fix(bfl): update l4 version

fix(cli): remove error logging for GB10 chip check (#2626 )
docs: add LarePass VPN troubleshooting docs (#2606 )
2026-03-05 15:46:30 +08:00 · 2026-03-05 14:15:11 +08:00 · 2026-03-05 12:38:30 +08:00 · 2026-03-05 11:04:15 +08:00 · 2026-03-05 10:29:42 +08:00 · 2026-03-04 23:51:04 +08:00
69 changed files with 1134 additions and 795 deletions
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -220,6 +220,7 @@ jobs:

      # test
      - env:
+          VERSION: ${{ needs.test-version.outputs.version }}
          REPO_PATH: '${{ secrets.REPO_PATH }}'
        run: |
          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
@@ -261,8 +262,8 @@ jobs:
    - name: Upload package
      run: |
        md5sum install-wizard-v${{ needs.test-version.outputs.version }}.tar.gz > install-wizard-v${{ needs.test-version.outputs.version }}.md5sum.txt && \
-        coscmd upload install-wizard-v${{ needs.test-version.outputs.version }}.md5sum.txt /install-wizard-v${{ needs.test-version.outputs.version }}.md5sum.txt --acl=public-read && \
-        coscmd upload install-wizard-v${{ needs.test-version.outputs.version }}.tar.gz /install-wizard-v${{ needs.test-version.outputs.version }}.tar.gz --acl=public-read
+        coscmd upload install-wizard-v${{ needs.test-version.outputs.version }}.md5sum.txt /install-wizard-v${{ needs.test-version.outputs.version }}.md5sum.txt && \
+        coscmd upload install-wizard-v${{ needs.test-version.outputs.version }}.tar.gz /install-wizard-v${{ needs.test-version.outputs.version }}.tar.gz


  install-test:
--- a/README.md
+++ b/README.md
@@ -3,10 +3,10 @@
 # Olares: An Open-Source Personal Cloud to </br>Reclaim Your Data<!-- omit in toc -->

 [![Mission](https://img.shields.io/badge/Mission-Let%20people%20own%20their%20data%20again-purple)](#)<br/>
-[![Last Commit](https://img.shields.io/github/last-commit/beclab/olares)](https://github.com/beclab/olares/commits/main)
+[![Last Commit](https://img.shields.io/github/last-commit/beclab/Olares)](https://github.com/beclab/olares/commits/main)
 ![Build Status](https://github.com/beclab/olares/actions/workflows/release-daily.yaml/badge.svg)
-[![GitHub release (latest by date)](https://img.shields.io/github/v/release/beclab/olares)](https://github.com/beclab/olares/releases)
-[![GitHub Repo stars](https://img.shields.io/github/stars/beclab/olares?style=social)](https://github.com/beclab/olares/stargazers)
+[![GitHub release (latest by date)](https://img.shields.io/github/v/release/beclab/Olares)](https://github.com/beclab/olares/releases)
+[![GitHub Repo stars](https://img.shields.io/github/stars/beclab/Olares?style=social)](https://github.com/beclab/Olares/stargazers)
 [![Discord](https://img.shields.io/badge/Discord-7289DA?logo=discord&logoColor=white)](https://discord.gg/olares)
 [![License](https://img.shields.io/badge/License-AGPL--3.0-blue)](https://github.com/beclab/olares/blob/main/LICENSE)

@@ -45,7 +45,7 @@ Just as Public clouds offer IaaS, PaaS, and SaaS layers, Olares provides open-so

  ![Tech Stacks](https://app.cdn.olares.com/github/olares/olares-architecture.jpg)

- For detailed description of each component, refer to [Olares architecture](https://docs.olares.com/manual/concepts/system-architecture.html).
+ For detailed description of each component, refer to [Olares architecture](https://docs.olares.com/developer/concepts/system-architecture.html).

 > 🔍 **How is Olares different from traditional NAS?**
 >
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/olares-app.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/olares-app.yaml
@@ -317,7 +317,7 @@ spec:
            chown -R 1000:1000 /uploadstemp && \
            chown -R 1000:1000 /appdata 
        - name: olares-app-init
-          image: beclab/system-frontend:v1.9.6
+          image: beclab/system-frontend:v1.9.12
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
--- a/build/upload-deps.sh
+++ b/build/upload-deps.sh
@@ -31,7 +31,7 @@ while read line; do
    curl -fsSLI https://cdn.olares.com/$path$name > /dev/null
    if [ $? -ne 0 ]; then
        code=$(curl -o /dev/null -fsSLI -w "%{http_code}" https://cdn.olares.com/$path$name)
-        if [ $code -eq 403 ]; then
+        if [[ $code -eq 403 || $code -eq 404 ]]; then

            bash ${BASE_DIR}/download-deps.sh $PLATFORM $line
            if [ $? -ne 0 ]; then
--- a/build/upload-images.sh
+++ b/build/upload-images.sh
@@ -15,7 +15,7 @@ cat $1|while read image; do
    curl -fsSLI https://cdn.olares.com/$path$name.tar.gz > /dev/null
    if [ $? -ne 0 ]; then
        code=$(curl -o /dev/null -fsSLI -w "%{http_code}" https://cdn.olares.com/$path$name.tar.gz)
-        if [ $code -eq 403 ]; then
+        if [[ $code -eq 403 || $code -eq 404 ]]; then
            set -ex
            skopeo copy --insecure-policy docker://$image oci-archive:$name.tar
            gzip $name.tar
@@ -53,7 +53,7 @@ cat $1|while read image; do
    curl -fsSLI https://cdn.olares.com/$path$checksum > /dev/null
    if [ $? -ne 0 ]; then
        code=$(curl -o /dev/null -fsSLI -w "%{http_code}" https://cdn.olares.com/$path$checksum)
-        if [ $code -eq 403 ]; then
+        if [[ $code -eq 403 || $code -eq 404 ]]; then
            set -ex
            skopeo copy --insecure-policy docker://$image oci-archive:$name.tar
            gzip $name.tar
@@ -88,7 +88,7 @@ cat $1|while read image; do
    curl -fsSLI https://cdn.olares.com/$path$manifest > /dev/null
    if [ $? -ne 0 ]; then   
        code=$(curl -o /dev/null -fsSLI -w "%{http_code}" https://cdn.olares.com/$path$manifest)
-        if [ $code -eq 403 ]; then
+        if [[ $code -eq 403 || $code -eq 404 ]]; then
            set -ex
            BASE_DIR=$(dirname $(realpath -s $0))
            python3 $BASE_DIR/get-manifest.py $image -o $manifest
--- a/cli/pkg/common/common.go
+++ b/cli/pkg/common/common.go
@@ -159,6 +159,7 @@ const (
 	CommandUpdatePciids = "update-pciids"
 	CommandNmcli        = "nmcli"
 	CommandZRAMCtl      = "zramctl"
+	CommandChronyc      = "chronyc"

 	CacheCommandKubectlPath  = "kubectl_bin_path"
 	CacheCommandMinikubePath = "minikube_bin_path"
--- a/cli/pkg/core/connector/system.go
+++ b/cli/pkg/core/connector/system.go
@@ -512,7 +512,6 @@ func getCpu() *CpuInfo {
 	if err == nil && strings.TrimSpace(string(output)) != "" {
 		isGB10Chip = true
 	} else {
-		fmt.Printf("Error checking GB10 chip: %v\n", err)
 		gb10env := os.Getenv(common.ENV_GB10_CHIP)
 		if gb10env == "1" || strings.EqualFold(gb10env, "true") {
 			isGB10Chip = true
--- a/cli/pkg/etcd/templates/etcd_service.go
+++ b/cli/pkg/etcd/templates/etcd_service.go
@@ -27,7 +27,7 @@ var (
 	ETCDService = template.Must(template.New("etcd.service").Parse(
 		dedent.Dedent(`[Unit]
 Description=etcd
-After=network.target
+After=network-online.target
 StartLimitIntervalSec=0

 [Service]
--- a/cli/pkg/terminus/modules.go
+++ b/cli/pkg/terminus/modules.go
@@ -116,8 +116,14 @@ func (m *CheckPreparedModule) Init() {
 		Action: &CheckPrepared{Force: m.Force},
 	}

+	checkTimeSync := &task.LocalTask{
+		Name:   "CheckTimeSynced",
+		Action: &WaitTimeSyncTask{},
+	}
+
 	m.Tasks = []task.Interface{
 		checkPrepared,
+		checkTimeSync,
 	}
 }

--- a/cli/pkg/terminus/tasks.go
+++ b/cli/pkg/terminus/tasks.go
@@ -1033,3 +1033,37 @@ func (a *SaveMasterHostConfig) Execute(runtime connector.Runtime) error {
 	}
 	return os.WriteFile(filepath.Join(runtime.GetBaseDir(), common.MasterHostConfigFile), content, 0644)
 }
+
+type WaitTimeSyncTask struct {
+	common.KubeAction
+}
+
+func (t *WaitTimeSyncTask) Execute(runtime connector.Runtime) error {
+	if chronyc, err := util.GetCommand(common.CommandChronyc); err == nil && chronyc != "" {
+		ticker := time.NewTicker(2 * time.Second)
+		timeout := time.NewTimer(5 * time.Minute)
+		defer ticker.Stop()
+		defer timeout.Stop()
+		for {
+			select {
+			case <-ticker.C:
+				// output format:
+				// 68839BAF,104.131.155.175,3,1772592384.619310832,-0.001840593,0.001674238,0.001874871,-5.194,-0.001,0.112,0.162520304,0.010412607,1035.0,Normal
+				if res, err := runtime.GetRunner().Cmd(fmt.Sprintf("%s -c tracking", chronyc), false, true); err != nil {
+					logger.Errorf("failed to execute chronyc tracking: %v", err)
+					return err
+				} else {
+					resToken := strings.Split(res, ",")
+					// if the stratum of the server is 10 which means the local reference (hardware RTC) is active.
+					if strings.ToLower(resToken[2]) != "10" { // Stratum
+						logger.Infof("time synchronization is normal")
+						return nil
+					}
+				}
+			case <-timeout.C:
+				return fmt.Errorf("timeout waiting for time synchronization")
+			}
+		}
+	}
+	return nil
+}
--- a/daemon/internel/watcher/usb/watchers.go
+++ b/daemon/internel/watcher/usb/watchers.go
@@ -27,7 +27,7 @@ func WithSerial(ctx context.Context, serial string) context.Context {
 }

 func (w *usbWatcher) Watch(ctx context.Context) {
-	retry := 1
+	retry := 3
 	devs, err := utils.DetectdUsbDevices(ctx)
 	for {
 		if err != nil {
--- a/daemon/pkg/cluster/state/current.go
+++ b/daemon/pkg/cluster/state/current.go
@@ -43,11 +43,12 @@ type state struct {
 	Disk       string  `json:"disk"`

 	// network info
-	WikiConnected  bool    `json:"wifiConnected"`
-	WifiSSID       *string `json:"wifiSSID,omitempty"`
-	WiredConnected bool    `json:"wiredConnected"`
-	HostIP         string  `json:"hostIp"`
-	ExternalIP     string  `json:"externalIp"`
+	WikiConnected       bool      `json:"wifiConnected"`
+	WifiSSID            *string   `json:"wifiSSID,omitempty"`
+	WiredConnected      bool      `json:"wiredConnected"`
+	HostIP              string    `json:"hostIp"`
+	ExternalIP          string    `json:"externalIp"`
+	ExternalIPProbeTime time.Time `json:"-"`

 	// installing / uninstalling / upgrading state
 	InstallingState         ProcessingState `json:"installingState"`
@@ -130,7 +131,8 @@ func CheckCurrentStatus(ctx context.Context) error {
 		klog.Info("current state: ", CurrentState.TerminusState)
 	}()

-	utils.ForceMountHdd(ctx)
+	// Deprecated, only for Olares Zero
+	// utils.ForceMountHdd(ctx)

 	// set default value
 	if CurrentState.TerminusVersion == nil {
@@ -255,7 +257,10 @@ func CheckCurrentStatus(ctx context.Context) error {
 	}

 	CurrentState.HostIP = hostIp
-	CurrentState.ExternalIP = nets.GetMyExternalIPAddr()
+	if time.Since(CurrentState.ExternalIPProbeTime) > 1*time.Minute {
+		CurrentState.ExternalIP = nets.GetMyExternalIPAddr()
+		CurrentState.ExternalIPProbeTime = time.Now()
+	}

 	// get olares state

--- a/daemon/pkg/commands/install/cmd.go
+++ b/daemon/pkg/commands/install/cmd.go
@@ -181,6 +181,7 @@ var (
 		// {"installing k8s and kubesphere", "3%", 3},
 		// {"Generating \"ca\" certificate and key", "3%", 3},
 		// {"PatchKsCoreStatus success", "6%", 6},
+		{"time synchronization is normal", "3%", 3},
 		{"k8s and kubesphere installation is complete", "10%", 10},
 		{"Installing account ...", "15%", 15},
 		{"Installing settings ...", "20%", 20},
--- a/daemon/pkg/nets/net.go
+++ b/daemon/pkg/nets/net.go
@@ -4,14 +4,17 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"errors"
-	"io/ioutil"
+	"io"
 	"net"
 	"net/http"
 	"net/netip"
+	"net/url"
 	"os"
 	"strings"
 	"time"

+	"github.com/beclab/Olares/daemon/pkg/commands"
+	"github.com/gofiber/fiber/v2/log"
 	"github.com/libp2p/go-netroute"
 	pkg_errors "github.com/pkg/errors"
 	"github.com/txn2/txeh"
@@ -267,15 +270,7 @@ func GetHostIpFromHostsFile(domain string) (string, error) {
 	return ip, nil
 }

-// GetMyExternalIPAddr get my network outgoing ip address
 func GetMyExternalIPAddr() string {
-	sites := map[string]string{
-		"httpbin":    "https://httpbin.org/ip",
-		"ifconfigme": "https://ifconfig.me/all.json",
-		"externalip": "https://myexternalip.com/json",
-		"joinolares": "https://myip.joinolares.cn/ip",
-	}
-
 	type httpBin struct {
 		Origin string `json:"origin"`
 	}
@@ -295,80 +290,80 @@ func GetMyExternalIPAddr() string {
 		IP string `json:"ip"`
 	}

-	var unmarshalFuncs = map[string]func(v []byte) string{
-		"httpbin": func(v []byte) string {
-			var hb httpBin
-			if err := json.Unmarshal(v, &hb); err == nil && hb.Origin != "" {
-				return hb.Origin
-			}
-			return ""
-		},
-		"ifconfigme": func(v []byte) string {
-			var ifMe ifconfigMe
-			if err := json.Unmarshal(v, &ifMe); err == nil && ifMe.IPAddr != "" {
-				return ifMe.IPAddr
-			}
-			return ""
-		},
-		"externalip": func(v []byte) string {
-			var extip externalIP
-			if err := json.Unmarshal(v, &extip); err == nil && extip.IP != "" {
-				return extip.IP
-			}
-			return ""
-		},
-		"joinolares": func(v []byte) string {
-			return strings.TrimSpace(string(v))
-		},
+	type siteConfig struct {
+		url           string
+		unmarshalFunc func(v []byte) string
 	}

-	ch := make(chan any, len(sites))
-
-	for site := range sites {
-		go func(name string) {
-			http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-			c := http.Client{Timeout: 5 * time.Second}
-			resp, err := c.Get(sites[name])
-			if err != nil {
-				ch <- err
-				return
-			}
-			defer resp.Body.Close()
-			respBytes, err := ioutil.ReadAll(resp.Body)
-			if err != nil {
-				ch <- err
-				return
-			}
-
-			ip := unmarshalFuncs[name](respBytes)
-			//println(name, site, ip)
-			ch <- ip
-		}(site)
+	externalIPServiceURL, err := url.JoinPath(commands.OLARES_REMOTE_SERVICE, "/myip/ip")
+	if err != nil {
+		klog.Error("failed to parse external IP service URL, ", err)
+		return ""
 	}

-	tr := time.NewTimer(time.Duration(5*len(sites)+3) * time.Second)
-
-LOOP:
-	for i := 0; i < len(sites); i++ {
-		select {
-		case r, ok := <-ch:
-			if !ok {
-				continue
-			}
-
-			switch v := r.(type) {
-			case string:
-				ip := net.ParseIP(v)
-				if ip != nil && ip.To4() != nil && !ip.IsLoopback() && !ip.IsMulticast() {
-					return v
+	sites := []siteConfig{
+		{
+			url: externalIPServiceURL,
+			unmarshalFunc: func(v []byte) string {
+				return strings.TrimSpace(string(v))
+			},
+		},
+		{
+			url: "https://httpbin.org/ip",
+			unmarshalFunc: func(v []byte) string {
+				var hb httpBin
+				if err := json.Unmarshal(v, &hb); err == nil && hb.Origin != "" {
+					return hb.Origin
 				}
-			case error:
-				klog.Warningf("got an error, %v", v)
-			}
-		case <-tr.C:
-			tr.Stop()
-			klog.Warning("timed out")
-			break LOOP
+				return ""
+			},
+		},
+		{
+			url: "https://ifconfig.me/all.json",
+			unmarshalFunc: func(v []byte) string {
+				var ifMe ifconfigMe
+				if err := json.Unmarshal(v, &ifMe); err == nil && ifMe.IPAddr != "" {
+					return ifMe.IPAddr
+				}
+				return ""
+			},
+		},
+		{
+			url: "https://myexternalip.com/json",
+			unmarshalFunc: func(v []byte) string {
+				var extip externalIP
+				if err := json.Unmarshal(v, &extip); err == nil && extip.IP != "" {
+					return extip.IP
+				}
+				return ""
+			},
+		},
+	}
+
+	client := http.Client{
+		Timeout: 3 * time.Second,
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		},
+	}
+	for _, site := range sites {
+		resp, err := client.Get(site.url)
+		if err != nil {
+			log.Warnf("failed to get external ip from %s, %v", site.url, err)
+			continue
+		}
+
+		respBytes, readErr := io.ReadAll(resp.Body)
+		resp.Body.Close()
+		if readErr != nil {
+			log.Warnf("failed to read response from %s, %v", site.url, readErr)
+			continue
+		}
+
+		ipStr := site.unmarshalFunc(respBytes)
+		ip := net.ParseIP(ipStr)
+		if ip != nil && ip.To4() != nil && !ip.IsLoopback() && !ip.IsMulticast() {
+			return ipStr
 		}
 	}

--- a/daemon/pkg/utils/drivers_linux.go
+++ b/daemon/pkg/utils/drivers_linux.go
@@ -5,6 +5,7 @@ package utils

 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net"
@@ -277,7 +278,17 @@ func MountUsbDevice(ctx context.Context, mountBaseDir string, dev []storageDevic
 			continue
 		}

-		if err = mounter.Mount(d.DevPath, mkMountDir, "", []string{"uid=1000", "gid=1000"}); err != nil {
+		options := []string{}
+		fsType, err := getFsTypeOfDevice(ctx, d.DevPath)
+		if err != nil {
+			klog.Warning("get fs type of device error, ", err, ", ", d.DevPath)
+		} else {
+			if strings.Contains(fsType, "FAT") || strings.Contains(fsType, "NTFS") {
+				options = append(options, "uid=1000", "gid=1000")
+			}
+		}
+
+		if err = mounter.Mount(d.DevPath, mkMountDir, "", options); err != nil {
 			klog.Warning("mount usb error, ", err, ", ", d.DevPath, ", ", mkMountDir)
 			// clear the empty mount dir
 			// do not use remove all, only remove the mount point path, assume it's an empty dir
@@ -692,3 +703,35 @@ func isDeviceExists(devicePath string) bool {
 	_, err := os.Stat(devicePath)
 	return !os.IsNotExist(err)
 }
+
+func getFsTypeOfDevice(ctx context.Context, devicePath string) (string, error) {
+	// output format
+	// {
+	// "blockdevices": [
+	// 	{
+	// 		"fstype": "ext4"
+	// 	}
+	// ]
+	// }
+	cmd := exec.CommandContext(ctx, "lsblk", "-f", devicePath, "-o", "fstype", "-J")
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return "", err
+	}
+
+	var result struct {
+		BlockDevices []struct {
+			FsType string `json:"fstype"`
+		} `json:"blockdevices"`
+	}
+
+	if err := json.Unmarshal(output, &result); err != nil {
+		return "", err
+	}
+
+	if len(result.BlockDevices) == 0 {
+		return "", fmt.Errorf("no block devices found for %s", devicePath)
+	}
+
+	return result.BlockDevices[0].FsType, nil
+}
--- a/docs/.vitepress/en.ts
+++ b/docs/.vitepress/en.ts
@@ -45,6 +45,10 @@ const side = {
              text: "Missing apps in Market",
              link: "/manual/help/ts-missing-apps",
            },
+            {
+              text: "LarePass VPN not working",
+              link: "/manual/help/ts-larepass-vpn-not-working",
+            },
          ],
        },
      ],
--- a/docs/.vitepress/one.en.ts
+++ b/docs/.vitepress/one.en.ts
@@ -216,23 +216,23 @@ export const oneSidebar: DefaultTheme.Sidebar = {
          link: "/one/update",
        },
        {
-          text: "Back up & restore",
+          text: "Back up & restore data",
          link: "/one/backup-resotre",
        },
        {
-          text: "Factory reset",
+          text: "Restore Olares One",
          collapsed: true,
          items: [
            {
-              text: "Using LarePass",
+              text: "Factory reset",
              link: "/one/factory-reset",
            },
            {
-              text: "In BIOS",
+              text: "Restore BIOS defaults",
              link: "/one/factory-reset-in-bios",
            },
            {
-              text: "Using bootable USB",
+              text: "Reinstall Olares OS",
              link: "/one/create-drive",
            },
          ],
--- a/docs/.vitepress/one.zh.ts
+++ b/docs/.vitepress/one.zh.ts
@@ -216,23 +216,23 @@ export const oneSidebar: DefaultTheme.Sidebar = {
          link: "/zh/one/update",
        },
        {
-          text: "Back up & restore",
+          text: "Back up & restore data",
          link: "/zh/one/backup-resotre",
        },
        {
-          text: "Factory reset",
+          text: "Restore Olares One",
          collapsed: true,
          items: [
            {
-              text: "Using LarePass",
+              text: "Factory reset",
              link: "/zh/one/factory-reset",
            },
            {
-              text: "In BIOS",
+              text: "Restore BIOS defaults",
              link: "/zh/one/factory-reset-in-bios",
            },
            {
-              text: "Using bootable USB",
+              text: "Reinstall Olares OS",
              link: "/zh/one/create-drive",
            },
          ],
--- a/docs/.vitepress/zh.ts
+++ b/docs/.vitepress/zh.ts
@@ -43,6 +43,10 @@ const side = {
            {
              text: "应用市场应用缺失",
              link: "/zh/manual/help/ts-missing-apps",
+            },
+            {
+              text: "LarePass VPN 无法使用",
+              link: "/zh/manual/help/ts-larepass-vpn-not-working",
            }
          ],
        },
--- a/docs/developer/develop/package/manifest.md
+++ b/docs/developer/develop/package/manifest.md
@@ -7,7 +7,15 @@ outline: [2, 3]
 Every **Olares Application Chart** should include an `OlaresManifest.yaml` file in the root directory. `OlaresManifest.yaml` provides all the essential information about an Olares App. Both the **Olares Market protocol** and the Olares depend on this information to distribute and install applications.

 :::info NOTE
-Latest Olares Manifest version: `0.10.0`
+Latest Olares Manifest version: `0.11.0`
+- Removed deprecated fields of sysData
+- Updated the example of shared app
+- Added the apiVersion
+- Added the sharedEntrance section
+
+:::
+:::details Changelog
+`0.10.0`
 - Modified the `categories` field
 - Added the `provider` field in the Permission section
 - Added the Provider section, to allow apps to expose specific service interfaces within the cluster
@@ -15,8 +23,7 @@ Latest Olares Manifest version: `0.10.0`
 - Removed some deprecated fields from the Option section
 - Added the `allowMultipleInstall` field, allowing the app to be installed as multiple independent instances
 - Added the Envs section, to define environment variables required by the application
-:::
-:::details Changelog
+
 `0.9.0`
 - Added a `conflict` field in `options` to declare incompatible applications
 - Removed `analytics` field in `options`
@@ -82,7 +89,7 @@ spec:
  website: https://link.to.your.website
  sourceCode: https://link.to.sourceCode
  submitter: Submitter's Name
-  language:
+  locale:
  - en
  doc: https://link.to.documents
  supportArch:
@@ -130,6 +137,13 @@ olaresManifest.version: 1.1.0
 olaresManifest.version: '2.2'
 olaresManifest.version: "3.0.122"
 ```
+## apiVersion
+- Type: `string`
+- Optional
+- Accepted Value: `v1`,`v2`
+- Default: `v1`
+
+For shared applications, use version `v2`, which supports multiple subcharts in a single OAC. For other applications, use `v1`.

 ## Metadata

@@ -152,7 +166,7 @@ metadata:
 ### name

 - Type: `string`
- Accepted Value: `[a-z][a-z0-9]?`
+- Accepted Value: `^[a-z][a-z0-9]{0,29}$`

 App’s namespace in Olares, lowercase alphanumeric characters only. It can be up to 30 characters, and needs to be consistent with `FolderName` and `name` field in `Chart.yaml`.

@@ -160,7 +174,7 @@ App’s namespace in Olares, lowercase alphanumeric characters only. It can be u

 - Type: `string`

-The title of your app title shown in the Olares Market.  Must be within `30` characters.
+The title of your app shown in the Olares Market. Must be within `30` characters.

 ### description

@@ -189,8 +203,7 @@ The **Chart Version** of the application. It should be incremented each time the
 Used to display your app on different category page in Olares Market.

 Accepted Value for OS 1.11:
-
-`Blockchain`, `Utilities`, `Social Network`, `Entertainment`, `Productivity`
+- `Blockchain`, `Utilities`, `Social Network`, `Entertainment`, `Productivity`

 Accepted Value for OS 1.12: 
 - `Creativity`
@@ -201,14 +214,13 @@ Accepted Value for OS 1.12:
 - `Utilities_v112` (displayed as Utilities)
 - `AI`

-
 :::info NOTE
 Olares Market categories were updated in OS 1.12.0. To ensure your app is compatible with both versions 1.11 and 1.12, include category values for both versions in your configuration.
 :::

 ## Entrances

-The number of entrances through which to access the app.  You must specify at least 1 access method, with a maximum of 10 allowed.
+The entrances (up to 10) that users can use to access the app. At least 1 is required.

 :::info Example
 ```yaml
@@ -322,6 +334,24 @@ To ensure a seamless user experience, you can enable this option by setting it t
 ```
 :::

+
+## sharedEntrances
+
+A shared entrance is an internal address provided by a shared application for other applications within the cluster to access. The field configuration for shared entrances is basically the same as for regular entrances. A typical shared entrance configuration is shown below.
+
+:::info Example
+```yaml
+sharedEntrances:
+  - name: ollamav2
+    host: sharedentrances-ollama
+    port: 0
+    title: Ollama API
+    icon: https://app.cdn.olares.com/appstore/ollama/icon.png
+    invisible: true
+    authLevel: internal
+```
+:::
+
 ## Ports

 Specify exposed ports
@@ -338,15 +368,50 @@ ports:
 ```
 :::

+### exposePort
+- Type: `int`
+- Optional
+- Accepted Value: `0-65535`, except reserved ports `22`, `80`, `81`, `443`, `444`, `2379`, `18088`.
+
 Olares will expose the ports you specify for an application, which are accessible via the application domain name in the local network, for example: `84864c1f.your_olares_id.olares.com:46879`. For each port you expose, Olares configures both TCP and UDP with the same port number.

-When the `addToTailscaleAcl` field is set to `true`, the system will automatically assign a random port and add it to the Tailscale ACLs.
-
-
 :::info NOTE
 The exposed ports can only be accessed on the local network or through a VPN.
 :::

+### protocol
+- Type: `string`
+- Optional
+- Accepted Value: `udp`, `tcp`
+
+The protocol used for the exposed port. If specified, Olares exposes only the specified protocol. If omitted, Olares exposes both UDP and TCP by default.
+
+### addToTailscaleAcl
+- Type: `boolean`
+- Optional
+- Default: `false`
+
+When the `addToTailscaleAcl` field is set to `true`, the system will automatically assign a random port and add it to the Tailscale ACLs.
+
+## Tailscale
+- Type: `map`
+- Optional
+
+Allow applications to add Access Control Lists (ACL) in Tailscale to open specified ports.
+
+:::info Example
+```yaml
+tailscale:
+  acls:
+  - proto: tcp
+    dst:
+    - "*:46879"
+  - proto: "" # Optional. If not specified, all supported protocols will be allowed.
+    dst:
+    -  "*:4557"    
+```
+:::
+
 ## Permission

 :::info Example
@@ -380,51 +445,6 @@ Whether the app requires read and write permission to the `Data` folder. If `.Va

 Whether the app requires read and write permission to user's `Home` folder. List all directories that the application needs to access under the user's `Home`. All `userData` directory configured in the deployment YAML, must be included here.

-### sysData
-
- Type: `list<map>`
- Optional
-
-Declare the list of APIs that this app needs to access.
-
-:::info NOTE
-This configuration has been deprecated since version 1.12.0.
-:::
-
-:::info Example
-```yaml
-  sysData:
-  - group: service.bfl
-    dataType: app
-    version: v1
-    ops:
-    - InstallDevApp
-  - dataType: legacy_prowlarr
-    appName: prowlarr
-    port: 9696
-    group: api.prowlarr
-    version: v2
-    ops:
-    - All
-```
-:::
-
-All system API [providers](../advanced/provider.md) are list below:
-| Group | version | dataType | ops |
-| ----------- | ----------- | ----------- | ----------- |
-| service.appstore | v1 | app | InstallDevApp, UninstallDevApp
-| message-dispatcher.system-server | v1 | event | Create, List
-| service.desktop | v1 | ai_message | AIMessage
-| service.did | v1 | did | ResolveByDID, ResolveByName, Verify
-| api.intent | v1 | legacy_api | POST
-| service.intent | v1 | intent | RegisterIntentFilter, UnregisterIntentFilter, SendIntent, QueryIntent, ListDefaultChoice, CreateDefaultChoice, RemoveDefaultChoice, ReplaceDefaultChoice
-| service.message | v1 | message | GetContactLogs, GetMessages, Message
-| service.notification | v1 | message | Create
-| service.notification | v1 | token | Create
-| service.search | v1 | search | Input, Delete, InputRSS, DeleteRSS, QueryRSS, QuestionAI
-| secret.infisical | v1 | secret | CreateSecret, RetrieveSecret
-| secret.vault | v1 | key | List, Info, Sign
-
 ### provider

 - Type: `list<map>`
@@ -461,25 +481,6 @@ provider:
 ```
 :::

-## Tailscale
- Type: `map`
- Optional
-
-Allow applications to add Access Control Lists (ACL) in Tailscale to open specified ports.
-
-:::info Example
-```yaml
-tailscale:
-  acls:
-  - proto: tcp
-    dst:
-    - "*:46879"
-  - proto: "" # Optional. If not specified, all supported protocols will be allowed.
-    dst:
-    -  "*:4557"    
-```
-:::
-
 ## Spec
 Additional information about the application, primarily used for display in the Olares Market.

@@ -607,7 +608,7 @@ When set to `true`, Olares forces the application to run under user ID `1000` (a
 - Type: `map`
 - Optional

-The Olares provides highly available middleware services. Developers do not need to install middleware repeatedly. Just simply add required middleware here, You can then directly use the corresponding middleware information in the application's deployment YAML file.
+Olares provides highly available middleware services. Developers do not need to install middleware repeatedly. Add the required middleware here, then use the corresponding middleware values in the application's deployment YAML file.

 Use the `scripts` field to specify scripts that should be executed after the database is created. Additionally, use the `extension` field to add the corresponding extension in the  database.

@@ -803,10 +804,10 @@ Use the middleware information in deployment YAML

 ## Options

-Configure system-related options here.
+Configure Olares OS related options here.

 ### policies
- Type: `map`
+- Type: `list<map>`
 - Optional

 Define detailed access control for subdomains of the app.
@@ -823,38 +824,35 @@ options:
 ```
 :::

-### clusterScoped
+### appScope
 - Type: `map`
 - Optional

-Whether this app is installed for all users in an Olares cluster.
+Specifies whether the app should be installed for all users in the Olares cluster. For shared apps, set `clusterScoped` to `true` and provide the current app's name in the `appRef` field.

-:::info Example For Server
+:::info Example of ollamav2
 ```yaml
 metadata:
-  name: gitlab
+  name: ollamav2
 options:
  appScope:
+  {{- if and .Values.admin .Values.bfl.username (eq .Values.admin .Values.bfl.username) }}  # Only the administrator installs the shared service
    clusterScoped: true
    appRef:
-      - gitlabclienta #app name of clients
-      - gitlabclientb
-```
-:::
-
-:::info Example For Client
-```yaml
-metadata:
-  name: gitlabclienta
-options:
+      - ollamav2 # the name of current app specified in metadata.name
+  {{- else }}
+    clusterScoped: false
+  {{- end }}
  dependencies:
    - name: olares
-      version: ">=0.3.6-0"
+      version: '>=1.12.3-0'
      type: system
-    - name: gitlab #app name of server
-      version: ">=0.0.1"
+  {{- if and .Values.admin .Values.bfl.username (eq .Values.admin .Values.bfl.username) }}
+  {{- else }}
      type: application
-      mandatory: true
+      version: '>=1.0.1'
+      mandatory: true   # Other users install the client, depend on the shared service installed by the admin
+  {{- end }}
 ```
 :::

@@ -880,6 +878,24 @@ options:
 ```
 :::

+### conflicts
+- Type: `list<map>`
+- Optional
+
+List other applications that conflict with this app here. Conflicting apps must be uninstalled before this app can be installed.
+
+:::info Example
+```yaml
+options:
+  conflicts:
+  - name: comfyui
+    type: application
+  - name: comfyuiclient
+    type: application  
+```
+:::
+
+
 ### mobileSupported
 - Type: `boolean`
 - Default: `false`
@@ -927,9 +943,8 @@ apiTimeout: 0
 :::


-
 ### allowedOutboundPorts
- Type: `map`
+- Type: `list<int>`
 - Optional

 The specified ports will be opened to allow external access via non-HTTP protocols, such as SMTP.
@@ -1027,4 +1042,4 @@ provider:
  paths: ["/api*"]       # API paths to expose; cannot consist of * only
  verbs: ["*"]           # Supported: post, get, put, delete, patch; "*" allows all methods
 ```
-:::
+:::
--- a/docs/manual/best-practices/local-access.md
+++ b/docs/manual/best-practices/local-access.md
@@ -187,6 +187,6 @@ If the IP address starts with `192.168`, it indicates successful configuration.

 ## FAQs

-<!--@include: ../../reusables/larepass-vpn.md{50,75}-->
+<!--@include: ../../reusables/larepass-vpn.md{50,57}-->

 <!--@include: ../../reusables/local-domain.md{42,75}-->
--- a/docs/manual/get-started/local-access.md
+++ b/docs/manual/get-started/local-access.md
@@ -39,7 +39,7 @@ No setup is needed. Use the local URL in your browser (for example, `http://desk

 ### FAQs

-<!--@include: ../../reusables/larepass-vpn.md{50,75}-->
+<!--@include: ../../reusables/larepass-vpn.md{50,57}-->

 <!--@include: ../../reusables/local-domain.md{42,75}-->

--- a/docs/manual/help/ts-larepass-vpn-not-working.md
+++ b/docs/manual/help/ts-larepass-vpn-not-working.md
@@ -0,0 +1,65 @@
+---
+outline: [2, 3]
+description: Troubleshoot LarePass VPN not working on macOS or Windows.
+---
+
+# LarePass VPN not working
+
+Use this guide when the LarePass VPN toggle does nothing, the VPN stays stuck in "connecting", or a previously working VPN connection suddenly stops on macOS or Windows.
+
+## Condition
+
+**macOS** 
+- Clicking the VPN toggle in the LarePass desktop client does nothing, or the VPN status stays stuck in "connecting".
+- LarePass VPN used to work on this device but now fails to connect or drops immediately.
+**Windows** 
+- Clicking the VPN toggle in the LarePass desktop client does nothing, or the VPN cannot be enabled.
+
+## Cause
+
+-  **macOS**: LarePass VPN requires both a system-level network extension and a VPN configuration to be fully set up. If you skipped or did not complete either step during the initial setup prompt, or if the network extension has become stuck or corrupted, macOS will block LarePass from creating the VPN tunnel.
+
+- **Windows**: Third-party antivirus or security software may mistakenly flag the LarePass desktop client as suspicious, preventing the VPN service from starting.
+
+## Solution
+
+### macOS
+
+Reset the network extension and complete the full setup flow to restore the VPN.
+
+:::info
+Depending on your macOS version, the UI might look slightly different.
+:::
+
+1. Open **System Settings**, search for "Extension", and select **Extensions**.
+2. Scroll to the **Network Extensions** section and click <span class="material-symbols-outlined">info</span> to view loaded extensions.
+   ![Network Extensions section in System Settings](/images/manual/help/ts-vpn-network-extensions.png#bordered){width=70%}
+
+3. Find **LarePass**, click the three dots (**...**), and select **Delete Extension**.
+4. Confirm the uninstallation.
+5. Restart your Mac.
+6. Open the LarePass desktop client and re-enable the VPN.
+7. Complete the system prompts to restore the extension and VPN configuration:
+
+   a. When macOS prompts to add the LarePass network extension, click **Open System Settings**.
+   ![Prompt to add LarePass network extension](/images/manual/help/ts-vpn-add-network-extension.png#bordered){width=40%}
+
+   b. Toggle on **LarePass**.
+   ![Toggle on LarePass network extension](/images/manual/help/ts-vpn-toggle-on-network-extension.png#bordered){width=70%}
+
+   c. When prompted to add VPN configurations, click **Allow**.
+   ![Prompt to add VPN configuration](/images/manual/help/ts-vpn-add-vpn-configuration.png#bordered){width=40%}
+
+### Windows
+
+:::info LarePass blocked on first launch
+If your antivirus blocked LarePass when you first opened it after installation, allow the app in your security software before following the steps below.
+:::
+
+1. In your antivirus or security software, open the **Allowlist**, **Exclusions**, or **Exceptions** settings.
+2. Add the main LarePass executable or installation directory to the allowlist. Common locations include:
+   - `C:\Users\<your-username>\AppData\Local\LarePass\`
+   - `C:\Program Files\LarePass\`
+3. Apply the changes and restart your antivirus or security software if required.
+4. Quit and reopen the LarePass desktop client.
+5. Try enabling **VPN connection** again from within LarePass.
--- a/docs/manual/larepass/create-account.md
+++ b/docs/manual/larepass/create-account.md
@@ -65,13 +65,38 @@ Upon completion, you will receive an Organization Olares ID.
 </template>
 </Tabs>

-## Import an existing account
+## Import an account

-You can also set up an account by importing an existing Olares ID:
+You can import an existing Olares ID to LarePass using its 12-word mnemonic phrase to access your Olares services on a new device or another LarePass client.

 :::tip Back up mnemonic phrase
-You must have already [backed up the mnemonic phrase](back-up-mnemonics.md) for the Olares ID to import.
+Make sure you have already [backed up the mnemonic phrase](back-up-mnemonics.md) for the Olares ID to import.
 :::

-1. In LarePass app, tap **Import an account**.
-2. Enter the 12-word mnemonic phrase to import your Olares ID.
+<Tabs>
+<template #iOS-&-Android>
+
+1. Open the LarePass app.
+2. Tap your profile avatar.
+3. On the Switch account page, tap **Add a new account** at the bottom. 
+4. Tap **Import an account**.
+5. Enter the 12-word mnemonic phrase for your Olares ID.
+
+</template>
+<template #macOS-&-Windows>
+
+1. Open the LarePass desktop client.
+2. Click your profile avatar.
+3. Click **Switch account**.
+4. Click **Add a new account** at the bottom.
+5. Enter the 12-word mnemonic phrase for your Olares ID.
+
+</template>
+<template #Chrome-extension>
+
+1. Open the LarePass extension in Chrome.
+2. Click the options icon above your profile avatar.
+3. Click **Add a new account**.
+4. Enter the 12-word mnemonic phrase for your Olares ID.
+</template>
+</Tabs>
--- a/docs/manual/larepass/index.md
+++ b/docs/manual/larepass/index.md
@@ -9,37 +9,46 @@ LarePass is the official cross-platform client software for Olares. It acts as a

 ![LarePass](/images/manual/larepass/larepass.png)

-
 ## Key features
+- Account and identity management
+- Secure file access and sync
+- Device and network management
+- Password and secret management
+- Knowledge collection

-### Account & identity management
-Create and manage your Olares ID, connect integrations with other services, and back up your credentials securely.
- [Create an Olares ID](create-account.md)
- [Back up mnemonics](back-up-mnemonics.md)
- [Set or reset local password](back-up-mnemonics.md#set-up-local-password)
- [Manage integrations](integrations.md)
+## Download LarePass

-### Secure file access & sync
- [Manage files with LarePass](manage-files.md)
+### iOS
+Visit the [App Store product page](https://apps.apple.com/us/app/larepass/id6448082605) to download LarePass.

-### Device & network management
-Activate and manage Olares devices, and securely connect to Olares via LarePass VPN.
- [Activate your Olares device](activate-olares.md)
- [Upgrade Olares](manage-olares.md#upgrade-olares)
- [Log in to Olares with 2FA](activate-olares.md#two-factor-verification-with-larepass)
- [Manage Olares](manage-olares.md)
- [Switch networks](manage-olares.md#switch-from-wired-to-wireless-network)
- [Enable VPN for remote access](private-network.md)
+### Android
+Visit the [Google Play product page](https://play.google.com/store/apps/details?id=com.terminus.termipass), or download the latest APK directly from the [LarePass website](https://www.olares.com/larepass).

-### Password & secret management
-Use Vault to autofill credentials, store passwords, and generate 2FA codes across devices.
- [Autofill passwords](/manual/larepass/autofill.md)
- [Generate 2FA codes](/manual/larepass/two-factor-verification.md)
+### macOS & Windows
+Download the latest desktop client from the [LarePass website](https://www.olares.com/larepass).

-### Knowledge collection
-Use LarePass to collect web content and follow RSS feeds.
- [Collect content via LarePass extension](manage-knowledge.md#collect-content-via-the-larepass-extension)
- [Subscribe to RSS feeds](manage-knowledge.md#subscribe-to-rss-feeds)
+### Chrome extension
+
+The LarePass extension allows you to collect content and manage passwords directly from your browser. It currently supports Google Chrome only and must be installed manually.
+
+:::warning Keep the extension folder
+Your browser loads the extension from the folder you select. If you delete, move, or rename that folder, the extension will stop working.  
+Extract the ZIP file to a permanent location, such as a folder under your user directory, rather than a temporary directory.
+:::
+
+1. Visit the [LarePass website](https://www.olares.com/larepass) and download the extension ZIP file.
+2. Extract the ZIP file to a permanent folder on your computer.
+3. In Chrome, go to `chrome://extensions/`.
+4. Enable **Developer mode** in the top-right corner.
+5. Click **Load unpacked** and select the extracted extension folder.
+
+:::tip Quick access
+After installation, click the puzzle icon in your browser toolbar and pin the LarePass extension for one-click access.
+:::
+
+## Set up account 
+- On mobile devices, you can [create an Olares ID](/manual/larepass/create-account.md#create-an-olares-id) directly in the app.
+- On the desktop client or Chrome extension, you must [import an Olares account](/manual/larepass/create-account.md#import-an-account).

 ## Feature comparison

@@ -180,39 +189,3 @@ Use LarePass to collect web content and follow RSS feeds.
    </tr>
  </tbody>
 </table>
-
-
-## Download and install LarePass
-
-Get the latest version for your device at the [LarePass website](https://www.olares.com/larepass).
-
-### Install the LarePass browser extension
-
-<tabs>
-<template #Install-from-Chrome-Web-Store>
-
-1. Search for **LarePass** in the [Chrome Web Store](https://chrome.google.com/webstore).
-2. Open the details page and click **Add to Chrome**.
-3. Log into the LarePass extension by importing your Olares ID:
-   - Open the LarePass extension, and click **Import an account**.
-   - Enter the mnemonics for your Olares ID.
-   - Enter your Olares password to complete login.
-
-</template>
-
-<template #Install-offline>
-
-1. Visit [https://www.olares.com/larepass](https://www.olares.com/larepass) and download the extension ZIP file.
-2. Go to `chrome://extensions/` in your browser.
-3. Enable **Developer mode** in the top-right corner.
-4. Click **Load unpacked** and select the extracted LarePass extension folder.
-5. Log in:
-   - Open the LarePass extension, and click **Import an account**.
-   - Enter the mnemonics for your Olares ID.
-   - Enter your Olares password to complete login.
-</template>
-</tabs>
-
-  :::tip Quick access
-  After installation, pin the LarePass extension from Chrome’s extension menu for one-click access.
-  :::
--- a/docs/manual/olares/desktop.md
+++ b/docs/manual/olares/desktop.md
@@ -1,53 +1,53 @@
 # Get familiar with Desktop

-The Desktop application serves as the primary interface for user interaction with the Olares system. It offers an intuitive and efficient way to manage and utilize both built-in system applications and those you install.
+Desktop is the primary interface for interacting with Olares. From here, you can open and manage built-in system apps as well as the apps you install.

-## Desktop concepts
+## Desktop basics

-![Desktp[]](/images/manual/olares/desktop.png)
+![Desktop](/images/manual/olares/desktop.png#bordered)

-### Dock & Launchpad
+### Dock

-* **Dock:** An application quick-launch bar located on the side of the screen.
-* **Launchpad:** Accessed by clicking the "Launchpad" icon on the Dock, it displays all installed applications.
+The Dock is an application quick-launch bar on the left side of the screen. Use it to open frequently used apps and access key Desktop features.
+
+### Launchpad
+
+Launchpad shows all installed applications. Click the Launchpad icon in the Dock to open it.

 ### Application windows

-* Applications open in "window" mode by default.
-* Windows support standard operations: dragging, resizing, minimizing, maximizing, and closing.
-* **Search:** Enables quick application launching, file searching, and more.
+By default, applications open in window mode as an embedded page within Desktop. You can manage windows like you would on a standard computer:

-## Use the Launchpad
+- Drag the title bar to move the window.
+- Drag the window edges to resize it.
+- Minimize, maximize, or close the window.
+- Click <i class="material-symbols-outlined">open_in_new</i> to open the app in a new browser tab.

-From the Launchpad, you can:
+:::info
+Some applications only support opening in a browser tab.
+:::

-* View all installed applications.
-* Click an application icon to open it.
-* Drag icons to reorder them within the Launchpad.
-* Drag an icon to the Dock for quick access.
+### Search and notifications
+
+- **Search**: Quickly launch applications and find supported content across Olares.
+- **Notifications**: Click the notification icon to view system and application notifications.
+
+## Use Launchpad
+
+From Launchpad, you can:
+
+- View all installed applications.
+- Click an application icon to open it.
+- Drag icons to reorder them within Launchpad.
+- Drag an icon to the Dock for quick access.

 ### Uninstall applications

-1. Press and hold an application icon to enter the editing mode.
-2. If an "X" appears in the top-right corner of the application icon, click it to delete the application.
+1. Press and hold an application icon to enter editing mode.
+2. If a <i class="material-symbols-outlined">close_small</i> icon appears in the top-left corner of the app icon, click it to uninstall the application.

-::: tip Note
-Built-in system applications such as Files, Market, and Profile cannot be uninstalled.
-:::
-
-### Control application windows
-
-You can access applications via two modes.
-
-By default, applications open in "window" mode, which is an iframe page embedded within the desktop. You can manipulate these windows much like standard computer windows:
-
-* Drag the title bar to move the window.
-* Drag the window's edges to resize it.
-* Minimize, maximize, or close the window.
-* Click the <i class="material-symbols-outlined">open_in_new</i> button to open the application in a new browser tab.
-
-::: tip Note
-Some applications only support opening in a tabbed view.
+:::info
+Built-in system applications such as Files, Market, and Settings cannot be uninstalled.
 :::

 ## Search within Olares
--- a/docs/manual/olares/wise/basics.md
+++ b/docs/manual/olares/wise/basics.md
@@ -15,9 +15,10 @@ To unlock the full potential of Wise, it is recommended to install the following

 - **Rss Subscribe**: Use it to subscribe to RSS feeds directly while browsing web pages.
 - **YT-DLP**: Use it to download audio and video from supported web pages into Wise.
+- **Twitter/X plugin**: Use it to save posts and download attached files from Twitter/X into Wise.

 :::tip 
-Wise works without these apps, but in-browser subscription and media download will be unavailable until you install them.
+Wise works without these apps, but some features require them, such as in-browser subscriptions, media downloads, and Twitter/X link recognition and saving.
 :::

 ## Build your library
@@ -40,6 +41,10 @@ Import files directly from your computer, including PDFs, EPUBs, audio, video, a

 1. Click <i class="material-symbols-outlined">add_circle</i> in the bottom-left menu bar, and select **Upload**.
 2. Select one or more files from your local computer.
+    :::tip 
+    You can also drag and drop files into the Wise interface.
+    :::
+3. In the Upload files window, select the destination folder, then click **Confirm**.

 #### Add items via link

@@ -52,11 +57,16 @@ If a link requires login or other access control, Wise may need cookies to fetch
 1. Click <i class="material-symbols-outlined">add_circle</i> in the bottom-left menu bar, and select **Add Link**.
 2. Paste or type a URL.

-    Wise analyzes the link and lists all actions available:
-    - **Save to library**: The content will be saved as an item in your library and added to **Inbox**.
+    Wise analyzes the link and lists all the available actions:
+    - **Save to library**: The content will be saved as an item in your library and added to **Inbox**. Twitter/X posts are supported when the Twitter/X plugin is installed.
    - **Subscribe to RSS feed**: If Wise detects one or more RSS feeds for the site, they will be listed here. Select the feed you want to follow, and new items from that feed will be automatically [added to **Feeds**](./subscribe).
    ![Subscribe to RSS feed](/images/manual/olares/wise-add-link-subscribe.png#bordered){width=300}
-    - **Download file**: If Wise detects videos or other downloadable files on the page, this option will appear. Select the file you want to download to save it for offline access. **[YT-DLP](https://market.olares.com/app/market.olares/ytdlp)** is required.
+    - **Download file**: If Wise detects downloadable media (such as audio, video, or attached files in Twitter/X posts), this option will appear. Select the file you want to download to save it for offline access. 
+        :::tip Install helper services
+        Some downloads require helper services: 
+        - [YT-DLP](https://market.olares.com/app/market.olares/ytdlp) is commonly used to download audio or video from supported pages when downloadable media is available.
+        - [Twitter/X plugin](https://market.olares.com/app/market.olares/twitter) is required to download attached files from Twitter/X posts.
+        :::
    ![Download files](/images/manual/olares/wise-add-link-download.png#bordered){width=300}

 Newly saved items will appear under their content type.
@@ -72,22 +82,23 @@ You can also save content to Wise directly from your browser using the [LarePass

 Items saved via LarePass are added to your Wise library and appear in the main **Inbox** folder and under the appropriate content type.

-### Monitor and manage media downloads
+### Monitor and manage file tasks

-When you add new audio or video content, Wise automatically creates download tasks and save media files to Olares. This:
+Wise tracks background transfer tasks in two lists:

- Ensures your media is available offline.
- Protects your library if the original source is removed. 
- Makes it faster to open and play items.
+- **Download list**: Created when you add downloadable media. Wise downloads the files to Olares so you can access them offline.
+- **Upload list**: Created when you upload local files into Wise. Wise tracks the upload progress and results.

-To manage all download tasks:
+To manage transfer tasks:

-1. Go to **<i class="material-symbols-outlined">settings</i> Settings** > **Transmission** > **Download**.
-2. Review the list of media downloads and their status.
-3. You can:
-
-    - Click <i class="material-symbols-outlined">folder_open</i> to locate a downloaded file in Files.
-    - Click <i class="material-symbols-outlined">do_not_disturb_on</i> to remove it from the list.
+1. Go to **<i class="material-symbols-outlined">settings</i> Settings** > **Download list** or **Upload list**.
+2. Use the tabs to filter tasks: 
+    - Download list tabs: **All**, **Downloading**, **Completed**, **Failed**
+    - Upload list tabs: **All**, **Uploading**, **Completed**, **Failed**.
+3. Review the task list and status.
+4. You can:
+   - Click <i class="material-symbols-outlined">folder_open</i> to locate the transferred file in Files.
+   - Click <i class="material-symbols-outlined">do_not_disturb_on</i> to remove it from the list.

 ## Use reading tools

--- a/docs/manual/olares/wise/manage-cookies.md
+++ b/docs/manual/olares/wise/manage-cookies.md
@@ -5,9 +5,9 @@ description: Manage cookies for Wise so it can access protected websites and fee

 # Manage cookies for Wise

-Some websites require a login to access their content. To allow Wise to fetch content from these protected sources, you may need to upload cookies so it can authenticate the connection.
+Some websites require you to log in to access their content. To allow Wise to fetch content from these protected sources, you may need to upload cookies so Wise can authenticate its requests.

-This grants Wise permission to pass login checks, ensuring that features like **Save to library** or **Subscribe to RSS feed** work securely on restricted sites.
+This allows Wise to authenticate access, ensuring that features like **Save to library**, **Subscribe to RSS feed** and **Download file** work securely on restricted sites.

 This guide explains how to manage cookies in Olares for Wise.

--- a/docs/one/access-olares-via-vpn.md
+++ b/docs/one/access-olares-via-vpn.md
@@ -34,4 +34,4 @@ While this address works from anywhere, it's recommended to enable the LarePass

 ## Troubleshooting

-<!--@include: ../reusables/larepass-vpn.md{50,74}-->
+<!--@include: ../reusables/larepass-vpn.md{50,57}-->
--- a/docs/one/create-drive.md
+++ b/docs/one/create-drive.md
@@ -1,15 +1,15 @@
 ---
 outline: [2, 3]
-description: Reinstall Olares OS on Olares One using a bootable USB to restore the device to factory state.
+description: Reinstall Olares OS on Olares One using a bootable USB drive to restore the device to a clean initial state.
 head:
  - - meta
    - name: keywords
-      content: Olares One, reinstall, factory reset, bootable USB, installation USB
+      content: Olares One, reinstall, Olares OS, bootable USB, installation USB
 ---

-# Reset to factory settings using installation USB <Badge type="tip" text="15 min"/>
+# Reinstall Olares OS using bootable USB <Badge type="tip" text="15 min"/>

-Resetting to factory settings returns your Olares One to the initial setup state. You can reinstall Olares OS using the bootable USB drive included with Olares One.
+Reinstalling Olares OS returns your Olares One to a clean initial state. You can do this using the bootable USB drive included with Olares One.

 :::warning Data loss
 This will permanently delete all accounts, settings, and data on the device. This action cannot be undone.
@@ -18,6 +18,9 @@ This will permanently delete all accounts, settings, and data on the device. Thi
 ## Prerequisites
 **Hardware**<br>
 - The bootable USB drive that came with Olares One.
+   :::tip Don't have the USB drive?
+   Download the [Olares One ISO](https://cdn.olares.com/one/v1.12.4-amd64.iso), which is device-specific and different from the standard Olares ISO, and flash it to a USB drive (8 GB or larger) using a tool such as [Balena Etcher](https://etcher.balena.io/).
+   :::
 - A monitor and keyboard connected to Olares One.

 ## Step 1: Boot from the USB drive
--- a/docs/one/factory-reset-in-bios.md
+++ b/docs/one/factory-reset-in-bios.md
@@ -1,14 +1,14 @@
 ---
 outline: [2, 3]
-description: Learn how to restore your Olares One to factory settings in BIOS.
+description: Learn how to restore BIOS defaults on Olares One to return the device to its initial setup state.
 head:
  - - meta
    - name: keywords
-      content: Factory reset, Olares One, BIOS
+      content: Olares One, BIOS defaults, restore, BIOS setup
 ---
-# Reset to factory settings in BIOS <Badge type="tip" text="10 min" />
+# Restore BIOS defaults <Badge type="tip" text="10 min" />

-Resetting to factory settings returns your Olares One to its initial setup state. If you have a monitor and keyboard connected, you can perform this reset directly in BIOS instead of using LarePass.
+Restoring BIOS defaults resets the firmware configuration and returns your Olares One to its initial setup state. If you have a monitor and keyboard connected, you can perform this directly in BIOS.

 :::warning Data loss
 This will permanently delete all accounts, settings, and data on the device. This action cannot be undone.
--- a/docs/one/factory-reset.md
+++ b/docs/one/factory-reset.md
@@ -1,12 +1,12 @@
 ---
 outline: [2, 3]
-description: Learn how to restore your Olares One to factory settings using LarePass.
+description: Learn how to factory reset your Olares One using LarePass.
 head:
  - - meta
    - name: keywords
-      content: Factory reset, Olares One
+      content: factory reset, Olares One, LarePass
 ---
-# Reset to factory settings using LarePass <Badge type="tip" text="10 min" />
+# Factory reset via LarePass <Badge type="tip" text="10 min" />

 If you have already activated Olares One and want to return it to the factory state, you can perform a reset in LarePass.

--- a/docs/one/wise-download.md
+++ b/docs/one/wise-download.md
@@ -59,12 +59,12 @@ If you frequently save videos while browsing, the [LarePass extension](https://w

 When you save a video to the library, Wise creates a record immediately, and the file download runs in the background.

-1. In Wise, click <i class="material-symbols-outlined">settings</i> in the bottom-left menu bar, then select **Transmission**.
-2. In the Download tab, check the list of downloads and their status.
-3. You can:
-
-    - Click <i class="material-symbols-outlined">folder_open</i> to locate a downloaded file in Files.
-    - Click <i class="material-symbols-outlined">do_not_disturb_on</i> to remove it from the list.
+1. In Wise, click <i class="material-symbols-outlined">settings</i> in the bottom-left menu bar, then select **Download list**.
+2. Use the tabs to filter tasks: **All**, **Downloading**, **Completed**, **Failed**.
+3. Review the task list and status.
+4. You can:
+   - Click <i class="material-symbols-outlined">folder_open</i> to locate the transferred file in Files.
+   - Click <i class="material-symbols-outlined">do_not_disturb_on</i> to remove it from the list.

 Once the download is complete, you can play the video directly inside Wise even without an internet connection.

--- a/docs/public/images/manual/help/ts-vpn-add-network-extension.png
+++ b/docs/public/images/manual/help/ts-vpn-add-network-extension.png
--- a/docs/public/images/manual/help/ts-vpn-add-vpn-configuration.png
+++ b/docs/public/images/manual/help/ts-vpn-add-vpn-configuration.png
--- a/docs/public/images/manual/help/ts-vpn-network-extensions.png
+++ b/docs/public/images/manual/help/ts-vpn-network-extensions.png
--- a/docs/public/images/manual/help/ts-vpn-toggle-on-network-extension.png
+++ b/docs/public/images/manual/help/ts-vpn-toggle-on-network-extension.png
--- a/docs/public/images/manual/olares/desktop.png
+++ b/docs/public/images/manual/olares/desktop.png
--- a/docs/public/images/manual/use-cases/openclaw-connected1.png
+++ b/docs/public/images/manual/use-cases/openclaw-connected1.png
--- a/docs/public/images/manual/use-cases/openclaw-hatch-finish.png
+++ b/docs/public/images/manual/use-cases/openclaw-hatch-finish.png
--- a/docs/public/images/manual/use-cases/openclaw-persona-files.png
+++ b/docs/public/images/manual/use-cases/openclaw-persona-files.png
--- a/docs/public/images/manual/use-cases/openclaw-persona-recording.png
+++ b/docs/public/images/manual/use-cases/openclaw-persona-recording.png
--- a/docs/public/images/zh/manual/olares/desktop.png
+++ b/docs/public/images/zh/manual/olares/desktop.png
--- a/docs/reusables/README.md
+++ b/docs/reusables/README.md
@@ -5,6 +5,6 @@ This directory holds shared content included in multiple docs via `<!--@include:
 Add new reusable fragments here and document line ranges in a comment at the top of each file.

 - **local-domain.md**: .local domain description, URL format, HTTP note, and troubleshooting (Chrome, Safari). Used by `manual/get-started/local-access.md`, `manual/best-practices/local-access.md`, and `one/access-olares-via-local-domain.md`.
- **larepass-vpn.md**: LarePass VPN procedure (Download, Enable, Verify connection type) and FAQs (Mac extension reset, Windows antivirus). Used by `manual/get-started/local-access.md`, `manual/best-practices/local-access.md`, and `one/access-olares-via-vpn.md`.
+- **larepass-vpn.md**: LarePass VPN procedure (Download, Enable, Verify connection type) and FAQs linking to the troubleshooting doc. Used by `manual/get-started/local-access.md`, `manual/best-practices/local-access.md`, and `one/access-olares-via-vpn.md`.


--- a/docs/reusables/larepass-vpn.md
+++ b/docs/reusables/larepass-vpn.md
@@ -3,7 +3,7 @@ search: false
 ---
 <!-- Reusable LarePass VPN content. Include by line range.
     Steps (no headings): Step 1 7-16, Step 2 18-41, Step 3 42-49.
-     FAQs: 50-75 -->
+     FAQs: 50-57 -->

 To use the secure VPN connection, the LarePass client must be installed on the device you are using to access Olares.

@@ -50,25 +50,8 @@ Once enabled, check the status indicator in LarePass to verify the connection ty

 ### Why doesn't LarePass VPN work on my Mac anymore?

-If you successfully enabled the VPN previously, but it has stopped working, you might need to reset the system extension.
-
-:::info
-Depending on your macOS version, the UI might look slightly different.
-:::
-
-1. Open **System Settings**, search for "Extension", and select **Login Items & Extensions**.
-2. Scroll to the **Network Extensions** section and click the info icon (ⓘ) to view loaded extensions.
-3. Find LarePass, click the three dots (...), and select **Delete Extension**.
-4. Confirm the uninstallation.
-5. Restart your Mac and re-enable the VPN in the LarePass desktop client.
+macOS blocks the VPN tunnel if the network extension or VPN configuration was not fully set up, or if the extension has become stuck or corrupted. See [LarePass VPN not working](/manual/help/ts-larepass-vpn-not-working) to reset the extension and restore the VPN.

 ### Why can't I enable LarePass VPN on Windows?

-Third-party antivirus software might mistakenly flag the LarePass desktop client as suspicious, preventing it from launching the VPN service.
-
-If prompted by your antivirus when opening LarePass for the first time, allow the application to continue.
-
-If the VPN still fails to enable:
-1. Open your security software and check if LarePass was blocked.
-2. Add the main LarePass executable to the allowlist or exclusions of your antivirus.
-3. Restart LarePass and enable the VPN.
+Third-party antivirus or security software may mistakenly flag LarePass as suspicious, preventing the VPN service from starting. See [LarePass VPN not working](/manual/help/ts-larepass-vpn-not-working) to resolve the issue.
--- a/docs/use-cases/openclaw.md
+++ b/docs/use-cases/openclaw.md
@@ -1,6 +1,6 @@
 ---
 outline: [2, 3]
-description: Learn how to install, configure, and integrate OpenClaw with Discord.
+description: Learn how to install, configure, personalize, and integrate OpenClaw with Discord.
 head:
  - - meta
    - name: keywords
@@ -15,11 +15,10 @@ It acts as an "always-on" operator that can execute real tasks, such as searchin

 ## Learning objectives

-By the end of this tutorial, you are be able to:
-
 - Install and initialize the OpenClaw environment.
 - Pair and connect the OpenClaw CLI and the Control UI.
 - Configure OpenClaw to use the local AI model Ollama.
+- Personalize OpenClaw to establish its identity and behavior.
 - Integrate OpenClaw with Discord.
 - Enable the web search capability using Brave Search.
 - Manage skills and plug-ins.
@@ -132,18 +131,18 @@ Run a quick setup for the agent in the OpenClaw CLI.
    - **Default Session Key**: Enter `agent:main:main`.
 7. Click **Connect**.

-    The connection error `disconnected[1008]:pairing required` occurs. This is expected and means the device connection is waiting for approval.
+    The connection error `pairing required` occurs. This is expected and means the device connection is waiting for approval.
 8. Return to the OpenClaw CLI window and enter the following command:

    ```bash
    openclaw devices approve --latest
    ```
-9. When the terminal displays the approval message, return to the Control UI and refresh it.
+9. When the terminal displays the approval message, return to the Control UI.
    ![Pair sucess](/images/manual/use-cases/new-pair-success.png#bordered)

-    Now the **STATUS** in the **Snapshot** panel should be **Connected**.
+    Now the **STATUS** in the **Snapshot** panel should be **OK**.

-    ![Health OK](/images/manual/use-cases/openclaw-connected.png#bordered)
+    ![Health OK](/images/manual/use-cases/openclaw-connected1.png#bordered)

 :::tip For advanced users
 If you prefer to fully customize your initial setup, you can run the `openclaw onboard` command instead to launch the interactive configuration wizard.
@@ -163,7 +162,7 @@ Connect the Control UI to the OpenClaw CLI to use the graphical dashboard.
    - **Default Session Key**: Enter `agent:main:main`.
 3. Click **Connect**. 

-    The connection error `disconnected[1008]:pairing required` occurs. This is expected and means the device connection is waiting for approval.
+    The connection error `pairing required` occurs. This is expected and means the device connection is waiting for approval.
 4. Return to the OpenClaw CLI window and enter the following command:
    ```bash
    openclaw devices list
@@ -181,9 +180,9 @@ Connect the Control UI to the OpenClaw CLI to use the graphical dashboard.
    ```bash
    openclaw devices approve {RequestID}
    ```
-7. When the terminal displays the approval message, return to the Control UI. Now the **STATUS** in the **Snapshot** panel should be **Connected**.
+7. When the terminal displays the approval message, return to the Control UI. Now the **STATUS** in the **Snapshot** panel should be **OK**.

-    ![Health OK](/images/manual/use-cases/openclaw-connected.png#bordered)
+    ![Health OK](/images/manual/use-cases/openclaw-connected1.png#bordered)

 ## Configure local AI model

@@ -207,6 +206,75 @@ Connect the Control UI to the OpenClaw CLI to use the graphical dashboard.
    ```
 4. Click **Save** in the upper-right corner. The system validates the config and restarts automatically to apply the changes.

+    ::: tip Manual restart
+    If you need to restart OpenClaw manually, do not use the OpenClaw CLI. Use one of the following methods:
+    - **Restart the app from Settings or Market**: 
+        - Open **Settings**, go to **Applications** > **OpenClaw**, click **Stop**, and then click **Resume**.
+        - Open **Market**, go to **My Olares**, find **OpenClaw**, click <i class="material-symbols-outlined">keyboard_arrow_down</i> next to the operation button, select **Stop**, and then select **Resume**.
+    - **Restart the container**: Open **Control Hub**, click `clawdbot` under **Deployments**, and then click **Restart**.
+    :::
+
+## (Optional) Personalize OpenClaw
+
+To make your OpenClaw bot more personalized, it is highly recommended to complete the persona setup process. 
+
+This process establishes the agent's identity, behavioral boundaries, and long-term memory through persona files. These files keep your agent's behavior consistent across all platforms and channels.
+
+1. In the Control UI, select **Chat** from the left sidebar.
+2. Ensure <i class="material-symbols-outlined">neurology</i> at the upper-right corner is enabled. This allows you to watch the agent think and edit persona files in real time.
+3. Enter and send the following message to start:
+    ```text
+    Wake up please!
+    ```
+    The agent responds and starts interviewing you. You can establish rules, personality traits, and preferences. For example,
+
+    ```text
+    - Call me Bella. I like simple language without technical jargons and 
+    concise bulleted answers.
+    - You are John, a witty assistant who uses emojis.
+    - Never access my calendar without asking first, and never execute any 
+    financial operations.
+    ```
+4. As you chat with the agent, look for the **Edit** messages. These indicate the agent is successfully writing your preferences to its core persona files, such as `IDENTITY.md`, `USER.md`, and `SOUL.md`. 
+
+    ![Persona files editing by OpenClaw](/images/manual/use-cases/openclaw-persona-recording.png#bordered){width=90%}
+
+    :::tip
+    If you do not see the intermediate persona file operations, refresh the page by clicking <i class="material-symbols-outlined">refresh</i> at the upper-right corner or by pressing F5.
+    :::
+5. Continue the conversation until the agent gathers enough information. Then, it automatically deletes the temporary `BOOTSTRAP.md` file to finish the personalization process.
+
+    ![Finish hatch agent](/images/manual/use-cases/openclaw-hatch-finish.png#bordered){width=90%}
+
+6. (Optional) If the agent fails to update the persona files or delete `BOOTSTRAP.md`, explicitly instruct it to do so in the chat. 
+
+    If the issue persists, resolve it using one of the following methods:
+    - **Increase the context window**: Select **Config** from the left sidebar, switch to the **Raw** tab, find the `models` section, and then increase the `contextWindow` value to at least 64K (200K is recommended). 
+    
+        :::tip
+        Note that a larger context window consumes more VRAM, so choose a value that your hardware can support.
+        :::
+
+    - **Change the model**: Switch to a model with better tool-calling and instruction‑following capabilities.
+
+7. Verify your agent's persona files are updated:
+
+    a. Open Files from the Launchpad.
+    
+    b. Go to **Application** > **Data** > **clawdbot** > **config** > **workspace**.
+    
+    c. Check the modified time of the `.md` files to identify which ones were recently updated, such as `USER.md` and `IDENTITY.md`.
+
+    ![Persona files generated by OpenClaw](/images/manual/use-cases/openclaw-persona-files.png#bordered){width=90%}
+
+    d. (Optional) Double-click a file to verify that it contains your newly established rules such as name, language style, and restrictions.
+      
+    :::tip Modify persona settings
+    To change these settings in the future, use one of the following methods:
+    - Ask the agent in the chat to update its rules.
+    - Download the `.md` files from this folder, edit them in a text editor, and re-upload them to overwrite the old ones. 
+    :::
+
 ## Integrate with Discord

 To chat with your agent remotely, connect it to a Discord bot.
@@ -251,14 +319,16 @@ To chat with your agent remotely, connect it to a Discord bot.

 ### Step 3: Configure channel

-Configure the Discord channel in Control UI.
+Connect OpenClaw to your Discord bot by adding its configuration in the Control UI.
+
+:::info About channel configuration
+This tutorial provides the basic setup to get your bot running in Discord quickly. For more detailed configurations, see the official [OpenClaw documentation](https://docs.openclaw.ai/channels).
+:::

 1. Return to the **Control UI** > **Config** > **Raw** tab.
-2. Find the `channels` section:
+2. Add the following `channels` section to the configuration file. 

-    a. Update with your Discord bot token.
-
-    b. Enable Discord DM (Direct Messages) and set the Discord DM Policy to **Pairing**.
+    This configuration enables Discord Direct Messages (DMs) and sets the DM policy to pairing for security.

    ```json
    "channels": {
@@ -276,8 +346,9 @@ Configure the Discord channel in Control UI.

    ![Discord channel added](/images/manual/use-cases/channels.png#bordered)

-3. Click **Save**.
-4. From the left sidebar, select **Channels**. On the Discord card, **Probe ok** indicates successful connection.
+3. Replace `{YOUR_BOT_TOKEN}` with your Discord bot token.
+4. Click **Save**.
+5. From the left sidebar, select **Channels**. On the Discord card, **Probe ok** indicates successful connection.

   ![Probe OK](/images/manual/use-cases/probe-ok.png#bordered)

@@ -345,7 +416,7 @@ OpenClaw officially recommends Brave Search. It uses an independent web index op

 ## Manage skills and plugins

-OpenClaw can be extended using skills and plugins：
+OpenClaw can be extended using skills and plugins:
 - Skills add new capabilities to the AI. For example, managing Model Context Protocol servers.
 - Plugins extend the system to support additional channels or community features. For example, adding iMessage via BlueBubbles.

@@ -442,7 +513,35 @@ To manage skills and plugins, install ClawHub. It is the package manager for Ope

    ![Toggle on plugin](/images/manual/use-cases/toggle-plugin.png#bordered)

-6. Click **Save** in the upper-right corner. The system validates the config and restarts automatically to apply the changes.      
+6. Click **Save** in the upper-right corner. The system validates the config and restarts automatically to apply the changes.
+
+    ::: tip Manual restart
+    If you need to restart OpenClaw manually, do not use the OpenClaw CLI. Use one of the following methods:
+    - **Restart the app from Settings or Market**: 
+        - Open **Settings**, go to **Applications** > **OpenClaw**, click **Stop**, and then click **Resume**.
+        - Open **Market**, go to **My Olares**, find **OpenClaw**, click <i class="material-symbols-outlined">keyboard_arrow_down</i> next to the operation button, select **Stop**, and then select **Resume**.
+    - **Restart the container**: Open **Control Hub**, click `clawdbot` under **Deployments**, and then click **Restart**.
+    :::
+
+## FAQ
+
+### Cannot restart OpenClaw in CLI
+
+If you attempt to manually start, stop, or restart OpenClaw using commands like `openclaw gateway` or `openclaw gateway stop` in the OpenClaw CLI, you receive the following error messages:
+- `Gateway failed to start: gateway already running (pid 1); lock timeout after 5000ms`
+- `Gateway service check failed: Error: systemctl --user unavailable: spawn systemctl ENOENT`
+
+#### Cause
+
+OpenClaw is deployed as a containerized app in Olares, where the gateway runs as the primary container process `pid 1` and is always active. This environment does not use standard Linux system and service management tools such as `systemd` and `systemctl`, so these commands do not work. 
+
+#### Solution
+
+Do not use the OpenClaw CLI to manage the gateway service. Instead, restart OpenClaw using one of the following methods:
+- **Restart OpenClaw from Settings or Market**: 
+    - Open **Settings**, go to **Applications** > **OpenClaw**, click **Stop**, and then click then **Resume**.
+    - Open **Market**, go to **My Olares**, find **OpenClaw**, click <i class="material-symbols-outlined">keyboard_arrow_down</i> next to the operation button, select **Stop**, and then select **Resume**.
+- **Restart the container**: Open **Control Hub**, click `clawdbot` under **Deployments**, and then click **Restart**.

 ## Resources

--- a/docs/zh/developer/develop/package/manifest.md
+++ b/docs/zh/developer/develop/package/manifest.md
@@ -7,7 +7,15 @@ outline: [2, 3]
 每一个 Olares 应用的 Chart 根目录下都必须有一个名为 `OlaresManifest.yaml` 的文件。`OlaresManifest.yaml` 描述了一个 Olares 应用的所有基本信息。Olares 应用市场协议和 Olares 系统依赖这些关键信息来正确分发和安装应用。

 :::info 提示
-最新的 Olares 系统使用的 Manifest 版本为: `0.10.0`
+最新的 Olares 系统使用的 Manifest 版本为: `0.11.0`
+- 移除 已不支持的sysData 配置项
+- 修改 共享应用的案例
+- 增加 apiVersion 字段说明
+- 增加 共享入口的配置说明
+
+:::
+:::details Changelog
+`0.10.0`
 - 修改 `categories` 分类
 - 增加 Permission 部分中 `provider` 权限的申请
 - 增加 Provider 部分，用于让应用对集群内暴露指定服务接口
@@ -15,8 +23,7 @@ outline: [2, 3]
 - 移除 Option 部分已不支持的一些配置项
 - 增加 `allowMultipleInstall` 配置，允许应用克隆出多个独立的实例
 - 增加 Envs 部分，支持应用声明需要的环境变量
-:::
-:::details Changelog
+
 `0.9.0`
 - 在 `options` 中增加 `conflict` 字段, 用于声明不兼容的应用
 - 移除 `options` 中 `analytics` 配置项
@@ -82,7 +89,7 @@ spec:
  website: https://link.to.your.website
  sourceCode: https://link.to.sourceCode
  submitter: Submitter's Name
-  language:
+  locale:
  - en
  doc: https://link.to.documents
  supportArch:
@@ -131,6 +138,14 @@ olaresManifest.version: '2.2'
 olaresManifest.version: "3.0.122"
 ```

+## apiVersion
+- 类型：`string`
+- 可选
+- 有效值：`v1`,`v2`
+- 默认值：`v1`
+
+共享应用需使用 `v2` 版本，支持一个 OAC 中包含多个子图表。其他应用请使用`v1`
+
 ## Metadata

 应用的基本信息，用于在 Olares 系统和应用市场中展示应用。
@@ -152,7 +167,7 @@ metadata:
 ### name

 - 类型：`string`
- Accepted Value: `[a-z][a-z0-9]?`
+- 有效值：`^[a-z][a-z0-9]{0,29}$`

 Olares 中的应用的命名空间，仅限小写字母数字字符。最多 30 个字符，需要与 `Chart.yaml` 中的 `FolderName` 和 `name` 字段保持一致。

@@ -200,8 +215,6 @@ OS 1.12 有效值：
 - `Utilities_v112`：实用工具
 - `AI`：AI

-
-
 :::info 提示
 Olares OS 1.12.0 版本对应用商店的应用分类进行了调整，因此如果应用需要同时兼容 1.11 和 1.12 版本，请同时填写两个版本所需的分类。
 :::
@@ -322,6 +335,23 @@ entrances:
 ```
 :::

+## sharedEntrances
+
+共享入口是共享应用为集群内其他应用调用提供的接口地址。共享入口的字段配置和常规入口基本一致，一个典型的共享入口配置如下
+
+:::info 示例
+```yaml
+sharedEntrances:
+  - name: ollamav2
+    host: sharedentrances-ollama
+    port: 0
+    title: Ollama API
+    icon: https://app.cdn.olares.com/appstore/ollama/icon.png
+    invisible: true
+    authLevel: internal
+```
+:::
+
 ## Ports

 定义暴露的端口
@@ -338,14 +368,48 @@ ports:
 ```
 :::

+### exposePort
+- 类型： `int`
+- 可选
+- 有效值： `0-65535`，保留端口 `22`, `80`, `81`, `443`, `444`, `2379`, `18088` 除外
 Olares 会为你的应用暴露指定的端口，这些端口可通过应用域名在本地网络下访问，如`84864c1f.your_olares_id.olares.com:46879`。对于每个公开的端口，Olares 会自动配置相同端口号的 TCP 和 UDP。

-当将 `addToTailscaleAcl` 字段设置为 `true` 时，系统会为该端口分配一个随机端口，并自动将其加入到 Tailscale 的 ACL 中。
-
 :::info 提示
 暴露的端口只能通过本地网络或 Olares 专用网络访问。
 :::

+### protocol
+- 类型： `string`
+- 可选
+- 有效值： `udp`、`tcp`
+
+暴露端口使用的协议 ，如果不填默认同时开通udp和tcp。
+
+### addToTailscaleAcl
+- 类型： `boolean`
+- 可选
+- 默认值：`false`
+
+当将 addToTailscaleAcl 字段设置为 true 时，系统会为该端口分配一个随机端口，并自动将其加入到 Tailscale 的 ACL 中。
+
+## Tailscale
+- 类型：`map`
+- 可选
+
+允许应用在 Tailscale 的ACL(Access Control Lists)中开放指定端口。
+
+:::info 示例
+```yaml
+tailscale:
+  acls:
+  - proto: tcp
+    dst:
+    - "*:46879"
+  - proto: "" # 可选, 如果未指定，则允许使用所有支持的协议
+    dst:
+    -  "*:4557"  
+```
+:::

 ## Permission

@@ -380,51 +444,6 @@ permission:

 应用是否需要对用户的 `Home` 文件夹进行读写权限。列出应用需要访问的用户 `Home` 下的所有目录。部署 YAML 中配置的所有 `userData` 目录都必须包含在此处。

-### sysData
-
- 类型：`list<map>`
- 可选
-
-声明该应用程序需要访问的 API 列表。
-
-:::info 提示
-从 1.12.0 版本开始，该权限配置已经被废弃。
-:::
-
-:::info 示例
-```yaml
-  sysData:
-  - group: service.bfl
-    dataType: app
-    version: v1
-    ops:
-    - InstallDevApp
-  - dataType: legacy_prowlarr
-    appName: prowlarr
-    port: 9696
-    group: api.prowlarr
-    version: v2
-    ops:
-    - All
-```
-:::
-
-所有系统 API [providers](../advanced/provider.md) 如下：
-| Group | version | dataType | ops |
-| ----------- | ----------- | ----------- | ----------- |
-| service.appstore | v1 | app | InstallDevApp, UninstallDevApp
-| message-disptahcer.system-server | v1 | event | Create, List
-| service.desktop | v1 | ai_message | AIMessage
-| service.did | v1 | did | ResolveByDID, ResolveByName, Verify
-| api.intent | v1 | legacy_api | POST
-| service.intent | v1 | intent | RegisterIntentFilter, UnregisterIntentFilter, SendIntent, QueryIntent, ListDefaultChoice, CreateDefaultChoice, RemoveDefaultChoice, ReplaceDefaultChoice
-| service.message | v1 | message | GetContactLogs, GetMessages, Message
-| service.notification | v1 | message | Create
-| service.notification | v1 | token | Create
-| service.search | v1 | search | Input, Delete, InputRSS, DeleteRSS, QueryRSS, QuestionAI
-| secret.infisical | v1 | secret | CreateSecret, RetrieveSecret
-| secret.vault | v1 | key | List, Info, Sign
-
 ### provider

 - 类型：`list<map>`
@@ -432,7 +451,11 @@ permission:

 用于声明本应用需访问的其他应用接口。被访问的应用需在其 `provider` 部分声明对外开放的 `providerName`，详见下方 Provider 章节。

-此处 `appName` 应填写目标应用的 `name`，`providerName` 填写目标应用 `provider` 配置中的 `name` 字段。`podSelectors` 字段用于指定本应用中哪些 pod 需要访问目标应用。如果未声明此字段，则默认为本应用的所有 pod 注入 `outbound envoy sidecar`。
+配置访问的方式如下
+1. 在 `appName` 字段填写目标应用的 `name` 字段。
+2. 在`providerName` 字段填写目标应用 `provider` 配置中的 `name` 字段。
+
+你可以使用 `podSelectors` 字段来指定本应用中哪些 pod 需要访问目标应用。如果未声明此字段，则默认为本应用的所有 pod 注入 `outbound envoy sidecar`。

 :::info 调用应用示例
 ```yaml
@@ -458,25 +481,6 @@ provider:
 :::


-## Tailscale
- 类型：`map`
- 可选
-
-允许应用在 Tailscale 的ACL(Access Control Lists)中开放指定端口。
-
-:::info 示例
-```yaml
-tailscale:
-  acls:
-  - proto: tcp
-    dst:
-    - "*:46879"
-  - proto: "" # 可选, 如果未指定，则允许使用所有支持的协议
-    dst:
-    -  "*:4557"  
-```
-:::
-
 ## Spec
 记录额外的应用信息，主要用于应用商店的展示。

@@ -796,10 +800,10 @@ middleware:

 ## Options

-在此部分配置系统相关的选项。
+此部分用于配置与Olares系统相关的选项。

 ### policies
- 类型：`map`
+- 类型：`list<map>`
 - 可选

 定义应用子域的详细访问控制。
@@ -816,40 +820,40 @@ options:
 ```
 :::

-### clusterScoped
+### appScope
 - 类型：`map`
 - 可选

-是否为 Olares 集群中的所有用户安装此应用程序。
+是否为 Olares 集群中的所有用户安装此应用程序。对用共享应用，需要设置 `clusterScoped` 为 `true`, 同时在 `appRef` 字段填入应用名称

-:::info 服务端示例
+
+:::info 应用ollamav2示例
 ```yaml
 metadata:
-  name: gitlab
+  name: ollamav2
 options:
  appScope:
+  {{- if and .Values.admin .Values.bfl.username (eq .Values.admin .Values.bfl.username) }}  # 仅管理员安装共享服务
    clusterScoped: true
    appRef:
-      - gitlabclienta # 客户端的应用名称
-      - gitlabclientb
+      - ollamav2  # 此应用在 metadata.name 中声明的名字
+  {{- else }}
+    clusterScoped: false
+  {{- end }}
+  dependencies:
+    - name: olares
+      version: '>=1.12.3-0'
+      type: system
+  {{- if and .Values.admin .Values.bfl.username (eq .Values.admin .Values.bfl.username) }}
+  {{- else }} 
+    - name: ollamav2
+      type: application
+      version: '>=1.0.1'
+      mandatory: true  # 其他用户安装客户端，依赖管理员安装的共享服务
+  {{- end }}
 ```
 :::

-:::info 客户端示例
-```yaml
-metadata:
-  name: gitlabclienta
-options:
-  dependencies:
-    - name: olares
-      version: ">=0.3.6-0"
-      type: system
-    - name: gitlab # 服务器端的应用名称
-      version: ">=0.0.1"
-      type: application
-      mandatory: true
-```
-:::

 ### dependencies
 - 类型：`list<map>`
@@ -872,6 +876,24 @@ options:
 ```
 :::

+### conflicts
+- 类型：`list<map>`
+- 可选
+
+请在此处声明与该应用冲突的其他应用。必须卸载冲突应用后才能安装此应用。
+
+:::info 示例
+```yaml
+options:
+  conflicts:
+  - name: comfyui
+    type: application
+  - name: comfyuiclient
+    type: application  
+```
+:::
+
+
 ### mobileSupported
 - 类型： `boolean`
 - 默认值： `false`
@@ -919,7 +941,7 @@ apiTimeout: 0
 :::

 ### allowedOutboundPorts
- 类型： `map`
+- 类型： `list<int>`
 - 可选

 要求开通以下端口进行非 HTTP 协议的对外访问，例如 SMTP 服务等。
--- a/docs/zh/manual/best-practices/local-access.md
+++ b/docs/zh/manual/best-practices/local-access.md
@@ -187,6 +187,6 @@ ping desktop.<username>.olares.cn

 ## 常见问题

-<!--@include: ../../reusables/larepass-vpn.md{50,75}-->
+<!--@include: ../../reusables/larepass-vpn.md{50,57}-->

 <!--@include: ../../reusables/local-domain.md{42,75}-->
--- a/docs/zh/manual/get-started/local-access.md
+++ b/docs/zh/manual/get-started/local-access.md
@@ -39,7 +39,7 @@ description: 了解如何使用 LarePass VPN 或 .local 域名安全访问 Olare

 ### 常见问题

-<!--@include: ../../reusables/larepass-vpn.md{50,75}-->
+<!--@include: ../../reusables/larepass-vpn.md{50,57}-->

 <!--@include: ../../reusables/local-domain.md{42,75}-->

--- a/docs/zh/manual/help/ts-larepass-vpn-not-working.md
+++ b/docs/zh/manual/help/ts-larepass-vpn-not-working.md
@@ -0,0 +1,66 @@
+---
+outline: [2, 3]
+description: 排查 LarePass VPN 在 macOS 或 Windows 上无法使用的问题。
+---
+
+# LarePass VPN 无法使用
+
+当 LarePass VPN 开关没有反应、连接停滞在“连接中”，或之前可以正常使用的 VPN 连接在 macOS 或 Windows 上突然失效时，可参考本指南。
+
+## 适用情况
+
+**macOS**
+- 点击 LarePass 桌面客户端的 VPN 开关没有反应，或 VPN 停滞在“连接中”。
+- LarePass VPN 之前在此设备上可以正常使用，但现在无法连接或连接后立即断开。
+ 
+**Windows**
+- 点击 LarePass 桌面客户端的 VPN 开关没有反应，或 VPN 无法启用。
+
+## 原因
+
+- **macOS**：LarePass VPN 需要完整设置系统级网络扩展和 VPN 配置。如果在初次设置时跳过或未完成任一步骤，或者网络扩展出现卡死或损坏，macOS 将阻止 LarePass 建立 VPN 隧道。
+
+- **Windows**：第三方杀毒或安全软件可能误将 LarePass 桌面客户端标记为可疑程序，导致 VPN 服务无法启动。
+
+## 解决方案
+
+### macOS
+
+重置网络扩展并完整走完系统设置流程，以恢复 VPN 连接。
+
+:::info
+不同 macOS 版本下界面可能略有差异。
+:::
+
+1. 打开**系统设置**，搜索"扩展"，选择**扩展**。
+2. 滚动到**网络扩展**部分，点击 <span class="material-symbols-outlined">info</span> 查看已加载的扩展。
+   ![系统设置中的网络扩展部分](/images/manual/help/ts-vpn-network-extensions.png#bordered){width=70%}
+
+3. 找到 **LarePass**，点击三个点（**...**），选择**删除扩展**。
+4. 确认卸载。
+5. 重启 Mac。
+6. 重新打开 LarePass 桌面客户端并启用 VPN。
+7. 按照系统提示完成扩展和 VPN 配置的恢复：
+
+   a. 当 macOS 提示添加 LarePass 网络扩展时，点击**打开系统设置**。
+   ![添加 LarePass 网络扩展的提示](/images/manual/help/ts-vpn-add-network-extension.png#bordered){width=40%}
+
+   b. 打开 **LarePass** 开关。
+   ![打开 LarePass 网络扩展开关](/images/manual/help/ts-vpn-toggle-on-network-extension.png#bordered){width=70%}
+
+   c. 当提示添加 VPN 配置时，点击**允许**。
+   ![添加 VPN 配置的提示](/images/manual/help/ts-vpn-add-vpn-configuration.png#bordered){width=40%}
+
+### Windows
+
+:::info LarePass 在首次启动时被拦截
+如果杀毒软件在安装后首次打开 LarePass 时将其拦截，先在安全软件中放行该应用，再执行以下步骤。
+:::
+
+1. 在杀毒或安全软件中，打开**白名单**、**排除项**或**例外**设置。
+2. 将 LarePass 主程序或安装目录加入白名单。常见路径包括：
+   - `C:\Users\<用户名>\AppData\Local\LarePass\`
+   - `C:\Program Files\LarePass\`
+3. 应用更改，如有需要重启杀毒软件。
+4. 退出并重新打开 LarePass 桌面客户端。
+5. 在 LarePass 中再次尝试启用**专用网络连接**。
--- a/docs/zh/manual/larepass/create-account.md
+++ b/docs/zh/manual/larepass/create-account.md
@@ -65,13 +65,40 @@ Olares 目前通过 Gmail 提供 VC 支持，详情参见 [Gmail Issuer Service]
 </template>
 </Tabs>

-## 导入现有账户
+## 导入账户

-你也可以通过导入已存在的 Olares ID 来设置账户。
+你可以使用 12 个单词的助记词，将已有的 Olares ID 导入到 LarePass，从而在新设备或其他 LarePass 客户端上访问你的 Olares 服务。

 ::: tip 备份助记词
-确保已 [备份助记词](back-up-mnemonics.md)，否则无法导入。
+确保已 [备份助记词](back-up-mnemonics.md)，否则无法完成账户导入。
 :::

-1. 在 LarePass 中点击**导入账户**。  
-2. 输入 12 个助记词导入你的 Olares ID。  
+
+<Tabs>
+<template #iOS-&-Android>
+
+1. 打开 LarePass 应用。
+2. 点击你的头像。
+3. 在**切换账户**页面底部，点击**添加新账户**。
+4. 点击**导入账户**。
+5. 输入 Olares ID 对应的 12 个助记词。
+
+</template>
+<template #macOS-&-Windows>
+
+1. 打开 LarePass 桌面客户端。
+2. 点击你的头像。
+3. 点击**切换账户**。
+4. 点击底部的**添加新账户**。
+5. 输入 Olares ID 对应的 12 个助记词。
+
+</template>
+<template #Chrome-extension>
+
+1. 打开 Chrome 浏览器中的 LarePass 扩展程序。
+2. 点击头像上方的选项图标。
+3. 点击**添加新账户**。
+4. 输入 Olares ID 对应的 12 个助记词。
+
+</template>
+</Tabs>
--- a/docs/zh/manual/larepass/index.md
+++ b/docs/zh/manual/larepass/index.md
@@ -11,38 +11,47 @@ description: LarePass 用户文档。了解 LarePass 的核心功能与使用方

 ## 主要功能

-### 账户与身份管理
-创建和管理 Olares ID，安全备份凭证并连接外部服务。
- [创建 Olares ID](create-account.md)
- [备份助记词](back-up-mnemonics.md)
- [设置或重置本地密码](back-up-mnemonics.md#设置本地密码)
- [管理集成服务](integrations.md)
+- 账户与身份管理
+- 安全文件访问与同步
+- 设备与网络管理
+- 密码与密钥管理
+- 知识收藏

-### 启用专用网络
-随时随地通过 LarePass 专用网络访问 Olares。
- [打开专用网络](private-network.md#在-larepass-中启用专用网络)
- [排查连接问题](private-network.md#故障排查)
+## 下载 LarePass

-### 设备管理
-激活并管理 Olares 设备，通过 LarePass VPN 安全连接。
- [激活 Olares 设备](activate-olares.md)
- [升级 Olares](manage-olares.md#升级-olares)
- [双因素登录 Olares](activate-olares.md#使用-larepass-进行双因素验证)
- [管理 Olares](manage-olares.md)
- [切换有线/无线网络](manage-olares.md#有线切换至无线)
+### iOS
+请前往 [App Store 产品页面](https://apps.apple.com/cn/app/larepass/id6448082605)下载 LarePass。

-### 安全文件访问与同步
- [使用 LarePass 管理文件](manage-files.md)
+### Android
+请前往 [Google Play 产品页面](https://play.google.com/store/apps/details?id=com.terminus.termipass)，或直接从 [LarePass 官网](https://www.olares.cn/larepass)下载最新 APK。

-### 密码与密钥管理
-使用 Vault 自动填充凭证、存储密码并生成 2FA 代码。
- [自动填充密码](autofill.md)
- [生成 2FA 代码](two-factor-verification.md)
+### macOS & Windows
+请从 [LarePass 官网](https://www.olares.cn/larepass)下载最新桌面客户端。

-### 知识收藏
-通过 LarePass 收集网页内容并订阅 RSS。
- [通过 LarePass 扩展收集内容](manage-knowledge.md#通过-larepass-扩展收集内容)
- [订阅 RSS 源](manage-knowledge.md#订阅-rss-源)
+### Chrome 扩展
+
+使用 LarePass 扩展可以直接在浏览器中收集内容并管理密码。目前仅支持 Google Chrome 浏览器，且必须手动安装。
+
+:::warning 保留扩展程序文件夹
+浏览器会从你选择的文件夹中加载扩展。如果删除、移动或重命名该文件夹，扩展将无法正常使用。
+
+请将 ZIP 文件解压到一个长期保留的位置，例如用户目录下的文件夹，而不要解压到临时目录。
+:::
+
+1. 访问 [LarePass 网站](https://olares.cn/olares) 下载扩展 ZIP 包。
+2. 将 ZIP 文件解压到电脑中的一个固定文件夹。
+3. 在 Chrome 浏览器打开 `chrome://extensions/`。
+4. 开启右上角**开发者模式**。
+5. 点击**加载已解压的扩展程序**，选择解压后的 LarePass 文件夹。
+
+::: tip 快速访问
+安装完成后，点击浏览器工具栏中的拼图图标，将 LarePass 扩展固定，以便一键访问。
+:::
+
+## 设置账户
+
+- 在移动设备上，你可以使用 LarePass 直接[创建 Olares ID](/zh/manual/larepass/create-account.md#创建-olares-id)。
+- 在桌面客户端或 Chrome 扩展上，你需要[导入 Olares 账户](/zh/manual/larepass/create-account.md#导入账户)。

 ## 功能对比

@@ -183,38 +192,3 @@ description: LarePass 用户文档。了解 LarePass 的核心功能与使用方
    </tr>
  </tbody>
 </table>
-
-## 下载与安装 LarePass
-
-前往 [LarePass 官网](https://www.olares.cn/larepass) 获取适用于你设备的最新版本。
-
-### 安装 LarePass 浏览器扩展
-
-<tabs>
-<template #从-Chrome-Web-Store-安装>
-
-1. 在 [Chrome 网上应用店](https://chrome.google.com/webstore) 搜索 **LarePass**。
-2. 打开详情页并点击 **添加至 Chrome**。
-3. 通过导入 Olares ID 登录扩展：
-    - 打开 LarePass 扩展，点击 **导入账户**。
-    - 输入 Olares ID 的助记词。
-    - 输入 Olares 密码完成登录。
-
-</template>
-
-<template #离线安装>
-
-1. 访问 [LarePass 网站](https://olares.cn/olares) 下载扩展 ZIP 包。
-2. 在浏览器地址栏输入 `chrome://extensions/`。
-3. 打开右上角 **开发者模式**。
-4. 点击 **加载已解压的扩展程序**，选择解压后的 LarePass 文件夹。
-5. 登录流程：
-    - 打开 LarePass 扩展，点击 **导入账户**。
-    - 输入 Olares ID 的助记词。
-    - 输入 Olares 密码完成登录。
-</template>
-</tabs>
-
-::: tip 快速访问
-安装完成后，可在 Chrome 扩展菜单中固定 LarePass，方便一键启动。
-:::
--- a/docs/zh/manual/olares/desktop.md
+++ b/docs/zh/manual/olares/desktop.md
@@ -4,54 +4,53 @@ description: 了解 Olares 桌面的基本概念与操作方式，包括如何

 # 了解桌面

-桌面应用是用户与 Olares 系统交互的主要入口。它提供直观高效的方式来管理和使用系统内置应用以及用户安装的应用。
+桌面应用是用户与 Olares 交互的主要界面。在这里，你可以打开和管理内置系统应用，以及你自行安装的应用。

 ## 桌面基础概念
+
 ![桌面](/images/zh/manual/olares/desktop.png)

-### Dock 与启动台
+### 应用坞

- **Dock（应用坞）：** 屏幕侧边的快速启动栏，用于固定常用应用。
- **启动台（Launchpad）：** 点击 Dock 中的启动台图标可打开，展示所有已安装应用。
+应用坞是位于屏幕左侧的应用快捷启动栏。你可以通过它快速打开常用应用，并访问桌面的关键功能。
+
+### 启动台
+
+启动台展示所有已安装的应用。点击应用坞中的启动台图标即可打开。

 ### 应用窗口

- 应用默认以窗口模式打开。
- 支持以下窗口操作：
-  - 拖动标题栏移动窗口
-  - 拖动边缘调整大小
-  - 最小化、最大化或关闭窗口
- **搜索功能：** 快速启动应用、查找文件等。
+默认情况下，应用会以窗口模式在桌面中以内嵌页面的形式打开。你可以像在普通电脑上一样管理窗口：
+- 拖动标题栏移动窗口。
+- 拖动窗口边缘调整大小。
+- 最小化、最大化或关闭窗口。
+- 点击 <i class="material-symbols-outlined">open_in_new</i> 在新的浏览器标签页中打开应用。
+
+:::info 信息
+部分应用仅支持在浏览器标签页中打开。
+:::
+
+### 搜索与通知
+
+- **搜索**：快速启动应用，并查找 Olares 中支持的内容。
+- **通知**：点击通知图标查看系统和应用通知。

 ## 使用启动台

-通过启动台，你可以：
+在启动台中，你可以：
+- 查看所有已安装的应用。
+- 点击应用图标打开应用。
+- 拖动图标调整其在启动台中的顺序。
+- 将图标拖动到应用坞以便快速访问。

- 查看所有已安装应用
- 点击图标打开对应应用
- 拖动图标调整在启动台中的顺序
- 拖动图标到 Dock，固定为常用应用

 ### 卸载应用

 1. 长按应用图标进入编辑模式。
-2. 若图标右上角出现 **X**，点击即可卸载该应用。
+2. 如果应用图标左上角出现 <i class="material-symbols-outlined">close_small</i> 图标，点击即可卸载该应用。

-::: tip 注意
-系统内置应用（如文件管理器、应用市场、个人主页）无法卸载。
-:::
-
-## 管理应用窗口
-
-应用默认以窗口模式打开，即以嵌入桌面的 iframe 页面形式展示。你可以像使用传统桌面系统一样操作窗口：
-
- 拖动标题栏移动窗口
- 拖动边缘调整窗口大小
- 最小化、最大化或关闭窗口
- 点击<i class="material-symbols-outlined">open_in_new</i>按钮，在新浏览器标签页中打开应用
-
-::: tip 提示
-部分应用仅支持标签页视图打开。
+:::info 信息
+文件管理器、应用市场、设置等内置系统应用无法卸载。
 :::

 ## 使用全局搜索
--- a/docs/zh/one/access-olares-via-vpn.md
+++ b/docs/zh/one/access-olares-via-vpn.md
@@ -34,4 +34,4 @@ While this address works from anywhere, it's recommended to enable the LarePass

 ## Troubleshooting

-<!--@include: ../../reusables/larepass-vpn.md{50,74}-->
+<!--@include: ../../reusables/larepass-vpn.md{50,57}-->
--- a/docs/zh/one/create-drive.md
+++ b/docs/zh/one/create-drive.md
@@ -1,15 +1,15 @@
 ---
 outline: [2, 3]
-description: Reinstall Olares OS on Olares One using a bootable USB to restore the device to factory state.
+description: Reinstall Olares OS on Olares One using a bootable USB drive to restore the device to a clean initial state.
 head:
  - - meta
    - name: keywords
-      content: Olares One, reinstall, factory reset, bootable USB, installation USB
+      content: Olares One, reinstall, Olares OS, bootable USB, installation USB
 ---

-# Reset to factory settings using installation USB <Badge type="tip" text="15 min"/>
+# Reinstall Olares OS using bootable USB <Badge type="tip" text="15 min"/>

-Resetting to factory settings returns your Olares One to the initial setup state. You can reinstall Olares OS using the bootable USB drive included with Olares One.
+Reinstalling Olares OS returns your Olares One to a clean initial state. You can do this using the bootable USB drive included with Olares One.

 :::warning Data loss
 This will permanently delete all accounts, settings, and data on the device. This action cannot be undone.
@@ -18,6 +18,9 @@ This will permanently delete all accounts, settings, and data on the device. Thi
 ## Prerequisites
 **Hardware**<br>
 - The bootable USB drive that came with Olares One.
+   :::tip Don't have the USB drive?
+   Download the [Olares One ISO](https://cdn.olares.com/one/v1.12.4-amd64.iso), which is device-specific and different from the standard Olares ISO, and flash it to a USB drive (8 GB or larger) using a tool such as [Balena Etcher](https://etcher.balena.io/).
+   :::
 - A monitor and keyboard connected to Olares One.

 ## Step 1: Boot from the USB drive
--- a/docs/zh/one/factory-reset-in-bios.md
+++ b/docs/zh/one/factory-reset-in-bios.md
@@ -1,14 +1,14 @@
 ---
 outline: [2, 3]
-description: Learn how to restore your Olares One to factory settings in BIOS.
+description: Learn how to restore BIOS defaults on Olares One to return the device to its initial setup state.
 head:
  - - meta
    - name: keywords
-      content: Factory reset, Olares One, BIOS
+      content: Olares One, BIOS defaults, restore, BIOS setup
 ---
-# Reset to factory settings in BIOS <Badge type="tip" text="10 min" />
+# Restore BIOS defaults <Badge type="tip" text="10 min" />

-Resetting to factory settings returns your Olares One to its initial setup state. If you have a monitor and keyboard connected, you can perform this reset directly in BIOS instead of using LarePass.
+Restoring BIOS defaults resets the firmware configuration and returns your Olares One to its initial setup state. If you have a monitor and keyboard connected, you can perform this directly in BIOS.

 :::warning Data loss
 This will permanently delete all accounts, settings, and data on the device. This action cannot be undone.
--- a/docs/zh/one/factory-reset.md
+++ b/docs/zh/one/factory-reset.md
@@ -1,12 +1,12 @@
 ---
 outline: [2, 3]
-description: Learn how to restore your Olares One to factory settings using LarePass.
+description: Learn how to factory reset your Olares One using LarePass.
 head:
  - - meta
    - name: keywords
-      content: Factory reset, Olares One
+      content: factory reset, Olares One, LarePass
 ---
-# Reset to factory settings using LarePass <Badge type="tip" text="10 min" />
+# Factory reset via LarePass <Badge type="tip" text="10 min" />

 If you have already activated Olares One and want to return it to the factory state, you can perform a reset in LarePass.

--- a/docs/zh/reusables/README.md
+++ b/docs/zh/reusables/README.md
@@ -3,6 +3,6 @@
 本目录存放通过 `<!--@include: path/to/reusables/file.md{start,end}-->` 在多个文档中引用的共享内容。

 - **local-domain.md**：`.local` 域名说明、URL 格式、HTTP 说明及故障排除（Chrome、Safari）。被 `manual/get-started/local-access.md`、`manual/best-practices/local-access.md` 引用。
- **larepass-vpn.md**：LarePass VPN 步骤（下载、启用、确认连接类型）及常见问题（Mac 扩展重置、Windows 杀毒软件）。被 `manual/get-started/local-access.md`、`manual/best-practices/local-access.md` 引用。
+- **larepass-vpn.md**：LarePass VPN 步骤（下载、启用、确认连接类型）及常见问题（链接至故障排查文档）。被 `manual/get-started/local-access.md`、`manual/best-practices/local-access.md` 引用。

 在各文件顶部注释中注明可引用的行号范围。
--- a/docs/zh/reusables/larepass-vpn.md
+++ b/docs/zh/reusables/larepass-vpn.md
@@ -3,7 +3,7 @@ search: false
 ---
 <!-- 可复用的 LarePass VPN 内容。按行号范围引用。
     步骤（无标题）：Step 1 7-16，Step 2 18-41，Step 3 42-49。
-     常见问题：50-75 -->
+     常见问题：50-57 -->

 要使用安全 VPN 连接，必须在用来访问 Olares 的设备上安装 LarePass 客户端。

@@ -50,25 +50,8 @@ search: false

 ### 为什么在 Mac 上无法再启用 LarePass VPN？

-如果之前能正常启用 VPN 但现在失效，可能需要重置系统扩展。
-
-:::info
-不同 macOS 版本下界面可能略有差异。
-:::
-
-1. 打开**系统设置**，搜索“扩展”，选择**登录项与扩展**。
-2. 滚动到**网络扩展**，点击信息图标 (ⓘ) 查看已加载的扩展。
-3. 找到 LarePass，点击三点 (...)，选择**删除扩展**。
-4. 确认卸载。
-5. 重启 Mac，在 LarePass 桌面客户端中重新启用 VPN。
+如果网络扩展或 VPN 配置未完整设置，或网络扩展出现卡死、损坏，macOS 会阻止 LarePass 建立 VPN 隧道。参考 [LarePass VPN 无法使用](/zh/manual/help/ts-larepass-vpn-not-working)，重置扩展并恢复 VPN。

 ### 为什么在 Windows 上无法启用 LarePass VPN？

-第三方杀毒软件可能误将 LarePass 桌面客户端标记为可疑，导致无法启动 VPN 服务。
-
-首次打开 LarePass 时如果杀毒软件有提示，选择允许应用继续运行。
-
-如果 VPN 仍然无法启用：
-1. 打开安全软件，查看是否拦截了 LarePass。
-2. 将 LarePass 主程序加入杀毒软件的白名单或排除项。
-3. 重启 LarePass 并再次启用 VPN。
+第三方杀毒或安全软件可能误将 LarePass 标记为可疑程序，导致 VPN 服务无法启动。参考 [LarePass VPN 无法使用](/zh/manual/help/ts-larepass-vpn-not-working) 解决该问题。
--- a/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml
+++ b/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml
@@ -170,7 +170,7 @@ spec:
      priorityClassName: "system-cluster-critical"
      containers:
      - name: app-service
-        image: beclab/app-service:0.5.4
+        image: beclab/app-service:0.5.5
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 6755
--- a/framework/app-service/pkg/apiserver/handler_installer_upgrade.go
+++ b/framework/app-service/pkg/apiserver/handler_installer_upgrade.go
@@ -342,6 +342,19 @@ func (h *Handler) appUpgrade(req *restful.Request, resp *restful.Response) {
 		return
 	}

+	// hold env batch lease during upgrade kickoff
+	// to avoid AppEnv controller racing and switching app manager op/state to ApplyEnv in this window
+	userNamespace := utils.UserspaceName(owner)
+	releaseLease, err := h.acquireUserEnvBatchLease(req.Request.Context(), userNamespace)
+	if err != nil {
+		klog.Errorf("Failed to acquire user env batch lease err=%v", err)
+		api.HandleError(resp, req, err)
+		return
+	}
+	if releaseLease != nil {
+		defer releaseLease()
+	}
+
 	err = helper.applyAppEnv(req.Request.Context())
 	if err != nil {
 		klog.Errorf("Failed to apply app env err=%v", err)
--- a/framework/authelia/.olares/config/cluster/deploy/auth_backend_deploy.yaml
+++ b/framework/authelia/.olares/config/cluster/deploy/auth_backend_deploy.yaml
@@ -431,7 +431,7 @@ spec:
          privileged: true
      containers:      
      - name: authelia
-        image: beclab/auth:0.2.47
+        image: beclab/auth:0.2.48
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9091
--- a/framework/authelia/.olares/config/cluster/deploy/auth_backend_provider.yaml
+++ b/framework/authelia/.olares/config/cluster/deploy/auth_backend_provider.yaml
@@ -26,6 +26,7 @@ metadata:
 rules:
  - nonResourceURLs: 
      - "/api/reset/*"
+      - "/cli/api/reset/*"
    verbs: ["*"]

 ---
--- a/framework/bfl/.olares/config/launcher/templates/bfl_deploy.yaml
+++ b/framework/bfl/.olares/config/launcher/templates/bfl_deploy.yaml
@@ -266,7 +266,7 @@ spec:

      containers:
      - name: api
-        image: beclab/bfl:v0.4.40
+        image: beclab/bfl:v0.4.42
        imagePullPolicy: IfNotPresent
        securityContext:
          runAsUser: 1000
@@ -304,7 +304,7 @@ spec:
        - name: BACKUP_SERVER
          value: backup-server.os-framework:8082
        - name: L4_PROXY_IMAGE_VERSION
-          value: v0.3.11
+          value: v0.3.12
        - name: L4_PROXY_SERVICE_ACCOUNT
          value: os-network-internal
        - name: L4_PROXY_NAMESPACE
--- a/framework/bfl/pkg/apis/settings/v1alpha1/handler_application.go
+++ b/framework/bfl/pkg/apis/settings/v1alpha1/handler_application.go
@@ -178,8 +178,8 @@ func (h *Handler) setupAppCustomDomain(req *restful.Request, resp *restful.Respo
 	var settings app_service.ApplicationsSettings
 	appServiceClient := app_service.NewAppServiceClient()

-	var terminusName, zone string
-	terminusName, zone, err = h.getUserInfo()
+	var zone string
+	_, zone, err = h.getUserInfo()
 	if err != nil {
 		response.HandleError(resp, err)
 		return
@@ -223,8 +223,6 @@ func (h *Handler) setupAppCustomDomain(req *restful.Request, resp *restful.Respo
 		return
 	}

-	cm := certmanager.NewCertManager(constants.TerminusName(terminusName))
-
 	var operate = h.getCustomDomainOperation(reqCustomDomain, existsAppCustomDomain)
 	log.Infof("setAppCustomDomain: app: %s-%s, reqDomain: %s, existsDomain: %s, operate: %d, req: %s",
 		appName, entranceName, reqCustomDomain, existsAppCustomDomain, operate, utils.ToJSON(customDomain))
@@ -260,12 +258,6 @@ func (h *Handler) setupAppCustomDomain(req *restful.Request, resp *restful.Respo
 			customDomain = entranceCustomDomainMap
 		}
 	case constants.CustomDomainDelete, constants.CustomDomainUpdate:
-		_, err := cm.DeleteCustomDomainOnCloudflare(existsAppCustomDomain)
-		if err != nil {
-			log.Errorf("setAppCustomDomain: app: %s-%s, delete custom domain error %v", appName, entranceName, err)
-			response.HandleError(resp, err)
-			return
-		}
 		fallthrough
 	case constants.CustomDomainAdd:
 		formatSettings(customDomain, zone, "", "")
--- a/framework/bfl/pkg/constants/constants.go
+++ b/framework/bfl/pkg/constants/constants.go
@@ -97,6 +97,8 @@ var (

 	APIDNSSetCloudFlareTunnel string

+	APIMyExternalIP string
+
 	NameSSLConfigMapName = "zone-ssl-config"

 	nameParamters = "name=%s"
@@ -319,6 +321,11 @@ func ReloadEnvDependantVars() error {
 		return err
 	}

+	APIMyExternalIP, err = url.JoinPath(OlaresRemoteService, "/myip/ip")
+	if err != nil {
+		return err
+	}
+
 	APIFormatCertGenerateRequest = APIPrefixCertService + "/generate?" + nameParamters

 	APIFormatCertGenerateStatus = APIPrefixCertService + "/status?" + nameParamters
--- a/framework/bfl/pkg/utils/iputils.go
+++ b/framework/bfl/pkg/utils/iputils.go
@@ -3,14 +3,14 @@ package utils
 import (
 	"crypto/tls"
 	"encoding/json"
-	"io/ioutil"
+	"io"
 	"net"
 	"net/http"
 	"strings"
-	"sync"
 	"time"

 	"bytetrade.io/web3os/bfl/internal/log"
+	"bytetrade.io/web3os/bfl/pkg/constants"
 )

 const (
@@ -40,13 +40,6 @@ func RemoteIp(req *http.Request) string {

 // GetMyExternalIPAddr get my network outgoing ip address
 func GetMyExternalIPAddr() string {
-	sites := map[string]string{
-		"httpbin":    "https://httpbin.org/ip",
-		"ifconfigme": "https://ifconfig.me/all.json",
-		"externalip": "https://myexternalip.com/json",
-		"joinolares": "https://myip.joinolares.cn/ip",
-	}
-
 	type httpBin struct {
 		Origin string `json:"origin"`
 	}
@@ -66,96 +59,74 @@ func GetMyExternalIPAddr() string {
 		IP string `json:"ip"`
 	}

-	var unmarshalFuncs = map[string]func(v []byte) string{
-		"httpbin": func(v []byte) string {
-			var hb httpBin
-			if err := json.Unmarshal(v, &hb); err == nil && hb.Origin != "" {
-				return hb.Origin
-			}
-			return ""
-		},
-		"ifconfigme": func(v []byte) string {
-			var ifMe ifconfigMe
-			if err := json.Unmarshal(v, &ifMe); err == nil && ifMe.IPAddr != "" {
-				return ifMe.IPAddr
-			}
-			return ""
-		},
-		"externalip": func(v []byte) string {
-			var extip externalIP
-			if err := json.Unmarshal(v, &extip); err == nil && extip.IP != "" {
-				return extip.IP
-			}
-			return ""
-		},
-		"joinolares": func(v []byte) string {
-			return strings.TrimSpace(string(v))
-		},
+	type siteConfig struct {
+		url           string
+		unmarshalFunc func(v []byte) string
 	}

-	var mu sync.Mutex
-	ch := make(chan any, len(sites))
-	chSyncOp := func(f func()) {
-		mu.Lock()
-		defer mu.Unlock()
-		if ch != nil {
-			f()
-		}
-	}
-
-	for site := range sites {
-		go func(name string) {
-			http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-			c := http.Client{Timeout: 5 * time.Second}
-			resp, err := c.Get(sites[name])
-			if err != nil {
-				chSyncOp(func() { ch <- err })
-				return
-			}
-			defer resp.Body.Close()
-			respBytes, err := ioutil.ReadAll(resp.Body)
-			if err != nil {
-				chSyncOp(func() { ch <- err })
-				return
-			}
-
-			ip := unmarshalFuncs[name](respBytes)
-			//println(name, site, ip)
-			chSyncOp(func() { ch <- ip })
-
-		}(site)
-	}
-
-	tr := time.NewTimer(time.Duration(5*len(sites)+3) * time.Second)
-	defer func() {
-		tr.Stop()
-		chSyncOp(func() {
-			close(ch)
-			ch = nil
-		})
-	}()
-
-LOOP:
-	for i := 0; i < len(sites); i++ {
-		select {
-		case r, ok := <-ch:
-			if !ok {
-				continue
-			}
-
-			switch v := r.(type) {
-			case string:
-				ip := net.ParseIP(v)
-				if ip != nil && ip.To4() != nil && !ip.IsLoopback() && !ip.IsMulticast() {
-					return v
+	sites := []siteConfig{
+		{
+			url: constants.APIMyExternalIP,
+			unmarshalFunc: func(v []byte) string {
+				return strings.TrimSpace(string(v))
+			},
+		},
+		{
+			url: "https://httpbin.org/ip",
+			unmarshalFunc: func(v []byte) string {
+				var hb httpBin
+				if err := json.Unmarshal(v, &hb); err == nil && hb.Origin != "" {
+					return hb.Origin
 				}
-			case error:
-				log.Warnf("got an error, %v", v)
-			}
-		case <-tr.C:
-			tr.Stop()
-			log.Warnf("timed out")
-			break LOOP
+				return ""
+			},
+		},
+		{
+			url: "https://ifconfig.me/all.json",
+			unmarshalFunc: func(v []byte) string {
+				var ifMe ifconfigMe
+				if err := json.Unmarshal(v, &ifMe); err == nil && ifMe.IPAddr != "" {
+					return ifMe.IPAddr
+				}
+				return ""
+			},
+		},
+		{
+			url: "https://myexternalip.com/json",
+			unmarshalFunc: func(v []byte) string {
+				var extip externalIP
+				if err := json.Unmarshal(v, &extip); err == nil && extip.IP != "" {
+					return extip.IP
+				}
+				return ""
+			},
+		},
+	}
+
+	client := http.Client{
+		Timeout: 3 * time.Second,
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		},
+	}
+	for _, site := range sites {
+		resp, err := client.Get(site.url)
+		if err != nil {
+			log.Warnf("failed to get external ip from %s, %v", site.url, err)
+			continue
+		}
+
+		respBytes, readErr := io.ReadAll(resp.Body)
+		resp.Body.Close()
+		if readErr != nil {
+			log.Warnf("failed to read response from %s, %v", site.url, readErr)
+			continue
+		}
+
+		ipStr := site.unmarshalFunc(respBytes)
+		ip := net.ParseIP(ipStr)
+		if ip != nil && ip.To4() != nil && !ip.IsLoopback() && !ip.IsMulticast() {
+			return ipStr
 		}
 	}

--- a/framework/l4-bfl-proxy/.olares/Olares.yaml
+++ b/framework/l4-bfl-proxy/.olares/Olares.yaml
@@ -3,5 +3,5 @@ target: prebuilt
 output:
  containers:
    - 
-      name: beclab/l4-bfl-proxy:v0.3.11
-# must have blank new line            
+      name: beclab/l4-bfl-proxy:v0.3.12
+# must have blank new line            
--- a/framework/l4-bfl-proxy/main.go
+++ b/framework/l4-bfl-proxy/main.go
@@ -371,87 +371,96 @@ func (s *Server) lookupHostAddr(svc string) (string, error) {
 	return "", fmt.Errorf("svc %s, no host lookup", svc)
 }

-func (s *Server) listApplications() ([]string, []string, []string) {
+func (s *Server) listApplications() ([]string, []string, []string, map[string][]string) {
 	publicApps := []string{"headscale"} // hardcode headscale appid
 	var publicCustomDomainApps []string
 	var customDomainApps []string
+	var customDomainAppsWithUsers = make(map[string][]string)

-	// DEPRECATED:
-	//
-	// list, err := s.client.Resource(appGVR).List(context.TODO(), metav1.ListOptions{})
-	// if err != nil {
-	// 	return nil, nil, nil
-	// }
+	list, err := s.client.Resource(appGVR).List(context.TODO(), metav1.ListOptions{})
+	if err != nil {
+		return nil, nil, nil, nil
+	}

-	// data, err := list.MarshalJSON()
-	// if err != nil {
-	// 	return nil, nil, nil
-	// }
+	data, err := list.MarshalJSON()
+	if err != nil {
+		return nil, nil, nil, nil
+	}

-	// var appList appv2alpha1.ApplicationList
-	// if err = json.Unmarshal(data, &appList); err != nil {
-	// 	return nil, nil, nil
-	// }
+	var appList appv2alpha1.ApplicationList
+	if err = json.Unmarshal(data, &appList); err != nil {
+		return nil, nil, nil, nil
+	}

-	// getAppPrefix := func(entrancecount, index int, appid string) string {
-	// 	if entrancecount == 1 {
-	// 		return appid
-	// 	}
-	// 	return fmt.Sprintf("%s%d", appid, index)
-	// }
+	getAppPrefix := func(entrancecount, index int, appid string) string {
+		if entrancecount == 1 {
+			return appid
+		}
+		return fmt.Sprintf("%s%d", appid, index)
+	}

-	// for _, app := range appList.Items {
-	// 	if len(app.Spec.Entrances) == 0 {
-	// 		continue
-	// 	}
+	for _, app := range appList.Items {
+		if len(app.Spec.Entrances) == 0 {
+			continue
+		}

-	// 	var customDomains []string
-	// 	var customDomainsPrefix []string
-	// 	var entrancecounts = len(app.Spec.Entrances)
+		var customDomains []string
+		var customDomainsPrefix []string
+		var entrancecounts = len(app.Spec.Entrances)
+		var name = app.Spec.Owner

-	// 	for index, entrance := range app.Spec.Entrances {
-	// 		prefix := getAppPrefix(entrancecounts, index, app.Spec.Appid)
+		for index, entrance := range app.Spec.Entrances {
+			prefix := getAppPrefix(entrancecounts, index, app.Spec.Appid)

-	// 		customDomainEntrancesMap := getSettingsKeyMap(&app, settingsCustomDomain)
-	// 		entranceAuthorizationLevel := entrance.AuthLevel
+			customDomainEntrancesMap := getSettingsKeyMap(&app, settingsCustomDomain)
+			entranceAuthorizationLevel := entrance.AuthLevel

-	// 		customDomainEntrance, ok := customDomainEntrancesMap[entrance.Name]
-	// 		if ok {
-	// 			if entrancePrefix := customDomainEntrance[settingsCustomDomainThirdLevelDomain]; entrancePrefix != "" {
-	// 				if entranceAuthorizationLevel == ApplicationAuthorizationLevelPublic {
-	// 					customDomainsPrefix = append(customDomainsPrefix, entrancePrefix)
-	// 				}
-	// 			}
-	// 			if entranceCustomDomain := customDomainEntrance[settingsCustomDomainThirdPartyDomain]; entranceCustomDomain != "" {
-	// 				customDomainApps = append(customDomainApps, entranceCustomDomain)
+			customDomainEntrance, ok := customDomainEntrancesMap[entrance.Name]
+			if ok {
+				if entrancePrefix := customDomainEntrance[settingsCustomDomainThirdLevelDomain]; entrancePrefix != "" {
+					if entranceAuthorizationLevel == ApplicationAuthorizationLevelPublic {
+						customDomainsPrefix = append(customDomainsPrefix, entrancePrefix)
+					}
+				}
+				if entranceCustomDomain := customDomainEntrance[settingsCustomDomainThirdPartyDomain]; entranceCustomDomain != "" {
+					customDomainApps = append(customDomainApps, entranceCustomDomain)

-	// 				if entranceAuthorizationLevel == ApplicationAuthorizationLevelPublic {
-	// 					customDomains = append(customDomains, entranceCustomDomain)
-	// 				}
-	// 			}
-	// 		}
+					val, userExists := customDomainAppsWithUsers[name]
+					if !userExists {
+						customDomainAppsWithUsers[name] = []string{entranceCustomDomain}
+					} else {
+						val = append(val, entranceCustomDomain)
+						customDomainAppsWithUsers[name] = val
+					}

-	// 		if prefix != "" {
-	// 			if entranceAuthorizationLevel == ApplicationAuthorizationLevelPublic {
-	// 				publicApps = append(publicApps, prefix)
-	// 			}
+					if entranceAuthorizationLevel == ApplicationAuthorizationLevelPublic {
+						customDomains = append(customDomains, entranceCustomDomain)
+					}
+				}
+			}

-	// 			if len(customDomainsPrefix) > 0 {
-	// 				publicApps = append(publicApps, customDomainsPrefix...)
-	// 			}
+			if prefix != "" {
+				if entranceAuthorizationLevel == ApplicationAuthorizationLevelPublic {
+					publicApps = append(publicApps, prefix)
+				}

-	// 			if len(customDomains) > 0 {
-	// 				publicCustomDomainApps = append(publicCustomDomainApps, customDomains...)
-	// 			}
-	// 		}
-	// 	}
-	// }
+				if len(customDomainsPrefix) > 0 {
+					publicApps = append(publicApps, customDomainsPrefix...)
+				}

-	return publicApps, publicCustomDomainApps, customDomainApps
+				if len(customDomains) > 0 {
+					publicCustomDomainApps = append(publicCustomDomainApps, customDomains...)
+				}
+			}
+		}
+	}
+
+	return publicApps, publicCustomDomainApps, customDomainApps, customDomainAppsWithUsers
 }

 func (s *Server) listUsers() (Users, error) {
-	publicAppIdList, publicCustomDomainAppList, customDomainAppList := s.listApplications()
+	publicAppIdList, publicCustomDomainAppList, customDomainAppList, customDomainAppListWithUsers := s.listApplications()
+	_ = customDomainAppList

 	list, err := s.client.Resource(iamUserGVR).List(context.TODO(), metav1.ListOptions{})
 	if err != nil {
@@ -530,9 +539,14 @@ func (s *Server) listUsers() (Users, error) {
 			denyAllStatus = getUserAnnotation(&user, userDenyAllPolicy)
 			allowedDomainsAnno = getPublicAccessDomain(zone, publicAppIdList, publicCustomDomainAppList, denyAllStatus)

-			if len(customDomainAppList) > 0 {
-				ngxServerNameDomains = append(ngxServerNameDomains, customDomainAppList...)
+			userCustomDomains, ok := customDomainAppListWithUsers[user.Name]
+			if ok && len(userCustomDomains) > 0 {
+				ngxServerNameDomains = append(ngxServerNameDomains, userCustomDomains...)
 			}
+
+			// if len(customDomainAppList) > 0 {
+			// 	ngxServerNameDomains = append(ngxServerNameDomains, customDomainAppList...)
+			// }
 		} else {
 			// creator user
 			creator := getUserAnnotation(&user, userAnnotationCreator)
Author	SHA1	Message	Date
aby913	bd96f9712d	fix(bfl): update l4 version	2026-03-05 15:46:30 +08:00
eball	683e31c6ef	fix(cli): remove error logging for GB10 chip check (#2626 )	2026-03-05 14:15:11 +08:00
Yajing	1ae3a78286	docs: add LarePass VPN troubleshooting docs (#2606 ) * add larepass vpn troubleshooting * Apply suggestions Co-authored-by: Meow33 <supermonkey03@163.com> --------- Co-authored-by: Meow33 <supermonkey03@163.com>	2026-03-05 12:38:30 +08:00
aby913	7404674a20	fix(bfl): remove set custom domain on cloudflare (#2624 ) * fix(bfl): remove set custom domain on cloudflare (#2619) * fix(bfl): remove set custom domain on cloudflare	2026-03-05 11:04:15 +08:00
Power-One-2025	f116970ad0	docs: add manual restart instructions and refine discord channel config (#2617 ) * add note and faq for manual restart * update channel configuration for accuracy * change for consistency	2026-03-05 10:29:42 +08:00
wiy	b6e866ce75	feat(olares-app): update version to v1.9.12 (#2623 )	2026-03-04 23:51:04 +08:00
dkeven	39bd546ac8	fix(manifest): add password reset path for cli in auth provider (#2622 )	2026-03-04 23:50:19 +08:00
eball	5820b5612e	fix(daemon): increase retry count for USB device detection (#2620 )	2026-03-04 23:49:37 +08:00
Teng	ef78e21933	docs: update Olares Manifest to 0.11.0 (#2527 ) * update Olares Manifest to 0.11.0 * fix typo * Update manifest.md * Update manifest.md * Update manifest.md * Apply suggestions from code review Co-authored-by: Meow33 <supermonkey03@163.com> * Apply suggestions from code review * Apply suggestions from code review * Apply suggestions from code review Co-authored-by: Meow33 <supermonkey03@163.com> --------- Co-authored-by: Meow33 <supermonkey03@163.com>	2026-03-04 19:11:16 +08:00
eball	8ce8b6c976	feat(cli): add time synchronization check using chronyc (#2616 ) * feat(cli): add time synchronization check using chronyc * feat(cli): update time synchronization check to validate stratum value	2026-03-04 14:43:42 +08:00
dkeven	cbab40a597	feat(bfl): use unified remote api env to query external ip (#2614 ) * feat(bfl): use unified remote api env to query external ip (#2611) * chore(bfl): update bfl image version to v0.4.41	2026-03-04 00:19:03 +08:00
dkeven	14691ea3ec	feat(daemon): use unified remote api env to query external ip (#2613 )	2026-03-04 00:18:25 +08:00
Power-One-2025	98f123fbf1	docs: add persona setup for OpenClaw tutorial (#2605 ) * Add: Personalize OpenClaw * simplify a message * refinements for accuracy * remove redundant text * tag the step with Optional * address comments * adjust image size * adjust image size	2026-03-03 21:43:07 +08:00
Jeremiah Lee	8f5023ce17	docs: fix broken shields images and architecture link in README (#2608 ) - shields.io is case sensitive for the repo name (capital O Olares), resulting in "invalid" text rendering in badge - architecture URL in docs moved without redirect	2026-03-03 20:39:48 +08:00
Yajing	4467bc61df	docs: restructure factory reset and reinstall docs for Olares One (#2607 ) * restructure factory reset and reinstall docs * address comment	2026-03-03 20:35:52 +08:00
eball	85f1224616	cli: update etcd service template to use network-online.target (#2603 )	2026-03-03 15:00:56 +08:00
eball	4b3a42d728	authelia: fix bug of sub-policy failed if set it to two-factor (#2601 ) authelia: fix sub-policy failed when the main policy is internal	2026-03-03 13:11:00 +08:00
berg	3c821cbedb	system frontend: fix system app launch and display bugs. (#2600 ) * feat: update system frontend version * feat: update system frontend version --------- Co-authored-by: eball <liuy102@hotmail.com>	2026-03-03 13:10:36 +08:00
aby913	3129b295ce	l4-bfl-proxy: fix multi users app custom domain (#2599 ) * l4-bfl-proxy: fix multi users app custom domain (#2597) * l4-bfl-proxy: fix multi users app custom domain * fix: update error handling to check for both 403 and 404 HTTP status codes in upload scripts --------- Co-authored-by: eball <liuy102@hotmail.com>	2026-03-03 13:09:56 +08:00
eball	76bde01b86	daemon: enhance USB device mounting by dynamically setting options based on filesystem type (#2596 ) fix: enhance USB device mounting by dynamically setting options based on filesystem type	2026-03-03 13:09:11 +08:00
dkeven	32c652205d	fix(appservice): avoid race condition between upgrade & applyenv (#2594 ) * fix(appservice): avoid race condition between upgrade & applyenv (#2593) * chore(appservice): update image version to 0.5.5 --------- Co-authored-by: eball <liuy102@hotmail.com>	2026-03-03 13:08:33 +08:00
Meow33	817316c1d6	docs: updated wise and desktop docs (#2586 ) * docs: updated wise and desktop docs * Refined expressions. * Updated larepass index * refine wording * Updated translation. * Update docs/manual/larepass/index.md Co-authored-by: Yajing <110797546+fnalways@users.noreply.github.com> --------- Co-authored-by: yajing wang <413741312@qq.com> Co-authored-by: Yajing <110797546+fnalways@users.noreply.github.com>	2026-03-03 11:54:15 +08:00
eball	e03eb40ed8	fix: coscmd invalid parameters	2026-03-03 00:44:47 +08:00
eball	79b7d82748	Add VERSION environment variable to workflow	2026-03-02 23:59:23 +08:00
eball	20344416f8	fix: update error handling to check for both 403 and 404 HTTP status codes in upload scripts	2026-03-02 22:33:27 +08:00