From 4cd221af5e104ffe737adaedb97ae66d2580fd10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E6=80=A7=E9=A9=8A?= <danielwang@supermicro.com>
Date: Tue, 23 Jun 2026 17:54:27 +0800
Subject: [PATCH] fix dockerfile unhealth problem

---
 haixun-backend/.idea/.gitignore               |   10 +
 haixun-backend/.idea/go.imports.xml           |   10 +
 haixun-backend/.idea/haixun-backend.iml       |    9 +
 .../.idea/material_theme_project_new.xml      |   10 +
 haixun-backend/.idea/modules.xml              |    8 +
 haixun-backend/.idea/vcs.xml                  |    6 +
 haixun-backend/AGENTS.md                      |  335 +++
 haixun-backend/Makefile                       |   52 +
 haixun-backend/README.md                      |  365 +++
 haixun-backend/cmd/tool/main.go               |   87 +
 haixun-backend/deploy/README.md               |   64 +
 haixun-backend/deploy/docker-compose.yml      |   37 +
 .../deploy/mongo/init/01-gateway-indexes.js   |   31 +
 haixun-backend/docs/job-system-plan.md        |  381 +++
 haixun-backend/etc/gateway.dev.example.yaml   |   20 +
 haixun-backend/etc/gateway.yaml               |   32 +
 haixun-backend/gateway.go                     |   34 +
 haixun-backend/generate/api/ai.api            |   67 +
 haixun-backend/generate/api/auth.api          |   62 +
 haixun-backend/generate/api/common.api        |   15 +
 haixun-backend/generate/api/gateway.api       |   24 +
 haixun-backend/generate/api/job.api           |  245 ++
 haixun-backend/generate/api/member.api        |   46 +
 haixun-backend/generate/api/normal.api        |   16 +
 haixun-backend/generate/api/permission.api    |   52 +
 haixun-backend/generate/api/setting.api       |   68 +
 haixun-backend/generate/goctl/api/handler.tpl |   31 +
 haixun-backend/go.mod                         |   69 +
 haixun-backend/go.sum                         |  196 ++
 haixun-backend/internal/bootstrap/admin.go    |   72 +
 .../internal/bootstrap/admin_test.go          |  116 +
 haixun-backend/internal/bootstrap/init.go     |  104 +
 haixun-backend/internal/config/config.go      |   48 +
 .../internal/handler/ai/chat_handler.go       |   36 +
 .../handler/ai/chat_stream_handler.go         |   72 +
 .../ai/list_ai_provider_models_handler.go     |   36 +
 .../handler/ai/list_ai_providers_handler.go   |   17 +
 .../internal/handler/auth/login_handler.go    |   29 +
 .../internal/handler/auth/logout_handler.go   |   17 +
 .../internal/handler/auth/refresh_handler.go  |   29 +
 .../internal/handler/auth/register_handler.go |   29 +
 .../handler/job/cancel_job_handler.go         |   33 +
 .../handler/job/create_job_handler.go         |   33 +
 .../job/create_job_schedule_handler.go        |   33 +
 .../job/disable_job_schedule_handler.go       |   33 +
 .../job/enable_job_schedule_handler.go        |   33 +
 .../internal/handler/job/get_job_handler.go   |   33 +
 .../handler/job/get_job_template_handler.go   |   33 +
 .../handler/job/list_job_events_handler.go    |   33 +
 .../handler/job/list_job_schedules_handler.go |   33 +
 .../handler/job/list_job_templates_handler.go |   20 +
 .../internal/handler/job/list_jobs_handler.go |   33 +
 .../internal/handler/job/retry_job_handler.go |   33 +
 .../job/update_job_schedule_handler.go        |   33 +
 .../job/upsert_job_template_handler.go        |   33 +
 .../handler/member/get_member_me_handler.go   |   20 +
 .../member/update_member_me_handler.go        |   33 +
 .../internal/handler/normal/health_handler.go |   17 +
 .../permission/get_me_permissions_handler.go  |   33 +
 .../get_permission_catalog_handler.go         |   29 +
 haixun-backend/internal/handler/routes.go     |  248 ++
 .../handler/setting/delete_setting_handler.go |   29 +
 .../handler/setting/get_setting_handler.go    |   29 +
 .../handler/setting/list_settings_handler.go  |   29 +
 .../handler/setting/upsert_setting_handler.go |   29 +
 .../internal/library/authctx/context.go       |   20 +
 .../internal/library/clock/clock.go           |   36 +
 .../internal/library/clock/clock_test.go      |   24 +
 .../internal/library/errors/code/types.go     |   39 +
 .../internal/library/errors/errors.go         |  169 ++
 .../internal/library/mongo/client.go          |   51 +
 .../internal/library/redact/redact.go         |   17 +
 .../internal/library/redact/redact_test.go    |   12 +
 .../internal/library/redis/client.go          |   17 +
 .../internal/library/validate/validate.go     |   18 +
 .../internal/logic/ai/chat_logic.go           |   26 +
 .../internal/logic/ai/chat_stream_logic.go    |   22 +
 .../internal/logic/ai/credential.go           |   27 +
 .../logic/ai/list_ai_provider_models_logic.go |   30 +
 .../logic/ai/list_ai_providers_logic.go       |   30 +
 haixun-backend/internal/logic/ai/mapper.go    |   28 +
 .../internal/logic/auth/login_logic.go        |   27 +
 .../internal/logic/auth/logout_logic.go       |   29 +
 haixun-backend/internal/logic/auth/mapper.go  |   19 +
 .../internal/logic/auth/refresh_logic.go      |   31 +
 .../internal/logic/auth/register_logic.go     |   29 +
 .../internal/logic/job/cancel_job_logic.go    |   30 +
 .../internal/logic/job/create_job_logic.go    |   32 +
 .../logic/job/create_job_schedule_logic.go    |   35 +
 .../logic/job/disable_job_schedule_logic.go   |   26 +
 .../logic/job/enable_job_schedule_logic.go    |   26 +
 .../internal/logic/job/get_job_logic.go       |   26 +
 .../logic/job/get_job_template_logic.go       |   26 +
 .../logic/job/list_job_events_logic.go        |   33 +
 .../logic/job/list_job_schedules_logic.go     |   37 +
 .../logic/job/list_job_templates_logic.go     |   29 +
 .../internal/logic/job/list_jobs_logic.go     |   37 +
 haixun-backend/internal/logic/job/mapper.go   |  123 +
 .../internal/logic/job/retry_job_logic.go     |   26 +
 .../logic/job/update_job_schedule_logic.go    |   33 +
 .../logic/job/upsert_job_template_logic.go    |   48 +
 .../logic/member/get_member_me_logic.go       |   32 +
 .../internal/logic/member/mapper.go           |   31 +
 .../logic/member/update_member_me_logic.go    |   48 +
 .../internal/logic/normal/health_logic.go     |   21 +
 .../permission/get_me_permissions_logic.go    |   42 +
 .../get_permission_catalog_logic.go           |   33 +
 .../internal/logic/permission/mapper.go       |   33 +
 .../logic/setting/delete_setting_logic.go     |   21 +
 .../logic/setting/get_setting_logic.go        |   26 +
 .../logic/setting/list_settings_logic.go      |   41 +
 .../internal/logic/setting/mapper.go          |   19 +
 .../logic/setting/upsert_setting_logic.go     |   33 +
 haixun-backend/internal/middleware/auth.go    |   97 +
 .../internal/middleware/auth_test.go          |   46 +
 .../internal/middleware/authjwt_middleware.go |   23 +
 .../middleware/memberauth_middleware.go       |   24 +
 .../internal/model/ai/domain/enum/provider.go |    8 +
 .../internal/model/ai/domain/usecase/ai.go    |   66 +
 .../model/ai/provider/openai_compatible.go    |  356 +++
 .../ai/provider/openai_compatible_test.go     |  178 ++
 .../internal/model/ai/usecase/usecase.go      |  118 +
 .../auth/domain/repository/token_revoke.go    |   14 +
 .../model/auth/domain/usecase/token.go        |   42 +
 .../auth/repository/token_revoke_redis.go     |   98 +
 .../internal/model/auth/usecase/token.go      |  233 ++
 .../internal/model/job/cron/next_run.go       |   31 +
 .../internal/model/job/cron/next_run_test.go  |   27 +
 .../internal/model/job/domain/entity/event.go |   16 +
 .../internal/model/job/domain/entity/run.go   |   50 +
 .../model/job/domain/entity/schedule.go       |   20 +
 .../model/job/domain/entity/template.go       |   42 +
 .../internal/model/job/domain/enum/status.go  |   58 +
 .../model/job/domain/repository/event.go      |   13 +
 .../model/job/domain/repository/queue.go      |   19 +
 .../model/job/domain/repository/run.go        |   29 +
 .../model/job/domain/repository/schedule.go   |   21 +
 .../model/job/domain/repository/template.go   |   14 +
 .../internal/model/job/domain/usecase/job.go  |  122 +
 .../model/job/repository/mongo_event.go       |   71 +
 .../model/job/repository/mongo_run.go         |  317 ++
 .../model/job/repository/mongo_schedule.go    |  145 +
 .../model/job/repository/mongo_template.go    |   90 +
 .../model/job/repository/redis_queue.go       |  220 ++
 .../model/job/repository/redis_queue_test.go  |   71 +
 .../internal/model/job/resume/resume.go       |   69 +
 .../internal/model/job/resume/resume_test.go  |   46 +
 .../internal/model/job/usecase/cancel_test.go |   58 +
 .../internal/model/job/usecase/dedupe_test.go |   85 +
 .../internal/model/job/usecase/helpers.go     |  146 +
 .../internal/model/job/usecase/maintenance.go |   76 +
 .../model/job/usecase/maintenance_test.go     |   90 +
 .../model/job/usecase/retry_resume_test.go    |   85 +
 .../internal/model/job/usecase/retry_test.go  |   52 +
 .../internal/model/job/usecase/schedule.go    |  171 ++
 .../model/job/usecase/schedule_payload.go     |   25 +
 .../job/usecase/schedule_payload_test.go      |   40 +
 .../model/job/usecase/schedule_test.go        |   75 +
 .../internal/model/job/usecase/step_resume.go |   18 +
 .../internal/model/job/usecase/template.go    |   68 +
 .../model/job/usecase/template_test.go        |   35 +
 .../internal/model/job/usecase/test_mocks.go  |  430 +++
 .../internal/model/job/usecase/usecase.go     |  562 ++++
 .../model/member/domain/entity/member.go      |   41 +
 .../model/member/domain/repository/member.go  |   24 +
 .../model/member/domain/usecase/member.go     |   46 +
 .../internal/model/member/repository/mongo.go |  147 +
 .../internal/model/member/usecase/usecase.go  |  120 +
 .../permission/domain/entity/permission.go    |   42 +
 .../domain/repository/permission.go           |   25 +
 .../permission/domain/usecase/permission.go   |   43 +
 .../permission/repository/mongo_permission.go |  112 +
 .../repository/mongo_role_permission.go       |   89 +
 .../model/permission/repository/object_id.go  |   14 +
 .../model/permission/usecase/usecase.go       |  209 ++
 .../model/setting/domain/entity/setting.go    |   16 +
 .../setting/domain/repository/setting.go      |   15 +
 .../model/setting/domain/usecase/setting.go   |   22 +
 .../model/setting/repository/mongo.go         |  135 +
 .../internal/model/setting/usecase/usecase.go |   88 +
 haixun-backend/internal/response/request.go   |   14 +
 haixun-backend/internal/response/response.go  |   53 +
 .../internal/svc/service_context.go           |  194 ++
 haixun-backend/internal/types/types.go        |  390 +++
 haixun-backend/internal/worker/job/reaper.go  |   44 +
 haixun-backend/internal/worker/job/runner.go  |  221 ++
 .../internal/worker/job/runner_test.go        |   52 +
 .../internal/worker/job/scheduler.go          |   44 +
 haixun-backend/scripts/debug-opencode-raw.sh  |   71 +
 haixun-backend/scripts/test-job-cancel.sh     |   76 +
 .../scripts/test-job-concurrency.sh           |   87 +
 haixun-backend/web/.gitignore                 |    4 +
 haixun-backend/web/index.html                 |   25 +
 haixun-backend/web/package-lock.json          | 2558 +++++++++++++++++
 haixun-backend/web/package.json               |   26 +
 haixun-backend/web/src/App.tsx                |   45 +
 haixun-backend/web/src/api/client.ts          |  167 ++
 haixun-backend/web/src/auth/AuthContext.tsx   |  132 +
 .../web/src/components/AuthShell.tsx          |   28 +
 haixun-backend/web/src/components/Layout.tsx  |  110 +
 .../web/src/components/MobileBottomNav.tsx    |  187 ++
 .../web/src/components/ProtectedRoute.tsx     |   15 +
 .../web/src/components/ThemeToggle.tsx        |   28 +
 haixun-backend/web/src/components/ui.tsx      |  178 ++
 haixun-backend/web/src/index.css              |  181 ++
 haixun-backend/web/src/lib/jobStatus.ts       |   52 +
 haixun-backend/web/src/lib/storage.ts         |   25 +
 haixun-backend/web/src/main.tsx               |   10 +
 haixun-backend/web/src/pages/AiPage.tsx       |  148 +
 .../web/src/pages/DashboardPage.tsx           |   85 +
 .../web/src/pages/JobDetailPage.tsx           |   90 +
 .../web/src/pages/JobSchedulesPage.tsx        |  125 +
 .../web/src/pages/JobTemplatesPage.tsx        |   43 +
 haixun-backend/web/src/pages/JobsPage.tsx     |  183 ++
 haixun-backend/web/src/pages/LoginPage.tsx    |   66 +
 .../web/src/pages/PermissionsPage.tsx         |   86 +
 haixun-backend/web/src/pages/ProfilePage.tsx  |   90 +
 haixun-backend/web/src/pages/RegisterPage.tsx |   71 +
 haixun-backend/web/src/pages/SettingsPage.tsx |  124 +
 haixun-backend/web/src/theme/ThemeContext.tsx |   48 +
 haixun-backend/web/src/types/api.ts           |  138 +
 haixun-backend/web/src/vite-env.d.ts          |    1 +
 haixun-backend/web/tsconfig.app.json          |   22 +
 haixun-backend/web/tsconfig.json              |    7 +
 haixun-backend/web/tsconfig.node.json         |   20 +
 haixun-backend/web/vite.config.ts             |   16 +
 template-monorepo                             |    1 +
 227 files changed, 17959 insertions(+)
 create mode 100644 haixun-backend/.idea/.gitignore
 create mode 100644 haixun-backend/.idea/go.imports.xml
 create mode 100644 haixun-backend/.idea/haixun-backend.iml
 create mode 100644 haixun-backend/.idea/material_theme_project_new.xml
 create mode 100644 haixun-backend/.idea/modules.xml
 create mode 100644 haixun-backend/.idea/vcs.xml
 create mode 100644 haixun-backend/AGENTS.md
 create mode 100644 haixun-backend/Makefile
 create mode 100644 haixun-backend/README.md
 create mode 100644 haixun-backend/cmd/tool/main.go
 create mode 100644 haixun-backend/deploy/README.md
 create mode 100644 haixun-backend/deploy/docker-compose.yml
 create mode 100644 haixun-backend/deploy/mongo/init/01-gateway-indexes.js
 create mode 100644 haixun-backend/docs/job-system-plan.md
 create mode 100644 haixun-backend/etc/gateway.dev.example.yaml
 create mode 100644 haixun-backend/etc/gateway.yaml
 create mode 100644 haixun-backend/gateway.go
 create mode 100644 haixun-backend/generate/api/ai.api
 create mode 100644 haixun-backend/generate/api/auth.api
 create mode 100644 haixun-backend/generate/api/common.api
 create mode 100644 haixun-backend/generate/api/gateway.api
 create mode 100644 haixun-backend/generate/api/job.api
 create mode 100644 haixun-backend/generate/api/member.api
 create mode 100644 haixun-backend/generate/api/normal.api
 create mode 100644 haixun-backend/generate/api/permission.api
 create mode 100644 haixun-backend/generate/api/setting.api
 create mode 100644 haixun-backend/generate/goctl/api/handler.tpl
 create mode 100644 haixun-backend/go.mod
 create mode 100644 haixun-backend/go.sum
 create mode 100644 haixun-backend/internal/bootstrap/admin.go
 create mode 100644 haixun-backend/internal/bootstrap/admin_test.go
 create mode 100644 haixun-backend/internal/bootstrap/init.go
 create mode 100644 haixun-backend/internal/config/config.go
 create mode 100644 haixun-backend/internal/handler/ai/chat_handler.go
 create mode 100644 haixun-backend/internal/handler/ai/chat_stream_handler.go
 create mode 100644 haixun-backend/internal/handler/ai/list_ai_provider_models_handler.go
 create mode 100644 haixun-backend/internal/handler/ai/list_ai_providers_handler.go
 create mode 100644 haixun-backend/internal/handler/auth/login_handler.go
 create mode 100644 haixun-backend/internal/handler/auth/logout_handler.go
 create mode 100644 haixun-backend/internal/handler/auth/refresh_handler.go
 create mode 100644 haixun-backend/internal/handler/auth/register_handler.go
 create mode 100644 haixun-backend/internal/handler/job/cancel_job_handler.go
 create mode 100644 haixun-backend/internal/handler/job/create_job_handler.go
 create mode 100644 haixun-backend/internal/handler/job/create_job_schedule_handler.go
 create mode 100644 haixun-backend/internal/handler/job/disable_job_schedule_handler.go
 create mode 100644 haixun-backend/internal/handler/job/enable_job_schedule_handler.go
 create mode 100644 haixun-backend/internal/handler/job/get_job_handler.go
 create mode 100644 haixun-backend/internal/handler/job/get_job_template_handler.go
 create mode 100644 haixun-backend/internal/handler/job/list_job_events_handler.go
 create mode 100644 haixun-backend/internal/handler/job/list_job_schedules_handler.go
 create mode 100644 haixun-backend/internal/handler/job/list_job_templates_handler.go
 create mode 100644 haixun-backend/internal/handler/job/list_jobs_handler.go
 create mode 100644 haixun-backend/internal/handler/job/retry_job_handler.go
 create mode 100644 haixun-backend/internal/handler/job/update_job_schedule_handler.go
 create mode 100644 haixun-backend/internal/handler/job/upsert_job_template_handler.go
 create mode 100644 haixun-backend/internal/handler/member/get_member_me_handler.go
 create mode 100644 haixun-backend/internal/handler/member/update_member_me_handler.go
 create mode 100644 haixun-backend/internal/handler/normal/health_handler.go
 create mode 100644 haixun-backend/internal/handler/permission/get_me_permissions_handler.go
 create mode 100644 haixun-backend/internal/handler/permission/get_permission_catalog_handler.go
 create mode 100644 haixun-backend/internal/handler/routes.go
 create mode 100644 haixun-backend/internal/handler/setting/delete_setting_handler.go
 create mode 100644 haixun-backend/internal/handler/setting/get_setting_handler.go
 create mode 100644 haixun-backend/internal/handler/setting/list_settings_handler.go
 create mode 100644 haixun-backend/internal/handler/setting/upsert_setting_handler.go
 create mode 100644 haixun-backend/internal/library/authctx/context.go
 create mode 100644 haixun-backend/internal/library/clock/clock.go
 create mode 100644 haixun-backend/internal/library/clock/clock_test.go
 create mode 100644 haixun-backend/internal/library/errors/code/types.go
 create mode 100644 haixun-backend/internal/library/errors/errors.go
 create mode 100644 haixun-backend/internal/library/mongo/client.go
 create mode 100644 haixun-backend/internal/library/redact/redact.go
 create mode 100644 haixun-backend/internal/library/redact/redact_test.go
 create mode 100644 haixun-backend/internal/library/redis/client.go
 create mode 100644 haixun-backend/internal/library/validate/validate.go
 create mode 100644 haixun-backend/internal/logic/ai/chat_logic.go
 create mode 100644 haixun-backend/internal/logic/ai/chat_stream_logic.go
 create mode 100644 haixun-backend/internal/logic/ai/credential.go
 create mode 100644 haixun-backend/internal/logic/ai/list_ai_provider_models_logic.go
 create mode 100644 haixun-backend/internal/logic/ai/list_ai_providers_logic.go
 create mode 100644 haixun-backend/internal/logic/ai/mapper.go
 create mode 100644 haixun-backend/internal/logic/auth/login_logic.go
 create mode 100644 haixun-backend/internal/logic/auth/logout_logic.go
 create mode 100644 haixun-backend/internal/logic/auth/mapper.go
 create mode 100644 haixun-backend/internal/logic/auth/refresh_logic.go
 create mode 100644 haixun-backend/internal/logic/auth/register_logic.go
 create mode 100644 haixun-backend/internal/logic/job/cancel_job_logic.go
 create mode 100644 haixun-backend/internal/logic/job/create_job_logic.go
 create mode 100644 haixun-backend/internal/logic/job/create_job_schedule_logic.go
 create mode 100644 haixun-backend/internal/logic/job/disable_job_schedule_logic.go
 create mode 100644 haixun-backend/internal/logic/job/enable_job_schedule_logic.go
 create mode 100644 haixun-backend/internal/logic/job/get_job_logic.go
 create mode 100644 haixun-backend/internal/logic/job/get_job_template_logic.go
 create mode 100644 haixun-backend/internal/logic/job/list_job_events_logic.go
 create mode 100644 haixun-backend/internal/logic/job/list_job_schedules_logic.go
 create mode 100644 haixun-backend/internal/logic/job/list_job_templates_logic.go
 create mode 100644 haixun-backend/internal/logic/job/list_jobs_logic.go
 create mode 100644 haixun-backend/internal/logic/job/mapper.go
 create mode 100644 haixun-backend/internal/logic/job/retry_job_logic.go
 create mode 100644 haixun-backend/internal/logic/job/update_job_schedule_logic.go
 create mode 100644 haixun-backend/internal/logic/job/upsert_job_template_logic.go
 create mode 100644 haixun-backend/internal/logic/member/get_member_me_logic.go
 create mode 100644 haixun-backend/internal/logic/member/mapper.go
 create mode 100644 haixun-backend/internal/logic/member/update_member_me_logic.go
 create mode 100644 haixun-backend/internal/logic/normal/health_logic.go
 create mode 100644 haixun-backend/internal/logic/permission/get_me_permissions_logic.go
 create mode 100644 haixun-backend/internal/logic/permission/get_permission_catalog_logic.go
 create mode 100644 haixun-backend/internal/logic/permission/mapper.go
 create mode 100644 haixun-backend/internal/logic/setting/delete_setting_logic.go
 create mode 100644 haixun-backend/internal/logic/setting/get_setting_logic.go
 create mode 100644 haixun-backend/internal/logic/setting/list_settings_logic.go
 create mode 100644 haixun-backend/internal/logic/setting/mapper.go
 create mode 100644 haixun-backend/internal/logic/setting/upsert_setting_logic.go
 create mode 100644 haixun-backend/internal/middleware/auth.go
 create mode 100644 haixun-backend/internal/middleware/auth_test.go
 create mode 100644 haixun-backend/internal/middleware/authjwt_middleware.go
 create mode 100644 haixun-backend/internal/middleware/memberauth_middleware.go
 create mode 100644 haixun-backend/internal/model/ai/domain/enum/provider.go
 create mode 100644 haixun-backend/internal/model/ai/domain/usecase/ai.go
 create mode 100644 haixun-backend/internal/model/ai/provider/openai_compatible.go
 create mode 100644 haixun-backend/internal/model/ai/provider/openai_compatible_test.go
 create mode 100644 haixun-backend/internal/model/ai/usecase/usecase.go
 create mode 100644 haixun-backend/internal/model/auth/domain/repository/token_revoke.go
 create mode 100644 haixun-backend/internal/model/auth/domain/usecase/token.go
 create mode 100644 haixun-backend/internal/model/auth/repository/token_revoke_redis.go
 create mode 100644 haixun-backend/internal/model/auth/usecase/token.go
 create mode 100644 haixun-backend/internal/model/job/cron/next_run.go
 create mode 100644 haixun-backend/internal/model/job/cron/next_run_test.go
 create mode 100644 haixun-backend/internal/model/job/domain/entity/event.go
 create mode 100644 haixun-backend/internal/model/job/domain/entity/run.go
 create mode 100644 haixun-backend/internal/model/job/domain/entity/schedule.go
 create mode 100644 haixun-backend/internal/model/job/domain/entity/template.go
 create mode 100644 haixun-backend/internal/model/job/domain/enum/status.go
 create mode 100644 haixun-backend/internal/model/job/domain/repository/event.go
 create mode 100644 haixun-backend/internal/model/job/domain/repository/queue.go
 create mode 100644 haixun-backend/internal/model/job/domain/repository/run.go
 create mode 100644 haixun-backend/internal/model/job/domain/repository/schedule.go
 create mode 100644 haixun-backend/internal/model/job/domain/repository/template.go
 create mode 100644 haixun-backend/internal/model/job/domain/usecase/job.go
 create mode 100644 haixun-backend/internal/model/job/repository/mongo_event.go
 create mode 100644 haixun-backend/internal/model/job/repository/mongo_run.go
 create mode 100644 haixun-backend/internal/model/job/repository/mongo_schedule.go
 create mode 100644 haixun-backend/internal/model/job/repository/mongo_template.go
 create mode 100644 haixun-backend/internal/model/job/repository/redis_queue.go
 create mode 100644 haixun-backend/internal/model/job/repository/redis_queue_test.go
 create mode 100644 haixun-backend/internal/model/job/resume/resume.go
 create mode 100644 haixun-backend/internal/model/job/resume/resume_test.go
 create mode 100644 haixun-backend/internal/model/job/usecase/cancel_test.go
 create mode 100644 haixun-backend/internal/model/job/usecase/dedupe_test.go
 create mode 100644 haixun-backend/internal/model/job/usecase/helpers.go
 create mode 100644 haixun-backend/internal/model/job/usecase/maintenance.go
 create mode 100644 haixun-backend/internal/model/job/usecase/maintenance_test.go
 create mode 100644 haixun-backend/internal/model/job/usecase/retry_resume_test.go
 create mode 100644 haixun-backend/internal/model/job/usecase/retry_test.go
 create mode 100644 haixun-backend/internal/model/job/usecase/schedule.go
 create mode 100644 haixun-backend/internal/model/job/usecase/schedule_payload.go
 create mode 100644 haixun-backend/internal/model/job/usecase/schedule_payload_test.go
 create mode 100644 haixun-backend/internal/model/job/usecase/schedule_test.go
 create mode 100644 haixun-backend/internal/model/job/usecase/step_resume.go
 create mode 100644 haixun-backend/internal/model/job/usecase/template.go
 create mode 100644 haixun-backend/internal/model/job/usecase/template_test.go
 create mode 100644 haixun-backend/internal/model/job/usecase/test_mocks.go
 create mode 100644 haixun-backend/internal/model/job/usecase/usecase.go
 create mode 100644 haixun-backend/internal/model/member/domain/entity/member.go
 create mode 100644 haixun-backend/internal/model/member/domain/repository/member.go
 create mode 100644 haixun-backend/internal/model/member/domain/usecase/member.go
 create mode 100644 haixun-backend/internal/model/member/repository/mongo.go
 create mode 100644 haixun-backend/internal/model/member/usecase/usecase.go
 create mode 100644 haixun-backend/internal/model/permission/domain/entity/permission.go
 create mode 100644 haixun-backend/internal/model/permission/domain/repository/permission.go
 create mode 100644 haixun-backend/internal/model/permission/domain/usecase/permission.go
 create mode 100644 haixun-backend/internal/model/permission/repository/mongo_permission.go
 create mode 100644 haixun-backend/internal/model/permission/repository/mongo_role_permission.go
 create mode 100644 haixun-backend/internal/model/permission/repository/object_id.go
 create mode 100644 haixun-backend/internal/model/permission/usecase/usecase.go
 create mode 100644 haixun-backend/internal/model/setting/domain/entity/setting.go
 create mode 100644 haixun-backend/internal/model/setting/domain/repository/setting.go
 create mode 100644 haixun-backend/internal/model/setting/domain/usecase/setting.go
 create mode 100644 haixun-backend/internal/model/setting/repository/mongo.go
 create mode 100644 haixun-backend/internal/model/setting/usecase/usecase.go
 create mode 100644 haixun-backend/internal/response/request.go
 create mode 100644 haixun-backend/internal/response/response.go
 create mode 100644 haixun-backend/internal/svc/service_context.go
 create mode 100644 haixun-backend/internal/types/types.go
 create mode 100644 haixun-backend/internal/worker/job/reaper.go
 create mode 100644 haixun-backend/internal/worker/job/runner.go
 create mode 100644 haixun-backend/internal/worker/job/runner_test.go
 create mode 100644 haixun-backend/internal/worker/job/scheduler.go
 create mode 100755 haixun-backend/scripts/debug-opencode-raw.sh
 create mode 100755 haixun-backend/scripts/test-job-cancel.sh
 create mode 100755 haixun-backend/scripts/test-job-concurrency.sh
 create mode 100644 haixun-backend/web/.gitignore
 create mode 100644 haixun-backend/web/index.html
 create mode 100644 haixun-backend/web/package-lock.json
 create mode 100644 haixun-backend/web/package.json
 create mode 100644 haixun-backend/web/src/App.tsx
 create mode 100644 haixun-backend/web/src/api/client.ts
 create mode 100644 haixun-backend/web/src/auth/AuthContext.tsx
 create mode 100644 haixun-backend/web/src/components/AuthShell.tsx
 create mode 100644 haixun-backend/web/src/components/Layout.tsx
 create mode 100644 haixun-backend/web/src/components/MobileBottomNav.tsx
 create mode 100644 haixun-backend/web/src/components/ProtectedRoute.tsx
 create mode 100644 haixun-backend/web/src/components/ThemeToggle.tsx
 create mode 100644 haixun-backend/web/src/components/ui.tsx
 create mode 100644 haixun-backend/web/src/index.css
 create mode 100644 haixun-backend/web/src/lib/jobStatus.ts
 create mode 100644 haixun-backend/web/src/lib/storage.ts
 create mode 100644 haixun-backend/web/src/main.tsx
 create mode 100644 haixun-backend/web/src/pages/AiPage.tsx
 create mode 100644 haixun-backend/web/src/pages/DashboardPage.tsx
 create mode 100644 haixun-backend/web/src/pages/JobDetailPage.tsx
 create mode 100644 haixun-backend/web/src/pages/JobSchedulesPage.tsx
 create mode 100644 haixun-backend/web/src/pages/JobTemplatesPage.tsx
 create mode 100644 haixun-backend/web/src/pages/JobsPage.tsx
 create mode 100644 haixun-backend/web/src/pages/LoginPage.tsx
 create mode 100644 haixun-backend/web/src/pages/PermissionsPage.tsx
 create mode 100644 haixun-backend/web/src/pages/ProfilePage.tsx
 create mode 100644 haixun-backend/web/src/pages/RegisterPage.tsx
 create mode 100644 haixun-backend/web/src/pages/SettingsPage.tsx
 create mode 100644 haixun-backend/web/src/theme/ThemeContext.tsx
 create mode 100644 haixun-backend/web/src/types/api.ts
 create mode 100644 haixun-backend/web/src/vite-env.d.ts
 create mode 100644 haixun-backend/web/tsconfig.app.json
 create mode 100644 haixun-backend/web/tsconfig.json
 create mode 100644 haixun-backend/web/tsconfig.node.json
 create mode 100644 haixun-backend/web/vite.config.ts
 create mode 160000 template-monorepo

diff --git a/haixun-backend/.idea/.gitignore b/haixun-backend/.idea/.gitignore
new file mode 100644
index 0000000..30cf57e
--- /dev/null
+++ b/haixun-backend/.idea/.gitignore
@@ -0,0 +1,10 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Editor-based HTTP Client requests
+/httpRequests/
+# Ignored default folder with query files
+/queries/
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml
diff --git a/haixun-backend/.idea/go.imports.xml b/haixun-backend/.idea/go.imports.xml
new file mode 100644
index 0000000..644cdf0
--- /dev/null
+++ b/haixun-backend/.idea/go.imports.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="GoImports">
+    <option name="excludedPackages">
+      <array>
+        <option value="golang.org/x/net/context" />
+      </array>
+    </option>
+  </component>
+</project>
\ No newline at end of file
diff --git a/haixun-backend/.idea/haixun-backend.iml b/haixun-backend/.idea/haixun-backend.iml
new file mode 100644
index 0000000..5e764c4
--- /dev/null
+++ b/haixun-backend/.idea/haixun-backend.iml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="WEB_MODULE" version="4">
+  <component name="Go" enabled="true" />
+  <component name="NewModuleRootManager">
+    <content url="file://$MODULE_DIR$" />
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+</module>
\ No newline at end of file
diff --git a/haixun-backend/.idea/material_theme_project_new.xml b/haixun-backend/.idea/material_theme_project_new.xml
new file mode 100644
index 0000000..b401c17
--- /dev/null
+++ b/haixun-backend/.idea/material_theme_project_new.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="MaterialThemeProjectNewConfig">
+    <option name="metadata">
+      <MTProjectMetadataState>
+        <option name="userId" value="73c9beac:19eed3331be:-7ebe" />
+      </MTProjectMetadataState>
+    </option>
+  </component>
+</project>
\ No newline at end of file
diff --git a/haixun-backend/.idea/modules.xml b/haixun-backend/.idea/modules.xml
new file mode 100644
index 0000000..1881042
--- /dev/null
+++ b/haixun-backend/.idea/modules.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/haixun-backend.iml" filepath="$PROJECT_DIR$/.idea/haixun-backend.iml" />
+    </modules>
+  </component>
+</project>
\ No newline at end of file
diff --git a/haixun-backend/.idea/vcs.xml b/haixun-backend/.idea/vcs.xml
new file mode 100644
index 0000000..6c0b863
--- /dev/null
+++ b/haixun-backend/.idea/vcs.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="$PROJECT_DIR$/.." vcs="Git" />
+  </component>
+</project>
\ No newline at end of file
diff --git a/haixun-backend/AGENTS.md b/haixun-backend/AGENTS.md
new file mode 100644
index 0000000..74d581e
--- /dev/null
+++ b/haixun-backend/AGENTS.md
@@ -0,0 +1,335 @@
+# Agent Handoff Notes
+
+這個資料夾是新的巡樓後端核心，請優先維持乾淨邊界，不要把舊 Next.js 或 `template-monorepo` 的業務包袱搬進來。
+
+## 核心原則
+
+- 全系統時間一律 **UTC+0**；寫入 Mongo / API 的時間欄位一律 **unix nanoseconds**（`int64`）。排程的 `timezone` 只用於 cron 解讀與下發 payload，不作為儲存時區。
+- 複製模式，不複製舊業務。
+- `logic` 做 API 編排，`model/usecase` 做可重複使用能力。
+- provider adapter 不讀 setting、不碰 Mongo、不知道 HTTP。
+- setting 是通用 key-value model，不依賴 AI 或其他業務。
+- token / API key 第一版每次 request 帶入，不寫入 config。
+- SSE contract 由本服務 normalize，前端不要讀 provider 原始 chunk。
+- JSON API 必須使用 `code/message/data/error` envelope 與 `SSCCCDDD` 錯誤碼。
+- 列表 API 必須使用 `page/pageSize` query，並在 `data` 回傳 `pagination/list`。
+- Job 狀態轉移必須使用 guarded/conditional update；不要在 API/worker 直接裸 `Update` 覆蓋 job 狀態。
+- Redis job lock 的 value 是 `workerID`；release / refresh 必須檢查 owner，長任務必須 heartbeat。
+- Auth 目前是 native email/password + JWT，不包含 OAuth / OTP / MFA / Zitadel。不要為了相容 template-monorepo 把重依賴搬進來。
+- AI provider token 與會員 JWT 是兩種不同 token；AI token 每次 request header 帶入，會員 JWT 由 `/api/v1/auth/*` 簽發。
+
+## 設計文件
+
+- `docs/job-system-plan.md`：通用 job system 規劃，包含 template、run、schedule、Redis queue/lock、取消語意與 API 草案。
+
+## 新增 API 流程
+
+1. 修改 `generate/api/*.api`。
+2. 優先使用 `make gen-api` 重新產生 handler/logic/types。
+3. 若手寫 handler，仍需遵守 `response.Write` 與 validator 流程。
+4. SSE endpoint 不使用 `response.Write`，直接輸出 `text/event-stream`。
+5. 更新 `README.md` 的 API 與架構說明。
+
+## Response / Error Code
+
+錯誤碼格式是 `SSCCCDDD`：
+
+```text
+SS  = scope
+CCC = category
+DDD = detail
+```
+
+目前 scope：
+
+```text
+10 = Facade
+32 = Setting
+33 = AI
+34 = Job
+35 = Auth
+36 = Member
+37 = Permission
+```
+
+建立錯誤時使用：
+
+```go
+errs.For(code.AI).InputMissingRequired("缺少 AI provider token")
+errs.For(code.Setting).ResNotFound("找不到設定")
+errs.For(code.Job).ResInvalidState("job state changed; update rejected")
+errs.For(code.Auth).AuthUnauthorized("missing bearer token")
+```
+
+不要直接手寫 `33104000` 這種數字，也不要回傳裸 `error` 給 handler 後讓使用者看到內部錯誤。
+
+## Pagination
+
+列表 API 使用：
+
+```text
+?page=1&pageSize=10
+```
+
+response：
+
+```json
+{
+  "code": 102000,
+  "message": "SUCCESS",
+  "data": {
+    "pagination": {
+      "total": 100,
+      "page": 1,
+      "pageSize": 10,
+      "totalPages": 10
+    },
+    "list": []
+  }
+}
+```
+
+`page/pageSize` 必須是 server 正規化後的值。不要使用 `offset/limit/items`。
+
+## 新增 Model 流程
+
+模組放在：
+
+```text
+internal/model/<module>/
+  domain/entity
+  domain/repository
+  domain/usecase
+  repository
+  usecase
+```
+
+依賴方向：
+
+```text
+handler -> logic -> model/domain/usecase
+model/usecase -> model/domain/repository
+model/repository -> Mongo / Redis
+```
+
+不要讓 `logic` import `model/<module>/repository`。
+
+## Auth / Permission 擴充
+
+目前已接：
+
+```text
+POST /api/v1/auth/register
+POST /api/v1/auth/login
+POST /api/v1/auth/refresh
+POST /api/v1/auth/logout          # requires member JWT
+GET  /api/v1/members/me
+PATCH /api/v1/members/me
+GET  /api/v1/permissions/catalog
+GET  /api/v1/permissions/me
+```
+
+Auth matrix（`internal/handler/routes.go`）：
+
+| 路由 | 需要會員 JWT |
+|------|----------------|
+| `GET /api/v1/health` | 否 |
+| `POST /api/v1/auth/register/login/refresh` | 否 |
+| `POST /api/v1/auth/logout` | 是（`Authorization`） |
+| `GET /api/v1/ai/providers` | 否 |
+| `POST /api/v1/ai/chat/stream/models` | 是（`X-Member-Authorization`）+ provider token（`Authorization`） |
+| `/api/v1/members/*`、`/api/v1/permissions/me` | 是（`Authorization`） |
+| `/api/v1/permissions/catalog`、`/api/v1/settings/*`、`/api/v1/jobs*`、`/api/v1/job/*` | 是（`Authorization`） |
+
+規則：
+
+- 保護路由用 `internal/middleware.Auth`（`Authorization: Bearer <access_token>`）；AI 變更路由用 `middleware.MemberAuth`（`X-Member-Authorization`），因 `Authorization` 保留給 provider API key。
+- logic 從 `authctx.ActorFromContext` 讀 `tenant_id` / `uid`。
+- 不要在 handler 直接 parse JWT；token 驗證集中在 `model/auth/usecase`。
+- 密碼只存 bcrypt hash，不回傳、不寫 log。
+- `members.roles` 第一版是簡化 role key。正式 RBAC 可逐步補 roles collection，但不要破壞 `role_permissions` 的 tenant + role_key contract。
+- `Auth.DevHeaderFallback` 只給本機開發，正式環境應關閉。
+
+## AI Provider 擴充
+
+新增 provider 時：
+
+1. 在 `internal/model/ai/domain/enum` 新增 provider id。
+2. 在 `internal/model/ai/provider` 新增 adapter。
+3. 在 `internal/model/ai/usecase` registry 註冊 provider 與 models。
+4. 確保 adapter 回傳統一 `StreamEvent`。
+5. 不要改 `logic/ai` 的 SSE 格式。
+
+## Job Worker 擴充
+
+新增 job step 時優先註冊 runner handler：
+
+```go
+runner.RegisterStepHandler("analyze_8d", func(ctx context.Context, step job.StepContext) error {
+    if err := step.Heartbeat(ctx); err != nil {
+        return err
+    }
+    // do work, check cancel via job usecase if needed
+    return nil
+})
+```
+
+規則：
+
+- Handler 不要直接操作 Mongo / Redis，透過 job usecase 更新進度、完成、失敗或取消。
+- 長任務每個 checkpoint 呼叫 `StepContext.Heartbeat` 或 `RefreshRunLock`。
+- 收到 cancel signal 後呼叫 `AcknowledgeCancel(jobId, workerID)`，不要自行把狀態改成 `cancelled`。
+- release lock 時必須帶 `workerID`；不要新增無 owner 的 release helper。
+
+## 前端設計規則（`web/`）
+
+巡樓 Console 前端在 `haixun-backend/web/`，風格參考 [simular.co](https://simular.co/)：**明亮、年輕、圓角多、配色克制**。不要把舊 Next.js / `template-monorepo` UI 搬進來，也不要引入重型 UI 框架。
+
+### 技術棧與指令
+
+```text
+web/
+  src/
+    api/          # API client（envelope、JWT refresh）
+    auth/         # AuthContext
+    components/   # Layout、ui、ThemeToggle、AuthShell
+    theme/        # ThemeContext（淺色 / 深色）
+    pages/        # 路由頁面
+    lib/          # jobStatus 等共用工具
+  index.css       # 設計 token 唯一來源
+```
+
+```bash
+make web-dev      # dev server :5173，proxy 到 :8890
+make web-build    # tsc + vite build
+```
+
+### 字型
+
+| 語言 | 字型 | 載入方式 |
+|------|------|----------|
+| 繁體中文 | **台北黑體 Taipei Sans TC** | npm `taipei-sans-tc`，在 `index.css` `@import` Light / Regular / Bold |
+| 英文 | **Inter**（與 simular.co 相同，Google Fonts 免費） | `web/index.html` link |
+
+規則：
+
+- `body` / 中文標題：`Inter` + `Taipei Sans TC` 混排（`--font-sans`）。
+- 純英文裝飾字（導覽副標、Hero 小字）：加 class `display-en`，使用 `--font-en`。
+- 中文 `line-height` 維持 **1.7+**；不要用過細字重當標題（標題用 `font-bold` / `font-black`）。
+- 只載入 Taipei Sans TC **Regular + Bold**，不要載入 Light，避免小字過細。
+- 不要改回 Noto Sans TC，也不要手寫 `#333` 這類裸色碼當主色。
+
+### 對比度與字級
+
+- 內文、表頭、表單 label、卡片說明：優先 `text-ink` / `text-ink-secondary`，**不要**拿 `text-muted` 當主要閱讀文字。
+- `text-muted` 只給次要提示（筆數、hint、placeholder 用 `text-subtle`）。
+- 表單輸入字級 **15px**（`text-[15px]`），輸入框底用 `bg-surface` 白底，確保與背景拉開。
+- 淺色 `muted` 約 `#5a6578`、深色約 `#b8c4d6`；改色時以「小字仍可舒適閱讀」為準，不要回到 `#94a3b8` 那種淡灰。
+
+### 主題（淺色 / 深色）
+
+- `ThemeProvider`（`src/theme/ThemeContext.tsx`）包住 App；偏好存 `localStorage` key：`haixun.theme`（`light` | `dark`）。
+- `index.html` 內嵌 script 在 React 載入前設定 `data-theme`，避免閃爍。
+- 所有顏色必須走 CSS 變數 `--hx-*`，再映射到 Tailwind `@theme`（`bg-canvas`、`text-brand` 等）。
+- 切換按鈕用 `ThemeToggle`；Layout 頂欄與 `AuthShell` 都要有。
+- **禁止**在元件裡寫死 `bg-slate-*`、`text-emerald-*`、`bg-amber-*` 等 Tailwind 預設色；語意狀態用 `text-success` / `text-warning` / `text-danger` 或 `jobStatus.ts` 的 badge class。
+
+淺色預設明亮藍白底；深色為深藍黑底。兩套都只允許 **一個主色 brand（靛藍）** + success / warning / danger 語意色，不要再加褐色、墨綠、多種 accent 亂配。
+
+### 色彩 token（語意命名）
+
+開發時只用這些 Tailwind class（值定義在 `web/src/index.css`）：
+
+| Token | 用途 |
+|-------|------|
+| `canvas` | 全頁背景 |
+| `surface` / `surface-muted` | 卡片、輸入框底 |
+| `ink` / `ink-secondary` / `muted` | 主文 / 次文 / 輔助 |
+| `line` | 邊框 |
+| `brand` / `brand-hover` / `brand-soft` | 主 CTA、active 導覽、連結 hover |
+| `glow` | 裝飾色塊（`.glow-blob-alt`） |
+| `success` / `warning` / `danger`（含 `*-soft`） | 狀態、錯誤、Job badge |
+
+主按鈕一律 `Button variant="primary"` → `bg-brand`，不要用全黑按鈕。
+
+### 圓角與陰影
+
+```text
+--radius-sm   0.75rem   小元素、code
+--radius-md   1.25rem   Input / Textarea
+--radius-lg   1.75rem   Card
+--radius-xl   2.25rem   Hero、QuickLink、StatCard
+--radius-pill 9999px    Button、Badge、導覽 pill
+```
+
+陰影用 utility：`shadow-card`（一般卡片）、`shadow-soft`（主按鈕、Hero）。Hero 背景用 class `hero-panel`；裝飾 blob 用 `glow-blob` / `glow-blob-alt`。
+
+### 共用元件（優先復用）
+
+新頁面必須從 `src/components/ui.tsx` 組裝，不要另寫一套按鈕樣式：
+
+| 元件 | 用途 |
+|------|------|
+| `PageTitle` | 頁面標題 + 副標 |
+| `Card` | 內容區塊 |
+| `Field` + `Input` / `Textarea` | 表單 |
+| `Button` | `primary` / `ghost` / `danger` / `soft` |
+| `Badge` | 標籤 pill（`brand` / `sky` / `success` / `warning` / `danger` / `neutral`） |
+| `StatCard` / `QuickLinkCard` | 總覽統計與快捷入口 |
+| `ErrorText` / `CopyableId` | 錯誤與可複製 ID |
+
+`Button` 必須渲染 `{children}`；文案用**中文動詞**（例：「建立背景任務」「重新載入任務列表」），不要留空白小框。
+
+### RWD（手機）
+
+- `< lg`：隱藏左側欄；**底部固定導覽**最多 **4 格**（總覽 / 任務 / 排程 / **更多**），不要把漢堡或 ⋯ 選單放在左上角。
+- 「更多」以底部 sheet 展開：AI、模板、設定、會員、權限、主題切換、登出。
+- 主內容加 `layout-main` 底部 padding，避開 tab bar + `safe-area-inset-bottom`。
+- 寬表格包 `overflow-x-auto` + `min-w-*`，避免小螢幕擠爆版面。
+
+### 版面與導覽
+
+- 已登入（桌面）：`Layout` = 左側欄 + 頂部 sticky bar（UID + `ThemeToggle`）+ `Outlet`。
+- 已登入（手機）：頂欄品牌 + 主題切換；導覽走 `MobileBottomNav`。
+- 側欄分組：**工作區**（總覽、背景任務、排程、AI）、**管理**（模板、設定、會員、權限）。
+- Active 導覽：`bg-brand text-white shadow-soft`；hover：`bg-brand-soft text-brand`。
+- 未登入：`AuthShell` 置中卡片 + 右上主題切換；背景用柔和 blob，不要花俏插圖牆。
+- 語氣：年輕、直接、短句；Hero 可有一句主標 + brand 色強調詞，避免長篇企業八股。
+
+### API 與狀態
+
+- JSON 一律走 `api/client.ts`（`code/message/data` envelope）；需登入加 `{ auth: true }`。
+- AI 路由用 `X-Member-Authorization`；provider token 用 `Authorization`（見後端 Auth matrix）。
+- Job 狀態中文與 badge 色：`src/lib/jobStatus.ts`（`jobStatusLabel` / `jobStatusBadgeClass`），列表有進行中任務時可每 3 秒 refresh。
+- 不要在前端 parse JWT；`uid` / `tenant_id` 從 `AuthContext` 讀。
+
+### 新增頁面流程
+
+1. 在 `App.tsx` 掛路由（需登入的放在 `Layout` 底下）。
+2. 頁面用 `PageTitle` + `Card` + 既有元件；色票只引用 semantic token。
+3. 若需新語意色，**先**改 `index.css` 的 `--hx-*` 與 `@theme`，再改元件；不要頁面內硬編色碼。
+4. 完成後執行 `make web-build`。
+
+### 前端禁忌
+
+- 不要引入 MUI / Ant Design / Chakra 等大型 UI 庫。
+- 不要為單頁新增第三套配色或漸層彩虹按鈕。
+- 不要讓 SSE / AI 直接吃 provider 原始 chunk（後端已 normalize）。
+- 不要用 `offset/limit` 呼叫列表 API；用 `page` / `pageSize`。
+
+## 驗證
+
+完成變更後至少執行：
+
+```bash
+cd haixun-backend
+go mod tidy
+make fmt
+go test ./...
+```
+
+有動到前端時另執行：
+
+```bash
+make web-build
+```
diff --git a/haixun-backend/Makefile b/haixun-backend/Makefile
new file mode 100644
index 0000000..708ed11
--- /dev/null
+++ b/haixun-backend/Makefile
@@ -0,0 +1,52 @@
+GO ?= go
+GOFMT ?= gofmt
+GOCTL ?= goctl
+GO_ZERO_STYLE := go_zero
+API_ENTRY := ./generate/api/gateway.api
+GOFILES := $(shell find . -name '*.go')
+
+.DEFAULT_GOAL := help
+
+help: ## 顯示可用指令
+	@echo "Haixun Backend"
+	@echo ""
+	@grep -E '^[a-zA-Z0-9_-]+:.*## ' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*## "}; {printf "  make %-12s %s\n", $$1, $$2}'
+
+tools: ## 安裝 goctl / goimports
+	@command -v $(GOCTL) >/dev/null 2>&1 || (echo ">> installing goctl" && $(GO) install github.com/zeromicro/go-zero/tools/goctl@latest)
+	@command -v goimports >/dev/null 2>&1 || (echo ">> installing goimports" && $(GO) install golang.org/x/tools/cmd/goimports@latest)
+
+gen-api: tools ## 由 .api 生成 handler / logic / types
+	$(GOCTL) api go -api $(API_ENTRY) -dir . -style $(GO_ZERO_STYLE) -home generate/goctl
+
+fmt: ## gofmt + goimports
+	$(GOFMT) -s -w $(GOFILES)
+	@command -v goimports >/dev/null 2>&1 && goimports -w . || true
+
+test: ## 執行測試
+	$(GO) test ./...
+
+run: ## 啟動 API
+	$(GO) run ./gateway.go -f etc/gateway.yaml
+
+CONFIG ?= etc/gateway.yaml
+INIT_TENANT ?= default
+INIT_EMAIL ?= admin@30cm.net
+INIT_PASSWORD ?= Fafafa54088!
+
+tool-init: ## 初始化 Mongo indexes、預設權限與 admin 帳號
+	$(GO) run ./cmd/tool init -f $(CONFIG) -tenant $(INIT_TENANT) -email $(INIT_EMAIL) -password '$(INIT_PASSWORD)'
+
+tool: ## 執行 cmd/tool（例：make tool ARGS="init -f etc/gateway.yaml"）
+	$(GO) run ./cmd/tool $(ARGS)
+
+web-install: ## 安裝前端依賴
+	cd web && npm install
+
+web-dev: web-install ## 啟動前端 dev server（proxy 到 :8890）
+	cd web && npm run dev
+
+web-build: web-install ## 建置前端靜態檔
+	cd web && npm run build
+
+check: fmt test ## 格式化並測試
diff --git a/haixun-backend/README.md b/haixun-backend/README.md
new file mode 100644
index 0000000..84c34ef
--- /dev/null
+++ b/haixun-backend/README.md
@@ -0,0 +1,365 @@
+# Haixun Backend
+
+新的巡樓後端核心。這個資料夾刻意不直接複製 `template-monorepo` 的產物碼，只沿用它的架構模式、goctl handler template 概念與必要 runtime library，讓後續可以用更乾淨的邊界重建服務。
+
+## 目前範圍
+
+第一版先放六個核心能力：
+
+- `setting`：通用設定模型，支援 `scope + scope_id + key` 儲存不同類型設定。
+- `ai`：可替換 AI provider interface，第一版支援 OpenCode Go 與 Grok/xAI，並提供 SSE 串流回應。
+- `job`：通用背景任務系統，支援 template/run/schedule/event、Redis queue/lock、進度、retry 與 cooperative cancel。
+- `auth`：native email/password 登入、JWT access/refresh token、logout revoke。
+- `member`：目前登入會員的 profile 讀寫。
+- `permission`：permission catalog 與目前會員權限查詢。
+
+暫時不包含 template-monorepo 裡較重的 OAuth / OTP / MFA / Zitadel 整合，也不包含 notification、Playwright worker。這些之後要接時再按服務邊界新增。
+
+## 快速開始
+
+```bash
+cd haixun-backend
+go mod download
+make run
+```
+
+預設服務：
+
+```text
+http://127.0.0.1:8890
+```
+
+健康檢查：
+
+```bash
+curl http://127.0.0.1:8890/api/v1/health
+```
+
+## 專案結構
+
+```text
+haixun-backend/
+  gateway.go                    # go-zero server 入口
+  Makefile                      # gen-api / fmt / test / run
+  etc/                          # runtime config
+  generate/
+    api/                        # goctl .api 定義
+    goctl/api/handler.tpl       # 從 template-monorepo 精簡改來的 handler 模板
+  internal/
+    config/                     # config struct
+    handler/                    # HTTP handler，目前手寫；之後可由 goctl 生成
+    logic/                      # API 編排層
+    model/
+      setting/                  # 通用設定 model
+      ai/                       # AI provider interface + adapter
+      job/                      # Job template/run/schedule/event usecase + repository
+      auth/                     # JWT token issue/refresh/logout + Redis revoke store
+      member/                   # Native member profile + password hash
+      permission/               # Permission catalog + role permission mapping
+    worker/                     # 常駐背景 worker / scheduler / reaper
+    library/                    # 最小 runtime library
+    response/                   # 統一 JSON response envelope
+    svc/                        # ServiceContext 組裝依賴
+    types/                      # API request/response types
+```
+
+## 分層規則
+
+## Response 與錯誤碼標準
+
+所有一般 JSON API 都必須回傳同一層 envelope：
+
+```json
+{
+  "code": 102000,
+  "message": "SUCCESS",
+  "data": {}
+}
+```
+
+成功固定：
+
+```text
+HTTP 200
+code = 102000
+message = SUCCESS
+```
+
+失敗格式：
+
+```json
+{
+  "code": 33101000,
+  "message": "缺少 AI provider token",
+  "error": {
+    "biz_code": "33101000",
+    "scope": 33,
+    "category": 104,
+    "detail": 0
+  }
+}
+```
+
+錯誤碼採 `SSCCCDDD`：
+
+```text
+SS  = scope，服務或模組範圍
+CCC = category，錯誤分類
+DDD = detail，細分錯誤碼，未細分時為 000
+```
+
+目前 scope：
+
+```text
+10 = Facade / request parse / validation
+32 = Setting
+33 = AI
+34 = Job
+35 = Auth
+36 = Member
+37 = Permission
+```
+
+常用 category：
+
+```text
+101 = InputInvalidFormat
+104 = InputMissingRequired
+204 = DBUnavailable
+301 = ResourceNotFound
+303 = ResourceConflict
+401 = AuthUnauthorized
+505 = AuthForbidden
+601 = SystemInternal
+802 = ServiceThirdParty
+```
+
+實作規則：
+
+- Handler 成功/失敗都用 `internal/response.Write`，SSE endpoint 例外。
+- Request parse / validation 錯誤用 `response.WrapRequestError`，會落在 Facade scope。
+- Model/usecase 內建立錯誤時使用 `errors.For(code.<Scope>)` builder，不要手刻數字。
+- 不要把 provider 原始錯誤完整洩漏到前端；必要時只保留可排查的摘要。
+
+### 分頁標準
+
+列表型 API 的 query 使用 `page` / `pageSize`：
+
+```text
+GET /api/v1/settings/user/user_123?page=1&pageSize=10
+```
+
+回應的分頁資訊放在 `data.pagination`，資料陣列放在 `data.list`：
+
+```json
+{
+  "code": 102000,
+  "message": "SUCCESS",
+  "data": {
+    "pagination": {
+      "total": 42,
+      "page": 1,
+      "pageSize": 10,
+      "totalPages": 5
+    },
+    "list": []
+  }
+}
+```
+
+規則：
+
+- `page` 從 1 開始。
+- `pageSize <= 0` 時由 server 套用預設值。
+- `pageSize` 超過 server 上限時由 server 截斷。
+- `totalPages = ceil(total / pageSize)`。
+- response 內的 `page/pageSize` 必須回傳 server 正規化後的值。
+
+### logic
+
+`internal/logic/*` 只負責一次 API 請求的流程編排：
+
+- 轉換 HTTP types 與 usecase DTO
+- 呼叫一個或多個 model usecase
+- 不直接操作 Mongo / Redis
+- 不放 provider HTTP 細節
+
+### model
+
+`internal/model/*` 放可重複使用的業務能力：
+
+- `domain/entity`：資料結構
+- `domain/repository`：repository interface
+- `domain/usecase`：usecase interface 與 DTO
+- `repository`：Mongo / Redis 實作
+- `usecase`：業務能力實作
+
+### provider
+
+`internal/model/ai/provider` 只負責外部 AI API adapter：
+
+- 不讀 setting
+- 不碰 HTTP handler
+- 不存 token
+- token 每次由 request 帶入
+
+## Setting Model
+
+設定使用 typed setting 形式：
+
+```json
+{
+  "scope": "user",
+  "scope_id": "user_123",
+  "key": "ai.default",
+  "value": {
+    "provider": "opencode-go",
+    "model": "deepseek-v4-pro",
+    "temperature": 0.7,
+    "max_tokens": 2000
+  },
+  "version": 1
+}
+```
+
+API：
+
+```text
+GET    /api/v1/settings/:scope/:scope_id?page=1&pageSize=10
+GET    /api/v1/settings/:scope/:scope_id/:key
+PUT    /api/v1/settings/:scope/:scope_id/:key
+DELETE /api/v1/settings/:scope/:scope_id/:key
+```
+
+`setting` model 不知道 AI、Threads、crawler 等業務含義。各業務 model 自己解讀對應 key 的 value。
+
+## Auth / Member / Permission
+
+這版從 `template-monorepo` 精簡搬入會員、權限與 token 的核心概念，但不搬 OAuth / OTP / MFA / Zitadel 依賴。
+
+Auth 採 native email/password：
+
+```text
+POST /api/v1/auth/register
+POST /api/v1/auth/login
+POST /api/v1/auth/refresh
+POST /api/v1/auth/logout
+```
+
+`register` / `login` 回傳：
+
+```json
+{
+  "access_token": "...",
+  "refresh_token": "...",
+  "expires_in": 900,
+  "uid": "user_uid",
+  "token_type": "Bearer"
+}
+```
+
+保護路由使用：
+
+```http
+Authorization: Bearer <access_token>
+```
+
+本機開發可以開啟 `Auth.DevHeaderFallback`，用 header 模擬登入：
+
+```http
+X-Tenant-ID: default
+X-UID: user_uid
+```
+
+Member API：
+
+```text
+GET   /api/v1/members/me
+PATCH /api/v1/members/me
+```
+
+Permission API：
+
+```text
+GET /api/v1/permissions/catalog?tree=true
+GET /api/v1/permissions/me?include_tree=true
+```
+
+資料模型：
+
+- `members`：tenant-scoped profile、email、bcrypt password hash、roles。
+- `permissions`：平台 permission catalog。
+- `role_permissions`：tenant + role_key 對 permission catalog 的綁定。
+- Redis `auth:jwt:*`：access/refresh pair 與 blacklist。Redis 未配置時仍可簽發 token，但 refresh/logout revoke 不會持久化。
+
+## AI Provider
+
+AI token 不存在 config，呼叫時每次帶入，且**只放 HTTP header**，不要放 JSON body（避免 log / 回應洩漏）：
+
+```http
+Authorization: Bearer sk-...
+Content-Type: application/json
+
+{
+  "provider": "opencode-go",
+  "model": "deepseek-v4-pro",
+  "messages": [
+    { "role": "user", "content": "請幫我寫一段文案" }
+  ]
+}
+```
+
+API：
+
+```text
+GET  /api/v1/ai/providers
+POST /api/v1/ai/providers/:provider/models
+POST /api/v1/ai/chat
+POST /api/v1/ai/chat/stream
+```
+
+- `GET /providers`：只回傳 catalog（id、label、streams），不含 models、不含 token。
+- `POST /providers/:provider/models`：向 provider 的 `/models` 動態拉清單，需帶 `Authorization: Bearer <token>`。
+- 回應與錯誤訊息不會 echo token；provider 原始錯誤 body 也不會直接回傳給前端。
+
+串流 endpoint 使用 SSE：
+
+```text
+event: delta
+data: {"type":"delta","text":"..."}
+
+event: done
+data: {"type":"done","finish_reason":"stop"}
+```
+
+## Job System
+
+Job 系統的詳細設計在 `docs/job-system-plan.md`。目前 runtime 原則：
+
+- MongoDB 的 `job_runs` 是狀態真相來源；claim、cancel、complete、fail、retry 必須使用 conditional update，避免 worker 與 API 互相覆蓋狀態。
+- Redis `jobs:lock:<jobId>` 的 value 是 `workerID`；release / refresh 必須檢查 owner，只能由持有 lock 的 worker 操作。
+- Worker 執行長任務時要定期呼叫 `RefreshRunLock(jobId, workerID, ttlSeconds)`，避免 reaper 誤判過期。
+- Runner 支援 `RegisterStepHandler(stepID, handler)` 註冊自訂 step handler；未註冊時會走 demo handler。自訂 handler 可用 `StepContext.Heartbeat` 續約 lock。
+- 取消採 cooperative cancellation：API 先寫 `cancel_requested` 與 Redis cancel signal，worker checkpoint 讀取後呼叫 `AcknowledgeCancel(jobId, workerID)`。
+
+## OpenCode Go 注意事項
+
+第一版 OpenCode Go 先走 OpenAI-compatible `/chat/completions`：
+
+```text
+https://opencode.ai/zen/go/v1/chat/completions
+```
+
+目前已處理 Kimi 模型 `temperature = 1` 的特殊規則。部分 OpenCode Go 模型官方文件標示為 Anthropic-compatible `/messages`，後續可在 `internal/model/ai/provider` 新增 messages adapter，不需要改 logic 或前端 SSE contract。
+
+## 下一步建議
+
+1. 用 `goctl` 重新生成 handler / logic / types，確認 `.api` 與手寫版本對齊。
+2. 補 `setting` repository 測試與 Mongo integration 測試。
+3. 補 AI provider mock，讓 `logic/ai` 不需要真的打 provider 也能測。
+4. 新增 credential service 或 Vault/KMS 整合，但不要把 token 放進 provider config。
+5. 新增 worker/job model，讓 Go worker 與 Node Playwright worker 共用同一套 job contract。
+
+## 設計文件
+
+- [Job 核心系統規劃](docs/job-system-plan.md)：通用 job template、run、schedule、事件、取消語意與 worker contract。
diff --git a/haixun-backend/cmd/tool/main.go b/haixun-backend/cmd/tool/main.go
new file mode 100644
index 0000000..cb936de
--- /dev/null
+++ b/haixun-backend/cmd/tool/main.go
@@ -0,0 +1,87 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"os"
+	"strings"
+	"time"
+
+	"haixun-backend/internal/bootstrap"
+	"haixun-backend/internal/config"
+
+	"github.com/zeromicro/go-zero/core/conf"
+)
+
+func main() {
+	if len(os.Args) < 2 {
+		printUsage()
+		os.Exit(1)
+	}
+	switch os.Args[1] {
+	case "init":
+		if err := runInit(os.Args[2:]); err != nil {
+			fmt.Fprintf(os.Stderr, "[tool] error: %v\n", err)
+			os.Exit(1)
+		}
+	default:
+		fmt.Fprintf(os.Stderr, "[tool] unknown command: %s\n", os.Args[1])
+		printUsage()
+		os.Exit(1)
+	}
+}
+
+func runInit(args []string) error {
+	fs := flag.NewFlagSet("init", flag.ExitOnError)
+	configFile := fs.String("f", "etc/gateway.yaml", "config file")
+	tenantID := fs.String("tenant", envOr("INIT_TENANT_ID", "default"), "tenant id for admin and role permissions")
+	email := fs.String("email", envOr("INIT_ADMIN_EMAIL", "admin@haixun.local"), "bootstrap admin email")
+	password := fs.String("password", envOr("INIT_ADMIN_PASSWORD", "Admin-Pass-1!"), "bootstrap admin password")
+	displayName := fs.String("display-name", envOr("INIT_ADMIN_DISPLAY_NAME", "Admin"), "bootstrap admin display name")
+	if err := fs.Parse(args); err != nil {
+		return err
+	}
+
+	var cfg config.Config
+	conf.MustLoad(*configFile, &cfg)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+	defer cancel()
+
+	report, err := bootstrap.Init(ctx, cfg, bootstrap.InitOptions{
+		TenantID:    strings.TrimSpace(*tenantID),
+		AdminEmail:  strings.TrimSpace(*email),
+		AdminPass:   *password,
+		DisplayName: strings.TrimSpace(*displayName),
+	})
+	if err != nil {
+		return err
+	}
+
+	fmt.Fprintf(os.Stderr, "[tool] indexes ensured\n")
+	fmt.Fprintf(os.Stderr, "[tool] permissions catalog seeded\n")
+	fmt.Fprintf(os.Stderr, "[tool] role_permissions seeded (admin=all, user=default)\n")
+	if report.AdminCreated {
+		fmt.Fprintf(os.Stderr, "[tool] admin created uid=%s email=%s tenant=%s\n", report.AdminUID, *email, *tenantID)
+	} else {
+		fmt.Fprintf(os.Stderr, "[tool] admin exists uid=%s email=%s tenant=%s (roles ensured admin)\n", report.AdminUID, *email, *tenantID)
+	}
+	fmt.Printf("export INIT_TENANT_ID=%s\n", *tenantID)
+	fmt.Printf("export INIT_ADMIN_EMAIL=%s\n", *email)
+	fmt.Printf("export INIT_ADMIN_PASSWORD=%s\n", *password)
+	fmt.Printf("export INIT_ADMIN_UID=%s\n", report.AdminUID)
+	return nil
+}
+
+func envOr(key, fallback string) string {
+	if v := strings.TrimSpace(os.Getenv(key)); v != "" {
+		return v
+	}
+	return fallback
+}
+
+func printUsage() {
+	fmt.Fprintf(os.Stderr, "usage:\n")
+	fmt.Fprintf(os.Stderr, "  tool init [-f etc/gateway.yaml] [-tenant default] [-email admin@haixun.local] [-password ...]\n")
+}
diff --git a/haixun-backend/deploy/README.md b/haixun-backend/deploy/README.md
new file mode 100644
index 0000000..e0f0a17
--- /dev/null
+++ b/haixun-backend/deploy/README.md
@@ -0,0 +1,64 @@
+# 本機依賴（Docker Compose）
+
+Gateway 啟用 **Notification** / **Member OTP** 需要：
+
+| 服務 | 用途 | 預設埠 |
+|------|------|--------|
+| **MongoDB** | `notifications`、`notification_dlq` collections | 27017 |
+| **Redis** | 冪等、配額、異步重試佇列、member OTP challenge | 6379 |
+| MailHog（選用） | 本機 SMTP 測試 | 1025 / 8025 |
+| OpenLDAP（`make ldap-up` / `make k6-up`） | ZITADEL LDAP IdP 本機目錄 | 389 |
+| ZITADEL（`make k6-up`） | OIDC / Social / LDAP 登入 | 8080 |
+
+Mongo **不需要**事先手動建 collection；應用程式寫入時會自動建立。索引由 init script 或 `make mongo-index` 建立。
+
+## 快速開始
+
+```bash
+# 1. 啟動 Mongo + Redis
+make deps-up
+
+# 2.（選用）含 MailHog
+make deps-up-smtp
+
+# 3. 確認索引（首次 docker volume 通常已由 init 建立；可再跑一次保險）
+make mongo-index
+
+# 4. 啟動 Gateway（使用 etc/gateway.dev.yaml）
+make run-dev
+```
+
+## Mongo collections
+
+| Collection | 模組 | 說明 |
+|------------|------|------|
+| `notifications` | notification | 發送紀錄、冪等 |
+| `notification_dlq` | notification | 超過 MaxRetry 的死信 |
+
+索引定義見 [`deploy/mongo/init/01-gateway-indexes.js`](mongo/init/01-gateway-indexes.js)，與 Go 的 `Index20260520001UP` 一致。
+
+## 常用指令
+
+```bash
+make deps-up        # docker compose up -d mongo redis
+make deps-up-smtp   # 再加上 mailhog（profile smtp）
+make ldap-up        # 只起 OpenLDAP（profile ldap）
+make k6-up          # 全棧含 OpenLDAP + ZITADEL（見 deploy/zitadel、deploy/openldap README）
+make ldap-test      # 確認 LDAP 測試帳號 alice/bob
+make deps-down      # 停止並移除容器（保留 volume）
+make deps-down-v    # 停止並刪除 volume（會清掉 Mongo 資料）
+make deps-logs      # 查看 log
+make mongo-index    # 手動建立／補齊索引
+```
+
+LDAP 本機測試：[deploy/openldap/README.md](openldap/README.md)
+
+## 連線設定
+
+設定說明：[`etc/README.md`](../etc/README.md)
+
+| 檔案 | 用途 |
+|------|------|
+| [`etc/gateway.yaml`](../etc/gateway.yaml) | 預設，無需 Docker |
+| [`etc/gateway.dev.example.yaml`](../etc/gateway.dev.example.yaml) | 範例（可提交） |
+| `etc/gateway.dev.yaml` | 本機專用（**勿提交**，見 `.gitignore`） |
diff --git a/haixun-backend/deploy/docker-compose.yml b/haixun-backend/deploy/docker-compose.yml
new file mode 100644
index 0000000..5eaef55
--- /dev/null
+++ b/haixun-backend/deploy/docker-compose.yml
@@ -0,0 +1,37 @@
+services:
+  mongo:
+    image: mongo:7
+    container_name: gateway-mongo
+    restart: unless-stopped
+    ports:
+      - "27017:27017"
+    environment:
+      MONGO_INITDB_DATABASE: gateway
+    volumes:
+      - mongo_data:/data/db
+      - ./mongo/init:/docker-entrypoint-initdb.d:ro
+    healthcheck:
+      test: ["CMD", "mongosh", "--quiet", "--eval", "db.adminCommand('ping').ok"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+      start_period: 10s
+
+  redis:
+    image: redis:7-alpine
+    container_name: gateway-redis
+    restart: unless-stopped
+    ports:
+      - "6379:6379"
+    command: ["redis-server", "--appendonly", "yes"]
+    volumes:
+      - redis_data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 5s
+      timeout: 3s
+      retries: 10
+
+volumes:
+  mongo_data:
+  redis_data:
diff --git a/haixun-backend/deploy/mongo/init/01-gateway-indexes.js b/haixun-backend/deploy/mongo/init/01-gateway-indexes.js
new file mode 100644
index 0000000..82ff7b3
--- /dev/null
+++ b/haixun-backend/deploy/mongo/init/01-gateway-indexes.js
@@ -0,0 +1,31 @@
+// Gateway MongoDB 初始化（僅在 data volume 首次建立時執行）
+// 與 internal/model/notification/repository/* Index20260520001UP 對齊
+// 既有 volume 請執行：make mongo-index
+
+db = db.getSiblingDB('gateway');
+
+print('Creating indexes on notifications...');
+
+db.notifications.createIndex(
+  { tenant_id: 1, kind: 1, idempotency_key: 1 },
+  { unique: true, name: 'idx_notifications_tenant_kind_idempotency' }
+);
+
+db.notifications.createIndex(
+  { tenant_id: 1, uid: 1, occurred_at: -1 },
+  { name: 'idx_notifications_tenant_uid_occurred' }
+);
+
+db.notifications.createIndex(
+  { status: 1, attempts: 1, occurred_at: 1 },
+  { name: 'idx_notifications_status_attempts_occurred' }
+);
+
+print('Creating indexes on notification_dlq...');
+
+db.notification_dlq.createIndex(
+  { tenant_id: 1, occurred_at: -1 },
+  { name: 'idx_notification_dlq_tenant_occurred' }
+);
+
+print('Gateway Mongo init done.');
diff --git a/haixun-backend/docs/job-system-plan.md b/haixun-backend/docs/job-system-plan.md
new file mode 100644
index 0000000..99702db
--- /dev/null
+++ b/haixun-backend/docs/job-system-plan.md
@@ -0,0 +1,381 @@
+# Job 核心系統規劃
+
+## 目標
+
+建立一套通用 job system，讓任何長任務、流程任務、定時任務未來都能共用。Job 不只是背景任務，而是「有模板、有設定、有狀態、有進度、有取消能力、有重跑策略、有排程能力」的工作單元。
+
+## 核心設計
+
+採用：
+
+```text
+Mongo = job/template/run/history 的真相來源
+Redis = queue、distributed lock、schedule tick、短期 lease
+```
+
+```mermaid
+flowchart LR
+  Api[GoAPI] --> Template[JobTemplate]
+  Api --> JobRun[JobRunMongo]
+  JobRun --> RedisQueue[RedisQueue]
+  Scheduler[SchedulerTick] --> RedisQueue
+  Worker[Worker] --> RedisQueue
+  Worker --> JobRun
+  Worker --> Step[JobStep]
+```
+
+## 核心概念
+
+### JobTemplate
+
+Template 定義「這種 job 要怎麼做」。例如：
+
+```text
+demo_long_task
+external_worker_task
+scheduled_report
+multi_step_pipeline
+```
+
+Template 要回答：
+
+- 這個 job 的輸入 payload schema 是什麼
+- 有哪些 steps
+- 最終狀態是什麼
+- 可不可以重複執行
+- 是否允許同 account / 同 target 同時跑
+- retry policy 是什麼
+- timeout 是多少
+- 是否可被排程
+- 是否支援取消，以及取消時 worker 要如何收斂
+
+### JobRun
+
+JobRun 是每一次執行實例。它引用 template，保存當次 payload、狀態、進度、結果、錯誤與執行歷史。
+
+### JobSchedule
+
+JobSchedule 是「何時建立 JobRun」。支援：
+
+- cron
+- enabled / disabled
+- timezone
+- payload template
+- target scope，例如 user/account/system
+- nextRunAt / lastRunAt
+
+### JobFlow
+
+Flow 是多步驟流程。第一版不用做完整 DAG，先支援線性 steps：
+
+```text
+multi_step_pipeline:
+  1. prepare
+  2. execute
+  3. finalize
+```
+
+之後再擴成 DAG 或 conditional branch。
+
+## Mongo Collections
+
+### `job_templates`
+
+```json
+{
+  "_id": "...",
+  "type": "demo_long_task",
+  "version": 1,
+  "name": "示範長任務",
+  "description": "展示 job template、進度、取消、重跑與排程能力",
+  "enabled": true,
+  "repeatable": true,
+  "concurrencyPolicy": "reject_same_scope",
+  "dedupeKeys": ["scope_id", "target"],
+  "timeoutSeconds": 600,
+  "cancelPolicy": {
+    "supported": true,
+    "mode": "cooperative",
+    "graceSeconds": 30
+  },
+  "retryPolicy": {
+    "maxAttempts": 2,
+    "backoffSeconds": [30, 120]
+  },
+  "steps": [
+    { "id": "prepare", "name": "準備資料", "workerType": "go", "timeoutSeconds": 60, "cancelable": true },
+    { "id": "execute", "name": "執行任務", "workerType": "go", "timeoutSeconds": 300, "cancelable": true },
+    { "id": "finalize", "name": "整理結果", "workerType": "go", "timeoutSeconds": 30, "cancelable": false }
+  ],
+  "createAt": 0,
+  "updateAt": 0
+}
+```
+
+### `job_runs`
+
+```json
+{
+  "_id": "...",
+  "templateType": "demo_long_task",
+  "templateVersion": 1,
+  "scope": "user",
+  "scopeId": "user_123",
+  "status": "pending",
+  "phase": "prepare",
+  "payload": {},
+  "progress": {
+    "summary": "等待 worker 執行",
+    "percentage": 20,
+    "steps": []
+  },
+  "result": null,
+  "error": null,
+  "attempt": 0,
+  "maxAttempts": 2,
+  "lockedBy": null,
+  "lockedUntil": null,
+  "cancelRequestedAt": null,
+  "cancelReason": null,
+  "scheduledAt": null,
+  "startedAt": null,
+  "completedAt": null,
+  "createAt": 0,
+  "updateAt": 0
+}
+```
+
+### `job_schedules`
+
+```json
+{
+  "_id": "...",
+  "templateType": "demo_long_task",
+  "scope": "user",
+  "scopeId": "user_123",
+  "enabled": true,
+  "cron": "0 9 * * *",
+  "timezone": "Asia/Taipei",
+  "payloadTemplate": {},
+  "lastRunAt": null,
+  "nextRunAt": 0,
+  "createAt": 0,
+  "updateAt": 0
+}
+```
+
+### `job_events`
+
+用來觀察與 audit：
+
+```json
+{
+  "_id": "...",
+  "jobId": "...",
+  "type": "status_changed",
+  "from": "pending",
+  "to": "running",
+  "message": "worker claimed job",
+  "metadata": {},
+  "createAt": 0
+}
+```
+
+## Status Model
+
+```text
+pending          = 已建立，等待 queue
+queued           = 已推進 Redis queue
+running          = worker 執行中
+waiting_worker   = 等外部 worker 回寫
+cancel_requested = 使用者已要求取消，等待 worker cooperative stop
+succeeded        = 成功完成
+failed           = 最終失敗
+cancelled        = 使用者取消
+expired          = lock/timeout 過期後無法恢復
+```
+
+Step status：
+
+```text
+pending | running | succeeded | failed | skipped | cancelled
+```
+
+## 取消語意
+
+取消是第一版必做能力，採 cooperative cancellation：
+
+```mermaid
+flowchart LR
+  User[User] --> ApiCancel[CancelAPI]
+  ApiCancel --> Run[JobRun cancel_requested]
+  Run --> RedisCancel[RedisCancelSignal]
+  Worker[Worker] -->|"poll cancel flag"| Run
+  Worker --> Stop[StopCurrentStep]
+  Stop --> Final[JobRun cancelled]
+```
+
+規則：
+
+- `pending` / `queued`：取消後直接變 `cancelled`，並盡量從 Redis queue 移除；若無法移除，worker claim 時必須檢查狀態並跳過。
+- `running`：狀態改為 `cancel_requested`，寫入 `cancelRequestedAt` / `cancelReason`，worker 必須在 step 間或長任務 checkpoint 檢查取消旗標。
+- `waiting_worker`：狀態改為 `cancel_requested`，同時寫 Redis cancel signal；外部 worker 回寫前要檢查 job 狀態。
+- `succeeded` / `failed` / `cancelled` / `expired`：不可取消，回傳 ResourceInvalidState。
+- worker 收到取消後呼叫 `AcknowledgeCancel(jobId, workerId)`，釋放 lock，寫入 `job_events`，狀態變 `cancelled`。
+- 若 `cancel_requested` 超過 template 的 `cancelPolicy.graceSeconds`，scheduler/reaper 可標記為 `cancelled` 或 `expired`，第一版建議標記 `cancelled` 並記錄 timeout event。
+
+## 狀態與 Lock 安全規則
+
+第一版已把最容易出問題的 race condition 收斂在 repository / usecase：
+
+- `ClaimNext` 只能從 `pending` / `queued` conditional update 成 `running`。如果 API 同時取消，Mongo update 會被拒絕。
+- `RequestCancel` 只能從 cancellable 狀態 conditional update；`pending` / `queued` 直接變 `cancelled`，`running` / `waiting_worker` 變 `cancel_requested`。
+- `CompleteRun` / `FailRun` / `UpdateProgress` 必須帶 `workerID`，並且只能更新 `lockedBy == workerID` 的 job。
+- Redis `jobs:lock:<jobId>` 的 value 是 `workerID`；`ReleaseLock` / `RefreshLock` 使用 owner check，避免舊 worker 誤刪新 worker 的 lock。
+- Worker 長任務要定期 heartbeat，呼叫 `RefreshRunLock(jobId, workerID, ttlSeconds)`。自訂 step handler 可用 `StepContext.Heartbeat`。
+
+之後新增狀態轉移時，不要直接使用裸 `Update`；若是生命週期狀態，應新增明確的 guarded repository 方法或使用現有 conditional update。
+
+## Redis Keys
+
+```text
+jobs:queue:<workerType>           # list 或 stream，worker 消費
+jobs:lock:<jobId>                 # lease lock
+jobs:scheduler:lock               # scheduler singleton lock
+jobs:dedupe:<template>:<hash>     # 防止同 scope 重複跑
+jobs:cancel:<jobId>               # cancel signal，worker checkpoint 讀取
+```
+
+第一版建議用 Redis List 即可，之後需要 ack/replay 再升級 Redis Streams。
+
+## API 規劃
+
+```text
+GET  /api/v1/job/templates
+GET  /api/v1/job/templates/:type
+PUT  /api/v1/job/templates/:type
+
+POST /api/v1/jobs
+GET  /api/v1/jobs/:id
+GET  /api/v1/jobs?page=1&pageSize=20
+POST /api/v1/jobs/:id/cancel
+POST /api/v1/jobs/:id/retry
+
+GET  /api/v1/job/schedules?page=1&pageSize=20
+POST /api/v1/job/schedules
+PUT  /api/v1/job/schedules/:id
+POST /api/v1/job/schedules/:id/enable
+POST /api/v1/job/schedules/:id/disable
+```
+
+所有列表回應使用目前標準：
+
+```json
+{
+  "code": 102000,
+  "message": "SUCCESS",
+  "data": {
+    "pagination": {
+      "total": 42,
+      "page": 1,
+      "pageSize": 10,
+      "totalPages": 5
+    },
+    "list": []
+  }
+}
+```
+
+## 分層規劃
+
+```text
+internal/model/job/
+  domain/entity/template.go
+  domain/entity/run.go
+  domain/entity/schedule.go
+  domain/entity/event.go
+  domain/enum/status.go
+  domain/repository/*.go
+  domain/usecase/*.go
+  repository/mongo_*.go
+  repository/redis_queue.go
+  usecase/template_usecase.go
+  usecase/run_usecase.go
+  usecase/schedule_usecase.go
+  usecase/progress_usecase.go
+  usecase/worker_usecase.go
+
+internal/logic/job/
+  create_job_logic.go
+  get_job_logic.go
+  list_jobs_logic.go
+  cancel_job_logic.go
+  retry_job_logic.go
+  template_logic.go
+  schedule_logic.go
+
+internal/worker/job/
+  runner.go
+  scheduler.go
+  dispatcher.go
+```
+
+## Template 執行規則
+
+### 可不可以重複做
+
+由 `repeatable` 與 `concurrencyPolicy` 控制：
+
+```text
+repeatable=false
+  同 dedupe key 完成過就不再建立
+
+repeatable=true + reject_same_scope
+  已有 running/pending job 時拒絕建立
+
+repeatable=true + allow_parallel
+  允許平行跑
+
+repeatable=true + replace_existing
+  取消舊 job，建立新 job
+```
+
+### 最終狀態
+
+Template 可定義成功條件：
+
+```text
+successWhen = all_steps_succeeded
+```
+
+第一版只支援 `all_steps_succeeded`。之後再加 `any_step_succeeded` 或 conditional flow。
+
+### 取消能力
+
+Template 用 `cancelPolicy` 控制取消：
+
+```text
+supported=false
+  API 不允許取消此 job
+
+mode=cooperative
+  worker checkpoint 檢查取消旗標後收斂
+
+graceSeconds=30
+  cancel_requested 超過 grace 後由 reaper 收斂
+```
+
+Step 用 `cancelable` 控制目前步驟是否可立即停止。若目前 step 不可取消，worker 需要在 step 結束後停止後續 steps，最後狀態仍為 `cancelled`。
+
+## 第一版建議實作順序
+
+1. 建 `model/job` 的 enum/entity/repository interface。
+2. 實作 Mongo repositories：template/run/schedule/event。
+3. 實作 Redis queue/lock repository。
+4. 實作 `CreateRun`：讀 template、檢查 repeat/concurrency、建立 run、push queue。
+5. 實作 `ClaimNext`：worker 從 Redis 取 job，Mongo 設 lock/status。
+6. 實作 `RequestCancel`：狀態轉 `cancel_requested` 或直接 `cancelled`，寫 Redis cancel signal 與 event。
+7. 實作 `AcknowledgeCancel`：worker 收斂後釋放 lock，狀態轉 `cancelled`。
+8. 實作 `UpdateProgress`、`Complete`、`Fail`、`Retry`。
+9. 實作 schedule tick：掃 `job_schedules.nextRunAt <= now`，建立 JobRun。
+10. 實作 API 與文件。
diff --git a/haixun-backend/etc/gateway.dev.example.yaml b/haixun-backend/etc/gateway.dev.example.yaml
new file mode 100644
index 0000000..d3584e7
--- /dev/null
+++ b/haixun-backend/etc/gateway.dev.example.yaml
@@ -0,0 +1,20 @@
+Name: haixun-backend
+Host: 0.0.0.0
+Port: 8890
+Timeout: 120000
+
+Mongo:
+  URI: mongodb://127.0.0.1:27017
+  Database: haixun_dev
+  TimeoutSeconds: 10
+
+Redis:
+  Addr: 127.0.0.1:6379
+  DB: 0
+
+Auth:
+  AccessSecret: haixun-dev-access-secret-change-me
+  RefreshSecret: haixun-dev-refresh-secret-change-me
+  AccessExpireSeconds: 900
+  RefreshExpireSeconds: 2592000
+  DevHeaderFallback: true
diff --git a/haixun-backend/etc/gateway.yaml b/haixun-backend/etc/gateway.yaml
new file mode 100644
index 0000000..eeaffea
--- /dev/null
+++ b/haixun-backend/etc/gateway.yaml
@@ -0,0 +1,32 @@
+Name: haixun-backend
+Host: 0.0.0.0
+Port: 8890
+Timeout: 120000
+
+Mongo:
+  URI: mongodb://127.0.0.1:27017
+  Database: haixun
+  TimeoutSeconds: 10
+
+Redis:
+  Addr: 127.0.0.1:6379
+  DB: 0
+
+Auth:
+  AccessSecret: haixun-dev-access-secret-change-me
+  RefreshSecret: haixun-dev-refresh-secret-change-me
+  AccessExpireSeconds: 900
+  RefreshExpireSeconds: 2592000
+  DevHeaderFallback: true
+
+JobWorker:
+  Enabled: true
+  WorkerType: go
+
+JobScheduler:
+  Enabled: true
+  IntervalSeconds: 60
+
+JobReaper:
+  Enabled: true
+  IntervalSeconds: 30
diff --git a/haixun-backend/gateway.go b/haixun-backend/gateway.go
new file mode 100644
index 0000000..ab4a148
--- /dev/null
+++ b/haixun-backend/gateway.go
@@ -0,0 +1,34 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+
+	"haixun-backend/internal/config"
+	"haixun-backend/internal/handler"
+	"haixun-backend/internal/svc"
+
+	"github.com/zeromicro/go-zero/core/conf"
+	"github.com/zeromicro/go-zero/rest"
+)
+
+var configFile = flag.String("f", "etc/gateway.yaml", "config file")
+
+func main() {
+	flag.Parse()
+
+	var c config.Config
+	conf.MustLoad(*configFile, &c)
+
+	server := rest.MustNewServer(c.RestConf)
+	defer server.Stop()
+
+	sc := svc.NewServiceContext(c)
+	defer sc.Close(context.Background())
+
+	handler.RegisterHandlers(server, sc)
+
+	fmt.Printf("Starting backend backend at %s:%d...\n", c.Host, c.Port)
+	server.Start()
+}
diff --git a/haixun-backend/generate/api/ai.api b/haixun-backend/generate/api/ai.api
new file mode 100644
index 0000000..bdf97c5
--- /dev/null
+++ b/haixun-backend/generate/api/ai.api
@@ -0,0 +1,67 @@
+syntax = "v1"
+
+type (
+	AIMessage {
+		Role    string `json:"role" validate:"required,oneof=system user assistant"` // 訊息角色
+		Content string `json:"content" validate:"required"` // 訊息內容
+	}
+	AIChatReq {
+		Provider    string      `json:"provider" validate:"required,oneof=opencode-go xai"` // AI provider
+		Model       string      `json:"model" validate:"required"` // 模型 ID
+		System      string      `json:"system,optional"` // system prompt
+		Messages    []AIMessage `json:"messages" validate:"required,min=1,dive"` // 對話訊息
+		Temperature *float64    `json:"temperature,optional"` // 溫度
+		MaxTokens   *int        `json:"max_tokens,optional"` // 最大輸出 token
+	}
+	AIProviderOption {
+		ID      string `json:"id"`
+		Label   string `json:"label"`
+		Streams bool   `json:"streams"`
+	}
+	AIProvidersData {
+		Providers []AIProviderOption `json:"providers"`
+	}
+	AIProviderPath {
+		Provider string `path:"provider" validate:"required,oneof=opencode-go xai"` // 要查模型的 provider
+	}
+	AIProviderModelsData {
+		ID      string   `json:"id"`
+		Label   string   `json:"label"`
+		Models  []string `json:"models"`
+		Streams bool     `json:"streams"`
+		Error   string   `json:"error,optional"` // 拉 models 失敗時的摘要
+	}
+	AIChatData {
+		Text         string `json:"text"`
+		FinishReason string `json:"finish_reason,optional"`
+	}
+)
+
+@server (
+	group:   ai
+	prefix:  /api/v1/ai
+	tags:    "AI - Provider Streaming"
+	summary: "Public AI provider catalog"
+)
+service gateway {
+	@handler listAiProviders
+	get /providers returns (AIProvidersData)
+}
+
+@server (
+	group:      ai
+	prefix:     /api/v1/ai
+	middleware: MemberAuth
+	tags:       "AI - Provider Streaming (member)"
+	summary:    "Chat/stream/models; member JWT via X-Member-Authorization; provider API key via Authorization"
+)
+service gateway {
+	@handler listAiProviderModels
+	post /providers/:provider/models (AIProviderPath) returns (AIProviderModelsData)
+
+	@handler chat
+	post /chat (AIChatReq) returns (AIChatData)
+
+	@handler chatStream
+	post /chat/stream (AIChatReq)
+}
\ No newline at end of file
diff --git a/haixun-backend/generate/api/auth.api b/haixun-backend/generate/api/auth.api
new file mode 100644
index 0000000..b2556cd
--- /dev/null
+++ b/haixun-backend/generate/api/auth.api
@@ -0,0 +1,62 @@
+syntax = "v1"
+
+type (
+	AuthRegisterReq {
+		TenantID    string `json:"tenant_id" validate:"required"`
+		Email       string `json:"email" validate:"required,email"`
+		Password    string `json:"password" validate:"required,min=8,max=128"`
+		DisplayName string `json:"display_name,optional"`
+		Language    string `json:"language,optional"`
+	}
+
+	AuthLoginReq {
+		TenantID string `json:"tenant_id" validate:"required"`
+		Email    string `json:"email" validate:"required,email"`
+		Password string `json:"password" validate:"required,min=8,max=128"`
+	}
+
+	AuthRefreshReq {
+		RefreshToken string `json:"refresh_token" validate:"required"`
+	}
+
+	AuthTokenData {
+		AccessToken  string `json:"access_token"`
+		RefreshToken string `json:"refresh_token"`
+		ExpiresIn    int64  `json:"expires_in"`
+		UID          string `json:"uid"`
+		TokenType    string `json:"token_type"`
+	}
+
+	LogoutData {
+		OK bool `json:"ok"`
+	}
+)
+
+@server(
+	group:   auth
+	prefix:  /api/v1/auth
+	tags:    "Auth"
+	summary: "Native member auth and JWT token endpoints"
+)
+service gateway {
+	@handler register
+	post /register (AuthRegisterReq) returns (AuthTokenData)
+
+	@handler login
+	post /login (AuthLoginReq) returns (AuthTokenData)
+
+	@handler refresh
+	post /refresh (AuthRefreshReq) returns (AuthTokenData)
+}
+
+@server(
+	group:      auth
+	prefix:     /api/v1/auth
+	middleware: AuthJWT
+	tags:       "Auth"
+	summary:    "Logout requires member Bearer JWT"
+)
+service gateway {
+	@handler logout
+	post /logout returns (LogoutData)
+}
diff --git a/haixun-backend/generate/api/common.api b/haixun-backend/generate/api/common.api
new file mode 100644
index 0000000..e595197
--- /dev/null
+++ b/haixun-backend/generate/api/common.api
@@ -0,0 +1,15 @@
+syntax = "v1"
+
+type ErrorDetail {
+	BizCode  string `json:"biz_code,optional"`
+	Scope    int64  `json:"scope,optional"`
+	Category int64  `json:"category,optional"`
+	Detail   int64  `json:"detail,optional"`
+}
+
+type Status {
+	Code    int64       `json:"code"`
+	Message string      `json:"message"`
+	Data    interface{} `json:"data,optional"`
+	Error   ErrorDetail `json:"error,optional"`
+}
diff --git a/haixun-backend/generate/api/gateway.api b/haixun-backend/generate/api/gateway.api
new file mode 100644
index 0000000..99b1e81
--- /dev/null
+++ b/haixun-backend/generate/api/gateway.api
@@ -0,0 +1,24 @@
+syntax = "v1"
+
+info (
+	title:    "Haixun Backend"
+	desc:     "Haixun service-oriented backend core"
+	author:   "haixun"
+	version:  "0.1.0"
+	host:     "127.0.0.1:8890"
+	schemes:  "http,https"
+	consumes: "application/json"
+	produces: "application/json"
+)
+
+import (
+	"common.api"
+	"normal.api"
+	"setting.api"
+	"ai.api"
+	"job.api"
+	"auth.api"
+	"member.api"
+	"permission.api"
+)
+
diff --git a/haixun-backend/generate/api/job.api b/haixun-backend/generate/api/job.api
new file mode 100644
index 0000000..3348734
--- /dev/null
+++ b/haixun-backend/generate/api/job.api
@@ -0,0 +1,245 @@
+syntax = "v1"
+
+type (
+	JobTemplatePath {
+		Type string `path:"type" validate:"required"` // template type
+	}
+
+	JobIDPath {
+		ID string `path:"id" validate:"required"` // job run id
+	}
+
+	JobScheduleIDPath {
+		ID string `path:"id" validate:"required"` // schedule id
+	}
+
+	ListJobsReq {
+		Scope    string `form:"scope,optional"` // filter by scope
+		ScopeID  string `form:"scope_id,optional"` // filter by scope id
+		Page     int64  `form:"page,optional"` // page number starting at 1
+		PageSize int64  `form:"pageSize,optional"` // page size
+	}
+
+	ListJobSchedulesReq {
+		Scope    string `form:"scope,optional"` // filter by scope
+		ScopeID  string `form:"scope_id,optional"` // filter by scope id
+		Page     int64  `form:"page,optional"` // page number starting at 1
+		PageSize int64  `form:"pageSize,optional"` // page size
+	}
+
+	ListJobEventsReq {
+		ID    string `path:"id" validate:"required"` // job run id
+		Limit int64  `form:"limit,optional"` // max events
+	}
+
+	CancelJobReq {
+		ID     string `path:"id" validate:"required"` // job run id
+		Reason string `json:"reason,optional"` // cancel reason
+	}
+
+	CreateJobReq {
+		TemplateType string                 `json:"template_type" validate:"required"` // job template type
+		Scope        string                 `json:"scope" validate:"required,oneof=user account system"` // job scope
+		ScopeID      string                 `json:"scope_id" validate:"required"` // scope id
+		Payload      map[string]interface{} `json:"payload,optional"` // job payload
+	}
+
+	UpsertJobTemplateReq {
+		Type              string                   `path:"type" validate:"required"` // template type
+		Version           int                      `json:"version,optional"` // template version
+		Name              string                   `json:"name" validate:"required"` // display name
+		Description       string                   `json:"description,optional"` // description
+		Enabled           bool                     `json:"enabled"` // enabled flag
+		Repeatable        bool                     `json:"repeatable"` // repeatable flag
+		ConcurrencyPolicy string                   `json:"concurrency_policy,optional"` // concurrency policy
+		DedupeKeys        []string                 `json:"dedupe_keys,optional"` // dedupe keys
+		TimeoutSeconds    int                      `json:"timeout_seconds,optional"` // timeout seconds
+		CancelPolicy      JobCancelPolicyData      `json:"cancel_policy,optional"` // cancel policy
+		RetryPolicy       JobRetryPolicyData       `json:"retry_policy,optional"` // retry policy
+		Steps             []JobTemplateStepData    `json:"steps" validate:"required,min=1,dive"` // steps
+	}
+
+	CreateJobScheduleReq {
+		TemplateType    string                 `json:"template_type" validate:"required"` // template type
+		Scope           string                 `json:"scope" validate:"required,oneof=user account system"` // scope
+		ScopeID         string                 `json:"scope_id" validate:"required"` // scope id
+		Cron            string                 `json:"cron" validate:"required"` // cron expression
+		Timezone        string                 `json:"timezone,optional"` // timezone
+		PayloadTemplate map[string]interface{} `json:"payload_template,optional"` // payload template
+		Enabled         bool                   `json:"enabled"` // enabled flag
+	}
+
+	UpdateJobScheduleReq {
+		ID              string                 `path:"id" validate:"required"` // schedule id
+		Cron            string                 `json:"cron,optional"` // cron expression
+		Timezone        string                 `json:"timezone,optional"` // timezone
+		PayloadTemplate map[string]interface{} `json:"payload_template,optional"` // payload template
+		Enabled         *bool                  `json:"enabled,optional"` // enabled flag
+	}
+
+	JobCancelPolicyData {
+		Supported    bool   `json:"supported"`
+		Mode         string `json:"mode"`
+		GraceSeconds int    `json:"grace_seconds"`
+	}
+
+	JobRetryPolicyData {
+		MaxAttempts    int   `json:"max_attempts"`
+		BackoffSeconds []int `json:"backoff_seconds"`
+	}
+
+	JobTemplateStepData {
+		ID             string `json:"id"`
+		Name           string `json:"name"`
+		WorkerType     string `json:"worker_type"`
+		TimeoutSeconds int    `json:"timeout_seconds"`
+		Cancelable     bool   `json:"cancelable"`
+	}
+
+	JobTemplateData {
+		Type              string                `json:"type"`
+		Version           int                   `json:"version"`
+		Name              string                `json:"name"`
+		Description       string                `json:"description"`
+		Enabled           bool                  `json:"enabled"`
+		Repeatable        bool                  `json:"repeatable"`
+		ConcurrencyPolicy string                `json:"concurrency_policy"`
+		DedupeKeys        []string              `json:"dedupe_keys"`
+		TimeoutSeconds    int                   `json:"timeout_seconds"`
+		CancelPolicy      JobCancelPolicyData   `json:"cancel_policy"`
+		RetryPolicy       JobRetryPolicyData    `json:"retry_policy"`
+		Steps             []JobTemplateStepData `json:"steps"`
+	}
+
+	JobTemplateListData {
+		List []JobTemplateData `json:"list"`
+	}
+
+	JobStepProgressData {
+		ID        string `json:"id"`
+		Status    string `json:"status"`
+		StartedAt *int64 `json:"started_at,optional"`
+		EndedAt   *int64 `json:"ended_at,optional"`
+		Message   string `json:"message,optional"`
+	}
+
+	JobProgressData {
+		Summary    string                `json:"summary"`
+		Percentage int                   `json:"percentage"`
+		Steps      []JobStepProgressData `json:"steps"`
+	}
+
+	JobData {
+		ID                string                 `json:"id"`
+		TemplateType      string                 `json:"template_type"`
+		TemplateVersion   int                    `json:"template_version"`
+		Scope             string                 `json:"scope"`
+		ScopeID           string                 `json:"scope_id"`
+		Status            string                 `json:"status"`
+		Phase             string                 `json:"phase"`
+		WorkerType        string                 `json:"worker_type"`
+		Payload           map[string]interface{} `json:"payload"`
+		Progress          JobProgressData        `json:"progress"`
+		Result            map[string]interface{} `json:"result,optional"`
+		Error             string                 `json:"error,optional"`
+		Attempt           int                    `json:"attempt"`
+		MaxAttempts       int                    `json:"max_attempts"`
+		CancelRequestedAt *int64                 `json:"cancel_requested_at,optional"`
+		CancelReason      string                 `json:"cancel_reason,optional"`
+		StartedAt         *int64                 `json:"started_at,optional"`
+		CompletedAt       *int64                 `json:"completed_at,optional"`
+		CreateAt          int64                  `json:"create_at"`
+		UpdateAt          int64                  `json:"update_at"`
+	}
+
+	JobListData {
+		Pagination PaginationData `json:"pagination"`
+		List       []JobData      `json:"list"`
+	}
+
+	JobScheduleData {
+		ID              string                 `json:"id"`
+		TemplateType    string                 `json:"template_type"`
+		Scope           string                 `json:"scope"`
+		ScopeID         string                 `json:"scope_id"`
+		Enabled         bool                   `json:"enabled"`
+		Cron            string                 `json:"cron"`
+		Timezone        string                 `json:"timezone"`
+		PayloadTemplate map[string]interface{} `json:"payload_template"`
+		LastRunAt       *int64                 `json:"last_run_at,optional"`
+		NextRunAt       int64                  `json:"next_run_at"`
+		CreateAt        int64                  `json:"create_at"`
+		UpdateAt        int64                  `json:"update_at"`
+	}
+
+	JobScheduleListData {
+		Pagination PaginationData  `json:"pagination"`
+		List       []JobScheduleData `json:"list"`
+	}
+
+	JobEventData {
+		ID       string                 `json:"id"`
+		JobID    string                 `json:"job_id"`
+		Type     string                 `json:"type"`
+		From     string                 `json:"from,optional"`
+		To       string                 `json:"to,optional"`
+		Message  string                 `json:"message"`
+		Metadata map[string]interface{} `json:"metadata,optional"`
+		CreateAt int64                  `json:"create_at"`
+	}
+
+	JobEventListData {
+		List []JobEventData `json:"list"`
+	}
+)
+
+@server(
+	group:      job
+	prefix:     /api/v1
+	middleware: AuthJWT
+	tags:       "Job - Core"
+	summary:    "Generic job templates, runs, schedules, cancel, and retry. Requires Bearer JWT."
+)
+service gateway {
+	@handler listJobTemplates
+	get /job/templates returns (JobTemplateListData)
+
+	@handler getJobTemplate
+	get /job/templates/:type (JobTemplatePath) returns (JobTemplateData)
+
+	@handler upsertJobTemplate
+	put /job/templates/:type (UpsertJobTemplateReq) returns (JobTemplateData)
+
+	@handler createJob
+	post /jobs (CreateJobReq) returns (JobData)
+
+	@handler getJob
+	get /jobs/:id (JobIDPath) returns (JobData)
+
+	@handler listJobs
+	get /jobs (ListJobsReq) returns (JobListData)
+
+	@handler listJobEvents
+	get /jobs/:id/events (ListJobEventsReq) returns (JobEventListData)
+
+	@handler cancelJob
+	post /jobs/:id/cancel (CancelJobReq) returns (JobData)
+
+	@handler retryJob
+	post /jobs/:id/retry (JobIDPath) returns (JobData)
+
+	@handler listJobSchedules
+	get /job/schedules (ListJobSchedulesReq) returns (JobScheduleListData)
+
+	@handler createJobSchedule
+	post /job/schedules (CreateJobScheduleReq) returns (JobScheduleData)
+
+	@handler updateJobSchedule
+	put /job/schedules/:id (UpdateJobScheduleReq) returns (JobScheduleData)
+
+	@handler enableJobSchedule
+	post /job/schedules/:id/enable (JobScheduleIDPath) returns (JobScheduleData)
+
+	@handler disableJobSchedule
+	post /job/schedules/:id/disable (JobScheduleIDPath) returns (JobScheduleData)
+}
\ No newline at end of file
diff --git a/haixun-backend/generate/api/member.api b/haixun-backend/generate/api/member.api
new file mode 100644
index 0000000..bf32d2d
--- /dev/null
+++ b/haixun-backend/generate/api/member.api
@@ -0,0 +1,46 @@
+syntax = "v1"
+
+type (
+	MemberMeData {
+		TenantID              string   `json:"tenant_id"`
+		UID                   string   `json:"uid"`
+		Email                 string   `json:"email"`
+		DisplayName           string   `json:"display_name,omitempty"`
+		Avatar                string   `json:"avatar,omitempty"`
+		Phone                 string   `json:"phone,omitempty"`
+		Language              string   `json:"language,omitempty"`
+		Currency              string   `json:"currency,omitempty"`
+		Status                string   `json:"status"`
+		Origin                string   `json:"origin"`
+		Roles                 []string `json:"roles,omitempty"`
+		BusinessEmail         string   `json:"business_email,omitempty"`
+		BusinessEmailVerified bool     `json:"business_email_verified"`
+		BusinessPhone         string   `json:"business_phone,omitempty"`
+		BusinessPhoneVerified bool     `json:"business_phone_verified"`
+		CreateAt              int64    `json:"create_at"`
+		UpdateAt              int64    `json:"update_at"`
+	}
+
+	UpdateMemberMeReq {
+		DisplayName string `json:"display_name,optional"`
+		Avatar      string `json:"avatar,optional"`
+		Language    string `json:"language,optional"`
+		Currency    string `json:"currency,optional"`
+		Phone       string `json:"phone,optional"`
+	}
+)
+
+@server(
+	group:      member
+	prefix:     /api/v1/members
+	middleware: AuthJWT
+	tags:       "Member"
+	summary:    "Current member profile endpoints. Requires Bearer JWT or dev headers."
+)
+service gateway {
+	@handler getMemberMe
+	get /me returns (MemberMeData)
+
+	@handler updateMemberMe
+	patch /me (UpdateMemberMeReq) returns (MemberMeData)
+}
diff --git a/haixun-backend/generate/api/normal.api b/haixun-backend/generate/api/normal.api
new file mode 100644
index 0000000..8310530
--- /dev/null
+++ b/haixun-backend/generate/api/normal.api
@@ -0,0 +1,16 @@
+syntax = "v1"
+
+type HealthData {
+	Pong string `json:"pong"`
+}
+
+@server(
+	group:   normal
+	prefix:  /api/v1
+	tags:    "Normal - Public"
+	summary: "Health check"
+)
+service gateway {
+	@handler health
+	get /health () returns (HealthData)
+}
diff --git a/haixun-backend/generate/api/permission.api b/haixun-backend/generate/api/permission.api
new file mode 100644
index 0000000..8a9f61f
--- /dev/null
+++ b/haixun-backend/generate/api/permission.api
@@ -0,0 +1,52 @@
+syntax = "v1"
+
+type (
+	PermissionCatalogQuery {
+		Status string `form:"status,optional" validate:"omitempty,oneof=open close"`
+		Type   string `form:"type,optional" validate:"omitempty,oneof=backend_user frontend_user"`
+		Tree   bool   `form:"tree,optional"`
+	}
+
+	PermissionNode {
+		ID          string           `json:"id"`
+		Parent      string           `json:"parent,omitempty"`
+		Name        string           `json:"name"`
+		HTTPMethods string           `json:"http_methods,omitempty"`
+		HTTPPath    string           `json:"http_path,omitempty"`
+		Status      string           `json:"status"`
+		Type        string           `json:"type"`
+		Children    []PermissionNode `json:"children,omitempty"`
+	}
+
+	PermissionCatalogData {
+		Tree []PermissionNode `json:"tree,omitempty"`
+		List []PermissionNode `json:"list,omitempty"`
+	}
+
+	MePermissionsQuery {
+		IncludeTree bool `form:"include_tree,optional"`
+	}
+
+	MePermissionsData {
+		UID         string            `json:"uid"`
+		TenantID    string            `json:"tenant_id"`
+		Roles       []string          `json:"roles"`
+		Permissions map[string]string `json:"permissions"`
+		Tree        []PermissionNode  `json:"tree,omitempty"`
+	}
+)
+
+@server(
+	group:      permission
+	prefix:     /api/v1/permissions
+	middleware: AuthJWT
+	tags:       "Permission"
+	summary:    "Permission catalog and current member permissions. Requires Bearer JWT."
+)
+service gateway {
+	@handler getPermissionCatalog
+	get /catalog (PermissionCatalogQuery) returns (PermissionCatalogData)
+
+	@handler getMePermissions
+	get /me (MePermissionsQuery) returns (MePermissionsData)
+}
diff --git a/haixun-backend/generate/api/setting.api b/haixun-backend/generate/api/setting.api
new file mode 100644
index 0000000..1dc68a2
--- /dev/null
+++ b/haixun-backend/generate/api/setting.api
@@ -0,0 +1,68 @@
+syntax = "v1"
+
+type (
+	SettingPath {
+		Scope   string `path:"scope" validate:"required,oneof=user account system"` // 設定範圍，可選 user / account / system
+		ScopeID string `path:"scope_id" validate:"required"`                        // 範圍 ID，例如 user_id、account_id 或 global
+		Page    int64  `form:"page,optional"`                                       // 頁碼，從 1 開始
+		PageSize int64 `form:"pageSize,optional"`                                   // 每頁筆數，server 會限制最大值
+	}
+
+	SettingKeyPath {
+		Scope   string `path:"scope" validate:"required,oneof=user account system"` // 設定範圍，可選 user / account / system
+		ScopeID string `path:"scope_id" validate:"required"`                        // 範圍 ID，例如 user_id、account_id 或 global
+		Key     string `path:"key" validate:"required"`                             // 設定 key，例如 ai.default
+	}
+
+	SettingUpsertReq {
+		Scope   string         `path:"scope" validate:"required,oneof=user account system"` // 設定範圍，可選 user / account / system
+		ScopeID string         `path:"scope_id" validate:"required"`                        // 範圍 ID，例如 user_id、account_id 或 global
+		Key     string         `path:"key" validate:"required"`                             // 設定 key，例如 ai.default
+		Value   map[string]interface{} `json:"value" validate:"required"`                           // 設定內容 JSON object
+		Version int            `json:"version,optional"`                                     // schema version，未帶入時預設 1
+	}
+
+	SettingData {
+		ID       string         `json:"id"`
+		Scope    string         `json:"scope"`
+		ScopeID  string         `json:"scope_id"`
+		Key      string         `json:"key"`
+		Value    map[string]interface{} `json:"value"`
+		Version  int            `json:"version"`
+		CreateAt int64          `json:"create_at"`
+		UpdateAt int64          `json:"update_at"`
+	}
+
+	SettingListData {
+		Pagination PaginationData `json:"pagination"`
+		List       []SettingData  `json:"list"`
+	}
+
+	PaginationData {
+		Total      int64 `json:"total"`
+		Page       int64 `json:"page"`
+		PageSize   int64 `json:"pageSize"`
+		TotalPages int64 `json:"totalPages"`
+	}
+)
+
+@server(
+	group:      setting
+	prefix:     /api/v1/settings
+	middleware: AuthJWT
+	tags:       "Setting - General"
+	summary:    "Manage settings by scope, scope_id, and key. Requires Bearer JWT."
+)
+service gateway {
+	@handler listSettings
+	get /:scope/:scope_id (SettingPath) returns (SettingListData)
+
+	@handler getSetting
+	get /:scope/:scope_id/:key (SettingKeyPath) returns (SettingData)
+
+	@handler upsertSetting
+	put /:scope/:scope_id/:key (SettingUpsertReq) returns (SettingData)
+
+	@handler deleteSetting
+	delete /:scope/:scope_id/:key (SettingKeyPath)
+}
diff --git a/haixun-backend/generate/goctl/api/handler.tpl b/haixun-backend/generate/goctl/api/handler.tpl
new file mode 100644
index 0000000..e299ff0
--- /dev/null
+++ b/haixun-backend/generate/goctl/api/handler.tpl
@@ -0,0 +1,31 @@
+// Code scaffolded by goctl. Safe to edit.
+// goctl {{.version}}
+
+package {{.PkgName}}
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/response"
+	"github.com/zeromicro/go-zero/rest/httpx"
+	{{.ImportPackages}}
+)
+
+{{if .HasDoc}}{{.Doc}}{{end}}
+func {{.HandlerName}}(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		{{if .HasRequest}}var req types.{{.RequestType}}
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		{{end}}l := {{.LogicName}}.New{{.LogicType}}(r.Context(), svcCtx)
+		{{if .HasResp}}data, {{end}}err := l.{{.Call}}({{if .HasRequest}}&req{{end}})
+		{{if .HasResp}}response.Write(r.Context(), w, data, err){{else}}response.Write(r.Context(), w, nil, err){{end}}
+	}
+}
diff --git a/haixun-backend/go.mod b/haixun-backend/go.mod
new file mode 100644
index 0000000..c277ba1
--- /dev/null
+++ b/haixun-backend/go.mod
@@ -0,0 +1,69 @@
+module haixun-backend
+
+go 1.22
+
+require (
+	github.com/go-playground/validator/v10 v10.27.0
+	github.com/golang-jwt/jwt/v4 v4.5.2
+	github.com/google/uuid v1.6.0
+	github.com/redis/go-redis/v9 v9.14.0
+	github.com/robfig/cron/v3 v3.0.1
+	github.com/zeromicro/go-zero v1.9.2
+	go.mongodb.org/mongo-driver v1.17.4
+	golang.org/x/crypto v0.33.0
+)
+
+require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/fatih/color v1.18.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/golang/snappy v1.0.0 // indirect
+	github.com/grafana/pyroscope-go v1.2.7 // indirect
+	github.com/grafana/pyroscope-go/godeltaprof v0.1.9 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/montanaflynn/stats v0.7.1 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/openzipkin/zipkin-go v0.4.3 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/prometheus/client_golang v1.21.1 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/spaolacci/murmur3 v1.1.0 // indirect
+	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
+	github.com/xdg-go/scram v1.1.2 // indirect
+	github.com/xdg-go/stringprep v1.0.4 // indirect
+	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
+	go.opentelemetry.io/otel v1.24.0 // indirect
+	go.opentelemetry.io/otel/exporters/jaeger v1.17.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.24.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.24.0 // indirect
+	go.opentelemetry.io/otel/exporters/zipkin v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
+	golang.org/x/net v0.35.0 // indirect
+	golang.org/x/sync v0.11.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240711142825-46eb208f015d // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
+	google.golang.org/grpc v1.65.0 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+)
diff --git a/haixun-backend/go.sum b/haixun-backend/go.sum
new file mode 100644
index 0000000..1b87f59
--- /dev/null
+++ b/haixun-backend/go.sum
@@ -0,0 +1,196 @@
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
+github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
+github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
+github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
+github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
+github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
+github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
+github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
+github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
+github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
+github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
+github.com/go-playground/validator/v10 v10.27.0 h1:w8+XrWVMhGkxOaaowyKH35gFydVHOvC0/uWoy2Fzwn4=
+github.com/go-playground/validator/v10 v10.27.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang/snappy v1.0.0 h1:Oy607GVXHs7RtbggtPBnr2RmDArIsAefDwvrdWvRhGs=
+github.com/golang/snappy v1.0.0/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/grafana/pyroscope-go v1.2.7 h1:VWBBlqxjyR0Cwk2W6UrE8CdcdD80GOFNutj0Kb1T8ac=
+github.com/grafana/pyroscope-go v1.2.7/go.mod h1:o/bpSLiJYYP6HQtvcoVKiE9s5RiNgjYTj1DhiddP2Pc=
+github.com/grafana/pyroscope-go/godeltaprof v0.1.9 h1:c1Us8i6eSmkW+Ez05d3co8kasnuOY813tbMN8i/a3Og=
+github.com/grafana/pyroscope-go/godeltaprof v0.1.9/go.mod h1:2+l7K7twW49Ct4wFluZD3tZ6e0SjanjcUUBPVD/UuGU=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
+github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 h1:2VTzZjLZBgl62/EtslCrtky5vbi9dd7HrQPQIx6wqiw=
+github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
+github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
+github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE=
+github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/openzipkin/zipkin-go v0.4.3 h1:9EGwpqkgnwdEIJ+Od7QVSEIH+ocmm5nPat0G7sjsSdg=
+github.com/openzipkin/zipkin-go v0.4.3/go.mod h1:M9wCJZFWCo2RiY+o1eBCEMe0Dp2S5LDHcMZmk3RmK7c=
+github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
+github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
+github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
+github.com/prometheus/client_golang v1.21.1 h1:DOvXXTqVzvkIewV/CDPFdejpMCGeMcbGCQ8YOmu+Ibk=
+github.com/prometheus/client_golang v1.21.1/go.mod h1:U9NM32ykUErtVBxdvD3zfi+EuFkkaBvMb09mIfe0Zgg=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
+github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
+github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/redis/go-redis/v9 v9.14.0 h1:u4tNCjXOyzfgeLN+vAZaW1xUooqWDqVEsZN0U01jfAE=
+github.com/redis/go-redis/v9 v9.14.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
+github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
+github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI=
+github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
+github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
+github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY=
+github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4=
+github.com/xdg-go/stringprep v1.0.4 h1:XLI/Ng3O1Atzq0oBs3TWm+5ZVgkq2aqdlvP9JtoZ6c8=
+github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/zeromicro/go-zero v1.9.2 h1:ZXOXBIcazZ1pWAMiHyVnDQ3Sxwy7DYPzjE89Qtj9vqM=
+github.com/zeromicro/go-zero v1.9.2/go.mod h1:k8YBMEFZKjTd4q/qO5RCW+zDgUlNyAs5vue3P4/Kmn0=
+go.mongodb.org/mongo-driver v1.17.4 h1:jUorfmVzljjr0FLzYQsGP8cgN/qzzxlY9Vh0C9KFXVw=
+go.mongodb.org/mongo-driver v1.17.4/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ=
+go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo=
+go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo=
+go.opentelemetry.io/otel/exporters/jaeger v1.17.0 h1:D7UpUy2Xc2wsi1Ras6V40q806WM07rqoCWzXu7Sqy+4=
+go.opentelemetry.io/otel/exporters/jaeger v1.17.0/go.mod h1:nPCqOnEH9rNLKqH/+rrUjiMzHJdV1BlpKcTwRTyKkKI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0 h1:t6wl9SPayj+c7lEIFgm4ooDBZVb01IhLB4InpomhRw8=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0/go.mod h1:iSDOcsnSA5INXzZtwaBPrKp/lWu/V14Dd+llD0oI2EA=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.24.0 h1:Mw5xcxMwlqoJd97vwPxA8isEaIoxsta9/Q51+TTJLGE=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.24.0/go.mod h1:CQNu9bj7o7mC6U7+CA/schKEYakYXWr79ucDHTMGhCM=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0 h1:Xw8U6u2f8DK2XAkGRFV7BBLENgnTGX9i4rQRxJf+/vs=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0/go.mod h1:6KW1Fm6R/s6Z3PGXwSJN2K4eT6wQB3vXX6CVnYX9NmM=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.24.0 h1:s0PHtIkN+3xrbDOpt2M8OTG92cWqUESvzh2MxiR5xY8=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.24.0/go.mod h1:hZlFbDbRt++MMPCCfSJfmhkGIWnX1h3XjkfxZUjLrIA=
+go.opentelemetry.io/otel/exporters/zipkin v1.24.0 h1:3evrL5poBuh1KF51D9gO/S+N/1msnm4DaBqs/rpXUqY=
+go.opentelemetry.io/otel/exporters/zipkin v1.24.0/go.mod h1:0EHgD8R0+8yRhUYJOGR8Hfg2dpiJQxDOszd5smVO9wM=
+go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI=
+go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco=
+go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw=
+go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg=
+go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI=
+go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
+go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
+go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
+go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
+golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/genproto/googleapis/api v0.0.0-20240711142825-46eb208f015d h1:kHjw/5UfflP/L5EbledDrcG4C2597RtymmGRZvHiCuY=
+google.golang.org/genproto/googleapis/api v0.0.0-20240711142825-46eb208f015d/go.mod h1:mw8MG/Qz5wfgYr6VqVCiZcHe/GJEfI+oGGDCohaVgB0=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY=
+google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc=
+google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/h2non/gock.v1 v1.1.2 h1:jBbHXgGBK/AoPVfJh5x4r/WxIrElvbLel8TCZkkZJoY=
+gopkg.in/h2non/gock.v1 v1.1.2/go.mod h1:n7UGz/ckNChHiK05rDoiC4MYSunEC/lyaUm2WWaDva0=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
+k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
diff --git a/haixun-backend/internal/bootstrap/admin.go b/haixun-backend/internal/bootstrap/admin.go
new file mode 100644
index 0000000..a820eae
--- /dev/null
+++ b/haixun-backend/internal/bootstrap/admin.go
@@ -0,0 +1,72 @@
+package bootstrap
+
+import (
+	"context"
+	"strings"
+
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/model/member/domain/entity"
+	domrepo "haixun-backend/internal/model/member/domain/repository"
+
+	"github.com/google/uuid"
+	"golang.org/x/crypto/bcrypt"
+)
+
+type AdminOptions struct {
+	TenantID    string
+	Email       string
+	Password    string
+	DisplayName string
+}
+
+func EnsureAdminMember(ctx context.Context, repo domrepo.Repository, opts AdminOptions) (*entity.Member, bool, error) {
+	tenantID := strings.TrimSpace(opts.TenantID)
+	email := normalizeEmail(opts.Email)
+	if tenantID == "" || email == "" || opts.Password == "" {
+		return nil, false, app.For(code.Member).InputMissingRequired("tenant_id, email, and password are required")
+	}
+	if len(opts.Password) < 8 {
+		return nil, false, app.For(code.Member).InputInvalidFormat("password must be at least 8 characters")
+	}
+
+	existing, err := repo.FindByEmail(ctx, tenantID, email)
+	if err == nil {
+		if err := repo.SetRoles(ctx, tenantID, existing.UID, []string{"admin"}); err != nil {
+			return nil, false, err
+		}
+		existing.Roles = []string{"admin"}
+		return existing, false, nil
+	}
+	if e := app.FromError(err); e == nil || e.Category() != code.ResNotFound {
+		return nil, false, err
+	}
+
+	hash, err := bcrypt.GenerateFromPassword([]byte(opts.Password), bcrypt.DefaultCost)
+	if err != nil {
+		return nil, false, app.For(code.Member).SysInternal("hash password failed").WithCause(err)
+	}
+	displayName := strings.TrimSpace(opts.DisplayName)
+	if displayName == "" {
+		displayName = "Admin"
+	}
+	member, err := repo.Create(ctx, &entity.Member{
+		TenantID:     tenantID,
+		UID:          uuid.NewString(),
+		Email:        email,
+		DisplayName:  displayName,
+		Language:     "zh-TW",
+		Status:       entity.StatusOpen,
+		Origin:       entity.OriginNative,
+		PasswordHash: string(hash),
+		Roles:        []string{"admin"},
+	})
+	if err != nil {
+		return nil, false, err
+	}
+	return member, true, nil
+}
+
+func normalizeEmail(email string) string {
+	return strings.ToLower(strings.TrimSpace(email))
+}
diff --git a/haixun-backend/internal/bootstrap/admin_test.go b/haixun-backend/internal/bootstrap/admin_test.go
new file mode 100644
index 0000000..cae8a2d
--- /dev/null
+++ b/haixun-backend/internal/bootstrap/admin_test.go
@@ -0,0 +1,116 @@
+package bootstrap
+
+import (
+	"context"
+	"testing"
+
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/model/member/domain/entity"
+	domrepo "haixun-backend/internal/model/member/domain/repository"
+
+	"golang.org/x/crypto/bcrypt"
+)
+
+type memoryMemberRepo struct {
+	byEmail map[string]*entity.Member
+}
+
+func memberKey(tenantID, email string) string {
+	return tenantID + ":" + normalizeEmail(email)
+}
+
+func (m *memoryMemberRepo) EnsureIndexes(context.Context) error { return nil }
+
+func (m *memoryMemberRepo) Create(_ context.Context, member *entity.Member) (*entity.Member, error) {
+	if m.byEmail == nil {
+		m.byEmail = map[string]*entity.Member{}
+	}
+	key := memberKey(member.TenantID, member.Email)
+	if _, ok := m.byEmail[key]; ok {
+		return nil, app.For(code.Member).ResConflict("member already exists")
+	}
+	cp := *member
+	m.byEmail[key] = &cp
+	return &cp, nil
+}
+
+func (m *memoryMemberRepo) FindByUID(_ context.Context, tenantID, uid string) (*entity.Member, error) {
+	for _, item := range m.byEmail {
+		if item.TenantID == tenantID && item.UID == uid {
+			cp := *item
+			return &cp, nil
+		}
+	}
+	return nil, app.For(code.Member).ResNotFound("member not found")
+}
+
+func (m *memoryMemberRepo) FindByEmail(_ context.Context, tenantID, email string) (*entity.Member, error) {
+	item, ok := m.byEmail[memberKey(tenantID, email)]
+	if !ok {
+		return nil, app.For(code.Member).ResNotFound("member not found")
+	}
+	cp := *item
+	return &cp, nil
+}
+
+func (m *memoryMemberRepo) UpdateProfile(context.Context, string, string, domrepo.ProfileUpdate) (*entity.Member, error) {
+	return nil, app.For(code.Member).SysNotImplemented("not implemented")
+}
+
+func (m *memoryMemberRepo) SetRoles(_ context.Context, tenantID, uid string, roles []string) error {
+	for _, item := range m.byEmail {
+		if item.TenantID == tenantID && item.UID == uid {
+			item.Roles = append([]string(nil), roles...)
+			return nil
+		}
+	}
+	return app.For(code.Member).ResNotFound("member not found")
+}
+
+func TestEnsureAdminMemberCreatesAdmin(t *testing.T) {
+	repo := &memoryMemberRepo{byEmail: map[string]*entity.Member{}}
+	member, created, err := EnsureAdminMember(context.Background(), repo, AdminOptions{
+		TenantID: "default",
+		Email:    "admin@haixun.local",
+		Password: "Admin-Pass-1!",
+	})
+	if err != nil {
+		t.Fatalf("EnsureAdminMember: %v", err)
+	}
+	if !created {
+		t.Fatal("expected created=true")
+	}
+	if member.Roles[0] != "admin" {
+		t.Fatalf("roles=%v", member.Roles)
+	}
+	if err := bcrypt.CompareHashAndPassword([]byte(member.PasswordHash), []byte("Admin-Pass-1!")); err != nil {
+		t.Fatalf("password hash mismatch: %v", err)
+	}
+}
+
+func TestEnsureAdminMemberUpgradesExisting(t *testing.T) {
+	repo := &memoryMemberRepo{byEmail: map[string]*entity.Member{
+		memberKey("default", "admin@haixun.local"): {
+			TenantID: "default",
+			UID:      "uid-1",
+			Email:    "admin@haixun.local",
+			Roles:    []string{"user"},
+		},
+	}}
+	_, created, err := EnsureAdminMember(context.Background(), repo, AdminOptions{
+		TenantID: "default",
+		Email:    "admin@haixun.local",
+		Password: "Admin-Pass-1!",
+	})
+	if err != nil {
+		t.Fatalf("EnsureAdminMember: %v", err)
+	}
+	if created {
+		t.Fatal("expected created=false")
+	}
+	member := repo.byEmail[memberKey("default", "admin@haixun.local")]
+	if len(member.Roles) != 1 || member.Roles[0] != "admin" {
+		t.Fatalf("roles=%v", member.Roles)
+	}
+}
diff --git a/haixun-backend/internal/bootstrap/init.go b/haixun-backend/internal/bootstrap/init.go
new file mode 100644
index 0000000..6706fbd
--- /dev/null
+++ b/haixun-backend/internal/bootstrap/init.go
@@ -0,0 +1,104 @@
+package bootstrap
+
+import (
+	"context"
+	"fmt"
+
+	"haixun-backend/internal/config"
+	libmongo "haixun-backend/internal/library/mongo"
+	jobrepo "haixun-backend/internal/model/job/repository"
+	memberrepo "haixun-backend/internal/model/member/repository"
+	permissionrepo "haixun-backend/internal/model/permission/repository"
+	permissionuc "haixun-backend/internal/model/permission/usecase"
+	settingrepo "haixun-backend/internal/model/setting/repository"
+)
+
+type InitOptions struct {
+	TenantID    string
+	AdminEmail  string
+	AdminPass   string
+	DisplayName string
+}
+
+type InitReport struct {
+	IndexesEnsured        bool
+	PermissionsSeeded     bool
+	RolePermissionsSeeded bool
+	AdminUID              string
+	AdminCreated          bool
+}
+
+func Init(ctx context.Context, cfg config.Config, opts InitOptions) (*InitReport, error) {
+	if cfg.Mongo.URI == "" || cfg.Mongo.Database == "" {
+		return nil, fmt.Errorf("mongo URI and database are required")
+	}
+	if opts.TenantID == "" {
+		return nil, fmt.Errorf("tenant_id is required")
+	}
+	if opts.AdminEmail == "" || opts.AdminPass == "" {
+		return nil, fmt.Errorf("admin email and password are required")
+	}
+
+	mongoClient, err := libmongo.NewClient(ctx, cfg.Mongo)
+	if err != nil {
+		return nil, fmt.Errorf("connect mongo: %w", err)
+	}
+	defer func() { _ = mongoClient.Close(ctx) }()
+
+	db := mongoClient.Database()
+	report := &InitReport{}
+
+	settingRepository := settingrepo.NewMongoRepository(db)
+	memberRepository := memberrepo.NewMongoRepository(db)
+	permissionRepository := permissionrepo.NewMongoPermissionRepository(db)
+	rolePermissionRepository := permissionrepo.NewMongoRolePermissionRepository(db)
+	jobTemplateRepository := jobrepo.NewMongoTemplateRepository(db)
+	jobRunRepository := jobrepo.NewMongoRunRepository(db)
+	jobScheduleRepository := jobrepo.NewMongoScheduleRepository(db)
+	jobEventRepository := jobrepo.NewMongoEventRepository(db)
+
+	repos := []struct {
+		name string
+		fn   func(context.Context) error
+	}{
+		{"settings", settingRepository.EnsureIndexes},
+		{"members", memberRepository.EnsureIndexes},
+		{"permissions", permissionRepository.EnsureIndexes},
+		{"role_permissions", rolePermissionRepository.EnsureIndexes},
+		{"job_templates", jobTemplateRepository.EnsureIndexes},
+		{"job_runs", jobRunRepository.EnsureIndexes},
+		{"job_schedules", jobScheduleRepository.EnsureIndexes},
+		{"job_events", jobEventRepository.EnsureIndexes},
+	}
+	for _, repo := range repos {
+		if err := repo.fn(ctx); err != nil {
+			return nil, fmt.Errorf("ensure %s indexes: %w", repo.name, err)
+		}
+	}
+	report.IndexesEnsured = true
+
+	permissionUseCase := permissionuc.NewUseCase(permissionRepository, rolePermissionRepository)
+	if err := permissionUseCase.EnsureDefaultPermissions(ctx); err != nil {
+		return nil, fmt.Errorf("seed permissions catalog: %w", err)
+	}
+	report.PermissionsSeeded = true
+
+	if err := permissionUseCase.EnsureDefaultRolePermissions(ctx, opts.TenantID); err != nil {
+		return nil, fmt.Errorf("seed role permissions: %w", err)
+	}
+	report.RolePermissionsSeeded = true
+
+	admin, created, err := EnsureAdminMember(ctx, memberRepository, AdminOptions{
+		TenantID:    opts.TenantID,
+		Email:       opts.AdminEmail,
+		Password:    opts.AdminPass,
+		DisplayName: opts.DisplayName,
+	})
+	if err != nil {
+		return nil, err
+	}
+	report.AdminUID = admin.UID
+	report.AdminCreated = created
+
+	return report, nil
+}
diff --git a/haixun-backend/internal/config/config.go b/haixun-backend/internal/config/config.go
new file mode 100644
index 0000000..99d4c98
--- /dev/null
+++ b/haixun-backend/internal/config/config.go
@@ -0,0 +1,48 @@
+package config
+
+import "github.com/zeromicro/go-zero/rest"
+
+type MongoConf struct {
+	URI            string
+	Database       string
+	TimeoutSeconds int `json:",default=10"`
+}
+
+type RedisConf struct {
+	Addr string `json:",optional"`
+	DB   int    `json:",optional"`
+}
+
+type JobWorkerConf struct {
+	Enabled    bool   `json:",default=true"`
+	WorkerType string `json:",default=go"`
+	WorkerID   string `json:",optional"`
+}
+
+type JobSchedulerConf struct {
+	Enabled         bool `json:",default=true"`
+	IntervalSeconds int  `json:",default=60"`
+}
+
+type JobReaperConf struct {
+	Enabled         bool `json:",default=true"`
+	IntervalSeconds int  `json:",default=30"`
+}
+
+type AuthConf struct {
+	AccessSecret         string `json:",optional"`
+	RefreshSecret        string `json:",optional"`
+	AccessExpireSeconds  int64  `json:",default=900"`
+	RefreshExpireSeconds int64  `json:",default=2592000"`
+	DevHeaderFallback    bool   `json:",default=true"`
+}
+
+type Config struct {
+	rest.RestConf
+	Mongo        MongoConf        `json:",optional"`
+	Redis        RedisConf        `json:",optional"`
+	Auth         AuthConf         `json:",optional"`
+	JobWorker    JobWorkerConf    `json:",optional"`
+	JobScheduler JobSchedulerConf `json:",optional"`
+	JobReaper    JobReaperConf    `json:",optional"`
+}
diff --git a/haixun-backend/internal/handler/ai/chat_handler.go b/haixun-backend/internal/handler/ai/chat_handler.go
new file mode 100644
index 0000000..88123e3
--- /dev/null
+++ b/haixun-backend/internal/handler/ai/chat_handler.go
@@ -0,0 +1,36 @@
+package ai
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/ai"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func ChatHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.AIChatReq
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		token, err := ai.BearerToken(r)
+		if err != nil {
+			response.Write(r.Context(), w, nil, err)
+			return
+		}
+
+		l := ai.NewChatLogic(r.Context(), svcCtx)
+		data, err := l.Chat(&req, token)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/ai/chat_stream_handler.go b/haixun-backend/internal/handler/ai/chat_stream_handler.go
new file mode 100644
index 0000000..ecc4fc3
--- /dev/null
+++ b/haixun-backend/internal/handler/ai/chat_stream_handler.go
@@ -0,0 +1,72 @@
+package ai
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"haixun-backend/internal/logic/ai"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func ChatStreamHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.AIChatReq
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		token, err := ai.BearerToken(r)
+		if err != nil {
+			response.Write(r.Context(), w, nil, err)
+			return
+		}
+
+		l := ai.NewChatStreamLogic(r.Context(), svcCtx)
+		stream, err := l.ChatStream(&req, token)
+		if err != nil {
+			response.Write(r.Context(), w, nil, err)
+			return
+		}
+
+		flusher, ok := w.(http.Flusher)
+		if !ok {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(fmt.Errorf("server does not support streaming")))
+			return
+		}
+
+		w.Header().Set("Content-Type", "text/event-stream; charset=utf-8")
+		w.Header().Set("Cache-Control", "no-cache")
+		w.Header().Set("Connection", "keep-alive")
+		w.Header().Set("X-Accel-Buffering", "no")
+
+		for event := range stream {
+			writeSSE(w, event.Type, event)
+			flusher.Flush()
+			if event.Type == "done" || event.Type == "error" {
+				return
+			}
+		}
+		writeSSE(w, "done", map[string]string{"finish_reason": "stop"})
+		flusher.Flush()
+	}
+}
+
+func writeSSE(w http.ResponseWriter, eventName string, data any) {
+	payload, err := json.Marshal(data)
+	if err != nil {
+		payload = []byte(`{"type":"error","error":"failed to serialize SSE payload"}`)
+		eventName = "error"
+	}
+	_, _ = fmt.Fprintf(w, "event: %s\n", eventName)
+	_, _ = fmt.Fprintf(w, "data: %s\n\n", payload)
+}
diff --git a/haixun-backend/internal/handler/ai/list_ai_provider_models_handler.go b/haixun-backend/internal/handler/ai/list_ai_provider_models_handler.go
new file mode 100644
index 0000000..5618812
--- /dev/null
+++ b/haixun-backend/internal/handler/ai/list_ai_provider_models_handler.go
@@ -0,0 +1,36 @@
+package ai
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/ai"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func ListAiProviderModelsHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.AIProviderPath
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		token, err := ai.BearerToken(r)
+		if err != nil {
+			response.Write(r.Context(), w, nil, err)
+			return
+		}
+
+		l := ai.NewListAIProviderModelsLogic(r.Context(), svcCtx)
+		data, err := l.ListAIProviderModels(&req, token)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/ai/list_ai_providers_handler.go b/haixun-backend/internal/handler/ai/list_ai_providers_handler.go
new file mode 100644
index 0000000..6397e77
--- /dev/null
+++ b/haixun-backend/internal/handler/ai/list_ai_providers_handler.go
@@ -0,0 +1,17 @@
+package ai
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/ai"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+)
+
+func ListAiProvidersHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		l := ai.NewListAIProvidersLogic(r.Context(), svcCtx)
+		data, err := l.ListAIProviders()
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/auth/login_handler.go b/haixun-backend/internal/handler/auth/login_handler.go
new file mode 100644
index 0000000..acdd92f
--- /dev/null
+++ b/haixun-backend/internal/handler/auth/login_handler.go
@@ -0,0 +1,29 @@
+package auth
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/auth"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func LoginHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.AuthLoginReq
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		l := auth.NewLoginLogic(r.Context(), svcCtx)
+		data, err := l.Login(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/auth/logout_handler.go b/haixun-backend/internal/handler/auth/logout_handler.go
new file mode 100644
index 0000000..73ba93d
--- /dev/null
+++ b/haixun-backend/internal/handler/auth/logout_handler.go
@@ -0,0 +1,17 @@
+package auth
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/auth"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+)
+
+func LogoutHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		l := auth.NewLogoutLogic(r.Context(), svcCtx)
+		data, err := l.Logout(r.Header.Get("Authorization"))
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/auth/refresh_handler.go b/haixun-backend/internal/handler/auth/refresh_handler.go
new file mode 100644
index 0000000..0c1d3f8
--- /dev/null
+++ b/haixun-backend/internal/handler/auth/refresh_handler.go
@@ -0,0 +1,29 @@
+package auth
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/auth"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func RefreshHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.AuthRefreshReq
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		l := auth.NewRefreshLogic(r.Context(), svcCtx)
+		data, err := l.Refresh(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/auth/register_handler.go b/haixun-backend/internal/handler/auth/register_handler.go
new file mode 100644
index 0000000..d51af57
--- /dev/null
+++ b/haixun-backend/internal/handler/auth/register_handler.go
@@ -0,0 +1,29 @@
+package auth
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/auth"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func RegisterHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.AuthRegisterReq
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		l := auth.NewRegisterLogic(r.Context(), svcCtx)
+		data, err := l.Register(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/job/cancel_job_handler.go b/haixun-backend/internal/handler/job/cancel_job_handler.go
new file mode 100644
index 0000000..afde3d7
--- /dev/null
+++ b/haixun-backend/internal/handler/job/cancel_job_handler.go
@@ -0,0 +1,33 @@
+// Code scaffolded by goctl. Safe to edit.
+// goctl 1.10.1
+
+package job
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/job"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func CancelJobHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.CancelJobReq
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		l := job.NewCancelJobLogic(r.Context(), svcCtx)
+		data, err := l.CancelJob(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/job/create_job_handler.go b/haixun-backend/internal/handler/job/create_job_handler.go
new file mode 100644
index 0000000..fe6f2dd
--- /dev/null
+++ b/haixun-backend/internal/handler/job/create_job_handler.go
@@ -0,0 +1,33 @@
+// Code scaffolded by goctl. Safe to edit.
+// goctl 1.10.1
+
+package job
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/job"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func CreateJobHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.CreateJobReq
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		l := job.NewCreateJobLogic(r.Context(), svcCtx)
+		data, err := l.CreateJob(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/job/create_job_schedule_handler.go b/haixun-backend/internal/handler/job/create_job_schedule_handler.go
new file mode 100644
index 0000000..3076cb3
--- /dev/null
+++ b/haixun-backend/internal/handler/job/create_job_schedule_handler.go
@@ -0,0 +1,33 @@
+// Code scaffolded by goctl. Safe to edit.
+// goctl 1.10.1
+
+package job
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/job"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func CreateJobScheduleHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.CreateJobScheduleReq
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		l := job.NewCreateJobScheduleLogic(r.Context(), svcCtx)
+		data, err := l.CreateJobSchedule(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/job/disable_job_schedule_handler.go b/haixun-backend/internal/handler/job/disable_job_schedule_handler.go
new file mode 100644
index 0000000..452b586
--- /dev/null
+++ b/haixun-backend/internal/handler/job/disable_job_schedule_handler.go
@@ -0,0 +1,33 @@
+// Code scaffolded by goctl. Safe to edit.
+// goctl 1.10.1
+
+package job
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/job"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func DisableJobScheduleHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.JobScheduleIDPath
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		l := job.NewDisableJobScheduleLogic(r.Context(), svcCtx)
+		data, err := l.DisableJobSchedule(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/job/enable_job_schedule_handler.go b/haixun-backend/internal/handler/job/enable_job_schedule_handler.go
new file mode 100644
index 0000000..6797f47
--- /dev/null
+++ b/haixun-backend/internal/handler/job/enable_job_schedule_handler.go
@@ -0,0 +1,33 @@
+// Code scaffolded by goctl. Safe to edit.
+// goctl 1.10.1
+
+package job
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/job"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func EnableJobScheduleHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.JobScheduleIDPath
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		l := job.NewEnableJobScheduleLogic(r.Context(), svcCtx)
+		data, err := l.EnableJobSchedule(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/job/get_job_handler.go b/haixun-backend/internal/handler/job/get_job_handler.go
new file mode 100644
index 0000000..45c2682
--- /dev/null
+++ b/haixun-backend/internal/handler/job/get_job_handler.go
@@ -0,0 +1,33 @@
+// Code scaffolded by goctl. Safe to edit.
+// goctl 1.10.1
+
+package job
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/job"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func GetJobHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.JobIDPath
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		l := job.NewGetJobLogic(r.Context(), svcCtx)
+		data, err := l.GetJob(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/job/get_job_template_handler.go b/haixun-backend/internal/handler/job/get_job_template_handler.go
new file mode 100644
index 0000000..133d296
--- /dev/null
+++ b/haixun-backend/internal/handler/job/get_job_template_handler.go
@@ -0,0 +1,33 @@
+// Code scaffolded by goctl. Safe to edit.
+// goctl 1.10.1
+
+package job
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/job"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func GetJobTemplateHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.JobTemplatePath
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		l := job.NewGetJobTemplateLogic(r.Context(), svcCtx)
+		data, err := l.GetJobTemplate(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/job/list_job_events_handler.go b/haixun-backend/internal/handler/job/list_job_events_handler.go
new file mode 100644
index 0000000..dcb64f0
--- /dev/null
+++ b/haixun-backend/internal/handler/job/list_job_events_handler.go
@@ -0,0 +1,33 @@
+// Code scaffolded by goctl. Safe to edit.
+// goctl 1.10.1
+
+package job
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/job"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func ListJobEventsHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.ListJobEventsReq
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		l := job.NewListJobEventsLogic(r.Context(), svcCtx)
+		data, err := l.ListJobEvents(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/job/list_job_schedules_handler.go b/haixun-backend/internal/handler/job/list_job_schedules_handler.go
new file mode 100644
index 0000000..27c0ef5
--- /dev/null
+++ b/haixun-backend/internal/handler/job/list_job_schedules_handler.go
@@ -0,0 +1,33 @@
+// Code scaffolded by goctl. Safe to edit.
+// goctl 1.10.1
+
+package job
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/job"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func ListJobSchedulesHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.ListJobSchedulesReq
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		l := job.NewListJobSchedulesLogic(r.Context(), svcCtx)
+		data, err := l.ListJobSchedules(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/job/list_job_templates_handler.go b/haixun-backend/internal/handler/job/list_job_templates_handler.go
new file mode 100644
index 0000000..2132c5d
--- /dev/null
+++ b/haixun-backend/internal/handler/job/list_job_templates_handler.go
@@ -0,0 +1,20 @@
+// Code scaffolded by goctl. Safe to edit.
+// goctl 1.10.1
+
+package job
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/job"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+)
+
+func ListJobTemplatesHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		l := job.NewListJobTemplatesLogic(r.Context(), svcCtx)
+		data, err := l.ListJobTemplates()
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/job/list_jobs_handler.go b/haixun-backend/internal/handler/job/list_jobs_handler.go
new file mode 100644
index 0000000..579a728
--- /dev/null
+++ b/haixun-backend/internal/handler/job/list_jobs_handler.go
@@ -0,0 +1,33 @@
+// Code scaffolded by goctl. Safe to edit.
+// goctl 1.10.1
+
+package job
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/job"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func ListJobsHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.ListJobsReq
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		l := job.NewListJobsLogic(r.Context(), svcCtx)
+		data, err := l.ListJobs(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/job/retry_job_handler.go b/haixun-backend/internal/handler/job/retry_job_handler.go
new file mode 100644
index 0000000..50c7229
--- /dev/null
+++ b/haixun-backend/internal/handler/job/retry_job_handler.go
@@ -0,0 +1,33 @@
+// Code scaffolded by goctl. Safe to edit.
+// goctl 1.10.1
+
+package job
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/job"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func RetryJobHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.JobIDPath
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		l := job.NewRetryJobLogic(r.Context(), svcCtx)
+		data, err := l.RetryJob(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/job/update_job_schedule_handler.go b/haixun-backend/internal/handler/job/update_job_schedule_handler.go
new file mode 100644
index 0000000..b7957fe
--- /dev/null
+++ b/haixun-backend/internal/handler/job/update_job_schedule_handler.go
@@ -0,0 +1,33 @@
+// Code scaffolded by goctl. Safe to edit.
+// goctl 1.10.1
+
+package job
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/job"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func UpdateJobScheduleHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.UpdateJobScheduleReq
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		l := job.NewUpdateJobScheduleLogic(r.Context(), svcCtx)
+		data, err := l.UpdateJobSchedule(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/job/upsert_job_template_handler.go b/haixun-backend/internal/handler/job/upsert_job_template_handler.go
new file mode 100644
index 0000000..5e2c946
--- /dev/null
+++ b/haixun-backend/internal/handler/job/upsert_job_template_handler.go
@@ -0,0 +1,33 @@
+// Code scaffolded by goctl. Safe to edit.
+// goctl 1.10.1
+
+package job
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/job"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func UpsertJobTemplateHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.UpsertJobTemplateReq
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		l := job.NewUpsertJobTemplateLogic(r.Context(), svcCtx)
+		data, err := l.UpsertJobTemplate(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/member/get_member_me_handler.go b/haixun-backend/internal/handler/member/get_member_me_handler.go
new file mode 100644
index 0000000..242229a
--- /dev/null
+++ b/haixun-backend/internal/handler/member/get_member_me_handler.go
@@ -0,0 +1,20 @@
+// Code scaffolded by goctl. Safe to edit.
+// goctl 1.10.1
+
+package member
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/member"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+)
+
+func GetMemberMeHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		l := member.NewGetMemberMeLogic(r.Context(), svcCtx)
+		data, err := l.GetMemberMe()
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/member/update_member_me_handler.go b/haixun-backend/internal/handler/member/update_member_me_handler.go
new file mode 100644
index 0000000..435f4f5
--- /dev/null
+++ b/haixun-backend/internal/handler/member/update_member_me_handler.go
@@ -0,0 +1,33 @@
+// Code scaffolded by goctl. Safe to edit.
+// goctl 1.10.1
+
+package member
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/member"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func UpdateMemberMeHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.UpdateMemberMeReq
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		l := member.NewUpdateMemberMeLogic(r.Context(), svcCtx)
+		data, err := l.UpdateMemberMe(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/normal/health_handler.go b/haixun-backend/internal/handler/normal/health_handler.go
new file mode 100644
index 0000000..a53f6fd
--- /dev/null
+++ b/haixun-backend/internal/handler/normal/health_handler.go
@@ -0,0 +1,17 @@
+package normal
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/normal"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+)
+
+func HealthHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		l := normal.NewHealthLogic(r.Context(), svcCtx)
+		data, err := l.Health()
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/permission/get_me_permissions_handler.go b/haixun-backend/internal/handler/permission/get_me_permissions_handler.go
new file mode 100644
index 0000000..30d5fd5
--- /dev/null
+++ b/haixun-backend/internal/handler/permission/get_me_permissions_handler.go
@@ -0,0 +1,33 @@
+// Code scaffolded by goctl. Safe to edit.
+// goctl 1.10.1
+
+package permission
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/permission"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func GetMePermissionsHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.MePermissionsQuery
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+
+		l := permission.NewGetMePermissionsLogic(r.Context(), svcCtx)
+		data, err := l.GetMePermissions(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/permission/get_permission_catalog_handler.go b/haixun-backend/internal/handler/permission/get_permission_catalog_handler.go
new file mode 100644
index 0000000..01c4f58
--- /dev/null
+++ b/haixun-backend/internal/handler/permission/get_permission_catalog_handler.go
@@ -0,0 +1,29 @@
+package permission
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/permission"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func GetPermissionCatalogHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.PermissionCatalogQuery
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		l := permission.NewGetPermissionCatalogLogic(r.Context(), svcCtx)
+		data, err := l.GetPermissionCatalog(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/routes.go b/haixun-backend/internal/handler/routes.go
new file mode 100644
index 0000000..c092906
--- /dev/null
+++ b/haixun-backend/internal/handler/routes.go
@@ -0,0 +1,248 @@
+// Code generated by goctl. DO NOT EDIT.
+// goctl 1.10.1
+
+package handler
+
+import (
+	"net/http"
+
+	ai "haixun-backend/internal/handler/ai"
+	auth "haixun-backend/internal/handler/auth"
+	job "haixun-backend/internal/handler/job"
+	member "haixun-backend/internal/handler/member"
+	normal "haixun-backend/internal/handler/normal"
+	permission "haixun-backend/internal/handler/permission"
+	setting "haixun-backend/internal/handler/setting"
+	"haixun-backend/internal/svc"
+
+	"github.com/zeromicro/go-zero/rest"
+)
+
+func RegisterHandlers(server *rest.Server, serverCtx *svc.ServiceContext) {
+	server.AddRoutes(
+		[]rest.Route{
+			{
+				Method:  http.MethodGet,
+				Path:    "/providers",
+				Handler: ai.ListAiProvidersHandler(serverCtx),
+			},
+		},
+		rest.WithPrefix("/api/v1/ai"),
+	)
+
+	server.AddRoutes(
+		rest.WithMiddlewares(
+			[]rest.Middleware{serverCtx.MemberAuth},
+			[]rest.Route{
+				{
+					Method:  http.MethodPost,
+					Path:    "/chat",
+					Handler: ai.ChatHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodPost,
+					Path:    "/chat/stream",
+					Handler: ai.ChatStreamHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodPost,
+					Path:    "/providers/:provider/models",
+					Handler: ai.ListAiProviderModelsHandler(serverCtx),
+				},
+			}...,
+		),
+		rest.WithPrefix("/api/v1/ai"),
+	)
+
+	server.AddRoutes(
+		[]rest.Route{
+			{
+				Method:  http.MethodPost,
+				Path:    "/login",
+				Handler: auth.LoginHandler(serverCtx),
+			},
+			{
+				Method:  http.MethodPost,
+				Path:    "/refresh",
+				Handler: auth.RefreshHandler(serverCtx),
+			},
+			{
+				Method:  http.MethodPost,
+				Path:    "/register",
+				Handler: auth.RegisterHandler(serverCtx),
+			},
+		},
+		rest.WithPrefix("/api/v1/auth"),
+	)
+
+	server.AddRoutes(
+		rest.WithMiddlewares(
+			[]rest.Middleware{serverCtx.AuthJWT},
+			[]rest.Route{
+				{
+					Method:  http.MethodPost,
+					Path:    "/logout",
+					Handler: auth.LogoutHandler(serverCtx),
+				},
+			}...,
+		),
+		rest.WithPrefix("/api/v1/auth"),
+	)
+
+	server.AddRoutes(
+		rest.WithMiddlewares(
+			[]rest.Middleware{serverCtx.AuthJWT},
+			[]rest.Route{
+				{
+					Method:  http.MethodGet,
+					Path:    "/job/schedules",
+					Handler: job.ListJobSchedulesHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodPost,
+					Path:    "/job/schedules",
+					Handler: job.CreateJobScheduleHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodPut,
+					Path:    "/job/schedules/:id",
+					Handler: job.UpdateJobScheduleHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodPost,
+					Path:    "/job/schedules/:id/disable",
+					Handler: job.DisableJobScheduleHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodPost,
+					Path:    "/job/schedules/:id/enable",
+					Handler: job.EnableJobScheduleHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodGet,
+					Path:    "/job/templates",
+					Handler: job.ListJobTemplatesHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodGet,
+					Path:    "/job/templates/:type",
+					Handler: job.GetJobTemplateHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodPut,
+					Path:    "/job/templates/:type",
+					Handler: job.UpsertJobTemplateHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodPost,
+					Path:    "/jobs",
+					Handler: job.CreateJobHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodGet,
+					Path:    "/jobs",
+					Handler: job.ListJobsHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodGet,
+					Path:    "/jobs/:id",
+					Handler: job.GetJobHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodPost,
+					Path:    "/jobs/:id/cancel",
+					Handler: job.CancelJobHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodGet,
+					Path:    "/jobs/:id/events",
+					Handler: job.ListJobEventsHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodPost,
+					Path:    "/jobs/:id/retry",
+					Handler: job.RetryJobHandler(serverCtx),
+				},
+			}...,
+		),
+		rest.WithPrefix("/api/v1"),
+	)
+
+	server.AddRoutes(
+		rest.WithMiddlewares(
+			[]rest.Middleware{serverCtx.AuthJWT},
+			[]rest.Route{
+				{
+					Method:  http.MethodGet,
+					Path:    "/me",
+					Handler: member.GetMemberMeHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodPatch,
+					Path:    "/me",
+					Handler: member.UpdateMemberMeHandler(serverCtx),
+				},
+			}...,
+		),
+		rest.WithPrefix("/api/v1/members"),
+	)
+
+	server.AddRoutes(
+		[]rest.Route{
+			{
+				Method:  http.MethodGet,
+				Path:    "/health",
+				Handler: normal.HealthHandler(serverCtx),
+			},
+		},
+		rest.WithPrefix("/api/v1"),
+	)
+
+	server.AddRoutes(
+		rest.WithMiddlewares(
+			[]rest.Middleware{serverCtx.AuthJWT},
+			[]rest.Route{
+				{
+					Method:  http.MethodGet,
+					Path:    "/catalog",
+					Handler: permission.GetPermissionCatalogHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodGet,
+					Path:    "/me",
+					Handler: permission.GetMePermissionsHandler(serverCtx),
+				},
+			}...,
+		),
+		rest.WithPrefix("/api/v1/permissions"),
+	)
+
+	server.AddRoutes(
+		rest.WithMiddlewares(
+			[]rest.Middleware{serverCtx.AuthJWT},
+			[]rest.Route{
+				{
+					Method:  http.MethodGet,
+					Path:    "/:scope/:scope_id",
+					Handler: setting.ListSettingsHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodGet,
+					Path:    "/:scope/:scope_id/:key",
+					Handler: setting.GetSettingHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodPut,
+					Path:    "/:scope/:scope_id/:key",
+					Handler: setting.UpsertSettingHandler(serverCtx),
+				},
+				{
+					Method:  http.MethodDelete,
+					Path:    "/:scope/:scope_id/:key",
+					Handler: setting.DeleteSettingHandler(serverCtx),
+				},
+			}...,
+		),
+		rest.WithPrefix("/api/v1/settings"),
+	)
+}
diff --git a/haixun-backend/internal/handler/setting/delete_setting_handler.go b/haixun-backend/internal/handler/setting/delete_setting_handler.go
new file mode 100644
index 0000000..bc85b59
--- /dev/null
+++ b/haixun-backend/internal/handler/setting/delete_setting_handler.go
@@ -0,0 +1,29 @@
+package setting
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/setting"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func DeleteSettingHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.SettingKeyPath
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		l := setting.NewDeleteSettingLogic(r.Context(), svcCtx)
+		err := l.DeleteSetting(&req)
+		response.Write(r.Context(), w, nil, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/setting/get_setting_handler.go b/haixun-backend/internal/handler/setting/get_setting_handler.go
new file mode 100644
index 0000000..beaeeac
--- /dev/null
+++ b/haixun-backend/internal/handler/setting/get_setting_handler.go
@@ -0,0 +1,29 @@
+package setting
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/setting"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func GetSettingHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.SettingKeyPath
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		l := setting.NewGetSettingLogic(r.Context(), svcCtx)
+		data, err := l.GetSetting(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/setting/list_settings_handler.go b/haixun-backend/internal/handler/setting/list_settings_handler.go
new file mode 100644
index 0000000..4c01f22
--- /dev/null
+++ b/haixun-backend/internal/handler/setting/list_settings_handler.go
@@ -0,0 +1,29 @@
+package setting
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/setting"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func ListSettingsHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.SettingPath
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		l := setting.NewListSettingsLogic(r.Context(), svcCtx)
+		data, err := l.ListSettings(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/handler/setting/upsert_setting_handler.go b/haixun-backend/internal/handler/setting/upsert_setting_handler.go
new file mode 100644
index 0000000..c270de1
--- /dev/null
+++ b/haixun-backend/internal/handler/setting/upsert_setting_handler.go
@@ -0,0 +1,29 @@
+package setting
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/logic/setting"
+	"haixun-backend/internal/response"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func UpsertSettingHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req types.SettingUpsertReq
+		if err := httpx.Parse(r, &req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		if err := svcCtx.Validator.ValidateAll(&req); err != nil {
+			response.Write(r.Context(), w, nil, response.WrapRequestError(err))
+			return
+		}
+		l := setting.NewUpsertSettingLogic(r.Context(), svcCtx)
+		data, err := l.UpsertSetting(&req)
+		response.Write(r.Context(), w, data, err)
+	}
+}
diff --git a/haixun-backend/internal/library/authctx/context.go b/haixun-backend/internal/library/authctx/context.go
new file mode 100644
index 0000000..99252e7
--- /dev/null
+++ b/haixun-backend/internal/library/authctx/context.go
@@ -0,0 +1,20 @@
+package authctx
+
+import "context"
+
+type Actor struct {
+	TenantID string
+	UID      string
+	JTI      string
+}
+
+type actorKey struct{}
+
+func WithActor(ctx context.Context, actor Actor) context.Context {
+	return context.WithValue(ctx, actorKey{}, actor)
+}
+
+func ActorFromContext(ctx context.Context) (Actor, bool) {
+	actor, ok := ctx.Value(actorKey{}).(Actor)
+	return actor, ok
+}
diff --git a/haixun-backend/internal/library/clock/clock.go b/haixun-backend/internal/library/clock/clock.go
new file mode 100644
index 0000000..7740cd8
--- /dev/null
+++ b/haixun-backend/internal/library/clock/clock.go
@@ -0,0 +1,36 @@
+package clock
+
+import "time"
+
+// StorageTimezone is the only timezone used for persisted timestamps.
+const StorageTimezone = "UTC"
+
+// Now returns the current instant in UTC.
+func Now() time.Time {
+	return time.Now().UTC()
+}
+
+// NowUnixNano returns the current instant as UTC unix nanoseconds.
+func NowUnixNano() int64 {
+	return Now().UnixNano()
+}
+
+// UnixNano converts an instant to UTC unix nanoseconds.
+func UnixNano(t time.Time) int64 {
+	return t.UTC().UnixNano()
+}
+
+// FromUnixNano parses UTC unix nanoseconds.
+func FromUnixNano(nano int64) time.Time {
+	return time.Unix(0, nano).UTC()
+}
+
+// AddSecondsFromNow returns UTC unix nanoseconds after the given seconds.
+func AddSecondsFromNow(seconds int) int64 {
+	return Now().Add(time.Duration(seconds) * time.Second).UnixNano()
+}
+
+// SecondsToNanos converts whole seconds to nanoseconds.
+func SecondsToNanos(seconds int) int64 {
+	return int64(seconds) * int64(time.Second)
+}
diff --git a/haixun-backend/internal/library/clock/clock_test.go b/haixun-backend/internal/library/clock/clock_test.go
new file mode 100644
index 0000000..369fe90
--- /dev/null
+++ b/haixun-backend/internal/library/clock/clock_test.go
@@ -0,0 +1,24 @@
+package clock
+
+import (
+	"testing"
+	"time"
+)
+
+func TestNow_IsUTC(t *testing.T) {
+	now := Now()
+	if now.Location() != time.UTC {
+		t.Fatalf("location = %v, want UTC", now.Location())
+	}
+}
+
+func TestFromUnixNano_RoundTrip(t *testing.T) {
+	nano := NowUnixNano()
+	parsed := FromUnixNano(nano)
+	if parsed.UnixNano() != nano {
+		t.Fatalf("parsed = %d, want %d", parsed.UnixNano(), nano)
+	}
+	if parsed.Location() != time.UTC {
+		t.Fatalf("location = %v, want UTC", parsed.Location())
+	}
+}
diff --git a/haixun-backend/internal/library/errors/code/types.go b/haixun-backend/internal/library/errors/code/types.go
new file mode 100644
index 0000000..d3de14a
--- /dev/null
+++ b/haixun-backend/internal/library/errors/code/types.go
@@ -0,0 +1,39 @@
+package code
+
+type Scope uint32
+type Category uint32
+type Detail uint32
+
+const (
+	Unset              Scope  = 0
+	Facade             Scope  = 10
+	Setting            Scope  = 32
+	AI                 Scope  = 33
+	Job                Scope  = 34
+	Auth               Scope  = 35
+	Member             Scope  = 36
+	Permission         Scope  = 37
+	CategoryMultiplier        = 1000
+	ScopeMultiplier           = 1000000
+	DefaultDetail      Detail = 0
+)
+
+const (
+	DefaultSuccessFullCodeInt int64  = 102000
+	DefaultSuccessMessage     string = "SUCCESS"
+)
+
+const (
+	InputInvalidFormat   Category = 101
+	InputMissingRequired Category = 104
+	DBError              Category = 201
+	DBUnavailable        Category = 204
+	ResNotFound          Category = 301
+	ResConflict          Category = 303
+	ResInvalidState      Category = 309
+	AuthUnauthorized     Category = 401
+	AuthForbidden        Category = 505
+	SysInternal          Category = 601
+	SysNotImplemented    Category = 605
+	SvcThirdParty        Category = 802
+)
diff --git a/haixun-backend/internal/library/errors/errors.go b/haixun-backend/internal/library/errors/errors.go
new file mode 100644
index 0000000..fa1727b
--- /dev/null
+++ b/haixun-backend/internal/library/errors/errors.go
@@ -0,0 +1,169 @@
+package errors
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+
+	"haixun-backend/internal/library/errors/code"
+)
+
+type Error struct {
+	scope    code.Scope
+	category code.Category
+	detail   code.Detail
+	message  string
+	cause    error
+}
+
+func New(scope code.Scope, category code.Category, detail code.Detail, message string) *Error {
+	return &Error{scope: scope, category: category, detail: detail, message: message}
+}
+
+func FromError(err error) *Error {
+	var e *Error
+	if errors.As(err, &e) {
+		return e
+	}
+	return nil
+}
+
+func (e *Error) Error() string {
+	if e == nil {
+		return ""
+	}
+	return e.message
+}
+
+func (e *Error) Unwrap() error {
+	if e == nil {
+		return nil
+	}
+	return e.cause
+}
+
+func (e *Error) WithCause(cause error) *Error {
+	if e == nil {
+		return nil
+	}
+	cp := *e
+	cp.cause = cause
+	return &cp
+}
+
+func (e *Error) Scope() code.Scope {
+	if e == nil {
+		return code.Unset
+	}
+	return e.scope
+}
+
+func (e *Error) Category() code.Category {
+	if e == nil {
+		return code.SysInternal
+	}
+	return e.category
+}
+
+func (e *Error) Detail() code.Detail {
+	if e == nil {
+		return code.DefaultDetail
+	}
+	return e.detail
+}
+
+func (e *Error) Code() uint32 {
+	if e == nil {
+		return 0
+	}
+	return uint32(e.scope)*code.ScopeMultiplier + uint32(e.category)*code.CategoryMultiplier + uint32(e.detail)
+}
+
+func (e *Error) DisplayCode() string {
+	if e == nil {
+		return "00000000"
+	}
+	return fmt.Sprintf("%08d", e.Code())
+}
+
+func (e *Error) HTTPStatus() int {
+	if e == nil {
+		return http.StatusInternalServerError
+	}
+	switch e.category {
+	case code.InputInvalidFormat, code.InputMissingRequired:
+		return http.StatusBadRequest
+	case code.DBUnavailable:
+		return http.StatusServiceUnavailable
+	case code.ResNotFound:
+		return http.StatusNotFound
+	case code.ResConflict:
+		return http.StatusConflict
+	case code.ResInvalidState:
+		return http.StatusConflict
+	case code.AuthUnauthorized:
+		return http.StatusUnauthorized
+	case code.AuthForbidden:
+		return http.StatusForbidden
+	case code.SvcThirdParty:
+		return http.StatusBadGateway
+	default:
+		return http.StatusInternalServerError
+	}
+}
+
+type Builder struct {
+	scope code.Scope
+}
+
+func For(scope code.Scope) Builder {
+	return Builder{scope: scope}
+}
+
+func (b Builder) InputInvalidFormat(message string) *Error {
+	return New(b.scope, code.InputInvalidFormat, 0, message)
+}
+
+func (b Builder) InputMissingRequired(message string) *Error {
+	return New(b.scope, code.InputMissingRequired, 0, message)
+}
+
+func (b Builder) DBError(message string) *Error {
+	return New(b.scope, code.DBError, 0, message)
+}
+
+func (b Builder) DBUnavailable(message string) *Error {
+	return New(b.scope, code.DBUnavailable, 0, message)
+}
+
+func (b Builder) ResNotFound(message string) *Error {
+	return New(b.scope, code.ResNotFound, 0, message)
+}
+
+func (b Builder) ResConflict(message string) *Error {
+	return New(b.scope, code.ResConflict, 0, message)
+}
+
+func (b Builder) ResInvalidState(message string) *Error {
+	return New(b.scope, code.ResInvalidState, 0, message)
+}
+
+func (b Builder) AuthUnauthorized(message string) *Error {
+	return New(b.scope, code.AuthUnauthorized, 0, message)
+}
+
+func (b Builder) AuthForbidden(message string) *Error {
+	return New(b.scope, code.AuthForbidden, 0, message)
+}
+
+func (b Builder) SysInternal(message string) *Error {
+	return New(b.scope, code.SysInternal, 0, message)
+}
+
+func (b Builder) SysNotImplemented(message string) *Error {
+	return New(b.scope, code.SysNotImplemented, 0, message)
+}
+
+func (b Builder) SvcThirdParty(message string) *Error {
+	return New(b.scope, code.SvcThirdParty, 0, message)
+}
diff --git a/haixun-backend/internal/library/mongo/client.go b/haixun-backend/internal/library/mongo/client.go
new file mode 100644
index 0000000..be3b101
--- /dev/null
+++ b/haixun-backend/internal/library/mongo/client.go
@@ -0,0 +1,51 @@
+package mongo
+
+import (
+	"context"
+	"time"
+
+	"haixun-backend/internal/config"
+
+	"go.mongodb.org/mongo-driver/mongo"
+	"go.mongodb.org/mongo-driver/mongo/options"
+)
+
+type Client struct {
+	raw *mongo.Client
+	db  *mongo.Database
+}
+
+func NewClient(ctx context.Context, conf config.MongoConf) (*Client, error) {
+	if conf.URI == "" || conf.Database == "" {
+		return nil, nil
+	}
+	timeout := time.Duration(conf.TimeoutSeconds) * time.Second
+	if timeout <= 0 {
+		timeout = 10 * time.Second
+	}
+	ctx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
+	raw, err := mongo.Connect(ctx, options.Client().ApplyURI(conf.URI))
+	if err != nil {
+		return nil, err
+	}
+	if err := raw.Ping(ctx, nil); err != nil {
+		return nil, err
+	}
+	return &Client{raw: raw, db: raw.Database(conf.Database)}, nil
+}
+
+func (c *Client) Database() *mongo.Database {
+	if c == nil {
+		return nil
+	}
+	return c.db
+}
+
+func (c *Client) Close(ctx context.Context) error {
+	if c == nil || c.raw == nil {
+		return nil
+	}
+	return c.raw.Disconnect(ctx)
+}
diff --git a/haixun-backend/internal/library/redact/redact.go b/haixun-backend/internal/library/redact/redact.go
new file mode 100644
index 0000000..1672610
--- /dev/null
+++ b/haixun-backend/internal/library/redact/redact.go
@@ -0,0 +1,17 @@
+package redact
+
+import "regexp"
+
+var (
+	bearerPattern = regexp.MustCompile(`(?i)Bearer\s+[A-Za-z0-9._\-]+`)
+	tokenPattern  = regexp.MustCompile(`(?i)(api[_-]?key|token|authorization)\s*[:=]\s*["']?[^"'\s,}]+`)
+)
+
+func Message(message string) string {
+	if message == "" {
+		return message
+	}
+	message = bearerPattern.ReplaceAllString(message, "Bearer [REDACTED]")
+	message = tokenPattern.ReplaceAllString(message, "$1=[REDACTED]")
+	return message
+}
diff --git a/haixun-backend/internal/library/redact/redact_test.go b/haixun-backend/internal/library/redact/redact_test.go
new file mode 100644
index 0000000..c109f2a
--- /dev/null
+++ b/haixun-backend/internal/library/redact/redact_test.go
@@ -0,0 +1,12 @@
+package redact
+
+import "testing"
+
+func TestMessage_RedactsBearerToken(t *testing.T) {
+	input := `Authorization Bearer sk-abc123xyz failed`
+	got := Message(input)
+	want := `Authorization Bearer [REDACTED] failed`
+	if got != want {
+		t.Fatalf("Message() = %q, want %q", got, want)
+	}
+}
diff --git a/haixun-backend/internal/library/redis/client.go b/haixun-backend/internal/library/redis/client.go
new file mode 100644
index 0000000..ff13bcd
--- /dev/null
+++ b/haixun-backend/internal/library/redis/client.go
@@ -0,0 +1,17 @@
+package redis
+
+import (
+	"haixun-backend/internal/config"
+
+	goredis "github.com/redis/go-redis/v9"
+)
+
+func NewClient(conf config.RedisConf) *goredis.Client {
+	if conf.Addr == "" {
+		return nil
+	}
+	return goredis.NewClient(&goredis.Options{
+		Addr: conf.Addr,
+		DB:   conf.DB,
+	})
+}
diff --git a/haixun-backend/internal/library/validate/validate.go b/haixun-backend/internal/library/validate/validate.go
new file mode 100644
index 0000000..5ccf19d
--- /dev/null
+++ b/haixun-backend/internal/library/validate/validate.go
@@ -0,0 +1,18 @@
+package validate
+
+import "github.com/go-playground/validator/v10"
+
+type Validate struct {
+	validator *validator.Validate
+}
+
+func New() *Validate {
+	return &Validate{validator: validator.New()}
+}
+
+func (v *Validate) ValidateAll(value any) error {
+	if v == nil || v.validator == nil {
+		return nil
+	}
+	return v.validator.Struct(value)
+}
diff --git a/haixun-backend/internal/logic/ai/chat_logic.go b/haixun-backend/internal/logic/ai/chat_logic.go
new file mode 100644
index 0000000..fd74880
--- /dev/null
+++ b/haixun-backend/internal/logic/ai/chat_logic.go
@@ -0,0 +1,26 @@
+package ai
+
+import (
+	"context"
+
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type ChatLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewChatLogic(ctx context.Context, svcCtx *svc.ServiceContext) *ChatLogic {
+	return &ChatLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *ChatLogic) Chat(req *types.AIChatReq, token string) (*types.AIChatData, error) {
+	result, err := l.svcCtx.AI.GenerateText(l.ctx, toGenerateRequest(req, token))
+	if err != nil {
+		return nil, err
+	}
+
+	return &types.AIChatData{Text: result.Text, FinishReason: result.FinishReason}, nil
+}
diff --git a/haixun-backend/internal/logic/ai/chat_stream_logic.go b/haixun-backend/internal/logic/ai/chat_stream_logic.go
new file mode 100644
index 0000000..b0b7da2
--- /dev/null
+++ b/haixun-backend/internal/logic/ai/chat_stream_logic.go
@@ -0,0 +1,22 @@
+package ai
+
+import (
+	"context"
+
+	domai "haixun-backend/internal/model/ai/domain/usecase"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type ChatStreamLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewChatStreamLogic(ctx context.Context, svcCtx *svc.ServiceContext) *ChatStreamLogic {
+	return &ChatStreamLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *ChatStreamLogic) ChatStream(req *types.AIChatReq, token string) (<-chan domai.StreamEvent, error) {
+	return l.svcCtx.AI.StreamText(l.ctx, toGenerateRequest(req, token))
+}
diff --git a/haixun-backend/internal/logic/ai/credential.go b/haixun-backend/internal/logic/ai/credential.go
new file mode 100644
index 0000000..981630f
--- /dev/null
+++ b/haixun-backend/internal/logic/ai/credential.go
@@ -0,0 +1,27 @@
+package ai
+
+import (
+	"net/http"
+	"strings"
+
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+)
+
+func BearerToken(r *http.Request) (string, error) {
+	auth := strings.TrimSpace(r.Header.Get("Authorization"))
+	if auth == "" {
+		return "", app.For(code.AI).InputMissingRequired("missing Authorization header")
+	}
+
+	const prefix = "Bearer "
+	if !strings.HasPrefix(auth, prefix) {
+		return "", app.For(code.Facade).InputInvalidFormat("Authorization must be a Bearer token")
+	}
+
+	token := strings.TrimSpace(strings.TrimPrefix(auth, prefix))
+	if token == "" {
+		return "", app.For(code.AI).InputMissingRequired("missing AI provider token")
+	}
+	return token, nil
+}
diff --git a/haixun-backend/internal/logic/ai/list_ai_provider_models_logic.go b/haixun-backend/internal/logic/ai/list_ai_provider_models_logic.go
new file mode 100644
index 0000000..c9cd6df
--- /dev/null
+++ b/haixun-backend/internal/logic/ai/list_ai_provider_models_logic.go
@@ -0,0 +1,30 @@
+package ai
+
+import (
+	"context"
+
+	"haixun-backend/internal/model/ai/domain/enum"
+	aiuc "haixun-backend/internal/model/ai/domain/usecase"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type ListAIProviderModelsLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewListAIProviderModelsLogic(ctx context.Context, svcCtx *svc.ServiceContext) *ListAIProviderModelsLogic {
+	return &ListAIProviderModelsLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *ListAIProviderModelsLogic) ListAIProviderModels(req *types.AIProviderPath, token string) (*types.AIProviderModelsData, error) {
+	result := l.svcCtx.AI.ListProviderModels(l.ctx, enum.ProviderID(req.Provider), aiuc.Credential{APIKey: token})
+	return &types.AIProviderModelsData{
+		ID:      result.ID,
+		Label:   result.Label,
+		Models:  result.Models,
+		Streams: result.Streams,
+		Error:   result.Error,
+	}, nil
+}
diff --git a/haixun-backend/internal/logic/ai/list_ai_providers_logic.go b/haixun-backend/internal/logic/ai/list_ai_providers_logic.go
new file mode 100644
index 0000000..54e59cf
--- /dev/null
+++ b/haixun-backend/internal/logic/ai/list_ai_providers_logic.go
@@ -0,0 +1,30 @@
+package ai
+
+import (
+	"context"
+
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type ListAIProvidersLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewListAIProvidersLogic(ctx context.Context, svcCtx *svc.ServiceContext) *ListAIProvidersLogic {
+	return &ListAIProvidersLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *ListAIProvidersLogic) ListAIProviders() (*types.AIProvidersData, error) {
+	options := l.svcCtx.AI.ListProviders(l.ctx)
+	items := make([]types.AIProviderOption, 0, len(options))
+	for _, option := range options {
+		items = append(items, types.AIProviderOption{
+			ID:      option.ID,
+			Label:   option.Label,
+			Streams: option.Streams,
+		})
+	}
+	return &types.AIProvidersData{Providers: items}, nil
+}
diff --git a/haixun-backend/internal/logic/ai/mapper.go b/haixun-backend/internal/logic/ai/mapper.go
new file mode 100644
index 0000000..f319b22
--- /dev/null
+++ b/haixun-backend/internal/logic/ai/mapper.go
@@ -0,0 +1,28 @@
+package ai
+
+import (
+	"haixun-backend/internal/model/ai/domain/enum"
+	domai "haixun-backend/internal/model/ai/domain/usecase"
+	"haixun-backend/internal/types"
+)
+
+func toGenerateRequest(req *types.AIChatReq, token string) domai.GenerateRequest {
+	messages := make([]domai.Message, 0, len(req.Messages))
+	for _, msg := range req.Messages {
+		messages = append(messages, domai.Message{
+			Role:    msg.Role,
+			Content: msg.Content,
+		})
+	}
+	return domai.GenerateRequest{
+		Provider: enum.ProviderID(req.Provider),
+		Model:    req.Model,
+		Credential: domai.Credential{
+			APIKey: token,
+		},
+		System:      req.System,
+		Messages:    messages,
+		Temperature: req.Temperature,
+		MaxTokens:   req.MaxTokens,
+	}
+}
diff --git a/haixun-backend/internal/logic/auth/login_logic.go b/haixun-backend/internal/logic/auth/login_logic.go
new file mode 100644
index 0000000..2cfc217
--- /dev/null
+++ b/haixun-backend/internal/logic/auth/login_logic.go
@@ -0,0 +1,27 @@
+package auth
+
+import (
+	"context"
+
+	memberusecase "haixun-backend/internal/model/member/domain/usecase"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type LoginLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewLoginLogic(ctx context.Context, svcCtx *svc.ServiceContext) *LoginLogic {
+	return &LoginLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *LoginLogic) Login(req *types.AuthLoginReq) (*types.AuthTokenData, error) {
+	_, token, err := l.svcCtx.Member.Login(l.ctx, memberusecase.LoginRequest{
+		TenantID: req.TenantID,
+		Email:    req.Email,
+		Password: req.Password,
+	})
+	return toAuthTokenData(token), err
+}
diff --git a/haixun-backend/internal/logic/auth/logout_logic.go b/haixun-backend/internal/logic/auth/logout_logic.go
new file mode 100644
index 0000000..71b28e4
--- /dev/null
+++ b/haixun-backend/internal/logic/auth/logout_logic.go
@@ -0,0 +1,29 @@
+package auth
+
+import (
+	"context"
+
+	"haixun-backend/internal/middleware"
+	authusecase "haixun-backend/internal/model/auth/domain/usecase"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type LogoutLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewLogoutLogic(ctx context.Context, svcCtx *svc.ServiceContext) *LogoutLogic {
+	return &LogoutLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *LogoutLogic) Logout(authorization string) (*types.LogoutData, error) {
+	err := l.svcCtx.AuthToken.Logout(l.ctx, authusecase.LogoutRequest{
+		AccessToken: middleware.BearerToken(authorization),
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &types.LogoutData{OK: true}, nil
+}
diff --git a/haixun-backend/internal/logic/auth/mapper.go b/haixun-backend/internal/logic/auth/mapper.go
new file mode 100644
index 0000000..3aaf83e
--- /dev/null
+++ b/haixun-backend/internal/logic/auth/mapper.go
@@ -0,0 +1,19 @@
+package auth
+
+import (
+	memberusecase "haixun-backend/internal/model/member/domain/usecase"
+	"haixun-backend/internal/types"
+)
+
+func toAuthTokenData(token *memberusecase.AuthToken) *types.AuthTokenData {
+	if token == nil {
+		return nil
+	}
+	return &types.AuthTokenData{
+		AccessToken:  token.AccessToken,
+		RefreshToken: token.RefreshToken,
+		ExpiresIn:    token.ExpiresIn,
+		UID:          token.UID,
+		TokenType:    token.TokenType,
+	}
+}
diff --git a/haixun-backend/internal/logic/auth/refresh_logic.go b/haixun-backend/internal/logic/auth/refresh_logic.go
new file mode 100644
index 0000000..2f1df20
--- /dev/null
+++ b/haixun-backend/internal/logic/auth/refresh_logic.go
@@ -0,0 +1,31 @@
+package auth
+
+import (
+	"context"
+
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type RefreshLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewRefreshLogic(ctx context.Context, svcCtx *svc.ServiceContext) *RefreshLogic {
+	return &RefreshLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *RefreshLogic) Refresh(req *types.AuthRefreshReq) (*types.AuthTokenData, error) {
+	pair, err := l.svcCtx.AuthToken.Refresh(l.ctx, req.RefreshToken)
+	if err != nil {
+		return nil, err
+	}
+	return &types.AuthTokenData{
+		AccessToken:  pair.AccessToken,
+		RefreshToken: pair.RefreshToken,
+		ExpiresIn:    pair.ExpiresIn,
+		UID:          pair.UID,
+		TokenType:    pair.TokenType,
+	}, nil
+}
diff --git a/haixun-backend/internal/logic/auth/register_logic.go b/haixun-backend/internal/logic/auth/register_logic.go
new file mode 100644
index 0000000..9ee49cf
--- /dev/null
+++ b/haixun-backend/internal/logic/auth/register_logic.go
@@ -0,0 +1,29 @@
+package auth
+
+import (
+	"context"
+
+	memberusecase "haixun-backend/internal/model/member/domain/usecase"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type RegisterLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewRegisterLogic(ctx context.Context, svcCtx *svc.ServiceContext) *RegisterLogic {
+	return &RegisterLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *RegisterLogic) Register(req *types.AuthRegisterReq) (*types.AuthTokenData, error) {
+	_, token, err := l.svcCtx.Member.Register(l.ctx, memberusecase.RegisterRequest{
+		TenantID:    req.TenantID,
+		Email:       req.Email,
+		Password:    req.Password,
+		DisplayName: req.DisplayName,
+		Language:    req.Language,
+	})
+	return toAuthTokenData(token), err
+}
diff --git a/haixun-backend/internal/logic/job/cancel_job_logic.go b/haixun-backend/internal/logic/job/cancel_job_logic.go
new file mode 100644
index 0000000..72c354d
--- /dev/null
+++ b/haixun-backend/internal/logic/job/cancel_job_logic.go
@@ -0,0 +1,30 @@
+package job
+
+import (
+	"context"
+
+	domusecase "haixun-backend/internal/model/job/domain/usecase"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type CancelJobLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewCancelJobLogic(ctx context.Context, svcCtx *svc.ServiceContext) *CancelJobLogic {
+	return &CancelJobLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *CancelJobLogic) CancelJob(req *types.CancelJobReq) (*types.JobData, error) {
+	run, err := l.svcCtx.Job.RequestCancel(l.ctx, domusecase.CancelRunRequest{
+		JobID:  req.ID,
+		Reason: req.Reason,
+	})
+	if err != nil {
+		return nil, err
+	}
+	data := toJobData(run)
+	return &data, nil
+}
diff --git a/haixun-backend/internal/logic/job/create_job_logic.go b/haixun-backend/internal/logic/job/create_job_logic.go
new file mode 100644
index 0000000..91a8f81
--- /dev/null
+++ b/haixun-backend/internal/logic/job/create_job_logic.go
@@ -0,0 +1,32 @@
+package job
+
+import (
+	"context"
+
+	domusecase "haixun-backend/internal/model/job/domain/usecase"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type CreateJobLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewCreateJobLogic(ctx context.Context, svcCtx *svc.ServiceContext) *CreateJobLogic {
+	return &CreateJobLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *CreateJobLogic) CreateJob(req *types.CreateJobReq) (*types.JobData, error) {
+	run, err := l.svcCtx.Job.CreateRun(l.ctx, domusecase.CreateRunRequest{
+		TemplateType: req.TemplateType,
+		Scope:        req.Scope,
+		ScopeID:      req.ScopeID,
+		Payload:      req.Payload,
+	})
+	if err != nil {
+		return nil, err
+	}
+	data := toJobData(run)
+	return &data, nil
+}
diff --git a/haixun-backend/internal/logic/job/create_job_schedule_logic.go b/haixun-backend/internal/logic/job/create_job_schedule_logic.go
new file mode 100644
index 0000000..8737148
--- /dev/null
+++ b/haixun-backend/internal/logic/job/create_job_schedule_logic.go
@@ -0,0 +1,35 @@
+package job
+
+import (
+	"context"
+
+	domusecase "haixun-backend/internal/model/job/domain/usecase"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type CreateJobScheduleLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewCreateJobScheduleLogic(ctx context.Context, svcCtx *svc.ServiceContext) *CreateJobScheduleLogic {
+	return &CreateJobScheduleLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *CreateJobScheduleLogic) CreateJobSchedule(req *types.CreateJobScheduleReq) (*types.JobScheduleData, error) {
+	schedule, err := l.svcCtx.Job.CreateSchedule(l.ctx, domusecase.CreateScheduleRequest{
+		TemplateType:    req.TemplateType,
+		Scope:           req.Scope,
+		ScopeID:         req.ScopeID,
+		Cron:            req.Cron,
+		Timezone:        req.Timezone,
+		PayloadTemplate: req.PayloadTemplate,
+		Enabled:         req.Enabled,
+	})
+	if err != nil {
+		return nil, err
+	}
+	data := toJobScheduleData(schedule)
+	return &data, nil
+}
diff --git a/haixun-backend/internal/logic/job/disable_job_schedule_logic.go b/haixun-backend/internal/logic/job/disable_job_schedule_logic.go
new file mode 100644
index 0000000..d1847f8
--- /dev/null
+++ b/haixun-backend/internal/logic/job/disable_job_schedule_logic.go
@@ -0,0 +1,26 @@
+package job
+
+import (
+	"context"
+
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type DisableJobScheduleLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewDisableJobScheduleLogic(ctx context.Context, svcCtx *svc.ServiceContext) *DisableJobScheduleLogic {
+	return &DisableJobScheduleLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *DisableJobScheduleLogic) DisableJobSchedule(req *types.JobScheduleIDPath) (*types.JobScheduleData, error) {
+	schedule, err := l.svcCtx.Job.DisableSchedule(l.ctx, req.ID)
+	if err != nil {
+		return nil, err
+	}
+	data := toJobScheduleData(schedule)
+	return &data, nil
+}
diff --git a/haixun-backend/internal/logic/job/enable_job_schedule_logic.go b/haixun-backend/internal/logic/job/enable_job_schedule_logic.go
new file mode 100644
index 0000000..8e258b9
--- /dev/null
+++ b/haixun-backend/internal/logic/job/enable_job_schedule_logic.go
@@ -0,0 +1,26 @@
+package job
+
+import (
+	"context"
+
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type EnableJobScheduleLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewEnableJobScheduleLogic(ctx context.Context, svcCtx *svc.ServiceContext) *EnableJobScheduleLogic {
+	return &EnableJobScheduleLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *EnableJobScheduleLogic) EnableJobSchedule(req *types.JobScheduleIDPath) (*types.JobScheduleData, error) {
+	schedule, err := l.svcCtx.Job.EnableSchedule(l.ctx, req.ID)
+	if err != nil {
+		return nil, err
+	}
+	data := toJobScheduleData(schedule)
+	return &data, nil
+}
diff --git a/haixun-backend/internal/logic/job/get_job_logic.go b/haixun-backend/internal/logic/job/get_job_logic.go
new file mode 100644
index 0000000..c74e928
--- /dev/null
+++ b/haixun-backend/internal/logic/job/get_job_logic.go
@@ -0,0 +1,26 @@
+package job
+
+import (
+	"context"
+
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type GetJobLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewGetJobLogic(ctx context.Context, svcCtx *svc.ServiceContext) *GetJobLogic {
+	return &GetJobLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *GetJobLogic) GetJob(req *types.JobIDPath) (*types.JobData, error) {
+	run, err := l.svcCtx.Job.GetRun(l.ctx, req.ID)
+	if err != nil {
+		return nil, err
+	}
+	data := toJobData(run)
+	return &data, nil
+}
diff --git a/haixun-backend/internal/logic/job/get_job_template_logic.go b/haixun-backend/internal/logic/job/get_job_template_logic.go
new file mode 100644
index 0000000..dff3cff
--- /dev/null
+++ b/haixun-backend/internal/logic/job/get_job_template_logic.go
@@ -0,0 +1,26 @@
+package job
+
+import (
+	"context"
+
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type GetJobTemplateLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewGetJobTemplateLogic(ctx context.Context, svcCtx *svc.ServiceContext) *GetJobTemplateLogic {
+	return &GetJobTemplateLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *GetJobTemplateLogic) GetJobTemplate(req *types.JobTemplatePath) (*types.JobTemplateData, error) {
+	template, err := l.svcCtx.Job.GetTemplate(l.ctx, req.Type)
+	if err != nil {
+		return nil, err
+	}
+	data := toJobTemplateData(template)
+	return &data, nil
+}
diff --git a/haixun-backend/internal/logic/job/list_job_events_logic.go b/haixun-backend/internal/logic/job/list_job_events_logic.go
new file mode 100644
index 0000000..93345e1
--- /dev/null
+++ b/haixun-backend/internal/logic/job/list_job_events_logic.go
@@ -0,0 +1,33 @@
+package job
+
+import (
+	"context"
+
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type ListJobEventsLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewListJobEventsLogic(ctx context.Context, svcCtx *svc.ServiceContext) *ListJobEventsLogic {
+	return &ListJobEventsLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *ListJobEventsLogic) ListJobEvents(req *types.ListJobEventsReq) (*types.JobEventListData, error) {
+	limit := req.Limit
+	if limit <= 0 {
+		limit = 50
+	}
+	events, err := l.svcCtx.Job.ListJobEvents(l.ctx, req.ID, limit)
+	if err != nil {
+		return nil, err
+	}
+	list := make([]types.JobEventData, 0, len(events))
+	for _, event := range events {
+		list = append(list, toJobEventData(event))
+	}
+	return &types.JobEventListData{List: list}, nil
+}
diff --git a/haixun-backend/internal/logic/job/list_job_schedules_logic.go b/haixun-backend/internal/logic/job/list_job_schedules_logic.go
new file mode 100644
index 0000000..23c9b51
--- /dev/null
+++ b/haixun-backend/internal/logic/job/list_job_schedules_logic.go
@@ -0,0 +1,37 @@
+package job
+
+import (
+	"context"
+
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type ListJobSchedulesLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewListJobSchedulesLogic(ctx context.Context, svcCtx *svc.ServiceContext) *ListJobSchedulesLogic {
+	return &ListJobSchedulesLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *ListJobSchedulesLogic) ListJobSchedules(req *types.ListJobSchedulesReq) (*types.JobScheduleListData, error) {
+	items, total, page, pageSize, totalPages, err := l.svcCtx.Job.ListSchedules(l.ctx, req.Scope, req.ScopeID, req.Page, req.PageSize)
+	if err != nil {
+		return nil, err
+	}
+	list := make([]types.JobScheduleData, 0, len(items))
+	for _, item := range items {
+		list = append(list, toJobScheduleData(item))
+	}
+	return &types.JobScheduleListData{
+		Pagination: types.PaginationData{
+			Total:      total,
+			Page:       page,
+			PageSize:   pageSize,
+			TotalPages: totalPages,
+		},
+		List: list,
+	}, nil
+}
diff --git a/haixun-backend/internal/logic/job/list_job_templates_logic.go b/haixun-backend/internal/logic/job/list_job_templates_logic.go
new file mode 100644
index 0000000..443571e
--- /dev/null
+++ b/haixun-backend/internal/logic/job/list_job_templates_logic.go
@@ -0,0 +1,29 @@
+package job
+
+import (
+	"context"
+
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type ListJobTemplatesLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewListJobTemplatesLogic(ctx context.Context, svcCtx *svc.ServiceContext) *ListJobTemplatesLogic {
+	return &ListJobTemplatesLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *ListJobTemplatesLogic) ListJobTemplates() (*types.JobTemplateListData, error) {
+	templates, err := l.svcCtx.Job.ListTemplates(l.ctx)
+	if err != nil {
+		return nil, err
+	}
+	list := make([]types.JobTemplateData, 0, len(templates))
+	for _, template := range templates {
+		list = append(list, toJobTemplateData(template))
+	}
+	return &types.JobTemplateListData{List: list}, nil
+}
diff --git a/haixun-backend/internal/logic/job/list_jobs_logic.go b/haixun-backend/internal/logic/job/list_jobs_logic.go
new file mode 100644
index 0000000..6a46e06
--- /dev/null
+++ b/haixun-backend/internal/logic/job/list_jobs_logic.go
@@ -0,0 +1,37 @@
+package job
+
+import (
+	"context"
+
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type ListJobsLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewListJobsLogic(ctx context.Context, svcCtx *svc.ServiceContext) *ListJobsLogic {
+	return &ListJobsLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *ListJobsLogic) ListJobs(req *types.ListJobsReq) (*types.JobListData, error) {
+	runs, total, page, pageSize, totalPages, err := l.svcCtx.Job.ListRuns(l.ctx, req.Scope, req.ScopeID, req.Page, req.PageSize)
+	if err != nil {
+		return nil, err
+	}
+	list := make([]types.JobData, 0, len(runs))
+	for _, run := range runs {
+		list = append(list, toJobData(run))
+	}
+	return &types.JobListData{
+		Pagination: types.PaginationData{
+			Total:      total,
+			Page:       page,
+			PageSize:   pageSize,
+			TotalPages: totalPages,
+		},
+		List: list,
+	}, nil
+}
diff --git a/haixun-backend/internal/logic/job/mapper.go b/haixun-backend/internal/logic/job/mapper.go
new file mode 100644
index 0000000..b7d12f2
--- /dev/null
+++ b/haixun-backend/internal/logic/job/mapper.go
@@ -0,0 +1,123 @@
+package job
+
+import (
+	"haixun-backend/internal/model/job/domain/entity"
+	"haixun-backend/internal/types"
+)
+
+func toJobTemplateData(template *entity.Template) types.JobTemplateData {
+	steps := make([]types.JobTemplateStepData, 0, len(template.Steps))
+	for _, step := range template.Steps {
+		steps = append(steps, types.JobTemplateStepData{
+			ID:             step.ID,
+			Name:           step.Name,
+			WorkerType:     step.WorkerType,
+			TimeoutSeconds: step.TimeoutSeconds,
+			Cancelable:     step.Cancelable,
+		})
+	}
+	return types.JobTemplateData{
+		Type:              template.Type,
+		Version:           template.Version,
+		Name:              template.Name,
+		Description:       template.Description,
+		Enabled:           template.Enabled,
+		Repeatable:        template.Repeatable,
+		ConcurrencyPolicy: template.ConcurrencyPolicy,
+		DedupeKeys:        template.DedupeKeys,
+		TimeoutSeconds:    template.TimeoutSeconds,
+		CancelPolicy: types.JobCancelPolicyData{
+			Supported:    template.CancelPolicy.Supported,
+			Mode:         template.CancelPolicy.Mode,
+			GraceSeconds: template.CancelPolicy.GraceSeconds,
+		},
+		RetryPolicy: types.JobRetryPolicyData{
+			MaxAttempts:    template.RetryPolicy.MaxAttempts,
+			BackoffSeconds: template.RetryPolicy.BackoffSeconds,
+		},
+		Steps: steps,
+	}
+}
+
+func toJobData(run *entity.Run) types.JobData {
+	steps := make([]types.JobStepProgressData, 0, len(run.Progress.Steps))
+	for _, step := range run.Progress.Steps {
+		steps = append(steps, types.JobStepProgressData{
+			ID:        step.ID,
+			Status:    string(step.Status),
+			StartedAt: step.StartedAt,
+			EndedAt:   step.EndedAt,
+			Message:   step.Message,
+		})
+	}
+	return types.JobData{
+		ID:              run.ID.Hex(),
+		TemplateType:    run.TemplateType,
+		TemplateVersion: run.TemplateVersion,
+		Scope:           run.Scope,
+		ScopeID:         run.ScopeID,
+		Status:          string(run.Status),
+		Phase:           run.Phase,
+		WorkerType:      run.WorkerType,
+		Payload:         run.Payload,
+		Progress: types.JobProgressData{
+			Summary:    run.Progress.Summary,
+			Percentage: run.Progress.Percentage,
+			Steps:      steps,
+		},
+		Result:            run.Result,
+		Error:             run.Error,
+		Attempt:           run.Attempt,
+		MaxAttempts:       run.MaxAttempts,
+		CancelRequestedAt: run.CancelRequestedAt,
+		CancelReason:      run.CancelReason,
+		StartedAt:         run.StartedAt,
+		CompletedAt:       run.CompletedAt,
+		CreateAt:          run.CreateAt,
+		UpdateAt:          run.UpdateAt,
+	}
+}
+
+func toJobScheduleData(schedule *entity.Schedule) types.JobScheduleData {
+	return types.JobScheduleData{
+		ID:              schedule.ID.Hex(),
+		TemplateType:    schedule.TemplateType,
+		Scope:           schedule.Scope,
+		ScopeID:         schedule.ScopeID,
+		Enabled:         schedule.Enabled,
+		Cron:            schedule.Cron,
+		Timezone:        schedule.Timezone,
+		PayloadTemplate: schedule.PayloadTemplate,
+		LastRunAt:       schedule.LastRunAt,
+		NextRunAt:       schedule.NextRunAt,
+		CreateAt:        schedule.CreateAt,
+		UpdateAt:        schedule.UpdateAt,
+	}
+}
+
+func toJobEventData(event *entity.Event) types.JobEventData {
+	return types.JobEventData{
+		ID:       event.ID.Hex(),
+		JobID:    event.JobID,
+		Type:     event.Type,
+		From:     event.From,
+		To:       event.To,
+		Message:  event.Message,
+		Metadata: event.Metadata,
+		CreateAt: event.CreateAt,
+	}
+}
+
+func toTemplateSteps(steps []types.JobTemplateStepData) []entity.TemplateStep {
+	out := make([]entity.TemplateStep, 0, len(steps))
+	for _, step := range steps {
+		out = append(out, entity.TemplateStep{
+			ID:             step.ID,
+			Name:           step.Name,
+			WorkerType:     step.WorkerType,
+			TimeoutSeconds: step.TimeoutSeconds,
+			Cancelable:     step.Cancelable,
+		})
+	}
+	return out
+}
diff --git a/haixun-backend/internal/logic/job/retry_job_logic.go b/haixun-backend/internal/logic/job/retry_job_logic.go
new file mode 100644
index 0000000..a1afe94
--- /dev/null
+++ b/haixun-backend/internal/logic/job/retry_job_logic.go
@@ -0,0 +1,26 @@
+package job
+
+import (
+	"context"
+
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type RetryJobLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewRetryJobLogic(ctx context.Context, svcCtx *svc.ServiceContext) *RetryJobLogic {
+	return &RetryJobLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *RetryJobLogic) RetryJob(req *types.JobIDPath) (*types.JobData, error) {
+	run, err := l.svcCtx.Job.RetryRun(l.ctx, req.ID)
+	if err != nil {
+		return nil, err
+	}
+	data := toJobData(run)
+	return &data, nil
+}
diff --git a/haixun-backend/internal/logic/job/update_job_schedule_logic.go b/haixun-backend/internal/logic/job/update_job_schedule_logic.go
new file mode 100644
index 0000000..26a1273
--- /dev/null
+++ b/haixun-backend/internal/logic/job/update_job_schedule_logic.go
@@ -0,0 +1,33 @@
+package job
+
+import (
+	"context"
+
+	domusecase "haixun-backend/internal/model/job/domain/usecase"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type UpdateJobScheduleLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewUpdateJobScheduleLogic(ctx context.Context, svcCtx *svc.ServiceContext) *UpdateJobScheduleLogic {
+	return &UpdateJobScheduleLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *UpdateJobScheduleLogic) UpdateJobSchedule(req *types.UpdateJobScheduleReq) (*types.JobScheduleData, error) {
+	schedule, err := l.svcCtx.Job.UpdateSchedule(l.ctx, domusecase.UpdateScheduleRequest{
+		ID:              req.ID,
+		Cron:            req.Cron,
+		Timezone:        req.Timezone,
+		PayloadTemplate: req.PayloadTemplate,
+		Enabled:         req.Enabled,
+	})
+	if err != nil {
+		return nil, err
+	}
+	data := toJobScheduleData(schedule)
+	return &data, nil
+}
diff --git a/haixun-backend/internal/logic/job/upsert_job_template_logic.go b/haixun-backend/internal/logic/job/upsert_job_template_logic.go
new file mode 100644
index 0000000..771527c
--- /dev/null
+++ b/haixun-backend/internal/logic/job/upsert_job_template_logic.go
@@ -0,0 +1,48 @@
+package job
+
+import (
+	"context"
+
+	"haixun-backend/internal/model/job/domain/entity"
+	domusecase "haixun-backend/internal/model/job/domain/usecase"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type UpsertJobTemplateLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewUpsertJobTemplateLogic(ctx context.Context, svcCtx *svc.ServiceContext) *UpsertJobTemplateLogic {
+	return &UpsertJobTemplateLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *UpsertJobTemplateLogic) UpsertJobTemplate(req *types.UpsertJobTemplateReq) (*types.JobTemplateData, error) {
+	template, err := l.svcCtx.Job.UpsertTemplate(l.ctx, domusecase.UpsertTemplateRequest{
+		Type:              req.Type,
+		Version:           req.Version,
+		Name:              req.Name,
+		Description:       req.Description,
+		Enabled:           req.Enabled,
+		Repeatable:        req.Repeatable,
+		ConcurrencyPolicy: req.ConcurrencyPolicy,
+		DedupeKeys:        req.DedupeKeys,
+		TimeoutSeconds:    req.TimeoutSeconds,
+		CancelPolicy: entity.CancelPolicy{
+			Supported:    req.CancelPolicy.Supported,
+			Mode:         req.CancelPolicy.Mode,
+			GraceSeconds: req.CancelPolicy.GraceSeconds,
+		},
+		RetryPolicy: entity.RetryPolicy{
+			MaxAttempts:    req.RetryPolicy.MaxAttempts,
+			BackoffSeconds: req.RetryPolicy.BackoffSeconds,
+		},
+		Steps: toTemplateSteps(req.Steps),
+	})
+	if err != nil {
+		return nil, err
+	}
+	data := toJobTemplateData(template)
+	return &data, nil
+}
diff --git a/haixun-backend/internal/logic/member/get_member_me_logic.go b/haixun-backend/internal/logic/member/get_member_me_logic.go
new file mode 100644
index 0000000..7dc61bd
--- /dev/null
+++ b/haixun-backend/internal/logic/member/get_member_me_logic.go
@@ -0,0 +1,32 @@
+package member
+
+import (
+	"context"
+
+	"haixun-backend/internal/library/authctx"
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type GetMemberMeLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewGetMemberMeLogic(ctx context.Context, svcCtx *svc.ServiceContext) *GetMemberMeLogic {
+	return &GetMemberMeLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *GetMemberMeLogic) GetMemberMe() (*types.MemberMeData, error) {
+	actor, ok := authctx.ActorFromContext(l.ctx)
+	if !ok {
+		return nil, app.For(code.Auth).AuthUnauthorized("missing actor")
+	}
+	member, err := l.svcCtx.Member.GetByUID(l.ctx, actor.TenantID, actor.UID)
+	if err != nil {
+		return nil, err
+	}
+	return toMemberMeData(member), nil
+}
diff --git a/haixun-backend/internal/logic/member/mapper.go b/haixun-backend/internal/logic/member/mapper.go
new file mode 100644
index 0000000..985f7bd
--- /dev/null
+++ b/haixun-backend/internal/logic/member/mapper.go
@@ -0,0 +1,31 @@
+package member
+
+import (
+	"haixun-backend/internal/model/member/domain/entity"
+	"haixun-backend/internal/types"
+)
+
+func toMemberMeData(member *entity.Member) *types.MemberMeData {
+	if member == nil {
+		return nil
+	}
+	return &types.MemberMeData{
+		TenantID:              member.TenantID,
+		UID:                   member.UID,
+		Email:                 member.Email,
+		DisplayName:           member.DisplayName,
+		Avatar:                member.Avatar,
+		Phone:                 member.Phone,
+		Language:              member.Language,
+		Currency:              member.Currency,
+		Status:                string(member.Status),
+		Origin:                string(member.Origin),
+		Roles:                 member.Roles,
+		BusinessEmail:         member.BusinessEmail,
+		BusinessEmailVerified: member.BusinessEmailVerified,
+		BusinessPhone:         member.BusinessPhone,
+		BusinessPhoneVerified: member.BusinessPhoneVerified,
+		CreateAt:              member.CreateAt,
+		UpdateAt:              member.UpdateAt,
+	}
+}
diff --git a/haixun-backend/internal/logic/member/update_member_me_logic.go b/haixun-backend/internal/logic/member/update_member_me_logic.go
new file mode 100644
index 0000000..d06ac4d
--- /dev/null
+++ b/haixun-backend/internal/logic/member/update_member_me_logic.go
@@ -0,0 +1,48 @@
+package member
+
+import (
+	"context"
+
+	"haixun-backend/internal/library/authctx"
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	memberusecase "haixun-backend/internal/model/member/domain/usecase"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type UpdateMemberMeLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewUpdateMemberMeLogic(ctx context.Context, svcCtx *svc.ServiceContext) *UpdateMemberMeLogic {
+	return &UpdateMemberMeLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *UpdateMemberMeLogic) UpdateMemberMe(req *types.UpdateMemberMeReq) (*types.MemberMeData, error) {
+	actor, ok := authctx.ActorFromContext(l.ctx)
+	if !ok {
+		return nil, app.For(code.Auth).AuthUnauthorized("missing actor")
+	}
+	member, err := l.svcCtx.Member.UpdateProfile(l.ctx, memberusecase.UpdateProfileRequest{
+		TenantID:    actor.TenantID,
+		UID:         actor.UID,
+		DisplayName: optionalString(req.DisplayName),
+		Avatar:      optionalString(req.Avatar),
+		Language:    optionalString(req.Language),
+		Currency:    optionalString(req.Currency),
+		Phone:       optionalString(req.Phone),
+	})
+	if err != nil {
+		return nil, err
+	}
+	return toMemberMeData(member), nil
+}
+
+func optionalString(value string) *string {
+	if value == "" {
+		return nil
+	}
+	return &value
+}
diff --git a/haixun-backend/internal/logic/normal/health_logic.go b/haixun-backend/internal/logic/normal/health_logic.go
new file mode 100644
index 0000000..011a700
--- /dev/null
+++ b/haixun-backend/internal/logic/normal/health_logic.go
@@ -0,0 +1,21 @@
+package normal
+
+import (
+	"context"
+
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type HealthLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewHealthLogic(ctx context.Context, svcCtx *svc.ServiceContext) *HealthLogic {
+	return &HealthLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *HealthLogic) Health() (*types.HealthData, error) {
+	return &types.HealthData{Pong: "ok"}, nil
+}
diff --git a/haixun-backend/internal/logic/permission/get_me_permissions_logic.go b/haixun-backend/internal/logic/permission/get_me_permissions_logic.go
new file mode 100644
index 0000000..43f26e7
--- /dev/null
+++ b/haixun-backend/internal/logic/permission/get_me_permissions_logic.go
@@ -0,0 +1,42 @@
+package permission
+
+import (
+	"context"
+
+	"haixun-backend/internal/library/authctx"
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type GetMePermissionsLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewGetMePermissionsLogic(ctx context.Context, svcCtx *svc.ServiceContext) *GetMePermissionsLogic {
+	return &GetMePermissionsLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *GetMePermissionsLogic) GetMePermissions(req *types.MePermissionsQuery) (*types.MePermissionsData, error) {
+	actor, ok := authctx.ActorFromContext(l.ctx)
+	if !ok {
+		return nil, app.For(code.Auth).AuthUnauthorized("missing actor")
+	}
+	member, err := l.svcCtx.Member.GetByUID(l.ctx, actor.TenantID, actor.UID)
+	if err != nil {
+		return nil, err
+	}
+	perms, err := l.svcCtx.Permission.Me(l.ctx, member, req.IncludeTree)
+	if err != nil {
+		return nil, err
+	}
+	return &types.MePermissionsData{
+		UID:         perms.UID,
+		TenantID:    perms.TenantID,
+		Roles:       perms.Roles,
+		Permissions: perms.Permissions,
+		Tree:        toPermissionNodes(perms.Tree),
+	}, nil
+}
diff --git a/haixun-backend/internal/logic/permission/get_permission_catalog_logic.go b/haixun-backend/internal/logic/permission/get_permission_catalog_logic.go
new file mode 100644
index 0000000..553575f
--- /dev/null
+++ b/haixun-backend/internal/logic/permission/get_permission_catalog_logic.go
@@ -0,0 +1,33 @@
+package permission
+
+import (
+	"context"
+
+	domusecase "haixun-backend/internal/model/permission/domain/usecase"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type GetPermissionCatalogLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewGetPermissionCatalogLogic(ctx context.Context, svcCtx *svc.ServiceContext) *GetPermissionCatalogLogic {
+	return &GetPermissionCatalogLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *GetPermissionCatalogLogic) GetPermissionCatalog(req *types.PermissionCatalogQuery) (*types.PermissionCatalogData, error) {
+	tree, list, err := l.svcCtx.Permission.Catalog(l.ctx, domusecase.CatalogRequest{
+		Status: req.Status,
+		Type:   req.Type,
+		Tree:   req.Tree,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &types.PermissionCatalogData{
+		Tree: toPermissionNodes(tree),
+		List: toPermissionNodes(list),
+	}, nil
+}
diff --git a/haixun-backend/internal/logic/permission/mapper.go b/haixun-backend/internal/logic/permission/mapper.go
new file mode 100644
index 0000000..25f3b3f
--- /dev/null
+++ b/haixun-backend/internal/logic/permission/mapper.go
@@ -0,0 +1,33 @@
+package permission
+
+import (
+	domusecase "haixun-backend/internal/model/permission/domain/usecase"
+	"haixun-backend/internal/types"
+)
+
+func toPermissionNode(node domusecase.PermissionNode) types.PermissionNode {
+	out := types.PermissionNode{
+		ID:          node.ID,
+		Parent:      node.Parent,
+		Name:        node.Name,
+		HTTPMethods: node.HTTPMethods,
+		HTTPPath:    node.HTTPPath,
+		Status:      node.Status,
+		Type:        node.Type,
+	}
+	if len(node.Children) > 0 {
+		out.Children = make([]types.PermissionNode, 0, len(node.Children))
+		for _, child := range node.Children {
+			out.Children = append(out.Children, toPermissionNode(child))
+		}
+	}
+	return out
+}
+
+func toPermissionNodes(nodes []domusecase.PermissionNode) []types.PermissionNode {
+	out := make([]types.PermissionNode, 0, len(nodes))
+	for _, node := range nodes {
+		out = append(out, toPermissionNode(node))
+	}
+	return out
+}
diff --git a/haixun-backend/internal/logic/setting/delete_setting_logic.go b/haixun-backend/internal/logic/setting/delete_setting_logic.go
new file mode 100644
index 0000000..6eb1395
--- /dev/null
+++ b/haixun-backend/internal/logic/setting/delete_setting_logic.go
@@ -0,0 +1,21 @@
+package setting
+
+import (
+	"context"
+
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type DeleteSettingLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewDeleteSettingLogic(ctx context.Context, svcCtx *svc.ServiceContext) *DeleteSettingLogic {
+	return &DeleteSettingLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *DeleteSettingLogic) DeleteSetting(req *types.SettingKeyPath) error {
+	return l.svcCtx.Setting.Delete(l.ctx, req.Scope, req.ScopeID, req.Key)
+}
diff --git a/haixun-backend/internal/logic/setting/get_setting_logic.go b/haixun-backend/internal/logic/setting/get_setting_logic.go
new file mode 100644
index 0000000..eb5ab6d
--- /dev/null
+++ b/haixun-backend/internal/logic/setting/get_setting_logic.go
@@ -0,0 +1,26 @@
+package setting
+
+import (
+	"context"
+
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type GetSettingLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewGetSettingLogic(ctx context.Context, svcCtx *svc.ServiceContext) *GetSettingLogic {
+	return &GetSettingLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *GetSettingLogic) GetSetting(req *types.SettingKeyPath) (*types.SettingData, error) {
+	item, err := l.svcCtx.Setting.Get(l.ctx, req.Scope, req.ScopeID, req.Key)
+	if err != nil {
+		return nil, err
+	}
+	data := toSettingData(item)
+	return &data, nil
+}
diff --git a/haixun-backend/internal/logic/setting/list_settings_logic.go b/haixun-backend/internal/logic/setting/list_settings_logic.go
new file mode 100644
index 0000000..da5b2cc
--- /dev/null
+++ b/haixun-backend/internal/logic/setting/list_settings_logic.go
@@ -0,0 +1,41 @@
+package setting
+
+import (
+	"context"
+
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type ListSettingsLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewListSettingsLogic(ctx context.Context, svcCtx *svc.ServiceContext) *ListSettingsLogic {
+	return &ListSettingsLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *ListSettingsLogic) ListSettings(req *types.SettingPath) (*types.SettingListData, error) {
+	items, total, page, pageSize, err := l.svcCtx.Setting.List(l.ctx, req.Scope, req.ScopeID, req.Page, req.PageSize)
+	if err != nil {
+		return nil, err
+	}
+	data := make([]types.SettingData, 0, len(items))
+	for _, item := range items {
+		data = append(data, toSettingData(item))
+	}
+	totalPages := int64(0)
+	if pageSize > 0 {
+		totalPages = (total + pageSize - 1) / pageSize
+	}
+	return &types.SettingListData{
+		Pagination: types.PaginationData{
+			Total:      total,
+			Page:       page,
+			PageSize:   pageSize,
+			TotalPages: totalPages,
+		},
+		List: data,
+	}, nil
+}
diff --git a/haixun-backend/internal/logic/setting/mapper.go b/haixun-backend/internal/logic/setting/mapper.go
new file mode 100644
index 0000000..36825f0
--- /dev/null
+++ b/haixun-backend/internal/logic/setting/mapper.go
@@ -0,0 +1,19 @@
+package setting
+
+import (
+	"haixun-backend/internal/model/setting/domain/entity"
+	"haixun-backend/internal/types"
+)
+
+func toSettingData(item *entity.Setting) types.SettingData {
+	return types.SettingData{
+		ID:       item.ID.Hex(),
+		Scope:    item.Scope,
+		ScopeID:  item.ScopeID,
+		Key:      item.Key,
+		Value:    item.Value,
+		Version:  item.Version,
+		CreateAt: item.CreateAt,
+		UpdateAt: item.UpdateAt,
+	}
+}
diff --git a/haixun-backend/internal/logic/setting/upsert_setting_logic.go b/haixun-backend/internal/logic/setting/upsert_setting_logic.go
new file mode 100644
index 0000000..d30547d
--- /dev/null
+++ b/haixun-backend/internal/logic/setting/upsert_setting_logic.go
@@ -0,0 +1,33 @@
+package setting
+
+import (
+	"context"
+
+	settinguc "haixun-backend/internal/model/setting/domain/usecase"
+	"haixun-backend/internal/svc"
+	"haixun-backend/internal/types"
+)
+
+type UpsertSettingLogic struct {
+	ctx    context.Context
+	svcCtx *svc.ServiceContext
+}
+
+func NewUpsertSettingLogic(ctx context.Context, svcCtx *svc.ServiceContext) *UpsertSettingLogic {
+	return &UpsertSettingLogic{ctx: ctx, svcCtx: svcCtx}
+}
+
+func (l *UpsertSettingLogic) UpsertSetting(req *types.SettingUpsertReq) (*types.SettingData, error) {
+	item, err := l.svcCtx.Setting.Upsert(l.ctx, settinguc.UpsertRequest{
+		Scope:   req.Scope,
+		ScopeID: req.ScopeID,
+		Key:     req.Key,
+		Value:   req.Value,
+		Version: req.Version,
+	})
+	if err != nil {
+		return nil, err
+	}
+	data := toSettingData(item)
+	return &data, nil
+}
diff --git a/haixun-backend/internal/middleware/auth.go b/haixun-backend/internal/middleware/auth.go
new file mode 100644
index 0000000..be8f782
--- /dev/null
+++ b/haixun-backend/internal/middleware/auth.go
@@ -0,0 +1,97 @@
+package middleware
+
+import (
+	"net/http"
+	"strings"
+
+	"haixun-backend/internal/config"
+	"haixun-backend/internal/library/authctx"
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	authusecase "haixun-backend/internal/model/auth/domain/usecase"
+	"haixun-backend/internal/response"
+
+	"github.com/zeromicro/go-zero/rest"
+)
+
+const MemberAuthorizationHeader = "X-Member-Authorization"
+
+// Auth validates member JWT from Authorization: Bearer <access_token>.
+// Use for all protected routes except AI endpoints that reserve Authorization for provider tokens.
+func Auth(tokens authusecase.TokenUseCase, cfg config.AuthConf, next http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		actor, err := resolveActor(r, tokens, cfg, r.Header.Get("Authorization"), "missing bearer token")
+		if err != nil {
+			response.Write(r.Context(), w, nil, err)
+			return
+		}
+		next(w, r.WithContext(authctx.WithActor(r.Context(), actor)))
+	}
+}
+
+// MemberAuth validates member JWT from X-Member-Authorization.
+// AI routes keep Authorization for provider API keys.
+func MemberAuth(tokens authusecase.TokenUseCase, cfg config.AuthConf, next http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		actor, err := resolveActor(r, tokens, cfg, r.Header.Get(MemberAuthorizationHeader), "missing member bearer token")
+		if err != nil {
+			response.Write(r.Context(), w, nil, err)
+			return
+		}
+		next(w, r.WithContext(authctx.WithActor(r.Context(), actor)))
+	}
+}
+
+// RestAuth wraps Auth as a go-zero route middleware.
+func RestAuth(tokens authusecase.TokenUseCase, cfg config.AuthConf) rest.Middleware {
+	return func(next http.HandlerFunc) http.HandlerFunc {
+		return Auth(tokens, cfg, next)
+	}
+}
+
+// RestMemberAuth wraps MemberAuth as a go-zero route middleware.
+func RestMemberAuth(tokens authusecase.TokenUseCase, cfg config.AuthConf) rest.Middleware {
+	return func(next http.HandlerFunc) http.HandlerFunc {
+		return MemberAuth(tokens, cfg, next)
+	}
+}
+
+func resolveActor(
+	r *http.Request,
+	tokens authusecase.TokenUseCase,
+	cfg config.AuthConf,
+	authorizationHeader string,
+	missingMessage string,
+) (authctx.Actor, error) {
+	if cfg.DevHeaderFallback {
+		tenantID := strings.TrimSpace(r.Header.Get("X-Tenant-ID"))
+		uid := strings.TrimSpace(r.Header.Get("X-UID"))
+		if tenantID != "" && uid != "" {
+			return authctx.Actor{TenantID: tenantID, UID: uid}, nil
+		}
+	}
+	raw := bearerToken(authorizationHeader)
+	if raw == "" {
+		return authctx.Actor{}, app.For(code.Auth).AuthUnauthorized(missingMessage)
+	}
+	if tokens == nil {
+		return authctx.Actor{}, app.For(code.Auth).SysNotImplemented("token usecase is not configured")
+	}
+	claims, err := tokens.ParseAccessToken(r.Context(), raw)
+	if err != nil {
+		return authctx.Actor{}, err
+	}
+	return authctx.Actor{TenantID: claims.TenantID, UID: claims.UID, JTI: claims.JTI}, nil
+}
+
+func BearerToken(header string) string {
+	return bearerToken(header)
+}
+
+func bearerToken(header string) string {
+	const prefix = "Bearer "
+	if !strings.HasPrefix(header, prefix) {
+		return ""
+	}
+	return strings.TrimSpace(strings.TrimPrefix(header, prefix))
+}
diff --git a/haixun-backend/internal/middleware/auth_test.go b/haixun-backend/internal/middleware/auth_test.go
new file mode 100644
index 0000000..2a921e6
--- /dev/null
+++ b/haixun-backend/internal/middleware/auth_test.go
@@ -0,0 +1,46 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"haixun-backend/internal/config"
+	"haixun-backend/internal/library/authctx"
+)
+
+func TestMemberAuth_DevHeaderFallback(t *testing.T) {
+	called := false
+	handler := MemberAuth(nil, config.AuthConf{DevHeaderFallback: true}, func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		actor, ok := authctx.ActorFromContext(r.Context())
+		if !ok || actor.UID != "u1" {
+			t.Fatalf("actor = %+v, ok=%v", actor, ok)
+		}
+	})
+
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/ai/chat", nil)
+	req.Header.Set("X-Tenant-ID", "default")
+	req.Header.Set("X-UID", "u1")
+	req.Header.Set("Authorization", "Bearer sk-provider-key")
+	rec := httptest.NewRecorder()
+	handler(rec, req)
+
+	if !called {
+		t.Fatal("expected handler to be called via dev headers")
+	}
+}
+
+func TestAuth_RequiresAuthorizationBearer(t *testing.T) {
+	handler := Auth(nil, config.AuthConf{DevHeaderFallback: false}, func(w http.ResponseWriter, r *http.Request) {
+		t.Fatal("handler should not be called")
+	})
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/jobs", nil)
+	rec := httptest.NewRecorder()
+	handler(rec, req)
+
+	if rec.Code != http.StatusUnauthorized {
+		t.Fatalf("status = %d, want 401", rec.Code)
+	}
+}
diff --git a/haixun-backend/internal/middleware/authjwt_middleware.go b/haixun-backend/internal/middleware/authjwt_middleware.go
new file mode 100644
index 0000000..4d29299
--- /dev/null
+++ b/haixun-backend/internal/middleware/authjwt_middleware.go
@@ -0,0 +1,23 @@
+package middleware
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/config"
+	authusecase "haixun-backend/internal/model/auth/domain/usecase"
+)
+
+// AuthJWTMiddleware enforces Bearer member JWT on protected routes.
+// Mounted via @server(middleware: AuthJWT) in generate/api/*.api.
+type AuthJWTMiddleware struct {
+	tokens authusecase.TokenUseCase
+	cfg    config.AuthConf
+}
+
+func NewAuthJWTMiddleware(tokens authusecase.TokenUseCase, cfg config.AuthConf) *AuthJWTMiddleware {
+	return &AuthJWTMiddleware{tokens: tokens, cfg: cfg}
+}
+
+func (m *AuthJWTMiddleware) Handle(next http.HandlerFunc) http.HandlerFunc {
+	return Auth(m.tokens, m.cfg, next)
+}
diff --git a/haixun-backend/internal/middleware/memberauth_middleware.go b/haixun-backend/internal/middleware/memberauth_middleware.go
new file mode 100644
index 0000000..bbf26cf
--- /dev/null
+++ b/haixun-backend/internal/middleware/memberauth_middleware.go
@@ -0,0 +1,24 @@
+package middleware
+
+import (
+	"net/http"
+
+	"haixun-backend/internal/config"
+	authusecase "haixun-backend/internal/model/auth/domain/usecase"
+)
+
+// MemberAuthMiddleware enforces member JWT from X-Member-Authorization.
+// AI routes keep Authorization for provider API keys.
+// Mounted via @server(middleware: MemberAuth) in generate/api/ai.api.
+type MemberAuthMiddleware struct {
+	tokens authusecase.TokenUseCase
+	cfg    config.AuthConf
+}
+
+func NewMemberAuthMiddleware(tokens authusecase.TokenUseCase, cfg config.AuthConf) *MemberAuthMiddleware {
+	return &MemberAuthMiddleware{tokens: tokens, cfg: cfg}
+}
+
+func (m *MemberAuthMiddleware) Handle(next http.HandlerFunc) http.HandlerFunc {
+	return MemberAuth(m.tokens, m.cfg, next)
+}
diff --git a/haixun-backend/internal/model/ai/domain/enum/provider.go b/haixun-backend/internal/model/ai/domain/enum/provider.go
new file mode 100644
index 0000000..44a1913
--- /dev/null
+++ b/haixun-backend/internal/model/ai/domain/enum/provider.go
@@ -0,0 +1,8 @@
+package enum
+
+type ProviderID string
+
+const (
+	ProviderOpenCode ProviderID = "opencode-go"
+	ProviderXAI      ProviderID = "xai"
+)
diff --git a/haixun-backend/internal/model/ai/domain/usecase/ai.go b/haixun-backend/internal/model/ai/domain/usecase/ai.go
new file mode 100644
index 0000000..024e657
--- /dev/null
+++ b/haixun-backend/internal/model/ai/domain/usecase/ai.go
@@ -0,0 +1,66 @@
+package usecase
+
+import (
+	"context"
+
+	"haixun-backend/internal/model/ai/domain/enum"
+)
+
+type Message struct {
+	Role    string
+	Content string
+}
+
+type Credential struct {
+	APIKey string
+}
+
+type GenerateRequest struct {
+	Provider    enum.ProviderID
+	Model       string
+	Credential  Credential
+	System      string
+	Messages    []Message
+	Temperature *float64
+	MaxTokens   *int
+}
+
+type GenerateResult struct {
+	Text         string
+	FinishReason string
+}
+
+type StreamEvent struct {
+	Type         string `json:"type"`
+	Text         string `json:"text,omitempty"`
+	FinishReason string `json:"finish_reason,omitempty"`
+	Error        string `json:"error,omitempty"`
+}
+
+type ProviderOption struct {
+	ID      string
+	Label   string
+	Streams bool
+}
+
+type ProviderModels struct {
+	ID      string
+	Label   string
+	Models  []string
+	Streams bool
+	Error   string
+}
+
+type Provider interface {
+	ID() enum.ProviderID
+	ListModels(ctx context.Context, credential Credential) ([]string, error)
+	GenerateText(ctx context.Context, req GenerateRequest) (*GenerateResult, error)
+	StreamText(ctx context.Context, req GenerateRequest) (<-chan StreamEvent, error)
+}
+
+type UseCase interface {
+	ListProviders(ctx context.Context) []ProviderOption
+	ListProviderModels(ctx context.Context, provider enum.ProviderID, credential Credential) ProviderModels
+	GenerateText(ctx context.Context, req GenerateRequest) (*GenerateResult, error)
+	StreamText(ctx context.Context, req GenerateRequest) (<-chan StreamEvent, error)
+}
diff --git a/haixun-backend/internal/model/ai/provider/openai_compatible.go b/haixun-backend/internal/model/ai/provider/openai_compatible.go
new file mode 100644
index 0000000..7762995
--- /dev/null
+++ b/haixun-backend/internal/model/ai/provider/openai_compatible.go
@@ -0,0 +1,356 @@
+package provider
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"sort"
+	"strings"
+	"time"
+
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/model/ai/domain/enum"
+	domai "haixun-backend/internal/model/ai/domain/usecase"
+)
+
+type OpenAICompatible struct {
+	id      enum.ProviderID
+	baseURL string
+	client  *http.Client
+}
+
+func NewOpenAICompatible(id enum.ProviderID, baseURL string) *OpenAICompatible {
+	return &OpenAICompatible{
+		id:      id,
+		baseURL: strings.TrimRight(baseURL, "/"),
+		client:  &http.Client{Timeout: 10 * time.Minute},
+	}
+}
+
+func (p *OpenAICompatible) ID() enum.ProviderID {
+	return p.id
+}
+
+func (p *OpenAICompatible) ListModels(ctx context.Context, credential domai.Credential) ([]string, error) {
+	if strings.TrimSpace(credential.APIKey) == "" {
+		return nil, app.For(code.AI).InputMissingRequired("missing AI provider token")
+	}
+
+	httpReq, err := http.NewRequestWithContext(ctx, http.MethodGet, p.baseURL+"/models", nil)
+	if err != nil {
+		return nil, err
+	}
+	httpReq.Header.Set("Authorization", "Bearer "+credential.APIKey)
+	httpReq.Header.Set("Accept", "application/json")
+
+	resp, err := p.client.Do(httpReq)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	data, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
+	if err != nil {
+		return nil, err
+	}
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		return nil, providerHTTPError("AI provider models request failed", resp.StatusCode, resp.Status)
+	}
+
+	var payload openAIModelsResponse
+	if err := json.Unmarshal(data, &payload); err != nil {
+		return nil, app.For(code.AI).SvcThirdParty("failed to parse AI provider models response")
+	}
+
+	models := make([]string, 0, len(payload.Data))
+	for _, item := range payload.Data {
+		id := strings.TrimSpace(item.ID)
+		if id == "" {
+			continue
+		}
+		models = append(models, id)
+	}
+	sort.Strings(models)
+	return models, nil
+}
+
+func (p *OpenAICompatible) GenerateText(ctx context.Context, req domai.GenerateRequest) (*domai.GenerateResult, error) {
+	if strings.TrimSpace(req.Credential.APIKey) == "" {
+		return nil, app.For(code.AI).InputMissingRequired("missing AI provider token")
+	}
+
+	body := p.buildChatCompletionRequest(req, false)
+	payload, err := json.Marshal(body)
+	if err != nil {
+		return nil, err
+	}
+
+	httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, p.baseURL+"/chat/completions", bytes.NewReader(payload))
+	if err != nil {
+		return nil, err
+	}
+	httpReq.Header.Set("Authorization", "Bearer "+req.Credential.APIKey)
+	httpReq.Header.Set("Content-Type", "application/json")
+	httpReq.Header.Set("Accept", "application/json")
+
+	resp, err := p.client.Do(httpReq)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	data, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
+	if err != nil {
+		return nil, err
+	}
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		return nil, providerHTTPError("AI provider request failed", resp.StatusCode, resp.Status)
+	}
+
+	var chatResp openAIChatResponse
+	if err := json.Unmarshal(data, &chatResp); err != nil {
+		return nil, app.For(code.AI).SvcThirdParty("failed to parse AI provider chat response")
+	}
+	if len(chatResp.Choices) == 0 {
+		return nil, app.For(code.AI).SvcThirdParty("AI provider returned no choices")
+	}
+
+	choice := chatResp.Choices[0]
+	return &domai.GenerateResult{
+		Text:         extractAssistantText(choice.Message),
+		FinishReason: choice.FinishReason,
+	}, nil
+}
+
+func (p *OpenAICompatible) StreamText(ctx context.Context, req domai.GenerateRequest) (<-chan domai.StreamEvent, error) {
+	if strings.TrimSpace(req.Credential.APIKey) == "" {
+		return nil, app.For(code.AI).InputMissingRequired("missing AI provider token")
+	}
+
+	body := p.buildChatCompletionRequest(req, true)
+	payload, err := json.Marshal(body)
+	if err != nil {
+		return nil, err
+	}
+
+	httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, p.baseURL+"/chat/completions", bytes.NewReader(payload))
+	if err != nil {
+		return nil, err
+	}
+	httpReq.Header.Set("Authorization", "Bearer "+req.Credential.APIKey)
+	httpReq.Header.Set("Content-Type", "application/json")
+	httpReq.Header.Set("Accept", "text/event-stream")
+
+	resp, err := p.client.Do(httpReq)
+	if err != nil {
+		return nil, err
+	}
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		defer resp.Body.Close()
+		_, _ = io.Copy(io.Discard, io.LimitReader(resp.Body, 4096))
+		return nil, providerHTTPError("AI provider request failed", resp.StatusCode, resp.Status)
+	}
+
+	out := make(chan domai.StreamEvent)
+	go func() {
+		defer close(out)
+		defer resp.Body.Close()
+		parseOpenAIStream(resp.Body, out)
+	}()
+	return out, nil
+}
+
+type chatCompletionRequest struct {
+	Model       string          `json:"model"`
+	Messages    []chatMessage   `json:"messages"`
+	Stream      bool            `json:"stream"`
+	Temperature *float64        `json:"temperature,omitempty"`
+	MaxTokens   *int            `json:"max_tokens,omitempty"`
+	Thinking    *thinkingConfig `json:"thinking,omitempty"`
+}
+
+type thinkingConfig struct {
+	Type string `json:"type,omitempty"`
+}
+
+type assistantMessage struct {
+	Content          json.RawMessage `json:"content"`
+	ReasoningContent string          `json:"reasoning_content"`
+	Reasoning        string          `json:"reasoning"`
+}
+
+type openAIChatResponse struct {
+	Choices []struct {
+		Message      assistantMessage `json:"message"`
+		FinishReason string           `json:"finish_reason"`
+	} `json:"choices"`
+}
+
+func (p *OpenAICompatible) buildChatCompletionRequest(req domai.GenerateRequest, stream bool) chatCompletionRequest {
+	return chatCompletionRequest{
+		Model:       req.Model,
+		Messages:    toChatMessages(req),
+		Stream:      stream,
+		Temperature: normalizeTemperature(p.id, req.Model, req.Temperature),
+		MaxTokens:   normalizeMaxTokens(p.id, req.Model, req.MaxTokens),
+		Thinking:    normalizeThinking(p.id, req.Model),
+	}
+}
+
+func extractAssistantText(msg assistantMessage) string {
+	if text := parseMessageContent(msg.Content); strings.TrimSpace(text) != "" {
+		return text
+	}
+	if strings.TrimSpace(msg.ReasoningContent) != "" {
+		return msg.ReasoningContent
+	}
+	return msg.Reasoning
+}
+
+func parseMessageContent(raw json.RawMessage) string {
+	if len(raw) == 0 || string(raw) == "null" {
+		return ""
+	}
+
+	var text string
+	if err := json.Unmarshal(raw, &text); err == nil {
+		return text
+	}
+
+	var parts []struct {
+		Text string `json:"text"`
+	}
+	if err := json.Unmarshal(raw, &parts); err == nil {
+		var b strings.Builder
+		for _, part := range parts {
+			if part.Text != "" {
+				b.WriteString(part.Text)
+			}
+		}
+		return b.String()
+	}
+
+	return ""
+}
+
+type chatMessage struct {
+	Role    string `json:"role"`
+	Content string `json:"content"`
+}
+
+func toChatMessages(req domai.GenerateRequest) []chatMessage {
+	messages := make([]chatMessage, 0, len(req.Messages)+1)
+	if strings.TrimSpace(req.System) != "" {
+		messages = append(messages, chatMessage{Role: "system", Content: req.System})
+	}
+	for _, msg := range req.Messages {
+		messages = append(messages, chatMessage{Role: msg.Role, Content: msg.Content})
+	}
+	return messages
+}
+
+func normalizeTemperature(provider enum.ProviderID, model string, requested *float64) *float64 {
+	if provider == enum.ProviderOpenCode && strings.HasPrefix(model, "kimi-") {
+		v := 1.0
+		return &v
+	}
+	return requested
+}
+
+func normalizeMaxTokens(provider enum.ProviderID, model string, requested *int) *int {
+	if provider != enum.ProviderOpenCode || !strings.HasPrefix(model, "deepseek-") {
+		return requested
+	}
+
+	// DeepSeek V4 thinking can consume the full budget before content appears.
+	const minDeepSeekTokens = 2048
+	if requested == nil || *requested < minDeepSeekTokens {
+		v := minDeepSeekTokens
+		return &v
+	}
+	return requested
+}
+
+func normalizeThinking(provider enum.ProviderID, model string) *thinkingConfig {
+	// DeepSeek V4 on OpenCode Go defaults to thinking mode and may spend the entire
+	// max_tokens budget on reasoning_content before emitting content.
+	if provider == enum.ProviderOpenCode && strings.HasPrefix(model, "deepseek-") {
+		return &thinkingConfig{Type: "disabled"}
+	}
+	return nil
+}
+
+func streamDeltaText(delta streamDelta) string {
+	if delta.Content != "" {
+		return delta.Content
+	}
+	if delta.Text != "" {
+		return delta.Text
+	}
+	if delta.ReasoningContent != "" {
+		return delta.ReasoningContent
+	}
+	return delta.Reasoning
+}
+
+func parseOpenAIStream(body io.Reader, out chan<- domai.StreamEvent) {
+	scanner := bufio.NewScanner(body)
+	scanner.Buffer(make([]byte, 0, 64*1024), 1024*1024)
+	for scanner.Scan() {
+		line := strings.TrimSpace(scanner.Text())
+		if line == "" || !strings.HasPrefix(line, "data:") {
+			continue
+		}
+		data := strings.TrimSpace(strings.TrimPrefix(line, "data:"))
+		if data == "[DONE]" {
+			out <- domai.StreamEvent{Type: "done"}
+			return
+		}
+		var chunk openAIStreamChunk
+		if err := json.Unmarshal([]byte(data), &chunk); err != nil {
+			out <- domai.StreamEvent{Type: "error", Error: "failed to parse AI stream payload"}
+			return
+		}
+		for _, choice := range chunk.Choices {
+			if text := streamDeltaText(choice.Delta); text != "" {
+				out <- domai.StreamEvent{Type: "delta", Text: text}
+			}
+			if choice.FinishReason != "" {
+				out <- domai.StreamEvent{Type: "done", FinishReason: choice.FinishReason}
+				return
+			}
+		}
+	}
+	if err := scanner.Err(); err != nil {
+		out <- domai.StreamEvent{Type: "error", Error: err.Error()}
+	}
+}
+
+type streamDelta struct {
+	Content          string `json:"content"`
+	Text             string `json:"text"`
+	ReasoningContent string `json:"reasoning_content"`
+	Reasoning        string `json:"reasoning"`
+}
+
+type openAIStreamChunk struct {
+	Choices []struct {
+		Delta        streamDelta `json:"delta"`
+		FinishReason string      `json:"finish_reason"`
+	} `json:"choices"`
+}
+
+type openAIModelsResponse struct {
+	Data []struct {
+		ID string `json:"id"`
+	} `json:"data"`
+}
+
+func providerHTTPError(prefix string, statusCode int, statusLine string) error {
+	return app.For(code.AI).SvcThirdParty(fmt.Sprintf("%s: HTTP %d %s", prefix, statusCode, statusLine))
+}
diff --git a/haixun-backend/internal/model/ai/provider/openai_compatible_test.go b/haixun-backend/internal/model/ai/provider/openai_compatible_test.go
new file mode 100644
index 0000000..5ce9038
--- /dev/null
+++ b/haixun-backend/internal/model/ai/provider/openai_compatible_test.go
@@ -0,0 +1,178 @@
+package provider
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"haixun-backend/internal/model/ai/domain/enum"
+	domai "haixun-backend/internal/model/ai/domain/usecase"
+)
+
+func TestOpenAICompatible_ListModels(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodGet || r.URL.Path != "/models" {
+			t.Fatalf("unexpected request: %s %s", r.Method, r.URL.Path)
+		}
+		if got := r.Header.Get("Authorization"); got != "Bearer test-token" {
+			t.Fatalf("unexpected auth header: %s", got)
+		}
+		_, _ = w.Write([]byte(`{"data":[{"id":"grok-3-fast"},{"id":"grok-3"},{"id":""}]}`))
+	}))
+	defer server.Close()
+
+	p := NewOpenAICompatible(enum.ProviderXAI, server.URL)
+	models, err := p.ListModels(context.Background(), domai.Credential{APIKey: "test-token"})
+	if err != nil {
+		t.Fatalf("ListModels() error = %v", err)
+	}
+
+	want := []string{"grok-3", "grok-3-fast"}
+	if len(models) != len(want) {
+		t.Fatalf("models = %v, want %v", models, want)
+	}
+	for i, id := range want {
+		if models[i] != id {
+			t.Fatalf("models[%d] = %s, want %s", i, models[i], id)
+		}
+	}
+}
+
+func TestOpenAICompatible_ListModels_MissingToken(t *testing.T) {
+	p := NewOpenAICompatible(enum.ProviderXAI, "https://example.com")
+	_, err := p.ListModels(context.Background(), domai.Credential{})
+	if err == nil {
+		t.Fatal("expected error for missing token")
+	}
+}
+
+func TestOpenAICompatible_GenerateText_UsesContent(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost || r.URL.Path != "/chat/completions" {
+			t.Fatalf("unexpected request: %s %s", r.Method, r.URL.Path)
+		}
+		body, _ := io.ReadAll(r.Body)
+		var req chatCompletionRequest
+		if err := json.Unmarshal(body, &req); err != nil {
+			t.Fatalf("unmarshal request: %v", err)
+		}
+		if req.Stream {
+			t.Fatal("expected non-stream request")
+		}
+		if req.Thinking == nil || req.Thinking.Type != "disabled" {
+			t.Fatalf("thinking = %+v, want disabled for deepseek on opencode", req.Thinking)
+		}
+		if req.MaxTokens == nil || *req.MaxTokens < 2048 {
+			t.Fatalf("max_tokens = %+v, want >= 2048 for deepseek on opencode", req.MaxTokens)
+		}
+		_, _ = w.Write([]byte(`{"choices":[{"message":{"content":"hello"},"finish_reason":"stop"}]}`))
+	}))
+	defer server.Close()
+
+	p := NewOpenAICompatible(enum.ProviderOpenCode, server.URL)
+	maxTokens := 256
+	result, err := p.GenerateText(context.Background(), domai.GenerateRequest{
+		Provider:   enum.ProviderOpenCode,
+		Model:      "deepseek-v4-flash",
+		Credential: domai.Credential{APIKey: "test-token"},
+		Messages:   []domai.Message{{Role: "user", Content: "hi"}},
+		MaxTokens:  &maxTokens,
+	})
+	if err != nil {
+		t.Fatalf("GenerateText() error = %v", err)
+	}
+	if result.Text != "hello" || result.FinishReason != "stop" {
+		t.Fatalf("result = %+v, want text=hello finish_reason=stop", result)
+	}
+}
+
+func TestOpenAICompatible_GenerateText_FallsBackToReasoningContent(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_, _ = w.Write([]byte(`{"choices":[{"message":{"content":"","reasoning_content":"thinking only"},"finish_reason":"length"}]}`))
+	}))
+	defer server.Close()
+
+	p := NewOpenAICompatible(enum.ProviderXAI, server.URL)
+	result, err := p.GenerateText(context.Background(), domai.GenerateRequest{
+		Model:      "deepseek-test",
+		Credential: domai.Credential{APIKey: "test-token"},
+		Messages:   []domai.Message{{Role: "user", Content: "hi"}},
+	})
+	if err != nil {
+		t.Fatalf("GenerateText() error = %v", err)
+	}
+	if result.Text != "thinking only" {
+		t.Fatalf("result.Text = %q, want thinking only", result.Text)
+	}
+}
+
+func TestOpenAICompatible_StreamText_ParsesReasoningContent(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/event-stream")
+		_, _ = w.Write([]byte("data: {\"choices\":[{\"delta\":{\"reasoning_content\":\"think\"}}]}\n\n"))
+		_, _ = w.Write([]byte("data: {\"choices\":[{\"delta\":{\"content\":\"answer\"},\"finish_reason\":\"stop\"}]}\n\n"))
+		_, _ = w.Write([]byte("data: [DONE]\n\n"))
+	}))
+	defer server.Close()
+
+	p := NewOpenAICompatible(enum.ProviderXAI, server.URL)
+	stream, err := p.StreamText(context.Background(), domai.GenerateRequest{
+		Model:      "deepseek-test",
+		Credential: domai.Credential{APIKey: "test-token"},
+		Messages:   []domai.Message{{Role: "user", Content: "hi"}},
+	})
+	if err != nil {
+		t.Fatalf("StreamText() error = %v", err)
+	}
+
+	var deltas []string
+	var finishReason string
+	for event := range stream {
+		switch event.Type {
+		case "delta":
+			deltas = append(deltas, event.Text)
+		case "done":
+			finishReason = event.FinishReason
+		case "error":
+			t.Fatalf("stream error: %s", event.Error)
+		}
+	}
+
+	if strings.Join(deltas, "") != "thinkanswer" {
+		t.Fatalf("deltas = %v, want thinkanswer", deltas)
+	}
+	if finishReason != "stop" {
+		t.Fatalf("finishReason = %q, want stop", finishReason)
+	}
+}
+
+func TestBuildChatCompletionRequest_DisablesThinkingForOpenCodeDeepSeek(t *testing.T) {
+	p := NewOpenAICompatible(enum.ProviderOpenCode, "https://example.com")
+	maxTokens := 128
+	body := p.buildChatCompletionRequest(domai.GenerateRequest{
+		Provider:  enum.ProviderOpenCode,
+		Model:     "deepseek-v4-flash",
+		Messages:  []domai.Message{{Role: "user", Content: "hi"}},
+		MaxTokens: &maxTokens,
+	}, true)
+
+	if body.Thinking == nil || body.Thinking.Type != "disabled" {
+		t.Fatalf("thinking = %+v, want disabled", body.Thinking)
+	}
+	if body.MaxTokens == nil || *body.MaxTokens < 2048 {
+		t.Fatalf("max_tokens = %+v, want >= 2048", body.MaxTokens)
+	}
+}
+
+func TestExtractAssistantText_ContentArray(t *testing.T) {
+	msg := assistantMessage{
+		Content: json.RawMessage(`[{"type":"text","text":"array content"}]`),
+	}
+	if got := extractAssistantText(msg); got != "array content" {
+		t.Fatalf("extractAssistantText() = %q, want array content", got)
+	}
+}
diff --git a/haixun-backend/internal/model/ai/usecase/usecase.go b/haixun-backend/internal/model/ai/usecase/usecase.go
new file mode 100644
index 0000000..f3cb4ef
--- /dev/null
+++ b/haixun-backend/internal/model/ai/usecase/usecase.go
@@ -0,0 +1,118 @@
+package usecase
+
+import (
+	"context"
+
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/model/ai/domain/enum"
+	domai "haixun-backend/internal/model/ai/domain/usecase"
+	"haixun-backend/internal/model/ai/provider"
+)
+
+type UseCase = domai.UseCase
+
+type providerMeta struct {
+	ID      string
+	Label   string
+	Streams bool
+}
+
+type aiUseCase struct {
+	providers map[enum.ProviderID]domai.Provider
+	catalog   []providerMeta
+}
+
+func NewUseCase() UseCase {
+	providers := map[enum.ProviderID]domai.Provider{
+		enum.ProviderOpenCode: provider.NewOpenAICompatible(enum.ProviderOpenCode, "https://opencode.ai/zen/go/v1"),
+		enum.ProviderXAI:      provider.NewOpenAICompatible(enum.ProviderXAI, "https://api.x.ai/v1"),
+	}
+	return &aiUseCase{
+		providers: providers,
+		catalog: []providerMeta{
+			{ID: string(enum.ProviderOpenCode), Label: "OpenCode Go", Streams: true},
+			{ID: string(enum.ProviderXAI), Label: "Grok (xAI)", Streams: true},
+		},
+	}
+}
+
+func (u *aiUseCase) ListProviders(ctx context.Context) []domai.ProviderOption {
+	options := make([]domai.ProviderOption, 0, len(u.catalog))
+	for _, meta := range u.catalog {
+		options = append(options, domai.ProviderOption{
+			ID:      meta.ID,
+			Label:   meta.Label,
+			Streams: meta.Streams,
+		})
+	}
+	return options
+}
+
+func (u *aiUseCase) ListProviderModels(ctx context.Context, providerID enum.ProviderID, credential domai.Credential) domai.ProviderModels {
+	meta, ok := u.meta(providerID)
+	if !ok {
+		return domai.ProviderModels{
+			Error: app.For(code.AI).InputInvalidFormat("unsupported AI provider").Error(),
+		}
+	}
+
+	result := domai.ProviderModels{
+		ID:      meta.ID,
+		Label:   meta.Label,
+		Models:  []string{},
+		Streams: meta.Streams,
+	}
+
+	p, ok := u.providers[providerID]
+	if !ok {
+		result.Error = app.For(code.AI).InputInvalidFormat("unsupported AI provider").Error()
+		return result
+	}
+
+	models, err := p.ListModels(ctx, credential)
+	if err != nil {
+		if appErr := app.FromError(err); appErr != nil {
+			result.Error = appErr.Error()
+		} else {
+			result.Error = err.Error()
+		}
+		return result
+	}
+
+	result.Models = models
+	return result
+}
+
+func (u *aiUseCase) GenerateText(ctx context.Context, req domai.GenerateRequest) (*domai.GenerateResult, error) {
+	p, err := u.resolve(req.Provider)
+	if err != nil {
+		return nil, err
+	}
+	return p.GenerateText(ctx, req)
+}
+
+func (u *aiUseCase) StreamText(ctx context.Context, req domai.GenerateRequest) (<-chan domai.StreamEvent, error) {
+	p, err := u.resolve(req.Provider)
+	if err != nil {
+		return nil, err
+	}
+	return p.StreamText(ctx, req)
+}
+
+func (u *aiUseCase) meta(id enum.ProviderID) (providerMeta, bool) {
+	for _, meta := range u.catalog {
+		if meta.ID == string(id) {
+			return meta, true
+		}
+	}
+	return providerMeta{}, false
+}
+
+func (u *aiUseCase) resolve(id enum.ProviderID) (domai.Provider, error) {
+	p, ok := u.providers[id]
+	if !ok {
+		return nil, app.For(code.AI).InputInvalidFormat("unsupported AI provider")
+	}
+	return p, nil
+}
diff --git a/haixun-backend/internal/model/auth/domain/repository/token_revoke.go b/haixun-backend/internal/model/auth/domain/repository/token_revoke.go
new file mode 100644
index 0000000..cb1d2c9
--- /dev/null
+++ b/haixun-backend/internal/model/auth/domain/repository/token_revoke.go
@@ -0,0 +1,14 @@
+package repository
+
+import (
+	"context"
+	"time"
+)
+
+type TokenRevokeStore interface {
+	SavePair(ctx context.Context, accessJTI, refreshJTI string, accessTTL, refreshTTL time.Duration) error
+	GetPairedJTI(ctx context.Context, jti string) (string, error)
+	DeletePair(ctx context.Context, accessJTI, refreshJTI string) error
+	Blacklist(ctx context.Context, jti string, ttl time.Duration) error
+	IsBlacklisted(ctx context.Context, jti string) (bool, error)
+}
diff --git a/haixun-backend/internal/model/auth/domain/usecase/token.go b/haixun-backend/internal/model/auth/domain/usecase/token.go
new file mode 100644
index 0000000..85a72d6
--- /dev/null
+++ b/haixun-backend/internal/model/auth/domain/usecase/token.go
@@ -0,0 +1,42 @@
+package usecase
+
+import "context"
+
+type TokenType string
+
+const (
+	TokenTypeAccess  TokenType = "access"
+	TokenTypeRefresh TokenType = "refresh"
+)
+
+type TokenPair struct {
+	AccessToken  string
+	RefreshToken string
+	ExpiresIn    int64
+	TokenType    string
+	UID          string
+}
+
+type IssuePairRequest struct {
+	TenantID string
+	UID      string
+	AuthGen  int64
+}
+
+type AccessClaims struct {
+	TenantID string
+	UID      string
+	AuthGen  int64
+	JTI      string
+}
+
+type LogoutRequest struct {
+	AccessToken string
+}
+
+type TokenUseCase interface {
+	IssuePair(ctx context.Context, req IssuePairRequest) (*TokenPair, error)
+	Refresh(ctx context.Context, refreshToken string) (*TokenPair, error)
+	Logout(ctx context.Context, req LogoutRequest) error
+	ParseAccessToken(ctx context.Context, accessToken string) (*AccessClaims, error)
+}
diff --git a/haixun-backend/internal/model/auth/repository/token_revoke_redis.go b/haixun-backend/internal/model/auth/repository/token_revoke_redis.go
new file mode 100644
index 0000000..4235423
--- /dev/null
+++ b/haixun-backend/internal/model/auth/repository/token_revoke_redis.go
@@ -0,0 +1,98 @@
+package repository
+
+import (
+	"context"
+	"time"
+
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	domrepo "haixun-backend/internal/model/auth/domain/repository"
+
+	goredis "github.com/redis/go-redis/v9"
+)
+
+const (
+	jwtPairPrefix      = "auth:jwt:pair:"
+	jwtBlacklistPrefix = "auth:jwt:blacklist:"
+)
+
+type redisTokenRevokeStore struct {
+	client *goredis.Client
+}
+
+func NewRedisTokenRevokeStore(client *goredis.Client) domrepo.TokenRevokeStore {
+	return &redisTokenRevokeStore{client: client}
+}
+
+func (s *redisTokenRevokeStore) SavePair(ctx context.Context, accessJTI, refreshJTI string, accessTTL, refreshTTL time.Duration) error {
+	if err := s.requireRedis(); err != nil {
+		return err
+	}
+	if accessJTI == "" || refreshJTI == "" {
+		return app.For(code.Auth).InputMissingRequired("jwt pair jti is required")
+	}
+	if err := s.client.Set(ctx, jwtPairPrefix+accessJTI, refreshJTI, minTTL(accessTTL)).Err(); err != nil {
+		return err
+	}
+	return s.client.Set(ctx, jwtPairPrefix+refreshJTI, accessJTI, minTTL(refreshTTL)).Err()
+}
+
+func (s *redisTokenRevokeStore) GetPairedJTI(ctx context.Context, jti string) (string, error) {
+	if err := s.requireRedis(); err != nil {
+		return "", err
+	}
+	value, err := s.client.Get(ctx, jwtPairPrefix+jti).Result()
+	if err == goredis.Nil {
+		return "", nil
+	}
+	return value, err
+}
+
+func (s *redisTokenRevokeStore) DeletePair(ctx context.Context, accessJTI, refreshJTI string) error {
+	if err := s.requireRedis(); err != nil {
+		return err
+	}
+	keys := make([]string, 0, 2)
+	if accessJTI != "" {
+		keys = append(keys, jwtPairPrefix+accessJTI)
+	}
+	if refreshJTI != "" {
+		keys = append(keys, jwtPairPrefix+refreshJTI)
+	}
+	if len(keys) == 0 {
+		return nil
+	}
+	return s.client.Del(ctx, keys...).Err()
+}
+
+func (s *redisTokenRevokeStore) Blacklist(ctx context.Context, jti string, ttl time.Duration) error {
+	if err := s.requireRedis(); err != nil {
+		return err
+	}
+	if jti == "" {
+		return app.For(code.Auth).InputMissingRequired("jti is required")
+	}
+	return s.client.Set(ctx, jwtBlacklistPrefix+jti, "1", minTTL(ttl)).Err()
+}
+
+func (s *redisTokenRevokeStore) IsBlacklisted(ctx context.Context, jti string) (bool, error) {
+	if err := s.requireRedis(); err != nil {
+		return false, err
+	}
+	count, err := s.client.Exists(ctx, jwtBlacklistPrefix+jti).Result()
+	return count > 0, err
+}
+
+func (s *redisTokenRevokeStore) requireRedis() error {
+	if s.client == nil {
+		return app.For(code.Auth).DBUnavailable("Redis is not configured")
+	}
+	return nil
+}
+
+func minTTL(ttl time.Duration) time.Duration {
+	if ttl < time.Second {
+		return time.Second
+	}
+	return ttl
+}
diff --git a/haixun-backend/internal/model/auth/usecase/token.go b/haixun-backend/internal/model/auth/usecase/token.go
new file mode 100644
index 0000000..ca1e040
--- /dev/null
+++ b/haixun-backend/internal/model/auth/usecase/token.go
@@ -0,0 +1,233 @@
+package usecase
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
+	"haixun-backend/internal/config"
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	domrepo "haixun-backend/internal/model/auth/domain/repository"
+	domusecase "haixun-backend/internal/model/auth/domain/usecase"
+
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/google/uuid"
+)
+
+type tokenUseCase struct {
+	cfg    config.AuthConf
+	revoke domrepo.TokenRevokeStore
+}
+
+func NewTokenUseCase(cfg config.AuthConf, revoke domrepo.TokenRevokeStore) domusecase.TokenUseCase {
+	cfg = normalizeConfig(cfg)
+	return &tokenUseCase{cfg: cfg, revoke: revoke}
+}
+
+func (u *tokenUseCase) IssuePair(ctx context.Context, req domusecase.IssuePairRequest) (*domusecase.TokenPair, error) {
+	if req.TenantID == "" || req.UID == "" {
+		return nil, app.For(code.Auth).InputMissingRequired("tenant_id and uid are required")
+	}
+	access, err := u.sign(req, domusecase.TokenTypeAccess, u.cfg.AccessExpireSeconds, u.cfg.AccessSecret)
+	if err != nil {
+		return nil, app.For(code.Auth).SysInternal("sign access token failed").WithCause(err)
+	}
+	refresh, err := u.sign(req, domusecase.TokenTypeRefresh, u.cfg.RefreshExpireSeconds, u.cfg.RefreshSecret)
+	if err != nil {
+		return nil, app.For(code.Auth).SysInternal("sign refresh token failed").WithCause(err)
+	}
+	if u.revoke != nil {
+		if err := u.revoke.SavePair(ctx, access.jti, refresh.jti, time.Until(access.expiresAt), time.Until(refresh.expiresAt)); err != nil {
+			return nil, app.For(code.Auth).DBError("save jwt pair failed").WithCause(err)
+		}
+	}
+	return &domusecase.TokenPair{
+		AccessToken:  access.raw,
+		RefreshToken: refresh.raw,
+		ExpiresIn:    u.cfg.AccessExpireSeconds,
+		TokenType:    "Bearer",
+		UID:          req.UID,
+	}, nil
+}
+
+func (u *tokenUseCase) Refresh(ctx context.Context, refreshToken string) (*domusecase.TokenPair, error) {
+	if refreshToken == "" {
+		return nil, app.For(code.Auth).InputMissingRequired("refresh_token is required")
+	}
+	claims, err := u.parse(refreshToken, domusecase.TokenTypeRefresh, u.cfg.RefreshSecret)
+	if err != nil {
+		return nil, app.For(code.Auth).AuthUnauthorized("invalid refresh token").WithCause(err)
+	}
+	if err := u.ensureNotBlacklisted(ctx, claims.ID); err != nil {
+		return nil, err
+	}
+	pair, err := u.IssuePair(ctx, domusecase.IssuePairRequest{
+		TenantID: claims.TenantID,
+		UID:      claims.UID,
+		AuthGen:  claims.AuthGen,
+	})
+	if err != nil {
+		return nil, err
+	}
+	if u.revoke != nil {
+		_ = u.revoke.Blacklist(ctx, claims.ID, remainingTTL(claims.expiresAt))
+		if accessJTI, err := u.revoke.GetPairedJTI(ctx, claims.ID); err == nil && accessJTI != "" {
+			_ = u.revoke.Blacklist(ctx, accessJTI, time.Duration(u.cfg.AccessExpireSeconds)*time.Second)
+			_ = u.revoke.DeletePair(ctx, accessJTI, claims.ID)
+		}
+	}
+	return pair, nil
+}
+
+func (u *tokenUseCase) Logout(ctx context.Context, req domusecase.LogoutRequest) error {
+	if req.AccessToken == "" {
+		return app.For(code.Auth).InputMissingRequired("access token is required")
+	}
+	if u.revoke == nil {
+		return nil
+	}
+	claims, err := u.parse(req.AccessToken, domusecase.TokenTypeAccess, u.cfg.AccessSecret)
+	if err != nil {
+		return app.For(code.Auth).AuthUnauthorized("invalid access token").WithCause(err)
+	}
+	if err := u.revoke.Blacklist(ctx, claims.ID, remainingTTL(claims.expiresAt)); err != nil {
+		return app.For(code.Auth).DBError("blacklist access token failed").WithCause(err)
+	}
+	refreshJTI, err := u.revoke.GetPairedJTI(ctx, claims.ID)
+	if err != nil {
+		return app.For(code.Auth).DBError("read jwt pair failed").WithCause(err)
+	}
+	if refreshJTI != "" {
+		_ = u.revoke.Blacklist(ctx, refreshJTI, time.Duration(u.cfg.RefreshExpireSeconds)*time.Second)
+	}
+	return u.revoke.DeletePair(ctx, claims.ID, refreshJTI)
+}
+
+func (u *tokenUseCase) ParseAccessToken(ctx context.Context, accessToken string) (*domusecase.AccessClaims, error) {
+	if accessToken == "" {
+		return nil, app.For(code.Auth).AuthUnauthorized("missing access token")
+	}
+	claims, err := u.parse(accessToken, domusecase.TokenTypeAccess, u.cfg.AccessSecret)
+	if err != nil {
+		return nil, app.For(code.Auth).AuthUnauthorized("invalid access token").WithCause(err)
+	}
+	if err := u.ensureNotBlacklisted(ctx, claims.ID); err != nil {
+		return nil, err
+	}
+	return &domusecase.AccessClaims{
+		TenantID: claims.TenantID,
+		UID:      claims.UID,
+		AuthGen:  claims.AuthGen,
+		JTI:      claims.ID,
+	}, nil
+}
+
+func (u *tokenUseCase) ensureNotBlacklisted(ctx context.Context, jti string) error {
+	if u.revoke == nil || jti == "" {
+		return nil
+	}
+	blacklisted, err := u.revoke.IsBlacklisted(ctx, jti)
+	if err != nil {
+		return app.For(code.Auth).DBError("check jwt blacklist failed").WithCause(err)
+	}
+	if blacklisted {
+		return app.For(code.Auth).AuthUnauthorized("token revoked")
+	}
+	return nil
+}
+
+type jwtClaims struct {
+	TenantID string `json:"tenant_id"`
+	UID      string `json:"uid"`
+	Typ      string `json:"typ"`
+	AuthGen  int64  `json:"auth_gen"`
+	jwt.RegisteredClaims
+}
+
+type parsedClaims struct {
+	TenantID  string
+	UID       string
+	AuthGen   int64
+	ID        string
+	expiresAt time.Time
+}
+
+type signedToken struct {
+	raw       string
+	jti       string
+	expiresAt time.Time
+}
+
+func (u *tokenUseCase) sign(req domusecase.IssuePairRequest, typ domusecase.TokenType, expireSec int64, secret string) (*signedToken, error) {
+	now := time.Now().UTC()
+	expiresAt := now.Add(time.Duration(expireSec) * time.Second)
+	jti := uuid.NewString()
+	claims := jwtClaims{
+		TenantID: req.TenantID,
+		UID:      req.UID,
+		Typ:      string(typ),
+		AuthGen:  req.AuthGen,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ID:        jti,
+			IssuedAt:  jwt.NewNumericDate(now),
+			ExpiresAt: jwt.NewNumericDate(expiresAt),
+		},
+	}
+	raw, err := jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString([]byte(secret))
+	if err != nil {
+		return nil, err
+	}
+	return &signedToken{raw: raw, jti: jti, expiresAt: expiresAt}, nil
+}
+
+func (u *tokenUseCase) parse(raw string, want domusecase.TokenType, secret string) (*parsedClaims, error) {
+	parsed, err := jwt.ParseWithClaims(raw, &jwtClaims{}, func(t *jwt.Token) (any, error) {
+		if t.Method != jwt.SigningMethodHS256 {
+			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
+		}
+		return []byte(secret), nil
+	})
+	if err != nil {
+		return nil, fmt.Errorf("%w: %w", errInvalidToken, err)
+	}
+	claims, ok := parsed.Claims.(*jwtClaims)
+	if !ok || !parsed.Valid || claims.Typ != string(want) || claims.TenantID == "" || claims.UID == "" {
+		return nil, errInvalidToken
+	}
+	expiresAt := time.Time{}
+	if claims.ExpiresAt != nil {
+		expiresAt = claims.ExpiresAt.Time
+	}
+	return &parsedClaims{TenantID: claims.TenantID, UID: claims.UID, AuthGen: claims.AuthGen, ID: claims.ID, expiresAt: expiresAt}, nil
+}
+
+func normalizeConfig(cfg config.AuthConf) config.AuthConf {
+	if cfg.AccessExpireSeconds <= 0 {
+		cfg.AccessExpireSeconds = 900
+	}
+	if cfg.RefreshExpireSeconds <= 0 {
+		cfg.RefreshExpireSeconds = 2592000
+	}
+	if cfg.AccessSecret == "" {
+		cfg.AccessSecret = "haixun-dev-access-secret-change-me"
+	}
+	if cfg.RefreshSecret == "" {
+		cfg.RefreshSecret = "haixun-dev-refresh-secret-change-me"
+	}
+	return cfg
+}
+
+func remainingTTL(expiresAt time.Time) time.Duration {
+	if expiresAt.IsZero() {
+		return time.Second
+	}
+	ttl := time.Until(expiresAt)
+	if ttl < time.Second {
+		return time.Second
+	}
+	return ttl
+}
+
+var errInvalidToken = errors.New("auth: invalid token")
diff --git a/haixun-backend/internal/model/job/cron/next_run.go b/haixun-backend/internal/model/job/cron/next_run.go
new file mode 100644
index 0000000..e249337
--- /dev/null
+++ b/haixun-backend/internal/model/job/cron/next_run.go
@@ -0,0 +1,31 @@
+package cron
+
+import (
+	"fmt"
+	"time"
+
+	"haixun-backend/internal/library/clock"
+
+	"github.com/robfig/cron/v3"
+)
+
+func NextRunAt(cronExpr, timezone string, from time.Time) (int64, error) {
+	expr := cronExpr
+	parser := cron.NewParser(cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.Dow)
+	schedule, err := parser.Parse(expr)
+	if err != nil {
+		return 0, fmt.Errorf("invalid cron expression: %w", err)
+	}
+
+	loc := time.UTC
+	if timezone != "" {
+		loaded, loadErr := time.LoadLocation(timezone)
+		if loadErr != nil {
+			return 0, fmt.Errorf("invalid timezone: %w", loadErr)
+		}
+		loc = loaded
+	}
+
+	next := schedule.Next(from.In(loc))
+	return clock.UnixNano(next), nil
+}
diff --git a/haixun-backend/internal/model/job/cron/next_run_test.go b/haixun-backend/internal/model/job/cron/next_run_test.go
new file mode 100644
index 0000000..3ce2e26
--- /dev/null
+++ b/haixun-backend/internal/model/job/cron/next_run_test.go
@@ -0,0 +1,27 @@
+package cron
+
+import (
+	"testing"
+	"time"
+
+	"haixun-backend/internal/library/clock"
+)
+
+func TestNextRunAt_HourlyCron(t *testing.T) {
+	from := time.Date(2026, 6, 23, 10, 30, 0, 0, time.UTC)
+	next, err := NextRunAt("0 * * * *", "UTC", from)
+	if err != nil {
+		t.Fatalf("NextRunAt() error = %v", err)
+	}
+	nextTime := clock.FromUnixNano(next)
+	if nextTime.Hour() != 11 || nextTime.Minute() != 0 {
+		t.Fatalf("next = %v, want 11:00 UTC", nextTime)
+	}
+}
+
+func TestNextRunAt_InvalidCron(t *testing.T) {
+	_, err := NextRunAt("not-a-cron", "UTC", clock.Now())
+	if err == nil {
+		t.Fatal("expected invalid cron error")
+	}
+}
diff --git a/haixun-backend/internal/model/job/domain/entity/event.go b/haixun-backend/internal/model/job/domain/entity/event.go
new file mode 100644
index 0000000..5c7975e
--- /dev/null
+++ b/haixun-backend/internal/model/job/domain/entity/event.go
@@ -0,0 +1,16 @@
+package entity
+
+import "go.mongodb.org/mongo-driver/bson/primitive"
+
+const EventCollectionName = "job_events"
+
+type Event struct {
+	ID       primitive.ObjectID `bson:"_id,omitempty"`
+	JobID    string             `bson:"job_id"`
+	Type     string             `bson:"type"`
+	From     string             `bson:"from,omitempty"`
+	To       string             `bson:"to,omitempty"`
+	Message  string             `bson:"message"`
+	Metadata map[string]any     `bson:"metadata,omitempty"`
+	CreateAt int64              `bson:"create_at"`
+}
diff --git a/haixun-backend/internal/model/job/domain/entity/run.go b/haixun-backend/internal/model/job/domain/entity/run.go
new file mode 100644
index 0000000..cf583c8
--- /dev/null
+++ b/haixun-backend/internal/model/job/domain/entity/run.go
@@ -0,0 +1,50 @@
+package entity
+
+import (
+	"haixun-backend/internal/model/job/domain/enum"
+
+	"go.mongodb.org/mongo-driver/bson/primitive"
+)
+
+const RunCollectionName = "job_runs"
+
+type StepProgress struct {
+	ID        string          `bson:"id"`
+	Status    enum.StepStatus `bson:"status"`
+	StartedAt *int64          `bson:"started_at,omitempty"`
+	EndedAt   *int64          `bson:"ended_at,omitempty"`
+	Message   string          `bson:"message,omitempty"`
+}
+
+type RunProgress struct {
+	Summary    string         `bson:"summary"`
+	Percentage int            `bson:"percentage"`
+	Steps      []StepProgress `bson:"steps"`
+}
+
+type Run struct {
+	ID                primitive.ObjectID `bson:"_id,omitempty"`
+	TemplateType      string             `bson:"template_type"`
+	TemplateVersion   int                `bson:"template_version"`
+	Scope             string             `bson:"scope"`
+	ScopeID           string             `bson:"scope_id"`
+	Status            enum.RunStatus     `bson:"status"`
+	Phase             string             `bson:"phase"`
+	WorkerType        string             `bson:"worker_type"`
+	Payload           map[string]any     `bson:"payload"`
+	Progress          RunProgress        `bson:"progress"`
+	Result            map[string]any     `bson:"result,omitempty"`
+	Error             string             `bson:"error,omitempty"`
+	Attempt           int                `bson:"attempt"`
+	MaxAttempts       int                `bson:"max_attempts"`
+	DedupeKey         string             `bson:"dedupe_key,omitempty"`
+	LockedBy          string             `bson:"locked_by,omitempty"`
+	LockedUntil       *int64             `bson:"locked_until,omitempty"`
+	CancelRequestedAt *int64             `bson:"cancel_requested_at,omitempty"`
+	CancelReason      string             `bson:"cancel_reason,omitempty"`
+	ScheduledAt       *int64             `bson:"scheduled_at,omitempty"`
+	StartedAt         *int64             `bson:"started_at,omitempty"`
+	CompletedAt       *int64             `bson:"completed_at,omitempty"`
+	CreateAt          int64              `bson:"create_at"`
+	UpdateAt          int64              `bson:"update_at"`
+}
diff --git a/haixun-backend/internal/model/job/domain/entity/schedule.go b/haixun-backend/internal/model/job/domain/entity/schedule.go
new file mode 100644
index 0000000..3e62b95
--- /dev/null
+++ b/haixun-backend/internal/model/job/domain/entity/schedule.go
@@ -0,0 +1,20 @@
+package entity
+
+import "go.mongodb.org/mongo-driver/bson/primitive"
+
+const ScheduleCollectionName = "job_schedules"
+
+type Schedule struct {
+	ID              primitive.ObjectID `bson:"_id,omitempty"`
+	TemplateType    string             `bson:"template_type"`
+	Scope           string             `bson:"scope"`
+	ScopeID         string             `bson:"scope_id"`
+	Enabled         bool               `bson:"enabled"`
+	Cron            string             `bson:"cron"`
+	Timezone        string             `bson:"timezone"`
+	PayloadTemplate map[string]any     `bson:"payload_template"`
+	LastRunAt       *int64             `bson:"last_run_at,omitempty"`
+	NextRunAt       int64              `bson:"next_run_at"`
+	CreateAt        int64              `bson:"create_at"`
+	UpdateAt        int64              `bson:"update_at"`
+}
diff --git a/haixun-backend/internal/model/job/domain/entity/template.go b/haixun-backend/internal/model/job/domain/entity/template.go
new file mode 100644
index 0000000..5531f95
--- /dev/null
+++ b/haixun-backend/internal/model/job/domain/entity/template.go
@@ -0,0 +1,42 @@
+package entity
+
+import "go.mongodb.org/mongo-driver/bson/primitive"
+
+const TemplateCollectionName = "job_templates"
+
+type CancelPolicy struct {
+	Supported    bool   `bson:"supported"`
+	Mode         string `bson:"mode"`
+	GraceSeconds int    `bson:"grace_seconds"`
+}
+
+type RetryPolicy struct {
+	MaxAttempts    int   `bson:"max_attempts"`
+	BackoffSeconds []int `bson:"backoff_seconds"`
+}
+
+type TemplateStep struct {
+	ID             string `bson:"id"`
+	Name           string `bson:"name"`
+	WorkerType     string `bson:"worker_type"`
+	TimeoutSeconds int    `bson:"timeout_seconds"`
+	Cancelable     bool   `bson:"cancelable"`
+}
+
+type Template struct {
+	ID                primitive.ObjectID `bson:"_id,omitempty"`
+	Type              string             `bson:"type"`
+	Version           int                `bson:"version"`
+	Name              string             `bson:"name"`
+	Description       string             `bson:"description"`
+	Enabled           bool               `bson:"enabled"`
+	Repeatable        bool               `bson:"repeatable"`
+	ConcurrencyPolicy string             `bson:"concurrency_policy"`
+	DedupeKeys        []string           `bson:"dedupe_keys"`
+	TimeoutSeconds    int                `bson:"timeout_seconds"`
+	CancelPolicy      CancelPolicy       `bson:"cancel_policy"`
+	RetryPolicy       RetryPolicy        `bson:"retry_policy"`
+	Steps             []TemplateStep     `bson:"steps"`
+	CreateAt          int64              `bson:"create_at"`
+	UpdateAt          int64              `bson:"update_at"`
+}
diff --git a/haixun-backend/internal/model/job/domain/enum/status.go b/haixun-backend/internal/model/job/domain/enum/status.go
new file mode 100644
index 0000000..bc13c2f
--- /dev/null
+++ b/haixun-backend/internal/model/job/domain/enum/status.go
@@ -0,0 +1,58 @@
+package enum
+
+type RunStatus string
+
+const (
+	RunStatusPending         RunStatus = "pending"
+	RunStatusQueued          RunStatus = "queued"
+	RunStatusRunning         RunStatus = "running"
+	RunStatusWaitingWorker   RunStatus = "waiting_worker"
+	RunStatusCancelRequested RunStatus = "cancel_requested"
+	RunStatusSucceeded       RunStatus = "succeeded"
+	RunStatusFailed          RunStatus = "failed"
+	RunStatusCancelled       RunStatus = "cancelled"
+	RunStatusExpired         RunStatus = "expired"
+)
+
+func (s RunStatus) IsTerminal() bool {
+	switch s {
+	case RunStatusSucceeded, RunStatusFailed, RunStatusCancelled, RunStatusExpired:
+		return true
+	default:
+		return false
+	}
+}
+
+func (s RunStatus) IsCancellable() bool {
+	switch s {
+	case RunStatusPending, RunStatusQueued, RunStatusRunning, RunStatusWaitingWorker:
+		return true
+	default:
+		return false
+	}
+}
+
+type StepStatus string
+
+const (
+	StepStatusPending   StepStatus = "pending"
+	StepStatusRunning   StepStatus = "running"
+	StepStatusSucceeded StepStatus = "succeeded"
+	StepStatusFailed    StepStatus = "failed"
+	StepStatusSkipped   StepStatus = "skipped"
+	StepStatusCancelled StepStatus = "cancelled"
+)
+
+type ConcurrencyPolicy string
+
+const (
+	ConcurrencyRejectSameScope ConcurrencyPolicy = "reject_same_scope"
+	ConcurrencyAllowParallel   ConcurrencyPolicy = "allow_parallel"
+	ConcurrencyReplaceExisting ConcurrencyPolicy = "replace_existing"
+)
+
+type WorkerType string
+
+const (
+	WorkerTypeGo WorkerType = "go"
+)
diff --git a/haixun-backend/internal/model/job/domain/repository/event.go b/haixun-backend/internal/model/job/domain/repository/event.go
new file mode 100644
index 0000000..ab82c12
--- /dev/null
+++ b/haixun-backend/internal/model/job/domain/repository/event.go
@@ -0,0 +1,13 @@
+package repository
+
+import (
+	"context"
+
+	"haixun-backend/internal/model/job/domain/entity"
+)
+
+type EventRepository interface {
+	EnsureIndexes(ctx context.Context) error
+	Append(ctx context.Context, event *entity.Event) error
+	ListByJobID(ctx context.Context, jobID string, limit int64) ([]*entity.Event, error)
+}
diff --git a/haixun-backend/internal/model/job/domain/repository/queue.go b/haixun-backend/internal/model/job/domain/repository/queue.go
new file mode 100644
index 0000000..03cf668
--- /dev/null
+++ b/haixun-backend/internal/model/job/domain/repository/queue.go
@@ -0,0 +1,19 @@
+package repository
+
+import "context"
+
+type QueueRepository interface {
+	Enqueue(ctx context.Context, workerType, jobID string) error
+	Dequeue(ctx context.Context, workerType string, timeoutSeconds int) (string, error)
+	RemoveJob(ctx context.Context, workerType, jobID string) error
+	SetCancelSignal(ctx context.Context, jobID, reason string) error
+	GetCancelSignal(ctx context.Context, jobID string) (bool, string, error)
+	ClearCancelSignal(ctx context.Context, jobID string) error
+	TryLock(ctx context.Context, jobID, workerID string, ttlSeconds int) (bool, error)
+	RefreshLock(ctx context.Context, jobID, workerID string, ttlSeconds int) error
+	ReleaseLock(ctx context.Context, jobID, workerID string) error
+	TryAcquireDedupe(ctx context.Context, templateType, dedupeHash, jobID string, ttlSeconds int) (bool, error)
+	ReleaseDedupe(ctx context.Context, templateType, dedupeHash string) error
+	TrySchedulerLock(ctx context.Context, holder string, ttlSeconds int) (bool, error)
+	ReleaseSchedulerLock(ctx context.Context, holder string) error
+}
diff --git a/haixun-backend/internal/model/job/domain/repository/run.go b/haixun-backend/internal/model/job/domain/repository/run.go
new file mode 100644
index 0000000..e6cc02f
--- /dev/null
+++ b/haixun-backend/internal/model/job/domain/repository/run.go
@@ -0,0 +1,29 @@
+package repository
+
+import (
+	"context"
+
+	"haixun-backend/internal/model/job/domain/entity"
+	"haixun-backend/internal/model/job/domain/enum"
+)
+
+type RunListFilter struct {
+	Scope    string
+	ScopeID  string
+	Statuses []enum.RunStatus
+}
+
+type RunRepository interface {
+	EnsureIndexes(ctx context.Context) error
+	Create(ctx context.Context, run *entity.Run) (*entity.Run, error)
+	Update(ctx context.Context, run *entity.Run) (*entity.Run, error)
+	UpdateIfStatus(ctx context.Context, run *entity.Run, allowed []enum.RunStatus) (*entity.Run, error)
+	UpdateIfLocked(ctx context.Context, run *entity.Run, workerID string, allowed []enum.RunStatus) (*entity.Run, error)
+	FindByID(ctx context.Context, id string) (*entity.Run, error)
+	List(ctx context.Context, filter RunListFilter, offset, limit int64) ([]*entity.Run, int64, error)
+	FindActiveByScope(ctx context.Context, templateType, scope, scopeID string) ([]*entity.Run, error)
+	FindSucceededByDedupeKey(ctx context.Context, templateType, dedupeKey string) (*entity.Run, error)
+	FindPendingDue(ctx context.Context, now int64, limit int64) ([]*entity.Run, error)
+	FindCancelRequestedBefore(ctx context.Context, before int64, limit int64) ([]*entity.Run, error)
+	FindRunningTimedOut(ctx context.Context, now int64, limit int64) ([]*entity.Run, error)
+}
diff --git a/haixun-backend/internal/model/job/domain/repository/schedule.go b/haixun-backend/internal/model/job/domain/repository/schedule.go
new file mode 100644
index 0000000..9e26ced
--- /dev/null
+++ b/haixun-backend/internal/model/job/domain/repository/schedule.go
@@ -0,0 +1,21 @@
+package repository
+
+import (
+	"context"
+
+	"haixun-backend/internal/model/job/domain/entity"
+)
+
+type ScheduleListFilter struct {
+	Scope   string
+	ScopeID string
+}
+
+type ScheduleRepository interface {
+	EnsureIndexes(ctx context.Context) error
+	Create(ctx context.Context, schedule *entity.Schedule) (*entity.Schedule, error)
+	Update(ctx context.Context, schedule *entity.Schedule) (*entity.Schedule, error)
+	FindByID(ctx context.Context, id string) (*entity.Schedule, error)
+	List(ctx context.Context, filter ScheduleListFilter, offset, limit int64) ([]*entity.Schedule, int64, error)
+	FindDue(ctx context.Context, now int64, limit int64) ([]*entity.Schedule, error)
+}
diff --git a/haixun-backend/internal/model/job/domain/repository/template.go b/haixun-backend/internal/model/job/domain/repository/template.go
new file mode 100644
index 0000000..6ba253e
--- /dev/null
+++ b/haixun-backend/internal/model/job/domain/repository/template.go
@@ -0,0 +1,14 @@
+package repository
+
+import (
+	"context"
+
+	"haixun-backend/internal/model/job/domain/entity"
+)
+
+type TemplateRepository interface {
+	EnsureIndexes(ctx context.Context) error
+	List(ctx context.Context) ([]*entity.Template, error)
+	FindByType(ctx context.Context, templateType string) (*entity.Template, error)
+	Upsert(ctx context.Context, template *entity.Template) (*entity.Template, error)
+}
diff --git a/haixun-backend/internal/model/job/domain/usecase/job.go b/haixun-backend/internal/model/job/domain/usecase/job.go
new file mode 100644
index 0000000..63cac56
--- /dev/null
+++ b/haixun-backend/internal/model/job/domain/usecase/job.go
@@ -0,0 +1,122 @@
+package usecase
+
+import (
+	"context"
+
+	"haixun-backend/internal/model/job/domain/entity"
+)
+
+type CreateRunRequest struct {
+	TemplateType string
+	Scope        string
+	ScopeID      string
+	Payload      map[string]any
+}
+
+type CancelRunRequest struct {
+	JobID  string
+	Reason string
+}
+
+type ClaimNextRequest struct {
+	WorkerType string
+	WorkerID   string
+}
+
+type UpdateProgressRequest struct {
+	JobID      string
+	WorkerID   string
+	Phase      string
+	Summary    string
+	Percentage int
+	Steps      []entity.StepProgress
+}
+
+type CompleteRunRequest struct {
+	JobID    string
+	WorkerID string
+	Result   map[string]any
+}
+
+type FailRunRequest struct {
+	JobID    string
+	WorkerID string
+	Error    string
+	Phase    string
+}
+
+type AcknowledgeCancelRequest struct {
+	JobID    string
+	WorkerID string
+}
+
+type UpsertTemplateRequest struct {
+	Type              string
+	Version           int
+	Name              string
+	Description       string
+	Enabled           bool
+	Repeatable        bool
+	ConcurrencyPolicy string
+	DedupeKeys        []string
+	TimeoutSeconds    int
+	CancelPolicy      entity.CancelPolicy
+	RetryPolicy       entity.RetryPolicy
+	Steps             []entity.TemplateStep
+}
+
+type CreateScheduleRequest struct {
+	TemplateType    string
+	Scope           string
+	ScopeID         string
+	Cron            string
+	Timezone        string
+	PayloadTemplate map[string]any
+	Enabled         bool
+}
+
+type UpdateScheduleRequest struct {
+	ID              string
+	Cron            string
+	Timezone        string
+	PayloadTemplate map[string]any
+	Enabled         *bool
+}
+
+type UseCase interface {
+	ListTemplates(ctx context.Context) ([]*entity.Template, error)
+	GetTemplate(ctx context.Context, templateType string) (*entity.Template, error)
+	UpsertTemplate(ctx context.Context, req UpsertTemplateRequest) (*entity.Template, error)
+	EnsureDemoTemplate(ctx context.Context) error
+
+	CreateRun(ctx context.Context, req CreateRunRequest) (*entity.Run, error)
+	GetRun(ctx context.Context, jobID string) (*entity.Run, error)
+	ListRuns(ctx context.Context, scope, scopeID string, page, pageSize int64) ([]*entity.Run, int64, int64, int64, int64, error)
+	RequestCancel(ctx context.Context, req CancelRunRequest) (*entity.Run, error)
+	RetryRun(ctx context.Context, jobID string) (*entity.Run, error)
+	ListJobEvents(ctx context.Context, jobID string, limit int64) ([]*entity.Event, error)
+
+	ClaimNext(ctx context.Context, req ClaimNextRequest) (*entity.Run, error)
+	RefreshRunLock(ctx context.Context, jobID, workerID string, ttlSeconds int) error
+	IsCancelRequested(ctx context.Context, jobID string) (bool, error)
+	AcknowledgeCancel(ctx context.Context, req AcknowledgeCancelRequest) (*entity.Run, error)
+	UpdateProgress(ctx context.Context, req UpdateProgressRequest) (*entity.Run, error)
+	CompleteRun(ctx context.Context, req CompleteRunRequest) (*entity.Run, error)
+	FailRun(ctx context.Context, req FailRunRequest) (*entity.Run, error)
+
+	ListSchedules(ctx context.Context, scope, scopeID string, page, pageSize int64) ([]*entity.Schedule, int64, int64, int64, int64, error)
+	GetSchedule(ctx context.Context, scheduleID string) (*entity.Schedule, error)
+	CreateSchedule(ctx context.Context, req CreateScheduleRequest) (*entity.Schedule, error)
+	UpdateSchedule(ctx context.Context, req UpdateScheduleRequest) (*entity.Schedule, error)
+	EnableSchedule(ctx context.Context, scheduleID string) (*entity.Schedule, error)
+	DisableSchedule(ctx context.Context, scheduleID string) (*entity.Schedule, error)
+
+	RunSchedulerTick(ctx context.Context, holder string) (int, error)
+	RunMaintenance(ctx context.Context) (MaintenanceResult, error)
+}
+
+type MaintenanceResult struct {
+	EnqueuedPending    int
+	ReapedCancelGrace  int
+	ReapedExpiredLocks int
+}
diff --git a/haixun-backend/internal/model/job/repository/mongo_event.go b/haixun-backend/internal/model/job/repository/mongo_event.go
new file mode 100644
index 0000000..43acf32
--- /dev/null
+++ b/haixun-backend/internal/model/job/repository/mongo_event.go
@@ -0,0 +1,71 @@
+package repository
+
+import (
+	"context"
+
+	"haixun-backend/internal/library/clock"
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/model/job/domain/entity"
+	domrepo "haixun-backend/internal/model/job/domain/repository"
+
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/mongo"
+	"go.mongodb.org/mongo-driver/mongo/options"
+)
+
+type mongoEventRepository struct {
+	collection *mongo.Collection
+}
+
+func NewMongoEventRepository(db *mongo.Database) domrepo.EventRepository {
+	if db == nil {
+		return &mongoEventRepository{}
+	}
+	return &mongoEventRepository{collection: db.Collection(entity.EventCollectionName)}
+}
+
+func (r *mongoEventRepository) EnsureIndexes(ctx context.Context) error {
+	if r.collection == nil {
+		return nil
+	}
+	_, err := r.collection.Indexes().CreateOne(ctx, mongo.IndexModel{
+		Keys: bson.D{{Key: "job_id", Value: 1}, {Key: "create_at", Value: -1}},
+	})
+	return err
+}
+
+func (r *mongoEventRepository) Append(ctx context.Context, event *entity.Event) error {
+	if r.collection == nil {
+		return app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	if event.CreateAt == 0 {
+		event.CreateAt = clock.NowUnixNano()
+	}
+	_, err := r.collection.InsertOne(ctx, event)
+	return err
+}
+
+func (r *mongoEventRepository) ListByJobID(ctx context.Context, jobID string, limit int64) ([]*entity.Event, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	if limit <= 0 {
+		limit = 50
+	}
+	cursor, err := r.collection.Find(
+		ctx,
+		bson.M{"job_id": jobID},
+		options.Find().SetSort(bson.D{{Key: "create_at", Value: -1}}).SetLimit(limit),
+	)
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+
+	var items []*entity.Event
+	if err := cursor.All(ctx, &items); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
diff --git a/haixun-backend/internal/model/job/repository/mongo_run.go b/haixun-backend/internal/model/job/repository/mongo_run.go
new file mode 100644
index 0000000..0bab8ed
--- /dev/null
+++ b/haixun-backend/internal/model/job/repository/mongo_run.go
@@ -0,0 +1,317 @@
+package repository
+
+import (
+	"context"
+
+	"haixun-backend/internal/library/clock"
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/model/job/domain/entity"
+	"haixun-backend/internal/model/job/domain/enum"
+	domrepo "haixun-backend/internal/model/job/domain/repository"
+
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/bson/primitive"
+	"go.mongodb.org/mongo-driver/mongo"
+	"go.mongodb.org/mongo-driver/mongo/options"
+)
+
+type mongoRunRepository struct {
+	collection *mongo.Collection
+}
+
+func NewMongoRunRepository(db *mongo.Database) domrepo.RunRepository {
+	if db == nil {
+		return &mongoRunRepository{}
+	}
+	return &mongoRunRepository{collection: db.Collection(entity.RunCollectionName)}
+}
+
+func (r *mongoRunRepository) EnsureIndexes(ctx context.Context) error {
+	if r.collection == nil {
+		return nil
+	}
+	models := []mongo.IndexModel{
+		{Keys: bson.D{{Key: "template_type", Value: 1}, {Key: "scope", Value: 1}, {Key: "scope_id", Value: 1}, {Key: "status", Value: 1}}},
+		{Keys: bson.D{{Key: "create_at", Value: -1}}},
+		{Keys: bson.D{{Key: "dedupe_key", Value: 1}}},
+	}
+	_, err := r.collection.Indexes().CreateMany(ctx, models)
+	return err
+}
+
+func (r *mongoRunRepository) Create(ctx context.Context, run *entity.Run) (*entity.Run, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	now := clock.NowUnixNano()
+	run.CreateAt = now
+	run.UpdateAt = now
+	res, err := r.collection.InsertOne(ctx, run)
+	if err != nil {
+		return nil, err
+	}
+	run.ID = res.InsertedID.(primitive.ObjectID)
+	return run, nil
+}
+
+func (r *mongoRunRepository) Update(ctx context.Context, run *entity.Run) (*entity.Run, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	run.UpdateAt = clock.NowUnixNano()
+	filter := bson.M{"_id": run.ID}
+	update, err := runSet(run)
+	if err != nil {
+		return nil, err
+	}
+	opts := options.FindOneAndUpdate().SetReturnDocument(options.After)
+	var out entity.Run
+	err = r.collection.FindOneAndUpdate(ctx, filter, update, opts).Decode(&out)
+	if err == mongo.ErrNoDocuments {
+		return nil, app.For(code.Job).ResNotFound("job run not found")
+	}
+	if err != nil {
+		return nil, err
+	}
+	return &out, nil
+}
+
+func (r *mongoRunRepository) UpdateIfStatus(ctx context.Context, run *entity.Run, allowed []enum.RunStatus) (*entity.Run, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	if len(allowed) == 0 {
+		return nil, app.For(code.Job).ResInvalidState("allowed statuses are required")
+	}
+	run.UpdateAt = clock.NowUnixNano()
+	filter := bson.M{"_id": run.ID, "status": bson.M{"$in": allowed}}
+	return r.updateWithFilter(ctx, filter, run)
+}
+
+func (r *mongoRunRepository) UpdateIfLocked(ctx context.Context, run *entity.Run, workerID string, allowed []enum.RunStatus) (*entity.Run, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	if workerID == "" {
+		return nil, app.For(code.Job).InputMissingRequired("worker id is required")
+	}
+	if len(allowed) == 0 {
+		return nil, app.For(code.Job).ResInvalidState("allowed statuses are required")
+	}
+	run.UpdateAt = clock.NowUnixNano()
+	filter := bson.M{
+		"_id":       run.ID,
+		"locked_by": workerID,
+		"status":    bson.M{"$in": allowed},
+	}
+	return r.updateWithFilter(ctx, filter, run)
+}
+
+func (r *mongoRunRepository) updateWithFilter(ctx context.Context, filter bson.M, run *entity.Run) (*entity.Run, error) {
+	update, err := runSet(run)
+	if err != nil {
+		return nil, err
+	}
+	opts := options.FindOneAndUpdate().SetReturnDocument(options.After)
+	var out entity.Run
+	err = r.collection.FindOneAndUpdate(ctx, filter, update, opts).Decode(&out)
+	if err == mongo.ErrNoDocuments {
+		return nil, app.For(code.Job).ResInvalidState("job state changed; update rejected")
+	}
+	if err != nil {
+		return nil, err
+	}
+	return &out, nil
+}
+
+func runSet(run *entity.Run) (bson.M, error) {
+	raw, err := bson.Marshal(run)
+	if err != nil {
+		return nil, err
+	}
+	set := bson.M{}
+	if err := bson.Unmarshal(raw, &set); err != nil {
+		return nil, err
+	}
+	delete(set, "_id")
+	return bson.M{"$set": set}, nil
+}
+
+func (r *mongoRunRepository) FindByID(ctx context.Context, id string) (*entity.Run, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	objectID, err := primitive.ObjectIDFromHex(id)
+	if err != nil {
+		return nil, app.For(code.Job).InputInvalidFormat("invalid job id")
+	}
+	var run entity.Run
+	err = r.collection.FindOne(ctx, bson.M{"_id": objectID}).Decode(&run)
+	if err == mongo.ErrNoDocuments {
+		return nil, app.For(code.Job).ResNotFound("job run not found")
+	}
+	if err != nil {
+		return nil, err
+	}
+	return &run, nil
+}
+
+func (r *mongoRunRepository) List(ctx context.Context, filter domrepo.RunListFilter, offset, limit int64) ([]*entity.Run, int64, error) {
+	if r.collection == nil {
+		return nil, 0, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	query := bson.M{}
+	if filter.Scope != "" {
+		query["scope"] = filter.Scope
+	}
+	if filter.ScopeID != "" {
+		query["scope_id"] = filter.ScopeID
+	}
+	if len(filter.Statuses) > 0 {
+		query["status"] = bson.M{"$in": filter.Statuses}
+	}
+
+	total, err := r.collection.CountDocuments(ctx, query)
+	if err != nil {
+		return nil, 0, err
+	}
+	cursor, err := r.collection.Find(
+		ctx,
+		query,
+		options.Find().SetSort(bson.D{{Key: "create_at", Value: -1}}).SetSkip(offset).SetLimit(limit),
+	)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer cursor.Close(ctx)
+
+	var items []*entity.Run
+	if err := cursor.All(ctx, &items); err != nil {
+		return nil, 0, err
+	}
+	return items, total, nil
+}
+
+func (r *mongoRunRepository) FindActiveByScope(ctx context.Context, templateType, scope, scopeID string) ([]*entity.Run, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	active := []enum.RunStatus{
+		enum.RunStatusPending,
+		enum.RunStatusQueued,
+		enum.RunStatusRunning,
+		enum.RunStatusWaitingWorker,
+		enum.RunStatusCancelRequested,
+	}
+	cursor, err := r.collection.Find(ctx, bson.M{
+		"template_type": templateType,
+		"scope":         scope,
+		"scope_id":      scopeID,
+		"status":        bson.M{"$in": active},
+	})
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+
+	var items []*entity.Run
+	if err := cursor.All(ctx, &items); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+func (r *mongoRunRepository) FindSucceededByDedupeKey(ctx context.Context, templateType, dedupeKey string) (*entity.Run, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	var run entity.Run
+	err := r.collection.FindOne(ctx, bson.M{
+		"template_type": templateType,
+		"dedupe_key":    dedupeKey,
+		"status":        enum.RunStatusSucceeded,
+	}).Decode(&run)
+	if err == mongo.ErrNoDocuments {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, err
+	}
+	return &run, nil
+}
+
+func (r *mongoRunRepository) FindPendingDue(ctx context.Context, now int64, limit int64) ([]*entity.Run, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	if limit <= 0 {
+		limit = 50
+	}
+	cursor, err := r.collection.Find(ctx, bson.M{
+		"status": enum.RunStatusPending,
+		"scheduled_at": bson.M{
+			"$lte": now,
+			"$ne":  nil,
+		},
+	}, options.Find().SetSort(bson.D{{Key: "scheduled_at", Value: 1}}).SetLimit(limit))
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+	var items []*entity.Run
+	if err := cursor.All(ctx, &items); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+func (r *mongoRunRepository) FindCancelRequestedBefore(ctx context.Context, before int64, limit int64) ([]*entity.Run, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	if limit <= 0 {
+		limit = 50
+	}
+	cursor, err := r.collection.Find(ctx, bson.M{
+		"status": enum.RunStatusCancelRequested,
+		"cancel_requested_at": bson.M{
+			"$lte": before,
+			"$ne":  nil,
+		},
+	}, options.Find().SetSort(bson.D{{Key: "cancel_requested_at", Value: 1}}).SetLimit(limit))
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+	var items []*entity.Run
+	if err := cursor.All(ctx, &items); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+func (r *mongoRunRepository) FindRunningTimedOut(ctx context.Context, now int64, limit int64) ([]*entity.Run, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	if limit <= 0 {
+		limit = 50
+	}
+	cursor, err := r.collection.Find(ctx, bson.M{
+		"status": bson.M{"$in": []enum.RunStatus{enum.RunStatusRunning, enum.RunStatusWaitingWorker}},
+		"locked_until": bson.M{
+			"$lte": now,
+			"$ne":  nil,
+		},
+	}, options.Find().SetSort(bson.D{{Key: "locked_until", Value: 1}}).SetLimit(limit))
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+	var items []*entity.Run
+	if err := cursor.All(ctx, &items); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
diff --git a/haixun-backend/internal/model/job/repository/mongo_schedule.go b/haixun-backend/internal/model/job/repository/mongo_schedule.go
new file mode 100644
index 0000000..51e2a09
--- /dev/null
+++ b/haixun-backend/internal/model/job/repository/mongo_schedule.go
@@ -0,0 +1,145 @@
+package repository
+
+import (
+	"context"
+
+	"haixun-backend/internal/library/clock"
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/model/job/domain/entity"
+	domrepo "haixun-backend/internal/model/job/domain/repository"
+
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/bson/primitive"
+	"go.mongodb.org/mongo-driver/mongo"
+	"go.mongodb.org/mongo-driver/mongo/options"
+)
+
+type mongoScheduleRepository struct {
+	collection *mongo.Collection
+}
+
+func NewMongoScheduleRepository(db *mongo.Database) domrepo.ScheduleRepository {
+	if db == nil {
+		return &mongoScheduleRepository{}
+	}
+	return &mongoScheduleRepository{collection: db.Collection(entity.ScheduleCollectionName)}
+}
+
+func (r *mongoScheduleRepository) EnsureIndexes(ctx context.Context) error {
+	if r.collection == nil {
+		return nil
+	}
+	models := []mongo.IndexModel{
+		{Keys: bson.D{{Key: "enabled", Value: 1}, {Key: "next_run_at", Value: 1}}},
+		{Keys: bson.D{{Key: "template_type", Value: 1}, {Key: "scope", Value: 1}, {Key: "scope_id", Value: 1}}},
+	}
+	_, err := r.collection.Indexes().CreateMany(ctx, models)
+	return err
+}
+
+func (r *mongoScheduleRepository) Create(ctx context.Context, schedule *entity.Schedule) (*entity.Schedule, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	now := clock.NowUnixNano()
+	schedule.CreateAt = now
+	schedule.UpdateAt = now
+	res, err := r.collection.InsertOne(ctx, schedule)
+	if err != nil {
+		return nil, err
+	}
+	schedule.ID = res.InsertedID.(primitive.ObjectID)
+	return schedule, nil
+}
+
+func (r *mongoScheduleRepository) Update(ctx context.Context, schedule *entity.Schedule) (*entity.Schedule, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	schedule.UpdateAt = clock.NowUnixNano()
+	filter := bson.M{"_id": schedule.ID}
+	update := bson.M{"$set": schedule}
+	opts := options.FindOneAndUpdate().SetReturnDocument(options.After)
+	var out entity.Schedule
+	err := r.collection.FindOneAndUpdate(ctx, filter, update, opts).Decode(&out)
+	if err == mongo.ErrNoDocuments {
+		return nil, app.For(code.Job).ResNotFound("job schedule not found")
+	}
+	if err != nil {
+		return nil, err
+	}
+	return &out, nil
+}
+
+func (r *mongoScheduleRepository) FindByID(ctx context.Context, id string) (*entity.Schedule, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	objectID, err := primitive.ObjectIDFromHex(id)
+	if err != nil {
+		return nil, app.For(code.Job).InputInvalidFormat("invalid schedule id")
+	}
+	var schedule entity.Schedule
+	err = r.collection.FindOne(ctx, bson.M{"_id": objectID}).Decode(&schedule)
+	if err == mongo.ErrNoDocuments {
+		return nil, app.For(code.Job).ResNotFound("job schedule not found")
+	}
+	if err != nil {
+		return nil, err
+	}
+	return &schedule, nil
+}
+
+func (r *mongoScheduleRepository) List(ctx context.Context, filter domrepo.ScheduleListFilter, offset, limit int64) ([]*entity.Schedule, int64, error) {
+	if r.collection == nil {
+		return nil, 0, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	query := bson.M{}
+	if filter.Scope != "" {
+		query["scope"] = filter.Scope
+	}
+	if filter.ScopeID != "" {
+		query["scope_id"] = filter.ScopeID
+	}
+	total, err := r.collection.CountDocuments(ctx, query)
+	if err != nil {
+		return nil, 0, err
+	}
+	cursor, err := r.collection.Find(
+		ctx,
+		query,
+		options.Find().SetSort(bson.D{{Key: "next_run_at", Value: 1}}).SetSkip(offset).SetLimit(limit),
+	)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer cursor.Close(ctx)
+	var items []*entity.Schedule
+	if err := cursor.All(ctx, &items); err != nil {
+		return nil, 0, err
+	}
+	return items, total, nil
+}
+
+func (r *mongoScheduleRepository) FindDue(ctx context.Context, now int64, limit int64) ([]*entity.Schedule, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	if limit <= 0 {
+		limit = 50
+	}
+	cursor, err := r.collection.Find(ctx, bson.M{
+		"enabled":     true,
+		"next_run_at": bson.M{"$lte": now},
+	}, options.Find().SetSort(bson.D{{Key: "next_run_at", Value: 1}}).SetLimit(limit))
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+	var items []*entity.Schedule
+	if err := cursor.All(ctx, &items); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
diff --git a/haixun-backend/internal/model/job/repository/mongo_template.go b/haixun-backend/internal/model/job/repository/mongo_template.go
new file mode 100644
index 0000000..d84508b
--- /dev/null
+++ b/haixun-backend/internal/model/job/repository/mongo_template.go
@@ -0,0 +1,90 @@
+package repository
+
+import (
+	"context"
+
+	"haixun-backend/internal/library/clock"
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/model/job/domain/entity"
+	domrepo "haixun-backend/internal/model/job/domain/repository"
+
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/mongo"
+	"go.mongodb.org/mongo-driver/mongo/options"
+)
+
+type mongoTemplateRepository struct {
+	collection *mongo.Collection
+}
+
+func NewMongoTemplateRepository(db *mongo.Database) domrepo.TemplateRepository {
+	if db == nil {
+		return &mongoTemplateRepository{}
+	}
+	return &mongoTemplateRepository{collection: db.Collection(entity.TemplateCollectionName)}
+}
+
+func (r *mongoTemplateRepository) EnsureIndexes(ctx context.Context) error {
+	if r.collection == nil {
+		return nil
+	}
+	_, err := r.collection.Indexes().CreateOne(ctx, mongo.IndexModel{
+		Keys:    bson.D{{Key: "type", Value: 1}},
+		Options: options.Index().SetUnique(true),
+	})
+	return err
+}
+
+func (r *mongoTemplateRepository) List(ctx context.Context) ([]*entity.Template, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	cursor, err := r.collection.Find(ctx, bson.M{}, options.Find().SetSort(bson.D{{Key: "type", Value: 1}}))
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+
+	var items []*entity.Template
+	if err := cursor.All(ctx, &items); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+func (r *mongoTemplateRepository) FindByType(ctx context.Context, templateType string) (*entity.Template, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	var item entity.Template
+	err := r.collection.FindOne(ctx, bson.M{"type": templateType}).Decode(&item)
+	if err == mongo.ErrNoDocuments {
+		return nil, app.For(code.Job).ResNotFound("job template not found")
+	}
+	if err != nil {
+		return nil, err
+	}
+	return &item, nil
+}
+
+func (r *mongoTemplateRepository) Upsert(ctx context.Context, template *entity.Template) (*entity.Template, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Job).DBUnavailable("Mongo is not configured")
+	}
+	now := clock.NowUnixNano()
+	if template.CreateAt == 0 {
+		template.CreateAt = now
+	}
+	template.UpdateAt = now
+
+	filter := bson.M{"type": template.Type}
+	update := bson.M{"$set": template}
+	opts := options.FindOneAndUpdate().SetUpsert(true).SetReturnDocument(options.After)
+	var out entity.Template
+	err := r.collection.FindOneAndUpdate(ctx, filter, update, opts).Decode(&out)
+	if err != nil {
+		return nil, err
+	}
+	return &out, nil
+}
diff --git a/haixun-backend/internal/model/job/repository/redis_queue.go b/haixun-backend/internal/model/job/repository/redis_queue.go
new file mode 100644
index 0000000..6085e09
--- /dev/null
+++ b/haixun-backend/internal/model/job/repository/redis_queue.go
@@ -0,0 +1,220 @@
+package repository
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	domrepo "haixun-backend/internal/model/job/domain/repository"
+
+	goredis "github.com/redis/go-redis/v9"
+)
+
+const (
+	queueKeyPrefix   = "jobs:queue:"
+	lockKeyPrefix    = "jobs:lock:"
+	cancelKeyPrefix  = "jobs:cancel:"
+	dedupeKeyPrefix  = "jobs:dedupe:"
+	schedulerLockKey = "jobs:scheduler:lock"
+)
+
+type redisQueueRepository struct {
+	client *goredis.Client
+}
+
+func NewRedisQueueRepository(client *goredis.Client) domrepo.QueueRepository {
+	return &redisQueueRepository{client: client}
+}
+
+func (r *redisQueueRepository) requireRedis() error {
+	if r.client == nil {
+		return app.For(code.Job).DBUnavailable("Redis is not configured")
+	}
+	return nil
+}
+
+func queueKey(workerType string) string {
+	return queueKeyPrefix + workerType
+}
+
+func lockKey(jobID string) string {
+	return lockKeyPrefix + jobID
+}
+
+func cancelKey(jobID string) string {
+	return cancelKeyPrefix + jobID
+}
+
+func (r *redisQueueRepository) Enqueue(ctx context.Context, workerType, jobID string) error {
+	if err := r.requireRedis(); err != nil {
+		return err
+	}
+	return r.client.LPush(ctx, queueKey(workerType), jobID).Err()
+}
+
+func (r *redisQueueRepository) Dequeue(ctx context.Context, workerType string, timeoutSeconds int) (string, error) {
+	if err := r.requireRedis(); err != nil {
+		return "", err
+	}
+	if timeoutSeconds <= 0 {
+		timeoutSeconds = 2
+	}
+	result, err := r.client.BRPop(ctx, time.Duration(timeoutSeconds)*time.Second, queueKey(workerType)).Result()
+	if err == goredis.Nil {
+		return "", nil
+	}
+	if err != nil {
+		return "", err
+	}
+	if len(result) < 2 {
+		return "", nil
+	}
+	return result[1], nil
+}
+
+func (r *redisQueueRepository) RemoveJob(ctx context.Context, workerType, jobID string) error {
+	if err := r.requireRedis(); err != nil {
+		return err
+	}
+	return r.client.LRem(ctx, queueKey(workerType), 0, jobID).Err()
+}
+
+func (r *redisQueueRepository) SetCancelSignal(ctx context.Context, jobID, reason string) error {
+	if err := r.requireRedis(); err != nil {
+		return err
+	}
+	payload := reason
+	if payload == "" {
+		payload = "cancel_requested"
+	}
+	return r.client.Set(ctx, cancelKey(jobID), payload, 24*time.Hour).Err()
+}
+
+func (r *redisQueueRepository) GetCancelSignal(ctx context.Context, jobID string) (bool, string, error) {
+	if err := r.requireRedis(); err != nil {
+		return false, "", err
+	}
+	value, err := r.client.Get(ctx, cancelKey(jobID)).Result()
+	if err == goredis.Nil {
+		return false, "", nil
+	}
+	if err != nil {
+		return false, "", err
+	}
+	return true, value, nil
+}
+
+func (r *redisQueueRepository) ClearCancelSignal(ctx context.Context, jobID string) error {
+	if err := r.requireRedis(); err != nil {
+		return err
+	}
+	return r.client.Del(ctx, cancelKey(jobID)).Err()
+}
+
+func (r *redisQueueRepository) TryLock(ctx context.Context, jobID, workerID string, ttlSeconds int) (bool, error) {
+	if err := r.requireRedis(); err != nil {
+		return false, err
+	}
+	if ttlSeconds <= 0 {
+		ttlSeconds = 300
+	}
+	ok, err := r.client.SetNX(ctx, lockKey(jobID), workerID, time.Duration(ttlSeconds)*time.Second).Result()
+	if err != nil {
+		return false, err
+	}
+	return ok, nil
+}
+
+func (r *redisQueueRepository) ReleaseLock(ctx context.Context, jobID, workerID string) error {
+	if err := r.requireRedis(); err != nil {
+		return err
+	}
+	if workerID == "" {
+		return app.For(code.Job).InputMissingRequired("worker id is required")
+	}
+	const script = `
+if redis.call("GET", KEYS[1]) == ARGV[1] then
+  return redis.call("DEL", KEYS[1])
+end
+return 0
+`
+	return r.client.Eval(ctx, script, []string{lockKey(jobID)}, workerID).Err()
+}
+
+func dedupeRedisKey(templateType, dedupeHash string) string {
+	return dedupeKeyPrefix + templateType + ":" + dedupeHash
+}
+
+func (r *redisQueueRepository) TryAcquireDedupe(ctx context.Context, templateType, dedupeHash, jobID string, ttlSeconds int) (bool, error) {
+	if err := r.requireRedis(); err != nil {
+		return false, err
+	}
+	if ttlSeconds <= 0 {
+		ttlSeconds = 3600
+	}
+	ok, err := r.client.SetNX(ctx, dedupeRedisKey(templateType, dedupeHash), jobID, time.Duration(ttlSeconds)*time.Second).Result()
+	return ok, err
+}
+
+func (r *redisQueueRepository) ReleaseDedupe(ctx context.Context, templateType, dedupeHash string) error {
+	if err := r.requireRedis(); err != nil {
+		return err
+	}
+	return r.client.Del(ctx, dedupeRedisKey(templateType, dedupeHash)).Err()
+}
+
+func (r *redisQueueRepository) TrySchedulerLock(ctx context.Context, holder string, ttlSeconds int) (bool, error) {
+	if err := r.requireRedis(); err != nil {
+		return false, err
+	}
+	if ttlSeconds <= 0 {
+		ttlSeconds = 60
+	}
+	ok, err := r.client.SetNX(ctx, schedulerLockKey, holder, time.Duration(ttlSeconds)*time.Second).Result()
+	return ok, err
+}
+
+func (r *redisQueueRepository) ReleaseSchedulerLock(ctx context.Context, holder string) error {
+	if err := r.requireRedis(); err != nil {
+		return err
+	}
+	current, err := r.client.Get(ctx, schedulerLockKey).Result()
+	if err == goredis.Nil {
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+	if current != holder {
+		return nil
+	}
+	return r.client.Del(ctx, schedulerLockKey).Err()
+}
+
+func (r *redisQueueRepository) RefreshLock(ctx context.Context, jobID, workerID string, ttlSeconds int) error {
+	if err := r.requireRedis(); err != nil {
+		return err
+	}
+	if workerID == "" {
+		return app.For(code.Job).InputMissingRequired("worker id is required")
+	}
+	if ttlSeconds <= 0 {
+		ttlSeconds = 300
+	}
+	const script = `
+if redis.call("GET", KEYS[1]) == ARGV[1] then
+  return redis.call("EXPIRE", KEYS[1], ARGV[2])
+end
+return 0
+`
+	result, err := r.client.Eval(ctx, script, []string{lockKey(jobID)}, workerID, ttlSeconds).Int()
+	if err != nil {
+		return err
+	}
+	if result == 0 {
+		return app.For(code.Job).ResInvalidState(fmt.Sprintf("job lock is not held by worker %s", workerID))
+	}
+	return nil
+}
diff --git a/haixun-backend/internal/model/job/repository/redis_queue_test.go b/haixun-backend/internal/model/job/repository/redis_queue_test.go
new file mode 100644
index 0000000..5449f4e
--- /dev/null
+++ b/haixun-backend/internal/model/job/repository/redis_queue_test.go
@@ -0,0 +1,71 @@
+package repository
+
+import (
+	"context"
+	"testing"
+
+	goredis "github.com/redis/go-redis/v9"
+)
+
+func TestRedisQueue_DedupeAndSchedulerLock(t *testing.T) {
+	ctx := context.Background()
+	client := goredis.NewClient(&goredis.Options{Addr: "127.0.0.1:6379"})
+	if err := client.Ping(ctx).Err(); err != nil {
+		t.Skip("redis not available:", err)
+	}
+	defer client.Close()
+
+	repo := NewRedisQueueRepository(client)
+	ok, err := repo.TryAcquireDedupe(ctx, "demo", "hash1", "job-1", 60)
+	if err != nil || !ok {
+		t.Fatalf("TryAcquireDedupe() = %v, %v", ok, err)
+	}
+	ok, err = repo.TryAcquireDedupe(ctx, "demo", "hash1", "job-2", 60)
+	if err != nil || ok {
+		t.Fatalf("duplicate TryAcquireDedupe() = %v, %v", ok, err)
+	}
+	if err := repo.ReleaseDedupe(ctx, "demo", "hash1"); err != nil {
+		t.Fatalf("ReleaseDedupe() error = %v", err)
+	}
+
+	ok, err = repo.TrySchedulerLock(ctx, "holder-a", 30)
+	if err != nil || !ok {
+		t.Fatalf("TrySchedulerLock() = %v, %v", ok, err)
+	}
+	ok, err = repo.TrySchedulerLock(ctx, "holder-b", 30)
+	if err != nil || ok {
+		t.Fatalf("duplicate TrySchedulerLock() = %v, %v", ok, err)
+	}
+	_ = repo.ReleaseSchedulerLock(ctx, "holder-a")
+}
+
+func TestRedisQueue_LockOwnerGuards(t *testing.T) {
+	ctx := context.Background()
+	client := goredis.NewClient(&goredis.Options{Addr: "127.0.0.1:6379"})
+	if err := client.Ping(ctx).Err(); err != nil {
+		t.Skip("redis not available:", err)
+	}
+	defer client.Close()
+
+	repo := NewRedisQueueRepository(client)
+	jobID := "owner-guard-job"
+	_ = client.Del(ctx, lockKey(jobID))
+
+	ok, err := repo.TryLock(ctx, jobID, "worker-a", 30)
+	if err != nil || !ok {
+		t.Fatalf("TryLock() = %v, %v", ok, err)
+	}
+	if err := repo.ReleaseLock(ctx, jobID, "worker-b"); err != nil {
+		t.Fatalf("ReleaseLock(worker-b) error = %v", err)
+	}
+	if value, err := client.Get(ctx, lockKey(jobID)).Result(); err != nil || value != "worker-a" {
+		t.Fatalf("lock value after wrong release = %q, %v", value, err)
+	}
+	if err := repo.RefreshLock(ctx, jobID, "worker-b", 30); err == nil {
+		t.Fatal("RefreshLock(worker-b) error = nil, want error")
+	}
+	if err := repo.ReleaseLock(ctx, jobID, "worker-a"); err != nil {
+		t.Fatalf("ReleaseLock(worker-a) error = %v", err)
+	}
+	_ = client.Del(ctx, lockKey(jobID))
+}
diff --git a/haixun-backend/internal/model/job/resume/resume.go b/haixun-backend/internal/model/job/resume/resume.go
new file mode 100644
index 0000000..413f5fe
--- /dev/null
+++ b/haixun-backend/internal/model/job/resume/resume.go
@@ -0,0 +1,69 @@
+package resume
+
+import (
+	"haixun-backend/internal/model/job/domain/entity"
+	"haixun-backend/internal/model/job/domain/enum"
+)
+
+func ShouldSkipStep(status enum.StepStatus) bool {
+	return status == enum.StepStatusSucceeded
+}
+
+func StepProgressByID(steps []entity.StepProgress, stepID string) *entity.StepProgress {
+	for i := range steps {
+		if steps[i].ID == stepID {
+			return &steps[i]
+		}
+	}
+	return nil
+}
+
+func PrepareStepsForRetry(steps []entity.StepProgress) []entity.StepProgress {
+	out := make([]entity.StepProgress, len(steps))
+	for i, step := range steps {
+		out[i] = step
+		if step.Status == enum.StepStatusSucceeded {
+			continue
+		}
+		out[i].Status = enum.StepStatusPending
+		out[i].StartedAt = nil
+		out[i].EndedAt = nil
+		out[i].Message = ""
+	}
+	return out
+}
+
+func FirstResumablePhase(steps []entity.StepProgress) string {
+	for _, step := range steps {
+		if step.Status != enum.StepStatusSucceeded {
+			return step.ID
+		}
+	}
+	if len(steps) == 0 {
+		return ""
+	}
+	return steps[len(steps)-1].ID
+}
+
+func CalcProgressPercentage(steps []entity.StepProgress) int {
+	if len(steps) == 0 {
+		return 0
+	}
+	done := 0
+	for _, step := range steps {
+		if step.Status == enum.StepStatusSucceeded {
+			done++
+		}
+	}
+	return (done * 100) / len(steps)
+}
+
+func CountSucceededSteps(steps []entity.StepProgress) int {
+	count := 0
+	for _, step := range steps {
+		if step.Status == enum.StepStatusSucceeded {
+			count++
+		}
+	}
+	return count
+}
diff --git a/haixun-backend/internal/model/job/resume/resume_test.go b/haixun-backend/internal/model/job/resume/resume_test.go
new file mode 100644
index 0000000..2229b6e
--- /dev/null
+++ b/haixun-backend/internal/model/job/resume/resume_test.go
@@ -0,0 +1,46 @@
+package resume
+
+import (
+	"testing"
+
+	"haixun-backend/internal/model/job/domain/entity"
+	"haixun-backend/internal/model/job/domain/enum"
+)
+
+func TestPrepareStepsForRetry_PreservesSucceeded(t *testing.T) {
+	started := int64(100)
+	ended := int64(200)
+	steps := []entity.StepProgress{
+		{ID: "prepare", Status: enum.StepStatusSucceeded, StartedAt: &started, EndedAt: &ended, Message: "done"},
+		{ID: "execute", Status: enum.StepStatusFailed, Message: "boom"},
+	}
+	out := PrepareStepsForRetry(steps)
+	if out[0].Status != enum.StepStatusSucceeded {
+		t.Fatalf("prepare status = %s", out[0].Status)
+	}
+	if out[1].Status != enum.StepStatusPending {
+		t.Fatalf("execute status = %s", out[1].Status)
+	}
+	if out[1].Message != "" {
+		t.Fatalf("execute message = %q", out[1].Message)
+	}
+}
+
+func TestFirstResumablePhase(t *testing.T) {
+	steps := []entity.StepProgress{
+		{ID: "prepare", Status: enum.StepStatusSucceeded},
+		{ID: "execute", Status: enum.StepStatusPending},
+	}
+	if got := FirstResumablePhase(steps); got != "execute" {
+		t.Fatalf("phase = %s, want execute", got)
+	}
+}
+
+func TestShouldSkipStep(t *testing.T) {
+	if !ShouldSkipStep(enum.StepStatusSucceeded) {
+		t.Fatal("succeeded should be skipped")
+	}
+	if ShouldSkipStep(enum.StepStatusPending) {
+		t.Fatal("pending should not be skipped")
+	}
+}
diff --git a/haixun-backend/internal/model/job/usecase/cancel_test.go b/haixun-backend/internal/model/job/usecase/cancel_test.go
new file mode 100644
index 0000000..36faa96
--- /dev/null
+++ b/haixun-backend/internal/model/job/usecase/cancel_test.go
@@ -0,0 +1,58 @@
+package usecase
+
+import (
+	"context"
+	"testing"
+
+	"haixun-backend/internal/model/job/domain/entity"
+	"haixun-backend/internal/model/job/domain/enum"
+	domusecase "haixun-backend/internal/model/job/domain/usecase"
+	jobrepo "haixun-backend/internal/model/job/repository"
+
+	goredis "github.com/redis/go-redis/v9"
+)
+
+func TestRequestCancel_RunningSetsRedisCancelSignal(t *testing.T) {
+	ctx := context.Background()
+	client := goredis.NewClient(&goredis.Options{Addr: "127.0.0.1:6379"})
+	if err := client.Ping(ctx).Err(); err != nil {
+		t.Skip("redis not available:", err)
+	}
+	defer client.Close()
+
+	jobID := "507f1f77bcf86cd799439011"
+	template := demoTemplate()
+	run := &entity.Run{
+		TemplateType: template.Type,
+		Status:       enum.RunStatusRunning,
+		WorkerType:   string(enum.WorkerTypeGo),
+	}
+
+	uc := NewUseCase(
+		&memoryTemplateRepo{template: template},
+		newMemoryRunRepo(run),
+		&memoryScheduleRepo{},
+		&memoryEventRepo{},
+		jobrepo.NewRedisQueueRepository(client),
+	)
+
+	updated, err := uc.RequestCancel(ctx, domusecase.CancelRunRequest{
+		JobID:  jobID,
+		Reason: "test cancel",
+	})
+	if err != nil {
+		t.Fatalf("RequestCancel() error = %v", err)
+	}
+	if updated.Status != enum.RunStatusCancelRequested {
+		t.Fatalf("status = %s, want cancel_requested", updated.Status)
+	}
+
+	value, err := client.Get(ctx, "jobs:cancel:"+jobID).Result()
+	if err != nil {
+		t.Fatalf("redis cancel key missing: %v", err)
+	}
+	if value != "test cancel" {
+		t.Fatalf("cancel value = %q, want test cancel", value)
+	}
+	_ = client.Del(ctx, "jobs:cancel:"+jobID)
+}
diff --git a/haixun-backend/internal/model/job/usecase/dedupe_test.go b/haixun-backend/internal/model/job/usecase/dedupe_test.go
new file mode 100644
index 0000000..b43c6a4
--- /dev/null
+++ b/haixun-backend/internal/model/job/usecase/dedupe_test.go
@@ -0,0 +1,85 @@
+package usecase
+
+import (
+	"context"
+	"testing"
+
+	"haixun-backend/internal/model/job/domain/entity"
+	"haixun-backend/internal/model/job/domain/enum"
+	domusecase "haixun-backend/internal/model/job/domain/usecase"
+)
+
+func TestCreateRun_BlocksNonRepeatableAfterSuccess(t *testing.T) {
+	ctx := context.Background()
+	template := demoTemplate()
+	template.Repeatable = false
+	template.DedupeKeys = []string{"scope_id"}
+
+	runs := newMemoryRunRepo(nil)
+	queue := newMemoryQueueRepo()
+	uc := testUseCaseFull(template, runs, nil, queue)
+
+	first, err := uc.CreateRun(ctx, domusecase.CreateRunRequest{
+		TemplateType: template.Type,
+		Scope:        "user",
+		ScopeID:      "u1",
+	})
+	if err != nil {
+		t.Fatalf("first CreateRun() error = %v", err)
+	}
+	first.Status = enum.RunStatusSucceeded
+	first.DedupeKey = buildDedupeKey(template, "user", "u1", nil)
+	_, _ = runs.Update(ctx, first)
+
+	_, err = uc.CreateRun(ctx, domusecase.CreateRunRequest{
+		TemplateType: template.Type,
+		Scope:        "user",
+		ScopeID:      "u1",
+	})
+	if err == nil {
+		t.Fatal("expected duplicate completed job error")
+	}
+}
+
+func TestCreateRun_DedupeLeaseBlocksParallel(t *testing.T) {
+	ctx := context.Background()
+	template := demoTemplate()
+	template.Repeatable = true
+	template.DedupeKeys = []string{"scope_id"}
+
+	queue := newMemoryQueueRepo()
+	uc := testUseCaseFull(template, newMemoryRunRepo(nil), nil, queue)
+
+	first, err := uc.CreateRun(ctx, domusecase.CreateRunRequest{
+		TemplateType: template.Type,
+		Scope:        "user",
+		ScopeID:      "u1",
+	})
+	if err != nil {
+		t.Fatalf("first CreateRun() error = %v", err)
+	}
+	if first.Status != enum.RunStatusQueued {
+		t.Fatalf("first status = %s, want queued", first.Status)
+	}
+
+	_, err = uc.CreateRun(ctx, domusecase.CreateRunRequest{
+		TemplateType: template.Type,
+		Scope:        "user",
+		ScopeID:      "u1",
+	})
+	if err == nil {
+		t.Fatal("expected in-progress dedupe error")
+	}
+}
+
+func TestBuildDedupeKey_IncludesScopeID(t *testing.T) {
+	template := &entity.Template{
+		Type:       "demo",
+		DedupeKeys: []string{"scope_id", "target"},
+	}
+	key1 := buildDedupeKey(template, "user", "a", map[string]any{"target": "x"})
+	key2 := buildDedupeKey(template, "user", "b", map[string]any{"target": "x"})
+	if key1 == key2 {
+		t.Fatal("dedupe keys should differ by scope_id")
+	}
+}
diff --git a/haixun-backend/internal/model/job/usecase/helpers.go b/haixun-backend/internal/model/job/usecase/helpers.go
new file mode 100644
index 0000000..c8b87e0
--- /dev/null
+++ b/haixun-backend/internal/model/job/usecase/helpers.go
@@ -0,0 +1,146 @@
+package usecase
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"strings"
+
+	"haixun-backend/internal/library/clock"
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/model/job/domain/entity"
+	"haixun-backend/internal/model/job/domain/enum"
+)
+
+func buildDedupeKey(template *entity.Template, scope, scopeID string, payload map[string]any) string {
+	parts := []string{template.Type, scope}
+	for _, key := range template.DedupeKeys {
+		switch key {
+		case "scope_id":
+			parts = append(parts, scopeID)
+		case "target":
+			if payload != nil {
+				if target, ok := payload["target"].(string); ok {
+					parts = append(parts, target)
+				}
+			}
+		}
+	}
+	raw := strings.Join(parts, "|")
+	sum := sha256.Sum256([]byte(raw))
+	return hex.EncodeToString(sum[:])
+}
+
+func firstPhaseFromTemplateSteps(steps []entity.StepProgress) string {
+	if len(steps) == 0 {
+		return ""
+	}
+	return steps[0].ID
+}
+
+func firstPhaseFromTemplate(template *entity.Template) string {
+	if len(template.Steps) == 0 {
+		return ""
+	}
+	return template.Steps[0].ID
+}
+
+func buildStepProgress(template *entity.Template) []entity.StepProgress {
+	steps := make([]entity.StepProgress, 0, len(template.Steps))
+	for _, step := range template.Steps {
+		steps = append(steps, entity.StepProgress{ID: step.ID, Status: enum.StepStatusPending})
+	}
+	return steps
+}
+
+func workerTypeFromTemplate(template *entity.Template) string {
+	if len(template.Steps) > 0 && strings.TrimSpace(template.Steps[0].WorkerType) != "" {
+		return template.Steps[0].WorkerType
+	}
+	return string(enum.WorkerTypeGo)
+}
+
+func (u *jobUseCase) appendEvent(ctx context.Context, jobID, eventType, from, to, message string, metadata map[string]any) error {
+	return u.events.Append(ctx, &entity.Event{
+		JobID:    jobID,
+		Type:     eventType,
+		From:     from,
+		To:       to,
+		Message:  message,
+		Metadata: metadata,
+	})
+}
+
+func (u *jobUseCase) enqueueRun(ctx context.Context, run *entity.Run) (*entity.Run, error) {
+	jobID := run.ID.Hex()
+	if run.ScheduledAt != nil && *run.ScheduledAt > clock.NowUnixNano() {
+		return run, nil
+	}
+	if err := u.queue.Enqueue(ctx, run.WorkerType, jobID); err != nil {
+		return nil, err
+	}
+	fromStatus := string(run.Status)
+	run.Status = enum.RunStatusQueued
+	updated, err := u.runs.Update(ctx, run)
+	if err != nil {
+		return nil, err
+	}
+	_ = u.appendEvent(ctx, jobID, "status_changed", fromStatus, string(enum.RunStatusQueued), "job enqueued", nil)
+	return updated, nil
+}
+
+func (u *jobUseCase) releaseDedupe(ctx context.Context, run *entity.Run) {
+	if run.DedupeKey == "" {
+		return
+	}
+	_ = u.queue.ReleaseDedupe(ctx, run.TemplateType, run.DedupeKey)
+}
+
+func (u *jobUseCase) enforceDedupe(ctx context.Context, template *entity.Template, dedupeKey string) error {
+	if dedupeKey == "" {
+		return nil
+	}
+	if !template.Repeatable {
+		existing, err := u.runs.FindSucceededByDedupeKey(ctx, template.Type, dedupeKey)
+		if err != nil {
+			return err
+		}
+		if existing != nil {
+			return app.For(code.Job).ResInvalidState("job already completed for dedupe key")
+		}
+	}
+	return nil
+}
+
+func (u *jobUseCase) acquireDedupeLease(ctx context.Context, template *entity.Template, dedupeKey, jobID string) error {
+	if dedupeKey == "" {
+		return nil
+	}
+	ttl := template.TimeoutSeconds
+	if ttl <= 0 {
+		ttl = 3600
+	}
+	ok, err := u.queue.TryAcquireDedupe(ctx, template.Type, dedupeKey, jobID, ttl)
+	if err != nil {
+		return err
+	}
+	if !ok {
+		return app.For(code.Job).ResInvalidState("duplicate job already in progress")
+	}
+	return nil
+}
+
+func retryBackoffSeconds(template *entity.Template, attempt int) int {
+	if len(template.RetryPolicy.BackoffSeconds) == 0 {
+		return 0
+	}
+	idx := attempt - 2
+	if idx < 0 {
+		idx = 0
+	}
+	if idx >= len(template.RetryPolicy.BackoffSeconds) {
+		idx = len(template.RetryPolicy.BackoffSeconds) - 1
+	}
+	return template.RetryPolicy.BackoffSeconds[idx]
+}
diff --git a/haixun-backend/internal/model/job/usecase/maintenance.go b/haixun-backend/internal/model/job/usecase/maintenance.go
new file mode 100644
index 0000000..ca677a1
--- /dev/null
+++ b/haixun-backend/internal/model/job/usecase/maintenance.go
@@ -0,0 +1,76 @@
+package usecase
+
+import (
+	"context"
+
+	"haixun-backend/internal/library/clock"
+	"haixun-backend/internal/model/job/domain/enum"
+	domusecase "haixun-backend/internal/model/job/domain/usecase"
+)
+
+func (u *jobUseCase) RunMaintenance(ctx context.Context) (domusecase.MaintenanceResult, error) {
+	result := domusecase.MaintenanceResult{}
+
+	pending, err := u.runs.FindPendingDue(ctx, clock.NowUnixNano(), 50)
+	if err != nil {
+		return result, err
+	}
+	for _, run := range pending {
+		if _, err := u.enqueueRun(ctx, run); err == nil {
+			result.EnqueuedPending++
+		}
+	}
+
+	now := clock.NowUnixNano()
+	cancelRuns, err := u.runs.FindCancelRequestedBefore(ctx, now, 50)
+	if err != nil {
+		return result, err
+	}
+	for _, run := range cancelRuns {
+		template, err := u.templates.FindByType(ctx, run.TemplateType)
+		if err != nil {
+			continue
+		}
+		grace := clock.SecondsToNanos(template.CancelPolicy.GraceSeconds)
+		if run.CancelRequestedAt == nil || now-*run.CancelRequestedAt < grace {
+			continue
+		}
+		jobID := run.ID.Hex()
+		fromStatus := string(run.Status)
+		run.Status = enum.RunStatusCancelled
+		run.CompletedAt = &now
+		run.Progress.Summary = "cancelled after grace timeout"
+		updated, err := u.runs.Update(ctx, run)
+		if err != nil {
+			continue
+		}
+		_ = u.queue.ReleaseLock(ctx, jobID, run.LockedBy)
+		_ = u.queue.ClearCancelSignal(ctx, jobID)
+		u.releaseDedupe(ctx, updated)
+		_ = u.appendEvent(ctx, jobID, "status_changed", fromStatus, string(enum.RunStatusCancelled), "cancel grace timeout", nil)
+		result.ReapedCancelGrace++
+	}
+
+	expiredRuns, err := u.runs.FindRunningTimedOut(ctx, now, 50)
+	if err != nil {
+		return result, err
+	}
+	for _, run := range expiredRuns {
+		jobID := run.ID.Hex()
+		fromStatus := string(run.Status)
+		run.Status = enum.RunStatusExpired
+		run.CompletedAt = &now
+		run.Progress.Summary = "job lock expired"
+		updated, err := u.runs.Update(ctx, run)
+		if err != nil {
+			continue
+		}
+		_ = u.queue.ReleaseLock(ctx, jobID, run.LockedBy)
+		_ = u.queue.ClearCancelSignal(ctx, jobID)
+		u.releaseDedupe(ctx, updated)
+		_ = u.appendEvent(ctx, jobID, "status_changed", fromStatus, string(enum.RunStatusExpired), "job lock expired", nil)
+		result.ReapedExpiredLocks++
+	}
+
+	return result, nil
+}
diff --git a/haixun-backend/internal/model/job/usecase/maintenance_test.go b/haixun-backend/internal/model/job/usecase/maintenance_test.go
new file mode 100644
index 0000000..631d184
--- /dev/null
+++ b/haixun-backend/internal/model/job/usecase/maintenance_test.go
@@ -0,0 +1,90 @@
+package usecase
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"haixun-backend/internal/library/clock"
+	"haixun-backend/internal/model/job/domain/entity"
+	"haixun-backend/internal/model/job/domain/enum"
+)
+
+func TestRunMaintenance_EnqueuePendingRetry(t *testing.T) {
+	ctx := context.Background()
+	template := demoTemplate()
+	queue := newMemoryQueueRepo()
+	runs := newMemoryRunRepo(nil)
+	scheduled := clock.Now().Add(-time.Second).UnixNano()
+	runs.run = &entity.Run{
+		TemplateType: template.Type,
+		Status:       enum.RunStatusPending,
+		WorkerType:   "go",
+		ScheduledAt:  &scheduled,
+	}
+	uc := testUseCaseFull(template, runs, nil, queue)
+
+	result, err := uc.RunMaintenance(ctx)
+	if err != nil {
+		t.Fatalf("RunMaintenance() error = %v", err)
+	}
+	if result.EnqueuedPending != 1 {
+		t.Fatalf("EnqueuedPending = %d, want 1", result.EnqueuedPending)
+	}
+	if runs.run.Status != enum.RunStatusQueued {
+		t.Fatalf("status = %s, want queued", runs.run.Status)
+	}
+}
+
+func TestRunMaintenance_ReapCancelGrace(t *testing.T) {
+	ctx := context.Background()
+	template := demoTemplate()
+	template.CancelPolicy.GraceSeconds = 1
+	queue := newMemoryQueueRepo()
+	runs := newMemoryRunRepo(nil)
+	cancelAt := clock.Now().Add(-2 * time.Second).UnixNano()
+	runs.run = &entity.Run{
+		TemplateType:      template.Type,
+		Status:            enum.RunStatusCancelRequested,
+		CancelRequestedAt: &cancelAt,
+		DedupeKey:         "dedupe-1",
+	}
+	uc := testUseCaseFull(template, runs, nil, queue)
+
+	result, err := uc.RunMaintenance(ctx)
+	if err != nil {
+		t.Fatalf("RunMaintenance() error = %v", err)
+	}
+	if result.ReapedCancelGrace != 1 {
+		t.Fatalf("ReapedCancelGrace = %d, want 1", result.ReapedCancelGrace)
+	}
+	if runs.run.Status != enum.RunStatusCancelled {
+		t.Fatalf("status = %s, want cancelled", runs.run.Status)
+	}
+}
+
+func TestRunMaintenance_ReapExpiredLock(t *testing.T) {
+	ctx := context.Background()
+	template := demoTemplate()
+	queue := newMemoryQueueRepo()
+	runs := newMemoryRunRepo(nil)
+	lockedUntil := clock.Now().Add(-time.Second).UnixNano()
+	runs.run = &entity.Run{
+		TemplateType: template.Type,
+		Status:       enum.RunStatusRunning,
+		LockedUntil:  &lockedUntil,
+		DedupeKey:    "dedupe-2",
+	}
+	uc := testUseCaseFull(template, runs, nil, queue)
+
+	result, err := uc.RunMaintenance(ctx)
+	if err != nil {
+		t.Fatalf("RunMaintenance() error = %v", err)
+	}
+	if result.ReapedExpiredLocks != 1 {
+		t.Fatalf("ReapedExpiredLocks = %d, want 1", result.ReapedExpiredLocks)
+	}
+	if runs.run.Status != enum.RunStatusExpired {
+		t.Fatalf("status = %s, want expired", runs.run.Status)
+	}
+}
diff --git a/haixun-backend/internal/model/job/usecase/retry_resume_test.go b/haixun-backend/internal/model/job/usecase/retry_resume_test.go
new file mode 100644
index 0000000..747bb7a
--- /dev/null
+++ b/haixun-backend/internal/model/job/usecase/retry_resume_test.go
@@ -0,0 +1,85 @@
+package usecase
+
+import (
+	"context"
+	"testing"
+
+	"haixun-backend/internal/model/job/domain/entity"
+	"haixun-backend/internal/model/job/domain/enum"
+
+	"go.mongodb.org/mongo-driver/bson/primitive"
+)
+
+func TestRetryRun_PreservesSucceededSteps(t *testing.T) {
+	ctx := context.Background()
+	template := demoTemplate()
+	jobID := primitive.NewObjectID()
+	runs := newMemoryRunRepo(&entity.Run{
+		ID:           jobID,
+		TemplateType: template.Type,
+		Status:       enum.RunStatusFailed,
+		WorkerType:   "go",
+		Attempt:      1,
+		MaxAttempts:  3,
+		Phase:        "execute",
+		Progress: entity.RunProgress{
+			Steps: []entity.StepProgress{
+				{ID: "prepare", Status: enum.StepStatusSucceeded, Message: "done"},
+				{ID: "execute", Status: enum.StepStatusFailed, Message: "boom"},
+				{ID: "finalize", Status: enum.StepStatusPending},
+			},
+		},
+	})
+	uc := testUseCaseFull(template, runs, nil, newMemoryQueueRepo())
+
+	updated, err := uc.RetryRun(ctx, jobID.Hex())
+	if err != nil {
+		t.Fatalf("RetryRun() error = %v", err)
+	}
+	if updated.Progress.Steps[0].Status != enum.StepStatusSucceeded {
+		t.Fatalf("prepare = %s, want succeeded", updated.Progress.Steps[0].Status)
+	}
+	if updated.Progress.Steps[1].Status != enum.StepStatusPending {
+		t.Fatalf("execute = %s, want pending", updated.Progress.Steps[1].Status)
+	}
+	if updated.Phase != "execute" {
+		t.Fatalf("phase = %s, want execute", updated.Phase)
+	}
+	if updated.Progress.Percentage != 33 {
+		t.Fatalf("percentage = %d, want 33", updated.Progress.Percentage)
+	}
+}
+
+func TestRetryRun_ExpiredResumesFromCheckpoint(t *testing.T) {
+	ctx := context.Background()
+	template := demoTemplate()
+	jobID := primitive.NewObjectID()
+	runs := newMemoryRunRepo(&entity.Run{
+		ID:           jobID,
+		TemplateType: template.Type,
+		Status:       enum.RunStatusExpired,
+		WorkerType:   "go",
+		Attempt:      1,
+		MaxAttempts:  3,
+		DedupeKey:    "dedupe-expired",
+		Progress: entity.RunProgress{
+			Steps: []entity.StepProgress{
+				{ID: "prepare", Status: enum.StepStatusSucceeded},
+				{ID: "execute", Status: enum.StepStatusRunning},
+				{ID: "finalize", Status: enum.StepStatusPending},
+			},
+		},
+	})
+	uc := testUseCaseFull(template, runs, nil, newMemoryQueueRepo())
+
+	updated, err := uc.RetryRun(ctx, jobID.Hex())
+	if err != nil {
+		t.Fatalf("RetryRun() error = %v", err)
+	}
+	if updated.Progress.Steps[0].Status != enum.StepStatusSucceeded {
+		t.Fatalf("prepare = %s, want succeeded", updated.Progress.Steps[0].Status)
+	}
+	if updated.Phase != "execute" {
+		t.Fatalf("phase = %s, want execute", updated.Phase)
+	}
+}
diff --git a/haixun-backend/internal/model/job/usecase/retry_test.go b/haixun-backend/internal/model/job/usecase/retry_test.go
new file mode 100644
index 0000000..2c3611b
--- /dev/null
+++ b/haixun-backend/internal/model/job/usecase/retry_test.go
@@ -0,0 +1,52 @@
+package usecase
+
+import (
+	"context"
+	"testing"
+
+	"haixun-backend/internal/library/clock"
+	"haixun-backend/internal/model/job/domain/entity"
+	"haixun-backend/internal/model/job/domain/enum"
+
+	"go.mongodb.org/mongo-driver/bson/primitive"
+)
+
+func TestRetryRun_SchedulesBackoff(t *testing.T) {
+	ctx := context.Background()
+	template := demoTemplate()
+	template.RetryPolicy = entity.RetryPolicy{
+		MaxAttempts:    3,
+		BackoffSeconds: []int{30, 60},
+	}
+	jobID := primitive.NewObjectID()
+	runs := newMemoryRunRepo(&entity.Run{
+		ID:           jobID,
+		TemplateType: template.Type,
+		Status:       enum.RunStatusFailed,
+		WorkerType:   "go",
+		Attempt:      1,
+		MaxAttempts:  3,
+		Progress: entity.RunProgress{
+			Steps: []entity.StepProgress{{ID: "prepare", Status: enum.StepStatusFailed}},
+		},
+	})
+	queue := newMemoryQueueRepo()
+	uc := testUseCaseFull(template, runs, nil, queue)
+
+	updated, err := uc.RetryRun(ctx, jobID.Hex())
+	if err != nil {
+		t.Fatalf("RetryRun() error = %v", err)
+	}
+	if updated.Status != enum.RunStatusPending {
+		t.Fatalf("status = %s, want pending", updated.Status)
+	}
+	if updated.ScheduledAt == nil {
+		t.Fatal("expected scheduled_at for backoff retry")
+	}
+	if *updated.ScheduledAt <= clock.NowUnixNano() {
+		t.Fatal("scheduled_at should be in the future")
+	}
+	if len(queue.queued("go")) != 0 {
+		t.Fatal("backoff retry should not enqueue immediately")
+	}
+}
diff --git a/haixun-backend/internal/model/job/usecase/schedule.go b/haixun-backend/internal/model/job/usecase/schedule.go
new file mode 100644
index 0000000..151a42f
--- /dev/null
+++ b/haixun-backend/internal/model/job/usecase/schedule.go
@@ -0,0 +1,171 @@
+package usecase
+
+import (
+	"context"
+	"strings"
+
+	"haixun-backend/internal/library/clock"
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	jobcron "haixun-backend/internal/model/job/cron"
+	"haixun-backend/internal/model/job/domain/entity"
+	domrepo "haixun-backend/internal/model/job/domain/repository"
+	domusecase "haixun-backend/internal/model/job/domain/usecase"
+)
+
+func (u *jobUseCase) ListSchedules(ctx context.Context, scope, scopeID string, page, pageSize int64) ([]*entity.Schedule, int64, int64, int64, int64, error) {
+	if page <= 0 {
+		page = 1
+	}
+	if pageSize <= 0 {
+		pageSize = 20
+	}
+	if pageSize > 200 {
+		pageSize = 200
+	}
+	offset := (page - 1) * pageSize
+	items, total, err := u.schedules.List(ctx, domrepo.ScheduleListFilter{
+		Scope:   scope,
+		ScopeID: scopeID,
+	}, offset, pageSize)
+	if err != nil {
+		return nil, 0, 0, 0, 0, err
+	}
+	totalPages := int64(0)
+	if total > 0 {
+		totalPages = (total + pageSize - 1) / pageSize
+	}
+	return items, total, page, pageSize, totalPages, nil
+}
+
+func (u *jobUseCase) GetSchedule(ctx context.Context, scheduleID string) (*entity.Schedule, error) {
+	return u.schedules.FindByID(ctx, scheduleID)
+}
+
+func (u *jobUseCase) CreateSchedule(ctx context.Context, req domusecase.CreateScheduleRequest) (*entity.Schedule, error) {
+	templateType := strings.TrimSpace(req.TemplateType)
+	scope := strings.TrimSpace(req.Scope)
+	scopeID := strings.TrimSpace(req.ScopeID)
+	cronExpr := strings.TrimSpace(req.Cron)
+	if templateType == "" || scope == "" || scopeID == "" || cronExpr == "" {
+		return nil, app.For(code.Job).InputMissingRequired("template_type, scope, scope_id, and cron are required")
+	}
+	if _, err := u.templates.FindByType(ctx, templateType); err != nil {
+		return nil, err
+	}
+
+	timezone := req.Timezone
+	if timezone == "" {
+		timezone = "UTC"
+	}
+	nextRunAt, err := jobcron.NextRunAt(cronExpr, timezone, clock.Now())
+	if err != nil {
+		return nil, app.For(code.Job).InputInvalidFormat(err.Error())
+	}
+
+	schedule := &entity.Schedule{
+		TemplateType:    templateType,
+		Scope:           scope,
+		ScopeID:         scopeID,
+		Enabled:         req.Enabled,
+		Cron:            cronExpr,
+		Timezone:        timezone,
+		PayloadTemplate: req.PayloadTemplate,
+		NextRunAt:       nextRunAt,
+	}
+	return u.schedules.Create(ctx, schedule)
+}
+
+func (u *jobUseCase) UpdateSchedule(ctx context.Context, req domusecase.UpdateScheduleRequest) (*entity.Schedule, error) {
+	schedule, err := u.schedules.FindByID(ctx, req.ID)
+	if err != nil {
+		return nil, err
+	}
+	if cronExpr := strings.TrimSpace(req.Cron); cronExpr != "" {
+		schedule.Cron = cronExpr
+	}
+	if tz := strings.TrimSpace(req.Timezone); tz != "" {
+		schedule.Timezone = tz
+	}
+	if req.PayloadTemplate != nil {
+		schedule.PayloadTemplate = req.PayloadTemplate
+	}
+	if req.Enabled != nil {
+		schedule.Enabled = *req.Enabled
+	}
+
+	nextRunAt, err := jobcron.NextRunAt(schedule.Cron, schedule.Timezone, clock.Now())
+	if err != nil {
+		return nil, app.For(code.Job).InputInvalidFormat(err.Error())
+	}
+	schedule.NextRunAt = nextRunAt
+	return u.schedules.Update(ctx, schedule)
+}
+
+func (u *jobUseCase) EnableSchedule(ctx context.Context, scheduleID string) (*entity.Schedule, error) {
+	schedule, err := u.schedules.FindByID(ctx, scheduleID)
+	if err != nil {
+		return nil, err
+	}
+	schedule.Enabled = true
+	nextRunAt, err := jobcron.NextRunAt(schedule.Cron, schedule.Timezone, clock.Now())
+	if err != nil {
+		return nil, app.For(code.Job).InputInvalidFormat(err.Error())
+	}
+	schedule.NextRunAt = nextRunAt
+	return u.schedules.Update(ctx, schedule)
+}
+
+func (u *jobUseCase) DisableSchedule(ctx context.Context, scheduleID string) (*entity.Schedule, error) {
+	schedule, err := u.schedules.FindByID(ctx, scheduleID)
+	if err != nil {
+		return nil, err
+	}
+	schedule.Enabled = false
+	return u.schedules.Update(ctx, schedule)
+}
+
+func (u *jobUseCase) RunSchedulerTick(ctx context.Context, holder string) (int, error) {
+	ok, err := u.queue.TrySchedulerLock(ctx, holder, 55)
+	if err != nil {
+		return 0, err
+	}
+	if !ok {
+		return 0, nil
+	}
+	defer func() { _ = u.queue.ReleaseSchedulerLock(ctx, holder) }()
+
+	now := clock.NowUnixNano()
+	due, err := u.schedules.FindDue(ctx, now, 50)
+	if err != nil {
+		return 0, err
+	}
+
+	created := 0
+	var firstErr error
+	for _, schedule := range due {
+		payload := buildScheduleRunPayload(schedule, now)
+		if _, err := u.CreateRun(ctx, domusecase.CreateRunRequest{
+			TemplateType: schedule.TemplateType,
+			Scope:        schedule.Scope,
+			ScopeID:      schedule.ScopeID,
+			Payload:      payload,
+		}); err != nil {
+			if firstErr == nil {
+				firstErr = err
+			}
+			continue
+		}
+		created++
+
+		lastRun := now
+		schedule.LastRunAt = &lastRun
+		nextRunAt, calcErr := jobcron.NextRunAt(schedule.Cron, schedule.Timezone, clock.Now())
+		if calcErr != nil {
+			continue
+		}
+		schedule.NextRunAt = nextRunAt
+		_, _ = u.schedules.Update(ctx, schedule)
+	}
+	return created, firstErr
+}
diff --git a/haixun-backend/internal/model/job/usecase/schedule_payload.go b/haixun-backend/internal/model/job/usecase/schedule_payload.go
new file mode 100644
index 0000000..667ce59
--- /dev/null
+++ b/haixun-backend/internal/model/job/usecase/schedule_payload.go
@@ -0,0 +1,25 @@
+package usecase
+
+import (
+	"haixun-backend/internal/library/clock"
+	"haixun-backend/internal/model/job/domain/entity"
+)
+
+const schedulePayloadKey = "_schedule"
+
+// buildScheduleRunPayload clones the schedule template payload and injects scheduler metadata.
+// Persisted timestamps use UTC unix nanoseconds; timezone is the cron interpretation zone.
+func buildScheduleRunPayload(schedule *entity.Schedule, triggeredAtUTC int64) map[string]any {
+	payload := map[string]any{}
+	for key, value := range schedule.PayloadTemplate {
+		payload[key] = value
+	}
+	payload[schedulePayloadKey] = map[string]any{
+		"id":           schedule.ID.Hex(),
+		"timezone":     schedule.Timezone,
+		"cron":         schedule.Cron,
+		"triggered_at": triggeredAtUTC,
+		"storage_tz":   clock.StorageTimezone,
+	}
+	return payload
+}
diff --git a/haixun-backend/internal/model/job/usecase/schedule_payload_test.go b/haixun-backend/internal/model/job/usecase/schedule_payload_test.go
new file mode 100644
index 0000000..3bc06ec
--- /dev/null
+++ b/haixun-backend/internal/model/job/usecase/schedule_payload_test.go
@@ -0,0 +1,40 @@
+package usecase
+
+import (
+	"testing"
+
+	"haixun-backend/internal/library/clock"
+	"haixun-backend/internal/model/job/domain/entity"
+
+	"go.mongodb.org/mongo-driver/bson/primitive"
+)
+
+func TestBuildScheduleRunPayload_InjectsTimezoneMetadata(t *testing.T) {
+	triggeredAt := clock.NowUnixNano()
+	schedule := &entity.Schedule{
+		ID:       primitive.NewObjectID(),
+		Timezone: "Asia/Taipei",
+		Cron:     "0 9 * * *",
+		PayloadTemplate: map[string]any{
+			"target": "demo",
+		},
+	}
+
+	payload := buildScheduleRunPayload(schedule, triggeredAt)
+	if payload["target"] != "demo" {
+		t.Fatalf("target = %v, want demo", payload["target"])
+	}
+	meta, ok := payload[schedulePayloadKey].(map[string]any)
+	if !ok {
+		t.Fatal("expected _schedule metadata")
+	}
+	if meta["timezone"] != "Asia/Taipei" {
+		t.Fatalf("timezone = %v", meta["timezone"])
+	}
+	if meta["storage_tz"] != clock.StorageTimezone {
+		t.Fatalf("storage_tz = %v", meta["storage_tz"])
+	}
+	if meta["triggered_at"] != triggeredAt {
+		t.Fatalf("triggered_at = %v", meta["triggered_at"])
+	}
+}
diff --git a/haixun-backend/internal/model/job/usecase/schedule_test.go b/haixun-backend/internal/model/job/usecase/schedule_test.go
new file mode 100644
index 0000000..05fb629
--- /dev/null
+++ b/haixun-backend/internal/model/job/usecase/schedule_test.go
@@ -0,0 +1,75 @@
+package usecase
+
+import (
+	"context"
+	"testing"
+
+	"haixun-backend/internal/library/clock"
+	"haixun-backend/internal/model/job/domain/entity"
+	domusecase "haixun-backend/internal/model/job/domain/usecase"
+)
+
+func TestRunSchedulerTick_CreatesRun(t *testing.T) {
+	ctx := context.Background()
+	template := demoTemplate()
+	schedules := &memoryScheduleRepo{}
+	queue := newMemoryQueueRepo()
+	runs := newMemoryRunRepo(nil)
+	uc := testUseCaseFull(template, runs, schedules, queue)
+
+	now := clock.NowUnixNano()
+	schedule := &entity.Schedule{
+		TemplateType: template.Type,
+		Scope:        "user",
+		ScopeID:      "scheduler-user",
+		Enabled:      true,
+		Cron:         "0 * * * *",
+		Timezone:     "Asia/Taipei",
+		NextRunAt:    now - 1,
+	}
+	_, _ = schedules.Create(ctx, schedule)
+
+	created, err := uc.RunSchedulerTick(ctx, "test-holder")
+	if err != nil {
+		t.Fatalf("RunSchedulerTick() error = %v", err)
+	}
+	if created != 1 {
+		t.Fatalf("created = %d, want 1", created)
+	}
+	if len(queue.queued("go")) == 0 {
+		t.Fatal("expected queued job from scheduler tick")
+	}
+	if runs.run == nil {
+		t.Fatal("expected run to be created")
+	}
+	meta, ok := runs.run.Payload[schedulePayloadKey].(map[string]any)
+	if !ok {
+		t.Fatal("expected _schedule payload metadata")
+	}
+	if meta["timezone"] != "Asia/Taipei" {
+		t.Fatalf("timezone = %v, want Asia/Taipei", meta["timezone"])
+	}
+	if meta["storage_tz"] != clock.StorageTimezone {
+		t.Fatalf("storage_tz = %v, want %s", meta["storage_tz"], clock.StorageTimezone)
+	}
+	triggeredAt, ok := meta["triggered_at"].(int64)
+	if !ok || triggeredAt <= 0 {
+		t.Fatalf("triggered_at = %v, want positive unix nano UTC", meta["triggered_at"])
+	}
+}
+
+func TestCreateSchedule_InvalidCron(t *testing.T) {
+	ctx := context.Background()
+	template := demoTemplate()
+	uc := testUseCaseFull(template, newMemoryRunRepo(nil), &memoryScheduleRepo{}, newMemoryQueueRepo())
+
+	_, err := uc.CreateSchedule(ctx, domusecase.CreateScheduleRequest{
+		TemplateType: template.Type,
+		Scope:        "user",
+		ScopeID:      "u1",
+		Cron:         "invalid",
+	})
+	if err == nil {
+		t.Fatal("expected invalid cron error")
+	}
+}
diff --git a/haixun-backend/internal/model/job/usecase/step_resume.go b/haixun-backend/internal/model/job/usecase/step_resume.go
new file mode 100644
index 0000000..bf28b74
--- /dev/null
+++ b/haixun-backend/internal/model/job/usecase/step_resume.go
@@ -0,0 +1,18 @@
+package usecase
+
+import (
+	"haixun-backend/internal/model/job/domain/entity"
+	"haixun-backend/internal/model/job/resume"
+)
+
+func prepareStepsForRetry(steps []entity.StepProgress) []entity.StepProgress {
+	return resume.PrepareStepsForRetry(steps)
+}
+
+func firstResumablePhase(steps []entity.StepProgress) string {
+	return resume.FirstResumablePhase(steps)
+}
+
+func calcProgressPercentage(steps []entity.StepProgress) int {
+	return resume.CalcProgressPercentage(steps)
+}
diff --git a/haixun-backend/internal/model/job/usecase/template.go b/haixun-backend/internal/model/job/usecase/template.go
new file mode 100644
index 0000000..c2f2916
--- /dev/null
+++ b/haixun-backend/internal/model/job/usecase/template.go
@@ -0,0 +1,68 @@
+package usecase
+
+import (
+	"context"
+	"strings"
+
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/model/job/domain/entity"
+	domusecase "haixun-backend/internal/model/job/domain/usecase"
+)
+
+func (u *jobUseCase) UpsertTemplate(ctx context.Context, req domusecase.UpsertTemplateRequest) (*entity.Template, error) {
+	templateType := strings.TrimSpace(req.Type)
+	if templateType == "" {
+		return nil, app.For(code.Job).InputMissingRequired("template type is required")
+	}
+	if strings.TrimSpace(req.Name) == "" {
+		return nil, app.For(code.Job).InputMissingRequired("template name is required")
+	}
+	if len(req.Steps) == 0 {
+		return nil, app.For(code.Job).InputMissingRequired("template steps are required")
+	}
+
+	version := req.Version
+	if version <= 0 {
+		version = 1
+	}
+	timeout := req.TimeoutSeconds
+	if timeout <= 0 {
+		timeout = 600
+	}
+
+	template := &entity.Template{
+		Type:              templateType,
+		Version:           version,
+		Name:              req.Name,
+		Description:       req.Description,
+		Enabled:           req.Enabled,
+		Repeatable:        req.Repeatable,
+		ConcurrencyPolicy: req.ConcurrencyPolicy,
+		DedupeKeys:        req.DedupeKeys,
+		TimeoutSeconds:    timeout,
+		CancelPolicy:      req.CancelPolicy,
+		RetryPolicy:       req.RetryPolicy,
+		Steps:             req.Steps,
+	}
+	if template.ConcurrencyPolicy == "" {
+		template.ConcurrencyPolicy = "reject_same_scope"
+	}
+	if template.CancelPolicy.Mode == "" {
+		template.CancelPolicy.Mode = "cooperative"
+	}
+	if template.CancelPolicy.GraceSeconds <= 0 {
+		template.CancelPolicy.GraceSeconds = 30
+	}
+	return u.templates.Upsert(ctx, template)
+}
+
+func (u *jobUseCase) ListJobEvents(ctx context.Context, jobID string, limit int64) ([]*entity.Event, error) {
+	if strings.TrimSpace(jobID) == "" {
+		return nil, app.For(code.Job).InputMissingRequired("job id is required")
+	}
+	if _, err := u.runs.FindByID(ctx, jobID); err != nil {
+		return nil, err
+	}
+	return u.events.ListByJobID(ctx, jobID, limit)
+}
diff --git a/haixun-backend/internal/model/job/usecase/template_test.go b/haixun-backend/internal/model/job/usecase/template_test.go
new file mode 100644
index 0000000..f6bba02
--- /dev/null
+++ b/haixun-backend/internal/model/job/usecase/template_test.go
@@ -0,0 +1,35 @@
+package usecase
+
+import (
+	"context"
+	"testing"
+
+	"haixun-backend/internal/model/job/domain/entity"
+	domusecase "haixun-backend/internal/model/job/domain/usecase"
+)
+
+func TestUpsertTemplate_SetsDefaults(t *testing.T) {
+	ctx := context.Background()
+	repo := &memoryTemplateRepo{}
+	uc := NewUseCase(repo, newMemoryRunRepo(nil), &memoryScheduleRepo{}, &memoryEventRepo{}, newMemoryQueueRepo())
+
+	template, err := uc.UpsertTemplate(ctx, domusecase.UpsertTemplateRequest{
+		Type:    "custom_job",
+		Name:    "Custom Job",
+		Enabled: true,
+		Steps: []entity.TemplateStep{{
+			ID:         "step1",
+			Name:       "Step 1",
+			WorkerType: "go",
+		}},
+	})
+	if err != nil {
+		t.Fatalf("UpsertTemplate() error = %v", err)
+	}
+	if template.ConcurrencyPolicy != "reject_same_scope" {
+		t.Fatalf("ConcurrencyPolicy = %q", template.ConcurrencyPolicy)
+	}
+	if template.CancelPolicy.GraceSeconds != 30 {
+		t.Fatalf("GraceSeconds = %d, want 30", template.CancelPolicy.GraceSeconds)
+	}
+}
diff --git a/haixun-backend/internal/model/job/usecase/test_mocks.go b/haixun-backend/internal/model/job/usecase/test_mocks.go
new file mode 100644
index 0000000..9c7e253
--- /dev/null
+++ b/haixun-backend/internal/model/job/usecase/test_mocks.go
@@ -0,0 +1,430 @@
+package usecase
+
+import (
+	"context"
+	"errors"
+	"haixun-backend/internal/library/clock"
+	"haixun-backend/internal/model/job/domain/entity"
+	"haixun-backend/internal/model/job/domain/enum"
+	domrepo "haixun-backend/internal/model/job/domain/repository"
+	domusecase "haixun-backend/internal/model/job/domain/usecase"
+	"sync"
+
+	"go.mongodb.org/mongo-driver/bson/primitive"
+)
+
+type memoryTemplateRepo struct {
+	template *entity.Template
+}
+
+func (m *memoryTemplateRepo) EnsureIndexes(context.Context) error { return nil }
+func (m *memoryTemplateRepo) List(context.Context) ([]*entity.Template, error) {
+	if m.template == nil {
+		return nil, nil
+	}
+	return []*entity.Template{m.template}, nil
+}
+func (m *memoryTemplateRepo) FindByType(context.Context, string) (*entity.Template, error) {
+	return m.template, nil
+}
+func (m *memoryTemplateRepo) Upsert(_ context.Context, template *entity.Template) (*entity.Template, error) {
+	m.template = template
+	return template, nil
+}
+
+type memoryRunRepo struct {
+	mu        sync.Mutex
+	run       *entity.Run
+	succeeded map[string]*entity.Run
+}
+
+func newMemoryRunRepo(run *entity.Run) *memoryRunRepo {
+	return &memoryRunRepo{run: run, succeeded: map[string]*entity.Run{}}
+}
+
+func (m *memoryRunRepo) EnsureIndexes(context.Context) error { return nil }
+func (m *memoryRunRepo) Create(ctx context.Context, run *entity.Run) (*entity.Run, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if run.ID.IsZero() {
+		run.ID = primitive.NewObjectID()
+	}
+	now := clock.NowUnixNano()
+	run.CreateAt = now
+	run.UpdateAt = now
+	m.run = run
+	return run, nil
+}
+func (m *memoryRunRepo) Update(ctx context.Context, run *entity.Run) (*entity.Run, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	run.UpdateAt = clock.NowUnixNano()
+	m.run = run
+	if run.Status == enum.RunStatusSucceeded && run.DedupeKey != "" {
+		m.succeeded[run.TemplateType+":"+run.DedupeKey] = run
+	}
+	return run, nil
+}
+func (m *memoryRunRepo) UpdateIfStatus(ctx context.Context, run *entity.Run, allowed []enum.RunStatus) (*entity.Run, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if m.run != nil {
+		ok := false
+		for _, status := range allowed {
+			if m.run.Status == status {
+				ok = true
+				break
+			}
+		}
+		if !ok {
+			return nil, errors.New("job state changed; update rejected")
+		}
+	}
+	run.UpdateAt = clock.NowUnixNano()
+	m.run = run
+	if run.Status == enum.RunStatusSucceeded && run.DedupeKey != "" {
+		m.succeeded[run.TemplateType+":"+run.DedupeKey] = run
+	}
+	return run, nil
+}
+func (m *memoryRunRepo) UpdateIfLocked(ctx context.Context, run *entity.Run, workerID string, allowed []enum.RunStatus) (*entity.Run, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if m.run != nil {
+		if m.run.LockedBy != "" && m.run.LockedBy != workerID {
+			return nil, errors.New("job lock held by another worker")
+		}
+		ok := false
+		for _, status := range allowed {
+			if m.run.Status == status {
+				ok = true
+				break
+			}
+		}
+		if !ok {
+			return nil, errors.New("job state changed; update rejected")
+		}
+	}
+	run.UpdateAt = clock.NowUnixNano()
+	m.run = run
+	if run.Status == enum.RunStatusSucceeded && run.DedupeKey != "" {
+		m.succeeded[run.TemplateType+":"+run.DedupeKey] = run
+	}
+	return run, nil
+}
+func (m *memoryRunRepo) FindByID(context.Context, string) (*entity.Run, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	return cloneRun(m.run), nil
+}
+func (m *memoryRunRepo) List(context.Context, domrepo.RunListFilter, int64, int64) ([]*entity.Run, int64, error) {
+	return nil, 0, nil
+}
+func (m *memoryRunRepo) FindActiveByScope(context.Context, string, string, string) ([]*entity.Run, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if m.run == nil {
+		return nil, nil
+	}
+	switch m.run.Status {
+	case enum.RunStatusPending, enum.RunStatusQueued, enum.RunStatusRunning, enum.RunStatusWaitingWorker, enum.RunStatusCancelRequested:
+		return []*entity.Run{m.run}, nil
+	default:
+		return nil, nil
+	}
+}
+func (m *memoryRunRepo) FindSucceededByDedupeKey(_ context.Context, templateType, dedupeKey string) (*entity.Run, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	return m.succeeded[templateType+":"+dedupeKey], nil
+}
+func (m *memoryRunRepo) FindPendingDue(_ context.Context, now int64, _ int64) ([]*entity.Run, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if m.run == nil || m.run.Status != enum.RunStatusPending || m.run.ScheduledAt == nil {
+		return nil, nil
+	}
+	if *m.run.ScheduledAt <= now {
+		return []*entity.Run{m.run}, nil
+	}
+	return nil, nil
+}
+func (m *memoryRunRepo) FindCancelRequestedBefore(_ context.Context, before int64, _ int64) ([]*entity.Run, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if m.run == nil || m.run.Status != enum.RunStatusCancelRequested || m.run.CancelRequestedAt == nil {
+		return nil, nil
+	}
+	if *m.run.CancelRequestedAt <= before {
+		return []*entity.Run{m.run}, nil
+	}
+	return nil, nil
+}
+func (m *memoryRunRepo) FindRunningTimedOut(_ context.Context, now int64, _ int64) ([]*entity.Run, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if m.run == nil || m.run.LockedUntil == nil {
+		return nil, nil
+	}
+	if m.run.Status != enum.RunStatusRunning && m.run.Status != enum.RunStatusWaitingWorker {
+		return nil, nil
+	}
+	if *m.run.LockedUntil <= now {
+		return []*entity.Run{m.run}, nil
+	}
+	return nil, nil
+}
+
+type memoryScheduleRepo struct {
+	mu        sync.Mutex
+	schedules []*entity.Schedule
+}
+
+func (m *memoryScheduleRepo) EnsureIndexes(context.Context) error { return nil }
+func (m *memoryScheduleRepo) Create(_ context.Context, schedule *entity.Schedule) (*entity.Schedule, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if schedule.ID.IsZero() {
+		schedule.ID = primitive.NewObjectID()
+	}
+	now := clock.NowUnixNano()
+	schedule.CreateAt = now
+	schedule.UpdateAt = now
+	m.schedules = append(m.schedules, schedule)
+	return schedule, nil
+}
+func (m *memoryScheduleRepo) Update(_ context.Context, schedule *entity.Schedule) (*entity.Schedule, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	schedule.UpdateAt = clock.NowUnixNano()
+	for i, item := range m.schedules {
+		if item.ID == schedule.ID {
+			m.schedules[i] = schedule
+			return schedule, nil
+		}
+	}
+	m.schedules = append(m.schedules, schedule)
+	return schedule, nil
+}
+func (m *memoryScheduleRepo) FindByID(_ context.Context, id string) (*entity.Schedule, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	objectID, _ := primitive.ObjectIDFromHex(id)
+	for _, item := range m.schedules {
+		if item.ID == objectID {
+			return item, nil
+		}
+	}
+	return nil, nil
+}
+func (m *memoryScheduleRepo) List(_ context.Context, _ domrepo.ScheduleListFilter, _, _ int64) ([]*entity.Schedule, int64, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	return m.schedules, int64(len(m.schedules)), nil
+}
+func (m *memoryScheduleRepo) FindDue(_ context.Context, now int64, _ int64) ([]*entity.Schedule, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	var due []*entity.Schedule
+	for _, item := range m.schedules {
+		if item.Enabled && item.NextRunAt <= now {
+			due = append(due, item)
+		}
+	}
+	return due, nil
+}
+
+type memoryEventRepo struct {
+	events []*entity.Event
+}
+
+func (m *memoryEventRepo) EnsureIndexes(context.Context) error { return nil }
+func (m *memoryEventRepo) Append(_ context.Context, event *entity.Event) error {
+	m.events = append(m.events, event)
+	return nil
+}
+func (m *memoryEventRepo) ListByJobID(_ context.Context, jobID string, limit int64) ([]*entity.Event, error) {
+	if limit <= 0 {
+		limit = 50
+	}
+	var out []*entity.Event
+	for _, event := range m.events {
+		if event.JobID == jobID {
+			out = append(out, event)
+		}
+	}
+	if int64(len(out)) > limit {
+		out = out[:limit]
+	}
+	return out, nil
+}
+
+type memoryQueueRepo struct {
+	mu            sync.Mutex
+	queues        map[string][]string
+	cancel        map[string]string
+	locks         map[string]string
+	dedupe        map[string]string
+	schedulerLock string
+}
+
+func newMemoryQueueRepo() *memoryQueueRepo {
+	return &memoryQueueRepo{
+		queues: map[string][]string{},
+		cancel: map[string]string{},
+		locks:  map[string]string{},
+		dedupe: map[string]string{},
+	}
+}
+
+func (m *memoryQueueRepo) Enqueue(_ context.Context, workerType, jobID string) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.queues[workerType] = append(m.queues[workerType], jobID)
+	return nil
+}
+func (m *memoryQueueRepo) Dequeue(context.Context, string, int) (string, error) { return "", nil }
+func (m *memoryQueueRepo) RemoveJob(_ context.Context, workerType, jobID string) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	items := m.queues[workerType]
+	filtered := make([]string, 0, len(items))
+	for _, item := range items {
+		if item != jobID {
+			filtered = append(filtered, item)
+		}
+	}
+	m.queues[workerType] = filtered
+	return nil
+}
+func (m *memoryQueueRepo) SetCancelSignal(_ context.Context, jobID, reason string) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.cancel[jobID] = reason
+	return nil
+}
+func (m *memoryQueueRepo) GetCancelSignal(_ context.Context, jobID string) (bool, string, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	reason, ok := m.cancel[jobID]
+	return ok, reason, nil
+}
+func (m *memoryQueueRepo) ClearCancelSignal(_ context.Context, jobID string) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	delete(m.cancel, jobID)
+	return nil
+}
+func (m *memoryQueueRepo) TryLock(_ context.Context, jobID, workerID string, _ int) (bool, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if current, ok := m.locks[jobID]; ok && current != workerID {
+		return false, nil
+	}
+	m.locks[jobID] = workerID
+	return true, nil
+}
+func (m *memoryQueueRepo) RefreshLock(_ context.Context, jobID, workerID string, _ int) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if current, ok := m.locks[jobID]; ok && current == workerID {
+		return nil
+	}
+	return errors.New("job lock is not held by worker")
+}
+func (m *memoryQueueRepo) ReleaseLock(_ context.Context, jobID, workerID string) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if current, ok := m.locks[jobID]; ok && current == workerID {
+		delete(m.locks, jobID)
+	}
+	return nil
+}
+func (m *memoryQueueRepo) TryAcquireDedupe(_ context.Context, templateType, dedupeHash, jobID string, _ int) (bool, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	key := templateType + ":" + dedupeHash
+	if _, ok := m.dedupe[key]; ok {
+		return false, nil
+	}
+	m.dedupe[key] = jobID
+	return true, nil
+}
+func (m *memoryQueueRepo) ReleaseDedupe(_ context.Context, templateType, dedupeHash string) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	delete(m.dedupe, templateType+":"+dedupeHash)
+	return nil
+}
+func (m *memoryQueueRepo) TrySchedulerLock(_ context.Context, holder string, _ int) (bool, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if m.schedulerLock != "" && m.schedulerLock != holder {
+		return false, nil
+	}
+	m.schedulerLock = holder
+	return true, nil
+}
+func (m *memoryQueueRepo) ReleaseSchedulerLock(_ context.Context, holder string) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if m.schedulerLock == holder {
+		m.schedulerLock = ""
+	}
+	return nil
+}
+
+func (m *memoryQueueRepo) queued(workerType string) []string {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	return append([]string(nil), m.queues[workerType]...)
+}
+
+func testUseCase(template *entity.Template, run *entity.Run) domusecase.UseCase {
+	return NewUseCase(
+		&memoryTemplateRepo{template: template},
+		newMemoryRunRepo(run),
+		&memoryScheduleRepo{},
+		&memoryEventRepo{},
+		newMemoryQueueRepo(),
+	)
+}
+
+func testUseCaseFull(template *entity.Template, runs *memoryRunRepo, schedules *memoryScheduleRepo, queue *memoryQueueRepo) domusecase.UseCase {
+	if schedules == nil {
+		schedules = &memoryScheduleRepo{}
+	}
+	if queue == nil {
+		queue = newMemoryQueueRepo()
+	}
+	return NewUseCase(
+		&memoryTemplateRepo{template: template},
+		runs,
+		schedules,
+		&memoryEventRepo{},
+		queue,
+	)
+}
+
+func cloneRun(run *entity.Run) *entity.Run {
+	if run == nil {
+		return nil
+	}
+	out := *run
+	if run.Progress.Steps != nil {
+		out.Progress.Steps = append([]entity.StepProgress(nil), run.Progress.Steps...)
+	}
+	if run.Payload != nil {
+		out.Payload = map[string]any{}
+		for k, v := range run.Payload {
+			out.Payload[k] = v
+		}
+	}
+	if run.Result != nil {
+		out.Result = map[string]any{}
+		for k, v := range run.Result {
+			out.Result[k] = v
+		}
+	}
+	return &out
+}
diff --git a/haixun-backend/internal/model/job/usecase/usecase.go b/haixun-backend/internal/model/job/usecase/usecase.go
new file mode 100644
index 0000000..c00971b
--- /dev/null
+++ b/haixun-backend/internal/model/job/usecase/usecase.go
@@ -0,0 +1,562 @@
+package usecase
+
+import (
+	"context"
+	"strings"
+
+	"haixun-backend/internal/library/clock"
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/model/job/domain/entity"
+	"haixun-backend/internal/model/job/domain/enum"
+	domrepo "haixun-backend/internal/model/job/domain/repository"
+	domusecase "haixun-backend/internal/model/job/domain/usecase"
+)
+
+const demoTemplateType = "demo_long_task"
+
+type UseCase = domusecase.UseCase
+
+type jobUseCase struct {
+	templates domrepo.TemplateRepository
+	runs      domrepo.RunRepository
+	schedules domrepo.ScheduleRepository
+	events    domrepo.EventRepository
+	queue     domrepo.QueueRepository
+}
+
+func NewUseCase(
+	templates domrepo.TemplateRepository,
+	runs domrepo.RunRepository,
+	schedules domrepo.ScheduleRepository,
+	events domrepo.EventRepository,
+	queue domrepo.QueueRepository,
+) domusecase.UseCase {
+	return &jobUseCase{
+		templates: templates,
+		runs:      runs,
+		schedules: schedules,
+		events:    events,
+		queue:     queue,
+	}
+}
+
+func (u *jobUseCase) ListTemplates(ctx context.Context) ([]*entity.Template, error) {
+	return u.templates.List(ctx)
+}
+
+func (u *jobUseCase) GetTemplate(ctx context.Context, templateType string) (*entity.Template, error) {
+	return u.templates.FindByType(ctx, templateType)
+}
+
+func (u *jobUseCase) EnsureDemoTemplate(ctx context.Context) error {
+	_, err := u.templates.Upsert(ctx, demoTemplate())
+	return err
+}
+
+func demoTemplate() *entity.Template {
+	return &entity.Template{
+		Type:              demoTemplateType,
+		Version:           1,
+		Name:              "Demo Long Task",
+		Description:       "Demonstrates job progress, cancel, retry, and worker cooperative stop",
+		Enabled:           true,
+		Repeatable:        true,
+		ConcurrencyPolicy: string(enum.ConcurrencyRejectSameScope),
+		DedupeKeys:        []string{"scope_id"},
+		TimeoutSeconds:    600,
+		CancelPolicy: entity.CancelPolicy{
+			Supported:    true,
+			Mode:         "cooperative",
+			GraceSeconds: 30,
+		},
+		RetryPolicy: entity.RetryPolicy{
+			MaxAttempts:    2,
+			BackoffSeconds: []int{30, 120},
+		},
+		Steps: []entity.TemplateStep{
+			{ID: "prepare", Name: "Prepare data", WorkerType: string(enum.WorkerTypeGo), TimeoutSeconds: 60, Cancelable: true},
+			{ID: "execute", Name: "Execute task", WorkerType: string(enum.WorkerTypeGo), TimeoutSeconds: 300, Cancelable: true},
+			{ID: "finalize", Name: "Finalize result", WorkerType: string(enum.WorkerTypeGo), TimeoutSeconds: 30, Cancelable: false},
+		},
+	}
+}
+
+func (u *jobUseCase) CreateRun(ctx context.Context, req domusecase.CreateRunRequest) (*entity.Run, error) {
+	templateType := strings.TrimSpace(req.TemplateType)
+	scope := strings.TrimSpace(req.Scope)
+	scopeID := strings.TrimSpace(req.ScopeID)
+	if templateType == "" || scope == "" || scopeID == "" {
+		return nil, app.For(code.Job).InputMissingRequired("template_type, scope, and scope_id are required")
+	}
+
+	template, err := u.templates.FindByType(ctx, templateType)
+	if err != nil {
+		return nil, err
+	}
+	if !template.Enabled {
+		return nil, app.For(code.Job).ResInvalidState("job template is disabled")
+	}
+
+	if err := u.enforceConcurrency(ctx, template, scope, scopeID); err != nil {
+		return nil, err
+	}
+
+	dedupeKey := buildDedupeKey(template, scope, scopeID, req.Payload)
+	if err := u.enforceDedupe(ctx, template, dedupeKey); err != nil {
+		return nil, err
+	}
+
+	run := &entity.Run{
+		TemplateType:    template.Type,
+		TemplateVersion: template.Version,
+		Scope:           scope,
+		ScopeID:         scopeID,
+		Status:          enum.RunStatusPending,
+		Phase:           firstPhaseFromTemplate(template),
+		WorkerType:      workerTypeFromTemplate(template),
+		Payload:         req.Payload,
+		Progress: entity.RunProgress{
+			Summary:    "waiting for worker",
+			Percentage: 0,
+			Steps:      buildStepProgress(template),
+		},
+		Attempt:     1,
+		MaxAttempts: maxAttemptsOrDefault(template.RetryPolicy.MaxAttempts),
+		DedupeKey:   dedupeKey,
+	}
+
+	created, err := u.runs.Create(ctx, run)
+	if err != nil {
+		return nil, err
+	}
+	jobID := created.ID.Hex()
+	if err := u.acquireDedupeLease(ctx, template, dedupeKey, jobID); err != nil {
+		created.Status = enum.RunStatusCancelled
+		_, _ = u.runs.Update(ctx, created)
+		return nil, err
+	}
+
+	return u.enqueueRun(ctx, created)
+}
+
+func (u *jobUseCase) enforceConcurrency(ctx context.Context, template *entity.Template, scope, scopeID string) error {
+	active, err := u.runs.FindActiveByScope(ctx, template.Type, scope, scopeID)
+	if err != nil {
+		return err
+	}
+	if len(active) == 0 {
+		return nil
+	}
+
+	switch enum.ConcurrencyPolicy(template.ConcurrencyPolicy) {
+	case enum.ConcurrencyAllowParallel:
+		return nil
+	case enum.ConcurrencyRejectSameScope:
+		return app.For(code.Job).ResInvalidState("an active job already exists for this scope")
+	case enum.ConcurrencyReplaceExisting:
+		for _, run := range active {
+			if _, err := u.RequestCancel(ctx, domusecase.CancelRunRequest{
+				JobID:  run.ID.Hex(),
+				Reason: "replaced by new job",
+			}); err != nil {
+				return err
+			}
+		}
+		return nil
+	default:
+		return app.For(code.Job).ResInvalidState("an active job already exists for this scope")
+	}
+}
+
+func (u *jobUseCase) GetRun(ctx context.Context, jobID string) (*entity.Run, error) {
+	return u.runs.FindByID(ctx, jobID)
+}
+
+func (u *jobUseCase) ListRuns(ctx context.Context, scope, scopeID string, page, pageSize int64) ([]*entity.Run, int64, int64, int64, int64, error) {
+	if page <= 0 {
+		page = 1
+	}
+	if pageSize <= 0 {
+		pageSize = 20
+	}
+	if pageSize > 200 {
+		pageSize = 200
+	}
+	offset := (page - 1) * pageSize
+	items, total, err := u.runs.List(ctx, domrepo.RunListFilter{
+		Scope:   scope,
+		ScopeID: scopeID,
+	}, offset, pageSize)
+	if err != nil {
+		return nil, 0, 0, 0, 0, err
+	}
+	totalPages := int64(0)
+	if total > 0 {
+		totalPages = (total + pageSize - 1) / pageSize
+	}
+	return items, total, page, pageSize, totalPages, nil
+}
+
+func (u *jobUseCase) RequestCancel(ctx context.Context, req domusecase.CancelRunRequest) (*entity.Run, error) {
+	jobID := strings.TrimSpace(req.JobID)
+	if jobID == "" {
+		return nil, app.For(code.Job).InputMissingRequired("job id is required")
+	}
+
+	run, err := u.runs.FindByID(ctx, jobID)
+	if err != nil {
+		return nil, err
+	}
+	if !run.Status.IsCancellable() {
+		return nil, app.For(code.Job).ResInvalidState("job cannot be cancelled in current status")
+	}
+
+	template, err := u.templates.FindByType(ctx, run.TemplateType)
+	if err != nil {
+		return nil, err
+	}
+	if !template.CancelPolicy.Supported {
+		return nil, app.For(code.Job).ResInvalidState("job template does not support cancel")
+	}
+
+	reason := strings.TrimSpace(req.Reason)
+	if reason == "" {
+		reason = "user requested cancel"
+	}
+	now := clock.NowUnixNano()
+	fromStatus := string(run.Status)
+
+	switch run.Status {
+	case enum.RunStatusPending, enum.RunStatusQueued:
+		_ = u.queue.RemoveJob(ctx, run.WorkerType, jobID)
+		run.Status = enum.RunStatusCancelled
+		run.CancelReason = reason
+		run.CompletedAt = &now
+		updated, err := u.runs.UpdateIfStatus(ctx, run, []enum.RunStatus{
+			enum.RunStatusPending,
+			enum.RunStatusQueued,
+		})
+		if err != nil {
+			return nil, err
+		}
+		u.releaseDedupe(ctx, updated)
+		_ = u.appendEvent(ctx, jobID, "status_changed", fromStatus, string(enum.RunStatusCancelled), "job cancelled before execution", map[string]any{"reason": reason})
+		return updated, nil
+
+	case enum.RunStatusRunning, enum.RunStatusWaitingWorker:
+		run.Status = enum.RunStatusCancelRequested
+		run.CancelRequestedAt = &now
+		run.CancelReason = reason
+		updated, err := u.runs.UpdateIfStatus(ctx, run, []enum.RunStatus{
+			enum.RunStatusRunning,
+			enum.RunStatusWaitingWorker,
+		})
+		if err != nil {
+			return nil, err
+		}
+		// Poke running worker via Redis cancel signal.
+		if err := u.queue.SetCancelSignal(ctx, jobID, reason); err != nil {
+			return nil, err
+		}
+		_ = u.appendEvent(ctx, jobID, "cancel_requested", fromStatus, string(enum.RunStatusCancelRequested), "cancel signal sent to worker", map[string]any{"reason": reason})
+		return updated, nil
+
+	default:
+		return nil, app.For(code.Job).ResInvalidState("job cannot be cancelled in current status")
+	}
+}
+
+func (u *jobUseCase) RetryRun(ctx context.Context, jobID string) (*entity.Run, error) {
+	run, err := u.runs.FindByID(ctx, jobID)
+	if err != nil {
+		return nil, err
+	}
+	if run.Status != enum.RunStatusFailed &&
+		run.Status != enum.RunStatusCancelled &&
+		run.Status != enum.RunStatusExpired {
+		return nil, app.For(code.Job).ResInvalidState("only failed, cancelled, or expired jobs can be retried")
+	}
+	if run.Attempt >= run.MaxAttempts {
+		return nil, app.For(code.Job).ResInvalidState("job has reached max attempts")
+	}
+
+	fromStatus := string(run.Status)
+	template, err := u.templates.FindByType(ctx, run.TemplateType)
+	if err != nil {
+		return nil, err
+	}
+	if err := u.acquireDedupeLease(ctx, template, run.DedupeKey, jobID); err != nil {
+		return nil, err
+	}
+
+	run.Status = enum.RunStatusPending
+	run.Progress.Steps = prepareStepsForRetry(run.Progress.Steps)
+	run.Phase = firstResumablePhase(run.Progress.Steps)
+	run.Error = ""
+	run.Result = nil
+	run.Attempt++
+	run.LockedBy = ""
+	run.LockedUntil = nil
+	run.CancelRequestedAt = nil
+	run.CancelReason = ""
+	run.StartedAt = nil
+	run.CompletedAt = nil
+	run.Progress.Summary = "waiting for retry"
+	run.Progress.Percentage = calcProgressPercentage(run.Progress.Steps)
+
+	run.ScheduledAt = nil
+	updated, err := u.runs.UpdateIfStatus(ctx, run, []enum.RunStatus{
+		enum.RunStatusFailed,
+		enum.RunStatusCancelled,
+		enum.RunStatusExpired,
+	})
+	if err != nil {
+		u.releaseDedupe(ctx, run)
+		return nil, err
+	}
+
+	backoff := retryBackoffSeconds(template, updated.Attempt)
+	if backoff > 0 {
+		scheduled := clock.AddSecondsFromNow(backoff)
+		updated.ScheduledAt = &scheduled
+		updated, err = u.runs.Update(ctx, updated)
+		if err != nil {
+			u.releaseDedupe(ctx, updated)
+			return nil, err
+		}
+		_ = u.appendEvent(ctx, jobID, "retried", fromStatus, string(enum.RunStatusPending), "job scheduled for retry", map[string]any{"attempt": updated.Attempt, "backoff_seconds": backoff})
+		return updated, nil
+	}
+
+	updated, err = u.enqueueRun(ctx, updated)
+	if err != nil {
+		u.releaseDedupe(ctx, updated)
+		return nil, err
+	}
+	_ = u.appendEvent(ctx, jobID, "retried", fromStatus, string(enum.RunStatusQueued), "job requeued", map[string]any{"attempt": updated.Attempt})
+	return updated, nil
+}
+
+func (u *jobUseCase) ClaimNext(ctx context.Context, req domusecase.ClaimNextRequest) (*entity.Run, error) {
+	workerType := strings.TrimSpace(req.WorkerType)
+	workerID := strings.TrimSpace(req.WorkerID)
+	if workerType == "" || workerID == "" {
+		return nil, app.For(code.Job).InputMissingRequired("worker_type and worker_id are required")
+	}
+
+	for {
+		jobID, err := u.queue.Dequeue(ctx, workerType, 2)
+		if err != nil {
+			return nil, err
+		}
+		if jobID == "" {
+			return nil, nil
+		}
+
+		run, err := u.runs.FindByID(ctx, jobID)
+		if err != nil {
+			continue
+		}
+		if run.Status.IsTerminal() || run.Status == enum.RunStatusCancelRequested {
+			continue
+		}
+
+		ok, err := u.queue.TryLock(ctx, jobID, workerID, 300)
+		if err != nil {
+			return nil, err
+		}
+		if !ok {
+			_ = u.queue.Enqueue(ctx, workerType, jobID)
+			continue
+		}
+
+		cancelled, _, err := u.queue.GetCancelSignal(ctx, jobID)
+		if err != nil {
+			_ = u.queue.ReleaseLock(ctx, jobID, workerID)
+			return nil, err
+		}
+		if cancelled || run.Status == enum.RunStatusCancelRequested {
+			_ = u.queue.ReleaseLock(ctx, jobID, workerID)
+			continue
+		}
+
+		now := clock.NowUnixNano()
+		fromStatus := string(run.Status)
+		lockUntil := now + clock.SecondsToNanos(300)
+		run.Status = enum.RunStatusRunning
+		run.LockedBy = workerID
+		run.LockedUntil = &lockUntil
+		run.StartedAt = &now
+		run.Progress.Summary = "worker claimed job"
+
+		updated, err := u.runs.UpdateIfStatus(ctx, run, []enum.RunStatus{
+			enum.RunStatusPending,
+			enum.RunStatusQueued,
+		})
+		if err != nil {
+			_ = u.queue.ReleaseLock(ctx, jobID, workerID)
+			return nil, err
+		}
+		_ = u.appendEvent(ctx, jobID, "status_changed", fromStatus, string(enum.RunStatusRunning), "worker claimed job", map[string]any{"worker_id": workerID})
+		return updated, nil
+	}
+}
+
+func (u *jobUseCase) RefreshRunLock(ctx context.Context, jobID, workerID string, ttlSeconds int) error {
+	jobID = strings.TrimSpace(jobID)
+	workerID = strings.TrimSpace(workerID)
+	if jobID == "" || workerID == "" {
+		return app.For(code.Job).InputMissingRequired("job id and worker id are required")
+	}
+	return u.queue.RefreshLock(ctx, jobID, workerID, ttlSeconds)
+}
+
+func (u *jobUseCase) IsCancelRequested(ctx context.Context, jobID string) (bool, error) {
+	run, err := u.runs.FindByID(ctx, jobID)
+	if err != nil {
+		return false, err
+	}
+	if run.Status == enum.RunStatusCancelRequested || run.Status == enum.RunStatusCancelled {
+		return true, nil
+	}
+	requested, _, err := u.queue.GetCancelSignal(ctx, jobID)
+	return requested, err
+}
+
+func (u *jobUseCase) AcknowledgeCancel(ctx context.Context, req domusecase.AcknowledgeCancelRequest) (*entity.Run, error) {
+	jobID := strings.TrimSpace(req.JobID)
+	workerID := strings.TrimSpace(req.WorkerID)
+	if jobID == "" || workerID == "" {
+		return nil, app.For(code.Job).InputMissingRequired("job id and worker id are required")
+	}
+
+	run, err := u.runs.FindByID(ctx, jobID)
+	if err != nil {
+		return nil, err
+	}
+	if run.LockedBy != "" && run.LockedBy != workerID {
+		return nil, app.For(code.Job).ResInvalidState("job is locked by another worker")
+	}
+
+	now := clock.NowUnixNano()
+	fromStatus := string(run.Status)
+	run.Status = enum.RunStatusCancelled
+	run.CompletedAt = &now
+	run.LockedBy = ""
+	run.LockedUntil = nil
+	run.Progress.Summary = "job cancelled"
+
+	for i := range run.Progress.Steps {
+		if run.Progress.Steps[i].Status == enum.StepStatusRunning {
+			run.Progress.Steps[i].Status = enum.StepStatusCancelled
+			run.Progress.Steps[i].EndedAt = &now
+		}
+	}
+
+	updated, err := u.runs.UpdateIfLocked(ctx, run, workerID, []enum.RunStatus{
+		enum.RunStatusRunning,
+		enum.RunStatusCancelRequested,
+	})
+	if err != nil {
+		return nil, err
+	}
+	_ = u.queue.ReleaseLock(ctx, jobID, workerID)
+	_ = u.queue.ClearCancelSignal(ctx, jobID)
+	u.releaseDedupe(ctx, updated)
+	_ = u.appendEvent(ctx, jobID, "status_changed", fromStatus, string(enum.RunStatusCancelled), "worker acknowledged cancel", map[string]any{"worker_id": workerID})
+	return updated, nil
+}
+
+func (u *jobUseCase) UpdateProgress(ctx context.Context, req domusecase.UpdateProgressRequest) (*entity.Run, error) {
+	run, err := u.runs.FindByID(ctx, req.JobID)
+	if err != nil {
+		return nil, err
+	}
+	if req.Phase != "" {
+		run.Phase = req.Phase
+	}
+	if req.Summary != "" {
+		run.Progress.Summary = req.Summary
+	}
+	if req.Percentage >= 0 {
+		run.Progress.Percentage = req.Percentage
+	}
+	if len(req.Steps) > 0 {
+		run.Progress.Steps = req.Steps
+	}
+	return u.runs.UpdateIfLocked(ctx, run, req.WorkerID, []enum.RunStatus{enum.RunStatusRunning})
+}
+
+func (u *jobUseCase) CompleteRun(ctx context.Context, req domusecase.CompleteRunRequest) (*entity.Run, error) {
+	run, err := u.runs.FindByID(ctx, req.JobID)
+	if err != nil {
+		return nil, err
+	}
+	workerID := strings.TrimSpace(req.WorkerID)
+	if workerID == "" {
+		workerID = run.LockedBy
+	}
+	now := clock.NowUnixNano()
+	fromStatus := string(run.Status)
+	run.Status = enum.RunStatusSucceeded
+	run.Result = req.Result
+	run.CompletedAt = &now
+	run.Progress.Summary = "job completed"
+	run.Progress.Percentage = 100
+	run.LockedBy = ""
+	run.LockedUntil = nil
+
+	updated, err := u.runs.UpdateIfLocked(ctx, run, workerID, []enum.RunStatus{enum.RunStatusRunning})
+	if err != nil {
+		return nil, err
+	}
+	_ = u.queue.ReleaseLock(ctx, req.JobID, workerID)
+	_ = u.queue.ClearCancelSignal(ctx, req.JobID)
+	u.releaseDedupe(ctx, updated)
+	_ = u.appendEvent(ctx, req.JobID, "status_changed", fromStatus, string(enum.RunStatusSucceeded), "job completed", nil)
+	return updated, nil
+}
+
+func (u *jobUseCase) FailRun(ctx context.Context, req domusecase.FailRunRequest) (*entity.Run, error) {
+	run, err := u.runs.FindByID(ctx, req.JobID)
+	if err != nil {
+		return nil, err
+	}
+	workerID := strings.TrimSpace(req.WorkerID)
+	if workerID == "" {
+		workerID = run.LockedBy
+	}
+	now := clock.NowUnixNano()
+	fromStatus := string(run.Status)
+	run.Status = enum.RunStatusFailed
+	run.Error = req.Error
+	if req.Phase != "" {
+		run.Phase = req.Phase
+	}
+	run.CompletedAt = &now
+	run.Progress.Summary = "job failed"
+	run.Progress.Percentage = calcProgressPercentage(run.Progress.Steps)
+	run.LockedBy = ""
+	run.LockedUntil = nil
+
+	updated, err := u.runs.UpdateIfLocked(ctx, run, workerID, []enum.RunStatus{
+		enum.RunStatusRunning,
+		enum.RunStatusCancelRequested,
+	})
+	if err != nil {
+		return nil, err
+	}
+	_ = u.queue.ReleaseLock(ctx, req.JobID, workerID)
+	_ = u.queue.ClearCancelSignal(ctx, req.JobID)
+	u.releaseDedupe(ctx, updated)
+	_ = u.appendEvent(ctx, req.JobID, "status_changed", fromStatus, string(enum.RunStatusFailed), req.Error, nil)
+	return updated, nil
+}
+
+func maxAttemptsOrDefault(maxAttempts int) int {
+	if maxAttempts <= 0 {
+		return 1
+	}
+	return maxAttempts
+}
diff --git a/haixun-backend/internal/model/member/domain/entity/member.go b/haixun-backend/internal/model/member/domain/entity/member.go
new file mode 100644
index 0000000..e111090
--- /dev/null
+++ b/haixun-backend/internal/model/member/domain/entity/member.go
@@ -0,0 +1,41 @@
+package entity
+
+import "go.mongodb.org/mongo-driver/bson/primitive"
+
+const CollectionName = "members"
+
+type Status string
+
+const (
+	StatusOpen      Status = "open"
+	StatusSuspended Status = "suspended"
+	StatusDeleted   Status = "deleted"
+)
+
+type Origin string
+
+const (
+	OriginNative Origin = "native"
+)
+
+type Member struct {
+	ID                    primitive.ObjectID `bson:"_id,omitempty"`
+	TenantID              string             `bson:"tenant_id"`
+	UID                   string             `bson:"uid"`
+	Email                 string             `bson:"email"`
+	DisplayName           string             `bson:"display_name,omitempty"`
+	Avatar                string             `bson:"avatar,omitempty"`
+	Phone                 string             `bson:"phone,omitempty"`
+	Language              string             `bson:"language,omitempty"`
+	Currency              string             `bson:"currency,omitempty"`
+	Status                Status             `bson:"status"`
+	Origin                Origin             `bson:"origin"`
+	PasswordHash          string             `bson:"password_hash,omitempty"`
+	Roles                 []string           `bson:"roles,omitempty"`
+	BusinessEmail         string             `bson:"business_email,omitempty"`
+	BusinessEmailVerified bool               `bson:"business_email_verified"`
+	BusinessPhone         string             `bson:"business_phone,omitempty"`
+	BusinessPhoneVerified bool               `bson:"business_phone_verified"`
+	CreateAt              int64              `bson:"create_at"`
+	UpdateAt              int64              `bson:"update_at"`
+}
diff --git a/haixun-backend/internal/model/member/domain/repository/member.go b/haixun-backend/internal/model/member/domain/repository/member.go
new file mode 100644
index 0000000..aae8fac
--- /dev/null
+++ b/haixun-backend/internal/model/member/domain/repository/member.go
@@ -0,0 +1,24 @@
+package repository
+
+import (
+	"context"
+
+	"haixun-backend/internal/model/member/domain/entity"
+)
+
+type ProfileUpdate struct {
+	DisplayName *string
+	Avatar      *string
+	Language    *string
+	Currency    *string
+	Phone       *string
+}
+
+type Repository interface {
+	EnsureIndexes(ctx context.Context) error
+	Create(ctx context.Context, member *entity.Member) (*entity.Member, error)
+	FindByUID(ctx context.Context, tenantID, uid string) (*entity.Member, error)
+	FindByEmail(ctx context.Context, tenantID, email string) (*entity.Member, error)
+	UpdateProfile(ctx context.Context, tenantID, uid string, update ProfileUpdate) (*entity.Member, error)
+	SetRoles(ctx context.Context, tenantID, uid string, roles []string) error
+}
diff --git a/haixun-backend/internal/model/member/domain/usecase/member.go b/haixun-backend/internal/model/member/domain/usecase/member.go
new file mode 100644
index 0000000..734c20f
--- /dev/null
+++ b/haixun-backend/internal/model/member/domain/usecase/member.go
@@ -0,0 +1,46 @@
+package usecase
+
+import (
+	"context"
+
+	"haixun-backend/internal/model/member/domain/entity"
+)
+
+type RegisterRequest struct {
+	TenantID    string
+	Email       string
+	Password    string
+	DisplayName string
+	Language    string
+}
+
+type LoginRequest struct {
+	TenantID string
+	Email    string
+	Password string
+}
+
+type UpdateProfileRequest struct {
+	TenantID    string
+	UID         string
+	DisplayName *string
+	Avatar      *string
+	Language    *string
+	Currency    *string
+	Phone       *string
+}
+
+type AuthToken struct {
+	AccessToken  string
+	RefreshToken string
+	ExpiresIn    int64
+	UID          string
+	TokenType    string
+}
+
+type UseCase interface {
+	Register(ctx context.Context, req RegisterRequest) (*entity.Member, *AuthToken, error)
+	Login(ctx context.Context, req LoginRequest) (*entity.Member, *AuthToken, error)
+	GetByUID(ctx context.Context, tenantID, uid string) (*entity.Member, error)
+	UpdateProfile(ctx context.Context, req UpdateProfileRequest) (*entity.Member, error)
+}
diff --git a/haixun-backend/internal/model/member/repository/mongo.go b/haixun-backend/internal/model/member/repository/mongo.go
new file mode 100644
index 0000000..6945af0
--- /dev/null
+++ b/haixun-backend/internal/model/member/repository/mongo.go
@@ -0,0 +1,147 @@
+package repository
+
+import (
+	"context"
+	"strings"
+
+	"haixun-backend/internal/library/clock"
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/model/member/domain/entity"
+	domrepo "haixun-backend/internal/model/member/domain/repository"
+
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/bson/primitive"
+	"go.mongodb.org/mongo-driver/mongo"
+	"go.mongodb.org/mongo-driver/mongo/options"
+)
+
+type mongoRepository struct {
+	collection *mongo.Collection
+}
+
+func NewMongoRepository(db *mongo.Database) domrepo.Repository {
+	if db == nil {
+		return &mongoRepository{}
+	}
+	return &mongoRepository{collection: db.Collection(entity.CollectionName)}
+}
+
+func (r *mongoRepository) EnsureIndexes(ctx context.Context) error {
+	if r.collection == nil {
+		return nil
+	}
+	_, err := r.collection.Indexes().CreateMany(ctx, []mongo.IndexModel{
+		{Keys: bson.D{{Key: "tenant_id", Value: 1}, {Key: "uid", Value: 1}}, Options: options.Index().SetUnique(true)},
+		{Keys: bson.D{{Key: "tenant_id", Value: 1}, {Key: "email", Value: 1}}, Options: options.Index().SetUnique(true)},
+	})
+	return err
+}
+
+func (r *mongoRepository) Create(ctx context.Context, member *entity.Member) (*entity.Member, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Member).DBUnavailable("Mongo is not configured")
+	}
+	now := clock.NowUnixNano()
+	member.Email = normalizeEmail(member.Email)
+	member.CreateAt = now
+	member.UpdateAt = now
+	if member.ID.IsZero() {
+		member.ID = primitive.NewObjectID()
+	}
+	if member.Status == "" {
+		member.Status = entity.StatusOpen
+	}
+	if member.Origin == "" {
+		member.Origin = entity.OriginNative
+	}
+	_, err := r.collection.InsertOne(ctx, member)
+	if mongo.IsDuplicateKeyError(err) {
+		return nil, app.For(code.Member).ResConflict("member already exists")
+	}
+	if err != nil {
+		return nil, err
+	}
+	return member, nil
+}
+
+func (r *mongoRepository) FindByUID(ctx context.Context, tenantID, uid string) (*entity.Member, error) {
+	return r.findOne(ctx, bson.M{"tenant_id": tenantID, "uid": uid})
+}
+
+func (r *mongoRepository) FindByEmail(ctx context.Context, tenantID, email string) (*entity.Member, error) {
+	return r.findOne(ctx, bson.M{"tenant_id": tenantID, "email": normalizeEmail(email)})
+}
+
+func (r *mongoRepository) SetRoles(ctx context.Context, tenantID, uid string, roles []string) error {
+	if r.collection == nil {
+		return app.For(code.Member).DBUnavailable("Mongo is not configured")
+	}
+	if tenantID == "" || uid == "" {
+		return app.For(code.Member).InputMissingRequired("tenant_id and uid are required")
+	}
+	res, err := r.collection.UpdateOne(
+		ctx,
+		bson.M{"tenant_id": tenantID, "uid": uid},
+		bson.M{"$set": bson.M{"roles": roles, "update_at": clock.NowUnixNano()}},
+	)
+	if err != nil {
+		return err
+	}
+	if res.MatchedCount == 0 {
+		return app.For(code.Member).ResNotFound("member not found")
+	}
+	return nil
+}
+
+func (r *mongoRepository) UpdateProfile(ctx context.Context, tenantID, uid string, update domrepo.ProfileUpdate) (*entity.Member, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Member).DBUnavailable("Mongo is not configured")
+	}
+	set := bson.M{"update_at": clock.NowUnixNano()}
+	if update.DisplayName != nil {
+		set["display_name"] = *update.DisplayName
+	}
+	if update.Avatar != nil {
+		set["avatar"] = *update.Avatar
+	}
+	if update.Language != nil {
+		set["language"] = *update.Language
+	}
+	if update.Currency != nil {
+		set["currency"] = *update.Currency
+	}
+	if update.Phone != nil {
+		set["phone"] = *update.Phone
+	}
+	var out entity.Member
+	err := r.collection.FindOneAndUpdate(
+		ctx,
+		bson.M{"tenant_id": tenantID, "uid": uid},
+		bson.M{"$set": set},
+		options.FindOneAndUpdate().SetReturnDocument(options.After),
+	).Decode(&out)
+	if err == mongo.ErrNoDocuments {
+		return nil, app.For(code.Member).ResNotFound("member not found")
+	}
+	return &out, err
+}
+
+func (r *mongoRepository) findOne(ctx context.Context, filter bson.M) (*entity.Member, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Member).DBUnavailable("Mongo is not configured")
+	}
+	var out entity.Member
+	err := r.collection.FindOne(ctx, filter).Decode(&out)
+	if err == mongo.ErrNoDocuments {
+		return nil, app.For(code.Member).ResNotFound("member not found")
+	}
+	if err != nil {
+		return nil, err
+	}
+	return &out, nil
+}
+
+func normalizeEmail(email string) string {
+	return strings.ToLower(strings.TrimSpace(email))
+}
diff --git a/haixun-backend/internal/model/member/usecase/usecase.go b/haixun-backend/internal/model/member/usecase/usecase.go
new file mode 100644
index 0000000..3c1e771
--- /dev/null
+++ b/haixun-backend/internal/model/member/usecase/usecase.go
@@ -0,0 +1,120 @@
+package usecase
+
+import (
+	"context"
+	"strings"
+
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	authusecase "haixun-backend/internal/model/auth/domain/usecase"
+	"haixun-backend/internal/model/member/domain/entity"
+	domrepo "haixun-backend/internal/model/member/domain/repository"
+	domusecase "haixun-backend/internal/model/member/domain/usecase"
+
+	"github.com/google/uuid"
+	"golang.org/x/crypto/bcrypt"
+)
+
+type memberUseCase struct {
+	repo   domrepo.Repository
+	tokens authusecase.TokenUseCase
+}
+
+func NewUseCase(repo domrepo.Repository, tokens authusecase.TokenUseCase) domusecase.UseCase {
+	return &memberUseCase{repo: repo, tokens: tokens}
+}
+
+func (u *memberUseCase) Register(ctx context.Context, req domusecase.RegisterRequest) (*entity.Member, *domusecase.AuthToken, error) {
+	tenantID := strings.TrimSpace(req.TenantID)
+	email := normalizeEmail(req.Email)
+	if tenantID == "" || email == "" || req.Password == "" {
+		return nil, nil, app.For(code.Member).InputMissingRequired("tenant_id, email, and password are required")
+	}
+	if len(req.Password) < 8 {
+		return nil, nil, app.For(code.Member).InputInvalidFormat("password must be at least 8 characters")
+	}
+	hash, err := bcrypt.GenerateFromPassword([]byte(req.Password), bcrypt.DefaultCost)
+	if err != nil {
+		return nil, nil, app.For(code.Member).SysInternal("hash password failed").WithCause(err)
+	}
+	member, err := u.repo.Create(ctx, &entity.Member{
+		TenantID:     tenantID,
+		UID:          uuid.NewString(),
+		Email:        email,
+		DisplayName:  strings.TrimSpace(req.DisplayName),
+		Language:     strings.TrimSpace(req.Language),
+		Status:       entity.StatusOpen,
+		Origin:       entity.OriginNative,
+		PasswordHash: string(hash),
+		Roles:        []string{"user"},
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+	token, err := u.issue(ctx, member)
+	return member, token, err
+}
+
+func (u *memberUseCase) Login(ctx context.Context, req domusecase.LoginRequest) (*entity.Member, *domusecase.AuthToken, error) {
+	tenantID := strings.TrimSpace(req.TenantID)
+	email := normalizeEmail(req.Email)
+	if tenantID == "" || email == "" || req.Password == "" {
+		return nil, nil, app.For(code.Auth).InputMissingRequired("tenant_id, email, and password are required")
+	}
+	member, err := u.repo.FindByEmail(ctx, tenantID, email)
+	if err != nil {
+		return nil, nil, app.For(code.Auth).AuthUnauthorized("invalid email or password").WithCause(err)
+	}
+	if member.Status != entity.StatusOpen {
+		return nil, nil, app.For(code.Auth).AuthForbidden("member is not active")
+	}
+	if err := bcrypt.CompareHashAndPassword([]byte(member.PasswordHash), []byte(req.Password)); err != nil {
+		return nil, nil, app.For(code.Auth).AuthUnauthorized("invalid email or password")
+	}
+	token, err := u.issue(ctx, member)
+	return member, token, err
+}
+
+func (u *memberUseCase) GetByUID(ctx context.Context, tenantID, uid string) (*entity.Member, error) {
+	if tenantID == "" || uid == "" {
+		return nil, app.For(code.Member).InputMissingRequired("tenant_id and uid are required")
+	}
+	return u.repo.FindByUID(ctx, tenantID, uid)
+}
+
+func (u *memberUseCase) UpdateProfile(ctx context.Context, req domusecase.UpdateProfileRequest) (*entity.Member, error) {
+	if req.TenantID == "" || req.UID == "" {
+		return nil, app.For(code.Member).InputMissingRequired("tenant_id and uid are required")
+	}
+	return u.repo.UpdateProfile(ctx, req.TenantID, req.UID, domrepo.ProfileUpdate{
+		DisplayName: req.DisplayName,
+		Avatar:      req.Avatar,
+		Language:    req.Language,
+		Currency:    req.Currency,
+		Phone:       req.Phone,
+	})
+}
+
+func (u *memberUseCase) issue(ctx context.Context, member *entity.Member) (*domusecase.AuthToken, error) {
+	if u.tokens == nil {
+		return nil, app.For(code.Auth).SysNotImplemented("token usecase is not configured")
+	}
+	pair, err := u.tokens.IssuePair(ctx, authusecase.IssuePairRequest{
+		TenantID: member.TenantID,
+		UID:      member.UID,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &domusecase.AuthToken{
+		AccessToken:  pair.AccessToken,
+		RefreshToken: pair.RefreshToken,
+		ExpiresIn:    pair.ExpiresIn,
+		UID:          member.UID,
+		TokenType:    pair.TokenType,
+	}, nil
+}
+
+func normalizeEmail(email string) string {
+	return strings.ToLower(strings.TrimSpace(email))
+}
diff --git a/haixun-backend/internal/model/permission/domain/entity/permission.go b/haixun-backend/internal/model/permission/domain/entity/permission.go
new file mode 100644
index 0000000..55c2559
--- /dev/null
+++ b/haixun-backend/internal/model/permission/domain/entity/permission.go
@@ -0,0 +1,42 @@
+package entity
+
+import "go.mongodb.org/mongo-driver/bson/primitive"
+
+const PermissionCollectionName = "permissions"
+
+type Status string
+
+const (
+	StatusOpen  Status = "open"
+	StatusClose Status = "close"
+)
+
+type Type string
+
+const (
+	TypeBackendUser  Type = "backend_user"
+	TypeFrontendUser Type = "frontend_user"
+)
+
+type Permission struct {
+	ID          primitive.ObjectID `bson:"_id,omitempty"`
+	Parent      string             `bson:"parent,omitempty"`
+	Name        string             `bson:"name"`
+	HTTPMethods string             `bson:"http_methods,omitempty"`
+	HTTPPath    string             `bson:"http_path,omitempty"`
+	Status      Status             `bson:"status"`
+	Type        Type               `bson:"type"`
+	CreateAt    int64              `bson:"create_at"`
+	UpdateAt    int64              `bson:"update_at"`
+}
+
+type RolePermission struct {
+	ID           primitive.ObjectID `bson:"_id,omitempty"`
+	TenantID     string             `bson:"tenant_id"`
+	RoleKey      string             `bson:"role_key"`
+	PermissionID string             `bson:"permission_id"`
+	CreateAt     int64              `bson:"create_at"`
+	UpdateAt     int64              `bson:"update_at"`
+}
+
+const RolePermissionCollectionName = "role_permissions"
diff --git a/haixun-backend/internal/model/permission/domain/repository/permission.go b/haixun-backend/internal/model/permission/domain/repository/permission.go
new file mode 100644
index 0000000..1d006ba
--- /dev/null
+++ b/haixun-backend/internal/model/permission/domain/repository/permission.go
@@ -0,0 +1,25 @@
+package repository
+
+import (
+	"context"
+
+	"haixun-backend/internal/model/permission/domain/entity"
+)
+
+type PermissionFilter struct {
+	Status entity.Status
+	Type   entity.Type
+}
+
+type PermissionRepository interface {
+	EnsureIndexes(ctx context.Context) error
+	UpsertByName(ctx context.Context, permission *entity.Permission) error
+	List(ctx context.Context, filter PermissionFilter) ([]*entity.Permission, error)
+	ListByIDs(ctx context.Context, ids []string) ([]*entity.Permission, error)
+}
+
+type RolePermissionRepository interface {
+	EnsureIndexes(ctx context.Context) error
+	ListByRoles(ctx context.Context, tenantID string, roleKeys []string) ([]*entity.RolePermission, error)
+	SetForRole(ctx context.Context, tenantID, roleKey string, permissionIDs []string) error
+}
diff --git a/haixun-backend/internal/model/permission/domain/usecase/permission.go b/haixun-backend/internal/model/permission/domain/usecase/permission.go
new file mode 100644
index 0000000..60b2f33
--- /dev/null
+++ b/haixun-backend/internal/model/permission/domain/usecase/permission.go
@@ -0,0 +1,43 @@
+package usecase
+
+import (
+	"context"
+
+	"haixun-backend/internal/model/member/domain/entity"
+	permissionentity "haixun-backend/internal/model/permission/domain/entity"
+)
+
+type PermissionNode struct {
+	ID          string
+	Parent      string
+	Name        string
+	HTTPMethods string
+	HTTPPath    string
+	Status      string
+	Type        string
+	Children    []PermissionNode
+}
+
+type CatalogRequest struct {
+	Status string
+	Type   string
+	Tree   bool
+}
+
+type MePermissions struct {
+	TenantID    string
+	UID         string
+	Roles       []string
+	Permissions map[string]string
+	Tree        []PermissionNode
+}
+
+type UseCase interface {
+	EnsureDefaultPermissions(ctx context.Context) error
+	EnsureDefaultRolePermissions(ctx context.Context, tenantID string) error
+	Catalog(ctx context.Context, req CatalogRequest) ([]PermissionNode, []PermissionNode, error)
+	Me(ctx context.Context, member *entity.Member, includeTree bool) (*MePermissions, error)
+	ReplaceRolePermissions(ctx context.Context, tenantID, roleKey string, permissionIDs []string) error
+}
+
+type RawPermission = permissionentity.Permission
diff --git a/haixun-backend/internal/model/permission/repository/mongo_permission.go b/haixun-backend/internal/model/permission/repository/mongo_permission.go
new file mode 100644
index 0000000..7f4d3fb
--- /dev/null
+++ b/haixun-backend/internal/model/permission/repository/mongo_permission.go
@@ -0,0 +1,112 @@
+package repository
+
+import (
+	"context"
+
+	"haixun-backend/internal/library/clock"
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/model/permission/domain/entity"
+	domrepo "haixun-backend/internal/model/permission/domain/repository"
+
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/mongo"
+	"go.mongodb.org/mongo-driver/mongo/options"
+)
+
+type mongoPermissionRepository struct {
+	collection *mongo.Collection
+}
+
+func NewMongoPermissionRepository(db *mongo.Database) domrepo.PermissionRepository {
+	if db == nil {
+		return &mongoPermissionRepository{}
+	}
+	return &mongoPermissionRepository{collection: db.Collection(entity.PermissionCollectionName)}
+}
+
+func (r *mongoPermissionRepository) EnsureIndexes(ctx context.Context) error {
+	if r.collection == nil {
+		return nil
+	}
+	_, err := r.collection.Indexes().CreateMany(ctx, []mongo.IndexModel{
+		{Keys: bson.D{{Key: "name", Value: 1}}, Options: options.Index().SetUnique(true)},
+		{Keys: bson.D{{Key: "parent", Value: 1}}},
+		{Keys: bson.D{{Key: "status", Value: 1}}},
+		{Keys: bson.D{{Key: "type", Value: 1}}},
+	})
+	return err
+}
+
+func (r *mongoPermissionRepository) UpsertByName(ctx context.Context, permission *entity.Permission) error {
+	if r.collection == nil {
+		return app.For(code.Permission).DBUnavailable("Mongo is not configured")
+	}
+	now := clock.NowUnixNano()
+	if permission.Status == "" {
+		permission.Status = entity.StatusOpen
+	}
+	if permission.Type == "" {
+		permission.Type = entity.TypeBackendUser
+	}
+	_, err := r.collection.UpdateOne(
+		ctx,
+		bson.M{"name": permission.Name},
+		bson.M{
+			"$set": bson.M{
+				"parent":       permission.Parent,
+				"name":         permission.Name,
+				"http_methods": permission.HTTPMethods,
+				"http_path":    permission.HTTPPath,
+				"status":       permission.Status,
+				"type":         permission.Type,
+				"update_at":    now,
+			},
+			"$setOnInsert": bson.M{"create_at": now},
+		},
+		options.Update().SetUpsert(true),
+	)
+	return err
+}
+
+func (r *mongoPermissionRepository) List(ctx context.Context, filter domrepo.PermissionFilter) ([]*entity.Permission, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Permission).DBUnavailable("Mongo is not configured")
+	}
+	query := bson.M{}
+	if filter.Status != "" {
+		query["status"] = filter.Status
+	}
+	if filter.Type != "" {
+		query["type"] = filter.Type
+	}
+	cursor, err := r.collection.Find(ctx, query, options.Find().SetSort(bson.D{{Key: "name", Value: 1}}))
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+	var out []*entity.Permission
+	if err := cursor.All(ctx, &out); err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (r *mongoPermissionRepository) ListByIDs(ctx context.Context, ids []string) ([]*entity.Permission, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Permission).DBUnavailable("Mongo is not configured")
+	}
+	if len(ids) == 0 {
+		return nil, nil
+	}
+	cursor, err := r.collection.Find(ctx, bson.M{"_id": bson.M{"$in": objectIDs(ids)}})
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+	var out []*entity.Permission
+	if err := cursor.All(ctx, &out); err != nil {
+		return nil, err
+	}
+	return out, nil
+}
diff --git a/haixun-backend/internal/model/permission/repository/mongo_role_permission.go b/haixun-backend/internal/model/permission/repository/mongo_role_permission.go
new file mode 100644
index 0000000..5becfdf
--- /dev/null
+++ b/haixun-backend/internal/model/permission/repository/mongo_role_permission.go
@@ -0,0 +1,89 @@
+package repository
+
+import (
+	"context"
+
+	"haixun-backend/internal/library/clock"
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/model/permission/domain/entity"
+	domrepo "haixun-backend/internal/model/permission/domain/repository"
+
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/bson/primitive"
+	"go.mongodb.org/mongo-driver/mongo"
+	"go.mongodb.org/mongo-driver/mongo/options"
+)
+
+type mongoRolePermissionRepository struct {
+	collection *mongo.Collection
+}
+
+func NewMongoRolePermissionRepository(db *mongo.Database) domrepo.RolePermissionRepository {
+	if db == nil {
+		return &mongoRolePermissionRepository{}
+	}
+	return &mongoRolePermissionRepository{collection: db.Collection(entity.RolePermissionCollectionName)}
+}
+
+func (r *mongoRolePermissionRepository) EnsureIndexes(ctx context.Context) error {
+	if r.collection == nil {
+		return nil
+	}
+	_, err := r.collection.Indexes().CreateMany(ctx, []mongo.IndexModel{
+		{Keys: bson.D{{Key: "tenant_id", Value: 1}, {Key: "role_key", Value: 1}, {Key: "permission_id", Value: 1}}, Options: options.Index().SetUnique(true)},
+		{Keys: bson.D{{Key: "tenant_id", Value: 1}, {Key: "role_key", Value: 1}}},
+	})
+	return err
+}
+
+func (r *mongoRolePermissionRepository) ListByRoles(ctx context.Context, tenantID string, roleKeys []string) ([]*entity.RolePermission, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Permission).DBUnavailable("Mongo is not configured")
+	}
+	if tenantID == "" || len(roleKeys) == 0 {
+		return nil, nil
+	}
+	cursor, err := r.collection.Find(ctx, bson.M{"tenant_id": tenantID, "role_key": bson.M{"$in": roleKeys}})
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close(ctx)
+	var out []*entity.RolePermission
+	if err := cursor.All(ctx, &out); err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (r *mongoRolePermissionRepository) SetForRole(ctx context.Context, tenantID, roleKey string, permissionIDs []string) error {
+	if r.collection == nil {
+		return app.For(code.Permission).DBUnavailable("Mongo is not configured")
+	}
+	if tenantID == "" || roleKey == "" {
+		return app.For(code.Permission).InputMissingRequired("tenant_id and role_key are required")
+	}
+	if _, err := r.collection.DeleteMany(ctx, bson.M{"tenant_id": tenantID, "role_key": roleKey}); err != nil {
+		return err
+	}
+	if len(permissionIDs) == 0 {
+		return nil
+	}
+	now := clock.NowUnixNano()
+	docs := make([]any, 0, len(permissionIDs))
+	for _, permissionID := range permissionIDs {
+		docs = append(docs, &entity.RolePermission{
+			ID:           primitive.NewObjectID(),
+			TenantID:     tenantID,
+			RoleKey:      roleKey,
+			PermissionID: permissionID,
+			CreateAt:     now,
+			UpdateAt:     now,
+		})
+	}
+	_, err := r.collection.InsertMany(ctx, docs)
+	if mongo.IsDuplicateKeyError(err) {
+		return nil
+	}
+	return err
+}
diff --git a/haixun-backend/internal/model/permission/repository/object_id.go b/haixun-backend/internal/model/permission/repository/object_id.go
new file mode 100644
index 0000000..c617161
--- /dev/null
+++ b/haixun-backend/internal/model/permission/repository/object_id.go
@@ -0,0 +1,14 @@
+package repository
+
+import "go.mongodb.org/mongo-driver/bson/primitive"
+
+func objectIDs(ids []string) []primitive.ObjectID {
+	out := make([]primitive.ObjectID, 0, len(ids))
+	for _, id := range ids {
+		objectID, err := primitive.ObjectIDFromHex(id)
+		if err == nil {
+			out = append(out, objectID)
+		}
+	}
+	return out
+}
diff --git a/haixun-backend/internal/model/permission/usecase/usecase.go b/haixun-backend/internal/model/permission/usecase/usecase.go
new file mode 100644
index 0000000..162777c
--- /dev/null
+++ b/haixun-backend/internal/model/permission/usecase/usecase.go
@@ -0,0 +1,209 @@
+package usecase
+
+import (
+	"context"
+	"sort"
+
+	memberentity "haixun-backend/internal/model/member/domain/entity"
+	"haixun-backend/internal/model/permission/domain/entity"
+	domrepo "haixun-backend/internal/model/permission/domain/repository"
+	domusecase "haixun-backend/internal/model/permission/domain/usecase"
+)
+
+type permissionUseCase struct {
+	permissions     domrepo.PermissionRepository
+	rolePermissions domrepo.RolePermissionRepository
+}
+
+func NewUseCase(permissions domrepo.PermissionRepository, rolePermissions domrepo.RolePermissionRepository) domusecase.UseCase {
+	return &permissionUseCase{permissions: permissions, rolePermissions: rolePermissions}
+}
+
+func (u *permissionUseCase) EnsureDefaultPermissions(ctx context.Context) error {
+	for _, permission := range defaultPermissions() {
+		if err := u.permissions.UpsertByName(ctx, permission); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (u *permissionUseCase) EnsureDefaultRolePermissions(ctx context.Context, tenantID string) error {
+	if tenantID == "" {
+		return nil
+	}
+	perms, err := u.permissions.List(ctx, domrepo.PermissionFilter{Status: entity.StatusOpen})
+	if err != nil {
+		return err
+	}
+	allIDs := make([]string, 0, len(perms))
+	byName := make(map[string]string, len(perms))
+	for _, item := range perms {
+		id := item.ID.Hex()
+		allIDs = append(allIDs, id)
+		byName[item.Name] = id
+	}
+	if err := u.rolePermissions.SetForRole(ctx, tenantID, "admin", allIDs); err != nil {
+		return err
+	}
+	userIDs := make([]string, 0, len(defaultUserPermissionNames()))
+	for _, name := range defaultUserPermissionNames() {
+		if id, ok := byName[name]; ok {
+			userIDs = append(userIDs, id)
+		}
+	}
+	return u.rolePermissions.SetForRole(ctx, tenantID, "user", userIDs)
+}
+
+func (u *permissionUseCase) Catalog(ctx context.Context, req domusecase.CatalogRequest) ([]domusecase.PermissionNode, []domusecase.PermissionNode, error) {
+	filter := domrepo.PermissionFilter{}
+	if req.Status != "" {
+		filter.Status = entity.Status(req.Status)
+	}
+	if req.Type != "" {
+		filter.Type = entity.Type(req.Type)
+	}
+	items, err := u.permissions.List(ctx, filter)
+	if err != nil {
+		return nil, nil, err
+	}
+	list := permissionNodes(items)
+	if req.Tree {
+		return buildTree(list), nil, nil
+	}
+	return nil, list, nil
+}
+
+func (u *permissionUseCase) Me(ctx context.Context, member *memberentity.Member, includeTree bool) (*domusecase.MePermissions, error) {
+	if member == nil {
+		return nil, nil
+	}
+	roles := member.Roles
+	if len(roles) == 0 {
+		roles = []string{"user"}
+	}
+	rolePermissions, err := u.rolePermissions.ListByRoles(ctx, member.TenantID, roles)
+	if err != nil {
+		return nil, err
+	}
+	ids := make([]string, 0, len(rolePermissions))
+	for _, item := range rolePermissions {
+		ids = append(ids, item.PermissionID)
+	}
+	perms, err := u.permissions.ListByIDs(ctx, ids)
+	if err != nil {
+		return nil, err
+	}
+	if len(perms) == 0 {
+		perms, err = u.permissions.List(ctx, domrepo.PermissionFilter{Status: entity.StatusOpen})
+		if err != nil {
+			return nil, err
+		}
+		if !hasRole(roles, "admin") {
+			perms = filterPermissionsByName(perms, defaultUserPermissionNames())
+		}
+	}
+	nodes := permissionNodes(perms)
+	result := &domusecase.MePermissions{
+		TenantID:    member.TenantID,
+		UID:         member.UID,
+		Roles:       roles,
+		Permissions: map[string]string{},
+	}
+	for _, node := range nodes {
+		if node.HTTPPath != "" && node.HTTPMethods != "" {
+			result.Permissions[node.HTTPPath] = node.HTTPMethods
+		}
+	}
+	if includeTree {
+		result.Tree = buildTree(nodes)
+	}
+	return result, nil
+}
+
+func hasRole(roles []string, role string) bool {
+	for _, item := range roles {
+		if item == role {
+			return true
+		}
+	}
+	return false
+}
+
+func filterPermissionsByName(items []*entity.Permission, names []string) []*entity.Permission {
+	allowed := map[string]struct{}{}
+	for _, name := range names {
+		allowed[name] = struct{}{}
+	}
+	out := make([]*entity.Permission, 0, len(items))
+	for _, item := range items {
+		if _, ok := allowed[item.Name]; ok {
+			out = append(out, item)
+		}
+	}
+	return out
+}
+
+func defaultUserPermissionNames() []string {
+	return []string{
+		"member.me.read",
+		"member.me.update",
+		"permission.me.read",
+		"ai.use",
+	}
+}
+
+func (u *permissionUseCase) ReplaceRolePermissions(ctx context.Context, tenantID, roleKey string, permissionIDs []string) error {
+	return u.rolePermissions.SetForRole(ctx, tenantID, roleKey, permissionIDs)
+}
+
+func permissionNodes(items []*entity.Permission) []domusecase.PermissionNode {
+	out := make([]domusecase.PermissionNode, 0, len(items))
+	for _, item := range items {
+		out = append(out, domusecase.PermissionNode{
+			ID:          item.ID.Hex(),
+			Parent:      item.Parent,
+			Name:        item.Name,
+			HTTPMethods: item.HTTPMethods,
+			HTTPPath:    item.HTTPPath,
+			Status:      string(item.Status),
+			Type:        string(item.Type),
+		})
+	}
+	sort.SliceStable(out, func(i, j int) bool { return out[i].Name < out[j].Name })
+	return out
+}
+
+func buildTree(items []domusecase.PermissionNode) []domusecase.PermissionNode {
+	byParent := map[string][]domusecase.PermissionNode{}
+	index := map[string]*domusecase.PermissionNode{}
+	nodes := make([]domusecase.PermissionNode, len(items))
+	copy(nodes, items)
+	for i := range nodes {
+		index[nodes[i].ID] = &nodes[i]
+		byParent[nodes[i].Parent] = append(byParent[nodes[i].Parent], nodes[i])
+	}
+	for parent, children := range byParent {
+		sort.SliceStable(children, func(i, j int) bool { return children[i].Name < children[j].Name })
+		byParent[parent] = children
+	}
+	for parent, children := range byParent {
+		if node, ok := index[parent]; ok {
+			node.Children = children
+		}
+	}
+	return byParent[""]
+}
+
+func defaultPermissions() []*entity.Permission {
+	return []*entity.Permission{
+		{Name: "member.me.read", HTTPMethods: "GET", HTTPPath: "/api/v1/members/me", Status: entity.StatusOpen, Type: entity.TypeFrontendUser},
+		{Name: "member.me.update", HTTPMethods: "PATCH", HTTPPath: "/api/v1/members/me", Status: entity.StatusOpen, Type: entity.TypeFrontendUser},
+		{Name: "permission.catalog.read", HTTPMethods: "GET", HTTPPath: "/api/v1/permissions/catalog", Status: entity.StatusOpen, Type: entity.TypeBackendUser},
+		{Name: "permission.me.read", HTTPMethods: "GET", HTTPPath: "/api/v1/permissions/me", Status: entity.StatusOpen, Type: entity.TypeFrontendUser},
+		{Name: "setting.manage", HTTPMethods: "GET|PUT|DELETE", HTTPPath: "/api/v1/settings/*", Status: entity.StatusOpen, Type: entity.TypeBackendUser},
+		{Name: "ai.use", HTTPMethods: "GET|POST", HTTPPath: "/api/v1/ai/*", Status: entity.StatusOpen, Type: entity.TypeFrontendUser},
+		{Name: "job.manage", HTTPMethods: "GET|POST|PUT", HTTPPath: "/api/v1/jobs/*", Status: entity.StatusOpen, Type: entity.TypeBackendUser},
+		{Name: "job.template.manage", HTTPMethods: "GET|PUT", HTTPPath: "/api/v1/job/templates/*", Status: entity.StatusOpen, Type: entity.TypeBackendUser},
+	}
+}
diff --git a/haixun-backend/internal/model/setting/domain/entity/setting.go b/haixun-backend/internal/model/setting/domain/entity/setting.go
new file mode 100644
index 0000000..b4c3b84
--- /dev/null
+++ b/haixun-backend/internal/model/setting/domain/entity/setting.go
@@ -0,0 +1,16 @@
+package entity
+
+import "go.mongodb.org/mongo-driver/bson/primitive"
+
+const CollectionName = "settings"
+
+type Setting struct {
+	ID       primitive.ObjectID `bson:"_id,omitempty"`
+	Scope    string             `bson:"scope"`
+	ScopeID  string             `bson:"scope_id"`
+	Key      string             `bson:"key"`
+	Value    map[string]any     `bson:"value"`
+	Version  int                `bson:"version"`
+	CreateAt int64              `bson:"create_at"`
+	UpdateAt int64              `bson:"update_at"`
+}
diff --git a/haixun-backend/internal/model/setting/domain/repository/setting.go b/haixun-backend/internal/model/setting/domain/repository/setting.go
new file mode 100644
index 0000000..6cfbf4e
--- /dev/null
+++ b/haixun-backend/internal/model/setting/domain/repository/setting.go
@@ -0,0 +1,15 @@
+package repository
+
+import (
+	"context"
+
+	"haixun-backend/internal/model/setting/domain/entity"
+)
+
+type Repository interface {
+	List(ctx context.Context, scope, scopeID string, offset, limit int64) ([]*entity.Setting, int64, error)
+	Find(ctx context.Context, scope, scopeID, key string) (*entity.Setting, error)
+	Upsert(ctx context.Context, setting *entity.Setting) (*entity.Setting, error)
+	Delete(ctx context.Context, scope, scopeID, key string) error
+	EnsureIndexes(ctx context.Context) error
+}
diff --git a/haixun-backend/internal/model/setting/domain/usecase/setting.go b/haixun-backend/internal/model/setting/domain/usecase/setting.go
new file mode 100644
index 0000000..20519f5
--- /dev/null
+++ b/haixun-backend/internal/model/setting/domain/usecase/setting.go
@@ -0,0 +1,22 @@
+package usecase
+
+import (
+	"context"
+
+	"haixun-backend/internal/model/setting/domain/entity"
+)
+
+type UpsertRequest struct {
+	Scope   string
+	ScopeID string
+	Key     string
+	Value   map[string]any
+	Version int
+}
+
+type UseCase interface {
+	List(ctx context.Context, scope, scopeID string, page, pageSize int64) ([]*entity.Setting, int64, int64, int64, error)
+	Get(ctx context.Context, scope, scopeID, key string) (*entity.Setting, error)
+	Upsert(ctx context.Context, req UpsertRequest) (*entity.Setting, error)
+	Delete(ctx context.Context, scope, scopeID, key string) error
+}
diff --git a/haixun-backend/internal/model/setting/repository/mongo.go b/haixun-backend/internal/model/setting/repository/mongo.go
new file mode 100644
index 0000000..88211de
--- /dev/null
+++ b/haixun-backend/internal/model/setting/repository/mongo.go
@@ -0,0 +1,135 @@
+package repository
+
+import (
+	"context"
+
+	"haixun-backend/internal/library/clock"
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/model/setting/domain/entity"
+	domrepo "haixun-backend/internal/model/setting/domain/repository"
+
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/mongo"
+	"go.mongodb.org/mongo-driver/mongo/options"
+)
+
+type mongoRepository struct {
+	collection *mongo.Collection
+}
+
+func NewMongoRepository(db *mongo.Database) domrepo.Repository {
+	if db == nil {
+		return &mongoRepository{}
+	}
+	return &mongoRepository{collection: db.Collection(entity.CollectionName)}
+}
+
+func (r *mongoRepository) EnsureIndexes(ctx context.Context) error {
+	if r.collection == nil {
+		return nil
+	}
+	_, err := r.collection.Indexes().CreateOne(ctx, mongo.IndexModel{
+		Keys:    bson.D{{Key: "scope", Value: 1}, {Key: "scope_id", Value: 1}, {Key: "key", Value: 1}},
+		Options: options.Index().SetUnique(true),
+	})
+	return err
+}
+
+func (r *mongoRepository) List(ctx context.Context, scope, scopeID string, offset, limit int64) ([]*entity.Setting, int64, error) {
+	if r.collection == nil {
+		return nil, 0, app.For(code.Setting).DBUnavailable("Mongo is not configured")
+	}
+	filter := bson.M{"scope": scope, "scope_id": scopeID}
+	total, err := r.collection.CountDocuments(ctx, filter)
+	if err != nil {
+		return nil, 0, err
+	}
+	cursor, err := r.collection.Find(
+		ctx,
+		filter,
+		options.Find().SetSort(bson.D{{Key: "key", Value: 1}}).SetSkip(offset).SetLimit(limit),
+	)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer cursor.Close(ctx)
+
+	var items []*entity.Setting
+	if err := cursor.All(ctx, &items); err != nil {
+		return nil, 0, err
+	}
+	return items, total, nil
+}
+
+func (r *mongoRepository) Find(ctx context.Context, scope, scopeID, key string) (*entity.Setting, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Setting).DBUnavailable("Mongo is not configured")
+	}
+	var item entity.Setting
+	err := r.collection.FindOne(ctx, identityFilter(scope, scopeID, key)).Decode(&item)
+	if err == mongo.ErrNoDocuments {
+		return nil, app.For(code.Setting).ResNotFound("setting not found")
+	}
+	if err != nil {
+		return nil, err
+	}
+	return &item, nil
+}
+
+func (r *mongoRepository) Upsert(ctx context.Context, setting *entity.Setting) (*entity.Setting, error) {
+	if r.collection == nil {
+		return nil, app.For(code.Setting).DBUnavailable("Mongo is not configured")
+	}
+	now := clock.NowUnixNano()
+	setting.UpdateAt = now
+	if setting.CreateAt == 0 {
+		setting.CreateAt = now
+	}
+	if setting.Version <= 0 {
+		setting.Version = 1
+	}
+
+	after := options.After
+	result := r.collection.FindOneAndUpdate(
+		ctx,
+		identityFilter(setting.Scope, setting.ScopeID, setting.Key),
+		bson.M{
+			"$set": bson.M{
+				"scope":     setting.Scope,
+				"scope_id":  setting.ScopeID,
+				"key":       setting.Key,
+				"value":     setting.Value,
+				"version":   setting.Version,
+				"update_at": setting.UpdateAt,
+			},
+			"$setOnInsert": bson.M{"create_at": setting.CreateAt},
+		},
+		&options.FindOneAndUpdateOptions{
+			Upsert:         ptr(true),
+			ReturnDocument: &after,
+		},
+	)
+
+	var saved entity.Setting
+	if err := result.Decode(&saved); err != nil {
+		return nil, err
+	}
+	return &saved, nil
+}
+
+func (r *mongoRepository) Delete(ctx context.Context, scope, scopeID, key string) error {
+	if r.collection == nil {
+		return app.For(code.Setting).DBUnavailable("Mongo is not configured")
+	}
+	_, err := r.collection.DeleteOne(ctx, identityFilter(scope, scopeID, key))
+	return err
+}
+
+func identityFilter(scope, scopeID, key string) bson.M {
+	return bson.M{"scope": scope, "scope_id": scopeID, "key": key}
+}
+
+func ptr[T any](v T) *T {
+	return &v
+}
diff --git a/haixun-backend/internal/model/setting/usecase/usecase.go b/haixun-backend/internal/model/setting/usecase/usecase.go
new file mode 100644
index 0000000..3d15f4e
--- /dev/null
+++ b/haixun-backend/internal/model/setting/usecase/usecase.go
@@ -0,0 +1,88 @@
+package usecase
+
+import (
+	"context"
+	"strings"
+
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/model/setting/domain/entity"
+	domrepo "haixun-backend/internal/model/setting/domain/repository"
+	domusecase "haixun-backend/internal/model/setting/domain/usecase"
+)
+
+type UseCase = domusecase.UseCase
+
+type settingUseCase struct {
+	repo domrepo.Repository
+}
+
+const (
+	defaultLimit = int64(50)
+	maxLimit     = int64(200)
+)
+
+func NewUseCase(repo domrepo.Repository) UseCase {
+	return &settingUseCase{repo: repo}
+}
+
+func (u *settingUseCase) List(ctx context.Context, scope, scopeID string, page, pageSize int64) ([]*entity.Setting, int64, int64, int64, error) {
+	if err := validateIdentity(scope, scopeID, "x"); err != nil {
+		return nil, 0, 0, 0, err
+	}
+	if page <= 0 {
+		page = 1
+	}
+	if pageSize <= 0 {
+		pageSize = defaultLimit
+	}
+	if pageSize > maxLimit {
+		pageSize = maxLimit
+	}
+	offset := (page - 1) * pageSize
+	items, total, err := u.repo.List(ctx, scope, scopeID, offset, pageSize)
+	return items, total, page, pageSize, err
+}
+
+func (u *settingUseCase) Get(ctx context.Context, scope, scopeID, key string) (*entity.Setting, error) {
+	if err := validateIdentity(scope, scopeID, key); err != nil {
+		return nil, err
+	}
+
+	return u.repo.Find(ctx, scope, scopeID, key)
+}
+
+func (u *settingUseCase) Upsert(ctx context.Context, req domusecase.UpsertRequest) (*entity.Setting, error) {
+	if err := validateIdentity(req.Scope, req.ScopeID, req.Key); err != nil {
+		return nil, err
+	}
+	if req.Value == nil {
+		return nil, app.For(code.Setting).InputMissingRequired("setting value must not be empty")
+	}
+	return u.repo.Upsert(ctx, &entity.Setting{
+		Scope:   req.Scope,
+		ScopeID: req.ScopeID,
+		Key:     req.Key,
+		Value:   req.Value,
+		Version: req.Version,
+	})
+}
+
+func (u *settingUseCase) Delete(ctx context.Context, scope, scopeID, key string) error {
+	if err := validateIdentity(scope, scopeID, key); err != nil {
+		return err
+	}
+	return u.repo.Delete(ctx, scope, scopeID, key)
+}
+
+func validateIdentity(scope, scopeID, key string) error {
+	switch scope {
+	case "user", "account", "system":
+	default:
+		return app.For(code.Setting).InputInvalidFormat("invalid setting scope")
+	}
+	if strings.TrimSpace(scopeID) == "" || strings.TrimSpace(key) == "" {
+		return app.For(code.Setting).InputMissingRequired("setting scope_id and key must not be empty")
+	}
+	return nil
+}
diff --git a/haixun-backend/internal/response/request.go b/haixun-backend/internal/response/request.go
new file mode 100644
index 0000000..4ff241d
--- /dev/null
+++ b/haixun-backend/internal/response/request.go
@@ -0,0 +1,14 @@
+package response
+
+import (
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/library/redact"
+)
+
+func WrapRequestError(err error) error {
+	if err == nil {
+		return nil
+	}
+	return app.For(code.Facade).InputInvalidFormat(redact.Message(err.Error()))
+}
diff --git a/haixun-backend/internal/response/response.go b/haixun-backend/internal/response/response.go
new file mode 100644
index 0000000..51bf648
--- /dev/null
+++ b/haixun-backend/internal/response/response.go
@@ -0,0 +1,53 @@
+package response
+
+import (
+	"context"
+	"net/http"
+
+	app "haixun-backend/internal/library/errors"
+	"haixun-backend/internal/library/errors/code"
+	"haixun-backend/internal/types"
+
+	"github.com/zeromicro/go-zero/rest/httpx"
+)
+
+func Write(ctx context.Context, w http.ResponseWriter, data any, err error) {
+	if err != nil {
+		status, body := buildError(err)
+		httpx.WriteJsonCtx(ctx, w, status, body)
+		return
+	}
+
+	httpx.WriteJsonCtx(ctx, w, http.StatusOK, types.Status{
+		Code:    code.DefaultSuccessFullCodeInt,
+		Message: code.DefaultSuccessMessage,
+		Data:    data,
+	})
+}
+
+func buildError(err error) (int, types.Status) {
+	if appErr := app.FromError(err); appErr != nil {
+		return appErr.HTTPStatus(), types.Status{
+			Code:    int64(appErr.Code()),
+			Message: appErr.Error(),
+			Error: types.ErrorDetail{
+				BizCode:  appErr.DisplayCode(),
+				Scope:    int64(appErr.Scope()),
+				Category: int64(appErr.Category()),
+				Detail:   int64(appErr.Detail()),
+			},
+		}
+	}
+
+	fallback := app.For(code.Unset).SysInternal("internal server error")
+	return http.StatusInternalServerError, types.Status{
+		Code:    int64(fallback.Code()),
+		Message: fallback.Error(),
+		Error: types.ErrorDetail{
+			BizCode:  fallback.DisplayCode(),
+			Scope:    int64(fallback.Scope()),
+			Category: int64(fallback.Category()),
+			Detail:   int64(fallback.Detail()),
+		},
+	}
+}
diff --git a/haixun-backend/internal/svc/service_context.go b/haixun-backend/internal/svc/service_context.go
new file mode 100644
index 0000000..df0a7c7
--- /dev/null
+++ b/haixun-backend/internal/svc/service_context.go
@@ -0,0 +1,194 @@
+package svc
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"time"
+
+	"haixun-backend/internal/config"
+	libmongo "haixun-backend/internal/library/mongo"
+	libredis "haixun-backend/internal/library/redis"
+	"haixun-backend/internal/library/validate"
+	"haixun-backend/internal/middleware"
+	aisettings "haixun-backend/internal/model/ai/usecase"
+	authrepodomain "haixun-backend/internal/model/auth/domain/repository"
+	authdomain "haixun-backend/internal/model/auth/domain/usecase"
+	authrepo "haixun-backend/internal/model/auth/repository"
+	authuc "haixun-backend/internal/model/auth/usecase"
+	jobrepo "haixun-backend/internal/model/job/repository"
+	jobusecase "haixun-backend/internal/model/job/usecase"
+	memberdomain "haixun-backend/internal/model/member/domain/usecase"
+	memberrepo "haixun-backend/internal/model/member/repository"
+	memberuc "haixun-backend/internal/model/member/usecase"
+	permissiondomain "haixun-backend/internal/model/permission/domain/usecase"
+	permissionrepo "haixun-backend/internal/model/permission/repository"
+	permissionuc "haixun-backend/internal/model/permission/usecase"
+	settingrepo "haixun-backend/internal/model/setting/repository"
+	settingusecase "haixun-backend/internal/model/setting/usecase"
+	jobworker "haixun-backend/internal/worker/job"
+
+	goredis "github.com/redis/go-redis/v9"
+	"github.com/zeromicro/go-zero/rest"
+)
+
+type ServiceContext struct {
+	Config    config.Config
+	Validator *validate.Validate
+	Mongo     *libmongo.Client
+	Redis     *goredis.Client
+
+	Setting    settingusecase.UseCase
+	AI         aisettings.UseCase
+	Job        jobusecase.UseCase
+	AuthToken  authdomain.TokenUseCase
+	Member     memberdomain.UseCase
+	Permission permissiondomain.UseCase
+
+	// Middlewares mounted per route group via generate/api `middleware:` directive.
+	AuthJWT    rest.Middleware
+	MemberAuth rest.Middleware
+
+	stopWorker    context.CancelFunc
+	stopScheduler context.CancelFunc
+	stopReaper    context.CancelFunc
+}
+
+func NewServiceContext(c config.Config) *ServiceContext {
+	ctx := context.Background()
+	mongoClient, err := libmongo.NewClient(ctx, c.Mongo)
+	if err != nil {
+		panic(err)
+	}
+	redisClient := libredis.NewClient(c.Redis)
+
+	settingRepository := settingrepo.NewMongoRepository(mongoClient.Database())
+	if err := settingRepository.EnsureIndexes(ctx); err != nil {
+		panic(err)
+	}
+	settingUseCase := settingusecase.NewUseCase(settingRepository)
+
+	var tokenRevokeStore authrepodomain.TokenRevokeStore
+	if redisClient != nil {
+		tokenRevokeStore = authrepo.NewRedisTokenRevokeStore(redisClient)
+	}
+	authTokenUseCase := authuc.NewTokenUseCase(c.Auth, tokenRevokeStore)
+
+	memberRepository := memberrepo.NewMongoRepository(mongoClient.Database())
+	if err := memberRepository.EnsureIndexes(ctx); err != nil {
+		panic(err)
+	}
+	memberUseCase := memberuc.NewUseCase(memberRepository, authTokenUseCase)
+
+	permissionRepository := permissionrepo.NewMongoPermissionRepository(mongoClient.Database())
+	rolePermissionRepository := permissionrepo.NewMongoRolePermissionRepository(mongoClient.Database())
+	if err := permissionRepository.EnsureIndexes(ctx); err != nil {
+		panic(err)
+	}
+	if err := rolePermissionRepository.EnsureIndexes(ctx); err != nil {
+		panic(err)
+	}
+	permissionUseCase := permissionuc.NewUseCase(permissionRepository, rolePermissionRepository)
+	if err := permissionUseCase.EnsureDefaultPermissions(ctx); err != nil {
+		panic(err)
+	}
+
+	jobTemplateRepository := jobrepo.NewMongoTemplateRepository(mongoClient.Database())
+	jobRunRepository := jobrepo.NewMongoRunRepository(mongoClient.Database())
+	jobScheduleRepository := jobrepo.NewMongoScheduleRepository(mongoClient.Database())
+	jobEventRepository := jobrepo.NewMongoEventRepository(mongoClient.Database())
+	jobQueueRepository := jobrepo.NewRedisQueueRepository(redisClient)
+	if err := jobTemplateRepository.EnsureIndexes(ctx); err != nil {
+		panic(err)
+	}
+	if err := jobRunRepository.EnsureIndexes(ctx); err != nil {
+		panic(err)
+	}
+	if err := jobScheduleRepository.EnsureIndexes(ctx); err != nil {
+		panic(err)
+	}
+	if err := jobEventRepository.EnsureIndexes(ctx); err != nil {
+		panic(err)
+	}
+
+	jobUseCase := jobusecase.NewUseCase(jobTemplateRepository, jobRunRepository, jobScheduleRepository, jobEventRepository, jobQueueRepository)
+	if err := jobUseCase.EnsureDemoTemplate(ctx); err != nil {
+		panic(err)
+	}
+
+	sc := &ServiceContext{
+		Config:     c,
+		Validator:  validate.New(),
+		Mongo:      mongoClient,
+		Redis:      redisClient,
+		Setting:    settingUseCase,
+		AI:         aisettings.NewUseCase(),
+		Job:        jobUseCase,
+		AuthToken:  authTokenUseCase,
+		Member:     memberUseCase,
+		Permission: permissionUseCase,
+	}
+
+	hostname, _ := os.Hostname()
+	if c.JobWorker.Enabled && redisClient != nil {
+		workerType := c.JobWorker.WorkerType
+		if workerType == "" {
+			workerType = "go"
+		}
+		workerID := c.JobWorker.WorkerID
+		if workerID == "" {
+			workerID = fmt.Sprintf("%s-%s-worker", hostname, workerType)
+		}
+		workerCtx, cancel := context.WithCancel(context.Background())
+		sc.stopWorker = cancel
+		runner := jobworker.NewRunner(workerID, workerType, jobUseCase)
+		go runner.Start(workerCtx)
+	}
+
+	if c.JobScheduler.Enabled && redisClient != nil {
+		schedulerHolder := fmt.Sprintf("%s-scheduler", hostname)
+		interval := time.Duration(c.JobScheduler.IntervalSeconds) * time.Second
+		if interval <= 0 {
+			interval = time.Minute
+		}
+		schedulerCtx, cancel := context.WithCancel(context.Background())
+		sc.stopScheduler = cancel
+		scheduler := jobworker.NewScheduler(schedulerHolder, jobUseCase)
+		go scheduler.Start(schedulerCtx, interval)
+	}
+
+	if c.JobReaper.Enabled && redisClient != nil {
+		interval := time.Duration(c.JobReaper.IntervalSeconds) * time.Second
+		if interval <= 0 {
+			interval = 30 * time.Second
+		}
+		reaperCtx, cancel := context.WithCancel(context.Background())
+		sc.stopReaper = cancel
+		reaper := jobworker.NewReaper(jobUseCase)
+		go reaper.Start(reaperCtx, interval)
+	}
+
+	sc.AuthJWT = middleware.NewAuthJWTMiddleware(sc.AuthToken, sc.Config.Auth).Handle
+	sc.MemberAuth = middleware.NewMemberAuthMiddleware(sc.AuthToken, sc.Config.Auth).Handle
+
+	return sc
+}
+
+func (sc *ServiceContext) Close(ctx context.Context) {
+	if sc == nil {
+		return
+	}
+	if sc.stopWorker != nil {
+		sc.stopWorker()
+	}
+	if sc.stopScheduler != nil {
+		sc.stopScheduler()
+	}
+	if sc.stopReaper != nil {
+		sc.stopReaper()
+	}
+	_ = sc.Mongo.Close(ctx)
+	if sc.Redis != nil {
+		_ = sc.Redis.Close()
+	}
+}
diff --git a/haixun-backend/internal/types/types.go b/haixun-backend/internal/types/types.go
new file mode 100644
index 0000000..90da4fc
--- /dev/null
+++ b/haixun-backend/internal/types/types.go
@@ -0,0 +1,390 @@
+// Code generated by goctl. DO NOT EDIT.
+// goctl 1.10.1
+
+package types
+
+type AIChatData struct {
+	Text         string `json:"text"`
+	FinishReason string `json:"finish_reason,optional"`
+}
+
+type AIChatReq struct {
+	Provider    string      `json:"provider" validate:"required,oneof=opencode-go xai"` // AI provider
+	Model       string      `json:"model" validate:"required"`                          // 模型 ID
+	System      string      `json:"system,optional"`                                    // system prompt
+	Messages    []AIMessage `json:"messages" validate:"required,min=1,dive"`            // 對話訊息
+	Temperature *float64    `json:"temperature,optional"`                               // 溫度
+	MaxTokens   *int        `json:"max_tokens,optional"`                                // 最大輸出 token
+}
+
+type AIMessage struct {
+	Role    string `json:"role" validate:"required,oneof=system user assistant"` // 訊息角色
+	Content string `json:"content" validate:"required"`                          // 訊息內容
+}
+
+type AIProviderModelsData struct {
+	ID      string   `json:"id"`
+	Label   string   `json:"label"`
+	Models  []string `json:"models"`
+	Streams bool     `json:"streams"`
+	Error   string   `json:"error,optional"` // 拉 models 失敗時的摘要
+}
+
+type AIProviderOption struct {
+	ID      string `json:"id"`
+	Label   string `json:"label"`
+	Streams bool   `json:"streams"`
+}
+
+type AIProviderPath struct {
+	Provider string `path:"provider" validate:"required,oneof=opencode-go xai"` // 要查模型的 provider
+}
+
+type AIProvidersData struct {
+	Providers []AIProviderOption `json:"providers"`
+}
+
+type AuthLoginReq struct {
+	TenantID string `json:"tenant_id" validate:"required"`
+	Email    string `json:"email" validate:"required,email"`
+	Password string `json:"password" validate:"required,min=8,max=128"`
+}
+
+type AuthRefreshReq struct {
+	RefreshToken string `json:"refresh_token" validate:"required"`
+}
+
+type AuthRegisterReq struct {
+	TenantID    string `json:"tenant_id" validate:"required"`
+	Email       string `json:"email" validate:"required,email"`
+	Password    string `json:"password" validate:"required,min=8,max=128"`
+	DisplayName string `json:"display_name,optional"`
+	Language    string `json:"language,optional"`
+}
+
+type AuthTokenData struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+	ExpiresIn    int64  `json:"expires_in"`
+	UID          string `json:"uid"`
+	TokenType    string `json:"token_type"`
+}
+
+type CancelJobReq struct {
+	ID     string `path:"id" validate:"required"` // job run id
+	Reason string `json:"reason,optional"`        // cancel reason
+}
+
+type CreateJobReq struct {
+	TemplateType string                 `json:"template_type" validate:"required"`                   // job template type
+	Scope        string                 `json:"scope" validate:"required,oneof=user account system"` // job scope
+	ScopeID      string                 `json:"scope_id" validate:"required"`                        // scope id
+	Payload      map[string]interface{} `json:"payload,optional"`                                    // job payload
+}
+
+type CreateJobScheduleReq struct {
+	TemplateType    string                 `json:"template_type" validate:"required"`                   // template type
+	Scope           string                 `json:"scope" validate:"required,oneof=user account system"` // scope
+	ScopeID         string                 `json:"scope_id" validate:"required"`                        // scope id
+	Cron            string                 `json:"cron" validate:"required"`                            // cron expression
+	Timezone        string                 `json:"timezone,optional"`                                   // timezone
+	PayloadTemplate map[string]interface{} `json:"payload_template,optional"`                           // payload template
+	Enabled         bool                   `json:"enabled"`                                             // enabled flag
+}
+
+type ErrorDetail struct {
+	BizCode  string `json:"biz_code,optional"`
+	Scope    int64  `json:"scope,optional"`
+	Category int64  `json:"category,optional"`
+	Detail   int64  `json:"detail,optional"`
+}
+
+type HealthData struct {
+	Pong string `json:"pong"`
+}
+
+type JobCancelPolicyData struct {
+	Supported    bool   `json:"supported"`
+	Mode         string `json:"mode"`
+	GraceSeconds int    `json:"grace_seconds"`
+}
+
+type JobData struct {
+	ID                string                 `json:"id"`
+	TemplateType      string                 `json:"template_type"`
+	TemplateVersion   int                    `json:"template_version"`
+	Scope             string                 `json:"scope"`
+	ScopeID           string                 `json:"scope_id"`
+	Status            string                 `json:"status"`
+	Phase             string                 `json:"phase"`
+	WorkerType        string                 `json:"worker_type"`
+	Payload           map[string]interface{} `json:"payload"`
+	Progress          JobProgressData        `json:"progress"`
+	Result            map[string]interface{} `json:"result,optional"`
+	Error             string                 `json:"error,optional"`
+	Attempt           int                    `json:"attempt"`
+	MaxAttempts       int                    `json:"max_attempts"`
+	CancelRequestedAt *int64                 `json:"cancel_requested_at,optional"`
+	CancelReason      string                 `json:"cancel_reason,optional"`
+	StartedAt         *int64                 `json:"started_at,optional"`
+	CompletedAt       *int64                 `json:"completed_at,optional"`
+	CreateAt          int64                  `json:"create_at"`
+	UpdateAt          int64                  `json:"update_at"`
+}
+
+type JobEventData struct {
+	ID       string                 `json:"id"`
+	JobID    string                 `json:"job_id"`
+	Type     string                 `json:"type"`
+	From     string                 `json:"from,optional"`
+	To       string                 `json:"to,optional"`
+	Message  string                 `json:"message"`
+	Metadata map[string]interface{} `json:"metadata,optional"`
+	CreateAt int64                  `json:"create_at"`
+}
+
+type JobEventListData struct {
+	List []JobEventData `json:"list"`
+}
+
+type JobIDPath struct {
+	ID string `path:"id" validate:"required"` // job run id
+}
+
+type JobListData struct {
+	Pagination PaginationData `json:"pagination"`
+	List       []JobData      `json:"list"`
+}
+
+type JobProgressData struct {
+	Summary    string                `json:"summary"`
+	Percentage int                   `json:"percentage"`
+	Steps      []JobStepProgressData `json:"steps"`
+}
+
+type JobRetryPolicyData struct {
+	MaxAttempts    int   `json:"max_attempts"`
+	BackoffSeconds []int `json:"backoff_seconds"`
+}
+
+type JobScheduleData struct {
+	ID              string                 `json:"id"`
+	TemplateType    string                 `json:"template_type"`
+	Scope           string                 `json:"scope"`
+	ScopeID         string                 `json:"scope_id"`
+	Enabled         bool                   `json:"enabled"`
+	Cron            string                 `json:"cron"`
+	Timezone        string                 `json:"timezone"`
+	PayloadTemplate map[string]interface{} `json:"payload_template"`
+	LastRunAt       *int64                 `json:"last_run_at,optional"`
+	NextRunAt       int64                  `json:"next_run_at"`
+	CreateAt        int64                  `json:"create_at"`
+	UpdateAt        int64                  `json:"update_at"`
+}
+
+type JobScheduleIDPath struct {
+	ID string `path:"id" validate:"required"` // schedule id
+}
+
+type JobScheduleListData struct {
+	Pagination PaginationData    `json:"pagination"`
+	List       []JobScheduleData `json:"list"`
+}
+
+type JobStepProgressData struct {
+	ID        string `json:"id"`
+	Status    string `json:"status"`
+	StartedAt *int64 `json:"started_at,optional"`
+	EndedAt   *int64 `json:"ended_at,optional"`
+	Message   string `json:"message,optional"`
+}
+
+type JobTemplateData struct {
+	Type              string                `json:"type"`
+	Version           int                   `json:"version"`
+	Name              string                `json:"name"`
+	Description       string                `json:"description"`
+	Enabled           bool                  `json:"enabled"`
+	Repeatable        bool                  `json:"repeatable"`
+	ConcurrencyPolicy string                `json:"concurrency_policy"`
+	DedupeKeys        []string              `json:"dedupe_keys"`
+	TimeoutSeconds    int                   `json:"timeout_seconds"`
+	CancelPolicy      JobCancelPolicyData   `json:"cancel_policy"`
+	RetryPolicy       JobRetryPolicyData    `json:"retry_policy"`
+	Steps             []JobTemplateStepData `json:"steps"`
+}
+
+type JobTemplateListData struct {
+	List []JobTemplateData `json:"list"`
+}
+
+type JobTemplatePath struct {
+	Type string `path:"type" validate:"required"` // template type
+}
+
+type JobTemplateStepData struct {
+	ID             string `json:"id"`
+	Name           string `json:"name"`
+	WorkerType     string `json:"worker_type"`
+	TimeoutSeconds int    `json:"timeout_seconds"`
+	Cancelable     bool   `json:"cancelable"`
+}
+
+type ListJobEventsReq struct {
+	ID    string `path:"id" validate:"required"` // job run id
+	Limit int64  `form:"limit,optional"`         // max events
+}
+
+type ListJobSchedulesReq struct {
+	Scope    string `form:"scope,optional"`    // filter by scope
+	ScopeID  string `form:"scope_id,optional"` // filter by scope id
+	Page     int64  `form:"page,optional"`     // page number starting at 1
+	PageSize int64  `form:"pageSize,optional"` // page size
+}
+
+type ListJobsReq struct {
+	Scope    string `form:"scope,optional"`    // filter by scope
+	ScopeID  string `form:"scope_id,optional"` // filter by scope id
+	Page     int64  `form:"page,optional"`     // page number starting at 1
+	PageSize int64  `form:"pageSize,optional"` // page size
+}
+
+type LogoutData struct {
+	OK bool `json:"ok"`
+}
+
+type MePermissionsData struct {
+	UID         string            `json:"uid"`
+	TenantID    string            `json:"tenant_id"`
+	Roles       []string          `json:"roles"`
+	Permissions map[string]string `json:"permissions"`
+	Tree        []PermissionNode  `json:"tree,omitempty"`
+}
+
+type MePermissionsQuery struct {
+	IncludeTree bool `form:"include_tree,optional"`
+}
+
+type MemberMeData struct {
+	TenantID              string   `json:"tenant_id"`
+	UID                   string   `json:"uid"`
+	Email                 string   `json:"email"`
+	DisplayName           string   `json:"display_name,omitempty"`
+	Avatar                string   `json:"avatar,omitempty"`
+	Phone                 string   `json:"phone,omitempty"`
+	Language              string   `json:"language,omitempty"`
+	Currency              string   `json:"currency,omitempty"`
+	Status                string   `json:"status"`
+	Origin                string   `json:"origin"`
+	Roles                 []string `json:"roles,omitempty"`
+	BusinessEmail         string   `json:"business_email,omitempty"`
+	BusinessEmailVerified bool     `json:"business_email_verified"`
+	BusinessPhone         string   `json:"business_phone,omitempty"`
+	BusinessPhoneVerified bool     `json:"business_phone_verified"`
+	CreateAt              int64    `json:"create_at"`
+	UpdateAt              int64    `json:"update_at"`
+}
+
+type PaginationData struct {
+	Total      int64 `json:"total"`
+	Page       int64 `json:"page"`
+	PageSize   int64 `json:"pageSize"`
+	TotalPages int64 `json:"totalPages"`
+}
+
+type PermissionCatalogData struct {
+	Tree []PermissionNode `json:"tree,omitempty"`
+	List []PermissionNode `json:"list,omitempty"`
+}
+
+type PermissionCatalogQuery struct {
+	Status string `form:"status,optional" validate:"omitempty,oneof=open close"`
+	Type   string `form:"type,optional" validate:"omitempty,oneof=backend_user frontend_user"`
+	Tree   bool   `form:"tree,optional"`
+}
+
+type PermissionNode struct {
+	ID          string           `json:"id"`
+	Parent      string           `json:"parent,omitempty"`
+	Name        string           `json:"name"`
+	HTTPMethods string           `json:"http_methods,omitempty"`
+	HTTPPath    string           `json:"http_path,omitempty"`
+	Status      string           `json:"status"`
+	Type        string           `json:"type"`
+	Children    []PermissionNode `json:"children,omitempty"`
+}
+
+type SettingData struct {
+	ID       string                 `json:"id"`
+	Scope    string                 `json:"scope"`
+	ScopeID  string                 `json:"scope_id"`
+	Key      string                 `json:"key"`
+	Value    map[string]interface{} `json:"value"`
+	Version  int                    `json:"version"`
+	CreateAt int64                  `json:"create_at"`
+	UpdateAt int64                  `json:"update_at"`
+}
+
+type SettingKeyPath struct {
+	Scope   string `path:"scope" validate:"required,oneof=user account system"` // 設定範圍，可選 user / account / system
+	ScopeID string `path:"scope_id" validate:"required"`                        // 範圍 ID，例如 user_id、account_id 或 global
+	Key     string `path:"key" validate:"required"`                             // 設定 key，例如 ai.default
+}
+
+type SettingListData struct {
+	Pagination PaginationData `json:"pagination"`
+	List       []SettingData  `json:"list"`
+}
+
+type SettingPath struct {
+	Scope    string `path:"scope" validate:"required,oneof=user account system"` // 設定範圍，可選 user / account / system
+	ScopeID  string `path:"scope_id" validate:"required"`                        // 範圍 ID，例如 user_id、account_id 或 global
+	Page     int64  `form:"page,optional"`                                       // 頁碼，從 1 開始
+	PageSize int64  `form:"pageSize,optional"`                                   // 每頁筆數，server 會限制最大值
+}
+
+type SettingUpsertReq struct {
+	Scope   string                 `path:"scope" validate:"required,oneof=user account system"` // 設定範圍，可選 user / account / system
+	ScopeID string                 `path:"scope_id" validate:"required"`                        // 範圍 ID，例如 user_id、account_id 或 global
+	Key     string                 `path:"key" validate:"required"`                             // 設定 key，例如 ai.default
+	Value   map[string]interface{} `json:"value" validate:"required"`                           // 設定內容 JSON object
+	Version int                    `json:"version,optional"`                                    // schema version，未帶入時預設 1
+}
+
+type Status struct {
+	Code    int64       `json:"code"`
+	Message string      `json:"message"`
+	Data    interface{} `json:"data,optional"`
+	Error   ErrorDetail `json:"error,optional"`
+}
+
+type UpdateJobScheduleReq struct {
+	ID              string                 `path:"id" validate:"required"`    // schedule id
+	Cron            string                 `json:"cron,optional"`             // cron expression
+	Timezone        string                 `json:"timezone,optional"`         // timezone
+	PayloadTemplate map[string]interface{} `json:"payload_template,optional"` // payload template
+	Enabled         *bool                  `json:"enabled,optional"`          // enabled flag
+}
+
+type UpdateMemberMeReq struct {
+	DisplayName string `json:"display_name,optional"`
+	Avatar      string `json:"avatar,optional"`
+	Language    string `json:"language,optional"`
+	Currency    string `json:"currency,optional"`
+	Phone       string `json:"phone,optional"`
+}
+
+type UpsertJobTemplateReq struct {
+	Type              string                `path:"type" validate:"required"`             // template type
+	Version           int                   `json:"version,optional"`                     // template version
+	Name              string                `json:"name" validate:"required"`             // display name
+	Description       string                `json:"description,optional"`                 // description
+	Enabled           bool                  `json:"enabled"`                              // enabled flag
+	Repeatable        bool                  `json:"repeatable"`                           // repeatable flag
+	ConcurrencyPolicy string                `json:"concurrency_policy,optional"`          // concurrency policy
+	DedupeKeys        []string              `json:"dedupe_keys,optional"`                 // dedupe keys
+	TimeoutSeconds    int                   `json:"timeout_seconds,optional"`             // timeout seconds
+	CancelPolicy      JobCancelPolicyData   `json:"cancel_policy,optional"`               // cancel policy
+	RetryPolicy       JobRetryPolicyData    `json:"retry_policy,optional"`                // retry policy
+	Steps             []JobTemplateStepData `json:"steps" validate:"required,min=1,dive"` // steps
+}
diff --git a/haixun-backend/internal/worker/job/reaper.go b/haixun-backend/internal/worker/job/reaper.go
new file mode 100644
index 0000000..fd3dedf
--- /dev/null
+++ b/haixun-backend/internal/worker/job/reaper.go
@@ -0,0 +1,44 @@
+package job
+
+import (
+	"context"
+	"log"
+	"time"
+
+	domusecase "haixun-backend/internal/model/job/domain/usecase"
+)
+
+type Reaper struct {
+	jobs domusecase.UseCase
+}
+
+func NewReaper(jobs domusecase.UseCase) *Reaper {
+	return &Reaper{jobs: jobs}
+}
+
+func (r *Reaper) Start(ctx context.Context, interval time.Duration) {
+	if interval <= 0 {
+		interval = 30 * time.Second
+	}
+	log.Printf("job reaper started: interval=%s", interval)
+	ticker := time.NewTicker(interval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			log.Printf("job reaper stopped")
+			return
+		case <-ticker.C:
+			result, err := r.jobs.RunMaintenance(ctx)
+			if err != nil {
+				log.Printf("job reaper error: %v", err)
+				continue
+			}
+			if result.EnqueuedPending > 0 || result.ReapedCancelGrace > 0 || result.ReapedExpiredLocks > 0 {
+				log.Printf("job reaper: enqueued=%d cancel_grace=%d expired=%d",
+					result.EnqueuedPending, result.ReapedCancelGrace, result.ReapedExpiredLocks)
+			}
+		}
+	}
+}
diff --git a/haixun-backend/internal/worker/job/runner.go b/haixun-backend/internal/worker/job/runner.go
new file mode 100644
index 0000000..467103d
--- /dev/null
+++ b/haixun-backend/internal/worker/job/runner.go
@@ -0,0 +1,221 @@
+package job
+
+import (
+	"context"
+	"errors"
+	"log"
+	"time"
+
+	"haixun-backend/internal/library/clock"
+	"haixun-backend/internal/model/job/domain/entity"
+	"haixun-backend/internal/model/job/domain/enum"
+	domusecase "haixun-backend/internal/model/job/domain/usecase"
+	"haixun-backend/internal/model/job/resume"
+)
+
+type Runner struct {
+	workerID   string
+	workerType string
+	jobs       domusecase.UseCase
+	handlers   map[string]StepHandler
+}
+
+type StepContext struct {
+	JobID     string
+	WorkerID  string
+	Run       *entity.Run
+	Template  *entity.Template
+	Step      entity.TemplateStep
+	Heartbeat func(ctx context.Context) error
+}
+
+type StepHandler func(ctx context.Context, step StepContext) error
+
+func NewRunner(workerID, workerType string, jobs domusecase.UseCase) *Runner {
+	return &Runner{
+		workerID:   workerID,
+		workerType: workerType,
+		jobs:       jobs,
+		handlers:   map[string]StepHandler{},
+	}
+}
+
+func (r *Runner) RegisterStepHandler(stepID string, handler StepHandler) {
+	if stepID == "" || handler == nil {
+		return
+	}
+	r.handlers[stepID] = handler
+}
+
+func (r *Runner) Start(ctx context.Context) {
+	log.Printf("job worker started: id=%s type=%s", r.workerID, r.workerType)
+	for {
+		select {
+		case <-ctx.Done():
+			log.Printf("job worker stopped: id=%s", r.workerID)
+			return
+		default:
+			run, err := r.jobs.ClaimNext(ctx, domusecase.ClaimNextRequest{
+				WorkerType: r.workerType,
+				WorkerID:   r.workerID,
+			})
+			if err != nil {
+				log.Printf("job worker claim error: %v", err)
+				time.Sleep(time.Second)
+				continue
+			}
+			if run == nil {
+				continue
+			}
+			r.execute(ctx, run)
+		}
+	}
+}
+
+func (r *Runner) execute(ctx context.Context, run *entity.Run) {
+	jobID := run.ID.Hex()
+	template, err := r.jobs.GetTemplate(ctx, run.TemplateType)
+	if err != nil {
+		_, _ = r.jobs.FailRun(ctx, domusecase.FailRunRequest{JobID: jobID, WorkerID: r.workerID, Error: err.Error()})
+		return
+	}
+
+	steps := make([]entity.StepProgress, len(run.Progress.Steps))
+	copy(steps, run.Progress.Steps)
+	totalSteps := len(template.Steps)
+	if totalSteps == 0 {
+		totalSteps = 1
+	}
+	completedBefore := resume.CountSucceededSteps(steps)
+
+	for _, step := range template.Steps {
+		existing := resume.StepProgressByID(steps, step.ID)
+		if existing != nil && resume.ShouldSkipStep(existing.Status) {
+			continue
+		}
+
+		if cancelled, _ := r.jobs.IsCancelRequested(ctx, jobID); cancelled {
+			_, _ = r.jobs.AcknowledgeCancel(ctx, domusecase.AcknowledgeCancelRequest{
+				JobID:    jobID,
+				WorkerID: r.workerID,
+			})
+			return
+		}
+
+		now := clock.NowUnixNano()
+		for i := range steps {
+			if steps[i].ID == step.ID {
+				steps[i].Status = enum.StepStatusRunning
+				steps[i].StartedAt = &now
+				steps[i].Message = "running"
+			}
+		}
+		percentage := (completedBefore * 100) / totalSteps
+		_, _ = r.jobs.UpdateProgress(ctx, domusecase.UpdateProgressRequest{
+			JobID:      jobID,
+			WorkerID:   r.workerID,
+			Phase:      step.ID,
+			Summary:    "running step " + step.ID,
+			Percentage: percentage,
+			Steps:      steps,
+		})
+
+		if err := r.runStep(ctx, run, template, step); err != nil {
+			if err == errJobCancelled {
+				_, _ = r.jobs.AcknowledgeCancel(ctx, domusecase.AcknowledgeCancelRequest{
+					JobID:    jobID,
+					WorkerID: r.workerID,
+				})
+				return
+			}
+			for i := range steps {
+				if steps[i].ID == step.ID {
+					steps[i].Status = enum.StepStatusFailed
+					ended := clock.NowUnixNano()
+					steps[i].EndedAt = &ended
+					steps[i].Message = err.Error()
+				}
+			}
+			_, _ = r.jobs.UpdateProgress(ctx, domusecase.UpdateProgressRequest{
+				JobID: jobID, WorkerID: r.workerID, Phase: step.ID, Summary: "step failed", Steps: steps,
+			})
+			_, _ = r.jobs.FailRun(ctx, domusecase.FailRunRequest{
+				JobID: jobID, WorkerID: r.workerID, Error: err.Error(), Phase: step.ID,
+			})
+			return
+		}
+
+		ended := clock.NowUnixNano()
+		for i := range steps {
+			if steps[i].ID == step.ID {
+				steps[i].Status = enum.StepStatusSucceeded
+				steps[i].EndedAt = &ended
+				steps[i].Message = "done"
+			}
+		}
+		completedBefore++
+		percentage = (completedBefore * 100) / totalSteps
+		_, _ = r.jobs.UpdateProgress(ctx, domusecase.UpdateProgressRequest{
+			JobID:      jobID,
+			WorkerID:   r.workerID,
+			Phase:      step.ID,
+			Summary:    "completed step " + step.ID,
+			Percentage: percentage,
+			Steps:      steps,
+		})
+	}
+
+	_, _ = r.jobs.CompleteRun(ctx, domusecase.CompleteRunRequest{
+		JobID:    jobID,
+		WorkerID: r.workerID,
+		Result: map[string]any{
+			"message": "demo long task completed",
+			"steps":   len(template.Steps),
+		},
+	})
+}
+
+var errJobCancelled = errors.New("job cancelled")
+
+func (r *Runner) runStep(ctx context.Context, run *entity.Run, template *entity.Template, step entity.TemplateStep) error {
+	jobID := run.ID.Hex()
+	if handler := r.handlers[step.ID]; handler != nil {
+		return handler(ctx, StepContext{
+			JobID:    jobID,
+			WorkerID: r.workerID,
+			Run:      run,
+			Template: template,
+			Step:     step,
+			Heartbeat: func(ctx context.Context) error {
+				return r.jobs.RefreshRunLock(ctx, jobID, r.workerID, 300)
+			},
+		})
+	}
+	ticks := 10
+	sleepEach := 500 * time.Millisecond
+	if step.ID == "execute" {
+		ticks = 20
+	}
+
+	for i := 0; i < ticks; i++ {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+		}
+
+		if err := r.jobs.RefreshRunLock(ctx, jobID, r.workerID, 300); err != nil {
+			return err
+		}
+		cancelled, err := r.jobs.IsCancelRequested(ctx, jobID)
+		if err != nil {
+			return err
+		}
+		if cancelled {
+			return errJobCancelled
+		}
+
+		time.Sleep(sleepEach)
+	}
+	return nil
+}
diff --git a/haixun-backend/internal/worker/job/runner_test.go b/haixun-backend/internal/worker/job/runner_test.go
new file mode 100644
index 0000000..06526c9
--- /dev/null
+++ b/haixun-backend/internal/worker/job/runner_test.go
@@ -0,0 +1,52 @@
+package job
+
+import (
+	"context"
+	"testing"
+
+	"haixun-backend/internal/model/job/domain/entity"
+	"haixun-backend/internal/model/job/domain/enum"
+	domusecase "haixun-backend/internal/model/job/domain/usecase"
+	"haixun-backend/internal/model/job/resume"
+
+	"go.mongodb.org/mongo-driver/bson/primitive"
+)
+
+type stubJobUseCase struct {
+	domusecase.UseCase
+	template *entity.Template
+}
+
+func (s *stubJobUseCase) GetTemplate(context.Context, string) (*entity.Template, error) {
+	return s.template, nil
+}
+
+func TestRunner_SkipsSucceededSteps(t *testing.T) {
+	steps := []entity.StepProgress{
+		{ID: "prepare", Status: enum.StepStatusSucceeded},
+		{ID: "execute", Status: enum.StepStatusPending},
+		{ID: "finalize", Status: enum.StepStatusPending},
+	}
+	template := &entity.Template{
+		Type: "demo",
+		Steps: []entity.TemplateStep{
+			{ID: "prepare", WorkerType: "go"},
+			{ID: "execute", WorkerType: "go"},
+			{ID: "finalize", WorkerType: "go"},
+		},
+	}
+
+	ran := make([]string, 0, 3)
+	for _, step := range template.Steps {
+		existing := resume.StepProgressByID(steps, step.ID)
+		if existing != nil && resume.ShouldSkipStep(existing.Status) {
+			continue
+		}
+		ran = append(ran, step.ID)
+	}
+
+	if len(ran) != 2 || ran[0] != "execute" || ran[1] != "finalize" {
+		t.Fatalf("ran = %v, want [execute finalize]", ran)
+	}
+	_ = primitive.NewObjectID()
+}
diff --git a/haixun-backend/internal/worker/job/scheduler.go b/haixun-backend/internal/worker/job/scheduler.go
new file mode 100644
index 0000000..a6479ce
--- /dev/null
+++ b/haixun-backend/internal/worker/job/scheduler.go
@@ -0,0 +1,44 @@
+package job
+
+import (
+	"context"
+	"log"
+	"time"
+
+	domusecase "haixun-backend/internal/model/job/domain/usecase"
+)
+
+type Scheduler struct {
+	holder string
+	jobs   domusecase.UseCase
+}
+
+func NewScheduler(holder string, jobs domusecase.UseCase) *Scheduler {
+	return &Scheduler{holder: holder, jobs: jobs}
+}
+
+func (s *Scheduler) Start(ctx context.Context, interval time.Duration) {
+	if interval <= 0 {
+		interval = time.Minute
+	}
+	log.Printf("job scheduler started: holder=%s interval=%s", s.holder, interval)
+	ticker := time.NewTicker(interval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			log.Printf("job scheduler stopped: holder=%s", s.holder)
+			return
+		case <-ticker.C:
+			created, err := s.jobs.RunSchedulerTick(ctx, s.holder)
+			if err != nil {
+				log.Printf("job scheduler tick error: %v", err)
+				continue
+			}
+			if created > 0 {
+				log.Printf("job scheduler created %d run(s)", created)
+			}
+		}
+	}
+}
diff --git a/haixun-backend/scripts/debug-opencode-raw.sh b/haixun-backend/scripts/debug-opencode-raw.sh
new file mode 100755
index 0000000..b92e53c
--- /dev/null
+++ b/haixun-backend/scripts/debug-opencode-raw.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+# 直接對比 OpenCode upstream 與本機 gateway 的原始 JSON/SSE，方便排查空回應
+#
+# 用法:
+#   OPENCODE_TOKEN=sk-xxx ./scripts/debug-opencode-raw.sh
+
+set -u
+
+BASE_URL="${BASE_URL:-http://127.0.0.1:8890}"
+OPENCODE_TOKEN="${OPENCODE_TOKEN:-}"
+MODEL="${MODEL:-deepseek-v4-flash}"
+MESSAGE="${MESSAGE:-Introduce yourself in one sentence.}"
+
+if [[ -z "$OPENCODE_TOKEN" ]]; then
+  echo "OPENCODE_TOKEN is required"
+  exit 1
+fi
+
+require_cmd() {
+  command -v "$1" >/dev/null 2>&1 || { echo "missing command: $1"; exit 1; }
+}
+
+require_cmd curl
+require_cmd jq
+
+payload="$(jq -n \
+  --arg model "$MODEL" \
+  --arg message "$MESSAGE" \
+  '{
+    model: $model,
+    messages: [{role: "user", content: $message}],
+    max_tokens: 2048,
+    thinking: {type: "disabled"}
+  }')"
+
+echo "=== OpenCode upstream (non-stream) ==="
+curl -sS -m 120 -X POST "https://opencode.ai/zen/go/v1/chat/completions" \
+  -H "Authorization: Bearer ${OPENCODE_TOKEN}" \
+  -H "Content-Type: application/json" \
+  -d "$payload" | jq .
+
+echo ""
+echo "=== Local gateway (non-stream) ==="
+curl -sS -m 120 -X POST "${BASE_URL}/api/v1/ai/chat" \
+  -H "Authorization: Bearer ${OPENCODE_TOKEN}" \
+  -H "Content-Type: application/json" \
+  -d "$(jq -n \
+    --arg provider "opencode-go" \
+    --arg model "$MODEL" \
+    --arg message "$MESSAGE" \
+    '{provider:$provider,model:$model,messages:[{role:"user",content:$message}],max_tokens:2048}')" | jq .
+
+echo ""
+echo "=== OpenCode upstream (stream, first 20 lines) ==="
+curl -sS -N -m 120 -X POST "https://opencode.ai/zen/go/v1/chat/completions" \
+  -H "Authorization: Bearer ${OPENCODE_TOKEN}" \
+  -H "Content-Type: application/json" \
+  -H "Accept: text/event-stream" \
+  -d "$(echo "$payload" | jq '.stream=true')" | head -n 20
+
+echo ""
+echo "=== Local gateway (stream, first 20 lines) ==="
+curl -sS -N -m 120 -X POST "${BASE_URL}/api/v1/ai/chat/stream" \
+  -H "Authorization: Bearer ${OPENCODE_TOKEN}" \
+  -H "Content-Type: application/json" \
+  -H "Accept: text/event-stream" \
+  -d "$(jq -n \
+    --arg provider "opencode-go" \
+    --arg model "$MODEL" \
+    --arg message "$MESSAGE" \
+    '{provider:$provider,model:$model,messages:[{role:"user",content:$message}],max_tokens:2048}')" | head -n 20
\ No newline at end of file
diff --git a/haixun-backend/scripts/test-job-cancel.sh b/haixun-backend/scripts/test-job-cancel.sh
new file mode 100755
index 0000000..abdad27
--- /dev/null
+++ b/haixun-backend/scripts/test-job-cancel.sh
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+# 示範 job 建立與取消：running 時會透過 Redis jobs:cancel:<id> 戳 worker
+#
+# 用法:
+#   ./scripts/test-job-cancel.sh
+
+set -u
+
+BASE_URL="${BASE_URL:-http://127.0.0.1:8890}"
+SCOPE="${SCOPE:-user}"
+SCOPE_ID="${SCOPE_ID:-demo_user_1}"
+
+require_cmd() {
+  command -v "$1" >/dev/null 2>&1 || { echo "missing command: $1"; exit 1; }
+}
+
+require_cmd curl
+require_cmd jq
+
+echo "== create demo_long_task =="
+CREATE_BODY="$(curl -sS -X POST "${BASE_URL}/api/v1/jobs" \
+  -H "Content-Type: application/json" \
+  -d "$(jq -n --arg scope "$SCOPE" --arg scope_id "$SCOPE_ID" '{
+    template_type: "demo_long_task",
+    scope: $scope,
+    scope_id: $scope_id,
+    payload: {target: "demo"}
+  }')")"
+
+echo "$CREATE_BODY" | jq .
+JOB_ID="$(echo "$CREATE_BODY" | jq -r '.data.id // empty')"
+if [[ -z "$JOB_ID" ]]; then
+  echo "failed to create job"
+  exit 1
+fi
+
+echo ""
+echo "== wait until running (max 10s) =="
+for _ in $(seq 1 20); do
+  STATUS="$(curl -sS "${BASE_URL}/api/v1/jobs/${JOB_ID}" | jq -r '.data.status')"
+  echo "status: $STATUS"
+  if [[ "$STATUS" == "running" || "$STATUS" == "cancel_requested" ]]; then
+    break
+  fi
+  if [[ "$STATUS" == "succeeded" || "$STATUS" == "cancelled" ]]; then
+    echo "job finished before cancel test: $STATUS"
+    exit 0
+  fi
+  sleep 0.5
+done
+
+echo ""
+echo "== cancel while worker is active =="
+CANCEL_BODY="$(curl -sS -X POST "${BASE_URL}/api/v1/jobs/${JOB_ID}/cancel" \
+  -H "Content-Type: application/json" \
+  -d '{"reason":"demo cancel from script"}')"
+echo "$CANCEL_BODY" | jq .
+
+echo ""
+echo "== poll until cancelled (max 20s) =="
+for _ in $(seq 1 40); do
+  BODY="$(curl -sS "${BASE_URL}/api/v1/jobs/${JOB_ID}")"
+  STATUS="$(echo "$BODY" | jq -r '.data.status')"
+  PHASE="$(echo "$BODY" | jq -r '.data.phase')"
+  SUMMARY="$(echo "$BODY" | jq -r '.data.progress.summary')"
+  echo "status=$STATUS phase=$PHASE summary=$SUMMARY"
+  if [[ "$STATUS" == "cancelled" ]]; then
+    echo ""
+    echo "ok: worker acknowledged cancel"
+    exit 0
+  fi
+  sleep 0.5
+done
+
+echo "timeout waiting for cancelled status"
+exit 1
\ No newline at end of file
diff --git a/haixun-backend/scripts/test-job-concurrency.sh b/haixun-backend/scripts/test-job-concurrency.sh
new file mode 100755
index 0000000..02dd3db
--- /dev/null
+++ b/haixun-backend/scripts/test-job-concurrency.sh
@@ -0,0 +1,87 @@
+#!/usr/bin/env bash
+# Verify scheme B: same scope_id+target blocks concurrent runs; different targets allow parallel.
+#
+# Usage:
+#   ./scripts/test-job-concurrency.sh
+
+set -u
+
+BASE_URL="${BASE_URL:-http://127.0.0.1:8890}"
+SCOPE="${SCOPE:-user}"
+SCOPE_ID="${SCOPE_ID:-concurrency_demo_user}"
+TEMPLATE_TYPE="${TEMPLATE_TYPE:-demo_long_task}"
+TARGET_A="${TARGET_A:-building_A}"
+TARGET_B="${TARGET_B:-building_B}"
+
+require_cmd() {
+  command -v "$1" >/dev/null 2>&1 || { echo "missing command: $1"; exit 1; }
+}
+
+require_cmd curl
+require_cmd jq
+
+create_job() {
+  local target="$1"
+  curl -sS -X POST "${BASE_URL}/api/v1/jobs" \
+    -H "Content-Type: application/json" \
+    -d "$(jq -n --arg scope "$SCOPE" --arg scope_id "$SCOPE_ID" --arg template "$TEMPLATE_TYPE" --arg target "$target" '{
+      template_type: $template,
+      scope: $scope,
+      scope_id: $scope_id,
+      payload: {target: $target}
+    }')"
+}
+
+echo "== configure template for scheme B =="
+PUT_BODY="$(curl -sS -X PUT "${BASE_URL}/api/v1/job/templates/${TEMPLATE_TYPE}" \
+  -H "Content-Type: application/json" \
+  -d "$(jq -n '{
+    name: "Demo Long Task",
+    enabled: true,
+    repeatable: true,
+    concurrency_policy: "allow_parallel",
+    dedupe_keys: ["scope_id", "target"],
+    timeout_seconds: 600,
+    cancel_policy: {supported: true, mode: "cooperative", grace_seconds: 30},
+    retry_policy: {max_attempts: 2, backoff_seconds: [30, 120]},
+    steps: [
+      {id: "prepare", name: "Prepare", worker_type: "go", timeout_seconds: 60, cancelable: true},
+      {id: "execute", name: "Execute", worker_type: "go", timeout_seconds: 300, cancelable: true},
+      {id: "finalize", name: "Finalize", worker_type: "go", timeout_seconds: 30, cancelable: false}
+    ]
+  }')")"
+echo "$PUT_BODY" | jq .
+if [[ "$(echo "$PUT_BODY" | jq -r '.code')" != "102000" ]]; then
+  echo "failed to upsert template"
+  exit 1
+fi
+
+echo ""
+echo "== same target: first create should succeed =="
+FIRST="$(create_job "$TARGET_A")"
+echo "$FIRST" | jq .
+if [[ "$(echo "$FIRST" | jq -r '.code')" != "102000" ]]; then
+  echo "first create failed"
+  exit 1
+fi
+
+echo ""
+echo "== same target: second create should fail while first is active =="
+SECOND="$(create_job "$TARGET_A")"
+echo "$SECOND" | jq .
+if [[ "$(echo "$SECOND" | jq -r '.code')" == "102000" ]]; then
+  echo "expected duplicate create to fail"
+  exit 1
+fi
+
+echo ""
+echo "== different target: should succeed in parallel =="
+THIRD="$(create_job "$TARGET_B")"
+echo "$THIRD" | jq .
+if [[ "$(echo "$THIRD" | jq -r '.code')" != "102000" ]]; then
+  echo "different target create failed"
+  exit 1
+fi
+
+echo ""
+echo "ok: scheme B concurrency behaves as expected"
\ No newline at end of file
diff --git a/haixun-backend/web/.gitignore b/haixun-backend/web/.gitignore
new file mode 100644
index 0000000..e9b06f0
--- /dev/null
+++ b/haixun-backend/web/.gitignore
@@ -0,0 +1,4 @@
+node_modules
+dist
+.DS_Store
+*.local
\ No newline at end of file
diff --git a/haixun-backend/web/index.html b/haixun-backend/web/index.html
new file mode 100644
index 0000000..02ed6e4
--- /dev/null
+++ b/haixun-backend/web/index.html
@@ -0,0 +1,25 @@
+<!doctype html>
+<html lang="zh-Hant">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>海巡 · 巡樓管理</title>
+    <script>
+      (function () {
+        var t = localStorage.getItem('haixun.theme')
+        var dark = t === 'dark' || (!t && window.matchMedia('(prefers-color-scheme: dark)').matches)
+        document.documentElement.setAttribute('data-theme', dark ? 'dark' : 'light')
+      })()
+    </script>
+    <link rel="preconnect" href="https://fonts.googleapis.com" />
+    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
+    <link
+      href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700;800&display=swap"
+      rel="stylesheet"
+    />
+  </head>
+  <body>
+    <div id="root"></div>
+    <script type="module" src="/src/main.tsx"></script>
+  </body>
+</html>
\ No newline at end of file
diff --git a/haixun-backend/web/package-lock.json b/haixun-backend/web/package-lock.json
new file mode 100644
index 0000000..4bb8ace
--- /dev/null
+++ b/haixun-backend/web/package-lock.json
@@ -0,0 +1,2558 @@
+{
+  "name": "haixun-web",
+  "version": "0.1.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "haixun-web",
+      "version": "0.1.0",
+      "dependencies": {
+        "react": "^19.1.0",
+        "react-dom": "^19.1.0",
+        "react-router-dom": "^7.6.2",
+        "taipei-sans-tc": "^0.1.1"
+      },
+      "devDependencies": {
+        "@tailwindcss/vite": "^4.1.8",
+        "@types/react": "^19.1.6",
+        "@types/react-dom": "^19.1.5",
+        "@vitejs/plugin-react": "^4.5.2",
+        "tailwindcss": "^4.1.8",
+        "typescript": "^5.8.3",
+        "vite": "^6.3.5"
+      }
+    },
+    "node_modules/@babel/code-frame": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.7.tgz",
+      "integrity": "sha512-Aup7aUOfpbAUg2ROOJN6Iw5f9DMBlzu0mIkm/malLQFN/YQgO48wCj0Kxa3sEHJvPVFg7siR+qRInwXd2qhQKw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/helper-validator-identifier": "^7.29.7",
+        "js-tokens": "^4.0.0",
+        "picocolors": "^1.1.1"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/compat-data": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.29.7.tgz",
+      "integrity": "sha512-locTkQyKvwIEgBzVrn8693ebc97F2U8ZHjbXwDXJ5Fn2TCpNwTlKcaKLkdHop5c/icOFE7qt7Q9JC5hnKNa6Gg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/core": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.29.7.tgz",
+      "integrity": "sha512-RgHBCvtjbOK2gXSNBNIkNoEc9qoVEtau3hj8gEqKQuL3HZAibKarWFEI3Lfm6EYKkLalOh8eSrj9b+ch9H/VBA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/code-frame": "^7.29.7",
+        "@babel/generator": "^7.29.7",
+        "@babel/helper-compilation-targets": "^7.29.7",
+        "@babel/helper-module-transforms": "^7.29.7",
+        "@babel/helpers": "^7.29.7",
+        "@babel/parser": "^7.29.7",
+        "@babel/template": "^7.29.7",
+        "@babel/traverse": "^7.29.7",
+        "@babel/types": "^7.29.7",
+        "@jridgewell/remapping": "^2.3.5",
+        "convert-source-map": "^2.0.0",
+        "debug": "^4.1.0",
+        "gensync": "^1.0.0-beta.2",
+        "json5": "^2.2.3",
+        "semver": "^6.3.1"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/babel"
+      }
+    },
+    "node_modules/@babel/generator": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.7.tgz",
+      "integrity": "sha512-DkXD5OJQaAQIdZ1bt3UZdEnHAn9Imd3IVBdX03UFe+ony9Ojw5pzr9YVKGDY1jt+Gcn/FnGkNf8r+Vj5NOJWtQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/parser": "^7.29.7",
+        "@babel/types": "^7.29.7",
+        "@jridgewell/gen-mapping": "^0.3.12",
+        "@jridgewell/trace-mapping": "^0.3.28",
+        "jsesc": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-compilation-targets": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.29.7.tgz",
+      "integrity": "sha512-wem6WaBj4NaVYVdNhLPPVacES6ZJ+KBBfSkTMD3YZxbP3rm3Di85tJU5ljaUNhaOynt+Aj0xruhYuzQBt8n71g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/compat-data": "^7.29.7",
+        "@babel/helper-validator-option": "^7.29.7",
+        "browserslist": "^4.24.0",
+        "lru-cache": "^5.1.1",
+        "semver": "^6.3.1"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-globals": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.29.7.tgz",
+      "integrity": "sha512-3nQVUAtvkKH9zahfWgw96Jc/uFOmjACE1kQz82E2lqWmHBgjzbNlsC22nuQTfahmWeQtTq5nQ/4Nnd2A1wj4zA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-module-imports": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.29.7.tgz",
+      "integrity": "sha512-ejHwrQQYcm9xnTivShn2IDOlIzInN34AXskvq9QicvCtEzq1Vzclu/tKF8Jq1Cg8JG2GL6/EmjgsCT7lXepE3g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/traverse": "^7.29.7",
+        "@babel/types": "^7.29.7"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-module-transforms": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.29.7.tgz",
+      "integrity": "sha512-UPUVSyXbOh627KiCIGQSgwWzGeBKLkaJ9PJEdrngIwMSzxLR4jS4+f1f1jb7VzBbg8nFLaYotvVPFCTqdrmTAg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/helper-module-imports": "^7.29.7",
+        "@babel/helper-validator-identifier": "^7.29.7",
+        "@babel/traverse": "^7.29.7"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0"
+      }
+    },
+    "node_modules/@babel/helper-plugin-utils": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.29.7.tgz",
+      "integrity": "sha512-G7sHYigPY17oO5SYWnfD/0MTBwVR781S/JI643e/JhUYgVgWE/61SoW3NH9KWUKyKq5LVh3npif99Wkt6j86Jw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-string-parser": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.29.7.tgz",
+      "integrity": "sha512-Pb5ijPrZ89GDH8223L4UP8i6QApWxs04RbPQJTeWDV0/keR2E36MeKnyr6LYmUUvqRRI+Iv87SuF1W6ErINzYw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-validator-identifier": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.29.7.tgz",
+      "integrity": "sha512-qehxGkRj55h/ff8EMaJ+cYhyaKlHIxqYDn682wQD7RNp9UujOQsHog2uS0r2vzr4pW+sXf90NeeayjcNaX3fFg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-validator-option": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.29.7.tgz",
+      "integrity": "sha512-N9ZErrD+yW5geCDtBqnOoxmR8+tNKiGuxKlDpuJxfsqpa2dFcexaziGAE/qoHLiDDreVNMupxGmSoNlyvsA3gw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helpers": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.29.7.tgz",
+      "integrity": "sha512-1k2lAGRMfHTcwuNYcCNUmaUffmQv8KWMfh2iJUUeRlwlwH4FdNG7mfPI10NPfLHJFThE4Tyr4mv7kTNZOiPuBg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/template": "^7.29.7",
+        "@babel/types": "^7.29.7"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/parser": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.7.tgz",
+      "integrity": "sha512-hnORnjP/1P/zFEndoeX+n+t1RwWRJiJpM/jO7FW32Kn9r5+sJB2JWOdYo4L6k78j15eCwY3Gm/7364B1EMwtNg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/types": "^7.29.7"
+      },
+      "bin": {
+        "parser": "bin/babel-parser.js"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/@babel/plugin-transform-react-jsx-self": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-react-jsx-self/-/plugin-transform-react-jsx-self-7.29.7.tgz",
+      "integrity": "sha512-TL0hMc9xzy86VD31nUiwzd5otRAcyEPcsegCxolO0PvcXuH1v0kECe/UIznYFihpkvU5wg/jk4v0TTEFfm53fw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.29.7"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/plugin-transform-react-jsx-source": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-react-jsx-source/-/plugin-transform-react-jsx-source-7.29.7.tgz",
+      "integrity": "sha512-06IyK09H3wi4cGbhDBwp5gUGo0IKtnYa8tyTiephirPCK6fbobVGiXMMI5zLQ4aKEYP3wZ3ArU44o+8KMrSG/Q==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.29.7"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/template": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.29.7.tgz",
+      "integrity": "sha512-puq+Gf35oI24FeN11LkoUQFqv9uwNeWpxXZi/Ji3rRIoKAzKnxRaZ+Gkj0vKS9ZCiTESfng1N9LyOyXvo+m+Gg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/code-frame": "^7.29.7",
+        "@babel/parser": "^7.29.7",
+        "@babel/types": "^7.29.7"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/traverse": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.7.tgz",
+      "integrity": "sha512-EhlfNQtZ+NK22w5BM61ciuiq1m58ed33Wr1Xan//ZRTy6hgjnwyCffRYwzsGXdASJSUJ1guZILsErh1eQcl+zw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/code-frame": "^7.29.7",
+        "@babel/generator": "^7.29.7",
+        "@babel/helper-globals": "^7.29.7",
+        "@babel/parser": "^7.29.7",
+        "@babel/template": "^7.29.7",
+        "@babel/types": "^7.29.7",
+        "debug": "^4.3.1"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/types": {
+      "version": "7.29.7",
+      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.7.tgz",
+      "integrity": "sha512-4zBIxpPzowiZpusoFkyGVwakdRJUyuH5PxQ/PrqghfdFWWasvnCdPfQXHrenDai+gyLARulZjZowCOj6fjT4pA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/helper-string-parser": "^7.29.7",
+        "@babel/helper-validator-identifier": "^7.29.7"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@esbuild/aix-ppc64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.25.12.tgz",
+      "integrity": "sha512-Hhmwd6CInZ3dwpuGTF8fJG6yoWmsToE+vYgD4nytZVxcu1ulHpUQRAB1UJ8+N1Am3Mz4+xOByoQoSZf4D+CpkA==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "aix"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/android-arm": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.25.12.tgz",
+      "integrity": "sha512-VJ+sKvNA/GE7Ccacc9Cha7bpS8nyzVv0jdVgwNDaR4gDMC/2TTRc33Ip8qrNYUcpkOHUT5OZ0bUcNNVZQ9RLlg==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/android-arm64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.25.12.tgz",
+      "integrity": "sha512-6AAmLG7zwD1Z159jCKPvAxZd4y/VTO0VkprYy+3N2FtJ8+BQWFXU+OxARIwA46c5tdD9SsKGZ/1ocqBS/gAKHg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/android-x64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.25.12.tgz",
+      "integrity": "sha512-5jbb+2hhDHx5phYR2By8GTWEzn6I9UqR11Kwf22iKbNpYrsmRB18aX/9ivc5cabcUiAT/wM+YIZ6SG9QO6a8kg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/darwin-arm64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.25.12.tgz",
+      "integrity": "sha512-N3zl+lxHCifgIlcMUP5016ESkeQjLj/959RxxNYIthIg+CQHInujFuXeWbWMgnTo4cp5XVHqFPmpyu9J65C1Yg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/darwin-x64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.25.12.tgz",
+      "integrity": "sha512-HQ9ka4Kx21qHXwtlTUVbKJOAnmG1ipXhdWTmNXiPzPfWKpXqASVcWdnf2bnL73wgjNrFXAa3yYvBSd9pzfEIpA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/freebsd-arm64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.25.12.tgz",
+      "integrity": "sha512-gA0Bx759+7Jve03K1S0vkOu5Lg/85dou3EseOGUes8flVOGxbhDDh/iZaoek11Y8mtyKPGF3vP8XhnkDEAmzeg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/freebsd-x64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.25.12.tgz",
+      "integrity": "sha512-TGbO26Yw2xsHzxtbVFGEXBFH0FRAP7gtcPE7P5yP7wGy7cXK2oO7RyOhL5NLiqTlBh47XhmIUXuGciXEqYFfBQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-arm": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.25.12.tgz",
+      "integrity": "sha512-lPDGyC1JPDou8kGcywY0YILzWlhhnRjdof3UlcoqYmS9El818LLfJJc3PXXgZHrHCAKs/Z2SeZtDJr5MrkxtOw==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-arm64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.25.12.tgz",
+      "integrity": "sha512-8bwX7a8FghIgrupcxb4aUmYDLp8pX06rGh5HqDT7bB+8Rdells6mHvrFHHW2JAOPZUbnjUpKTLg6ECyzvas2AQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-ia32": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.25.12.tgz",
+      "integrity": "sha512-0y9KrdVnbMM2/vG8KfU0byhUN+EFCny9+8g202gYqSSVMonbsCfLjUO+rCci7pM0WBEtz+oK/PIwHkzxkyharA==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-loong64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.25.12.tgz",
+      "integrity": "sha512-h///Lr5a9rib/v1GGqXVGzjL4TMvVTv+s1DPoxQdz7l/AYv6LDSxdIwzxkrPW438oUXiDtwM10o9PmwS/6Z0Ng==",
+      "cpu": [
+        "loong64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-mips64el": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.25.12.tgz",
+      "integrity": "sha512-iyRrM1Pzy9GFMDLsXn1iHUm18nhKnNMWscjmp4+hpafcZjrr2WbT//d20xaGljXDBYHqRcl8HnxbX6uaA/eGVw==",
+      "cpu": [
+        "mips64el"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-ppc64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.25.12.tgz",
+      "integrity": "sha512-9meM/lRXxMi5PSUqEXRCtVjEZBGwB7P/D4yT8UG/mwIdze2aV4Vo6U5gD3+RsoHXKkHCfSxZKzmDssVlRj1QQA==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-riscv64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.25.12.tgz",
+      "integrity": "sha512-Zr7KR4hgKUpWAwb1f3o5ygT04MzqVrGEGXGLnj15YQDJErYu/BGg+wmFlIDOdJp0PmB0lLvxFIOXZgFRrdjR0w==",
+      "cpu": [
+        "riscv64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-s390x": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.25.12.tgz",
+      "integrity": "sha512-MsKncOcgTNvdtiISc/jZs/Zf8d0cl/t3gYWX8J9ubBnVOwlk65UIEEvgBORTiljloIWnBzLs4qhzPkJcitIzIg==",
+      "cpu": [
+        "s390x"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-x64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.25.12.tgz",
+      "integrity": "sha512-uqZMTLr/zR/ed4jIGnwSLkaHmPjOjJvnm6TVVitAa08SLS9Z0VM8wIRx7gWbJB5/J54YuIMInDquWyYvQLZkgw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/netbsd-arm64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.25.12.tgz",
+      "integrity": "sha512-xXwcTq4GhRM7J9A8Gv5boanHhRa/Q9KLVmcyXHCTaM4wKfIpWkdXiMog/KsnxzJ0A1+nD+zoecuzqPmCRyBGjg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/netbsd-x64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.25.12.tgz",
+      "integrity": "sha512-Ld5pTlzPy3YwGec4OuHh1aCVCRvOXdH8DgRjfDy/oumVovmuSzWfnSJg+VtakB9Cm0gxNO9BzWkj6mtO1FMXkQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/openbsd-arm64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.25.12.tgz",
+      "integrity": "sha512-fF96T6KsBo/pkQI950FARU9apGNTSlZGsv1jZBAlcLL1MLjLNIWPBkj5NlSz8aAzYKg+eNqknrUJ24QBybeR5A==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/openbsd-x64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.25.12.tgz",
+      "integrity": "sha512-MZyXUkZHjQxUvzK7rN8DJ3SRmrVrke8ZyRusHlP+kuwqTcfWLyqMOE3sScPPyeIXN/mDJIfGXvcMqCgYKekoQw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/openharmony-arm64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.25.12.tgz",
+      "integrity": "sha512-rm0YWsqUSRrjncSXGA7Zv78Nbnw4XL6/dzr20cyrQf7ZmRcsovpcRBdhD43Nuk3y7XIoW2OxMVvwuRvk9XdASg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openharmony"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/sunos-x64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.25.12.tgz",
+      "integrity": "sha512-3wGSCDyuTHQUzt0nV7bocDy72r2lI33QL3gkDNGkod22EsYl04sMf0qLb8luNKTOmgF/eDEDP5BFNwoBKH441w==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "sunos"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/win32-arm64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.25.12.tgz",
+      "integrity": "sha512-rMmLrur64A7+DKlnSuwqUdRKyd3UE7oPJZmnljqEptesKM8wx9J8gx5u0+9Pq0fQQW8vqeKebwNXdfOyP+8Bsg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/win32-ia32": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.25.12.tgz",
+      "integrity": "sha512-HkqnmmBoCbCwxUKKNPBixiWDGCpQGVsrQfJoVGYLPT41XWF8lHuE5N6WhVia2n4o5QK5M4tYr21827fNhi4byQ==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/win32-x64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.25.12.tgz",
+      "integrity": "sha512-alJC0uCZpTFrSL0CCDjcgleBXPnCrEAhTBILpeAp7M/OFgoqtAetfBzX0xM00MUsVVPpVjlPuMbREqnZCXaTnA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@jridgewell/gen-mapping": {
+      "version": "0.3.13",
+      "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.13.tgz",
+      "integrity": "sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/sourcemap-codec": "^1.5.0",
+        "@jridgewell/trace-mapping": "^0.3.24"
+      }
+    },
+    "node_modules/@jridgewell/remapping": {
+      "version": "2.3.5",
+      "resolved": "https://registry.npmjs.org/@jridgewell/remapping/-/remapping-2.3.5.tgz",
+      "integrity": "sha512-LI9u/+laYG4Ds1TDKSJW2YPrIlcVYOwi2fUC6xB43lueCjgxV4lffOCZCtYFiH6TNOX+tQKXx97T4IKHbhyHEQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/gen-mapping": "^0.3.5",
+        "@jridgewell/trace-mapping": "^0.3.24"
+      }
+    },
+    "node_modules/@jridgewell/resolve-uri": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
+      "integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/@jridgewell/sourcemap-codec": {
+      "version": "1.5.5",
+      "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.5.tgz",
+      "integrity": "sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@jridgewell/trace-mapping": {
+      "version": "0.3.31",
+      "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.31.tgz",
+      "integrity": "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/resolve-uri": "^3.1.0",
+        "@jridgewell/sourcemap-codec": "^1.4.14"
+      }
+    },
+    "node_modules/@rolldown/pluginutils": {
+      "version": "1.0.0-beta.27",
+      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-beta.27.tgz",
+      "integrity": "sha512-+d0F4MKMCbeVUJwG96uQ4SgAznZNSq93I3V+9NHA4OpvqG8mRCpGdKmK8l/dl02h2CCDHwW2FqilnTyDcAnqjA==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@rollup/rollup-android-arm-eabi": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.62.2.tgz",
+      "integrity": "sha512-6o7ZLZK+BeenkZCFNDXqpbjw9bD6nuWonvS/lwQJp7NoVVxm6p3qE7qQ5jGuBjiFsgvqjD8mZAU5oWxTmbOeOg==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ]
+    },
+    "node_modules/@rollup/rollup-android-arm64": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.62.2.tgz",
+      "integrity": "sha512-BaH7BllCACHoH1LguOU56UItGfUWjujlO65kS9LAodViaN4bwIKd7oeW/ZHJ/4ljr/7MIiENnNy3HJ0zXv8Zkw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ]
+    },
+    "node_modules/@rollup/rollup-darwin-arm64": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.62.2.tgz",
+      "integrity": "sha512-v39RCCvj4He82I9sFmk+M1VZ0PLM9sfsLVikjfx2hYBNALhrrOR2D3JjQA6AhlaSOgcR+RzrKY7e1+bT6SUO/A==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ]
+    },
+    "node_modules/@rollup/rollup-darwin-x64": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.62.2.tgz",
+      "integrity": "sha512-yl0y2vq3S3lHeuXhEdss6TWfKW8vkujImO12tn4ZkG/4oghr09LvdYm2RElVjokTQiUvDUGXLGsYeLqUMCKpGA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ]
+    },
+    "node_modules/@rollup/rollup-freebsd-arm64": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.62.2.tgz",
+      "integrity": "sha512-tT4pvt4qXD+vEoezupCWi+a1F0vvDiksiHc+PxRlYTOH1I6/X4id9jPxTP+Fg+545euaFT1jJVs4CEdHZAU1vw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ]
+    },
+    "node_modules/@rollup/rollup-freebsd-x64": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.62.2.tgz",
+      "integrity": "sha512-6nU5F2wCW+qvCBhTn1pdIU3bzsIoF7EUwsCDRxilWGprQR6yd508YnH9+OKFCwpfS8pjZqDUmnCAr7exax0XCg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-arm-gnueabihf": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.62.2.tgz",
+      "integrity": "sha512-n1GJHPOvpIfhi3TmrCeh6S6URt9BFCt0KQE3qvexyGCTAKpR4Lg+eWvNZEqu7epxwus/8ElT3hacYEucm49SZg==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-arm-musleabihf": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.62.2.tgz",
+      "integrity": "sha512-JqgflS8wEB+UXV/vS1RpRbifGBeN4D5lz8D8oOFbFZw4vedvdOgCFAjfBmIMdW3yL10XpQQ0Ambepw6MXrhOnA==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-arm64-gnu": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.62.2.tgz",
+      "integrity": "sha512-wnFJkogWvN4jm/hQRF2UBaeUmk20j5+DmHvoyWii2b8HJDyvz1MF2OU/6ynXt2KR63rbZLWkFpoytpdc/yBuSA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-arm64-musl": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.62.2.tgz",
+      "integrity": "sha512-HVu2bp0zhvJ8xHEV9+UUs7S90VadmBSY3LcIMvozbPo4AuMGDWlz3ymHLHZPX4hR67TKTt8Qp5PJ5RBg/i+RMQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-loong64-gnu": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.62.2.tgz",
+      "integrity": "sha512-mQqqAV8QaoSgr9I2fKDLY2BAVvmKjWoGiu/cSYQonsLvtqwEn1E4QYfnCOcp5zoEqNhsDYin1s6jx/VJmrxlZg==",
+      "cpu": [
+        "loong64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-loong64-musl": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-musl/-/rollup-linux-loong64-musl-4.62.2.tgz",
+      "integrity": "sha512-IxKLoxCQ2IWi6bT2akyDUBGsOImDKB+sPp4EsTmwFQ/fMwpCKm8uLSSgP/Kx/QYUgKis6SEZ5/Nlhup0DIA0PQ==",
+      "cpu": [
+        "loong64"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-ppc64-gnu": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.62.2.tgz",
+      "integrity": "sha512-Mk5ha2RQSgyFfmYYLkBpPnUk8D8FriBxesO1u9O75X0mHgXL1UQcH5Itl2lurWL2tj0RxV9b9tJgipac0hRY9A==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-ppc64-musl": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-musl/-/rollup-linux-ppc64-musl-4.62.2.tgz",
+      "integrity": "sha512-CjvEnqJL/0/TQ3TXX3OPIJ/kmBellrWd4heXUmHeJlTnmwjKpSJzoehLaL6Xk0ZnMHBu9dZuFADNOrtjF4v+2w==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-riscv64-gnu": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.62.2.tgz",
+      "integrity": "sha512-1SiZbzwdkaDURsew/tSOrooKiYy7EQGT6m8ufavAi9NEyQb/6VuIxFXAL1fqa4iZe3g4NbNk4P7J32z2tw5Mgg==",
+      "cpu": [
+        "riscv64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-riscv64-musl": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.62.2.tgz",
+      "integrity": "sha512-nQts12zJ3NQRoE6uYljOH89v7szzLDvG2JD/vsX+vGXU8w/At1GowTZ5/7qeFQ8m7L55rpR8Okugnuo5bgjy2Q==",
+      "cpu": [
+        "riscv64"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-s390x-gnu": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.62.2.tgz",
+      "integrity": "sha512-E9/ll019jhPIJgpzfZoIkBGhcz+kKNgVWYRY0zr9srBdPPFVpvOKW8VaJKUbeK+eZXyQF9ltME+Kk6affeaPgg==",
+      "cpu": [
+        "s390x"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-x64-gnu": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.62.2.tgz",
+      "integrity": "sha512-5BqxR/pshjey51iliyzTD5Xi3EN0aLmQ2lZ3lvefVV9c82BvrLo2/6OT55iifpWBufs6kdwWbuOKS841DrmK9A==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-x64-musl": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.62.2.tgz",
+      "integrity": "sha512-uNN83XxQrRAh/w0/pmAfibcwyb6YWt4gP+dpnQKPVJshAloQ785ii8CT8ZCIxkGg9opVsvAlGhFitSm6D1Jjpg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-openbsd-x64": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-openbsd-x64/-/rollup-openbsd-x64-4.62.2.tgz",
+      "integrity": "sha512-srjEIxSH3LRnJN6THczDHWQplqEMFiAJrTab0msUryh9kwNpkICf3Ea6q6MN/2cZwRFUNx5w+h6Hpi4QuHS6Zg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ]
+    },
+    "node_modules/@rollup/rollup-openharmony-arm64": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.62.2.tgz",
+      "integrity": "sha512-8hOJnxgbyObnCm5AlRA3A931xX19xq80RjVTKgJOvEKWqJruP/Uf12IbAOaDjjEXYRewwHLfmF0YRIdK3OwKWA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openharmony"
+      ]
+    },
+    "node_modules/@rollup/rollup-win32-arm64-msvc": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.62.2.tgz",
+      "integrity": "sha512-mmF4AY1i0hG/bLWUctUq59gtmgaSIRa3cu/A3JFRp/sCNEme2bgDEiDS22P9FbnJB8NJNF4jPJiSP5RHQpUTDg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ]
+    },
+    "node_modules/@rollup/rollup-win32-ia32-msvc": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.62.2.tgz",
+      "integrity": "sha512-DZgkknc6jhHrk46V25vbAM0zZkyP0nSDkJB8/dRkLTxv470dOmWDqGoEJl/9A0dFfS7yE3REOwNDxpHwSLSt0Q==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ]
+    },
+    "node_modules/@rollup/rollup-win32-x64-gnu": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.62.2.tgz",
+      "integrity": "sha512-T6xr6ucWSFto+VGajA8YH26LdpHRuP4YLHEKAtCWvJDOlnmWcDZVCI2Jmjr+IFHDlt2zRaTAKE4tfjTaWLgJBg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ]
+    },
+    "node_modules/@rollup/rollup-win32-x64-msvc": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.62.2.tgz",
+      "integrity": "sha512-BfzEnDJOt9T8M989/lA37EcJgat01wLRnoi5dQf3QzOH7jzpqTAzdDbVfRljVr5r+jzKqpbHeyOfAaXxAd0PAA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ]
+    },
+    "node_modules/@tailwindcss/node": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/node/-/node-4.3.1.tgz",
+      "integrity": "sha512-6NDaqRoAMSXD1mr/RXu0HBvNE9a2n5tHPsxu9XHLws8o4Twes5rBM2205SUUiJ9goAtadrN6xTGX0UDEwp/N4A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/remapping": "^2.3.5",
+        "enhanced-resolve": "5.21.6",
+        "jiti": "^2.7.0",
+        "lightningcss": "1.32.0",
+        "magic-string": "^0.30.21",
+        "source-map-js": "^1.2.1",
+        "tailwindcss": "4.3.1"
+      }
+    },
+    "node_modules/@tailwindcss/oxide": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide/-/oxide-4.3.1.tgz",
+      "integrity": "sha512-yVPyo8RNkabVr3O2EhHEE0Rewu7YKzc1DhIqfL46LKveFrmu9XbDazNOJY7/GRuvw1h6u3utWnR29H/p5JPlgA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 20"
+      },
+      "optionalDependencies": {
+        "@tailwindcss/oxide-android-arm64": "4.3.1",
+        "@tailwindcss/oxide-darwin-arm64": "4.3.1",
+        "@tailwindcss/oxide-darwin-x64": "4.3.1",
+        "@tailwindcss/oxide-freebsd-x64": "4.3.1",
+        "@tailwindcss/oxide-linux-arm-gnueabihf": "4.3.1",
+        "@tailwindcss/oxide-linux-arm64-gnu": "4.3.1",
+        "@tailwindcss/oxide-linux-arm64-musl": "4.3.1",
+        "@tailwindcss/oxide-linux-x64-gnu": "4.3.1",
+        "@tailwindcss/oxide-linux-x64-musl": "4.3.1",
+        "@tailwindcss/oxide-wasm32-wasi": "4.3.1",
+        "@tailwindcss/oxide-win32-arm64-msvc": "4.3.1",
+        "@tailwindcss/oxide-win32-x64-msvc": "4.3.1"
+      }
+    },
+    "node_modules/@tailwindcss/oxide-android-arm64": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-android-arm64/-/oxide-android-arm64-4.3.1.tgz",
+      "integrity": "sha512-SVlyf61g374l5cHyg8x9kf5xmLcOaxvOTsbsqDnSsDJaKOEFZ7GCvi84VAVGpxojYOs1+3K6M0UjXfqPU8vmOQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">= 20"
+      }
+    },
+    "node_modules/@tailwindcss/oxide-darwin-arm64": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-arm64/-/oxide-darwin-arm64-4.3.1.tgz",
+      "integrity": "sha512-hVnWLwv+e/l7c4WKyVtHVrIPvYdqWHjRB3MDIqARynzFtnQg85kmQEFCbV9Ja0VVx4xXTIiDWY60Y7iz/iNoDA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">= 20"
+      }
+    },
+    "node_modules/@tailwindcss/oxide-darwin-x64": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-x64/-/oxide-darwin-x64-4.3.1.tgz",
+      "integrity": "sha512-Cf7abu0WVgbhU7ANgPUnSAvm7nCvMweusHb8FnaHlLfv/Caq4GYaEZg7ZImzzmjx4lIAfuS8q+eLIS7A7IzxIg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">= 20"
+      }
+    },
+    "node_modules/@tailwindcss/oxide-freebsd-x64": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-freebsd-x64/-/oxide-freebsd-x64-4.3.1.tgz",
+      "integrity": "sha512-ZZqzX2Y+GXtXXfqSfpJhDm60OoZfvLHLCgm+J7NVqgHHJjG/m9ugZI77RwTsVd4fnBJuCFP6Ae6kTJb71UdS8g==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">= 20"
+      }
+    },
+    "node_modules/@tailwindcss/oxide-linux-arm-gnueabihf": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm-gnueabihf/-/oxide-linux-arm-gnueabihf-4.3.1.tgz",
+      "integrity": "sha512-/Ah/xik0LaMYfv9DZ0S/t4pBlBNYOcqtRwusjgovHkvT8ixueWCLyJjsaF5kQIckjb4IT8Q6K6p/iPmZMixYgg==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 20"
+      }
+    },
+    "node_modules/@tailwindcss/oxide-linux-arm64-gnu": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-gnu/-/oxide-linux-arm64-gnu-4.3.1.tgz",
+      "integrity": "sha512-gqdFoVJlw444GvpnheZLHmvTzSxI/cOUUh2KSNejQjTcYkW062SVD+En0rUgD+QV91bz1XGIGtt1HJd48xUGbQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 20"
+      }
+    },
+    "node_modules/@tailwindcss/oxide-linux-arm64-musl": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-musl/-/oxide-linux-arm64-musl-4.3.1.tgz",
+      "integrity": "sha512-Bwv9KwOvE0VKa86xPFif9b9c3Y1NxOV1P0gLti/IYaWEsQYZXDlxfGEtA8mdDZ7SG3wyNXAWYT5SIn3giL57oA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 20"
+      }
+    },
+    "node_modules/@tailwindcss/oxide-linux-x64-gnu": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-gnu/-/oxide-linux-x64-gnu-4.3.1.tgz",
+      "integrity": "sha512-Ymi8O8T15HYQdOUWUtTI6ldN0neHP85FC+Qz32xTcZ7iJXtem/x8ITev0o1e9e5rkqj4lONZfTRLvkmin1+tKg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 20"
+      }
+    },
+    "node_modules/@tailwindcss/oxide-linux-x64-musl": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-musl/-/oxide-linux-x64-musl-4.3.1.tgz",
+      "integrity": "sha512-M+P/91qJ6uILLw4k2G93GMDRAXj61SMvFQYt39AqvUqYgExXpLL5aepfns7sj4HiAQeolirQF9E0lzRvdf4zPQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 20"
+      }
+    },
+    "node_modules/@tailwindcss/oxide-wasm32-wasi": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-wasm32-wasi/-/oxide-wasm32-wasi-4.3.1.tgz",
+      "integrity": "sha512-zsM8uOeqvVGHsAXsJxsT28ttosFahLJKCLOTUBqRAtKnVgGSRitds9T432QiT8b77Yga7JIBkulIRRlJPtYhRA==",
+      "bundleDependencies": [
+        "@napi-rs/wasm-runtime",
+        "@emnapi/core",
+        "@emnapi/runtime",
+        "@tybys/wasm-util",
+        "@emnapi/wasi-threads",
+        "tslib"
+      ],
+      "cpu": [
+        "wasm32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "@emnapi/core": "^1.10.0",
+        "@emnapi/runtime": "^1.10.0",
+        "@emnapi/wasi-threads": "^1.2.1",
+        "@napi-rs/wasm-runtime": "^1.1.4",
+        "@tybys/wasm-util": "^0.10.2",
+        "tslib": "^2.8.1"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/@tailwindcss/oxide-win32-arm64-msvc": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.3.1.tgz",
+      "integrity": "sha512-aiNvSq9BsVk8V513lDKlrCFAgf8qBMPZTpgEhInL+NwQqs97mYmupVMrPrgBBSL8Pv/0zXu9MrMF9rMun1ZeNg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">= 20"
+      }
+    },
+    "node_modules/@tailwindcss/oxide-win32-x64-msvc": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-x64-msvc/-/oxide-win32-x64-msvc-4.3.1.tgz",
+      "integrity": "sha512-xDEyu1rg290472FEGaKHnzyDyh5QH+AlWvsU5hMoMtPpzmKlRI0jaYKCgSHDYtaQWZOYbMaduSyCwFwY4n1HmA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">= 20"
+      }
+    },
+    "node_modules/@tailwindcss/vite": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/vite/-/vite-4.3.1.tgz",
+      "integrity": "sha512-hItDHuIIlEV61R+faXu66s1K36aTurO/Qw0e45Vskz57gXl9pWOT6eg3zmcEui6CZXddbN7zd41bwmvag4JGwQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@tailwindcss/node": "4.3.1",
+        "@tailwindcss/oxide": "4.3.1",
+        "tailwindcss": "4.3.1"
+      },
+      "peerDependencies": {
+        "vite": "^5.2.0 || ^6 || ^7 || ^8"
+      }
+    },
+    "node_modules/@types/babel__core": {
+      "version": "7.20.5",
+      "resolved": "https://registry.npmjs.org/@types/babel__core/-/babel__core-7.20.5.tgz",
+      "integrity": "sha512-qoQprZvz5wQFJwMDqeseRXWv3rqMvhgpbXFfVyWhbx9X47POIA6i/+dXefEmZKoAgOaTdaIgNSMqMIU61yRyzA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/parser": "^7.20.7",
+        "@babel/types": "^7.20.7",
+        "@types/babel__generator": "*",
+        "@types/babel__template": "*",
+        "@types/babel__traverse": "*"
+      }
+    },
+    "node_modules/@types/babel__generator": {
+      "version": "7.27.0",
+      "resolved": "https://registry.npmjs.org/@types/babel__generator/-/babel__generator-7.27.0.tgz",
+      "integrity": "sha512-ufFd2Xi92OAVPYsy+P4n7/U7e68fex0+Ee8gSG9KX7eo084CWiQ4sdxktvdl0bOPupXtVJPY19zk6EwWqUQ8lg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/types": "^7.0.0"
+      }
+    },
+    "node_modules/@types/babel__template": {
+      "version": "7.4.4",
+      "resolved": "https://registry.npmjs.org/@types/babel__template/-/babel__template-7.4.4.tgz",
+      "integrity": "sha512-h/NUaSyG5EyxBIp8YRxo4RMe2/qQgvyowRwVMzhYhBCONbW8PUsg4lkFMrhgZhUe5z3L3MiLDuvyJ/CaPa2A8A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/parser": "^7.1.0",
+        "@babel/types": "^7.0.0"
+      }
+    },
+    "node_modules/@types/babel__traverse": {
+      "version": "7.28.0",
+      "resolved": "https://registry.npmjs.org/@types/babel__traverse/-/babel__traverse-7.28.0.tgz",
+      "integrity": "sha512-8PvcXf70gTDZBgt9ptxJ8elBeBjcLOAcOtoO/mPJjtji1+CdGbHgm77om1GrsPxsiE+uXIpNSK64UYaIwQXd4Q==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/types": "^7.28.2"
+      }
+    },
+    "node_modules/@types/estree": {
+      "version": "1.0.9",
+      "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.9.tgz",
+      "integrity": "sha512-GhdPgy1el4/ImP05X05Uw4cw2/M93BCUmnEvWZNStlCzEKME4Fkk+YpoA5OiHNQmoS7Cafb8Xa3Pya8m1Qrzeg==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@types/react": {
+      "version": "19.2.17",
+      "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.17.tgz",
+      "integrity": "sha512-MXfmqaVPEVgkBT/aY0aGCkRWWtByiYQXo3xdQ8r5RzuFrPiRn8Gar2tQdXSUQ2GKV3bkXckek89V8wQBY2Q/Aw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "csstype": "^3.2.2"
+      }
+    },
+    "node_modules/@types/react-dom": {
+      "version": "19.2.3",
+      "resolved": "https://registry.npmjs.org/@types/react-dom/-/react-dom-19.2.3.tgz",
+      "integrity": "sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ==",
+      "dev": true,
+      "license": "MIT",
+      "peerDependencies": {
+        "@types/react": "^19.2.0"
+      }
+    },
+    "node_modules/@vitejs/plugin-react": {
+      "version": "4.7.0",
+      "resolved": "https://registry.npmjs.org/@vitejs/plugin-react/-/plugin-react-4.7.0.tgz",
+      "integrity": "sha512-gUu9hwfWvvEDBBmgtAowQCojwZmJ5mcLn3aufeCsitijs3+f2NsrPtlAWIR6OPiqljl96GVCUbLe0HyqIpVaoA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/core": "^7.28.0",
+        "@babel/plugin-transform-react-jsx-self": "^7.27.1",
+        "@babel/plugin-transform-react-jsx-source": "^7.27.1",
+        "@rolldown/pluginutils": "1.0.0-beta.27",
+        "@types/babel__core": "^7.20.5",
+        "react-refresh": "^0.17.0"
+      },
+      "engines": {
+        "node": "^14.18.0 || >=16.0.0"
+      },
+      "peerDependencies": {
+        "vite": "^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0"
+      }
+    },
+    "node_modules/baseline-browser-mapping": {
+      "version": "2.10.38",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.38.tgz",
+      "integrity": "sha512-31/02mVB4yuQU6adKk5SlY6m+mxDwUq5KZkyYgnLrrKl7TEm1+3PyDtDBz2kOv/wxZz41GHsvV1A/u6RmiyBvw==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "baseline-browser-mapping": "dist/cli.cjs"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/browserslist": {
+      "version": "4.28.4",
+      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.28.4.tgz",
+      "integrity": "sha512-MTc8i/x9jBQd1iMw2CFGS+rwMa07eYjLR0CCTLDACl9xhxy+nIs3KeML/biicXtk9JrZ6dnnTatmc7ErPXIxqw==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/browserslist"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/browserslist"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "baseline-browser-mapping": "^2.10.38",
+        "caniuse-lite": "^1.0.30001799",
+        "electron-to-chromium": "^1.5.376",
+        "node-releases": "^2.0.48",
+        "update-browserslist-db": "^1.2.3"
+      },
+      "bin": {
+        "browserslist": "cli.js"
+      },
+      "engines": {
+        "node": "^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7"
+      }
+    },
+    "node_modules/caniuse-lite": {
+      "version": "1.0.30001799",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001799.tgz",
+      "integrity": "sha512-hG1bReV+OUU+MOqK4t/ZWI0tZOyz3rqS9XuhOUz1cIcbwBKjOyJEJuw9ER5JuNyqxNk8u/JUVbGibBOL1yrjFw==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/browserslist"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/caniuse-lite"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "CC-BY-4.0"
+    },
+    "node_modules/convert-source-map": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-2.0.0.tgz",
+      "integrity": "sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/cookie": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-1.1.1.tgz",
+      "integrity": "sha512-ei8Aos7ja0weRpFzJnEA9UHJ/7XQmqglbRwnf2ATjcB9Wq874VKH9kfjjirM6UhU2/E5fFYadylyhFldcqSidQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/csstype": {
+      "version": "3.2.3",
+      "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.2.3.tgz",
+      "integrity": "sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/debug": {
+      "version": "4.4.3",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
+      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ms": "^2.1.3"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/detect-libc": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
+      "integrity": "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/electron-to-chromium": {
+      "version": "1.5.377",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.377.tgz",
+      "integrity": "sha512-cH1jZgJHoezfTnKfKwnScpHywTFVnJUNITDPREFdhNjiuD502+QFpG0Qk7G8jhsV/f+CEAFlIrzP1fT+IMb92g==",
+      "dev": true,
+      "license": "ISC"
+    },
+    "node_modules/enhanced-resolve": {
+      "version": "5.21.6",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.21.6.tgz",
+      "integrity": "sha512-aNnGCvbJ/RIyWo1IuhNdVjnNF+EjH9wpzpNHt+ci/m9He9LJvUN8wrCcXjp9cWsGNAuvSpVFTx/vraAFQ8qGjQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "graceful-fs": "^4.2.4",
+        "tapable": "^2.3.3"
+      },
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
+    "node_modules/esbuild": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.25.12.tgz",
+      "integrity": "sha512-bbPBYYrtZbkt6Os6FiTLCTFxvq4tt3JKall1vRwshA3fdVztsLAatFaZobhkBC8/BrPetoa0oksYoKXoG4ryJg==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "bin": {
+        "esbuild": "bin/esbuild"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "optionalDependencies": {
+        "@esbuild/aix-ppc64": "0.25.12",
+        "@esbuild/android-arm": "0.25.12",
+        "@esbuild/android-arm64": "0.25.12",
+        "@esbuild/android-x64": "0.25.12",
+        "@esbuild/darwin-arm64": "0.25.12",
+        "@esbuild/darwin-x64": "0.25.12",
+        "@esbuild/freebsd-arm64": "0.25.12",
+        "@esbuild/freebsd-x64": "0.25.12",
+        "@esbuild/linux-arm": "0.25.12",
+        "@esbuild/linux-arm64": "0.25.12",
+        "@esbuild/linux-ia32": "0.25.12",
+        "@esbuild/linux-loong64": "0.25.12",
+        "@esbuild/linux-mips64el": "0.25.12",
+        "@esbuild/linux-ppc64": "0.25.12",
+        "@esbuild/linux-riscv64": "0.25.12",
+        "@esbuild/linux-s390x": "0.25.12",
+        "@esbuild/linux-x64": "0.25.12",
+        "@esbuild/netbsd-arm64": "0.25.12",
+        "@esbuild/netbsd-x64": "0.25.12",
+        "@esbuild/openbsd-arm64": "0.25.12",
+        "@esbuild/openbsd-x64": "0.25.12",
+        "@esbuild/openharmony-arm64": "0.25.12",
+        "@esbuild/sunos-x64": "0.25.12",
+        "@esbuild/win32-arm64": "0.25.12",
+        "@esbuild/win32-ia32": "0.25.12",
+        "@esbuild/win32-x64": "0.25.12"
+      }
+    },
+    "node_modules/escalade": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz",
+      "integrity": "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/fdir": {
+      "version": "6.5.0",
+      "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz",
+      "integrity": "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12.0.0"
+      },
+      "peerDependencies": {
+        "picomatch": "^3 || ^4"
+      },
+      "peerDependenciesMeta": {
+        "picomatch": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/fsevents": {
+      "version": "2.3.3",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
+      "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
+    "node_modules/gensync": {
+      "version": "1.0.0-beta.2",
+      "resolved": "https://registry.npmjs.org/gensync/-/gensync-1.0.0-beta.2.tgz",
+      "integrity": "sha512-3hN7NaskYvMDLQY55gnW3NQ+mesEAepTqlg+VEbj7zzqEMBVNhzcGYYeqFo/TlYz6eQiFcp1HcsCZO+nGgS8zg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/graceful-fs": {
+      "version": "4.2.11",
+      "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz",
+      "integrity": "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==",
+      "dev": true,
+      "license": "ISC"
+    },
+    "node_modules/jiti": {
+      "version": "2.7.0",
+      "resolved": "https://registry.npmjs.org/jiti/-/jiti-2.7.0.tgz",
+      "integrity": "sha512-AC/7JofJvZGrrneWNaEnJeOLUx+JlGt7tNa0wZiRPT4MY1wmfKjt2+6O2p2uz2+skll8OZZmJMNqeke7kKbNgQ==",
+      "dev": true,
+      "license": "MIT",
+      "bin": {
+        "jiti": "lib/jiti-cli.mjs"
+      }
+    },
+    "node_modules/js-tokens": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
+      "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/jsesc": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-3.1.0.tgz",
+      "integrity": "sha512-/sM3dO2FOzXjKQhJuo0Q173wf2KOo8t4I8vHy6lF9poUp7bKT0/NHE8fPX23PwfhnykfqnC2xRxOnVw5XuGIaA==",
+      "dev": true,
+      "license": "MIT",
+      "bin": {
+        "jsesc": "bin/jsesc"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/json5": {
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.3.tgz",
+      "integrity": "sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==",
+      "dev": true,
+      "license": "MIT",
+      "bin": {
+        "json5": "lib/cli.js"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/lightningcss": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss/-/lightningcss-1.32.0.tgz",
+      "integrity": "sha512-NXYBzinNrblfraPGyrbPoD19C1h9lfI/1mzgWYvXUTe414Gz/X1FD2XBZSZM7rRTrMA8JL3OtAaGifrIKhQ5yQ==",
+      "dev": true,
+      "license": "MPL-2.0",
+      "dependencies": {
+        "detect-libc": "^2.0.3"
+      },
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      },
+      "optionalDependencies": {
+        "lightningcss-android-arm64": "1.32.0",
+        "lightningcss-darwin-arm64": "1.32.0",
+        "lightningcss-darwin-x64": "1.32.0",
+        "lightningcss-freebsd-x64": "1.32.0",
+        "lightningcss-linux-arm-gnueabihf": "1.32.0",
+        "lightningcss-linux-arm64-gnu": "1.32.0",
+        "lightningcss-linux-arm64-musl": "1.32.0",
+        "lightningcss-linux-x64-gnu": "1.32.0",
+        "lightningcss-linux-x64-musl": "1.32.0",
+        "lightningcss-win32-arm64-msvc": "1.32.0",
+        "lightningcss-win32-x64-msvc": "1.32.0"
+      }
+    },
+    "node_modules/lightningcss-android-arm64": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-android-arm64/-/lightningcss-android-arm64-1.32.0.tgz",
+      "integrity": "sha512-YK7/ClTt4kAK0vo6w3X+Pnm0D2cf2vPHbhOXdoNti1Ga0al1P4TBZhwjATvjNwLEBCnKvjJc2jQgHXH0NEwlAg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-darwin-arm64": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-darwin-arm64/-/lightningcss-darwin-arm64-1.32.0.tgz",
+      "integrity": "sha512-RzeG9Ju5bag2Bv1/lwlVJvBE3q6TtXskdZLLCyfg5pt+HLz9BqlICO7LZM7VHNTTn/5PRhHFBSjk5lc4cmscPQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-darwin-x64": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-darwin-x64/-/lightningcss-darwin-x64-1.32.0.tgz",
+      "integrity": "sha512-U+QsBp2m/s2wqpUYT/6wnlagdZbtZdndSmut/NJqlCcMLTWp5muCrID+K5UJ6jqD2BFshejCYXniPDbNh73V8w==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-freebsd-x64": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-freebsd-x64/-/lightningcss-freebsd-x64-1.32.0.tgz",
+      "integrity": "sha512-JCTigedEksZk3tHTTthnMdVfGf61Fky8Ji2E4YjUTEQX14xiy/lTzXnu1vwiZe3bYe0q+SpsSH/CTeDXK6WHig==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-arm-gnueabihf": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm-gnueabihf/-/lightningcss-linux-arm-gnueabihf-1.32.0.tgz",
+      "integrity": "sha512-x6rnnpRa2GL0zQOkt6rts3YDPzduLpWvwAF6EMhXFVZXD4tPrBkEFqzGowzCsIWsPjqSK+tyNEODUBXeeVHSkw==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-arm64-gnu": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-gnu/-/lightningcss-linux-arm64-gnu-1.32.0.tgz",
+      "integrity": "sha512-0nnMyoyOLRJXfbMOilaSRcLH3Jw5z9HDNGfT/gwCPgaDjnx0i8w7vBzFLFR1f6CMLKF8gVbebmkUN3fa/kQJpQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-arm64-musl": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-musl/-/lightningcss-linux-arm64-musl-1.32.0.tgz",
+      "integrity": "sha512-UpQkoenr4UJEzgVIYpI80lDFvRmPVg6oqboNHfoH4CQIfNA+HOrZ7Mo7KZP02dC6LjghPQJeBsvXhJod/wnIBg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-x64-gnu": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-gnu/-/lightningcss-linux-x64-gnu-1.32.0.tgz",
+      "integrity": "sha512-V7Qr52IhZmdKPVr+Vtw8o+WLsQJYCTd8loIfpDaMRWGUZfBOYEJeyJIkqGIDMZPwPx24pUMfwSxxI8phr/MbOA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-x64-musl": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-musl/-/lightningcss-linux-x64-musl-1.32.0.tgz",
+      "integrity": "sha512-bYcLp+Vb0awsiXg/80uCRezCYHNg1/l3mt0gzHnWV9XP1W5sKa5/TCdGWaR/zBM2PeF/HbsQv/j2URNOiVuxWg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-win32-arm64-msvc": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-win32-arm64-msvc/-/lightningcss-win32-arm64-msvc-1.32.0.tgz",
+      "integrity": "sha512-8SbC8BR40pS6baCM8sbtYDSwEVQd4JlFTOlaD3gWGHfThTcABnNDBda6eTZeqbofalIJhFx0qKzgHJmcPTnGdw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-win32-x64-msvc": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-win32-x64-msvc/-/lightningcss-win32-x64-msvc-1.32.0.tgz",
+      "integrity": "sha512-Amq9B/SoZYdDi1kFrojnoqPLxYhQ4Wo5XiL8EVJrVsB8ARoC1PWW6VGtT0WKCemjy8aC+louJnjS7U18x3b06Q==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lru-cache": {
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-5.1.1.tgz",
+      "integrity": "sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "yallist": "^3.0.2"
+      }
+    },
+    "node_modules/magic-string": {
+      "version": "0.30.21",
+      "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.21.tgz",
+      "integrity": "sha512-vd2F4YUyEXKGcLHoq+TEyCjxueSeHnFxyyjNp80yg0XV4vUhnDer/lvvlqM/arB5bXQN5K2/3oinyCRyx8T2CQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/sourcemap-codec": "^1.5.5"
+      }
+    },
+    "node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/nanoid": {
+      "version": "3.3.15",
+      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.15.tgz",
+      "integrity": "sha512-y7Wygv/7mEOvxTuEQDB8StXdMRBWf1kR/tlhAzBRUFkB2jfcLOAxO/SHmOO2zgz1pVgK29/kyupn059/bCHdjA==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "bin": {
+        "nanoid": "bin/nanoid.cjs"
+      },
+      "engines": {
+        "node": "^10 || ^12 || ^13.7 || ^14 || >=15.0.1"
+      }
+    },
+    "node_modules/node-releases": {
+      "version": "2.0.48",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.48.tgz",
+      "integrity": "sha512-1uz8041X6LoI6ZSdZacM9lVY28vuzDlSKitnpbSNK0RfKoIJkX29NBPVEFXhnuSuEOA9Ww0xnPJ+ILWbGAv8DA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/picocolors": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
+      "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==",
+      "dev": true,
+      "license": "ISC"
+    },
+    "node_modules/picomatch": {
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/jonschlinkert"
+      }
+    },
+    "node_modules/postcss": {
+      "version": "8.5.15",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.15.tgz",
+      "integrity": "sha512-FfR8sjd4em2T6fb3I2MwAJU7HWVMr9zba+enmQeeWFfCbm+UOC/0X4DS8XtpUTMwWMGbjKYP7xjfNekzyGmB3A==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/postcss/"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/postcss"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "nanoid": "^3.3.12",
+        "picocolors": "^1.1.1",
+        "source-map-js": "^1.2.1"
+      },
+      "engines": {
+        "node": "^10 || ^12 || >=14"
+      }
+    },
+    "node_modules/react": {
+      "version": "19.2.7",
+      "resolved": "https://registry.npmjs.org/react/-/react-19.2.7.tgz",
+      "integrity": "sha512-HNe9WslTbXmFK8o8cmwgAeJFSBvt1bPdHCVKtaaV+WlAN36mpT4hcRpwbf3fY56ar2oIXzsBpOAiIRHAdY0OlQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/react-dom": {
+      "version": "19.2.7",
+      "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.7.tgz",
+      "integrity": "sha512-t0BRVXvbiE/o20Hfw669rLbMCDWtYZLvmJigy2f0MxsXF+71pxhR3xOkspmsO8h3ZlNzyibAmtCa3l4lYKk6gQ==",
+      "license": "MIT",
+      "dependencies": {
+        "scheduler": "^0.27.0"
+      },
+      "peerDependencies": {
+        "react": "^19.2.7"
+      }
+    },
+    "node_modules/react-refresh": {
+      "version": "0.17.0",
+      "resolved": "https://registry.npmjs.org/react-refresh/-/react-refresh-0.17.0.tgz",
+      "integrity": "sha512-z6F7K9bV85EfseRCp2bzrpyQ0Gkw1uLoCel9XBVWPg/TjRj94SkJzUTGfOa4bs7iJvBWtQG0Wq7wnI0syw3EBQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/react-router": {
+      "version": "7.18.0",
+      "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.18.0.tgz",
+      "integrity": "sha512-pTTGt8J+ji1NOmYnjzT+bAJy/1zD+Jp4ziO6cL7T3ZLvXKtusO7BpFqlRXitqpcPVqllsIXFHRMt+2/k3Xn6HQ==",
+      "license": "MIT",
+      "dependencies": {
+        "cookie": "^1.0.1",
+        "set-cookie-parser": "^2.6.0"
+      },
+      "engines": {
+        "node": ">=20.0.0"
+      },
+      "peerDependencies": {
+        "react": ">=18",
+        "react-dom": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/react-router-dom": {
+      "version": "7.18.0",
+      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.18.0.tgz",
+      "integrity": "sha512-Fi0yY6kgtKae/Th2xibdWK0KSdYZ4B53Gyf6wRtomOKWgpNm7H7+DyfDhncdz9FKbpS+1jmDhg3F4WoGJ+yFOA==",
+      "license": "MIT",
+      "dependencies": {
+        "react-router": "7.18.0"
+      },
+      "engines": {
+        "node": ">=20.0.0"
+      },
+      "peerDependencies": {
+        "react": ">=18",
+        "react-dom": ">=18"
+      }
+    },
+    "node_modules/rollup": {
+      "version": "4.62.2",
+      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.62.2.tgz",
+      "integrity": "sha512-RFnrW4lhXA3s3eqHDZvN654g8OTjzRfqpIRJYczCGB6HzphckVAi/Qh4tbPUbRuDi7s1Llv8g/NspLkttY3gTA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/estree": "1.0.9"
+      },
+      "bin": {
+        "rollup": "dist/bin/rollup"
+      },
+      "engines": {
+        "node": ">=18.0.0",
+        "npm": ">=8.0.0"
+      },
+      "optionalDependencies": {
+        "@rollup/rollup-android-arm-eabi": "4.62.2",
+        "@rollup/rollup-android-arm64": "4.62.2",
+        "@rollup/rollup-darwin-arm64": "4.62.2",
+        "@rollup/rollup-darwin-x64": "4.62.2",
+        "@rollup/rollup-freebsd-arm64": "4.62.2",
+        "@rollup/rollup-freebsd-x64": "4.62.2",
+        "@rollup/rollup-linux-arm-gnueabihf": "4.62.2",
+        "@rollup/rollup-linux-arm-musleabihf": "4.62.2",
+        "@rollup/rollup-linux-arm64-gnu": "4.62.2",
+        "@rollup/rollup-linux-arm64-musl": "4.62.2",
+        "@rollup/rollup-linux-loong64-gnu": "4.62.2",
+        "@rollup/rollup-linux-loong64-musl": "4.62.2",
+        "@rollup/rollup-linux-ppc64-gnu": "4.62.2",
+        "@rollup/rollup-linux-ppc64-musl": "4.62.2",
+        "@rollup/rollup-linux-riscv64-gnu": "4.62.2",
+        "@rollup/rollup-linux-riscv64-musl": "4.62.2",
+        "@rollup/rollup-linux-s390x-gnu": "4.62.2",
+        "@rollup/rollup-linux-x64-gnu": "4.62.2",
+        "@rollup/rollup-linux-x64-musl": "4.62.2",
+        "@rollup/rollup-openbsd-x64": "4.62.2",
+        "@rollup/rollup-openharmony-arm64": "4.62.2",
+        "@rollup/rollup-win32-arm64-msvc": "4.62.2",
+        "@rollup/rollup-win32-ia32-msvc": "4.62.2",
+        "@rollup/rollup-win32-x64-gnu": "4.62.2",
+        "@rollup/rollup-win32-x64-msvc": "4.62.2",
+        "fsevents": "~2.3.2"
+      }
+    },
+    "node_modules/scheduler": {
+      "version": "0.27.0",
+      "resolved": "https://registry.npmjs.org/scheduler/-/scheduler-0.27.0.tgz",
+      "integrity": "sha512-eNv+WrVbKu1f3vbYJT/xtiF5syA5HPIMtf9IgY/nKg0sWqzAUEvqY/xm7OcZc/qafLx/iO9FgOmeSAp4v5ti/Q==",
+      "license": "MIT"
+    },
+    "node_modules/semver": {
+      "version": "6.3.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
+      "dev": true,
+      "license": "ISC",
+      "bin": {
+        "semver": "bin/semver.js"
+      }
+    },
+    "node_modules/set-cookie-parser": {
+      "version": "2.7.2",
+      "resolved": "https://registry.npmjs.org/set-cookie-parser/-/set-cookie-parser-2.7.2.tgz",
+      "integrity": "sha512-oeM1lpU/UvhTxw+g3cIfxXHyJRc/uidd3yK1P242gzHds0udQBYzs3y8j4gCCW+ZJ7ad0yctld8RYO+bdurlvw==",
+      "license": "MIT"
+    },
+    "node_modules/source-map-js": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz",
+      "integrity": "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==",
+      "dev": true,
+      "license": "BSD-3-Clause",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/tailwindcss": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.3.1.tgz",
+      "integrity": "sha512-hk+TB1m+K8CYNrP6rjQaq/Y+4Zylwpa87mLYBKCunwnnQ9p+fHb7kmSfGqyEJoxF/O6CDyABWVFEafNSYKll+Q==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/taipei-sans-tc": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/taipei-sans-tc/-/taipei-sans-tc-0.1.1.tgz",
+      "integrity": "sha512-GCvdO+SATITfm128bT+fFmbpVW8+o0zLMVlNskSOk3CBghNzfqj4tvwTbIQ9vmvftd31s5UNypLA3aIw/IG6RQ==",
+      "license": "MIT"
+    },
+    "node_modules/tapable": {
+      "version": "2.3.3",
+      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.3.tgz",
+      "integrity": "sha512-uxc/zpqFg6x7C8vOE7lh6Lbda8eEL9zmVm/PLeTPBRhh1xCgdWaQ+J1CUieGpIfm2HdtsUpRv+HshiasBMcc6A==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/webpack"
+      }
+    },
+    "node_modules/tinyglobby": {
+      "version": "0.2.17",
+      "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.17.tgz",
+      "integrity": "sha512-wXR/dYpcqKmfWpEdZjiKJOwCNFndD0DMnrW/cYjVGttEkBfVgcLFHoNrlj47mjOVic9yyNu65alsgF4NQyTa2g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "fdir": "^6.5.0",
+        "picomatch": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/SuperchupuDev"
+      }
+    },
+    "node_modules/typescript": {
+      "version": "5.9.3",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
+      "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "tsc": "bin/tsc",
+        "tsserver": "bin/tsserver"
+      },
+      "engines": {
+        "node": ">=14.17"
+      }
+    },
+    "node_modules/update-browserslist-db": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.2.3.tgz",
+      "integrity": "sha512-Js0m9cx+qOgDxo0eMiFGEueWztz+d4+M3rGlmKPT+T4IS/jP4ylw3Nwpu6cpTTP8R1MAC1kF4VbdLt3ARf209w==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/browserslist"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/browserslist"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "escalade": "^3.2.0",
+        "picocolors": "^1.1.1"
+      },
+      "bin": {
+        "update-browserslist-db": "cli.js"
+      },
+      "peerDependencies": {
+        "browserslist": ">= 4.21.0"
+      }
+    },
+    "node_modules/vite": {
+      "version": "6.4.3",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.3.tgz",
+      "integrity": "sha512-NTKlcQjlAK7MlQoyb6LgaqHc8sso/pVyUJYWMws3jg21uTJw/LddqIFPcPqP6PzpgbIcZyKI85sFE4HBrQDA8A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "esbuild": "^0.25.0",
+        "fdir": "^6.4.4",
+        "picomatch": "^4.0.2",
+        "postcss": "^8.5.3",
+        "rollup": "^4.34.9",
+        "tinyglobby": "^0.2.13"
+      },
+      "bin": {
+        "vite": "bin/vite.js"
+      },
+      "engines": {
+        "node": "^18.0.0 || ^20.0.0 || >=22.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/vitejs/vite?sponsor=1"
+      },
+      "optionalDependencies": {
+        "fsevents": "~2.3.3"
+      },
+      "peerDependencies": {
+        "@types/node": "^18.0.0 || ^20.0.0 || >=22.0.0",
+        "jiti": ">=1.21.0",
+        "less": "*",
+        "lightningcss": "^1.21.0",
+        "sass": "*",
+        "sass-embedded": "*",
+        "stylus": "*",
+        "sugarss": "*",
+        "terser": "^5.16.0",
+        "tsx": "^4.8.1",
+        "yaml": "^2.4.2"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        },
+        "jiti": {
+          "optional": true
+        },
+        "less": {
+          "optional": true
+        },
+        "lightningcss": {
+          "optional": true
+        },
+        "sass": {
+          "optional": true
+        },
+        "sass-embedded": {
+          "optional": true
+        },
+        "stylus": {
+          "optional": true
+        },
+        "sugarss": {
+          "optional": true
+        },
+        "terser": {
+          "optional": true
+        },
+        "tsx": {
+          "optional": true
+        },
+        "yaml": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/yallist": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/yallist/-/yallist-3.1.1.tgz",
+      "integrity": "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==",
+      "dev": true,
+      "license": "ISC"
+    }
+  }
+}
diff --git a/haixun-backend/web/package.json b/haixun-backend/web/package.json
new file mode 100644
index 0000000..781672f
--- /dev/null
+++ b/haixun-backend/web/package.json
@@ -0,0 +1,26 @@
+{
+  "name": "haixun-web",
+  "private": true,
+  "version": "0.1.0",
+  "type": "module",
+  "scripts": {
+    "dev": "vite",
+    "build": "tsc -b && vite build",
+    "preview": "vite preview"
+  },
+  "dependencies": {
+    "react": "^19.1.0",
+    "react-dom": "^19.1.0",
+    "react-router-dom": "^7.6.2",
+    "taipei-sans-tc": "^0.1.1"
+  },
+  "devDependencies": {
+    "@tailwindcss/vite": "^4.1.8",
+    "@types/react": "^19.1.6",
+    "@types/react-dom": "^19.1.5",
+    "@vitejs/plugin-react": "^4.5.2",
+    "tailwindcss": "^4.1.8",
+    "typescript": "^5.8.3",
+    "vite": "^6.3.5"
+  }
+}
diff --git a/haixun-backend/web/src/App.tsx b/haixun-backend/web/src/App.tsx
new file mode 100644
index 0000000..67a10c7
--- /dev/null
+++ b/haixun-backend/web/src/App.tsx
@@ -0,0 +1,45 @@
+import { BrowserRouter, Navigate, Route, Routes } from 'react-router-dom'
+import { AuthProvider } from './auth/AuthContext'
+import { ThemeProvider } from './theme/ThemeContext'
+import { Layout } from './components/Layout'
+import { ProtectedRoute } from './components/ProtectedRoute'
+import { AiPage } from './pages/AiPage'
+import { DashboardPage } from './pages/DashboardPage'
+import { JobDetailPage } from './pages/JobDetailPage'
+import { JobSchedulesPage } from './pages/JobSchedulesPage'
+import { JobTemplatesPage } from './pages/JobTemplatesPage'
+import { JobsPage } from './pages/JobsPage'
+import { LoginPage } from './pages/LoginPage'
+import { PermissionsPage } from './pages/PermissionsPage'
+import { ProfilePage } from './pages/ProfilePage'
+import { RegisterPage } from './pages/RegisterPage'
+import { SettingsPage } from './pages/SettingsPage'
+
+export default function App() {
+  return (
+    <ThemeProvider>
+      <AuthProvider>
+        <BrowserRouter>
+          <Routes>
+            <Route path="/login" element={<LoginPage />} />
+            <Route path="/register" element={<RegisterPage />} />
+            <Route element={<ProtectedRoute />}>
+              <Route element={<Layout />}>
+                <Route path="/" element={<DashboardPage />} />
+                <Route path="/profile" element={<ProfilePage />} />
+                <Route path="/permissions" element={<PermissionsPage />} />
+                <Route path="/settings" element={<SettingsPage />} />
+                <Route path="/ai" element={<AiPage />} />
+                <Route path="/jobs" element={<JobsPage />} />
+                <Route path="/jobs/:id" element={<JobDetailPage />} />
+                <Route path="/job-templates" element={<JobTemplatesPage />} />
+                <Route path="/job-schedules" element={<JobSchedulesPage />} />
+              </Route>
+            </Route>
+            <Route path="*" element={<Navigate to="/" replace />} />
+          </Routes>
+        </BrowserRouter>
+      </AuthProvider>
+    </ThemeProvider>
+  )
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/api/client.ts b/haixun-backend/web/src/api/client.ts
new file mode 100644
index 0000000..a3b5250
--- /dev/null
+++ b/haixun-backend/web/src/api/client.ts
@@ -0,0 +1,167 @@
+import { SUCCESS_CODE, type ApiEnvelope } from '../types/api'
+import { storage } from '../lib/storage'
+
+export class ApiError extends Error {
+  code: number
+  constructor(code: number, message: string) {
+    super(message)
+    this.code = code
+  }
+}
+
+type RequestOptions = {
+  method?: string
+  body?: unknown
+  auth?: boolean
+  memberAuth?: boolean
+  providerToken?: string
+  query?: Record<string, string | number | boolean | undefined>
+}
+
+let refreshPromise: Promise<void> | null = null
+
+async function refreshTokens() {
+  const refreshToken = storage.getRefreshToken()
+  if (!refreshToken) throw new ApiError(0, '缺少 refresh token')
+  const res = await fetch('/api/v1/auth/refresh', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ refresh_token: refreshToken }),
+  })
+  const json = (await res.json()) as ApiEnvelope<{
+    access_token: string
+    refresh_token: string
+    uid: string
+  }>
+  if (json.code !== SUCCESS_CODE || !json.data) {
+    storage.clearSession()
+    throw new ApiError(json.code, json.message || 'refresh failed')
+  }
+  storage.setAccessToken(json.data.access_token)
+  storage.setRefreshToken(json.data.refresh_token)
+  storage.setUid(json.data.uid)
+}
+
+function buildURL(path: string, query?: RequestOptions['query']) {
+  const url = new URL(path, window.location.origin)
+  if (query) {
+    for (const [k, v] of Object.entries(query)) {
+      if (v !== undefined && v !== '') url.searchParams.set(k, String(v))
+    }
+  }
+  return url.pathname + url.search
+}
+
+async function request<T>(path: string, opts: RequestOptions = {}): Promise<T> {
+  const headers: Record<string, string> = { 'Content-Type': 'application/json' }
+  if (opts.auth) {
+    const token = storage.getAccessToken()
+    if (token) headers.Authorization = `Bearer ${token}`
+  }
+  if (opts.memberAuth) {
+    const token = storage.getAccessToken()
+    if (token) headers['X-Member-Authorization'] = `Bearer ${token}`
+  }
+  if (opts.providerToken) {
+    headers.Authorization = `Bearer ${opts.providerToken}`
+  }
+
+  const doFetch = () =>
+    fetch(buildURL(path, opts.query), {
+      method: opts.method ?? (opts.body ? 'POST' : 'GET'),
+      headers,
+      body: opts.body ? JSON.stringify(opts.body) : undefined,
+    })
+
+  let res = await doFetch()
+  let json = (await res.json()) as ApiEnvelope<T>
+
+  if (json.code !== SUCCESS_CODE && opts.auth && storage.getRefreshToken()) {
+    if (!refreshPromise) {
+      refreshPromise = refreshTokens().finally(() => {
+        refreshPromise = null
+      })
+    }
+    try {
+      await refreshPromise
+      res = await doFetch()
+      json = (await res.json()) as ApiEnvelope<T>
+    } catch {
+      /* fall through */
+    }
+  }
+
+  if (json.code !== SUCCESS_CODE) {
+    throw new ApiError(json.code, json.message || 'request failed')
+  }
+  return json.data as T
+}
+
+export const api = {
+  get: <T>(path: string, opts?: Omit<RequestOptions, 'method' | 'body'>) =>
+    request<T>(path, { ...opts, method: 'GET' }),
+  post: <T>(path: string, body?: unknown, opts?: Omit<RequestOptions, 'method' | 'body'>) =>
+    request<T>(path, { ...opts, method: 'POST', body }),
+  put: <T>(path: string, body?: unknown, opts?: Omit<RequestOptions, 'method' | 'body'>) =>
+    request<T>(path, { ...opts, method: 'PUT', body }),
+  patch: <T>(path: string, body?: unknown, opts?: Omit<RequestOptions, 'method' | 'body'>) =>
+    request<T>(path, { ...opts, method: 'PATCH', body }),
+  delete: <T>(path: string, opts?: Omit<RequestOptions, 'method' | 'body'>) =>
+    request<T>(path, { ...opts, method: 'DELETE' }),
+}
+
+export async function streamAIChat(
+  body: Record<string, unknown>,
+  onDelta: (text: string) => void,
+  onDone: (finishReason?: string) => void,
+  onError: (msg: string) => void,
+) {
+  const memberToken = storage.getAccessToken()
+  const providerToken = storage.getAiProviderToken()
+  const headers: Record<string, string> = { 'Content-Type': 'application/json' }
+  if (memberToken) headers['X-Member-Authorization'] = `Bearer ${memberToken}`
+  if (providerToken) headers.Authorization = `Bearer ${providerToken}`
+
+  const res = await fetch('/api/v1/ai/chat/stream', {
+    method: 'POST',
+    headers,
+    body: JSON.stringify(body),
+  })
+  if (!res.ok || !res.body) {
+    onError(`HTTP ${res.status}`)
+    return
+  }
+
+  const reader = res.body.getReader()
+  const decoder = new TextDecoder()
+  let buffer = ''
+
+  while (true) {
+    const { done, value } = await reader.read()
+    if (done) break
+    buffer += decoder.decode(value, { stream: true })
+    const parts = buffer.split('\n\n')
+    buffer = parts.pop() ?? ''
+    for (const part of parts) {
+      const lines = part.split('\n')
+      let event = ''
+      let data = ''
+      for (const line of lines) {
+        if (line.startsWith('event:')) event = line.slice(6).trim()
+        if (line.startsWith('data:')) data = line.slice(5).trim()
+      }
+      if (!data) continue
+      try {
+        const parsed = JSON.parse(data) as { type?: string; text?: string; finish_reason?: string; message?: string }
+        if (event === 'error' || parsed.type === 'error') {
+          onError(parsed.message || 'stream error')
+          return
+        }
+        if (parsed.type === 'delta' && parsed.text) onDelta(parsed.text)
+        if (parsed.type === 'done') onDone(parsed.finish_reason)
+      } catch {
+        /* ignore malformed chunk */
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/auth/AuthContext.tsx b/haixun-backend/web/src/auth/AuthContext.tsx
new file mode 100644
index 0000000..3007fc9
--- /dev/null
+++ b/haixun-backend/web/src/auth/AuthContext.tsx
@@ -0,0 +1,132 @@
+import {
+  createContext,
+  useCallback,
+  useContext,
+  useEffect,
+  useMemo,
+  useState,
+  type ReactNode,
+} from 'react'
+import { api } from '../api/client'
+import { storage } from '../lib/storage'
+import type { AuthTokenData, MemberMeData } from '../types/api'
+
+type AuthContextValue = {
+  tenantId: string
+  uid: string
+  member: MemberMeData | null
+  loading: boolean
+  setTenantId: (v: string) => void
+  login: (email: string, password: string) => Promise<void>
+  register: (input: {
+    email: string
+    password: string
+    displayName?: string
+    language?: string
+  }) => Promise<void>
+  logout: () => Promise<void>
+  refreshMember: () => Promise<void>
+  isAuthenticated: boolean
+}
+
+const AuthContext = createContext<AuthContextValue | null>(null)
+
+export function AuthProvider({ children }: { children: ReactNode }) {
+  const [tenantId, setTenantIdState] = useState(() => storage.getTenantId() || 'default')
+  const [uid, setUid] = useState(() => storage.getUid())
+  const [member, setMember] = useState<MemberMeData | null>(null)
+  const [loading, setLoading] = useState(!!storage.getAccessToken())
+
+  const setTenantId = useCallback((v: string) => {
+    storage.setTenantId(v)
+    setTenantIdState(v)
+  }, [])
+
+  const persistToken = useCallback((data: AuthTokenData) => {
+    storage.setAccessToken(data.access_token)
+    storage.setRefreshToken(data.refresh_token)
+    storage.setUid(data.uid)
+    setUid(data.uid)
+  }, [])
+
+  const refreshMember = useCallback(async () => {
+    if (!storage.getAccessToken()) {
+      setMember(null)
+      return
+    }
+    const me = await api.get<MemberMeData>('/api/v1/members/me', { auth: true })
+    setMember(me)
+  }, [])
+
+  useEffect(() => {
+    if (!storage.getAccessToken()) {
+      setLoading(false)
+      return
+    }
+    refreshMember()
+      .catch(() => storage.clearSession())
+      .finally(() => setLoading(false))
+  }, [refreshMember])
+
+  const login = useCallback(
+    async (email: string, password: string) => {
+      const data = await api.post<AuthTokenData>('/api/v1/auth/login', {
+        tenant_id: tenantId,
+        email,
+        password,
+      })
+      persistToken(data)
+      await refreshMember()
+    },
+    [tenantId, persistToken, refreshMember],
+  )
+
+  const register = useCallback(
+    async (input: { email: string; password: string; displayName?: string; language?: string }) => {
+      const data = await api.post<AuthTokenData>('/api/v1/auth/register', {
+        tenant_id: tenantId,
+        email: input.email,
+        password: input.password,
+        display_name: input.displayName,
+        language: input.language,
+      })
+      persistToken(data)
+      await refreshMember()
+    },
+    [tenantId, persistToken, refreshMember],
+  )
+
+  const logout = useCallback(async () => {
+    try {
+      await api.post('/api/v1/auth/logout', undefined, { auth: true })
+    } finally {
+      storage.clearSession()
+      setMember(null)
+      setUid('')
+    }
+  }, [])
+
+  const value = useMemo(
+    () => ({
+      tenantId,
+      uid,
+      member,
+      loading,
+      setTenantId,
+      login,
+      register,
+      logout,
+      refreshMember,
+      isAuthenticated: !!storage.getAccessToken(),
+    }),
+    [tenantId, uid, member, loading, setTenantId, login, register, logout, refreshMember],
+  )
+
+  return <AuthContext.Provider value={value}>{children}</AuthContext.Provider>
+}
+
+export function useAuth() {
+  const ctx = useContext(AuthContext)
+  if (!ctx) throw new Error('useAuth must be used within AuthProvider')
+  return ctx
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/components/AuthShell.tsx b/haixun-backend/web/src/components/AuthShell.tsx
new file mode 100644
index 0000000..ce7f2fb
--- /dev/null
+++ b/haixun-backend/web/src/components/AuthShell.tsx
@@ -0,0 +1,28 @@
+import type { ReactNode } from 'react'
+import { ThemeToggle } from './ThemeToggle'
+
+export function AuthShell({ children }: { children: ReactNode }) {
+  return (
+    <div className="relative flex min-h-screen items-center justify-center overflow-hidden bg-canvas p-6">
+      <div className="absolute top-5 right-5 z-20">
+        <ThemeToggle />
+      </div>
+      <div
+        aria-hidden
+        className="glow-blob pointer-events-none absolute -top-24 -right-16 h-72 w-72 rounded-full opacity-70 blur-3xl"
+      />
+      <div
+        aria-hidden
+        className="glow-blob-alt pointer-events-none absolute -bottom-20 -left-10 h-64 w-64 rounded-full opacity-80 blur-3xl"
+      />
+      <div className="relative z-10 w-full max-w-md">
+        <div className="mb-8 text-center">
+          <p className="display-en text-xs font-semibold tracking-[0.2em] text-brand uppercase">Haixun Patrol</p>
+          <h1 className="mt-2 text-3xl font-black text-ink">巡樓管理系統</h1>
+          <p className="mt-2 text-sm text-ink-secondary">智慧巡檢 · 任務追蹤 · 即時協作</p>
+        </div>
+        {children}
+      </div>
+    </div>
+  )
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/components/Layout.tsx b/haixun-backend/web/src/components/Layout.tsx
new file mode 100644
index 0000000..15f11ed
--- /dev/null
+++ b/haixun-backend/web/src/components/Layout.tsx
@@ -0,0 +1,110 @@
+import { NavLink, Outlet } from 'react-router-dom'
+import { useAuth } from '../auth/AuthContext'
+import { MobileBottomNav } from './MobileBottomNav'
+import { ThemeToggle } from './ThemeToggle'
+
+const navMain = [
+  { to: '/', label: '總覽' },
+  { to: '/jobs', label: '背景任務' },
+  { to: '/job-schedules', label: '排程' },
+  { to: '/ai', label: 'AI' },
+]
+
+const navMore = [
+  { to: '/job-templates', label: '模板' },
+  { to: '/settings', label: '設定' },
+  { to: '/profile', label: '會員' },
+  { to: '/permissions', label: '權限' },
+]
+
+function NavItem({ to, label, end }: { to: string; label: string; end?: boolean }) {
+  return (
+    <NavLink
+      to={to}
+      end={end}
+      className={({ isActive }) =>
+        `rounded-[var(--radius-pill)] px-4 py-2 text-sm font-semibold transition ${
+          isActive
+            ? 'bg-brand text-white shadow-soft'
+            : 'text-ink hover:bg-brand-soft hover:text-brand'
+        }`
+      }
+    >
+      {label}
+    </NavLink>
+  )
+}
+
+export function Layout() {
+  const { member, uid, logout } = useAuth()
+
+  return (
+    <div className="flex min-h-screen bg-canvas">
+      <aside className="hidden w-60 shrink-0 flex-col border-r border-line bg-surface/90 p-4 backdrop-blur-md lg:flex lg:w-64 lg:p-5">
+        <div className="rounded-[var(--radius-xl)] border border-line bg-surface-muted px-4 py-4">
+          <div className="display-en text-[10px] font-bold tracking-[0.22em] text-brand uppercase">Haixun</div>
+          <div className="mt-1 text-2xl font-black text-brand">巡樓</div>
+        </div>
+
+        <nav className="mt-6 flex flex-1 flex-col gap-5">
+          <div>
+            <p className="mb-2 px-2 text-xs font-bold tracking-wide text-ink-secondary uppercase">工作區</p>
+            <div className="flex flex-col gap-1">
+              {navMain.map((item) => (
+                <NavItem key={item.to} to={item.to} label={item.label} end={item.to === '/'} />
+              ))}
+            </div>
+          </div>
+          <div>
+            <p className="mb-2 px-2 text-xs font-bold tracking-wide text-ink-secondary uppercase">管理</p>
+            <div className="flex flex-col gap-1">
+              {navMore.map((item) => (
+                <NavItem key={item.to} to={item.to} label={item.label} />
+              ))}
+            </div>
+          </div>
+        </nav>
+
+        <div className="rounded-[var(--radius-lg)] border border-line bg-surface-muted p-3 text-sm">
+          <div className="truncate font-semibold text-ink">{member?.email}</div>
+          <div className="mt-1.5">
+            <BadgePill>{member?.roles?.join(', ') || 'user'}</BadgePill>
+          </div>
+          <button
+            type="button"
+            onClick={() => logout()}
+            className="mt-3 w-full rounded-[var(--radius-pill)] border border-line bg-surface px-3 py-2 font-semibold text-ink transition hover:border-brand/30 hover:text-brand"
+          >
+            登出
+          </button>
+        </div>
+      </aside>
+
+      <div className="flex min-w-0 flex-1 flex-col">
+        <header className="sticky top-0 z-10 flex items-center justify-between border-b border-line bg-canvas/85 px-4 py-3 backdrop-blur-md sm:px-5 lg:px-8">
+          <div className="min-w-0 lg:hidden">
+            <p className="text-lg font-black text-brand">巡樓</p>
+            <p className="truncate font-mono text-[11px] text-ink-secondary">{uid || member?.uid}</p>
+          </div>
+          <p className="hidden truncate text-sm text-ink-secondary lg:block">
+            <span className="font-mono text-xs text-ink">{uid || member?.uid}</span>
+          </p>
+          <ThemeToggle compact className="shrink-0" />
+        </header>
+        <main className="layout-main flex-1 overflow-auto px-4 py-5 sm:px-5 md:px-8 md:py-8">
+          <Outlet />
+        </main>
+      </div>
+
+      <MobileBottomNav />
+    </div>
+  )
+}
+
+function BadgePill({ children }: { children: React.ReactNode }) {
+  return (
+    <span className="inline-block rounded-[var(--radius-pill)] bg-brand-soft px-2.5 py-0.5 text-xs font-bold text-brand">
+      {children}
+    </span>
+  )
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/components/MobileBottomNav.tsx b/haixun-backend/web/src/components/MobileBottomNav.tsx
new file mode 100644
index 0000000..f6d0f3b
--- /dev/null
+++ b/haixun-backend/web/src/components/MobileBottomNav.tsx
@@ -0,0 +1,187 @@
+import { useEffect, useState } from 'react'
+import { NavLink, useLocation, useNavigate } from 'react-router-dom'
+import { useAuth } from '../auth/AuthContext'
+import { ThemeToggle } from './ThemeToggle'
+
+const mobileTabs = [
+  { to: '/', label: '總覽', end: true },
+  { to: '/jobs', label: '任務', matchPrefix: '/jobs' },
+  { to: '/job-schedules', label: '排程' },
+] as const
+
+const moreRoutes = [
+  { to: '/ai', label: 'AI' },
+  { to: '/job-templates', label: '模板' },
+  { to: '/settings', label: '設定' },
+  { to: '/profile', label: '會員' },
+  { to: '/permissions', label: '權限' },
+]
+
+function isMoreActive(pathname: string) {
+  return moreRoutes.some((r) => pathname === r.to || pathname.startsWith(`${r.to}/`))
+}
+
+export function MobileBottomNav() {
+  const [moreOpen, setMoreOpen] = useState(false)
+  const location = useLocation()
+  const navigate = useNavigate()
+  const { member, logout } = useAuth()
+
+  useEffect(() => {
+    setMoreOpen(false)
+  }, [location.pathname])
+
+  useEffect(() => {
+    if (!moreOpen) return
+    const onKey = (e: KeyboardEvent) => {
+      if (e.key === 'Escape') setMoreOpen(false)
+    }
+    document.addEventListener('keydown', onKey)
+    document.body.style.overflow = 'hidden'
+    return () => {
+      document.removeEventListener('keydown', onKey)
+      document.body.style.overflow = ''
+    }
+  }, [moreOpen])
+
+  const goMore = (to: string) => {
+    setMoreOpen(false)
+    navigate(to)
+  }
+
+  return (
+    <>
+      <nav
+        className="mobile-bottom-nav fixed inset-x-0 bottom-0 z-30 border-t border-line bg-surface/95 backdrop-blur-md lg:hidden"
+        aria-label="主要導覽"
+      >
+        <div className="mx-auto grid max-w-lg grid-cols-4">
+          {mobileTabs.map((tab) => (
+            <NavLink
+              key={tab.to}
+              to={tab.to}
+              end={'end' in tab ? tab.end : false}
+              className={({ isActive }) => {
+                const prefixActive =
+                  'matchPrefix' in tab && location.pathname.startsWith(tab.matchPrefix)
+                const active = isActive || prefixActive
+                return `flex min-h-[3.25rem] flex-col items-center justify-center gap-0.5 px-1 py-2 text-center text-xs font-bold transition ${
+                  active ? 'text-brand' : 'text-ink-secondary hover:text-brand'
+                }`
+              }}
+            >
+              <TabIcon name={tab.label} />
+              <span>{tab.label}</span>
+            </NavLink>
+          ))}
+          <button
+            type="button"
+            onClick={() => setMoreOpen(true)}
+            className={`flex min-h-[3.25rem] flex-col items-center justify-center gap-0.5 px-1 py-2 text-center text-xs font-bold transition ${
+              isMoreActive(location.pathname) ? 'text-brand' : 'text-ink-secondary hover:text-brand'
+            }`}
+            aria-expanded={moreOpen}
+            aria-haspopup="dialog"
+          >
+            <MoreIcon />
+            <span>更多</span>
+          </button>
+        </div>
+      </nav>
+
+      {moreOpen ? (
+        <div className="fixed inset-0 z-40 lg:hidden" role="presentation">
+          <button
+            type="button"
+            className="absolute inset-0 bg-ink/40"
+            aria-label="關閉選單"
+            onClick={() => setMoreOpen(false)}
+          />
+          <div
+            role="dialog"
+            aria-modal="true"
+            aria-label="更多功能"
+            className="mobile-more-sheet absolute inset-x-0 bottom-0 max-h-[min(85vh,32rem)] overflow-y-auto rounded-t-[var(--radius-xl)] border border-line bg-surface shadow-card"
+          >
+            <div className="sticky top-0 z-10 flex items-center justify-between border-b border-line bg-surface px-5 py-4">
+              <h2 className="text-lg font-bold text-ink">更多</h2>
+              <button
+                type="button"
+                onClick={() => setMoreOpen(false)}
+                className="rounded-[var(--radius-pill)] border border-line px-4 py-2 text-sm font-semibold text-ink transition hover:bg-surface-muted"
+              >
+                關閉
+              </button>
+            </div>
+
+            <div className="grid grid-cols-2 gap-2 p-4 sm:grid-cols-3">
+              {moreRoutes.map((item) => {
+                const active = location.pathname === item.to
+                return (
+                  <button
+                    key={item.to}
+                    type="button"
+                    onClick={() => goMore(item.to)}
+                    className={`rounded-[var(--radius-lg)] border px-4 py-4 text-left text-sm font-bold transition ${
+                      active
+                        ? 'border-brand bg-brand-soft text-brand'
+                        : 'border-line bg-surface-muted text-ink hover:border-brand/30 hover:text-brand'
+                    }`}
+                  >
+                    {item.label}
+                  </button>
+                )
+              })}
+            </div>
+
+            <div className="border-t border-line p-4">
+              <div className="rounded-[var(--radius-lg)] border border-line bg-surface-muted p-4">
+                <div className="truncate font-semibold text-ink">{member?.email}</div>
+                <div className="mt-2 text-xs font-semibold text-ink-secondary">
+                  {member?.roles?.join(', ') || 'user'}
+                </div>
+                <div className="mt-4 flex flex-wrap items-center gap-2">
+                  <ThemeToggle />
+                  <button
+                    type="button"
+                    onClick={() => {
+                      setMoreOpen(false)
+                      logout()
+                    }}
+                    className="rounded-[var(--radius-pill)] border border-line bg-surface px-4 py-2 text-sm font-semibold text-ink transition hover:border-danger/40 hover:text-danger"
+                  >
+                    登出
+                  </button>
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+      ) : null}
+    </>
+  )
+}
+
+function TabIcon({ name }: { name: string }) {
+  const paths: Record<string, string> = {
+    總覽: 'M4 10.5 12 4l8 6.5V20a1 1 0 0 1-1 1h-5v-6H10v6H5a1 1 0 0 1-1-1v-9.5Z',
+    任務: 'M6 4h12a1 1 0 0 1 1 1v14l-7-3.5L5 19V5a1 1 0 0 1 1-1Z',
+    排程: 'M8 2v4M16 2v4M4 8h16M6 4h12a2 2 0 0 1 2 2v12a2 2 0 0 1-2 2H6a2 2 0 0 1-2-2V6a2 2 0 0 1 2-2Z',
+  }
+  const d = paths[name] ?? paths['總覽']
+  return (
+    <svg aria-hidden className="h-5 w-5" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.75">
+      <path d={d} strokeLinecap="round" strokeLinejoin="round" />
+    </svg>
+  )
+}
+
+function MoreIcon() {
+  return (
+    <svg aria-hidden className="h-5 w-5" viewBox="0 0 24 24" fill="currentColor">
+      <circle cx="5" cy="12" r="2" />
+      <circle cx="12" cy="12" r="2" />
+      <circle cx="19" cy="12" r="2" />
+    </svg>
+  )
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/components/ProtectedRoute.tsx b/haixun-backend/web/src/components/ProtectedRoute.tsx
new file mode 100644
index 0000000..7606244
--- /dev/null
+++ b/haixun-backend/web/src/components/ProtectedRoute.tsx
@@ -0,0 +1,15 @@
+import { Navigate, Outlet } from 'react-router-dom'
+import { useAuth } from '../auth/AuthContext'
+
+export function ProtectedRoute() {
+  const { isAuthenticated, loading } = useAuth()
+  if (loading) {
+    return (
+      <div className="flex min-h-screen items-center justify-center bg-canvas text-muted">
+        載入中…
+      </div>
+    )
+  }
+  if (!isAuthenticated) return <Navigate to="/login" replace />
+  return <Outlet />
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/components/ThemeToggle.tsx b/haixun-backend/web/src/components/ThemeToggle.tsx
new file mode 100644
index 0000000..a0f7740
--- /dev/null
+++ b/haixun-backend/web/src/components/ThemeToggle.tsx
@@ -0,0 +1,28 @@
+import { useTheme } from '../theme/ThemeContext'
+import { Button } from './ui'
+
+export function ThemeToggle({
+  className = '',
+  compact = false,
+}: {
+  className?: string
+  compact?: boolean
+}) {
+  const { theme, toggleTheme } = useTheme()
+  const isDark = theme === 'dark'
+
+  return (
+    <Button
+      type="button"
+      variant="ghost"
+      onClick={toggleTheme}
+      className={`gap-2 ${compact ? 'px-3 py-2' : 'px-4'} ${className}`}
+      aria-label={isDark ? '切換為淺色模式' : '切換為深色模式'}
+    >
+      <span aria-hidden className="text-base leading-none">
+        {isDark ? '☀️' : '🌙'}
+      </span>
+      <span className={compact ? 'hidden sm:inline' : ''}>{isDark ? '淺色' : '深色'}</span>
+    </Button>
+  )
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/components/ui.tsx b/haixun-backend/web/src/components/ui.tsx
new file mode 100644
index 0000000..ae35bff
--- /dev/null
+++ b/haixun-backend/web/src/components/ui.tsx
@@ -0,0 +1,178 @@
+import type { ReactNode } from 'react'
+import { Link } from 'react-router-dom'
+
+export function PageTitle({ title, subtitle }: { title: string; subtitle?: string }) {
+  return (
+    <div className="mb-8">
+      <h1 className="text-balance text-3xl font-bold tracking-tight text-ink md:text-4xl">{title}</h1>
+      {subtitle ? (
+        <p className="mt-2 max-w-2xl text-base leading-relaxed text-ink-secondary">{subtitle}</p>
+      ) : null}
+    </div>
+  )
+}
+
+export function Card({ children, className = '' }: { children: ReactNode; className?: string }) {
+  return (
+    <div className={`rounded-[var(--radius-lg)] border border-line bg-surface p-6 shadow-card ${className}`}>
+      {children}
+    </div>
+  )
+}
+
+export function Field({
+  label,
+  children,
+}: {
+  label: string
+  children: ReactNode
+}) {
+  return (
+    <label className="block text-sm">
+      <span className="mb-2 block font-semibold text-ink">{label}</span>
+      {children}
+    </label>
+  )
+}
+
+export function Input(props: React.InputHTMLAttributes<HTMLInputElement>) {
+  return (
+    <input
+      {...props}
+      className={`w-full rounded-[var(--radius-md)] border border-line bg-surface px-4 py-3 text-[15px] font-normal text-ink outline-none transition placeholder:text-subtle focus:border-brand focus:ring-4 focus:ring-brand-soft ${props.className ?? ''}`}
+    />
+  )
+}
+
+export function Textarea(props: React.TextareaHTMLAttributes<HTMLTextAreaElement>) {
+  return (
+    <textarea
+      {...props}
+      className={`w-full rounded-[var(--radius-md)] border border-line bg-surface px-4 py-3 font-mono text-[15px] text-ink outline-none transition placeholder:text-subtle focus:border-brand focus:ring-4 focus:ring-brand-soft ${props.className ?? ''}`}
+    />
+  )
+}
+
+export function Button({
+  children,
+  variant = 'primary',
+  ...props
+}: React.ButtonHTMLAttributes<HTMLButtonElement> & { variant?: 'primary' | 'ghost' | 'danger' | 'soft' }) {
+  const styles =
+    variant === 'primary'
+      ? 'bg-brand text-white hover:bg-brand-hover shadow-soft'
+      : variant === 'danger'
+        ? 'bg-danger text-white hover:opacity-90'
+        : variant === 'soft'
+          ? 'bg-brand-soft text-brand hover:opacity-90'
+          : 'border border-line bg-surface text-ink hover:bg-surface-muted'
+  const { className, ...rest } = props
+  return (
+    <button
+      {...rest}
+      className={`inline-flex min-h-11 items-center justify-center rounded-[var(--radius-pill)] px-5 py-2.5 text-sm font-semibold whitespace-nowrap transition active:scale-[0.98] disabled:opacity-50 ${styles} ${className ?? ''}`}
+    >
+      {children}
+    </button>
+  )
+}
+
+export function Badge({
+  children,
+  tone = 'neutral',
+}: {
+  children: ReactNode
+  tone?: 'neutral' | 'brand' | 'sky' | 'success' | 'warning' | 'danger'
+}) {
+  const tones = {
+    neutral: 'bg-accent-soft text-ink',
+    brand: 'bg-brand-soft text-brand',
+    sky: 'bg-glow text-brand',
+    success: 'bg-success-soft text-success',
+    warning: 'bg-warning-soft text-warning',
+    danger: 'bg-danger-soft text-danger',
+  }
+  return (
+    <span
+      className={`inline-flex items-center rounded-[var(--radius-pill)] px-3 py-1 text-[13px] font-bold ${tones[tone]}`}
+    >
+      {children}
+    </span>
+  )
+}
+
+export function ErrorText({ message }: { message?: string }) {
+  if (!message) return null
+  return <p className="mt-2 text-sm text-danger">{message}</p>
+}
+
+export function CopyableId({ label, value }: { label: string; value: string }) {
+  const copy = async () => {
+    if (!value) return
+    await navigator.clipboard.writeText(value)
+  }
+  return (
+    <div className="rounded-[var(--radius-md)] border border-line bg-surface-muted px-4 py-3">
+      <div className="text-xs font-semibold text-ink-secondary">{label}</div>
+      <div className="mt-1 flex items-start justify-between gap-2">
+        <code className="break-all text-sm text-ink">{value || '—'}</code>
+        {value ? (
+          <button
+            type="button"
+            onClick={copy}
+            className="shrink-0 rounded-[var(--radius-pill)] border border-line bg-surface px-3 py-1 text-xs font-semibold text-ink transition hover:bg-brand-soft hover:text-brand"
+          >
+            複製
+          </button>
+        ) : null}
+      </div>
+    </div>
+  )
+}
+
+export function QuickLinkCard({
+  to,
+  title,
+  desc,
+  tag,
+}: {
+  to: string
+  title: string
+  desc: string
+  tag?: string
+}) {
+  return (
+    <Link
+      to={to}
+      className="group block rounded-[var(--radius-xl)] border border-line bg-surface p-6 shadow-card transition hover:-translate-y-1 hover:border-brand/40 hover:shadow-soft"
+    >
+      {tag ? <Badge tone="brand">{tag}</Badge> : null}
+      <h3 className="mt-3 text-lg font-bold text-ink transition group-hover:text-brand">{title}</h3>
+      <p className="mt-2 text-[15px] leading-relaxed text-ink-secondary">{desc}</p>
+      <span className="mt-4 inline-flex items-center gap-1 text-sm font-semibold text-brand">
+        前往 <span className="transition group-hover:translate-x-0.5">→</span>
+      </span>
+    </Link>
+  )
+}
+
+export function StatCard({
+  label,
+  value,
+  hint,
+  tone = 'default',
+}: {
+  label: string
+  value: ReactNode
+  hint?: string
+  tone?: 'default' | 'brand' | 'sky'
+}) {
+  const bg = tone === 'brand' ? 'bg-brand-soft' : tone === 'sky' ? 'bg-glow' : 'bg-surface'
+  return (
+    <div className={`rounded-[var(--radius-xl)] border border-line p-6 shadow-card ${bg}`}>
+      <p className="text-sm font-semibold text-ink-secondary">{label}</p>
+      <div className="mt-3 text-3xl font-bold tracking-tight text-ink">{value}</div>
+      {hint ? <p className="mt-2 text-sm text-muted">{hint}</p> : null}
+    </div>
+  )
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/index.css b/haixun-backend/web/src/index.css
new file mode 100644
index 0000000..3f6ee03
--- /dev/null
+++ b/haixun-backend/web/src/index.css
@@ -0,0 +1,181 @@
+@import "tailwindcss";
+@import "taipei-sans-tc/dist/Regular/TaipeiSansTCBeta-Regular.css";
+@import "taipei-sans-tc/dist/Bold/TaipeiSansTCBeta-Bold.css";
+
+/* ── Light：明亮、對比足夠（小字也清楚） ── */
+:root,
+[data-theme="light"] {
+  color-scheme: light;
+
+  --hx-canvas: #f0f4fc;
+  --hx-surface: #ffffff;
+  --hx-surface-muted: #e8eef8;
+  --hx-ink: #0c1222;
+  --hx-ink-secondary: #334155;
+  --hx-muted: #5a6578;
+  --hx-subtle: #6b7589;
+  --hx-line: #d5dde8;
+  --hx-brand: #3b57e8;
+  --hx-brand-hover: #2f46d4;
+  --hx-brand-soft: #dce4ff;
+  --hx-glow: #cfe0ff;
+  --hx-accent: #3b57e8;
+  --hx-accent-hover: #2f46d4;
+  --hx-accent-soft: #e8eeff;
+  --hx-success: #15803d;
+  --hx-success-soft: #d1fae5;
+  --hx-warning: #b45309;
+  --hx-warning-soft: #fde68a;
+  --hx-danger: #dc2626;
+  --hx-danger-soft: #fecaca;
+  --hx-shadow-soft: 0 12px 40px -16px rgb(59 87 232 / 0.2);
+  --hx-shadow-card: 0 4px 24px -10px rgb(12 18 34 / 0.1);
+  --hx-hero-gradient: linear-gradient(135deg, #dce4ff 0%, #f0f4fc 55%, #ffffff 100%);
+}
+
+/* ── Dark：正文與輔助字都拉高亮度 ── */
+[data-theme="dark"] {
+  color-scheme: dark;
+
+  --hx-canvas: #080d18;
+  --hx-surface: #111827;
+  --hx-surface-muted: #1a2438;
+  --hx-ink: #f8fafc;
+  --hx-ink-secondary: #e2e8f0;
+  --hx-muted: #b8c4d6;
+  --hx-subtle: #9aa8bc;
+  --hx-line: #2a3a52;
+  --hx-brand: #8ba3ff;
+  --hx-brand-hover: #a5b8ff;
+  --hx-brand-soft: #243560;
+  --hx-glow: #1e3356;
+  --hx-accent: #8ba3ff;
+  --hx-accent-hover: #a5b8ff;
+  --hx-accent-soft: #1c2844;
+  --hx-success: #4ade80;
+  --hx-success-soft: #14532d;
+  --hx-warning: #fcd34d;
+  --hx-warning-soft: #78350f;
+  --hx-danger: #fca5a5;
+  --hx-danger-soft: #7f1d1d;
+  --hx-shadow-soft: 0 12px 40px -16px rgb(0 0 0 / 0.55);
+  --hx-shadow-card: 0 4px 24px -10px rgb(0 0 0 / 0.35);
+  --hx-hero-gradient: linear-gradient(135deg, #1a2848 0%, #111827 50%, #080d18 100%);
+}
+
+@theme {
+  --font-sans: "Inter", "Taipei Sans TC", "PingFang TC", "Microsoft JhengHei", sans-serif;
+  --font-zh: "Taipei Sans TC", "PingFang TC", "Microsoft JhengHei", sans-serif;
+  --font-en: "Inter", system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+
+  --color-canvas: var(--hx-canvas);
+  --color-surface: var(--hx-surface);
+  --color-surface-muted: var(--hx-surface-muted);
+  --color-ink: var(--hx-ink);
+  --color-ink-secondary: var(--hx-ink-secondary);
+  --color-muted: var(--hx-muted);
+  --color-subtle: var(--hx-subtle);
+  --color-line: var(--hx-line);
+  --color-brand: var(--hx-brand);
+  --color-brand-hover: var(--hx-brand-hover);
+  --color-brand-soft: var(--hx-brand-soft);
+  --color-glow: var(--hx-glow);
+  --color-accent: var(--hx-accent);
+  --color-accent-hover: var(--hx-accent-hover);
+  --color-accent-soft: var(--hx-accent-soft);
+  --color-success: var(--hx-success);
+  --color-success-soft: var(--hx-success-soft);
+  --color-warning: var(--hx-warning);
+  --color-warning-soft: var(--hx-warning-soft);
+  --color-danger: var(--hx-danger);
+  --color-danger-soft: var(--hx-danger-soft);
+
+  --radius-sm: 0.75rem;
+  --radius-md: 1.25rem;
+  --radius-lg: 1.75rem;
+  --radius-xl: 2.25rem;
+  --radius-pill: 9999px;
+}
+
+body {
+  margin: 0;
+  min-height: 100vh;
+  font-family: var(--font-sans);
+  font-size: 1rem;
+  font-weight: 400;
+  line-height: 1.7;
+  background: var(--hx-canvas);
+  color: var(--hx-ink);
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
+  text-rendering: optimizeLegibility;
+  font-feature-settings: "cv02", "cv03", "cv04", "cv11";
+  transition: background-color 0.25s ease, color 0.25s ease;
+}
+
+* {
+  box-sizing: border-box;
+}
+
+h1,
+h2,
+h3 {
+  font-family: var(--font-sans);
+  font-weight: 700;
+  letter-spacing: -0.02em;
+  color: var(--hx-ink);
+}
+
+.display-en {
+  font-family: var(--font-en);
+  letter-spacing: -0.02em;
+}
+
+.text-balance {
+  text-wrap: balance;
+}
+
+/* 表頭、欄位標籤：小字也要清楚 */
+th {
+  color: var(--hx-ink-secondary);
+  font-weight: 600;
+}
+
+.shadow-soft {
+  box-shadow: var(--hx-shadow-soft);
+}
+
+.shadow-card {
+  box-shadow: var(--hx-shadow-card);
+}
+
+.hero-panel {
+  background: var(--hx-hero-gradient);
+}
+
+.glow-blob {
+  background: var(--hx-brand-soft);
+}
+
+.glow-blob-alt {
+  background: var(--hx-glow);
+}
+
+/* 手機底部導覽：預留安全區 + 主內容底部間距 */
+.mobile-bottom-nav {
+  padding-bottom: env(safe-area-inset-bottom, 0px);
+}
+
+.mobile-more-sheet {
+  padding-bottom: calc(env(safe-area-inset-bottom, 0px) + 0.5rem);
+}
+
+.layout-main {
+  padding-bottom: calc(5.5rem + env(safe-area-inset-bottom, 0px));
+}
+
+@media (min-width: 1024px) {
+  .layout-main {
+    padding-bottom: 2rem;
+  }
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/lib/jobStatus.ts b/haixun-backend/web/src/lib/jobStatus.ts
new file mode 100644
index 0000000..ad68c7b
--- /dev/null
+++ b/haixun-backend/web/src/lib/jobStatus.ts
@@ -0,0 +1,52 @@
+const TERMINAL = new Set(['succeeded', 'failed', 'cancelled', 'expired'])
+
+export function isTerminalJobStatus(status: string): boolean {
+  return TERMINAL.has(status)
+}
+
+export function jobStatusLabel(status: string): string {
+  switch (status) {
+    case 'pending':
+      return '等待中'
+    case 'queued':
+      return '已排隊'
+    case 'running':
+      return '執行中'
+    case 'waiting_worker':
+      return '等待 Worker'
+    case 'cancel_requested':
+      return '取消中'
+    case 'succeeded':
+      return '已完成'
+    case 'failed':
+      return '失敗'
+    case 'cancelled':
+      return '已取消'
+    case 'expired':
+      return '已過期'
+    default:
+      return status
+  }
+}
+
+export function jobStatusBadgeClass(status: string): string {
+  switch (status) {
+    case 'running':
+      return 'bg-brand-soft text-brand'
+    case 'queued':
+    case 'pending':
+    case 'waiting_worker':
+      return 'bg-warning-soft text-warning'
+    case 'cancel_requested':
+      return 'bg-warning-soft text-warning'
+    case 'succeeded':
+      return 'bg-success-soft text-success'
+    case 'failed':
+    case 'expired':
+      return 'bg-danger-soft text-danger'
+    case 'cancelled':
+      return 'bg-accent-soft text-muted'
+    default:
+      return 'bg-accent-soft text-ink-secondary'
+  }
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/lib/storage.ts b/haixun-backend/web/src/lib/storage.ts
new file mode 100644
index 0000000..68fc0c2
--- /dev/null
+++ b/haixun-backend/web/src/lib/storage.ts
@@ -0,0 +1,25 @@
+const KEYS = {
+  tenantId: 'haixun.tenant_id',
+  accessToken: 'haixun.access_token',
+  refreshToken: 'haixun.refresh_token',
+  uid: 'haixun.uid',
+  aiProviderToken: 'haixun.ai_provider_token',
+} as const
+
+export const storage = {
+  getTenantId: () => localStorage.getItem(KEYS.tenantId) ?? '',
+  setTenantId: (v: string) => localStorage.setItem(KEYS.tenantId, v),
+  getAccessToken: () => localStorage.getItem(KEYS.accessToken) ?? '',
+  setAccessToken: (v: string) => localStorage.setItem(KEYS.accessToken, v),
+  getRefreshToken: () => localStorage.getItem(KEYS.refreshToken) ?? '',
+  setRefreshToken: (v: string) => localStorage.setItem(KEYS.refreshToken, v),
+  getUid: () => localStorage.getItem(KEYS.uid) ?? '',
+  setUid: (v: string) => localStorage.setItem(KEYS.uid, v),
+  getAiProviderToken: () => localStorage.getItem(KEYS.aiProviderToken) ?? '',
+  setAiProviderToken: (v: string) => localStorage.setItem(KEYS.aiProviderToken, v),
+  clearSession: () => {
+    localStorage.removeItem(KEYS.accessToken)
+    localStorage.removeItem(KEYS.refreshToken)
+    localStorage.removeItem(KEYS.uid)
+  },
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/main.tsx b/haixun-backend/web/src/main.tsx
new file mode 100644
index 0000000..4f9ad12
--- /dev/null
+++ b/haixun-backend/web/src/main.tsx
@@ -0,0 +1,10 @@
+import { StrictMode } from 'react'
+import { createRoot } from 'react-dom/client'
+import App from './App'
+import './index.css'
+
+createRoot(document.getElementById('root')!).render(
+  <StrictMode>
+    <App />
+  </StrictMode>,
+)
\ No newline at end of file
diff --git a/haixun-backend/web/src/pages/AiPage.tsx b/haixun-backend/web/src/pages/AiPage.tsx
new file mode 100644
index 0000000..4e8a08a
--- /dev/null
+++ b/haixun-backend/web/src/pages/AiPage.tsx
@@ -0,0 +1,148 @@
+import { useEffect, useState } from 'react'
+import { api, streamAIChat } from '../api/client'
+import { ApiError } from '../api/client'
+import { storage } from '../lib/storage'
+import { Button, Card, ErrorText, Field, Input, PageTitle, Textarea } from '../components/ui'
+import type { AIProviderOption } from '../types/api'
+
+export function AiPage() {
+  const [providers, setProviders] = useState<AIProviderOption[]>([])
+  const [provider, setProvider] = useState('opencode-go')
+  const [model, setModel] = useState('')
+  const [models, setModels] = useState<string[]>([])
+  const [providerToken, setProviderToken] = useState(() => storage.getAiProviderToken())
+  const [prompt, setPrompt] = useState('用一句話介紹巡樓系統')
+  const [reply, setReply] = useState('')
+  const [streaming, setStreaming] = useState(false)
+  const [error, setError] = useState('')
+
+  useEffect(() => {
+    api
+      .get<{ providers: AIProviderOption[] }>('/api/v1/ai/providers')
+      .then((d) => {
+        setProviders(d.providers)
+        if (d.providers[0]) setProvider(d.providers[0].id)
+      })
+      .catch((e: ApiError) => setError(e.message))
+  }, [])
+
+  const loadModels = async () => {
+    setError('')
+    storage.setAiProviderToken(providerToken)
+    try {
+      const data = await api.post<{ models: string[]; error?: string }>(
+        `/api/v1/ai/providers/${provider}/models`,
+        { provider },
+        { memberAuth: true, providerToken },
+      )
+      setModels(data.models)
+      if (data.models[0]) setModel(data.models[0])
+      if (data.error) setError(data.error)
+    } catch (e) {
+      setError(e instanceof ApiError ? e.message : '拉 models 失敗')
+    }
+  }
+
+  const chatOnce = async () => {
+    setError('')
+    setReply('')
+    storage.setAiProviderToken(providerToken)
+    try {
+      const data = await api.post<{ text: string }>(
+        '/api/v1/ai/chat',
+        {
+          provider,
+          model,
+          messages: [{ role: 'user', content: prompt }],
+        },
+        { memberAuth: true, providerToken },
+      )
+      setReply(data.text)
+    } catch (e) {
+      setError(e instanceof ApiError ? e.message : 'chat 失敗')
+    }
+  }
+
+  const chatStream = async () => {
+    setError('')
+    setReply('')
+    setStreaming(true)
+    storage.setAiProviderToken(providerToken)
+    await streamAIChat(
+      { provider, model, messages: [{ role: 'user', content: prompt }] },
+      (t) => setReply((r) => r + t),
+      () => setStreaming(false),
+      (msg) => {
+        setError(msg)
+        setStreaming(false)
+      },
+    )
+    setStreaming(false)
+  }
+
+  return (
+    <div>
+      <PageTitle
+        title="AI"
+        subtitle="Provider token 放 Authorization；會員 JWT 放 X-Member-Authorization"
+      />
+      <div className="grid gap-4 lg:grid-cols-2">
+        <Card className="space-y-4">
+          <Field label="Provider API Token">
+            <Input
+              type="password"
+              value={providerToken}
+              onChange={(e) => setProviderToken(e.target.value)}
+              placeholder="sk-..."
+            />
+          </Field>
+          <Field label="Provider">
+            <select
+              className="w-full rounded-[var(--radius-md)] border border-line bg-surface px-4 py-3 text-[15px] text-ink outline-none focus:border-brand focus:ring-4 focus:ring-brand-soft"
+              value={provider}
+              onChange={(e) => setProvider(e.target.value)}
+            >
+              {providers.map((p) => (
+                <option key={p.id} value={p.id}>
+                  {p.label} {p.streams ? '(stream)' : ''}
+                </option>
+              ))}
+            </select>
+          </Field>
+          <div className="flex gap-2">
+            <Button variant="ghost" onClick={loadModels}>
+              從 Provider 載入模型清單
+            </Button>
+            <select
+              className="flex-1 rounded-[var(--radius-md)] border border-line bg-surface px-4 py-3 text-[15px] text-ink outline-none focus:border-brand focus:ring-4 focus:ring-brand-soft"
+              value={model}
+              onChange={(e) => setModel(e.target.value)}
+            >
+              {models.map((m) => (
+                <option key={m} value={m}>
+                  {m}
+                </option>
+              ))}
+            </select>
+          </div>
+          <Field label="Prompt">
+            <Textarea rows={4} value={prompt} onChange={(e) => setPrompt(e.target.value)} />
+          </Field>
+          <div className="flex gap-2">
+            <Button onClick={chatOnce} disabled={!model || streaming}>
+              送出對話（一次完整回覆）
+            </Button>
+            <Button variant="ghost" onClick={chatStream} disabled={!model || streaming}>
+              {streaming ? '串流回覆中…' : '送出對話（SSE 串流回覆）'}
+            </Button>
+          </div>
+          <ErrorText message={error} />
+        </Card>
+        <Card>
+          <h2 className="font-semibold text-ink">回應</h2>
+          <pre className="mt-3 whitespace-pre-wrap text-[15px] leading-relaxed text-ink">{reply || '—'}</pre>
+        </Card>
+      </div>
+    </div>
+  )
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/pages/DashboardPage.tsx b/haixun-backend/web/src/pages/DashboardPage.tsx
new file mode 100644
index 0000000..3c44ba3
--- /dev/null
+++ b/haixun-backend/web/src/pages/DashboardPage.tsx
@@ -0,0 +1,85 @@
+import { useEffect, useState } from 'react'
+import { api } from '../api/client'
+import { useAuth } from '../auth/AuthContext'
+import { Badge, Card, PageTitle, QuickLinkCard, StatCard } from '../components/ui'
+
+export function DashboardPage() {
+  const { member, tenantId, uid } = useAuth()
+  const [health, setHealth] = useState('')
+
+  useEffect(() => {
+    api
+      .get<{ pong: string }>('/api/v1/health')
+      .then((d) => setHealth(d.pong))
+      .catch(() => setHealth('unreachable'))
+  }, [])
+
+  const healthy = health === 'pong'
+
+  return (
+    <div className="max-w-6xl">
+      <section className="hero-panel relative mb-10 overflow-hidden rounded-[var(--radius-xl)] border border-line p-8 shadow-soft md:p-10">
+        <div
+          aria-hidden
+          className="glow-blob pointer-events-none absolute -top-16 -right-10 h-48 w-48 rounded-full opacity-60 blur-2xl"
+        />
+        <div
+          aria-hidden
+          className="glow-blob-alt pointer-events-none absolute bottom-4 left-1/3 h-28 w-28 rounded-full opacity-50 blur-xl"
+        />
+        <p className="display-en relative text-xs font-bold tracking-[0.24em] text-brand uppercase">
+          Patrol Hub
+        </p>
+        <h1 className="relative mt-3 max-w-2xl text-balance text-4xl font-black tracking-tight text-ink md:text-[2.75rem] md:leading-tight">
+          今天也要
+          <span className="text-brand">順利巡完</span>
+        </h1>
+        <p className="relative mt-4 max-w-lg text-base text-ink-secondary">
+          任務、排程、AI 助手都在這裡。狀態一眼看懂，不用到處找。
+        </p>
+        <div className="relative mt-6 flex flex-wrap gap-2">
+          <Badge tone="brand">巡檢</Badge>
+          <Badge tone="sky">任務</Badge>
+          <Badge tone="neutral">即時</Badge>
+        </div>
+      </section>
+
+      <PageTitle title="系統狀態" subtitle="連線與登入資訊" />
+
+      <div className="mb-10 grid gap-4 sm:grid-cols-2 lg:grid-cols-3">
+        <StatCard
+          label="API"
+          value={healthy ? '連線正常' : health || '…'}
+          hint="GET /api/v1/health"
+          tone={healthy ? 'brand' : 'sky'}
+        />
+        <StatCard label="Tenant" value={tenantId} hint="租戶 ID" />
+        <StatCard label="角色" value={member?.roles?.join(', ') || 'user'} hint={member?.email} />
+      </div>
+
+      <PageTitle title="快速開始" subtitle="常用功能" />
+
+      <div className="mb-10 grid gap-4 sm:grid-cols-2 xl:grid-cols-3">
+        <QuickLinkCard to="/jobs" tag="任務" title="背景任務" desc="建立、追蹤、取消或重試巡檢任務。" />
+        <QuickLinkCard to="/job-schedules" tag="排程" title="定時排程" desc="用 cron 自動觸發，不用手動按。" />
+        <QuickLinkCard to="/ai" tag="AI" title="AI 助手" desc="串流對話，輔助紀錄與分析。" />
+        <QuickLinkCard to="/settings" tag="設定" title="系統設定" desc="管理 key-value 設定。" />
+        <QuickLinkCard to="/profile" tag="會員" title="個人資料" desc="更新顯示名稱與偏好。" />
+      </div>
+
+      <Card>
+        <h2 className="text-lg font-bold text-ink">Session</h2>
+        <dl className="mt-4 grid gap-3 text-sm sm:grid-cols-2">
+          <div className="rounded-[var(--radius-md)] bg-surface-muted px-4 py-3">
+            <dt className="text-xs font-semibold text-ink-secondary">UID</dt>
+            <dd className="mt-1 break-all font-mono text-sm text-ink">{member?.uid || uid}</dd>
+          </div>
+          <div className="rounded-[var(--radius-md)] bg-surface-muted px-4 py-3">
+            <dt className="text-xs font-semibold text-ink-secondary">Email</dt>
+            <dd className="mt-1 text-ink">{member?.email}</dd>
+          </div>
+        </dl>
+      </Card>
+    </div>
+  )
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/pages/JobDetailPage.tsx b/haixun-backend/web/src/pages/JobDetailPage.tsx
new file mode 100644
index 0000000..eb65c23
--- /dev/null
+++ b/haixun-backend/web/src/pages/JobDetailPage.tsx
@@ -0,0 +1,90 @@
+import { useCallback, useEffect, useState } from 'react'
+import { Link, useParams } from 'react-router-dom'
+import { api } from '../api/client'
+import { ApiError } from '../api/client'
+import { Card, PageTitle } from '../components/ui'
+import { isTerminalJobStatus, jobStatusBadgeClass, jobStatusLabel } from '../lib/jobStatus'
+import type { JobData, JobEventData } from '../types/api'
+
+export function JobDetailPage() {
+  const { id } = useParams()
+  const [job, setJob] = useState<JobData | null>(null)
+  const [events, setEvents] = useState<JobEventData[]>([])
+  const [error, setError] = useState('')
+
+  const load = useCallback(async () => {
+    if (!id) return
+    const [j, ev] = await Promise.all([
+      api.get<JobData>(`/api/v1/jobs/${id}`, { auth: true }),
+      api.get<{ list: JobEventData[] }>(`/api/v1/jobs/${id}/events`, {
+        auth: true,
+        query: { limit: 50 },
+      }),
+    ])
+    setJob(j)
+    setEvents(ev.list)
+  }, [id])
+
+  useEffect(() => {
+    load().catch((e: ApiError) => setError(e.message))
+  }, [load])
+
+  useEffect(() => {
+    if (!job || isTerminalJobStatus(job.status)) return
+    const timer = window.setInterval(() => {
+      load().catch(() => {})
+    }, 3000)
+    return () => window.clearInterval(timer)
+  }, [job, load])
+
+  if (error) return <p className="text-rose-600">{error}</p>
+  if (!job) return <p className="text-ink-secondary">載入中…</p>
+
+  return (
+    <div>
+      <PageTitle
+        title={`Job ${id?.slice(0, 8)}…`}
+        subtitle={`${jobStatusLabel(job.status)} · ${job.phase}`}
+      />
+      <Card className="mb-4">
+        <div className="flex flex-wrap items-center gap-3">
+          <span
+            className={`rounded-[var(--radius-pill)] px-4 py-1.5 text-sm font-medium ${jobStatusBadgeClass(job.status)}`}
+          >
+            {jobStatusLabel(job.status)}
+          </span>
+          <span className="text-sm text-ink-secondary">{job.progress.summary || '—'}</span>
+        </div>
+        <div className="mt-3 h-3 overflow-hidden rounded-[var(--radius-pill)] bg-accent-soft">
+          <div
+            className="h-full rounded-[var(--radius-pill)] bg-gradient-to-r from-brand to-brand-hover transition-all"
+            style={{ width: `${Math.min(100, Math.max(0, job.progress.percentage))}%` }}
+          />
+        </div>
+        <p className="mt-1 text-sm font-medium text-ink-secondary">{job.progress.percentage}%</p>
+      </Card>
+      <Link
+        to="/jobs"
+        className="mb-4 inline-block rounded-[var(--radius-pill)] border border-line bg-surface px-4 py-2 text-sm font-medium text-brand hover:bg-brand-soft"
+      >
+        ← 返回任務列表
+      </Link>
+      <div className="grid gap-4 lg:grid-cols-2">
+        <Card>
+          <pre className="overflow-auto text-xs">{JSON.stringify(job, null, 2)}</pre>
+        </Card>
+        <Card>
+          <h2 className="font-medium">Events</h2>
+          <ul className="mt-3 max-h-[32rem] space-y-2 overflow-auto text-sm">
+            {events.map((e) => (
+              <li key={e.id} className="rounded-[var(--radius-md)] border border-line bg-surface-muted p-3">
+                <div className="font-mono text-xs font-semibold text-ink-secondary">{e.type}</div>
+                <div>{e.message}</div>
+              </li>
+            ))}
+          </ul>
+        </Card>
+      </div>
+    </div>
+  )
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/pages/JobSchedulesPage.tsx b/haixun-backend/web/src/pages/JobSchedulesPage.tsx
new file mode 100644
index 0000000..ed1c6e3
--- /dev/null
+++ b/haixun-backend/web/src/pages/JobSchedulesPage.tsx
@@ -0,0 +1,125 @@
+import { useEffect, useState } from 'react'
+import { api } from '../api/client'
+import { ApiError } from '../api/client'
+import { useAuth } from '../auth/AuthContext'
+import { Button, Card, ErrorText, Field, Input, PageTitle } from '../components/ui'
+import type { JobScheduleData, Pagination } from '../types/api'
+
+export function JobSchedulesPage() {
+  const { uid } = useAuth()
+  const [schedules, setSchedules] = useState<JobScheduleData[]>([])
+  const [pagination, setPagination] = useState<Pagination | null>(null)
+  const [error, setError] = useState('')
+  const [form, setForm] = useState({
+    template_type: 'demo_long_task',
+    scope: 'user',
+    scope_id: uid,
+    cron: '0 */6 * * *',
+    timezone: 'Asia/Taipei',
+    enabled: true,
+  })
+
+  const load = async () => {
+    setError('')
+    try {
+      const data = await api.get<{ list: JobScheduleData[]; pagination: Pagination }>(
+        '/api/v1/job/schedules',
+        { auth: true, query: { page: 1, pageSize: 20 } },
+      )
+      setSchedules(data.list)
+      setPagination(data.pagination)
+    } catch (e) {
+      setError(e instanceof ApiError ? e.message : '載入失敗')
+    }
+  }
+
+  useEffect(() => {
+    if (uid) setForm((f) => ({ ...f, scope_id: uid }))
+    load()
+  }, [uid])
+
+  const create = async () => {
+    setError('')
+    try {
+      await api.post('/api/v1/job/schedules', form, { auth: true })
+      await load()
+    } catch (e) {
+      setError(e instanceof ApiError ? e.message : '建立失敗')
+    }
+  }
+
+  const toggle = async (id: string, enabled: boolean) => {
+    const path = enabled ? 'disable' : 'enable'
+    await api.post(`/api/v1/job/schedules/${id}/${path}`, {}, { auth: true })
+    await load()
+  }
+
+  return (
+    <div>
+      <PageTitle title="Job 排程" subtitle="建立、列表、啟用/停用" />
+      <Card className="mb-4 grid gap-3 md:grid-cols-2">
+        <Field label="Template Type">
+          <Input
+            value={form.template_type}
+            onChange={(e) => setForm((f) => ({ ...f, template_type: e.target.value }))}
+          />
+        </Field>
+        <Field label="Cron">
+          <Input value={form.cron} onChange={(e) => setForm((f) => ({ ...f, cron: e.target.value }))} />
+        </Field>
+        <Field label="Scope ID">
+          <Input
+            value={form.scope_id}
+            onChange={(e) => setForm((f) => ({ ...f, scope_id: e.target.value }))}
+          />
+        </Field>
+        <Field label="Timezone">
+          <Input
+            value={form.timezone}
+            onChange={(e) => setForm((f) => ({ ...f, timezone: e.target.value }))}
+          />
+        </Field>
+        <div className="flex flex-wrap gap-2 md:col-span-2">
+          <Button onClick={create}>建立定時排程任務</Button>
+          <Button variant="ghost" onClick={load}>
+            重新載入排程列表
+          </Button>
+        </div>
+        <ErrorText message={error} />
+      </Card>
+      {pagination ? <p className="mb-2 text-sm text-muted">共 {pagination.total} 筆</p> : null}
+      <Card className="overflow-x-auto">
+        <table className="w-full min-w-[40rem] text-left text-sm">
+          <thead>
+            <tr className="border-b border-line text-ink-secondary">
+              <th className="py-2">ID</th>
+              <th>Cron</th>
+              <th>Template</th>
+              <th>Enabled</th>
+              <th>操作</th>
+            </tr>
+          </thead>
+          <tbody>
+            {schedules.map((s) => (
+              <tr key={s.id} className="border-b border-line">
+                <td className="py-2 font-mono text-xs">{s.id.slice(0, 8)}…</td>
+                <td>{s.cron}</td>
+                <td>{s.template_type}</td>
+                <td>{s.enabled ? 'yes' : 'no'}</td>
+                <td>
+                  <button
+                    type="button"
+                    className="text-xs font-medium text-brand"
+                    onClick={() => toggle(s.id, s.enabled)}
+                  >
+                    {s.enabled ? '停用此排程' : '啟用此排程'}
+                  </button>
+                </td>
+              </tr>
+            ))}
+          </tbody>
+        </table>
+      </Card>
+    </div>
+  )
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/pages/JobTemplatesPage.tsx b/haixun-backend/web/src/pages/JobTemplatesPage.tsx
new file mode 100644
index 0000000..7ceadcf
--- /dev/null
+++ b/haixun-backend/web/src/pages/JobTemplatesPage.tsx
@@ -0,0 +1,43 @@
+import { useEffect, useState } from 'react'
+import { api } from '../api/client'
+import { ApiError } from '../api/client'
+import { Card, PageTitle } from '../components/ui'
+import type { JobTemplateData } from '../types/api'
+
+export function JobTemplatesPage() {
+  const [templates, setTemplates] = useState<JobTemplateData[]>([])
+  const [error, setError] = useState('')
+
+  useEffect(() => {
+    api
+      .get<{ list: JobTemplateData[] }>('/api/v1/job/templates', { auth: true })
+      .then((d) => setTemplates(d.list))
+      .catch((e: ApiError) => setError(e.message))
+  }, [])
+
+  return (
+    <div>
+      <PageTitle title="Job 模板" subtitle="GET /api/v1/job/templates" />
+      {error ? <p className="text-rose-600">{error}</p> : null}
+      <div className="grid gap-4">
+        {templates.map((t) => (
+          <Card key={t.type}>
+            <div className="flex items-start justify-between gap-4">
+              <div>
+                <h2 className="font-semibold">{t.name}</h2>
+                <p className="text-sm text-ink-secondary">{t.type} · v{t.version}</p>
+                <p className="mt-2 text-sm">{t.description || '—'}</p>
+              </div>
+              <span className={`rounded-[var(--radius-pill)] px-3 py-1 text-xs font-medium ${t.enabled ? 'bg-brand-soft text-brand' : 'bg-accent-soft text-muted'}`}>
+                {t.enabled ? 'enabled' : 'disabled'}
+              </span>
+            </div>
+            <pre className="mt-4 overflow-auto rounded-[var(--radius-md)] bg-surface-muted p-4 text-xs">
+              {JSON.stringify(t.steps, null, 2)}
+            </pre>
+          </Card>
+        ))}
+      </div>
+    </div>
+  )
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/pages/JobsPage.tsx b/haixun-backend/web/src/pages/JobsPage.tsx
new file mode 100644
index 0000000..882c4fd
--- /dev/null
+++ b/haixun-backend/web/src/pages/JobsPage.tsx
@@ -0,0 +1,183 @@
+import { useCallback, useEffect, useState } from 'react'
+import { Link } from 'react-router-dom'
+import { api } from '../api/client'
+import { ApiError } from '../api/client'
+import { useAuth } from '../auth/AuthContext'
+import { Button, Card, ErrorText, Field, Input, PageTitle, Textarea } from '../components/ui'
+import { isTerminalJobStatus, jobStatusBadgeClass, jobStatusLabel } from '../lib/jobStatus'
+import type { JobData, Pagination } from '../types/api'
+
+export function JobsPage() {
+  const { uid } = useAuth()
+  const [jobs, setJobs] = useState<JobData[]>([])
+  const [pagination, setPagination] = useState<Pagination | null>(null)
+  const [error, setError] = useState('')
+  const [templateType, setTemplateType] = useState('demo_long_task')
+  const [scope, setScope] = useState('user')
+  const [scopeId, setScopeId] = useState(uid)
+  const [payload, setPayload] = useState('{}')
+
+  const load = useCallback(async () => {
+    setError('')
+    try {
+      const data = await api.get<{ list: JobData[]; pagination: Pagination }>('/api/v1/jobs', {
+        auth: true,
+        query: { page: 1, pageSize: 20, scope, scope_id: scopeId },
+      })
+      setJobs(data.list)
+      setPagination(data.pagination)
+    } catch (e) {
+      setError(e instanceof ApiError ? e.message : '載入失敗')
+    }
+  }, [scope, scopeId])
+
+  useEffect(() => {
+    if (uid) setScopeId(uid)
+  }, [uid])
+
+  useEffect(() => {
+    load()
+  }, [load])
+
+  useEffect(() => {
+    const hasActive = jobs.some((j) => !isTerminalJobStatus(j.status))
+    if (!hasActive) return
+    const timer = window.setInterval(load, 3000)
+    return () => window.clearInterval(timer)
+  }, [jobs, load])
+
+  const create = async () => {
+    setError('')
+    try {
+      await api.post(
+        '/api/v1/jobs',
+        {
+          template_type: templateType,
+          scope,
+          scope_id: scopeId,
+          payload: JSON.parse(payload),
+        },
+        { auth: true },
+      )
+      await load()
+    } catch (e) {
+      setError(e instanceof ApiError ? e.message : '建立失敗')
+    }
+  }
+
+  const cancel = async (id: string) => {
+    await api.post(`/api/v1/jobs/${id}/cancel`, { reason: 'ui cancel' }, { auth: true })
+    await load()
+  }
+
+  const retry = async (id: string) => {
+    await api.post(`/api/v1/jobs/${id}/retry`, {}, { auth: true })
+    await load()
+  }
+
+  return (
+    <div>
+      <PageTitle title="Jobs" subtitle="建立、列表、取消、重試" />
+      <Card className="mb-4 border-brand/20 bg-brand-soft/50 text-sm text-ink-secondary">
+        <p className="font-semibold text-ink">怎麼知道任務有沒有在跑？</p>
+        <ul className="mt-2 list-inside list-disc space-y-1">
+          <li>
+            啟動 API（<code className="rounded-[var(--radius-sm)] bg-surface px-1.5 py-0.5">make run</code>）只會建立預設模板{' '}
+            <code className="rounded-[var(--radius-sm)] bg-surface px-1.5 py-0.5">demo_long_task</code>，不會自動產生執行紀錄。
+          </li>
+          <li>按下方「建立背景任務」或到「排程」頁建立 cron，才會真正產生一筆 Job。</li>
+          <li>
+            看列表「狀態」：<strong>執行中</strong> = 正在跑；<strong>已排隊 / 等待中</strong> = 還沒被
+            worker 接手（確認 Redis 與 gateway 的 <code className="rounded-[var(--radius-sm)] bg-surface px-1.5 py-0.5">JobWorker.Enabled</code>）。
+          </li>
+          <li>點「查看任務詳情」可看進度與事件；有進行中任務時此頁每 3 秒自動刷新。</li>
+        </ul>
+      </Card>
+      <Card className="mb-4 space-y-3">
+        <div className="grid gap-3 md:grid-cols-3">
+          <Field label="Template Type">
+            <Input value={templateType} onChange={(e) => setTemplateType(e.target.value)} />
+          </Field>
+          <Field label="Scope">
+            <Input value={scope} onChange={(e) => setScope(e.target.value)} />
+          </Field>
+          <Field label="Scope ID">
+            <Input value={scopeId} onChange={(e) => setScopeId(e.target.value)} />
+          </Field>
+        </div>
+        <Field label="Payload JSON">
+          <Textarea rows={3} value={payload} onChange={(e) => setPayload(e.target.value)} />
+        </Field>
+        <div className="flex gap-2">
+          <Button onClick={create}>建立背景任務</Button>
+          <Button variant="ghost" onClick={load}>
+            重新載入任務列表
+          </Button>
+        </div>
+        <ErrorText message={error} />
+      </Card>
+      {pagination ? (
+        <p className="mb-2 text-sm text-muted">共 {pagination.total} 筆</p>
+      ) : null}
+      <Card className="overflow-x-auto">
+        <table className="w-full min-w-[48rem] text-left text-sm">
+          <thead>
+            <tr className="border-b border-line text-ink-secondary">
+              <th className="py-2">ID</th>
+              <th>Status</th>
+              <th>Progress</th>
+              <th>Template</th>
+              <th>操作</th>
+            </tr>
+          </thead>
+          <tbody>
+            {jobs.map((j) => (
+              <tr key={j.id} className="border-b border-line">
+                <td className="py-2">
+                  <div className="font-mono text-xs text-ink-secondary">{j.id.slice(0, 8)}…</div>
+                  <Link
+                    className="mt-1 inline-block rounded-[var(--radius-pill)] border border-line bg-surface-muted px-3 py-1 text-xs font-medium text-brand hover:bg-brand-soft"
+                    to={`/jobs/${j.id}`}
+                  >
+                    查看任務詳情與事件
+                  </Link>
+                </td>
+                <td>
+                  <span
+                    className={`inline-block rounded-[var(--radius-pill)] px-3 py-1 text-[13px] font-bold ${jobStatusBadgeClass(j.status)}`}
+                  >
+                    {jobStatusLabel(j.status)}
+                  </span>
+                  <span className="ml-1 text-ink-secondary">/ {j.phase}</span>
+                </td>
+                <td>
+                  {j.progress.percentage}%
+                  {j.progress.summary ? (
+                    <div className="text-sm text-ink-secondary">{j.progress.summary}</div>
+                  ) : null}
+                </td>
+                <td>{j.template_type}</td>
+                <td className="space-x-2">
+                  <button
+                    type="button"
+                    className="rounded-[var(--radius-pill)] border border-line px-3 py-1 text-xs text-danger hover:bg-danger-soft"
+                    onClick={() => cancel(j.id)}
+                  >
+                    取消此任務
+                  </button>
+                  <button
+                    type="button"
+                    className="rounded-[var(--radius-pill)] border border-line px-3 py-1 text-xs text-brand hover:bg-brand-soft"
+                    onClick={() => retry(j.id)}
+                  >
+                    重試此任務
+                  </button>
+                </td>
+              </tr>
+            ))}
+          </tbody>
+        </table>
+      </Card>
+    </div>
+  )
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/pages/LoginPage.tsx b/haixun-backend/web/src/pages/LoginPage.tsx
new file mode 100644
index 0000000..91ce393
--- /dev/null
+++ b/haixun-backend/web/src/pages/LoginPage.tsx
@@ -0,0 +1,66 @@
+import { useState } from 'react'
+import { Link, Navigate, useNavigate } from 'react-router-dom'
+import { useAuth } from '../auth/AuthContext'
+import { ApiError } from '../api/client'
+import { AuthShell } from '../components/AuthShell'
+import { Button, Card, ErrorText, Field, Input } from '../components/ui'
+
+export function LoginPage() {
+  const { login, setTenantId, tenantId, isAuthenticated } = useAuth()
+  const navigate = useNavigate()
+  const [email, setEmail] = useState('admin@haixun.local')
+  const [password, setPassword] = useState('Admin-Pass-1!')
+  const [error, setError] = useState('')
+  const [loading, setLoading] = useState(false)
+
+  if (isAuthenticated) return <Navigate to="/" replace />
+
+  const onSubmit = async (e: React.FormEvent) => {
+    e.preventDefault()
+    setError('')
+    setLoading(true)
+    try {
+      await login(email, password)
+      navigate('/')
+    } catch (err) {
+      setError(err instanceof ApiError ? err.message : '登入失敗')
+    } finally {
+      setLoading(false)
+    }
+  }
+
+  return (
+    <AuthShell>
+      <Card>
+        <h2 className="text-xl font-bold text-ink">登入系統</h2>
+        <p className="mt-1 text-sm text-ink-secondary">Email / 密碼驗證</p>
+        <form className="mt-6 space-y-4" onSubmit={onSubmit}>
+          <Field label="Tenant ID">
+            <Input value={tenantId} onChange={(e) => setTenantId(e.target.value)} required />
+          </Field>
+          <Field label="Email">
+            <Input type="email" value={email} onChange={(e) => setEmail(e.target.value)} required />
+          </Field>
+          <Field label="Password">
+            <Input
+              type="password"
+              value={password}
+              onChange={(e) => setPassword(e.target.value)}
+              required
+            />
+          </Field>
+          <ErrorText message={error} />
+          <Button type="submit" disabled={loading} className="w-full">
+            {loading ? '登入中…' : '登入巡樓系統'}
+          </Button>
+        </form>
+        <p className="mt-5 text-center text-sm text-muted">
+          還沒有帳號？{' '}
+          <Link className="font-semibold text-brand hover:underline" to="/register">
+            前往註冊
+          </Link>
+        </p>
+      </Card>
+    </AuthShell>
+  )
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/pages/PermissionsPage.tsx b/haixun-backend/web/src/pages/PermissionsPage.tsx
new file mode 100644
index 0000000..2862346
--- /dev/null
+++ b/haixun-backend/web/src/pages/PermissionsPage.tsx
@@ -0,0 +1,86 @@
+import { useEffect, useState } from 'react'
+import { api } from '../api/client'
+import { ApiError } from '../api/client'
+import { Card, PageTitle } from '../components/ui'
+import type { PermissionNode } from '../types/api'
+
+function Tree({ nodes, depth = 0 }: { nodes: PermissionNode[]; depth?: number }) {
+  return (
+    <ul className={depth ? 'ml-4 border-l border-line pl-3' : ''}>
+      {nodes.map((n) => (
+        <li key={n.id} className="py-1 text-sm">
+          <span className="font-medium">{n.name}</span>
+          {n.http_path ? (
+            <span className="ml-2 text-xs text-ink-secondary">
+              {n.http_methods} {n.http_path}
+            </span>
+          ) : null}
+          {n.children?.length ? <Tree nodes={n.children} depth={depth + 1} /> : null}
+        </li>
+      ))}
+    </ul>
+  )
+}
+
+export function PermissionsPage() {
+  const [catalog, setCatalog] = useState<PermissionNode[]>([])
+  const [me, setMe] = useState<Record<string, string>>({})
+  const [roles, setRoles] = useState<string[]>([])
+  const [error, setError] = useState('')
+
+  useEffect(() => {
+    Promise.all([
+      api.get<{ tree?: PermissionNode[] }>('/api/v1/permissions/catalog', {
+        auth: true,
+        query: { tree: true },
+      }),
+      api.get<{ permissions: Record<string, string>; roles: string[]; tree?: PermissionNode[] }>(
+        '/api/v1/permissions/me',
+        { auth: true, query: { include_tree: true } },
+      ),
+    ])
+      .then(([cat, mine]) => {
+        setCatalog(cat.tree ?? [])
+        setMe(mine.permissions)
+        setRoles(mine.roles)
+      })
+      .catch((e: ApiError) => setError(e.message))
+  }, [])
+
+  return (
+    <div>
+      <PageTitle title="權限" subtitle="Catalog 與目前會員權限" />
+      {error ? <p className="mb-4 text-sm text-rose-600">{error}</p> : null}
+      <div className="grid gap-4 lg:grid-cols-2">
+        <Card>
+          <h2 className="font-medium">Catalog（tree）</h2>
+          <div className="mt-3 max-h-[28rem] overflow-auto">
+            <Tree nodes={catalog} />
+          </div>
+        </Card>
+        <Card>
+          <h2 className="font-medium">我的權限</h2>
+          <p className="mt-2 text-sm text-ink-secondary">Roles: {roles.join(', ') || '—'}</p>
+          <div className="mt-4 overflow-x-auto">
+          <table className="w-full min-w-[24rem] text-left text-sm">
+            <thead>
+              <tr className="border-b border-line text-ink-secondary">
+                <th className="py-2">Path</th>
+                <th>Methods</th>
+              </tr>
+            </thead>
+            <tbody>
+              {Object.entries(me).map(([path, methods]) => (
+                <tr key={path} className="border-b border-line">
+                  <td className="py-2 font-mono text-xs">{path}</td>
+                  <td>{methods}</td>
+                </tr>
+              ))}
+            </tbody>
+          </table>
+          </div>
+        </Card>
+      </div>
+    </div>
+  )
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/pages/ProfilePage.tsx b/haixun-backend/web/src/pages/ProfilePage.tsx
new file mode 100644
index 0000000..b8cfd5f
--- /dev/null
+++ b/haixun-backend/web/src/pages/ProfilePage.tsx
@@ -0,0 +1,90 @@
+import { useEffect, useState } from 'react'
+import { api } from '../api/client'
+import { useAuth } from '../auth/AuthContext'
+import { ApiError } from '../api/client'
+import { Button, Card, CopyableId, ErrorText, Field, Input, PageTitle } from '../components/ui'
+import type { MemberMeData } from '../types/api'
+
+export function ProfilePage() {
+  const { refreshMember, member, tenantId, uid } = useAuth()
+  const [form, setForm] = useState({
+    display_name: '',
+    language: '',
+    currency: '',
+    phone: '',
+  })
+  const [error, setError] = useState('')
+  const [saved, setSaved] = useState(false)
+
+  useEffect(() => {
+    api
+      .get<MemberMeData>('/api/v1/members/me', { auth: true })
+      .then((m) =>
+        setForm({
+          display_name: m.display_name ?? '',
+          language: m.language ?? '',
+          currency: m.currency ?? '',
+          phone: m.phone ?? '',
+        }),
+      )
+      .catch((e: ApiError) => setError(e.message))
+  }, [])
+
+  const save = async () => {
+    setError('')
+    setSaved(false)
+    try {
+      await api.patch<MemberMeData>(
+        '/api/v1/members/me',
+        {
+          display_name: form.display_name || undefined,
+          language: form.language || undefined,
+          currency: form.currency || undefined,
+          phone: form.phone || undefined,
+        },
+        { auth: true },
+      )
+      await refreshMember()
+      setSaved(true)
+    } catch (e) {
+      setError(e instanceof ApiError ? e.message : '更新失敗')
+    }
+  }
+
+  return (
+    <div>
+      <PageTitle title="會員 Profile" subtitle="GET/PATCH /api/v1/members/me" />
+      <Card className="mb-4 max-w-xl space-y-3">
+        <CopyableId label="UID" value={member?.uid || uid} />
+        <CopyableId label="Tenant ID" value={member?.tenant_id || tenantId} />
+        <CopyableId label="Email" value={member?.email ?? ''} />
+      </Card>
+      <Card className="max-w-xl space-y-4">
+        <Field label="Display Name">
+          <Input
+            value={form.display_name}
+            onChange={(e) => setForm((f) => ({ ...f, display_name: e.target.value }))}
+          />
+        </Field>
+        <Field label="Language">
+          <Input
+            value={form.language}
+            onChange={(e) => setForm((f) => ({ ...f, language: e.target.value }))}
+          />
+        </Field>
+        <Field label="Currency">
+          <Input
+            value={form.currency}
+            onChange={(e) => setForm((f) => ({ ...f, currency: e.target.value }))}
+          />
+        </Field>
+        <Field label="Phone">
+          <Input value={form.phone} onChange={(e) => setForm((f) => ({ ...f, phone: e.target.value }))} />
+        </Field>
+        <ErrorText message={error} />
+        {saved ? <p className="text-sm text-success">已儲存</p> : null}
+        <Button onClick={save}>儲存個人資料</Button>
+      </Card>
+    </div>
+  )
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/pages/RegisterPage.tsx b/haixun-backend/web/src/pages/RegisterPage.tsx
new file mode 100644
index 0000000..dce3894
--- /dev/null
+++ b/haixun-backend/web/src/pages/RegisterPage.tsx
@@ -0,0 +1,71 @@
+import { useState } from 'react'
+import { Link, Navigate, useNavigate } from 'react-router-dom'
+import { useAuth } from '../auth/AuthContext'
+import { ApiError } from '../api/client'
+import { AuthShell } from '../components/AuthShell'
+import { Button, Card, ErrorText, Field, Input } from '../components/ui'
+
+export function RegisterPage() {
+  const { register, setTenantId, tenantId, isAuthenticated } = useAuth()
+  const navigate = useNavigate()
+  const [email, setEmail] = useState('')
+  const [password, setPassword] = useState('')
+  const [displayName, setDisplayName] = useState('')
+  const [error, setError] = useState('')
+  const [loading, setLoading] = useState(false)
+
+  if (isAuthenticated) return <Navigate to="/" replace />
+
+  const onSubmit = async (e: React.FormEvent) => {
+    e.preventDefault()
+    setError('')
+    setLoading(true)
+    try {
+      await register({ email, password, displayName, language: 'zh-TW' })
+      navigate('/')
+    } catch (err) {
+      setError(err instanceof ApiError ? err.message : '註冊失敗')
+    } finally {
+      setLoading(false)
+    }
+  }
+
+  return (
+    <AuthShell>
+      <Card>
+        <h2 className="text-xl font-bold text-ink">註冊帳號</h2>
+        <p className="mt-1 text-sm text-ink-secondary">建立巡樓管理帳號</p>
+        <form className="mt-6 space-y-4" onSubmit={onSubmit}>
+          <Field label="Tenant ID">
+            <Input value={tenantId} onChange={(e) => setTenantId(e.target.value)} required />
+          </Field>
+          <Field label="Email">
+            <Input type="email" value={email} onChange={(e) => setEmail(e.target.value)} required />
+          </Field>
+          <Field label="Display Name">
+            <Input value={displayName} onChange={(e) => setDisplayName(e.target.value)} />
+          </Field>
+          <Field label="Password（至少 8 字）">
+            <Input
+              type="password"
+              value={password}
+              onChange={(e) => setPassword(e.target.value)}
+              minLength={8}
+              required
+            />
+          </Field>
+          <ErrorText message={error} />
+          <Button type="submit" disabled={loading} className="w-full">
+            {loading ? '註冊中…' : '建立帳號並登入'}
+          </Button>
+        </form>
+        <p className="mt-5 text-center text-sm text-muted">
+          已有帳號？{' '}
+          <Link className="font-semibold text-brand hover:underline" to="/login">
+            前往登入
+          </Link>
+        </p>
+      </Card>
+    </AuthShell>
+  )
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/pages/SettingsPage.tsx b/haixun-backend/web/src/pages/SettingsPage.tsx
new file mode 100644
index 0000000..125e78a
--- /dev/null
+++ b/haixun-backend/web/src/pages/SettingsPage.tsx
@@ -0,0 +1,124 @@
+import { useState } from 'react'
+import { api } from '../api/client'
+import { ApiError } from '../api/client'
+import { Button, Card, ErrorText, Field, Input, PageTitle, Textarea } from '../components/ui'
+import type { Pagination, SettingData } from '../types/api'
+
+export function SettingsPage() {
+  const [scope, setScope] = useState('user')
+  const [scopeId, setScopeId] = useState('')
+  const [key, setKey] = useState('ai.default')
+  const [valueJson, setValueJson] = useState('{\n  "provider": "opencode-go",\n  "model": "deepseek-v4-pro"\n}')
+  const [list, setList] = useState<SettingData[]>([])
+  const [pagination, setPagination] = useState<Pagination | null>(null)
+  const [error, setError] = useState('')
+  const [message, setMessage] = useState('')
+
+  const loadList = async () => {
+    setError('')
+    try {
+      const data = await api.get<{ list: SettingData[]; pagination: Pagination }>(
+        `/api/v1/settings/${scope}/${scopeId}`,
+        { auth: true, query: { page: 1, pageSize: 20 } },
+      )
+      setList(data.list)
+      setPagination(data.pagination)
+    } catch (e) {
+      setError(e instanceof ApiError ? e.message : '載入失敗')
+    }
+  }
+
+  const upsert = async () => {
+    setError('')
+    setMessage('')
+    try {
+      const value = JSON.parse(valueJson) as Record<string, unknown>
+      await api.put<SettingData>(`/api/v1/settings/${scope}/${scopeId}/${key}`, { value }, { auth: true })
+      setMessage('已 upsert')
+      await loadList()
+    } catch (e) {
+      setError(e instanceof ApiError ? e.message : 'upsert 失敗')
+    }
+  }
+
+  const loadOne = async () => {
+    setError('')
+    try {
+      const data = await api.get<SettingData>(`/api/v1/settings/${scope}/${scopeId}/${key}`, { auth: true })
+      setValueJson(JSON.stringify(data.value, null, 2))
+      setMessage('已載入單筆')
+    } catch (e) {
+      setError(e instanceof ApiError ? e.message : '讀取失敗')
+    }
+  }
+
+  const remove = async () => {
+    setError('')
+    try {
+      await api.delete(`/api/v1/settings/${scope}/${scopeId}/${key}`, { auth: true })
+      setMessage('已刪除')
+      await loadList()
+    } catch (e) {
+      setError(e instanceof ApiError ? e.message : '刪除失敗')
+    }
+  }
+
+  return (
+    <div>
+      <PageTitle title="設定" subtitle="scope / scope_id / key 通用設定模型" />
+      <Card className="mb-4 grid gap-4 md:grid-cols-3">
+        <Field label="Scope">
+          <Input value={scope} onChange={(e) => setScope(e.target.value)} placeholder="user|account|system" />
+        </Field>
+        <Field label="Scope ID">
+          <Input value={scopeId} onChange={(e) => setScopeId(e.target.value)} placeholder="uid 或 global" />
+        </Field>
+        <Field label="Key">
+          <Input value={key} onChange={(e) => setKey(e.target.value)} />
+        </Field>
+        <div className="md:col-span-3">
+          <Field label="Value (JSON)">
+            <Textarea rows={8} value={valueJson} onChange={(e) => setValueJson(e.target.value)} />
+          </Field>
+        </div>
+        <div className="flex flex-wrap gap-2 md:col-span-3">
+          <Button onClick={loadList}>查詢此範圍的設定列表</Button>
+          <Button variant="ghost" onClick={loadOne}>
+            讀取上方 Key 的設定
+          </Button>
+          <Button onClick={upsert}>儲存設定（新增或更新）</Button>
+          <Button variant="danger" onClick={remove}>
+            刪除上方 Key 的設定
+          </Button>
+        </div>
+        <ErrorText message={error} />
+        {message ? <p className="text-sm text-success md:col-span-3">{message}</p> : null}
+      </Card>
+      {pagination ? (
+        <p className="mb-2 text-sm text-muted">
+          共 {pagination.total} 筆 · 第 {pagination.page}/{pagination.totalPages} 頁
+        </p>
+      ) : null}
+      <Card className="overflow-x-auto">
+        <table className="w-full min-w-[36rem] text-left text-sm">
+          <thead>
+            <tr className="border-b border-line text-ink-secondary">
+              <th className="py-2">Key</th>
+              <th>Version</th>
+              <th>Value</th>
+            </tr>
+          </thead>
+          <tbody>
+            {list.map((s) => (
+              <tr key={s.id} className="border-b border-line align-top">
+                <td className="py-2 font-mono text-xs">{s.key}</td>
+                <td>{s.version}</td>
+                <td className="max-w-md truncate font-mono text-xs">{JSON.stringify(s.value)}</td>
+              </tr>
+            ))}
+          </tbody>
+        </table>
+      </Card>
+    </div>
+  )
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/theme/ThemeContext.tsx b/haixun-backend/web/src/theme/ThemeContext.tsx
new file mode 100644
index 0000000..b36c3cb
--- /dev/null
+++ b/haixun-backend/web/src/theme/ThemeContext.tsx
@@ -0,0 +1,48 @@
+import { createContext, useCallback, useContext, useEffect, useMemo, useState } from 'react'
+
+export type ThemeMode = 'light' | 'dark'
+
+const STORAGE_KEY = 'haixun.theme'
+
+function readStoredTheme(): ThemeMode {
+  const stored = localStorage.getItem(STORAGE_KEY)
+  if (stored === 'light' || stored === 'dark') return stored
+  return window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light'
+}
+
+function applyTheme(mode: ThemeMode) {
+  document.documentElement.setAttribute('data-theme', mode)
+  document.documentElement.style.colorScheme = mode
+}
+
+type ThemeContextValue = {
+  theme: ThemeMode
+  setTheme: (mode: ThemeMode) => void
+  toggleTheme: () => void
+}
+
+const ThemeContext = createContext<ThemeContextValue | null>(null)
+
+export function ThemeProvider({ children }: { children: React.ReactNode }) {
+  const [theme, setThemeState] = useState<ThemeMode>(() => readStoredTheme())
+
+  useEffect(() => {
+    applyTheme(theme)
+    localStorage.setItem(STORAGE_KEY, theme)
+  }, [theme])
+
+  const setTheme = useCallback((mode: ThemeMode) => setThemeState(mode), [])
+  const toggleTheme = useCallback(() => {
+    setThemeState((t) => (t === 'light' ? 'dark' : 'light'))
+  }, [])
+
+  const value = useMemo(() => ({ theme, setTheme, toggleTheme }), [theme, setTheme, toggleTheme])
+
+  return <ThemeContext.Provider value={value}>{children}</ThemeContext.Provider>
+}
+
+export function useTheme() {
+  const ctx = useContext(ThemeContext)
+  if (!ctx) throw new Error('useTheme must be used within ThemeProvider')
+  return ctx
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/types/api.ts b/haixun-backend/web/src/types/api.ts
new file mode 100644
index 0000000..6df54f1
--- /dev/null
+++ b/haixun-backend/web/src/types/api.ts
@@ -0,0 +1,138 @@
+export const SUCCESS_CODE = 102000
+
+export interface ApiEnvelope<T> {
+  code: number
+  message: string
+  data?: T
+  error?: {
+    biz_code?: string
+    scope?: number
+    category?: number
+    detail?: number
+  }
+}
+
+export interface Pagination {
+  total: number
+  page: number
+  pageSize: number
+  totalPages: number
+}
+
+export interface AuthTokenData {
+  access_token: string
+  refresh_token: string
+  expires_in: number
+  uid: string
+  token_type: string
+}
+
+export interface MemberMeData {
+  tenant_id: string
+  uid: string
+  email: string
+  display_name?: string
+  avatar?: string
+  phone?: string
+  language?: string
+  currency?: string
+  status: string
+  origin: string
+  roles?: string[]
+  create_at: number
+  update_at: number
+}
+
+export interface PermissionNode {
+  id: string
+  parent?: string
+  name: string
+  http_methods?: string
+  http_path?: string
+  status: string
+  type: string
+  children?: PermissionNode[]
+}
+
+export interface SettingData {
+  id: string
+  scope: string
+  scope_id: string
+  key: string
+  value: Record<string, unknown>
+  version: number
+  create_at: number
+  update_at: number
+}
+
+export interface AIProviderOption {
+  id: string
+  label: string
+  streams: boolean
+}
+
+export interface JobData {
+  id: string
+  template_type: string
+  template_version: number
+  scope: string
+  scope_id: string
+  status: string
+  phase: string
+  worker_type: string
+  payload: Record<string, unknown>
+  progress: {
+    summary: string
+    percentage: number
+    steps: Array<{
+      id: string
+      status: string
+      message?: string
+    }>
+  }
+  result?: Record<string, unknown>
+  error?: string
+  attempt: number
+  max_attempts: number
+  create_at: number
+  update_at: number
+}
+
+export interface JobEventData {
+  id: string
+  job_id: string
+  type: string
+  from?: string
+  to?: string
+  message: string
+  create_at: number
+}
+
+export interface JobTemplateData {
+  type: string
+  version: number
+  name: string
+  description: string
+  enabled: boolean
+  repeatable: boolean
+  steps: Array<{
+    id: string
+    name: string
+    worker_type: string
+    timeout_seconds: number
+    cancelable: boolean
+  }>
+}
+
+export interface JobScheduleData {
+  id: string
+  template_type: string
+  scope: string
+  scope_id: string
+  enabled: boolean
+  cron: string
+  timezone: string
+  next_run_at: number
+  create_at: number
+  update_at: number
+}
\ No newline at end of file
diff --git a/haixun-backend/web/src/vite-env.d.ts b/haixun-backend/web/src/vite-env.d.ts
new file mode 100644
index 0000000..151aa68
--- /dev/null
+++ b/haixun-backend/web/src/vite-env.d.ts
@@ -0,0 +1 @@
+/// <reference types="vite/client" />
\ No newline at end of file
diff --git a/haixun-backend/web/tsconfig.app.json b/haixun-backend/web/tsconfig.app.json
new file mode 100644
index 0000000..ca88d7f
--- /dev/null
+++ b/haixun-backend/web/tsconfig.app.json
@@ -0,0 +1,22 @@
+{
+  "compilerOptions": {
+    "tsBuildInfoFile": "./node_modules/.tmp/tsconfig.app.tsbuildinfo",
+    "target": "ES2022",
+    "useDefineForClassFields": true,
+    "lib": ["ES2022", "DOM", "DOM.Iterable"],
+    "module": "ESNext",
+    "skipLibCheck": true,
+    "moduleResolution": "bundler",
+    "allowImportingTsExtensions": true,
+    "verbatimModuleSyntax": true,
+    "moduleDetection": "force",
+    "noEmit": true,
+    "jsx": "react-jsx",
+    "strict": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "noFallthroughCasesInSwitch": true,
+    "noUncheckedSideEffectImports": true
+  },
+  "include": ["src"]
+}
\ No newline at end of file
diff --git a/haixun-backend/web/tsconfig.json b/haixun-backend/web/tsconfig.json
new file mode 100644
index 0000000..c452f43
--- /dev/null
+++ b/haixun-backend/web/tsconfig.json
@@ -0,0 +1,7 @@
+{
+  "files": [],
+  "references": [
+    { "path": "./tsconfig.app.json" },
+    { "path": "./tsconfig.node.json" }
+  ]
+}
\ No newline at end of file
diff --git a/haixun-backend/web/tsconfig.node.json b/haixun-backend/web/tsconfig.node.json
new file mode 100644
index 0000000..b5404bb
--- /dev/null
+++ b/haixun-backend/web/tsconfig.node.json
@@ -0,0 +1,20 @@
+{
+  "compilerOptions": {
+    "tsBuildInfoFile": "./node_modules/.tmp/tsconfig.node.tsbuildinfo",
+    "target": "ES2023",
+    "lib": ["ES2023"],
+    "module": "ESNext",
+    "skipLibCheck": true,
+    "moduleResolution": "bundler",
+    "allowImportingTsExtensions": true,
+    "verbatimModuleSyntax": true,
+    "moduleDetection": "force",
+    "noEmit": true,
+    "strict": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "noFallthroughCasesInSwitch": true,
+    "noUncheckedSideEffectImports": true
+  },
+  "include": ["vite.config.ts"]
+}
\ No newline at end of file
diff --git a/haixun-backend/web/vite.config.ts b/haixun-backend/web/vite.config.ts
new file mode 100644
index 0000000..857218e
--- /dev/null
+++ b/haixun-backend/web/vite.config.ts
@@ -0,0 +1,16 @@
+import { defineConfig } from 'vite'
+import react from '@vitejs/plugin-react'
+import tailwindcss from '@tailwindcss/vite'
+
+export default defineConfig({
+  plugins: [react(), tailwindcss()],
+  server: {
+    port: 5173,
+    proxy: {
+      '/api': {
+        target: 'http://127.0.0.1:8890',
+        changeOrigin: true,
+      },
+    },
+  },
+})
\ No newline at end of file
diff --git a/template-monorepo b/template-monorepo
new file mode 160000
index 0000000..859f8ce
--- /dev/null
+++ b/template-monorepo
@@ -0,0 +1 @@
+Subproject commit 859f8ce782ce4d3b3914f09356d30ed55a676e44