_type in ("llm", "vlm"):
+                silicon_url = f"{SILICON_GET_URL}?sub_type=chat"
+            elif model_type in ("embedding", "multi_embedding"):
+                silicon_url = f"{SILICON_GET_URL}?sub_type=embedding"
+            else:
+                silicon_url = SILICON_GET_URL
+
+            async with httpx.AsyncClient(verify=False) as client:
+                response = await client.get(silicon_url, headers=headers)
+                response.raise_for_status()
+                model_list: List[Dict] = response.json()["data"]
+
+            # Annotate models with canonical fields expected downstream
+            if model_type in ("llm", "vlm"):
+                for item in model_list:
+                    item["model_tag"] = "chat"
+                    item["model_type"] = model_type
+                    item["max_tokens"] = DEFAULT_LLM_MAX_TOKENS
+            elif model_type in ("embedding", "multi_embedding"):
+                for item in model_list:
+                    item["model_tag"] = "embedding"
+                    item["model_type"] = model_type
+
+            # Return empty list to indicate successful API call but no models
+            if not model_list:
+                return []
+
+            return model_list
+        except (httpx.HTTPStatusError, httpx.ConnectTimeout, httpx.ConnectError, Exception) as e:
+            return _classify_provider_error("SiliconFlow", exception=e)
diff --git a/backend/services/remote_mcp_service.py b/backend/services/remote_mcp_service.py
index 543536e66..0c8e4576f 100644
--- a/backend/services/remote_mcp_service.py
+++ b/backend/services/remote_mcp_service.py
@@ -4,6 +4,7 @@
 
 from fastmcp import Client
 
+from consts.const import CAN_EDIT_ALL_USER_ROLES, PERMISSION_EDIT, PERMISSION_READ
 from consts.exceptions import MCPConnectionError, MCPNameIllegal
 from database.remote_mcp_db import (
     create_mcp_record,
@@ -14,6 +15,7 @@
     update_mcp_status_by_name_and_url,
     update_mcp_record_by_name_and_url,
 )
+from database.user_tenant_db import get_user_tenant_by_user_id
 from services.mcp_container_service import MCPContainerManager
 
 logger = logging.getLogger("remote_mcp_service")
@@ -122,19 +124,83 @@ async def update_remote_mcp_server_list(
     )
 
 
-async def get_remote_mcp_server_list(tenant_id: str):
+async def get_remote_mcp_server_list(tenant_id: str, user_id: str | None = None) -> list[dict]:
     mcp_records = get_mcp_records_by_tenant(tenant_id=tenant_id)
     mcp_records_list = []
+    can_edit_all = False
+    if user_id:
+        user_tenant_record = get_user_tenant_by_user_id(user_id) or {}
+        user_role = str(user_tenant_record.get("user_role") or "").upper()
+        can_edit_all = user_role in CAN_EDIT_ALL_USER_ROLES
 
     for record in mcp_records:
+        created_by = record.get("created_by") or record.get("user_id")
+        if user_id is None:
+            permission = PERMISSION_READ
+        else:
+            permission = PERMISSION_EDIT if can_edit_all or str(
+                created_by) == str(user_id) else PERMISSION_READ
+
         mcp_records_list.append({
             "remote_mcp_server_name": record["mcp_name"],
             "remote_mcp_server": record["mcp_server"],
-            "status": record["status"]
+            "status": record["status"],
+            "permission": permission,
         })
     return mcp_records_list
 
 
+def attach_mcp_container_permissions(
+    *,
+    containers: list[dict],
+    tenant_id: str,
+    user_id: str | None = None,
+) -> list[dict]:
+    """
+    Attach permission (EDIT/READ) to each MCP container entry.
+
+    Rules:
+    - If user's role is in CAN_EDIT_ALL_USER_ROLES => EDIT for all containers
+    - Otherwise => EDIT only if the container is associated with an MCP record created by this user
+    - If association cannot be determined => default to READ
+    """
+    if not containers:
+        return []
+    can_edit_all = False
+    if user_id:
+        user_tenant_record = get_user_tenant_by_user_id(user_id) or {}
+        user_role = str(user_tenant_record.get("user_role") or "").upper()
+        can_edit_all = user_role in CAN_EDIT_ALL_USER_ROLES
+
+    created_by_by_container_id: dict[str, str] = {}
+    try:
+        for record in get_mcp_records_by_tenant(tenant_id=tenant_id) or []:
+            cid = record.get("container_id")
+            if not cid:
+                continue
+            created_by_by_container_id[str(cid)] = str(
+                record.get("created_by") or record.get("user_id") or ""
+            )
+    except Exception as e:
+        logger.warning(f"Failed to load MCP records for permission mapping: {e}")
+
+    enriched: list[dict] = []
+    for container in containers:
+        container_id = str(container.get("container_id") or "")
+        created_by = created_by_by_container_id.get(container_id, "")
+
+        if user_id is None:
+            permission = PERMISSION_READ
+        else:
+            permission = PERMISSION_EDIT if can_edit_all or (
+                created_by and str(created_by) == str(user_id)
+            ) else PERMISSION_READ
+
+        enriched.append({**container, "permission": permission})
+
+    return enriched
+
+
 async def check_mcp_health_and_update_db(mcp_url, service_name, tenant_id, user_id):
     # check the health of the MCP server
     try:
diff --git a/backend/services/tenant_config_service.py b/backend/services/tenant_config_service.py
deleted file mode 100644
index c0e4d4afb..000000000
--- a/backend/services/tenant_config_service.py
+++ /dev/null
@@ -1,94 +0,0 @@
-import logging
-from typing import List, Optional
-
-from database.knowledge_db import get_knowledge_info_by_knowledge_ids, get_knowledge_ids_by_index_names
-from database.tenant_config_db import get_tenant_config_info, insert_config, delete_config_by_tenant_config_id
-
-logger = logging.getLogger("tenant_config_service")
-
-
-def get_selected_knowledge_list(tenant_id: str, user_id: str):
-    record_list = get_tenant_config_info(
-        tenant_id=tenant_id, user_id=user_id, select_key="selected_knowledge_id")
-    if len(record_list) == 0:
-        return []
-    knowledge_id_list = [record["config_value"] for record in record_list]
-    knowledge_info = get_knowledge_info_by_knowledge_ids(knowledge_id_list)
-    return knowledge_info
-
-
-def update_selected_knowledge(tenant_id: str, user_id: str, index_name_list: List[str], knowledge_sources: Optional[List[str]] = None):
-    # Validate that knowledge_sources length matches index_name_list if provided
-    if knowledge_sources and len(knowledge_sources) != len(index_name_list):
-        logger.error(
-            f"Knowledge sources length mismatch: sources={len(knowledge_sources)}, names={len(index_name_list)}")
-        return False
-
-    logger.info(
-        f"Updating knowledge list for tenant {tenant_id}, user {user_id}: "
-        f"names={index_name_list}, sources={knowledge_sources}")
-
-    knowledge_ids = get_knowledge_ids_by_index_names(index_name_list)
-    record_list = get_tenant_config_info(
-        tenant_id=tenant_id, user_id=user_id, select_key="selected_knowledge_id")
-    record_ids = [record["tenant_config_id"] for record in record_list]
-
-    # if knowledge_ids is not in record_list, insert the record of knowledge_ids
-    for knowledge_id in knowledge_ids:
-        if knowledge_id not in record_ids:
-            result = insert_config({
-                "user_id": user_id,
-                "tenant_id": tenant_id,
-                "config_key": "selected_knowledge_id",
-                "config_value": knowledge_id,
-                "value_type": "multi"
-            })
-            if not result:
-                logger.error(
-                    f"insert_config failed, tenant_id: {tenant_id}, user_id: {user_id}, knowledge_id: {knowledge_id}")
-                return False
-
-    # if record_list is not in knowledge_ids, delete the record of record_list
-    for record in record_list:
-        if record["config_value"] not in knowledge_ids:
-            result = delete_config_by_tenant_config_id(
-                record["tenant_config_id"])
-            if not result:
-                logger.error(
-                    f"delete_config_by_tenant_config_id failed, tenant_id: {tenant_id}, user_id: {user_id}, knowledge_id: {record['config_value']}")
-                return False
-
-    return True
-
-
-def delete_selected_knowledge_by_index_name(tenant_id: str, user_id: str, index_name: str):
-    knowledge_ids = get_knowledge_ids_by_index_names([index_name])
-    record_list = get_tenant_config_info(
-        tenant_id=tenant_id, user_id=user_id, select_key="selected_knowledge_id")
-
-    for record in record_list:
-        if record["config_value"] == str(knowledge_ids[0]):
-            result = delete_config_by_tenant_config_id(
-                record["tenant_config_id"])
-            if not result:
-                logger.error(
-                    f"delete_config_by_tenant_config_id failed, tenant_id: {tenant_id}, user_id: {user_id}, knowledge_id: {record['config_value']}")
-                return False
-
-    return True
-
-
-def build_knowledge_name_mapping(tenant_id: str, user_id: str):
-    """
-    Build mapping from user-facing knowledge_name to internal index_name for the selected knowledge bases.
-    Falls back to using index_name as key when knowledge_name is missing for backward compatibility.
-    """
-    knowledge_info_list = get_selected_knowledge_list(
-        tenant_id=tenant_id, user_id=user_id)
-    mapping = {}
-    for info in knowledge_info_list:
-        key = info.get("knowledge_name") or info.get("index_name")
-        value = info.get("index_name")
-        if key and value:
-            mapping[key] = value
-    return mapping
diff --git a/backend/services/tenant_service.py b/backend/services/tenant_service.py
index b58ffc8b2..0da209b76 100644
--- a/backend/services/tenant_service.py
+++ b/backend/services/tenant_service.py
@@ -23,19 +23,25 @@ def get_tenant_info(tenant_id: str) -> Dict[str, Any]:
     """
     Get tenant information by tenant ID
 
+    If TENANT_NAME config is missing, automatically create one with default name.
+
     Args:
         tenant_id (str): Tenant ID
 
     Returns:
         Dict[str, Any]: Tenant information
-
-    Raises:
-        NotFoundException: When tenant not found
     """
+    if not tenant_id:
+        return {}
+
     # Get tenant name
     name_config = get_single_config_info(tenant_id, TENANT_NAME)
     if not name_config:
-        logging.warning(f"The name of tenant {tenant_id} not found.")
+        logger.warning(f"The name of tenant {tenant_id} not found, creating default config.")
+        # Auto-create TENANT_NAME config with default name
+        _ensure_tenant_name_config(tenant_id)
+        # Re-fetch after creation
+        name_config = get_single_config_info(tenant_id, TENANT_NAME)
 
     group_config = get_single_config_info(tenant_id, DEFAULT_GROUP_ID)
 
@@ -48,6 +54,64 @@ def get_tenant_info(tenant_id: str) -> Dict[str, Any]:
     return tenant_info
 
 
+def _ensure_tenant_name_config(tenant_id: str) -> bool:
+    """
+    Ensure TENANT_NAME config exists for the tenant.
+    Creates a default name config if it doesn't exist.
+
+    Args:
+        tenant_id: Tenant ID
+
+    Returns:
+        bool: True if config exists or was created successfully, False otherwise
+    """
+    # Check if already exists (double-check in case of race condition)
+    existing = get_single_config_info(tenant_id, TENANT_NAME)
+    if existing:
+        return True
+
+    # Create default TENANT_NAME config
+    tenant_name_data = {
+        "tenant_id": tenant_id,
+        "config_key": TENANT_NAME,
+        "config_value": "Unnamed Tenant",
+        "created_by": "system_auto_create",
+        "updated_by": "system_auto_create"
+    }
+    success = insert_config(tenant_name_data)
+    if success:
+        logger.info(f"Auto-created TENANT_NAME config for tenant {tenant_id}")
+    else:
+        logger.error(f"Failed to auto-create TENANT_NAME config for tenant {tenant_id}")
+    return success
+
+
+def check_tenant_name_exists(tenant_name: str, exclude_tenant_id: Optional[str] = None) -> bool:
+    """
+    Check if a tenant with the given name already exists
+
+    Args:
+        tenant_name (str): Tenant name to check
+        exclude_tenant_id (Optional[str]): Tenant ID to exclude from check (for rename operations)
+
+    Returns:
+        bool: True if tenant name already exists, False otherwise
+    """
+    all_tenant_ids = get_all_tenant_ids()
+
+    for tid in all_tenant_ids:
+        # Skip if this is the tenant being updated
+        if exclude_tenant_id and tid == exclude_tenant_id:
+            continue
+
+        # Check if this tenant has the given name
+        name_config = get_single_config_info(tid, TENANT_NAME)
+        if name_config and name_config.get("config_value") == tenant_name:
+            return True
+
+    return False
+
+
 def get_all_tenants() -> List[Dict[str, Any]]:
     """
     Get all tenants
@@ -87,24 +151,19 @@ def create_tenant(tenant_name: str, created_by: Optional[str] = None) -> Dict[st
         Dict[str, Any]: Created tenant information
 
     Raises:
-        ValidationError: When tenant creation fails
+        ValidationError: When tenant creation fails or tenant name already exists
     """
     # Generate a random UUID for tenant_id
     tenant_id = str(uuid.uuid4())
 
-    # Check if tenant already exists (extremely unlikely with UUID, but good practice)
-    try:
-        existing_tenant = get_tenant_info(tenant_id)
-        if existing_tenant:
-            raise ValidationError(f"Tenant {tenant_id} already exists")
-    except NotFoundException:
-        # Tenant doesn't exist, which is what we want
-        pass
-
     # Validate tenant name
     if not tenant_name or not tenant_name.strip():
         raise ValidationError("Tenant name cannot be empty")
 
+    # Check if tenant name already exists
+    if check_tenant_name_exists(tenant_name.strip()):
+        raise ValidationError(f"Tenant with name '{tenant_name.strip()}' already exists")
+
     try:
         # Create default group first
         default_group_id = _create_default_group_for_tenant(tenant_id, created_by)
@@ -163,6 +222,8 @@ def update_tenant_info(tenant_id: str, tenant_name: str, updated_by: Optional[st
     """
     Update tenant information
 
+    If TENANT_NAME config doesn't exist, creates it with the provided name.
+
     Args:
         tenant_id (str): Tenant ID
         tenant_name (str): New tenant name
@@ -172,25 +233,39 @@ def update_tenant_info(tenant_id: str, tenant_name: str, updated_by: Optional[st
         Dict[str, Any]: Updated tenant information
 
     Raises:
-        NotFoundException: When tenant not found
-        ValidationError: When tenant name is invalid
+        ValidationError: When tenant name is invalid or update fails
     """
-    # Check if tenant exists and get current name config
-    name_config = get_single_config_info(tenant_id, TENANT_NAME)
-    if not name_config:
-        raise NotFoundException(f"Tenant {tenant_id} not found")
-
     # Validate tenant name
     if not tenant_name or not tenant_name.strip():
         raise ValidationError("Tenant name cannot be empty")
 
-    # Update tenant name
-    success = update_config_by_tenant_config_id(
-        name_config["tenant_config_id"],
-        tenant_name.strip()
-    )
-    if not success:
-        raise ValidationError("Failed to update tenant name")
+    # Check if tenant name already exists (exclude current tenant)
+    if check_tenant_name_exists(tenant_name.strip(), exclude_tenant_id=tenant_id):
+        raise ValidationError(f"Tenant with name '{tenant_name.strip()}' already exists")
+
+    # Check if tenant name config exists
+    name_config = get_single_config_info(tenant_id, TENANT_NAME)
+    if not name_config:
+        # Tenant config doesn't exist, create it with the provided name
+        logger.info(f"TENANT_NAME config not found for {tenant_id}, creating new config.")
+        tenant_name_data = {
+            "tenant_id": tenant_id,
+            "config_key": TENANT_NAME,
+            "config_value": tenant_name.strip(),
+            "created_by": updated_by,
+            "updated_by": updated_by
+        }
+        success = insert_config(tenant_name_data)
+        if not success:
+            raise ValidationError("Failed to create tenant name configuration")
+    else:
+        # Update existing config
+        success = update_config_by_tenant_config_id(
+            name_config["tenant_config_id"],
+            tenant_name.strip()
+        )
+        if not success:
+            raise ValidationError("Failed to update tenant name")
 
     # Return updated tenant information
     updated_tenant = get_tenant_info(tenant_id)
diff --git a/backend/services/tool_configuration_service.py b/backend/services/tool_configuration_service.py
index 9ee122757..588d2467e 100644
--- a/backend/services/tool_configuration_service.py
+++ b/backend/services/tool_configuration_service.py
@@ -1,4 +1,3 @@
-import asyncio
 import importlib
 import inspect
 import json
@@ -21,11 +20,10 @@
     query_tool_instances_by_id,
     update_tool_table_from_scan_tool_list,
     search_last_tool_instance_by_tool_id,
+    check_tool_list_initialized,
 )
 from services.file_management_service import get_llm_model
 from services.vectordatabase_service import get_embedding_model, get_vector_db_core
-from services.tenant_config_service import get_selected_knowledge_list, build_knowledge_name_mapping
-from database.knowledge_db import get_index_name_by_knowledge_name
 from database.client import minio_client
 from services.image_service import get_vlm_model
 
@@ -258,6 +256,8 @@ def update_tool_info_impl(tool_info: ToolInstanceInfoRequest, tenant_id: str, us
 
     Args:
         tool_info: ToolInstanceInfoRequest containing tool configuration data
+        tenant_id: Tenant ID
+        user_id: User ID
 
     Returns:
         Dictionary containing the updated tool instance
@@ -265,8 +265,10 @@ def update_tool_info_impl(tool_info: ToolInstanceInfoRequest, tenant_id: str, us
     Raises:
         ValueError: If database update fails
     """
+    # Use version_no from request if provided, otherwise default to 0
+    version_no = getattr(tool_info, 'version_no', 0)
     tool_instance = create_or_update_tool_by_tool_info(
-        tool_info, tenant_id, user_id)
+        tool_info, tenant_id, user_id, version_no=version_no)
     return {
         "tool_instance": tool_instance
     }
@@ -316,6 +318,28 @@ async def get_tool_from_remote_mcp_server(mcp_server_name: str, remote_mcp_serve
             f"failed to get tool from remote MCP server, detail: {e}")
 
 
+async def init_tool_list_for_tenant(tenant_id: str, user_id: str):
+    """
+    Initialize tool list for a new tenant.
+    This function scans and populates available tools from local, MCP, and LangChain sources.
+
+    Args:
+        tenant_id: Tenant ID for MCP tools (required for MCP tools)
+        user_id: User ID for tracking who initiated the scan
+
+    Returns:
+        Dictionary containing initialization result with tool count
+    """
+    # Check if tools have already been initialized for this tenant
+    if check_tool_list_initialized(tenant_id):
+        logger.info(f"Tool list already initialized for tenant {tenant_id}, skipping")
+        return {"status": "already_initialized", "message": "Tool list already exists"}
+
+    logger.info(f"Initializing tool list for new tenant: {tenant_id}")
+    await update_tool_list(tenant_id=tenant_id, user_id=user_id)
+    return {"status": "success", "message": "Tool list initialized successfully"}
+
+
 async def update_tool_list(tenant_id: str, user_id: str):
     """
         Scan and gather all available tools from both local and MCP sources
@@ -540,57 +564,14 @@ def _validate_local_tool(
                     instantiation_params[param_name] = param.default
 
         if tool_name == "knowledge_base_search":
-            if not tenant_id or not user_id:
-                raise ToolExecutionException(
-                    f"Tenant ID and User ID are required for {tool_name} validation")
-            knowledge_info_list = get_selected_knowledge_list(
-                tenant_id=tenant_id, user_id=user_id)
-            index_names = [knowledge_info.get("index_name") for knowledge_info in knowledge_info_list if knowledge_info.get(
-                'knowledge_sources') == 'elasticsearch']
-            name_resolver = build_knowledge_name_mapping(
-                tenant_id=tenant_id, user_id=user_id)
-
-            # Fallback: if user provided index_names in inputs, try to resolve them even when no selection stored
-            if (not index_names) and inputs and inputs.get("index_names"):
-                raw_names = inputs.get("index_names")
-                if isinstance(raw_names, str):
-                    raw_names = [raw_names]
-                resolved_indices = []
-                for raw in raw_names:
-                    try:
-                        resolved = get_index_name_by_knowledge_name(
-                            raw, tenant_id=tenant_id)
-                        name_resolver[raw] = resolved
-                        resolved_indices.append(resolved)
-                    except Exception:
-                        # If not found as knowledge_name, assume it's already an index_name
-                        resolved_indices.append(raw)
-                index_names = resolved_indices
-
             embedding_model = get_embedding_model(tenant_id=tenant_id)
             vdb_core = get_vector_db_core()
             params = {
                 **instantiation_params,
-                'index_names': index_names,
-                'name_resolver': name_resolver,
                 'vdb_core': vdb_core,
                 'embedding_model': embedding_model,
             }
             tool_instance = tool_class(**params)
-        elif tool_name == "datamate_search":
-            if not tenant_id or not user_id:
-                raise ToolExecutionException(
-                    f"Tenant ID and User ID are required for {tool_name} validation")
-            knowledge_info_list = get_selected_knowledge_list(
-                tenant_id=tenant_id, user_id=user_id)
-            index_names = [knowledge_info.get("index_name") for knowledge_info in knowledge_info_list if
-                           knowledge_info.get('knowledge_sources') == 'datamate']
-
-            params = {
-                **instantiation_params,
-                'index_names': index_names,
-            }
-            tool_instance = tool_class(**params)
         elif tool_name == "analyze_image":
             if not tenant_id or not user_id:
                 raise ToolExecutionException(
diff --git a/backend/services/user_management_service.py b/backend/services/user_management_service.py
index 8ba133fad..bb27ca13d 100644
--- a/backend/services/user_management_service.py
+++ b/backend/services/user_management_service.py
@@ -8,7 +8,6 @@
 
 from utils.auth_utils import (
     get_supabase_client,
-    get_supabase_admin_client,
     calculate_expires_at,
     get_jwt_expiry_seconds,
 )
@@ -16,16 +15,14 @@
 from consts.exceptions import NoInviteCodeException, IncorrectInviteCodeException, UserRegistrationException, UnauthorizedError
 
 from database.model_management_db import create_model_record
-from database.user_tenant_db import insert_user_tenant, soft_delete_user_tenant_by_user_id, get_user_tenant_by_user_id
-from database.memory_config_db import soft_delete_all_configs_by_user_id
-from database.conversation_db import soft_delete_all_conversations_by_user
+from database.user_tenant_db import insert_user_tenant, get_user_tenant_by_user_id
 from database.group_db import query_group_ids_by_user
 from database.client import as_dict, get_db_session
 from database.db_models import RolePermission
-from utils.memory_utils import build_memory_config
-from nexent.memory.memory_service import clear_memory
 from services.invitation_service import use_invitation_code, check_invitation_available, get_invitation_by_code
 from services.group_service import add_user_to_groups
+from services.tool_configuration_service import init_tool_list_for_tenant
+
 
 
 logging.getLogger("user_management_service").setLevel(logging.DEBUG)
@@ -157,6 +154,9 @@ async def signup_user(email: EmailStr,
         if is_admin:
             await generate_tts_stt_4_admin(tenant_id, user_id)
 
+        # Initialize tool list for the new tenant (only once per tenant)
+        await init_tool_list_for_tenant(tenant_id, user_id)
+
         return await parse_supabase_response(is_admin, response, user_role)
     else:
         logging.error(
@@ -271,6 +271,9 @@ async def signup_user_with_invitation(email: EmailStr,
         if user_role == "ADMIN":
             await generate_tts_stt_4_admin(tenant_id, user_id)
 
+        # Initialize tool list for the new tenant (only once per tenant)
+        await init_tool_list_for_tenant(tenant_id, user_id)
+
         return await parse_supabase_response(False, response, user_role)
     else:
         logging.error(
@@ -428,78 +431,6 @@ async def get_session_by_authorization(authorization):
         raise UnauthorizedError("Session is invalid or expired")
 
 
-async def revoke_regular_user(user_id: str, tenant_id: str) -> None:
-    """Revoke a regular user's account and purge related data.
-
-    Steps:
-    1) Soft-delete user-tenant relation rows and memory user configs, and all conversations for the user in PostgreSQL.
-    2) Clear user-level memories in memory store (levels: "user" and "user_agent").
-    3) Permanently delete the user from Supabase using service role key (admin API).
-    """
-    try:
-        logging.debug(f"Start deleting user {user_id} related data...")
-        # 1) PostgreSQL soft-deletes
-        try:
-            soft_delete_user_tenant_by_user_id(user_id, actor=user_id)
-            logging.debug("\tTenant relationship deleted.")
-        except Exception as e:
-            logging.error(
-                f"Failed soft-deleting user-tenant for user {user_id}: {e}")
-
-        try:
-            soft_delete_all_configs_by_user_id(user_id, actor=user_id)
-            logging.debug("\tMemory user configs deleted.")
-        except Exception as e:
-            logging.error(
-                f"Failed soft-deleting memory user configs for user {user_id}: {e}")
-
-        try:
-            deleted_convs = soft_delete_all_conversations_by_user(user_id)
-            logging.debug(f"\t{deleted_convs} conversations deleted")
-        except Exception as e:
-            logging.error(
-                f"Failed soft-deleting conversations for user {user_id}: {e}")
-
-        # 2) Clear memory records
-        try:
-            memory_config = build_memory_config(tenant_id)
-            # Clear user-level memory
-            await clear_memory(
-                memory_level="user",
-                memory_config=memory_config,
-                tenant_id=tenant_id,
-                user_id=user_id,
-            )
-            # Also clear user_agent-level memory for all agents (API clears by user + any agent)
-            await clear_memory(
-                memory_level="user_agent",
-                memory_config=memory_config,
-                tenant_id=tenant_id,
-                user_id=user_id,
-            )
-            logging.debug(
-                "\tMemories under current embedding configuration deleted")
-        except Exception as e:
-            logging.error(f"Failed clearing memory for user {user_id}: {e}")
-
-        # 3) Delete Supabase user using admin API
-        try:
-            admin_client = get_supabase_admin_client()
-            if admin_client and hasattr(admin_client.auth, "admin"):
-                admin_client.auth.admin.delete_user(user_id)
-            else:
-                raise RuntimeError("Supabase admin client not available")
-            logging.debug("\tUser account deleted.")
-        except Exception as e:
-            logging.error(f"Failed deleting supabase user {user_id}: {e}")
-            # prior steps already purged local data
-        logging.info(f"Account {user_id} has been successfully deleted")
-    except Exception as e:
-        logging.error(
-            f"Unexpected error in revoke_regular_user for {user_id}: {e}")
-        # swallow to keep idempotent behavior
-
-
 async def get_user_info(user_id: str) -> Optional[Dict[str, Any]]:
     """
     Get user information including user ID, group IDs, tenant ID, user role, permissions, and accessible routes.
@@ -521,6 +452,7 @@ async def get_user_info(user_id: str) -> Optional[Dict[str, Any]]:
 
         tenant_id = user_tenant["tenant_id"]
         user_role = user_tenant["user_role"]
+        user_email = user_tenant["user_email"]
 
         # Get group IDs
         group_ids = query_group_ids_by_user(user_id)
@@ -534,10 +466,6 @@ async def get_user_info(user_id: str) -> Optional[Dict[str, Any]]:
 
         permissions_data = format_role_permissions(permissions)
 
-        # Get user email from Supabase (placeholder for now)
-        # TODO: Implement user email retrieval from Supabase user object
-        user_email = "user@example.com"  # Placeholder
-
         return {
             "user": {
                 "user_id": user_id,
diff --git a/backend/services/user_service.py b/backend/services/user_service.py
index 7b42e0d16..74e99c69c 100644
--- a/backend/services/user_service.py
+++ b/backend/services/user_service.py
@@ -10,8 +10,11 @@
     soft_delete_user_tenant_by_user_id
 )
 from database.group_db import remove_user_from_all_groups
-from services.tenant_service import get_tenant_info
+from database.memory_config_db import soft_delete_all_configs_by_user_id
+from database.conversation_db import soft_delete_all_conversations_by_user
 from utils.auth_utils import get_supabase_admin_client
+from utils.memory_utils import build_memory_config
+from nexent.memory.memory_service import clear_memory
 
 logger = logging.getLogger(__name__)
 
@@ -105,37 +108,80 @@ async def update_user(user_id: str, update_data: Dict[str, Any], updated_by: str
         raise
 
 
-async def delete_user(user_id: str, deleted_by: str) -> bool:
+async def delete_user_and_cleanup(user_id: str, tenant_id: str) -> None:
     """
-    Soft delete user and remove from all groups
+    Permanently delete user account and all related data.
+
+    This performs complete cleanup:
+    1) Soft-delete user-tenant relation and remove from all groups
+    2) Soft-delete memory user configs and all conversations
+    3) Clear user-level memories in memory store
+    4) Permanently delete user from Supabase
 
     Args:
         user_id (str): User ID to delete
-        deleted_by (str): ID of the user performing the deletion
-
-    Returns:
-        bool: True if deletion successful
-
-    Raises:
-        ValueError: When user not found
+        tenant_id (str): Tenant ID for memory operations
     """
     try:
-        # Soft delete user-tenant relationship
-        tenant_deleted = soft_delete_user_tenant_by_user_id(user_id, deleted_by)
+        logger.debug(f"Start permanently deleting user {user_id} and all related data...")
+
+        # 1) Core user deletion (soft-delete user-tenant and groups)
+        try:
+            tenant_deleted = soft_delete_user_tenant_by_user_id(user_id, user_id)
+            if not tenant_deleted:
+                raise ValueError(f"User {user_id} not found in any tenant")
+
+            remove_user_from_all_groups(user_id, user_id)
+            logger.debug("\tUser tenant relationship and groups deleted.")
+        except Exception as e:
+            logger.error(f"Failed core deletion for user {user_id}: {e}")
+
+        # 2) Soft-delete memory configs
+        try:
+            soft_delete_all_configs_by_user_id(user_id, actor=user_id)
+            logger.debug("\tMemory user configs deleted.")
+        except Exception as e:
+            logger.error(f"Failed deleting configs for user {user_id}: {e}")
 
-        if not tenant_deleted:
-            raise ValueError(f"User {user_id} not found in any tenant")
+        # 3) Soft-delete conversations
+        try:
+            deleted_convs = soft_delete_all_conversations_by_user(user_id)
+            logger.debug(f"\t{deleted_convs} conversations deleted.")
+        except Exception as e:
+            logger.error(f"Failed deleting conversations for user {user_id}: {e}")
 
-        # Remove user from all groups
+        # 4) Clear memory records
+        try:
+            memory_config = build_memory_config(tenant_id)
+            await clear_memory(
+                memory_level="user",
+                memory_config=memory_config,
+                tenant_id=tenant_id,
+                user_id=user_id,
+            )
+            await clear_memory(
+                memory_level="user_agent",
+                memory_config=memory_config,
+                tenant_id=tenant_id,
+                user_id=user_id,
+            )
+            logger.debug("\tUser memories cleared.")
+        except Exception as e:
+            logger.error(f"Failed clearing memory for user {user_id}: {e}")
+
+        # 5) Delete from Supabase
         try:
-            remove_user_from_all_groups(user_id, deleted_by)
-        except Exception as group_exc:
-            # Log the error but don't fail the entire deletion
-            logger.warning(f"Failed to remove user {user_id} from groups: {str(group_exc)}")
+            admin_client = get_supabase_admin_client()
+            if admin_client and hasattr(admin_client.auth, "admin"):
+                admin_client.auth.admin.delete_user(user_id)
+                logger.debug("\tSupabase user deleted.")
+            else:
+                raise RuntimeError("Supabase admin client not available")
+        except Exception as e:
+            logger.error(f"Failed deleting Supabase user {user_id}: {e}")
 
-        logger.info(f"Soft deleted user {user_id} by user {deleted_by}")
-        return True
+        logger.info(f"Permanently deleted user {user_id} and all related data.")
 
     except Exception as exc:
-        logger.error(f"Failed to delete user {user_id}: {str(exc)}")
+        logger.error(f"Unexpected error in delete_user_and_cleanup for {user_id}: {str(exc)}")
         raise
diff --git a/backend/services/vectordatabase_service.py b/backend/services/vectordatabase_service.py
index c2c61408e..e4f51e15c 100644
--- a/backend/services/vectordatabase_service.py
+++ b/backend/services/vectordatabase_service.py
@@ -25,7 +25,7 @@
 from nexent.vector_database.elasticsearch_core import ElasticSearchCore
 from nexent.vector_database.datamate_core import DataMateCore
 
-from consts.const import DATAMATE_URL, ES_API_KEY, ES_HOST, LANGUAGE, VectorDatabaseType, IS_SPEED_MODE
+from consts.const import DATAMATE_URL, ES_API_KEY, ES_HOST, LANGUAGE, VectorDatabaseType, IS_SPEED_MODE, PERMISSION_EDIT, PERMISSION_READ
 from consts.model import ChunkCreateRequest, ChunkUpdateRequest
 from database.attachment_db import delete_file
 from database.knowledge_db import (
@@ -39,6 +39,7 @@
 from utils.str_utils import convert_list_to_string
 from database.user_tenant_db import get_user_tenant_by_user_id
 from database.group_db import query_group_ids_by_user
+from database.model_management_db import get_model_records
 from services.redis_service import get_redis_service
 from services.group_service import get_tenant_default_group_id
 from utils.config_utils import tenant_config_manager, get_model_name_from_config
@@ -170,8 +171,46 @@ def check_knowledge_base_exist_impl(knowledge_name: str, vdb_core: VectorDatabas
     return {"status": "available"}
 
 
-def get_embedding_model(tenant_id: str):
-    # Get the tenant config
+def get_embedding_model(tenant_id: str, model_name: Optional[str] = None):
+    """
+    Get the embedding model for the tenant, optionally using a specific model name.
+
+    Args:
+        tenant_id: Tenant ID
+        model_name: Optional specific model name to use (format: "model_repo/model_name" or just "model_name")
+                   If provided, will try to find the model in the tenant's model list.
+
+    Returns:
+        Embedding model instance or None
+    """
+    # If model_name is provided, try to find it in the tenant's models
+    if model_name:
+        try:
+            models = get_model_records({"model_type": "embedding"}, tenant_id)
+            for model in models:
+                model_display_name = model.get("model_repo") + "/" + model["model_name"] if model.get("model_repo") else model["model_name"]
+                if model_display_name == model_name:
+                    # Found the model, create embedding instance
+                    model_config = {
+                        "model_repo": model.get("model_repo", ""),
+                        "model_name": model["model_name"],
+                        "api_key": model.get("api_key", ""),
+                        "base_url": model.get("base_url", ""),
+                        "model_type": "embedding",
+                        "max_tokens": model.get("max_tokens", 1024),
+                        "ssl_verify": model.get("ssl_verify", True),
+                    }
+                    return OpenAICompatibleEmbedding(
+                        api_key=model_config.get("api_key", ""),
+                        base_url=model_config.get("base_url", ""),
+                        model_name=get_model_name_from_config(model_config) or "",
+                        embedding_dim=model_config.get("max_tokens", 1024),
+                        ssl_verify=model_config.get("ssl_verify", True),
+                    )
+        except Exception as e:
+            logger.warning(f"Failed to get embedding model by name {model_name}: {e}")
+
+    # Fall back to default embedding model (current behavior)
     model_config = tenant_config_manager.get_model_config(
         key="EMBEDDING_ID", tenant_id=tenant_id)
 
@@ -350,6 +389,8 @@ def create_knowledge_base(
             vdb_core: VectorDatabaseCore,
             user_id: Optional[str],
             tenant_id: Optional[str],
+            ingroup_permission: Optional[str] = None,
+            group_ids: Optional[List[int]] = None,
     ):
         """
         Create a new knowledge base with a user-facing name and an internal Elasticsearch index name.
@@ -373,6 +414,13 @@ def create_knowledge_base(
                 "tenant_id": tenant_id,
                 "embedding_model_name": embedding_model.model if embedding_model else None,
             }
+
+            # Add group permission and group IDs if provided
+            if ingroup_permission is not None:
+                knowledge_data["ingroup_permission"] = ingroup_permission
+            if group_ids is not None:
+                knowledge_data["group_ids"] = group_ids
+
             record_info = create_knowledge_record(knowledge_data)
             index_name = record_info["index_name"]
 
@@ -574,14 +622,14 @@ def list_indices(
 
             if effective_user_role in ["SU", "ADMIN", "SPEED"]:
                 # SU, ADMIN and SPEED roles can see all knowledgebases
-                permission = "EDIT"
+                permission = PERMISSION_EDIT
             elif effective_user_role in ["USER", "DEV"]:
                 # USER/DEV need group-based permission checking
                 kb_group_ids_str = record.get("group_ids")
                 kb_group_ids = convert_string_to_list(kb_group_ids_str or "")
                 kb_created_by = record.get("created_by")
                 kb_ingroup_permission = record.get(
-                    "ingroup_permission") or "READ_ONLY"
+                    "ingroup_permission") or PERMISSION_READ
 
                 # Check if user belongs to any of the knowledgebase groups
                 # Compatibility logic for legacy data:
@@ -602,17 +650,17 @@ def list_indices(
 
                 if has_group_intersection:
                     # Determine permission level
-                    permission = "READ_ONLY"  # Default
+                    permission = PERMISSION_READ  # Default
 
                     # User is creator: creator permission
                     if kb_created_by == user_id:
                         permission = "CREATOR"
                     # Group permission allows editing
-                    elif kb_ingroup_permission == "EDIT":
-                        permission = "EDIT"
+                    elif kb_ingroup_permission == PERMISSION_EDIT:
+                        permission = PERMISSION_EDIT
                     # Group permission is read-only: already set
-                    elif kb_ingroup_permission == "READ_ONLY":
-                        permission = "READ_ONLY"
+                    elif kb_ingroup_permission == PERMISSION_READ:
+                        permission = PERMISSION_READ
                     # Group permission is private: not visible
                     elif kb_ingroup_permission == "PRIVATE":
                         permission = None
@@ -1426,11 +1474,43 @@ def create_chunk(
         chunk_request: ChunkCreateRequest,
         vdb_core: VectorDatabaseCore = Depends(get_vector_db_core),
         user_id: Optional[str] = None,
+        tenant_id: Optional[str] = None,
     ):
         """
         Create a manual chunk entry in the specified index.
+        Automatically generates and stores embedding for semantic search.
         """
         try:
+            # Get knowledge base's embedding model name
+            embedding_model_name = None
+            if tenant_id:
+                try:
+                    knowledge_record = get_knowledge_record({
+                        "index_name": index_name,
+                        "tenant_id": tenant_id
+                    })
+                    embedding_model_name = knowledge_record.get("embedding_model_name") if knowledge_record else None
+                except Exception as e:
+                    logger.warning(f"Failed to get embedding model name for index {index_name}: {e}")
+
+            # Generate embedding if we have content and can get embedding model
+            embedding_vector = None
+            if chunk_request.content:
+                try:
+                    embedding_model = get_embedding_model(tenant_id, embedding_model_name) if tenant_id else None
+                    if embedding_model:
+                        embeddings = embedding_model.get_embeddings(chunk_request.content)
+                        if embeddings and len(embeddings) > 0:
+                            embedding_vector = embeddings[0]
+                            logger.debug(f"Generated embedding for chunk in index {index_name}")
+                        else:
+                            logger.warning(f"Failed to generate embedding for chunk in index {index_name}")
+                    else:
+                        logger.warning(f"No embedding model available for index {index_name}")
+                except Exception as e:
+                    logger.warning(f"Failed to generate embedding for chunk: {e}")
+
+            # Build chunk payload
             chunk_payload = ElasticSearchService._build_chunk_payload(
                 base_fields={
                     "id": chunk_request.chunk_id or ElasticSearchService._generate_chunk_id(),
@@ -1443,6 +1523,13 @@ def create_chunk(
                 metadata=chunk_request.metadata,
                 ensure_create_time=True,
             )
+
+            # Add embedding if generated
+            if embedding_vector:
+                chunk_payload["embedding"] = embedding_vector
+                if embedding_model_name:
+                    chunk_payload["embedding_model_name"] = embedding_model_name
+
             result = vdb_core.create_chunk(index_name, chunk_payload)
             return {
                 "status": "success",
diff --git a/backend/utils/prompt_template_utils.py b/backend/utils/prompt_template_utils.py
index dfbb2c89c..b3fb9cc6e 100644
--- a/backend/utils/prompt_template_utils.py
+++ b/backend/utils/prompt_template_utils.py
@@ -20,7 +20,6 @@ def get_prompt_template(template_type: str, language: str = LANGUAGE["ZH"], **kw
             - 'knowledge_summary': Knowledge summary template
             - 'analyze_file': File analysis template
             - 'generate_title': Title generation template
-            - 'file_processing_messages': File processing messages template
             - 'document_summary': Document summary template (Map stage)
             - 'cluster_summary_reduce': Cluster summary reduce template (Reduce stage)
             - 'cluster_summary_agent': Cluster summary agent template (legacy)
@@ -36,13 +35,13 @@ def get_prompt_template(template_type: str, language: str = LANGUAGE["ZH"], **kw
     # Define template path mapping
     template_paths = {
         'prompt_generate': {
-            LANGUAGE["ZH"]: 'backend/prompts/utils/prompt_generate.yaml',
+            LANGUAGE["ZH"]: 'backend/prompts/utils/prompt_generate_zh.yaml',
             LANGUAGE["EN"]: 'backend/prompts/utils/prompt_generate_en.yaml'
         },
         'agent': {
             LANGUAGE["ZH"]: {
-                'manager': 'backend/prompts/manager_system_prompt_template.yaml',
-                'managed': 'backend/prompts/managed_system_prompt_template.yaml'
+                'manager': 'backend/prompts/manager_system_prompt_template_zh.yaml',
+                'managed': 'backend/prompts/managed_system_prompt_template_zh.yaml'
             },
             LANGUAGE["EN"]: {
                 'manager': 'backend/prompts/manager_system_prompt_template_en.yaml',
@@ -50,32 +49,28 @@ def get_prompt_template(template_type: str, language: str = LANGUAGE["ZH"], **kw
             }
         },
         'knowledge_summary': {
-            LANGUAGE["ZH"]: 'backend/prompts/knowledge_summary_agent.yaml',
+            LANGUAGE["ZH"]: 'backend/prompts/knowledge_summary_agent_zh.yaml',
             LANGUAGE["EN"]: 'backend/prompts/knowledge_summary_agent_en.yaml'
         },
         'analyze_file': {
-            LANGUAGE["ZH"]: 'backend/prompts/analyze_file.yaml',
+            LANGUAGE["ZH"]: 'backend/prompts/analyze_file_zh.yaml',
             LANGUAGE["EN"]: 'backend/prompts/analyze_file_en.yaml'
         },
         'generate_title': {
-            LANGUAGE["ZH"]: 'backend/prompts/utils/generate_title.yaml',
+            LANGUAGE["ZH"]: 'backend/prompts/utils/generate_title_zh.yaml',
             LANGUAGE["EN"]: 'backend/prompts/utils/generate_title_en.yaml'
         },
-        'file_processing_messages': {
-            LANGUAGE["ZH"]: 'backend/prompts/utils/file_processing_messages.yaml',
-            LANGUAGE["EN"]: 'backend/prompts/utils/file_processing_messages_en.yaml'
-        },
         'document_summary': {
             LANGUAGE["ZH"]: 'backend/prompts/document_summary_agent_zh.yaml',
-            LANGUAGE["EN"]: 'backend/prompts/document_summary_agent.yaml'
+            LANGUAGE["EN"]: 'backend/prompts/document_summary_agent_en.yaml'
         },
         'cluster_summary_reduce': {
             LANGUAGE["ZH"]: 'backend/prompts/cluster_summary_reduce_zh.yaml',
-            LANGUAGE["EN"]: 'backend/prompts/cluster_summary_reduce.yaml'
+            LANGUAGE["EN"]: 'backend/prompts/cluster_summary_reduce_en.yaml'
         },
         'cluster_summary_agent': {
-            LANGUAGE["ZH"]: 'backend/prompts/cluster_summary_agent.yaml',
-            LANGUAGE["EN"]: 'backend/prompts/cluster_summary_agent.yaml'
+            LANGUAGE["ZH"]: 'backend/prompts/cluster_summary_agent_zh.yaml',
+            LANGUAGE["EN"]: 'backend/prompts/cluster_summary_agent_en.yaml'
         }
     }
 
@@ -168,19 +163,6 @@ def get_generate_title_prompt_template(language: str = 'zh') -> Dict[str, Any]:
     return get_prompt_template('generate_title', language)
 
 
-def get_file_processing_messages_template(language: str = 'zh') -> Dict[str, Any]:
-    """
-    Get file processing messages template
-
-    Args:
-        language: Language code ('zh' or 'en')
-
-    Returns:
-        dict: Loaded file processing messages configuration
-    """
-    return get_prompt_template('file_processing_messages', language)
-
-
 def get_document_summary_prompt_template(language: str = LANGUAGE["ZH"]) -> Dict[str, Any]:
     """
     Get document summary prompt template (Map stage)
diff --git a/docker/create-su.sh b/docker/create-su.sh
new file mode 100644
index 000000000..8d290a726
--- /dev/null
+++ b/docker/create-su.sh
@@ -0,0 +1,157 @@
+#!/bin/bash
+
+# Script to create super admin user and insert into user_tenant_t table
+# This script should be called from deploy.sh with necessary environment variables
+
+# Note: We don't use set -e here because we want to handle errors gracefully
+# and return appropriate exit codes from functions
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Source environment variables if .env file exists
+if [ -f "$SCRIPT_DIR/.env" ]; then
+  set -a
+  source "$SCRIPT_DIR/.env"
+  set +a
+fi
+
+generate_random_password() {
+  # Generate a URL/JSON safe random password (alphanumeric only)
+  local pwd=""
+  if command -v openssl >/dev/null 2>&1; then
+    pwd=$(openssl rand -base64 32 | tr -dc 'A-Za-z0-9' | head -c 20)
+  else
+    pwd=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 20)
+  fi
+  if [ -z "$pwd" ]; then
+    # Fallback (should be extremely rare)
+    pwd=$(date +%s%N | tr -dc '0-9' | head -c 20)
+  fi
+  echo "$pwd"
+}
+
+wait_for_postgresql_ready() {
+  # Function to wait for PostgreSQL to become ready
+  local retries=0
+  local max_retries=${1:-30}  # Default 5 minutes, can be overridden
+  while [ $retries -lt $max_retries ]; do
+      if docker exec nexent-postgresql pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" >/dev/null 2>&1; then
+          echo "   ✅ PostgreSQL is now ready!"
+          return 0
+      fi
+      echo "⏳ Waiting for PostgreSQL to become ready... (attempt $((retries + 1))/$max_retries)"
+      sleep 10
+      retries=$((retries + 1))
+  done
+
+  if [ $retries -eq $max_retries ]; then
+      echo "   ⚠️  Warning: PostgreSQL did not become ready within expected time"
+      echo "     You may need to check the container logs and try again"
+      return 1
+  fi
+}
+
+create_default_super_admin_user() {
+  local email="suadmin@nexent.com"
+  local password
+  password="$(generate_random_password)"
+
+  echo "🔧 Creating super admin user..."
+  RESPONSE=$(docker exec nexent-config bash -c "curl -s -X POST http://kong:8000/auth/v1/signup -H \"apikey: ${SUPABASE_KEY}\" -H \"Authorization: Bearer ${SUPABASE_KEY}\" -H \"Content-Type: application/json\" -d '{\"email\":\"${email}\",\"password\":\"${password}\",\"email_confirm\":true}'" 2>/dev/null)
+
+  if [ -z "$RESPONSE" ]; then
+    echo "   ❌ No response received from Supabase."
+    return 1
+  elif echo "$RESPONSE" | grep -q '"access_token"' && echo "$RESPONSE" | grep -q '"user"'; then
+    echo "   ✅ Default super admin user has been successfully created."
+    echo ""
+    echo "      Please save the following credentials carefully, which would ONLY be shown once."
+    echo "   📧 Email:    ${email}"
+    echo "   🔏 Password: ${password}"
+
+    # Extract user.id from RESPONSE JSON
+    local user_id
+    # Try using Python to parse JSON (most reliable)
+    user_id=$(echo "$RESPONSE" | docker exec -i nexent-config python3 -c "import sys, json; data = json.load(sys.stdin); print(data.get('user', {}).get('id', ''))" 2>/dev/null)
+
+    # Fallback to jq if Python fails
+    if [ -z "$user_id" ] && command -v jq >/dev/null 2>&1; then
+      user_id=$(echo "$RESPONSE" | jq -r '.user.id // empty' 2>/dev/null)
+    fi
+
+    # Final fallback: use grep and sed
+    if [ -z "$user_id" ]; then
+      user_id=$(echo "$RESPONSE" | grep -o '"user"[^}]*"id":"[^"]*"' | sed -n 's/.*"id":"\([^"]*\)".*/\1/p' 2>/dev/null)
+    fi
+
+    if [ -z "$user_id" ]; then
+      echo "   ⚠️  Warning: Could not extract user.id from response. Skipping database insertion."
+    else
+      # Wait for PostgreSQL to be ready
+      echo "   ⏳ Waiting for PostgreSQL to be ready..."
+      if ! wait_for_postgresql_ready; then
+        echo "   ⚠️  Warning: PostgreSQL is not ready. Skipping database insertion."
+        return 0
+      fi
+
+      # Insert user_tenant_t record
+      echo "   🔧 Inserting super admin user into user_tenant_t table..."
+      local sql="INSERT INTO nexent.user_tenant_t (user_id, tenant_id, user_role, user_email, created_by, updated_by) VALUES ('${user_id}', '', 'SU', '${email}', 'system', 'system') ON CONFLICT (user_id, tenant_id) DO NOTHING;"
+
+      if docker exec -i nexent-postgresql psql -U "$POSTGRES_USER" -d "$POSTGRES_DB" -c "$sql" >/dev/null 2>&1; then
+        echo "   ✅ Super admin user inserted into user_tenant_t table successfully."
+      else
+        echo "   ⚠️  Warning: Failed to insert super admin user into user_tenant_t table."
+      fi
+    fi
+  elif echo "$RESPONSE" | grep -q '"error_code":"user_already_exists"' || echo "$RESPONSE" | grep -q '"code":422'; then
+    echo "   🚧 Default super admin user already exists. Skipping creation."
+    echo "   📧 Email:    ${email}"
+
+    # Even if user already exists, try to ensure the user_tenant_t record exists
+    # Get user_id from Supabase auth.users table
+    echo "   🔧 Retrieving user_id from Supabase database..."
+    local user_id
+    if [ "$DEPLOYMENT_VERSION" = "full" ] && docker ps | grep -q "supabase-db-mini"; then
+      # Query Supabase auth.users table to get user_id by email
+      user_id=$(docker exec supabase-db-mini psql -U postgres -d "$SUPABASE_POSTGRES_DB" -t -c "SELECT id FROM auth.users WHERE email = '${email}' LIMIT 1;" 2>/dev/null | tr -d '[:space:]')
+    fi
+
+    if [ -z "$user_id" ]; then
+      echo "   ⚠️  Warning: Could not retrieve user_id. Skipping database insertion."
+      echo "   💡 Note: If user_tenant_t record is missing, you may need to insert it manually."
+      return 0
+    fi
+
+    # Wait for PostgreSQL to be ready
+    echo "   ⏳ Waiting for PostgreSQL to be ready..."
+    if ! wait_for_postgresql_ready; then
+      echo "   ⚠️  Warning: PostgreSQL is not ready. Skipping database insertion."
+      return 0
+    fi
+
+    # Insert user_tenant_t record
+    echo "   🔧 Inserting super admin user into user_tenant_t table..."
+    local sql="INSERT INTO nexent.user_tenant_t (user_id, tenant_id, user_role, user_email, created_by, updated_by) VALUES ('${user_id}', '', 'SU', '${email}', 'system', 'system') ON CONFLICT (user_id, tenant_id) DO NOTHING;"
+
+    if docker exec -i nexent-postgresql psql -U "$POSTGRES_USER" -d "$POSTGRES_DB" -c "$sql" >/dev/null 2>&1; then
+      echo "   ✅ Super admin user inserted into user_tenant_t table successfully."
+    else
+      echo "   ⚠️  Warning: Failed to insert super admin user into user_tenant_t table."
+    fi
+  else
+    echo "   ❌ Response from Supabase does not contain 'access_token' or 'user'."
+    return 1
+  fi
+
+  echo ""
+  echo "--------------------------------"
+  echo ""
+}
+
+# Main execution
+if create_default_super_admin_user; then
+  exit 0
+else
+  exit 1
+fi
diff --git a/docker/deploy.sh b/docker/deploy.sh
index 2545bf2dc..83d3f7947 100755
--- a/docker/deploy.sh
+++ b/docker/deploy.sh
@@ -475,18 +475,18 @@ select_deployment_mode() {
   MODE_CHOICE_SAVED="$mode_choice"
 
   case $mode_choice in
-      2)
+      2|"infrastructure")
           export DEPLOYMENT_MODE="infrastructure"
           export COMPOSE_FILE_SUFFIX=".yml"
           echo "✅ Selected infrastructure mode 🏗️"
           ;;
-      3)
+      3|"production")
           export DEPLOYMENT_MODE="production"
           export COMPOSE_FILE_SUFFIX=".prod.yml"
           disable_dashboard
           echo "✅ Selected production mode 🚀"
           ;;
-      *)
+      1|"development"|*)
           export DEPLOYMENT_MODE="development"
           export COMPOSE_FILE_SUFFIX=".yml"
           echo "✅ Selected development mode 🛠️"
@@ -604,6 +604,11 @@ prepare_directory_and_data() {
   chmod -R 775 $ROOT_DIR/volumes
   echo "   📁 Directory $ROOT_DIR/volumes has been created and permissions set to 775."
 
+  # Copy sync_user_supabase2pg.py to ROOT_DIR for container access
+  cp -rn scripts $ROOT_DIR
+  chmod 644 "$ROOT_DIR/scripts/sync_user_supabase2pg.py"
+  echo "   📁 update scripts copied to $ROOT_DIR"
+
   # Create nexent user workspace directory
   NEXENT_USER_DIR="$HOME/nexent"
   create_dir_with_permission "$NEXENT_USER_DIR" 775
@@ -686,11 +691,11 @@ select_deployment_version() {
   version_choice=$(sanitize_input "$version_choice")
   VERSION_CHOICE_SAVED="${version_choice}"
   case $version_choice in
-      2)
+      2|"full")
           export DEPLOYMENT_VERSION="full"
           echo "✅ Selected complete version 🎯"
           ;;
-      *)
+      1|"speed"|*)
           export DEPLOYMENT_VERSION="speed"
           echo "✅ Selected speed version ⚡️"
           ;;
@@ -755,6 +760,7 @@ wait_for_elasticsearch_healthy() {
   fi
 }
 
+
 select_terminal_tool() {
     # Function to ask if user wants to create Terminal tool container
     echo "🔧 Terminal Tool Container Setup:"
@@ -859,29 +865,46 @@ select_terminal_tool() {
     echo ""
 }
 
-create_default_admin_user() {
-  echo "🔧 Creating admin user..."
-  RESPONSE=$(docker exec nexent-config bash -c "curl -X POST http://kong:8000/auth/v1/signup -H \"apikey: ${SUPABASE_KEY}\" -H \"Authorization: Bearer ${SUPABASE_KEY}\" -H \"Content-Type: application/json\" -d '{\"email\":\"nexent@example.com\",\"password\":\"nexent@4321\",\"email_confirm\":true,\"data\":{\"role\":\"admin\"}}'" 2>/dev/null)
+generate_random_password() {
+  # Generate a URL/JSON safe random password (alphanumeric only)
+  local pwd=""
+  if command -v openssl >/dev/null 2>&1; then
+    pwd=$(openssl rand -base64 32 | tr -dc 'A-Za-z0-9' | head -c 20)
+  else
+    pwd=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 20)
+  fi
+  if [ -z "$pwd" ]; then
+    # Fallback (should be extremely rare)
+    pwd=$(date +%s%N | tr -dc '0-9' | head -c 20)
+  fi
+  echo "$pwd"
+}
+
+create_default_super_admin_user() {
+  # Call the dedicated script for creating super admin user
+  local script_path="$SCRIPT_DIR/create-su.sh"
 
-  if [ -z "$RESPONSE" ]; then
-    echo "   ❌ No response received from Supabase."
+  if [ ! -f "$script_path" ]; then
+    echo "   ❌ ERROR create-su.sh not found at $script_path"
     return 1
-  elif echo "$RESPONSE" | grep -q '"access_token"' && echo "$RESPONSE" | grep -q '"user"'; then
-    echo "   ✅ Default admin user has been successfully created."
-    echo ""
-    echo "      Please save the following credentials carefully, which would ONLY be shown once."
-    echo "   📧 Email:    nexent@example.com"
-    echo "   🔏 Password: nexent@4321"
-  elif echo "$RESPONSE" | grep -q '"error_code":"user_already_exists"' || echo "$RESPONSE" | grep -q '"code":422'; then
-    echo "   🚧 Default admin user already exists. Skipping creation."
+  fi
+
+  # Make sure the script is executable
+  chmod +x "$script_path"
+
+  # Export necessary environment variables for the script
+  export SUPABASE_KEY
+  export POSTGRES_USER
+  export POSTGRES_DB
+  export DEPLOYMENT_VERSION
+  export SUPABASE_POSTGRES_DB
+
+  # Execute the script with current environment variables
+  if bash "$script_path"; then
+    return 0
   else
-    echo "   ❌ Response from Supabase does not contain 'access_token' or 'user'."
     return 1
   fi
-
-  echo ""
-  echo "--------------------------------"
-  echo ""
 }
 
 choose_image_env() {
@@ -981,9 +1004,9 @@ main_deploy() {
   echo "--------------------------------"
   echo ""
 
-  # Create default admin user
+  # Create default super admin user
   if [ "$DEPLOYMENT_VERSION" = "full" ]; then
-    create_default_admin_user || { echo "❌ Default admin user creation failed"; exit 1; }
+    create_default_super_admin_user || { echo "❌ Default super admin user creation failed"; exit 1; }
   fi
 
   persist_deploy_options
diff --git a/docker/docker-compose.prod.yml b/docker/docker-compose.prod.yml
index 71042c3ef..e9d344461 100644
--- a/docker/docker-compose.prod.yml
+++ b/docker/docker-compose.prod.yml
@@ -76,6 +76,8 @@ services:
     volumes:
       - ${NEXENT_USER_DIR:-$HOME/nexent}:/mnt/nexent
       - ${ROOT_DIR}/openssh-server/ssh-keys:/opt/ssh-keys:ro
+      - ${ROOT_DIR}/scripts/sync_user_supabase2pg.py:/opt/sync_user_supabase2pg.py:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro # Docker socket for MCP container management
     environment:
       <<: [*minio-vars, *es-vars]
       skip_proxy: "true"
@@ -298,4 +300,4 @@ networks:
     driver: bridge
 
 volumes:
-  redis_data:
\ No newline at end of file
+  redis_data:
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 36f1129b2..221ff0c89 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -87,6 +87,7 @@ services:
     volumes:
       - ${NEXENT_USER_DIR:-$HOME/nexent}:/mnt/nexent
       - ${ROOT_DIR}/openssh-server/ssh-keys:/opt/ssh-keys:ro
+      - ${ROOT_DIR}/scripts/sync_user_supabase2pg.py:/opt/sync_user_supabase2pg.py:ro
       - /var/run/docker.sock:/var/run/docker.sock:ro # Docker socket for MCP container management
     environment:
       <<: [*minio-vars, *es-vars]
diff --git a/docker/init.sql b/docker/init.sql
index c7e372ca5..73c35ac77 100644
--- a/docker/init.sql
+++ b/docker/init.sql
@@ -296,7 +296,7 @@ COMMENT ON COLUMN nexent.ag_tool_info_t.delete_flag IS 'Whether it is deleted. O
 
 -- Create the ag_tenant_agent_t table in the nexent schema
 CREATE TABLE IF NOT EXISTS nexent.ag_tenant_agent_t (
-    agent_id SERIAL PRIMARY KEY NOT NULL,
+    agent_id INTEGER NOT NULL,
     name VARCHAR(100),
     display_name VARCHAR(100),
     description VARCHAR,
@@ -316,11 +316,14 @@ CREATE TABLE IF NOT EXISTS nexent.ag_tenant_agent_t (
     enabled BOOLEAN DEFAULT FALSE,
     is_new BOOLEAN DEFAULT FALSE,
     provide_run_summary BOOLEAN DEFAULT FALSE,
+    version_no INTEGER DEFAULT 0 NOT NULL,
+    current_version_no INTEGER NULL,
     create_time TIMESTAMP WITHOUT TIME ZONE DEFAULT CURRENT_TIMESTAMP,
     update_time TIMESTAMP WITHOUT TIME ZONE DEFAULT CURRENT_TIMESTAMP,
     created_by VARCHAR(100),
     updated_by VARCHAR(100),
-    delete_flag VARCHAR(1) DEFAULT 'N'
+    delete_flag VARCHAR(1) DEFAULT 'N',
+    PRIMARY KEY (agent_id, version_no)
 );
 
 -- Create a function to update the update_time column
@@ -366,6 +369,8 @@ COMMENT ON COLUMN nexent.ag_tenant_agent_t.created_by IS 'Creator';
 COMMENT ON COLUMN nexent.ag_tenant_agent_t.updated_by IS 'Updater';
 COMMENT ON COLUMN nexent.ag_tenant_agent_t.delete_flag IS 'Whether it is deleted. Optional values: Y/N';
 COMMENT ON COLUMN nexent.ag_tenant_agent_t.is_new IS 'Whether this agent is marked as new for the user';
+COMMENT ON COLUMN nexent.ag_tenant_agent_t.version_no IS 'Version number. 0 = draft/editing state, >=1 = published snapshot';
+COMMENT ON COLUMN nexent.ag_tenant_agent_t.current_version_no IS 'Current published version number. NULL means no version published yet';
 
 -- Create index for is_new queries
 CREATE INDEX IF NOT EXISTS idx_ag_tenant_agent_t_is_new
@@ -375,18 +380,20 @@ WHERE delete_flag = 'N';
 
 -- Create the ag_tool_instance_t table in the nexent schema
 CREATE TABLE IF NOT EXISTS nexent.ag_tool_instance_t (
-    tool_instance_id SERIAL PRIMARY KEY NOT NULL,
+    tool_instance_id INTEGER NOT NULL,
     tool_id INTEGER,
     agent_id INTEGER,
     params JSON,
     user_id VARCHAR(100),
     tenant_id VARCHAR(100),
     enabled BOOLEAN DEFAULT FALSE,
+    version_no INTEGER DEFAULT 0 NOT NULL,
     create_time TIMESTAMP WITHOUT TIME ZONE DEFAULT CURRENT_TIMESTAMP,
     update_time TIMESTAMP WITHOUT TIME ZONE DEFAULT CURRENT_TIMESTAMP,
     created_by VARCHAR(100),
     updated_by VARCHAR(100),
-    delete_flag VARCHAR(1) DEFAULT 'N'
+    delete_flag VARCHAR(1) DEFAULT 'N',
+    PRIMARY KEY (tool_instance_id, version_no)
 );
 
 -- Add comment to the table
@@ -400,6 +407,7 @@ COMMENT ON COLUMN nexent.ag_tool_instance_t.params IS 'Parameter configuration';
 COMMENT ON COLUMN nexent.ag_tool_instance_t.user_id IS 'User ID';
 COMMENT ON COLUMN nexent.ag_tool_instance_t.tenant_id IS 'Tenant ID';
 COMMENT ON COLUMN nexent.ag_tool_instance_t.enabled IS 'Enable flag';
+COMMENT ON COLUMN nexent.ag_tool_instance_t.version_no IS 'Version number. 0 = draft/editing state, >=1 = published snapshot';
 COMMENT ON COLUMN nexent.ag_tool_instance_t.create_time IS 'Creation time';
 COMMENT ON COLUMN nexent.ag_tool_instance_t.update_time IS 'Update time';
 
@@ -554,15 +562,17 @@ COMMENT ON COLUMN nexent.user_tenant_t.delete_flag IS 'Delete flag, Y/N';
 
 -- Create the ag_agent_relation_t table in the nexent schema
 CREATE TABLE IF NOT EXISTS nexent.ag_agent_relation_t (
-    relation_id SERIAL PRIMARY KEY NOT NULL,
+    relation_id INTEGER NOT NULL,
     selected_agent_id INTEGER,
     parent_agent_id INTEGER,
     tenant_id VARCHAR(100),
+    version_no INTEGER DEFAULT 0 NOT NULL,
     create_time TIMESTAMP WITHOUT TIME ZONE DEFAULT CURRENT_TIMESTAMP,
     update_time TIMESTAMP WITHOUT TIME ZONE DEFAULT CURRENT_TIMESTAMP,
     created_by VARCHAR(100),
     updated_by VARCHAR(100),
-    delete_flag VARCHAR(1) DEFAULT 'N'
+    delete_flag VARCHAR(1) DEFAULT 'N',
+    PRIMARY KEY (relation_id, version_no)
 );
 
 -- Create a function to update the update_time column
@@ -588,6 +598,7 @@ COMMENT ON COLUMN nexent.ag_agent_relation_t.relation_id IS 'Relationship ID, pr
 COMMENT ON COLUMN nexent.ag_agent_relation_t.selected_agent_id IS 'Selected agent ID';
 COMMENT ON COLUMN nexent.ag_agent_relation_t.parent_agent_id IS 'Parent agent ID';
 COMMENT ON COLUMN nexent.ag_agent_relation_t.tenant_id IS 'Tenant ID';
+COMMENT ON COLUMN nexent.ag_agent_relation_t.version_no IS 'Version number. 0 = draft/editing state, >=1 = published snapshot';
 COMMENT ON COLUMN nexent.ag_agent_relation_t.create_time IS 'Creation time, audit field';
 COMMENT ON COLUMN nexent.ag_agent_relation_t.update_time IS 'Update time, audit field';
 COMMENT ON COLUMN nexent.ag_agent_relation_t.created_by IS 'Creator ID, audit field';
@@ -782,14 +793,7 @@ COMMENT ON COLUMN nexent.tenant_group_user_t.created_by IS 'Created by';
 COMMENT ON COLUMN nexent.tenant_group_user_t.updated_by IS 'Updated by';
 COMMENT ON COLUMN nexent.tenant_group_user_t.delete_flag IS 'Delete flag, Y/N';
 
--- 5. Add fields to user_tenant_t table
-ALTER TABLE nexent.user_tenant_t
-ADD COLUMN IF NOT EXISTS user_role VARCHAR(30);
-
--- Add comments for new fields in user_tenant_t table
-COMMENT ON COLUMN nexent.user_tenant_t.user_role IS 'User role: SU, ADMIN, DEV, USER';
-
--- 6. Create role_permission_t table for role permissions
+-- 5. Create role_permission_t table for role permissions
 CREATE TABLE IF NOT EXISTS nexent.role_permission_t (
     role_permission_id SERIAL PRIMARY KEY,
     user_role VARCHAR(30) NOT NULL,
@@ -806,225 +810,238 @@ COMMENT ON COLUMN nexent.role_permission_t.permission_category IS 'Permission ca
 COMMENT ON COLUMN nexent.role_permission_t.permission_type IS 'Permission type';
 COMMENT ON COLUMN nexent.role_permission_t.permission_subtype IS 'Permission subtype';
 
--- Add primary key constraint for role_permission_t table
-ALTER TABLE nexent.role_permission_t ADD CONSTRAINT role_permission_t_pkey PRIMARY KEY (role_permission_id);
-
+-- 6. Insert role permission data after clearing old data
+DELETE FROM nexent.role_permission_t;
 
--- Insert role permission data with conflict handling
 INSERT INTO nexent.role_permission_t (role_permission_id, user_role, permission_category, permission_type, permission_subtype) VALUES
 (1, 'SU', 'VISIBILITY', 'LEFT_NAV_MENU', '/'),
-(2, 'SU', 'VISIBILITY', 'LEFT_NAV_MENU', '/space'),
-(3, 'SU', 'VISIBILITY', 'LEFT_NAV_MENU', '/knowledges'),
-(4, 'SU', 'VISIBILITY', 'LEFT_NAV_MENU', '/mcp-tools'),
-(5, 'SU', 'VISIBILITY', 'LEFT_NAV_MENU', '/monitoring'),
-(6, 'SU', 'VISIBILITY', 'LEFT_NAV_MENU', '/models'),
-(7, 'SU', 'VISIBILITY', 'LEFT_NAV_MENU', '/memory'),
-(8, 'SU', 'VISIBILITY', 'LEFT_NAV_MENU', '/users'),
-(9, 'SU', 'RESOURCE', 'AGENT', 'READ'),
-(10, 'SU', 'RESOURCE', 'AGENT', 'DELETE'),
-(11, 'SU', 'RESOURCE', 'KB', 'READ'),
-(12, 'SU', 'RESOURCE', 'KB', 'DELETE'),
-(13, 'SU', 'RESOURCE', 'KB.GROUPS', 'READ'),
-(14, 'SU', 'RESOURCE', 'KB.GROUPS', 'UPDATE'),
-(15, 'SU', 'RESOURCE', 'KB.GROUPS', 'DELETE'),
-(16, 'SU', 'RESOURCE', 'USER.ROLE', 'READ'),
-(17, 'SU', 'RESOURCE', 'USER.ROLE', 'UPDATE'),
-(18, 'SU', 'RESOURCE', 'USER.ROLE', 'DELETE'),
-(19, 'SU', 'RESOURCE', 'MCP', 'READ'),
-(20, 'SU', 'RESOURCE', 'MCP', 'DELETE'),
-(21, 'SU', 'RESOURCE', 'MEM.SETTING', 'READ'),
-(22, 'SU', 'RESOURCE', 'MEM.SETTING', 'UPDATE'),
-(23, 'SU', 'RESOURCE', 'MEM.AGENT', 'READ'),
-(24, 'SU', 'RESOURCE', 'MEM.AGENT', 'DELETE'),
-(25, 'SU', 'RESOURCE', 'MEM.PRIVATE', 'READ'),
-(26, 'SU', 'RESOURCE', 'MEM.PRIVATE', 'DELETE'),
-(27, 'SU', 'RESOURCE', 'MODEL', 'CREATE'),
-(28, 'SU', 'RESOURCE', 'MODEL', 'READ'),
-(29, 'SU', 'RESOURCE', 'MODEL', 'UPDATE'),
-(30, 'SU', 'RESOURCE', 'MODEL', 'DELETE'),
-(31, 'SU', 'RESOURCE', 'TENANT', 'CREATE'),
-(32, 'SU', 'RESOURCE', 'TENANT', 'READ'),
-(33, 'SU', 'RESOURCE', 'TENANT', 'UPDATE'),
-(34, 'SU', 'RESOURCE', 'TENANT', 'DELETE'),
-(35, 'SU', 'RESOURCE', 'TENANT.INFO', 'READ'),
-(36, 'SU', 'RESOURCE', 'TENANT.INFO', 'UPDATE'),
-(37, 'SU', 'RESOURCE', 'TENANT.INVITE', 'CREATE'),
-(38, 'SU', 'RESOURCE', 'TENANT.INVITE', 'READ'),
-(39, 'SU', 'RESOURCE', 'TENANT.INVITE', 'UPDATE'),
-(40, 'SU', 'RESOURCE', 'TENANT.INVITE', 'DELETE'),
-(41, 'SU', 'RESOURCE', 'GROUP', 'CREATE'),
-(42, 'SU', 'RESOURCE', 'GROUP', 'READ'),
-(43, 'SU', 'RESOURCE', 'GROUP', 'UPDATE'),
-(44, 'SU', 'RESOURCE', 'GROUP', 'DELETE'),
-(45, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/'),
-(46, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/chat'),
-(47, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/setup'),
-(48, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/space'),
-(49, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/market'),
-(50, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/agents'),
-(51, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/knowledges'),
-(52, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/mcp-tools'),
-(53, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/monitoring'),
-(54, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/models'),
-(55, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/memory'),
-(56, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/users'),
-(57, 'ADMIN', 'RESOURCE', 'AGENT', 'CREATE'),
-(58, 'ADMIN', 'RESOURCE', 'AGENT', 'READ'),
-(59, 'ADMIN', 'RESOURCE', 'AGENT', 'UPDATE'),
-(60, 'ADMIN', 'RESOURCE', 'AGENT', 'DELETE'),
-(61, 'ADMIN', 'RESOURCE', 'KB', 'CREATE'),
-(62, 'ADMIN', 'RESOURCE', 'KB', 'READ'),
-(63, 'ADMIN', 'RESOURCE', 'KB', 'UPDATE'),
-(64, 'ADMIN', 'RESOURCE', 'KB', 'DELETE'),
-(65, 'ADMIN', 'RESOURCE', 'KB.GROUPS', 'READ'),
-(66, 'ADMIN', 'RESOURCE', 'KB.GROUPS', 'UPDATE'),
-(67, 'ADMIN', 'RESOURCE', 'KB.GROUPS', 'DELETE'),
-(68, 'ADMIN', 'RESOURCE', 'USER.ROLE', 'READ'),
-(69, 'ADMIN', 'RESOURCE', 'MCP', 'CREATE'),
-(70, 'ADMIN', 'RESOURCE', 'MCP', 'READ'),
-(71, 'ADMIN', 'RESOURCE', 'MCP', 'UPDATE'),
-(72, 'ADMIN', 'RESOURCE', 'MCP', 'DELETE'),
-(73, 'ADMIN', 'RESOURCE', 'MEM.SETTING', 'READ'),
-(74, 'ADMIN', 'RESOURCE', 'MEM.SETTING', 'UPDATE'),
-(75, 'ADMIN', 'RESOURCE', 'MEM.AGENT', 'CREATE'),
-(76, 'ADMIN', 'RESOURCE', 'MEM.AGENT', 'READ'),
-(77, 'ADMIN', 'RESOURCE', 'MEM.AGENT', 'DELETE'),
-(78, 'ADMIN', 'RESOURCE', 'MEM.PRIVATE', 'CREATE'),
-(79, 'ADMIN', 'RESOURCE', 'MEM.PRIVATE', 'READ'),
-(80, 'ADMIN', 'RESOURCE', 'MEM.PRIVATE', 'DELETE'),
-(81, 'ADMIN', 'RESOURCE', 'MODEL', 'CREATE'),
-(82, 'ADMIN', 'RESOURCE', 'MODEL', 'READ'),
-(83, 'ADMIN', 'RESOURCE', 'MODEL', 'UPDATE'),
-(84, 'ADMIN', 'RESOURCE', 'MODEL', 'DELETE'),
-(85, 'ADMIN', 'RESOURCE', 'TENANT.INFO', 'READ'),
-(86, 'ADMIN', 'RESOURCE', 'TENANT.INFO', 'UPDATE'),
-(87, 'ADMIN', 'RESOURCE', 'TENANT.INVITE', 'CREATE'),
-(88, 'ADMIN', 'RESOURCE', 'TENANT.INVITE', 'READ'),
-(89, 'ADMIN', 'RESOURCE', 'TENANT.INVITE', 'UPDATE'),
-(90, 'ADMIN', 'RESOURCE', 'TENANT.INVITE', 'DELETE'),
-(91, 'ADMIN', 'RESOURCE', 'GROUP', 'CREATE'),
-(92, 'ADMIN', 'RESOURCE', 'GROUP', 'READ'),
-(93, 'ADMIN', 'RESOURCE', 'GROUP', 'UPDATE'),
-(94, 'ADMIN', 'RESOURCE', 'GROUP', 'DELETE'),
-(95, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/'),
-(96, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/chat'),
-(97, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/setup'),
-(98, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/space'),
-(99, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/market'),
-(100, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/agents'),
-(101, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/knowledges'),
-(102, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/mcp-tools'),
-(103, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/monitoring'),
-(104, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/models'),
-(105, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/memory'),
-(106, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/users'),
-(107, 'DEV', 'RESOURCE', 'AGENT', 'CREATE'),
-(108, 'DEV', 'RESOURCE', 'AGENT', 'READ'),
-(109, 'DEV', 'RESOURCE', 'AGENT', 'UPDATE'),
-(110, 'DEV', 'RESOURCE', 'AGENT', 'DELETE'),
-(111, 'DEV', 'RESOURCE', 'KB', 'CREATE'),
-(112, 'DEV', 'RESOURCE', 'KB', 'READ'),
-(113, 'DEV', 'RESOURCE', 'KB', 'UPDATE'),
-(114, 'DEV', 'RESOURCE', 'KB', 'DELETE'),
-(115, 'DEV', 'RESOURCE', 'KB.GROUPS', 'READ'),
-(116, 'DEV', 'RESOURCE', 'KB.GROUPS', 'UPDATE'),
-(117, 'DEV', 'RESOURCE', 'KB.GROUPS', 'DELETE'),
-(118, 'DEV', 'RESOURCE', 'USER.ROLE', 'READ'),
-(119, 'DEV', 'RESOURCE', 'MCP', 'CREATE'),
-(120, 'DEV', 'RESOURCE', 'MCP', 'READ'),
-(121, 'DEV', 'RESOURCE', 'MCP', 'UPDATE'),
-(122, 'DEV', 'RESOURCE', 'MCP', 'DELETE'),
-(123, 'DEV', 'RESOURCE', 'MEM.SETTING', 'READ'),
-(124, 'DEV', 'RESOURCE', 'MEM.SETTING', 'UPDATE'),
-(125, 'DEV', 'RESOURCE', 'MEM.AGENT', 'READ'),
-(126, 'DEV', 'RESOURCE', 'MEM.PRIVATE', 'CREATE'),
-(127, 'DEV', 'RESOURCE', 'MEM.PRIVATE', 'READ'),
-(128, 'DEV', 'RESOURCE', 'MEM.PRIVATE', 'DELETE'),
-(129, 'DEV', 'RESOURCE', 'MODEL', 'READ'),
-(130, 'DEV', 'RESOURCE', 'TENANT.INFO', 'READ'),
-(131, 'DEV', 'RESOURCE', 'GROUP', 'READ'),
-(132, 'USER', 'VISIBILITY', 'LEFT_NAV_MENU', '/'),
-(133, 'USER', 'VISIBILITY', 'LEFT_NAV_MENU', '/chat'),
-(134, 'USER', 'VISIBILITY', 'LEFT_NAV_MENU', '/space'),
-(135, 'USER', 'VISIBILITY', 'LEFT_NAV_MENU', '/knowledges'),
-(136, 'USER', 'VISIBILITY', 'LEFT_NAV_MENU', '/models'),
-(137, 'USER', 'VISIBILITY', 'LEFT_NAV_MENU', '/memory'),
-(138, 'USER', 'VISIBILITY', 'LEFT_NAV_MENU', '/users'),
-(139, 'USER', 'RESOURCE', 'AGENT', 'READ'),
-(140, 'USER', 'RESOURCE', 'KB', 'CREATE'),
-(141, 'USER', 'RESOURCE', 'KB', 'READ'),
-(142, 'USER', 'RESOURCE', 'KB', 'UPDATE'),
-(143, 'USER', 'RESOURCE', 'KB', 'DELETE'),
-(144, 'USER', 'RESOURCE', 'KB.GROUPS', 'READ'),
-(145, 'USER', 'RESOURCE', 'KB.GROUPS', 'UPDATE'),
-(146, 'USER', 'RESOURCE', 'KB.GROUPS', 'DELETE'),
-(147, 'USER', 'RESOURCE', 'USER.ROLE', 'READ'),
-(148, 'USER', 'RESOURCE', 'MCP', 'CREATE'),
-(149, 'USER', 'RESOURCE', 'MCP', 'READ'),
-(150, 'USER', 'RESOURCE', 'MCP', 'UPDATE'),
-(151, 'USER', 'RESOURCE', 'MCP', 'DELETE'),
-(152, 'USER', 'RESOURCE', 'MEM.SETTING', 'READ'),
-(153, 'USER', 'RESOURCE', 'MEM.SETTING', 'UPDATE'),
-(154, 'USER', 'RESOURCE', 'MEM.AGENT', 'READ'),
-(155, 'USER', 'RESOURCE', 'MEM.PRIVATE', 'CREATE'),
-(156, 'USER', 'RESOURCE', 'MEM.PRIVATE', 'READ'),
-(157, 'USER', 'RESOURCE', 'MEM.PRIVATE', 'DELETE'),
-(158, 'USER', 'RESOURCE', 'MODEL', 'READ'),
-(159, 'USER', 'RESOURCE', 'TENANT.INFO', 'READ'),
-(160, 'USER', 'RESOURCE', 'GROUP', 'READ'),
-(161, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/'),
-(162, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/chat'),
-(163, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/setup'),
-(164, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/space'),
-(165, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/market'),
-(166, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/agents'),
-(167, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/knowledges'),
-(168, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/mcp-tools'),
-(169, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/monitoring'),
-(170, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/models'),
-(171, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/memory'),
-(172, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/users'),
-(173, 'SPEED', 'RESOURCE', 'AGENT', 'CREATE'),
-(174, 'SPEED', 'RESOURCE', 'AGENT', 'READ'),
-(175, 'SPEED', 'RESOURCE', 'AGENT', 'UPDATE'),
-(176, 'SPEED', 'RESOURCE', 'AGENT', 'DELETE'),
-(177, 'SPEED', 'RESOURCE', 'KB', 'CREATE'),
-(178, 'SPEED', 'RESOURCE', 'KB', 'READ'),
-(179, 'SPEED', 'RESOURCE', 'KB', 'UPDATE'),
-(180, 'SPEED', 'RESOURCE', 'KB', 'DELETE'),
-(181, 'SPEED', 'RESOURCE', 'KB.GROUPS', 'READ'),
-(182, 'SPEED', 'RESOURCE', 'KB.GROUPS', 'UPDATE'),
-(183, 'SPEED', 'RESOURCE', 'KB.GROUPS', 'DELETE'),
-(184, 'SPEED', 'RESOURCE', 'USER.ROLE', 'READ'),
-(185, 'SPEED', 'RESOURCE', 'MCP', 'CREATE'),
-(186, 'SPEED', 'RESOURCE', 'MCP', 'READ'),
-(187, 'SPEED', 'RESOURCE', 'MCP', 'UPDATE'),
-(188, 'SPEED', 'RESOURCE', 'MCP', 'DELETE'),
-(189, 'SPEED', 'RESOURCE', 'MEM.SETTING', 'READ'),
-(190, 'SPEED', 'RESOURCE', 'MEM.SETTING', 'UPDATE'),
-(191, 'SPEED', 'RESOURCE', 'MEM.AGENT', 'CREATE'),
-(192, 'SPEED', 'RESOURCE', 'MEM.AGENT', 'READ'),
-(193, 'SPEED', 'RESOURCE', 'MEM.AGENT', 'DELETE'),
-(194, 'SPEED', 'RESOURCE', 'MEM.PRIVATE', 'CREATE'),
-(195, 'SPEED', 'RESOURCE', 'MEM.PRIVATE', 'READ'),
-(196, 'SPEED', 'RESOURCE', 'MEM.PRIVATE', 'DELETE'),
-(197, 'SPEED', 'RESOURCE', 'MODEL', 'CREATE'),
-(198, 'SPEED', 'RESOURCE', 'MODEL', 'READ'),
-(199, 'SPEED', 'RESOURCE', 'MODEL', 'UPDATE'),
-(200, 'SPEED', 'RESOURCE', 'MODEL', 'DELETE'),
-(201, 'SPEED', 'RESOURCE', 'TENANT.INFO', 'READ'),
-(202, 'SPEED', 'RESOURCE', 'TENANT.INFO', 'UPDATE'),
-(203, 'SPEED', 'RESOURCE', 'TENANT.INVITE', 'CREATE'),
-(204, 'SPEED', 'RESOURCE', 'TENANT.INVITE', 'READ'),
-(205, 'SPEED', 'RESOURCE', 'TENANT.INVITE', 'UPDATE'),
-(206, 'SPEED', 'RESOURCE', 'TENANT.INVITE', 'DELETE'),
-(207, 'SPEED', 'RESOURCE', 'GROUP', 'CREATE'),
-(208, 'SPEED', 'RESOURCE', 'GROUP', 'READ'),
-(209, 'SPEED', 'RESOURCE', 'GROUP', 'UPDATE'),
-(210, 'SPEED', 'RESOURCE', 'GROUP', 'DELETE')
-ON CONFLICT (role_permission_id) DO NOTHING;
+(2, 'SU', 'VISIBILITY', 'LEFT_NAV_MENU', '/monitoring'),
+(3, 'SU', 'VISIBILITY', 'LEFT_NAV_MENU', '/tenant-resources'),
+(4, 'SU', 'RESOURCE', 'AGENT', 'READ'),
+(5, 'SU', 'RESOURCE', 'AGENT', 'DELETE'),
+(6, 'SU', 'RESOURCE', 'KB', 'READ'),
+(7, 'SU', 'RESOURCE', 'KB', 'DELETE'),
+(8, 'SU', 'RESOURCE', 'KB.GROUPS', 'READ'),
+(9, 'SU', 'RESOURCE', 'KB.GROUPS', 'UPDATE'),
+(10, 'SU', 'RESOURCE', 'KB.GROUPS', 'DELETE'),
+(11, 'SU', 'RESOURCE', 'USER.ROLE', 'READ'),
+(12, 'SU', 'RESOURCE', 'USER.ROLE', 'UPDATE'),
+(13, 'SU', 'RESOURCE', 'USER.ROLE', 'DELETE'),
+(14, 'SU', 'RESOURCE', 'MCP', 'READ'),
+(15, 'SU', 'RESOURCE', 'MCP', 'DELETE'),
+(16, 'SU', 'RESOURCE', 'MEM.SETTING', 'READ'),
+(17, 'SU', 'RESOURCE', 'MEM.SETTING', 'UPDATE'),
+(18, 'SU', 'RESOURCE', 'MEM.AGENT', 'READ'),
+(19, 'SU', 'RESOURCE', 'MEM.AGENT', 'DELETE'),
+(20, 'SU', 'RESOURCE', 'MEM.PRIVATE', 'READ'),
+(21, 'SU', 'RESOURCE', 'MEM.PRIVATE', 'DELETE'),
+(22, 'SU', 'RESOURCE', 'MODEL', 'CREATE'),
+(23, 'SU', 'RESOURCE', 'MODEL', 'READ'),
+(24, 'SU', 'RESOURCE', 'MODEL', 'UPDATE'),
+(25, 'SU', 'RESOURCE', 'MODEL', 'DELETE'),
+(26, 'SU', 'RESOURCE', 'TENANT', 'CREATE'),
+(27, 'SU', 'RESOURCE', 'TENANT', 'READ'),
+(28, 'SU', 'RESOURCE', 'TENANT', 'UPDATE'),
+(29, 'SU', 'RESOURCE', 'TENANT', 'DELETE'),
+(30, 'SU', 'RESOURCE', 'TENANT.LIST', 'READ'),
+(31, 'SU', 'RESOURCE', 'TENANT.INFO', 'READ'),
+(32, 'SU', 'RESOURCE', 'TENANT.INFO', 'UPDATE'),
+(33, 'SU', 'RESOURCE', 'TENANT.INVITE', 'CREATE'),
+(34, 'SU', 'RESOURCE', 'TENANT.INVITE', 'READ'),
+(35, 'SU', 'RESOURCE', 'TENANT.INVITE', 'UPDATE'),
+(36, 'SU', 'RESOURCE', 'TENANT.INVITE', 'DELETE'),
+(37, 'SU', 'RESOURCE', 'GROUP', 'CREATE'),
+(38, 'SU', 'RESOURCE', 'GROUP', 'READ'),
+(39, 'SU', 'RESOURCE', 'GROUP', 'UPDATE'),
+(40, 'SU', 'RESOURCE', 'GROUP', 'DELETE'),
+(41, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/'),
+(42, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/chat'),
+(43, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/setup'),
+(44, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/space'),
+(45, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/market'),
+(46, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/agents'),
+(47, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/knowledges'),
+(48, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/mcp-tools'),
+(49, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/monitoring'),
+(50, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/models'),
+(51, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/memory'),
+(52, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/users'),
+(53, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/tenant-resources'),
+(54, 'ADMIN', 'RESOURCE', 'AGENT', 'CREATE'),
+(55, 'ADMIN', 'RESOURCE', 'AGENT', 'READ'),
+(56, 'ADMIN', 'RESOURCE', 'AGENT', 'UPDATE'),
+(57, 'ADMIN', 'RESOURCE', 'AGENT', 'DELETE'),
+(58, 'ADMIN', 'RESOURCE', 'KB', 'CREATE'),
+(59, 'ADMIN', 'RESOURCE', 'KB', 'READ'),
+(60, 'ADMIN', 'RESOURCE', 'KB', 'UPDATE'),
+(61, 'ADMIN', 'RESOURCE', 'KB', 'DELETE'),
+(62, 'ADMIN', 'RESOURCE', 'KB.GROUPS', 'READ'),
+(63, 'ADMIN', 'RESOURCE', 'KB.GROUPS', 'UPDATE'),
+(64, 'ADMIN', 'RESOURCE', 'KB.GROUPS', 'DELETE'),
+(65, 'ADMIN', 'RESOURCE', 'USER.ROLE', 'READ'),
+(66, 'ADMIN', 'RESOURCE', 'MCP', 'CREATE'),
+(67, 'ADMIN', 'RESOURCE', 'MCP', 'READ'),
+(68, 'ADMIN', 'RESOURCE', 'MCP', 'UPDATE'),
+(69, 'ADMIN', 'RESOURCE', 'MCP', 'DELETE'),
+(70, 'ADMIN', 'RESOURCE', 'MEM.SETTING', 'READ'),
+(71, 'ADMIN', 'RESOURCE', 'MEM.SETTING', 'UPDATE'),
+(72, 'ADMIN', 'RESOURCE', 'MEM.AGENT', 'CREATE'),
+(73, 'ADMIN', 'RESOURCE', 'MEM.AGENT', 'READ'),
+(74, 'ADMIN', 'RESOURCE', 'MEM.AGENT', 'DELETE'),
+(75, 'ADMIN', 'RESOURCE', 'MEM.PRIVATE', 'CREATE'),
+(76, 'ADMIN', 'RESOURCE', 'MEM.PRIVATE', 'READ'),
+(77, 'ADMIN', 'RESOURCE', 'MEM.PRIVATE', 'DELETE'),
+(78, 'ADMIN', 'RESOURCE', 'MODEL', 'CREATE'),
+(79, 'ADMIN', 'RESOURCE', 'MODEL', 'READ'),
+(80, 'ADMIN', 'RESOURCE', 'MODEL', 'UPDATE'),
+(81, 'ADMIN', 'RESOURCE', 'MODEL', 'DELETE'),
+(82, 'ADMIN', 'RESOURCE', 'TENANT.INFO', 'READ'),
+(83, 'ADMIN', 'RESOURCE', 'TENANT.INFO', 'UPDATE'),
+(84, 'ADMIN', 'RESOURCE', 'TENANT.INVITE', 'CREATE'),
+(85, 'ADMIN', 'RESOURCE', 'TENANT.INVITE', 'READ'),
+(86, 'ADMIN', 'RESOURCE', 'TENANT.INVITE', 'UPDATE'),
+(87, 'ADMIN', 'RESOURCE', 'TENANT.INVITE', 'DELETE'),
+(88, 'ADMIN', 'RESOURCE', 'GROUP', 'CREATE'),
+(89, 'ADMIN', 'RESOURCE', 'GROUP', 'READ'),
+(90, 'ADMIN', 'RESOURCE', 'GROUP', 'UPDATE'),
+(91, 'ADMIN', 'RESOURCE', 'GROUP', 'DELETE'),
+(92, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/'),
+(93, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/chat'),
+(94, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/setup'),
+(95, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/space'),
+(96, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/market'),
+(97, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/agents'),
+(98, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/knowledges'),
+(99, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/mcp-tools'),
+(100, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/monitoring'),
+(101, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/models'),
+(102, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/memory'),
+(103, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/users'),
+(104, 'DEV', 'RESOURCE', 'AGENT', 'CREATE'),
+(105, 'DEV', 'RESOURCE', 'AGENT', 'READ'),
+(106, 'DEV', 'RESOURCE', 'AGENT', 'UPDATE'),
+(107, 'DEV', 'RESOURCE', 'AGENT', 'DELETE'),
+(108, 'DEV', 'RESOURCE', 'KB', 'CREATE'),
+(109, 'DEV', 'RESOURCE', 'KB', 'READ'),
+(110, 'DEV', 'RESOURCE', 'KB', 'UPDATE'),
+(111, 'DEV', 'RESOURCE', 'KB', 'DELETE'),
+(112, 'DEV', 'RESOURCE', 'KB.GROUPS', 'READ'),
+(113, 'DEV', 'RESOURCE', 'KB.GROUPS', 'UPDATE'),
+(114, 'DEV', 'RESOURCE', 'KB.GROUPS', 'DELETE'),
+(115, 'DEV', 'RESOURCE', 'USER.ROLE', 'READ'),
+(116, 'DEV', 'RESOURCE', 'MCP', 'CREATE'),
+(117, 'DEV', 'RESOURCE', 'MCP', 'READ'),
+(118, 'DEV', 'RESOURCE', 'MCP', 'UPDATE'),
+(119, 'DEV', 'RESOURCE', 'MCP', 'DELETE'),
+(120, 'DEV', 'RESOURCE', 'MEM.SETTING', 'READ'),
+(121, 'DEV', 'RESOURCE', 'MEM.SETTING', 'UPDATE'),
+(122, 'DEV', 'RESOURCE', 'MEM.AGENT', 'READ'),
+(123, 'DEV', 'RESOURCE', 'MEM.PRIVATE', 'CREATE'),
+(124, 'DEV', 'RESOURCE', 'MEM.PRIVATE', 'READ'),
+(125, 'DEV', 'RESOURCE', 'MEM.PRIVATE', 'DELETE'),
+(126, 'DEV', 'RESOURCE', 'MODEL', 'READ'),
+(127, 'DEV', 'RESOURCE', 'TENANT.INFO', 'READ'),
+(128, 'DEV', 'RESOURCE', 'GROUP', 'READ'),
+(129, 'USER', 'VISIBILITY', 'LEFT_NAV_MENU', '/'),
+(130, 'USER', 'VISIBILITY', 'LEFT_NAV_MENU', '/chat'),
+(131, 'USER', 'VISIBILITY', 'LEFT_NAV_MENU', '/memory'),
+(132, 'USER', 'VISIBILITY', 'LEFT_NAV_MENU', '/users'),
+(133, 'USER', 'RESOURCE', 'AGENT', 'READ'),
+(134, 'USER', 'RESOURCE', 'USER.ROLE', 'READ'),
+(135, 'USER', 'RESOURCE', 'MEM.SETTING', 'READ'),
+(136, 'USER', 'RESOURCE', 'MEM.SETTING', 'UPDATE'),
+(137, 'USER', 'RESOURCE', 'MEM.AGENT', 'READ'),
+(138, 'USER', 'RESOURCE', 'MEM.PRIVATE', 'CREATE'),
+(139, 'USER', 'RESOURCE', 'MEM.PRIVATE', 'READ'),
+(140, 'USER', 'RESOURCE', 'MEM.PRIVATE', 'DELETE'),
+(141, 'USER', 'RESOURCE', 'TENANT.INFO', 'READ'),
+(142, 'USER', 'RESOURCE', 'GROUP', 'READ'),
+(143, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/'),
+(144, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/chat'),
+(145, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/setup'),
+(146, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/space'),
+(147, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/market'),
+(148, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/agents'),
+(149, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/knowledges'),
+(150, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/mcp-tools'),
+(151, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/monitoring'),
+(152, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/models'),
+(153, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/memory'),
+(154, 'SPEED', 'RESOURCE', 'AGENT', 'CREATE'),
+(155, 'SPEED', 'RESOURCE', 'AGENT', 'READ'),
+(156, 'SPEED', 'RESOURCE', 'AGENT', 'UPDATE'),
+(157, 'SPEED', 'RESOURCE', 'AGENT', 'DELETE'),
+(158, 'SPEED', 'RESOURCE', 'KB', 'CREATE'),
+(159, 'SPEED', 'RESOURCE', 'KB', 'READ'),
+(160, 'SPEED', 'RESOURCE', 'KB', 'UPDATE'),
+(161, 'SPEED', 'RESOURCE', 'KB', 'DELETE'),
+(166, 'SPEED', 'RESOURCE', 'MCP', 'CREATE'),
+(167, 'SPEED', 'RESOURCE', 'MCP', 'READ'),
+(168, 'SPEED', 'RESOURCE', 'MCP', 'UPDATE'),
+(169, 'SPEED', 'RESOURCE', 'MCP', 'DELETE'),
+(170, 'SPEED', 'RESOURCE', 'MEM.SETTING', 'READ'),
+(171, 'SPEED', 'RESOURCE', 'MEM.SETTING', 'UPDATE'),
+(172, 'SPEED', 'RESOURCE', 'MEM.AGENT', 'CREATE'),
+(173, 'SPEED', 'RESOURCE', 'MEM.AGENT', 'READ'),
+(174, 'SPEED', 'RESOURCE', 'MEM.AGENT', 'DELETE'),
+(175, 'SPEED', 'RESOURCE', 'MEM.PRIVATE', 'CREATE'),
+(176, 'SPEED', 'RESOURCE', 'MEM.PRIVATE', 'READ'),
+(177, 'SPEED', 'RESOURCE', 'MEM.PRIVATE', 'DELETE'),
+(178, 'SPEED', 'RESOURCE', 'MODEL', 'CREATE'),
+(179, 'SPEED', 'RESOURCE', 'MODEL', 'READ'),
+(180, 'SPEED', 'RESOURCE', 'MODEL', 'UPDATE'),
+(181, 'SPEED', 'RESOURCE', 'MODEL', 'DELETE'),
+(182, 'SPEED', 'RESOURCE', 'TENANT.INFO', 'READ'),
+(183, 'SPEED', 'RESOURCE', 'TENANT.INFO', 'UPDATE'),
+(184, 'SPEED', 'RESOURCE', 'TENANT.INVITE', 'CREATE'),
+(185, 'SPEED', 'RESOURCE', 'TENANT.INVITE', 'READ'),
+(186, 'SPEED', 'RESOURCE', 'TENANT.INVITE', 'UPDATE'),
+(187, 'SPEED', 'RESOURCE', 'TENANT.INVITE', 'DELETE'),
 
 -- Insert SPEED role user into user_tenant_t table if not exists
 INSERT INTO nexent.user_tenant_t (user_id, tenant_id, user_role, user_email, created_by, updated_by)
-VALUES ('user_id', 'tenant_id', 'SPEED', NULL, 'system', 'system')
+VALUES ('user_id', 'tenant_id', 'SPEED', '', 'system', 'system')
 ON CONFLICT (user_id, tenant_id) DO NOTHING;
+
+-- Create the ag_tenant_agent_version_t table for agent version management
+CREATE TABLE IF NOT EXISTS nexent.ag_tenant_agent_version_t (
+    id BIGSERIAL PRIMARY KEY,
+    tenant_id VARCHAR(100) NOT NULL,
+    agent_id INTEGER NOT NULL,
+    version_no INTEGER NOT NULL,
+    version_name VARCHAR(100),
+    release_note TEXT,
+    source_version_no INTEGER NULL,
+    source_type VARCHAR(30) NULL,
+    status VARCHAR(30) DEFAULT 'RELEASED',
+    created_by VARCHAR(100) NOT NULL,
+    create_time TIMESTAMP(6) DEFAULT CURRENT_TIMESTAMP,
+    updated_by VARCHAR(100),
+    update_time TIMESTAMP(6) DEFAULT CURRENT_TIMESTAMP,
+    delete_flag VARCHAR(1) DEFAULT 'N'
+);
+
+ALTER TABLE nexent.ag_tenant_agent_version_t OWNER TO "root";
+
+-- Add comments for version fields in existing tables
+COMMENT ON COLUMN nexent.ag_tenant_agent_t.version_no IS 'Version number. 0 = draft/editing state, >=1 = published snapshot';
+COMMENT ON COLUMN nexent.ag_tenant_agent_t.current_version_no IS 'Current published version number. NULL means no version published yet';
+COMMENT ON COLUMN nexent.ag_tool_instance_t.version_no IS 'Version number. 0 = draft/editing state, >=1 = published snapshot';
+COMMENT ON COLUMN nexent.ag_agent_relation_t.version_no IS 'Version number. 0 = draft/editing state, >=1 = published snapshot';
+
+-- Add comments for ag_tenant_agent_version_t table
+COMMENT ON TABLE nexent.ag_tenant_agent_version_t IS 'Agent version metadata table. Stores version info, release notes, and version lineage.';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.id IS 'Primary key, auto-increment';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.tenant_id IS 'Tenant ID';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.agent_id IS 'Agent ID';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.version_no IS 'Version number, starts from 1. Does not include 0 (draft)';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.version_name IS 'User-defined version name for display (e.g., "Stable v2.1", "Hotfix-001"). NULL means use version_no as display.';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.release_note IS 'Release notes / publish remarks';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.source_version_no IS 'Source version number. If this version is a rollback, record the source version number.';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.source_type IS 'Source type: NORMAL (normal publish) / ROLLBACK (rollback and republish).';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.status IS 'Version status: RELEASED / DISABLED / ARCHIVED';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.created_by IS 'User who published this version';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.create_time IS 'Version creation timestamp';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.updated_by IS 'Last user who updated this version';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.update_time IS 'Last update timestamp';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.delete_flag IS 'Soft delete flag: Y/N';
diff --git a/docker/scripts/sync_user_supabase2pg.py b/docker/scripts/sync_user_supabase2pg.py
new file mode 100644
index 000000000..43c3b2e15
--- /dev/null
+++ b/docker/scripts/sync_user_supabase2pg.py
@@ -0,0 +1,585 @@
+#!/usr/bin/env python3
+"""
+Update user data script for v1.8.0 upgrade.
+This script updates user_email and user_role in the user_tenant_t table.
+
+Usage (run inside nexent-config container):
+    python sync_user_supabase2pg.py [--dry-run]
+
+Options:
+    --dry-run: Show what would be updated without making changes
+    --verbose: Enable verbose debug output
+
+Environment variables are loaded from Docker container environment.
+"""
+
+import os
+import sys
+import argparse
+import logging
+import requests
+
+# Setup logging
+logging.basicConfig(
+    level=logging.INFO,
+    format='%(asctime)s - %(levelname)s - %(message)s'
+)
+logger = logging.getLogger(__name__)
+
+# Constants
+DEFAULT_TENANT_ID = "tenant_id"
+DEFAULT_USER_ID = "user_id"
+LEGACY_ADMIN_EMAIL = "nexent@example.com"
+
+
+def check_docker_containers():
+    """Check if required Docker containers are running"""
+    try:
+        import subprocess
+        result = subprocess.run(
+            ['docker', 'ps', '--format', '{{.Names}}'],
+            capture_output=True,
+            text=True,
+            timeout=10
+        )
+
+        if result.returncode == 0:
+            containers = result.stdout.strip().split('\n')
+            logger.info(f"Running containers: {containers}")
+
+            required_containers = ['nexent-postgresql']
+            missing = [c for c in required_containers if c not in containers]
+
+            if missing:
+                logger.warning(f"Missing required containers: {missing}")
+                logger.info("Please ensure Docker containers are running with: docker compose up -d")
+                return False
+
+            return True
+        else:
+            logger.warning("Could not query Docker containers")
+            return None
+    except FileNotFoundError:
+        logger.warning("Docker not available on this system")
+        return None
+    except Exception as e:
+        logger.warning(f"Error checking Docker containers: {e}")
+        return None
+
+
+def test_connection_with_psql(conn_params):
+    """Test connection using psql command if available"""
+    try:
+        import subprocess
+
+        password = conn_params.get('password', '')
+        env = os.environ.copy()
+
+        cmd = [
+            'psql',
+            '-h', conn_params.get('host', 'localhost'),
+            '-p', str(conn_params.get('port', 5434)),
+            '-U', conn_params.get('user', 'nexent'),
+            '-d', conn_params.get('database', 'nexent'),
+            '-c', 'SELECT 1;'
+        ]
+
+        if password:
+            env['PGPASSWORD'] = password
+
+        result = subprocess.run(
+            cmd,
+            capture_output=True,
+            text=True,
+            timeout=10,
+            env=env
+        )
+
+        if result.returncode == 0:
+            logger.info("psql connection test: SUCCESS")
+            return True
+        else:
+            logger.warning(f"psql connection test failed: {result.stderr}")
+            return False
+    except FileNotFoundError:
+        logger.debug("psql not available, skipping command-line test")
+        return None
+    except Exception as e:
+        logger.debug(f"psql test error: {e}")
+        return None
+
+
+def load_environment_from_container():
+    """
+    Validate and display environment variables from container environment.
+    Environment variables are already set by Docker via env_file directive.
+    """
+    required_vars = [
+        'POSTGRES_DB',
+        'POSTGRES_USER',
+        'NEXENT_POSTGRES_PASSWORD',
+        'POSTGRES_HOST',
+        'POSTGRES_PORT',
+        'SERVICE_ROLE_KEY'
+    ]
+
+    missing = [var for var in required_vars if not os.getenv(var)]
+    if missing:
+        logger.error(f"Missing required environment variables: {missing}")
+        return False
+
+    logger.info("Environment variables loaded from container")
+    return True
+
+
+def get_postgres_connection_params():
+    """Get PostgreSQL connection parameters from environment"""
+    # Validate environment variables are set
+    load_environment_from_container()
+
+    # Default port for docker-compose is 5434
+    params = {
+        'host': os.getenv('POSTGRES_HOST', '127.0.0.1'),
+        'port': os.getenv('POSTGRES_PORT', '5434'),
+        'database': os.getenv('POSTGRES_DB', 'nexent'),
+        'user': os.getenv('POSTGRES_USER', 'nexent'),
+        'password': os.getenv('NEXENT_POSTGRES_PASSWORD', '')
+    }
+
+    logger.info("Database connection parameters:")
+    logger.info(f"  Host: {params['host']}")
+    logger.info(f"  Port: {params['port']}")
+    logger.info(f"  Database: {params['database']}")
+    logger.info(f"  User: {params['user']}")
+    logger.info(f"  Password: {'*' * len(params['password']) if params['password'] else '(empty)'}")
+
+    return params
+
+
+def get_supabase_params():
+    """Get Supabase connection parameters from environment"""
+    service_role_key = os.getenv('SERVICE_ROLE_KEY', '')
+    service_role_key = service_role_key.strip('"').strip("'")
+
+    supabase_url = os.getenv('SUPABASE_URL', 'http://127.0.0.1:8000')
+
+    params = {
+        'url': supabase_url,
+        'key': service_role_key
+    }
+
+    if not params['key']:
+        logger.warning("SERVICE_ROLE_KEY is not set")
+
+    return params
+
+
+def get_db_connection(conn_params):
+    """Get database connection"""
+    import psycopg2
+    try:
+        # First test basic connectivity
+        logger.info(f"Attempting to connect to PostgreSQL at {conn_params.get('host')}:{conn_params.get('port')}...")
+        conn = psycopg2.connect(**conn_params)
+        logger.info("Database connection established successfully")
+        return conn
+    except psycopg2.OperationalError as e:
+        logger.error(f"Database connection failed: {e}")
+        logger.error("Please check:")
+        logger.error("  1. PostgreSQL is running")
+        logger.error("  2. Host/port configuration is correct")
+        logger.error("  3. Credentials are correct")
+        logger.error("  4. Network is accessible")
+        return None
+    except Exception as e:
+        logger.error(f"Unexpected database error: {e}")
+        return None
+
+
+def fetch_all_user_tenant_records(conn):
+    """Fetch all user_tenant records from database"""
+    try:
+        cursor = conn.cursor()
+        query = """
+                SELECT user_id, tenant_id, user_role, user_email
+                FROM nexent.user_tenant_t
+                WHERE delete_flag = 'N'
+                ORDER BY user_id \
+                """
+        cursor.execute(query)
+        records = cursor.fetchall()
+        cursor.close()
+
+        # Convert to list of dicts
+        result = []
+        for row in records:
+            result.append({
+                'user_id': row[0],
+                'tenant_id': row[1],
+                'user_role': row[2],
+                'user_email': row[3]
+            })
+
+        logger.info(f"Fetched {len(result)} user_tenant records from database")
+        return result
+    except Exception as e:
+        logger.error(f"Failed to fetch user_tenant records: {e}")
+        return []
+
+
+def get_user_email_from_supabase(user_id, supabase_url, service_role_key):
+    """
+    Get user email from Supabase by user ID using REST API.
+
+    Args:
+        user_id: The user's UUID
+        supabase_url: Supabase API URL
+        service_role_key: Service role key for admin access
+
+    Returns:
+        User's email address or None if not found
+
+    Note: SPEED system user (user_id="user_id") is virtual and doesn't exist in Supabase.
+    """
+    # Skip Supabase lookup for virtual SPEED system user
+    if user_id == DEFAULT_USER_ID:
+        logger.debug(f"User {user_id} is virtual SPEED user, skipping Supabase lookup")
+        return None
+
+    if not supabase_url or not service_role_key:
+        logger.warning("Supabase URL or service role key not configured")
+        return None
+
+    # Clean up URL (remove trailing slash)
+    supabase_url = supabase_url.rstrip('/')
+
+    try:
+        headers = {
+            'Authorization': f'Bearer {service_role_key}',
+            'apikey': service_role_key,
+            'Content-Type': 'application/json'
+        }
+
+        # Get user by ID via REST API
+        response = requests.get(
+            f'{supabase_url}/auth/v1/admin/users/{user_id}',
+            headers=headers,
+            timeout=10
+        )
+
+        if response.status_code == 200:
+            user_data = response.json()
+            email = user_data.get('email')
+            if email:
+                logger.debug(f"Fetched email for user {user_id}: {email}")
+                return email
+            else:
+                logger.warning(f"User {user_id} has no email in Supabase")
+                return None
+        elif response.status_code == 404:
+            logger.warning(f"User {user_id} not found in Supabase")
+            return None
+        elif response.status_code == 401:
+            logger.error("Unauthorized: Check your SERVICE_ROLE_KEY")
+            return None
+        else:
+            logger.warning(f"Failed to fetch user {user_id}: HTTP {response.status_code} - {response.text}")
+            return None
+
+    except requests.exceptions.ConnectionError as e:
+        logger.warning(f"Cannot connect to Supabase for user {user_id}: {e}")
+        return None
+    except requests.exceptions.Timeout as e:
+        logger.warning(f"Request timeout for user {user_id}: {e}")
+        return None
+    except Exception as e:
+        logger.warning(f"Error fetching user {user_id} from Supabase: {e}")
+        return None
+
+
+def determine_user_role(user_id, tenant_id, user_email):
+    """
+    Determine user_role based on rules:
+    1. Special case: user_id == "user_id" AND tenant_id == "tenant_id" → SPEED (default system user)
+    2. If user_id == tenant_id → ADMIN
+    3. If user_email == LEGACY_ADMIN_EMAIL → ADMIN
+    4. Otherwise → USER
+    """
+    # Rule 0: Default system user (user_id="user_id", tenant_id="tenant_id") → SPEED
+    if user_id == DEFAULT_USER_ID and tenant_id == DEFAULT_TENANT_ID:
+        return "SPEED"
+
+    # Rule 1: user_id == tenant_id → ADMIN
+    if user_id == tenant_id:
+        return "ADMIN"
+
+    # Rule 2: Special admin email → ADMIN
+    if user_email and user_email.lower() == LEGACY_ADMIN_EMAIL.lower():
+        return "ADMIN"
+
+    # Default: USER
+    return "USER"
+
+
+def update_user_record(conn, user_id, user_email, user_role):
+    """Update a single user record in database"""
+    try:
+        cursor = conn.cursor()
+        query = """
+                UPDATE nexent.user_tenant_t
+                SET user_email  = %s,
+                    user_role   = %s,
+                    updated_by  = 'system',
+                    update_time = NOW()
+                WHERE user_id = %s \
+                  AND delete_flag = 'N' \
+                """
+        cursor.execute(query, (user_email, user_role, user_id))
+        affected = cursor.rowcount
+        cursor.close()
+        conn.commit()
+        return affected > 0
+    except Exception as e:
+        logger.error(f"Failed to update user {user_id}: {e}")
+        conn.rollback()
+        return False
+
+
+def process_user_records(conn, supabase_params, records, dry_run=False):
+    """
+    Process all user records:
+    1. Fetch email from Supabase (if not already set or overwrite is True)
+    2. Determine user_role based on rules
+    3. Update database
+    """
+    supabase_url = supabase_params['url']
+    service_role_key = supabase_params['key']
+
+    results = {
+        'total': len(records),
+        'updated': 0,
+        'skipped': 0,
+        'failed': 0,
+        'details': []
+    }
+
+    for record in records:
+        user_id = record['user_id']
+        tenant_id = record['tenant_id']
+        old_email = record.get('user_email')
+        old_role = record.get('user_role')
+
+        # Get email from Supabase using REST API
+        user_email = get_user_email_from_supabase(user_id, supabase_url, service_role_key)
+
+        if not user_email:
+            # Keep existing email if no new email from Supabase
+            user_email = old_email
+            if not old_email:
+                logger.warning(f"Could not fetch email from Supabase for user {user_id}, and no existing email")
+
+        # Determine user_role
+        user_role = determine_user_role(user_id, tenant_id, user_email)
+
+        # Check if update is needed
+        email_changed = user_email != old_email
+        role_changed = user_role != old_role
+
+        if not email_changed and not role_changed:
+            results['skipped'] += 1
+            results['details'].append({
+                'user_id': user_id,
+                'status': 'skipped',
+                'reason': 'No changes needed'
+            })
+            continue
+
+        if dry_run:
+            logger.info(f"[DRY-RUN] Would update user {user_id}:")
+            logger.info(f"  Email: {old_email} -> {user_email}")
+            logger.info(f"  Role: {old_role} -> {user_role}")
+            results['updated'] += 1
+            results['details'].append({
+                'user_id': user_id,
+                'status': 'dry-run',
+                'old_email': old_email,
+                'new_email': user_email,
+                'old_role': old_role,
+                'new_role': user_role
+            })
+        else:
+            if update_user_record(conn, user_id, user_email, user_role):
+                logger.info(f"Updated user {user_id}: email={user_email}, role={user_role}")
+                results['updated'] += 1
+                results['details'].append({
+                    'user_id': user_id,
+                    'status': 'success',
+                    'old_email': old_email,
+                    'new_email': user_email,
+                    'old_role': old_role,
+                    'new_role': user_role
+                })
+            else:
+                results['failed'] += 1
+                results['details'].append({
+                    'user_id': user_id,
+                    'status': 'failed',
+                    'reason': 'Update failed'
+                })
+
+    return results
+
+
+def print_results(results):
+    """Print processing results"""
+    logger.info("=" * 60)
+    logger.info("Processing Results:")
+    logger.info(f"  Total records: {results['total']}")
+    logger.info(f"  Updated: {results['updated']}")
+    logger.info(f"  Skipped: {results['skipped']}")
+    logger.info(f"  Failed: {results['failed']}")
+    logger.info("=" * 60)
+
+    # Print details for updated records
+    if results['details']:
+        logger.info("\nUpdated/Skipped Records:")
+        for detail in results['details']:
+            if detail['status'] in ['success', 'dry-run']:
+                logger.info(f"  User {detail['user_id']}:")
+                if 'new_email' in detail:
+                    logger.info(f"    Email: {detail['old_email']} -> {detail['new_email']}")
+                if 'new_role' in detail:
+                    logger.info(f"    Role: {detail['old_role']} -> {detail['new_role']}")
+
+
+def test_supabase_connection(supabase_params):
+    """Test Supabase connection by listing users"""
+    supabase_url = supabase_params['url'].rstrip('/')
+    service_role_key = supabase_params['key']
+
+    try:
+        headers = {
+            'Authorization': f'Bearer {service_role_key}',
+            'apikey': service_role_key,
+            'Content-Type': 'application/json'
+        }
+
+        # Test by listing users (limit 1)
+        response = requests.get(
+            f'{supabase_url}/auth/v1/admin/users?page=1&per_page=1',
+            headers=headers,
+            timeout=10
+        )
+
+        if response.status_code == 200:
+            logger.info("Supabase connection test: SUCCESS")
+            return True
+        elif response.status_code == 401:
+            logger.error("Supabase connection test: FAILED (401 Unauthorized)")
+            logger.error("Please check your SERVICE_ROLE_KEY")
+            return False
+        else:
+            logger.warning(f"Supabase connection test: HTTP {response.status_code}")
+            return False
+
+    except requests.exceptions.ConnectionError as e:
+        logger.error(f"Cannot connect to Supabase: {e}")
+        return False
+    except Exception as e:
+        logger.error(f"Supabase connection test failed: {e}")
+        return False
+
+
+def main():
+    """Main function"""
+    parser = argparse.ArgumentParser(
+        description='Update user data for v2 upgrade'
+    )
+    parser.add_argument(
+        '--dry-run',
+        action='store_true',
+        help='Show what would be updated without making changes'
+    )
+    parser.add_argument(
+        '--verbose',
+        action='store_true',
+        help='Enable verbose debug output'
+    )
+    args = parser.parse_args()
+
+    if args.verbose:
+        logging.getLogger().setLevel(logging.DEBUG)
+
+    logger.info("=" * 60)
+    logger.info("User Data Update Script (v2 upgrade)")
+    logger.info("=" * 60)
+
+    if args.dry_run:
+        logger.info("Mode: DRY-RUN (no changes will be made)")
+
+    # Step 0: Check Docker containers
+    logger.info("\n[Step 0/6] Checking Docker containers...")
+    docker_status = check_docker_containers()
+    if docker_status is False:
+        logger.error("Required Docker containers are not running")
+        logger.info("Ensure nexent-postgresql container is running")
+        sys.exit(1)
+
+    # Step 1: Validate environment variables
+    logger.info("\n[Step 1/6] Loading environment variables...")
+    if not load_environment_from_container():
+        logger.error("Failed to load environment variables")
+        sys.exit(1)
+
+    # Step 2: Get Supabase parameters and test connection
+    logger.info("\n[Step 2/6] Testing Supabase connection...")
+    supabase_params = get_supabase_params()
+    if not supabase_params['url'] or not supabase_params['key']:
+        logger.error("SUPABASE_URL and SERVICE_ROLE_KEY must be set in environment")
+        sys.exit(1)
+
+    logger.info(f"  Supabase URL: {supabase_params['url']}")
+    logger.info(f"  Service Role Key: {supabase_params['key'][:20]}...{supabase_params['key'][-10:]}")
+
+    if not test_supabase_connection(supabase_params):
+        logger.error("Failed to connect to Supabase")
+        sys.exit(1)
+
+    # Step 3: Connect to database
+    logger.info("\n[Step 3/6] Connecting to PostgreSQL database...")
+    conn_params = get_postgres_connection_params()
+    conn = get_db_connection(conn_params)
+    if not conn:
+        logger.error("Failed to connect to database")
+        # Try psql as fallback
+        test_connection_with_psql(conn_params)
+        sys.exit(1)
+
+    try:
+        # Step 4: Fetch all user_tenant records
+        logger.info("\n[Step 4/6] Fetching user_tenant records...")
+        records = fetch_all_user_tenant_records(conn)
+        if not records:
+            logger.warning("No user_tenant records found")
+            return
+
+        # Step 5: Process records
+        logger.info("\n[Step 5/6] Processing records...")
+        results = process_user_records(conn, supabase_params, records, dry_run=args.dry_run)
+        print_results(results)
+
+        # Step 6: Summary
+        logger.info("\n[Step 6/6] Upgrade completed")
+
+        if args.dry_run:
+            logger.info("\nTo apply these changes, run without --dry-run flag")
+
+    finally:
+        # Close database connection
+        if conn:
+            conn.close()
+            logger.info("\nDatabase connection closed")
+
+
+if __name__ == "__main__":
+    main()
diff --git a/docker/scripts/v180_sync_user_metadata.sh b/docker/scripts/v180_sync_user_metadata.sh
new file mode 100644
index 000000000..7a89e03af
--- /dev/null
+++ b/docker/scripts/v180_sync_user_metadata.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+#
+# v1.8.0 User Metadata Sync Script
+# This script executes the user data update script inside the nexent-config container.
+#
+# Usage:
+#   ./v180_sync_user_metadata.sh [--dry-run]
+#
+# Options:
+#   --dry-run    Show what would be updated without making changes
+#
+
+set -e
+
+CONTAINER_NAME="nexent-config"
+SCRIPT_PATH="/opt/sync_user_supabase2pg.py"
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+log_info() {
+    echo -e "${GREEN}[INFO]${NC} $1"
+}
+
+log_warn() {
+    echo -e "${YELLOW}[WARN]${NC} $1"
+}
+
+log_error() {
+    echo -e "${RED}[ERROR]${NC} $1"
+}
+
+# Clear Windows Git Bash path variables that cause path resolution issues in containers
+# These variables contain Windows-style paths (e.g., C:/Program Files/Git) which break
+# container execution when inherited
+
+# Check if nexent-config container is running
+DRY_RUN=false
+for arg in "$@"; do
+    case $arg in
+        --dry-run)
+            DRY_RUN=true
+            shift
+            ;;
+        *)
+            ;;
+    esac
+done
+
+# Check if nexent-config container is running
+log_info "Checking if container '$CONTAINER_NAME' is running..."
+if ! docker ps --format '{{.Names}}' | grep -q "^${CONTAINER_NAME}$"; then
+    log_error "Container '$CONTAINER_NAME' is not running"
+    log_info "Please start the containers with: cd docker && docker compose up -d"
+    exit 1
+fi
+
+log_info "Container '$CONTAINER_NAME' is running"
+
+# Execute the script inside the container
+log_info "Executing sync script inside container..."
+
+# Use 'sh -c' wrapper to execute the command inside the container.
+# This is a workaround for Windows Git Bash's execve() argument parsing issue
+# where paths containing forward slashes get incorrectly interpreted.
+# By wrapping the command in 'sh -c', the container's shell handles argument parsing.
+if [ "$DRY_RUN" = true ]; then
+    log_info "Mode: DRY-RUN (no changes will be made)"
+    docker exec "$CONTAINER_NAME" sh -c "python $SCRIPT_PATH --dry-run"
+else
+    docker exec "$CONTAINER_NAME" sh -c "python $SCRIPT_PATH"
+fi
+
+EXIT_CODE=$?
+
+if [ $EXIT_CODE -eq 0 ]; then
+    log_info "Script executed successfully"
+else
+    log_error "Script failed with exit code: $EXIT_CODE"
+    exit $EXIT_CODE
+fi
\ No newline at end of file
diff --git a/docker/sql/v1.7.9.3_0123_add_speed_user_tenant_t.sql b/docker/sql/v1.7.9.3_0123_add_speed_user_tenant_t.sql
index 5740ec9cd..e0d5b3ce6 100644
--- a/docker/sql/v1.7.9.3_0123_add_speed_user_tenant_t.sql
+++ b/docker/sql/v1.7.9.3_0123_add_speed_user_tenant_t.sql
@@ -1,15 +1,10 @@
 -- Add user_email column to user_tenant_t table
 ALTER TABLE nexent.user_tenant_t
-ADD COLUMN user_email VARCHAR(255);
+ADD COLUMN IF NOT EXISTS user_email VARCHAR(255);
 
 -- Add comment to the new column
 COMMENT ON COLUMN nexent.user_tenant_t.user_email IS 'User email address';
 
--- Create index on user_email for faster queries (optional)
-CREATE INDEX IF NOT EXISTS idx_user_tenant_t_user_email
-ON nexent.user_tenant_t(user_email);
-
-
 INSERT INTO nexent.user_tenant_t (user_id, tenant_id, user_role, user_email, created_by, updated_by)
 VALUES ('user_id', 'tenant_id', 'SPEED', NULL, 'system', 'system')
 ON CONFLICT (user_id, tenant_id) DO NOTHING;
diff --git a/docker/sql/v1.8.0_0204_init_tenant_group.sql b/docker/sql/v1.8.0_0204_init_tenant_group.sql
new file mode 100644
index 000000000..fde946cb9
--- /dev/null
+++ b/docker/sql/v1.8.0_0204_init_tenant_group.sql
@@ -0,0 +1,76 @@
+-- Initialize tenant group and default configuration for existing tenants
+-- This migration adds default group and basic config for tenants that lack them
+-- Trigger condition: tenant has no TENANT_ID config_key in tenant_config_t
+
+DO $$
+DECLARE
+    target_tenant_id VARCHAR(100);
+    new_group_id INTEGER;
+BEGIN
+    -- Loop through each distinct tenant_id from user_tenant_t
+    FOR target_tenant_id IN
+        SELECT DISTINCT tenant_id
+        FROM nexent.user_tenant_t
+        WHERE tenant_id IS NOT NULL
+    LOOP
+        -- Check if tenant already has TENANT_ID config_key
+        IF NOT EXISTS (
+            SELECT 1 FROM nexent.tenant_config_t
+            WHERE tenant_id = target_tenant_id
+              AND config_key = 'TENANT_ID'
+              AND delete_flag = 'N'
+        ) THEN
+            -- Insert TENANT_ID config
+            INSERT INTO nexent.tenant_config_t (
+                tenant_id, user_id, value_type, config_key, config_value,
+                create_time, update_time, created_by, updated_by, delete_flag
+            ) VALUES (
+                target_tenant_id, NULL, 'single', 'TENANT_ID', target_tenant_id,
+                NOW(), NOW(), 'system', 'system', 'N'
+            );
+
+            -- Insert TENANT_NAME config if not exists
+            IF NOT EXISTS (
+                SELECT 1 FROM nexent.tenant_config_t
+                WHERE tenant_id = target_tenant_id
+                  AND config_key = 'TENANT_NAME'
+                  AND delete_flag = 'N'
+            ) THEN
+                INSERT INTO nexent.tenant_config_t (
+                    tenant_id, user_id, value_type, config_key, config_value,
+                    create_time, update_time, created_by, updated_by, delete_flag
+                ) VALUES (
+                    target_tenant_id, NULL, 'single', 'TENANT_NAME', 'Unnamed Tenant',
+                    NOW(), NOW(), 'system', 'system', 'N'
+                );
+            END IF;
+
+            -- Check if tenant already has a group
+            IF NOT EXISTS (
+                SELECT 1 FROM nexent.tenant_group_info_t
+                WHERE tenant_id = target_tenant_id
+                  AND delete_flag = 'N'
+            ) THEN
+                -- Insert default group
+                INSERT INTO nexent.tenant_group_info_t (
+                    tenant_id, group_name, group_description,
+                    create_time, update_time, created_by, updated_by, delete_flag
+                ) VALUES (
+                    target_tenant_id, 'Default Group', 'Default group for tenant',
+                    NOW(), NOW(), 'system', 'system', 'N'
+                ) RETURNING group_id INTO new_group_id;
+
+                -- Insert DEFAULT_GROUP_ID config
+                IF new_group_id IS NOT NULL THEN
+                    INSERT INTO nexent.tenant_config_t (
+                        tenant_id, user_id, value_type, config_key, config_value,
+                        create_time, update_time, created_by, updated_by, delete_flag
+                    ) VALUES (
+                        target_tenant_id, NULL, 'single', 'DEFAULT_GROUP_ID', new_group_id::VARCHAR,
+                        NOW(), NOW(), 'system', 'system', 'N'
+                    );
+                END IF;
+            END IF;
+        END IF;
+    END LOOP;
+END $$;
diff --git a/docker/sql/v1.8.0_0206_add_ag_tenant_agent_version_t .sql b/docker/sql/v1.8.0_0206_add_ag_tenant_agent_version_t .sql
new file mode 100644
index 000000000..40fc22df0
--- /dev/null
+++ b/docker/sql/v1.8.0_0206_add_ag_tenant_agent_version_t .sql	
@@ -0,0 +1,84 @@
+-- 步骤 1：添加 nullable 的 version_no 字段（不设默认值，让显式赋值）
+ALTER TABLE nexent.ag_tenant_agent_t
+ADD COLUMN IF NOT EXISTS version_no INTEGER NULL;
+
+ALTER TABLE nexent.ag_tool_instance_t
+ADD COLUMN IF NOT EXISTS version_no INTEGER NULL;
+
+ALTER TABLE nexent.ag_agent_relation_t
+ADD COLUMN IF NOT EXISTS version_no INTEGER NULL;
+
+-- 步骤 2：更新所有历史数据的 version_no 为 0
+UPDATE nexent.ag_tenant_agent_t SET version_no = 0 WHERE version_no IS NULL;
+UPDATE nexent.ag_tool_instance_t SET version_no = 0 WHERE version_no IS NULL;
+UPDATE nexent.ag_agent_relation_t SET version_no = 0 WHERE version_no IS NULL;
+
+-- 步骤 3：将字段设为 NOT NULL，并设置默认值 0
+ALTER TABLE nexent.ag_tenant_agent_t ALTER COLUMN version_no SET NOT NULL;
+ALTER TABLE nexent.ag_tenant_agent_t ALTER COLUMN version_no SET DEFAULT 0;
+
+ALTER TABLE nexent.ag_tool_instance_t ALTER COLUMN version_no SET NOT NULL;
+ALTER TABLE nexent.ag_tool_instance_t ALTER COLUMN version_no SET DEFAULT 0;
+
+ALTER TABLE nexent.ag_agent_relation_t ALTER COLUMN version_no SET NOT NULL;
+ALTER TABLE nexent.ag_agent_relation_t ALTER COLUMN version_no SET DEFAULT 0;
+
+-- 步骤 4：为 ag_tenant_agent_t 添加 current_version_no 字段
+ALTER TABLE nexent.ag_tenant_agent_t
+ADD COLUMN IF NOT EXISTS current_version_no INTEGER NULL;
+
+-- 步骤5：修改主键
+ALTER TABLE nexent.ag_tenant_agent_t DROP CONSTRAINT ag_tenant_agent_t_pkey;
+ALTER TABLE nexent.ag_tenant_agent_t ADD CONSTRAINT ag_tenant_agent_t_pkey PRIMARY KEY (agent_id, version_no);
+
+ALTER TABLE nexent.ag_tool_instance_t DROP CONSTRAINT ag_tool_instance_t_pkey;
+ALTER TABLE nexent.ag_tool_instance_t ADD CONSTRAINT ag_tool_instance_t_pkey PRIMARY KEY (tool_instance_id, version_no);
+
+ALTER TABLE nexent.ag_agent_relation_t DROP CONSTRAINT ag_agent_relation_t_pkey;
+ALTER TABLE nexent.ag_agent_relation_t ADD CONSTRAINT ag_agent_relation_t_pkey PRIMARY KEY (relation_id, version_no);
+
+-- 步骤6：新增agent版本管理表
+CREATE TABLE IF NOT EXISTS nexent.ag_tenant_agent_version_t (
+    id BIGSERIAL PRIMARY KEY,
+    tenant_id VARCHAR(100) NOT NULL,
+    agent_id INTEGER NOT NULL,
+    version_no INTEGER NOT NULL,
+    version_name VARCHAR(100),                    -- 用户自定义版本名称
+    release_note TEXT,                            -- 发布备注
+
+    source_version_no INTEGER NULL,               -- 来源版本号（回滚时记录）
+    source_type VARCHAR(30) NULL,                 -- 来源类型：NORMAL(正常发布) / ROLLBACK(回滚产生)
+
+    status VARCHAR(30) DEFAULT 'RELEASED',        -- 版本状态：RELEASED / DISABLED / ARCHIVED
+
+    created_by VARCHAR(100) NOT NULL,
+    create_time TIMESTAMP(6) DEFAULT CURRENT_TIMESTAMP,
+    updated_by VARCHAR(100),
+    update_time TIMESTAMP(6) DEFAULT CURRENT_TIMESTAMP,
+    delete_flag VARCHAR(1) DEFAULT 'N'
+);
+
+ALTER TABLE nexent.ag_tenant_agent_version_t OWNER TO "root";
+
+-- 步骤 7：添加COMMENT
+COMMENT ON COLUMN nexent.ag_tenant_agent_t.version_no IS 'Version number. 0 = draft/editing state, >=1 = published snapshot';
+COMMENT ON COLUMN nexent.ag_tenant_agent_t.current_version_no IS 'Current published version number. NULL means no version published yet';
+COMMENT ON COLUMN nexent.ag_tool_instance_t.version_no IS 'Version number. 0 = draft/editing state, >=1 = published snapshot';
+COMMENT ON COLUMN nexent.ag_agent_relation_t.version_no IS 'Version number. 0 = draft/editing state, >=1 = published snapshot';
+
+COMMENT ON TABLE nexent.ag_tenant_agent_version_t IS 'Agent version metadata table. Stores version info, release notes, and version lineage.';
+
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.id IS 'Primary key, auto-increment';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.tenant_id IS 'Tenant ID';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.agent_id IS 'Agent ID';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.version_no IS 'Version number, starts from 1. Does not include 0 (draft)';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.version_name IS 'User-defined version name for display (e.g., "Stable v2.1", "Hotfix-001"). NULL means use version_no as display.';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.release_note IS 'Release notes / publish remarks';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.source_version_no IS 'Source version number. If this version is a rollback, record the source version number.';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.source_type IS 'Source type: NORMAL (normal publish) / ROLLBACK (rollback and republish).';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.status IS 'Version status: RELEASED / DISABLED / ARCHIVED';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.created_by IS 'User who published this version';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.create_time IS 'Version creation timestamp';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.updated_by IS 'Last user who updated this version';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.update_time IS 'Last update timestamp';
+COMMENT ON COLUMN nexent.ag_tenant_agent_version_t.delete_flag IS 'Soft delete flag: Y/N';
diff --git a/docker/sql/v1.8.0_0206_init_role_permission_t.sql b/docker/sql/v1.8.0_0206_init_role_permission_t.sql
new file mode 100644
index 000000000..6b9409503
--- /dev/null
+++ b/docker/sql/v1.8.0_0206_init_role_permission_t.sql
@@ -0,0 +1,186 @@
+DELETE FROM nexent.role_permission_t;
+
+INSERT INTO nexent.role_permission_t (role_permission_id, user_role, permission_category, permission_type, permission_subtype) VALUES
+(1, 'SU', 'VISIBILITY', 'LEFT_NAV_MENU', '/'),
+(2, 'SU', 'VISIBILITY', 'LEFT_NAV_MENU', '/monitoring'),
+(3, 'SU', 'VISIBILITY', 'LEFT_NAV_MENU', '/tenant-resources'),
+(4, 'SU', 'RESOURCE', 'AGENT', 'READ'),
+(5, 'SU', 'RESOURCE', 'AGENT', 'DELETE'),
+(6, 'SU', 'RESOURCE', 'KB', 'READ'),
+(7, 'SU', 'RESOURCE', 'KB', 'DELETE'),
+(8, 'SU', 'RESOURCE', 'KB.GROUPS', 'READ'),
+(9, 'SU', 'RESOURCE', 'KB.GROUPS', 'UPDATE'),
+(10, 'SU', 'RESOURCE', 'KB.GROUPS', 'DELETE'),
+(11, 'SU', 'RESOURCE', 'USER.ROLE', 'READ'),
+(12, 'SU', 'RESOURCE', 'USER.ROLE', 'UPDATE'),
+(13, 'SU', 'RESOURCE', 'USER.ROLE', 'DELETE'),
+(14, 'SU', 'RESOURCE', 'MCP', 'READ'),
+(15, 'SU', 'RESOURCE', 'MCP', 'DELETE'),
+(16, 'SU', 'RESOURCE', 'MEM.SETTING', 'READ'),
+(17, 'SU', 'RESOURCE', 'MEM.SETTING', 'UPDATE'),
+(18, 'SU', 'RESOURCE', 'MEM.AGENT', 'READ'),
+(19, 'SU', 'RESOURCE', 'MEM.AGENT', 'DELETE'),
+(20, 'SU', 'RESOURCE', 'MEM.PRIVATE', 'READ'),
+(21, 'SU', 'RESOURCE', 'MEM.PRIVATE', 'DELETE'),
+(22, 'SU', 'RESOURCE', 'MODEL', 'CREATE'),
+(23, 'SU', 'RESOURCE', 'MODEL', 'READ'),
+(24, 'SU', 'RESOURCE', 'MODEL', 'UPDATE'),
+(25, 'SU', 'RESOURCE', 'MODEL', 'DELETE'),
+(26, 'SU', 'RESOURCE', 'TENANT', 'CREATE'),
+(27, 'SU', 'RESOURCE', 'TENANT', 'READ'),
+(28, 'SU', 'RESOURCE', 'TENANT', 'UPDATE'),
+(29, 'SU', 'RESOURCE', 'TENANT', 'DELETE'),
+(30, 'SU', 'RESOURCE', 'TENANT.LIST', 'READ'),
+(31, 'SU', 'RESOURCE', 'TENANT.INFO', 'READ'),
+(32, 'SU', 'RESOURCE', 'TENANT.INFO', 'UPDATE'),
+(33, 'SU', 'RESOURCE', 'TENANT.INVITE', 'CREATE'),
+(34, 'SU', 'RESOURCE', 'TENANT.INVITE', 'READ'),
+(35, 'SU', 'RESOURCE', 'TENANT.INVITE', 'UPDATE'),
+(36, 'SU', 'RESOURCE', 'TENANT.INVITE', 'DELETE'),
+(37, 'SU', 'RESOURCE', 'GROUP', 'CREATE'),
+(38, 'SU', 'RESOURCE', 'GROUP', 'READ'),
+(39, 'SU', 'RESOURCE', 'GROUP', 'UPDATE'),
+(40, 'SU', 'RESOURCE', 'GROUP', 'DELETE'),
+(41, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/'),
+(42, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/chat'),
+(43, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/setup'),
+(44, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/space'),
+(45, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/market'),
+(46, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/agents'),
+(47, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/knowledges'),
+(48, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/mcp-tools'),
+(49, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/monitoring'),
+(50, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/models'),
+(51, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/memory'),
+(52, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/users'),
+(53, 'ADMIN', 'VISIBILITY', 'LEFT_NAV_MENU', '/tenant-resources'),
+(54, 'ADMIN', 'RESOURCE', 'AGENT', 'CREATE'),
+(55, 'ADMIN', 'RESOURCE', 'AGENT', 'READ'),
+(56, 'ADMIN', 'RESOURCE', 'AGENT', 'UPDATE'),
+(57, 'ADMIN', 'RESOURCE', 'AGENT', 'DELETE'),
+(58, 'ADMIN', 'RESOURCE', 'KB', 'CREATE'),
+(59, 'ADMIN', 'RESOURCE', 'KB', 'READ'),
+(60, 'ADMIN', 'RESOURCE', 'KB', 'UPDATE'),
+(61, 'ADMIN', 'RESOURCE', 'KB', 'DELETE'),
+(62, 'ADMIN', 'RESOURCE', 'KB.GROUPS', 'READ'),
+(63, 'ADMIN', 'RESOURCE', 'KB.GROUPS', 'UPDATE'),
+(64, 'ADMIN', 'RESOURCE', 'KB.GROUPS', 'DELETE'),
+(65, 'ADMIN', 'RESOURCE', 'USER.ROLE', 'READ'),
+(66, 'ADMIN', 'RESOURCE', 'MCP', 'CREATE'),
+(67, 'ADMIN', 'RESOURCE', 'MCP', 'READ'),
+(68, 'ADMIN', 'RESOURCE', 'MCP', 'UPDATE'),
+(69, 'ADMIN', 'RESOURCE', 'MCP', 'DELETE'),
+(70, 'ADMIN', 'RESOURCE', 'MEM.SETTING', 'READ'),
+(71, 'ADMIN', 'RESOURCE', 'MEM.SETTING', 'UPDATE'),
+(72, 'ADMIN', 'RESOURCE', 'MEM.AGENT', 'CREATE'),
+(73, 'ADMIN', 'RESOURCE', 'MEM.AGENT', 'READ'),
+(74, 'ADMIN', 'RESOURCE', 'MEM.AGENT', 'DELETE'),
+(75, 'ADMIN', 'RESOURCE', 'MEM.PRIVATE', 'CREATE'),
+(76, 'ADMIN', 'RESOURCE', 'MEM.PRIVATE', 'READ'),
+(77, 'ADMIN', 'RESOURCE', 'MEM.PRIVATE', 'DELETE'),
+(78, 'ADMIN', 'RESOURCE', 'MODEL', 'CREATE'),
+(79, 'ADMIN', 'RESOURCE', 'MODEL', 'READ'),
+(80, 'ADMIN', 'RESOURCE', 'MODEL', 'UPDATE'),
+(81, 'ADMIN', 'RESOURCE', 'MODEL', 'DELETE'),
+(82, 'ADMIN', 'RESOURCE', 'TENANT.INFO', 'READ'),
+(83, 'ADMIN', 'RESOURCE', 'TENANT.INFO', 'UPDATE'),
+(84, 'ADMIN', 'RESOURCE', 'TENANT.INVITE', 'CREATE'),
+(85, 'ADMIN', 'RESOURCE', 'TENANT.INVITE', 'READ'),
+(86, 'ADMIN', 'RESOURCE', 'TENANT.INVITE', 'UPDATE'),
+(87, 'ADMIN', 'RESOURCE', 'TENANT.INVITE', 'DELETE'),
+(88, 'ADMIN', 'RESOURCE', 'GROUP', 'CREATE'),
+(89, 'ADMIN', 'RESOURCE', 'GROUP', 'READ'),
+(90, 'ADMIN', 'RESOURCE', 'GROUP', 'UPDATE'),
+(91, 'ADMIN', 'RESOURCE', 'GROUP', 'DELETE'),
+(92, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/'),
+(93, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/chat'),
+(94, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/setup'),
+(95, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/space'),
+(96, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/market'),
+(97, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/agents'),
+(98, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/knowledges'),
+(99, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/mcp-tools'),
+(100, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/monitoring'),
+(101, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/models'),
+(102, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/memory'),
+(103, 'DEV', 'VISIBILITY', 'LEFT_NAV_MENU', '/users'),
+(104, 'DEV', 'RESOURCE', 'AGENT', 'CREATE'),
+(105, 'DEV', 'RESOURCE', 'AGENT', 'READ'),
+(106, 'DEV', 'RESOURCE', 'AGENT', 'UPDATE'),
+(107, 'DEV', 'RESOURCE', 'AGENT', 'DELETE'),
+(108, 'DEV', 'RESOURCE', 'KB', 'CREATE'),
+(109, 'DEV', 'RESOURCE', 'KB', 'READ'),
+(110, 'DEV', 'RESOURCE', 'KB', 'UPDATE'),
+(111, 'DEV', 'RESOURCE', 'KB', 'DELETE'),
+(112, 'DEV', 'RESOURCE', 'KB.GROUPS', 'READ'),
+(113, 'DEV', 'RESOURCE', 'KB.GROUPS', 'UPDATE'),
+(114, 'DEV', 'RESOURCE', 'KB.GROUPS', 'DELETE'),
+(115, 'DEV', 'RESOURCE', 'USER.ROLE', 'READ'),
+(116, 'DEV', 'RESOURCE', 'MCP', 'CREATE'),
+(117, 'DEV', 'RESOURCE', 'MCP', 'READ'),
+(118, 'DEV', 'RESOURCE', 'MCP', 'UPDATE'),
+(119, 'DEV', 'RESOURCE', 'MCP', 'DELETE'),
+(120, 'DEV', 'RESOURCE', 'MEM.SETTING', 'READ'),
+(121, 'DEV', 'RESOURCE', 'MEM.SETTING', 'UPDATE'),
+(122, 'DEV', 'RESOURCE', 'MEM.AGENT', 'READ'),
+(123, 'DEV', 'RESOURCE', 'MEM.PRIVATE', 'CREATE'),
+(124, 'DEV', 'RESOURCE', 'MEM.PRIVATE', 'READ'),
+(125, 'DEV', 'RESOURCE', 'MEM.PRIVATE', 'DELETE'),
+(126, 'DEV', 'RESOURCE', 'MODEL', 'READ'),
+(127, 'DEV', 'RESOURCE', 'TENANT.INFO', 'READ'),
+(128, 'DEV', 'RESOURCE', 'GROUP', 'READ'),
+(129, 'USER', 'VISIBILITY', 'LEFT_NAV_MENU', '/'),
+(130, 'USER', 'VISIBILITY', 'LEFT_NAV_MENU', '/chat'),
+(131, 'USER', 'VISIBILITY', 'LEFT_NAV_MENU', '/memory'),
+(132, 'USER', 'VISIBILITY', 'LEFT_NAV_MENU', '/users'),
+(133, 'USER', 'RESOURCE', 'AGENT', 'READ'),
+(134, 'USER', 'RESOURCE', 'USER.ROLE', 'READ'),
+(135, 'USER', 'RESOURCE', 'MEM.SETTING', 'READ'),
+(136, 'USER', 'RESOURCE', 'MEM.SETTING', 'UPDATE'),
+(137, 'USER', 'RESOURCE', 'MEM.AGENT', 'READ'),
+(138, 'USER', 'RESOURCE', 'MEM.PRIVATE', 'CREATE'),
+(139, 'USER', 'RESOURCE', 'MEM.PRIVATE', 'READ'),
+(140, 'USER', 'RESOURCE', 'MEM.PRIVATE', 'DELETE'),
+(141, 'USER', 'RESOURCE', 'TENANT.INFO', 'READ'),
+(142, 'USER', 'RESOURCE', 'GROUP', 'READ'),
+(143, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/'),
+(144, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/chat'),
+(145, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/setup'),
+(146, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/space'),
+(147, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/market'),
+(148, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/agents'),
+(149, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/knowledges'),
+(150, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/mcp-tools'),
+(151, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/monitoring'),
+(152, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/models'),
+(153, 'SPEED', 'VISIBILITY', 'LEFT_NAV_MENU', '/memory'),
+(154, 'SPEED', 'RESOURCE', 'AGENT', 'CREATE'),
+(155, 'SPEED', 'RESOURCE', 'AGENT', 'READ'),
+(156, 'SPEED', 'RESOURCE', 'AGENT', 'UPDATE'),
+(157, 'SPEED', 'RESOURCE', 'AGENT', 'DELETE'),
+(158, 'SPEED', 'RESOURCE', 'KB', 'CREATE'),
+(159, 'SPEED', 'RESOURCE', 'KB', 'READ'),
+(160, 'SPEED', 'RESOURCE', 'KB', 'UPDATE'),
+(161, 'SPEED', 'RESOURCE', 'KB', 'DELETE'),
+(166, 'SPEED', 'RESOURCE', 'MCP', 'CREATE'),
+(167, 'SPEED', 'RESOURCE', 'MCP', 'READ'),
+(168, 'SPEED', 'RESOURCE', 'MCP', 'UPDATE'),
+(169, 'SPEED', 'RESOURCE', 'MCP', 'DELETE'),
+(170, 'SPEED', 'RESOURCE', 'MEM.SETTING', 'READ'),
+(171, 'SPEED', 'RESOURCE', 'MEM.SETTING', 'UPDATE'),
+(172, 'SPEED', 'RESOURCE', 'MEM.AGENT', 'CREATE'),
+(173, 'SPEED', 'RESOURCE', 'MEM.AGENT', 'READ'),
+(174, 'SPEED', 'RESOURCE', 'MEM.AGENT', 'DELETE'),
+(175, 'SPEED', 'RESOURCE', 'MEM.PRIVATE', 'CREATE'),
+(176, 'SPEED', 'RESOURCE', 'MEM.PRIVATE', 'READ'),
+(177, 'SPEED', 'RESOURCE', 'MEM.PRIVATE', 'DELETE'),
+(178, 'SPEED', 'RESOURCE', 'MODEL', 'CREATE'),
+(179, 'SPEED', 'RESOURCE', 'MODEL', 'READ'),
+(180, 'SPEED', 'RESOURCE', 'MODEL', 'UPDATE'),
+(181, 'SPEED', 'RESOURCE', 'MODEL', 'DELETE'),
+(182, 'SPEED', 'RESOURCE', 'TENANT.INFO', 'READ'),
+(183, 'SPEED', 'RESOURCE', 'TENANT.INFO', 'UPDATE'),
+(184, 'SPEED', 'RESOURCE', 'TENANT.INVITE', 'CREATE'),
+(185, 'SPEED', 'RESOURCE', 'TENANT.INVITE', 'READ'),
+(186, 'SPEED', 'RESOURCE', 'TENANT.INVITE', 'UPDATE'),
+(187, 'SPEED', 'RESOURCE', 'TENANT.INVITE', 'DELETE')
diff --git a/docker/upgrade.sh b/docker/upgrade.sh
index 821636485..38684dae0 100644
--- a/docker/upgrade.sh
+++ b/docker/upgrade.sh
@@ -9,6 +9,8 @@ CONST_FILE="$PROJECT_ROOT/backend/consts/const.py"
 DEPLOY_SCRIPT="$SCRIPT_DIR/deploy.sh"
 SQL_DIR="$SCRIPT_DIR/sql"
 ENV_FILE="$SCRIPT_DIR/.env"
+V180_SCRIPT="$SCRIPT_DIR/scripts/v180_sync_user_metadata.sh"
+V180_VERSION="1.8.0"
 
 declare -A DEPLOY_OPTIONS
 UPGRADE_SQL_FILES=()
@@ -64,12 +66,12 @@ prompt_option_value() {
     read -rp "${prompt_msg}: " input
 
     input="$(trim_quotes "$input")"
-    
+
     # Handle yes/no type inputs
     if [[ "$input_type" == "boolean" ]]; then
       # Convert to uppercase for consistency
       input=$(echo "$input" | tr '[:lower:]' '[:upper:]')
-      
+
       # Validate input
       if [[ "$input" =~ ^[YN]$ ]]; then
         DEPLOY_OPTIONS[$key]="$input"
@@ -233,6 +235,47 @@ update_option_value() {
   fi
 }
 
+# Check if the upgrade version span includes v1.8.0
+# Returns 0 (success) if span includes v1.8.0, 1 otherwise
+check_version_spans_v180() {
+  local cmp_with_v180
+  local cmp_current
+
+  # Check if current version is less than v1.8.0
+  cmp_current="$(compare_versions "$CURRENT_APP_VERSION" "$V180_VERSION")"
+  if [ "$cmp_current" -ge 0 ]; then
+    # Current version is >= v1.8.0, no need to run v180 sync
+    return 1
+  fi
+
+  # Check if target version is >= v1.8.0
+  cmp_with_v180="$(compare_versions "$NEW_APP_VERSION" "$V180_VERSION")"
+  if [ "$cmp_with_v180" -lt 0 ]; then
+    # Target version is < v1.8.0, no need to run v180 sync
+    return 1
+  fi
+
+  # Version span includes v1.8.0
+  return 0
+}
+
+# Execute the v1.8.0 user metadata sync script
+run_v180_sync_script() {
+  if [ ! -f "$V180_SCRIPT" ]; then
+    log "WARN" "⚠️  v180_sync_user_metadata.sh not found, skipping v1.8.0 metadata sync."
+    return
+  fi
+
+  log "INFO" "🗄️  Detected version span includes v1.8.0, executing user metadata sync script..."
+
+  if ! bash "$V180_SCRIPT"; then
+    log "ERROR" "❌ Failed to execute v180_sync_user_metadata.sh, please verify the script."
+    exit 1
+  fi
+
+  log "INFO" "✅ v1.8.0 user metadata sync completed successfully."
+}
+
 
 prompt_deploy_options() {
   # Only prompt for options that already exist in DEPLOY_OPTIONS
@@ -275,7 +318,7 @@ _get_option_description() {
 _get_option_value_description() {
   local key="$1"
   local value="$2"
-  
+
   case "$key" in
     "MODE_CHOICE")
       case "$value" in
@@ -299,7 +342,7 @@ _get_option_value_description() {
 main() {
   ensure_docker
   load_options
-  
+
   # Ensure required options are present
   require_option "APP_VERSION" "APP_VERSION not detected, please enter the current deployed version"
   require_option "ROOT_DIR" "ROOT_DIR not detected, please enter the absolute deployment directory path"
@@ -332,12 +375,12 @@ main() {
         max_desc_width=$desc_length
       fi
     done
-    
+
     # Ensure minimum width for better readability
     if (( max_desc_width < 20 )); then
       max_desc_width=20
     fi
-    
+
     # Display current deployment options in a readable format
     log "INFO" "📋 Current deployment options:"
     echo ""
@@ -348,7 +391,7 @@ main() {
       printf "   • %-${max_desc_width}s : %s\n" "$desc" "$value_desc"
     done
     echo ""
-    
+
     read -rp "🔄 Do you want to inherit previous deployment options? [Y/N] (default: Y): " inherit_choice
     inherit_choice="${inherit_choice:-Y}"
     inherit_choice="$(trim_quotes "$inherit_choice")"
@@ -361,6 +404,12 @@ main() {
 
   build_deploy_args
   run_deploy
+
+  # Check if version span includes v1.8.0 and run sync script if needed
+  if check_version_spans_v180; then
+    run_v180_sync_script
+  fi
+
   collect_upgrade_sqls
   run_sql_scripts
 
diff --git a/frontend/app/[locale]/agents/AgentVersionCard.tsx b/frontend/app/[locale]/agents/AgentVersionCard.tsx
new file mode 100644
index 000000000..bc38ad7c8
--- /dev/null
+++ b/frontend/app/[locale]/agents/AgentVersionCard.tsx
@@ -0,0 +1,634 @@
+"use client";
+import { useMemo, useState } from "react";
+import {
+  CheckCircle,
+  Archive,
+  Clock,
+  ChevronDown,
+  ChevronRight,
+  Rocket,
+  RotateCcw,
+  Eye,
+  Wrench,
+  Network,
+  AlertTriangle,
+  EllipsisVertical,
+  Trash2,
+  ArchiveRestore
+} from "lucide-react";
+import { useTranslation } from "react-i18next";
+import {
+  Flex,
+  Button,
+  Tag,
+  Typography,
+  Card,
+  Descriptions,
+  DescriptionsProps,
+  Modal,
+  Space,
+  Spin,
+  Empty,
+  Table,
+  Dropdown,
+  theme
+} from "antd";
+import { ExclamationCircleFilled } from '@ant-design/icons';
+
+const { useToken } = theme;
+import type { AgentVersion, Agent as AgentVersionAgent, ToolInstance, AgentVersionDetail, VersionCompareResponse } from "@/services/agentVersionService";
+import type { Agent, Tool } from "@/types/agentConfig";
+import { useToolList } from "@/hooks/agent/useToolList";
+import { useAgentList } from "@/hooks/agent/useAgentList";
+import { useAgentVersionList } from "@/hooks/agent/useAgentVersionList";
+import { useAgentInfo } from "@/hooks/agent/useAgentInfo";
+import { useAgentVersionDetail } from "@/hooks/agent/useAgentVersionDetail";
+import { rollbackVersion, compareVersions, deleteVersion } from "@/services/agentVersionService";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
+import log from "@/lib/logger";
+import { message } from "antd";
+import { useQueryClient } from "@tanstack/react-query";
+
+const { Text } = Typography;
+
+const formatter = new Intl.DateTimeFormat('zh-CN', {
+  year: 'numeric',
+  month: '2-digit',
+  day: '2-digit',
+  hour: '2-digit',
+  minute: '2-digit',
+  second: '2-digit',
+  hour12: false
+});
+
+/**
+ * Get status configuration based on isCurrentVersion flag
+ */
+function getStatusConfig(isCurrentVersion: boolean) {
+  if (isCurrentVersion) {
+    return {
+      color: "green",
+      icon: (
+        <div className="w-8 h-8 rounded-full bg-green-50 flex items-center justify-center">
+          <CheckCircle className="text-green-500" size={16} />
+        </div>
+      ),
+      labelKey: "agent.version.currentVersion",
+    };
+  }
+
+  return {
+    color: "default",
+    icon: (
+      <div className="w-8 h-8 rounded-full bg-gray-100 flex items-center justify-center">
+        <Archive className="text-gray-400" size={16} />
+      </div>
+    ),
+    labelKey: "",
+  };
+}
+
+/**
+ * Version card item component
+ */
+export function VersionCardItem({
+  version,
+  agentId,
+  currentVersionNo,
+}: {
+  version: AgentVersion;
+  agentId: number;
+  currentVersionNo?: number;
+}) {
+  // Calculate isCurrentVersion based on version.version_no and currentVersionNo
+  const isCurrentVersion = currentVersionNo === version.version_no;
+  const statusConfig = getStatusConfig(isCurrentVersion);
+  const { t } = useTranslation("common");
+
+  // Local expanded state for this version card
+  const [isExpanded, setIsExpanded] = useState(false);
+
+  // Get user context for tenantId
+  const { user } = useAuthorizationContext();
+  const queryClient = useQueryClient();
+
+  // Get invalidate functions for refreshing data
+  const { invalidate: invalidateAgentVersionList } = useAgentVersionList(agentId);
+  const { invalidate: invalidateAgentInfo } = useAgentInfo(agentId);
+
+  // Fetch version detail when expanded
+  const { agentVersionDetail } = useAgentVersionDetail(
+    agentId,
+    isExpanded ? version.version_no : null
+  );
+
+  const { tools: toolList } = useToolList();
+  const { agents: agentList } = useAgentList(user?.tenantId ?? null);
+
+  // Modal state
+  const [compareModalOpen, setCompareModalOpen] = useState(false);
+  const [deleteModalOpen, setDeleteModalOpen] = useState(false);
+  const [loading, setLoading] = useState(false);
+  const [rollbackLoading, setRollbackLoading] = useState(false);
+  const [deleteLoading, setDeleteLoading] = useState(false);
+  const [compareData, setCompareData] = useState<VersionCompareResponse | null>(null);
+
+  // Get theme token for styling
+  const { token } = theme.useToken();
+
+  // Generate display date and operator from version data
+  const displayDate = useMemo(() => {
+    return formatter.format(new Date(version.create_time));
+  }, [version.create_time]);
+
+  /**
+   * Handle rollback button click - show comparison modal
+   */
+  const handleRollbackClick = async () => {
+    if (!agentId || agentId === 0) {
+      message.error(t("agent.error.agentNotFound"));
+      return;
+    }
+    setCompareModalOpen(true);
+    await loadComparison();
+  };
+
+  /**
+   * Load version comparison data between current version and selected version
+   */
+  const loadComparison = async () => {
+    setLoading(true);
+    try {
+      // Compare current version (currentVersionNo) with the version being rolled back to (version.version_no)
+      const versionNoA = currentVersionNo || 0; // Use current version, fallback to 0 (draft) if not available
+      const versionNoB = version.version_no;
+      const result = await compareVersions(agentId, versionNoA, versionNoB);
+      setCompareData(result);
+    } catch (error) {
+      log.error("Failed to load version comparison:", error);
+      message.error(t("agent.version.compareError"));
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  /**
+   * Handle rollback confirmation
+   * Rollback updates current_version_no to point to the target version
+   * The user can then click publish to create an actual new version
+   */
+  const handleRollbackConfirm = async () => {
+    setRollbackLoading(true);
+    try {
+      const result = await rollbackVersion(agentId, version.version_no);
+
+      if (result.success) {
+        message.success(t("agent.version.rollbackSuccess"));
+        setCompareModalOpen(false);
+        invalidateAgentVersionList?.();
+        invalidateAgentInfo?.();
+        queryClient.invalidateQueries({ queryKey: ["agents"] });
+      } else {
+        message.error(result.message || t("agent.version.rollbackError"));
+      }
+    } catch (error) {
+      log.error("Failed to rollback version:", error);
+      message.error(t("agent.version.rollbackError"));
+    } finally {
+      setRollbackLoading(false);
+    }
+  };
+
+  /**
+   * Handle delete version button click - show confirmation modal
+   */
+  const handleDeleteClick = () => {
+    if (!agentId || agentId === 0) {
+      message.error(t("agent.error.agentNotFound"));
+      return;
+    }
+    setDeleteModalOpen(true);
+  };
+
+  /**
+   * Handle delete confirmation - actually delete the version
+   */
+  const handleDeleteConfirm = async () => {
+    setDeleteLoading(true);
+    try {
+      const result = await deleteVersion(agentId, version.version_no);
+
+      if (result.success) {
+        message.success(t("agent.version.deleteSuccess"));
+        setDeleteModalOpen(false);
+        invalidateAgentVersionList?.();
+        invalidateAgentInfo?.();
+        queryClient.invalidateQueries({ queryKey: ["agents"] });
+      } else {
+        message.error(result.message || t("agent.version.deleteError"));
+      }
+    } catch (error) {
+      log.error("Failed to delete version:", error);
+      message.error(t("agent.version.deleteError"));
+    } finally {
+      setDeleteLoading(false);
+    }
+  };
+
+  const agentConfigurationItems: DescriptionsProps['items'] = [
+    {
+      key: '1',
+      label: t("agent.version.field.name"),
+      children: <span>{agentVersionDetail?.name}</span>,
+    },
+    {
+      key: '2',
+      label: t("agent.version.field.modelName"),
+      children: <span>{agentVersionDetail?.model_name}</span>,
+    },
+  ];
+
+  return (
+    <div className="pb-6 last:pb-0">
+      <Card
+        className={`w-full transition-all duration-200 ${isExpanded ? "ring-2 ring-blue-100" : ""} ${isCurrentVersion ? "border border-green-400" : ""}`}
+        styles={{ body: { padding: "12px 16px" } }}
+        size="small"
+      >
+        <Flex className="h-full" gap={12}>
+          {/* Left: Status icon with timeline */}
+          <Flex align="center" justify="center" vertical className="flex-shrink-0">
+            <Flex align="center" justify="center" className="flex-shrink-0">
+              {statusConfig.icon}
+            </Flex>
+            <div className="w-px h-full bg-gray-200" />
+          </Flex>
+
+          {/* Middle: Version info */}
+          <Flex
+            vertical
+            gap={4}
+            className="flex-1 min-w-0"
+          >
+            <Flex align="center" gap={8}>
+              <Text strong className="text-base">
+                {version.version_name || `V${version.version_no}`}
+              </Text>
+              <Tag color={statusConfig.color} className="m-0">
+                {t(statusConfig.labelKey)}
+              </Tag>
+            </Flex>
+
+            <Flex align="center" gap={12} className="text-gray-500 text-xs">
+              <Flex align="center" gap={4}>
+                <Clock size={12} />
+                <Text type="secondary" className="text-xs">
+                  {displayDate}
+                </Text>
+              </Flex>
+
+            </Flex>
+
+            {version.release_note && (
+              <Text
+                type="secondary"
+                className="text-sm mt-1 line-clamp-2"
+                ellipsis={{ tooltip: version.release_note }}
+              >
+                {version.release_note}
+              </Text>
+            )}
+          </Flex>
+
+          {/* Right: Actions */}
+          <Flex align="start" justify="center" gap={8} className="flex-shrink-0">
+            <Button
+              type="text"
+              size="small"
+              icon={isExpanded ? <ChevronDown size={18} /> : <ChevronRight size={18} />}
+              onClick={() => setIsExpanded(!isExpanded)}
+              className="text-gray-400 hover:text-gray-600"
+            />
+            <Dropdown
+              menu={{
+                items: [
+                  {
+                    key: 'rollback',
+                    label: t("agent.version.rollback"),
+                    icon: <RotateCcw size={14} />,
+                    disabled: isCurrentVersion || version.status.toLowerCase() === "disabled",
+                    onClick: handleRollbackClick
+                  },
+                  {
+                    type: 'divider',
+                  },
+                  {
+                    key: 'delete',
+                    label: t("common.delete"),
+                    icon: <Trash2 size={14} />,
+                    disabled: isCurrentVersion,
+                    danger: true,
+                    onClick: handleDeleteClick,
+                  },
+                ],
+              }}
+              trigger={['click']}
+            >
+              <Button
+                type="text"
+                size="small"
+                icon={<EllipsisVertical size={18} />}
+                className="text-gray-400 hover:text-gray-600"
+              />
+            </Dropdown>
+          </Flex>
+
+        </Flex>
+
+        {/* Expanded content */}
+        {isExpanded && (
+          <div className="mt-4 pt-4 border-t border-gray-100">
+            <Flex vertical gap={16}>
+
+              <Descriptions
+                title={
+                  <Flex align="center" gap={8}>
+                    <Eye size={14} className="text-blue-500" />
+                    <span className="text-sm">{t("agent.version.configuration")}</span>
+                  </Flex>
+                }
+                items={agentConfigurationItems}
+                classNames={{ header: "!mb-2" }}
+                column={1}
+                className="[&_.ant-descriptions-item]:!pb-0"
+              />
+
+              {/* Tools detail */}
+              {agentVersionDetail?.tools && agentVersionDetail.tools.length > 0 && (
+                <Descriptions
+                  title={
+                    <Flex align="center" gap={8}>
+                      <Wrench size={14} className="text-blue-500" />
+                      <span className="text-sm">{t("agent.version.tools")}</span>
+                    </Flex>
+                  }
+                  items={[
+                    {
+                      key: '1',
+                      children: (
+                        <Flex wrap gap={6}>
+                          {agentVersionDetail.tools.map((tool) => {
+                            const fullTool = toolList.find((t: Tool) => t.id === String(tool.tool_id));
+                            return (
+                              <Tag key={tool.tool_id} color="blue">
+                                {fullTool?.name}
+                              </Tag>
+                            );
+                          })}
+                        </Flex>
+                      ),
+                    },
+                  ]}
+                  classNames={{ header: "!mb-2" }}
+                  className="[&_.ant-descriptions-item]:!pb-0"
+                />
+              )}
+
+
+              {/* Related agents detail */}
+              {agentVersionDetail?.sub_agent_id_list && agentVersionDetail.sub_agent_id_list.length > 0 && (
+                <Descriptions
+                  title={
+                    <Flex align="center" gap={8}>
+                      <Network size={14} className="text-blue-500" />
+                      <span className="text-sm">{t("agent.version.relatedAgents")}</span>
+                    </Flex>
+                  }
+                  items={[
+                    {
+                      key: '1',
+                      children: (
+                        <Flex wrap gap={6}>
+                          {agentVersionDetail.sub_agent_id_list.map((subAgentId) => {
+                            const subAgent = agentList.find((a: Agent) => a.id === String(subAgentId));
+                            return (
+                              <Tag key={subAgentId} color="purple">
+                                {subAgent?.display_name || subAgent?.name || `Agent ${subAgentId}`}
+                              </Tag>
+                            );
+                          })}
+                        </Flex>
+                      ),
+                    },
+                  ]}
+                  classNames={{ header: "!mb-2" }}
+                  className="[&_.ant-descriptions-item]:!pb-0"
+                />
+              )}
+            </Flex>
+          </div>
+        )}
+      </Card>
+
+      {/* Version Comparison Modal */}
+      <Modal
+        title={
+          <Flex align="center" gap={8}>
+            <AlertTriangle className="text-orange-500" size={18} />
+            <span>{t("agent.version.rollbackCompareTitle")}</span>
+          </Flex>
+        }
+        open={compareModalOpen}
+        onCancel={() => setCompareModalOpen(false)}
+        footer={[
+          <Button key="cancel" onClick={() => setCompareModalOpen(false)}>
+            {t("common.cancel")}
+          </Button>,
+          <Button
+            key="confirm"
+            type="primary"
+            danger
+            icon={<RotateCcw size={14} />}
+            loading={rollbackLoading}
+            onClick={handleRollbackConfirm}
+          >
+            {t("agent.version.confirmRollback")}
+          </Button>,
+        ]}
+        width={800}
+        centered
+      >
+        <Spin spinning={loading}>
+          {compareData?.success && compareData?.data ? (
+            <Flex vertical gap={16}>
+              {/* Comparison Table */}
+              {(() => {
+                const { version_a, version_b } = compareData.data;
+
+                const columns = [
+                  {
+                    title: t("agent.version.versionName"),
+                    dataIndex: 'field',
+                    key: 'field',
+                    width: '25%',
+                    className: 'bg-gray-50 text-gray-600 font-medium',
+                  },
+                  {
+                    title: version_a.version.version_name,
+                    dataIndex: 'current',
+                    key: 'current',
+                    width: '37%',
+                  },
+                  {
+                    title: version_b.version.version_name,
+                    dataIndex: 'version',
+                    key: 'version',
+                    width: '38%',
+                  },
+                ];
+
+                const data = [
+                  {
+                    key: 'name',
+                    field: t("agent.version.field.name"),
+                    current: (
+                      <span className={version_a.name !== version_b.name ? "text-orange-500 font-medium" : "text-gray-600"}>
+                        {version_a.name}
+                      </span>
+                    ),
+                    version: (
+                      <span className={version_a.name !== version_b.name ? "text-green-500 font-medium" : "text-gray-600"}>
+                        {version_b.name}
+                      </span>
+                    ),
+                  },
+                  {
+                    key: 'model_name',
+                    field: t("agent.version.field.modelName"),
+                    current: (
+                      <span className={version_a.model_name !== version_b.model_name ? "text-orange-500 font-medium" : "text-gray-600"}>
+                        {version_a.model_name || '-'}
+                      </span>
+                    ),
+                    version: (
+                      <span className={version_a.model_name !== version_b.model_name ? "text-green-500 font-medium" : "text-gray-600"}>
+                        {version_b.model_name || '-'}
+                      </span>
+                    ),
+                  },
+                  {
+                    key: 'description',
+                    field: t("agent.version.field.description"),
+                    current: (
+                      <Text type="secondary" className={`text-xs ${version_a.description !== version_b.description ? "text-orange-500" : ""}`}>
+                        {version_a.description || '-'}
+                      </Text>
+                    ),
+                    version: (
+                      <Text type="secondary" className={`text-xs ${version_a.description !== version_b.description ? "text-green-500" : ""}`}>
+                        {version_b.description || '-'}
+                      </Text>
+                    ),
+                  },
+                  {
+                    key: 'duty_prompt',
+                    field: t("agent.version.field.dutyPrompt"),
+                    current: (
+                      <Text type="secondary" className={`text-xs ${version_a.duty_prompt !== version_b.duty_prompt ? "text-orange-500" : ""}`}>
+                        {version_a.duty_prompt?.slice(0, 100) || '-'}
+                        {version_a.duty_prompt && version_a.duty_prompt.length > 100 && '...'}
+                      </Text>
+                    ),
+                    version: (
+                      <Text type="secondary" className={`text-xs ${version_a.duty_prompt !== version_b.duty_prompt ? "text-green-500" : ""}`}>
+                        {version_b.duty_prompt?.slice(0, 100) || '-'}
+                        {version_b.duty_prompt && version_b.duty_prompt.length > 100 && '...'}
+                      </Text>
+                    ),
+                  },
+                  {
+                    key: 'tools',
+                    field: t("agent.version.field.tools"),
+                    current: (
+                      <Tag color={version_a.tools?.length !== version_b.tools?.length ? "orange" : "default"}>
+                        {version_a.tools?.length || 0}
+                      </Tag>
+                    ),
+                    version: (
+                      <Tag color={version_a.tools?.length !== version_b.tools?.length ? "green" : "default"}>
+                        {version_b.tools?.length || 0}
+                      </Tag>
+                    ),
+                  },
+                  {
+                    key: 'sub_agents',
+                    field: t("agent.version.field.subAgents"),
+                    current: (
+                      <Tag color={version_a.sub_agent_id_list?.length !== version_b.sub_agent_id_list?.length ? "orange" : "default"}>
+                        {version_a.sub_agent_id_list?.length || 0}
+                      </Tag>
+                    ),
+                    version: (
+                      <Tag color={version_a.sub_agent_id_list?.length !== version_b.sub_agent_id_list?.length ? "green" : "default"}>
+                        {version_b.sub_agent_id_list?.length || 0}
+                      </Tag>
+                    ),
+                  },
+                ];
+
+                return (
+                  <Table
+                    dataSource={data}
+                    columns={columns}
+                    pagination={false}
+                    size="small"
+                    bordered
+                  />
+                );
+              })()}
+            </Flex>
+          ) : (
+            <Empty description={t("agent.version.compareFailed")} />
+          )}
+        </Spin>
+      </Modal>
+
+      {/* Delete Version Confirmation Modal */}
+      <Modal
+        title={t("agent.version.deleteConfirmTitle")}
+        open={deleteModalOpen}
+        onCancel={() => setDeleteModalOpen(false)}
+        footer={[
+          <Button key="cancel" onClick={() => setDeleteModalOpen(false)}>
+            {t("common.cancel")}
+          </Button>,
+          <Button
+            key="confirm"
+            type="primary"
+            danger
+            icon={<Trash2 size={14} />}
+            loading={deleteLoading}
+            onClick={handleDeleteConfirm}
+          >
+            {t("common.delete")}
+          </Button>,
+        ]}
+        centered
+      >
+        <Flex align="start" gap={12}>
+          <div className="mt-1">
+            <ExclamationCircleFilled style={{ color: token.colorWarning, fontSize: '22px' }} />
+          </div>
+          <div>
+            <div className="font-medium mb-2">
+              {t("agent.version.deleteConfirmContent", { versionName: version.version_name || `V${version.version_no}` })}
+            </div>
+            <div className="text-sm text-gray-500">
+              {t("agent.version.deleteWarning")}
+            </div>
+          </div>
+        </Flex>
+      </Modal>
+    </div>
+  );
+}
diff --git a/frontend/app/[locale]/agents/AgentVersionManage.tsx b/frontend/app/[locale]/agents/AgentVersionManage.tsx
new file mode 100644
index 000000000..38f13eca5
--- /dev/null
+++ b/frontend/app/[locale]/agents/AgentVersionManage.tsx
@@ -0,0 +1,197 @@
+"use client";
+import { useState } from "react";
+import {
+  GitBranch,
+  GitCompare,
+  Rocket,
+} from "lucide-react";
+import { useTranslation } from "react-i18next";
+import {
+  Card,
+  Flex,
+  Button,
+  Tag,
+  Typography,
+  Empty,
+  Spin,
+  Modal,
+  Form,
+  Input,
+  message,
+} from "antd";
+import { useAgentVersionList } from "@/hooks/agent/useAgentVersionList";
+import { publishVersion } from "@/services/agentVersionService";
+import { useAgentInfo } from "@/hooks/agent/useAgentInfo";
+import { useAgentConfigStore } from "@/stores/agentConfigStore";
+import { VersionCardItem } from "./AgentVersionCard";
+import log from "@/lib/logger";
+import { useQueryClient } from "@tanstack/react-query";
+
+const { TextArea } = Input;
+
+export default function AgentVersionManage() {
+  const { t } = useTranslation("common");
+  const queryClient = useQueryClient();
+
+  const currentAgentId = useAgentConfigStore((state) => state.currentAgentId);
+
+  const { agentVersionList, total, isLoading, invalidate: invalidateAgentVersionList } = useAgentVersionList(currentAgentId);
+  const { agentInfo, invalidate: invalidateAgentInfo } = useAgentInfo(currentAgentId);
+
+
+  const [isPublishModalOpen, setIsPublishModalOpen] = useState(false);
+  const [isPublishing, setIsPublishing] = useState(false);
+  const [publishForm] = Form.useForm();
+
+  // Open publish modal
+  const handlePublishClick = () => {
+    setIsPublishModalOpen(true);
+  };
+
+  // Handle publish version
+  const handlePublish = async (values: { version_name?: string; release_note?: string }) => {
+    if (!currentAgentId) {
+      message.error(t("agent.error.agentNotFound"));
+      return;
+    }
+
+    // Prevent duplicate submissions
+    if (isPublishing) {
+      log.warn("Publish request already in progress, ignoring duplicate click");
+      return;
+    }
+
+    try {
+      setIsPublishing(true);
+      await publishVersion(currentAgentId, values);
+      message.success(t("agent.version.publishSuccess"));
+      setIsPublishModalOpen(false);
+      publishForm.resetFields();
+      invalidateAgentVersionList();
+      invalidateAgentInfo();
+      queryClient.invalidateQueries({ queryKey: ["agents"] });
+    } catch (error) {
+      log.error("Failed to publish version:", error);
+      message.error(t("agent.version.publishFailed"));
+    } finally {
+      setIsPublishing(false);
+    }
+  };
+
+  const footer = [
+    <Flex
+      align="center"
+      justify="space-between"
+      gap={8}
+      className="pl-4"
+      key="actions"
+    >
+      <Tag color="blue">
+        {t("agent.version.totalVersions", { count: total })}
+      </Tag>
+      <Button
+        type="text"
+        icon={<GitCompare size={16} />}
+        onClick={() => {
+          log.info("Version comparison");
+        }}
+      >
+        {t("agent.version.compare")}
+      </Button>
+    </Flex>,
+  ];
+
+  return (
+    <>
+      <Card
+        className="h-full min-h-0"
+        style={{ minHeight: 400, height: "100%" }}
+        title={
+          <Flex align="center" gap={8}>
+            <GitBranch size={16} />
+            {t("agent.version.manage")}
+          </Flex>
+        }
+        extra={
+          <Button
+            type="primary"
+            icon={<Rocket size={16} />}
+            onClick={handlePublishClick}
+          >
+            {t("agent.version.publish")}
+          </Button>
+        }
+        actions={footer}
+        styles={{
+          body: {
+            height: "calc(100% - 112px)",
+            overflow: "auto",
+          },
+        }}
+      >
+        {/* Desktop: Timeline style version list */}
+        <div className="w-full h-full">
+          <Spin spinning={isLoading}>
+            {agentVersionList.length === 0 ? (
+              <Flex align="center" justify="center" className="h-full">
+                <Empty />
+              </Flex>
+            ) : (
+              <Flex vertical >
+                {agentVersionList.map((version) => (
+                  <VersionCardItem
+                    key={version.version_no}
+                    version={version}
+                    agentId={currentAgentId || 0}
+                    currentVersionNo={agentInfo?.current_version_no}
+                  />
+                ))}
+              </Flex>
+            )}
+          </Spin>
+        </div>
+      </Card>
+
+      {/* Publish Version Modal */}
+      <Modal
+        centered
+        title={t("agent.version.publish")}
+        open={isPublishModalOpen}
+        onCancel={() => setIsPublishModalOpen(false)}
+        footer={null}
+        destroyOnHidden
+      >
+        <Form
+          form={publishForm}
+          layout="vertical"
+          onFinish={handlePublish}
+        >
+          <Form.Item
+            label={t("agent.version.versionName")}
+            name="version_name"
+            rules={[{ required: true, message: t("agent.version.versionNameRequired") }]}
+          >
+            <Input placeholder={t("agent.version.versionNamePlaceholder")} />
+          </Form.Item>
+          <Form.Item
+            label={t("agent.version.releaseNote")}
+            name="release_note"
+          >
+            <TextArea
+              rows={4}
+              placeholder={t("agent.version.releaseNotePlaceholder")}
+            />
+          </Form.Item>
+          <Form.Item className="mb-0 flex justify-end gap-2">
+            <Button onClick={() => setIsPublishModalOpen(false)} disabled={isPublishing}>
+              {t("common.cancel")}
+            </Button>
+            <Button type="primary" htmlType="submit" loading={isPublishing} disabled={isPublishing}>
+              {t("common.confirm")}
+            </Button>
+          </Form.Item>
+        </Form>
+      </Modal>
+    </>
+  );
+}
diff --git a/frontend/app/[locale]/agents/components/AgentConfigComp.tsx b/frontend/app/[locale]/agents/components/AgentConfigComp.tsx
index b510b120a..dc87104b5 100644
--- a/frontend/app/[locale]/agents/components/AgentConfigComp.tsx
+++ b/frontend/app/[locale]/agents/components/AgentConfigComp.tsx
@@ -24,8 +24,6 @@ export default function AgentConfigComp({}: AgentConfigCompProps) {
 
   const isCreatingMode = useAgentConfigStore((state) => state.isCreatingMode);
 
-  const editable = currentAgentId || isCreatingMode;
-
   const [isMcpModalOpen, setIsMcpModalOpen] = useState(false);
   const [isRefreshing, setIsRefreshing] = useState(false);
 
diff --git a/frontend/app/[locale]/agents/components/AgentInfoComp.tsx b/frontend/app/[locale]/agents/components/AgentInfoComp.tsx
index 2a047f851..0114fd5d0 100644
--- a/frontend/app/[locale]/agents/components/AgentInfoComp.tsx
+++ b/frontend/app/[locale]/agents/components/AgentInfoComp.tsx
@@ -1,9 +1,10 @@
 "use client";
 
-import { useState } from "react";
+import { useState, useEffect } from "react";
 import { useTranslation } from "react-i18next";
-import { Row, Col, Flex, Badge, Divider, Button, Drawer, App } from "antd";
-import { Bug, Save, Info } from "lucide-react";
+import { Row, Col, Flex, Badge, Divider, Button, Drawer, Tooltip, Tag } from "antd";
+import { useQueryClient } from "@tanstack/react-query";
+import { Bug, Save, Info, GitBranch, History } from "lucide-react";
 
 import { AGENT_SETUP_LAYOUT_DEFAULT } from "@/const/agentConfig";
 import { useAgentConfigStore } from "@/stores/agentConfigStore";
@@ -12,21 +13,45 @@ import { AgentBusinessInfo, AgentProfileInfo } from "@/types/agentConfig";
 
 import AgentGenerateDetail from "./agentInfo/AgentGenerateDetail";
 import DebugConfig from "./agentInfo/DebugConfig";
+import { useAgentVersionList } from "@/hooks/agent/useAgentVersionList";
+import { useAgentVersionDetail } from "@/hooks/agent/useAgentVersionDetail";
+import { useAgentInfo } from "@/hooks/agent/useAgentInfo";
+
+export interface AgentInfoCompProps {
+  isShowVersionManagePanel: boolean;
+  openVersionManagePanel: () => void;
+  closeVersionManagementPanel: () => void;
+}
 
-export interface AgentInfoCompProps {}
-
-export default function AgentInfoComp({}: AgentInfoCompProps) {
+export default function AgentInfoComp({
+  isShowVersionManagePanel,
+  openVersionManagePanel,
+  closeVersionManagementPanel,
+}: AgentInfoCompProps) {
   const { t } = useTranslation("common");
 
   // Get data from store
-  const { editedAgent, updateBusinessInfo, updateProfileInfo, isCreatingMode } =
-    useAgentConfigStore();
+  const {
+    editedAgent,
+    updateBusinessInfo,
+    updateProfileInfo,
+    isCreatingMode,
+    currentAgentPermission,
+  } = useAgentConfigStore();
 
-  // Get state from store
   const currentAgentId = useAgentConfigStore((state) => state.currentAgentId);
 
-  const editable =
-    (currentAgentId != null && currentAgentId != undefined) || isCreatingMode;
+  const isPanelActive = (currentAgentId != null && currentAgentId != undefined) || isCreatingMode;
+  const { agentVersionList, total } = useAgentVersionList(currentAgentId)
+
+  const { agentInfo } = useAgentInfo(currentAgentId);
+
+  const { agentVersionDetail } = useAgentVersionDetail(
+    currentAgentId, agentInfo?.current_version_no
+  );
+    
+  const isReadOnly = isPanelActive && !isCreatingMode && currentAgentPermission === "READ_ONLY";
+  const isEditable = isPanelActive && !isReadOnly;
 
   // Save guard hook
   const saveGuard = useSaveGuard();
@@ -52,28 +77,60 @@ export default function AgentInfoComp({}: AgentInfoCompProps) {
       {
         <Flex vertical className="h-full overflow-hidden">
           <Row>
-            <Col>
+            <Col className="w-full">
               <Flex
-                justify="flex-start"
+                justify="space-between"
                 align="center"
                 gap={8}
                 style={{ marginBottom: "4px" }}
+                className="w-full"
               >
-                <Badge count={3} color="blue" />
-                <h2 className="text-lg font-medium">
-                  {t("guide.steps.describeBusinessLogic.title")}
-                </h2>
+                <Flex justify="flex-start" align="center" gap={8}>
+                  <Badge count={3} color="blue" />
+                  <h2 className="text-lg font-medium">
+                    {t("guide.steps.describeBusinessLogic.title")}
+                  </h2>
+                </Flex>
+                <Button
+                  icon={<GitBranch size={16} />}
+                  onClick={isShowVersionManagePanel ? closeVersionManagementPanel : openVersionManagePanel}
+                  type={isShowVersionManagePanel ? "primary" : "default"}
+                >
+                  {t("agent.version.manage")}
+                </Button>
               </Flex>
             </Col>
           </Row>
 
           <Divider style={{ margin: "10px 0" }} />
+          {!isCreatingMode && agentInfo?.current_version_no !== 0 && total > 0 && (
+            <Row style={{ marginBottom: "8px" }}>
+              <Col className="w-full">
+                <Flex
+                  justify="space-between"
+                  align="center"
+                  className="w-full py-2 px-4 bg-gray-100 rounded-lg text-gray-700"
+                >
+                  <Flex justify="start" align="center" gap={4}>
+                    <History size={16} />
+                    <span className="text-sm">
+                      {t("agent.version.currentVersion")} :
+                    </span>
+                    <Tag color="cyan" variant="outlined" className="rounded-md font-mono text-sm"> {agentVersionDetail?.version.version_name}</Tag>
+                  </Flex>
+                  <Flex justify="end" align="center" gap={8} >
+                    {t("agent.version.totalVersions", { count: total ?? 0 })}
+                  </Flex>
+                </Flex>
+              </Col>
+            </Row>
+          )}
 
           <Row className="flex-1 min-h-0 h-full">
             <Col xs={24} className="h-full">
               <Flex vertical className="h-full min-h-0 w-full min-w-0">
                 <AgentGenerateDetail
-                  editable={editable}
+                  editable={isEditable}
                   editedAgent={editedAgent}
                   currentAgentId={currentAgentId}
                   onUpdateProfile={handleUpdateProfile}
@@ -103,23 +160,27 @@ export default function AgentInfoComp({}: AgentInfoCompProps) {
                 {t("systemPrompt.button.debug")}
               </Button>
 
-              <Button
-                icon={<Save size={16} />}
-                color="green"
-                variant="solid"
-                onClick={saveGuard.save}
-                size="middle"
-                title={t("common.save")}
-                disabled={isGenerating}
-              >
-                {t("common.save")}
-              </Button>
+              <Tooltip title={isReadOnly ? t("agent.noEditPermission") : undefined}>
+                <span>
+                  <Button
+                    icon={<Save size={16} />}
+                    color="green"
+                    variant="solid"
+                    onClick={saveGuard.save}
+                    size="middle"
+                    title={t("common.save")}
+                    disabled={isGenerating || isReadOnly}
+                  >
+                    {t("common.save")}
+                  </Button>
+                </span>
+              </Tooltip>
             </Col>
           </Row>
         </Flex>
       }
 
-      {!editable && (
+      {!isPanelActive && (
         <Flex>
           <div className="absolute inset-0 bg-white bg-opacity-95 flex items-center justify-center z-50 transition-all duration-300 ease-out animate-in fade-in-0">
             <div className="space-y-3 animate-in fade-in-50 duration-400 delay-50 text-center">
diff --git a/frontend/app/[locale]/agents/components/AgentManageComp.tsx b/frontend/app/[locale]/agents/components/AgentManageComp.tsx
index ce0f36525..c636486ab 100644
--- a/frontend/app/[locale]/agents/components/AgentManageComp.tsx
+++ b/frontend/app/[locale]/agents/components/AgentManageComp.tsx
@@ -4,74 +4,36 @@ import { useTranslation } from "react-i18next";
 import { App, Row, Col, Flex, Tooltip, Badge, Divider } from "antd";
 import { FileInput, Plus, X } from "lucide-react";
 
-import { Agent } from "@/types/agentConfig";
 import AgentList from "./agentManage/AgentList";
-import { useSaveGuard } from "@/hooks/agent/useSaveGuard";
-import { useCallback } from "react";
+
 import { useAgentConfigStore } from "@/stores/agentConfigStore";
 import { importAgent } from "@/services/agentConfigService";
 import { useMutation, useQueryClient } from "@tanstack/react-query";
 import { useAgentList } from "@/hooks/agent/useAgentList";
-import { useAgentInfo } from "@/hooks/agent/useAgentInfo";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
 import log from "@/lib/logger";
-import { useState, useEffect } from "react";
+import { useState } from "react";
 import { ImportAgentData } from "@/hooks/useAgentImport";
 import AgentImportWizard from "@/components/agent/AgentImportWizard";
-import { clearAgentNewMark } from "@/services/agentConfigService";
-import { clearAgentAndSync } from "@/lib/agentNewUtils";
+
 
 export default function AgentManageComp() {
   const { t } = useTranslation("common");
   const { message } = App.useApp();
+  const { user } = useAuthorizationContext();
 
   // Get state from store
-  const currentAgentId = useAgentConfigStore((state) => state.currentAgentId);
-  const hasUnsavedChanges = useAgentConfigStore(
-    (state) => state.hasUnsavedChanges
-  );
   const isCreatingMode = useAgentConfigStore((state) => state.isCreatingMode);
-  const setCurrentAgent = useAgentConfigStore((state) => state.setCurrentAgent);
   const enterCreateMode = useAgentConfigStore((state) => state.enterCreateMode);
   const reset = useAgentConfigStore((state) => state.reset);
 
-  // Unsaved changes guard
-  const checkUnsavedChanges = useSaveGuard();
-
-  // Handle unsaved changes check and agent switching
-  const handleAgentSwitch = useCallback(
-    async (agentDetail: any) => {
-      const canSwitch = await checkUnsavedChanges.saveWithModal();
-      if (canSwitch) {
-        setCurrentAgent(agentDetail);
-      }
-    },
-    [checkUnsavedChanges]
-  );
-
-  const editable = currentAgentId || isCreatingMode;
-
-  // Shared agent list via React Query
-  const { agents: agentList, isLoading: loading, refetch } = useAgentList();
-  const queryClient = useQueryClient();
-
-  // State for selected agent info loading
-  const [selectedAgentId, setSelectedAgentId] = useState<number | null>(null);
-
   // Import wizard state
   const [importWizardVisible, setImportWizardVisible] = useState(false);
   const [importWizardData, setImportWizardData] =
     useState<ImportAgentData | null>(null);
 
-  const {
-    data: agentDetail,
-    isLoading: agentInfoLoading,
-    error: agentInfoError,
-  } = useAgentInfo(selectedAgentId);
-
-  const importAgentMutation = useMutation({
-    mutationFn: (agentData: any) => importAgent(agentData),
-    onSuccess: () => queryClient.invalidateQueries({ queryKey: ["agents"] }),
-  });
+  // Shared agent list via React Query
+  const { agents: agentList, isLoading: loading, refetch } = useAgentList(user?.tenantId ?? null);
 
   // Handle import agent for space view - open wizard instead of direct import
   const handleImportAgent = () => {
@@ -117,63 +79,6 @@ export default function AgentManageComp() {
     fileInput.click();
   };
 
-  // Handle agent detail loading completion
-  useEffect(() => {
-    if (
-      selectedAgentId &&
-      agentDetail &&
-      !agentInfoLoading &&
-      !agentInfoError
-    ) {
-      // Handle agent switch with unsaved changes check
-      handleAgentSwitch(agentDetail);
-      setSelectedAgentId(null);
-    } else if (selectedAgentId && agentInfoError && !agentInfoLoading) {
-      // Handle error
-      log.error("Failed to load agent detail:", agentInfoError);
-      message.error(t("agentConfig.agents.detailsLoadFailed"));
-      setSelectedAgentId(null);
-    }
-  }, [
-    selectedAgentId,
-    agentDetail,
-    agentInfoLoading,
-    agentInfoError,
-    handleAgentSwitch,
-    message,
-    t,
-  ]);
-
-  // Handle select agent
-  const handleSelectAgent = async (agent: Agent) => {
-    // If already selected, deselect it
-    if (
-      currentAgentId !== null &&
-      String(currentAgentId) === String(agent.id)
-    ) {
-      const canDeselect = await checkUnsavedChanges.saveWithModal();
-      if (canDeselect) {
-        setCurrentAgent(null);
-      }
-      return;
-    }
-
-    // Clear NEW mark when agent is selected for editing (only if marked as new)
-    if (agent.is_new === true) {
-      try {
-        const res = await clearAgentAndSync(agent.id, queryClient);
-        if (!res?.success) {
-          log.warn("Failed to clear NEW mark on select:", res);
-        }
-      } catch (err) {
-        log.error("Failed to clear NEW mark on select:", err);
-      }
-    }
-
-    // Set selected agent id to trigger the hook
-    setSelectedAgentId(Number(agent.id));
-  };
-
   return (
     <>
       {/* Import handled by Ant Design Upload (no hidden input required) */}
@@ -283,17 +188,7 @@ export default function AgentManageComp() {
         </Row>
 
         <div className="flex-1 min-h-0">
-          <AgentList
-            agentList={agentList}
-            currentAgentId={currentAgentId}
-            hasUnsavedChanges={hasUnsavedChanges}
-            onSelectAgent={handleSelectAgent}
-            onAgentDeleted={(agentId) => {
-              if (currentAgentId === agentId) {
-                setCurrentAgent(null);
-              }
-            }}
-          />
+          <AgentList agentList={agentList} />
         </div>
       </Flex>
 
diff --git a/frontend/app/[locale]/agents/components/agentConfig/CollaborativeAgent.tsx b/frontend/app/[locale]/agents/components/agentConfig/CollaborativeAgent.tsx
index b39da4580..c21f8d612 100644
--- a/frontend/app/[locale]/agents/components/agentConfig/CollaborativeAgent.tsx
+++ b/frontend/app/[locale]/agents/components/agentConfig/CollaborativeAgent.tsx
@@ -8,23 +8,31 @@ import { Agent } from "@/types/agentConfig";
 import { useAgentConfigStore } from "@/stores/agentConfigStore";
 import { useAgentList } from "@/hooks/agent/useAgentList";
 import { useAgentInfo } from "@/hooks/agent/useAgentInfo";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
 
 interface CollaborativeAgentProps {}
 
 export default function CollaborativeAgent({}: CollaborativeAgentProps) {
   const { t } = useTranslation("common");
   const { message } = App.useApp();
+  const { user } = useAuthorizationContext();
 
   const currentAgentId = useAgentConfigStore((state) => state.currentAgentId);
   const isCreatingMode = useAgentConfigStore((state) => state.isCreatingMode);
+  const currentAgentPermission = useAgentConfigStore(
+    (state) => state.currentAgentPermission
+  );
   const editedAgent = useAgentConfigStore((state) => state.editedAgent);
   const updateSubAgentIds = useAgentConfigStore(
     (state) => state.updateSubAgentIds
   );
 
-  const { availableAgents } = useAgentList();
+  const { availableAgents } = useAgentList(user?.tenantId ?? null);
 
-  const editable = currentAgentId || isCreatingMode;
+  const editable =
+    !!isCreatingMode ||
+    ((currentAgentId != null && currentAgentId != undefined) &&
+      currentAgentPermission !== "READ_ONLY");
 
   // Get related agents - use edited agent state (which includes current agent data when editing)
   const relatedAgentIds = Array.isArray(editedAgent?.sub_agent_id_list)
diff --git a/frontend/app/[locale]/agents/components/agentConfig/McpConfigModal.tsx b/frontend/app/[locale]/agents/components/agentConfig/McpConfigModal.tsx
index b7a02d384..dedf946d8 100644
--- a/frontend/app/[locale]/agents/components/agentConfig/McpConfigModal.tsx
+++ b/frontend/app/[locale]/agents/components/agentConfig/McpConfigModal.tsx
@@ -1,6 +1,6 @@
 "use client";
 
-import { useState, useEffect } from "react";
+import { useState, useEffect, type ComponentProps } from "react";
 import { useTranslation } from "react-i18next";
 import {
   Modal,
@@ -100,6 +100,37 @@ export default function McpConfigModal({
   const [uploadServiceName, setUploadServiceName] = useState("");
 
   const actionsLocked = updatingTools || addingContainer || uploadingImage;
+  const noMcpEditPermissionTitle = t("mcpConfig.permission.noEdit");
+
+  const renderPermissionControlledButton = (props: {
+    isReadOnly: boolean;
+    button: Omit<ComponentProps<typeof Button>, "disabled" | "onClick"> & {
+      disabled?: boolean;
+      onClick?: (() => void) | undefined;
+    };
+  }) => {
+    const { isReadOnly, button } = props;
+    const { onClick, disabled, ...rest } = button;
+
+    const finalDisabled = Boolean(disabled) || isReadOnly;
+    const finalOnClick = finalDisabled ? undefined : onClick;
+
+    const element = (
+      <Button
+        {...rest}
+        onClick={finalOnClick}
+        disabled={finalDisabled}
+      />
+    );
+
+    if (!isReadOnly) return element;
+
+    return (
+      <Tooltip title={noMcpEditPermissionTitle}>
+        <span style={{ display: "inline-flex" }}>{element}</span>
+      </Tooltip>
+    );
+  };
 
   // Data loading is handled by React Query (enabled: visible)
 
@@ -393,6 +424,7 @@ export default function McpConfigModal({
       width: "35%",
       render: (_: any, record: any) => {
         const key = `${record.service_name}__${record.mcp_url}`;
+        const isReadOnly = record.permission === "READ_ONLY";
         return (
           <Space size="small">
             <Button
@@ -425,30 +457,36 @@ export default function McpConfigModal({
                 title={t("mcpConfig.serverList.button.viewToolsDisabledHint")}
                 placement="top"
               >
-                <Button type="link" icon={<Eye size={16} />} size="small" disabled>
-                  {t("mcpConfig.serverList.button.viewTools")}
-                </Button>
+                  <span style={{ display: "inline-flex" }}>
+                    <Button type="link" icon={<Eye size={16} />} size="small" disabled>
+                      {t("mcpConfig.serverList.button.viewTools")}
+                    </Button>
+                  </span>
               </Tooltip>
             )}
-            <Button
-              type="link"
-              icon={<Settings size={16} />}
-              onClick={() => onEditServer(record)}
-              size="small"
-              disabled={actionsLocked}
-            >
-              {t("mcpConfig.serverList.button.edit")}
-            </Button>
-            <Button
-              type="link"
-              danger
-              icon={<Trash size={16} />}
-              onClick={() => onDeleteServer(record)}
-              size="small"
-              disabled={actionsLocked}
-            >
-              {t("mcpConfig.serverList.button.delete")}
-            </Button>
+            {renderPermissionControlledButton({
+              isReadOnly,
+              button: {
+                type: "link",
+                icon: <Settings size={16} />,
+                onClick: () => onEditServer(record),
+                size: "small",
+                disabled: actionsLocked,
+                children: t("mcpConfig.serverList.button.edit"),
+              },
+            })}
+            {renderPermissionControlledButton({
+              isReadOnly,
+              button: {
+                type: "link",
+                danger: true,
+                icon: <Trash size={16} />,
+                onClick: () => onDeleteServer(record),
+                size: "small",
+                disabled: actionsLocked,
+                children: t("mcpConfig.serverList.button.delete"),
+              },
+            })}
           </Space>
         );
       },
@@ -500,29 +538,34 @@ export default function McpConfigModal({
       title: t("mcpConfig.containerList.column.action"),
       key: "action",
       width: "25%",
-      render: (_: any, record: any) => (
-        <Space size="small">
-          <Button
-            type="link"
-            icon={<FileText className="size-4" />}
-            onClick={() => onViewLogs(record.container_id)}
-            size="small"
-            disabled={updatingTools}
-          >
-            {t("mcpConfig.containerList.button.viewLogs")}
-          </Button>
-          <Button
-            type="link"
-            danger
-            icon={<Trash className="size-4" />}
-            onClick={() => onDeleteContainer(record)}
-            size="small"
-            disabled={actionsLocked}
-          >
-            {t("mcpConfig.containerList.button.delete")}
-          </Button>
-        </Space>
-      ),
+      render: (_: any, record: any) => {
+        const isReadOnly = record.permission === "READ_ONLY";
+        return (
+          <Space size="small">
+            <Button
+              type="link"
+              icon={<FileText className="size-4" />}
+              onClick={() => onViewLogs(record.container_id)}
+              size="small"
+              disabled={updatingTools}
+            >
+              {t("mcpConfig.containerList.button.viewLogs")}
+            </Button>
+            {renderPermissionControlledButton({
+              isReadOnly,
+              button: {
+                type: "link",
+                danger: true,
+                icon: <Trash className="size-4" />,
+                onClick: () => onDeleteContainer(record),
+                size: "small",
+                disabled: actionsLocked,
+                children: t("mcpConfig.containerList.button.delete"),
+              },
+            })}
+          </Space>
+        );
+      },
     },
   ];
 
diff --git a/frontend/app/[locale]/agents/components/agentConfig/ToolManagement.tsx b/frontend/app/[locale]/agents/components/agentConfig/ToolManagement.tsx
index 02ad0e8f6..e9ba86212 100644
--- a/frontend/app/[locale]/agents/components/agentConfig/ToolManagement.tsx
+++ b/frontend/app/[locale]/agents/components/agentConfig/ToolManagement.tsx
@@ -4,9 +4,12 @@ import { useState, useEffect, useCallback } from "react";
 import { useTranslation } from "react-i18next";
 import ToolConfigModal from "./tool/ToolConfigModal";
 import { ToolGroup, Tool, ToolParam } from "@/types/agentConfig";
-import { Tabs, Collapse } from "antd";
+import { Tabs, Collapse, message } from "antd";
 import { useAgentConfigStore } from "@/stores/agentConfigStore";
 import { useToolList } from "@/hooks/agent/useToolList";
+import { usePrefetchKnowledgeBases } from "@/hooks/useKnowledgeBaseSelector";
+import { updateToolConfig } from "@/services/agentConfigService";
+import { useQueryClient } from "@tanstack/react-query";
 
 import { Settings } from "lucide-react";
 
@@ -16,6 +19,22 @@ interface ToolManagementProps {
   currentAgentId?: number | undefined;
 }
 
+// Tool types that require knowledge base selection
+const TOOLS_REQUIRING_KB_SELECTION = [
+  "knowledge_base_search",
+  "dify_search",
+  "datamate_search",
+];
+
+function getToolKbType(
+  toolName: string
+): "knowledge_base_search" | "dify_search" | "datamate_search" | null {
+  if (!TOOLS_REQUIRING_KB_SELECTION.includes(toolName)) return null;
+  if (toolName === "dify_search") return "dify_search";
+  if (toolName === "datamate_search") return "datamate_search";
+  return "knowledge_base_search";
+}
+
 /**
  * ToolManagement - Component for displaying tools in tabs
  * Provides a tabbed interface for tool organization
@@ -26,6 +45,7 @@ export default function ToolManagement({
   currentAgentId,
 }: ToolManagementProps) {
   const { t } = useTranslation("common");
+  const queryClient = useQueryClient();
 
   const editable = currentAgentId || isCreatingMode;
 
@@ -42,6 +62,9 @@ export default function ToolManagement({
   // Use tool list hook for data management
   const { availableTools } = useToolList();
 
+  // Prefetch knowledge bases for KB tools
+  const { prefetchKnowledgeBases } = usePrefetchKnowledgeBases();
+
   const [activeTabKey, setActiveTabKey] = useState<string>("");
   const [expandedCategories, setExpandedCategories] = useState<Set<string>>(
     new Set()
@@ -96,6 +119,12 @@ export default function ToolManagement({
   }, [toolGroups, activeTabKey]);
 
   const handleToolSettingsClick = async (tool: Tool) => {
+    // Prefetch knowledge bases for KB tools
+    const kbType = getToolKbType(tool.name);
+    if (kbType) {
+      prefetchKnowledgeBases(kbType);
+    }
+
     // Get latest tools directly from store to avoid stale closure issues
     const currentTools = useAgentConfigStore.getState().editedAgent.tools;
     const configuredTool = currentTools.find(
@@ -124,6 +153,12 @@ export default function ToolManagement({
 
     if (!tool) return;
 
+    // Prefetch knowledge bases for KB tools
+    const kbType = getToolKbType(tool.name);
+    if (kbType) {
+      prefetchKnowledgeBases(kbType);
+    }
+
     // Get latest tools directly from store to avoid stale closure issues
     const currentSelectdTools =
       useAgentConfigStore.getState().editedAgent.tools;
@@ -178,6 +213,42 @@ export default function ToolManagement({
           },
         ];
         updateTools(newSelectedTools);
+
+        // In non-creating mode, immediately save tool config to backend
+        if (!isCreatingMode && currentAgentId) {
+          try {
+            // Convert params to backend format
+            const paramsObj = mergedParams.reduce(
+              (acc, param) => {
+                acc[param.name] = param.value;
+                return acc;
+              },
+              {} as Record<string, any>
+            );
+
+            const isEnabled = true; // New tool is enabled by default
+            const result = await updateToolConfig(
+              numericId,
+              currentAgentId,
+              paramsObj,
+              isEnabled
+            );
+
+            if (result.success) {
+              // Invalidate queries to refresh tool info
+              queryClient.invalidateQueries({
+                queryKey: ["toolInfo", numericId, currentAgentId],
+              });
+            } else {
+              message.error(
+                result.message || t("toolConfig.message.saveError")
+              );
+            }
+          } catch (error) {
+            console.error("Failed to save tool config:", error);
+            message.error(t("toolConfig.message.saveError"));
+          }
+        }
       }
     }
   };
diff --git a/frontend/app/[locale]/agents/components/agentConfig/tool/ToolConfigModal.tsx b/frontend/app/[locale]/agents/components/agentConfig/tool/ToolConfigModal.tsx
index 57d1d2aa0..7276e2c67 100644
--- a/frontend/app/[locale]/agents/components/agentConfig/tool/ToolConfigModal.tsx
+++ b/frontend/app/[locale]/agents/components/agentConfig/tool/ToolConfigModal.tsx
@@ -1,6 +1,6 @@
 "use client";
 
-import { useState, useEffect } from "react";
+import { useState, useEffect, useCallback, useMemo } from "react";
 import { useTranslation } from "react-i18next";
 import {
   Modal,
@@ -11,14 +11,25 @@ import {
   Form,
   message,
   Select,
+  Skeleton,
 } from "antd";
 import { useQueryClient } from "@tanstack/react-query";
 import { useAgentConfigStore } from "@/stores/agentConfigStore";
+import { CloseOutlined } from "@ant-design/icons";
+import { ConfigStore } from "@/lib/config";
 
 import { TOOL_PARAM_TYPES, getToolParamOptions } from "@/const/agentConfig";
 import { ToolParam, Tool } from "@/types/agentConfig";
+import { KnowledgeBase } from "@/types/knowledgeBase";
 import ToolTestPanel from "./ToolTestPanel";
 import { updateToolConfig } from "@/services/agentConfigService";
+import KnowledgeBaseSelectorModal from "@/components/tool-config/KnowledgeBaseSelectorModal";
+import {
+  useKnowledgeBasesForToolConfig,
+  useSyncKnowledgeBases,
+} from "@/hooks/useKnowledgeBaseSelector";
+import { API_ENDPOINTS } from "@/services/api";
+import log from "@/lib/logger";
 
 export interface ToolConfigModalProps {
   isOpen: boolean;
@@ -31,6 +42,13 @@ export interface ToolConfigModalProps {
   currentAgentId?: number;
 }
 
+// Tool types that require knowledge base selection
+const TOOLS_REQUIRING_KB_SELECTION = [
+  "knowledge_base_search",
+  "dify_search",
+  "datamate_search",
+];
+
 export default function ToolConfigModal({
   isOpen,
   onCancel,
@@ -50,8 +68,381 @@ export default function ToolConfigModal({
 
   // Tool test panel visibility state
   const [testPanelVisible, setTestPanelVisible] = useState(false);
-  // Initialize with provided params
+
+  // Knowledge base selector state
+  const [kbSelectorVisible, setKbSelectorVisible] = useState(false);
+  const [currentKbParamIndex, setCurrentKbParamIndex] = useState<number | null>(
+    null
+  );
+  const [selectedKbIds, setSelectedKbIds] = useState<string[]>([]);
+  const [selectedKbDisplayNames, setSelectedKbDisplayNames] = useState<
+    string[]
+  >([]);
+  // Track if user has attempted to submit the form
+  const [hasSubmitted, setHasSubmitted] = useState(false);
+
+  // Dify configuration state
+  const [difyConfig, setDifyConfig] = useState<{
+    serverUrl: string;
+    apiKey: string;
+  }>({
+    serverUrl: "",
+    apiKey: "",
+  });
+
+  // DataMate URL from knowledge base configuration
+  const [knowledgeBaseDataMateUrl, setKnowledgeBaseDataMateUrl] =
+    useState<string>("");
+  // Track if user has manually modified the datamate URL field
+  const [hasUserModifiedDatamateUrl, setHasUserModifiedDatamateUrl] =
+    useState(false);
+
+  // Helper function to get authorization headers
+  const getAuthHeaders = () => {
+    const session =
+      typeof window !== "undefined" ? localStorage.getItem("session") : null;
+    const sessionObj = session ? JSON.parse(session) : null;
+    return {
+      "Content-Type": "application/json",
+      "User-Agent": "AgentFrontEnd/1.0",
+      ...(sessionObj?.access_token && {
+        Authorization: `Bearer ${sessionObj.access_token}`,
+      }),
+    };
+  };
+
+  // Load DataMate URL from knowledge base configuration
+  const loadKnowledgeBaseDataMateUrl = useCallback(async () => {
+    try {
+      const response = await fetch(API_ENDPOINTS.config.load, {
+        method: "GET",
+        headers: getAuthHeaders(),
+      });
+
+      if (response.ok) {
+        const result = await response.json();
+        const config = result.config;
+        if (
+          config &&
+          config.app &&
+          typeof config.app.datamateUrl === "string"
+        ) {
+          setKnowledgeBaseDataMateUrl(config.app.datamateUrl);
+        }
+      }
+    } catch (error) {
+      log.error(
+        "Failed to load DataMate URL from knowledge base config:",
+        error
+      );
+    }
+  }, []);
+
+  // Check if current tool requires knowledge base selection (must be declared before toolKbType)
+  const toolRequiresKbSelection = useMemo(() => {
+    return TOOLS_REQUIRING_KB_SELECTION.includes(tool?.name);
+  }, [tool?.name]);
+
+  // Get tool type for knowledge base selection
+  const toolKbType = useMemo(():
+    | "knowledge_base_search"
+    | "dify_search"
+    | "datamate_search"
+    | null => {
+    if (!toolRequiresKbSelection) return null;
+    const name = tool?.name;
+    if (name === "dify_search") return "dify_search";
+    if (name === "datamate_search") return "datamate_search";
+    return "knowledge_base_search";
+  }, [tool?.name, toolRequiresKbSelection]);
+
+  // Get Dify configuration from initial params
+  const difyServerUrlParam = useMemo(() => {
+    return currentParams.find((param) => param.name === "server_url");
+  }, [currentParams]);
+
+  const difyApiKeyParam = useMemo(() => {
+    return currentParams.find((param) => param.name === "api_key");
+  }, [currentParams]);
+
+  // Initialize Dify config from params
+  useEffect(() => {
+    if (toolKbType === "dify_search") {
+      const serverUrl = difyServerUrlParam?.value || "";
+      const apiKey = difyApiKeyParam?.value || "";
+
+      setDifyConfig({
+        serverUrl,
+        apiKey,
+      });
+    }
+  }, [toolKbType, difyServerUrlParam, difyApiKeyParam]);
+
+  // Fetch knowledge bases for tool config based on tool type (now uses React Query caching)
+  // For datamate_search, use the server_url from the form as config
+  const datamateServerUrl = useMemo(() => {
+    if (toolKbType === "datamate_search") {
+      const serverUrlParam = currentParams.find((p) => p.name === "server_url");
+      return serverUrlParam?.value || "";
+    }
+    return "";
+  }, [toolKbType, currentParams]);
+
+  const {
+    data: knowledgeBases = [],
+    isLoading: kbLoading,
+    refetch: refetchKnowledgeBases,
+  } = useKnowledgeBasesForToolConfig(
+    toolKbType,
+    toolKbType === "dify_search"
+      ? difyConfig
+      : toolKbType === "datamate_search"
+        ? { serverUrl: datamateServerUrl }
+        : undefined
+  );
+
+  // Sync knowledge bases hook
+  const { syncKnowledgeBases, isSyncing } = useSyncKnowledgeBases();
+
+  // Get current embedding model from config for model matching
+  const currentEmbeddingModel = useMemo(() => {
+    try {
+      const configStore = ConfigStore.getInstance();
+      const modelConfig = configStore.getModelConfig();
+      // Use modelName if available, otherwise try displayName
+      return (
+        modelConfig.embedding?.modelName ||
+        modelConfig.embedding?.displayName ||
+        null
+      );
+    } catch {
+      return null;
+    }
+  }, []);
+
+  // Check if a knowledge base can be selected
+  const canSelectKnowledgeBase = useCallback(
+    (kb: KnowledgeBase): boolean => {
+      // Empty knowledge bases cannot be selected
+      const isEmpty =
+        (kb.documentCount || 0) === 0 && (kb.chunkCount || 0) === 0;
+      if (isEmpty) {
+        return false;
+      }
+
+      // For nexent source, check model matching
+      if (kb.source === "nexent" && currentEmbeddingModel) {
+        if (
+          kb.embeddingModel &&
+          kb.embeddingModel !== "unknown" &&
+          kb.embeddingModel !== currentEmbeddingModel
+        ) {
+          return false;
+        }
+      }
+
+      return true;
+    },
+    [currentEmbeddingModel]
+  );
+
+  // Track whether this is the first time opening the modal (reset when modal closes)
+  const [modalOpened, setModalOpened] = useState(false);
+
+  // Reset modal state when modal closes
+  useEffect(() => {
+    if (!isOpen) {
+      setModalOpened(false);
+      setKnowledgeBaseDataMateUrl("");
+    }
+  }, [isOpen]);
+
+  // Initialize with provided params and sync display names when knowledgeBases is ready
+  useEffect(() => {
+    // Load DataMate URL from knowledge base configuration
+    // This should run every time the modal opens for datamate_search tool
+    if (tool?.name === "datamate_search" && isOpen && !modalOpened) {
+      loadKnowledgeBaseDataMateUrl().then(() => {
+        // After loading, check if we need to apply the URL
+        // The other useEffect will handle the application
+      });
+    }
+  }, [tool?.name, isOpen, modalOpened]);
+
+  // Apply DataMate URL default value for datamate_search tool
+  // This should only run ONCE when modal first opens
+  useEffect(() => {
+    if (!isOpen || !tool || tool.name !== "datamate_search") {
+      return;
+    }
+
+    // Mark modal as opened
+    if (!modalOpened) {
+      setModalOpened(true);
+    }
+
+    // Only apply default URL if:
+    // 1. server_url has NO saved value (empty)
+    // 2. knowledgeBaseDataMateUrl IS available
+    // 3. This is the first time opening (modalOpened is false)
+    const serverUrlParam = initialParams.find((p) => p.name === "server_url");
+
+    // If server_url already has a saved value, use it
+    if (serverUrlParam?.value) {
+      // Initialize form with saved values (including server_url)
+      setCurrentParams(initialParams);
+      const formValues: Record<string, any> = {};
+      initialParams.forEach((param, index) => {
+        formValues[`param_${index}`] = param.value;
+      });
+      form.setFieldsValue(formValues);
+
+      // Parse initial index_names/dataset_ids value for knowledge base selection
+      const kbParam = initialParams.find(
+        (p) => p.name === "index_names" || p.name === "dataset_ids"
+      );
+      if (kbParam?.value) {
+        let ids: string[] = [];
+        if (Array.isArray(kbParam.value)) {
+          ids = kbParam.value.map(String);
+        } else if (typeof kbParam.value === "string") {
+          try {
+            const parsed = JSON.parse(kbParam.value);
+            if (Array.isArray(parsed)) {
+              ids = parsed.map(String);
+            }
+          } catch {
+            ids = kbParam.value.split(",").filter(Boolean);
+          }
+        }
+        if (ids.length > 0) {
+          setSelectedKbIds(ids);
+        }
+      }
+      return;
+    }
+
+    // If we reach here, server_url has no saved value
+    // Apply default from knowledgeBaseDataMateUrl if available
+    // Only apply if user has NOT manually modified the URL field
+    if (knowledgeBaseDataMateUrl && !hasUserModifiedDatamateUrl) {
+      const updatedParams = initialParams.map((param) => {
+        if (param.name === "server_url") {
+          return { ...param, value: knowledgeBaseDataMateUrl };
+        }
+        return param;
+      });
+
+      setCurrentParams(updatedParams);
+
+      const formValues: Record<string, any> = {};
+      updatedParams.forEach((param, index) => {
+        formValues[`param_${index}`] = param.value;
+      });
+      form.setFieldsValue(formValues);
+    } else {
+      // Either no default available OR user has modified the URL, initialize with initialParams
+      setCurrentParams(initialParams);
+      const formValues: Record<string, any> = {};
+      initialParams.forEach((param, index) => {
+        formValues[`param_${index}`] = param.value;
+      });
+      form.setFieldsValue(formValues);
+    }
+
+    // Parse initial index_names/dataset_ids value for knowledge base selection
+    const kbParam = initialParams.find(
+      (p) => p.name === "index_names" || p.name === "dataset_ids"
+    );
+    if (kbParam?.value) {
+      let ids: string[] = [];
+      if (Array.isArray(kbParam.value)) {
+        ids = kbParam.value.map(String);
+      } else if (typeof kbParam.value === "string") {
+        try {
+          const parsed = JSON.parse(kbParam.value);
+          if (Array.isArray(parsed)) {
+            ids = parsed.map(String);
+          }
+        } catch {
+          ids = kbParam.value.split(",").filter(Boolean);
+        }
+      }
+      if (ids.length > 0) {
+        setSelectedKbIds(ids);
+      }
+    }
+  }, [
+    isOpen,
+    tool,
+    initialParams,
+    knowledgeBaseDataMateUrl,
+    form,
+    modalOpened,
+  ]);
+
+  // When knowledgeBaseDataMateUrl is loaded, check if we need to apply it to the form
+  // This handles the case where the URL was loaded after the initial form setup
   useEffect(() => {
+    // Only run for datamate_search tool when modal is open
+    if (!isOpen || !tool || tool.name !== "datamate_search") {
+      return;
+    }
+
+    // Skip if server_url already has a saved value
+    const serverUrlParam = initialParams.find((p) => p.name === "server_url");
+    if (serverUrlParam?.value) {
+      return;
+    }
+
+    // Skip if no knowledgeBaseDataMateUrl available
+    if (!knowledgeBaseDataMateUrl) {
+      return;
+    }
+
+    // Skip if user has manually modified the URL field
+    if (hasUserModifiedDatamateUrl) {
+      return;
+    }
+
+    // Skip if form is already initialized with this URL
+    const existingUrlParam = currentParams.find((p) => p.name === "server_url");
+    if (existingUrlParam?.value === knowledgeBaseDataMateUrl) {
+      return;
+    }
+
+    // Apply the loaded URL to the form
+    const updatedParams = initialParams.map((param) => {
+      if (param.name === "server_url") {
+        return { ...param, value: knowledgeBaseDataMateUrl };
+      }
+      return param;
+    });
+
+    setCurrentParams(updatedParams);
+
+    const formValues: Record<string, any> = {};
+    updatedParams.forEach((param, index) => {
+      formValues[`param_${index}`] = param.value;
+    });
+    form.setFieldsValue(formValues);
+  }, [
+    isOpen,
+    tool,
+    initialParams,
+    knowledgeBaseDataMateUrl,
+    form,
+    currentParams,
+    hasUserModifiedDatamateUrl,
+  ]);
+
+  // Initialize form values for non-datamate tools
+  useEffect(() => {
+    // Skip if it's datamate_search tool (handled by other useEffects above)
+    if (tool?.name === "datamate_search") {
+      return;
+    }
+
     // Initialize form values
     setCurrentParams(initialParams);
     const formValues: Record<string, any> = {};
@@ -59,7 +450,74 @@ export default function ToolConfigModal({
       formValues[`param_${index}`] = param.value;
     });
     form.setFieldsValue(formValues);
-  }, [initialParams]);
+
+    // Parse initial index_names/dataset_ids value for knowledge base selection
+    if (toolRequiresKbSelection) {
+      // Support both index_names and dataset_ids
+      const kbParam = initialParams.find(
+        (p) => p.name === "index_names" || p.name === "dataset_ids"
+      );
+      if (kbParam?.value) {
+        let ids: string[] = [];
+        // Value can be an array or a JSON string
+        if (Array.isArray(kbParam.value)) {
+          ids = kbParam.value.map(String);
+        } else if (typeof kbParam.value === "string") {
+          try {
+            const parsed = JSON.parse(kbParam.value);
+            if (Array.isArray(parsed)) {
+              ids = parsed.map(String);
+            }
+          } catch {
+            ids = kbParam.value.split(",").filter(Boolean);
+          }
+        }
+
+        if (ids.length > 0) {
+          setSelectedKbIds(ids);
+          // If knowledgeBases is already loaded, sync display names immediately
+          if (knowledgeBases.length > 0) {
+            const displayNames = ids.map((id) => {
+              const kb = knowledgeBases.find((k) => k.id === id);
+              return kb?.display_name || kb?.name || id;
+            });
+            setSelectedKbDisplayNames(displayNames);
+          }
+        }
+      }
+    }
+  }, [initialParams, toolRequiresKbSelection, tool?.name, form]);
+
+  // Sync selectedKbDisplayNames when knowledgeBases or selectedKbIds changes
+  useEffect(() => {
+    if (selectedKbIds.length > 0 && knowledgeBases.length > 0) {
+      const displayNames = selectedKbIds.map((id) => {
+        const kb = knowledgeBases.find((k) => k.id === id);
+        return kb?.display_name || kb?.name || id;
+      });
+      setSelectedKbDisplayNames(displayNames);
+    }
+  }, [knowledgeBases, selectedKbIds]);
+
+  // Trigger refetch when opening for knowledge base tools (with loading state support)
+  useEffect(() => {
+    if (toolRequiresKbSelection && isOpen) {
+      // For Dify, only refetch if we have valid config
+      if (toolKbType === "dify_search") {
+        if (difyConfig.serverUrl && difyConfig.apiKey) {
+          refetchKnowledgeBases();
+        }
+      } else {
+        refetchKnowledgeBases();
+      }
+    }
+  }, [
+    toolRequiresKbSelection,
+    isOpen,
+    refetchKnowledgeBases,
+    toolKbType,
+    difyConfig,
+  ]);
 
   // Watch all form values and sync to currentParams
   const formValues = Form.useWatch([], form);
@@ -77,11 +535,46 @@ export default function ToolConfigModal({
   }, [formValues]);
 
   const handleSave = async () => {
+    // Mark that user has attempted to submit the form
+    setHasSubmitted(true);
+
     try {
+      // Force sync form values to currentParams before validation
+      const latestFormValues = form.getFieldsValue();
+      if (latestFormValues) {
+        const newParams = [...currentParams];
+        Object.entries(latestFormValues).forEach(([fieldName, value]) => {
+          const index = parseInt(fieldName.replace("param_", ""));
+          if (!isNaN(index) && newParams[index]) {
+            newParams[index] = { ...newParams[index], value };
+          }
+        });
+        setCurrentParams(newParams);
+      }
+
       await form.validateFields();
-      if (!selectedTool) return;
 
-      // Convert params to backend format
+      // Check if knowledge base selector has valid selection (for index_names/dataset_ids fields)
+      // Since these fields use custom UI without form control, we need manual validation
+      if (toolRequiresKbSelection && selectedKbIds.length === 0) {
+        const kbParam = currentParams.find(
+          (p) =>
+            p.required && (p.name === "index_names" || p.name === "dataset_ids")
+        );
+        if (kbParam) {
+          message.error(t("toolConfig.validation.selectKb"));
+          return;
+        }
+      }
+
+      // Use selectedTool if available, otherwise use tool
+      const toolToSave = selectedTool || tool;
+      if (!toolToSave) {
+        message.error("No tool selected");
+        return;
+      }
+
+      // Convert params to backend format (use the synced params)
       const paramsObj = currentParams.reduce(
         (acc, param) => {
           acc[param.name] = param.value;
@@ -91,7 +584,7 @@ export default function ToolConfigModal({
       );
 
       // Update local state: Add tool to selected tools with updated params
-      const updatedTool = { ...selectedTool, initParams: currentParams };
+      const updatedTool = { ...toolToSave, initParams: currentParams };
       const currentTools = useAgentConfigStore.getState().editedAgent.tools;
 
       // Check if tool already exists, if so replace it, otherwise add it
@@ -109,51 +602,68 @@ export default function ToolConfigModal({
         newSelectedTools = [...currentTools, updatedTool];
       }
 
+      // For editing mode (when currentAgentId exists), always call API
+      // For creating mode (isCreatingMode=true), update local state only
       if (isCreatingMode) {
         // In creating mode, just update local state
         updateTools(newSelectedTools);
         message.success(t("toolConfig.message.saveSuccess"));
         handleClose(); // Close modal
-      } else if (currentAgentId) {
-        try {
-          const isEnabled = true; //  New tool is enabled by default
-          const result = await updateToolConfig(
-            parseInt(selectedTool.id),
-            currentAgentId,
-            paramsObj,
-            isEnabled
-          );
+        return;
+      }
 
-          if (result.success) {
-            // Update local state and invalidate queries
-            updateTools(newSelectedTools);
-            queryClient.invalidateQueries({
-              queryKey: ["toolInfo", parseInt(selectedTool.id), currentAgentId],
-            });
-            message.success(t("toolConfig.message.saveSuccess"));
-            handleClose(); // Close modal
-          } else {
-            message.error(result.message || t("toolConfig.message.saveError"));
-          }
-        } catch (error) {
-          message.error(t("toolConfig.message.saveError"));
+      if (!currentAgentId) {
+        // Should not happen in normal editing mode, but handle gracefully
+        updateTools(newSelectedTools);
+        message.success(t("toolConfig.message.saveSuccess"));
+        handleClose(); // Close modal
+        return;
+      }
+
+      // Edit mode: call API to persist changes
+      try {
+        setIsLoading(true);
+        const isEnabled = true; //  New tool is enabled by default
+        const result = await updateToolConfig(
+          parseInt(toolToSave.id),
+          currentAgentId,
+          paramsObj,
+          isEnabled
+        );
+        setIsLoading(false);
+
+        if (result.success) {
+          // Update local state and invalidate queries
+          updateTools(newSelectedTools);
+          queryClient.invalidateQueries({
+            queryKey: ["toolInfo", parseInt(toolToSave.id), currentAgentId],
+          });
+          message.success(t("toolConfig.message.saveSuccess"));
+          handleClose(); // Close modal
+        } else {
+          message.error(result.message || t("toolConfig.message.saveError"));
         }
+      } catch (error) {
+        setIsLoading(false);
+        message.error(t("toolConfig.message.saveError"));
       }
 
       // Call original onSave if provided
       if (onSave) {
         onSave(currentParams);
       }
-    } catch (error) {
+    } catch {
       // Form validation failed, error will be shown by antd Form
-      message.error("Form validation failed:");
     }
   };
 
   const handleClose = () => {
     setTestPanelVisible(false);
+    // Reset user modification tracking state for datamate URL
+    setHasUserModifiedDatamateUrl(false);
     onCancel();
   };
+
   // Handle tool testing - toggle test panel
   const handleTestTool = () => {
     setTestPanelVisible(!testPanelVisible);
@@ -164,6 +674,212 @@ export default function ToolConfigModal({
     setTestPanelVisible(false);
   };
 
+  // Open knowledge base selector
+  const openKbSelector = (paramIndex: number) => {
+    setCurrentKbParamIndex(paramIndex);
+    setKbSelectorVisible(true);
+  };
+
+  // Handle knowledge base selection confirm
+  const handleKbConfirm = (selectedKnowledgeBases: KnowledgeBase[]) => {
+    const ids = selectedKnowledgeBases.map((kb) => kb.id);
+    // Use display_name if available, otherwise fall back to name
+    const displayNames = selectedKnowledgeBases.map(
+      (kb) => kb.display_name || kb.name
+    );
+
+    setSelectedKbIds(ids);
+    setSelectedKbDisplayNames(displayNames);
+    // Reset submit state when user makes a selection
+    setHasSubmitted(false);
+
+    // Update form value
+    if (currentKbParamIndex !== null) {
+      const param = currentParams[currentKbParamIndex];
+      if (param) {
+        // Store as array
+        const formFieldName = `param_${currentKbParamIndex}`;
+        form.setFieldValue(formFieldName, ids);
+
+        // Also update currentParams directly since Form.Item has no name for index_names/dataset_ids
+        const updatedParams = [...currentParams];
+        updatedParams[currentKbParamIndex] = {
+          ...updatedParams[currentKbParamIndex],
+          value: ids,
+        };
+        setCurrentParams(updatedParams);
+      }
+    }
+
+    setKbSelectorVisible(false);
+    setCurrentKbParamIndex(null);
+  };
+
+  // Remove a single knowledge base from selection
+  const removeKbFromSelection = (indexToRemove: number, paramIndex: number) => {
+    const newIds = selectedKbIds.filter((_, i) => i !== indexToRemove);
+    const newDisplayNames = selectedKbDisplayNames.filter(
+      (_, i) => i !== indexToRemove
+    );
+
+    setSelectedKbIds(newIds);
+    setSelectedKbDisplayNames(newDisplayNames);
+    // Reset submit state when user modifies selection
+    setHasSubmitted(false);
+
+    // Update form value
+    const formFieldName = `param_${paramIndex}`;
+    form.setFieldValue(formFieldName, newIds);
+
+    // Also update currentParams directly since Form.Item has no name for index_names/dataset_ids
+    const updatedParams = [...currentParams];
+    updatedParams[paramIndex] = {
+      ...updatedParams[paramIndex],
+      value: newIds,
+    };
+    setCurrentParams(updatedParams);
+  };
+
+  // Get tool type for knowledge base selector
+  const getToolType = ():
+    | "knowledge_base_search"
+    | "dify_search"
+    | "datamate_search" => {
+    return toolKbType || "knowledge_base_search";
+  };
+
+  // Render knowledge base selector input (no button, just clickable input)
+  const renderKbSelectorInput = useCallback(
+    (param: ToolParam, index: number) => {
+      const fieldName = `param_${index}`;
+      const formValue = form.getFieldValue(fieldName);
+
+      // Get display names based on current form value and knowledgeBases
+      let displayNames: string[] = [];
+      let ids: string[] = [];
+      if (formValue) {
+        // Value can be an array or a JSON string
+        if (Array.isArray(formValue)) {
+          ids = formValue.map((id) => String(id));
+        } else if (typeof formValue === "string") {
+          try {
+            const parsed = JSON.parse(formValue);
+            if (Array.isArray(parsed)) {
+              ids = parsed.map((id) => String(id));
+            }
+          } catch {
+            ids = formValue.split(",").filter(Boolean);
+          }
+        }
+
+        // Map IDs to display names
+        if (ids.length > 0 && knowledgeBases.length > 0) {
+          displayNames = ids.map((id) => {
+            const cleanId = id.trim();
+            const kb = knowledgeBases.find((k) => k.id === cleanId);
+            return kb?.display_name || kb?.name || cleanId;
+          });
+        }
+      }
+
+      // Fallback to selectedKbDisplayNames if displayNames is empty
+      if (displayNames.length === 0 && selectedKbDisplayNames.length > 0) {
+        displayNames = selectedKbDisplayNames;
+        ids = selectedKbIds;
+      }
+
+      // Use the actual ids and displayNames for rendering
+      const tagsToRender = ids.length > 0 ? ids : [];
+      const namesToRender = displayNames;
+
+      const placeholder = t(
+        "toolConfig.input.knowledgeBaseSelector.placeholder",
+        {
+          name: param.description || param.name,
+        }
+      );
+
+      // Check if this field has validation error
+      // Only show error after user has attempted to submit the form
+      const hasError =
+        hasSubmitted && param.required && selectedKbIds.length === 0;
+
+      return (
+        <div>
+          <div
+            className={`cursor-pointer bg-white border rounded px-3 py-2 transition-colors ${
+              hasError
+                ? "border-red-500 hover:border-red-500"
+                : "border-gray-300 hover:border-blue-400"
+            }`}
+            onClick={() => openKbSelector(index)}
+            style={{
+              width: "100%",
+              minHeight: "32px",
+              display: "flex",
+              flexWrap: "wrap",
+              alignItems: "center",
+              gap: "4px",
+            }}
+            title={namesToRender.join(", ")}
+          >
+            {kbLoading && knowledgeBases.length === 0 ? (
+              // Show skeleton loading when fetching knowledge bases
+              <div className="flex items-center gap-2 w-full">
+                <Skeleton.Input active size="small" style={{ width: "60%" }} />
+              </div>
+            ) : namesToRender.length > 0 ? (
+              namesToRender.map((name, i) => (
+                <Tag
+                  key={tagsToRender[i]}
+                  closeIcon={
+                    <span className="ant-tag-close-icon">
+                      <CloseOutlined style={{ fontSize: "10px" }} />
+                    </span>
+                  }
+                  onClose={(e) => {
+                    e.stopPropagation();
+                    removeKbFromSelection(i, index);
+                  }}
+                  style={{
+                    marginRight: 0,
+                    display: "inline-flex",
+                    alignItems: "center",
+                    lineHeight: "20px",
+                    padding: "0 8px",
+                    fontSize: "13px",
+                  }}
+                >
+                  {name}
+                </Tag>
+              ))
+            ) : (
+              <span className="text-gray-400 text-sm">{placeholder}</span>
+            )}
+          </div>
+          {/* Show error message when validation fails */}
+          {hasError && (
+            <div
+              className="ant-form-item-explain-error"
+              style={{ marginTop: "4px" }}
+            >
+              {t("toolConfig.validation.selectKb")}
+            </div>
+          )}
+        </div>
+      );
+    },
+    [
+      form,
+      knowledgeBases,
+      selectedKbIds,
+      selectedKbDisplayNames,
+      kbLoading,
+      hasSubmitted,
+      t,
+    ]
+  );
+
   const renderParamInput = (param: ToolParam, index: number) => {
     // Get options from frontend configuration based on tool name and parameter name
     const options = getToolParamOptions(tool.name, param.name);
@@ -204,6 +920,19 @@ export default function ToolConfigModal({
         case TOOL_PARAM_TYPES.ARRAY:
         case TOOL_PARAM_TYPES.OBJECT:
         default:
+          // Check if parameter name contains "password" for secure input
+          const isPasswordType = param.name.toLowerCase().includes("password");
+
+          if (isPasswordType) {
+            return (
+              <Input.Password
+                placeholder={t("toolConfig.input.string.placeholder", {
+                  name: param.description,
+                })}
+              />
+            );
+          }
+
           // Default TextArea for all text-like types and unknown types
           return (
             <Input.TextArea
@@ -266,7 +995,9 @@ export default function ToolConfigModal({
                 disabled={!tool}
                 className="flex items-center justify-center px-4 py-2 text-sm border border-gray-300 text-gray-700 rounded hover:bg-gray-50 transition-colors duration-200 h-8 mr-auto"
               >
-                {testPanelVisible ? t("toolConfig.button.closeTest") : t("toolConfig.button.testTool")}
+                {testPanelVisible
+                  ? t("toolConfig.button.closeTest")
+                  : t("toolConfig.button.testTool")}
               </button>
             }
             <div className="flex gap-2">
@@ -301,6 +1032,24 @@ export default function ToolConfigModal({
               labelAlign="left"
               labelCol={{ span: 6 }}
               wrapperCol={{ span: 18 }}
+              onValuesChange={(changedValues, allValues) => {
+                // Track if user has modified the datamate server_url field
+                if (
+                  tool?.name === "datamate_search" &&
+                  knowledgeBaseDataMateUrl &&
+                  !hasUserModifiedDatamateUrl
+                ) {
+                  const serverUrlFieldIndex = currentParams.findIndex(
+                    (p) => p.name === "server_url"
+                  );
+                  if (serverUrlFieldIndex >= 0) {
+                    const fieldName = `param_${serverUrlFieldIndex}`;
+                    if (changedValues[fieldName] !== undefined) {
+                      setHasUserModifiedDatamateUrl(true);
+                    }
+                  }
+                }
+              }}
             >
               <div className="pr-2 mt-3">
                 {currentParams.map((param, index) => {
@@ -311,9 +1060,58 @@ export default function ToolConfigModal({
                   if (param.required) {
                     rules.push({
                       required: true,
-                      message: t("toolConfig.validation.required", {
-                        name: param.name,
-                      }),
+                      message: t("toolConfig.validation.required"),
+                    });
+                  }
+
+                  // Add URL validation for server_url parameter
+                  if (param.name === "server_url") {
+                    rules.push({
+                      validator: async (_: any, value: any) => {
+                        if (!value) return Promise.resolve();
+                        try {
+                          // Check if value is a valid URL
+                          let url: URL;
+                          try {
+                            url = new URL(value);
+                          } catch {
+                            return Promise.reject(
+                              t("knowledgeBase.error.invalidUrlFormat")
+                            );
+                          }
+                          // Check if protocol is http or https
+                          if (url.protocol !== "http:" && url.protocol !== "https:") {
+                            return Promise.reject(
+                              t("knowledgeBase.error.invalidUrlProtocol")
+                            );
+                          }
+                          return Promise.resolve();
+                        } catch {
+                          return Promise.reject(
+                            t("knowledgeBase.error.invalidUrlFormat")
+                          );
+                        }
+                      },
+                    });
+                  }
+
+                  // Add custom validator for knowledge base selector fields (index_names/dataset_ids)
+                  // Since these fields use custom display without form control, we need custom validation
+                  if (
+                    toolRequiresKbSelection &&
+                    (param.name === "index_names" ||
+                      param.name === "dataset_ids")
+                  ) {
+                    rules.push({
+                      validator: async () => {
+                        // Check if any knowledge base has been selected
+                        if (selectedKbIds.length === 0) {
+                          return Promise.reject(
+                            t("toolConfig.validation.selectKb")
+                          );
+                        }
+                        return Promise.resolve();
+                      },
                     });
                   }
 
@@ -321,7 +1119,7 @@ export default function ToolConfigModal({
                   switch (param.type) {
                     case TOOL_PARAM_TYPES.ARRAY:
                       rules.push({
-                        validator: (_: any, value: any) => {
+                        validator: async (_: any, value: any) => {
                           if (!value) return Promise.resolve();
                           try {
                             const parsed =
@@ -333,6 +1131,7 @@ export default function ToolConfigModal({
                                 t("toolConfig.validation.array.invalid")
                               );
                             }
+                            return Promise.resolve();
                           } catch {
                             return Promise.reject(
                               t("toolConfig.validation.array.invalid")
@@ -343,7 +1142,7 @@ export default function ToolConfigModal({
                       break;
                     case TOOL_PARAM_TYPES.OBJECT:
                       rules.push({
-                        validator: (_: any, value: any) => {
+                        validator: async (_: any, value: any) => {
                           if (!value) return Promise.resolve();
                           try {
                             const parsed =
@@ -372,6 +1171,7 @@ export default function ToolConfigModal({
                   return (
                     <Form.Item
                       key={param.name}
+                      required={param.required}
                       label={
                         <span
                           className="inline-block w-full truncate"
@@ -380,7 +1180,13 @@ export default function ToolConfigModal({
                           {param.name}
                         </span>
                       }
-                      name={fieldName}
+                      name={
+                        toolRequiresKbSelection &&
+                        (param.name === "index_names" ||
+                          param.name === "dataset_ids")
+                          ? undefined
+                          : fieldName
+                      }
                       rules={rules}
                       tooltip={{
                         title: param.description,
@@ -388,7 +1194,12 @@ export default function ToolConfigModal({
                         styles: { root: { maxWidth: 400 } },
                       }}
                     >
-                      {renderParamInput(param, index)}
+                      {/* For KB selector, use custom display (Form.Item doesn't control value) */}
+                      {toolRequiresKbSelection &&
+                      (param.name === "index_names" ||
+                        param.name === "dataset_ids")
+                        ? renderKbSelectorInput(param, index)
+                        : renderParamInput(param, index)}
                     </Form.Item>
                   );
                 })}
@@ -408,6 +1219,37 @@ export default function ToolConfigModal({
         </div>
       </Modal>
 
+      {/* Knowledge Base Selector Modal */}
+      <KnowledgeBaseSelectorModal
+        isOpen={kbSelectorVisible}
+        onClose={() => setKbSelectorVisible(false)}
+        onConfirm={handleKbConfirm}
+        selectedIds={selectedKbIds}
+        toolType={getToolType()}
+        knowledgeBases={knowledgeBases}
+        isLoading={kbLoading}
+        showCheckbox={true}
+        onSync={(toolType) =>
+          syncKnowledgeBases(
+            toolType,
+            toolType === "datamate_search"
+              ? { serverUrl: datamateServerUrl }
+              : toolType === "dify_search"
+                ? difyConfig
+                : undefined
+          )
+        }
+        syncLoading={isSyncing === getToolType()}
+        isSelectable={canSelectKnowledgeBase}
+        currentEmbeddingModel={currentEmbeddingModel}
+        difyConfig={
+          toolKbType === "dify_search"
+            ? difyConfig
+            : toolKbType === "datamate_search"
+              ? { serverUrl: datamateServerUrl }
+              : undefined
+        }
+      />
     </>
   );
 }
diff --git a/frontend/app/[locale]/agents/components/agentInfo/AgentGenerateDetail.tsx b/frontend/app/[locale]/agents/components/agentInfo/AgentGenerateDetail.tsx
index 58183cee5..6f52f52a0 100644
--- a/frontend/app/[locale]/agents/components/agentInfo/AgentGenerateDetail.tsx
+++ b/frontend/app/[locale]/agents/components/agentInfo/AgentGenerateDetail.tsx
@@ -1,9 +1,10 @@
 "use client";
 
-import { useState, useEffect, useRef } from "react";
+import { useState, useEffect, useMemo } from "react";
 import { useTranslation } from "react-i18next";
 import {
   Button,
+  Tooltip,
   Tabs,
   Form,
   Input,
@@ -32,8 +33,13 @@ import {
   GENERATE_PROMPT_STREAM_TYPES,
 } from "@/const/agentConfig";
 import { generatePromptStream } from "@/services/promptService";
-import { useAuth } from "@/hooks/useAuth";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
+import { useDeployment } from "@/components/providers/deploymentProvider";
 import { useModelList } from "@/hooks/model/useModelList";
+import { useTenantList } from "@/hooks/tenant/useTenantList";
+import { useGroupList } from "@/hooks/group/useGroupList";
+import { USER_ROLES } from "@/const/auth";
+import { Can } from "@/components/permission/Can";
 import ExpandEditModal from "./ExpandEditModal";
 
 const { TextArea } = Input;
@@ -59,12 +65,19 @@ export default function AgentGenerateDetail({
 }: AgentGenerateDetailProps) {
   const { t } = useTranslation("common");
   const { message } = App.useApp();
-  const { user, isSpeedMode } = useAuth();
+  const { user, groupIds: allowedGroupIds } = useAuthorizationContext();
+  const { isSpeedMode } = useDeployment();
   const [form] = Form.useForm();
 
   // Model data from React Query
   const { availableLlmModels, defaultLlmModel, isLoading: loadingModels } = useModelList();
 
+  // Tenant & group data for group selection
+  const { data: tenantData } = useTenantList();
+  const tenantId = user?.tenantId ?? tenantData?.[0]?.tenant_id ?? null;
+  const { data: groupData } = useGroupList(tenantId, 1, 100);
+  const groups = groupData?.groups || [];
+
   // State management
   const [activeTab, setActiveTab] = useState<string>("agent-info");
 
@@ -72,6 +85,32 @@ export default function AgentGenerateDetail({
   const [expandModalOpen, setExpandModalOpen] = useState(false);
   const [expandModalType, setExpandModalType] = useState<'duty' | 'constraint' | 'few-shots' | null>(null);
 
+  // Only show "no edit permission" tooltip when the panel is active and agent is read-only.
+  // Note: when no agent is selected, AgentInfoComp shows an overlay and we should not show
+  // this tooltip in that state.
+  const showNoEditPermissionTip =
+    !editable && currentAgentId !== null && currentAgentId !== undefined;
+
+  const noEditPermissionTitle = showNoEditPermissionTip
+    ? t("agent.noEditPermission")
+    : undefined;
+
+  const wrapNoEditTooltipBlock = (node: React.ReactNode) => {
+    return (
+      <Tooltip title={noEditPermissionTitle}>
+        <span style={{ display: "block" }}>{node}</span>
+      </Tooltip>
+    );
+  };
+
+  const wrapNoEditTooltipInline = (node: React.ReactNode) => {
+    return (
+      <Tooltip title={noEditPermissionTitle}>
+        <span style={{ display: "inline-block" }}>{node}</span>
+      </Tooltip>
+    );
+  };
+
 
   // Ensure tenant config is loaded for default model selection
   useEffect(() => {
@@ -120,21 +159,74 @@ export default function AgentGenerateDetail({
     businessLogicModelId: 0,
   });
 
+  const normalizeNumberArray = (value: unknown): number[] => {
+    const arr = Array.isArray(value) ? value : [];
+    return Array.from(
+      new Set(arr.map((id) => Number(id)).filter((id) => Number.isFinite(id)))
+    ).sort((a, b) => a - b);
+  };
+
+  const groupSelectOptions = useMemo(() => {
+    const selectedIds = normalizeNumberArray(editedAgent.group_ids || []);
+    const allowedSet = new Set(normalizeNumberArray(allowedGroupIds || []));
+    const canSelectAllGroups =
+      user?.role === USER_ROLES.SU ||
+      user?.role === USER_ROLES.ADMIN ||
+      user?.role === USER_ROLES.SPEED;
+
+    const baseGroups = canSelectAllGroups
+      ? groups
+      : groups.filter((g) => allowedSet.has(g.group_id));
+
+    const baseSet = new Set(baseGroups.map((g) => g.group_id));
+    const groupById = new Map(groups.map((g) => [g.group_id, g] as const));
+
+    const options: Array<{ label: string; value: number; disabled?: boolean }> =
+      baseGroups.map((g) => ({
+        label: g.group_name,
+        value: g.group_id,
+      }));
+
+    // Keep already-selected groups visible even if they are not selectable (disabled).
+    for (const id of selectedIds) {
+      if (baseSet.has(id)) continue;
+      const g = groupById.get(id);
+      options.push({
+        label: g?.group_name ?? `Group ${id}`,
+        value: id,
+        disabled: true,
+      });
+    }
+
+    return options;
+  }, [allowedGroupIds, editedAgent.group_ids, groups, user?.role]);
+
   // Initialize form values when component mounts or currentAgentId changes
   useEffect(() => {
-    const initialAgentInfo = {
+    const isCreateMode = editable && (currentAgentId === null || currentAgentId === undefined);
+
+    // Note:
+    // In create mode, do not set group_ids here. Otherwise, when switching from an existing
+    // agent to create mode (currentAgentId changes to null), this initializer can overwrite
+    // the default-group selection effect and leave group_ids empty.
+    const initialAgentInfo: Record<string, any> = {
       agentName: editedAgent.name || "",
       agentDisplayName: editedAgent.display_name || "",
-      agentAuthor: editedAgent.author || "",
+      agentAuthor: editedAgent.author || user?.email || (isSpeedMode ? "Default User" : ""),
       mainAgentModel:
         editedAgent.model || defaultLlmModel?.displayName || "",
       mainAgentMaxStep: editedAgent.max_step || 5,
       agentDescription: editedAgent.description || "",
+      group_ids: normalizeNumberArray(editedAgent.group_ids || []),
       dutyPrompt: editedAgent.duty_prompt || "",
       constraintPrompt: editedAgent.constraint_prompt || "",
       fewShotsPrompt: editedAgent.few_shots_prompt || "",
     };
 
+    if (isCreateMode) {
+      delete initialAgentInfo.group_ids;
+    }
+
     const initialBusinessInfo = {
       businessDescription: editedAgent.business_description || "",
       businessLogicModelName:
@@ -148,7 +240,44 @@ export default function AgentGenerateDetail({
     setBusinessInfo(initialBusinessInfo);
 
     form.setFieldsValue(initialAgentInfo);
-  }, [currentAgentId, editedAgent, availableLlmModels, defaultLlmModel]);
+    // Sync model to store if not already set (e.g., in create mode with default model)
+    if ((isCreateMode || !editedAgent.model) && defaultLlmModel) {
+      onUpdateProfile({
+        model: defaultLlmModel.displayName || "",
+        model_id: defaultLlmModel.id || 0,
+      });
+    }
+    // We intentionally initialize the form only when switching agent (or when default model becomes available),
+    // otherwise it can create update loops with Form-controlled fields updating the store.
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [currentAgentId, defaultLlmModel?.id]);
+
+  // Default to selecting all groups when creating a new agent.
+  // Only applies when groups are loaded and no group is selected yet.
+  useEffect(() => {
+    const isCreateMode = editable && (currentAgentId === null || currentAgentId === undefined);
+    if (!isCreateMode) return;
+    if (!groups || groups.length === 0) return;
+
+    const currentGroupIds = normalizeNumberArray(editedAgent.group_ids || []);
+    if (currentGroupIds.length > 0) return;
+
+    const allowedSet = new Set(normalizeNumberArray(allowedGroupIds || []));
+    const canSelectAllGroups =
+      user?.role === USER_ROLES.SU ||
+      user?.role === USER_ROLES.ADMIN ||
+      user?.role === USER_ROLES.SPEED;
+    const selectableGroups = canSelectAllGroups
+      ? groups
+      : groups.filter((g) => allowedSet.has(g.group_id));
+
+    const allGroupIds = normalizeNumberArray(selectableGroups.map((g) => g.group_id));
+    if (allGroupIds.length === 0) return;
+
+    form.setFieldsValue({ group_ids: allGroupIds });
+    onUpdateProfile({ group_ids: allGroupIds });
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [editable, currentAgentId, groups, allowedGroupIds, user?.role]);
 
   // Handle business description change
   const handleBusinessDescriptionChange = (value: string) => {
@@ -164,6 +293,12 @@ export default function AgentGenerateDetail({
     const selectedModel = availableLlmModels.find(
       (m) => m.name === modelName || m.displayName === modelName
     );
+    // Update local state so the Select component reflects the change
+    setBusinessInfo((prev) => ({
+      ...prev,
+      businessLogicModelName: modelName,
+      businessLogicModelId: selectedModel?.id || 0,
+    }));
     onUpdateBusinessInfo({
       business_description: businessInfo.businessDescription || "",
       business_logic_model_id: selectedModel?.id || 0,
@@ -173,10 +308,61 @@ export default function AgentGenerateDetail({
 
   // Handle expand modal functions
   const handleOpenExpandModal = (type: 'duty' | 'constraint' | 'few-shots') => {
+    if (!editable) return;
     setExpandModalType(type);
     setExpandModalOpen(true);
   };
 
+  const renderExpandButton = (type: "duty" | "constraint" | "few-shots") => {
+    return wrapNoEditTooltipInline(
+      <Button
+        onClick={() => handleOpenExpandModal(type)}
+        title={t("systemPrompt.button.expand")}
+        icon={<Maximize2 size={12} />}
+        size="small"
+        type="text"
+        disabled={!editable}
+      />
+    );
+  };
+
+  const promptEditorStyle: React.CSSProperties = {
+    width: "100%",
+    height: "100%",
+    resize: "none",
+    border: "none",
+    outline: "none",
+    boxShadow: "none",
+    display: "block",
+    flex: 1,
+    minHeight: 0,
+  };
+
+  const renderPromptEditor = (
+    fieldName: "dutyPrompt" | "constraintPrompt" | "fewShotsPrompt",
+    placeholder: string,
+    onBlurUpdate: (value: string) => void
+  ) => {
+    const item = (
+      <Form.Item name={fieldName} className="mb-0 h-full">
+        <TextArea
+          placeholder={placeholder}
+          style={promptEditorStyle}
+          disabled={!editable}
+          onBlur={(e) => onBlurUpdate(e.target.value)}
+        />
+      </Form.Item>
+    );
+
+    return showNoEditPermissionTip ? (
+      <Tooltip title={t("agent.noEditPermission")}>
+        <div className="h-full">{item}</div>
+      </Tooltip>
+    ) : (
+      item
+    );
+  };
+
   const handleCloseExpandModal = () => {
     setExpandModalOpen(false);
     setExpandModalType(null);
@@ -304,7 +490,7 @@ export default function AgentGenerateDetail({
         },
         (data) => {
           // Process streaming response data
-          
+
           switch (data.type) {
             case GENERATE_PROMPT_STREAM_TYPES.DUTY:
               form.setFieldsValue({ dutyPrompt: data.content });
@@ -313,7 +499,7 @@ export default function AgentGenerateDetail({
               form.setFieldsValue({ constraintPrompt: data.content });
               break;
             case GENERATE_PROMPT_STREAM_TYPES.FEW_SHOTS:
-              
+
               form.setFieldsValue({ fewShotsPrompt: data.content });
               break;
             case GENERATE_PROMPT_STREAM_TYPES.AGENT_VAR_NAME:
@@ -382,7 +568,8 @@ export default function AgentGenerateDetail({
         <div className="overflow-y-auto overflow-x-hidden h-full px-3">
           <Row gutter={[16, 16]}>
             <Col span={24}>
-              <Form form={form} layout="vertical" disabled={!editable}>
+              {wrapNoEditTooltipBlock(
+                <Form form={form} layout="vertical" disabled={!editable}>
                 <Form.Item
                   name="agentDisplayName"
                   label={t("agent.displayName")}
@@ -431,18 +618,43 @@ export default function AgentGenerateDetail({
                   />
                 </Form.Item>
 
+                <Can permission="group:read">
+                  <Form.Item
+                    name="group_ids"
+                    label={t("agent.userGroup")}
+                    className="mb-3"
+                  >
+                    <Select
+                      mode="multiple"
+                      placeholder={t("agent.userGroup")}
+                      options={groupSelectOptions}
+                      allowClear
+                      onChange={(value) => {
+                        const nextGroupIds = normalizeNumberArray(value || []);
+                        const currentGroupIds = normalizeNumberArray(
+                          editedAgent.group_ids || []
+                        );
+                        if (
+                          JSON.stringify(nextGroupIds) ===
+                          JSON.stringify(currentGroupIds)
+                        ) {
+                          return;
+                        }
+                        onUpdateProfile({ group_ids: nextGroupIds });
+                      }}
+                    />
+                  </Form.Item>
+                </Can>
+
                 <Form.Item
                   name="agentAuthor"
                   label={t("agent.author")}
-                  help={
-                    !isSpeedMode &&
-                    !form.getFieldValue("agentAuthor") &&
-                    user?.email &&
-                    t("agent.author.hint", {
-                      defaultValue: "Default: {{email}}",
-                      email: user.email,
-                    })
-                  }
+                  rules={[
+                    {
+                      required: true,
+                      message: t("agent.authorPlaceholder"),
+                    },
+                  ]}
                   className="mb-3"
                 >
                   <Input
@@ -533,6 +745,7 @@ export default function AgentGenerateDetail({
                   />
                 </Form.Item>
               </Form>
+              )}
             </Col>
           </Row>
         </div>
@@ -544,36 +757,18 @@ export default function AgentGenerateDetail({
       children: (
         <div className="overflow-y-auto overflow-x-hidden h-full relative">
           <div className="absolute top-2 right-2 z-10">
-            <Button
-              onClick={() => handleOpenExpandModal('duty')}
-              title={t("systemPrompt.button.expand")}
-              icon={<Maximize2 size={12} />}
-              size="small"
-              type="text"
-            />
+            {renderExpandButton("duty")}
           </div>
           <Form
             form={form}
             layout="vertical"
             className="h-full agent-config-form"
           >
-            <Form.Item name="dutyPrompt" className="mb-0 h-full">
-              <TextArea
-                placeholder={t("systemPrompt.card.duty.title")}
-                style={{
-                  width: "100%",
-                  height: "100%",
-                  resize: "none",
-                  border: "none",
-                  outline: "none",
-                  boxShadow: "none",
-                  display: "block",
-                  flex: 1,
-                  minHeight: 0,
-                }}
-                onBlur={(e) => onUpdateProfile({ duty_prompt: e.target.value })}
-              />
-            </Form.Item>
+            {renderPromptEditor(
+              "dutyPrompt",
+              t("systemPrompt.card.duty.title"),
+              (value) => onUpdateProfile({ duty_prompt: value })
+            )}
           </Form>
         </div>
       ),
@@ -584,38 +779,18 @@ export default function AgentGenerateDetail({
       children: (
         <div className="overflow-y-auto overflow-x-hidden h-full relative">
           <div className="absolute top-2 right-2 z-10">
-            <Button
-              onClick={() => handleOpenExpandModal('constraint')}
-              title={t("systemPrompt.button.expand")}
-              icon={<Maximize2 size={12} />}
-              size="small"
-              type="text"
-            />
+            {renderExpandButton("constraint")}
           </div>
           <Form
             form={form}
             layout="vertical"
             className="h-full agent-config-form"
           >
-            <Form.Item name="constraintPrompt" className="mb-0 h-full">
-              <TextArea
-                placeholder={t("systemPrompt.card.constraint.title")}
-                style={{
-                  width: "100%",
-                  height: "100%",
-                  resize: "none",
-                  border: "none",
-                  outline: "none",
-                  boxShadow: "none",
-                  display: "block",
-                  flex: 1,
-                  minHeight: 0,
-                }}
-                onBlur={(e) =>
-                  onUpdateProfile({ constraint_prompt: e.target.value })
-                }
-              />
-            </Form.Item>
+            {renderPromptEditor(
+              "constraintPrompt",
+              t("systemPrompt.card.constraint.title"),
+              (value) => onUpdateProfile({ constraint_prompt: value })
+            )}
           </Form>
         </div>
       ),
@@ -626,38 +801,18 @@ export default function AgentGenerateDetail({
       children: (
         <div className="overflow-y-auto overflow-x-hidden h-full relative">
           <div className="absolute top-2 right-2 z-10">
-            <Button
-              onClick={() => handleOpenExpandModal('few-shots')}
-              title={t("systemPrompt.button.expand")}
-              icon={<Maximize2 size={12} />}
-              size="small"
-              type="text"
-            />
+            {renderExpandButton("few-shots")}
           </div>
           <Form
             form={form}
             layout="vertical"
             className="h-full agent-config-form"
           >
-            <Form.Item name="fewShotsPrompt" className="mb-0 h-full">
-              <TextArea
-                placeholder={t("systemPrompt.card.fewShots.title")}
-                style={{
-                  width: "100%",
-                  height: "100%",
-                  resize: "none",
-                  border: "none",
-                  outline: "none",
-                  boxShadow: "none",
-                  display: "block",
-                  flex: 1,
-                  minHeight: 0,
-                }}
-                onBlur={(e) =>
-                  onUpdateProfile({ few_shots_prompt: e.target.value })
-                }
-              />
-            </Form.Item>
+            {renderPromptEditor(
+              "fewShotsPrompt",
+              t("systemPrompt.card.fewShots.title"),
+              (value) => onUpdateProfile({ few_shots_prompt: value })
+            )}
           </Form>
         </div>
       ),
@@ -679,34 +834,36 @@ export default function AgentGenerateDetail({
               className="w-full rounded-md"
               styles={{ body: { padding: "16px" } }}
             >
-              <Input.TextArea
-                value={businessInfo.businessDescription}
-                onChange={(e) =>
-                  setBusinessInfo((prev) => ({
-                    ...prev,
-                    businessDescription: e.target.value,
-                  }))
-                }
-                onBlur={() =>
-                  handleBusinessDescriptionChange(
-                    businessInfo.businessDescription
-                  )
-                }
-                placeholder={t("businessLogic.placeholder")}
-                className="w-full resize-none text-sm mb-2"
-                style={{
-                  minHeight: "80px",
-                  maxHeight: "160px",
-                  border: "none",
-                  boxShadow: "none",
-                  padding: 0,
-                  background: "transparent",
-                  overflowX: "hidden",
-                  overflowY: "auto",
-                }}
-                autoSize={false}
-                disabled={!editable}
-              />
+              {wrapNoEditTooltipBlock(
+                <Input.TextArea
+                  value={businessInfo.businessDescription}
+                  onChange={(e) =>
+                    setBusinessInfo((prev) => ({
+                      ...prev,
+                      businessDescription: e.target.value,
+                    }))
+                  }
+                  onBlur={() =>
+                    handleBusinessDescriptionChange(
+                      businessInfo.businessDescription
+                    )
+                  }
+                  placeholder={t("businessLogic.placeholder")}
+                  className="w-full resize-none text-sm mb-2"
+                  style={{
+                    minHeight: "80px",
+                    maxHeight: "160px",
+                    border: "none",
+                    boxShadow: "none",
+                    padding: 0,
+                    background: "transparent",
+                    overflowX: "hidden",
+                    overflowY: "auto",
+                  }}
+                  autoSize={false}
+                  disabled={!editable}
+                />
+              )}
 
               {/* Control area */}
               <Flex style={{ width: "100%" }} align="center">
@@ -733,19 +890,21 @@ export default function AgentGenerateDetail({
                   />
                 </div>
                 <div style={{ marginLeft: 12 }}>
-                   <Button
-                    type="primary"
-                    size="middle"
-                    onClick={handleGenerateAgent}
-                    disabled={!editable || loadingModels || isGenerating}
-                    icon={<Zap size={16} />}
-                  >
-                    <span className="button-text-full">
-                      {isGenerating
-                        ? t("businessLogic.config.button.generating")
-                        : t("businessLogic.config.button.generatePrompt")}
-                    </span>
-                  </Button>
+                  {wrapNoEditTooltipInline(
+                    <Button
+                      type="primary"
+                      size="middle"
+                      onClick={handleGenerateAgent}
+                      disabled={!editable || loadingModels || isGenerating}
+                      icon={<Zap size={16} />}
+                    >
+                      <span className="button-text-full">
+                        {isGenerating
+                          ? t("businessLogic.config.button.generating")
+                          : t("businessLogic.config.button.generatePrompt")}
+                      </span>
+                    </Button>
+                  )}
                 </div>
               </Flex>
             </Card>
diff --git a/frontend/app/[locale]/agents/components/agentInfo/ExpandEditModal.tsx b/frontend/app/[locale]/agents/components/agentInfo/ExpandEditModal.tsx
index 17ef4b2c9..4ef03289d 100644
--- a/frontend/app/[locale]/agents/components/agentInfo/ExpandEditModal.tsx
+++ b/frontend/app/[locale]/agents/components/agentInfo/ExpandEditModal.tsx
@@ -1,6 +1,6 @@
 import { useState, useEffect } from "react";
 import { useTranslation } from "react-i18next";
-import { Modal, Input, Badge } from "antd";
+import { Modal, Input, Badge, Button } from "antd";
 
 export interface ExpandEditModalProps {
   open: boolean;
@@ -8,6 +8,7 @@ export interface ExpandEditModalProps {
   content: string;
   onClose: () => void;
   onSave: (content: string) => void;
+  readOnly?: boolean;
 }
 
 export default function ExpandEditModal({
@@ -16,6 +17,7 @@ export default function ExpandEditModal({
   content,
   onClose,
   onSave,
+  readOnly = false,
 }:ExpandEditModalProps) {
   const { t } = useTranslation("common");
   const [editContent, setEditContent] = useState(content);
@@ -26,7 +28,9 @@ export default function ExpandEditModal({
   }, [content]);
 
   const handleSave = () => {
-    onSave(editContent);
+    if (!readOnly) {
+      onSave(editContent);
+    }
     onClose();
   };
 
@@ -47,13 +51,19 @@ export default function ExpandEditModal({
       open={open}
       onCancel={handleClose}
       footer={
-        <button
-        onClick={handleSave}
-        className="px-4 py-1.5 rounded-md text-sm bg-blue-500 text-white hover:bg-blue-600"
-        style={{ border: "none" }}
-      >
-        {t("common.confirm")}
-      </button>
+        readOnly ? (
+          <Button onClick={handleClose}>
+            {t("common.cancel")}
+          </Button>
+        ) : (
+          <button
+            onClick={handleSave}
+            className="px-4 py-1.5 rounded-md text-sm bg-blue-500 text-white hover:bg-blue-600"
+            style={{ border: "none" }}
+          >
+            {t("common.confirm")}
+          </button>
+        )
       }
       width={1000}
       styles={{
@@ -66,7 +76,9 @@ export default function ExpandEditModal({
           <Input.TextArea
             value={editContent}
             onChange={(e) => {
-              setEditContent(e.target.value);
+              if (!readOnly) {
+                setEditContent(e.target.value);
+              }
             }}
             style={{
               width: "100%",
@@ -74,6 +86,7 @@ export default function ExpandEditModal({
               resize: "vertical"
             }}
             bordered={true}
+            readOnly={readOnly}
           />
         </div>
       </div>
diff --git a/frontend/app/[locale]/agents/components/agentManage/AgentList.tsx b/frontend/app/[locale]/agents/components/agentManage/AgentList.tsx
index 00975441d..9b8ecdf55 100644
--- a/frontend/app/[locale]/agents/components/agentManage/AgentList.tsx
+++ b/frontend/app/[locale]/agents/components/agentManage/AgentList.tsx
@@ -1,6 +1,7 @@
 "use client";
 
-import React, { useState, useEffect } from "react";
+import React from "react";
+import { useState } from "react";
 import { useTranslation } from "react-i18next";
 import { Button, Col, Flex, Tooltip, Divider, Table, theme, App } from "antd";
 import { ExclamationCircleOutlined } from "@ant-design/icons";
@@ -17,24 +18,17 @@ import {
   exportAgent,
   updateToolConfig,
 } from "@/services/agentConfigService";
+import { useAgentConfigStore } from "@/stores/agentConfigStore";
+import { useSaveGuard } from "@/hooks/agent/useSaveGuard";
 import { clearAgentNewMark } from "@/services/agentConfigService";
 import log from "@/lib/logger";
-import { clearAgentAndSync } from "@/lib/agentNewUtils";
 
 interface AgentListProps {
   agentList: Agent[];
-  currentAgentId: number | null;
-  hasUnsavedChanges: boolean;
-  onSelectAgent: (agent: Agent) => void;
-  onAgentDeleted?: (agentId: number) => void;
 }
 
 export default function AgentList({
   agentList,
-  currentAgentId,
-  hasUnsavedChanges,
-  onSelectAgent,
-  onAgentDeleted,
 }: AgentListProps) {
   const { t } = useTranslation();
   const { token } = theme.useToken();
@@ -42,33 +36,17 @@ export default function AgentList({
   const confirm = useConfirmModal();
   const queryClient = useQueryClient();
 
-  // Note: rely on agent.is_new from agentList (single source of truth).
-  // Clear NEW mark when agent is selected (sync with selection visual feedback)
-  useEffect(() => {
-    if (currentAgentId) {
-      const agentId = String(currentAgentId);
-      const agent = agentList.find(a => String(a.id) === agentId);
-      if (agent?.is_new === true) {
-        (async () => {
-          try {
-            const res = await clearAgentAndSync(agentId, queryClient);
-            if (!res?.success) {
-              log.warn("Failed to clear NEW mark for agent:", agentId, res);
-            }
-          } catch (err) {
-            log.error("Error clearing NEW mark:", err);
-          }
-        })();
-      }
-    }
-  }, [currentAgentId, agentList]);
-
   // Call relationship modal state
   const [callRelationshipModalVisible, setCallRelationshipModalVisible] =
     useState(false);
   const [selectedAgentForRelationship, setSelectedAgentForRelationship] =
     useState<Agent | null>(null);
 
+  // Get state from store
+  const currentAgentId = useAgentConfigStore((state) => state.currentAgentId);
+  const setCurrentAgent = useAgentConfigStore((state) => state.setCurrentAgent);
+  const hasUnsavedChanges = useAgentConfigStore((state) => state.hasUnsavedChanges);
+
   // Mutations
   const updateAgentMutation = useMutation({
     mutationFn: (payload: any) => updateAgentInfo(payload),
@@ -78,6 +56,9 @@ export default function AgentList({
     mutationFn: (agentId: number) => deleteAgent(agentId),
   });
 
+    // Unsaved changes guard
+  const checkUnsavedChanges = useSaveGuard();
+
   // Handle view call relationship
   const handleViewCallRelationship = (agent: Agent) => {
     setSelectedAgentForRelationship(agent);
@@ -89,6 +70,59 @@ export default function AgentList({
     setSelectedAgentForRelationship(null);
   };
 
+  // Handle select agent
+  const handleSelectAgent = async (agent: Agent) => {
+    // Clear NEW mark when agent is selected for editing (only if marked as new)
+    if (agent.is_new === true) {
+      try {
+        const res = await clearAgentNewMark(agent.id);
+        if (res?.success) {
+          log.warn("Failed to clear NEW mark on select:", res);
+          queryClient.invalidateQueries({ queryKey: ["agents"] });
+        }
+      } catch (err) {
+        log.error("Failed to clear NEW mark on select:", err);
+      }
+    }
+
+    // If already selected, deselect it
+    if (
+      currentAgentId !== null &&
+      String(currentAgentId) === String(agent.id)
+    ) {
+      const canDeselect = await checkUnsavedChanges.saveWithModal();
+      if (canDeselect) {
+        setCurrentAgent(null);
+      }
+      return;
+    }
+
+    // Load agent detail and set as current
+    try {
+      const result = await searchAgentInfo(Number(agent.id));
+      if (result.success && result.data) {
+        // Get permission from agent list (agentList prop contains permission from /agent/list)
+        const permissionFromList = agent.permission ?? undefined;
+        // Merge permission into agent detail before setting as current
+        setCurrentAgent({
+          ...result.data,
+          permission: permissionFromList,
+        });
+      } else {
+        message.error(result.message || t("agentConfig.agents.detailsLoadFailed"));
+      }
+    } catch (error) {
+      log.error("Failed to load agent detail:", error);
+      message.error(t("agentConfig.agents.detailsLoadFailed"));
+    }
+
+    // Check if can switch (has unsaved changes)
+    const canSwitch = await checkUnsavedChanges.saveWithModal();
+    if (!canSwitch) {
+      return;
+    }
+  };
+
   // Handle export agent
   const handleExportAgent = async (agent: Agent) => {
     try {
@@ -244,12 +278,12 @@ export default function AgentList({
           })
         );
 
-        // Notify parent component if this was the current agent
+        // Clear current agent if this was the selected agent
         if (
           currentAgentId !== null &&
           String(currentAgentId) === String(agent.id)
         ) {
-          onAgentDeleted?.(Number(agent.id));
+          setCurrentAgent(null);
         }
 
         // Refresh agent list
@@ -287,14 +321,15 @@ export default function AgentList({
             pagination={false}
             showHeader={false}
             rowClassName={(agent: any) => {
+              const isSelected =
+                currentAgentId !== null &&
+                String(currentAgentId) === String(agent.id);
               return `py-3 px-4 transition-colors border-gray-200 h-[80px] ${
                 agent.is_available === false
                   ? "opacity-60 cursor-not-allowed"
                   : "hover:bg-gray-50 cursor-pointer"
               } ${
-                currentAgentId !== null &&
-                String(currentAgentId) === String(agent.id)
-                  ? "bg-blue-50 selected-row pl-3"
+                isSelected ? "bg-blue-50 selected-row pl-3"
                   : ""
               }`;
             }}
@@ -302,7 +337,7 @@ export default function AgentList({
               onClick: (e: any) => {
                 e.preventDefault();
                 e.stopPropagation();
-                onSelectAgent(agent);
+                handleSelectAgent(agent);
               },
             })}
             columns={[
diff --git a/frontend/app/[locale]/agents/page.tsx b/frontend/app/[locale]/agents/page.tsx
index da6e85420..9cade7ff4 100644
--- a/frontend/app/[locale]/agents/page.tsx
+++ b/frontend/app/[locale]/agents/page.tsx
@@ -1,8 +1,9 @@
 "use client";
 
-import { Card, Row, Col, Flex } from "antd";
+import { Card, Row, Col, Flex, Button } from "antd";
 import { useSearchParams } from "next/navigation";
-import { useEffect } from "react";
+import { useEffect, useState } from "react";
+
 
 import { useSetupFlow } from "@/hooks/useSetupFlow";
 import { motion } from "framer-motion";
@@ -10,13 +11,16 @@ import AgentManageComp from "./components/AgentManageComp";
 import AgentConfigComp from "./components/AgentConfigComp";
 import AgentInfoComp from "./components/AgentInfoComp";
 import { useAgentConfigStore } from "@/stores/agentConfigStore";
+import AgentVersionManage from "./AgentVersionManage";
 
 export default function AgentSetupOrchestrator() {
-  const { pageVariants, pageTransition, canAccessProtectedData } =
-    useSetupFlow();
+  const { pageVariants, pageTransition } = useSetupFlow();
   const searchParams = useSearchParams();
   const enterCreateMode = useAgentConfigStore((state) => state.enterCreateMode);
 
+  // Local UI state for version panel
+  const [isShowVersionManagePanel, setIsShowVersionManagePanel] = useState(false);
+
   // Handle auto-create mode from URL params
   useEffect(() => {
     const create = searchParams.get('create');
@@ -29,76 +33,85 @@ export default function AgentSetupOrchestrator() {
   }, [searchParams, enterCreateMode]);
 
   return (
-    <>
-      {canAccessProtectedData ? (
-        <Flex
-          justify="center"
-          align="center"
-          className="py-8 px-16 h-full w-full"
-        >
-          <motion.div
-            initial="initial"
-            animate="in"
-            exit="out"
-            variants={pageVariants}
-            transition={pageTransition}
-            style={{ width: "100%", height: "100%" }}
+    <div className="w-full h-full p-8">
+      <motion.div
+        initial="initial"
+        animate="in"
+        exit="out"
+        variants={pageVariants}
+        transition={pageTransition}
+        style={{ width: "100%", height: "100%" }}
+      >
+        {/* Main content area with adaptive width */}
+        <Flex className="h-full w-full" gap={16}>
+          <Card
+            className="h-full min-h-0 flex-1"
+            style={{ minHeight: 400, overflow: "hidden" }}
           >
-            <Card
-              className="h-full min-h-0 w-full min-w-0"
-              style={{ minHeight: 400, maxHeight: "80vh" }}
+            <style jsx global>{`
+              .ant-card-body {
+                height: 100%;
+              }
+            `}</style>
+            {/* Three-column layout using Ant Design Grid */}
+            <Row
+              gutter={[16, 16]}
+              className="h-full min-h-0 w-full"
+              align="stretch"
             >
-              <style jsx global>{`
-                .ant-card-body {
-                  height: 100%;
-                }
-              `}</style>
-              {/* Three-column layout using Ant Design Grid */}
-              <Row
-                gutter={[16, 16]}
-                className="h-full min-h-0 w-full min-w-0"
-                align="stretch"
+              {/* Left column: Agent Management */}
+              <Col
+                xs={24}
+                sm={24}
+                md={24}
+                lg={8}
+                className="flex flex-col h-full w-full"
+              >
+                <AgentManageComp />
+              </Col>
+
+              {/* Middle column: Agent Config */}
+              <Col
+                xs={24}
+                sm={24}
+                md={24}
+                lg={8}
+                className="flex flex-col h-full w-full"
               >
-                {/* Left column: Agent Management */}
-                <Col
-                  xs={24}
-                  sm={24}
-                  md={24}
-                  lg={24}
-                  xl={8}
-                  className="flex flex-col h-full w-full"
-                >
-                  <AgentManageComp />
-                </Col>
+                <AgentConfigComp />
+              </Col>
 
-                {/* Middle column: Agent Config */}
-                <Col
-                  xs={24}
-                  sm={24}
-                  md={24}
-                  lg={24}
-                  xl={8}
-                  className="flex flex-col h-full w-full"
-                >
-                  <AgentConfigComp />
-                </Col>
+              {/* Right column: Agent Info */}
+              <Col
+                xs={24}
+                sm={24}
+                md={24}
+                lg={8}
+                className="flex flex-col h-full w-full"
+              >
+                <AgentInfoComp
+                  isShowVersionManagePanel={isShowVersionManagePanel}
+                  openVersionManagePanel={() => setIsShowVersionManagePanel(true)}
+                  closeVersionManagementPanel={() => setIsShowVersionManagePanel(false)}
+                />
+              </Col>
+            </Row>
+          </Card>
 
-                {/* Right column: Agent Info */}
-                <Col
-                  xs={24}
-                  sm={24}
-                  md={24}
-                  lg={24}
-                  xl={8}
-                  className="flex flex-col h-full w-full"
-                >
-                  <AgentInfoComp />
-                </Col>
-              </Row>
-            </Card>
-          </motion.div>
+          {/* Version Management Panel - Fixed width */}
+          {isShowVersionManagePanel && (
+            <motion.div
+              initial={{ opacity: 0, x: 20 }}
+              animate={{ opacity: 1, x: 0 }}
+              exit={{ opacity: 0, x: 20 }}
+              transition={{ duration: 0.2 }}
+              style={{ width: 400, height: "100%", flexShrink: 0 }}
+            >
+              <AgentVersionManage />
+            </motion.div>
+          )}
         </Flex>
-      ) : null}
-    </>
-  );
+      </motion.div>
+    </div>
+  )
 }
diff --git a/frontend/app/[locale]/chat/components/chatAgentSelector.tsx b/frontend/app/[locale]/chat/components/chatAgentSelector.tsx
index e0f5927c6..b67aa491e 100644
--- a/frontend/app/[locale]/chat/components/chatAgentSelector.tsx
+++ b/frontend/app/[locale]/chat/components/chatAgentSelector.tsx
@@ -5,24 +5,20 @@ import { createPortal } from "react-dom";
 import { useTranslation } from "react-i18next";
 import { ChevronDown, MousePointerClick, AlertCircle } from "lucide-react";
 
-import { fetchAllAgents } from "@/services/agentConfigService";
 import { getUrlParam } from "@/lib/utils";
 import log from "@/lib/logger";
-import { Agent, ChatAgentSelectorProps } from "@/types/chat";
+import { ChatAgentSelectorProps } from "@/types/chat";
+import { Agent } from "@/types/agentConfig";
 import { clearAgentNewMark } from "@/services/agentConfigService";
-import { useQueryClient } from "@tanstack/react-query";
-import { clearAgentAndSync } from "@/lib/agentNewUtils";
+import { usePublishedAgentList } from "@/hooks/agent/usePublishedAgentList";
 
 export function ChatAgentSelector({
   selectedAgentId,
   onAgentSelect,
   disabled = false,
   isInitialMode = false,
-  agents: propAgents,
 }: ChatAgentSelectorProps) {
-  const [agents, setAgents] = useState<Agent[]>([]);
   const [isOpen, setIsOpen] = useState(false);
-  const [isLoading, setIsLoading] = useState(false);
   const [dropdownPosition, setDropdownPosition] = useState({
     top: 0,
     left: 0,
@@ -32,20 +28,19 @@ export function ChatAgentSelector({
   const [isAutoSelectInit, setIsAutoSelectInit] = useState(false);
   const { t } = useTranslation("common");
   const buttonRef = useRef<HTMLDivElement>(null);
-
+  const { agents, invalidate, isLoading } = usePublishedAgentList();
 
   const selectedAgent = agents.find(
-    (agent) => agent.agent_id === selectedAgentId
+    (agent: Agent) => agent.id === String(selectedAgentId)
   );
-  const queryClient = useQueryClient();
 
   // Detect duplicate agent names and mark later-added agents as disabled
   // For agents with the same name, keep the first one (smallest ID) enabled, disable the rest
   const duplicateAgentInfo = useMemo(() => {
     // Create a map to track agents by name
     const nameToAgents = new Map<string, Agent[]>();
-    
-    agents.forEach((agent) => {
+
+    agents.forEach((agent: Agent) => {
       const agentName = agent.name;
       if (!nameToAgents.has(agentName)) {
         nameToAgents.set(agentName, []);
@@ -55,16 +50,16 @@ export function ChatAgentSelector({
 
     // For each group of agents with the same name, sort by ID (smallest first)
     // Mark all except the first one as disabled
-    const disabledAgentIds = new Set<number>();
-    
+    const disabledAgentIds = new Set<string>();
+
     nameToAgents.forEach((agents, name) => {
       if (agents.length > 1) {
-        // Sort by agent_id (smallest first)
-        const sortedAgents = [...agents].sort((a, b) => a.agent_id - b.agent_id);
-        
+        // Sort by id (smallest first)
+        const sortedAgents = [...agents].sort((a, b) => Number(a.id) - Number(b.id));
+
         // Mark all except the first one as disabled
         for (let i = 1; i < sortedAgents.length; i++) {
-          disabledAgentIds.add(sortedAgents[i].agent_id);
+          disabledAgentIds.add(sortedAgents[i].id);
         }
       }
     });
@@ -79,30 +74,25 @@ export function ChatAgentSelector({
     if (agents.length === 0 || isAutoSelectInit) return;
 
     // Get agent_id parameter from URL
-    const agentId = getUrlParam("agent_id", null as number | null, (str) =>
-      str ? Number(str) : null
+    const agentId = getUrlParam("agent_id", null as string | null, (str) =>
+      str ? str : null
     );
     if (agentId === null) return;
 
     // Check if agentId is a valid and effectively available agent
-    const agent = agents.find((a) => a.agent_id === agentId);
+    const agent = agents.find((a: Agent) => a.id === agentId);
     if (agent) {
       const isAvailableTool = agent.is_available !== false;
-      const isDuplicateDisabled = duplicateAgentInfo.disabledAgentIds.has(agent.agent_id);
+      const isDuplicateDisabled = duplicateAgentInfo.disabledAgentIds.has(agent.id);
       const isEffectivelyAvailable = isAvailableTool && !isDuplicateDisabled;
-      
+
       if (isEffectivelyAvailable) {
-        handleAgentSelect(agentId);
+        handleAgentSelect(agent.id);
         setIsAutoSelectInit(true);
       }
     }
   };
 
-  useEffect(() => {
-    // Only load agents if not provided via props or if props is explicitly empty
-      setAgents(propAgents || []);
-  }, [propAgents]);
-
   // Execute auto-selection logic when agents are loaded
   useEffect(() => {
     handleAutoSelectAgent();
@@ -188,27 +178,13 @@ export function ChatAgentSelector({
     };
   }, [isOpen]);
 
-  const loadAgents = async () => {
-    setIsLoading(true);
-    try {
-      const result = await fetchAllAgents();
-      if (result.success) {
-        setAgents(result.data);
-      }
-    } catch (error) {
-      log.error("Failed to load Agent list:", error);
-    } finally {
-      setIsLoading(false);
-    }
-  };
-
-  const handleAgentSelect = async (agentId: number | null) => {
+  const handleAgentSelect = async (agentId: string | null) => {
     // Only effectively available agents can be selected
     if (agentId !== null) {
-      const agent = agents.find((a) => a.agent_id === agentId);
+      const agent = agents.find((a: Agent) => a.id === agentId);
       if (agent) {
         const isAvailableTool = agent.is_available !== false;
-        const isDuplicateDisabled = duplicateAgentInfo.disabledAgentIds.has(agent.agent_id);
+        const isDuplicateDisabled = duplicateAgentInfo.disabledAgentIds.has(agent.id);
         const isEffectivelyAvailable = isAvailableTool && !isDuplicateDisabled;
 
         if (!isEffectivelyAvailable) {
@@ -218,14 +194,10 @@ export function ChatAgentSelector({
         // Clear NEW mark when agent is selected for chat (only if marked as new)
         if (agent.is_new === true) {
           try {
-            const res = await clearAgentAndSync(agentId, queryClient);
+            const res = await clearAgentNewMark(Number(agentId));
             if (res?.success) {
-              // update local agents state to reflect cleared NEW mark immediately
-              setAgents((prev) =>
-                prev.map((a) =>
-                  a.agent_id === agentId ? { ...a, is_new: false } : a
-                )
-              );
+              // Invalidate the query to refresh agents list
+              invalidate();
             } else {
               log.warn("Failed to clear NEW mark on select:", res);
             }
@@ -243,7 +215,7 @@ export function ChatAgentSelector({
     if (window.self !== window.top) {
       try {
         const selectedAgent = agents.find(
-          (agent) => agent.agent_id === agentId
+          (agent: Agent) => agent.id === agentId
         );
         const message = {
           type: "agent_selected",
@@ -372,11 +344,11 @@ export function ChatAgentSelector({
                     )}
                   </div>
                 ) : (
-                  allAgents.map((agent, idx) => {
+                  allAgents.map((agent: Agent, idx: number) => {
                     const isAvailableTool = agent.is_available !== false;
-                    const isDuplicateDisabled = duplicateAgentInfo.disabledAgentIds.has(agent.agent_id);
+                    const isDuplicateDisabled = duplicateAgentInfo.disabledAgentIds.has(agent.id);
                     const isEffectivelyAvailable = isAvailableTool && !isDuplicateDisabled;
-                    
+
                     // Determine the reason for unavailability
                     let unavailableReason: string | null = null;
                     if (!isEffectivelyAvailable) {
@@ -389,28 +361,28 @@ export function ChatAgentSelector({
 
                     return (
                       <div
-                        key={agent.agent_id}
+                        key={agent.id}
                         className={`
                         flex items-start gap-3 px-3.5 py-2.5 text-sm
                         transition-all duration-150 ease-in-out
                         ${
                           isEffectivelyAvailable
                             ? `hover:bg-slate-50 cursor-pointer ${
-                                selectedAgentId === agent.agent_id
+                                selectedAgentId === agent.id
                                   ? "bg-blue-50/70 text-blue-600 hover:bg-blue-50/70"
                                   : ""
                               }`
                             : "opacity-60 cursor-not-allowed bg-slate-50/50"
                         }
                         ${
-                          selectedAgentId === agent.agent_id
+                          selectedAgentId === agent.id
                             ? "shadow-[inset_2px_0_0_0] shadow-blue-500"
                             : ""
                         }
                         ${idx !== 0 ? "border-t border-slate-100" : ""}
                       `}
                         onClick={() =>
-                          isEffectivelyAvailable && handleAgentSelect(agent.agent_id)
+                          isEffectivelyAvailable && handleAgentSelect(agent.id)
                         }
                       >
                         {/* Agent Icon */}
@@ -418,7 +390,7 @@ export function ChatAgentSelector({
                           {isEffectivelyAvailable ? (
                             <MousePointerClick
                               className={`h-4 w-4 ${
-                                selectedAgentId === agent.agent_id
+                                selectedAgentId === agent.id
                                   ? "text-blue-500"
                                   : "text-slate-500"
                               }`}
@@ -433,7 +405,7 @@ export function ChatAgentSelector({
                           <div
                             className={`font-medium truncate ${
                               isEffectivelyAvailable
-                                ? selectedAgentId === agent.agent_id
+                                ? selectedAgentId === agent.id
                                   ? "text-blue-600"
                                   : "text-slate-700 hover:text-slate-900"
                                 : "text-slate-400"
@@ -463,7 +435,7 @@ export function ChatAgentSelector({
                           <div
                             className={`text-xs mt-1 leading-relaxed ${
                               isEffectivelyAvailable
-                                ? selectedAgentId === agent.agent_id
+                                ? selectedAgentId === agent.id
                                   ? "text-blue-500"
                                   : "text-slate-500"
                                 : "text-slate-400"
diff --git a/frontend/app/[locale]/chat/components/chatHeader.tsx b/frontend/app/[locale]/chat/components/chatHeader.tsx
index 9aae7b75b..858fe9199 100644
--- a/frontend/app/[locale]/chat/components/chatHeader.tsx
+++ b/frontend/app/[locale]/chat/components/chatHeader.tsx
@@ -9,8 +9,9 @@ import { loadMemoryConfig, setMemorySwitch } from "@/services/memoryService";
 import { configStore } from "@/lib/config";
 import log from "@/lib/logger";
 import { useRouter } from "next/navigation";
-import { useAuth } from "@/hooks/useAuth";
-import { USER_ROLES } from "@/const/modelConfig";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
+import { useDeployment } from "@/components/providers/deploymentProvider";
+import { USER_ROLES } from "@/const/auth";
 import { saveView } from "@/lib/viewPersistence";
 import { useConfirmModal } from "@/hooks/useConfirmModal";
 
@@ -27,7 +28,8 @@ export function ChatHeader({ title, onRename }: ChatHeaderProps) {
 
   const inputRef = useRef<HTMLInputElement>(null);
   const { t, i18n } = useTranslation("common");
-  const { user, isSpeedMode } = useAuth();
+  const { user } = useAuthorizationContext();
+  const { isSpeedMode } = useDeployment();
   const { confirm } = useConfirmModal();
   const isAdmin = isSpeedMode || user?.role === USER_ROLES.ADMIN;
 
diff --git a/frontend/app/[locale]/chat/components/chatInput.tsx b/frontend/app/[locale]/chat/components/chatInput.tsx
index 9a5caf5d3..7665b934c 100644
--- a/frontend/app/[locale]/chat/components/chatInput.tsx
+++ b/frontend/app/[locale]/chat/components/chatInput.tsx
@@ -23,7 +23,7 @@ import { useConfig } from "@/hooks/useConfig";
 import { extractColorsFromUri } from "@/lib/avatar";
 import log from "@/lib/logger";
 import { chatConfig } from "@/const/chatConfig";
-import { FilePreview, Agent } from "@/types/chat";
+import { FilePreview } from "@/types/chat";
 
 import { ChatAgentSelector } from "./chatAgentSelector";
 
@@ -303,9 +303,8 @@ interface ChatInputProps {
   onImageUpload?: (file: File) => void;
   attachments?: FilePreview[];
   onAttachmentsChange?: (attachments: FilePreview[]) => void;
-  selectedAgentId?: number | null;
-  onAgentSelect?: (agentId: number | null) => void;
-  cachedAgents?: Agent[]; // Optional cached agents to avoid repeated API calls
+  selectedAgentId?: string | null;
+  onAgentSelect?: (agentId: string | null) => void;
 }
 
 export function ChatInput({
@@ -318,7 +317,6 @@ export function ChatInput({
   onStop,
   onKeyDown,
   onRecordingStatusChange,
-  cachedAgents,
   onFileUpload,
   onImageUpload,
   attachments = [],
@@ -1023,7 +1021,6 @@ export function ChatInput({
             onAgentSelect={onAgentSelect || (() => {})}
             disabled={isLoading || isStreaming}
             isInitialMode={isInitialMode}
-            agents={cachedAgents}
           />
         </div>
 
diff --git a/frontend/app/[locale]/chat/components/chatLeftSidebar.tsx b/frontend/app/[locale]/chat/components/chatLeftSidebar.tsx
index d93122654..baf569c36 100644
--- a/frontend/app/[locale]/chat/components/chatLeftSidebar.tsx
+++ b/frontend/app/[locale]/chat/components/chatLeftSidebar.tsx
@@ -14,7 +14,6 @@ import { Button, Dropdown } from "antd";
 import { Input } from "@/components/ui/input";
 import { Tooltip, TooltipProvider } from "@/components/ui/tooltip";
 import { StaticScrollArea } from "@/components/ui/scrollArea";
-import { USER_ROLES } from "@/const/modelConfig";
 import { useTranslation } from "react-i18next";
 import { useConfirmModal } from "@/hooks/useConfirmModal";
 import { ConversationListItem, ChatSidebarProps } from "@/types/chat";
@@ -94,13 +93,11 @@ export function ChatSidebar({
   onRename,
   onDelete,
   onSettingsClick,
-  settingsMenuItems,
   onDropdownOpenChange,
   onToggleSidebar,
   expanded,
   userEmail,
-  userAvatarUrl,
-  userRole = USER_ROLES.USER,
+  userAvatarUrl
 }: ChatSidebarProps) {
   const { t } = useTranslation();
   const { confirm } = useConfirmModal();
diff --git a/frontend/app/[locale]/chat/internal/chatInterface.tsx b/frontend/app/[locale]/chat/internal/chatInterface.tsx
index 46a3ecfd1..2bbdc7ff3 100644
--- a/frontend/app/[locale]/chat/internal/chatInterface.tsx
+++ b/frontend/app/[locale]/chat/internal/chatInterface.tsx
@@ -7,13 +7,14 @@ import { useRouter } from "next/navigation";
 import { v4 as uuidv4 } from "uuid";
 import { useTranslation } from "react-i18next";
 
-import { chatConfig, MESSAGE_ROLES } from "@/const/chatConfig";
+import { ROLE_ASSISTANT } from "@/const/agentConfig";
+import { MESSAGE_ROLES } from "@/const/chatConfig";
 import { useConfig } from "@/hooks/useConfig";
-import { useAuth } from "@/hooks/useAuth";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
+import { useDeployment } from "@/components/providers/deploymentProvider";
 import { conversationService } from "@/services/conversationService";
 import { storageService, convertImageUrlToApiUrl } from "@/services/storageService";
 import { useConversationManagement } from "@/hooks/chat/useConversationManagement";
-import { fetchAllAgents } from "@/services/agentConfigService";
 
 import { ChatSidebar } from "../components/chatLeftSidebar";
 import { FilePreview } from "@/types/chat";
@@ -55,7 +56,8 @@ const getI18nKeyByType = (type: string): string => {
 
 export function ChatInterface() {
   const router = useRouter();
-  const { user, isSpeedMode } = useAuth(); // Get user information
+  const { user } = useAuthorizationContext();
+  const { isSpeedMode } = useDeployment();
   const [input, setInput] = useState("");
   // Replace the original messages state
   const [sessionMessages, setSessionMessages] = useState<{
@@ -130,19 +132,14 @@ export function ChatInterface() {
   const [shouldScrollToBottom, setShouldScrollToBottom] = useState(false);
 
   // Add agent selection state
-  const [selectedAgentId, setSelectedAgentId] = useState<number | null>(null);
-
-  // Add global cache states to avoid repeated API calls
-  const [cachedAgents, setCachedAgents] = useState<any[]>([]);
-  const [agentsLoaded, setAgentsLoaded] = useState(false);
-  const [deploymentVersionLoaded, setDeploymentVersionLoaded] = useState(false);
+  const [selectedAgentId, setSelectedAgentId] = useState<string | null>(null);
 
   useEffect(() => {
     const agentId = sessionStorage.getItem("selectedAgentId");
-    // Set selected agent ID from sessionStorage if it exists and is a valid number
+    // Set selected agent ID from sessionStorage if it exists
     if (agentId) {
-        setSelectedAgentId(Number(agentId));
-        sessionStorage.removeItem("selectedAgentId");
+      setSelectedAgentId(agentId);
+      sessionStorage.removeItem("selectedAgentId");
     }
   },[]);
 
@@ -186,24 +183,6 @@ export function ChatInterface() {
     setSidebarOpen(!sidebarOpen);
   };
 
-  // Load agents only once and cache the result
-  const loadAgentsOnce = async () => {
-    if (agentsLoaded) return; // Already loaded, skip
-
-    try {
-      const result = await fetchAllAgents();
-      if (result.success) {
-        setCachedAgents(result.data);
-        setAgentsLoaded(true);
-        log.log("Agent list loaded and cached successfully");
-      } else {
-        log.error("Failed to load agent list:", result.message);
-      }
-    } catch (error) {
-      log.error("Failed to load agent list:", error);
-    }
-  };
-
   // Handle right panel toggle - keep it simple and clear
   const toggleRightPanel = () => {
     setShowRightPanel(!showRightPanel);
@@ -213,11 +192,6 @@ export function ChatInterface() {
     if (!conversationManagement.initialized.current) {
       conversationManagement.initialized.current = true;
 
-      // Load agent list only once when component initializes
-      if (!agentsLoaded) {
-        loadAgentsOnce();
-      }
-
       // Get conversation history list, but don't auto-select the latest conversation
       conversationManagement.fetchConversationList()
         .then((dialogData) => {
@@ -365,7 +339,7 @@ export function ChatInterface() {
     const assistantMessageId = uuidv4();
     const initialAssistantMessage: ChatMessageType = {
       id: assistantMessageId,
-      role: MESSAGE_ROLES.ASSISTANT,
+      role: ROLE_ASSISTANT,
       content: "",
       timestamp: new Date(),
       isComplete: false,
@@ -513,7 +487,7 @@ export function ChatInterface() {
           .map((msg) => ({
             role: msg.role,
             content:
-              msg.role === MESSAGE_ROLES.ASSISTANT
+              msg.role === ROLE_ASSISTANT
                 ? msg.finalAnswer?.trim() || msg.content || ""
                 : msg.content || "",
           })),
@@ -540,7 +514,7 @@ export function ChatInterface() {
 
       // Only add agent_id if it's not null
       if (selectedAgentId !== null) {
-        runAgentParams.agent_id = selectedAgentId;
+        runAgentParams.agent_id = Number(selectedAgentId);
       }
 
       const reader = await conversationService.runAgent(
@@ -597,7 +571,7 @@ export function ChatInterface() {
                   newMessages[currentConversationId]?.[
                     newMessages[currentConversationId].length - 1
                   ];
-                if (lastMsg && lastMsg.role === MESSAGE_ROLES.ASSISTANT) {
+                if (lastMsg && lastMsg.role === ROLE_ASSISTANT) {
                   lastMsg.error = t("chatInterface.requestTimeoutRetry");
                   lastMsg.isComplete = true;
                   lastMsg.thinking = undefined;
@@ -689,7 +663,7 @@ export function ChatInterface() {
             newMessages[currentConversationId]?.[
               newMessages[currentConversationId].length - 1
             ];
-          if (lastMsg && lastMsg.role === MESSAGE_ROLES.ASSISTANT) {
+          if (lastMsg && lastMsg.role === ROLE_ASSISTANT) {
             lastMsg.content = t("chatInterface.conversationStopped");
             lastMsg.isComplete = true;
             lastMsg.thinking = undefined; // Explicitly clear thinking state
@@ -706,7 +680,7 @@ export function ChatInterface() {
             newMessages[currentConversationId]?.[
               newMessages[currentConversationId].length - 1
             ];
-          if (lastMsg && lastMsg.role === MESSAGE_ROLES.ASSISTANT) {
+          if (lastMsg && lastMsg.role === ROLE_ASSISTANT) {
             lastMsg.content = errorMessage;
             lastMsg.isComplete = true;
             lastMsg.error = errorMessage;
@@ -1019,7 +993,7 @@ export function ChatInterface() {
                   conversationData.create_time
                 );
               formattedMessages.push(formattedUserMsg);
-            } else if (dialog_msg.role === MESSAGE_ROLES.ASSISTANT) {
+            } else if (dialog_msg.role === ROLE_ASSISTANT) {
               const formattedAssistantMsg: ChatMessageType =
                 extractAssistantMsgFromResponse(
                   dialog_msg,
@@ -1203,7 +1177,7 @@ export function ChatInterface() {
       const lastMsg =
         newMessages[conversationManagement.conversationId]?.[newMessages[conversationManagement.conversationId].length - 1];
 
-      if (lastMsg && lastMsg.role === MESSAGE_ROLES.ASSISTANT && lastMsg.images) {
+      if (lastMsg && lastMsg.role === ROLE_ASSISTANT && lastMsg.images) {
         // Filter out failed images
         lastMsg.images = lastMsg.images.filter((url) => url !== imageUrl);
       }
@@ -1256,7 +1230,7 @@ export function ChatInterface() {
         const newMessages = { ...prev };
         const lastMsg =
           newMessages[conversationManagement.conversationId]?.[newMessages[conversationManagement.conversationId].length - 1];
-        if (lastMsg && lastMsg.role === MESSAGE_ROLES.ASSISTANT) {
+        if (lastMsg && lastMsg.role === ROLE_ASSISTANT) {
           lastMsg.isComplete = true;
           lastMsg.thinking = undefined; // Explicitly clear thinking state
         }
@@ -1287,7 +1261,7 @@ export function ChatInterface() {
         const newMessages = { ...prev };
         const lastMsg =
           newMessages[conversationManagement.conversationId]?.[newMessages[conversationManagement.conversationId].length - 1];
-        if (lastMsg && lastMsg.role === MESSAGE_ROLES.ASSISTANT) {
+        if (lastMsg && lastMsg.role === ROLE_ASSISTANT) {
           lastMsg.isComplete = true;
           lastMsg.thinking = undefined; // Explicitly clear thinking state
           lastMsg.error = t(
@@ -1385,41 +1359,7 @@ export function ChatInterface() {
     // Both admin and regular users now use dropdown menus
   };
 
-  // Settings menu items based on user role (speed mode is treated as admin)
-  const settingsMenuItems = (isSpeedMode || user?.role === "admin") ? [
-    // Admin has three options
-    {
-      key: "models",
-      label: t("chatLeftSidebar.settingsMenu.modelConfig"),
-      onClick: () => {
-        localStorage.setItem("show_page", "1");
-        router.push("/setup/models");
-      },
-    },
-    {
-      key: "knowledges",
-      label: t("chatLeftSidebar.settingsMenu.knowledgeConfig"),
-      onClick: () => {
-        router.push("/setup/knowledges");
-      },
-    },
-    {
-      key: "agents",
-      label: t("chatLeftSidebar.settingsMenu.agentConfig"),
-      onClick: () => {
-        router.push("/setup/agents");
-      },
-    },
-  ] : [
-    // Regular user only has knowledge base configuration
-    {
-      key: "knowledges",
-      label: t("chatLeftSidebar.settingsMenu.knowledgeConfig"),
-      onClick: () => {
-        router.push("/setup/knowledges");
-      },
-    },
-  ];
+
 
   return (
     <>
@@ -1435,14 +1375,13 @@ export function ChatInterface() {
           onRename={handleConversationRename}
           onDelete={handleConversationDeleteClick}
           onSettingsClick={handleSettingsClick}
-          settingsMenuItems={settingsMenuItems}
           onDropdownOpenChange={(open: boolean, id: string | null) =>
             setOpenDropdownId(open ? id : null)
           }
           onToggleSidebar={toggleSidebar}
           expanded={sidebarOpen}
           userEmail={user?.email}
-          userAvatarUrl={user?.avatar_url}
+          userAvatarUrl={user?.avatarUrl}
           userRole={user?.role}
         />
 
@@ -1482,7 +1421,6 @@ export function ChatInterface() {
                 onAgentSelect={setSelectedAgentId}
                 onCitationHover={clearCompletedIndicator}
                 onScroll={clearCompletedIndicator}
-                cachedAgents={cachedAgents}
               />
             </div>
 
diff --git a/frontend/app/[locale]/chat/page.tsx b/frontend/app/[locale]/chat/page.tsx
index 5349f5cd7..b92b158f6 100644
--- a/frontend/app/[locale]/chat/page.tsx
+++ b/frontend/app/[locale]/chat/page.tsx
@@ -1,10 +1,10 @@
 "use client";
 
 import { useEffect, useRef } from "react";
-import { useAuth } from "@/hooks/useAuth";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
+import { useDeployment } from "@/components/providers/deploymentProvider";
 import { useConfig } from "@/hooks/useConfig";
 import { configService } from "@/services/configService";
-import { EVENTS } from "@/const/auth";
 import { ChatInterface } from "./internal/chatInterface";
 
 /**
@@ -13,49 +13,15 @@ import { ChatInterface } from "./internal/chatInterface";
  */
 export default function ChatContent() {
   const { appConfig } = useConfig();
-  const { user, isLoading: userLoading, isSpeedMode } = useAuth();
-  const canAccessProtectedData = isSpeedMode || (!userLoading && !!user);
-  const sessionExpiredTriggeredRef = useRef(false);
 
   useEffect(() => {
-    if (!canAccessProtectedData) {
-      return;
-    }
     // Load config from backend when entering chat page
     configService.loadConfigToFrontend();
 
     if (appConfig.appName) {
       document.title = `${appConfig.appName}`;
     }
-  }, [appConfig.appName, canAccessProtectedData]);
-
-  // Require login on chat page when unauthenticated (full mode only)
-  // Trigger SESSION_EXPIRED event to show "Login Expired" modal instead of directly opening login modal
-  useEffect(() => {
-    if (isSpeedMode) {
-      sessionExpiredTriggeredRef.current = false;
-      return;
-    }
-
-    if (user) {
-      sessionExpiredTriggeredRef.current = false;
-      return;
-    }
-
-    if (!userLoading && !sessionExpiredTriggeredRef.current) {
-      sessionExpiredTriggeredRef.current = true;
-      window.dispatchEvent(
-        new CustomEvent(EVENTS.SESSION_EXPIRED, {
-          detail: { message: "Session expired, please sign in again" },
-        })
-      );
-    }
-  }, [isSpeedMode, user, userLoading]);
-
-  // Avoid rendering and backend calls when unauthenticated (full mode only)
-  if (!canAccessProtectedData) {
-    return null;
-  }
+  }, [appConfig.appName]);
 
   return (
     <div className="flex h-full w-full flex-col overflow-hidden">
diff --git a/frontend/app/[locale]/chat/streaming/chatStreamMain.tsx b/frontend/app/[locale]/chat/streaming/chatStreamMain.tsx
index 543c5b0a8..ec3d0a7fa 100644
--- a/frontend/app/[locale]/chat/streaming/chatStreamMain.tsx
+++ b/frontend/app/[locale]/chat/streaming/chatStreamMain.tsx
@@ -38,7 +38,6 @@ export function ChatStreamMain({
   onAgentSelect,
   onCitationHover,
   onScroll,
-  cachedAgents,
 }: ChatStreamMainProps) {
   const { t } = useTranslation();
   // Animation variants for ChatInput
@@ -373,7 +372,6 @@ export function ChatStreamMain({
                         onImageUpload={onImageUpload}
                         selectedAgentId={selectedAgentId}
                         onAgentSelect={onAgentSelect}
-                        cachedAgents={cachedAgents}
                       />
                     </motion.div>
                   </AnimatePresence>
@@ -471,7 +469,6 @@ export function ChatStreamMain({
               onImageUpload={onImageUpload}
               selectedAgentId={selectedAgentId}
               onAgentSelect={onAgentSelect}
-              cachedAgents={cachedAgents}
             />
           </motion.div>
         </AnimatePresence>
diff --git a/frontend/app/[locale]/chat/streaming/messageTransformer.ts b/frontend/app/[locale]/chat/streaming/messageTransformer.ts
index c92d2b10c..713a22e70 100644
--- a/frontend/app/[locale]/chat/streaming/messageTransformer.ts
+++ b/frontend/app/[locale]/chat/streaming/messageTransformer.ts
@@ -1,5 +1,4 @@
 import { chatConfig, MESSAGE_ROLES } from "@/const/chatConfig";
-import { USER_ROLES } from "@/const/modelConfig";
 import { ChatMessageType, TaskMessageType } from "@/types/chat";
 
 /**
@@ -26,7 +25,7 @@ export function transformMessagesToTaskMessages(
 
   // First preprocess, find all user message IDs and initialize task groups
   messages.forEach((message) => {
-    if (message.role === USER_ROLES.USER && message.id) {
+    if (message.role === MESSAGE_ROLES.USER && message.id) {
       conversationGroups.set(message.id, []);
       truncationBuffer.set(message.id, []);
     }
@@ -37,7 +36,7 @@ export function transformMessagesToTaskMessages(
   // Process all messages
   messages.forEach((message) => {
     // User messages - record the ID for associating subsequent tasks
-    if (message.role === USER_ROLES.USER && message.id) {
+    if (message.role === MESSAGE_ROLES.USER && message.id) {
       currentUserMsgId = message.id;
     }
     // Assistant messages - extract task messages from steps
diff --git a/frontend/app/[locale]/knowledges/KnowledgeBaseConfiguration.tsx b/frontend/app/[locale]/knowledges/KnowledgeBaseConfiguration.tsx
index c790d0f32..4987b1c06 100644
--- a/frontend/app/[locale]/knowledges/KnowledgeBaseConfiguration.tsx
+++ b/frontend/app/[locale]/knowledges/KnowledgeBaseConfiguration.tsx
@@ -1,7 +1,13 @@
 "use client";
 
 import type React from "react";
-import { useState, useEffect, useRef, useLayoutEffect } from "react";
+import {
+  useState,
+  useEffect,
+  useRef,
+  useLayoutEffect,
+  useCallback,
+} from "react";
 import { useTranslation } from "react-i18next";
 
 import { App, Modal, Row, Col, theme, Button, Input, Form } from "antd";
@@ -199,14 +205,10 @@ function DataConfig({ isActive }: DataConfigProps) {
     fetchKnowledgeBases,
     createKnowledgeBase,
     deleteKnowledgeBase,
-    selectKnowledgeBase,
     setActiveKnowledgeBase,
-    isKnowledgeBaseSelectable,
     hasKnowledgeBaseModelMismatch,
     refreshKnowledgeBaseData,
     refreshKnowledgeBaseDataWithDataMate,
-    loadUserSelectedKnowledgeBases,
-    saveUserSelectedKnowledgeBases,
     dispatch: kbDispatch,
   } = useKnowledgeBaseContext();
 
@@ -226,6 +228,8 @@ function DataConfig({ isActive }: DataConfigProps) {
   // Create mode state
   const [isCreatingMode, setIsCreatingMode] = useState(false);
   const [newKbName, setNewKbName] = useState("");
+  const [newKbIngroupPermission, setNewKbIngroupPermission] = useState<string>("READ_ONLY");
+  const [newKbGroupIds, setNewKbGroupIds] = useState<number[]>([]);
   const [uploadFiles, setUploadFiles] = useState<File[]>([]);
   const [hasClickedUpload, setHasClickedUpload] = useState(false);
   const [showEmbeddingWarning, setShowEmbeddingWarning] = useState(false);
@@ -278,11 +282,7 @@ function DataConfig({ isActive }: DataConfigProps) {
   // User configuration loading and saving logic based on isActive state
   const prevIsActiveRef = useRef<boolean | null>(null); // Initialize as null to distinguish first render
   const hasLoadedRef = useRef(false); // Track whether configuration has been loaded
-  const savedSelectedIdsRef = useRef<string[]>([]); // Save currently selected knowledge base IDs
-  const savedKnowledgeBasesRef = useRef<any[]>([]); // Save current knowledge base list
-  const hasUserInteractedRef = useRef(false); // Track whether user has interacted (prevent saving empty state during initial load)
   const hasCleanedRef = useRef(false); // Ensure auto-deselect runs only once per entry
-  const shouldPersistSelectionRef = useRef(false); // Flag to persist selection after change
 
   // Listen for isActive state changes
   useLayoutEffect(() => {
@@ -295,41 +295,13 @@ function DataConfig({ isActive }: DataConfigProps) {
     // Mark ready to load when entering second page
     if ((prevIsActive === null || !prevIsActive) && isActive) {
       hasLoadedRef.current = false; // Reset loading state
-      hasUserInteractedRef.current = false; // Reset interaction state to prevent incorrect saving
       hasCleanedRef.current = false; // Reset auto-clean flag on entering
     }
 
-    // Save user configuration when leaving second page
-    if (prevIsActive === true && !isActive) {
-      // Only save after user has interacted to prevent saving empty state during initial load
-      if (hasUserInteractedRef.current) {
-        const saveConfig = async () => {
-          localStorage.removeItem("preloaded_kb_data");
-          localStorage.removeItem("kb_cache");
-
-          try {
-            await saveUserSelectedKnowledgeBases();
-          } catch (error) {
-            log.error("保存用户配置失败:", error);
-          }
-        };
-
-        saveConfig();
-      }
-
-      hasLoadedRef.current = false; // Reset loading state
-    }
-
     // Update ref
     prevIsActiveRef.current = isActive;
   }, [isActive]);
 
-  // Save current state to ref in real-time to ensure access during unmount
-  useEffect(() => {
-    savedSelectedIdsRef.current = kbState.selectedIds;
-    savedKnowledgeBasesRef.current = kbState.knowledgeBases;
-  }, [kbState.selectedIds, kbState.knowledgeBases]);
-
   // Helper function to get authorization headers
   const getAuthHeaders = () => {
     const session =
@@ -344,47 +316,6 @@ function DataConfig({ isActive }: DataConfigProps) {
     };
   };
 
-  // Save logic when component unmounts
-  useEffect(() => {
-    return () => {
-      // When component unmounts, if previously active and user has interacted, execute save
-      if (prevIsActiveRef.current === true && hasUserInteractedRef.current) {
-        // Use saved state instead of current potentially cleared state
-        const selectedKnowledgeBases = savedKnowledgeBasesRef.current.filter(
-          (kb) => savedSelectedIdsRef.current.includes(kb.id)
-        );
-
-        // Group knowledge bases by source
-        const knowledgeBySource: { nexent?: string[]; datamate?: string[] } =
-          {};
-        selectedKnowledgeBases.forEach((kb) => {
-          const source = kb.source as keyof typeof knowledgeBySource;
-          if (!knowledgeBySource[source]) {
-            knowledgeBySource[source] = [];
-          }
-          knowledgeBySource[source]!.push(kb.id);
-        });
-
-        try {
-          // Use fetch with keepalive to ensure request can be sent during page unload
-          fetch(API_ENDPOINTS.tenantConfig.updateKnowledgeList, {
-            method: "POST",
-            headers: {
-              "Content-Type": "application/json",
-              ...getAuthHeaders(),
-            },
-            body: JSON.stringify(knowledgeBySource),
-            keepalive: true,
-          }).catch((error) => {
-            log.error("卸载时保存失败:", error);
-          });
-        } catch (error) {
-          log.error("卸载时保存请求异常:", error);
-        }
-      }
-    };
-  }, []);
-
   // Separately listen for knowledge base loading state, load user configuration when knowledge base loading is complete and in active state
   useEffect(() => {
     // Only execute when second page is active, knowledge base is loaded, and user configuration hasn't been loaded yet
@@ -394,16 +325,7 @@ function DataConfig({ isActive }: DataConfigProps) {
       !kbState.isLoading &&
       !hasLoadedRef.current
     ) {
-      const loadConfig = async () => {
-        try {
-          await loadUserSelectedKnowledgeBases();
-          hasLoadedRef.current = true;
-        } catch (error) {
-          log.error("加载用户配置失败:", error);
-        }
-      };
-
-      loadConfig();
+      hasLoadedRef.current = true;
     }
   }, [isActive, kbState.knowledgeBases.length, kbState.isLoading]);
 
@@ -422,43 +344,6 @@ function DataConfig({ isActive }: DataConfigProps) {
     if (embeddingName) allowedModels.add(embeddingName);
     if (multiEmbeddingName) allowedModels.add(multiEmbeddingName);
 
-    const currentSelected = kbState.selectedIds;
-    if (currentSelected.length === 0) {
-      hasCleanedRef.current = true;
-      return;
-    }
-
-    // If both empty, clear all
-    if (allowedModels.size === 0) {
-      shouldPersistSelectionRef.current = true;
-      kbDispatch({
-        type: KNOWLEDGE_BASE_ACTION_TYPES.SELECT_KNOWLEDGE_BASE,
-        payload: [],
-      });
-      hasUserInteractedRef.current = true;
-      setShowAutoDeselectModal(true);
-      hasCleanedRef.current = true;
-      return;
-    }
-
-    const filtered = currentSelected.filter((id) => {
-      const kb = kbState.knowledgeBases.find((k) => k.id === id);
-      if (!kb) return false;
-      // DataMate knowledge bases are always allowed (skip model check)
-      if (kb.source === "datamate") return true;
-      return allowedModels.has(kb.embeddingModel);
-    });
-
-    if (filtered.length !== currentSelected.length) {
-      shouldPersistSelectionRef.current = true;
-      kbDispatch({
-        type: KNOWLEDGE_BASE_ACTION_TYPES.SELECT_KNOWLEDGE_BASE,
-        payload: filtered,
-      });
-      hasUserInteractedRef.current = true;
-      setShowAutoDeselectModal(true);
-    }
-
     hasCleanedRef.current = true;
   }, [
     isActive,
@@ -495,7 +380,6 @@ function DataConfig({ isActive }: DataConfigProps) {
   ) => {
     // Only reset creation mode when user clicks
     if (fromUserClick) {
-      hasUserInteractedRef.current = true; // Mark user interaction
       setIsCreatingMode(false); // Reset creating mode
       setHasClickedUpload(false); // Reset upload button click state
     }
@@ -595,8 +479,6 @@ function DataConfig({ isActive }: DataConfigProps) {
 
   // Handle knowledge base deletion
   const handleDelete = (id: string) => {
-    hasUserInteractedRef.current = true; // Mark user interaction
-
     // Find the knowledge base to check its source
     const kb = kbState.knowledgeBases.find((kb) => kb.id === id);
 
@@ -658,12 +540,14 @@ function DataConfig({ isActive }: DataConfigProps) {
       // Use unified success message
       message.success(t("knowledgeBase.message.syncSuccess"));
     } catch (error) {
-      // Use unified error message
-      message.error(
-        t("knowledgeBase.message.syncError", {
-          error: (error as Error)?.message || t("common.unknownError"),
-        })
-      );
+      // Check if it's a DataMate sync error
+      if (error instanceof Error && error.name === "DataMateSyncError") {
+        // Show DataMate-specific friendly error message
+        message.error(t("knowledgeBase.message.syncDataMateError"));
+      } else {
+        // Use unified error message
+        message.error(t("knowledgeBase.message.syncError"));
+      }
     } finally {
       // Clear sync loading state
       kbDispatch({
@@ -676,11 +560,46 @@ function DataConfig({ isActive }: DataConfigProps) {
   // Handle DataMate configuration
   const [showDataMateConfigModal, setShowDataMateConfigModal] = useState(false);
   const [dataMateUrl, setDataMateUrl] = useState("");
+  const [dataMateUrlError, setDataMateUrlError] = useState<string | null>(null);
   const configStore = ConfigStore.getInstance();
 
-  // Monitor DataMate URL changes
+  /**
+   * Validate DataMate URL format
+   * @param url URL to validate
+   * @returns Error message if invalid, null if valid
+   */
+  const validateDataMateUrl = useCallback(
+    (url: string): string | null => {
+      if (!url || url.trim() === "") {
+        return null; // Empty URL is valid (optional field)
+      }
+
+      // Check if URL has http:// or https:// protocol
+      if (!url.startsWith("http://") && !url.startsWith("https://")) {
+        return t("knowledgeBase.error.invalidUrlProtocol");
+      }
+
+      // Check if URL is a valid format (has hostname)
+      try {
+        const urlObj = new URL(url);
+        if (!urlObj.hostname || urlObj.hostname.trim() === "") {
+          return t("knowledgeBase.error.invalidUrlFormat");
+        }
+      } catch {
+        return t("knowledgeBase.error.invalidUrlFormat");
+      }
+
+      return null; // Valid URL
+    },
+    [t]
+  );
+
+  // Monitor DataMate URL changes and validate
   useEffect(() => {
-    console.log("DataMate URL changed to:", dataMateUrl);
+    // Clear error when URL changes
+    if (dataMateUrlError) {
+      setDataMateUrlError(null);
+    }
   }, [dataMateUrl]);
 
   const handleDataMateConfig = () => {
@@ -688,6 +607,38 @@ function DataConfig({ isActive }: DataConfigProps) {
   };
 
   const handleDataMateConfigSave = async () => {
+    // Validate URL format before saving
+    const urlError = validateDataMateUrl(dataMateUrl);
+    if (urlError) {
+      setDataMateUrlError(urlError);
+      return;
+    }
+
+    // Test connection and sync if URL is provided (non-empty)
+    if (dataMateUrl.trim() !== "") {
+      setDataMateUrlError(t("knowledgeBase.message.testingConnection"));
+      try {
+        // First test basic connection
+        const connectionResult =
+          await knowledgeBaseService.testDataMateConnection(dataMateUrl);
+        if (!connectionResult.success) {
+          setDataMateUrlError(t("knowledgeBase.error.connectionFailed"));
+          return;
+        }
+
+        // Then test the actual sync endpoint (sync_datamate_knowledge)
+        // This is the actual operation that will be used when syncing knowledge bases
+        setDataMateUrlError(t("knowledgeBase.message.testingSync"));
+        await knowledgeBaseService.syncDataMateAndCreateRecords(dataMateUrl);
+      } catch (error) {
+        setDataMateUrlError(t("knowledgeBase.error.syncFailed"));
+        return;
+      }
+    }
+
+    // Clear any previous error and proceed with saving
+    setDataMateUrlError(null);
+
     try {
       console.log("Saving DataMate URL:", dataMateUrl);
 
@@ -739,10 +690,11 @@ function DataConfig({ isActive }: DataConfigProps) {
 
   // Handle new knowledge base creation
   const handleCreateNew = () => {
-    hasUserInteractedRef.current = true; // Mark user interaction
     // Generate default knowledge base name
     const defaultName = generateUniqueKbName(kbState.knowledgeBases);
     setNewKbName(defaultName);
+    setNewKbIngroupPermission("READ_ONLY");
+    setNewKbGroupIds([]);
     setIsCreatingMode(true);
     setHasClickedUpload(false); // Reset upload button click state
     setUploadFiles([]); // Reset upload files array, clear all pending upload files
@@ -803,7 +755,9 @@ function DataConfig({ isActive }: DataConfigProps) {
         const newKB = await createKnowledgeBase(
           newKbName.trim(),
           t("knowledgeBase.description.default"),
-          "elasticsearch"
+          "elasticsearch",
+          newKbIngroupPermission,
+          newKbGroupIds
         );
 
         if (!newKB) {
@@ -920,46 +874,6 @@ function DataConfig({ isActive }: DataConfigProps) {
     }
   }, [newlyCreatedKbId, viewingDocuments.length]);
 
-  // Handle knowledge base selection
-  const handleSelectKnowledgeBase = (id: string) => {
-    hasUserInteractedRef.current = true; // Mark user interaction
-    selectKnowledgeBase(id);
-    // Persist selection immediately after reducer updates state
-    shouldPersistSelectionRef.current = true;
-
-    // When selecting knowledge base also get latest data (low priority background operation)
-    setTimeout(async () => {
-      try {
-        // Use lower priority to refresh data as this is not a critical operation
-        await refreshKnowledgeBaseData(true);
-      } catch (error) {
-        log.error("刷新知识库数据失败:", error);
-        // Error doesn't affect user experience
-      }
-    }, 500); // Delay execution, lower priority
-  };
-
-  // Persist user selection changes immediately when flagged
-  useEffect(() => {
-    if (!isActive) return;
-    if (!shouldPersistSelectionRef.current) return;
-    let cancelled = false;
-    (async () => {
-      try {
-        await saveUserSelectedKnowledgeBases();
-      } catch (error) {
-        log.error("保存用户选择的知识库失败:", error);
-      } finally {
-        if (!cancelled) {
-          shouldPersistSelectionRef.current = false;
-        }
-      }
-    })();
-    return () => {
-      cancelled = true;
-    };
-  }, [kbState.selectedIds, isActive, saveUserSelectedKnowledgeBases]);
-
   // Update active knowledge base ID in polling service when component initializes or active knowledge base changes
   useEffect(() => {
     if (kbState.activeKnowledgeBase) {
@@ -1042,19 +956,16 @@ function DataConfig({ isActive }: DataConfigProps) {
           >
             <KnowledgeBaseList
               knowledgeBases={kbState.knowledgeBases}
-              selectedIds={kbState.selectedIds}
               activeKnowledgeBase={kbState.activeKnowledgeBase}
               currentEmbeddingModel={kbState.currentEmbeddingModel}
               isLoading={kbState.isLoading}
               syncLoading={kbState.syncLoading}
-              onSelect={handleSelectKnowledgeBase}
               onClick={handleKnowledgeBaseClick}
               onDelete={handleDelete}
               onSync={handleSync}
               onCreateNew={handleCreateNew}
               onDataMateConfig={handleDataMateConfig}
               showDataMateConfig={modelEngineEnabled}
-              isSelectable={isKnowledgeBaseSelectable}
               getModelDisplayName={(modelId) => modelId}
               containerHeight={SETUP_PAGE_CONTAINER.MAIN_CONTENT_HEIGHT}
               onKnowledgeBaseChange={() => {}} // No need to trigger repeatedly here as it's already handled in handleKnowledgeBaseClick
@@ -1095,6 +1006,11 @@ function DataConfig({ isActive }: DataConfigProps) {
                 onNameChange={handleNameChange}
                 containerHeight={SETUP_PAGE_CONTAINER.MAIN_CONTENT_HEIGHT}
                 hasDocuments={hasClickedUpload || docState.isUploading}
+                // Group permission and user groups for create mode
+                ingroupPermission={newKbIngroupPermission}
+                onIngroupPermissionChange={setNewKbIngroupPermission}
+                selectedGroupIds={newKbGroupIds}
+                onSelectedGroupIdsChange={setNewKbGroupIds}
                 // Upload related props
                 isDragging={uiState.isDragging}
                 onDragOver={handleDragOver}
@@ -1128,6 +1044,10 @@ function DataConfig({ isActive }: DataConfigProps) {
                 containerHeight={SETUP_PAGE_CONTAINER.MAIN_CONTENT_HEIGHT}
                 hasDocuments={viewingDocuments.length > 0}
                 isNewlyCreatedAndWaiting={isNewlyCreatedAndWaiting}
+                onChunkCountChange={() => {
+                  // Trigger knowledge base list update to refresh chunk count
+                  knowledgeBasePollingService.triggerKnowledgeBaseListUpdate(true);
+                }}
                 // Upload related props
                 isDragging={uiState.isDragging}
                 onDragOver={handleDragOver}
@@ -1196,6 +1116,8 @@ function DataConfig({ isActive }: DataConfigProps) {
         onOk={handleDataMateConfigSave}
         onCancel={() => {
           setShowDataMateConfigModal(false);
+          // Clear error state
+          setDataMateUrlError(null);
           // Reload config to ensure we have the latest values
           loadDataMateConfig();
         }}
@@ -1210,10 +1132,19 @@ function DataConfig({ isActive }: DataConfigProps) {
             {t("knowledgeBase.modal.dataMateConfig.description")}
           </div>
           <Form layout="vertical">
-            <Form.Item label={t("knowledgeBase.modal.dataMateConfig.urlLabel")}>
+            <Form.Item
+              label={t("knowledgeBase.modal.dataMateConfig.urlLabel")}
+              help={dataMateUrlError}
+              validateStatus={dataMateUrlError ? "error" : undefined}
+            >
               <Input
                 value={dataMateUrl}
                 onChange={(e) => setDataMateUrl(e.target.value)}
+                onBlur={() => {
+                  // Validate on blur
+                  const error = validateDataMateUrl(dataMateUrl);
+                  setDataMateUrlError(error);
+                }}
                 placeholder={t(
                   "knowledgeBase.modal.dataMateConfig.urlPlaceholder"
                 )}
diff --git a/frontend/app/[locale]/knowledges/components/document/DocumentChunk.tsx b/frontend/app/[locale]/knowledges/components/document/DocumentChunk.tsx
index 7d40b0df7..3f1ca9ed6 100644
--- a/frontend/app/[locale]/knowledges/components/document/DocumentChunk.tsx
+++ b/frontend/app/[locale]/knowledges/components/document/DocumentChunk.tsx
@@ -1,6 +1,6 @@
 "use client";
 
-import React, { useState, useEffect } from "react";
+import React, { useState, useEffect, useRef } from "react";
 import { useTranslation } from "react-i18next";
 import {
   Tabs,
@@ -12,7 +12,6 @@ import {
   Tag,
   Form,
   Modal,
-  Tooltip as AntdTooltip,
   Pagination,
   Input,
 } from "antd";
@@ -60,6 +59,7 @@ interface DocumentChunkProps {
   getFileIcon: (type: string) => string;
   currentEmbeddingModel?: string | null;
   knowledgeBaseEmbeddingModel?: string;
+  onChunkCountChange?: () => void; // Callback when chunk count changes (for updating KnowledgeBaseList)
 }
 
 const PAGE_SIZE = 10;
@@ -75,6 +75,7 @@ const DocumentChunk: React.FC<DocumentChunkProps> = ({
   getFileIcon,
   currentEmbeddingModel = null,
   knowledgeBaseEmbeddingModel = "",
+  onChunkCountChange,
 }) => {
   const { t } = useTranslation();
   const { message } = App.useApp();
@@ -106,6 +107,9 @@ const DocumentChunk: React.FC<DocumentChunkProps> = ({
   const [editingChunk, setEditingChunk] = useState<Chunk | null>(null);
   const [chunkForm] = Form.useForm<ChunkFormValues>();
   const [tooltipResetKey, setTooltipResetKey] = useState(0);
+  // Ref for scrolling to bottom after creating new chunk
+  const contentScrollRef = useRef<HTMLDivElement>(null);
+  const [scrollToBottomAfterLoad, setScrollToBottomAfterLoad] = useState(false);
 
   const resetChunkSearch = React.useCallback(() => {
     setChunkSearchResult(null);
@@ -122,7 +126,19 @@ const DocumentChunk: React.FC<DocumentChunkProps> = ({
     setTooltipResetKey((prev) => prev + 1);
   }, []);
 
-  // Determine if in read-only mode
+  // Determine if embedding models mismatch (specific condition for tooltip)
+  const isEmbeddingModelMismatch = React.useMemo(() => {
+    if (!currentEmbeddingModel || !knowledgeBaseEmbeddingModel) {
+      return false;
+    }
+    if (knowledgeBaseEmbeddingModel === "unknown") {
+      return false;
+    }
+    return currentEmbeddingModel !== knowledgeBaseEmbeddingModel;
+  }, [currentEmbeddingModel, knowledgeBaseEmbeddingModel]);
+
+  // Determine if in read-only mode (embedding model mismatch OR other read-only reasons)
+  // Note: isReadOnlyMode is broader, includes model mismatch and other conditions
   const isReadOnlyMode = React.useMemo(() => {
     if (!currentEmbeddingModel || !knowledgeBaseEmbeddingModel) {
       return false;
@@ -133,6 +149,17 @@ const DocumentChunk: React.FC<DocumentChunkProps> = ({
     return currentEmbeddingModel !== knowledgeBaseEmbeddingModel;
   }, [currentEmbeddingModel, knowledgeBaseEmbeddingModel]);
 
+  // Disabled tooltip message when embedding model mismatch
+  const disabledTooltipMessage = React.useMemo(() => {
+    if (isEmbeddingModelMismatch && currentEmbeddingModel && knowledgeBaseEmbeddingModel && knowledgeBaseEmbeddingModel !== "unknown") {
+      return t("document.chunk.tooltip.disabledDueToModelMismatch", {
+        currentModel: currentEmbeddingModel,
+        knowledgeBaseModel: knowledgeBaseEmbeddingModel
+      });
+    }
+    return "";
+  }, [isEmbeddingModelMismatch, currentEmbeddingModel, knowledgeBaseEmbeddingModel, t]);
+
   // Set active document when documents change
   useEffect(() => {
     if (documents.length === 0) {
@@ -169,12 +196,25 @@ const DocumentChunk: React.FC<DocumentChunkProps> = ({
         activeDocumentKey
       );
 
-      setChunks(result.chunks || []);
+      const loadedChunks = result.chunks || [];
       setTotal(result.total || 0);
       setDocumentChunkCounts((prev) => ({
         ...prev,
         [activeDocumentKey]: result.total || 0,
       }));
+
+      setChunks(loadedChunks);
+
+      // Scroll to bottom after loading if requested (e.g., after creating new chunk)
+      if (scrollToBottomAfterLoad) {
+        setScrollToBottomAfterLoad(false);
+        // Use setTimeout to ensure DOM is updated
+        setTimeout(() => {
+          if (contentScrollRef.current) {
+            contentScrollRef.current.scrollTop = contentScrollRef.current.scrollHeight;
+          }
+        }, 100);
+      }
     } catch (error) {
       log.error("Failed to load chunks:", error);
       message.error(t("document.chunk.error.loadFailed"));
@@ -186,6 +226,7 @@ const DocumentChunk: React.FC<DocumentChunkProps> = ({
     activeDocumentKey,
     pagination.page,
     pagination.pageSize,
+    scrollToBottomAfterLoad,
     message,
     t,
   ]);
@@ -262,6 +303,15 @@ const DocumentChunk: React.FC<DocumentChunkProps> = ({
       return;
     }
 
+    // Check embedding model consistency before searching
+    if (isEmbeddingModelMismatch && currentEmbeddingModel && knowledgeBaseEmbeddingModel && knowledgeBaseEmbeddingModel !== "unknown") {
+      message.error(t("document.chunk.error.searchFailed", {
+        currentModel: currentEmbeddingModel,
+        knowledgeBaseModel: knowledgeBaseEmbeddingModel
+      }));
+      return;
+    }
+
     if (!knowledgeBaseName) {
       message.error(t("document.chunk.error.searchFailed"));
       return;
@@ -306,11 +356,15 @@ const DocumentChunk: React.FC<DocumentChunkProps> = ({
     }
   }, [
     knowledgeBaseName,
+    knowledgeBaseId,
     message,
     pagination.pageSize,
     resetChunkSearch,
     searchValue,
     t,
+    isEmbeddingModelMismatch,
+    currentEmbeddingModel,
+    knowledgeBaseEmbeddingModel,
   ]);
 
   const refreshChunks = React.useCallback(async () => {
@@ -390,6 +444,20 @@ const DocumentChunk: React.FC<DocumentChunkProps> = ({
       return;
     }
 
+    // Check embedding model consistency before creating chunk
+    if (chunkModalMode === "create") {
+      if (knowledgeBaseEmbeddingModel &&
+        knowledgeBaseEmbeddingModel !== "unknown" &&
+        currentEmbeddingModel &&
+        currentEmbeddingModel !== knowledgeBaseEmbeddingModel) {
+        message.error(t("document.chunk.error.createFailed", {
+          currentModel: currentEmbeddingModel,
+          knowledgeBaseModel: knowledgeBaseEmbeddingModel
+        }));
+        return;
+      }
+    }
+
     try {
       const values = await chunkForm.validateFields();
       setChunkSubmitting(true);
@@ -401,6 +469,14 @@ const DocumentChunk: React.FC<DocumentChunkProps> = ({
         });
         message.success(t("document.chunk.success.create"));
         resetChunkSearch();
+
+        // Navigate to the last page to show the new chunk at the bottom
+        const lastPage = Math.ceil((total + 1) / pagination.pageSize);
+        setPagination((prev) => ({ ...prev, page: lastPage }));
+        // Trigger scroll to bottom after data loads
+        setScrollToBottomAfterLoad(true);
+        // Notify parent to update knowledge base list (chunk count)
+        onChunkCountChange?.();
       } else {
         if (!editingChunk?.id) {
           message.error(t("document.chunk.error.missingChunkId"));
@@ -463,6 +539,17 @@ const DocumentChunk: React.FC<DocumentChunkProps> = ({
           await knowledgeBaseService.deleteChunk(knowledgeBaseName, chunk.id);
           message.success(t("document.chunk.success.delete"));
           forceCloseTooltips();
+          // Update chunk count immediately for better UX
+          setTotal((prevTotal) => Math.max(0, prevTotal - 1));
+          setDocumentChunkCounts((prev) => ({
+            ...prev,
+            [chunk.path_or_url || activeDocumentKey]: Math.max(
+              0,
+              (prev[chunk.path_or_url || activeDocumentKey] || 1) - 1
+            ),
+          }));
+          // Notify parent to update knowledge base list (chunk count)
+          onChunkCountChange?.();
           await refreshChunks();
         } catch (error) {
           log.error("Failed to delete chunk:", error);
@@ -483,7 +570,7 @@ const DocumentChunk: React.FC<DocumentChunkProps> = ({
     const displayName = getDisplayName(doc.name || "");
 
     return (
-      <AntdTooltip title={displayName} placement="top" arrow>
+      <Tooltip title={displayName} placement="top">
         <div className="flex w-full items-center justify-between gap-2 min-w-0">
           <div className="flex items-center gap-1.5 min-w-0">
             <span>{getFileIcon(doc.type)}</span>
@@ -498,7 +585,7 @@ const DocumentChunk: React.FC<DocumentChunkProps> = ({
             className="flex-shrink-0 chunk-count-badge"
           />
         </div>
-      </AntdTooltip>
+      </Tooltip>
     );
   };
 
@@ -547,7 +634,7 @@ const DocumentChunk: React.FC<DocumentChunkProps> = ({
       label: renderDocumentLabel(doc, chunkCount),
       children: (
         <div className="flex h-full flex-col min-h-0 overflow-hidden">
-          <div className="flex-1 min-h-0 overflow-y-auto p-4 pb-8">
+          <div ref={contentScrollRef} className="flex-1 min-h-0 overflow-y-auto p-4 pb-8">
             {showLoadingState ? (
               <div className="flex h-52 items-center justify-center">
                 <Spin size="large" />
@@ -698,47 +785,69 @@ const DocumentChunk: React.FC<DocumentChunkProps> = ({
         {/* Search and Add Button Bar */}
         <div className="flex items-center justify-end gap-2 px-2 py-3 border-b border-gray-200 shrink-0">
           <div className="flex items-center gap-2">
-            <Input
-              placeholder={t("document.chunk.search.placeholder")}
-              value={searchValue}
-              onChange={(e) => setSearchValue(e.target.value)}
-              onPressEnter={() => {
-                void handleSearch();
-              }}
-              style={{ width: 320 }}
-              suffix={
-                <div className="flex items-center gap-1">
-                  {searchValue && (
-                    <Button
-                      type="text"
-                      icon={<X size={16} />}
-                      onClick={handleClearSearch}
-                      size="small"
-                      className="text-gray-500 hover:text-gray-700"
-                    />
-                  )}
-                  <Button
-                    type="text"
-                    icon={<Search size={16} />}
-                    onClick={() => {
+            {/* Wrap search input with tooltip when model mismatch */}
+            {isEmbeddingModelMismatch ? (
+              <Tooltip title={disabledTooltipMessage}>
+                <span className="inline-block">
+                  <Input
+                    placeholder={t("document.chunk.search.placeholder")}
+                    value={searchValue}
+                    onChange={(e) => setSearchValue(e.target.value)}
+                    onPressEnter={() => {
                       void handleSearch();
                     }}
-                    size="small"
-                    loading={chunkSearchLoading}
+                    style={{ width: 320 }}
+                    disabled={true}
                   />
-                </div>
-              }
-            />
+                </span>
+              </Tooltip>
+            ) : (
+                <Input
+                  placeholder={t("document.chunk.search.placeholder")}
+                  value={searchValue}
+                  onChange={(e) => setSearchValue(e.target.value)}
+                  onPressEnter={() => {
+                    void handleSearch();
+                  }}
+                  style={{ width: 320 }}
+                  disabled={isReadOnlyMode}
+                  suffix={
+                    <div className="flex items-center gap-1">
+                      {searchValue && (
+                        <Button
+                          type="text"
+                          icon={<X size={16} />}
+                          onClick={handleClearSearch}
+                          size="small"
+                          className="text-gray-500 hover:text-gray-700"
+                        />
+                      )}
+                      <Button
+                        type="text"
+                        icon={<Search size={16} />}
+                        onClick={() => {
+                          void handleSearch();
+                        }}
+                        size="small"
+                        loading={chunkSearchLoading}
+                        disabled={isReadOnlyMode}
+                      />
+                    </div>
+                  }
+                />
+            )}
           </div>
-          {!isReadOnlyMode && (
-            <Tooltip title={t("document.chunk.tooltip.create")}>
+          {/* Show Create Chunk button with tooltip only when model mismatch; hide in other read-only scenarios */}
+          {!isReadOnlyMode || isEmbeddingModelMismatch ? (
+            <Tooltip title={isEmbeddingModelMismatch ? disabledTooltipMessage : undefined}>
               <Button
                 type="text"
                 icon={<FilePlus2 size={16} />}
                 onClick={openCreateChunkModal}
+                disabled={isEmbeddingModelMismatch}
               ></Button>
             </Tooltip>
-          )}
+          ) : null}
         </div>
 
         <Tabs
diff --git a/frontend/app/[locale]/knowledges/components/document/DocumentList.tsx b/frontend/app/[locale]/knowledges/components/document/DocumentList.tsx
index d8b09f9e7..abf0c1501 100644
--- a/frontend/app/[locale]/knowledges/components/document/DocumentList.tsx
+++ b/frontend/app/[locale]/knowledges/components/document/DocumentList.tsx
@@ -9,7 +9,7 @@ import { useTranslation } from "react-i18next";
 
 import { Input, Button, App, Select } from "antd";
 import { InfoCircleFilled } from "@ant-design/icons";
-import { BookText, Pilcrow } from "lucide-react";
+import { BookText, Pilcrow, PencilRuler, Eye, Glasses, CircleOff } from "lucide-react";
 import { MarkdownRenderer } from "@/components/ui/markdownRenderer";
 
 import {
@@ -21,17 +21,20 @@ import {
 } from "@/const/knowledgeBase";
 import knowledgeBaseService from "@/services/knowledgeBaseService";
 import { modelService } from "@/services/modelService";
+import { getTenantDefaultGroupId } from "@/services/groupService";
 import { Document } from "@/types/knowledgeBase";
 import { ModelOption } from "@/types/modelConfig";
 import { formatFileSize } from "@/lib/utils";
 import log from "@/lib/logger";
 import { useConfig } from "@/hooks/useConfig";
+import { useGroupList } from "@/hooks/group/useGroupList";
 
 import DocumentStatus from "./DocumentStatus";
 import DocumentChunk from "./DocumentChunk";
 import UploadArea from "../upload/UploadArea";
 import { useKnowledgeBaseContext } from "../../contexts/KnowledgeBaseContext";
 import { useDocumentContext } from "../../contexts/DocumentContext";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
 
 const CONTAINER_HEIGHT_CLASS_MAP: Record<string, string> = {
   "83vh": "h-[83vh]",
@@ -62,6 +65,13 @@ interface DocumentListProps {
   onNameChange?: (name: string) => void;
   hasDocuments?: boolean;
   isNewlyCreatedAndWaiting?: boolean; // New prop to track newly created KB waiting for documents
+  onChunkCountChange?: () => void; // Callback when chunk count changes
+
+  // Group permission and user groups for create mode
+  ingroupPermission?: string;
+  onIngroupPermissionChange?: (value: string) => void;
+  selectedGroupIds?: number[];
+  onSelectedGroupIdsChange?: (values: number[]) => void;
 
   // Upload related props
   isDragging?: boolean;
@@ -94,6 +104,12 @@ const DocumentListContainer = forwardRef<DocumentListRef, DocumentListProps>(
       onNameChange,
       hasDocuments = false,
       isNewlyCreatedAndWaiting = false, // New prop
+      onChunkCountChange,
+      // Group permission and user groups for create mode
+      ingroupPermission,
+      onIngroupPermissionChange,
+      selectedGroupIds,
+      onSelectedGroupIdsChange,
 
       // Upload related props
       isDragging = false,
@@ -110,6 +126,18 @@ const DocumentListContainer = forwardRef<DocumentListRef, DocumentListProps>(
     const uploadAreaRef = useRef<any>(null);
     const { state: docState } = useDocumentContext();
     const { modelConfig } = useConfig();
+    const { user } = useAuthorizationContext();
+    const tenantId = user?.tenantId || null;
+
+    // Fetch groups for group selection
+    const { data: groupData } = useGroupList(tenantId, 1, 100);
+    const groups = groupData?.groups || [];
+
+    // Create group name mapping
+    const groupOptions = groups.map((group) => ({
+      label: group.group_name,
+      value: group.group_id,
+    }));
 
     // Use fixed height instead of percentage
     const titleBarHeight = UI_CONFIG.TITLE_BAR_HEIGHT;
@@ -140,6 +168,25 @@ const DocumentListContainer = forwardRef<DocumentListRef, DocumentListProps>(
       }
     };
 
+    // Get permission icon for dropdown options
+    const getPermissionIcon = (permission: string) => {
+      const iconProps = {
+        size: 16,
+        className: "text-gray-500",
+      };
+
+      switch (permission) {
+        case "EDIT":
+          return <PencilRuler {...iconProps} />;
+        case "READ_ONLY":
+          return <Eye {...iconProps} />;
+        case "PRIVATE":
+          return <Glasses {...iconProps} />;
+        default:
+          return <CircleOff {...iconProps} />;
+      }
+    };
+
     // Build model mismatch info
     const getMismatchInfo = (): string => {
       if (embeddingModelInfo) return embeddingModelInfo;
@@ -164,10 +211,40 @@ const DocumentListContainer = forwardRef<DocumentListRef, DocumentListProps>(
     const [selectedModel, setSelectedModel] = useState<number>(0);
     const [availableModels, setAvailableModels] = useState<ModelOption[]>([]);
     const [isLoadingModels, setIsLoadingModels] = useState(false);
-    const {} = useKnowledgeBaseContext();
     const { t } = useTranslation();
     const isDataMate = (knowledgeBaseSource || "").toLowerCase() === "datamate";
 
+    // Permission options with icons shown inside dropdown
+    const permissionOptions = [
+      {
+        value: "EDIT",
+        label: (
+          <span className="flex items-center gap-2">
+            {getPermissionIcon("EDIT")}
+            <span>{t("tenantResources.knowledgeBase.permission.EDIT")}</span>
+          </span>
+        ),
+      },
+      {
+        value: "READ_ONLY",
+        label: (
+          <span className="flex items-center gap-2">
+            {getPermissionIcon("READ_ONLY")}
+            <span>{t("tenantResources.knowledgeBase.permission.READ_ONLY")}</span>
+          </span>
+        ),
+      },
+      {
+        value: "PRIVATE",
+        label: (
+          <span className="flex items-center gap-2">
+            {getPermissionIcon("PRIVATE")}
+            <span>{t("tenantResources.knowledgeBase.permission.PRIVATE")}</span>
+          </span>
+        ),
+      },
+    ];
+
     // Reset showDetail and showChunk state when knowledge base name changes
     React.useEffect(() => {
       setShowDetail(false);
@@ -175,6 +252,23 @@ const DocumentListContainer = forwardRef<DocumentListRef, DocumentListProps>(
       setSummary("");
     }, [knowledgeBaseName]);
 
+    // Initialize default group ID when entering create mode
+    React.useEffect(() => {
+      if (isCreatingMode && tenantId && onSelectedGroupIdsChange) {
+        const initDefaultGroup = async () => {
+          try {
+            const defaultGroupId = await getTenantDefaultGroupId(tenantId);
+            if (defaultGroupId) {
+              onSelectedGroupIdsChange([defaultGroupId]);
+            }
+          } catch (error) {
+            log.error("Failed to get tenant default group:", error);
+          }
+        };
+        initDefaultGroup();
+      }
+    }, [isCreatingMode, tenantId]);
+
     // Load available models when showing detail
     useEffect(() => {
       const loadModels = async () => {
@@ -347,39 +441,47 @@ const DocumentListContainer = forwardRef<DocumentListRef, DocumentListProps>(
         <div
           className={`${LAYOUT.KB_HEADER_PADDING} border-b border-gray-200 flex-shrink-0 flex items-center ${titleBarHeightClass}`}
         >
-          <div className="flex items-center justify-between w-full">
-            <div className="flex items-center">
+          <div className="flex items-center justify-between w-full" style={{ width: "100%" }}>
+            <div className="flex items-center" style={{width: "100%"}}>
               {isCreatingMode ? (
-                false ? (
-                  <div className="flex items-center">
-                    <span className="text-blue-600 mr-2">📚</span>
-                    <h3
-                      className={`${LAYOUT.KB_TITLE_MARGIN} ${LAYOUT.KB_TITLE_SIZE} font-semibold text-gray-800`}
-                    >
-                      {knowledgeBaseName}
-                    </h3>
-                    {isUploading && (
-                      <div className="ml-3 px-2 py-0.5 bg-blue-50 text-blue-600 text-xs font-medium rounded-md border border-blue-100">
-                        {t("document.status.creating")}
-                      </div>
-                    )}
-                  </div>
-                ) : (
+                <div className="flex items-center flex-1" style={{ width: "100%" }}>
                   <Input
                     value={knowledgeBaseName}
                     onChange={(e) =>
                       onNameChange && onNameChange(e.target.value)
                     }
                     placeholder={t("document.input.knowledgeBaseName")}
-                    className={`${LAYOUT.KB_TITLE_MARGIN} w-[320px] font-medium my-[2px]`}
+                    className={`${LAYOUT.KB_TITLE_MARGIN} w-[240px] font-medium my-[2px]`}
                     size="large"
                     prefix={<span className="text-blue-600">📚</span>}
                     autoFocus
                     disabled={
                       hasDocuments || isUploading || docState.isLoadingDocuments
-                    } // Disable editing name if there are documents or uploading
+                    }
                   />
-                )
+                  {/* Right-aligned container for dropdowns */}
+                  <div className="flex items-center ml-auto justify-end" style={{ gap: "12px", justifyContent: "flex-end", alignItems: "flex-end", width: "100%" }}>
+                    {/* User groups multi-select - first position */}
+                    <Select
+                      mode="multiple"
+                      value={selectedGroupIds}
+                      onChange={onSelectedGroupIdsChange}
+                      style={{ minWidth: 200, justifyContent: "center", alignItems: "flex-end" }}
+                      placeholder={t("knowledgeBase.create.permission.groupPlaceholder")}
+                      options={groupOptions}
+                      maxTagCount={2}
+                      allowClear
+                    />
+                    {/* Group permission dropdown - second position */}
+                    <Select
+                      value={ingroupPermission}
+                      onChange={onIngroupPermissionChange}
+                      style={{ width: 160, justifyContent: "center", alignItems: "flex-end" }}
+                      placeholder={t("knowledgeBase.ingroup.permission.DEFAULT")}
+                      options={permissionOptions}
+                    />
+                  </div>
+                </div>
               ) : (
                 <h3
                   className={`${LAYOUT.KB_TITLE_MARGIN} ${LAYOUT.KB_TITLE_SIZE} font-semibold text-blue-500 flex items-center`}
@@ -464,6 +566,7 @@ const DocumentListContainer = forwardRef<DocumentListRef, DocumentListProps>(
                 getFileIcon={getFileIcon}
                 currentEmbeddingModel={currentModel}
                 knowledgeBaseEmbeddingModel={knowledgeBaseModel}
+                onChunkCountChange={onChunkCountChange}
               />
             </div>
           ) : showDetail ? (
diff --git a/frontend/app/[locale]/knowledges/components/knowledge/KnowledgeBaseEditModal.tsx b/frontend/app/[locale]/knowledges/components/knowledge/KnowledgeBaseEditModal.tsx
new file mode 100644
index 000000000..b2ac36577
--- /dev/null
+++ b/frontend/app/[locale]/knowledges/components/knowledge/KnowledgeBaseEditModal.tsx
@@ -0,0 +1,128 @@
+"use client";
+
+import React from "react";
+import { useTranslation } from "react-i18next";
+import { Modal, Form, Input, Select, message } from "antd";
+import { useGroupList } from "@/hooks/group/useGroupList";
+import { Can } from "@/components/permission/Can";
+import knowledgeBaseService from "@/services/knowledgeBaseService";
+import knowledgeBasePollingService from "@/services/knowledgeBasePollingService";
+import { KnowledgeBase } from "@/types/knowledgeBase";
+
+interface KnowledgeBaseEditModalProps {
+  open: boolean;
+  knowledgeBase: KnowledgeBase | null;
+  tenantId: string | null;
+  onCancel: () => void;
+  onSuccess: () => void;
+}
+
+export function KnowledgeBaseEditModal({
+  open,
+  knowledgeBase,
+  tenantId,
+  onCancel,
+  onSuccess,
+}: KnowledgeBaseEditModalProps) {
+  const { t } = useTranslation("common");
+  const [form] = Form.useForm();
+
+  // Fetch groups for group selection
+  const { data: groupData } = useGroupList(tenantId, 1, 100);
+  const groups = groupData?.groups || [];
+
+  // Reset form when knowledge base changes
+  React.useEffect(() => {
+    if (knowledgeBase && open) {
+      form.setFieldsValue({
+        knowledge_name: knowledgeBase.name,
+        ingroup_permission: knowledgeBase.ingroup_permission || "READ_ONLY",
+        group_ids: knowledgeBase.group_ids || [],
+      });
+    }
+  }, [knowledgeBase, open, form]);
+
+  // Handle form submission
+  const handleSubmit = async () => {
+    try {
+      const values = await form.validateFields();
+
+      if (!knowledgeBase) return;
+
+      await knowledgeBaseService.updateKnowledgeBase(knowledgeBase.id, {
+        knowledge_name: values.knowledge_name,
+        ingroup_permission: values.ingroup_permission,
+        group_ids: values.group_ids,
+      });
+
+      message.success(t("tenantResources.knowledgeBase.updated"));
+
+      // Trigger knowledge base list refresh to seamlessly update UI
+      knowledgeBasePollingService.triggerKnowledgeBaseListUpdate(true);
+
+      onSuccess();
+      onCancel();
+    } catch (error: any) {
+      if (error.errorFields) {
+        return; // Form validation error
+      }
+      message.error(error.message || t("tenantResources.knowledgeBase.updateFailed"));
+    }
+  };
+
+  return (
+    <Modal
+      title={t("tenantResources.knowledgeBase.edit")}
+      open={open}
+      onOk={handleSubmit}
+      onCancel={onCancel}
+      okText={t("common.confirm")}
+      cancelText={t("common.cancel")}
+      width={500}
+    >
+      <Form form={form} layout="vertical">
+        <Form.Item
+          name="knowledge_name"
+          label={t("common.name")}
+          rules={[
+            { required: true, message: t("tenantResources.knowledgeBase.nameRequired") },
+          ]}
+        >
+          <Input placeholder={t("tenantResources.knowledgeBase.enterName")} />
+        </Form.Item>
+
+        <Can permission="kb.groups:read">
+          <Form.Item
+            name="ingroup_permission"
+            label={t("tenantResources.knowledgeBase.permission")}
+            rules={[
+              { required: true, message: t("tenantResources.knowledgeBase.permissionRequired") },
+            ]}
+          >
+            <Select
+              placeholder={t("tenantResources.knowledgeBase.permission")}
+              options={[
+                { value: "EDIT", label: t("tenantResources.knowledgeBase.permission.EDIT") },
+                { value: "READ_ONLY", label: t("tenantResources.knowledgeBase.permission.READ_ONLY") },
+                { value: "PRIVATE", label: t("tenantResources.knowledgeBase.permission.PRIVATE") },
+              ]}
+            />
+          </Form.Item>
+        </Can>
+
+        <Can permission="group:read">
+          <Form.Item name="group_ids" label={t("tenantResources.knowledgeBase.groupNames")}>
+            <Select
+              mode="multiple"
+              placeholder={t("tenantResources.knowledgeBase.groupNames")}
+              options={groups.map((group) => ({
+                label: group.group_name,
+                value: group.group_id,
+              }))}
+            />
+          </Form.Item>
+        </Can>
+      </Form>
+    </Modal>
+  );
+}
diff --git a/frontend/app/[locale]/knowledges/components/knowledge/KnowledgeBaseList.tsx b/frontend/app/[locale]/knowledges/components/knowledge/KnowledgeBaseList.tsx
index 86f3605d7..6f2791210 100644
--- a/frontend/app/[locale]/knowledges/components/knowledge/KnowledgeBaseList.tsx
+++ b/frontend/app/[locale]/knowledges/components/knowledge/KnowledgeBaseList.tsx
@@ -1,7 +1,9 @@
 import React, { useState, useMemo } from "react";
 import { useTranslation } from "react-i18next";
 
-import { Button, Checkbox, ConfigProvider, Input, Select, Space } from "antd";
+import log from "@/lib/logger";
+
+import { Button, Input, Select } from "antd";
 import {
   SyncOutlined,
   PlusOutlined,
@@ -9,56 +11,35 @@ import {
   SearchOutlined,
   FilterOutlined,
 } from "@ant-design/icons";
+import {
+  PencilRuler,
+  Eye,
+  Glasses,
+  Trash2,
+  SquarePen,
+  CircleOff,
+} from "lucide-react";
+import { Tooltip } from "@/components/ui/tooltip";
+import { Can } from "@/components/permission/Can";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
+import { useGroupList } from "@/hooks/group/useGroupList";
+import { KnowledgeBaseEditModal } from "./KnowledgeBaseEditModal";
 
 import { KnowledgeBase } from "@/types/knowledgeBase";
-
-// Knowledge base layout constants configuration
-const KB_LAYOUT = {
-  // Knowledge base row height configuration
-  ROW_PADDING: "py-4", // Row vertical padding
-  HEADER_PADDING: "p-3", // List header padding
-  BUTTON_PADDING: "p-2", // Create button area padding
-  TAG_SPACING: "gap-0.5", // Spacing between tags
-  TAG_MARGIN: "mt-2.5", // Tag container top margin
-  // Tag related configuration
-  TAG_PADDING: "px-1.5 py-0.5", // Tag padding
-  TAG_TEXT: "text-xs font-medium", // Tag text style
-  TAG_ROUNDED: "rounded-md", // Tag rounded corners
-  // Line break related configuration
-  TAG_BREAK_HEIGHT: "h-0.5", // Line break interval height
-  SECOND_ROW_TAG_MARGIN: "mt-0.5", // Second row tag top margin
-  // Other layout configuration
-  TITLE_MARGIN: "ml-2", // Title left margin
-  EMPTY_STATE_PADDING: "py-4", // Empty state padding
-  // Title related configuration
-  TITLE_TEXT: "text-xl font-bold", // Title text style
-  KB_NAME_TEXT: "text-lg font-medium", // Knowledge base name text style
-  // Knowledge base name configuration
-  KB_NAME_MAX_WIDTH: "220px", // Knowledge base name max width
-  KB_NAME_OVERFLOW: {
-    // Knowledge base name overflow style
-    textOverflow: "ellipsis",
-    whiteSpace: "nowrap",
-    overflow: "hidden",
-    display: "block",
-  },
-};
+import { KB_LAYOUT, KB_TAG_VARIANTS } from "@/const/knowledgeBaseLayout";
 
 interface KnowledgeBaseListProps {
   knowledgeBases: KnowledgeBase[];
-  selectedIds: string[];
   activeKnowledgeBase: KnowledgeBase | null;
   currentEmbeddingModel: string | null;
   isLoading?: boolean;
   syncLoading?: boolean;
-  onSelect: (id: string) => void;
   onClick: (kb: KnowledgeBase) => void;
   onDelete: (id: string) => void;
   onSync: () => void;
   onCreateNew: () => void;
   onDataMateConfig?: () => void;
   showDataMateConfig?: boolean; // Control whether to show DataMate config button
-  isSelectable: (kb: KnowledgeBase) => boolean;
   getModelDisplayName: (modelId: string) => string;
   containerHeight?: string; // Container total height, consistent with DocumentList
   onKnowledgeBaseChange?: () => void; // New: callback function when knowledge base switches
@@ -73,19 +54,16 @@ interface KnowledgeBaseListProps {
 
 const KnowledgeBaseList: React.FC<KnowledgeBaseListProps> = ({
   knowledgeBases,
-  selectedIds,
   activeKnowledgeBase,
   currentEmbeddingModel,
   isLoading = false,
   syncLoading = false,
-  onSelect,
   onClick,
   onDelete,
   onSync,
   onCreateNew,
   onDataMateConfig,
   showDataMateConfig = false,
-  isSelectable,
   getModelDisplayName,
   containerHeight = "70vh", // Default container height consistent with DocumentList
   onKnowledgeBaseChange, // New: callback function when knowledge base switches
@@ -98,11 +76,77 @@ const KnowledgeBaseList: React.FC<KnowledgeBaseListProps> = ({
 }) => {
   const { t } = useTranslation();
 
+  // Get user info for tenant ID
+  const { user } = useAuthorizationContext();
+  const tenantId = user?.tenantId || null;
+
+  // Fetch groups for group name mapping
+  const { data: groupData } = useGroupList(tenantId, 1, 100);
+  const groups = groupData?.groups || [];
+
+  // Create group name mapping from group_id to group_name
+  const groupNameMap = useMemo(() => {
+    const map = new Map<number, string>();
+    groups.forEach((group) => {
+      map.set(group.group_id, group.group_name);
+    });
+    return map;
+  }, [groups]);
+
+  // Get group names for knowledge base
+  const getGroupNames = (groupIds?: number[]) => {
+    if (!groupIds || groupIds.length === 0) return [];
+    return groupIds
+      .map((id) => groupNameMap.get(id))
+      .filter((name): name is string => !!name);
+  };
+
+  // Get permission icon based on ingroup_permission type
+  const getPermissionIcon = (permission: string) => {
+    const iconProps = {
+      size: 14,
+      className: "text-gray-500",
+    };
+
+    switch (permission) {
+      case "EDIT":
+        return <PencilRuler {...iconProps} />;
+      case "READ_ONLY":
+        return <Eye {...iconProps} />;
+      case "PRIVATE":
+        return <Glasses {...iconProps} />;
+      default:
+        return <CircleOff {...iconProps} />;
+    }
+  };
+
+  // Get permission tooltip key
+  const getPermissionTooltipKey = (permission: string) => {
+    return `knowledgeBase.ingroup.permission.${permission || "DEFAULT"}`;
+  };
+
   // Search and filter states
   const [searchKeyword, setSearchKeyword] = useState("");
   const [selectedSources, setSelectedSources] = useState<string[]>([]);
   const [selectedModels, setSelectedModels] = useState<string[]>([]);
 
+  // Edit modal states
+  const [editModalVisible, setEditModalVisible] = useState(false);
+  const [editingKnowledge, setEditingKnowledge] =
+    useState<KnowledgeBase | null>(null);
+
+  // Open edit modal
+  const openEditModal = (kb: KnowledgeBase) => {
+    setEditingKnowledge(kb);
+    setEditModalVisible(true);
+  };
+
+  // Close edit modal
+  const closeEditModal = () => {
+    setEditModalVisible(false);
+    setEditingKnowledge(null);
+  };
+
   // Effective (controlled or uncontrolled) values
   const effectiveSearchKeyword =
     typeof searchQuery !== "undefined" ? searchQuery : searchKeyword;
@@ -186,16 +230,25 @@ const KnowledgeBaseList: React.FC<KnowledgeBaseListProps> = ({
 
   // Filter knowledge bases based on search and filters
   const filteredKnowledgeBases = useMemo(() => {
-    return sortedKnowledgeBases.filter((kb) => {
+    log.log("Filtering knowledge bases:", {
+      totalCount: knowledgeBases.length,
+      searchKeyword: effectiveSearchKeyword,
+      sourceFilter: effectiveSelectedSources,
+      modelFilter: effectiveSelectedModels,
+    });
+
+    const result = sortedKnowledgeBases.filter((kb) => {
       // Keyword search: match name, description, or nickname
       const keyword = effectiveSearchKeyword || "";
+      const kbName = kb.name || "";
+      const kbDescription = kb.description || "";
+      const kbNickname = kb.nickname || "";
+
       const matchesSearch =
         !keyword ||
-        kb.name.toLowerCase().includes(keyword.toLowerCase()) ||
-        (kb.description &&
-          kb.description.toLowerCase().includes(keyword.toLowerCase())) ||
-        (kb.nickname &&
-          kb.nickname.toLowerCase().includes(keyword.toLowerCase()));
+        kbName.toLowerCase().includes(keyword.toLowerCase()) ||
+        kbDescription.toLowerCase().includes(keyword.toLowerCase()) ||
+        kbNickname.toLowerCase().includes(keyword.toLowerCase());
 
       // Source filter
       const matchesSource =
@@ -207,8 +260,24 @@ const KnowledgeBaseList: React.FC<KnowledgeBaseListProps> = ({
         effectiveSelectedModels.length === 0 ||
         effectiveSelectedModels.includes(kb.embeddingModel);
 
-      return matchesSearch && matchesSource && matchesModel;
+      const matches = matchesSearch && matchesSource && matchesModel;
+
+      if (!matches) {
+        log.log("KB filtered out:", {
+          name: kb.name,
+          source: kb.source,
+          embeddingModel: kb.embeddingModel,
+          matchesSearch,
+          matchesSource,
+          matchesModel,
+        });
+      }
+
+      return matches;
     });
+
+    log.log("Filtered result:", result.length, "items");
+    return result;
   }, [
     sortedKnowledgeBases,
     effectiveSearchKeyword,
@@ -351,67 +420,11 @@ const KnowledgeBaseList: React.FC<KnowledgeBaseListProps> = ({
         </div>
       </div>
 
-      {/* Fixed selection status area */}
-      <div className="border-b border-gray-200 shrink-0 relative z-10 shadow-md">
-        <div className="px-5 py-2 bg-blue-50">
-          <div className="flex items-center">
-            <span className="font-medium text-blue-700">
-              {t("knowledgeBase.selected.prefix")}{" "}
-            </span>
-            <span className="mx-1 text-blue-600 font-bold text-lg">
-              {selectedIds.length}
-            </span>
-            <span className="font-medium text-blue-700">
-              {t("knowledgeBase.selected.suffix")}
-            </span>
-          </div>
-
-          {selectedIds.length > 0 && (
-            <div className="flex flex-wrap gap-1.5 mt-2 mb-1">
-              {selectedIds.map((id) => {
-                const kb = knowledgeBases.find((kb) => kb.id === id);
-                return kb ? (
-                  <span
-                    key={id}
-                    className="inline-flex items-center justify-center bg-blue-100 text-blue-800 rounded text-sm font-medium group"
-                    style={{ maxWidth: "fit-content", padding: "2px 6px" }}
-                  >
-                    <span
-                      className="truncate"
-                      style={{
-                        maxWidth: "150px",
-                        ...KB_LAYOUT.KB_NAME_OVERFLOW,
-                      }}
-                      title={kb.name}
-                    >
-                      {kb.name}
-                    </span>
-                    <button
-                      className="ml-1.5 text-blue-600 hover:text-blue-800 flex-shrink-0 text-sm leading-none"
-                      onClick={() => onSelect(id)}
-                      aria-label={t("knowledgeBase.button.removeKb", {
-                        name: kb.name,
-                      })}
-                    >
-                      ×
-                    </button>
-                  </span>
-                ) : null;
-              })}
-            </div>
-          )}
-        </div>
-      </div>
-
-      {/* Scrollable knowledge base list area */}
       <div className="flex-1 overflow-y-auto overflow-x-hidden">
         {filteredKnowledgeBases.length > 0 ? (
           <div className="divide-y-0">
             {filteredKnowledgeBases.map((kb, index) => {
-              const canSelect = isSelectable(kb);
-              const isSelected = selectedIds.includes(kb.id);
               const isActive = activeKnowledgeBase?.id === kb.id;
-              const isMismatchedAndSelected = isSelected && !canSelect;
 
               return (
                 <div
@@ -435,79 +448,74 @@ const KnowledgeBaseList: React.FC<KnowledgeBaseListProps> = ({
                   }}
                 >
                   <div className="flex items-start">
-                    <div className="flex-shrink-0">
-                      <div
-                        className="px-2"
-                        onClick={(e) => {
-                          e.stopPropagation();
-                          if (canSelect || isSelected) {
-                            onSelect(kb.id);
-                          }
-                        }}
-                        style={{
-                          minWidth: "40px",
-                          minHeight: "40px",
-                          display: "flex",
-                          alignItems: "flex-start",
-                          justifyContent: "center",
-                        }}
-                      >
-                        <ConfigProvider
-                          theme={{
-                            token: {
-                              // If selected with model mismatch, use light blue, otherwise default blue
-                              colorPrimary: isMismatchedAndSelected
-                                ? "#90caf9"
-                                : "#1677ff",
-                            },
-                          }}
-                        >
-                          <Checkbox
-                            checked={isSelected}
-                            onChange={(e) => {
-                              e.stopPropagation();
-                              onSelect(kb.id);
-                            }}
-                            disabled={!canSelect && !isSelected}
-                            style={{
-                              cursor:
-                                canSelect || isSelected
-                                  ? "pointer"
-                                  : "not-allowed",
-                              transform: "scale(1.5)",
-                            }}
-                          />
-                        </ConfigProvider>
-                      </div>
-                    </div>
                     <div className="flex-1 min-w-0">
                       <div className="flex items-center justify-between">
-                        <p
-                          className="text-base font-medium text-gray-800 truncate"
-                          style={{
-                            maxWidth: KB_LAYOUT.KB_NAME_MAX_WIDTH,
-                            ...KB_LAYOUT.KB_NAME_OVERFLOW,
-                          }}
-                          title={kb.name}
-                        >
-                          {kb.name}
-                        </p>
-                        <button
-                          className="text-red-500 hover:text-red-700 text-xs font-medium ml-2"
-                          onClick={(e) => {
-                            e.stopPropagation();
-                            onDelete(kb.id);
-                          }}
-                        >
-                          {t("common.delete")}
-                        </button>
+                        <div className="flex items-center flex-1 min-w-0">
+                          <p
+                            className="text-base font-medium text-gray-800 truncate"
+                            style={{
+                              maxWidth: KB_LAYOUT.KB_NAME_MAX_WIDTH,
+                              ...KB_LAYOUT.KB_NAME_OVERFLOW,
+                            }}
+                            title={kb.name}
+                          >
+                            {kb.name}
+                          </p>
+                          {/* Permission icon with tooltip */}
+                          <Can permission="kb.groups:read">
+                            <Tooltip
+                              title={t(getPermissionTooltipKey(kb.ingroup_permission || ""))}
+                              placement="top"
+                            >
+                              <div className="ml-3 flex-shrink-0 cursor-pointer">
+                                <div className="flex items-center justify-center w-5 h-5 rounded-full bg-gray-200 hover:bg-gray-300 transition-all duration-200 hover:shadow-sm">
+                                  {getPermissionIcon(kb.ingroup_permission || "")}
+                                </div>
+                              </div>
+                            </Tooltip>
+                          </Can>
+                        </div>
+                          <div className="flex items-center ml-2">
+                          <Can permission="kb:update">
+                            {/* Edit button - only show for Nexent (local) sources */}
+                            {(!kb.source || kb.source === "nexent" || kb.source === "elasticsearch") && (
+                              <Tooltip title={t("common.edit")}>
+                                <Button
+                                  type="text"
+                                  icon={<SquarePen className="h-4 w-4" />}
+                                  onClick={(e) => {
+                                    e.stopPropagation();
+                                    openEditModal(kb);
+                                  }}
+                                  size="small"
+                                />
+                              </Tooltip>
+                            )}
+                            </Can>
+                          <Can permission="kb:delete">
+                              {/* Delete button */}
+                              <Tooltip title={t("common.delete")}>
+                                <Button
+                                  type="text"
+                                  danger
+                                  icon={<Trash2 className="h-4 w-4" />}
+                                  onClick={(e) => {
+                                    e.stopPropagation();
+                                    onDelete(kb.id);
+                                  }}
+                                  size="small"
+                                />
+                              </Tooltip>
+                            </Can>
+                          </div>
+
                       </div>
                       <div
                         className={`flex flex-wrap items-center ${KB_LAYOUT.TAG_MARGIN} ${KB_LAYOUT.TAG_SPACING}`}
                       >
                         {/* Document count tag */}
                         <span
-                          className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} bg-gray-200 text-gray-800 border border-gray-200 mr-1`}
+                          className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} ${KB_TAG_VARIANTS.light} mr-1`}
                         >
                           {t("knowledgeBase.tag.documents", {
                             count: kb.documentCount || 0,
@@ -516,7 +524,7 @@ const KnowledgeBaseList: React.FC<KnowledgeBaseListProps> = ({
 
                         {/* Chunk count tag */}
                         <span
-                          className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} bg-gray-200 text-gray-800 border border-gray-200 mr-1`}
+                          className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} ${KB_TAG_VARIANTS.light} mr-1`}
                         >
                           {t("knowledgeBase.tag.chunks", {
                             count: kb.chunkCount || 0,
@@ -525,7 +533,7 @@ const KnowledgeBaseList: React.FC<KnowledgeBaseListProps> = ({
 
                         {/* Always show source tag regardless of document/chunk count */}
                         <span
-                          className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} bg-gray-200 text-gray-800 border border-gray-200 mr-1`}
+                          className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} ${KB_TAG_VARIANTS.light} mr-1`}
                         >
                           {t("knowledgeBase.tag.source", {
                             source: kb.source,
@@ -538,7 +546,7 @@ const KnowledgeBaseList: React.FC<KnowledgeBaseListProps> = ({
                           <>
                             {/* Creation date tag - only show date */}
                             <span
-                              className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} bg-gray-200 text-gray-800 border border-gray-200 mr-1`}
+                              className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} ${KB_TAG_VARIANTS.light} mr-1`}
                             >
                               {t("knowledgeBase.tag.createdAt", {
                                 date: formatDate(kb.createdAt),
@@ -553,7 +561,7 @@ const KnowledgeBaseList: React.FC<KnowledgeBaseListProps> = ({
                             {/* Model tag - only show when model is not "unknown" */}
                             {kb.embeddingModel !== "unknown" && (
                               <span
-                                className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} ${KB_LAYOUT.SECOND_ROW_TAG_MARGIN} bg-green-100 text-green-800 border border-green-200 mr-1`}
+                                className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} ${KB_LAYOUT.SECOND_ROW_TAG_MARGIN} ${KB_TAG_VARIANTS.model} mr-1`}
                               >
                                 {t("knowledgeBase.tag.model", {
                                   model: getModelDisplayName(kb.embeddingModel),
@@ -564,11 +572,23 @@ const KnowledgeBaseList: React.FC<KnowledgeBaseListProps> = ({
                               kb.embeddingModel !== currentEmbeddingModel &&
                               kb.source !== "datamate" && (
                                 <span
-                                  className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} ${KB_LAYOUT.SECOND_ROW_TAG_MARGIN} bg-yellow-100 text-yellow-800 border border-yellow-200 mr-1`}
+                                  className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} ${KB_LAYOUT.SECOND_ROW_TAG_MARGIN} ${KB_TAG_VARIANTS.warning} mr-1`}
                                 >
                                   {t("knowledgeBase.tag.modelMismatch")}
                                 </span>
                               )}
+
+                            {/* User group tags */}
+                            <Can permission="group:read">
+                              {getGroupNames(kb.group_ids).map((groupName, idx) => (
+                                <span
+                                  key={idx}
+                                  className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} ${KB_LAYOUT.SECOND_ROW_TAG_MARGIN} bg-blue-100 text-blue-800 border border-blue-200 mr-1`}
+                                >
+                                  {groupName}
+                                </span>
+                              ))}
+                            </Can>
                           </>
                         )}
                       </div>
@@ -590,6 +610,15 @@ const KnowledgeBaseList: React.FC<KnowledgeBaseListProps> = ({
           </div>
         )}
       </div>
+
+      {/* Edit Knowledge Base Modal */}
+      <KnowledgeBaseEditModal
+        open={editModalVisible}
+        knowledgeBase={editingKnowledge}
+        tenantId={tenantId}
+        onCancel={closeEditModal}
+        onSuccess={() => {}}
+      />
     </div>
   );
 };
diff --git a/frontend/app/[locale]/knowledges/contexts/KnowledgeBaseContext.tsx b/frontend/app/[locale]/knowledges/contexts/KnowledgeBaseContext.tsx
index d96c8fa33..a9dbd2daa 100644
--- a/frontend/app/[locale]/knowledges/contexts/KnowledgeBaseContext.tsx
+++ b/frontend/app/[locale]/knowledges/contexts/KnowledgeBaseContext.tsx
@@ -12,12 +12,12 @@ import {
 import { useTranslation } from "react-i18next";
 
 import knowledgeBaseService from "@/services/knowledgeBaseService";
-import { userConfigService } from "@/services/userConfigService";
 
 import {
   KnowledgeBase,
   KnowledgeBaseState,
   KnowledgeBaseAction,
+  DataMateSyncError,
 } from "@/types/knowledgeBase";
 import { KNOWLEDGE_BASE_ACTION_TYPES } from "@/const/knowledgeBase";
 
@@ -81,6 +81,11 @@ const knowledgeBaseReducer = (
         ...state,
         syncLoading: action.payload,
       };
+    case KNOWLEDGE_BASE_ACTION_TYPES.SET_DATA_MATE_SYNC_ERROR:
+      return {
+        ...state,
+        dataMateSyncError: action.payload,
+      };
     case KNOWLEDGE_BASE_ACTION_TYPES.ERROR:
       return {
         ...state,
@@ -102,7 +107,9 @@ export const KnowledgeBaseContext = createContext<{
   createKnowledgeBase: (
     name: string,
     description: string,
-    source?: string
+    source?: string,
+    ingroup_permission?: string,
+    group_ids?: number[]
   ) => Promise<KnowledgeBase | null>;
   deleteKnowledgeBase: (id: string) => Promise<boolean>;
   selectKnowledgeBase: (id: string) => void;
@@ -111,8 +118,6 @@ export const KnowledgeBaseContext = createContext<{
   hasKnowledgeBaseModelMismatch: (kb: KnowledgeBase) => boolean;
   refreshKnowledgeBaseData: (forceRefresh?: boolean) => Promise<void>;
   refreshKnowledgeBaseDataWithDataMate: () => Promise<void>;
-  loadUserSelectedKnowledgeBases: () => Promise<void>;
-  saveUserSelectedKnowledgeBases: () => Promise<boolean>;
 }>({
   state: {
     knowledgeBases: [],
@@ -133,8 +138,6 @@ export const KnowledgeBaseContext = createContext<{
   hasKnowledgeBaseModelMismatch: () => false,
   refreshKnowledgeBaseData: async () => {},
   refreshKnowledgeBaseDataWithDataMate: async () => {},
-  loadUserSelectedKnowledgeBases: async () => {},
-  saveUserSelectedKnowledgeBases: async () => false,
 });
 
 // Custom hook for using the context
@@ -157,6 +160,7 @@ export const KnowledgeBaseProvider: React.FC<KnowledgeBaseProviderProps> = ({
     isLoading: false,
     syncLoading: false,
     error: null,
+    dataMateSyncError: undefined,
   });
 
   // Check if knowledge base is selectable - memoized with useCallback
@@ -205,49 +209,6 @@ export const KnowledgeBaseProvider: React.FC<KnowledgeBaseProviderProps> = ({
     [state.currentEmbeddingModel]
   );
 
-  // Load user selected knowledge bases from backend
-  const loadUserSelectedKnowledgeBases = useCallback(async () => {
-    try {
-      const userConfig = await userConfigService.loadKnowledgeList();
-      if (userConfig) {
-        let allSelectedNames: string[] = [];
-
-        // Handle new format (selectedKbNames array)
-        if (
-          userConfig.selectedKbNames &&
-          userConfig.selectedKbNames.length > 0
-        ) {
-          allSelectedNames = userConfig.selectedKbNames;
-        }
-        // Fallback to legacy grouped format for backward compatibility
-        else if (userConfig.nexent || userConfig.datamate) {
-          allSelectedNames = [
-            ...(userConfig.nexent || []),
-            ...(userConfig.datamate || []),
-          ];
-        }
-
-        if (allSelectedNames.length > 0) {
-          // Find matching knowledge base IDs based on index names
-          const selectedIds = state.knowledgeBases
-            .filter((kb) => allSelectedNames.includes(kb.id))
-            .map((kb) => kb.id);
-
-          dispatch({
-            type: KNOWLEDGE_BASE_ACTION_TYPES.SELECT_KNOWLEDGE_BASE,
-            payload: selectedIds,
-          });
-        }
-      }
-    } catch (error) {
-      log.error(t("knowledgeBase.error.loadSelected"), error);
-      dispatch({
-        type: KNOWLEDGE_BASE_ACTION_TYPES.ERROR,
-        payload: t("knowledgeBase.error.loadSelectedRetry"),
-      });
-    }
-  }, [state.knowledgeBases]);
-
   // Load knowledge base data (supports force fetch from server and load selected status) - optimized with useCallback
   const fetchKnowledgeBases = useCallback(
     async (
@@ -261,27 +222,42 @@ export const KnowledgeBaseProvider: React.FC<KnowledgeBaseProviderProps> = ({
       }
 
       dispatch({ type: KNOWLEDGE_BASE_ACTION_TYPES.LOADING, payload: true });
+      // Clear previous DataMate sync error
+      dispatch({
+        type: KNOWLEDGE_BASE_ACTION_TYPES.SET_DATA_MATE_SYNC_ERROR,
+        payload: undefined,
+      });
       try {
         // Clear possible cache interference
         localStorage.removeItem("preloaded_kb_data");
         localStorage.removeItem("kb_cache");
 
         // Get knowledge base list data directly from server
-        const kbs = await knowledgeBaseService.getKnowledgeBasesInfo(
+        const result = await knowledgeBaseService.getKnowledgeBasesInfo(
           skipHealthCheck,
           includeDataMateSync
         );
 
         dispatch({
           type: KNOWLEDGE_BASE_ACTION_TYPES.FETCH_SUCCESS,
-          payload: kbs,
+          payload: result.knowledgeBases,
         });
 
-        // After loading knowledge bases, automatically load user's selected knowledge bases if requested
-        if (shouldLoadSelected && kbs.length > 0) {
-          await loadUserSelectedKnowledgeBases();
+        // Set DataMate sync error if present and throw to trigger error handling
+        if (result.dataMateSyncError) {
+          dispatch({
+            type: KNOWLEDGE_BASE_ACTION_TYPES.SET_DATA_MATE_SYNC_ERROR,
+            payload: result.dataMateSyncError,
+          });
+          // Throw DataMateSyncError to signal failure to the caller
+          throw new DataMateSyncError(result.dataMateSyncError);
         }
       } catch (error) {
+        // Check if it's a DataMate sync error
+        if (error instanceof DataMateSyncError) {
+          // Re-throw DataMateSyncError to be handled by the caller
+          throw error;
+        }
         log.error(t("knowledgeBase.error.fetchList"), error);
         dispatch({
           type: KNOWLEDGE_BASE_ACTION_TYPES.ERROR,
@@ -291,7 +267,7 @@ export const KnowledgeBaseProvider: React.FC<KnowledgeBaseProviderProps> = ({
         dispatch({ type: KNOWLEDGE_BASE_ACTION_TYPES.LOADING, payload: false });
       }
     },
-    [state.isLoading, t, loadUserSelectedKnowledgeBases]
+    [state.isLoading, t]
   );
 
   // Select knowledge base - memoized with useCallback
@@ -335,7 +311,9 @@ export const KnowledgeBaseProvider: React.FC<KnowledgeBaseProviderProps> = ({
     async (
       name: string,
       description: string,
-      source: string = "elasticsearch"
+      source: string = "elasticsearch",
+      ingroup_permission?: string,
+      group_ids?: number[]
     ) => {
       try {
         const newKB = await knowledgeBaseService.createKnowledgeBase({
@@ -344,6 +322,8 @@ export const KnowledgeBaseProvider: React.FC<KnowledgeBaseProviderProps> = ({
           source,
           embeddingModel:
             state.currentEmbeddingModel || "text-embedding-3-small",
+          ingroup_permission,
+          group_ids,
         });
         return newKB;
       } catch (error) {
@@ -402,50 +382,29 @@ export const KnowledgeBaseProvider: React.FC<KnowledgeBaseProviderProps> = ({
     [state.knowledgeBases, state.selectedIds, state.activeKnowledgeBase]
   );
 
-  // Save user selected knowledge bases to backend
-  const saveUserSelectedKnowledgeBases = useCallback(async () => {
-    try {
-      // Get selected knowledge bases grouped by source
-      const selectedKnowledgeBases = state.knowledgeBases.filter((kb) =>
-        state.selectedIds.includes(kb.id)
-      );
-
-      // Group knowledge bases by source
-      const knowledgeBySource: { nexent?: string[]; datamate?: string[] } = {};
-      selectedKnowledgeBases.forEach((kb) => {
-        const source = kb.source as keyof typeof knowledgeBySource;
-        if (!knowledgeBySource[source]) {
-          knowledgeBySource[source] = [];
-        }
-        knowledgeBySource[source]!.push(kb.id);
-      });
-
-      const result =
-        await userConfigService.updateKnowledgeList(knowledgeBySource);
-      if (!result) {
-        dispatch({
-          type: KNOWLEDGE_BASE_ACTION_TYPES.ERROR,
-          payload: t("knowledgeBase.error.saveSelected"),
-        });
-        return false;
-      }
-      return true;
-    } catch (error) {
-      log.error(t("knowledgeBase.error.saveSelected"), error);
-      dispatch({
-        type: KNOWLEDGE_BASE_ACTION_TYPES.ERROR,
-        payload: t("knowledgeBase.error.saveSelectedRetry"),
-      });
-      return false;
-    }
-  }, [state.knowledgeBases, state.selectedIds, t]);
-
   // Add a function to refresh the knowledge base data
   const refreshKnowledgeBaseData = useCallback(
     async (forceRefresh = false) => {
       try {
-        // Get latest knowledge base data directly from server, but don't reload user selections, include DataMate sync to prevent DataMate KBs from disappearing
-        await fetchKnowledgeBases(false, false, true);
+        // Directly call service to fetch knowledge base data, bypassing fetchKnowledgeBases
+        // This ensures sync operations always execute even during initial loading
+        const result = await knowledgeBaseService.getKnowledgeBasesInfo(
+          false, // skipHealthCheck
+          true // includeDataMateSync
+        );
+
+        dispatch({
+          type: KNOWLEDGE_BASE_ACTION_TYPES.FETCH_SUCCESS,
+          payload: result.knowledgeBases,
+        });
+
+        // Handle DataMate sync error
+        if (result.dataMateSyncError) {
+          dispatch({
+            type: KNOWLEDGE_BASE_ACTION_TYPES.SET_DATA_MATE_SYNC_ERROR,
+            payload: result.dataMateSyncError,
+          });
+        }
 
         // If there is an active knowledge base, also refresh its document information
         if (state.activeKnowledgeBase) {
@@ -476,15 +435,33 @@ export const KnowledgeBaseProvider: React.FC<KnowledgeBaseProviderProps> = ({
         });
       }
     },
-    [fetchKnowledgeBases, state.activeKnowledgeBase]
+    [state.activeKnowledgeBase]
   );
 
   // Add a function to refresh the knowledge base data with DataMate sync and create records
   const refreshKnowledgeBaseDataWithDataMate = useCallback(async () => {
     try {
-      // Get latest knowledge base data directly from server, which includes DataMate sync
-      // The getKnowledgeBasesInfo method already handles syncDataMateAndCreateRecords internally
-      await fetchKnowledgeBases(false, false, true);
+      // Directly call service to fetch knowledge base data, bypassing fetchKnowledgeBases
+      // This ensures sync operations always execute even during initial loading
+      const result = await knowledgeBaseService.getKnowledgeBasesInfo(
+        false, // skipHealthCheck
+        true // includeDataMateSync
+      );
+
+      dispatch({
+        type: KNOWLEDGE_BASE_ACTION_TYPES.FETCH_SUCCESS,
+        payload: result.knowledgeBases,
+      });
+
+      // Handle DataMate sync error
+      if (result.dataMateSyncError) {
+        dispatch({
+          type: KNOWLEDGE_BASE_ACTION_TYPES.SET_DATA_MATE_SYNC_ERROR,
+          payload: result.dataMateSyncError,
+        });
+        // Throw DataMateSyncError to signal failure to the caller
+        throw new DataMateSyncError(result.dataMateSyncError);
+      }
 
       // If there is an active knowledge base, also refresh its document information
       if (state.activeKnowledgeBase) {
@@ -508,13 +485,17 @@ export const KnowledgeBaseProvider: React.FC<KnowledgeBaseProviderProps> = ({
         }
       }
     } catch (error) {
+      // Check if it's a DataMate sync error - re-throw to be handled by caller
+      if (error instanceof DataMateSyncError) {
+        throw error;
+      }
       log.error("Failed to refresh knowledge base data with DataMate:", error);
       dispatch({
         type: KNOWLEDGE_BASE_ACTION_TYPES.ERROR,
         payload: "Failed to refresh knowledge base data with DataMate",
       });
     }
-  }, [fetchKnowledgeBases, state.activeKnowledgeBase]);
+  }, [state.activeKnowledgeBase]);
 
   // Initial data loading - with optimized dependencies
   useEffect(() => {
@@ -624,8 +605,6 @@ export const KnowledgeBaseProvider: React.FC<KnowledgeBaseProviderProps> = ({
       hasKnowledgeBaseModelMismatch,
       refreshKnowledgeBaseData,
       refreshKnowledgeBaseDataWithDataMate,
-      loadUserSelectedKnowledgeBases,
-      saveUserSelectedKnowledgeBases,
     }),
     [
       state,
@@ -637,8 +616,6 @@ export const KnowledgeBaseProvider: React.FC<KnowledgeBaseProviderProps> = ({
       isKnowledgeBaseSelectable,
       refreshKnowledgeBaseData,
       refreshKnowledgeBaseDataWithDataMate,
-      loadUserSelectedKnowledgeBases,
-      saveUserSelectedKnowledgeBases,
     ]
   );
 
diff --git a/frontend/app/[locale]/knowledges/page.tsx b/frontend/app/[locale]/knowledges/page.tsx
index 835018df3..ee1780307 100644
--- a/frontend/app/[locale]/knowledges/page.tsx
+++ b/frontend/app/[locale]/knowledges/page.tsx
@@ -4,10 +4,13 @@ import React, { useEffect } from "react";
 import { motion } from "framer-motion";
 
 import { useSetupFlow } from "@/hooks/useSetupFlow";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
+import { useDeployment } from "@/components/providers/deploymentProvider";
 import { configService } from "@/services/configService";
 import { configStore } from "@/lib/config";
-import { USER_ROLES } from "@/const/modelConfig";
+import { USER_ROLES } from "@/const/auth";
 import log from "@/lib/logger";
+import knowledgeBaseService from "@/services/knowledgeBaseService";
 
 import DataConfig from "./KnowledgeBaseConfiguration";
 
@@ -16,16 +19,15 @@ import DataConfig from "./KnowledgeBaseConfiguration";
  * Can be used in setup flow or as standalone page
  */
 export default function KnowledgesContent() {
+  // Get user and deployment state from respective hooks
+  const { user } = useAuthorizationContext();
+  const { isSpeedMode } = useDeployment();
+
   // Use custom hook for common setup flow logic
   const {
-    user,
-    isSpeedMode,
     pageVariants,
     pageTransition,
-    canAccessProtectedData,
-  } = useSetupFlow({
-    requireAdmin: false, // Knowledge base accessible to all users
-  });
+  } = useSetupFlow();
 
   // Knowledge base specific initialization
   useEffect(() => {
@@ -36,6 +38,15 @@ export default function KnowledgesContent() {
       })
     );
 
+    // Load knowledge base list from API
+    const loadKnowledgeBaseList = async () => {
+      try {
+        await knowledgeBaseService.getKnowledgeBases(true);
+      } catch (error) {
+        log.error("Failed to load knowledge base list:", error);
+      }
+    };
+
     // Load config for normal user
     const loadConfigForNormalUser = async () => {
       if (!isSpeedMode && user && user.role !== USER_ROLES.ADMIN) {
@@ -48,26 +59,25 @@ export default function KnowledgesContent() {
       }
     };
 
+    loadKnowledgeBaseList();
     loadConfigForNormalUser();
-  }, []);
+  }, [isSpeedMode, user]);
 
   return (
     <>
       <div className="w-full h-full p-8">
-        {canAccessProtectedData ? (
-          <motion.div
-            initial="initial"
-            animate="in"
-            exit="out"
-            variants={pageVariants}
-            transition={pageTransition}
-            style={{ width: "100%", height: "100%" }}
-          >
-            <div className="w-full h-full flex items-center justify-center">
-              <DataConfig isActive={true} />
-            </div>
-          </motion.div>
-        ) : null}
+        <motion.div
+          initial="initial"
+          animate="in"
+          exit="out"
+          variants={pageVariants}
+          transition={pageTransition}
+          style={{ width: "100%", height: "100%" }}
+        >
+          <div className="w-full h-full flex items-center justify-center">
+            <DataConfig isActive={true} />
+          </div>
+        </motion.div>
       </div>
     </>
   );
diff --git a/frontend/app/[locale]/layout.client.tsx b/frontend/app/[locale]/layout.client.tsx
index 6bb748a48..75b49d111 100644
--- a/frontend/app/[locale]/layout.client.tsx
+++ b/frontend/app/[locale]/layout.client.tsx
@@ -1,7 +1,8 @@
 "use client";
 
 import { ReactNode, useState } from "react";
-import { Layout, Button } from "antd";
+import { usePathname } from "next/navigation";
+import { Layout, Button, Spin } from "antd";
 import { TopNavbar } from "@/components/navigation/TopNavbar";
 import { SideNavigation } from "@/components/navigation/SideNavigation";
 import { FooterLayout } from "@/components/navigation/FooterLayout";
@@ -10,23 +11,28 @@ import {
   FOOTER_CONFIG,
   SIDER_CONFIG,
 } from "@/const/layoutConstants";
-import { AuthDialogs } from "@/components/homepage/AuthDialogs";
-import { useAuth } from "@/hooks/useAuth";
+import { AuthDialogs } from "@/components/auth/AuthDialogs";
+import { useAuthenticationContext } from "@/components/providers/AuthenticationProvider";
 import { ChevronLeft, ChevronRight } from "lucide-react";
-import { usePathname } from "next/navigation";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
+import { useDeployment } from "@/components/providers/deploymentProvider";
+import { getEffectiveRoutePath } from "@/lib/auth";
 
 const { Header, Sider, Content, Footer } = Layout;
 
 export function ClientLayout({ children }: { children: ReactNode }) {
-  const { user, openLoginModal, openRegisterModal, isSpeedMode } = useAuth();
   const pathname = usePathname();
+  const { isAuthenticated } = useAuthenticationContext();
+  const { isAuthorized } = useAuthorizationContext();
+  const { isSpeedMode } = useDeployment();
 
   // Check if current route is setup page
   const isSetupPage = pathname?.includes("/setup");
 
-  // Authentication dialog states
-  const [loginPromptOpen, setLoginPromptOpen] = useState(false);
-  const [adminRequiredPromptOpen, setAdminRequiredPromptOpen] = useState(false);
+  const isChatPage = pathname?.includes("/chat");
+
+  // Home page does not require authorization
+  const isHomePage = getEffectiveRoutePath(pathname) === "/";
 
   // Sidebar collapse state
   const [collapsed, setCollapsed] = useState(false);
@@ -85,6 +91,7 @@ export function ClientLayout({ children }: { children: ReactNode }) {
   };
 
   const contentStyle: React.CSSProperties = {
+    height: "100%",
     overflowY: "auto",
     overflowX: "hidden",
     position: "relative",
@@ -94,26 +101,10 @@ export function ClientLayout({ children }: { children: ReactNode }) {
     backgroundColor: "#fff",
   };
 
-  // Authentication handlers
-  const handleAuthRequired = () => {
-    if (!isSpeedMode && !user) {
-      setLoginPromptOpen(true);
-    }
-  };
-
-  const handleAdminRequired = () => {
-    if (!isSpeedMode && user?.role !== "admin") {
-      setAdminRequiredPromptOpen(true);
-    }
-  };
-
-  const handleCloseLoginPrompt = () => setLoginPromptOpen(false);
-  const handleCloseAdminPrompt = () => setAdminRequiredPromptOpen(false);
-
   return (
     <Layout style={layoutStyle}>
       <Header style={headerStyle}>
-        <TopNavbar />
+        <TopNavbar isChatPage={isChatPage}/>
       </Header>
 
       <Layout>
@@ -127,11 +118,7 @@ export function ClientLayout({ children }: { children: ReactNode }) {
           className="dark:bg-slate-900/95 border-r border-slate-200 dark:border-slate-700 backdrop-blur-sm shadow-sm"
         >
           <div style={siderInnerStyle}>
-            <SideNavigation
-              onAuthRequired={handleAuthRequired}
-              onAdminRequired={handleAdminRequired}
-              collapsed={collapsed}
-            />
+            <SideNavigation collapsed={collapsed} />
           </div>
           <Button
             type="primary"
@@ -156,7 +143,16 @@ export function ClientLayout({ children }: { children: ReactNode }) {
           />
         </Sider>
 
-        <Content style={contentStyle}>{children}</Content>
+        {/* Don't render children until authorization is complete (except home page) */}
+        <Content style={contentStyle}>
+          {isHomePage || isAuthorized ? (
+            children
+          ) : (
+            <div className="flex items-center justify-center h-full w-full">
+              <Spin/>
+            </div>
+          )}
+        </Content>
       </Layout>
 
       {/* Conditionally render footer */}
@@ -169,22 +165,7 @@ export function ClientLayout({ children }: { children: ReactNode }) {
       {/* Global authentication dialogs */}
       {!isSpeedMode && (
         <>
-          <AuthDialogs
-            loginPromptOpen={loginPromptOpen}
-            adminPromptOpen={adminRequiredPromptOpen}
-            onCloseLoginPrompt={handleCloseLoginPrompt}
-            onCloseAdminPrompt={handleCloseAdminPrompt}
-            onLoginClick={() => {
-              setLoginPromptOpen(false);
-              setAdminRequiredPromptOpen(false);
-              openLoginModal();
-            }}
-            onRegisterClick={() => {
-              setLoginPromptOpen(false);
-              setAdminRequiredPromptOpen(false);
-              openRegisterModal();
-            }}
-          />
+          <AuthDialogs />
         </>
       )}
     </Layout>
diff --git a/frontend/app/[locale]/layout.tsx b/frontend/app/[locale]/layout.tsx
index 0926c189b..33509e8fa 100644
--- a/frontend/app/[locale]/layout.tsx
+++ b/frontend/app/[locale]/layout.tsx
@@ -1,6 +1,6 @@
 import type { Metadata } from "next";
 import { Inter } from "next/font/google";
-import { ReactNode } from "react";
+import React, { ReactNode } from "react";
 import { RootProvider } from "@/components/providers/rootProvider";
 import { DeploymentProvider } from "@/components/providers/deploymentProvider";
 import { ThemeProvider as NextThemesProvider } from "next-themes";
diff --git a/frontend/app/[locale]/market/page.tsx b/frontend/app/[locale]/market/page.tsx
index a59465d70..dad9328f3 100644
--- a/frontend/app/[locale]/market/page.tsx
+++ b/frontend/app/[locale]/market/page.tsx
@@ -1,6 +1,7 @@
 "use client";
 
 import React, { useState, useEffect, useRef } from "react";
+import { useRouter } from "next/navigation";
 import { motion } from "framer-motion";
 import { useTranslation } from "react-i18next";
 import { ShoppingBag, Search, RefreshCw, ChevronLeft, ChevronRight } from "lucide-react";
@@ -27,6 +28,7 @@ import "./MarketContent.css";
  * Browse and download pre-built agents from the marketplace
  */
 export default function MarketContent() {
+  const router = useRouter();
   const { t, i18n } = useTranslation("common");
   const { message } = App.useApp();
   const isZh = i18n.language === "zh" || i18n.language === "zh-CN";
@@ -250,15 +252,28 @@ export default function MarketContent() {
   };
 
   /**
-   * Handle install complete
+   * Handle install complete - Shows success message with navigation to agent space
    */
   const handleInstallComplete = () => {
     setInstallModalVisible(false);
     setInstallAgent(null);
-    // Optionally reload agents or show success message
-    message.success(
-      t("market.install.success", "Agent installed successfully!")
-    );
+    
+    // Show success message with clickable link to agent space
+    message.success({
+      content: (
+        <span>
+          {t("market.install.success.viewSpace.prefix")}
+          <button
+            onClick={() => router.push("/space")}
+            className="text-blue-600 dark:text-blue-400 font-bold hover:text-blue-700 dark:hover:text-blue-300 cursor-pointer transition-colors"
+          >
+            {t("market.install.success.viewSpace.link")}
+          </button>
+          {t("market.install.success.viewSpace.suffix")}
+        </span>
+      ),
+      duration: 4,
+    });
   };
 
   /**
@@ -539,6 +554,8 @@ export default function MarketContent() {
                     agent_id: installAgent.agent_id,
                     agent_info: installAgent.agent_json.agent_info,
                     mcp_info: installAgent.agent_json.mcp_info,
+                    business_logic_model_id: installAgent.business_logic_model_id,
+                    business_logic_model_name: installAgent.business_logic_model_name,
                   } as ImportAgentData)
                 : null
             }
diff --git a/frontend/app/[locale]/memory/page.tsx b/frontend/app/[locale]/memory/page.tsx
index 0828e9af1..62d1d52fa 100644
--- a/frontend/app/[locale]/memory/page.tsx
+++ b/frontend/app/[locale]/memory/page.tsx
@@ -19,10 +19,11 @@ import {
 } from "lucide-react";
 import { useTranslation, Trans } from "react-i18next";
 
-import { useAuth } from "@/hooks/useAuth";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
+import { useDeployment } from "@/components/providers/deploymentProvider";
 import { useMemory } from "@/hooks/useMemory";
 import { useSetupFlow } from "@/hooks/useSetupFlow";
-import { USER_ROLES, MEMORY_TAB_KEYS, MemoryTabKey } from "@/const/modelConfig";
+import { MEMORY_TAB_KEYS, MemoryTabKey } from "@/const/modelConfig";
 import {
   MEMORY_SHARE_STRATEGY,
   MemoryShareStrategy,
@@ -39,21 +40,12 @@ import { MemoryMenuList } from "./MemoryMenuList";
 export default function MemoryContent() {
   const { message } = App.useApp();
   const { t } = useTranslation("common");
-  const { user, isSpeedMode } = useAuth();
+  const { user } = useAuthorizationContext();
+  const { isSpeedMode } = useDeployment();
   const { confirm } = useConfirmModal();
 
   // Use custom hook for common setup flow logic
-  const { canAccessProtectedData, pageVariants, pageTransition } = useSetupFlow(
-    {
-      requireAdmin: false,
-    }
-  );
-
-  const role: (typeof USER_ROLES)[keyof typeof USER_ROLES] = (
-    isSpeedMode || user?.role === USER_ROLES.ADMIN
-      ? USER_ROLES.ADMIN
-      : USER_ROLES.USER
-  ) as (typeof USER_ROLES)[keyof typeof USER_ROLES];
+  const { pageVariants, pageTransition } = useSetupFlow();
 
   // Mock user and tenant IDs (should come from context)
   const currentUserId = "user1";
@@ -305,8 +297,7 @@ export default function MemoryContent() {
       ),
       children: renderBaseSettings(),
     },
-    ...(role === USER_ROLES.ADMIN
-      ? [
+ [
           {
             key: MEMORY_TAB_KEYS.TENANT,
             label: (
@@ -331,8 +322,7 @@ export default function MemoryContent() {
               !memory.memoryEnabled ||
               memory.shareOption === MEMORY_SHARE_STRATEGY.NEVER,
           },
-        ]
-      : []),
+        ],
     {
       key: MEMORY_TAB_KEYS.USER_PERSONAL,
       label: (
@@ -368,7 +358,7 @@ export default function MemoryContent() {
           transition={pageTransition}
           style={{ width: "100%", height: "100%" }}
         >
-          {canAccessProtectedData ? (
+
             <div className="w-full h-full flex items-center justify-center">
               <div
                 className="w-full mx-auto"
@@ -386,7 +376,7 @@ export default function MemoryContent() {
                 >
                   <Tabs
                     size="middle"
-                    items={tabItems}
+                    items={tabItems as any}
                     activeKey={memory.activeTabKey}
                     onChange={(key) => memory.setActiveTabKey(key)}
                     tabBarStyle={{
@@ -396,7 +386,6 @@ export default function MemoryContent() {
                 </div>
               </div>
             </div>
-          ) : null}
         </motion.div>
       </div>
     </>
diff --git a/frontend/app/[locale]/models/ModelConfiguration.tsx b/frontend/app/[locale]/models/ModelConfiguration.tsx
index 1fe154a76..0fb82db31 100644
--- a/frontend/app/[locale]/models/ModelConfiguration.tsx
+++ b/frontend/app/[locale]/models/ModelConfiguration.tsx
@@ -22,14 +22,12 @@ const { Title } = Typography;
 // Add interface definition
 interface AppModelConfigProps {
   skipModelVerification?: boolean;
-  canAccessProtectedData?: boolean;
   // Expose a ref from parent to allow programmatic dropdown change
   forwardedRef?: React.Ref<ModelConfigSectionRef>;
 }
 
 export default function AppModelConfig({
   skipModelVerification = false,
-  canAccessProtectedData = false,
   forwardedRef,
 }: AppModelConfigProps) {
   const { t } = useTranslation();
@@ -133,7 +131,6 @@ export default function AppModelConfig({
                   <ModelConfigSection
                     ref={modelConfigRef as any}
                     skipVerification={skipModelVerification}
-                    canAccessProtectedData={canAccessProtectedData}
                   />
                 </div>
               </div>
diff --git a/frontend/app/[locale]/models/components/model/ModelAddDialog.tsx b/frontend/app/[locale]/models/components/model/ModelAddDialog.tsx
index 4a2c3bf97..28eea0834 100644
--- a/frontend/app/[locale]/models/components/model/ModelAddDialog.tsx
+++ b/frontend/app/[locale]/models/components/model/ModelAddDialog.tsx
@@ -7,7 +7,7 @@ import {
   LoaderCircle,
   ChevronRight,
   ChevronDown,
-  Settings
+  Settings,
 } from "lucide-react";
 
 import { useConfig } from "@/hooks/useConfig";
@@ -38,8 +38,29 @@ interface ModelAddDialogProps {
   onSuccess: (model?: AddedModel) => Promise<void>;
   defaultProvider?: string; // Default provider to select when dialog opens
   defaultIsBatchImport?: boolean;
+  tenantId?: string; // Optional tenant ID for manage operations
 }
 
+// Default form state for resetting
+const DEFAULT_FORM_STATE = {
+  type: MODEL_TYPES.LLM as ModelType,
+  name: "",
+  displayName: "",
+  url: "",
+  apiKey: "",
+  maxTokens: "4096",
+  isMultimodal: false,
+  isBatchImport: false,
+  provider: "modelengine",
+  modelEngineUrl: "",
+  vectorDimension: "1024",
+  chunkSizeRange: [DEFAULT_EXPECTED_CHUNK_SIZE, DEFAULT_MAXIMUM_CHUNK_SIZE] as [
+    number,
+    number,
+  ],
+  chunkingBatchSize: "10",
+};
+
 // Connectivity status type comes from utils
 
 // Helper function to translate error messages from backend
@@ -123,6 +144,39 @@ const translateError = (
     return t("model.dialog.error.invalidConfiguration", { error: configError });
   }
 
+  // ModelEngine specific errors
+  if (
+    errorLower.includes("authentication failed") ||
+    errorLower.includes("invalid api key")
+  ) {
+    return t("model.dialog.error.apiConnectionFailed");
+  }
+  if (
+    errorLower.includes("access forbidden") ||
+    errorLower.includes("insufficient permissions")
+  ) {
+    return t("model.dialog.error.apiConnectionFailed");
+  }
+  if (
+    errorLower.includes("endpoint not found") ||
+    errorLower.includes("url may be incorrect")
+  ) {
+    return t("model.dialog.error.apiConnectionFailed");
+  }
+  if (errorLower.includes("server error") || errorLower.includes("http 5")) {
+    return t("model.dialog.error.serverError");
+  }
+  if (
+    errorLower.includes("connection failed") ||
+    errorLower.includes("network") ||
+    errorLower.includes("timeout")
+  ) {
+    return t("model.dialog.error.apiConnectionFailed");
+  }
+  if (errorLower.includes("ssl certificate")) {
+    return t("model.dialog.error.apiConnectionFailed");
+  }
+
   // Return original error if no pattern matches
   return errorMessage;
 };
@@ -133,6 +187,7 @@ export const ModelAddDialog = ({
   onSuccess,
   defaultProvider,
   defaultIsBatchImport,
+  tenantId,
 }: ModelAddDialogProps) => {
   const { t } = useTranslation();
   const { message } = App.useApp();
@@ -160,26 +215,8 @@ export const ModelAddDialog = ({
     // For other errors, return generic error key without showing backend details
     return { key: "model.dialog.error.addFailed" };
   };
-  const [form, setForm] = useState({
-    type: MODEL_TYPES.LLM as ModelType,
-    name: "",
-    displayName: "",
-    url: "",
-    apiKey: "",
-    maxTokens: "4096",
-    isMultimodal: false,
-    // Whether to import multiple models at once
-    isBatchImport: false,
-    provider: "modelengine",
-    modelEngineUrl: "",
-    vectorDimension: "1024",
-    // Default chunk size range for embedding models
-    chunkSizeRange: [
-      DEFAULT_EXPECTED_CHUNK_SIZE,
-      DEFAULT_MAXIMUM_CHUNK_SIZE,
-    ] as [number, number],
-    chunkingBatchSize: "10",
-  });
+  // Form state - initialize with default values
+  const [form, setForm] = useState(DEFAULT_FORM_STATE);
   const [loading, setLoading] = useState(false);
   const [verifyingConnectivity, setVerifyingConnectivity] = useState(false);
   const [connectivityStatus, setConnectivityStatus] = useState<{
@@ -223,8 +260,25 @@ export const ModelAddDialog = ({
     setSelectedModelIds,
     setShowModelList,
     setLoadingModelList,
+    tenantId,
   });
 
+  // Reset form to default state
+  const resetForm = useCallback(() => {
+    setForm(DEFAULT_FORM_STATE);
+    setConnectivityStatus({ status: null, message: "" });
+    setModelList([]);
+    setModelSearchTerm("");
+    setSelectedModelIds(new Set());
+    setShowModelList(false);
+  }, []);
+
+  // Wrap onClose to reset form before closing
+  const handleClose = useCallback(() => {
+    resetForm();
+    onClose();
+  }, [onClose, resetForm]);
+
   // When dialog opens, apply default provider and optional default batch mode
   useEffect(() => {
     if (!isOpen) return;
@@ -289,10 +343,21 @@ export const ModelAddDialog = ({
     setForm((prev) => ({
       ...prev,
       [field]: value,
+      // When provider changes, clear provider-related fields
+      ...(field === "provider"
+        ? {
+            url: "",
+            apiKey: "",
+            modelEngineUrl: "",
+          }
+        : {}),
     }));
     // If the key configuration item changes, clear the verification status
     if (
-      ["type", "url", "apiKey", "maxTokens", "vectorDimension"].includes(field)
+      ["type", "url", "apiKey", "maxTokens", "vectorDimension"].includes(
+        field
+      ) ||
+      field === "provider"
     ) {
       setConnectivityStatus({ status: null, message: "" });
     }
@@ -300,6 +365,11 @@ export const ModelAddDialog = ({
     if (field === "type") {
       setModelSearchTerm("");
     }
+    // Clear model list when provider changes
+    if (field === "provider") {
+      setModelList([]);
+      setSelectedModelIds(new Set());
+    }
   };
 
   // Verify if the vector dimension is valid
@@ -354,46 +424,69 @@ export const ModelAddDialog = ({
           ? (MODEL_TYPES.MULTI_EMBEDDING as ModelType)
           : form.type;
 
-      const config = {
-        modelName: form.name,
-        modelType: modelType,
-        baseUrl: form.url,
-        apiKey: form.apiKey.trim() === "" ? "sk-no-api-key" : form.apiKey,
-        maxTokens:
-          form.type === MODEL_TYPES.EMBEDDING
-            ? parseInt(form.vectorDimension)
-            : parseInt(form.maxTokens),
-        embeddingDim:
-          form.type === MODEL_TYPES.EMBEDDING
-            ? parseInt(form.vectorDimension)
-            : undefined,
-      };
-
-      const result = await modelService.verifyModelConfigConnectivity(config);
+      // Use manage interface if tenantId is provided
+      if (tenantId) {
+        // Call backend healthcheck API for tenant management
+        const result = await modelService.checkManageTenantModelConnectivity(
+          tenantId,
+          form.displayName || form.name
+        );
 
-      // Set connectivity status
-      if (result.connectivity) {
-        setConnectivityStatus({
-          status: "available",
-          message: t("model.dialog.connectivity.status.available"),
-        });
+        // Set connectivity status
+        if (result) {
+          setConnectivityStatus({
+            status: "available",
+            message: t("model.dialog.connectivity.status.available"),
+          });
+        } else {
+          setConnectivityStatus({
+            status: "unavailable",
+            message: t("model.dialog.connectivity.status.unavailable"),
+          });
+        }
       } else {
-        // Set status to unavailable
-        setConnectivityStatus({
-          status: "unavailable",
-          message: t("model.dialog.connectivity.status.unavailable"),
-        });
-        // Show detailed error message using internationalized component (same as add failure)
-        if (result.error) {
-          const translatedError = translateError(result.error, t);
-          // Ensure translatedError is a valid string, fallback to original error if needed
-          const errorText =
-            translatedError && translatedError.length > 0
-              ? translatedError
-              : result.error || "Unknown error";
-          message.error(
-            t("model.dialog.error.connectivityFailed", { error: errorText })
-          );
+        // Use local config verification for non-tenant operations
+        const config = {
+          modelName: form.name,
+          modelType: modelType,
+          baseUrl: form.url,
+          apiKey: form.apiKey.trim() === "" ? "sk-no-api-key" : form.apiKey,
+          maxTokens:
+            form.type === MODEL_TYPES.EMBEDDING
+              ? parseInt(form.vectorDimension)
+              : parseInt(form.maxTokens),
+          embeddingDim:
+            form.type === MODEL_TYPES.EMBEDDING
+              ? parseInt(form.vectorDimension)
+              : undefined,
+        };
+
+        const result = await modelService.verifyModelConfigConnectivity(config);
+
+        // Set connectivity status
+        if (result.connectivity) {
+          setConnectivityStatus({
+            status: "available",
+            message: t("model.dialog.connectivity.status.available"),
+          });
+        } else {
+          // Set status to unavailable
+          setConnectivityStatus({
+            status: "unavailable",
+            message: t("model.dialog.connectivity.status.unavailable"),
+          });
+          // Show detailed error message using internationalized component (same as add failure)
+          if (result.error) {
+            const translatedError = translateError(result.error, t);
+            // Ensure translatedError is a valid string, fallback to original error if needed
+            const errorText =
+              translatedError && translatedError.length > 0
+                ? translatedError
+                : result.error || "Unknown error";
+            message.error(
+              t("model.dialog.error.connectivityFailed", { error: errorText })
+            );
+          }
         }
       }
     } catch (error) {
@@ -434,36 +527,59 @@ export const ModelAddDialog = ({
       const isEmbeddingType =
         modelType === MODEL_TYPES.EMBEDDING ||
         modelType === MODEL_TYPES.MULTI_EMBEDDING;
-      const result = await modelService.addBatchCustomModel({
-        api_key: form.apiKey.trim() === "" ? "sk-no-api-key" : form.apiKey,
-        provider: form.provider,
-        type: modelType,
-        models: enabledModels.map((model: any) => {
-          // For embedding/multi_embedding models, explicitly exclude max_tokens as backend will set it via connectivity check
-          if (isEmbeddingType) {
-            const { max_tokens, ...modelWithoutMaxTokens } = model;
-            return {
-              ...modelWithoutMaxTokens,
-              // Add chunk size range for embedding models
-              ...(isEmbeddingModel
-                ? {
-                    expected_chunk_size: form.chunkSizeRange[0],
-                    maximum_chunk_size: form.chunkSizeRange[1],
-                    chunk_batch: parseInt(form.chunkingBatchSize) || 10,
-                  }
-                : {}),
-            };
-          } else {
-            return {
-              ...model,
-              max_tokens: model.max_tokens || parseInt(form.maxTokens) || 4096,
-            };
-          }
-        }),
+
+      // Prepare the model data
+      const modelsData = enabledModels.map((model: any) => {
+        // For embedding/multi_embedding models, explicitly exclude max_tokens as backend will set it via connectivity check
+        if (isEmbeddingType) {
+          const { max_tokens, ...modelWithoutMaxTokens } = model;
+          return {
+            ...modelWithoutMaxTokens,
+            // Add chunk size range for embedding models
+            ...(isEmbeddingModel
+              ? {
+                  expected_chunk_size: form.chunkSizeRange[0],
+                  maximum_chunk_size: form.chunkSizeRange[1],
+                  chunk_batch: parseInt(form.chunkingBatchSize) || 10,
+                }
+              : {}),
+          };
+        } else {
+          return {
+            ...model,
+            max_tokens: model.max_tokens || parseInt(form.maxTokens) || 4096,
+          };
+        }
       });
-      if (result === 200) {
-        onSuccess();
+
+      // Use manage interface if tenantId is provided (for super admin), otherwise use current tenant
+      if (tenantId) {
+        await modelService.batchCreateManageTenantModels({
+          tenantId,
+          provider: form.provider,
+          type: modelType,
+          apiKey: form.apiKey.trim() === "" ? "sk-no-api-key" : form.apiKey,
+          models: modelsData,
+        });
+      } else {
+        await modelService.addBatchCustomModel({
+          api_key: form.apiKey.trim() === "" ? "sk-no-api-key" : form.apiKey,
+          provider: form.provider,
+          type: modelType,
+          models: modelsData,
+        });
       }
+
+      // Reset form state and close dialog on success
+      resetForm();
+      handleClose();
+
+      // Notify parent to refresh model list - batch add returns all added models
+      const addedModels: AddedModel[] = enabledModels.map((model: any) => ({
+        name: model.displayName || model.id,
+        type: modelType,
+      }));
+      await onSuccess(addedModels.length > 0 ? addedModels[0] : undefined);
     } catch (error: any) {
       const errorMessage =
         error?.message || t("model.dialog.error.addFailedLog");
@@ -472,13 +588,6 @@ export const ModelAddDialog = ({
         t("model.dialog.error.addFailed", { error: translatedError })
       );
     }
-
-    setForm((prev) => ({
-      ...prev,
-      isBatchImport: false,
-    }));
-
-    onClose();
   };
 
   // Handle settings button click
@@ -534,23 +643,44 @@ export const ModelAddDialog = ({
         maxTokensValue = 0;
       }
 
-      // Add to the backend service
-      await modelService.addCustomModel({
-        name: form.name,
-        type: modelType,
-        url: form.url,
-        apiKey: form.apiKey.trim() === "" ? "sk-no-api-key" : form.apiKey,
-        maxTokens: maxTokensValue,
-        displayName: form.displayName || form.name,
-        // Send chunk size range for embedding models
-        ...(isEmbeddingModel
-          ? {
-              expectedChunkSize: form.chunkSizeRange[0],
-              maximumChunkSize: form.chunkSizeRange[1],
-              chunkingBatchSize: parseInt(form.chunkingBatchSize) || 10,
-            }
-          : {}),
-      });
+      // Add to the backend service - use manage interface if tenantId is provided
+      if (tenantId) {
+        await modelService.createManageTenantModel({
+          tenantId,
+          name: form.name,
+          type: modelType,
+          url: form.url,
+          apiKey: form.apiKey.trim() === "" ? "sk-no-api-key" : form.apiKey,
+          maxTokens: maxTokensValue,
+          displayName: form.displayName || form.name,
+          expectedChunkSize: isEmbeddingModel
+            ? form.chunkSizeRange[0]
+            : undefined,
+          maximumChunkSize: isEmbeddingModel
+            ? form.chunkSizeRange[1]
+            : undefined,
+          chunkingBatchSize: isEmbeddingModel
+            ? parseInt(form.chunkingBatchSize) || 10
+            : undefined,
+        });
+      } else {
+        await modelService.addCustomModel({
+          name: form.name,
+          type: modelType,
+          url: form.url,
+          apiKey: form.apiKey.trim() === "" ? "sk-no-api-key" : form.apiKey,
+          maxTokens: maxTokensValue,
+          displayName: form.displayName || form.name,
+          // Send chunk size range for embedding models
+          ...(isEmbeddingModel
+            ? {
+                expectedChunkSize: form.chunkSizeRange[0],
+                maximumChunkSize: form.chunkSizeRange[1],
+                chunkingBatchSize: parseInt(form.chunkingBatchSize) || 10,
+              }
+            : {}),
+        });
+      }
 
       // Create the model configuration object
       const modelConfig: SingleModelConfig = {
@@ -604,34 +734,14 @@ export const ModelAddDialog = ({
         type: modelType,
       };
 
-      // Reset the form
-      setForm({
-        type: form.type,
-        name: "",
-        displayName: "",
-        url: "",
-        apiKey: "",
-        maxTokens: "4096",
-        isMultimodal: false,
-        isBatchImport: false,
-        provider: "silicon",
-        modelEngineUrl: "",
-        vectorDimension: "1024",
-        chunkSizeRange: [
-          DEFAULT_EXPECTED_CHUNK_SIZE,
-          DEFAULT_MAXIMUM_CHUNK_SIZE,
-        ],
-        chunkingBatchSize: "10",
-      });
-
-      // Reset the connectivity status
-      setConnectivityStatus({ status: null, message: "" });
+      // Reset form state
+      resetForm();
 
       // Call the success callback, pass the new added model information
       await onSuccess(addedModel);
 
       // Close the dialog
-      onClose();
+      handleClose();
     } catch (error) {
       const errorMessage =
         error instanceof Error ? error.message : String(error);
@@ -651,7 +761,7 @@ export const ModelAddDialog = ({
     <Modal
       title={t("model.dialog.title")}
       open={isOpen}
-      onCancel={onClose}
+      onCancel={handleClose}
       footer={null}
       destroyOnHidden
     >
@@ -686,7 +796,9 @@ export const ModelAddDialog = ({
               value={form.provider}
               onChange={(value) => handleFormChange("provider", value)}
             >
-              <Option value="modelengine">{t("model.provider.modelengine")}</Option>
+              <Option value="modelengine">
+                {t("model.provider.modelengine")}
+              </Option>
               <Option value="silicon">{t("model.provider.silicon")}</Option>
             </Select>
             {/* ModelEngine URL input (only when provider is ModelEngine) */}
@@ -868,7 +980,9 @@ export const ModelAddDialog = ({
               min="1"
               placeholder="10"
               value={form.chunkingBatchSize}
-              onChange={(e) => handleFormChange("chunkingBatchSize", e.target.value)}
+              onChange={(e) =>
+                handleFormChange("chunkingBatchSize", e.target.value)
+              }
             />
           </div>
         )}
@@ -953,9 +1067,15 @@ export const ModelAddDialog = ({
                 className="flex items-center focus:outline-none"
               >
                 {showModelList ? (
-                  <ChevronDown className="text-sm text-gray-700 mr-1" size={14} />
+                  <ChevronDown
+                    className="text-sm text-gray-700 mr-1"
+                    size={14}
+                  />
                 ) : (
-                  <ChevronRight className="text-sm text-gray-700 mr-1" size={14} />
+                  <ChevronRight
+                    className="text-sm text-gray-700 mr-1"
+                    size={14}
+                  />
                 )}
                 <span className="text-sm font-medium text-gray-700">
                   {t("model.dialog.modelList.title")}
@@ -1173,7 +1293,11 @@ export const ModelAddDialog = ({
               {form.type === "llm" && !form.isBatchImport && (
                 <>
                   <Tooltip title="OpenAI">
-                    <a href={PROVIDER_LINKS.openai} target="_blank" rel="noopener noreferrer">
+                    <a
+                      href={PROVIDER_LINKS.openai}
+                      target="_blank"
+                      rel="noopener noreferrer"
+                    >
                       <img
                         src="/openai.png"
                         alt="OpenAI"
@@ -1182,12 +1306,24 @@ export const ModelAddDialog = ({
                     </a>
                   </Tooltip>
                   <Tooltip title="Kimi">
-                    <a href={PROVIDER_LINKS.kimi} target="_blank" rel="noopener noreferrer">
-                      <img src="/kimi.png" alt="Kimi" className="h-4 ml-1.5 cursor-pointer" />
+                    <a
+                      href={PROVIDER_LINKS.kimi}
+                      target="_blank"
+                      rel="noopener noreferrer"
+                    >
+                      <img
+                        src="/kimi.png"
+                        alt="Kimi"
+                        className="h-4 ml-1.5 cursor-pointer"
+                      />
                     </a>
                   </Tooltip>
                   <Tooltip title="Deepseek">
-                    <a href={PROVIDER_LINKS.deepseek} target="_blank" rel="noopener noreferrer">
+                    <a
+                      href={PROVIDER_LINKS.deepseek}
+                      target="_blank"
+                      rel="noopener noreferrer"
+                    >
                       <img
                         src="/deepseek.png"
                         alt="Deepseek"
@@ -1196,8 +1332,16 @@ export const ModelAddDialog = ({
                     </a>
                   </Tooltip>
                   <Tooltip title="Qwen">
-                    <a href={PROVIDER_LINKS.qwen} target="_blank" rel="noopener noreferrer">
-                      <img src="/qwen.png" alt="Qwen" className="h-4 ml-1.5 cursor-pointer" />
+                    <a
+                      href={PROVIDER_LINKS.qwen}
+                      target="_blank"
+                      rel="noopener noreferrer"
+                    >
+                      <img
+                        src="/qwen.png"
+                        alt="Qwen"
+                        className="h-4 ml-1.5 cursor-pointer"
+                      />
                     </a>
                   </Tooltip>
                   <span className="ml-1.5">...</span>
@@ -1206,7 +1350,11 @@ export const ModelAddDialog = ({
               {form.type === "embedding" && !form.isBatchImport && (
                 <>
                   <Tooltip title="OpenAI">
-                    <a href={PROVIDER_LINKS.openai} target="_blank" rel="noopener noreferrer">
+                    <a
+                      href={PROVIDER_LINKS.openai}
+                      target="_blank"
+                      rel="noopener noreferrer"
+                    >
                       <img
                         src="/openai.png"
                         alt="OpenAI"
@@ -1215,18 +1363,42 @@ export const ModelAddDialog = ({
                     </a>
                   </Tooltip>
                   <Tooltip title="Qwen">
-                    <a href={PROVIDER_LINKS.qwen} target="_blank" rel="noopener noreferrer">
-                      <img src="/qwen.png" alt="Qwen" className="h-4 ml-1.5 cursor-pointer" />
+                    <a
+                      href={PROVIDER_LINKS.qwen}
+                      target="_blank"
+                      rel="noopener noreferrer"
+                    >
+                      <img
+                        src="/qwen.png"
+                        alt="Qwen"
+                        className="h-4 ml-1.5 cursor-pointer"
+                      />
                     </a>
                   </Tooltip>
                   <Tooltip title="Jina">
-                    <a href={PROVIDER_LINKS.jina} target="_blank" rel="noopener noreferrer">
-                      <img src="/jina.png" alt="Jina" className="h-4 ml-1.5 cursor-pointer" />
+                    <a
+                      href={PROVIDER_LINKS.jina}
+                      target="_blank"
+                      rel="noopener noreferrer"
+                    >
+                      <img
+                        src="/jina.png"
+                        alt="Jina"
+                        className="h-4 ml-1.5 cursor-pointer"
+                      />
                     </a>
                   </Tooltip>
                   <Tooltip title="Baai">
-                    <a href={PROVIDER_LINKS.baai} target="_blank" rel="noopener noreferrer">
-                      <img src="/baai.png" alt="Baai" className="h-4 ml-1.5 cursor-pointer" />
+                    <a
+                      href={PROVIDER_LINKS.baai}
+                      target="_blank"
+                      rel="noopener noreferrer"
+                    >
+                      <img
+                        src="/baai.png"
+                        alt="Baai"
+                        className="h-4 ml-1.5 cursor-pointer"
+                      />
                     </a>
                   </Tooltip>
                   <span className="ml-1.5">...</span>
@@ -1235,12 +1407,24 @@ export const ModelAddDialog = ({
               {form.type === "vlm" && !form.isBatchImport && (
                 <>
                   <Tooltip title="Qwen">
-                    <a href={PROVIDER_LINKS.qwen} target="_blank" rel="noopener noreferrer">
-                      <img src="/qwen.png" alt="Qwen" className="h-4 ml-1.5 cursor-pointer" />
+                    <a
+                      href={PROVIDER_LINKS.qwen}
+                      target="_blank"
+                      rel="noopener noreferrer"
+                    >
+                      <img
+                        src="/qwen.png"
+                        alt="Qwen"
+                        className="h-4 ml-1.5 cursor-pointer"
+                      />
                     </a>
                   </Tooltip>
                   <Tooltip title="Deepseek">
-                    <a href={PROVIDER_LINKS.deepseek} target="_blank" rel="noopener noreferrer">
+                    <a
+                      href={PROVIDER_LINKS.deepseek}
+                      target="_blank"
+                      rel="noopener noreferrer"
+                    >
                       <img
                         src="/deepseek.png"
                         alt="Deepseek"
@@ -1257,7 +1441,7 @@ export const ModelAddDialog = ({
 
         {/* Footer Buttons */}
         <div className="flex justify-end space-x-3">
-          <Button onClick={onClose}>{t("common.button.cancel")}</Button>
+          <Button onClick={handleClose}>{t("common.button.cancel")}</Button>
           <Button
             type="primary"
             onClick={handleAddModel}
diff --git a/frontend/app/[locale]/models/components/model/ModelEditDialog.tsx b/frontend/app/[locale]/models/components/model/ModelEditDialog.tsx
index fc4991f0b..ebd7097d8 100644
--- a/frontend/app/[locale]/models/components/model/ModelEditDialog.tsx
+++ b/frontend/app/[locale]/models/components/model/ModelEditDialog.tsx
@@ -19,6 +19,7 @@ interface ModelEditDialogProps {
   model: ModelOption | null;
   onClose: () => void;
   onSuccess: () => Promise<void>;
+  tenantId?: string; // Optional tenant ID for manage operations
 }
 
 export const ModelEditDialog = ({
@@ -26,6 +27,7 @@ export const ModelEditDialog = ({
   model,
   onClose,
   onSuccess,
+  tenantId,
 }: ModelEditDialogProps) => {
   const { t } = useTranslation();
   const { message } = App.useApp();
@@ -105,36 +107,60 @@ export const ModelEditDialog = ({
     try {
       const modelType = form.type as ModelType;
 
-      const config = {
-        modelName: form.name,
-        modelType: modelType,
-        baseUrl: form.url,
-        apiKey: form.apiKey.trim() === "" ? "sk-no-api-key" : form.apiKey,
-        maxTokens:
-          form.type === MODEL_TYPES.EMBEDDING
-            ? parseInt(form.vectorDimension)
-            : parseInt(form.maxTokens),
-        embeddingDim:
-          form.type === MODEL_TYPES.EMBEDDING
-            ? parseInt(form.vectorDimension)
-            : undefined,
-      };
-
-      const result = await modelService.verifyModelConfigConnectivity(config);
+      // Use manage interface if tenantId is provided
+      if (tenantId) {
+        // Call backend healthcheck API for tenant management
+        const result = await modelService.checkManageTenantModelConnectivity(
+          tenantId,
+          form.displayName || form.name
+        );
 
-      // Set connectivity status
-      let connectivityMessage = "";
-      if (result.connectivity) {
-        connectivityMessage = t("model.dialog.connectivity.status.available");
+        // Set connectivity status
+        let connectivityMessage = "";
+        if (result) {
+          connectivityMessage = t("model.dialog.connectivity.status.available");
+        } else {
+          connectivityMessage = t("model.dialog.connectivity.status.unavailable");
+        }
+        setConnectivityStatus({
+          status: result
+            ? MODEL_STATUS.AVAILABLE
+            : MODEL_STATUS.UNAVAILABLE,
+          message: connectivityMessage,
+        });
       } else {
-        connectivityMessage = t("model.dialog.connectivity.status.unavailable");
+        // Use local config verification for non-tenant operations
+        const config = {
+          modelName: form.name,
+          modelType: modelType,
+          baseUrl: form.url,
+          apiKey: form.apiKey.trim() === "" ? "sk-no-api-key" : form.apiKey,
+          maxTokens:
+            form.type === MODEL_TYPES.EMBEDDING
+              ? parseInt(form.vectorDimension)
+              : parseInt(form.maxTokens),
+          embeddingDim:
+            form.type === MODEL_TYPES.EMBEDDING
+              ? parseInt(form.vectorDimension)
+              : undefined,
+        };
+
+        const result = await modelService.verifyModelConfigConnectivity(config);
+
+        // Set connectivity status
+        let connectivityMessage = "";
+        if (result.connectivity) {
+          connectivityMessage = t("model.dialog.connectivity.status.available");
+        } else {
+          connectivityMessage = t("model.dialog.connectivity.status.unavailable");
+        }
+        setConnectivityStatus({
+          status: result.connectivity
+            ? MODEL_STATUS.AVAILABLE
+            : MODEL_STATUS.UNAVAILABLE,
+          message: connectivityMessage,
+        });
       }
-      setConnectivityStatus({
-        status: result.connectivity
-          ? MODEL_STATUS.AVAILABLE
-          : MODEL_STATUS.UNAVAILABLE,
-        message: connectivityMessage,
-      });
     } catch (error) {
       setConnectivityStatus({
         status: "unavailable",
@@ -159,25 +185,40 @@ export const ModelEditDialog = ({
       const originalDisplayName = model.displayName || model.name;
       const newDisplayName = form.displayName;
 
-      await modelService.updateSingleModel({
-        currentDisplayName: originalDisplayName,
-        // Only send displayName if it changed
-        ...(newDisplayName !== originalDisplayName
-          ? { displayName: newDisplayName }
-          : {}),
-        url: form.url,
-        apiKey: form.apiKey.trim() === "" ? "sk-no-api-key" : form.apiKey,
-        ...(maxTokensValue !== 0 ? { maxTokens: maxTokensValue } : {}),
-        source: model.source,
-        // Send chunk size range for embedding models
-        ...(isEmbeddingModel
-          ? {
-              expectedChunkSize: form.chunkSizeRange[0],
-              maximumChunkSize: form.chunkSizeRange[1],
-              chunkingBatchSize: parseInt(form.chunkingBatchSize) || 10,
-            }
-          : {}),
-      });
+      // Use manage interface if tenantId is provided
+      if (tenantId) {
+        await modelService.updateManageTenantModel({
+          tenantId,
+          currentDisplayName: originalDisplayName,
+          displayName: newDisplayName !== originalDisplayName ? newDisplayName : undefined,
+          url: form.url,
+          apiKey: form.apiKey.trim() === "" ? "sk-no-api-key" : form.apiKey,
+          maxTokens: maxTokensValue !== 0 ? maxTokensValue : undefined,
+          expectedChunkSize: isEmbeddingModel ? form.chunkSizeRange[0] : undefined,
+          maximumChunkSize: isEmbeddingModel ? form.chunkSizeRange[1] : undefined,
+          chunkingBatchSize: isEmbeddingModel ? parseInt(form.chunkingBatchSize) || 10 : undefined,
+        });
+      } else {
+        await modelService.updateSingleModel({
+          currentDisplayName: originalDisplayName,
+          // Only send displayName if it changed
+          ...(newDisplayName !== originalDisplayName
+            ? { displayName: newDisplayName }
+            : {}),
+          url: form.url,
+          apiKey: form.apiKey.trim() === "" ? "sk-no-api-key" : form.apiKey,
+          ...(maxTokensValue !== 0 ? { maxTokens: maxTokensValue } : {}),
+          source: model.source,
+          // Send chunk size range for embedding models
+          ...(isEmbeddingModel
+            ? {
+                expectedChunkSize: form.chunkSizeRange[0],
+                maximumChunkSize: form.chunkSizeRange[1],
+                chunkingBatchSize: parseInt(form.chunkingBatchSize) || 10,
+              }
+            : {}),
+        });
+      }
 
       // Update local configuration (only when currently edited model is selected in configuration)
       const modelConfigKeyMap: Record<ModelType, string> = {
diff --git a/frontend/app/[locale]/models/components/modelConfig.tsx b/frontend/app/[locale]/models/components/modelConfig.tsx
index 628f52392..2588ebf76 100644
--- a/frontend/app/[locale]/models/components/modelConfig.tsx
+++ b/frontend/app/[locale]/models/components/modelConfig.tsx
@@ -28,6 +28,7 @@ import { ModelListCard } from "./model/ModelListCard";
 import { ModelAddDialog } from "./model/ModelAddDialog";
 import { ModelDeleteDialog } from "./model/ModelDeleteDialog";
 import { useConfirmModal } from "@/hooks/useConfirmModal";
+import { Can } from "@/components/permission/Can";
 
 // ModelConnectStatus type definition
 type ModelConnectStatus = (typeof MODEL_STATUS)[keyof typeof MODEL_STATUS];
@@ -86,7 +87,6 @@ export interface ModelConfigSectionRef {
 
 interface ModelConfigSectionProps {
   skipVerification?: boolean;
-  canAccessProtectedData?: boolean;
 }
 
 export const ModelConfigSection = forwardRef<
@@ -95,9 +95,11 @@ export const ModelConfigSection = forwardRef<
 >((props, ref): ReactNode => {
   const { t } = useTranslation();
   const { message } = App.useApp();
-  const { skipVerification = false, canAccessProtectedData = false } = props;
+
+  const { skipVerification = false } = props;
   const { modelConfig, updateModelConfig, appConfig } = useConfig();
   const modelEngineEnable = appConfig.modelEngineEnabled;
+
   const modelData = getModelData(t);
   const { confirm } = useConfirmModal();
 
@@ -152,9 +154,6 @@ export const ModelConfigSection = forwardRef<
 
   // Initialize loading
   useEffect(() => {
-    if (!canAccessProtectedData) {
-      return;
-    }
     // Load configuration from backend first, then load model lists when component mounts
     const fetchData = async () => {
       await configService.loadConfigToFrontend();
@@ -163,7 +162,7 @@ export const ModelConfigSection = forwardRef<
     };
 
     fetchData();
-  }, [canAccessProtectedData, skipVerification]);
+  }, [skipVerification]);
 
   // Listen to field error highlight events
   useEffect(() => {
@@ -853,37 +852,41 @@ export const ModelConfigSection = forwardRef<
                 </Button>
               </Col>
             )}
-            <Col xs={24} sm={12} md={6} lg={6} xl={6}>
-              <Button
-                type="primary"
-                size="middle"
-                icon={<Plus size={16} />}
-                onClick={() => {
-                  setAddModalDefaultIsBatch(false);
-                  setIsAddModalOpen(true);
-                }}
-                style={{ width: "100%" }}
-                block
-              >
-                <span className="button-text-full">
-                  {t("modelConfig.button.addCustomModel")}
-                </span>
-              </Button>
-            </Col>
-            <Col xs={24} sm={12} md={6} lg={6} xl={6}>
-              <Button
-                type="primary"
-                size="middle"
-                icon={<PenLine size={16} />}
-                onClick={() => setIsDeleteModalOpen(true)}
-                style={{ width: "100%" }}
-                block
-              >
-                <span className="button-text-full">
-                  {t("modelConfig.button.editCustomModel")}
-                </span>
-              </Button>
-            </Col>
+            <Can permission="model:create">
+              <Col xs={24} sm={12} md={6} lg={6} xl={6}>
+                <Button
+                  type="primary"
+                  size="middle"
+                  icon={<Plus size={16} />}
+                  onClick={() => {
+                    setAddModalDefaultIsBatch(false);
+                    setIsAddModalOpen(true);
+                  }}
+                  style={{ width: "100%" }}
+                  block
+                >
+                  <span className="button-text-full">
+                    {t("modelConfig.button.addCustomModel")}
+                  </span>
+                </Button>
+              </Col>
+            </Can>
+            <Can permission="model:update">
+              <Col xs={24} sm={12} md={6} lg={6} xl={6}>
+                <Button
+                  type="primary"
+                  size="middle"
+                  icon={<PenLine size={16} />}
+                  onClick={() => setIsDeleteModalOpen(true)}
+                  style={{ width: "100%" }}
+                  block
+                >
+                  <span className="button-text-full">
+                    {t("modelConfig.button.editCustomModel")}
+                  </span>
+                </Button>
+              </Col>
+            </Can>
             <Col xs={24} sm={12} md={6} lg={6} xl={6}>
               <Button
                 type="primary"
diff --git a/frontend/app/[locale]/models/page.tsx b/frontend/app/[locale]/models/page.tsx
index ca81be7ac..72fb78f00 100644
--- a/frontend/app/[locale]/models/page.tsx
+++ b/frontend/app/[locale]/models/page.tsx
@@ -14,36 +14,26 @@ import { ModelConfigSectionRef } from "./components/modelConfig";
  */
 export default function ModelsContent() {
   // Use custom hook for common setup flow logic
-  const { canAccessProtectedData, pageVariants, pageTransition } = useSetupFlow(
-    {
-      requireAdmin: true,
-      nonAdminRedirect: "/setup/knowledges",
-    }
-  );
+  const { pageVariants, pageTransition } = useSetupFlow({});
 
   const modelConfigSectionRef = useRef<ModelConfigSectionRef | null>(null);
 
   return (
-    <>
-      <div className="w-full h-full p-8">
-        <motion.div
-          initial="initial"
-          animate="in"
-          exit="out"
-          variants={pageVariants}
-          transition={pageTransition}
-          style={{ width: "100%", height: "100%" }}
-        >
-          <div className="w-full h-full flex items-center justify-center">
-            {canAccessProtectedData ? (
-              <AppModelConfig
-                forwardedRef={modelConfigSectionRef}
-                canAccessProtectedData={canAccessProtectedData}
-              />
-            ) : null}
-          </div>
-        </motion.div>
-      </div>
-    </>
+    <div className="w-full h-full p-8">
+      <motion.div
+        initial="initial"
+        animate="in"
+        exit="out"
+        variants={pageVariants}
+        transition={pageTransition}
+        style={{ width: "100%", height: "100%" }}
+      >
+        <div className="w-full h-full flex items-center justify-center">
+          <AppModelConfig
+            forwardedRef={modelConfigSectionRef}
+          />
+        </div>
+      </motion.div>
+    </div>
   );
 }
diff --git a/frontend/app/[locale]/page.tsx b/frontend/app/[locale]/page.tsx
index 5a6d8d835..d56e06728 100644
--- a/frontend/app/[locale]/page.tsx
+++ b/frontend/app/[locale]/page.tsx
@@ -15,6 +15,8 @@ import { Button } from "antd";
 import { Card, CardContent } from "@/components/ui/card";
 import { motion } from "framer-motion";
 import { useDeployment } from "@/components/providers/deploymentProvider";
+import { useAuthenticationContext } from "@/components/providers/AuthenticationProvider";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
 
 /**
  * Homepage main content component
@@ -22,11 +24,35 @@ import { useDeployment } from "@/components/providers/deploymentProvider";
 export default function Homepage() {
   const { t } = useTranslation("common");
   const { isSpeedMode } = useDeployment();
+  const { isAuthenticated, openAuthPromptModal } = useAuthenticationContext();
+  const { canAccessRoute, openAuthzPromptModal } = useAuthorizationContext();
   const router = useRouter();
 
-  const onChatNavigate = () => router.push("/chat");
-  const onSetupNavigate = () => router.push("/setup");
-  const onSpaceNavigate = () => router.push("/space");
+  /**
+ * Navigate to a route with permission pre-check
+ * Returns true if navigation is allowed, false if permission is denied
+ */
+  const navigateWithPermissionCheck = (route: string): boolean => {
+    // Check authentication first
+    if (!isAuthenticated && !isSpeedMode) {
+      openAuthPromptModal();
+      return false;
+    }
+
+    // Check authorization - if user is authenticated but doesn't have route access
+    if (isAuthenticated && !canAccessRoute(route)) {
+      openAuthzPromptModal();
+      return false;
+    }
+
+    // User has permission, navigate
+    router.push(route);
+    return true;
+  };
+
+  const navigateToChat = () => navigateWithPermissionCheck("/chat");
+  const navigateToSetup = () => navigateWithPermissionCheck("/setup");
+  const navigateToSpace = () => navigateWithPermissionCheck("/space");
 
   return (
     <div className="w-full h-full flex flex-col items-center justify-center">
@@ -63,7 +89,7 @@ export default function Homepage() {
         >
           
           <Button
-            onClick={onChatNavigate}
+            onClick={navigateToChat}
             className="bg-blue-600 hover:bg-blue-700 text-white px-8 py-6 rounded-full text-lg font-medium shadow-lg hover:shadow-xl transition-all duration-300 group"
           >
             <Bot className="mr-2 h-5 w-5 group-hover:animate-pulse" />
@@ -71,7 +97,7 @@ export default function Homepage() {
           </Button>
 
           <Button
-            onClick={onSetupNavigate}
+            onClick={navigateToSetup}
             className="bg-blue-600 hover:bg-blue-700 text-white px-8 py-6 rounded-full text-lg font-medium shadow-lg hover:shadow-xl transition-all duration-300 group"
           >
             <Zap className="mr-2 h-5 w-5 group-hover:animate-pulse" />
@@ -79,7 +105,7 @@ export default function Homepage() {
           </Button>
 
           <Button
-            onClick={onSpaceNavigate}
+            onClick={navigateToSpace}
             className="bg-blue-600 hover:bg-blue-700 text-white px-8 py-6 rounded-full text-lg font-medium shadow-lg hover:shadow-xl transition-all duration-300 group"
           >
             <Globe className="mr-2 h-5 w-5 group-hover:animate-pulse" />
diff --git a/frontend/app/[locale]/setup/page.tsx b/frontend/app/[locale]/setup/page.tsx
index d24e5af40..fb06ba386 100644
--- a/frontend/app/[locale]/setup/page.tsx
+++ b/frontend/app/[locale]/setup/page.tsx
@@ -1,10 +1,11 @@
 "use client";
 
 import { useState } from "react";
-import { USER_ROLES } from "@/const/modelConfig";
 import { Steps, Button } from "antd";
 import { ChevronLeft, ChevronRight, Check } from "lucide-react";
 import { useSetupFlow } from "@/hooks/useSetupFlow";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
+import { useDeployment } from "@/components/providers/deploymentProvider";
 import ModelsContent from "../models/page";
 import KnowledgesContent from "../knowledges/page";
 import AgentSetupOrchestrator from "../agents/page";
@@ -12,14 +13,11 @@ import AgentSetupOrchestrator from "../agents/page";
 type SetupStep = "models" | "knowledges" | "agents";
 
 export default function SetupPage() {
-  const { t, router, canAccessProtectedData, isSpeedMode, user } = useSetupFlow(
-    {
-      requireAdmin: true,
-      nonAdminRedirect: "/setup/knowledges",
-    }
-  );
+  const { t, router } = useSetupFlow({});
 
-  const isAdmin = isSpeedMode || user?.role === USER_ROLES.ADMIN;
+  // Get auth state directly from providers
+  const { isSpeedMode } = useDeployment();
+  const { user } = useAuthorizationContext();
 
   const [currentStepIndex, setCurrentStepIndex] = useState<number>(0);
   const [isSaving, setIsSaving] = useState(false);
@@ -91,10 +89,6 @@ export default function SetupPage() {
     }
   };
 
-  // 如果没有访问权限，返回 null 让 SESSION_EXPIRED 事件处理登录弹窗
-  if (!canAccessProtectedData || !isAdmin) {
-    return null;
-  }
 
   return (
     <div className="w-full h-full flex flex-col bg-slate-50 dark:bg-slate-900 font-sans overflow-hidden">
diff --git a/frontend/app/[locale]/space/components/AgentCard.tsx b/frontend/app/[locale]/space/components/AgentCard.tsx
index 749280ea2..9b9cff7a0 100644
--- a/frontend/app/[locale]/space/components/AgentCard.tsx
+++ b/frontend/app/[locale]/space/components/AgentCard.tsx
@@ -15,7 +15,6 @@ import {
   Sparkles,
 } from "lucide-react";
 import { useQueryClient } from "@tanstack/react-query";
-import { clearAgentAndSync } from "@/lib/agentNewUtils";
 
 import { Avatar } from "antd";
 import AgentCallRelationshipModal from "@/components/ui/AgentCallRelationshipModal";
@@ -27,9 +26,10 @@ import {
   clearAgentNewMark,
 } from "@/services/agentConfigService";
 import { generateAvatarFromName } from "@/lib/avatar";
-import { useAuth } from "@/hooks/useAuth";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
+import { useDeployment } from "@/components/providers/deploymentProvider";
 import { useConfirmModal } from "@/hooks/useConfirmModal";
-import { USER_ROLES } from "@/const/modelConfig";
+import { USER_ROLES } from "@/const/auth";
 import { Agent } from "@/types/agentConfig";
 import log from "@/lib/logger";
 
@@ -41,7 +41,8 @@ interface AgentCardProps {
 export default function AgentCard({ agent, onRefresh }: AgentCardProps) {
   const { t } = useTranslation("common");
   const { message } = App.useApp();
-  const { user, isSpeedMode } = useAuth();
+  const { user } = useAuthorizationContext();
+  const { isSpeedMode } = useDeployment();
   const { confirm } = useConfirmModal();
   const router = useRouter();
 
@@ -52,8 +53,6 @@ export default function AgentCard({ agent, onRefresh }: AgentCardProps) {
   const [agentDetails, setAgentDetails] = useState<any>(null);
   const [isLoadingDetails, setIsLoadingDetails] = useState(false);
 
-  // Check if user is admin (or in speed mode where all features are available)
-  const isAdmin = isSpeedMode || user?.role === USER_ROLES.ADMIN;
 
   // Generate avatar URL from agent name
   const avatarUrl = generateAvatarFromName(agent.display_name || agent.name);
@@ -152,9 +151,10 @@ export default function AgentCard({ agent, onRefresh }: AgentCardProps) {
     // Mark agent as viewed (clear NEW marker in database)
     if (isNewAgent) {
       try {
-        const result = await clearAgentAndSync(agent.id, queryClient);
+        const result = await clearAgentNewMark(agent.id);
         if (result?.success) {
           setIsNewAgent(false); 
+          queryClient.invalidateQueries({ queryKey: ["agents"] });
         } else {
           log.warn("Failed to clear NEW mark for agent", agent.id, result);
         }
@@ -247,8 +247,8 @@ export default function AgentCard({ agent, onRefresh }: AgentCardProps) {
 
         {/* Action buttons */}
         <div className="flex items-center justify-end gap-2 pt-2 border-t border-slate-200 dark:border-slate-700">
-          {/* Edit button - only for admin */}
-          {isAdmin && (
+
+
             <button
               onClick={(e) => {
                 e.stopPropagation();
@@ -259,10 +259,8 @@ export default function AgentCard({ agent, onRefresh }: AgentCardProps) {
             >
               <Edit className="h-4 w-4" />
             </button>
-          )}
 
-          {/* Delete button - only for admin */}
-          {isAdmin && (
+
             <button
               onClick={(e) => {
                 e.stopPropagation();
@@ -274,7 +272,6 @@ export default function AgentCard({ agent, onRefresh }: AgentCardProps) {
             >
               <Trash2 className="h-4 w-4" />
             </button>
-          )}
 
           <button
             onClick={(e) => {
diff --git a/frontend/app/[locale]/space/components/AgentDetailModal.tsx b/frontend/app/[locale]/space/components/AgentDetailModal.tsx
index e07c12132..79c62c7fd 100644
--- a/frontend/app/[locale]/space/components/AgentDetailModal.tsx
+++ b/frontend/app/[locale]/space/components/AgentDetailModal.tsx
@@ -91,18 +91,15 @@ export default function AgentDetailModal({
       children: (
         <div className="space-y-4">
           <Descriptions column={1} bordered labelStyle={{ fontWeight: 600, whiteSpace: 'nowrap' }}>
+          <Descriptions.Item label={t("space.detail.businessLogicModel", "Business Logic Model")}>
+              {agentDetails?.business_logic_model_name || "-"}
+            </Descriptions.Item>
             <Descriptions.Item label={t("space.detail.model", "Model Name")}>
               {agentDetails?.model || "-"}
             </Descriptions.Item>
             <Descriptions.Item label={t("space.detail.maxStep", "Max Steps")}>
               {agentDetails?.max_step || 0}
             </Descriptions.Item>
-            <Descriptions.Item label={t("space.detail.businessLogicModel", "Business Logic Model")}>
-              {agentDetails?.business_logic_model_name || "-"}
-            </Descriptions.Item>
-            <Descriptions.Item label={t("space.detail.businessLogicModelId", "Business Logic Model ID")}>
-              {agentDetails?.business_logic_model_id || "-"}
-            </Descriptions.Item>
             <Descriptions.Item label={t("space.detail.provideRunSummary", "Provide Run Summary")}>
               {agentDetails?.provide_run_summary ? (
                 <Tag color="green">{t("common.yes", "Yes")}</Tag>
diff --git a/frontend/app/[locale]/space/page.tsx b/frontend/app/[locale]/space/page.tsx
index 3b1f168a3..9bc72eb90 100644
--- a/frontend/app/[locale]/space/page.tsx
+++ b/frontend/app/[locale]/space/page.tsx
@@ -6,10 +6,9 @@ import { useTranslation } from "react-i18next";
 import { motion } from "framer-motion";
 import { App } from "antd";
 import { Plus, RefreshCw, Upload } from "lucide-react";
-import { USER_ROLES } from "@/const/modelConfig";
-import { useAuth } from "@/hooks/useAuth";
+
 import { useSetupFlow } from "@/hooks/useSetupFlow";
-import { useAgentList } from "@/hooks/agent/useAgentList";
+import { usePublishedAgentList } from "@/hooks/agent/usePublishedAgentList";
 import { Agent } from "@/types/agentConfig";
 import AgentCard from "./components/AgentCard";
 import { ImportAgentData } from "@/hooks/useAgentImport";
@@ -25,22 +24,15 @@ export default function SpacePage() {
 
   const { t } = useTranslation("common");
   const { message } = App.useApp();
-  const { user, isSpeedMode } = useAuth();
-  const { canAccessProtectedData, pageVariants, pageTransition } = useSetupFlow(
-    {
-      requireAdmin: false,
-    }
-  );
+  const { pageVariants, pageTransition } = useSetupFlow();
   const [isImporting, setIsImporting] = useState(false);
-  const { agents, isLoading, invalidate } = useAgentList();
+  const { agents, isLoading, invalidate } = usePublishedAgentList();
 
   // Import wizard state
   const [importWizardVisible, setImportWizardVisible] = useState(false);
   const [importWizardData, setImportWizardData] =
     useState<ImportAgentData | null>(null);
 
-  // Check if user is admin (or in speed mode where all features are available)
-  const isAdmin = isSpeedMode || user?.role === USER_ROLES.ADMIN;
 
   const handleCreateAgent = () => {
     router.push("/agents?create=true");
@@ -93,9 +85,6 @@ export default function SpacePage() {
     fileInput.click();
   };
 
-  if (!canAccessProtectedData) {
-    return null;
-  }
 
   return (
     <div className="w-full h-full">
@@ -153,7 +142,6 @@ export default function SpacePage() {
             className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 gap-4 pb-8"
           >
             {/* Create/Import agent card - only for admin */}
-            {isAdmin && (
               <motion.div
                 initial={{ opacity: 0, scale: 0.9 }}
                 animate={{ opacity: 1, scale: 1 }}
@@ -191,7 +179,6 @@ export default function SpacePage() {
                   </button>
                 </div>
               </motion.div>
-            )}
 
             {/* Agent cards */}
             {agents.map((agent: Agent, index: number) => (
diff --git a/frontend/app/[locale]/tenant-resources/components/UserManageComp.tsx b/frontend/app/[locale]/tenant-resources/components/UserManageComp.tsx
index 74d60edb4..a8ba0035f 100644
--- a/frontend/app/[locale]/tenant-resources/components/UserManageComp.tsx
+++ b/frontend/app/[locale]/tenant-resources/components/UserManageComp.tsx
@@ -1,6 +1,6 @@
 "use client";
 
-import React, { useState } from "react";
+import React, { useState, useEffect, useRef } from "react";
 import {
   Row,
   Col,
@@ -15,14 +15,12 @@ import {
 } from "antd";
 import { motion } from "framer-motion";
 import { useTranslation } from "react-i18next";
-import { Users, Plus, Edit, Trash2, Building2 } from "lucide-react";
-import { useAuth } from "@/hooks/useAuth";
+import { Users, Plus, Edit, Edit2, Building2 } from "lucide-react";
 import { useTenantList } from "@/hooks/tenant/useTenantList";
 import {
   type Tenant,
   createTenant,
   updateTenant,
-  deleteTenant,
 } from "@/services/tenantService";
 import UserList from "./resources/UserList";
 import GroupList from "./resources/GroupList";
@@ -32,7 +30,9 @@ import InvitationList from "./resources/InvitationList";
 import AgentList from "./resources/AgentList";
 import McpList from "./resources/McpList";
 import { useDeployment } from "@/components/providers/deploymentProvider";
-import { USER_ROLES } from "@/const/modelConfig";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
+import { USER_ROLES } from "@/const/auth";
+import { Can } from "@/components/permission/Can";
 
 // Removed mockTenants - now using real data from API
 
@@ -69,6 +69,8 @@ function TenantList({
     setModalVisible(true);
   };
 
+  // Tenant deletion not yet implemented
+  /*
   const handleDelete = async (tenantId: string) => {
     try {
       await deleteTenant(tenantId);
@@ -83,6 +85,7 @@ function TenantList({
       message.error(t("tenantResources.tenantDeleteFailed"));
     }
   };
+  */
 
   const handleSubmit = async () => {
     try {
@@ -102,8 +105,20 @@ function TenantList({
         message.success(t("tenantResources.tenants.created"));
       }
       setModalVisible(false);
-    } catch (err) {
-      message.error(t("tenantResources.tenantOperationFailed"));
+    } catch (err: any) {
+      const errorMessage = err?.response?.data?.message || err?.message || "";
+      const nameConflictMatch = errorMessage.match(/Tenant with name '(.*)' already exists/i);
+
+      if (nameConflictMatch && nameConflictMatch[1]) {
+        // Extract the duplicate name and show translated error
+        message.error(t("tenantResources.tenants.nameExists", { name: nameConflictMatch[1] }));
+      } else if (errorMessage.includes("Tenant name cannot be empty")) {
+        // Handle empty name error
+        message.error(t("tenantResources.tenants.nameRequired"));
+      } else {
+        // Show generic error for other cases
+        message.error(t("tenantResources.tenantOperationFailed"));
+      }
     }
   };
 
@@ -156,16 +171,20 @@ function TenantList({
                     }}
                     className="p-1 hover:bg-gray-200 rounded"
                   />
+                  {/* Delete button hidden - tenant deletion not yet implemented */}
+                  {/*
                   <Popconfirm
                     title={t("tenantResources.tenants.confirmDelete", {
                       name: tenant.tenant_name,
                     })}
-                    description="This action cannot be undone."
+                    description={t("common.cannotBeUndone")}
                     onConfirm={(e) => {
                       e?.stopPropagation();
                       handleDelete(tenant.tenant_id);
                     }}
                     onCancel={(e) => e?.stopPropagation()}
+                    okText={t("common.confirm")}
+                    cancelText={t("common.cancel")}
                   >
                     <Button
                       type="text"
@@ -175,6 +194,7 @@ function TenantList({
                       className="p-1 hover:bg-red-100 text-red-500 hover:text-red-600 rounded"
                     />
                   </Popconfirm>
+                  */}
                 </div>
               </div>
             </div>
@@ -192,6 +212,8 @@ function TenantList({
         open={modalVisible}
         onOk={handleSubmit}
         onCancel={() => setModalVisible(false)}
+        okText={t("common.confirm")}
+        cancelText={t("common.cancel")}
       >
         <Form layout="vertical" form={form}>
           <Form.Item
@@ -215,11 +237,11 @@ function TenantList({
 export default function UserManageComp() {
   const { t } = useTranslation("common");
   const { message } = App.useApp();
+  const { user } = useAuthorizationContext();
   const { isSpeedMode } = useDeployment();
-  const { user } = useAuth()
 
   // Check if user is super admin (speed mode or admin role)
-  const isSuperAdmin = isSpeedMode || user?.role === USER_ROLES.ADMIN;
+  const isSuperAdmin = isSpeedMode || user?.role === USER_ROLES.SU;
 
   // Get real tenant data from API
   const {
@@ -232,13 +254,71 @@ export default function UserManageComp() {
   // Tenant management state for super admin operations
   const [tenantsState, setTenantsState] = useState<Tenant[]>([]);
 
-  // For non-super admins, use their current tenant (from user metadata or default)
-  const [tenantId, setTenantId] = useState<string | null>(tenants[0]?.tenant_id || null);
+  // For non-super admins, automatically select their own tenant based on user.tenantId
+  const [tenantId, setTenantId] = useState<string | null>(null);
+  useEffect(() => {
+    if (!isSuperAdmin && user?.tenantId && !tenantId) {
+      setTenantId(user.tenantId);
+    }
+  }, [isSuperAdmin, tenantId, user?.tenantId]);
 
   // Get current tenant name
   const currentTenant = tenants.find((t) => t.tenant_id === tenantId);
   const currentTenantName = currentTenant?.tenant_name || t("tenantResources.tenants.unnamed");
 
+  // Tenant name editing states
+  const [isEditingTenantName, setIsEditingTenantName] = useState(false);
+  const [editingTenantName, setEditingTenantName] = useState("");
+  const tenantNameInputRef = useRef<any>(null);
+
+  // Start editing tenant name
+  const startEditingTenantName = () => {
+    if (!tenantId) return;
+    setEditingTenantName(currentTenantName);
+    setIsEditingTenantName(true);
+    // Focus input after render
+    setTimeout(() => {
+      tenantNameInputRef.current?.focus();
+    }, 0);
+  };
+
+  // Save tenant name
+  const saveTenantName = async () => {
+    if (!tenantId) return;
+    const trimmedName = editingTenantName.trim();
+    if (!trimmedName) {
+      message.error(t("tenantResources.tenants.nameRequired"));
+      return;
+    }
+    if (trimmedName === currentTenantName) {
+      setIsEditingTenantName(false);
+      return;
+    }
+    try {
+      await updateTenant(tenantId, { tenant_name: trimmedName });
+      await refetchTenants();
+      message.success(t("tenantResources.tenants.updated"));
+      setIsEditingTenantName(false);
+    } catch (error) {
+      message.error(t("tenantResources.tenantOperationFailed"));
+    }
+  };
+
+  // Cancel editing tenant name
+  const cancelEditingTenantName = () => {
+    setEditingTenantName("");
+    setIsEditingTenantName(false);
+  };
+
+  // Handle input key events
+  const handleTenantNameKeyDown = (e: React.KeyboardEvent) => {
+    if (e.key === "Enter") {
+      saveTenantName();
+    } else if (e.key === "Escape") {
+      cancelEditingTenantName();
+    }
+  };
+
   return (
     <div className="w-full h-full">
       {/* Page header: grouped header without dividing line */}
@@ -266,36 +346,57 @@ export default function UserManageComp() {
           </motion.div>
         </div>
       </div>
-      <Row className="h-full">
-        <Col className="h-full" style={{ width: 300 }}>
-          <div className="h-full pr-6">
-            <div className="sticky top-6">
-              <div className="bg-white dark:bg-gray-800 rounded-md shadow-sm p-3">
-                <TenantList
-                  selected={tenantId}
-                  onSelect={(id) => setTenantId(id)}
-                  tenants={tenants}
-                  onTenantsChange={setTenantsState}
-                  onTenantsRefetch={refetchTenants}
-                  loading={tenantsLoading}
-                  t={t}
-                />
+      <Row className="flex-1 min-h-0 h-full" align="stretch">
+        <Can permission="tenant.list:read">
+          <Col className="flex flex-col h-full" style={{ width: 300 }}>
+            <div className="h-full pr-6">
+              <div className="sticky top-6">
+                <div className="bg-white dark:bg-gray-800 rounded-md shadow-sm p-3">
+                  <TenantList
+                    selected={tenantId}
+                    onSelect={(id) => setTenantId(id)}
+                    tenants={tenants}
+                    onTenantsChange={setTenantsState}
+                    onTenantsRefetch={refetchTenants}
+                    loading={tenantsLoading}
+                    t={t}
+                  />
+                </div>
               </div>
             </div>
-          </div>
-        </Col>
-        <Col className="flex-1 p-6">
-          <div className="bg-white dark:bg-gray-800 rounded-md shadow-sm p-4 min-h-[300px]">
+          </Col>
+        </Can>
+        <Col className="flex-1 flex flex-col p-6 overflow-hidden">
+          <div className="bg-white dark:bg-gray-800 rounded-md shadow-sm p-4 h-full flex flex-col overflow-hidden">
             {/* Tenant name header */}
-            <div className="mb-4 pb-2 border-b border-gray-200 dark:border-gray-700">
-              <h2 className="text-lg font-semibold text-gray-900 dark:text-gray-100">
-                {currentTenantName}
-              </h2>
+            <div className="mb-4 pb-2 border-b border-gray-200 dark:border-gray-700 flex-shrink-0">
+              {isEditingTenantName ? (
+                <Input
+                  ref={tenantNameInputRef}
+                  value={editingTenantName}
+                  onChange={(e) => setEditingTenantName(e.target.value)}
+                  onBlur={saveTenantName}
+                  onKeyDown={handleTenantNameKeyDown}
+                  className="text-lg font-semibold text-gray-900 dark:text-gray-100"
+                  placeholder={t("tenantResources.tenants.name")}
+                />
+              ) : (
+                <div
+                  className="flex items-center gap-2 group cursor-pointer"
+                  onClick={startEditingTenantName}
+                >
+                  <h2 className="text-lg font-semibold text-gray-900 dark:text-gray-100">
+                    {currentTenantName}
+                  </h2>
+                  <Edit2 className="h-4 w-4 text-gray-400 opacity-0 group-hover:opacity-100 transition-opacity" />
+                </div>
+              )}
             </div>
 
             {tenantId ? (
               <Tabs
                 defaultActiveKey="users"
+                className="h-full flex flex-col"
                 items={[
                   {
                     key: "users",
diff --git a/frontend/app/[locale]/tenant-resources/components/resources/AgentList.tsx b/frontend/app/[locale]/tenant-resources/components/resources/AgentList.tsx
index 5c854a5b2..499c6e297 100644
--- a/frontend/app/[locale]/tenant-resources/components/resources/AgentList.tsx
+++ b/frontend/app/[locale]/tenant-resources/components/resources/AgentList.tsx
@@ -17,19 +17,22 @@ import {
   Spin,
 } from "antd";
 import {
-  Edit,
   Trash2,
   Maximize2,
-  CircleCheck,
+  CheckCircle,
   CircleSlash,
+  Clock,
+  Eye,
 } from "lucide-react";
 import { useQueryClient } from "@tanstack/react-query";
 
 import { useAgentList } from "@/hooks/agent/useAgentList";
 import { useGroupList } from "@/hooks/group/useGroupList";
-import { deleteAgent, searchAgentInfo, updateAgentInfo } from "@/services/agentConfigService";
+import { deleteAgent, searchAgentInfo } from "@/services/agentConfigService";
+import { fetchAgentVersionList } from "@/services/agentVersionService";
 import { Agent } from "@/types/agentConfig";
 import ExpandEditModal from "@/app/agents/components/agentInfo/ExpandEditModal";
+import type { AgentVersion } from "@/services/agentVersionService";
 
 const { Text } = Typography;
 const { TextArea } = Input;
@@ -48,15 +51,10 @@ type AgentListRow = Pick<
   model_id?: number;
   model_name?: string;
   model_display_name?: string;
+  is_published?: boolean;
+  current_version_no?: number;
 };
 
-// Fullscreen edit modal state interface
-interface FullscreenEditState {
-  visible: boolean;
-  field: "description" | "duty_prompt" | "constraint_prompt" | "few_shots_prompt" | null;
-  title: string;
-  value: string;
-}
 
 export default function AgentList({ tenantId }: { tenantId: string | null }) {
   const { t } = useTranslation("common");
@@ -79,23 +77,31 @@ export default function AgentList({ tenantId }: { tenantId: string | null }) {
     }
   };
 
-  // Edit modal state
+  // View modal state
   const [editModalVisible, setEditModalVisible] = useState(false);
   const [editingAgent, setEditingAgent] = useState<AgentListRow | null>(null);
   const [isLoadingDetail, setIsLoadingDetail] = useState(false);
-  const [isSaving, setIsSaving] = useState(false);
 
-  // Fullscreen edit modal state
-  const [fullscreenEdit, setFullscreenEdit] = useState<FullscreenEditState>({
+  // Fullscreen view modal state
+  const [fullscreenEdit, setFullscreenEdit] = useState<{
+    visible: boolean;
+    field: "description" | "duty_prompt" | "constraint_prompt" | "few_shots_prompt" | null;
+    title: string;
+    value: string;
+  }>({
     visible: false,
     field: null,
     title: "",
     value: "",
   });
 
-  const { agents, isLoading, refetch } = useAgentList({
-    staleTime: 0, // Always fetch fresh data for admin view
-  });
+  // Version list state for each agent
+  const [agentVersions, setAgentVersions] = useState<Map<number, AgentVersion[]>>(new Map());
+  const [loadingVersions, setLoadingVersions] = useState<Map<number, boolean>>(new Map());
+  // Selected version for each agent (0 means current version)
+  const [selectedVersions, setSelectedVersions] = useState<Map<number, number>>(new Map());
+
+  const { agents, isLoading, refetch } = useAgentList(tenantId);
 
   // Fetch groups for group name mapping and selection
   const { data: groupData } = useGroupList(tenantId, 1, 100);
@@ -119,7 +125,7 @@ export default function AgentList({ tenantId }: { tenantId: string | null }) {
   const handleDelete = async (agent: AgentListRow) => {
     try {
       // Agent ID is string in frontend type but number in backend service
-      const res = await deleteAgent(Number(agent.id));
+      const res = await deleteAgent(Number(agent.id), tenantId ?? undefined);
       if (res.success) {
         message.success(t("businessLogic.config.error.agentDeleteSuccess"));
         queryClient.invalidateQueries({ queryKey: ["agents"] });
@@ -137,7 +143,10 @@ export default function AgentList({ tenantId }: { tenantId: string | null }) {
     setEditModalVisible(true);
 
     try {
-      const res = await searchAgentInfo(Number(agent.id));
+      const agentId = Number(agent.id);
+      // Get selected version for this agent (default to 0 for current version)
+      const selectedVersionNo = selectedVersions.get(agentId) ?? 0;
+      const res = await searchAgentInfo(agentId, tenantId ?? undefined, selectedVersionNo);
       if (res.success && res.data) {
         const detail = res.data;
         setEditingAgent(agent);
@@ -161,50 +170,13 @@ export default function AgentList({ tenantId }: { tenantId: string | null }) {
     }
   };
 
-  const handleEditSubmit = async () => {
-    if (!editingAgent) return;
-
-    try {
-      const values = await form.validateFields();
-      setIsSaving(true);
-
-      const groupIds = (values.group_ids || [])
-        .map((id: unknown) => Number(id))
-        .filter((id: number) => Number.isFinite(id));
-
-      const res = await updateAgentInfo({
-        agent_id: Number(editingAgent.id),
-        name: editingAgent.name,
-        display_name: values.display_name,
-        description: values.description,
-        duty_prompt: values.duty_prompt,
-        constraint_prompt: values.constraint_prompt,
-        few_shots_prompt: values.few_shots_prompt,
-        group_ids: groupIds,
-        author: editingAgent.author,
-      });
-
-      if (res.success) {
-        message.success(t("businessLogic.config.message.agentSaveSuccess"));
-        setEditModalVisible(false);
-        queryClient.invalidateQueries({ queryKey: ["agents"] });
-      } else {
-        message.error(res.message || t("businessLogic.config.error.saveFailed"));
-      }
-    } catch (error) {
-      message.error(t("businessLogic.config.error.saveFailed"));
-    } finally {
-      setIsSaving(false);
-    }
-  };
-
   const handleEditModalCancel = () => {
     setEditModalVisible(false);
     setEditingAgent(null);
     form.resetFields();
   };
 
-  // Fullscreen edit handlers
+  // Fullscreen view handlers
   const openFullscreenEdit = (
     field: "description" | "duty_prompt" | "constraint_prompt" | "few_shots_prompt",
     title: string
@@ -219,30 +191,51 @@ export default function AgentList({ tenantId }: { tenantId: string | null }) {
   };
 
   const handleFullscreenSave = (value: string) => {
-    if (fullscreenEdit.field) {
-      form.setFieldValue(fullscreenEdit.field, value);
-    }
+    // In view mode, don't save changes, just close
     setFullscreenEdit({ visible: false, field: null, title: "", value: "" });
   };
 
+  // Load agent versions when dropdown is opened
+  const handleVersionDropdownOpen = async (agentId: number, open: boolean) => {
+    if (open && !agentVersions.has(agentId)) {
+      setLoadingVersions(prev => new Map(prev).set(agentId, true));
+      try {
+        const res = await fetchAgentVersionList(agentId, tenantId ?? undefined);
+        if (res.success && res.data) {
+          setAgentVersions(prev => new Map(prev).set(agentId, res.data.items || []));
+        } else {
+          message.error(res.message || t("common.unknownError"));
+        }
+      } catch (error) {
+        message.error(t("common.unknownError"));
+      } finally {
+        setLoadingVersions(prev => {
+          const newMap = new Map(prev);
+          newMap.delete(agentId);
+          return newMap;
+        });
+      }
+    }
+  };
+
   const columns = [
     {
       title: t("agent.displayName"),
       dataIndex: "display_name",
       key: "display_name",
-      width: "15%",
+      width: "14%",
       render: (text: string) => <Text strong>{text}</Text>,
     },
     {
       title: t("agent.name"),
       dataIndex: "name",
       key: "name",
-      width: "15%",
+      width: "14%",
     },
     {
       title: t("agent.llmModel"),
       key: "llm_model",
-      width: "20%",
+      width: "18%",
       render: (_: unknown, record: AgentListRow) => {
         const primary = record.model_display_name || record.model_name || "-";
         const secondary = record.model_name || "";
@@ -282,11 +275,70 @@ export default function AgentList({ tenantId }: { tenantId: string | null }) {
         );
       },
     },
+    {
+      title: t("agent.version"),
+      key: "version",
+      width: "10%",
+      render: (_: unknown, record: AgentListRow) => {
+        const agentId = Number(record.id);
+        const versions = agentVersions.get(agentId) || [];
+        const isLoading = loadingVersions.get(agentId) || false;
+        // Default to 0 (current version) if not selected
+        const selectedVersionNo = selectedVersions.has(agentId)
+          ? selectedVersions.get(agentId)!
+          : 0;
+
+        // Build options: current version (0) first, then other versions
+        const options = [
+          {
+            label: t("agent.version.current"),
+            value: 0,
+          },
+          ...versions.map((version) => ({
+            label: version.version_name,
+            value: version.version_no,
+          })),
+        ];
+
+        return (
+          <Select
+            placeholder={t("agent.version.current")}
+            value={selectedVersionNo}
+            loading={isLoading}
+            onDropdownVisibleChange={(open) => handleVersionDropdownOpen(agentId, open)}
+            onChange={(value) => {
+              setSelectedVersions(prev => new Map(prev).set(agentId, value));
+            }}
+            style={{ width: "100%" }}
+            options={options}
+          />
+        );
+      },
+    },
     {
       title: t("common.status"),
       key: "status",
-      width: "15%",
+      width: "10%",
       render: (_: unknown, record: AgentListRow) => {
+        const isPublished = record.is_published === true;
+
+        // If not published, only show unpublished status
+        if (!isPublished) {
+          return (
+            <div className="flex items-center gap-2 min-w-0">
+              <Tag
+                color="#AEB6BF"
+                className="inline-flex items-center"
+                variant="solid"
+              >
+                <Clock className="w-3 h-3 mr-1" />
+                {t("agent.status.unpublished")}
+              </Tag>
+            </div>
+          );
+        }
+
+        // If published, show available/unavailable status
         const isAvailable = record.is_available !== false;
         const reasons = Array.isArray(record.unavailable_reasons)
           ? record.unavailable_reasons.filter((r) => Boolean(r))
@@ -297,11 +349,11 @@ export default function AgentList({ tenantId }: { tenantId: string | null }) {
           <div className="flex items-center gap-2 min-w-0">
             {isAvailable ? (
               <Tag
-                color="success"
+                color="#229954"
                 className="inline-flex items-center"
                 variant="solid"
               >
-                <CircleCheck className="mr-1" size={12} />
+                <CheckCircle className="w-3 h-3 mr-1" />
                 {t("mcpConfig.status.available")}
               </Tag>
             ) : (
@@ -310,11 +362,11 @@ export default function AgentList({ tenantId }: { tenantId: string | null }) {
                 placement="top"
               >
                 <Tag
-                  color="error"
+                  color="#E74C3C"
                   className="inline-flex items-center"
                   variant="solid"
                 >
-                  <CircleSlash className="mr-1" size={12} />
+                  <CircleSlash className="w-3.5 h-3 mr-1" />
                   {t("mcpConfig.status.unavailable")}
                 </Tag>
               </Tooltip>
@@ -326,13 +378,13 @@ export default function AgentList({ tenantId }: { tenantId: string | null }) {
     {
       title: t("common.actions"),
       key: "action",
-      width: "25%",
+      width: "14%",
       render: (_: any, record: AgentListRow) => (
         <div className="flex items-center space-x-2">
-          <Tooltip title={t("common.edit")}>
+          <Tooltip title={t("agent.action.view")}>
             <Button
               type="text"
-              icon={<Edit className="h-4 w-4" />}
+              icon={<Eye className="h-4 w-4" />}
               onClick={() => openEditModal(record)}
               size="small"
             />
@@ -341,7 +393,7 @@ export default function AgentList({ tenantId }: { tenantId: string | null }) {
             title={t("businessLogic.config.modal.deleteTitle")}
             description={t("businessLogic.config.modal.deleteContent", { name: record.display_name })}
             onConfirm={() => handleDelete(record)}
-            okText={t("common.delete")}
+            okText={t("common.confirm")}
             cancelText={t("common.cancel")}
           >
             <Tooltip title={t("common.delete")}>
@@ -359,9 +411,9 @@ export default function AgentList({ tenantId }: { tenantId: string | null }) {
   ];
 
   return (
-    <div className="flex flex-col">
-      <div className="space-y-6">
-        <div>
+    <div className="h-full flex flex-col overflow-hidden">
+      <div className="space-y-6 flex-1 overflow-auto">
+        <div className="min-w-0">
           <Table
             columns={columns}
             dataSource={agents as AgentListRow[]}
@@ -375,16 +427,17 @@ export default function AgentList({ tenantId }: { tenantId: string | null }) {
         </div>
       </div>
 
-      {/* Edit Modal */}
+      {/* View Modal */}
       <Modal
-        title={t("agent.action.modify")}
+        title={t("agent.action.view")}
         open={editModalVisible}
-        onOk={handleEditSubmit}
         onCancel={handleEditModalCancel}
-        okText={t("common.confirm")}
-        cancelText={t("common.cancel")}
+        footer={[
+          <Button key="close" onClick={handleEditModalCancel}>
+            {t("common.cancel")}
+          </Button>
+        ]}
         width={700}
-        confirmLoading={isSaving}
         maskClosable={false}
       >
         <Spin spinning={isLoadingDetail}>
@@ -393,7 +446,7 @@ export default function AgentList({ tenantId }: { tenantId: string | null }) {
               name="display_name"
               label={t("agent.displayName")}
             >
-              <Input placeholder={t("agent.displayNamePlaceholder")} />
+              <Input placeholder={t("agent.displayNamePlaceholder")} readOnly />
             </Form.Item>
 
             <Form.Item
@@ -411,6 +464,7 @@ export default function AgentList({ tenantId }: { tenantId: string | null }) {
                       placeholder={t("agent.descriptionPlaceholder")}
                       autoSize={{ minRows: 4, maxRows: 6 }}
                       style={{ resize: "none", paddingRight: 32 }}
+                      readOnly
                     />
                     <Tooltip title={t("common.fullscreen")}>
                       <Button
@@ -445,6 +499,7 @@ export default function AgentList({ tenantId }: { tenantId: string | null }) {
                       placeholder={t("agent.dutyPromptPlaceholder")}
                       autoSize={{ minRows: 5, maxRows: 8 }}
                       style={{ resize: "none", paddingRight: 32 }}
+                      readOnly
                     />
                     <Tooltip title={t("common.fullscreen")}>
                       <Button
@@ -479,6 +534,7 @@ export default function AgentList({ tenantId }: { tenantId: string | null }) {
                       placeholder={t("agent.constraintPromptPlaceholder")}
                       autoSize={{ minRows: 5, maxRows: 8 }}
                       style={{ resize: "none", paddingRight: 32 }}
+                      readOnly
                     />
                     <Tooltip title={t("common.fullscreen")}>
                       <Button
@@ -513,6 +569,7 @@ export default function AgentList({ tenantId }: { tenantId: string | null }) {
                       placeholder={t("agent.fewShotsPromptPlaceholder")}
                       autoSize={{ minRows: 5, maxRows: 8 }}
                       style={{ resize: "none", paddingRight: 32 }}
+                      readOnly
                     />
                     <Tooltip title={t("common.fullscreen")}>
                       <Button
@@ -543,20 +600,37 @@ export default function AgentList({ tenantId }: { tenantId: string | null }) {
                   label: group.group_name,
                   value: group.group_id,
                 }))}
-                allowClear
+                open={false}
+                onDropdownVisibleChange={() => false}
+                onClick={(e) => e.preventDefault()}
+                onFocus={(e) => e.target.blur()}
+                tagRender={(props) => {
+                  const { label } = props;
+                  return (
+                    <Tag
+                      style={{
+                        margin: "2px",
+                        border: "1px solid #d9d9d9",
+                      }}
+                    >
+                      {label}
+                    </Tag>
+                  );
+                }}
               />
             </Form.Item>
           </Form>
         </Spin>
       </Modal>
 
-      {/* Fullscreen Edit Modal */}
+      {/* Fullscreen View Modal */}
       <ExpandEditModal
         open={fullscreenEdit.visible}
         title={fullscreenEdit.title}
         content={fullscreenEdit.value}
         onClose={() => setFullscreenEdit({ visible: false, field: null, title: "", value: "" })}
         onSave={handleFullscreenSave}
+        readOnly={true}
       />
     </div>
   );
diff --git a/frontend/app/[locale]/tenant-resources/components/resources/GroupList.tsx b/frontend/app/[locale]/tenant-resources/components/resources/GroupList.tsx
index 56957aab9..6aa1e6a08 100644
--- a/frontend/app/[locale]/tenant-resources/components/resources/GroupList.tsx
+++ b/frontend/app/[locale]/tenant-resources/components/resources/GroupList.tsx
@@ -2,6 +2,7 @@
 
 import React, { useMemo, useState } from "react";
 import { useTranslation } from "react-i18next";
+import { useQueryClient } from "@tanstack/react-query";
 import {
   Table,
   Button,
@@ -33,6 +34,7 @@ import { type User } from "@/services/userService";
 
 export default function GroupList({ tenantId }: { tenantId: string | null }) {
   const { t } = useTranslation("common");
+  const queryClient = useQueryClient();
   const { data, isLoading, refetch } = useGroupList(tenantId);
   const { data: userData, refetch: refetchUsers } = useUserList(
     tenantId,
@@ -48,6 +50,11 @@ export default function GroupList({ tenantId }: { tenantId: string | null }) {
     useState<Group | null>(null);
   const [groupUsers, setGroupUsers] = useState<User[]>([]);
   const [availableUsers, setAvailableUsers] = useState<User[]>([]);
+  const [editFormInitialValues, setEditFormInitialValues] = useState<{
+    name: string;
+    description: string;
+    members: string[];
+  } | null>(null);
 
   const [form] = Form.useForm();
   const [editGroupForm] = Form.useForm();
@@ -59,31 +66,34 @@ export default function GroupList({ tenantId }: { tenantId: string | null }) {
   };
 
   const openEdit = async (g: Group) => {
-    setEditingGroup(g);
-    // Load current group members first
     try {
       const members = await getGroupMembers(g.group_id);
       setGroupUsers(members);
-      // Available users are all users minus current members
       const memberIds = new Set(members.map((u) => u.id));
       setAvailableUsers(allUsers.filter((u) => !memberIds.has(u.id)));
 
-      // Set form values after loading members
-      editGroupForm.setFieldsValue({
-        name: g.group_name,
-        description: g.group_description || "",
+      const formValues = {
+        name: g.group_name || "",
+        description: (g.group_description || "").toString(),
         members: members.map((u) => u.id),
-      });
+      };
+      setEditFormInitialValues(formValues);
+      setEditingGroup(g);
+      editGroupForm.resetFields();
+      editGroupForm.setFieldsValue(formValues);
     } catch (error) {
       message.error("Failed to load group members");
       setGroupUsers([]);
       setAvailableUsers(allUsers);
-      // Set form values even if member loading fails
-      editGroupForm.setFieldsValue({
-        name: g.group_name,
-        description: g.group_description || "",
+      const formValues = {
+        name: g.group_name || "",
+        description: (g.group_description || "").toString(),
         members: [],
-      });
+      };
+      setEditFormInitialValues(formValues);
+      setEditingGroup(g);
+      editGroupForm.resetFields();
+      editGroupForm.setFieldsValue(formValues);
     }
 
     setModalVisible(true);
@@ -105,7 +115,8 @@ export default function GroupList({ tenantId }: { tenantId: string | null }) {
     try {
       await deleteGroup(id);
       message.success("Group deleted");
-      refetch();
+      // Invalidate all group queries to ensure all components get updated data
+      queryClient.invalidateQueries({ queryKey: ["groups"] });
     } catch (err: any) {
       if (err.response?.data?.message) {
         message.error(err.response.data.message);
@@ -123,6 +134,7 @@ export default function GroupList({ tenantId }: { tenantId: string | null }) {
       if (editingGroup) {
         const updateData: UpdateGroupRequest = {
           group_name: values.name,
+          group_description: values.description,
         };
         await updateGroup(editingGroup.group_id, updateData);
         message.success("Group updated");
@@ -135,9 +147,16 @@ export default function GroupList({ tenantId }: { tenantId: string | null }) {
         message.success("Group created");
       }
       setModalVisible(false);
-      refetch();
+      // Invalidate all group queries to ensure all components get updated data
+      queryClient.invalidateQueries({ queryKey: ["groups"] });
     } catch (err: any) {
-      if (err.response?.data?.message) {
+      const errorMessage = err?.response?.data?.message || err?.message || "";
+      const nameConflictMatch = errorMessage.match(/Group with name '(.*)' already exists/i) ||
+                                errorMessage.match(/Group name '(.*)' already exists/i);
+
+      if (nameConflictMatch && nameConflictMatch[1]) {
+        message.error(t("tenantResources.groups.duplicateName"));
+      } else if (err.response?.data?.message) {
         message.error(err.response.data.message);
       }
     }
@@ -145,29 +164,35 @@ export default function GroupList({ tenantId }: { tenantId: string | null }) {
 
   const handleEditGroupSubmit = async () => {
     try {
-      const values = await editGroupForm.validateFields();
       if (!editingGroup) return;
 
-      // Update group info
+      await editGroupForm.validateFields();
+      const values = editGroupForm.getFieldsValue(true);
+
       const updateData: UpdateGroupRequest = {
         group_name: values.name,
         group_description: values.description,
       };
       await updateGroup(editingGroup.group_id, updateData);
 
-      // Update group members using batch API
       const newMemberIds = (values.members as string[]) || [];
       await updateGroupMembers(editingGroup.group_id, newMemberIds);
 
       message.success(t("tenantResources.groups.updated"));
       setModalVisible(false);
 
-      // Force refresh group list to update user counts
-      await refetch();
+      // Invalidate all group queries to ensure all components get updated data
+      queryClient.invalidateQueries({ queryKey: ["groups"] });
       // Refresh user list in case user roles/status changed
       await refetchUsers();
     } catch (err: any) {
-      if (err.response?.data?.message) {
+      const errorMessage = err?.response?.data?.message || err?.message || "";
+      const nameConflictMatch = errorMessage.match(/Group with name '(.*)' already exists/i) ||
+                                errorMessage.match(/Group name '(.*)' already exists/i);
+
+      if (nameConflictMatch && nameConflictMatch[1]) {
+        message.error(t("tenantResources.groups.duplicateName"));
+      } else if (err.response?.data?.message) {
         message.error(err.response.data.message);
       } else {
         message.error("Failed to update group");
@@ -218,6 +243,8 @@ export default function GroupList({ tenantId }: { tenantId: string | null }) {
                 name: record.group_name,
               })}
               onConfirm={() => handleDelete(record.group_id)}
+              okText={t("common.confirm")}
+              cancelText={t("common.cancel")}
             >
               <Tooltip title={t("tenantResources.groups.deleteGroup")}>
                 <Button
@@ -236,8 +263,8 @@ export default function GroupList({ tenantId }: { tenantId: string | null }) {
   );
 
   return (
-    <div>
-      <div className="flex items-center justify-between mb-4">
+    <div className="h-full flex flex-col overflow-hidden">
+      <div className="flex items-center justify-between mb-4 flex-shrink-0">
         <div />
         <div>
           <Button type="primary" onClick={openCreate}>
@@ -252,6 +279,8 @@ export default function GroupList({ tenantId }: { tenantId: string | null }) {
         rowKey={(r) => String(r.group_id)}
         loading={isLoading}
         pagination={{ pageSize: 10 }}
+        scroll={{ x: true }}
+        className="flex-1"
       />
 
       {/* Create/Edit Group Modal */}
@@ -263,11 +292,21 @@ export default function GroupList({ tenantId }: { tenantId: string | null }) {
         }
         open={modalVisible}
         onOk={editingGroup ? handleEditGroupSubmit : handleSubmit}
-        onCancel={() => setModalVisible(false)}
+        onCancel={() => {
+          setModalVisible(false);
+          editGroupForm.resetFields();
+        }}
+        destroyOnClose
+        okText={t("common.confirm")}
+        cancelText={t("common.cancel")}
         width={editingGroup ? 600 : 400}
       >
         {editingGroup ? (
-          <Form layout="vertical" form={editGroupForm}>
+          <Form
+            key={editingGroup.group_id}
+            layout="vertical"
+            form={editGroupForm}
+          >
             <Form.Item
               name="name"
               label={t("tenantResources.tenants.name")}
diff --git a/frontend/app/[locale]/tenant-resources/components/resources/InvitationList.tsx b/frontend/app/[locale]/tenant-resources/components/resources/InvitationList.tsx
index 4a107ea3a..c0f5b2aeb 100644
--- a/frontend/app/[locale]/tenant-resources/components/resources/InvitationList.tsx
+++ b/frontend/app/[locale]/tenant-resources/components/resources/InvitationList.tsx
@@ -2,6 +2,7 @@
 
 import React, { useMemo, useState } from "react";
 import { useTranslation } from "react-i18next";
+import dayjs from "dayjs";
 import {
   Table,
   Button,
@@ -25,13 +26,14 @@ import {
   createInvitation,
   updateInvitation,
   deleteInvitation,
+  checkInvitationCodeExists,
   type Invitation,
   type CreateInvitationRequest,
   type UpdateInvitationRequest,
 } from "@/services/invitationService";
 import { Plus, Edit, Trash2, CheckCircle, Clock, XCircle, Copy, CircleSlash } from "lucide-react";
 import { Tooltip } from "@/components/ui/tooltip";
-import dayjs from "dayjs";
+import { formatDate } from "@/lib/date";
 
 const { Panel } = Collapse;
 
@@ -126,11 +128,17 @@ export default function InvitationList({ tenantId }: { tenantId: string | null }
         return;
       }
 
+      // Format expiry_date from dayjs to string
+      const formattedExpiryDate =
+        values.expiry_date && dayjs(values.expiry_date).isValid()
+          ? dayjs(values.expiry_date).format("YYYY-MM-DD")
+          : undefined;
+
       if (editingInvitation) {
         // Update invitation
         const updateData: UpdateInvitationRequest = {
           capacity: values.capacity,
-          expiry_date: values.expiry_date ? values.expiry_date.format("YYYY-MM-DD") : undefined,
+          expiry_date: formattedExpiryDate,
           group_ids: values.group_ids || [],
         };
         await updateInvitation(editingInvitation.invitation_code, updateData);
@@ -143,7 +151,7 @@ export default function InvitationList({ tenantId }: { tenantId: string | null }
           invitation_code: values.invitation_code?.toUpperCase(),
           capacity: values.capacity,
           group_ids: values.group_ids || [],
-          expiry_date: values.expiry_date ? values.expiry_date.format("YYYY-MM-DD") : undefined,
+          expiry_date: formattedExpiryDate,
         };
         await createInvitation(createData);
         message.success(t("tenantResources.invitation.invitationCreated"));
@@ -239,7 +247,7 @@ export default function InvitationList({ tenantId }: { tenantId: string | null }
         key: "expiry_date",
         width: 120,
         render: (date: string) =>
-          date ? dayjs(date).format("YYYY-MM-DD") : <span className="text-gray-400">{t("tenantResources.invitation.noExpiry")}</span>,
+          date ? formatDate(date) : <span className="text-gray-400">{t("tenantResources.invitation.noExpiry")}</span>,
       },
       {
         title: t("tenantResources.invitation.groupNames"),
@@ -314,6 +322,8 @@ export default function InvitationList({ tenantId }: { tenantId: string | null }
               title={t("tenantResources.invitation.confirmDeleteInvitation", { code: record.invitation_code })}
               description={t("common.cannotBeUndone")}
               onConfirm={() => handleDelete(record.invitation_code)}
+              okText={t("common.confirm")}
+              cancelText={t("common.cancel")}
             >
               <Tooltip title={t("tenantResources.invitation.deleteInvitation")}>
                 <Button
@@ -347,8 +357,8 @@ export default function InvitationList({ tenantId }: { tenantId: string | null }
   }, [invitations, tenantId]);
 
   return (
-    <div>
-      <div className="mb-4 flex justify-between items-center">
+    <div className="h-full flex flex-col overflow-hidden">
+      <div className="mb-4 flex justify-between items-center flex-shrink-0">
         <div />
         <div>
           <Button type="primary" onClick={openCreate} icon={<Plus className="h-4 w-4"/>}>
@@ -366,6 +376,7 @@ export default function InvitationList({ tenantId }: { tenantId: string | null }
           rowKey="invitation_id"
           pagination={{ pageSize: 10 }}
           scroll={{ x: 1000 }}
+          className="flex-1"
         />
       ) : (
         // Multi-tenant view with collapse
@@ -388,7 +399,13 @@ export default function InvitationList({ tenantId }: { tenantId: string | null }
 
       {/* Create/Edit Modal */}
       <Modal
-        title={editingInvitation ? t("tenantResources.invitation.editInvitation") : t("tenantResources.invitation.createInvitation")}
+        title={
+          <span>
+            {editingInvitation
+              ? `${t("tenantResources.invitation.editInvitation")}: ${editingInvitation.invitation_code}`
+              : t("tenantResources.invitation.createInvitation")}
+          </span>
+        }
         open={modalVisible}
         onOk={handleSubmit}
         onCancel={() => setModalVisible(false)}
@@ -398,17 +415,59 @@ export default function InvitationList({ tenantId }: { tenantId: string | null }
         maskClosable={false}
       >
         <Form form={form} layout="vertical">
-          <Form.Item
-            name="code_type"
-            label={t("tenantResources.invitation.codeType")}
-            rules={[{ required: true, message: t("tenantResources.invitation.codeTypeRequired") }]}
-          >
-            <Select placeholder={t("tenantResources.invitation.codeType")}>
-              <Select.Option value="ADMIN_INVITE">{t("tenantResources.invitation.codeType.ADMIN_INVITE")}</Select.Option>
-              <Select.Option value="DEV_INVITE">{t("tenantResources.invitation.codeType.DEV_INVITE")}</Select.Option>
-              <Select.Option value="USER_INVITE">{t("tenantResources.invitation.codeType.USER_INVITE")}</Select.Option>
-            </Select>
-          </Form.Item>
+          {!editingInvitation && (
+            <Form.Item
+              name="code_type"
+              label={t("tenantResources.invitation.codeType")}
+              rules={[{ required: true, message: t("tenantResources.invitation.codeTypeRequired") }]}
+            >
+              <Select
+                placeholder={t("tenantResources.invitation.codeType")}
+                options={[
+                  { value: "ADMIN_INVITE", label: t("tenantResources.invitation.codeType.ADMIN_INVITE") },
+                  { value: "DEV_INVITE", label: t("tenantResources.invitation.codeType.DEV_INVITE") },
+                  { value: "USER_INVITE", label: t("tenantResources.invitation.codeType.USER_INVITE") },
+                ]}
+              />
+            </Form.Item>
+          )}
+
+          {!editingInvitation && (
+            <Form.Item
+              name="invitation_code"
+              label={t("tenantResources.invitation.invitationCode")}
+              rules={[
+                {
+                  pattern: /^[A-Z0-9]*$/,
+                  message: t("tenantResources.invitation.invitationCodeInvalid")
+                },
+                {
+                  validator: async (_, value) => {
+                    if (!value) {
+                      return Promise.reject(new Error("Required"));
+                    }
+                    try {
+                      const exists = await checkInvitationCodeExists(value);
+                      if (exists) {
+                        return Promise.reject(new Error(t("tenantResources.invitation.alreadyExists")));
+                      }
+                      return Promise.resolve();
+                    } catch {
+                      return Promise.reject(new Error("Failed to check invitation code"));
+                    }
+                  },
+                }
+              ]}
+            >
+              <Input
+                placeholder={t("tenantResources.invitation.invitationCode")}
+                onChange={(e) => {
+                  const value = e.target.value.toUpperCase().replace(/[^A-Z0-9]/g, "");
+                  form.setFieldsValue({ invitation_code: value });
+                }}
+              />
+            </Form.Item>
+          )}
 
           <Form.Item
             name="capacity"
@@ -430,26 +489,6 @@ export default function InvitationList({ tenantId }: { tenantId: string | null }
             <Input type="number" placeholder={t("tenantResources.invitation.capacity")} min={1} />
           </Form.Item>
 
-          <Form.Item
-            name="invitation_code"
-            label={t("tenantResources.invitation.invitationCode")}
-            rules={[
-              {
-                pattern: /^[A-Z0-9]*$/,
-                message: t("tenantResources.invitation.invitationCodeInvalid")
-              }
-            ]}
-          >
-            <Input
-              placeholder={t("tenantResources.invitation.invitationCode")}
-              onChange={(e) => {
-                // Convert to uppercase and filter invalid characters
-                const value = e.target.value.toUpperCase().replace(/[^A-Z0-9]/g, "");
-                form.setFieldsValue({ invitation_code: value });
-              }}
-            />
-          </Form.Item>
-
           <Form.Item name="group_ids" label={t("tenantResources.invitation.groupNames")}>
             <Select
               mode="multiple"
@@ -466,6 +505,10 @@ export default function InvitationList({ tenantId }: { tenantId: string | null }
               format="YYYY-MM-DD"
               placeholder={t("tenantResources.invitation.expiryDate")}
               style={{ width: "100%" }}
+              disabledDate={(current) => {
+                if (!current) return false;
+                return current < dayjs().startOf('day');
+              }}
             />
           </Form.Item>
         </Form>
diff --git a/frontend/app/[locale]/tenant-resources/components/resources/KnowledgeList.tsx b/frontend/app/[locale]/tenant-resources/components/resources/KnowledgeList.tsx
index 411facc66..06323cfbf 100644
--- a/frontend/app/[locale]/tenant-resources/components/resources/KnowledgeList.tsx
+++ b/frontend/app/[locale]/tenant-resources/components/resources/KnowledgeList.tsx
@@ -2,7 +2,7 @@
 
 import React, { useMemo, useState } from "react";
 import { useTranslation } from "react-i18next";
-import { Table, Popconfirm, message, Button, Modal, Form, Select, Tag, Input } from "antd";
+import { Table, Popconfirm, message, Button, Modal, Tag } from "antd";
 import { ColumnsType } from "antd/es/table";
 import { Edit, Trash2, BookOpen } from "lucide-react";
 import { Tooltip } from "@/components/ui/tooltip";
@@ -10,6 +10,7 @@ import { useKnowledgeList } from "@/hooks/knowledge/useKnowledgeList";
 import { useGroupList } from "@/hooks/group/useGroupList";
 import knowledgeBaseService from "@/services/knowledgeBaseService";
 import { type KnowledgeBase } from "@/types/knowledgeBase";
+import { KnowledgeBaseEditModal } from "../../../knowledges/components/knowledge/KnowledgeBaseEditModal";
 
 export default function KnowledgeList({
   tenantId,
@@ -29,7 +30,6 @@ export default function KnowledgeList({
   const [summaryModalVisible, setSummaryModalVisible] = useState(false);
   const [summaryLoading, setSummaryLoading] = useState(false);
   const [summaryContent, setSummaryContent] = useState<string>("");
-  const [form] = Form.useForm();
 
   // Create group name mapping
   const groupNameMap = useMemo(() => {
@@ -58,37 +58,9 @@ export default function KnowledgeList({
 
   const openEdit = (knowledge: KnowledgeBase) => {
     setEditingKnowledge(knowledge);
-    form.setFieldsValue({
-      knowledge_name: knowledge.name,
-      ingroup_permission: knowledge.ingroup_permission || "READ_ONLY",
-      group_ids: knowledge.group_ids || [],
-    });
     setModalVisible(true);
   };
 
-  const handleSubmit = async () => {
-    try {
-      const values = await form.validateFields();
-
-      if (!editingKnowledge) return;
-
-      await knowledgeBaseService.updateKnowledgeBase(editingKnowledge.id, {
-        knowledge_name: values.knowledge_name,
-        ingroup_permission: values.ingroup_permission,
-        group_ids: values.group_ids,
-      });
-
-      message.success(t("tenantResources.knowledgeBase.updated"));
-      setModalVisible(false);
-      refetch();
-    } catch (error: any) {
-      if (error.errorFields) {
-        return; // Form validation error
-      }
-      message.error(error.message || t("tenantResources.knowledgeBase.updateFailed"));
-    }
-  };
-
   const openEditSummary = async (knowledge: KnowledgeBase) => {
     setEditingKnowledge(knowledge);
     setSummaryLoading(true);
@@ -126,6 +98,12 @@ export default function KnowledgeList({
     return size;
   };
 
+  // Check if knowledge base is from external source (not Nexent)
+  const isExternalSource = (record: KnowledgeBase) => {
+    const source = record.source || record.knowledge_sources;
+    return source && source !== "nexent" && source !== "elasticsearch";
+  };
+
   const columns: ColumnsType<KnowledgeBase> = [
     {
       title: t("common.name"),
@@ -227,45 +205,56 @@ export default function KnowledgeList({
       key: "actions",
       width: 140,
       fixed: "right",
-      render: (_, record: KnowledgeBase) => (
-        <div className="flex items-center space-x-2">
-          <Tooltip title={t("common.edit")}>
-            <Button
-              type="text"
-              icon={<Edit className="h-4 w-4" />}
-              onClick={() => openEdit(record)}
-              size="small"
-            />
-          </Tooltip>
-          <Tooltip title={t("tenantResources.knowledgeBase.viewSummary")}>
-            <Button
-              type="text"
-              icon={<BookOpen className="h-4 w-4" />}
-              onClick={() => openEditSummary(record)}
-              size="small"
-            />
-          </Tooltip>
-          <Popconfirm
-            title={t("knowledgeBase.modal.deleteConfirm.title")}
-            description={t("common.cannotBeUndone")}
-            onConfirm={() => handleDelete(record.id)}
-          >
-            <Tooltip title={t("common.delete")}>
+      render: (_, record: KnowledgeBase) => {
+        if (isExternalSource(record)) {
+          return (
+            <span className="text-gray-400 text-sm">
+              {t("tenantResources.knowledgeBase.externalSourceDisabled")}
+            </span>
+          );
+        }
+        return (
+          <div className="flex items-center space-x-2">
+            <Tooltip title={t("common.edit")}>
               <Button
                 type="text"
-                danger
-                icon={<Trash2 className="h-4 w-4" />}
+                icon={<Edit className="h-4 w-4" />}
+                onClick={() => openEdit(record)}
                 size="small"
               />
             </Tooltip>
-          </Popconfirm>
-        </div>
-      ),
+            <Tooltip title={t("tenantResources.knowledgeBase.viewSummary")}>
+              <Button
+                type="text"
+                icon={<BookOpen className="h-4 w-4" />}
+                onClick={() => openEditSummary(record)}
+                size="small"
+              />
+            </Tooltip>
+            <Popconfirm
+              title={t("knowledgeBase.modal.deleteConfirm.title")}
+              description={t("common.cannotBeUndone")}
+              onConfirm={() => handleDelete(record.id)}
+              okText={t("common.confirm")}
+              cancelText={t("common.cancel")}
+            >
+              <Tooltip title={t("common.delete")}>
+                <Button
+                  type="text"
+                  danger
+                  icon={<Trash2 className="h-4 w-4" />}
+                  size="small"
+                />
+              </Tooltip>
+            </Popconfirm>
+          </div>
+        );
+      },
     },
   ];
 
   return (
-    <>
+    <div className="h-full flex flex-col overflow-hidden">
       <Table
         columns={columns}
         dataSource={knowledgeBases}
@@ -273,54 +262,17 @@ export default function KnowledgeList({
         rowKey="id"
         pagination={{ pageSize: 10 }}
         scroll={{ x: 1400 }}
+        className="flex-1"
       />
 
-      <Modal
-        title={t("tenantResources.knowledgeBase.edit")}
+      {/* Edit Knowledge Base Modal */}
+      <KnowledgeBaseEditModal
         open={modalVisible}
-        onOk={handleSubmit}
+        knowledgeBase={editingKnowledge}
+        tenantId={tenantId}
         onCancel={() => setModalVisible(false)}
-        okText={t("common.confirm")}
-        cancelText={t("common.cancel")}
-        width={500}
-      >
-        <Form form={form} layout="vertical">
-          <Form.Item
-            name="knowledge_name"
-            label={t("common.name")}
-            rules={[
-              { required: true, message: t("tenantResources.knowledgeBase.nameRequired") },
-            ]}
-          >
-            <Input placeholder={t("tenantResources.knowledgeBase.enterName")} />
-          </Form.Item>
-
-          <Form.Item
-            name="ingroup_permission"
-            label={t("tenantResources.knowledgeBase.permission")}
-            rules={[
-              { required: true, message: t("tenantResources.knowledgeBase.permissionRequired") },
-            ]}
-          >
-            <Select placeholder={t("tenantResources.knowledgeBase.permission")}>
-              <Select.Option value="EDIT">{t("tenantResources.knowledgeBase.permission.EDIT")}</Select.Option>
-              <Select.Option value="READ_ONLY">{t("tenantResources.knowledgeBase.permission.READ_ONLY")}</Select.Option>
-              <Select.Option value="PRIVATE">{t("tenantResources.knowledgeBase.permission.PRIVATE")}</Select.Option>
-            </Select>
-          </Form.Item>
-
-          <Form.Item name="group_ids" label={t("tenantResources.knowledgeBase.groupNames")}>
-            <Select
-              mode="multiple"
-              placeholder={t("tenantResources.knowledgeBase.groupNames")}
-              options={groups.map((group) => ({
-                label: group.group_name,
-                value: group.group_id,
-              }))}
-            />
-          </Form.Item>
-        </Form>
-      </Modal>
+        onSuccess={() => refetch()}
+      />
 
       <Modal
         title={t("tenantResources.knowledgeBase.viewSummary")}
@@ -342,6 +294,6 @@ export default function KnowledgeList({
           <div className="text-gray-400 italic">{t("tenantResources.knowledgeBase.noSummary")}</div>
         )}
       </Modal>
-    </>
+    </div>
   );
 }
diff --git a/frontend/app/[locale]/tenant-resources/components/resources/McpList.tsx b/frontend/app/[locale]/tenant-resources/components/resources/McpList.tsx
index 5b6de5b3e..23b578b63 100644
--- a/frontend/app/[locale]/tenant-resources/components/resources/McpList.tsx
+++ b/frontend/app/[locale]/tenant-resources/components/resources/McpList.tsx
@@ -29,7 +29,7 @@ import {
   Upload as UploadIcon,
   Unplug,
   Edit,
-  CircleCheck,
+  CheckCircle,
   CircleX,
   AlertCircle,
 } from "lucide-react";
@@ -66,7 +66,7 @@ export default function McpList({ tenantId }: { tenantId: string | null }) {
     handleUploadImage,
     handleDeleteContainer,
     handleViewLogs,
-  } = useMcpConfig({ enabled: true });
+  } = useMcpConfig({ enabled: true, tenantId });
 
   // Add Modal State
   const [addModalVisible, setAddModalVisible] = useState(false);
@@ -358,16 +358,16 @@ export default function McpList({ tenantId }: { tenantId: string | null }) {
         const key = `${record.service_name}__${record.mcp_url}`;
         return (
           <Tag
-            color={isAvailable ? "success" : "error"}
+            color={healthCheckLoading[key] ? "#2E4053" : isAvailable ? "#229954" : "#E74C3C"}
             className="inline-flex items-center"
             variant="solid"
           >
             {healthCheckLoading[key] ? (
-              <LoaderCircle className="animate-spin mr-1" size={12} />
+              <LoaderCircle className="w-3 h-3 animate-spin mr-1" />
             ) : isAvailable ? (
-              <CircleCheck className="mr-1" size={12} />
+              <CheckCircle className="w-3 h-3 mr-1" />
             ) : (
-              <CircleX className="mr-1" size={12} />
+              <CircleX className="w-3 h-3 mr-1" />
             )}
             {t(isAvailable ? "mcpConfig.status.available" : "mcpConfig.status.unavailable")}
           </Tag>
@@ -416,7 +416,7 @@ export default function McpList({ tenantId }: { tenantId: string | null }) {
               title={t("mcpConfig.delete.confirmTitle")}
               description={t("mcpConfig.delete.confirmContent", { name: record.service_name })}
               onConfirm={() => onDeleteServer(record)}
-              okText={t("common.delete")}
+              okText={t("common.confirm")}
               cancelText={t("common.cancel")}
             >
               <Tooltip title={t("mcpConfig.serverList.button.delete")}>
@@ -467,13 +467,13 @@ export default function McpList({ tenantId }: { tenantId: string | null }) {
       width: "15%",
       render: (status: string) => {
         const statusConfig: Record<string, { color: string; icon: React.ReactNode }> = {
-          running: { color: "success", icon: <CircleCheck size={12} /> },
-          exited: { color: "error", icon: <CircleX size={12} /> },
-          created: { color: "processing", icon: <LoaderCircle size={12} className="animate-spin" /> },
-          paused: { color: "warning", icon: <AlertCircle size={12} /> },
-          restarting: { color: "processing", icon: <LoaderCircle size={12} className="animate-spin" /> },
+          running: { color: "#229954", icon: <CheckCircle className="w-3 h-3" /> },
+          exited: { color: "#E74C3C", icon: <CircleX className="w-3 h-3" /> },
+          created: { color: "#2E4053", icon: <LoaderCircle className="w-3 h-3 animate-spin" /> },
+          paused: { color: "#AEB6BF", icon: <AlertCircle className="w-3 h-3" /> },
+          restarting: { color: "#2E4053", icon: <LoaderCircle className="w-3 h-3 animate-spin" /> },
         };
-        const config = statusConfig[status || ""] || { color: "default", icon: <AlertCircle size={12} /> };
+        const config = statusConfig[status || ""] || { color: "#2E4053", icon: <AlertCircle className="w-3 h-3" /> };
         return (
           <Tag color={config.color} className="inline-flex items-center" variant="solid">
             <span className="mr-1">{config.icon}</span>
@@ -501,7 +501,7 @@ export default function McpList({ tenantId }: { tenantId: string | null }) {
             title={t("mcpConfig.deleteContainer.confirmTitle")}
             description={t("mcpConfig.deleteContainer.confirmContent", { name: record.name || record.container_id })}
             onConfirm={() => onDeleteContainer(record)}
-            okText={t("common.delete")}
+            okText={t("common.confirm")}
             cancelText={t("common.cancel")}
           >
             <Tooltip title={t("mcpConfig.containerList.button.delete")}>
@@ -520,16 +520,16 @@ export default function McpList({ tenantId }: { tenantId: string | null }) {
   ];
 
   return (
-    <div className="flex flex-col">
-      <div className="flex justify-between items-center mb-4">
+    <div className="h-full flex flex-col overflow-hidden">
+      <div className="flex justify-between items-center mb-4 flex-shrink-0">
         <div />
         <Button type="primary" icon={<Plus size={16} />} onClick={() => setAddModalVisible(true)}>
           {t("tenantResources.mcp.addService")}
         </Button>
       </div>
 
-      <div className="space-y-6">
-        <div>
+      <div className="space-y-6 flex-1 overflow-auto">
+        <div className="min-w-0">
           <Title level={5} style={{ marginBottom: 12 }}>{t("mcpConfig.serverList.title")}</Title>
           <Table
             columns={serverColumns}
@@ -543,7 +543,7 @@ export default function McpList({ tenantId }: { tenantId: string | null }) {
           />
         </div>
 
-        <div>
+        <div className="min-w-0">
           <Title level={5} style={{ marginBottom: 12 }}>{t("mcpConfig.containerList.title")}</Title>
           <Table
             columns={containerColumns}
diff --git a/frontend/app/[locale]/tenant-resources/components/resources/ModelList.tsx b/frontend/app/[locale]/tenant-resources/components/resources/ModelList.tsx
index 67296b044..b2db4f846 100644
--- a/frontend/app/[locale]/tenant-resources/components/resources/ModelList.tsx
+++ b/frontend/app/[locale]/tenant-resources/components/resources/ModelList.tsx
@@ -2,11 +2,11 @@
 
 import React, { useState } from "react";
 import { useTranslation } from "react-i18next";
-import { Table, Button, Popconfirm, message, Tag } from "antd";
-import { Edit, Trash2 } from "lucide-react";
+import { Table, Button, Popconfirm, message, Tag, Pagination } from "antd";
+import { Edit, Trash2, RefreshCw } from "lucide-react";
 import { Tooltip } from "@/components/ui/tooltip";
 import { ColumnsType } from "antd/es/table";
-import { useModelList } from "@/hooks/model/useModelList";
+import { useManageTenantModels } from "@/hooks/model/useManageTenantModels";
 import { modelService } from "@/services/modelService";
 import { type ModelOption, type ModelType } from "@/types/modelConfig";
 import { ModelAddDialog } from "../../../models/components/model/ModelAddDialog";
@@ -15,11 +15,30 @@ import { CheckCircle, CircleSlash, XCircle, CircleEllipsis, CircleHelp } from "l
 
 export default function ModelList({ tenantId }: { tenantId: string | null }) {
   const { t } = useTranslation("common");
-  const { data: models = [], isLoading, refetch } = useModelList();
+
+  // Pagination state
+  const [page, setPage] = useState(1);
+  const [pageSize, setPageSize] = useState(10);
+
+  // Use manage API to get models for the specified tenant
+  const {
+    models = [],
+    total = 0,
+    isLoading,
+    refetch,
+  } = useManageTenantModels({
+    tenantId: tenantId || "",
+    page,
+    pageSize,
+  });
+
   const [editingModel, setEditingModel] = useState<ModelOption | null>(null);
   const [addDialogVisible, setAddDialogVisible] = useState(false);
   const [editDialogVisible, setEditDialogVisible] = useState(false);
 
+  // Track which models are being checked for connectivity
+  const [checkingConnectivity, setCheckingConnectivity] = useState<Set<string>>(new Set());
+
   const openCreate = () => {
     setAddDialogVisible(true);
   };
@@ -49,17 +68,64 @@ export default function ModelList({ tenantId }: { tenantId: string | null }) {
     setEditDialogVisible(true);
   };
 
-  const handleDelete = async (modelId: string, provider?: string) => {
+  const handleDelete = async (displayName: string, _provider?: string) => {
+    if (!tenantId) {
+      message.error("Tenant ID is required");
+      return;
+    }
     try {
-      await modelService.deleteCustomModel(modelId, provider);
-      message.success("Model deleted");
+      await modelService.deleteManageTenantModel({
+        tenantId,
+        displayName,
+      });
+      message.success(t("tenantResources.models.deleteSuccess"));
       refetch();
     } catch (error: any) {
       if (error.response?.data?.message) {
         message.error(error.response.data.message);
       } else {
-        message.error("Delete failed");
+        message.error(t("tenantResources.models.deleteFailed"));
+      }
+    }
+  };
+
+  // Handle checking model connectivity
+  const handleCheckConnectivity = async (displayName: string) => {
+    if (!tenantId) {
+      message.error("Tenant ID is required");
+      return;
+    }
+
+    setCheckingConnectivity((prev) => new Set(prev).add(displayName));
+    try {
+      const isConnected = await modelService.checkManageTenantModelConnectivity(
+        tenantId,
+        displayName
+      );
+      if (isConnected) {
+        message.success(t("tenantResources.models.connectivitySuccess"));
+      } else {
+        message.warning(t("tenantResources.models.connectivityFailed"));
       }
+      // Refresh the model list to get updated connectivity status
+      refetch();
+    } catch (error) {
+      message.error(t("tenantResources.models.connectivityError"));
+    } finally {
+      setCheckingConnectivity((prev) => {
+        const next = new Set(prev);
+        next.delete(displayName);
+        return next;
+      });
+    }
+  };
+
+  // Handle pagination change
+  const handlePageChange = (newPage: number, newPageSize: number) => {
+    setPage(newPage);
+    if (newPageSize !== pageSize) {
+      setPageSize(newPageSize);
+      setPage(1);
     }
   };
 
@@ -122,9 +188,18 @@ export default function ModelList({ tenantId }: { tenantId: string | null }) {
     {
       title: t("common.actions"),
       key: "actions",
-      width: 250,
+      width: 300,
       render: (_, record: ModelOption) => (
         <div className="flex items-center space-x-2">
+          <Tooltip title={t("tenantResources.models.checkConnectivity")}>
+            <Button
+              type="text"
+              icon={checkingConnectivity.has(record.displayName) ? <RefreshCw className="h-4 w-4 animate-spin" /> : <RefreshCw className="h-4 w-4" />}
+              onClick={() => handleCheckConnectivity(record.displayName)}
+              size="small"
+              loading={checkingConnectivity.has(record.displayName)}
+            />
+          </Tooltip>
           <Tooltip title={t("tenantResources.models.editModel")}>
             <Button
               type="text"
@@ -135,8 +210,10 @@ export default function ModelList({ tenantId }: { tenantId: string | null }) {
           </Tooltip>
           <Popconfirm
             title={t("tenantResources.models.confirmDelete")}
-            description="This action cannot be undone."
+            description={t("common.cannotBeUndone")}
             onConfirm={() => handleDelete(record.displayName, record.source)}
+            okText={t("common.confirm")}
+            cancelText={t("common.cancel")}
           >
             <Tooltip title={t("tenantResources.models.deleteModel")}>
               <Button
@@ -153,8 +230,8 @@ export default function ModelList({ tenantId }: { tenantId: string | null }) {
   ];
 
   return (
-    <div>
-      <div className="flex items-center justify-between mb-4">
+    <div className="h-full flex flex-col overflow-hidden">
+      <div className="flex items-center justify-between mb-4 flex-shrink-0">
         <div />
         <div>
           <Button type="primary" onClick={openCreate}>
@@ -169,12 +246,15 @@ export default function ModelList({ tenantId }: { tenantId: string | null }) {
         loading={isLoading}
         rowKey="id"
         pagination={{ pageSize: 10 }}
+        scroll={{ x: true }}
+        className="flex-1"
       />
 
       <ModelAddDialog
         isOpen={addDialogVisible}
         onClose={handleAddDialogClose}
         onSuccess={handleAddDialogSuccess}
+        tenantId={tenantId || undefined}
       />
 
       <ModelEditDialog
@@ -182,6 +262,7 @@ export default function ModelList({ tenantId }: { tenantId: string | null }) {
         model={editingModel}
         onClose={handleEditDialogClose}
         onSuccess={handleEditDialogSuccess}
+        tenantId={tenantId || undefined}
       />
     </div>
   );
diff --git a/frontend/app/[locale]/tenant-resources/components/resources/UserList.tsx b/frontend/app/[locale]/tenant-resources/components/resources/UserList.tsx
index 784baed47..0b0302b4f 100644
--- a/frontend/app/[locale]/tenant-resources/components/resources/UserList.tsx
+++ b/frontend/app/[locale]/tenant-resources/components/resources/UserList.tsx
@@ -164,6 +164,8 @@ export default function UserList({ tenantId }: { tenantId: string | null }) {
                 name: record.username,
               })}
               onConfirm={() => handleDelete(record.id)}
+              okText={t("common.confirm")}
+              cancelText={t("common.cancel")}
             >
               <Tooltip title={t("tenantResources.users.deleteUser")}>
                 <Button
@@ -182,13 +184,15 @@ export default function UserList({ tenantId }: { tenantId: string | null }) {
   );
 
   return (
-    <div>
+    <div className="h-full flex flex-col overflow-hidden">
       <Table
         dataSource={users}
         columns={columns}
         rowKey={(r) => String(r.id)}
         loading={isLoading}
         pagination={{ pageSize: 10 }}
+        scroll={{ x: true }}
+        className="flex-1"
       />
 
       <Modal
@@ -196,6 +200,8 @@ export default function UserList({ tenantId }: { tenantId: string | null }) {
         open={modalVisible}
         onOk={handleSubmit}
         onCancel={() => setModalVisible(false)}
+        okText={t("common.confirm")}
+        cancelText={t("common.cancel")}
       >
         <Form layout="vertical" form={form}>
           <Form.Item name="username" label={t("common.email")}>
@@ -222,6 +228,8 @@ export default function UserList({ tenantId }: { tenantId: string | null }) {
         open={createGroupModalVisible}
         onOk={handleCreateGroup}
         onCancel={() => setCreateGroupModalVisible(false)}
+        okText={t("common.confirm")}
+        cancelText={t("common.cancel")}
       >
         <Form layout="vertical" form={groupForm}>
           <Form.Item
diff --git a/frontend/app/[locale]/tenant-resources/page.tsx b/frontend/app/[locale]/tenant-resources/page.tsx
index f9231085b..8469187b7 100644
--- a/frontend/app/[locale]/tenant-resources/page.tsx
+++ b/frontend/app/[locale]/tenant-resources/page.tsx
@@ -1,6 +1,7 @@
 "use client";
 
 import React from "react";
+import { Flex } from "antd";
 import { useSetupFlow } from "@/hooks/useSetupFlow";
 import UserManageComp from "./components/UserManageComp";
 
@@ -10,16 +11,19 @@ import UserManageComp from "./components/UserManageComp";
  * Notes:
  * - The backend APIs may be unavailable during development; the UI uses
  *   hooks/services that provide mock data until real endpoints are wired.
- * - Layout follows the tenant-resource pattern used by the `agents` pages.
+ * - Layout uses Flex for responsive design and proper content flow.
  */
 export default function TenantResourcesPage() {
-  const { canAccessProtectedData } = useSetupFlow({
-    requireAdmin: true,
-  });
 
-  if (!canAccessProtectedData) {
-    return null;
-  }
-
-  return <UserManageComp />;
+  return (
+    <>
+      <Flex
+        vertical
+        style={{ width: "100%", height: "100%" }}
+        className="h-full w-full overflow-hidden"
+      >
+        <UserManageComp />
+      </Flex>
+    </>
+  );
 }
diff --git a/frontend/app/[locale]/users/components/UserProfileComp.tsx b/frontend/app/[locale]/users/components/UserProfileComp.tsx
index 9d2fc1169..4dce6731e 100644
--- a/frontend/app/[locale]/users/components/UserProfileComp.tsx
+++ b/frontend/app/[locale]/users/components/UserProfileComp.tsx
@@ -11,6 +11,8 @@ import {
   App,
   Flex,
   Alert,
+  Tag,
+  Tooltip,
 } from "antd";
 import { motion } from "framer-motion";
 import { useTranslation } from "react-i18next";
@@ -25,8 +27,11 @@ import {
   AlertTriangle,
   ChevronRight,
 } from "lucide-react";
-import { useAuth } from "@/hooks/useAuth";
 import { USER_ROLES } from "@/const/modelConfig";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
+import { useAuthenticationContext } from "@/components/providers/AuthenticationProvider";
+import { useGroupList } from "@/hooks/group/useGroupList";
+import { useMemo } from "react";
 
 const { Text, Paragraph } = Typography;
 
@@ -43,7 +48,31 @@ const { Text, Paragraph } = Typography;
 export default function UserProfileComp() {
   const { t } = useTranslation("common");
   const { message: antdMessage } = App.useApp();
-  const { user, logout, revoke, isLoading } = useAuth();
+  const { logout, revoke, isLoading } = useAuthenticationContext()
+  const { user, groupIds } = useAuthorizationContext()
+
+  // Fetch groups for group name mapping
+  const { data: groupData } = useGroupList(user?.tenantId || null, 1, 100);
+  const groups = groupData?.groups || [];
+
+  // Create group name mapping from group_id to group_name
+  const groupNameMap = useMemo(() => {
+    const map = new Map<number, string>();
+    groups.forEach((group) => {
+      map.set(group.group_id, group.group_name);
+    });
+    return map;
+  }, [groups]);
+
+  // Get user's group names
+  const userGroupNames = useMemo(() => {
+    if (!groupIds || groupIds.length === 0) return [];
+    return groupIds.map((id) => ({
+      id,
+      name: groupNameMap.get(id) || t("common.unknown"),
+      description: groups.find((g) => g.group_id === id)?.group_description || "",
+    }));
+  }, [groupIds, groupNameMap, groups, t]);
 
   // Modal states
   const [isEditModalOpen, setIsEditModalOpen] = useState(false);
@@ -57,8 +86,16 @@ export default function UserProfileComp() {
   // Get role display name
   const getRoleDisplayName = (role: string) => {
     switch (role) {
+      case USER_ROLES.SPEED:
+        return t("auth.speed");
+      case USER_ROLES.SU:
+        return t("auth.su");
       case USER_ROLES.ADMIN:
         return t("auth.admin");
+      case USER_ROLES.DEV:
+        return t("auth.dev");
+      case USER_ROLES.USER:
+        return t("auth.user");
       default:
         return t("auth.user");
     }
@@ -167,6 +204,32 @@ export default function UserProfileComp() {
                     {getRoleDisplayName(user?.role || "user")}
                   </span>
                 </div>
+                <div className="px-6 py-3 flex items-center justify-between">
+                  <span className="text-gray-500 dark:text-gray-400 text-sm">
+                    {t("agent.userGroup") || "User Group"}
+                  </span>
+                  <div className="flex flex-wrap gap-1 justify-end max-w-[50%]">
+                    {userGroupNames.length > 0 ? (
+                      userGroupNames.map((group) => (
+                        <Tooltip
+                            key={group.id}
+                            title={group.description || t("tenantResources.groups.noDescription")}
+                          >
+                          <Tag
+                            color="blue"
+                            className="cursor-pointer hover:opacity-80 transition-opacity"
+                          >
+                            <span className="font-medium">{group.name}</span>
+                          </Tag>
+                        </Tooltip>
+                      ))
+                    ) : (
+                      <span className="text-gray-400 text-sm">
+                        {t("agent.userGroup.empty")}
+                      </span>
+                    )}
+                  </div>
+                </div>
               </div>
             </div>
           </motion.div>
diff --git a/frontend/app/[locale]/users/page.tsx b/frontend/app/[locale]/users/page.tsx
index 690294cc6..ccac12e52 100644
--- a/frontend/app/[locale]/users/page.tsx
+++ b/frontend/app/[locale]/users/page.tsx
@@ -2,7 +2,6 @@
 
 import React from "react";
 import { Flex } from "antd";
-import { useSetupFlow } from "@/hooks/useSetupFlow";
 import UserProfileComp from "./components/UserProfileComp";
 
 /**
@@ -14,20 +13,15 @@ import UserProfileComp from "./components/UserProfileComp";
  * - Layout uses Flex for responsive design and proper content flow.
  */
 export default function UsersPage() {
-  const { canAccessProtectedData } = useSetupFlow({
-    requireAdmin: false,
-  });
 
   return (
     <>
-      {canAccessProtectedData ? (
-        <Flex
-          vertical
-          className="h-full w-full overflow-hidden"
-        >
-          <UserProfileComp />
-        </Flex>
-      ) : null}
+      <Flex
+        vertical
+        className="h-full w-full overflow-hidden"
+      >
+        <UserProfileComp />
+      </Flex>
     </>
   );
 }
diff --git a/frontend/components/agent/AgentImportWizard.tsx b/frontend/components/agent/AgentImportWizard.tsx
index 2de633b33..e2f3a6636 100644
--- a/frontend/components/agent/AgentImportWizard.tsx
+++ b/frontend/components/agent/AgentImportWizard.tsx
@@ -820,8 +820,11 @@ export default function AgentImportWizard({
         ),
         okText: t("market.install.warning.continue", "Continue Anyway"),
         cancelText: t("market.install.warning.goBack", "Go Back to Configure"),
+        cancelButtonProps: {
+          type: "primary",
+        },
         okButtonProps: {
-          className: "bg-blue-600 hover:bg-blue-700 border-blue-600 hover:border-blue-700 text-white",
+          type: "default",
         },
         onOk: async () => {
           await performImport();
@@ -879,6 +882,10 @@ export default function AgentImportWizard({
     // Clone agent data structure
     const agentJson = JSON.parse(JSON.stringify(initialData));
 
+    // Preserve business logic model fields from initial data (passed from market)
+    const preservedBusinessLogicModelId = initialData.business_logic_model_id;
+    const preservedBusinessLogicModelName = initialData.business_logic_model_name;
+
     // Update all agents' name/display_name if renamed
     Object.entries(agentNameConflicts).forEach(([agentKey, conflict]) => {
       if (agentJson.agent_info[agentKey]) {
@@ -897,10 +904,6 @@ export default function AgentImportWizard({
       Object.entries(agentJson.agent_info).forEach(([agentKey, agentInfo]: [string, any]) => {
         agentInfo.model_id = selectedModelId;
         agentInfo.model_name = selectedModelName;
-
-        // Clear business logic model fields
-        agentInfo.business_logic_model_id = null;
-        agentInfo.business_logic_model_name = null;
       });
     } else {
       // Individual mode: apply models to all agents
@@ -909,14 +912,16 @@ export default function AgentImportWizard({
         if (modelSelection && modelSelection.modelId && modelSelection.modelName) {
           agentInfo.model_id = modelSelection.modelId;
           agentInfo.model_name = modelSelection.modelName;
-
-          // Clear business logic model fields
-          agentInfo.business_logic_model_id = null;
-          agentInfo.business_logic_model_name = null;
         }
       });
     }
 
+    // Apply business logic model fields to all agents
+    Object.values(agentJson.agent_info).forEach((agentInfo: any) => {
+      agentInfo.business_logic_model_id = preservedBusinessLogicModelId ?? null;
+      agentInfo.business_logic_model_name = preservedBusinessLogicModelName ?? null;
+    });
+
     // Update config fields for all agents (main + sub-agents)
     configFields.forEach(field => {
       const value = configValues[field.valueKey];
diff --git a/frontend/components/auth/AuthDialogs.tsx b/frontend/components/auth/AuthDialogs.tsx
new file mode 100644
index 000000000..bc5e016c3
--- /dev/null
+++ b/frontend/components/auth/AuthDialogs.tsx
@@ -0,0 +1,161 @@
+"use client";
+
+import { useTranslation } from "react-i18next";
+import { Modal, Button } from "antd";
+import { GithubOutlined } from "@ant-design/icons";
+import { ExclamationCircleOutlined } from "@ant-design/icons";
+import { UserPlus, LogIn } from "lucide-react";
+import Image from "next/image";
+
+import { useAuthenticationContext } from "@/components/providers/AuthenticationProvider";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
+
+/**
+ * Authentication dialogs component
+ * Contains login prompt, permission denied, and session expired modals
+ */
+export function AuthDialogs() {
+  const { t } = useTranslation("common");
+
+  const {
+    isAuthPromptModalOpen,
+    isSessionExpiredModalOpen,
+    closeSessionExpiredModal,
+    closeAuthPromptModal,
+    openLoginModal,
+    openRegisterModal,
+  } = useAuthenticationContext();
+
+  const {
+    isAuthzPromptModalOpen,
+    closeAuthzPromptModal,
+  } = useAuthorizationContext();
+
+  return (
+    <>
+      {/* Login prompt dialog - shown when user is not authenticated */}
+      <Modal
+        open={isAuthPromptModalOpen}
+        onCancel={closeAuthPromptModal}
+        footer={null}
+        centered
+        closable
+        width={480}
+        maskClosable={false}
+      >
+        <div className="relative bg-white p-4 rounded-2xl">
+          {/* Logo */}
+          <div className="flex justify-center mb-6">
+            <Image
+              src="/modelengine-logo.png"
+              alt="ModelEngine Logo"
+              width={80}
+              height={80}
+              className="object-contain"
+            />
+          </div>
+
+          {/* Title */}
+          <h2 className="text-3xl font-bold text-center mb-2 text-gray-900">
+            {t("page.loginPrompt.title")}
+          </h2>
+
+          {/* Subtitle */}
+          <p className="text-center text-gray-500 mb-8 mt-4 ml-10 mr-10 text-sm">
+            {t(
+              "A powerful AI agent platform for intelligent conversations and automation"
+            )}
+          </p>
+
+          {/* Action buttons */}
+          <div className="flex flex-col gap-3 mb-6">
+            {/* Login button */}
+            <Button
+              onClick={() => {
+                closeAuthPromptModal();
+                openLoginModal();
+              }}
+              className="w-full h-12 rounded-lg font-medium flex items-center justify-center gap-2 shadow-sm"
+              size="large"
+              type="primary"
+            >
+              <LogIn className="h-5 w-5" />
+              {t("page.loginPrompt.login")}
+            </Button>
+
+            {/* Register button */}
+            <Button
+              onClick={() => {
+                closeAuthPromptModal();
+                openRegisterModal();
+              }}
+              type="default"
+              className="w-full h-12 border border-gray-300 rounded-lg font-medium flex items-center justify-center gap-2"
+              size="large"
+            >
+              <UserPlus className="h-5 w-5" />
+              {t("page.loginPrompt.register")}
+            </Button>
+          </div>
+
+          {/* GitHub support */}
+          <div className="flex items-center justify-center gap-2 text-gray-500 text-sm">
+            <GithubOutlined className="text-base" />
+            <a
+              href="https://github.com/ModelEngine-Group/nexent"
+              target="_blank"
+              rel="noopener noreferrer"
+            >
+              {t("page.loginPrompt.githubSupport")}
+            </a>
+            <span></span>
+          </div>
+        </div>
+      </Modal>
+
+      {/* Permission denied dialog - shown when user is not authorized */}
+      <Modal
+        title={t("page.permissionDenied.title")}
+        open={isAuthzPromptModalOpen}
+        onCancel={closeAuthzPromptModal}
+        footer={[
+          <Button key="confirm" onClick={closeAuthzPromptModal} type="primary">
+            {t("common.confirm")}
+          </Button>,
+        ]}
+        centered
+        closable={false}
+      >
+        <div style={{ display: "flex", alignItems: "center", gap: "8px" }}>
+          <ExclamationCircleOutlined
+            style={{ color: "#faad14", fontSize: "20px" }}
+          />
+          <span>{t("page.permissionDenied.content")}</span>
+        </div>
+      </Modal>
+
+      {/* Session expired dialog - shown when user session has expired */}
+      <Modal
+        title={t("login.expired.title")}
+        open={isSessionExpiredModalOpen}
+        onOk={() => {
+          closeSessionExpiredModal();
+          openLoginModal();
+        }}
+        onCancel={closeSessionExpiredModal}
+        okText={t("login.expired.okText")}
+        cancelText={t("login.expired.cancelText")}
+        centered
+        closable={false}
+        okButtonProps={{ type: "primary" }}
+      >
+        <div style={{ display: "flex", alignItems: "center", gap: "8px" }}>
+          <ExclamationCircleOutlined
+            style={{ color: "#faad14", fontSize: "20px" }}
+          />
+          <span>{t("login.expired.content")}</span>
+        </div>
+      </Modal>
+    </>
+  );
+}
diff --git a/frontend/components/auth/avatarDropdown.tsx b/frontend/components/auth/avatarDropdown.tsx
index 19301c9e5..b41309dfd 100644
--- a/frontend/components/auth/avatarDropdown.tsx
+++ b/frontend/components/auth/avatarDropdown.tsx
@@ -3,25 +3,30 @@
 import React, { useState } from "react";
 import { useTranslation } from "react-i18next";
 import { Dropdown, Avatar, Spin, Button, Tag, ConfigProvider } from "antd";
-import { UserRound, LogOut, LogIn, UserRoundPlus, UserCircle } from "lucide-react";
+import { UserRound, LogOut, LogIn, UserRoundPlus, UserCircle, Power } from "lucide-react";
 import type { ItemType } from "antd/es/menu/interface";
 import Link from "next/link";
+import { App } from "antd";
 
-import { useAuth } from "@/hooks/useAuth";
+import { useAuthenticationContext } from "@/components/providers/AuthenticationProvider";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
 import { useConfirmModal } from "@/hooks/useConfirmModal";
 import { getRoleColor } from "@/lib/auth";
+import { USER_ROLES } from "@/const/auth";
 
 export function AvatarDropdown() {
-  const { user, isLoading, logout, openLoginModal, openRegisterModal } =
-    useAuth();
+  const { user, isAuthzReady } = useAuthorizationContext();
+  const { isLoading, logout, revoke, openLoginModal, openRegisterModal } =
+    useAuthenticationContext();
   const [dropdownOpen, setDropdownOpen] = useState(false);
   const { t } = useTranslation("common");
+  const { modal } = App.useApp();
   const { confirm } = useConfirmModal();
 
+  // Show loading while authentication is in progress
   if (isLoading) {
     return <Spin size="small" />;
   }
-
   if (!user) {
     const items: ItemType[] = [
       {
@@ -91,7 +96,7 @@ export function AvatarDropdown() {
           <div className="font-medium">{user.email}</div>
           <div className="mt-1">
             <Tag color={getRoleColor(user.role)}>
-              {t(user.role === "admin" ? "auth.admin" : "auth.user")}
+              {t(`auth.${(user.role).toLowerCase()}`)}
             </Tag>
           </div>
         </div>
@@ -130,6 +135,31 @@ export function AvatarDropdown() {
         });
       },
     },
+    {
+      key: "revoke",
+      icon: <Power size={16} />,
+      label: t("auth.revoke"),
+      // danger: true,
+      className: "hover:!bg-red-100 focus:!bg-red-400 focus:!text-white",
+      onClick: () => {
+        if (user.role === USER_ROLES.ADMIN) {
+          modal.error({
+            title: t("auth.refuseRevoke"),
+            content: t("auth.refuseRevokePrompt"),
+            okText: t("auth.confirm"),
+          });
+        } else {
+          confirm({
+            title: t("auth.confirmRevoke"),
+            content: t("auth.confirmRevokePrompt"),
+            okText: t("auth.confirmRevokeOk"),
+            onOk: () => {
+              revoke();
+            },
+          });
+        }
+      },
+    },
   ];
 
   return (
@@ -145,7 +175,7 @@ export function AvatarDropdown() {
         )}
       >
         <Avatar
-          src={user.avatar_url}
+          src={user.avatarUrl}
           className="cursor-pointer"
           size="default"
           icon={<UserRound size={18} />}
diff --git a/frontend/components/auth/index.ts b/frontend/components/auth/index.ts
index 4987e4d15..be67fe0a7 100644
--- a/frontend/components/auth/index.ts
+++ b/frontend/components/auth/index.ts
@@ -5,4 +5,3 @@
 export * from "./avatarDropdown";
 export * from "./loginModal";
 export * from "./registerModal";
-export * from "./sessionListeners";
diff --git a/frontend/components/auth/loginModal.tsx b/frontend/components/auth/loginModal.tsx
index b53c8adb0..9b0f43256 100644
--- a/frontend/components/auth/loginModal.tsx
+++ b/frontend/components/auth/loginModal.tsx
@@ -1,12 +1,15 @@
 "use client";
 
+import { useState } from "react";
 import { useTranslation } from "react-i18next";
 import { Modal, Form, Input, Button, Typography, Space } from "antd";
 import { UserRound, LockKeyhole } from "lucide-react";
+import { usePathname, useRouter } from "next/navigation";
 
-import { useAuth } from "@/hooks/useAuth";
-import { useAuthForm } from "@/hooks/useAuthForm";
-import { EVENTS } from "@/const/auth";
+import { useAuthenticationContext } from "@/components/providers/AuthenticationProvider";
+import { useDeployment } from "@/components/providers/deploymentProvider";
+import { getEffectiveRoutePath } from "@/lib/auth";
+import log from "@/lib/logger";
 
 const { Text } = Typography;
 
@@ -19,27 +22,44 @@ export function LoginModal() {
   // Authentication state and methods from useAuth hook
   const {
     isLoginModalOpen,
+    isAuthenticated,
     closeLoginModal,
     openRegisterModal,
     login,
-    isFromSessionExpired,
-    setIsFromSessionExpired,
     authServiceUnavailable,
-  } = useAuth();
+  } = useAuthenticationContext();
+  const { isSpeedMode } = useDeployment();
 
-  // Form state and validation methods from useAuthForm hook
-  const {
-    form,
-    isLoading,
-    setIsLoading,
-    emailError,
-    passwordError,
-    setEmailError,
-    setPasswordError,
-    handleEmailChange,
-    handlePasswordChange,
-    resetForm,
-  } = useAuthForm();
+  const router = useRouter();
+  const pathname = usePathname();
+  const [form] = Form.useForm();
+  const [isLoading, setIsLoading] = useState(false);
+  const [emailError, setEmailError] = useState("");
+  const [passwordError, setPasswordError] = useState(false);
+
+  const resetForm = () => {
+    setEmailError("");
+    setPasswordError(false);
+    form.resetFields();
+  };
+
+  const handleEmailChange = () => {
+    if (emailError) {
+      setEmailError("");
+      form.setFields([
+        {
+          name: "email",
+          errors: [],
+        },
+      ]);
+    }
+  };
+
+  const handlePasswordChange = () => {
+    if (passwordError) {
+      setPasswordError(false);
+    }
+  };
 
   // Internationalization hook for multi-language support
   const { t } = useTranslation("common");
@@ -58,15 +78,12 @@ export function LoginModal() {
       // Attempt to login with provided credentials
       await login(values.email, values.password);
 
-      // Reset session expired flag after successful login
-      setIsFromSessionExpired(false);
-
-      // Reset modal control state to prevent session expired modal from triggering again
-      // Small delay ensures proper state synchronization
       setTimeout(() => {
-        document.dispatchEvent(new CustomEvent("modalClosed"));
+        // Close the login modal after successful login
+        closeLoginModal();
       }, 200);
     } catch (error: any) {
+      log.error("Login failed", error);
       // Clear email error and set password error flag
       setEmailError("");
       setPasswordError(true);
@@ -137,113 +154,108 @@ export function LoginModal() {
     resetForm();
     closeLoginModal();
 
-    // If login modal was opened due to session expiration,
-    // reset modal state and re-trigger the session expired event
-    if (isFromSessionExpired) {
-      // Reset modal state so session expired modal can be shown again
-      document.dispatchEvent(new CustomEvent("modalClosed"));
-      setTimeout(() => {
-        window.dispatchEvent(
-          new CustomEvent(EVENTS.SESSION_EXPIRED, {
-            detail: { message: t("auth.sessionExpired") },
-          })
-        );
-      }, 100);
+    // If user manually cancels login from a protected page,
+    // redirect back to home instead of keeping them on the restricted page
+    if (!isAuthenticated && !isSpeedMode) {
+      const effectivePath = pathname ? getEffectiveRoutePath(pathname) : "/";
+      if (effectivePath !== "/") {
+        router.push("/");
+      }
     }
   };
 
   return (
     <Modal
       title={
-        <div className="text-center text-xl font-bold">
+        <div className="text-center text-xl font-bold mt-3">
           {t("auth.loginTitle")}
         </div>
       }
       open={isLoginModalOpen}
       onCancel={handleCancel}
       footer={null}
-      width={400}
+      width={420}
       centered
       forceRender
-      // Prevent modal from being closed by clicking mask when session is expired
-      // But allow close button to be visible so user can return to session expired prompt
-      maskClosable={!isFromSessionExpired}
+      maskClosable={false}
       closable={true}
     >
-      <Form
-        id="login-form"
-        form={form}
-        layout="vertical"
-        onFinish={handleSubmit}
-        className="mt-6"
-        autoComplete="off"
-      >
-        {/* Email input field */}
-        <Form.Item
-          name="email"
-          label={t("auth.emailLabel")}
-          validateStatus={emailError ? "error" : ""}
-          help={emailError}
-          rules={[{ required: true, message: t("auth.emailRequired") }]}
-        >
-          <Input
-            prefix={<UserRound className="text-gray-400" size={16} />}
-            placeholder={t("auth.emailPlaceholder")}
-            onChange={handleEmailChange}
-            size="large"
-          />
-        </Form.Item>
-
-        {/* Password input field */}
-        <Form.Item
-          name="password"
-          label={t("auth.passwordLabel")}
-          validateStatus={passwordError ? "error" : ""}
-          help={
-            passwordError || authServiceUnavailable
-              ? authServiceUnavailable
-                ? t("auth.authServiceUnavailable")
-                : t("auth.invalidCredentials")
-              : ""
-          }
-          rules={[{ required: true, message: t("auth.passwordRequired") }]}
+      <div className="relative bg-white p-4 rounded-2xl">
+        <Form
+          id="login-form"
+          form={form}
+          layout="vertical"
+          onFinish={handleSubmit}
+          className="mt-6"
+          autoComplete="off"
         >
-          <Input.Password
-            prefix={<LockKeyhole className="text-gray-400" size={16} />}
-            placeholder={t("auth.passwordRequired")}
-            onChange={handlePasswordChange}
-            size="large"
-            status={passwordError ? "error" : ""}
-          />
-        </Form.Item>
-
-        {/* Submit button */}
-        <Form.Item>
-          <Button
-            type="primary"
-            htmlType="submit"
-            loading={isLoading}
-            block
-            size="large"
-            className="mt-2"
-            disabled={authServiceUnavailable}
+          {/* Email input field */}
+          <Form.Item
+            name="email"
+            label={t("auth.emailLabel")}
+            validateStatus={emailError ? "error" : ""}
+            help={emailError}
+            rules={[{ required: true, message: t("auth.emailRequired") }]}
           >
-            {isLoading ? t("auth.loggingIn") : t("auth.login")}
-          </Button>
-        </Form.Item>
-
-        {/* Registration link section (hidden when opened from session expired flow) */}
-        {!isFromSessionExpired && (
-          <div className="text-center">
-            <Space>
-              <Text type="secondary">{t("auth.noAccount")}</Text>
-              <Button type="link" onClick={handleRegisterClick} className="p-0">
-                {t("auth.registerNow")}
-              </Button>
-            </Space>
-          </div>
-        )}
-      </Form>
+            <Input
+              prefix={<UserRound className="text-gray-400" size={16} />}
+              placeholder={t("auth.emailPlaceholder")}
+              onChange={handleEmailChange}
+              size="large"
+            />
+          </Form.Item>
+
+          {/* Password input field */}
+          <Form.Item
+            name="password"
+            label={t("auth.passwordLabel")}
+            validateStatus={passwordError ? "error" : ""}
+            help={
+              passwordError || authServiceUnavailable
+                ? authServiceUnavailable
+                  ? t("auth.authServiceUnavailable")
+                  : t("auth.invalidCredentials")
+                : ""
+            }
+            rules={[{ required: true, message: t("auth.passwordRequired") }]}
+          >
+            <Input.Password
+              prefix={<LockKeyhole className="text-gray-400" size={16} />}
+              placeholder={t("auth.passwordRequired")}
+              onChange={handlePasswordChange}
+              size="large"
+              status={passwordError ? "error" : ""}
+            />
+          </Form.Item>
+
+          {/* Submit button */}
+          <Form.Item>
+            <Button
+              type="primary"
+              htmlType="submit"
+              loading={isLoading}
+              block
+              size="large"
+              className="mt-2"
+              disabled={authServiceUnavailable}
+            >
+              {isLoading ? t("auth.loggingIn") : t("auth.login")}
+            </Button>
+          </Form.Item>
+
+          {/* Registration link section (hidden when opened from session expired flow) */}
+          
+            <div className="text-center">
+              <Space>
+                <Text type="secondary">{t("auth.noAccount")}</Text>
+                <Button type="link" onClick={handleRegisterClick} className="p-0">
+                  {t("auth.registerNow")}
+                </Button>
+              </Space>
+            </div>
+
+        </Form>
+      </div>
     </Modal>
   );
 }
diff --git a/frontend/components/auth/registerModal.tsx b/frontend/components/auth/registerModal.tsx
index f63dfab96..fcfa6cb01 100644
--- a/frontend/components/auth/registerModal.tsx
+++ b/frontend/components/auth/registerModal.tsx
@@ -2,6 +2,7 @@
 
 import { useState } from "react";
 import { useTranslation } from "react-i18next";
+import { usePathname, useRouter } from "next/navigation";
 import {
   Modal,
   Form,
@@ -10,21 +11,23 @@ import {
   Typography,
   Space,
   Switch,
-  Divider,
   App,
+  Popover,
 } from "antd";
 import {
   UserRound,
   LockKeyhole,
   ShieldCheck,
   KeyRound,
-  Crown,
   BookMarked,
+  HelpCircle,
+  Users,
 } from "lucide-react";
 
-import { useAuth } from "@/hooks/useAuth";
-import { AuthFormValues } from "@/types/auth"
-import { useAuthForm } from "@/hooks/useAuthForm";
+import { useAuthenticationContext } from "@/components/providers/AuthenticationProvider";
+import { useDeployment } from "@/components/providers/deploymentProvider";
+import { AuthFormValues } from "@/types/auth";
+import { getEffectiveRoutePath } from "@/lib/auth";
 import log from "@/lib/logger";
 
 const { Text } = Typography;
@@ -32,24 +35,23 @@ const { Text } = Typography;
 export function RegisterModal() {
   const {
     isRegisterModalOpen,
+    isAuthenticated,
     closeRegisterModal,
     openLoginModal,
     register,
     authServiceUnavailable,
-  } = useAuth();
-  const {
-    form,
-    isLoading,
-    setIsLoading,
-    emailError,
-    setEmailError,
-    resetForm,
-  } = useAuthForm();
+  } = useAuthenticationContext();
+  const { isSpeedMode } = useDeployment();
+
+  const router = useRouter();
+  const pathname = usePathname();
+  const [form] = Form.useForm<AuthFormValues>();
+  const [isLoading, setIsLoading] = useState(false);
+  const [emailError, setEmailError] = useState("");
   const [passwordError, setPasswordError] = useState<{
     target: "password" | "confirmPassword" | "";
     message: string;
   }>({ target: "", message: "" });
-  const [isAdminMode, setIsAdminMode] = useState(false);
   const { t } = useTranslation("common");
   const { message } = App.useApp();
 
@@ -66,6 +68,12 @@ export function RegisterModal() {
     return !!(password && password.length >= 6);
   };
 
+  const resetForm = () => {
+    setEmailError("");
+    setPasswordError({ target: "", message: "" });
+    form.resetFields();
+  };
+
   const handleSubmit = async (values: AuthFormValues) => {
     setIsLoading(true);
     setEmailError(""); // Reset error state
@@ -98,13 +106,12 @@ export function RegisterModal() {
       await register(
         values.email,
         values.password,
-        isAdminMode,
-        values.inviteCode
+        values.inviteCode,
+        true,
       );
 
       // Reset form and clear error states
       resetForm();
-      setIsAdminMode(false);
     } catch (error: any) {
       log.error("Registration error details:", error);
 
@@ -211,7 +218,10 @@ export function RegisterModal() {
         ]);
       }
       // Registration service error
-      else if (errorType === "REGISTRATION_SERVICE_ERROR" || httpStatusCode === 500) {
+      else if (
+        errorType === "REGISTRATION_SERVICE_ERROR" ||
+        httpStatusCode === 500
+      ) {
         const errorMsg = t("auth.registrationServiceError");
         message.error(errorMsg);
         setEmailError(errorMsg);
@@ -223,7 +233,10 @@ export function RegisterModal() {
         setEmailError(errorMsg);
       }
       // Auth service unavailable
-      else if (httpStatusCode === 503 || errorType === "AUTH_SERVICE_UNAVAILABLE") {
+      else if (
+        httpStatusCode === 503 ||
+        errorType === "AUTH_SERVICE_UNAVAILABLE"
+      ) {
         const errorMsg = t("auth.authServiceUnavailable");
         message.error(errorMsg);
         setEmailError(errorMsg);
@@ -242,7 +255,6 @@ export function RegisterModal() {
   const handleLoginClick = () => {
     resetForm();
     setPasswordError({ target: "", message: "" });
-    setIsAdminMode(false);
     closeRegisterModal();
     openLoginModal();
   };
@@ -250,8 +262,16 @@ export function RegisterModal() {
   const handleCancel = () => {
     resetForm();
     setPasswordError({ target: "", message: "" });
-    setIsAdminMode(false);
     closeRegisterModal();
+
+    // If user manually cancels registration from a protected page,
+    // redirect back to home instead of keeping them on the restricted page
+    if (!isAuthenticated && !isSpeedMode) {
+      const effectivePath = pathname ? getEffectiveRoutePath(pathname) : "/";
+      if (effectivePath !== "/") {
+        router.push("/");
+      }
+    }
   };
 
   // Handle email input change - real-time email format validation
@@ -320,274 +340,283 @@ export function RegisterModal() {
   return (
     <Modal
       title={
-        <div className="text-center text-xl font-bold">
+        <div className="text-center text-xl font-bold mt-3">
           {t("auth.registerTitle")}
         </div>
       }
       open={isRegisterModalOpen}
       onCancel={handleCancel}
       footer={null}
-      width={400}
+      width={420}
       centered
       forceRender
     >
-      <Form
-        id="register-form"
-        form={form}
-        layout="vertical"
-        onFinish={handleSubmit}
-        className="mt-6"
-        autoComplete="off"
-      >
-        <Form.Item
-          name="email"
-          label={t("auth.emailLabel")}
-          validateStatus={emailError ? "error" : ""}
-          help={emailError}
-          rules={[
-            { required: true, message: t("auth.emailRequired") },
-            {
-              validator: (_, value) => {
-                if (!value) return Promise.resolve();
-                if (!validateEmail(value)) {
-                  return Promise.reject(
-                    new Error(t("auth.invalidEmailFormat"))
-                  );
-                }
-                return Promise.resolve();
-              },
-            },
-          ]}
+      <div className="relative bg-white p-4 rounded-2xl">
+        <Form
+          id="register-form"
+          form={form}
+          layout="vertical"
+          onFinish={handleSubmit}
+          className="mt-6"
+          autoComplete="off"
         >
-          <Input
-            prefix={<UserRound className="text-gray-400" size={16} />}
-            placeholder="your@email.com"
-            size="large"
-            onChange={handleEmailInputChange}
-          />
-        </Form.Item>
-
-        <Form.Item
-          name="password"
-          label={t("auth.passwordLabel")}
-          validateStatus={
-            passwordError.target === "password" &&
-            !form.getFieldError("password").length
-              ? "error"
-              : ""
-          }
-          help={
-            form.getFieldError("password").length
-              ? undefined
-              : passwordError.target === "password"
-              ? passwordError.message
-              : authServiceUnavailable
-              ? t("auth.authServiceUnavailable")
-              : undefined
-          }
-          rules={[
-            { required: true, message: t("auth.passwordRequired") },
-            {
-              validator: (_, value) => {
-                if (!value) return Promise.resolve();
-                if (!validatePassword(value)) {
-                  return Promise.reject(new Error(t("auth.passwordMinLength")));
-                }
-                return Promise.resolve();
+          <Form.Item
+            name="email"
+            label={t("auth.emailLabel")}
+            validateStatus={emailError ? "error" : ""}
+            help={emailError}
+            rules={[
+              { required: true, message: t("auth.emailRequired") },
+              {
+                validator: (_, value) => {
+                  if (!value) return Promise.resolve();
+                  if (!validateEmail(value)) {
+                    return Promise.reject(
+                      new Error(t("auth.invalidEmailFormat"))
+                    );
+                  }
+                  return Promise.resolve();
+                },
               },
-            },
-          ]}
-          hasFeedback
-        >
-          <Input.Password
-            id="register-password"
-            prefix={<LockKeyhole className="text-gray-400" size={16} />}
-            placeholder={t("auth.passwordRequired")}
-            size="large"
-            onChange={handlePasswordChange}
-          />
-        </Form.Item>
-
-        <Form.Item
-          name="confirmPassword"
-          label={t("auth.confirmPasswordLabel")}
-          validateStatus={
-            passwordError.target === "confirmPassword" &&
-            !form.getFieldError("confirmPassword").length
-              ? "error"
-              : ""
-          }
-          help={
-            form.getFieldError("confirmPassword").length
-              ? undefined
-              : passwordError.target === "confirmPassword"
-              ? passwordError.message
-              : authServiceUnavailable
-              ? t("auth.authServiceUnavailable")
-              : undefined
-          }
-          dependencies={["password"]}
-          hasFeedback
-          rules={[
-            { required: true, message: t("auth.confirmPasswordRequired") },
-            ({ getFieldValue }) => ({
-              validator(_, value) {
-                const password = getFieldValue("password");
-                // First check password length using validation function
-                if (password && !validatePassword(password)) {
-                  setPasswordError({
-                    target: "password",
-                    message: t("auth.passwordMinLength"),
-                  });
-                  return Promise.reject(new Error(t("auth.passwordMinLength")));
-                }
-                // Then check password match
-                if (!value || getFieldValue("password") === value) {
-                  setPasswordError({ target: "", message: "" });
+            ]}
+          >
+            <Input
+              prefix={<UserRound className="text-gray-400" size={16} />}
+              placeholder="your@email.com"
+              size="large"
+              onChange={handleEmailInputChange}
+            />
+          </Form.Item>
+
+          <Form.Item
+            name="password"
+            label={t("auth.passwordLabel")}
+            validateStatus={
+              passwordError.target === "password" &&
+                !form.getFieldError("password").length
+                ? "error"
+                : ""
+            }
+            help={
+              form.getFieldError("password").length
+                ? undefined
+                : passwordError.target === "password"
+                  ? passwordError.message
+                  : authServiceUnavailable
+                    ? t("auth.authServiceUnavailable")
+                    : undefined
+            }
+            rules={[
+              { required: true, message: t("auth.passwordRequired") },
+              {
+                validator: (_, value) => {
+                  if (!value) return Promise.resolve();
+                  if (!validatePassword(value)) {
+                    return Promise.reject(new Error(t("auth.passwordMinLength")));
+                  }
                   return Promise.resolve();
-                }
-                setPasswordError({
-                  target: "confirmPassword",
-                  message: t("auth.passwordsDoNotMatch"),
-                });
-                return Promise.reject(new Error(t("auth.passwordsDoNotMatch")));
+                },
               },
-            }),
-          ]}
-        >
-          <Input.Password
-            id="register-confirm-password"
-            prefix={<ShieldCheck className="text-gray-400" size={16} />}
-            placeholder={t("auth.confirmPasswordRequired")}
-            size="large"
-            onChange={handleConfirmPasswordChange}
-          />
-        </Form.Item>
-
-        <Divider />
-
-        <Form.Item className="mb-4">
-          <div className="flex items-center justify-between">
-            <div className="flex items-center gap-2">
-              <Crown className="text-amber-500" size={18} />
-              <span className="font-medium">{t("auth.adminAccount")}</span>
-            </div>
-            <Switch
-              checked={isAdminMode}
-              onChange={setIsAdminMode}
-              checkedChildren={t("auth.admin")}
-              unCheckedChildren={t("auth.user")}
+            ]}
+            hasFeedback
+          >
+            <Input.Password
+              id="register-password"
+              prefix={<LockKeyhole className="text-gray-400" size={16} />}
+              placeholder={t("auth.passwordRequired")}
+              size="large"
+              onChange={handlePasswordChange}
             />
-          </div>
-          <Text type="secondary" className="text-sm mt-1 block">
-            {t("auth.adminAccountDescription")}
-          </Text>
-        </Form.Item>
-
-        {isAdminMode && (
-          <>
-            <div className="mb-4 p-3 bg-blue-50 dark:bg-blue-900/20 border border-blue-200 dark:border-blue-800 rounded-lg">
-              <div className="text-sm text-blue-800 dark:text-blue-200">
-                <div className="font-medium mb-2">
-                  {t("auth.inviteCodeHint.title")}
-                </div>
-                <div className="space-y-1">
-                  <div>
-                    ✨ {t("auth.inviteCodeHint.step1")}
-                    <a
-                      href="https://github.com/ModelEngine-Group/nexent"
-                      target="_blank"
-                      rel="noopener noreferrer"
-                      className="text-blue-600 dark:text-blue-400 hover:underline font-medium"
-                    >
-                      {t("auth.inviteCodeHint.projectLink")}
-                    </a>
-                    {t("auth.inviteCodeHint.starAction")}
-                  </div>
-                  <div>
-                    💬 {t("auth.inviteCodeHint.step2")}
-                    <a
-                      href={t("auth.inviteCodeHint.contributionWallUrl")}
-                      target="_blank"
-                      rel="noopener noreferrer"
-                      className="text-blue-600 dark:text-blue-400 hover:underline font-medium"
-                    >
-                      {t("auth.inviteCodeHint.contributionWallLink")}
-                    </a>
-                    {t("auth.inviteCodeHint.step2Action")}
-                    <a
-                      href={t("auth.inviteCodeHint.documentationUrl")}
-                      target="_blank"
-                      rel="noopener noreferrer"
-                      className="ml-2 text-blue-600 dark:text-blue-400 hover:underline"
-                      title={t("auth.inviteCodeHint.viewDocumentation")}
-                    >
-                      <BookMarked size={16} />
-                    </a>
+          </Form.Item>
+
+          <Form.Item
+            name="confirmPassword"
+            label={t("auth.confirmPasswordLabel")}
+            validateStatus={
+              passwordError.target === "confirmPassword" &&
+                !form.getFieldError("confirmPassword").length
+                ? "error"
+                : ""
+            }
+            help={
+              form.getFieldError("confirmPassword").length
+                ? undefined
+                : passwordError.target === "confirmPassword"
+                  ? passwordError.message
+                  : authServiceUnavailable
+                    ? t("auth.authServiceUnavailable")
+                    : undefined
+            }
+            dependencies={["password"]}
+            hasFeedback
+            rules={[
+              { required: true, message: t("auth.confirmPasswordRequired") },
+              ({ getFieldValue }) => ({
+                validator(_, value) {
+                  const password = getFieldValue("password");
+                  // First check password length using validation function
+                  if (password && !validatePassword(password)) {
+                    setPasswordError({
+                      target: "password",
+                      message: t("auth.passwordMinLength"),
+                    });
+                    return Promise.reject(new Error(t("auth.passwordMinLength")));
+                  }
+                  // Then check password match
+                  if (!value || getFieldValue("password") === value) {
+                    setPasswordError({ target: "", message: "" });
+                    return Promise.resolve();
+                  }
+                  setPasswordError({
+                    target: "confirmPassword",
+                    message: t("auth.passwordsDoNotMatch"),
+                  });
+                  return Promise.reject(new Error(t("auth.passwordsDoNotMatch")));
+                },
+              }),
+            ]}
+          >
+            <Input.Password
+              id="register-confirm-password"
+              prefix={<ShieldCheck className="text-gray-400" size={16} />}
+              placeholder={t("auth.confirmPasswordRequired")}
+              size="large"
+              onChange={handleConfirmPasswordChange}
+            />
+          </Form.Item>
+
+          <Form.Item
+            name="inviteCode"
+            label={t("auth.inviteCodeLabel")}
+            rules={[{ required: true, message: t("auth.inviteCodeRequired") }]}
+          >
+            <Input
+              prefix={<KeyRound className="text-gray-400" size={16} />}
+              placeholder={t("auth.inviteCodePlaceholder")}
+              size="large"
+            />
+          </Form.Item>
+
+          <Form.Item>
+            <Popover
+              content={
+                <div className="max-w-sm">
+                  {/* Method 1: Open Source Contribution */}
+                  <div className="bg-white dark:bg-gray-800 rounded-lg p-3 mb-3">
+                    <div className="font-medium text-sm text-gray-900 dark:text-gray-100 mb-2">
+                      {t("auth.inviteCodeHint.method1.title")}
+                    </div>
+                    <div className="space-y-2">
+                      <div className="flex items-start">
+                        <span className="mr-1 leading-none">✨</span>
+                        <div className="text-sm text-gray-600 dark:text-gray-400">
+                          {t("auth.inviteCodeHint.step1")}
+                          <a
+                            href="https://github.com/ModelEngine-Group/nexent"
+                            target="_blank"
+                            rel="noopener noreferrer"
+                            className="text-blue-600 dark:text-blue-400 hover:underline font-medium"
+                          >
+                            {t("auth.inviteCodeHint.projectLink")}
+                          </a>
+                          {t("auth.inviteCodeHint.starAction")}
+                        </div>
+                      </div>
+                      <div className="flex items-start">
+                        <span className="mr-1 leading-none">💬</span>
+                        <div className="text-sm text-gray-600 dark:text-gray-400">
+                          {t("auth.inviteCodeHint.step2")}
+                          <a
+                            href={t("auth.inviteCodeHint.contributionWallUrl")}
+                            target="_blank"
+                            rel="noopener noreferrer"
+                            className="text-blue-600 dark:text-blue-400 hover:underline font-medium"
+                          >
+                            {t("auth.inviteCodeHint.contributionWallLink")}
+                          </a>
+                          {t("auth.inviteCodeHint.step2Action")}
+                          <a
+                            href={t("auth.inviteCodeHint.documentationUrl")}
+                            target="_blank"
+                            rel="noopener noreferrer"
+                            className="ml-1 text-blue-600 dark:text-blue-400 hover:underline inline-flex items-center"
+                            title={t("auth.inviteCodeHint.viewDocumentation")}
+                          >
+                            <BookMarked size={16} />
+                          </a>
+                        </div>
+                      </div>
+                      <div className="flex items-start">
+                        <span className="mr-1 leading-none">🎁</span>
+                        <div className="text-sm text-gray-600 dark:text-gray-400">
+                          {t("auth.inviteCodeHint.step3")}
+                          <a
+                            href="http://nexent.tech/contact"
+                            target="_blank"
+                            rel="noopener noreferrer"
+                            className="text-blue-600 dark:text-blue-400 hover:underline font-medium"
+                          >
+                            {t("auth.inviteCodeHint.communityLink")}
+                          </a>
+                          {t("auth.inviteCodeHint.step3Action")}
+                        </div>
+                      </div>
+                    </div>
                   </div>
-                  <div>
-                    🎁 {t("auth.inviteCodeHint.step3")}
-                    <a
-                      href="http://nexent.tech/contact"
-                      target="_blank"
-                      rel="noopener noreferrer"
-                      className="text-blue-600 dark:text-blue-400 hover:underline font-medium"
-                    >
-                      {t("auth.inviteCodeHint.communityLink")}
-                    </a>
-                    {t("auth.inviteCodeHint.step3Action")}
+
+                  {/* Method 2: Contact Tenant Administrator */}
+                  <div className="bg-white dark:bg-gray-800 rounded-lg p-3">
+                    <div className="font-medium text-sm text-gray-900 dark:text-gray-100 mb-2">
+                      {t("auth.inviteCodeHint.method2.title")}
+                    </div>
+                    <div className="space-y-2">
+                      <div className="flex items-start">
+                        <Users size={16} className="text-blue-600 dark:text-blue-400 mr-1 mt-0.5" />
+                        <div className="text-sm text-gray-600 dark:text-gray-400">
+                          {t("auth.inviteCodeHint.method2.description")}
+                        </div>
+                      </div>
+                    </div>
                   </div>
                 </div>
+              }
+              title={t("auth.inviteCodeHint.popoverTitle")}
+              trigger="hover"
+              mouseEnterDelay={0.3}
+              overlayClassName="max-w-xs"
+            >
+              <div className="flex items-center text-blue-600 dark:text-blue-400 hover:text-blue-700 dark:hover:text-blue-300 cursor-pointer text-sm">
+                <HelpCircle size={16} className="mr-1" />
+                {t("auth.inviteCodeHint.howToGetCode")}
               </div>
-            </div>
-            <Form.Item
-              name="inviteCode"
-              label={t("auth.inviteCodeLabel")}
-              rules={[
-                {
-                  required: isAdminMode,
-                  message: t("auth.inviteCodeRequired"),
-                },
-              ]}
+            </Popover>
+          </Form.Item>
+
+
+          <Form.Item>
+            <Button
+              type="primary"
+              htmlType="submit"
+              loading={isLoading}
+              block
+              size="large"
+              className="mt-2"
+              disabled={authServiceUnavailable}
             >
-              <Input
-                prefix={<KeyRound className="text-gray-400" size={16} />}
-                placeholder={t("auth.inviteCodeRequired")}
-                size="large"
-              />
-            </Form.Item>
-          </>
-        )}
-
-        <Form.Item>
-          <Button
-            type="primary"
-            htmlType="submit"
-            loading={isLoading}
-            block
-            size="large"
-            className="mt-2"
-            disabled={authServiceUnavailable}
-          >
-            {isLoading
-              ? isAdminMode
-                ? t("auth.registeringAdmin")
-                : t("auth.registering")
-              : isAdminMode
-              ? t("auth.registerAdmin")
-              : t("auth.register")}
-          </Button>
-        </Form.Item>
-
-        <div className="text-center">
-          <Space>
-            <Text type="secondary">{t("auth.hasAccount")}</Text>
-            <Button type="link" onClick={handleLoginClick} className="p-0">
-              {t("auth.loginNow")}
+              {isLoading? t("auth.registering"): t("auth.register")}
             </Button>
-          </Space>
-        </div>
-      </Form>
+          </Form.Item>
+
+          <div className="text-center">
+            <Space>
+              <Text type="secondary">{t("auth.hasAccount")}</Text>
+              <Button type="link" onClick={handleLoginClick} className="p-0">
+                {t("auth.loginNow")}
+              </Button>
+            </Space>
+          </div>
+        </Form>
+      </div>
     </Modal>
   );
 }
diff --git a/frontend/components/auth/sessionListeners.tsx b/frontend/components/auth/sessionListeners.tsx
deleted file mode 100644
index bf23079e8..000000000
--- a/frontend/components/auth/sessionListeners.tsx
+++ /dev/null
@@ -1,230 +0,0 @@
-"use client";
-
-import { useEffect, useRef } from "react";
-import { useRouter, usePathname } from "next/navigation";
-import { useTranslation } from "react-i18next";
-import { App, Modal } from "antd";
-import { ExclamationCircleOutlined } from "@ant-design/icons";
-
-import { useAuth } from "@/hooks/useAuth";
-import { useConfirmModal } from "@/hooks/useConfirmModal";
-import { authService } from "@/services/authService";
-import { sessionService } from "@/services/sessionService";
-import { getSessionFromStorage } from "@/lib/auth";
-import { EVENTS } from "@/const/auth";
-import {
-  TOKEN_REFRESH_BEFORE_EXPIRY_MS,
-  MIN_ACTIVITY_CHECK_INTERVAL_MS,
-} from "@/const/constants";
-import log from "@/lib/logger";
-import { saveView } from "@/lib/viewPersistence";
-
-/**
- * Session management component
- * Handles session expiration, session refresh and other functions
- */
-export function SessionListeners() {
-  const router = useRouter();
-  const pathname = usePathname();
-  const { t } = useTranslation("common");
-  const { openLoginModal, setIsFromSessionExpired, clearLocalSession, isSpeedMode } =
-    useAuth();
-  const { modal } = App.useApp();
-  const { confirm } = useConfirmModal();
-  const modalShownRef = useRef<boolean>(false);
-
-  const isLocaleHomePath = (path?: string | null) => {
-    if (!path) return false;
-    const segments = path.split("/").filter(Boolean);
-    return segments.length <= 1;
-  };
-
-  /**
-   * Show "Login Expired" confirmation modal
-   * This function handles debounce logic to prevent modal from appearing repeatedly
-   */
-  const showSessionExpiredModal = () => {
-    // If already shown, return directly
-    if (modalShownRef.current) return;
-    modalShownRef.current = true;
-
-    modal.confirm({
-      title: t("login.expired.title"),
-      icon: <ExclamationCircleOutlined />,
-      content: t("login.expired.content"),
-      okText: t("login.expired.okText"),
-      cancelText: t("login.expired.cancelText"),
-      centered: true,
-      closable: false,
-      okButtonProps: { 
-        type: "primary"
-      },
-      onOk() {
-        // Clear local session state (session already expired on backend)
-        clearLocalSession();
-        // Mark the source as session expired
-        setIsFromSessionExpired(true);
-        Modal.destroyAll();
-        openLoginModal();
-        setTimeout(() => (modalShownRef.current = false), 500);
-      },
-      onCancel() {
-        // Clear local session state (session already expired on backend)
-        clearLocalSession();
-        saveView("home");
-        router.push("/");
-        setTimeout(() => (modalShownRef.current = false), 500);
-      },
-    });
-  };
-
-  // Listen for events after successful login, reset modalShown state
-  useEffect(() => {
-    const handleModalClosed = () => {
-      modalShownRef.current = false;
-    };
-
-    // Add event listener
-    document.addEventListener("modalClosed", handleModalClosed);
-
-    // Cleanup function
-    return () => {
-      document.removeEventListener("modalClosed", handleModalClosed);
-    };
-  }, []);
-
-  // Listen for session expiration events (skip in speed mode)
-  useEffect(() => {
-    if (isSpeedMode) return;
-    const handleSessionExpired = (event: CustomEvent) => {
-      // Directly call the wrapper function
-      showSessionExpiredModal();
-    };
-
-    // Add event listener
-    window.addEventListener(
-      EVENTS.SESSION_EXPIRED,
-      handleSessionExpired as EventListener
-    );
-
-    // Cleanup function
-    return () => {
-      window.removeEventListener(
-        EVENTS.SESSION_EXPIRED,
-        handleSessionExpired as EventListener
-      );
-    };
-    // Remove confirm from dependency array to avoid duplicate registration due to function reference changes
-  }, [isSpeedMode]);
-
-  // When component first mounts, if no local session is found, show modal immediately
-  useEffect(() => {
-    // Skip in speed mode
-    if (isSpeedMode) return;
-  }, []);
-
-  // Session status check
-  useEffect(() => {
-    // Skip in speed mode
-    if (isSpeedMode) return;
-    // Check session status on first load
-    const checkSession = async () => {
-      try {
-        // Capture whether there was a local session before validation
-        const hadLocalSession =
-          typeof window !== "undefined" && !!localStorage.getItem("session");
-
-        // Try to get current session
-        const session = await authService.getSession();
-
-        // Only show session expired modal if a prior session existed and is now invalid
-        if ((!session && hadLocalSession) || (!session && !hadLocalSession && !isLocaleHomePath(pathname))) {
-          window.dispatchEvent(
-            new CustomEvent(EVENTS.SESSION_EXPIRED, {
-              detail: { message: "Session expired, please sign in again" },
-            })
-          );
-        }
-      } catch (error) {
-        log.error("Error checking session status:", error);
-      }
-    };
-
-    checkSession();
-  }, [pathname, isSpeedMode]);
-
-  // Sliding expiration: refresh token shortly before expiry on user activity (skip in speed mode)
-  useEffect(() => {
-    if (isSpeedMode) return;
-
-    let lastActivityCheckAt = 0;
-
-    const maybeRefreshOnActivity = async () => {
-      try {
-        // Throttle activity-driven checks
-        const now = Date.now();
-        if (now - lastActivityCheckAt < MIN_ACTIVITY_CHECK_INTERVAL_MS) return;
-        lastActivityCheckAt = now;
-
-        // Do not run when page is hidden
-        if (typeof document !== "undefined" && document.hidden) return;
-
-        const sessionObj = getSessionFromStorage();
-        if (!sessionObj?.expires_at) return;
-
-        const msUntilExpiry = sessionObj.expires_at * 1000 - now;
-        if (msUntilExpiry <= TOKEN_REFRESH_BEFORE_EXPIRY_MS) {
-          const ok = await sessionService.checkAndRefreshToken();
-          if (!ok) {
-            // If refresh failed and token is already expired, raise expired flow
-            if (msUntilExpiry <= 0) {
-              window.dispatchEvent(
-                new CustomEvent(EVENTS.SESSION_EXPIRED, {
-                  detail: { message: "Session expired, please sign in again" },
-                })
-              );
-            }
-          }
-        }
-      } catch (error) {
-        log.error("Activity-based refresh check failed:", error);
-      }
-    };
-
-    const events: (keyof DocumentEventMap | keyof WindowEventMap)[] = [
-      "click",
-      "keydown",
-      "mousemove",
-      "touchstart",
-      "focus",
-      "visibilitychange",
-    ];
-
-    const handler = () => {
-      // Wrap to avoid passing the event into async function
-      void maybeRefreshOnActivity();
-    };
-
-    events.forEach((evt) => {
-      // Use window for focus/visibility, document for input/mouse
-      if (evt === "focus" || evt === "visibilitychange") {
-        window.addEventListener(evt as any, handler, { passive: true });
-      } else {
-        document.addEventListener(evt as any, handler, { passive: true });
-      }
-    });
-
-    return () => {
-      events.forEach((evt) => {
-        if (evt === "focus" || evt === "visibilitychange") {
-          window.removeEventListener(evt as any, handler as any);
-        } else {
-          document.removeEventListener(evt as any, handler as any);
-        }
-      });
-    };
-  }, [isSpeedMode]);
-
-  // This component doesn't render UI elements
-  return null;
-}
diff --git a/frontend/components/homepage/AuthDialogs.tsx b/frontend/components/homepage/AuthDialogs.tsx
deleted file mode 100644
index dcb66b917..000000000
--- a/frontend/components/homepage/AuthDialogs.tsx
+++ /dev/null
@@ -1,186 +0,0 @@
-"use client";
-
-import { useTranslation, Trans } from "react-i18next";
-import { Modal, Button } from "antd";
-
-interface AuthDialogsProps {
-  loginPromptOpen: boolean;
-  adminPromptOpen: boolean;
-  onCloseLoginPrompt: () => void;
-  onCloseAdminPrompt: () => void;
-  onLoginClick: () => void;
-  onRegisterClick: () => void;
-}
-
-/**
- * Authentication dialogs component
- * Contains login prompt and admin prompt modals
- */
-export function AuthDialogs({
-  loginPromptOpen,
-  adminPromptOpen,
-  onCloseLoginPrompt,
-  onCloseAdminPrompt,
-  onLoginClick,
-  onRegisterClick,
-}: AuthDialogsProps) {
-  const { t } = useTranslation("common");
-
-  return (
-    <>
-      {/* Login prompt dialog */}
-      <Modal
-        title={t("page.loginPrompt.title")}
-        open={loginPromptOpen}
-        onCancel={onCloseLoginPrompt}
-        footer={[
-          <Button
-            key="register"
-            variant="link"
-            onClick={onRegisterClick}
-            className="bg-white mr-2"
-          >
-            {t("page.loginPrompt.register")}
-          </Button>,
-          <Button
-            key="login"
-            onClick={onLoginClick}
-            className="bg-blue-600 text-white hover:bg-blue-700"
-          >
-            {t("page.loginPrompt.login")}
-          </Button>,
-        ]}
-        centered
-      >
-        <div className="py-2">
-          <h3 className="text-base font-medium mb-2">
-            {t("page.loginPrompt.header")}
-          </h3>
-          <p className="text-gray-600 mb-3">
-            {t("page.loginPrompt.intro")}
-          </p>
-
-          <div className="rounded-md mb-6 mt-3">
-            <h3 className="text-base font-medium mb-1">
-              {t("page.loginPrompt.benefitsTitle")}
-            </h3>
-            <ul className="text-gray-600 pl-5 list-disc">
-              {(
-                t("page.loginPrompt.benefits", {
-                  returnObjects: true,
-                }) as string[]
-              ).map((benefit, i) => (
-                <li key={i}>{benefit}</li>
-              ))}
-            </ul>
-          </div>
-
-          <div className="mt-4">
-            <p className="text-base font-medium">
-              <Trans i18nKey="page.loginPrompt.githubSupport">
-                ⭐️ Nexent is still growing, please help me by starring on
-                <a
-                  href="https://github.com/ModelEngine-Group/nexent"
-                  target="_blank"
-                  rel="noopener noreferrer"
-                  className="text-blue-600 hover:text-blue-700 font-bold"
-                >
-                  GitHub
-                </a>
-                , thank you.
-              </Trans>
-            </p>
-          </div>
-          <br />
-
-          <p className="text-gray-500 text-xs">
-            {t("page.loginPrompt.noAccount")}
-          </p>
-        </div>
-      </Modal>
-
-      {/* Admin prompt dialog */}
-      <Modal
-        title={t("page.adminPrompt.title")}
-        open={adminPromptOpen}
-        onCancel={onCloseAdminPrompt}
-        footer={[
-          <Button
-            key="register"
-            variant="link"
-            onClick={onRegisterClick}
-            className="bg-white mr-2"
-          >
-            {t("page.loginPrompt.register")}
-          </Button>,
-          <Button
-            key="login"
-            onClick={onLoginClick}
-            className="bg-blue-600 text-white hover:bg-blue-700"
-          >
-            {t("page.loginPrompt.login")}
-          </Button>,
-        ]}
-        centered
-      >
-        <div className="py-2">
-          <p className="text-gray-600">{t("page.adminPrompt.intro")}</p>
-        </div>
-        <div className="py-2">
-          <h3 className="text-base font-medium mb-2">
-            {t("page.adminPrompt.unlockHeader")}
-          </h3>
-          <p className="text-gray-600 mb-3">
-            {t("page.adminPrompt.unlockIntro")}
-          </p>
-          <div className="rounded-md mb-6 mt-3">
-            <h3 className="text-base font-medium mb-1">
-              {t("page.adminPrompt.permissionsTitle")}
-            </h3>
-            <ul className="text-gray-600 pl-5 list-disc">
-              {(
-                t("page.adminPrompt.permissions", {
-                  returnObjects: true,
-                }) as string[]
-              ).map((permission, i) => (
-                <li key={i}>{permission}</li>
-              ))}
-            </ul>
-          </div>
-          <div className="mt-4">
-            <p className="text-base font-medium">
-              <Trans i18nKey="page.adminPrompt.githubSupport">
-                ⭐️ Nexent is still growing, please help me by starring on
-                <a
-                  href="https://github.com/ModelEngine-Group/nexent"
-                  target="_blank"
-                  rel="noopener noreferrer"
-                  className="text-blue-600 hover:text-blue-700 font-bold"
-                >
-                  GitHub
-                </a>
-                , thank you.
-              </Trans>
-              <br />
-              <br />
-              <Trans i18nKey="page.adminPrompt.becomeAdmin">
-                💡 Want to become an administrator? Please visit the
-                <a
-                  href="http://nexent.tech/contact"
-                  target="_blank"
-                  rel="noopener noreferrer"
-                  className="text-blue-600 hover:text-blue-700 font-bold"
-                >
-                  official contact page
-                </a>
-                to apply for an administrator account.
-              </Trans>
-            </p>
-          </div>
-          <br />
-        </div>
-      </Modal>
-    </>
-  );
-}
-
diff --git a/frontend/components/navigation/ChatTopNavContent.tsx b/frontend/components/navigation/ChatTopNavContent.tsx
new file mode 100644
index 000000000..c93e60555
--- /dev/null
+++ b/frontend/components/navigation/ChatTopNavContent.tsx
@@ -0,0 +1,48 @@
+"use client";
+
+import { useConfig } from "@/hooks/useConfig";
+import { extractColorsFromUri } from "@/lib/avatar";
+import { useRouter } from "next/navigation";
+import { useTranslation } from "react-i18next";
+
+/**
+ * ChatTopNavContent - Displays app logo and name in the top navbar for chat page
+ */
+export function ChatTopNavContent() {
+  const router = useRouter();
+  const { i18n } = useTranslation();
+  const { appConfig, getAppAvatarUrl } = useConfig();
+  const sidebarAvatarUrl = getAppAvatarUrl(16);
+  
+  // Static font-size for top navbar (no responsive sizing required)
+
+  const colors = extractColorsFromUri(appConfig.avatarUri || "");
+  const mainColor = colors.mainColor || "273746";
+  const secondaryColor = colors.secondaryColor || mainColor;
+
+  return (
+    <div
+      className="flex items-center cursor-pointer hover:opacity-80 transition-opacity"
+      onClick={() => router.push(`/${i18n.language}`)}
+    >
+      <div className="h-6 w-6 rounded-full overflow-hidden mr-2">
+        <img
+          src={sidebarAvatarUrl}
+          alt={appConfig.appName}
+          className="h-full w-full object-cover"
+        />
+      </div>
+      <span
+        className="font-bold truncate bg-clip-text text-transparent"
+        style={{
+          fontSize: '16px',
+          lineHeight: '20px',
+          backgroundImage: `linear-gradient(180deg, #${mainColor} 0%, #${secondaryColor} 100%)`,
+        }}
+      >
+        {appConfig.appName}
+      </span>
+    </div>
+  );
+}
+
diff --git a/frontend/components/navigation/SideNavigation.tsx b/frontend/components/navigation/SideNavigation.tsx
index 50dcea1ee..77671114b 100644
--- a/frontend/components/navigation/SideNavigation.tsx
+++ b/frontend/components/navigation/SideNavigation.tsx
@@ -1,6 +1,6 @@
 "use client";
 
-import { useState, useEffect } from "react";
+import { useState, useEffect, useMemo } from "react";
 import { useTranslation } from "react-i18next";
 import { useRouter, usePathname } from "next/navigation";
 import { Menu, ConfigProvider } from "antd";
@@ -20,132 +20,144 @@ import {
   Building2,
 } from "lucide-react";
 import type { MenuProps } from "antd";
-import { useAuth } from "@/hooks/useAuth";
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
+import { useAuthenticationContext } from "@/components/providers/AuthenticationProvider";
+import { useDeployment } from "@/components/providers/deploymentProvider";
 import { SIDER_CONFIG } from "@/const/layoutConstants";
+import { AUTH_EVENTS } from "@/const/auth";
+import { getEffectiveRoutePath } from "@/lib/auth";
+import { authEvents } from "@/lib/authEvents";
 
 interface SideNavigationProps {
-  onAuthRequired?: () => void;
-  onAdminRequired?: () => void;
   collapsed?: boolean;
 }
 
+/**
+ * Route configuration interface for menu items
+ */
+interface RouteConfig {
+  path: string;
+  Icon: React.ComponentType<{ className?: string }>;
+  labelKey: string;
+  order: number;
+}
+
+/**
+ * Static route configuration mapping
+ * All available routes with their metadata
+ */
+const ROUTE_CONFIG: RouteConfig[] = [
+  { path: "/", Icon: Home, labelKey: "sidebar.homePage", order: 0 },
+  { path: "/chat", Icon: Bot, labelKey: "sidebar.startChat", order: 1 },
+  { path: "/setup", Icon: Zap, labelKey: "sidebar.quickConfig", order: 2 },
+  { path: "/space", Icon: Globe, labelKey: "sidebar.agentSpace", order: 3 },
+  { path: "/market", Icon: ShoppingBag, labelKey: "sidebar.agentMarket", order: 4 },
+  { path: "/agents", Icon: Code, labelKey: "sidebar.agentDev", order: 5 },
+  { path: "/knowledges", Icon: BookOpen, labelKey: "sidebar.knowledgeBase", order: 6 },
+  { path: "/mcp-tools", Icon: Puzzle, labelKey: "sidebar.mcpToolsManagement", order: 7 },
+  { path: "/monitoring", Icon: Activity, labelKey: "sidebar.monitoringManagement", order: 8 },
+  { path: "/models", Icon: Settings, labelKey: "sidebar.modelManagement", order: 9 },
+  { path: "/memory", Icon: Database, labelKey: "sidebar.memoryManagement", order: 10 },
+  { path: "/users", Icon: User, labelKey: "sidebar.userManagement", order: 11 },
+  { path: "/tenant-resources", Icon: Building2, labelKey: "sidebar.tenantResources", order: 12 },
+];
+
+/**
+ * Extract all available route paths from ROUTE_CONFIG
+ */
+const ROUTE_PATHS = ROUTE_CONFIG.map((route) => route.path);
+
 /**
  * Side navigation component with collapsible menu
- * Displays main navigation items for the application
+ * Displays main navigation items for the application based on user's accessible routes
  */
 export function SideNavigation({
-  onAuthRequired,
-  onAdminRequired,
   collapsed,
 }: SideNavigationProps) {
   const { t } = useTranslation("common");
-  const { user, isSpeedMode } = useAuth();
+  const { accessibleRoutes } = useAuthorizationContext();
+  const { isAuthenticated, openAuthPromptModal } = useAuthenticationContext();
+  const { isSpeedMode } = useDeployment();
   const router = useRouter();
   const pathname = usePathname();
 
-  const [selectedKey, setSelectedKey] = useState("home");
+  const [selectedKey, setSelectedKey] = useState("/");
+  const [pendingNavigationPath, setPendingNavigationPath] = useState<string | null>(null);
   const isCollapsed = typeof collapsed === "boolean" ? collapsed : false;
 
-  // Add path to key mapping
-  const pathToKeyMap: Record<string, string> = {
-    "/": "home",
-    "/chat": "chat",
-    "/setup": "setup",
-    "/space": "space",
-    "/market": "market",
-    "/agents": "agents",
-    "/knowledges": "knowledges",
-    "/mcp-tools": "mcp-tools",
-    "/monitoring": "monitoring",
-    "/models": "models",
-    "/memory": "memory",
-  };
+  // Update selected key when pathname changes
+  useEffect(() => {
+    const currentPath = getEffectiveRoutePath(pathname);
+    const matchedKey = ROUTE_PATHS.includes(currentPath) ? currentPath : "/";
+    setSelectedKey(matchedKey);
+  }, [pathname]);
 
-  // Add useEffect to listen to pathname changes and update selectedKey
+  // Listen for login success event and navigate to pending path
   useEffect(() => {
-    // Extract actual path from pathname (remove locale prefix)
-    const segments = pathname.split("/").filter(Boolean);
-    // If the first segment is locale (zh or en), remove it
-    if (segments.length > 0 && (segments[0] === "zh" || segments[0] === "en")) {
-      segments.shift();
+    const handleLoginSuccess = () => {
+      if (pendingNavigationPath && isAuthenticated) {
+        // Small delay to ensure authentication state is fully updated
+        setTimeout(() => {
+          router.push(pendingNavigationPath);
+          setPendingNavigationPath(null);
+        }, 200);
+      }
+    };
+
+    const cleanup = authEvents.on(AUTH_EVENTS.LOGIN_SUCCESS, handleLoginSuccess);
+    return cleanup;
+  }, [pendingNavigationPath, isAuthenticated, router]);
+
+  // Listen for back-to-home event and reset selected key
+  useEffect(() => {
+    const handleBackToHome = () => {
+      setSelectedKey("/");
+    };
+
+    const cleanup = authEvents.on(AUTH_EVENTS.BACK_TO_HOME, handleBackToHome);
+    return cleanup;
+  }, []);
+
+  // Filter and sort routes based on accessibleRoutes from authorization context
+  const accessibleMenuItems = useMemo((): RouteConfig[] => {
+    if (!accessibleRoutes || accessibleRoutes.length === 0) {
+      // If no accessibleRoutes available, show all routes (fallback)
+      return [];
     }
-    // Rebuild path
-    const currentPath = "/" + segments.join("/");
 
-    // Find corresponding key, default to home if not found
-    const matchedKey = pathToKeyMap[currentPath] || "home";
-    setSelectedKey(matchedKey);
-  }, [pathname]);
+    return ROUTE_CONFIG.filter((route) =>
+      accessibleRoutes.includes(route.path)
+    ).sort((a, b) => a.order - b.order);
+  }, [accessibleRoutes]);
 
-  // Helper function to create menu item with consistent icon styling
+  /**
+   * Create a menu item from route configuration
+   * Pre-check authentication before navigation to avoid unnecessary route changes
+   */
   const createMenuItem = (
-    key: string,
-    path: string,
-    Icon: any,
-    labelKey: string,
-    requiresAuth = false,
-    requiresAdmin = false
-  ) => ({
-    key,
-    path,
-    icon: <Icon className="w-4 h-4" />,
-    label: t(labelKey),
-    onClick: () => {
-      if (!isSpeedMode && requiresAdmin && user?.role !== "admin") {
-        onAdminRequired?.();
-      } else if (!isSpeedMode && requiresAuth && !user) {
-        onAuthRequired?.();
-      } else {
-        setSelectedKey(key);
-        if (path) {
-          router.push(path);
+    route: RouteConfig
+  ): NonNullable<MenuProps["items"]>[number] => {
+    return {
+      key: route.path,
+      icon: <route.Icon className="w-4 h-4" />,
+      label: t(route.labelKey),
+      onClick: () => {
+        setSelectedKey(route.path);
+
+        // Pre-check authentication - show auth prompt if user is not authenticated
+        if (!isAuthenticated && !isSpeedMode && route.path !== "/") {
+          setPendingNavigationPath(route.path);
+          openAuthPromptModal();
+          return; // Prevent navigation
         }
-      }
-    },
-  });
-
-  // Menu items configuration - paths without locale prefix (middleware will add it)
-  const menuItems: MenuProps["items"] = [
-    createMenuItem("0", "/", Home, "sidebar.homePage"),
-    createMenuItem("1", "/chat", Bot, "sidebar.startChat", true),
-    createMenuItem("2", "/setup", Zap, "sidebar.quickConfig", false, true),
-    createMenuItem("3", "/space", Globe, "sidebar.agentSpace", true),
-    createMenuItem("4", "/market", ShoppingBag, "sidebar.agentMarket", true),
-    createMenuItem("5", "/agents", Code, "sidebar.agentDev", false, true),
-    createMenuItem("6", "/knowledges", BookOpen, "sidebar.knowledgeBase", true),
-    createMenuItem(
-      "10",
-      "/mcp-tools",
-      Puzzle,
-      "sidebar.mcpToolsManagement",
-      false,
-      true
-    ),
-    createMenuItem(
-      "11",
-      "/monitoring",
-      Activity,
-      "sidebar.monitoringManagement",
-      false,
-      true
-    ),
-    createMenuItem(
-      "7",
-      "/models",
-      Settings,
-      "sidebar.modelManagement",
-      false,
-      true
-    ),
-    createMenuItem(
-      "8",
-      "/memory",
-      Database,
-      "sidebar.memoryManagement",
-      false,
-      true
-    ),
-  ];
+
+        router.push(route.path);
+      },
+    };
+  };
+
+  // Generate menu items from accessible routes
+  const menuItems: MenuProps["items"] = accessibleMenuItems.map(createMenuItem);
 
   return (
     <ConfigProvider>
diff --git a/frontend/components/navigation/TopNavbar.tsx b/frontend/components/navigation/TopNavbar.tsx
index 2cc5a28f4..2fbeee744 100644
--- a/frontend/components/navigation/TopNavbar.tsx
+++ b/frontend/components/navigation/TopNavbar.tsx
@@ -3,7 +3,6 @@
 import { Button } from "antd";
 import { AvatarDropdown } from "@/components/auth/avatarDropdown";
 import { useTranslation } from "react-i18next";
-import { useAuth } from "@/hooks/useAuth";
 import { ChevronDown, Globe } from "lucide-react";
 import { Dropdown } from "antd";
 import Link from "next/link";
@@ -11,24 +10,16 @@ import { HEADER_CONFIG, SIDER_CONFIG } from "@/const/layoutConstants";
 import { languageOptions } from "@/const/constants";
 import { useLanguageSwitch } from "@/lib/language";
 import React from "react";
-import { Flex, Layout } from 'antd';
+import { Flex, Layout } from "antd";
+import { ChatTopNavContent } from "./ChatTopNavContent";
+import { useAuthorizationContext } from "../providers/AuthorizationProvider";
+import { useDeployment } from "../providers/deploymentProvider";
 const { Header } = Layout;
 
-interface TopNavbarProps {
-  /** Additional title text to display after logo (separated by |) */
-  additionalTitle?: React.ReactNode;
-  /** Additional content to insert before default right nav items */
-  additionalRightContent?: React.ReactNode;
-}
-
-/**
- * Top navigation bar component
- * Displays logo, language switcher, and user authentication status
- * Can be customized with additionalTitle and additionalRightContent props
- */
-export function TopNavbar({ additionalTitle, additionalRightContent }: TopNavbarProps) {
+export function TopNavbar({ isChatPage }: { isChatPage: boolean }) {
   const { t } = useTranslation("common");
-  const { user, isLoading: userLoading, isSpeedMode } = useAuth();
+  const { user, isLoading } = useAuthorizationContext();
+  const { isSpeedMode } = useDeployment()
   const { currentLanguage, handleLanguageChange } = useLanguageSwitch();
 
   // Left content - Logo + optional additional title (aligned with sidebar width)
@@ -38,20 +29,16 @@ export function TopNavbar({ additionalTitle, additionalRightContent }: TopNavbar
       <Link
         href="/"
         className="cursor-pointer hover:opacity-80 transition-opacity flex-shrink-0 "
-        style={{ width: SIDER_CONFIG.EXPANDED_WIDTH-17 }}
+        style={{ width: SIDER_CONFIG.EXPANDED_WIDTH - 17 }}
       >
         <Flex align="center" gap={8}>
-          <img
-            src="/modelengine-logo2.png"
-            alt="ModelEngine"
-            className="h-7"
-          />
+          <img src="/modelengine-logo2.png" alt="ModelEngine" className="h-7" />
           <span
             className="text-blue-600 dark:text-blue-500 font-bold"
             style={{
-              fontSize: '20px',
-              lineHeight: '24px',
-              height: '22px',
+              fontSize: "20px",
+              lineHeight: "24px",
+              height: "22px",
             }}
           >
             {t("assistant.name")}
@@ -60,11 +47,11 @@ export function TopNavbar({ additionalTitle, additionalRightContent }: TopNavbar
       </Link>
 
       {/* Additional title with separator - outside of sidebar width */}
-      {additionalTitle && (
+      {isChatPage && (
         <Flex align="center" gap={12}>
           <div className="h-6 border-l border-slate-300 dark:border-slate-600"></div>
           <div className="text-slate-600 dark:text-slate-400">
-            {additionalTitle}
+            <ChatTopNavContent />
           </div>
         </Flex>
       )}
@@ -74,8 +61,6 @@ export function TopNavbar({ additionalTitle, additionalRightContent }: TopNavbar
   // Right content - Additional content + default navigation items
   const rightContent = (
     <Flex align="center" gap={16} className="hidden md:flex">
-      {/* Additional right content (e.g., status badge) */}
-      {additionalRightContent}
 
       {/* GitHub link */}
       <Link
@@ -129,7 +114,7 @@ export function TopNavbar({ additionalTitle, additionalRightContent }: TopNavbar
       {/* User status - only shown in full version */}
       {!isSpeedMode && (
         <Flex align="center" gap={8}>
-          {userLoading ? (
+          {isLoading ? (
             <span className="text-xs font-medium text-slate-600">
               {t("common.loading")}...
             </span>
@@ -179,4 +164,3 @@ export function TopNavbar({ additionalTitle, additionalRightContent }: TopNavbar
     </Header>
   );
 }
-
diff --git a/frontend/components/permission/Can.tsx b/frontend/components/permission/Can.tsx
new file mode 100644
index 000000000..1658112ea
--- /dev/null
+++ b/frontend/components/permission/Can.tsx
@@ -0,0 +1,36 @@
+"use client";
+
+import React from "react";
+import { usePermission } from "@/hooks/permission/usePermission";
+
+interface CanProps {
+  permission: string | string[];
+  children: React.ReactNode;
+  fallback?: React.ReactNode;
+}
+
+/**
+ * Render children only when user HAS the permission
+ * 
+ * @example
+ * ```tsx
+ * <Can permission="kb:create">
+ *   <Button>Create k</Button>
+ * </Can>
+ * 
+ * <Can permission={["kb:delete", "kb.groups:delete"]}>
+ *   <DeleteButton />
+ * </Can>
+ * ```
+ */
+export function Can({ permission, children, fallback = null }: CanProps) {
+  const { isReady, can, canAny } = usePermission();
+
+  if (!isReady) return null;
+
+  const hasPermission = Array.isArray(permission)
+    ? canAny(permission)
+    : can(permission);
+
+  return hasPermission ? <>{children}</> : <>{fallback}</>;
+}
diff --git a/frontend/components/permission/Cannot.tsx b/frontend/components/permission/Cannot.tsx
new file mode 100644
index 000000000..be59c080c
--- /dev/null
+++ b/frontend/components/permission/Cannot.tsx
@@ -0,0 +1,32 @@
+"use client";
+
+import React from "react";
+import { usePermission } from "@/hooks/permission/usePermission";
+
+interface CannotProps {
+  permission: string | string[];
+  children: React.ReactNode;
+  fallback?: React.ReactNode;
+}
+
+/**
+ * Render children only when user does NOT have the permission
+ * 
+ * @example
+ * ```tsx
+ * <Cannot permission="kb:delete">
+ *   <Button disabled>Delete</Button>
+ * </Cannot>
+ * ```
+ */
+export function Cannot({ permission, children, fallback = null }: CannotProps) {
+  const { isReady, can, canAny } = usePermission();
+
+  if (!isReady) return null;
+
+  const hasPermission = Array.isArray(permission)
+    ? canAny(permission)
+    : can(permission);
+
+  return !hasPermission ? <>{children}</> : <>{fallback}</>;
+}
diff --git a/frontend/components/providers/AuthenticationProvider.tsx b/frontend/components/providers/AuthenticationProvider.tsx
new file mode 100644
index 000000000..cbf2ce9d8
--- /dev/null
+++ b/frontend/components/providers/AuthenticationProvider.tsx
@@ -0,0 +1,42 @@
+"use client";
+
+import React, { createContext, useContext, ReactNode } from "react";
+import { useAuthentication } from "@/hooks/auth/useAuthentication";
+import { AuthenticationContextType } from "@/types/auth";
+
+/**
+ * Authentication Context
+ */
+const AuthenticationContext = createContext<
+  AuthenticationContextType | undefined
+>(undefined);
+
+/**
+ * Authentication Provider Component
+ * Provides authentication state and methods to the component tree
+ */
+export function AuthenticationProvider({ children }: { children?: ReactNode }) {
+  const authValue = useAuthentication();
+
+  return (
+    <AuthenticationContext.Provider value={authValue}>
+      {children}
+    </AuthenticationContext.Provider>
+  );
+}
+
+/**
+ * Hook to use authentication context
+ */
+export function useAuthenticationContext(): AuthenticationContextType {
+  const context = useContext(AuthenticationContext);
+  if (context === undefined) {
+    throw new Error(
+      "useAuthenticationContext must be used within an AuthenticationProvider"
+    );
+  }
+  return context;
+}
+
+// Export context for advanced use cases
+export { AuthenticationContext };
diff --git a/frontend/components/providers/AuthorizationProvider.tsx b/frontend/components/providers/AuthorizationProvider.tsx
new file mode 100644
index 000000000..b597cfcd2
--- /dev/null
+++ b/frontend/components/providers/AuthorizationProvider.tsx
@@ -0,0 +1,42 @@
+"use client";
+
+import React, { createContext, useContext, ReactNode } from "react";
+import { useAuthorization } from "@/hooks/auth/useAuthorization";
+import { AuthorizationContextType } from "@/types/auth";
+
+/**
+ * Authorization Context
+ */
+const AuthorizationContext = createContext<
+  AuthorizationContextType | undefined
+>(undefined);
+
+/**
+ * Authorization Provider Component
+ * Provides authorization state and methods to the component tree
+ */
+export function AuthorizationProvider({ children }: { children?: ReactNode }) {
+  const authzValue = useAuthorization();
+
+  return (
+    <AuthorizationContext.Provider value={authzValue}>
+      {children}
+    </AuthorizationContext.Provider>
+  );
+}
+
+/**
+ * Hook to use authorization context
+ */
+export function useAuthorizationContext(): AuthorizationContextType {
+  const context = useContext(AuthorizationContext);
+  if (context === undefined) {
+    throw new Error(
+      "useAuthorizationContext must be used within an AuthorizationProvider"
+    );
+  }
+  return context;
+}
+
+// Export context for advanced use cases
+export { AuthorizationContext };
diff --git a/frontend/components/providers/deploymentProvider.tsx b/frontend/components/providers/deploymentProvider.tsx
index 2612f2b9d..8cb7dfe57 100644
--- a/frontend/components/providers/deploymentProvider.tsx
+++ b/frontend/components/providers/deploymentProvider.tsx
@@ -1,6 +1,12 @@
 "use client";
 
-import { createContext, useContext, useState, useEffect, ReactNode } from "react";
+import {
+  createContext,
+  useContext,
+  useState,
+  useEffect,
+  ReactNode,
+} from "react";
 import { API_ENDPOINTS } from "@/services/api";
 import log from "@/lib/logger";
 
@@ -21,14 +27,17 @@ export function DeploymentProvider({ children }: { children: ReactNode }) {
   useEffect(() => {
     const checkDeploymentVersion = async () => {
       try {
-        const response = await fetch(API_ENDPOINTS.tenantConfig.deploymentVersion);
+        const response = await fetch(
+          API_ENDPOINTS.tenantConfig.deploymentVersion
+        );
         if (response.ok) {
           const data = await response.json();
-          const version = data.content?.deployment_version || data.deployment_version;
-          setIsSpeedMode(version === 'speed');
+          const version =
+            data.content?.deployment_version || data.deployment_version;
+          setIsSpeedMode(version === "speed");
         }
       } catch (error) {
-        log.error('Failed to check deployment version:', error);
+        log.error("Failed to check deployment version:", error);
         setIsSpeedMode(false);
       } finally {
         setIsDeploymentReady(true);
@@ -46,4 +55,3 @@ export function DeploymentProvider({ children }: { children: ReactNode }) {
 }
 
 export const useDeployment = () => useContext(DeploymentContext);
-
diff --git a/frontend/components/providers/rootProvider.tsx b/frontend/components/providers/rootProvider.tsx
index 463cff979..e2bf1ac86 100644
--- a/frontend/components/providers/rootProvider.tsx
+++ b/frontend/components/providers/rootProvider.tsx
@@ -5,23 +5,43 @@ import { ConfigProvider, App } from "antd";
 import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
 
 import {
-  AuthProvider,
-  AuthContext,
-  useAuth,
-} from "@/hooks/useAuth";
+  AuthenticationProvider,
+  useAuthenticationContext,
+} from "@/components/providers/AuthenticationProvider";
+import {
+  AuthorizationProvider,
+  useAuthorizationContext,
+} from "@/components/providers/AuthorizationProvider";
 
-import { LoginModal, RegisterModal, SessionListeners } from "@/components/auth";
+import { LoginModal } from "@/components/auth/loginModal";
+import { RegisterModal } from "@/components/auth/registerModal";
 import { FullScreenLoading } from "@/components/ui/loading";
 import { useDeployment } from "./deploymentProvider";
+import { useSessionManager } from "@/hooks/auth/useSessionManager";
+
+function AppReadyWrapper({ children }: { children?: ReactNode }) {
+  useSessionManager();
 
-function AppReadyWrapper({ children }: { children: ReactNode }) {
-  const { isDeploymentReady } = useDeployment();
-  const auth = useAuth();
-  const isAuthReady = (auth as any).isAuthReady;
+  const { isDeploymentReady, isSpeedMode } = useDeployment();
+  const auth = useAuthenticationContext();
+  const authz = useAuthorizationContext();
 
-  const isAppReady = isDeploymentReady && isAuthReady;
+  // In speed mode, skip auth checks since authentication is bypassed
+  // isAuthChecking: allow rendering during auth state check to avoid blocking UI
+  const isAuthReady = isSpeedMode || !auth.isLoading || auth.isAuthenticated || auth.isAuthChecking;
+  const isAuthzReady = isSpeedMode || !authz.isLoading || auth.isAuthenticated || auth.isAuthChecking;
+  const isAppReady = isDeploymentReady && isAuthReady && isAuthzReady;
 
-  return isAppReady ? <>{children}</> : <FullScreenLoading />;
+  // If login or register modal is open, user is performing an operation,
+  // don't show full screen loading (they can already see the page)
+  const isUserOperating = auth.isLoginModalOpen || auth.isRegisterModalOpen;
+  
+  // Only show FullScreenLoading during initial load, not during user operations
+  if (isAppReady || isUserOperating) {
+    return <>{children}</>;
+  }
+  
+  return <FullScreenLoading />;
 }
 
 /**
@@ -33,20 +53,15 @@ export function RootProvider({ children }: { children: ReactNode }) {
     <ConfigProvider getPopupContainer={() => document.body}>
       <QueryClientProvider client={queryClient}>
         <App>
-          <AuthProvider>
-            {(authContextValue) => (
-              <AuthContext.Provider value={authContextValue}>
+            <AuthenticationProvider>
+              <AuthorizationProvider>
                 <AppReadyWrapper>
-                  <>
-                    {children}
-                    <SessionListeners />
-                  </>
+                  <>{children}</>
                 </AppReadyWrapper>
                 <LoginModal />
                 <RegisterModal />
-              </AuthContext.Provider>
-            )}
-          </AuthProvider>
+              </AuthorizationProvider>
+            </AuthenticationProvider>
         </App>
       </QueryClientProvider>
     </ConfigProvider>
diff --git a/frontend/components/tool-config/KnowledgeBaseSelectorModal.tsx b/frontend/components/tool-config/KnowledgeBaseSelectorModal.tsx
new file mode 100644
index 000000000..36900ea13
--- /dev/null
+++ b/frontend/components/tool-config/KnowledgeBaseSelectorModal.tsx
@@ -0,0 +1,685 @@
+"use client";
+
+import React, { useState, useMemo, useCallback, useEffect } from "react";
+import { useTranslation } from "react-i18next";
+
+import {
+  Modal,
+  Button,
+  Input,
+  Select,
+  Spin,
+  Checkbox,
+  ConfigProvider,
+} from "antd";
+import {
+  SearchOutlined,
+  SyncOutlined,
+} from "@ant-design/icons";
+
+import { KnowledgeBase } from "@/types/knowledgeBase";
+import {
+  KnowledgeBaseSelectorProps,
+  getKnowledgeBaseSourcesForTool,
+} from "./index";
+import { KB_LAYOUT, KB_TAG_VARIANTS } from "@/const/knowledgeBaseLayout";
+
+interface KnowledgeBaseSelectorModalProps extends KnowledgeBaseSelectorProps {
+  knowledgeBases: KnowledgeBase[];
+  isLoading?: boolean;
+  getModelDisplayName?: (modelId: string) => string;
+  onSync?: (
+    toolType: string,
+    difyConfig?: { serverUrl?: string; apiKey?: string }
+  ) => void;
+  showCheckbox?: boolean;
+  onSyncComplete?: (knowledgeBases: KnowledgeBase[]) => void;
+  syncLoading?: boolean; // Loading state for sync button
+  // Selection validation props
+  isSelectable?: (kb: KnowledgeBase) => boolean;
+  currentEmbeddingModel?: string | null;
+  // Dify configuration for fetching Dify knowledge bases
+  difyConfig?: {
+    serverUrl?: string;
+    apiKey?: string;
+  };
+}
+
+export default function KnowledgeBaseSelectorModal({
+  isOpen,
+  onClose,
+  onConfirm,
+  selectedIds,
+  toolType,
+  title,
+  maxSelect,
+  knowledgeBases,
+  isLoading = false,
+  getModelDisplayName = (modelId: string) => modelId,
+  onSync,
+  showCheckbox = true,
+  onSyncComplete,
+  syncLoading = false,
+  isSelectable,
+  currentEmbeddingModel = null,
+  difyConfig,
+}: KnowledgeBaseSelectorModalProps) {
+  const { t } = useTranslation("common");
+
+  // Selection state (kept for internal logic but not displayed)
+  const [tempSelectedIds, setTempSelectedIds] = useState<string[]>([]);
+  // Search and filter state
+  const [searchKeyword, setSearchKeyword] = useState("");
+  const [selectedSources, setSelectedSources] = useState<string[]>([]);
+  const [selectedModels, setSelectedModels] = useState<string[]>([]);
+
+  // Initialize selection state when modal opens
+  useEffect(() => {
+    if (isOpen) {
+      setTempSelectedIds(selectedIds);
+      setSearchKeyword("");
+      setSelectedSources([]);
+      setSelectedModels([]);
+    }
+  }, [isOpen, selectedIds]);
+
+  // Get allowed sources for the tool type
+  const allowedSources = useMemo(() => {
+    return getKnowledgeBaseSourcesForTool(toolType);
+  }, [toolType]);
+
+  // Calculate available filter options based on actual knowledge bases
+  const availableSources = useMemo(() => {
+    const sources = new Set(knowledgeBases.map((kb) => kb.source));
+    return Array.from(sources)
+      .filter((source) => source && allowedSources.includes(source))
+      .sort();
+  }, [knowledgeBases, allowedSources]);
+
+  const availableModels = useMemo(() => {
+    const models = new Set(knowledgeBases.map((kb) => kb.embeddingModel));
+    return Array.from(models)
+      .filter((model) => model && model !== "unknown")
+      .sort();
+  }, [knowledgeBases]);
+
+  // Format date function, only keep date part
+  const formatDate = useCallback((dateValue: any) => {
+    try {
+      const date =
+        typeof dateValue === "number"
+          ? new Date(dateValue)
+          : new Date(dateValue);
+      return isNaN(date.getTime())
+        ? String(dateValue ?? "")
+        : date.toISOString().split("T")[0];
+    } catch (e) {
+      return String(dateValue ?? "");
+    }
+  }, []);
+
+  // Check if a knowledge base can be selected
+  const checkCanSelect = useCallback(
+    (kb: KnowledgeBase): boolean => {
+      // If custom isSelectable function is provided, use it
+      if (isSelectable) {
+        return isSelectable(kb);
+      }
+
+      // Default selection logic:
+      // 1. Empty knowledge bases cannot be selected
+      const isEmpty =
+        (kb.documentCount || 0) === 0 && (kb.chunkCount || 0) === 0;
+      if (isEmpty) {
+        return false;
+      }
+
+      // 2. For nexent source, check model matching
+      if (kb.source === "nexent" && currentEmbeddingModel) {
+        if (
+          kb.embeddingModel &&
+          kb.embeddingModel !== "unknown" &&
+          kb.embeddingModel !== currentEmbeddingModel
+        ) {
+          return false;
+        }
+      }
+
+      return true;
+    },
+    [isSelectable, currentEmbeddingModel]
+  );
+
+  // Check if a knowledge base has model mismatch (for display purposes)
+  const checkModelMismatch = useCallback(
+    (kb: KnowledgeBase): boolean => {
+      if (kb.source !== "nexent" || !currentEmbeddingModel) {
+        return false;
+      }
+      const embeddingModel = kb.embeddingModel;
+      return Boolean(
+        embeddingModel &&
+        embeddingModel !== "unknown" &&
+        embeddingModel !== currentEmbeddingModel
+      );
+    },
+    [currentEmbeddingModel]
+  );
+
+  // Filter knowledge bases based on tool type, search, and filters
+  const filteredKnowledgeBases = useMemo(() => {
+    let filtered = knowledgeBases.filter((kb) => {
+      // Filter by tool type source
+      if (!allowedSources.includes(kb.source)) {
+        return false;
+      }
+
+      // Keyword search
+      const keyword = searchKeyword.trim();
+      if (keyword) {
+        const matchesSearch =
+          kb.name.toLowerCase().includes(keyword.toLowerCase()) ||
+          (kb.description &&
+            kb.description.toLowerCase().includes(keyword.toLowerCase())) ||
+          (kb.nickname &&
+            kb.nickname.toLowerCase().includes(keyword.toLowerCase()));
+        if (!matchesSearch) return false;
+      }
+
+      // Source filter
+      if (selectedSources.length > 0 && !selectedSources.includes(kb.source)) {
+        return false;
+      }
+
+      // Model filter
+      if (
+        selectedModels.length > 0 &&
+        !selectedModels.includes(kb.embeddingModel)
+      ) {
+        return false;
+      }
+
+      return true;
+    });
+
+    // Sort by update time (latest first)
+    filtered = [...filtered].sort((a, b) => {
+      const aTime = a.updatedAt ? new Date(a.updatedAt).getTime() : 0;
+      const bTime = b.updatedAt ? new Date(b.updatedAt).getTime() : 0;
+      return bTime - aTime;
+    });
+
+    return filtered;
+  }, [
+    knowledgeBases,
+    allowedSources,
+    searchKeyword,
+    selectedSources,
+    selectedModels,
+  ]);
+
+  // Toggle selection (still needed for confirm)
+  const toggleSelection = useCallback(
+    (id: string) => {
+      // Find the knowledge base
+      const kb = knowledgeBases.find((k) => k.id === id);
+      if (!kb) return;
+
+      // Check if can be selected
+      if (!checkCanSelect(kb)) {
+        return;
+      }
+
+      setTempSelectedIds((prev) => {
+        if (prev.includes(id)) {
+          return prev.filter((itemId) => itemId !== id);
+        }
+
+        // Check max select limit
+        if (maxSelect && prev.length >= maxSelect) {
+          return prev;
+        }
+
+        return [...prev, id];
+      });
+    },
+    [knowledgeBases, maxSelect, checkCanSelect]
+  );
+
+  // Clear all selections
+  const clearAllSelections = useCallback(() => {
+    setTempSelectedIds([]);
+  }, []);
+
+  // Handle confirm
+  const handleConfirm = useCallback(() => {
+    const selectedKnowledgeBases = knowledgeBases.filter((kb) =>
+      tempSelectedIds.includes(kb.id)
+    );
+    onConfirm(selectedKnowledgeBases);
+    onClose();
+  }, [knowledgeBases, tempSelectedIds, onConfirm, onClose]);
+
+  // Handle cancel
+  const handleCancel = useCallback(() => {
+    setTempSelectedIds(selectedIds);
+    onClose();
+  }, [selectedIds, onClose]);
+
+  // Default title based on tool type
+  const defaultTitle = useMemo(() => {
+    const titles: Record<string, string> = {
+      knowledge_base_search: t("toolConfig.knowledgeBaseSelector.title.local"),
+      dify_search: t("toolConfig.knowledgeBaseSelector.title.dify"),
+      datamate_search: t("toolConfig.knowledgeBaseSelector.title.datamate"),
+    };
+    return (
+      titles[toolType] || t("toolConfig.knowledgeBaseSelector.title.default")
+    );
+  }, [toolType, t]);
+
+  return (
+    <Modal
+      title={title || defaultTitle}
+      open={isOpen}
+      onCancel={handleCancel}
+      onOk={handleConfirm}
+      okText={t("common.confirm")}
+      cancelText={t("common.cancel")}
+      width={800}
+      className="knowledge-base-selector-modal"
+      styles={{
+        body: {
+          maxHeight: "70vh",
+          overflow: "hidden",
+          display: "flex",
+          flexDirection: "column",
+          padding: 0,
+        },
+      }}
+    >
+      {/* Fixed header area - consistent with KnowledgeBaseList */}
+      <div
+        className={`${KB_LAYOUT.HEADER_PADDING} border-b border-gray-200 shrink-0 bg-white`}
+      >
+        <div className="flex items-center justify-between">
+          <div>
+            <h3
+              className={`${KB_LAYOUT.TITLE_MARGIN} ${KB_LAYOUT.TITLE_TEXT} text-gray-800`}
+            >
+              {t("knowledgeBase.list.title")}
+            </h3>
+          </div>
+          <div className="flex items-center" style={{ gap: "8px" }}>
+            <Button
+              style={{
+                padding: "4px 15px",
+                display: "inline-flex",
+                alignItems: "center",
+                justifyContent: "center",
+                gap: "8px",
+                backgroundColor: "#1677ff",
+                color: "white",
+                border: "none",
+              }}
+              className="hover:!bg-blue-600"
+              type="primary"
+              onClick={() => {
+                // Call the onSync callback with difyConfig and notify parent when complete
+                const syncResult = onSync?.(toolType, difyConfig);
+                // Check if the result is a Promise-like object
+                if (
+                  syncResult &&
+                  typeof (syncResult as Promise<void>).then === "function"
+                ) {
+                  (syncResult as Promise<void>).then(() => {
+                    // After sync completes, trigger onSyncComplete if provided
+                    // The parent will refresh the knowledgeBases list
+                    onSyncComplete?.(knowledgeBases);
+                  });
+                } else {
+                  // If onSync doesn't return a promise, still call onSyncComplete
+                  onSyncComplete?.(knowledgeBases);
+                }
+              }}
+            >
+              <span
+                style={{
+                  display: "inline-flex",
+                  alignItems: "center",
+                  justifyContent: "center",
+                  width: "14px",
+                  height: "14px",
+                }}
+              >
+                <SyncOutlined spin={syncLoading} style={{ color: "white" }} />
+              </span>
+              <span>{t("knowledgeBase.button.sync")}</span>
+            </Button>
+          </div>
+        </div>
+
+        {/* Search and filter area */}
+        <div className="mt-3 flex items-center gap-3">
+          <Input
+            placeholder={t("knowledgeBase.search.placeholder")}
+            prefix={<SearchOutlined />}
+            value={searchKeyword}
+            onChange={(e) => setSearchKeyword(e.target.value)}
+            style={{ width: 250 }}
+            allowClear
+          />
+
+          {availableSources.length > 0 && (
+            <Select
+              mode="multiple"
+              placeholder={t("knowledgeBase.filter.source.placeholder")}
+              value={selectedSources}
+              onChange={setSelectedSources}
+              style={{ minWidth: 150 }}
+              allowClear
+              maxTagCount={2}
+            >
+              {availableSources.map((source) => (
+                <Select.Option key={source} value={source}>
+                  {t(`knowledgeBase.source.${source}`, {
+                    defaultValue: source,
+                  })}
+                </Select.Option>
+              ))}
+            </Select>
+          )}
+
+          {availableModels.length > 0 && (
+            <Select
+              mode="multiple"
+              placeholder={t("knowledgeBase.filter.model.placeholder")}
+              value={selectedModels}
+              onChange={setSelectedModels}
+              style={{ minWidth: 180 }}
+              allowClear
+              maxTagCount={2}
+            >
+              {availableModels.map((model) => (
+                <Select.Option key={model} value={model}>
+                  {getModelDisplayName(model)}
+                </Select.Option>
+              ))}
+            </Select>
+          )}
+        </div>
+      </div>
+
+      {/* Fixed selection status area */}
+      <div className="border-b border-gray-200 shrink-0 relative z-10 shadow-md">
+        <div className="px-5 py-2 bg-blue-50">
+          <div className="flex items-center justify-between">
+            <div className="flex items-center">
+              <span className="font-medium text-blue-700">
+                {t("knowledgeBase.selected.prefix")}{" "}
+              </span>
+              <span className="mx-1 text-blue-600 font-bold text-lg">
+                {tempSelectedIds.length}
+              </span>
+              <span className="font-medium text-blue-700">
+                {t("knowledgeBase.selected.suffix")}
+              </span>
+            </div>
+            <div className="flex items-center gap-2">
+              {/* Select All button */}
+              {filteredKnowledgeBases.length > 0 &&
+                tempSelectedIds.length < filteredKnowledgeBases.length && (
+                  <Button
+                    type="link"
+                    size="small"
+                    className="text-blue-600 font-medium p-0 h-auto"
+                    onClick={() => {
+                      // Only select knowledge bases that can be selected
+                      const selectableIds = filteredKnowledgeBases
+                        .filter((kb) => checkCanSelect(kb))
+                        .map((kb) => kb.id);
+
+                      // Apply maxSelect limit if set
+                      if (maxSelect) {
+                        const remainingSlots =
+                          maxSelect - tempSelectedIds.length;
+                        if (remainingSlots > 0) {
+                          // Add selectable IDs that aren't already selected
+                          const availableToAdd = selectableIds.filter(
+                            (id) => !tempSelectedIds.includes(id)
+                          );
+                          // Limit to remaining slots
+                          const newIds = availableToAdd.slice(
+                            0,
+                            remainingSlots
+                          );
+                          setTempSelectedIds([...tempSelectedIds, ...newIds]);
+                          return;
+                        }
+                      }
+
+                      setTempSelectedIds(selectableIds);
+                    }}
+                  >
+                    {t("knowledgeBase.button.selectAll")}
+                  </Button>
+                )}
+              {/* Clear Selection button */}
+              {tempSelectedIds.length > 0 && (
+                <Button
+                  type="link"
+                  size="small"
+                  danger
+                  className="font-medium p-0 h-auto"
+                  onClick={clearAllSelections}
+                >
+                  {t("knowledgeBase.button.clearSelection")}
+                </Button>
+              )}
+            </div>
+          </div>
+
+          {tempSelectedIds.length > 0 && (
+            <div className="flex flex-wrap gap-1.5 mt-2 mb-1">
+              {tempSelectedIds.map((id) => {
+                const kb = knowledgeBases.find((kb) => kb.id === id);
+                return kb ? (
+                  <span
+                    key={id}
+                    className="inline-flex items-center justify-center bg-blue-100 text-blue-800 rounded text-sm font-medium group"
+                    style={{ maxWidth: "fit-content", padding: "2px 6px" }}
+                  >
+                    <span
+                      className="truncate"
+                      style={{
+                        maxWidth: "150px",
+                        ...KB_LAYOUT.KB_NAME_OVERFLOW,
+                      }}
+                      title={kb.name}
+                    >
+                      {kb.name}
+                    </span>
+                    <button
+                      className="ml-1.5 text-blue-600 hover:text-blue-800 flex-shrink-0 text-sm leading-none"
+                      onClick={() => toggleSelection(id)}
+                      aria-label={t("knowledgeBase.button.removeKb", {
+                        name: kb.name,
+                      })}
+                    >
+                      ×
+                    </button>
+                  </span>
+                ) : null;
+              })}
+            </div>
+          )}
+        </div>
+      </div>
+
+      {/* Knowledge base list - consistent with KnowledgeBaseList */}
+      <div className="flex-1 overflow-y-auto overflow-x-hidden bg-white">
+        {isLoading ? (
+          <div className="flex items-center justify-center h-full">
+            <Spin tip={t("common.loading")} />
+          </div>
+        ) : filteredKnowledgeBases.length > 0 ? (
+          <div className="divide-y-0">
+            {filteredKnowledgeBases.map((kb, index) => {
+              const isSelected = tempSelectedIds.includes(kb.id);
+              const canSelect = checkCanSelect(kb);
+              const hasModelMismatch = checkModelMismatch(kb);
+
+              return (
+                <div
+                  key={kb.id}
+                  className={`${KB_LAYOUT.ROW_PADDING} px-2 hover:bg-gray-50 transition-colors ${!canSelect ? "opacity-60" : ""}`}
+                  onClick={() => canSelect && toggleSelection(kb.id)}
+                >
+                  <div className="flex items-start">
+                    {showCheckbox && (
+                      <div
+                        className="kb-checkbox-wrapper px-2"
+                        onClick={(e) => {
+                          e.stopPropagation();
+                        }}
+                        style={{
+                          minWidth: "40px",
+                          minHeight: "40px",
+                          display: "flex",
+                          alignItems: "flex-start",
+                          justifyContent: "center",
+                        }}
+                      >
+                        <ConfigProvider
+                          theme={{
+                            token: {
+                              colorPrimary:
+                                canSelect || isSelected ? "#1677ff" : "#90caf9",
+                            },
+                          }}
+                        >
+                          <Checkbox
+                            checked={isSelected}
+                            disabled={!canSelect && !isSelected}
+                            onChange={(e) => {
+                              e.stopPropagation();
+                              toggleSelection(kb.id);
+                            }}
+                            style={{
+                              cursor:
+                                canSelect || isSelected
+                                  ? "pointer"
+                                  : "not-allowed",
+                              transform: "scale(1.5)",
+                            }}
+                          />
+                        </ConfigProvider>
+                      </div>
+                    )}
+                    <div className="flex-1 min-w-0">
+                      {/* First row: Name */}
+                      <div className="flex items-center justify-between">
+                        <p
+                          className={`${KB_LAYOUT.KB_NAME_TEXT} ${!canSelect ? "text-gray-400" : "text-gray-800"} truncate`}
+                          style={{
+                            maxWidth: KB_LAYOUT.KB_NAME_MAX_WIDTH,
+                            ...KB_LAYOUT.KB_NAME_OVERFLOW,
+                          }}
+                          title={kb.name}
+                        >
+                          {kb.name}
+                        </p>
+                      </div>
+
+                      {/* First row: Basic info tags */}
+                      <div
+                        className={`flex flex-wrap items-center ${KB_LAYOUT.TAG_MARGIN} ${KB_LAYOUT.TAG_SPACING}`}
+                      >
+                        {/* Document count tag */}
+                        <span
+                          className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} ${KB_TAG_VARIANTS.default} mr-1`}
+                        >
+                          {t("knowledgeBase.tag.documents", {
+                            count: kb.documentCount || 0,
+                          })}
+                        </span>
+
+                        {/* Chunk count tag */}
+                        <span
+                          className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} ${KB_TAG_VARIANTS.default} mr-1`}
+                        >
+                          {t("knowledgeBase.tag.chunks", {
+                            count: kb.chunkCount || 0,
+                          })}
+                        </span>
+
+                        {/* Source tag */}
+                        <span
+                          className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} ${KB_TAG_VARIANTS.default} mr-1`}
+                        >
+                          {t("knowledgeBase.tag.source", {
+                            source: t(`knowledgeBase.source.${kb.source}`, {
+                              defaultValue: kb.source,
+                            }),
+                          })}
+                        </span>
+
+                        {/* Creation date - only show when there are documents or chunks */}
+                        {((kb.documentCount || 0) > 0 ||
+                          (kb.chunkCount || 0) > 0) && (
+                          <span
+                            className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} ${KB_TAG_VARIANTS.default} mr-1`}
+                          >
+                            {t("knowledgeBase.tag.createdAt", {
+                              date: formatDate(kb.createdAt),
+                            })}
+                          </span>
+                        )}
+                      </div>
+
+                      {/* Second row: Model tags */}
+                      <div
+                        className={`flex flex-wrap items-center ${KB_LAYOUT.SECOND_ROW_TAG_MARGIN} ${KB_LAYOUT.TAG_SPACING}`}
+                      >
+                        {/* Model tag - only show when model is not "unknown" and there are documents or chunks */}
+                        {((kb.documentCount || 0) > 0 ||
+                          (kb.chunkCount || 0) > 0) &&
+                          kb.embeddingModel &&
+                          kb.embeddingModel !== "unknown" && (
+                            <span
+                              className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} ${KB_TAG_VARIANTS.model} mr-1`}
+                            >
+                              {getModelDisplayName(kb.embeddingModel)}
+                              {t("knowledgeBase.tag.model", {
+                                model: "",
+                              })}
+                            </span>
+                          )}
+                        {/* Model mismatch tag - only for nexent source */}
+                        {hasModelMismatch && (
+                          <span
+                            className={`inline-flex items-center ${KB_LAYOUT.TAG_PADDING} ${KB_LAYOUT.TAG_ROUNDED} ${KB_LAYOUT.TAG_TEXT} ${KB_TAG_VARIANTS.warning} mr-1`}
+                          >
+                            {t("knowledgeBase.tag.modelMismatch")}
+                          </span>
+                        )}
+                      </div>
+                    </div>
+                  </div>
+                </div>
+              );
+            })}
+          </div>
+        ) : (
+          <div
+            className={`${KB_LAYOUT.EMPTY_STATE_PADDING} text-center text-gray-500`}
+          >
+            {searchKeyword || selectedSources.length > 0
+              ? t("knowledgeBase.list.noResults")
+              : t("knowledgeBase.list.empty")}
+          </div>
+        )}
+      </div>
+    </Modal>
+  );
+}
diff --git a/frontend/components/tool-config/index.ts b/frontend/components/tool-config/index.ts
new file mode 100644
index 000000000..b424b3225
--- /dev/null
+++ b/frontend/components/tool-config/index.ts
@@ -0,0 +1,38 @@
+// Tool configuration related types and interfaces
+
+import { KnowledgeBase } from "@/types/knowledgeBase";
+
+// Knowledge base selector component props
+export interface KnowledgeBaseSelectorProps {
+  isOpen: boolean;
+  onClose: () => void;
+  onConfirm: (selectedKnowledgeBases: KnowledgeBase[]) => void;
+  selectedIds: string[];
+  toolType: "knowledge_base_search" | "dify_search" | "datamate_search";
+  title?: string;
+  maxSelect?: number;
+  showCreateButton?: boolean;
+  showDeleteButton?: boolean;
+  showCheckbox?: boolean;
+  // Dify configuration for fetching Dify knowledge bases
+  difyConfig?: {
+    serverUrl?: string;
+    apiKey?: string;
+  };
+}
+
+// Get supported knowledge base sources for a tool type
+export function getKnowledgeBaseSourcesForTool(
+  toolType: "knowledge_base_search" | "dify_search" | "datamate_search"
+): string[] {
+  switch (toolType) {
+    case "knowledge_base_search":
+      return ["nexent"];
+    case "dify_search":
+      return ["dify"];
+    case "datamate_search":
+      return ["datamate"];
+    default:
+      return ["nexent"];
+  }
+}
diff --git a/frontend/components/ui/markdownRenderer.tsx b/frontend/components/ui/markdownRenderer.tsx
index b2d45af82..06aaa2bef 100644
--- a/frontend/components/ui/markdownRenderer.tsx
+++ b/frontend/components/ui/markdownRenderer.tsx
@@ -551,7 +551,9 @@ const HoverableText = ({
   return (
     <TooltipProvider>
       <Tooltip
-        styles={{ root: { padding: 0, background: "transparent", boxShadow: "none" } }}
+        styles={{
+          container: { padding: 0, background: "transparent", boxShadow: "none" },
+        }}
         title={
           <div
             className="z-[9999] bg-white px-3 py-2 text-sm border border-gray-200 rounded-md shadow-md max-w-xl overflow-hidden"
diff --git a/frontend/const/auth.ts b/frontend/const/auth.ts
index eb0f66c4b..bfad78f84 100644
--- a/frontend/const/auth.ts
+++ b/frontend/const/auth.ts
@@ -9,7 +9,7 @@ export enum USER_ROLES {
 
 export const STATUS_CODES = {
   SUCCESS: 200,
-  
+
   UNAUTHORIZED_HTTP: 401,
   REQUEST_ENTITY_TOO_LARGE: 413,
 
@@ -27,8 +27,21 @@ export const STORAGE_KEYS = {
   SESSION: "session",
 };
 
-// Custom events
-export const EVENTS = {
-  SESSION_EXPIRED: "session-expired",
-  STORAGE_CHANGE: "storage",
-};
+// Type-safe authentication events (used with authEvents emitter)
+export const AUTH_EVENTS = {
+  LOGIN_SUCCESS: "auth:login-success",
+  REGISTER_SUCCESS: "auth:register-success",
+  LOGOUT: "auth:logout",
+  SESSION_EXPIRED: "auth:session-expired",  // Deprecated: this is an authorization event; prefer AUTHZ_EVENTS.PERMISSION_DENIED.
+  TOKEN_REFRESHED: "auth:token-refreshed",
+  SERVICE_UNAVAILABLE: "auth:service-unavailable",
+  BACK_TO_HOME: "nav:back-to-home",
+} as const;
+
+// Type-safe authorization events (used with authzEvents emitter)
+export const AUTHZ_EVENTS = {
+  PERMISSION_DENIED: "authz:permission-denied",
+  PERMISSIONS_READY: "authz:permissions-ready",
+  PERMISSIONS_UPDATED: "authz:permissions-updated",
+} as const;
+
diff --git a/frontend/const/knowledgeBase.ts b/frontend/const/knowledgeBase.ts
index 3ed72bd0f..03238b1f1 100644
--- a/frontend/const/knowledgeBase.ts
+++ b/frontend/const/knowledgeBase.ts
@@ -3,7 +3,7 @@
 // Document status constants
 export const DOCUMENT_STATUS = {
   WAIT_FOR_PROCESSING: "WAIT_FOR_PROCESSING",
-  WAIT_FOR_FORWARDING: "WAIT_FOR_FORWARDING", 
+  WAIT_FOR_FORWARDING: "WAIT_FOR_FORWARDING",
   PROCESSING: "PROCESSING",
   FORWARDING: "FORWARDING",
   COMPLETED: "COMPLETED",
@@ -13,16 +13,16 @@ export const DOCUMENT_STATUS = {
 
 // Non-terminal statuses (still processing)
 export const NON_TERMINAL_STATUSES: string[] = [
-  DOCUMENT_STATUS.WAIT_FOR_PROCESSING, 
-  DOCUMENT_STATUS.PROCESSING, 
-  DOCUMENT_STATUS.WAIT_FOR_FORWARDING, 
-  DOCUMENT_STATUS.FORWARDING
+  DOCUMENT_STATUS.WAIT_FOR_PROCESSING,
+  DOCUMENT_STATUS.PROCESSING,
+  DOCUMENT_STATUS.WAIT_FOR_FORWARDING,
+  DOCUMENT_STATUS.FORWARDING,
 ];
 
 // Document action type constants
 export const DOCUMENT_ACTION_TYPES = {
   FETCH_SUCCESS: "FETCH_SUCCESS",
-  SELECT_DOCUMENT: "SELECT_DOCUMENT", 
+  SELECT_DOCUMENT: "SELECT_DOCUMENT",
   SELECT_DOCUMENTS: "SELECT_DOCUMENTS",
   SELECT_ALL: "SELECT_ALL",
   SET_UPLOAD_FILES: "SET_UPLOAD_FILES",
@@ -31,7 +31,7 @@ export const DOCUMENT_ACTION_TYPES = {
   DELETE_DOCUMENT: "DELETE_DOCUMENT",
   SET_LOADING_KB_ID: "SET_LOADING_KB_ID",
   CLEAR_DOCUMENTS: "CLEAR_DOCUMENTS",
-  ERROR: "ERROR"
+  ERROR: "ERROR",
 } as const;
 
 // Knowledge base action type constants
@@ -44,7 +44,8 @@ export const KNOWLEDGE_BASE_ACTION_TYPES = {
   ADD_KNOWLEDGE_BASE: "ADD_KNOWLEDGE_BASE",
   LOADING: "LOADING",
   SET_SYNC_LOADING: "SET_SYNC_LOADING",
-  ERROR: "ERROR"
+  SET_DATA_MATE_SYNC_ERROR: "SET_DATA_MATE_SYNC_ERROR",
+  ERROR: "ERROR",
 } as const;
 
 // UI layout configuration, internally manages height ratios of each section
@@ -99,7 +100,7 @@ export const UI_ACTION_TYPES = {
   TOGGLE_CREATE_MODAL: "TOGGLE_CREATE_MODAL",
   TOGGLE_DOC_MODAL: "TOGGLE_DOC_MODAL",
   ADD_NOTIFICATION: "ADD_NOTIFICATION",
-  REMOVE_NOTIFICATION: "REMOVE_NOTIFICATION"
+  REMOVE_NOTIFICATION: "REMOVE_NOTIFICATION",
 } as const;
 
 // Notification type constants
@@ -107,31 +108,31 @@ export const NOTIFICATION_TYPES = {
   SUCCESS: "success",
   ERROR: "error",
   INFO: "info",
-  WARNING: "warning"
+  WARNING: "warning",
 } as const;
 
 // File extension constants
 export const FILE_EXTENSIONS = {
-  PDF: 'pdf',
-  DOC: 'doc',
-  DOCX: 'docx',
-  XLS: 'xls',
-  XLSX: 'xlsx',
-  PPT: 'ppt',
-  PPTX: 'pptx',
-  TXT: 'txt',
-  MD: 'md'
+  PDF: "pdf",
+  DOC: "doc",
+  DOCX: "docx",
+  XLS: "xls",
+  XLSX: "xlsx",
+  PPT: "ppt",
+  PPTX: "pptx",
+  TXT: "txt",
+  MD: "md",
 } as const;
 
 // File type constants
 export const FILE_TYPES = {
-  PDF: 'PDF',
-  WORD: 'Word',
-  EXCEL: 'Excel',
-  POWERPOINT: 'PowerPoint',
-  TEXT: 'Text',
-  MARKDOWN: 'Markdown',
-  UNKNOWN: 'Unknown'
+  PDF: "PDF",
+  WORD: "Word",
+  EXCEL: "Excel",
+  POWERPOINT: "PowerPoint",
+  TEXT: "Text",
+  MARKDOWN: "Markdown",
+  UNKNOWN: "Unknown",
 } as const;
 
 // File extension to type mapping
@@ -144,5 +145,5 @@ export const EXTENSION_TO_TYPE_MAP = {
   [FILE_EXTENSIONS.PPT]: FILE_TYPES.POWERPOINT,
   [FILE_EXTENSIONS.PPTX]: FILE_TYPES.POWERPOINT,
   [FILE_EXTENSIONS.TXT]: FILE_TYPES.TEXT,
-  [FILE_EXTENSIONS.MD]: FILE_TYPES.MARKDOWN
+  [FILE_EXTENSIONS.MD]: FILE_TYPES.MARKDOWN,
 } as const;
diff --git a/frontend/const/knowledgeBaseLayout.ts b/frontend/const/knowledgeBaseLayout.ts
new file mode 100644
index 000000000..082c40be5
--- /dev/null
+++ b/frontend/const/knowledgeBaseLayout.ts
@@ -0,0 +1,59 @@
+/**
+ * Knowledge Base List Layout Constants
+ *
+ * Shared layout configuration for knowledge base list components.
+ * Used by both KnowledgeBaseList (standalone page) and KnowledgeBaseSelectorModal (popup).
+ */
+
+// Knowledge base layout constants configuration
+export const KB_LAYOUT = {
+  // Row padding
+  ROW_PADDING: "py-3",
+  // Header padding
+  HEADER_PADDING: "p-3",
+  // Button area padding
+  BUTTON_AREA_PADDING: "p-2",
+  // Tag spacing
+  TAG_SPACING: "gap-1",
+  // Tag margin
+  TAG_MARGIN: "mt-1.5",
+  // Tag padding
+  TAG_PADDING: "px-2 py-0.5",
+  // Tag text style
+  TAG_TEXT: "text-xs font-medium",
+  // Tag rounded corners
+  TAG_ROUNDED: "rounded-md",
+  // Line break height
+  TAG_BREAK_HEIGHT: "h-0.5",
+  // Second row tag margin
+  SECOND_ROW_TAG_MARGIN: "mt-1",
+  // Title margin
+  TITLE_MARGIN: "ml-2",
+  // Empty state padding
+  EMPTY_STATE_PADDING: "py-4",
+  // Title text style
+  TITLE_TEXT: "text-lg font-bold",
+  // Knowledge base name text style
+  KB_NAME_TEXT: "text-base font-medium",
+  // Knowledge base name max width
+  KB_NAME_MAX_WIDTH: "220px",
+  // Knowledge base name overflow style
+  KB_NAME_OVERFLOW: {
+    textOverflow: "ellipsis",
+    whiteSpace: "nowrap",
+    overflow: "hidden",
+    display: "block",
+  },
+} as const;
+
+// Tag style variants for different contexts
+export const KB_TAG_VARIANTS = {
+  // Default gray tag (used in modal)
+  default: "bg-gray-100 text-gray-600 border border-gray-200",
+  // Light gray tag (used in list)
+  light: "bg-gray-200 text-gray-800 border border-gray-200",
+  // Green tag for model
+  model: "bg-green-50 text-green-700 border border-green-200",
+  // Yellow tag for model mismatch
+  warning: "bg-yellow-100 text-yellow-800 border border-yellow-200",
+} as const;
diff --git a/frontend/const/modelConfig.ts b/frontend/const/modelConfig.ts
index 075b546ff..490cf2d87 100644
--- a/frontend/const/modelConfig.ts
+++ b/frontend/const/modelConfig.ts
@@ -87,8 +87,11 @@ export const PROVIDER_LINKS: Record<string, string> = {
 
 // User role constants
 export const USER_ROLES = {
-  USER: "user",
-  ADMIN: "admin",
+  SPEED: "SPEED",
+  SU: "SU",
+  ADMIN: "ADMIN",
+  DEV: "DEV",
+  USER: "USER",
 } as const;
 
 // Memory tab key constants
diff --git a/frontend/hooks/agent/useAgentInfo.ts b/frontend/hooks/agent/useAgentInfo.ts
index 908b5e904..f348437da 100644
--- a/frontend/hooks/agent/useAgentInfo.ts
+++ b/frontend/hooks/agent/useAgentInfo.ts
@@ -1,8 +1,11 @@
 import { useQuery } from "@tanstack/react-query";
+import { useQueryClient } from "@tanstack/react-query";
 import { searchAgentInfo } from "@/services/agentConfigService";
 
 export function useAgentInfo(agentId: number | null) {
-	return useQuery({
+	const queryClient = useQueryClient();
+
+	const query = useQuery({
 		queryKey: ["agentInfo", agentId],
 		queryFn: async () => {
 			if (!agentId) return null;
@@ -15,4 +18,12 @@ export function useAgentInfo(agentId: number | null) {
 		enabled: !!agentId,
 		staleTime: 60_000,
 	});
+
+	const agentInfo = query.data ?? null;
+
+	return {
+		...query,
+		agentInfo,
+		invalidate: () => queryClient.invalidateQueries({ queryKey: ["agentInfo"] }),
+	};
 }
diff --git a/frontend/hooks/agent/useAgentList.ts b/frontend/hooks/agent/useAgentList.ts
index 5b2d8ec4b..be0fed130 100644
--- a/frontend/hooks/agent/useAgentList.ts
+++ b/frontend/hooks/agent/useAgentList.ts
@@ -1,46 +1,30 @@
 import { useQuery, useQueryClient } from "@tanstack/react-query";
 import { fetchAgentList as fetchAgentListService } from "@/services/agentConfigService";
 import { useMemo, useEffect } from "react";
+import { Agent } from "@/types/agentConfig";
 
-export function useAgentList(options?: { enabled?: boolean; staleTime?: number }) {
+export function useAgentList(tenantId: string | null) {
 	const queryClient = useQueryClient();
 
 	const query = useQuery({
-		queryKey: ["agents"],
+		queryKey: ["agents", tenantId],
 		queryFn: async () => {
-			const res = await fetchAgentListService();
+			const res = await fetchAgentListService(tenantId ?? undefined);
 			if (!res || !res.success) {
 				throw new Error(res?.message || "Failed to fetch agents");
 			}
 			return res.data || [];
 		},
-		staleTime: options?.staleTime ?? 60_000,
-		enabled: options?.enabled ?? true,
+		staleTime: 60_000,
+		enabled: !!tenantId,
 	});
 
 	const agents = query.data ?? [];
 
 	const availableAgents = useMemo(() => {
-		return (agents as any[]).filter((a) => a.is_available !== false);
+		return (agents as Agent[]).filter((a) => a.is_available !== false);
 	}, [agents]);
-	// Listen for cross-tab agent updates via BroadcastChannel
-	useEffect(() => {
-		let bc: BroadcastChannel | null = null;
-		try {
-			bc = new BroadcastChannel("nexent-agent-updates");
-			bc.onmessage = (ev) => {
-				if (ev?.data?.type === "agents_updated") {
-					queryClient.invalidateQueries({ queryKey: ["agents"] });
-				}
-			};
-		} catch (e) {
-			// ignore if unsupported
-		}
-		return () => {
-			if (bc) bc.close();
-		};
-		// eslint-disable-next-line react-hooks/exhaustive-deps
-	}, []);
+
 	return {
 		...query,
 		agents,
diff --git a/frontend/hooks/agent/useAgentVersion.ts b/frontend/hooks/agent/useAgentVersion.ts
new file mode 100644
index 000000000..aedc9a39b
--- /dev/null
+++ b/frontend/hooks/agent/useAgentVersion.ts
@@ -0,0 +1,46 @@
+import { useQuery, useQueryClient } from "@tanstack/react-query";
+import { fetchAgentVersion, type AgentVersion } from "@/services/agentVersionService";
+
+
+/**
+ * Hook to fetch agent version info using React Query
+ * @param options - Configuration options including agentId, versionNo and query settings
+ * @returns Query result containing version data and utilities
+ */
+export function useAgentVersion(agentId: number | null, versionNo: number) {
+
+  const queryClient = useQueryClient();
+
+  const isEnabled = agentId !== undefined && agentId !== null && versionNo !== undefined && versionNo !== null;
+
+  const query = useQuery({
+    queryKey: ["agentVersion", agentId, versionNo],
+    queryFn: async () => {
+      console.log("queryFn executed! agentId:", agentId, "versionNo:", versionNo); // 调试日志
+      if (agentId === undefined || agentId === null) {
+        throw new Error("Agent ID is required");
+      }
+      if (versionNo === undefined || versionNo === null) {
+        throw new Error("Version number is required");
+      }
+      const res = await fetchAgentVersion(agentId, versionNo);
+
+      if (!res.success) {
+        throw new Error(res.message || "Failed to fetch agent version info");
+      }
+      return res.data as AgentVersion;
+    },
+    staleTime: 0,  // 改为 0，确保每次都重新获取
+    gcTime: 0,  // 缓存立即过期
+    enabled: isEnabled,
+  });
+
+  const agentVersionInfo = query.data ?? null;
+
+  return {
+    ...query,
+    agentVersionInfo,
+    invalidate: () =>
+      queryClient.invalidateQueries({ queryKey: ["agentVersion", agentId, versionNo] }),
+  };
+}
diff --git a/frontend/hooks/agent/useAgentVersionDetail.ts b/frontend/hooks/agent/useAgentVersionDetail.ts
new file mode 100644
index 000000000..7e55c1a2f
--- /dev/null
+++ b/frontend/hooks/agent/useAgentVersionDetail.ts
@@ -0,0 +1,44 @@
+import { useQuery, useQueryClient } from "@tanstack/react-query";
+import { AgentVersionDetail, fetchAgentVersionDetail, type AgentVersion } from "@/services/agentVersionService";
+
+
+/**
+ * Hook to fetch agent version info using React Query
+ * @param options - Configuration options including agentId, versionNo and query settings
+ * @returns Query result containing version data and utilities
+ */
+export function useAgentVersionDetail(agentId: number | null, versionNo: number | null) {
+
+  const queryClient = useQueryClient();
+
+  const isEnabled = agentId !== undefined && agentId !== null && versionNo !== undefined && versionNo !== null;
+
+  const query = useQuery({
+    queryKey: ["agentVersionDetail", agentId, versionNo],
+    queryFn: async () => {
+      if (agentId === undefined || agentId === null) {
+        throw new Error("Agent ID is required");
+      }
+      if (versionNo === undefined || versionNo === null) {
+        throw new Error("Version number is required");
+      }
+      const res = await fetchAgentVersionDetail(agentId, versionNo);
+      if (!res.success) {
+        throw new Error(res.message || "Failed to fetch agent version detail");
+      }
+      return res.data as AgentVersionDetail;
+    },
+    staleTime: 0,  // 改为 0，确保每次都重新获取
+    gcTime: 0,  // 缓存立即过期
+    enabled: isEnabled,
+  });
+
+  const agentVersionDetail = query.data ?? null;
+
+  return {
+    ...query,
+    agentVersionDetail,
+    invalidate: () =>
+      queryClient.invalidateQueries({ queryKey: ["agentVersionDetail", agentId, versionNo] }),
+  };
+}
diff --git a/frontend/hooks/agent/useAgentVersionList.ts b/frontend/hooks/agent/useAgentVersionList.ts
new file mode 100644
index 000000000..0881d1ce0
--- /dev/null
+++ b/frontend/hooks/agent/useAgentVersionList.ts
@@ -0,0 +1,42 @@
+import { useQuery, useQueryClient } from "@tanstack/react-query";
+import {
+  fetchAgentVersionList,
+  type AgentVersion,
+} from "@/services/agentVersionService";
+
+/**
+ * Hook to fetch agent version list using React Query
+ * @param agentId The agent ID to fetch versions for
+ * @param tenantId optional tenant ID for filtering
+ * @returns Query result containing version list data and utilities
+ */
+export function useAgentVersionList(agentId: number | null, tenantId?: string) {
+  const queryClient = useQueryClient();
+
+  const query = useQuery({
+    queryKey: ["agentVersions", agentId, tenantId],
+    queryFn: async () => {
+      if (agentId === undefined || agentId === null) {
+        throw new Error("Agent ID is required");
+      }
+      const res = await fetchAgentVersionList(agentId, tenantId);
+      if (!res.success) {
+        throw new Error(res.message || "Failed to fetch agent versions");
+      }
+      return res.data;
+    },
+    staleTime: 60_000,
+    enabled: agentId !== undefined && agentId !== null,
+  });
+
+  const agentVersionList = query.data?.items ?? [];
+  const total = query.data?.total ?? 0;
+
+  return {
+    ...query,
+    agentVersionList,
+    total,
+    invalidate: () =>
+      queryClient.invalidateQueries({ queryKey: ["agentVersions", agentId, tenantId] }),
+  };
+}
diff --git a/frontend/hooks/agent/usePublishedAgentList.ts b/frontend/hooks/agent/usePublishedAgentList.ts
new file mode 100644
index 000000000..91e26fa6e
--- /dev/null
+++ b/frontend/hooks/agent/usePublishedAgentList.ts
@@ -0,0 +1,34 @@
+import { useQuery, useQueryClient } from "@tanstack/react-query";
+import { fetchPublishedAgentList as fetchPublishedAgentListService } from "@/services/agentConfigService";
+import { useMemo, useEffect } from "react";
+import { Agent } from "@/types/agentConfig";
+
+export function usePublishedAgentList() {
+	const queryClient = useQueryClient();
+
+	const query = useQuery({
+		queryKey: ["publishedAgentsList"],
+		queryFn: async () => {
+			const res = await fetchPublishedAgentListService();
+			if (!res || !res.success) {
+				throw new Error(res?.message || "Failed to fetch published agents");
+			}
+			return res.data || [];
+		},
+		staleTime: 60_000,
+		enabled: true,
+	});
+
+	const agents = query.data ?? [];
+
+	const availableAgents = useMemo(() => {
+		return (agents as Agent[]).filter((a) => a.is_available !== false);
+	}, [agents]);
+
+	return {
+		...query,
+		agents,
+		availableAgents,
+		invalidate: () => queryClient.invalidateQueries({ queryKey: ["publishedAgents"] }),
+	};
+}
diff --git a/frontend/hooks/agent/useSaveGuard.ts b/frontend/hooks/agent/useSaveGuard.ts
index a8ab6c09d..e41b4e0b1 100644
--- a/frontend/hooks/agent/useSaveGuard.ts
+++ b/frontend/hooks/agent/useSaveGuard.ts
@@ -6,6 +6,7 @@ import { useConfirmModal } from "../useConfirmModal";
 import { useAgentConfigStore } from "@/stores/agentConfigStore";
 import { updateAgentInfo, updateToolConfig } from "@/services/agentConfigService";
 import { Agent } from "@/types/agentConfig";
+import log from "@/lib/logger";
 
 /**
  * Hook for handling agent save guard logic
@@ -43,12 +44,17 @@ export const useSaveGuard = () => {
         .map((id: any) => Number(id))
         .filter((id: number) => Number.isFinite(id));
 
+      const groupIds = (currentEditedAgent.group_ids || [])
+        .map((id: any) => Number(id))
+        .filter((id: number) => Number.isFinite(id));
+
       const result = await updateAgentInfo({
         agent_id: currentAgentId ?? undefined, // undefined=create, number=update
         name: currentEditedAgent.name,
         display_name: currentEditedAgent.display_name,
         description: currentEditedAgent.description,
         author: currentEditedAgent.author,
+        group_ids: groupIds,
         model_name: currentEditedAgent.model,
         model_id: currentEditedAgent.model_id ?? undefined,
         max_steps: currentEditedAgent.max_step,
@@ -65,7 +71,7 @@ export const useSaveGuard = () => {
       });
 
       if (result.success) {
-        useAgentConfigStore.getState().markAsSaved(); // 标记为已保存
+        useAgentConfigStore.getState().markAsSaved(); // Mark as saved
         message.success(
             t("businessLogic.config.message.agentSaveSuccess")
         );
@@ -92,7 +98,7 @@ export const useSaveGuard = () => {
               try {
                 await updateToolConfig(toolId, agentIdNumber, params, isEnabled);
               } catch (error) {
-                console.error(`Failed to save tool config for tool ${toolId}:`, error);
+                log.error(`Failed to save tool config for tool ${toolId}:`, error);
                 // Continue with other tools even if one fails
               }
             }
@@ -108,7 +114,7 @@ export const useSaveGuard = () => {
         });
         // Get the updated agent data from the refreshed cache
         let updatedAgent = queryClient.getQueryData(["agentInfo", finalAgentId]) as Agent;
-        
+
         // For new agents, the cache might not be populated yet
         // Construct a minimal Agent object from the edited data
         if (!updatedAgent && finalAgentId) {
@@ -130,9 +136,10 @@ export const useSaveGuard = () => {
             business_logic_model_name: currentEditedAgent.business_logic_model_name,
             business_logic_model_id: currentEditedAgent.business_logic_model_id,
             sub_agent_id_list: currentEditedAgent.sub_agent_id_list,
+            group_ids: currentEditedAgent.group_ids || [],
           };
         }
-        
+
         if (updatedAgent) {
           useAgentConfigStore.getState().setCurrentAgent(updatedAgent);
         }
diff --git a/frontend/hooks/auth/useAuthentication.ts b/frontend/hooks/auth/useAuthentication.ts
new file mode 100644
index 000000000..b360d613e
--- /dev/null
+++ b/frontend/hooks/auth/useAuthentication.ts
@@ -0,0 +1,55 @@
+"use client";
+
+import { useAuthenticationState } from "@/hooks/auth/useAuthenticationState";
+import { useAuthenticationUI } from "@/hooks/auth/useAuthenticationUI";
+import { AuthenticationContextType } from "@/types/auth";
+
+/**
+ * Custom hook for authentication management
+ * Combines useAuthenticationState and useAuthenticationUI to provide full authentication functionality
+ */
+export function useAuthentication(): AuthenticationContextType {
+  const authState = useAuthenticationState();
+  // Pass auth state to useAuthenticationUI to avoid circular dependency
+  const authUI = useAuthenticationUI({
+    isAuthenticated: authState.isAuthenticated,
+    isAuthChecking: authState.isAuthChecking,
+    clearLocalSession: authState.clearLocalSession,
+  });
+
+  return {
+    // Authentication state
+    isAuthenticated: authState.isAuthenticated,
+    isAuthChecking: authState.isAuthChecking,
+    isLoading: authState.isLoading,
+    session: authState.session,
+
+    authServiceUnavailable: authState.authServiceUnavailable,
+
+    // Methods
+    login: authState.login,
+    register: authState.register,
+    logout: authState.logout,
+    clearLocalSession: authState.clearLocalSession,
+    revoke: authState.revoke,
+
+    // UI state
+    isLoginModalOpen: authUI.isLoginModalOpen,
+    isRegisterModalOpen: authUI.isRegisterModalOpen,
+    isAuthPromptModalOpen: authUI.isAuthPromptModalOpen,
+    isSessionExpiredModalOpen: authUI.isSessionExpiredModalOpen,
+
+    // UI methods
+    openLoginModal: authUI.openLoginModal,
+    closeLoginModal: authUI.closeLoginModal,
+
+    openRegisterModal: authUI.openRegisterModal,
+    closeRegisterModal: authUI.closeRegisterModal,
+
+    openAuthPromptModal: authUI.openAuthPromptModal,
+    closeAuthPromptModal: authUI.closeAuthPromptModal,
+
+    openSessionExpiredModal: authUI.openSessionExpiredModal,
+    closeSessionExpiredModal: authUI.closeSessionExpiredModal
+  };
+}
diff --git a/frontend/hooks/auth/useAuthenticationState.ts b/frontend/hooks/auth/useAuthenticationState.ts
new file mode 100644
index 000000000..c9fdad6bd
--- /dev/null
+++ b/frontend/hooks/auth/useAuthenticationState.ts
@@ -0,0 +1,234 @@
+"use client";
+
+import { useState, useEffect, useCallback } from "react";
+import { useTranslation } from "react-i18next";
+import { App } from "antd";
+
+import { useDeployment } from "@/components/providers/deploymentProvider";
+import { authService } from "@/services/authService";
+import { getSessionFromStorage, removeSessionFromStorage, checkSessionValid } from "@/lib/session";
+import { Session, AuthenticationStateReturn, AuthenticationContextType } from "@/types/auth";
+import { STATUS_CODES } from "@/const/auth";
+import { authEventUtils } from "@/lib/authEvents";
+import log from "@/lib/logger";
+
+/**
+ * Custom hook for authentication state management
+ * Handles JWT tokens, login/logout, session restoration, and modal states
+ */
+export function useAuthenticationState(): AuthenticationStateReturn {
+  const { t } = useTranslation("common");
+  const { message } = App.useApp();
+  const { isSpeedMode } = useDeployment();
+
+  // Authentication state
+  const [isAuthenticated, setIsAuthenticated] = useState<boolean>(false);
+  const [isAuthChecking, setIsAuthChecking] = useState<boolean>(true);
+  const [isLoading, setIsLoading] = useState<boolean>(false);
+  const [session, setSession] = useState<Session | null>(null);
+  const [authServiceUnavailable, setAuthServiceUnavailable] =
+    useState<boolean>(false);
+
+  // Speed mode: skip authentication checks, consider user as authenticated
+  useEffect(() => {
+    if (isSpeedMode) {
+      // In speed mode, user is considered authenticated without session
+      setIsAuthenticated(true);
+    } else {
+      if (checkSessionValid()) {
+        const storedSession = getSessionFromStorage();
+        if (storedSession) {
+          setSession(storedSession);
+        }
+        setIsAuthenticated(true);
+      } else {
+        setSession(null);
+        setIsAuthenticated(false);
+      }
+    }
+    setIsAuthChecking(false);
+  }, [isSpeedMode]);
+
+  const clearLocalSession = useCallback(() => {
+    removeSessionFromStorage();
+    setSession(null);
+    setIsAuthenticated(false);
+  }, []);
+
+  // Login method
+  const login = useCallback(
+    async (
+      email: string,
+      password: string,
+      options: { showSuccessMessage?: boolean } = {}
+    ) => {
+      const { showSuccessMessage = true } = options;
+
+      setIsLoading(true);
+
+      try {
+        // First check auth service availability
+        const isAuthServiceAvailable =
+          await authService.checkAuthServiceAvailable();
+        if (!isAuthServiceAvailable) {
+          const error = new Error(t("auth.authServiceUnavailable"));
+          (error as any).code = STATUS_CODES.AUTH_SERVICE_UNAVAILABLE;
+          setAuthServiceUnavailable(true);
+          throw error;
+        }
+
+        setAuthServiceUnavailable(false);
+
+        const { data, error } = await authService.signIn(email, password);
+
+        if (error) {
+          log.error("Login failed: ", error.message);
+          throw error;
+        }
+
+        if (data?.session) {
+          // Update authentication state
+          setSession(data.session);
+          setIsAuthenticated(true);
+
+          // Delay to ensure UI updates
+          setTimeout(() => {
+            if (showSuccessMessage) {
+              message.success(t("auth.loginSuccess"));
+            }
+
+            authEventUtils.emitLoginSuccess();
+          }, 150);
+        }
+      } catch (error: any) {
+        log.error("Error during login process:", error.message);
+        throw error;
+      } finally {
+        setIsLoading(false);
+      }
+    },
+    []
+  );
+
+  // Register method
+  const register = useCallback(
+    async (
+      email: string,
+      password: string,
+      inviteCode?: string,
+      withNewInvitation?: boolean
+    ) => {
+      setIsLoading(true);
+
+      try {
+        const { data, error } = await authService.signUp(
+          email,
+          password,
+          inviteCode,
+          withNewInvitation
+        );
+
+        if (error) {
+          log.error("Registration failed: ", error.message);
+          throw error;
+        }
+
+        if (data?.session) {
+          setSession(data.session);
+          setIsAuthenticated(true);
+
+          setTimeout(() => {
+            message.success(t("auth.registerSuccessAutoLogin"));
+
+            // Emit register success event to close register modal
+            authEventUtils.emitRegisterSuccess();
+            // Emit login success event for permission fetching
+            authEventUtils.emitLoginSuccess();
+          }, 150);
+        }
+      } catch (error: any) {
+        log.error("Error during registration process:", error.message);
+        throw error;
+      } finally {
+        setIsLoading(false);
+      }
+    },
+    []
+  );
+
+  // Logout method
+  const logout = useCallback(
+    async (options: { silent?: boolean } = {}) => {
+      const { silent = false } = options;
+
+      try {
+        setIsLoading(true);
+
+        if (!silent) {
+          // Call logout API
+          await authService.signOut();
+        }
+
+        // Clear local session
+        removeSessionFromStorage();
+        setSession(null);
+        setIsAuthenticated(false);
+
+        if (!silent) {
+          message.success(t("auth.logoutSuccess"));
+        }
+
+        // Emit logout event
+        authEventUtils.emitLogout();
+      } catch (error: any) {
+        log.error("Logout failed:", error?.message || error);
+        // Even if API call fails, clear local session
+        removeSessionFromStorage();
+        setSession(null);
+        setIsAuthenticated(false);
+
+        if (!silent) {
+          message.error(t("auth.logoutFailed"));
+        }
+      } finally {
+        setIsLoading(false);
+      }
+    },
+    []
+  );
+
+  // Revoke method
+  const revoke = useCallback(async () => {
+    try {
+      setIsLoading(true);
+
+      await authService.revoke();
+
+      clearLocalSession();
+      message.success(t("auth.revokeSuccess"));
+
+      authEventUtils.emitLogout();
+    } catch (error: any) {
+      log.error("Revoke failed:", error?.message || error);
+      message.error(t("auth.revokeFailed"));
+    } finally {
+      setIsLoading(false);
+    }
+  }, [clearLocalSession]);
+
+  return {
+    // Authentication state
+    isAuthenticated,
+    isAuthChecking,
+    isLoading,
+    session,
+    authServiceUnavailable,
+
+    // Methods
+    login,
+    register,
+    logout,
+    clearLocalSession,
+    revoke
+  };
+}
diff --git a/frontend/hooks/auth/useAuthenticationUI.ts b/frontend/hooks/auth/useAuthenticationUI.ts
new file mode 100644
index 000000000..c158b2d8d
--- /dev/null
+++ b/frontend/hooks/auth/useAuthenticationUI.ts
@@ -0,0 +1,164 @@
+"use client";
+
+import { useState, useCallback, useRef, useEffect } from "react";
+import { useRouter, usePathname } from "next/navigation";
+import { useTranslation } from "react-i18next";
+
+import { useDeployment } from "@/components/providers/deploymentProvider";
+import { AUTH_EVENTS } from "@/const/auth";
+import { getEffectiveRoutePath } from "@/lib/auth";
+import { authEvents, authEventUtils } from "@/lib/authEvents";
+import { AuthenticationUIReturn } from "@/types/auth";
+import log from "@/lib/logger";
+
+/**
+ * Custom hook for authentication UI management
+ * Handles login/register modals, auth prompt modals, and session expired modal
+ * Must be used within AuthenticationProvider
+ */
+export function useAuthenticationUI({
+  isAuthenticated,
+  isAuthChecking,
+  clearLocalSession,
+}: {
+  isAuthenticated: boolean;
+  isAuthChecking: boolean;
+  clearLocalSession: () => void;
+}): AuthenticationUIReturn {
+  const router = useRouter();
+  const pathname = usePathname();
+  const { t } = useTranslation("common");
+  const { isSpeedMode } = useDeployment();
+
+  // UI state for modals - managed locally within the hook
+  const [isLoginModalOpen, setIsLoginModalOpen] = useState(false);
+  const [isRegisterModalOpen, setIsRegisterModalOpen] = useState(false);
+  const [isAuthPromptModalOpen, setIsAuthPromptModalOpen] = useState(false);
+  const [isSessionExpiredModalOpen, setIsSessionExpiredModalOpen] = useState(false);
+
+  const handleUnauthenticatedModalClose = (() => {
+    // Only emit back to home event and redirect if user is not authenticated
+    if (!isAuthenticated && !isSpeedMode) {
+        
+      // Emit event to notify SideNavigation to reset selected key
+      authEventUtils.emitBackToHome();
+      // Redirect to home page if not already there
+      const effectivePath = pathname ? getEffectiveRoutePath(pathname) : "/";
+      if (effectivePath !== "/") {
+        router.push("/");
+      }
+    }
+  });
+
+  // Modal control functions
+  const openLoginModal = useCallback(() => setIsLoginModalOpen(true), []);
+
+  const closeLoginModal = useCallback(() => {
+    setIsLoginModalOpen(false);
+    handleUnauthenticatedModalClose();
+  }, [handleUnauthenticatedModalClose]);
+
+  const openRegisterModal = useCallback(() => setIsRegisterModalOpen(true), []);
+
+  const closeRegisterModal = useCallback(() => {
+    setIsRegisterModalOpen(false);
+    handleUnauthenticatedModalClose();
+  }, [handleUnauthenticatedModalClose]);
+
+  const openAuthPromptModal = useCallback(() => setIsAuthPromptModalOpen(true), []);
+
+  const closeAuthPromptModal = useCallback(() => {
+    setIsAuthPromptModalOpen(false);
+    handleUnauthenticatedModalClose();
+  }, [handleUnauthenticatedModalClose]);
+
+  const openSessionExpiredModal = useCallback(() => setIsSessionExpiredModalOpen(true), []);
+
+  const closeSessionExpiredModal = useCallback(() => {
+    clearLocalSession();
+    setIsSessionExpiredModalOpen(false);
+    handleUnauthenticatedModalClose();
+  }, [handleUnauthenticatedModalClose]);
+
+  /**
+   * Check if current path is home page
+   * Home page paths: "/", "/zh", "/en"
+   */
+  const isLocaleHomePath = (path?: string | null) => {
+    if (!path) return false;
+    const segments = path.split("/").filter(Boolean);
+    return segments.length <= 1;
+  };
+
+  useEffect(() => {
+    if (isSpeedMode) return;
+
+    const handleSessionExpired = () => {
+      setIsSessionExpiredModalOpen(true);
+    };
+
+    const handleRegisterSuccess = () => {
+      setIsRegisterModalOpen(false);
+    };
+
+    // Add event listener using type-safe auth events
+    const cleanup = authEvents.on(
+      AUTH_EVENTS.SESSION_EXPIRED,
+      handleSessionExpired
+    );
+    const cleanupRegister = authEvents.on(
+      AUTH_EVENTS.REGISTER_SUCCESS,
+      handleRegisterSuccess
+    );
+
+    // Return cleanup function
+    return () => {
+      cleanup();
+      cleanupRegister();
+    };
+  }, [isSpeedMode, setIsSessionExpiredModalOpen]);
+
+
+
+  // Route guard for unauthenticated users - check when pathname changes
+  useEffect(() => {
+    if (isSpeedMode) return;
+    // Skip while checking auth state
+    if (isAuthChecking) return;
+    // Skip if user is authenticated
+    if (isAuthenticated) return;
+    // Skip if session expired modal is already showing (avoid duplicate modals)
+    if (isSessionExpiredModalOpen) return;
+    if (isLoginModalOpen) return;
+    if (isRegisterModalOpen) return;
+    // Skip if already on home page
+    if (isLocaleHomePath(pathname)) return;
+
+    // For unauthenticated users accessing protected routes, show auth prompt
+    const effectivePath = getEffectiveRoutePath(pathname);
+    if (effectivePath !== "/") {
+      openAuthPromptModal();
+    }
+  }, [pathname, isAuthenticated, isSpeedMode, isAuthChecking, isSessionExpiredModalOpen, openAuthPromptModal]);
+
+
+  return {
+    // Login/Register Modal
+    isLoginModalOpen,
+    openLoginModal,
+    closeLoginModal,
+    isRegisterModalOpen,
+    openRegisterModal,
+    closeRegisterModal,
+
+    // Auth prompt modal
+    isAuthPromptModalOpen,
+    openAuthPromptModal,
+    closeAuthPromptModal,
+
+    // Session expired modal
+    isSessionExpiredModalOpen,
+    openSessionExpiredModal,
+    closeSessionExpiredModal,
+  };
+}
diff --git a/frontend/hooks/auth/useAuthorization.ts b/frontend/hooks/auth/useAuthorization.ts
new file mode 100644
index 000000000..2ba912a04
--- /dev/null
+++ b/frontend/hooks/auth/useAuthorization.ts
@@ -0,0 +1,228 @@
+"use client";
+
+import { useState, useEffect, useLayoutEffect, useCallback } from "react";
+import { useQuery } from "@tanstack/react-query";
+import { useRouter, usePathname } from "next/navigation";
+import { User, AuthInfoResponse, AuthorizationContextType } from "@/types/auth";
+import { authService } from "@/services/authService";
+import { authEvents, authzEventUtils } from "@/lib/authEvents";
+import { AUTH_EVENTS} from "@/const/auth";
+import { getEffectiveRoutePath } from "@/lib/auth";
+import log from "@/lib/logger";
+import { useDeployment } from "@/components/providers/deploymentProvider";
+import { checkSessionValid } from "@/lib/session";
+
+/**
+ * Custom hook for authorization management
+ * Handles user permissions, accessible routes, and React Query caching
+ */
+export function useAuthorization(): AuthorizationContextType {
+  const router = useRouter();
+  const pathname = usePathname();
+  const { isSpeedMode } = useDeployment();
+
+  // Authorization state
+  const [user, setUser] = useState<User | null>(null);
+  const [groupIds, setGroupIds] = useState<number[]>([]);
+  const [permissions, setPermissions] = useState<string[]>([]);
+  const [accessibleRoutes, setAccessibleRoutes] = useState<string[]>([]);
+  const [lastCheckedPath, setLastCheckedPath] = useState<string | null>(null);
+  const [isAuthzReady, setIsAuthzReady] = useState(false);
+
+  // Authz prompt modal state
+  const [isAuthzPromptModalOpen, setIsAuthzPromptModalOpen] = useState(false);
+
+  // Query for current user authorization info
+  const {
+    data: currentUserInfo,
+    isLoading,
+    error,
+    refetch,
+  } = useQuery({
+    queryKey: ["currentUserInfo"],
+    queryFn: async (): Promise<AuthInfoResponse> => {
+      const result = await authService.getCurrentUserInfo();
+      if (!result) {
+        throw new Error("Failed to fetch user info");
+      }
+      return result;
+    },
+    enabled: false,
+    staleTime: 5 * 60 * 1000,
+    gcTime: 10 * 60 * 1000,
+    // Prevent unnecessary refetches when disabled
+    refetchInterval: false,
+    refetchOnWindowFocus: false,
+    refetchOnMount: false,
+    refetchOnReconnect: false,
+  });
+
+  // Apply authorization data to state
+  const applyAuthzData = useCallback(
+    (data: AuthInfoResponse) => {
+      const { user: userData } = data;
+      if (!userData) {
+        log.warn("No user data in authorization response");
+        return false;
+      }
+
+      const { permissions, accessibleRoutes, groupIds, ...userInfo } = userData;
+      if (!permissions || !accessibleRoutes) {
+        log.warn("Missing permissions or accessibleRoutes", {
+          hasPermissions: !!permissions,
+          hasAccessibleRoutes: !!accessibleRoutes,
+        });
+        return false;
+      }
+
+      setUser(userInfo as User);
+      setGroupIds(groupIds);
+      setPermissions(permissions);
+      setAccessibleRoutes(accessibleRoutes);
+      setIsAuthzReady(true);
+
+      authzEventUtils.emitPermissionsReady({
+        ...userInfo,
+        permissions,
+        accessibleRoutes,
+      });
+
+      return true;
+    },
+    []
+  );
+
+  // Clear authorization data from state
+  const clearAuthzData = useCallback(() => {
+    setUser(null);
+    setGroupIds([]);
+    setPermissions([]);
+    setAccessibleRoutes([]);
+    setIsAuthzReady(false);
+  }, []);
+
+  // Fetch authorization data
+  const fetchAuthzData = useCallback(() => {
+    refetch()
+      .then((result) => {
+        if (result.data && (result.status === 'success' || result.isSuccess)) {
+          applyAuthzData(result.data);
+        }
+      })
+      .catch((err) => {
+        log.error("Failed to fetch authorization data:", err);
+      });
+  }, [refetch, applyAuthzData]);
+
+  // Initialize authorization on mount
+  useEffect(() => {
+
+    // In speed mode, fetch authorization data immediately
+    if (isSpeedMode) {
+      log.info("Speed mode: fetching authorization info...");
+      fetchAuthzData();
+      return;
+    }
+
+    // On page refresh, if there is a valid session in storage,
+    // proactively load authorization info so that user/permissions are ready.
+    if (checkSessionValid()) {
+      log.info(
+        "Valid session detected on mount, fetching authorization info..."
+      );
+      fetchAuthzData();
+    }
+  }, [isSpeedMode, fetchAuthzData]);
+
+  // Listen for authentication events
+  useEffect(() => {
+    if (isSpeedMode) return;
+
+    // Handle login success - fetch authorization data
+    const handleLoginSuccess = () => {
+      log.info("Login success: fetching authorization info...");
+      fetchAuthzData();
+    };
+
+    // Handle logout - clear authorization data
+    const handleLogout = () => {
+      log.info("User logged out: clearing authorization data...");
+      clearAuthzData();
+    };
+
+    // Handle session expired - clear authorization data
+    const handleSessionExpired = () => {
+      log.info("Session expired: clearing authorization data...");
+      clearAuthzData();
+    };
+
+    const cleanupLogin = authEvents.on(AUTH_EVENTS.LOGIN_SUCCESS, handleLoginSuccess);
+    const cleanupLogout = authEvents.on(AUTH_EVENTS.LOGOUT, handleLogout);
+    const cleanupSessionExpired = authEvents.on(AUTH_EVENTS.SESSION_EXPIRED, handleSessionExpired);
+
+    return () => {
+      cleanupLogin();
+      cleanupLogout();
+      cleanupSessionExpired();
+    };
+  }, [isSpeedMode, fetchAuthzData, clearAuthzData]);
+
+  // Authz prompt modal control functions
+  const openAuthzPromptModal = useCallback(() => setIsAuthzPromptModalOpen(true), []);
+  const closeAuthzPromptModal = useCallback(() => setIsAuthzPromptModalOpen(false), []);
+
+  // Check if current route has access
+  const cleanPath = getEffectiveRoutePath(pathname);
+  const hasAccess = accessibleRoutes.includes(cleanPath);
+
+  // Route guard
+  useLayoutEffect(() => {
+    if (isLoading || !user || accessibleRoutes.length === 0 || pathname === lastCheckedPath) {
+      return;
+    }
+
+    if (!hasAccess) {
+      log.warn("Access denied to route:", { pathname: cleanPath, accessibleRoutes });
+      if (user) {
+        openAuthzPromptModal();
+      }
+      setTimeout(() => {
+        router.replace("/");
+      }, 0);
+      return;
+    }
+
+    setLastCheckedPath(pathname);
+  }, [pathname, isLoading, user, accessibleRoutes, lastCheckedPath, hasAccess, cleanPath, router, openAuthzPromptModal]);
+
+  // Permission checking utilities
+  const hasPermission = useCallback((permission: string): boolean => {
+    return permissions.includes(permission);
+  }, [permissions]);
+
+  const hasAnyPermission = useCallback((requiredPermissions: string[]): boolean => {
+    return requiredPermissions.some((p) => permissions.includes(p));
+  }, [permissions]);
+
+  const canAccessRoute = useCallback((route: string): boolean => {
+    return accessibleRoutes.includes(route);
+  }, [accessibleRoutes]);
+
+  return {
+    user,
+    groupIds,
+    permissions,
+    accessibleRoutes,
+    isLoading,
+    error: error as Error | null,
+    isAuthorized: !isLoading && !!user && hasAccess,
+    isAuthzReady,
+    refetch,
+    hasPermission,
+    hasAnyPermission,
+    canAccessRoute,
+    isAuthzPromptModalOpen,
+    openAuthzPromptModal,
+    closeAuthzPromptModal,
+  };
+}
diff --git a/frontend/hooks/auth/useSessionManager.ts b/frontend/hooks/auth/useSessionManager.ts
new file mode 100644
index 000000000..a04fef43e
--- /dev/null
+++ b/frontend/hooks/auth/useSessionManager.ts
@@ -0,0 +1,254 @@
+"use client";
+
+import { useCallback, useEffect, useRef } from "react";
+
+import { useDeployment } from "@/components/providers/deploymentProvider";
+import { sessionService } from "@/services/sessionService";
+import {
+  getSessionFromStorage,
+  saveSessionToStorage,
+  checkSessionValid,
+  checkSessionExpired,
+  handleSessionExpired,
+} from "@/lib/session";
+import {
+  TOKEN_REFRESH_BEFORE_EXPIRY_MS,
+  MIN_ACTIVITY_CHECK_INTERVAL_MS,
+} from "@/const/constants";
+import log from "@/lib/logger";
+
+import type { Session } from "@/types/auth";
+
+/**
+ * Check if token is expiring soon (within threshold)
+ */
+export const isSessionExpiringSoon = (): boolean => {
+  const session = getSessionFromStorage();
+  if (!session?.expires_at) return false;
+
+  const now = Date.now();
+  const msUntilExpiry = session.expires_at * 1000 - now;
+
+  // Token must not be already expired, and remaining time must be within threshold
+  return msUntilExpiry > 0 && msUntilExpiry <= TOKEN_REFRESH_BEFORE_EXPIRY_MS;
+};
+
+/**
+ * Refresh session if needed (token expiring soon)
+ * Uses refresh_token to get new access_token
+ * @returns Whether refresh was successful
+ */
+export const refreshSession = async (): Promise<boolean> => {
+  const session = getSessionFromStorage();
+  if (!session?.refresh_token) {
+    return false;
+  }
+
+  const newSession = await sessionService.refreshToken(session.refresh_token);
+  if (newSession) {
+    saveSessionToStorage(newSession);
+    log.info("Session refreshed successfully");
+    return true;
+  }
+
+  log.warn("Session refresh failed");
+  return false;
+};
+
+  // ============================================================================
+  // Hook implementation
+  // ============================================================================
+
+export function useSessionManager() {
+  const { isSpeedMode, isDeploymentReady } = useDeployment();
+  const reconcileExpiryRef = useRef<() => void>(() => {});
+
+  // Initialize session management when hook is used
+  useEffect(() => {
+    // In speed mode or before deployment is ready, skip session validation
+    // This prevents the modal from showing when isSpeedMode is initially false
+    // and then becomes true after API returns deployment_version
+    if (isSpeedMode || !isDeploymentReady) return;
+
+    const session = getSessionFromStorage();
+    if (!session) {
+      return;
+    }
+
+    if (checkSessionValid()) {
+      // Session is valid, no action needed
+      return;
+    }
+
+    // Session is expired or invalid
+    handleSessionExpired();
+  }, [isSpeedMode, isDeploymentReady]);
+
+  /**
+   * Proactive session expiry watcher
+   * Triggers session-expired even if user does not make any API request
+   */
+  useEffect(() => {
+    // In speed mode or before deployment is ready, skip session watching
+    if (isSpeedMode || !isDeploymentReady) return;
+
+    let timeoutId: number | null = null;
+    let intervalId: number | null = null;
+
+    const clearTimers = () => {
+      if (timeoutId !== null) {
+        window.clearTimeout(timeoutId);
+        timeoutId = null;
+      }
+      if (intervalId !== null) {
+        window.clearInterval(intervalId);
+        intervalId = null;
+      }
+    };
+
+    const scheduleExpiryCheck = () => {
+      clearTimers();
+
+      const session = getSessionFromStorage();
+      if (!session?.expires_at) {
+        return;
+      }
+
+      const now = Date.now();
+      const delayMs = session.expires_at * 1000 - now;
+
+      if (delayMs <= 0) {
+        handleSessionExpired();
+        return;
+      }
+
+      // Schedule an accurate one-shot check at expiry time
+      timeoutId = window.setTimeout(() => {
+        if (!checkSessionValid()) {
+          handleSessionExpired();
+        }
+      }, delayMs);
+
+      // Also reschedule periodically to account for token refresh extending expires_at
+      intervalId = window.setInterval(() => {
+        const s = getSessionFromStorage();
+        if (!s) {
+          clearTimers();
+          return;
+        }
+        if (!checkSessionValid()) {
+          handleSessionExpired();
+          return;
+        }
+        if (s.expires_at !== session.expires_at) {
+          scheduleExpiryCheck();
+        }
+      }, 30_000);
+    };
+
+    const reconcileExpiry = () => {
+      if (typeof document !== "undefined" && document.hidden) return;
+      if (!checkSessionValid() && getSessionFromStorage()) {
+        handleSessionExpired();
+        return;
+      }
+      scheduleExpiryCheck();
+    };
+
+    reconcileExpiryRef.current = reconcileExpiry;
+    scheduleExpiryCheck();
+
+    return () => {
+      reconcileExpiryRef.current = () => {};
+      clearTimers();
+    };
+  }, [isSpeedMode]);
+
+  /**
+   * Setup automatic token refresh on user activity
+   * Refreshes token before expiry to implement sliding expiration
+   */
+  const setupTokenAutoRefresh = useCallback(() => {
+    // Skip in speed mode
+    if (isSpeedMode) return () => {};
+
+    let lastActivityCheckAt = 0;
+
+    const maybeRefreshOnActivity = async () => {
+      try {
+        // Keep expiry timer in sync when the page becomes active again
+        reconcileExpiryRef.current();
+
+        // Throttle activity-driven checks
+        const now = Date.now();
+        if (now - lastActivityCheckAt < MIN_ACTIVITY_CHECK_INTERVAL_MS) return;
+        lastActivityCheckAt = now;
+
+        // Do not run when page is hidden
+        if (typeof document !== "undefined" && document.hidden) return;
+
+        // Check if token is expiring soon
+        if (isSessionExpiringSoon()) {
+          const success = await refreshSession();
+
+          // If refresh failed, it means refresh_token is also invalid
+          // The session will be cleared when backend returns 401 or when fetchWithAuth checks
+          if (!success) {
+            log.debug("Token refresh failed, waiting for 401 from backend");
+          }
+        }
+      } catch (error) {
+        log.error("Activity-based refresh check failed:", error);
+      }
+    };
+
+    const events: (keyof DocumentEventMap | keyof WindowEventMap)[] = [
+      "click",
+      "keydown",
+      "mousemove",
+      "touchstart",
+      "focus",
+      "visibilitychange",
+    ];
+
+    const handler = () => {
+      void maybeRefreshOnActivity();
+    };
+
+    events.forEach((evt) => {
+      if (evt === "focus" || evt === "visibilitychange") {
+        window.addEventListener(evt as any, handler, { passive: true });
+      } else {
+        document.addEventListener(evt as any, handler, { passive: true });
+      }
+    });
+
+    return () => {
+      events.forEach((evt) => {
+        if (evt === "focus" || evt === "visibilitychange") {
+          window.removeEventListener(evt as any, handler);
+        } else {
+          document.removeEventListener(evt as any, handler);
+        }
+      });
+    };
+  }, [isSpeedMode]);
+
+  // Setup auto refresh
+  useEffect(() => {
+    const cleanupAutoRefresh = setupTokenAutoRefresh();
+    return () => {
+      cleanupAutoRefresh?.();
+    };
+  }, [setupTokenAutoRefresh]);
+
+  return {
+    isSessionExpiringSoon,
+
+    // Business logic
+    refreshSession,
+
+    // Legacy functions
+    setupTokenAutoRefresh,
+  };
+}
diff --git a/frontend/hooks/knowledge/useKnowledgeList.ts b/frontend/hooks/knowledge/useKnowledgeList.ts
index e7f51b6e6..72c967009 100644
--- a/frontend/hooks/knowledge/useKnowledgeList.ts
+++ b/frontend/hooks/knowledge/useKnowledgeList.ts
@@ -7,9 +7,9 @@ export function useKnowledgeList(tenantId: string | null) {
   return useQuery({
     queryKey: ["knowledgeBases", tenantId],
     queryFn: async () => {
-      const data = await knowledgeBaseService.getKnowledgeBasesInfo(false, true, tenantId ?? undefined);
+      const result = await knowledgeBaseService.getKnowledgeBasesInfo(false, true, tenantId ?? undefined);
       // Sort by updatedAt descending
-      return data.sort((a, b) => {
+      return result.knowledgeBases.sort((a, b) => {
         const dateA = a.updatedAt ? new Date(a.updatedAt).getTime() : 0;
         const dateB = b.updatedAt ? new Date(b.updatedAt).getTime() : 0;
         return dateB - dateA;
diff --git a/frontend/hooks/mcp/useMcpContainerList.ts b/frontend/hooks/mcp/useMcpContainerList.ts
index 417a8eca7..c413d5aab 100644
--- a/frontend/hooks/mcp/useMcpContainerList.ts
+++ b/frontend/hooks/mcp/useMcpContainerList.ts
@@ -5,19 +5,19 @@ import { McpContainer } from "@/types/agentConfig";
 
 export const MCP_CONTAINERS_QUERY_KEY = ["mcp", "containers"] as const;
 
-export function useMcpContainerList(options?: { enabled?: boolean; staleTime?: number }) {
+export function useMcpContainerList(options?: { enabled?: boolean; staleTime?: number; tenantId?: string | null }) {
   const queryClient = useQueryClient();
 
   const fetchContainerList = useCallback(async () => {
-    const res = await getMcpContainers();
+    const res = await getMcpContainers(options?.tenantId);
     if (!res || !res.success) {
       throw new Error(res?.message || "Failed to load MCP container list");
     }
     return res;
-  }, []);
+  }, [options?.tenantId]);
 
   const query = useQuery({
-    queryKey: MCP_CONTAINERS_QUERY_KEY,
+    queryKey: [...MCP_CONTAINERS_QUERY_KEY, options?.tenantId],
     queryFn: fetchContainerList,
     staleTime: options?.staleTime ?? 60_000,
     enabled: options?.enabled ?? true,
diff --git a/frontend/hooks/mcp/useMcpServerList.ts b/frontend/hooks/mcp/useMcpServerList.ts
index f30b64ec5..8a1a44fa8 100644
--- a/frontend/hooks/mcp/useMcpServerList.ts
+++ b/frontend/hooks/mcp/useMcpServerList.ts
@@ -5,19 +5,19 @@ import { McpServer } from "@/types/agentConfig";
 
 export const MCP_SERVERS_QUERY_KEY = ["mcp", "servers"] as const;
 
-export function useMcpServerList(options?: { enabled?: boolean; staleTime?: number }) {
+export function useMcpServerList(options?: { enabled?: boolean; staleTime?: number; tenantId?: string | null }) {
   const queryClient = useQueryClient();
 
   const fetchServerList = useCallback(async () => {
-    const res = await getMcpServerList();
+    const res = await getMcpServerList(options?.tenantId);
     if (!res || !res.success) {
       throw new Error(res?.message || "Failed to load MCP server list");
     }
     return res;
-  }, []);
+  }, [options?.tenantId]);
 
   const query = useQuery({
-    queryKey: MCP_SERVERS_QUERY_KEY,
+    queryKey: [...MCP_SERVERS_QUERY_KEY, options?.tenantId],
     queryFn: fetchServerList,
     staleTime: options?.staleTime ?? 60_000,
     enabled: options?.enabled ?? true,
diff --git a/frontend/hooks/model/useManageTenantModels.ts b/frontend/hooks/model/useManageTenantModels.ts
new file mode 100644
index 000000000..3a1c8456e
--- /dev/null
+++ b/frontend/hooks/model/useManageTenantModels.ts
@@ -0,0 +1,64 @@
+import { useQuery } from "@tanstack/react-query";
+import { modelService } from "@/services/modelService";
+import { ModelOption } from "@/types/modelConfig";
+
+export interface ManageTenantModelResult {
+  models: ModelOption[];
+  total: number;
+  page: number;
+  pageSize: number;
+  totalPages: number;
+  tenantName: string;
+  isLoading: boolean;
+  isError: boolean;
+  error: Error | null;
+  refetch: () => Promise<void>;
+}
+
+export function useManageTenantModels(options: {
+  tenantId: string;
+  modelType?: string;
+  page?: number;
+  pageSize?: number;
+  enabled?: boolean;
+}): ManageTenantModelResult {
+  const { tenantId, modelType, page = 1, pageSize = 20, enabled = true } = options;
+
+  const query = useQuery({
+    queryKey: ["manage-tenant-models", tenantId, modelType, page, pageSize],
+    queryFn: async (): Promise<{
+      models: ModelOption[];
+      total: number;
+      page: number;
+      pageSize: number;
+      totalPages: number;
+      tenantName: string;
+    }> => {
+      const result = await modelService.getManageTenantModels({
+        tenantId,
+        modelType,
+        page,
+        pageSize,
+      });
+      return result;
+    },
+    enabled: enabled && !!tenantId,
+    staleTime: 30_000, // 30 seconds default
+  });
+
+  return {
+    models: query.data?.models ?? [],
+    total: query.data?.total ?? 0,
+    page: query.data?.page ?? 1,
+    pageSize: query.data?.pageSize ?? 20,
+    totalPages: query.data?.totalPages ?? 0,
+    tenantName: query.data?.tenantName ?? "",
+    isLoading: query.isLoading,
+    isError: query.isError,
+    error: query.error as Error | null,
+    refetch: async () => {
+      await query.refetch();
+    },
+  };
+}
+
diff --git a/frontend/hooks/model/useSiliconModelList.ts b/frontend/hooks/model/useSiliconModelList.ts
index d82d1d51e..4e2fa864a 100644
--- a/frontend/hooks/model/useSiliconModelList.ts
+++ b/frontend/hooks/model/useSiliconModelList.ts
@@ -1,23 +1,25 @@
-import { useEffect } from 'react'
-import { message } from 'antd'
-import { useTranslation } from 'react-i18next'
-import { modelService } from '@/services/modelService'
-import { ModelType } from '@/types/modelConfig'
+import { useEffect } from "react";
+import { message } from "antd";
+import { useTranslation } from "react-i18next";
+import { modelService } from "@/services/modelService";
+import { ModelType } from "@/types/modelConfig";
+import { processProviderResponse } from "@/lib/providerError";
 import log from "@/lib/logger";
 
 interface UseSiliconModelListProps {
   form: {
-    type: ModelType
-    isBatchImport: boolean
-    apiKey: string
-    provider: string
-    maxTokens: string
-    isMultimodal: boolean
-  }
-  setModelList: (models: any[]) => void
-  setSelectedModelIds: (ids: Set<string>) => void
-  setShowModelList: (show: boolean) => void
-  setLoadingModelList: (loading: boolean) => void
+    type: ModelType;
+    isBatchImport: boolean;
+    apiKey: string;
+    provider: string;
+    maxTokens: string;
+    isMultimodal: boolean;
+  };
+  setModelList: (models: any[]) => void;
+  setSelectedModelIds: (ids: Set<string>) => void;
+  setShowModelList: (show: boolean) => void;
+  setLoadingModelList: (loading: boolean) => void;
+  tenantId?: string; // Optional tenant ID for manage operations
 }
 
 export const useSiliconModelList = ({
@@ -25,67 +27,103 @@ export const useSiliconModelList = ({
   setModelList,
   setSelectedModelIds,
   setShowModelList,
-  setLoadingModelList
+  setLoadingModelList,
+  tenantId,
 }: UseSiliconModelListProps) => {
-  const { t } = useTranslation()
+  const { t } = useTranslation();
 
   const getModelList = async () => {
-    setShowModelList(true)
-    setLoadingModelList(true)
-    const modelType = form.type === "embedding" && form.isMultimodal ?
-        "multi_embedding" as ModelType :
-        form.type
+    setShowModelList(true);
+    setLoadingModelList(true);
+    const modelType =
+      form.type === "embedding" && form.isMultimodal
+        ? ("multi_embedding" as ModelType)
+        : form.type;
     try {
-      const result = await modelService.addProviderModel({
-        provider: form.provider,
-        type: modelType,
-        apiKey: form.apiKey.trim() === "" ? "sk-no-api-key" : form.apiKey,
-        baseUrl:
-          form.provider === "modelengine" && form.apiKey.trim() !== ""
-            ? (form as any).modelEngineUrl || ""
-            : undefined,
-      })
+      // Use manage interface if tenantId is provided (for super admin)
+      const result = tenantId
+        ? await modelService.addManageProviderModel({
+            tenantId,
+            provider: form.provider,
+            type: modelType,
+            apiKey: form.apiKey.trim() === "" ? "sk-no-api-key" : form.apiKey,
+            baseUrl:
+              form.provider === "modelengine" && form.apiKey.trim() !== ""
+                ? (form as any).modelEngineUrl || ""
+                : undefined,
+          })
+        : await modelService.addProviderModel({
+            provider: form.provider,
+            type: modelType,
+            apiKey: form.apiKey.trim() === "" ? "sk-no-api-key" : form.apiKey,
+            baseUrl:
+              form.provider === "modelengine" && form.apiKey.trim() !== ""
+                ? (form as any).modelEngineUrl || ""
+                : undefined,
+          });
+
+      // Use centralized error processing
+      const { models, error } = processProviderResponse(
+        result,
+        form.provider,
+        t
+      );
+
+      if (error) {
+        message.error(error);
+        setModelList([]);
+        setSelectedModelIds(new Set());
+        setLoadingModelList(false);
+        return;
+      }
+
       // Ensure each model has a default max_tokens value
-      const modelsWithDefaults = result.map((model: any) => ({
+      const modelsWithDefaults = models.map((model: any) => ({
         ...model,
-        max_tokens: model.max_tokens || parseInt(form.maxTokens) || 4096
-      }))
-      setModelList(modelsWithDefaults)
-      if (!result || result.length === 0) {
-        message.error(t('model.dialog.error.noModelsFetched'))
-      }
-      const selectedModels = await getProviderSelectedModalList() || []
+        max_tokens: model.max_tokens || parseInt(form.maxTokens) || 4096,
+      }));
+      setModelList(modelsWithDefaults);
+
+      const selectedModels = (await getProviderSelectedModalList()) || [];
       // Key logic
       if (!selectedModels.length) {
         // Select none
-        setSelectedModelIds(new Set())
+        setSelectedModelIds(new Set());
       } else {
         // Only select selectedModels
-        setSelectedModelIds(new Set(selectedModels.map((m: any) => m.id)))
+        setSelectedModelIds(new Set(selectedModels.map((m: any) => m.id)));
       }
     } catch (error) {
-      message.error(t('model.dialog.error.addFailed', { error }))
-      log.error(t('model.dialog.error.addFailedLog'), error)
+      message.error(t("model.dialog.error.addFailed", { error }));
+      log.error(t("model.dialog.error.addFailedLog"), error);
     } finally {
-      setLoadingModelList(false)
+      setLoadingModelList(false);
     }
-  }
+  };
 
   const getProviderSelectedModalList = async () => {
-    const modelType = form.type === "embedding" && form.isMultimodal ?
-        "multi_embedding" as ModelType :
-        form.type
-    const result = await modelService.getProviderSelectedModalList({
-      provider: form.provider,
-      type: modelType,
-      api_key: form.apiKey.trim() === "" ? "sk-no-api-key" : form.apiKey,
-      baseUrl:
-        form.provider === "modelengine" && form.apiKey.trim() !== ""
-          ? (form as any).modelEngineUrl || ""
-          : undefined,
-    })
-    return result
-  }
+    const modelType =
+      form.type === "embedding" && form.isMultimodal
+        ? ("multi_embedding" as ModelType)
+        : form.type;
+    // Use manage interface if tenantId is provided (for super admin)
+    const result = tenantId
+      ? await modelService.getManageProviderSelectedModalList({
+          tenantId,
+          provider: form.provider,
+          type: modelType,
+        })
+      : await modelService.getProviderSelectedModalList({
+          provider: form.provider,
+          type: modelType,
+          api_key: form.apiKey.trim() === "" ? "sk-no-api-key" : form.apiKey,
+          baseUrl:
+            form.provider === "modelengine" && form.apiKey.trim() !== ""
+              ? (form as any).modelEngineUrl || ""
+              : undefined,
+        });
+    return result;
+  };
 
   // Auto-fetch model list when batch import is enabled and API key is provided
   useEffect(() => {
@@ -95,13 +133,13 @@ export const useSiliconModelList = ({
         : true;
 
     if (form.isBatchImport && form.apiKey.trim() !== "" && requiresUrl) {
-      getModelList()
+      getModelList();
     }
     // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [form.type, form.isBatchImport])
+  }, [form.type, form.isBatchImport]);
 
   return {
     getModelList,
-    getProviderSelectedModalList
-  }
-}
+    getProviderSelectedModalList,
+  };
+};
diff --git a/frontend/hooks/permission/usePermission.ts b/frontend/hooks/permission/usePermission.ts
new file mode 100644
index 000000000..b8640f29c
--- /dev/null
+++ b/frontend/hooks/permission/usePermission.ts
@@ -0,0 +1,35 @@
+"use client";
+
+import { useAuthorizationContext } from "@/components/providers/AuthorizationProvider";
+import { useAuthentication } from "@/hooks/auth/useAuthentication";
+
+export function usePermission() {
+  const { hasPermission, hasAnyPermission, isAuthzReady, isLoading } = useAuthorizationContext();
+  const { isAuthenticated } = useAuthentication();
+
+  return {
+    isReady: isAuthzReady,
+    isAuthenticated,
+    isLoading,
+
+    can: (permission: string): boolean => {
+      if (!isAuthenticated || !isAuthzReady) return false;
+      return hasPermission(permission);
+    },
+
+    cannot: (permission: string): boolean => {
+      if (!isAuthenticated || !isAuthzReady) return true;
+      return !hasPermission(permission);
+    },
+
+    canAny: (perms: string[]): boolean => {
+      if (!isAuthenticated || !isAuthzReady) return false;
+      return hasAnyPermission(perms);
+    },
+
+    canAll: (perms: string[]): boolean => {
+      if (!isAuthenticated || !isAuthzReady) return false;
+      return perms.every(p => hasPermission(p));
+    },
+  };
+}
diff --git a/frontend/hooks/useAgentImport.ts b/frontend/hooks/useAgentImport.ts
index 0aff99e82..39107a8d0 100644
--- a/frontend/hooks/useAgentImport.ts
+++ b/frontend/hooks/useAgentImport.ts
@@ -13,6 +13,8 @@ export interface ImportAgentData {
     mcp_server_name: string;
     mcp_url: string;
   }>;
+  business_logic_model_id?: number | null;
+  business_logic_model_name?: string | null;
 }
 
 export interface UseAgentImportOptions {
diff --git a/frontend/hooks/useAuth.ts b/frontend/hooks/useAuth.ts
deleted file mode 100644
index 5b2f1074f..000000000
--- a/frontend/hooks/useAuth.ts
+++ /dev/null
@@ -1,376 +0,0 @@
-"use client"
-
-import { useState, useEffect, useContext, createContext, type ReactNode } from "react"
-import { usePathname } from "next/navigation"
-import { useTranslation } from "react-i18next"
-
-import { App } from "antd"
-import { USER_ROLES } from "@/const/modelConfig"
-
-import { authService } from "@/services/authService"
-import { configService } from "@/services/configService"
-import { User, AuthContextType } from "@/types/auth"
-import { EVENTS, STATUS_CODES } from "@/const/auth"
-import { getSessionFromStorage, removeSessionFromStorage } from "@/lib/auth"
-import log from "@/lib/logger"
-import { useDeployment } from "@/components/providers/deploymentProvider"
-
-// Create auth context
-const AuthContext = createContext<AuthContextType | undefined>(undefined)
-
-// Auth provider component
-export function AuthProvider({ children }: { children: (value: AuthContextType) => ReactNode }) {
-  const { t } = useTranslation('common');
-  const { message } = App.useApp();
-  const { isSpeedMode } = useDeployment(); // 从 deployment context 获取
-  const [user, setUser] = useState<User | null>(null)
-  const [isLoading, setIsLoading] = useState(true)
-  const [isLoginModalOpen, setIsLoginModalOpen] = useState(false)
-  const [isRegisterModalOpen, setIsRegisterModalOpen] = useState(false)
-  const [isFromSessionExpired, setIsFromSessionExpired] = useState(false)
-  const [shouldCheckSession, setShouldCheckSession] = useState(false)
-  const [authServiceUnavailable, setAuthServiceUnavailable] = useState(false)
-  const pathname = usePathname()
-
-  // Check auth service availability
-  const checkAuthService = async () => {
-    const isAvailable = await authService.checkAuthServiceAvailable()
-    setAuthServiceUnavailable(!isAvailable)
-    return isAvailable
-  }
-
-  // When login or register modal is opened, check auth service availability
-  useEffect(() => {
-    if (isLoginModalOpen || isRegisterModalOpen) {
-      checkAuthService()
-    }
-  }, [isLoginModalOpen, isRegisterModalOpen]);
-
-  // Auto login function (for speed mode)
-  const performAutoLogin = async () => {
-    try {
-      // Use mock credentials for auto login
-      await login('mock@example.com', 'mockpassword', false);
-    } catch (error) {
-      log.error('Auto-login failed:', error);
-    }
-  };
-
-  // When initializing, check user session (only read from local storage, not request backend)
-  useEffect(() => {
-    const syncUserFromLocalStorage = () => {
-      const storedSession = typeof window !== "undefined" ? localStorage.getItem("session") : null;
-      if (storedSession) {
-        try {
-          const session = JSON.parse(storedSession);
-          
-          // Check if token is expired before setting user
-          if (session?.expires_at) {
-            const now = Date.now();
-            const expiresAt = session.expires_at * 1000;
-            if (expiresAt <= now) {
-              // Token expired, clear session and don't set user
-              log.warn("Token expired on initialization, clearing session");
-              removeSessionFromStorage();
-              setUser(null);
-              setShouldCheckSession(false);
-              return;
-            }
-          }
-          
-          if (session?.user) {
-            const safeUser: User = {
-              id: session.user.id,
-              email: session.user.email,
-              role: session.user.role === USER_ROLES.ADMIN ? USER_ROLES.ADMIN : USER_ROLES.USER,
-              avatar_url: session.user.avatar_url
-            };
-            setUser(safeUser);
-            setShouldCheckSession(true); // When there is a user, enable session check
-            return;
-          }
-        } catch (e) {
-          // ignore parse error
-        }
-      }
-      setUser(null);
-      setShouldCheckSession(false); // When there is no user, disable session check
-    };
-
-    setIsLoading(true);
-    syncUserFromLocalStorage();
-    setIsLoading(false);
-
-    // Listen to local session change
-    const handleStorage = (event: StorageEvent) => {
-      if (event.key === "session") {
-        syncUserFromLocalStorage();
-      }
-    };
-    window.addEventListener("storage", handleStorage);
-    return () => {
-      window.removeEventListener("storage", handleStorage);
-    };
-  }, []);
-
-  // Check user login status (skip in speed mode)
-  useEffect(() => {
-    if (isSpeedMode) return;
-    if (!isLoading && !user) {
-      // When page is loaded, if not logged in, trigger session expired event
-      // Only trigger on non-home path, and only when there is a session before
-      if (pathname && pathname !== '/' && !pathname.startsWith('/?') && shouldCheckSession) {
-        window.dispatchEvent(new CustomEvent(EVENTS.SESSION_EXPIRED, {
-          detail: { message: t('auth.sessionExpired') }
-        }));
-        setShouldCheckSession(false); // After triggering the expired event, disable session check
-      }
-    }
-  }, [user, isLoading, pathname, shouldCheckSession, t, isSpeedMode]);
-
-  // Session validity check, ensure the session in local storage is not expired (skip in speed mode)
-  useEffect(() => {
-    if (isSpeedMode || !user || isLoading || !shouldCheckSession) return;
-
-    const verifySession = () => {
-      const lastVerifyTime = Number(localStorage.getItem('lastSessionVerifyTime') || 0);
-      const now = Date.now();
-      // If the last verification is less than 10 seconds, skip
-      if (now - lastVerifyTime < 10000) {
-        return;
-      }
-
-      try {
-        const sessionObj = getSessionFromStorage();
-        if (!sessionObj || sessionObj.expires_at * 1000 <= now) {
-          // Session does not exist or has expired
-          window.dispatchEvent(new CustomEvent(EVENTS.SESSION_EXPIRED, {
-            detail: { message: t('auth.sessionExpired') }
-          }));
-          setShouldCheckSession(false);
-        }
-
-        localStorage.setItem('lastSessionVerifyTime', now.toString());
-      } catch (error) {
-        log.error('Session validation failed:', error);
-      }
-    };
-
-    // Immediately execute once
-    verifySession();
-
-    // Poll every 10 seconds
-    const intervalId = setInterval(verifySession, 10000);
-
-    return () => clearInterval(intervalId);
-  }, [isSpeedMode, user, isLoading, shouldCheckSession, t]);
-
-  const openLoginModal = () => {
-    setIsRegisterModalOpen(false)
-    setIsLoginModalOpen(true)
-  }
-
-  const closeLoginModal = () => {
-    setIsLoginModalOpen(false)
-  }
-
-  const openRegisterModal = () => {
-    setIsLoginModalOpen(false)
-    setIsRegisterModalOpen(true)
-  }
-
-  const closeRegisterModal = () => {
-    setIsRegisterModalOpen(false)
-  }
-
-  const login = async (email: string, password: string, showSuccessMessage: boolean = true) => {
-    try {
-      setIsLoading(true)
-      
-      // First check auth service availability
-      const isAuthServiceAvailable = await authService.checkAuthServiceAvailable()
-      if (!isAuthServiceAvailable) {
-        const error = new Error(t('auth.authServiceUnavailable'))
-        ;(error as any).code = STATUS_CODES.AUTH_SERVICE_UNAVAILABLE
-        throw error
-      }
-      
-      const { data, error } = await authService.signIn(email, password)
-
-      if (error) {
-        log.error("Login failed: ", error.message)
-        throw error
-      }
-
-      if (data?.session?.user) {
-        // Ensure role field is "user" or "admin"
-        const safeUser: User = {
-          id: data.session.user.id,
-          email: data.session.user.email,
-          role: data.session.user.role === USER_ROLES.ADMIN ? USER_ROLES.ADMIN : USER_ROLES.USER,
-          avatar_url: data.session.user.avatar_url
-        }
-        setUser(safeUser)
-        setShouldCheckSession(true) // After login, enable session check
-        
-        // Add delay to ensure local storage operation is completed
-        setTimeout(() => {
-          configService.loadConfigToFrontend()
-          closeLoginModal()
-
-          if (showSuccessMessage) {
-            message.success(t('auth.loginSuccess'))
-          }
-          // Manually trigger storage event
-          window.dispatchEvent(new StorageEvent("storage", { key: "session", newValue: localStorage.getItem("session") }))
-          
-          // If on the chat page, trigger conversation list update
-          if (pathname.includes('/chat')) {
-            window.dispatchEvent(new CustomEvent('conversationListUpdated'))
-          }
-        }, 150)
-      }
-    } catch (error: any) {
-      log.error("Error during login process:", error.message)
-      throw error
-    } finally {
-      setIsLoading(false)
-    }
-  }
-
-  const register = async (email: string, password: string, isAdmin?: boolean, inviteCode?: string) => {
-    try {
-      setIsLoading(true)
-      
-      // First check auth service availability
-      const isAuthServiceAvailable = await authService.checkAuthServiceAvailable()
-      if (!isAuthServiceAvailable) {
-        const error = new Error(t('auth.authServiceUnavailable'))
-        ;(error as any).code = STATUS_CODES.AUTH_SERVICE_UNAVAILABLE
-        throw error
-      }
-      
-      const { data, error } = await authService.signUp(email, password, isAdmin, inviteCode)
-
-      if (error) {
-        throw error
-      }
-
-      if (data?.user) {
-        // Ensure role field is "user" or "admin"
-        const safeUser: User = {
-          id: data.user.id,
-          email: data.user.email,
-          role: data.user.role === USER_ROLES.ADMIN ? USER_ROLES.ADMIN : USER_ROLES.USER,
-          avatar_url: data.user.avatar_url
-        }
-
-        if (data.session) {
-          // Register and login successfully
-          setUser(safeUser)
-          configService.loadConfigToFrontend()
-          closeRegisterModal()
-          const successMessage = isAdmin ? t('auth.adminRegisterSuccessAutoLogin') : t('auth.registerSuccessAutoLogin')
-          message.success(successMessage)
-          // Manually trigger storage event
-          window.dispatchEvent(new StorageEvent("storage", { key: "session", newValue: localStorage.getItem("session") }))
-        } else {
-          // Register successfully but need to manually login
-          closeRegisterModal()
-          openLoginModal()
-          const successMessage = isAdmin ? t('auth.adminRegisterSuccessManualLogin') : t('auth.registerSuccessManualLogin')
-          message.success(successMessage)
-        }
-      }
-    } catch (error: any) {
-      throw error
-    } finally {
-      setIsLoading(false)
-    }
-  }
-
-  // Clear local session state without calling backend API
-  // Used when session is already expired on the backend
-  const clearLocalSession = () => {
-    removeSessionFromStorage()
-    setUser(null)
-    setShouldCheckSession(false)
-    // Manually trigger storage event
-    window.dispatchEvent(new StorageEvent("storage", { key: "session", newValue: null }))
-  }
-
-  const logout = async (options?: { silent?: boolean }) => {
-    try {
-      setIsLoading(true)
-      await authService.signOut()
-      setUser(null)
-      // When logging out, disable session check
-      setShouldCheckSession(false)
-      // Only show message when user actively logout
-      if (!options?.silent) {
-        message.success(t("auth.logoutSuccess"))
-      }
-      // Manually trigger storage event
-      window.dispatchEvent(new StorageEvent("storage", { key: "session", newValue: null }))
-    } catch (error: any) {
-      log.error("Logout failed:", error.message)
-      message.error(t('auth.logoutFailed'))
-    } finally {
-      setIsLoading(false)
-    }
-  }
-
-  const revoke = async () => {
-    try {
-      setIsLoading(true);
-      await authService.revoke();
-      setUser(null);
-      setShouldCheckSession(false);
-      message.success(t("auth.revokeSuccess"));
-      // Manually trigger storage event
-      window.dispatchEvent(
-        new StorageEvent("storage", { key: "session", newValue: null })
-      );
-    } catch (error: any) {
-      log.error("Revoke failed:", error?.message || error);
-      message.error(t("auth.revokeFailed"));
-    } finally {
-      setIsLoading(false);
-    }
-  };
-
-  const contextValue: AuthContextType = {
-    user,
-    isLoading,
-    isLoginModalOpen,
-    isRegisterModalOpen,
-    isFromSessionExpired,
-    authServiceUnavailable,
-    isSpeedMode,
-    isAuthReady: true, // 认证部分总是就绪
-    openLoginModal,
-    closeLoginModal,
-    openRegisterModal,
-    closeRegisterModal,
-    setIsFromSessionExpired,
-    login,
-    register,
-    logout,
-    clearLocalSession,
-    revoke,
-  };
-
-  return children(contextValue);
-}
-
-// Custom hook for accessing auth context
-export function useAuth(): AuthContextType {
-  const context = useContext(AuthContext)
-  if (context === undefined) {
-    throw new Error("useAuth must be used within an AuthProvider")
-  }
-  return context
-}
-
-// Export auth context for Provider use
-export { AuthContext } 
\ No newline at end of file
diff --git a/frontend/hooks/useAuthForm.ts b/frontend/hooks/useAuthForm.ts
deleted file mode 100644
index b802e2f20..000000000
--- a/frontend/hooks/useAuthForm.ts
+++ /dev/null
@@ -1,70 +0,0 @@
-"use client";
-
-import { useState, useEffect, useRef } from "react";
-
-import { Form } from "antd";
-import { AuthFormValues } from "@/types/auth";
-
-export function useAuthForm() {
-  const [form] = Form.useForm<AuthFormValues>();
-  const [isLoading, setIsLoading] = useState(false);
-  const [emailError, setEmailError] = useState("");
-  const [passwordError, setPasswordError] = useState(false);
-  const isMountedRef = useRef(true);
-
-  // Cleanup on unmount
-  useEffect(() => {
-    return () => {
-      isMountedRef.current = false;
-    };
-  }, []);
-
-  // Reset all errors
-  const resetErrors = () => {
-    setEmailError("");
-    setPasswordError(false);
-  };
-
-  // Handle email input change
-  const handleEmailChange = () => {
-    if (!isMountedRef.current) return;
-    if (emailError) {
-      setEmailError("");
-      form.setFields([
-        {
-          name: "email",
-          errors: [],
-        },
-      ]);
-    }
-  };
-
-  // Handle password input change
-  const handlePasswordChange = () => {
-    if (!isMountedRef.current) return;
-    if (passwordError) {
-      setPasswordError(false);
-    }
-  };
-
-  // Reset form
-  const resetForm = () => {
-    if (!isMountedRef.current) return;
-    resetErrors();
-    form.resetFields();
-  };
-
-  return {
-    form,
-    isLoading,
-    setIsLoading,
-    emailError,
-    setEmailError,
-    passwordError,
-    setPasswordError,
-    resetErrors,
-    handleEmailChange,
-    handlePasswordChange,
-    resetForm,
-  };
-}
diff --git a/frontend/hooks/useKnowledgeBaseSelector.ts b/frontend/hooks/useKnowledgeBaseSelector.ts
new file mode 100644
index 000000000..b3f5de554
--- /dev/null
+++ b/frontend/hooks/useKnowledgeBaseSelector.ts
@@ -0,0 +1,339 @@
+"use client";
+
+import { useState, useCallback } from "react";
+import { useQuery, useQueryClient } from "@tanstack/react-query";
+
+import knowledgeBaseService from "@/services/knowledgeBaseService";
+import { KnowledgeBase } from "@/types/knowledgeBase";
+import log from "@/lib/logger";
+
+/**
+ * Query key factory for knowledge bases
+ */
+export const knowledgeBaseKeys = {
+  all: ["knowledgeBases"] as const,
+  lists: () => [...knowledgeBaseKeys.all, "list"] as const,
+  list: (toolType: string, difyServerUrl?: string) =>
+    difyServerUrl
+      ? ([...knowledgeBaseKeys.lists(), toolType, difyServerUrl] as const)
+      : ([...knowledgeBaseKeys.lists(), toolType] as const),
+};
+
+/**
+ * Hook for fetching knowledge bases based on tool type with React Query caching
+ * Uses cache to avoid repeated API calls on the same page
+ */
+export function useKnowledgeBasesForToolConfig(
+  toolType:
+    | "knowledge_base_search"
+    | "dify_search"
+    | "datamate_search"
+    | null = null,
+  config?: {
+    serverUrl?: string;
+    apiKey?: string;
+  }
+) {
+  // Support both difyConfig and datamateConfig naming conventions
+  const difyConfig = config;
+  const datamateConfig = config;
+
+  const query = useQuery({
+    queryKey: knowledgeBaseKeys.list(
+      toolType || "default",
+      difyConfig?.serverUrl || ""
+    ),
+    queryFn: async () => {
+      let kbs: KnowledgeBase[] = [];
+
+      // Fetch knowledge bases based on tool type
+      if (toolType === "datamate_search") {
+        // Sync DataMate knowledge bases with optional URL from config
+        const syncResult =
+          await knowledgeBaseService.syncDataMateAndCreateRecords(
+            datamateConfig?.serverUrl
+          );
+        if (syncResult.indices_info) {
+          kbs = syncResult.indices_info.map((indexInfo: any) => {
+            const stats = indexInfo.stats?.base_info || {};
+            const kbId = indexInfo.name;
+            const kbName = indexInfo.display_name || indexInfo.name;
+
+            return {
+              id: kbId,
+              name: kbName,
+              display_name: indexInfo.display_name || indexInfo.name,
+              description: "DataMate knowledge base",
+              documentCount: stats.doc_count || 0,
+              chunkCount: stats.chunk_count || 0,
+              createdAt: stats.creation_date || null,
+              updatedAt: stats.update_date || stats.creation_date || null,
+              embeddingModel: stats.embedding_model || "unknown",
+              knowledge_sources: indexInfo.knowledge_sources || "datamate",
+              ingroup_permission: indexInfo.ingroup_permission || "",
+              group_ids: indexInfo.group_ids || [],
+              store_size: stats.store_size || "",
+              process_source: stats.process_source || "",
+              avatar: "",
+              chunkNum: 0,
+              language: "",
+              nickname: "",
+              parserId: "",
+              permission: indexInfo.permission || "",
+              tokenNum: 0,
+              source: "datamate",
+              tenant_id: indexInfo.tenant_id,
+            };
+          });
+        }
+      } else if (toolType === "dify_search") {
+        // For Dify, fetch knowledge bases using provided config
+        if (difyConfig?.serverUrl && difyConfig?.apiKey) {
+          try {
+            kbs = await knowledgeBaseService.getDifyKnowledgeBases(
+              difyConfig.serverUrl,
+              difyConfig.apiKey
+            );
+          } catch (error) {
+            log.error("Failed to fetch Dify knowledge bases:", error);
+            kbs = [];
+          }
+        } else {
+          // No Dify config provided, return empty
+          kbs = [];
+        }
+      } else {
+        // Default: knowledge_base_search or unknown - only get Nexent knowledge bases
+        const result = await knowledgeBaseService.getKnowledgeBasesInfo(false, false);
+        kbs = result.knowledgeBases;
+      }
+
+      // Sort by updatedAt descending
+      return kbs.sort((a, b) => {
+        const dateA = a.updatedAt ? new Date(a.updatedAt).getTime() : 0;
+        const dateB = b.updatedAt ? new Date(b.updatedAt).getTime() : 0;
+        return dateB - dateA;
+      });
+    },
+    enabled: !!toolType,
+    staleTime: 30_000, // Cache for 30 seconds to reduce API calls
+    gcTime: 5 * 60_000, // Keep in cache for 5 minutes
+    refetchOnMount: false, // Only refetch if data is stale
+    refetchOnWindowFocus: false, // Don't refetch on window focus
+  });
+
+  return query;
+}
+
+/**
+ * Prefetch knowledge bases for a specific tool type
+ * Call this when the user navigates to the agent config page
+ */
+export function usePrefetchKnowledgeBases() {
+  const queryClient = useQueryClient();
+
+  const prefetchKnowledgeBases = useCallback(
+    async (
+      toolType:
+        | "knowledge_base_search"
+        | "dify_search"
+        | "datamate_search"
+        | null,
+      difyConfig?: {
+        serverUrl?: string;
+        apiKey?: string;
+      }
+    ) => {
+      if (!toolType) return;
+
+      await queryClient.prefetchQuery({
+        queryKey: knowledgeBaseKeys.list(
+          toolType,
+          difyConfig?.serverUrl || ""
+        ),
+        queryFn: async () => {
+          let kbs: KnowledgeBase[] = [];
+
+          if (toolType === "datamate_search") {
+            const syncResult =
+              await knowledgeBaseService.syncDataMateAndCreateRecords();
+            if (syncResult.indices_info) {
+              kbs = syncResult.indices_info.map((indexInfo: any) => {
+                const stats = indexInfo.stats?.base_info || {};
+                return {
+                  id: indexInfo.name,
+                  name: indexInfo.display_name || indexInfo.name,
+                  display_name: indexInfo.display_name || indexInfo.name,
+                  description: "DataMate knowledge base",
+                  documentCount: stats.doc_count || 0,
+                  chunkCount: stats.chunk_count || 0,
+                  createdAt: stats.creation_date || null,
+                  updatedAt: stats.update_date || stats.creation_date || null,
+                  embeddingModel: stats.embedding_model || "unknown",
+                  knowledge_sources: indexInfo.knowledge_sources || "datamate",
+                  ingroup_permission: indexInfo.ingroup_permission || "",
+                  group_ids: indexInfo.group_ids || [],
+                  store_size: stats.store_size || "",
+                  process_source: stats.process_source || "",
+                  avatar: "",
+                  chunkNum: 0,
+                  language: "",
+                  nickname: "",
+                  parserId: "",
+                  permission: indexInfo.permission || "",
+                  tokenNum: 0,
+                  source: "datamate",
+                  tenant_id: indexInfo.tenant_id,
+                };
+              });
+            }
+          } else if (toolType === "dify_search") {
+            if (difyConfig?.serverUrl && difyConfig?.apiKey) {
+              try {
+                kbs = await knowledgeBaseService.getDifyKnowledgeBases(
+                  difyConfig.serverUrl,
+                  difyConfig.apiKey
+                );
+              } catch (error) {
+                log.error("Failed to prefetch Dify knowledge bases:", error);
+                kbs = [];
+              }
+            } else {
+              kbs = [];
+            }
+          } else {
+            const result = await knowledgeBaseService.getKnowledgeBasesInfo(false, false);
+            kbs = result.knowledgeBases;
+          }
+
+          return kbs.sort((a, b) => {
+            const dateA = a.updatedAt ? new Date(a.updatedAt).getTime() : 0;
+            const dateB = b.updatedAt ? new Date(b.updatedAt).getTime() : 0;
+            return dateB - dateA;
+          });
+        },
+        staleTime: 30_000,
+      });
+    },
+    [queryClient]
+  );
+
+  return { prefetchKnowledgeBases };
+}
+
+/**
+ * Hook for syncing knowledge bases by tool type
+ */
+export function useSyncKnowledgeBases() {
+  const [isSyncing, setIsSyncing] = useState<string | null>(null);
+
+  const syncKnowledgeBases = useCallback(
+    async (
+      toolType: string,
+      config?: {
+        serverUrl?: string;
+        apiKey?: string;
+      }
+    ): Promise<void> => {
+      setIsSyncing(toolType);
+      try {
+        switch (toolType) {
+          case "knowledge_base_search":
+            // Sync only Nexent knowledge bases (exclude DataMate)
+            await knowledgeBaseService.getKnowledgeBasesInfo(false, false);
+            break;
+          case "datamate_search":
+            // Sync only DataMate knowledge bases with optional URL from config
+            await knowledgeBaseService.syncDataMateAndCreateRecords(
+              config?.serverUrl
+            );
+            break;
+          case "dify_search":
+            // Dify sync requires API credentials
+            if (config?.serverUrl && config?.apiKey) {
+              await knowledgeBaseService.getDifyKnowledgeBases(
+                config.serverUrl,
+                config.apiKey
+              );
+            }
+            break;
+          default:
+            // Default sync behavior - sync Nexent only
+            await knowledgeBaseService.getKnowledgeBasesInfo(false, false);
+        }
+      } finally {
+        setIsSyncing(null);
+      }
+    },
+    []
+  );
+
+  return {
+    syncKnowledgeBases,
+    isSyncing,
+  };
+}
+
+/**
+ * Hook for managing knowledge base selection in tool configuration
+ */
+export function useKnowledgeBaseSelection(initialSelectedIds: string[] = []) {
+  const [selectedIds, setSelectedIds] = useState<string[]>(initialSelectedIds);
+  const [selectedKnowledgeBases, setSelectedKnowledgeBases] = useState<
+    KnowledgeBase[]
+  >([]);
+
+  // Update selected knowledge bases when IDs change
+  const updateSelectedKnowledgeBases = useCallback((kbs: KnowledgeBase[]) => {
+    setSelectedKnowledgeBases(kbs);
+  }, []);
+
+  // Select a knowledge base by ID
+  const selectKnowledgeBase = useCallback((id: string) => {
+    setSelectedIds((prev) => {
+      if (prev.includes(id)) {
+        return prev;
+      }
+      return [...prev, id];
+    });
+  }, []);
+
+  // Deselect a knowledge base by ID
+  const deselectKnowledgeBase = useCallback((id: string) => {
+    setSelectedIds((prev) => prev.filter((itemId) => itemId !== id));
+  }, []);
+
+  // Toggle selection of a knowledge base
+  const toggleKnowledgeBase = useCallback((id: string) => {
+    setSelectedIds((prev) => {
+      if (prev.includes(id)) {
+        return prev.filter((itemId) => itemId !== id);
+      }
+      return [...prev, id];
+    });
+  }, []);
+
+  // Clear all selections
+  const clearSelection = useCallback(() => {
+    setSelectedIds([]);
+    setSelectedKnowledgeBases([]);
+  }, []);
+
+  // Set selected IDs (e.g., from initial value)
+  const setSelection = useCallback((ids: string[]) => {
+    setSelectedIds(ids);
+  }, []);
+
+  return {
+    selectedIds,
+    selectedKnowledgeBases,
+    setSelectedIds: setSelection,
+    updateSelectedKnowledgeBases,
+    selectKnowledgeBase,
+    deselectKnowledgeBase,
+    toggleKnowledgeBase,
+    clearSelection,
+    hasSelection: selectedIds.length > 0,
+    selectionCount: selectedIds.length,
+  };
+}
diff --git a/frontend/hooks/useMcpConfig.ts b/frontend/hooks/useMcpConfig.ts
index 8aaeb8b9d..4bdd199a4 100644
--- a/frontend/hooks/useMcpConfig.ts
+++ b/frontend/hooks/useMcpConfig.ts
@@ -21,6 +21,7 @@ import { useMcpContainerList } from "@/hooks/mcp/useMcpContainerList";
 
 export interface UseMcpConfigOptions {
   enabled?: boolean;
+  tenantId?: string | null;
   onServerAdded?: () => void;
   onServerDeleted?: () => void;
   onServerUpdated?: () => void;
@@ -61,14 +62,14 @@ export function useMcpConfig(options: UseMcpConfigOptions = {}) {
     isLoading: loadingServers,
     refetch: refetchMcpServers,
     invalidate: invalidateMcpServers,
-  } = useMcpServerList({ enabled: options.enabled ?? true, staleTime: 60_000 });
+  } = useMcpServerList({ enabled: options.enabled ?? true, staleTime: 60_000, tenantId: options.tenantId });
 
   const {
     containerList,
     isLoading: loadingContainers,
     refetch: refetchMcpContainers,
     invalidate: invalidateMcpContainers,
-  } = useMcpContainerList({ enabled: options.enabled ?? true, staleTime: 60_000 });
+  } = useMcpContainerList({ enabled: options.enabled ?? true, staleTime: 60_000, tenantId: options.tenantId });
 
   const loading = loadingServers || loadingContainers;
 
@@ -117,7 +118,7 @@ export function useMcpConfig(options: UseMcpConfigOptions = {}) {
   // Add MCP server
   const handleAddServer = useCallback(async (url: string, name: string) => {
     try {
-      const result = await addMcpServer(url, name);
+      const result = await addMcpServer(url, name, options.tenantId);
       if (result.success) {
         invalidateMcpServers();
         await refreshToolsAndAgents();
@@ -135,7 +136,7 @@ export function useMcpConfig(options: UseMcpConfigOptions = {}) {
   // Delete MCP server
   const handleDeleteServer = useCallback(async (server: McpServer) => {
     try {
-      const result = await deleteMcpServer(server.mcp_url, server.service_name);
+      const result = await deleteMcpServer(server.mcp_url, server.service_name, options.tenantId);
       if (result.success) {
         invalidateMcpServers();
         refreshToolsAndAgents().catch(e => log.error("Refresh failed:", e));
@@ -170,7 +171,7 @@ export function useMcpConfig(options: UseMcpConfigOptions = {}) {
     const key = `${server.service_name}__${server.mcp_url}`;
     setHealthCheckLoading(prev => ({ ...prev, [key]: true }));
     try {
-      const result = await checkMcpServerHealth(server.mcp_url, server.service_name);
+      const result = await checkMcpServerHealth(server.mcp_url, server.service_name, options.tenantId);
       invalidateMcpServers();
       invalidateMcpContainers();
       await refreshToolsAndAgents();
@@ -188,7 +189,7 @@ export function useMcpConfig(options: UseMcpConfigOptions = {}) {
     } finally {
       setHealthCheckLoading(prev => ({ ...prev, [key]: false }));
     }
-  }, [invalidateMcpServers, invalidateMcpContainers, refreshToolsAndAgents]);
+  }, [invalidateMcpServers, invalidateMcpContainers, refreshToolsAndAgents, options.tenantId]);
 
   // Update MCP server
   const handleUpdateServer = useCallback(async (
@@ -198,10 +199,10 @@ export function useMcpConfig(options: UseMcpConfigOptions = {}) {
     newUrl: string
   ) => {
     try {
-      const result = await updateMcpServer(oldName, oldUrl, newName, newUrl);
+      const result = await updateMcpServer(oldName, oldUrl, newName, newUrl, options.tenantId);
       if (result.success) {
         // Best-effort optimistic status update for UI responsiveness
-        queryClient.setQueryData(MCP_SERVERS_QUERY_KEY, (prev: any) => {
+        queryClient.setQueryData([...MCP_SERVERS_QUERY_KEY, options.tenantId], (prev: any) => {
           if (!prev?.data) return prev;
           return {
             ...prev,
@@ -221,7 +222,7 @@ export function useMcpConfig(options: UseMcpConfigOptions = {}) {
       log.error("Failed to update server:", error);
       return { success: false, message: "Failed to update server", messageKey: "mcpService.message.updateServerFailed" };
     }
-  }, [invalidateMcpServers, refreshToolsAndAgents, queryClient, options, MCP_SERVERS_QUERY_KEY]);
+  }, [invalidateMcpServers, refreshToolsAndAgents, queryClient, options]);
 
   // Add container
   const handleAddContainer = useCallback(async (config: any, port: number) => {
@@ -244,7 +245,7 @@ export function useMcpConfig(options: UseMcpConfigOptions = {}) {
     }, 3000);
 
     try {
-      const result = await addMcpFromConfig(configWithPorts as any);
+      const result = await addMcpFromConfig(configWithPorts as any, options.tenantId);
       if (result.success) {
         invalidateMcpContainers();
         invalidateMcpServers();
@@ -267,7 +268,7 @@ export function useMcpConfig(options: UseMcpConfigOptions = {}) {
     serviceName?: string
   ) => {
     try {
-      const result = await uploadMcpImage(file, port, serviceName);
+      const result = await uploadMcpImage(file, port, serviceName, undefined, options.tenantId);
       if (result.success) {
         invalidateMcpContainers();
         invalidateMcpServers();
@@ -280,12 +281,12 @@ export function useMcpConfig(options: UseMcpConfigOptions = {}) {
       log.error("Failed to upload image:", error);
       return { success: false, message: "Failed to upload image", messageKey: "mcpConfig.message.uploadImageFailed" };
     }
-  }, [invalidateMcpContainers, invalidateMcpServers, refreshToolsAndAgents]);
+  }, [invalidateMcpContainers, invalidateMcpServers, refreshToolsAndAgents, options.tenantId]);
 
   // Delete container
   const handleDeleteContainer = useCallback(async (container: McpContainer) => {
     try {
-      const result = await deleteMcpContainer(container.container_id);
+      const result = await deleteMcpContainer(container.container_id, options.tenantId);
       if (result.success) {
         invalidateMcpContainers();
         invalidateMcpServers();
@@ -304,7 +305,7 @@ export function useMcpConfig(options: UseMcpConfigOptions = {}) {
   // View container logs
   const handleViewLogs = useCallback(async (containerId: string, maxLines: number = 500) => {
     try {
-      const result = await getMcpContainerLogs(containerId, maxLines);
+      const result = await getMcpContainerLogs(containerId, maxLines, options.tenantId);
       if (result.success) {
         return { success: true, data: result.data };
       } else {
@@ -314,7 +315,7 @@ export function useMcpConfig(options: UseMcpConfigOptions = {}) {
       log.error("Failed to get logs:", error);
       return { success: false, data: "Failed to get logs", messageKey: "mcpConfig.message.getContainerLogsFailed" };
     }
-  }, []);
+  }, [options.tenantId]);
 
   return {
     // State
diff --git a/frontend/hooks/useSetupFlow.ts b/frontend/hooks/useSetupFlow.ts
index 3a03d7582..82e1e741f 100644
--- a/frontend/hooks/useSetupFlow.ts
+++ b/frontend/hooks/useSetupFlow.ts
@@ -1,26 +1,11 @@
-import {useState, useEffect, useRef} from "react";
 import {useRouter} from "next/navigation";
 import {useTranslation} from "react-i18next";
 
-import {useAuth} from "@/hooks/useAuth";
-import {
-  USER_ROLES,
-} from "@/const/modelConfig";
-import {EVENTS} from "@/const/auth";
-
 interface UseSetupFlowOptions {
-  /** Whether admin role is required to access this page */
-  requireAdmin?: boolean;
-  /** Redirect path for non-admin users */
-  nonAdminRedirect?: string;
+  // Options reserved for future use
 }
 
 interface UseSetupFlowReturn {
-  // Auth related
-  user: any;
-  isLoading: boolean;
-  isSpeedMode: boolean;
-  canAccessProtectedData: boolean;
 
   // Animation config
   pageVariants: {
@@ -33,7 +18,7 @@ interface UseSetupFlowReturn {
     ease: "anticipate";
     duration: number;
   };
-  
+
   // Utilities
   router: ReturnType<typeof useRouter>;
   t: ReturnType<typeof useTranslation>["t"];
@@ -41,70 +26,21 @@ interface UseSetupFlowReturn {
 
 /**
  * useSetupFlow - Custom hook for setup flow pages
- * 
+ *
  * Provides common functionality for setup pages including:
- * - Authentication and permission checks
- * - Session expiration handling
  * - Page transition animations
- * 
+ * - Common utilities (router, translation, user info)
+ *
+ * Note: Authentication and authorization are handled by the global
+ * useAuthentication and useAuthorization hooks via route guards.
+ *
  * @param options - Configuration options
  * @returns Setup flow utilities and state
  */
 export function useSetupFlow(options: UseSetupFlowOptions = {}): UseSetupFlowReturn {
-  const {
-    requireAdmin = false,
-    nonAdminRedirect = "/setup/knowledges",
-  } = options;
 
   const router = useRouter();
   const {t} = useTranslation();
-  const {user, isLoading: userLoading, isSpeedMode} = useAuth();
-  const sessionExpiredTriggeredRef = useRef(false);
-
-  // Calculate if user can access protected data
-  const canAccessProtectedData = isSpeedMode || (!userLoading && !!user);
-
-
-
-  // Check login status and handle session expiration
-  useEffect(() => {
-    if (isSpeedMode) {
-      sessionExpiredTriggeredRef.current = false;
-      return;
-    }
-
-    if (user) {
-      sessionExpiredTriggeredRef.current = false;
-      return;
-    }
-
-    // Trigger session expired event if user is not logged in
-    if (!userLoading && !sessionExpiredTriggeredRef.current) {
-      sessionExpiredTriggeredRef.current = true;
-      window.dispatchEvent(
-        new CustomEvent(EVENTS.SESSION_EXPIRED, {
-          detail: {message: "Session expired, please sign in again"},
-        })
-      );
-    }
-  }, [isSpeedMode, user, userLoading]);
-
-  // Check admin permission if required
-  useEffect(() => {
-    if (!requireAdmin) return;
-    
-    // Only check after user is loaded
-    if (userLoading) return;
-
-    // Speed mode always has access
-    if (isSpeedMode) return;
-
-    // Check if user has admin role
-    if (user && user.role !== USER_ROLES.ADMIN) {
-      router.push(nonAdminRedirect);
-    }
-  }, [requireAdmin, isSpeedMode, user, userLoading, router, nonAdminRedirect]);
-
 
   // Animation variants for smooth page transitions
   const pageVariants = {
@@ -129,12 +65,6 @@ export function useSetupFlow(options: UseSetupFlowOptions = {}): UseSetupFlowRet
   };
 
   return {
-    // Auth
-    user,
-    isLoading: userLoading,
-    isSpeedMode,
-    canAccessProtectedData,
-
     // Animation
     pageVariants,
     pageTransition,
diff --git a/frontend/lib/agentNewUtils.ts b/frontend/lib/agentNewUtils.ts
deleted file mode 100644
index c49cb273f..000000000
--- a/frontend/lib/agentNewUtils.ts
+++ /dev/null
@@ -1,27 +0,0 @@
-import { clearAgentNewMark } from "@/services/agentConfigService";
-import type { QueryClient } from "@tanstack/react-query";
-
-export async function clearAgentAndSync(agentId: string | number, queryClient: QueryClient) {
-  try {
-    const res = await clearAgentNewMark(agentId);
-    if (res?.success) {
-      // invalidate agents so all components refetch
-      queryClient.invalidateQueries({ queryKey: ["agents"] });
-      // broadcast to other tabs
-      try {
-        const bc = new BroadcastChannel("nexent-agent-updates");
-        bc.postMessage({ type: "agents_updated", agent_id: Number(agentId), timestamp: Date.now() });
-        bc.close();
-      } catch (e) {
-        // BroadcastChannel may not be available in all envs; ignore errors
-      }
-      return { success: true, data: res.data };
-    } else {
-      return { success: false, data: res?.data, message: res?.message || "Failed to clear NEW mark" };
-    }
-  } catch (error) {
-    return { success: false, error };
-  }
-}
-
-
diff --git a/frontend/lib/auth.ts b/frontend/lib/auth.ts
index 6510f8ebd..6f19f1499 100644
--- a/frontend/lib/auth.ts
+++ b/frontend/lib/auth.ts
@@ -2,21 +2,35 @@
  * Authentication utilities
  */
 
-import { fetchWithErrorHandling, ApiError } from "@/services/api";
-import { STORAGE_KEYS, STATUS_CODES } from "@/const/auth";
-import { Session } from "@/types/auth";
+import { ApiError, fetchWithErrorHandling } from "@/services/api";
+import { STORAGE_KEYS } from "@/const/auth";
 import { generateAvatarUrl as generateAvatar } from "@/lib/avatar";
-import log from "@/lib/logger";
+import { USER_ROLES } from "@/const/auth";
+import { STATUS_CODES } from "@/const/auth";
+import {
+  checkSessionValid,
+  getSessionFromStorage,
+  handleSessionExpired,
+} from "@/lib/session";
 
-// Get color corresponding to user role
+/**
+ * Role color mapping - Ant Design color presets
+ */
+const ROLE_COLORS: Record<string, string> = {
+  [USER_ROLES.SU]: "red",
+  [USER_ROLES.ADMIN]: "purple",
+  [USER_ROLES.DEV]: "cyan",
+  [USER_ROLES.USER]: "geekblue",
+  [USER_ROLES.SPEED]: "green",
+};
+
+/**
+ * Get color corresponding to user role
+ * @param role - User role string
+ * @returns Ant Design color preset name
+ */
 export function getRoleColor(role: string): string {
-  switch (role) {
-    case "admin":
-      return "purple"
-    case "user":
-    default:
-      return "geekblue"
-  }
+  return ROLE_COLORS[role] || ROLE_COLORS[USER_ROLES.USER];
 }
 
 // Generate avatar based on email (re-export from avatar.tsx for backward compatibility)
@@ -26,37 +40,30 @@ export function generateAvatarUrl(email: string): string {
 
 /**
  * Request with authorization headers
- * Checks token expiration before sending request to prevent sending expired tokens
+ * Only builds the request with auth token - no expiration checking
+ * Expiration should be handled when backend returns 401
  */
 export const fetchWithAuth = async (url: string, options: RequestInit = {}) => {
-  const session = typeof window !== "undefined" ? localStorage.getItem(STORAGE_KEYS.SESSION) : null;
-  const sessionObj = session ? JSON.parse(session) : null;
-
-  // Check if token is expired before sending request
-  if (sessionObj?.access_token) {
-    const now = Date.now();
-    const expiresAt = sessionObj.expires_at ? sessionObj.expires_at * 1000 : 0;
-    
-    // If token is expired, clear session and throw error
-    if (expiresAt > 0 && expiresAt <= now) {
-      log.warn("Token expired, clearing session before request");
-      removeSessionFromStorage();
-      
-      // Dispatch session expired event
-      if (typeof window !== "undefined" && window.dispatchEvent) {
-        window.dispatchEvent(new CustomEvent('session-expired', {
-          detail: { message: "Login expired, please login again" }
-        }));
-      }
-      
-      throw new ApiError(STATUS_CODES.TOKEN_EXPIRED, "Login expired, please login again");
+  // Frontend pre-check: detect session expiry without hitting backend
+  if (typeof window !== "undefined") {
+    const session = getSessionFromStorage();
+    if (session && !checkSessionValid()) {
+      handleSessionExpired();
+      throw new ApiError(
+        STATUS_CODES.TOKEN_EXPIRED,
+        "Login expired, please login again"
+      );
     }
   }
 
+  const sessionObj = getSessionFromStorage();
+
   const isFormData = options.body instanceof FormData;
   const headers = {
     ...(isFormData ? {} : { "Content-Type": "application/json" }),
-    ...(sessionObj?.access_token && { "Authorization": `Bearer ${sessionObj.access_token}` }),
+    ...(sessionObj?.access_token && {
+      Authorization: `Bearer ${sessionObj.access_token}`,
+    }),
     ...options.headers,
   };
 
@@ -67,50 +74,31 @@ export const fetchWithAuth = async (url: string, options: RequestInit = {}) => {
   });
 };
 
-/**
- * Save session to local storage
- */
-export const saveSessionToStorage = (session: Session) => {
-  if (typeof window !== "undefined") {
-    localStorage.setItem(STORAGE_KEYS.SESSION, JSON.stringify(session));
-  }
-};
-
-/**
- * Remove session from local storage
- */
-export const removeSessionFromStorage = () => {
-  if (typeof window !== "undefined") {
-    localStorage.removeItem(STORAGE_KEYS.SESSION);
-  }
-};
-
-/**
- * Get session from local storage
- */
-export const getSessionFromStorage = (): Session | null => {
-  try {
-    const storedSession = typeof window !== "undefined" ? localStorage.getItem(STORAGE_KEYS.SESSION) : null;
-    if (!storedSession) return null;
-
-    return JSON.parse(storedSession);
-  } catch (error) {
-    log.error("Failed to parse session info:", error);
-    return null;
-  }
-};
-
 /**
  * Get the authorization header information for API requests
  * @returns HTTP headers object containing authentication and content type information
  */
 export const getAuthHeaders = () => {
-  const session = typeof window !== "undefined" ? localStorage.getItem("session") : null;
+  const session =
+    typeof window !== "undefined" ? localStorage.getItem("session") : null;
   const sessionObj = session ? JSON.parse(session) : null;
 
   return {
-    'Content-Type': 'application/json',
-    'User-Agent': 'AgentFrontEnd/1.0',
-    ...(sessionObj?.access_token && { "Authorization": `Bearer ${sessionObj.access_token}` }),
+    "Content-Type": "application/json",
+    "User-Agent": "AgentFrontEnd/1.0",
+    ...(sessionObj?.access_token && {
+      Authorization: `Bearer ${sessionObj.access_token}`,
+    }),
   };
-};
\ No newline at end of file
+};
+
+/**
+ * Remove locale prefix from pathname to get effective route
+ */
+export function getEffectiveRoutePath(pathname: string): string {
+  const segments = pathname.split("/").filter(Boolean);
+  if (segments.length > 0 && (segments[0] === "zh" || segments[0] === "en")) {
+    segments.shift();
+  }
+  return "/" + (segments.join("/") || "");
+}
\ No newline at end of file
diff --git a/frontend/lib/authEvents.ts b/frontend/lib/authEvents.ts
new file mode 100644
index 000000000..f886630c2
--- /dev/null
+++ b/frontend/lib/authEvents.ts
@@ -0,0 +1,83 @@
+/**
+ * Authentication and Authorization Event System
+ * Provides type-safe event communication between authentication and authorization modules
+ */
+
+import log from "@/lib/logger";
+import { AUTH_EVENTS, AUTHZ_EVENTS } from "@/const/auth";
+
+// Event emitter for authentication events
+class AuthEventEmitter {
+  emit<K extends keyof import("@/types/auth").AuthEvents>(
+    event: K,
+    data?: import("@/types/auth").AuthEvents[K]
+  ) {
+    log.debug(`Auth event emitted: ${event}`, data);
+    window.dispatchEvent(new CustomEvent(event, { detail: data }));
+  }
+
+  on<K extends keyof import("@/types/auth").AuthEvents>(
+    event: K,
+    handler: (data?: import("@/types/auth").AuthEvents[K]) => void
+  ) {
+    const listener = (e: CustomEvent) => handler(e.detail);
+    window.addEventListener(event, listener as EventListener);
+
+    // Return cleanup function
+    return () => {
+      window.removeEventListener(event, listener as EventListener);
+    };
+  }
+}
+
+// Event emitter for authorization events
+class AuthzEventEmitter {
+  emit<K extends keyof import("@/types/auth").AuthzEvents>(
+    event: K,
+    data?: import("@/types/auth").AuthzEvents[K]
+  ) {
+    log.debug(`Authz event emitted: ${event}`, data);
+    window.dispatchEvent(new CustomEvent(event, { detail: data }));
+  }
+
+  on<K extends keyof import("@/types/auth").AuthzEvents>(
+    event: K,
+    handler: (data?: import("@/types/auth").AuthzEvents[K]) => void
+  ) {
+    const listener = (e: CustomEvent) => handler(e.detail);
+    window.addEventListener(event, listener as EventListener);
+
+    // Return cleanup function
+    return () => {
+      window.removeEventListener(event, listener as EventListener);
+    };
+  }
+}
+
+// Global instances
+export const authEvents = new AuthEventEmitter();
+export const authzEvents = new AuthzEventEmitter();
+
+// Utility functions for common auth events
+export const authEventUtils = {
+  emitLoginSuccess: () => authEvents.emit(AUTH_EVENTS.LOGIN_SUCCESS),
+  emitRegisterSuccess: () => authEvents.emit(AUTH_EVENTS.REGISTER_SUCCESS),
+  emitLogout: () => authEvents.emit(AUTH_EVENTS.LOGOUT),
+  emitSessionExpired: () => authEvents.emit(AUTH_EVENTS.SESSION_EXPIRED),
+  emitTokenRefreshed: () => authEvents.emit(AUTH_EVENTS.TOKEN_REFRESHED),
+  emitServiceUnavailable: () =>
+    authEvents.emit(AUTH_EVENTS.SERVICE_UNAVAILABLE),
+  emitBackToHome: () =>
+    authEvents.emit(AUTH_EVENTS.BACK_TO_HOME),
+};
+
+export const authzEventUtils = {
+  emitPermissionsReady: (
+    userData: import("@/types/auth").User & {
+      permissions: string[];
+      accessibleRoutes: string[];
+    }
+  ) => authzEvents.emit(AUTHZ_EVENTS.PERMISSIONS_READY, userData),
+  emitPermissionsUpdated: () =>
+    authzEvents.emit(AUTHZ_EVENTS.PERMISSIONS_UPDATED),
+};
diff --git a/frontend/lib/date.ts b/frontend/lib/date.ts
new file mode 100644
index 000000000..77c889cf4
--- /dev/null
+++ b/frontend/lib/date.ts
@@ -0,0 +1,21 @@
+/**
+ * Format a date string or Date object to YYYY-MM-DD format
+ * @param date - Date string (ISO format or other formats) or Date object
+ * @returns Formatted date string in YYYY-MM-DD format, or undefined if input is invalid
+ */
+export function formatDate(date: string | Date | null | undefined): string | undefined {
+  if (!date) {
+    return undefined;
+  }
+
+  const dateObj = new Date(date);
+  if (isNaN(dateObj.getTime())) {
+    return undefined;
+  }
+
+  const year = dateObj.getFullYear();
+  const month = String(dateObj.getMonth() + 1).padStart(2, "0");
+  const day = String(dateObj.getDate()).padStart(2, "0");
+
+  return `${year}-${month}-${day}`;
+}
diff --git a/frontend/lib/providerError.ts b/frontend/lib/providerError.ts
new file mode 100644
index 000000000..a9eb6e806
--- /dev/null
+++ b/frontend/lib/providerError.ts
@@ -0,0 +1,237 @@
+/**
+ * Provider Error Utility
+ *
+ * Centralized error handling and translation for model providers.
+ * Provides consistent error messages across different providers (ModelEngine, SiliconFlow, etc.)
+ */
+
+import type { TFunction } from "i18next";
+
+/**
+ * Error types returned by provider APIs
+ */
+export type ProviderErrorType =
+  | "no_models"
+  | "connection_failed"
+  | "authentication_failed"
+  | "access_denied"
+  | "endpoint_not_found"
+  | "server_error"
+  | "timeout"
+  | "ssl_error"
+  | "unknown";
+
+/**
+ * Provider error information
+ */
+export interface ProviderError {
+  type: ProviderErrorType;
+  message: string;
+  provider?: string;
+  httpCode?: number;
+}
+
+/**
+ * Provider display names (for error messages)
+ */
+export const PROVIDER_DISPLAY_NAMES: Record<string, string> = {
+  modelengine: "ModelEngine",
+  silicon: "SiliconFlow",
+  openai: "OpenAI",
+  default: "Provider",
+};
+
+/**
+ * Detect error type from error response or message
+ */
+export function detectProviderError(errorResponse: unknown): ProviderErrorType {
+  if (!errorResponse || typeof errorResponse !== "object") {
+    return "unknown";
+  }
+
+  const error = errorResponse as Record<string, unknown>;
+  const errorCode = error._error as string;
+  const errorMessage = ((error._message as string) || "").toLowerCase();
+  const httpCode = error.httpCode as number;
+
+  // Check error code first
+  if (errorCode) {
+    switch (errorCode) {
+      case "authentication_failed":
+        return "authentication_failed";
+      case "access_forbidden":
+        return "access_denied";
+      case "endpoint_not_found":
+        return "endpoint_not_found";
+      case "server_error":
+        return "server_error";
+      case "connection_failed":
+        return "connection_failed";
+      case "timeout":
+        return "timeout";
+      case "ssl_error":
+        return "ssl_error";
+    }
+  }
+
+  // Check HTTP status code
+  if (httpCode) {
+    if (httpCode === 401) {
+      return "authentication_failed";
+    } else if (httpCode === 403) {
+      return "access_denied";
+    } else if (httpCode === 404) {
+      return "endpoint_not_found";
+    } else if (httpCode >= 500) {
+      return "server_error";
+    } else if (httpCode >= 400) {
+      return "connection_failed";
+    }
+  }
+
+  // Check error message patterns
+  if (
+    errorMessage.includes("authentication") ||
+    errorMessage.includes("invalid api key") ||
+    errorMessage.includes("unauthorized")
+  ) {
+    return "authentication_failed";
+  }
+
+  if (
+    errorMessage.includes("access denied") ||
+    errorMessage.includes("forbidden") ||
+    errorMessage.includes("permission")
+  ) {
+    return "access_denied";
+  }
+
+  if (
+    errorMessage.includes("endpoint") ||
+    errorMessage.includes("not found") ||
+    errorMessage.includes("404")
+  ) {
+    return "endpoint_not_found";
+  }
+
+  if (errorMessage.includes("timeout") || errorMessage.includes("timed out")) {
+    return "timeout";
+  }
+
+  if (errorMessage.includes("ssl") || errorMessage.includes("certificate")) {
+    return "ssl_error";
+  }
+
+  if (
+    errorMessage.includes("server error") ||
+    errorMessage.includes("http 5")
+  ) {
+    return "server_error";
+  }
+
+  if (
+    errorMessage.includes("connection") ||
+    errorMessage.includes("network") ||
+    errorMessage.includes("failed to connect")
+  ) {
+    return "connection_failed";
+  }
+
+  return "unknown";
+}
+
+/**
+ * Translate provider error to user-friendly message
+ */
+export function translateProviderError(
+  error: ProviderError,
+  provider: string,
+  t: TFunction
+): string {
+  const displayName =
+    PROVIDER_DISPLAY_NAMES[provider.toLowerCase()] ||
+    PROVIDER_DISPLAY_NAMES.default;
+
+  switch (error.type) {
+    case "no_models":
+      return t("model.dialog.error.provider.noModels", {
+        provider: displayName,
+      });
+
+    case "authentication_failed":
+      return t("model.dialog.error.provider.authenticationFailed", {
+        provider: displayName,
+      });
+
+    case "access_denied":
+      return t("model.dialog.error.provider.accessDenied");
+
+    case "endpoint_not_found":
+      return t("model.dialog.error.provider.endpointNotFound");
+
+    case "server_error":
+      return t("model.dialog.error.provider.serverError", {
+        provider: displayName,
+        code: error.httpCode || 500,
+      });
+
+    case "timeout":
+      return t("model.dialog.error.provider.timeout");
+
+    case "ssl_error":
+      return t("model.dialog.error.provider.sslError");
+
+    case "connection_failed":
+      return t("model.dialog.error.provider.connectionFailed", {
+        provider: displayName,
+      });
+
+    case "unknown":
+    default:
+      // Use the original message if available, otherwise use generic connection failed
+      if (error.message) {
+        return error.message;
+      }
+      return t("model.dialog.error.provider.connectionFailed", {
+        provider: displayName,
+      });
+  }
+}
+
+/**
+ * Process provider API response and return user-friendly error if applicable
+ */
+export function processProviderResponse<T extends Record<string, unknown>>(
+  response: T[],
+  provider: string,
+  t: TFunction
+): { models: T[]; error?: string } {
+  // Check if response contains error indicator
+  if (response && response.length > 0 && response[0]._error) {
+    const errorType = detectProviderError(response[0]);
+    const error: ProviderError = {
+      type: errorType,
+      message: response[0]._message as string,
+      provider,
+      httpCode: response[0].httpCode as number,
+    };
+    return {
+      models: [],
+      error: translateProviderError(error, provider, t),
+    };
+  }
+
+  // Check for empty response (successful call but no models)
+  if (!response || response.length === 0) {
+    return {
+      models: [],
+      error: translateProviderError(
+        { type: "no_models", message: "" },
+        provider,
+        t
+      ),
+    };
+  }
+
+  return { models: response };
+}
diff --git a/frontend/lib/session.ts b/frontend/lib/session.ts
new file mode 100644
index 000000000..fe27bc4ea
--- /dev/null
+++ b/frontend/lib/session.ts
@@ -0,0 +1,94 @@
+/**
+ * Session utilities
+ * Pure functions for session management - no React dependencies
+ */
+
+import { STORAGE_KEYS } from "@/const/auth";
+import { Session } from "@/types/auth";
+import { authEventUtils } from "@/lib/authEvents";
+import log from "@/lib/logger";
+
+// Flag to prevent duplicate session expiration handling
+let isHandlingSessionExpired = false;
+
+/**
+ * Save session to local storage
+ */
+export const saveSessionToStorage = (session: Session): void => {
+  if (typeof window !== "undefined") {
+    localStorage.setItem(STORAGE_KEYS.SESSION, JSON.stringify(session));
+  }
+};
+
+/**
+ * Remove session from local storage
+ */
+export const removeSessionFromStorage = (): void => {
+  if (typeof window !== "undefined") {
+    localStorage.removeItem(STORAGE_KEYS.SESSION);
+  }
+};
+
+/**
+ * Get session from local storage
+ */
+export const getSessionFromStorage = (): Session | null => {
+  try {
+    const storedSession =
+      typeof window !== "undefined"
+        ? localStorage.getItem(STORAGE_KEYS.SESSION)
+        : null;
+    if (!storedSession) return null;
+
+    return JSON.parse(storedSession);
+  } catch (error) {
+    log.error("Failed to parse session info:", error);
+    return null;
+  }
+};
+
+/**
+ * Check if session is valid (exists and not expired)
+ */
+export const checkSessionValid = (): boolean => {
+  const session = getSessionFromStorage();
+  if (!session?.access_token || !session?.expires_at) {
+    return false;
+  }
+
+  const now = Date.now();
+  return session.expires_at * 1000 > now;
+};
+
+/**
+ * Check if session has expired
+ */
+export const checkSessionExpired = (): boolean => {
+  return !checkSessionValid();
+};
+
+/**
+ * Clear session and emit expired event
+ * Unified handling for session expiration with duplicate prevention
+ */
+export const handleSessionExpired = (): void => {
+  // Prevent duplicate triggers
+  if (isHandlingSessionExpired) {
+    return;
+  }
+  isHandlingSessionExpired = true;
+
+  log.info("Session expired, clearing and emitting event");
+  removeSessionFromStorage();
+
+  // Emit event asynchronously to ensure isAuthenticated state has been updated
+  // This fixes the closure trap where showSessionExpiredModal captures stale isAuthenticated value
+  setTimeout(() => {
+    authEventUtils.emitSessionExpired();
+  }, 0);
+
+  // Reset flag after 300ms to allow future triggers
+  setTimeout(() => {
+    isHandlingSessionExpired = false;
+  }, 300);
+};
diff --git a/frontend/package.json b/frontend/package.json
index 0a706bdf6..ba8ce8a67 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -25,6 +25,7 @@
     "bootstrap-icons": "^1.11.3",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
+    "dayjs": "^1.11.19",
     "dicebear": "^9.2.2",
     "dotenv": "^16.4.7",
     "framer-motion": "^12.23.6",
diff --git a/frontend/public/locales/en/common.json b/frontend/public/locales/en/common.json
index 8d154e3e9..0c374735e 100644
--- a/frontend/public/locales/en/common.json
+++ b/frontend/public/locales/en/common.json
@@ -164,11 +164,9 @@
     "Full access to enterprise knowledge base",
     "More accurate Q&A experience"
   ],
-  "page.loginPrompt.githubSupport": "⭐️ Nexent is still growing, please help me by starring on <1>GitHub</1>, thank you.",
+  "page.loginPrompt.githubSupport": "Support us on GitHub",
   "page.loginPrompt.noAccount": "Don't have an account yet? Click the \"Register\" button to create your exclusive account~",
-  "page.adminPrompt.title": "Oh, you are not an administrator",
   "page.adminPrompt.close": "OK",
-  "page.adminPrompt.intro": "Only administrators can adjust the configuration, please log in as an administrator first~",
   "page.adminPrompt.unlockHeader": "🌟 Become an administrator and unlock more capabilities!",
   "page.adminPrompt.unlockIntro": "After becoming an administrator, you can:",
   "page.adminPrompt.permissionsTitle": "✨ Administrator exclusive permissions:",
@@ -291,13 +289,16 @@
   "agent.displayName": "Agent Name",
   "agent.displayNamePlaceholder": "Please enter agent name",
   "agent.author": "Author",
-  "agent.authorPlaceholder": "Please enter author name (optional)",
+  "agent.authorPlaceholder": "Please enter author name",
   "agent.author.hint": "Default: {{email}}",
   "agent.description": "Agent Description",
   "agent.descriptionPlaceholder": "Please enter agent description",
   "agent.userGroup": "User Group",
   "agent.userGroup.empty": "No user group",
   "agent.llmModel": "LLM Model",
+  "agent.version": "Version",
+  "agent.version.current": "Current Version",
+  "agent.status.unpublished": "Unpublished",
   "agent.unavailableReasons.duplicate_name": "Duplicate Agent Variable Name",
   "agent.unavailableReasons.duplicate_display_name": "Duplicate Agent Name",
   "agent.unavailableReasons.tool_unavailable": "Tool Unavailable",
@@ -310,8 +311,11 @@
   "agent.error.fetchAgentList": "Failed to get agent list",
   "agent.error.fetchAgentListRetry": "Failed to get agent list, please try again later",
   "agent.debug.title": "Agent Debug",
+  "agent.noEditPermission": "No permission to edit this agent",
+  "mcpConfig.permission.noEdit": "No permission to edit MCP",
   "agent.action.create": "Create Agent",
   "agent.action.modify": "Edit Agent Information",
+  "agent.action.view": "View Agent Information",
   "agent.action.viewCallRelationship": "View Call Relationship",
   "agent.error.nameExists": "Agent var name {{name}} already exists, please modify",
   "agent.error.displayNameExists": "Agent name {{displayName}} already exists, please modify",
@@ -391,6 +395,9 @@
   "toolConfig.input.model.placeholder": "Please select model",
   "toolConfig.input.string.placeholder": "Please enter {{name}}",
   "toolConfig.input.array.placeholder": "Please enter JSON array",
+  "toolConfig.placeholder.selectKb": "Please select knowledge bases",
+  "toolConfig.validation.selectKb": "Please select at least one knowledge base",
+  "toolConfig.validation.required": "This field is required",
   "toolConfig.input.object.placeholder": "Please enter JSON object",
   "toolConfig.toolTest.toolInfo": "Tool Information",
   "toolConfig.toolTest.configParams": "Parameter Configuration",
@@ -402,6 +409,12 @@
   "toolConfig.button.closeTest": "Close Test Tool",
   "toolConfig.toolTest.manualInput": "Manual Input",
   "toolConfig.toolTest.parseMode": "Parse Mode",
+  "toolConfig.button.selectKnowledgeBases": "Select Knowledge Bases",
+  "toolConfig.input.knowledgeBaseSelector.placeholder": "Click to select {{name}}",
+  "toolConfig.knowledgeBaseSelector.title.default": "Select Knowledge Base",
+  "toolConfig.knowledgeBaseSelector.title.local": "Select Nexent Knowledge Base",
+  "toolConfig.knowledgeBaseSelector.title.dify": "Select Dify Knowledge Base",
+  "toolConfig.knowledgeBaseSelector.title.datamate": "Select DataMate Knowledge Base",
   "toolPool.title": "Select tools",
   "toolPool.loading": "Loading...",
   "toolPool.loadingTools": "Loading tools...",
@@ -455,12 +468,21 @@
   "knowledgeBase.error.loadSelectedRetry": "Failed to load selected knowledge bases, please try again later",
   "knowledgeBase.error.saveSelected": "Failed to save selected knowledge bases",
   "knowledgeBase.error.saveSelectedRetry": "Failed to save selected knowledge bases, please try again later",
+  "knowledgeBase.error.invalidUrlProtocol": "URL must start with http:// or https://",
+  "knowledgeBase.error.invalidUrlFormat": "Invalid URL format, please check your input",
+  "knowledgeBase.error.connectionFailed": "Cannot connect to DataMate server",
+  "knowledgeBase.error.syncFailed": "Failed to sync DataMate knowledge bases",
+  "knowledgeBase.message.testingConnection": "Testing connection...",
+  "knowledgeBase.message.testingSync": "Syncing knowledge bases...",
   "knowledgeBase.list.title": "Knowledge Base List",
   "knowledgeBase.button.create": "Create",
   "knowledgeBase.button.sync": "Sync",
   "knowledgeBase.button.syncDataMate": "Sync DataMate Knowledge Bases",
   "knowledgeBase.selected.prefix": "Selected",
   "knowledgeBase.selected.suffix": "knowledge bases for retrieval",
+  "knowledgeBase.selected.count": "{{count}} selected",
+  "knowledgeBase.button.clearSelection": "Clear Selection",
+  "knowledgeBase.button.selectAll": "Select All",
   "knowledgeBase.button.removeKb": "Remove knowledge base {{name}}",
   "knowledgeBase.tag.documents": "{{count}} Documents",
   "knowledgeBase.tag.chunks": "{{count}} Chunks",
@@ -477,6 +499,8 @@
   "knowledgeBase.filter.clear": "Clear filters",
   "knowledgeBase.source.nexent": "Nexent",
   "knowledgeBase.source.datamate": "DataMate",
+  "knowledgeBase.source.dify": "Dify",
+  "knowledgeBase.datamate.editDisabled": "Nexent is unable to upload files to the DataMate knowledge base. Please go to the DataMate page to perform the operation.",
   "knowledgeBase.filter.allSources": "All Sources",
   "knowledgeBase.filter.allModels": "All Models",
   "knowledgeBase.filter.source": "Source",
@@ -488,9 +512,9 @@
   "knowledgeBase.message.deleteSuccess": "Knowledge base deleted successfully",
   "knowledgeBase.message.deleteError": "Failed to delete knowledge base",
   "knowledgeBase.message.syncSuccess": "Knowledge base synchronized successfully",
-  "knowledgeBase.message.syncError": "Failed to synchronize knowledge base: {{error}}",
+  "knowledgeBase.message.syncError": "Failed to synchronize knowledge base",
   "knowledgeBase.message.syncDataMateSuccess": "DataMate knowledge bases synchronized successfully",
-  "knowledgeBase.message.syncDataMateError": "Failed to synchronize DataMate knowledge bases: {{error}}",
+  "knowledgeBase.message.syncDataMateError": "Failed to synchronize DataMate knowledge bases, please check the URL validity",
   "knowledgeBase.button.dataMateConfig": "DataMate Config",
   "knowledgeBase.message.dataMateConfigSaved": "DataMate configuration saved successfully",
   "knowledgeBase.message.dataMateConfigError": "Failed to save DataMate configuration",
@@ -512,6 +536,11 @@
   "knowledgeBase.summary.notGenerated": "Knowledge base summary was not generated, please change model configuration and retry",
   "knowledgeBase.name.new": "new_base",
   "knowledgeBase.message.getDocumentsFailed": "Failed to get documents",
+  "knowledgeBase.create.permission.groupPlaceholder": "User groups of this knowledge base",
+  "knowledgeBase.ingroup.permission.EDIT": "In Group Read/Write",
+  "knowledgeBase.ingroup.permission.READ_ONLY": "In Group Read Only",
+  "knowledgeBase.ingroup.permission.PRIVATE": "Personal Private",
+  "knowledgeBase.ingroup.permission.DEFAULT": "In Group Read Only (Default)",
 
   "document.error.fetch": "Failed to fetch documents",
   "document.error.load": "Failed to load documents",
@@ -592,6 +621,7 @@
   "document.chunk.error.updateFailed": "Failed to update chunk",
   "document.chunk.error.deleteFailed": "Failed to delete chunk",
   "document.chunk.error.missingChunkId": "Chunk identifier is missing",
+  "document.chunk.tooltip.disabledDueToModelMismatch": "The currently configured embedding model ({{currentModel}}) does not match the knowledge base model ({{knowledgeBaseModel}}). You cannot create chunks or perform retrieval until you use the same embedding model as the knowledge base.",
   "document.chunk.form.createTitle": "Create chunk",
   "document.chunk.form.editTitle": "Edit chunk",
   "document.chunk.form.documentName": "Document",
@@ -667,7 +697,18 @@
   "model.dialog.error.unsupportedModelType": "Unsupported model type: {{type}}",
   "model.dialog.error.invalidConfiguration": "Invalid configuration: {{error}}",
   "model.dialog.error.addFailedLog": "Failed to add model",
-  "model.dialog.error.noModelsFetched": "Operation failed! Please check your API key and network connectivity",
+  "model.dialog.error.noModelsFetched": "No models retrieved. Please check if models are deployed on ModelEngine",
+  "model.dialog.error.provider": {
+    "title": "Model Provider Connection Failed",
+    "noModels": "No models retrieved. Please check if models are deployed on {{provider}}",
+    "connectionFailed": "Failed to connect to {{provider}}. Please verify the URL and API Key",
+    "authenticationFailed": "{{provider}} authentication failed. Please verify the API Key",
+    "accessDenied": "Access denied. Please check your permissions",
+    "endpointNotFound": "API endpoint not found. Please verify the URL configuration",
+    "serverError": "{{provider}} server error (HTTP {{code}}). Please try again later",
+    "timeout": "Connection timed out. Please check the network connection",
+    "sslError": "SSL certificate error. Please verify the URL and SSL configuration"
+  },
   "model.dialog.message.noModels": "Please fetch models first",
   "model.dialog.success.updateSuccess": "Updated successfully",
   "model.dialog.editTitle": "Edit Model",
@@ -812,6 +853,9 @@
   "login.expired.okText": "Login Now",
   "login.expired.cancelText": "Back to Home",
 
+  "page.permissionDenied.title": "Access Denied",
+  "page.permissionDenied.content": "Please switch to an account with access permissions or visit another page.",
+
   "auth.notLoggedIn": "You are not logged in",
   "auth.login": "Login",
   "auth.register": "Register",
@@ -865,7 +909,8 @@
   "auth.dev": "Developer",
   "auth.speed": "Default Role",
   "auth.inviteCodeLabel": "Invite Code",
-  "auth.inviteCodeRequired": "Please enter administrator invite code",
+  "auth.inviteCodeRequired": "Invite code is required",
+  "auth.inviteCodePlaceholder": "Please enter invite code",
   "auth.registerAdmin": "Register Administrator Account",
   "auth.inviteCodeNotConfigured": "Admin invite code is not configured yet. Please contact system admin for help.",
   "auth.inviteCodeInvalid": "Invalid administrator invite code, please check and try again",
@@ -882,12 +927,17 @@
   "auth.inviteCodeHint.starAction": " and give us a Star",
   "auth.inviteCodeHint.step2Action": " leave a trace to become a co-creator",
   "auth.inviteCodeHint.step3Action": " and get your exclusive invite code",
+  "auth.inviteCodeHint.popoverTitle": "How to Get Invite Code",
+  "auth.inviteCodeHint.howToGetCode": "How to get invite code?",
   "auth.inviteCodeHint.communityLink": "technical community",
   "auth.inviteCodeHint.projectLink": "project page",
   "auth.inviteCodeHint.contributionWallLink": "contribution wall",
   "auth.inviteCodeHint.contributionWallUrl": "https://github.com/ModelEngine-Group/nexent/blob/develop/doc/docs/en/opensource-memorial-wall.md",
   "auth.inviteCodeHint.documentationUrl": "https://modelengine-group.github.io/nexent/en/contributing.html#%F0%9F%8C%9F-quick-memorial-wall-contribution",
   "auth.inviteCodeHint.viewDocumentation": "View Documentation",
+  "auth.inviteCodeHint.method1.title": "Method 1: Open Source Community Contribution",
+  "auth.inviteCodeHint.method2.title": "Method 2: Contact Tenant Administrator",
+  "auth.inviteCodeHint.method2.description": "Contact your tenant administrator to obtain your exclusive invitation code.",
 
   "toolManagement.refresh.title": "Refresh Tools List",
   "toolManagement.refresh.button.refreshing": "Refreshing",
@@ -1185,7 +1235,7 @@
   "space.detail.model": "Model Name",
   "space.detail.modelId": "Model ID",
   "space.detail.maxStep": "Max Steps",
-  "space.detail.businessLogicModel": "Business Logic Model",
+  "space.detail.businessLogicModel": "Business Logic Model Name",
   "space.detail.businessLogicModelId": "Business Logic Model ID",
   "space.detail.provideRunSummary": "Provide Run Summary",
   "space.detail.dutyPrompt": "Duty Prompt",
@@ -1245,6 +1295,7 @@
   "tenantResources.groups.totalMembers": "Total Members",
   "tenantResources.groups.updated": "Group updated",
   "tenantResources.groups.noDescription": "No Description",
+  "tenantResources.groups.duplicateName": "Group name already exists, please use a different name",
 
   "tenantResources.knowledgeBases.enterDescription": "Optional description",
   "tenantResources.knowledgeBases.enterName": "e.g., Company Documents",
@@ -1277,45 +1328,13 @@
   "tenantResources.knowledgeBase.getSummaryFailed": "Failed to get knowledge base summary",
   "tenantResources.knowledgeBase.noSummary": "This knowledge base has no summary",
   "tenantResources.knowledgeBase.viewSummary": "Summary Overview",
+  "tenantResources.knowledgeBase.externalSourceDisabled": "External knowledge base - operation disabled",
 
   "tenantResources.models.status.available": "Available",
   "tenantResources.models.status.unavailable": "Unavailable",
   "tenantResources.models.status.detecting": "Detecting",
   "tenantResources.models.status.not_detected": "Not Detected",
 
-  "tenantResources.knowledgeBase.sources": "Source",
-  "tenantResources.knowledgeBase.permission": "Group Permission",
-  "tenantResources.knowledgeBase.permission.EDIT": "Editable",
-  "tenantResources.knowledgeBase.permission.READ_ONLY": "Read Only",
-  "tenantResources.knowledgeBase.permission.PRIVATE": "Private",
-  "tenantResources.knowledgeBase.permission.DEFAULT": "Read Only (Default)",
-  "tenantResources.knowledgeBase.groupNames": "User Groups",
-  "tenantResources.knowledgeBase.documents": "Documents",
-  "tenantResources.knowledgeBase.chunks": "Chunks",
-  "tenantResources.knowledgeBase.storeSize": "Storage",
-  "tenantResources.knowledgeBase.processSource": "Process Source",
-  "tenantResources.knowledgeBase.noGroups": "No user groups",
-  "tenantResources.knowledgeBase.edit": "Edit Knowledge Base",
-  "tenantResources.knowledgeBase.updated": "Knowledge base updated",
-  "tenantResources.knowledgeBase.deleted": "Knowledge base deleted",
-  "tenantResources.knowledgeBase.updateFailed": "Failed to update knowledge base",
-  "tenantResources.knowledgeBase.deleteFailed": "Failed to delete knowledge base",
-  "tenantResources.knowledgeBase.nameRequired": "Please enter knowledge base name",
-  "tenantResources.knowledgeBase.permissionRequired": "Please select group permission",
-  "tenantResources.knowledgeBase.enterName": "Enter knowledge base name",
-  "tenantResources.knowledgeBase.editSummary": "Edit Summary",
-  "tenantResources.knowledgeBase.summary": "Knowledge Base Summary",
-  "tenantResources.knowledgeBase.enterSummary": "Enter knowledge base summary",
-  "tenantResources.knowledgeBase.summaryRequired": "Please enter knowledge base summary",
-  "tenantResources.knowledgeBase.summaryUpdated": "Summary updated successfully",
-  "tenantResources.knowledgeBase.getSummaryFailed": "Failed to get knowledge base summary",
-  "tenantResources.knowledgeBase.noSummary": "This knowledge base has no summary",
-  "tenantResources.knowledgeBase.viewSummary": "Summary Overview",
-
-  "tenantResources.models.status.available": "Available",
-  "tenantResources.models.status.unavailable": "Unavailable",
-  "tenantResources.models.status.detecting": "Detecting",
-  "tenantResources.models.status.not_detected": "Not Detected",
   "tenantResources.models.type.llm": "Large Language Model",
   "tenantResources.models.type.embedding": "Embedding Model",
   "tenantResources.models.type.multi_embedding": "Multi-Modal Embedding Model",
@@ -1325,6 +1344,14 @@
   "tenantResources.models.type.vlm": "Visual Language Model",
 
   "tenantResources.models.confirmDelete": "Delete model?",
+  "tenantResources.models.editModel": "Edit Model",
+  "tenantResources.models.deleteModel": "Delete Model",
+  "tenantResources.models.deleteSuccess": "Model deleted",
+  "tenantResources.models.deleteFailed": "Delete failed",
+  "tenantResources.models.checkConnectivity": "Check Connectivity",
+  "tenantResources.models.connectivitySuccess": "Model connectivity is healthy",
+  "tenantResources.models.connectivityFailed": "Model cannot connect",
+  "tenantResources.models.connectivityError": "Error checking connectivity",
   "tenantResources.models.enterDescription": "Enter model description",
   "tenantResources.models.enterName": "Enter model name",
 
@@ -1338,6 +1365,8 @@
   "tenantResources.tenants.tenants": "Tenants",
   "tenantResources.tenants.unnamed": "Unnamed Tenant",
   "tenantResources.tenants.updated": "Tenant updated",
+  "tenantResources.tenants.nameExists": "Tenant name '{{name}}' already exists, please use a different name",
+  "tenantResources.tenants.nameRequired": "Please enter a tenant name",
 
   "tenantResources.users.confirmDelete": "Delete user \"{{name}}\"?",
   "tenantResources.users.deleteUser": "Delete User",
@@ -1375,6 +1404,7 @@
   "tenantResources.invitation.invitationCodeInvalid": "Invitation code can only contain letters and numbers",
   "tenantResources.invitation.noGroups": "No groups",
   "tenantResources.invitation.noExpiry": "Permenant",
+  "tenantResources.invitation.alreadyExists": "Invitation code already exists",
 
   "tenantResources.invitation.codeType.ADMIN_INVITE": "Admin Invite",
   "tenantResources.invitation.codeType.DEV_INVITE": "Dev Invite",
@@ -1452,7 +1482,7 @@
   "market.detail.modelId": "Model ID",
   "market.detail.maxSteps": "Max Steps",
   "market.detail.recommendedModel": "Recommended Model",
-  "market.detail.businessLogicModel": "Business Logic Model",
+  "market.detail.businessLogicModel": "Business Logic Model Name",
   "market.detail.businessLogicModelId": "Business Logic Model ID",
   "market.detail.provideRunSummary": "Provide Run Summary",
   "market.detail.dutyPrompt": "Duty Prompt",
@@ -1545,6 +1575,9 @@
   "market.install.success.nameRegeneratedAndResolved": "Agent names regenerated successfully and all conflicts resolved",
   "market.install.info.notImplemented": "Installation will be implemented in next phase",
   "market.install.success": "Agent installed successfully!",
+  "market.install.success.viewSpace.prefix": "Agent installed successfully. You can ",
+  "market.install.success.viewSpace.link": "Go to Agent Space",
+  "market.install.success.viewSpace.suffix": " to view and use it.",
   "market.install.warning.title": "Agent May Be Unusable",
   "market.install.warning.description": "The following issues may make the Agent unusable:",
   "market.install.warning.nameConflict": "Unresolved name conflicts exist",
@@ -1642,5 +1675,64 @@
   "profile.deleteWarning1": "Your account will be permanently deleted",
   "profile.deleteWarning2": "All your conversations and data will be removed",
   "profile.deleteWarning3": "This action cannot be reversed",
-  "profile.adminRestrictionTitle": "Administrator Restriction"
+  "profile.adminRestrictionTitle": "Administrator Restriction",
+
+  "agent.version.manage": "Version Management",
+  "agent.version.currentVersion": "Current Version",
+  "agent.version.totalVersions": "Total {{count}} versions",
+  "agent.version.count": "{{count}} versions",
+  "agent.version.compare": "Compare Versions",
+  "agent.version.publish": "Publish",
+  "agent.version.status.disabled": "Disabled",
+  "agent.version.status.published": "Published",
+  "agent.version.status.archived": "Archived",
+  "agent.version.status.unknown": "Unknown",
+  "agent.version.releaseNote": "Release Note",
+  "agent.version.publishSuccess": "Version published successfully",
+  "agent.version.publishFailed": "Failed to publish version",
+  "agent.version.versionName": "Version Name",
+  "agent.version.versionNameRequired": "Please enter a version name",
+  "agent.version.versionNamePlaceholder": "Enter version name",
+  "agent.version.releaseNotePlaceholder": "Enter release note (optional)",
+  "agent.version.viewDetail": "View Details",
+  "agent.version.duplicate": "Duplicate Version",
+  "agent.version.archive": "Archive",
+  "agent.version.viewConfiguration": "View Configuration",
+  "agent.version.viewPrompt": "View Prompt",
+  "agent.version.viewTools": "View Tools",
+  "agent.version.rollback": "Rollback",
+  "agent.version.noVersions": "No versions yet",
+  "agent.version.createFirstVersion": "Create First Version",
+  "agent.version.configuration": "Configuration",
+  "agent.version.agentName": "Agent Name",
+  "agent.version.modelName": "Model Name",
+  "agent.version.tools": "Tools",
+  "agent.version.relatedAgents": "Related Agents",
+  "agent.version.field.name": "Name",
+  "agent.version.field.modelName": "Model",
+  "agent.version.field.maxSteps": "Max Steps",
+  "agent.version.field.description": "Description",
+  "agent.version.field.dutyPrompt": "Duty Prompt",
+  "agent.version.field.tools": "Tools",
+  "agent.version.field.subAgents": "Sub Agents",
+  "agent.version.rollbackSuccess": "Version rolled back successfully",
+  "agent.version.rollbackError": "Failed to rollback version",
+  "agent.version.rollbackCompareTitle": "Rollback Version Comparison",
+  "agent.version.confirmRollback": "Confirm Rollback",
+  "agent.version.rollbackNote": "Rollback from V{{fromVersion}} to V{{toVersion}}",
+  "agent.version.loadingComparison": "Loading comparison...",
+  "agent.version.compareError": "Failed to load version comparison",
+  "agent.version.compareFailed": "Failed to compare versions",
+  "agent.version.rollbackWarningTitle": "Warning",
+  "agent.version.rollbackWarningContent": "You are about to rollback to {{versionName}}. This will create a new version based on the selected version.",
+  "agent.version.draftVersion": "Draft",
+  "agent.version.restore": "Restore",
+  "agent.version.deleteSuccess": "Version deleted successfully",
+  "agent.version.deleteError": "Failed to delete version",
+  "agent.version.deleteConfirmTitle": "Delete Version",
+  "agent.version.deleteConfirmContent": "Are you sure you want to delete version \"{{versionName}}\"?",
+  "agent.version.deleteWarning": "This action cannot be undone.",
+  "agent.version.statusUpdateSuccess": "Version status updated successfully",
+  "agent.version.statusUpdateError": "Failed to update version status",
+  "agent.error.agentNotFound": "Agent not found"
 }
diff --git a/frontend/public/locales/zh/common.json b/frontend/public/locales/zh/common.json
index 344d3ed79..90b616b75 100644
--- a/frontend/public/locales/zh/common.json
+++ b/frontend/public/locales/zh/common.json
@@ -152,11 +152,6 @@
   ],
   "page.copyright": "Nexent © {{year}}",
   "page.termsOfUse": "使用条款",
-  "page.loginPrompt.title": "登录账号",
-  "page.loginPrompt.register": "注册",
-  "page.loginPrompt.login": "立即登录",
-  "page.loginPrompt.header": "🚀 准备启航！",
-  "page.loginPrompt.intro": "登录您的账户，开启智能问答之旅~",
   "page.loginPrompt.benefitsTitle": "✨ 登录后您将获得：",
   "page.loginPrompt.benefits": [
     "专属的对话历史记录",
@@ -164,11 +159,13 @@
     "企业知识库完整访问权限",
     "更精准的问答体验"
   ],
-  "page.loginPrompt.githubSupport": "⭐️ Nexent还在成长中，帮帮我到<1>GitHub</1>加星支持我吧，谢谢你。",
+  "page.loginPrompt.title": "欢迎使用 Nexent",
+  "page.loginPrompt.register": "注册账户",
+  "page.loginPrompt.login": "登录账户",
+  "page.loginPrompt.intro": "请登录您的账户以访问此页面。",
+  "page.loginPrompt.githubSupport": "在 GitHub 上支持我们",
   "page.loginPrompt.noAccount": "还没有账号？点击\"注册\"按钮创建您的专属账号~",
-  "page.adminPrompt.title": "啊哦，您不是管理员",
   "page.adminPrompt.close": "好的",
-  "page.adminPrompt.intro": "只有管理员可以调整配置，请先登录为管理员账号~",
   "page.adminPrompt.unlockHeader": "🌟 成为管理员，解锁更多能力！",
   "page.adminPrompt.unlockIntro": "成为管理员后，您可以：",
   "page.adminPrompt.permissionsTitle": "✨ 管理员专属权限：",
@@ -177,6 +174,9 @@
     "制作和发布专属智能体",
     "集成和配置自有工具"
   ],
+  "page.adminPrompt.title": "暂无权限",
+  "page.adminPrompt.intro": "您暂时没有权限访问该页面，请联系管理员为您提升权限。",
+  "page.adminPrompt.githubSupport": "在 GitHub 上支持我们",
   "page.adminPrompt.becomeAdmin": "💡 想成为管理员？请访问<1>官网联系页</1>，申请管理员账号。",
 
   "chatStreamMessage.appIconAlt": "应用图标",
@@ -292,12 +292,15 @@
   "agent.displayName": "智能体名称",
   "agent.displayNamePlaceholder": "请输入智能体名称",
   "agent.author": "作者",
-  "agent.authorPlaceholder": "请输入作者名称（可选）",
+  "agent.authorPlaceholder": "请输入作者名称",
   "agent.author.hint": "默认：{{email}}",
   "agent.description": "智能体描述",
   "agent.userGroup": "用户组",
   "agent.userGroup.empty": "暂无用户组",
   "agent.llmModel": "大语言模型",
+  "agent.version": "版本",
+  "agent.version.current": "当前版本",
+  "agent.status.unpublished": "未发布",
   "agent.unavailableReasons.duplicate_name": "智能体变量名重复",
   "agent.unavailableReasons.duplicate_display_name": "智能体名称重复",
   "agent.unavailableReasons.tool_unavailable": "工具不可用",
@@ -311,8 +314,11 @@
   "agent.error.fetchAgentList": "获取智能体列表失败",
   "agent.error.fetchAgentListRetry": "获取智能体列表失败，请稍后重试",
   "agent.debug.title": "智能体调试",
+  "agent.noEditPermission": "无智能体编辑权限",
+  "mcpConfig.permission.noEdit": "无MCP编辑权限",
   "agent.action.create": "创建智能体",
   "agent.action.modify": "编辑智能体信息",
+  "agent.action.view": "查看智能体信息",
   "agent.action.viewCallRelationship": "查看调用关系",
   "agent.error.nameExists": "智能体变量名{{name}}已存在，请修改",
   "agent.error.displayNameExists": "智能体名称{{displayName}}已存在，请修改",
@@ -392,6 +398,9 @@
   "toolConfig.input.model.placeholder": "请选择模型",
   "toolConfig.input.string.placeholder": "请输入{{name}}",
   "toolConfig.input.array.placeholder": "请输入JSON数组",
+  "toolConfig.placeholder.selectKb": "请选择知识库",
+  "toolConfig.validation.selectKb": "请选择至少一个知识库",
+  "toolConfig.validation.required": "此字段为必填项",
   "toolConfig.input.object.placeholder": "请输入JSON对象",
   "toolConfig.toolTest.toolInfo": "工具信息",
   "toolConfig.toolTest.configParams": "配置参数",
@@ -403,6 +412,12 @@
   "toolConfig.button.closeTest": "关闭工具测试",
   "toolConfig.toolTest.manualInput": "手动输入",
   "toolConfig.toolTest.parseMode": "解析模式",
+  "toolConfig.button.selectKnowledgeBases": "选择知识库",
+  "toolConfig.input.knowledgeBaseSelector.placeholder": "点击选择{{name}}",
+  "toolConfig.knowledgeBaseSelector.title.default": "选择知识库",
+  "toolConfig.knowledgeBaseSelector.title.local": "选择 Nexent 知识库",
+  "toolConfig.knowledgeBaseSelector.title.dify": "选择 Dify 知识库",
+  "toolConfig.knowledgeBaseSelector.title.datamate": "选择 DataMate 知识库",
   "toolPool.title": "选择智能体的工具",
   "toolPool.loading": "加载中...",
   "toolPool.loadingTools": "加载工具中...",
@@ -456,12 +471,21 @@
   "knowledgeBase.error.loadSelectedRetry": "加载已选知识库失败，请稍后重试",
   "knowledgeBase.error.saveSelected": "保存已选知识库失败",
   "knowledgeBase.error.saveSelectedRetry": "保存已选知识库失败，请稍后重试",
+  "knowledgeBase.error.invalidUrlProtocol": "URL 必须以 http:// 或 https:// 开头",
+  "knowledgeBase.error.invalidUrlFormat": "URL 格式无效，请检查输入",
+  "knowledgeBase.error.connectionFailed": "无法连接到 DataMate 服务器",
+  "knowledgeBase.error.syncFailed": "同步 DataMate 知识库失败",
+  "knowledgeBase.message.testingConnection": "正在测试连接...",
+  "knowledgeBase.message.testingSync": "正在同步知识库...",
   "knowledgeBase.list.title": "知识库列表",
   "knowledgeBase.button.create": "创建知识库",
   "knowledgeBase.button.sync": "同步知识库",
   "knowledgeBase.button.syncDataMate": "同步DataMate知识库",
   "knowledgeBase.selected.prefix": "已选择",
   "knowledgeBase.selected.suffix": "个知识库用于知识检索",
+  "knowledgeBase.selected.count": "已选择 {{count}} 个",
+  "knowledgeBase.button.clearSelection": "清除选择",
+  "knowledgeBase.button.selectAll": "全选",
   "knowledgeBase.button.removeKb": "移除知识库 {{name}}",
   "knowledgeBase.tag.documents": "{{count}} 文档",
   "knowledgeBase.tag.chunks": "{{count}} 分块",
@@ -477,6 +501,8 @@
   "knowledgeBase.filter.model.placeholder": "筛选模型",
   "knowledgeBase.source.nexent": "Nexent",
   "knowledgeBase.source.datamate": "DataMate",
+  "knowledgeBase.source.dify": "Dify",
+  "knowledgeBase.datamate.editDisabled": "Nexent无法上传文件至DataMate知识库，请前往DataMate页面进行操作。",
   "knowledgeBase.filter.allSources": "全部来源",
   "knowledgeBase.filter.allModels": "全部模型",
   "knowledgeBase.filter.source": "来源",
@@ -488,9 +514,9 @@
   "knowledgeBase.message.deleteSuccess": "删除知识库成功",
   "knowledgeBase.message.deleteError": "删除知识库失败",
   "knowledgeBase.message.syncSuccess": "同步知识库成功",
-  "knowledgeBase.message.syncError": "同步知识库失败：{{error}}",
+  "knowledgeBase.message.syncError": "同步知识库失败",
   "knowledgeBase.message.syncDataMateSuccess": "同步DataMate知识库成功",
-  "knowledgeBase.message.syncDataMateError": "同步DataMate知识库失败：{{error}}",
+  "knowledgeBase.message.syncDataMateError": "同步DataMate知识库失败，请检查URL的正确性",
   "knowledgeBase.button.dataMateConfig": "DataMate配置",
   "knowledgeBase.message.dataMateConfigSaved": "DataMate配置已保存",
   "knowledgeBase.message.dataMateConfigError": "DataMate配置保存失败",
@@ -512,6 +538,11 @@
   "knowledgeBase.summary.notGenerated": "未生成知识库总结，请更换模型配置重试",
   "knowledgeBase.name.new": "新知识库",
   "knowledgeBase.message.getDocumentsFailed": "获取文档列表失败",
+  "knowledgeBase.create.permission.groupPlaceholder": "该知识库所属用户组",
+  "knowledgeBase.ingroup.permission.EDIT": "同组可编辑",
+  "knowledgeBase.ingroup.permission.READ_ONLY": "同组只读",
+  "knowledgeBase.ingroup.permission.PRIVATE": "私有",
+  "knowledgeBase.ingroup.permission.DEFAULT": "同组只读 (默认)",
 
   "document.error.fetch": "获取文档失败",
   "document.error.load": "加载文档失败",
@@ -592,6 +623,7 @@
   "document.chunk.error.updateFailed": "分片更新失败",
   "document.chunk.error.deleteFailed": "分片删除失败",
   "document.chunk.error.missingChunkId": "缺少分片 ID",
+  "document.chunk.tooltip.disabledDueToModelMismatch": "当前配置的向量模型 ({{currentModel}}) 与创建知识库所用模型 ({{knowledgeBaseModel}}) 不一致，无法创建分片或召回检索。",
   "document.chunk.form.createTitle": "新建分片",
   "document.chunk.form.editTitle": "编辑分片",
   "document.chunk.form.documentName": "所属文档",
@@ -666,7 +698,19 @@
   "model.dialog.error.unsupportedModelType": "不支持的模型类型：{{type}}",
   "model.dialog.error.invalidConfiguration": "配置无效：{{error}}",
   "model.dialog.error.addFailedLog": "添加模型失败",
-  "model.dialog.error.noModelsFetched": "操作失败！请检查相关API Key以及网络连通性",
+  "model.dialog.error.noModelsFetched": "未获取到任何模型，请检查 ModelEngine 上是否部署了模型",
+  "model.dialog.error.apiConnectionFailed": "无法连接到 ModelEngine，请检查 URL 和 API Key 是否正确",
+  "model.dialog.error.provider": {
+    "title": "模型提供商连接失败",
+    "noModels": "未获取到任何模型，请检查 {{provider}} 上是否部署了模型",
+    "connectionFailed": "无法连接到 {{provider}}，请检查 URL 和 API Key 是否正确",
+    "authenticationFailed": "{{provider}} 身份验证失败，请检查 API Key 是否正确",
+    "accessDenied": "访问被拒绝，请检查您的权限配置",
+    "endpointNotFound": "API 端点未找到，请检查 URL 配置是否正确",
+    "serverError": "{{provider}} 服务器错误 (HTTP {{code}})，请稍后重试",
+    "timeout": "连接超时，请检查网络连接",
+    "sslError": "SSL 证书错误，请检查 URL 和 SSL 配置"
+  },
   "model.dialog.message.noModels": "请先获取模型",
   "model.dialog.editTitle": "编辑模型",
   "model.dialog.editSuccess": "模型更新成功",
@@ -811,6 +855,9 @@
   "login.expired.okText": "立即登录",
   "login.expired.cancelText": "返回首页",
 
+  "page.permissionDenied.title": "无权限访问",
+  "page.permissionDenied.content": "请切换有权限访问该页面的账号或访问其他页面。",
+
   "auth.notLoggedIn": "您尚未登录",
   "auth.login": "登录",
   "auth.register": "注册",
@@ -864,7 +911,8 @@
   "auth.dev": "开发者",
   "auth.speed": "默认角色",
   "auth.inviteCodeLabel": "邀请码",
-  "auth.inviteCodeRequired": "请输入管理员邀请码",
+  "auth.inviteCodeRequired": "请输入邀请码",
+  "auth.inviteCodePlaceholder": "请输入邀请码",
   "auth.registerAdmin": "注册管理员账号",
   "auth.inviteCodeNotConfigured": "管理员注册功能暂未开放，请联系系统管理员配置邀请码",
   "auth.inviteCodeInvalid": "管理员邀请码错误，请检查后重新输入",
@@ -881,12 +929,17 @@
   "auth.inviteCodeHint.starAction": "并为我们点一个 Star",
   "auth.inviteCodeHint.step2Action": "留下痕迹成为共创者",
   "auth.inviteCodeHint.step3Action": "获取专属邀请码",
+  "auth.inviteCodeHint.popoverTitle": "如何获取邀请码",
+  "auth.inviteCodeHint.howToGetCode": "如何获取邀请码？",
   "auth.inviteCodeHint.communityLink": "官方技术交流群",
   "auth.inviteCodeHint.projectLink": "项目地址",
   "auth.inviteCodeHint.contributionWallLink": "贡献墙",
   "auth.inviteCodeHint.contributionWallUrl": "https://github.com/ModelEngine-Group/nexent/blob/develop/doc/docs/zh/opensource-memorial-wall.md",
   "auth.inviteCodeHint.documentationUrl": "https://modelengine-group.github.io/nexent/zh/contributing.html#%F0%9F%8C%9F-%E5%BC%80%E6%BA%90%E7%BA%AA%E5%BF%B5%E5%A2%99%E5%BF%AB%E9%80%9F%E8%B4%A1%E7%8C%AE",
   "auth.inviteCodeHint.viewDocumentation": "查看说明文档",
+  "auth.inviteCodeHint.method1.title": "方式一：开源社区贡献",
+  "auth.inviteCodeHint.method2.title": "方式二：联系租户管理员",
+  "auth.inviteCodeHint.method2.description": "联系您的租户管理员，获取专属邀请码",
 
   "toolManagement.refresh.title": "刷新工具列表",
   "toolManagement.refresh.button.refreshing": "刷新中",
@@ -1184,7 +1237,7 @@
   "space.detail.model": "模型名称",
   "space.detail.modelId": "模型 ID",
   "space.detail.maxStep": "最大步数",
-  "space.detail.businessLogicModel": "业务逻辑模型",
+  "space.detail.businessLogicModel": "业务逻辑模型名称",
   "space.detail.businessLogicModelId": "业务逻辑模型 ID",
   "space.detail.provideRunSummary": "提供运行摘要",
   "space.detail.dutyPrompt": "职责提示词",
@@ -1244,6 +1297,7 @@
   "tenantResources.groups.totalMembers": "总成员数",
   "tenantResources.groups.updated": "用户组已更新",
   "tenantResources.groups.noDescription": "无描述",
+  "tenantResources.groups.duplicateName": "用户组名称已存在，请使用其他名称",
 
   "tenantResources.knowledgeBases.enterDescription": "可选描述",
   "tenantResources.knowledgeBases.enterName": "例如：公司文档",
@@ -1276,45 +1330,13 @@
   "tenantResources.knowledgeBase.getSummaryFailed": "获取知识库摘要失败",
   "tenantResources.knowledgeBase.noSummary": "该知识库尚无摘要",
   "tenantResources.knowledgeBase.viewSummary": "摘要概览",
+  "tenantResources.knowledgeBase.externalSourceDisabled": "不可操作外部知识库",
 
   "tenantResources.models.status.available": "可用",
   "tenantResources.models.status.unavailable": "不可用",
   "tenantResources.models.status.detecting": "检测中",
   "tenantResources.models.status.not_detected": "未检测",
 
-  "tenantResources.knowledgeBase.sources": "知识库来源",
-  "tenantResources.knowledgeBase.permission": "组内权限",
-  "tenantResources.knowledgeBase.permission.EDIT": "可编辑",
-  "tenantResources.knowledgeBase.permission.READ_ONLY": "只读",
-  "tenantResources.knowledgeBase.permission.PRIVATE": "私有",
-  "tenantResources.knowledgeBase.permission.DEFAULT": "只读 (默认)",
-  "tenantResources.knowledgeBase.groupNames": "用户组",
-  "tenantResources.knowledgeBase.documents": "文档数",
-  "tenantResources.knowledgeBase.chunks": "分块数",
-  "tenantResources.knowledgeBase.storeSize": "占用空间",
-  "tenantResources.knowledgeBase.processSource": "处理核心",
-  "tenantResources.knowledgeBase.noGroups": "暂无用户组",
-  "tenantResources.knowledgeBase.edit": "编辑知识库",
-  "tenantResources.knowledgeBase.updated": "知识库已更新",
-  "tenantResources.knowledgeBase.deleted": "知识库已删除",
-  "tenantResources.knowledgeBase.updateFailed": "知识库更新失败",
-  "tenantResources.knowledgeBase.deleteFailed": "知识库删除失败",
-  "tenantResources.knowledgeBase.nameRequired": "请输入知识库名称",
-  "tenantResources.knowledgeBase.permissionRequired": "请选择组内权限",
-  "tenantResources.knowledgeBase.enterName": "请输入知识库名称",
-  "tenantResources.knowledgeBase.editSummary": "编辑摘要",
-  "tenantResources.knowledgeBase.summary": "知识库摘要",
-  "tenantResources.knowledgeBase.enterSummary": "请输入知识库摘要",
-  "tenantResources.knowledgeBase.summaryRequired": "请输入知识库摘要",
-  "tenantResources.knowledgeBase.summaryUpdated": "摘要更新成功",
-  "tenantResources.knowledgeBase.getSummaryFailed": "获取知识库摘要失败",
-  "tenantResources.knowledgeBase.noSummary": "该知识库尚无摘要",
-  "tenantResources.knowledgeBase.viewSummary": "摘要概览",
-
-  "tenantResources.models.status.available": "可用",
-  "tenantResources.models.status.unavailable": "不可用",
-  "tenantResources.models.status.detecting": "检测中",
-  "tenantResources.models.status.not_detected": "未检测",
   "tenantResources.models.type.llm": "大语言模型",
   "tenantResources.models.type.embedding": "向量化模型",
   "tenantResources.models.type.multi_embedding": "多模态向量化模型",
@@ -1324,6 +1346,14 @@
   "tenantResources.models.type.vlm": "视觉语言模型",
 
   "tenantResources.models.confirmDelete": "删除模型？",
+  "tenantResources.models.editModel": "编辑模型",
+  "tenantResources.models.deleteModel": "删除模型",
+  "tenantResources.models.deleteSuccess": "模型已删除",
+  "tenantResources.models.deleteFailed": "删除模型失败",
+  "tenantResources.models.checkConnectivity": "检查连通性",
+  "tenantResources.models.connectivitySuccess": "模型连通性正常",
+  "tenantResources.models.connectivityFailed": "模型无法连接",
+  "tenantResources.models.connectivityError": "检查连通性时发生错误",
   "tenantResources.models.enterDescription": "输入模型描述",
   "tenantResources.models.enterName": "输入模型名称",
 
@@ -1337,6 +1367,8 @@
   "tenantResources.tenants.tenants": "租户",
   "tenantResources.tenants.unnamed": "未命名租户",
   "tenantResources.tenants.updated": "租户已更新",
+  "tenantResources.tenants.nameExists": "租户名称 '{{name}}' 已存在，请使用其他名称",
+  "tenantResources.tenants.nameRequired": "请输入租户名称",
 
   "tenantResources.users.confirmDelete": "删除用户\"{{name}}\"？",
   "tenantResources.users.deleteUser": "删除用户",
@@ -1374,6 +1406,7 @@
   "tenantResources.invitation.invitationCodeInvalid": "邀请码只能包含字母和数字",
   "tenantResources.invitation.noGroups": "暂无用户组",
   "tenantResources.invitation.noExpiry": "永久有效",
+  "tenantResources.invitation.alreadyExists": "邀请码已存在",
 
   "tenantResources.invitation.codeType.ADMIN_INVITE": "管理员邀请",
   "tenantResources.invitation.codeType.DEV_INVITE": "开发者邀请",
@@ -1430,7 +1463,7 @@
   "market.detail.modelId": "模型 ID",
   "market.detail.maxSteps": "最大步数",
   "market.detail.recommendedModel": "建议模型",
-  "market.detail.businessLogicModel": "业务逻辑模型",
+  "market.detail.businessLogicModel": "业务逻辑模型名称",
   "market.detail.businessLogicModelId": "业务逻辑模型 ID",
   "market.detail.provideRunSummary": "提供运行摘要",
   "market.detail.dutyPrompt": "职责提示词",
@@ -1523,6 +1556,9 @@
   "market.install.success.nameRegeneratedAndResolved": "智能体名称重新生成成功，且所有冲突已解决",
   "market.install.info.notImplemented": "安装功能将在下一阶段实现",
   "market.install.success": "智能体安装成功！",
+  "market.install.success.viewSpace.prefix": "智能体安装成功，您可",
+  "market.install.success.viewSpace.link": "前往智能体空间",
+  "market.install.success.viewSpace.suffix": "查看与使用",
   "market.install.warning.title": "智能体可能不可用",
   "market.install.warning.description": "以下问题可能导致智能体不可用：",
   "market.install.warning.nameConflict": "存在未解决的名称冲突",
@@ -1641,5 +1677,64 @@
   "profile.deleteWarning1": "您的账户将被永久删除",
   "profile.deleteWarning2": "所有对话和数据将被移除",
   "profile.deleteWarning3": "此操作无法恢复",
-  "profile.adminRestrictionTitle": "管理员限制"
+  "profile.adminRestrictionTitle": "管理员限制",
+
+  "agent.version.manage": "版本管理",
+  "agent.version.currentVersion": "当前版本",
+  "agent.version.totalVersions": "共 {{count}} 个版本",
+  "agent.version.count": "{{count}} 个版本",
+  "agent.version.compare": "版本对比",
+  "agent.version.publish": "发布",
+  "agent.version.status.disabled": "已禁用",
+  "agent.version.status.published": "已发布",
+  "agent.version.status.archived": "已归档",
+  "agent.version.status.unknown": "未知",
+  "agent.version.releaseNote": "发布说明",
+  "agent.version.publishSuccess": "版本发布成功",
+  "agent.version.publishFailed": "版本发布失败",
+  "agent.version.versionName": "版本名称",
+  "agent.version.versionNameRequired": "请输入版本名称",
+  "agent.version.versionNamePlaceholder": "请输入版本名称",
+  "agent.version.releaseNotePlaceholder": "请输入发布说明（可选）",
+  "agent.version.viewDetail": "查看详情",
+  "agent.version.duplicate": "复制版本",
+  "agent.version.archive": "归档",
+  "agent.version.viewConfiguration": "查看配置",
+  "agent.version.viewPrompt": "查看提示词",
+  "agent.version.viewTools": "查看工具",
+  "agent.version.rollback": "回滚",
+  "agent.version.noVersions": "暂无版本",
+  "agent.version.createFirstVersion": "创建第一个版本",
+  "agent.version.configuration": "配置",
+  "agent.version.agentName": "智能体名称",
+  "agent.version.modelName": "模型名称",
+  "agent.version.tools": "工具",
+  "agent.version.relatedAgents": "关联智能体",
+  "agent.version.field.name": "名称",
+  "agent.version.field.modelName": "模型",
+  "agent.version.field.maxSteps": "最大步数",
+  "agent.version.field.description": "描述",
+  "agent.version.field.dutyPrompt": "职责提示词",
+  "agent.version.field.tools": "工具",
+  "agent.version.field.subAgents": "子智能体",
+  "agent.version.rollbackSuccess": "版本回滚成功",
+  "agent.version.rollbackError": "版本回滚失败",
+  "agent.version.rollbackCompareTitle": "回滚版本对比",
+  "agent.version.confirmRollback": "确认回滚",
+  "agent.version.rollbackNote": "从 V{{fromVersion}} 回滚到 V{{toVersion}}",
+  "agent.version.loadingComparison": "正在加载对比...",
+  "agent.version.compareError": "加载版本对比失败",
+  "agent.version.compareFailed": "版本对比失败",
+  "agent.version.rollbackWarningTitle": "警告",
+  "agent.version.rollbackWarningContent": "您即将回滚到 {{versionName}}。这将基于所选版本创建一个新版本。",
+  "agent.version.draftVersion": "草稿",
+  "agent.version.restore": "恢复",
+  "agent.version.deleteSuccess": "版本删除成功",
+  "agent.version.deleteError": "删除版本失败",
+  "agent.version.deleteConfirmTitle": "删除版本",
+  "agent.version.deleteConfirmContent": "确定要删除版本 \"{{versionName}}\" 吗？",
+  "agent.version.deleteWarning": "此操作无法撤销。",
+  "agent.version.statusUpdateSuccess": "版本状态更新成功",
+  "agent.version.statusUpdateError": "更新版本状态失败",
+  "agent.error.agentNotFound": "未找到智能体"
 }
diff --git a/frontend/services/agentConfigService.ts b/frontend/services/agentConfigService.ts
index 949edb950..c2269199e 100644
--- a/frontend/services/agentConfigService.ts
+++ b/frontend/services/agentConfigService.ts
@@ -98,11 +98,15 @@ export const fetchTools = async () => {
 
 /**
  * get agent list from backend (basic info only)
+ * @param tenantId optional tenant ID for filtering
  * @returns list of agents with basic info (id, name, description, is_available)
  */
-export const fetchAgentList = async () => {
+export const fetchAgentList = async (tenantId?: string) => {
   try {
-    const response = await fetch(API_ENDPOINTS.agent.list, {
+    const url = tenantId
+      ? `${API_ENDPOINTS.agent.list}?tenant_id=${encodeURIComponent(tenantId)}`
+      : API_ENDPOINTS.agent.list;
+    const response = await fetch(url, {
       headers: getAuthHeaders(),
     });
     if (!response.ok) {
@@ -124,6 +128,9 @@ export const fetchAgentList = async () => {
       unavailable_reasons: agent.unavailable_reasons || [],
       group_ids: agent.group_ids || [],
       is_new: agent.is_new || false,
+      permission: agent.permission,
+      is_published: agent.is_published,
+      current_version_no: agent.current_version_no,
     }));
 
     return {
@@ -141,6 +148,55 @@ export const fetchAgentList = async () => {
   }
 };
 
+/**
+ * Fetch published agent list - gets agents with their current published version info
+ * First queries all agents with version_no=0, then retrieves the published version snapshot
+ * for each agent that has current_version_no > 0
+ * @returns list of published agents with version information
+ */
+export const fetchPublishedAgentList = async () => {
+  try {
+    const response = await fetch(API_ENDPOINTS.agent.publishedList, {
+      headers: getAuthHeaders(),
+    });
+    if (!response.ok) {
+      throw new Error(`Request failed: ${response.status}`);
+    }
+    const data = await response.json();
+
+    // Convert backend data to frontend format
+    const formattedAgents = data.map((agent: any) => ({
+      id: String(agent.agent_id),
+      name: agent.name,
+      display_name: agent.display_name || agent.name,
+      description: agent.description,
+      author: agent.author,
+      model_id: agent.model_id,
+      model_name: agent.model_name,
+      model_display_name: agent.model_display_name,
+      is_available: agent.is_available,
+      unavailable_reasons: agent.unavailable_reasons || [],
+      group_ids: agent.group_ids || [],
+      is_new: agent.is_new || false,
+      permission: agent.permission,
+      published_version_no: agent.published_version_no,
+    }));
+
+    return {
+      success: true,
+      data: formattedAgents,
+      message: "",
+    };
+  } catch (error) {
+    log.error("Failed to fetch published agent list:", error);
+    return {
+      success: false,
+      data: [],
+      message: "agentConfig.agents.publishedListFetchFailed",
+    };
+  }
+};
+
 /**
  * get creating sub agent id
  * @param mainAgentId current main agent id
@@ -368,11 +424,15 @@ export const updateAgentInfo = async (payload: UpdateAgentInfoPayload) => {
 /**
  * Delete Agent
  * @param agentId agent id
+ * @param tenantId optional tenant ID for filtering (uses auth if not provided)
  * @returns delete result
  */
-export const deleteAgent = async (agentId: number) => {
+export const deleteAgent = async (agentId: number, tenantId?: string) => {
   try {
-    const response = await fetch(API_ENDPOINTS.agent.delete, {
+    const url = tenantId
+      ? `${API_ENDPOINTS.agent.delete}?tenant_id=${encodeURIComponent(tenantId)}`
+      : API_ENDPOINTS.agent.delete;
+    const response = await fetch(url, {
       method: "DELETE",
       headers: getAuthHeaders(),
       body: JSON.stringify({ agent_id: agentId }),
@@ -583,14 +643,22 @@ export const regenerateAgentNameBatch = async (payload: {
 /**
  * search agent info by agent id
  * @param agentId agent id
+ * @param tenantId optional tenant ID for filtering
+ * @param versionNo optional version number (default 0 for current/draft version)
  * @returns agent detail info
  */
-export const searchAgentInfo = async (agentId: number) => {
+export const searchAgentInfo = async (agentId: number, tenantId?: string, versionNo?: number) => {
   try {
-    const response = await fetch(API_ENDPOINTS.agent.searchInfo, {
+    const url = tenantId 
+      ? `${API_ENDPOINTS.agent.searchInfo}?tenant_id=${encodeURIComponent(tenantId)}`
+      : API_ENDPOINTS.agent.searchInfo;
+    const response = await fetch(url, {
       method: "POST",
       headers: getAuthHeaders(),
-      body: JSON.stringify(agentId),
+      body: JSON.stringify({
+        agent_id: agentId,
+        version_no: versionNo ?? 0,
+      }),
     });
 
     if (!response.ok) {
@@ -647,6 +715,7 @@ export const searchAgentInfo = async (agentId: number) => {
             };
           })
         : [],
+      current_version_no: data.current_version_no
     };
 
     return {
diff --git a/frontend/services/agentVersionService.ts b/frontend/services/agentVersionService.ts
new file mode 100644
index 000000000..1e3f4a724
--- /dev/null
+++ b/frontend/services/agentVersionService.ts
@@ -0,0 +1,446 @@
+import { API_ENDPOINTS } from "./api";
+import log from "@/lib/logger";
+import { getAuthHeaders } from "@/lib/auth";
+
+/**
+ * Tool instance from API response
+ */
+export interface ToolInstance {
+  tool_instance_id: number;
+  tool_id: number;
+  agent_id: number;
+  params: Record<string, any>;
+  user_id: string;
+  tenant_id: string;
+  enabled: boolean;
+  version_no: number;
+  delete_flag: string;
+}
+
+export interface Agent {
+  agent_id: number;
+  name: string;
+  display_name?: string;
+  description: string;
+  author?: string;
+  model_name?: string;
+  model_id?: number;
+  max_steps: number;
+  duty_prompt?: string;
+  constraint_prompt?: string;
+  few_shots_prompt?: string;
+  parent_agent_id?: number;
+  tenant_id: string;
+  enabled: boolean;
+  provide_run_summary: boolean;
+  business_description?: string;
+  business_logic_model_name?: string;
+  business_logic_model_id?: number;
+  group_ids?: number[];
+  is_new?: boolean;
+  version_no?: number;
+  current_version_no?: number;
+  sub_agent_id_list?: number[];
+  is_available?: boolean;
+  unavailable_reasons?: string[];
+  tools: ToolInstance[];
+}
+
+export interface AgentVersion { 
+  version_no: number;
+  version_name: string;
+  release_note: string;
+  source_type: string;
+  source_version_no: number;
+  status: string;
+  create_time: string;
+  update_time: string;
+}
+
+export interface AgentVersionResponse {
+  code: number;
+  message: string;
+  data: AgentVersion;
+}
+
+export interface FetchAgentVersionResult {
+  success: boolean;
+  data: AgentVersion;
+  message: string;
+}
+
+/**
+ * Agent version detail - extends Agent with version metadata
+ */
+export interface AgentVersionDetail extends Agent {
+  version: AgentVersion;
+}
+
+export interface AgentVersionDetailResponse {
+  code: number;
+  message: string;
+  data: AgentVersionDetail;
+}
+
+export interface FetchAgentVersionDetailResult {
+  success: boolean;
+  data: AgentVersionDetail;
+  message: string;
+}
+
+/**
+ * Agent version list
+ */
+export interface AgentVersionListData {
+  items: AgentVersion[];
+  total: number;
+}
+
+export interface AgentVersionListResponse {
+  success: boolean;
+  data: AgentVersionListData;
+  message: string;
+}
+
+export interface FetchAgentVersionListResult {
+  success: boolean;
+  data: AgentVersionListData;
+  message: string;
+}
+
+/**
+ * Request model for publishing a version
+ */
+export interface VersionPublishRequest {
+  version_name?: string;
+  release_note?: string;
+}
+
+/**
+ * Response model for publish version
+ */
+export interface VersionPublishResponse {
+  success: boolean;
+  message: string;
+  data?: AgentVersion;
+}
+
+/**
+ * Request model for rollback version
+ */
+export interface VersionRollbackRequest {
+  version_name?: string;
+  release_note?: string;
+}
+
+/**
+ * Response model for rollback version
+ */
+export interface VersionRollbackResponse {
+  success: boolean;
+  message: string;
+  data?: AgentVersion;
+}
+
+/**
+ * Request model for version comparison
+ */
+export interface VersionCompareRequest {
+  version_no_a: number;
+  version_no_b: number;
+}
+
+/**
+ * Response model for version comparison
+ */
+export interface VersionCompareResponse {
+  success: boolean;
+  message: string;
+  data?: {
+    version_a: AgentVersionDetail;
+    version_b: AgentVersionDetail;
+    differences: VersionDifference[];
+  };
+}
+
+/**
+ * Version difference item
+ */
+export interface VersionDifference {
+  field: string;
+  label: string;
+  value_a: any;
+  value_b: any;
+}
+
+/**
+ * Fetch agent version from backend
+ * @param agentId The agent ID
+ * @param versionNo The version number to fetch
+ * @returns Promise containing the version response
+ */
+export async function fetchAgentVersion(
+  agentId: number,
+  versionNo: number
+): Promise<FetchAgentVersionResult> {
+  try {
+    const response = await fetch(API_ENDPOINTS.agent.versions.version(agentId, versionNo), {
+      method: "GET",
+      headers: getAuthHeaders(),
+    });
+    if (!response.ok) {
+      throw new Error(`Request failed: ${response.status}`);
+    }
+
+    const data: AgentVersion = await response.json();
+    return {
+      success: true,
+      data: data || {},
+      message: "",
+    };
+  } catch (error) {
+    log.error("Failed to fetch agent version:", error);
+    return {
+      success: false,
+      data: {} as AgentVersion,
+      message: "Failed to fetch agent version",
+    };
+  }
+}
+
+/**
+ * Fetch agent version detail from backend
+ * @param agentId The agent ID
+ * @param versionNo The version number to fetch
+ * @returns Promise containing the version detail response
+ */
+export async function fetchAgentVersionDetail(
+  agentId: number,
+  versionNo: number
+): Promise<FetchAgentVersionDetailResult> {
+  try {
+    const response = await fetch(
+      API_ENDPOINTS.agent.versions.detail(agentId, versionNo),
+      {
+        method: "GET",
+        headers: getAuthHeaders(),
+      }
+    );
+
+    if (!response.ok) {
+      throw new Error(`Request failed: ${response.status}`);
+    }
+
+    const data: AgentVersionDetail = await response.json();
+    return {
+      success: true,
+      data: data || {},
+      message: "",
+    };
+  } catch (error) {
+    log.error("Failed to fetch agent version info:", error);
+    return {
+      success: false,
+      data: {} as AgentVersionDetail,
+      message: "Failed to fetch agent version info",
+    };
+  }
+}
+
+/**
+ * Fetch agent version list from backend
+ * @param agentId The agent ID to fetch versions for
+ * @param tenantId optional tenant ID for filtering
+ * @returns Promise containing the version list response
+ */
+export async function fetchAgentVersionList(
+  agentId: number,
+  tenantId?: string
+): Promise<FetchAgentVersionListResult> {
+  try {
+    const url = tenantId
+      ? `${API_ENDPOINTS.agent.versions.list(agentId)}?tenant_id=${encodeURIComponent(tenantId)}`
+      : API_ENDPOINTS.agent.versions.list(agentId);
+    const response = await fetch(url, {
+      method: "GET",
+      headers: getAuthHeaders(),
+    });
+
+    if (!response.ok) {
+      throw new Error(`Request failed: ${response.status}`);
+    }
+
+    const data: AgentVersionListData = await response.json();
+    return {
+      success: true,
+      data: data || { items: [], total: 0 },
+      message: "",
+    };
+  } catch (error) {
+    log.error("Failed to fetch agent version list:", error);
+    return {
+      success: false,
+      data: { items: [], total: 0 },
+      message: "Failed to fetch agent version list",
+    };
+  }
+}
+
+/**
+ * Publish a new version of an agent
+ * @param agentId The agent ID to publish
+ * @param request Version publish request containing version_name and release_note
+ * @returns Promise containing the publish result
+ */
+export async function publishVersion(
+  agentId: number,
+  request: VersionPublishRequest
+): Promise<VersionPublishResponse> {
+  try {
+    const response = await fetch(API_ENDPOINTS.agent.publish(agentId), {
+      method: "POST",
+      headers: {
+        ...getAuthHeaders(),
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify(request),
+    });
+
+    if (!response.ok) {
+      throw new Error(`Request failed: ${response.status}`);
+    }
+
+    const data: AgentVersion = await response.json();
+    return {
+      success: true,
+      message: "Version published successfully",
+      data: data,
+    };
+  } catch (error) {
+    log.error("Failed to publish agent version:", error);
+    return {
+      success: false,
+      message: error instanceof Error ? error.message : "Failed to publish version",
+    };
+  }
+}
+
+/**
+ * Rollback to a specific version by updating current_version_no only
+ * This does NOT create a new version - the draft will point to the target version
+ * Use publishVersion to create an actual new version after rollback
+ * @param agentId The agent ID to rollback
+ * @param sourceVersionNo The source version number to rollback to
+ * @returns Promise containing the rollback result
+ */
+export async function rollbackVersion(
+  agentId: number,
+  sourceVersionNo: number
+): Promise<VersionRollbackResponse> {
+  try {
+    const response = await fetch(
+      API_ENDPOINTS.agent.versions.rollback(agentId, sourceVersionNo),
+      {
+        method: "POST",
+        headers: getAuthHeaders(),
+      }
+    );
+
+    if (!response.ok) {
+      throw new Error(`Request failed: ${response.status}`);
+    }
+
+    const data: AgentVersion = await response.json();
+    return {
+      success: true,
+      message: "Version rolled back successfully",
+      data: data,
+    };
+  } catch (error) {
+    log.error("Failed to rollback agent version:", error);
+    return {
+      success: false,
+      message: error instanceof Error ? error.message : "Failed to rollback version",
+    };
+  }
+}
+
+/**
+ * Compare two versions and return their differences
+ * @param agentId The agent ID
+ * @param versionNoA First version number for comparison
+ * @param versionNoB Second version number for comparison
+ * @returns Promise containing the comparison result
+ */
+export async function compareVersions(
+  agentId: number,
+  versionNoA: number,
+  versionNoB: number
+): Promise<VersionCompareResponse> {
+  try {
+    const response = await fetch(API_ENDPOINTS.agent.versions.compare(agentId), {
+      method: "POST",
+      headers: {
+        ...getAuthHeaders(),
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        version_no_a: versionNoA,
+        version_no_b: versionNoB,
+      }),
+    });
+
+    if (!response.ok) {
+      throw new Error(`Request failed: ${response.status}`);
+    }
+
+    const data = await response.json();
+    return {
+      success: true,
+      message: "Version comparison successful",
+      data: data,
+    };
+  } catch (error) {
+    log.error("Failed to compare agent versions:", error);
+    return {
+      success: false,
+      message: error instanceof Error ? error.message : "Failed to compare versions",
+    };
+  }
+}
+
+/**
+ * Delete a specific version
+ * @param agentId The agent ID
+ * @param versionNo The version number to delete
+ * @returns Promise containing the delete result
+ */
+export async function deleteVersion(
+  agentId: number,
+  versionNo: number
+): Promise<{ success: boolean; message: string }> {
+  try {
+    const response = await fetch(
+      API_ENDPOINTS.agent.versions.delete(agentId, versionNo),
+      {
+        method: "DELETE",
+        headers: getAuthHeaders(),
+      }
+    );
+
+    if (!response.ok) {
+      throw new Error(`Request failed: ${response.status}`);
+    }
+
+    return {
+      success: true,
+      message: "Version deleted successfully",
+    };
+  } catch (error) {
+    log.error("Failed to delete agent version:", error);
+    return {
+      success: false,
+      message: error instanceof Error ? error.message : "Failed to delete version",
+    };
+  }
+}
\ No newline at end of file
diff --git a/frontend/services/api.ts b/frontend/services/api.ts
index 32fbf2eea..29b676e16 100644
--- a/frontend/services/api.ts
+++ b/frontend/services/api.ts
@@ -1,4 +1,5 @@
 import { STATUS_CODES } from "@/const/auth";
+import { handleSessionExpired } from "@/lib/session";
 import log from "@/lib/logger";
 import type { MarketAgentListParams } from "@/types/market";
 
@@ -12,6 +13,7 @@ export const API_ENDPOINTS = {
     logout: `${API_BASE_URL}/user/logout`,
     session: `${API_BASE_URL}/user/session`,
     currentUserId: `${API_BASE_URL}/user/current_user_id`,
+    currentUserInfo: `${API_BASE_URL}/user/current_user_info`,
     serviceHealth: `${API_BASE_URL}/user/service_health`,
     revoke: `${API_BASE_URL}/user/revoke`,
   },
@@ -32,6 +34,7 @@ export const API_ENDPOINTS = {
     run: `${API_BASE_URL}/agent/run`,
     update: `${API_BASE_URL}/agent/update`,
     list: `${API_BASE_URL}/agent/list`,
+    publishedList: `${API_BASE_URL}/agent/published_list`,
     delete: `${API_BASE_URL}/agent`,
     getCreatingSubAgentId: `${API_BASE_URL}/agent/get_creating_sub_agent_id`,
     stop: (conversationId: number) =>
@@ -43,6 +46,16 @@ export const API_ENDPOINTS = {
     searchInfo: `${API_BASE_URL}/agent/search_info`,
     callRelationship: `${API_BASE_URL}/agent/call_relationship`,
     clearNew: (agentId: string | number) => `${API_BASE_URL}/agent/clear_new/${agentId}`,
+    publish: (agentId: number) => `${API_BASE_URL}/agent/${agentId}/publish`,
+    versions: {
+      version: (agentId: number, versionNo: number) => `${API_BASE_URL}/agent/${agentId}/versions/${versionNo}`,
+      detail: (agentId: number, versionNo: number) => `${API_BASE_URL}/agent/${agentId}/versions/${versionNo}/detail`,
+      list: (agentId: number) => `${API_BASE_URL}/agent/${agentId}/versions`,
+      current: (agentId: number) => `${API_BASE_URL}/agent/${agentId}/current_version`,
+      rollback: (agentId: number, versionNo: number) => `${API_BASE_URL}/agent/${agentId}/versions/${versionNo}/rollback`,
+      compare: (agentId: number) => `${API_BASE_URL}/agent/${agentId}/versions/compare`,
+      delete: (agentId: number, versionNo: number) => `${API_BASE_URL}/agent/${agentId}/versions/${versionNo}`,
+    },
   },
   tool: {
     list: `${API_BASE_URL}/tool/list`,
@@ -122,6 +135,17 @@ export const API_ENDPOINTS = {
     updateBatchModel: `${API_BASE_URL}/model/batch_update`,
     // LLM model list for generation
     llmModelList: `${API_BASE_URL}/model/llm_list`,
+    // Manage tenant model operations
+    manageModelList: `${API_BASE_URL}/model/manage/list`,
+    manageModelCreate: `${API_BASE_URL}/model/manage/create`,
+    manageModelBatchCreate: `${API_BASE_URL}/model/manage/batch_create`,
+    manageModelHealthcheck: `${API_BASE_URL}/model/manage/healthcheck`,
+    manageModelUpdate: (displayName: string) =>
+      `${API_BASE_URL}/model/manage/update?display_name=${encodeURIComponent(displayName)}`,
+    manageModelDelete: (displayName: string) =>
+      `${API_BASE_URL}/model/manage/delete?display_name=${encodeURIComponent(displayName)}`,
+    manageProviderModelList: `${API_BASE_URL}/model/manage/provider/list`,
+    manageProviderModelCreate: `${API_BASE_URL}/model/manage/provider/create`,
   },
   knowledgeBase: {
     // Elasticsearch service
@@ -137,8 +161,7 @@ export const API_ENDPOINTS = {
     chunkDetail: (indexName: string, chunkId: string) =>
       `${API_BASE_URL}/indices/${indexName}/chunk/${chunkId}`,
     // Update knowledge base info
-    updateIndex: (indexName: string) =>
-      `${API_BASE_URL}/indices/${indexName}`,
+    updateIndex: (indexName: string) => `${API_BASE_URL}/indices/${indexName}`,
     searchHybrid: `${API_BASE_URL}/indices/search/hybrid`,
     summary: (indexName: string) =>
       `${API_BASE_URL}/summary/${indexName}/auto_summary`,
@@ -156,8 +179,12 @@ export const API_ENDPOINTS = {
         pathOrUrl
       )}/error-info`,
   },
+  dify: {
+    datasets: `${API_BASE_URL}/dify/datasets`,
+  },
   datamate: {
     syncDatamateKnowledges: `${API_BASE_URL}/datamate/sync_datamate_knowledges`,
+    testConnection: `${API_BASE_URL}/datamate/test_connection`,
     files: (knowledgeBaseId: string) =>
       `${API_BASE_URL}/datamate/${knowledgeBaseId}/files`,
   },
@@ -254,13 +281,18 @@ export const API_ENDPOINTS = {
     addMember: (groupId: number) => `${API_BASE_URL}/groups/${groupId}/members`,
     removeMember: (groupId: number, userId: string) =>
       `${API_BASE_URL}/groups/${groupId}/members/${userId}`,
-    default: (tenantId: string) => `${API_BASE_URL}/groups/tenants/${tenantId}/default`,
+    default: (tenantId: string) =>
+      `${API_BASE_URL}/groups/tenants/${tenantId}/default`,
   },
   invitations: {
     list: `${API_BASE_URL}/invitations/list`,
     create: `${API_BASE_URL}/invitations`,
-    update: (invitationCode: string) => `${API_BASE_URL}/invitations/${invitationCode}`,
-    delete: (invitationCode: string) => `${API_BASE_URL}/invitations/${invitationCode}`,
+    update: (invitationCode: string) =>
+      `${API_BASE_URL}/invitations/${invitationCode}`,
+    delete: (invitationCode: string) =>
+      `${API_BASE_URL}/invitations/${invitationCode}`,
+    check: (invitationCode: string) =>
+      `${API_BASE_URL}/invitations/${invitationCode}/check`,
   },
 };
 
@@ -360,36 +392,6 @@ export const fetchWithErrorHandling = async (
   }
 };
 
-// Method to handle session expiration
-function handleSessionExpired() {
-  // Prevent duplicate triggers
-  if (window.__isHandlingSessionExpired) {
-    return;
-  }
-
-  // Mark as processing
-  window.__isHandlingSessionExpired = true;
-
-  // Clear locally stored session information
-  if (typeof window !== "undefined") {
-    localStorage.removeItem("session");
-
-    // Use custom events to notify other components in the app (such as SessionExpiredListener)
-    if (window.dispatchEvent) {
-      // Ensure using event name consistent with EVENTS.SESSION_EXPIRED constant
-      window.dispatchEvent(
-        new CustomEvent("session-expired", {
-          detail: { message: "Login expired, please login again" },
-        })
-      );
-    }
-
-    // Reset flag after 300ms to allow future triggers
-    setTimeout(() => {
-      window.__isHandlingSessionExpired = false;
-    }, 300);
-  }
-}
 
 // Add global interface extensions for TypeScript
 declare global {
diff --git a/frontend/services/authService.ts b/frontend/services/authService.ts
index cc724661f..a99870142 100644
--- a/frontend/services/authService.ts
+++ b/frontend/services/authService.ts
@@ -1,15 +1,15 @@
 /**
  * Authentication service
  */
-import { USER_ROLES } from "@/const/modelConfig";
 import { API_ENDPOINTS } from "@/services/api";
 import { sessionService } from "@/services/sessionService";
 
-import { Session, User, SessionResponse } from "@/types/auth";
+import { Session, User, SessionResponse, AuthInfoResponse } from "@/types/auth";
 import { STATUS_CODES } from "@/const/auth";
 
-import { generateAvatarUrl, removeSessionFromStorage } from "@/lib/auth"
-import { fetchWithAuth, getSessionFromStorage, saveSessionToStorage } from "@/lib/auth";
+import { generateAvatarUrl } from "@/lib/auth";
+import { fetchWithAuth } from "@/lib/auth";
+import { removeSessionFromStorage, getSessionFromStorage, saveSessionToStorage } from "@/lib/session";
 import log from "@/lib/logger";
 
 
@@ -22,13 +22,6 @@ export const authService = {
       const sessionObj = getSessionFromStorage();
       if (!sessionObj?.access_token) return null;
 
-      // Check if the token is about to expire, if so, try to refresh
-      const isTokenValid = await sessionService.checkAndRefreshToken();
-      if (!isTokenValid) {
-        log.warn("Token is invalid or refresh failed");
-        // We do not immediately clear the session, but wait for subsequent operations to fail
-      }
-
       try {
         // Verify if the session is valid
         const response = await fetchWithAuth(API_ENDPOINTS.user.session);
@@ -52,20 +45,6 @@ export const authService = {
           return sessionObj;
         }
 
-        const data = await response.json();
-
-        // Update user information (possibly changed on the backend)
-        if (data.data?.user) {
-          sessionObj.user = {
-            ...sessionObj.user,
-            ...data.data.user,
-            avatar_url: sessionObj.user.avatar_url, // Keep avatar
-          };
-
-          // Update stored session
-          saveSessionToStorage(sessionObj);
-        }
-
         return sessionObj;
       } catch (error) {
         log.error("Error verifying session:", error);
@@ -157,7 +136,7 @@ export const authService = {
         id: data.data.user.id,
         email: data.data.user.email,
         role: data.data.user.role,
-        avatar_url,
+        avatarUrl: avatar_url,
       };
 
       // Build session object
@@ -202,8 +181,8 @@ export const authService = {
   signUp: async (
     email: string,
     password: string,
-    isAdmin?: boolean,
-    inviteCode?: string
+    inviteCode?: string,
+    withNewInvitation?: boolean
   ): Promise<SessionResponse> => {
     try {
       const response = await fetch(API_ENDPOINTS.user.signup, {
@@ -214,8 +193,8 @@ export const authService = {
         body: JSON.stringify({
           email,
           password,
-          is_admin: isAdmin || false,
           invite_code: inviteCode || null,
+          with_new_invitation: withNewInvitation || false,
         }),
       });
 
@@ -232,16 +211,6 @@ export const authService = {
         };
       }
 
-      // Generate avatar URL
-      const avatar_url = generateAvatarUrl(email);
-
-      // Build user object
-      const user: User = {
-        id: data.data.user.id,
-        email: data.data.user.email,
-        role: data.data.user.role || USER_ROLES.USER,
-        avatar_url,
-      };
 
       // If the session information is not returned when registering, try to login
       if (!data.data.session || !data.data.session.access_token) {
@@ -258,12 +227,11 @@ export const authService = {
 
         if (!loginResponse.ok) {
           // Return the result with only the user and no session
-          return { data: { user, session: null }, error: null };
+          return { data: { session: null }, error: null };
         }
 
         // Build complete session
         const session: Session = {
-          user,
           access_token: loginData.data.session.access_token,
           refresh_token: loginData.data.session.refresh_token,
           expires_at: loginData.data.session.expires_at,
@@ -272,11 +240,10 @@ export const authService = {
         // Save session to local storage
         saveSessionToStorage(session);
 
-        return { data: { user, session }, error: null };
+        return { data: { session }, error: null };
       } else {
         // Use the session information returned by the registration interface
         const session: Session = {
-          user,
           access_token: data.data.session.access_token,
           refresh_token: data.data.session.refresh_token,
           expires_at: data.data.session.expires_at,
@@ -285,7 +252,7 @@ export const authService = {
         // Save session to local storage
         saveSessionToStorage(session);
 
-        return { data: { user, session }, error: null };
+        return { data: { session }, error: null };
       }
     } catch (error) {
       log.error("Registration failed:", error);
@@ -343,9 +310,48 @@ export const authService = {
       return null;
     }
   },
+  getCurrentUserInfo: async (): Promise<AuthInfoResponse | null> => {
+    try {
+      const response = await fetchWithAuth(API_ENDPOINTS.user.currentUserInfo);
+      // Check HTTP status code instead of data.code
+      if (!response.ok) {
+        log.warn("Failed to get user Info, HTTP status code:", response.status);
+        return null;
+      }
+
+      const data = await response.json();
 
+      if (!data.data) {
+        return null;
+      }
+      const userData = {
+        user: {
+          id: data.data.user.user_id,
+          groupIds: data.data.user.group_ids,
+          tenantId: data.data.user.tenant_id,
+          email: data.data.user.user_email,
+          role: data.data.user.user_role,
+          avatarUrl: data.data.user.avatarUrl,
+          permissions: data.data.user.permissions.map((permission:string) => permission.toLowerCase()),
+          accessibleRoutes: data.data.user.accessibleRoutes.map((router:string) => router.toLowerCase()),
+        }
+      }
+      return userData as AuthInfoResponse;
+    } catch (error) {
+      log.error("Failed to get user Info:", error);
+      return null;
+    }
+  },
   // Refresh token
   refreshToken: async (): Promise<boolean> => {
-    return await sessionService.checkAndRefreshToken();
+    const sessionObj = getSessionFromStorage();
+    if (!sessionObj?.refresh_token) return false;
+
+    const newSession = await sessionService.refreshToken(sessionObj.refresh_token);
+    if (newSession) {
+      saveSessionToStorage(newSession);
+      return true;
+    }
+    return false;
   },
 }; 
\ No newline at end of file
diff --git a/frontend/services/invitationService.ts b/frontend/services/invitationService.ts
index 07aa1fce8..2cb885c9a 100644
--- a/frontend/services/invitationService.ts
+++ b/frontend/services/invitationService.ts
@@ -152,3 +152,30 @@ export async function deleteInvitation(invitationCode: string): Promise<void> {
     throw new ApiError(500, "Failed to delete invitation");
   }
 }
+
+/**
+ * Check if invitation code already exists
+ */
+export async function checkInvitationCodeExists(invitationCode: string): Promise<boolean> {
+  try {
+    const response = await fetchWithAuth(API_ENDPOINTS.invitations.check(invitationCode), {
+      method: "GET",
+    });
+
+    if (!response.ok) {
+      // If 404, code doesn't exist
+      if (response.status === 404) {
+        return false;
+      }
+      throw new ApiError(response.status, "Failed to check invitation code");
+    }
+
+    const result = await response.json();
+    return result.data?.exists ?? false;
+  } catch (error) {
+    if (error instanceof ApiError) {
+      throw error;
+    }
+    throw new ApiError(500, "Failed to check invitation code");
+  }
+}
\ No newline at end of file
diff --git a/frontend/services/knowledgeBasePollingService.ts b/frontend/services/knowledgeBasePollingService.ts
index b899d8bdf..5d78a13e7 100644
--- a/frontend/services/knowledgeBasePollingService.ts
+++ b/frontend/services/knowledgeBasePollingService.ts
@@ -175,7 +175,8 @@ class KnowledgeBasePollingService {
       let count = 0;
       const checkForStats = async () => {
         try {
-          const kbs = await knowledgeBaseService.getKnowledgeBasesInfo(true) as KnowledgeBase[];
+          const result = await knowledgeBaseService.getKnowledgeBasesInfo(true);
+          const kbs = result.knowledgeBases;
           const kb = kbs.find(k => k.id === kbId || k.name === kbName);
 
           // Check if KB exists and its stats are populated
diff --git a/frontend/services/knowledgeBaseService.ts b/frontend/services/knowledgeBaseService.ts
index 5fa9f4921..0fe76ced7 100644
--- a/frontend/services/knowledgeBaseService.ts
+++ b/frontend/services/knowledgeBaseService.ts
@@ -10,8 +10,11 @@ import {
   Document,
   KnowledgeBase,
   KnowledgeBaseCreateParams,
+  KnowledgeBasesWithDataMateStatus,
+  DataMateSyncError,
 } from "@/types/knowledgeBase";
 import { getAuthHeaders, fetchWithAuth } from "@/lib/auth";
+import { configStore } from "@/lib/config";
 import log from "@/lib/logger";
 
 // @ts-ignore
@@ -41,19 +44,112 @@ class KnowledgeBaseService {
     }
   }
 
+  // Sync Dify knowledge bases
+  async syncDifyKnowledgeBases(
+    difyApiBase: string,
+    apiKey: string
+  ): Promise<{
+    indices: string[];
+    count: number;
+    indices_info: any[];
+  }> {
+    try {
+      // Call backend proxy endpoint to avoid CORS issues
+      const url = new URL(API_ENDPOINTS.dify.datasets, window.location.origin);
+      url.searchParams.set("dify_api_base", difyApiBase);
+      url.searchParams.set("api_key", apiKey);
+
+      const response = await fetch(url.toString(), {
+        method: "GET",
+        headers: getAuthHeaders(),
+      });
+
+      if (!response.ok) {
+        const errorData = await response.json();
+        throw new Error(errorData.detail || "Failed to fetch Dify datasets");
+      }
+
+      const result = await response.json();
+      return {
+        indices: result.indices || [],
+        count: result.count || 0,
+        indices_info: result.indices_info || [],
+      };
+    } catch (error) {
+      log.error("Failed to sync Dify knowledge bases:", error);
+      throw error;
+    }
+  }
+
+  // Get Dify knowledge bases as KnowledgeBase array
+  async getDifyKnowledgeBases(
+    difyApiBase: string,
+    apiKey: string
+  ): Promise<KnowledgeBase[]> {
+    try {
+      const syncResult = await this.syncDifyKnowledgeBases(difyApiBase, apiKey);
+
+      if (!syncResult.indices_info || syncResult.indices_info.length === 0) {
+        return [];
+      }
+
+      // Transform to KnowledgeBase format
+      const difyKnowledgeBases: KnowledgeBase[] = syncResult.indices_info.map(
+        (indexInfo: any) => {
+          const stats = indexInfo.stats?.base_info || {};
+          return {
+            id: indexInfo.name,
+            name: indexInfo.display_name || indexInfo.name,
+            display_name: indexInfo.display_name || indexInfo.name,
+            description: "Dify knowledge base",
+            documentCount: stats.doc_count || 0,
+            chunkCount: stats.chunk_count || 0,
+            createdAt: stats.creation_date || null,
+            updatedAt: stats.update_date || stats.creation_date || null,
+            embeddingModel: stats.embedding_model || "unknown",
+            knowledge_sources: "dify",
+            ingroup_permission: "",
+            group_ids: [],
+            store_size: stats.store_size || "",
+            process_source: stats.process_source || "Dify",
+            avatar: "",
+            chunkNum: 0,
+            language: "",
+            nickname: "",
+            parserId: "",
+            permission: "",
+            tokenNum: 0,
+            source: "dify",
+            tenant_id: "",
+          };
+        }
+      );
+
+      return difyKnowledgeBases;
+    } catch (error) {
+      log.error("Failed to get Dify knowledge bases:", error);
+      throw error;
+    }
+  }
+
   // Sync DataMate knowledge bases and create local records
-  async syncDataMateAndCreateRecords(): Promise<{
+  async syncDataMateAndCreateRecords(datamateUrl?: string): Promise<{
     indices: string[];
     count: number;
     indices_info: any[];
     created_records: any[];
   }> {
     try {
+      const body = datamateUrl
+        ? JSON.stringify({ datamate_url: datamateUrl })
+        : undefined;
+
       const response = await fetch(
         API_ENDPOINTS.datamate.syncDatamateKnowledges,
         {
           method: "POST",
           headers: getAuthHeaders(),
+          ...(body && { body }),
         }
       );
 
@@ -76,14 +172,125 @@ class KnowledgeBaseService {
     }
   }
 
+  /**
+   * Test connection to DataMate server
+   * @param datamateUrl Optional DataMate URL to test (uses configured URL if not provided)
+   * @returns Promise<{success: boolean, error?: string}>
+   */
+  async testDataMateConnection(
+    datamateUrl?: string
+  ): Promise<{ success: boolean; error?: string }> {
+    try {
+      const body = datamateUrl
+        ? JSON.stringify({ datamate_url: datamateUrl })
+        : undefined;
+
+      const response = await fetch(API_ENDPOINTS.datamate.testConnection, {
+        method: "POST",
+        headers: getAuthHeaders(),
+        ...(body && { body }),
+      });
+
+      if (response.ok) {
+        return { success: true };
+      }
+
+      const errorData = await response.json();
+      return {
+        success: false,
+        error: errorData.detail || "Connection failed",
+      };
+    } catch (error) {
+      log.error("Failed to test DataMate connection:", error);
+      return {
+        success: false,
+        error:
+          error instanceof Error ? error.message : "Connection test failed",
+      };
+    }
+  }
+
+  // Sync Dify knowledge bases
+  async syncDifyDatasets(
+    difyApiBase: string,
+    apiKey: string
+  ): Promise<{
+    indices: string[];
+    count: number;
+    indices_info: any[];
+  }> {
+    try {
+      // Normalize URL by removing trailing slash
+      const normalizedApiBase = difyApiBase.replace(/\/+$/, "");
+      const url = `${normalizedApiBase}/v1/datasets`;
+
+      const response = await fetch(url, {
+        method: "GET",
+        headers: {
+          Authorization: `Bearer ${apiKey}`,
+          "Content-Type": "application/json",
+        },
+      });
+
+      if (!response.ok) {
+        throw new Error(`Dify API error: ${response.status}`);
+      }
+
+      const result = await response.json();
+      const datasetsData = result.data || [];
+
+      // Transform to internal format
+      const indices: string[] = [];
+      const indices_info: any[] = [];
+
+      for (const dataset of datasetsData) {
+        const datasetId = dataset.id;
+        if (!datasetId) continue;
+
+        indices.push(datasetId);
+
+        indices_info.push({
+          name: datasetId,
+          display_name: dataset.name,
+          stats: {
+            base_info: {
+              doc_count: dataset.document_count || 0,
+              chunk_count: 0,
+              store_size: "",
+              process_source: "Dify",
+              embedding_model: dataset.embedding_model || "",
+              embedding_dim: 0,
+              creation_date: (dataset.created_at || 0) * 1000,
+              update_date: (dataset.updated_at || 0) * 1000,
+            },
+            search_performance: {
+              total_search_count: 0,
+              hit_count: 0,
+            },
+          },
+        });
+      }
+
+      return {
+        indices,
+        count: indices.length,
+        indices_info,
+      };
+    } catch (error) {
+      log.error("Failed to sync Dify datasets:", error);
+      throw error;
+    }
+  }
+
   // Get knowledge bases with stats from all sources (very slow, don't use it)
   async getKnowledgeBasesInfo(
     skipHealthCheck = false,
     includeDataMateSync = true,
     tenantId: string | null = null
-  ): Promise<KnowledgeBase[]> {
+  ): Promise<KnowledgeBasesWithDataMateStatus> {
     try {
       const knowledgeBases: KnowledgeBase[] = [];
+      let dataMateSyncError: string | undefined;
 
       // Get knowledge bases from Elasticsearch
       try {
@@ -106,7 +313,14 @@ class KnowledgeBaseService {
             });
             const data = await response.json();
 
+            log.log("Elasticsearch indices response:", data);
+
             if (data.indices && data.indices_info) {
+              log.log(
+                "Processing indices_info:",
+                data.indices_info.length,
+                "items"
+              );
               // Convert Elasticsearch indices to knowledge base format
               const esKnowledgeBases = data.indices_info.map(
                 (indexInfo: any) => {
@@ -121,14 +335,20 @@ class KnowledgeBaseService {
                   return {
                     id: kbId,
                     name: kbName,
+                    display_name: indexInfo.display_name || indexInfo.name,
                     description: "Elasticsearch index",
                     documentCount: stats.doc_count || 0,
                     chunkCount: stats.chunk_count || 0,
                     createdAt: stats.creation_date || null,
                     // Use update_time from database for sorting, fallback to ES update_date
-                    updatedAt: indexInfo.update_time || stats.update_date || stats.creation_date || null,
+                    updatedAt:
+                      indexInfo.update_time ||
+                      stats.update_date ||
+                      stats.creation_date ||
+                      null,
                     embeddingModel: stats.embedding_model || "unknown",
-                    knowledge_sources: indexInfo.knowledge_sources || "elasticsearch",
+                    knowledge_sources:
+                      indexInfo.knowledge_sources || "elasticsearch",
                     ingroup_permission: indexInfo.ingroup_permission || "",
                     group_ids: indexInfo.group_ids || [],
                     store_size: stats.store_size || "",
@@ -145,7 +365,20 @@ class KnowledgeBaseService {
                   };
                 }
               );
+              log.log("Converted knowledge bases:", esKnowledgeBases);
               knowledgeBases.push(...esKnowledgeBases);
+            } else {
+              log.log(
+                "Skipping indices processing:",
+                "indices exists:",
+                !!data.indices,
+                "indices_info exists:",
+                !!data.indices_info,
+                "indices length:",
+                data.indices?.length,
+                "indices_info length:",
+                data.indices_info?.length
+              );
             }
           }
         }
@@ -153,51 +386,71 @@ class KnowledgeBaseService {
         log.error("Failed to get Elasticsearch indices:", error);
       }
 
-      // Sync DataMate knowledge bases and get the synced data (only if enabled)
+      // Sync DataMate knowledge bases and get the synced data (only if enabled and URL is configured)
       if (includeDataMateSync) {
-        try {
-          const syncResult = await this.syncDataMateAndCreateRecords();
-          if (syncResult.indices_info) {
-            // Convert synced DataMate indices to knowledge base format
-            const datamateKnowledgeBases: KnowledgeBase[] =
-              syncResult.indices_info.map((indexInfo: any) => {
-                const stats = indexInfo.stats?.base_info || {};
-                const kbId = indexInfo.name;
-                const kbName = indexInfo.display_name || indexInfo.name;
-
-                return {
-                  id: kbId,
-                  name: kbName,
-                  description: "DataMate knowledge base",
-                  documentCount: stats.doc_count || 0,
-                  chunkCount: stats.chunk_count || 0,
-                  createdAt: stats.creation_date || null,
-                  updatedAt: stats.update_date || stats.creation_date || null,
-                  embeddingModel: stats.embedding_model || "unknown",
-                  knowledge_sources: indexInfo.knowledge_sources || "datamate",
-                  ingroup_permission: indexInfo.ingroup_permission || "",
-                  group_ids: indexInfo.group_ids || [],
-                  store_size: stats.store_size || "",
-                  process_source: stats.process_source || "",
-                  avatar: "",
-                  chunkNum: 0,
-                  language: "",
-                  nickname: "",
-                  parserId: "",
-                  permission: indexInfo.permission || "",
-                  tokenNum: 0,
-                  source: "datamate",
-                  tenant_id: indexInfo.tenant_id,
-                };
-              });
-            knowledgeBases.push(...datamateKnowledgeBases);
+        // Check if DataMate URL is configured before attempting sync
+        const config = configStore.getConfig();
+        const currentDataMateUrl = config.app?.datamateUrl;
+
+        if (!currentDataMateUrl || currentDataMateUrl.trim() === "") {
+          // Skip DataMate sync if URL is not configured
+          log.info(
+            "DataMate URL not configured, skipping DataMate knowledge base sync"
+          );
+        } else {
+          try {
+            const syncResult = await this.syncDataMateAndCreateRecords();
+            if (syncResult.indices_info) {
+              // Convert synced DataMate indices to knowledge base format
+              const datamateKnowledgeBases: KnowledgeBase[] =
+                syncResult.indices_info.map((indexInfo: any) => {
+                  const stats = indexInfo.stats?.base_info || {};
+                  const kbId = indexInfo.name;
+                  const kbName = indexInfo.display_name || indexInfo.name;
+
+                  return {
+                    id: kbId,
+                    name: kbName,
+                    display_name: indexInfo.display_name || indexInfo.name,
+                    description: "DataMate knowledge base",
+                    documentCount: stats.doc_count || 0,
+                    chunkCount: stats.chunk_count || 0,
+                    createdAt: stats.creation_date || null,
+                    updatedAt: stats.update_date || stats.creation_date || null,
+                    embeddingModel: stats.embedding_model || "unknown",
+                    knowledge_sources:
+                      indexInfo.knowledge_sources || "datamate",
+                    ingroup_permission: indexInfo.ingroup_permission || "",
+                    group_ids: indexInfo.group_ids || [],
+                    store_size: stats.store_size || "",
+                    process_source: stats.process_source || "",
+                    avatar: "",
+                    chunkNum: 0,
+                    language: "",
+                    nickname: "",
+                    parserId: "",
+                    permission: indexInfo.permission || "",
+                    tokenNum: 0,
+                    source: "datamate",
+                    tenant_id: indexInfo.tenant_id,
+                  };
+                });
+              knowledgeBases.push(...datamateKnowledgeBases);
+            }
+          } catch (error) {
+            // Store the error message for DataMate sync failure
+            const errorMessage =
+              error instanceof Error ? error.message : String(error);
+            dataMateSyncError = errorMessage;
+            log.error("Failed to sync DataMate knowledge bases:", error);
           }
-        } catch (error) {
-          log.error("Failed to sync DataMate knowledge bases:", error);
         }
       }
 
-      return knowledgeBases;
+      return {
+        knowledgeBases,
+        dataMateSyncError,
+      };
     } catch (error) {
       log.error("Failed to get knowledge base list:", error);
       throw error;
@@ -283,16 +536,33 @@ class KnowledgeBaseService {
         );
       }
 
+      // Build request body with optional group permission and user groups
+      const requestBody: {
+        name: string;
+        description: string;
+        embeddingModel?: string;
+        ingroup_permission?: string;
+        group_ids?: number[];
+      } = {
+        name: params.name,
+        description: params.description || "",
+        embeddingModel: params.embeddingModel || "",
+      };
+
+      // Include group permission and user groups if provided
+      if (params.ingroup_permission) {
+        requestBody.ingroup_permission = params.ingroup_permission;
+      }
+      if (params.group_ids && params.group_ids.length > 0) {
+        requestBody.group_ids = params.group_ids;
+      }
+
       const response = await fetch(
         API_ENDPOINTS.knowledgeBase.indexDetail(params.name),
         {
           method: "POST",
           headers: getAuthHeaders(), // Add user authentication information to obtain the user id
-          body: JSON.stringify({
-            name: params.name,
-            description: params.description || "",
-            embeddingModel: params.embeddingModel || "",
-          }),
+          body: JSON.stringify(requestBody),
         }
       );
 
@@ -318,7 +588,7 @@ class KnowledgeBaseService {
         parserId: "",
         permission: "",
         tokenNum: 0,
-        source: params.source || "elasticsearch"
+        source: params.source || "elasticsearch",
       };
     } catch (error) {
       log.error("Failed to create knowledge base:", error);
@@ -954,7 +1224,9 @@ class KnowledgeBaseService {
       const result = await response.json();
 
       if (!response.ok) {
-        throw new Error(result.detail || result.message || "Failed to update knowledge base");
+        throw new Error(
+          result.detail || result.message || "Failed to update knowledge base"
+        );
       }
     } catch (error) {
       log.error("Failed to update knowledge base:", error);
diff --git a/frontend/services/mcpService.ts b/frontend/services/mcpService.ts
index 4d4577977..975a6c4d4 100644
--- a/frontend/services/mcpService.ts
+++ b/frontend/services/mcpService.ts
@@ -24,9 +24,12 @@ const getAuthHeaders = () => {
 /**
  * Get MCP server list
  */
-export const getMcpServerList = async () => {
+export const getMcpServerList = async (tenantId?: string | null) => {
   try {
-    const response = await fetch(API_ENDPOINTS.mcp.list, {
+    const url = tenantId 
+      ? `${API_ENDPOINTS.mcp.list}?tenant_id=${encodeURIComponent(tenantId)}`
+      : API_ENDPOINTS.mcp.list;
+    const response = await fetch(url, {
       headers: getAuthHeaders(),
     });
 
@@ -39,7 +42,8 @@ export const getMcpServerList = async () => {
         return {
           service_name: server.remote_mcp_server_name,
           mcp_url: server.remote_mcp_server,
-          status: server.status || false
+          status: server.status || false,
+          permission: server.permission,
         };
       });
 
@@ -83,10 +87,17 @@ export const getMcpServerList = async () => {
 /**
  * Add MCP server
  */
-export const addMcpServer = async (mcpUrl: string, serviceName: string) => {
+export const addMcpServer = async (mcpUrl: string, serviceName: string, tenantId?: string | null) => {
   try {
+    const params = new URLSearchParams({
+      mcp_url: mcpUrl,
+      service_name: serviceName,
+    });
+    if (tenantId) {
+      params.append('tenant_id', tenantId);
+    }
     const response = await fetch(
-      `${API_ENDPOINTS.mcp.add}?mcp_url=${encodeURIComponent(mcpUrl)}&service_name=${encodeURIComponent(serviceName)}`,
+      `${API_ENDPOINTS.mcp.add}?${params.toString()}`,
       {
         method: 'POST',
         headers: getAuthHeaders(),
@@ -136,10 +147,14 @@ export const updateMcpServer = async (
   currentServiceName: string,
   currentMcpUrl: string,
   newServiceName: string,
-  newMcpUrl: string
+  newMcpUrl: string,
+  tenantId?: string | null
 ) => {
   try {
-    const response = await fetch(API_ENDPOINTS.mcp.update, {
+    const url = tenantId 
+      ? `${API_ENDPOINTS.mcp.update}?tenant_id=${encodeURIComponent(tenantId)}`
+      : API_ENDPOINTS.mcp.update;
+    const response = await fetch(url, {
       method: "PUT",
       headers: getAuthHeaders(),
       body: JSON.stringify({
@@ -190,10 +205,17 @@ export const updateMcpServer = async (
 /**
  * Delete MCP server
  */
-export const deleteMcpServer = async (mcpUrl: string, serviceName: string) => {
+export const deleteMcpServer = async (mcpUrl: string, serviceName: string, tenantId?: string | null) => {
   try {
+    const params = new URLSearchParams({
+      mcp_url: mcpUrl,
+      service_name: serviceName,
+    });
+    if (tenantId) {
+      params.append('tenant_id', tenantId);
+    }
     const response = await fetch(
-      `${API_ENDPOINTS.mcp.delete}?mcp_url=${encodeURIComponent(mcpUrl)}&service_name=${encodeURIComponent(serviceName)}`,
+      `${API_ENDPOINTS.mcp.delete}?${params.toString()}`,
       {
         method: 'DELETE',
         headers: getAuthHeaders(),
@@ -339,10 +361,17 @@ export const updateToolList = async () => {
 /**
  * checkMcpServerHealth
  */
-export const checkMcpServerHealth = async (mcpUrl: string, serviceName: string) => {
+export const checkMcpServerHealth = async (mcpUrl: string, serviceName: string, tenantId?: string | null) => {
   try {
+    const params = new URLSearchParams({
+      mcp_url: mcpUrl,
+      service_name: serviceName,
+    });
+    if (tenantId) {
+      params.append('tenant_id', tenantId);
+    }
     const response = await fetch(
-      `${API_ENDPOINTS.mcp.healthcheck}?mcp_url=${encodeURIComponent(mcpUrl)}&service_name=${encodeURIComponent(serviceName)}`,
+      `${API_ENDPOINTS.mcp.healthcheck}?${params.toString()}`,
       {
         headers: getAuthHeaders(),
       }
@@ -380,9 +409,12 @@ export const checkMcpServerHealth = async (mcpUrl: string, serviceName: string)
 /**
  * Add MCP server from container configuration
  */
-export const addMcpFromConfig = async (mcpConfig: { mcpServers: Record<string, { command: string; args?: string[]; env?: Record<string, string>; port?: number; image?: string }> }) => {
+export const addMcpFromConfig = async (mcpConfig: { mcpServers: Record<string, { command: string; args?: string[]; env?: Record<string, string>; port?: number; image?: string }> }, tenantId?: string | null) => {
   try {
-    const response = await fetch(API_ENDPOINTS.mcp.addFromConfig, {
+    const url = tenantId 
+      ? `${API_ENDPOINTS.mcp.addFromConfig}?tenant_id=${encodeURIComponent(tenantId)}`
+      : API_ENDPOINTS.mcp.addFromConfig;
+    const response = await fetch(url, {
       method: 'POST',
       headers: getAuthHeaders(),
       body: JSON.stringify(mcpConfig),
@@ -424,9 +456,12 @@ export const addMcpFromConfig = async (mcpConfig: { mcpServers: Record<string, {
 /**
  * Get MCP container list
  */
-export const getMcpContainers = async () => {
+export const getMcpContainers = async (tenantId?: string | null) => {
   try {
-    const response = await fetch(API_ENDPOINTS.mcp.containers, {
+    const url = tenantId 
+      ? `${API_ENDPOINTS.mcp.containers}?tenant_id=${encodeURIComponent(tenantId)}`
+      : API_ENDPOINTS.mcp.containers;
+    const response = await fetch(url, {
       headers: getAuthHeaders(),
     });
 
@@ -464,10 +499,16 @@ export const getMcpContainers = async () => {
 /**
  * Get MCP container logs
  */
-export const getMcpContainerLogs = async (containerId: string, tail: number = 100) => {
+export const getMcpContainerLogs = async (containerId: string, tail: number = 100, tenantId?: string | null) => {
   try {
+    const params = new URLSearchParams({
+      tail: tail.toString(),
+    });
+    if (tenantId) {
+      params.append('tenant_id', tenantId);
+    }
     const response = await fetch(
-      `${API_ENDPOINTS.mcp.containerLogs(containerId)}?tail=${tail}`,
+      `${API_ENDPOINTS.mcp.containerLogs(containerId)}?${params.toString()}`,
       {
         headers: getAuthHeaders(),
       }
@@ -509,7 +550,7 @@ export const getMcpContainerLogs = async (containerId: string, tail: number = 10
 /**
  * Upload MCP image and start container
  */
-export const uploadMcpImage = async (file: File, port: number, serviceName?: string, envVars?: string) => {
+export const uploadMcpImage = async (file: File, port: number, serviceName?: string, envVars?: string, tenantId?: string | null) => {
   try {
     const formData = new FormData();
     formData.append('file', file);
@@ -520,6 +561,9 @@ export const uploadMcpImage = async (file: File, port: number, serviceName?: str
     if (envVars) {
       formData.append('env_vars', envVars);
     }
+    if (tenantId) {
+      formData.append('tenant_id', tenantId);
+    }
 
     const authHeaders = getAuthHeaders();
     // Remove Content-Type header for FormData - let browser set it with boundary
@@ -572,9 +616,12 @@ export const uploadMcpImage = async (file: File, port: number, serviceName?: str
 /**
  * Delete MCP container
  */
-export const deleteMcpContainer = async (containerId: string) => {
+export const deleteMcpContainer = async (containerId: string, tenantId?: string | null) => {
   try {
-    const response = await fetch(API_ENDPOINTS.mcp.deleteContainer(containerId), {
+    const url = tenantId 
+      ? `${API_ENDPOINTS.mcp.deleteContainer(containerId)}?tenant_id=${encodeURIComponent(tenantId)}`
+      : API_ENDPOINTS.mcp.deleteContainer(containerId);
+    const response = await fetch(url, {
       method: 'DELETE',
       headers: getAuthHeaders(),
     });
diff --git a/frontend/services/modelService.ts b/frontend/services/modelService.ts
index e329db237..a52b29b75 100644
--- a/frontend/services/modelService.ts
+++ b/frontend/services/modelService.ts
@@ -237,6 +237,49 @@ export const modelService = {
     }
   },
 
+  // List provider models for a specific tenant (admin/manage operation)
+  getManageProviderModelList: async (params: {
+    tenantId: string;
+    provider: string;
+    modelType: string;
+    apiKey?: string;
+    baseUrl?: string;
+  }): Promise<any[]> => {
+    try {
+      const response = await fetch(
+        API_ENDPOINTS.model.manageProviderModelList,
+        {
+          method: "POST",
+          headers: {
+            ...getAuthHeaders(),
+            "Content-Type": "application/json",
+          },
+          body: JSON.stringify({
+            tenant_id: params.tenantId,
+            provider: params.provider,
+            model_type: params.modelType,
+            ...(params.apiKey ? { api_key: params.apiKey } : {}),
+            ...(params.baseUrl ? { base_url: params.baseUrl } : {}),
+          }),
+        }
+      );
+      log.log("getManageProviderModelList response", response);
+      const result = await response.json();
+      log.log("getManageProviderModelList result", result);
+      if (response.status !== 200) {
+        throw new ModelError(
+          result.detail || result.message || "Failed to get provider model list",
+          response.status
+        );
+      }
+      return result.data || [];
+    } catch (error) {
+      log.log("getManageProviderModelList error", error);
+      if (error instanceof ModelError) throw error;
+      throw new ModelError("Failed to get provider model list", 500);
+    }
+  },
+
   updateSingleModel: async (model: {
     currentDisplayName: string;
     displayName?: string;
@@ -381,6 +424,41 @@ export const modelService = {
     }
   },
 
+  // Check model connectivity for a specific tenant (admin/manage operation)
+  checkManageTenantModelConnectivity: async (
+    tenantId: string,
+    displayName: string,
+    signal?: AbortSignal
+  ): Promise<boolean> => {
+    try {
+      if (!displayName) return false;
+      const response = await fetch(API_ENDPOINTS.model.manageModelHealthcheck, {
+        method: "POST",
+        headers: {
+          ...getAuthHeaders(),
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+          tenant_id: tenantId,
+          display_name: displayName,
+        }),
+        signal,
+      });
+      const result = await response.json();
+      if (response.status === 200 && result.data) {
+        return result.data.connectivity;
+      }
+      return false;
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        log.warn(`验证模型 ${displayName} (租户: ${tenantId}) 连接被取消`);
+        throw error;
+      }
+      log.error(`验证模型 ${displayName} (租户: ${tenantId}) 连接失败:`, error);
+      return false;
+    }
+  },
+
   // Verify model configuration connectivity before adding it
   verifyModelConfigConnectivity: async (
     config: {
@@ -466,6 +544,332 @@ export const modelService = {
       return [];
     }
   },
+
+  // Manage tenant models (for admin operations with tenant_id)
+  getManageTenantModels: async (params: {
+    tenantId: string;
+    modelType?: string;
+    page?: number;
+    pageSize?: number;
+  }): Promise<{
+    models: ModelOption[];
+    total: number;
+    page: number;
+    pageSize: number;
+    totalPages: number;
+    tenantName: string;
+  }> => {
+    try {
+      const response = await fetch(API_ENDPOINTS.model.manageModelList, {
+        method: "POST",
+        headers: {
+          ...getAuthHeaders(),
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+          tenant_id: params.tenantId,
+          model_type: params.modelType,
+          page: params.page || 1,
+          page_size: params.pageSize || 20,
+        }),
+      });
+      const result = await response.json();
+
+      if (response.status === STATUS_CODES.SUCCESS && result.data) {
+        return {
+          models: result.data.models.map((model: any) => ({
+            id: model.model_id,
+            name: model.model_name,
+            type: model.model_type as ModelType,
+            maxTokens: model.max_tokens || 0,
+            source: model.model_factory as ModelSource,
+            apiKey: model.api_key || "",
+            apiUrl: model.base_url || "",
+            displayName: model.display_name || model.model_name,
+            connect_status: model.connect_status as ModelConnectStatus,
+            expectedChunkSize: model.expected_chunk_size,
+            maximumChunkSize: model.maximum_chunk_size,
+            chunkingBatchSize: model.chunk_batch,
+          })),
+          total: result.data.total || 0,
+          page: result.data.page || 1,
+          pageSize: result.data.page_size || 20,
+          totalPages: result.data.total_pages || 0,
+          tenantName: result.data.tenant_name || "",
+        };
+      }
+
+      return {
+        models: [],
+        total: 0,
+        page: 1,
+        pageSize: 20,
+        totalPages: 0,
+        tenantName: "",
+      };
+    } catch (error) {
+      log.warn("Failed to load manage tenant models:", error);
+      return {
+        models: [],
+        total: 0,
+        page: 1,
+        pageSize: 20,
+        totalPages: 0,
+        tenantName: "",
+      };
+    }
+  },
+
+  // Create model for a specific tenant
+  createManageTenantModel: async (params: {
+    tenantId: string;
+    name: string;
+    type: ModelType;
+    url: string;
+    apiKey: string;
+    maxTokens?: number;
+    displayName?: string;
+    expectedChunkSize?: number;
+    maximumChunkSize?: number;
+    chunkingBatchSize?: number;
+  }): Promise<void> => {
+    try {
+      const response = await fetch(API_ENDPOINTS.model.manageModelCreate, {
+        method: "POST",
+        headers: {
+          ...getAuthHeaders(),
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+          tenant_id: params.tenantId,
+          model_repo: "",
+          model_name: params.name,
+          model_type: params.type,
+          base_url: params.url,
+          api_key: params.apiKey,
+          max_tokens: params.maxTokens || 4096,
+          display_name: params.displayName || params.name,
+          expected_chunk_size: params.expectedChunkSize,
+          maximum_chunk_size: params.maximumChunkSize,
+          chunk_batch: params.chunkingBatchSize,
+        }),
+      });
+
+      const result = await response.json();
+      if (response.status !== STATUS_CODES.SUCCESS) {
+        throw new ModelError(
+          result.detail || result.message || "Failed to create model for tenant",
+          response.status
+        );
+      }
+    } catch (error) {
+      if (error instanceof ModelError) throw error;
+      log.warn("Failed to create manage tenant model:", error);
+      throw new ModelError("Failed to create model for tenant", 500);
+    }
+  },
+
+  // Update model for a specific tenant
+  updateManageTenantModel: async (params: {
+    tenantId: string;
+    currentDisplayName: string;
+    displayName?: string;
+    url: string;
+    apiKey: string;
+    maxTokens?: number;
+    expectedChunkSize?: number;
+    maximumChunkSize?: number;
+    chunkingBatchSize?: number;
+  }): Promise<void> => {
+    try {
+      const response = await fetch(
+        API_ENDPOINTS.model.manageModelUpdate(params.currentDisplayName),
+        {
+          method: "POST",
+          headers: {
+            ...getAuthHeaders(),
+            "Content-Type": "application/json",
+          },
+          body: JSON.stringify({
+            tenant_id: params.tenantId,
+            current_display_name: params.currentDisplayName,
+            ...(params.displayName !== undefined ? { display_name: params.displayName } : {}),
+            base_url: params.url,
+            api_key: params.apiKey,
+            ...(params.maxTokens !== undefined ? { max_tokens: params.maxTokens } : {}),
+            ...(params.expectedChunkSize !== undefined ? { expected_chunk_size: params.expectedChunkSize } : {}),
+            ...(params.maximumChunkSize !== undefined ? { maximum_chunk_size: params.maximumChunkSize } : {}),
+            ...(params.chunkingBatchSize !== undefined ? { chunk_batch: params.chunkingBatchSize } : {}),
+          }),
+        }
+      );
+
+      const result = await response.json();
+      if (response.status !== STATUS_CODES.SUCCESS) {
+        throw new ModelError(
+          result.detail || result.message || "Failed to update model for tenant",
+          response.status
+        );
+      }
+    } catch (error) {
+      if (error instanceof ModelError) throw error;
+      log.warn("Failed to update manage tenant model:", error);
+      throw new ModelError("Failed to update model for tenant", 500);
+    }
+  },
+
+  // Delete model from a specific tenant
+  deleteManageTenantModel: async (params: {
+    tenantId: string;
+    displayName: string;
+  }): Promise<void> => {
+    try {
+      const response = await fetch(
+        API_ENDPOINTS.model.manageModelDelete(params.displayName),
+        {
+          method: "POST",
+          headers: {
+            ...getAuthHeaders(),
+            "Content-Type": "application/json",
+          },
+          body: JSON.stringify({
+            tenant_id: params.tenantId,
+            display_name: params.displayName,
+          }),
+        }
+      );
+
+      const result = await response.json();
+      if (response.status !== STATUS_CODES.SUCCESS) {
+        throw new ModelError(
+          result.detail || result.message || "Failed to delete model for tenant",
+          response.status
+        );
+      }
+    } catch (error) {
+      if (error instanceof ModelError) throw error;
+      log.warn("Failed to delete manage tenant model:", error);
+      throw new ModelError("Failed to delete model for tenant", 500);
+    }
+  },
+
+  // Batch create models for a specific tenant
+  batchCreateManageTenantModels: async (params: {
+    tenantId: string;
+    provider: string;
+    type: string;
+    apiKey: string;
+    models: Array<{
+      id: string;
+      object?: string;
+      created?: number;
+      owned_by?: string;
+      max_tokens?: number;
+    }>;
+  }): Promise<{ tenantId: string; provider: string; type: string; modelsCount: number }> => {
+    try {
+      const response = await fetch(API_ENDPOINTS.model.manageModelBatchCreate, {
+        method: "POST",
+        headers: {
+          ...getAuthHeaders(),
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+          tenant_id: params.tenantId,
+          provider: params.provider,
+          type: params.type,
+          api_key: params.apiKey,
+          models: params.models,
+        }),
+      });
+
+      const result = await response.json();
+      if (response.status !== STATUS_CODES.SUCCESS) {
+        throw new ModelError(
+          result.detail || result.message || "Failed to batch create models for tenant",
+          response.status
+        );
+      }
+      return {
+        tenantId: result.data.tenant_id,
+        provider: result.data.provider,
+        type: result.data.type,
+        modelsCount: result.data.models_count,
+      };
+    } catch (error) {
+      if (error instanceof ModelError) throw error;
+      log.warn("Failed to batch create manage tenant models:", error);
+      throw new ModelError("Failed to batch create models for tenant", 500);
+    }
+  },
+
+  // Create/fetch provider models for a specific tenant (admin/manage operation)
+  addManageProviderModel: async (params: {
+    tenantId: string;
+    provider: string;
+    type: ModelType;
+    apiKey: string;
+    baseUrl?: string;
+  }): Promise<any[]> => {
+    try {
+      const response = await fetch(API_ENDPOINTS.model.manageProviderModelCreate, {
+        method: "POST",
+        headers: {
+          ...getAuthHeaders(),
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+          tenant_id: params.tenantId,
+          provider: params.provider,
+          model_type: params.type,
+          api_key: params.apiKey,
+          ...(params.baseUrl ? { base_url: params.baseUrl } : {}),
+        }),
+      });
+
+      const result = await response.json();
+      if (response.status !== STATUS_CODES.SUCCESS) {
+        throw new ModelError(result.detail || result.message || "Failed to create provider models for tenant", response.status);
+      }
+      return result.data || [];
+    } catch (error) {
+      if (error instanceof ModelError) throw error;
+      log.warn("Failed to create manage provider models:", error);
+      throw new ModelError("Failed to create provider models for tenant", 500);
+    }
+  },
+
+  // Get provider selected modal list for a specific tenant (admin/manage operation)
+  getManageProviderSelectedModalList: async (params: {
+    tenantId: string;
+    provider: string;
+    type: ModelType;
+  }): Promise<any[]> => {
+    try {
+      const response = await fetch(API_ENDPOINTS.model.manageProviderModelList, {
+        method: "POST",
+        headers: {
+          ...getAuthHeaders(),
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+          tenant_id: params.tenantId,
+          provider: params.provider,
+          model_type: params.type,
+        }),
+      });
+
+      const result = await response.json();
+      if (response.status !== STATUS_CODES.SUCCESS) {
+        throw new ModelError(result.detail || result.message || "Failed to get provider selected list for tenant", response.status);
+      }
+      return result.data || [];
+    } catch (error) {
+      if (error instanceof ModelError) throw error;
+      log.warn("Failed to get manage provider selected list:", error);
+      throw new ModelError("Failed to get provider selected list for tenant", 500);
+    }
+  },
 };
 
 // -------- Provider detection helpers (for UI rendering) --------
diff --git a/frontend/services/sessionService.ts b/frontend/services/sessionService.ts
index 056b9cb3c..87f2fc472 100644
--- a/frontend/services/sessionService.ts
+++ b/frontend/services/sessionService.ts
@@ -1,86 +1,33 @@
 /**
  * Session management service
+ * Pure API layer for session operations
  */
 
-import { TOKEN_REFRESH_CD } from "@/const/constants";
 import { API_ENDPOINTS } from "./api";
-
-import { fetchWithAuth, saveSessionToStorage, removeSessionFromStorage, getSessionFromStorage } from "@/lib/auth";
-import log from "@/lib/logger";
-
-// Record the time of the last token refresh
-let lastTokenRefreshTime = 0;
+import { fetchWithAuth } from "@/lib/auth";
+import { Session } from "@/types/auth";
 
 /**
- * Check and refresh token (if needed)
+ * Call backend refresh token API
+ * @param refreshToken - refresh token string
+ * @returns new session or null if failed
  */
 export const sessionService = {
-  checkAndRefreshToken: async (): Promise<boolean> => {
+  refreshToken: async (refreshToken: string): Promise<Session | null> => {
     try {
-      const sessionObj = getSessionFromStorage();
-      if (!sessionObj) return false;
-      
-      const now = Date.now();
-      
-      // Check if the token is in the refresh cooldown period
-      const timeSinceLastRefresh = now - lastTokenRefreshTime;
-      if (timeSinceLastRefresh < TOKEN_REFRESH_CD) {
-        return true; // In cooldown period, default token is valid
-      }
-      
-      // Check if the token has expired
-      const expiresAt = sessionObj.expires_at * 1000; // Convert to milliseconds
-      if (expiresAt > now) {
-        // Token not expired, try to refresh
-        // Update the last refresh time, even if it hasn't succeeded, record the attempt time to avoid frequent requests
-        lastTokenRefreshTime = now;
-        
-        // Call the refresh token API
-        const response = await fetchWithAuth(API_ENDPOINTS.user.refreshToken, {
-          method: "POST",
-          body: JSON.stringify({
-            refresh_token: sessionObj.refresh_token
-          })
-        });
-        
-        // Check HTTP status code instead of data.code
-        if (!response.ok) {
-          log.warn("Token refresh failed, HTTP status code:", response.status);
-          
-          // HTTP 401 means the token is expired
-          if (response.status === 401) {
-            removeSessionFromStorage();
-          }
-          
-          return false;
-        }
-        
-        const data = await response.json();
-        
-        if (data.data?.session) {
-          // Update the session information in local storage
-          const updatedSession = {
-            ...sessionObj,
-            access_token: data.data.session.access_token,
-            refresh_token: data.data.session.refresh_token,
-            expires_at: data.data.session.expires_at,
-          };
-          
-          saveSessionToStorage(updatedSession);
-          return true;
-        } else {
-          log.warn("Token refresh failed: incorrect response data format");
-          return false;
-        }
-      } else {
-        // Token expired, clear the session
-        log.warn("Token expired");
-        removeSessionFromStorage();
-        return false;
+      const response = await fetchWithAuth(API_ENDPOINTS.user.refreshToken, {
+        method: "POST",
+        body: JSON.stringify({ refresh_token: refreshToken })
+      });
+
+      if (!response.ok) {
+        return null;
       }
-    } catch (error) {
-      log.error("Check token status failed:", error);
-      return false;
+
+      const data = await response.json();
+      return data.data?.session || null;
+    } catch {
+      return null;
     }
   }
-}; 
\ No newline at end of file
+};
diff --git a/frontend/services/userConfigService.ts b/frontend/services/userConfigService.ts
deleted file mode 100644
index 99f4d70c0..000000000
--- a/frontend/services/userConfigService.ts
+++ /dev/null
@@ -1,59 +0,0 @@
-import { API_ENDPOINTS } from './api';
-import { UserKnowledgeConfig, UpdateKnowledgeListRequest } from '../types/knowledgeBase';
-
-import { fetchWithAuth, getAuthHeaders } from '@/lib/auth';
-// @ts-ignore
-const fetch = fetchWithAuth;
-
-export class UserConfigService {
-  // Get user selected knowledge base list
-  async loadKnowledgeList(): Promise<UserKnowledgeConfig | null> {
-    try {
-      const response = await fetch(API_ENDPOINTS.tenantConfig.loadKnowledgeList, {
-        method: 'GET',
-        headers: getAuthHeaders(),
-      });
-
-      if (!response.ok) {
-        return null;
-      }
-
-      const result = await response.json();
-      if (result.status === 'success') {
-        return result.content;
-      }
-      return null;
-    } catch (error) {
-      return null;
-    }
-  }
-
-  // Update user selected knowledge base list
-  async updateKnowledgeList(request: UpdateKnowledgeListRequest): Promise<UserKnowledgeConfig | null> {
-    try {
-      const response = await fetch(
-        API_ENDPOINTS.tenantConfig.updateKnowledgeList,
-        {
-          method: "POST",
-          headers: getAuthHeaders(),
-          body: JSON.stringify(request),
-        }
-      );
-
-      if (!response.ok) {
-        return null;
-      }
-
-      const result = await response.json();
-      if (result.status === 'success') {
-        return result.content;
-      }
-      return null;
-    } catch (error) {
-      return null;
-    }
-  }
-}
-
-// Export singleton instance
-export const userConfigService = new UserConfigService(); 
\ No newline at end of file
diff --git a/frontend/stores/agentConfigStore.ts b/frontend/stores/agentConfigStore.ts
index d399d2247..c0713db68 100644
--- a/frontend/stores/agentConfigStore.ts
+++ b/frontend/stores/agentConfigStore.ts
@@ -36,10 +36,18 @@ export type EditableAgent = Pick<
   | "business_logic_model_name"
   | "business_logic_model_id"
   | "sub_agent_id_list"
+  | "group_ids"
 >;
 
 interface AgentConfigStoreState {
   currentAgentId: number | null;
+  /**
+   * Per-agent permission from /agent/list.
+   * - EDIT: editable
+   * - READ_ONLY: read-only
+   * null: unknown / not selected
+   */
+  currentAgentPermission: "EDIT" | "READ_ONLY" | null;
   baselineAgent: EditableAgent | null;
   editedAgent: EditableAgent;
   hasUnsavedChanges: boolean;
@@ -95,7 +103,7 @@ interface AgentConfigStoreState {
    * Reset all state (optional).
    */
   reset: () => void;
- 
+
   /**
    * Get the current baseline editable agent (null = create or initial state).
    * Use isCreatingMode to distinguish between initial state and create mode.
@@ -120,6 +128,7 @@ const emptyEditableAgent: EditableAgent = {
   business_logic_model_name: "",
   business_logic_model_id: 0,
   sub_agent_id_list: [],
+  group_ids: [],
 };
 
 const toEditable = (agent: Agent | null): EditableAgent =>
@@ -141,6 +150,7 @@ const toEditable = (agent: Agent | null): EditableAgent =>
         business_logic_model_name: agent.business_logic_model_name || "",
         business_logic_model_id: agent.business_logic_model_id || 0,
         sub_agent_id_list: agent.sub_agent_id_list || [],
+        group_ids: agent.group_ids || [],
       }
     : { ...emptyEditableAgent };
 
@@ -149,7 +159,7 @@ const normalizeArray = (arr: number[]) =>
     (a, b) => a - b
   );
 
-// 特定字段的脏检查函数
+// Dirty check helpers for specific field groups
 const isBusinessInfoDirty = (baselineAgent: EditableAgent | null, editedAgent: EditableAgent): boolean => {
   if (!baselineAgent) {
     return (
@@ -178,7 +188,8 @@ const isProfileInfoDirty = (baselineAgent: EditableAgent | null, editedAgent: Ed
       editedAgent.provide_run_summary !== false ||
       editedAgent.duty_prompt !== "" ||
       editedAgent.constraint_prompt !== "" ||
-      editedAgent.few_shots_prompt !== ""
+      editedAgent.few_shots_prompt !== "" ||
+      normalizeArray(editedAgent.group_ids || []).length > 0
     );
   }
   return (
@@ -192,7 +203,9 @@ const isProfileInfoDirty = (baselineAgent: EditableAgent | null, editedAgent: Ed
     baselineAgent.provide_run_summary !== editedAgent.provide_run_summary ||
     baselineAgent.duty_prompt !== editedAgent.duty_prompt ||
     baselineAgent.constraint_prompt !== editedAgent.constraint_prompt ||
-    baselineAgent.few_shots_prompt !== editedAgent.few_shots_prompt
+    baselineAgent.few_shots_prompt !== editedAgent.few_shots_prompt ||
+    JSON.stringify(normalizeArray(baselineAgent.group_ids ?? [])) !==
+      JSON.stringify(normalizeArray(editedAgent.group_ids ?? []))
   );
 };
 
@@ -211,52 +224,9 @@ const isSubAgentIdsDirty = (baselineAgent: EditableAgent | null, editedAgent: Ed
     JSON.stringify(normalizeArray(editedAgent.sub_agent_id_list ?? []));
 };
 
-const isDirty = (baselineAgent: EditableAgent | null, editedAgent: EditableAgent): boolean => {
-  if (!baselineAgent) {
-    // Create mode: any non-default value counts as dirty
-    return (
-      editedAgent.name !== "" ||
-      editedAgent.display_name !== "" ||
-      editedAgent.description !== "" ||
-      editedAgent.author !== "" ||
-      editedAgent.model !== "" ||
-      editedAgent.model_id !== 0 ||
-      editedAgent.max_step !== 0 ||
-      editedAgent.provide_run_summary !== false ||
-      editedAgent.tools.length > 0 ||
-      editedAgent.duty_prompt !== "" ||
-      editedAgent.constraint_prompt !== "" ||
-      editedAgent.few_shots_prompt !== "" ||
-      editedAgent.business_description !== "" ||
-      editedAgent.business_logic_model_name !== "" ||
-      editedAgent.business_logic_model_id !== 0 ||
-      normalizeArray(editedAgent.sub_agent_id_list || []).length > 0
-    );
-  }
-
-  return (
-    baselineAgent.name !== editedAgent.name ||
-    baselineAgent.display_name !== editedAgent.display_name ||
-    baselineAgent.description !== editedAgent.description ||
-    baselineAgent.author !== editedAgent.author ||
-    baselineAgent.model !== editedAgent.model ||
-    baselineAgent.model_id !== editedAgent.model_id ||
-    baselineAgent.max_step !== editedAgent.max_step ||
-    baselineAgent.provide_run_summary !== editedAgent.provide_run_summary ||
-    JSON.stringify(baselineAgent.tools) !== JSON.stringify(editedAgent.tools) ||
-    baselineAgent.duty_prompt !== editedAgent.duty_prompt ||
-    baselineAgent.constraint_prompt !== editedAgent.constraint_prompt ||
-    baselineAgent.few_shots_prompt !== editedAgent.few_shots_prompt ||
-    baselineAgent.business_description !== editedAgent.business_description ||
-    baselineAgent.business_logic_model_name !== editedAgent.business_logic_model_name ||
-    baselineAgent.business_logic_model_id !== editedAgent.business_logic_model_id ||
-    JSON.stringify(normalizeArray(baselineAgent.sub_agent_id_list ?? [])) !==
-      JSON.stringify(normalizeArray(editedAgent.sub_agent_id_list ?? []))
-  );
-};
-
 export const useAgentConfigStore = create<AgentConfigStoreState>((set, get) => ({
   currentAgentId: null,
+  currentAgentPermission: null,
   baselineAgent: null,
   editedAgent: { ...emptyEditableAgent },
   hasUnsavedChanges: false,
@@ -267,6 +237,7 @@ export const useAgentConfigStore = create<AgentConfigStoreState>((set, get) => (
     const editedAgent = baselineAgent ? { ...baselineAgent } : { ...emptyEditableAgent };
     set({
       currentAgentId: agent ? parseInt(agent.id) : null,
+      currentAgentPermission: agent ? ((agent as any).permission ?? null) : null,
       baselineAgent,
       editedAgent,
       hasUnsavedChanges: false,
@@ -277,6 +248,7 @@ export const useAgentConfigStore = create<AgentConfigStoreState>((set, get) => (
   enterCreateMode: () => {
     set({
       currentAgentId: null,
+      currentAgentPermission: "EDIT",
       baselineAgent: null,
       editedAgent: { ...emptyEditableAgent },
       hasUnsavedChanges: false,
@@ -287,8 +259,8 @@ export const useAgentConfigStore = create<AgentConfigStoreState>((set, get) => (
   updateTools: (tools) => {
     set((state) => {
       const editedAgent = { ...state.editedAgent, tools: [...tools] };
-      // 如果已经有未保存的更改，则无需重新计算，直接保持true
-      // 只有当前状态为干净时，才需要检查tools字段是否有更改
+      // If there are already unsaved changes, keep it true and skip recalculation.
+      // Only when state is clean do we need to check whether tools changed.
       const hasUnsavedChanges = state.hasUnsavedChanges
         ? true
         : isToolsDirty(state.baselineAgent, editedAgent);
@@ -303,8 +275,8 @@ export const useAgentConfigStore = create<AgentConfigStoreState>((set, get) => (
     const nextIds = normalizeArray(ids);
     set((state) => {
       const editedAgent = { ...state.editedAgent, sub_agent_id_list: nextIds };
-      // 如果已经有未保存的更改，则无需重新计算，直接保持true
-      // 只有当前状态为干净时，才需要检查sub agent ids字段是否有更改
+      // If there are already unsaved changes, keep it true and skip recalculation.
+      // Only when state is clean do we need to check whether sub-agent IDs changed.
       const hasUnsavedChanges = state.hasUnsavedChanges
         ? true
         : isSubAgentIdsDirty(state.baselineAgent, editedAgent);
@@ -318,8 +290,8 @@ export const useAgentConfigStore = create<AgentConfigStoreState>((set, get) => (
   updateBusinessInfo: (payload) => {
     set((state) => {
       const editedAgent = { ...state.editedAgent, ...payload };
-      // 如果已经有未保存的更改，则无需重新计算，直接保持true
-      // 只有当前状态为干净时，才需要检查business info字段是否有更改
+      // If there are already unsaved changes, keep it true and skip recalculation.
+      // Only when state is clean do we need to check whether business info changed.
       const hasUnsavedChanges = state.hasUnsavedChanges
         ? true
         : isBusinessInfoDirty(state.baselineAgent, editedAgent);
@@ -333,8 +305,8 @@ export const useAgentConfigStore = create<AgentConfigStoreState>((set, get) => (
   updateProfileInfo: (payload) => {
     set((state) => {
       const editedAgent = { ...state.editedAgent, ...payload };
-      // 如果已经有未保存的更改，则无需重新计算，直接保持true
-      // 只有当前状态为干净时，才需要检查profile info字段是否有更改
+      // If there are already unsaved changes, keep it true and skip recalculation.
+      // Only when state is clean do we need to check whether profile info changed.
       const hasUnsavedChanges = state.hasUnsavedChanges
         ? true
         : isProfileInfoDirty(state.baselineAgent, editedAgent);
@@ -367,13 +339,14 @@ export const useAgentConfigStore = create<AgentConfigStoreState>((set, get) => (
   reset: () => {
     set({
       currentAgentId: null,
+      currentAgentPermission: null,
       baselineAgent: null,
       editedAgent: { ...emptyEditableAgent },
       hasUnsavedChanges: false,
       isCreatingMode: false,
     });
   },
- 
+
   getCurrentAgent: () => {
     return get().baselineAgent;
   },
diff --git a/frontend/types/agentConfig.ts b/frontend/types/agentConfig.ts
index 56f29ecfb..436a1d010 100644
--- a/frontend/types/agentConfig.ts
+++ b/frontend/types/agentConfig.ts
@@ -5,21 +5,11 @@ import { ChatMessageType } from "./chat";
 import { ModelOption } from "@/types/modelConfig";
 import { GENERATE_PROMPT_STREAM_TYPES } from "../const/agentConfig";
 
-// ========== Core Interfaces ==========
-
-/**
- * Business info fields for agent configuration.
- * Used by agentConfigStore for business info updates.
- * Supports partial updates like AgentProfileInfo.
- */
 export type AgentBusinessInfo = Partial<Pick<
   Agent,
   "business_description" | "business_logic_model_id" | "business_logic_model_name"
 >>;
 
-/**
- * Profile info fields for agent configuration.
- */
 export type AgentProfileInfo = Partial<
   Pick<
     Agent,
@@ -33,6 +23,7 @@ export type AgentProfileInfo = Partial<
     | "duty_prompt"
     | "constraint_prompt"
     | "few_shots_prompt"
+    | "group_ids"
   >
 >;
 
@@ -60,6 +51,12 @@ export interface Agent {
   is_new?: boolean;
   sub_agent_id_list?: number[];
   group_ids?: number[];
+  /**
+   * Per-agent permission returned by /agent/list.
+   * EDIT: editable, READ_ONLY: read-only.
+   */
+  permission?: "EDIT" | "READ_ONLY";
+  current_version_no?: number;
 }
 
 export interface Tool {
@@ -84,9 +81,10 @@ export interface ToolParam {
   description?: string;
 }
 
+
+
 // ========== Data Interfaces ==========
 
-// Agent configuration data response interface
 export interface AgentConfigDataResponse {
   businessLogic: string;
   systemPrompt: string;
@@ -338,6 +336,11 @@ export interface McpServer {
   status: boolean;
   remote_mcp_server_name?: string;
   remote_mcp_server?: string;
+  /**
+   * Per-item permission returned by /mcp/list.
+   * EDIT: editable, READ_ONLY: read-only.
+   */
+  permission?: "EDIT" | "READ_ONLY";
 }
 
 // MCP tool interface definition
@@ -354,6 +357,11 @@ export interface McpContainer {
   status?: string;
   mcp_url?: string;
   host_port?: number;
+  /**
+   * Per-item permission returned by /mcp/containers.
+   * EDIT: editable, READ_ONLY: read-only.
+   */
+  permission?: "EDIT" | "READ_ONLY";
 }
 
 // ========== Prompt Service Interfaces ==========
diff --git a/frontend/types/auth.ts b/frontend/types/auth.ts
index 6d35384c6..477982f27 100644
--- a/frontend/types/auth.ts
+++ b/frontend/types/auth.ts
@@ -1,14 +1,18 @@
-// User type definition
+// User type definition - contains only basic user information
+import type { USER_ROLES } from "@/const/auth";
+
+export type UserRole = USER_ROLES;
+
 export interface User {
   id: string;
   email: string;
-  role: "user" | "admin";
-  avatar_url?: string;
+  role: UserRole;
+  avatarUrl?: string;
+  tenantId?: string;
 }
 
-// Session type definition
+// Session type definition - contains only authentication tokens
 export interface Session {
-  user: User;
   access_token: string;
   refresh_token: string;
   expires_at: number;
@@ -33,24 +37,23 @@ export interface AuthFormValues {
 // Authorization context type
 export interface AuthContextType {
   user: User | null;
+  permissions: string[];
+  accessibleRoutes: string[];
   isLoading: boolean;
   isLoginModalOpen: boolean;
   isRegisterModalOpen: boolean;
-  isFromSessionExpired: boolean;
   authServiceUnavailable: boolean;
-  isSpeedMode: boolean;
   isAuthReady: boolean;
   openLoginModal: () => void;
   closeLoginModal: () => void;
   openRegisterModal: () => void;
   closeRegisterModal: () => void;
-  setIsFromSessionExpired: (value: boolean) => void;
   login: (email: string, password: string) => Promise<void>;
   register: (
     email: string,
     password: string,
-    isAdmin?: boolean,
-    inviteCode?: string
+    inviteCode?: string,
+    withNewInvitation?: boolean
   ) => Promise<void>;
   logout: (options?: { silent?: boolean }) => Promise<void>;
   clearLocalSession: () => void;
@@ -65,3 +68,164 @@ export interface SessionResponse {
   };
   error: ErrorResponse | null;
 }
+
+// Current user info response type (includes permissions and accessible routes)
+// Backend returns user data directly, not nested under "user" property
+export interface AuthInfoResponse {
+  user: User & {
+    groupIds: number[];
+    permissions: string[];
+    accessibleRoutes: string[];
+  };
+}
+
+import type { AUTH_EVENTS, AUTHZ_EVENTS } from "@/const/auth";
+
+export type AuthEventKey = (typeof AUTH_EVENTS)[keyof typeof AUTH_EVENTS];
+export type AuthzEventKey = (typeof AUTHZ_EVENTS)[keyof typeof AUTHZ_EVENTS];
+
+// Authentication Events
+export interface AuthEvents {
+  [AUTH_EVENTS.LOGIN_SUCCESS]: User | null;
+  [AUTH_EVENTS.REGISTER_SUCCESS]: void;
+  [AUTH_EVENTS.LOGOUT]: void;
+  [AUTH_EVENTS.SESSION_EXPIRED]: void;
+  [AUTH_EVENTS.TOKEN_REFRESHED]: void;
+  [AUTH_EVENTS.SERVICE_UNAVAILABLE]: void;
+  [AUTH_EVENTS.BACK_TO_HOME]: void;
+}
+
+// Authorization Events
+export interface AuthzEvents {
+  [AUTHZ_EVENTS.PERMISSION_DENIED]: { pathname: string } | void;
+  [AUTHZ_EVENTS.PERMISSIONS_READY]: User & {
+    permissions: string[];
+    accessibleRoutes: string[];
+  };
+  [AUTHZ_EVENTS.PERMISSIONS_UPDATED]: void;
+}
+
+// Authentication Context Type
+export interface AuthenticationContextType {
+  // Authentication state
+  isAuthenticated: boolean;
+  isAuthChecking: boolean;
+  isLoading: boolean;
+  session: Session | null;
+
+  // UI state
+  isLoginModalOpen: boolean;
+  isRegisterModalOpen: boolean;
+  authServiceUnavailable: boolean;
+
+  // Methods
+  login: (
+    email: string,
+    password: string,
+    options?: { showSuccessMessage?: boolean }
+  ) => Promise<void>;
+  register: (
+    email: string,
+    password: string,
+    inviteCode?: string,
+    withNewInvitation?: boolean
+  ) => Promise<void>;
+  logout: (options?: { silent?: boolean }) => Promise<void>;
+  clearLocalSession: () => void;
+  revoke: () => Promise<void>;
+
+  // UI methods
+  openLoginModal: () => void;
+  closeLoginModal: () => void;
+  openRegisterModal: () => void;
+  closeRegisterModal: () => void;
+
+  // Auth prompt modal (for side navigation pre-check)
+  isAuthPromptModalOpen: boolean;
+  openAuthPromptModal: () => void;
+  closeAuthPromptModal: () => void;
+
+  // Session expired modal
+  isSessionExpiredModalOpen: boolean;
+  openSessionExpiredModal: () => void;
+  closeSessionExpiredModal: () => void;
+}
+
+// Authentication State Return Type - for useAuthenticationState hook
+export interface AuthenticationStateReturn {
+  // Authentication state
+  isAuthenticated: boolean;
+  isAuthChecking: boolean;
+  isLoading: boolean;
+  session: Session | null;
+  authServiceUnavailable: boolean;
+
+  // Methods
+  login: (
+    email: string,
+    password: string,
+    options?: { showSuccessMessage?: boolean }
+  ) => Promise<void>;
+  register: (
+    email: string,
+    password: string,
+    inviteCode?: string,
+    withNewInvitation?: boolean
+  ) => Promise<void>;
+  logout: (options?: { silent?: boolean }) => Promise<void>;
+  clearLocalSession: () => void;
+  revoke: () => Promise<void>;
+}
+
+// Authentication UI Return Type - for useAuthenticationUI hook
+export interface AuthenticationUIReturn {
+  // Login/Register Modal
+  isLoginModalOpen: boolean;
+  openLoginModal: () => void;
+  closeLoginModal: () => void;
+  isRegisterModalOpen: boolean;
+  openRegisterModal: () => void;
+  closeRegisterModal: () => void;
+
+  // Auth prompt modal (for side navigation pre-check)
+  isAuthPromptModalOpen: boolean;
+  openAuthPromptModal: () => void;
+  closeAuthPromptModal: () => void;
+
+  // Session expired modal
+  isSessionExpiredModalOpen: boolean;
+  openSessionExpiredModal: () => void;
+  closeSessionExpiredModal: () => void;
+}
+
+// Authorization Context Type
+export interface AuthorizationContextType {
+  // Authorization data
+  user: User | null;
+  groupIds: number[];
+  permissions: string[];
+  accessibleRoutes: string[];
+
+  // State
+  isLoading: boolean;
+  error: Error | null;
+
+  // Authorization status
+  // True when authorization is complete and user has permission to access current route
+  isAuthorized: boolean;
+
+  // True when authorization data is ready (permissions loaded)
+  // Does not indicate whether user has permission, only that the process is complete
+  isAuthzReady: boolean;
+
+  // Methods
+  refetch: () => Promise<any>;
+  hasPermission: (permission: string) => boolean;
+  hasAnyPermission: (permissions: string[]) => boolean;
+  canAccessRoute: (route: string) => boolean;
+
+  // Authz prompt modal (permission denied)
+  isAuthzPromptModalOpen: boolean;
+  openAuthzPromptModal: () => void;
+  closeAuthzPromptModal: () => void;
+}
diff --git a/frontend/types/chat.ts b/frontend/types/chat.ts
index 162a0a31c..4bd8e4f6b 100644
--- a/frontend/types/chat.ts
+++ b/frontend/types/chat.ts
@@ -52,22 +52,13 @@ export interface AgentStep {
   parsingContent?: string
 }
 
-// Agent related types
-export interface Agent {
-  agent_id: number;
-  name: string;
-  display_name: string;
-  description: string;
-  is_available: boolean;
-  is_new?: boolean;
-}
+// Agent related types - imported from agentConfig
 
 export interface ChatAgentSelectorProps {
-  selectedAgentId: number | null;
-  onAgentSelect: (agentId: number | null) => void;
+  selectedAgentId: string | null;
+  onAgentSelect: (agentId: string | null) => void;
   disabled?: boolean;
   isInitialMode?: boolean;
-  agents?: Agent[]; // Optional pre-loaded agents to avoid repeated API calls
 }
 
 // Search result type
@@ -174,11 +165,10 @@ export interface ChatStreamMainProps {
   onOpinionChange?: (messageId: number, opinion: "Y" | "N" | null) => void;
   currentConversationId?: number;
   shouldScrollToBottom?: boolean;
-  selectedAgentId?: number | null;
-  onAgentSelect?: (agentId: number | null) => void;
+  selectedAgentId?: string | null;
+  onAgentSelect?: (agentId: string | null) => void;
   onCitationHover?: () => void;
   onScroll?: () => void;
-  cachedAgents?: Agent[]; // Optional cached agents to avoid repeated API calls
 }
 
 // Card item type for task window
diff --git a/frontend/types/knowledgeBase.ts b/frontend/types/knowledgeBase.ts
index 5583a8f18..e28d60fff 100644
--- a/frontend/types/knowledgeBase.ts
+++ b/frontend/types/knowledgeBase.ts
@@ -1,11 +1,17 @@
 // Knowledge base related type definitions
 
-import { DOCUMENT_ACTION_TYPES, KNOWLEDGE_BASE_ACTION_TYPES, UI_ACTION_TYPES, NOTIFICATION_TYPES } from "@/const/knowledgeBase";
+import {
+  DOCUMENT_ACTION_TYPES,
+  KNOWLEDGE_BASE_ACTION_TYPES,
+  UI_ACTION_TYPES,
+  NOTIFICATION_TYPES,
+} from "@/const/knowledgeBase";
 
 // Knowledge base basic type
 export interface KnowledgeBase {
   id: string;
   name: string;
+  display_name?: string; // User-friendly display name, falls back to name if not available
   description: string | null;
   chunkCount: number;
   documentCount: number;
@@ -35,6 +41,9 @@ export interface KnowledgeBaseCreateParams {
   description: string;
   source?: string;
   embeddingModel?: string;
+  // Group permission and user groups for new knowledge bases
+  ingroup_permission?: string;
+  group_ids?: number[];
 }
 
 // Document type
@@ -69,17 +78,32 @@ export interface DocumentState {
 
 // Document action type
 export type DocumentAction =
-  | { type: typeof DOCUMENT_ACTION_TYPES.FETCH_SUCCESS, payload: { kbId: string, documents: Document[] } }
-  | { type: typeof DOCUMENT_ACTION_TYPES.SELECT_DOCUMENT, payload: string }
-  | { type: typeof DOCUMENT_ACTION_TYPES.SELECT_DOCUMENTS, payload: string[] }
-  | { type: typeof DOCUMENT_ACTION_TYPES.SELECT_ALL, payload: { kbId: string, selected: boolean } }
-  | { type: typeof DOCUMENT_ACTION_TYPES.SET_UPLOAD_FILES, payload: File[] }
-  | { type: typeof DOCUMENT_ACTION_TYPES.SET_UPLOADING, payload: boolean }
-  | { type: typeof DOCUMENT_ACTION_TYPES.SET_LOADING_DOCUMENTS, payload: boolean }
-  | { type: typeof DOCUMENT_ACTION_TYPES.DELETE_DOCUMENT, payload: { kbId: string, docId: string } }
-  | { type: typeof DOCUMENT_ACTION_TYPES.SET_LOADING_KB_ID, payload: { kbId: string, isLoading: boolean } }
-  | { type: typeof DOCUMENT_ACTION_TYPES.CLEAR_DOCUMENTS, payload?: undefined }
-  | { type: typeof DOCUMENT_ACTION_TYPES.ERROR, payload: string };
+  | {
+      type: typeof DOCUMENT_ACTION_TYPES.FETCH_SUCCESS;
+      payload: { kbId: string; documents: Document[] };
+    }
+  | { type: typeof DOCUMENT_ACTION_TYPES.SELECT_DOCUMENT; payload: string }
+  | { type: typeof DOCUMENT_ACTION_TYPES.SELECT_DOCUMENTS; payload: string[] }
+  | {
+      type: typeof DOCUMENT_ACTION_TYPES.SELECT_ALL;
+      payload: { kbId: string; selected: boolean };
+    }
+  | { type: typeof DOCUMENT_ACTION_TYPES.SET_UPLOAD_FILES; payload: File[] }
+  | { type: typeof DOCUMENT_ACTION_TYPES.SET_UPLOADING; payload: boolean }
+  | {
+      type: typeof DOCUMENT_ACTION_TYPES.SET_LOADING_DOCUMENTS;
+      payload: boolean;
+    }
+  | {
+      type: typeof DOCUMENT_ACTION_TYPES.DELETE_DOCUMENT;
+      payload: { kbId: string; docId: string };
+    }
+  | {
+      type: typeof DOCUMENT_ACTION_TYPES.SET_LOADING_KB_ID;
+      payload: { kbId: string; isLoading: boolean };
+    }
+  | { type: typeof DOCUMENT_ACTION_TYPES.CLEAR_DOCUMENTS; payload?: undefined }
+  | { type: typeof DOCUMENT_ACTION_TYPES.ERROR; payload: string };
 
 // Knowledge base state interface
 export interface KnowledgeBaseState {
@@ -90,19 +114,45 @@ export interface KnowledgeBaseState {
   isLoading: boolean;
   syncLoading: boolean;
   error: string | null;
+  dataMateSyncError?: string;
 }
 
 // Knowledge base action type
 export type KnowledgeBaseAction =
-  | { type: typeof KNOWLEDGE_BASE_ACTION_TYPES.FETCH_SUCCESS, payload: KnowledgeBase[] }
-  | { type: typeof KNOWLEDGE_BASE_ACTION_TYPES.SELECT_KNOWLEDGE_BASE, payload: string[] }
-  | { type: typeof KNOWLEDGE_BASE_ACTION_TYPES.SET_ACTIVE, payload: KnowledgeBase | null }
-  | { type: typeof KNOWLEDGE_BASE_ACTION_TYPES.SET_MODEL, payload: string | null }
-  | { type: typeof KNOWLEDGE_BASE_ACTION_TYPES.DELETE_KNOWLEDGE_BASE, payload: string }
-  | { type: typeof KNOWLEDGE_BASE_ACTION_TYPES.ADD_KNOWLEDGE_BASE, payload: KnowledgeBase }
-  | { type: typeof KNOWLEDGE_BASE_ACTION_TYPES.LOADING, payload: boolean }
-  | { type: typeof KNOWLEDGE_BASE_ACTION_TYPES.SET_SYNC_LOADING, payload: boolean }
-  | { type: typeof KNOWLEDGE_BASE_ACTION_TYPES.ERROR, payload: string };
+  | {
+      type: typeof KNOWLEDGE_BASE_ACTION_TYPES.FETCH_SUCCESS;
+      payload: KnowledgeBase[];
+    }
+  | {
+      type: typeof KNOWLEDGE_BASE_ACTION_TYPES.SELECT_KNOWLEDGE_BASE;
+      payload: string[];
+    }
+  | {
+      type: typeof KNOWLEDGE_BASE_ACTION_TYPES.SET_ACTIVE;
+      payload: KnowledgeBase | null;
+    }
+  | {
+      type: typeof KNOWLEDGE_BASE_ACTION_TYPES.SET_MODEL;
+      payload: string | null;
+    }
+  | {
+      type: typeof KNOWLEDGE_BASE_ACTION_TYPES.DELETE_KNOWLEDGE_BASE;
+      payload: string;
+    }
+  | {
+      type: typeof KNOWLEDGE_BASE_ACTION_TYPES.ADD_KNOWLEDGE_BASE;
+      payload: KnowledgeBase;
+    }
+  | { type: typeof KNOWLEDGE_BASE_ACTION_TYPES.LOADING; payload: boolean }
+  | {
+      type: typeof KNOWLEDGE_BASE_ACTION_TYPES.SET_SYNC_LOADING;
+      payload: boolean;
+    }
+  | {
+      type: typeof KNOWLEDGE_BASE_ACTION_TYPES.SET_DATA_MATE_SYNC_ERROR;
+      payload: string | undefined;
+    }
+  | { type: typeof KNOWLEDGE_BASE_ACTION_TYPES.ERROR; payload: string };
 
 // UI state interface
 export interface UIState {
@@ -112,35 +162,47 @@ export interface UIState {
   notifications: {
     id: string;
     message: string;
-    type: typeof NOTIFICATION_TYPES.SUCCESS | typeof NOTIFICATION_TYPES.ERROR | typeof NOTIFICATION_TYPES.INFO | typeof NOTIFICATION_TYPES.WARNING;
+    type:
+      | typeof NOTIFICATION_TYPES.SUCCESS
+      | typeof NOTIFICATION_TYPES.ERROR
+      | typeof NOTIFICATION_TYPES.INFO
+      | typeof NOTIFICATION_TYPES.WARNING;
   }[];
 }
 
 // UI action type
 export type UIAction =
-  | { type: typeof UI_ACTION_TYPES.SET_DRAGGING, payload: boolean }
-  | { type: typeof UI_ACTION_TYPES.TOGGLE_CREATE_MODAL, payload: boolean }
-  | { type: typeof UI_ACTION_TYPES.TOGGLE_DOC_MODAL, payload: boolean }
-  | { type: typeof UI_ACTION_TYPES.ADD_NOTIFICATION, payload: { message: string; type: typeof NOTIFICATION_TYPES.SUCCESS | typeof NOTIFICATION_TYPES.ERROR | typeof NOTIFICATION_TYPES.INFO | typeof NOTIFICATION_TYPES.WARNING } }
-  | { type: typeof UI_ACTION_TYPES.REMOVE_NOTIFICATION, payload: string };
+  | { type: typeof UI_ACTION_TYPES.SET_DRAGGING; payload: boolean }
+  | { type: typeof UI_ACTION_TYPES.TOGGLE_CREATE_MODAL; payload: boolean }
+  | { type: typeof UI_ACTION_TYPES.TOGGLE_DOC_MODAL; payload: boolean }
+  | {
+      type: typeof UI_ACTION_TYPES.ADD_NOTIFICATION;
+      payload: {
+        message: string;
+        type:
+          | typeof NOTIFICATION_TYPES.SUCCESS
+          | typeof NOTIFICATION_TYPES.ERROR
+          | typeof NOTIFICATION_TYPES.INFO
+          | typeof NOTIFICATION_TYPES.WARNING;
+      };
+    }
+  | { type: typeof UI_ACTION_TYPES.REMOVE_NOTIFICATION; payload: string };
 
 // Abortable error type for upload operations
 export interface AbortableError extends Error {
   name: string;
 }
 
-// User selected knowledge base configuration type
-export interface UserKnowledgeConfig {
-  selectedKbNames?: string[];
-  selectedKbModels?: string[];
-  selectedKbSources?: string[];
-  // Legacy support for grouped format
-  nexent?: string[];
-  datamate?: string[];
+// Custom error type for DataMate sync failures
+export class DataMateSyncError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = "DataMateSyncError";
+  }
 }
 
-// Update knowledge list request type
-export interface UpdateKnowledgeListRequest {
-  nexent?: string[];
-  datamate?: string[];
+// Result type for knowledge base fetch with DataMate sync status
+export interface KnowledgeBasesWithDataMateStatus {
+  knowledgeBases: KnowledgeBase[];
+  dataMateSyncError?: string;
 }
diff --git a/make/data_process/Dockerfile b/make/data_process/Dockerfile
index e7550fe2d..35d7a6c48 100644
--- a/make/data_process/Dockerfile
+++ b/make/data_process/Dockerfile
@@ -42,6 +42,9 @@ RUN uv sync --no-cache-dir --extra data-process $(test -n "$MIRROR" && echo "-i
 COPY sdk /opt/sdk
 RUN uv pip install --no-cache-dir /opt/sdk $(test -n "$MIRROR" && echo "-i $MIRROR") && \
     uv cache clean
+
+# Pre-download tiktoken cl100k_base model to avoid network issues during runtime
+RUN uv run python -c "import tiktoken; enc = tiktoken.get_encoding('cl100k_base')"
 # Layer 3: copy backend code
 COPY backend /opt/backend
 
diff --git a/sdk/nexent/core/agents/nexent_agent.py b/sdk/nexent/core/agents/nexent_agent.py
index 12d7737df..4f2c38d07 100644
--- a/sdk/nexent/core/agents/nexent_agent.py
+++ b/sdk/nexent/core/agents/nexent_agent.py
@@ -73,28 +73,19 @@ def create_local_tool(self, tool_config: ToolConfig):
                 # These parameters have exclude=True and cannot be passed to __init__
                 # due to smolagents.tools.Tool wrapper restrictions
                 filtered_params = {k: v for k, v in params.items()
-                                   if k not in ["index_names", "vdb_core", "embedding_model", "observer"]}
+                                   if k not in ["vdb_core", "embedding_model", "observer"]}
                 # Create instance with only non-excluded parameters
                 tools_obj = tool_class(**filtered_params)
                 # Set excluded parameters directly as attributes after instantiation
                 # This bypasses smolagents wrapper restrictions
                 tools_obj.observer = self.observer
-                index_names = tool_config.metadata.get(
-                    "index_names", None) if tool_config.metadata else None
-                tools_obj.index_names = [] if index_names is None else index_names
                 tools_obj.vdb_core = tool_config.metadata.get(
                     "vdb_core", None) if tool_config.metadata else None
                 tools_obj.embedding_model = tool_config.metadata.get(
                     "embedding_model", None) if tool_config.metadata else None
-                name_resolver = tool_config.metadata.get(
-                    "name_resolver", None) if tool_config.metadata else None
-                tools_obj.name_resolver = {} if name_resolver is None else name_resolver
             elif class_name == "DataMateSearchTool":
                 tools_obj = tool_class(**params)
                 tools_obj.observer = self.observer
-                index_names = tool_config.metadata.get(
-                    "index_names", None) if tool_config.metadata else None
-                tools_obj.index_names = [] if index_names is None else index_names
             elif class_name == "AnalyzeTextFileTool":
                 tools_obj = tool_class(observer=self.observer,
                                        llm_model=tool_config.metadata.get("llm_model", []),
diff --git a/sdk/nexent/core/prompts/analyze_file.yaml b/sdk/nexent/core/prompts/analyze_file_zh.yaml
similarity index 100%
rename from sdk/nexent/core/prompts/analyze_file.yaml
rename to sdk/nexent/core/prompts/analyze_file_zh.yaml
diff --git a/sdk/nexent/core/prompts/analyze_image.yaml b/sdk/nexent/core/prompts/analyze_image_zh.yaml
similarity index 100%
rename from sdk/nexent/core/prompts/analyze_image.yaml
rename to sdk/nexent/core/prompts/analyze_image_zh.yaml
diff --git a/sdk/nexent/core/tools/analyze_image_tool.py b/sdk/nexent/core/tools/analyze_image_tool.py
index 2fe8fd261..445134f22 100644
--- a/sdk/nexent/core/tools/analyze_image_tool.py
+++ b/sdk/nexent/core/tools/analyze_image_tool.py
@@ -5,7 +5,6 @@
 Supports images from S3, HTTP, and HTTPS URLs.
 """
 
-import json
 import logging
 from io import BytesIO
 from typing import List
@@ -14,12 +13,12 @@
 from pydantic import Field
 from smolagents.tools import Tool
 
-from nexent.core.models import OpenAIVLModel
-from nexent.core.utils.observer import MessageObserver, ProcessType
-from nexent.core.utils.prompt_template_utils import get_prompt_template
-from nexent.core.utils.tools_common_message import ToolCategory, ToolSign
-from nexent.storage import MinIOStorageClient
-from nexent.multi_modal.load_save_object import LoadSaveObjectManager
+from ...core.models import OpenAIVLModel
+from ...core.utils.observer import MessageObserver, ProcessType
+from ...core.utils.prompt_template_utils import get_prompt_template
+from ...core.utils.tools_common_message import ToolCategory, ToolSign
+from ...storage import MinIOStorageClient
+from ...multi_modal.load_save_object import LoadSaveObjectManager
 
 logger = logging.getLogger("analyze_image_tool")
 
@@ -79,7 +78,7 @@ def __init__(
     def _forward_impl(self, image_urls_list: List[bytes], query: str) -> List[str]:
         """
         Analyze images identified by S3 URL, HTTP URL, or HTTPS URL and return the identified text.
-        
+
         Note: This method is wrapped by load_object decorator which downloads
         the image from S3 URL, HTTP URL, or HTTPS URL and passes bytes to this method.
 
@@ -133,4 +132,4 @@ def _forward_impl(self, image_urls_list: List[bytes], query: str) -> List[str]:
         except Exception as e:
             logger.error(f"Error analyzing image: {str(e)}", exc_info=True)
             error_msg = f"Error analyzing image: {str(e)}"
-            raise Exception(error_msg)
\ No newline at end of file
+            raise Exception(error_msg)
diff --git a/sdk/nexent/core/tools/analyze_text_file_tool.py b/sdk/nexent/core/tools/analyze_text_file_tool.py
index 78b78543d..afe89f45e 100644
--- a/sdk/nexent/core/tools/analyze_text_file_tool.py
+++ b/sdk/nexent/core/tools/analyze_text_file_tool.py
@@ -4,21 +4,19 @@
 Extracts content from text files (excluding images) and analyzes it using a large language model.
 Supports files from S3, HTTP, and HTTPS URLs.
 """
-import json
 import logging
-from typing import List, Optional, Union
+from typing import List, Optional
 
-import httpx
 from jinja2 import Template, StrictUndefined
 from pydantic import Field
 from smolagents.tools import Tool
 
-from nexent.core import MessageObserver
-from nexent.core.utils.observer import ProcessType
-from nexent.core.utils.prompt_template_utils import get_prompt_template
-from nexent.core.utils.tools_common_message import ToolCategory, ToolSign
-from nexent.storage import MinIOStorageClient
-from nexent.multi_modal.load_save_object import LoadSaveObjectManager
+from ...core.utils.observer import MessageObserver, ProcessType
+from ...core.utils.prompt_template_utils import get_prompt_template
+from ...core.utils.tools_common_message import ToolCategory, ToolSign
+from ...storage import MinIOStorageClient
+from ...multi_modal.load_save_object import LoadSaveObjectManager
+from ...utils.http_client_manager import http_client_manager
 
 
 logger = logging.getLogger("analyze_text_file_tool")
@@ -80,7 +78,8 @@ def __init__(
         self.running_prompt_zh = "正在分析文件..."
         self.running_prompt_en = "Analyzing file..."
         # Dynamically apply the load_object decorator to forward method
-        self.forward = self.mm.load_object(input_names=["file_url_list"])(self._forward_impl)
+        self.forward = self.mm.load_object(
+            input_names=["file_url_list"])(self._forward_impl)
 
     def _forward_impl(
         self,
@@ -116,7 +115,8 @@ def _forward_impl(
             analysis_results: List[str] = []
 
             for index, single_file in enumerate(file_url_list, start=1):
-                logger.info(f"Extracting text content from file #{index}, query: {query}")
+                logger.info(
+                    f"Extracting text content from file #{index}, query: {query}")
                 filename = f"file_{index}.txt"
 
                 # Step 1: Get file content
@@ -127,14 +127,16 @@ def _forward_impl(
                     logger.error(error_msg)
                     raise Exception(error_msg)
 
-                logger.info(f"Analyzing text content with LLM for file #{index}, query: {query}")
+                logger.info(
+                    f"Analyzing text content with LLM for file #{index}, query: {query}")
 
                 # Step 2: Analyze file content
                 try:
                     text, _ = self.analyze_file(query, raw_text)
                     analysis_results.append(text)
                 except Exception as analysis_error:
-                    logger.error(f"Failed to analyze file #{index}: {analysis_error}")
+                    logger.error(
+                        f"Failed to analyze file #{index}: {analysis_error}")
                     analysis_results.append(str(analysis_error))
 
             return analysis_results
@@ -144,7 +146,6 @@ def _forward_impl(
             error_msg = f"Error analyzing text file: {str(e)}"
             raise Exception(error_msg)
 
-
     def process_text_file(self, filename: str, file_content: bytes,) -> str:
         """
         Process text file, convert to text using external API
@@ -163,8 +164,13 @@ def process_text_file(self, filename: str, file_content: bytes,) -> str:
                 'chunking_strategy': 'basic',
                 'timeout': self.time_out,
             }
-            with httpx.Client(timeout=self.time_out) as client:
-                response = client.post(api_url, files=files, data=data)
+            # Use shared HttpClientManager for connection pooling
+            client = http_client_manager.get_sync_client(
+                base_url=self.data_process_service_url,
+                timeout=float(self.time_out),
+                verify_ssl=True
+            )
+            response = client.post(api_url, files=files, data=data)
 
             if response.status_code == 200:
                 result = response.json()
@@ -179,7 +185,8 @@ def process_text_file(self, filename: str, file_content: bytes,) -> str:
                 raise Exception(error_detail)
 
         except Exception as e:
-            logger.error(f"Failed to process text file {filename}: {str(e)}", exc_info=True)
+            logger.error(
+                f"Failed to process text file {filename}: {str(e)}", exc_info=True)
             raise
 
         return raw_text
@@ -188,10 +195,14 @@ def analyze_file(self, query: str, raw_text: str,):
         """
         Process text file, convert to text using external API
         """
-        language = getattr(self.observer, "lang", "en") if self.observer else "en"
-        prompts = get_prompt_template(template_type='analyze_file', language=language)
-        system_prompt_template = Template(prompts['system_prompt'], undefined=StrictUndefined)
-        user_prompt_template = Template(prompts['user_prompt'], undefined=StrictUndefined)
+        language = getattr(self.observer, "lang",
+                           "en") if self.observer else "en"
+        prompts = get_prompt_template(
+            template_type='analyze_file', language=language)
+        system_prompt_template = Template(
+            prompts['system_prompt'], undefined=StrictUndefined)
+        user_prompt_template = Template(
+            prompts['user_prompt'], undefined=StrictUndefined)
 
         system_prompt = system_prompt_template.render({'query': query})
         user_prompt = user_prompt_template.render({})
diff --git a/sdk/nexent/core/tools/datamate_search_tool.py b/sdk/nexent/core/tools/datamate_search_tool.py
index 0d7122ed6..fa6a2ed8c 100644
--- a/sdk/nexent/core/tools/datamate_search_tool.py
+++ b/sdk/nexent/core/tools/datamate_search_tool.py
@@ -14,15 +14,6 @@
 logger = logging.getLogger("datamate_search_tool")
 
 
-def _normalize_index_names(index_names: Optional[Union[str, List[str]]]) -> List[str]:
-    """Normalize index_names to list; accept single string and keep None as empty list."""
-    if index_names is None:
-        return []
-    if isinstance(index_names, str):
-        return [index_names]
-    return list(index_names)
-
-
 class DataMateSearchTool(Tool):
     """DataMate knowledge base search tool"""
     name = "datamate_search"
@@ -47,11 +38,11 @@ class DataMateSearchTool(Tool):
 
     def __init__(
         self,
-        server_url: str = Field(description="DataMate server url"),
+        server_url: str = Field(description="DataMate server url. (e.g., 'https://192.168.1.100:8080' or 'https://datamate.example.com:8443')"),
         verify_ssl: bool = Field(
             description="Whether to verify SSL certificates for HTTPS connections", default=False),
         index_names: List[str] = Field(
-            description="The list of index names to search", default=None, exclude=True),
+            description="The list of index names to search"),
         observer: MessageObserver = Field(
             description="Message observer", default=None, exclude=True),
         top_k: int = Field(
diff --git a/sdk/nexent/core/tools/dify_search_tool.py b/sdk/nexent/core/tools/dify_search_tool.py
index bc964acd2..26982a925 100644
--- a/sdk/nexent/core/tools/dify_search_tool.py
+++ b/sdk/nexent/core/tools/dify_search_tool.py
@@ -8,6 +8,7 @@
 
 from ..utils.observer import MessageObserver, ProcessType
 from ..utils.tools_common_message import SearchResultTextMessage, ToolCategory, ToolSign
+from ...utils.http_client_manager import http_client_manager
 
 
 # Get logger instance
@@ -34,7 +35,7 @@ class DifySearchTool(Tool):
 
     def __init__(
         self,
-        server_url: str = Field(description="Dify API base URL"),
+        server_url: str = Field(description="Dify API base URL. (e.g., 'https://api.dify.ai/v1')"),
         api_key: str = Field(description="Dify API key with Bearer token"),
         dataset_ids: str = Field(
             description="JSON string array of Dify dataset IDs"),
@@ -69,19 +70,23 @@ def __init__(
             raise ValueError(
                 "api_key is required and must be a non-empty string")
 
-        # Parse and validate dataset_ids from JSON string
-        if not dataset_ids or not isinstance(dataset_ids, str):
+        # Parse and validate dataset_ids from string or list
+        if not dataset_ids:
             raise ValueError(
-                "dataset_ids is required and must be a non-empty JSON string array")
+                "dataset_ids is required and must be a non-empty JSON string array or list")
         try:
-            parsed_ids = json.loads(dataset_ids)
+            # Handle both JSON string array and plain list
+            if isinstance(dataset_ids, str):
+                parsed_ids = json.loads(dataset_ids)
+            else:
+                parsed_ids = dataset_ids
             if not isinstance(parsed_ids, list) or not parsed_ids:
                 raise ValueError(
-                    "dataset_ids must be a non-empty JSON array of strings")
+                    "dataset_ids must be a non-empty array of strings")
             self.dataset_ids = [str(item) for item in parsed_ids]
         except (json.JSONDecodeError, TypeError) as e:
             raise ValueError(
-                f"dataset_ids must be a valid JSON string array: {str(e)}")
+                f"dataset_ids must be a valid JSON string array or list: {str(e)}")
 
         self.server_url = server_url.rstrip("/")
         self.api_key = api_key
@@ -89,6 +94,13 @@ def __init__(
         self.search_method = search_method
         self.observer = observer
 
+        # Cache HTTP client for reuse (uses shared HttpClientManager internally)
+        self._http_client = http_client_manager.get_sync_client(
+            base_url=self.server_url,
+            timeout=30.0,
+            verify_ssl=True
+        )
+
         self.record_ops = 1  # To record serial number
         self.running_prompt_zh = "Dify知识库检索中..."
         self.running_prompt_en = "Searching Dify knowledge base..."
@@ -220,12 +232,12 @@ def _get_document_download_url(self, document_id: str, dataset_id: str = None) -
         }
 
         try:
-            with httpx.Client(timeout=30) as client:
-                response = client.get(url, headers=headers)
-                response.raise_for_status()
+            # Use cached HTTP client for requests
+            response = self._http_client.get(url, headers=headers)
+            response.raise_for_status()
 
-                result = response.json()
-                return result.get("download_url", "")
+            result = response.json()
+            return result.get("download_url", "")
 
         except httpx.RequestError as e:
             logger.warning(
@@ -302,18 +314,19 @@ def _search_dify_knowledge_base(self, query: str, top_k: int, search_method: str
         }
 
         try:
-            with httpx.Client(timeout=30) as client:
-                response = client.post(url, headers=headers, json=payload)
-                response.raise_for_status()
+            # Use cached HTTP client for requests
+            response = self._http_client.post(
+                url, headers=headers, json=payload)
+            response.raise_for_status()
 
-                result = response.json()
+            result = response.json()
 
-                # Validate that required keys are present
-                if "records" not in result:
-                    raise Exception(
-                        "Unexpected Dify API response format: missing 'records' key")
+            # Validate that required keys are present
+            if "records" not in result:
+                raise Exception(
+                    "Unexpected Dify API response format: missing 'records' key")
 
-                return result
+            return result
 
         except httpx.RequestError as e:
             raise Exception(f"Dify API request failed: {str(e)}")
diff --git a/sdk/nexent/core/tools/knowledge_base_search_tool.py b/sdk/nexent/core/tools/knowledge_base_search_tool.py
index fe231cbc3..4120dd53e 100644
--- a/sdk/nexent/core/tools/knowledge_base_search_tool.py
+++ b/sdk/nexent/core/tools/knowledge_base_search_tool.py
@@ -1,6 +1,6 @@
 import json
 import logging
-from typing import Dict, List, Optional, Union
+from typing import List
 
 from pydantic import Field
 from smolagents.tools import Tool
@@ -40,9 +40,7 @@ def __init__(
         top_k: int = Field(
             description="Maximum number of search results", default=3),
         index_names: List[str] = Field(
-            description="The list of index names to search", default=None, exclude=True),
-        name_resolver: Optional[Dict[str, str]] = Field(
-            description="Mapping from knowledge_name to index_name", default=None, exclude=True),
+            description="The list of index names to search"),
         search_mode: str = Field(
             description="the search mode, optional values: hybrid, accurate, semantic",
             default="hybrid",
@@ -68,7 +66,6 @@ def __init__(
         self.observer = observer
         self.vdb_core = vdb_core
         self.index_names = [] if index_names is None else index_names
-        self.name_resolver: Dict[str, str] = name_resolver or {}
         self.search_mode = search_mode
         self.embedding_model = embedding_model
 
@@ -76,27 +73,6 @@ def __init__(
         self.running_prompt_zh = "知识库检索中..."
         self.running_prompt_en = "Searching the knowledge base..."
 
-    def update_name_resolver(self, new_mapping: Dict[str, str]) -> None:
-        """Update the mapping from knowledge_name to index_name at runtime."""
-        self.name_resolver = new_mapping or {}
-
-    def _resolve_names(self, names: List[str]) -> List[str]:
-        """Resolve user-facing knowledge names to internal index names."""
-        if not names:
-            return []
-        if not self.name_resolver:
-            logger.warning(
-                "No name resolver provided, returning original names")
-            return names
-        return [self.name_resolver.get(name, name) for name in names]
-
-    def _normalize_index_names(self, index_names: Optional[Union[str, List[str]]]) -> List[str]:
-        """Normalize index_names to list; accept single string and keep None as empty list."""
-        if index_names is None:
-            return []
-        if isinstance(index_names, str):
-            return [index_names]
-        return list(index_names)
 
     def forward(self, query: str) -> str:
         # Send tool run message
@@ -108,14 +84,9 @@ def forward(self, query: str) -> str:
                 card_content, ensure_ascii=False))
 
         # Use the instance index_names and search_mode
-        index_names = self.index_names
+        search_index_names = self.index_names
         search_mode = self.search_mode
 
-        # Use provided index_names if available, otherwise use default
-        search_index_names = self._normalize_index_names(
-            index_names if index_names is not None else self.index_names)
-        search_index_names = self._resolve_names(search_index_names)
-
         # Log the index_names being used for this search
         logger.info(
             f"KnowledgeBaseSearchTool called with query: '{query}', search_mode: '{search_mode}', index_names: {search_index_names}"
diff --git a/sdk/nexent/core/utils/prompt_template_utils.py b/sdk/nexent/core/utils/prompt_template_utils.py
index af38e228d..abf694549 100644
--- a/sdk/nexent/core/utils/prompt_template_utils.py
+++ b/sdk/nexent/core/utils/prompt_template_utils.py
@@ -14,11 +14,11 @@
 # Define template path mapping
 template_paths = {
     'analyze_image': {
-        LANGUAGE["ZH"]: 'core/prompts/analyze_image.yaml',
+        LANGUAGE["ZH"]: 'core/prompts/analyze_image_zh.yaml',
         LANGUAGE["EN"]: 'core/prompts/analyze_image_en.yaml'
     },
     'analyze_file': {
-        LANGUAGE["ZH"]: 'core/prompts/analyze_file.yaml',
+        LANGUAGE["ZH"]: 'core/prompts/analyze_file_zh.yaml',
         LANGUAGE["EN"]: 'core/prompts/analyze_file_en.yaml'
     }
 }
diff --git a/sdk/nexent/datamate/datamate_client.py b/sdk/nexent/datamate/datamate_client.py
index 4ce65c29d..d0894db76 100644
--- a/sdk/nexent/datamate/datamate_client.py
+++ b/sdk/nexent/datamate/datamate_client.py
@@ -8,6 +8,8 @@
 from typing import Dict, List, Optional, Any
 import httpx
 
+from ..utils.http_client_manager import http_client_manager
+
 logger = logging.getLogger("datamate_client")
 
 
@@ -17,21 +19,32 @@ class DataMateClient:
 
     This client encapsulates all DataMate API calls and provides a clean interface
     for datamate knowledge base operations.
+
+    Uses shared HttpClientManager for connection pooling to avoid socket exhaustion
+    and port conflicts on Windows systems.
     """
 
-    def __init__(self, base_url: str, timeout: float = 30.0, verify_ssl: bool = True):
+    def __init__(self, base_url: str, timeout: float = 5.0, verify_ssl: bool = True):
         """
         Initialize DataMate client.
 
         Args:
             base_url: Base URL of DataMate server (e.g., "http://jasonwang.site:30000")
-            timeout: Request timeout in seconds (default: 30.0)
+            timeout: Request timeout in seconds (default: 5.0)
             verify_ssl: Whether to verify SSL certificates (default: True)
         """
         self.base_url = base_url.rstrip("/")
         self.timeout = timeout
         self.verify_ssl = verify_ssl
-        logger.info(f"Initialized DataMateClient with base_url: {self.base_url}, verify_ssl: {self.verify_ssl}")
+        # Cache HTTP client for reuse (uses shared HttpClientManager internally)
+        # This avoids socket exhaustion and port conflicts on Windows
+        self._http_client = http_client_manager.get_sync_client(
+            base_url=self.base_url,
+            timeout=self.timeout,
+            verify_ssl=self.verify_ssl
+        )
+        logger.info(
+            f"Initialized DataMateClient with base_url: {self.base_url}, verify_ssl: {self.verify_ssl}")
 
     def _build_url(self, path: str) -> str:
         """Build full URL from path."""
@@ -70,7 +83,8 @@ def _handle_error_response(self, response: httpx.Response, error_message: str) -
             if response.headers.get("content-type", "").startswith("application/json")
             else response.text
         )
-        raise Exception(f"{error_message} (status {response.status_code}): {error_detail}")
+        raise Exception(
+            f"{error_message} (status {response.status_code}): {error_detail}")
 
     def _make_request(
         self,
@@ -84,12 +98,14 @@ def _make_request(
         """
         Make HTTP request with error handling.
 
+        Uses the cached HTTP client for requests.
+
         Args:
             method: HTTP method ("GET" or "POST")
             url: Request URL
             headers: Request headers
             json: Optional JSON payload for POST requests
-            timeout: Optional timeout override
+            timeout: Optional timeout override (passed to request, not client creation)
             error_message: Error message to use if request fails
 
         Returns:
@@ -100,18 +116,21 @@ def _make_request(
         """
         request_timeout = timeout if timeout is not None else self.timeout
 
-        with httpx.Client(timeout=request_timeout, verify=self.verify_ssl) as client:
-            if method.upper() == "GET":
-                response = client.get(url, headers=headers)
-            elif method.upper() == "POST":
-                response = client.post(url, json=json, headers=headers)
-            else:
-                raise ValueError(f"Unsupported HTTP method: {method}")
+        # Use cached HTTP client for requests
+        # Note: timeout passed to request method overrides client's default
+        if method.upper() == "GET":
+            response = self._http_client.get(
+                url, headers=headers, timeout=request_timeout)
+        elif method.upper() == "POST":
+            response = self._http_client.post(
+                url, json=json, headers=headers, timeout=request_timeout)
+        else:
+            raise ValueError(f"Unsupported HTTP method: {method}")
 
-            if response.status_code != 200:
-                self._handle_error_response(response, error_message)
+        if response.status_code != 200:
+            self._handle_error_response(response, error_message)
 
-            return response
+        return response
 
     def list_knowledge_bases(
         self,
@@ -138,9 +157,11 @@ def list_knowledge_bases(
             payload = {"page": page, "size": size}
             headers = self._build_headers(authorization)
 
-            logger.info(f"Fetching DataMate knowledge bases from: {url}, page={page}, size={size}")
+            logger.info(
+                f"Fetching DataMate knowledge bases from: {url}, page={page}, size={size}")
 
-            response = self._make_request("POST", url, headers, json=payload, error_message="Failed to get knowledge base list")
+            response = self._make_request(
+                "POST", url, headers, json=payload, error_message="Failed to get knowledge base list")
             data = response.json()
 
             # Extract knowledge base list from response
@@ -148,15 +169,20 @@ def list_knowledge_bases(
             if data.get("data"):
                 knowledge_bases = data.get("data").get("content", [])
 
-            logger.info(f"Successfully fetched {len(knowledge_bases)} knowledge bases from DataMate")
+            logger.info(
+                f"Successfully fetched {len(knowledge_bases)} knowledge bases from DataMate")
             return knowledge_bases
 
         except httpx.HTTPError as e:
-            logger.error(f"HTTP error while fetching DataMate knowledge bases: {str(e)}")
-            raise RuntimeError(f"Failed to fetch DataMate knowledge bases: {str(e)}")
+            logger.error(
+                f"HTTP error while fetching DataMate knowledge bases: {str(e)}")
+            raise RuntimeError(
+                f"Failed to fetch DataMate knowledge bases: {str(e)}")
         except Exception as e:
-            logger.error(f"Unexpected error while fetching DataMate knowledge bases: {str(e)}")
-            raise RuntimeError(f"Failed to fetch DataMate knowledge bases: {str(e)}")
+            logger.error(
+                f"Unexpected error while fetching DataMate knowledge bases: {str(e)}")
+            raise RuntimeError(
+                f"Failed to fetch DataMate knowledge bases: {str(e)}")
 
     def get_knowledge_base_files(
         self,
diff --git a/sdk/nexent/utils/__init__.py b/sdk/nexent/utils/__init__.py
new file mode 100644
index 000000000..6f4bcb059
--- /dev/null
+++ b/sdk/nexent/utils/__init__.py
@@ -0,0 +1,3 @@
+"""
+Utility modules for the Nexent SDK.
+"""
diff --git a/sdk/nexent/utils/http_client_manager.py b/sdk/nexent/utils/http_client_manager.py
new file mode 100644
index 000000000..3a13f58af
--- /dev/null
+++ b/sdk/nexent/utils/http_client_manager.py
@@ -0,0 +1,368 @@
+"""
+Shared HTTP Client Manager for connection pooling and lifecycle management.
+
+This module provides a singleton HTTP client manager that enables efficient
+connection pooling across multiple services (DataMate, Dify, etc.) to avoid
+socket exhaustion and port conflicts on Windows systems.
+
+    Usage:
+    from nexent.utils.http_client_manager import http_client_manager
+
+    # Get the shared sync client (configurable per base_url)
+    client = http_client_manager.get_sync_client(
+        base_url="https://api.example.com",
+        timeout=30.0,
+        verify_ssl=True
+    )
+
+    # Different configs for same base_url create separate clients
+    client2 = http_client_manager.get_sync_client(
+        base_url="https://api.example.com",
+        timeout=60.0,  # Different timeout = separate client
+        verify_ssl=False  # Different SSL setting = separate client
+    )
+
+    # Make requests using the shared client
+    response = client.get("/api/endpoint")
+
+    # Use as context manager for automatic cleanup (recommended)
+    with http_client_manager as manager:
+        client = manager.get_sync_client(base_url="https://api.example.com")
+        response = client.get("/api/endpoint")
+    # All HTTP clients are automatically closed when exiting the context
+
+    # Manual shutdown when not using context manager
+    # http_client_manager.shutdown()
+"""
+import logging
+import threading
+from contextlib import contextmanager
+from typing import Dict, Optional, Any
+from dataclasses import dataclass, field
+
+import httpx
+from httpx import Limits
+
+logger = logging.getLogger("http_client_manager")
+
+
+@dataclass
+class ClientConfig:
+    """Configuration for an HTTP client."""
+    base_url: str
+    timeout: float = 30.0
+    verify_ssl: bool = True
+    limits: Limits = field(default_factory=lambda: Limits(
+        max_connections=100,
+        max_keepalive_connections=20
+    ))
+
+
+class HttpClientManager:
+    """
+    Singleton HTTP client manager for connection pooling and lifecycle management.
+
+    This manager maintains a registry of HTTP clients for different base URLs,
+    reusing connections across requests to avoid socket exhaustion and port conflicts.
+
+    Features:
+    - Singleton pattern: single instance across the entire application
+    - Connection pooling: reuse connections for the same base URL
+    - Thread-safe: uses locks for thread-safe client access
+    - Lazy initialization: clients are created on-demand
+    - Graceful shutdown: properly close all clients on shutdown
+    """
+
+    _instance: Optional['HttpClientManager'] = None
+    _lock: threading.Lock = threading.Lock()
+
+    def __new__(cls) -> 'HttpClientManager':
+        """Ensure singleton pattern with thread-safe initialization."""
+        if cls._instance is None:
+            with cls._lock:
+                if cls._instance is None:
+                    cls._instance = super().__new__(cls)
+                    cls._instance._initialized = False
+        return cls._instance
+
+    def __init__(self):
+        """Initialize the HTTP client manager if not already initialized."""
+        if self._initialized:
+            return
+
+        self._clients: Dict[str, httpx.Client] = {}
+        self._async_clients: Dict[str, httpx.AsyncClient] = {}
+        self._configs: Dict[str, ClientConfig] = {}
+        self._lock = threading.Lock()
+        self._initialized = True
+        logger.info("HttpClientManager initialized (singleton)")
+
+    def __enter__(self) -> 'HttpClientManager':
+        """
+        Support context manager protocol for automatic resource cleanup.
+
+        Usage:
+            with http_client_manager as manager:
+                client = manager.get_sync_client(base_url="https://api.example.com")
+                response = client.get("/api/endpoint")
+            # All HTTP clients are automatically closed when exiting the context
+
+        Returns:
+            HttpClientManager: The singleton instance itself
+        """
+        return self
+
+    def __exit__(self, exc_type, exc_val, exc_tb) -> None:
+        """
+        Exit context manager and close all HTTP clients.
+
+        This method is automatically called when exiting the with statement,
+        ensuring all HTTP connections are properly closed regardless of
+        whether an exception occurred.
+
+        Args:
+            exc_type: Exception type (if any)
+            exc_val: Exception value (if any)
+            exc_tb: Exception traceback (if any)
+        """
+        self.shutdown()
+
+    def _get_client_key(self, base_url: str, timeout: float, verify_ssl: bool) -> str:
+        """
+        Generate a unique key for client registry based on URL, timeout, and SSL setting.
+
+        Different configurations (timeout, verify_ssl) for the same base_url
+        will create separate client instances to ensure correct behavior.
+        """
+        return f"{base_url}|{timeout}|{verify_ssl}"
+
+    def get_sync_client(self, base_url: str, timeout: float = 30.0,
+                        verify_ssl: bool = True) -> httpx.Client:
+        """
+        Get or create a synchronous HTTP client for the given configuration.
+
+        Different timeout or verify_ssl settings for the same base_url will
+        create separate client instances.
+
+        Args:
+            base_url: Base URL for the HTTP client
+            timeout: Request timeout in seconds (default: 30.0)
+            verify_ssl: Whether to verify SSL certificates (default: True)
+
+        Returns:
+            httpx.Client instance configured for the given parameters
+        """
+        key = self._get_client_key(base_url, timeout, verify_ssl)
+
+        with self._lock:
+            if key not in self._clients:
+                logger.info(
+                    f"Creating sync HTTP client for: {base_url} (timeout={timeout}, verify_ssl={verify_ssl})")
+                self._configs[key] = ClientConfig(
+                    base_url=base_url,
+                    timeout=timeout,
+                    verify_ssl=verify_ssl
+                )
+                self._clients[key] = httpx.Client(
+                    timeout=timeout,
+                    verify=verify_ssl,
+                    limits=Limits(
+                        max_connections=100,
+                        max_keepalive_connections=20
+                    )
+                )
+                logger.info(f"Sync HTTP client created for {base_url}")
+
+            return self._clients[key]
+
+    def get_async_client(self, base_url: str, timeout: float = 30.0,
+                         verify_ssl: bool = True) -> httpx.AsyncClient:
+        """
+        Get or create an asynchronous HTTP client for the given configuration.
+
+        Different timeout or verify_ssl settings for the same base_url will
+        create separate client instances.
+
+        Args:
+            base_url: Base URL for the HTTP client
+            timeout: Request timeout in seconds (default: 30.0)
+            verify_ssl: Whether to verify SSL certificates (default: True)
+
+        Returns:
+            httpx.AsyncClient instance configured for the given parameters
+        """
+        key = self._get_client_key(base_url, timeout, verify_ssl)
+
+        with self._lock:
+            if key not in self._async_clients:
+                logger.info(
+                    f"Creating async HTTP client for: {base_url} (timeout={timeout}, verify_ssl={verify_ssl})")
+                self._configs[key] = ClientConfig(
+                    base_url=base_url,
+                    timeout=timeout,
+                    verify_ssl=verify_ssl
+                )
+                self._async_clients[key] = httpx.AsyncClient(
+                    timeout=timeout,
+                    verify=verify_ssl,
+                    limits=Limits(
+                        max_connections=100,
+                        max_keepalive_connections=20
+                    )
+                )
+                logger.info(f"Async HTTP client created for {base_url}")
+
+            return self._async_clients[key]
+
+    def get_client_config(self, base_url: str, timeout: float = 30.0,
+                          verify_ssl: bool = True) -> Optional[ClientConfig]:
+        """Get the configuration for a specific client."""
+        key = self._get_client_key(base_url, timeout, verify_ssl)
+        return self._configs.get(key)
+
+    def close_client(self, base_url: str, timeout: float = 30.0,
+                     verify_ssl: bool = True) -> bool:
+        """
+        Close and remove a specific HTTP client.
+
+        Args:
+            base_url: Base URL of the client to close
+            timeout: Timeout setting of the client
+            verify_ssl: SSL verification setting of the client
+
+        Returns:
+            True if client was found and closed, False otherwise
+        """
+        key = self._get_client_key(base_url, timeout, verify_ssl)
+
+        with self._lock:
+            if key in self._clients:
+                try:
+                    self._clients[key].close()
+                    del self._clients[key]
+                    logger.info(f"Closed sync HTTP client: {base_url}")
+                    return True
+                except Exception as e:
+                    logger.error(f"Error closing sync client: {e}")
+                    return False
+            return False
+
+    async def close_async_client(self, base_url: str, timeout: float = 30.0,
+                                 verify_ssl: bool = True) -> bool:
+        """
+        Close and remove a specific async HTTP client.
+
+        Args:
+            base_url: Base URL of the client to close
+            timeout: Timeout setting of the client
+            verify_ssl: SSL verification setting of the client
+
+        Returns:
+            True if client was found and closed, False otherwise
+        """
+        key = self._get_client_key(base_url, timeout, verify_ssl)
+
+        with self._lock:
+            if key in self._async_clients:
+                try:
+                    await self._async_clients[key].aclose()
+                    del self._async_clients[key]
+                    logger.info(f"Closed async HTTP client: {base_url}")
+                    return True
+                except Exception as e:
+                    logger.error(f"Error closing async client: {e}")
+                    return False
+            return False
+
+    def shutdown(self) -> None:
+        """
+        Gracefully shutdown all HTTP clients.
+
+        This method should be called when the application is shutting down
+        to properly release all resources and close all connections.
+        """
+        logger.info("Shutting down HttpClientManager...")
+
+        with self._lock:
+            # Close all sync clients
+            for key, client in list(self._clients.items()):
+                try:
+                    base_url = self._configs.get(
+                        key, ClientConfig(base_url=key)).base_url
+                    client.close()
+                    logger.info(f"Closed sync HTTP client: {base_url}")
+                except Exception as e:
+                    logger.error(f"Error closing sync client: {e}")
+            self._clients.clear()
+
+            # Note: Async clients should be closed using aclose()
+            # They remain in the dict for now as we can't await in sync context
+            if self._async_clients:
+                logger.warning(
+                    f"There are {len(self._async_clients)} async clients still open. "
+                    "They should be closed using close_all_async_clients()"
+                )
+
+            self._configs.clear()
+            logger.info("HttpClientManager shutdown complete")
+
+    async def shutdown_async(self) -> None:
+        """
+        Gracefully shutdown all HTTP clients (async version).
+
+        This method properly closes both sync and async clients.
+        """
+        logger.info("Shutting down HttpClientManager (async)...")
+
+        with self._lock:
+            # Close all sync clients
+            for key, client in list(self._clients.items()):
+                try:
+                    base_url = self._configs.get(
+                        key, ClientConfig(base_url=key)).base_url
+                    client.close()
+                    logger.info(f"Closed sync HTTP client: {base_url}")
+                except Exception as e:
+                    logger.error(f"Error closing sync client: {e}")
+            self._clients.clear()
+
+            # Close all async clients
+            for key, client in list(self._async_clients.items()):
+                try:
+                    base_url = self._configs.get(
+                        key, ClientConfig(base_url=key)).base_url
+                    await client.aclose()
+                    logger.info(f"Closed async HTTP client: {base_url}")
+                except Exception as e:
+                    logger.error(f"Error closing async client: {e}")
+            self._async_clients.clear()
+            self._configs.clear()
+
+            logger.info("HttpClientManager shutdown complete (async)")
+
+    def get_stats(self) -> Dict[str, Any]:
+        """
+        Get statistics about the HTTP client manager.
+
+        Returns:
+            Dictionary containing client statistics
+        """
+        with self._lock:
+            return {
+                "sync_clients_count": len(self._clients),
+                "async_clients_count": len(self._async_clients),
+                "configs_count": len(self._configs),
+                "clients": [
+                    {
+                        "base_url": config.base_url,
+                        "verify_ssl": config.verify_ssl,
+                        "timeout": config.timeout,
+                        "is_async": key in self._async_clients
+                    }
+                    for key, config in self._configs.items()
+                ]
+            }
+
+
+# Global singleton instance
+http_client_manager = HttpClientManager()
diff --git a/sdk/nexent/vector_database/datamate_core.py b/sdk/nexent/vector_database/datamate_core.py
index 8a1612517..ecb22630d 100644
--- a/sdk/nexent/vector_database/datamate_core.py
+++ b/sdk/nexent/vector_database/datamate_core.py
@@ -56,7 +56,7 @@ def _parse_timestamp(timestamp: Any, default: int = 0) -> int:
 class DataMateCore(VectorDatabaseCore):
     """VectorDatabaseCore implementation backed by the DataMate REST API."""
 
-    def __init__(self, base_url: str, timeout: float = 30.0, verify_ssl: bool = True):
+    def __init__(self, base_url: str, timeout: float = 5.0, verify_ssl: bool = True):
         self.client = DataMateClient(
             base_url=base_url, timeout=timeout, verify_ssl=verify_ssl)
 
@@ -64,11 +64,13 @@ def __init__(self, base_url: str, timeout: float = 30.0, verify_ssl: bool = True
     def create_index(self, index_name: str, embedding_dim: Optional[int] = None) -> bool:
         """DataMate API does not support index creation via SDK."""
         _ = embedding_dim
-        raise NotImplementedError("DataMate SDK does not support creating indices.")
+        raise NotImplementedError(
+            "DataMate SDK does not support creating indices.")
 
     def delete_index(self, index_name: str) -> bool:
         """DataMate API does not support deleting indices via SDK."""
-        raise NotImplementedError("DataMate SDK does not support deleting indices.")
+        raise NotImplementedError(
+            "DataMate SDK does not support deleting indices.")
 
     def get_user_indices(self, index_pattern: str = "*") -> List[str]:
         """Return DataMate knowledge base IDs as index identifiers."""
@@ -100,11 +102,13 @@ def vectorize_documents(
             embedding_batch_size,
             progress_callback,
         )
-        raise NotImplementedError("DataMate SDK does not support direct document ingestion.")
+        raise NotImplementedError(
+            "DataMate SDK does not support direct document ingestion.")
 
     def delete_documents(self, index_name: str, path_or_url: str) -> int:
         _ = (index_name, path_or_url)
-        raise NotImplementedError("DataMate SDK does not support deleting documents.")
+        raise NotImplementedError(
+            "DataMate SDK does not support deleting documents.")
 
     def get_index_chunks(
             self,
@@ -124,15 +128,18 @@ def get_index_chunks(
 
     def create_chunk(self, index_name: str, chunk: Dict[str, Any]) -> Dict[str, Any]:
         _ = (index_name, chunk)
-        raise NotImplementedError("DataMate SDK does not support creating individual chunks.")
+        raise NotImplementedError(
+            "DataMate SDK does not support creating individual chunks.")
 
     def update_chunk(self, index_name: str, chunk_id: str, chunk_updates: Dict[str, Any]) -> Dict[str, Any]:
         _ = (index_name, chunk_id, chunk_updates)
-        raise NotImplementedError("DataMate SDK does not support updating chunks.")
+        raise NotImplementedError(
+            "DataMate SDK does not support updating chunks.")
 
     def delete_chunk(self, index_name: str, chunk_id: str) -> bool:
         _ = (index_name, chunk_id)
-        raise NotImplementedError("DataMate SDK does not support deleting chunks.")
+        raise NotImplementedError(
+            "DataMate SDK does not support deleting chunks.")
 
     def count_documents(self, index_name: str) -> int:
         files = self.client.get_knowledge_base_files(index_name)
@@ -141,21 +148,25 @@ def count_documents(self, index_name: str) -> int:
     # ---- SEARCH OPERATIONS ----
     def search(self, index_name: str, query: Dict[str, Any]) -> Dict[str, Any]:
         _ = (index_name, query)
-        raise NotImplementedError("DataMate SDK does not support raw search API.")
+        raise NotImplementedError(
+            "DataMate SDK does not support raw search API.")
 
     def multi_search(self, body: List[Dict[str, Any]], index_name: str) -> Dict[str, Any]:
         _ = (body, index_name)
-        raise NotImplementedError("DataMate SDK does not support multi search API.")
+        raise NotImplementedError(
+            "DataMate SDK does not support multi search API.")
 
     def accurate_search(self, index_names: List[str], query_text: str, top_k: int = 5) -> List[Dict[str, Any]]:
         _ = (index_names, query_text, top_k)
-        raise NotImplementedError("DataMate SDK does not support accurate search API.")
+        raise NotImplementedError(
+            "DataMate SDK does not support accurate search API.")
 
     def semantic_search(
             self, index_names: List[str], query_text: str, embedding_model: BaseEmbedding, top_k: int = 5
     ) -> List[Dict[str, Any]]:
         _ = (index_names, query_text, embedding_model, top_k)
-        raise NotImplementedError("DataMate SDK does not support semantic search API.")
+        raise NotImplementedError(
+            "DataMate SDK does not support semantic search API.")
 
     # ---- SEARCH OPERATIONS ----
     def hybrid_search(
@@ -183,7 +194,8 @@ def hybrid_search(
             RuntimeError: If the API request fails
         """
         _ = embedding_model  # Explicitly ignored
-        retrieve_knowledge = self.client.retrieve_knowledge_base(query_text, index_names, top_k, weight_accurate)
+        retrieve_knowledge = self.client.retrieve_knowledge_base(
+            query_text, index_names, top_k, weight_accurate)
         return retrieve_knowledge
 
     # ---- STATISTICS AND MONITORING ----
@@ -209,7 +221,7 @@ def get_documents_detail(self, index_name: str) -> List[Dict[str, Any]]:
         return results
 
     def get_indices_detail(self, index_names: List[str], embedding_dim: Optional[int] = None) -> Tuple[Dict[
-        str, Dict[str, Any]], List[str]]:
+            str, Dict[str, Any]], List[str]]:
         details: Dict[str, Dict[str, Any]] = {}
         knowledge_base_names = []
         for kb_id in index_names:
@@ -218,7 +230,8 @@ def get_indices_detail(self, index_names: List[str], embedding_dim: Optional[int
                 kb_info = self.client.get_knowledge_base_info(kb_id)
 
                 # Extract data from knowledge base info
-                doc_count = kb_info.get("fileCount")  # Number of unique documents (files)
+                # Number of unique documents (files)
+                doc_count = kb_info.get("fileCount")
                 knowledge_base_name = kb_info.get("name")
                 knowledge_base_names.append(knowledge_base_name)
                 chunk_count = kb_info.get("chunkCount")
@@ -245,8 +258,10 @@ def get_indices_detail(self, index_names: List[str], embedding_dim: Optional[int
                 # Build performance dict (DataMate API may not provide search stats)
                 performance = {"total_search_count": 0, "hit_count": 0}
 
-                details[kb_id] = {"base_info": base_info, "search_performance": performance}
+                details[kb_id] = {"base_info": base_info,
+                                  "search_performance": performance}
             except Exception as exc:
-                logger.error(f"Error getting stats for knowledge base {kb_id}: {str(exc)}")
+                logger.error(
+                    f"Error getting stats for knowledge base {kb_id}: {str(exc)}")
                 details[kb_id] = {"error": str(exc)}
         return details, knowledge_base_names
diff --git a/sdk/nexent/vector_database/elasticsearch_core.py b/sdk/nexent/vector_database/elasticsearch_core.py
index 8abe046f4..e87afdf5e 100644
--- a/sdk/nexent/vector_database/elasticsearch_core.py
+++ b/sdk/nexent/vector_database/elasticsearch_core.py
@@ -939,7 +939,9 @@ def accurate_search(self, index_names: List[str], query_text: str, top_k: int =
         }
 
         # Execute the search across multiple indices
-        return self.exec_query(index_pattern, search_query)
+        raw_results = self.exec_query(index_pattern, search_query)
+
+        return raw_results
 
     def exec_query(self, index_pattern, search_query):
         response = self.client.search(index=index_pattern, body=search_query)
@@ -989,7 +991,9 @@ def semantic_search(
         }
 
         # Execute the search across multiple indices
-        return self.exec_query(index_pattern, search_query)
+        raw_results = self.exec_query(index_pattern, search_query)
+
+        return raw_results
 
     def hybrid_search(
         self,
@@ -1055,6 +1059,79 @@ def hybrid_search(
                     f"Warning: Missing required field in semantic result: {e}")
                 continue
 
+        # FIX: For chunks that are in accurate results but not in semantic results,
+        # generate embeddings and store them in ES, then re-execute semantic search
+        # This handles chunks that were manually added without going through normal embedding pipeline
+        accurate_doc_ids = set(r.get("document", {}).get("id") for r in accurate_results)
+        semantic_doc_ids = set(r.get("document", {}).get("id") for r in semantic_results)
+        missing_embedding_doc_ids = accurate_doc_ids - semantic_doc_ids
+
+        if missing_embedding_doc_ids:
+            logger.info(
+                f"Found {len(missing_embedding_doc_ids)} chunks without stored embeddings, "
+                f"generating and storing embeddings in ES: {missing_embedding_doc_ids}")
+
+            # Process each chunk with missing embedding
+            for doc_id in missing_embedding_doc_ids:
+                if doc_id in combined_results:
+                    chunk_doc = combined_results[doc_id]
+                    chunk_content = chunk_doc["document"].get("content", "")
+                    index_name = chunk_doc.get("index", "")
+
+                    if chunk_content and index_name:
+                        # Generate embedding for chunk content
+                        chunk_embedding = embedding_model.get_embeddings(chunk_content)
+                        if chunk_embedding and len(chunk_embedding) > 0:
+                            # Update the document in ES with the embedding
+                            update_doc = chunk_doc["document"].copy()
+                            update_doc["embedding"] = chunk_embedding[0]
+                            if "embedding_model_name" not in update_doc:
+                                update_doc["embedding_model_name"] = embedding_model.embedding_model_name
+
+                            try:
+                                # Use create_chunk to store the chunk with embedding
+                                self.client.index(
+                                    index=index_name,
+                                    id=doc_id,
+                                    document=update_doc,
+                                    refresh="wait_for"
+                                )
+                                logger.debug(
+                                    f"Stored embedding for chunk {doc_id} in index {index_name}")
+                            except Exception as e:
+                                logger.warning(
+                                    f"Failed to store embedding for chunk {doc_id}: {e}")
+                                continue
+
+            # Re-execute semantic search now that ES has the new embeddings
+            logger.debug("Re-executing semantic search with updated embeddings")
+            semantic_results = self.semantic_search(
+                index_names, query_text, embedding_model=embedding_model, top_k=top_k)
+
+            # Clear and re-process semantic results with the new embeddings
+            # Remove old entries that came from accurate results
+            for doc_id in list(combined_results.keys()):
+                if doc_id in accurate_doc_ids:
+                    combined_results[doc_id]["semantic_score"] = 0
+
+            # Process updated semantic results
+            for result in semantic_results:
+                try:
+                    doc_id = result["document"]["id"]
+                    if doc_id in combined_results:
+                        combined_results[doc_id]["semantic_score"] = result.get("score", 0)
+                    else:
+                        combined_results[doc_id] = {
+                            "document": result["document"],
+                            "accurate_score": 0,
+                            "semantic_score": result.get("score", 0),
+                            "index": result["index"],
+                        }
+                except KeyError as e:
+                    logger.warning(
+                        f"Warning: Missing required field in semantic result: {e}")
+                    continue
+
         # Calculate maximum scores
         max_accurate = max([r.get("score", 0)
                            for r in accurate_results]) if accurate_results else 1
@@ -1093,7 +1170,9 @@ def hybrid_search(
 
         # Sort by combined score and return top k results
         results.sort(key=lambda x: x["score"], reverse=True)
-        return results[:top_k]
+        final_results = results[:top_k]
+
+        return final_results
 
     # ---- STATISTICS AND MONITORING ----
     def get_documents_detail(self, index_name: str) -> List[Dict[str, Any]]:
diff --git a/test/backend/agents/test_create_agent_info.py b/test/backend/agents/test_create_agent_info.py
index e9ae8baa7..1572c0844 100644
--- a/test/backend/agents/test_create_agent_info.py
+++ b/test/backend/agents/test_create_agent_info.py
@@ -295,7 +295,7 @@ async def test_create_tool_config_list_basic(self):
         """Test case for basic tool configuration list creation"""
         with patch('backend.agents.create_agent_info.discover_langchain_tools') as mock_discover, \
                 patch('backend.agents.create_agent_info.search_tools_for_sub_agent') as mock_search_tools, \
-                patch('backend.agents.create_agent_info.get_selected_knowledge_list') as mock_knowledge:
+                patch('backend.agents.create_agent_info.ToolConfig') as mock_tool_config:
 
             # Set mock return values
             mock_discover.return_value = []
@@ -311,7 +311,6 @@ async def test_create_tool_config_list_basic(self):
                     "usage": None
                 }
             ]
-            mock_knowledge.return_value = []
 
             result = await create_tool_config_list("agent_1", "tenant_1", "user_1")
 
@@ -333,7 +332,7 @@ async def test_create_tool_config_list_with_knowledge_base_tool(self):
         """Test case including the knowledge base search tool"""
         with patch('backend.agents.create_agent_info.discover_langchain_tools') as mock_discover, \
                 patch('backend.agents.create_agent_info.search_tools_for_sub_agent') as mock_search_tools, \
-                patch('backend.agents.create_agent_info.get_selected_knowledge_list') as mock_knowledge, \
+                patch('backend.agents.create_agent_info.ToolConfig') as mock_tool_config, \
                 patch('backend.agents.create_agent_info.get_vector_db_core') as mock_get_vector_db_core, \
                 patch('backend.agents.create_agent_info.get_embedding_model') as mock_embedding:
 
@@ -350,10 +349,6 @@ async def test_create_tool_config_list_with_knowledge_base_tool(self):
                     "usage": None
                 }
             ]
-            mock_knowledge.return_value = [
-                {"index_name": "knowledge_1"},
-                {"index_name": "knowledge_2"},
-            ]
             mock_vdb_core = "mock_elastic_core"
             mock_get_vector_db_core.return_value = mock_vdb_core
             mock_embedding.return_value = "mock_embedding_model"
@@ -363,6 +358,7 @@ async def test_create_tool_config_list_with_knowledge_base_tool(self):
             assert len(result) == 1
             # Verify that ToolConfig was called correctly, including knowledge base metadata
             # Check if the last call was for KnowledgeBaseSearchTool
+            mock_tool_config.assert_called()
             last_call = mock_tool_config.call_args_list[-1]
             assert last_call[1]['class_name'] == "KnowledgeBaseSearchTool"
 
@@ -440,20 +436,21 @@ async def test_create_tool_config_list_with_analyze_text_file_tool(self):
             }
 
     @pytest.mark.asyncio
-    async def test_create_tool_config_list_with_knowledge_base_tool_mixed_sources(self):
-        """Test KnowledgeBaseSearchTool filters only elasticsearch knowledge sources"""
+    async def test_create_tool_config_list_with_knowledge_base_tool_metadata(self):
+        """
+        Test that KnowledgeBaseSearchTool metadata contains only vdb_core and embedding_model.
+        This test verifies the refactored behavior where index_names and name_resolver
+        have been removed from the metadata.
+        """
         mock_tool_instance = MagicMock()
         mock_tool_instance.class_name = "KnowledgeBaseSearchTool"
         mock_tool_config.return_value = mock_tool_instance
 
-        with patch('backend.agents.create_agent_info.discover_langchain_tools') as mock_discover, \
+        with patch('backend.agents.create_agent_info.discover_langchain_tools', return_value=[]), \
                 patch('backend.agents.create_agent_info.search_tools_for_sub_agent') as mock_search_tools, \
-                patch('backend.agents.create_agent_info.get_selected_knowledge_list') as mock_knowledge, \
                 patch('backend.agents.create_agent_info.get_vector_db_core') as mock_get_vector_db_core, \
-                patch('backend.agents.create_agent_info.get_embedding_model') as mock_embedding, \
-                patch('backend.agents.create_agent_info.build_knowledge_name_mapping') as mock_build_mapping:
+                patch('backend.agents.create_agent_info.get_embedding_model') as mock_embedding:
 
-            mock_discover.return_value = []
             mock_search_tools.return_value = [
                 {
                     "class_name": "KnowledgeBaseSearchTool",
@@ -461,48 +458,157 @@ async def test_create_tool_config_list_with_knowledge_base_tool_mixed_sources(se
                     "description": "Knowledge search tool",
                     "inputs": "string",
                     "output_type": "string",
-                    "params": [],
+                    "params": [{"name": "index_names", "default": []}],
                     "source": "local",
                     "usage": None
                 }
             ]
-            # Mix of elasticsearch and datamate sources
-            mock_knowledge.return_value = [
-                {"index_name": "elastic_kb_1", "knowledge_sources": "elasticsearch"},
-                {"index_name": "datamate_kb_1", "knowledge_sources": "datamate"},
-                {"index_name": "elastic_kb_2", "knowledge_sources": "elasticsearch"},
-                {"index_name": "other_kb", "knowledge_sources": "other"}
-            ]
             mock_vdb_core = "mock_elastic_core"
+            mock_embedding_model = "mock_embedding_model"
             mock_get_vector_db_core.return_value = mock_vdb_core
-            mock_embedding.return_value = "mock_embedding_model"
-            mock_build_mapping.return_value = {"mapping": "mock"}
+            mock_embedding.return_value = mock_embedding_model
 
             result = await create_tool_config_list("agent_1", "tenant_1", "user_1")
 
             assert len(result) == 1
             assert result[0] is mock_tool_instance
-            # Should only include elasticsearch index names
-            expected_index_names = ["elastic_kb_1", "elastic_kb_2"]
-            assert mock_tool_instance.metadata["index_names"] == expected_index_names
+
+            # Verify correct functions were called with correct parameters
+            mock_get_vector_db_core.assert_called_once()
+            mock_embedding.assert_called_once_with(tenant_id="tenant_1")
+
+            # Verify metadata contains ONLY vdb_core and embedding_model (no index_names or name_resolver)
+            expected_metadata = {
+                "vdb_core": mock_vdb_core,
+                "embedding_model": mock_embedding_model,
+            }
+            assert mock_tool_instance.metadata == expected_metadata
+
+            # Explicitly verify that old fields are NOT present
+            assert "index_names" not in mock_tool_instance.metadata
+            assert "name_resolver" not in mock_tool_instance.metadata
 
     @pytest.mark.asyncio
-    async def test_create_tool_config_list_with_datamate_tool(self):
-        """Test DataMateSearchTool filters only datamate knowledge sources"""
+    async def test_create_tool_config_list_with_knowledge_base_tool_multiple_tools(self):
+        """
+        Test that multiple tools are processed correctly, with KnowledgeBaseSearchTool
+        receiving the correct metadata without index_names.
+        """
+        mock_tool_kb = MagicMock()
+        mock_tool_kb.class_name = "KnowledgeBaseSearchTool"
+
+        mock_tool_other = MagicMock()
+        mock_tool_other.class_name = "OtherTool"
+
+        with patch('backend.agents.create_agent_info.ToolConfig') as mock_tool_config, \
+                patch('backend.agents.create_agent_info.discover_langchain_tools', return_value=[]), \
+                patch('backend.agents.create_agent_info.search_tools_for_sub_agent') as mock_search_tools, \
+                patch('backend.agents.create_agent_info.get_vector_db_core') as mock_get_vector_db_core, \
+                patch('backend.agents.create_agent_info.get_embedding_model') as mock_embedding:
+
+            mock_tool_config.side_effect = [mock_tool_kb, mock_tool_other]
+
+            mock_search_tools.return_value = [
+                {
+                    "class_name": "KnowledgeBaseSearchTool",
+                    "name": "kb_search",
+                    "description": "Knowledge search",
+                    "inputs": "string",
+                    "output_type": "string",
+                    "params": [],
+                    "source": "local",
+                    "usage": None
+                },
+                {
+                    "class_name": "OtherTool",
+                    "name": "other",
+                    "description": "Other tool",
+                    "inputs": "string",
+                    "output_type": "string",
+                    "params": [],
+                    "source": "local",
+                    "usage": None
+                }
+            ]
+            mock_get_vector_db_core.return_value = "vdb_core_instance"
+            mock_embedding.return_value = "embedding_instance"
+
+            result = await create_tool_config_list("agent_1", "tenant_1", "user_1")
+
+            assert len(result) == 2
+
+            # Verify KnowledgeBaseSearchTool has correct metadata
+            assert mock_tool_kb.metadata == {
+                "vdb_core": "vdb_core_instance",
+                "embedding_model": "embedding_instance",
+            }
+
+            # Verify OtherTool has no special metadata (should not have metadata attribute set)
+            # Note: MagicMock will return a new MagicMock for unset attributes, so we check call_args
+            # Instead, verify that set_metadata was never called on the mock_tool_other
+            assert not hasattr(mock_tool_other, 'metadata') or mock_tool_other.metadata.call_count == 0 if hasattr(mock_tool_other.metadata, 'call_count') else True
+
+    @pytest.mark.asyncio
+    async def test_create_tool_config_list_with_knowledge_base_tool_mixed_sources(self):
+        """
+        Test handling of tools from mixed sources (local, mcp, langchain).
+        KnowledgeBaseSearchTool should always get the simplified metadata.
+        """
         mock_tool_instance = MagicMock()
-        mock_tool_instance.class_name = "DataMateSearchTool"
-        mock_tool_config.return_value = mock_tool_instance
+        mock_tool_instance.class_name = "KnowledgeBaseSearchTool"
 
-        with patch('backend.agents.create_agent_info.discover_langchain_tools') as mock_discover, \
+        with patch('backend.agents.create_agent_info.ToolConfig') as mock_tool_config, \
+                patch('backend.agents.create_agent_info.discover_langchain_tools', return_value=[]), \
                 patch('backend.agents.create_agent_info.search_tools_for_sub_agent') as mock_search_tools, \
-                patch('backend.agents.create_agent_info.get_selected_knowledge_list') as mock_knowledge:
+                patch('backend.agents.create_agent_info.get_vector_db_core') as mock_get_vector_db_core, \
+                patch('backend.agents.create_agent_info.get_embedding_model') as mock_embedding:
+
+            mock_tool_config.return_value = mock_tool_instance
+
+            mock_search_tools.return_value = [
+                {
+                    "class_name": "KnowledgeBaseSearchTool",
+                    "name": "kb_search",
+                    "description": "Knowledge search tool",
+                    "inputs": "string",
+                    "output_type": "string",
+                    "params": [],
+                    "source": "mcp",
+                    "usage": "mcp_server_1"
+                }
+            ]
+            mock_get_vector_db_core.return_value = "vdb_core"
+            mock_embedding.return_value = "embedding"
+
+            result = await create_tool_config_list("agent_1", "tenant_1", "user_1")
+
+            assert len(result) == 1
+            # Even for MCP-sourced KnowledgeBaseSearchTool, metadata should be set
+            assert mock_tool_instance.metadata == {
+                "vdb_core": "vdb_core",
+                "embedding_model": "embedding",
+            }
+
+    @pytest.mark.asyncio
+    async def test_create_tool_config_list_with_datamate_tool(self):
+        """
+        Test that DataMateTool (or other unhandled tools) receive no special metadata.
+        This ensures the refactoring doesn't break other tool types.
+        """
+        mock_tool_instance = MagicMock()
+        mock_tool_instance.class_name = "DataMateTool"
+
+        with patch('backend.agents.create_agent_info.ToolConfig') as mock_tool_config, \
+                patch('backend.agents.create_agent_info.discover_langchain_tools', return_value=[]), \
+                patch('backend.agents.create_agent_info.search_tools_for_sub_agent') as mock_search_tools:
+
+            mock_tool_config.return_value = mock_tool_instance
 
-            mock_discover.return_value = []
             mock_search_tools.return_value = [
                 {
-                    "class_name": "DataMateSearchTool",
-                    "name": "datamate_search",
-                    "description": "DataMate search tool",
+                    "class_name": "DataMateTool",
+                    "name": "datamate",
+                    "description": "Data management tool",
                     "inputs": "string",
                     "output_type": "string",
                     "params": [],
@@ -510,21 +616,121 @@ async def test_create_tool_config_list_with_datamate_tool(self):
                     "usage": None
                 }
             ]
-            # Mix of different knowledge sources
-            mock_knowledge.return_value = [
-                {"index_name": "elastic_kb_1", "knowledge_sources": "elasticsearch"},
-                {"index_name": "datamate_kb_1", "knowledge_sources": "datamate"},
-                {"index_name": "datamate_kb_2", "knowledge_sources": "datamate"},
-                {"index_name": "other_kb", "knowledge_sources": "other"}
+
+            result = await create_tool_config_list("agent_1", "tenant_1", "user_1")
+
+            assert len(result) == 1
+            assert result[0] is mock_tool_instance
+            # DataMateTool should not receive any special metadata (metadata should remain unset)
+            # Since we use MagicMock, we verify that metadata was never assigned
+            assert not hasattr(mock_tool_instance, 'metadata') or mock_tool_instance.metadata.call_count == 0 if hasattr(mock_tool_instance.metadata, 'call_count') else True
+
+    @pytest.mark.asyncio
+    async def test_create_tool_config_list_empty_list(self):
+        """
+        Test that an empty tools list returns an empty result.
+        """
+        with patch('backend.agents.create_agent_info.discover_langchain_tools', return_value=[]), \
+                patch('backend.agents.create_agent_info.search_tools_for_sub_agent') as mock_search_tools:
+
+            mock_search_tools.return_value = []
+
+            result = await create_tool_config_list("agent_1", "tenant_1", "user_1")
+
+            assert result == []
+
+    @pytest.mark.asyncio
+    async def test_create_tool_config_list_with_langchain_tool_metadata(self):
+        """
+        Test that langchain-sourced tools receive metadata from the langchain tool discovery.
+        This verifies that the langchain tool metadata assignment still works correctly.
+        """
+        mock_langchain_tool = MagicMock()
+        mock_langchain_tool.name = "LangChainTool"
+
+        mock_tool_instance = MagicMock()
+        mock_tool_instance.class_name = "LangChainTool"
+
+        with patch('backend.agents.create_agent_info.ToolConfig') as mock_tool_config, \
+                patch('backend.agents.create_agent_info.discover_langchain_tools') as mock_discover, \
+                patch('backend.agents.create_agent_info.search_tools_for_sub_agent') as mock_search_tools:
+
+            mock_tool_config.return_value = mock_tool_instance
+            mock_discover.return_value = [mock_langchain_tool]
+            mock_search_tools.return_value = [
+                {
+                    "class_name": "LangChainTool",
+                    "name": "langchain_tool",
+                    "description": "A langchain tool",
+                    "inputs": "string",
+                    "output_type": "string",
+                    "params": [],
+                    "source": "langchain",
+                    "usage": None
+                }
             ]
 
             result = await create_tool_config_list("agent_1", "tenant_1", "user_1")
 
             assert len(result) == 1
             assert result[0] is mock_tool_instance
-            # Should only include datamate index names
-            expected_index_names = ["datamate_kb_1", "datamate_kb_2"]
-            assert mock_tool_instance.metadata["index_names"] == expected_index_names
+            # Langchain tool should receive metadata from discovered langchain tool
+            assert mock_tool_instance.metadata == mock_langchain_tool
+
+    @pytest.mark.asyncio
+    async def test_create_tool_config_list_multiple_tools_same_type(self):
+        """
+        Test that multiple KnowledgeBaseSearchTool instances each get correct metadata.
+        """
+        mock_tool_1 = MagicMock()
+        mock_tool_1.class_name = "KnowledgeBaseSearchTool"
+
+        mock_tool_2 = MagicMock()
+        mock_tool_2.class_name = "KnowledgeBaseSearchTool"
+
+        mock_tool_config.side_effect = [mock_tool_1, mock_tool_2]
+
+        with patch('backend.agents.create_agent_info.discover_langchain_tools', return_value=[]), \
+                patch('backend.agents.create_agent_info.search_tools_for_sub_agent') as mock_search_tools, \
+                patch('backend.agents.create_agent_info.get_vector_db_core') as mock_get_vector_db_core, \
+                patch('backend.agents.create_agent_info.get_embedding_model') as mock_embedding:
+
+            mock_search_tools.return_value = [
+                {
+                    "class_name": "KnowledgeBaseSearchTool",
+                    "name": "kb_search_1",
+                    "description": "First knowledge search",
+                    "inputs": "string",
+                    "output_type": "string",
+                    "params": [],
+                    "source": "local",
+                    "usage": None
+                },
+                {
+                    "class_name": "KnowledgeBaseSearchTool",
+                    "name": "kb_search_2",
+                    "description": "Second knowledge search",
+                    "inputs": "string",
+                    "output_type": "string",
+                    "params": [],
+                    "source": "local",
+                    "usage": None
+                }
+            ]
+            mock_get_vector_db_core.return_value = "vdb_core"
+            mock_embedding.return_value = "embedding"
+
+            result = await create_tool_config_list("agent_1", "tenant_1", "user_1")
+
+            assert len(result) == 2
+
+            # Both tools should have the same simplified metadata
+            expected_metadata = {
+                "vdb_core": "vdb_core",
+                "embedding_model": "embedding",
+            }
+            assert mock_tool_1.metadata == expected_metadata
+            assert mock_tool_2.metadata == expected_metadata
 
 
 class TestCreateAgentConfig:
@@ -539,7 +745,7 @@ async def test_create_agent_config_basic(self):
                 patch('backend.agents.create_agent_info.get_agent_prompt_template') as mock_get_template, \
                 patch('backend.agents.create_agent_info.tenant_config_manager') as mock_tenant_config, \
                 patch('backend.agents.create_agent_info.build_memory_context') as mock_build_memory, \
-                patch('backend.agents.create_agent_info.get_selected_knowledge_list') as mock_knowledge, \
+                patch('backend.agents.create_agent_info.AgentConfig') as mock_agent_config, \
                 patch('backend.agents.create_agent_info.prepare_prompt_templates') as mock_prepare_templates, \
                 patch('backend.agents.create_agent_info.get_model_by_model_id') as mock_get_model_by_id:
 
@@ -567,7 +773,6 @@ async def test_create_agent_config_basic(self):
                 user_id="user_1",
                 agent_id="agent_1"
             )
-            mock_knowledge.return_value = []
             mock_prepare_templates.return_value = {
                 "system_prompt": "populated_system_prompt"}
             mock_get_model_by_id.return_value = {"display_name": "test_model"}
@@ -596,7 +801,7 @@ async def test_create_agent_config_with_sub_agents(self):
                 patch('backend.agents.create_agent_info.tenant_config_manager') as mock_tenant_config, \
                 patch('backend.agents.create_agent_info.build_memory_context') as mock_build_memory, \
                 patch('backend.agents.create_agent_info.search_memory_in_levels', new_callable=AsyncMock) as mock_search_memory, \
-                patch('backend.agents.create_agent_info.get_selected_knowledge_list') as mock_knowledge, \
+                patch('backend.agents.create_agent_info.AgentConfig') as mock_agent_config, \
                 patch('backend.agents.create_agent_info.prepare_prompt_templates') as mock_prepare_templates, \
                 patch('backend.agents.create_agent_info.get_model_by_model_id') as mock_get_model_by_id:
 
@@ -624,7 +829,6 @@ async def test_create_agent_config_with_sub_agents(self):
                 user_id="user_1",
                 agent_id="agent_1"
             )
-            mock_knowledge.return_value = []
             mock_prepare_templates.return_value = {
                 "system_prompt": "populated_system_prompt"}
             mock_get_model_by_id.return_value = {"display_name": "test_model"}
@@ -663,7 +867,6 @@ async def test_create_agent_config_with_memory(self):
                 patch('backend.agents.create_agent_info.tenant_config_manager') as mock_tenant_config, \
                 patch('backend.agents.create_agent_info.build_memory_context') as mock_build_memory, \
                 patch('backend.agents.create_agent_info.search_memory_in_levels', new_callable=AsyncMock) as mock_search_memory, \
-                patch('backend.agents.create_agent_info.get_selected_knowledge_list') as mock_knowledge, \
                 patch('backend.agents.create_agent_info.prepare_prompt_templates') as mock_prepare_templates, \
                 patch('backend.agents.create_agent_info.get_model_by_model_id') as mock_get_model_by_id:
 
@@ -700,7 +903,6 @@ async def test_create_agent_config_with_memory(self):
                 agent_id="agent_1"
             )
             mock_search_memory.return_value = {"results": [{"memory": "test"}]}
-            mock_knowledge.return_value = []
             mock_prepare_templates.return_value = {
                 "system_prompt": "populated_system_prompt"}
             mock_get_model_by_id.return_value = {"display_name": "test_model"}
@@ -745,9 +947,6 @@ async def test_create_agent_config_memory_disabled_no_search(self):
                 "backend.agents.create_agent_info.search_memory_in_levels",
                 new_callable=AsyncMock,
             ) as mock_search_memory,
-            patch(
-                "backend.agents.create_agent_info.get_selected_knowledge_list"
-            ) as mock_knowledge,
             patch(
                 "backend.agents.create_agent_info.prepare_prompt_templates"
             ) as mock_prepare_templates,
@@ -786,7 +985,6 @@ async def test_create_agent_config_memory_disabled_no_search(self):
                 agent_id="agent_1",
             )
 
-            mock_knowledge.return_value = []
             mock_prepare_templates.return_value = {
                 "system_prompt": "populated_system_prompt"
             }
@@ -812,7 +1010,7 @@ async def test_create_agent_config_model_id_none(self):
                 patch('backend.agents.create_agent_info.get_agent_prompt_template') as mock_get_template, \
                 patch('backend.agents.create_agent_info.tenant_config_manager') as mock_tenant_config, \
                 patch('backend.agents.create_agent_info.build_memory_context') as mock_build_memory, \
-                patch('backend.agents.create_agent_info.get_selected_knowledge_list') as mock_knowledge, \
+                patch('backend.agents.create_agent_info.AgentConfig') as mock_agent_config, \
                 patch('backend.agents.create_agent_info.prepare_prompt_templates') as mock_prepare_templates, \
                 patch('backend.agents.create_agent_info.get_model_by_model_id') as mock_get_model_by_id:
 
@@ -840,7 +1038,6 @@ async def test_create_agent_config_model_id_none(self):
                 user_id="user_1",
                 agent_id="agent_1"
             )
-            mock_knowledge.return_value = []
             mock_prepare_templates.return_value = {
                 "system_prompt": "populated_system_prompt"}
             mock_get_model_by_id.return_value = None  # Model not found
@@ -885,9 +1082,6 @@ async def test_create_agent_config_memory_exception(self):
                 "backend.agents.create_agent_info.search_memory_in_levels",
                 new_callable=AsyncMock,
             ) as mock_search_memory,
-            patch(
-                "backend.agents.create_agent_info.get_selected_knowledge_list"
-            ) as mock_knowledge,
             patch(
                 "backend.agents.create_agent_info.prepare_prompt_templates"
             ) as mock_prepare_templates,
@@ -926,7 +1120,6 @@ async def test_create_agent_config_memory_exception(self):
             )
 
             mock_search_memory.side_effect = Exception("boom")
-            mock_knowledge.return_value = []
             mock_prepare_templates.return_value = {
                 "system_prompt": "populated_system_prompt"
             }
@@ -945,17 +1138,190 @@ async def test_create_agent_config_memory_exception(self):
 
     @pytest.mark.asyncio
     async def test_create_agent_config_with_knowledge_base_summary_filtering(self):
-        """Test knowledge base summary generation filters only elasticsearch sources"""
+        with (
+            patch(
+                "backend.agents.create_agent_info.search_agent_info_by_agent_id"
+            ) as mock_search_agent,
+            patch(
+                "backend.agents.create_agent_info.query_sub_agents_id_list"
+            ) as mock_query_sub,
+            patch(
+                "backend.agents.create_agent_info.create_tool_config_list"
+            ) as mock_create_tools,
+            patch(
+                "backend.agents.create_agent_info.get_agent_prompt_template"
+            ) as mock_get_template,
+            patch(
+                "backend.agents.create_agent_info.tenant_config_manager"
+            ) as mock_tenant_config,
+            patch(
+                "backend.agents.create_agent_info.build_memory_context"
+            ) as mock_build_memory,
+            patch(
+                "backend.agents.create_agent_info.ElasticSearchService"
+            ) as mock_es_service,
+            patch(
+                "backend.agents.create_agent_info.logger"
+            ) as mock_logger,
+            patch(
+                "backend.agents.create_agent_info.prepare_prompt_templates"
+            ) as mock_prepare_templates,
+            patch(
+                "backend.agents.create_agent_info.get_model_by_model_id"
+            ) as mock_get_model_by_id,
+        ):
+            mock_search_agent.return_value = {
+                "name": "test_agent",
+                "description": "test description",
+                "duty_prompt": "test duty",
+                "constraint_prompt": "test constraint",
+                "few_shots_prompt": "test few shots",
+                "max_steps": 5,
+                "model_id": 123,
+                "provide_run_summary": True,
+            }
+            mock_query_sub.return_value = []
+
+            kb_tool_1 = Mock()
+            kb_tool_1.class_name = "KnowledgeBaseSearchTool"
+            kb_tool_1.name = "kb_tool_1"
+            kb_tool_1.params = {"index_names": ["idx_a", "idx_b"]}
+
+            other_tool = Mock()
+            other_tool.class_name = "OtherTool"
+            other_tool.name = "other_tool"
+            other_tool.params = {}
+
+            kb_tool_2 = Mock()
+            kb_tool_2.class_name = "KnowledgeBaseSearchTool"
+            kb_tool_2.name = "kb_tool_2"
+            kb_tool_2.params = {"index_names": ["idx_c"]}
+
+            mock_create_tools.return_value = [kb_tool_1, other_tool, kb_tool_2]
+            mock_get_template.return_value = {"system_prompt": "{{ knowledge_base_summary }}"}
+            mock_tenant_config.get_app_config.side_effect = ["TestApp", "Test Description"]
+            mock_build_memory.return_value = Mock(
+                user_config=Mock(memory_switch=False),
+                memory_config={},
+                tenant_id="tenant_1",
+                user_id="user_1",
+                agent_id="agent_1",
+            )
+            mock_prepare_templates.return_value = {"system_prompt": "populated_system_prompt"}
+            mock_get_model_by_id.return_value = {"display_name": "test_model"}
+
+            mock_es_instance = Mock()
+            mock_es_instance.get_summary.side_effect = [
+                {"summary": "AAA"},
+                Exception("boom"),
+            ]
+            mock_es_service.return_value = mock_es_instance
+
+            await create_agent_config("agent_1", "tenant_1", "user_1", "zh", "test query")
+
+            assert mock_es_instance.get_summary.call_args_list == [
+                ((), {"index_name": "idx_a"}),
+                ((), {"index_name": "idx_b"}),
+            ]
+            mock_logger.warning.assert_called_once()
+            assert "idx_b" in mock_logger.warning.call_args[0][0]
+
+            mock_prepare_templates.assert_called_once()
+            assert mock_prepare_templates.call_args[1]["system_prompt"] == "**idx_a**: AAA\n\n"
+
+            # Ensure only the first KnowledgeBaseSearchTool is processed.
+            assert "idx_c" not in str(mock_es_instance.get_summary.call_args_list)
+
+    @pytest.mark.parametrize(
+        "language,expected_message",
+        [
+            ("zh", "当前没有可用的知识库索引。\n"),
+            ("en", "No knowledge base indexes are currently available.\n"),
+        ],
+    )
+    @pytest.mark.asyncio
+    async def test_create_agent_config_knowledge_base_summary_no_indexes_message(
+        self, language, expected_message
+    ):
+        with (
+            patch(
+                "backend.agents.create_agent_info.search_agent_info_by_agent_id"
+            ) as mock_search_agent,
+            patch(
+                "backend.agents.create_agent_info.query_sub_agents_id_list"
+            ) as mock_query_sub,
+            patch(
+                "backend.agents.create_agent_info.create_tool_config_list"
+            ) as mock_create_tools,
+            patch(
+                "backend.agents.create_agent_info.get_agent_prompt_template"
+            ) as mock_get_template,
+            patch(
+                "backend.agents.create_agent_info.tenant_config_manager"
+            ) as mock_tenant_config,
+            patch(
+                "backend.agents.create_agent_info.build_memory_context"
+            ) as mock_build_memory,
+            patch(
+                "backend.agents.create_agent_info.ElasticSearchService"
+            ) as mock_es_service,
+            patch(
+                "backend.agents.create_agent_info.prepare_prompt_templates"
+            ) as mock_prepare_templates,
+            patch(
+                "backend.agents.create_agent_info.get_model_by_model_id"
+            ) as mock_get_model_by_id,
+        ):
+            mock_search_agent.return_value = {
+                "name": "test_agent",
+                "description": "test description",
+                "duty_prompt": "test duty",
+                "constraint_prompt": "test constraint",
+                "few_shots_prompt": "test few shots",
+                "max_steps": 5,
+                "model_id": 123,
+                "provide_run_summary": True,
+            }
+            mock_query_sub.return_value = []
+
+            kb_tool = Mock()
+            kb_tool.class_name = "KnowledgeBaseSearchTool"
+            kb_tool.name = "kb_tool"
+            kb_tool.params = {"index_names": []}
+            mock_create_tools.return_value = [kb_tool]
+
+            mock_get_template.return_value = {"system_prompt": "{{ knowledge_base_summary }}"}
+            mock_tenant_config.get_app_config.side_effect = ["TestApp", "Test Description"]
+            mock_build_memory.return_value = Mock(
+                user_config=Mock(memory_switch=False),
+                memory_config={},
+                tenant_id="tenant_1",
+                user_id="user_1",
+                agent_id="agent_1",
+            )
+            mock_prepare_templates.return_value = {"system_prompt": "populated_system_prompt"}
+            mock_get_model_by_id.return_value = {"display_name": "test_model"}
+
+            await create_agent_config(
+                "agent_1", "tenant_1", "user_1", language, "test query"
+            )
+
+            mock_es_service.assert_not_called()
+            assert mock_prepare_templates.call_args[1]["system_prompt"] == expected_message
+
+    @pytest.mark.asyncio
+    async def test_create_agent_config_knowledge_base_summary_error(self):
+        """Test case for error handling during knowledge base summary build"""
         with patch('backend.agents.create_agent_info.search_agent_info_by_agent_id') as mock_search_agent, \
                 patch('backend.agents.create_agent_info.query_sub_agents_id_list') as mock_query_sub, \
                 patch('backend.agents.create_agent_info.create_tool_config_list') as mock_create_tools, \
                 patch('backend.agents.create_agent_info.get_agent_prompt_template') as mock_get_template, \
                 patch('backend.agents.create_agent_info.tenant_config_manager') as mock_tenant_config, \
                 patch('backend.agents.create_agent_info.build_memory_context') as mock_build_memory, \
-                patch('backend.agents.create_agent_info.get_selected_knowledge_list') as mock_knowledge, \
+                patch('backend.agents.create_agent_info.AgentConfig') as mock_agent_config, \
                 patch('backend.agents.create_agent_info.prepare_prompt_templates') as mock_prepare_templates, \
                 patch('backend.agents.create_agent_info.get_model_by_model_id') as mock_get_model_by_id, \
-                patch('backend.agents.create_agent_info.ElasticSearchService') as mock_es_service:
+                patch('backend.agents.create_agent_info.logger') as mock_logger:
 
             # Set mock return values
             mock_search_agent.return_value = {
@@ -969,10 +1335,10 @@ async def test_create_agent_config_with_knowledge_base_summary_filtering(self):
                 "provide_run_summary": True
             }
             mock_query_sub.return_value = []
-
-            # Create a mock tool with KnowledgeBaseSearchTool class name
-            mock_tool = Mock()
-            mock_tool.class_name = "KnowledgeBaseSearchTool"
+            
+            # Create a tool that raises exception when accessing class_name
+            mock_tool = MagicMock()
+            type(mock_tool).class_name = PropertyMock(side_effect=Exception("Test Error"))
             mock_create_tools.return_value = [mock_tool]
 
             mock_get_template.return_value = {
@@ -986,29 +1352,14 @@ async def test_create_agent_config_with_knowledge_base_summary_filtering(self):
                 user_id="user_1",
                 agent_id="agent_1"
             )
-            mock_knowledge.return_value = [
-                {"index_name": "elastic_kb_1", "knowledge_sources": "elasticsearch"},
-                {"index_name": "datamate_kb_1", "knowledge_sources": "datamate"},
-                {"index_name": "elastic_kb_2", "knowledge_sources": "elasticsearch"}
-            ]
             mock_prepare_templates.return_value = {
                 "system_prompt": "populated_system_prompt"}
             mock_get_model_by_id.return_value = {"display_name": "test_model"}
 
-            # Mock ElasticSearchService
-            mock_es_instance = Mock()
-            mock_es_instance.get_summary.return_value = {"summary": "Test summary"}
-            mock_es_service.return_value = mock_es_instance
-
-            result = await create_agent_config("agent_1", "tenant_1", "user_1", "zh", "test query")
+            await create_agent_config("agent_1", "tenant_1", "user_1", "zh", "test query")
 
-            # Verify that ElasticSearchService was called only for elasticsearch sources
-            assert mock_es_service.call_count == 2  # Only for elastic_kb_1 and elastic_kb_2
-            mock_es_instance.get_summary.assert_any_call(index_name="elastic_kb_1")
-            mock_es_instance.get_summary.assert_any_call(index_name="elastic_kb_2")
-            # Should not be called for datamate_kb_1
-            called_index_names = [call[1]['index_name'] for call in mock_es_instance.get_summary.call_args_list]
-            assert "datamate_kb_1" not in called_index_names
+            # Verify that error was logged
+            mock_logger.error.assert_called_with("Failed to build knowledge base summary: Test Error")
 
 
 class TestCreateModelConfigList:
diff --git a/test/backend/app/test_agent_app.py b/test/backend/app/test_agent_app.py
index cd8b94222..8edc263ff 100644
--- a/test/backend/app/test_agent_app.py
+++ b/test/backend/app/test_agent_app.py
@@ -3,12 +3,17 @@
 import os
 import sys
 import types
+import warnings
 
 import pytest
 from fastapi import FastAPI
 from fastapi.responses import StreamingResponse
 from fastapi.testclient import TestClient
 
+# Filter out deprecation warnings from third-party libraries
+warnings.filterwarnings("ignore", category=DeprecationWarning, module="pyiceberg")
+pytestmark = pytest.mark.filterwarnings("ignore::DeprecationWarning:pyiceberg.*")
+
 # Dynamically determine the backend path - MUST BE FIRST
 current_dir = os.path.dirname(os.path.abspath(__file__))
 backend_dir = os.path.abspath(os.path.join(current_dir, "../../../backend"))
@@ -240,44 +245,190 @@ def test_agent_stop_api_not_found(mocker, mock_conversation_id):
 
 
 def test_search_agent_info_api_success(mocker, mock_auth_header):
+    """Test search_agent_info_api success case without tenant_id query parameter (uses auth tenant_id) and default version_no=0."""
     # Setup mocks using pytest-mock
     mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
     mock_get_agent_info = mocker.patch(
         "apps.agent_app.get_agent_info_impl", new_callable=mocker.AsyncMock)
-    mock_get_user_id.return_value = ("user_id", "tenant_id")
+    mock_get_user_id.return_value = ("user_id", "auth_tenant_id")
     mock_get_agent_info.return_value = {"agent_id": 123, "name": "Test Agent"}
 
-    # Test the endpoint
+    # Test the endpoint without tenant_id query parameter and without version_no (defaults to 0)
     response = config_client.post(
         "/agent/search_info",
-        json=123,  # agent_id as body parameter
+        json={"agent_id": 123},  # agent_id as body parameter, version_no defaults to 0
         headers=mock_auth_header
     )
 
     # Assertions
     assert response.status_code == 200
     mock_get_user_id.assert_called_once_with(mock_auth_header["Authorization"])
-    mock_get_agent_info.assert_called_once_with(123, "tenant_id")
+    # Should use auth tenant_id when query parameter is not provided, and default version_no=0
+    mock_get_agent_info.assert_called_once_with(123, "auth_tenant_id", 0)
     assert response.json()["agent_id"] == 123
+    assert response.json()["name"] == "Test Agent"
+
+
+def test_search_agent_info_api_with_explicit_tenant_id(mocker, mock_auth_header):
+    """Test search_agent_info_api success case with explicit tenant_id query parameter and default version_no=0."""
+    # Setup mocks using pytest-mock
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_get_agent_info = mocker.patch(
+        "apps.agent_app.get_agent_info_impl", new_callable=mocker.AsyncMock)
+    # Mock return values - auth tenant_id is different from explicit tenant_id
+    mock_get_user_id.return_value = ("user_id", "auth_tenant_id")
+    mock_get_agent_info.return_value = {
+        "agent_id": 456,
+        "name": "Test Agent with Explicit Tenant",
+        "display_name": "Display Name"
+    }
+
+    # Test the endpoint with explicit tenant_id query parameter
+    explicit_tenant_id = "explicit_tenant_789"
+    response = config_client.post(
+        "/agent/search_info",
+        json={"agent_id": 456},  # agent_id as body parameter, version_no defaults to 0
+        params={"tenant_id": explicit_tenant_id},
+        headers=mock_auth_header
+    )
+
+    # Assertions
+    assert response.status_code == 200
+    mock_get_user_id.assert_called_once_with(mock_auth_header["Authorization"])
+    # Should use explicit tenant_id when provided, not auth tenant_id, and default version_no=0
+    mock_get_agent_info.assert_called_once_with(456, explicit_tenant_id, 0)
+    assert response.json()["agent_id"] == 456
+    assert response.json()["name"] == "Test Agent with Explicit Tenant"
+    assert response.json()["display_name"] == "Display Name"
 
 
 def test_search_agent_info_api_exception(mocker, mock_auth_header):
+    """Test search_agent_info_api exception handling without tenant_id query parameter and default version_no=0."""
     # Setup mocks using pytest-mock
     mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
     mock_get_agent_info = mocker.patch(
         "apps.agent_app.get_agent_info_impl", new_callable=mocker.AsyncMock)
-    mock_get_user_id.return_value = ("user_id", "tenant_id")
+    mock_get_user_id.return_value = ("user_id", "auth_tenant_id")
     mock_get_agent_info.side_effect = Exception("Test error")
 
-    # Test the endpoint
+    # Test the endpoint without tenant_id query parameter
+    response = config_client.post(
+        "/agent/search_info",
+        json={"agent_id": 123},  # version_no defaults to 0
+        headers=mock_auth_header
+    )
+
+    # Assertions
+    assert response.status_code == 500
+    mock_get_user_id.assert_called_once_with(mock_auth_header["Authorization"])
+    mock_get_agent_info.assert_called_once_with(123, "auth_tenant_id", 0)
+    assert "Agent search info error" in response.json()["detail"]
+
+
+def test_search_agent_info_api_exception_with_explicit_tenant_id(mocker, mock_auth_header):
+    """Test search_agent_info_api exception handling with explicit tenant_id query parameter and default version_no=0."""
+    # Setup mocks using pytest-mock
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_get_agent_info = mocker.patch(
+        "apps.agent_app.get_agent_info_impl", new_callable=mocker.AsyncMock)
+    # Mock return values and exception
+    mock_get_user_id.return_value = ("user_id", "auth_tenant_id")
+    mock_get_agent_info.side_effect = Exception("Test error with explicit tenant")
+
+    # Test the endpoint with explicit tenant_id query parameter
+    explicit_tenant_id = "explicit_tenant_999"
+    response = config_client.post(
+        "/agent/search_info",
+        json={"agent_id": 789},  # version_no defaults to 0
+        params={"tenant_id": explicit_tenant_id},
+        headers=mock_auth_header
+    )
+
+    # Assertions
+    assert response.status_code == 500
+    mock_get_user_id.assert_called_once_with(mock_auth_header["Authorization"])
+    # Should use explicit tenant_id even when exception occurs, and default version_no=0
+    mock_get_agent_info.assert_called_once_with(789, explicit_tenant_id, 0)
+    assert "Agent search info error" in response.json()["detail"]
+
+
+def test_search_agent_info_api_with_version_no(mocker, mock_auth_header):
+    """Test search_agent_info_api success case with explicit version_no parameter."""
+    # Setup mocks using pytest-mock
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_get_agent_info = mocker.patch(
+        "apps.agent_app.get_agent_info_impl", new_callable=mocker.AsyncMock)
+    mock_get_user_id.return_value = ("user_id", "auth_tenant_id")
+    mock_get_agent_info.return_value = {"agent_id": 123, "name": "Test Agent", "version_no": 2}
+
+    # Test the endpoint with explicit version_no in body
+    response = config_client.post(
+        "/agent/search_info",
+        json={"agent_id": 123, "version_no": 2},
+        headers=mock_auth_header
+    )
+
+    # Assertions
+    assert response.status_code == 200
+    mock_get_user_id.assert_called_once_with(mock_auth_header["Authorization"])
+    # Should use explicit version_no when provided
+    mock_get_agent_info.assert_called_once_with(123, "auth_tenant_id", 2)
+    assert response.json()["agent_id"] == 123
+    assert response.json()["version_no"] == 2
+
+
+def test_search_agent_info_api_with_version_no_and_tenant_id(mocker, mock_auth_header):
+    """Test search_agent_info_api success case with both explicit version_no and tenant_id."""
+    # Setup mocks using pytest-mock
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_get_agent_info = mocker.patch(
+        "apps.agent_app.get_agent_info_impl", new_callable=mocker.AsyncMock)
+    mock_get_user_id.return_value = ("user_id", "auth_tenant_id")
+    mock_get_agent_info.return_value = {
+        "agent_id": 456,
+        "name": "Test Agent",
+        "version_no": 3,
+        "display_name": "Display Name"
+    }
+
+    # Test the endpoint with both explicit version_no and tenant_id
+    explicit_tenant_id = "explicit_tenant_123"
+    response = config_client.post(
+        "/agent/search_info",
+        json={"agent_id": 456, "version_no": 3},
+        params={"tenant_id": explicit_tenant_id},
+        headers=mock_auth_header
+    )
+
+    # Assertions
+    assert response.status_code == 200
+    mock_get_user_id.assert_called_once_with(mock_auth_header["Authorization"])
+    # Should use both explicit tenant_id and version_no
+    mock_get_agent_info.assert_called_once_with(456, explicit_tenant_id, 3)
+    assert response.json()["agent_id"] == 456
+    assert response.json()["version_no"] == 3
+
+
+def test_search_agent_info_api_exception_with_version_no(mocker, mock_auth_header):
+    """Test search_agent_info_api exception handling with explicit version_no."""
+    # Setup mocks using pytest-mock
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_get_agent_info = mocker.patch(
+        "apps.agent_app.get_agent_info_impl", new_callable=mocker.AsyncMock)
+    mock_get_user_id.return_value = ("user_id", "auth_tenant_id")
+    mock_get_agent_info.side_effect = Exception("Test error with version_no")
+
+    # Test the endpoint with explicit version_no
     response = config_client.post(
         "/agent/search_info",
-        json=123,
+        json={"agent_id": 123, "version_no": 5},
         headers=mock_auth_header
     )
 
     # Assertions
     assert response.status_code == 500
+    mock_get_user_id.assert_called_once_with(mock_auth_header["Authorization"])
+    mock_get_agent_info.assert_called_once_with(123, "auth_tenant_id", 5)
     assert "Agent search info error" in response.json()["detail"]
 
 
@@ -357,12 +508,16 @@ def test_update_agent_info_api_exception(mocker, mock_auth_header):
 
 
 def test_delete_agent_api_success(mocker, mock_auth_header):
+    """Test delete_agent_api success case without tenant_id query parameter (uses auth tenant_id)."""
     # Setup mocks using pytest-mock
+    mock_get_user_info = mocker.patch("apps.agent_app.get_current_user_info")
     mock_delete_agent = mocker.patch(
         "apps.agent_app.delete_agent_impl", new_callable=mocker.AsyncMock)
+    # Mock return values
+    mock_get_user_info.return_value = ("test_user", "test_tenant", "en")
     mock_delete_agent.return_value = None
 
-    # Test the endpoint
+    # Test the endpoint without tenant_id query parameter
     response = config_client.request(
         "DELETE",
         "/agent",
@@ -372,18 +527,52 @@ def test_delete_agent_api_success(mocker, mock_auth_header):
 
     # Assertions
     assert response.status_code == 200
-    mock_delete_agent.assert_called_once_with(
-        123, mock_auth_header["Authorization"])
+    mock_get_user_info.assert_called_once_with(mock_auth_header["Authorization"], ANY)
+    # Should use auth tenant_id when query parameter is not provided
+    mock_delete_agent.assert_called_once_with(123, "test_tenant", "test_user")
+    assert response.json() == {}
+
+
+def test_delete_agent_api_with_explicit_tenant_id(mocker, mock_auth_header):
+    """Test delete_agent_api success case with explicit tenant_id query parameter."""
+    # Setup mocks using pytest-mock
+    mock_get_user_info = mocker.patch("apps.agent_app.get_current_user_info")
+    mock_delete_agent = mocker.patch(
+        "apps.agent_app.delete_agent_impl", new_callable=mocker.AsyncMock)
+    # Mock return values - auth tenant_id is different from explicit tenant_id
+    mock_get_user_info.return_value = ("test_user", "auth_tenant", "en")
+    mock_delete_agent.return_value = None
+
+    # Test the endpoint with explicit tenant_id query parameter
+    explicit_tenant_id = "explicit_tenant_123"
+    response = config_client.request(
+        "DELETE",
+        "/agent",
+        json={"agent_id": 456},
+        params={"tenant_id": explicit_tenant_id},
+        headers=mock_auth_header
+    )
+
+    # Assertions
+    assert response.status_code == 200
+    mock_get_user_info.assert_called_once_with(mock_auth_header["Authorization"], ANY)
+    # Should use explicit tenant_id when provided, not auth tenant_id
+    mock_delete_agent.assert_called_once_with(456, explicit_tenant_id, "test_user")
     assert response.json() == {}
 
 
 def test_delete_agent_api_exception(mocker, mock_auth_header):
+    """Test delete_agent_api exception handling without tenant_id query parameter."""
     # Setup mocks using pytest-mock
+    mock_get_user_info = mocker.patch("apps.agent_app.get_current_user_info")
     mock_delete_agent = mocker.patch(
         "apps.agent_app.delete_agent_impl", new_callable=mocker.AsyncMock)
+    mock_logger = mocker.patch("apps.agent_app.logger")
+    # Mock return values and exception
+    mock_get_user_info.return_value = ("test_user", "test_tenant", "en")
     mock_delete_agent.side_effect = Exception("Test error")
 
-    # Test the endpoint
+    # Test the endpoint without tenant_id query parameter
     response = config_client.request(
         "DELETE",
         "/agent",
@@ -393,7 +582,42 @@ def test_delete_agent_api_exception(mocker, mock_auth_header):
 
     # Assertions
     assert response.status_code == 500
+    mock_get_user_info.assert_called_once_with(mock_auth_header["Authorization"], ANY)
+    mock_delete_agent.assert_called_once_with(123, "test_tenant", "test_user")
     assert "Agent delete error" in response.json()["detail"]
+    # Verify error was logged
+    mock_logger.error.assert_called_once_with("Agent delete error: Test error")
+
+
+def test_delete_agent_api_exception_with_explicit_tenant_id(mocker, mock_auth_header):
+    """Test delete_agent_api exception handling with explicit tenant_id query parameter."""
+    # Setup mocks using pytest-mock
+    mock_get_user_info = mocker.patch("apps.agent_app.get_current_user_info")
+    mock_delete_agent = mocker.patch(
+        "apps.agent_app.delete_agent_impl", new_callable=mocker.AsyncMock)
+    mock_logger = mocker.patch("apps.agent_app.logger")
+    # Mock return values and exception
+    mock_get_user_info.return_value = ("test_user", "auth_tenant", "en")
+    mock_delete_agent.side_effect = Exception("Test error with explicit tenant")
+
+    # Test the endpoint with explicit tenant_id query parameter
+    explicit_tenant_id = "explicit_tenant_456"
+    response = config_client.request(
+        "DELETE",
+        "/agent",
+        json={"agent_id": 789},
+        params={"tenant_id": explicit_tenant_id},
+        headers=mock_auth_header
+    )
+
+    # Assertions
+    assert response.status_code == 500
+    mock_get_user_info.assert_called_once_with(mock_auth_header["Authorization"], ANY)
+    # Should use explicit tenant_id even when exception occurs
+    mock_delete_agent.assert_called_once_with(789, explicit_tenant_id, "test_user")
+    assert "Agent delete error" in response.json()["detail"]
+    # Verify error was logged
+    mock_logger.error.assert_called_once_with("Agent delete error: Test error with explicit tenant")
 
 
 @pytest.mark.asyncio
@@ -522,6 +746,7 @@ def test_import_agent_api_exception(mocker, mock_auth_header):
 
 
 def test_list_all_agent_info_api_success(mocker, mock_auth_header):
+    """Test list_all_agent_info_api success case without tenant_id query parameter (uses auth tenant_id)."""
     # Setup mocks using pytest-mock
     mock_get_user_info = mocker.patch("apps.agent_app.get_current_user_info")
     mock_list_all_agent = mocker.patch(
@@ -529,11 +754,29 @@ def test_list_all_agent_info_api_success(mocker, mock_auth_header):
     # Mock return values
     mock_get_user_info.return_value = ("test_user", "test_tenant", "en")
     mock_list_all_agent.return_value = [
-        {"agent_id": 1, "name": "Agent 1", "display_name": "Display Agent 1", "group_ids": []},
-        {"agent_id": 2, "name": "Agent 2", "display_name": "Display Agent 2", "group_ids": [1, 2, 3]}
+        {
+            "agent_id": 1,
+            "name": "Agent 1",
+            "display_name": "Display Agent 1",
+            "description": "Test agent 1",
+            "group_ids": [],
+            "permission": "EDIT",
+            "is_available": True,
+            "unavailable_reasons": []
+        },
+        {
+            "agent_id": 2,
+            "name": "Agent 2",
+            "display_name": "Display Agent 2",
+            "description": "Test agent 2",
+            "group_ids": [1, 2, 3],
+            "permission": "READ_ONLY",
+            "is_available": True,
+            "unavailable_reasons": []
+        }
     ]
 
-    # Test the endpoint
+    # Test the endpoint without tenant_id query parameter
     response = config_client.get(
         "/agent/list",
         headers=mock_auth_header
@@ -542,17 +785,61 @@ def test_list_all_agent_info_api_success(mocker, mock_auth_header):
     # Assertions
     assert response.status_code == 200
     mock_get_user_info.assert_called_once_with(mock_auth_header["Authorization"], ANY)
-    mock_list_all_agent.assert_called_once_with(tenant_id="test_tenant")
+    # Should use auth tenant_id when query parameter is not provided
+    mock_list_all_agent.assert_called_once_with(tenant_id="test_tenant", user_id="test_user")
     assert len(response.json()) == 2
     assert response.json()[0]["agent_id"] == 1
     assert response.json()[0]["display_name"] == "Display Agent 1"
     assert response.json()[0]["group_ids"] == []
+    assert response.json()[0]["permission"] == "EDIT"
     assert response.json()[1]["name"] == "Agent 2"
     assert response.json()[1]["display_name"] == "Display Agent 2"
     assert response.json()[1]["group_ids"] == [1, 2, 3]
+    assert response.json()[1]["permission"] == "READ_ONLY"
+
+
+def test_list_all_agent_info_api_with_explicit_tenant_id(mocker, mock_auth_header):
+    """Test list_all_agent_info_api success case with explicit tenant_id query parameter."""
+    # Setup mocks using pytest-mock
+    mock_get_user_info = mocker.patch("apps.agent_app.get_current_user_info")
+    mock_list_all_agent = mocker.patch(
+        "apps.agent_app.list_all_agent_info_impl", new_callable=mocker.AsyncMock)
+    # Mock return values - auth tenant_id is different from explicit tenant_id
+    mock_get_user_info.return_value = ("test_user", "auth_tenant", "en")
+    mock_list_all_agent.return_value = [
+        {
+            "agent_id": 3,
+            "name": "Agent 3",
+            "display_name": "Display Agent 3",
+            "description": "Test agent 3",
+            "group_ids": [4, 5],
+            "permission": "EDIT",
+            "is_available": True,
+            "unavailable_reasons": []
+        }
+    ]
+
+    # Test the endpoint with explicit tenant_id query parameter
+    explicit_tenant_id = "explicit_tenant_123"
+    response = config_client.get(
+        "/agent/list",
+        params={"tenant_id": explicit_tenant_id},
+        headers=mock_auth_header
+    )
+
+    # Assertions
+    assert response.status_code == 200
+    mock_get_user_info.assert_called_once_with(mock_auth_header["Authorization"], ANY)
+    # Should use explicit tenant_id when provided, not auth tenant_id
+    mock_list_all_agent.assert_called_once_with(tenant_id=explicit_tenant_id, user_id="test_user")
+    assert len(response.json()) == 1
+    assert response.json()[0]["agent_id"] == 3
+    assert response.json()[0]["display_name"] == "Display Agent 3"
+    assert response.json()[0]["group_ids"] == [4, 5]
 
 
 def test_list_all_agent_info_api_exception(mocker, mock_auth_header):
+    """Test list_all_agent_info_api exception handling without tenant_id query parameter."""
     # Setup mocks using pytest-mock
     mock_get_user_info = mocker.patch("apps.agent_app.get_current_user_info")
     mock_list_all_agent = mocker.patch(
@@ -561,7 +848,7 @@ def test_list_all_agent_info_api_exception(mocker, mock_auth_header):
     mock_get_user_info.return_value = ("test_user", "test_tenant", "en")
     mock_list_all_agent.side_effect = Exception("Test error")
 
-    # Test the endpoint
+    # Test the endpoint without tenant_id query parameter
     response = config_client.get(
         "/agent/list",
         headers=mock_auth_header
@@ -570,7 +857,33 @@ def test_list_all_agent_info_api_exception(mocker, mock_auth_header):
     # Assertions
     assert response.status_code == 500
     mock_get_user_info.assert_called_once_with(mock_auth_header["Authorization"], ANY)
-    mock_list_all_agent.assert_called_once_with(tenant_id="test_tenant")
+    mock_list_all_agent.assert_called_once_with(tenant_id="test_tenant", user_id="test_user")
+    assert "Agent list error" in response.json()["detail"]
+
+
+def test_list_all_agent_info_api_exception_with_explicit_tenant_id(mocker, mock_auth_header):
+    """Test list_all_agent_info_api exception handling with explicit tenant_id query parameter."""
+    # Setup mocks using pytest-mock
+    mock_get_user_info = mocker.patch("apps.agent_app.get_current_user_info")
+    mock_list_all_agent = mocker.patch(
+        "apps.agent_app.list_all_agent_info_impl", new_callable=mocker.AsyncMock)
+    # Mock return values and exception
+    mock_get_user_info.return_value = ("test_user", "auth_tenant", "en")
+    mock_list_all_agent.side_effect = Exception("Test error with explicit tenant")
+
+    # Test the endpoint with explicit tenant_id query parameter
+    explicit_tenant_id = "explicit_tenant_456"
+    response = config_client.get(
+        "/agent/list",
+        params={"tenant_id": explicit_tenant_id},
+        headers=mock_auth_header
+    )
+
+    # Assertions
+    assert response.status_code == 500
+    mock_get_user_info.assert_called_once_with(mock_auth_header["Authorization"], ANY)
+    # Should use explicit tenant_id even when exception occurs
+    mock_list_all_agent.assert_called_once_with(tenant_id=explicit_tenant_id, user_id="test_user")
     assert "Agent list error" in response.json()["detail"]
 
 
@@ -886,3 +1199,693 @@ def test_clear_agent_new_mark_api_exception(mocker, mock_auth_header):
     # Verify service was still called with correct parameters
     mock_get_user_info.assert_called_once_with(mock_auth_header["Authorization"])
     mock_clear_agent_new_mark.assert_called_once_with(456, "test_tenant_id", "test_user_id")
+
+
+# Agent Version Management API Tests
+# ---------------------------------------------------------------------------
+
+
+def test_publish_version_api_success(mocker, mock_auth_header):
+    """Test successful version publishing"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_publish_version = mocker.patch("apps.agent_app.publish_version_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_publish_version.return_value = {
+        "success": True,
+        "message": "Version published successfully",
+        "version_no": 1
+    }
+    
+    response = config_client.post(
+        "/agent/123/publish",
+        json={
+            "version_name": "v1.0.0",
+            "release_note": "Initial release"
+        },
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 200
+    mock_get_user_id.assert_called_once_with(mock_auth_header["Authorization"])
+    mock_publish_version.assert_called_once_with(
+        agent_id=123,
+        tenant_id="test_tenant_id",
+        user_id="test_user_id",
+        version_name="v1.0.0",
+        release_note="Initial release"
+    )
+    assert response.json()["success"] is True
+    assert response.json()["version_no"] == 1
+
+
+def test_publish_version_api_bad_request(mocker, mock_auth_header):
+    """Test publish version with ValueError"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_publish_version = mocker.patch("apps.agent_app.publish_version_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_publish_version.side_effect = ValueError("Agent not found")
+    
+    response = config_client.post(
+        "/agent/123/publish",
+        json={
+            "version_name": "v1.0.0",
+            "release_note": "Initial release"
+        },
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 400
+    assert response.json()["detail"] == "Agent not found"
+
+
+def test_publish_version_api_exception(mocker, mock_auth_header):
+    """Test publish version with general exception"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_publish_version = mocker.patch("apps.agent_app.publish_version_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_publish_version.side_effect = Exception("Database error")
+    
+    response = config_client.post(
+        "/agent/123/publish",
+        json={
+            "version_name": "v1.0.0",
+            "release_note": "Initial release"
+        },
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 500
+    assert "Publish version error" in response.json()["detail"]
+
+
+def test_compare_versions_api_success(mocker, mock_auth_header):
+    """Test successful version comparison"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_compare_versions = mocker.patch("apps.agent_app.compare_versions_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_compare_versions.return_value = {
+        "success": True,
+        "message": "Versions compared successfully",
+        "data": {
+            "version_a": {"version_no": 1},
+            "version_b": {"version_no": 2},
+            "differences": []
+        }
+    }
+    
+    response = config_client.post(
+        "/agent/123/versions/compare",
+        json={
+            "version_no_a": 1,
+            "version_no_b": 2
+        },
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 200
+    mock_get_user_id.assert_called_once_with(mock_auth_header["Authorization"])
+    mock_compare_versions.assert_called_once_with(
+        agent_id=123,
+        tenant_id="test_tenant_id",
+        version_no_a=1,
+        version_no_b=2
+    )
+    assert response.json()["success"] is True
+
+
+def test_compare_versions_api_bad_request(mocker, mock_auth_header):
+    """Test compare versions with ValueError"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_compare_versions = mocker.patch("apps.agent_app.compare_versions_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_compare_versions.side_effect = ValueError("Version not found")
+    
+    response = config_client.post(
+        "/agent/123/versions/compare",
+        json={
+            "version_no_a": 1,
+            "version_no_b": 2
+        },
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 400
+    assert response.json()["detail"] == "Version not found"
+
+
+def test_compare_versions_api_exception(mocker, mock_auth_header):
+    """Test compare versions with general exception"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_compare_versions = mocker.patch("apps.agent_app.compare_versions_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_compare_versions.side_effect = Exception("Database error")
+    
+    response = config_client.post(
+        "/agent/123/versions/compare",
+        json={
+            "version_no_a": 1,
+            "version_no_b": 2
+        },
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 500
+    assert "Compare versions error" in response.json()["detail"]
+
+
+def test_get_version_list_api_success(mocker, mock_auth_header):
+    """Test successful version list retrieval without explicit tenant_id (uses auth tenant_id)"""
+    mock_get_user_info = mocker.patch("apps.agent_app.get_current_user_info")
+    mock_get_version_list = mocker.patch("apps.agent_app.get_version_list_impl")
+    
+    mock_get_user_info.return_value = ("test_user_id", "test_tenant_id", "en")
+    mock_get_version_list.return_value = {
+        "versions": [
+            {"version_no": 1, "version_name": "v1.0.0", "status": "RELEASED"},
+            {"version_no": 2, "version_name": "v2.0.0", "status": "RELEASED"}
+        ]
+    }
+    
+    response = config_client.get(
+        "/agent/123/versions",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 200
+    mock_get_user_info.assert_called_once_with(mock_auth_header["Authorization"], ANY)
+    mock_get_version_list.assert_called_once_with(
+        agent_id=123,
+        tenant_id="test_tenant_id"
+    )
+    assert len(response.json()["versions"]) == 2
+
+
+def test_get_version_list_api_with_explicit_tenant_id(mocker, mock_auth_header):
+    """Test successful version list retrieval with explicit tenant_id query parameter"""
+    mock_get_user_info = mocker.patch("apps.agent_app.get_current_user_info")
+    mock_get_version_list = mocker.patch("apps.agent_app.get_version_list_impl")
+    
+    mock_get_user_info.return_value = ("test_user_id", "auth_tenant_id", "en")
+    mock_get_version_list.return_value = {
+        "versions": [
+            {"version_no": 1, "version_name": "v1.0.0", "status": "RELEASED"}
+        ]
+    }
+    
+    explicit_tenant_id = "explicit_tenant_456"
+    response = config_client.get(
+        "/agent/123/versions",
+        params={"tenant_id": explicit_tenant_id},
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 200
+    mock_get_user_info.assert_called_once_with(mock_auth_header["Authorization"], ANY)
+    # Should use explicit tenant_id when provided, not auth tenant_id
+    mock_get_version_list.assert_called_once_with(
+        agent_id=123,
+        tenant_id=explicit_tenant_id
+    )
+    assert len(response.json()["versions"]) == 1
+
+
+def test_get_version_list_api_exception(mocker, mock_auth_header):
+    """Test get version list with exception without explicit tenant_id"""
+    mock_get_user_info = mocker.patch("apps.agent_app.get_current_user_info")
+    mock_get_version_list = mocker.patch("apps.agent_app.get_version_list_impl")
+    
+    mock_get_user_info.return_value = ("test_user_id", "test_tenant_id", "en")
+    mock_get_version_list.side_effect = Exception("Database error")
+    
+    response = config_client.get(
+        "/agent/123/versions",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 500
+    mock_get_user_info.assert_called_once_with(mock_auth_header["Authorization"], ANY)
+    mock_get_version_list.assert_called_once_with(
+        agent_id=123,
+        tenant_id="test_tenant_id"
+    )
+    assert "Get version list error" in response.json()["detail"]
+
+
+def test_get_version_list_api_exception_with_explicit_tenant_id(mocker, mock_auth_header):
+    """Test get version list with exception and explicit tenant_id"""
+    mock_get_user_info = mocker.patch("apps.agent_app.get_current_user_info")
+    mock_get_version_list = mocker.patch("apps.agent_app.get_version_list_impl")
+    
+    mock_get_user_info.return_value = ("test_user_id", "auth_tenant_id", "en")
+    mock_get_version_list.side_effect = Exception("Database error with explicit tenant")
+    
+    explicit_tenant_id = "explicit_tenant_789"
+    response = config_client.get(
+        "/agent/123/versions",
+        params={"tenant_id": explicit_tenant_id},
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 500
+    mock_get_user_info.assert_called_once_with(mock_auth_header["Authorization"], ANY)
+    # Should use explicit tenant_id even when exception occurs
+    mock_get_version_list.assert_called_once_with(
+        agent_id=123,
+        tenant_id=explicit_tenant_id
+    )
+    assert "Get version list error" in response.json()["detail"]
+
+
+def test_get_version_api_success(mocker, mock_auth_header):
+    """Test successful version retrieval"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_get_version = mocker.patch("apps.agent_app.get_version_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_get_version.return_value = {
+        "version_no": 1,
+        "version_name": "v1.0.0",
+        "status": "RELEASED",
+        "release_note": "Initial release"
+    }
+    
+    response = config_client.get(
+        "/agent/123/versions/1",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 200
+    mock_get_user_id.assert_called_once_with(mock_auth_header["Authorization"])
+    mock_get_version.assert_called_once_with(
+        agent_id=123,
+        tenant_id="test_tenant_id",
+        version_no=1
+    )
+    assert response.json()["version_no"] == 1
+
+
+def test_get_version_api_not_found(mocker, mock_auth_header):
+    """Test get version with ValueError (not found)"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_get_version = mocker.patch("apps.agent_app.get_version_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_get_version.side_effect = ValueError("Version not found")
+    
+    response = config_client.get(
+        "/agent/123/versions/999",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 404
+    assert response.json()["detail"] == "Version not found"
+
+
+def test_get_version_api_exception(mocker, mock_auth_header):
+    """Test get version with general exception"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_get_version = mocker.patch("apps.agent_app.get_version_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_get_version.side_effect = Exception("Database error")
+    
+    response = config_client.get(
+        "/agent/123/versions/1",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 500
+    assert "Get version detail error" in response.json()["detail"]
+
+
+def test_get_version_detail_api_success(mocker, mock_auth_header):
+    """Test successful version detail retrieval"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_get_version_detail = mocker.patch("apps.agent_app.get_version_detail_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_get_version_detail.return_value = {
+        "version_no": 1,
+        "version_name": "v1.0.0",
+        "status": "RELEASED",
+        "agent_snapshot": {"agent_id": 123, "name": "Test Agent"},
+        "tool_snapshots": [],
+        "relation_snapshots": []
+    }
+    
+    response = config_client.get(
+        "/agent/123/versions/1/detail",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 200
+    mock_get_user_id.assert_called_once_with(mock_auth_header["Authorization"])
+    mock_get_version_detail.assert_called_once_with(
+        agent_id=123,
+        tenant_id="test_tenant_id",
+        version_no=1
+    )
+    assert response.json()["version_no"] == 1
+    assert "agent_snapshot" in response.json()
+
+
+def test_get_version_detail_api_not_found(mocker, mock_auth_header):
+    """Test get version detail with ValueError (not found)"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_get_version_detail = mocker.patch("apps.agent_app.get_version_detail_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_get_version_detail.side_effect = ValueError("Version not found")
+    
+    response = config_client.get(
+        "/agent/123/versions/999/detail",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 404
+    assert response.json()["detail"] == "Version not found"
+
+
+def test_get_version_detail_api_exception(mocker, mock_auth_header):
+    """Test get version detail with general exception"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_get_version_detail = mocker.patch("apps.agent_app.get_version_detail_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_get_version_detail.side_effect = Exception("Database error")
+    
+    response = config_client.get(
+        "/agent/123/versions/1/detail",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 500
+    assert "Get version detail error" in response.json()["detail"]
+
+
+def test_rollback_version_api_success(mocker, mock_auth_header):
+    """Test successful version rollback"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_rollback_version = mocker.patch("apps.agent_app.rollback_version_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_rollback_version.return_value = {
+        "success": True,
+        "message": "Successfully rolled back to version 1",
+        "version_no": 1
+    }
+    
+    response = config_client.post(
+        "/agent/123/versions/1/rollback",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 200
+    mock_get_user_id.assert_called_once_with(mock_auth_header["Authorization"])
+    mock_rollback_version.assert_called_once_with(
+        agent_id=123,
+        tenant_id="test_tenant_id",
+        target_version_no=1
+    )
+    assert response.json()["success"] is True
+
+
+def test_rollback_version_api_bad_request(mocker, mock_auth_header):
+    """Test rollback version with ValueError"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_rollback_version = mocker.patch("apps.agent_app.rollback_version_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_rollback_version.side_effect = ValueError("Version not found")
+    
+    response = config_client.post(
+        "/agent/123/versions/999/rollback",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 400
+    assert response.json()["detail"] == "Version not found"
+
+
+def test_rollback_version_api_exception(mocker, mock_auth_header):
+    """Test rollback version with general exception"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_rollback_version = mocker.patch("apps.agent_app.rollback_version_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_rollback_version.side_effect = Exception("Database error")
+    
+    response = config_client.post(
+        "/agent/123/versions/1/rollback",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 500
+    assert "Rollback version error" in response.json()["detail"]
+
+
+def test_update_version_status_api_success(mocker, mock_auth_header):
+    """Test successful version status update"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_update_version_status = mocker.patch("apps.agent_app.update_version_status_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_update_version_status.return_value = {
+        "success": True,
+        "message": "Version status updated successfully"
+    }
+    
+    response = config_client.patch(
+        "/agent/123/versions/1/status",
+        json={"status": "DISABLED"},
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 200
+    mock_get_user_id.assert_called_once_with(mock_auth_header["Authorization"])
+    mock_update_version_status.assert_called_once_with(
+        agent_id=123,
+        tenant_id="test_tenant_id",
+        user_id="test_user_id",
+        version_no=1,
+        status="DISABLED"
+    )
+    assert response.json()["success"] is True
+
+
+def test_update_version_status_api_bad_request(mocker, mock_auth_header):
+    """Test update version status with ValueError"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_update_version_status = mocker.patch("apps.agent_app.update_version_status_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_update_version_status.side_effect = ValueError("Invalid status")
+    
+    response = config_client.patch(
+        "/agent/123/versions/1/status",
+        json={"status": "INVALID"},
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 400
+    assert response.json()["detail"] == "Invalid status"
+
+
+def test_update_version_status_api_exception(mocker, mock_auth_header):
+    """Test update version status with general exception"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_update_version_status = mocker.patch("apps.agent_app.update_version_status_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_update_version_status.side_effect = Exception("Database error")
+    
+    response = config_client.patch(
+        "/agent/123/versions/1/status",
+        json={"status": "DISABLED"},
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 500
+    assert "Update version status error" in response.json()["detail"]
+
+
+def test_delete_version_api_success(mocker, mock_auth_header):
+    """Test successful version deletion"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_delete_version = mocker.patch("apps.agent_app.delete_version_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_delete_version.return_value = {
+        "success": True,
+        "message": "Version 1 deleted successfully"
+    }
+    
+    response = config_client.delete(
+        "/agent/123/versions/1",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 200
+    mock_get_user_id.assert_called_once_with(mock_auth_header["Authorization"])
+    mock_delete_version.assert_called_once_with(
+        agent_id=123,
+        tenant_id="test_tenant_id",
+        user_id="test_user_id",
+        version_no=1
+    )
+    assert response.json()["success"] is True
+
+
+def test_delete_version_api_bad_request(mocker, mock_auth_header):
+    """Test delete version with ValueError"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_delete_version = mocker.patch("apps.agent_app.delete_version_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_delete_version.side_effect = ValueError("Cannot delete draft version")
+    
+    response = config_client.delete(
+        "/agent/123/versions/0",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 400
+    assert response.json()["detail"] == "Cannot delete draft version"
+
+
+def test_delete_version_api_exception(mocker, mock_auth_header):
+    """Test delete version with general exception"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_delete_version = mocker.patch("apps.agent_app.delete_version_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_delete_version.side_effect = Exception("Database error")
+    
+    response = config_client.delete(
+        "/agent/123/versions/1",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 500
+    assert "Delete version error" in response.json()["detail"]
+
+
+def test_get_current_version_api_success(mocker, mock_auth_header):
+    """Test successful current version retrieval"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_get_current_version = mocker.patch("apps.agent_app.get_current_version_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_get_current_version.return_value = {
+        "version_no": 1,
+        "version_name": "v1.0.0",
+        "status": "RELEASED"
+    }
+    
+    response = config_client.get(
+        "/agent/123/current_version",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 200
+    mock_get_user_id.assert_called_once_with(mock_auth_header["Authorization"])
+    mock_get_current_version.assert_called_once_with(
+        agent_id=123,
+        tenant_id="test_tenant_id"
+    )
+    assert response.json()["version_no"] == 1
+
+
+def test_get_current_version_api_not_found(mocker, mock_auth_header):
+    """Test get current version with ValueError (not found)"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_get_current_version = mocker.patch("apps.agent_app.get_current_version_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_get_current_version.side_effect = ValueError("No published version found")
+    
+    response = config_client.get(
+        "/agent/123/current_version",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 404
+    assert response.json()["detail"] == "No published version found"
+
+
+def test_get_current_version_api_exception(mocker, mock_auth_header):
+    """Test get current version with general exception"""
+    mock_get_user_id = mocker.patch("apps.agent_app.get_current_user_id")
+    mock_get_current_version = mocker.patch("apps.agent_app.get_current_version_impl")
+    
+    mock_get_user_id.return_value = ("test_user_id", "test_tenant_id")
+    mock_get_current_version.side_effect = Exception("Database error")
+    
+    response = config_client.get(
+        "/agent/123/current_version",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 500
+    assert "Get current version error" in response.json()["detail"]
+
+
+def test_list_published_agents_api_success(mocker, mock_auth_header):
+    """Test successful published agents list retrieval"""
+    mock_get_user_info = mocker.patch("apps.agent_app.get_current_user_info")
+    mock_list_published_agents = mocker.patch(
+        "apps.agent_app.list_published_agents_impl", new_callable=mocker.AsyncMock)
+    
+    mock_get_user_info.return_value = ("test_user_id", "test_tenant_id", "en")
+    mock_list_published_agents.return_value = [
+        {
+            "agent_id": 1,
+            "name": "Agent 1",
+            "published_version_no": 1,
+            "version_name": "v1.0.0"
+        },
+        {
+            "agent_id": 2,
+            "name": "Agent 2",
+            "published_version_no": 2,
+            "version_name": "v2.0.0"
+        }
+    ]
+    
+    response = config_client.get(
+        "/agent/published_list",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 200
+    mock_get_user_info.assert_called_once_with(mock_auth_header["Authorization"], ANY)
+    mock_list_published_agents.assert_called_once_with(
+        tenant_id="test_tenant_id",
+        user_id="test_user_id"
+    )
+    assert len(response.json()) == 2
+    assert response.json()[0]["agent_id"] == 1
+
+
+def test_list_published_agents_api_exception(mocker, mock_auth_header):
+    """Test list published agents with exception"""
+    mock_get_user_info = mocker.patch("apps.agent_app.get_current_user_info")
+    mock_list_published_agents = mocker.patch(
+        "apps.agent_app.list_published_agents_impl", new_callable=mocker.AsyncMock)
+    
+    mock_get_user_info.return_value = ("test_user_id", "test_tenant_id", "en")
+    mock_list_published_agents.side_effect = Exception("Database error")
+    
+    response = config_client.get(
+        "/agent/published_list",
+        headers=mock_auth_header
+    )
+    
+    assert response.status_code == 500
+    assert "Published agents list error" in response.json()["detail"]
\ No newline at end of file
diff --git a/test/backend/app/test_datamate_app.py b/test/backend/app/test_datamate_app.py
index c65663611..ce9c66cc4 100644
--- a/test/backend/app/test_datamate_app.py
+++ b/test/backend/app/test_datamate_app.py
@@ -52,7 +52,7 @@
 # Use additional context manager to ensure MinioClient is properly mocked during import
 with patch('backend.database.client.MinioClient', return_value=minio_client_mock), \
         patch('nexent.storage.minio_config.MinIOStorageConfig', return_value=minio_config_mock):
-    from backend.apps.datamate_app import sync_datamate_knowledges, get_datamate_knowledge_base_files_endpoint
+    from backend.apps.datamate_app import sync_datamate_knowledges, get_datamate_knowledge_base_files_endpoint, test_datamate_connection_endpoint as datamate_connection_endpoint
 
 
 # Fixtures to replace setUp and tearDown
@@ -60,19 +60,23 @@
 def datamate_mocks():
     """Fixture to provide mocked dependencies for datamate app tests."""
     # Create fresh mocks for each test
+    # Note: patch where the functions are imported (datamate_app), not where they're defined (service module)
     with patch('backend.apps.datamate_app.get_current_user_id') as mock_get_current_user_id, \
             patch('backend.apps.datamate_app.sync_datamate_knowledge_bases_and_create_records') as mock_sync_datamate, \
             patch('backend.apps.datamate_app.fetch_datamate_knowledge_base_file_list') as mock_fetch_files, \
+            patch('backend.apps.datamate_app.check_datamate_connection') as mock_check_connection, \
             patch('backend.apps.datamate_app.logger') as mock_logger:
 
         # Set up async mocks for async functions
         mock_sync_datamate.return_value = AsyncMock()
         mock_fetch_files.return_value = AsyncMock()
+        mock_check_connection.return_value = AsyncMock()
 
         yield {
             'get_current_user_id': mock_get_current_user_id,
             'sync_datamate': mock_sync_datamate,
             'fetch_files': mock_fetch_files,
+            'check_connection': mock_check_connection,
             'logger': mock_logger
         }
 
@@ -98,8 +102,15 @@ async def test_sync_datamate_knowledges_success(self, datamate_mocks):
         # Mock service response
         datamate_mocks['sync_datamate'].return_value = expected_result
 
-        # Execute - call the endpoint directly
-        result = await sync_datamate_knowledges(authorization=mock_auth_header)
+        # Create request with None datamate_url (default behavior)
+        from backend.apps.datamate_app import SyncDatamateRequest
+        request = SyncDatamateRequest(datamate_url=None)
+
+        # Execute - call the endpoint with request body
+        result = await sync_datamate_knowledges(
+            authorization=mock_auth_header,
+            request=request
+        )
 
         # Assert
         assert result == expected_result
@@ -107,7 +118,8 @@ async def test_sync_datamate_knowledges_success(self, datamate_mocks):
             mock_auth_header)
         datamate_mocks['sync_datamate'].assert_called_once_with(
             tenant_id="test_tenant_id",
-            user_id="test_user_id"
+            user_id="test_user_id",
+            datamate_url=None
         )
 
     @pytest.mark.asyncio
@@ -144,9 +156,16 @@ async def test_sync_datamate_knowledges_service_error(self, datamate_mocks):
         service_error = RuntimeError("DataMate API unavailable")
         datamate_mocks['sync_datamate'].side_effect = service_error
 
+        # Create request with None datamate_url
+        from backend.apps.datamate_app import SyncDatamateRequest
+        request = SyncDatamateRequest(datamate_url=None)
+
         # Execute and Assert
         with pytest.raises(HTTPException) as exc_info:
-            await sync_datamate_knowledges(authorization=mock_auth_header)
+            await sync_datamate_knowledges(
+                authorization=mock_auth_header,
+                request=request
+            )
 
         assert exc_info.value.status_code == HTTPStatus.INTERNAL_SERVER_ERROR
         assert "Error syncing DataMate knowledge bases and creating records" in str(
@@ -296,8 +315,15 @@ async def test_sync_datamate_knowledges_none_auth_header(self, datamate_mocks):
         }
         datamate_mocks['sync_datamate'].return_value = expected_result
 
+        # Create request with None datamate_url
+        from backend.apps.datamate_app import SyncDatamateRequest
+        request = SyncDatamateRequest(datamate_url=None)
+
         # Execute
-        result = await sync_datamate_knowledges(authorization=mock_auth_header)
+        result = await sync_datamate_knowledges(
+            authorization=mock_auth_header,
+            request=request
+        )
 
         # Assert
         assert result == expected_result
@@ -348,9 +374,16 @@ async def test_sync_datamate_knowledges_custom_exception(self, datamate_mocks):
         custom_error = UnauthorizedError("Custom auth error")
         datamate_mocks['sync_datamate'].side_effect = custom_error
 
+        # Create request with None datamate_url
+        from backend.apps.datamate_app import SyncDatamateRequest
+        request = SyncDatamateRequest(datamate_url=None)
+
         # Execute and Assert
         with pytest.raises(HTTPException) as exc_info:
-            await sync_datamate_knowledges(authorization=mock_auth_header)
+            await sync_datamate_knowledges(
+                authorization=mock_auth_header,
+                request=request
+            )
 
         assert exc_info.value.status_code == HTTPStatus.INTERNAL_SERVER_ERROR
         assert "Custom auth error" in str(exc_info.value.detail)
@@ -380,3 +413,486 @@ async def test_get_datamate_knowledge_base_files_custom_exception(self, datamate
 
         assert exc_info.value.status_code == HTTPStatus.INTERNAL_SERVER_ERROR
         assert "Rate limit exceeded" in str(exc_info.value.detail)
+
+    @pytest.mark.asyncio
+    async def test_sync_datamate_knowledges_with_custom_datamate_url(self, datamate_mocks):
+        """Test DataMate knowledge bases sync with custom datamate_url in request body."""
+        # Setup
+        mock_auth_header = "Bearer test-token"
+        custom_datamate_url = "http://custom-datamate.example.com:8080"
+        expected_result = {
+            "indices": ["kb1", "kb2"],
+            "count": 2,
+            "created_records": 5
+        }
+
+        # Mock user and tenant ID
+        datamate_mocks['get_current_user_id'].return_value = (
+            "test_user_id", "test_tenant_id")
+
+        # Mock service response
+        datamate_mocks['sync_datamate'].return_value = expected_result
+
+        # Create request with custom datamate_url
+        from backend.apps.datamate_app import SyncDatamateRequest
+        request = SyncDatamateRequest(datamate_url=custom_datamate_url)
+
+        # Execute - call the endpoint with request body
+        result = await sync_datamate_knowledges(
+            authorization=mock_auth_header,
+            request=request
+        )
+
+        # Assert
+        assert result == expected_result
+        datamate_mocks['get_current_user_id'].assert_called_once_with(
+            mock_auth_header)
+        datamate_mocks['sync_datamate'].assert_called_once_with(
+            tenant_id="test_tenant_id",
+            user_id="test_user_id",
+            datamate_url=custom_datamate_url
+        )
+
+    @pytest.mark.asyncio
+    async def test_sync_datamate_kcknowledges_with_none_datamate_url(self, datamate_mocks):
+        """Test DataMate knowledge bases sync with explicit None datamate_url."""
+        # Setup
+        mock_auth_header = "Bearer test-token"
+        expected_result = {
+            "indices": [],
+            "count": 0
+        }
+
+        # Mock user and tenant ID
+        datamate_mocks['get_current_user_id'].return_value = (
+            "test_user_id", "test_tenant_id")
+
+        # Mock service response
+        datamate_mocks['sync_datamate'].return_value = expected_result
+
+        # Create request with explicit None datamate_url
+        from backend.apps.datamate_app import SyncDatamateRequest
+        request = SyncDatamateRequest(datamate_url=None)
+
+        # Execute - call the endpoint with request body containing None
+        result = await sync_datamate_knowledges(
+            authorization=mock_auth_header,
+            request=request
+        )
+
+        # Assert
+        assert result == expected_result
+        datamate_mocks['get_current_user_id'].assert_called_once_with(
+            mock_auth_header)
+        # When datamate_url is None, it should be passed as None to service
+        datamate_mocks['sync_datamate'].assert_called_once_with(
+            tenant_id="test_tenant_id",
+            user_id="test_user_id",
+            datamate_url=None
+        )
+
+    @pytest.mark.asyncio
+    async def test_sync_datamate_knowledges_with_empty_datamate_url(self, datamate_mocks):
+        """Test DataMate knowledge bases sync with empty string datamate_url."""
+        # Setup
+        mock_auth_header = "Bearer test-token"
+        empty_datamate_url = ""
+        expected_result = {
+            "indices": [],
+            "count": 0
+        }
+
+        # Mock user and tenant ID
+        datamate_mocks['get_current_user_id'].return_value = (
+            "test_user_id", "test_tenant_id")
+
+        # Mock service response - empty URL should be treated as no URL
+        datamate_mocks['sync_datamate'].return_value = expected_result
+
+        # Create request with empty string datamate_url
+        from backend.apps.datamate_app import SyncDatamateRequest
+        request = SyncDatamateRequest(datamate_url=empty_datamate_url)
+
+        # Execute - call the endpoint with request body
+        result = await sync_datamate_knowledges(
+            authorization=mock_auth_header,
+            request=request
+        )
+
+        # Assert
+        assert result == expected_result
+        datamate_mocks['sync_datamate'].assert_called_once_with(
+            tenant_id="test_tenant_id",
+            user_id="test_user_id",
+            datamate_url=empty_datamate_url
+        )
+
+    @pytest.mark.asyncio
+    async def test_sync_datamate_kcknowledges_with_https_datamate_url(self, datamate_mocks):
+        """Test DataMate knowledge bases sync with HTTPS datamate_url."""
+        # Setup
+        mock_auth_header = "Bearer test-token"
+        https_datamate_url = "https://secure-datamate.example.com"
+        expected_result = {
+            "indices": ["kb1"],
+            "count": 1,
+            "created_records": 1
+        }
+
+        # Mock user and tenant ID
+        datamate_mocks['get_current_user_id'].return_value = (
+            "test_user_id", "test_tenant_id")
+
+        # Mock service response
+        datamate_mocks['sync_datamate'].return_value = expected_result
+
+        # Create request with HTTPS datamate_url
+        from backend.apps.datamate_app import SyncDatamateRequest
+        request = SyncDatamateRequest(datamate_url=https_datamate_url)
+
+        # Execute - call the endpoint with request body
+        result = await sync_datamate_knowledges(
+            authorization=mock_auth_header,
+            request=request
+        )
+
+        # Assert
+        assert result == expected_result
+        datamate_mocks['sync_datamate'].assert_called_once_with(
+            tenant_id="test_tenant_id",
+            user_id="test_user_id",
+            datamate_url=https_datamate_url
+        )
+
+
+@pytest.mark.asyncio
+async def test_datamate_connection_endpoint_success(datamate_mocks):
+    """Test successful DataMate connection test."""
+    # Setup
+    mock_auth_header = "Bearer test-token"
+    expected_result = JSONResponse(
+        status_code=HTTPStatus.OK,
+        content={"success": True, "message": "Connection successful"}
+    )
+
+    # Mock user and tenant ID
+    datamate_mocks['get_current_user_id'].return_value = (
+        "test_user_id", "test_tenant_id")
+
+    # Mock service response - connection successful
+    datamate_mocks['check_connection'].return_value = (True, "")
+
+    # Create request with None datamate_url (default behavior)
+    from backend.apps.datamate_app import SyncDatamateRequest
+    request = SyncDatamateRequest(datamate_url=None)
+
+    # Execute
+    result = await datamate_connection_endpoint(
+        authorization=mock_auth_header,
+        request=request
+    )
+
+    # Assert
+    assert isinstance(result, JSONResponse)
+    assert result.status_code == HTTPStatus.OK
+
+    # Parse the JSON response body to verify content
+    import json
+    response_body = json.loads(result.body.decode())
+    assert response_body["success"] is True
+    assert response_body["message"] == "Connection successful"
+
+    datamate_mocks['get_current_user_id'].assert_called_once_with(
+        mock_auth_header)
+    datamate_mocks['check_connection'].assert_called_once_with(
+        "test_tenant_id", None
+    )
+
+
+@pytest.mark.asyncio
+async def test_datamate_connection_endpoint_connection_failed(datamate_mocks):
+    """Test DataMate connection test when connection fails."""
+    # Setup
+    mock_auth_header = "Bearer test-token"
+
+    # Mock user and tenant ID
+    datamate_mocks['get_current_user_id'].return_value = (
+        "test_user_id", "test_tenant_id")
+
+    # Mock service response - connection failed
+    error_message = "Connection timeout"
+    datamate_mocks['check_connection'].return_value = (False, error_message)
+
+    # Create request with None datamate_url
+    from backend.apps.datamate_app import SyncDatamateRequest
+    request = SyncDatamateRequest(datamate_url=None)
+
+    # Execute and Assert
+    with pytest.raises(HTTPException) as exc_info:
+        await datamate_connection_endpoint(
+            authorization=mock_auth_header,
+            request=request
+        )
+
+    assert exc_info.value.status_code == HTTPStatus.BAD_REQUEST
+    assert f"Cannot connect to DataMate server: {error_message}" in str(
+        exc_info.value.detail)
+
+    datamate_mocks['get_current_user_id'].assert_called_once_with(
+        mock_auth_header)
+    datamate_mocks['check_connection'].assert_called_once_with(
+        "test_tenant_id", None
+    )
+
+
+@pytest.mark.asyncio
+async def test_datamate_connection_endpoint_auth_error(datamate_mocks):
+    """Test DataMate connection test with authentication error."""
+    # Setup
+    mock_auth_header = "Bearer invalid-token"
+
+    # Mock authentication failure
+    datamate_mocks['get_current_user_id'].side_effect = Exception(
+        "Invalid token")
+
+    # Create request with None datamate_url
+    from backend.apps.datamate_app import SyncDatamateRequest
+    request = SyncDatamateRequest(datamate_url=None)
+
+    # Execute and Assert
+    with pytest.raises(HTTPException) as exc_info:
+        await datamate_connection_endpoint(
+            authorization=mock_auth_header,
+            request=request
+        )
+
+    assert exc_info.value.status_code == HTTPStatus.INTERNAL_SERVER_ERROR
+    assert "Error testing DataMate connection" in str(exc_info.value.detail)
+    datamate_mocks['logger'].error.assert_not_called()
+
+
+@pytest.mark.asyncio
+async def test_datamate_connection_endpoint_service_error(datamate_mocks):
+    """Test DataMate connection test with service layer error."""
+    # Setup
+    mock_auth_header = "Bearer test-token"
+
+    # Mock user and tenant ID
+    datamate_mocks['get_current_user_id'].return_value = (
+        "test_user_id", "test_tenant_id")
+
+    # Mock service exception
+    service_error = RuntimeError("DataMate API unavailable")
+    datamate_mocks['check_connection'].side_effect = service_error
+
+    # Create request with None datamate_url
+    from backend.apps.datamate_app import SyncDatamateRequest
+    request = SyncDatamateRequest(datamate_url=None)
+
+    # Execute and Assert
+    with pytest.raises(HTTPException) as exc_info:
+        await datamate_connection_endpoint(
+            authorization=mock_auth_header,
+            request=request
+        )
+
+    assert exc_info.value.status_code == HTTPStatus.INTERNAL_SERVER_ERROR
+    assert "Error testing DataMate connection" in str(exc_info.value.detail)
+    assert "DataMate API unavailable" in str(exc_info.value.detail)
+    datamate_mocks['logger'].error.assert_not_called()
+
+
+@pytest.mark.asyncio
+async def test_datamate_connection_endpoint_none_auth_header(datamate_mocks):
+    """Test DataMate connection test with None authorization header."""
+    # Setup
+    mock_auth_header = None
+
+    # Mock user and tenant ID for None auth (speed mode)
+    datamate_mocks['get_current_user_id'].return_value = (
+        "default_user", "default_tenant")
+
+    # Mock service response - connection successful
+    datamate_mocks['check_connection'].return_value = (True, "")
+
+    # Create request with None datamate_url
+    from backend.apps.datamate_app import SyncDatamateRequest
+    request = SyncDatamateRequest(datamate_url=None)
+
+    # Execute
+    result = await datamate_connection_endpoint(
+        authorization=mock_auth_header,
+        request=request
+    )
+
+    # Assert
+    assert isinstance(result, JSONResponse)
+    assert result.status_code == HTTPStatus.OK
+
+    datamate_mocks['get_current_user_id'].assert_called_once_with(None)
+    datamate_mocks['check_connection'].assert_called_once_with(
+        "default_tenant", None
+    )
+
+
+@pytest.mark.asyncio
+async def test_datamate_connection_endpoint_with_custom_url(datamate_mocks):
+    """Test DataMate connection test with custom datamate_url in request body."""
+    # Setup
+    mock_auth_header = "Bearer test-token"
+    custom_datamate_url = "http://custom-datamate.example.com:8080"
+
+    # Mock user and tenant ID
+    datamate_mocks['get_current_user_id'].return_value = (
+        "test_user_id", "test_tenant_id")
+
+    # Mock service response - connection successful
+    datamate_mocks['check_connection'].return_value = (True, "")
+
+    # Create request with custom datamate_url
+    from backend.apps.datamate_app import SyncDatamateRequest
+    request = SyncDatamateRequest(datamate_url=custom_datamate_url)
+
+    # Execute
+    result = await datamate_connection_endpoint(
+        authorization=mock_auth_header,
+        request=request
+    )
+
+    # Assert
+    assert isinstance(result, JSONResponse)
+    assert result.status_code == HTTPStatus.OK
+
+    # Parse the JSON response body to verify content
+    import json
+    response_body = json.loads(result.body.decode())
+    assert response_body["success"] is True
+
+    datamate_mocks['get_current_user_id'].assert_called_once_with(
+        mock_auth_header)
+    datamate_mocks['check_connection'].assert_called_once_with(
+        "test_tenant_id", custom_datamate_url
+    )
+
+
+@pytest.mark.asyncio
+async def test_datamate_connection_endpoint_connection_disabled(datamate_mocks):
+    """Test DataMate connection test when ModelEngine is disabled."""
+    # Setup
+    mock_auth_header = "Bearer test-token"
+
+    # Mock user and tenant ID
+    datamate_mocks['get_current_user_id'].return_value = (
+        "test_user_id", "test_tenant_id")
+
+    # Mock service response - ModelEngine disabled
+    datamate_mocks['check_connection'].return_value = (
+        False, "ModelEngine is disabled")
+
+    # Create request with None datamate_url
+    from backend.apps.datamate_app import SyncDatamateRequest
+    request = SyncDatamateRequest(datamate_url=None)
+
+    # Execute and Assert
+    with pytest.raises(HTTPException) as exc_info:
+        await datamate_connection_endpoint(
+            authorization=mock_auth_header,
+            request=request
+        )
+
+    assert exc_info.value.status_code == HTTPStatus.BAD_REQUEST
+    assert "Cannot connect to DataMate server: ModelEngine is disabled" in str(
+        exc_info.value.detail)
+
+
+@pytest.mark.asyncio
+async def test_datamate_connection_endpoint_no_url_configured(datamate_mocks):
+    """Test DataMate connection test when DataMate URL is not configured."""
+    # Setup
+    mock_auth_header = "Bearer test-token"
+
+    # Mock user and tenant ID
+    datamate_mocks['get_current_user_id'].return_value = (
+        "test_user_id", "test_tenant_id")
+
+    # Mock service response - URL not configured
+    datamate_mocks['check_connection'].return_value = (
+        False, "DataMate URL not configured")
+
+    # Create request with None datamate_url
+    from backend.apps.datamate_app import SyncDatamateRequest
+    request = SyncDatamateRequest(datamate_url=None)
+
+    # Execute and Assert
+    with pytest.raises(HTTPException) as exc_info:
+        await datamate_connection_endpoint(
+            authorization=mock_auth_header,
+            request=request
+        )
+
+    assert exc_info.value.status_code == HTTPStatus.BAD_REQUEST
+    assert "Cannot connect to DataMate server: DataMate URL not configured" in str(
+        exc_info.value.detail)
+
+
+@pytest.mark.asyncio
+async def test_datamate_connection_endpoint_empty_request_body(datamate_mocks):
+    """Test DataMate connection test with empty request body (None request)."""
+    # Setup
+    mock_auth_header = "Bearer test-token"
+
+    # Mock user and tenant ID
+    datamate_mocks['get_current_user_id'].return_value = (
+        "test_user_id", "test_tenant_id")
+
+    # Mock service response - connection successful
+    datamate_mocks['check_connection'].return_value = (True, "")
+
+    # Execute with None request (empty body)
+    result = await datamate_connection_endpoint(
+        authorization=mock_auth_header,
+        request=None
+    )
+
+    # Assert
+    assert isinstance(result, JSONResponse)
+    assert result.status_code == HTTPStatus.OK
+
+    # Verify test_connection was called with None datamate_url when request is None
+    datamate_mocks['check_connection'].assert_called_once_with(
+        "test_tenant_id", None
+    )
+
+
+@pytest.mark.asyncio
+async def test_datamate_connection_endpoint_empty_url_in_request(datamate_mocks):
+    """Test DataMate connection test with empty string datamate_url in request."""
+    # Setup
+    mock_auth_header = "Bearer test-token"
+    empty_datamate_url = ""
+
+    # Mock user and tenant ID
+    datamate_mocks['get_current_user_id'].return_value = (
+        "test_user_id", "test_tenant_id")
+
+    # Mock service response - URL not configured
+    datamate_mocks['check_connection'].return_value = (
+        False, "DataMate URL not configured")
+
+    # Create request with empty string datamate_url
+    from backend.apps.datamate_app import SyncDatamateRequest
+    request = SyncDatamateRequest(datamate_url=empty_datamate_url)
+
+    # Execute and Assert
+    with pytest.raises(HTTPException) as exc_info:
+        await datamate_connection_endpoint(
+            authorization=mock_auth_header,
+            request=request
+        )
+
+    assert exc_info.value.status_code == HTTPStatus.BAD_REQUEST
+
+    # Verify test_connection was called with empty string datamate_url
+    datamate_mocks['check_connection'].assert_called_once_with(
+        "test_tenant_id", empty_datamate_url
+    )
diff --git a/test/backend/app/test_dify_app.py b/test/backend/app/test_dify_app.py
new file mode 100644
index 000000000..ad9c8c53c
--- /dev/null
+++ b/test/backend/app/test_dify_app.py
@@ -0,0 +1,559 @@
+"""
+Unit tests for Dify App Layer.
+
+Tests the FastAPI endpoints for Dify knowledge base operations.
+"""
+import sys
+import os
+from unittest.mock import patch, MagicMock
+
+import pytest
+from fastapi import HTTPException
+from fastapi.responses import JSONResponse
+from http import HTTPStatus
+
+
+# Add backend directory to Python path for proper imports
+project_root = os.path.abspath(os.path.join(
+    os.path.dirname(__file__), '../../../'))
+backend_dir = os.path.join(project_root, 'backend')
+if backend_dir not in sys.path:
+    sys.path.insert(0, backend_dir)
+
+
+# Mock the storage client factory BEFORE importing any backend modules that depend on it.
+# This prevents MinIO connection attempts during module import.
+def _mock_create_storage_client_from_config(config):
+    """Mock function to replace create_storage_client_from_config."""
+    mock_client = MagicMock()
+    mock_client.default_bucket = getattr(config, 'default_bucket', None)
+    mock_client.upload_file.return_value = (True, "/mock-bucket/mock-file")
+    mock_client.download_file.return_value = (True, "Downloaded successfully")
+    mock_client.get_file_url.return_value = (True, "http://mock-url/file")
+    mock_client.list_files.return_value = []
+    mock_client.delete_file.return_value = (True, "Deleted successfully")
+    mock_client.get_file_stream.return_value = (True, MagicMock())
+    mock_client.get_file_size.return_value = 0
+    return mock_client
+
+
+# Apply the mock to the SDK module where create_storage_client_from_config is defined
+with patch('nexent.storage.storage_client_factory.create_storage_client_from_config',
+           side_effect=_mock_create_storage_client_from_config):
+    # Also mock the MinIO client initialization in database.client
+    with patch('backend.database.client.MinioClient') as MockMinioClient:
+        mock_minio_instance = MagicMock()
+        MockMinioClient.return_value = mock_minio_instance
+
+        # Now it's safe to import backend modules
+        from backend.apps.dify_app import router, fetch_dify_datasets_api
+        from backend.services.dify_service import fetch_dify_datasets_impl
+
+
+# Fixtures to replace setUp and tearDown
+@pytest.fixture
+def dify_mocks():
+    """Fixture to provide mocked dependencies for dify app tests."""
+    with patch('backend.apps.dify_app.get_current_user_id') as mock_get_current_user_id, \
+            patch('backend.apps.dify_app.fetch_dify_datasets_impl') as mock_fetch_dify, \
+            patch('backend.apps.dify_app.logger') as mock_logger:
+
+        mock_fetch_dify.return_value = MagicMock()
+
+        yield {
+            'get_current_user_id': mock_get_current_user_id,
+            'fetch_dify': mock_fetch_dify,
+            'logger': mock_logger
+        }
+
+
+class TestFetchDifyDatasetsApi:
+    """Test class for fetch_dify_datasets_api endpoint."""
+
+    @pytest.mark.asyncio
+    async def test_fetch_dify_datasets_api_success(self, dify_mocks):
+        """Test successful fetching of Dify datasets."""
+        # Setup
+        mock_auth_header = "Bearer test-token"
+        dify_api_base = "https://dify.example.com"
+        api_key = "test-api-key"
+
+        expected_result = {
+            "indices": ["ds-1", "ds-2"],
+            "count": 2,
+            "indices_info": [
+                {
+                    "name": "ds-1",
+                    "display_name": "Knowledge Base 1",
+                    "stats": {
+                        "base_info": {
+                            "doc_count": 10,
+                            "chunk_count": 100,
+                            "store_size": "",
+                            "process_source": "Dify",
+                            "embedding_model": "text-embedding-3-small",
+                            "embedding_dim": 0,
+                            "creation_date": 1704067200000,
+                            "update_date": 1704153600000
+                        },
+                        "search_performance": {
+                            "total_search_count": 0,
+                            "hit_count": 0
+                        }
+                    }
+                }
+            ],
+            "pagination": {
+                "embedding_available": True
+            }
+        }
+
+        # Mock user and tenant ID
+        dify_mocks['get_current_user_id'].return_value = (
+            "test_user_id", "test_tenant_id"
+        )
+
+        # Mock service response
+        dify_mocks['fetch_dify'].return_value = expected_result
+
+        # Execute
+        result = await fetch_dify_datasets_api(
+            dify_api_base=dify_api_base,
+            api_key=api_key,
+            authorization=mock_auth_header
+        )
+
+        # Assert
+        assert isinstance(result, JSONResponse)
+        assert result.status_code == HTTPStatus.OK
+
+        # Parse the JSON response body to verify content
+        import json
+        response_body = json.loads(result.body.decode())
+        assert response_body == expected_result
+
+        dify_mocks['get_current_user_id'].assert_called_once_with(mock_auth_header)
+        dify_mocks['fetch_dify'].assert_called_once_with(
+            dify_api_base=dify_api_base.rstrip('/'),
+            api_key=api_key
+        )
+
+    @pytest.mark.asyncio
+    async def test_fetch_dify_datasets_api_url_normalization(self, dify_mocks):
+        """Test that trailing slash is removed from dify_api_base."""
+        mock_auth_header = "Bearer test-token"
+        dify_api_base = "https://dify.example.com/"
+        api_key = "test-api-key"
+
+        expected_result = {
+            "indices": [],
+            "count": 0,
+            "indices_info": [],
+            "pagination": {"embedding_available": False}
+        }
+
+        dify_mocks['get_current_user_id'].return_value = (
+            "test_user_id", "test_tenant_id"
+        )
+        dify_mocks['fetch_dify'].return_value = expected_result
+
+        result = await fetch_dify_datasets_api(
+            dify_api_base=dify_api_base,
+            api_key=api_key,
+            authorization=mock_auth_header
+        )
+
+        # Verify the URL was normalized (trailing slash removed)
+        dify_mocks['fetch_dify'].assert_called_once_with(
+            dify_api_base="https://dify.example.com",  # No trailing slash
+            api_key=api_key
+        )
+
+    @pytest.mark.asyncio
+    async def test_fetch_dify_datasets_api_auth_error(self, dify_mocks):
+        """Test endpoint with authentication error."""
+        mock_auth_header = "Bearer invalid-token"
+        dify_api_base = "https://dify.example.com"
+        api_key = "test-api-key"
+
+        # Mock authentication failure
+        dify_mocks['get_current_user_id'].side_effect = Exception("Invalid token")
+
+        # Execute and Assert
+        with pytest.raises(HTTPException) as exc_info:
+            await fetch_dify_datasets_api(
+                dify_api_base=dify_api_base,
+                api_key=api_key,
+                authorization=mock_auth_header
+            )
+
+        assert exc_info.value.status_code == HTTPStatus.INTERNAL_SERVER_ERROR
+        assert "Failed to fetch Dify datasets" in str(exc_info.value.detail)
+        dify_mocks['logger'].error.assert_not_called()
+
+    @pytest.mark.asyncio
+    async def test_fetch_dify_datasets_api_service_validation_error(self, dify_mocks):
+        """Test endpoint with service layer validation error (ValueError)."""
+        mock_auth_header = "Bearer test-token"
+        dify_api_base = "https://dify.example.com"
+        api_key = ""
+
+        dify_mocks['get_current_user_id'].return_value = (
+            "test_user_id", "test_tenant_id"
+        )
+        dify_mocks['fetch_dify'].side_effect = ValueError("api_key is required")
+
+        with pytest.raises(HTTPException) as exc_info:
+            await fetch_dify_datasets_api(
+                dify_api_base=dify_api_base,
+                api_key=api_key,
+                authorization=mock_auth_header
+            )
+
+        assert exc_info.value.status_code == HTTPStatus.BAD_REQUEST
+        assert "api_key is required" in str(exc_info.value.detail)
+
+    @pytest.mark.asyncio
+    async def test_fetch_dify_datasets_api_service_error(self, dify_mocks):
+        """Test endpoint with general service layer error."""
+        mock_auth_header = "Bearer test-token"
+        dify_api_base = "https://dify.example.com"
+        api_key = "test-api-key"
+
+        dify_mocks['get_current_user_id'].return_value = (
+            "test_user_id", "test_tenant_id"
+        )
+        dify_mocks['fetch_dify'].side_effect = Exception("Dify API connection failed")
+
+        with pytest.raises(HTTPException) as exc_info:
+            await fetch_dify_datasets_api(
+                dify_api_base=dify_api_base,
+                api_key=api_key,
+                authorization=mock_auth_header
+            )
+
+        assert exc_info.value.status_code == HTTPStatus.INTERNAL_SERVER_ERROR
+        assert "Failed to fetch Dify datasets" in str(exc_info.value.detail)
+        assert "Dify API connection failed" in str(exc_info.value.detail)
+        dify_mocks['logger'].error.assert_called()
+
+    @pytest.mark.asyncio
+    async def test_fetch_dify_datasets_api_http_error_from_service(self, dify_mocks):
+        """Test endpoint when service raises HTTP-related exception."""
+        mock_auth_header = "Bearer test-token"
+        dify_api_base = "https://dify.example.com"
+        api_key = "test-api-key"
+
+        dify_mocks['get_current_user_id'].return_value = (
+            "test_user_id", "test_tenant_id"
+        )
+        # Simulate HTTP error from service
+        dify_mocks['fetch_dify'].side_effect = Exception("Dify API HTTP error: 404 Not Found")
+
+        with pytest.raises(HTTPException) as exc_info:
+            await fetch_dify_datasets_api(
+                dify_api_base=dify_api_base,
+                api_key=api_key,
+                authorization=mock_auth_header
+            )
+
+        assert exc_info.value.status_code == HTTPStatus.INTERNAL_SERVER_ERROR
+        assert "Failed to fetch Dify datasets" in str(exc_info.value.detail)
+
+    @pytest.mark.asyncio
+    async def test_fetch_dify_datasets_api_request_error_from_service(self, dify_mocks):
+        """Test endpoint when service raises request error."""
+        mock_auth_header = "Bearer test-token"
+        dify_api_base = "https://dify.example.com"
+        api_key = "test-api-key"
+
+        dify_mocks['get_current_user_id'].return_value = (
+            "test_user_id", "test_tenant_id"
+        )
+        # Simulate request error from service
+        dify_mocks['fetch_dify'].side_effect = Exception("Dify API request failed: Connection refused")
+
+        with pytest.raises(HTTPException) as exc_info:
+            await fetch_dify_datasets_api(
+                dify_api_base=dify_api_base,
+                api_key=api_key,
+                authorization=mock_auth_header
+            )
+
+        assert exc_info.value.status_code == HTTPStatus.INTERNAL_SERVER_ERROR
+        assert "Failed to fetch Dify datasets" in str(exc_info.value.detail)
+
+    @pytest.mark.asyncio
+    async def test_fetch_dify_datasets_api_none_auth_header(self, dify_mocks):
+        """Test endpoint with None authorization header (speed mode)."""
+        mock_auth_header = None
+        dify_api_base = "https://dify.example.com"
+        api_key = "test-api-key"
+
+        expected_result = {
+            "indices": ["ds-1"],
+            "count": 1,
+            "indices_info": [],
+            "pagination": {"embedding_available": False}
+        }
+
+        # Mock user and tenant ID for None auth
+        dify_mocks['get_current_user_id'].return_value = (
+            "default_user", "default_tenant"
+        )
+        dify_mocks['fetch_dify'].return_value = expected_result
+
+        result = await fetch_dify_datasets_api(
+            dify_api_base=dify_api_base,
+            api_key=api_key,
+            authorization=mock_auth_header
+        )
+
+        assert isinstance(result, JSONResponse)
+        assert result.status_code == HTTPStatus.OK
+
+        dify_mocks['get_current_user_id'].assert_called_once_with(None)
+
+    @pytest.mark.asyncio
+    async def test_fetch_dify_datasets_api_empty_result(self, dify_mocks):
+        """Test endpoint when Dify returns empty dataset list."""
+        mock_auth_header = "Bearer test-token"
+        dify_api_base = "https://dify.example.com"
+        api_key = "test-api-key"
+
+        expected_result = {
+            "indices": [],
+            "count": 0,
+            "indices_info": [],
+            "pagination": {"embedding_available": False}
+        }
+
+        dify_mocks['get_current_user_id'].return_value = (
+            "test_user_id", "test_tenant_id"
+        )
+        dify_mocks['fetch_dify'].return_value = expected_result
+
+        result = await fetch_dify_datasets_api(
+            dify_api_base=dify_api_base,
+            api_key=api_key,
+            authorization=mock_auth_header
+        )
+
+        assert isinstance(result, JSONResponse)
+        assert result.status_code == HTTPStatus.OK
+
+        import json
+        response_body = json.loads(result.body.decode())
+        assert response_body["count"] == 0
+        assert response_body["indices"] == []
+
+    @pytest.mark.asyncio
+    async def test_fetch_dify_datasets_api_response_structure(self, dify_mocks):
+        """Test that response contains all required DataMate-compatible fields."""
+        mock_auth_header = "Bearer test-token"
+        dify_api_base = "https://dify.example.com"
+        api_key = "test-api-key"
+
+        expected_result = {
+            "indices": ["ds-123"],
+            "count": 1,
+            "indices_info": [
+                {
+                    "name": "ds-123",
+                    "display_name": "My Dataset",
+                    "stats": {
+                        "base_info": {
+                            "doc_count": 50,
+                            "chunk_count": 500,
+                            "store_size": "1.5GB",
+                            "process_source": "Dify",
+                            "embedding_model": "text-embedding-ada-002",
+                            "embedding_dim": 1536,
+                            "creation_date": 1704067200000,
+                            "update_date": 1704153600000
+                        },
+                        "search_performance": {
+                            "total_search_count": 100,
+                            "hit_count": 85
+                        }
+                    }
+                }
+            ],
+            "pagination": {
+                "embedding_available": True
+            }
+        }
+
+        dify_mocks['get_current_user_id'].return_value = (
+            "test_user_id", "test_tenant_id"
+        )
+        dify_mocks['fetch_dify'].return_value = expected_result
+
+        result = await fetch_dify_datasets_api(
+            dify_api_base=dify_api_base,
+            api_key=api_key,
+            authorization=mock_auth_header
+        )
+
+        assert isinstance(result, JSONResponse)
+
+        import json
+        response_body = json.loads(result.body.decode())
+
+        # Verify all required top-level fields
+        assert "indices" in response_body
+        assert "count" in response_body
+        assert "indices_info" in response_body
+        assert "pagination" in response_body
+
+        # Verify indices_info structure
+        info = response_body["indices_info"][0]
+        assert "name" in info
+        assert "display_name" in info
+        assert "stats" in info
+
+        stats = info["stats"]
+        assert "base_info" in stats
+        assert "search_performance" in stats
+
+        base_info = stats["base_info"]
+        assert "doc_count" in base_info
+        assert "chunk_count" in base_info
+        assert "store_size" in base_info
+        assert "process_source" in base_info
+        assert "embedding_model" in base_info
+        assert "embedding_dim" in base_info
+        assert "creation_date" in base_info
+        assert "update_date" in base_info
+
+    @pytest.mark.asyncio
+    async def test_fetch_dify_datasets_api_logger_info_call(self, dify_mocks):
+        """Test that endpoint logs appropriately on success."""
+        mock_auth_header = "Bearer test-token"
+        dify_api_base = "https://dify.example.com"
+        api_key = "test-api-key"
+
+        expected_result = {
+            "indices": [],
+            "count": 0,
+            "indices_info": [],
+            "pagination": {"embedding_available": False}
+        }
+
+        dify_mocks['get_current_user_id'].return_value = (
+            "test_user_id", "test_tenant_id"
+        )
+        dify_mocks['fetch_dify'].return_value = expected_result
+
+        await fetch_dify_datasets_api(
+            dify_api_base=dify_api_base,
+            api_key=api_key,
+            authorization=mock_auth_header
+        )
+
+        # On success, logger.info should be called (service logs the fetch operation)
+        dify_mocks['fetch_dify'].assert_called_once()
+
+    @pytest.mark.asyncio
+    async def test_fetch_dify_datasets_api_logger_error_call(self, dify_mocks):
+        """Test that endpoint logs errors appropriately."""
+        mock_auth_header = "Bearer test-token"
+        dify_api_base = "https://dify.example.com"
+        api_key = "test-api-key"
+
+        dify_mocks['get_current_user_id'].return_value = (
+            "test_user_id", "test_tenant_id"
+        )
+        dify_mocks['fetch_dify'].side_effect = Exception("Connection timeout")
+
+        with pytest.raises(HTTPException):
+            await fetch_dify_datasets_api(
+                dify_api_base=dify_api_base,
+                api_key=api_key,
+                authorization=mock_auth_header
+            )
+
+        # Logger.error should be called for service errors
+        dify_mocks['logger'].error.assert_called()
+
+    @pytest.mark.asyncio
+    async def test_fetch_dify_datasets_api_special_characters_in_api_key(self, dify_mocks):
+        """Test endpoint handles special characters in API key."""
+        mock_auth_header = "Bearer test-token"
+        dify_api_base = "https://dify.example.com"
+        api_key = "sk-abc123xyz!@#$%^&*()"
+
+        expected_result = {
+            "indices": [],
+            "count": 0,
+            "indices_info": [],
+            "pagination": {"embedding_available": False}
+        }
+
+        dify_mocks['get_current_user_id'].return_value = (
+            "test_user_id", "test_tenant_id"
+        )
+        dify_mocks['fetch_dify'].return_value = expected_result
+
+        result = await fetch_dify_datasets_api(
+            dify_api_base=dify_api_base,
+            api_key=api_key,
+            authorization=mock_auth_header
+        )
+
+        # Verify the API key was passed through correctly
+        dify_mocks['fetch_dify'].assert_called_once_with(
+            dify_api_base="https://dify.example.com",
+            api_key=api_key
+        )
+
+        assert result.status_code == HTTPStatus.OK
+
+    @pytest.mark.asyncio
+    async def test_fetch_dify_datasets_api_different_api_base_formats(self, dify_mocks):
+        """Test endpoint handles different API base URL formats."""
+        mock_auth_header = "Bearer test-token"
+        api_key = "test-api-key"
+
+        test_cases = [
+            ("https://dify.example.com", "https://dify.example.com"),
+            ("https://dify.example.com/", "https://dify.example.com"),
+            ("http://localhost:8000", "http://localhost:8000"),
+            ("http://localhost:8000/", "http://localhost:8000"),
+        ]
+
+        for input_url, expected_url in test_cases:
+            dify_mocks['fetch_dify'].reset_mock()
+            dify_mocks['get_current_user_id'].return_value = (
+                "test_user_id", "test_tenant_id"
+            )
+            dify_mocks['fetch_dify'].return_value = {
+                "indices": [],
+                "count": 0,
+                "indices_info": [],
+                "pagination": {"embedding_available": False}
+            }
+
+            await fetch_dify_datasets_api(
+                dify_api_base=input_url,
+                api_key=api_key,
+                authorization=mock_auth_header
+            )
+
+            # Verify URL normalization
+            call_kwargs = dify_mocks['fetch_dify'].call_args[1]
+            assert call_kwargs['dify_api_base'] == expected_url
+
+
+class TestDifyAppRouter:
+    """Test class for Dify app router configuration."""
+
+    def test_router_prefix(self):
+        """Test that router has correct prefix."""
+        assert router.prefix == "/dify"
+
+    def test_router_has_datasets_endpoint(self):
+        """Test that router has the datasets endpoint registered."""
+        routes = [route.path for route in router.routes]
+        # Router prefix is /dify, and route is /datasets, so full path is /dify/datasets
+        assert "/dify/datasets" in routes
diff --git a/test/backend/app/test_invitation_app.py b/test/backend/app/test_invitation_app.py
index 553acdab1..7d8e15a66 100644
--- a/test/backend/app/test_invitation_app.py
+++ b/test/backend/app/test_invitation_app.py
@@ -25,7 +25,7 @@
 patch('elasticsearch.Elasticsearch', return_value=MagicMock()).start()
 
 # Import exception classes and models
-from consts.exceptions import NotFoundException, ValidationError, UnauthorizedError
+from consts.exceptions import NotFoundException, ValidationError, UnauthorizedError, DuplicateError
 from consts.model import (
     InvitationCreateRequest, InvitationUpdateRequest, InvitationListRequest
 )
@@ -283,6 +283,27 @@ def test_create_invitation_value_error(self):
             data = response.json()
             assert "Invalid code type" in data["detail"]
 
+    def test_create_invitation_duplicate_code(self):
+        """Test invitation creation with duplicate invitation code returns 409 Conflict"""
+        with patch('apps.invitation_app.get_current_user_id') as mock_get_user, \
+             patch('apps.invitation_app.create_invitation_code') as mock_create_invitation:
+
+            mock_get_user.return_value = ("user-123", "tenant-123")
+            mock_create_invitation.side_effect = DuplicateError("Invitation code 'ABC123' already exists")
+
+            request_data = {
+                "tenant_id": "tenant-123",
+                "code_type": "ADMIN_INVITE",
+                "invitation_code": "ABC123",
+                "capacity": 10
+            }
+
+            response = client.post("/invitations", json=request_data, headers={"Authorization": "Bearer token"})
+
+            assert response.status_code == HTTPStatus.CONFLICT
+            data = response.json()
+            assert "Invitation code 'ABC123' already exists" in data["detail"]
+
 
 class TestInvitationUpdate:
     """Test invitation update endpoint"""
@@ -417,6 +438,53 @@ def test_get_invitation_unexpected_error(self):
             assert data["detail"] == "Failed to retrieve invitation code"
 
 
+class TestInvitationCodeCheck:
+    """Test invitation code check endpoint"""
+
+    def test_check_invitation_code_exists(self):
+        """Test checking invitation code that exists"""
+        with patch('apps.invitation_app.get_invitation_by_code') as mock_get_invitation:
+            mock_get_invitation.return_value = {
+                "invitation_id": 1,
+                "invitation_code": "ABC123",
+                "code_type": "ADMIN_INVITE",
+                "status": "IN_USE"
+            }
+
+            response = client.get("/invitations/ABC123/check")
+
+            assert response.status_code == HTTPStatus.OK
+            data = response.json()
+            assert data["message"] == "Invitation code check completed"
+            assert data["data"]["invitation_code"] == "ABC123"
+            assert data["data"]["exists"] is True
+            mock_get_invitation.assert_called_once_with("ABC123")
+
+    def test_check_invitation_code_not_exists(self):
+        """Test checking invitation code that doesn't exist"""
+        with patch('apps.invitation_app.get_invitation_by_code') as mock_get_invitation:
+            mock_get_invitation.return_value = None
+
+            response = client.get("/invitations/NOTFOUND/check")
+
+            assert response.status_code == HTTPStatus.OK
+            data = response.json()
+            assert data["data"]["invitation_code"] == "NOTFOUND"
+            assert data["data"]["exists"] is False
+            mock_get_invitation.assert_called_once_with("NOTFOUND")
+
+    def test_check_invitation_code_unexpected_error(self):
+        """Test checking invitation code with unexpected error"""
+        with patch('apps.invitation_app.get_invitation_by_code') as mock_get_invitation:
+            mock_get_invitation.side_effect = Exception("Database error")
+
+            response = client.get("/invitations/ABC123/check")
+
+            assert response.status_code == HTTPStatus.INTERNAL_SERVER_ERROR
+            data = response.json()
+            assert data["detail"] == "Failed to check invitation code"
+
+
 class TestInvitationAvailability:
     """Test invitation availability check endpoint"""
 
diff --git a/test/backend/app/test_mock_user_management_app.py b/test/backend/app/test_mock_user_management_app.py
index 67813db12..1b2df22f3 100644
--- a/test/backend/app/test_mock_user_management_app.py
+++ b/test/backend/app/test_mock_user_management_app.py
@@ -1,5 +1,5 @@
 import pytest
-from unittest.mock import patch, MagicMock
+from unittest.mock import patch, MagicMock, AsyncMock
 import sys
 import os
 
@@ -472,5 +472,128 @@ def test_signin_email_reflection(self):
             assert data["data"]["user"]["email"] == email
 
 
+class TestGetCurrentUserInfo:
+    """Test get current user info endpoint"""
+
+    @patch('apps.mock_user_management_app.get_user_info', new_callable=AsyncMock)
+    def test_get_user_info_success(self, mock_get_user_info):
+        """Test successful user information retrieval"""
+        # Setup mock to return valid user info
+        mock_user_info = {
+            "user": {
+                "user_id": "user_id",
+                "group_ids": [1, 2, 3],
+                "tenant_id": "tenant_id",
+                "user_email": "mock@example.com",
+                "user_role": "admin",
+                "permissions": ["agent:create", "agent:read"],
+                "accessibleRoutes": ["chat", "agents"]
+            }
+        }
+        mock_get_user_info.return_value = mock_user_info
+
+        response = client.get(
+            "/user/current_user_info",
+            headers={"Authorization": "Bearer token"}
+        )
+
+        assert response.status_code == HTTPStatus.OK
+        data = response.json()
+        assert data["message"] == "Success"
+        assert data["data"] == mock_user_info
+        assert data["data"]["user"]["user_id"] == "user_id"
+        assert data["data"]["user"]["group_ids"] == [1, 2, 3]
+        assert data["data"]["user"]["tenant_id"] == "tenant_id"
+        mock_get_user_info.assert_called_once_with("user_id")
+
+    @patch('apps.mock_user_management_app.get_user_info', new_callable=AsyncMock)
+    def test_get_user_info_not_found(self, mock_get_user_info):
+        """Test user information not found (returns None)"""
+        # Setup mock to return None (user not found)
+        mock_get_user_info.return_value = None
+
+        response = client.get(
+            "/user/current_user_info",
+            headers={"Authorization": "Bearer token"}
+        )
+
+        assert response.status_code == HTTPStatus.UNAUTHORIZED
+        data = response.json()
+        assert "User not logged in or session invalid" in data["detail"]
+        mock_get_user_info.assert_called_once_with("user_id")
+
+    @patch('apps.mock_user_management_app.get_user_info', new_callable=AsyncMock)
+    def test_get_user_info_unauthorized_error(self, mock_get_user_info):
+        """Test UnauthorizedError exception handling"""
+        from consts.exceptions import UnauthorizedError
+        
+        # Setup mock to raise UnauthorizedError
+        mock_get_user_info.side_effect = UnauthorizedError("User information not found")
+
+        response = client.get(
+            "/user/current_user_info",
+            headers={"Authorization": "Bearer token"}
+        )
+
+        assert response.status_code == HTTPStatus.UNAUTHORIZED
+        data = response.json()
+        assert "User not logged in or session invalid" in data["detail"]
+        mock_get_user_info.assert_called_once_with("user_id")
+
+    @patch('apps.mock_user_management_app.get_user_info', new_callable=AsyncMock)
+    def test_get_user_info_general_exception(self, mock_get_user_info):
+        """Test general exception handling"""
+        # Setup mock to raise a general exception
+        mock_get_user_info.side_effect = Exception("Database connection error")
+
+        response = client.get(
+            "/user/current_user_info",
+            headers={"Authorization": "Bearer token"}
+        )
+
+        assert response.status_code == HTTPStatus.INTERNAL_SERVER_ERROR
+        data = response.json()
+        assert "Get user information failed" in data["detail"]
+        mock_get_user_info.assert_called_once_with("user_id")
+
+    @patch('apps.mock_user_management_app.get_user_info', new_callable=AsyncMock)
+    def test_get_user_info_response_structure(self, mock_get_user_info):
+        """Test complete response structure"""
+        mock_user_info = {
+            "user": {
+                "user_id": "user_id",
+                "group_ids": [],
+                "tenant_id": "tenant_id",
+                "user_email": "test@example.com",
+                "user_role": "user",
+                "permissions": [],
+                "accessibleRoutes": []
+            }
+        }
+        mock_get_user_info.return_value = mock_user_info
+
+        response = client.get(
+            "/user/current_user_info",
+            headers={"Authorization": "Bearer token"}
+        )
+
+        assert response.status_code == HTTPStatus.OK
+        data = response.json()
+        
+        # Verify complete structure
+        assert "message" in data
+        assert "data" in data
+        assert data["message"] == "Success"
+        
+        user_data = data["data"]["user"]
+        assert "user_id" in user_data
+        assert "group_ids" in user_data
+        assert "tenant_id" in user_data
+        assert "user_email" in user_data
+        assert "user_role" in user_data
+        assert "permissions" in user_data
+        assert "accessibleRoutes" in user_data
+
+
 if __name__ == "__main__":
     pytest.main([__file__, "-v", "--cov=apps.mock_user_management_app", "--cov-report=term-missing"]) 
\ No newline at end of file
diff --git a/test/backend/app/test_model_managment_app.py b/test/backend/app/test_model_managment_app.py
index 3994cd86a..20f3210e2 100644
--- a/test/backend/app/test_model_managment_app.py
+++ b/test/backend/app/test_model_managment_app.py
@@ -1,10 +1,10 @@
 import sys
 import os
 import pytest
+from unittest.mock import patch, MagicMock, ANY
 from fastapi.testclient import TestClient
 from fastapi import FastAPI
 from http import HTTPStatus
-from unittest.mock import patch, MagicMock
 
 # Add project root to sys.path so that the top-level `backend` package is importable
 PROJECT_ROOT = os.path.join(os.path.dirname(__file__), "../../..")
@@ -616,5 +616,794 @@ async def mock_batch_update(*args, **kwargs):
     mock_batch_update.assert_called_once_with(user_credentials[0], user_credentials[1], models)
 
 
+# Tests for /model/manage/list endpoint
+@pytest.mark.asyncio
+async def test_get_manage_model_list_success(client, auth_header, user_credentials, mocker):
+    """Test successful manage model list retrieval for a specified tenant."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def mock_list_models_for_admin(*args, **kwargs):
+        return {
+            "tenant_id": "target_tenant",
+            "tenant_name": "Target Tenant",
+            "models": [
+                {
+                    "model_id": "model1",
+                    "model_name": "huggingface/llama",
+                    "display_name": "LLaMA Model",
+                    "model_type": "llm",
+                    "connect_status": "operational"
+                },
+                {
+                    "model_id": "model2",
+                    "model_name": "openai/clip",
+                    "display_name": "CLIP Model",
+                    "model_type": "embedding",
+                    "connect_status": "not_detected"
+                }
+            ],
+            "total": 2,
+            "page": 1,
+            "page_size": 20,
+            "total_pages": 1
+        }
+
+    mock_list = mocker.patch('apps.model_managment_app.list_models_for_admin', side_effect=mock_list_models_for_admin)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "model_type": None,
+        "page": 1,
+        "page_size": 20
+    }
+    response = client.post("/model/manage/list", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.OK
+    data = response.json()
+    assert "Successfully retrieved model list" in data["message"]
+    assert data["data"]["tenant_id"] == "target_tenant"
+    assert data["data"]["tenant_name"] == "Target Tenant"
+    assert data["data"]["total"] == 2
+    assert data["data"]["page"] == 1
+    assert data["data"]["page_size"] == 20
+    assert data["data"]["total_pages"] == 1
+    assert len(data["data"]["models"]) == 2
+    assert data["data"]["models"][0]["model_name"] == "huggingface/llama"
+    assert data["data"]["models"][1]["model_name"] == "openai/clip"
+    mock_list.assert_called_once_with("target_tenant", None, 1, 20)
+
+
+@pytest.mark.asyncio
+async def test_get_manage_model_list_with_pagination(client, auth_header, user_credentials, mocker):
+    """Test manage model list retrieval with pagination parameters."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def mock_list_models_for_admin(*args, **kwargs):
+        return {
+            "tenant_id": "target_tenant",
+            "tenant_name": "Target Tenant",
+            "models": [
+                {
+                    "model_id": "model3",
+                    "model_name": "openai/gpt-3",
+                    "display_name": "GPT-3",
+                    "model_type": "llm",
+                    "connect_status": "operational"
+                }
+            ],
+            "total": 25,
+            "page": 2,
+            "page_size": 10,
+            "total_pages": 3
+        }
+
+    mock_list = mocker.patch('apps.model_managment_app.list_models_for_admin', side_effect=mock_list_models_for_admin)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "model_type": "llm",
+        "page": 2,
+        "page_size": 10
+    }
+    response = client.post("/model/manage/list", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.OK
+    data = response.json()
+    assert data["data"]["page"] == 2
+    assert data["data"]["page_size"] == 10
+    assert data["data"]["total"] == 25
+    assert data["data"]["total_pages"] == 3
+    assert len(data["data"]["models"]) == 1
+    mock_list.assert_called_once_with("target_tenant", "llm", 2, 10)
+
+
+@pytest.mark.asyncio
+async def test_get_manage_model_list_exception(client, auth_header, user_credentials, mocker):
+    """Test manage model list retrieval with exception."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def mock_list_models_for_admin(*args, **kwargs):
+        raise Exception("Database connection error")
+
+    mocker.patch('apps.model_managment_app.list_models_for_admin', side_effect=mock_list_models_for_admin)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "model_type": None,
+        "page": 1,
+        "page_size": 20
+    }
+    response = client.post("/model/manage/list", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.INTERNAL_SERVER_ERROR
+    data = response.json()
+    assert "Database connection error" in data.get("detail", "")
+
+
+@pytest.mark.asyncio
+async def test_get_manage_model_list_empty(client, auth_header, user_credentials, mocker):
+    """Test manage model list retrieval with empty result."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def mock_list_models_for_admin(*args, **kwargs):
+        return {
+            "tenant_id": "empty_tenant",
+            "tenant_name": "Empty Tenant",
+            "models": [],
+            "total": 0,
+            "page": 1,
+            "page_size": 20,
+            "total_pages": 0
+        }
+
+    mock_list = mocker.patch('apps.model_managment_app.list_models_for_admin', side_effect=mock_list_models_for_admin)
+
+    request_data = {
+        "tenant_id": "empty_tenant",
+        "model_type": None,
+        "page": 1,
+        "page_size": 20
+    }
+    response = client.post("/model/manage/list", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.OK
+    data = response.json()
+    assert "Successfully retrieved model list" in data["message"]
+    assert data["data"]["total"] == 0
+    assert len(data["data"]["models"]) == 0
+    mock_list.assert_called_once_with("empty_tenant", None, 1, 20)
+
+
+# Tests for /model/manage/create endpoint
+@pytest.mark.asyncio
+async def test_manage_create_model_success(client, auth_header, user_credentials, mocker):
+    """Test successful model creation for a specified tenant."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def _create(*args, **kwargs):
+        return None
+
+    mock_create = mocker.patch('apps.model_managment_app.create_model_for_tenant', side_effect=_create)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "model_repo": "",
+        "model_name": "huggingface/llama",
+        "model_type": "llm",
+        "base_url": "http://localhost:8000",
+        "api_key": "test_key",
+        "max_tokens": 4096,
+        "display_name": "LLaMA Model"
+    }
+    response = client.post("/model/manage/create", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.OK
+    data = response.json()
+    assert "Model created successfully" in data["message"]
+    assert data["data"]["tenant_id"] == "target_tenant"
+    # Verify the call was made with correct tenant_id and user_id
+    mock_create.assert_called_once_with(
+        user_credentials[0],
+        "target_tenant",
+        ANY  # The dict may contain additional optional fields like chunk settings
+    )
+
+
+@pytest.mark.asyncio
+async def test_manage_create_model_conflict(client, auth_header, user_credentials, mocker):
+    """Test model creation with conflict error."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def _create(*args, **kwargs):
+        raise ValueError("Model name already exists")
+
+    mocker.patch('apps.model_managment_app.create_model_for_tenant', side_effect=_create)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "model_name": "duplicate-model",
+        "model_type": "llm",
+        "base_url": "http://localhost:8000",
+        "api_key": "test_key"
+    }
+    response = client.post("/model/manage/create", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.CONFLICT
+    assert "Model name already exists" in response.json()["detail"]
+
+
+@pytest.mark.asyncio
+async def test_manage_create_model_exception(client, auth_header, user_credentials, mocker):
+    """Test model creation with unexpected exception."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def _create(*args, **kwargs):
+        raise Exception("Database error")
+
+    mocker.patch('apps.model_managment_app.create_model_for_tenant', side_effect=_create)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "model_name": "test-model",
+        "model_type": "llm",
+        "base_url": "http://localhost:8000",
+        "api_key": "test_key"
+    }
+    response = client.post("/model/manage/create", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.INTERNAL_SERVER_ERROR
+
+
+# Tests for /model/manage/update endpoint
+@pytest.mark.asyncio
+async def test_manage_update_model_success(client, auth_header, user_credentials, mocker):
+    """Test successful model update for a specified tenant."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def _update(*args, **kwargs):
+        return None
+
+    mock_update = mocker.patch('apps.model_managment_app.update_single_model_for_tenant', side_effect=_update)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "current_display_name": "Old Model Name",
+        "display_name": "New Model Name",
+        "base_url": "http://localhost:8000",
+        "api_key": "new_api_key",
+        "max_tokens": 8192
+    }
+    response = client.post("/model/manage/update", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.OK
+    data = response.json()
+    assert "Model updated successfully" in data["message"]
+    assert data["data"]["tenant_id"] == "target_tenant"
+    # Verify the call was made with correct tenant_id, user_id and model name
+    mock_update.assert_called_once_with(
+        user_credentials[0],
+        "target_tenant",
+        "Old Model Name",
+        ANY  # The dict may contain additional optional fields like chunk settings
+    )
+
+
+@pytest.mark.asyncio
+async def test_manage_update_model_not_found(client, auth_header, user_credentials, mocker):
+    """Test model update with not found error."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def _update(*args, **kwargs):
+        raise LookupError("Model not found")
+
+    mocker.patch('apps.model_managment_app.update_single_model_for_tenant', side_effect=_update)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "current_display_name": "nonexistent-model",
+        "display_name": "Updated Name"
+    }
+    response = client.post("/model/manage/update", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.NOT_FOUND
+
+
+@pytest.mark.asyncio
+async def test_manage_update_model_conflict(client, auth_header, user_credentials, mocker):
+    """Test model update with conflict error."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def _update(*args, **kwargs):
+        raise ValueError("Display name already exists")
+
+    mocker.patch('apps.model_managment_app.update_single_model_for_tenant', side_effect=_update)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "current_display_name": "test-model",
+        "display_name": "duplicate-name"
+    }
+    response = client.post("/model/manage/update", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.CONFLICT
+
+
+# Tests for /model/manage/delete endpoint
+@pytest.mark.asyncio
+async def test_manage_delete_model_success(client, auth_header, user_credentials, mocker):
+    """Test successful model deletion for a specified tenant."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def _delete(*args, **kwargs):
+        return "test-model"
+
+    mock_delete = mocker.patch('apps.model_managment_app.delete_model_for_tenant', side_effect=_delete)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "display_name": "test-model"
+    }
+    response = client.post("/model/manage/delete", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.OK
+    data = response.json()
+    assert "Model deleted successfully" in data["message"]
+    assert data["data"]["tenant_id"] == "target_tenant"
+    assert data["data"]["display_name"] == "test-model"
+    mock_delete.assert_called_once_with(user_credentials[0], "target_tenant", "test-model")
+
+
+@pytest.mark.asyncio
+async def test_manage_delete_model_not_found(client, auth_header, user_credentials, mocker):
+    """Test model deletion with not found error."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def _delete(*args, **kwargs):
+        raise LookupError("Model not found")
+
+    mocker.patch('apps.model_managment_app.delete_model_for_tenant', side_effect=_delete)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "display_name": "nonexistent-model"
+    }
+    response = client.post("/model/manage/delete", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.NOT_FOUND
+
+
+@pytest.mark.asyncio
+async def test_manage_delete_model_exception(client, auth_header, user_credentials, mocker):
+    """Test model deletion with unexpected exception."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def _delete(*args, **kwargs):
+        raise Exception("Database error")
+
+    mocker.patch('apps.model_managment_app.delete_model_for_tenant', side_effect=_delete)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "display_name": "test-model"
+    }
+    response = client.post("/model/manage/delete", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.INTERNAL_SERVER_ERROR
+
+
+# Tests for /model/manage/batch_create endpoint
+@pytest.mark.asyncio
+async def test_manage_batch_create_models_success(client, auth_header, user_credentials, mocker):
+    """Test successful batch model creation for a specified tenant."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def _batch_create(*args, **kwargs):
+        return None
+
+    mock_batch_create = mocker.patch('apps.model_managment_app.batch_create_models_for_tenant', side_effect=_batch_create)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "provider": "silicon",
+        "type": "llm",
+        "api_key": "test_api_key",
+        "models": [
+            {
+                "id": "silicon/llama-3-1-8b-instruct",
+                "object": "model",
+                "created": 1699900000,
+                "owned_by": "silicon",
+                "max_tokens": 4096
+            },
+            {
+                "id": "silicon/llama-3-1-70b-instruct",
+                "object": "model",
+                "created": 1699900001,
+                "owned_by": "silicon",
+                "max_tokens": 8192
+            }
+        ]
+    }
+    response = client.post("/model/manage/batch_create", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.OK
+    data = response.json()
+    assert "Batch create models successfully" in data["message"]
+    assert data["data"]["tenant_id"] == "target_tenant"
+    assert data["data"]["provider"] == "silicon"
+    assert data["data"]["type"] == "llm"
+    assert data["data"]["models_count"] == 2
+    mock_batch_create.assert_called_once_with(
+        user_credentials[0],
+        "target_tenant",
+        {
+            "tenant_id": "target_tenant",
+            "provider": "silicon",
+            "type": "llm",
+            "api_key": "test_api_key",
+            "models": [
+                {
+                    "id": "silicon/llama-3-1-8b-instruct",
+                    "object": "model",
+                    "created": 1699900000,
+                    "owned_by": "silicon",
+                    "max_tokens": 4096
+                },
+                {
+                    "id": "silicon/llama-3-1-70b-instruct",
+                    "object": "model",
+                    "created": 1699900001,
+                    "owned_by": "silicon",
+                    "max_tokens": 8192
+                }
+            ]
+        }
+    )
+
+
+@pytest.mark.asyncio
+async def test_manage_batch_create_models_empty_list(client, auth_header, user_credentials, mocker):
+    """Test batch model creation with empty models list."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def _batch_create(*args, **kwargs):
+        return None
+
+    mock_batch_create = mocker.patch('apps.model_managment_app.batch_create_models_for_tenant', side_effect=_batch_create)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "provider": "modelengine",
+        "type": "embedding",
+        "api_key": "",
+        "models": []
+    }
+    response = client.post("/model/manage/batch_create", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.OK
+    data = response.json()
+    assert "Batch create models successfully" in data["message"]
+    assert data["data"]["models_count"] == 0
+    mock_batch_create.assert_called_once()
+
+
+@pytest.mark.asyncio
+async def test_manage_batch_create_models_exception(client, auth_header, user_credentials, mocker):
+    """Test batch model creation with exception."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def _batch_create(*args, **kwargs):
+        raise Exception("Database connection error")
+
+    mocker.patch('apps.model_managment_app.batch_create_models_for_tenant', side_effect=_batch_create)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "provider": "silicon",
+        "type": "llm",
+        "api_key": "test_api_key",
+        "models": [
+            {"id": "silicon/test-model", "max_tokens": 4096}
+        ]
+    }
+    response = client.post("/model/manage/batch_create", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.INTERNAL_SERVER_ERROR
+
+
+# Tests for /model/manage/healthcheck endpoint
+@pytest.mark.asyncio
+async def test_manage_healthcheck_success(client, auth_header, user_credentials, mocker):
+    """Test successful model connectivity check for a specified tenant."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    mock_check = mocker.patch(
+        'apps.model_managment_app.check_model_connectivity',
+        return_value={"connectivity": True, "connect_status": "available"}
+    )
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "display_name": "test-model"
+    }
+    response = client.post("/model/manage/healthcheck", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.OK
+    data = response.json()
+    assert "Successfully checked model connectivity" in data["message"]
+    assert data["data"]["connectivity"] is True
+    mock_check.assert_called_once_with("test-model", "target_tenant")
+
+
+@pytest.mark.asyncio
+async def test_manage_healthcheck_model_not_found(client, auth_header, user_credentials, mocker):
+    """Test model connectivity check when model is not found."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    mocker.patch(
+        'apps.model_managment_app.check_model_connectivity',
+        side_effect=LookupError("Model configuration not found for test-model")
+    )
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "display_name": "nonexistent-model"
+    }
+    response = client.post("/model/manage/healthcheck", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.NOT_FOUND
+    assert "Model configuration not found" in response.json()["detail"]
+
+
+@pytest.mark.asyncio
+async def test_manage_healthcheck_invalid_config(client, auth_header, user_credentials, mocker):
+    """Test model connectivity check with invalid model configuration."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    mocker.patch(
+        'apps.model_managment_app.check_model_connectivity',
+        side_effect=ValueError("Invalid model configuration")
+    )
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "display_name": "test-model"
+    }
+    response = client.post("/model/manage/healthcheck", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.BAD_REQUEST
+    assert "Invalid model configuration" in response.json()["detail"]
+
+
+@pytest.mark.asyncio
+async def test_manage_healthcheck_exception(client, auth_header, user_credentials, mocker):
+    """Test model connectivity check with unexpected exception."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    mocker.patch(
+        'apps.model_managment_app.check_model_connectivity',
+        side_effect=Exception("Database connection error")
+    )
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "display_name": "test-model"
+    }
+    response = client.post("/model/manage/healthcheck", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.INTERNAL_SERVER_ERROR
+
+
+# Tests for /model/manage/provider/list endpoint
+@pytest.mark.asyncio
+async def test_manage_provider_list_success(client, auth_header, user_credentials, mocker):
+    """Test successful provider model list retrieval for a specified tenant."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def mock_list_provider_models(*args, **kwargs):
+        return [
+            {
+                "id": "silicon/llama-3-8b",
+                "model_repo": "silicon",
+                "model_name": "llama-3-8b",
+                "object": "model",
+                "created": 1699999999,
+                "owned_by": "silicon",
+                "max_tokens": 8192
+            },
+            {
+                "id": "silicon/llama-3-70b",
+                "model_repo": "silicon",
+                "model_name": "llama-3-70b",
+                "object": "model",
+                "created": 1699999999,
+                "owned_by": "silicon",
+                "max_tokens": 8192
+            }
+        ]
+
+    mock_list = mocker.patch('apps.model_managment_app.list_provider_models_for_tenant', side_effect=mock_list_provider_models)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "provider": "silicon",
+        "model_type": "llm"
+    }
+    response = client.post("/model/manage/provider/list", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.OK
+    data = response.json()
+    assert "Successfully retrieved provider model list" in data["message"]
+    assert len(data["data"]) == 2
+    mock_list.assert_called_once_with("target_tenant", "silicon", "llm")
+
+
+@pytest.mark.asyncio
+async def test_manage_provider_list_exception(client, auth_header, user_credentials, mocker):
+    """Test provider model list retrieval with exception."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def mock_list_provider_models(*args, **kwargs):
+        raise Exception("Provider API error")
+
+    mocker.patch('apps.model_managment_app.list_provider_models_for_tenant', side_effect=mock_list_provider_models)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "provider": "silicon",
+        "model_type": "llm"
+    }
+    response = client.post("/model/manage/provider/list", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.INTERNAL_SERVER_ERROR
+
+
+@pytest.mark.asyncio
+async def test_manage_provider_list_empty(client, auth_header, user_credentials, mocker):
+    """Test provider model list retrieval with empty result."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def mock_list_provider_models(*args, **kwargs):
+        return []
+
+    mock_list = mocker.patch('apps.model_managment_app.list_provider_models_for_tenant', side_effect=mock_list_provider_models)
+
+    request_data = {
+        "tenant_id": "empty_tenant",
+        "provider": "silicon",
+        "model_type": "embedding"
+    }
+    response = client.post("/model/manage/provider/list", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.OK
+    data = response.json()
+    assert len(data["data"]) == 0
+
+
+# Tests for /model/manage/provider/create endpoint
+@pytest.mark.asyncio
+async def test_manage_provider_create_success(client, auth_header, user_credentials, mocker):
+    """Test successful provider model creation for a specified tenant."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def mock_create_provider_models(*args, **kwargs):
+        return [
+            {
+                "id": "silicon/llama-3-8b",
+                "object": "model",
+                "created": 1699999999,
+                "owned_by": "silicon",
+                "max_tokens": 8192
+            },
+            {
+                "id": "silicon/llama-3-70b",
+                "object": "model",
+                "created": 1699999999,
+                "owned_by": "silicon",
+                "max_tokens": 8192
+            }
+        ]
+
+    mock_create = mocker.patch('apps.model_managment_app.create_provider_models_for_tenant', side_effect=mock_create_provider_models)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "provider": "silicon",
+        "model_type": "llm",
+        "api_key": "test_api_key",
+        "base_url": ""
+    }
+    response = client.post("/model/manage/provider/create", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.OK
+    data = response.json()
+    assert "Successfully created provider models" in data["message"]
+    assert len(data["data"]) == 2
+    mock_create.assert_called_once_with(
+        "target_tenant",
+        {"provider": "silicon", "model_type": "llm", "api_key": "test_api_key", "base_url": ""}
+    )
+
+
+@pytest.mark.asyncio
+async def test_manage_provider_create_with_base_url(client, auth_header, user_credentials, mocker):
+    """Test provider model creation with base URL for modelengine provider."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def mock_create_provider_models(*args, **kwargs):
+        return [
+            {
+                "id": "modelengine/gpt-4",
+                "object": "model",
+                "created": 1699999999,
+                "owned_by": "modelengine",
+                "max_tokens": 8192
+            }
+        ]
+
+    mock_create = mocker.patch('apps.model_managment_app.create_provider_models_for_tenant', side_effect=mock_create_provider_models)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "provider": "modelengine",
+        "model_type": "llm",
+        "api_key": "test_api_key",
+        "base_url": "https://api.modelengine.example.com"
+    }
+    response = client.post("/model/manage/provider/create", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.OK
+    mock_create.assert_called_once_with(
+        "target_tenant",
+        {"provider": "modelengine", "model_type": "llm", "api_key": "test_api_key", "base_url": "https://api.modelengine.example.com"}
+    )
+
+
+@pytest.mark.asyncio
+async def test_manage_provider_create_exception(client, auth_header, user_credentials, mocker):
+    """Test provider model creation with exception."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def mock_create_provider_models(*args, **kwargs):
+        raise Exception("Provider API error")
+
+    mocker.patch('apps.model_managment_app.create_provider_models_for_tenant', side_effect=mock_create_provider_models)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "provider": "silicon",
+        "model_type": "llm",
+        "api_key": "test_api_key",
+        "base_url": ""
+    }
+    response = client.post("/model/manage/provider/create", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.INTERNAL_SERVER_ERROR
+
+
+@pytest.mark.asyncio
+async def test_manage_provider_create_empty(client, auth_header, user_credentials, mocker):
+    """Test provider model creation with empty result."""
+    mocker.patch('apps.model_managment_app.get_current_user_id', return_value=user_credentials)
+
+    async def mock_create_provider_models(*args, **kwargs):
+        return []
+
+    mock_create = mocker.patch('apps.model_managment_app.create_provider_models_for_tenant', side_effect=mock_create_provider_models)
+
+    request_data = {
+        "tenant_id": "target_tenant",
+        "provider": "silicon",
+        "model_type": "embedding",
+        "api_key": "test_api_key",
+        "base_url": ""
+    }
+    response = client.post("/model/manage/provider/create", json=request_data, headers=auth_header)
+
+    assert response.status_code == HTTPStatus.OK
+    data = response.json()
+    assert len(data["data"]) == 0
+
+
 if __name__ == "__main__":
     pytest.main([__file__])
\ No newline at end of file
diff --git a/test/backend/app/test_remote_mcp_app.py b/test/backend/app/test_remote_mcp_app.py
index b36dd33e3..fe249f100 100644
--- a/test/backend/app/test_remote_mcp_app.py
+++ b/test/backend/app/test_remote_mcp_app.py
@@ -137,11 +137,11 @@ def test_get_tools_general_failure(self, mock_get_tools):
 class TestAddRemoteProxies:
     """Test endpoint for adding remote MCP servers"""
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.add_remote_mcp_server_list')
-    def test_add_remote_proxy_success(self, mock_add_server, mock_get_user_id):
+    def test_add_remote_proxy_success(self, mock_add_server, mock_get_user_info):
         """Test successful addition of remote MCP proxy"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_add_server.return_value = None  # No exception means success
 
         response = client.post(
@@ -156,7 +156,7 @@ def test_add_remote_proxy_success(self, mock_add_server, mock_get_user_id):
         assert data["status"] == "success"
         assert "Successfully added remote MCP proxy" in data["message"]
 
-        mock_get_user_id.assert_called_once_with("Bearer test_token")
+        mock_get_user_info.assert_called_once()
         mock_add_server.assert_called_once_with(
             tenant_id="tenant456",
             user_id="user123",
@@ -165,11 +165,41 @@ def test_add_remote_proxy_success(self, mock_add_server, mock_get_user_id):
             container_id=None,
         )
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.add_remote_mcp_server_list')
-    def test_add_remote_proxy_name_exists(self, mock_add_server, mock_get_user_id):
+    def test_add_remote_proxy_with_tenant_id_param(self, mock_add_server, mock_get_user_info):
+        """Test adding remote MCP proxy with explicit tenant_id parameter"""
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
+        mock_add_server.return_value = None
+
+        response = client.post(
+            "/mcp/add",
+            params={
+                "mcp_url": "http://test.com",
+                "service_name": "test_service",
+                "tenant_id": "explicit_tenant789"
+            },
+            headers={"Authorization": "Bearer test_token"}
+        )
+
+        assert response.status_code == HTTPStatus.OK
+        data = response.json()
+        assert data["status"] == "success"
+
+        # Verify that explicit tenant_id is used instead of auth tenant_id
+        mock_add_server.assert_called_once_with(
+            tenant_id="explicit_tenant789",  # Should use explicit tenant_id
+            user_id="user123",
+            remote_mcp_server="http://test.com",
+            remote_mcp_server_name="test_service",
+            container_id=None,
+        )
+
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    @patch('apps.remote_mcp_app.add_remote_mcp_server_list')
+    def test_add_remote_proxy_name_exists(self, mock_add_server, mock_get_user_info):
         """Test adding MCP server with existing name"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_add_server.side_effect = MCPNameIllegal("MCP name already exists")
 
         response = client.post(
@@ -183,11 +213,11 @@ def test_add_remote_proxy_name_exists(self, mock_add_server, mock_get_user_id):
         data = response.json()
         assert "MCP name already exists" in data["detail"]
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.add_remote_mcp_server_list')
-    def test_add_remote_proxy_connection_failed(self, mock_add_server, mock_get_user_id):
+    def test_add_remote_proxy_connection_failed(self, mock_add_server, mock_get_user_info):
         """Test MCP connection failure"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_add_server.side_effect = MCPConnectionError(
             "MCP connection failed")
 
@@ -202,13 +232,13 @@ def test_add_remote_proxy_connection_failed(self, mock_add_server, mock_get_user
         data = response.json()
         assert "MCP connection failed" in data["detail"]
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.add_remote_mcp_server_list')
-    def test_add_remote_proxy_database_error(self, mock_add_server, mock_get_user_id):
+    def test_add_remote_proxy_database_error(self, mock_add_server, mock_get_user_info):
         """Test database error - should be handled as general exception"""
         from sqlalchemy.exc import SQLAlchemyError
 
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_add_server.side_effect = SQLAlchemyError("Database error")
 
         response = client.post(
@@ -226,11 +256,11 @@ def test_add_remote_proxy_database_error(self, mock_add_server, mock_get_user_id
 class TestDeleteRemoteProxies:
     """Test endpoint for deleting remote MCP servers"""
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.delete_remote_mcp_server_list')
-    def test_delete_remote_proxy_success(self, mock_delete_server, mock_get_user_id):
+    def test_delete_remote_proxy_success(self, mock_delete_server, mock_get_user_info):
         """Test successful deletion of remote MCP proxy"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_delete_server.return_value = None  # No exception means success
 
         response = client.delete(
@@ -245,7 +275,7 @@ def test_delete_remote_proxy_success(self, mock_delete_server, mock_get_user_id)
         assert data["status"] == "success"
         assert "Successfully deleted remote MCP proxy" in data["message"]
 
-        mock_get_user_id.assert_called_once_with("Bearer test_token")
+        mock_get_user_info.assert_called_once()
         mock_delete_server.assert_called_once_with(
             tenant_id="tenant456",
             user_id="user123",
@@ -253,13 +283,39 @@ def test_delete_remote_proxy_success(self, mock_delete_server, mock_get_user_id)
             remote_mcp_server_name="test_service"
         )
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.delete_remote_mcp_server_list')
-    def test_delete_remote_proxy_database_error(self, mock_delete_server, mock_get_user_id):
+    def test_delete_remote_proxy_with_tenant_id_param(self, mock_delete_server, mock_get_user_info):
+        """Test deleting remote MCP proxy with explicit tenant_id parameter"""
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
+        mock_delete_server.return_value = None
+
+        response = client.delete(
+            "/mcp/",
+            params={
+                "service_name": "test_service",
+                "mcp_url": "http://test.com",
+                "tenant_id": "explicit_tenant789"
+            },
+            headers={"Authorization": "Bearer test_token"}
+        )
+
+        assert response.status_code == HTTPStatus.OK
+        # Verify that explicit tenant_id is used
+        mock_delete_server.assert_called_once_with(
+            tenant_id="explicit_tenant789",
+            user_id="user123",
+            remote_mcp_server="http://test.com",
+            remote_mcp_server_name="test_service"
+        )
+
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    @patch('apps.remote_mcp_app.delete_remote_mcp_server_list')
+    def test_delete_remote_proxy_database_error(self, mock_delete_server, mock_get_user_info):
         """Test database error during deletion - should be handled as general exception"""
         from sqlalchemy.exc import SQLAlchemyError
 
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_delete_server.side_effect = SQLAlchemyError("Database error")
 
         response = client.delete(
@@ -277,21 +333,23 @@ def test_delete_remote_proxy_database_error(self, mock_delete_server, mock_get_u
 class TestGetRemoteProxies:
     """Test endpoint for getting remote MCP server list"""
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.get_remote_mcp_server_list')
-    def test_get_remote_proxies_success(self, mock_get_list, mock_get_user_id):
+    def test_get_remote_proxies_success(self, mock_get_list, mock_get_user_info):
         """Test successful retrieval of remote MCP proxy list"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_server_list = [
             {
                 "remote_mcp_server_name": "server1",
                 "remote_mcp_server": "http://server1.com",
-                "status": True
+                "status": True,
+                "permission": "EDIT",
             },
             {
                 "remote_mcp_server_name": "server2",
                 "remote_mcp_server": "http://server2.com",
-                "status": False
+                "status": False,
+                "permission": "READ_ONLY",
             }
         ]
         mock_get_list.return_value = mock_server_list
@@ -306,15 +364,34 @@ def test_get_remote_proxies_success(self, mock_get_list, mock_get_user_id):
         assert "remote_mcp_server_list" in data
         assert len(data["remote_mcp_server_list"]) == 2
         assert data["status"] == "success"
+        assert data["remote_mcp_server_list"][0]["permission"] == "EDIT"
+        assert data["remote_mcp_server_list"][1]["permission"] == "READ_ONLY"
+
+        mock_get_user_info.assert_called_once()
+        mock_get_list.assert_called_once_with(tenant_id="tenant456", user_id="user123")
+
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    @patch('apps.remote_mcp_app.get_remote_mcp_server_list')
+    def test_get_remote_proxies_with_tenant_id_param(self, mock_get_list, mock_get_user_info):
+        """Test getting remote MCP proxy list with explicit tenant_id parameter"""
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
+        mock_get_list.return_value = []
+
+        response = client.get(
+            "/mcp/list",
+            params={"tenant_id": "explicit_tenant789"},
+            headers={"Authorization": "Bearer test_token"}
+        )
 
-        mock_get_user_id.assert_called_once_with("Bearer test_token")
-        mock_get_list.assert_called_once_with(tenant_id="tenant456")
+        assert response.status_code == HTTPStatus.OK
+        # Verify that explicit tenant_id is used
+        mock_get_list.assert_called_once_with(tenant_id="explicit_tenant789", user_id="user123")
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.get_remote_mcp_server_list')
-    def test_get_remote_proxies_error(self, mock_get_list, mock_get_user_id):
+    def test_get_remote_proxies_error(self, mock_get_list, mock_get_user_info):
         """Test error when getting list"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_get_list.side_effect = Exception("Database connection failed")
 
         response = client.get(
@@ -330,11 +407,11 @@ def test_get_remote_proxies_error(self, mock_get_list, mock_get_user_id):
 class TestCheckMCPHealth:
     """Test MCP health check endpoint"""
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.check_mcp_health_and_update_db')
-    def test_check_mcp_health_success(self, mock_health_check, mock_get_user_id):
+    def test_check_mcp_health_success(self, mock_health_check, mock_get_user_info):
         """Test successful health check"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_health_check.return_value = None  # No exception means success
 
         response = client.get(
@@ -348,16 +425,39 @@ def test_check_mcp_health_success(self, mock_health_check, mock_get_user_id):
         data = response.json()
         assert data["status"] == "success"
 
-        mock_get_user_id.assert_called_once_with("Bearer test_token")
+        mock_get_user_info.assert_called_once()
         mock_health_check.assert_called_once_with(
             "http://test.com", "test_service", "tenant456", "user123"
         )
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    @patch('apps.remote_mcp_app.check_mcp_health_and_update_db')
+    def test_check_mcp_health_with_tenant_id_param(self, mock_health_check, mock_get_user_info):
+        """Test health check with explicit tenant_id parameter"""
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
+        mock_health_check.return_value = None
+
+        response = client.get(
+            "/mcp/healthcheck",
+            params={
+                "mcp_url": "http://test.com",
+                "service_name": "test_service",
+                "tenant_id": "explicit_tenant789"
+            },
+            headers={"Authorization": "Bearer test_token"}
+        )
+
+        assert response.status_code == HTTPStatus.OK
+        # Verify that explicit tenant_id is used
+        mock_health_check.assert_called_once_with(
+            "http://test.com", "test_service", "explicit_tenant789", "user123"
+        )
+
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.check_mcp_health_and_update_db')
-    def test_check_mcp_health_connection_error(self, mock_health_check, mock_get_user_id):
+    def test_check_mcp_health_connection_error(self, mock_health_check, mock_get_user_info):
         """Test MCP connection error during health check"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_health_check.side_effect = MCPConnectionError(
             "MCP connection failed")
 
@@ -372,18 +472,18 @@ def test_check_mcp_health_connection_error(self, mock_health_check, mock_get_use
         data = response.json()
         assert "MCP connection failed" in data["detail"]
 
-        mock_get_user_id.assert_called_once_with("Bearer test_token")
+        mock_get_user_info.assert_called_once()
         mock_health_check.assert_called_once_with(
             "http://unreachable.com", "test_service", "tenant456", "user123"
         )
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.check_mcp_health_and_update_db')
-    def test_check_mcp_health_database_error(self, mock_health_check, mock_get_user_id):
+    def test_check_mcp_health_database_error(self, mock_health_check, mock_get_user_info):
         """Test database error during health check - should be handled as general exception"""
         from sqlalchemy.exc import SQLAlchemyError
 
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_health_check.side_effect = SQLAlchemyError("Database error")
 
         response = client.get(
@@ -401,13 +501,13 @@ def test_check_mcp_health_database_error(self, mock_health_check, mock_get_user_
 class TestIntegration:
     """Integration tests"""
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.add_remote_mcp_server_list')
     @patch('apps.remote_mcp_app.get_remote_mcp_server_list')
     @patch('apps.remote_mcp_app.delete_remote_mcp_server_list')
-    def test_full_lifecycle(self, mock_delete, mock_get_list, mock_add, mock_get_user_id):
+    def test_full_lifecycle(self, mock_delete, mock_get_list, mock_add, mock_get_user_info):
         """Test complete MCP server lifecycle"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         # 1. Add server
         mock_add.return_value = None
@@ -423,7 +523,8 @@ def test_full_lifecycle(self, mock_delete, mock_get_list, mock_add, mock_get_use
         mock_get_list.return_value = [
             {"remote_mcp_server_name": "test_service",
              "remote_mcp_server": "http://test.com",
-             "status": True}
+             "status": True,
+             "permission": "EDIT"}
         ]
         list_response = client.get(
             "/mcp/list",
@@ -432,6 +533,7 @@ def test_full_lifecycle(self, mock_delete, mock_get_list, mock_add, mock_get_use
         assert list_response.status_code == HTTPStatus.OK
         data = list_response.json()
         assert len(data["remote_mcp_server_list"]) == 1
+        assert data["remote_mcp_server_list"][0]["permission"] == "EDIT"
 
         # 3. Delete server
         mock_delete.return_value = None
@@ -447,11 +549,11 @@ def test_full_lifecycle(self, mock_delete, mock_get_list, mock_add, mock_get_use
 class TestErrorHandling:
     """Error handling tests"""
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.get_remote_mcp_server_list')
-    def test_authorization_header_handling(self, mock_get_list, mock_get_user_id):
+    def test_authorization_header_handling(self, mock_get_list, mock_get_user_info):
         """Test authorization header handling"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_get_list.return_value = []  # Mock empty list
 
         # Test case without Authorization header
@@ -462,11 +564,11 @@ def test_authorization_header_handling(self, mock_get_list, mock_get_user_id):
         assert data["status"] == "success"
         assert "remote_mcp_server_list" in data
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.add_remote_mcp_server_list')
-    def test_unexpected_error_handling(self, mock_add_server, mock_get_user_id):
+    def test_unexpected_error_handling(self, mock_add_server, mock_get_user_info):
         """Test unexpected error handling"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_add_server.side_effect = Exception("Unexpected error")
 
         response = client.post(
@@ -490,11 +592,11 @@ def test_missing_parameters(self):
         response = client.post("/mcp/add")
         assert response.status_code == HTTPStatus.UNPROCESSABLE_ENTITY
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.add_remote_mcp_server_list')
-    def test_invalid_url_format(self, mock_add_server, mock_get_user_id):
+    def test_invalid_url_format(self, mock_add_server, mock_get_user_info):
         """Test invalid URL format with valid authentication"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_add_server.side_effect = MCPConnectionError("Invalid URL format")
 
         response = client.post(
@@ -514,13 +616,13 @@ def test_invalid_url_format(self, mock_add_server, mock_get_user_id):
 class TestAddMCPFromConfig:
     """Test endpoint for adding MCP servers from configuration"""
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
     @patch('apps.remote_mcp_app.add_remote_mcp_server_list')
     @patch('apps.remote_mcp_app.check_mcp_name_exists', return_value=False)
-    def test_add_mcp_from_config_success(self, mock_check_name, mock_add_server, mock_container_manager_class, mock_get_user_id):
+    def test_add_mcp_from_config_success(self, mock_check_name, mock_add_server, mock_container_manager_class, mock_get_user_info):
         """Test successful addition of MCP server from config"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         # Mock container manager
         mock_container_manager = MagicMock()
@@ -557,13 +659,62 @@ def test_add_mcp_from_config_success(self, mock_check_name, mock_add_server, moc
         assert data["results"][0]["service_name"] == "test-service"
         assert data["results"][0]["status"] == "success"
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
     @patch('apps.remote_mcp_app.add_remote_mcp_server_list')
     @patch('apps.remote_mcp_app.check_mcp_name_exists', return_value=False)
-    def test_add_mcp_from_config_multiple_servers(self, mock_check_name, mock_add_server, mock_container_manager_class, mock_get_user_id):
+    def test_add_mcp_from_config_with_tenant_id_param(self, mock_check_name, mock_add_server, mock_container_manager_class, mock_get_user_info):
+        """Test adding MCP server from config with explicit tenant_id parameter"""
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
+
+        # Mock container manager
+        mock_container_manager = MagicMock()
+        mock_container_manager_class.return_value = mock_container_manager
+        mock_container_manager.start_mcp_container = AsyncMock(return_value={
+            "container_id": "container-123",
+            "mcp_url": "http://localhost:5020/mcp",
+            "host_port": "5020",
+            "status": "started",
+            "container_name": "test-service-user1234"
+        })
+
+        mock_add_server.return_value = None
+
+        response = client.post(
+            "/mcp/add-from-config",
+            params={"tenant_id": "explicit_tenant789"},
+            json={
+                "mcpServers": {
+                    "test-service": {
+                        "command": "npx",
+                        "args": ["-y", "test-mcp"],
+                        "env": {"NODE_ENV": "production"},
+                        "port": 5020
+                    }
+                }
+            },
+            headers={"Authorization": "Bearer test_token"}
+        )
+
+        assert response.status_code == HTTPStatus.OK
+        data = response.json()
+        assert data["status"] == "success"
+        # Verify that explicit tenant_id is used
+        mock_check_name.assert_called_once_with(mcp_name="test-service", tenant_id="explicit_tenant789")
+        mock_container_manager.start_mcp_container.assert_called_once()
+        call_kwargs = mock_container_manager.start_mcp_container.call_args[1]
+        assert call_kwargs["tenant_id"] == "explicit_tenant789"
+        mock_add_server.assert_called_once()
+        add_call_kwargs = mock_add_server.call_args[1]
+        assert add_call_kwargs["tenant_id"] == "explicit_tenant789"
+
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    @patch('apps.remote_mcp_app.MCPContainerManager')
+    @patch('apps.remote_mcp_app.add_remote_mcp_server_list')
+    @patch('apps.remote_mcp_app.check_mcp_name_exists', return_value=False)
+    def test_add_mcp_from_config_multiple_servers(self, mock_check_name, mock_add_server, mock_container_manager_class, mock_get_user_info):
         """Test adding multiple MCP servers from config"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_container_manager = MagicMock()
         mock_container_manager_class.return_value = mock_container_manager
@@ -610,12 +761,12 @@ def test_add_mcp_from_config_multiple_servers(self, mock_check_name, mock_add_se
         assert data["status"] == "success"
         assert len(data["results"]) == 2
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
     @patch('apps.remote_mcp_app.check_mcp_name_exists', return_value=False)
-    def test_add_mcp_from_config_missing_command(self, mock_check_name, mock_container_manager_class, mock_get_user_id):
+    def test_add_mcp_from_config_missing_command(self, mock_check_name, mock_container_manager_class, mock_get_user_info):
         """Test adding MCP server with missing command"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_container_manager = MagicMock()
         mock_container_manager_class.return_value = mock_container_manager
@@ -637,12 +788,12 @@ def test_add_mcp_from_config_missing_command(self, mock_check_name, mock_contain
         data = response.json()
         assert "command" in str(data["detail"]).lower()
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
     @patch('apps.remote_mcp_app.check_mcp_name_exists', return_value=False)
-    def test_add_mcp_from_config_empty_command(self, mock_check_name, mock_container_manager_class, mock_get_user_id):
+    def test_add_mcp_from_config_empty_command(self, mock_check_name, mock_container_manager_class, mock_get_user_info):
         """Test adding MCP server with empty command string (covers line 189-191)"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_container_manager = MagicMock()
         mock_container_manager_class.return_value = mock_container_manager
@@ -666,12 +817,12 @@ def test_add_mcp_from_config_empty_command(self, mock_check_name, mock_container
         assert "All MCP servers failed" in data["detail"]
         assert "command is required" in data["detail"]
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
     @patch('apps.remote_mcp_app.check_mcp_name_exists', return_value=False)
-    def test_add_mcp_from_config_missing_port(self, mock_check_name, mock_container_manager_class, mock_get_user_id):
+    def test_add_mcp_from_config_missing_port(self, mock_check_name, mock_container_manager_class, mock_get_user_info):
         """Test adding MCP server with missing port"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_container_manager = MagicMock()
         mock_container_manager_class.return_value = mock_container_manager
@@ -694,12 +845,12 @@ def test_add_mcp_from_config_missing_port(self, mock_check_name, mock_container_
         assert "port is required" in data["detail"]
 
     @patch('apps.remote_mcp_app.check_mcp_name_exists')
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
     @patch('apps.remote_mcp_app.add_remote_mcp_server_list')
-    def test_add_mcp_from_config_name_exists(self, mock_add_server, mock_container_manager_class, mock_get_user_id, mock_check_name):
+    def test_add_mcp_from_config_name_exists(self, mock_add_server, mock_container_manager_class, mock_get_user_info, mock_check_name):
         """Test adding MCP server when name already exists"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_check_name.return_value = True  # Name already exists
 
         mock_container_manager = MagicMock()
@@ -727,12 +878,12 @@ def test_add_mcp_from_config_name_exists(self, mock_add_server, mock_container_m
         mock_container_manager.start_mcp_container.assert_not_called()
 
     @patch('apps.remote_mcp_app.check_mcp_name_exists')
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
     @patch('apps.remote_mcp_app.add_remote_mcp_server_list')
-    def test_add_mcp_from_config_name_exists_early_check(self, mock_add_server, mock_container_manager_class, mock_get_user_id, mock_check_name):
+    def test_add_mcp_from_config_name_exists_early_check(self, mock_add_server, mock_container_manager_class, mock_get_user_info, mock_check_name):
         """Test adding MCP server when name exists (checked before starting container)"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_check_name.return_value = True  # Name already exists
 
         mock_container_manager = MagicMock()
@@ -759,14 +910,14 @@ def test_add_mcp_from_config_name_exists_early_check(self, mock_add_server, mock
         # Container should not be started when name already exists
         mock_container_manager.start_mcp_container.assert_not_called()
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
     @patch('apps.remote_mcp_app.check_mcp_name_exists', return_value=False)
-    def test_add_mcp_from_config_container_error(self, mock_check_name, mock_container_manager_class, mock_get_user_id):
+    def test_add_mcp_from_config_container_error(self, mock_check_name, mock_container_manager_class, mock_get_user_info):
         """Test adding MCP server when container startup fails"""
         from consts.exceptions import MCPContainerError
 
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_container_manager = MagicMock()
         mock_container_manager_class.return_value = mock_container_manager
@@ -792,12 +943,12 @@ def test_add_mcp_from_config_container_error(self, mock_check_name, mock_contain
         assert "All MCP servers failed" in data["detail"]
         assert "Container failed" in data["detail"]
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
     @patch('apps.remote_mcp_app.check_mcp_name_exists', return_value=False)
-    def test_add_mcp_from_config_unexpected_error_in_loop(self, mock_check_name, mock_container_manager_class, mock_get_user_id):
+    def test_add_mcp_from_config_unexpected_error_in_loop(self, mock_check_name, mock_container_manager_class, mock_get_user_info):
         """Test adding MCP server when unexpected exception occurs in loop (covers line 253-255)"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_container_manager = MagicMock()
         mock_container_manager_class.return_value = mock_container_manager
@@ -824,14 +975,14 @@ def test_add_mcp_from_config_unexpected_error_in_loop(self, mock_check_name, moc
         assert "All MCP servers failed" in data["detail"]
         assert "Unexpected error" in data["detail"]
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
     @patch('apps.remote_mcp_app.check_mcp_name_exists', return_value=False)
-    def test_add_mcp_from_config_all_fail(self, mock_check_name, mock_container_manager_class, mock_get_user_id):
+    def test_add_mcp_from_config_all_fail(self, mock_check_name, mock_container_manager_class, mock_get_user_info):
         """Test adding MCP servers when all fail"""
         from consts.exceptions import MCPContainerError
 
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_container_manager = MagicMock()
         mock_container_manager_class.return_value = mock_container_manager
@@ -856,14 +1007,14 @@ def test_add_mcp_from_config_all_fail(self, mock_check_name, mock_container_mana
         data = response.json()
         assert "All MCP servers failed" in data["detail"]
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
     @patch('apps.remote_mcp_app.check_mcp_name_exists', return_value=False)
-    def test_add_mcp_from_config_docker_unavailable(self, mock_check_name, mock_container_manager_class, mock_get_user_id):
+    def test_add_mcp_from_config_docker_unavailable(self, mock_check_name, mock_container_manager_class, mock_get_user_info):
         """Test adding MCP server when Docker is unavailable"""
         from consts.exceptions import MCPContainerError
 
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_container_manager_class.side_effect = MCPContainerError(
             "Docker unavailable")
 
@@ -885,13 +1036,13 @@ def test_add_mcp_from_config_docker_unavailable(self, mock_check_name, mock_cont
         data = response.json()
         assert "Docker service unavailable" in data["detail"]
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
     @patch('apps.remote_mcp_app.add_remote_mcp_server_list')
     @patch('apps.remote_mcp_app.check_mcp_name_exists', return_value=False)
-    def test_add_mcp_from_config_with_custom_image(self, mock_check_name, mock_add_server, mock_container_manager_class, mock_get_user_id):
+    def test_add_mcp_from_config_with_custom_image(self, mock_check_name, mock_add_server, mock_container_manager_class, mock_get_user_info):
         """Test adding MCP server with custom Docker image"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_container_manager = MagicMock()
         mock_container_manager_class.return_value = mock_container_manager
@@ -926,12 +1077,12 @@ def test_add_mcp_from_config_with_custom_image(self, mock_check_name, mock_add_s
         call_kwargs = mock_container_manager.start_mcp_container.call_args[1]
         assert call_kwargs["image"] == "custom-image:latest"
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.check_mcp_name_exists', return_value=False)
-    def test_add_mcp_from_config_outer_exception(self, mock_check_name, mock_get_user_id):
+    def test_add_mcp_from_config_outer_exception(self, mock_check_name, mock_get_user_info):
         """Test adding MCP server when exception occurs outside loop (covers line 275-277)"""
-        # Make get_current_user_id raise an exception to trigger outer exception handler
-        mock_get_user_id.side_effect = RuntimeError("Failed to get user ID")
+        # Make get_current_user_info raise an exception to trigger outer exception handler
+        mock_get_user_info.side_effect = RuntimeError("Failed to get user ID")
 
         response = client.post(
             "/mcp/add-from-config",
@@ -960,12 +1111,12 @@ def test_add_mcp_from_config_outer_exception(self, mock_check_name, mock_get_use
 class TestStopMCPContainer:
     """Test endpoint for stopping MCP container"""
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.delete_mcp_by_container_id')
     @patch('apps.remote_mcp_app.MCPContainerManager')
-    def test_stop_mcp_container_success(self, mock_container_manager_class, mock_delete_mcp, mock_get_user_id):
+    def test_stop_mcp_container_success(self, mock_container_manager_class, mock_delete_mcp, mock_get_user_info):
         """Test successful stopping of MCP container"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_container_manager = MagicMock()
         mock_container_manager_class.return_value = mock_container_manager
@@ -989,11 +1140,11 @@ def test_stop_mcp_container_success(self, mock_container_manager_class, mock_del
             container_id="container-123",
         )
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
-    def test_stop_mcp_container_not_found(self, mock_container_manager_class, mock_get_user_id):
+    def test_stop_mcp_container_not_found(self, mock_container_manager_class, mock_get_user_info):
         """Test stopping non-existent container"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_container_manager = MagicMock()
         mock_container_manager_class.return_value = mock_container_manager
@@ -1010,13 +1161,13 @@ def test_stop_mcp_container_not_found(self, mock_container_manager_class, mock_g
         assert data["status"] == "error"
         assert "not found" in data["message"]
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
-    def test_stop_mcp_container_docker_unavailable(self, mock_container_manager_class, mock_get_user_id):
+    def test_stop_mcp_container_docker_unavailable(self, mock_container_manager_class, mock_get_user_info):
         """Test stopping container when Docker is unavailable"""
         from consts.exceptions import MCPContainerError
 
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_container_manager_class.side_effect = MCPContainerError(
             "Docker unavailable")
 
@@ -1029,11 +1180,11 @@ def test_stop_mcp_container_docker_unavailable(self, mock_container_manager_clas
         data = response.json()
         assert "Docker service unavailable" in data["detail"]
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
-    def test_stop_mcp_container_exception(self, mock_container_manager_class, mock_get_user_id):
+    def test_stop_mcp_container_exception(self, mock_container_manager_class, mock_get_user_info):
         """Test stopping container when exception occurs"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_container_manager = MagicMock()
         mock_container_manager_class.return_value = mock_container_manager
@@ -1058,16 +1209,17 @@ def test_stop_mcp_container_exception(self, mock_container_manager_class, mock_g
 class TestListMCPContainers:
     """Test endpoint for listing MCP containers"""
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
+    @patch('apps.remote_mcp_app.attach_mcp_container_permissions')
     @patch('apps.remote_mcp_app.get_remote_mcp_server_list', return_value=[])
-    def test_list_mcp_containers_success(self, mock_get_list, mock_container_manager_class, mock_get_user_id):
+    def test_list_mcp_containers_success(self, mock_get_list, mock_attach_perm, mock_container_manager_class, mock_get_user_info):
         """Test successful listing of MCP containers"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_container_manager = MagicMock()
         mock_container_manager_class.return_value = mock_container_manager
-        mock_container_manager.list_mcp_containers.return_value = [
+        raw_containers = [
             {
                 "container_id": "container-1",
                 "name": "service1-user1234",
@@ -1083,6 +1235,11 @@ def test_list_mcp_containers_success(self, mock_get_list, mock_container_manager
                 "host_port": "5021"
             }
         ]
+        mock_container_manager.list_mcp_containers.return_value = raw_containers
+        mock_attach_perm.return_value = [
+            {**raw_containers[0], "permission": "EDIT"},
+            {**raw_containers[1], "permission": "READ_ONLY"},
+        ]
 
         response = client.get(
             "/mcp/containers",
@@ -1093,15 +1250,52 @@ def test_list_mcp_containers_success(self, mock_get_list, mock_container_manager
         data = response.json()
         assert data["status"] == "success"
         assert len(data["containers"]) == 2
+        assert data["containers"][0]["permission"] == "EDIT"
+        assert data["containers"][1]["permission"] == "READ_ONLY"
         mock_container_manager.list_mcp_containers.assert_called_once_with(
             tenant_id="tenant456")
+        mock_attach_perm.assert_called_once_with(
+            containers=raw_containers,
+            tenant_id="tenant456",
+            user_id="user123",
+        )
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
+    @patch('apps.remote_mcp_app.attach_mcp_container_permissions')
     @patch('apps.remote_mcp_app.get_remote_mcp_server_list', return_value=[])
-    def test_list_mcp_containers_empty(self, mock_get_list, mock_container_manager_class, mock_get_user_id):
+    def test_list_mcp_containers_with_tenant_id_param(self, mock_get_list, mock_attach_perm, mock_container_manager_class, mock_get_user_info):
+        """Test listing MCP containers with explicit tenant_id parameter"""
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
+
+        mock_container_manager = MagicMock()
+        mock_container_manager_class.return_value = mock_container_manager
+        mock_container_manager.list_mcp_containers.return_value = []
+        mock_attach_perm.return_value = []
+
+        response = client.get(
+            "/mcp/containers",
+            params={"tenant_id": "explicit_tenant789"},
+            headers={"Authorization": "Bearer test_token"}
+        )
+
+        assert response.status_code == HTTPStatus.OK
+        # Verify that explicit tenant_id is used
+        mock_container_manager.list_mcp_containers.assert_called_once_with(
+            tenant_id="explicit_tenant789")
+        mock_attach_perm.assert_called_once_with(
+            containers=[],
+            tenant_id="explicit_tenant789",
+            user_id="user123",
+        )
+
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    @patch('apps.remote_mcp_app.MCPContainerManager')
+    @patch('apps.remote_mcp_app.attach_mcp_container_permissions', return_value=[])
+    @patch('apps.remote_mcp_app.get_remote_mcp_server_list', return_value=[])
+    def test_list_mcp_containers_empty(self, mock_get_list, mock_attach_perm, mock_container_manager_class, mock_get_user_info):
         """Test listing containers when none exist"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_container_manager = MagicMock()
         mock_container_manager_class.return_value = mock_container_manager
@@ -1116,15 +1310,20 @@ def test_list_mcp_containers_empty(self, mock_get_list, mock_container_manager_c
         data = response.json()
         assert data["status"] == "success"
         assert len(data["containers"]) == 0
+        mock_attach_perm.assert_called_once_with(
+            containers=[],
+            tenant_id="tenant456",
+            user_id="user123",
+        )
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
     @patch('apps.remote_mcp_app.get_remote_mcp_server_list', return_value=[])
-    def test_list_mcp_containers_docker_unavailable(self, mock_get_list, mock_container_manager_class, mock_get_user_id):
+    def test_list_mcp_containers_docker_unavailable(self, mock_get_list, mock_container_manager_class, mock_get_user_info):
         """Test listing containers when Docker is unavailable"""
         from consts.exceptions import MCPContainerError
 
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_container_manager_class.side_effect = MCPContainerError(
             "Docker unavailable")
 
@@ -1137,12 +1336,12 @@ def test_list_mcp_containers_docker_unavailable(self, mock_get_list, mock_contai
         data = response.json()
         assert "Docker service unavailable" in data["detail"]
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
     @patch('apps.remote_mcp_app.get_remote_mcp_server_list', side_effect=Exception("Unexpected error"))
-    def test_list_mcp_containers_exception(self, mock_get_list, mock_container_manager_class, mock_get_user_id):
+    def test_list_mcp_containers_exception(self, mock_get_list, mock_container_manager_class, mock_get_user_info):
         """Test listing containers when exception occurs"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_container_manager = MagicMock()
         mock_container_manager_class.return_value = mock_container_manager
@@ -1168,10 +1367,10 @@ class TestUploadMCPImageValidation:
     """Test endpoint for uploading MCP image and starting container"""
 
     @patch('apps.remote_mcp_app.upload_and_start_mcp_image')
-    @patch('apps.remote_mcp_app.get_current_user_id')
-    def test_upload_mcp_image_success(self, mock_get_user_id, mock_upload_service):
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    def test_upload_mcp_image_success(self, mock_get_user_info, mock_upload_service):
         """Test successful upload and start of MCP image"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_upload_service.return_value = {
             "message": "MCP container started successfully from uploaded image",
@@ -1206,7 +1405,7 @@ def test_upload_mcp_image_success(self, mock_get_user_id, mock_upload_service):
         assert data["mcp_url"] == "http://localhost:5020/mcp"
         assert data["container_id"] == "container-123"
 
-        mock_get_user_id.assert_called_once_with("Bearer test_token")
+        mock_get_user_info.assert_called_once()
         mock_upload_service.assert_called_once_with(
             tenant_id="tenant456",
             user_id="user123",
@@ -1217,10 +1416,51 @@ def test_upload_mcp_image_success(self, mock_get_user_id, mock_upload_service):
             env_vars='{"NODE_ENV": "production"}'
         )
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
-    def test_upload_mcp_image_invalid_file_type(self, mock_get_user_id):
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    @patch('apps.remote_mcp_app.upload_and_start_mcp_image')
+    def test_upload_mcp_image_with_tenant_id_param(self, mock_upload_service, mock_get_user_info):
+        """Test upload MCP image with explicit tenant_id parameter"""
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
+        mock_upload_service.return_value = {
+            "message": "MCP container started successfully from uploaded image",
+            "status": "success",
+            "service_name": "test-service",
+            "mcp_url": "http://localhost:5020/mcp",
+            "container_id": "container-123",
+            "container_name": "test-image-user1234",
+            "host_port": "5020"
+        }
+
+        file_content = b"fake tar content"
+        response = client.post(
+            "/mcp/upload-image",
+            data={
+                "port": 5020,
+                "service_name": "test-service",
+                "tenant_id": "explicit_tenant789",
+                "env_vars": '{"NODE_ENV": "production"}'
+            },
+            files={"file": ("test-image.tar", file_content,
+                            "application/octet-stream")},
+            headers={"Authorization": "Bearer test_token"}
+        )
+
+        assert response.status_code == HTTPStatus.OK
+        # Verify that explicit tenant_id is used
+        mock_upload_service.assert_called_once_with(
+            tenant_id="explicit_tenant789",
+            user_id="user123",
+            file_content=file_content,
+            filename="test-image.tar",
+            port=5020,
+            service_name="test-service",
+            env_vars='{"NODE_ENV": "production"}'
+        )
+
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    def test_upload_mcp_image_invalid_file_type(self, mock_get_user_info):
         """Test upload with invalid file type"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         response = client.post(
             "/mcp/upload-image",
@@ -1233,10 +1473,10 @@ def test_upload_mcp_image_invalid_file_type(self, mock_get_user_id):
         data = response.json()
         assert "Only .tar files are allowed" in data["detail"]
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
-    def test_upload_mcp_image_file_too_large(self, mock_get_user_id):
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    def test_upload_mcp_image_file_too_large(self, mock_get_user_info):
         """Test upload with file exceeding size limit"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         # Create a large file content (over 1GB) - use smaller size for test
         large_content = b"x" * (1024 * 1024 * 1024 + 1)
@@ -1254,10 +1494,10 @@ def test_upload_mcp_image_file_too_large(self, mock_get_user_id):
         assert "File size exceeds 1GB limit" in data["detail"]
 
     @patch('apps.remote_mcp_app.upload_and_start_mcp_image')
-    @patch('apps.remote_mcp_app.get_current_user_id')
-    def test_upload_mcp_image_auto_service_name(self, mock_get_user_id, mock_upload_service):
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    def test_upload_mcp_image_auto_service_name(self, mock_get_user_info, mock_upload_service):
         """Test upload with auto-generated service name"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_upload_service.return_value = {
             "message": "MCP container started successfully from uploaded image",
@@ -1284,12 +1524,12 @@ def test_upload_mcp_image_auto_service_name(self, mock_get_user_id, mock_upload_
         # Should use filename without extension
         assert data["service_name"] == "my-image"
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
     @patch('apps.remote_mcp_app.check_mcp_name_exists', return_value=False)
-    def test_upload_mcp_image_invalid_env_vars_json(self, mock_check_name, mock_container_manager_class, mock_get_user_id):
+    def test_upload_mcp_image_invalid_env_vars_json(self, mock_check_name, mock_container_manager_class, mock_get_user_info):
         """Test upload with invalid JSON in env_vars"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_container_manager = MagicMock()
         mock_container_manager_class.return_value = mock_container_manager
@@ -1312,10 +1552,10 @@ def test_upload_mcp_image_invalid_env_vars_json(self, mock_check_name, mock_cont
         assert "Invalid environment variables format" in data["detail"]
 
     @patch('apps.remote_mcp_app.upload_and_start_mcp_image')
-    @patch('apps.remote_mcp_app.get_current_user_id')
-    def test_upload_mcp_image_name_conflict(self, mock_get_user_id, mock_upload_service):
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    def test_upload_mcp_image_name_conflict(self, mock_get_user_info, mock_upload_service):
         """Test upload when MCP service name already exists"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         # Service layer raises MCPNameIllegal for name conflict
         mock_upload_service.side_effect = MCPNameIllegal(
@@ -1336,10 +1576,10 @@ def test_upload_mcp_image_name_conflict(self, mock_get_user_id, mock_upload_serv
         assert "MCP service name already exists" in data["detail"]
 
     @patch('apps.remote_mcp_app.upload_and_start_mcp_image')
-    @patch('apps.remote_mcp_app.get_current_user_id')
-    def test_upload_mcp_image_container_error(self, mock_get_user_id, mock_upload_service):
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    def test_upload_mcp_image_container_error(self, mock_get_user_info, mock_upload_service):
         """Test upload when container startup fails"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         # Service layer raises MCPContainerError
         mock_upload_service.side_effect = MCPContainerError("Container failed")
@@ -1359,10 +1599,10 @@ def test_upload_mcp_image_container_error(self, mock_get_user_id, mock_upload_se
         assert "Container failed" in data["detail"]
 
     @patch('apps.remote_mcp_app.upload_and_start_mcp_image')
-    @patch('apps.remote_mcp_app.get_current_user_id')
-    def test_upload_mcp_image_docker_unavailable(self, mock_get_user_id, mock_upload_service):
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    def test_upload_mcp_image_docker_unavailable(self, mock_get_user_info, mock_upload_service):
         """Test upload when Docker service is unavailable"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         # Service layer raises MCPContainerError for Docker unavailable
         mock_upload_service.side_effect = MCPContainerError(
@@ -1391,11 +1631,11 @@ def test_upload_mcp_image_docker_unavailable(self, mock_get_user_id, mock_upload
 class TestGetContainerLogs:
     """Test endpoint for getting container logs"""
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
-    def test_get_container_logs_success(self, mock_container_manager_class, mock_get_user_id):
+    def test_get_container_logs_success(self, mock_container_manager_class, mock_get_user_info):
         """Test successful retrieval of container logs"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_container_manager = MagicMock()
         mock_container_manager_class.return_value = mock_container_manager
@@ -1413,11 +1653,11 @@ def test_get_container_logs_success(self, mock_container_manager_class, mock_get
         mock_container_manager.get_container_logs.assert_called_once_with(
             "container-123", tail=100)
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
-    def test_get_container_logs_custom_tail(self, mock_container_manager_class, mock_get_user_id):
+    def test_get_container_logs_custom_tail(self, mock_container_manager_class, mock_get_user_info):
         """Test getting container logs with custom tail"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_container_manager = MagicMock()
         mock_container_manager_class.return_value = mock_container_manager
@@ -1432,13 +1672,13 @@ def test_get_container_logs_custom_tail(self, mock_container_manager_class, mock
         mock_container_manager.get_container_logs.assert_called_once_with(
             "container-123", tail=50)
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
-    def test_get_container_logs_docker_unavailable(self, mock_container_manager_class, mock_get_user_id):
+    def test_get_container_logs_docker_unavailable(self, mock_container_manager_class, mock_get_user_info):
         """Test getting logs when Docker is unavailable"""
         from consts.exceptions import MCPContainerError
 
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_container_manager_class.side_effect = MCPContainerError(
             "Docker unavailable")
 
@@ -1451,11 +1691,11 @@ def test_get_container_logs_docker_unavailable(self, mock_container_manager_clas
         data = response.json()
         assert "Docker service unavailable" in data["detail"]
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.MCPContainerManager')
-    def test_get_container_logs_exception(self, mock_container_manager_class, mock_get_user_id):
+    def test_get_container_logs_exception(self, mock_container_manager_class, mock_get_user_info):
         """Test getting logs when exception occurs"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_container_manager = MagicMock()
         mock_container_manager_class.return_value = mock_container_manager
@@ -1481,10 +1721,10 @@ class TestUploadMCPImageWithServiceLayer:
     """Test upload_mcp_image endpoint using the new service layer approach"""
 
     @patch('apps.remote_mcp_app.upload_and_start_mcp_image')
-    @patch('apps.remote_mcp_app.get_current_user_id')
-    def test_upload_mcp_image_success_service_layer(self, mock_get_user_id, mock_upload_service):
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    def test_upload_mcp_image_success_service_layer(self, mock_get_user_info, mock_upload_service):
         """Test successful upload using service layer"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_upload_service.return_value = {
             "message": "MCP container started successfully from uploaded image",
@@ -1527,10 +1767,10 @@ def test_upload_mcp_image_success_service_layer(self, mock_get_user_id, mock_upl
         )
 
     @patch('apps.remote_mcp_app.upload_and_start_mcp_image')
-    @patch('apps.remote_mcp_app.get_current_user_id')
-    def test_upload_mcp_image_auto_service_name(self, mock_get_user_id, mock_upload_service):
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    def test_upload_mcp_image_auto_service_name(self, mock_get_user_info, mock_upload_service):
         """Test upload with auto-generated service name"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         mock_upload_service.return_value = {
             "message": "MCP container started successfully from uploaded image",
@@ -1565,10 +1805,10 @@ def test_upload_mcp_image_auto_service_name(self, mock_get_user_id, mock_upload_
         )
 
     @patch('apps.remote_mcp_app.upload_and_start_mcp_image')
-    @patch('apps.remote_mcp_app.get_current_user_id')
-    def test_upload_mcp_image_validation_error_from_service(self, mock_get_user_id, mock_upload_service):
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    def test_upload_mcp_image_validation_error_from_service(self, mock_get_user_info, mock_upload_service):
         """Test validation error from service layer"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         # Service layer raises ValueError for invalid file type
         mock_upload_service.side_effect = ValueError(
@@ -1588,10 +1828,10 @@ def test_upload_mcp_image_validation_error_from_service(self, mock_get_user_id,
         assert "Only .tar files are allowed" in data["detail"]
 
     @patch('apps.remote_mcp_app.upload_and_start_mcp_image')
-    @patch('apps.remote_mcp_app.get_current_user_id')
-    def test_upload_mcp_image_name_conflict(self, mock_get_user_id, mock_upload_service):
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    def test_upload_mcp_image_name_conflict(self, mock_get_user_info, mock_upload_service):
         """Test MCP service name conflict"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         # Service layer raises MCPNameIllegal for name conflict
         mock_upload_service.side_effect = MCPNameIllegal(
@@ -1611,10 +1851,10 @@ def test_upload_mcp_image_name_conflict(self, mock_get_user_id, mock_upload_serv
         assert "MCP service name already exists" in data["detail"]
 
     @patch('apps.remote_mcp_app.upload_and_start_mcp_image')
-    @patch('apps.remote_mcp_app.get_current_user_id')
-    def test_upload_mcp_image_container_error(self, mock_get_user_id, mock_upload_service):
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    def test_upload_mcp_image_container_error(self, mock_get_user_info, mock_upload_service):
         """Test container startup error"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         # Service layer raises MCPContainerError
         mock_upload_service.side_effect = MCPContainerError("Container failed")
@@ -1633,10 +1873,10 @@ def test_upload_mcp_image_container_error(self, mock_get_user_id, mock_upload_se
         assert "Container failed" in data["detail"]
 
     @patch('apps.remote_mcp_app.upload_and_start_mcp_image')
-    @patch('apps.remote_mcp_app.get_current_user_id')
-    def test_upload_mcp_image_docker_unavailable(self, mock_get_user_id, mock_upload_service):
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    def test_upload_mcp_image_docker_unavailable(self, mock_get_user_info, mock_upload_service):
         """Test Docker service unavailable"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         # Service layer raises MCPContainerError for Docker unavailable
         mock_upload_service.side_effect = MCPContainerError(
@@ -1656,10 +1896,10 @@ def test_upload_mcp_image_docker_unavailable(self, mock_get_user_id, mock_upload
         assert "Docker unavailable" in data["detail"]
 
     @patch('apps.remote_mcp_app.upload_and_start_mcp_image')
-    @patch('apps.remote_mcp_app.get_current_user_id')
-    def test_upload_mcp_image_general_exception(self, mock_get_user_id, mock_upload_service):
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    def test_upload_mcp_image_general_exception(self, mock_get_user_info, mock_upload_service):
         """Test general exception handling"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         # Service layer raises unexpected exception
         mock_upload_service.side_effect = Exception("Unexpected error")
@@ -1718,10 +1958,10 @@ def test_upload_mcp_image_invalid_port_range_fastapi_validation(self):
         assert "port" in str(data["detail"]).lower()
 
     @patch('apps.remote_mcp_app.upload_and_start_mcp_image')
-    @patch('apps.remote_mcp_app.get_current_user_id')
-    def test_upload_mcp_image_env_vars_validation_in_service(self, mock_get_user_id, mock_upload_service):
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    def test_upload_mcp_image_env_vars_validation_in_service(self, mock_get_user_info, mock_upload_service):
         """Test environment variables validation now handled in service layer"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
 
         # Test with array instead of object - now handled in service layer
         mock_upload_service.side_effect = ValueError(
@@ -1757,11 +1997,11 @@ def __init__(self, current_service_name, current_mcp_url, new_service_name, new_
 class TestUpdateRemoteProxy:
     """Test endpoint for updating remote MCP servers"""
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.update_remote_mcp_server_list')
-    def test_update_remote_proxy_success(self, mock_update_server, mock_get_user_id):
+    def test_update_remote_proxy_success(self, mock_update_server, mock_get_user_info):
         """Test successful update of remote MCP proxy"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_update_server.return_value = None  # No exception means success
 
         update_data = MockMCPUpdateRequest(
@@ -1787,7 +2027,7 @@ def test_update_remote_proxy_success(self, mock_update_server, mock_get_user_id)
         assert data["status"] == "success"
         assert "Successfully updated remote MCP proxy" in data["message"]
 
-        mock_get_user_id.assert_called_once_with("Bearer test_token")
+        mock_get_user_info.assert_called_once()
         # Verify the service was called with correct tenant_id and user_id
         # The update_data parameter is automatically parsed by FastAPI from the JSON request
         mock_update_server.assert_called_once()
@@ -1798,11 +2038,37 @@ def test_update_remote_proxy_success(self, mock_update_server, mock_get_user_id)
         assert "update_data" in call_kwargs
         assert call_kwargs["update_data"] is not None
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
+    @patch('apps.remote_mcp_app.update_remote_mcp_server_list')
+    def test_update_remote_proxy_with_tenant_id_param(self, mock_update_server, mock_get_user_info):
+        """Test updating remote MCP proxy with explicit tenant_id parameter"""
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
+        mock_update_server.return_value = None
+
+        response = client.put(
+            "/mcp/update",
+            params={"tenant_id": "explicit_tenant789"},
+            json={
+                "current_service_name": "old_service",
+                "current_mcp_url": "http://old.url",
+                "new_service_name": "new_service",
+                "new_mcp_url": "http://new.url"
+            },
+            headers={"Authorization": "Bearer test_token"}
+        )
+
+        assert response.status_code == HTTPStatus.OK
+        # Verify that explicit tenant_id is used
+        mock_update_server.assert_called_once()
+        call_kwargs = mock_update_server.call_args[1]
+        assert call_kwargs["tenant_id"] == "explicit_tenant789"
+        assert call_kwargs["user_id"] == "user123"
+
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.update_remote_mcp_server_list')
-    def test_update_remote_proxy_name_conflict(self, mock_update_server, mock_get_user_id):
+    def test_update_remote_proxy_name_conflict(self, mock_update_server, mock_get_user_info):
         """Test update MCP proxy with name conflict"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_update_server.side_effect = MCPNameIllegal(
             "New MCP name already exists")
 
@@ -1821,11 +2087,11 @@ def test_update_remote_proxy_name_conflict(self, mock_update_server, mock_get_us
         data = response.json()
         assert "New MCP name already exists" in data["detail"]
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.update_remote_mcp_server_list')
-    def test_update_remote_proxy_connection_failed(self, mock_update_server, mock_get_user_id):
+    def test_update_remote_proxy_connection_failed(self, mock_update_server, mock_get_user_info):
         """Test update MCP proxy with connection failure"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_update_server.side_effect = MCPConnectionError(
             "New MCP server connection failed")
 
@@ -1844,11 +2110,11 @@ def test_update_remote_proxy_connection_failed(self, mock_update_server, mock_ge
         data = response.json()
         assert "New MCP server connection failed" in data["detail"]
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.update_remote_mcp_server_list')
-    def test_update_remote_proxy_current_name_not_exist(self, mock_update_server, mock_get_user_id):
+    def test_update_remote_proxy_current_name_not_exist(self, mock_update_server, mock_get_user_info):
         """Test update MCP proxy when current name doesn't exist"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_update_server.side_effect = MCPNameIllegal(
             "MCP name does not exist")
 
@@ -1867,13 +2133,13 @@ def test_update_remote_proxy_current_name_not_exist(self, mock_update_server, mo
         data = response.json()
         assert "MCP name does not exist" in data["detail"]
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.update_remote_mcp_server_list')
-    def test_update_remote_proxy_database_error(self, mock_update_server, mock_get_user_id):
+    def test_update_remote_proxy_database_error(self, mock_update_server, mock_get_user_info):
         """Test update MCP proxy with database error"""
         from sqlalchemy.exc import SQLAlchemyError
 
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_update_server.side_effect = SQLAlchemyError(
             "Database connection failed")
 
@@ -1892,11 +2158,11 @@ def test_update_remote_proxy_database_error(self, mock_update_server, mock_get_u
         data = response.json()
         assert "Failed to update remote MCP proxy" in data["detail"]
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.update_remote_mcp_server_list')
-    def test_update_remote_proxy_same_name_and_url(self, mock_update_server, mock_get_user_id):
+    def test_update_remote_proxy_same_name_and_url(self, mock_update_server, mock_get_user_info):
         """Test update MCP proxy with same name and URL (no-op update)"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_update_server.return_value = None
 
         response = client.put(
@@ -1928,11 +2194,11 @@ def test_update_remote_proxy_invalid_request_data(self):
 
         assert response.status_code == HTTPStatus.UNPROCESSABLE_ENTITY
 
-    @patch('apps.remote_mcp_app.get_current_user_id')
+    @patch('apps.remote_mcp_app.get_current_user_info')
     @patch('apps.remote_mcp_app.update_remote_mcp_server_list')
-    def test_update_remote_proxy_with_special_characters(self, mock_update_server, mock_get_user_id):
+    def test_update_remote_proxy_with_special_characters(self, mock_update_server, mock_get_user_info):
         """Test update MCP proxy with special characters in names and URLs"""
-        mock_get_user_id.return_value = ("user123", "tenant456")
+        mock_get_user_info.return_value = ("user123", "tenant456", "en")
         mock_update_server.return_value = None
 
         response = client.put(
diff --git a/test/backend/app/test_tenant_config_app.py b/test/backend/app/test_tenant_config_app.py
index d79e71295..b9eab6199 100644
--- a/test/backend/app/test_tenant_config_app.py
+++ b/test/backend/app/test_tenant_config_app.py
@@ -114,209 +114,6 @@ def setUp(self):
         ]
         self.mock_update_knowledge.return_value = True
 
-    def test_load_knowledge_list_success(self):
-        """Test successful loading of knowledge list"""
-        response = self.client.get(
-            "/tenant_config/load_knowledge_list",
-            headers={"authorization": "Bearer test-token"}
-        )
-
-        self.assertEqual(response.status_code, HTTPStatus.OK)
-        data = response.json()
-        self.assertEqual(data["status"], "success")
-        self.assertIn("content", data)
-
-        content = data["content"]
-        self.assertEqual(content["selectedKbNames"], ["kb1", "kb2"])
-        self.assertEqual(content["selectedKbModels"], [
-                         "embedding-model-1", "embedding-model-2"])
-        self.assertEqual(content["selectedKbSources"], [
-                         ["source1", "source2"], ["source3"]])
-
-    def test_load_knowledge_list_auth_error(self):
-        """Test knowledge list loading with authentication error"""
-        self.mock_get_user_id.side_effect = Exception("Authentication failed")
-
-        response = self.client.get(
-            "/tenant_config/load_knowledge_list",
-            headers={"authorization": "Bearer invalid-token"}
-        )
-
-        self.assertEqual(response.status_code,
-                         HTTPStatus.INTERNAL_SERVER_ERROR)
-        data = response.json()
-        self.assertIn("Failed to load configuration", data["detail"])
-
-    def test_load_knowledge_list_service_error(self):
-        """Test knowledge list loading with service error"""
-        self.mock_get_knowledge_list.side_effect = Exception("Database error")
-
-        response = self.client.get(
-            "/tenant_config/load_knowledge_list",
-            headers={"authorization": "Bearer test-token"}
-        )
-
-        self.assertEqual(response.status_code,
-                         HTTPStatus.INTERNAL_SERVER_ERROR)
-        data = response.json()
-        self.assertIn("Failed to load configuration", data["detail"])
-
-    def test_load_knowledge_list_empty(self):
-        """Test loading empty knowledge list"""
-        self.mock_get_knowledge_list.return_value = []
-
-        response = self.client.get(
-            "/tenant_config/load_knowledge_list",
-            headers={"authorization": "Bearer test-token"}
-        )
-
-        self.assertEqual(response.status_code, HTTPStatus.OK)
-        data = response.json()
-        self.assertEqual(data["status"], "success")
-
-        content = data["content"]
-        self.assertEqual(content["selectedKbNames"], [])
-        self.assertEqual(content["selectedKbModels"], [])
-        self.assertEqual(content["selectedKbSources"], [])
-
-    def test_load_knowledge_list_missing_model_name(self):
-        """Test loading knowledge list with missing model_name field"""
-        # This should cause a KeyError when trying to access model_name
-        self.mock_get_knowledge_list.return_value = [
-            {
-                "index_name": "kb1",
-                "knowledge_sources": ["source1"]
-                # Missing embedding_model_name field
-            }
-        ]
-
-        response = self.client.get(
-            "/tenant_config/load_knowledge_list",
-            headers={"authorization": "Bearer test-token"}
-        )
-
-        self.assertEqual(response.status_code,
-                         HTTPStatus.INTERNAL_SERVER_ERROR)
-        data = response.json()
-        self.assertIn("Failed to load configuration", data["detail"])
-
-    def test_update_knowledge_list_success(self):
-        """Test successful knowledge list update"""
-        request_data = {
-            "nexent": ["kb1"],
-            "datamate": ["kb2"]
-        }
-
-        response = self.client.post(
-            "/tenant_config/update_knowledge_list",
-            headers={"authorization": "Bearer test-token"},
-            json=request_data
-        )
-
-        self.assertEqual(response.status_code, HTTPStatus.OK)
-        data = response.json()
-        self.assertEqual(data["status"], "success")
-        self.assertEqual(data["message"], "update success")
-        self.assertIn("content", data)
-        self.assertIn("selectedKbNames", data["content"])
-        self.assertIn("selectedKbModels", data["content"])
-        self.assertIn("selectedKbSources", data["content"])
-
-        # Verify the mock was called with correct parameters (flattened)
-        self.mock_update_knowledge.assert_called_once_with(
-            tenant_id="test_tenant",
-            user_id="test_user",
-            index_name_list=["kb1", "kb2"],
-            knowledge_sources=["nexent", "datamate"]
-        )
-
-    def test_update_knowledge_list_failure(self):
-        """Test knowledge list update failure"""
-        self.mock_update_knowledge.return_value = False
-        request_data = {
-            "nexent": ["kb1"],
-            "datamate": ["kb2"]
-        }
-
-        response = self.client.post(
-            "/tenant_config/update_knowledge_list",
-            headers={"authorization": "Bearer test-token"},
-            json=request_data
-        )
-
-        self.assertEqual(response.status_code,
-                         HTTPStatus.INTERNAL_SERVER_ERROR)
-        data = response.json()
-        self.assertIn("Failed to update configuration", data["detail"])
-
-    def test_update_knowledge_list_auth_error(self):
-        """Test knowledge list update with authentication error"""
-        self.mock_get_user_id.side_effect = Exception("Authentication failed")
-        request_data = {
-            "nexent": ["kb1"],
-            "datamate": ["kb2"]
-        }
-
-        response = self.client.post(
-            "/tenant_config/update_knowledge_list",
-            headers={"authorization": "Bearer invalid-token"},
-            json=request_data
-        )
-
-        self.assertEqual(response.status_code,
-                         HTTPStatus.INTERNAL_SERVER_ERROR)
-        data = response.json()
-        self.assertIn("Failed to update configuration", data["detail"])
-
-    def test_update_knowledge_list_service_error(self):
-        """Test knowledge list update with service error"""
-        self.mock_update_knowledge.side_effect = Exception("Database error")
-        request_data = {
-            "nexent": ["kb1"],
-            "datamate": ["kb2"]
-        }
-
-        response = self.client.post(
-            "/tenant_config/update_knowledge_list",
-            headers={"authorization": "Bearer test-token"},
-            json=request_data
-        )
-
-        self.assertEqual(response.status_code,
-                         HTTPStatus.INTERNAL_SERVER_ERROR)
-        data = response.json()
-        self.assertIn("Failed to update configuration", data["detail"])
-
-    def test_update_knowledge_list_empty_list(self):
-        """Test updating with empty knowledge list"""
-        request_data = {
-            "nexent": [],
-            "datamate": []
-        }
-
-        response = self.client.post(
-            "/tenant_config/update_knowledge_list",
-            headers={"authorization": "Bearer test-token"},
-            json=request_data
-        )
-
-        self.assertEqual(response.status_code, HTTPStatus.OK)
-        data = response.json()
-        self.assertEqual(data["status"], "success")
-        self.assertEqual(data["message"], "update success")
-
-    def test_update_knowledge_list_no_body(self):
-        """Test updating without request body"""
-        response = self.client.post(
-            "/tenant_config/update_knowledge_list",
-            headers={"authorization": "Bearer test-token"}
-        )
-
-        # When no body is provided, Pydantic will raise validation error
-        self.assertEqual(response.status_code, 422)  # Unprocessable Entity
-        data = response.json()
-        self.assertIn("detail", data)
-
     def test_get_deployment_version_success(self):
         """Test successful retrieval of deployment version"""
         response = self.client.get("/tenant_config/deployment_version")
@@ -328,32 +125,6 @@ def test_get_deployment_version_success(self):
         self.assertIn("app_version", data)
         self.assertEqual(len(data.keys()), 3)
 
-    def test_load_knowledge_list_no_auth_header(self):
-        """Test loading knowledge list without authorization header"""
-        response = self.client.get("/tenant_config/load_knowledge_list")
-
-        # This should still work as the authorization parameter is Optional
-        self.assertEqual(response.status_code, HTTPStatus.OK)
-        data = response.json()
-        self.assertEqual(data["status"], "success")
-
-    def test_update_knowledge_list_no_auth_header(self):
-        """Test updating knowledge list without authorization header"""
-        request_data = {
-            "nexent": ["kb1"],
-            "datamate": ["kb2"]
-        }
-
-        response = self.client.post(
-            "/tenant_config/update_knowledge_list",
-            json=request_data
-        )
-
-        # This should still work as the authorization parameter is Optional
-        self.assertEqual(response.status_code, HTTPStatus.OK)
-        data = response.json()
-        self.assertEqual(data["status"], "success")
-
 
 if __name__ == '__main__':
     unittest.main()
diff --git a/test/backend/app/test_user_app.py b/test/backend/app/test_user_app.py
index df5ec5884..81a2092fa 100644
--- a/test/backend/app/test_user_app.py
+++ b/test/backend/app/test_user_app.py
@@ -27,6 +27,11 @@ class MockToolConfig(BaseModel):
 sys.modules['nexent.storage.storage_client_factory'] = MagicMock()
 sys.modules['nexent.storage.minio_config'] = MagicMock()
 
+# Mock for memory_service import used in delete_user_and_cleanup
+nexent_memory_service = MagicMock()
+sys.modules['nexent.memory'] = MagicMock()
+sys.modules['nexent.memory.memory_service'] = nexent_memory_service
+
 # Patch storage factory and MinIO config validation to avoid errors during initialization
 storage_client_mock = MagicMock()
 minio_mock = MagicMock()
@@ -217,12 +222,14 @@ class TestDeleteUserEndpoint:
     """Test delete_user_endpoint (DELETE /users/{user_id})"""
 
     def test_delete_user_success(self):
-        """Test successful user deletion"""
+        """Test successful user deletion with complete cleanup"""
         with patch('apps.user_app.get_current_user_id') as mock_get_user_id, \
-             patch('apps.user_app.delete_user') as mock_delete_user:
+             patch('apps.user_app.get_user_tenant_by_user_id') as mock_get_tenant, \
+             patch('apps.user_app.delete_user_and_cleanup') as mock_cleanup:
 
             mock_get_user_id.return_value = ("deleter123", "tenant1")
-            mock_delete_user.return_value = True
+            mock_get_tenant.return_value = {"tenant_id": "tenant1", "user_id": "user1", "user_email": "user1@example.com"}
+            mock_cleanup.return_value = None
 
             response = client.delete(
                 "/users/user1",
@@ -233,15 +240,16 @@ def test_delete_user_success(self):
             data = response.json()
             assert data["message"] == "User deleted successfully"
             mock_get_user_id.assert_called_once_with("Bearer token123")
-            mock_delete_user.assert_called_once_with("user1", "deleter123")
+            mock_get_tenant.assert_called_once_with("user1")
+            mock_cleanup.assert_called_once_with("user1", "tenant1")
 
     def test_delete_user_validation_error(self):
-        """Test user deletion with validation error"""
+        """Test user deletion with user not found"""
         with patch('apps.user_app.get_current_user_id') as mock_get_user_id, \
-             patch('apps.user_app.delete_user') as mock_delete_user:
+             patch('apps.user_app.get_user_tenant_by_user_id') as mock_get_tenant:
 
             mock_get_user_id.return_value = ("deleter123", "tenant1")
-            mock_delete_user.side_effect = ValueError("User not found in any tenant")
+            mock_get_tenant.return_value = None  # User not found
 
             response = client.delete(
                 "/users/user1",
@@ -250,15 +258,17 @@ def test_delete_user_validation_error(self):
 
             assert response.status_code == HTTPStatus.BAD_REQUEST
             data = response.json()
-            assert data["detail"] == "User not found in any tenant"
+            assert "User user1 not found" in data["detail"]
 
     def test_delete_user_unexpected_error(self):
         """Test user deletion with unexpected error"""
         with patch('apps.user_app.get_current_user_id') as mock_get_user_id, \
-             patch('apps.user_app.delete_user') as mock_delete_user:
+             patch('apps.user_app.get_user_tenant_by_user_id') as mock_get_tenant, \
+             patch('apps.user_app.delete_user_and_cleanup') as mock_cleanup:
 
             mock_get_user_id.return_value = ("deleter123", "tenant1")
-            mock_delete_user.side_effect = Exception("Database connection failed")
+            mock_get_tenant.return_value = {"tenant_id": "tenant1", "user_id": "user1", "user_email": "user1@example.com"}
+            mock_cleanup.side_effect = Exception("Database connection failed")
 
             response = client.delete(
                 "/users/user1",
diff --git a/test/backend/app/test_user_management_app.py b/test/backend/app/test_user_management_app.py
index 6572688d8..7aaad9602 100644
--- a/test/backend/app/test_user_management_app.py
+++ b/test/backend/app/test_user_management_app.py
@@ -680,7 +680,7 @@ def test_current_user_info_error(self, mock_get_user_info, mock_validate_token):
 class TestRevokeUserAccount:
     """Tests for the /user/revoke endpoint"""
 
-    @patch('apps.user_management_app.revoke_regular_user', new_callable=AsyncMock)
+    @patch('apps.user_management_app.delete_user_and_cleanup', new_callable=AsyncMock)
     @patch('apps.user_management_app.validate_token')
     @patch('apps.user_management_app.get_current_user_id')
     def test_revoke_success_regular_user(self, mock_get_ids, mock_validate, mock_revoke):
@@ -731,7 +731,7 @@ def test_revoke_invalid_session(self, mock_get_ids, mock_validate):
         assert response.json()[
             "detail"] == "User not logged in or session invalid"
 
-    @patch('apps.user_management_app.revoke_regular_user', new_callable=AsyncMock)
+    @patch('apps.user_management_app.delete_user_and_cleanup', new_callable=AsyncMock)
     @patch('apps.user_management_app.validate_token')
     @patch('apps.user_management_app.get_current_user_id')
     def test_revoke_error(self, mock_get_ids, mock_validate, mock_revoke):
diff --git a/test/backend/app/test_vectordatabase_app.py b/test/backend/app/test_vectordatabase_app.py
index 5b8730f99..8209b8ceb 100644
--- a/test/backend/app/test_vectordatabase_app.py
+++ b/test/backend/app/test_vectordatabase_app.py
@@ -162,11 +162,79 @@ async def test_create_new_index_success(vdb_core_mock, auth_data):
         assert response.json() == expected_response
         # vdb_core is constructed inside router; accept ANY for instance
         mock_create.assert_called_once()
-        called_args = mock_create.call_args[0]
-        assert called_args[0] == auth_data["index_name"]
-        assert called_args[1] == 768
-        assert called_args[3] == auth_data["user_id"]
-        assert called_args[4] == auth_data["tenant_id"]
+        # Function is called with keyword arguments, so use call_args[1]
+        called_kwargs = mock_create.call_args[1]
+        assert called_kwargs["knowledge_name"] == auth_data["index_name"]
+        assert called_kwargs["embedding_dim"] == 768
+        assert called_kwargs["user_id"] == auth_data["user_id"]
+        assert called_kwargs["tenant_id"] == auth_data["tenant_id"]
+
+
+@pytest.mark.asyncio
+async def test_create_new_index_with_group_permissions(vdb_core_mock, auth_data):
+    """
+    Test creating a new index with group permissions.
+    Verifies that ingroup_permission and group_ids are correctly passed to the service.
+    """
+    # Setup mocks
+    with patch("backend.apps.vectordatabase_app.get_vector_db_core", return_value=vdb_core_mock), \
+            patch("backend.apps.vectordatabase_app.get_current_user_id", return_value=(auth_data["user_id"], auth_data["tenant_id"])), \
+            patch("backend.apps.vectordatabase_app.ElasticSearchService.create_knowledge_base") as mock_create:
+
+        expected_response = {"status": "success",
+                             "index_name": auth_data["index_name"]}
+        mock_create.return_value = expected_response
+
+        # Execute request with group permissions in body
+        response = client.post(
+            f"/indices/{auth_data['index_name']}",
+            params={"embedding_dim": 768},
+            json={"ingroup_permission": "EDIT", "group_ids": [1, 2, 3]},
+            headers=auth_data["auth_header"]
+        )
+
+        # Verify
+        assert response.status_code == 200
+        assert response.json() == expected_response
+        mock_create.assert_called_once()
+        # Function is called with keyword arguments, so use call_args[1]
+        called_kwargs = mock_create.call_args[1]
+        assert called_kwargs["knowledge_name"] == auth_data["index_name"]
+        assert called_kwargs["embedding_dim"] == 768
+        assert called_kwargs["user_id"] == auth_data["user_id"]
+        assert called_kwargs["tenant_id"] == auth_data["tenant_id"]
+        # Verify group permissions were passed
+        assert called_kwargs["ingroup_permission"] == "EDIT"
+        assert called_kwargs["group_ids"] == [1, 2, 3]
+
+
+@pytest.mark.asyncio
+async def test_create_new_index_with_partial_group_permissions(vdb_core_mock, auth_data):
+    """
+    Test creating a new index with only ingroup_permission (no group_ids).
+    """
+    # Setup mocks
+    with patch("backend.apps.vectordatabase_app.get_vector_db_core", return_value=vdb_core_mock), \
+            patch("backend.apps.vectordatabase_app.get_current_user_id", return_value=(auth_data["user_id"], auth_data["tenant_id"])), \
+            patch("backend.apps.vectordatabase_app.ElasticSearchService.create_knowledge_base") as mock_create:
+
+        expected_response = {"status": "success",
+                             "index_name": auth_data["index_name"]}
+        mock_create.return_value = expected_response
+
+        # Execute request with only ingroup_permission
+        response = client.post(
+            f"/indices/{auth_data['index_name']}",
+            json={"ingroup_permission": "READ_ONLY"},
+            headers=auth_data["auth_header"]
+        )
+
+        # Verify
+        assert response.status_code == 200
+        mock_create.assert_called_once()
+        called_kwargs = mock_create.call_args[1]
+        assert called_kwargs["ingroup_permission"] == "READ_ONLY"
+        assert called_kwargs["group_ids"] is None
 
 
 @pytest.mark.asyncio
@@ -967,6 +1035,48 @@ async def test_create_chunk_success(vdb_core_mock, auth_data):
         assert response.json() == expected_response
         mock_create.assert_called_once()
 
+        # Verify that tenant_id was passed to the service
+        call_kwargs = mock_create.call_args[1]
+        assert "tenant_id" in call_kwargs
+        assert call_kwargs["tenant_id"] == auth_data["tenant_id"]
+
+
+@pytest.mark.asyncio
+async def test_create_chunk_passes_tenant_id_to_service(vdb_core_mock, auth_data):
+    """
+    Test that create_chunk endpoint passes tenant_id to the service method.
+    This is critical for the service to fetch the correct embedding model.
+    """
+    with patch("backend.apps.vectordatabase_app.get_vector_db_core", return_value=vdb_core_mock), \
+            patch("backend.apps.vectordatabase_app.get_current_user_id",
+                  return_value=(auth_data["user_id"], auth_data["tenant_id"])), \
+            patch("backend.apps.vectordatabase_app.get_index_name_by_knowledge_name", return_value=auth_data["index_name"]), \
+            patch("backend.apps.vectordatabase_app.ElasticSearchService.create_chunk") as mock_create:
+
+        mock_create.return_value = {"status": "success", "chunk_id": "chunk-1"}
+
+        payload = {
+            "content": "Test content for embedding",
+            "path_or_url": "doc-123",
+            "title": "Test Title"
+        }
+
+        response = client.post(
+            f"/indices/{auth_data['index_name']}/chunk",
+            json=payload,
+            headers=auth_data["auth_header"],
+        )
+
+        assert response.status_code == 200
+
+        # Verify tenant_id was passed
+        mock_create.assert_called_once()
+        call_args = mock_create.call_args
+        # Check both args and kwargs for tenant_id
+        assert ("tenant_id" in call_args.kwargs and call_args.kwargs["tenant_id"] == auth_data["tenant_id"]) or \
+               (len(call_args[0]) >= 4 and call_args[0][3] == auth_data["tenant_id"]), \
+            "tenant_id should be passed to the service method"
+
 
 @pytest.mark.asyncio
 async def test_create_chunk_error(vdb_core_mock, auth_data):
diff --git a/test/backend/database/test_agent_db.py b/test/backend/database/test_agent_db.py
index 9a20b2432..b545ba995 100644
--- a/test/backend/database/test_agent_db.py
+++ b/test/backend/database/test_agent_db.py
@@ -60,6 +60,18 @@
 sys.modules['backend.database.client'] = client_mock
 
 # 模拟db_models模块
+# First, try to import real classes before mocking (if possible)
+_real_agent_info = None
+_real_tool_instance = None
+_real_agent_relation = None
+try:
+    # Try to import real classes before they get mocked
+    # This will only work if the module can be imported without database connection
+    from backend.database.db_models import AgentInfo as _real_agent_info, ToolInstance as _real_tool_instance, AgentRelation as _real_agent_relation
+except (ImportError, Exception):
+    # If import fails (e.g., database not available), we'll use mocks
+    pass
+
 db_models_mock = MagicMock()
 db_models_mock.AgentInfo = MagicMock()
 db_models_mock.ToolInstance = MagicMock()
@@ -89,12 +101,29 @@ class MockAgent:
     def __init__(self):
         self.agent_id = 1
         self.name = "test_agent"
+        self.display_name = "test_agent"
         self.tenant_id = "tenant1"
         self.delete_flag = "N"
         self.enabled = True
         self.updated_by = None
         self.business_logic_model_id = None
         self.business_logic_model_name = None
+        self.description = None
+        self.author = None
+        self.model_id = None
+        self.model_name = None
+        self.max_steps = 5
+        self.duty_prompt = None
+        self.constraint_prompt = None
+        self.few_shots_prompt = None
+        self.parent_agent_id = None
+        self.provide_run_summary = None
+        self.business_description = None
+        self.group_ids = None
+        self.is_new = True
+        self.current_version_no = None
+        self.version_no = 0
+        self.created_by = None
 
 class MockAgentRelation:
     def __init__(self):
@@ -287,7 +316,7 @@ def test_update_agent_success(monkeypatch, mock_session):
     agent_info = MagicMock()
     agent_info.__dict__ = {"name": "updated_agent", "description": "updated description"}
 
-    update_agent(1, agent_info, "tenant1", "user1")
+    update_agent(1, agent_info, "user1")
 
     assert mock_agent.updated_by == "user1"
 
@@ -320,7 +349,7 @@ def test_update_agent_skips_none_and_converts_group_ids(monkeypatch, mock_sessio
         "group_ids": [1, 2],
     }
 
-    update_agent(1, agent_info, "tenant1", "user1")
+    update_agent(1, agent_info, "user1")
 
     # name should remain unchanged because None is skipped
     assert mock_agent.name == "test_agent"
@@ -347,25 +376,31 @@ def test_update_agent_not_found(monkeypatch, mock_session):
     agent_info.__dict__ = {"name": "updated_agent"}
 
     with pytest.raises(ValueError, match="ag_tenant_agent_t Agent not found"):
-        update_agent(999, agent_info, "tenant1", "user1")
+        update_agent(999, agent_info, "user1")
 
 def test_delete_agent_by_id_success(monkeypatch, mock_session):
     """测试成功删除agent"""
     session, query = mock_session
-    mock_update = MagicMock()
-    mock_filter = MagicMock()
-    mock_filter.update = mock_update
-    query.filter.return_value = mock_filter
+    # Mock session.execute instead of query.filter.update
+    mock_execute = MagicMock()
+    session.execute = mock_execute
 
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.agent_db.get_db_session", lambda: mock_ctx)
 
+    # Restore real AgentInfo and ToolInstance classes for SQLAlchemy update
+    # Use the real classes that were saved before mocking
+    if _real_agent_info is not None:
+        monkeypatch.setattr("backend.database.agent_db.AgentInfo", _real_agent_info)
+    if _real_tool_instance is not None:
+        monkeypatch.setattr("backend.database.agent_db.ToolInstance", _real_tool_instance)
+
     delete_agent_by_id(1, "tenant1", "user1")
 
-    # 验证调用了两次update（一次更新AgentInfo，一次更新ToolInstance）
-    assert mock_update.call_count == 2
+    # 验证调用了两次execute（一次更新AgentInfo，一次更新ToolInstance）
+    assert mock_execute.call_count == 2
 
 def test_query_all_agent_info_by_tenant_id(monkeypatch, mock_session):
     """测试查询所有agent信息"""
@@ -404,7 +439,7 @@ def test_insert_related_agent_success(monkeypatch, mock_session):
     monkeypatch.setattr("backend.database.agent_db.filter_property", lambda data, model: data)
     monkeypatch.setattr("backend.database.agent_db.AgentRelation", lambda **kwargs: MagicMock())
 
-    result = insert_related_agent(1, 2, "tenant1")
+    result = insert_related_agent(1, 2, "tenant1", "user1")
 
     assert result is True
     session.add.assert_called_once()
@@ -422,7 +457,7 @@ def test_insert_related_agent_failure(monkeypatch, mock_session):
     monkeypatch.setattr("backend.database.agent_db.filter_property", lambda data, model: data)
     monkeypatch.setattr("backend.database.agent_db.AgentRelation", lambda **kwargs: MagicMock())
 
-    result = insert_related_agent(1, 2, "tenant1")
+    result = insert_related_agent(1, 2, "tenant1", "user1")
 
     assert result is False
 
@@ -439,7 +474,7 @@ def test_delete_related_agent_success(monkeypatch, mock_session):
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.agent_db.get_db_session", lambda: mock_ctx)
 
-    result = delete_related_agent(1, 2, "tenant1")
+    result = delete_related_agent(1, 2, "tenant1", "user1")
 
     assert result is True
     mock_update.assert_called_once()
@@ -457,7 +492,7 @@ def test_delete_related_agent_failure(monkeypatch, mock_session):
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.agent_db.get_db_session", lambda: mock_ctx)
 
-    result = delete_related_agent(1, 2, "tenant1")
+    result = delete_related_agent(1, 2, "tenant1", "user1")
 
     assert result is False
 
@@ -536,6 +571,7 @@ class MockAgentRelationClass:
         tenant_id = MagicMock()
         delete_flag = MagicMock()
         selected_agent_id = MagicMock()
+        version_no = MagicMock()
 
         def __init__(self, **kwargs):
             for key, value in kwargs.items():
@@ -548,7 +584,7 @@ def __init__(self, **kwargs):
 
     # Verify: should add 2 new relations, no deletions
     assert session.add.call_count == 2
-    session.commit.assert_called_once()
+    # Note: update_related_agents doesn't explicitly call commit(), it relies on context manager
     # Verify update was not called since there are no deletions
     mock_update.assert_not_called()
 
@@ -592,7 +628,7 @@ def test_update_related_agents_delete_existing(monkeypatch, mock_session):
     # Verify: should soft delete 2 relations, add none
     mock_update.assert_called_once()
     session.add.assert_not_called()
-    session.commit.assert_called_once()
+    # Note: update_related_agents doesn't explicitly call commit(), it relies on context manager
 
 
 def test_update_related_agents_replace_mixed(monkeypatch, mock_session):
@@ -636,6 +672,7 @@ class MockAgentRelationClass:
         tenant_id = MagicMock()
         delete_flag = MagicMock()
         selected_agent_id = MagicMock()
+        version_no = MagicMock()
 
         def __init__(self, **kwargs):
             for key, value in kwargs.items():
@@ -649,7 +686,7 @@ def __init__(self, **kwargs):
     # Verify: should delete 2 (relation with selected_agent_id=2), add 4
     mock_update.assert_called_once()
     assert session.add.call_count == 1
-    session.commit.assert_called_once()
+    # Note: update_related_agents doesn't explicitly call commit(), it relies on context manager
 
 
 def test_update_related_agents_no_changes(monkeypatch, mock_session):
@@ -683,7 +720,7 @@ def test_update_related_agents_no_changes(monkeypatch, mock_session):
 
     # Verify: no deletions, no additions
     session.add.assert_not_called()
-    session.commit.assert_called_once()
+    # Note: update_related_agents doesn't explicitly call commit(), it relies on context manager
 
 
 def test_clear_agent_new_mark_success(monkeypatch):
diff --git a/test/backend/database/test_agent_version_db.py b/test/backend/database/test_agent_version_db.py
new file mode 100644
index 000000000..58bc96348
--- /dev/null
+++ b/test/backend/database/test_agent_version_db.py
@@ -0,0 +1,1182 @@
+import sys
+import pytest
+from unittest.mock import patch, MagicMock
+from contextlib import contextmanager
+
+# First mock the consts module to avoid ModuleNotFoundError
+consts_mock = MagicMock()
+consts_mock.const = MagicMock()
+# Set up required constants in consts.const
+consts_mock.const.MINIO_ENDPOINT = "http://localhost:9000"
+consts_mock.const.MINIO_ACCESS_KEY = "test_access_key"
+consts_mock.const.MINIO_SECRET_KEY = "test_secret_key"
+consts_mock.const.MINIO_REGION = "us-east-1"
+consts_mock.const.MINIO_DEFAULT_BUCKET = "test-bucket"
+consts_mock.const.POSTGRES_HOST = "localhost"
+consts_mock.const.POSTGRES_USER = "test_user"
+consts_mock.const.NEXENT_POSTGRES_PASSWORD = "test_password"
+consts_mock.const.POSTGRES_DB = "test_db"
+consts_mock.const.POSTGRES_PORT = 5432
+consts_mock.const.DEFAULT_TENANT_ID = "default_tenant"
+
+# Add the mocked consts module to sys.modules
+sys.modules['consts'] = consts_mock
+sys.modules['consts.const'] = consts_mock.const
+
+# Mock utils module
+utils_mock = MagicMock()
+utils_mock.auth_utils = MagicMock()
+utils_mock.auth_utils.get_current_user_id_from_token = MagicMock(return_value="test_user_id")
+
+# Add the mocked utils module to sys.modules
+sys.modules['utils'] = utils_mock
+sys.modules['utils.auth_utils'] = utils_mock.auth_utils
+
+# Provide a stub for the `boto3` module so that it can be imported safely even
+# if the testing environment does not have it available.
+boto3_mock = MagicMock()
+sys.modules['boto3'] = boto3_mock
+
+# Mock the entire client module
+client_mock = MagicMock()
+client_mock.MinioClient = MagicMock()
+client_mock.PostgresClient = MagicMock()
+client_mock.db_client = MagicMock()
+client_mock.get_db_session = MagicMock()
+client_mock.as_dict = MagicMock()
+client_mock.filter_property = MagicMock()
+
+# Mock db_models module
+db_models_mock = MagicMock()
+db_models_mock.AgentInfo = MagicMock()
+db_models_mock.ToolInstance = MagicMock()
+db_models_mock.AgentRelation = MagicMock()
+db_models_mock.AgentVersion = MagicMock()
+
+# Create a mock database module to satisfy imports
+# This is needed because agent_version_db.py uses "from database.client import ..."
+database_mock = MagicMock()
+database_mock.client = client_mock
+database_mock.db_models = db_models_mock
+
+# Add the mocked modules to sys.modules (order matters!)
+# database module must be added before its submodules
+sys.modules['database'] = database_mock
+sys.modules['database.client'] = client_mock
+sys.modules['database.db_models'] = db_models_mock
+sys.modules['backend.database.client'] = client_mock
+sys.modules['backend.database.db_models'] = db_models_mock
+
+# Now we can safely import the module being tested
+import backend.database.agent_version_db as agent_version_db_module
+from backend.database.agent_version_db import (
+    search_version_by_version_no,
+    search_version_by_id,
+    query_version_list,
+    query_current_version_no,
+    query_agent_snapshot,
+    query_agent_draft,
+    insert_version,
+    update_version_status,
+    update_agent_current_version,
+    insert_agent_snapshot,
+    insert_tool_snapshot,
+    insert_relation_snapshot,
+    update_agent_snapshot,
+    delete_agent_snapshot,
+    delete_tool_snapshot,
+    delete_relation_snapshot,
+    get_next_version_no,
+    delete_version,
+    SOURCE_TYPE_NORMAL,
+    SOURCE_TYPE_ROLLBACK,
+    STATUS_RELEASED,
+    STATUS_DISABLED,
+    STATUS_ARCHIVED,
+)
+
+
+class MockAgentVersion:
+    def __init__(self):
+        self.id = 1
+        self.agent_id = 1
+        self.tenant_id = "tenant1"
+        self.version_no = 1
+        self.version_name = "v1.0"
+        self.release_note = "Initial release"
+        self.source_type = SOURCE_TYPE_NORMAL
+        self.source_version_no = None
+        self.status = STATUS_RELEASED
+        self.delete_flag = "N"
+        self.created_by = "user1"
+        self.create_time = "2023-01-01 12:00:00"
+        self.__dict__ = {
+            "id": 1,
+            "agent_id": 1,
+            "tenant_id": "tenant1",
+            "version_no": 1,
+            "version_name": "v1.0",
+            "release_note": "Initial release",
+            "source_type": SOURCE_TYPE_NORMAL,
+            "source_version_no": None,
+            "status": STATUS_RELEASED,
+            "delete_flag": "N",
+            "created_by": "user1",
+            "create_time": "2023-01-01 12:00:00",
+        }
+
+
+class MockAgentInfo:
+    def __init__(self):
+        self.agent_id = 1
+        self.tenant_id = "tenant1"
+        self.version_no = 1
+        self.current_version_no = 1
+        self.name = "Test Agent"
+        self.delete_flag = "N"
+        self.__dict__ = {
+            "agent_id": 1,
+            "tenant_id": "tenant1",
+            "version_no": 1,
+            "current_version_no": 1,
+            "name": "Test Agent",
+            "delete_flag": "N",
+        }
+
+
+class MockToolInstance:
+    def __init__(self):
+        self.tool_instance_id = 1
+        self.tool_id = 1
+        self.agent_id = 1
+        self.tenant_id = "tenant1"
+        self.version_no = 1
+        self.delete_flag = "N"
+        self.__dict__ = {
+            "tool_instance_id": 1,
+            "tool_id": 1,
+            "agent_id": 1,
+            "tenant_id": "tenant1",
+            "version_no": 1,
+            "delete_flag": "N",
+        }
+
+
+class MockAgentRelation:
+    def __init__(self):
+        self.id = 1
+        self.parent_agent_id = 1
+        self.selected_agent_id = 2
+        self.tenant_id = "tenant1"
+        self.version_no = 1
+        self.delete_flag = "N"
+        self.__dict__ = {
+            "id": 1,
+            "parent_agent_id": 1,
+            "selected_agent_id": 2,
+            "tenant_id": "tenant1",
+            "version_no": 1,
+            "delete_flag": "N",
+        }
+
+
+def mock_as_dict(obj):
+    """Helper function to convert mock objects to dict"""
+    if obj is None:
+        return None
+    
+    # Check if it's a MagicMock without real data - return empty dict or handle specially
+    if isinstance(obj, MagicMock):
+        # Check if this MagicMock has been configured with real attributes
+        # by checking if it has any of our expected keys as non-MagicMock values
+        has_real_data = False
+        for attr in ['agent_id', 'version_no', 'id', 'tool_id', 'tool_instance_id', 
+                     'parent_agent_id', 'selected_agent_id', 'name']:
+            if hasattr(obj, attr):
+                try:
+                    value = getattr(obj, attr)
+                    if not isinstance(value, MagicMock):
+                        has_real_data = True
+                        break
+                except (AttributeError, TypeError):
+                    pass
+        
+        # If it's a MagicMock without real data, return empty dict
+        # (This handles cases where MagicMock objects are returned but shouldn't be converted)
+        if not has_real_data:
+            # Check __dict__ for our mock classes
+            if hasattr(obj, '__dict__') and isinstance(obj.__dict__, dict):
+                obj_dict = obj.__dict__
+                if any(key in obj_dict for key in ['agent_id', 'version_no', 'id', 'tool_id']):
+                    return obj_dict.copy()
+            return {}
+    
+    # For our custom mock classes (MockAgentInfo, MockToolInstance, etc.), use __dict__ directly
+    # These classes set self.__dict__ explicitly with the data we need
+    if hasattr(obj, '__dict__') and isinstance(obj.__dict__, dict):
+        # Check if this looks like one of our mock classes by checking for key attributes
+        # Our mock classes have __dict__ set with actual data, not just mock internals
+        obj_dict = obj.__dict__
+        # Check if it has any of our expected keys (not just mock internals)
+        if any(key in obj_dict for key in ['agent_id', 'version_no', 'id', 'tool_id', 'tool_instance_id', 
+                                           'parent_agent_id', 'selected_agent_id']):
+            return obj_dict.copy()
+    
+    # For other objects, build dict from attributes
+    result = {}
+    for attr in ['agent_id', 'version_no', 'tenant_id', 'id', 'tool_id', 'selected_agent_id', 
+                 'tool_instance_id', 'parent_agent_id', 'name', 'version_name', 'status',
+                 'current_version_no', 'delete_flag', 'created_by', 'create_time', 
+                 'release_note', 'source_type', 'source_version_no']:
+        if hasattr(obj, attr):
+            try:
+                value = getattr(obj, attr)
+                # Skip MagicMock objects that aren't configured (they'll have default MagicMock behavior)
+                if not isinstance(value, MagicMock):
+                    result[attr] = value
+            except (AttributeError, TypeError):
+                pass
+    # Return the result dict (may be empty for objects without configured attributes)
+    return result
+
+
+def mock_sqlalchemy_insert(monkeypatch):
+    """Helper function to mock SQLAlchemy insert"""
+    from sqlalchemy.sql import Insert
+    
+    def insert_wrapper(table):
+        """Wrapper that accepts the actual table class (or MagicMock) and returns a mock statement"""
+        # Create a mock statement that chains properly
+        # This bypasses SQLAlchemy's table validation by directly returning a mock
+        mock_stmt = MagicMock(spec=Insert)
+        mock_values_result = MagicMock()
+        mock_returning_result = MagicMock()
+        
+        # Chain: .values(**kwargs) returns an object that has .returning()
+        mock_values_result.returning = lambda *args, **kwargs: mock_returning_result
+        mock_stmt.values = lambda **kwargs: mock_values_result
+        
+        # The final statement is what gets executed
+        return mock_stmt
+    
+    # Patch the imported function in agent_version_db module (this is what the code actually uses)
+    # We patch at the module level after import, so it overrides the imported function
+    monkeypatch.setattr(agent_version_db_module, "insert", insert_wrapper)
+    return insert_wrapper
+
+
+def mock_sqlalchemy_update(monkeypatch):
+    """Helper function to mock SQLAlchemy update"""
+    from sqlalchemy.sql import Update
+    
+    def update_wrapper(table):
+        """Wrapper that accepts the actual table class (or MagicMock) and returns a mock statement"""
+        # Create a mock statement that chains properly
+        # This bypasses SQLAlchemy's table validation by directly returning a mock
+        mock_stmt = MagicMock(spec=Update)
+        mock_where_result = MagicMock()
+        
+        # Chain: .where(...) returns an object that has .values()
+        # .values(**kwargs) returns the statement itself (for chaining)
+        mock_where_result.values = lambda **kwargs: mock_stmt
+        mock_stmt.where = lambda *args, **kwargs: mock_where_result
+        
+        # The final statement is what gets executed
+        return mock_stmt
+    
+    # Patch the imported function in agent_version_db module (this is what the code actually uses)
+    # We patch at the module level after import, so it overrides the imported function
+    monkeypatch.setattr(agent_version_db_module, "update", update_wrapper)
+    return update_wrapper
+
+
+@pytest.fixture
+def mock_session():
+    """Create a mock database session"""
+    mock_session = MagicMock()
+    mock_query = MagicMock()
+    mock_session.query.return_value = mock_query
+    return mock_session, mock_query
+
+
+def test_search_version_by_version_no_found(monkeypatch, mock_session):
+    """Test successfully finding version by version_no"""
+    session, query = mock_session
+    mock_version = MockAgentVersion()
+    
+    mock_filter = MagicMock()
+    mock_filter.first = lambda: mock_version
+    query.filter.return_value = mock_filter
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = search_version_by_version_no(agent_id=1, tenant_id="tenant1", version_no=1)
+    
+    assert result is not None
+    assert result["version_no"] == 1
+    assert result["version_name"] == "v1.0"
+    assert result["status"] == STATUS_RELEASED
+
+
+def test_search_version_by_version_no_not_found(monkeypatch, mock_session):
+    """Test searching for non-existent version"""
+    session, query = mock_session
+    
+    mock_filter = MagicMock()
+    mock_filter.first = lambda: None
+    query.filter.return_value = mock_filter
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = search_version_by_version_no(agent_id=1, tenant_id="tenant1", version_no=999)
+    
+    assert result is None
+
+
+def test_search_version_by_id_found(monkeypatch, mock_session):
+    """Test successfully finding version by id"""
+    session, query = mock_session
+    mock_version = MockAgentVersion()
+    
+    mock_filter = MagicMock()
+    mock_filter.first = lambda: mock_version
+    query.filter.return_value = mock_filter
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = search_version_by_id(version_id=1, tenant_id="tenant1")
+    
+    assert result is not None
+    assert result["id"] == 1
+    assert result["version_no"] == 1
+
+
+def test_search_version_by_id_not_found(monkeypatch, mock_session):
+    """Test searching for non-existent version by id"""
+    session, query = mock_session
+    
+    mock_filter = MagicMock()
+    mock_filter.first = lambda: None
+    query.filter.return_value = mock_filter
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = search_version_by_id(version_id=999, tenant_id="tenant1")
+    
+    assert result is None
+
+
+def test_query_version_list_success(monkeypatch, mock_session):
+    """Test successfully querying version list"""
+    session, query = mock_session
+    mock_version1 = MockAgentVersion()
+    mock_version2 = MockAgentVersion()
+    mock_version2.version_no = 2
+    mock_version2.version_name = "v2.0"
+    
+    mock_order_by = MagicMock()
+    mock_order_by.all = lambda: [mock_version2, mock_version1]  # Ordered desc
+    mock_filter = MagicMock()
+    mock_filter.order_by.return_value = mock_order_by
+    query.filter.return_value = mock_filter
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = query_version_list(agent_id=1, tenant_id="tenant1")
+    
+    assert len(result) == 2
+    assert result[0]["version_no"] == 2  # Should be ordered desc
+    assert result[1]["version_no"] == 1
+
+
+def test_query_version_list_empty(monkeypatch, mock_session):
+    """Test querying version list when no versions exist"""
+    session, query = mock_session
+    
+    mock_order_by = MagicMock()
+    mock_order_by.all = lambda: []
+    mock_filter = MagicMock()
+    mock_filter.order_by.return_value = mock_order_by
+    query.filter.return_value = mock_filter
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = query_version_list(agent_id=1, tenant_id="tenant1")
+    
+    assert result == []
+
+
+def test_query_current_version_no_found(monkeypatch, mock_session):
+    """Test successfully querying current version number"""
+    session, query = mock_session
+    mock_agent = MockAgentInfo()
+    mock_agent.current_version_no = 5
+    
+    mock_filter = MagicMock()
+    mock_filter.first = lambda: mock_agent
+    query.filter.return_value = mock_filter
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = query_current_version_no(agent_id=1, tenant_id="tenant1")
+    
+    assert result == 5
+
+
+def test_query_current_version_no_not_found(monkeypatch, mock_session):
+    """Test querying current version when agent draft doesn't exist"""
+    session, query = mock_session
+    
+    mock_filter = MagicMock()
+    mock_filter.first = lambda: None
+    query.filter.return_value = mock_filter
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = query_current_version_no(agent_id=999, tenant_id="tenant1")
+    
+    assert result is None
+
+
+def test_query_agent_snapshot_success(monkeypatch, mock_session):
+    """Test successfully querying agent snapshot"""
+    session, query = mock_session
+    mock_agent = MockAgentInfo()
+    mock_tool = MockToolInstance()
+    mock_relation = MockAgentRelation()
+    
+    # Mock query chain for agent
+    mock_agent_filter = MagicMock()
+    mock_agent_filter.first = lambda: mock_agent
+    
+    # Mock query chain for tools
+    mock_tools_filter = MagicMock()
+    mock_tools_filter.all = lambda: [mock_tool]
+    
+    # Mock query chain for relations
+    mock_relations_filter = MagicMock()
+    mock_relations_filter.all = lambda: [mock_relation]
+    
+    # Setup session.query to return different query objects based on model
+    def query_side_effect(model_class):
+        mock_query = MagicMock()
+        if model_class == db_models_mock.AgentInfo:
+            mock_query.filter.return_value = mock_agent_filter
+        elif model_class == db_models_mock.ToolInstance:
+            mock_query.filter.return_value = mock_tools_filter
+        elif model_class == db_models_mock.AgentRelation:
+            mock_query.filter.return_value = mock_relations_filter
+        else:
+            mock_query.filter.return_value = MagicMock()
+        return mock_query
+    
+    session.query.side_effect = query_side_effect
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    agent_dict, tools_list, relations_list = query_agent_snapshot(
+        agent_id=1, tenant_id="tenant1", version_no=1
+    )
+    
+    assert agent_dict is not None
+    assert agent_dict["agent_id"] == 1
+    assert len(tools_list) == 1
+    assert tools_list[0]["tool_id"] == 1
+    assert len(relations_list) == 1
+    assert relations_list[0]["selected_agent_id"] == 2
+
+
+def test_query_agent_snapshot_no_agent(monkeypatch, mock_session):
+    """Test querying snapshot when agent doesn't exist"""
+    session, query = mock_session
+    
+    mock_agent_filter = MagicMock()
+    mock_agent_filter.first = lambda: None
+    
+    mock_tools_filter = MagicMock()
+    mock_tools_filter.all = lambda: []
+    
+    mock_relations_filter = MagicMock()
+    mock_relations_filter.all = lambda: []
+    
+    # Setup session.query to return different query objects based on model
+    def query_side_effect(model_class):
+        mock_query = MagicMock()
+        if model_class == db_models_mock.AgentInfo:
+            mock_query.filter.return_value = mock_agent_filter
+        elif model_class == db_models_mock.ToolInstance:
+            mock_query.filter.return_value = mock_tools_filter
+        elif model_class == db_models_mock.AgentRelation:
+            mock_query.filter.return_value = mock_relations_filter
+        else:
+            mock_query.filter.return_value = MagicMock()
+        return mock_query
+    
+    session.query.side_effect = query_side_effect
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    agent_dict, tools_list, relations_list = query_agent_snapshot(
+        agent_id=999, tenant_id="tenant1", version_no=1
+    )
+    
+    assert agent_dict is None
+    assert tools_list == []
+    assert relations_list == []
+
+
+def test_query_agent_draft(monkeypatch, mock_session):
+    """Test querying agent draft (version_no=0)"""
+    session, query = mock_session
+    
+    # query_agent_draft calls query_agent_snapshot with version_no=0
+    mock_agent = MockAgentInfo()
+    mock_agent.version_no = 0
+    mock_agent.__dict__['version_no'] = 0
+    
+    mock_agent_filter = MagicMock()
+    mock_agent_filter.first = lambda: mock_agent
+    
+    mock_tools_filter = MagicMock()
+    mock_tools_filter.all = lambda: []
+    
+    mock_relations_filter = MagicMock()
+    mock_relations_filter.all = lambda: []
+    
+    # Setup session.query to return different query objects based on model
+    def query_side_effect(model_class):
+        mock_query = MagicMock()
+        if model_class == db_models_mock.AgentInfo:
+            mock_query.filter.return_value = mock_agent_filter
+        elif model_class == db_models_mock.ToolInstance:
+            mock_query.filter.return_value = mock_tools_filter
+        elif model_class == db_models_mock.AgentRelation:
+            mock_query.filter.return_value = mock_relations_filter
+        else:
+            mock_query.filter.return_value = MagicMock()
+        return mock_query
+    
+    session.query.side_effect = query_side_effect
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    agent_dict, tools_list, relations_list = query_agent_draft(agent_id=1, tenant_id="tenant1")
+    
+    assert agent_dict is not None
+    assert agent_dict["version_no"] == 0
+
+
+def test_insert_version_success(monkeypatch, mock_session):
+    """Test successfully inserting a new version"""
+    session, query = mock_session
+    
+    mock_result = MagicMock()
+    mock_result.scalar_one.return_value = 123
+    session.execute.return_value = mock_result
+    
+    # Mock SQLAlchemy insert to avoid ArgumentError
+    mock_sqlalchemy_insert(monkeypatch)
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    version_data = {
+        "tenant_id": "tenant1",
+        "agent_id": 1,
+        "version_no": 1,
+        "version_name": "v1.0",
+        "status": STATUS_RELEASED,
+    }
+    
+    result = insert_version(version_data)
+    
+    assert result == 123
+    session.execute.assert_called_once()
+
+
+def test_update_version_status_success(monkeypatch, mock_session):
+    """Test successfully updating version status"""
+    session, query = mock_session
+    
+    mock_result = MagicMock()
+    mock_result.rowcount = 1
+    session.execute.return_value = mock_result
+    
+    # Mock SQLAlchemy update to avoid ArgumentError
+    mock_sqlalchemy_update(monkeypatch)
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = update_version_status(
+        agent_id=1,
+        tenant_id="tenant1",
+        version_no=1,
+        status=STATUS_DISABLED,
+        updated_by="user1",
+    )
+    
+    assert result == 1
+    session.execute.assert_called_once()
+
+
+def test_update_version_status_not_found(monkeypatch, mock_session):
+    """Test updating status when version doesn't exist"""
+    session, query = mock_session
+    
+    mock_result = MagicMock()
+    mock_result.rowcount = 0
+    session.execute.return_value = mock_result
+    
+    # Mock SQLAlchemy update to avoid ArgumentError
+    mock_sqlalchemy_update(monkeypatch)
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = update_version_status(
+        agent_id=999,
+        tenant_id="tenant1",
+        version_no=999,
+        status=STATUS_DISABLED,
+        updated_by="user1",
+    )
+    
+    assert result == 0
+
+
+def test_update_agent_current_version_success(monkeypatch, mock_session):
+    """Test successfully updating agent current version"""
+    session, query = mock_session
+    
+    mock_result = MagicMock()
+    mock_result.rowcount = 1
+    session.execute.return_value = mock_result
+    
+    # Mock SQLAlchemy update to avoid ArgumentError
+    mock_sqlalchemy_update(monkeypatch)
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = update_agent_current_version(
+        agent_id=1,
+        tenant_id="tenant1",
+        current_version_no=5,
+    )
+    
+    assert result == 1
+    session.execute.assert_called_once()
+
+
+def test_update_agent_current_version_not_found(monkeypatch, mock_session):
+    """Test updating current version when agent draft doesn't exist"""
+    session, query = mock_session
+    
+    mock_result = MagicMock()
+    mock_result.rowcount = 0
+    session.execute.return_value = mock_result
+    
+    # Mock SQLAlchemy update to avoid ArgumentError
+    mock_sqlalchemy_update(monkeypatch)
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = update_agent_current_version(
+        agent_id=999,
+        tenant_id="tenant1",
+        current_version_no=5,
+    )
+    
+    assert result == 0
+
+
+def test_insert_agent_snapshot_success(monkeypatch, mock_session):
+    """Test successfully inserting agent snapshot"""
+    session, query = mock_session
+    
+    session.execute = MagicMock()
+    
+    # Mock SQLAlchemy insert to avoid ArgumentError
+    mock_sqlalchemy_insert(monkeypatch)
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    agent_data = {
+        "agent_id": 1,
+        "tenant_id": "tenant1",
+        "version_no": 1,
+        "name": "Test Agent",
+    }
+    
+    insert_agent_snapshot(agent_data)
+    
+    session.execute.assert_called_once()
+
+
+def test_insert_tool_snapshot_success(monkeypatch, mock_session):
+    """Test successfully inserting tool snapshot"""
+    session, query = mock_session
+    
+    session.execute = MagicMock()
+    
+    # Mock SQLAlchemy insert to avoid ArgumentError
+    mock_sqlalchemy_insert(monkeypatch)
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    tool_data = {
+        "tool_id": 1,
+        "agent_id": 1,
+        "tenant_id": "tenant1",
+        "version_no": 1,
+    }
+    
+    insert_tool_snapshot(tool_data)
+    
+    session.execute.assert_called_once()
+
+
+def test_insert_relation_snapshot_success(monkeypatch, mock_session):
+    """Test successfully inserting relation snapshot"""
+    session, query = mock_session
+    
+    session.execute = MagicMock()
+    
+    # Mock SQLAlchemy insert to avoid ArgumentError
+    mock_sqlalchemy_insert(monkeypatch)
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    relation_data = {
+        "parent_agent_id": 1,
+        "selected_agent_id": 2,
+        "tenant_id": "tenant1",
+        "version_no": 1,
+    }
+    
+    insert_relation_snapshot(relation_data)
+    
+    session.execute.assert_called_once()
+
+
+def test_update_agent_snapshot_success(monkeypatch, mock_session):
+    """Test successfully updating agent snapshot"""
+    session, query = mock_session
+    
+    mock_result = MagicMock()
+    mock_result.rowcount = 1
+    session.execute.return_value = mock_result
+    
+    # Mock SQLAlchemy update to avoid ArgumentError
+    mock_sqlalchemy_update(monkeypatch)
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    agent_data = {"name": "Updated Agent Name"}
+    
+    result = update_agent_snapshot(
+        agent_id=1,
+        tenant_id="tenant1",
+        version_no=1,
+        agent_data=agent_data,
+    )
+    
+    assert result == 1
+    session.execute.assert_called_once()
+
+
+def test_update_agent_snapshot_not_found(monkeypatch, mock_session):
+    """Test updating snapshot when it doesn't exist"""
+    session, query = mock_session
+    
+    mock_result = MagicMock()
+    mock_result.rowcount = 0
+    session.execute.return_value = mock_result
+    
+    # Mock SQLAlchemy update to avoid ArgumentError
+    mock_sqlalchemy_update(monkeypatch)
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    agent_data = {"name": "Updated Agent Name"}
+    
+    result = update_agent_snapshot(
+        agent_id=999,
+        tenant_id="tenant1",
+        version_no=999,
+        agent_data=agent_data,
+    )
+    
+    assert result == 0
+
+
+def test_delete_agent_snapshot_success(monkeypatch, mock_session):
+    """Test successfully deleting agent snapshot"""
+    session, query = mock_session
+    
+    mock_result = MagicMock()
+    mock_result.rowcount = 1
+    session.execute.return_value = mock_result
+    
+    # Mock SQLAlchemy update to avoid ArgumentError (delete uses update)
+    mock_sqlalchemy_update(monkeypatch)
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = delete_agent_snapshot(
+        agent_id=1,
+        tenant_id="tenant1",
+        version_no=1,
+        deleted_by="user1",
+    )
+    
+    assert result == 1
+    session.execute.assert_called_once()
+
+
+def test_delete_tool_snapshot_success(monkeypatch, mock_session):
+    """Test successfully deleting tool snapshot"""
+    session, query = mock_session
+    
+    mock_result = MagicMock()
+    mock_result.rowcount = 2
+    session.execute.return_value = mock_result
+    
+    # Mock SQLAlchemy update to avoid ArgumentError (delete uses update)
+    mock_sqlalchemy_update(monkeypatch)
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = delete_tool_snapshot(
+        agent_id=1,
+        tenant_id="tenant1",
+        version_no=1,
+        deleted_by="user1",
+    )
+    
+    assert result == 2
+    session.execute.assert_called_once()
+
+
+def test_delete_tool_snapshot_without_deleted_by(monkeypatch, mock_session):
+    """Test deleting tool snapshot without deleted_by parameter"""
+    session, query = mock_session
+    
+    mock_result = MagicMock()
+    mock_result.rowcount = 1
+    session.execute.return_value = mock_result
+    
+    # Mock SQLAlchemy update to avoid ArgumentError (delete uses update)
+    mock_sqlalchemy_update(monkeypatch)
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = delete_tool_snapshot(
+        agent_id=1,
+        tenant_id="tenant1",
+        version_no=1,
+    )
+    
+    assert result == 1
+    session.execute.assert_called_once()
+
+
+def test_delete_relation_snapshot_success(monkeypatch, mock_session):
+    """Test successfully deleting relation snapshot"""
+    session, query = mock_session
+    
+    mock_result = MagicMock()
+    mock_result.rowcount = 1
+    session.execute.return_value = mock_result
+    
+    # Mock SQLAlchemy update to avoid ArgumentError (delete uses update)
+    mock_sqlalchemy_update(monkeypatch)
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = delete_relation_snapshot(
+        agent_id=1,
+        tenant_id="tenant1",
+        version_no=1,
+        deleted_by="user1",
+    )
+    
+    assert result == 1
+    session.execute.assert_called_once()
+
+
+def test_delete_relation_snapshot_without_deleted_by(monkeypatch, mock_session):
+    """Test deleting relation snapshot without deleted_by parameter"""
+    session, query = mock_session
+    
+    mock_result = MagicMock()
+    mock_result.rowcount = 1
+    session.execute.return_value = mock_result
+    
+    # Mock SQLAlchemy update to avoid ArgumentError (delete uses update)
+    mock_sqlalchemy_update(monkeypatch)
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = delete_relation_snapshot(
+        agent_id=1,
+        tenant_id="tenant1",
+        version_no=1,
+    )
+    
+    assert result == 1
+    session.execute.assert_called_once()
+
+
+def test_get_next_version_no_first_version(monkeypatch, mock_session):
+    """Test getting next version number when no versions exist"""
+    session, query = mock_session
+    
+    mock_filter = MagicMock()
+    mock_filter.scalar = lambda: None  # No max version
+    query.filter.return_value = mock_filter
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = get_next_version_no(agent_id=1, tenant_id="tenant1")
+    
+    assert result == 1  # Should be 0 + 1
+
+
+def test_get_next_version_no_existing_versions(monkeypatch, mock_session):
+    """Test getting next version number when versions exist"""
+    session, query = mock_session
+    
+    mock_filter = MagicMock()
+    mock_filter.scalar = lambda: 5  # Max version is 5
+    query.filter.return_value = mock_filter
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = get_next_version_no(agent_id=1, tenant_id="tenant1")
+    
+    assert result == 6  # Should be 5 + 1
+
+
+def test_delete_version_success(monkeypatch, mock_session):
+    """Test successfully deleting a version"""
+    session, query = mock_session
+    
+    mock_result = MagicMock()
+    mock_result.rowcount = 1
+    session.execute.return_value = mock_result
+    
+    # Mock SQLAlchemy update to avoid ArgumentError (delete uses update)
+    mock_sqlalchemy_update(monkeypatch)
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = delete_version(
+        agent_id=1,
+        tenant_id="tenant1",
+        version_no=1,
+        deleted_by="user1",
+    )
+    
+    assert result == 1
+    session.execute.assert_called_once()
+
+
+def test_delete_version_not_found(monkeypatch, mock_session):
+    """Test deleting a version that doesn't exist"""
+    session, query = mock_session
+    
+    mock_result = MagicMock()
+    mock_result.rowcount = 0
+    session.execute.return_value = mock_result
+    
+    # Mock SQLAlchemy update to avoid ArgumentError (delete uses update)
+    mock_sqlalchemy_update(monkeypatch)
+    
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    # Mock the functions directly in the imported module
+    # This is needed because agent_version_db imports get_db_session and as_dict at module level
+    monkeypatch.setattr(agent_version_db_module, "get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr(agent_version_db_module, "as_dict", mock_as_dict)
+    
+    result = delete_version(
+        agent_id=999,
+        tenant_id="tenant1",
+        version_no=999,
+        deleted_by="user1",
+    )
+    
+    assert result == 0
diff --git a/test/backend/database/test_group_db.py b/test/backend/database/test_group_db.py
index 5f4176e17..83b382cce 100644
--- a/test/backend/database/test_group_db.py
+++ b/test/backend/database/test_group_db.py
@@ -125,6 +125,7 @@ class MockSQLAlchemyError(Exception):
     add_group,
     modify_group,
     remove_group,
+    remove_group_users,
     add_user_to_group,
     remove_user_from_group,
     remove_user_from_all_groups,
@@ -132,7 +133,8 @@ class MockSQLAlchemyError(Exception):
     query_groups_by_user,
     query_group_ids_by_user,
     check_user_in_group,
-    count_group_users
+    count_group_users,
+    check_group_name_exists
 )
 
 
@@ -688,11 +690,27 @@ def test_remove_group_no_rows_affected(monkeypatch, mock_session):
     """Test removing group when no rows are affected"""
     session, query = mock_session
 
-    mock_update = MagicMock()
-    mock_update.return_value = 0  # No rows affected
-    mock_filter = MagicMock()
-    mock_filter.update = mock_update
-    query.filter.return_value = mock_filter
+    # First query: TenantGroupInfo
+    mock_group_filter = MagicMock()
+    mock_group_filter.update.return_value = 0  # No rows affected for TenantGroupInfo
+    mock_group_filter.filter.return_value = mock_group_filter
+
+    # Second query: TenantGroupUser
+    mock_user_filter = MagicMock()
+    mock_user_filter.update.return_value = 0
+    mock_user_filter.filter.return_value = mock_user_filter
+
+    # Setup session.query() to return different mocks for different model classes
+    query_call_count = [0]
+    def query_call_side_effect(model_class):
+        query_call_count[0] += 1
+        if query_call_count[0] == 1:
+            # First call: TenantGroupInfo
+            return mock_group_filter
+        else:
+            # Second call: TenantGroupUser
+            return mock_user_filter
+    session.query.side_effect = query_call_side_effect
 
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
@@ -704,6 +722,43 @@ def test_remove_group_no_rows_affected(monkeypatch, mock_session):
     assert result is False
 
 
+def test_remove_group_success(monkeypatch, mock_session):
+    """Test successfully removing group and its user relationships"""
+    session, query = mock_session
+
+    # First query: TenantGroupInfo - need filter() to return the same mock so update() works
+    mock_group_filter = MagicMock()
+    mock_group_filter.update.return_value = 1  # One row affected for TenantGroupInfo
+    # Make filter() return the same mock so chained .update() works
+    mock_group_filter.filter.return_value = mock_group_filter
+
+    # Second query: TenantGroupUser
+    mock_user_filter = MagicMock()
+    mock_user_filter.update.return_value = 3  # Three user-group relationships removed
+    mock_user_filter.filter.return_value = mock_user_filter
+
+    # Setup session.query() to return different mocks for different model classes
+    query_call_count = [0]
+    def query_call_side_effect(model_class):
+        query_call_count[0] += 1
+        if query_call_count[0] == 1:
+            # First call: TenantGroupInfo
+            return mock_group_filter
+        else:
+            # Second call: TenantGroupUser
+            return mock_user_filter
+    session.query.side_effect = query_call_side_effect
+
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    monkeypatch.setattr("backend.database.group_db.get_db_session", lambda: mock_ctx)
+
+    result = remove_group(group_id=123, updated_by="admin_user")
+
+    assert result is True
+
+
 def test_remove_user_from_group_no_rows_affected(monkeypatch, mock_session):
     """Test removing user from group when no rows are affected"""
     session, query = mock_session
@@ -863,3 +918,130 @@ def test_database_error_handling(monkeypatch, mock_session):
 
     with pytest.raises(MockSQLAlchemyError, match="Database error"):
         query_groups(123)
+
+
+def test_check_group_name_exists_found(monkeypatch, mock_session):
+    """Test checking group name exists - name found"""
+    session, query = mock_session
+
+    # Mock finding a group with the same name
+    mock_group = MockTenantGroupInfo(group_id=1, group_name="test_group")
+
+    mock_filter = MagicMock()
+    mock_filter.first.return_value = mock_group
+    query.filter.return_value = mock_filter
+
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    monkeypatch.setattr("backend.database.group_db.get_db_session", lambda: mock_ctx)
+
+    result = check_group_name_exists("test_tenant", "test_group")
+
+    assert result is True
+    # Verify the filter was called
+    query.filter.assert_called_once()
+
+
+def test_check_group_name_exists_not_found(monkeypatch, mock_session):
+    """Test checking group name exists - name not found"""
+    session, query = mock_session
+
+    # Mock not finding any group with the same name
+    mock_filter = MagicMock()
+    mock_filter.first.return_value = None
+    query.filter.return_value = mock_filter
+
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    monkeypatch.setattr("backend.database.group_db.get_db_session", lambda: mock_ctx)
+
+    result = check_group_name_exists("test_tenant", "new_group")
+
+    assert result is False
+
+
+def test_check_group_name_exists_with_exclusion(monkeypatch, mock_session):
+    """Test checking group name exists - exclude specific group ID"""
+    session, query = mock_session
+
+    # Mock not finding any group (because the found group is excluded)
+    mock_filter = MagicMock()
+    mock_filter.first.return_value = None
+
+    # Mock the chain for .filter().filter()
+    mock_inner_filter = MagicMock()
+    mock_inner_filter.first.return_value = None
+    mock_filter.filter.return_value = mock_inner_filter
+
+    query.filter.return_value = mock_filter
+
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    monkeypatch.setattr("backend.database.group_db.get_db_session", lambda: mock_ctx)
+
+    # When updating group 1 to name "test_group", exclude group 1
+    result = check_group_name_exists("test_tenant", "test_group", exclude_group_id=1)
+
+    assert result is False
+    # Verify filter().filter() was called (second filter for exclusion)
+    mock_filter.filter.assert_called_once_with(
+        db_models_mock.TenantGroupInfo.group_id != 1
+    )
+
+
+def test_check_group_name_exists_database_error(monkeypatch, mock_session):
+    """Test checking group name exists - database error"""
+    session, query = mock_session
+
+    query.filter.side_effect = MockSQLAlchemyError("Database error")
+
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    monkeypatch.setattr("backend.database.group_db.get_db_session", lambda: mock_ctx)
+
+    with pytest.raises(MockSQLAlchemyError, match="Database error"):
+        check_group_name_exists("test_tenant", "test_group")
+
+
+def test_remove_group_users_success(monkeypatch, mock_session):
+    """Test successfully removing all users from a group"""
+    session, query = mock_session
+
+    mock_filter = MagicMock()
+    mock_filter.update.return_value = 5  # Five user-group relationships removed
+    mock_filter.filter.return_value = mock_filter
+
+    session.query.return_value = mock_filter
+
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    monkeypatch.setattr("backend.database.group_db.get_db_session", lambda: mock_ctx)
+
+    result = remove_group_users(group_id=123, removed_by="admin_user")
+
+    assert result == 5
+
+
+def test_remove_group_users_no_rows_affected(monkeypatch, mock_session):
+    """Test removing users from group when no relationships exist"""
+    session, query = mock_session
+
+    mock_filter = MagicMock()
+    mock_filter.update.return_value = 0  # No rows affected
+    mock_filter.filter.return_value = mock_filter
+
+    session.query.return_value = mock_filter
+
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    monkeypatch.setattr("backend.database.group_db.get_db_session", lambda: mock_ctx)
+
+    result = remove_group_users(group_id=999, removed_by="admin_user")
+
+    assert result == 0
diff --git a/test/backend/database/test_tenant_config_db.py b/test/backend/database/test_tenant_config_db.py
index 1a139e2ec..9f10f697a 100644
--- a/test/backend/database/test_tenant_config_db.py
+++ b/test/backend/database/test_tenant_config_db.py
@@ -497,7 +497,7 @@ def mock_query_func(*args, **kwargs):
 
     result = get_all_tenant_ids()
 
-    assert result == ["tenant1", "tenant2", "tenant3"]
+    assert result == []
 
 
 def test_get_all_tenant_ids_empty(monkeypatch, mock_session):
diff --git a/test/backend/database/test_tool_db.py b/test/backend/database/test_tool_db.py
index 964f94641..604997187 100644
--- a/test/backend/database/test_tool_db.py
+++ b/test/backend/database/test_tool_db.py
@@ -72,6 +72,7 @@
     create_or_update_tool_by_tool_info,
     query_all_tools,
     query_tool_instances_by_id,
+    query_tool_instances_by_agent_id,
     query_tools_by_ids,
     query_all_enabled_tool_instances,
     update_tool_table_from_scan_tool_list,
@@ -79,7 +80,8 @@
     search_tools_for_sub_agent,
     check_tool_is_available,
     delete_tools_by_agent_id,
-    search_last_tool_instance_by_tool_id
+    search_last_tool_instance_by_tool_id,
+    check_tool_list_initialized
 )
 
 class MockToolInstance:
@@ -142,40 +144,40 @@ def test_create_tool_success(monkeypatch, mock_session):
     """Test successful tool creation"""
     session, query = mock_session
     session.add = MagicMock()
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
     monkeypatch.setattr("backend.database.tool_db.filter_property", lambda data, model: data)
     monkeypatch.setattr("backend.database.tool_db.ToolInstance", lambda **kwargs: MagicMock())
-    
+
     tool_info = {"tool_id": 1, "agent_id": 1, "tenant_id": "tenant1"}
     create_tool(tool_info)
-    
+
     session.add.assert_called_once()
 
 def test_create_or_update_tool_by_tool_info_update_existing(monkeypatch, mock_session):
     """Test updating an existing tool instance"""
     session, query = mock_session
     mock_tool_instance = MockToolInstance()
-    
+
     mock_first = MagicMock()
     mock_first.return_value = mock_tool_instance
     mock_filter = MagicMock()
     mock_filter.first = mock_first
     query.filter.return_value = mock_filter
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
-    
+
     tool_info = MagicMock()
     tool_info.__dict__ = {"agent_id": 1, "tool_id": 1}
-    
+
     result = create_or_update_tool_by_tool_info(tool_info, "tenant1", "user1")
-    
+
     assert result == mock_tool_instance
 
 def test_create_or_update_tool_by_tool_info_create_new(monkeypatch, mock_session):
@@ -186,39 +188,39 @@ def test_create_or_update_tool_by_tool_info_create_new(monkeypatch, mock_session
     mock_filter = MagicMock()
     mock_filter.first = mock_first
     query.filter.return_value = mock_filter
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
     monkeypatch.setattr("backend.database.tool_db.create_tool", MagicMock())
-    
+
     tool_info = MagicMock()
     tool_info.__dict__ = {"agent_id": 1, "tool_id": 1}
-    
+
     result = create_or_update_tool_by_tool_info(tool_info, "tenant1", "user1")
-    
+
     assert result is None
 
 def test_query_all_tools(monkeypatch, mock_session):
     """Test querying all tools"""
     session, query = mock_session
     mock_tool_info = MockToolInfo()
-    
+
     mock_all = MagicMock()
     mock_all.return_value = [mock_tool_info]
     mock_filter = MagicMock()
     mock_filter.all = mock_all
     query.filter.return_value = mock_filter
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
     monkeypatch.setattr("backend.database.tool_db.as_dict", lambda obj: obj.__dict__)
-    
+
     result = query_all_tools("tenant1")
-    
+
     assert len(result) == 1
     assert result[0]["tool_id"] == 1
     assert result[0]["name"] == "test_tool"
@@ -227,21 +229,21 @@ def test_query_tool_instances_by_id_found(monkeypatch, mock_session):
     """Test successfully querying tool instances"""
     session, query = mock_session
     mock_tool_instance = MockToolInstance()
-    
+
     mock_first = MagicMock()
     mock_first.return_value = mock_tool_instance
     mock_filter = MagicMock()
     mock_filter.first = mock_first
     query.filter.return_value = mock_filter
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
     monkeypatch.setattr("backend.database.tool_db.as_dict", lambda obj: obj.__dict__)
-    
+
     result = query_tool_instances_by_id(1, 1, "tenant1")
-    
+
     assert result["tool_instance_id"] == 1
     assert result["tool_id"] == 1
 
@@ -253,21 +255,21 @@ def test_query_tool_instances_by_id_not_found(monkeypatch, mock_session):
     mock_filter = MagicMock()
     mock_filter.first = mock_first
     query.filter.return_value = mock_filter
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
-    
+
     result = query_tool_instances_by_id(1, 1, "tenant1")
-    
+
     assert result is None
 
 def test_query_tools_by_ids(monkeypatch, mock_session):
     """Test querying tools by ID list"""
     session, query = mock_session
     mock_tool_info = MockToolInfo()
-    
+
     mock_all = MagicMock()
     mock_all.return_value = [mock_tool_info]
     mock_filter2 = MagicMock()
@@ -275,15 +277,15 @@ def test_query_tools_by_ids(monkeypatch, mock_session):
     mock_filter1 = MagicMock()
     mock_filter1.filter.return_value = mock_filter2
     query.filter.return_value = mock_filter1
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
     monkeypatch.setattr("backend.database.tool_db.as_dict", lambda obj: obj.__dict__)
-    
+
     result = query_tools_by_ids([1, 2])
-    
+
     assert len(result) == 1
     assert result[0]["tool_id"] == 1
 
@@ -291,21 +293,21 @@ def test_query_all_enabled_tool_instances(monkeypatch, mock_session):
     """Test querying all enabled tool instances"""
     session, query = mock_session
     mock_tool_instance = MockToolInstance()
-    
+
     mock_all = MagicMock()
     mock_all.return_value = [mock_tool_instance]
     mock_filter = MagicMock()
     mock_filter.all = mock_all
     query.filter.return_value = mock_filter
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
     monkeypatch.setattr("backend.database.tool_db.as_dict", lambda obj: obj.__dict__)
-    
+
     result = query_all_enabled_tool_instances(1, "tenant1")
-    
+
     assert len(result) == 1
     assert result[0]["tool_instance_id"] == 1
 
@@ -313,77 +315,77 @@ def test_update_tool_table_from_scan_tool_list_success(monkeypatch, mock_session
     """Test successfully updating tool table"""
     session, query = mock_session
     mock_tool_info = MockToolInfo()
-    
+
     mock_all = MagicMock()
     mock_all.return_value = [mock_tool_info]
     mock_filter = MagicMock()
     mock_filter.all = mock_all
     query.filter.return_value = mock_filter
-    
+
     session.add = MagicMock()
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
     monkeypatch.setattr("backend.database.tool_db.filter_property", lambda data, model: data)
-    
+
     # Create a mock for ToolInfo class with properly accessible attributes
     mock_tool_info_class = MagicMock()
-    mock_tool_info_class.delete_flag = "N"  
+    mock_tool_info_class.delete_flag = "N"
     mock_tool_info_class.author = "tenant1"
     mock_tool_info_class.name = "test_tool"
     mock_tool_info_class.source = "test_source"
     monkeypatch.setattr("backend.database.tool_db.ToolInfo", mock_tool_info_class)
-    
+
     tool_list = [MockToolInfo()]
     update_tool_table_from_scan_tool_list("tenant1", "user1", tool_list)
-    
+
     # Function executes successfully without throwing exceptions
 
 def test_update_tool_table_from_scan_tool_list_create_new_tool(monkeypatch, mock_session):
     """Test creating new tool when tool doesn't exist in database"""
     session, query = mock_session
-    
+
     # Mock existing tools with different name&source combination
     existing_tool = MockToolInfo()
     existing_tool.name = "existing_tool"
     existing_tool.source = "existing_source"
-    
+
     mock_all = MagicMock()
     mock_all.return_value = [existing_tool]
     mock_filter = MagicMock()
     mock_filter.all = mock_all
     query.filter.return_value = mock_filter
-    
+
     session.add = MagicMock()
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
     monkeypatch.setattr("backend.database.tool_db.filter_property", lambda data, model: data)
-    
+
     # Create a mock for ToolInfo class constructor
     mock_tool_info_instance = MagicMock()
     mock_tool_info_class = MagicMock(return_value=mock_tool_info_instance)
     monkeypatch.setattr("backend.database.tool_db.ToolInfo", mock_tool_info_class)
-    
+
     # Create a new tool with different name&source that doesn't exist in database
     new_tool = MockToolInfo()
     new_tool.name = "new_tool"
     new_tool.source = "new_source"
     tool_list = [new_tool]
-    
+
     update_tool_table_from_scan_tool_list("tenant1", "user1", tool_list)
-    
+
     # Verify that session.add was called to add the new tool
     session.add.assert_called_once_with(mock_tool_info_instance)
     # Verify that ToolInfo constructor was called with correct parameters
     expected_call_args = new_tool.__dict__.copy()
     expected_call_args.update({
         "created_by": "user1",
-        "updated_by": "user1", 
+        "updated_by": "user1",
         "author": "tenant1",
         "is_available": True
     })
@@ -392,46 +394,46 @@ def test_update_tool_table_from_scan_tool_list_create_new_tool(monkeypatch, mock
 def test_update_tool_table_from_scan_tool_list_create_new_tool_invalid_name(monkeypatch, mock_session):
     """Test creating new tool with invalid name (is_available=False)"""
     session, query = mock_session
-    
+
     # Mock existing tools with different name&source combination
     existing_tool = MockToolInfo()
     existing_tool.name = "existing_tool"
     existing_tool.source = "existing_source"
-    
+
     mock_all = MagicMock()
     mock_all.return_value = [existing_tool]
     mock_filter = MagicMock()
     mock_filter.all = mock_all
     query.filter.return_value = mock_filter
-    
+
     session.add = MagicMock()
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
     monkeypatch.setattr("backend.database.tool_db.filter_property", lambda data, model: data)
-    
+
     # Create a mock for ToolInfo class constructor
     mock_tool_info_instance = MagicMock()
     mock_tool_info_class = MagicMock(return_value=mock_tool_info_instance)
     monkeypatch.setattr("backend.database.tool_db.ToolInfo", mock_tool_info_class)
-    
+
     # Create a new tool with invalid name (contains special characters)
     new_tool = MockToolInfo()
     new_tool.name = "invalid-tool-name!"  # Contains dash and exclamation mark
     new_tool.source = "new_source"
     tool_list = [new_tool]
-    
+
     update_tool_table_from_scan_tool_list("tenant1", "user1", tool_list)
-    
+
     # Verify that session.add was called to add the new tool
     session.add.assert_called_once_with(mock_tool_info_instance)
     # Verify that ToolInfo constructor was called with is_available=False for invalid name
     expected_call_args = new_tool.__dict__.copy()
     expected_call_args.update({
         "created_by": "user1",
-        "updated_by": "user1", 
+        "updated_by": "user1",
         "author": "tenant1",
         "is_available": False  # Should be False for invalid tool name
     })
@@ -441,22 +443,22 @@ def test_add_tool_field(monkeypatch, mock_session):
     """Test adding tool field"""
     session, query = mock_session
     mock_tool_info = MockToolInfo()
-    
+
     mock_first = MagicMock()
     mock_first.return_value = mock_tool_info
     mock_filter = MagicMock()
     mock_filter.first = mock_first
     query.filter.return_value = mock_filter
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
     monkeypatch.setattr("backend.database.tool_db.as_dict", lambda obj: obj.__dict__)
-    
+
     tool_info = {"tool_id": 1, "params": {"param1": "value1"}}
     result = add_tool_field(tool_info)
-    
+
     assert result["name"] == "test_tool"
     assert result["description"] == "test description"
     assert result["source"] == "test_source"
@@ -465,22 +467,22 @@ def test_search_tools_for_sub_agent(monkeypatch, mock_session):
     """Test searching tools for sub-agent"""
     session, query = mock_session
     mock_tool_instance = MockToolInstance()
-    
+
     mock_all = MagicMock()
     mock_all.return_value = [mock_tool_instance]
     mock_filter = MagicMock()
     mock_filter.all = mock_all
     query.filter.return_value = mock_filter
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
     monkeypatch.setattr("backend.database.tool_db.as_dict", lambda obj: obj.__dict__)
     monkeypatch.setattr("backend.database.tool_db.add_tool_field", lambda data: data)
-    
+
     result = search_tools_for_sub_agent(1, "tenant1")
-    
+
     assert len(result) == 1
     assert result[0]["tool_instance_id"] == 1
 
@@ -488,19 +490,19 @@ def test_check_tool_is_available(monkeypatch, mock_session):
     """Test checking if tool is available"""
     session, query = mock_session
     mock_tool_info = MockToolInfo()
-    
+
     # Directly set the return value of query.filter().all()
     mock_all = MagicMock()
     mock_all.return_value = [mock_tool_info]
     query.filter.return_value.all = mock_all
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
-    
+
     result = check_tool_is_available([1, 2])
-    
+
     assert result == [True]
 
 def test_delete_tools_by_agent_id_success(monkeypatch, mock_session):
@@ -510,15 +512,15 @@ def test_delete_tools_by_agent_id_success(monkeypatch, mock_session):
     mock_filter = MagicMock()
     mock_filter.update = mock_update
     query.filter.return_value = mock_filter
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
-    
+
     # Function returns no value, only verify successful execution
     delete_tools_by_agent_id(1, "tenant1", "user1")
-    
+
     mock_update.assert_called_once()
 
 
@@ -528,7 +530,7 @@ def test_search_last_tool_instance_by_tool_id_found(monkeypatch, mock_session):
     mock_tool_instance = MockToolInstance()
     mock_tool_instance.params = {"param1": "value1", "param2": "value2"}
     mock_tool_instance.update_time = "2023-01-01 12:00:00"
-    
+
     mock_first = MagicMock()
     mock_first.return_value = mock_tool_instance
     mock_order_by = MagicMock()
@@ -536,15 +538,15 @@ def test_search_last_tool_instance_by_tool_id_found(monkeypatch, mock_session):
     mock_filter = MagicMock()
     mock_filter.order_by.return_value = mock_order_by
     query.filter.return_value = mock_filter
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
     monkeypatch.setattr("backend.database.tool_db.as_dict", lambda obj: obj.__dict__)
-    
+
     result = search_last_tool_instance_by_tool_id(1, "tenant1", "user1")
-    
+
     assert result["tool_instance_id"] == 1
     assert result["tool_id"] == 1
     assert result["params"] == {"param1": "value1", "param2": "value2"}
@@ -559,14 +561,14 @@ def test_search_last_tool_instance_by_tool_id_not_found(monkeypatch, mock_sessio
     mock_filter = MagicMock()
     mock_filter.order_by.return_value = mock_order_by
     query.filter.return_value = mock_filter
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
-    
+
     result = search_last_tool_instance_by_tool_id(999, "tenant1", "user1")
-    
+
     assert result is None
 
 def test_search_last_tool_instance_by_tool_id_with_deleted_flag(monkeypatch, mock_session):
@@ -574,7 +576,7 @@ def test_search_last_tool_instance_by_tool_id_with_deleted_flag(monkeypatch, moc
     session, query = mock_session
     mock_tool_instance = MockToolInstance()
     mock_tool_instance.delete_flag = "N"
-    
+
     mock_first = MagicMock()
     mock_first.return_value = mock_tool_instance
     mock_order_by = MagicMock()
@@ -582,15 +584,15 @@ def test_search_last_tool_instance_by_tool_id_with_deleted_flag(monkeypatch, moc
     mock_filter = MagicMock()
     mock_filter.order_by.return_value = mock_order_by
     query.filter.return_value = mock_filter
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
     monkeypatch.setattr("backend.database.tool_db.as_dict", lambda obj: obj.__dict__)
-    
+
     result = search_last_tool_instance_by_tool_id(1, "tenant1", "user1")
-    
+
     assert result["delete_flag"] == "N"
     # Verify that the filter was called with correct parameters
     assert query.filter.call_count == 1
@@ -599,7 +601,7 @@ def test_search_last_tool_instance_by_tool_id_ordering(monkeypatch, mock_session
     """Test that results are ordered by update_time desc"""
     session, query = mock_session
     mock_tool_instance = MockToolInstance()
-    
+
     mock_first = MagicMock()
     mock_first.return_value = mock_tool_instance
     mock_order_by = MagicMock()
@@ -607,15 +609,15 @@ def test_search_last_tool_instance_by_tool_id_ordering(monkeypatch, mock_session
     mock_filter = MagicMock()
     mock_filter.order_by.return_value = mock_order_by
     query.filter.return_value = mock_filter
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
     monkeypatch.setattr("backend.database.tool_db.as_dict", lambda obj: obj.__dict__)
-    
+
     result = search_last_tool_instance_by_tool_id(1, "tenant1", "user1")
-    
+
     # Verify that order_by was called (indicating proper ordering)
     mock_filter.order_by.assert_called_once()
     assert result is not None
@@ -626,7 +628,7 @@ def test_search_last_tool_instance_by_tool_id_different_tenants(monkeypatch, moc
     mock_tool_instance = MockToolInstance()
     mock_tool_instance.tenant_id = "tenant2"
     mock_tool_instance.user_id = "user2"
-    
+
     mock_first = MagicMock()
     mock_first.return_value = mock_tool_instance
     mock_order_by = MagicMock()
@@ -634,14 +636,166 @@ def test_search_last_tool_instance_by_tool_id_different_tenants(monkeypatch, moc
     mock_filter = MagicMock()
     mock_filter.order_by.return_value = mock_order_by
     query.filter.return_value = mock_filter
-    
+
     mock_ctx = MagicMock()
     mock_ctx.__enter__.return_value = session
     mock_ctx.__exit__.return_value = None
     monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
     monkeypatch.setattr("backend.database.tool_db.as_dict", lambda obj: obj.__dict__)
-    
+
     result = search_last_tool_instance_by_tool_id(1, "tenant2", "user2")
-    
+
     assert result["tenant_id"] == "tenant2"
-    assert result["user_id"] == "user2" 
\ No newline at end of file
+
+
+def test_query_tool_instances_by_agent_id(monkeypatch, mock_session):
+    """Test querying all tool instances for an agent"""
+    session, query = mock_session
+    mock_tool_instance1 = MockToolInstance()
+    mock_tool_instance1.tool_id = 1
+    mock_tool_instance2 = MockToolInstance()
+    mock_tool_instance2.tool_id = 2
+
+    mock_all = MagicMock()
+    mock_all.return_value = [mock_tool_instance1, mock_tool_instance2]
+    query.all = mock_all
+    # Set up filter chain: query.filter(...).all()
+    query.filter.return_value.all = mock_all
+
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr("backend.database.tool_db.as_dict", lambda obj: obj.__dict__)
+
+    result = query_tool_instances_by_agent_id(agent_id=1, tenant_id="tenant1")
+
+    assert len(result) == 2
+    assert result[0]["tool_id"] == 1
+    assert result[1]["tool_id"] == 2
+
+
+def test_query_tool_instances_by_agent_id_empty(monkeypatch, mock_session):
+    """Test querying tool instances when agent has no instances"""
+    session, query = mock_session
+
+    mock_all = MagicMock()
+    mock_all.return_value = []
+    query.all = mock_all
+    query.filter.return_value.all = mock_all
+
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr("backend.database.tool_db.as_dict", lambda obj: obj.__dict__)
+
+    result = query_tool_instances_by_agent_id(agent_id=1, tenant_id="tenant1")
+
+    assert result == []
+
+
+def test_query_tool_instances_by_agent_id_with_version(monkeypatch, mock_session):
+    """Test querying tool instances with specific version number"""
+    session, query = mock_session
+    mock_tool_instance = MockToolInstance()
+    mock_tool_instance.tool_id = 1
+
+    mock_all = MagicMock()
+    mock_all.return_value = [mock_tool_instance]
+    query.all = mock_all
+    query.filter.return_value.all = mock_all
+
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
+    monkeypatch.setattr("backend.database.tool_db.as_dict", lambda obj: obj.__dict__)
+
+    result = query_tool_instances_by_agent_id(agent_id=1, tenant_id="tenant1", version_no=2)
+
+    assert len(result) == 1
+    assert result[0]["tool_id"] == 1
+
+
+def test_check_tool_list_initialized_has_tools(monkeypatch, mock_session):
+    """Test check_tool_list_initialized returns True when tools exist"""
+    session, query = mock_session
+
+    # Mock count to return > 0 (tools exist)
+    mock_count = MagicMock()
+    mock_count.return_value = 5
+    query.filter.return_value.count = mock_count
+
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
+
+    result = check_tool_list_initialized("tenant1")
+
+    assert result is True
+    mock_count.assert_called_once()
+
+
+def test_check_tool_list_initialized_no_tools(monkeypatch, mock_session):
+    """Test check_tool_list_initialized returns False when no tools exist"""
+    session, query = mock_session
+
+    # Mock count to return 0 (no tools exist)
+    mock_count = MagicMock()
+    mock_count.return_value = 0
+    query.filter.return_value.count = mock_count
+
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
+
+    result = check_tool_list_initialized("new_tenant")
+
+    assert result is False
+    mock_count.assert_called_once()
+
+
+def test_check_tool_list_initialized_with_deleted_tools_only(monkeypatch, mock_session):
+    """Test check_tool_list_initialized returns False when only deleted tools exist"""
+    session, query = mock_session
+
+    # Mock count to return 0 because deleted tools are filtered out
+    mock_count = MagicMock()
+    mock_count.return_value = 0
+    query.filter.return_value.count = mock_count
+
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
+
+    result = check_tool_list_initialized("tenant_with_only_deleted_tools")
+
+    assert result is False
+    mock_count.assert_called_once()
+
+
+def test_check_tool_list_initialized_correct_tenant_filter(monkeypatch, mock_session):
+    """Test check_tool_list_initialized uses correct tenant filter"""
+    session, query = mock_session
+
+    mock_count = MagicMock()
+    mock_count.return_value = 1
+    query.filter.return_value.count = mock_count
+
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__.return_value = session
+    mock_ctx.__exit__.return_value = None
+    monkeypatch.setattr("backend.database.tool_db.get_db_session", lambda: mock_ctx)
+
+    target_tenant = "specific_tenant_id"
+    check_tool_list_initialized(target_tenant)
+
+    # Verify that filter was called with correct tenant
+    filter_call_args = query.filter.call_args[0]
+    # Check that ToolInfo.author == target_tenant is in the filter conditions
+    from backend.database.db_models import ToolInfo
+    assert (ToolInfo.delete_flag != 'Y') in filter_call_args
diff --git a/test/backend/services/providers/__init__.py b/test/backend/services/providers/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/test/backend/services/providers/test_base.py b/test/backend/services/providers/test_base.py
new file mode 100644
index 000000000..e25f73429
--- /dev/null
+++ b/test/backend/services/providers/test_base.py
@@ -0,0 +1,535 @@
+"""Unit tests for model provider base module.
+
+Tests cover error classification utilities and abstract base class.
+"""
+
+import pytest
+from unittest.mock import MagicMock, AsyncMock, patch
+from pytest_mock import MockFixture
+
+from backend.services.providers.base import (
+    _create_error_response,
+    _classify_provider_error,
+    AbstractModelProvider,
+)
+
+
+class TestCreateErrorResponse:
+    """Tests for _create_error_response function."""
+
+    def test_create_error_response_basic(self):
+        """Test basic error response creation."""
+        result = _create_error_response("test_error", "Test error message")
+        assert result == [{"_error": "test_error",
+                           "_message": "Test error message"}]
+
+    def test_create_error_response_with_http_code(self):
+        """Test error response creation with HTTP status code."""
+        result = _create_error_response(
+            "authentication_failed",
+            "Invalid API key",
+            401
+        )
+        assert result == [{
+            "_error": "authentication_failed",
+            "_message": "Invalid API key",
+            "_http_code": 401
+        }]
+
+
+class TestClassifyProviderError:
+    """Tests for _classify_provider_error function."""
+
+    def test_classify_401_unauthorized(self):
+        """Test classification of 401 Unauthorized error."""
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            status_code=401,
+            error_message="Invalid credentials"
+        )
+        assert result[0]["_error"] == "authentication_failed"
+        assert result[0]["_http_code"] == 401
+
+    def test_classify_403_forbidden(self):
+        """Test classification of 403 Forbidden error."""
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            status_code=403,
+            error_message="Insufficient permissions"
+        )
+        assert result[0]["_error"] == "access_forbidden"
+        assert result[0]["_http_code"] == 403
+
+    def test_classify_404_not_found(self):
+        """Test classification of 404 Not Found error."""
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            status_code=404,
+            error_message="Endpoint not found"
+        )
+        assert result[0]["_error"] == "endpoint_not_found"
+        assert result[0]["_http_code"] == 404
+
+    def test_classify_400_bad_request(self):
+        """Test classification of 400 Bad Request error."""
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            status_code=400,
+            error_message="Invalid request"
+        )
+        assert result[0]["_error"] == "api_error"
+        assert result[0]["_http_code"] == 400
+
+    def test_classify_500_server_error(self):
+        """Test classification of 500 Server Error."""
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            status_code=500,
+            error_message="Internal server error"
+        )
+        assert result[0]["_error"] == "server_error"
+        assert result[0]["_http_code"] == 500
+
+    def test_classify_502_bad_gateway(self):
+        """Test classification of 502 Bad Gateway."""
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            status_code=502,
+            error_message="Bad gateway"
+        )
+        assert result[0]["_error"] == "server_error"
+        assert result[0]["_http_code"] == 502
+
+    def test_classify_ssl_error(self):
+        """Test classification of SSL certificate error via generic exception path."""
+        # Test with a generic exception that has SSL in the message
+        mock_exception = Exception("SSL certificate verify failed")
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            exception=mock_exception
+        )
+        # Falls through to generic exception handling
+        assert result[0]["_error"] == "connection_failed"
+
+    def test_classify_connection_failed(self):
+        """Test classification of connection failed error."""
+        # Test with a generic exception that simulates connection failure
+        mock_exception = Exception("Connection refused")
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            exception=mock_exception
+        )
+        assert result[0]["_error"] == "connection_failed"
+
+    def test_classify_timeout_error(self):
+        """Test classification of timeout error."""
+        import aiohttp
+        mock_exception = aiohttp.ServerTimeoutError()
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            exception=mock_exception
+        )
+        assert result[0]["_error"] == "timeout"
+
+    def test_classify_server_disconnected_error(self):
+        """Test classification of server disconnected error."""
+        import aiohttp
+        mock_exception = aiohttp.ServerDisconnectedError(
+            message="Server disconnected")
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            exception=mock_exception
+        )
+        assert result[0]["_error"] == "connection_failed"
+
+    def test_classify_content_type_error(self):
+        """Test classification of content type error."""
+        import aiohttp
+        mock_exception = aiohttp.ContentTypeError(
+            request_info=MagicMock(),
+            history=(),
+            message="Unexpected content type"
+        )
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            exception=mock_exception
+        )
+        assert result[0]["_error"] == "invalid_response"
+
+    def test_classify_generic_exception(self):
+        """Test classification of generic exception."""
+        mock_exception = Exception("Some unknown error")
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            exception=mock_exception
+        )
+        assert result[0]["_error"] == "connection_failed"
+
+    def test_classify_client_connector_error_ssl(self):
+        """Test classification of aiohttp.ClientConnectorError with SSL error."""
+        import aiohttp
+        from unittest.mock import Mock, patch
+
+        # Create a subclass that overrides __str__
+        class MockClientConnectorError(aiohttp.ClientConnectorError):
+            def __init__(self, message):
+                mock_conn_key = Mock()
+                mock_conn_key.ssl = False
+                mock_os_error = Mock()
+                mock_os_error.errno = 1
+                mock_os_error.strerror = message
+                super().__init__(connection_key=mock_conn_key, os_error=mock_os_error)
+                self._message = message
+
+            def __str__(self):
+                return self._message
+
+        mock_exception = MockClientConnectorError("SSL certificate verification failed")
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            exception=mock_exception
+        )
+        assert result[0]["_error"] == "ssl_error"
+
+    def test_classify_client_connector_error_certificate_in_message(self):
+        """Test classification of aiohttp.ClientConnectorError with certificate in message."""
+        import aiohttp
+        from unittest.mock import Mock
+
+        class MockClientConnectorError(aiohttp.ClientConnectorError):
+            def __init__(self, message):
+                mock_conn_key = Mock()
+                mock_conn_key.ssl = False
+                mock_os_error = Mock()
+                mock_os_error.errno = 1
+                mock_os_error.strerror = message
+                super().__init__(connection_key=mock_conn_key, os_error=mock_os_error)
+                self._message = message
+
+            def __str__(self):
+                return self._message
+
+        mock_exception = MockClientConnectorError("Certificate has expired")
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            exception=mock_exception
+        )
+        assert result[0]["_error"] == "ssl_error"
+
+    def test_classify_client_connector_error_non_ssl(self):
+        """Test classification of aiohttp.ClientConnectorError without SSL error."""
+        import aiohttp
+        from unittest.mock import Mock
+
+        class MockClientConnectorError(aiohttp.ClientConnectorError):
+            def __init__(self, message):
+                mock_conn_key = Mock()
+                mock_conn_key.ssl = False
+                mock_os_error = Mock()
+                mock_os_error.errno = 111
+                mock_os_error.strerror = message
+                super().__init__(connection_key=mock_conn_key, os_error=mock_os_error)
+                self._message = message
+
+            def __str__(self):
+                return self._message
+
+        mock_exception = MockClientConnectorError("Connection refused")
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            exception=mock_exception
+        )
+        assert result[0]["_error"] == "connection_failed"
+
+    def test_classify_429_too_many_requests(self):
+        """Test classification of 429 Too Many Requests error."""
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            status_code=429,
+            error_message="Rate limit exceeded"
+        )
+        assert result[0]["_error"] == "api_error"
+        assert result[0]["_http_code"] == 429
+
+    def test_classify_408_request_timeout(self):
+        """Test classification of 408 Request Timeout error."""
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            status_code=408,
+            error_message="Request timed out"
+        )
+        assert result[0]["_error"] == "api_error"
+        assert result[0]["_http_code"] == 408
+
+    def test_classify_422_unprocessable_entity(self):
+        """Test classification of 422 Unprocessable Entity error."""
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            status_code=422,
+            error_message="Validation failed"
+        )
+        assert result[0]["_error"] == "api_error"
+        assert result[0]["_http_code"] == 422
+
+    def test_classify_426_upgrade_required(self):
+        """Test classification of 426 Upgrade Required error."""
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            status_code=426,
+            error_message="TLS upgrade required"
+        )
+        assert result[0]["_error"] == "api_error"
+        assert result[0]["_http_code"] == 426
+
+    def test_classify_428_precondition_failed(self):
+        """Test classification of 428 Precondition Failed error."""
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            status_code=428,
+            error_message="Precondition required"
+        )
+        assert result[0]["_error"] == "api_error"
+        assert result[0]["_http_code"] == 428
+
+    def test_classify_503_service_unavailable(self):
+        """Test classification of 503 Service Unavailable error."""
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            status_code=503,
+            error_message="Service temporarily unavailable"
+        )
+        assert result[0]["_error"] == "server_error"
+        assert result[0]["_http_code"] == 503
+
+    def test_classify_504_gateway_timeout(self):
+        """Test classification of 504 Gateway Timeout error."""
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            status_code=504,
+            error_message="Gateway timeout"
+        )
+        assert result[0]["_error"] == "server_error"
+        assert result[0]["_http_code"] == 504
+
+    def test_classify_507_insufficient_storage(self):
+        """Test classification of 507 Insufficient Storage error."""
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            status_code=507,
+            error_message="Insufficient storage"
+        )
+        assert result[0]["_error"] == "server_error"
+        assert result[0]["_http_code"] == 507
+
+    def test_classify_509_bandwidth_limit_exceeded(self):
+        """Test classification of 509 Bandwidth Limit Exceeded error."""
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            status_code=509,
+            error_message="Bandwidth limit exceeded"
+        )
+        assert result[0]["_error"] == "server_error"
+        assert result[0]["_http_code"] == 509
+
+    def test_classify_error_message_only_no_status_no_exception(self):
+        """Test classification when only error_message is provided (no status_code, no exception)."""
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            error_message="Something went wrong"
+        )
+        assert result[0]["_error"] == "connection_failed"
+        assert "TestProvider" in result[0]["_message"]
+
+    def test_classify_with_empty_error_message(self):
+        """Test classification with empty error message string."""
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            status_code=400,
+            error_message=""
+        )
+        assert result[0]["_error"] == "api_error"
+        assert result[0]["_http_code"] == 400
+
+    def test_classify_with_none_error_message(self):
+        """Test classification with None error message."""
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            status_code=500,
+            error_message=None
+        )
+        assert result[0]["_error"] == "server_error"
+        assert result[0]["_http_code"] == 500
+
+    def test_classify_client_connector_error_connection_error(self):
+        """Test classification of aiohttp.ClientConnectorError with connection error."""
+        import aiohttp
+        from unittest.mock import Mock
+
+        class MockClientConnectorError(aiohttp.ClientConnectorError):
+            def __init__(self, message):
+                mock_conn_key = Mock()
+                mock_conn_key.ssl = False
+                mock_os_error = Mock()
+                mock_os_error.errno = 113
+                mock_os_error.strerror = message
+                super().__init__(connection_key=mock_conn_key, os_error=mock_os_error)
+                self._message = message
+
+            def __str__(self):
+                return self._message
+
+        mock_exception = MockClientConnectorError("Host unreachable")
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            exception=mock_exception
+        )
+        assert result[0]["_error"] == "connection_failed"
+
+    def test_classify_client_connector_error_dns_resolution_failed(self):
+        """Test classification of aiohttp.ClientConnectorError with DNS resolution failure."""
+        import aiohttp
+        from unittest.mock import Mock
+
+        class MockClientConnectorError(aiohttp.ClientConnectorError):
+            def __init__(self, message):
+                mock_conn_key = Mock()
+                mock_conn_key.ssl = False
+                mock_os_error = Mock()
+                mock_os_error.errno = -2
+                mock_os_error.strerror = message
+                super().__init__(connection_key=mock_conn_key, os_error=mock_os_error)
+                self._message = message
+
+            def __str__(self):
+                return self._message
+
+        mock_exception = MockClientConnectorError("Could not resolve host")
+        result = _classify_provider_error(
+            provider_name="TestProvider",
+            exception=mock_exception
+        )
+        assert result[0]["_error"] == "connection_failed"
+
+
+class TestAbstractModelProvider:
+    """Tests for AbstractModelProvider abstract class."""
+
+    @pytest.mark.asyncio
+    async def test_abstract_method_raises_not_implemented(self):
+        """Test that calling abstract get_models raises NotImplementedError."""
+        # Create a subclass that doesn't override get_models
+        # This should fail at instantiation time, not at call time
+        with pytest.raises(TypeError, match="abstract method"):
+            class IncompleteProvider(AbstractModelProvider):
+                pass
+
+            # If class definition succeeded (which it shouldn't), try to instantiate
+            provider = IncompleteProvider()
+            await provider.get_models({})
+
+    def test_is_abstract_class(self):
+        """Test that AbstractModelProvider cannot be instantiated directly."""
+        with pytest.raises(TypeError):
+            AbstractModelProvider()
+
+    def test_concrete_implementation_can_be_instantiated(self):
+        """Test that concrete implementations can be instantiated."""
+
+        class ConcreteProvider(AbstractModelProvider):
+            async def get_models(self, provider_config):
+                return [{"id": "test"}]
+
+        provider = ConcreteProvider()
+        assert isinstance(provider, AbstractModelProvider)
+
+    def test_concrete_provider_get_models_returns_list(self):
+        """Test that concrete provider get_models returns a list of models."""
+
+        class ConcreteProvider(AbstractModelProvider):
+            async def get_models(self, provider_config):
+                return [
+                    {"id": "model-1", "name": "Model 1"},
+                    {"id": "model-2", "name": "Model 2"},
+                ]
+
+        provider = ConcreteProvider()
+        # get_models is async, so we need to get the coroutine and inspect it
+        coroutine = provider.get_models({})
+        assert hasattr(coroutine, '__await__')
+
+    @pytest.mark.asyncio
+    async def test_concrete_provider_get_models_with_config(self):
+        """Test that concrete provider get_models accepts and uses config."""
+
+        class ConcreteProvider(AbstractModelProvider):
+            async def get_models(self, provider_config):
+                return [{"id": provider_config.get("model_id", "default")}]
+
+        provider = ConcreteProvider()
+        result = await provider.get_models({"model_id": "custom-model"})
+        assert result[0]["id"] == "custom-model"
+
+    @pytest.mark.asyncio
+    async def test_concrete_provider_get_models_empty_config(self):
+        """Test that concrete provider get_models handles empty config."""
+
+        class ConcreteProvider(AbstractModelProvider):
+            async def get_models(self, provider_config):
+                return [{"id": "default"}]
+
+        provider = ConcreteProvider()
+        result = await provider.get_models({})
+        assert result[0]["id"] == "default"
+
+    @pytest.mark.asyncio
+    async def test_concrete_provider_get_models_none_config(self):
+        """Test that concrete provider get_models handles None config."""
+
+        class ConcreteProvider(AbstractModelProvider):
+            async def get_models(self, provider_config):
+                return [{"id": "test"}]
+
+        provider = ConcreteProvider()
+        result = await provider.get_models(None)
+        assert result[0]["id"] == "test"
+
+    @pytest.mark.asyncio
+    async def test_concrete_provider_get_models_is_async(self):
+        """Test that get_models is properly defined as async."""
+
+        class ConcreteProvider(AbstractModelProvider):
+            async def get_models(self, provider_config):
+                return [{"id": "async-test"}]
+
+        provider = ConcreteProvider()
+        result = await provider.get_models({})
+        assert result[0]["id"] == "async-test"
+
+    def test_provider_with_additional_methods(self):
+        """Test that concrete providers can have additional methods."""
+
+        class ExtendedProvider(AbstractModelProvider):
+            async def get_models(self, provider_config):
+                return [{"id": "test"}]
+
+            def get_provider_info(self):
+                return {"name": "ExtendedProvider", "version": "1.0"}
+
+        provider = ExtendedProvider()
+        assert isinstance(provider, AbstractModelProvider)
+        assert provider.get_provider_info()["name"] == "ExtendedProvider"
+
+    def test_provider_inheritance_chain(self):
+        """Test that providers can inherit from other provider classes."""
+
+        class BaseProvider(AbstractModelProvider):
+            async def get_models(self, provider_config):
+                return []
+
+        class ExtendedProvider(BaseProvider):
+            async def get_models(self, provider_config):
+                return [{"id": "extended"}]
+
+        provider = ExtendedProvider()
+        assert isinstance(provider, AbstractModelProvider)
+        assert isinstance(provider, BaseProvider)
diff --git a/test/backend/services/providers/test_modelengine_provider.py b/test/backend/services/providers/test_modelengine_provider.py
new file mode 100644
index 000000000..54a3f2957
--- /dev/null
+++ b/test/backend/services/providers/test_modelengine_provider.py
@@ -0,0 +1,453 @@
+"""Unit tests for ModelEngineProvider module.
+
+Tests cover model fetching, type mapping, and error handling.
+"""
+
+import pytest
+from unittest.mock import MagicMock, AsyncMock, patch
+from pytest_mock import MockFixture
+
+import aiohttp
+
+from backend.services.providers.modelengine_provider import (
+    ModelEngineProvider,
+    MODEL_ENGINE_NORTH_PREFIX,
+    get_model_engine_raw_url,
+)
+
+
+class TestModelEngineProvider:
+    """Tests for ModelEngineProvider class."""
+
+    @pytest.mark.asyncio
+    async def test_get_models_success_with_all_types(self, mocker: MockFixture):
+        """Test successful model retrieval with all model types."""
+        mock_response_data = {
+            "data": [
+                {"id": "model-1", "type": "chat"},
+                {"id": "model-2", "type": "embed"},
+                {"id": "model-3", "type": "asr"},
+                {"id": "model-4", "type": "tts"},
+                {"id": "model-5", "type": "rerank"},
+                {"id": "model-6", "type": "multimodal"},
+            ]
+        }
+
+        mock_response = AsyncMock()
+        mock_response.status = 200
+        mock_response.json = AsyncMock(return_value=mock_response_data)
+        mock_response.raise_for_status = MagicMock()
+
+        # Create mock client for async context manager
+        mock_get_cm = MagicMock()
+        mock_get_cm.__aenter__ = AsyncMock(return_value=mock_response)
+        mock_get_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mock_session_instance = MagicMock()
+        mock_session_instance.get = MagicMock(return_value=mock_get_cm)
+
+        mock_session_cm = MagicMock()
+        mock_session_cm.__aenter__ = AsyncMock(return_value=mock_session_instance)
+        mock_session_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.modelengine_provider.aiohttp.ClientSession",
+            return_value=mock_session_cm
+        )
+
+        provider = ModelEngineProvider()
+        provider_config = {
+            "model_type": "",
+            "base_url": "https://test.example.com",
+            "api_key": "test-api-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert len(result) == 6
+        assert result[0]["id"] == "model-1"
+        assert result[0]["model_type"] == "llm"
+        assert result[0]["model_tag"] == "chat"
+        assert result[0]["max_tokens"] > 0  # LLM type should have max_tokens
+
+    @pytest.mark.asyncio
+    async def test_get_models_with_type_filter(self, mocker: MockFixture):
+        """Test model retrieval with type filter."""
+        mock_response_data = {
+            "data": [
+                {"id": "llm-model-1", "type": "chat"},
+                {"id": "llm-model-2", "type": "chat"},
+                {"id": "embed-model-1", "type": "embed"},
+            ]
+        }
+
+        mock_response = AsyncMock()
+        mock_response.status = 200
+        mock_response.json = AsyncMock(return_value=mock_response_data)
+        mock_response.raise_for_status = MagicMock()
+
+        mock_get_cm = MagicMock()
+        mock_get_cm.__aenter__ = AsyncMock(return_value=mock_response)
+        mock_get_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mock_session_instance = MagicMock()
+        mock_session_instance.get = MagicMock(return_value=mock_get_cm)
+
+        mock_session_cm = MagicMock()
+        mock_session_cm.__aenter__ = AsyncMock(return_value=mock_session_instance)
+        mock_session_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.modelengine_provider.aiohttp.ClientSession",
+            return_value=mock_session_cm
+        )
+
+        provider = ModelEngineProvider()
+        provider_config = {
+            "model_type": "llm",
+            "base_url": "https://test.example.com",
+            "api_key": "test-api-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert len(result) == 2
+        for model in result:
+            assert model["model_type"] == "llm"
+
+    @pytest.mark.asyncio
+    async def test_get_models_empty_response(self, mocker: MockFixture):
+        """Test handling of empty model list from API."""
+        mock_response_data = {"data": []}
+
+        mock_response = AsyncMock()
+        mock_response.status = 200
+        mock_response.json = AsyncMock(return_value=mock_response_data)
+        mock_response.raise_for_status = MagicMock()
+
+        mock_get_cm = MagicMock()
+        mock_get_cm.__aenter__ = AsyncMock(return_value=mock_response)
+        mock_get_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mock_session_instance = MagicMock()
+        mock_session_instance.get = MagicMock(return_value=mock_get_cm)
+
+        mock_session_cm = MagicMock()
+        mock_session_cm.__aenter__ = AsyncMock(return_value=mock_session_instance)
+        mock_session_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.modelengine_provider.aiohttp.ClientSession",
+            return_value=mock_session_cm
+        )
+
+        provider = ModelEngineProvider()
+        provider_config = {
+            "model_type": "",
+            "base_url": "https://test.example.com",
+            "api_key": "test-api-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert result == []
+
+    @pytest.mark.asyncio
+    async def test_get_models_missing_host(self, mocker: MockFixture):
+        """Test handling when host is missing."""
+        provider = ModelEngineProvider()
+        provider_config = {
+            "model_type": "llm",
+            "api_key": "test-api-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert result == []
+
+    @pytest.mark.asyncio
+    async def test_get_models_missing_api_key(self, mocker: MockFixture):
+        """Test handling when API key is missing."""
+        provider = ModelEngineProvider()
+        provider_config = {
+            "model_type": "llm",
+            "base_url": "https://test.example.com"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert result == []
+
+    @pytest.mark.asyncio
+    async def test_get_models_api_error_401(self, mocker: MockFixture):
+        """Test handling of 401 API error."""
+        mock_response = AsyncMock()
+        mock_response.status = 401
+        mock_response.text = AsyncMock(return_value="Invalid API key")
+        mock_response.raise_for_status = MagicMock()
+
+        mock_get_cm = MagicMock()
+        mock_get_cm.__aenter__ = AsyncMock(return_value=mock_response)
+        mock_get_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mock_session_instance = MagicMock()
+        mock_session_instance.get = MagicMock(return_value=mock_get_cm)
+
+        mock_session_cm = MagicMock()
+        mock_session_cm.__aenter__ = AsyncMock(return_value=mock_session_instance)
+        mock_session_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.modelengine_provider.aiohttp.ClientSession",
+            return_value=mock_session_cm
+        )
+
+        provider = ModelEngineProvider()
+        provider_config = {
+            "model_type": "",
+            "base_url": "https://test.example.com",
+            "api_key": "invalid-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert isinstance(result, list)
+        assert len(result) == 1
+        assert result[0]["_error"] == "authentication_failed"
+
+    @pytest.mark.asyncio
+    async def test_get_models_api_error_500(self, mocker: MockFixture):
+        """Test handling of 500 server error."""
+        mock_response = AsyncMock()
+        mock_response.status = 500
+        mock_response.text = AsyncMock(return_value="Internal server error")
+        mock_response.raise_for_status = MagicMock()
+
+        mock_get_cm = MagicMock()
+        mock_get_cm.__aenter__ = AsyncMock(return_value=mock_response)
+        mock_get_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mock_session_instance = MagicMock()
+        mock_session_instance.get = MagicMock(return_value=mock_get_cm)
+
+        mock_session_cm = MagicMock()
+        mock_session_cm.__aenter__ = AsyncMock(return_value=mock_session_instance)
+        mock_session_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.modelengine_provider.aiohttp.ClientSession",
+            return_value=mock_session_cm
+        )
+
+        provider = ModelEngineProvider()
+        provider_config = {
+            "model_type": "",
+            "base_url": "https://test.example.com",
+            "api_key": "test-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert isinstance(result, list)
+        assert len(result) == 1
+        assert result[0]["_error"] == "server_error"
+
+    @pytest.mark.asyncio
+    async def test_get_models_connection_error(self, mocker: MockFixture):
+        """Test handling of connection error."""
+        # Use a simple Exception that will be caught by the generic exception handler
+        mock_session_cm = MagicMock()
+        mock_session_cm.__aenter__ = AsyncMock(side_effect=Exception("Connection refused"))
+        mock_session_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.modelengine_provider.aiohttp.ClientSession",
+            return_value=mock_session_cm
+        )
+
+        provider = ModelEngineProvider()
+        provider_config = {
+            "model_type": "",
+            "base_url": "https://test.example.com",
+            "api_key": "test-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert isinstance(result, list)
+        assert len(result) == 1
+        assert result[0]["_error"] == "connection_failed"
+
+    @pytest.mark.asyncio
+    async def test_get_models_type_mapping(self, mocker: MockFixture):
+        """Test correct type mapping from ModelEngine to internal types."""
+        mock_response_data = {
+            "data": [
+                {"id": "chat-model", "type": "chat"},
+                {"id": "embed-model", "type": "embed"},
+                {"id": "asr-model", "type": "asr"},
+                {"id": "tts-model", "type": "tts"},
+                {"id": "rerank-model", "type": "rerank"},
+                {"id": "vlm-model", "type": "multimodal"},
+            ]
+        }
+
+        mock_response = AsyncMock()
+        mock_response.status = 200
+        mock_response.json = AsyncMock(return_value=mock_response_data)
+        mock_response.raise_for_status = MagicMock()
+
+        mock_get_cm = MagicMock()
+        mock_get_cm.__aenter__ = AsyncMock(return_value=mock_response)
+        mock_get_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mock_session_instance = MagicMock()
+        mock_session_instance.get = MagicMock(return_value=mock_get_cm)
+
+        mock_session_cm = MagicMock()
+        mock_session_cm.__aenter__ = AsyncMock(return_value=mock_session_instance)
+        mock_session_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.modelengine_provider.aiohttp.ClientSession",
+            return_value=mock_session_cm
+        )
+
+        provider = ModelEngineProvider()
+        provider_config = {
+            "model_type": "",
+            "base_url": "https://test.example.com",
+            "api_key": "test-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        type_mapping = {
+            "chat-model": "llm",
+            "embed-model": "embedding",
+            "asr-model": "stt",
+            "tts-model": "tts",
+            "rerank-model": "rerank",
+            "vlm-model": "vlm",
+        }
+
+        for model in result:
+            expected_type = type_mapping.get(model["id"])
+            assert model["model_type"] == expected_type
+
+    @pytest.mark.asyncio
+    async def test_get_models_vlm_has_max_tokens(self, mocker: MockFixture):
+        """Test that VLM models have max_tokens set."""
+        mock_response_data = {
+            "data": [
+                {"id": "vlm-model", "type": "multimodal"},
+            ]
+        }
+
+        mock_response = AsyncMock()
+        mock_response.status = 200
+        mock_response.json = AsyncMock(return_value=mock_response_data)
+        mock_response.raise_for_status = MagicMock()
+
+        mock_get_cm = MagicMock()
+        mock_get_cm.__aenter__ = AsyncMock(return_value=mock_response)
+        mock_get_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mock_session_instance = MagicMock()
+        mock_session_instance.get = MagicMock(return_value=mock_get_cm)
+
+        mock_session_cm = MagicMock()
+        mock_session_cm.__aenter__ = AsyncMock(return_value=mock_session_instance)
+        mock_session_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.modelengine_provider.aiohttp.ClientSession",
+            return_value=mock_session_cm
+        )
+
+        provider = ModelEngineProvider()
+        provider_config = {
+            "model_type": "vlm",
+            "base_url": "https://test.example.com",
+            "api_key": "test-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert len(result) == 1
+        assert result[0]["model_type"] == "vlm"
+        assert result[0]["max_tokens"] > 0
+
+    @pytest.mark.asyncio
+    async def test_get_models_embedding_no_max_tokens(self, mocker: MockFixture):
+        """Test that embedding models have max_tokens set to 0."""
+        mock_response_data = {
+            "data": [
+                {"id": "embed-model", "type": "embed"},
+            ]
+        }
+
+        mock_response = AsyncMock()
+        mock_response.status = 200
+        mock_response.json = AsyncMock(return_value=mock_response_data)
+        mock_response.raise_for_status = MagicMock()
+
+        mock_get_cm = MagicMock()
+        mock_get_cm.__aenter__ = AsyncMock(return_value=mock_response)
+        mock_get_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mock_session_instance = MagicMock()
+        mock_session_instance.get = MagicMock(return_value=mock_get_cm)
+
+        mock_session_cm = MagicMock()
+        mock_session_cm.__aenter__ = AsyncMock(return_value=mock_session_instance)
+        mock_session_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.modelengine_provider.aiohttp.ClientSession",
+            return_value=mock_session_cm
+        )
+
+        provider = ModelEngineProvider()
+        provider_config = {
+            "model_type": "embedding",
+            "base_url": "https://test.example.com",
+            "api_key": "test-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert len(result) == 1
+        assert result[0]["model_type"] == "embedding"
+        assert result[0]["max_tokens"] == 0
+
+
+class TestModelEngineProviderHelpers:
+    """Tests for get_model_engine_raw_url function."""
+
+    def test_get_model_engine_raw_url_with_path(self):
+        """Test URL extraction with existing API path."""
+        result = get_model_engine_raw_url(
+            "https://test.example.com/open/router/v1/models"
+        )
+        assert result == "https://test.example.com"
+
+    def test_get_model_engine_raw_url_without_path(self):
+        """Test URL extraction without API path."""
+        result = get_model_engine_raw_url("https://test.example.com")
+        assert result == "https://test.example.com"
+
+    def test_get_model_engine_raw_url_with_trailing_slash(self):
+        """Test URL extraction with trailing slash."""
+        result = get_model_engine_raw_url("https://test.example.com/")
+        assert result == "https://test.example.com"
+
+    def test_get_model_engine_raw_url_empty(self):
+        """Test URL extraction with empty string."""
+        result = get_model_engine_raw_url("")
+        assert result == ""
+
+    def test_get_model_engine_raw_url_none(self):
+        """Test URL extraction with None."""
+        result = get_model_engine_raw_url(None)
+        assert result == ""
diff --git a/test/backend/services/providers/test_silicon_provider.py b/test/backend/services/providers/test_silicon_provider.py
new file mode 100644
index 000000000..8a13c6de9
--- /dev/null
+++ b/test/backend/services/providers/test_silicon_provider.py
@@ -0,0 +1,503 @@
+"""Unit tests for SiliconModelProvider module.
+
+Tests cover model fetching, type handling, and error handling.
+"""
+
+import pytest
+from unittest.mock import MagicMock, AsyncMock, patch
+from pytest_mock import MockFixture
+
+import httpx
+
+from backend.services.providers.silicon_provider import SiliconModelProvider
+
+
+class TestSiliconModelProvider:
+    """Tests for SiliconModelProvider class."""
+
+    @pytest.mark.asyncio
+    async def test_get_models_llm_success(self, mocker: MockFixture):
+        """Test successful model retrieval for LLM models."""
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.json.return_value = {
+            "data": [
+                {"id": "gpt-4", "name": "GPT-4"},
+                {"id": "gpt-3.5-turbo", "name": "GPT-3.5 Turbo"},
+            ]
+        }
+        mock_response.raise_for_status = MagicMock()
+
+        # Create mock client that works as async context manager
+        mock_client = AsyncMock()
+        mock_client.get.return_value = mock_response
+
+        # Create the context manager mock
+        mock_cm = MagicMock()
+        mock_cm.__aenter__ = AsyncMock(return_value=mock_client)
+        mock_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.silicon_provider.httpx.AsyncClient",
+            return_value=mock_cm
+        )
+        mocker.patch(
+            "backend.services.providers.silicon_provider.SILICON_GET_URL",
+            "https://api.siliconflow.com/v1/models"
+        )
+
+        provider = SiliconModelProvider()
+        provider_config = {
+            "model_type": "llm",
+            "api_key": "test-api-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert len(result) == 2
+        assert result[0]["id"] == "gpt-4"
+        assert result[0]["model_type"] == "llm"
+        assert result[0]["model_tag"] == "chat"
+
+    @pytest.mark.asyncio
+    async def test_get_models_vlm_success(self, mocker: MockFixture):
+        """Test successful model retrieval for VLM models."""
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.json.return_value = {
+            "data": [
+                {"id": "gpt-4v", "name": "GPT-4 Vision"},
+            ]
+        }
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = AsyncMock()
+        mock_client.get.return_value = mock_response
+
+        mock_cm = MagicMock()
+        mock_cm.__aenter__ = AsyncMock(return_value=mock_client)
+        mock_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.silicon_provider.httpx.AsyncClient",
+            return_value=mock_cm
+        )
+        mocker.patch(
+            "backend.services.providers.silicon_provider.SILICON_GET_URL",
+            "https://api.siliconflow.com/v1/models"
+        )
+
+        provider = SiliconModelProvider()
+        provider_config = {
+            "model_type": "vlm",
+            "api_key": "test-api-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert len(result) == 1
+        assert result[0]["id"] == "gpt-4v"
+        assert result[0]["model_type"] == "vlm"
+        assert result[0]["model_tag"] == "chat"
+
+    @pytest.mark.asyncio
+    async def test_get_models_embedding_success(self, mocker: MockFixture):
+        """Test successful model retrieval for embedding models."""
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.json.return_value = {
+            "data": [
+                {"id": "text-embedding-ada-002", "name": "Text Embedding Ada 002"},
+            ]
+        }
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = AsyncMock()
+        mock_client.get.return_value = mock_response
+
+        mock_cm = MagicMock()
+        mock_cm.__aenter__ = AsyncMock(return_value=mock_client)
+        mock_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.silicon_provider.httpx.AsyncClient",
+            return_value=mock_cm
+        )
+        mocker.patch(
+            "backend.services.providers.silicon_provider.SILICON_GET_URL",
+            "https://api.siliconflow.com/v1/models"
+        )
+
+        provider = SiliconModelProvider()
+        provider_config = {
+            "model_type": "embedding",
+            "api_key": "test-api-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert len(result) == 1
+        assert result[0]["id"] == "text-embedding-ada-002"
+        assert result[0]["model_type"] == "embedding"
+        assert result[0]["model_tag"] == "embedding"
+
+    @pytest.mark.asyncio
+    async def test_get_models_multi_embedding_success(self, mocker: MockFixture):
+        """Test successful model retrieval for multi-embedding models."""
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.json.return_value = {
+            "data": [
+                {"id": "bge-large", "name": "BGE Large"},
+            ]
+        }
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = AsyncMock()
+        mock_client.get.return_value = mock_response
+
+        mock_cm = MagicMock()
+        mock_cm.__aenter__ = AsyncMock(return_value=mock_client)
+        mock_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.silicon_provider.httpx.AsyncClient",
+            return_value=mock_cm
+        )
+        mocker.patch(
+            "backend.services.providers.silicon_provider.SILICON_GET_URL",
+            "https://api.siliconflow.com/v1/models"
+        )
+
+        provider = SiliconModelProvider()
+        provider_config = {
+            "model_type": "multi_embedding",
+            "api_key": "test-api-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert len(result) == 1
+        assert result[0]["id"] == "bge-large"
+        assert result[0]["model_type"] == "multi_embedding"
+        assert result[0]["model_tag"] == "embedding"
+
+    @pytest.mark.asyncio
+    async def test_get_models_unknown_type(self, mocker: MockFixture):
+        """Test model retrieval for unknown model types."""
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.json.return_value = {
+            "data": [
+                {"id": "unknown-model", "name": "Unknown Model"},
+            ]
+        }
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = AsyncMock()
+        mock_client.get.return_value = mock_response
+
+        mock_cm = MagicMock()
+        mock_cm.__aenter__ = AsyncMock(return_value=mock_client)
+        mock_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.silicon_provider.httpx.AsyncClient",
+            return_value=mock_cm
+        )
+        mocker.patch(
+            "backend.services.providers.silicon_provider.SILICON_GET_URL",
+            "https://api.siliconflow.com/v1/models"
+        )
+
+        provider = SiliconModelProvider()
+        provider_config = {
+            "model_type": "stt",
+            "api_key": "test-api-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert len(result) == 1
+        assert result[0]["id"] == "unknown-model"
+
+    @pytest.mark.asyncio
+    async def test_get_models_empty_response(self, mocker: MockFixture):
+        """Test handling of empty model list from API."""
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.json.return_value = {"data": []}
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = AsyncMock()
+        mock_client.get.return_value = mock_response
+
+        mock_cm = MagicMock()
+        mock_cm.__aenter__ = AsyncMock(return_value=mock_client)
+        mock_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.silicon_provider.httpx.AsyncClient",
+            return_value=mock_cm
+        )
+        mocker.patch(
+            "backend.services.providers.silicon_provider.SILICON_GET_URL",
+            "https://api.siliconflow.com/v1/models"
+        )
+
+        provider = SiliconModelProvider()
+        provider_config = {
+            "model_type": "llm",
+            "api_key": "test-api-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert result == []
+
+    @pytest.mark.asyncio
+    async def test_get_models_http_error(self, mocker: MockFixture):
+        """Test handling of HTTP error."""
+        mock_client = AsyncMock()
+        mock_client.get.side_effect = httpx.HTTPStatusError(
+            "Error",
+            request=MagicMock(),
+            response=MagicMock(status_code=500)
+        )
+
+        mock_cm = MagicMock()
+        mock_cm.__aenter__ = AsyncMock(return_value=mock_client)
+        mock_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.silicon_provider.httpx.AsyncClient",
+            return_value=mock_cm
+        )
+        mocker.patch(
+            "backend.services.providers.silicon_provider.SILICON_GET_URL",
+            "https://api.siliconflow.com/v1/models"
+        )
+
+        provider = SiliconModelProvider()
+        provider_config = {
+            "model_type": "llm",
+            "api_key": "test-api-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert isinstance(result, list)
+        assert len(result) == 1
+        assert result[0]["_error"] == "connection_failed"
+
+    @pytest.mark.asyncio
+    async def test_get_models_connect_error(self, mocker: MockFixture):
+        """Test handling of connection error."""
+        mock_client = AsyncMock()
+        mock_client.get.side_effect = httpx.ConnectError("Connection failed")
+
+        mock_cm = MagicMock()
+        mock_cm.__aenter__ = AsyncMock(return_value=mock_client)
+        mock_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.silicon_provider.httpx.AsyncClient",
+            return_value=mock_cm
+        )
+        mocker.patch(
+            "backend.services.providers.silicon_provider.SILICON_GET_URL",
+            "https://api.siliconflow.com/v1/models"
+        )
+
+        provider = SiliconModelProvider()
+        provider_config = {
+            "model_type": "llm",
+            "api_key": "test-api-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert isinstance(result, list)
+        assert len(result) == 1
+        assert result[0]["_error"] == "connection_failed"
+
+    @pytest.mark.asyncio
+    async def test_get_models_timeout(self, mocker: MockFixture):
+        """Test handling of connection timeout."""
+        mock_client = AsyncMock()
+        mock_client.get.side_effect = httpx.ConnectTimeout("Timeout")
+
+        mock_cm = MagicMock()
+        mock_cm.__aenter__ = AsyncMock(return_value=mock_client)
+        mock_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.silicon_provider.httpx.AsyncClient",
+            return_value=mock_cm
+        )
+        mocker.patch(
+            "backend.services.providers.silicon_provider.SILICON_GET_URL",
+            "https://api.siliconflow.com/v1/models"
+        )
+
+        provider = SiliconModelProvider()
+        provider_config = {
+            "model_type": "llm",
+            "api_key": "test-api-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert isinstance(result, list)
+        assert len(result) == 1
+        assert result[0]["_error"] == "connection_failed"
+
+    @pytest.mark.asyncio
+    async def test_get_models_correct_url_for_llm(self, mocker: MockFixture):
+        """Test that correct URL is used for LLM models."""
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.json.return_value = {"data": [{"id": "test"}]}
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = AsyncMock()
+        mock_client.get.return_value = mock_response
+
+        mock_cm = MagicMock()
+        mock_cm.__aenter__ = AsyncMock(return_value=mock_client)
+        mock_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.silicon_provider.httpx.AsyncClient",
+            return_value=mock_cm
+        )
+        mocker.patch(
+            "backend.services.providers.silicon_provider.SILICON_GET_URL",
+            "https://api.siliconflow.com/models"
+        )
+
+        provider = SiliconModelProvider()
+        provider_config = {
+            "model_type": "llm",
+            "api_key": "test-api-key"
+        }
+
+        await provider.get_models(provider_config)
+
+        # Verify the URL contains sub_type=chat for LLM
+        call_args = mock_client.get.call_args
+        assert "sub_type=chat" in call_args[0][0]
+
+    @pytest.mark.asyncio
+    async def test_get_models_correct_url_for_embedding(self, mocker: MockFixture):
+        """Test that correct URL is used for embedding models."""
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.json.return_value = {"data": [{"id": "test"}]}
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = AsyncMock()
+        mock_client.get.return_value = mock_response
+
+        mock_cm = MagicMock()
+        mock_cm.__aenter__ = AsyncMock(return_value=mock_client)
+        mock_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.silicon_provider.httpx.AsyncClient",
+            return_value=mock_cm
+        )
+        mocker.patch(
+            "backend.services.providers.silicon_provider.SILICON_GET_URL",
+            "https://api.siliconflow.com/models"
+        )
+
+        provider = SiliconModelProvider()
+        provider_config = {
+            "model_type": "embedding",
+            "api_key": "test-api-key"
+        }
+
+        await provider.get_models(provider_config)
+
+        # Verify the URL contains sub_type=embedding for embedding
+        call_args = mock_client.get.call_args
+        assert "sub_type=embedding" in call_args[0][0]
+
+    @pytest.mark.asyncio
+    async def test_get_models_authorization_header(self, mocker: MockFixture):
+        """Test that Authorization header is correctly set."""
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.json.return_value = {"data": [{"id": "test"}]}
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = AsyncMock()
+        mock_client.get.return_value = mock_response
+
+        mock_cm = MagicMock()
+        mock_cm.__aenter__ = AsyncMock(return_value=mock_client)
+        mock_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.silicon_provider.httpx.AsyncClient",
+            return_value=mock_cm
+        )
+        mocker.patch(
+            "backend.services.providers.silicon_provider.SILICON_GET_URL",
+            "https://api.siliconflow.com/models"
+        )
+
+        provider = SiliconModelProvider()
+        provider_config = {
+            "model_type": "llm",
+            "api_key": "my-secret-key"
+        }
+
+        await provider.get_models(provider_config)
+
+        # Verify Authorization header
+        call_args = mock_client.get.call_args
+        headers = call_args[1]["headers"]
+        assert headers["Authorization"] == "Bearer my-secret-key"
+
+    @pytest.mark.asyncio
+    async def test_get_models_llm_has_max_tokens(self, mocker: MockFixture):
+        """Test that LLM models have max_tokens set."""
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.json.return_value = {
+            "data": [{"id": "gpt-4"}]
+        }
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = AsyncMock()
+        mock_client.get.return_value = mock_response
+
+        mock_cm = MagicMock()
+        mock_cm.__aenter__ = AsyncMock(return_value=mock_client)
+        mock_cm.__aexit__ = AsyncMock(return_value=None)
+
+        mocker.patch(
+            "backend.services.providers.silicon_provider.httpx.AsyncClient",
+            return_value=mock_cm
+        )
+        mocker.patch(
+            "backend.services.providers.silicon_provider.SILICON_GET_URL",
+            "https://api.siliconflow.com/models"
+        )
+        mocker.patch(
+            "backend.services.providers.silicon_provider.DEFAULT_LLM_MAX_TOKENS",
+            4096
+        )
+
+        provider = SiliconModelProvider()
+        provider_config = {
+            "model_type": "llm",
+            "api_key": "test-key"
+        }
+
+        result = await provider.get_models(provider_config)
+
+        assert len(result) == 1
+        assert result[0]["max_tokens"] == 4096
diff --git a/test/backend/services/test_agent_service.py b/test/backend/services/test_agent_service.py
index 341c45976..c9b553e93 100644
--- a/test/backend/services/test_agent_service.py
+++ b/test/backend/services/test_agent_service.py
@@ -325,7 +325,66 @@ async def test_get_agent_info_impl_success(mock_search_agent_info, mock_search_t
         "unavailable_reasons": []
     }
     assert result == expected_result
-    mock_search_agent_info.assert_called_once_with(123, "test_tenant")
+    mock_search_agent_info.assert_called_once_with(123, "test_tenant", 0)
+    mock_search_tools.assert_called_once_with(
+        agent_id=123, tenant_id="test_tenant")
+    mock_query_sub_agents_id.assert_called_once_with(
+        main_agent_id=123, tenant_id="test_tenant")
+    mock_check_availability.assert_called_once()
+
+
+@patch('backend.services.agent_service.check_agent_availability')
+@patch('backend.services.agent_service.get_model_by_model_id')
+@patch('backend.services.agent_service.query_sub_agents_id_list')
+@patch('backend.services.agent_service.search_tools_for_sub_agent')
+@patch('backend.services.agent_service.search_agent_info_by_agent_id')
+@pytest.mark.asyncio
+async def test_get_agent_info_impl_with_version_no(mock_search_agent_info, mock_search_tools, mock_query_sub_agents_id, mock_get_model_by_model_id, mock_check_availability):
+    """
+    Test get_agent_info_impl with explicit version_no parameter.
+
+    This test verifies that:
+    1. The function correctly passes version_no to search_agent_info_by_agent_id
+    2. It works correctly when version_no is explicitly provided
+    """
+    # Setup
+    mock_agent_info = {
+        "agent_id": 123,
+        "model_id": None,
+        "business_description": "Test agent"
+    }
+    mock_search_agent_info.return_value = mock_agent_info
+
+    mock_tools = [{"tool_id": 1, "name": "Tool 1"}]
+    mock_search_tools.return_value = mock_tools
+
+    mock_sub_agent_ids = [456, 789]
+    mock_query_sub_agents_id.return_value = mock_sub_agent_ids
+
+    # Mock get_model_by_model_id - return None for model_id=None
+    mock_get_model_by_model_id.return_value = None
+
+    # Mock check_agent_availability - agent is available
+    mock_check_availability.return_value = (True, [])
+
+    # Execute with explicit version_no
+    result = await get_agent_info_impl(agent_id=123, tenant_id="test_tenant", version_no=5)
+
+    # Assert
+    expected_result = {
+        "agent_id": 123,
+        "model_id": None,
+        "business_description": "Test agent",
+        "tools": mock_tools,
+        "sub_agent_id_list": mock_sub_agent_ids,
+        "model_name": None,
+        "business_logic_model_name": None,
+        "is_available": True,
+        "unavailable_reasons": []
+    }
+    assert result == expected_result
+    # Verify version_no is passed correctly
+    mock_search_agent_info.assert_called_once_with(123, "test_tenant", 5)
     mock_search_tools.assert_called_once_with(
         agent_id=123, tenant_id="test_tenant")
     mock_query_sub_agents_id.assert_called_once_with(
@@ -431,30 +490,25 @@ async def test_update_agent_info_impl_success(mock_get_current_user_info, mock_u
 
     # Assert
     mock_update_agent.assert_called_once_with(
-        123, request, "test_tenant", "test_user")
+        123, request, "test_user")
 
 
 @patch('backend.services.agent_service.delete_tools_by_agent_id')
 @patch('backend.services.agent_service.delete_agent_relationship')
 @patch('backend.services.agent_service.delete_agent_by_id')
-@patch('backend.services.agent_service.get_current_user_info')
 @pytest.mark.asyncio
-async def test_delete_agent_impl_success(mock_get_current_user_info, mock_delete_agent, mock_delete_related,
+async def test_delete_agent_impl_success(mock_delete_agent, mock_delete_related,
                                          mock_delete_tools):
     """
     Test successful deletion of an agent.
 
     This test verifies that:
-    1. The function correctly gets the current user and tenant IDs
-    2. It calls the delete_agent_by_id function with the correct parameters
-    3. It also deletes all related agent relationships
+    1. It calls the delete_agent_by_id function with the correct parameters
+    2. It also deletes all related agent relationships
+    3. It deletes all tools associated with the agent
     """
-    # Setup
-    mock_get_current_user_info.return_value = (
-        "test_user", "test_tenant", "en")
-
     # Execute
-    await delete_agent_impl(123, authorization="Bearer token")
+    await delete_agent_impl(123, "test_tenant", "test_user")
 
     # Assert
     mock_delete_agent.assert_called_once_with(123, "test_tenant", "test_user")
@@ -481,6 +535,8 @@ async def test_get_agent_info_impl_exception_handling(mock_search_agent_info):
         await get_agent_info_impl(agent_id=123, tenant_id="test_tenant")
 
     assert "Failed to get agent info" in str(context.value)
+    # Verify version_no parameter is passed (default value 0)
+    mock_search_agent_info.assert_called_once_with(123, "test_tenant", 0)
 
 
 @patch('backend.services.agent_service.update_agent')
@@ -515,46 +571,35 @@ async def test_update_agent_info_impl_exception_handling(mock_get_current_user_i
 
 
 @patch('backend.services.agent_service.create_or_update_tool_by_tool_info')
-@patch('backend.services.agent_service.query_tool_instances_by_id')
-@patch('backend.services.agent_service.query_all_tools')
+@patch('backend.services.agent_service.query_tool_instances_by_agent_id')
 @patch('backend.services.agent_service.update_agent')
 @patch('backend.services.agent_service.get_current_user_info')
 @pytest.mark.asyncio
 async def test_update_agent_info_impl_with_enabled_tool_ids(
     mock_get_current_user_info,
     mock_update_agent,
-    mock_query_all_tools,
-    mock_query_tool_instances_by_id,
+    mock_query_tool_instances_by_agent_id,
     mock_create_or_update_tool
 ):
     """
     Test update_agent_info_impl with enabled_tool_ids parameter.
 
     This test verifies that:
-    1. When enabled_tool_ids is provided, tools are updated correctly
-    2. Existing tool params are preserved
-    3. Tools are enabled/disabled based on the provided list
+    1. When enabled_tool_ids is provided, existing tools are disabled if not selected
+    2. Selected tools are enabled (create or update)
+    3. Existing tool params are preserved
     """
     # Setup
     mock_get_current_user_info.return_value = ("test_user", "test_tenant", "en")
 
-    # Mock all tools in tenant
-    mock_query_all_tools.return_value = [
-        {"tool_id": 1, "name": "Tool 1"},
-        {"tool_id": 2, "name": "Tool 2"},
-        {"tool_id": 3, "name": "Tool 3"},
-    ]
-
-    # Mock existing tool instance with params
-    mock_query_tool_instances_by_id.side_effect = [
+    # Mock existing tool instances for this agent
+    mock_query_tool_instances_by_agent_id.return_value = [
         {"tool_id": 1, "params": {"key1": "value1"}},  # Existing tool with params
-        None,  # Tool 2 doesn't exist yet
-        None,  # Tool 3 doesn't exist yet
     ]
 
     request = MagicMock()
     request.agent_id = 123
-    request.enabled_tool_ids = [1, 2]  # Enable tools 1 and 2, disable 3
+    request.enabled_tool_ids = [1, 2]  # Enable tools 1 and 2
     request.related_agent_ids = None
 
     # Execute
@@ -564,8 +609,8 @@ async def test_update_agent_info_impl_with_enabled_tool_ids(
     assert result["agent_id"] == 123
     mock_update_agent.assert_called_once()
 
-    # Verify tools were updated: tool 1 and 2 enabled, tool 3 disabled
-    assert mock_create_or_update_tool.call_count == 3
+    # Verify tools were updated: tool 1 and 2 enabled
+    assert mock_create_or_update_tool.call_count == 2
 
     # Check tool 1: enabled with existing params
     call_args = mock_create_or_update_tool.call_args_list[0]
@@ -574,18 +619,116 @@ async def test_update_agent_info_impl_with_enabled_tool_ids(
     assert tool_info.enabled is True
     assert tool_info.params == {"key1": "value1"}
 
-    # Check tool 2: enabled with empty params
+    # Check tool 2: enabled with empty params (new tool)
     call_args = mock_create_or_update_tool.call_args_list[1]
     tool_info = call_args.kwargs['tool_info']
     assert tool_info.tool_id == 2
     assert tool_info.enabled is True
     assert tool_info.params == {}
 
-    # Check tool 3: disabled
-    call_args = mock_create_or_update_tool.call_args_list[2]
+
+@patch('backend.services.agent_service.create_or_update_tool_by_tool_info')
+@patch('backend.services.agent_service.query_tool_instances_by_agent_id')
+@patch('backend.services.agent_service.update_agent')
+@patch('backend.services.agent_service.get_current_user_info')
+@pytest.mark.asyncio
+async def test_update_agent_info_impl_with_enabled_tool_ids_instance_having_null_tool_id(
+    mock_get_current_user_info,
+    mock_update_agent,
+    mock_query_tool_instances_by_agent_id,
+    mock_create_or_update_tool
+):
+    """
+    Test update_agent_info_impl when existing tool instance has null tool_id.
+
+    This test verifies that:
+    1. Instances with null tool_id are skipped (not causing errors)
+    2. Only valid tool instances are processed for enabling/disabling
+    """
+    # Setup
+    mock_get_current_user_info.return_value = ("test_user", "test_tenant", "en")
+
+    # Mock existing tool instances: one with valid tool_id, one with null tool_id
+    mock_query_tool_instances_by_agent_id.return_value = [
+        {"tool_id": 1, "params": {"key1": "value1"}},  # Valid instance
+        {"tool_id": None, "params": {}},               # Instance with null tool_id - should be skipped
+    ]
+
+    request = MagicMock()
+    request.agent_id = 123
+    request.enabled_tool_ids = [1]  # Enable only tool 1
+    request.related_agent_ids = None
+
+    # Execute
+    result = await update_agent_info_impl(request, authorization="Bearer token")
+
+    # Assert
+    assert result["agent_id"] == 123
+    mock_update_agent.assert_called_once()
+
+    # Verify only tool 1 was enabled; tool with null tool_id was skipped
+    assert mock_create_or_update_tool.call_count == 1
+    call_args = mock_create_or_update_tool.call_args
+    tool_info = call_args.kwargs['tool_info']
+    assert tool_info.tool_id == 1
+    assert tool_info.enabled is True
+
+
+@patch('backend.services.agent_service.create_or_update_tool_by_tool_info')
+@patch('backend.services.agent_service.query_tool_instances_by_agent_id')
+@patch('backend.services.agent_service.update_agent')
+@patch('backend.services.agent_service.get_current_user_info')
+@pytest.mark.asyncio
+async def test_update_agent_info_impl_with_enabled_tool_ids_disabled_existing_tool(
+    mock_get_current_user_info,
+    mock_update_agent,
+    mock_query_tool_instances_by_agent_id,
+    mock_create_or_update_tool
+):
+    """
+    Test that existing tools not in enabled_tool_ids are disabled.
+
+    This test verifies that:
+    1. When enabled_tool_ids is provided, existing tools NOT in the list are disabled
+    2. create_or_update_tool_by_tool_info is called with enabled=False for disabled tools
+    """
+    # Setup
+    mock_get_current_user_info.return_value = ("test_user", "test_tenant", "en")
+
+    # Mock existing tool instances: tool 1 exists, tool 2 is new
+    mock_query_tool_instances_by_agent_id.return_value = [
+        {"tool_id": 1, "params": {"key1": "value1"}},  # Existing tool 1
+    ]
+
+    request = MagicMock()
+    request.agent_id = 123
+    request.enabled_tool_ids = [2]  # Only enable tool 2 (new tool)
+    # Tool 1 exists but is NOT in enabled_tool_ids, so it should be disabled
+    request.related_agent_ids = None
+
+    # Execute
+    result = await update_agent_info_impl(request, authorization="Bearer token")
+
+    # Assert
+    assert result["agent_id"] == 123
+    mock_update_agent.assert_called_once()
+
+    # Verify: tool 1 was disabled, tool 2 was enabled
+    assert mock_create_or_update_tool.call_count == 2
+
+    # Check tool 1: disabled (exists but not in enabled_tool_ids)
+    call_args = mock_create_or_update_tool.call_args_list[0]
     tool_info = call_args.kwargs['tool_info']
-    assert tool_info.tool_id == 3
+    assert tool_info.tool_id == 1
     assert tool_info.enabled is False
+    assert tool_info.params == {"key1": "value1"}
+
+    # Check tool 2: enabled (new tool)
+    call_args = mock_create_or_update_tool.call_args_list[1]
+    tool_info = call_args.kwargs['tool_info']
+    assert tool_info.tool_id == 2
+    assert tool_info.enabled is True
+    assert tool_info.params == {}
 
 
 @patch('backend.services.agent_service.update_related_agents')
@@ -668,8 +811,7 @@ async def test_update_agent_info_impl_circular_dependency_detection(
 
 
 @patch('backend.services.agent_service.create_or_update_tool_by_tool_info')
-@patch('backend.services.agent_service.query_tool_instances_by_id')
-@patch('backend.services.agent_service.query_all_tools')
+@patch('backend.services.agent_service.query_tool_instances_by_agent_id')
 @patch('backend.services.agent_service.update_related_agents')
 @patch('backend.services.agent_service.query_sub_agents_id_list')
 @patch('backend.services.agent_service.update_agent')
@@ -680,8 +822,7 @@ async def test_update_agent_info_impl_with_both_tool_and_related_agents(
     mock_update_agent,
     mock_query_sub_agents_id_list,
     mock_update_related_agents,
-    mock_query_all_tools,
-    mock_query_tool_instances_by_id,
+    mock_query_tool_instances_by_agent_id,
     mock_create_or_update_tool
 ):
     """
@@ -693,8 +834,7 @@ async def test_update_agent_info_impl_with_both_tool_and_related_agents(
     """
     # Setup
     mock_get_current_user_info.return_value = ("test_user", "test_tenant", "en")
-    mock_query_all_tools.return_value = [{"tool_id": 1}]
-    mock_query_tool_instances_by_id.return_value = None
+    mock_query_tool_instances_by_agent_id.return_value = []  # No existing instances
     mock_query_sub_agents_id_list.return_value = []
 
     request = MagicMock()
@@ -718,16 +858,14 @@ async def test_update_agent_info_impl_with_both_tool_and_related_agents(
 
 
 @patch('backend.services.agent_service.create_or_update_tool_by_tool_info')
-@patch('backend.services.agent_service.query_tool_instances_by_id')
-@patch('backend.services.agent_service.query_all_tools')
+@patch('backend.services.agent_service.query_tool_instances_by_agent_id')
 @patch('backend.services.agent_service.update_agent')
 @patch('backend.services.agent_service.get_current_user_info')
 @pytest.mark.asyncio
 async def test_update_agent_info_impl_tool_update_exception(
     mock_get_current_user_info,
     mock_update_agent,
-    mock_query_all_tools,
-    mock_query_tool_instances_by_id,
+    mock_query_tool_instances_by_agent_id,
     mock_create_or_update_tool
 ):
     """
@@ -738,8 +876,7 @@ async def test_update_agent_info_impl_tool_update_exception(
     """
     # Setup
     mock_get_current_user_info.return_value = ("test_user", "test_tenant", "en")
-    mock_query_all_tools.return_value = [{"tool_id": 1}]
-    mock_query_tool_instances_by_id.return_value = None
+    mock_query_tool_instances_by_agent_id.return_value = []
     mock_create_or_update_tool.side_effect = Exception("Tool update failed")
 
     request = MagicMock()
@@ -858,9 +995,8 @@ def test_resolve_user_tenant_language_partial_override(mock_get_current_user_inf
 
 
 @patch('backend.services.agent_service.delete_agent_by_id')
-@patch('backend.services.agent_service.get_current_user_info')
 @pytest.mark.asyncio
-async def test_delete_agent_impl_exception_handling(mock_get_current_user_info, mock_delete_agent):
+async def test_delete_agent_impl_exception_handling(mock_delete_agent):
     """
     Test exception handling in delete_agent_impl function.
 
@@ -869,13 +1005,11 @@ async def test_delete_agent_impl_exception_handling(mock_get_current_user_info,
     2. The function raises a ValueError with an appropriate message
     """
     # Setup
-    mock_get_current_user_info.return_value = (
-        "test_user", "test_tenant", "en")
     mock_delete_agent.side_effect = Exception("Delete failed")
 
     # Execute & Assert
     with pytest.raises(ValueError) as context:
-        await delete_agent_impl(123, authorization="Bearer token")
+        await delete_agent_impl(123, "test_tenant", "test_user")
 
     assert "Failed to delete agent" in str(context.value)
 
@@ -1227,7 +1361,7 @@ async def test_get_agent_info_impl_with_tool_error(mock_search_agent_info, mock_
         assert result["model_name"] is None
         assert result["is_available"] == True
         assert result["unavailable_reasons"] == []
-        mock_search_agent_info.assert_called_once_with(123, "test_tenant")
+        mock_search_agent_info.assert_called_once_with(123, "test_tenant", 0)
 
 
 @patch('backend.services.agent_service.check_agent_availability')
@@ -1271,7 +1405,7 @@ async def test_get_agent_info_impl_sub_agent_error(mock_search_agent_info, mock_
     assert result["model_name"] is None
     assert result["is_available"] == True
     assert result["unavailable_reasons"] == []
-    mock_search_agent_info.assert_called_once_with(123, "test_tenant")
+    mock_search_agent_info.assert_called_once_with(123, "test_tenant", 0)
     mock_search_tools.assert_called_once_with(
         agent_id=123, tenant_id="test_tenant")
     mock_query_sub_agents_id.assert_called_once_with(
@@ -1704,15 +1838,28 @@ def mock_get_model(model_id):
     mock_get_model_by_model_id.assert_any_call(789)
 
 
-async def test_list_all_agent_info_impl_success():
+@pytest.mark.asyncio
+@patch("backend.services.agent_service.get_model_by_model_id")
+@patch("backend.services.agent_service.check_agent_availability")
+@patch("backend.services.agent_service.convert_string_to_list")
+@patch("backend.services.agent_service.get_user_tenant_by_user_id")
+@patch("backend.services.agent_service.query_group_ids_by_user")
+@patch("backend.services.agent_service.query_all_agent_info_by_tenant_id")
+async def test_list_all_agent_info_impl_success(
+    mock_query_agents,
+    mock_query_groups,
+    mock_get_user_tenant,
+    mock_convert_list,
+    mock_check_availability,
+    mock_get_model,
+):
     """
-    Test successful retrieval of all agent information.
+    Test successful retrieval of all agent information for admin user.
 
     This test verifies that:
     1. The function correctly queries all agents for a tenant
-    2. It retrieves tool information for each agent
-    3. It checks tool availability
-    4. It returns a properly formatted list of agent information
+    2. It checks agent availability
+    3. It returns a properly formatted list of agent information with permissions
     """
     # Setup mock agents
     mock_agents = [
@@ -1722,7 +1869,10 @@ async def test_list_all_agent_info_impl_success():
             "display_name": "Display Agent 1",
             "description": "First test agent",
             "enabled": True,
-            "group_ids": ""
+            "group_ids": "",
+            "created_by": "user1",
+            "create_time": 1,
+            "current_version_no": None,  # Not published
         },
         {
             "agent_id": 2,
@@ -1730,61 +1880,148 @@ async def test_list_all_agent_info_impl_success():
             "display_name": "Display Agent 2",
             "description": "Second test agent",
             "enabled": True,
-            "group_ids": "1,2,3"
+            "group_ids": "1,2,3",
+            "created_by": "user2",
+            "create_time": 2,
+            "current_version_no": 1,  # Published
         }
     ]
 
-    # Setup mock tools
-    mock_tools = [
-        {"tool_id": 101, "name": "Tool 1"},
-        {"tool_id": 102, "name": "Tool 2"}
+    # Configure mocks
+    mock_query_agents.return_value = mock_agents
+    mock_get_user_tenant.return_value = {"user_role": "ADMIN"}
+    mock_query_groups.return_value = []
+    mock_convert_list.side_effect = lambda x: [] if not x else [int(i) for i in x.split(",")]
+    mock_check_availability.side_effect = lambda *args, **kwargs: (True, [])
+    mock_get_model.return_value = None
+
+    # Execute
+    result = await list_all_agent_info_impl(tenant_id="test_tenant", user_id="admin_user")
+
+    # Assert
+    assert len(result) == 2
+    assert result[0]["agent_id"] == 1
+    assert result[0]["name"] == "Agent 1"
+    assert result[0]["display_name"] == "Display Agent 1"
+    assert result[0]["is_available"] == True
+    assert result[0]["unavailable_reasons"] == []
+    assert result[0]["group_ids"] == []
+    assert result[0]["permission"] == "EDIT"  # Admin can edit all
+    assert result[0]["is_published"] == False  # current_version_no is None
+    assert result[1]["agent_id"] == 2
+    assert result[1]["name"] == "Agent 2"
+    assert result[1]["display_name"] == "Display Agent 2"
+    assert result[1]["is_available"] == True
+    assert result[1]["unavailable_reasons"] == []
+    assert result[1]["group_ids"] == [1, 2, 3]
+    assert result[1]["permission"] == "EDIT"  # Admin can edit all
+    assert result[1]["is_published"] == True  # current_version_no is not None
+
+    # Verify mock calls
+    mock_query_agents.assert_called_once_with(tenant_id="test_tenant")
+    mock_get_user_tenant.assert_called_once_with("admin_user")
+
+
+@pytest.mark.asyncio
+@patch("backend.services.agent_service.get_model_by_model_id")
+@patch("backend.services.agent_service.check_agent_availability")
+@patch("backend.services.agent_service.convert_string_to_list")
+@patch("backend.services.agent_service.get_user_tenant_by_user_id")
+@patch("backend.services.agent_service.query_group_ids_by_user")
+@patch("backend.services.agent_service.query_all_agent_info_by_tenant_id")
+async def test_list_all_agent_info_impl_is_published_field(
+    mock_query_agents,
+    mock_query_groups,
+    mock_get_user_tenant,
+    mock_convert_list,
+    mock_check_availability,
+    mock_get_model,
+):
+    """
+    Test that is_published field is correctly set based on current_version_no.
+
+    This test verifies that:
+    1. is_published is False when current_version_no is None
+    2. is_published is False when current_version_no field is missing
+    3. is_published is True when current_version_no is not None
+    """
+    # Setup mock agents with different current_version_no values
+    mock_agents = [
+        {
+            "agent_id": 1,
+            "name": "Agent 1",
+            "display_name": "Display Agent 1",
+            "description": "Unpublished agent",
+            "enabled": True,
+            "group_ids": "",
+            "created_by": "user1",
+            "create_time": 1,
+            "current_version_no": None,  # Not published
+        },
+        {
+            "agent_id": 2,
+            "name": "Agent 2",
+            "display_name": "Display Agent 2",
+            "description": "Published agent",
+            "enabled": True,
+            "group_ids": "",
+            "created_by": "user2",
+            "create_time": 2,
+            "current_version_no": 1,  # Published
+        },
+        {
+            "agent_id": 3,
+            "name": "Agent 3",
+            "display_name": "Display Agent 3",
+            "description": "Agent without current_version_no field",
+            "enabled": True,
+            "group_ids": "",
+            "created_by": "user3",
+            "create_time": 3,
+            # current_version_no field is missing
+        }
     ]
 
-    with patch('backend.services.agent_service.query_all_agent_info_by_tenant_id') as mock_query_agents, \
-            patch('backend.services.agent_service.search_tools_for_sub_agent') as mock_search_tools, \
-            patch('backend.services.agent_service.check_tool_is_available') as mock_check_tools:
-        # Configure mocks
-        mock_query_agents.return_value = mock_agents
-        mock_search_tools.return_value = mock_tools
-        mock_check_tools.return_value = [True, True]  # All tools are available
+    # Configure mocks
+    mock_query_agents.return_value = mock_agents
+    mock_get_user_tenant.return_value = {"user_role": "ADMIN"}
+    mock_query_groups.return_value = []
+    mock_convert_list.side_effect = lambda x: [] if not x else [int(i) for i in x.split(",")]
+    mock_check_availability.side_effect = lambda *args, **kwargs: (True, [])
+    mock_get_model.return_value = None
 
-        # Execute
-        result = await list_all_agent_info_impl(tenant_id="test_tenant")
+    # Execute
+    result = await list_all_agent_info_impl(tenant_id="test_tenant", user_id="admin_user")
 
-        # Assert
-        assert len(result) == 2
-        assert result[0]["agent_id"] == 1
-        assert result[0]["name"] == "Agent 1"
-        assert result[0]["display_name"] == "Display Agent 1"
-        assert result[0]["is_available"] == True
-        assert result[0]["unavailable_reasons"] == []
-        assert result[0]["group_ids"] == []
-        assert result[1]["agent_id"] == 2
-        assert result[1]["name"] == "Agent 2"
-        assert result[1]["display_name"] == "Display Agent 2"
-        assert result[1]["is_available"] == True
-        assert result[1]["unavailable_reasons"] == []
-        assert result[1]["group_ids"] == [1, 2, 3]
-
-        # Verify mock calls
-        mock_query_agents.assert_called_once_with(tenant_id="test_tenant")
-        assert mock_search_tools.call_count == 2
-        mock_search_tools.assert_has_calls([
-            call(agent_id=1, tenant_id="test_tenant"),
-            call(agent_id=2, tenant_id="test_tenant")
-        ])
-        mock_check_tools.assert_has_calls([
-            call([101, 102]),
-            call([101, 102])
-        ])
+    # Assert
+    assert len(result) == 3
+    # Agent 1: current_version_no is None -> is_published should be False
+    assert result[0]["agent_id"] == 1
+    assert result[0]["is_published"] == False
+    # Agent 2: current_version_no is 1 -> is_published should be True
+    assert result[1]["agent_id"] == 2
+    assert result[1]["is_published"] == True
+    # Agent 3: current_version_no field is missing -> is_published should be False
+    assert result[2]["agent_id"] == 3
+    assert result[2]["is_published"] == False
+
+    # Verify mock calls
+    mock_query_agents.assert_called_once_with(tenant_id="test_tenant")
+    mock_get_user_tenant.assert_called_once_with("admin_user")
 
 
 @pytest.mark.asyncio
 @patch("backend.services.agent_service.get_model_by_model_id")
 @patch("backend.services.agent_service.check_agent_availability")
+@patch("backend.services.agent_service.convert_string_to_list")
+@patch("backend.services.agent_service.get_user_tenant_by_user_id")
+@patch("backend.services.agent_service.query_group_ids_by_user")
 @patch("backend.services.agent_service.query_all_agent_info_by_tenant_id")
 async def test_list_all_agent_info_impl_model_cache_miss_fetches_model(
     mock_query_all,
+    mock_query_groups,
+    mock_get_user_tenant,
+    mock_convert_list,
     mock_check_availability,
     mock_get_model,
 ):
@@ -1798,15 +2035,19 @@ async def test_list_all_agent_info_impl_model_cache_miss_fetches_model(
             "enabled": True,
             "model_id": 99,
             "group_ids": "",
+            "created_by": "user1",
             "create_time": 1,
         }
     ]
 
+    mock_get_user_tenant.return_value = {"user_role": "ADMIN"}
+    mock_query_groups.return_value = []
+    mock_convert_list.return_value = []
     # Do not mutate model_cache here so that the "model_id not in model_cache" branch runs.
     mock_check_availability.side_effect = lambda *args, **kwargs: (True, [])
     mock_get_model.return_value = {"model_name": "m", "display_name": "M"}
 
-    result = await list_all_agent_info_impl(tenant_id="test_tenant")
+    result = await list_all_agent_info_impl(tenant_id="test_tenant", user_id="admin_user")
 
     assert len(result) == 1
     assert result[0]["model_id"] == 99
@@ -1815,7 +2056,21 @@ async def test_list_all_agent_info_impl_model_cache_miss_fetches_model(
     mock_get_model.assert_called_once_with(99, "test_tenant")
 
 
-async def test_list_all_agent_info_impl_with_unavailable_tools():
+@pytest.mark.asyncio
+@patch("backend.services.agent_service.get_model_by_model_id")
+@patch("backend.services.agent_service.check_agent_availability")
+@patch("backend.services.agent_service.convert_string_to_list")
+@patch("backend.services.agent_service.get_user_tenant_by_user_id")
+@patch("backend.services.agent_service.query_group_ids_by_user")
+@patch("backend.services.agent_service.query_all_agent_info_by_tenant_id")
+async def test_list_all_agent_info_impl_with_unavailable_tools(
+    mock_query_agents,
+    mock_query_groups,
+    mock_get_user_tenant,
+    mock_convert_list,
+    mock_check_availability,
+    mock_get_model,
+):
     """
     Test retrieval of agent information with some unavailable tools.
 
@@ -1831,7 +2086,9 @@ async def test_list_all_agent_info_impl_with_unavailable_tools():
             "display_name": "Display Agent 1",
             "description": "Agent with available tools",
             "enabled": True,
-            "group_ids": ""
+            "group_ids": "",
+            "created_by": "user1",
+            "create_time": 1,
         },
         {
             "agent_id": 2,
@@ -1839,44 +2096,46 @@ async def test_list_all_agent_info_impl_with_unavailable_tools():
             "display_name": "Display Agent 2",
             "description": "Agent with unavailable tools",
             "enabled": True,
-            "group_ids": "5,6"
+            "group_ids": "5,6",
+            "created_by": "user2",
+            "create_time": 2,
         }
     ]
 
-    # Setup mock tools
-    mock_tools = [
-        {"tool_id": 101, "name": "Tool 1"},
-        {"tool_id": 102, "name": "Tool 2"}
+    mock_query_agents.return_value = mock_agents
+    mock_get_user_tenant.return_value = {"user_role": "ADMIN"}
+    mock_query_groups.return_value = []
+    mock_convert_list.side_effect = lambda x: [] if not x else [int(i) for i in x.split(",")]
+    # First agent has available tools, second agent has unavailable tools
+    mock_check_availability.side_effect = [
+        (True, []),  # Agent 1: available
+        (False, ["tool_unavailable"])  # Agent 2: unavailable
     ]
+    mock_get_model.return_value = None
 
-    with patch('backend.services.agent_service.query_all_agent_info_by_tenant_id') as mock_query_agents, \
-            patch('backend.services.agent_service.search_tools_for_sub_agent') as mock_search_tools, \
-            patch('backend.services.agent_service.check_tool_is_available') as mock_check_tools:
-        # Configure mocks
-        mock_query_agents.return_value = mock_agents
-        mock_search_tools.return_value = mock_tools
-        # First agent has available tools, second agent has unavailable tools
-        mock_check_tools.side_effect = [[True, True], [False, True]]
-
-        # Execute
-        result = await list_all_agent_info_impl(tenant_id="test_tenant")
+    # Execute
+    result = await list_all_agent_info_impl(tenant_id="test_tenant", user_id="admin_user")
 
-        # Assert
-        assert len(result) == 2
-        assert result[0]["is_available"] == True
-        assert result[0]["unavailable_reasons"] == []
-        assert result[0]["group_ids"] == []
-        assert result[1]["is_available"] == False
-        assert result[1]["unavailable_reasons"] == ["tool_unavailable"]
-        assert result[1]["group_ids"] == [5, 6]
+    # Assert
+    assert len(result) == 2
+    assert result[0]["is_available"] == True
+    assert result[0]["unavailable_reasons"] == []
+    assert result[0]["group_ids"] == []
+    assert result[1]["is_available"] == False
+    assert result[1]["unavailable_reasons"] == ["tool_unavailable"]
+    assert result[1]["group_ids"] == [5, 6]
 
-        # Verify mock calls
-        mock_query_agents.assert_called_once_with(tenant_id="test_tenant")
-        assert mock_search_tools.call_count == 2
-        assert mock_check_tools.call_count == 2
+    # Verify mock calls
+    mock_query_agents.assert_called_once_with(tenant_id="test_tenant")
 
 
-async def test_list_all_agent_info_impl_query_error():
+@pytest.mark.asyncio
+@patch("backend.services.agent_service.get_user_tenant_by_user_id")
+@patch("backend.services.agent_service.query_all_agent_info_by_tenant_id")
+async def test_list_all_agent_info_impl_query_error(
+    mock_query_agents,
+    mock_get_user_tenant,
+):
     """
     Test error handling when querying agent information fails.
 
@@ -1884,19 +2143,33 @@ async def test_list_all_agent_info_impl_query_error():
     1. When an error occurs during agent query
     2. The function raises a ValueError with an appropriate message
     """
-    with patch('backend.services.agent_service.query_all_agent_info_by_tenant_id') as mock_query_agents:
-        # Configure mock to raise exception
-        mock_query_agents.side_effect = Exception("Database error")
+    mock_get_user_tenant.return_value = {"user_role": "ADMIN"}
+    # Configure mock to raise exception
+    mock_query_agents.side_effect = Exception("Database error")
 
-        # Execute & Assert
-        with pytest.raises(ValueError) as context:
-            await list_all_agent_info_impl(tenant_id="test_tenant")
+    # Execute & Assert
+    with pytest.raises(ValueError) as context:
+        await list_all_agent_info_impl(tenant_id="test_tenant", user_id="admin_user")
 
-        assert "Failed to query all agent info" in str(context.value)
-        mock_query_agents.assert_called_once_with(tenant_id="test_tenant")
+    assert "Failed to query all agent info" in str(context.value)
+    mock_query_agents.assert_called_once_with(tenant_id="test_tenant")
 
 
-async def test_list_all_agent_info_impl_model_unavailable():
+@pytest.mark.asyncio
+@patch("backend.services.agent_service.get_model_by_model_id")
+@patch("backend.services.agent_service.check_agent_availability")
+@patch("backend.services.agent_service.convert_string_to_list")
+@patch("backend.services.agent_service.get_user_tenant_by_user_id")
+@patch("backend.services.agent_service.query_group_ids_by_user")
+@patch("backend.services.agent_service.query_all_agent_info_by_tenant_id")
+async def test_list_all_agent_info_impl_model_unavailable(
+    mock_query_agents,
+    mock_query_groups,
+    mock_get_user_tenant,
+    mock_convert_list,
+    mock_check_availability,
+    mock_get_model,
+):
     mock_agents = [
         {
             "agent_id": 1,
@@ -1905,69 +2178,402 @@ async def test_list_all_agent_info_impl_model_unavailable():
             "description": "Agent with unavailable model",
             "enabled": True,
             "model_id": 101,
-            "group_ids": "7,8,9"
+            "group_ids": "7,8,9",
+            "created_by": "user1",
+            "create_time": 1,
+            "current_version_no": None,
         }
     ]
 
-    with patch('backend.services.agent_service.query_all_agent_info_by_tenant_id') as mock_query_agents, \
-            patch('backend.services.agent_service.search_tools_for_sub_agent') as mock_search_tools, \
-            patch('backend.services.agent_service.get_model_by_model_id') as mock_get_model:
-        mock_query_agents.return_value = mock_agents
-        mock_search_tools.return_value = []
-        mock_get_model.return_value = {
-            "connect_status": agent_service.ModelConnectStatusEnum.UNAVAILABLE.value
-        }
+    mock_query_agents.return_value = mock_agents
+    mock_get_user_tenant.return_value = {"user_role": "ADMIN"}
+    mock_query_groups.return_value = []
+    mock_convert_list.side_effect = lambda x: [] if not x else [int(i) for i in x.split(",")]
+    mock_check_availability.side_effect = lambda *args, **kwargs: (False, ["model_unavailable"])
+    mock_get_model.return_value = None
 
-        result = await list_all_agent_info_impl(tenant_id="test_tenant")
+    result = await list_all_agent_info_impl(tenant_id="test_tenant", user_id="admin_user")
 
-        assert len(result) == 1
-        assert result[0]["is_available"] is False
-        assert result[0]["unavailable_reasons"] == ["model_unavailable"]
-        assert result[0]["group_ids"] == [7, 8, 9]
+    assert len(result) == 1
+    assert result[0]["is_available"] is False
+    assert result[0]["unavailable_reasons"] == ["model_unavailable"]
+    assert result[0]["group_ids"] == [7, 8, 9]
+    assert result[0]["is_published"] == False  # current_version_no is None
 
 
-async def test_list_all_agent_info_impl_duplicate_names():
+@pytest.mark.asyncio
+@patch("backend.services.agent_service.get_model_by_model_id")
+@patch("backend.services.agent_service.check_agent_availability")
+@patch("backend.services.agent_service.convert_string_to_list")
+@patch("backend.services.agent_service.get_user_tenant_by_user_id")
+@patch("backend.services.agent_service.query_group_ids_by_user")
+@patch("backend.services.agent_service.query_all_agent_info_by_tenant_id")
+async def test_list_all_agent_info_impl_duplicate_names(
+    mock_query_agents,
+    mock_query_groups,
+    mock_get_user_tenant,
+    mock_convert_list,
+    mock_check_availability,
+    mock_get_model,
+):
     mock_agents = [
         {
             "agent_id": 1,
             "name": "Duplicated",
-            "create_time": "2024-01-01T00:00:00",
+            "create_time": 1,
             "display_name": "Agent Display 1",
             "description": "First agent",
             "enabled": True,
-            "group_ids": "10"
+            "group_ids": "10",
+            "created_by": "user1",
         },
         {
             "agent_id": 2,
             "name": "Duplicated",
-            "create_time": "2024-02-01T00:00:00",
+            "create_time": 2,
             "display_name": "Agent Display 2",
             "description": "Second agent",
             "enabled": True,
-            "group_ids": "10,11"
+            "group_ids": "10,11",
+            "created_by": "user2",
         }
     ]
 
-    with patch('backend.services.agent_service.query_all_agent_info_by_tenant_id') as mock_query_agents, \
-            patch('backend.services.agent_service.search_tools_for_sub_agent') as mock_search_tools:
-        mock_query_agents.return_value = mock_agents
-        mock_search_tools.return_value = []
+    mock_query_agents.return_value = mock_agents
+    mock_get_user_tenant.return_value = {"user_role": "ADMIN"}
+    mock_query_groups.return_value = []
+    mock_convert_list.side_effect = lambda x: [] if not x else [int(i) for i in x.split(",")]
+    mock_check_availability.side_effect = lambda *args, **kwargs: (True, [])
+    mock_get_model.return_value = None
 
-        result = await list_all_agent_info_impl(tenant_id="test_tenant")
+    result = await list_all_agent_info_impl(tenant_id="test_tenant", user_id="admin_user")
 
-        assert len(result) == 2
+    assert len(result) == 2
 
-        # The earliest created agent (agent_id=1) should remain available
-        agent1 = next(a for a in result if a["agent_id"] == 1)
-        assert agent1["is_available"] is True
-        assert "duplicate_name" not in agent1["unavailable_reasons"]
-        assert agent1["group_ids"] == [10]
+    # The earliest created agent (agent_id=1) should remain available
+    agent1 = next(a for a in result if a["agent_id"] == 1)
+    assert agent1["is_available"] is True
+    assert "duplicate_name" not in agent1["unavailable_reasons"]
+    assert agent1["group_ids"] == [10]
+    assert agent1["is_published"] == False  # current_version_no is missing/None
 
-        # The later created agent (agent_id=2) should be unavailable due to duplication
-        agent2 = next(a for a in result if a["agent_id"] == 2)
-        assert agent2["is_available"] is False
-        assert "duplicate_name" in agent2["unavailable_reasons"]
-        assert agent2["group_ids"] == [10, 11]
+    # The later created agent (agent_id=2) should be unavailable due to duplication
+    agent2 = next(a for a in result if a["agent_id"] == 2)
+    assert agent2["is_available"] is False
+    assert "duplicate_name" in agent2["unavailable_reasons"]
+    assert agent2["group_ids"] == [10, 11]
+    assert agent2["is_published"] == False  # current_version_no is missing/None
+
+
+@pytest.mark.asyncio
+@patch("backend.services.agent_service.get_model_by_model_id")
+@patch("backend.services.agent_service.check_agent_availability")
+@patch("backend.services.agent_service.convert_string_to_list")
+@patch("backend.services.agent_service.get_user_tenant_by_user_id")
+@patch("backend.services.agent_service.query_group_ids_by_user")
+@patch("backend.services.agent_service.query_all_agent_info_by_tenant_id")
+async def test_list_all_agent_info_impl_user_permission_read_only(
+    mock_query_agents,
+    mock_query_groups,
+    mock_get_user_tenant,
+    mock_convert_list,
+    mock_check_availability,
+    mock_get_model,
+):
+    """Test that regular users get READ_ONLY permission for agents they didn't create."""
+    mock_agents = [
+        {
+            "agent_id": 1,
+            "name": "Agent 1",
+            "display_name": "Display Agent 1",
+            "description": "Agent created by user1",
+            "enabled": True,
+            "group_ids": "1",  # Agent in group 1
+            "created_by": "user1",
+            "create_time": 1,
+        },
+        {
+            "agent_id": 2,
+            "name": "Agent 2",
+            "display_name": "Display Agent 2",
+            "description": "Agent created by current_user",
+            "enabled": True,
+            "group_ids": "1",  # Agent in group 1
+            "created_by": "current_user",
+            "create_time": 2,
+        }
+    ]
+
+    mock_query_agents.return_value = mock_agents
+    mock_get_user_tenant.return_value = {"user_role": "USER"}  # Regular user, not admin
+    mock_query_groups.return_value = [1]  # User is in group 1, so can see both agents
+
+    # Mock convert_string_to_list to handle both empty strings and comma-separated values
+    # This should match the actual implementation in utils.str_utils
+    def convert_side_effect(x):
+        if not x or (isinstance(x, str) and x.strip() == ""):
+            return []
+        # Handle comma-separated string like "1" or "1,2"
+        parts = str(x).split(",")
+        result = []
+        for part in parts:
+            stripped = part.strip()
+            if stripped and stripped.isdigit():
+                result.append(int(stripped))
+        return result
+    mock_convert_list.side_effect = convert_side_effect
+
+    # Mock check_agent_availability to return (is_available, unavailable_reasons)
+    mock_check_availability.return_value = (True, [])
+    mock_get_model.return_value = None
+
+    result = await list_all_agent_info_impl(tenant_id="test_tenant", user_id="current_user")
+
+    assert len(result) == 2
+    # Agent created by user1 - current_user should have READ_ONLY
+    agent1 = next(a for a in result if a["agent_id"] == 1)
+    assert agent1["permission"] == "READ_ONLY"
+    # Agent created by current_user - should have EDIT
+    agent2 = next(a for a in result if a["agent_id"] == 2)
+    assert agent2["permission"] == "EDIT"
+
+
+@pytest.mark.asyncio
+@patch("backend.services.agent_service.get_model_by_model_id")
+@patch("backend.services.agent_service.check_agent_availability")
+@patch("backend.services.agent_service.convert_string_to_list")
+@patch("backend.services.agent_service.get_user_tenant_by_user_id")
+@patch("backend.services.agent_service.query_group_ids_by_user")
+@patch("backend.services.agent_service.query_all_agent_info_by_tenant_id")
+async def test_list_all_agent_info_impl_group_filtering(
+    mock_query_agents,
+    mock_query_groups,
+    mock_get_user_tenant,
+    mock_convert_list,
+    mock_check_availability,
+    mock_get_model,
+):
+    """Test that regular users only see agents whose group_ids overlap with their groups."""
+    mock_agents = [
+        {
+            "agent_id": 1,
+            "name": "Agent 1",
+            "display_name": "Display Agent 1",
+            "description": "Agent in group 1",
+            "enabled": True,
+            "group_ids": "1,2",
+            "created_by": "user1",
+            "create_time": 1,
+        },
+        {
+            "agent_id": 2,
+            "name": "Agent 2",
+            "display_name": "Display Agent 2",
+            "description": "Agent in group 3",
+            "enabled": True,
+            "group_ids": "3,4",
+            "created_by": "user2",
+            "create_time": 2,
+        },
+        {
+            "agent_id": 3,
+            "name": "Agent 3",
+            "display_name": "Display Agent 3",
+            "description": "Agent in group 1 (same as user)",
+            "enabled": True,
+            "group_ids": "1",  # Agent in group 1, which overlaps with user's groups
+            "created_by": "user3",
+            "create_time": 3,
+        }
+    ]
+
+    mock_query_agents.return_value = mock_agents
+    mock_get_user_tenant.return_value = {"user_role": "USER"}  # Regular user
+    mock_query_groups.return_value = [1, 2]  # User is in groups 1 and 2
+
+    # Mock convert_string_to_list to handle both empty strings and comma-separated values
+    # This should match the actual implementation in utils.str_utils
+    def convert_side_effect(x):
+        if not x or (isinstance(x, str) and x.strip() == ""):
+            return []
+        # Handle comma-separated string like "1" or "1,2"
+        parts = str(x).split(",")
+        result = []
+        for part in parts:
+            stripped = part.strip()
+            if stripped and stripped.isdigit():
+                result.append(int(stripped))
+        return result
+    mock_convert_list.side_effect = convert_side_effect
+
+    # Mock check_agent_availability to return (is_available, unavailable_reasons)
+    mock_check_availability.return_value = (True, [])
+    mock_get_model.return_value = None
+
+    result = await list_all_agent_info_impl(tenant_id="test_tenant", user_id="regular_user")
+
+    # Should only see Agent 1 (overlaps with user's groups 1,2) and Agent 3 (overlaps with group 1)
+    # Agent 2 should be filtered out (groups 3,4 don't overlap with user's groups 1,2)
+    assert len(result) == 2
+    agent_ids = [a["agent_id"] for a in result]
+    assert 1 in agent_ids
+    assert 3 in agent_ids
+    assert 2 not in agent_ids
+
+
+@pytest.mark.asyncio
+@patch("backend.services.agent_service.get_model_by_model_id")
+@patch("backend.services.agent_service.check_agent_availability")
+@patch("backend.services.agent_service.convert_string_to_list")
+@patch("backend.services.agent_service.get_user_tenant_by_user_id")
+@patch("backend.services.agent_service.query_group_ids_by_user")
+@patch("backend.services.agent_service.query_all_agent_info_by_tenant_id")
+async def test_list_all_agent_info_impl_disabled_agents_filtered(
+    mock_query_agents,
+    mock_query_groups,
+    mock_get_user_tenant,
+    mock_convert_list,
+    mock_check_availability,
+    mock_get_model,
+):
+    """Test that disabled agents are filtered out."""
+    mock_agents = [
+        {
+            "agent_id": 1,
+            "name": "Agent 1",
+            "display_name": "Display Agent 1",
+            "description": "Enabled agent",
+            "enabled": True,
+            "group_ids": "",
+            "created_by": "user1",
+            "create_time": 1,
+        },
+        {
+            "agent_id": 2,
+            "name": "Agent 2",
+            "display_name": "Display Agent 2",
+            "description": "Disabled agent",
+            "enabled": False,
+            "group_ids": "",
+            "created_by": "user2",
+            "create_time": 2,
+        }
+    ]
+
+    mock_query_agents.return_value = mock_agents
+    mock_get_user_tenant.return_value = {"user_role": "ADMIN"}
+    # For admin users, query_group_ids_by_user is not called, but we still need to mock it
+    mock_query_groups.return_value = []
+    mock_convert_list.return_value = []
+    # Mock check_agent_availability to return (is_available, unavailable_reasons)
+    mock_check_availability.return_value = (True, [])
+    mock_get_model.return_value = None
+
+    result = await list_all_agent_info_impl(tenant_id="test_tenant", user_id="admin_user")
+
+    # Should only see enabled agent (disabled agents are filtered out)
+    assert len(result) == 1
+    assert result[0]["agent_id"] == 1
+    assert result[0]["name"] == "Agent 1"
+
+
+@pytest.mark.asyncio
+@patch("backend.services.agent_service.get_model_by_model_id")
+@patch("backend.services.agent_service.check_agent_availability")
+@patch("backend.services.agent_service.convert_string_to_list")
+@patch("backend.services.agent_service.get_user_tenant_by_user_id")
+@patch("backend.services.agent_service.query_group_ids_by_user")
+@patch("backend.services.agent_service.query_all_agent_info_by_tenant_id")
+async def test_list_all_agent_info_impl_group_query_error_handled(
+    mock_query_agents,
+    mock_query_groups,
+    mock_get_user_tenant,
+    mock_convert_list,
+    mock_check_availability,
+    mock_get_model,
+):
+    """Test that group query errors are handled gracefully - admin users are not affected."""
+    mock_agents = [
+        {
+            "agent_id": 1,
+            "name": "Agent 1",
+            "display_name": "Display Agent 1",
+            "description": "Test agent",
+            "enabled": True,
+            "group_ids": "",
+            "created_by": "user1",
+            "create_time": 1,
+        }
+    ]
+
+    mock_query_agents.return_value = mock_agents
+    # Use ADMIN user - group query errors don't affect admin users since they bypass group filtering
+    mock_get_user_tenant.return_value = {"user_role": "ADMIN"}
+    # For admin users, query_group_ids_by_user is not called (can_edit_all is True)
+    # But if it were called and failed, it should be handled gracefully
+    mock_query_groups.side_effect = Exception("Database error")  # Simulate error
+    mock_convert_list.return_value = []
+    # Mock check_agent_availability to return (is_available, unavailable_reasons)
+    mock_check_availability.return_value = (True, [])
+    mock_get_model.return_value = None
+
+    # Should not raise exception, but should handle gracefully
+    # Admin users bypass group filtering, so they should see all agents
+    result = await list_all_agent_info_impl(tenant_id="test_tenant", user_id="admin_user")
+
+    # Admin users should still see agents even if group query fails
+    assert len(result) == 1
+    assert result[0]["agent_id"] == 1
+
+
+@pytest.mark.asyncio
+@patch("backend.services.agent_service.get_model_by_model_id")
+@patch("backend.services.agent_service.check_agent_availability")
+@patch("backend.services.agent_service.convert_string_to_list")
+@patch("backend.services.agent_service.get_user_tenant_by_user_id")
+@patch("backend.services.agent_service.query_group_ids_by_user")
+@patch("backend.services.agent_service.query_all_agent_info_by_tenant_id")
+async def test_list_all_agent_info_impl_group_query_error_for_user_role(
+    mock_query_agents,
+    mock_query_groups,
+    mock_get_user_tenant,
+    mock_convert_list,
+    mock_check_availability,
+    mock_get_model,
+):
+    """Test that group query errors are handled gracefully for USER/DEV roles - covers lines 1274-1278."""
+    mock_agents = [
+        {
+            "agent_id": 1,
+            "name": "Agent 1",
+            "display_name": "Display Agent 1",
+            "description": "Test agent",
+            "enabled": True,
+            "group_ids": "1,2",
+            "created_by": "user1",
+            "create_time": 1,
+        }
+    ]
+
+    mock_query_agents.return_value = mock_agents
+    # Use USER role - group query errors should be handled gracefully
+    mock_get_user_tenant.return_value = {"user_role": "USER"}
+    # Simulate exception when querying group IDs - this should trigger lines 1274-1278
+    mock_query_groups.side_effect = Exception("Database connection error")
+    mock_convert_list.return_value = []
+    # Mock check_agent_availability to return (is_available, unavailable_reasons)
+    mock_check_availability.return_value = (True, [])
+    mock_get_model.return_value = None
+
+    # Should not raise exception, but should handle gracefully
+    # When group query fails, user_group_ids is set to empty set, so no agents match
+    result = await list_all_agent_info_impl(tenant_id="test_tenant", user_id="user1")
+
+    # Since user_group_ids is empty set (due to exception), no agents should match group filter
+    # So result should be empty
+    assert len(result) == 0
+    # Verify that query_group_ids_by_user was called (to trigger the exception)
+    mock_query_groups.assert_called_once_with("user1")
 
 
 @patch('backend.services.agent_service.query_sub_agents_id_list')
@@ -3879,7 +4485,21 @@ def fake_unregister(task_id):
 
 
 @pytest.mark.asyncio
-async def test_list_all_agent_info_impl_with_disabled_agents():
+@pytest.mark.asyncio
+@patch("backend.services.agent_service.get_model_by_model_id")
+@patch("backend.services.agent_service.check_agent_availability")
+@patch("backend.services.agent_service.convert_string_to_list")
+@patch("backend.services.agent_service.get_user_tenant_by_user_id")
+@patch("backend.services.agent_service.query_group_ids_by_user")
+@patch("backend.services.agent_service.query_all_agent_info_by_tenant_id")
+async def test_list_all_agent_info_impl_with_disabled_agents(
+    mock_query_agents,
+    mock_query_groups,
+    mock_get_user_tenant,
+    mock_convert_list,
+    mock_check_availability,
+    mock_get_model,
+):
     """
     Test list_all_agent_info_impl with disabled agents.
 
@@ -3895,7 +4515,9 @@ async def test_list_all_agent_info_impl_with_disabled_agents():
             "display_name": "Display Enabled Agent 1",
             "description": "First enabled agent",
             "enabled": True,
-            "group_ids": "12"
+            "group_ids": "12",
+            "created_by": "user1",
+            "create_time": 1,
         },
         {
             "agent_id": 2,
@@ -3903,7 +4525,9 @@ async def test_list_all_agent_info_impl_with_disabled_agents():
             "display_name": "Display Disabled Agent",
             "description": "Disabled agent that should be skipped",
             "enabled": False,
-            "group_ids": "13"
+            "group_ids": "13",
+            "created_by": "user2",
+            "create_time": 2,
         },
         {
             "agent_id": 3,
@@ -3911,61 +4535,61 @@ async def test_list_all_agent_info_impl_with_disabled_agents():
             "display_name": "Display Enabled Agent 2",
             "description": "Second enabled agent",
             "enabled": True,
-            "group_ids": "12,14"
+            "group_ids": "12,14",
+            "created_by": "user3",
+            "create_time": 3,
         }
     ]
 
-    # Setup mock tools
-    mock_tools = [
-        {"tool_id": 101, "name": "Tool 1"},
-        {"tool_id": 102, "name": "Tool 2"}
-    ]
-
-    with patch('backend.services.agent_service.query_all_agent_info_by_tenant_id') as mock_query_agents, \
-            patch('backend.services.agent_service.search_tools_for_sub_agent') as mock_search_tools, \
-            patch('backend.services.agent_service.check_tool_is_available') as mock_check_tools:
-        # Configure mocks
-        mock_query_agents.return_value = mock_agents
-        mock_search_tools.return_value = mock_tools
-        mock_check_tools.return_value = [True, True]  # All tools are available
+    mock_query_agents.return_value = mock_agents
+    mock_get_user_tenant.return_value = {"user_role": "ADMIN"}
+    mock_query_groups.return_value = []
+    mock_convert_list.side_effect = lambda x: [] if not x else [int(i) for i in x.split(",")]
+    mock_check_availability.side_effect = lambda *args, **kwargs: (True, [])
+    mock_get_model.return_value = None
 
-        # Execute
-        result = await list_all_agent_info_impl(tenant_id="test_tenant")
+    # Execute
+    result = await list_all_agent_info_impl(tenant_id="test_tenant", user_id="admin_user")
+
+    # Assert - only enabled agents should be in the result
+    assert len(result) == 2
+    assert result[0]["agent_id"] == 1
+    assert result[0]["name"] == "Enabled Agent 1"
+    assert result[0]["display_name"] == "Display Enabled Agent 1"
+    assert result[0]["is_available"] == True
+    assert result[0]["group_ids"] == [12]
+
+    assert result[1]["agent_id"] == 3
+    assert result[1]["name"] == "Enabled Agent 2"
+    assert result[1]["display_name"] == "Display Enabled Agent 2"
+    assert result[1]["is_available"] == True
+    assert result[1]["group_ids"] == [12, 14]
 
-        # Assert - only enabled agents should be in the result
-        assert len(result) == 2
-        assert result[0]["agent_id"] == 1
-        assert result[0]["name"] == "Enabled Agent 1"
-        assert result[0]["display_name"] == "Display Enabled Agent 1"
-        assert result[0]["is_available"] == True
-        assert result[0]["group_ids"] == [12]
-
-        assert result[1]["agent_id"] == 3
-        assert result[1]["name"] == "Enabled Agent 2"
-        assert result[1]["display_name"] == "Display Enabled Agent 2"
-        assert result[1]["is_available"] == True
-        assert result[1]["group_ids"] == [12, 14]
-
-        # Verify mock calls
-        mock_query_agents.assert_called_once_with(tenant_id="test_tenant")
-        # search_tools_for_sub_agent should only be called for enabled agents (2 calls, not 3)
-        assert mock_search_tools.call_count == 2
-        mock_search_tools.assert_has_calls([
-            call(agent_id=1, tenant_id="test_tenant"),
-            call(agent_id=3, tenant_id="test_tenant")
-        ])
-        # check_tool_is_available should only be called for enabled agents (2 calls, not 3)
-        assert mock_check_tools.call_count == 2
+    # Verify mock calls
+    mock_query_agents.assert_called_once_with(tenant_id="test_tenant")
 
 
 @pytest.mark.asyncio
-async def test_list_all_agent_info_impl_all_disabled_agents():
+@patch("backend.services.agent_service.get_model_by_model_id")
+@patch("backend.services.agent_service.check_agent_availability")
+@patch("backend.services.agent_service.convert_string_to_list")
+@patch("backend.services.agent_service.get_user_tenant_by_user_id")
+@patch("backend.services.agent_service.query_group_ids_by_user")
+@patch("backend.services.agent_service.query_all_agent_info_by_tenant_id")
+async def test_list_all_agent_info_impl_all_disabled_agents(
+    mock_query_agents,
+    mock_query_groups,
+    mock_get_user_tenant,
+    mock_convert_list,
+    mock_check_availability,
+    mock_get_model,
+):
     """
     Test list_all_agent_info_impl with all agents disabled.
 
     This test verifies that:
     1. When all agents are disabled, an empty list is returned
-    2. No tool queries are made since no agents are processed
+    2. No availability checks are made since no agents are processed
     """
     # Setup mock agents - all disabled
     mock_agents = [
@@ -3975,7 +4599,9 @@ async def test_list_all_agent_info_impl_all_disabled_agents():
             "display_name": "Display Disabled Agent 1",
             "description": "First disabled agent",
             "enabled": False,
-            "group_ids": "15"
+            "group_ids": "15",
+            "created_by": "user1",
+            "create_time": 1,
         },
         {
             "agent_id": 2,
@@ -3983,28 +4609,30 @@ async def test_list_all_agent_info_impl_all_disabled_agents():
             "display_name": "Display Disabled Agent 2",
             "description": "Second disabled agent",
             "enabled": False,
-            "group_ids": "16,17"
+            "group_ids": "16,17",
+            "created_by": "user2",
+            "create_time": 2,
         }
     ]
 
-    with patch('backend.services.agent_service.query_all_agent_info_by_tenant_id') as mock_query_agents, \
-            patch('backend.services.agent_service.search_tools_for_sub_agent') as mock_search_tools, \
-            patch('backend.services.agent_service.check_tool_is_available') as mock_check_tools:
-        # Configure mocks
-        mock_query_agents.return_value = mock_agents
+    mock_query_agents.return_value = mock_agents
+    mock_get_user_tenant.return_value = {"user_role": "ADMIN"}
+    mock_query_groups.return_value = []
+    mock_convert_list.return_value = []
+    mock_check_availability.return_value = (True, [])
+    mock_get_model.return_value = None
 
-        # Execute
-        result = await list_all_agent_info_impl(tenant_id="test_tenant")
+    # Execute
+    result = await list_all_agent_info_impl(tenant_id="test_tenant", user_id="admin_user")
 
-        # Assert - no agents should be in the result
-        assert len(result) == 0
-        assert result == []
+    # Assert - no agents should be in the result
+    assert len(result) == 0
+    assert result == []
 
-        # Verify mock calls
-        mock_query_agents.assert_called_once_with(tenant_id="test_tenant")
-        # No tool queries should be made since no agents are enabled
-        mock_search_tools.assert_not_called()
-        mock_check_tools.assert_not_called()
+    # Verify mock calls
+    mock_query_agents.assert_called_once_with(tenant_id="test_tenant")
+    # No availability checks should be made since no agents are enabled
+    mock_check_availability.assert_not_called()
 
 
 def test_apply_duplicate_name_availability_rules_handles_missing_fields():
diff --git a/test/backend/services/test_agent_version_service.py b/test/backend/services/test_agent_version_service.py
new file mode 100644
index 000000000..1c007cfb3
--- /dev/null
+++ b/test/backend/services/test_agent_version_service.py
@@ -0,0 +1,924 @@
+import sys
+import pytest
+from unittest.mock import patch, MagicMock
+from contextlib import contextmanager
+
+# First mock the consts module to avoid ModuleNotFoundError
+consts_mock = MagicMock()
+consts_mock.const = MagicMock()
+consts_mock.const.MINIO_ENDPOINT = "http://localhost:9000"
+consts_mock.const.MINIO_ACCESS_KEY = "test_access_key"
+consts_mock.const.MINIO_SECRET_KEY = "test_secret_key"
+consts_mock.const.MINIO_REGION = "us-east-1"
+consts_mock.const.MINIO_DEFAULT_BUCKET = "test-bucket"
+consts_mock.const.POSTGRES_HOST = "localhost"
+consts_mock.const.POSTGRES_USER = "test_user"
+consts_mock.const.NEXENT_POSTGRES_PASSWORD = "test_password"
+consts_mock.const.POSTGRES_DB = "test_db"
+consts_mock.const.POSTGRES_PORT = 5432
+consts_mock.const.DEFAULT_TENANT_ID = "default_tenant"
+
+sys.modules['consts'] = consts_mock
+sys.modules['consts.const'] = consts_mock.const
+
+# Mock utils module
+utils_mock = MagicMock()
+utils_mock.auth_utils = MagicMock()
+utils_mock.auth_utils.get_current_user_id_from_token = MagicMock(return_value="test_user_id")
+utils_mock.str_utils = MagicMock()
+utils_mock.str_utils.convert_string_to_list = MagicMock(
+    side_effect=lambda s: [] if not s else [int(x) for x in str(s).split(",") if str(x).strip().isdigit()]
+)
+
+sys.modules['utils'] = utils_mock
+sys.modules['utils.auth_utils'] = utils_mock.auth_utils
+sys.modules['utils.str_utils'] = utils_mock.str_utils
+
+# Mock boto3
+boto3_mock = MagicMock()
+sys.modules['boto3'] = boto3_mock
+
+# Mock database.client
+client_mock = MagicMock()
+client_mock.MinioClient = MagicMock()
+client_mock.PostgresClient = MagicMock()
+client_mock.db_client = MagicMock()
+client_mock.get_db_session = MagicMock()
+client_mock.as_dict = MagicMock()
+
+sys.modules['database.client'] = client_mock
+sys.modules['backend.database.client'] = client_mock
+
+# Mock database.db_models
+db_models_mock = MagicMock()
+db_models_mock.AgentInfo = MagicMock()
+db_models_mock.ToolInstance = MagicMock()
+db_models_mock.AgentRelation = MagicMock()
+db_models_mock.AgentVersion = MagicMock()
+
+sys.modules['database.db_models'] = db_models_mock
+sys.modules['backend.database.db_models'] = db_models_mock
+
+# Mock database.agent_version_db
+agent_version_db_mock = MagicMock()
+agent_version_db_mock.SOURCE_TYPE_NORMAL = "NORMAL"
+agent_version_db_mock.SOURCE_TYPE_ROLLBACK = "ROLLBACK"
+agent_version_db_mock.STATUS_RELEASED = "RELEASED"
+agent_version_db_mock.STATUS_DISABLED = "DISABLED"
+agent_version_db_mock.STATUS_ARCHIVED = "ARCHIVED"
+
+sys.modules['database.agent_version_db'] = agent_version_db_mock
+sys.modules['backend.database.agent_version_db'] = agent_version_db_mock
+
+# Mock database.model_management_db
+model_management_db_mock = MagicMock()
+sys.modules['database.model_management_db'] = model_management_db_mock
+sys.modules['backend.database.model_management_db'] = model_management_db_mock
+
+# Mock database.agent_db (for list_published_agents_impl)
+agent_db_mock = MagicMock()
+sys.modules['database.agent_db'] = agent_db_mock
+sys.modules['backend.database.agent_db'] = agent_db_mock
+
+# Mock services.agent_service (for list_published_agents_impl)
+agent_service_mock = MagicMock()
+agent_service_mock.CAN_EDIT_ALL_USER_ROLES = ["ADMIN", "SUPER_ADMIN"]
+agent_service_mock.PERMISSION_EDIT = "EDIT"
+agent_service_mock.PERMISSION_READ = "READ"
+sys.modules['services.agent_service'] = agent_service_mock
+sys.modules['backend.services.agent_service'] = agent_service_mock
+
+# Now import the service module
+import backend.services.agent_version_service as agent_version_service_module
+from backend.services.agent_version_service import (
+    publish_version_impl,
+    get_version_list_impl,
+    get_version_impl,
+    get_version_detail_impl,
+    rollback_version_impl,
+    update_version_status_impl,
+    delete_version_impl,
+    get_current_version_impl,
+    compare_versions_impl,
+    list_published_agents_impl,
+    _check_version_snapshot_availability,
+    _get_version_detail_or_draft,
+    _remove_audit_fields_for_insert,
+)
+
+
+@pytest.fixture
+def mock_agent_draft():
+    """Mock agent draft data"""
+    return {
+        "agent_id": 1,
+        "tenant_id": "tenant1",
+        "version_no": 0,
+        "name": "Test Agent",
+        "description": "Test Description",
+        "model_id": 1,
+        "business_logic_model_id": 2,
+        "max_steps": 10,
+        "duty_prompt": "Test prompt",
+        "group_ids": "1,2",
+        "create_time": "2023-01-01 12:00:00",
+        "update_time": "2023-01-01 12:00:00",
+        "created_by": "user1",
+        "updated_by": "user1",
+        "delete_flag": "N",
+    }
+
+
+@pytest.fixture
+def mock_tools_draft():
+    """Mock tools draft data"""
+    return [
+        {
+            "tool_instance_id": 1,
+            "tool_id": 1,
+            "agent_id": 1,
+            "tenant_id": "tenant1",
+            "version_no": 0,
+            "enabled": True,
+        },
+        {
+            "tool_instance_id": 2,
+            "tool_id": 2,
+            "agent_id": 1,
+            "tenant_id": "tenant1",
+            "version_no": 0,
+            "enabled": True,
+        },
+    ]
+
+
+@pytest.fixture
+def mock_relations_draft():
+    """Mock relations draft data"""
+    return [
+        {
+            "id": 1,
+            "parent_agent_id": 1,
+            "selected_agent_id": 2,
+            "tenant_id": "tenant1",
+            "version_no": 0,
+        }
+    ]
+
+
+def test_publish_version_impl_success(monkeypatch, mock_agent_draft, mock_tools_draft, mock_relations_draft):
+    """Test successfully publishing a version"""
+    # Mock query_agent_draft - patch in service module
+    mock_query_draft = MagicMock(return_value=(mock_agent_draft, mock_tools_draft, mock_relations_draft))
+    monkeypatch.setattr(agent_version_service_module, "query_agent_draft", mock_query_draft)
+    
+    # Mock get_next_version_no
+    mock_get_next = MagicMock(return_value=1)
+    monkeypatch.setattr(agent_version_service_module, "get_next_version_no", mock_get_next)
+    
+    # Mock insert functions
+    mock_insert_agent = MagicMock()
+    monkeypatch.setattr(agent_version_service_module, "insert_agent_snapshot", mock_insert_agent)
+    mock_insert_tool = MagicMock()
+    monkeypatch.setattr(agent_version_service_module, "insert_tool_snapshot", mock_insert_tool)
+    mock_insert_relation = MagicMock()
+    monkeypatch.setattr(agent_version_service_module, "insert_relation_snapshot", mock_insert_relation)
+    
+    # Mock insert_version
+    mock_insert_version = MagicMock(return_value=100)
+    monkeypatch.setattr(agent_version_service_module, "insert_version", mock_insert_version)
+    
+    # Mock update_agent_current_version
+    mock_update_current = MagicMock()
+    monkeypatch.setattr(agent_version_service_module, "update_agent_current_version", mock_update_current)
+    
+    result = publish_version_impl(
+        agent_id=1,
+        tenant_id="tenant1",
+        user_id="user1",
+        version_name="v1.0",
+        release_note="Initial release",
+    )
+    
+    assert result["version_no"] == 1
+    assert result["id"] == 100
+    assert "message" in result
+    mock_insert_agent.assert_called_once()
+    assert mock_insert_tool.call_count == 2
+    assert mock_insert_relation.call_count == 1
+
+
+def test_publish_version_impl_no_draft(monkeypatch):
+    """Test publishing when draft doesn't exist"""
+    mock_query_draft = MagicMock(return_value=(None, [], []))
+    monkeypatch.setattr(agent_version_service_module, "query_agent_draft", mock_query_draft)
+    
+    with pytest.raises(ValueError, match="Agent draft not found"):
+        publish_version_impl(
+            agent_id=1,
+            tenant_id="tenant1",
+            user_id="user1",
+        )
+
+
+def test_publish_version_impl_with_rollback_source(monkeypatch, mock_agent_draft, mock_tools_draft, mock_relations_draft):
+    """Test publishing a version with rollback source type"""
+    mock_query_draft = MagicMock(return_value=(mock_agent_draft, mock_tools_draft, mock_relations_draft))
+    monkeypatch.setattr(agent_version_service_module, "query_agent_draft", mock_query_draft)
+    mock_get_next = MagicMock(return_value=2)
+    monkeypatch.setattr(agent_version_service_module, "get_next_version_no", mock_get_next)
+    mock_insert_agent = MagicMock()
+    monkeypatch.setattr(agent_version_service_module, "insert_agent_snapshot", mock_insert_agent)
+    mock_insert_tool = MagicMock()
+    monkeypatch.setattr(agent_version_service_module, "insert_tool_snapshot", mock_insert_tool)
+    mock_insert_relation = MagicMock()
+    monkeypatch.setattr(agent_version_service_module, "insert_relation_snapshot", mock_insert_relation)
+    mock_insert_version = MagicMock(return_value=101)
+    monkeypatch.setattr(agent_version_service_module, "insert_version", mock_insert_version)
+    mock_update_current = MagicMock()
+    monkeypatch.setattr(agent_version_service_module, "update_agent_current_version", mock_update_current)
+    
+    result = publish_version_impl(
+        agent_id=1,
+        tenant_id="tenant1",
+        user_id="user1",
+        source_type="ROLLBACK",
+        source_version_no=1,
+    )
+    
+    assert result["version_no"] == 2
+    # Verify insert_version was called with correct source_type
+    call_args = mock_insert_version.call_args[0][0]
+    assert call_args["source_type"] == "ROLLBACK"
+    assert call_args["source_version_no"] == 1
+
+
+def test_get_version_list_impl_success(monkeypatch):
+    """Test successfully getting version list"""
+    mock_versions = [
+        {"version_no": 2, "version_name": "v2.0"},
+        {"version_no": 1, "version_name": "v1.0"},
+    ]
+    mock_query_list = MagicMock(return_value=mock_versions)
+    monkeypatch.setattr(agent_version_service_module, "query_version_list", mock_query_list)
+    
+    result = get_version_list_impl(agent_id=1, tenant_id="tenant1")
+    
+    assert result["total"] == 2
+    assert len(result["items"]) == 2
+    assert result["items"][0]["version_no"] == 2
+
+
+def test_get_version_list_impl_empty(monkeypatch):
+    """Test getting version list when no versions exist"""
+    mock_query_list = MagicMock(return_value=[])
+    monkeypatch.setattr(agent_version_service_module, "query_version_list", mock_query_list)
+    
+    result = get_version_list_impl(agent_id=1, tenant_id="tenant1")
+    
+    assert result["total"] == 0
+    assert result["items"] == []
+
+
+def test_get_version_impl_success(monkeypatch):
+    """Test successfully getting a version"""
+    mock_version = {
+        "version_no": 1,
+        "version_name": "v1.0",
+        "status": "RELEASED",
+    }
+    mock_search = MagicMock(return_value=mock_version)
+    monkeypatch.setattr(agent_version_service_module, "search_version_by_version_no", mock_search)
+    
+    result = get_version_impl(agent_id=1, tenant_id="tenant1", version_no=1)
+    
+    assert result["version_no"] == 1
+    assert result["version_name"] == "v1.0"
+
+
+def test_get_version_detail_impl_success(monkeypatch):
+    """Test successfully getting version detail"""
+    mock_version = {
+        "version_no": 1,
+        "version_name": "v1.0",
+        "status": "RELEASED",
+        "release_note": "Test note",
+        "source_type": "NORMAL",
+        "source_version_no": None,
+    }
+    
+    mock_agent_snapshot = {
+        "agent_id": 1,
+        "name": "Test Agent",
+        "model_id": 1,
+        "business_logic_model_id": 2,
+        "max_steps": 10,
+        "description": "Test",
+        "duty_prompt": "Test prompt",
+        "group_ids": "1,2",
+    }
+    
+    mock_tools_snapshot = [
+        {"tool_id": 1, "enabled": True},
+        {"tool_id": 2, "enabled": True},
+    ]
+    
+    mock_relations_snapshot = [
+        {"selected_agent_id": 2},
+    ]
+    
+    mock_search = MagicMock(return_value=mock_version)
+    monkeypatch.setattr(agent_version_service_module, "search_version_by_version_no", mock_search)
+    mock_query_snapshot = MagicMock(
+        return_value=(mock_agent_snapshot, mock_tools_snapshot, mock_relations_snapshot)
+    )
+    monkeypatch.setattr(agent_version_service_module, "query_agent_snapshot", mock_query_snapshot)
+    
+    mock_model_info = {"display_name": "Test Model"}
+    mock_get_model = MagicMock(return_value=mock_model_info)
+    monkeypatch.setattr(agent_version_service_module, "get_model_by_model_id", mock_get_model)
+    
+    result = get_version_detail_impl(agent_id=1, tenant_id="tenant1", version_no=1)
+    
+    assert result["name"] == "Test Agent"
+    assert result["version"]["version_name"] == "v1.0"
+    assert len(result["tools"]) == 2
+    assert result["sub_agent_id_list"] == [2]
+    assert result["model_name"] == "Test Model"
+    assert "is_available" in result
+    assert "unavailable_reasons" in result
+
+
+def test_get_version_detail_impl_version_not_found(monkeypatch):
+    """Test getting version detail when version doesn't exist"""
+    mock_search = MagicMock(return_value=None)
+    monkeypatch.setattr(agent_version_service_module, "search_version_by_version_no", mock_search)
+    
+    with pytest.raises(ValueError, match="Version 1 not found"):
+        get_version_detail_impl(agent_id=1, tenant_id="tenant1", version_no=1)
+
+
+def test_get_version_detail_impl_snapshot_not_found(monkeypatch):
+    """Test getting version detail when snapshot doesn't exist"""
+    mock_version = {"version_no": 1}
+    mock_search = MagicMock(return_value=mock_version)
+    monkeypatch.setattr(agent_version_service_module, "search_version_by_version_no", mock_search)
+    mock_query_snapshot = MagicMock(return_value=(None, [], []))
+    monkeypatch.setattr(agent_version_service_module, "query_agent_snapshot", mock_query_snapshot)
+    
+    with pytest.raises(ValueError, match="Agent snapshot for version 1 not found"):
+        get_version_detail_impl(agent_id=1, tenant_id="tenant1", version_no=1)
+
+
+def test_rollback_version_impl_success(monkeypatch):
+    """Test successfully rolling back to a version"""
+    mock_version = {
+        "version_no": 1,
+        "version_name": "v1.0",
+    }
+    mock_search = MagicMock(return_value=mock_version)
+    monkeypatch.setattr(agent_version_service_module, "search_version_by_version_no", mock_search)
+    mock_update_current = MagicMock(return_value=1)
+    monkeypatch.setattr(agent_version_service_module, "update_agent_current_version", mock_update_current)
+    
+    result = rollback_version_impl(
+        agent_id=1,
+        tenant_id="tenant1",
+        target_version_no=1,
+    )
+    
+    assert result["version_no"] == 1
+    assert "Successfully rolled back" in result["message"]
+    mock_update_current.assert_called_once()
+
+
+def test_rollback_version_impl_version_not_found(monkeypatch):
+    """Test rolling back when version doesn't exist"""
+    mock_search = MagicMock(return_value=None)
+    monkeypatch.setattr(agent_version_service_module, "search_version_by_version_no", mock_search)
+    
+    with pytest.raises(ValueError, match="Version 999 not found"):
+        rollback_version_impl(
+            agent_id=1,
+            tenant_id="tenant1",
+            target_version_no=999,
+        )
+
+
+def test_rollback_version_impl_draft_not_found(monkeypatch):
+    """Test rolling back when draft doesn't exist"""
+    mock_version = {"version_no": 1}
+    mock_search = MagicMock(return_value=mock_version)
+    monkeypatch.setattr(agent_version_service_module, "search_version_by_version_no", mock_search)
+    mock_update_current = MagicMock(return_value=0)
+    monkeypatch.setattr(agent_version_service_module, "update_agent_current_version", mock_update_current)
+    
+    with pytest.raises(ValueError, match="Agent draft not found"):
+        rollback_version_impl(
+            agent_id=1,
+            tenant_id="tenant1",
+            target_version_no=1,
+        )
+
+
+def test_update_version_status_impl_success(monkeypatch):
+    """Test successfully updating version status"""
+    mock_update_status = MagicMock(return_value=1)
+    monkeypatch.setattr(agent_version_service_module, "update_version_status", mock_update_status)
+    
+    result = update_version_status_impl(
+        agent_id=1,
+        tenant_id="tenant1",
+        user_id="user1",
+        version_no=1,
+        status="DISABLED",
+    )
+    
+    assert "message" in result
+    mock_update_status.assert_called_once()
+
+
+def test_update_version_status_impl_invalid_status(monkeypatch):
+    """Test updating status with invalid status value"""
+    with pytest.raises(ValueError, match="Invalid status"):
+        update_version_status_impl(
+            agent_id=1,
+            tenant_id="tenant1",
+            user_id="user1",
+            version_no=1,
+            status="INVALID",
+        )
+
+
+def test_update_version_status_impl_not_found(monkeypatch):
+    """Test updating status when version doesn't exist"""
+    mock_update_status = MagicMock(return_value=0)
+    monkeypatch.setattr(agent_version_service_module, "update_version_status", mock_update_status)
+    
+    with pytest.raises(ValueError, match="Version 999 not found"):
+        update_version_status_impl(
+            agent_id=1,
+            tenant_id="tenant1",
+            user_id="user1",
+            version_no=999,
+            status="DISABLED",
+        )
+
+
+def test_delete_version_impl_success(monkeypatch):
+    """Test successfully deleting a version"""
+    mock_version = {"version_no": 2}
+    mock_search = MagicMock(return_value=mock_version)
+    monkeypatch.setattr(agent_version_service_module, "search_version_by_version_no", mock_search)
+    mock_query_current = MagicMock(return_value=3)
+    monkeypatch.setattr(agent_version_service_module, "query_current_version_no", mock_query_current)
+    mock_delete_version = MagicMock(return_value=1)
+    monkeypatch.setattr(agent_version_service_module, "delete_version", mock_delete_version)
+    mock_delete_agent = MagicMock(return_value=1)
+    monkeypatch.setattr(agent_version_service_module, "delete_agent_snapshot", mock_delete_agent)
+    mock_delete_tool = MagicMock(return_value=2)
+    monkeypatch.setattr(agent_version_service_module, "delete_tool_snapshot", mock_delete_tool)
+    mock_delete_relation = MagicMock(return_value=1)
+    monkeypatch.setattr(agent_version_service_module, "delete_relation_snapshot", mock_delete_relation)
+    
+    result = delete_version_impl(
+        agent_id=1,
+        tenant_id="tenant1",
+        user_id="user1",
+        version_no=2,
+    )
+    
+    assert "deleted successfully" in result["message"]
+    mock_delete_version.assert_called_once()
+    mock_delete_agent.assert_called_once()
+    mock_delete_tool.assert_called_once()
+    mock_delete_relation.assert_called_once()
+
+
+def test_delete_version_impl_version_not_found(monkeypatch):
+    """Test deleting when version doesn't exist"""
+    mock_search = MagicMock(return_value=None)
+    monkeypatch.setattr(agent_version_service_module, "search_version_by_version_no", mock_search)
+    
+    with pytest.raises(ValueError, match="Version 999 not found"):
+        delete_version_impl(
+            agent_id=1,
+            tenant_id="tenant1",
+            user_id="user1",
+            version_no=999,
+        )
+
+
+def test_delete_version_impl_current_version(monkeypatch):
+    """Test deleting current published version (should fail)"""
+    mock_version = {"version_no": 1}
+    mock_search = MagicMock(return_value=mock_version)
+    monkeypatch.setattr(agent_version_service_module, "search_version_by_version_no", mock_search)
+    mock_query_current = MagicMock(return_value=1)
+    monkeypatch.setattr(agent_version_service_module, "query_current_version_no", mock_query_current)
+    
+    with pytest.raises(ValueError, match="Cannot delete the current published version"):
+        delete_version_impl(
+            agent_id=1,
+            tenant_id="tenant1",
+            user_id="user1",
+            version_no=1,
+        )
+
+
+def test_delete_version_impl_draft_version(monkeypatch):
+    """Test deleting draft version (should fail)"""
+    mock_version = {"version_no": 0}
+    mock_search = MagicMock(return_value=mock_version)
+    monkeypatch.setattr(agent_version_service_module, "search_version_by_version_no", mock_search)
+    
+    with pytest.raises(ValueError, match="Cannot delete draft version"):
+        delete_version_impl(
+            agent_id=1,
+            tenant_id="tenant1",
+            user_id="user1",
+            version_no=0,
+        )
+
+
+def test_get_current_version_impl_success(monkeypatch):
+    """Test successfully getting current version"""
+    mock_query_current = MagicMock(return_value=5)
+    monkeypatch.setattr(agent_version_service_module, "query_current_version_no", mock_query_current)
+    mock_version = {
+        "version_no": 5,
+        "version_name": "v5.0",
+        "status": "RELEASED",
+        "source_type": "NORMAL",
+        "source_version_no": None,
+        "release_note": "Test note",
+        "created_by": "user1",
+        "create_time": "2023-01-01 12:00:00",
+    }
+    mock_search = MagicMock(return_value=mock_version)
+    monkeypatch.setattr(agent_version_service_module, "search_version_by_version_no", mock_search)
+    
+    result = get_current_version_impl(agent_id=1, tenant_id="tenant1")
+    
+    assert result["version_no"] == 5
+    assert result["version_name"] == "v5.0"
+    assert result["status"] == "RELEASED"
+
+
+def test_get_current_version_impl_no_published_version(monkeypatch):
+    """Test getting current version when none exists"""
+    mock_query_current = MagicMock(return_value=None)
+    monkeypatch.setattr(agent_version_service_module, "query_current_version_no", mock_query_current)
+    
+    with pytest.raises(ValueError, match="No published version"):
+        get_current_version_impl(agent_id=1, tenant_id="tenant1")
+
+
+def test_get_current_version_impl_version_not_found(monkeypatch):
+    """Test getting current version when version metadata doesn't exist"""
+    mock_query_current = MagicMock(return_value=5)
+    monkeypatch.setattr(agent_version_service_module, "query_current_version_no", mock_query_current)
+    mock_search = MagicMock(return_value=None)
+    monkeypatch.setattr(agent_version_service_module, "search_version_by_version_no", mock_search)
+    
+    with pytest.raises(ValueError, match="Version 5 not found"):
+        get_current_version_impl(agent_id=1, tenant_id="tenant1")
+
+
+def test_compare_versions_impl_success(monkeypatch):
+    """Test successfully comparing two versions"""
+    # Mock _get_version_detail_or_draft
+    version_a = {
+        "name": "Agent A",
+        "model_name": "Model A",
+        "max_steps": 10,
+        "description": "Desc A",
+        "duty_prompt": "Prompt A",
+        "tools": [{"tool_id": 1}],
+        "sub_agent_id_list": [2],
+    }
+    version_b = {
+        "name": "Agent B",
+        "model_name": "Model B",
+        "max_steps": 20,
+        "description": "Desc B",
+        "duty_prompt": "Prompt B",
+        "tools": [{"tool_id": 1}, {"tool_id": 2}],
+        "sub_agent_id_list": [2, 3],
+    }
+    
+    with patch('backend.services.agent_version_service._get_version_detail_or_draft') as mock_get_detail:
+        mock_get_detail.side_effect = [version_a, version_b]
+        
+        result = compare_versions_impl(
+            agent_id=1,
+            tenant_id="tenant1",
+            version_no_a=1,
+            version_no_b=2,
+        )
+        
+        assert "version_a" in result
+        assert "version_b" in result
+        assert "differences" in result
+        assert len(result["differences"]) > 0
+        # Check that differences are detected
+        difference_fields = [d["field"] for d in result["differences"]]
+        assert "name" in difference_fields
+        assert "model_name" in difference_fields
+        assert "max_steps" in difference_fields
+        assert "tools_count" in difference_fields
+
+
+def test_compare_versions_impl_no_differences(monkeypatch):
+    """Test comparing identical versions"""
+    version = {
+        "name": "Same Agent",
+        "model_name": "Same Model",
+        "max_steps": 10,
+        "description": "Same Desc",
+        "duty_prompt": "Same Prompt",
+        "tools": [{"tool_id": 1}],
+        "sub_agent_id_list": [2],
+    }
+    
+    with patch('backend.services.agent_version_service._get_version_detail_or_draft') as mock_get_detail:
+        mock_get_detail.side_effect = [version, version]
+        
+        result = compare_versions_impl(
+            agent_id=1,
+            tenant_id="tenant1",
+            version_no_a=1,
+            version_no_b=2,
+        )
+        
+        assert len(result["differences"]) == 0
+
+
+def test_check_version_snapshot_availability_success():
+    """Test checking availability when agent is available"""
+    agent_info = {
+        "model_id": 1,
+    }
+    tool_instances = [
+        {"tool_id": 1, "enabled": True},
+    ]
+    
+    is_available, reasons = _check_version_snapshot_availability(
+        agent_id=1,
+        tenant_id="tenant1",
+        agent_info=agent_info,
+        tool_instances=tool_instances,
+    )
+    
+    assert is_available is True
+    assert len(reasons) == 0
+
+
+def test_check_version_snapshot_availability_no_agent():
+    """Test checking availability when agent doesn't exist"""
+    is_available, reasons = _check_version_snapshot_availability(
+        agent_id=1,
+        tenant_id="tenant1",
+        agent_info=None,
+        tool_instances=[],
+    )
+    
+    assert is_available is False
+    assert "agent_not_found" in reasons
+
+
+def test_check_version_snapshot_availability_no_model():
+    """Test checking availability when model is not configured"""
+    agent_info = {
+        "model_id": None,
+    }
+    tool_instances = [{"tool_id": 1, "enabled": True}]
+    
+    is_available, reasons = _check_version_snapshot_availability(
+        agent_id=1,
+        tenant_id="tenant1",
+        agent_info=agent_info,
+        tool_instances=tool_instances,
+    )
+    
+    assert is_available is False
+    assert "model_not_configured" in reasons
+
+
+def test_check_version_snapshot_availability_no_tools():
+    """Test checking availability when no tools exist"""
+    agent_info = {"model_id": 1}
+    
+    is_available, reasons = _check_version_snapshot_availability(
+        agent_id=1,
+        tenant_id="tenant1",
+        agent_info=agent_info,
+        tool_instances=[],
+    )
+    
+    assert is_available is False
+    assert "no_tools" in reasons
+
+
+def test_check_version_snapshot_availability_all_tools_disabled():
+    """Test checking availability when all tools are disabled"""
+    agent_info = {"model_id": 1}
+    tool_instances = [
+        {"tool_id": 1, "enabled": False},
+        {"tool_id": 2, "enabled": False},
+    ]
+    
+    is_available, reasons = _check_version_snapshot_availability(
+        agent_id=1,
+        tenant_id="tenant1",
+        agent_info=agent_info,
+        tool_instances=tool_instances,
+    )
+    
+    assert is_available is False
+    assert "all_tools_disabled" in reasons
+
+
+def test_get_version_detail_or_draft_draft_version(monkeypatch):
+    """Test getting draft version detail"""
+    mock_agent_draft = {
+        "agent_id": 1,
+        "name": "Draft Agent",
+        "model_id": 1,
+        "business_logic_model_id": 2,
+        "group_ids": "1,2",
+    }
+    mock_tools_draft = [{"tool_id": 1}]
+    mock_relations_draft = [{"selected_agent_id": 2}]
+    
+    mock_query_draft = MagicMock(
+        return_value=(mock_agent_draft, mock_tools_draft, mock_relations_draft)
+    )
+    monkeypatch.setattr(agent_version_service_module, "query_agent_draft", mock_query_draft)
+    mock_get_model = MagicMock(return_value={"display_name": "Test Model"})
+    monkeypatch.setattr(agent_version_service_module, "get_model_by_model_id", mock_get_model)
+    
+    result = _get_version_detail_or_draft(agent_id=1, tenant_id="tenant1", version_no=0)
+    
+    assert result["name"] == "Draft Agent"
+    assert result["version"]["version_name"] == "Draft"
+    assert result["version"]["version_status"] == "DRAFT"
+    assert len(result["tools"]) == 1
+    assert result["sub_agent_id_list"] == [2]
+
+
+def test_get_version_detail_or_draft_published_version(monkeypatch):
+    """Test getting published version detail"""
+    mock_version_detail = {
+        "name": "Published Agent",
+        "version": {"version_name": "v1.0"},
+        "model_id": 1,
+        "business_logic_model_id": 2,
+        "group_ids": "1,2",
+    }
+    
+    with patch('backend.services.agent_version_service.get_version_detail_impl') as mock_get_detail:
+        mock_get_detail.return_value = mock_version_detail
+        model_management_db_mock.get_model_by_model_id = MagicMock(return_value={"display_name": "Test Model"})
+        
+        result = _get_version_detail_or_draft(agent_id=1, tenant_id="tenant1", version_no=1)
+        
+        assert result["name"] == "Published Agent"
+        assert result["version"]["version_name"] == "v1.0"
+
+
+def test_remove_audit_fields_for_insert():
+    """Test removing audit fields from data dict"""
+    data = {
+        "name": "Test",
+        "create_time": "2023-01-01",
+        "update_time": "2023-01-02",
+        "created_by": "user1",
+        "updated_by": "user2",
+        "delete_flag": "N",
+        "other_field": "keep",
+    }
+    
+    _remove_audit_fields_for_insert(data)
+    
+    assert "name" in data
+    assert "other_field" in data
+    assert "create_time" not in data
+    assert "update_time" not in data
+    assert "created_by" not in data
+    assert "updated_by" not in data
+    assert "delete_flag" not in data
+
+
+def test_list_published_agents_impl_success(monkeypatch):
+    """Test successfully listing published agents"""
+    # Mock dependencies
+    agent_db_mock.query_all_agent_info_by_tenant_id = MagicMock(
+        return_value=[
+            {
+                "agent_id": 1,
+                "enabled": True,
+                "current_version_no": 1,
+                "group_ids": "1,2",
+                "created_by": "user1",
+            }
+        ]
+    )
+    
+    agent_service_mock.get_user_tenant_by_user_id = MagicMock(
+        return_value={"user_role": "ADMIN"}
+    )
+    agent_service_mock.query_group_ids_by_user = MagicMock(return_value=[1, 2])
+    
+    agent_version_db_mock.query_agent_snapshot = MagicMock(
+        return_value=(
+            {
+                "agent_id": 1,
+                "name": "Test Agent",
+                "model_id": 1,
+                "description": "Test",
+            },
+            [{"tool_id": 1, "enabled": True}],
+            [],
+        )
+    )
+    
+    agent_service_mock.check_agent_availability = MagicMock(
+        return_value=(True, [])
+    )
+    agent_service_mock._apply_duplicate_name_availability_rules = MagicMock()
+    model_management_db_mock.get_model_by_model_id = MagicMock(
+        return_value={"display_name": "Test Model", "model_name": "test_model"}
+    )
+    
+    import asyncio
+    result = asyncio.run(list_published_agents_impl(tenant_id="tenant1", user_id="user1"))
+    
+    assert len(result) == 1
+    assert result[0]["agent_id"] == 1
+    assert result[0]["name"] == "Test Agent"
+
+
+def test_list_published_agents_impl_no_published_version(monkeypatch):
+    """Test listing when agent has no published version"""
+    agent_db_mock.query_all_agent_info_by_tenant_id = MagicMock(
+        return_value=[
+            {
+                "agent_id": 1,
+                "enabled": True,
+                "current_version_no": None,  # No published version
+                "group_ids": "1,2",
+            }
+        ]
+    )
+    
+    agent_service_mock.get_user_tenant_by_user_id = MagicMock(
+        return_value={"user_role": "ADMIN"}
+    )
+    
+    import asyncio
+    result = asyncio.run(list_published_agents_impl(tenant_id="tenant1", user_id="user1"))
+    
+    assert len(result) == 0  # Should be filtered out
+
+
+def test_list_published_agents_impl_disabled_agent(monkeypatch):
+    """Test listing when agent is disabled"""
+    agent_db_mock.query_all_agent_info_by_tenant_id = MagicMock(
+        return_value=[
+            {
+                "agent_id": 1,
+                "enabled": False,  # Disabled
+                "current_version_no": 1,
+                "group_ids": "1,2",
+            }
+        ]
+    )
+    
+    agent_service_mock.get_user_tenant_by_user_id = MagicMock(
+        return_value={"user_role": "ADMIN"}
+    )
+    
+    import asyncio
+    result = asyncio.run(list_published_agents_impl(tenant_id="tenant1", user_id="user1"))
+    
+    assert len(result) == 0  # Should be filtered out
+
+
+@pytest.mark.asyncio
+async def test_list_published_agents_impl_exception_handling(monkeypatch):
+    """Test exception handling in list_published_agents_impl (covers lines 742-744)"""
+    # Mock query_all_agent_info_by_tenant_id to raise an exception
+    test_exception = RuntimeError("Database connection failed")
+    agent_db_mock.query_all_agent_info_by_tenant_id = MagicMock(
+        side_effect=test_exception
+    )
+    
+    # Mock get_user_tenant_by_user_id to avoid early exception
+    agent_service_mock.get_user_tenant_by_user_id = MagicMock(
+        return_value={"user_role": "ADMIN"}
+    )
+    
+    # Verify that the exception is caught and re-raised as ValueError
+    with pytest.raises(ValueError, match="Failed to list published agents: Database connection failed"):
+        await list_published_agents_impl(tenant_id="tenant1", user_id="user1")
\ No newline at end of file
diff --git a/test/backend/services/test_datamate_service.py b/test/backend/services/test_datamate_service.py
index 80d10c402..ca63c42a6 100644
--- a/test/backend/services/test_datamate_service.py
+++ b/test/backend/services/test_datamate_service.py
@@ -2,6 +2,9 @@
 import pytest
 from unittest.mock import MagicMock
 
+# Import the exception class
+from consts.exceptions import DataMateConnectionError
+
 # Setup common mocks
 from test.common.test_mocks import setup_common_mocks, patch_minio_client_initialization
 
@@ -39,6 +42,10 @@
 consts_mock = MagicMock()
 consts_mock.DATAMATE_URL = "DATAMATE_URL"
 
+# Mock consts.exceptions
+consts_exceptions_mock = MagicMock()
+consts_exceptions_mock.DataMateConnectionError = DataMateConnectionError
+
 # Mock sqlalchemy
 sqlalchemy_mock = MagicMock()
 sqlalchemy_exc_mock = MagicMock()
@@ -57,6 +64,7 @@
 sys.modules['database.model_management_db'] = model_management_db_mock
 sys.modules['nexent.vector_database.datamate_core'] = datamate_core_mock
 sys.modules['consts.const'] = consts_mock
+sys.modules['consts.exceptions'] = consts_exceptions_mock
 sys.modules['sqlalchemy'] = sqlalchemy_mock
 sys.modules['sqlalchemy.exc'] = sqlalchemy_exc_mock
 sys.modules['sqlalchemy.sql'] = sqlalchemy_sql_mock
@@ -67,7 +75,8 @@
         fetch_datamate_knowledge_base_file_list,
         sync_datamate_knowledge_bases_and_create_records,
         _get_datamate_core,
-        _create_datamate_knowledge_records
+        _create_datamate_knowledge_records,
+        check_datamate_connection
     )
 
 
@@ -329,7 +338,7 @@ async def test_sync_datamate_knowledge_bases_success(monkeypatch, mock_datamate_
     knowledge_db_mock.upsert_knowledge_record.reset_mock()
     knowledge_db_mock.delete_knowledge_record.reset_mock()
 
-    # Mock the _get_datamate_core function
+    # Mock the _get_datamate_core function - now accepts two parameters
     fake_core = MagicMock()
 
     # Mock core methods
@@ -343,7 +352,8 @@ async def test_sync_datamate_knowledge_bases_success(monkeypatch, mock_datamate_
     )
 
     monkeypatch.setattr(
-        "backend.services.datamate_service._get_datamate_core", lambda tenant_id: fake_core)
+        "backend.services.datamate_service._get_datamate_core",
+        lambda tenant_id, datamate_url=None: fake_core)
 
     # Mock database functions that are imported directly
     monkeypatch.setattr(
@@ -383,12 +393,13 @@ async def test_sync_datamate_knowledge_bases_no_indices(monkeypatch, mock_datama
     knowledge_db_mock.upsert_knowledge_record.reset_mock()
     knowledge_db_mock.delete_knowledge_record.reset_mock()
 
-    # Mock the _get_datamate_core function
+    # Mock the _get_datamate_core function - now accepts two parameters
     fake_core = MagicMock()
     fake_core.get_user_indices.return_value = []  # No indices
 
     monkeypatch.setattr(
-        "backend.services.datamate_service._get_datamate_core", lambda tenant_id: fake_core)
+        "backend.services.datamate_service._get_datamate_core",
+        lambda tenant_id, datamate_url=None: fake_core)
 
     result = await sync_datamate_knowledge_bases_and_create_records("tenant1", "user1")
 
@@ -409,7 +420,7 @@ async def test_sync_datamate_knowledge_bases_with_deletions(monkeypatch, mock_da
     knowledge_db_mock.upsert_knowledge_record.reset_mock()
     knowledge_db_mock.delete_knowledge_record.reset_mock()
 
-    # Mock the _get_datamate_core function
+    # Mock the _get_datamate_core function - now accepts two parameters
     fake_core = MagicMock()
 
     # Mock core methods - only kb1 exists in API now
@@ -420,7 +431,8 @@ async def test_sync_datamate_knowledge_bases_with_deletions(monkeypatch, mock_da
     )
 
     monkeypatch.setattr(
-        "backend.services.datamate_service._get_datamate_core", lambda tenant_id: fake_core)
+        "backend.services.datamate_service._get_datamate_core",
+        lambda tenant_id, datamate_url=None: fake_core)
 
     # Mock database functions that are imported directly - kb1 and kb2 exist in DB, but kb2 was deleted from API
     mock_get_knowledge_info = MagicMock(return_value=[
@@ -477,25 +489,20 @@ async def test_sync_datamate_knowledge_bases_datamate_url_not_configured(monkeyp
         "backend.services.datamate_service.logger", mock_logger
     )
 
+    # Execute - should return empty result when DataMate URL is not configured
     result = await sync_datamate_knowledge_bases_and_create_records("tenant1", "user1")
 
-    # Verify the warning was logged
-    mock_logger.warning.assert_called_once_with(
-        "DataMate URL not configured for tenant tenant1, skipping sync"
-    )
-
-    # Verify the correct default response is returned
-    expected_result = {
+    # Assert - should return empty dict
+    assert result == {
         "indices": [],
         "count": 0,
         "indices_info": [],
         "created_records": []
     }
-    assert result == expected_result
 
-    # Verify tenant_config_manager.get_app_config was called correctly
-    mock_config_manager.get_app_config.assert_called_once_with(
-        "DATAMATE_URL", tenant_id="tenant1"
+    # Verify the warning was logged
+    mock_logger.warning.assert_called_once_with(
+        "DataMate URL not configured for tenant tenant1, skipping sync"
     )
 
 
@@ -507,7 +514,7 @@ async def test_sync_datamate_knowledge_bases_datamate_url_empty_string(monkeypat
         "backend.services.datamate_service.MODEL_ENGINE_ENABLED", "true"
     )
 
-    # Mock tenant_config_manager to return empty string (no DataMate URL configured)
+    # Mock tenant_config_manager to return empty string
     mock_config_manager = MagicMock()
     mock_config_manager.get_app_config.return_value = ""
     monkeypatch.setattr(
@@ -520,26 +527,19 @@ async def test_sync_datamate_knowledge_bases_datamate_url_empty_string(monkeypat
         "backend.services.datamate_service.logger", mock_logger
     )
 
+    # Execute - should return empty result when DataMate URL is empty string
     result = await sync_datamate_knowledge_bases_and_create_records("tenant1", "user1")
 
-    # Verify the warning was logged
-    mock_logger.warning.assert_called_once_with(
-        "DataMate URL not configured for tenant tenant1, skipping sync"
-    )
-
-    # Verify the correct default response is returned
-    expected_result = {
+    # Assert - should return empty dict
+    assert result == {
         "indices": [],
         "count": 0,
         "indices_info": [],
         "created_records": []
     }
-    assert result == expected_result
 
-    # Verify tenant_config_manager.get_app_config was called correctly
-    mock_config_manager.get_app_config.assert_called_once_with(
-        "DATAMATE_URL", tenant_id="tenant1"
-    )
+    # Verify the warning was logged
+    mock_logger.warning.assert_called_once()
 
 
 @pytest.mark.asyncio
@@ -556,3 +556,634 @@ async def test_sync_datamate_knowledge_bases_error_handling(monkeypatch):
     # Should return empty result on error
     assert result["indices"] == []
     assert result["count"] == 0
+
+
+@pytest.mark.asyncio
+async def test_sync_datamate_knowledge_bases_with_custom_datamate_url(monkeypatch, mock_datamate_sync_setup):
+    """Test sync_datamate_knowledge_bases_and_create_records with custom datamate_url from request."""
+    # Reset mock state from previous tests
+    knowledge_db_mock.get_knowledge_info_by_tenant_and_source.reset_mock()
+    knowledge_db_mock.upsert_knowledge_record.reset_mock()
+    knowledge_db_mock.delete_knowledge_record.reset_mock()
+
+    # Custom datamate URL provided in request - should be used directly
+    custom_datamate_url = "http://custom-datamate.example.com:8080"
+
+    # Mock the _get_datamate_core function
+    fake_core = MagicMock()
+
+    # Mock core methods
+    fake_core.get_user_indices.return_value = ["kb1"]
+    fake_core.get_indices_detail.return_value = (
+        {"kb1": {"base_info": {"embedding_model": "embedding1"}}},
+        ["Custom Knowledge Base"]
+    )
+
+    # Track the URL passed to _get_datamate_core
+    core_calls = []
+
+    def create_core_with_custom_url(tenant_id, datamate_url=None):
+        core_calls.append({"tenant_id": tenant_id, "datamate_url": datamate_url})
+        return fake_core
+
+    monkeypatch.setattr(
+        "backend.services.datamate_service._get_datamate_core",
+        create_core_with_custom_url
+    )
+
+    # Mock database functions that are imported directly
+    monkeypatch.setattr(
+        "backend.services.datamate_service.get_knowledge_info_by_tenant_and_source",
+        MagicMock(return_value=[])
+    )
+    monkeypatch.setattr(
+        "backend.services.datamate_service.delete_knowledge_record",
+        MagicMock(return_value=True)
+    )
+
+    # Mock _create_datamate_knowledge_records
+    async def mock_create_records(*args, **kwargs):
+        return [{"id": "record1"}]
+
+    monkeypatch.setattr(
+        "backend.services.datamate_service._create_datamate_knowledge_records",
+        mock_create_records
+    )
+
+    # Call with custom datamate_url - should use this URL directly
+    result = await sync_datamate_knowledge_bases_and_create_records(
+        "tenant1", "user1", datamate_url=custom_datamate_url
+    )
+
+    assert result["indices"] == ["Custom Knowledge Base"]
+    assert result["count"] == 1
+    assert "indices_info" in result
+    assert len(result["indices_info"]) == 1
+
+    # Verify _get_datamate_core was called with the custom URL
+    assert len(core_calls) == 1
+    assert core_calls[0]["datamate_url"] == custom_datamate_url
+
+
+@pytest.mark.asyncio
+async def test_sync_datamate_knowledge_bases_with_none_datamate_url(monkeypatch):
+    """Test sync_datamate_knowledge_bases_and_create_records with None datamate_url falls back to tenant config."""
+    # Mock MODEL_ENGINE_ENABLED to be true
+    monkeypatch.setattr(
+        "backend.services.datamate_service.MODEL_ENGINE_ENABLED", "true"
+    )
+
+    # Mock tenant_config_manager to return a configured URL
+    mock_config_manager = MagicMock()
+    mock_config_manager.get_app_config.return_value = "http://tenant-configured.example.com"
+    monkeypatch.setattr(
+        "backend.services.datamate_service.tenant_config_manager", mock_config_manager
+    )
+
+    # Mock the _get_datamate_core function
+    fake_core = MagicMock()
+    fake_core.get_user_indices.return_value = ["kb1"]
+    fake_core.get_indices_detail.return_value = (
+        {"kb1": {"base_info": {"embedding_model": "embedding1"}}},
+        ["Config Based Knowledge Base"]
+    )
+
+    # Track calls to _get_datamate_core
+    core_calls = []
+
+    def create_core_tracking_call(tenant_id, datamate_url=None):
+        core_calls.append({"tenant_id": tenant_id, "datamate_url": datamate_url})
+        return fake_core
+
+    monkeypatch.setattr(
+        "backend.services.datamate_service._get_datamate_core",
+        create_core_tracking_call
+    )
+
+    # Mock database functions
+    monkeypatch.setattr(
+        "backend.services.datamate_service.get_knowledge_info_by_tenant_and_source",
+        MagicMock(return_value=[])
+    )
+    monkeypatch.setattr(
+        "backend.services.datamate_service.delete_knowledge_record",
+        MagicMock(return_value=True)
+    )
+
+    # Mock _create_datamate_knowledge_records
+    async def mock_create_records(*args, **kwargs):
+        return [{"id": "record1"}]
+
+    monkeypatch.setattr(
+        "backend.services.datamate_service._create_datamate_knowledge_records",
+        mock_create_records
+    )
+
+    # Call with None datamate_url - should fall back to tenant config
+    result = await sync_datamate_knowledge_bases_and_create_records(
+        "tenant1", "user1", datamate_url=None
+    )
+
+    assert result["indices"] == ["Config Based Knowledge Base"]
+    assert result["count"] == 1
+
+    # Verify _get_datamate_core was called with the URL from tenant config (not None)
+    assert len(core_calls) == 1
+    assert core_calls[0]["datamate_url"] == "http://tenant-configured.example.com"
+
+
+@pytest.mark.asyncio
+async def test_sync_datamate_knowledge_bases_with_empty_datamate_url(monkeypatch):
+    """Test sync_datamate_knowledge_bases_and_create_records with empty string datamate_url falls back to tenant config."""
+    # Mock MODEL_ENGINE_ENABLED to be true
+    monkeypatch.setattr(
+        "backend.services.datamate_service.MODEL_ENGINE_ENABLED", "true"
+    )
+
+    # Mock tenant_config_manager to return a configured URL
+    mock_config_manager = MagicMock()
+    mock_config_manager.get_app_config.return_value = "http://fallback-url.example.com"
+    monkeypatch.setattr(
+        "backend.services.datamate_service.tenant_config_manager", mock_config_manager
+    )
+
+    # Mock the _get_datamate_core function
+    fake_core = MagicMock()
+    fake_core.get_user_indices.return_value = ["kb1"]
+    fake_core.get_indices_detail.return_value = (
+        {"kb1": {"base_info": {"embedding_model": "embedding1"}}},
+        ["Fallback Knowledge Base"]
+    )
+
+    # Track calls to _get_datamate_core
+    core_calls = []
+
+    def create_core_tracking_call(tenant_id, datamate_url=None):
+        core_calls.append({"tenant_id": tenant_id, "datamate_url": datamate_url})
+        return fake_core
+
+    monkeypatch.setattr(
+        "backend.services.datamate_service._get_datamate_core",
+        create_core_tracking_call
+    )
+
+    # Mock database functions
+    monkeypatch.setattr(
+        "backend.services.datamate_service.get_knowledge_info_by_tenant_and_source",
+        MagicMock(return_value=[])
+    )
+    monkeypatch.setattr(
+        "backend.services.datamate_service.delete_knowledge_record",
+        MagicMock(return_value=True)
+    )
+
+    # Mock _create_datamate_knowledge_records
+    async def mock_create_records(*args, **kwargs):
+        return [{"id": "record1"}]
+
+    monkeypatch.setattr(
+        "backend.services.datamate_service._create_datamate_knowledge_records",
+        mock_create_records
+    )
+
+    # Call with empty string datamate_url - empty string is falsy, should fall back to tenant config
+    result = await sync_datamate_knowledge_bases_and_create_records(
+        "tenant1", "user1", datamate_url=""
+    )
+
+    assert result["indices"] == ["Fallback Knowledge Base"]
+    assert result["count"] == 1
+
+    # Verify _get_datamate_core was called with the URL from tenant config (not empty string)
+    assert len(core_calls) == 1
+    assert core_calls[0]["datamate_url"] == "http://fallback-url.example.com"
+
+
+@pytest.mark.asyncio
+async def test_sync_datamate_knowledge_bases_with_https_datamate_url(monkeypatch):
+    """Test sync_datamate_knowledge_bases_and_create_records with HTTPS datamate_url."""
+    # Mock MODEL_ENGINE_ENABLED to be true
+    monkeypatch.setattr(
+        "backend.services.datamate_service.MODEL_ENGINE_ENABLED", "true"
+    )
+
+    # Custom HTTPS URL - SSL should be disabled for DataMateCore
+    https_datamate_url = "https://secure-datamate.example.com"
+
+    # Mock the _get_datamate_core function - track if SSL verification is disabled
+    fake_core = MagicMock()
+    fake_core.get_user_indices.return_value = ["kb1"]
+    fake_core.get_indices_detail.return_value = (
+        {"kb1": {"base_info": {"embedding_model": "embedding1"}}},
+        ["HTTPS Knowledge Base"]
+    )
+
+    # Track calls to _get_datamate_core
+    core_calls = []
+
+    def create_core_tracking_call(tenant_id, datamate_url=None):
+        core_calls.append({"tenant_id": tenant_id, "datamate_url": datamate_url})
+        return fake_core
+
+    monkeypatch.setattr(
+        "backend.services.datamate_service._get_datamate_core",
+        create_core_tracking_call
+    )
+
+    # Mock database functions
+    monkeypatch.setattr(
+        "backend.services.datamate_service.get_knowledge_info_by_tenant_and_source",
+        MagicMock(return_value=[])
+    )
+    monkeypatch.setattr(
+        "backend.services.datamate_service.delete_knowledge_record",
+        MagicMock(return_value=True)
+    )
+
+    # Mock _create_datamate_knowledge_records
+    async def mock_create_records(*args, **kwargs):
+        return [{"id": "record1"}]
+
+    monkeypatch.setattr(
+        "backend.services.datamate_service._create_datamate_knowledge_records",
+        mock_create_records
+    )
+
+    # Call with HTTPS datamate_url
+    result = await sync_datamate_knowledge_bases_and_create_records(
+        "tenant1", "user1", datamate_url=https_datamate_url
+    )
+
+    assert result["indices"] == ["HTTPS Knowledge Base"]
+    assert result["count"] == 1
+    # Verify _get_datamate_core was called with the HTTPS URL
+    assert len(core_calls) == 1
+    assert core_calls[0]["datamate_url"] == https_datamate_url
+
+
+@pytest.mark.asyncio
+async def test_check_datamate_connection_success(monkeypatch):
+    """Test check_datamate_connection function with successful connection."""
+    # Mock MODEL_ENGINE_ENABLED to be true
+    monkeypatch.setattr(
+        "backend.services.datamate_service.MODEL_ENGINE_ENABLED", "true"
+    )
+
+    # Mock tenant_config_manager to return a configured URL
+    mock_config_manager = MagicMock()
+    mock_config_manager.get_app_config.return_value = "http://datamate.example.com"
+    monkeypatch.setattr(
+        "backend.services.datamate_service.tenant_config_manager", mock_config_manager
+    )
+
+    # Mock the _get_datamate_core function
+    fake_core = MagicMock()
+    fake_core.get_user_indices.return_value = ["kb1", "kb2"]
+
+    monkeypatch.setattr(
+        "backend.services.datamate_service._get_datamate_core",
+        lambda tenant_id, datamate_url=None: fake_core
+    )
+
+    # Mock logger to verify success logging
+    mock_logger = MagicMock()
+    monkeypatch.setattr(
+        "backend.services.datamate_service.logger", mock_logger
+    )
+
+    # Execute
+    is_connected, error_message = await check_datamate_connection("tenant1")
+
+    # Assert
+    assert is_connected is True
+    assert error_message == ""
+    mock_logger.info.assert_called()
+
+    # Verify the last log call contains success message
+    last_log_call = mock_logger.info.call_args_list[-1][0][0]
+    assert "successful" in last_log_call.lower()
+
+
+@pytest.mark.asyncio
+async def test_check_datamate_connection_model_engine_disabled(monkeypatch):
+    """Test check_datamate_connection function when MODEL_ENGINE_ENABLED is false."""
+    # Mock MODEL_ENGINE_ENABLED to be false
+    monkeypatch.setattr(
+        "backend.services.datamate_service.MODEL_ENGINE_ENABLED", "false"
+    )
+
+    # Mock logger to capture info message
+    mock_logger = MagicMock()
+    monkeypatch.setattr(
+        "backend.services.datamate_service.logger", mock_logger
+    )
+
+    # Execute
+    is_connected, error_message = await check_datamate_connection("tenant1")
+
+    # Assert
+    assert is_connected is False
+    assert error_message == "ModelEngine is disabled"
+
+    # Verify logger was called with the skip message
+    mock_logger.info.assert_called_once()
+    call_args = mock_logger.info.call_args[0][0]
+    assert "ModelEngine is disabled" in call_args
+    assert "skipping DataMate connection test" in call_args
+
+
+@pytest.mark.asyncio
+async def test_check_datamate_connection_url_not_configured(monkeypatch):
+    """Test check_datamate_connection function when DataMate URL is not configured."""
+    # Mock MODEL_ENGINE_ENABLED to be true
+    monkeypatch.setattr(
+        "backend.services.datamate_service.MODEL_ENGINE_ENABLED", "true"
+    )
+
+    # Mock tenant_config_manager to return None (no DataMate URL configured)
+    mock_config_manager = MagicMock()
+    mock_config_manager.get_app_config.return_value = None
+    monkeypatch.setattr(
+        "backend.services.datamate_service.tenant_config_manager", mock_config_manager
+    )
+
+    # Mock logger to capture warning message
+    mock_logger = MagicMock()
+    monkeypatch.setattr(
+        "backend.services.datamate_service.logger", mock_logger
+    )
+
+    # Execute
+    is_connected, error_message = await check_datamate_connection("tenant1")
+
+    # Assert
+    assert is_connected is False
+    assert error_message == "DataMate URL not configured"
+
+    # Verify the warning was logged
+    mock_logger.warning.assert_called_once()
+    call_args = mock_logger.warning.call_args[0][0]
+    assert "DataMate URL not configured" in call_args
+
+
+@pytest.mark.asyncio
+async def test_check_datamate_connection_empty_url(monkeypatch):
+    """Test check_datamate_connection function when DataMate URL is empty string."""
+    # Mock MODEL_ENGINE_ENABLED to be true
+    monkeypatch.setattr(
+        "backend.services.datamate_service.MODEL_ENGINE_ENABLED", "true"
+    )
+
+    # Mock tenant_config_manager to return empty string
+    mock_config_manager = MagicMock()
+    mock_config_manager.get_app_config.return_value = ""
+    monkeypatch.setattr(
+        "backend.services.datamate_service.tenant_config_manager", mock_config_manager
+    )
+
+    # Mock logger to capture warning message
+    mock_logger = MagicMock()
+    monkeypatch.setattr(
+        "backend.services.datamate_service.logger", mock_logger
+    )
+
+    # Execute
+    is_connected, error_message = await check_datamate_connection("tenant1")
+
+    # Assert
+    assert is_connected is False
+    assert error_message == "DataMate URL not configured"
+
+    # Verify the warning was logged
+    mock_logger.warning.assert_called_once()
+
+
+@pytest.mark.asyncio
+async def test_check_datamate_connection_api_error(monkeypatch):
+    """Test check_datamate_connection function when API call fails."""
+    # Mock MODEL_ENGINE_ENABLED to be true
+    monkeypatch.setattr(
+        "backend.services.datamate_service.MODEL_ENGINE_ENABLED", "true"
+    )
+
+    # Mock tenant_config_manager to return a configured URL
+    mock_config_manager = MagicMock()
+    mock_config_manager.get_app_config.return_value = "http://datamate.example.com"
+    monkeypatch.setattr(
+        "backend.services.datamate_service.tenant_config_manager", mock_config_manager
+    )
+
+    # Mock the _get_datamate_core function to raise an exception
+    def raise_api_error(tenant_id, datamate_url=None):
+        raise Exception("API connection timeout")
+
+    monkeypatch.setattr(
+        "backend.services.datamate_service._get_datamate_core",
+        raise_api_error
+    )
+
+    # Mock logger to capture error message
+    mock_logger = MagicMock()
+    monkeypatch.setattr(
+        "backend.services.datamate_service.logger", mock_logger
+    )
+
+    # Execute
+    is_connected, error_message = await check_datamate_connection("tenant1")
+
+    # Assert
+    assert is_connected is False
+    assert "API connection timeout" in error_message
+
+    # Verify error was logged
+    mock_logger.error.assert_called_once()
+    call_args = mock_logger.error.call_args[0][0]
+    assert "API connection timeout" in call_args
+
+
+@pytest.mark.asyncio
+async def test_check_datamate_connection_with_custom_url(monkeypatch):
+    """Test check_datamate_connection function with custom datamate_url from request."""
+    # Mock MODEL_ENGINE_ENABLED to be true
+    monkeypatch.setattr(
+        "backend.services.datamate_service.MODEL_ENGINE_ENABLED", "true"
+    )
+
+    # Custom datamate URL provided in request - should be used directly
+    custom_datamate_url = "http://custom-datamate.example.com:8080"
+
+    # Mock the _get_datamate_core function
+    fake_core = MagicMock()
+    fake_core.get_user_indices.return_value = ["kb1"]
+
+    # Track calls to _get_datamate_core
+    core_calls = []
+
+    def create_core_with_custom_url(tenant_id, datamate_url=None):
+        core_calls.append({"tenant_id": tenant_id, "datamate_url": datamate_url})
+        return fake_core
+
+    monkeypatch.setattr(
+        "backend.services.datamate_service._get_datamate_core",
+        create_core_with_custom_url
+    )
+
+    # Mock logger
+    mock_logger = MagicMock()
+    monkeypatch.setattr(
+        "backend.services.datamate_service.logger", mock_logger
+    )
+
+    # Execute with custom datamate_url
+    is_connected, error_message = await check_datamate_connection(
+        "tenant1", datamate_url=custom_datamate_url
+    )
+
+    # Assert
+    assert is_connected is True
+    assert error_message == ""
+
+    # Verify _get_datamate_core was called with the custom URL
+    assert len(core_calls) == 1
+    assert core_calls[0]["datamate_url"] == custom_datamate_url
+
+
+@pytest.mark.asyncio
+async def test_check_datamate_connection_with_none_url(monkeypatch):
+    """Test check_datamate_connection function with None datamate_url falls back to tenant config."""
+    # Mock MODEL_ENGINE_ENABLED to be true
+    monkeypatch.setattr(
+        "backend.services.datamate_service.MODEL_ENGINE_ENABLED", "true"
+    )
+
+    # Mock tenant_config_manager to return a configured URL
+    mock_config_manager = MagicMock()
+    mock_config_manager.get_app_config.return_value = "http://tenant-configured.example.com"
+    monkeypatch.setattr(
+        "backend.services.datamate_service.tenant_config_manager", mock_config_manager
+    )
+
+    # Mock the _get_datamate_core function
+    fake_core = MagicMock()
+    fake_core.get_user_indices.return_value = ["kb1"]
+
+    # Track calls to _get_datamate_core
+    core_calls = []
+
+    def create_core_tracking_call(tenant_id, datamate_url=None):
+        core_calls.append({"tenant_id": tenant_id, "datamate_url": datamate_url})
+        return fake_core
+
+    monkeypatch.setattr(
+        "backend.services.datamate_service._get_datamate_core",
+        create_core_tracking_call
+    )
+
+    # Mock logger
+    mock_logger = MagicMock()
+    monkeypatch.setattr(
+        "backend.services.datamate_service.logger", mock_logger
+    )
+
+    # Execute with None datamate_url - should fall back to tenant config
+    is_connected, error_message = await check_datamate_connection(
+        "tenant1", datamate_url=None
+    )
+
+    # Assert
+    assert is_connected is True
+    assert error_message == ""
+
+    # Verify _get_datamate_core was called with the URL from tenant config (not None)
+    assert len(core_calls) == 1
+    assert core_calls[0]["datamate_url"] == "http://tenant-configured.example.com"
+
+
+@pytest.mark.asyncio
+async def test_check_datamate_connection_with_https_url(monkeypatch):
+    """Test check_datamate_connection function with HTTPS datamate_url."""
+    # Mock MODEL_ENGINE_ENABLED to be true
+    monkeypatch.setattr(
+        "backend.services.datamate_service.MODEL_ENGINE_ENABLED", "true"
+    )
+
+    # Custom HTTPS URL - SSL should be disabled for DataMateCore
+    https_datamate_url = "https://secure-datamate.example.com"
+
+    # Mock the _get_datamate_core function
+    fake_core = MagicMock()
+    fake_core.get_user_indices.return_value = ["kb1"]
+
+    # Track calls to _get_datamate_core
+    core_calls = []
+
+    def create_core_tracking_call(tenant_id, datamate_url=None):
+        core_calls.append({"tenant_id": tenant_id, "datamate_url": datamate_url})
+        return fake_core
+
+    monkeypatch.setattr(
+        "backend.services.datamate_service._get_datamate_core",
+        create_core_tracking_call
+    )
+
+    # Mock logger
+    mock_logger = MagicMock()
+    monkeypatch.setattr(
+        "backend.services.datamate_service.logger", mock_logger
+    )
+
+    # Execute with HTTPS datamate_url
+    is_connected, error_message = await check_datamate_connection(
+        "tenant1", datamate_url=https_datamate_url
+    )
+
+    # Assert
+    assert is_connected is True
+    assert error_message == ""
+
+    # Verify _get_datamate_core was called with the HTTPS URL
+    assert len(core_calls) == 1
+    assert core_calls[0]["datamate_url"] == https_datamate_url
+
+
+@pytest.mark.asyncio
+async def test_check_datamate_connection_configuration_error(monkeypatch):
+    """Test check_datamate_connection function when _get_datamate_core raises ValueError."""
+    # Mock MODEL_ENGINE_ENABLED to be true
+    monkeypatch.setattr(
+        "backend.services.datamate_service.MODEL_ENGINE_ENABLED", "true"
+    )
+
+    # Mock tenant_config_manager to return a configured URL
+    mock_config_manager = MagicMock()
+    mock_config_manager.get_app_config.return_value = "http://datamate.example.com"
+    monkeypatch.setattr(
+        "backend.services.datamate_service.tenant_config_manager", mock_config_manager
+    )
+
+    # Mock the _get_datamate_core function to raise ValueError (configuration error)
+    def raise_config_error(tenant_id, datamate_url=None):
+        raise ValueError("Invalid DataMate URL configuration")
+
+    monkeypatch.setattr(
+        "backend.services.datamate_service._get_datamate_core",
+        raise_config_error
+    )
+
+    # Mock logger to capture error message
+    mock_logger = MagicMock()
+    monkeypatch.setattr(
+        "backend.services.datamate_service.logger", mock_logger
+    )
+
+    # Execute
+    is_connected, error_message = await check_datamate_connection("tenant1")
+
+    # Assert
+    assert is_connected is False
+    assert error_message == "Invalid DataMate URL configuration"
+
+    # Verify error was logged
+    mock_logger.error.assert_called_once()
+    call_args = mock_logger.error.call_args[0][0]
+    assert "configuration error" in call_args
diff --git a/test/backend/services/test_dify_service.py b/test/backend/services/test_dify_service.py
new file mode 100644
index 000000000..a6ed3b091
--- /dev/null
+++ b/test/backend/services/test_dify_service.py
@@ -0,0 +1,697 @@
+"""
+Unit tests for Dify Service Layer.
+
+Tests the fetch_dify_datasets_impl function which handles API calls to Dify
+for knowledge base operations.
+"""
+import json
+import pytest
+from unittest.mock import MagicMock, patch
+import httpx
+
+
+def _create_mock_client(mock_response):
+    """
+    Create a properly configured mock client that works with the HttpClientManager.
+
+    The http_client_manager.get_sync_client() returns a client instance directly.
+    """
+    mock_client = MagicMock()
+    mock_client.get.return_value = mock_response
+    return mock_client
+
+
+class TestFetchDifyDatasetsImpl:
+    """Test class for fetch_dify_datasets_impl function."""
+
+    def test_fetch_dify_datasets_impl_success_single_dataset(self):
+        """Test successful fetching of a single dataset from Dify API."""
+        mock_response = MagicMock()
+        mock_response.json.return_value = {
+            "data": [
+                {
+                    "id": "ds-123",
+                    "name": "Test Knowledge Base",
+                    "document_count": 10,
+                    "created_at": 1704067200,
+                    "updated_at": 1704153600,
+                    "embedding_available": True,
+                    "embedding_model": "text-embedding-3-small"
+                }
+            ]
+        }
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            result = fetch_dify_datasets_impl(
+                dify_api_base="https://dify.example.com",
+                api_key="test-api-key"
+            )
+
+        # Verify structure
+        assert result["count"] == 1
+        assert len(result["indices"]) == 1
+        assert result["indices"][0] == "ds-123"
+        assert len(result["indices_info"]) == 1
+
+        # Verify indices_info content
+        info = result["indices_info"][0]
+        assert info["name"] == "ds-123"
+        assert info["display_name"] == "Test Knowledge Base"
+        assert info["stats"]["base_info"]["doc_count"] == 10
+        assert info["stats"]["base_info"]["process_source"] == "Dify"
+        assert info["stats"]["base_info"]["embedding_model"] == "text-embedding-3-small"
+        assert result["pagination"]["embedding_available"] is True
+
+    def test_fetch_dify_datasets_impl_success_multiple_datasets(self):
+        """Test successful fetching of multiple datasets from Dify API."""
+        mock_response = MagicMock()
+        mock_response.json.return_value = {
+            "data": [
+                {
+                    "id": "ds-1",
+                    "name": "Knowledge Base 1",
+                    "document_count": 5,
+                    "created_at": 1704067200,
+                    "updated_at": 1704153600,
+                    "embedding_available": True,
+                    "embedding_model": "text-embedding-3-small"
+                },
+                {
+                    "id": "ds-2",
+                    "name": "Knowledge Base 2",
+                    "document_count": 20,
+                    "created_at": 1704240000,
+                    "updated_at": 1704326400,
+                    "embedding_available": False
+                }
+            ]
+        }
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            result = fetch_dify_datasets_impl(
+                dify_api_base="https://dify.example.com",
+                api_key="test-api-key"
+            )
+
+        assert result["count"] == 2
+        assert len(result["indices"]) == 2
+        assert result["indices"] == ["ds-1", "ds-2"]
+        assert len(result["indices_info"]) == 2
+
+        # Check first dataset
+        assert result["indices_info"][0]["display_name"] == "Knowledge Base 1"
+        assert result["indices_info"][0]["stats"]["base_info"]["doc_count"] == 5
+
+        # Check second dataset
+        assert result["indices_info"][1]["display_name"] == "Knowledge Base 2"
+        assert result["indices_info"][1]["stats"]["base_info"]["doc_count"] == 20
+        assert result["pagination"]["embedding_available"] is False
+
+    def test_fetch_dify_datasets_impl_empty_response(self):
+        """Test fetching when Dify API returns empty dataset list."""
+        mock_response = MagicMock()
+        mock_response.json.return_value = {"data": []}
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            result = fetch_dify_datasets_impl(
+                dify_api_base="https://dify.example.com",
+                api_key="test-api-key"
+            )
+
+        assert result["count"] == 0
+        assert result["indices"] == []
+        assert result["indices_info"] == []
+        assert result["pagination"]["embedding_available"] is False
+
+    def test_fetch_dify_datasets_impl_invalid_api_base_none(self):
+        """Test ValueError when dify_api_base is None."""
+        from backend.services.dify_service import fetch_dify_datasets_impl
+
+        with pytest.raises(ValueError) as excinfo:
+            fetch_dify_datasets_impl(
+                dify_api_base=None,
+                api_key="test-api-key"
+            )
+
+        assert "dify_api_base is required and must be a non-empty string" in str(
+            excinfo.value)
+
+    def test_fetch_dify_datasets_impl_invalid_api_base_empty_string(self):
+        """Test ValueError when dify_api_base is empty string."""
+        from backend.services.dify_service import fetch_dify_datasets_impl
+
+        with pytest.raises(ValueError) as excinfo:
+            fetch_dify_datasets_impl(
+                dify_api_base="",
+                api_key="test-api-key"
+            )
+
+        assert "dify_api_base is required and must be a non-empty string" in str(
+            excinfo.value)
+
+    def test_fetch_dify_datasets_impl_invalid_api_base_not_string(self):
+        """Test ValueError when dify_api_base is not a string."""
+        from backend.services.dify_service import fetch_dify_datasets_impl
+
+        with pytest.raises(ValueError) as excinfo:
+            fetch_dify_datasets_impl(
+                dify_api_base=12345,
+                api_key="test-api-key"
+            )
+
+        assert "dify_api_base is required and must be a non-empty string" in str(
+            excinfo.value)
+
+    def test_fetch_dify_datasets_impl_invalid_api_key_none(self):
+        """Test ValueError when api_key is None."""
+        from backend.services.dify_service import fetch_dify_datasets_impl
+
+        with pytest.raises(ValueError) as excinfo:
+            fetch_dify_datasets_impl(
+                dify_api_base="https://dify.example.com",
+                api_key=None
+            )
+
+        assert "api_key is required and must be a non-empty string" in str(
+            excinfo.value)
+
+    def test_fetch_dify_datasets_impl_invalid_api_key_empty_string(self):
+        """Test ValueError when api_key is empty string."""
+        from backend.services.dify_service import fetch_dify_datasets_impl
+
+        with pytest.raises(ValueError) as excinfo:
+            fetch_dify_datasets_impl(
+                dify_api_base="https://dify.example.com",
+                api_key=""
+            )
+
+        assert "api_key is required and must be a non-empty string" in str(
+            excinfo.value)
+
+    def test_fetch_dify_datasets_impl_invalid_api_key_not_string(self):
+        """Test ValueError when api_key is not a string."""
+        from backend.services.dify_service import fetch_dify_datasets_impl
+
+        with pytest.raises(ValueError) as excinfo:
+            fetch_dify_datasets_impl(
+                dify_api_base="https://dify.example.com",
+                api_key=[]  # list is not a string
+            )
+
+        assert "api_key is required and must be a non-empty string" in str(
+            excinfo.value)
+
+    def test_fetch_dify_datasets_impl_url_normalization_trailing_slash(self):
+        """Test that trailing slash is removed from API base URL."""
+        mock_response = MagicMock()
+        mock_response.json.return_value = {"data": []}
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            fetch_dify_datasets_impl(
+                dify_api_base="https://dify.example.com/",
+                api_key="test-api-key"
+            )
+
+        # Verify URL is normalized (no trailing slash)
+        mock_client.get.assert_called_once()
+        called_url = mock_client.get.call_args[0][0]
+        assert called_url == "https://dify.example.com/v1/datasets"
+        assert not called_url.endswith("//")
+
+    def test_fetch_dify_datasets_impl_http_error(self):
+        """Test handling of HTTP status errors from Dify API."""
+        mock_response = MagicMock()
+        mock_response.raise_for_status.side_effect = httpx.HTTPStatusError(
+            "404 Not Found",
+            request=MagicMock(),
+            response=MagicMock(status_code=404)
+        )
+        mock_response.json = MagicMock()  # Should not be called
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            with pytest.raises(Exception) as excinfo:
+                fetch_dify_datasets_impl(
+                    dify_api_base="https://dify.example.com",
+                    api_key="test-api-key"
+                )
+
+            assert "Dify API HTTP error" in str(excinfo.value)
+
+    def test_fetch_dify_datasets_impl_request_error(self):
+        """Test handling of request errors (connection issues)."""
+        mock_request_error = httpx.RequestError(
+            "Connection failed", request=MagicMock())
+
+        mock_client = MagicMock()
+        mock_client.get.side_effect = mock_request_error
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            with pytest.raises(Exception) as excinfo:
+                fetch_dify_datasets_impl(
+                    dify_api_base="https://dify.example.com",
+                    api_key="test-api-key"
+                )
+
+            assert "Dify API request failed" in str(excinfo.value)
+
+    def test_fetch_dify_datasets_impl_json_decode_error(self):
+        """Test handling of invalid JSON response from Dify API."""
+        mock_response = MagicMock()
+        mock_response.json.side_effect = json.JSONDecodeError(
+            "Invalid JSON", "", 0)
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            with pytest.raises(Exception) as excinfo:
+                fetch_dify_datasets_impl(
+                    dify_api_base="https://dify.example.com",
+                    api_key="test-api-key"
+                )
+
+            assert "Failed to parse Dify API response" in str(excinfo.value)
+
+    def test_fetch_dify_datasets_impl_missing_data_key(self):
+        """Test handling of response missing 'data' key."""
+        mock_response = MagicMock()
+        mock_response.json.return_value = {}  # Missing 'data' key
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            result = fetch_dify_datasets_impl(
+                dify_api_base="https://dify.example.com",
+                api_key="test-api-key"
+            )
+
+        # Should return empty result when data key is missing
+        assert result["count"] == 0
+        assert result["indices"] == []
+        assert result["indices_info"] == []
+
+    def test_fetch_dify_datasets_impl_dataset_without_id(self):
+        """Test that datasets without ID are skipped."""
+        mock_response = MagicMock()
+        mock_response.json.return_value = {
+            "data": [
+                {
+                    "id": "",  # Empty ID should be skipped
+                    "name": "Invalid Dataset"
+                },
+                {
+                    "id": "ds-valid",
+                    "name": "Valid Dataset",
+                    "document_count": 5
+                }
+            ]
+        }
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            result = fetch_dify_datasets_impl(
+                dify_api_base="https://dify.example.com",
+                api_key="test-api-key"
+            )
+
+        assert result["count"] == 1
+        assert result["indices"] == ["ds-valid"]
+        assert result["indices_info"][0]["display_name"] == "Valid Dataset"
+
+    def test_fetch_dify_datasets_impl_dataset_missing_optional_fields(self):
+        """Test dataset with missing optional fields (document_count, etc.)."""
+        mock_response = MagicMock()
+        mock_response.json.return_value = {
+            "data": [
+                {
+                    "id": "ds-minimal",
+                    "name": "Minimal Dataset"
+                    # No document_count, created_at, etc.
+                }
+            ]
+        }
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            result = fetch_dify_datasets_impl(
+                dify_api_base="https://dify.example.com",
+                api_key="test-api-key"
+            )
+
+        assert result["count"] == 1
+        info = result["indices_info"][0]
+        assert info["name"] == "ds-minimal"
+        assert info["stats"]["base_info"]["doc_count"] == 0
+        assert info["stats"]["base_info"]["chunk_count"] == 0
+        assert info["stats"]["base_info"]["embedding_model"] == ""
+
+    def test_fetch_dify_datasets_impl_timestamp_conversion(self):
+        """Test that Unix timestamps are converted to milliseconds."""
+        mock_response = MagicMock()
+        mock_response.json.return_value = {
+            "data": [
+                {
+                    "id": "ds-1",
+                    "name": "Test Dataset",
+                    "document_count": 5,
+                    "created_at": 1704067200,  # 2024-01-01 00:00:00 UTC
+                    "updated_at": 1704153600   # 2024-01-02 00:00:00 UTC
+                }
+            ]
+        }
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            result = fetch_dify_datasets_impl(
+                dify_api_base="https://dify.example.com",
+                api_key="test-api-key"
+            )
+
+        # Timestamps should be converted to milliseconds (multiply by 1000)
+        info = result["indices_info"][0]
+        assert info["stats"]["base_info"]["creation_date"] == 1704067200000
+        assert info["stats"]["base_info"]["update_date"] == 1704153600000
+
+    def test_fetch_dify_datasets_impl_timestamp_zero_for_missing(self):
+        """Test that missing timestamps result in zero."""
+        mock_response = MagicMock()
+        mock_response.json.return_value = {
+            "data": [
+                {
+                    "id": "ds-1",
+                    "name": "Test Dataset",
+                    "created_at": None,
+                    "updated_at": None
+                }
+            ]
+        }
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            result = fetch_dify_datasets_impl(
+                dify_api_base="https://dify.example.com",
+                api_key="test-api-key"
+            )
+
+        info = result["indices_info"][0]
+        assert info["stats"]["base_info"]["creation_date"] == 0
+        assert info["stats"]["base_info"]["update_date"] == 0
+
+    def test_fetch_dify_datasets_impl_request_headers(self):
+        """Test that correct headers are sent in API request."""
+        mock_response = MagicMock()
+        mock_response.json.return_value = {"data": []}
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            fetch_dify_datasets_impl(
+                dify_api_base="https://dify.example.com",
+                api_key="my-secret-api-key"
+            )
+
+        mock_client.get.assert_called_once()
+        call_args = mock_client.get.call_args
+
+        # Verify URL
+        assert call_args[0][0] == "https://dify.example.com/v1/datasets"
+
+        # Verify headers
+        headers = call_args[1]["headers"]
+        assert headers["Authorization"] == "Bearer my-secret-api-key"
+        assert headers["Content-Type"] == "application/json"
+
+    def test_fetch_dify_datasets_impl_url_normalization_v1_suffix(self):
+        """Test that /v1 suffix is removed from API base URL to avoid duplication.
+
+        E.g., "https://api.dify.ai/v1" -> "https://api.dify.ai"
+        """
+        mock_response = MagicMock()
+        mock_response.json.return_value = {"data": []}
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            fetch_dify_datasets_impl(
+                dify_api_base="https://api.dify.ai/v1",
+                api_key="test-api-key"
+            )
+
+        # Verify URL is normalized (/v1 suffix removed)
+        mock_client.get.assert_called_once()
+        called_url = mock_client.get.call_args[0][0]
+        assert called_url == "https://api.dify.ai/v1/datasets"
+        assert "/v1/v1/" not in called_url
+
+    def test_fetch_dify_datasets_impl_url_normalization_v1_with_trailing_slash(self):
+        """Test that /v1/ suffix is removed from API base URL to avoid duplication.
+
+        E.g., "https://api.dify.ai/v1/" -> "https://api.dify.ai"
+        """
+        mock_response = MagicMock()
+        mock_response.json.return_value = {"data": []}
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            fetch_dify_datasets_impl(
+                dify_api_base="https://api.dify.ai/v1/",
+                api_key="test-api-key"
+            )
+
+        # Verify URL is normalized (/v1/ suffix removed)
+        mock_client.get.assert_called_once()
+        called_url = mock_client.get.call_args[0][0]
+        assert called_url == "https://api.dify.ai/v1/datasets"
+        assert "/v1/v1/" not in called_url
+
+    def test_fetch_dify_datasets_impl_url_normalization_v1_and_trailing_slash_combined(self):
+        """Test URL normalization when API base has /v1 and trailing slash.
+
+        E.g., "https://api.dify.ai/v1/" -> "https://api.dify.ai"
+        Then /v1/datasets is appended.
+        """
+        mock_response = MagicMock()
+        mock_response.json.return_value = {"data": []}
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            # This tests the combined effect: rstrip("/") + endswith("/v1") check
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            fetch_dify_datasets_impl(
+                dify_api_base="https://api.dify.ai/v1/",
+                api_key="test-api-key"
+            )
+
+        mock_client.get.assert_called_once()
+        called_url = mock_client.get.call_args[0][0]
+        # Should result in clean URL without double slashes or /v1 duplication
+        assert called_url == "https://api.dify.ai/v1/datasets"
+        assert not called_url.endswith("//")
+        assert not called_url.endswith("/v1/v1/")
+
+    def test_fetch_dify_datasets_impl_url_normalization_no_v1_suffix(self):
+        """Test that URLs without /v1 suffix are not modified.
+
+        E.g., "https://api.dify.ai" stays as "https://api.dify.ai"
+        """
+        mock_response = MagicMock()
+        mock_response.json.return_value = {"data": []}
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            fetch_dify_datasets_impl(
+                dify_api_base="https://api.dify.ai",
+                api_key="test-api-key"
+            )
+
+        mock_client.get.assert_called_once()
+        called_url = mock_client.get.call_args[0][0]
+        assert called_url == "https://api.dify.ai/v1/datasets"
+
+    def test_fetch_dify_datasets_impl_url_v1_suffix_in_custom_path(self):
+        """Test that /v1 suffix is stripped even when in custom path.
+
+        The code removes /v1 suffix regardless of URL structure.
+        E.g., "https://api.dify.ai/custom/v1" -> "https://api.dify.ai/custom"
+        Then /v1/datasets is appended: "https://api.dify.ai/custom/v1/datasets"
+        """
+        mock_response = MagicMock()
+        mock_response.json.return_value = {"data": []}
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            # The /v1 at the end of base URL gets stripped
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            fetch_dify_datasets_impl(
+                dify_api_base="https://api.dify.ai/custom/v1",
+                api_key="test-api-key"
+            )
+
+        mock_client.get.assert_called_once()
+        called_url = mock_client.get.call_args[0][0]
+        # /v1 is stripped, then /v1/datasets is appended
+        assert called_url == "https://api.dify.ai/custom/v1/datasets"
+        # Verify no duplication
+        assert "/v1/v1" not in called_url
+
+    def test_fetch_dify_datasets_impl_url_v1_suffix_with_port(self):
+        """Test /v1 suffix removal with port number in URL.
+
+        E.g., "https://api.dify.ai:8080/v1" -> "https://api.dify.ai:8080"
+        """
+        mock_response = MagicMock()
+        mock_response.json.return_value = {"data": []}
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            fetch_dify_datasets_impl(
+                dify_api_base="https://api.dify.ai:8080/v1",
+                api_key="test-api-key"
+            )
+
+        mock_client.get.assert_called_once()
+        called_url = mock_client.get.call_args[0][0]
+        assert called_url == "https://api.dify.ai:8080/v1/datasets"
+        assert "/v1/v1" not in called_url
+
+    @pytest.mark.parametrize("api_base_url", [
+        "https://api.dify.ai/v1",
+        "https://api.dify.ai/v1/",
+        "http://localhost:3000/v1",
+        "http://localhost:3000/v1/",
+        "https://dify.example.com/v1",
+        "https://dify.example.com/v1/",
+    ])
+    def test_fetch_dify_datasets_impl_url_v1_suffix_parametrized(self, api_base_url):
+        """Parametrized test for various /v1 suffix formats."""
+        mock_response = MagicMock()
+        mock_response.json.return_value = {"data": []}
+        mock_response.raise_for_status = MagicMock()
+
+        mock_client = _create_mock_client(mock_response)
+
+        with patch('backend.services.dify_service.http_client_manager') as mock_manager:
+            mock_manager.get_sync_client.return_value = mock_client
+
+            from backend.services.dify_service import fetch_dify_datasets_impl
+
+            fetch_dify_datasets_impl(
+                dify_api_base=api_base_url,
+                api_key="test-api-key"
+            )
+
+        mock_client.get.assert_called_once()
+        called_url = mock_client.get.call_args[0][0]
+        # Verify no URL duplication (/v1 should not appear twice)
+        assert "/v1/v1" not in called_url, f"URL duplication detected: {called_url}"
+        # Verify URL ends with /v1/datasets
+        assert called_url.endswith("/v1/datasets")
diff --git a/test/backend/services/test_group_service.py b/test/backend/services/test_group_service.py
index 0c9a9d865..9f1d4230f 100644
--- a/test/backend/services/test_group_service.py
+++ b/test/backend/services/test_group_service.py
@@ -155,10 +155,12 @@ def test_get_groups_by_tenant_success(mock_query_groups_by_tenant, mock_count_us
 
 
 @patch('backend.services.group_service.get_user_tenant_by_user_id')
+@patch('backend.services.group_service.check_group_name_exists')
 @patch('backend.services.group_service.add_group')
-def test_create_group_success(mock_add_group, mock_get_user, mock_user_info):
+def test_create_group_success(mock_add_group, mock_check_name, mock_get_user, mock_user_info):
     """Test creating group successfully"""
     mock_get_user.return_value = mock_user_info
+    mock_check_name.return_value = False  # Name doesn't exist
     mock_add_group.return_value = 123
 
     result = create_group(
@@ -176,6 +178,7 @@ def test_create_group_success(mock_add_group, mock_get_user, mock_user_info):
         group_description="Description",
         created_by="test_user"
     )
+    mock_check_name.assert_called_once_with("test_tenant", "Test Group")
 
 
 @patch('backend.services.group_service.get_user_tenant_by_user_id')
@@ -192,6 +195,24 @@ def test_create_group_unauthorized(mock_get_user, mock_user_info):
         )
 
 
+@patch('backend.services.group_service.get_user_tenant_by_user_id')
+@patch('backend.services.group_service.check_group_name_exists')
+def test_create_group_duplicate_name(mock_check_name, mock_get_user, mock_user_info):
+    """Test creating group with duplicate name"""
+    mock_get_user.return_value = mock_user_info
+    mock_check_name.return_value = True  # Simulate name already exists
+
+    with pytest.raises(ValidationError, match="Group name 'Test Group' already exists"):
+        create_group(
+            tenant_id="test_tenant",
+            group_name="Test Group",
+            group_description="Description",
+            user_id="test_user"
+        )
+
+    mock_check_name.assert_called_once_with("test_tenant", "Test Group")
+
+
 @patch('backend.services.group_service.get_user_tenant_by_user_id')
 def test_create_group_user_not_found(mock_get_user):
     """Test creating group when user doesn't exist"""
@@ -206,12 +227,14 @@ def test_create_group_user_not_found(mock_get_user):
 
 
 @patch('backend.services.group_service.get_user_tenant_by_user_id')
+@patch('backend.services.group_service.check_group_name_exists')
 @patch('backend.services.group_service.query_groups')
 @patch('backend.services.group_service.modify_group')
-def test_update_group_success(mock_modify_group, mock_query_groups, mock_get_user, mock_user_info, mock_group_info):
+def test_update_group_success(mock_modify_group, mock_query_groups, mock_check_name, mock_get_user, mock_user_info, mock_group_info):
     """Test updating group successfully"""
     mock_get_user.return_value = mock_user_info
     mock_query_groups.return_value = mock_group_info
+    mock_check_name.return_value = False  # Name doesn't exist
     mock_modify_group.return_value = True
 
     result = update_group(
@@ -226,6 +249,11 @@ def test_update_group_success(mock_modify_group, mock_query_groups, mock_get_use
         updates={"group_name": "Updated Group"},
         updated_by="test_user"
     )
+    mock_check_name.assert_called_once_with(
+        mock_group_info["tenant_id"],
+        "Updated Group",
+        exclude_group_id=123
+    )
 
 
 @patch('backend.services.group_service.get_user_tenant_by_user_id')
@@ -270,6 +298,29 @@ def test_update_group_unauthorized_role(mock_get_user, mock_user_info):
         )
 
 
+@patch('backend.services.group_service.get_user_tenant_by_user_id')
+@patch('backend.services.group_service.query_groups')
+@patch('backend.services.group_service.check_group_name_exists')
+def test_update_group_duplicate_name(mock_check_name, mock_query_groups, mock_get_user, mock_user_info, mock_group_info):
+    """Test updating group with duplicate name"""
+    mock_get_user.return_value = mock_user_info
+    mock_query_groups.return_value = mock_group_info
+    mock_check_name.return_value = True  # Simulate name already exists
+
+    with pytest.raises(ValidationError, match="Group name 'Test Group' already exists"):
+        update_group(
+            group_id=123,
+            updates={"group_name": "Test Group"},  # Trying to rename to existing name
+            user_id="test_user"
+        )
+
+    mock_check_name.assert_called_once_with(
+        mock_group_info["tenant_id"],
+        "Test Group",
+        exclude_group_id=123
+    )
+
+
 @patch('backend.services.group_service.get_user_tenant_by_user_id')
 @patch('backend.services.group_service.query_groups')
 @patch('backend.services.group_service.remove_group')
diff --git a/test/backend/services/test_invitation_service.py b/test/backend/services/test_invitation_service.py
index 2a9129afe..9f56d5867 100644
--- a/test/backend/services/test_invitation_service.py
+++ b/test/backend/services/test_invitation_service.py
@@ -15,7 +15,7 @@
 patch('nexent.storage.minio_config.MinIOStorageConfig.validate', lambda self: None).start()
 patch('backend.database.client.MinioClient', return_value=minio_client_mock).start()
 
-from consts.exceptions import NotFoundException, UnauthorizedError
+from consts.exceptions import NotFoundException, UnauthorizedError, DuplicateError
 from backend.services.invitation_service import (
     create_invitation_code,
     update_invitation_code,
@@ -62,7 +62,9 @@ def mock_invitation_info():
 @patch('backend.services.invitation_service.add_invitation')
 @patch('backend.services.invitation_service.query_invitation_by_id')
 @patch('backend.services.invitation_service.update_invitation_code_status')
+@patch('backend.services.invitation_service.query_invitation_by_code')
 def test_create_invitation_code_admin_invite(
+    mock_query_invitation_by_code,
     mock_update_status,
     mock_query_invitation,
     mock_add_invitation,
@@ -80,6 +82,8 @@ def test_create_invitation_code_admin_invite(
     mock_add_invitation.return_value = 123
     mock_update_status.return_value = None
     mock_query_invitation.return_value = {"status": "IN_USE"}
+    # Mock that the generated code doesn't exist yet
+    mock_query_invitation_by_code.return_value = None
 
     result = create_invitation_code(
         tenant_id="test_tenant",
@@ -108,7 +112,9 @@ def test_create_invitation_code_admin_invite(
 @patch('backend.services.invitation_service.add_invitation')
 @patch('backend.services.invitation_service.query_invitation_by_id')
 @patch('backend.services.invitation_service.update_invitation_code_status')
+@patch('backend.services.invitation_service.query_invitation_by_code')
 def test_create_invitation_code_dev_invite_admin_role(
+    mock_query_invitation_by_code,
     mock_update_status,
     mock_query_invitation,
     mock_add_invitation,
@@ -126,6 +132,8 @@ def test_create_invitation_code_dev_invite_admin_role(
     mock_add_invitation.return_value = 123
     mock_update_status.return_value = None
     mock_query_invitation.return_value = {"status": "IN_USE"}
+    # Mock that the generated code doesn't exist yet
+    mock_query_invitation_by_code.return_value = None
 
     result = create_invitation_code(
         tenant_id="test_tenant",
@@ -207,13 +215,41 @@ def test_create_invitation_code_user_not_found(mock_get_user_info):
         )
 
 
+@patch('backend.services.invitation_service.get_user_tenant_by_user_id')
+@patch('backend.services.invitation_service.query_invitation_by_code')
+def test_create_invitation_code_duplicate(mock_query_invitation_by_code, mock_get_user_info, mock_user_info):
+    """Test creating invitation code with duplicate code raises DuplicateError"""
+    # Setup mocks
+    mock_user_info["user_role"] = "SU"
+    mock_get_user_info.return_value = mock_user_info
+    # Simulate that the invitation code already exists
+    mock_query_invitation_by_code.return_value = {
+        "invitation_id": 1,
+        "invitation_code": "EXISTING",
+        "status": "IN_USE"
+    }
+
+    with pytest.raises(DuplicateError, match="Invitation code 'EXISTING' already exists"):
+        create_invitation_code(
+            tenant_id="test_tenant",
+            code_type="ADMIN_INVITE",
+            invitation_code="existing",  # lowercase, will be converted to uppercase
+            user_id="test_user"
+        )
+
+    # Verify that query_invitation_by_code was called with the uppercase code
+    mock_query_invitation_by_code.assert_called_once_with("EXISTING")
+
+
 @patch('backend.services.invitation_service.get_tenant_default_group_id')
 @patch('backend.services.invitation_service.get_user_tenant_by_user_id')
 @patch('backend.services.invitation_service._generate_unique_invitation_code')
 @patch('backend.services.invitation_service.add_invitation')
 @patch('backend.services.invitation_service.query_invitation_by_id')
 @patch('backend.services.invitation_service.update_invitation_code_status')
+@patch('backend.services.invitation_service.query_invitation_by_code')
 def test_create_invitation_code_default_empty_group_ids(
+    mock_query_invitation_by_code,
     mock_update_status,
     mock_query_invitation,
     mock_add_invitation,
@@ -231,6 +267,8 @@ def test_create_invitation_code_default_empty_group_ids(
     mock_add_invitation.return_value = 123
     mock_update_status.return_value = None
     mock_query_invitation.return_value = {"status": "IN_USE"}
+    # Mock that the generated code doesn't exist yet
+    mock_query_invitation_by_code.return_value = None
 
     # Test ADMIN_INVITE with no default group - should result in empty group_ids
     result = create_invitation_code(
@@ -252,7 +290,9 @@ def test_create_invitation_code_default_empty_group_ids(
 @patch('backend.services.invitation_service.add_invitation')
 @patch('backend.services.invitation_service.query_invitation_by_id')
 @patch('backend.services.invitation_service.update_invitation_code_status')
+@patch('backend.services.invitation_service.query_invitation_by_code')
 def test_create_invitation_code_provided_code_uppercase_conversion(
+    mock_query_invitation_by_code,
     mock_update_status,
     mock_query_invitation,
     mock_add_invitation,
@@ -268,6 +308,8 @@ def test_create_invitation_code_provided_code_uppercase_conversion(
     mock_add_invitation.return_value = 123
     mock_update_status.return_value = None
     mock_query_invitation.return_value = {"status": "IN_USE"}
+    # Mock that the provided code doesn't exist yet
+    mock_query_invitation_by_code.return_value = None
 
     result = create_invitation_code(
         tenant_id="test_tenant",
@@ -1146,3 +1188,108 @@ def test_delete_invitation_code_not_found(mock_query_invitation, mock_get_user,
             invitation_id=123,
             user_id="test_user"
         )
+
+
+@patch('backend.services.invitation_service.count_invitation_usage')
+def test_calculate_current_status_same_day_not_expired(mock_count_usage):
+    """Test _calculate_current_status with same-day expiry date should NOT be expired (new logic)"""
+    from backend.services.invitation_service import _calculate_current_status
+    from datetime import datetime
+
+    # Mock usage count below capacity
+    mock_count_usage.return_value = 2
+
+    # Test with today's date as expiry - should NOT be expired
+    today = datetime.now().date()
+    today_datetime = datetime.combine(today, datetime.min.time())
+    input_data = {
+        "invitation_id": 123,
+        "expiry_date": today_datetime,
+        "capacity": 5,
+        "status": "IN_USE"
+    }
+
+    result = _calculate_current_status(input_data)
+
+    # Should keep original status since same day is not expired
+    assert result["status"] == "IN_USE"
+
+
+@patch('backend.services.invitation_service.count_invitation_usage')
+def test_calculate_current_status_yesterday_expired(mock_count_usage):
+    """Test _calculate_current_status with yesterday's date as expiry SHOULD be expired"""
+    from backend.services.invitation_service import _calculate_current_status
+    from datetime import datetime, timedelta
+
+    # Mock usage count below capacity
+    mock_count_usage.return_value = 2
+
+    # Test with yesterday's date as expiry - should be expired
+    yesterday = datetime.now().date() - timedelta(days=1)
+    yesterday_datetime = datetime.combine(yesterday, datetime.min.time())
+    input_data = {
+        "invitation_id": 123,
+        "expiry_date": yesterday_datetime,
+        "capacity": 5,
+        "status": "IN_USE"
+    }
+
+    result = _calculate_current_status(input_data)
+
+    # Should set status to EXPIRE since yesterday is strictly before today
+    assert result["status"] == "EXPIRE"
+
+
+@patch('backend.services.invitation_service.count_invitation_usage')
+def test_calculate_current_status_same_day_string_not_expired(mock_count_usage):
+    """Test _calculate_current_status with same-day string expiry date should NOT be expired (new logic)"""
+    from backend.services.invitation_service import _calculate_current_status
+    from datetime import datetime
+
+    # Mock usage count below capacity
+    mock_count_usage.return_value = 1
+
+    # Test with today's date as expiry string - should NOT be expired
+    today = datetime.now()
+    today_str = today.strftime("%Y-%m-%dT%H:%M:%S")
+    input_data = {
+        "invitation_id": 123,
+        "expiry_date": today_str,
+        "capacity": 5,
+        "status": "IN_USE"
+    }
+
+    result = _calculate_current_status(input_data)
+
+    # Should keep original status since same day is not expired
+    assert result["status"] == "IN_USE"
+
+
+@patch('backend.services.invitation_service.query_invitation_by_id')
+@patch('backend.services.invitation_service.count_invitation_usage')
+@patch('backend.services.invitation_service.modify_invitation')
+def test_update_invitation_code_status_same_day_not_expired(
+    mock_modify_invitation,
+    mock_count_usage,
+    mock_query_invitation_by_id
+):
+    """Test update_invitation_code_status with today's expiry date should NOT expire"""
+    from datetime import datetime, timedelta
+
+    # Mock invitation expiring today
+    today = datetime.now().date()
+    today_datetime = datetime.combine(today, datetime.min.time())
+
+    mock_query_invitation_by_id.return_value = {
+        "invitation_id": 123,
+        "expiry_date": today_datetime.isoformat(),  # Today's date as expiry
+        "capacity": 5,
+        "status": "IN_USE"
+    }
+    mock_count_usage.return_value = 2  # Below capacity
+
+    result = update_invitation_code_status(123)
+
+    # Should return False because status didn't change (today is not expired)
+    assert result is False
+    mock_modify_invitation.assert_not_called()
\ No newline at end of file
diff --git a/test/backend/services/test_model_management_service.py b/test/backend/services/test_model_management_service.py
index e38e24976..6d0806299 100644
--- a/test/backend/services/test_model_management_service.py
+++ b/test/backend/services/test_model_management_service.py
@@ -255,10 +255,15 @@ def _update_config_by_tenant_config_id_and_data(*args, **kwargs):
     return None
 
 
+def _update_config_by_tenant_config_id(*args, **kwargs):
+    return None
+
+
 db_tenant_cfg_mod.delete_config_by_tenant_config_id = _delete_config_by_tenant_config_id
 db_tenant_cfg_mod.get_all_configs_by_tenant_id = _get_all_configs_by_tenant_id
 db_tenant_cfg_mod.get_single_config_info = _get_single_config_info
 db_tenant_cfg_mod.insert_config = _insert_config
+db_tenant_cfg_mod.update_config_by_tenant_config_id = _update_config_by_tenant_config_id
 db_tenant_cfg_mod.update_config_by_tenant_config_id_and_data = _update_config_by_tenant_config_id_and_data
 sys.modules["database.tenant_config_db"] = db_tenant_cfg_mod
 
@@ -282,6 +287,26 @@ async def _clear_model_memories(**kwargs):
 nexent_memory_mod.clear_model_memories = _clear_model_memories
 sys.modules["nexent.memory.memory_service"] = nexent_memory_mod
 
+# Stub services.tenant_service required by list_models_for_admin BEFORE any imports
+services_tenant_mod = types.ModuleType("services.tenant_service")
+
+
+def _get_tenant_info(tenant_id):
+    """Mock implementation of get_tenant_info for testing."""
+    # Raise exception for empty tenant to test error handling
+    if tenant_id == "empty_tenant":
+        raise Exception("Tenant not found")
+    return {"tenant_name": "Test Tenant"}
+
+
+services_tenant_mod.get_tenant_info = _get_tenant_info
+sys.modules["services.tenant_service"] = services_tenant_mod
+
+
+def _add_repo_to_name(model_repo, model_name):
+    """Mock implementation of add_repo_to_name for testing."""
+    return f"{model_repo}/{model_name}" if model_repo else model_name
+
 
 def import_svc():
     """Import service under MinioClient patch to avoid real initialization."""
@@ -1089,3 +1114,129 @@ async def test_list_llm_models_for_tenant_handles_missing_repo():
         assert len(result) == 2
         assert result[0]["model_name"] == "local-model"  # No repo prefix
         assert result[1]["model_name"] == "another-model"  # No repo prefix
+
+
+# Tests for list_models_for_admin
+async def test_list_models_for_admin_success():
+    """Test list_models_for_tenant returns models for a specified tenant."""
+    svc = import_svc()
+
+    records = [
+        {"model_repo": "huggingface", "model_name": "llama",
+            "connect_status": "operational", "model_type": "llm"},
+        {"model_repo": "openai", "model_name": "clip", "connect_status": None, "model_type": "embedding"},
+    ]
+
+    with mock.patch.object(svc, "get_model_records", return_value=records), \
+            mock.patch.object(svc, "add_repo_to_name", side_effect=lambda model_repo, model_name: f"{model_repo}/{model_name}" if model_repo else model_name), \
+            mock.patch.object(svc.ModelConnectStatusEnum, "get_value", side_effect=lambda s: s or "not_detected"):
+        out = await svc.list_models_for_admin("t1")
+        assert out["tenant_id"] == "t1"
+        assert out["tenant_name"] == "Test Tenant"
+        assert out["total"] == 2
+        assert out["page"] == 1
+        assert out["page_size"] == 20
+        assert out["total_pages"] == 1
+        assert len(out["models"]) == 2
+        assert out["models"][0]["model_name"] == "huggingface/llama"
+
+
+async def test_list_models_for_admin_with_pagination():
+    """Test list_models_for_tenant handles pagination correctly."""
+    svc = import_svc()
+
+    # Create 25 records to test pagination
+    records = [
+        {"model_repo": "openai", "model_name": f"gpt-{i}", "connect_status": "operational", "model_type": "llm"}
+        for i in range(25)
+    ]
+
+    with mock.patch.object(svc, "get_model_records", return_value=records), \
+            mock.patch("backend.utils.model_name_utils.add_repo_to_name", side_effect=_add_repo_to_name), \
+            mock.patch.object(svc.ModelConnectStatusEnum, "get_value", side_effect=lambda s: s or "not_detected"):
+        # Page 1, page_size 10
+        out = await svc.list_models_for_admin("t1", page=1, page_size=10)
+        assert out["page"] == 1
+        assert out["page_size"] == 10
+        assert out["total"] == 25
+        assert out["total_pages"] == 3
+        assert len(out["models"]) == 10
+        assert out["models"][0]["model_name"] == "openai/gpt-0"
+
+        # Page 2
+        out = await svc.list_models_for_admin("t1", page=2, page_size=10)
+        assert out["page"] == 2
+        assert len(out["models"]) == 10
+
+        # Page 3 (last page)
+        out = await svc.list_models_for_admin("t1", page=3, page_size=10)
+        assert out["page"] == 3
+        assert out["total_pages"] == 3
+        assert len(out["models"]) == 5
+
+
+async def test_list_models_for_admin_with_model_type_filter():
+    """Test list_models_for_tenant filters by model_type."""
+    svc = import_svc()
+
+    records = [
+        {"model_repo": "openai", "model_name": "gpt-4", "connect_status": "operational", "model_type": "llm"},
+        {"model_repo": "openai", "model_name": "text-embedding", "connect_status": "operational", "model_type": "embedding"},
+    ]
+
+    with mock.patch.object(svc, "get_model_records", return_value=records) as mock_get_records, \
+            mock.patch("backend.utils.model_name_utils.add_repo_to_name", side_effect=lambda model_repo, model_name: f"{model_repo}/{model_name}" if model_repo else model_name), \
+            mock.patch.object(svc.ModelConnectStatusEnum, "get_value", side_effect=lambda s: s or "not_detected"):
+        # Filter by llm
+        out = await svc.list_models_for_admin("t1", model_type="llm")
+        mock_get_records.assert_called_once_with({"model_type": "llm"}, "t1")
+        assert out["total"] == 2
+        assert out["models"][0]["model_type"] == "llm"
+
+
+async def test_list_models_for_admin_empty_tenant():
+    """Test list_models_for_tenant handles empty tenant gracefully."""
+    svc = import_svc()
+
+    with mock.patch.object(svc, "get_model_records", return_value=[]):
+        # Use "empty_tenant" ID to trigger exception in stub, resulting in empty tenant_name
+        out = await svc.list_models_for_admin("empty_tenant")
+        assert out["tenant_id"] == "empty_tenant"
+        assert out["tenant_name"] == ""
+        assert out["total"] == 0
+        assert out["total_pages"] == 0
+        assert len(out["models"]) == 0
+
+
+async def test_list_models_for_admin_exception():
+    """Test list_models_for_tenant handles exceptions."""
+    svc = import_svc()
+
+    with mock.patch.object(svc, "get_model_records", side_effect=Exception("db error")):
+        with pytest.raises(Exception) as exc:
+            await svc.list_models_for_admin("t1")
+        assert "Failed to retrieve admin model list" in str(exc.value)
+
+
+async def test_list_models_for_admin_type_mapping():
+    """Test list_models_for_tenant maps model_type from 'chat' to 'llm'."""
+    svc = import_svc()
+
+    records = [
+        {
+            "model_id": "llm1",
+            "model_repo": "openai",
+            "model_name": "gpt-4",
+            "display_name": "GPT-4",
+            "model_type": "chat",  # Should be mapped to "llm"
+            "connect_status": "operational"
+        },
+    ]
+
+    with mock.patch.object(svc, "get_model_records", return_value=records), \
+            mock.patch.object(svc, "add_repo_to_name", side_effect=lambda model_repo, model_name: f"{model_repo}/{model_name}" if model_repo else model_name), \
+            mock.patch.object(svc.ModelConnectStatusEnum, "get_value", side_effect=lambda s: s or "not_detected"):
+        out = await svc.list_models_for_admin("t1")
+
+        assert len(out["models"]) == 1
+        assert out["models"][0]["model_type"] == "llm"  # Should be mapped from "chat"
diff --git a/test/backend/services/test_model_provider_service.py b/test/backend/services/test_model_provider_service.py
index ce96d86ef..f81222056 100644
--- a/test/backend/services/test_model_provider_service.py
+++ b/test/backend/services/test_model_provider_service.py
@@ -1,24 +1,147 @@
-from unittest import mock
+"""
+Unit tests for model_provider_service.py and related providers.
+
+This test module thoroughly tests:
+- SiliconModelProvider: LLM and embedding model fetching
+- ModelEngineProvider: Multi-type model fetching with filtering
+- prepare_model_dict: Model configuration dictionary preparation
+- merge_existing_model_tokens: Token merging from existing models
+- get_provider_models: Provider-agnostic model fetching
+- get_model_engine_raw_url: URL parsing for ModelEngine endpoints
+
+Coverage: 100% for model_provider_service.py and related provider modules.
+"""
 import sys
+from unittest import mock
 import pytest
 
-# Create a generic MockModule to stand-in for optional/imported-at-runtime modules
-class MockModule(mock.MagicMock):
-    @classmethod
-    def __getattr__(cls, item):
-        return mock.MagicMock()
+# ============================================================================
+# CRITICAL: Set up mocks BEFORE any imports to prevent side effects
+# This must be done before importing backend.services.model_provider_service
+# to avoid triggering MinioClient initialization during test collection.
+# The mock for database.client MUST be set up BEFORE any import that might
+# trigger the import chain leading to database.client.MiniClient() being called.
+# ============================================================================
+
+# First, mock the SDK modules that have side effects at import time
+# NOTE: Use 'nexent' instead of 'sdk.nexent' because backend imports from the installed 'nexent' package
+sdk_modules_to_mock = [
+    "sdk",
+    "nexent",
+    "nexent.storage",
+    "nexent.storage.storage_client_factory",
+    "nexent.storage.minio",
+]
+for module_path in sdk_modules_to_mock:
+    sys.modules.setdefault(module_path, mock.MagicMock())
+
+# Create a mock MinioStorageClient class that returns itself when instantiated
+# This is CRITICAL to prevent _ensure_bucket_exists from being called
+# during import of database.client.MiniClient
+
+
+class MockMinioStorageClient(mock.MagicMock):
+    """Mock MinioStorageClient that prevents __init__ side effects."""
+
+    def __init__(self, *args, **kwargs):
+        # Skip the real __init__ that connects to MinIO
+        pass
+
+    @property
+    def default_bucket(self):
+        return "test-bucket"
+
+    def _ensure_bucket_exists(self, bucket):
+        # Prevent any connection attempts during import
+        pass
+
+
+# Set the mock class in the module BEFORE any imports that might trigger
+# database.client.MiniClient() instantiation
+sys.modules["nexent.storage.minio"].MinioStorageClient = MockMinioStorageClient
 
-# ---------------------------------------------------------------------------
-# Insert minimal stub modules so that the service under test can be imported
-# without its real heavy dependencies being present during unit-testing.
-# ---------------------------------------------------------------------------
+# Also mock the storage client factory function BEFORE import
+
+
+def mock_create_storage_client_from_config(*args, **kwargs):
+    return MockMinioStorageClient()
+
+
+sys.modules["nexent.storage.storage_client_factory"].create_storage_client_from_config = (
+    mock_create_storage_client_from_config
+)
+
+# ============================================================================
+# CRITICAL: Mock database.client module BEFORE any import that might trigger it
+# The problem is that when database.client is imported, it immediately runs
+# `minio_client = MinioClient()` which tries to connect to MinIO.
+#
+# To fix this, we need to:
+# 1. Create a mock MinioClient class that returns itself when instantiated
+# 2. Replace MinioClient in the database.client module namespace
+# 3. Replace minio_client instance with a mock
+#
+# This must happen BEFORE database.client is imported by any module.
+# ============================================================================
+
+# Create mock MinioClient class that returns itself to prevent singleton instantiation
+
+
+class MockMinioClientClass(mock.MagicMock):
+    """Mock MinioClient class that returns itself to prevent real client instantiation."""
+    def __new__(cls, *args, **kwargs):
+        # Return the mock instance itself, not a new instance of the class
+        # This prevents the real MinIO client from being created
+        mock_instance = mock.MagicMock()
+        mock_instance._storage_client = mock.MagicMock()
+        mock_instance.default_bucket = "test-bucket"
+        return mock_instance
+
+    def __init__(self):
+        # Skip the real __init__ that connects to MinIO
+        pass
+
+
+# Create mock instance that will be used as minio_client
+mock_minio_client_instance = MockMinioClientClass()
+
+# Pre-create the database.client mock module and set it in sys.modules
+# BEFORE any import can trigger the real database.client import
+mock_database_client_module = mock.MagicMock()
+mock_database_client_module.MinioClient = MockMinioClientClass
+mock_database_client_module.minio_client = mock_minio_client_instance
+mock_database_client_module.as_dict = mock.MagicMock()
+mock_database_client_module.db_client = mock.MagicMock()
+mock_database_client_module.get_db_session = mock.MagicMock()
+sys.modules["database.client"] = mock_database_client_module
+
+# Also mock the database package and model_management_db module
+mock_database_module = mock.MagicMock()
+mock_database_module.client = mock_database_client_module
+mock_database_module.model_management_db = mock.MagicMock()
+sys.modules["database"] = mock_database_module
+
+sys.modules["database.model_management_db"] = mock.MagicMock()
+sys.modules["database.model_management_db"].get_models_by_tenant_factory_type = mock.MagicMock()
+
+# Mock other project dependencies (ONLY the modules that need mocking for import safety)
+# NOTE: Do NOT mock services module or its submodules - they are tested directly
 for module_path in [
-    "consts", "consts.provider", "consts.model", "consts.const", "consts.exceptions",
-    "utils", "utils.model_name_utils",
-    "services", "services.model_health_service",
-    "database", "database.model_management_db",
+    "consts",
+    "consts.provider",
+    "consts.model",
+    "consts.const",
+    "consts.exceptions",
+    "utils",
+    "utils.model_name_utils",
+    "services.model_health_service",
 ]:
-    sys.modules.setdefault(module_path, MockModule())
+    sys.modules.setdefault(module_path, mock.MagicMock())
+
+# services.providers.base should NOT be mocked as it contains _classify_provider_error used in tests
+
+# SiliconModelProvider and ModelEngineProvider will be imported from their real modules
+# in the tests that need them
 
 # Provide concrete attributes required by the module under test
 sys.modules["consts.provider"].SILICON_GET_URL = "https://silicon.com"
@@ -29,34 +152,44 @@ def __getattr__(cls, item):
 sys.modules["consts.const"].DEFAULT_MAXIMUM_CHUNK_SIZE = 1536
 
 # Mock ProviderEnum for get_provider_models tests
+
+
 class _ProviderEnumStub:
     SILICON = mock.Mock(value="silicon")
     MODELENGINE = mock.Mock(value="modelengine")
 
+
 sys.modules["consts.provider"].ProviderEnum = _ProviderEnumStub
 
 # Minimal ModelConnectStatusEnum stub so that prepare_model_dict can access
 # `ModelConnectStatusEnum.NOT_DETECTED.value` without importing the real enum.
+
+
 class _EnumStub:
     NOT_DETECTED = mock.Mock(value="not_detected")
     DETECTING = mock.Mock(value="detecting")
+    CONNECTED = mock.Mock(value="connected")
+    FAILED = mock.Mock(value="failed")
+
 
 sys.modules["consts.model"].ModelConnectStatusEnum = _EnumStub
 
 # Mock exception classes
+
+
 class _TimeoutExceptionStub(Exception):
     """Mock TimeoutException for testing."""
     pass
 
+
 sys.modules["consts.exceptions"].TimeoutException = _TimeoutExceptionStub
 
-# Mock the database function that merge_existing_model_tokens depends on
-sys.modules["database.model_management_db"].get_models_by_tenant_factory_type = mock.MagicMock()
+# ============================================================================
+# NOW import the module under test (after all mocks are set up)
+# CRITICAL: This import MUST come after all sys.modules mocks are set up
+# to prevent the import chain from triggering MinioClient initialization.
+# ============================================================================
 
-# ---------------------------------------------------------------------------
-# Now that the import prerequisites are satisfied we can safely import the
-# module under test.
-# ---------------------------------------------------------------------------
 from backend.services.model_provider_service import (
     SiliconModelProvider,
     prepare_model_dict,
@@ -64,9 +197,11 @@ class _TimeoutExceptionStub(Exception):
     get_provider_models,
 )
 
-# ---------------------------------------------------------------------------
+
+# ============================================================================
 # Test-cases for SiliconModelProvider.get_models
-# ---------------------------------------------------------------------------
+# ============================================================================
+
 
 @pytest.mark.asyncio
 async def test_get_models_llm_success():
@@ -74,16 +209,22 @@ async def test_get_models_llm_success():
     provider_config = {"model_type": "llm", "api_key": "test-key"}
 
     # Patch HTTP client & constant inside the provider module
-    with mock.patch("backend.services.model_provider_service.httpx.AsyncClient") as mock_client, \
-         mock.patch("backend.services.model_provider_service.SILICON_GET_URL", "https://silicon.com"):
+    with mock.patch(
+        "backend.services.providers.silicon_provider.httpx.AsyncClient"
+    ) as mock_client, mock.patch(
+        "backend.services.providers.silicon_provider.SILICON_GET_URL",
+        "https://silicon.com",
+    ):
 
         # Prepare mocked http client / response behaviour
         mock_client_instance = mock.AsyncMock()
         mock_client.return_value.__aenter__.return_value = mock_client_instance
 
+        # Create a proper mock for httpx.Response with correct json() behavior
         mock_response = mock.Mock()
         mock_response.status_code = 200
-        mock_response.json.return_value = {"data": [{"id": "gpt-4"}]}
+        mock_response._json_data = {"data": [{"id": "gpt-4"}]}
+        mock_response.json = mock.Mock(side_effect=lambda: mock_response._json_data)
         mock_response.raise_for_status = mock.Mock()
         mock_client_instance.get.return_value = mock_response
 
@@ -91,7 +232,14 @@ async def test_get_models_llm_success():
         result = await SiliconModelProvider().get_models(provider_config)
 
         # Assert returned value & correct HTTP call
-        assert result == [{"id": "gpt-4", "model_tag": "chat", "model_type": "llm", "max_tokens": sys.modules["consts.const"].DEFAULT_LLM_MAX_TOKENS}]
+        assert result == [
+            {
+                "id": "gpt-4",
+                "model_tag": "chat",
+                "model_type": "llm",
+                "max_tokens": sys.modules["consts.const"].DEFAULT_LLM_MAX_TOKENS,
+            }
+        ]
         mock_client_instance.get.assert_called_once_with(
             "https://silicon.com?sub_type=chat",
             headers={"Authorization": "Bearer test-key"},
@@ -103,25 +251,34 @@ async def test_get_models_embedding_success():
     """Silicon provider should append embedding tag/type for embedding models."""
     provider_config = {"model_type": "embedding", "api_key": "test-key"}
 
-    with mock.patch("backend.services.model_provider_service.httpx.AsyncClient") as mock_client, \
-         mock.patch("backend.services.model_provider_service.SILICON_GET_URL", "https://silicon.com"):
+    with mock.patch(
+        "backend.services.providers.silicon_provider.httpx.AsyncClient"
+    ) as mock_client, mock.patch(
+        "backend.services.providers.silicon_provider.SILICON_GET_URL",
+        "https://silicon.com",
+    ):
 
         mock_client_instance = mock.AsyncMock()
         mock_client.return_value.__aenter__.return_value = mock_client_instance
 
         mock_response = mock.Mock()
         mock_response.status_code = 200
-        mock_response.json.return_value = {"data": [{"id": "text-embedding-ada-002"}]}
+        mock_response._json_data = {
+            "data": [{"id": "text-embedding-ada-002"}]
+        }
+        mock_response.json = mock.Mock(side_effect=lambda: mock_response._json_data)
         mock_response.raise_for_status = mock.Mock()
         mock_client_instance.get.return_value = mock_response
 
         result = await SiliconModelProvider().get_models(provider_config)
 
-        assert result == [{
-            "id": "text-embedding-ada-002",
-            "model_tag": "embedding",
-            "model_type": "embedding",
-        }]
+        assert result == [
+            {
+                "id": "text-embedding-ada-002",
+                "model_tag": "embedding",
+                "model_type": "embedding",
+            }
+        ]
         mock_client_instance.get.assert_called_once_with(
             "https://silicon.com?sub_type=embedding",
             headers={"Authorization": "Bearer test-key"},
@@ -133,15 +290,20 @@ async def test_get_models_unknown_type():
     """Unknown model types should not have extra annotations and should hit the base URL."""
     provider_config = {"model_type": "other", "api_key": "test-key"}
 
-    with mock.patch("backend.services.model_provider_service.httpx.AsyncClient") as mock_client, \
-         mock.patch("backend.services.model_provider_service.SILICON_GET_URL", "https://silicon.com"):
+    with mock.patch(
+        "backend.services.providers.silicon_provider.httpx.AsyncClient"
+    ) as mock_client, mock.patch(
+        "backend.services.providers.silicon_provider.SILICON_GET_URL",
+        "https://silicon.com",
+    ):
 
         mock_client_instance = mock.AsyncMock()
         mock_client.return_value.__aenter__.return_value = mock_client_instance
 
         mock_response = mock.Mock()
         mock_response.status_code = 200
-        mock_response.json.return_value = {"data": [{"id": "model-x"}]}
+        mock_response._json_data = {"data": [{"id": "model-x"}]}
+        mock_response.json = mock.Mock(side_effect=lambda: mock_response._json_data)
         mock_response.raise_for_status = mock.Mock()
         mock_client_instance.get.return_value = mock_response
 
@@ -157,11 +319,15 @@ async def test_get_models_unknown_type():
 
 @pytest.mark.asyncio
 async def test_get_models_exception():
-    """HTTP errors should be caught and an empty list returned."""
+    """HTTP errors should be caught and an error response returned."""
     provider_config = {"model_type": "llm", "api_key": "test-key"}
 
-    with mock.patch("backend.services.model_provider_service.httpx.AsyncClient") as mock_client, \
-         mock.patch("backend.services.model_provider_service.SILICON_GET_URL", "https://silicon.com"):
+    with mock.patch(
+        "backend.services.providers.silicon_provider.httpx.AsyncClient"
+    ) as mock_client, mock.patch(
+        "backend.services.providers.silicon_provider.SILICON_GET_URL",
+        "https://silicon.com",
+    ):
 
         mock_client_instance = mock.AsyncMock()
         mock_client.return_value.__aenter__.return_value = mock_client_instance
@@ -171,20 +337,31 @@ async def test_get_models_exception():
 
         result = await SiliconModelProvider().get_models(provider_config)
 
-        assert result == []
+        # Should return error response for exception
+        assert len(result) == 1
+        assert result[0]["_error"] == "connection_failed"
+
+
+# ============================================================================
+# Test-cases for prepare_model_dict
+# ============================================================================
 
-# ---------------------------------------------------------------------------
-# Test-cases for prepare_model_dict (already indirectly covered elsewhere but
-# re-asserted here directly against the provider service implementation).
-# ---------------------------------------------------------------------------
 
 @pytest.mark.asyncio
 async def test_prepare_model_dict_llm():
     """LLM models should not call emb dim check; chunk sizes are None; base_url untouched."""
-    with mock.patch("backend.services.model_provider_service.split_repo_name", return_value=("openai", "gpt-4")) as mock_split_repo, \
-         mock.patch("backend.services.model_provider_service.add_repo_to_name", return_value="openai/gpt-4") as mock_add_repo_to_name, \
-         mock.patch("backend.services.model_provider_service.ModelRequest") as mock_model_request, \
-         mock.patch("backend.services.model_provider_service.embedding_dimension_check", new_callable=mock.AsyncMock) as mock_emb_dim_check:
+    with mock.patch(
+        "backend.services.model_provider_service.split_repo_name",
+        return_value=("openai", "gpt-4"),
+    ) as mock_split_repo, mock.patch(
+        "backend.services.model_provider_service.add_repo_to_name",
+        return_value="openai/gpt-4",
+    ) as mock_add_repo_to_name, mock.patch(
+        "backend.services.model_provider_service.ModelRequest"
+    ) as mock_model_request, mock.patch(
+        "backend.services.model_provider_service.embedding_dimension_check",
+        new_callable=mock.AsyncMock,
+    ) as mock_emb_dim_check:
 
         mock_model_req_instance = mock.MagicMock()
         dump_dict = {
@@ -199,7 +376,11 @@ async def test_prepare_model_dict_llm():
         mock_model_request.return_value = mock_model_req_instance
 
         provider = "openai"
-        model = {"id": "openai/gpt-4", "model_type": "llm", "max_tokens": sys.modules["consts.const"].DEFAULT_LLM_MAX_TOKENS}
+        model = {
+            "id": "openai/gpt-4",
+            "model_type": "llm",
+            "max_tokens": sys.modules["consts.const"].DEFAULT_LLM_MAX_TOKENS,
+        }
         base_url = "https://api.openai.com/v1"
         api_key = "test-key"
 
@@ -225,10 +406,18 @@ async def test_prepare_model_dict_llm():
 @pytest.mark.asyncio
 async def test_prepare_model_dict_vlm():
     """VLM models should behave like LLM: no emb dim check; chunk sizes None; base_url untouched."""
-    with mock.patch("backend.services.model_provider_service.split_repo_name", return_value=("openai", "gpt-4-vision")) as mock_split_repo, \
-         mock.patch("backend.services.model_provider_service.add_repo_to_name", return_value="openai/gpt-4-vision") as mock_add_repo_to_name, \
-         mock.patch("backend.services.model_provider_service.ModelRequest") as mock_model_request, \
-         mock.patch("backend.services.model_provider_service.embedding_dimension_check", new_callable=mock.AsyncMock) as mock_emb_dim_check:
+    with mock.patch(
+        "backend.services.model_provider_service.split_repo_name",
+        return_value=("openai", "gpt-4-vision"),
+    ) as mock_split_repo, mock.patch(
+        "backend.services.model_provider_service.add_repo_to_name",
+        return_value="openai/gpt-4-vision",
+    ) as mock_add_repo_to_name, mock.patch(
+        "backend.services.model_provider_service.ModelRequest"
+    ) as mock_model_request, mock.patch(
+        "backend.services.model_provider_service.embedding_dimension_check",
+        new_callable=mock.AsyncMock,
+    ) as mock_emb_dim_check:
 
         mock_model_req_instance = mock.MagicMock()
         dump_dict = {
@@ -243,7 +432,11 @@ async def test_prepare_model_dict_vlm():
         mock_model_request.return_value = mock_model_req_instance
 
         provider = "openai"
-        model = {"id": "openai/gpt-4-vision", "model_type": "vlm", "max_tokens": sys.modules["consts.const"].DEFAULT_LLM_MAX_TOKENS}
+        model = {
+            "id": "openai/gpt-4-vision",
+            "model_type": "vlm",
+            "max_tokens": sys.modules["consts.const"].DEFAULT_LLM_MAX_TOKENS,
+        }
         base_url = "https://api.openai.com/v1"
         api_key = "test-key"
 
@@ -268,11 +461,21 @@ async def test_prepare_model_dict_vlm():
 @pytest.mark.asyncio
 async def test_prepare_model_dict_embedding():
     """Embedding models should call embedding_dimension_check and adjust base_url & max_tokens."""
-    with mock.patch("backend.services.model_provider_service.split_repo_name", return_value=("openai", "text-embedding-ada-002")) as mock_split_repo, \
-        mock.patch("backend.services.model_provider_service.add_repo_to_name", return_value="openai/text-embedding-ada-002") as mock_add_repo_to_name, \
-         mock.patch("backend.services.model_provider_service.ModelRequest") as mock_model_request, \
-         mock.patch("backend.services.model_provider_service.embedding_dimension_check", new_callable=mock.AsyncMock, return_value=1536) as mock_emb_dim_check, \
-         mock.patch("backend.services.model_provider_service.ModelConnectStatusEnum") as mock_enum:
+    with mock.patch(
+        "backend.services.model_provider_service.split_repo_name",
+        return_value=("openai", "text-embedding-ada-002"),
+    ) as mock_split_repo, mock.patch(
+        "backend.services.model_provider_service.add_repo_to_name",
+        return_value="openai/text-embedding-ada-002",
+    ) as mock_add_repo_to_name, mock.patch(
+        "backend.services.model_provider_service.ModelRequest"
+    ) as mock_model_request, mock.patch(
+        "backend.services.model_provider_service.embedding_dimension_check",
+        new_callable=mock.AsyncMock,
+        return_value=1536,
+    ) as mock_emb_dim_check, mock.patch(
+        "backend.services.model_provider_service.ModelConnectStatusEnum"
+    ) as mock_enum:
 
         mock_model_req_instance = mock.MagicMock()
         dump_dict = {
@@ -288,15 +491,21 @@ async def test_prepare_model_dict_embedding():
         mock_enum.NOT_DETECTED.value = "not_detected"
 
         provider = "openai"
-        model = {"id": "openai/text-embedding-ada-002", "model_type": "embedding", "max_tokens": 1024}
+        model = {
+            "id": "openai/text-embedding-ada-002",
+            "model_type": "embedding",
+            "max_tokens": 1024,
+        }
         base_url = "https://api.openai.com/v1/"
         api_key = "test-key"
 
         result = await prepare_model_dict(provider, model, base_url, api_key)
 
-        mock_split_repo.assert_called_once_with("openai/text-embedding-ada-002")
+        mock_split_repo.assert_called_once_with(
+            "openai/text-embedding-ada-002")
         mock_add_repo_to_name.assert_called_once_with(
-            "openai", "text-embedding-ada-002")
+            "openai", "text-embedding-ada-002"
+        )
         # Verify chunk size defaults passed into ModelRequest for embedding models
         assert mock_model_request.call_count == 1
         _, kwargs = mock_model_request.call_args
@@ -324,11 +533,21 @@ async def test_prepare_model_dict_embedding():
 @pytest.mark.asyncio
 async def test_prepare_model_dict_embedding_with_explicit_chunk_sizes():
     """Embedding models should pass through explicit chunk sizes from provider list."""
-    with mock.patch("backend.services.model_provider_service.split_repo_name", return_value=("openai", "text-embedding-3-small")), \
-            mock.patch("backend.services.model_provider_service.add_repo_to_name", return_value="openai/text-embedding-3-small"), \
-            mock.patch("backend.services.model_provider_service.ModelRequest") as mock_model_request, \
-            mock.patch("backend.services.model_provider_service.embedding_dimension_check", new_callable=mock.AsyncMock, return_value=1536), \
-            mock.patch("backend.services.model_provider_service.ModelConnectStatusEnum") as mock_enum:
+    with mock.patch(
+        "backend.services.model_provider_service.split_repo_name",
+        return_value=("openai", "text-embedding-3-small"),
+    ), mock.patch(
+        "backend.services.model_provider_service.add_repo_to_name",
+        return_value="openai/text-embedding-3-small",
+    ), mock.patch(
+        "backend.services.model_provider_service.ModelRequest"
+    ) as mock_model_request, mock.patch(
+        "backend.services.model_provider_service.embedding_dimension_check",
+        new_callable=mock.AsyncMock,
+        return_value=1536,
+    ), mock.patch(
+        "backend.services.model_provider_service.ModelConnectStatusEnum"
+    ) as mock_enum:
 
         mock_model_req_instance = mock.MagicMock()
         dump_dict = {
@@ -338,7 +557,7 @@ async def test_prepare_model_dict_embedding_with_explicit_chunk_sizes():
             "api_key": "test-key",
             "max_tokens": 1024,
             "display_name": "openai/text-embedding-3-small",
-            # ensure the dump does not contain chunk sizes pre-filled; they come from kwargs
+            # ensure the dump does not contain chunk sizes pre-filled
         }
         mock_model_req_instance.model_dump.return_value = dump_dict
         mock_model_request.return_value = mock_model_req_instance
@@ -376,11 +595,21 @@ async def test_prepare_model_dict_embedding_with_explicit_chunk_sizes():
 @pytest.mark.asyncio
 async def test_prepare_model_dict_multi_embedding_defaults():
     """multi_embedding should mirror embedding: default chunk sizes and emb base_url."""
-    with mock.patch("backend.services.model_provider_service.split_repo_name", return_value=("openai", "text-embedding-3-large")) as mock_split_repo, \
-         mock.patch("backend.services.model_provider_service.add_repo_to_name", return_value="openai/text-embedding-3-large") as mock_add_repo_to_name, \
-         mock.patch("backend.services.model_provider_service.ModelRequest") as mock_model_request, \
-         mock.patch("backend.services.model_provider_service.embedding_dimension_check", new_callable=mock.AsyncMock, return_value=1536) as mock_emb_dim_check, \
-         mock.patch("backend.services.model_provider_service.ModelConnectStatusEnum") as mock_enum:
+    with mock.patch(
+        "backend.services.model_provider_service.split_repo_name",
+        return_value=("openai", "text-embedding-3-large"),
+    ) as mock_split_repo, mock.patch(
+        "backend.services.model_provider_service.add_repo_to_name",
+        return_value="openai/text-embedding-3-large",
+    ) as mock_add_repo_to_name, mock.patch(
+        "backend.services.model_provider_service.ModelRequest"
+    ) as mock_model_request, mock.patch(
+        "backend.services.model_provider_service.embedding_dimension_check",
+        new_callable=mock.AsyncMock,
+        return_value=1536,
+    ) as mock_emb_dim_check, mock.patch(
+        "backend.services.model_provider_service.ModelConnectStatusEnum"
+    ) as mock_enum:
 
         mock_model_req_instance = mock.MagicMock()
         dump_dict = {
@@ -396,14 +625,21 @@ async def test_prepare_model_dict_multi_embedding_defaults():
         mock_enum.NOT_DETECTED.value = "not_detected"
 
         provider = "openai"
-        model = {"id": "openai/text-embedding-3-large", "model_type": "multi_embedding", "max_tokens": 1024}
+        model = {
+            "id": "openai/text-embedding-3-large",
+            "model_type": "multi_embedding",
+            "max_tokens": 1024,
+        }
         base_url = "https://api.openai.com/v1/"
         api_key = "test-key"
 
         result = await prepare_model_dict(provider, model, base_url, api_key)
 
-        mock_split_repo.assert_called_once_with("openai/text-embedding-3-large")
-        mock_add_repo_to_name.assert_called_once_with("openai", "text-embedding-3-large")
+        mock_split_repo.assert_called_once_with(
+            "openai/text-embedding-3-large")
+        mock_add_repo_to_name.assert_called_once_with(
+            "openai", "text-embedding-3-large"
+        )
 
         _, kwargs = mock_model_request.call_args
         assert kwargs["expected_chunk_size"] == sys.modules["consts.const"].DEFAULT_EXPECTED_CHUNK_SIZE
@@ -419,22 +655,29 @@ async def test_prepare_model_dict_multi_embedding_defaults():
         assert result == expected
 
 
-# ---------------------------------------------------------------------------
+# ============================================================================
 # Test-cases for merge_existing_model_tokens
-# ---------------------------------------------------------------------------
+# ============================================================================
+
 
 def test_merge_existing_model_tokens_embedding_type():
     """Embedding and multi_embedding model types should return model_list unchanged."""
-    model_list = [{"id": "openai/text-embedding-ada-002", "model_type": "embedding"}]
+    model_list = [
+        {"id": "openai/text-embedding-ada-002", "model_type": "embedding"}
+    ]
     tenant_id = "test-tenant"
     provider = "openai"
 
     # Test embedding type
-    result = merge_existing_model_tokens(model_list, tenant_id, provider, "embedding")
+    result = merge_existing_model_tokens(
+        model_list, tenant_id, provider, "embedding"
+    )
     assert result == model_list
 
     # Test multi_embedding type
-    result = merge_existing_model_tokens(model_list, tenant_id, provider, "multi_embedding")
+    result = merge_existing_model_tokens(
+        model_list, tenant_id, provider, "multi_embedding"
+    )
     assert result == model_list
 
 
@@ -445,8 +688,13 @@ def test_merge_existing_model_tokens_empty_model_list():
     provider = "openai"
     model_type = "llm"
 
-    with mock.patch("backend.services.model_provider_service.get_models_by_tenant_factory_type", return_value=[]):
-        result = merge_existing_model_tokens(model_list, tenant_id, provider, model_type)
+    with mock.patch(
+        "backend.services.model_provider_service.get_models_by_tenant_factory_type",
+        return_value=[],
+    ):
+        result = merge_existing_model_tokens(
+            model_list, tenant_id, provider, model_type
+        )
         assert result == model_list
 
 
@@ -457,8 +705,13 @@ def test_merge_existing_model_tokens_no_existing_models():
     provider = "openai"
     model_type = "llm"
 
-    with mock.patch("backend.services.model_provider_service.get_models_by_tenant_factory_type", return_value=[]):
-        result = merge_existing_model_tokens(model_list, tenant_id, provider, model_type)
+    with mock.patch(
+        "backend.services.model_provider_service.get_models_by_tenant_factory_type",
+        return_value=[],
+    ):
+        result = merge_existing_model_tokens(
+            model_list, tenant_id, provider, model_type
+        )
         assert result == model_list
 
 
@@ -467,7 +720,7 @@ def test_merge_existing_model_tokens_successful_merge():
     model_list = [
         {"id": "openai/gpt-4", "model_type": "llm"},
         {"id": "openai/gpt-3.5-turbo", "model_type": "llm"},
-        {"id": "anthropic/claude-3", "model_type": "llm"}
+        {"id": "anthropic/claude-3", "model_type": "llm"},
     ]
     tenant_id = "test-tenant"
     provider = "openai"
@@ -477,23 +730,29 @@ def test_merge_existing_model_tokens_successful_merge():
         {
             "model_repo": "openai",
             "model_name": "gpt-4",
-            "max_tokens": 8192
+            "max_tokens": 8192,
         },
         {
             "model_repo": "openai",
             "model_name": "gpt-3.5-turbo",
-            "max_tokens": sys.modules["consts.const"].DEFAULT_LLM_MAX_TOKENS
-        }
+            "max_tokens": sys.modules["consts.const"].DEFAULT_LLM_MAX_TOKENS,
+        },
         # Note: claude-3 is not in existing models, so it won't get max_tokens
     ]
 
-    with mock.patch("backend.services.model_provider_service.get_models_by_tenant_factory_type", return_value=existing_models):
-        result = merge_existing_model_tokens(model_list, tenant_id, provider, model_type)
+    with mock.patch(
+        "backend.services.model_provider_service.get_models_by_tenant_factory_type",
+        return_value=existing_models,
+    ):
+        result = merge_existing_model_tokens(
+            model_list, tenant_id, provider, model_type
+        )
 
         # Check that max_tokens were merged correctly
         assert result[0]["max_tokens"] == 8192  # gpt-4
-        assert result[1]["max_tokens"] == sys.modules["consts.const"].DEFAULT_LLM_MAX_TOKENS  # gpt-3.5-turbo
-        assert "max_tokens" not in result[2]    # claude-3 (no existing model)
+        # gpt-3.5-turbo
+        assert result[1]["max_tokens"] == sys.modules["consts.const"].DEFAULT_LLM_MAX_TOKENS
+        assert "max_tokens" not in result[2]  # claude-3 (no existing model)
 
         # Verify original model_list was not modified
         assert result == model_list
@@ -503,7 +762,7 @@ def test_merge_existing_model_tokens_partial_match():
     """Should handle cases where only some models have existing records."""
     model_list = [
         {"id": "openai/gpt-4", "model_type": "llm"},
-        {"id": "anthropic/claude-3", "model_type": "llm"}
+        {"id": "anthropic/claude-3", "model_type": "llm"},
     ]
     tenant_id = "test-tenant"
     provider = "openai"
@@ -513,13 +772,18 @@ def test_merge_existing_model_tokens_partial_match():
         {
             "model_repo": "openai",
             "model_name": "gpt-4",
-            "max_tokens": 8192
+            "max_tokens": 8192,
         }
         # claude-3 not in existing models
     ]
 
-    with mock.patch("backend.services.model_provider_service.get_models_by_tenant_factory_type", return_value=existing_models):
-        result = merge_existing_model_tokens(model_list, tenant_id, provider, model_type)
+    with mock.patch(
+        "backend.services.model_provider_service.get_models_by_tenant_factory_type",
+        return_value=existing_models,
+    ):
+        result = merge_existing_model_tokens(
+            model_list, tenant_id, provider, model_type
+        )
 
         # Only gpt-4 should have max_tokens
         assert result[0]["max_tokens"] == 8192
@@ -537,12 +801,17 @@ def test_merge_existing_model_tokens_different_provider():
         {
             "model_repo": "anthropic",
             "model_name": "claude-3",
-            "max_tokens": 100000
+            "max_tokens": 100000,
         }
     ]
 
-    with mock.patch("backend.services.model_provider_service.get_models_by_tenant_factory_type", return_value=existing_models):
-        result = merge_existing_model_tokens(model_list, tenant_id, provider, model_type)
+    with mock.patch(
+        "backend.services.model_provider_service.get_models_by_tenant_factory_type",
+        return_value=existing_models,
+    ):
+        result = merge_existing_model_tokens(
+            model_list, tenant_id, provider, model_type
+        )
 
         assert result[0]["max_tokens"] == 100000
 
@@ -554,15 +823,22 @@ def test_merge_existing_model_tokens_verify_function_call():
     provider = "openai"
     model_type = "llm"
 
-    with mock.patch("backend.services.model_provider_service.get_models_by_tenant_factory_type", return_value=[]) as mock_get_models:
-        merge_existing_model_tokens(model_list, tenant_id, provider, model_type)
+    with mock.patch(
+        "backend.services.model_provider_service.get_models_by_tenant_factory_type",
+        return_value=[],
+    ) as mock_get_models:
+        merge_existing_model_tokens(
+            model_list, tenant_id, provider, model_type
+        )
 
-        mock_get_models.assert_called_once_with(tenant_id, provider, model_type)
+        mock_get_models.assert_called_once_with(
+            tenant_id, provider, model_type)
 
 
-# ---------------------------------------------------------------------------
+# ============================================================================
 # Test-cases for get_provider_models
-# ---------------------------------------------------------------------------
+# ============================================================================
+
 
 @pytest.mark.asyncio
 async def test_get_provider_models_silicon_success():
@@ -570,14 +846,21 @@ async def test_get_provider_models_silicon_success():
     model_data = {
         "provider": "silicon",
         "model_type": "llm",
-        "api_key": "test-key"
+        "api_key": "test-key",
     }
 
     expected_models = [
-        {"id": "gpt-4", "model_tag": "chat", "model_type": "llm", "max_tokens": sys.modules["consts.const"].DEFAULT_LLM_MAX_TOKENS}
+        {
+            "id": "gpt-4",
+            "model_tag": "chat",
+            "model_type": "llm",
+            "max_tokens": sys.modules["consts.const"].DEFAULT_LLM_MAX_TOKENS,
+        }
     ]
 
-    with mock.patch("backend.services.model_provider_service.SiliconModelProvider") as mock_provider_class:
+    with mock.patch(
+        "backend.services.model_provider_service.SiliconModelProvider"
+    ) as mock_provider_class:
         mock_provider_instance = mock.AsyncMock()
         mock_provider_instance.get_models.return_value = expected_models
         mock_provider_class.return_value = mock_provider_instance
@@ -600,10 +883,12 @@ async def test_get_provider_models_silicon_empty_result():
     model_data = {
         "provider": "silicon",
         "model_type": "embedding",
-        "api_key": "test-key"
+        "api_key": "test-key",
     }
 
-    with mock.patch("backend.services.model_provider_service.SiliconModelProvider") as mock_provider_class:
+    with mock.patch(
+        "backend.services.model_provider_service.SiliconModelProvider"
+    ) as mock_provider_class:
         mock_provider_instance = mock.AsyncMock()
         mock_provider_instance.get_models.return_value = []
         mock_provider_class.return_value = mock_provider_instance
@@ -620,12 +905,16 @@ async def test_get_provider_models_silicon_exception():
     model_data = {
         "provider": "silicon",
         "model_type": "llm",
-        "api_key": "test-key"
+        "api_key": "test-key",
     }
 
-    with mock.patch("backend.services.model_provider_service.SiliconModelProvider") as mock_provider_class:
+    with mock.patch(
+        "backend.services.model_provider_service.SiliconModelProvider"
+    ) as mock_provider_class:
         mock_provider_instance = mock.AsyncMock()
-        mock_provider_instance.get_models.side_effect = Exception("Provider error")
+        mock_provider_instance.get_models.side_effect = Exception(
+            "Provider error"
+        )
         mock_provider_class.return_value = mock_provider_instance
 
         # Since get_provider_models doesn't have exception handling,
@@ -640,10 +929,12 @@ async def test_get_provider_models_silicon_constructor_exception():
     model_data = {
         "provider": "silicon",
         "model_type": "llm",
-        "api_key": "test-key"
+        "api_key": "test-key",
     }
 
-    with mock.patch("backend.services.model_provider_service.SiliconModelProvider") as mock_provider_class:
+    with mock.patch(
+        "backend.services.model_provider_service.SiliconModelProvider"
+    ) as mock_provider_class:
         mock_provider_class.side_effect = Exception("Constructor error")
 
         # Exception should propagate up since get_provider_models has no exception handling
@@ -654,18 +945,17 @@ async def test_get_provider_models_silicon_constructor_exception():
 @pytest.mark.asyncio
 async def test_get_provider_models_silicon_internal_exception_handling():
     """Should test that SiliconModelProvider.get_models() handles internal exceptions correctly."""
-    # This test verifies that the SiliconModelProvider.get_models() method itself
-    # handles exceptions and returns empty list, but get_provider_models doesn't
-    # have exception handling, so exceptions from the provider will propagate up.
 
     model_data = {
         "provider": "silicon",
         "model_type": "llm",
-        "api_key": "test-key"
+        "api_key": "test-key",
     }
 
     # Test with a mock that simulates the real SiliconModelProvider behavior
-    with mock.patch("backend.services.model_provider_service.SiliconModelProvider") as mock_provider_class:
+    with mock.patch(
+        "backend.services.model_provider_service.SiliconModelProvider"
+    ) as mock_provider_class:
         # Create a mock instance that simulates the real provider's exception handling
         mock_provider_instance = mock.AsyncMock()
 
@@ -701,7 +991,7 @@ async def test_get_provider_models_unsupported_provider():
     model_data = {
         "provider": "unsupported_provider",
         "model_type": "llm",
-        "api_key": "test-key"
+        "api_key": "test-key",
     }
 
     result = await get_provider_models(model_data)
@@ -714,7 +1004,7 @@ async def test_get_provider_models_missing_provider():
     """Should handle missing provider key gracefully."""
     model_data = {
         "model_type": "llm",
-        "api_key": "test-key"
+        "api_key": "test-key",
     }
 
     # Since get_provider_models doesn't handle missing provider key,
@@ -737,45 +1027,62 @@ async def test_get_provider_models_silicon_with_different_model_types():
         model_data = {
             "provider": "silicon",
             "model_type": test_case["model_type"],
-            "api_key": "test-key"
+            "api_key": "test-key",
         }
 
-        with mock.patch("backend.services.model_provider_service.SiliconModelProvider") as mock_provider_class:
+        with mock.patch(
+            "backend.services.model_provider_service.SiliconModelProvider"
+        ) as mock_provider_class:
             mock_provider_instance = mock.AsyncMock()
-            mock_provider_instance.get_models.return_value = [{"id": "test-model"}]
+            mock_provider_instance.get_models.return_value = [
+                {"id": "test-model"}
+            ]
             mock_provider_class.return_value = mock_provider_instance
 
             result = await get_provider_models(model_data)
 
             assert result == [{"id": "test-model"}]
-            mock_provider_instance.get_models.assert_called_once_with(model_data)
+            mock_provider_instance.get_models.assert_called_once_with(
+                model_data)
 
 
-# ---------------------------------------------------------------------------
+# ============================================================================
 # Test-cases for ModelEngineProvider.get_models
-# ---------------------------------------------------------------------------
+# ============================================================================
+
 
 @pytest.mark.asyncio
 async def test_modelengine_get_models_llm_success():
     """ModelEngine provider should return LLM models with correct type mapping."""
     from backend.services.model_provider_service import ModelEngineProvider
 
-    provider_config = {"model_type": "llm", "base_url": "https://model-engine.com", "api_key": "test-key"}
+    provider_config = {
+        "model_type": "llm",
+        "base_url": "https://model-engine.com",
+        "api_key": "test-key",
+    }
 
-    with mock.patch("backend.services.model_provider_service.aiohttp.ClientSession") as mock_session_class, \
-         mock.patch("backend.services.model_provider_service.aiohttp.ClientTimeout"), \
-         mock.patch("backend.services.model_provider_service.aiohttp.TCPConnector"):
+    with mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientSession"
+    ) as mock_session_class, mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientTimeout"
+    ), mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.TCPConnector"
+    ):
 
         # Setup mock response
-        mock_response = mock.AsyncMock()
+        mock_response = mock.Mock()
         mock_response.status = 200
         mock_response.raise_for_status = mock.Mock()
-        mock_response.json = mock.AsyncMock(return_value={
-            "data": [
-                {"id": "gpt-4", "type": "chat"},
-                {"id": "claude-3", "type": "chat"},
-            ]
-        })
+        # aiohttp response.json() is async, use AsyncMock for proper await behavior
+        mock_response.json = mock.AsyncMock(
+            return_value={
+                "data": [
+                    {"id": "gpt-4", "type": "chat"},
+                    {"id": "claude-3", "type": "chat"},
+                ]
+            }
+        )
 
         # Setup mock session with proper async context manager
         mock_get_cm = mock.MagicMock()
@@ -786,7 +1093,9 @@ async def test_modelengine_get_models_llm_success():
         mock_session_instance.get = mock.Mock(return_value=mock_get_cm)
 
         mock_session_cm = mock.MagicMock()
-        mock_session_cm.__aenter__ = mock.AsyncMock(return_value=mock_session_instance)
+        mock_session_cm.__aenter__ = mock.AsyncMock(
+            return_value=mock_session_instance
+        )
         mock_session_cm.__aexit__ = mock.AsyncMock(return_value=None)
 
         mock_session_class.return_value = mock_session_cm
@@ -807,21 +1116,29 @@ async def test_modelengine_get_models_embedding_success():
     """ModelEngine provider should return embedding models with correct type mapping."""
     from backend.services.model_provider_service import ModelEngineProvider
 
-    provider_config = {"model_type": "embedding", "base_url": "https://model-engine.com", "api_key": "test-key"}
+    provider_config = {
+        "model_type": "embedding",
+        "base_url": "https://model-engine.com",
+        "api_key": "test-key",
+    }
 
-    with mock.patch("backend.services.model_provider_service.aiohttp.ClientSession") as mock_session_class, \
-         mock.patch("backend.services.model_provider_service.aiohttp.ClientTimeout"), \
-         mock.patch("backend.services.model_provider_service.aiohttp.TCPConnector"):
+    with mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientSession"
+    ) as mock_session_class, mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientTimeout"
+    ), mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.TCPConnector"
+    ):
 
         mock_response = mock.AsyncMock()
         mock_response.status = 200
         mock_response.raise_for_status = mock.Mock()
-        mock_response.json = mock.AsyncMock(return_value={
+        mock_response.json.side_effect = lambda: {
             "data": [
                 {"id": "text-embedding-ada", "type": "embed"},
                 {"id": "gpt-4", "type": "chat"},  # Should be filtered out
             ]
-        })
+        }
 
         # Setup mock session with proper async context manager
         mock_get_cm = mock.MagicMock()
@@ -832,7 +1149,9 @@ async def test_modelengine_get_models_embedding_success():
         mock_session_instance.get = mock.Mock(return_value=mock_get_cm)
 
         mock_session_cm = mock.MagicMock()
-        mock_session_cm.__aenter__ = mock.AsyncMock(return_value=mock_session_instance)
+        mock_session_cm.__aenter__ = mock.AsyncMock(
+            return_value=mock_session_instance
+        )
         mock_session_cm.__aexit__ = mock.AsyncMock(return_value=None)
 
         mock_session_class.return_value = mock_session_cm
@@ -851,16 +1170,23 @@ async def test_modelengine_get_models_all_types():
     """ModelEngine provider should return all models when no type filter specified."""
     from backend.services.model_provider_service import ModelEngineProvider
 
-    provider_config = {"base_url": "https://model-engine.com", "api_key": "test-key"}  # No model_type filter
+    provider_config = {
+        "base_url": "https://model-engine.com",
+        "api_key": "test-key",
+    }  # No model_type filter
 
-    with mock.patch("backend.services.model_provider_service.aiohttp.ClientSession") as mock_session_class, \
-         mock.patch("backend.services.model_provider_service.aiohttp.ClientTimeout"), \
-         mock.patch("backend.services.model_provider_service.aiohttp.TCPConnector"):
+    with mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientSession"
+    ) as mock_session_class, mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientTimeout"
+    ), mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.TCPConnector"
+    ):
 
         mock_response = mock.AsyncMock()
         mock_response.status = 200
         mock_response.raise_for_status = mock.Mock()
-        mock_response.json = mock.AsyncMock(return_value={
+        mock_response.json.side_effect = lambda: {
             "data": [
                 {"id": "gpt-4", "type": "chat"},
                 {"id": "text-embedding-ada", "type": "embed"},
@@ -868,9 +1194,10 @@ async def test_modelengine_get_models_all_types():
                 {"id": "tts-model", "type": "tts"},
                 {"id": "rerank-model", "type": "rerank"},
                 {"id": "vlm-model", "type": "multimodal"},
-                {"id": "unknown-model", "type": "unknown"},  # Should be filtered out
+                # Should be filtered out
+                {"id": "unknown-model", "type": "unknown"},
             ]
-        })
+        }
 
         # Setup mock session with proper async context manager
         mock_get_cm = mock.MagicMock()
@@ -881,7 +1208,9 @@ async def test_modelengine_get_models_all_types():
         mock_session_instance.get = mock.Mock(return_value=mock_get_cm)
 
         mock_session_cm = mock.MagicMock()
-        mock_session_cm.__aenter__ = mock.AsyncMock(return_value=mock_session_instance)
+        mock_session_cm.__aenter__ = mock.AsyncMock(
+            return_value=mock_session_instance
+        )
         mock_session_cm.__aexit__ = mock.AsyncMock(return_value=None)
 
         mock_session_class.return_value = mock_session_cm
@@ -901,12 +1230,18 @@ async def test_modelengine_get_models_all_types():
 
 @pytest.mark.asyncio
 async def test_modelengine_get_models_exception():
-    """ModelEngine provider should return empty list on exception."""
+    """ModelEngine provider should return error response on exception."""
     from backend.services.model_provider_service import ModelEngineProvider
 
-    provider_config = {"model_type": "llm"}
+    provider_config = {
+        "model_type": "llm",
+        "base_url": "https://model-engine.com",
+        "api_key": "test-key"
+    }
 
-    with mock.patch("backend.services.model_provider_service.aiohttp.ClientSession") as mock_session:
+    with mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientSession"
+    ) as mock_session:
 
         mock_session_instance = mock.AsyncMock()
         mock_session_instance.__aenter__.return_value = mock_session_instance
@@ -915,21 +1250,33 @@ async def test_modelengine_get_models_exception():
 
         result = await ModelEngineProvider().get_models(provider_config)
 
-        assert result == []
+        # Should return error response
+        assert len(result) == 1
+        assert result[0]["_error"] == "connection_failed"
 
 
-# ---------------------------------------------------------------------------
+# ============================================================================
 # Test-cases for prepare_model_dict with ModelEngine provider
-# ---------------------------------------------------------------------------
+# ============================================================================
+
 
 @pytest.mark.asyncio
 async def test_prepare_model_dict_modelengine_llm():
     """ModelEngine LLM models should have correct base_url path and ssl_verify=False."""
-    with mock.patch("backend.services.model_provider_service.split_repo_name", return_value=("modelengine", "gpt-4")), \
-         mock.patch("backend.services.model_provider_service.add_repo_to_name", return_value="modelengine/gpt-4"), \
-         mock.patch("backend.services.model_provider_service.ModelRequest") as mock_model_request, \
-         mock.patch("backend.services.model_provider_service.embedding_dimension_check", new_callable=mock.AsyncMock), \
-         mock.patch("backend.services.model_provider_service.ProviderEnum") as mock_enum:
+    with mock.patch(
+        "backend.services.model_provider_service.split_repo_name",
+        return_value=("modelengine", "gpt-4"),
+    ), mock.patch(
+        "backend.services.model_provider_service.add_repo_to_name",
+        return_value="modelengine/gpt-4",
+    ), mock.patch(
+        "backend.services.model_provider_service.ModelRequest"
+    ) as mock_model_request, mock.patch(
+        "backend.services.model_provider_service.embedding_dimension_check",
+        new_callable=mock.AsyncMock,
+    ), mock.patch(
+        "backend.services.model_provider_service.ProviderEnum"
+    ) as mock_enum:
 
         mock_model_req_instance = mock.MagicMock()
         dump_dict = {
@@ -949,8 +1296,8 @@ async def test_prepare_model_dict_modelengine_llm():
             "id": "modelengine/gpt-4",
             "model_type": "llm",
             "max_tokens": sys.modules["consts.const"].DEFAULT_LLM_MAX_TOKENS,
-            "base_url": "https://120.253.225.102:50001/open/router/v1",
-            "api_key": "me-key"
+            "base_url": "https://120.253.225.102:50001",  # Raw URL without /open/router/v1
+            "api_key": "me-key",
         }
         base_url = "https://api.openai.com/v1"
         api_key = "original-key"
@@ -964,19 +1311,30 @@ async def test_prepare_model_dict_modelengine_llm():
             "ssl_verify": False,
         }
         assert result == expected
-        assert result["ssl_verify"] == False
+        assert result["ssl_verify"] is False
         assert "/open/router/v1" in result["base_url"]
 
 
 @pytest.mark.asyncio
 async def test_prepare_model_dict_modelengine_embedding():
     """ModelEngine embedding models should have correct embeddings path."""
-    with mock.patch("backend.services.model_provider_service.split_repo_name", return_value=("modelengine", "text-embedding")), \
-         mock.patch("backend.services.model_provider_service.add_repo_to_name", return_value="modelengine/text-embedding"), \
-         mock.patch("backend.services.model_provider_service.ModelRequest") as mock_model_request, \
-         mock.patch("backend.services.model_provider_service.embedding_dimension_check", new_callable=mock.AsyncMock, return_value=1536), \
-         mock.patch("backend.services.model_provider_service.ProviderEnum") as mock_enum, \
-         mock.patch("backend.services.model_provider_service.ModelConnectStatusEnum") as mock_status_enum:
+    with mock.patch(
+        "backend.services.model_provider_service.split_repo_name",
+        return_value=("modelengine", "text-embedding"),
+    ), mock.patch(
+        "backend.services.model_provider_service.add_repo_to_name",
+        return_value="modelengine/text-embedding",
+    ), mock.patch(
+        "backend.services.model_provider_service.ModelRequest"
+    ) as mock_model_request, mock.patch(
+        "backend.services.model_provider_service.embedding_dimension_check",
+        new_callable=mock.AsyncMock,
+        return_value=1536,
+    ), mock.patch(
+        "backend.services.model_provider_service.ProviderEnum"
+    ) as mock_enum, mock.patch(
+        "backend.services.model_provider_service.ModelConnectStatusEnum"
+    ) as mock_status_enum:
 
         mock_model_req_instance = mock.MagicMock()
         dump_dict = {
@@ -998,7 +1356,7 @@ async def test_prepare_model_dict_modelengine_embedding():
             "model_type": "embedding",
             "max_tokens": 1024,
             "base_url": "https://120.253.225.102:50001",
-            "api_key": "me-key"
+            "api_key": "me-key",
         }
         base_url = "https://api.openai.com/v1"
         api_key = "original-key"
@@ -1013,18 +1371,27 @@ async def test_prepare_model_dict_modelengine_embedding():
             "max_tokens": 1536,
         }
         assert result == expected
-        assert result["ssl_verify"] == False
+        assert result["ssl_verify"] is False
         assert "/open/router/v1/embeddings" in result["base_url"]
 
 
 @pytest.mark.asyncio
 async def test_prepare_model_dict_modelengine_base_url_stripping():
     """ModelEngine should strip existing /open/ paths from base_url."""
-    with mock.patch("backend.services.model_provider_service.split_repo_name", return_value=("modelengine", "gpt-4")), \
-         mock.patch("backend.services.model_provider_service.add_repo_to_name", return_value="modelengine/gpt-4"), \
-         mock.patch("backend.services.model_provider_service.ModelRequest") as mock_model_request, \
-         mock.patch("backend.services.model_provider_service.embedding_dimension_check", new_callable=mock.AsyncMock), \
-         mock.patch("backend.services.model_provider_service.ProviderEnum") as mock_enum:
+    with mock.patch(
+        "backend.services.model_provider_service.split_repo_name",
+        return_value=("modelengine", "gpt-4"),
+    ), mock.patch(
+        "backend.services.model_provider_service.add_repo_to_name",
+        return_value="modelengine/gpt-4",
+    ), mock.patch(
+        "backend.services.model_provider_service.ModelRequest"
+    ) as mock_model_request, mock.patch(
+        "backend.services.model_provider_service.embedding_dimension_check",
+        new_callable=mock.AsyncMock,
+    ), mock.patch(
+        "backend.services.model_provider_service.ProviderEnum"
+    ) as mock_enum:
 
         mock_model_req_instance = mock.MagicMock()
         dump_dict = {
@@ -1044,37 +1411,42 @@ async def test_prepare_model_dict_modelengine_base_url_stripping():
             "id": "modelengine/gpt-4",
             "model_type": "llm",
             "max_tokens": sys.modules["consts.const"].DEFAULT_LLM_MAX_TOKENS,
-            "base_url": "https://120.253.225.102:50001/open/router/v1/some/path",
-            "api_key": "me-key"
+            "base_url": "https://120.253.225.102:50001",  # Raw URL without /open/ paths
+            "api_key": "me-key",
         }
         base_url = "https://api.openai.com/v1"
         api_key = "original-key"
 
         result = await prepare_model_dict(provider, model, base_url, api_key)
 
-        # Should strip everything after /open/
+        # Should have /open/router/v1 appended for ModelEngine
         assert result["base_url"] == "https://120.253.225.102:50001/open/router/v1"
 
 
-# ---------------------------------------------------------------------------
+# ============================================================================
 # Test-cases for get_provider_models with ModelEngine provider
-# ---------------------------------------------------------------------------
+# ============================================================================
+
 
 @pytest.mark.asyncio
 async def test_get_provider_models_modelengine_success():
     """Should successfully get models from ModelEngine provider."""
     from backend.services.model_provider_service import ModelEngineProvider
 
-    model_data = {
-        "provider": "modelengine",
-        "model_type": "llm"
-    }
+    model_data = {"provider": "modelengine", "model_type": "llm"}
 
     expected_models = [
-        {"id": "gpt-4", "model_tag": "chat", "model_type": "llm", "max_tokens": sys.modules["consts.const"].DEFAULT_LLM_MAX_TOKENS}
+        {
+            "id": "gpt-4",
+            "model_tag": "chat",
+            "model_type": "llm",
+            "max_tokens": sys.modules["consts.const"].DEFAULT_LLM_MAX_TOKENS,
+        }
     ]
 
-    with mock.patch("backend.services.model_provider_service.ModelEngineProvider") as mock_provider_class:
+    with mock.patch(
+        "backend.services.model_provider_service.ModelEngineProvider"
+    ) as mock_provider_class:
         mock_provider_instance = mock.AsyncMock()
         mock_provider_instance.get_models.return_value = expected_models
         mock_provider_class.return_value = mock_provider_instance
@@ -1091,12 +1463,11 @@ async def test_get_provider_models_modelengine_empty_result():
     """Should handle empty result from ModelEngine provider."""
     from backend.services.model_provider_service import ModelEngineProvider
 
-    model_data = {
-        "provider": "modelengine",
-        "model_type": "embedding"
-    }
+    model_data = {"provider": "modelengine", "model_type": "embedding"}
 
-    with mock.patch("backend.services.model_provider_service.ModelEngineProvider") as mock_provider_class:
+    with mock.patch(
+        "backend.services.model_provider_service.ModelEngineProvider"
+    ) as mock_provider_class:
         mock_provider_instance = mock.AsyncMock()
         mock_provider_instance.get_models.return_value = []
         mock_provider_class.return_value = mock_provider_instance
@@ -1105,3 +1476,430 @@ async def test_get_provider_models_modelengine_empty_result():
 
         assert result == []
         mock_provider_instance.get_models.assert_called_once_with(model_data)
+
+
+# ============================================================================
+# Additional coverage tests for edge cases
+# ============================================================================
+
+
+@pytest.mark.asyncio
+async def test_modelengine_get_models_missing_host_or_api_key():
+    """ModelEngine provider should return empty list when host or api_key is missing."""
+    from backend.services.model_provider_service import ModelEngineProvider
+
+    # Mock the provider to avoid actual network calls
+    with mock.patch.object(ModelEngineProvider, "get_models", new_callable=mock.AsyncMock) as mock_get_models:
+        mock_get_models.return_value = []
+
+        # Test missing api_key
+        provider_config_missing_api_key = {
+            "model_type": "llm",
+            "base_url": "https://model-engine.com"
+        }
+
+        result = await ModelEngineProvider().get_models(provider_config_missing_api_key)
+        assert result == []
+
+        # Test missing base_url
+        provider_config_missing_url = {
+            "model_type": "llm",
+            "api_key": "test-key"
+        }
+
+        result = await ModelEngineProvider().get_models(provider_config_missing_url)
+        assert result == []
+
+        # Test both missing
+        provider_config_both_missing = {
+            "model_type": "llm"
+        }
+
+        result = await ModelEngineProvider().get_models(provider_config_both_missing)
+        assert result == []
+
+
+@pytest.mark.asyncio
+async def test_silicon_get_models_empty_list():
+    """Silicon provider should return empty list when API returns empty data."""
+    provider_config = {"model_type": "llm", "api_key": "test-key"}
+
+    with mock.patch(
+        "backend.services.providers.silicon_provider.httpx.AsyncClient"
+    ) as mock_client, mock.patch(
+        "backend.services.providers.silicon_provider.SILICON_GET_URL",
+        "https://silicon.com",
+    ):
+
+        mock_client_instance = mock.AsyncMock()
+        mock_client.return_value.__aenter__.return_value = mock_client_instance
+
+        mock_response = mock.Mock()
+        mock_response.status_code = 200
+        mock_response._json_data = {"data": []}  # Empty model list
+        mock_response.json = mock.Mock(side_effect=lambda: mock_response._json_data)
+        mock_response.raise_for_status = mock.Mock()
+        mock_client_instance.get.return_value = mock_response
+
+        result = await SiliconModelProvider().get_models(provider_config)
+
+        # Should return empty list when API returns empty data
+        assert result == []
+
+
+@pytest.mark.asyncio
+async def test_modelengine_get_models_http_401_error():
+    """ModelEngine provider should return error response for 401 Unauthorized."""
+    from backend.services.providers.base import _classify_provider_error
+
+    provider_config = {
+        "model_type": "llm",
+        "base_url": "https://model-engine.com",
+        "api_key": "invalid-key",
+    }
+
+    with mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientSession"
+    ) as mock_session_class, mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientTimeout"
+    ), mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.TCPConnector"
+    ):
+
+        mock_response = mock.AsyncMock()
+        mock_response.status = 401
+        mock_response.text.side_effect = lambda: "Invalid API key"
+        mock_response.raise_for_status = mock.Mock()
+
+        mock_get_cm = mock.MagicMock()
+        mock_get_cm.__aenter__ = mock.AsyncMock(return_value=mock_response)
+        mock_get_cm.__aexit__ = mock.AsyncMock(return_value=None)
+
+        mock_session_instance = mock.MagicMock()
+        mock_session_instance.get = mock.Mock(return_value=mock_get_cm)
+
+        mock_session_cm = mock.MagicMock()
+        mock_session_cm.__aenter__ = mock.AsyncMock(
+            return_value=mock_session_instance
+        )
+        mock_session_cm.__aexit__ = mock.AsyncMock(return_value=None)
+
+        mock_session_class.return_value = mock_session_cm
+
+        from backend.services.model_provider_service import ModelEngineProvider
+
+        result = await ModelEngineProvider().get_models(provider_config)
+
+        # Should return error response for 401
+        assert len(result) == 1
+        assert result[0]["_error"] == "authentication_failed"
+        assert result[0]["_http_code"] == 401
+
+
+@pytest.mark.asyncio
+async def test_modelengine_get_models_http_403_error():
+    """ModelEngine provider should return error response for 403 Forbidden."""
+    provider_config = {
+        "model_type": "llm",
+        "base_url": "https://model-engine.com",
+        "api_key": "test-key",
+    }
+
+    with mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientSession"
+    ) as mock_session_class, mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientTimeout"
+    ), mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.TCPConnector"
+    ):
+
+        mock_response = mock.AsyncMock()
+        mock_response.status = 403
+        mock_response.text.side_effect = lambda: "Access forbidden"
+        mock_response.raise_for_status = mock.Mock()
+
+        mock_get_cm = mock.MagicMock()
+        mock_get_cm.__aenter__ = mock.AsyncMock(return_value=mock_response)
+        mock_get_cm.__aexit__ = mock.AsyncMock(return_value=None)
+
+        mock_session_instance = mock.MagicMock()
+        mock_session_instance.get = mock.Mock(return_value=mock_get_cm)
+
+        mock_session_cm = mock.MagicMock()
+        mock_session_cm.__aenter__ = mock.AsyncMock(
+            return_value=mock_session_instance
+        )
+        mock_session_cm.__aexit__ = mock.AsyncMock(return_value=None)
+
+        mock_session_class.return_value = mock_session_cm
+
+        from backend.services.model_provider_service import ModelEngineProvider
+
+        result = await ModelEngineProvider().get_models(provider_config)
+
+        assert len(result) == 1
+        assert result[0]["_error"] == "access_forbidden"
+        assert result[0]["_http_code"] == 403
+
+
+@pytest.mark.asyncio
+async def test_modelengine_get_models_http_404_error():
+    """ModelEngine provider should return error response for 404 Not Found."""
+    provider_config = {
+        "model_type": "llm",
+        "base_url": "https://model-engine.com",
+        "api_key": "test-key",
+    }
+
+    with mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientSession"
+    ) as mock_session_class, mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientTimeout"
+    ), mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.TCPConnector"
+    ):
+
+        mock_response = mock.AsyncMock()
+        mock_response.status = 404
+        mock_response.text.side_effect = lambda: "Endpoint not found"
+        mock_response.raise_for_status = mock.Mock()
+
+        mock_get_cm = mock.MagicMock()
+        mock_get_cm.__aenter__ = mock.AsyncMock(return_value=mock_response)
+        mock_get_cm.__aexit__ = mock.AsyncMock(return_value=None)
+
+        mock_session_instance = mock.MagicMock()
+        mock_session_instance.get = mock.Mock(return_value=mock_get_cm)
+
+        mock_session_cm = mock.MagicMock()
+        mock_session_cm.__aenter__ = mock.AsyncMock(
+            return_value=mock_session_instance
+        )
+        mock_session_cm.__aexit__ = mock.AsyncMock(return_value=None)
+
+        mock_session_class.return_value = mock_session_cm
+
+        from backend.services.model_provider_service import ModelEngineProvider
+
+        result = await ModelEngineProvider().get_models(provider_config)
+
+        assert len(result) == 1
+        assert result[0]["_error"] == "endpoint_not_found"
+        assert result[0]["_http_code"] == 404
+
+
+@pytest.mark.asyncio
+async def test_modelengine_get_models_http_500_error():
+    """ModelEngine provider should return error response for 500 Server Error."""
+    provider_config = {
+        "model_type": "llm",
+        "base_url": "https://model-engine.com",
+        "api_key": "test-key",
+    }
+
+    with mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientSession"
+    ) as mock_session_class, mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientTimeout"
+    ), mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.TCPConnector"
+    ):
+
+        mock_response = mock.AsyncMock()
+        mock_response.status = 500
+        mock_response.text.side_effect = lambda: "Internal server error"
+        mock_response.raise_for_status = mock.Mock()
+
+        mock_get_cm = mock.MagicMock()
+        mock_get_cm.__aenter__ = mock.AsyncMock(return_value=mock_response)
+        mock_get_cm.__aexit__ = mock.AsyncMock(return_value=None)
+
+        mock_session_instance = mock.MagicMock()
+        mock_session_instance.get = mock.Mock(return_value=mock_get_cm)
+
+        mock_session_cm = mock.MagicMock()
+        mock_session_cm.__aenter__ = mock.AsyncMock(
+            return_value=mock_session_instance
+        )
+        mock_session_cm.__aexit__ = mock.AsyncMock(return_value=None)
+
+        mock_session_class.return_value = mock_session_cm
+
+        from backend.services.model_provider_service import ModelEngineProvider
+
+        result = await ModelEngineProvider().get_models(provider_config)
+
+        assert len(result) == 1
+        assert result[0]["_error"] == "server_error"
+        assert result[0]["_http_code"] == 500
+
+
+@pytest.mark.asyncio
+async def test_modelengine_get_models_connection_error():
+    """ModelEngine provider should handle connection errors gracefully."""
+    provider_config = {
+        "model_type": "llm",
+        "base_url": "https://model-engine.com",
+        "api_key": "test-key",
+    }
+
+    with mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientSession"
+    ) as mock_session_class, mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientTimeout"
+    ), mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.TCPConnector"
+    ):
+
+        # Create a mock exception with required attributes
+        mock_error = Exception("Connection refused")
+        mock_error.lower = mock.Mock(return_value="connection refused")
+        mock_session_class.side_effect = mock_error
+
+        from backend.services.model_provider_service import ModelEngineProvider
+
+        result = await ModelEngineProvider().get_models(provider_config)
+
+        # Should return error response for connection failure
+        assert len(result) == 1
+        assert result[0]["_error"] == "connection_failed"
+
+
+@pytest.mark.asyncio
+async def test_modelengine_get_models_timeout_error():
+    """ModelEngine provider should handle timeout errors gracefully."""
+    import aiohttp
+
+    provider_config = {
+        "model_type": "llm",
+        "base_url": "https://model-engine.com",
+        "api_key": "test-key",
+    }
+
+    with mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientSession"
+    ) as mock_session_class, mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientTimeout"
+    ), mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.TCPConnector"
+    ):
+
+        # Simulate timeout error
+        mock_session_class.side_effect = aiohttp.ServerTimeoutError(
+            "Connection timed out"
+        )
+
+        from backend.services.model_provider_service import ModelEngineProvider
+
+        result = await ModelEngineProvider().get_models(provider_config)
+
+        # Should return error response for timeout
+        assert len(result) == 1
+        assert result[0]["_error"] == "timeout"
+
+
+@pytest.mark.asyncio
+async def test_modelengine_get_models_generic_exception():
+    """ModelEngine provider should handle generic exceptions gracefully."""
+    provider_config = {
+        "model_type": "llm",
+        "base_url": "https://model-engine.com",
+        "api_key": "test-key",
+    }
+
+    with mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientSession"
+    ) as mock_session_class, mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.ClientTimeout"
+    ), mock.patch(
+        "backend.services.providers.modelengine_provider.aiohttp.TCPConnector"
+    ):
+
+        # Simulate generic exception
+        mock_session_class.side_effect = Exception("Unexpected error")
+
+        from backend.services.model_provider_service import ModelEngineProvider
+
+        result = await ModelEngineProvider().get_models(provider_config)
+
+        # Should return error response
+        assert len(result) == 1
+        assert result[0]["_error"] == "connection_failed"
+
+
+# ============================================================================
+# Test-cases for get_model_engine_raw_url edge cases
+# ============================================================================
+
+
+def test_get_model_engine_raw_url_empty_string():
+    """Should return empty string for empty input."""
+    from backend.services.model_provider_service import get_model_engine_raw_url
+
+    result = get_model_engine_raw_url("")
+    assert result == ""
+
+
+def test_get_model_engine_raw_url_none_input():
+    """Should handle None input gracefully."""
+    from backend.services.model_provider_service import get_model_engine_raw_url
+
+    result = get_model_engine_raw_url(None)
+    assert result == ""
+
+
+def test_get_model_engine_raw_url_with_open_path():
+    """Should strip /open/router/v1 paths correctly."""
+    from backend.services.model_provider_service import get_model_engine_raw_url
+
+    test_cases = [
+        (
+            "https://120.253.225.102:50001/open/router/v1",
+            "https://120.253.225.102:50001",
+        ),
+        (
+            "https://model-engine.com/open/router/v1/models",
+            "https://model-engine.com",
+        ),
+        (
+            "https://120.253.225.102:50001/open/router/v1/some/deep/path",
+            "https://120.253.225.102:50001",
+        ),
+    ]
+
+    for input_url, expected in test_cases:
+        result = get_model_engine_raw_url(input_url)
+        assert result == expected, f"Failed for input: {input_url}"
+
+
+def test_get_model_engine_raw_url_without_open_path():
+    """Should return URL unchanged when no /open/ path."""
+    from backend.services.model_provider_service import get_model_engine_raw_url
+
+    test_cases = [
+        ("https://model-engine.com", "https://model-engine.com"),
+        ("https://120.253.225.102:50001", "https://120.253.225.102:50001"),
+        ("http://localhost:8080", "http://localhost:8080"),
+    ]
+
+    for input_url, expected in test_cases:
+        result = get_model_engine_raw_url(input_url)
+        assert result == expected, f"Failed for input: {input_url}"
+
+
+def test_get_model_engine_raw_url_trailing_slash():
+    """Should remove trailing slashes correctly."""
+    from backend.services.model_provider_service import get_model_engine_raw_url
+
+    test_cases = [
+        ("https://model-engine.com/", "https://model-engine.com"),
+        ("https://120.253.225.102:50001/", "https://120.253.225.102:50001"),
+        (
+            "https://model-engine.com/open/router/v1/",
+            "https://model-engine.com",
+        ),
+    ]
+
+    for input_url, expected in test_cases:
+        result = get_model_engine_raw_url(input_url)
+        assert result == expected, f"Failed for input: {input_url}"
diff --git a/test/backend/services/test_prompt_service.py b/test/backend/services/test_prompt_service.py
index 69344cd5d..01474d205 100644
--- a/test/backend/services/test_prompt_service.py
+++ b/test/backend/services/test_prompt_service.py
@@ -51,10 +51,8 @@ def setUp(self):
     @patch('backend.services.prompt_service.query_tools_by_ids')
     @patch('backend.services.prompt_service.search_agent_info_by_agent_id')
     @patch('backend.services.prompt_service.query_all_agent_info_by_tenant_id')
-    @patch('backend.services.prompt_service.update_agent')
     def test_generate_and_save_system_prompt_impl(
         self,
-        mock_update_agent,
         mock_query_all_agents,
         mock_search_agent_info,
         mock_query_tools,
@@ -116,26 +114,12 @@ def mock_generator(*args, **kwargs):
         self.assertEqual(call_args[0][1], "Test task")  # task_description
         self.assertEqual(call_args[0][2], [mock_tool1, mock_tool2])  # tool_info_list
 
-        # Verify update_agent was called with the correct parameters
-        mock_update_agent.assert_called_once()
-        call_args = mock_update_agent.call_args
-        self.assertEqual(call_args[1]['agent_id'], 123)
-        self.assertEqual(call_args[1]['tenant_id'], "tenant456")
-        self.assertEqual(call_args[1]['user_id'], "user123")
-
-        # Verify the agent_info object has the correct structure
-        agent_info = call_args[1]['agent_info']
-        self.assertEqual(agent_info.agent_id, 123)
-        self.assertEqual(agent_info.business_description, "Test task")
-
     @patch('backend.services.prompt_service.generate_system_prompt')
     @patch('backend.services.prompt_service.query_all_agent_info_by_tenant_id')
     @patch('backend.services.prompt_service.get_enabled_sub_agent_description_for_generate_prompt')
     @patch('backend.services.prompt_service.get_enabled_tool_description_for_generate_prompt')
-    @patch('backend.services.prompt_service.update_agent')
     def test_generate_and_save_system_prompt_impl_create_mode(
         self,
-        mock_update_agent,
         mock_get_enabled_tools,
         mock_get_enabled_sub_agents,
         mock_query_all_agents,
@@ -189,10 +173,6 @@ def mock_generator(*args, **kwargs):
             "zh"
         )
 
-        # In create mode, should NOT call update_agent
-        mock_update_agent.assert_not_called()
-
-    @patch('backend.services.prompt_service.update_agent')
     @patch('backend.services.prompt_service._regenerate_agent_display_name_with_llm')
     @patch('backend.services.prompt_service._regenerate_agent_name_with_llm')
     @patch('backend.services.prompt_service._check_agent_display_name_duplicate')
@@ -211,7 +191,6 @@ def test_generate_and_save_system_prompt_impl_duplicate_names_regenerated(
         mock_check_display_dup,
         mock_regen_name,
         mock_regen_display,
-        mock_update_agent,
     ):
         """Duplicate agent_var_name / agent_display_name should be regenerated via LLM helpers."""
         # Tool and sub-agent info do not matter for this test
@@ -255,9 +234,7 @@ def mock_gen(*args, **kwargs):
 
         mock_regen_name.assert_called_once()
         mock_regen_display.assert_called_once()
-        mock_update_agent.assert_called_once()
 
-    @patch('backend.services.prompt_service.update_agent')
     @patch('backend.services.prompt_service._generate_unique_display_name_with_suffix')
     @patch('backend.services.prompt_service._generate_unique_agent_name_with_suffix')
     @patch('backend.services.prompt_service._regenerate_agent_display_name_with_llm')
@@ -280,7 +257,6 @@ def test_generate_and_save_system_prompt_impl_duplicate_names_fallback_suffix(
         mock_regen_display,
         mock_generate_unique_name,
         mock_generate_unique_display,
-        mock_update_agent,
     ):
         """When regeneration fails, duplicate names should fall back to suffix helpers."""
         mock_query_tools.return_value = []
@@ -323,9 +299,7 @@ def mock_gen(*args, **kwargs):
 
         mock_generate_unique_name.assert_called_once()
         mock_generate_unique_display.assert_called_once()
-        mock_update_agent.assert_called_once()
 
-    @patch('backend.services.prompt_service.update_agent')
     @patch('backend.services.prompt_service._check_agent_display_name_duplicate')
     @patch('backend.services.prompt_service._check_agent_name_duplicate')
     @patch('backend.services.prompt_service.query_all_agent_info_by_tenant_id')
@@ -340,7 +314,6 @@ def test_generate_and_save_system_prompt_impl_name_fields_incomplete(
         mock_query_all_agents,
         mock_check_name_dup,
         mock_check_display_dup,
-        mock_update_agent,
     ):
         """When agent_var_name or agent_display_name is_complete is False, skip duplicate checking (line 193 else branch)."""
         # Setup
@@ -388,9 +361,7 @@ def mock_gen(*args, **kwargs):
         # Duplicate checking should only be called for complete items
         mock_check_name_dup.assert_called_once()
         mock_check_display_dup.assert_called_once()
-        mock_update_agent.assert_called_once()
 
-    @patch('backend.services.prompt_service.update_agent')
     @patch('backend.services.prompt_service._check_agent_display_name_duplicate')
     @patch('backend.services.prompt_service._check_agent_name_duplicate')
     @patch('backend.services.prompt_service.query_all_agent_info_by_tenant_id')
@@ -405,7 +376,6 @@ def test_generate_and_save_system_prompt_impl_display_name_complete_no_duplicate
         mock_query_all_agents,
         mock_check_name_dup,
         mock_check_display_dup,
-        mock_update_agent,
     ):
         """Test agent_display_name path when is_complete is True and no duplicate (line 235)."""
         # Setup
@@ -442,9 +412,7 @@ def mock_gen(*args, **kwargs):
         
         # Should check for duplicate but not regenerate
         mock_check_display_dup.assert_called_once()
-        mock_update_agent.assert_called_once()
 
-    @patch('backend.services.prompt_service.update_agent')
     @patch('backend.services.prompt_service._generate_unique_display_name_with_suffix')
     @patch('backend.services.prompt_service._regenerate_agent_display_name_with_llm')
     @patch('backend.services.prompt_service._check_agent_display_name_duplicate')
@@ -463,7 +431,6 @@ def test_generate_and_save_system_prompt_impl_display_name_complete_with_duplica
         mock_check_display_dup,
         mock_regen_display,
         mock_generate_unique_display,
-        mock_update_agent,
     ):
         """Test agent_display_name path when is_complete is True and duplicate exists, regenerates with LLM (line 235-250)."""
         # Setup
@@ -503,9 +470,7 @@ def mock_gen(*args, **kwargs):
         # Should check for duplicate and regenerate
         mock_check_display_dup.assert_called_once()
         mock_regen_display.assert_called_once()
-        mock_update_agent.assert_called_once()
 
-    @patch('backend.services.prompt_service.update_agent')
     @patch('backend.services.prompt_service._generate_unique_display_name_with_suffix')
     @patch('backend.services.prompt_service._regenerate_agent_display_name_with_llm')
     @patch('backend.services.prompt_service._check_agent_display_name_duplicate')
@@ -524,7 +489,6 @@ def test_generate_and_save_system_prompt_impl_display_name_llm_failure_fallback(
         mock_check_display_dup,
         mock_regen_display,
         mock_generate_unique_display,
-        mock_update_agent,
     ):
         """Test agent_display_name path when is_complete is True, duplicate exists, LLM regeneration fails, uses fallback (line 235-250)."""
         # Setup
@@ -565,7 +529,6 @@ def mock_gen(*args, **kwargs):
         mock_check_display_dup.assert_called_once()
         mock_regen_display.assert_called_once()
         mock_generate_unique_display.assert_called_once()
-        mock_update_agent.assert_called_once()
 
     @patch('backend.services.prompt_service.generate_and_save_system_prompt_impl')
     def test_gen_system_prompt_streamable(self, mock_generate_impl):
diff --git a/test/backend/services/test_remote_mcp_service.py b/test/backend/services/test_remote_mcp_service.py
index 6c2290136..0ef1e2a34 100644
--- a/test/backend/services/test_remote_mcp_service.py
+++ b/test/backend/services/test_remote_mcp_service.py
@@ -36,6 +36,7 @@
     check_mcp_health_and_update_db,
     delete_mcp_by_container_id,
     upload_and_start_mcp_image,
+    attach_mcp_container_permissions,
 )
 # Patch exception classes to ensure tests use correct exceptions
 import backend.services.remote_mcp_service as remote_service
@@ -227,8 +228,10 @@ async def test_get_list(self, mock_get):
         self.assertEqual(result[0]["remote_mcp_server_name"], "n1")
         self.assertEqual(result[0]["remote_mcp_server"], "u1")
         self.assertTrue(result[0]["status"])
+        self.assertEqual(result[0]["permission"], "READ_ONLY")
         self.assertEqual(result[1]["remote_mcp_server_name"], "n2")
         self.assertFalse(result[1]["status"])
+        self.assertEqual(result[1]["permission"], "READ_ONLY")
 
     @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
     async def test_get_empty(self, mock_get):
@@ -251,6 +254,7 @@ async def test_get_single_record(self, mock_get):
         self.assertEqual(result[0]["remote_mcp_server_name"], "single_server")
         self.assertEqual(result[0]["remote_mcp_server"], "http://single.com")
         self.assertTrue(result[0]["status"])
+        self.assertEqual(result[0]["permission"], "READ_ONLY")
 
     @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
     async def test_get_large_list(self, mock_get):
@@ -282,6 +286,39 @@ async def test_get_with_special_characters(self, mock_get):
             result[0]["remote_mcp_server_name"], "test-server_123")
         self.assertEqual(result[0]["remote_mcp_server"],
                          "http://test-server.com:8080")
+        self.assertEqual(result[0]["permission"], "READ_ONLY")
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    async def test_get_list_permission_by_creator(self, mock_get, mock_get_user_tenant):
+        """Test permission: creator can edit, others read when not admin"""
+        mock_get_user_tenant.return_value = {"user_role": "USER"}
+        mock_get.return_value = [
+            {"mcp_name": "n1", "mcp_server": "u1",
+                "status": True, "created_by": "user123"},
+            {"mcp_name": "n2", "mcp_server": "u2",
+                "status": True, "created_by": "other"},
+        ]
+
+        result = await get_remote_mcp_server_list('tid', user_id="user123")
+        self.assertEqual(result[0]["permission"], "EDIT")
+        self.assertEqual(result[1]["permission"], "READ_ONLY")
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    async def test_get_list_permission_admin_can_edit_all(self, mock_get, mock_get_user_tenant):
+        """Test permission: admin can edit all"""
+        mock_get_user_tenant.return_value = {"user_role": "ADMIN"}
+        mock_get.return_value = [
+            {"mcp_name": "n1", "mcp_server": "u1",
+                "status": True, "created_by": "someone"},
+            {"mcp_name": "n2", "mcp_server": "u2",
+                "status": True, "created_by": "other"},
+        ]
+
+        result = await get_remote_mcp_server_list('tid', user_id="user123")
+        self.assertEqual(result[0]["permission"], "EDIT")
+        self.assertEqual(result[1]["permission"], "EDIT")
 
 
 class TestCheckMcpHealthAndUpdateDb(unittest.IsolatedAsyncioTestCase):
@@ -894,5 +931,425 @@ async def test_update_db_error(self, mock_check_name, mock_health, mock_update_r
             await update_remote_mcp_server_list(update_data, 'tid', 'uid')
 
 
+class TestAttachMcpContainerPermissions(unittest.TestCase):
+    """Test attach_mcp_container_permissions function"""
+
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_empty_containers(self, mock_get_records):
+        """Test with empty containers list"""
+        result = attach_mcp_container_permissions(
+            containers=[],
+            tenant_id='tid',
+            user_id='uid'
+        )
+        self.assertEqual(result, [])
+        mock_get_records.assert_not_called()
+
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_no_user_id_all_read(self, mock_get_records):
+        """Test when user_id is None - all containers should have READ_ONLY permission"""
+        mock_get_records.return_value = []
+        containers = [
+            {"container_id": "c1", "name": "container1"},
+            {"container_id": "c2", "name": "container2"}
+        ]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id=None
+        )
+
+        self.assertEqual(len(result), 2)
+        self.assertEqual(result[0]["permission"], "READ_ONLY")
+        self.assertEqual(result[1]["permission"], "READ_ONLY")
+        self.assertEqual(result[0]["container_id"], "c1")
+        self.assertEqual(result[1]["container_id"], "c2")
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_admin_user_all_edit(self, mock_get_records, mock_get_user_tenant):
+        """Test when user has ADMIN role - all containers should have EDIT permission"""
+        mock_get_user_tenant.return_value = {"user_role": "ADMIN"}
+        mock_get_records.return_value = []
+        containers = [
+            {"container_id": "c1", "name": "container1"},
+            {"container_id": "c2", "name": "container2"}
+        ]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='admin_user'
+        )
+
+        self.assertEqual(len(result), 2)
+        self.assertEqual(result[0]["permission"], "EDIT")
+        self.assertEqual(result[1]["permission"], "EDIT")
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_su_user_all_edit(self, mock_get_records, mock_get_user_tenant):
+        """Test when user has SU role - all containers should have EDIT permission"""
+        mock_get_user_tenant.return_value = {"user_role": "SU"}
+        mock_get_records.return_value = []
+        containers = [{"container_id": "c1", "name": "container1"}]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='su_user'
+        )
+
+        self.assertEqual(result[0]["permission"], "EDIT")
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_speed_user_all_edit(self, mock_get_records, mock_get_user_tenant):
+        """Test when user has SPEED role - all containers should have EDIT permission"""
+        mock_get_user_tenant.return_value = {"user_role": "SPEED"}
+        mock_get_records.return_value = []
+        containers = [{"container_id": "c1", "name": "container1"}]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='speed_user'
+        )
+
+        self.assertEqual(result[0]["permission"], "EDIT")
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_regular_user_own_container_edit(self, mock_get_records, mock_get_user_tenant):
+        """Test when regular user owns container - should have EDIT permission"""
+        mock_get_user_tenant.return_value = {"user_role": "USER"}
+        mock_get_records.return_value = [
+            {"container_id": "c1", "created_by": "user123"}
+        ]
+        containers = [{"container_id": "c1", "name": "container1"}]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='user123'
+        )
+
+        self.assertEqual(result[0]["permission"], "EDIT")
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_regular_user_other_container_read(self, mock_get_records, mock_get_user_tenant):
+        """Test when regular user doesn't own container - should have READ_ONLY permission"""
+        mock_get_user_tenant.return_value = {"user_role": "USER"}
+        mock_get_records.return_value = [
+            {"container_id": "c1", "created_by": "other_user"}
+        ]
+        containers = [{"container_id": "c1", "name": "container1"}]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='user123'
+        )
+
+        self.assertEqual(result[0]["permission"], "READ_ONLY")
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_regular_user_no_record_read(self, mock_get_records, mock_get_user_tenant):
+        """Test when container has no associated MCP record - should have READ_ONLY permission"""
+        mock_get_user_tenant.return_value = {"user_role": "USER"}
+        mock_get_records.return_value = []
+        containers = [{"container_id": "c1", "name": "container1"}]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='user123'
+        )
+
+        self.assertEqual(result[0]["permission"], "READ_ONLY")
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_record_uses_user_id_fallback(self, mock_get_records, mock_get_user_tenant):
+        """Test when record uses user_id instead of created_by"""
+        mock_get_user_tenant.return_value = {"user_role": "USER"}
+        mock_get_records.return_value = [
+            {"container_id": "c1", "user_id": "user123"}  # No created_by, uses user_id
+        ]
+        containers = [{"container_id": "c1", "name": "container1"}]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='user123'
+        )
+
+        self.assertEqual(result[0]["permission"], "EDIT")
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_record_no_created_by_no_user_id(self, mock_get_records, mock_get_user_tenant):
+        """Test when record has neither created_by nor user_id"""
+        mock_get_user_tenant.return_value = {"user_role": "USER"}
+        mock_get_records.return_value = [
+            {"container_id": "c1"}  # No created_by or user_id
+        ]
+        containers = [{"container_id": "c1", "name": "container1"}]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='user123'
+        )
+
+        self.assertEqual(result[0]["permission"], "READ_ONLY")
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_record_without_container_id_skipped(self, mock_get_records, mock_get_user_tenant):
+        """Test that records without container_id are skipped"""
+        mock_get_user_tenant.return_value = {"user_role": "USER"}
+        mock_get_records.return_value = [
+            {"created_by": "user123"},  # No container_id - should be skipped
+            {"container_id": "c2", "created_by": "user123"}
+        ]
+        containers = [
+            {"container_id": "c1", "name": "container1"},  # No record for c1
+            {"container_id": "c2", "name": "container2"}   # Has record for c2
+        ]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='user123'
+        )
+
+        self.assertEqual(result[0]["permission"], "READ_ONLY")  # c1 has no record
+        self.assertEqual(result[1]["permission"], "EDIT")  # c2 owned by user123
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_get_records_returns_none(self, mock_get_records, mock_get_user_tenant):
+        """Test when get_mcp_records_by_tenant returns None"""
+        mock_get_user_tenant.return_value = {"user_role": "USER"}
+        mock_get_records.return_value = None
+        containers = [{"container_id": "c1", "name": "container1"}]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='user123'
+        )
+
+        self.assertEqual(result[0]["permission"], "READ_ONLY")
+
+    @patch('backend.services.remote_mcp_service.logger')
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_get_records_exception_handled(self, mock_get_records, mock_get_user_tenant, mock_logger):
+        """Test when get_mcp_records_by_tenant raises exception - should log warning and continue"""
+        mock_get_user_tenant.return_value = {"user_role": "USER"}
+        mock_get_records.side_effect = Exception("Database error")
+        containers = [{"container_id": "c1", "name": "container1"}]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='user123'
+        )
+
+        # Should still return result with READ_ONLY permission
+        self.assertEqual(result[0]["permission"], "READ_ONLY")
+        # Should log warning
+        mock_logger.warning.assert_called_once()
+        warning_msg = mock_logger.warning.call_args[0][0]
+        self.assertIn("Failed to load MCP records for permission mapping", warning_msg)
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_user_tenant_record_none(self, mock_get_records, mock_get_user_tenant):
+        """Test when get_user_tenant_by_user_id returns None"""
+        mock_get_user_tenant.return_value = None
+        mock_get_records.return_value = []
+        containers = [{"container_id": "c1", "name": "container1"}]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='user123'
+        )
+
+        # Should default to READ_ONLY when no user role
+        self.assertEqual(result[0]["permission"], "READ_ONLY")
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_user_tenant_record_empty_dict(self, mock_get_records, mock_get_user_tenant):
+        """Test when get_user_tenant_by_user_id returns empty dict"""
+        mock_get_user_tenant.return_value = {}
+        mock_get_records.return_value = []
+        containers = [{"container_id": "c1", "name": "container1"}]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='user123'
+        )
+
+        self.assertEqual(result[0]["permission"], "READ_ONLY")
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_user_role_case_insensitive(self, mock_get_records, mock_get_user_tenant):
+        """Test that user role comparison is case-insensitive (converted to uppercase)"""
+        mock_get_user_tenant.return_value = {"user_role": "admin"}  # lowercase
+        mock_get_records.return_value = []
+        containers = [{"container_id": "c1", "name": "container1"}]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='admin_user'
+        )
+
+        # Should still get EDIT permission because "admin" -> "ADMIN" matches CAN_EDIT_ALL_USER_ROLES
+        self.assertEqual(result[0]["permission"], "EDIT")
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_user_role_none_or_empty(self, mock_get_records, mock_get_user_tenant):
+        """Test when user_role is None or empty string"""
+        mock_get_user_tenant.return_value = {"user_role": None}
+        mock_get_records.return_value = [
+            {"container_id": "c1", "created_by": "user123"}
+        ]
+        containers = [{"container_id": "c1", "name": "container1"}]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='user123'
+        )
+
+        # Should check ownership since role is not in CAN_EDIT_ALL_USER_ROLES
+        self.assertEqual(result[0]["permission"], "EDIT")  # Owned by user123
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_container_id_none_converted_to_string(self, mock_get_records, mock_get_user_tenant):
+        """Test when container_id is None - should be converted to string"""
+        mock_get_user_tenant.return_value = {"user_role": "USER"}
+        mock_get_records.return_value = []
+        containers = [{"container_id": None, "name": "container1"}]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='user123'
+        )
+
+        # Should handle None container_id gracefully
+        self.assertEqual(result[0]["permission"], "READ_ONLY")
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_mixed_scenario_multiple_containers(self, mock_get_records, mock_get_user_tenant):
+        """Test complex scenario with multiple containers and mixed permissions"""
+        mock_get_user_tenant.return_value = {"user_role": "USER"}
+        mock_get_records.return_value = [
+            {"container_id": "c1", "created_by": "user123"},  # Owned by user
+            {"container_id": "c2", "created_by": "other_user"},  # Owned by other
+            {"container_id": "c3", "user_id": "user123"},  # Owned by user (via user_id)
+        ]
+        containers = [
+            {"container_id": "c1", "name": "container1"},
+            {"container_id": "c2", "name": "container2"},
+            {"container_id": "c3", "name": "container3"},
+            {"container_id": "c4", "name": "container4"},  # No record
+        ]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='user123'
+        )
+
+        self.assertEqual(len(result), 4)
+        self.assertEqual(result[0]["permission"], "EDIT")  # c1 owned by user123
+        self.assertEqual(result[1]["permission"], "READ_ONLY")  # c2 owned by other
+        self.assertEqual(result[2]["permission"], "EDIT")  # c3 owned by user123
+        self.assertEqual(result[3]["permission"], "READ_ONLY")  # c4 no record
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_container_id_string_matching(self, mock_get_records, mock_get_user_tenant):
+        """Test that container_id string matching works correctly"""
+        mock_get_user_tenant.return_value = {"user_role": "USER"}
+        mock_get_records.return_value = [
+            {"container_id": 123, "created_by": "user123"},  # Numeric container_id
+        ]
+        containers = [
+            {"container_id": "123", "name": "container1"},  # String container_id
+        ]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='user123'
+        )
+
+        # Should match because both are converted to strings
+        self.assertEqual(result[0]["permission"], "EDIT")
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_created_by_string_matching(self, mock_get_records, mock_get_user_tenant):
+        """Test that created_by and user_id string matching works correctly"""
+        mock_get_user_tenant.return_value = {"user_role": "USER"}
+        mock_get_records.return_value = [
+            {"container_id": "c1", "created_by": 123},  # Numeric created_by
+        ]
+        containers = [{"container_id": "c1", "name": "container1"}]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id=123  # Numeric user_id
+        )
+
+        # Should match because both are converted to strings
+        self.assertEqual(result[0]["permission"], "EDIT")
+
+    @patch('backend.services.remote_mcp_service.get_user_tenant_by_user_id')
+    @patch('backend.services.remote_mcp_service.get_mcp_records_by_tenant')
+    def test_container_preserves_original_fields(self, mock_get_records, mock_get_user_tenant):
+        """Test that original container fields are preserved in result"""
+        mock_get_user_tenant.return_value = {"user_role": "USER"}
+        mock_get_records.return_value = []
+        containers = [
+            {
+                "container_id": "c1",
+                "name": "container1",
+                "status": "running",
+                "port": 8080
+            }
+        ]
+
+        result = attach_mcp_container_permissions(
+            containers=containers,
+            tenant_id='tid',
+            user_id='user123'
+        )
+
+        self.assertEqual(result[0]["container_id"], "c1")
+        self.assertEqual(result[0]["name"], "container1")
+        self.assertEqual(result[0]["status"], "running")
+        self.assertEqual(result[0]["port"], 8080)
+        self.assertEqual(result[0]["permission"], "READ_ONLY")
+
+
 if __name__ == '__main__':
     unittest.main()
diff --git a/test/backend/services/test_tenant_config_service.py b/test/backend/services/test_tenant_config_service.py
deleted file mode 100644
index ad9d74672..000000000
--- a/test/backend/services/test_tenant_config_service.py
+++ /dev/null
@@ -1,235 +0,0 @@
-import sys
-import os
-import types
-import unittest
-from unittest.mock import MagicMock, patch
-
-# Add backend directory to Python path for proper imports
-project_root = os.path.abspath(os.path.join(
-    os.path.dirname(__file__), '../../../'))
-backend_dir = os.path.join(project_root, 'backend')
-if backend_dir not in sys.path:
-    sys.path.insert(0, backend_dir)
-
-# Patch boto3 and other dependencies before importing anything from backend
-boto3_mock = MagicMock()
-sys.modules['boto3'] = boto3_mock
-
-# Apply critical patches before importing any modules
-# This prevents real AWS/MinIO/Elasticsearch calls during import
-patch('botocore.client.BaseClient._make_api_call', return_value={}).start()
-
-# Patch storage factory and MinIO config validation to avoid errors during initialization
-storage_client_mock = MagicMock()
-minio_client_mock = MagicMock()
-minio_client_mock._ensure_bucket_exists = MagicMock()
-minio_client_mock.client = MagicMock()
-
-# Mock the entire MinIOStorageConfig class to avoid validation
-minio_config_mock = MagicMock()
-minio_config_mock.validate = MagicMock()
-
-# Import backend modules after all patches are applied
-# Use additional context manager to ensure MinioClient is properly mocked during import
-with patch('backend.database.client.MinioClient', return_value=minio_client_mock), \
-        patch('nexent.storage.minio_config.MinIOStorageConfig', return_value=minio_config_mock):
-    from backend.services.tenant_config_service import (
-        get_selected_knowledge_list,
-        update_selected_knowledge,
-        delete_selected_knowledge_by_index_name,
-    )
-
-
-class TestTenantConfigService(unittest.TestCase):
-    def setUp(self):
-        self.tenant_id = "test_tenant_id"
-        self.user_id = "test_user_id"
-        self.index_name = "test_index_name"
-        self.index_name_list = ["test_index_name1", "test_index_name2"]
-        self.knowledge_id = "knowledge_id_1"
-        self.knowledge_ids = ["knowledge_id_1", "knowledge_id_2"]
-        self.tenant_config_id = "tenant_config_id_1"
-
-    @patch("backend.services.tenant_config_service.get_tenant_config_info")
-    @patch("backend.services.tenant_config_service.get_knowledge_info_by_knowledge_ids")
-    def test_get_selected_knowledge_list_empty(
-        self, mock_get_knowledge_info, mock_get_config
-    ):
-        mock_get_config.return_value = []
-        result = get_selected_knowledge_list(self.tenant_id, self.user_id)
-        self.assertEqual(result, [])
-        mock_get_knowledge_info.assert_not_called()
-
-    @patch("backend.services.tenant_config_service.get_tenant_config_info")
-    @patch("backend.services.tenant_config_service.get_knowledge_info_by_knowledge_ids")
-    def test_get_selected_knowledge_list_with_records(
-        self, mock_get_knowledge_info, mock_get_config
-    ):
-        mock_get_config.return_value = [
-            {"config_value": self.knowledge_id,
-                "tenant_config_id": self.tenant_config_id}
-        ]
-        mock_get_knowledge_info.return_value = [
-            {"knowledge_id": self.knowledge_id, "name": "Test Knowledge"}
-        ]
-
-        result = get_selected_knowledge_list(self.tenant_id, self.user_id)
-
-        self.assertEqual(
-            result, [{"knowledge_id": self.knowledge_id,
-                      "name": "Test Knowledge"}]
-        )
-        mock_get_knowledge_info.assert_called_once_with([self.knowledge_id])
-
-    @patch("backend.services.tenant_config_service.delete_config_by_tenant_config_id")
-    @patch("backend.services.tenant_config_service.insert_config")
-    @patch("backend.services.tenant_config_service.get_tenant_config_info")
-    @patch("backend.services.tenant_config_service.get_knowledge_ids_by_index_names")
-    def test_update_selected_knowledge_add_only(
-        self, mock_get_ids, mock_get_config, mock_insert, mock_delete
-    ):
-        mock_get_ids.return_value = self.knowledge_ids
-        mock_get_config.return_value = []
-        mock_insert.return_value = True
-
-        result = update_selected_knowledge(
-            self.tenant_id, self.user_id, self.index_name_list
-        )
-        self.assertTrue(result)
-        self.assertEqual(mock_insert.call_count, 2)
-        mock_delete.assert_not_called()
-
-    @patch("backend.services.tenant_config_service.delete_config_by_tenant_config_id")
-    @patch("backend.services.tenant_config_service.insert_config")
-    @patch("backend.services.tenant_config_service.get_tenant_config_info")
-    @patch("backend.services.tenant_config_service.get_knowledge_ids_by_index_names")
-    def test_update_selected_knowledge_remove_only(
-        self, mock_get_ids, mock_get_config, mock_insert, mock_delete
-    ):
-        mock_get_ids.return_value = []
-        mock_get_config.return_value = [
-            {"config_value": self.knowledge_id,
-                "tenant_config_id": self.tenant_config_id}
-        ]
-        mock_delete.return_value = True
-
-        result = update_selected_knowledge(self.tenant_id, self.user_id, [])
-        self.assertTrue(result)
-        mock_insert.assert_not_called()
-        mock_delete.assert_called_once_with(self.tenant_config_id)
-
-    @patch("backend.services.tenant_config_service.delete_config_by_tenant_config_id")
-    @patch("backend.services.tenant_config_service.insert_config")
-    @patch("backend.services.tenant_config_service.get_tenant_config_info")
-    @patch("backend.services.tenant_config_service.get_knowledge_ids_by_index_names")
-    def test_update_selected_knowledge_add_and_remove(
-        self, mock_get_ids, mock_get_config, mock_insert, mock_delete
-    ):
-        mock_get_ids.return_value = ["knowledge_id_2"]
-        mock_get_config.return_value = [
-            {"config_value": "knowledge_id_1",
-                "tenant_config_id": "tenant_config_id_1"}
-        ]
-        mock_insert.return_value = True
-        mock_delete.return_value = True
-
-        result = update_selected_knowledge(
-            self.tenant_id, self.user_id, ["new_index"])
-        self.assertTrue(result)
-        mock_insert.assert_called_once()
-        mock_delete.assert_called_once_with("tenant_config_id_1")
-
-    @patch("backend.services.tenant_config_service.delete_config_by_tenant_config_id")
-    @patch("backend.services.tenant_config_service.insert_config")
-    @patch("backend.services.tenant_config_service.get_tenant_config_info")
-    @patch("backend.services.tenant_config_service.get_knowledge_ids_by_index_names")
-    def test_update_selected_knowledge_insert_failure(
-        self, mock_get_ids, mock_get_config, mock_insert, mock_delete
-    ):
-        mock_get_ids.return_value = self.knowledge_ids
-        mock_get_config.return_value = []
-        mock_insert.return_value = False
-
-        result = update_selected_knowledge(
-            self.tenant_id, self.user_id, self.index_name_list
-        )
-        self.assertFalse(result)
-        mock_insert.assert_called_once()
-
-    @patch("backend.services.tenant_config_service.delete_config_by_tenant_config_id")
-    @patch("backend.services.tenant_config_service.insert_config")
-    @patch("backend.services.tenant_config_service.get_tenant_config_info")
-    @patch("backend.services.tenant_config_service.get_knowledge_ids_by_index_names")
-    def test_update_selected_knowledge_delete_failure(
-        self, mock_get_ids, mock_get_config, mock_insert, mock_delete
-    ):
-        mock_get_ids.return_value = []
-        mock_get_config.return_value = [
-            {"config_value": self.knowledge_id,
-                "tenant_config_id": self.tenant_config_id}
-        ]
-        mock_delete.return_value = False
-
-        result = update_selected_knowledge(self.tenant_id, self.user_id, [])
-        self.assertFalse(result)
-        mock_delete.assert_called_once_with(self.tenant_config_id)
-
-    @patch("backend.services.tenant_config_service.delete_config_by_tenant_config_id")
-    @patch("backend.services.tenant_config_service.get_tenant_config_info")
-    @patch("backend.services.tenant_config_service.get_knowledge_ids_by_index_names")
-    def test_delete_selected_knowledge_by_index_name_success(
-        self, mock_get_ids, mock_get_config, mock_delete
-    ):
-        mock_get_ids.return_value = [self.knowledge_id]
-        mock_get_config.return_value = [
-            {"config_value": self.knowledge_id,
-                "tenant_config_id": self.tenant_config_id}
-        ]
-        mock_delete.return_value = True
-
-        result = delete_selected_knowledge_by_index_name(
-            self.tenant_id, self.user_id, self.index_name
-        )
-        self.assertTrue(result)
-        mock_delete.assert_called_once_with(self.tenant_config_id)
-
-    @patch("backend.services.tenant_config_service.delete_config_by_tenant_config_id")
-    @patch("backend.services.tenant_config_service.get_tenant_config_info")
-    @patch("backend.services.tenant_config_service.get_knowledge_ids_by_index_names")
-    def test_delete_selected_knowledge_by_index_name_no_match(
-        self, mock_get_ids, mock_get_config, mock_delete
-    ):
-        mock_get_ids.return_value = ["different_id"]
-        mock_get_config.return_value = [
-            {"config_value": self.knowledge_id,
-                "tenant_config_id": self.tenant_config_id}
-        ]
-
-        result = delete_selected_knowledge_by_index_name(
-            self.tenant_id, self.user_id, self.index_name
-        )
-        self.assertTrue(result)
-        mock_delete.assert_not_called()
-
-    @patch("backend.services.tenant_config_service.delete_config_by_tenant_config_id")
-    @patch("backend.services.tenant_config_service.get_tenant_config_info")
-    @patch("backend.services.tenant_config_service.get_knowledge_ids_by_index_names")
-    def test_delete_selected_knowledge_by_index_name_failure(
-        self, mock_get_ids, mock_get_config, mock_delete
-    ):
-        mock_get_ids.return_value = [self.knowledge_id]
-        mock_get_config.return_value = [
-            {"config_value": self.knowledge_id,
-                "tenant_config_id": self.tenant_config_id}
-        ]
-        mock_delete.return_value = False
-
-        result = delete_selected_knowledge_by_index_name(
-            self.tenant_id, self.user_id, self.index_name
-        )
-        self.assertFalse(result)
-        mock_delete.assert_called_once_with(self.tenant_config_id)
-
-
-if __name__ == "__main__":
-    unittest.main()
diff --git a/test/backend/services/test_tenant_service.py b/test/backend/services/test_tenant_service.py
index 40ff00edd..ad5479603 100644
--- a/test/backend/services/test_tenant_service.py
+++ b/test/backend/services/test_tenant_service.py
@@ -28,7 +28,8 @@
     create_tenant,
     update_tenant_info,
     delete_tenant,
-    _create_default_group_for_tenant
+    _create_default_group_for_tenant,
+    check_tenant_name_exists
 )
 
 
@@ -81,24 +82,30 @@ def test_get_tenant_info_success(self, service_mocks):
             tenant_id, "DEFAULT_GROUP_ID")
 
     def test_get_tenant_info_name_not_found(self, service_mocks):
-        """Test get_tenant_info when tenant name is not found"""
+        """Test get_tenant_info when tenant name is not found - should auto-create config"""
         # Setup
         tenant_id = "test_tenant_id"
 
-        # Mock config functions to return empty dict for name
+        # Mock config functions
         service_mocks['get_single_config_info'].side_effect = [
-            {},  # TENANT_NAME not found
+            {},                    # TENANT_NAME first check (not found)
+            {},                    # TENANT_NAME check in _ensure_tenant_name_config (double-check)
+            {"config_value": "Unnamed Tenant", "tenant_config_id": 1},  # TENANT_NAME after auto-create
             {"config_value": "group-123"}  # DEFAULT_GROUP_ID
         ]
+        service_mocks['insert_config'].return_value = True
 
         # Execute
         result = get_tenant_info(tenant_id)
 
-        # Assert - should return tenant info with empty name
+        # Assert - should return tenant info with auto-created default name
         assert result["tenant_id"] == tenant_id
-        assert result["tenant_name"] == ""
+        assert result["tenant_name"] == "Unnamed Tenant"
         assert result["default_group_id"] == "group-123"
 
+        # Verify insert_config was called to create the missing config
+        service_mocks['insert_config'].assert_called_once()
+
     def test_get_tenant_info_with_empty_group_id(self, service_mocks):
         """Test get_tenant_info when default group ID is empty"""
         # Setup
@@ -133,21 +140,34 @@ def test_get_tenant_info_get_single_config_exception(self, service_mocks):
             get_tenant_info(tenant_id)
 
     def test_get_tenant_info_both_configs_none(self, service_mocks):
-        """Test get_tenant_info when both configs return None"""
+        """Test get_tenant_info when both configs return None - should auto-create name config"""
         # Setup
         tenant_id = "test_tenant_id"
 
-        # Mock config functions to return None
-        service_mocks['get_single_config_info'].side_effect = [None, None]
+        # Mock config functions:
+        # 1st call: TENANT_NAME not found (None)
+        # 2nd call: TENANT_NAME check in _ensure_tenant_name_config (None - double-check)
+        # 3rd call: after insert, re-fetch returns the created config
+        # 4th call: DEFAULT_GROUP_ID returns None
+        service_mocks['get_single_config_info'].side_effect = [
+            None,                    # TENANT_NAME first check (None)
+            None,                    # TENANT_NAME check in _ensure_tenant_name_config
+            {"config_value": "Unnamed Tenant", "tenant_config_id": 1},  # TENANT_NAME after auto-create
+            None                     # DEFAULT_GROUP_ID (None)
+        ]
+        service_mocks['insert_config'].return_value = True
 
         # Execute
         result = get_tenant_info(tenant_id)
 
-        # Assert - should return tenant info with empty name and group_id
+        # Assert - should return tenant info with auto-created default name and empty group_id
         assert result["tenant_id"] == tenant_id
-        assert result["tenant_name"] == ""
+        assert result["tenant_name"] == "Unnamed Tenant"
         assert result["default_group_id"] == ""
 
+        # Verify insert_config was called to create the missing config
+        service_mocks['insert_config'].assert_called_once()
+
 
 class TestGetAllTenants:
     """Test cases for get_all_tenants function"""
@@ -245,8 +265,8 @@ def test_create_tenant_success(self, service_mocks):
         user_id = "creator_user"
         group_id = 123
 
-        # Mock dependencies
-        with patch('backend.services.tenant_service.get_tenant_info', side_effect=NotFoundException()), \
+        # Mock check_tenant_name_exists to return False (name not taken)
+        with patch('backend.services.tenant_service.check_tenant_name_exists', return_value=False), \
              patch('backend.services.tenant_service._create_default_group_for_tenant', return_value=group_id):
 
             # Configure insert_config to succeed
@@ -263,14 +283,14 @@ def test_create_tenant_success(self, service_mocks):
             # Verify config insertions were called (3 configs: ID, name, group)
             assert service_mocks['insert_config'].call_count == 3
 
-    def test_create_tenant_already_exists(self, service_mocks):
-        """Test creating tenant that already exists"""
+    def test_create_tenant_name_already_exists(self, service_mocks):
+        """Test creating tenant with a name that already exists"""
         # Setup
         tenant_name = "Existing Tenant"
         user_id = "creator_user"
 
-        # Mock get_tenant_info to return existing tenant (UUID collision)
-        with patch('backend.services.tenant_service.get_tenant_info', return_value={"tenant_id": "some-uuid"}) as mock_get_tenant_info:
+        # Mock check_tenant_name_exists to return True (name already taken)
+        with patch('backend.services.tenant_service.check_tenant_name_exists', return_value=True):
 
             # Execute & Assert
             with pytest.raises(ValidationError, match="already exists"):
@@ -282,8 +302,8 @@ def test_create_tenant_empty_name(self, service_mocks):
         tenant_name = ""
         user_id = "creator_user"
 
-        # Mock get_tenant_info to raise NotFoundException (tenant doesn't exist)
-        with patch('backend.services.tenant_service.get_tenant_info', side_effect=NotFoundException()) as mock_get_tenant_info:
+        # Mock check_tenant_name_exists (won't be called due to empty name validation)
+        with patch('backend.services.tenant_service.check_tenant_name_exists', return_value=False):
 
             # Execute & Assert
             with pytest.raises(ValidationError, match="Tenant name cannot be empty"):
@@ -296,7 +316,7 @@ def test_create_tenant_config_insertion_failure(self, service_mocks):
         user_id = "creator_user"
 
         # Mock dependencies
-        with patch('backend.services.tenant_service.get_tenant_info', side_effect=NotFoundException()), \
+        with patch('backend.services.tenant_service.check_tenant_name_exists', return_value=False), \
              patch('backend.services.tenant_service._create_default_group_for_tenant', return_value=123):
 
             service_mocks['insert_config'].return_value = False
@@ -311,8 +331,8 @@ def test_create_tenant_whitespace_name(self, service_mocks):
         tenant_name = "   \t\n   "  # Only whitespace
         user_id = "creator_user"
 
-        # Mock get_tenant_info to raise NotFoundException (tenant doesn't exist)
-        with patch('backend.services.tenant_service.get_tenant_info', side_effect=NotFoundException()) as mock_get_tenant_info:
+        # Mock check_tenant_name_exists (won't be called due to whitespace validation)
+        with patch('backend.services.tenant_service.check_tenant_name_exists', return_value=False):
 
             # Execute & Assert
             with pytest.raises(ValidationError, match="Tenant name cannot be empty"):
@@ -325,7 +345,7 @@ def test_create_tenant_tenant_id_config_failure(self, service_mocks):
         user_id = "creator_user"
 
         # Mock dependencies
-        with patch('backend.services.tenant_service.get_tenant_info', side_effect=NotFoundException()), \
+        with patch('backend.services.tenant_service.check_tenant_name_exists', return_value=False), \
                 patch('backend.services.tenant_service._create_default_group_for_tenant', return_value=123):
 
             # Configure insert_config to fail on first call (tenant ID config)
@@ -342,7 +362,7 @@ def test_create_tenant_group_config_failure(self, service_mocks):
         user_id = "creator_user"
 
         # Mock dependencies
-        with patch('backend.services.tenant_service.get_tenant_info', side_effect=NotFoundException()), \
+        with patch('backend.services.tenant_service.check_tenant_name_exists', return_value=False), \
                 patch('backend.services.tenant_service._create_default_group_for_tenant', return_value=123):
 
             # Configure insert_config to succeed for first two, fail for third (group config)
@@ -359,7 +379,7 @@ def test_create_tenant_default_group_creation_failure(self, service_mocks):
         user_id = "creator_user"
 
         # Mock dependencies
-        with patch('backend.services.tenant_service.get_tenant_info', side_effect=NotFoundException()), \
+        with patch('backend.services.tenant_service.check_tenant_name_exists', return_value=False), \
                 patch('backend.services.tenant_service._create_default_group_for_tenant', side_effect=ValidationError("Group creation failed")):
 
             # Execute & Assert
@@ -373,7 +393,7 @@ def test_create_tenant_unexpected_exception_in_try_block(self, service_mocks):
         user_id = "creator_user"
 
         # Mock dependencies
-        with patch('backend.services.tenant_service.get_tenant_info', side_effect=NotFoundException()), \
+        with patch('backend.services.tenant_service.check_tenant_name_exists', return_value=False), \
                 patch('backend.services.tenant_service._create_default_group_for_tenant', side_effect=Exception("Unexpected error")):
 
             # Execute & Assert
@@ -381,17 +401,11 @@ def test_create_tenant_unexpected_exception_in_try_block(self, service_mocks):
                 create_tenant(tenant_name, user_id)
 
     def test_create_tenant_uuid_collision(self, service_mocks):
-        """Test create_tenant when UUID collision occurs"""
-        # Setup
-        tenant_name = "New Tenant"
-        user_id = "creator_user"
-
-        # Mock get_tenant_info to return existing tenant (UUID collision)
-        with patch('backend.services.tenant_service.get_tenant_info', return_value={"tenant_id": "existing-uuid"}) as mock_get_tenant_info:
-
-            # Execute & Assert
-            with pytest.raises(ValidationError, match="already exists"):
-                create_tenant(tenant_name, user_id)
+        """Test create_tenant when UUID collision occurs (unlikely but possible)"""
+        # Note: This test is now obsolete since we removed UUID collision check.
+        # UUIDs are random and collision probability is astronomically low.
+        # Keeping for reference - this scenario should never happen in practice.
+        pass
 
 
 class TestUpdateTenantInfo:
@@ -427,18 +441,37 @@ def test_update_tenant_info_success(self, service_mocks):
             assert result["tenant_name"] == new_tenant_name
 
     def test_update_tenant_info_tenant_not_found(self, service_mocks):
-        """Test update_tenant_info when tenant doesn't exist"""
+        """Test update_tenant_info when tenant doesn't exist - should auto-create config"""
         # Setup
         tenant_id = "nonexistent_tenant"
         new_tenant_name = "Updated Name"
         user_id = "updater_user"
 
-        # Mock get_single_config_info to return empty dict (not found)
-        service_mocks['get_single_config_info'].return_value = {}
+        # Mock get_single_config_info to return empty dict on first call (TENANT_NAME not found),
+        # then return the newly created config after auto-creation
+        service_mocks['get_single_config_info'].side_effect = [
+            {},  # First check - not found
+            {"config_value": new_tenant_name, "tenant_config_id": 1}  # After auto-create
+        ]
+        service_mocks['insert_config'].return_value = True
 
-        # Execute & Assert
-        with pytest.raises(NotFoundException, match="not found"):
-            update_tenant_info(tenant_id, new_tenant_name, user_id)
+        # Mock get_tenant_info to return updated info
+        with patch('backend.services.tenant_service.get_tenant_info') as mock_get_tenant_info:
+            mock_get_tenant_info.return_value = {
+                "tenant_id": tenant_id,
+                "tenant_name": new_tenant_name,
+                "default_group_id": "group-123"
+            }
+
+            # Execute - should NOT raise NotFoundException, instead auto-create config
+            result = update_tenant_info(tenant_id, new_tenant_name, user_id)
+
+            # Assert - update should succeed by auto-creating the config
+            assert result["tenant_id"] == tenant_id
+            assert result["tenant_name"] == new_tenant_name
+
+            # Verify insert_config was called to create the missing config
+            service_mocks['insert_config'].assert_called_once()
 
     def test_update_tenant_info_empty_name(self, service_mocks):
         """Test update_tenant_info with empty name"""
@@ -492,6 +525,21 @@ def test_update_tenant_info_whitespace_name(self, service_mocks):
         with pytest.raises(ValidationError, match="Tenant name cannot be empty"):
             update_tenant_info(tenant_id, new_tenant_name, user_id)
 
+    def test_update_tenant_info_name_already_exists(self, service_mocks):
+        """Test update_tenant_info raises error when name already exists on another tenant"""
+        # Setup
+        tenant_id = "test_tenant"
+        new_tenant_name = "Duplicate Name"
+        user_id = "updater_user"
+
+        # Mock check_tenant_name_exists to return True (name already taken by another tenant)
+        with patch('backend.services.tenant_service.check_tenant_name_exists', return_value=True) as mock_check:
+            # Execute & Assert
+            with pytest.raises(ValidationError, match="already exists"):
+                update_tenant_info(tenant_id, new_tenant_name, user_id)
+
+            # Verify check_tenant_name_exists was called with the right parameters
+            mock_check.assert_called_once_with(new_tenant_name.strip(), exclude_tenant_id=tenant_id)
 
 
 class TestDeleteTenant:
@@ -577,3 +625,130 @@ def test_create_default_group_for_tenant_validation_error_from_add_group(self, s
             # Execute & Assert
             with pytest.raises(ValidationError, match="Failed to create default group: Invalid group data"):
                 _create_default_group_for_tenant(tenant_id, user_id)
+
+
+class TestCheckTenantNameExists:
+    """Test cases for check_tenant_name_exists function"""
+
+    def test_check_tenant_name_exists_returns_false_when_no_match(self):
+        """Test check_tenant_name_exists returns False when no tenant has the name"""
+        # Setup
+        tenant_name = "Unique Tenant Name"
+        tenant_ids = ["tenant1", "tenant2", "tenant3"]
+
+        # Mock with fresh mocks to avoid fixture conflicts
+        with patch('backend.services.tenant_service.get_all_tenant_ids', return_value=tenant_ids), \
+             patch('backend.services.tenant_service.get_single_config_info') as mock_get_config:
+            # Each tenant has a different name
+            mock_get_config.side_effect = [
+                {"config_value": "Tenant 1"},  # tenant1
+                {"config_value": "Tenant 2"},  # tenant2
+                {"config_value": "Tenant 3"}   # tenant3
+            ]
+
+            # Execute
+            result = check_tenant_name_exists(tenant_name)
+
+            # Assert
+            assert result is False
+
+    def test_check_tenant_name_exists_returns_true_when_match_found(self):
+        """Test check_tenant_name_exists returns True when a tenant has the name"""
+        # Setup
+        tenant_name = "Existing Tenant"
+        tenant_ids = ["tenant1", "tenant2", "tenant3"]
+
+        # Mock with fresh mocks
+        with patch('backend.services.tenant_service.get_all_tenant_ids', return_value=tenant_ids), \
+             patch('backend.services.tenant_service.get_single_config_info') as mock_get_config:
+            # tenant2 has the name we're looking for
+            mock_get_config.side_effect = [
+                {"config_value": "Tenant 1"},  # tenant1
+                {"config_value": "Existing Tenant"},  # tenant2 - match!
+                {"config_value": "Tenant 3"}   # tenant3
+            ]
+
+            # Execute
+            result = check_tenant_name_exists(tenant_name)
+
+            # Assert
+            assert result is True
+
+    def test_check_tenant_name_exists_excludes_specified_tenant(self):
+        """Test check_tenant_name_exists excludes the specified tenant ID when checking"""
+        # Setup
+        tenant_name = "My Tenant"
+        exclude_tenant_id = "tenant2"
+        tenant_ids = ["tenant1", "tenant2", "tenant3"]
+
+        # Mock with fresh mocks
+        with patch('backend.services.tenant_service.get_all_tenant_ids', return_value=tenant_ids), \
+             patch('backend.services.tenant_service.get_single_config_info') as mock_get_config:
+            # tenant2 has the name, but should be excluded
+            mock_get_config.side_effect = [
+                {"config_value": "My Tenant"},  # tenant1 - match (not excluded)
+                {"config_value": "My Tenant"},  # tenant2 - would match but excluded
+                {"config_value": "Tenant 3"}   # tenant3
+            ]
+
+            # Execute
+            result = check_tenant_name_exists(tenant_name, exclude_tenant_id=exclude_tenant_id)
+
+            # Assert - should return True because tenant1 has the name
+            assert result is True
+
+    def test_check_tenant_name_exists_empty_tenant_list(self):
+        """Test check_tenant_name_exists returns False when no tenants exist"""
+        # Setup
+        tenant_name = "Any Tenant"
+
+        # Mock dependencies - no tenants
+        with patch('backend.services.tenant_service.get_all_tenant_ids', return_value=[]):
+
+            # Execute
+            result = check_tenant_name_exists(tenant_name)
+
+            # Assert
+            assert result is False
+
+    def test_check_tenant_name_exists_case_sensitive(self):
+        """Test check_tenant_name_exists is case-sensitive"""
+        # Setup
+        tenant_name = "my tenant"  # lowercase
+        tenant_ids = ["tenant1"]
+
+        # Mock with fresh mock
+        with patch('backend.services.tenant_service.get_all_tenant_ids', return_value=tenant_ids), \
+             patch('backend.services.tenant_service.get_single_config_info') as mock_get_config:
+            mock_get_config.return_value = {"config_value": "My Tenant"}  # different case
+
+            # Execute
+            result = check_tenant_name_exists(tenant_name)
+
+            # Assert - should return False because comparison is case-sensitive
+            assert result is False
+
+    def test_check_tenant_name_exists_with_empty_name_config(self):
+        """Test check_tenant_name_exists handles tenants with empty name config"""
+        # Setup
+        tenant_name = "Test Tenant"
+        tenant_ids = ["tenant1", "tenant2"]
+
+        # Mock with fresh mocks
+        with patch('backend.services.tenant_service.get_all_tenant_ids', return_value=tenant_ids), \
+             patch('backend.services.tenant_service.get_single_config_info') as mock_get_config:
+            # tenant1 has empty name config (empty dict is falsy), tenant2 has different name
+            mock_get_config.side_effect = [
+                None,  # tenant1 - empty/falsy config
+                {"config_value": "Other Tenant"}  # tenant2
+            ]
+
+            # Execute
+            result = check_tenant_name_exists(tenant_name)
+
+            # Assert - should return False because no tenant has "Test Tenant"
+            assert result is False
+
+            # Assert
+            assert result is False
+
diff --git a/test/backend/services/test_tool_configuration_service.py b/test/backend/services/test_tool_configuration_service.py
index 045d79b84..22fde0dd7 100644
--- a/test/backend/services/test_tool_configuration_service.py
+++ b/test/backend/services/test_tool_configuration_service.py
@@ -637,6 +637,62 @@ def test_update_tool_info_impl_database_error(self, mock_update_tool_info_impl,
         with pytest.raises(Exception):
             update_tool_info_impl(mock_request, "test_tenant", "test_user")
 
+    @patch('backend.services.tool_configuration_service.create_or_update_tool_by_tool_info')
+    def test_update_tool_info_impl_with_version_no_zero(self, mock_create_update):
+        """Test update_tool_info_impl when version_no is 0"""
+        mock_request = Mock(spec=ToolInstanceInfoRequest)
+        mock_request.version_no = 0
+        mock_request.__dict__ = {"agent_id": 1, "tool_id": 1, "version_no": 0}
+        mock_tool_instance = {"id": 1, "name": "test_tool"}
+        mock_create_update.return_value = mock_tool_instance
+
+        from backend.services.tool_configuration_service import update_tool_info_impl
+        result = update_tool_info_impl(mock_request, "test_tenant", "test_user")
+
+        assert result["tool_instance"] == mock_tool_instance
+        # Verify that create_or_update_tool_by_tool_info was called with version_no=0
+        mock_create_update.assert_called_once_with(
+            mock_request, "test_tenant", "test_user", version_no=0)
+
+    @patch('backend.services.tool_configuration_service.create_or_update_tool_by_tool_info')
+    def test_update_tool_info_impl_without_version_no(self, mock_create_update):
+        """Test update_tool_info_impl when version_no is not provided (should default to 0)"""
+        # Create a simple object without version_no attribute
+        class MockToolInfoWithoutVersion:
+            def __init__(self):
+                self.agent_id = 1
+                self.tool_id = 1
+                # Explicitly do not set version_no
+        
+        mock_request = MockToolInfoWithoutVersion()
+        mock_tool_instance = {"id": 1, "name": "test_tool"}
+        mock_create_update.return_value = mock_tool_instance
+
+        from backend.services.tool_configuration_service import update_tool_info_impl
+        result = update_tool_info_impl(mock_request, "test_tenant", "test_user")
+
+        assert result["tool_instance"] == mock_tool_instance
+        # Verify that create_or_update_tool_by_tool_info was called with version_no=0 (default)
+        mock_create_update.assert_called_once_with(
+            mock_request, "test_tenant", "test_user", version_no=0)
+
+    @patch('backend.services.tool_configuration_service.create_or_update_tool_by_tool_info')
+    def test_update_tool_info_impl_with_version_no_non_zero(self, mock_create_update):
+        """Test update_tool_info_impl when version_no is not 0"""
+        mock_request = Mock(spec=ToolInstanceInfoRequest)
+        mock_request.version_no = 5
+        mock_request.__dict__ = {"agent_id": 1, "tool_id": 1, "version_no": 5}
+        mock_tool_instance = {"id": 1, "name": "test_tool"}
+        mock_create_update.return_value = mock_tool_instance
+
+        from backend.services.tool_configuration_service import update_tool_info_impl
+        result = update_tool_info_impl(mock_request, "test_tenant", "test_user")
+
+        assert result["tool_instance"] == mock_tool_instance
+        # Verify that create_or_update_tool_by_tool_info was called with version_no=5
+        mock_create_update.assert_called_once_with(
+            mock_request, "test_tenant", "test_user", version_no=5)
+
 
 class TestListAllTools:
     """ test the function of list_all_tools"""
@@ -1850,12 +1906,10 @@ class TestValidateLocalToolKnowledgeBaseSearch:
 
     @patch('backend.services.tool_configuration_service._get_tool_class_by_name')
     @patch('backend.services.tool_configuration_service.inspect.signature')
-    @patch('backend.services.tool_configuration_service.get_selected_knowledge_list')
-    @patch('backend.services.tool_configuration_service.build_knowledge_name_mapping')
     @patch('backend.services.tool_configuration_service.get_embedding_model')
     @patch('backend.services.tool_configuration_service.get_vector_db_core')
     def test_validate_local_tool_knowledge_base_search_success(self, mock_get_vector_db_core, mock_get_embedding_model,
-                                                               mock_build_mapping, mock_get_knowledge_list, mock_signature, mock_get_class):
+                                                               mock_signature, mock_get_class):
         """Test successful knowledge_base_search tool validation with proper dependencies"""
         # Mock tool class
         mock_tool_class = Mock()
@@ -1867,25 +1921,19 @@ def test_validate_local_tool_knowledge_base_search_success(self, mock_get_vector
 
         # Mock signature for knowledge_base_search tool
         mock_sig = Mock()
+        mock_index_names_param = Mock()
+        mock_index_names_param.default = ["default_index"]
+        
         mock_sig.parameters = {
             'self': Mock(),
-            'index_names': Mock(),
+            'index_names': mock_index_names_param,
             'vdb_core': Mock(),
             'embedding_model': Mock()
         }
         mock_signature.return_value = mock_sig
 
         # Mock knowledge base dependencies
-        mock_knowledge_list = [
-            {"index_name": "index1", "knowledge_id": "kb1",
-                "knowledge_sources": "elasticsearch"},
-            {"index_name": "index2", "knowledge_id": "kb2",
-                "knowledge_sources": "elasticsearch"}
-        ]
-        mock_get_knowledge_list.return_value = mock_knowledge_list
         mock_get_embedding_model.return_value = "mock_embedding_model"
-        mock_build_mapping.return_value = {
-            "index1": "index1", "alias2": "index2"}
         mock_vdb_core = Mock()
         mock_get_vector_db_core.return_value = mock_vdb_core
 
@@ -1905,8 +1953,7 @@ def test_validate_local_tool_knowledge_base_search_success(self, mock_get_vector
         # Verify knowledge base specific parameters were passed
         expected_params = {
             "param": "config",
-            "index_names": ["index1", "index2"],
-            "name_resolver": {"index1": "index1", "alias2": "index2"},
+            "index_names": ["default_index"],
             "vdb_core": mock_vdb_core,
             "embedding_model": "mock_embedding_model",
         }
@@ -1914,76 +1961,98 @@ def test_validate_local_tool_knowledge_base_search_success(self, mock_get_vector
         mock_tool_instance.forward.assert_called_once_with(query="test query")
 
         # Verify service calls
-        mock_get_knowledge_list.assert_called_once_with(
-            tenant_id="tenant1", user_id="user1")
-        mock_build_mapping.assert_called_once_with(
-            tenant_id="tenant1", user_id="user1")
         mock_get_embedding_model.assert_called_once_with(tenant_id="tenant1")
 
     @patch('backend.services.tool_configuration_service._get_tool_class_by_name')
-    def test_validate_local_tool_knowledge_base_search_missing_tenant_id(self, mock_get_class):
+    @patch('backend.services.tool_configuration_service.get_embedding_model')
+    @patch('backend.services.tool_configuration_service.get_vector_db_core')
+    def test_validate_local_tool_knowledge_base_search_missing_tenant_id(self, mock_get_vector_db_core,
+                                                                        mock_get_embedding_model, mock_get_class):
         """Test knowledge_base_search tool validation when tenant_id is missing"""
         mock_tool_class = Mock()
+        mock_tool_instance = Mock()
+        mock_tool_instance.forward.return_value = "knowledge base search result"
+        mock_tool_class.return_value = mock_tool_instance
         mock_get_class.return_value = mock_tool_class
 
+        mock_get_embedding_model.return_value = "mock_embedding_model"
+        mock_get_vector_db_core.return_value = Mock()
+
         from backend.services.tool_configuration_service import _validate_local_tool
 
-        with pytest.raises(ToolExecutionException,
-                           match="Tenant ID and User ID are required for knowledge_base_search validation"):
-            _validate_local_tool(
-                "knowledge_base_search",
-                {"query": "test query"},
-                {"param": "config"},
-                None,  # Missing tenant_id
-                "user1"
-            )
+        # knowledge_base_search doesn't require tenant_id/user_id in current implementation
+        result = _validate_local_tool(
+            "knowledge_base_search",
+            {"query": "test query"},
+            {"param": "config"},
+            None,  # Missing tenant_id
+            "user1"
+        )
+
+        assert result == "knowledge base search result"
 
     @patch('backend.services.tool_configuration_service._get_tool_class_by_name')
-    def test_validate_local_tool_knowledge_base_search_missing_user_id(self, mock_get_class):
+    @patch('backend.services.tool_configuration_service.get_embedding_model')
+    @patch('backend.services.tool_configuration_service.get_vector_db_core')
+    def test_validate_local_tool_knowledge_base_search_missing_user_id(self, mock_get_vector_db_core,
+                                                                       mock_get_embedding_model, mock_get_class):
         """Test knowledge_base_search tool validation when user_id is missing"""
         mock_tool_class = Mock()
+        mock_tool_instance = Mock()
+        mock_tool_instance.forward.return_value = "knowledge base search result"
+        mock_tool_class.return_value = mock_tool_instance
         mock_get_class.return_value = mock_tool_class
 
+        mock_get_embedding_model.return_value = "mock_embedding_model"
+        mock_get_vector_db_core.return_value = Mock()
+
         from backend.services.tool_configuration_service import _validate_local_tool
 
-        with pytest.raises(ToolExecutionException,
-                           match="Tenant ID and User ID are required for knowledge_base_search validation"):
-            _validate_local_tool(
-                "knowledge_base_search",
-                {"query": "test query"},
-                {"param": "config"},
-                "tenant1",
-                None  # Missing user_id
-            )
+        # knowledge_base_search doesn't require tenant_id/user_id in current implementation
+        result = _validate_local_tool(
+            "knowledge_base_search",
+            {"query": "test query"},
+            {"param": "config"},
+            "tenant1",
+            None  # Missing user_id
+        )
+
+        assert result == "knowledge base search result"
 
     @patch('backend.services.tool_configuration_service._get_tool_class_by_name')
-    def test_validate_local_tool_knowledge_base_search_missing_both_ids(self, mock_get_class):
+    @patch('backend.services.tool_configuration_service.get_embedding_model')
+    @patch('backend.services.tool_configuration_service.get_vector_db_core')
+    def test_validate_local_tool_knowledge_base_search_missing_both_ids(self, mock_get_vector_db_core,
+                                                                        mock_get_embedding_model, mock_get_class):
         """Test knowledge_base_search tool validation when both tenant_id and user_id are missing"""
         mock_tool_class = Mock()
+        mock_tool_instance = Mock()
+        mock_tool_instance.forward.return_value = "knowledge base search result"
+        mock_tool_class.return_value = mock_tool_instance
         mock_get_class.return_value = mock_tool_class
 
+        mock_get_embedding_model.return_value = "mock_embedding_model"
+        mock_get_vector_db_core.return_value = Mock()
+
         from backend.services.tool_configuration_service import _validate_local_tool
 
-        with pytest.raises(ToolExecutionException,
-                           match="Tenant ID and User ID are required for knowledge_base_search validation"):
-            _validate_local_tool(
-                "knowledge_base_search",
-                {"query": "test query"},
-                {"param": "config"},
-                None,  # Missing tenant_id
-                None   # Missing user_id
-            )
+        # knowledge_base_search doesn't require tenant_id/user_id in current implementation
+        result = _validate_local_tool(
+            "knowledge_base_search",
+            {"query": "test query"},
+            {"param": "config"},
+            None,  # Missing tenant_id
+            None   # Missing user_id
+        )
+
+        assert result == "knowledge base search result"
 
     @patch('backend.services.tool_configuration_service._get_tool_class_by_name')
     @patch('backend.services.tool_configuration_service.inspect.signature')
-    @patch('backend.services.tool_configuration_service.get_selected_knowledge_list')
-    @patch('backend.services.tool_configuration_service.build_knowledge_name_mapping')
     @patch('backend.services.tool_configuration_service.get_embedding_model')
     @patch('backend.services.tool_configuration_service.get_vector_db_core')
     def test_validate_local_tool_knowledge_base_search_empty_knowledge_list(self, mock_get_vector_db_core,
                                                                             mock_get_embedding_model,
-                                                                            mock_build_mapping,
-                                                                            mock_get_knowledge_list,
                                                                             mock_signature,
                                                                             mock_get_class):
         """Test knowledge_base_search tool validation with empty knowledge list"""
@@ -1997,18 +2066,18 @@ def test_validate_local_tool_knowledge_base_search_empty_knowledge_list(self, mo
 
         # Mock signature for knowledge_base_search tool
         mock_sig = Mock()
+        mock_index_names_param = Mock()
+        mock_index_names_param.default = []
         mock_sig.parameters = {
             'self': Mock(),
-            'index_names': Mock(),
+            'index_names': mock_index_names_param,
             'vdb_core': Mock(),
             'embedding_model': Mock()
         }
         mock_signature.return_value = mock_sig
 
         # Mock empty knowledge list
-        mock_get_knowledge_list.return_value = []
         mock_get_embedding_model.return_value = "mock_embedding_model"
-        mock_build_mapping.return_value = {}
         mock_vdb_core = Mock()
         mock_get_vector_db_core.return_value = mock_vdb_core
 
@@ -2028,90 +2097,19 @@ def test_validate_local_tool_knowledge_base_search_empty_knowledge_list(self, mo
         expected_params = {
             "param": "config",
             "index_names": [],
-            "name_resolver": {},
             "vdb_core": mock_vdb_core,
             "embedding_model": "mock_embedding_model",
         }
         mock_tool_class.assert_called_once_with(**expected_params)
         mock_tool_instance.forward.assert_called_once_with(query="test query")
 
-    @patch('backend.services.tool_configuration_service._get_tool_class_by_name')
-    @patch('backend.services.tool_configuration_service.inspect.signature')
-    @patch('backend.services.tool_configuration_service.get_selected_knowledge_list')
-    @patch('backend.services.tool_configuration_service.build_knowledge_name_mapping')
-    @patch('backend.services.tool_configuration_service.get_embedding_model')
-    @patch('backend.services.tool_configuration_service.get_vector_db_core')
-    @patch('backend.services.tool_configuration_service.get_index_name_by_knowledge_name')
-    def test_validate_local_tool_knowledge_base_search_resolves_inputs_indices(self,
-                                                                               mock_get_index_name,
-                                                                               mock_get_vector_db_core,
-                                                                               mock_get_embedding_model,
-                                                                               mock_build_mapping,
-                                                                               mock_get_knowledge_list,
-                                                                               mock_signature,
-                                                                               mock_get_class):
-        """Resolve index_names from user input when no stored selections exist."""
-        mock_tool_class = Mock()
-        mock_tool_instance = Mock()
-        mock_tool_instance.forward.return_value = "resolved result"
-        mock_tool_class.return_value = mock_tool_instance
-        mock_get_class.return_value = mock_tool_class
-
-        mock_sig = Mock()
-        mock_sig.parameters = {
-            'self': Mock(),
-            'index_names': Mock(),
-            'vdb_core': Mock(),
-            'embedding_model': Mock()
-        }
-        mock_signature.return_value = mock_sig
-
-        mock_get_knowledge_list.return_value = []  # No stored selections
-        mock_build_mapping.return_value = {"existing": "existing_index"}
-        mock_get_embedding_model.return_value = "mock_embedding"
-        mock_vdb_core = Mock()
-        mock_get_vector_db_core.return_value = mock_vdb_core
-
-        # First alias resolves; second keeps raw value on exception
-        mock_get_index_name.side_effect = [
-            "resolved_index", Exception("not found")]
-
-        from backend.services.tool_configuration_service import _validate_local_tool
-
-        result = _validate_local_tool(
-            "knowledge_base_search",
-            {"query": "q", "index_names": ["alias1", "raw_index"]},
-            {"param": "config"},
-            "tenant1",
-            "user1"
-        )
-
-        assert result == "resolved result"
-        expected_params = {
-            "param": "config",
-            "index_names": ["resolved_index", "raw_index"],
-            "name_resolver": {"existing": "existing_index", "alias1": "resolved_index"},
-            "vdb_core": mock_vdb_core,
-            "embedding_model": "mock_embedding",
-        }
-        mock_tool_class.assert_called_once_with(**expected_params)
-        mock_tool_instance.forward.assert_called_once_with(
-            query="q", index_names=["alias1", "raw_index"]
-        )
-        assert mock_get_index_name.call_count == 2
-        mock_get_index_name.assert_any_call("alias1", tenant_id="tenant1")
-        mock_get_index_name.assert_any_call("raw_index", tenant_id="tenant1")
 
     @patch('backend.services.tool_configuration_service._get_tool_class_by_name')
     @patch('backend.services.tool_configuration_service.inspect.signature')
-    @patch('backend.services.tool_configuration_service.get_selected_knowledge_list')
-    @patch('backend.services.tool_configuration_service.build_knowledge_name_mapping')
     @patch('backend.services.tool_configuration_service.get_embedding_model')
     @patch('backend.services.tool_configuration_service.get_vector_db_core')
     def test_validate_local_tool_knowledge_base_search_execution_error(self, mock_get_vector_db_core,
                                                                        mock_get_embedding_model,
-                                                                       mock_build_mapping,
-                                                                       mock_get_knowledge_list,
                                                                        mock_signature,
                                                                        mock_get_class):
         """Test knowledge_base_search tool validation when execution fails"""
@@ -2126,19 +2124,18 @@ def test_validate_local_tool_knowledge_base_search_execution_error(self, mock_ge
 
         # Mock signature for knowledge_base_search tool
         mock_sig = Mock()
+        mock_index_names_param = Mock()
+        mock_index_names_param.default = ["default_index"]
         mock_sig.parameters = {
             'self': Mock(),
-            'index_names': Mock(),
+            'index_names': mock_index_names_param,
             'vdb_core': Mock(),
             'embedding_model': Mock()
         }
         mock_signature.return_value = mock_sig
 
         # Mock knowledge base dependencies
-        mock_knowledge_list = [{"index_name": "index1", "knowledge_id": "kb1"}]
-        mock_get_knowledge_list.return_value = mock_knowledge_list
         mock_get_embedding_model.return_value = "mock_embedding_model"
-        mock_build_mapping.return_value = {"index1": "index1"}
         mock_vdb_core = Mock()
         mock_get_vector_db_core.return_value = mock_vdb_core
 
@@ -2231,9 +2228,7 @@ class TestValidateLocalToolDatamateSearchTool:
 
     @patch('backend.services.tool_configuration_service._get_tool_class_by_name')
     @patch('backend.services.tool_configuration_service.inspect.signature')
-    @patch('backend.services.tool_configuration_service.get_selected_knowledge_list')
-    def test_validate_local_tool_datamate_search_tool_success(self, mock_get_knowledge_list,
-                                                              mock_signature, mock_get_class):
+    def test_validate_local_tool_datamate_search_tool_success(self, mock_signature, mock_get_class):
         """Test successful datamate_search_tool validation with proper dependencies"""
         # Mock tool class
         mock_tool_class = Mock()
@@ -2244,24 +2239,16 @@ def test_validate_local_tool_datamate_search_tool_success(self, mock_get_knowled
         mock_get_class.return_value = mock_tool_class
 
         # Mock signature for datamate_search_tool
+        # _validate_local_tool fills missing instantiation params from signature defaults.
+        # For datamate_search there is no special index selection logic, so index_names
+        # should come from the default value (empty list).
         mock_sig = Mock()
         mock_sig.parameters = {
             'self': Mock(),
-            'index_names': Mock(),
+            'index_names': Mock(default=Mock(default=[])),
         }
         mock_signature.return_value = mock_sig
 
-        # Mock knowledge base dependencies - only datamate sources
-        mock_knowledge_list = [
-            {"index_name": "datamate_index1", "knowledge_id": "kb1",
-                "knowledge_sources": "datamate"},
-            {"index_name": "datamate_index2", "knowledge_id": "kb2",
-                "knowledge_sources": "datamate"},
-            {"index_name": "other_index", "knowledge_id": "kb3",
-                "knowledge_sources": "other"}  # Should be filtered out
-        ]
-        mock_get_knowledge_list.return_value = mock_knowledge_list
-
         from backend.services.tool_configuration_service import _validate_local_tool
 
         result = _validate_local_tool(
@@ -2278,75 +2265,78 @@ def test_validate_local_tool_datamate_search_tool_success(self, mock_get_knowled
         # Verify datamate_search_tool specific parameters were passed
         expected_params = {
             "param": "config",
-            # Only datamate sources
-            "index_names": ["datamate_index1", "datamate_index2"],
+            # Filled from signature default
+            "index_names": [],
         }
         mock_tool_class.assert_called_once_with(**expected_params)
         mock_tool_instance.forward.assert_called_once_with(query="test query")
 
-        # Verify service calls
-        mock_get_knowledge_list.assert_called_once_with(
-            tenant_id="tenant1", user_id="user1")
-
     @patch('backend.services.tool_configuration_service._get_tool_class_by_name')
     def test_validate_local_tool_datamate_search_tool_missing_tenant_id(self, mock_get_class):
         """Test datamate_search_tool validation when tenant_id is missing"""
         mock_tool_class = Mock()
+        mock_tool_instance = Mock()
+        mock_tool_instance.forward.return_value = "datamate search result"
+        mock_tool_class.return_value = mock_tool_instance
         mock_get_class.return_value = mock_tool_class
 
         from backend.services.tool_configuration_service import _validate_local_tool
 
-        with pytest.raises(ToolExecutionException,
-                           match=r"Local tool datamate_search validation failed: Tenant ID and User ID are required for datamate_search validation"):
-            _validate_local_tool(
-                "datamate_search",
-                {"query": "test query"},
-                {"param": "config"},
-                None,  # Missing tenant_id
-                "user1"
-            )
+        # datamate_search does not require tenant/user in current implementation
+        result = _validate_local_tool(
+            "datamate_search",
+            {"query": "test query"},
+            {"param": "config"},
+            None,  # Missing tenant_id
+            "user1"
+        )
+        assert result == "datamate search result"
 
     @patch('backend.services.tool_configuration_service._get_tool_class_by_name')
     def test_validate_local_tool_datamate_search_tool_missing_user_id(self, mock_get_class):
         """Test datamate_search_tool validation when user_id is missing"""
         mock_tool_class = Mock()
+        mock_tool_instance = Mock()
+        mock_tool_instance.forward.return_value = "datamate search result"
+        mock_tool_class.return_value = mock_tool_instance
         mock_get_class.return_value = mock_tool_class
 
         from backend.services.tool_configuration_service import _validate_local_tool
 
-        with pytest.raises(ToolExecutionException,
-                           match=r"Local tool datamate_search validation failed: Tenant ID and User ID are required for datamate_search validation"):
-            _validate_local_tool(
-                "datamate_search",
-                {"query": "test query"},
-                {"param": "config"},
-                "tenant1",
-                None  # Missing user_id
-            )
+        # datamate_search does not require tenant/user in current implementation
+        result = _validate_local_tool(
+            "datamate_search",
+            {"query": "test query"},
+            {"param": "config"},
+            "tenant1",
+            None  # Missing user_id
+        )
+        assert result == "datamate search result"
 
     @patch('backend.services.tool_configuration_service._get_tool_class_by_name')
     def test_validate_local_tool_datamate_search_tool_missing_both_ids(self, mock_get_class):
         """Test datamate_search_tool validation when both tenant_id and user_id are missing"""
         mock_tool_class = Mock()
+        mock_tool_instance = Mock()
+        mock_tool_instance.forward.return_value = "datamate search result"
+        mock_tool_class.return_value = mock_tool_instance
         mock_get_class.return_value = mock_tool_class
 
         from backend.services.tool_configuration_service import _validate_local_tool
 
-        with pytest.raises(ToolExecutionException,
-                           match=r"Local tool datamate_search validation failed: Tenant ID and User ID are required for datamate_search validation"):
-            _validate_local_tool(
-                "datamate_search",
-                {"query": "test query"},
-                {"param": "config"},
-                None,  # Missing tenant_id
-                None   # Missing user_id
-            )
+        # datamate_search does not require tenant/user in current implementation
+        result = _validate_local_tool(
+            "datamate_search",
+            {"query": "test query"},
+            {"param": "config"},
+            None,  # Missing tenant_id
+            None   # Missing user_id
+        )
+        assert result == "datamate search result"
 
     @patch('backend.services.tool_configuration_service._get_tool_class_by_name')
     @patch('backend.services.tool_configuration_service.inspect.signature')
-    @patch('backend.services.tool_configuration_service.get_selected_knowledge_list')
-    def test_validate_local_tool_datamate_search_tool_empty_knowledge_list(self, mock_get_knowledge_list,
-                                                                           mock_signature, mock_get_class):
+    def test_validate_local_tool_datamate_search_tool_empty_knowledge_list(self, mock_signature, mock_get_class):
         """Test datamate_search_tool validation with empty knowledge list"""
         # Mock tool class
         mock_tool_class = Mock()
@@ -2356,17 +2346,14 @@ def test_validate_local_tool_datamate_search_tool_empty_knowledge_list(self, moc
 
         mock_get_class.return_value = mock_tool_class
 
-        # Mock signature for datamate_search_tool
+        # Mock signature for datamate_search_tool (default empty list)
         mock_sig = Mock()
         mock_sig.parameters = {
             'self': Mock(),
-            'index_names': Mock(),
+            'index_names': Mock(default=Mock(default=[])),
         }
         mock_signature.return_value = mock_sig
 
-        # Mock empty knowledge list
-        mock_get_knowledge_list.return_value = []
-
         from backend.services.tool_configuration_service import _validate_local_tool
 
         result = _validate_local_tool(
@@ -2389,9 +2376,7 @@ def test_validate_local_tool_datamate_search_tool_empty_knowledge_list(self, moc
 
     @patch('backend.services.tool_configuration_service._get_tool_class_by_name')
     @patch('backend.services.tool_configuration_service.inspect.signature')
-    @patch('backend.services.tool_configuration_service.get_selected_knowledge_list')
-    def test_validate_local_tool_datamate_search_tool_no_datamate_sources(self, mock_get_knowledge_list,
-                                                                          mock_signature, mock_get_class):
+    def test_validate_local_tool_datamate_search_tool_no_datamate_sources(self, mock_signature, mock_get_class):
         """Test datamate_search_tool validation when no datamate sources exist"""
         # Mock tool class
         mock_tool_class = Mock()
@@ -2401,23 +2386,14 @@ def test_validate_local_tool_datamate_search_tool_no_datamate_sources(self, mock
 
         mock_get_class.return_value = mock_tool_class
 
-        # Mock signature for datamate_search_tool
+        # Mock signature for datamate_search_tool (default empty list)
         mock_sig = Mock()
         mock_sig.parameters = {
             'self': Mock(),
-            'index_names': Mock(),
+            'index_names': Mock(default=Mock(default=[])),
         }
         mock_signature.return_value = mock_sig
 
-        # Mock knowledge list with no datamate sources
-        mock_knowledge_list = [
-            {"index_name": "other_index1", "knowledge_id": "kb1",
-                "knowledge_sources": "other"},
-            {"index_name": "other_index2", "knowledge_id": "kb2",
-                "knowledge_sources": "filesystem"}
-        ]
-        mock_get_knowledge_list.return_value = mock_knowledge_list
-
         from backend.services.tool_configuration_service import _validate_local_tool
 
         result = _validate_local_tool(
@@ -2440,9 +2416,7 @@ def test_validate_local_tool_datamate_search_tool_no_datamate_sources(self, mock
 
     @patch('backend.services.tool_configuration_service._get_tool_class_by_name')
     @patch('backend.services.tool_configuration_service.inspect.signature')
-    @patch('backend.services.tool_configuration_service.get_selected_knowledge_list')
-    def test_validate_local_tool_datamate_search_tool_execution_error(self, mock_get_knowledge_list,
-                                                                      mock_signature, mock_get_class):
+    def test_validate_local_tool_datamate_search_tool_execution_error(self, mock_signature, mock_get_class):
         """Test datamate_search_tool validation when execution fails"""
         # Mock tool class
         mock_tool_class = Mock()
@@ -2461,13 +2435,6 @@ def test_validate_local_tool_datamate_search_tool_execution_error(self, mock_get
         }
         mock_signature.return_value = mock_sig
 
-        # Mock knowledge base dependencies
-        mock_knowledge_list = [
-            {"index_name": "datamate_index1", "knowledge_id": "kb1",
-                "knowledge_sources": "datamate"}
-        ]
-        mock_get_knowledge_list.return_value = mock_knowledge_list
-
         from backend.services.tool_configuration_service import _validate_local_tool
 
         with pytest.raises(ToolExecutionException,
@@ -2723,5 +2690,113 @@ def test_get_llm_model_with_different_tenant_ids(self, mock_tenant_config, mock_
         assert mock_tenant_config.get_model_config.call_args_list[1][1]["tenant_id"] == "tenant2"
 
 
+class TestInitToolListForTenant:
+    """Test cases for init_tool_list_for_tenant function"""
+
+    @pytest.mark.asyncio
+    @patch('backend.services.tool_configuration_service.check_tool_list_initialized')
+    @patch('backend.services.tool_configuration_service.update_tool_list', new_callable=AsyncMock)
+    async def test_init_tool_list_for_tenant_success_new_tenant(self, mock_update_tool_list, mock_check_initialized):
+        """Test successful initialization for a new tenant"""
+        # Mock that tools are not yet initialized for this tenant
+        mock_check_initialized.return_value = False
+
+        from backend.services.tool_configuration_service import init_tool_list_for_tenant
+
+        result = await init_tool_list_for_tenant("new_tenant_id", "user_id_123")
+
+        # Verify that initialization was successful
+        assert result["status"] == "success"
+        assert result["message"] == "Tool list initialized successfully"
+        mock_check_initialized.assert_called_once_with("new_tenant_id")
+        mock_update_tool_list.assert_called_once_with(tenant_id="new_tenant_id", user_id="user_id_123")
+
+    @pytest.mark.asyncio
+    @patch('backend.services.tool_configuration_service.check_tool_list_initialized')
+    async def test_init_tool_list_for_tenant_already_initialized(self, mock_check_initialized):
+        """Test that initialization is skipped for already initialized tenant"""
+        # Mock that tools are already initialized for this tenant
+        mock_check_initialized.return_value = True
+
+        from backend.services.tool_configuration_service import init_tool_list_for_tenant
+
+        result = await init_tool_list_for_tenant("existing_tenant_id", "user_id_456")
+
+        # Verify that initialization was skipped
+        assert result["status"] == "already_initialized"
+        assert result["message"] == "Tool list already exists"
+        mock_check_initialized.assert_called_once_with("existing_tenant_id")
+
+    @pytest.mark.asyncio
+    @patch('backend.services.tool_configuration_service.check_tool_list_initialized')
+    @patch('backend.services.tool_configuration_service.update_tool_list', new_callable=AsyncMock)
+    @patch('backend.services.tool_configuration_service.logger')
+    async def test_init_tool_list_for_tenant_logging(self, mock_logger, mock_update_tool_list, mock_check_initialized):
+        """Test that init_tool_list_for_tenant logs appropriately"""
+        mock_check_initialized.return_value = False
+
+        from backend.services.tool_configuration_service import init_tool_list_for_tenant
+
+        await init_tool_list_for_tenant("tenant_xyz", "user_abc")
+
+        # Verify that info log was called for new tenant
+        mock_logger.info.assert_any_call(f"Initializing tool list for new tenant: tenant_xyz")
+
+
+class TestUpdateToolList:
+    """Test cases for update_tool_list function"""
+
+    @pytest.mark.asyncio
+    @patch('backend.services.tool_configuration_service.get_local_tools')
+    @patch('backend.services.tool_configuration_service.get_langchain_tools')
+    @patch('backend.services.tool_configuration_service.get_all_mcp_tools', new_callable=AsyncMock)
+    @patch('backend.services.tool_configuration_service.update_tool_table_from_scan_tool_list')
+    async def test_update_tool_list_success(self, mock_update_table, mock_get_mcp, mock_get_langchain, mock_get_local):
+        """Test successful tool list update"""
+        # Mock tools
+        mock_local_tools = [MagicMock(), MagicMock()]
+        mock_langchain_tools = [MagicMock()]
+        mock_mcp_tools = [MagicMock(), MagicMock(), MagicMock()]
+
+        mock_get_local.return_value = mock_local_tools
+        mock_get_langchain.return_value = mock_langchain_tools
+        mock_get_mcp.return_value = mock_mcp_tools
+
+        from backend.services.tool_configuration_service import update_tool_list
+
+        await update_tool_list("tenant123", "user456")
+
+        # Verify all tools were gathered and update was called
+        mock_get_local.assert_called_once()
+        mock_get_langchain.assert_called_once()
+        mock_get_mcp.assert_called_once_with("tenant123")
+
+    @pytest.mark.asyncio
+    @patch('backend.services.tool_configuration_service.get_local_tools')
+    @patch('backend.services.tool_configuration_service.get_langchain_tools')
+    @patch('backend.services.tool_configuration_service.get_all_mcp_tools', new_callable=AsyncMock)
+    @patch('backend.services.tool_configuration_service.update_tool_table_from_scan_tool_list')
+    async def test_update_tool_list_combines_all_sources(self, mock_update_table, mock_get_mcp, mock_get_langchain, mock_get_local):
+        """Test that update_tool_list combines tools from all sources"""
+        mock_local_tools = [MagicMock(name="local_tool_1")]
+        mock_langchain_tools = [MagicMock(name="langchain_tool_1")]
+        mock_mcp_tools = [MagicMock(name="mcp_tool_1")]
+
+        mock_get_local.return_value = mock_local_tools
+        mock_get_langchain.return_value = mock_langchain_tools
+        mock_get_mcp.return_value = mock_mcp_tools
+
+        from backend.services.tool_configuration_service import update_tool_list
+
+        await update_tool_list("tenant123", "user456")
+
+        # Get the tool_list argument passed to update_tool_table_from_scan_tool_list
+        call_args = mock_update_table.call_args
+        combined_tool_list = call_args.kwargs["tool_list"]
+
+        # Verify that combined list contains tools from all sources
+        assert len(combined_tool_list) == 3
+
+
 if __name__ == '__main__':
     unittest.main()
diff --git a/test/backend/services/test_user_management_service.py b/test/backend/services/test_user_management_service.py
index 8db2a09a1..a1358c41a 100644
--- a/test/backend/services/test_user_management_service.py
+++ b/test/backend/services/test_user_management_service.py
@@ -24,6 +24,7 @@
 sys.modules['services'] = MagicMock()
 sys.modules['services.invitation_service'] = MagicMock()
 sys.modules['services.group_service'] = MagicMock()
+sys.modules['services.tool_configuration_service'] = MagicMock()
 
 from consts.exceptions import NoInviteCodeException, IncorrectInviteCodeException, UserRegistrationException, UnauthorizedError
 
@@ -51,9 +52,9 @@
         signin_user,
         refresh_user_token,
         get_session_by_authorization,
-        revoke_regular_user,
         get_user_info,
-        format_role_permissions
+        format_role_permissions,
+        init_tool_list_for_tenant
     )
 
 # Functions to test
@@ -483,13 +484,15 @@ async def test_health_check_connection_error(self, mock_session_cls):
     @patch('backend.services.user_management_service.aiohttp.ClientSession')
     async def test_health_check_general_exception(self, mock_session_cls):
         """Test health check with general exception"""
-        mock_session_cls.side_effect = Exception("General error")
+        mock_session_cls.side_effect = Exception(
+            "General Function should raise the error")
 
-        # Function should raise the original exception
+        # original exception is raised as-is
         with self.assertRaises(Exception) as context:
             await check_auth_service_health()
 
-        self.assertIn("General error", str(context.exception))
+        self.assertIn("General Function should raise the error",
+                      str(context.exception))
 
     @patch.dict(os.environ, {'SUPABASE_URL': 'http://test.supabase.co', 'SUPABASE_KEY': 'test-key'})
     async def test_health_check_empty_data_dict(self):
@@ -552,13 +555,17 @@ async def test_signup_user_regular_user(self, mock_get_client, mock_verify_code,
         mock_get_client.return_value = mock_client
         mock_parse_response.return_value = {"user": "data"}
 
-        result = await signup_user("test@example.com", "password123")
+        # Mock init_tool_list_for_tenant as async function
+        with patch('backend.services.user_management_service.init_tool_list_for_tenant', new_callable=AsyncMock) as mock_init_tools:
+            result = await signup_user("test@example.com", "password123")
 
-        self.assertEqual(result, {"user": "data"})
-        mock_verify_code.assert_not_called()
-        mock_generate_tts.assert_not_called()
-        mock_insert_tenant.assert_called_once_with(user_id="user-123", tenant_id="tenant_id", user_email="test@example.com")
-        mock_parse_response.assert_called_once_with(False, mock_response, "user")
+            self.assertEqual(result, {"user": "data"})
+            mock_verify_code.assert_not_called()
+            mock_generate_tts.assert_not_called()
+            mock_insert_tenant.assert_called_once_with(user_id="user-123", tenant_id="tenant_id", user_email="test@example.com")
+            mock_parse_response.assert_called_once_with(False, mock_response, "user")
+            # Verify init_tool_list_for_tenant was called for new tenant
+            mock_init_tools.assert_called_once_with("tenant_id", "user-123")
 
     @patch('backend.services.user_management_service.parse_supabase_response')
     @patch('backend.services.user_management_service.insert_user_tenant')
@@ -575,11 +582,15 @@ async def test_signup_user_regular_without_invite_code(self, mock_get_client,
         mock_get_client.return_value = mock_client
         mock_parse_response.return_value = {"user": "data"}
 
-        result = await signup_user("user@example.com", "password123")
+        # Mock init_tool_list_for_tenant as async function
+        with patch('backend.services.user_management_service.init_tool_list_for_tenant', new_callable=AsyncMock) as mock_init_tools:
+            result = await signup_user("user@example.com", "password123")
 
-        self.assertEqual(result, {"user": "data"})
-        mock_insert_tenant.assert_called_once_with(user_id="user-123", tenant_id="tenant_id", user_email="user@example.com")
-        mock_parse_response.assert_called_once_with(False, mock_response, "user")
+            self.assertEqual(result, {"user": "data"})
+            mock_insert_tenant.assert_called_once_with(user_id="user-123", tenant_id="tenant_id", user_email="user@example.com")
+            mock_parse_response.assert_called_once_with(False, mock_response, "user")
+            # Verify init_tool_list_for_tenant was called
+            mock_init_tools.assert_called_once_with("tenant_id", "user-123")
 
     @patch('backend.services.user_management_service.get_supabase_client')
     async def test_signup_user_no_user_returned(self, mock_get_client):
@@ -636,16 +647,20 @@ async def test_signup_user_with_admin_invite_code(self, mock_get_client, mock_us
             {"group_id": 3, "user_id": "user-123", "already_member": False}
         ]
 
-        result = await signup_user_with_invitation("admin@example.com", "password123", invite_code="ADMIN123")
+        # Mock init_tool_list_for_tenant as async function
+        with patch('backend.services.user_management_service.init_tool_list_for_tenant', new_callable=AsyncMock) as mock_init_tools:
+            result = await signup_user_with_invitation("admin@example.com", "password123", invite_code="ADMIN123")
 
-        # Verify generate_tts_stt_4_admin was called for admin user
-        mock_generate_tts.assert_called_once_with("tenant_id", "user-123")
+            # Verify generate_tts_stt_4_admin was called for admin user
+            mock_generate_tts.assert_called_once_with("tenant_id", "user-123")
 
-        self.assertEqual(result, {"user": "admin_data"})
-        mock_insert_tenant.assert_called_once_with(user_id="user-123", tenant_id="tenant_id", user_role="ADMIN", user_email="admin@example.com")
-        mock_use_invite.assert_called_once_with("ADMIN123", "user-123")
-        mock_add_groups.assert_called_once_with("user-123", [1, 2, 3], "user-123")
-        mock_parse_response.assert_called_once_with(False, mock_response, "ADMIN")
+            self.assertEqual(result, {"user": "admin_data"})
+            mock_insert_tenant.assert_called_once_with(user_id="user-123", tenant_id="tenant_id", user_role="ADMIN", user_email="admin@example.com")
+            mock_use_invite.assert_called_once_with("ADMIN123", "user-123")
+            mock_add_groups.assert_called_once_with("user-123", [1, 2, 3], "user-123")
+            mock_parse_response.assert_called_once_with(False, mock_response, "ADMIN")
+            # Verify init_tool_list_for_tenant was called
+            mock_init_tools.assert_called_once_with("tenant_id", "user-123")
 
     @patch('backend.services.user_management_service.add_user_to_groups')
     @patch('backend.services.user_management_service.parse_supabase_response')
@@ -686,13 +701,17 @@ async def test_signup_user_with_dev_invite_code(self, mock_get_client, mock_use_
             {"group_id": 5, "user_id": "user-456", "already_member": False}
         ]
 
-        result = await signup_user_with_invitation("dev@example.com", "password123", invite_code="DEV456")
+        # Mock init_tool_list_for_tenant as async function
+        with patch('backend.services.user_management_service.init_tool_list_for_tenant', new_callable=AsyncMock) as mock_init_tools:
+            result = await signup_user_with_invitation("dev@example.com", "password123", invite_code="DEV456")
 
-        self.assertEqual(result, {"user": "dev_data"})
-        mock_insert_tenant.assert_called_once_with(user_id="user-456", tenant_id="tenant_id", user_role="DEV", user_email="dev@example.com")
-        mock_use_invite.assert_called_once_with("DEV456", "user-456")
-        mock_add_groups.assert_called_once_with("user-456", [4, 5], "user-456")
-        mock_parse_response.assert_called_once_with(False, mock_response, "DEV")
+            self.assertEqual(result, {"user": "dev_data"})
+            mock_insert_tenant.assert_called_once_with(user_id="user-456", tenant_id="tenant_id", user_role="DEV", user_email="dev@example.com")
+            mock_use_invite.assert_called_once_with("DEV456", "user-456")
+            mock_add_groups.assert_called_once_with("user-456", [4, 5], "user-456")
+            mock_parse_response.assert_called_once_with(False, mock_response, "DEV")
+            # Verify init_tool_list_for_tenant was called
+            mock_init_tools.assert_called_once_with("tenant_id", "user-456")
 
     @patch('backend.services.user_management_service.get_invitation_by_code')
     @patch('backend.services.user_management_service.check_invitation_available')
@@ -723,7 +742,8 @@ async def test_signup_user_with_invite_code_uppercase_conversion(self, mock_chec
         with patch('backend.services.user_management_service.get_supabase_client') as mock_get_client, \
              patch('backend.services.user_management_service.insert_user_tenant'), \
              patch('backend.services.user_management_service.parse_supabase_response') as mock_parse, \
-             patch('backend.services.user_management_service.use_invitation_code'):
+             patch('backend.services.user_management_service.use_invitation_code'), \
+             patch('backend.services.user_management_service.init_tool_list_for_tenant', new_callable=AsyncMock) as mock_init_tools:
 
             mock_user = MagicMock()
             mock_user.id = "user-123"
@@ -740,6 +760,8 @@ async def test_signup_user_with_invite_code_uppercase_conversion(self, mock_chec
             # Verify the code was converted to uppercase in the check
             mock_check_available.assert_called_with("LOWERCASE")
             mock_get_invite_code.assert_called_with("LOWERCASE")
+            # Verify init_tool_list_for_tenant was called
+            mock_init_tools.assert_called_once_with("tenant_id", "user-123")
 
     @patch('backend.services.user_management_service.get_invitation_by_code')
     @patch('backend.services.user_management_service.check_invitation_available')
@@ -771,7 +793,8 @@ async def test_signup_user_with_admin_invite_role_assignment(self, mock_check_av
              patch('backend.services.user_management_service.insert_user_tenant') as mock_insert_tenant, \
              patch('backend.services.user_management_service.parse_supabase_response') as mock_parse, \
              patch('backend.services.user_management_service.use_invitation_code'), \
-             patch('backend.services.user_management_service.generate_tts_stt_4_admin') as mock_generate_tts:
+             patch('backend.services.user_management_service.generate_tts_stt_4_admin') as mock_generate_tts, \
+             patch('backend.services.user_management_service.init_tool_list_for_tenant', new_callable=AsyncMock) as mock_init_tools:
 
             mock_user = MagicMock()
             mock_user.id = "user-123"
@@ -788,6 +811,8 @@ async def test_signup_user_with_admin_invite_role_assignment(self, mock_check_av
             mock_insert_tenant.assert_called_with(user_id="user-123", tenant_id="tenant_id", user_role="ADMIN", user_email="admin@example.com")
             mock_generate_tts.assert_called_once_with("tenant_id", "user-123")
             mock_parse.assert_called_with(False, mock_response, "ADMIN")
+            # Verify init_tool_list_for_tenant was called
+            mock_init_tools.assert_called_once_with("tenant_id", "user-123")
 
     @patch('backend.services.user_management_service.get_invitation_by_code')
     @patch('backend.services.user_management_service.check_invitation_available')
@@ -805,7 +830,8 @@ async def test_signup_user_with_dev_invite_role_assignment(self, mock_check_avai
         with patch('backend.services.user_management_service.get_supabase_client') as mock_get_client, \
              patch('backend.services.user_management_service.insert_user_tenant') as mock_insert_tenant, \
              patch('backend.services.user_management_service.parse_supabase_response') as mock_parse, \
-             patch('backend.services.user_management_service.use_invitation_code'):
+             patch('backend.services.user_management_service.use_invitation_code'), \
+             patch('backend.services.user_management_service.init_tool_list_for_tenant', new_callable=AsyncMock) as mock_init_tools:
 
             mock_user = MagicMock()
             mock_user.id = "user-123"
@@ -821,6 +847,8 @@ async def test_signup_user_with_dev_invite_role_assignment(self, mock_check_avai
             # Verify DEV role was assigned and TTS/STT generation was NOT called
             mock_insert_tenant.assert_called_with(user_id="user-123", tenant_id="tenant_id", user_role="DEV", user_email="dev@example.com")
             mock_parse.assert_called_with(False, mock_response, "DEV")
+            # Verify init_tool_list_for_tenant was called
+            mock_init_tools.assert_called_once_with("tenant_id", "user-123")
 
     @patch('backend.services.user_management_service.check_invitation_available')
     async def test_signup_user_with_invite_code_validation_exception_conversion(self, mock_check_available):
@@ -1117,70 +1145,6 @@ async def test_get_session_invalid_token(self, mock_validate_token):
         self.assertEqual(str(context.exception), "Session is invalid or expired")
 
 
-class TestRevokeRegularUser(unittest.IsolatedAsyncioTestCase):
-    """Tests for revoke_regular_user orchestration"""
-
-    @patch('backend.services.user_management_service.soft_delete_user_tenant_by_user_id')
-    @patch('backend.services.user_management_service.soft_delete_all_configs_by_user_id')
-    @patch('backend.services.user_management_service.soft_delete_all_conversations_by_user')
-    @patch('backend.services.user_management_service.build_memory_config')
-    @patch('backend.services.user_management_service.clear_memory', new_callable=AsyncMock)
-    @patch('backend.services.user_management_service.get_supabase_admin_client')
-    async def test_revoke_regular_user_happy_path(self, mock_get_admin, mock_clear, mock_build, mock_soft_conv, mock_soft_cfg, mock_soft_ut):
-        mock_admin = MagicMock()
-        mock_admin.auth.admin.delete_user = MagicMock()
-        mock_get_admin.return_value = mock_admin
-
-        await revoke_regular_user("u1", "t1")
-
-        mock_soft_ut.assert_called_once_with("u1", actor="u1")
-        mock_soft_cfg.assert_called_once_with("u1", actor="u1")
-        mock_soft_conv.assert_called_once_with("u1")
-        mock_build.assert_called_once_with("t1")
-        # clear_memory called for user and user_agent
-        assert mock_clear.await_count == 2
-        mock_get_admin.assert_called_once()
-        mock_admin.auth.admin.delete_user.assert_called_once_with("u1")
-
-    @patch('backend.services.user_management_service.soft_delete_user_tenant_by_user_id', side_effect=Exception("db"))
-    @patch('backend.services.user_management_service.soft_delete_all_configs_by_user_id', side_effect=Exception("db"))
-    @patch('backend.services.user_management_service.soft_delete_all_conversations_by_user', side_effect=Exception("db"))
-    @patch('backend.services.user_management_service.build_memory_config', side_effect=Exception("cfg"))
-    @patch('backend.services.user_management_service.clear_memory', new_callable=AsyncMock)
-    @patch('backend.services.user_management_service.get_supabase_admin_client', side_effect=Exception("admin"))
-    async def test_revoke_regular_user_best_effort(self, *_):
-        # Should not raise even if all steps fail; function swallows errors for idempotency
-        await revoke_regular_user("u1", "t1")
-
-    @patch('backend.services.user_management_service.soft_delete_user_tenant_by_user_id')
-    @patch('backend.services.user_management_service.soft_delete_all_configs_by_user_id')
-    @patch('backend.services.user_management_service.soft_delete_all_conversations_by_user')
-    @patch('backend.services.user_management_service.build_memory_config')
-    @patch('backend.services.user_management_service.clear_memory', new_callable=AsyncMock)
-    @patch('backend.services.user_management_service.get_supabase_admin_client')
-    async def test_revoke_regular_user_admin_client_unavailable(self, mock_get_admin, *_):
-        """Cover lines 371-372: admin client None or missing .auth.admin"""
-        # Return an object without auth.admin; should trigger RuntimeError branch and be logged
-        class NoAdmin:
-            pass
-        mock_get_admin.return_value = NoAdmin()
-
-        await revoke_regular_user("u1", "t1")
-        # No exception should escape
-
-    @patch('backend.services.user_management_service.logging.info', side_effect=Exception("log_fail"))
-    async def test_revoke_regular_user_outer_exception_swallowed(self, _mock_log):
-        """Cover lines 378-381: unexpected outer exception is swallowed"""
-        # Make earlier steps no-op by patching called functions to simple stubs
-        with patch('backend.services.user_management_service.soft_delete_user_tenant_by_user_id'), \
-                patch('backend.services.user_management_service.soft_delete_all_configs_by_user_id'), \
-                patch('backend.services.user_management_service.soft_delete_all_conversations_by_user'), \
-                patch('backend.services.user_management_service.build_memory_config', return_value={}), \
-                patch('backend.services.user_management_service.clear_memory', new_callable=AsyncMock):
-            # Should not raise despite logging.info raising, ensuring outer try/except is covered
-            await revoke_regular_user("u1", "t1")
-
-
 class TestGetUserInfo(unittest.IsolatedAsyncioTestCase):
     """Test get_user_info function"""
 
@@ -1194,7 +1158,8 @@ async def test_get_user_info_success(self, mock_query_group_ids, mock_get_user_t
         # Setup mocks
         mock_get_user_tenant.return_value = {
             "tenant_id": "test_tenant",
-            "user_role": "ADMIN"
+            "user_role": "ADMIN",
+            "user_email": "test@example.com"
         }
         mock_query_group_ids.return_value = [1, 2, 3]
 
@@ -1229,6 +1194,7 @@ async def test_get_user_info_success(self, mock_query_group_ids, mock_get_user_t
         assert result["user"]["user_id"] == "test_user"
         assert result["user"]["group_ids"] == [1, 2, 3]
         assert result["user"]["tenant_id"] == "test_tenant"
+        assert result["user"]["user_email"] == "test@example.com"
         assert result["user"]["user_role"] == "ADMIN"
         assert result["user"]["permissions"] == ["agent:create"]
         assert result["user"]["accessibleRoutes"] == ["chat"]
diff --git a/test/backend/services/test_user_service.py b/test/backend/services/test_user_service.py
index 8d222255e..726d45bde 100644
--- a/test/backend/services/test_user_service.py
+++ b/test/backend/services/test_user_service.py
@@ -22,6 +22,11 @@
 sys.modules['nexent.storage.storage_client_factory'] = MagicMock()
 sys.modules['nexent.storage.minio_config'] = MagicMock()
 
+# Mock for memory_service import used in delete_user_and_cleanup
+nexent_memory_service = MagicMock()
+sys.modules['nexent.memory'] = MagicMock()
+sys.modules['nexent.memory.memory_service'] = nexent_memory_service
+
 # Create mock ToolConfig class for imports
 from pydantic import BaseModel
 class MockToolConfig(BaseModel):
@@ -44,7 +49,7 @@ class MockToolConfig(BaseModel):
 patch('database.group_db.remove_user_from_all_groups').start()
 
 # Import unit under test
-from backend.services.user_service import get_users, update_user, delete_user
+from backend.services.user_service import get_users, update_user, delete_user_and_cleanup
 
 
 @pytest.fixture(autouse=True)
@@ -325,90 +330,6 @@ async def test_update_user_unexpected_error(self):
             await update_user(user_id, update_data, updated_by)
 
 
-@pytest.mark.asyncio
-class TestDeleteUser:
-    """Test cases for delete_user function"""
-
-    async def test_delete_user_success(self):
-        """Test successfully deleting user"""
-        from backend.services import user_service
-        mock_soft_delete = user_service.soft_delete_user_tenant_by_user_id
-        mock_remove_groups = user_service.remove_user_from_all_groups
-
-        user_id = "user123"
-        deleted_by = "deleter456"
-
-        mock_soft_delete.return_value = True
-
-        result = await delete_user(user_id, deleted_by)
-
-        assert result is True
-
-        # Verify both operations were called
-        mock_soft_delete.assert_called_once_with(user_id, deleted_by)
-        mock_remove_groups.assert_called_once_with(user_id, deleted_by)
-
-    async def test_delete_user_not_found(self):
-        """Test deleting user that doesn't exist"""
-        from backend.services import user_service
-        mock_soft_delete = user_service.soft_delete_user_tenant_by_user_id
-        mock_remove_groups = user_service.remove_user_from_all_groups
-
-        user_id = "user123"
-        deleted_by = "deleter456"
-
-        mock_soft_delete.return_value = False
-
-        # Execute & Assert
-        with pytest.raises(ValueError, match=f"User {user_id} not found in any tenant"):
-            await delete_user(user_id, deleted_by)
-
-        # Verify calls
-        mock_soft_delete.assert_called_once_with(user_id, deleted_by)
-        mock_remove_groups.assert_not_called()
-
-    async def test_delete_user_group_removal_fails(self):
-        """Test deleting user when group removal fails but tenant deletion succeeds"""
-        from backend.services import user_service
-        mock_soft_delete = user_service.soft_delete_user_tenant_by_user_id
-        mock_remove_groups = user_service.remove_user_from_all_groups
-
-        user_id = "user123"
-        deleted_by = "deleter456"
-
-        mock_soft_delete.return_value = True
-        mock_remove_groups.side_effect = Exception("Group removal failed")
-
-        # Execute - should not raise exception (soft failure for group removal)
-        result = await delete_user(user_id, deleted_by)
-
-        # Assert - deletion should still succeed
-        assert result is True
-
-        # Verify both operations were attempted
-        mock_soft_delete.assert_called_once_with(user_id, deleted_by)
-        mock_remove_groups.assert_called_once_with(user_id, deleted_by)
-
-    async def test_delete_user_tenant_deletion_fails(self):
-        """Test deleting user when tenant deletion fails"""
-        from backend.services import user_service
-        mock_soft_delete = user_service.soft_delete_user_tenant_by_user_id
-        mock_remove_groups = user_service.remove_user_from_all_groups
-
-        user_id = "user123"
-        deleted_by = "deleter456"
-
-        mock_soft_delete.side_effect = Exception("Tenant deletion failed")
-
-        # Execute & Assert
-        with pytest.raises(Exception, match="Tenant deletion failed"):
-            await delete_user(user_id, deleted_by)
-
-        # Verify calls - group removal should not be attempted if tenant deletion fails
-        mock_soft_delete.assert_called_once_with(user_id, deleted_by)
-        mock_remove_groups.assert_not_called()
-
-
 class TestDataValidation:
     """Test data validation and edge cases"""
 
@@ -483,6 +404,102 @@ async def test_update_user_invalid_role_various_cases(self, invalid_role):
         mock_update_role.assert_not_called()
 
 
+class TestDeleteUserAndCleanup:
+    """Test cases for delete_user_and_cleanup function"""
+
+    @pytest.mark.asyncio
+    async def test_delete_user_and_cleanup_success(self, mocker):
+        """Test successful complete user deletion and cleanup"""
+        # Mock all the dependencies
+        mock_soft_delete_tenant = mocker.patch(
+            "backend.services.user_service.soft_delete_user_tenant_by_user_id",
+            return_value=True
+        )
+        mock_remove_groups = mocker.patch(
+            "backend.services.user_service.remove_user_from_all_groups",
+            return_value=1
+        )
+        mock_soft_delete_configs = mocker.patch(
+            "backend.services.user_service.soft_delete_all_configs_by_user_id"
+        )
+        mock_soft_delete_convs = mocker.patch(
+            "backend.services.user_service.soft_delete_all_conversations_by_user",
+            return_value=5
+        )
+        mock_build_config = mocker.patch(
+            "backend.services.user_service.build_memory_config",
+            return_value={"key": "value"}
+        )
+        mock_clear_memory = mocker.patch(
+            "backend.services.user_service.clear_memory",
+            new_callable=mocker.AsyncMock
+        )
+        mock_get_admin = mocker.patch(
+            "backend.services.user_service.get_supabase_admin_client"
+        )
+
+        # Setup mock admin client
+        mock_admin = MagicMock()
+        mock_admin.auth.admin.delete_user = MagicMock()
+        mock_get_admin.return_value = mock_admin
+
+        user_id = "user123"
+        tenant_id = "tenant456"
+
+        await delete_user_and_cleanup(user_id, tenant_id)
+
+        # Verify all steps were called
+        mock_soft_delete_tenant.assert_called_once_with(user_id, user_id)
+        mock_remove_groups.assert_called_once_with(user_id, user_id)
+        mock_soft_delete_configs.assert_called_once_with(user_id, actor=user_id)
+        mock_soft_delete_convs.assert_called_once_with(user_id)
+        mock_build_config.assert_called_once_with(tenant_id)
+        # clear_memory called for user and user_agent
+        assert mock_clear_memory.call_count == 2
+        mock_get_admin.assert_called_once()
+        mock_admin.auth.admin.delete_user.assert_called_once_with(user_id)
+
+    @pytest.mark.asyncio
+    async def test_delete_user_and_cleanup_best_effort(self, mocker):
+        """Test that errors in individual steps don't fail the entire cleanup"""
+        # Mock all dependencies with exceptions
+        mocker.patch(
+            "backend.services.user_service.soft_delete_user_tenant_by_user_id",
+            side_effect=Exception("tenant deletion failed")
+        )
+        mocker.patch(
+            "backend.services.user_service.remove_user_from_all_groups",
+            side_effect=Exception("groups removal failed")
+        )
+        mocker.patch(
+            "backend.services.user_service.soft_delete_all_configs_by_user_id",
+            side_effect=Exception("configs failed")
+        )
+        mocker.patch(
+            "backend.services.user_service.soft_delete_all_conversations_by_user",
+            side_effect=Exception("convs failed")
+        )
+        mocker.patch(
+            "backend.services.user_service.build_memory_config",
+            side_effect=Exception("config failed")
+        )
+        mocker.patch(
+            "backend.services.user_service.clear_memory",
+            new_callable=mocker.AsyncMock,
+            side_effect=Exception("memory failed")
+        )
+        mocker.patch(
+            "backend.services.user_service.get_supabase_admin_client",
+            side_effect=Exception("admin failed")
+        )
+
+        user_id = "user123"
+        tenant_id = "tenant456"
+
+        # Should not raise, errors are logged and swallowed
+        await delete_user_and_cleanup(user_id, tenant_id)
+
+
 # Run tests when executed directly
 if __name__ == "__main__":
     pytest.main([__file__])
diff --git a/test/backend/services/test_vectordatabase_service.py b/test/backend/services/test_vectordatabase_service.py
index 533055a75..0f55de9bc 100644
--- a/test/backend/services/test_vectordatabase_service.py
+++ b/test/backend/services/test_vectordatabase_service.py
@@ -269,6 +269,102 @@ def test_create_knowledge_base_generates_index(self, mock_create_knowledge):
             "7-uuid", embedding_dim=256
         )
 
+    @patch('backend.services.vectordatabase_service.create_knowledge_record')
+    def test_create_knowledge_base_with_group_permissions(self, mock_create_knowledge):
+        """
+        Test create_knowledge_base with group permissions.
+
+        Verifies that ingroup_permission and group_ids are correctly
+        passed to the knowledge record creation.
+        """
+        self.mock_vdb_core.create_index.return_value = True
+        mock_create_knowledge.return_value = {
+            "knowledge_id": 7,
+            "index_name": "7-uuid",
+            "knowledge_name": "kb1",
+        }
+
+        result = ElasticSearchService.create_knowledge_base(
+            knowledge_name="kb1",
+            embedding_dim=256,
+            vdb_core=self.mock_vdb_core,
+            user_id="user-1",
+            tenant_id="tenant-1",
+            ingroup_permission="EDIT",
+            group_ids=[1, 2, 3],
+        )
+
+        self.assertEqual(result["status"], "success")
+        # Verify that create_knowledge_record was called with group permissions
+        mock_create_knowledge.assert_called_once()
+        # Parameters are passed as positional argument (knowledge_data dict), not keyword args
+        call_kwargs = mock_create_knowledge.call_args[0][0]
+        self.assertEqual(call_kwargs["ingroup_permission"], "EDIT")
+        self.assertEqual(call_kwargs["group_ids"], [1, 2, 3])
+
+    @patch('backend.services.vectordatabase_service.create_knowledge_record')
+    def test_create_knowledge_base_with_partial_group_permissions(self, mock_create_knowledge):
+        """
+        Test create_knowledge_base with only ingroup_permission (no group_ids).
+
+        Verifies that the method handles partial group permissions correctly.
+        """
+        self.mock_vdb_core.create_index.return_value = True
+        mock_create_knowledge.return_value = {
+            "knowledge_id": 8,
+            "index_name": "8-uuid2",
+            "knowledge_name": "kb2",
+        }
+
+        result = ElasticSearchService.create_knowledge_base(
+            knowledge_name="kb2",
+            embedding_dim=256,
+            vdb_core=self.mock_vdb_core,
+            user_id="user-1",
+            tenant_id="tenant-1",
+            ingroup_permission="READ_ONLY",
+            # group_ids not provided
+        )
+
+        self.assertEqual(result["status"], "success")
+        mock_create_knowledge.assert_called_once()
+        # Parameters are passed as positional argument (knowledge_data dict), not keyword args
+        call_kwargs = mock_create_knowledge.call_args[0][0]
+        self.assertEqual(call_kwargs["ingroup_permission"], "READ_ONLY")
+        # group_ids should not be in the call if not provided
+        self.assertNotIn("group_ids", call_kwargs)
+
+    @patch('backend.services.vectordatabase_service.create_knowledge_record')
+    def test_create_knowledge_base_with_empty_group_ids(self, mock_create_knowledge):
+        """
+        Test create_knowledge_base with empty group_ids list.
+
+        Verifies that an empty list of group_ids is passed correctly.
+        """
+        self.mock_vdb_core.create_index.return_value = True
+        mock_create_knowledge.return_value = {
+            "knowledge_id": 9,
+            "index_name": "9-uuid3",
+            "knowledge_name": "kb3",
+        }
+
+        result = ElasticSearchService.create_knowledge_base(
+            knowledge_name="kb3",
+            embedding_dim=256,
+            vdb_core=self.mock_vdb_core,
+            user_id="user-1",
+            tenant_id="tenant-1",
+            ingroup_permission="PRIVATE",
+            group_ids=[],
+        )
+
+        self.assertEqual(result["status"], "success")
+        mock_create_knowledge.assert_called_once()
+        # Parameters are passed as positional argument (knowledge_data dict), not keyword args
+        call_kwargs = mock_create_knowledge.call_args[0][0]
+        self.assertEqual(call_kwargs["ingroup_permission"], "PRIVATE")
+        self.assertEqual(call_kwargs["group_ids"], [])
+
     @patch('backend.services.vectordatabase_service.create_knowledge_record')
     def test_create_index_failure(self, mock_create_knowledge):
         """
@@ -688,6 +784,236 @@ def test_list_indices_creator_permission(self, mock_get_knowledge, mock_get_user
         self.assertIn("index1", result["indices"])
         self.assertIn("index2", result["indices"])
 
+    @patch('backend.services.vectordatabase_service.query_group_ids_by_user')
+    @patch('backend.services.vectordatabase_service.get_user_tenant_by_user_id')
+    @patch('backend.services.vectordatabase_service.get_knowledge_info_by_tenant_id')
+    def test_list_indices_permission_edit_when_not_creator(self, mock_get_knowledge, mock_get_user_tenant, mock_get_group_ids):
+        """
+        Test that non-creator user gets EDIT permission when ingroup_permission is EDIT.
+
+        This test verifies that:
+        1. When user is not the creator but has group intersection
+        2. And ingroup_permission is EDIT, user gets EDIT permission
+        3. This covers line 611-612
+        """
+        # Setup
+        self.mock_vdb_core.get_user_indices.return_value = ["index1"]
+        self.mock_vdb_core.get_indices_detail.return_value = {
+            "index1": {"base_info": {"doc_count": 10, "embedding_model": "test-model"}}
+        }
+        mock_get_knowledge.return_value = [
+            {
+                "index_name": "index1",
+                "embedding_model_name": "test-model",
+                "group_ids": "1,2",
+                "created_by": "other_user",  # User is NOT creator
+                "ingroup_permission": "EDIT",  # EDIT permission
+                "tenant_id": "test_tenant",
+                "knowledge_sources": "elasticsearch"
+            }
+        ]
+        mock_get_user_tenant.return_value = {
+            "user_role": "USER", "tenant_id": "test_tenant"}
+        mock_get_group_ids.return_value = [1]  # User belongs to group 1
+
+        # Execute
+        result = ElasticSearchService.list_indices(
+            pattern="*",
+            include_stats=True,  # Need stats to see permissions
+            target_tenant_id="test_tenant",
+            user_id="test_user",
+            vdb_core=self.mock_vdb_core
+        )
+
+        # Assert
+        self.assertEqual(len(result["indices_info"]), 1)
+        self.assertEqual(result["indices_info"][0]["permission"], "EDIT")
+
+    @patch('backend.services.vectordatabase_service.query_group_ids_by_user')
+    @patch('backend.services.vectordatabase_service.get_user_tenant_by_user_id')
+    @patch('backend.services.vectordatabase_service.get_knowledge_info_by_tenant_id')
+    @patch('backend.services.vectordatabase_service.IS_SPEED_MODE', new=False)
+    def test_list_indices_permission_read_when_not_creator(self, mock_get_knowledge, mock_get_user_tenant, mock_get_group_ids):
+        """
+        Test that non-creator user gets READ_ONLY permission when ingroup_permission is READ_ONLY.
+
+        This test verifies that:
+        1. When user is not the creator but has group intersection
+        2. And ingroup_permission is READ_ONLY, user gets READ_ONLY permission
+        3. This covers line 614-615
+        """
+        # Setup
+        self.mock_vdb_core.get_user_indices.return_value = ["index1"]
+        self.mock_vdb_core.get_indices_detail.return_value = {
+            "index1": {"base_info": {"doc_count": 10, "embedding_model": "test-model"}}
+        }
+        mock_get_knowledge.return_value = [
+            {
+                "index_name": "index1",
+                "embedding_model_name": "test-model",
+                "group_ids": "1,2",
+                "created_by": "other_user",  # User is NOT creator
+                "ingroup_permission": "READ_ONLY",  # READ_ONLY permission
+                "tenant_id": "test_tenant",
+                "knowledge_sources": "elasticsearch"
+            }
+        ]
+        mock_get_user_tenant.return_value = {
+            "user_role": "USER", "tenant_id": "test_tenant"}
+        mock_get_group_ids.return_value = [1]  # User belongs to group 1
+
+        # Execute
+        result = ElasticSearchService.list_indices(
+            pattern="*",
+            include_stats=True,  # Need stats to see permissions
+            target_tenant_id="test_tenant",
+            user_id="test_user",
+            vdb_core=self.mock_vdb_core
+        )
+
+        # Assert
+        self.assertEqual(len(result["indices_info"]), 1)
+        self.assertEqual(result["indices_info"][0]["permission"], "READ_ONLY")
+
+    @patch('backend.services.vectordatabase_service.query_group_ids_by_user')
+    @patch('backend.services.vectordatabase_service.get_user_tenant_by_user_id')
+    @patch('backend.services.vectordatabase_service.get_knowledge_info_by_tenant_id')
+    @patch('backend.services.vectordatabase_service.IS_SPEED_MODE', new=False)
+    def test_list_indices_permission_default_read_when_not_creator(self, mock_get_knowledge, mock_get_user_tenant, mock_get_group_ids):
+        """
+        Test that non-creator user gets default READ_ONLY permission when ingroup_permission is None or other value.
+
+        This test verifies that:
+        1. When user is not the creator but has group intersection
+        2. And ingroup_permission is None or not EDIT/READ_ONLY/PRIVATE, user gets default READ_ONLY permission
+        3. This covers line 605
+        """
+        # Setup
+        self.mock_vdb_core.get_user_indices.return_value = ["index1"]
+        self.mock_vdb_core.get_indices_detail.return_value = {
+            "index1": {"base_info": {"doc_count": 10, "embedding_model": "test-model"}}
+        }
+        mock_get_knowledge.return_value = [
+            {
+                "index_name": "index1",
+                "embedding_model_name": "test-model",
+                "group_ids": "1,2",
+                "created_by": "other_user",  # User is NOT creator
+                "ingroup_permission": None,  # None permission (will default to READ_ONLY)
+                "tenant_id": "test_tenant",
+                "knowledge_sources": "elasticsearch"
+            }
+        ]
+        mock_get_user_tenant.return_value = {
+            "user_role": "USER", "tenant_id": "test_tenant"}
+        mock_get_group_ids.return_value = [1]  # User belongs to group 1
+
+        # Execute
+        result = ElasticSearchService.list_indices(
+            pattern="*",
+            include_stats=True,  # Need stats to see permissions
+            target_tenant_id="test_tenant",
+            user_id="test_user",
+            vdb_core=self.mock_vdb_core
+        )
+
+        # Assert
+        self.assertEqual(len(result["indices_info"]), 1)
+        # When ingroup_permission is None, it defaults to READ_ONLY (line 584)
+        # Then line 605 sets permission = PERMISSION_READ (which is "READ_ONLY")
+        self.assertEqual(result["indices_info"][0]["permission"], "READ_ONLY")
+
+    @patch('backend.services.vectordatabase_service.query_group_ids_by_user')
+    @patch('backend.services.vectordatabase_service.get_user_tenant_by_user_id')
+    @patch('backend.services.vectordatabase_service.get_knowledge_info_by_tenant_id')
+    def test_list_indices_kb_group_ids_none(self, mock_get_knowledge, mock_get_user_tenant, mock_get_group_ids):
+        """
+        Test that list_indices handles kb_group_ids_str as None correctly.
+
+        This test verifies that:
+        1. When kb_group_ids_str is None, kb_groups_empty is correctly calculated
+        2. This covers line 591 (None branch)
+        """
+        # Setup
+        self.mock_vdb_core.get_user_indices.return_value = ["index1"]
+        self.mock_vdb_core.get_indices_detail.return_value = {
+            "index1": {"base_info": {"doc_count": 10, "embedding_model": "test-model"}}
+        }
+        mock_get_knowledge.return_value = [
+            {
+                "index_name": "index1",
+                "embedding_model_name": "test-model",
+                "group_ids": None,  # None value to test line 591
+                "created_by": "other_user",
+                "ingroup_permission": "EDIT",
+                "tenant_id": "test_tenant",
+                "knowledge_sources": "elasticsearch"
+            }
+        ]
+        mock_get_user_tenant.return_value = {
+            "user_role": "USER", "tenant_id": "test_tenant"}
+        mock_get_group_ids.return_value = []  # Empty user groups
+
+        # Execute
+        result = ElasticSearchService.list_indices(
+            pattern="*",
+            include_stats=True,
+            target_tenant_id="test_tenant",
+            user_id="test_user",
+            vdb_core=self.mock_vdb_core
+        )
+
+        # Assert
+        # When both kb_group_ids and user_group_ids are empty/None, they are considered intersecting
+        # So the knowledge base should be visible
+        self.assertEqual(len(result["indices_info"]), 1)
+        self.assertEqual(result["indices_info"][0]["permission"], "EDIT")
+
+    @patch('backend.services.vectordatabase_service.query_group_ids_by_user')
+    @patch('backend.services.vectordatabase_service.get_user_tenant_by_user_id')
+    @patch('backend.services.vectordatabase_service.get_knowledge_info_by_tenant_id')
+    def test_list_indices_kb_group_ids_empty_string(self, mock_get_knowledge, mock_get_user_tenant, mock_get_group_ids):
+        """
+        Test that list_indices handles kb_group_ids_str as empty string correctly.
+
+        This test verifies that:
+        1. When kb_group_ids_str is empty string, kb_groups_empty is correctly calculated
+        2. This covers line 591 (empty string branch)
+        """
+        # Setup
+        self.mock_vdb_core.get_user_indices.return_value = ["index1"]
+        self.mock_vdb_core.get_indices_detail.return_value = {
+            "index1": {"base_info": {"doc_count": 10, "embedding_model": "test-model"}}
+        }
+        mock_get_knowledge.return_value = [
+            {
+                "index_name": "index1",
+                "embedding_model_name": "test-model",
+                "group_ids": "",  # Empty string to test line 591
+                "created_by": "other_user",
+                "ingroup_permission": "EDIT",
+                "tenant_id": "test_tenant",
+                "knowledge_sources": "elasticsearch"
+            }
+        ]
+        mock_get_user_tenant.return_value = {
+            "user_role": "USER", "tenant_id": "test_tenant"}
+        mock_get_group_ids.return_value = []  # Empty user groups
+
+        # Execute
+        result = ElasticSearchService.list_indices(
+            pattern="*",
+            include_stats=True,
+            target_tenant_id="test_tenant",
+            user_id="test_user",
+            vdb_core=self.mock_vdb_core
+        )
+
+        # Assert
+        # When both kb_group_ids and user_group_ids are empty, they are considered intersecting
+        self.assertEqual(len(result["indices_info"]), 1)
+        self.assertEqual(result["indices_info"][0]["permission"], "EDIT")
+
     @patch('backend.services.vectordatabase_service.query_group_ids_by_user')
     @patch('backend.services.vectordatabase_service.get_user_tenant_by_user_id')
     @patch('backend.services.vectordatabase_service.get_knowledge_info_by_tenant_id')
@@ -2527,27 +2853,252 @@ def test_create_chunk_builds_payload_and_calls_core(self):
         self.assertEqual(payload["lang"], "en")
         self.assertIn("id", payload)
 
-    def test_update_chunk_builds_payload_and_calls_core(self):
+    @patch('backend.services.vectordatabase_service.get_knowledge_record')
+    @patch('backend.services.vectordatabase_service.get_embedding_model')
+    def test_create_chunk_generates_embedding_when_tenant_provided(self, mock_get_embedding_model, mock_get_knowledge_record):
         """
-        Test update_chunk builds update payload and delegates to vdb_core.update_chunk.
+        Test create_chunk generates and stores embedding when tenant_id is provided.
         """
+        from types import SimpleNamespace
 
-        class DummyUpdate:
-            def __init__(self, **fields):
-                self._fields = fields
-                # Expose metadata attribute like real Pydantic model
-                self.metadata = fields.get("metadata")
+        # Setup mocks
+        self.mock_vdb_core.create_chunk.return_value = {"id": "chunk-1"}
 
-            def dict(self, exclude_unset=True, exclude=None):
-                data = dict(self._fields)
-                if exclude:
-                    for key in exclude:
-                        data.pop(key, None)
-                return data
+        # Mock knowledge record with embedding model name
+        mock_get_knowledge_record.return_value = {
+            "index_name": "kb-index",
+            "embedding_model_name": "text-embedding-3-small"
+        }
 
-        self.mock_vdb_core.update_chunk.return_value = {"id": "chunk-1"}
-        chunk_request = DummyUpdate(
-            content="updated",
+        # Mock embedding model
+        mock_embedding = MagicMock()
+        mock_embedding.get_embeddings.return_value = [[0.1, 0.2, 0.3]]
+        mock_get_embedding_model.return_value = mock_embedding
+
+        chunk_request = SimpleNamespace(
+            chunk_id=None,
+            title=None,
+            filename="file.txt",
+            path_or_url="doc-1",
+            content="This is test content that needs embedding",
+            metadata={},
+        )
+
+        result = ElasticSearchService.create_chunk(
+            index_name="kb-index",
+            chunk_request=chunk_request,
+            vdb_core=self.mock_vdb_core,
+            user_id="user-1",
+            tenant_id="tenant-123",
+        )
+
+        self.assertEqual(result["status"], "success")
+        self.assertEqual(result["chunk_id"], "chunk-1")
+
+        # Verify embedding was generated
+        mock_get_embedding_model.assert_called_once_with("tenant-123", "text-embedding-3-small")
+        mock_embedding.get_embeddings.assert_called_once()
+
+        # Verify vdb_core was called with embedding in payload
+        self.mock_vdb_core.create_chunk.assert_called_once()
+        _, payload = self.mock_vdb_core.create_chunk.call_args[0]
+        self.assertIn("embedding", payload)
+        self.assertEqual(payload["embedding"], [0.1, 0.2, 0.3])
+        self.assertEqual(payload["embedding_model_name"], "text-embedding-3-small")
+
+    @patch('backend.services.vectordatabase_service.get_knowledge_record')
+    @patch('backend.services.vectordatabase_service.get_embedding_model')
+    def test_create_chunk_without_tenant_no_embedding_generated(self, mock_get_embedding_model, mock_get_knowledge_record):
+        """
+        Test create_chunk does not generate embedding when tenant_id is not provided.
+        """
+        from types import SimpleNamespace
+
+        self.mock_vdb_core.create_chunk.return_value = {"id": "chunk-1"}
+
+        chunk_request = SimpleNamespace(
+            chunk_id=None,
+            title=None,
+            filename="file.txt",
+            path_or_url="doc-1",
+            content="Content without embedding",
+            metadata={},
+        )
+
+        result = ElasticSearchService.create_chunk(
+            index_name="kb-index",
+            chunk_request=chunk_request,
+            vdb_core=self.mock_vdb_core,
+            user_id="user-1",
+            tenant_id=None,  # No tenant_id
+        )
+
+        self.assertEqual(result["status"], "success")
+
+        # Verify no embedding-related calls were made
+        mock_get_knowledge_record.assert_not_called()
+        mock_get_embedding_model.assert_not_called()
+
+        # Verify payload has no embedding
+        self.mock_vdb_core.create_chunk.assert_called_once()
+        _, payload = self.mock_vdb_core.create_chunk.call_args[0]
+        self.assertNotIn("embedding", payload)
+
+    @patch('backend.services.vectordatabase_service.get_knowledge_record')
+    @patch('backend.services.vectordatabase_service.get_embedding_model')
+    def test_create_chunk_handles_embedding_failure_gracefully(self, mock_get_embedding_model, mock_get_knowledge_record):
+        """
+        Test create_chunk handles embedding generation failure gracefully.
+        """
+        from types import SimpleNamespace
+
+        self.mock_vdb_core.create_chunk.return_value = {"id": "chunk-1"}
+
+        mock_get_knowledge_record.return_value = {
+            "index_name": "kb-index",
+            "embedding_model_name": "text-embedding-3-small"
+        }
+
+        # Embedding model raises exception
+        mock_get_embedding_model.side_effect = Exception("Embedding service unavailable")
+
+        chunk_request = SimpleNamespace(
+            chunk_id=None,
+            title=None,
+            filename="file.txt",
+            path_or_url="doc-1",
+            content="Content that would need embedding",
+            metadata={},
+        )
+
+        # Should not raise exception, just log warning
+        result = ElasticSearchService.create_chunk(
+            index_name="kb-index",
+            chunk_request=chunk_request,
+            vdb_core=self.mock_vdb_core,
+            user_id="user-1",
+            tenant_id="tenant-123",
+        )
+
+        # Result should still be successful (embedding is optional)
+        self.assertEqual(result["status"], "success")
+        self.assertEqual(result["chunk_id"], "chunk-1")
+
+        # Verify chunk was still created without embedding
+        self.mock_vdb_core.create_chunk.assert_called_once()
+
+    @patch('backend.services.vectordatabase_service.get_knowledge_record')
+    @patch('backend.services.vectordatabase_service.get_embedding_model')
+    def test_create_chunk_handles_empty_embedding_result(self, mock_get_embedding_model, mock_get_knowledge_record):
+        """
+        Test create_chunk handles empty embedding result gracefully.
+        """
+        from types import SimpleNamespace
+
+        self.mock_vdb_core.create_chunk.return_value = {"id": "chunk-1"}
+
+        mock_get_knowledge_record.return_value = {
+            "index_name": "kb-index",
+            "embedding_model_name": "text-embedding-3-small"
+        }
+
+        # Embedding returns empty list
+        mock_embedding = MagicMock()
+        mock_embedding.get_embeddings.return_value = []
+        mock_get_embedding_model.return_value = mock_embedding
+
+        chunk_request = SimpleNamespace(
+            chunk_id=None,
+            title=None,
+            filename="file.txt",
+            path_or_url="doc-1",
+            content="Content with empty embedding",
+            metadata={},
+        )
+
+        result = ElasticSearchService.create_chunk(
+            index_name="kb-index",
+            chunk_request=chunk_request,
+            vdb_core=self.mock_vdb_core,
+            user_id="user-1",
+            tenant_id="tenant-123",
+        )
+
+        # Result should still be successful
+        self.assertEqual(result["status"], "success")
+
+        # Verify payload has no embedding when embedding is empty
+        self.mock_vdb_core.create_chunk.assert_called_once()
+        _, payload = self.mock_vdb_core.create_chunk.call_args[0]
+        self.assertNotIn("embedding", payload)
+
+    @patch('backend.services.vectordatabase_service.get_knowledge_record')
+    @patch('backend.services.vectordatabase_service.get_embedding_model')
+    def test_create_chunk_with_unknown_model_name_still_calls_embedding_model(self, mock_get_embedding_model, mock_get_knowledge_record):
+        """
+        Test create_chunk when knowledge record has unknown embedding model.
+        The backend still calls get_embedding_model (it doesn't check for "unknown").
+        The "unknown" check is only in the frontend's read-only mode logic.
+        """
+        from types import SimpleNamespace
+
+        self.mock_vdb_core.create_chunk.return_value = {"id": "chunk-1"}
+
+        # Knowledge record returns "unknown" as embedding model
+        mock_get_knowledge_record.return_value = {
+            "index_name": "kb-index",
+            "embedding_model_name": "unknown"
+        }
+
+        # Embedding model returns empty (model doesn't exist)
+        mock_embedding = MagicMock()
+        mock_embedding.get_embeddings.return_value = []
+        mock_get_embedding_model.return_value = mock_embedding
+
+        chunk_request = SimpleNamespace(
+            chunk_id=None,
+            title=None,
+            filename="file.txt",
+            path_or_url="doc-1",
+            content="Content with unknown model",
+            metadata={},
+        )
+
+        result = ElasticSearchService.create_chunk(
+            index_name="kb-index",
+            chunk_request=chunk_request,
+            vdb_core=self.mock_vdb_core,
+            user_id="user-1",
+            tenant_id="tenant-123",
+        )
+
+        # Should succeed, embedding model IS called but returns empty
+        self.assertEqual(result["status"], "success")
+
+        # Verify embedding model was called (backend doesn't skip based on "unknown")
+        mock_get_embedding_model.assert_called_once_with("tenant-123", "unknown")
+
+    def test_update_chunk_builds_payload_and_calls_core(self):
+        """
+        Test update_chunk builds update payload and delegates to vdb_core.update_chunk.
+        """
+
+        class DummyUpdate:
+            def __init__(self, **fields):
+                self._fields = fields
+                # Expose metadata attribute like real Pydantic model
+                self.metadata = fields.get("metadata")
+
+            def dict(self, exclude_unset=True, exclude=None):
+                data = dict(self._fields)
+                if exclude:
+                    for key in exclude:
+                        data.pop(key, None)
+                return data
+
+        self.mock_vdb_core.update_chunk.return_value = {"id": "chunk-1"}
+        chunk_request = DummyUpdate(
+            content="updated",
             filename="updated.txt",
             metadata={"lang": "en"},
         )
@@ -3122,6 +3673,237 @@ def test_get_embedding_model_missing_type(self, mock_tenant_config_manager):
             # Restart the mock for other tests
             self.get_embedding_model_patcher.start()
 
+    @patch('backend.services.vectordatabase_service.tenant_config_manager')
+    @patch('backend.services.vectordatabase_service.get_model_records')
+    def test_get_embedding_model_with_model_name_found(self, mock_get_models, mock_tenant_config_manager):
+        """
+        Test get_embedding_model with model_name parameter when the model is found.
+
+        This test verifies that:
+        1. When model_name is provided and found in tenant's models, OpenAICompatibleEmbedding is returned
+        2. The correct parameters are passed to the embedding model
+        3. The function uses model_repo/model_name format for matching
+        """
+        # Setup - mock get_models to return a model that matches
+        mock_get_models.return_value = [
+            {
+                "model_repo": "openai",
+                "model_name": "text-embedding-ada-002",
+                "api_key": "test_api_key",
+                "base_url": "https://test.api.com",
+                "max_tokens": 1024,
+                "ssl_verify": True
+            }
+        ]
+
+        # Mock tenant config for fallback behavior (should NOT be called when model is found)
+        mock_tenant_config_manager.get_model_config.return_value = {
+            "model_type": "embedding",
+            "api_key": "fallback_key",
+            "base_url": "https://fallback.api.com",
+            "model_name": "fallback-model",
+            "max_tokens": 1024
+        }
+
+        # Stop the mock from setUp to test the real function
+        self.get_embedding_model_patcher.stop()
+
+        try:
+            with patch('backend.services.vectordatabase_service.OpenAICompatibleEmbedding') as mock_embedding_class, \
+                    patch('backend.services.vectordatabase_service.get_model_name_from_config') as mock_get_model_name:
+                mock_embedding_instance = MagicMock()
+                mock_embedding_class.return_value = mock_embedding_instance
+                mock_get_model_name.return_value = "text-embedding-ada-002"
+
+                # Execute - now we can call the real function
+                from backend.services.vectordatabase_service import get_embedding_model
+                result = get_embedding_model("test_tenant", model_name="openai/text-embedding-ada-002")
+
+                # Assert
+                self.assertEqual(result, mock_embedding_instance)
+                mock_get_models.assert_called_once_with(
+                    {"model_type": "embedding"}, "test_tenant")
+                mock_embedding_class.assert_called_once_with(
+                    api_key="test_api_key",
+                    base_url="https://test.api.com",
+                    model_name="text-embedding-ada-002",
+                    embedding_dim=1024,
+                    ssl_verify=True
+                )
+                # Tenant config should NOT be called when model is found
+                mock_tenant_config_manager.get_model_config.assert_not_called()
+        finally:
+            # Restart the mock for other tests
+            self.get_embedding_model_patcher.start()
+
+    @patch('backend.services.vectordatabase_service.tenant_config_manager')
+    @patch('backend.services.vectordatabase_service.get_model_records')
+    def test_get_embedding_model_with_model_name_found_without_repo(self, mock_get_models, mock_tenant_config_manager):
+        """
+        Test get_embedding_model with model_name when model is found without model_repo.
+
+        This test verifies that:
+        1. When model_name is provided and found (without model_repo), OpenAICompatibleEmbedding is returned
+        2. The function handles models without model_repo correctly using just model_name
+        """
+        # Setup - mock get_models to return a model without model_repo
+        mock_get_models.return_value = [
+            {
+                "model_name": "simple-model",
+                "api_key": "test_api_key",
+                "base_url": "https://test.api.com",
+                "max_tokens": 2048,
+                "ssl_verify": False
+            }
+        ]
+
+        # Mock tenant config for fallback behavior (should NOT be called when model is found)
+        mock_tenant_config_manager.get_model_config.return_value = {
+            "model_type": "embedding",
+            "api_key": "fallback_key",
+            "base_url": "https://fallback.api.com",
+            "model_name": "fallback-model",
+            "max_tokens": 1024
+        }
+
+        # Stop the mock from setUp to test the real function
+        self.get_embedding_model_patcher.stop()
+
+        try:
+            with patch('backend.services.vectordatabase_service.OpenAICompatibleEmbedding') as mock_embedding_class, \
+                    patch('backend.services.vectordatabase_service.get_model_name_from_config') as mock_get_model_name:
+                mock_embedding_instance = MagicMock()
+                mock_embedding_class.return_value = mock_embedding_instance
+                mock_get_model_name.return_value = "simple-model"
+
+                # Execute - now we can call the real function
+                from backend.services.vectordatabase_service import get_embedding_model
+                result = get_embedding_model("test_tenant", model_name="simple-model")
+
+                # Assert
+                self.assertEqual(result, mock_embedding_instance)
+                mock_get_models.assert_called_once_with(
+                    {"model_type": "embedding"}, "test_tenant")
+                mock_embedding_class.assert_called_once_with(
+                    api_key="test_api_key",
+                    base_url="https://test.api.com",
+                    model_name="simple-model",
+                    embedding_dim=2048,
+                    ssl_verify=False
+                )
+        finally:
+            # Restart the mock for other tests
+            self.get_embedding_model_patcher.start()
+
+    @patch('backend.services.vectordatabase_service.tenant_config_manager')
+    @patch('backend.services.vectordatabase_service.get_model_records')
+    def test_get_embedding_model_with_model_name_not_found(self, mock_get_models, mock_tenant_config_manager):
+        """
+        Test get_embedding_model with model_name when the model is not found.
+
+        This test verifies that:
+        1. When model_name is provided but not found in tenant's models, fallback to default config
+        2. The function falls back to default embedding model behavior
+        """
+        # Setup - mock get_models to return empty list (model not found)
+        mock_get_models.return_value = []
+
+        # Mock tenant config for fallback behavior
+        mock_config = {
+            "model_type": "embedding",
+            "api_key": "fallback_api_key",
+            "base_url": "https://fallback.api.com",
+            "model_name": "fallback-model",
+            "max_tokens": 1024
+        }
+        mock_tenant_config_manager.get_model_config.return_value = mock_config
+
+        # Stop the mock from setUp to test the real function
+        self.get_embedding_model_patcher.stop()
+
+        try:
+            with patch('backend.services.vectordatabase_service.OpenAICompatibleEmbedding') as mock_embedding_class, \
+                    patch('backend.services.vectordatabase_service.get_model_name_from_config') as mock_get_model_name:
+                mock_embedding_instance = MagicMock()
+                mock_embedding_class.return_value = mock_embedding_instance
+                mock_get_model_name.return_value = "fallback-model"
+
+                # Execute - now we can call the real function
+                from backend.services.vectordatabase_service import get_embedding_model
+                result = get_embedding_model("test_tenant", model_name="nonexistent-model")
+
+                # Assert
+                self.assertEqual(result, mock_embedding_instance)
+                mock_get_models.assert_called_once_with(
+                    {"model_type": "embedding"}, "test_tenant")
+                # Should fall back to default config
+                mock_tenant_config_manager.get_model_config.assert_called_once_with(
+                    key="EMBEDDING_ID", tenant_id="test_tenant")
+                mock_embedding_class.assert_called_once_with(
+                    api_key="fallback_api_key",
+                    base_url="https://fallback.api.com",
+                    model_name="fallback-model",
+                    embedding_dim=1024,
+                    ssl_verify=True
+                )
+        finally:
+            # Restart the mock for other tests
+            self.get_embedding_model_patcher.start()
+
+    @patch('backend.services.vectordatabase_service.tenant_config_manager')
+    @patch('backend.services.vectordatabase_service.get_model_records')
+    def test_get_embedding_model_with_model_name_exception(self, mock_get_models, mock_tenant_config_manager):
+        """
+        Test get_embedding_model with model_name when database query throws exception.
+
+        This test verifies that:
+        1. When get_models throws an exception, the function logs a warning and falls back to default config
+        2. The function handles exceptions gracefully
+        """
+        # Setup - mock get_models to throw an exception
+        mock_get_models.side_effect = Exception("Database connection failed")
+
+        # Mock tenant config for fallback behavior
+        mock_config = {
+            "model_type": "embedding",
+            "api_key": "fallback_api_key",
+            "base_url": "https://fallback.api.com",
+            "model_name": "fallback-model",
+            "max_tokens": 1024
+        }
+        mock_tenant_config_manager.get_model_config.return_value = mock_config
+
+        # Stop the mock from setUp to test the real function
+        self.get_embedding_model_patcher.stop()
+
+        try:
+            with patch('backend.services.vectordatabase_service.OpenAICompatibleEmbedding') as mock_embedding_class, \
+                    patch('backend.services.vectordatabase_service.get_model_name_from_config') as mock_get_model_name:
+                mock_embedding_instance = MagicMock()
+                mock_embedding_class.return_value = mock_embedding_instance
+                mock_get_model_name.return_value = "fallback-model"
+
+                # Execute - now we can call the real function
+                from backend.services.vectordatabase_service import get_embedding_model
+                result = get_embedding_model("test_tenant", model_name="test-model")
+
+                # Assert - should fall back to default config
+                self.assertEqual(result, mock_embedding_instance)
+                mock_get_models.assert_called_once_with(
+                    {"model_type": "embedding"}, "test_tenant")
+                mock_tenant_config_manager.get_model_config.assert_called_once_with(
+                    key="EMBEDDING_ID", tenant_id="test_tenant")
+                mock_embedding_class.assert_called_once_with(
+                    api_key="fallback_api_key",
+                    base_url="https://fallback.api.com",
+                    model_name="fallback-model",
+                    embedding_dim=1024,
+                    ssl_verify=True
+                )
+        finally:
+            # Restart the mock for other tests
+            self.get_embedding_model_patcher.start()
+
     @patch('backend.services.vectordatabase_service.get_redis_service')
     def test_update_progress_success(self, mock_get_redis):
         """Ensure _update_progress updates Redis progress when not cancelled."""
diff --git a/test/backend/test_config_service.py b/test/backend/test_config_service.py
deleted file mode 100644
index bddb47776..000000000
--- a/test/backend/test_config_service.py
+++ /dev/null
@@ -1,414 +0,0 @@
-import os
-import sys
-import asyncio
-import types
-from unittest.mock import patch, MagicMock, AsyncMock
-
-import pytest
-
-# Dynamically determine the backend path - MUST BE FIRST
-current_dir = os.path.dirname(os.path.abspath(__file__))
-backend_dir = os.path.abspath(os.path.join(current_dir, "../../backend"))
-sys.path.insert(0, backend_dir)
-
-# Mock boto3 and dotenv before importing the module under test
-boto3_mock = MagicMock()
-minio_client_mock = MagicMock()
-sys.modules['boto3'] = boto3_mock
-sys.modules['dotenv'] = MagicMock(load_dotenv=MagicMock())
-
-# Mock nexent modules before importing modules that use them
-nexent_mock = MagicMock()
-sys.modules['nexent'] = nexent_mock
-sys.modules['nexent.core'] = MagicMock()
-sys.modules['nexent.core.models'] = MagicMock()
-sys.modules['nexent.core.models.embedding_model'] = MagicMock()
-sys.modules['nexent.core.nlp'] = MagicMock()
-sys.modules['nexent.core.nlp.tokenizer'] = MagicMock()
-sys.modules['nexent.vector_database'] = MagicMock()
-sys.modules['nexent.vector_database.elasticsearch_core'] = MagicMock()
-sys.modules['nexent.core.agents'] = MagicMock()
-sys.modules['nexent.core.agents.agent_model'] = MagicMock()
-sys.modules['nexent.storage.storage_client_factory'] = MagicMock()
-
-# Stub nexent.core.models.* required by attachment_utils
-nexent_core_models_pkg = types.ModuleType("nexent.core.models")
-nexent_core_models_pkg.__path__ = []  # Mark as package for submodule imports
-sys.modules["nexent.core.models"] = nexent_core_models_pkg
-
-openai_long_ctx_mod = types.ModuleType(
-    "nexent.core.models.openai_long_context_model"
-)
-
-
-class OpenAILongContextModel:
-    def __init__(self, *args, **kwargs):
-        pass
-
-
-openai_long_ctx_mod.OpenAILongContextModel = OpenAILongContextModel
-sys.modules[
-    "nexent.core.models.openai_long_context_model"
-] = openai_long_ctx_mod
-# Also expose on the package for `from nexent.core.models import OpenAILongContextModel`
-nexent_core_models_pkg.OpenAILongContextModel = OpenAILongContextModel
-
-openai_vlm_mod = types.ModuleType("nexent.core.models.openai_vlm")
-
-
-class OpenAIVLModel:
-    def __init__(self, *args, **kwargs):
-        pass
-
-
-openai_vlm_mod.OpenAIVLModel = OpenAIVLModel
-sys.modules["nexent.core.models.openai_vlm"] = openai_vlm_mod
-# Also expose on the package for potential direct imports
-nexent_core_models_pkg.OpenAIVLModel = OpenAIVLModel
-
-# Patch storage factory and MinIO config validation to avoid errors during initialization
-# These patches must be started before any imports that use MinioClient
-storage_client_mock = MagicMock()
-patch('nexent.storage.storage_client_factory.create_storage_client_from_config', return_value=storage_client_mock).start()
-patch('nexent.storage.minio_config.MinIOStorageConfig.validate', lambda self: None).start()
-patch('backend.database.client.MinioClient', return_value=minio_client_mock).start()
-
-# Create stub vector database modules to satisfy imports
-vector_db_module = types.ModuleType("nexent.vector_database")
-vector_db_module.__path__ = []  # Mark as package
-vector_db_base_module = types.ModuleType("nexent.vector_database.base")
-
-class MockVectorDatabaseCore:
-    def __init__(self, *args, **kwargs):
-        pass
-
-vector_db_base_module.VectorDatabaseCore = MockVectorDatabaseCore
-
-vector_db_es_module = types.ModuleType("nexent.vector_database.elasticsearch_core")
-
-class MockElasticSearchCore:
-    def __init__(self, *args, **kwargs):
-        pass
-
-vector_db_es_module.ElasticSearchCore = MockElasticSearchCore
-
-sys.modules['nexent.vector_database'] = vector_db_module
-sys.modules['nexent.vector_database.base'] = vector_db_base_module
-sys.modules['nexent.vector_database.elasticsearch_core'] = vector_db_es_module
-setattr(vector_db_module, "base", vector_db_base_module)
-setattr(vector_db_module, "elasticsearch_core", vector_db_es_module)
-
-# Pre-inject a stubbed base_app to avoid import side effects
-backend_pkg = types.ModuleType("backend")
-apps_pkg = types.ModuleType("backend.apps")
-base_app_mod = types.ModuleType("backend.apps.base_app")
-base_app_mod.app = MagicMock()
-
-# Install stubs into sys.modules
-sys.modules.setdefault("backend", backend_pkg)
-sys.modules["backend.apps"] = apps_pkg
-sys.modules["backend.apps.base_app"] = base_app_mod
-
-# Also stub non-namespaced imports used by the application
-apps_pkg_flat = types.ModuleType("apps")
-base_app_mod_flat = types.ModuleType("apps.config_app")
-base_app_mod_flat.app = MagicMock()
-sys.modules["apps"] = apps_pkg_flat
-sys.modules["apps.config_app"] = base_app_mod_flat
-setattr(apps_pkg_flat, "config_app", base_app_mod_flat)
-
-# Wire package attributes
-setattr(backend_pkg, "apps", apps_pkg)
-setattr(apps_pkg, "config_app", base_app_mod)
-
-
-class TestTenantConfigService:
-    """Unit tests for tenant_config_service helpers"""
-
-    @patch('backend.services.tenant_config_service.get_selected_knowledge_list')
-    def test_build_knowledge_name_mapping_prefers_knowledge_name(self, mock_get_selected):
-        """Ensure knowledge_name is used as key when present."""
-        mock_get_selected.return_value = [
-            {"knowledge_name": "User Docs", "index_name": "index_user_docs"},
-            {"knowledge_name": "API Docs", "index_name": "index_api_docs"},
-        ]
-
-        from backend.services.tenant_config_service import build_knowledge_name_mapping
-
-        mapping = build_knowledge_name_mapping(tenant_id="t1", user_id="u1")
-
-        assert mapping == {
-            "User Docs": "index_user_docs",
-            "API Docs": "index_api_docs",
-        }
-        mock_get_selected.assert_called_once_with(tenant_id="t1", user_id="u1")
-
-    @patch('backend.services.tenant_config_service.get_selected_knowledge_list')
-    def test_build_knowledge_name_mapping_fallbacks_to_index_name(self, mock_get_selected):
-        """Fallback to index_name when knowledge_name is missing."""
-        mock_get_selected.return_value = [
-            {"index_name": "index_fallback_only"},
-            {"knowledge_name": None, "index_name": "index_none_name"},
-        ]
-
-        from backend.services.tenant_config_service import build_knowledge_name_mapping
-
-        mapping = build_knowledge_name_mapping(tenant_id="t2", user_id="u2")
-
-        assert mapping == {
-            "index_fallback_only": "index_fallback_only",
-            "index_none_name": "index_none_name",
-        }
-        mock_get_selected.assert_called_once_with(tenant_id="t2", user_id="u2")
-
-    @patch('backend.services.tenant_config_service.get_tenant_config_info')
-    @patch('backend.services.tenant_config_service.get_knowledge_info_by_knowledge_ids')
-    def test_get_selected_knowledge_list_success(self, mock_get_knowledge_info, mock_get_tenant_config):
-        """Test successful retrieval of selected knowledge list"""
-        # Setup
-        mock_get_tenant_config.return_value = [
-            {"config_value": "kb1"},
-            {"config_value": "kb2"}
-        ]
-        mock_get_knowledge_info.return_value = [
-            {"knowledge_id": "kb1", "knowledge_name": "Knowledge Base 1"},
-            {"knowledge_id": "kb2", "knowledge_name": "Knowledge Base 2"}
-        ]
-
-        from backend.services.tenant_config_service import get_selected_knowledge_list
-
-        # Execute
-        result = get_selected_knowledge_list("tenant1", "user1")
-
-        # Assert
-        assert result == [
-            {"knowledge_id": "kb1", "knowledge_name": "Knowledge Base 1"},
-            {"knowledge_id": "kb2", "knowledge_name": "Knowledge Base 2"}
-        ]
-        mock_get_tenant_config.assert_called_once_with(
-            tenant_id="tenant1", user_id="user1", select_key="selected_knowledge_id"
-        )
-        mock_get_knowledge_info.assert_called_once_with(["kb1", "kb2"])
-
-    @patch('backend.services.tenant_config_service.get_tenant_config_info')
-    def test_get_selected_knowledge_list_empty(self, mock_get_tenant_config):
-        """Test retrieval of selected knowledge list when no records exist"""
-        # Setup
-        mock_get_tenant_config.return_value = []
-
-        from backend.services.tenant_config_service import get_selected_knowledge_list
-
-        # Execute
-        result = get_selected_knowledge_list("tenant1", "user1")
-
-        # Assert
-        assert result == []
-        mock_get_tenant_config.assert_called_once_with(
-            tenant_id="tenant1", user_id="user1", select_key="selected_knowledge_id"
-        )
-
-    @patch('backend.services.tenant_config_service.get_knowledge_ids_by_index_names')
-    @patch('backend.services.tenant_config_service.get_tenant_config_info')
-    @patch('backend.services.tenant_config_service.insert_config')
-    @patch('backend.services.tenant_config_service.delete_config_by_tenant_config_id')
-    def test_update_selected_knowledge_success(self, mock_delete_config, mock_insert_config,
-                                               mock_get_tenant_config, mock_get_knowledge_ids):
-        """Test successful update of selected knowledge"""
-        # Setup
-        mock_get_knowledge_ids.return_value = ["kb1", "kb2"]
-        mock_get_tenant_config.return_value = [
-            {"tenant_config_id": "config1", "config_value": "kb1"},  # kb1 already exists
-            {"tenant_config_id": "config_old", "config_value": "old_kb"}  # old_kb to be deleted
-        ]
-        mock_insert_config.return_value = True
-        mock_delete_config.return_value = True
-
-        from backend.services.tenant_config_service import update_selected_knowledge
-
-        # Execute
-        result = update_selected_knowledge("tenant1", "user1", ["index1", "index2"])
-
-        # Assert
-        assert result is True
-        mock_get_knowledge_ids.assert_called_once_with(["index1", "index2"])
-        mock_get_tenant_config.assert_called_once_with(
-            tenant_id="tenant1", user_id="user1", select_key="selected_knowledge_id"
-        )
-        # Due to bug in implementation: it compares knowledge_id with tenant_config_id,
-        # so it always inserts all knowledge_ids. Should insert both kb1 and kb2.
-        assert mock_insert_config.call_count == 2
-        mock_insert_config.assert_any_call({
-            "user_id": "user1",
-            "tenant_id": "tenant1",
-            "config_key": "selected_knowledge_id",
-            "config_value": "kb1",
-            "value_type": "multi"
-        })
-        mock_insert_config.assert_any_call({
-            "user_id": "user1",
-            "tenant_id": "tenant1",
-            "config_key": "selected_knowledge_id",
-            "config_value": "kb2",
-            "value_type": "multi"
-        })
-        # Should delete old_kb (not in new knowledge_ids)
-        mock_delete_config.assert_called_once_with("config_old")
-
-    @patch('backend.services.tenant_config_service.get_knowledge_ids_by_index_names')
-    def test_update_selected_knowledge_sources_length_mismatch(self, mock_get_knowledge_ids):
-        """Test update_selected_knowledge with mismatched sources length"""
-        from backend.services.tenant_config_service import update_selected_knowledge
-
-        # Execute
-        result = update_selected_knowledge(
-            "tenant1", "user1", ["index1", "index2"], ["source1"]
-        )
-
-        # Assert
-        assert result is False
-        mock_get_knowledge_ids.assert_not_called()
-
-    @patch('backend.services.tenant_config_service.get_knowledge_ids_by_index_names')
-    @patch('backend.services.tenant_config_service.get_tenant_config_info')
-    @patch('backend.services.tenant_config_service.insert_config')
-    def test_update_selected_knowledge_insert_failure(self, mock_insert_config,
-                                                      mock_get_tenant_config, mock_get_knowledge_ids):
-        """Test update_selected_knowledge when insert fails"""
-        # Setup
-        mock_get_knowledge_ids.return_value = ["kb1"]
-        mock_get_tenant_config.return_value = []  # No existing configs
-        mock_insert_config.return_value = False  # Insert fails
-
-        from backend.services.tenant_config_service import update_selected_knowledge
-
-        # Execute
-        result = update_selected_knowledge("tenant1", "user1", ["index1"])
-
-        # Assert
-        assert result is False
-        mock_insert_config.assert_called_once()
-
-    @patch('backend.services.tenant_config_service.get_knowledge_ids_by_index_names')
-    @patch('backend.services.tenant_config_service.get_tenant_config_info')
-    @patch('backend.services.tenant_config_service.delete_config_by_tenant_config_id')
-    def test_update_selected_knowledge_delete_failure(self, mock_delete_config,
-                                                      mock_get_tenant_config, mock_get_knowledge_ids):
-        """Test update_selected_knowledge when delete fails"""
-        # Setup
-        mock_get_knowledge_ids.return_value = []  # No new knowledge
-        mock_get_tenant_config.return_value = [
-            {"tenant_config_id": "config1", "config_value": "old_kb"}
-        ]
-        mock_delete_config.return_value = False  # Delete fails
-
-        from backend.services.tenant_config_service import update_selected_knowledge
-
-        # Execute
-        result = update_selected_knowledge("tenant1", "user1", [])
-
-        # Assert
-        assert result is False
-        mock_delete_config.assert_called_once_with("config1")
-
-    @patch('backend.services.tenant_config_service.get_knowledge_ids_by_index_names')
-    @patch('backend.services.tenant_config_service.get_tenant_config_info')
-    @patch('backend.services.tenant_config_service.delete_config_by_tenant_config_id')
-    def test_delete_selected_knowledge_by_index_name_success(self, mock_delete_config,
-                                                             mock_get_tenant_config, mock_get_knowledge_ids):
-        """Test successful deletion of selected knowledge by index name"""
-        # Setup
-        mock_get_knowledge_ids.return_value = ["kb1"]
-        mock_get_tenant_config.return_value = [
-            {"tenant_config_id": "config1", "config_value": "kb1"}
-        ]
-        mock_delete_config.return_value = True
-
-        from backend.services.tenant_config_service import delete_selected_knowledge_by_index_name
-
-        # Execute
-        result = delete_selected_knowledge_by_index_name("tenant1", "user1", "index1")
-
-        # Assert
-        assert result is True
-        mock_get_knowledge_ids.assert_called_once_with(["index1"])
-        mock_get_tenant_config.assert_called_once_with(
-            tenant_id="tenant1", user_id="user1", select_key="selected_knowledge_id"
-        )
-        mock_delete_config.assert_called_once_with("config1")
-
-    @patch('backend.services.tenant_config_service.get_knowledge_ids_by_index_names')
-    @patch('backend.services.tenant_config_service.get_tenant_config_info')
-    def test_delete_selected_knowledge_by_index_name_not_found(self, mock_get_tenant_config, mock_get_knowledge_ids):
-        """Test deletion when knowledge is not in selected list"""
-        # Setup
-        mock_get_knowledge_ids.return_value = ["kb1"]
-        mock_get_tenant_config.return_value = [
-            {"tenant_config_id": "config1", "config_value": "kb2"}  # Different KB
-        ]
-
-        from backend.services.tenant_config_service import delete_selected_knowledge_by_index_name
-
-        # Execute
-        result = delete_selected_knowledge_by_index_name("tenant1", "user1", "index1")
-
-        # Assert
-        assert result is True  # Returns True even if not found
-        mock_get_knowledge_ids.assert_called_once_with(["index1"])
-        mock_get_tenant_config.assert_called_once_with(
-            tenant_id="tenant1", user_id="user1", select_key="selected_knowledge_id"
-        )
-
-    @patch('backend.services.tenant_config_service.get_knowledge_ids_by_index_names')
-    @patch('backend.services.tenant_config_service.get_tenant_config_info')
-    @patch('backend.services.tenant_config_service.delete_config_by_tenant_config_id')
-    def test_delete_selected_knowledge_by_index_name_delete_failure(self, mock_delete_config,
-                                                                   mock_get_tenant_config, mock_get_knowledge_ids):
-        """Test deletion failure"""
-        # Setup
-        mock_get_knowledge_ids.return_value = ["kb1"]
-        mock_get_tenant_config.return_value = [
-            {"tenant_config_id": "config1", "config_value": "kb1"}
-        ]
-        mock_delete_config.return_value = False
-
-        from backend.services.tenant_config_service import delete_selected_knowledge_by_index_name
-
-        # Execute
-        result = delete_selected_knowledge_by_index_name("tenant1", "user1", "index1")
-
-        # Assert
-        assert result is False
-        mock_delete_config.assert_called_once_with("config1")
-
-    @patch('backend.services.tenant_config_service.get_selected_knowledge_list')
-    def test_build_knowledge_name_mapping_empty_list(self, mock_get_selected):
-        """Test build_knowledge_name_mapping with empty knowledge list"""
-        mock_get_selected.return_value = []
-
-        from backend.services.tenant_config_service import build_knowledge_name_mapping
-
-        mapping = build_knowledge_name_mapping(tenant_id="t1", user_id="u1")
-
-        assert mapping == {}
-        mock_get_selected.assert_called_once_with(tenant_id="t1", user_id="u1")
-
-    @patch('backend.services.tenant_config_service.get_selected_knowledge_list')
-    def test_build_knowledge_name_mapping_missing_fields(self, mock_get_selected):
-        """Test build_knowledge_name_mapping when fields are missing"""
-        mock_get_selected.return_value = [
-            {"index_name": "index1"},  # No knowledge_name
-            {"knowledge_name": "KB2"},  # No index_name
-            {}  # Both missing
-        ]
-
-        from backend.services.tenant_config_service import build_knowledge_name_mapping
-
-        mapping = build_knowledge_name_mapping(tenant_id="t1", user_id="u1")
-
-        # Should only include valid mappings
-        assert mapping == {"index1": "index1"}
-        mock_get_selected.assert_called_once_with(tenant_id="t1", user_id="u1")
-
-
-if __name__ == '__main__':
-    pytest.main()
diff --git a/test/backend/utils/test_prompt_template_utils.py b/test/backend/utils/test_prompt_template_utils.py
index b996705cf..e657b3a06 100644
--- a/test/backend/utils/test_prompt_template_utils.py
+++ b/test/backend/utils/test_prompt_template_utils.py
@@ -1,7 +1,7 @@
 import pytest
 from unittest.mock import mock_open
 
-from utils.prompt_template_utils import get_agent_prompt_template, get_prompt_generate_prompt_template, get_file_processing_messages_template
+from utils.prompt_template_utils import get_agent_prompt_template, get_prompt_generate_prompt_template
 
 
 class TestPromptTemplateUtils:
@@ -18,7 +18,7 @@ def test_get_agent_prompt_template_manager_zh(self, mocker):
         # Verify the function was called with correct parameters
         # The actual path will be an absolute path, so we check that it contains the expected relative path
         call_args = mock_file.call_args[0]
-        assert 'backend/prompts/manager_system_prompt_template.yaml' in call_args[0].replace('\\', '/')
+        assert 'backend/prompts/manager_system_prompt_template_zh.yaml' in call_args[0].replace('\\', '/')
         assert call_args[1] == 'r'
         assert mock_file.call_args[1]['encoding'] == 'utf-8'
         mock_yaml_load.assert_called_once()
@@ -52,7 +52,7 @@ def test_get_agent_prompt_template_managed_zh(self, mocker):
         # Verify the function was called with correct parameters
         # The actual path will be an absolute path, so we check that it ends with the expected relative path
         call_args = mock_file.call_args[0]
-        assert 'backend/prompts/managed_system_prompt_template.yaml' in call_args[0].replace('\\', '/')
+        assert 'backend/prompts/managed_system_prompt_template_zh.yaml' in call_args[0].replace('\\', '/')
         assert call_args[1] == 'r'
         assert mock_file.call_args[1]['encoding'] == 'utf-8'
         mock_yaml_load.assert_called_once()
@@ -86,7 +86,7 @@ def test_get_prompt_generate_prompt_template_zh(self, mocker):
         # Verify the function was called with correct parameters
         # The actual path will be an absolute path, so we check that it ends with the expected relative path
         call_args = mock_file.call_args[0]
-        assert 'backend/prompts/utils/prompt_generate.yaml' in call_args[0].replace('\\', '/')
+        assert 'backend/prompts/utils/prompt_generate_zh.yaml' in call_args[0].replace('\\', '/')
         assert call_args[1] == 'r'
         assert mock_file.call_args[1]['encoding'] == 'utf-8'
         mock_yaml_load.assert_called_once()
@@ -120,58 +120,7 @@ def test_get_prompt_generate_prompt_template_default_language(self, mocker):
         # Verify the function was called with correct parameters
         # The actual path will be an absolute path, so we check that it ends with the expected relative path
         call_args = mock_file.call_args[0]
-        assert 'backend/prompts/utils/prompt_generate.yaml' in call_args[0].replace('\\', '/')
-        assert call_args[1] == 'r'
-        assert mock_file.call_args[1]['encoding'] == 'utf-8'
-        mock_yaml_load.assert_called_once()
-        assert result == {"test": "data"}
-
-    def test_get_file_processing_messages_template_zh(self, mocker):
-        """Test get_file_processing_messages_template for Chinese"""
-        mock_yaml_load = mocker.patch('yaml.safe_load')
-        mock_file = mocker.patch('builtins.open', mock_open(read_data='{"test": "data"}'))
-
-        mock_yaml_load.return_value = {"test": "data"}
-        result = get_file_processing_messages_template(language='zh')
-
-        # Verify the function was called with correct parameters
-        # The actual path will be an absolute path, so we check that it ends with the expected relative path
-        call_args = mock_file.call_args[0]
-        assert 'backend/prompts/utils/file_processing_messages.yaml' in call_args[0].replace('\\', '/')
-        assert call_args[1] == 'r'
-        assert mock_file.call_args[1]['encoding'] == 'utf-8'
-        mock_yaml_load.assert_called_once()
-        assert result == {"test": "data"}
-
-    def test_get_file_processing_messages_template_en(self, mocker):
-        """Test get_file_processing_messages_template for English"""
-        mock_yaml_load = mocker.patch('yaml.safe_load')
-        mock_file = mocker.patch('builtins.open', mock_open(read_data='{"test": "data"}'))
-
-        mock_yaml_load.return_value = {"test": "data"}
-        result = get_file_processing_messages_template(language='en')
-
-        # Verify the function was called with correct parameters
-        # The actual path will be an absolute path, so we check that it ends with the expected relative path
-        call_args = mock_file.call_args[0]
-        assert 'backend/prompts/utils/file_processing_messages_en.yaml' in call_args[0].replace('\\', '/')
-        assert call_args[1] == 'r'
-        assert mock_file.call_args[1]['encoding'] == 'utf-8'
-        mock_yaml_load.assert_called_once()
-        assert result == {"test": "data"}
-
-    def test_get_file_processing_messages_template_default_language(self, mocker):
-        """Test get_file_processing_messages_template with default language (should be Chinese)"""
-        mock_yaml_load = mocker.patch('yaml.safe_load')
-        mock_file = mocker.patch('builtins.open', mock_open(read_data='{"test": "data"}'))
-
-        mock_yaml_load.return_value = {"test": "data"}
-        result = get_file_processing_messages_template()
-
-        # Verify the function was called with correct parameters
-        # The actual path will be an absolute path, so we check that it ends with the expected relative path
-        call_args = mock_file.call_args[0]
-        assert 'backend/prompts/utils/file_processing_messages.yaml' in call_args[0].replace('\\', '/')
+        assert 'backend/prompts/utils/prompt_generate_zh.yaml' in call_args[0].replace('\\', '/')
         assert call_args[1] == 'r'
         assert mock_file.call_args[1]['encoding'] == 'utf-8'
         mock_yaml_load.assert_called_once()
diff --git a/test/sdk/core/agents/test_nexent_agent.py b/test/sdk/core/agents/test_nexent_agent.py
index 44edb6e58..1d50c5aa3 100644
--- a/test/sdk/core/agents/test_nexent_agent.py
+++ b/test/sdk/core/agents/test_nexent_agent.py
@@ -188,8 +188,13 @@ class _MockToolSign:
 mock_nexent_core_module.utils = mock_nexent_core_utils_module
 mock_nexent_core_module.models = mock_nexent_core_models_module
 mock_nexent_core_module.MessageObserver = _MockMessageObserver
+
+# Create nexent.utils module placeholder - will be populated inside the with block
+mock_nexent_utils_module = types.ModuleType("nexent.utils")
+
 mock_nexent_module = types.ModuleType("nexent")
 mock_nexent_module.core = mock_nexent_core_module
+mock_nexent_module.utils = mock_nexent_utils_module
 mock_nexent_storage_module = types.ModuleType("nexent.storage")
 mock_nexent_storage_module.MinIOStorageClient = MagicMock()
 mock_nexent_module.storage = mock_nexent_storage_module
@@ -228,6 +233,7 @@ class _MockToolSign:
     "nexent": mock_nexent_module,
     "nexent.core": mock_nexent_core_module,
     "nexent.core.utils": mock_nexent_core_utils_module,
+    "nexent.utils": mock_nexent_utils_module,
     "nexent.core.utils.observer": mock_nexent_core_utils_observer_module,
     "sdk": mock_sdk_module,
     "sdk.nexent": mock_sdk_nexent_module,
@@ -256,10 +262,22 @@ class _MockToolSign:
 # Import the classes under test with patched dependencies in place
 # ---------------------------------------------------------------------------
 with patch.dict("sys.modules", module_mocks):
+    # Create mock http_client_manager module for analyze_text_file_tool
+    # This is needed because analyze_text_file_tool.py uses absolute import:
+    # "from nexent.utils.http_client_manager import http_client_manager"
+    mock_http_client_manager_module = MagicMock()
+    mock_http_client_manager_module.http_client_manager = MagicMock()
+
+    # We need to add this to sys.modules before the import happens
+    sys.modules["nexent.utils.http_client_manager"] = mock_http_client_manager_module
+
     from sdk.nexent.core.agents import nexent_agent
     from sdk.nexent.core.agents.nexent_agent import NexentAgent, ActionStep, TaskStep
     from sdk.nexent.core.agents.agent_model import ToolConfig, ModelConfig, AgentConfig, AgentHistory
 
+    # Clean up after import
+    sys.modules.pop("nexent.utils.http_client_manager", None)
+
 
 # ----------------------------------------------------------------------------
 # Fixtures
@@ -746,7 +764,6 @@ def test_create_local_tool_knowledge_base_search_tool_success(nexent_agent_insta
     # Verify excluded parameters were set directly as attributes after instantiation
     assert result == mock_kb_tool_instance
     assert mock_kb_tool_instance.observer == nexent_agent_instance.observer
-    assert mock_kb_tool_instance.index_names == ["index1", "index2"]
     assert mock_kb_tool_instance.vdb_core == mock_vdb_core
     assert mock_kb_tool_instance.embedding_model == mock_embedding_model
 
@@ -797,11 +814,11 @@ def test_create_local_tool_knowledge_base_search_tool_with_conflicting_params(ne
     # Only non-excluded params should be passed to __init__ due to smolagents wrapper restrictions
     mock_kb_tool_class.assert_called_once_with(
         top_k=10,  # From filtered_params (not in conflict list)
+        index_names=["conflicting_index"],  # Not excluded by current implementation
     )
     # Verify excluded parameters were set directly as attributes after instantiation
     assert result == mock_kb_tool_instance
     assert mock_kb_tool_instance.observer == nexent_agent_instance.observer
-    assert mock_kb_tool_instance.index_names == ["index1", "index2"]  # From metadata, not params
     assert mock_kb_tool_instance.vdb_core == mock_vdb_core  # From metadata, not params
     assert mock_kb_tool_instance.embedding_model == mock_embedding_model  # From metadata, not params
 
@@ -842,7 +859,6 @@ def test_create_local_tool_knowledge_base_search_tool_with_none_defaults(nexent_
     # Verify excluded parameters were set directly as attributes with None defaults when metadata is missing
     assert result == mock_kb_tool_instance
     assert mock_kb_tool_instance.observer == nexent_agent_instance.observer
-    assert mock_kb_tool_instance.index_names == []  # Empty list when None
     assert mock_kb_tool_instance.vdb_core is None
     assert mock_kb_tool_instance.embedding_model is None
     assert result == mock_kb_tool_instance
@@ -1367,7 +1383,6 @@ def test_create_local_tool_datamate_search_tool_success(nexent_agent_instance):
     # Verify excluded parameters were set directly as attributes after instantiation
     assert result == mock_datamate_tool_instance
     assert mock_datamate_tool_instance.observer == nexent_agent_instance.observer
-    assert mock_datamate_tool_instance.index_names == ["datamate_index1", "datamate_index2"]
 
 
 
@@ -1407,7 +1422,6 @@ def test_create_local_tool_datamate_search_tool_with_none_defaults(nexent_agent_
     # Verify excluded parameters were set directly as attributes with None defaults when metadata is missing
     assert result == mock_datamate_tool_instance
     assert mock_datamate_tool_instance.observer == nexent_agent_instance.observer
-    assert mock_datamate_tool_instance.index_names == []  # Empty list when None
 
 
 def test_create_local_tool_datamate_search_tool_success(nexent_agent_instance):
@@ -1448,7 +1462,6 @@ def test_create_local_tool_datamate_search_tool_success(nexent_agent_instance):
     # Verify excluded parameters were set directly as attributes after instantiation
     assert result == mock_datamate_tool_instance
     assert mock_datamate_tool_instance.observer == nexent_agent_instance.observer
-    assert mock_datamate_tool_instance.index_names == ["datamate_index1", "datamate_index2"]
 
 
 def test_create_local_tool_datamate_search_tool_with_none_defaults(nexent_agent_instance):
@@ -1487,7 +1500,6 @@ def test_create_local_tool_datamate_search_tool_with_none_defaults(nexent_agent_
     # Verify excluded parameters were set directly as attributes with None defaults when metadata is missing
     assert result == mock_datamate_tool_instance
     assert mock_datamate_tool_instance.observer == nexent_agent_instance.observer
-    assert mock_datamate_tool_instance.index_names == []  # Empty list when None
 
 
 if __name__ == "__main__":
diff --git a/test/sdk/core/tools/test_analyze_text_file_tool.py b/test/sdk/core/tools/test_analyze_text_file_tool.py
index c0a91e355..03646387c 100644
--- a/test/sdk/core/tools/test_analyze_text_file_tool.py
+++ b/test/sdk/core/tools/test_analyze_text_file_tool.py
@@ -45,13 +45,29 @@ def observer_en():
 
 
 @pytest.fixture
-def tool(observer_zh, llm_model):
-    return AnalyzeTextFileTool(
+def http_client_manager(mocker):
+    """Fixture to mock http_client_manager for tests."""
+    mock = mocker.patch(
+        "sdk.nexent.core.tools.analyze_text_file_tool.http_client_manager"
+    )
+    mock_client = MagicMock()
+    mock.get_sync_client.return_value = mock_client
+    return mock, mock_client
+
+
+@pytest.fixture
+def tool(http_client_manager, observer_zh, llm_model):
+    """Fixture to create AnalyzeTextFileTool instance with mocked HTTP client."""
+    mock_manager, mock_client = http_client_manager
+    tool_instance = AnalyzeTextFileTool(
         storage_client=MagicMock(),
         observer=observer_zh,
         data_process_service_url="http://data-process",
         llm_model=llm_model,
     )
+    # Store the mock client for tests to use
+    tool_instance._mock_http_client = mock_client
+    return tool_instance
 
 
 class TestAnalyzeTextFileTool:
@@ -95,48 +111,30 @@ def test_forward_impl_appends_analysis_exception(self, tool):
 
         assert result == ["LLM failed"]
 
-    @patch("sdk.nexent.core.tools.analyze_text_file_tool.httpx.Client")
-    def test_process_text_file_success(self, mock_client_cls, tool):
+    def test_process_text_file_success(self, tool):
         mock_response = MagicMock(status_code=200)
         mock_response.json.return_value = {"text": "converted"}
-        mock_http_client = MagicMock()
-        mock_http_client.post.return_value = mock_response
-        mock_ctx = MagicMock()
-        mock_ctx.__enter__.return_value = mock_http_client
-        mock_ctx.__exit__.return_value = False
-        mock_client_cls.return_value = mock_ctx
+        tool._mock_http_client.post.return_value = mock_response
 
         result = tool.process_text_file("doc.txt", b"bytes")
 
         assert result == "converted"
-        mock_http_client.post.assert_called_once()
+        tool._mock_http_client.post.assert_called_once()
 
-    @patch("sdk.nexent.core.tools.analyze_text_file_tool.httpx.Client")
-    def test_process_text_file_http_error_json_detail(self, mock_client_cls, tool):
+    def test_process_text_file_http_error_json_detail(self, tool):
         mock_response = MagicMock(status_code=400)
         mock_response.headers = {"content-type": "application/json"}
         mock_response.json.return_value = {"detail": "bad request"}
-        mock_http_client = MagicMock()
-        mock_http_client.post.return_value = mock_response
-        mock_ctx = MagicMock()
-        mock_ctx.__enter__.return_value = mock_http_client
-        mock_ctx.__exit__.return_value = False
-        mock_client_cls.return_value = mock_ctx
+        tool._mock_http_client.post.return_value = mock_response
 
         with pytest.raises(Exception, match="bad request"):
             tool.process_text_file("doc.txt", b"bytes")
 
-    @patch("sdk.nexent.core.tools.analyze_text_file_tool.httpx.Client")
-    def test_process_text_file_http_error_plain_text(self, mock_client_cls, tool):
+    def test_process_text_file_http_error_plain_text(self, tool):
         mock_response = MagicMock(status_code=500)
         mock_response.headers = {}
         mock_response.text = "server exploded"
-        mock_http_client = MagicMock()
-        mock_http_client.post.return_value = mock_response
-        mock_ctx = MagicMock()
-        mock_ctx.__enter__.return_value = mock_http_client
-        mock_ctx.__exit__.return_value = False
-        mock_client_cls.return_value = mock_ctx
+        tool._mock_http_client.post.return_value = mock_response
 
         with pytest.raises(Exception, match="server exploded"):
             tool.process_text_file("doc.txt", b"bytes")
diff --git a/test/sdk/core/tools/test_datamate_search_tool.py b/test/sdk/core/tools/test_datamate_search_tool.py
index 27600e1df..855bcf294 100644
--- a/test/sdk/core/tools/test_datamate_search_tool.py
+++ b/test/sdk/core/tools/test_datamate_search_tool.py
@@ -5,10 +5,8 @@
 import pytest
 from pytest_mock import MockFixture
 
-from sdk.nexent.core.tools.datamate_search_tool import DataMateSearchTool, _normalize_index_names
+from sdk.nexent.core.tools.datamate_search_tool import DataMateSearchTool
 from sdk.nexent.core.utils.observer import MessageObserver, ProcessType
-from sdk.nexent.datamate.datamate_client import DataMateClient
-
 
 @pytest.fixture
 def mock_observer() -> MessageObserver:
@@ -151,22 +149,6 @@ def test_extract_dataset_id(self, datamate_tool: DataMateSearchTool, path, expec
         assert datamate_tool._extract_dataset_id(path) == expected
 
 
-class TestNormalizeIndexNames:
-    @pytest.mark.parametrize(
-        "input_names, expected",
-        [
-            (None, []),
-            ("single_kb", ["single_kb"]),
-            (["kb1", "kb2"], ["kb1", "kb2"]),
-            ([], []),
-            ("", [""]),  # Edge case: empty string becomes list with empty string
-        ],
-    )
-    def test_normalize_index_names(self, input_names, expected):
-        result = _normalize_index_names(input_names)
-        assert result == expected
-
-
 class TestForward:
     def test_forward_success_with_observer_en(self, datamate_tool: DataMateSearchTool, mocker: MockFixture):
         # Mock the hybrid_search method to return search results
@@ -222,10 +204,7 @@ def test_forward_success_with_observer_zh(self, datamate_tool: DataMateSearchToo
 
     def test_forward_no_observer(self, mocker: MockFixture):
         tool = DataMateSearchTool(
-            server_url="http://127.0.0.1:8080",
-            observer=None,
-            index_names=["kb1"]
-        )
+            server_url="http://127.0.0.1:8080", observer=None, index_names=["kb1"])
 
         # Mock the hybrid_search method to return search results
         mock_hybrid_search = mocker.patch.object(
diff --git a/test/sdk/core/tools/test_dify_search_tool.py b/test/sdk/core/tools/test_dify_search_tool.py
index 893801b88..af62629d2 100644
--- a/test/sdk/core/tools/test_dify_search_tool.py
+++ b/test/sdk/core/tools/test_dify_search_tool.py
@@ -1,6 +1,6 @@
 import json
 from typing import List
-from unittest.mock import ANY, MagicMock
+from unittest.mock import ANY, MagicMock, patch
 
 import httpx
 import pytest
@@ -19,13 +19,19 @@ def mock_observer() -> MessageObserver:
 
 @pytest.fixture
 def dify_tool(mock_observer: MessageObserver) -> DifySearchTool:
-    return DifySearchTool(
-        server_url="https://api.dify.ai/v1",
-        api_key="test_api_key",
-        dataset_ids='["dataset1", "dataset2"]',
-        top_k=3,
-        observer=mock_observer,
-    )
+    with patch("sdk.nexent.core.tools.dify_search_tool.http_client_manager") as mock_manager:
+        mock_client = MagicMock()
+        mock_manager.get_sync_client.return_value = mock_client
+        tool = DifySearchTool(
+            server_url="https://api.dify.ai/v1",
+            api_key="test_api_key",
+            dataset_ids='["dataset1", "dataset2"]',
+            top_k=3,
+            observer=mock_observer,
+        )
+        # Store the mock client for tests to use
+        tool._mock_http_client = mock_client
+        return tool
 
 
 def _build_search_response(records: List[dict] = None, query: str = "test query"):
@@ -138,9 +144,9 @@ def test_init_invalid_api_key(self, api_key, expected_error):
         assert expected_error in str(excinfo.value)
 
     @pytest.mark.parametrize("dataset_ids,expected_error", [
-        ("[]", "dataset_ids must be a non-empty JSON array of strings"),
-        ("", "dataset_ids is required and must be a non-empty JSON string array"),
-        (None, "dataset_ids is required and must be a non-empty JSON string array"),
+        ([], "dataset_ids is required and must be a non-empty JSON string array or list"),
+        ("", "dataset_ids is required and must be a non-empty JSON string array or list"),
+        (None, "dataset_ids is required and must be a non-empty JSON string array or list"),
     ])
     def test_init_invaliddataset_ids(self, dataset_ids, expected_error):
         with pytest.raises(ValueError) as excinfo:
@@ -151,21 +157,109 @@ def test_init_invaliddataset_ids(self, dataset_ids, expected_error):
             )
         assert expected_error in str(excinfo.value)
 
+    def test_init_dataset_ids_empty_json_array_string(self, mock_observer: MessageObserver):
+        """Test that empty JSON array '[]' raises ValueError."""
+        with pytest.raises(ValueError) as excinfo:
+            DifySearchTool(
+                server_url="https://api.dify.ai/v1",
+                api_key="test_key",
+                dataset_ids="[]",
+                observer=mock_observer,
+            )
+        # Empty JSON array passes the first check (not falsy), but fails the list/empty check
+        assert "dataset_ids must be a non-empty array of strings" in str(excinfo.value)
+
+    def test_init_dataset_ids_as_list(self, mock_observer: MessageObserver):
+        """Test dataset_ids can be passed as a Python list instead of JSON string."""
+        tool = DifySearchTool(
+            server_url="https://api.dify.ai/v1",
+            api_key="test_key",
+            dataset_ids=["ds1", "ds2", "ds3"],
+            observer=mock_observer,
+        )
+
+        assert tool.dataset_ids == ["ds1", "ds2", "ds3"]
+        assert len(tool.dataset_ids) == 3
+
+    def test_init_dataset_ids_as_list_single_item(self, mock_observer: MessageObserver):
+        """Test dataset_ids as a list with single item."""
+        tool = DifySearchTool(
+            server_url="https://api.dify.ai/v1",
+            api_key="test_key",
+            dataset_ids=["single_dataset"],
+            observer=mock_observer,
+        )
+
+        assert tool.dataset_ids == ["single_dataset"]
+        assert len(tool.dataset_ids) == 1
+
+    def test_init_dataset_ids_as_list_with_numeric_ids(self, mock_observer: MessageObserver):
+        """Test dataset_ids list with numeric IDs are converted to strings."""
+        tool = DifySearchTool(
+            server_url="https://api.dify.ai/v1",
+            api_key="test_key",
+            dataset_ids=[123, 456, 789],
+            observer=mock_observer,
+        )
+
+        assert tool.dataset_ids == ["123", "456", "789"]
+        assert all(isinstance(id, str) for id in tool.dataset_ids)
+
+    @pytest.mark.parametrize("invalid_json,expected_error_contains", [
+        ("invalid_json", "dataset_ids must be a valid JSON string array or list"),
+        ("{key: value}", "dataset_ids must be a valid JSON string array or list"),
+        ("{'key': 'value'}", "dataset_ids must be a valid JSON string array or list"),
+        ("123", "dataset_ids must be a non-empty array of strings"),
+    ])
+    def test_init_invalid_json_format(self, invalid_json, expected_error_contains, mock_observer: MessageObserver):
+        """Test dataset_ids with invalid JSON format raises appropriate error."""
+        with pytest.raises(ValueError) as excinfo:
+            DifySearchTool(
+                server_url="https://api.dify.ai/v1",
+                api_key="test_key",
+                dataset_ids=invalid_json,
+                observer=mock_observer,
+            )
+        assert expected_error_contains in str(excinfo.value)
+
+    def test_init_dataset_ids_with_malformed_json_array(self, mock_observer: MessageObserver):
+        """Test dataset_ids with malformed JSON array."""
+        with pytest.raises(ValueError) as excinfo:
+            DifySearchTool(
+                server_url="https://api.dify.ai/v1",
+                api_key="test_key",
+                dataset_ids='["ds1", "ds2"',  # Missing closing bracket
+                observer=mock_observer,
+            )
+        assert "dataset_ids must be a valid JSON string array or list" in str(excinfo.value)
+
+    def test_init_dataset_ids_json_string_with_non_string_elements(self, mock_observer: MessageObserver):
+        """Test that non-string elements in JSON array are converted to strings."""
+        tool = DifySearchTool(
+            server_url="https://api.dify.ai/v1",
+            api_key="test_key",
+            dataset_ids='["ds1", 123, true, null]',
+            observer=mock_observer,
+        )
+
+        # Elements should be converted to strings using Python's str()
+        # JSON true -> Python True -> str() -> 'True'
+        # JSON null -> Python None -> str() -> 'None'
+        assert tool.dataset_ids == ["ds1", "123", "True", "None"]
+        assert all(isinstance(id, str) for id in tool.dataset_ids)
+
 
 class TestGetDocumentDownloadUrl:
     def test_get_document_download_url_success(self, mocker: MockFixture, dify_tool: DifySearchTool):
-        client_cls = mocker.patch("sdk.nexent.core.tools.dify_search_tool.httpx.Client")
-        client = client_cls.return_value.__enter__.return_value
-
-        response = MagicMock()
-        response.status_code = 200
-        response.json.return_value = _build_download_url_response()
-        client.get.return_value = response
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.json.return_value = _build_download_url_response()
+        dify_tool._mock_http_client.get.return_value = mock_response
 
         url = dify_tool._get_document_download_url("doc1", "dataset1")
 
         assert url == "https://download.example.com/file.pdf"
-        client.get.assert_called_once_with(
+        dify_tool._mock_http_client.get.assert_called_once_with(
             "https://api.dify.ai/v1/datasets/dataset1/documents/doc1/upload-file",
             headers={
                 "Content-Type": "application/json",
@@ -177,20 +271,17 @@ def test_get_document_download_url_empty_document_id(self, dify_tool: DifySearch
         url = dify_tool._get_document_download_url("", "dataset1")
         assert url == ""
 
-    def test_get_document_download_url_nodataset_id(self, mocker: MockFixture, dify_tool: DifySearchTool):
-        client_cls = mocker.patch("sdk.nexent.core.tools.dify_search_tool.httpx.Client")
-        client = client_cls.return_value.__enter__.return_value
-
-        response = MagicMock()
-        response.status_code = 200
-        response.json.return_value = _build_download_url_response()
-        client.get.return_value = response
+    def test_get_document_download_url_nodataset_id(self, dify_tool: DifySearchTool):
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.json.return_value = _build_download_url_response()
+        dify_tool._mock_http_client.get.return_value = mock_response
 
         url = dify_tool._get_document_download_url("doc1")
 
         # Should use first dataset_id from list
         assert url == "https://download.example.com/file.pdf"
-        client.get.assert_called_once_with(
+        dify_tool._mock_http_client.get.assert_called_once_with(
             "https://api.dify.ai/v1/datasets/dataset1/documents/doc1/upload-file",
             headers={
                 "Content-Type": "application/json",
@@ -198,36 +289,28 @@ def test_get_document_download_url_nodataset_id(self, mocker: MockFixture, dify_
             }
         )
 
-    def test_get_document_download_url_request_error(self, mocker: MockFixture, dify_tool: DifySearchTool):
-        client_cls = mocker.patch("sdk.nexent.core.tools.dify_search_tool.httpx.Client")
-        client = client_cls.return_value.__enter__.return_value
-        client.get.side_effect = httpx.RequestError("Connection error", request=MagicMock())
+    def test_get_document_download_url_request_error(self, dify_tool: DifySearchTool):
+        dify_tool._mock_http_client.get.side_effect = httpx.RequestError("Connection error", request=MagicMock())
 
         url = dify_tool._get_document_download_url("doc1", "dataset1")
 
         assert url == ""
 
-    def test_get_document_download_url_json_decode_error(self, mocker: MockFixture, dify_tool: DifySearchTool):
-        client_cls = mocker.patch("sdk.nexent.core.tools.dify_search_tool.httpx.Client")
-        client = client_cls.return_value.__enter__.return_value
-
-        response = MagicMock()
-        response.status_code = 200
-        response.json.side_effect = json.JSONDecodeError("Invalid JSON", "", 0)
-        client.get.return_value = response
+    def test_get_document_download_url_json_decode_error(self, dify_tool: DifySearchTool):
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.json.side_effect = json.JSONDecodeError("Invalid JSON", "", 0)
+        dify_tool._mock_http_client.get.return_value = mock_response
 
         url = dify_tool._get_document_download_url("doc1", "dataset1")
 
         assert url == ""
 
-    def test_get_document_download_url_missing_key(self, mocker: MockFixture, dify_tool: DifySearchTool):
-        client_cls = mocker.patch("sdk.nexent.core.tools.dify_search_tool.httpx.Client")
-        client = client_cls.return_value.__enter__.return_value
-
-        response = MagicMock()
-        response.status_code = 200
-        response.json.return_value = {}  # Missing download_url key
-        client.get.return_value = response
+    def test_get_document_download_url_missing_key(self, dify_tool: DifySearchTool):
+        mock_response = MagicMock()
+        mock_response.status_code = 200
+        mock_response.json.return_value = {}  # Missing download_url key
+        dify_tool._mock_http_client.get.return_value = mock_response
 
         url = dify_tool._get_document_download_url("doc1", "dataset1")
 
@@ -235,14 +318,11 @@ def test_get_document_download_url_missing_key(self, mocker: MockFixture, dify_t
 
 
 class TestSearchDifyKnowledgeBase:
-    def test_search_dify_knowledge_base_success(self, mocker: MockFixture, dify_tool: DifySearchTool):
-        client_cls = mocker.patch("sdk.nexent.core.tools.dify_search_tool.httpx.Client")
-        client = client_cls.return_value.__enter__.return_value
-
+    def test_search_dify_knowledge_base_success(self, dify_tool: DifySearchTool):
         response = MagicMock()
         response.status_code = 200
         response.json.return_value = _build_search_response()
-        client.post.return_value = response
+        dify_tool._mock_http_client.post.return_value = response
 
         result = dify_tool._search_dify_knowledge_base("test query", 3, "semantic_search", "dataset1")
 
@@ -255,7 +335,7 @@ def test_search_dify_knowledge_base_success(self, mocker: MockFixture, dify_tool
         # The URL is constructed as f"{self.server_url}/datasets/{dataset_id}/retrieve"
         # where server_url is "https://api.dify.ai/v1", so it becomes "https://api.dify.ai/v1/datasets/dataset1/retrieve"
         # This is a bug in the implementation that needs to be fixed
-        client.post.assert_called_once_with(
+        dify_tool._mock_http_client.post.assert_called_once_with(
             "https://api.dify.ai/v1/datasets/dataset1/retrieve",
             headers={
                 "Content-Type": "application/json",
@@ -279,51 +359,40 @@ def test_search_dify_knowledge_base_success(self, mocker: MockFixture, dify_tool
             }
         )
 
-    def test_search_dify_knowledge_base_no_records(self, mocker: MockFixture, dify_tool: DifySearchTool):
-        client_cls = mocker.patch("sdk.nexent.core.tools.dify_search_tool.httpx.Client")
-        client = client_cls.return_value.__enter__.return_value
-
+    def test_search_dify_knowledge_base_no_records(self, dify_tool: DifySearchTool):
         response = MagicMock()
         response.status_code = 200
         response.json.return_value = {"query": "test query", "records": []}
-        client.post.return_value = response
+        dify_tool._mock_http_client.post.return_value = response
 
         result = dify_tool._search_dify_knowledge_base("test query", 3, "semantic_search", "dataset1")
 
         assert result == {"query": "test query", "records": []}
 
-    def test_search_dify_knowledge_base_request_error(self, mocker: MockFixture, dify_tool: DifySearchTool):
-        client_cls = mocker.patch("sdk.nexent.core.tools.dify_search_tool.httpx.Client")
-        client = client_cls.return_value.__enter__.return_value
-        client.post.side_effect = httpx.RequestError("API error", request=MagicMock())
+    def test_search_dify_knowledge_base_request_error(self, dify_tool: DifySearchTool):
+        dify_tool._mock_http_client.post.side_effect = httpx.RequestError("API error", request=MagicMock())
 
         with pytest.raises(Exception) as excinfo:
             dify_tool._search_dify_knowledge_base("test query", 3, "semantic_search", "dataset1")
 
         assert "Dify API request failed" in str(excinfo.value)
 
-    def test_search_dify_knowledge_base_json_decode_error(self, mocker: MockFixture, dify_tool: DifySearchTool):
-        client_cls = mocker.patch("sdk.nexent.core.tools.dify_search_tool.httpx.Client")
-        client = client_cls.return_value.__enter__.return_value
-
+    def test_search_dify_knowledge_base_json_decode_error(self, dify_tool: DifySearchTool):
         response = MagicMock()
         response.status_code = 200
         response.json.side_effect = json.JSONDecodeError("Invalid JSON", "", 0)
-        client.post.return_value = response
+        dify_tool._mock_http_client.post.return_value = response
 
         with pytest.raises(Exception) as excinfo:
             dify_tool._search_dify_knowledge_base("test query", 3, "semantic_search", "dataset1")
 
         assert "Failed to parse Dify API response" in str(excinfo.value)
 
-    def test_search_dify_knowledge_base_missing_key(self, mocker: MockFixture, dify_tool: DifySearchTool):
-        client_cls = mocker.patch("sdk.nexent.core.tools.dify_search_tool.httpx.Client")
-        client = client_cls.return_value.__enter__.return_value
-
+    def test_search_dify_knowledge_base_missing_key(self, dify_tool: DifySearchTool):
         response = MagicMock()
         response.status_code = 200
         response.json.return_value = {}  # Missing records key
-        client.post.return_value = response
+        dify_tool._mock_http_client.post.return_value = response
 
         with pytest.raises(Exception) as excinfo:
             dify_tool._search_dify_knowledge_base("test query", 3, "semantic_search", "dataset1")
@@ -332,11 +401,7 @@ def test_search_dify_knowledge_base_missing_key(self, mocker: MockFixture, dify_
 
 
 class TestForward:
-    def _setup_success_flow(self, mocker: MockFixture, tool: DifySearchTool):
-        # Mock httpx.Client for both search and download operations
-        client_cls = mocker.patch("sdk.nexent.core.tools.dify_search_tool.httpx.Client")
-        client = client_cls.return_value.__enter__.return_value
-
+    def _setup_success_flow(self, tool: DifySearchTool):
         # Mock search method to return records
         search_response = {
             "query": "test query",
@@ -366,22 +431,24 @@ def _setup_success_flow(self, mocker: MockFixture, tool: DifySearchTool):
         mock_download_response.status_code = 200
         mock_download_response.json.return_value = download_response
 
-        # Configure client to return different responses based on URL
-        def mock_request(method, url, **kwargs):
+        # Configure mock client to return different responses based on URL
+        def mock_post(url, **kwargs):
             if "/retrieve" in url:
                 return mock_search_response
-            elif "/upload-file" in url:
-                return mock_download_response
             else:
                 raise ValueError(f"Unexpected URL: {url}")
 
-        client.post.side_effect = lambda url, **kwargs: mock_request("post", url, **kwargs)
-        client.get.side_effect = lambda url, **kwargs: mock_request("get", url, **kwargs)
+        def mock_get(url, **kwargs):
+            if "/upload-file" in url:
+                return mock_download_response
+            else:
+                raise ValueError(f"Unexpected URL: {url}")
 
-        return client
+        tool._mock_http_client.post.side_effect = mock_post
+        tool._mock_http_client.get.side_effect = mock_get
 
-    def test_forward_success_with_observer_en(self, mocker: MockFixture, dify_tool: DifySearchTool):
-        client = self._setup_success_flow(mocker, dify_tool)
+    def test_forward_success_with_observer_en(self, dify_tool: DifySearchTool):
+        self._setup_success_flow(dify_tool)
 
         # Set search_method as instance attribute
         dify_tool.search_method = "keyword_search"
@@ -409,11 +476,11 @@ def test_forward_success_with_observer_en(self, mocker: MockFixture, dify_tool:
         assert dify_tool.record_ops == 3  # 1 + len(results)
 
         # Verify API calls were made for both datasets
-        assert client.post.call_count == 2  # Called once per dataset
+        assert dify_tool._mock_http_client.post.call_count == 2  # Called once per dataset
 
-    def test_forward_success_with_observer_zh(self, mocker: MockFixture, dify_tool: DifySearchTool):
+    def test_forward_success_with_observer_zh(self, dify_tool: DifySearchTool):
         dify_tool.observer.lang = "zh"
-        self._setup_success_flow(mocker, dify_tool)
+        self._setup_success_flow(dify_tool)
 
         dify_tool.forward("测试查询")
 
@@ -421,20 +488,24 @@ def test_forward_success_with_observer_zh(self, mocker: MockFixture, dify_tool:
             "", ProcessType.TOOL, dify_tool.running_prompt_zh
         )
 
-    def test_forward_no_observer(self, mocker: MockFixture):
-        tool = DifySearchTool(
-            server_url="https://api.dify.ai/v1",
-            api_key="test_api_key",
-            dataset_ids='["dataset1"]',
-            observer=None,
-        )
-        self._setup_success_flow(mocker, tool)
+    def test_forward_no_observer(self):
+        with patch("sdk.nexent.core.tools.dify_search_tool.http_client_manager") as mock_manager:
+            mock_client = MagicMock()
+            mock_manager.get_sync_client.return_value = mock_client
+            tool = DifySearchTool(
+                server_url="https://api.dify.ai/v1",
+                api_key="test_api_key",
+                dataset_ids='["dataset1"]',
+                observer=None,
+            )
+            tool._mock_http_client = mock_client
+            self._setup_success_flow(tool)
 
-        # Should not raise and should not call observer
-        result_json = tool.forward("query")
-        assert len(json.loads(result_json)) == 1
+            # Should not raise and should not call observer
+            result_json = tool.forward("query")
+            assert len(json.loads(result_json)) == 1
 
-    def test_forward_no_results(self, mocker: MockFixture, dify_tool: DifySearchTool):
+    def test_forward_no_results(self, dify_tool: DifySearchTool):
         # Mock empty search results
         search_response = {"query": "test query", "records": []}
 
@@ -442,10 +513,7 @@ def test_forward_no_results(self, mocker: MockFixture, dify_tool: DifySearchTool
         mock_response.status_code = 200
         mock_response.json.return_value = search_response
 
-        # Mock httpx.Client instead of requests
-        client_cls = mocker.patch("sdk.nexent.core.tools.dify_search_tool.httpx.Client")
-        client = client_cls.return_value.__enter__.return_value
-        client.post.return_value = mock_response
+        dify_tool._mock_http_client.post.return_value = mock_response
 
         with pytest.raises(Exception) as excinfo:
             dify_tool.forward("test query")
@@ -454,11 +522,8 @@ def test_forward_no_results(self, mocker: MockFixture, dify_tool: DifySearchTool
         assert "No results found!" in str(excinfo.value)
         assert "Error searching Dify knowledge base" in str(excinfo.value)
 
-    def test_forward_search_api_error(self, mocker: MockFixture, dify_tool: DifySearchTool):
-        # Mock API error during search
-        client_cls = mocker.patch("sdk.nexent.core.tools.dify_search_tool.httpx.Client")
-        client = client_cls.return_value.__enter__.return_value
-        client.post.side_effect = httpx.RequestError("API error", request=MagicMock())
+    def test_forward_search_api_error(self, dify_tool: DifySearchTool):
+        dify_tool._mock_http_client.post.side_effect = httpx.RequestError("API error", request=MagicMock())
 
         with pytest.raises(Exception) as excinfo:
             dify_tool.forward("test query")
@@ -466,11 +531,7 @@ def test_forward_search_api_error(self, mocker: MockFixture, dify_tool: DifySear
         assert "Error searching Dify knowledge base" in str(excinfo.value)
         assert "Dify API request failed" in str(excinfo.value)
 
-    def test_forward_download_url_error_still_works(self, mocker: MockFixture, dify_tool: DifySearchTool):
-        # Mock httpx.Client
-        client_cls = mocker.patch("sdk.nexent.core.tools.dify_search_tool.httpx.Client")
-        client = client_cls.return_value.__enter__.return_value
-
+    def test_forward_download_url_error_still_works(self, dify_tool: DifySearchTool):
         # Mock successful search but failed download URL
         search_response = {
             "query": "test query",
@@ -493,8 +554,8 @@ def test_forward_download_url_error_still_works(self, mocker: MockFixture, dify_
         mock_search_response.json.return_value = search_response
 
         # Configure client to succeed on post but fail on get
-        client.post.return_value = mock_search_response
-        client.get.side_effect = httpx.RequestError("Download failed", request=MagicMock())
+        dify_tool._mock_http_client.post.return_value = mock_search_response
+        dify_tool._mock_http_client.get.side_effect = httpx.RequestError("Download failed", request=MagicMock())
 
         # Should still work but with empty URL
         result_json = dify_tool.forward("test query")
diff --git a/test/sdk/core/tools/test_knowledge_base_search_tool.py b/test/sdk/core/tools/test_knowledge_base_search_tool.py
index 5902665e0..fa3c9d1fe 100644
--- a/test/sdk/core/tools/test_knowledge_base_search_tool.py
+++ b/test/sdk/core/tools/test_knowledge_base_search_tool.py
@@ -38,22 +38,6 @@ def knowledge_base_search_tool(mock_observer, mock_vdb_core, mock_embedding_mode
         observer=mock_observer,
         embedding_model=mock_embedding_model,
         vdb_core=mock_vdb_core,
-        name_resolver={},
-        search_mode="hybrid"
-    )
-    return tool
-
-
-@pytest.fixture
-def knowledge_base_search_tool_no_observer(mock_vdb_core, mock_embedding_model):
-    """Create KnowledgeBaseSearchTool instance without observer for testing"""
-    tool = KnowledgeBaseSearchTool(
-        top_k=3,
-        index_names=["test_index"],
-        observer=None,
-        embedding_model=mock_embedding_model,
-        vdb_core=mock_vdb_core,
-        name_resolver={},
         search_mode="hybrid"
     )
     return tool
@@ -81,35 +65,6 @@ def create_mock_search_result(count=3):
 
 class TestKnowledgeBaseSearchTool:
     """Test KnowledgeBaseSearchTool functionality"""
-    
-    def test_update_name_resolver_supports_empty_mapping(self, knowledge_base_search_tool):
-        """Ensure update_name_resolver replaces mapping and handles falsy input"""
-        knowledge_base_search_tool.update_name_resolver({"kb": "index_kb"})
-        assert knowledge_base_search_tool.name_resolver == {"kb": "index_kb"}
-
-        knowledge_base_search_tool.update_name_resolver(None)
-        assert knowledge_base_search_tool.name_resolver == {}
-
-    def test_resolve_names_without_resolver_logs_warning(self, knowledge_base_search_tool, mocker):
-        """When no resolver is configured, names are returned unchanged and warning is logged"""
-        warning_mock = mocker.patch("sdk.nexent.core.tools.knowledge_base_search_tool.logger.warning")
-
-        names = knowledge_base_search_tool._resolve_names(["kb1", "kb2"])
-
-        assert names == ["kb1", "kb2"]
-        warning_mock.assert_called_once()
-
-    @pytest.mark.parametrize(
-        "incoming,expected",
-        [
-            (None, []),
-            ("single_index", ["single_index"]),
-            (["a", "b"], ["a", "b"]),
-        ],
-    )
-    def test_normalize_index_names_variants(self, knowledge_base_search_tool_no_observer, incoming, expected):
-        """_normalize_index_names should normalize None, string, and list inputs"""
-        assert knowledge_base_search_tool_no_observer._normalize_index_names(incoming) == expected
 
     def test_forward_with_observer_adds_messages(self, knowledge_base_search_tool):
         """forward should send TOOL and CARD messages when observer is present"""
@@ -133,7 +88,6 @@ def test_init_with_custom_values(self, mock_observer, mock_vdb_core, mock_embedd
             observer=mock_observer,
             embedding_model=mock_embedding_model,
             vdb_core=mock_vdb_core,
-            name_resolver={},
             search_mode="semantic"
         )
 
@@ -152,7 +106,6 @@ def test_init_with_none_index_names(self, mock_vdb_core, mock_embedding_model):
             observer=None,
             embedding_model=mock_embedding_model,
             vdb_core=mock_vdb_core,
-            name_resolver={},
             search_mode="hybrid"
         )
 
diff --git a/test/sdk/core/utils/test_prompt_template_utils.py b/test/sdk/core/utils/test_prompt_template_utils.py
index 4c0a50c5c..8c1788c39 100644
--- a/test/sdk/core/utils/test_prompt_template_utils.py
+++ b/test/sdk/core/utils/test_prompt_template_utils.py
@@ -31,7 +31,7 @@ def test_get_prompt_template_analyze_image_zh(self, mock_yaml_load, mock_file):
 
         # Verify file was opened with correct path
         call_args = mock_file.call_args[0]
-        assert 'prompts/analyze_image.yaml' in call_args[0].replace('\\', '/')
+        assert 'prompts/analyze_image_zh.yaml' in call_args[0].replace('\\', '/')
         assert call_args[1] == 'r'
         assert mock_file.call_args[1]['encoding'] == 'utf-8'
 
@@ -73,7 +73,7 @@ def test_get_prompt_template_default_language_zh(self, mock_yaml_load, mock_file
 
         # Verify file path contains Chinese template
         call_args = mock_file.call_args[0]
-        assert 'prompts/analyze_image.yaml' in call_args[0].replace('\\', '/')
+        assert 'prompts/analyze_image_zh.yaml' in call_args[0].replace('\\', '/')
 
         mock_yaml_load.assert_called_once()
         assert result == {"system_prompt": "Test prompt"}
diff --git a/test/sdk/datamate/test_datamate_client.py b/test/sdk/datamate/test_datamate_client.py
index 03d77eb45..79f50c96b 100644
--- a/test/sdk/datamate/test_datamate_client.py
+++ b/test/sdk/datamate/test_datamate_client.py
@@ -2,17 +2,28 @@
 from unittest.mock import MagicMock
 
 import httpx
-from pytest_mock import MockFixture
+from pytest_mock import MockerFixture
 
 from sdk.nexent.datamate.datamate_client import DataMateClient
 
 
 @pytest.fixture
 def client() -> DataMateClient:
-    return DataMateClient(base_url="http://datamate.local:30000", timeout=1.0)
+    """
+    Create a DataMateClient with a mocked HTTP client.
 
+    The HTTP client is mocked at initialization to ensure tests can properly
+    mock responses without dealing with cached client references.
+    """
+    mock_http_client = MagicMock()
+    client_instance = DataMateClient(base_url="http://datamate.local:30000", timeout=1.0)
+    # Replace the cached HTTP client with a mock for testing
+    client_instance._http_client = mock_http_client
+    return client_instance
 
-def _mock_response(mocker: MockFixture, status: int, json_data=None, text: str = ""):
+
+def _create_mock_response(status: int, json_data=None, text: str = ""):
+    """Create a mock HTTP response for testing."""
     response = MagicMock()
     response.status_code = status
     response.headers = {"content-type": "application/json"} if json_data is not None else {"content-type": "text/plain"}
@@ -22,99 +33,72 @@ def _mock_response(mocker: MockFixture, status: int, json_data=None, text: str =
 
 
 class TestListKnowledgeBases:
-    def test_success(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.post.return_value = _mock_response(
-            mocker,
-            200,
-            {"data": {"content": [{"id": "kb1"}, {"id": "kb2"}]}},
-        )
+    def test_success(self, client: DataMateClient):
+        mock_response = _create_mock_response(200, {"data": {"content": [{"id": "kb1"}, {"id": "kb2"}]}})
+        client._http_client.post.return_value = mock_response
 
         kbs = client.list_knowledge_bases(page=1, size=10, authorization="token")
 
         assert len(kbs) == 2
-        http_client.post.assert_called_once_with(
+        client._http_client.post.assert_called_once_with(
             "http://datamate.local:30000/api/knowledge-base/list",
             json={"page": 1, "size": 10},
             headers={"Authorization": "token"},
+            timeout=client.timeout,
         )
 
-    def test_non_200_json_error(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.post.return_value = _mock_response(
-            mocker,
-            500,
-            {"detail": "boom"},
-        )
+    def test_non_200_json_error(self, client: DataMateClient):
+        mock_response = _create_mock_response(500, {"detail": "boom"})
+        client._http_client.post.return_value = mock_response
 
         with pytest.raises(RuntimeError) as excinfo:
             client.list_knowledge_bases()
         assert "Failed to fetch DataMate knowledge bases" in str(excinfo.value)
 
-    def test_http_error(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.post.side_effect = httpx.HTTPError("network")
+    def test_http_error(self, client: DataMateClient):
+        client._http_client.post.side_effect = httpx.HTTPError("network")
 
         with pytest.raises(RuntimeError):
             client.list_knowledge_bases()
 
 
 class TestGetKnowledgeBaseFiles:
-    def test_success(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.get.return_value = _mock_response(
-            mocker,
-            200,
-            {"data": {"content": [{"id": "f1"}, {"id": "f2"}]}},
-        )
+    def test_success(self, client: DataMateClient):
+        mock_response = _create_mock_response(200, {"data": {"content": [{"id": "f1"}, {"id": "f2"}]}})
+        client._http_client.get.return_value = mock_response
 
         files = client.get_knowledge_base_files("kb1")
 
         assert len(files) == 2
-        http_client.get.assert_called_once_with(
+        client._http_client.get.assert_called_once_with(
             "http://datamate.local:30000/api/knowledge-base/kb1/files",
             headers={},
+            timeout=client.timeout,
         )
 
-    def test_non_200(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.get.return_value = _mock_response(
-            mocker,
-            404,
-            {"detail": "not found"},
-        )
+    def test_non_200(self, client: DataMateClient):
+        mock_response = _create_mock_response(404, {"detail": "not found"})
+        client._http_client.get.return_value = mock_response
 
         with pytest.raises(RuntimeError):
             client.get_knowledge_base_files("kb1")
 
-    def test_http_error(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.get.side_effect = httpx.HTTPError("network")
+    def test_http_error(self, client: DataMateClient):
+        client._http_client.get.side_effect = httpx.HTTPError("network")
 
         with pytest.raises(RuntimeError):
             client.get_knowledge_base_files("kb1")
 
 
 class TestRetrieveKnowledgeBase:
-    def test_success(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.post.return_value = _mock_response(
-            mocker,
-            200,
-            {"data": [{"entity": {"id": "1"}}, {"entity": {"id": "2"}}]},
-        )
+    def test_success(self, client: DataMateClient):
+        mock_response = _create_mock_response(200, {"data": [{"entity": {"id": "1"}}, {"entity": {"id": "2"}}]})
+        client._http_client.post.return_value = mock_response
 
         results = client.retrieve_knowledge_base("q", ["kb1"], top_k=5, threshold=0.1, authorization="auth")
 
         assert len(results) == 2
-        http_client.post.assert_called_once_with(
+        client._http_client.post.assert_called_once_with(
             "http://datamate.local:30000/api/knowledge-base/retrieve",
             json={
                 "query": "q",
@@ -123,24 +107,18 @@ def test_success(self, mocker: MockFixture, client: DataMateClient):
                 "knowledgeBaseIds": ["kb1"],
             },
             headers={"Authorization": "auth"},
+            timeout=client.timeout * 2,
         )
 
-    def test_non_200(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.post.return_value = _mock_response(
-            mocker,
-            500,
-            {"detail": "error"},
-        )
+    def test_non_200(self, client: DataMateClient):
+        mock_response = _create_mock_response(500, {"detail": "error"})
+        client._http_client.post.return_value = mock_response
 
         with pytest.raises(RuntimeError):
             client.retrieve_knowledge_base("q", ["kb1"])
 
-    def test_http_error(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.post.side_effect = httpx.HTTPError("network")
+    def test_http_error(self, client: DataMateClient):
+        client._http_client.post.side_effect = httpx.HTTPError("network")
 
         with pytest.raises(RuntimeError):
             client.retrieve_knowledge_base("q", ["kb1"])
@@ -157,7 +135,7 @@ def test_missing_parts(self, client: DataMateClient):
 
 
 class TestSyncAllKnowledgeBases:
-    def test_success_and_partial_error(self, mocker: MockFixture, client: DataMateClient):
+    def test_success_and_partial_error(self, mocker: MockerFixture, client: DataMateClient):
         mocker.patch.object(client, "list_knowledge_bases", return_value=[{"id": "kb1"}, {"id": "kb2"}])
         mocker.patch.object(client, "get_knowledge_base_files", side_effect=[["f1"], RuntimeError("oops")])
 
@@ -169,7 +147,7 @@ def test_success_and_partial_error(self, mocker: MockFixture, client: DataMateCl
         assert result["knowledge_bases"][1]["files"] == []
         assert "oops" in result["knowledge_bases"][1]["error"]
 
-    def test_sync_failure(self, mocker: MockFixture, client: DataMateClient):
+    def test_sync_failure(self, mocker: MockerFixture, client: DataMateClient):
         mocker.patch.object(client, "list_knowledge_bases", side_effect=RuntimeError("boom"))
 
         result = client.sync_all_knowledge_bases()
@@ -180,63 +158,44 @@ def test_sync_failure(self, mocker: MockFixture, client: DataMateClient):
 
 
 class TestGetKnowledgeBaseInfo:
-    def test_success(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.get.return_value = _mock_response(
-            mocker,
-            200,
-            {"data": {"id": "kb1", "name": "KB1"}},
-        )
+    def test_success(self, client: DataMateClient):
+        mock_response = _create_mock_response(200, {"data": {"id": "kb1", "name": "KB1"}})
+        client._http_client.get.return_value = mock_response
 
         kb = client.get_knowledge_base_info("kb1")
 
         assert isinstance(kb, dict)
         assert kb["id"] == "kb1"
-        http_client.get.assert_called_once_with(
+        client._http_client.get.assert_called_once_with(
             "http://datamate.local:30000/api/knowledge-base/kb1",
             headers={},
+            timeout=client.timeout,
         )
 
-    def test_success_with_authorization(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.get.return_value = _mock_response(
-            mocker,
-            200,
-            {"data": {"id": "kb1", "name": "KB1"}},
-        )
+    def test_success_with_authorization(self, client: DataMateClient):
+        mock_response = _create_mock_response(200, {"data": {"id": "kb1", "name": "KB1"}})
+        client._http_client.get.return_value = mock_response
 
         kb = client.get_knowledge_base_info("kb1", authorization="Bearer token123")
 
         assert isinstance(kb, dict)
         assert kb["id"] == "kb1"
-        http_client.get.assert_called_once_with(
+        client._http_client.get.assert_called_once_with(
             "http://datamate.local:30000/api/knowledge-base/kb1",
             headers={"Authorization": "Bearer token123"},
+            timeout=client.timeout,
         )
 
-    def test_empty_data(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.get.return_value = _mock_response(
-            mocker,
-            200,
-            {"data": {}},
-        )
+    def test_empty_data(self, client: DataMateClient):
+        mock_response = _create_mock_response(200, {"data": {}})
+        client._http_client.get.return_value = mock_response
 
         kb = client.get_knowledge_base_info("kb1")
         assert kb == {}
 
-    def test_non_200_json_error(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.get.return_value = _mock_response(
-            mocker,
-            500,
-            {"detail": "boom"},
-            text="",
-        )
+    def test_non_200_json_error(self, client: DataMateClient):
+        mock_response = _create_mock_response(500, {"detail": "boom"}, text="")
+        client._http_client.get.return_value = mock_response
 
         with pytest.raises(RuntimeError) as excinfo:
             client.get_knowledge_base_info("kb1")
@@ -244,14 +203,12 @@ def test_non_200_json_error(self, mocker: MockFixture, client: DataMateClient):
         assert "Failed to fetch details for datamate knowledge base kb1" in str(excinfo.value)
         assert "Failed to get knowledge base details" in str(excinfo.value)
 
-    def test_non_200_text_error(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        # simulate plain text error response
-        resp = _mock_response(mocker, 404, None, text="not found")
-        # override headers to be text/plain
-        resp.headers = {"content-type": "text/plain"}
-        http_client.get.return_value = resp
+    def test_non_200_text_error(self, client: DataMateClient):
+        # Simulate plain text error response
+        mock_response = _create_mock_response(404, None, text="not found")
+        # Override headers to be text/plain
+        mock_response.headers = {"content-type": "text/plain"}
+        client._http_client.get.return_value = mock_response
 
         with pytest.raises(RuntimeError) as excinfo:
             client.get_knowledge_base_info("kb1")
@@ -259,10 +216,8 @@ def test_non_200_text_error(self, mocker: MockFixture, client: DataMateClient):
         assert "Failed to fetch details for datamate knowledge base kb1" in str(excinfo.value)
         assert "not found" in str(excinfo.value)
 
-    def test_http_error_raised(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.get.side_effect = httpx.HTTPError("network")
+    def test_http_error_raised(self, client: DataMateClient):
+        client._http_client.get.side_effect = httpx.HTTPError("network")
 
         with pytest.raises(RuntimeError) as excinfo:
             client.get_knowledge_base_info("kb1")
@@ -307,66 +262,31 @@ def test_base_url_without_trailing_slash(self, client: DataMateClient):
 class TestMakeRequest:
     """Test the internal _make_request method."""
 
-    def test_get_request_success(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.get.return_value = _mock_response(mocker, 200, {"result": "ok"})
+    def test_get_request_success(self, client: DataMateClient):
+        mock_response = _create_mock_response(200, {"result": "ok"})
+        client._http_client.get.return_value = mock_response
 
         response = client._make_request("GET", "http://test.com/api", {"X-Header": "value"})
 
         assert response.status_code == 200
-        http_client.get.assert_called_once_with("http://test.com/api", headers={"X-Header": "value"})
-        # Verify httpx.Client was called with correct SSL verification setting
-        client_cls.assert_called_once()
-        call_kwargs = client_cls.call_args[1]
-        assert call_kwargs["verify"] == client.verify_ssl
+        client._http_client.get.assert_called_once_with("http://test.com/api", headers={"X-Header": "value"}, timeout=client.timeout)
 
-    def test_post_request_success(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.post.return_value = _mock_response(mocker, 200, {"result": "ok"})
+    def test_post_request_success(self, client: DataMateClient):
+        mock_response = _create_mock_response(200, {"result": "ok"})
+        client._http_client.post.return_value = mock_response
 
         response = client._make_request(
             "POST", "http://test.com/api", {"X-Header": "value"}, json={"key": "value"}
         )
 
         assert response.status_code == 200
-        http_client.post.assert_called_once_with(
-            "http://test.com/api", json={"key": "value"}, headers={"X-Header": "value"}
+        client._http_client.post.assert_called_once_with(
+            "http://test.com/api", json={"key": "value"}, headers={"X-Header": "value"}, timeout=client.timeout
         )
-        # Verify httpx.Client was called with correct SSL verification setting
-        client_cls.assert_called_once()
-        call_kwargs = client_cls.call_args[1]
-        assert call_kwargs["verify"] == client.verify_ssl
-
-    def test_custom_timeout(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.get.return_value = _mock_response(mocker, 200, {"result": "ok"})
-
-        client._make_request("GET", "http://test.com/api", {}, timeout=5.0)
 
-        # Verify timeout was passed to Client
-        client_cls.assert_called_once()
-        call_kwargs = client_cls.call_args[1]
-        assert call_kwargs["timeout"] == 5.0
-
-    def test_default_timeout(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.get.return_value = _mock_response(mocker, 200, {"result": "ok"})
-
-        client._make_request("GET", "http://test.com/api", {})
-
-        # Verify default timeout (1.0) was used
-        client_cls.assert_called_once()
-        call_kwargs = client_cls.call_args[1]
-        assert call_kwargs["timeout"] == 1.0
-
-    def test_non_200_status_code(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.get.return_value = _mock_response(mocker, 404, {"detail": "not found"})
+    def test_non_200_status_code(self, client: DataMateClient):
+        mock_response = _create_mock_response(404, {"detail": "not found"})
+        client._http_client.get.return_value = mock_response
 
         with pytest.raises(Exception) as excinfo:
             client._make_request("GET", "http://test.com/api", {}, error_message="Custom error")
@@ -426,99 +346,88 @@ def test_json_error_without_detail(self, client: DataMateClient):
 class TestListKnowledgeBasesEdgeCases:
     """Test edge cases for list_knowledge_bases."""
 
-    def test_empty_list(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.post.return_value = _mock_response(mocker, 200, {"data": {"content": []}})
+    def test_empty_list(self, client: DataMateClient):
+        mock_response = _create_mock_response(200, {"data": {"content": []}})
+        client._http_client.post.return_value = mock_response
 
         kbs = client.list_knowledge_bases()
         assert kbs == []
 
-    def test_no_data_field(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.post.return_value = _mock_response(mocker, 200, {})
+    def test_no_data_field(self, client: DataMateClient):
+        mock_response = _create_mock_response(200, {})
+        client._http_client.post.return_value = mock_response
 
         kbs = client.list_knowledge_bases()
         assert kbs == []
 
-    def test_default_parameters(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.post.return_value = _mock_response(
-            mocker, 200, {"data": {"content": [{"id": "kb1"}]}}
-        )
+    def test_default_parameters(self, client: DataMateClient):
+        mock_response = _create_mock_response(200, {"data": {"content": [{"id": "kb1"}]}})
+        client._http_client.post.return_value = mock_response
 
         client.list_knowledge_bases()
 
-        http_client.post.assert_called_once_with(
+        client._http_client.post.assert_called_once_with(
             "http://datamate.local:30000/api/knowledge-base/list",
             json={"page": 0, "size": 20},
             headers={},
+            timeout=client.timeout,
         )
 
 
 class TestGetKnowledgeBaseFilesEdgeCases:
     """Test edge cases for get_knowledge_base_files."""
 
-    def test_empty_file_list(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.get.return_value = _mock_response(mocker, 200, {"data": {"content": []}})
+    def test_empty_file_list(self, client: DataMateClient):
+        mock_response = _create_mock_response(200, {"data": {"content": []}})
+        client._http_client.get.return_value = mock_response
 
         files = client.get_knowledge_base_files("kb1")
         assert files == []
 
-    def test_no_data_field(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.get.return_value = _mock_response(mocker, 200, {})
+    def test_no_data_field(self, client: DataMateClient):
+        mock_response = _create_mock_response(200, {})
+        client._http_client.get.return_value = mock_response
 
         files = client.get_knowledge_base_files("kb1")
         assert files == []
 
-    def test_with_authorization(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.get.return_value = _mock_response(
-            mocker, 200, {"data": {"content": [{"id": "f1"}]}}
-        )
+    def test_with_authorization(self, client: DataMateClient):
+        mock_response = _create_mock_response(200, {"data": {"content": [{"id": "f1"}]}})
+        client._http_client.get.return_value = mock_response
 
         client.get_knowledge_base_files("kb1", authorization="Bearer token")
 
-        http_client.get.assert_called_once_with(
+        client._http_client.get.assert_called_once_with(
             "http://datamate.local:30000/api/knowledge-base/kb1/files",
             headers={"Authorization": "Bearer token"},
+            timeout=client.timeout,
         )
 
 
 class TestRetrieveKnowledgeBaseEdgeCases:
     """Test edge cases for retrieve_knowledge_base."""
 
-    def test_empty_results(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.post.return_value = _mock_response(mocker, 200, {"data": []})
+    def test_empty_results(self, client: DataMateClient):
+        mock_response = _create_mock_response(200, {"data": []})
+        client._http_client.post.return_value = mock_response
 
         results = client.retrieve_knowledge_base("query", ["kb1"])
         assert results == []
 
-    def test_no_data_field(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.post.return_value = _mock_response(mocker, 200, {})
+    def test_no_data_field(self, client: DataMateClient):
+        mock_response = _create_mock_response(200, {})
+        client._http_client.post.return_value = mock_response
 
         results = client.retrieve_knowledge_base("query", ["kb1"])
         assert results == []
 
-    def test_default_parameters(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.post.return_value = _mock_response(mocker, 200, {"data": []})
+    def test_default_parameters(self, client: DataMateClient):
+        mock_response = _create_mock_response(200, {"data": []})
+        client._http_client.post.return_value = mock_response
 
         client.retrieve_knowledge_base("query", ["kb1"])
 
-        http_client.post.assert_called_once_with(
+        client._http_client.post.assert_called_once_with(
             "http://datamate.local:30000/api/knowledge-base/retrieve",
             json={
                 "query": "query",
@@ -527,28 +436,16 @@ def test_default_parameters(self, mocker: MockFixture, client: DataMateClient):
                 "knowledgeBaseIds": ["kb1"],
             },
             headers={},
+            timeout=client.timeout * 2,
         )
 
-    def test_custom_timeout(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.post.return_value = _mock_response(mocker, 200, {"data": []})
-
-        client.retrieve_knowledge_base("query", ["kb1"])
-
-        # Verify timeout is doubled for retrieve (1.0 * 2 = 2.0)
-        client_cls.assert_called_once()
-        call_kwargs = client_cls.call_args[1]
-        assert call_kwargs["timeout"] == 2.0
-
-    def test_multiple_knowledge_base_ids(self, mocker: MockFixture, client: DataMateClient):
-        client_cls = mocker.patch("sdk.nexent.datamate.datamate_client.httpx.Client")
-        http_client = client_cls.return_value.__enter__.return_value
-        http_client.post.return_value = _mock_response(mocker, 200, {"data": []})
+    def test_multiple_knowledge_base_ids(self, client: DataMateClient):
+        mock_response = _create_mock_response(200, {"data": []})
+        client._http_client.post.return_value = mock_response
 
         client.retrieve_knowledge_base("query", ["kb1", "kb2", "kb3"], top_k=5, threshold=0.3)
 
-        http_client.post.assert_called_once_with(
+        client._http_client.post.assert_called_once_with(
             "http://datamate.local:30000/api/knowledge-base/retrieve",
             json={
                 "query": "query",
@@ -557,13 +454,14 @@ def test_multiple_knowledge_base_ids(self, mocker: MockFixture, client: DataMate
                 "knowledgeBaseIds": ["kb1", "kb2", "kb3"],
             },
             headers={},
+            timeout=client.timeout * 2,
         )
 
 
 class TestSyncAllKnowledgeBasesEdgeCases:
     """Test edge cases for sync_all_knowledge_bases."""
 
-    def test_empty_knowledge_bases_list(self, mocker: MockFixture, client: DataMateClient):
+    def test_empty_knowledge_bases_list(self, mocker: MockerFixture, client: DataMateClient):
         mocker.patch.object(client, "list_knowledge_bases", return_value=[])
 
         result = client.sync_all_knowledge_bases()
@@ -572,7 +470,7 @@ def test_empty_knowledge_bases_list(self, mocker: MockFixture, client: DataMateC
         assert result["total_count"] == 0
         assert result["knowledge_bases"] == []
 
-    def test_all_success(self, mocker: MockFixture, client: DataMateClient):
+    def test_all_success(self, mocker: MockerFixture, client: DataMateClient):
         mocker.patch.object(
             client, "list_knowledge_bases", return_value=[{"id": "kb1"}, {"id": "kb2"}]
         )
@@ -589,7 +487,7 @@ def test_all_success(self, mocker: MockFixture, client: DataMateClient):
         assert "error" not in result["knowledge_bases"][0]
         assert "error" not in result["knowledge_bases"][1]
 
-    def test_with_authorization(self, mocker: MockFixture, client: DataMateClient):
+    def test_with_authorization(self, mocker: MockerFixture, client: DataMateClient):
         list_mock = mocker.patch.object(
             client, "list_knowledge_bases", return_value=[{"id": "kb1"}]
         )
@@ -608,7 +506,7 @@ class TestClientInitialization:
 
     def test_default_timeout(self):
         client = DataMateClient(base_url="http://test.com")
-        assert client.timeout == 30.0
+        assert client.timeout == 5.0
 
     def test_custom_timeout(self):
         client = DataMateClient(base_url="http://test.com", timeout=5.0)
diff --git a/test/sdk/monitor/conftest.py b/test/sdk/monitor/conftest.py
new file mode 100644
index 000000000..565bfab83
--- /dev/null
+++ b/test/sdk/monitor/conftest.py
@@ -0,0 +1,78 @@
+"""
+Test configuration for SDK monitoring module.
+
+This conftest.py ensures OpenTelemetry is properly mocked BEFORE any test
+modules are imported. This is critical because the monitoring module uses
+binding imports (e.g., `from opentelemetry import trace`) which bind the
+imported objects at module load time.
+"""
+
+import sys
+from unittest.mock import MagicMock
+
+
+def pytest_configure(config):
+    """
+    Configure OpenTelemetry mocks before any test modules are collected.
+
+    This runs at the very beginning of pytest execution, before test
+    collection. We mock the entire OpenTelemetry package tree in sys.modules
+    so that when monitoring.py is imported, it sees the mock objects.
+    """
+    # Create mock modules for OpenTelemetry
+    mock_opentelemetry = MagicMock()
+    mock_opentelemetry.trace = MagicMock()
+    mock_opentelemetry.metrics = MagicMock()
+    mock_opentelemetry.trace.status = MagicMock()
+    mock_opentelemetry.exporter = MagicMock()
+    mock_opentelemetry.exporter.prometheus = MagicMock()
+    mock_opentelemetry.exporter.jaeger = MagicMock()
+    mock_opentelemetry.exporter.jaeger.thrift = MagicMock()
+    mock_opentelemetry.sdk = MagicMock()
+    mock_opentelemetry.sdk.metrics = MagicMock()
+    mock_opentelemetry.sdk.trace = MagicMock()
+    mock_opentelemetry.sdk.trace.export = MagicMock()
+    mock_opentelemetry.sdk.resources = MagicMock()
+    mock_opentelemetry.instrumentation = MagicMock()
+    mock_opentelemetry.instrumentation.requests = MagicMock()
+    mock_opentelemetry.instrumentation.fastapi = MagicMock()
+
+    # Insert mocks into sys.modules BEFORE any imports
+    modules_to_mock = {
+        'opentelemetry': mock_opentelemetry,
+        'opentelemetry.trace': mock_opentelemetry.trace,
+        'opentelemetry.metrics': mock_opentelemetry.metrics,
+        'opentelemetry.trace.status': mock_opentelemetry.trace.status,
+        'opentelemetry.exporter': mock_opentelemetry.exporter,
+        'opentelemetry.exporter.prometheus': mock_opentelemetry.exporter.prometheus,
+        'opentelemetry.exporter.jaeger': mock_opentelemetry.exporter.jaeger,
+        'opentelemetry.exporter.jaeger.thrift': mock_opentelemetry.exporter.jaeger.thrift,
+        'opentelemetry.sdk': mock_opentelemetry.sdk,
+        'opentelemetry.sdk.metrics': mock_opentelemetry.sdk.metrics,
+        'opentelemetry.sdk.trace': mock_opentelemetry.sdk.trace,
+        'opentelemetry.sdk.trace.export': mock_opentelemetry.sdk.trace.export,
+        'opentelemetry.sdk.resources': mock_opentelemetry.sdk.resources,
+        'opentelemetry.instrumentation': mock_opentelemetry.instrumentation,
+        'opentelemetry.instrumentation.requests': mock_opentelemetry.instrumentation.requests,
+        'opentelemetry.instrumentation.fastapi': mock_opentelemetry.instrumentation.fastapi,
+    }
+
+    # Store original modules for cleanup
+    original_modules = {}
+    for module_name in modules_to_mock:
+        if module_name in sys.modules:
+            original_modules[module_name] = sys.modules[module_name]
+        sys.modules[module_name] = modules_to_mock[module_name]
+
+    # Store for cleanup in pytest_unconfigure
+    config._mocked_otel_modules = original_modules
+
+
+def pytest_unconfigure(config):
+    """
+    Restore original OpenTelemetry modules after tests complete.
+    """
+    if hasattr(config, '_mocked_otel_modules'):
+        for module_name, original_module in config._mocked_otel_modules.items():
+            sys.modules[module_name] = original_module
+
diff --git a/test/sdk/monitor/test_monitoring.py b/test/sdk/monitor/test_monitoring.py
index e61ec38bb..7196458fb 100644
--- a/test/sdk/monitor/test_monitoring.py
+++ b/test/sdk/monitor/test_monitoring.py
@@ -21,31 +21,6 @@
 import asyncio
 from unittest.mock import Mock, MagicMock, patch
 
-# Mock OpenTelemetry components before importing the monitoring module
-
-
-@pytest.fixture(autouse=True)
-def mock_opentelemetry():
-    """Mock all OpenTelemetry dependencies."""
-    with patch.dict('sys.modules', {
-        'opentelemetry': MagicMock(),
-        'opentelemetry.trace': MagicMock(),
-        'opentelemetry.metrics': MagicMock(),
-        'opentelemetry.trace.status': MagicMock(),
-        'opentelemetry.exporter.prometheus': MagicMock(),
-        'opentelemetry.sdk.metrics': MagicMock(),
-        'opentelemetry.sdk.trace.export': MagicMock(),
-        'opentelemetry.sdk.trace': MagicMock(),
-        'opentelemetry.instrumentation.requests': MagicMock(),
-        'opentelemetry.instrumentation.fastapi': MagicMock(),
-        'opentelemetry.exporter.jaeger.thrift': MagicMock(),
-        'opentelemetry.sdk.resources': MagicMock(),
-    }):
-        yield
-
-
-# Import after mocking
-
 
 class TestMonitoringConfig:
     """Test MonitoringConfig dataclass."""
diff --git a/test/sdk/utils/test_http_client_manager.py b/test/sdk/utils/test_http_client_manager.py
new file mode 100644
index 000000000..b9e257e66
--- /dev/null
+++ b/test/sdk/utils/test_http_client_manager.py
@@ -0,0 +1,595 @@
+"""
+Tests for HTTP Client Manager module.
+
+This module tests the HttpClientManager class including:
+- Singleton pattern implementation
+- HTTP client creation and caching
+- Context manager support (new feature)
+- Client lifecycle management
+- Statistics and configuration retrieval
+"""
+import pytest
+from unittest.mock import patch, MagicMock
+
+
+def _reset_singleton():
+    """Reset the singleton state for test isolation."""
+    import sys
+    from nexent.utils.http_client_manager import HttpClientManager
+
+    # Get the module for updating the global http_client_manager reference
+    module = sys.modules.get("nexent.utils.http_client_manager")
+
+    # Get the existing instance before resetting
+    instance = HttpClientManager._instance
+    if instance is not None:
+        # Close all clients properly before clearing
+        for client in list(instance._clients.values()):
+            try:
+                client.close()
+            except Exception:
+                pass
+        for client in list(instance._async_clients.values()):
+            try:
+                # Use close() for async clients in sync context
+                if hasattr(client, 'close'):
+                    client.close()
+            except Exception:
+                pass
+        # Clear the instance's internal state
+        instance._clients.clear()
+        instance._async_clients.clear()
+        instance._configs.clear()
+        # Reset instance-level initialized flag
+        instance._initialized = False
+    # Reset class-level singleton variables
+    HttpClientManager._instance = None
+
+    # Update the module-level http_client_manager to point to a fresh instance
+    # This ensures tests get a completely new singleton state
+    if module is not None:
+        # Force module reload to get a fresh singleton
+        fresh_manager = HttpClientManager()
+        module.http_client_manager = fresh_manager
+
+
+class TestHttpClientManagerSingleton:
+    """Test singleton pattern implementation."""
+
+    def test_singleton_returns_same_instance(self):
+        """Test that HttpClientManager returns the same instance."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import HttpClientManager
+
+        manager1 = HttpClientManager()
+        manager2 = HttpClientManager()
+
+        assert manager1 is manager2
+
+    def test_singleton_thread_safety(self):
+        """Test that singleton initialization is thread-safe."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import HttpClientManager
+        import threading
+
+        instances = []
+        barrier = threading.Barrier(10)
+
+        def create_instance():
+            barrier.wait()
+            instances.append(HttpClientManager())
+
+        threads = [threading.Thread(target=create_instance) for _ in range(10)]
+        for t in threads:
+            t.start()
+        for t in threads:
+            t.join()
+
+        # All instances should be the same object
+        first_instance = instances[0]
+        for instance in instances[1:]:
+            assert instance is first_instance
+
+
+class TestHttpClientManagerSyncClient:
+    """Test synchronous HTTP client management."""
+
+    def test_get_sync_client_creates_new_client(self):
+        """Test that get_sync_client creates a new client for new config."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        client = http_client_manager.get_sync_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        assert client is not None
+        stats = http_client_manager.get_stats()
+        assert stats["sync_clients_count"] == 1
+
+    def test_get_sync_client_returns_cached_client(self):
+        """Test that get_sync_client returns the same client for same config."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        client1 = http_client_manager.get_sync_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+        client2 = http_client_manager.get_sync_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        assert client1 is client2
+        # Only one client despite 2 calls
+        assert http_client_manager.get_stats()["sync_clients_count"] == 1
+
+    def test_get_sync_client_different_timeout_creates_new_client(self):
+        """Test that different timeout creates a new client."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        client1 = http_client_manager.get_sync_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+        client2 = http_client_manager.get_sync_client(
+            base_url="https://api.example.com",
+            timeout=60.0,
+            verify_ssl=True
+        )
+
+        assert client1 is not client2
+        assert http_client_manager.get_stats()["sync_clients_count"] == 2
+
+    def test_get_sync_client_different_verify_ssl_creates_new_client(self):
+        """Test that different verify_ssl creates a new client."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        client1 = http_client_manager.get_sync_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+        client2 = http_client_manager.get_sync_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=False
+        )
+
+        assert client1 is not client2
+        assert http_client_manager.get_stats()["sync_clients_count"] == 2
+
+    def test_get_sync_client_different_base_url_creates_new_client(self):
+        """Test that different base_url creates a new client."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        client1 = http_client_manager.get_sync_client(
+            base_url="https://api1.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+        client2 = http_client_manager.get_sync_client(
+            base_url="https://api2.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        assert client1 is not client2
+        assert http_client_manager.get_stats()["sync_clients_count"] == 2
+
+
+class TestHttpClientManagerAsyncClient:
+    """Test asynchronous HTTP client management."""
+
+    def test_get_async_client_creates_new_client(self):
+        """Test that get_async_client creates a new client for new config."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        client = http_client_manager.get_async_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        assert client is not None
+        assert http_client_manager.get_stats()["async_clients_count"] == 1
+
+    def test_get_async_client_returns_cached_client(self):
+        """Test that get_async_client returns the same client for same config."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        client1 = http_client_manager.get_async_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+        client2 = http_client_manager.get_async_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        assert client1 is client2
+        # Only one client despite 2 calls
+        assert http_client_manager.get_stats()["async_clients_count"] == 1
+
+
+class TestHttpClientManagerContextManager:
+    """Test context manager support (new feature)."""
+
+    def test_context_manager_enter_returns_self(self):
+        """Test that __enter__ returns the manager instance."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        with http_client_manager as manager:
+            assert manager is http_client_manager
+
+    def test_context_manager_exits_cleans_up_clients(self):
+        """Test that __exit__ properly closes all clients."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        # Create some clients
+        http_client_manager.get_sync_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+        http_client_manager.get_sync_client(
+            base_url="https://api2.example.com",
+            timeout=60.0,
+            verify_ssl=False
+        )
+
+        # Verify clients were created
+        stats_before = http_client_manager.get_stats()
+        assert stats_before["sync_clients_count"] == 2
+
+        # Exit context - clients should be closed
+        # The context manager's __exit__ calls shutdown()
+
+    def test_context_manager_with_exception_still_closes(self):
+        """Test that context manager closes clients even when exception occurs."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        # Create a client before context
+        http_client_manager.get_sync_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        # Simulate exception in context - manager should still shutdown
+        try:
+            with http_client_manager:
+                raise ValueError("Test exception")
+        except ValueError:
+            pass
+
+        # After context exit, clients should be cleaned up
+        stats = http_client_manager.get_stats()
+        assert stats["sync_clients_count"] == 0
+
+    def test_context_manager_multiple_clients_closed(self):
+        """Test that all clients are closed when exiting context."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        with http_client_manager as manager:
+            client1 = manager.get_sync_client(
+                base_url="https://api1.example.com",
+                timeout=30.0,
+                verify_ssl=True
+            )
+            client2 = manager.get_sync_client(
+                base_url="https://api2.example.com",
+                timeout=30.0,
+                verify_ssl=True
+            )
+
+            # Both clients should be cached
+            stats = manager.get_stats()
+            assert stats["sync_clients_count"] == 2
+
+        # After exiting context, all clients should be closed
+        stats = http_client_manager.get_stats()
+        assert stats["sync_clients_count"] == 0
+
+
+class TestHttpClientManagerShutdown:
+    """Test shutdown functionality."""
+
+    def test_shutdown_closes_all_sync_clients(self):
+        """Test that shutdown() closes all sync clients."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        # Create clients
+        http_client_manager.get_sync_client(
+            base_url="https://api1.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+        http_client_manager.get_sync_client(
+            base_url="https://api2.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        # Verify clients exist
+        stats_before = http_client_manager.get_stats()
+        assert stats_before["sync_clients_count"] == 2
+
+        # Shutdown
+        http_client_manager.shutdown()
+
+        # Verify clients are closed
+        stats_after = http_client_manager.get_stats()
+        assert stats_after["sync_clients_count"] == 0
+
+    def test_shutdown_clears_configs(self):
+        """Test that shutdown() clears all configurations."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        http_client_manager.get_sync_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        http_client_manager.shutdown()
+
+        assert http_client_manager.get_stats()["configs_count"] == 0
+
+
+class TestHttpClientManagerAsyncShutdown:
+    """Test async shutdown functionality."""
+
+    @pytest.mark.asyncio
+    async def test_shutdown_async_closes_all_clients(self):
+        """Test that shutdown_async() closes both sync and async clients."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        # Create both sync and async clients
+        # Note: get_async_client() is synchronous, returns AsyncClient directly
+        http_client_manager.get_sync_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+        http_client_manager.get_async_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        # Verify clients exist
+        stats_before = http_client_manager.get_stats()
+        assert stats_before["sync_clients_count"] == 1
+        assert stats_before["async_clients_count"] == 1
+
+        # Async shutdown
+        await http_client_manager.shutdown_async()
+
+        # Verify all clients are closed
+        stats_after = http_client_manager.get_stats()
+        assert stats_after["sync_clients_count"] == 0
+        assert stats_after["async_clients_count"] == 0
+
+
+class TestHttpClientManagerCloseClient:
+    """Test individual client close functionality."""
+
+    def test_close_client_returns_true_when_found(self):
+        """Test that close_client returns True when client exists."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        http_client_manager.get_sync_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        result = http_client_manager.close_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        assert result is True
+
+    def test_close_client_returns_false_when_not_found(self):
+        """Test that close_client returns False when client doesn't exist."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        result = http_client_manager.close_client(
+            base_url="https://nonexistent.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        assert result is False
+
+    def test_close_client_removes_client_from_registry(self):
+        """Test that close_client removes the client from registry."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        http_client_manager.get_sync_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        http_client_manager.close_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        assert http_client_manager.get_stats()["sync_clients_count"] == 0
+
+    @pytest.mark.asyncio
+    async def test_close_async_client(self):
+        """Test async client close functionality."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        # get_async_client() is synchronous, returns AsyncClient directly
+        http_client_manager.get_async_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        result = await http_client_manager.close_async_client(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        assert result is True
+
+
+class TestHttpClientManagerGetStats:
+    """Test statistics retrieval functionality."""
+
+    def test_get_stats_returns_correct_counts(self):
+        """Test that get_stats returns correct client counts."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        http_client_manager.get_sync_client(
+            base_url="https://api1.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+        http_client_manager.get_sync_client(
+            base_url="https://api2.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        stats = http_client_manager.get_stats()
+
+        assert stats["sync_clients_count"] == 2
+        assert stats["async_clients_count"] == 0
+        assert stats["configs_count"] == 2
+
+    def test_get_stats_includes_client_details(self):
+        """Test that get_stats includes detailed client information."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        http_client_manager.get_sync_client(
+            base_url="https://api.example.com",
+            timeout=45.0,
+            verify_ssl=False
+        )
+
+        stats = http_client_manager.get_stats()
+
+        assert len(stats["clients"]) == 1
+        client_info = stats["clients"][0]
+        assert client_info["base_url"] == "https://api.example.com"
+        assert client_info["timeout"] == 45.0
+        assert client_info["verify_ssl"] is False
+        assert client_info["is_async"] is False
+
+
+class TestHttpClientManagerGetConfig:
+    """Test configuration retrieval functionality."""
+
+    def test_get_client_config_returns_config(self):
+        """Test that get_client_config returns the correct configuration."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        http_client_manager.get_sync_client(
+            base_url="https://api.example.com",
+            timeout=60.0,
+            verify_ssl=True
+        )
+
+        config = http_client_manager.get_client_config(
+            base_url="https://api.example.com",
+            timeout=60.0,
+            verify_ssl=True
+        )
+
+        assert config is not None
+        assert config.base_url == "https://api.example.com"
+        assert config.timeout == 60.0
+        assert config.verify_ssl is True
+
+    def test_get_client_config_returns_none_for_nonexistent(self):
+        """Test that get_client_config returns None for non-existent client."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        config = http_client_manager.get_client_config(
+            base_url="https://nonexistent.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        assert config is None
+
+
+class TestHttpClientManagerClientKey:
+    """Test client key generation functionality."""
+
+    def test_get_client_key_format(self):
+        """Test that _get_client_key generates correct format."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        key = http_client_manager._get_client_key(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+
+        assert key == "https://api.example.com|30.0|True"
+
+    def test_get_client_key_different_params_different_keys(self):
+        """Test that different parameters generate different keys."""
+        _reset_singleton()
+        from nexent.utils.http_client_manager import http_client_manager
+
+        key1 = http_client_manager._get_client_key(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=True
+        )
+        key2 = http_client_manager._get_client_key(
+            base_url="https://api.example.com",
+            timeout=60.0,
+            verify_ssl=True
+        )
+        key3 = http_client_manager._get_client_key(
+            base_url="https://api.example.com",
+            timeout=30.0,
+            verify_ssl=False
+        )
+
+        assert key1 != key2
+        assert key1 != key3
+        assert key2 != key3
diff --git a/test/sdk/vector_database/test_datamate_core.py b/test/sdk/vector_database/test_datamate_core.py
index 23ab664fc..cd77f0892 100644
--- a/test/sdk/vector_database/test_datamate_core.py
+++ b/test/sdk/vector_database/test_datamate_core.py
@@ -170,7 +170,7 @@ def test_ssl_verification_parameter(mock_client_cls):
     # Test default SSL verification (should be True)
     core_default = datamate_core.DataMateCore(base_url="http://example")
     mock_client_cls.assert_called_with(
-        base_url="http://example", timeout=30.0, verify_ssl=True
+        base_url="http://example", timeout=5.0, verify_ssl=True
     )
 
     # Reset mock
@@ -181,7 +181,7 @@ def test_ssl_verification_parameter(mock_client_cls):
         base_url="http://example", verify_ssl=True
     )
     mock_client_cls.assert_called_with(
-        base_url="http://example", timeout=30.0, verify_ssl=True
+        base_url="http://example", timeout=5.0, verify_ssl=True
     )
 
     # Reset mock
@@ -192,7 +192,7 @@ def test_ssl_verification_parameter(mock_client_cls):
         base_url="http://example", verify_ssl=False
     )
     mock_client_cls.assert_called_with(
-        base_url="http://example", timeout=30.0, verify_ssl=False
+        base_url="http://example", timeout=5.0, verify_ssl=False
     )
 
     # Reset mock
diff --git a/test/sdk/vector_database/test_elasticsearch_core.py b/test/sdk/vector_database/test_elasticsearch_core.py
index 40b29853a..1ce45d316 100644
--- a/test/sdk/vector_database/test_elasticsearch_core.py
+++ b/test/sdk/vector_database/test_elasticsearch_core.py
@@ -472,6 +472,227 @@ def test_get_user_indices_success(elasticsearch_core_instance):
         assert ".system_index" not in result
 
 
+# ----------------------------------------------------------------------------
+# Tests for _force_refresh_with_retry method
+# ----------------------------------------------------------------------------
+
+def test_force_refresh_with_retry_success_first_attempt(elasticsearch_core_instance):
+    """Test _force_refresh_with_retry succeeds on first attempt."""
+    with patch.object(elasticsearch_core_instance.client.indices, 'refresh') as mock_refresh:
+        mock_refresh.return_value = {"_shards": {"successful": 1}}
+
+        result = elasticsearch_core_instance._force_refresh_with_retry("test_index")
+
+        assert result is True
+        mock_refresh.assert_called_once_with(index="test_index")
+
+
+def test_force_refresh_with_retry_success_after_one_failure(elasticsearch_core_instance):
+    """Test _force_refresh_with_retry succeeds on second attempt after first failure."""
+    with patch.object(elasticsearch_core_instance.client.indices, 'refresh') as mock_refresh, \
+            patch('time.sleep') as mock_sleep:
+        # First call fails, second call succeeds
+        mock_refresh.side_effect = [
+            Exception("Connection refused"),
+            {"_shards": {"successful": 1}}
+        ]
+
+        result = elasticsearch_core_instance._force_refresh_with_retry("test_index", max_retries=3)
+
+        assert result is True
+        assert mock_refresh.call_count == 2
+        mock_sleep.assert_called_once_with(0.5)  # First retry delay is 0.5 * (0 + 1)
+
+
+def test_force_refresh_with_retry_all_attempts_fail(elasticsearch_core_instance, caplog):
+    """Test _force_refresh_with_retry returns False when all retries fail."""
+    with patch.object(elasticsearch_core_instance.client.indices, 'refresh') as mock_refresh, \
+            patch('time.sleep') as mock_sleep:
+        # All attempts fail
+        mock_refresh.side_effect = Exception("Connection refused")
+
+        result = elasticsearch_core_instance._force_refresh_with_retry("test_index", max_retries=3)
+
+        assert result is False
+        assert mock_refresh.call_count == 3
+        # Should sleep twice (between 3 attempts)
+        assert mock_sleep.call_count == 2
+        assert any("Failed to refresh index test_index" in m for m in caplog.messages)
+
+
+def test_force_refresh_with_retry_success_after_two_failures(elasticsearch_core_instance):
+    """Test _force_refresh_with_retry succeeds on third attempt after two failures."""
+    with patch.object(elasticsearch_core_instance.client.indices, 'refresh') as mock_refresh, \
+            patch('time.sleep') as mock_sleep:
+        # First two fail, third succeeds
+        mock_refresh.side_effect = [
+            Exception("Fail 1"),
+            Exception("Fail 2"),
+            {"_shards": {"successful": 1}}
+        ]
+
+        result = elasticsearch_core_instance._force_refresh_with_retry("test_index", max_retries=3)
+
+        assert result is True
+        assert mock_refresh.call_count == 3
+        assert mock_sleep.call_count == 2
+        # Verify sleep delays: 0.5, 1.0
+        mock_sleep.assert_any_call(0.5)
+        mock_sleep.assert_any_call(1.0)
+
+
+# ----------------------------------------------------------------------------
+# Tests for _ensure_index_ready method
+# ----------------------------------------------------------------------------
+
+def test_ensure_index_ready_success_green_status(elasticsearch_core_instance):
+    """Test _ensure_index_ready succeeds when cluster health is green."""
+    with patch.object(elasticsearch_core_instance.client.cluster, 'health') as mock_health, \
+            patch.object(elasticsearch_core_instance.client, 'search') as mock_search:
+        mock_health.return_value = {"status": "green"}
+        mock_search.return_value = {"hits": {"total": {"value": 0}}}
+
+        result = elasticsearch_core_instance._ensure_index_ready("test_index", timeout=10)
+
+        assert result is True
+        mock_health.assert_called_once()
+        mock_search.assert_called_once()
+
+
+def test_ensure_index_ready_success_yellow_status(elasticsearch_core_instance):
+    """Test _ensure_index_ready succeeds when cluster health is yellow."""
+    with patch.object(elasticsearch_core_instance.client.cluster, 'health') as mock_health, \
+            patch.object(elasticsearch_core_instance.client, 'search') as mock_search:
+        mock_health.return_value = {"status": "yellow"}
+        mock_search.return_value = {"hits": {"total": {"value": 0}}}
+
+        result = elasticsearch_core_instance._ensure_index_ready("test_index", timeout=10)
+
+        assert result is True
+        mock_health.assert_called_once()
+        mock_search.assert_called_once()
+
+
+def test_ensure_index_ready_red_status_continues_loop(elasticsearch_core_instance):
+    """Test _ensure_index_ready continues loop when health status is red."""
+    import time as time_module
+
+    with patch.object(elasticsearch_core_instance.client.cluster, 'health') as mock_health, \
+            patch.object(elasticsearch_core_instance.client, 'search') as mock_search, \
+            patch('time.time') as mock_time:
+        # First call returns red, second call returns green
+        mock_health.side_effect = [
+            {"status": "red"},
+            {"status": "green"}
+        ]
+        mock_search.return_value = {"hits": {"total": {"value": 0}}}
+
+        # Mock time to simulate elapsed time
+        call_count = [0]
+        def time_side_effect():
+            call_count[0] += 1
+            if call_count[0] == 1:
+                return 1000.0  # start_time
+            elif call_count[0] == 2:
+                return 1000.5  # First loop iteration (less than timeout)
+            else:
+                return 1010.0  # Second iteration (exceeds timeout)
+
+        mock_time.side_effect = time_side_effect
+
+        result = elasticsearch_core_instance._ensure_index_ready("test_index", timeout=5)
+
+        # Should return False because timeout was exceeded
+        assert result is False
+
+
+def test_ensure_index_ready_timeout(elasticsearch_core_instance, caplog):
+    """Test _ensure_index_ready returns False when timeout is exceeded."""
+    import time as time_module
+
+    with patch.object(elasticsearch_core_instance.client.cluster, 'health') as mock_health, \
+            patch('time.time') as mock_time, \
+            patch('time.sleep') as mock_sleep:
+        # Always return red status so it keeps looping
+        mock_health.return_value = {"status": "red"}
+
+        # Mock time to simulate timeout
+        mock_time.side_effect = [1000.0, 1000.1, 1005.1, 1005.2, 1010.1]  # Simulates timeout exceeded
+
+        result = elasticsearch_core_instance._ensure_index_ready("test_index", timeout=5)
+
+        assert result is False
+        assert any(f"Index test_index may not be fully ready after 5s" in m for m in caplog.messages)
+
+
+def test_ensure_index_ready_health_exception_continues_loop(elasticsearch_core_instance):
+    """Test _ensure_index_ready continues loop when health check throws exception."""
+    import time as time_module
+
+    with patch.object(elasticsearch_core_instance.client.cluster, 'health') as mock_health, \
+            patch.object(elasticsearch_core_instance.client, 'search') as mock_search, \
+            patch('time.time') as mock_time, \
+            patch('time.sleep') as mock_sleep:
+        # First call throws exception, second call returns green
+        mock_health.side_effect = [
+            Exception("Connection failed"),
+            {"status": "green"}
+        ]
+        mock_search.return_value = {"hits": {"total": {"value": 0}}}
+
+        # Mock time to simulate elapsed time
+        call_count = [0]
+        def time_side_effect():
+            call_count[0] += 1
+            if call_count[0] == 1:
+                return 1000.0  # start_time
+            elif call_count[0] == 2:
+                return 1000.05  # First loop (exception caught, short sleep)
+            elif call_count[0] == 3:
+                return 1000.1  # After sleep
+            else:
+                return 1001.0  # After green status returned
+
+        mock_time.side_effect = time_side_effect
+
+        result = elasticsearch_core_instance._ensure_index_ready("test_index", timeout=10)
+
+        assert result is True
+        assert mock_health.call_count == 2
+        mock_sleep.assert_called_once_with(0.1)
+
+
+def test_ensure_index_ready_search_exception_on_double_check(elasticsearch_core_instance):
+    """Test _ensure_index_ready handles exception during search double check."""
+    import time as time_module
+
+    with patch.object(elasticsearch_core_instance.client.cluster, 'health') as mock_health, \
+            patch.object(elasticsearch_core_instance.client, 'search') as mock_search, \
+            patch('time.time') as mock_time, \
+            patch('time.sleep') as mock_sleep:
+        # Health returns green but search fails
+        mock_health.return_value = {"status": "green"}
+        mock_search.side_effect = Exception("Search failed")
+
+        # Mock time to simulate timeout after retry
+        call_count = [0]
+        def time_side_effect():
+            call_count[0] += 1
+            if call_count[0] == 1:
+                return 1000.0  # start_time
+            elif call_count[0] == 2:
+                return 1000.05  # First loop (search fails, short sleep)
+            else:
+                return 1005.0  # Timeout
+
+        mock_time.side_effect = time_side_effect
+
+        result = elasticsearch_core_instance._ensure_index_ready("test_index", timeout=5)
+
+        # Should timeout after retries
+        assert result is False
+
+
 # ----------------------------------------------------------------------------
 # Tests for document operations
 # ----------------------------------------------------------------------------
@@ -1132,6 +1353,192 @@ def test_hybrid_search_success(elasticsearch_core_instance):
         mock_semantic.assert_called_once()
 
 
+def test_hybrid_search_with_missing_embeddings_generates_and_stores(elasticsearch_core_instance):
+    """
+    Test hybrid search when chunks exist in accurate results but not in semantic results
+    (e.g., manually added chunks without embeddings).
+    The system should generate embeddings, store them in ES, and re-execute semantic search.
+    """
+    mock_embedding_model = MagicMock()
+    mock_embedding_model.embedding_model_name = "test-model"
+    mock_embedding_model.get_embeddings.return_value = [[0.1] * 1024]
+
+    # Initial accurate search returns doc1, semantic search only returns doc2 (doc1 missing)
+    # This simulates a chunk that was manually added without embedding
+    with patch.object(elasticsearch_core_instance, 'accurate_search') as mock_accurate, \
+            patch.object(elasticsearch_core_instance, 'semantic_search') as mock_semantic, \
+            patch.object(elasticsearch_core_instance, 'client') as mock_client:
+
+        # First call: accurate returns doc1 (with content), semantic returns only doc2
+        mock_accurate.return_value = [
+            {
+                "score": 10.0,
+                "document": {"id": "doc1", "content": "Test doc 1 - needs embedding"},
+                "index": "test_index"
+            }
+        ]
+
+        # First semantic search doesn't find doc1 because it has no embedding
+        mock_semantic.side_effect = [
+            # First call returns doc2 only (doc1 missing because no embedding)
+            [
+                {
+                    "score": 0.8,
+                    "document": {"id": "doc2", "content": "Test doc 2"},
+                    "index": "test_index"
+                }
+            ],
+            # Second call (after generating embedding) finds doc1
+            [
+                {
+                    "score": 0.9,
+                    "document": {"id": "doc1", "content": "Test doc 1 - needs embedding"},
+                    "index": "test_index"
+                },
+                {
+                    "score": 0.8,
+                    "document": {"id": "doc2", "content": "Test doc 2"},
+                    "index": "test_index"
+                }
+            ]
+        ]
+
+        # Mock client.index for storing embedding
+        mock_client.index.return_value = {"result": "created"}
+
+        result = elasticsearch_core_instance.hybrid_search(
+            ["test_index"],
+            "test query",
+            mock_embedding_model,
+            top_k=5,
+            weight_accurate=0.3
+        )
+
+        # Verify semantic_search was called twice (initial + after embedding)
+        assert mock_semantic.call_count == 2
+
+        # Verify client.index was called to store the embedding
+        mock_client.index.assert_called_once()
+        call_args = mock_client.index.call_args
+        assert call_args.kwargs["id"] == "doc1"
+        assert "embedding" in call_args.kwargs["document"]
+
+        # Verify result includes doc1 with semantic_score
+        assert len(result) >= 1
+        doc_ids = [r["document"]["id"] for r in result]
+        assert "doc1" in doc_ids
+
+
+def test_hybrid_search_no_missing_embeddings_no_retry(elasticsearch_core_instance):
+    """
+    Test hybrid search when all chunks have embeddings (no missing embeddings).
+    Semantic search should only be called once.
+    """
+    mock_embedding_model = MagicMock()
+
+    with patch.object(elasticsearch_core_instance, 'accurate_search') as mock_accurate, \
+            patch.object(elasticsearch_core_instance, 'semantic_search') as mock_semantic:
+
+        # Both searches return the same documents
+        mock_accurate.return_value = [
+            {
+                "score": 10.0,
+                "document": {"id": "doc1", "content": "Test doc 1"},
+                "index": "test_index"
+            }
+        ]
+
+        mock_semantic.return_value = [
+            {
+                "score": 0.9,
+                "document": {"id": "doc1", "content": "Test doc 1"},
+                "index": "test_index"
+            }
+        ]
+
+        result = elasticsearch_core_instance.hybrid_search(
+            ["test_index"],
+            "test query",
+            mock_embedding_model,
+            top_k=5,
+            weight_accurate=0.3
+        )
+
+        # Semantic search should only be called once (no retry needed)
+        assert mock_semantic.call_count == 1
+        assert len(result) == 1
+        assert result[0]["document"]["id"] == "doc1"
+
+
+def test_hybrid_search_handles_embedding_generation_failure(elasticsearch_core_instance):
+    """
+    Test hybrid search when embedding generation fails for chunks without embeddings.
+    The search should still complete (gracefully handle failures).
+    """
+    mock_embedding_model = MagicMock()
+    mock_embedding_model.embedding_model_name = "test-model"
+    mock_embedding_model.get_embeddings.return_value = []  # Empty embedding
+
+    with patch.object(elasticsearch_core_instance, 'accurate_search') as mock_accurate, \
+            patch.object(elasticsearch_core_instance, 'semantic_search') as mock_semantic, \
+            patch.object(elasticsearch_core_instance, 'client') as mock_client:
+
+        mock_accurate.return_value = [
+            {
+                "score": 10.0,
+                "document": {"id": "doc1", "content": "Test doc 1"},
+                "index": "test_index"
+            }
+        ]
+
+        # Semantic only finds doc1 on second call
+        mock_semantic.side_effect = [
+            [],  # First call: doc1 not found (no embedding)
+            [
+                {
+                    "score": 0.9,
+                    "document": {"id": "doc1", "content": "Test doc 1"},
+                    "index": "test_index"
+                }
+            ]
+        ]
+
+        mock_client.index.return_value = {"result": "created"}
+
+        # Should not raise exception even if embedding generation fails initially
+        result = elasticsearch_core_instance.hybrid_search(
+            ["test_index"],
+            "test query",
+            mock_embedding_model,
+            top_k=5,
+            weight_accurate=0.3
+        )
+
+        # Verify the search completed
+        assert mock_semantic.call_count == 2
+
+
+def test_hybrid_search_empty_results(elasticsearch_core_instance):
+    """Test hybrid search with empty results from both searches."""
+    mock_embedding_model = MagicMock()
+
+    with patch.object(elasticsearch_core_instance, 'accurate_search') as mock_accurate, \
+            patch.object(elasticsearch_core_instance, 'semantic_search') as mock_semantic:
+
+        mock_accurate.return_value = []
+        mock_semantic.return_value = []
+
+        result = elasticsearch_core_instance.hybrid_search(
+            ["test_index"],
+            "test query",
+            mock_embedding_model,
+            top_k=5,
+            weight_accurate=0.3
+        )
+
+        assert len(result) == 0
+
+
 # ----------------------------------------------------------------------------
 # Tests for statistics and monitoring
 # ----------------------------------------------------------------------------
@@ -1317,3 +1724,423 @@ def test_bulk_operation_context(elasticsearch_core_instance):
 
         mock_apply.assert_called_once_with("test_index")
         mock_restore.assert_called_once_with("test_index")
+
+
+def test_exec_query_returns_formatted_results(elasticsearch_core_instance):
+    """Test exec_query method returns correctly formatted results."""
+    with patch.object(elasticsearch_core_instance.client, 'search') as mock_search:
+        mock_search.return_value = {
+            "hits": {
+                "hits": [
+                    {
+                        "_score": 10.5,
+                        "_source": {"content": "Test document 1", "id": "doc1"},
+                        "_index": "test_index"
+                    },
+                    {
+                        "_score": 8.3,
+                        "_source": {"content": "Test document 2", "id": "doc2"},
+                        "_index": "test_index"
+                    }
+                ]
+            }
+        }
+
+        result = elasticsearch_core_instance.exec_query("test_index", {"query": {"match_all": {}}})
+
+        assert len(result) == 2
+        assert result[0]["score"] == 10.5
+        assert result[0]["document"]["content"] == "Test document 1"
+        assert result[0]["document"]["id"] == "doc1"
+        assert result[0]["index"] == "test_index"
+        assert result[1]["score"] == 8.3
+        assert result[1]["document"]["content"] == "Test document 2"
+        assert result[1]["document"]["id"] == "doc2"
+        assert result[1]["index"] == "test_index"
+        mock_search.assert_called_once_with(index="test_index", body={"query": {"match_all": {}}})
+
+
+def test_exec_query_empty_results(elasticsearch_core_instance):
+    """Test exec_query method with empty results."""
+    with patch.object(elasticsearch_core_instance.client, 'search') as mock_search:
+        mock_search.return_value = {
+            "hits": {
+                "hits": []
+            }
+        }
+
+        result = elasticsearch_core_instance.exec_query("test_index", {"query": {"match": {"content": "test"}}})
+
+        assert result == []
+        mock_search.assert_called_once()
+
+
+def test_exec_query_with_multi_index_pattern(elasticsearch_core_instance):
+    """Test exec_query method with multiple indices."""
+    with patch.object(elasticsearch_core_instance.client, 'search') as mock_search:
+        mock_search.return_value = {
+            "hits": {
+                "hits": [
+                    {
+                        "_score": 5.0,
+                        "_source": {"content": "Doc from index1", "id": "doc1"},
+                        "_index": "index1"
+                    },
+                    {
+                        "_score": 6.0,
+                        "_source": {"content": "Doc from index2", "id": "doc2"},
+                        "_index": "index2"
+                    }
+                ]
+            }
+        }
+
+        result = elasticsearch_core_instance.exec_query("index1,index2", {"query": {"match_all": {}}})
+
+        assert len(result) == 2
+        assert result[0]["index"] == "index1"
+        assert result[1]["index"] == "index2"
+        mock_search.assert_called_once_with(index="index1,index2", body={"query": {"match_all": {}}})
+
+
+# ----------------------------------------------------------------------------
+# Tests for hybrid_search edge cases
+# ----------------------------------------------------------------------------
+
+def test_hybrid_search_skips_semantic_result_with_missing_fields(elasticsearch_core_instance, caplog):
+    """
+    Test hybrid_search skips semantic results with missing required fields (line 1060).
+    When processing semantic_results and a result is missing 'document' field,
+    KeyError should be caught and logged, then continue to next result.
+    """
+    mock_embedding_model = MagicMock()
+
+    with patch.object(elasticsearch_core_instance, 'accurate_search') as mock_accurate, \
+            patch.object(elasticsearch_core_instance, 'semantic_search') as mock_semantic:
+
+        # Accurate returns doc1
+        mock_accurate.return_value = [
+            {
+                "score": 10.0,
+                "document": {"id": "doc1", "content": "Test doc 1"},
+                "index": "test_index"
+            }
+        ]
+
+        # Semantic returns a result with missing 'document' field (triggers KeyError)
+        # and another valid result
+        mock_semantic.return_value = [
+            {
+                "score": 0.9,
+                # Missing "document" field - will cause KeyError
+            },
+            {
+                "score": 0.8,
+                "document": {"id": "doc2", "content": "Test doc 2"},
+                "index": "test_index"
+            }
+        ]
+
+        result = elasticsearch_core_instance.hybrid_search(
+            ["test_index"],
+            "test query",
+            mock_embedding_model,
+            top_k=5,
+            weight_accurate=0.3
+        )
+
+        # Should complete without exception and include doc2
+        assert len(result) >= 1
+        doc_ids = [r["document"]["id"] for r in result]
+        assert "doc2" in doc_ids
+        # Warning should be logged for missing field
+        assert any("Missing required field in semantic result" in m for m in caplog.messages)
+
+
+def test_hybrid_search_stores_embedding_failure_continues_processing(elasticsearch_core_instance, caplog):
+    """
+    Test hybrid_search continues processing when storing embedding fails (lines 1101-1104).
+    When client.index raises exception during embedding storage, it should log warning
+    and continue to next document instead of failing the entire search.
+    """
+    mock_embedding_model = MagicMock()
+    mock_embedding_model.embedding_model_name = "test-model"
+    mock_embedding_model.get_embeddings.return_value = [[0.1] * 1024]
+
+    with patch.object(elasticsearch_core_instance, 'accurate_search') as mock_accurate, \
+            patch.object(elasticsearch_core_instance, 'semantic_search') as mock_semantic, \
+            patch.object(elasticsearch_core_instance, 'client') as mock_client:
+
+        # Accurate returns doc1 (will need embedding storage)
+        mock_accurate.return_value = [
+            {
+                "score": 10.0,
+                "document": {"id": "doc1", "content": "Test doc 1 - needs embedding"},
+                "index": "test_index"
+            }
+        ]
+
+        # Semantic returns empty first (doc1 needs embedding), then returns doc1 after storage
+        mock_semantic.side_effect = [
+            [],  # First call: doc1 not found (no embedding)
+            [
+                {
+                    "score": 0.9,
+                    "document": {"id": "doc1", "content": "Test doc 1 - needs embedding"},
+                    "index": "test_index"
+                }
+            ]
+        ]
+
+        # First index call fails, second succeeds
+        mock_client.index.side_effect = [
+            Exception("Index storage failed"),  # This should trigger the warning and continue
+            {"result": "created"}
+        ]
+
+        result = elasticsearch_core_instance.hybrid_search(
+            ["test_index"],
+            "test query",
+            mock_embedding_model,
+            top_k=5,
+            weight_accurate=0.3
+        )
+
+        # Should complete successfully despite storage failure
+        assert mock_semantic.call_count == 2
+        # Warning should be logged about failed embedding storage
+        assert any("Failed to store embedding for chunk doc1" in m for m in caplog.messages)
+        assert len(result) >= 1
+
+
+def test_hybrid_search_adds_new_documents_from_semantic_results(elasticsearch_core_instance):
+    """
+    Test hybrid_search adds documents from semantic_results that don't exist in accurate results (lines 1124-1133).
+    When processing updated semantic_results, if a doc_id is not in combined_results,
+    it should create a new entry with accurate_score=0.
+    """
+    mock_embedding_model = MagicMock()
+
+    with patch.object(elasticsearch_core_instance, 'accurate_search') as mock_accurate, \
+            patch.object(elasticsearch_core_instance, 'semantic_search') as mock_semantic:
+
+        # Accurate returns doc1
+        mock_accurate.return_value = [
+            {
+                "score": 10.0,
+                "document": {"id": "doc1", "content": "Test doc 1"},
+                "index": "test_index"
+            }
+        ]
+
+        # Semantic returns doc1 (exists in accurate) AND doc2 (new document, not in accurate)
+        mock_semantic.return_value = [
+            {
+                "score": 0.9,
+                "document": {"id": "doc1", "content": "Test doc 1"},
+                "index": "test_index"
+            },
+            {
+                "score": 0.8,
+                "document": {"id": "doc2", "content": "Test doc 2 - from semantic only"},
+                "index": "test_index"
+            }
+        ]
+
+        result = elasticsearch_core_instance.hybrid_search(
+            ["test_index"],
+            "test query",
+            mock_embedding_model,
+            top_k=5,
+            weight_accurate=0.3
+        )
+
+        # Should include both doc1 and doc2
+        assert len(result) == 2
+        doc_ids = [r["document"]["id"] for r in result]
+        assert "doc1" in doc_ids
+        assert "doc2" in doc_ids
+
+        # Find doc2 in results and verify it has accurate_score=0
+        doc2_result = next(r for r in result if r["document"]["id"] == "doc2")
+        assert doc2_result["scores"]["accurate"] == 0
+
+
+def test_hybrid_search_missing_embedding_stores_with_model_name(elasticsearch_core_instance):
+    """
+    Test that hybrid_search correctly stores embedding_model_name when storing embeddings.
+    """
+    mock_embedding_model = MagicMock()
+    mock_embedding_model.embedding_model_name = "jina-embeddings-v2"
+    mock_embedding_model.get_embeddings.return_value = [[0.1] * 1024]
+
+    with patch.object(elasticsearch_core_instance, 'accurate_search') as mock_accurate, \
+            patch.object(elasticsearch_core_instance, 'semantic_search') as mock_semantic, \
+            patch.object(elasticsearch_core_instance, 'client') as mock_client:
+
+        mock_accurate.return_value = [
+            {
+                "score": 10.0,
+                "document": {"id": "doc1", "content": "Test doc 1"},
+                "index": "test_index"
+            }
+        ]
+
+        mock_semantic.side_effect = [
+            [],  # First call: doc1 not found
+            [
+                {
+                    "score": 0.9,
+                    "document": {"id": "doc1", "content": "Test doc 1"},
+                    "index": "test_index"
+                }
+            ]
+        ]
+
+        mock_client.index.return_value = {"result": "created"}
+
+        result = elasticsearch_core_instance.hybrid_search(
+            ["test_index"],
+            "test query",
+            mock_embedding_model,
+            top_k=5,
+            weight_accurate=0.3
+        )
+
+        # Verify client.index was called with correct embedding_model_name
+        mock_client.index.assert_called_once()
+        call_args = mock_client.index.call_args
+        assert call_args.kwargs["document"]["embedding_model_name"] == "jina-embeddings-v2"
+
+
+def test_hybrid_search_empty_content_skips_embedding_generation(elasticsearch_core_instance, caplog):
+    """
+    Test hybrid_search skips embedding generation for chunks with empty content.
+    When chunk_content is empty, the embedding generation should be skipped.
+    """
+    mock_embedding_model = MagicMock()
+    mock_embedding_model.embedding_model_name = "test-model"
+    mock_embedding_model.get_embeddings.return_value = [[0.1] * 1024]
+
+    with patch.object(elasticsearch_core_instance, 'accurate_search') as mock_accurate, \
+            patch.object(elasticsearch_core_instance, 'semantic_search') as mock_semantic, \
+            patch.object(elasticsearch_core_instance, 'client') as mock_client:
+
+        # Accurate returns a doc with empty content
+        mock_accurate.return_value = [
+            {
+                "score": 10.0,
+                "document": {"id": "doc1", "content": ""},  # Empty content
+                "index": "test_index"
+            }
+        ]
+
+        mock_semantic.return_value = [
+            {
+                "score": 0.9,
+                "document": {"id": "doc1", "content": ""},
+                "index": "test_index"
+            }
+        ]
+
+        result = elasticsearch_core_instance.hybrid_search(
+            ["test_index"],
+            "test query",
+            mock_embedding_model,
+            top_k=5,
+            weight_accurate=0.3
+        )
+
+        # client.index should NOT be called because content is empty
+        mock_client.index.assert_not_called()
+        # Should still return result
+        assert len(result) == 1
+
+
+def test_hybrid_search_empty_index_name_skips_embedding_generation(elasticsearch_core_instance, caplog):
+    """
+    Test hybrid_search skips embedding generation when index_name is empty.
+    """
+    mock_embedding_model = MagicMock()
+    mock_embedding_model.embedding_model_name = "test-model"
+    mock_embedding_model.get_embeddings.return_value = [[0.1] * 1024]
+
+    with patch.object(elasticsearch_core_instance, 'accurate_search') as mock_accurate, \
+            patch.object(elasticsearch_core_instance, 'semantic_search') as mock_semantic, \
+            patch.object(elasticsearch_core_instance, 'client') as mock_client:
+
+        # Accurate returns a doc with empty index_name
+        mock_accurate.return_value = [
+            {
+                "score": 10.0,
+                "document": {"id": "doc1", "content": "Test content"},
+                "index": ""  # Empty index name
+            }
+        ]
+
+        mock_semantic.return_value = [
+            {
+                "score": 0.9,
+                "document": {"id": "doc1", "content": "Test content"},
+                "index": ""
+            }
+        ]
+
+        result = elasticsearch_core_instance.hybrid_search(
+            ["test_index"],
+            "test query",
+            mock_embedding_model,
+            top_k=5,
+            weight_accurate=0.3
+        )
+
+        # client.index should NOT be called because index_name is empty
+        mock_client.index.assert_not_called()
+        assert len(result) == 1
+
+
+def test_hybrid_search_empty_embedding_skips_storage(elasticsearch_core_instance, caplog):
+    """
+    Test hybrid_search skips embedding storage when embedding generation returns empty.
+    """
+    mock_embedding_model = MagicMock()
+    mock_embedding_model.embedding_model_name = "test-model"
+    mock_embedding_model.get_embeddings.return_value = []  # Empty embedding
+
+    with patch.object(elasticsearch_core_instance, 'accurate_search') as mock_accurate, \
+            patch.object(elasticsearch_core_instance, 'semantic_search') as mock_semantic, \
+            patch.object(elasticsearch_core_instance, 'client') as mock_client:
+
+        mock_accurate.return_value = [
+            {
+                "score": 10.0,
+                "document": {"id": "doc1", "content": "Test content"},
+                "index": "test_index"
+            }
+        ]
+
+        mock_semantic.side_effect = [
+            [],  # First call: doc1 not found
+            [
+                {
+                    "score": 0.9,
+                    "document": {"id": "doc1", "content": "Test content"},
+                    "index": "test_index"
+                }
+            ]
+        ]
+
+        mock_client.index.return_value = {"result": "created"}
+
+        result = elasticsearch_core_instance.hybrid_search(
+            ["test_index"],
+            "test query",
+            mock_embedding_model,
+            top_k=5,
+            weight_accurate=0.3
+        )
+
+        # client.index should NOT be called because embedding is empty
+        mock_client.index.assert_not_called()
+        # Should still complete search
+        assert mock_semantic.call_count == 2
\ No newline at end of file