authelia: update bridge builder to accept pointer to configuration

* docs: updated installation env vars and runtime values references

* docs: fix content

* docs: update content

* Update table of contents, and refactored docs.

* Fixed capitalization.

* batch update to fix readability

* refactored declarative env var

* Updated translation.

* Updated based on suggestions.

* Updated based on suggestions.

---------

Co-authored-by: yajing wang <413741312@qq.com>

apps/.olares/config/user/helm-charts/system-apps/templates/olares-app.yaml

@@ -317,7 +317,7 @@ spec:
             chown -R 1000:1000 /uploadstemp && \
             chown -R 1000:1000 /appdata 
         - name: olares-app-init
-          image: beclab/system-frontend:v1.9.9
+          image: beclab/system-frontend:v1.9.12
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh

cli/pkg/core/connector/system.go

@@ -512,7 +512,6 @@ func getCpu() *CpuInfo {
 	if err == nil && strings.TrimSpace(string(output)) != "" {
 		isGB10Chip = true
 	} else {
-		fmt.Printf("Error checking GB10 chip: %v\n", err)
 		gb10env := os.Getenv(common.ENV_GB10_CHIP)
 		if gb10env == "1" || strings.EqualFold(gb10env, "true") {
 			isGB10Chip = true

daemon/internel/watcher/usb/watchers.go

@@ -27,7 +27,7 @@ func WithSerial(ctx context.Context, serial string) context.Context {
 }
 
 func (w *usbWatcher) Watch(ctx context.Context) {
-	retry := 1
+	retry := 3
 	devs, err := utils.DetectdUsbDevices(ctx)
 	for {
 		if err != nil {

daemon/pkg/cluster/state/current.go

@@ -131,7 +131,8 @@ func CheckCurrentStatus(ctx context.Context) error {
 		klog.Info("current state: ", CurrentState.TerminusState)
 	}()
 
-	utils.ForceMountHdd(ctx)
+	// Deprecated, only for Olares Zero
+	// utils.ForceMountHdd(ctx)
 
 	// set default value
 	if CurrentState.TerminusVersion == nil {

docs/.vitepress/developer.en.ts

@@ -213,12 +213,28 @@ export const developerSidebar: DefaultTheme.Sidebar = {
         //      },
         //   ],
         //   },
+        {
+          text: "Application environment variables",
+          link: "/developer/develop/app-env-index",
+          collapsed: true,
+          items: [
+            {
+              text: "Declarative environment variables",
+              link: "/developer/develop/app-env-vars",
+              collapsed: true,
+            },
+            {
+              text: "System-injected variables",
+              link: "/developer/develop/app-sys-injected-variables",
+            },
+          ]
+        },
         {
           text: "Middleware",
           link: "/developer/develop/mw-overview",
           collapsed: true,
           items: [
-            {
+            /*{
               text: "Elasticsearch",
               collapsed: true,
               items :[
@@ -230,7 +246,7 @@ export const developerSidebar: DefaultTheme.Sidebar = {
                   link: "/developer/develop/mw-view-es-data",
                 },
               ]
-            },
+            },*/
             {
               text: "Grafana",
               link :"/developer/develop/mw-view-grafana-data",

docs/.vitepress/developer.zh.ts

@@ -228,12 +228,27 @@ export const developerSidebar: DefaultTheme.Sidebar = {
             //         },
             //       ],
             //      },
+        {
+          text: "应用环境变量",
+          link: "/zh/developer/develop/app-env-index",
+          collapsed: true,
+          items: [
+            {
+              text: "声明式环境变量",
+              link: "/zh/developer/develop/app-env-vars",        
+            },
+            {
+              text: "系统注入的运行时变量",
+              link: "/zh/developer/develop/app-sys-injected-variables",
+            },
+          ]
+        },
     {
               text: "中间件",
               link: "/zh/developer/develop/mw-overview",
               collapsed: true,
               items: [
-                {
+                /*{
                   text: "Elasticsearch",
                   collapsed: true,
                   items :[
@@ -245,7 +260,7 @@ export const developerSidebar: DefaultTheme.Sidebar = {
                       link: "zh/developer/develop/mw-view-es-data",
                     },
                   ]
-                },
+                },*/
                 {
                   text: "Grafana",
                   link: "zh/developer/develop/mw-view-grafana-data",

docs/.vitepress/en.ts

@@ -45,6 +45,10 @@ const side = {
               text: "Missing apps in Market",
               link: "/manual/help/ts-missing-apps",
             },
+            {
+              text: "LarePass VPN not working",
+              link: "/manual/help/ts-larepass-vpn-not-working",
+            },
           ],
         },
       ],
@@ -148,7 +152,6 @@ const side = {
     },
     {
       text: "Olares applications",
-      link: "/manual/olares/",
       items: [
         { text: "Desktop", link: "/manual/olares/desktop", },
         {

docs/.vitepress/zh.ts

@@ -43,6 +43,10 @@ const side = {
             {
               text: "应用市场应用缺失",
               link: "/zh/manual/help/ts-missing-apps",
+            },
+            {
+              text: "LarePass VPN 无法使用",
+              link: "/zh/manual/help/ts-larepass-vpn-not-working",
             }
           ],
         },
@@ -146,7 +150,6 @@ const side = {
     },
     {
       "text": "Olares 应用",
-      "link": "/zh/manual/olares/",
       "items": [
         { "text": "桌面", "link": "/zh/manual/olares/desktop" },
         {
@@ -462,10 +465,10 @@ const side = {
           text: "设置自定义域名",
           link: "/zh/manual/best-practices/set-custom-domain",
         },
-        {
+        /*{
           text: "使用 Wise 管理知识",
           link: "/zh/manual/best-practices/organize-content",
-        },
+        },*/
         {
           text: "安装多节点",
           link: "/zh/manual/best-practices/install-olares-multi-node",

docs/developer/develop/app-env-index.md

@@ -0,0 +1,25 @@
+---
+outline: [2, 3]
+description: Learn how variables are injected during Olares app deployment, including declarative environment variables (.Values.olaresEnv) and system-injected runtime Helm values (.Values.*).
+---
+
+# Environment variables overview
+
+Olares apps use app-service to inject runtime context and configuration into the app's `values.yaml`. In Helm templates, you can reference these values via `.Values.*`.
+
+:::info Variables and Helm values
+In this document, "variables" mainly refer to Helm values. They are not automatically passed into container environment variables. If you need them inside containers, explicitly map them to `env:` in your templates.
+:::
+
+## How variables are injected
+
+Olares injects variables through two channels:
+
+- **Declarative environment variables**: The developer declares variables under `envs` in `OlaresManifest.yaml`. At deployment, app-service resolves and injects the values into `.Values.olaresEnv` in `values.yaml`.
+
+- **System-injected runtime variables**: Injected automatically by Olares at deployment time. No declaration is required, though some values are only available after you declare the relevant dependency, such as middleware.
+
+## Next steps
+
+1. [Declarative environment variables](app-env-vars.md): Field reference for the `envs` schema, including variable mapping and variable references.
+2. [System-injected runtime variables](app-sys-injected-variables.md): Full reference for all system-injected runtime variables.

docs/developer/develop/app-env-vars.md

@@ -0,0 +1,199 @@
+---
+outline: [2, 4]
+description: Declare and validate app configuration via envs in `OlaresManifest.yaml`, and reference values in templates through `.Values.olaresEnv`.
+---
+# Declarative environment variables
+
+Use `envs` in `OlaresManifest.yaml` to declare the configuration parameters, such as passwords, API endpoints, or feature flags. During deployment, app-service resolves the values and injects them into `.Values.olaresEnv` in `values.yaml`. Reference them in Helm templates as <code v-pre>{{ .Values.olaresEnv.&lt;envName&gt; }}</code>.
+
+## Variable sources
+
+Declarative variables can obtain values from configurations managed outside the application:
+
+- **System variables**: Environment variables defined at the Olares cluster level. They are set during system installation or centrally managed by administrators, and are shared by all users within the cluster.
+- **User variables**: Environment variables defined at the Olares user level. They are managed individually by each user, and are isolated from one another within the same cluster.
+
+Applications cannot modify these variables directly. To use them, map the variable via the `valueFrom` field.
+
+## Map environment variables
+
+Both system environment variables and user environment variables use the same mapping mechanism via `valueFrom`.
+
+The following example maps the system variable `OLARES_SYSTEM_CDN_SERVICE` to an application variable `APP_CDN_ENDPOINT`:
+
+1. In `OlaresManifest.yaml`, declare an app variable under `envs` and set `valueFrom.envName` to the system variable name.
+
+    ```yaml
+    # Map system variable OLARES_SYSTEM_CDN_SERVICE to app variable APP_CDN_ENDPOINT
+    olaresManifest.version: '0.10.0'
+    olaresManifest.type: app
+
+    envs:
+      - envName: APP_CDN_ENDPOINT
+        required: true
+        applyOnChange: true
+        valueFrom:
+          envName: OLARES_SYSTEM_CDN_SERVICE
+    ```
+
+2. In your Helm template, reference the app variable via `.Values.olaresEnv.<envName>`.
+
+    ```yaml
+    # Use APP_CDN_ENDPOINT in a container environment variable
+    env:
+      - name: CDN_ENDPOINT
+        value: "{{ .Values.olaresEnv.APP_CDN_ENDPOINT }}"
+    ```
+
+At deployment, app-service resolves the referenced variable and injects the value into `values.yaml`:
+
+```yaml
+# Injected by app-service into values.yaml at deployment
+olaresEnv:
+  APP_CDN_ENDPOINT: "https://cdn.olares.com"
+```
+
+For the full list of available environment variables, see [Variable references](#variable-references).
+
+## Declaration fields
+
+The following fields are available under each `envs` entry.
+
+### envName
+
+The name of the variable as injected into `values.yaml`. Reference it in templates as <code v-pre>{{ .Values.olaresEnv.&lt;envName&gt; }}</code>.
+
+### default
+
+The default value for the variable. Provided by the developer at authoring time. Users cannot modify it. Used when no value is supplied by the user or by `valueFrom`.
+
+### valueFrom
+
+Maps this variable to a system or user environment variable. When set, the current variable inherits all fields from the referenced variable (`type`, `editable`, `regex`, and so on). Any fields defined locally on the current variable are ignored. `default` and `options` have no effect when `valueFrom` is used.
+
+**Example**: map the app variable `APP_CDN_ENDPOINT` to the system variable `OLARES_SYSTEM_CDN_SERVICE`.
+
+```yaml
+# Map app env APP_CDN_ENDPOINT to system variable OLARES_SYSTEM_CDN_SERVICE
+envs:
+  - envName: APP_CDN_ENDPOINT
+    required: true
+    applyOnChange: true
+    valueFrom:
+      envName: OLARES_SYSTEM_CDN_SERVICE
+```
+
+### required
+
+Boolean. When `true`, the variable must have a value for installation to proceed. If no `default` is set, the user is prompted to enter one. After installation, the value cannot be set to empty.
+
+### editable
+
+Boolean. When `true`, the variable can be modified after installation.
+
+### applyOnChange
+
+Boolean. When `true`, changing this variable automatically restarts all apps or components that use it. When `false`, a change only takes effect after the app is upgraded or reinstalled. Stopping and starting the app manually has no effect.
+
+### type
+
+The expected type of the value. Used for validation before the value is accepted. Supported types: `int`, `bool`, `url`, `ip`, `domain`, `email`, `string`, `password`.
+
+### regex
+
+A regular expression the value must match. If validation fails, the value cannot be set and installation or upgrade may fail.
+
+### options
+
+Restricts the variable to a fixed list of allowed values. The system presents users with a selection UI.
+
+**Example**: a dropdown list of supported Windows versions for installation.
+
+```yaml
+# Dropdown: title shown in UI, value stored internally
+envs:
+  - envName: VERSION
+    options:
+      - title: "Windows 11 Pro"
+        value: "iso/Win11_24H2_English_x64.iso"
+      - title: "Windows 7 Ultimate"
+        value: "iso/win7_sp1_x64_1.iso"
+```
+
+### remoteOptions
+
+Loads the options list from a URL instead of defining it inline. The response body must be a JSON-encoded array in the same format as `options`.
+
+**Example**: options fetched from a remote endpoint.
+
+```yaml
+# Options list fetched from remote URL at install time
+envs:
+  - envName: VERSION
+    remoteOptions: https://app.cdn.olares.com/appstore/windows/version_options.json
+```
+
+### description
+
+A human-readable description of the variable's purpose and valid values. Displayed in the Olares interface.
+
+## Variable references
+
+### System environment variables
+
+The following table lists system-level environment variables that can be referenced via `valueFrom`.
+
+| Variable | Type | Default | Editable | Required | Description |
+| --- | --- | --- | --- | --- | --- |
+| `OLARES_SYSTEM_REMOTE_SERVICE` | `url` | `https://api.olares.com` | Yes | Yes | Remote service endpoint for Olares, such as Market and Olares Space. |
+| `OLARES_SYSTEM_CDN_SERVICE` | `url` | `https://cdn.olares.com` | Yes | Yes | CDN endpoint for system resources. |
+| `OLARES_SYSTEM_DOCKERHUB_SERVICE` | `url` | None | Yes | No | Docker Hub mirror or accelerator endpoint. |
+| `OLARES_SYSTEM_ROOT_PATH` | `string` | `/olares` | No | Yes | Olares root directory path. |
+| `OLARES_SYSTEM_ROOTFS_TYPE` | `string` | `fs` |  No | Yes | Olares filesystem type. |
+| `OLARES_SYSTEM_CUDA_VERSION` | `string` | None | No | No | Host CUDA version. |
+
+### User environment variables
+
+All user environment variables are editable by the user.
+
+#### User information
+
+| Variable | Type | Default | Description |
+| --- | --- | --- | --- |
+| `OLARES_USER_EMAIL` | `string` | None | User email address. |
+| `OLARES_USER_USERNAME` | `string` | None | Username. |
+| `OLARES_USER_PASSWORD` | `password` | None | User password. |
+| `OLARES_USER_TIMEZONE` | `string` | None | User timezone. For example, `Asia/Shanghai`. |
+
+#### SMTP settings
+
+| Variable | Type | Default | Description |
+| --- | --- | --- | --- |
+| `OLARES_USER_SMTP_ENABLED` | `bool` | None | Whether to enable SMTP. |
+| `OLARES_USER_SMTP_SERVER` | `domain` | None | SMTP server domain. |
+| `OLARES_USER_SMTP_PORT` | `int` | None | SMTP server port. Typically `465` or `587`. |
+| `OLARES_USER_SMTP_USERNAME` | `string` | None | SMTP username. |
+| `OLARES_USER_SMTP_PASSWORD` | `password` | None | SMTP password or authorization code. |
+| `OLARES_USER_SMTP_FROM_ADDRESS` | `email` | None | Sender email address. |
+| `OLARES_USER_SMTP_SECURE` | `bool` | `"true"` | Whether to use a secure protocol. |
+| `OLARES_USER_SMTP_USE_TLS` | `bool` | None | Whether to use TLS. |
+| `OLARES_USER_SMTP_USE_SSL` | `bool` | None | Whether to use SSL. |
+| `OLARES_USER_SMTP_SECURITY_PROTOCOLS` | `string` | None | Security protocol. Allowed values: `tls`, `ssl`, `starttls`, `none`. |
+
+#### Mirror and proxy endpoints
+
+| Variable | Type | Default | Description |
+| --- | --- | --- | --- |
+| `OLARES_USER_HUGGINGFACE_SERVICE` | `url` | `https://huggingface.co/` | Hugging Face service URL. |
+| `OLARES_USER_HUGGINGFACE_TOKEN` | `string` | None | Hugging Face access token. |
+| `OLARES_USER_PYPI_SERVICE` | `url` | `https://pypi.org/simple/` | PyPI mirror URL. |
+| `OLARES_USER_GITHUB_SERVICE` | `url` | `https://github.com/` | GitHub mirror URL. |
+| `OLARES_USER_GITHUB_TOKEN` | `string` | None | GitHub personal access token. |
+
+#### API keys
+
+| Variable | Type | Default | Description |
+| --- | --- | --- | --- |
+| `OLARES_USER_OPENAI_APIKEY` | `password` | None | OpenAI API key. |
+| `OLARES_USER_CUSTOM_OPENAI_SERVICE` | `url` | None | Custom OpenAI-compatible service URL. |
+| `OLARES_USER_CUSTOM_OPENAI_APIKEY` | `password` | None | API key for the custom OpenAI-compatible service. |

docs/developer/develop/app-sys-injected-variables.md

@@ -0,0 +1,216 @@
+---
+outline: [2, 4]
+description: Reference for runtime values injected into application `values.yaml` during Olares deployment.
+---
+
+# System-injected runtime values
+
+At deployment, Olares automatically injects a set of system-managed values into the app's `values.yaml`. These values are read-only and cover user identity, storage paths, cluster metadata, app dependencies, and middleware credentials.
+
+Because they are Helm values, they are not automatically available inside containers. To pass one into a container, map it explicitly under `env:` in your deployment template.
+
+## Use in your app
+
+Reference these values directly in your Helm templates, such as `deployment.yaml`.
+
+**Example**: pass the current username and Postgres host into container environment variables.
+
+```yaml
+# Pass system-injected runtime values into container environment variables
+spec:
+  containers:
+    - name: my-app
+      env:
+        - name: APP_USER
+          value: "{{ .Values.bfl.username }}"
+        - name: DB_HOST
+          value: "{{ .Values.postgres.host }}"
+```
+
+For the full list of available values, see [Value reference](#value-reference).
+
+## Value references
+
+The Type column describes the Helm value data type. It does not correspond to the `type` field in `OlaresManifest.yaml`.
+
+### User and identity
+
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.bfl.username` | String | Current username. |
+| `.Values.user.zone` | String | Current user's domain. |
+| `.Values.admin` | String | Administrator username. |
+
+### Application and system information
+
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.domain` | Map\<String,String> | App entrance URLs. Each entry maps an entrance name to its URL. |
+| `.Values.sysVersion` | String | Current Olares system version. |
+| `.Values.deviceName` | String | Device name. |
+| `.Values.downloadCdnURL` | String | CDN address used for system resource downloads. |
+
+### Storage paths
+
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.userspace.appData` | String | Cluster storage path for the app. Path: `/Data/<appname>`. |
+| `.Values.userspace.appCache` | String | Node-local cache path for the app. Path: `/Cache/<appname>`. |
+| `.Values.userspace.userData` | String | User's home data directory. Path: `/Files/Home/`. |
+| `.Values.sharedlib` | String | User's external storage directory. Path: `/Files/External/<devicename>/`. |
+
+### Cluster hardware metadata
+
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.cluster.arch` | String | Cluster CPU architecture, such as `amd64`. Mixed-architecture clusters are not supported. |
+| `.Values.nodes` | List\<NodeInfo> | Hardware metadata for each node in the cluster. |
+
+Each entry in `.Values.nodes` follows this structure:
+
+```json
+// Single entry in the .Values.nodes list
+[
+  {
+    "cudaVersion": "12.9",
+    "cpu": [
+      {
+        "coreNumber": 16,
+        "arch": "amd64",
+        "frequency": 4900000000,
+        "model": "151",
+        "modelName": "12th Gen Intel(R) Core(TM) i5-12600KF",
+        "vendor": "GenuineIntel"
+      }
+    ],
+    "memory": {
+      "total": 50351353856
+    },
+    "gpus": [
+      {
+        "vendor": "NVIDIA",
+        "arch": "Ada Lovelace",
+        "model": "4060",
+        "memory": 17175674880,
+        "modelName": "NVIDIA GeForce RTX 4060 Ti"
+      }
+    ]
+  }
+]
+```
+
+### Application dependencies
+
+When an app declares a dependency in `OlaresManifest.yaml`, Olares injects connection information into `values.yaml`.
+
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.deps` | Map\<String,Value> | Main entry host and port for each declared dependency. Keys follow the pattern `<entry_name>_host` and `<entry_name>_port`. |
+| `.Values.svcs` | Map\<String,Value> | All service hosts and ports for each declared dependency. Keys follow the pattern `<service_name>_host` and `<service_name>_port`. Port values are lists to support multiple ports per service. |
+
+**Example**: for a dependency with entry name `aserver` and service name `aserver-svc`.
+
+`.Values.deps`:
+```json
+{
+  "aserver_host": "aserver-svc.<namespace>",
+  "aserver_port": 80
+}
+```
+
+`.Values.svcs`:
+```json
+{
+  "aserver-svc_host": "aserver-svc.<namespace>",
+  "aserver-svc_port": [80]
+}
+```
+
+### Middleware values
+
+Middleware values are injected only after you declare the middleware dependency in the `middleware` section of `OlaresManifest.yaml`.
+
+PostgreSQL and Redis are preinstalled. MongoDB, MinIO, RabbitMQ, MySQL and MariaDB must be installed separately before your app can use them.
+
+#### MariaDB
+
+See [Integrate with MariaDB](/developer/develop/mw-integrate-with-mariadb.md) for installation and configuration details.
+
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.mariadb.host` | String | MariaDB host. |
+| `.Values.mariadb.port` | Number | MariaDB port. |
+| `.Values.mariadb.username` | String | MariaDB username. |
+| `.Values.mariadb.password` | String | MariaDB password. |
+| `.Values.mariadb.databases` | Map\<String,String> | Requested databases, keyed by database name. For example, a request for `app_db` is available at `.Values.mariadb.databases.app_db`. |
+
+#### MinIO
+
+See [Integrate with MinIO](/developer/develop/mw-integrate-with-minio.md) for installation and configuration details.
+
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.minio.host` | String | MinIO service host. |
+| `.Values.minio.port` | Number | MinIO service port. |
+| `.Values.minio.username` | String | MinIO access key. |
+| `.Values.minio.password` | String | MinIO secret key. |
+| `.Values.minio.buckets` | Map\<String,String> | Requested buckets, keyed by bucket name. For example, a request for `mybucket` is available at `.Values.minio.buckets.mybucket`. |
+
+#### MongoDB
+
+See [Integrate with MongoDB](/developer/develop/mw-integrate-with-mongodb.md) for installation and configuration details.
+
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.mongodb.host` | String | MongoDB host. |
+| `.Values.mongodb.port` | Number | MongoDB port. |
+| `.Values.mongodb.username` | String | MongoDB username. |
+| `.Values.mongodb.password` | String | MongoDB password. |
+| `.Values.mongodb.databases` | Map\<String,String> | Requested databases, keyed by database name. For example, a request for `app_db` is available at `.Values.mongodb.databases.app_db`. |
+
+#### MySQL
+
+See [Integrate with MySQL](/developer/develop/mw-integrate-with-mysql.md) for installation and configuration details.
+
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.mysql.host` | String | MySQL host. |
+| `.Values.mysql.port` | Number | MySQL port. |
+| `.Values.mysql.username` | String | MySQL username. |
+| `.Values.mysql.password` | String | MySQL password. |
+| `.Values.mysql.databases` | Map\<String,String> | Requested databases, keyed by database name. For example, a request for `app_db` is available at `.Values.mysql.databases.app_db`. |
+
+#### PostgreSQL
+
+See [Integrate with PostgreSQL](/developer/develop/mw-integrate-with-pg.md) for installation and configuration details.
+
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.postgres.host` | String | PostgreSQL host. |
+| `.Values.postgres.port` | Number | PostgreSQL port. |
+| `.Values.postgres.username` | String | PostgreSQL username. |
+| `.Values.postgres.password` | String | PostgreSQL password. |
+| `.Values.postgres.databases` | Map\<String,String> | Requested databases, keyed by database name. For example, a request for `app_db` is available at `.Values.postgres.databases.app_db`. |
+
+#### RabbitMQ
+
+See [Integrate with RabbitMQ](/developer/develop/mw-integrate-with-rabbitmq.md) for installation and configuration details.
+
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.rabbitmq.host` | String | RabbitMQ host. |
+| `.Values.rabbitmq.port` | Number | RabbitMQ port. |
+| `.Values.rabbitmq.username` | String | RabbitMQ username. |
+| `.Values.rabbitmq.password` | String | RabbitMQ password. |
+| `.Values.rabbitmq.vhosts` | Map\<String,String> | Requested vhosts, keyed by vhost name. For example, a request for `myvhost` is available at `.Values.rabbitmq.vhosts.myvhost`. |
+
+#### Redis
+
+See [Integrate with Redis](/developer/develop/mw-integrate-with-redis.md) for installation and configuration details.
+
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.redis.host` | String | Redis host. |
+| `.Values.redis.port` | Number | Redis port. |
+| `.Values.redis.password` | String | Redis password. |
+| `.Values.redis.namespaces` | Map\<String,String> | Requested namespaces, keyed by namespace name. For example, a request for `app_ns` is available at `.Values.redis.namespaces.app_ns`. |

docs/developer/develop/mw-integrate-with-es.md

@@ -32,9 +32,8 @@ middleware:
       - name: aaa
 ```
 
-## Inject environment variables
-
-In your deployment YAML, map the injected `.Values.elasticsearch.*` fields to the environment variables your app uses.
+## Map to environment variables
+In your deployment YAML, map the injected `.Values.elasticsearch.*` fields to the container environment variables your app requires.
 
 **Example**
 ```yaml
@@ -59,14 +58,14 @@ containers:
         value: "{{ .Values.elasticsearch.indexes.aaa }}"
 ```
 
-## Elasticsearch Values reference
+## Elasticsearch values reference
 
-Elasticsearch Values are predefined environment variables injected into `values.yaml` during deployment. They are system-managed and not user-editable.
+Elasticsearch values are predefined runtime values injected into `values.yaml` during deployment. They are system-managed and not user-editable.
 
-| Key  | Type  | Description  |
-|--|--|--|
-|`.Values.elasticsearch.host`| String | Elasticsearch service host |
-|`.Values.elasticsearch.port`| Number | Elasticsearch service port |
-|`.Values.elasticsearch.username`| String | Elasticsearch username |
-|`.Values.elasticsearch.password`| String | Elasticsearch password |
-|`.Values.elasticsearch.indexes` | Map<String,String> | The requested index name is used<br> as the key. For example, if you request `aaa`, the value is available at `.Values.elasticsearch.indexes.aaa`. |
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.elasticsearch.host` | String | Elasticsearch service host. |
+| `.Values.elasticsearch.port` | Number | Elasticsearch service port. |
+| `.Values.elasticsearch.username` | String | Elasticsearch username. |
+| `.Values.elasticsearch.password` | String | Elasticsearch password. |
+| `.Values.elasticsearch.indexes` | Map\<String,String> | Requested indexes, keyed by index name. For example, a request for `aaa` is available at `.Values.elasticsearch.indexes.aaa`. |

docs/developer/develop/mw-integrate-with-mariadb.md

@@ -31,9 +31,8 @@ middleware:
       - name: aaa
 ```
 
-## Inject environment variables
-
-In your deployment YAML, map the injected `.Values.mariadb.*` fields to the environment variables your app uses.
+## Map to environment variables
+In your deployment YAML, map the injected `.Values.mariadb.*` fields to the container environment variables your app requires.
 
 **Example**
 ```yaml
@@ -59,14 +58,13 @@ containers:
         value: "{{ .Values.mariadb.databases.aaa }}"
 ```
 
-## MariaDB Values reference
+## MariaDB values reference
+MariaDB values are predefined runtime values injected into `values.yaml` during deployment. They are system-managed and not user-editable.
 
-MariaDB Values are predefined environment variables injected into `values.yaml` during deployment. They are system-managed and not user-editable.
-
-| Key  | Type  | Description  |
-|--|--|--|
-| `.Values.mariadb.host` | String | MariaDB database host |
-| `.Values.mariadb.port` | Number | MariaDB database port |
-| `.Values.mariadb.username` | String | MariaDB database username |
-| `.Values.mariadb.password` | String | MariaDB database password |
-| `.Values.mariadb.databases` | Map<String,String> | The requested database name is used as the key. <br/>For example, if you request `aaa`, the value is available at `.Values.mariadb.databases.aaa`. |
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.mariadb.host` | String | MariaDB host. |
+| `.Values.mariadb.port` | Number | MariaDB port. |
+| `.Values.mariadb.username` | String | MariaDB username. |
+| `.Values.mariadb.password` | String | MariaDB password. |
+| `.Values.mariadb.databases` | Map\<String,String> | Requested databases, keyed by database name. For example, a request for `app_db` is available at `.Values.mariadb.databases.app_db`. |

docs/developer/develop/mw-integrate-with-minio.md

@@ -31,9 +31,8 @@ middleware:
       - name: mybucket
 ```
 
-## Inject environment variables
-
-In your deployment YAML, map the injected `.Values.minio.*` fields to the environment variables your app uses.
+## Map to environment variables
+In your deployment YAML, map the injected `.Values.minio.*` fields to the container environment variables your app requires.
 
 **Example**
 ```yaml
@@ -60,14 +59,14 @@ containers:
         value: "{{ .Values.minio.buckets.mybucket }}"
 ```
 
-## MinIO Values reference
+## MinIO values reference
 
-MinIO Values are predefined environment variables injected into `values.yaml` during deployment. They are system-managed and not user-editable.
+MinIO values are predefined runtime values injected into `values.yaml` during deployment. They are system-managed and not user-editable.
 
-| Key  | Type  | Description  |
-|--|--|--|
-| `.Values.minio.host` | String | MinIO service host |
-| `.Values.minio.port` | Number | MinIO service port |
-| `.Values.minio.username` | String | MinIO access key |
-| `.Values.minio.password` | String | MinIO secret key |
-| `.Values.minio.buckets` | Map<String,String> | The requested bucket name is used as the key. <br>For example, if you request `mybucket`, the value is available at `.Values.minio.buckets.mybucket`. |
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.minio.host` | String | MinIO service host. |
+| `.Values.minio.port` | Number | MinIO service port. |
+| `.Values.minio.username` | String | MinIO access key. |
+| `.Values.minio.password` | String | MinIO secret key. |
+| `.Values.minio.buckets` | Map\<String,String> | Requested buckets, keyed by bucket name. For example, a request for `mybucket` is available at `.Values.minio.buckets.mybucket`. |

docs/developer/develop/mw-integrate-with-mongodb.md

@@ -35,9 +35,9 @@ middleware:
       # Please make sure each line is a complete query.
 ```
 
-## Inject environment variables
+## Map to environment variables
 
-In your deployment YAML, map the injected `.Values.mongodb.*` fields to the environment variables your app uses.
+In your deployment YAML, map the injected `.Values.mongodb.*` fields to the container environment variables your app requires.
 
 **Example**
 ```yaml
@@ -63,14 +63,14 @@ containers:
         value: "{{ .Values.mongodb.databases.app_db }}"
 ```
 
-## MongoDB Values reference
+## MongoDB values reference
 
-MongoDB Values are predefined environment variables injected into `values.yaml` during deployment. They are system-managed and not user-editable.
+MongoDB values are predefined runtime values injected into `values.yaml` during deployment. They are system-managed and not user-editable.
 
-| Key  | Type  | Description  |
-|--|--|--|
-| `.Values.mongodb.host` | String  | MongoDB database host |
-| `.Values.mongodb.port` | Number  | MongoDB database port |
-| `.Values.mongodb.username` | String | MongoDB database username |
-| `.Values.mongodb.password`  | String | MongoDB database password |
-| `.Values.mongodb.databases` | Map<String,String> | The requested database name is used as the key. <br/>For example, if you request `app_db`, the value is available at `.Values.mongodb.databases.app_db`. |
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.mongodb.host` | String | MongoDB host. |
+| `.Values.mongodb.port` | Number | MongoDB port. |
+| `.Values.mongodb.username` | String | MongoDB username. |
+| `.Values.mongodb.password` | String | MongoDB password. |
+| `.Values.mongodb.databases` | Map\<String,String> | Requested databases, keyed by database name. For example, a request for `app_db` is available at `.Values.mongodb.databases.app_db`. |

docs/developer/develop/mw-integrate-with-mysql.md

@@ -31,9 +31,9 @@ middleware:
       - name: aaa
 ```
 
-## Inject environment variables
+## Map to environment variables
 
-In your deployment YAML, map the injected `.Values.mysql.*` fields to the environment variables your app uses.
+In your deployment YAML, map the injected `.Values.mysql.*` fields to the container environment variables your app requires.
 
 **Example**
 ```yaml
@@ -59,14 +59,14 @@ containers:
         value: "{{ .Values.mysql.databases.aaa }}"
 ```
 
-## MySQL Values reference
+## MySQL values reference
 
-MySQL Values are predefined environment variables injected into `values.yaml` during deployment. They are system-managed and not user-editable.
+MySQL values are predefined runtime values injected into `values.yaml` during deployment. They are system-managed and not user-editable.
 
-| Key  | Type  | Description  |
-|--|--|--|
-| `.Values.mysql.host` | String | MySQL database host |
-| `.Values.mysql.port` | Number | MySQL database port |
-| `.Values.mysql.username` | String | MySQL database username |
-| `.Values.mysql.password` | String | MySQL database password |
-| `.Values.mysql.databases` | Map<String,String> | The requested database name is used as the key. <br/>For example, if you request `aaa`, the value is available at `.Values.mysql.databases.aaa`. |
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.mysql.host` | String | MySQL host. |
+| `.Values.mysql.port` | Number | MySQL port. |
+| `.Values.mysql.username` | String | MySQL username. |
+| `.Values.mysql.password` | String | MySQL password. |
+| `.Values.mysql.databases` | Map\<String,String> | Requested databases, keyed by database name. For example, a request for `app_db` is available at `.Values.mysql.databases.app_db`. |

docs/developer/develop/mw-integrate-with-pg.md

@@ -38,9 +38,9 @@ middleware:
       - COMMIT;
 ```
 
-## Inject environment variables
+## Map to environment variables
 
-In your deployment YAML, map the injected `.Values.postgres.*` fields to the environment variables your app uses.
+In your deployment YAML, map the injected `.Values.postgres.*` fields to the container environment variables your app requires.
 
 **Example**
 ```yaml
@@ -69,13 +69,14 @@ containers:
         value: {{ .Values.postgres.password }}
 ```
 
-## PostgreSQL Values reference
+## PostgreSQL values reference
 
-PostgreSQL Values are predefined environment variables injected into `values.yaml` during deployment. They are system-managed and not user-editable.
-| Key  | Type  | Description  |
-|--|--|--|
-| `.Values.postgres.host` | String  | PostgreSQL database host |
-| `.Values.postgres.port` | Number | PostgreSQL database port |
-| `.Values.postgres.username`  | String | PostgreSQL database username |
-| `.Values.postgres.password`  | String | PostgreSQL database password |
-| `.Values.postgres.databases` | Map<String,String> | The requested database name is used as the key. <br>For example, if you request `app_db`, the value is available at `.Values.postgres.databases.app_db`|
+PostgreSQL values are predefined runtime values injected into `values.yaml` during deployment. They are system-managed and not user-editable.
+
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.postgres.host` | String | PostgreSQL host. |
+| `.Values.postgres.port` | Number | PostgreSQL port. |
+| `.Values.postgres.username` | String | PostgreSQL username. |
+| `.Values.postgres.password` | String | PostgreSQL password. |
+| `.Values.postgres.databases` | Map\<String,String> | Requested databases, keyed by database name. For example, a request for `app_db` is available at `.Values.postgres.databases.app_db`. |

docs/developer/develop/mw-integrate-with-rabbitmq.md

@@ -31,9 +31,9 @@ middleware:
       - name: aaa
 ```
 
-## Inject environment variables
+## Map to environment variables
 
-In your deployment YAML, map the injected `.Values.rabbitmq.*` fields to the environment variables your app uses.
+In your deployment YAML, map the injected `.Values.rabbitmq.*` fields to the container environment variables your app requires.
 
 **Example**
 ```yaml
@@ -78,14 +78,14 @@ portMQ := os.Getenv("RABBITMQ_PORT")
 url := fmt.Sprintf("amqp://%s:%s@%s:%s/%s", user, password, host, portMQ, vhost)
 ```
 
-## RabbitMQ Values reference
+## RabbitMQ values reference
 
-RabbitMQ Values are predefined environment variables injected into `values.yaml` during deployment. They are system-managed and not user-editable.
+RabbitMQ values are predefined runtime values injected into `values.yaml` during deployment. They are system-managed and not user-editable.
 
-| Key  | Type  | Description  |
-|--|--|--|
-| `.Values.rabbitmq.host` | String | RabbitMQ service host |
-| `.Values.rabbitmq.port` | Number | RabbitMQ service port |
-| `.Values.rabbitmq.username` | String | RabbitMQ username |
-| `.Values.rabbitmq.password` | String | RabbitMQ password |
-| `.Values.rabbitmq.vhosts` | Map<String,String> | The requested vhost name is used as the key. <br/>For example, if you request `aaa`, the value is available at `.Values.rabbitmq.vhosts.aaa`. |
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.rabbitmq.host` | String | RabbitMQ host. |
+| `.Values.rabbitmq.port` | Number | RabbitMQ port. |
+| `.Values.rabbitmq.username` | String | RabbitMQ username. |
+| `.Values.rabbitmq.password` | String | RabbitMQ password. |
+| `.Values.rabbitmq.vhosts` | Map\<String,String> | Requested vhosts, keyed by vhost name. For example, a request for `myvhost` is available at `.Values.rabbitmq.vhosts.myvhost`. |

docs/developer/develop/mw-integrate-with-redis.md

@@ -25,9 +25,9 @@ middleware:
     namespace: db0
 ```
 
-## Inject environment variables
+## Map to environment variables
 
-In your deployment YAML, map the injected `.Values.redis.*` fields to the environment variables your app uses.
+In your deployment YAML, map the injected `.Values.redis.*` fields to the container environment variables your app requires.
 
 **Example**
 ```yaml
@@ -54,12 +54,13 @@ containers:
         value: {{ .Values.redis.namespaces.<namespace> }}
 ```
 
-## Redis Values reference
+## Redis values reference
 
-Redis Values are predefined environment variables injected into `values.yaml` during deployment. They are system-managed and not user-editable.
-| Key  | Type  | Description  |
-|--|--|--|
-| `.Values.redis.host` | String | Redis service host |
-| `.Values.redis.port` | Number  | Redis service port |
-| `.Values.redis.password`| String | Redis service password |
-| `.Values.redis.namespaces` | Map<String, String> | The requested namespace is used as the key. <br>For example, if you request `app_ns`, the value is available at `.Values.redis.namespaces.app_ns`. |
+Redis values are predefined runtime values injected into `values.yaml` during deployment. They are system-managed and not user-editable.
+
+| Value | Type | Description |
+| --- | --- | --- |
+| `.Values.redis.host` | String | Redis host. |
+| `.Values.redis.port` | Number | Redis port. |
+| `.Values.redis.password` | String | Redis password. |
+| `.Values.redis.namespaces` | Map\<String,String> | Requested namespaces, keyed by namespace name. For example, a request for `app_ns` is available at `.Values.redis.namespaces.app_ns`. |

docs/developer/develop/package/manifest.md

@@ -7,7 +7,15 @@ outline: [2, 3]
 Every **Olares Application Chart** should include an `OlaresManifest.yaml` file in the root directory. `OlaresManifest.yaml` provides all the essential information about an Olares App. Both the **Olares Market protocol** and the Olares depend on this information to distribute and install applications.
 
 :::info NOTE
-Latest Olares Manifest version: `0.10.0`
+Latest Olares Manifest version: `0.11.0`
+- Removed deprecated fields of sysData
+- Updated the example of shared app
+- Added the apiVersion
+- Added the sharedEntrance section
+
+:::
+:::details Changelog
+`0.10.0`
 - Modified the `categories` field
 - Added the `provider` field in the Permission section
 - Added the Provider section, to allow apps to expose specific service interfaces within the cluster
@@ -15,8 +23,7 @@ Latest Olares Manifest version: `0.10.0`
 - Removed some deprecated fields from the Option section
 - Added the `allowMultipleInstall` field, allowing the app to be installed as multiple independent instances
 - Added the Envs section, to define environment variables required by the application
-:::
-:::details Changelog
+
 `0.9.0`
 - Added a `conflict` field in `options` to declare incompatible applications
 - Removed `analytics` field in `options`
@@ -82,7 +89,7 @@ spec:
   website: https://link.to.your.website
   sourceCode: https://link.to.sourceCode
   submitter: Submitter's Name
-  language:
+  locale:
   - en
   doc: https://link.to.documents
   supportArch:
@@ -130,6 +137,13 @@ olaresManifest.version: 1.1.0
 olaresManifest.version: '2.2'
 olaresManifest.version: "3.0.122"
 ```
+## apiVersion
+- Type: `string`
+- Optional
+- Accepted Value: `v1`,`v2`
+- Default: `v1`
+
+For shared applications, use version `v2`, which supports multiple subcharts in a single OAC. For other applications, use `v1`.
 
 ## Metadata
 
@@ -152,7 +166,7 @@ metadata:
 ### name
 
 - Type: `string`
-- Accepted Value: `[a-z][a-z0-9]?`
+- Accepted Value: `^[a-z][a-z0-9]{0,29}$`
 
 App’s namespace in Olares, lowercase alphanumeric characters only. It can be up to 30 characters, and needs to be consistent with `FolderName` and `name` field in `Chart.yaml`.
 
@@ -160,7 +174,7 @@ App’s namespace in Olares, lowercase alphanumeric characters only. It can be u
 
 - Type: `string`
 
-The title of your app title shown in the Olares Market.  Must be within `30` characters.
+The title of your app shown in the Olares Market. Must be within `30` characters.
 
 ### description
 
@@ -189,8 +203,7 @@ The **Chart Version** of the application. It should be incremented each time the
 Used to display your app on different category page in Olares Market.
 
 Accepted Value for OS 1.11:
-
-`Blockchain`, `Utilities`, `Social Network`, `Entertainment`, `Productivity`
+- `Blockchain`, `Utilities`, `Social Network`, `Entertainment`, `Productivity`
 
 Accepted Value for OS 1.12: 
 - `Creativity`
@@ -201,14 +214,13 @@ Accepted Value for OS 1.12:
 - `Utilities_v112` (displayed as Utilities)
 - `AI`
 
-
 :::info NOTE
 Olares Market categories were updated in OS 1.12.0. To ensure your app is compatible with both versions 1.11 and 1.12, include category values for both versions in your configuration.
 :::
 
 ## Entrances
 
-The number of entrances through which to access the app.  You must specify at least 1 access method, with a maximum of 10 allowed.
+The entrances (up to 10) that users can use to access the app. At least 1 is required.
 
 :::info Example
 ```yaml
@@ -322,6 +334,24 @@ To ensure a seamless user experience, you can enable this option by setting it t
 ```
 :::
 
+
+## sharedEntrances
+
+A shared entrance is an internal address provided by a shared application for other applications within the cluster to access. The field configuration for shared entrances is basically the same as for regular entrances. A typical shared entrance configuration is shown below.
+
+:::info Example
+```yaml
+sharedEntrances:
+  - name: ollamav2
+    host: sharedentrances-ollama
+    port: 0
+    title: Ollama API
+    icon: https://app.cdn.olares.com/appstore/ollama/icon.png
+    invisible: true
+    authLevel: internal
+```
+:::
+
 ## Ports
 
 Specify exposed ports
@@ -338,15 +368,50 @@ ports:
 ```
 :::
 
+### exposePort
+- Type: `int`
+- Optional
+- Accepted Value: `0-65535`, except reserved ports `22`, `80`, `81`, `443`, `444`, `2379`, `18088`.
+
 Olares will expose the ports you specify for an application, which are accessible via the application domain name in the local network, for example: `84864c1f.your_olares_id.olares.com:46879`. For each port you expose, Olares configures both TCP and UDP with the same port number.
 
-When the `addToTailscaleAcl` field is set to `true`, the system will automatically assign a random port and add it to the Tailscale ACLs.
-
-
 :::info NOTE
 The exposed ports can only be accessed on the local network or through a VPN.
 :::
 
+### protocol
+- Type: `string`
+- Optional
+- Accepted Value: `udp`, `tcp`
+
+The protocol used for the exposed port. If specified, Olares exposes only the specified protocol. If omitted, Olares exposes both UDP and TCP by default.
+
+### addToTailscaleAcl
+- Type: `boolean`
+- Optional
+- Default: `false`
+
+When the `addToTailscaleAcl` field is set to `true`, the system will automatically assign a random port and add it to the Tailscale ACLs.
+
+## Tailscale
+- Type: `map`
+- Optional
+
+Allow applications to add Access Control Lists (ACL) in Tailscale to open specified ports.
+
+:::info Example
+```yaml
+tailscale:
+  acls:
+  - proto: tcp
+    dst:
+    - "*:46879"
+  - proto: "" # Optional. If not specified, all supported protocols will be allowed.
+    dst:
+    -  "*:4557"    
+```
+:::
+
 ## Permission
 
 :::info Example
@@ -380,51 +445,6 @@ Whether the app requires read and write permission to the `Data` folder. If `.Va
 
 Whether the app requires read and write permission to user's `Home` folder. List all directories that the application needs to access under the user's `Home`. All `userData` directory configured in the deployment YAML, must be included here.
 
-### sysData
-
-- Type: `list<map>`
-- Optional
-
-Declare the list of APIs that this app needs to access.
-
-:::info NOTE
-This configuration has been deprecated since version 1.12.0.
-:::
-
-:::info Example
-```yaml
-  sysData:
-  - group: service.bfl
-    dataType: app
-    version: v1
-    ops:
-    - InstallDevApp
-  - dataType: legacy_prowlarr
-    appName: prowlarr
-    port: 9696
-    group: api.prowlarr
-    version: v2
-    ops:
-    - All
-```
-:::
-
-All system API [providers](../advanced/provider.md) are list below:
-| Group | version | dataType | ops |
-| ----------- | ----------- | ----------- | ----------- |
-| service.appstore | v1 | app | InstallDevApp, UninstallDevApp
-| message-dispatcher.system-server | v1 | event | Create, List
-| service.desktop | v1 | ai_message | AIMessage
-| service.did | v1 | did | ResolveByDID, ResolveByName, Verify
-| api.intent | v1 | legacy_api | POST
-| service.intent | v1 | intent | RegisterIntentFilter, UnregisterIntentFilter, SendIntent, QueryIntent, ListDefaultChoice, CreateDefaultChoice, RemoveDefaultChoice, ReplaceDefaultChoice
-| service.message | v1 | message | GetContactLogs, GetMessages, Message
-| service.notification | v1 | message | Create
-| service.notification | v1 | token | Create
-| service.search | v1 | search | Input, Delete, InputRSS, DeleteRSS, QueryRSS, QuestionAI
-| secret.infisical | v1 | secret | CreateSecret, RetrieveSecret
-| secret.vault | v1 | key | List, Info, Sign
-
 ### provider
 
 - Type: `list<map>`
@@ -461,25 +481,6 @@ provider:
 ```
 :::
 
-## Tailscale
-- Type: `map`
-- Optional
-
-Allow applications to add Access Control Lists (ACL) in Tailscale to open specified ports.
-
-:::info Example
-```yaml
-tailscale:
-  acls:
-  - proto: tcp
-    dst:
-    - "*:46879"
-  - proto: "" # Optional. If not specified, all supported protocols will be allowed.
-    dst:
-    -  "*:4557"    
-```
-:::
-
 ## Spec
 Additional information about the application, primarily used for display in the Olares Market.
 
@@ -607,7 +608,7 @@ When set to `true`, Olares forces the application to run under user ID `1000` (a
 - Type: `map`
 - Optional
 
-The Olares provides highly available middleware services. Developers do not need to install middleware repeatedly. Just simply add required middleware here, You can then directly use the corresponding middleware information in the application's deployment YAML file.
+Olares provides highly available middleware services. Developers do not need to install middleware repeatedly. Add the required middleware here, then use the corresponding middleware values in the application's deployment YAML file.
 
 Use the `scripts` field to specify scripts that should be executed after the database is created. Additionally, use the `extension` field to add the corresponding extension in the  database.
 
@@ -803,10 +804,10 @@ Use the middleware information in deployment YAML
 
 ## Options
 
-Configure system-related options here.
+Configure Olares OS related options here.
 
 ### policies
-- Type: `map`
+- Type: `list<map>`
 - Optional
 
 Define detailed access control for subdomains of the app.
@@ -823,38 +824,35 @@ options:
 ```
 :::
 
-### clusterScoped
+### appScope
 - Type: `map`
 - Optional
 
-Whether this app is installed for all users in an Olares cluster.
+Specifies whether the app should be installed for all users in the Olares cluster. For shared apps, set `clusterScoped` to `true` and provide the current app's name in the `appRef` field.
 
-:::info Example For Server
+:::info Example of ollamav2
 ```yaml
 metadata:
-  name: gitlab
+  name: ollamav2
 options:
   appScope:
+  {{- if and .Values.admin .Values.bfl.username (eq .Values.admin .Values.bfl.username) }}  # Only the administrator installs the shared service
     clusterScoped: true
     appRef:
-      - gitlabclienta #app name of clients
-      - gitlabclientb
-```
-:::
-
-:::info Example For Client
-```yaml
-metadata:
-  name: gitlabclienta
-options:
+      - ollamav2 # the name of current app specified in metadata.name
+  {{- else }}
+    clusterScoped: false
+  {{- end }}
   dependencies:
     - name: olares
-      version: ">=0.3.6-0"
+      version: '>=1.12.3-0'
       type: system
-    - name: gitlab #app name of server
-      version: ">=0.0.1"
+  {{- if and .Values.admin .Values.bfl.username (eq .Values.admin .Values.bfl.username) }}
+  {{- else }}
       type: application
-      mandatory: true
+      version: '>=1.0.1'
+      mandatory: true   # Other users install the client, depend on the shared service installed by the admin
+  {{- end }}
 ```
 :::
 
@@ -880,6 +878,24 @@ options:
 ```
 :::
 
+### conflicts
+- Type: `list<map>`
+- Optional
+
+List other applications that conflict with this app here. Conflicting apps must be uninstalled before this app can be installed.
+
+:::info Example
+```yaml
+options:
+  conflicts:
+  - name: comfyui
+    type: application
+  - name: comfyuiclient
+    type: application  
+```
+:::
+
+
 ### mobileSupported
 - Type: `boolean`
 - Default: `false`
@@ -927,9 +943,8 @@ apiTimeout: 0
 :::
 
 
-
 ### allowedOutboundPorts
-- Type: `map`
+- Type: `list<int>`
 - Optional
 
 ​​The specified ports will be opened to allow external access via non-HTTP protocols, such as SMTP.
@@ -1027,4 +1042,4 @@ provider:
   paths: ["/api*"]       # API paths to expose; cannot consist of * only
   verbs: ["*"]           # Supported: post, get, put, delete, patch; "*" allows all methods
 ```
-:::
+:::

docs/developer/install/environment-variables.md

@@ -15,128 +15,147 @@ To customize the installation process, you can set the environment variables bef
 export KUBE_TYPE=k8s \
 && curl -sSfL https://olares.sh | bash -
 ```
+
 Or, if you have already downloaded the installation script `install.sh`:
 
 ```bash
 # Specify Kubernetes (k8s) instead of k3s
 export KUBE_TYPE=k8s && bash install.sh
 ```
-Both methods achieve the same result. The environment variable `KUBE_TYPE` will be passed to the script, and the script will use it to modify its behavior.
+
+Both methods achieve the same result. The environment variable `KUBE_TYPE` is passed to the installation script and modifies its behavior accordingly.
 
 ## Environment variables reference
 
-The section lists all the environment variables, along with their default values, optional values, and descriptions. Configure them as needed.
+The section lists all the environment variables, along with their default values, optional values, and descriptions. Configure them as needed. 
 
-### `CLOUDFLARE_ENABLE`
-Specifies whether to enable the Cloudflare proxy.
+### CLOUDFLARE_ENABLE 
+
+Specifies whether to enable the Cloudflare proxy. 
+- **Valid values**: 
+    - `0` (disable) 
+    - `1` (enable) 
+- **Default**: `0` 
+
+### FRP_AUTH_METHOD 
+
+Sets the FRP authentication method. 
+- **Valid values**: 
+    - `jws `
+    - `token` (requires `FRP_AUTH_TOKEN`) 
+    - (empty) – No authentication 
+- **Default**: `jws` 
+
+### FRP_AUTH_TOKEN 
+
+Specifies the token for FRP communication (required if `FRP_AUTH_METHOD=token`). 
+- **Valid values**: Any non-empty string 
+- **Default**: None 
+
+### FRP_ENABLE 
+
+Specifies whether to enable FRP for internal network tunneling. Requires additional FRP-related variables if using a custom server. 
+- **Valid values**: 
+    - `0` (disable) 
+    - `1` (enable) 
+- **Default**: `0` 
+
+### FRP_PORT 
+
+Specifies the FRP server's listening port. 
+- **Valid values**: An integer in the range `1–65535` 
+- **Default**: `7000` (if not set or set to `0`) 
+
+### JUICEFS 
+
+Installs [JuiceFS](https://juicefs.com/) alongside Olares. 
+- **Valid values**: `1` 
+- **Default**: None (does not install JuiceFS if not set) 
+
+### KUBE_TYPE 
+
+Determines the Kubernetes distribution to install. 
+- **Valid values**: 
+    - `k8s`(full Kubernetes) 
+    - `k3s` (lightweight Kubernetes) 
+- **Default**: `k3s` 
+
+### LOCAL_GPU_ENABLE 
+Specifies whether to enable GPU support and install related drivers. 
+- **Valid values**: 
+    - `0` (disable) 
+    - `1` (enable) 
+- **Default**: `0` 
+
+### LOCAL_GPU_SHARE 
+
+Specifies whether to enable GPU sharing. Applies only if GPU is enabled. 
 - **Valid values**:
-  - `0` (disable)
-  - `1` (enable)
-- **Default**: `0`
+    - `0` (disable) 
+    - `1` (enable) 
+- **Default**: `0` 
 
-### `FRP_AUTH_METHOD`
-Sets the FRP authentication method.
-- **Valid values**:
-  - `jws`
-  - `token` (requires `FRP_AUTH_TOKEN`)
-  - (empty) – No authentication
-- **Default**: `jws`
+### NVIDIA_CONTAINER_REPO_MIRROR 
 
-### `FRP_AUTH_TOKEN`
-Specifies the token for FRP communication (required if `FRP_AUTH_METHOD=token`).
-- **Valid values**: Any non-empty string
-- **Default**: None
+Specifies the APT repository mirror for installing NVIDIA Container Toolkit. 
+- **Valid values**: 
+    - `nvidia.github.io` 
+    - `mirrors.ustc.edu.cn` (recommended for better connectivity in mainland China) 
+- **Default**: `nvidia.github.io` 
 
-### `FRP_ENABLE`
-Specifies whether to enable FRP for internal network tunneling. Requires additional FRP-related variables if using a custom server.
-- **Valid values**:
-  - `0` (disable)
-  - `1` (enable)
-- **Default**: `0`
+### PREINSTALL 
 
-### `FRP_PORT`
-Specifies the FRP server's listening port.
-- **Valid values**: An integer in the range `1–65535`
-- **Default**: `7000` (if not set or set to `0`)
+Runs only the pre-installation phase (system dependency setup) without proceeding to the full Olares installation. 
+- **Valid values**: `1` 
+- **Default**: None (performs full installation if not set) 
 
-### `JUICEFS`
-Installs [JuiceFS](https://juicefs.com/) alongside Olares.
-- **Valid values**: `1`
-- **Default**: None (does not install JuiceFS if not set)
+### PUBLICLY_ACCESSIBLE 
 
-### `KUBE_TYPE`
-Determines the Kubernetes distribution to install.
-- **Valid values**:
-  - `k8s` (full Kubernetes)
-  - `k3s` (lightweight Kubernetes)
-- **Default**: `k3s`
-
-### `LOCAL_GPU_ENABLE`
-Specifies whether to enable GPU support and install related drivers.
-- **Valid values**:
-  - `0` (disable)
-  - `1` (enable)
-- **Default**: `0`
-
-### `LOCAL_GPU_SHARE`
-Specifies whether to enable GPU sharing. Applies only if GPU is enabled.
-- **Valid values**:
-  - `0` (disable)
-  - `1` (enable)
-- **Default**: `0`
-
-### `NVIDIA_CONTAINER_REPO_MIRROR`
-Specifies the APT repository mirror for installing NVIDIA Container Toolkit.
-- **Valid values**:
-  - `nvidia.github.io`
-  - `mirrors.ustc.edu.cn` (recommended for better connectivity in mainland China)
-- **Default**: `nvidia.github.io`
-
-### `PREINSTALL`
-Runs only the pre-installation phase (system dependency setup) without proceeding to the full Olares installation.
-- **Valid values**: `1`
-- **Default**: None (performs full installation if not set)
-
-### `PUBLICLY_ACCESSIBLE`
 Explicitly specifies that this machine is accessible publicly on the internet, and a reverse proxy should not be used.
 - **Valid values**: 
-  - `0` (false)
-  - `1` (true)
-- **Default**: `0`
+    - `0` (false) 
+    - `1` (true) 
+- **Default**: `0` 
 
+### REGISTRY_MIRRORS 
 
-### `REGISTRY_MIRRORS`
-Specifies a custom Docker registry mirror for faster image pulls.
-- **Valid values**: `https://mirrors.olares.com` or any other valid URL
-- **Default**: `https://registry-1.docker.io`
+Specifies a custom Docker registry mirror for faster image pulls. 
+- **Valid values**: `https://mirrors.olares.com` or any other valid URL 
+- **Default**: `https://registry-1.docker.io` 
 
-### `TERMINUS_IS_CLOUD_VERSION`
-Marks the machine explicitly as a cloud instance.
-- **Valid values**: `true`
-- **Default**: None
+### TERMINUS_IS_CLOUD_VERSION 
 
-### `TERMINUS_OS_DOMAINNAME`
-Sets the domain name before installation to skip the interactive prompt.
-- **Valid values**: Any valid domain name
-- **Default**: None (prompts for domain name if not set)
+Marks the machine explicitly as a cloud instance. 
+- **Valid values**: `true` 
+- **Default**: None 
 
-### `TERMINUS_OS_EMAIL`
-Specifies the email address to use instead of a generated one.
-- **Valid values**: Any valid email address
-- **Default**: None (a temporary email is generated if not set)
+### TERMINUS_OS_DOMAINNAME 
 
-### `TERMINUS_OS_PASSWORD`
-Specifies the password to use instead of a generated one.
-- **Valid values**: A valid password with 6–32 characters
-- **Default**: A randomly generated 8-character password
+Sets the domain name before installation to skip the interactive prompt. 
+- **Valid values**: Any valid domain name 
+- **Default**: None (prompts for domain name if not set) 
 
-### `TERMINUS_OS_USERNAME`
-Specifies the username before installation to skip the interactive prompt.
-- **Valid values**: Any valid username (2–250 characters, excluding reserved keywords)
-- **Default**: None (prompts for username if not set)
-- **Validation**: Reserved keywords include `user`, `system`, `space`, `default`, `os`, `kubesphere`, `kube`, `kubekey`, `kubernetes`, `gpu`, `tapr`, `bfl`, `bytetrade`, `project`, `pod`
+### TERMINUS_OS_EMAIL 
 
-### `TOKEN_MAX_AGE`
-Sets the maximum validity period for a token (in seconds).
-- **Valid values**: Any integer (in seconds)
+Specifies the email address to use instead of a generated one. 
+- **Valid values**: Any valid email address 
+- **Default**: None (a temporary email is generated if not set) 
+
+### TERMINUS_OS_PASSWORD 
+
+Specifies the password to use instead of a generated one. 
+- **Valid values**: A valid password with 6–32 characters 
+- **Default**: A randomly generated 8-character password 
+
+### TERMINUS_OS_USERNAME 
+
+Specifies the username before installation to skip the interactive prompt. 
+- **Valid values**: Any valid username (2–250 characters, excluding reserved keywords) 
+- **Default**: None (prompts for username if not set) 
+- **Validation**: Reserved keywords include `user`, `system`, `space`, `default`, `os`, `kubesphere`, `kube`, `kubekey`, `kubernetes`, `gpu`, `tapr`, `bfl`, `bytetrade`, `project`, `pod`. 
+
+### TOKEN_MAX_AGE 
+
+Sets the maximum validity period for a token (in seconds). 
+- **Valid values**: Any integer (in seconds) 
 - **Default**: `31536000` (365 days)

docs/manual/best-practices/local-access.md

@@ -187,6 +187,6 @@ If the IP address starts with `192.168`, it indicates successful configuration.
 
 ## FAQs
 
-<!--@include: ../../reusables/larepass-vpn.md{50,75}-->
+<!--@include: ../../reusables/larepass-vpn.md{50,57}-->
 
 <!--@include: ../../reusables/local-domain.md{42,75}-->

docs/manual/get-started/local-access.md

@@ -39,7 +39,7 @@ No setup is needed. Use the local URL in your browser (for example, `http://desk
 
 ### FAQs
 
-<!--@include: ../../reusables/larepass-vpn.md{50,75}-->
+<!--@include: ../../reusables/larepass-vpn.md{50,57}-->
 
 <!--@include: ../../reusables/local-domain.md{42,75}-->
 

docs/manual/help/ts-larepass-vpn-not-working.md

@@ -0,0 +1,65 @@
+---
+outline: [2, 3]
+description: Troubleshoot LarePass VPN not working on macOS or Windows.
+---
+
+# LarePass VPN not working
+
+Use this guide when the LarePass VPN toggle does nothing, the VPN stays stuck in "connecting", or a previously working VPN connection suddenly stops on macOS or Windows.
+
+## Condition
+
+**macOS** 
+- Clicking the VPN toggle in the LarePass desktop client does nothing, or the VPN status stays stuck in "connecting".
+- LarePass VPN used to work on this device but now fails to connect or drops immediately.
+**Windows** 
+- Clicking the VPN toggle in the LarePass desktop client does nothing, or the VPN cannot be enabled.
+
+## Cause
+
+-  **macOS**: LarePass VPN requires both a system-level network extension and a VPN configuration to be fully set up. If you skipped or did not complete either step during the initial setup prompt, or if the network extension has become stuck or corrupted, macOS will block LarePass from creating the VPN tunnel.
+
+- **Windows**: Third-party antivirus or security software may mistakenly flag the LarePass desktop client as suspicious, preventing the VPN service from starting.
+
+## Solution
+
+### macOS
+
+Reset the network extension and complete the full setup flow to restore the VPN.
+
+:::info
+Depending on your macOS version, the UI might look slightly different.
+:::
+
+1. Open **System Settings**, search for "Extension", and select **Extensions**.
+2. Scroll to the **Network Extensions** section and click <span class="material-symbols-outlined">info</span> to view loaded extensions.
+   ![Network Extensions section in System Settings](/images/manual/help/ts-vpn-network-extensions.png#bordered){width=70%}
+
+3. Find **LarePass**, click the three dots (**...**), and select **Delete Extension**.
+4. Confirm the uninstallation.
+5. Restart your Mac.
+6. Open the LarePass desktop client and re-enable the VPN.
+7. Complete the system prompts to restore the extension and VPN configuration:
+
+   a. When macOS prompts to add the LarePass network extension, click **Open System Settings**.
+   ![Prompt to add LarePass network extension](/images/manual/help/ts-vpn-add-network-extension.png#bordered){width=40%}
+
+   b. Toggle on **LarePass**.
+   ![Toggle on LarePass network extension](/images/manual/help/ts-vpn-toggle-on-network-extension.png#bordered){width=70%}
+
+   c. When prompted to add VPN configurations, click **Allow**.
+   ![Prompt to add VPN configuration](/images/manual/help/ts-vpn-add-vpn-configuration.png#bordered){width=40%}
+
+### Windows
+
+:::info LarePass blocked on first launch
+If your antivirus blocked LarePass when you first opened it after installation, allow the app in your security software before following the steps below.
+:::
+
+1. In your antivirus or security software, open the **Allowlist**, **Exclusions**, or **Exceptions** settings.
+2. Add the main LarePass executable or installation directory to the allowlist. Common locations include:
+   - `C:\Users\<your-username>\AppData\Local\LarePass\`
+   - `C:\Program Files\LarePass\`
+3. Apply the changes and restart your antivirus or security software if required.
+4. Quit and reopen the LarePass desktop client.
+5. Try enabling **VPN connection** again from within LarePass.

docs/one/access-olares-via-vpn.md

@@ -34,4 +34,4 @@ While this address works from anywhere, it's recommended to enable the LarePass
 
 ## Troubleshooting
 
-<!--@include: ../reusables/larepass-vpn.md{50,74}-->
+<!--@include: ../reusables/larepass-vpn.md{50,57}-->

docs/one/redeem-membership.md

@@ -4,12 +4,12 @@ description: Learn how to redeem your complimentary Olares Space Basic membershi
 head:
   - - meta
     - name: keywords
-      content: Olares, Olares One, Olares Space, redeem membership card, kickstarter backers, Basic plan
+      content: Olares, Olares One, Olares Space, redeem membership card, Basic plan, kickstarter backers
 ---
 
-# Redeem Olares Space membership <Badge type="tip" text="Kickstarter Backers Only" />
+# Redeem Olares Space membership
 
-If you backed Olares One on Kickstarter, your package includes an "Olares Space Membership" card. This card grants you a complimentary 2-year Basic membership to use the enhanced connectivity services provided by Olares Space.
+Depending on your purchase channel such as the Kickstarter campaign, your Olares One package might include an Olares Space Membership card. This card grants you a complimentary 2-year Basic membership to use the enhanced connectivity services provided by Olares Space.
 
 :::tip Olares One is a one-time purchase
 Your Olares One hardware and system updates are free forever.
@@ -24,6 +24,7 @@ Olares Space is a secure connectivity platform that extends the capabilities of
 * **Remote access (FRP)**: High-speed remote connection with 50 GB of monthly traffic at speeds up to 50 Mbps. This includes access to regional acceleration nodes for faster response times. If you exceed the monthly quota, speed is throttled to 5 Mbps. The free alternative is to use the LarePass VPN or host your own FRP server.
 
 ## Log in to Olares Space
+
 1. Go to https://space.olares.com.
 
     ![Olares Space login page](/images/one/olares-space-login.png#bordered)
@@ -40,21 +41,23 @@ Olares Space is a secure connectivity platform that extends the capabilities of
     ![Log in to Olares Space](/images/one/login-olares-space.png#bordered)
 
 ## Redeem Basic plan
+
 :::info
 The 2-year validity period begins the moment you successfully bind your email to an Olares ID.
 :::
-To redeem your benefits, you must verify the email address associated with your Kickstarter order using the Olares Space dashboard.
+
+To redeem the Basic plan benefits, you must link your account to the email address associated with your purchase order using the Olares Space dashboard. For example, the email associated with your Kickstarter order.
+
 1. In Olares Space, from the left navigation pane, click **Usage & billing**. 
 2. On the **Account email** tab, click **Email address**.
 
     ![Olares Space account email](/images/one/account-email.png#bordered)
 
-3. In the **Add email** window, enter the email address used for your Kickstarter order.
+3. In the **Add email** window, enter the email address used for your purchase order.
 
     ![Olares Space bind email](/images/one/bind-email.png#bordered)
 
 4. Click **Send verification code**.
-
 5. Follow the on-screen instructions to complete the verification.
  
     :::tip 
@@ -67,29 +70,32 @@ To redeem your benefits, you must verify the email address associated with your
 
     ![Olares Space Basic plan](/images/one/basic-plan.png#bordered)   
 
-## Switch membership to a different Olares ID
+## Transfer membership to a different Olares ID
+
 :::warning Validity period adjustment
-Transferring your membership to a new Olares ID reduces your remaining validity period by one month. If you transfer multiple times within the same month, the deduction only occurs once.
-:::
-:::warning Changing your bound email
-The Basic membership is tied strictly to the specific email address used on Kickstarter. If you change the email, you will lose the Basic membership immediately.
+Transferring your membership to a new Olares ID reduces your remaining validity period by one month. If you transfer multiple times within the same calendar month, the deduction only occurs once.
 :::
 
-If you want to move your Basic membership to a new Olares ID:
+:::warning Changing bound email
+The Basic membership is tied strictly to the specific email address used for your purchase order. If you change the email, the current account loses the Basic membership immediately.
+:::
+
+If you want to transfer your Basic membership to a new Olares ID:
 
 1. Log in to Olares Space with your old Olares ID. 
 2. Go to **Usage & billing** > **Account email**. 
-3. Click **Unbind** to remove the Kickstarter email from the account email settings. 
+3. Click **Unbind** to remove the purchase order email from the account email settings. 
 
     ![Unbind email](/images/one/unbind-button.png#bordered) 
 
 4. Click **Send verification code**.
 5. Follow the on-screen instructions to complete the verification.
     
-    A notification message will confirm that the email was removed. Your account automatically changes to the Free plan.
+    A notification message will confirm that the email was removed. The current account changes to the Free plan immediately.
 
 6. Log in to Olares Space with the new Olares ID. 
-7. Bind and verify the Kickstarter email using the steps in the [Activate membership](#activate-membership) section. This will immediately upgrade the new Olares ID to the Basic plan.
+7. Bind the purchase order email using the steps in the [Redeem Basic plan](#redeem-basic-plan) section. This will upgrade the new Olares ID to the Basic plan immediately.
+
 ## Resources
 
 - [Monitor traffic in Olares Space](space.md)

docs/one/windows.md

@@ -87,8 +87,8 @@ Make sure you check the **ACLs** for the specific instance you want to connect t
 
 1. Open Settings, and navigate to **Application** > **Windows**.
 2. Under **Permissions**, click **ACLs**.
-3. Note the port number listed in the **Dst** column. You will need this for the connection step.
-   ![Locate port number](/images/one/win-port-no.png#bordered)
+3. Note the port number listed in the **Port** column. You will need this for the connection step.
+   ![Locate port number](/images/one/win-port-number.png#bordered)
 
 #### Connect to Windows
 
@@ -97,6 +97,7 @@ The following steps show the macOS interface, but the workflow is similar on all
 ::: 
 
 1. Open Windows from the Launchpad. Copy the domain from the address bar (exclude `https://` and any text after the domain).
+   ![Domain address](/images/one/win-url.png#bordered)
 2. Open the Windows App (or Remote Desktop) on your device.
 3. Add your Windows VM as an RDP connection. 
 

docs/reusables/README.md

@@ -5,6 +5,6 @@ This directory holds shared content included in multiple docs via `<!--@include:
 Add new reusable fragments here and document line ranges in a comment at the top of each file.
 
 - **local-domain.md**: .local domain description, URL format, HTTP note, and troubleshooting (Chrome, Safari). Used by `manual/get-started/local-access.md`, `manual/best-practices/local-access.md`, and `one/access-olares-via-local-domain.md`.
-- **larepass-vpn.md**: LarePass VPN procedure (Download, Enable, Verify connection type) and FAQs (Mac extension reset, Windows antivirus). Used by `manual/get-started/local-access.md`, `manual/best-practices/local-access.md`, and `one/access-olares-via-vpn.md`.
+- **larepass-vpn.md**: LarePass VPN procedure (Download, Enable, Verify connection type) and FAQs linking to the troubleshooting doc. Used by `manual/get-started/local-access.md`, `manual/best-practices/local-access.md`, and `one/access-olares-via-vpn.md`.
 
 

docs/reusables/larepass-vpn.md

@@ -3,7 +3,7 @@ search: false
 ---
 <!-- Reusable LarePass VPN content. Include by line range.
      Steps (no headings): Step 1 7-16, Step 2 18-41, Step 3 42-49.
-     FAQs: 50-75 -->
+     FAQs: 50-57 -->
 
 To use the secure VPN connection, the LarePass client must be installed on the device you are using to access Olares.
 
@@ -50,25 +50,8 @@ Once enabled, check the status indicator in LarePass to verify the connection ty
 
 ### Why doesn't LarePass VPN work on my Mac anymore?
 
-If you successfully enabled the VPN previously, but it has stopped working, you might need to reset the system extension.
-
-:::info
-Depending on your macOS version, the UI might look slightly different.
-:::
-
-1. Open **System Settings**, search for "Extension", and select **Login Items & Extensions**.
-2. Scroll to the **Network Extensions** section and click the info icon (ⓘ) to view loaded extensions.
-3. Find LarePass, click the three dots (...), and select **Delete Extension**.
-4. Confirm the uninstallation.
-5. Restart your Mac and re-enable the VPN in the LarePass desktop client.
+macOS blocks the VPN tunnel if the network extension or VPN configuration was not fully set up, or if the extension has become stuck or corrupted. See [LarePass VPN not working](/manual/help/ts-larepass-vpn-not-working) to reset the extension and restore the VPN.
 
 ### Why can't I enable LarePass VPN on Windows?
 
-Third-party antivirus software might mistakenly flag the LarePass desktop client as suspicious, preventing it from launching the VPN service.
-
-If prompted by your antivirus when opening LarePass for the first time, allow the application to continue.
-
-If the VPN still fails to enable:
-1. Open your security software and check if LarePass was blocked.
-2. Add the main LarePass executable to the allowlist or exclusions of your antivirus.
-3. Restart LarePass and enable the VPN.
+Third-party antivirus or security software may mistakenly flag LarePass as suspicious, preventing the VPN service from starting. See [LarePass VPN not working](/manual/help/ts-larepass-vpn-not-working) to resolve the issue.

docs/use-cases/openclaw.md

@@ -206,6 +206,14 @@ Connect the Control UI to the OpenClaw CLI to use the graphical dashboard.
     ```
 4. Click **Save** in the upper-right corner. The system validates the config and restarts automatically to apply the changes.
 
+    ::: tip Manual restart
+    If you need to restart OpenClaw manually, do not use the OpenClaw CLI. Use one of the following methods:
+    - **Restart the app from Settings or Market**: 
+        - Open **Settings**, go to **Applications** > **OpenClaw**, click **Stop**, and then click **Resume**.
+        - Open **Market**, go to **My Olares**, find **OpenClaw**, click <i class="material-symbols-outlined">keyboard_arrow_down</i> next to the operation button, select **Stop**, and then select **Resume**.
+    - **Restart the container**: Open **Control Hub**, click `clawdbot` under **Deployments**, and then click **Restart**.
+    :::
+
 ## (Optional) Personalize OpenClaw
 
 To make your OpenClaw bot more personalized, it is highly recommended to complete the persona setup process. 
@@ -311,14 +319,16 @@ To chat with your agent remotely, connect it to a Discord bot.
 
 ### Step 3: Configure channel
 
-Configure the Discord channel in Control UI.
+Connect OpenClaw to your Discord bot by adding its configuration in the Control UI.
+
+:::info About channel configuration
+This tutorial provides the basic setup to get your bot running in Discord quickly. For more detailed configurations, see the official [OpenClaw documentation](https://docs.openclaw.ai/channels).
+:::
 
 1. Return to the **Control UI** > **Config** > **Raw** tab.
-2. Find the `channels` section:
+2. Add the following `channels` section to the configuration file. 
 
-    a. Update with your Discord bot token.
-
-    b. Enable Discord DM (Direct Messages) and set the Discord DM Policy to **Pairing**.
+    This configuration enables Discord Direct Messages (DMs) and sets the DM policy to pairing for security.
 
     ```json
     "channels": {
@@ -336,8 +346,9 @@ Configure the Discord channel in Control UI.
 
     ![Discord channel added](/images/manual/use-cases/channels.png#bordered)
 
-3. Click **Save**.
-4. From the left sidebar, select **Channels**. On the Discord card, **Probe ok** indicates successful connection.
+3. Replace `{YOUR_BOT_TOKEN}` with your Discord bot token.
+4. Click **Save**.
+5. From the left sidebar, select **Channels**. On the Discord card, **Probe ok** indicates successful connection.
 
    ![Probe OK](/images/manual/use-cases/probe-ok.png#bordered)
 
@@ -502,7 +513,35 @@ To manage skills and plugins, install ClawHub. It is the package manager for Ope
 
     ![Toggle on plugin](/images/manual/use-cases/toggle-plugin.png#bordered)
 
-6. Click **Save** in the upper-right corner. The system validates the config and restarts automatically to apply the changes.      
+6. Click **Save** in the upper-right corner. The system validates the config and restarts automatically to apply the changes.
+
+    ::: tip Manual restart
+    If you need to restart OpenClaw manually, do not use the OpenClaw CLI. Use one of the following methods:
+    - **Restart the app from Settings or Market**: 
+        - Open **Settings**, go to **Applications** > **OpenClaw**, click **Stop**, and then click **Resume**.
+        - Open **Market**, go to **My Olares**, find **OpenClaw**, click <i class="material-symbols-outlined">keyboard_arrow_down</i> next to the operation button, select **Stop**, and then select **Resume**.
+    - **Restart the container**: Open **Control Hub**, click `clawdbot` under **Deployments**, and then click **Restart**.
+    :::
+
+## FAQ
+
+### Cannot restart OpenClaw in CLI
+
+If you attempt to manually start, stop, or restart OpenClaw using commands like `openclaw gateway` or `openclaw gateway stop` in the OpenClaw CLI, you receive the following error messages:
+- `Gateway failed to start: gateway already running (pid 1); lock timeout after 5000ms`
+- `Gateway service check failed: Error: systemctl --user unavailable: spawn systemctl ENOENT`
+
+#### Cause
+
+OpenClaw is deployed as a containerized app in Olares, where the gateway runs as the primary container process `pid 1` and is always active. This environment does not use standard Linux system and service management tools such as `systemd` and `systemctl`, so these commands do not work. 
+
+#### Solution
+
+Do not use the OpenClaw CLI to manage the gateway service. Instead, restart OpenClaw using one of the following methods:
+- **Restart OpenClaw from Settings or Market**: 
+    - Open **Settings**, go to **Applications** > **OpenClaw**, click **Stop**, and then click then **Resume**.
+    - Open **Market**, go to **My Olares**, find **OpenClaw**, click <i class="material-symbols-outlined">keyboard_arrow_down</i> next to the operation button, select **Stop**, and then select **Resume**.
+- **Restart the container**: Open **Control Hub**, click `clawdbot` under **Deployments**, and then click **Restart**.
 
 ## Resources
 

docs/use-cases/windows.md

@@ -30,7 +30,7 @@ Windows is available as an app in the Olares Market.
 ### Install Windows
 1. Open the Market, and search for "Windows".
 2. Click **Get**, then click **Install**.
-   ![Install Windows](../public/images/manual/use-cases/win-install1.png#bordered)
+   ![Install Windows](/images/manual/use-cases/win-install1.png#bordered)
 
 3. When prompted, set environment variables:
     - **USERNAME:** Create a username for accessing Windows.
@@ -70,8 +70,8 @@ Each Windows instance uses a unique port. If you have cloned the Windows app, en
 :::
 1. Open Settings, and navigate to **Application** > **Windows**.
 2. Under **Permissions**, click **ACLs**.
-3. Note the port number listed in the **Dst** column. You will need this for the connection step.
-   ![Locate port number](../public/images/manual/use-cases/win-port-number.png#bordered)
+3. Note the port number listed in the **Port** column. You will need this for the connection step.
+   ![Locate port number](/images/manual/use-cases/win-port-number.png#bordered){width=90%}
 
 #### Connect to Windows via RDP
 :::info
@@ -87,6 +87,8 @@ The following steps show the macOS interface, but the workflow is similar on all
    - **Android:** Download [Windows App from Google Play](https://play.google.com/store/apps/details?id=com.microsoft.rdc.androidx).
 
 3. Open Windows from the Launchpad in your browser. Copy the domain from the address bar (exclude `https://` and any text after the domain).
+   ![Domain address](/images/manual/use-cases/win-url.png#bordered)
+
 4. Add your Windows VM as an RDP connection. 
 
     a. Open the Windows App on your device.
@@ -95,9 +97,9 @@ The following steps show the macOS interface, but the workflow is similar on all
 
     c. In **PC name**, enter the domain you get from the previous step, followed by a colon and the port number.
 
-      For example, if your URL is `https://7e89d2a1.<username>.olares.com`, and the port is `49268`, enter:
+      For example, if your URL is `https://0f4137ed.<username>.olares.com`, and the port is `47374`, enter:
       ```
-      7e89d2a1.<username>.olares.com:49268
+      0f4137ed.<username>.olares.com:47374
       ```
 
    ![Add PC](../public/images/manual/use-cases/win-add-pc1.png#bordered)

docs/zh/developer/develop/app-env-index.md

@@ -0,0 +1,24 @@
+---
+outline: [2, 3]
+description: 了解 Olares 应用在部署期间的变量注入机制：声明式环境变量（.Values.olaresEnv）与系统自动注入的运行时 Helm Values（.Values.*）。
+---
+
+# 环境变量概览
+
+Olares 应用通过 app-service 将运行时信息与配置项注入到应用的 `values.yaml` 中。应用在 Helm 模板中通过 `.Values.*` 引用这些值。
+
+:::info 变量与 Helm 值
+本文提到的“变量”主要指 Helm 值。它们不会自动进入容器环境变量。如需在容器内使用，请在模板中显式映射到 `env:`。
+:::
+
+## 变量注入通道
+
+Olares 通过两种通道注入变量：
+
+- **声明式环境变量**：开发者在 `OlaresManifest.yaml` 的 `envs` 下声明变量。在部署时，app-service 会解析这些值并将其注入到 `values.yaml` 的 `.Values.olaresEnv` 路径下。
+- **系统注入的运行时变量**：由 Olares 在部署时自动注入，无需声明。不过，某些值（例如中间件）只有在声明相关依赖后才可用。
+
+## 下一步
+
+1. [声明式环境变量](app-env-vars.md)：`envs` 字段说明、变量映射以及变量参考。
+2. [系统注入的运行时变量](app-sys-injected-variables.md)：所有系统注入运行时变量的完整参考。

docs/zh/developer/develop/app-env-vars.md

@@ -0,0 +1,197 @@
+---
+outline: [2, 4]
+description: 通过 `OlaresManifest.yaml` 中的 `envs` 声明并校验应用配置，并在模板中通过 `.Values.olaresEnv` 引用变量值。
+---
+
+# 声明式环境变量
+
+在 `OlaresManifest.yaml` 中使用 `envs` 字段来声明配置参数，例如密码、API 端点或功能开关。在部署过程中，app-service 会解析这些变量，并将其注入到 `values.yaml` 的 `.Values.olaresEnv` 中。你可以在 Helm 模板中通过 <code v-pre>{{ .Values.olaresEnv.&lt;envName&gt; }}</code> 引用。
+
+## 变量来源
+
+声明式变量可以从应用外部管理的配置中获取值：
+
+- **系统变量**：Olares 集群实例级别的环境变量，在系统安装时设置，或由管理员统一管理。集群中的所有用户共享。
+- **用户变量**：Olares 用户级别的环境变量，由用户自行管理。在同一集群中，不同用户的变量彼此独立。
+
+应用本身无法直接修改这些变量。如需使用，需通过 `valueFrom` 字段映射。
+
+## 映射环境变量
+
+系统环境变量和用户环境变量都通过 `valueFrom` 使用相同的映射机制。
+
+以下示例演示了如何将系统变量 `OLARES_SYSTEM_CDN_SERVICE` 映射为应用变量 `APP_CDN_ENDPOINT`：
+
+1. 在 `OlaresManifest.yaml` 中，在 `envs` 下声明一个应用变量，并将 `valueFrom.envName` 设置为系统变量名。
+
+    ```yaml
+    # 将系统变量 OLARES_SYSTEM_CDN_SERVICE 映射为应用变量 APP_CDN_ENDPOINT
+    olaresManifest.version: '0.10.0'
+    olaresManifest.type: app
+
+    envs:
+      - envName: APP_CDN_ENDPOINT
+        required: true
+        applyOnChange: true
+        valueFrom:
+          envName: OLARES_SYSTEM_CDN_SERVICE
+    ```
+
+2. 在 Helm 模板中，通过 `.Values.olaresEnv.<envName>` 引用该应用变量。
+
+    ```yaml
+    # 在容器环境变量中使用 APP_CDN_ENDPOINT
+    env:
+      - name: CDN_ENDPOINT
+        value: "{{ .Values.olaresEnv.APP_CDN_ENDPOINT }}"
+    ```
+
+部署时，app-service 会解析引用的变量，并将值注入到 `values.yaml` 中：
+
+```yaml
+# 由 app-service 在部署时注入
+olaresEnv:
+  APP_CDN_ENDPOINT: "https://cdn.olares.com"
+```
+
+可用环境变量的完整列表，请参阅[变量参考](#变量参考)。
+
+## 声明字段
+
+`envs` 列表中的每个条目支持以下字段。
+
+### envName
+
+注入到 `values.yaml` 中的变量名。在模板中通过 <code v-pre>{{ .Values.olaresEnv.&lt;envName&gt; }}</code> 引用。
+
+### default
+
+变量的默认值。由开发者在编写应用时提供。用户不可修改。当用户未提供值或未通过 `valueFrom` 引用时使用。
+
+### valueFrom
+
+将当前变量映射到系统或用户环境变量。设置后，当前变量将继承所引用变量的所有字段（如 `type`、`editable`、`regex` 等）。当前变量本地定义的同名字段将被忽略。使用 `valueFrom` `时，default` 和 `options` 不生效。
+
+**示例**： 将应用变量 `APP_CDN_ENDPOINT` 映射到系统变量 `OLARES_SYSTEM_CDN_SERVICE`。
+
+```yaml
+envs:
+  - envName: APP_CDN_ENDPOINT
+    required: true
+    applyOnChange: true
+    valueFrom:
+      envName: OLARES_SYSTEM_CDN_SERVICE
+```
+
+### required
+
+布尔值。为 `true` 时，安装必须提供该变量值。如果未设置 `default`，系统会提示用户输入。安装后该值不能设为空。
+
+### editable
+
+布尔值。为 `true` 时，该变量在安装后允许修改。
+
+### applyOnChange
+
+布尔值。为 `true` 时，修改该变量会自动重启使用该变量的应用或组件。为 `false` 时，修改仅在应用升级或重装后生效。手动停止和启动应用不会使其生效。
+
+### type
+
+值的预期类型。用于在接受输入前进行校验。支持的类型包括：`int`、`bool`、`url`、`ip`、`domain`、`email`、`string`、`password`。
+
+### regex
+
+值必须匹配的正则表达式。如果校验失败，则无法设置该值，且安装或升级可能失败。
+
+### options
+
+将变量限制为固定的可选值列表。系统会在界面中提供选择界面。
+
+**示例**：显示可安装的 Windows 版本的下拉列表。
+
+```yaml
+envs:
+  - envName: VERSION
+    options:
+      - title: "Windows 11 Pro"
+        value: "iso/Win11_24H2_English_x64.iso"
+      - title: "Windows 7 Ultimate"
+        value: "iso/win7_sp1_x64_1.iso"
+```
+
+### remoteOptions
+
+从 URL 加载选项列表，而不是在行内定义。响应体必须是与 `options` 格式相同的 JSON 编码数组。
+
+**示例**：在安装时从远程端点获取选项列表。
+
+```yaml
+envs:
+  - envName: VERSION
+    remoteOptions: https://app.cdn.olares.com/appstore/windows/version_options.json
+```
+
+### description
+
+变量用途及有效取值范围的说明。显示在 Olares 界面中。
+
+## 变量参考
+
+### 系统环境变量
+
+下表列出了可通过 `valueFrom` 引用的系统级环境变量。
+
+| 变量 | 类型 | 默认值 | 可编辑 | 必填 | 描述 |
+| --- | --- | --- | --- | --- | --- |
+| `OLARES_SYSTEM_REMOTE_SERVICE` | `url` | `https://api.olares.com` | 是 | 是 | Olares 远程服务端点，例如应用商店与 Olares Space。 |
+| `OLARES_SYSTEM_CDN_SERVICE` | `url` | `https://cdn.olares.com` | 是 | 是 | 系统资源 CDN 端点。 |
+| `OLARES_SYSTEM_DOCKERHUB_SERVICE` | `url` | 无 | 是 | 否 | Docker Hub 镜像或加速端点。 |
+| `OLARES_SYSTEM_ROOT_PATH` | `string` | `/olares` | 否 | 是 | Olares 根目录路径。 |
+| `OLARES_SYSTEM_ROOTFS_TYPE` | `string` | `fs` | 否 | 是 | Olares 文件系统类型。 |
+| `OLARES_SYSTEM_CUDA_VERSION` | `string` | 无 | 否 | 否 | 主机 CUDA 版本。 |
+
+### 用户环境变量
+
+所有用户环境变量均可由用户编辑。
+
+#### 用户信息
+
+| 变量 | 类型 | 默认值 | 描述 |
+| --- | --- | --- | --- |
+| `OLARES_USER_EMAIL` | `string` | 无 | 用户邮箱地址。 |
+| `OLARES_USER_USERNAME` | `string` | 无 | 用户名。 |
+| `OLARES_USER_PASSWORD` | `password` | 无 | 用户密码。 |
+| `OLARES_USER_TIMEZONE` | `string` | 无 | 用户时区，例如 `Asia/Shanghai`。 |
+
+#### SMTP 设置
+
+| 变量 | 类型 | 默认值 | 描述 |
+| --- | --- | --- | --- |
+| `OLARES_USER_SMTP_ENABLED` | `bool` | 无 | 是否启用 SMTP。 |
+| `OLARES_USER_SMTP_SERVER` | `domain` | 无 | SMTP 服务器域名。 |
+| `OLARES_USER_SMTP_PORT` | `int` | 无 | SMTP 服务端口，通常为 `465` 或 `587`。 |
+| `OLARES_USER_SMTP_USERNAME` | `string` | 无 | SMTP 用户名。 |
+| `OLARES_USER_SMTP_PASSWORD` | `password` | 无 | SMTP 密码或授权码。 |
+| `OLARES_USER_SMTP_FROM_ADDRESS` | `email` | 无 | 发件人邮箱地址。 |
+| `OLARES_USER_SMTP_SECURE` | `bool` | `"true"` | 是否使用安全协议。 |
+| `OLARES_USER_SMTP_USE_TLS` | `bool` | 无 | 是否使用 TLS。 |
+| `OLARES_USER_SMTP_USE_SSL` | `bool` | 无 | 是否使用 SSL。 |
+| `OLARES_USER_SMTP_SECURITY_PROTOCOLS` | `string` | 无 | 安全协议类型，可选值包括：`tls`、`ssl`、`starttls`、`none`。 |
+
+#### 镜像与代理端点
+
+| 变量 | 类型 | 默认值 | 描述 |
+| --- | --- | --- | --- |
+| `OLARES_USER_HUGGINGFACE_SERVICE` | `url` | `https://huggingface.co/` | Hugging Face 服务地址。 |
+| `OLARES_USER_HUGGINGFACE_TOKEN` | `string` | 无 | Hugging Face 访问令牌。 |
+| `OLARES_USER_PYPI_SERVICE` | `url` | `https://pypi.org/simple/` | PyPI 镜像地址。 |
+| `OLARES_USER_GITHUB_SERVICE` | `url` | `https://github.com/` | GitHub 镜像地址。 |
+| `OLARES_USER_GITHUB_TOKEN` | `string` | 无 | GitHub 个人访问令牌。 |
+
+#### API keys
+
+| 变量 | 类型 | 默认值 | 描述 |
+| --- | --- | --- | --- |
+| `OLARES_USER_OPENAI_APIKEY` | `password` | 无 | OpenAI API key。 |
+| `OLARES_USER_CUSTOM_OPENAI_SERVICE` | `url` | 无 | 自定义 OpenAI 兼容服务地址。 |
+| `OLARES_USER_CUSTOM_OPENAI_APIKEY` | `password` | 无 | 自定义 OpenAI 兼容服务的 API key。 |

docs/zh/developer/develop/app-sys-injected-variables.md

@@ -0,0 +1,218 @@
+---
+outline: [2, 4]
+description: Olares 在应用部署期间注入到 `application values.yaml` 中的运行时变量。
+---
+
+# 系统注入的运行时变量
+
+在部署时，Olares 会自动向应用的 `values.yaml` 注入由系统管理的变量。这些变量为只读，涵盖用户身份、存储路径、集群元数据、应用依赖以及中间件凭据等信息。
+
+由于它们属于 Helm values，因此不会自动传递到容器内部。如需在容器内部使用，请在部署模板中通过 `env:` 显式映射。
+
+## 在应用中使用
+
+你可以在 Helm 模板（如 `deployment.yaml`）中直接引用这些值。
+
+**示例**：将当前用户名和 Postgres 主机地址传入容器环境变量。
+
+```yaml
+# 将系统注入的运行时变量传入容器环境变量
+spec:
+  containers:
+    - name: my-app
+      env:
+        - name: APP_USER
+          value: "{{ .Values.bfl.username }}"
+        - name: DB_HOST
+          value: "{{ .Values.postgres.host }}"
+```
+
+完整变量列表请参见[变量参考](#变量参考)。
+
+## 变量参考
+
+“类型”列描述的是 Helm value 的数据类型，并不对应 `OlaresManifest.yaml` 中的 `type` 字段。
+
+### 用户与身份信息
+| 变量 | 类型 | 说明 |
+| -- | -- | -- |
+| `.Values.bfl.username` | String | 当前用户名。 |
+| `.Values.user.zone`    | String | 当前用户的域名。 |
+| `.Values.admin`        | String | 管理员用户名。 |
+
+### 应用与系统信息
+
+| 变量 | 类型 | 说明 |
+| -- | -- | -- |
+| `.Values.domain` | Map<String,String> | 应用入口地址映射，每个条目将入口名称映射为对应的 URL。 |
+| `.Values.sysVersion` | String | 系统版本号。 |
+| `.Values.deviceName` | String  | 设备名称。 |
+| `.Values.downloadCdnURL` | String | 系统资源下载使用的 CDN 地址。 |
+
+### 存储路径
+
+| 变量 | 类型 | 说明 |
+| -- | -- | -- |
+| `.Values.userspace.appData` | String | 应用的集群存储路径，路径为 `/Data/<appname>`。 |
+| `.Values.userspace.appCache` | String | 应用的节点本地缓存路径，路径为 `/Cache/<appname>`。 |
+| `.Values.userspace.userData` | String | 用户数据目录，路径为 `/Files/Home/`。 |
+| `.Values.sharedlib` | String | 用户外部存储目录，路径为 `/Files/External/<devicename>/`。 |
+
+### 集群硬件信息
+
+集群硬件信息会在部署时注入到 `values.yaml` 中。
+
+| 变量 | 类型 | 说明 |
+| -- | -- | -- |
+| `.Values.cluster.arch` | String | 集群 CPU 架构（例如 `amd64`）。Olares 目前不支持混合架构组成集群。 |
+| `.Values.nodes` | List\<NodeInfo> | 节点硬件元数据列表，注入在 `values["nodes"]`下。 |
+
+`.Values.nodes` 中每个条目结构如下：
+
+```json
+[
+  {
+    "cudaVersion": "12.9",
+    "cpu": [
+      {
+        "coreNumber": 16,
+        "arch": "amd64",
+        "frequency": 4900000000,
+        "model": "151",
+        "modelName": "12th Gen Intel(R) Core(TM) i5-12600KF",
+        "vendor": "GenuineIntel"
+      }
+    ],
+    "memory": {
+      "total": 50351353856
+    },
+    "gpus": [
+      {
+        "vendor": "NVIDIA",
+        "arch": "Ada Lovelace",
+        "model": "4060",
+        "memory": 17175674880,
+        "modelName": "NVIDIA GeForce RTX 4060 Ti"
+      }
+    ]
+  }
+]
+```
+
+### 应用依赖
+
+当应用在 `OlaresManifest.yaml` 中声明对其他应用的依赖时，Olares 会将连接信息注入到 `values.yaml`。
+
+| 变量 | 类型 | 说明 |
+| -- | -- | -- |
+| `.Values.deps` | Map<String,Value> | 每个声明依赖的服务主机地址与端口。键名格式为 `<entry_name>_host` 与 `<entry_name>_port`。|
+| `.Values.svcs` | Map<String,Value> | 每个声明依赖的所有服务主机地址与端口。键名格式为 `<service_name>_host` 与 `<service_name>_port`。端口值为列表类型，用于支持多端口服务。 |
+
+**示例**：依赖入口名为 `aserver`，服务名为 `aserver-svc`。
+
+`.Values.deps`：
+
+```json
+{
+  "aserver_host": "aserver-svc.<namespace>",
+  "aserver_port": 80
+}
+```
+
+`.Values.svcs`：
+
+```json
+{
+  "aserver-svc_host": "aserver-svc.<namespace>",
+  "aserver-svc_port": [80]
+}
+```
+
+### 中间件变量
+
+仅当在 `OlaresManifest.yaml` 的 `middleware` 部分声明中间件依赖时，才会注入对应变量。
+
+PostgreSQL 与 Redis 为预安装组件。MongoDB、MinIO、RabbitMQ、MySQL 和 MariaDB 需要单独安装后方可使用。
+
+#### MariaDB
+
+安装与配置详情请参见[集成 MariaDB](/zh/developer/develop/mw-integrate-with-mariadb.md)。
+
+| 变量 | 类型 | 说明 |
+|--|--|--|
+| `.Values.mariadb.host` | String | MariaDB 主机地址。 |
+| `.Values.mariadb.port` | Number | MariaDB 端口。 |
+| `.Values.mariadb.username` | String | MariaDB 用户名。 |
+| `.Values.mariadb.password` | String | MariaDB 密码。 |
+| `.Values.mariadb.databases` | Map<String,String> | 请求的数据库集合，按数据库名为键。<br/>例如申请 `app_db`，可通过 `.Values.mariadb.databases.app_db` 获取对应的值。 |
+
+#### MinIO
+
+安装与配置详情请参见[集成 MinIO](/zh/developer/develop/mw-integrate-with-minio.md)。
+
+| 变量 | 类型 | 说明 |
+|--|--|--|
+| `.Values.minio.host` | String | MinIO 服务地址。 |
+| `.Values.minio.port` | Number | MinIO 服务端口。 |
+| `.Values.minio.username` | String | MinIO 访问密钥。 |
+| `.Values.minio.password` | String | MinIO 密钥。 |
+| `.Values.minio.buckets` | Map<String,String> | 请求的存储桶集合，按桶名为键。例如申请 `mybucket`，可通过 `.Values.minio.buckets.mybucket` 获取对应的值。 |
+
+#### MongoDB
+
+安装与配置详情请参见[集成 MongoDB](/zh/developer/develop/mw-integrate-with-mongodb.md)。
+
+| 变量 | 类型 | 说明 |
+|--|--|--|
+| `.Values.mongodb.host` | String | MongoDB 主机地址。 |
+| `.Values.mongodb.port` | Number | MongoDB 端口。 |
+| `.Values.mongodb.username` | String | MongoDB 用户名。 |
+| `.Values.mongodb.password` | String  | MongoDB 密码。 |
+| `.Values.mongodb.databases` | Map<String,String> | 请求的数据库集合，按数据库名为键。<br/>例如申请 `app_db`，可通过 `.Values.mongodb.databases.app_db` 获取对应的值。 |
+
+#### MySQL
+
+安装与配置详情请参见[集成 MySQL](/zh/developer/develop/mw-integrate-with-mysql.md)。
+
+| 变量 | 类型 | 说明 |
+|--|--|--|
+| `.Values.mysql.host` | String | MySQL 主机地址。 |
+| `.Values.mysql.port` | Number | MySQL端口。 |
+| `.Values.mysql.username` | String | MySQL 用户名。 |
+| `.Values.mysql.password` | String | MySQL 密码。 |
+| `.Values.mysql.databases` | Map<String,String> | 请求的数据库集合，按数据库名为键。<br/>例如申请 `app_db`，可通过 `.Values.mysql.databases.app_db` 获取对应的值。 |
+
+#### PostgreSQL
+
+安装与配置详情请参见[集成 PostgreSQL](/zh/developer/develop/mw-integrate-with-pg.md)。
+
+| 变量 | 类型 | 说明 |
+|--|--|--|
+| `.Values.postgres.host` | String  | PostgreSQL 主机地址。 |
+| `.Values.postgres.port` | Number | PostgreSQL 端口。 |
+| `.Values.postgres.username`  | String | PostgreSQL 用户名。 |
+| `.Values.postgres.password`  | String | PostgreSQL 密码。 |
+| `.Values.postgres.databases` | Map<String,String> | 请求的数据库集合，按数据库名为键。例如，若申请的数据库名为 `app_db`，可通过 `.Values.postgres.databases.app_db`获取对应值。|
+
+#### RabbitMQ
+
+安装与配置详情请参见[集成 RabbitMQ](/zh/developer/develop/mw-integrate-with-rabbitmq.md)。
+
+| 变量 | 类型 | 说明 |
+|--|--|--|
+| `.Values.rabbitmq.host` | String | RabbitMQ 主机地址。 |
+| `.Values.rabbitmq.port` | Number | RabbitMQ 端口。 |
+| `.Values.rabbitmq.username` | String | RabbitMQ 用户名。 |
+| `.Values.rabbitmq.password` | String | RabbitMQ 密码。 |
+| `.Values.rabbitmq.vhosts` | Map<String,String> | 请求的虚拟主机集合，按名称为键。<br/>例如申请 `myvhost`，可通过 `.Values.rabbitmq.vhosts.myvhost` 获取对应的值。 |
+
+#### Redis
+
+安装与配置详情请参见[集成 Redis](/zh/developer/develop/mw-integrate-with-redis.md)。
+
+| 变量 | 类型 | 说明 |
+|--|--|--|
+| `.Values.redis.host` | String | Redis 主机地址。 |
+| `.Values.redis.port` | Number  | Redis 端口。 |
+| `.Values.redis.password`| String | Redis 密码。 |
+| `.Values.redis.namespaces` | Map<String, String> | 请求的命名空间集合，按名称为键。<br>例如，请求 `app_ns`，可通过 `.Values.redis.namespaces.app_ns`获取对应值。 |

docs/zh/developer/develop/mw-integrate-with-es.md

@@ -31,9 +31,9 @@ middleware:
       - name: aaa
 ```
 
-## 注入环境变量
+## 映射环境变量
 
-在应用的部署 YAML 中，将系统注入的 `.Values.elasticsearch.*` 字段映射为应用所使用的环境变量。
+在应用的部署 YAML 中，将系统注入的 `.Values.elasticsearch.*` 字段映射为应用所需的环境变量。
 
 **示例**
 ```yaml
@@ -58,14 +58,14 @@ containers:
         value: "{{ .Values.elasticsearch.indexes.aaa }}"
 ```
 
-## Elasticsearch Values 参考
+## Elasticsearch 变量参考
 
-Elasticsearch Values 是在部署过程中由系统自动注入到 `values.yaml` 中的预定义变量。这些值由系统统一管理，用户无法自行修改。
+Elasticsearch 运行时变量会在部署过程中注入到 `values.yaml` 中。这些变量由系统统一管理，用户无法自行修改。
 
-| 键  | 类型  | 说明  |
+| 变量 | 类型 | 说明 |
 |--|--|--|
-| `.Values.elasticsearch.host` | String | Elasticsearch 服务地址 |
-| `.Values.elasticsearch.port` | Number  | Elasticsearch 服务端口 |
-| `.Values.elasticsearch.username` | String | Elasticsearch 用户名 |
-| `.Values.elasticsearch.password` | String | Elasticsearch 密码 |
-| `.Values.elasticsearch.indexes`  | Map<String,String> | 以申请的索引名称作为键。例如申请 `aaa`，可通过 `.Values.elasticsearch.indexes.aaa` 获取对应的值。 |
+| `.Values.elasticsearch.host` | String | Elasticsearch 服务地址。 |
+| `.Values.elasticsearch.port` | Number  | Elasticsearch 服务端口。 |
+| `.Values.elasticsearch.username` | String | Elasticsearch 用户名。 |
+| `.Values.elasticsearch.password` | String | Elasticsearch 密码。 |
+| `.Values.elasticsearch.indexes`  | Map<String,String> | 请求的索引集合，按索引名为键。例如申请 `aaa`，可通过 `.Values.elasticsearch.indexes.aaa` 获取对应的值。 |

docs/zh/developer/develop/mw-integrate-with-mariadb.md

@@ -31,9 +31,9 @@ middleware:
       - name: aaa
 ```
 
-## 注入环境变量
+## 映射环境变量
 
-在应用的部署 YAML 中，将系统注入的 `.Values.mariadb.*` 字段映射为应用所使用的环境变量。
+在应用的部署 YAML 中，将系统注入的 `.Values.mariadb.*` 字段映射为应用所需的环境变量。
 
 **示例**
 ```yaml
@@ -59,14 +59,14 @@ containers:
         value: "{{ .Values.mariadb.databases.aaa }}"
 ```
 
-## MariaDB Values 参考
+## MariaDB 变量参考
 
-MariaDB Values 是在部署过程中由系统自动注入到 `values.yaml` 中的预定义变量。这些值由系统统一管理，用户无法自行修改。
+MariaDB 运运行时变量会在部署过程中注入到 `values.yaml` 中。这些变量由系统统一管理，用户无法自行修改。
 
-| 键  | 类型  | 说明  |
+| 变量 | 类型 | 说明 |
 |--|--|--|
-| `.Values.mariadb.host` | String | MariaDB 数据库地址 |
-| `.Values.mariadb.port` | Number | MariaDB 数据库端口 |
-| `.Values.mariadb.username` | String | MariaDB 数据库用户名 |
-| `.Values.mariadb.password` | String | MariaDB 数据库密码 |
-| `.Values.mariadb.databases` | Map<String,String> | 以申请的数据库名作为键。<br/>例如申请 `aaa`，可通过 `.Values.mariadb.databases.aaa` 获取对应的值。 |
+| `.Values.mariadb.host` | String | MariaDB 主机地址。 |
+| `.Values.mariadb.port` | Number | MariaDB 端口。 |
+| `.Values.mariadb.username` | String | MariaDB 用户名。 |
+| `.Values.mariadb.password` | String | MariaDB 密码。 |
+| `.Values.mariadb.databases` | Map<String,String> | 请求的数据库集合，按数据库名为键。<br/>例如申请 `app_db`，可通过 `.Values.mariadb.databases.app_db` 获取对应的值。 |

docs/zh/developer/develop/mw-integrate-with-minio.md

@@ -31,9 +31,9 @@ middleware:
       - name: mybucket
 ```
 
-## 注入环境变量
+## 映射环境变量
 
-在应用的部署 YAML 中，将系统注入的 `.Values.minio.*` 字段映射为应用所使用的环境变量。
+在应用的部署 YAML 中，将系统注入的 `.Values.minio.*` 字段映射为应用所需的环境变量。
 
 **示例**
 ```yaml
@@ -60,14 +60,14 @@ containers:
         value: "{{ .Values.minio.buckets.mybucket }}"
 ```
 
-## MinIO Values 参考
+## MinIO 变量参考
 
-MinIO Values 是在部署过程中由系统自动注入到 `values.yaml` 中的预定义变量。这些值由系统统一管理，用户无法自行修改。
+MinIO 运行时变量会在部署过程中注入到 `values.yaml` 中。这些变量由系统统一管理，用户无法自行修改。
 
-| 键  | 类型  | 说明  |
+| 变量 | 类型 | 说明 |
 |--|--|--|
-| `.Values.minio.host` | String | MinIO 服务地址 |
-| `.Values.minio.port` | Number | MinIO 服务端口 |
-| `.Values.minio.username` | String | MinIO 访问密钥（Access Key） |
-| `.Values.minio.password` | String | MinIO 密钥（Secret Key） |
-| `.Values.minio.buckets` | Map<String,String> | 以申请的存储桶名称作为键。例如申请 `mybucket`，可通过 `.Values.minio.buckets.mybucket` 获取对应的值。 |
+| `.Values.minio.host` | String | MinIO 服务地址。 |
+| `.Values.minio.port` | Number | MinIO 服务端口。 |
+| `.Values.minio.username` | String | MinIO 访问密钥。 |
+| `.Values.minio.password` | String | MinIO 密钥。 |
+| `.Values.minio.buckets` | Map<String,String> | 请求的存储桶集合，按桶名为键。例如申请 `mybucket`，可通过 `.Values.minio.buckets.mybucket` 获取对应的值。 |

docs/zh/developer/develop/mw-integrate-with-mongodb.md

@@ -35,9 +35,9 @@ middleware:
       # 请确保每一行都是完整的查询语句。
 ```
 
-## 注入环境变量
+## 映射环境变量
 
-在应用的部署 YAML 中，将系统注入的 `.Values.mongodb.*` 字段映射为应用所使用的环境变量。
+在应用的部署 YAML 中，将系统注入的 `.Values.mongodb.*` 字段映射为应用所需的环境变量。
 
 **示例**
 ```yaml
@@ -63,14 +63,14 @@ containers:
         value: "{{ .Values.mongodb.databases.app_db }}"
 ```
 
-## MongoDB Values 参考
+## MongoDB 变量参考
 
-MongoDB Values 是在部署过程中自动注入到 `values.yaml` 中的预定义变量，由系统统一管理，用户不可手动修改。
+MongoDB 运行时变量会在部署过程中注入到 `values.yaml` 中。这些变量由系统统一管理，用户无法自行修改。
 
-| 键  | 类型  | 说明  |
+| 变量 | 类型 | 说明 |
 |--|--|--|
-| `.Values.mongodb.host` | String | MongoDB 数据库地址 |
-| `.Values.mongodb.port` | Number | MongoDB 数据库端口 |
-| `.Values.mongodb.username` | String | MongoDB 数据库用户名 |
-| `.Values.mongodb.password` | String  | MongoDB 数据库密码 |
-| `.Values.mongodb.databases` | Map<String,String> | 以申请的数据库名作为键。<br/>例如申请 `app_db`，可通过 `.Values.mongodb.databases.app_db` 获取对应的值。 |
+| `.Values.mongodb.host` | String | MongoDB 主机地址。 |
+| `.Values.mongodb.port` | Number | MongoDB 端口。 |
+| `.Values.mongodb.username` | String | MongoDB 用户名。 |
+| `.Values.mongodb.password` | String  | MongoDB 密码。 |
+| `.Values.mongodb.databases` | Map<String,String> | 请求的数据库集合，按数据库名为键。<br/>例如申请 `app_db`，可通过 `.Values.mongodb.databases.app_db` 获取对应的值。 |

docs/zh/developer/develop/mw-integrate-with-mysql.md

@@ -31,9 +31,9 @@ middleware:
       - name: aaa
 ```
 
-## 注入环境变量
+## 映射环境变量
 
-在应用的部署 YAML 中，将系统注入的 `.Values.mysql.*` 字段映射为应用所使用的环境变量。
+在应用的部署 YAML 中，将系统注入的 `.Values.mysql.*` 字段映射为应用所需的环境变量。
 
 **示例**
 ```yaml
@@ -59,14 +59,14 @@ containers:
         value: "{{ .Values.mysql.databases.aaa }}"
 ```
 
-## MySQL Values 参考
+## MySQL 变量参考
 
-MySQL Values 是在部署过程中由系统自动注入到 `values.yaml` 中的预定义变量。这些值由系统统一管理，用户无法自行修改。
+MySQL 运行时变量会在部署过程中注入到 `values.yaml` 中。这些变量由系统统一管理，用户无法自行修改。
 
-| 键  | 类型  | 说明  |
+| 变量 | 类型 | 说明 |
 |--|--|--|
-| `.Values.mysql.host` | String | MySQL 数据库地址 |
-| `.Values.mysql.port` | Number | MySQL 数据库端口 |
-| `.Values.mysql.username` | String | MySQL 数据库用户名 |
-| `.Values.mysql.password` | String | MySQL 数据库密码 |
-| `.Values.mysql.databases` | Map<String,String> | 以申请的数据库名作为键。<br/>例如申请 `aaa`，可通过 `.Values.mysql.databases.aaa` 获取对应的值。 |
+| `.Values.mysql.host` | String | MySQL 主机地址。 |
+| `.Values.mysql.port` | Number | MySQL端口。 |
+| `.Values.mysql.username` | String | MySQL 用户名。 |
+| `.Values.mysql.password` | String | MySQL 密码。 |
+| `.Values.mysql.databases` | Map<String,String> | 请求的数据库集合，按数据库名为键。<br/>例如申请 `app_db`，可通过 `.Values.mysql.databases.app_db` 获取对应的值。 |

docs/zh/developer/develop/mw-integrate-with-pg.md

@@ -38,9 +38,9 @@ middleware:
       - COMMIT;
 ```
 
-## 注入环境变量
+## 映射环境变量
 
-在应用的部署 YAML 中，将系统注入的 `.Values.postgres.*` 字段映射为应用所使用的环境变量。
+在应用的部署 YAML 中，将系统注入的 `.Values.postgres.*` 字段映射为应用所需的环境变量。
 
 **示例**
 ```yaml
@@ -70,13 +70,14 @@ containers:
         value: {{ .Values.postgres.password }}
 ```
 
-## PostgreSQL Values 参考
-PostgreSQL Values 是在部署过程中由系统自动注入到 `values.yaml` 中的预定义变量。这些值由系统统一管理，用户无法自行修改。
+## PostgreSQL 变量参考
 
-| 键  | 类型  | 说明  |
+PostgreSQL 运行时变量会在部署过程中注入到 `values.yaml` 中。这些变量由系统统一管理，用户无法自行修改。
+
+| 变量 | 类型 | 说明 |
 |--|--|--|
-| `.Values.postgres.host` | String  | PostgreSQL 数据库地址 |
-| `.Values.postgres.port` | Number | PostgreSQL 数据库端口 |
-| `.Values.postgres.username`  | String | PostgreSQL 数据库用户名 |
-| `.Values.postgres.password`  | String | PostgreSQL 数据库密码 |
-| `.Values.postgres.databases` | Map<String,String> | PostgreSQL 数据库以申请的数据库名作为键。例如，若申请的数据库名为 `app_db`，可通过 `.Values.postgres.databases.app_db`获取对应值。|
+| `.Values.postgres.host` | String  | PostgreSQL 主机地址。 |
+| `.Values.postgres.port` | Number | PostgreSQL 端口。 |
+| `.Values.postgres.username`  | String | PostgreSQL 用户名。 |
+| `.Values.postgres.password`  | String | PostgreSQL 密码。 |
+| `.Values.postgres.databases` | Map<String,String> | 请求的数据库集合，按数据库名为键。例如，若申请的数据库名为 `app_db`，可通过 `.Values.postgres.databases.app_db`获取对应值。|

docs/zh/developer/develop/mw-integrate-with-rabbitmq.md

@@ -31,9 +31,9 @@ middleware:
       - name: aaa
 ```
 
-## 注入环境变量
+## 映射环境变量
 
-在应用的部署 YAML 中，将系统注入的 `.Values.rabbitmq.*` 字段映射为应用所使用的环境变量。
+在应用的部署 YAML 中，将系统注入的 `.Values.rabbitmq.*` 字段映射为应用所需的环境变量。
 
 **示例**
 ```yaml
@@ -78,14 +78,14 @@ portMQ := os.Getenv("RABBITMQ_PORT")
 url := fmt.Sprintf("amqp://%s:%s@%s:%s/%s", user, password, host, portMQ, vhost)
 ```
 
-## RabbitMQ Values 参考
+## RabbitMQ 变量参考
 
-RabbitMQ Values 是在部署过程中自动注入到 `values.yaml` 中的预定义变量，由系统统一管理，用户不可手动修改。
+RabbitMQ 运行时变量会在部署过程中注入到 `values.yaml` 中。这些变量由系统统一管理，用户无法自行修改。
 
-| 键  | 类型  | 说明  |
+| 变量 | 类型 | 说明 |
 |--|--|--|
-| `.Values.rabbitmq.host` | String | RabbitMQ 服务地址 |
-| `.Values.rabbitmq.port` | Number | RabbitMQ 服务端口 |
-| `.Values.rabbitmq.username` | String | RabbitMQ 用户名 |
-| `.Values.rabbitmq.password` | String | RabbitMQ 密码 |
-| `.Values.rabbitmq.vhosts` | Map<String,String> | 以申请的 vhost 名作为键。<br/>例如申请 `aaa`，可通过 `.Values.rabbitmq.vhosts.aaa` 获取对应的值。 |
+| `.Values.rabbitmq.host` | String | RabbitMQ 主机地址。 |
+| `.Values.rabbitmq.port` | Number | RabbitMQ 端口。 |
+| `.Values.rabbitmq.username` | String | RabbitMQ 用户名。 |
+| `.Values.rabbitmq.password` | String | RabbitMQ 密码。 |
+| `.Values.rabbitmq.vhosts` | Map<String,String> | 请求的虚拟主机集合，按名称为键。<br/>例如申请 `myvhost`，可通过 `.Values.rabbitmq.vhosts.myvhost` 获取对应的值。 |

docs/zh/developer/develop/mw-integrate-with-redis.md

@@ -25,9 +25,9 @@ middleware:
     namespace: db0
 ```
 
-## 注入环境变量
+## 映射环境变量
 
-在应用的部署 YAML 中，将系统注入的 `.Values.redis.*` 字段映射为应用所使用的环境变量。
+在应用的部署 YAML 中，将系统注入的 `.Values.redis.*` 字段映射为应用所需的环境变量。
 
 **示例**
 ```yaml
@@ -54,13 +54,13 @@ containers:
         value: {{ .Values.redis.namespaces.<namespace> }}
 ```
 
-## Redis Values 参考
+## Redis 变量参考
 
-Redis Values 是在部署过程中由系统自动注入到 `values.yaml` 中的预定义变量。这些值由系统统一管理，用户无法自行修改。
+Redis 运行时变量会在部署过程中注入到 `values.yaml` 中。这些变量由系统统一管理，用户无法自行修改。
 
-| 键  | 类型  | 说明  |
+| 变量 | 类型 | 说明 |
 |--|--|--|
-| `.Values.redis.host` | String | Redis 数据库地址 |
-| `.Values.redis.port` | Number  | Redis 数据库端口 |
-| `.Values.redis.password`| String | Redis 数据库密码 |
-| `.Values.redis.namespaces` | Map<String, String> | Redis 命名空间名称，以申请命名空间作为键。例如，若申请的命名空间名为 `app_ns`，可通过 `.Values.redis.namespaces.app_ns`获取对应值。 |
+| `.Values.redis.host` | String | Redis 主机地址。 |
+| `.Values.redis.port` | Number  | Redis 端口。 |
+| `.Values.redis.password`| String | Redis 密码。 |
+| `.Values.redis.namespaces` | Map<String, String> | 请求的命名空间集合，按名称为键。<br>例如，请求 `app_ns`，可通过 `.Values.redis.namespaces.app_ns`获取对应值。 |

docs/zh/developer/develop/package/manifest.md

@@ -7,7 +7,15 @@ outline: [2, 3]
 每一个 Olares 应用的 Chart 根目录下都必须有一个名为 `OlaresManifest.yaml` 的文件。`OlaresManifest.yaml` 描述了一个 Olares 应用的所有基本信息。Olares 应用市场协议和 Olares 系统依赖这些关键信息来正确分发和安装应用。
 
 :::info 提示
-最新的 Olares 系统使用的 Manifest 版本为: `0.10.0`
+最新的 Olares 系统使用的 Manifest 版本为: `0.11.0`
+- 移除 已不支持的sysData 配置项
+- 修改 共享应用的案例
+- 增加 apiVersion 字段说明
+- 增加 共享入口的配置说明
+
+:::
+:::details Changelog
+`0.10.0`
 - 修改 `categories` 分类
 - 增加 Permission 部分中 `provider` 权限的申请
 - 增加 Provider 部分，用于让应用对集群内暴露指定服务接口
@@ -15,8 +23,7 @@ outline: [2, 3]
 - 移除 Option 部分已不支持的一些配置项
 - 增加 `allowMultipleInstall` 配置，允许应用克隆出多个独立的实例
 - 增加 Envs 部分，支持应用声明需要的环境变量
-:::
-:::details Changelog
+
 `0.9.0`
 - 在 `options` 中增加 `conflict` 字段, 用于声明不兼容的应用
 - 移除 `options` 中 `analytics` 配置项
@@ -82,7 +89,7 @@ spec:
   website: https://link.to.your.website
   sourceCode: https://link.to.sourceCode
   submitter: Submitter's Name
-  language:
+  locale:
   - en
   doc: https://link.to.documents
   supportArch:
@@ -131,6 +138,14 @@ olaresManifest.version: '2.2'
 olaresManifest.version: "3.0.122"
 ```
 
+## apiVersion
+- 类型：`string`
+- 可选
+- 有效值：`v1`,`v2`
+- 默认值：`v1`
+
+共享应用需使用 `v2` 版本，支持一个 OAC 中包含多个子图表。其他应用请使用`v1`
+
 ## Metadata
 
 应用的基本信息，用于在 Olares 系统和应用市场中展示应用。
@@ -152,7 +167,7 @@ metadata:
 ### name
 
 - 类型：`string`
-- Accepted Value: `[a-z][a-z0-9]?`
+- 有效值：`^[a-z][a-z0-9]{0,29}$`
 
 Olares 中的应用的命名空间，仅限小写字母数字字符。最多 30 个字符，需要与 `Chart.yaml` 中的 `FolderName` 和 `name` 字段保持一致。
 
@@ -200,8 +215,6 @@ OS 1.12 有效值：
 - `Utilities_v112`：实用工具
 - `AI`：AI
 
-
-
 :::info 提示
 Olares OS 1.12.0 版本对应用商店的应用分类进行了调整，因此如果应用需要同时兼容 1.11 和 1.12 版本，请同时填写两个版本所需的分类。
 :::
@@ -322,6 +335,23 @@ entrances:
 ```
 :::
 
+## sharedEntrances
+
+共享入口是共享应用为集群内其他应用调用提供的接口地址。共享入口的字段配置和常规入口基本一致，一个典型的共享入口配置如下
+
+:::info 示例
+```yaml
+sharedEntrances:
+  - name: ollamav2
+    host: sharedentrances-ollama
+    port: 0
+    title: Ollama API
+    icon: https://app.cdn.olares.com/appstore/ollama/icon.png
+    invisible: true
+    authLevel: internal
+```
+:::
+
 ## Ports
 
 定义暴露的端口
@@ -338,14 +368,48 @@ ports:
 ```
 :::
 
+### exposePort
+- 类型： `int`
+- 可选
+- 有效值： `0-65535`，保留端口 `22`, `80`, `81`, `443`, `444`, `2379`, `18088` 除外
 Olares 会为你的应用暴露指定的端口，这些端口可通过应用域名在本地网络下访问，如`84864c1f.your_olares_id.olares.com:46879`。对于每个公开的端口，Olares 会自动配置相同端口号的 TCP 和 UDP。
 
-当将 `addToTailscaleAcl` 字段设置为 `true` 时，系统会为该端口分配一个随机端口，并自动将其加入到 Tailscale 的 ACL 中。
-
 :::info 提示
 暴露的端口只能通过本地网络或 Olares 专用网络访问。
 :::
 
+### protocol
+- 类型： `string`
+- 可选
+- 有效值： `udp`、`tcp`
+
+暴露端口使用的协议 ，如果不填默认同时开通udp和tcp。
+
+### addToTailscaleAcl
+- 类型： `boolean`
+- 可选
+- 默认值：`false`
+
+当将 addToTailscaleAcl 字段设置为 true 时，系统会为该端口分配一个随机端口，并自动将其加入到 Tailscale 的 ACL 中。
+
+## Tailscale
+- 类型：`map`
+- 可选
+
+允许应用在 Tailscale 的ACL(Access Control Lists)中开放指定端口。
+
+:::info 示例
+```yaml
+tailscale:
+  acls:
+  - proto: tcp
+    dst:
+    - "*:46879"
+  - proto: "" # 可选, 如果未指定，则允许使用所有支持的协议
+    dst:
+    -  "*:4557"  
+```
+:::
 
 ## Permission
 
@@ -380,51 +444,6 @@ permission:
 
 应用是否需要对用户的 `Home` 文件夹进行读写权限。列出应用需要访问的用户 `Home` 下的所有目录。部署 YAML 中配置的所有 `userData` 目录都必须包含在此处。
 
-### sysData
-
-- 类型：`list<map>`
-- 可选
-
-声明该应用程序需要访问的 API 列表。
-
-:::info 提示
-从 1.12.0 版本开始，该权限配置已经被废弃。
-:::
-
-:::info 示例
-```yaml
-  sysData:
-  - group: service.bfl
-    dataType: app
-    version: v1
-    ops:
-    - InstallDevApp
-  - dataType: legacy_prowlarr
-    appName: prowlarr
-    port: 9696
-    group: api.prowlarr
-    version: v2
-    ops:
-    - All
-```
-:::
-
-所有系统 API [providers](../advanced/provider.md) 如下：
-| Group | version | dataType | ops |
-| ----------- | ----------- | ----------- | ----------- |
-| service.appstore | v1 | app | InstallDevApp, UninstallDevApp
-| message-disptahcer.system-server | v1 | event | Create, List
-| service.desktop | v1 | ai_message | AIMessage
-| service.did | v1 | did | ResolveByDID, ResolveByName, Verify
-| api.intent | v1 | legacy_api | POST
-| service.intent | v1 | intent | RegisterIntentFilter, UnregisterIntentFilter, SendIntent, QueryIntent, ListDefaultChoice, CreateDefaultChoice, RemoveDefaultChoice, ReplaceDefaultChoice
-| service.message | v1 | message | GetContactLogs, GetMessages, Message
-| service.notification | v1 | message | Create
-| service.notification | v1 | token | Create
-| service.search | v1 | search | Input, Delete, InputRSS, DeleteRSS, QueryRSS, QuestionAI
-| secret.infisical | v1 | secret | CreateSecret, RetrieveSecret
-| secret.vault | v1 | key | List, Info, Sign
-
 ### provider
 
 - 类型：`list<map>`
@@ -432,7 +451,11 @@ permission:
 
 用于声明本应用需访问的其他应用接口。被访问的应用需在其 `provider` 部分声明对外开放的 `providerName`，详见下方 Provider 章节。
 
-此处 `appName` 应填写目标应用的 `name`，`providerName` 填写目标应用 `provider` 配置中的 `name` 字段。`podSelectors` 字段用于指定本应用中哪些 pod 需要访问目标应用。如果未声明此字段，则默认为本应用的所有 pod 注入 `outbound envoy sidecar`。
+配置访问的方式如下
+1. 在 `appName` 字段填写目标应用的 `name` 字段。
+2. 在`providerName` 字段填写目标应用 `provider` 配置中的 `name` 字段。
+
+你可以使用 `podSelectors` 字段来指定本应用中哪些 pod 需要访问目标应用。如果未声明此字段，则默认为本应用的所有 pod 注入 `outbound envoy sidecar`。
 
 :::info 调用应用示例
 ```yaml
@@ -458,25 +481,6 @@ provider:
 :::
 
 
-## Tailscale
-- 类型：`map`
-- 可选
-
-允许应用在 Tailscale 的ACL(Access Control Lists)中开放指定端口。
-
-:::info 示例
-```yaml
-tailscale:
-  acls:
-  - proto: tcp
-    dst:
-    - "*:46879"
-  - proto: "" # 可选, 如果未指定，则允许使用所有支持的协议
-    dst:
-    -  "*:4557"  
-```
-:::
-
 ## Spec
 记录额外的应用信息，主要用于应用商店的展示。
 
@@ -796,10 +800,10 @@ middleware:
 
 ## Options
 
-在此部分配置系统相关的选项。
+此部分用于配置与Olares系统相关的选项。
 
 ### policies
-- 类型：`map`
+- 类型：`list<map>`
 - 可选
 
 定义应用子域的详细访问控制。
@@ -816,40 +820,40 @@ options:
 ```
 :::
 
-### clusterScoped
+### appScope
 - 类型：`map`
 - 可选
 
-是否为 Olares 集群中的所有用户安装此应用程序。
+是否为 Olares 集群中的所有用户安装此应用程序。对用共享应用，需要设置 `clusterScoped` 为 `true`, 同时在 `appRef` 字段填入应用名称
 
-:::info 服务端示例
+
+:::info 应用ollamav2示例
 ```yaml
 metadata:
-  name: gitlab
+  name: ollamav2
 options:
   appScope:
+  {{- if and .Values.admin .Values.bfl.username (eq .Values.admin .Values.bfl.username) }}  # 仅管理员安装共享服务
     clusterScoped: true
     appRef:
-      - gitlabclienta # 客户端的应用名称
-      - gitlabclientb
+      - ollamav2  # 此应用在 metadata.name 中声明的名字
+  {{- else }}
+    clusterScoped: false
+  {{- end }}
+  dependencies:
+    - name: olares
+      version: '>=1.12.3-0'
+      type: system
+  {{- if and .Values.admin .Values.bfl.username (eq .Values.admin .Values.bfl.username) }}
+  {{- else }} 
+    - name: ollamav2
+      type: application
+      version: '>=1.0.1'
+      mandatory: true  # 其他用户安装客户端，依赖管理员安装的共享服务
+  {{- end }}
 ```
 :::
 
-:::info 客户端示例
-```yaml
-metadata:
-  name: gitlabclienta
-options:
-  dependencies:
-    - name: olares
-      version: ">=0.3.6-0"
-      type: system
-    - name: gitlab # 服务器端的应用名称
-      version: ">=0.0.1"
-      type: application
-      mandatory: true
-```
-:::
 
 ### dependencies
 - 类型：`list<map>`
@@ -872,6 +876,24 @@ options:
 ```
 :::
 
+### conflicts
+- 类型：`list<map>`
+- 可选
+
+请在此处声明与该应用冲突的其他应用。必须卸载冲突应用后才能安装此应用。
+
+:::info 示例
+```yaml
+options:
+  conflicts:
+  - name: comfyui
+    type: application
+  - name: comfyuiclient
+    type: application  
+```
+:::
+
+
 ### mobileSupported
 - 类型： `boolean`
 - 默认值： `false`
@@ -919,7 +941,7 @@ apiTimeout: 0
 :::
 
 ### allowedOutboundPorts
-- 类型： `map`
+- 类型： `list<int>`
 - 可选
 
 要求开通以下端口进行非 HTTP 协议的对外访问，例如 SMTP 服务等。

docs/zh/developer/install/environment-variables.md

@@ -1,6 +1,6 @@
 ---
 outline: [2, 3]
-description: Olares 提供的环境变量，用于自定义网络、认证、GPU 支持等功能。包含配置示例和详细规格说明。
+description: Olares 提供了丰富的环境变量以满足定制化安装需求。通过修改这些变量，你可以覆盖默认安装设置，实现灵活的个性化安装配置。
 ---
 # Olares 环境变量参考
 
@@ -22,7 +22,7 @@ export KUBE_TYPE=k8s \
 # 指定使用完整的 Kubernetes (k8s) 而非轻量级 k3s
 export KUBE_TYPE=k8s && bash install.sh
 ```
-两种方式的执行效果相同：环境变量 `KUBE_TYPE` 会传递给安装脚本，脚本会根据这个变量来调整其安装逻辑。
+两种方式的执行效果相同。环境变量 `KUBE_TYPE` 会传递给安装脚本，并据此修改安装行为。
 
 当然，你也可以组合多个环境变量来实现更灵活的自定义效果。例如中国大陆的用户通过`cn.olares.sh`获取的安装脚本，就是一个在默认安装脚本之上设置了一系列环境变量的脚本：
 
@@ -45,115 +45,133 @@ curl -sSfL https://olares.sh | bash
 
 以下列出了安装脚本所支持的环境变量及其默认值、可选值和说明。请根据具体需求进行配置。
 
-### `CLOUDFLARE_ENABLE`
-指定是否启用 Cloudflare 代理。  
-- **可选值**：
-  - `0`（禁用）
-  - `1`（启用）
-- **默认值**：`0`（禁用）
+### CLOUDFLARE_ENABLE 
+
+指定是否启用 Cloudflare 代理。
+- **可选值**：
+    - `0`（禁用） 
+    - `1`（启用） 
+- **默认值**：`0` 
+
+### FRP_AUTH_METHOD 
 
-### `FRP_AUTH_METHOD`
 设置 FRP 的认证方式。
 - **可选值**：
-  - `jws`
-  - `token`（需要设置 `FRP_AUTH_TOKEN`）
-  - *（空字符串）* —— 不使用认证
-- **默认值**：`jws`
+    - `jws `
+    - `token`（需要设置`FRP_AUTH_TOKEN`）
+    - *（空字符串）* —— 不使用认证 
+- **默认值**：`jws` 
 
-### `FRP_AUTH_TOKEN`
-当 `FRP_AUTH_METHOD=token` 时，用于指定服务器通信所需的 Token。  
-- **可选值**：任意非空字符串  
+### FRP_AUTH_TOKEN 
+
+当 `FRP_AUTH_METHOD=token` 时，用于指定服务器通信所需的 Token。
+- **可选值**：任意非空字符串
 - **默认值**：无
 
-### `FRP_ENABLE`
-指定是否启用 FRP 内网穿透。如果使用自定义 FRP 服务器，还需额外设置相关变量。  
-- **可选值**：
-  - `0`（禁用）
-  - `1`（启用） 
-- **默认值**：`0`（禁用）
+### FRP_ENABLE 
+
+指定是否启用 FRP 内网穿透。如果使用自定义 FRP 服务器，还需额外设置相关变量。
+- **可选值**：
+    - `0`（禁用） 
+    - `1`（启用） 
+- **默认值**：`0` 
+
+### FRP_PORT 
 
-### `FRP_PORT`
 设置 FRP 服务端监听端口。
-- **可选值**：整数范围 `1～65535`  
+- **可选值**：整数范围 `1–65535` 
 - **默认值**：未设置或设为 `0` 时默认为 `7000`
 
-### `JUICEFS`
-随 Olares 一起安装 [JuiceFS](https://juicefs.com/)。
-- **可选值**：`1`  
+### JUICEFS 
+
+随 Olares 一起安装  [JuiceFS]。
+- **可选值**：`1` 
 - **默认值**：无（若不设置则不安装 JuiceFS）
 
-### `KUBE_TYPE`
-指定要使用的 Kubernetes 发行版。
-- **可选值**：
-  - `k8s`（完整的 Kubernetes）
-  - `k3s`（Kubernetes 的轻量级发行版）
-- **默认值**：`k3s`
+### KUBE_TYPE 
 
-### `LOCAL_GPU_ENABLE`
-指定是否启用 GPU 并安装相关驱动。  
+指定要使用的 Kubernetes 发行版。 
 - **可选值**：
-  - `0`（禁用）
-  - `1`（启用）
-- **默认值**：`0`（禁用）
+    - `k8s`（完整的 Kubernetes）
+    - `k3s`（Kubernetes 的轻量级发行版）
+- **默认值**：`k3s` 
 
-### `LOCAL_GPU_SHARE`
-指定是否启用 GPU 共享功能。仅在已启用 GPU 时生效。  
+### LOCAL_GPU_ENABLE 
+指定是否启用 GPU 并安装相关驱动。
 - **可选值**：
-  - `0`（禁用）
-  - `1`（启用）
-- **默认值**：`0`（禁用）
+    - `0`（禁用） 
+    - `1`（启用） 
+- **默认值**：`0` 
+
+### LOCAL_GPU_SHARE 
+
+指定是否启用 GPU 共享功能。仅在已启用 GPU 时生效。
+- **Valid values**:
+    - `0`（禁用） 
+    - `1`（启用） 
+- **默认值**：`0` 
+
+### NVIDIA_CONTAINER_REPO_MIRROR 
 
-### `NVIDIA_CONTAINER_REPO_MIRROR`
 配置 `nvidia-container-toolkit` 的 APT 安装镜像源。
 - **可选值**：
-  - `nvidia.github.io`
-  - `mirrors.ustc.edu.cn`（推荐中国大陆用户使用，连接性更好）
-- **默认值**：`nvidia.github.io`
+    - `nvidia.github.io` 
+    - `mirrors.ustc.edu.cn`（推荐中国大陆用户使用，连接性更好）
+- **默认值**：`nvidia.github.io` 
+
+### PREINSTALL 
 
-### `PREINSTALL`
 仅执行预安装阶段（系统依赖配置），不进行完整的 Olares 安装。
-- **可选值**：`1`  
+- **可选值**：`1` 
 - **默认值**：无（若不设置则执行完整安装）
 
-### `PUBLICLY_ACCESSIBLE`
+### PUBLICLY_ACCESSIBLE 
+
 明确指定该机器可以在互联网上公开访问，同时不设置反向代理。
-- **可选值**： 
-  - `0` (否)
-  - `1` (是)
-- **默认值**: `0`
+- **可选值**：
+    - `0`（否）
+    - `1`（是）
+- **默认值**：`0` 
+
+### REGISTRY_MIRRORS 
 
-### `REGISTRY_MIRRORS`
 设置 Docker 镜像加速地址。
-- **可选值**：`https://mirrors.olares.cn` 或其他镜像源地址  
-- **默认值**：`https://registry-1.docker.io`
+- **可选值**：`https://mirrors.olares.com`或其他镜像源地址
+- **默认值**：`https://registry-1.docker.io` 
 
-### `TERMINUS_IS_CLOUD_VERSION`
-明确将此机器标记为云端实例（cloud instance）。  
-- **可选值**：`true`  
+### TERMINUS_IS_CLOUD_VERSION 
+
+明确将此机器标记为云端实例（cloud instance）。 
+- **可选值**：`true` 
 - **默认值**：无
 
-### `TERMINUS_OS_DOMAINNAME`
-在安装前预先设置域名，会跳过安装过程中的交互式提示。  
-- **可选值**：任意有效域名  
+### TERMINUS_OS_DOMAINNAME 
+
+在安装前预先设置域名，会跳过安装过程中的交互式提示。
+- **可选值**：任意有效域名
 - **默认值**：无（若不设置则会提示输入域名）
 
-### `TERMINUS_OS_EMAIL`
-在安装前预先设置邮箱地址，会跳过安装过程中的交互式提示。  
-- **可选值**：任意有效邮箱地址  
+### TERMINUS_OS_EMAIL 
+
+在安装前预先设置邮箱地址，会跳过安装过程中的交互式提示。
+- **可选值**：任意有效邮箱地址
 - **默认值**：无（若不设置则自动生成临时邮箱）
 
-### `TERMINUS_OS_PASSWORD`
-在安装前预先设置密码，会跳过安装过程中的交互式提示。  
-- **可选值**：6～32 个字符的有效密码
-- **默认值**：随机生成 8 位密码
+### TERMINUS_OS_PASSWORD 
+
+在安装前预先设置密码，会跳过安装过程中的交互式提示。
+- **可选值**：6～32 个字符的有效密码
+- **默认值**：随机生成 8 位密码 
+
+### TERMINUS_OS_USERNAME 
 
-### `TERMINUS_OS_USERNAME`
 在安装前预先设置用户名，会跳过安装过程中的对应交互式提示。
-- **可选值**：任意有效用户名（长度 2～250，且不与保留关键词冲突）  
+- **可选值**：任意有效用户名（长度 2～250，且不与保留关键词冲突）
 - **默认值**：无（若不设置则会提示输入用户名）
 - **验证规则**：保留关键词包括 `user`、`system`、`space`、`default`、`os`、`kubesphere`、`kube`、`kubekey`、`kubernetes`、`gpu`、`tapr`、`bfl`、`bytetrade`、`project`、`pod`
 
-### `TOKEN_MAX_AGE`
-设置 Token 的最大有效时长（单位：秒）。  
-- **可选值**：任意整数（单位：秒）  
+### TOKEN_MAX_AGE 
+
+设置 Token 的最大有效时长（单位：秒）。
+- **可选值**：任意整数（单位：秒）
 - **默认值**：`31536000`（365 天）

docs/zh/manual/best-practices/local-access.md

@@ -187,6 +187,6 @@ ping desktop.<username>.olares.cn
 
 ## 常见问题
 
-<!--@include: ../../reusables/larepass-vpn.md{50,75}-->
+<!--@include: ../../reusables/larepass-vpn.md{50,57}-->
 
 <!--@include: ../../reusables/local-domain.md{42,75}-->

docs/zh/manual/get-started/local-access.md

@@ -39,7 +39,7 @@ description: 了解如何使用 LarePass VPN 或 .local 域名安全访问 Olare
 
 ### 常见问题
 
-<!--@include: ../../reusables/larepass-vpn.md{50,75}-->
+<!--@include: ../../reusables/larepass-vpn.md{50,57}-->
 
 <!--@include: ../../reusables/local-domain.md{42,75}-->
 

docs/zh/manual/help/ts-larepass-vpn-not-working.md

@@ -0,0 +1,66 @@
+---
+outline: [2, 3]
+description: 排查 LarePass VPN 在 macOS 或 Windows 上无法使用的问题。
+---
+
+# LarePass VPN 无法使用
+
+当 LarePass VPN 开关没有反应、连接停滞在“连接中”，或之前可以正常使用的 VPN 连接在 macOS 或 Windows 上突然失效时，可参考本指南。
+
+## 适用情况
+
+**macOS**
+- 点击 LarePass 桌面客户端的 VPN 开关没有反应，或 VPN 停滞在“连接中”。
+- LarePass VPN 之前在此设备上可以正常使用，但现在无法连接或连接后立即断开。
+ 
+**Windows**
+- 点击 LarePass 桌面客户端的 VPN 开关没有反应，或 VPN 无法启用。
+
+## 原因
+
+- **macOS**：LarePass VPN 需要完整设置系统级网络扩展和 VPN 配置。如果在初次设置时跳过或未完成任一步骤，或者网络扩展出现卡死或损坏，macOS 将阻止 LarePass 建立 VPN 隧道。
+
+- **Windows**：第三方杀毒或安全软件可能误将 LarePass 桌面客户端标记为可疑程序，导致 VPN 服务无法启动。
+
+## 解决方案
+
+### macOS
+
+重置网络扩展并完整走完系统设置流程，以恢复 VPN 连接。
+
+:::info
+不同 macOS 版本下界面可能略有差异。
+:::
+
+1. 打开**系统设置**，搜索"扩展"，选择**扩展**。
+2. 滚动到**网络扩展**部分，点击 <span class="material-symbols-outlined">info</span> 查看已加载的扩展。
+   ![系统设置中的网络扩展部分](/images/manual/help/ts-vpn-network-extensions.png#bordered){width=70%}
+
+3. 找到 **LarePass**，点击三个点（**...**），选择**删除扩展**。
+4. 确认卸载。
+5. 重启 Mac。
+6. 重新打开 LarePass 桌面客户端并启用 VPN。
+7. 按照系统提示完成扩展和 VPN 配置的恢复：
+
+   a. 当 macOS 提示添加 LarePass 网络扩展时，点击**打开系统设置**。
+   ![添加 LarePass 网络扩展的提示](/images/manual/help/ts-vpn-add-network-extension.png#bordered){width=40%}
+
+   b. 打开 **LarePass** 开关。
+   ![打开 LarePass 网络扩展开关](/images/manual/help/ts-vpn-toggle-on-network-extension.png#bordered){width=70%}
+
+   c. 当提示添加 VPN 配置时，点击**允许**。
+   ![添加 VPN 配置的提示](/images/manual/help/ts-vpn-add-vpn-configuration.png#bordered){width=40%}
+
+### Windows
+
+:::info LarePass 在首次启动时被拦截
+如果杀毒软件在安装后首次打开 LarePass 时将其拦截，先在安全软件中放行该应用，再执行以下步骤。
+:::
+
+1. 在杀毒或安全软件中，打开**白名单**、**排除项**或**例外**设置。
+2. 将 LarePass 主程序或安装目录加入白名单。常见路径包括：
+   - `C:\Users\<用户名>\AppData\Local\LarePass\`
+   - `C:\Program Files\LarePass\`
+3. 应用更改，如有需要重启杀毒软件。
+4. 退出并重新打开 LarePass 桌面客户端。
+5. 在 LarePass 中再次尝试启用**专用网络连接**。

docs/zh/one/access-olares-via-vpn.md

@@ -34,4 +34,4 @@ While this address works from anywhere, it's recommended to enable the LarePass
 
 ## Troubleshooting
 
-<!--@include: ../../reusables/larepass-vpn.md{50,74}-->
+<!--@include: ../../reusables/larepass-vpn.md{50,57}-->

docs/zh/one/redeem-membership.md

@@ -4,12 +4,12 @@ description: Learn how to redeem your complimentary Olares Space Basic membershi
 head:
   - - meta
     - name: keywords
-      content: Olares, Olares One, Olares Space, redeem membership card, kickstarter backers, Basic plan
+      content: Olares, Olares One, Olares Space, redeem membership card, Basic plan, kickstarter backers
 ---
 
-# Redeem Olares Space membership <Badge type="tip" text="Kickstarter Backers Only" />
+# Redeem Olares Space membership
 
-If you backed Olares One on Kickstarter, your package includes an "Olares Space Membership" card. This card grants you a complimentary 2-year Basic membership to use the enhanced connectivity services provided by Olares Space.
+Depending on your purchase channel such as the Kickstarter campaign, your Olares One package might include an Olares Space Membership card. This card grants you a complimentary 2-year Basic membership to use the enhanced connectivity services provided by Olares Space.
 
 :::tip Olares One is a one-time purchase
 Your Olares One hardware and system updates are free forever.
@@ -24,6 +24,7 @@ Olares Space is a secure connectivity platform that extends the capabilities of
 * **Remote access (FRP)**: High-speed remote connection with 50 GB of monthly traffic at speeds up to 50 Mbps. This includes access to regional acceleration nodes for faster response times. If you exceed the monthly quota, speed is throttled to 5 Mbps. The free alternative is to use the LarePass VPN or host your own FRP server.
 
 ## Log in to Olares Space
+
 1. Go to https://space.olares.com.
 
     ![Olares Space login page](/images/one/olares-space-login.png#bordered)
@@ -40,21 +41,23 @@ Olares Space is a secure connectivity platform that extends the capabilities of
     ![Log in to Olares Space](/images/one/login-olares-space.png#bordered)
 
 ## Redeem Basic plan
+
 :::info
 The 2-year validity period begins the moment you successfully bind your email to an Olares ID.
 :::
-To redeem your benefits, you must verify the email address associated with your Kickstarter order using the Olares Space dashboard.
+
+To redeem the Basic plan benefits, you must link your account to the email address associated with your purchase order using the Olares Space dashboard. For example, the email associated with your Kickstarter order.
+
 1. In Olares Space, from the left navigation pane, click **Usage & billing**. 
 2. On the **Account email** tab, click **Email address**.
 
     ![Olares Space account email](/images/one/account-email.png#bordered)
 
-3. In the **Add email** window, enter the email address used for your Kickstarter order.
+3. In the **Add email** window, enter the email address used for your purchase order.
 
     ![Olares Space bind email](/images/one/bind-email.png#bordered)
 
 4. Click **Send verification code**.
-
 5. Follow the on-screen instructions to complete the verification.
  
     :::tip 
@@ -67,29 +70,32 @@ To redeem your benefits, you must verify the email address associated with your
 
     ![Olares Space Basic plan](/images/one/basic-plan.png#bordered)   
 
-## Switch membership to a different Olares ID
+## Transfer membership to a different Olares ID
+
 :::warning Validity period adjustment
-Transferring your membership to a new Olares ID reduces your remaining validity period by one month. If you transfer multiple times within the same month, the deduction only occurs once.
-:::
-:::warning Changing your bound email
-The Basic membership is tied strictly to the specific email address used on Kickstarter. If you change the email, you will lose the Basic membership immediately.
+Transferring your membership to a new Olares ID reduces your remaining validity period by one month. If you transfer multiple times within the same calendar month, the deduction only occurs once.
 :::
 
-If you want to move your Basic membership to a new Olares ID:
+:::warning Changing bound email
+The Basic membership is tied strictly to the specific email address used for your purchase order. If you change the email, the current account loses the Basic membership immediately.
+:::
+
+If you want to transfer your Basic membership to a new Olares ID:
 
 1. Log in to Olares Space with your old Olares ID. 
 2. Go to **Usage & billing** > **Account email**. 
-3. Click **Unbind** to remove the Kickstarter email from the account email settings. 
+3. Click **Unbind** to remove the purchase order email from the account email settings. 
 
     ![Unbind email](/images/one/unbind-button.png#bordered) 
 
 4. Click **Send verification code**.
 5. Follow the on-screen instructions to complete the verification.
     
-    A notification message will confirm that the email was removed. Your account automatically changes to the Free plan.
+    A notification message will confirm that the email was removed. The current account changes to the Free plan immediately.
 
 6. Log in to Olares Space with the new Olares ID. 
-7. Bind and verify the Kickstarter email using the steps in the [Activate membership](#activate-membership) section. This will immediately upgrade the new Olares ID to the Basic plan.
+7. Bind the purchase order email using the steps in the [Redeem Basic plan](#redeem-basic-plan) section. This will upgrade the new Olares ID to the Basic plan immediately.
+
 ## Resources
 
 - [Monitor traffic in Olares Space](space.md)

docs/zh/one/windows.md

@@ -97,6 +97,7 @@ The following steps show the macOS interface, but the workflow is similar on all
 ::: 
 
 1. Open Windows from the Launchpad. Copy the domain from the address bar (exclude `https://` and any text after the domain).
+   ![Domain address](/images/one/win-url.png#bordered)
 2. Open the Windows App (or Remote Desktop) on your device.
 3. Add your Windows VM as an RDP connection. 
 

docs/zh/reusables/README.md

@@ -3,6 +3,6 @@
 本目录存放通过 `<!--@include: path/to/reusables/file.md{start,end}-->` 在多个文档中引用的共享内容。
 
 - **local-domain.md**：`.local` 域名说明、URL 格式、HTTP 说明及故障排除（Chrome、Safari）。被 `manual/get-started/local-access.md`、`manual/best-practices/local-access.md` 引用。
-- **larepass-vpn.md**：LarePass VPN 步骤（下载、启用、确认连接类型）及常见问题（Mac 扩展重置、Windows 杀毒软件）。被 `manual/get-started/local-access.md`、`manual/best-practices/local-access.md` 引用。
+- **larepass-vpn.md**：LarePass VPN 步骤（下载、启用、确认连接类型）及常见问题（链接至故障排查文档）。被 `manual/get-started/local-access.md`、`manual/best-practices/local-access.md` 引用。
 
 在各文件顶部注释中注明可引用的行号范围。

docs/zh/reusables/larepass-vpn.md

@@ -3,7 +3,7 @@ search: false
 ---
 <!-- 可复用的 LarePass VPN 内容。按行号范围引用。
      步骤（无标题）：Step 1 7-16，Step 2 18-41，Step 3 42-49。
-     常见问题：50-75 -->
+     常见问题：50-57 -->
 
 要使用安全 VPN 连接，必须在用来访问 Olares 的设备上安装 LarePass 客户端。
 
@@ -50,25 +50,8 @@ search: false
 
 ### 为什么在 Mac 上无法再启用 LarePass VPN？
 
-如果之前能正常启用 VPN 但现在失效，可能需要重置系统扩展。
-
-:::info
-不同 macOS 版本下界面可能略有差异。
-:::
-
-1. 打开**系统设置**，搜索“扩展”，选择**登录项与扩展**。
-2. 滚动到**网络扩展**，点击信息图标 (ⓘ) 查看已加载的扩展。
-3. 找到 LarePass，点击三点 (...)，选择**删除扩展**。
-4. 确认卸载。
-5. 重启 Mac，在 LarePass 桌面客户端中重新启用 VPN。
+如果网络扩展或 VPN 配置未完整设置，或网络扩展出现卡死、损坏，macOS 会阻止 LarePass 建立 VPN 隧道。参考 [LarePass VPN 无法使用](/zh/manual/help/ts-larepass-vpn-not-working)，重置扩展并恢复 VPN。
 
 ### 为什么在 Windows 上无法启用 LarePass VPN？
 
-第三方杀毒软件可能误将 LarePass 桌面客户端标记为可疑，导致无法启动 VPN 服务。
-
-首次打开 LarePass 时如果杀毒软件有提示，选择允许应用继续运行。
-
-如果 VPN 仍然无法启用：
-1. 打开安全软件，查看是否拦截了 LarePass。
-2. 将 LarePass 主程序加入杀毒软件的白名单或排除项。
-3. 重启 LarePass 并再次启用 VPN。
+第三方杀毒或安全软件可能误将 LarePass 标记为可疑程序，导致 VPN 服务无法启动。参考 [LarePass VPN 无法使用](/zh/manual/help/ts-larepass-vpn-not-working) 解决该问题。

framework/authelia/.olares/config/cluster/deploy/auth_backend_deploy.yaml

@@ -431,7 +431,7 @@ spec:
           privileged: true
       containers:      
       - name: authelia
-        image: beclab/auth:0.2.48
+        image: beclab/auth:0.2.49
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 9091

framework/authelia/.olares/config/cluster/deploy/auth_backend_provider.yaml

@@ -26,6 +26,7 @@ metadata:
 rules:
   - nonResourceURLs: 
       - "/api/reset/*"
+      - "/cli/api/reset/*"
     verbs: ["*"]
 
 ---

framework/bfl/.olares/config/launcher/templates/bfl_deploy.yaml

@@ -266,7 +266,7 @@ spec:
 
       containers:
       - name: api
-        image: beclab/bfl:v0.4.41
+        image: beclab/bfl:v0.4.42
         imagePullPolicy: IfNotPresent
         securityContext:
           runAsUser: 1000

framework/bfl/pkg/apis/settings/v1alpha1/handler_application.go

@@ -178,8 +178,8 @@ func (h *Handler) setupAppCustomDomain(req *restful.Request, resp *restful.Respo
 	var settings app_service.ApplicationsSettings
 	appServiceClient := app_service.NewAppServiceClient()
 
-	var terminusName, zone string
-	terminusName, zone, err = h.getUserInfo()
+	var zone string
+	_, zone, err = h.getUserInfo()
 	if err != nil {
 		response.HandleError(resp, err)
 		return
@@ -223,8 +223,6 @@ func (h *Handler) setupAppCustomDomain(req *restful.Request, resp *restful.Respo
 		return
 	}
 
-	cm := certmanager.NewCertManager(constants.TerminusName(terminusName))
-
 	var operate = h.getCustomDomainOperation(reqCustomDomain, existsAppCustomDomain)
 	log.Infof("setAppCustomDomain: app: %s-%s, reqDomain: %s, existsDomain: %s, operate: %d, req: %s",
 		appName, entranceName, reqCustomDomain, existsAppCustomDomain, operate, utils.ToJSON(customDomain))
@@ -260,12 +258,6 @@ func (h *Handler) setupAppCustomDomain(req *restful.Request, resp *restful.Respo
 			customDomain = entranceCustomDomainMap
 		}
 	case constants.CustomDomainDelete, constants.CustomDomainUpdate:
-		_, err := cm.DeleteCustomDomainOnCloudflare(existsAppCustomDomain)
-		if err != nil {
-			log.Errorf("setAppCustomDomain: app: %s-%s, delete custom domain error %v", appName, entranceName, err)
-			response.HandleError(resp, err)
-			return
-		}
 		fallthrough
 	case constants.CustomDomainAdd:
 		formatSettings(customDomain, zone, "", "")