fix(iam): preserve decrypt-failed credentials instead of deleting them (#1312 )

Signed-off-by: loverustfs <github@rustfs.com> Co-authored-by: loverustfs <github@rustfs.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: loverustfs <hello@rustfs.com>
Restore globals and add unified TLS/mTLS loading from RUSTFS_TLS_PATH (#1309 )
2026-01-17 09:40:32 +00:00 · 2025-12-30 22:41:10 +08:00 · 2025-12-30 21:55:43 +08:00 · 2025-12-30 16:54:48 +08:00 · 2025-12-30 13:03:15 +08:00 · 2025-12-29 23:48:32 +08:00
774 changed files with 132331 additions and 40118 deletions
--- a/.config/make/build-docker-buildx-dev.mak
+++ b/.config/make/build-docker-buildx-dev.mak
@@ -0,0 +1,64 @@
+## —— Development/Source builds using direct buildx commands ---------------------------------------
+
+.PHONY: docker-dev
+docker-dev: ## Build dev multi-arch image (cannot load locally)
+	@echo "🏗️ Building multi-architecture development Docker images with buildx..."
+	@echo "💡 This builds from source code and is intended for local development and testing"
+	@echo "⚠️  Multi-arch images cannot be loaded locally, use docker-dev-push to push to registry"
+	$(DOCKER_CLI) buildx build \
+		--platform linux/amd64,linux/arm64 \
+		--file $(DOCKERFILE_SOURCE) \
+		--tag rustfs:source-latest \
+		--tag rustfs:dev-latest \
+		.
+
+.PHONY: docker-dev-local
+docker-dev-local: ## Build dev single-arch image (local load)
+	@echo "🏗️ Building single-architecture development Docker image for local use..."
+	@echo "💡 This builds from source code for the current platform and loads locally"
+	$(DOCKER_CLI) buildx build \
+		--file $(DOCKERFILE_SOURCE) \
+		--tag rustfs:source-latest \
+		--tag rustfs:dev-latest \
+		--load \
+		.
+
+.PHONY: docker-dev-push
+docker-dev-push: ## Build and push multi-arch development image # e.g (make docker-dev-push REGISTRY=xxx)
+	@if [ -z "$(REGISTRY)" ]; then \
+		echo "❌ Error: Please specify registry, example: make docker-dev-push REGISTRY=ghcr.io/username"; \
+		exit 1; \
+	fi
+	@echo "🚀 Building and pushing multi-architecture development Docker images..."
+	@echo "💡 Pushing to registry: $(REGISTRY)"
+	$(DOCKER_CLI) buildx build \
+		--platform linux/amd64,linux/arm64 \
+		--file $(DOCKERFILE_SOURCE) \
+		--tag $(REGISTRY)/rustfs:source-latest \
+		--tag $(REGISTRY)/rustfs:dev-latest \
+		--push \
+		.
+
+.PHONY: dev-env-start
+dev-env-start: ## Start development container environment
+	@echo "🚀 Starting development environment..."
+	$(DOCKER_CLI) buildx build \
+		--file $(DOCKERFILE_SOURCE) \
+		--tag rustfs:dev \
+		--load \
+		.
+	$(DOCKER_CLI) stop $(CONTAINER_NAME) 2>/dev/null || true
+	$(DOCKER_CLI) rm $(CONTAINER_NAME) 2>/dev/null || true
+	$(DOCKER_CLI) run -d --name $(CONTAINER_NAME) \
+		-p 9010:9010 -p 9000:9000 \
+		-v $(shell pwd):/workspace \
+		-it rustfs:dev
+
+.PHONY: dev-env-stop
+dev-env-stop: ## Stop development container environment
+	@echo "🛑 Stopping development environment..."
+	$(DOCKER_CLI) stop $(CONTAINER_NAME) 2>/dev/null || true
+	$(DOCKER_CLI) rm $(CONTAINER_NAME) 2>/dev/null || true
+
+.PHONY: dev-env-restart
+dev-env-restart: dev-env-stop dev-env-start ## Restart development container environment
--- a/.config/make/build-docker-buildx-production.mak
+++ b/.config/make/build-docker-buildx-production.mak
@@ -0,0 +1,41 @@
+## —— Production builds using docker buildx (for CI/CD and production) -----------------------------
+
+.PHONY: docker-buildx
+docker-buildx: ## Build production multi-arch image (no push)
+	@echo "🏗️ Building multi-architecture production Docker images with buildx..."
+	./docker-buildx.sh
+
+.PHONY: docker-buildx-push
+docker-buildx-push: ## Build and push production multi-arch image
+	@echo "🚀 Building and pushing multi-architecture production Docker images with buildx..."
+	./docker-buildx.sh --push
+
+.PHONY: docker-buildx-version
+docker-buildx-version: ## Build and version production multi-arch image # e.g (make docker-buildx-version VERSION=v1.0.0)
+	@if [ -z "$(VERSION)" ]; then \
+		echo "❌ Error: Please specify version, example: make docker-buildx-version VERSION=v1.0.0"; \
+		exit 1; \
+	fi
+	@echo "🏗️ Building multi-architecture production Docker images (version: $(VERSION))..."
+	./docker-buildx.sh --release $(VERSION)
+
+.PHONY: docker-buildx-push-version
+docker-buildx-push-version: ## Build and version and push production multi-arch image # e.g (make docker-buildx-push-version VERSION=v1.0.0)
+	@if [ -z "$(VERSION)" ]; then \
+		echo "❌ Error: Please specify version, example: make docker-buildx-push-version VERSION=v1.0.0"; \
+		exit 1; \
+	fi
+	@echo "🚀 Building and pushing multi-architecture production Docker images (version: $(VERSION))..."
+	./docker-buildx.sh --release $(VERSION) --push
+
+.PHONY: docker-buildx-production-local
+docker-buildx-production-local: ## Build production single-arch image locally
+	@echo "🏗️ Building single-architecture production Docker image locally..."
+	@echo "💡 Alternative to docker-buildx.sh for local testing"
+	$(DOCKER_CLI) buildx build \
+		--file $(DOCKERFILE_PRODUCTION) \
+		--tag rustfs:production-latest \
+		--tag rustfs:latest \
+		--load \
+		--build-arg RELEASE=latest \
+		.
--- a/.config/make/build-docker-production.mak
+++ b/.config/make/build-docker-production.mak
@@ -0,0 +1,16 @@
+## —— Single Architecture Docker Builds (Traditional) ----------------------------------------------
+
+.PHONY: docker-build-production
+docker-build-production: ## Build single-arch production image
+	@echo "🏗️ Building single-architecture production Docker image..."
+	@echo "💡 Consider using 'make docker-buildx-production-local' for multi-arch support"
+	$(DOCKER_CLI) build -f $(DOCKERFILE_PRODUCTION) -t rustfs:latest .
+
+.PHONY: docker-build-source
+docker-build-source: ## Build single-arch source image
+	@echo "🏗️ Building single-architecture source Docker image..."
+	@echo "💡 Consider using 'make docker-dev-local' for multi-arch support"
+	DOCKER_BUILDKIT=1 $(DOCKER_CLI) build \
+		--build-arg BUILDKIT_INLINE_CACHE=1 \
+		-f $(DOCKERFILE_SOURCE) -t rustfs:source .
+
--- a/.config/make/build-docker.mak
+++ b/.config/make/build-docker.mak
@@ -0,0 +1,22 @@
+## —— Docker-based build (alternative approach) ----------------------------------------------------
+
+# Usage: make BUILD_OS=ubuntu22.04 build-docker
+# Output: target/ubuntu22.04/release/rustfs
+
+.PHONY: build-docker
+build-docker: SOURCE_BUILD_IMAGE_NAME = rustfs-$(BUILD_OS):v1
+build-docker: SOURCE_BUILD_CONTAINER_NAME = rustfs-$(BUILD_OS)-build
+build-docker: BUILD_CMD = /root/.cargo/bin/cargo build --release --bin rustfs --target-dir /root/s3-rustfs/target/$(BUILD_OS)
+build-docker: ## Build using Docker container # e.g (make build-docker BUILD_OS=ubuntu22.04)
+	@echo "🐳 Building RustFS using Docker ($(BUILD_OS))..."
+	$(DOCKER_CLI) buildx build -t $(SOURCE_BUILD_IMAGE_NAME) -f $(DOCKERFILE_SOURCE) .
+	$(DOCKER_CLI) run --rm --name $(SOURCE_BUILD_CONTAINER_NAME) -v $(shell pwd):/root/s3-rustfs -it $(SOURCE_BUILD_IMAGE_NAME) $(BUILD_CMD)
+
+.PHONY: docker-inspect-multiarch
+docker-inspect-multiarch: ## Check image architecture support
+	@if [ -z "$(IMAGE)" ]; then \
+		echo "❌ Error: Please specify image, example: make docker-inspect-multiarch IMAGE=rustfs/rustfs:latest"; \
+		exit 1; \
+	fi
+	@echo "🔍 Inspecting multi-architecture image: $(IMAGE)"
+	docker buildx imagetools inspect $(IMAGE)
--- a/.config/make/build.mak
+++ b/.config/make/build.mak
@@ -0,0 +1,55 @@
+## —— Local Native Build using build-rustfs.sh script (Recommended) --------------------------------
+
+.PHONY: build
+build: ## Build RustFS binary (includes console by default)
+	@echo "🔨 Building RustFS using build-rustfs.sh script..."
+	./build-rustfs.sh
+
+.PHONY: build-dev
+build-dev: ## Build RustFS in Development mode
+	@echo "🔨 Building RustFS in development mode..."
+	./build-rustfs.sh --dev
+
+.PHONY: build-musl
+build-musl: ## Build x86_64 musl version
+	@echo "🔨 Building rustfs for x86_64-unknown-linux-musl..."
+	@echo "💡 On macOS/Windows, use 'make build-docker' or 'make docker-dev' instead"
+	./build-rustfs.sh --platform x86_64-unknown-linux-musl
+
+.PHONY: build-gnu
+build-gnu: ## Build x86_64 GNU version
+	@echo "🔨 Building rustfs for x86_64-unknown-linux-gnu..."
+	@echo "💡 On macOS/Windows, use 'make build-docker' or 'make docker-dev' instead"
+	./build-rustfs.sh --platform x86_64-unknown-linux-gnu
+
+.PHONY: build-musl-arm64
+build-musl-arm64: ## Build aarch64 musl version
+	@echo "🔨 Building rustfs for aarch64-unknown-linux-musl..."
+	@echo "💡 On macOS/Windows, use 'make build-docker' or 'make docker-dev' instead"
+	./build-rustfs.sh --platform aarch64-unknown-linux-musl
+
+.PHONY: build-gnu-arm64
+build-gnu-arm64: ## Build aarch64 GNU version
+	@echo "🔨 Building rustfs for aarch64-unknown-linux-gnu..."
+	@echo "💡 On macOS/Windows, use 'make build-docker' or 'make docker-dev' instead"
+	./build-rustfs.sh --platform aarch64-unknown-linux-gnu
+
+
+.PHONY: build-cross-all
+build-cross-all: core-deps ## Build binaries for all architectures
+	@echo "🔧 Building all target architectures..."
+	@echo "💡 On macOS/Windows, use 'make docker-dev' for reliable multi-arch builds"
+	@echo "🔨 Generating protobuf code..."
+	cargo run --bin gproto || true
+
+	@echo "🔨 Building rustfs for x86_64-unknown-linux-musl..."
+	./build-rustfs.sh --platform x86_64-unknown-linux-musl
+
+	@echo "🔨 Building rustfs for x86_64-unknown-linux-gnu..."
+	./build-rustfs.sh --platform x86_64-unknown-linux-gnu
+
+	@echo "🔨 Building rustfs for aarch64-unknown-linux-musl..."
+	./build-rustfs.sh --platform aarch64-unknown-linux-musl
+
+	@echo "🔨 Building rustfs for aarch64-unknown-linux-gnu..."
+	./build-rustfs.sh --platform aarch64-unknown-linux-gnu
--- a/.config/make/check.mak
+++ b/.config/make/check.mak
@@ -0,0 +1,24 @@
+## —— Check and Inform Dependencies ----------------------------------------------------------------
+
+# Fatal check
+# Checks all required dependencies and exits with error if not found
+# (e.g., cargo, rustfmt)
+check-%:
+	@command -v $* >/dev/null 2>&1 || { \
+		echo >&2 "❌ '$*' is not installed."; \
+		exit 1; \
+	}
+
+# Warning-only check
+# Checks for optional dependencies and issues a warning if not found
+# (e.g., cargo-nextest for enhanced testing)
+warn-%:
+	@command -v $* >/dev/null 2>&1 || { \
+		echo >&2 "⚠️ '$*' is not installed."; \
+	}
+
+# For checking dependencies use check-<dep-name> or warn-<dep-name>
+.PHONY: core-deps fmt-deps test-deps
+core-deps: check-cargo ## Check core dependencies
+fmt-deps: check-rustfmt ## Check lint and formatting dependencies
+test-deps: warn-cargo-nextest ## Check tests dependencies
--- a/.config/make/deploy.mak
+++ b/.config/make/deploy.mak
@@ -0,0 +1,6 @@
+## —— Deploy using dev_deploy.sh script ------------------------------------------------------------
+
+.PHONY: deploy-dev
+deploy-dev: build-musl ## Deploy to dev server
+	@echo "🚀 Deploying to dev server: $${IP}"
+	./scripts/dev_deploy.sh $${IP}
--- a/.config/make/help.mak
+++ b/.config/make/help.mak
@@ -0,0 +1,38 @@
+## —— Help, Help Build and Help Docker -------------------------------------------------------------
+
+
+.PHONY: help
+help: ## Shows This Help Menu
+	echo -e "$$HEADER"
+	grep -E '(^[a-zA-Z0-9_-]+:.*?## .*$$)|(^## )' $(MAKEFILE_LIST) | sed 's/^[^:]*://g' | awk 'BEGIN {FS = ":.*?## | #"} ; {printf "${cyan}%-30s${reset} ${white}%s${reset} ${green}%s${reset}\n", $$1, $$2, $$3}' | sed -e 's/\[36m##/\n[32m##/'
+
+.PHONY: help-build
+help-build: ## Shows RustFS build help
+	@echo ""
+	@echo "💡 build-rustfs.sh script provides more options, smart detection and binary verification"
+	@echo ""
+	@echo "🔧 Direct usage of build-rustfs.sh script:"
+	@echo ""
+	@echo "	./build-rustfs.sh --help                                # View script help"
+	@echo "	./build-rustfs.sh --no-console                          # Build without console resources"
+	@echo "	./build-rustfs.sh --force-console-update                # Force update console resources"
+	@echo "	./build-rustfs.sh --dev                                 # Development mode build"
+	@echo "	./build-rustfs.sh --sign                                # Sign binary files"
+	@echo "	./build-rustfs.sh --platform x86_64-unknown-linux-gnu   # Specify target platform"
+	@echo "	./build-rustfs.sh --skip-verification                   # Skip binary verification"
+	@echo ""
+
+.PHONY: help-docker
+help-docker: ## Shows docker environment and suggestion help
+	@echo ""
+	@echo "📋 Environment Variables:"
+	@echo "	REGISTRY                 Image registry address (required for push)"
+	@echo "	DOCKERHUB_USERNAME       Docker Hub username"
+	@echo "	DOCKERHUB_TOKEN          Docker Hub access token"
+	@echo "	GITHUB_TOKEN             GitHub access token"
+	@echo ""
+	@echo "💡 Suggestions:"
+	@echo "	Production use:          Use docker-buildx* commands (based on precompiled binaries)"
+	@echo "	Local development:       Use docker-dev* commands (build from source)"
+	@echo "	Development environment: Use dev-env-* commands to manage dev containers"
+	@echo ""
--- a/.config/make/lint-fmt.mak
+++ b/.config/make/lint-fmt.mak
@@ -0,0 +1,22 @@
+## —— Code quality and Formatting ------------------------------------------------------------------
+
+.PHONY: fmt
+fmt: core-deps fmt-deps ## Format code
+	@echo "🔧 Formatting code..."
+	cargo fmt --all
+
+.PHONY: fmt-check
+fmt-check: core-deps fmt-deps ## Check code formatting
+	@echo "📝 Checking code formatting..."
+	cargo fmt --all --check
+
+.PHONY: clippy-check
+clippy-check: core-deps ## Run clippy checks
+	@echo "🔍 Running clippy checks..."
+	cargo clippy --fix --allow-dirty
+	cargo clippy --all-targets --all-features -- -D warnings
+
+.PHONY: compilation-check
+compilation-check: core-deps ## Run compilation check
+	@echo "🔨 Running compilation check..."
+	cargo check --all-targets
--- a/.config/make/pre-commit.mak
+++ b/.config/make/pre-commit.mak
@@ -0,0 +1,11 @@
+## —— Pre Commit Checks ----------------------------------------------------------------------------
+
+.PHONY: setup-hooks
+setup-hooks: ## Set up git hooks
+	@echo "🔧 Setting up git hooks..."
+	chmod +x .git/hooks/pre-commit
+	@echo "✅ Git hooks setup complete!"
+
+.PHONY: pre-commit
+pre-commit: fmt clippy-check compilation-check test ## Run pre-commit checks
+	@echo "✅ All pre-commit checks passed!"
--- a/.config/make/tests.mak
+++ b/.config/make/tests.mak
@@ -0,0 +1,20 @@
+## —— Tests and e2e test ---------------------------------------------------------------------------
+
+.PHONY: test
+test: core-deps test-deps ## Run all tests
+	@echo "🧪 Running tests..."
+	@if command -v cargo-nextest >/dev/null 2>&1; then \
+		cargo nextest run --all --exclude e2e_test; \
+	else \
+		echo "ℹ️ cargo-nextest not found; falling back to 'cargo test'"; \
+		cargo test --workspace --exclude e2e_test -- --nocapture; \
+	fi
+	cargo test --all --doc
+
+.PHONY: e2e-server
+e2e-server: ## Run e2e-server tests
+	sh $(shell pwd)/scripts/run.sh
+
+.PHONY: probe-e2e
+probe-e2e: ## Probe e2e tests
+	sh $(shell pwd)/scripts/probe.sh
--- a/.docker/compose/docker-compose.cluster.yaml
+++ b/.docker/compose/docker-compose.cluster.yaml
@@ -27,7 +27,7 @@ services:
    ports:
      - "9000:9000" # Map port 9001 of the host to port 9000 of the container
    volumes:
-      - ../../target/x86_64-unknown-linux-musl/release/rustfs:/app/rustfs
+      - ../../target/x86_64-unknown-linux-gnu/release/rustfs:/app/rustfs
    command: "/app/rustfs"

  node1:
@@ -44,7 +44,7 @@ services:
    ports:
      - "9001:9000" # Map port 9002 of the host to port 9000 of the container
    volumes:
-      - ../../target/x86_64-unknown-linux-musl/release/rustfs:/app/rustfs
+      - ../../target/x86_64-unknown-linux-gnu/release/rustfs:/app/rustfs
    command: "/app/rustfs"

  node2:
@@ -61,7 +61,7 @@ services:
    ports:
      - "9002:9000" # Map port 9003 of the host to port 9000 of the container
    volumes:
-      - ../../target/x86_64-unknown-linux-musl/release/rustfs:/app/rustfs
+      - ../../target/x86_64-unknown-linux-gnu/release/rustfs:/app/rustfs
    command: "/app/rustfs"

  node3:
@@ -78,5 +78,5 @@ services:
    ports:
      - "9003:9000" # Map port 9004 of the host to port 9000 of the container
    volumes:
-      - ../../target/x86_64-unknown-linux-musl/release/rustfs:/app/rustfs
+      - ../../target/x86_64-unknown-linux-gnu/release/rustfs:/app/rustfs
    command: "/app/rustfs"
--- a/.docker/observability/docker-compose.yml
+++ b/.docker/observability/docker-compose.yml
@@ -14,84 +14,165 @@

 services:

+  tempo-init:
+    image: busybox:latest
+    command: [ "sh", "-c", "chown -R 10001:10001 /var/tempo" ]
+    volumes:
+      - ./tempo-data:/var/tempo
+    user: root
+    networks:
+      - otel-network
+    restart: "no"
+
  tempo:
    image: grafana/tempo:latest
-    #user: root # The container must be started with root to execute chown in the script
-    #entrypoint: [ "/etc/tempo/entrypoint.sh" ]  # Specify a custom entry point
+    user: "10001" # The container must be started with root to execute chown in the script
    command: [ "-config.file=/etc/tempo.yaml" ] # This is passed as a parameter to the entry point script
    volumes:
-      - ./tempo-entrypoint.sh:/etc/tempo/entrypoint.sh # Mount entry point script
-      - ./tempo.yaml:/etc/tempo.yaml
+      - ./tempo.yaml:/etc/tempo.yaml:ro
      - ./tempo-data:/var/tempo
    ports:
      - "3200:3200" # tempo
      - "24317:4317" # otlp grpc
+      - "24318:4318" # otlp http
+    restart: unless-stopped
    networks:
      - otel-network
+    healthcheck:
+      test: [ "CMD", "wget", "--spider", "-q", "http://localhost:3200/metrics" ]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 15s

  otel-collector:
-    image: otel/opentelemetry-collector-contrib:0.129.1
+    image: otel/opentelemetry-collector-contrib:latest
    environment:
      - TZ=Asia/Shanghai
    volumes:
-      - ./otel-collector-config.yaml:/etc/otelcol-contrib/config.yaml
+      - ./otel-collector-config.yaml:/etc/otelcol-contrib/config.yaml:ro
    ports:
-      - "1888:1888"
-      - "8888:8888"
-      - "8889:8889"
-      - "13133:13133"
-      - "4317:4317"
-      - "4318:4318"
-      - "55679:55679"
+      - "1888:1888" # pprof
+      - "8888:8888" # Prometheus metrics for Collector
+      - "8889:8889" # Prometheus metrics for application indicators
+      - "13133:13133" # health check
+      - "4317:4317" # OTLP gRPC
+      - "4318:4318" # OTLP HTTP
+      - "55679:55679" # zpages
    networks:
      - otel-network
+    depends_on:
+      jaeger:
+        condition: service_started
+      tempo:
+        condition: service_started
+      prometheus:
+        condition: service_started
+      loki:
+        condition: service_started
+    healthcheck:
+      test: [ "CMD", "wget", "--spider", "-q", "http://localhost:13133" ]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+
  jaeger:
-    image: jaegertracing/jaeger:2.8.0
+    image: jaegertracing/jaeger:latest
    environment:
      - TZ=Asia/Shanghai
+      - SPAN_STORAGE_TYPE=memory
+      - COLLECTOR_OTLP_ENABLED=true
    ports:
-      - "16686:16686"
-      - "14317:4317"
-      - "14318:4318"
+      - "16686:16686" # Web UI
+      - "14317:4317" # OTLP gRPC
+      - "14318:4318" # OTLP HTTP
+      - "18888:8888" # collector
    networks:
      - otel-network
+    healthcheck:
+      test: [ "CMD", "wget", "--spider", "-q", "http://localhost:16686" ]
+      interval: 10s
+      timeout: 5s
+      retries: 3
  prometheus:
-    image: prom/prometheus:v3.4.2
+    image: prom/prometheus:latest
    environment:
      - TZ=Asia/Shanghai
    volumes:
-      - ./prometheus.yml:/etc/prometheus/prometheus.yml
+      - ./prometheus.yml:/etc/prometheus/prometheus.yml:ro
+      - ./prometheus-data:/prometheus
    ports:
      - "9090:9090"
+    command:
+      - '--config.file=/etc/prometheus/prometheus.yml'
+      - '--web.enable-otlp-receiver' # Enable OTLP
+      - '--web.enable-remote-write-receiver' # Enable remote write
+      - '--enable-feature=promql-experimental-functions' # Enable info()
+      - '--storage.tsdb.min-block-duration=15m' # Minimum block duration
+      - '--storage.tsdb.max-block-duration=1h'  # Maximum block duration
+      - '--log.level=info'
+      - '--storage.tsdb.retention.time=30d'
+      - '--storage.tsdb.path=/prometheus'
+      - '--web.console.libraries=/usr/share/prometheus/console_libraries'
+      - '--web.console.templates=/usr/share/prometheus/consoles'
+    restart: unless-stopped
    networks:
      - otel-network
+    healthcheck:
+      test: [ "CMD", "wget", "--spider", "-q", "http://localhost:9090/-/healthy" ]
+      interval: 10s
+      timeout: 5s
+      retries: 3
  loki:
-    image: grafana/loki:3.5.1
+    image: grafana/loki:latest
    environment:
      - TZ=Asia/Shanghai
    volumes:
-      - ./loki-config.yaml:/etc/loki/local-config.yaml
+      - ./loki-config.yaml:/etc/loki/local-config.yaml:ro
    ports:
      - "3100:3100"
    command: -config.file=/etc/loki/local-config.yaml
    networks:
      - otel-network
+    healthcheck:
+      test: [ "CMD", "wget", "--spider", "-q", "http://localhost:3100/ready" ]
+      interval: 10s
+      timeout: 5s
+      retries: 3
  grafana:
-    image: grafana/grafana:12.0.2
+    image: grafana/grafana:latest
    ports:
      - "3000:3000"  # Web UI
    volumes:
      - ./grafana-datasources.yaml:/etc/grafana/provisioning/datasources/datasources.yaml
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=admin
+      - GF_SECURITY_ADMIN_USER=admin
      - TZ=Asia/Shanghai
+      - GF_INSTALL_PLUGINS=grafana-pyroscope-datasource
+    restart: unless-stopped
    networks:
      - otel-network
+    depends_on:
+      - prometheus
+      - tempo
+      - loki
+    healthcheck:
+      test: [ "CMD", "wget", "--spider", "-q", "http://localhost:3000/api/health" ]
+      interval: 10s
+      timeout: 5s
+      retries: 3

+volumes:
+  prometheus-data:
+  tempo-data:

 networks:
  otel-network:
    driver: bridge
    name: "network_otel_config"
+    ipam:
+      config:
+        - subnet: 172.28.0.0/16
    driver_opts:
-      com.docker.network.enable_ipv6: "true"    
+      com.docker.network.enable_ipv6: "true"
--- a/.docker/observability/grafana-datasources.yaml
+++ b/.docker/observability/grafana-datasources.yaml
@@ -29,4 +29,80 @@ datasources:
      serviceMap:
        datasourceUid: prometheus
      streamingEnabled:
-        search: true
+        search: true
+      tracesToLogsV2:
+        # Field with an internal link pointing to a logs data source in Grafana.
+        # datasourceUid value must match the uid value of the logs data source.
+        datasourceUid: 'loki'
+        spanStartTimeShift: '-1h'
+        spanEndTimeShift: '1h'
+        tags: [ 'job', 'instance', 'pod', 'namespace' ]
+        filterByTraceID: false
+        filterBySpanID: false
+        customQuery: true
+        query: 'method="$${__span.tags.method}"'
+        tracesToMetrics:
+          datasourceUid: 'prometheus'
+          spanStartTimeShift: '-1h'
+          spanEndTimeShift: '1h'
+          tags: [ { key: 'service.name', value: 'service' }, { key: 'job' } ]
+          queries:
+            - name: 'Sample query'
+              query: 'sum(rate(traces_spanmetrics_latency_bucket{$$__tags}[5m]))'
+        tracesToProfiles:
+          datasourceUid: 'grafana-pyroscope-datasource'
+          tags: [ 'job', 'instance', 'pod', 'namespace' ]
+          profileTypeId: 'process_cpu:cpu:nanoseconds:cpu:nanoseconds'
+          customQuery: true
+          query: 'method="$${__span.tags.method}"'
+        serviceMap:
+          datasourceUid: 'prometheus'
+        nodeGraph:
+          enabled: true
+        search:
+          hide: false
+        traceQuery:
+          timeShiftEnabled: true
+          spanStartTimeShift: '-1h'
+          spanEndTimeShift: '1h'
+        spanBar:
+          type: 'Tag'
+          tag: 'http.path'
+        streamingEnabled:
+          search: true
+  - name: Jaeger
+    type: jaeger
+    uid: Jaeger
+    url: http://jaeger:16686
+    basicAuth: false
+    access: proxy
+    readOnly: false
+    isDefault: false
+    jsonData:
+      tracesToLogsV2:
+        # Field with an internal link pointing to a logs data source in Grafana.
+        # datasourceUid value must match the uid value of the logs data source.
+        datasourceUid: 'loki'
+        spanStartTimeShift: '1h'
+        spanEndTimeShift: '-1h'
+        tags: [ 'job', 'instance', 'pod', 'namespace' ]
+        filterByTraceID: false
+        filterBySpanID: false
+        customQuery: true
+        query: 'method="$${__span.tags.method}"'
+      tracesToMetrics:
+        datasourceUid: 'Prometheus'
+        spanStartTimeShift: '1h'
+        spanEndTimeShift: '-1h'
+        tags: [ { key: 'service.name', value: 'service' }, { key: 'job' } ]
+        queries:
+          - name: 'Sample query'
+            query: 'sum(rate(traces_spanmetrics_latency_bucket{$$__tags}[5m]))'
+      nodeGraph:
+        enabled: true
+      traceQuery:
+        timeShiftEnabled: true
+        spanStartTimeShift: '1h'
+        spanEndTimeShift: '-1h'
+      spanBar:
+        type: 'None'
--- a/.docker/observability/jaeger-config.yaml
+++ b/.docker/observability/jaeger-config.yaml
@@ -65,6 +65,7 @@ extensions:
      some_store:
        memory:
          max_traces: 1000000
+          max_events: 100000
      another_store:
        memory:
          max_traces: 1000000
@@ -102,6 +103,7 @@ receivers:

 processors:
  batch:
+  metadata_keys: [ "span.kind", "http.method", "http.status_code", "db.system", "db.statement", "messaging.system", "messaging.destination", "messaging.operation","span.events","span.links" ]
  # Adaptive Sampling Processor is required to support adaptive sampling.
  # It expects remote_sampling extension with `adaptive:` config to be enabled.
  adaptive_sampling:
--- a/.docker/observability/loki-config.yaml
+++ b/.docker/observability/loki-config.yaml
@@ -41,6 +41,9 @@ query_range:

 limits_config:
  metric_aggregation_enabled: true
+  max_line_size: 256KB
+  max_line_size_truncate: false
+  allow_structured_metadata: true

 schema_config:
  configs:
@@ -51,6 +54,7 @@ schema_config:
      index:
        prefix: index_
        period: 24h
+      row_shards: 16

 pattern_ingester:
  enabled: true
@@ -63,6 +67,7 @@ ruler:
 frontend:
  encoding: protobuf

+
 # By default, Loki will send anonymous, but uniquely-identifiable usage and configuration
 # analytics to Grafana Labs. These statistics are sent to https://stats.grafana.org/
 #
--- a/.docker/observability/otel-collector-config.yaml
+++ b/.docker/observability/otel-collector-config.yaml
@@ -15,67 +15,108 @@
 receivers:
  otlp:
    protocols:
-      grpc: # OTLP gRPC 接收器
+      grpc: # OTLP gRPC receiver
        endpoint: 0.0.0.0:4317
-      http: # OTLP HTTP 接收器
+      http: # OTLP HTTP receiver
        endpoint: 0.0.0.0:4318

 processors:
-  batch: # 批处理处理器，提升吞吐量
+  batch: # Batch processor to improve throughput
    timeout: 5s
    send_batch_size: 1000
+    metadata_keys: [ ]
+    metadata_cardinality_limit: 1000
  memory_limiter:
    check_interval: 1s
    limit_mib: 512
+  transform/logs:
+    log_statements:
+      - context: log
+        statements:
+          # Extract Body as attribute "message"
+          - set(attributes["message"], body.string)
+          # Retain the original Body
+          - set(attributes["log.body"], body.string)

 exporters:
-  otlp/traces: # OTLP 导出器，用于跟踪数据
-    endpoint: "jaeger:4317"  # Jaeger 的 OTLP gRPC 端点
+  otlp/traces: # OTLP exporter for trace data
+    endpoint: "http://jaeger:4317"  # OTLP gRPC endpoint for Jaeger
    tls:
-      insecure: true  # 开发环境禁用 TLS，生产环境需配置证书
-  otlp/tempo: # OTLP 导出器，用于跟踪数据
-    endpoint: "tempo:4317"  # tempo 的 OTLP gRPC 端点
+      insecure: true  # TLS is disabled in the development environment and a certificate needs to be configured in the production environment.
+    compression: gzip  # Enable compression to reduce network bandwidth
+    retry_on_failure:
+      enabled: true  # Enable retry on failure
+      initial_interval: 1s  # Initial interval for retry
+      max_interval: 30s  # Maximum interval for retry
+      max_elapsed_time: 300s  # Maximum elapsed time for retry
+    sending_queue:
+      enabled: true  # Enable sending queue
+      num_consumers: 10  # Number of consumers
+      queue_size: 5000  # Queue size
+  otlp/tempo: # OTLP exporter for trace data
+    endpoint: "http://tempo:4317"  # OTLP gRPC endpoint for tempo
    tls:
-      insecure: true  # 开发环境禁用 TLS，生产环境需配置证书
-  prometheus: # Prometheus 导出器，用于指标数据
-    endpoint: "0.0.0.0:8889"  # Prometheus 刮取端点
-    namespace: "rustfs"  # 指标前缀
-    send_timestamps: true  # 发送时间戳
-    # enable_open_metrics: true
-  loki: # Loki 导出器，用于日志数据
-    # endpoint: "http://loki:3100/otlp/v1/logs"
-    endpoint: "http://loki:3100/loki/api/v1/push"
+      insecure: true  # TLS is disabled in the development environment and a certificate needs to be configured in the production environment.
+    compression: gzip  # Enable compression to reduce network bandwidth
+    retry_on_failure:
+      enabled: true  # Enable retry on failure
+      initial_interval: 1s  # Initial interval for retry
+      max_interval: 30s  # Maximum interval for retry
+      max_elapsed_time: 300s  # Maximum elapsed time for retry
+    sending_queue:
+      enabled: true  # Enable sending queue
+      num_consumers: 10  # Number of consumers
+      queue_size: 5000  # Queue size
+  prometheus: # Prometheus exporter for metrics data
+    endpoint: "0.0.0.0:8889"  # Prometheus scraping endpoint
+    namespace: "metrics"  # indicator prefix
+    send_timestamps: true  # Send timestamp
+    metric_expiration: 5m  # Metric expiration time
+    resource_to_telemetry_conversion:
+      enabled: true  # Enable resource to telemetry conversion
+  otlphttp/loki: # Loki exporter for log data
+    endpoint: "http://loki:3100/otlp"
    tls:
      insecure: true
+    compression: gzip  # Enable compression to reduce network bandwidth
 extensions:
  health_check:
+    endpoint: 0.0.0.0:13133
  pprof:
+    endpoint: 0.0.0.0:1888
  zpages:
+    endpoint: 0.0.0.0:55679
 service:
-  extensions: [ health_check, pprof, zpages ]  # 启用扩展
+  extensions: [ health_check, pprof, zpages ]  # Enable extension
  pipelines:
    traces:
      receivers: [ otlp ]
-      processors: [ memory_limiter,batch ]
-      exporters: [ otlp/traces,otlp/tempo ]
+      processors: [ memory_limiter, batch ]
+      exporters: [ otlp/traces, otlp/tempo ]
    metrics:
      receivers: [ otlp ]
      processors: [ batch ]
      exporters: [ prometheus ]
    logs:
      receivers: [ otlp ]
-      processors: [ batch ]
-      exporters: [ loki ]
+      processors: [ batch, transform/logs ]
+      exporters: [ otlphttp/loki ]
  telemetry:
    logs:
-      level: "info"  # Collector 日志级别
+      level: "debug"  # Collector log level
+      encoding: "json"  # Log encoding: console or json
    metrics:
-      level: "detailed" # 可以是 basic, normal, detailed
+      level: "detailed" # Can be basic, normal, detailed
      readers:
        - periodic:
            exporter:
              otlp:
                protocol: http/protobuf
                endpoint: http://otel-collector:4318
+        - pull:
+            exporter:
+              prometheus:
+                host: '0.0.0.0'
+                port: 8888


--- a/.docker/observability/prometheus-data/.gitignore
+++ b/.docker/observability/prometheus-data/.gitignore
@@ -0,0 +1 @@
+*
--- a/.docker/observability/prometheus.yml
+++ b/.docker/observability/prometheus.yml
@@ -13,16 +13,53 @@
 # limitations under the License.

 global:
-  scrape_interval: 5s  # 刮取间隔
+  scrape_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
+  evaluation_interval: 15s
+  external_labels:
+    cluster: 'rustfs-dev'  # Label to identify the cluster
+    relica: '1'  # Replica identifier

 scrape_configs:
-  - job_name: 'otel-collector'
+  - job_name: 'otel-collector-internal'
    static_configs:
-      - targets: [ 'otel-collector:8888' ]  # 从 Collector 刮取指标
-  - job_name: 'otel-metrics'
+      - targets: [ 'otel-collector:8888' ]  # Scrape metrics from Collector
+    scrape_interval: 10s
+  - job_name: 'rustfs-app-metrics'
    static_configs:
-      - targets: [ 'otel-collector:8889' ]  # 应用指标
+      - targets: [ 'otel-collector:8889' ]  # Application indicators
+    scrape_interval: 15s
+    metric_relabel_configs:
  - job_name: 'tempo'
    static_configs:
-      - targets: [ 'tempo:3200' ]
-      
+      - targets: [ 'tempo:3200' ]  # Scrape metrics from Tempo
+  - job_name: 'jaeger'
+    static_configs:
+      - targets: [ 'jaeger:8888' ]  # Jaeger admin port
+
+otlp:
+  # Recommended attributes to be promoted to labels.
+  promote_resource_attributes:
+    - service.instance.id
+    - service.name
+    - service.namespace
+    - cloud.availability_zone
+    - cloud.region
+    - container.name
+    - deployment.environment.name
+    - k8s.cluster.name
+    - k8s.container.name
+    - k8s.cronjob.name
+    - k8s.daemonset.name
+    - k8s.deployment.name
+    - k8s.job.name
+    - k8s.namespace.name
+    - k8s.pod.name
+    - k8s.replicaset.name
+    - k8s.statefulset.name
+  # Ingest OTLP data keeping all characters in metric/label names.
+  translation_strategy: NoUTF8EscapingWithSuffixes
+
+storage:
+  # OTLP is a push-based protocol, Out of order samples is a common scenario.
+  tsdb:
+    out_of_order_time_window: 30m
--- a/.docker/observability/tempo-entrypoint.sh
+++ b/.docker/observability/tempo-entrypoint.sh
@@ -1,8 +0,0 @@
-#!/bin/sh
-# Run as root to fix directory permissions
-chown -R 10001:10001 /var/tempo
-
-# Use su-exec (a lightweight sudo/gosu alternative, commonly used in Alpine mirroring)
-# Switch to user 10001 and execute the original command (CMD) passed to the script
-# "$@" represents all parameters passed to this script, i.e. command in docker-compose
-exec su-exec 10001:10001 /tempo "$@"
--- a/.docker/observability/tempo.yaml
+++ b/.docker/observability/tempo.yaml
@@ -18,7 +18,9 @@ distributor:
    otlp:
      protocols:
        grpc:
-          endpoint: "tempo:4317"
+          endpoint: "0.0.0.0:4317"
+        http:
+          endpoint: "0.0.0.0:4318"

 ingester:
  max_block_duration: 5m # cut the headblock when this much time passes. this is being set for demo purposes and should probably be left alone normally
--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1 @@
+target
--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+use flake
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -52,24 +52,19 @@ runs:
        sudo apt-get install -y \
          musl-tools \
          build-essential \
-          lld \
-          libdbus-1-dev \
-          libwayland-dev \
-          libwebkit2gtk-4.1-dev \
-          libxdo-dev \
          pkg-config \
          libssl-dev

    - name: Install protoc
      uses: arduino/setup-protoc@v3
      with:
-        version: "31.1"
+        version: "33.1"
        repo-token: ${{ inputs.github-token }}

    - name: Install flatc
      uses: Nugine/setup-flatc@v1
      with:
-        version: "25.2.10"
+        version: "25.9.23"

    - name: Install Rust toolchain
      uses: dtolnay/rust-toolchain@stable
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -22,8 +22,18 @@ updates:
  - package-ecosystem: "cargo" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
-      interval: "monthly"
+      interval: "weekly"
+      day: "monday"
+      timezone: "Asia/Shanghai"
+      time: "08:00"
    groups:
+      s3s:
+        update-types:
+          - "minor"
+          - "patch"
+        patterns:
+          - "s3s"
+          - "s3s-*"
      dependencies:
        patterns:
          - "*"
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -19,9 +19,7 @@ Pull Request Template for RustFS

 ## Checklist
 - [ ] I have read and followed the [CONTRIBUTING.md](CONTRIBUTING.md) guidelines
- [ ] Code is formatted with `cargo fmt --all`
- [ ] Passed `cargo clippy --all-targets --all-features -- -D warnings`
- [ ] Passed `cargo check --all-targets`
+- [ ] Passed `make pre-commit`
 - [ ] Added/updated necessary tests
 - [ ] Documentation updated (if needed)
 - [ ] CI/CD passed (if applicable)
--- a/.github/s3tests/README.md
+++ b/.github/s3tests/README.md
@@ -0,0 +1,103 @@
+# S3 Compatibility Tests Configuration
+
+This directory contains the configuration for running [Ceph S3 compatibility tests](https://github.com/ceph/s3-tests) against RustFS.
+
+## Configuration File
+
+The `s3tests.conf` file is based on the official `s3tests.conf.SAMPLE` from the ceph/s3-tests repository. It uses environment variable substitution via `envsubst` to configure the endpoint and credentials.
+
+### Key Configuration Points
+
+- **Host**: Set via `${S3_HOST}` environment variable (e.g., `rustfs-single` for single-node, `lb` for multi-node)
+- **Port**: 9000 (standard RustFS port)
+- **Credentials**: Uses `${S3_ACCESS_KEY}` and `${S3_SECRET_KEY}` from workflow environment
+- **TLS**: Disabled (`is_secure = False`)
+
+## Test Execution Strategy
+
+### Network Connectivity Fix
+
+Tests run inside a Docker container on the `rustfs-net` network, which allows them to resolve and connect to the RustFS container hostnames. This fixes the "Temporary failure in name resolution" error that occurred when tests ran on the GitHub runner host.
+
+### Performance Optimizations
+
+1. **Parallel Execution**: Uses `pytest-xdist` with `-n 4` to run tests in parallel across 4 workers
+2. **Load Distribution**: Uses `--dist=loadgroup` to distribute test groups across workers
+3. **Fail-Fast**: Uses `--maxfail=50` to stop after 50 failures, saving time on catastrophic failures
+
+### Feature Filtering
+
+Tests are filtered using pytest markers (`-m`) to skip features not yet supported by RustFS:
+
+- `lifecycle` - Bucket lifecycle policies
+- `versioning` - Object versioning
+- `s3website` - Static website hosting
+- `bucket_logging` - Bucket logging
+- `encryption` / `sse_s3` - Server-side encryption
+- `cloud_transition` / `cloud_restore` - Cloud storage transitions
+- `lifecycle_expiration` / `lifecycle_transition` - Lifecycle operations
+
+This filtering:
+1. Reduces test execution time significantly (from 1+ hour to ~10-15 minutes)
+2. Focuses on features RustFS currently supports
+3. Avoids hundreds of expected failures
+
+## Running Tests Locally
+
+### Single-Node Test
+
+```bash
+# Set credentials
+export S3_ACCESS_KEY=rustfsadmin
+export S3_SECRET_KEY=rustfsadmin
+
+# Start RustFS container
+docker run -d --name rustfs-single \
+  --network rustfs-net \
+  -e RUSTFS_ADDRESS=0.0.0.0:9000 \
+  -e RUSTFS_ACCESS_KEY=$S3_ACCESS_KEY \
+  -e RUSTFS_SECRET_KEY=$S3_SECRET_KEY \
+  -e RUSTFS_VOLUMES="/data/rustfs0 /data/rustfs1 /data/rustfs2 /data/rustfs3" \
+  rustfs-ci
+
+# Generate config
+export S3_HOST=rustfs-single
+envsubst < .github/s3tests/s3tests.conf > /tmp/s3tests.conf
+
+# Run tests
+docker run --rm \
+  --network rustfs-net \
+  -v /tmp/s3tests.conf:/etc/s3tests.conf:ro \
+  python:3.12-slim \
+  bash -c '
+    apt-get update -qq && apt-get install -y -qq git
+    git clone --depth 1 https://github.com/ceph/s3-tests.git /s3-tests
+    cd /s3-tests
+    pip install -q -r requirements.txt pytest-xdist
+    S3TEST_CONF=/etc/s3tests.conf pytest -v -n 4 \
+      s3tests/functional/test_s3.py \
+      -m "not lifecycle and not versioning and not s3website and not bucket_logging and not encryption and not sse_s3"
+  '
+```
+
+## Test Results Interpretation
+
+- **PASSED**: Test succeeded, feature works correctly
+- **FAILED**: Test failed, indicates a potential bug or incompatibility
+- **ERROR**: Test setup failed (e.g., network issues, missing dependencies)
+- **SKIPPED**: Test skipped due to marker filtering
+
+## Adding New Feature Support
+
+When adding support for a new S3 feature to RustFS:
+
+1. Remove the corresponding marker from the filter in `.github/workflows/e2e-s3tests.yml`
+2. Run the tests to verify compatibility
+3. Fix any failing tests
+4. Update this README to reflect the newly supported feature
+
+## References
+
+- [Ceph S3 Tests Repository](https://github.com/ceph/s3-tests)
+- [S3 API Compatibility](https://docs.aws.amazon.com/AmazonS3/latest/API/)
+- [pytest-xdist Documentation](https://pytest-xdist.readthedocs.io/)
--- a/.github/s3tests/s3tests.conf
+++ b/.github/s3tests/s3tests.conf
@@ -0,0 +1,185 @@
+# RustFS s3-tests configuration
+# Based on: https://github.com/ceph/s3-tests/blob/master/s3tests.conf.SAMPLE
+#
+# Usage:
+#   Single-node: S3_HOST=rustfs-single envsubst < s3tests.conf > /tmp/s3tests.conf
+#   Multi-node:  S3_HOST=lb envsubst < s3tests.conf > /tmp/s3tests.conf
+
+[DEFAULT]
+## this section is just used for host, port and bucket_prefix
+
+# host set for RustFS - will be substituted via envsubst
+host = ${S3_HOST}
+
+# port for RustFS
+port = 9000
+
+## say "False" to disable TLS
+is_secure = False
+
+## say "False" to disable SSL Verify
+ssl_verify = False
+
+[fixtures]
+## all the buckets created will start with this prefix;
+## {random} will be filled with random characters to pad
+## the prefix to 30 characters long, and avoid collisions
+bucket prefix = rustfs-{random}-
+
+# all the iam account resources (users, roles, etc) created
+# will start with this name prefix
+iam name prefix = s3-tests-
+
+# all the iam account resources (users, roles, etc) created
+# will start with this path prefix
+iam path prefix = /s3-tests/
+
+[s3 main]
+# main display_name
+display_name = RustFS Tester
+
+# main user_id
+user_id = rustfsadmin
+
+# main email
+email = tester@rustfs.local
+
+# zonegroup api_name for bucket location
+api_name = default
+
+## main AWS access key
+access_key = ${S3_ACCESS_KEY}
+
+## main AWS secret key
+secret_key = ${S3_SECRET_KEY}
+
+## replace with key id obtained when secret is created, or delete if KMS not tested
+#kms_keyid = 01234567-89ab-cdef-0123-456789abcdef
+
+## Storage classes
+#storage_classes = "LUKEWARM, FROZEN"
+
+## Lifecycle debug interval (default: 10)
+#lc_debug_interval = 20
+## Restore debug interval (default: 100)
+#rgw_restore_debug_interval = 60
+#rgw_restore_processor_period = 60
+
+[s3 alt]
+# alt display_name
+display_name = RustFS Alt Tester
+
+## alt email
+email = alt@rustfs.local
+
+# alt user_id
+user_id = rustfsalt
+
+# alt AWS access key (must be different from s3 main for many tests)
+access_key = ${S3_ALT_ACCESS_KEY}
+
+# alt AWS secret key
+secret_key = ${S3_ALT_SECRET_KEY}
+
+#[s3 cloud]
+## to run the testcases with "cloud_transition" for transition
+## and "cloud_restore" for restore attribute.
+## Note: the waiting time may have to tweaked depending on
+## the I/O latency to the cloud endpoint.
+
+## host set for cloud endpoint
+# host = localhost
+
+## port set for cloud endpoint
+# port = 8001
+
+## say "False" to disable TLS
+# is_secure = False
+
+## cloud endpoint credentials
+# access_key = 0555b35654ad1656d804
+# secret_key = h7GhxuBLTrlhVUyxSPUKUV8r/2EI4ngqJxD7iBdBYLhwluN30JaT3Q==
+
+## storage class configured as cloud tier on local rgw server
+# cloud_storage_class = CLOUDTIER
+
+## Below are optional -
+
+## Above configured cloud storage class config options
+# retain_head_object = false
+# allow_read_through = false    # change it to enable read_through
+# read_through_restore_days = 2
+# target_storage_class = Target_SC
+# target_path = cloud-bucket
+
+## another regular storage class to test multiple transition rules,
+# storage_class = S1
+
+[s3 tenant]
+# tenant display_name
+display_name = RustFS Tenant Tester
+
+# tenant user_id
+user_id = rustfstenant
+
+# tenant AWS access key
+access_key = ${S3_ACCESS_KEY}
+
+# tenant AWS secret key
+secret_key = ${S3_SECRET_KEY}
+
+# tenant email
+email = tenant@rustfs.local
+
+# tenant name
+tenant = testx
+
+#following section needs to be added for all sts-tests
+[iam]
+#used for iam operations in sts-tests
+#email
+email = s3@rustfs.local
+
+#user_id
+user_id = rustfsiam
+
+#access_key
+access_key = ${S3_ACCESS_KEY}
+
+#secret_key
+secret_key = ${S3_SECRET_KEY}
+
+#display_name
+display_name = RustFS IAM User
+
+# iam account root user for iam_account tests
+[iam root]
+access_key = ${S3_ACCESS_KEY}
+secret_key = ${S3_SECRET_KEY}
+user_id = RGW11111111111111111
+email = account1@rustfs.local
+
+# iam account root user in a different account than [iam root]
+[iam alt root]
+access_key = ${S3_ACCESS_KEY}
+secret_key = ${S3_SECRET_KEY}
+user_id = RGW22222222222222222
+email = account2@rustfs.local
+
+#following section needs to be added when you want to run Assume Role With Webidentity test
+[webidentity]
+#used for assume role with web identity test in sts-tests
+#all parameters will be obtained from ceph/qa/tasks/keycloak.py
+#token=<access_token>
+
+#aud=<obtained after introspecting token>
+
+#sub=<obtained after introspecting token>
+
+#azp=<obtained after introspecting token>
+
+#user_token=<access token for a user, with attribute Department=[Engineering, Marketing>]
+
+#thumbprint=<obtained from x509 certificate>
+
+#KC_REALM=<name of the realm>
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -16,13 +16,13 @@ name: Security Audit

 on:
  push:
-    branches: [main]
+    branches: [ main ]
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'
      - '.github/workflows/audit.yml'
  pull_request:
-    branches: [main]
+    branches: [ main ]
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'
@@ -31,17 +31,20 @@ on:
    - cron: '0 0 * * 0' # Weekly on Sunday at midnight UTC
  workflow_dispatch:

+permissions:
+  contents: read
+
 env:
  CARGO_TERM_COLOR: always

 jobs:
  security-audit:
    name: Security Audit
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    timeout-minutes: 15
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Install cargo-audit
        uses: taiki-e/install-action@v2
@@ -62,14 +65,14 @@ jobs:

  dependency-review:
    name: Dependency Review
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -28,8 +28,8 @@ name: Build and Release

 on:
  push:
-    tags: ["*.*.*"]
-    branches: [main]
+    tags: [ "*.*.*" ]
+    branches: [ main ]
    paths-ignore:
      - "**.md"
      - "**.txt"
@@ -45,7 +45,7 @@ on:
      - ".gitignore"
      - ".dockerignore"
  pull_request:
-    branches: [main]
+    branches: [ main ]
    paths-ignore:
      - "**.md"
      - "**.txt"
@@ -70,6 +70,9 @@ on:
        default: true
        type: boolean

+permissions:
+  contents: read
+
 env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: 1
@@ -80,7 +83,7 @@ jobs:
  # Build strategy check - determine build type based on trigger
  build-check:
    name: Build Strategy Check
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    outputs:
      should_build: ${{ steps.check.outputs.should_build }}
      build_type: ${{ steps.check.outputs.build_type }}
@@ -89,7 +92,7 @@ jobs:
      is_prerelease: ${{ steps.check.outputs.is_prerelease }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0

@@ -153,7 +156,7 @@ jobs:
  # Build RustFS binaries
  build-rustfs:
    name: Build RustFS
-    needs: [build-check]
+    needs: [ build-check ]
    if: needs.build-check.outputs.should_build == 'true'
    runs-on: ${{ matrix.os }}
    timeout-minutes: 60
@@ -164,14 +167,22 @@ jobs:
      matrix:
        include:
          # Linux builds
-          - os: ubuntu-latest
+          - os: ubicloud-standard-2
            target: x86_64-unknown-linux-musl
            cross: false
            platform: linux
-          - os: ubuntu-latest
+          - os: ubicloud-standard-2
            target: aarch64-unknown-linux-musl
            cross: true
            platform: linux
+          - os: ubicloud-standard-2
+            target: x86_64-unknown-linux-gnu
+            cross: false
+            platform: linux
+          - os: ubicloud-standard-2
+            target: aarch64-unknown-linux-gnu
+            cross: true
+            platform: linux
          # macOS builds
          - os: macos-latest
            target: aarch64-apple-darwin
@@ -181,18 +192,18 @@ jobs:
            target: x86_64-apple-darwin
            cross: false
            platform: macos
-          # # Windows builds (temporarily disabled)
-          # - os: windows-latest
-          #   target: x86_64-pc-windows-msvc
-          #   cross: false
-          #   platform: windows
-          # - os: windows-latest
-          #   target: aarch64-pc-windows-msvc
-          #   cross: true
-          #   platform: windows
+          # Windows builds (temporarily disabled)
+          - os: windows-latest
+            target: x86_64-pc-windows-msvc
+            cross: false
+            platform: windows
+          #- os: windows-latest
+          #  target: aarch64-pc-windows-msvc
+          #  cross: true
+          #  platform: windows
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0

@@ -207,6 +218,7 @@ jobs:
          install-cross-tools: ${{ matrix.cross }}

      - name: Download static console assets
+        shell: bash
        run: |
          mkdir -p ./rustfs/static
          if [[ "${{ matrix.platform }}" == "windows" ]]; then
@@ -232,6 +244,7 @@ jobs:
          fi

      - name: Build RustFS
+        shell: bash
        run: |
          # Force rebuild by touching build.rs
          touch rustfs/build.rs
@@ -260,30 +273,55 @@ jobs:
          # Extract platform and arch from target
          TARGET="${{ matrix.target }}"
          PLATFORM="${{ matrix.platform }}"
-
-          # Map target to architecture
+          # Map target to architecture and variant
          case "$TARGET" in
+            *x86_64*musl*)
+              ARCH="x86_64"
+              VARIANT="musl"
+              ;;
+            *x86_64*gnu*)
+              ARCH="x86_64"
+              VARIANT="gnu"
+              ;;
            *x86_64*)
              ARCH="x86_64"
+              VARIANT=""
+              ;;
+            *aarch64*musl*|*arm64*musl*)
+              ARCH="aarch64"
+              VARIANT="musl"
+              ;;
+            *aarch64*gnu*|*arm64*gnu*)
+              ARCH="aarch64"
+              VARIANT="gnu"
              ;;
            *aarch64*|*arm64*)
              ARCH="aarch64"
+              VARIANT=""
              ;;
            *armv7*)
              ARCH="armv7"
+              VARIANT=""
              ;;
            *)
              ARCH="unknown"
+              VARIANT=""
              ;;
          esac

          # Generate package name based on build type
-          if [[ "$BUILD_TYPE" == "development" ]]; then
-            # Development build: rustfs-${platform}-${arch}-dev-${short_sha}.zip
-            PACKAGE_NAME="rustfs-${PLATFORM}-${ARCH}-dev-${SHORT_SHA}"
+          if [[ -n "$VARIANT" ]]; then
+            ARCH_WITH_VARIANT="${ARCH}-${VARIANT}"
          else
-            # Release/Prerelease build: rustfs-${platform}-${arch}-v${version}.zip
-            PACKAGE_NAME="rustfs-${PLATFORM}-${ARCH}-v${VERSION}"
+            ARCH_WITH_VARIANT="${ARCH}"
+          fi
+
+          if [[ "$BUILD_TYPE" == "development" ]]; then
+            # Development build: rustfs-${platform}-${arch}-${variant}-dev-${short_sha}.zip
+            PACKAGE_NAME="rustfs-${PLATFORM}-${ARCH_WITH_VARIANT}-dev-${SHORT_SHA}"
+          else
+            # Release/Prerelease build: rustfs-${platform}-${arch}-${variant}-v${version}.zip
+            PACKAGE_NAME="rustfs-${PLATFORM}-${ARCH_WITH_VARIANT}-v${VERSION}"
          fi

          # Create zip packages for all platforms
@@ -295,23 +333,119 @@ jobs:
          fi

          cd target/${{ matrix.target }}/release
-          zip "../../../${PACKAGE_NAME}.zip" rustfs
+          # Determine the binary name based on platform
+          if [[ "${{ matrix.platform }}" == "windows" ]]; then
+            BINARY_NAME="rustfs.exe"
+          else
+            BINARY_NAME="rustfs"
+          fi
+
+          # Verify the binary exists before packaging
+          if [[ ! -f "$BINARY_NAME" ]]; then
+            echo "❌ Binary $BINARY_NAME not found in $(pwd)"
+            if [[ "${{ matrix.platform }}" == "windows" ]]; then
+              dir
+            else
+              ls -la
+            fi
+            exit 1
+          fi
+
+          # Universal packaging function
+          package_zip() {
+            local src=$1
+            local dst=$2
+            if [[ "${{ matrix.platform }}" == "windows" ]]; then
+              # Windows uses PowerShell Compress-Archive
+              powershell -Command "Compress-Archive -Path '$src' -DestinationPath '$dst' -Force"
+            elif command -v zip &> /dev/null; then
+              # Unix systems use zip command
+              zip "$dst" "$src"
+            else
+              echo "❌ No zip utility available"
+              exit 1
+            fi
+          }
+
+          # Create the zip package
+          echo "Start packaging: $BINARY_NAME -> ../../../${PACKAGE_NAME}.zip"
+          package_zip "$BINARY_NAME" "../../../${PACKAGE_NAME}.zip"
+
          cd ../../..

+          # Verify the package was created
+          if [[ -f "${PACKAGE_NAME}.zip" ]]; then
+            echo "✅ Package created successfully: ${PACKAGE_NAME}.zip"
+            if [[ "${{ matrix.platform }}" == "windows" ]]; then
+              dir
+            else
+              ls -lh ${PACKAGE_NAME}.zip
+            fi
+          else
+            echo "❌ Failed to create package: ${PACKAGE_NAME}.zip"
+            exit 1
+          fi
+
+          # Create latest version files right after the main package
+          LATEST_FILES=""
+          if [[ "$BUILD_TYPE" == "release" ]] || [[ "$BUILD_TYPE" == "prerelease" ]]; then
+            # Create latest version filename
+            # Convert from rustfs-linux-x86_64-musl-v1.0.0 to rustfs-linux-x86_64-musl-latest
+            LATEST_FILE="${PACKAGE_NAME%-v*}-latest.zip"
+
+            echo "🔄 Creating latest version: ${PACKAGE_NAME}.zip -> $LATEST_FILE"
+            cp "${PACKAGE_NAME}.zip" "$LATEST_FILE"
+
+            if [[ -f "$LATEST_FILE" ]]; then
+              echo "✅ Latest version created: $LATEST_FILE"
+              LATEST_FILES="$LATEST_FILE"
+            fi
+          elif [[ "$BUILD_TYPE" == "development" ]]; then
+            # Development builds (only main branch triggers development builds)
+            # Create main-latest version filename
+            # Convert from rustfs-linux-x86_64-dev-abc123 to rustfs-linux-x86_64-main-latest
+            MAIN_LATEST_FILE="${PACKAGE_NAME%-dev-*}-main-latest.zip"
+
+            echo "🔄 Creating main-latest version: ${PACKAGE_NAME}.zip -> $MAIN_LATEST_FILE"
+            cp "${PACKAGE_NAME}.zip" "$MAIN_LATEST_FILE"
+
+            if [[ -f "$MAIN_LATEST_FILE" ]]; then
+              echo "✅ Main-latest version created: $MAIN_LATEST_FILE"
+              LATEST_FILES="$MAIN_LATEST_FILE"
+
+              # Also create a generic main-latest for Docker builds (Linux only)
+              if [[ "${{ matrix.platform }}" == "linux" ]]; then
+                DOCKER_MAIN_LATEST_FILE="rustfs-linux-${ARCH_WITH_VARIANT}-main-latest.zip"
+
+                echo "🔄 Creating Docker main-latest version: ${PACKAGE_NAME}.zip -> $DOCKER_MAIN_LATEST_FILE"
+                cp "${PACKAGE_NAME}.zip" "$DOCKER_MAIN_LATEST_FILE"
+
+                if [[ -f "$DOCKER_MAIN_LATEST_FILE" ]]; then
+                  echo "✅ Docker main-latest version created: $DOCKER_MAIN_LATEST_FILE"
+                  LATEST_FILES="$LATEST_FILES $DOCKER_MAIN_LATEST_FILE"
+                fi
+              fi
+            fi
+          fi
+
          echo "package_name=${PACKAGE_NAME}" >> $GITHUB_OUTPUT
          echo "package_file=${PACKAGE_NAME}.zip" >> $GITHUB_OUTPUT
+          echo "latest_files=${LATEST_FILES}" >> $GITHUB_OUTPUT
          echo "build_type=${BUILD_TYPE}" >> $GITHUB_OUTPUT
          echo "version=${VERSION}" >> $GITHUB_OUTPUT

          echo "📦 Package created: ${PACKAGE_NAME}.zip"
+          if [[ -n "$LATEST_FILES" ]]; then
+            echo "📦 Latest files created: $LATEST_FILES"
+          fi
          echo "🔧 Build type: ${BUILD_TYPE}"
          echo "📊 Version: ${VERSION}"

-      - name: Upload artifacts
+      - name: Upload to GitHub artifacts
        uses: actions/upload-artifact@v4
        with:
          name: ${{ steps.package.outputs.package_name }}
-          path: ${{ steps.package.outputs.package_file }}
+          path: "rustfs-*.zip"
          retention-days: ${{ startsWith(github.ref, 'refs/tags/') && 30 || 7 }}

      - name: Upload to Aliyun OSS
@@ -320,7 +454,8 @@ jobs:
          OSS_ACCESS_KEY_ID: ${{ secrets.ALICLOUDOSS_KEY_ID }}
          OSS_ACCESS_KEY_SECRET: ${{ secrets.ALICLOUDOSS_KEY_SECRET }}
          OSS_REGION: cn-beijing
-          OSS_ENDPOINT: https://oss-cn-beijing.aliyuncs.com
+          OSS_ENDPOINT: https://oss-accelerate.aliyuncs.com
+        shell: bash
        run: |
          BUILD_TYPE="${{ needs.build-check.outputs.build_type }}"

@@ -359,6 +494,16 @@ jobs:
              chmod +x /usr/local/bin/ossutil
              OSSUTIL_BIN=ossutil
              ;;
+            windows)
+              OSSUTIL_ZIP="ossutil-${OSSUTIL_VERSION}-windows-amd64.zip"
+              OSSUTIL_DIR="ossutil-${OSSUTIL_VERSION}-windows-amd64"
+
+              curl -o "$OSSUTIL_ZIP" "https://gosspublic.alicdn.com/ossutil/v2/${OSSUTIL_VERSION}/${OSSUTIL_ZIP}"
+              unzip "$OSSUTIL_ZIP"
+              mv "${OSSUTIL_DIR}/ossutil.exe" ./ossutil.exe
+              rm -rf "$OSSUTIL_DIR" "$OSSUTIL_ZIP"
+              OSSUTIL_BIN=./ossutil.exe
+              ;;
          esac

          # Determine upload path based on build type
@@ -370,83 +515,27 @@ jobs:
            echo "📤 Uploading release build to OSS release directory"
          fi

-          # Upload the package file to OSS
-          echo "Uploading ${{ steps.package.outputs.package_file }} to $OSS_PATH..."
-          $OSSUTIL_BIN cp "${{ steps.package.outputs.package_file }}" "$OSS_PATH" --force
-
-          # For release and prerelease builds, also create a latest version
-          if [[ "$BUILD_TYPE" == "release" ]] || [[ "$BUILD_TYPE" == "prerelease" ]]; then
-            # Extract platform and arch from package name
-            PACKAGE_NAME="${{ steps.package.outputs.package_name }}"
-
-            # Create latest version filename
-            # Convert from rustfs-linux-x86_64-v1.0.0 to rustfs-linux-x86_64-latest
-            LATEST_FILE="${PACKAGE_NAME%-v*}-latest.zip"
-
-            # Copy the original file to latest version
-            cp "${{ steps.package.outputs.package_file }}" "$LATEST_FILE"
-
-            # Upload the latest version
-            echo "Uploading latest version: $LATEST_FILE to $OSS_PATH..."
-            $OSSUTIL_BIN cp "$LATEST_FILE" "$OSS_PATH" --force
-
-            echo "✅ Latest version uploaded: $LATEST_FILE"
-          fi
-
-          # For development builds, create dev-latest version
-          if [[ "$BUILD_TYPE" == "development" ]]; then
-            # Extract platform and arch from package name
-            PACKAGE_NAME="${{ steps.package.outputs.package_name }}"
-
-            # Create dev-latest version filename
-            # Convert from rustfs-linux-x86_64-dev-abc123 to rustfs-linux-x86_64-dev-latest
-            DEV_LATEST_FILE="${PACKAGE_NAME%-*}-latest.zip"
-
-            # Copy the original file to dev-latest version
-            cp "${{ steps.package.outputs.package_file }}" "$DEV_LATEST_FILE"
-
-            # Upload the dev-latest version
-            echo "Uploading dev-latest version: $DEV_LATEST_FILE to $OSS_PATH..."
-            $OSSUTIL_BIN cp "$DEV_LATEST_FILE" "$OSS_PATH" --force
-
-            echo "✅ Dev-latest version uploaded: $DEV_LATEST_FILE"
-
-            # For main branch builds, also create a main-latest version
-            if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
-              # Create main-latest version filename
-              # Convert from rustfs-linux-x86_64-dev-abc123 to rustfs-linux-x86_64-main-latest
-              MAIN_LATEST_FILE="${PACKAGE_NAME%-dev-*}-main-latest.zip"
-
-              # Copy the original file to main-latest version
-              cp "${{ steps.package.outputs.package_file }}" "$MAIN_LATEST_FILE"
-
-              # Upload the main-latest version
-              echo "Uploading main-latest version: $MAIN_LATEST_FILE to $OSS_PATH..."
-              $OSSUTIL_BIN cp "$MAIN_LATEST_FILE" "$OSS_PATH" --force
-
-              echo "✅ Main-latest version uploaded: $MAIN_LATEST_FILE"
-
-              # Also create a generic main-latest for Docker builds
-              if [[ "${{ matrix.platform }}" == "linux" ]]; then
-                DOCKER_MAIN_LATEST_FILE="rustfs-linux-${{ matrix.target == 'x86_64-unknown-linux-musl' && 'x86_64' || 'aarch64' }}-main-latest.zip"
-
-                cp "${{ steps.package.outputs.package_file }}" "$DOCKER_MAIN_LATEST_FILE"
-                $OSSUTIL_BIN cp "$DOCKER_MAIN_LATEST_FILE" "$OSS_PATH" --force
-                echo "✅ Docker main-latest version uploaded: $DOCKER_MAIN_LATEST_FILE"
-              fi
+          # Upload all rustfs zip files to OSS using glob pattern
+          echo "📤 Uploading all rustfs-*.zip files to $OSS_PATH..."
+          for zip_file in rustfs-*.zip; do
+            if [[ -f "$zip_file" ]]; then
+              echo "Uploading: $zip_file to $OSS_PATH..."
+              $OSSUTIL_BIN cp "$zip_file" "$OSS_PATH" --force
+              echo "✅ Uploaded: $zip_file"
            fi
-          fi
+          done

          echo "✅ Upload completed successfully"

  # Build summary
  build-summary:
    name: Build Summary
-    needs: [build-check, build-rustfs]
+    needs: [ build-check, build-rustfs ]
    if: always() && needs.build-check.outputs.should_build == 'true'
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    steps:
      - name: Build completion summary
+        shell: bash
        run: |
          BUILD_TYPE="${{ needs.build-check.outputs.build_type }}"
          VERSION="${{ needs.build-check.outputs.version }}"
@@ -493,9 +582,9 @@ jobs:
  # Create GitHub Release (only for tag pushes)
  create-release:
    name: Create GitHub Release
-    needs: [build-check, build-rustfs]
+    needs: [ build-check, build-rustfs ]
    if: startsWith(github.ref, 'refs/tags/') && needs.build-check.outputs.build_type != 'development'
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    permissions:
      contents: write
    outputs:
@@ -503,7 +592,7 @@ jobs:
      release_url: ${{ steps.create.outputs.release_url }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0

@@ -511,6 +600,7 @@ jobs:
        id: create
        env:
          GH_TOKEN: ${{ github.token }}
+        shell: bash
        run: |
          TAG="${{ needs.build-check.outputs.version }}"
          VERSION="${{ needs.build-check.outputs.version }}"
@@ -578,18 +668,18 @@ jobs:
  # Prepare and upload release assets
  upload-release-assets:
    name: Upload Release Assets
-    needs: [build-check, build-rustfs, create-release]
+    needs: [ build-check, build-rustfs, create-release ]
    if: startsWith(github.ref, 'refs/tags/') && needs.build-check.outputs.build_type != 'development'
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    permissions:
      contents: write
      actions: read
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Download all build artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
        with:
          path: ./artifacts
          pattern: rustfs-*
@@ -597,13 +687,14 @@ jobs:

      - name: Prepare release assets
        id: prepare
+        shell: bash
        run: |
          VERSION="${{ needs.build-check.outputs.version }}"
          TAG="${{ needs.build-check.outputs.version }}"

          mkdir -p ./release-assets

-          # Copy and verify artifacts
+          # Copy and verify artifacts (including latest files created during build)
          ASSETS_COUNT=0
          for file in ./artifacts/*.zip; do
            if [[ -f "$file" ]]; then
@@ -619,7 +710,7 @@ jobs:

          cd ./release-assets

-          # Generate checksums
+          # Generate checksums for all files (including latest versions)
          if ls *.zip >/dev/null 2>&1; then
            sha256sum *.zip > SHA256SUMS
            sha512sum *.zip > SHA512SUMS
@@ -634,11 +725,12 @@ jobs:
          echo "📦 Prepared assets:"
          ls -la

-          echo "🔢 Asset count: $ASSETS_COUNT"
+          echo "🔢 Total asset count: $ASSETS_COUNT"

      - name: Upload to GitHub Release
        env:
          GH_TOKEN: ${{ github.token }}
+        shell: bash
        run: |
          TAG="${{ needs.build-check.outputs.version }}"

@@ -657,9 +749,9 @@ jobs:
  # Update latest.json for stable releases only
  update-latest-version:
    name: Update Latest Version
-    needs: [build-check, upload-release-assets]
+    needs: [ build-check, upload-release-assets ]
    if: startsWith(github.ref, 'refs/tags/')
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    steps:
      - name: Update latest.json
        env:
@@ -667,6 +759,7 @@ jobs:
          OSS_ACCESS_KEY_SECRET: ${{ secrets.ALICLOUDOSS_KEY_SECRET }}
          OSS_REGION: cn-beijing
          OSS_ENDPOINT: https://oss-cn-beijing.aliyuncs.com
+        shell: bash
        run: |
          if [[ -z "$OSS_ACCESS_KEY_ID" ]]; then
            echo "⚠️ OSS credentials not available, skipping latest.json update"
@@ -706,18 +799,19 @@ jobs:
  # Publish release (remove draft status)
  publish-release:
    name: Publish Release
-    needs: [build-check, create-release, upload-release-assets]
+    needs: [ build-check, create-release, upload-release-assets ]
    if: startsWith(github.ref, 'refs/tags/') && needs.build-check.outputs.build_type != 'development'
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    permissions:
      contents: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Update release notes and publish
        env:
          GH_TOKEN: ${{ github.token }}
+        shell: bash
        run: |
          TAG="${{ needs.build-check.outputs.version }}"
          VERSION="${{ needs.build-check.outputs.version }}"
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,7 +4,7 @@
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#     http://www.apache.org/licenses/LICENSE-2.0
+#      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
@@ -16,7 +16,7 @@ name: Continuous Integration

 on:
  push:
-    branches: [main]
+    branches: [ main ]
    paths-ignore:
      - "**.md"
      - "**.txt"
@@ -36,7 +36,7 @@ on:
      - ".github/workflows/audit.yml"
      - ".github/workflows/performance.yml"
  pull_request:
-    branches: [main]
+    branches: [ main ]
    paths-ignore:
      - "**.md"
      - "**.txt"
@@ -59,17 +59,26 @@ on:
    - cron: "0 0 * * 0" # Weekly on Sunday at midnight UTC
  workflow_dispatch:

+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: 1
+  CARGO_BUILD_JOBS: 2

 jobs:
+
  skip-check:
    name: Skip Duplicate Actions
    permissions:
      actions: write
      contents: read
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    outputs:
      should_skip: ${{ steps.skip_check.outputs.should_skip }}
    steps:
@@ -80,15 +89,13 @@ jobs:
          concurrent_skipping: "same_content_newer"
          cancel_others: true
          paths_ignore: '["*.md", "docs/**", "deploy/**"]'
-          # Never skip release events and tag pushes
          do_not_skip: '["workflow_dispatch", "schedule", "merge_group", "release", "push"]'

-
  typos:
    name: Typos
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@stable
      - name: Typos check with custom config file
        uses: crate-ci/typos@master
@@ -97,11 +104,11 @@ jobs:
    name: Test and Lint
    needs: skip-check
    if: needs.skip-check.outputs.should_skip != 'true'
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-4
    timeout-minutes: 60
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Setup Rust environment
        uses: ./.github/actions/setup
@@ -111,6 +118,9 @@ jobs:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          cache-save-if: ${{ github.ref == 'refs/heads/main' }}

+      - name: Install cargo-nextest
+        uses: taiki-e/install-action@nextest
+
      - name: Run tests
        run: |
          cargo nextest run --all --exclude e2e_test
@@ -126,11 +136,16 @@ jobs:
    name: End-to-End Tests
    needs: skip-check
    if: needs.skip-check.outputs.should_skip != 'true'
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    timeout-minutes: 30
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+
+      - name: Clean up previous test run
+        run: |
+          rm -rf /tmp/rustfs
+          rm -f /tmp/rustfs.log

      - name: Setup Rust environment
        uses: ./.github/actions/setup
@@ -150,7 +165,8 @@ jobs:
      - name: Build debug binary
        run: |
          touch rustfs/build.rs
-          cargo build -p rustfs --bins
+          # Limit concurrency to prevent OOM
+          cargo build -p rustfs --bins --jobs 2

      - name: Run end-to-end tests
        run: |
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -36,8 +36,8 @@ permissions:
 on:
  # Automatically triggered when build workflow completes
  workflow_run:
-    workflows: ["Build and Release"]
-    types: [completed]
+    workflows: [ "Build and Release" ]
+    types: [ completed ]
  # Manual trigger with same parameters for consistency
  workflow_dispatch:
    inputs:
@@ -58,6 +58,10 @@ on:
        type: boolean

 env:
+  CONCLUSION: ${{ github.event.workflow_run.conclusion }}
+  HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+  HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+  TRIGGERING_EVENT: ${{ github.event.workflow_run.event }}
  DOCKERHUB_USERNAME: rustfs
  CARGO_TERM_COLOR: always
  REGISTRY_DOCKERHUB: rustfs/rustfs
@@ -68,7 +72,7 @@ jobs:
  # Check if we should build Docker images
  build-check:
    name: Docker Build Check
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    outputs:
      should_build: ${{ steps.check.outputs.should_build }}
      should_push: ${{ steps.check.outputs.should_push }}
@@ -79,7 +83,7 @@ jobs:
      create_latest: ${{ steps.check.outputs.create_latest }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          # For workflow_run events, checkout the specific commit that triggered the workflow
@@ -102,27 +106,27 @@ jobs:

            # Check if the triggering workflow was successful
            # If the workflow succeeded, it means ALL builds (including Linux x86_64 and aarch64) succeeded
-            if [[ "${{ github.event.workflow_run.conclusion }}" == "success" ]]; then
+            if [[ "$CONCLUSION" == "success" ]]; then
              echo "✅ Build workflow succeeded, all builds including Linux are successful"
              should_build=true
              should_push=true
            else
-              echo "❌ Build workflow failed (conclusion: ${{ github.event.workflow_run.conclusion }}), skipping Docker build"
+              echo "❌ Build workflow failed (conclusion: $CONCLUSION), skipping Docker build"
              should_build=false
            fi

            # Extract version info from commit message or use commit SHA
            # Use Git to generate consistent short SHA (ensures uniqueness like build.yml)
-            short_sha=$(git rev-parse --short "${{ github.event.workflow_run.head_sha }}")
+            short_sha=$(git rev-parse --short "$HEAD_SHA")

            # Determine build type based on triggering workflow event and ref
-            triggering_event="${{ github.event.workflow_run.event }}"
-            head_branch="${{ github.event.workflow_run.head_branch }}"
+            triggering_event="$TRIGGERING_EVENT"
+            head_branch="$HEAD_BRANCH"

            echo "🔍 Analyzing triggering workflow:"
            echo "   📋 Event: $triggering_event"
            echo "   🌿 Head branch: $head_branch"
-            echo "   📎 Head SHA: ${{ github.event.workflow_run.head_sha }}"
+            echo "   📎 Head SHA: $HEAD_SHA"

            # Check if this was triggered by a tag push
            if [[ "$triggering_event" == "push" ]]; then
@@ -158,7 +162,14 @@ jobs:
                if [[ "$version" == *"alpha"* ]] || [[ "$version" == *"beta"* ]] || [[ "$version" == *"rc"* ]]; then
                  build_type="prerelease"
                  is_prerelease=true
-                  echo "🧪 Building Docker image for prerelease: $version"
+                  # TODO: Temporary change - currently allows alpha versions to also create latest tags
+                  # After the version is stable, you need to remove the following line and restore the original logic (latest is created only for stable versions)
+                  if [[ "$version" == *"alpha"* ]]; then
+                    create_latest=true
+                     echo "🧪 Building Docker image for prerelease: $version (temporarily allowing creation of latest tag)"
+                  else
+                    echo "🧪 Building Docker image for prerelease: $version"
+                  fi
                else
                  build_type="release"
                  create_latest=true
@@ -174,10 +185,10 @@ jobs:
            fi

            echo "🔄 Build triggered by workflow_run:"
-            echo "   📋 Conclusion: ${{ github.event.workflow_run.conclusion }}"
-            echo "   🌿 Branch: ${{ github.event.workflow_run.head_branch }}"
-            echo "   📎 SHA: ${{ github.event.workflow_run.head_sha }}"
-            echo "   🎯 Event: ${{ github.event.workflow_run.event }}"
+            echo "   📋 Conclusion: $CONCLUSION"
+            echo "   🌿 Branch: $HEAD_BRANCH"
+            echo "   📎 SHA: $HEAD_SHA"
+            echo "   🎯 Event: $TRIGGERING_EVENT"

          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            # Manual trigger
@@ -204,7 +215,14 @@ jobs:
              v*alpha*|v*beta*|v*rc*|*alpha*|*beta*|*rc*)
                build_type="prerelease"
                is_prerelease=true
-                echo "🧪 Building with prerelease version: $input_version"
+                # TODO: Temporary change - currently allows alpha versions to also create latest tags
+                # After the version is stable, you need to remove the if block below and restore the original logic.
+                if [[ "$input_version" == *"alpha"* ]]; then
+                  create_latest=true
+                   echo "🧪 Building with prerelease version: $input_version (temporarily allowing creation of latest tag)"
+                else
+                  echo "🧪 Building with prerelease version: $input_version"
+                fi
                ;;
              # Release versions (match after prereleases, more general)
              v[0-9]*|[0-9]*.*.*)
@@ -246,11 +264,11 @@ jobs:
    name: Build Docker Images
    needs: build-check
    if: needs.build-check.outputs.should_build == 'true'
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    timeout-minutes: 60
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Login to Docker Hub
        uses: docker/login-action@v3
@@ -312,7 +330,9 @@ jobs:

          # Add channel tags for prereleases and latest for stable
          if [[ "$CREATE_LATEST" == "true" ]]; then
-            # Stable release
+            # TODO: Temporary change - the current alpha version will also create the latest tag
+            # After the version is stabilized, the logic here remains unchanged, but the upstream CREATE_LATEST setting needs to be restored.
+            # Stable release (and temporary alpha versions)
            TAGS="$TAGS,${{ env.REGISTRY_DOCKERHUB }}:latest"
          elif [[ "$BUILD_TYPE" == "prerelease" ]]; then
            # Prerelease channel tags (alpha, beta, rc)
@@ -382,9 +402,9 @@ jobs:
  # Docker build summary
  docker-summary:
    name: Docker Build Summary
-    needs: [build-check, build-docker]
+    needs: [ build-check, build-docker ]
    if: always() && needs.build-check.outputs.should_build == 'true'
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    steps:
      - name: Docker build completion summary
        run: |
@@ -409,7 +429,13 @@ jobs:
            "prerelease")
              echo "🧪 Prerelease Docker image has been built with ${VERSION} tags"
              echo "⚠️  This is a prerelease image - use with caution"
-              echo "🚫 Latest tag NOT created for prerelease"
+              # TODO: Temporary change - alpha versions currently create the latest tag
+              # After the version is stable, you need to restore the following prompt information
+              if [[ "$VERSION" == *"alpha"* ]] && [[ "$CREATE_LATEST" == "true" ]]; then
+                echo "🏷️  Latest tag has been created for alpha version (temporary measures)"
+              else
+                echo "🚫 Latest tag NOT created for prerelease"
+              fi
              ;;
            *)
              echo "❌ Unexpected build type: $BUILD_TYPE"
--- a/.github/workflows/e2e-s3tests.yml
+++ b/.github/workflows/e2e-s3tests.yml
@@ -0,0 +1,422 @@
+# Copyright 2024 RustFS Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: e2e-s3tests
+
+on:
+  workflow_dispatch:
+    inputs:
+      test-mode:
+        description: "Test mode to run"
+        required: true
+        type: choice
+        default: "single"
+        options:
+          - single
+          - multi
+      xdist:
+        description: "Enable pytest-xdist (parallel). '0' to disable."
+        required: false
+        default: "0"
+      maxfail:
+        description: "Stop after N failures (debug friendly)"
+        required: false
+        default: "1"
+      markexpr:
+        description: "pytest -m expression (feature filters)"
+        required: false
+        default: "not lifecycle and not versioning and not s3website and not bucket_logging and not encryption"
+
+env:
+  # main user
+  S3_ACCESS_KEY: rustfsadmin
+  S3_SECRET_KEY: rustfsadmin
+  # alt user (must be different from main for many s3-tests)
+  S3_ALT_ACCESS_KEY: rustfsalt
+  S3_ALT_SECRET_KEY: rustfsalt
+
+  S3_REGION: us-east-1
+
+  RUST_LOG: info
+  PLATFORM: linux/amd64
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  s3tests-single:
+    if: github.event.inputs.test-mode == 'single'
+    runs-on: ubicloud-standard-2
+    timeout-minutes: 120
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Enable buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build RustFS image (source, cached)
+        run: |
+          DOCKER_BUILDKIT=1 docker buildx build --load \
+            --platform ${PLATFORM} \
+            --cache-from type=gha \
+            --cache-to type=gha,mode=max \
+            -t rustfs-ci \
+            -f Dockerfile.source .
+
+      - name: Create network
+        run: docker network inspect rustfs-net >/dev/null 2>&1 || docker network create rustfs-net
+
+      - name: Remove existing rustfs-single (if any)
+        run: docker rm -f rustfs-single >/dev/null 2>&1 || true
+
+      - name: Start single RustFS
+        run: |
+          docker run -d --name rustfs-single \
+            --network rustfs-net \
+            -p 9000:9000 \
+            -e RUSTFS_ADDRESS=0.0.0.0:9000 \
+            -e RUSTFS_ACCESS_KEY=$S3_ACCESS_KEY \
+            -e RUSTFS_SECRET_KEY=$S3_SECRET_KEY \
+            -e RUSTFS_VOLUMES="/data/rustfs0 /data/rustfs1 /data/rustfs2 /data/rustfs3" \
+            -v /tmp/rustfs-single:/data \
+            rustfs-ci
+
+      - name: Wait for RustFS ready
+        run: |
+          for i in {1..60}; do
+            if curl -sf http://127.0.0.1:9000/health >/dev/null 2>&1; then
+              echo "RustFS is ready"
+              exit 0
+            fi
+
+            if [ "$(docker inspect -f '{{.State.Running}}' rustfs-single 2>/dev/null)" != "true" ]; then
+              echo "RustFS container not running" >&2
+              docker logs rustfs-single || true
+              exit 1
+            fi
+
+            sleep 2
+          done
+
+          echo "Health check timed out" >&2
+          docker logs rustfs-single || true
+          exit 1
+
+      - name: Generate s3tests config
+        run: |
+          export S3_HOST=127.0.0.1
+          envsubst < .github/s3tests/s3tests.conf > s3tests.conf
+
+      - name: Provision s3-tests alt user (required by suite)
+        run: |
+          python3 -m pip install --user --upgrade pip awscurl
+          export PATH="$HOME/.local/bin:$PATH"
+
+          # Admin API requires AWS SigV4 signing. awscurl is used by RustFS codebase as well.
+          awscurl \
+            --service s3 \
+            --region "${S3_REGION}" \
+            --access_key "${S3_ACCESS_KEY}" \
+            --secret_key "${S3_SECRET_KEY}" \
+            -X PUT \
+            -H 'Content-Type: application/json' \
+            -d '{"secretKey":"'"${S3_ALT_SECRET_KEY}"'","status":"enabled","policy":"readwrite"}' \
+            "http://127.0.0.1:9000/rustfs/admin/v3/add-user?accessKey=${S3_ALT_ACCESS_KEY}"
+
+          # Explicitly attach built-in policy via policy mapping.
+          # s3-tests relies on alt client being able to ListBuckets during setup cleanup.
+          awscurl \
+            --service s3 \
+            --region "${S3_REGION}" \
+            --access_key "${S3_ACCESS_KEY}" \
+            --secret_key "${S3_SECRET_KEY}" \
+            -X PUT \
+            "http://127.0.0.1:9000/rustfs/admin/v3/set-user-or-group-policy?policyName=readwrite&userOrGroup=${S3_ALT_ACCESS_KEY}&isGroup=false"
+
+          # Sanity check: alt user can list buckets (should not be AccessDenied).
+          awscurl \
+            --service s3 \
+            --region "${S3_REGION}" \
+            --access_key "${S3_ALT_ACCESS_KEY}" \
+            --secret_key "${S3_ALT_SECRET_KEY}" \
+            -X GET \
+            "http://127.0.0.1:9000/" >/dev/null
+
+      - name: Prepare s3-tests
+        run: |
+          python3 -m pip install --user --upgrade pip tox
+          export PATH="$HOME/.local/bin:$PATH"
+          git clone --depth 1 https://github.com/ceph/s3-tests.git s3-tests
+
+      - name: Run ceph s3-tests (debug friendly)
+        run: |
+          export PATH="$HOME/.local/bin:$PATH"
+          mkdir -p artifacts/s3tests-single
+
+          cd s3-tests
+
+          set -o pipefail
+
+          MAXFAIL="${{ github.event.inputs.maxfail }}"
+          if [ -z "$MAXFAIL" ]; then MAXFAIL="1"; fi
+
+          MARKEXPR="${{ github.event.inputs.markexpr }}"
+          if [ -z "$MARKEXPR" ]; then MARKEXPR="not lifecycle and not versioning and not s3website and not bucket_logging and not encryption"; fi
+
+          XDIST="${{ github.event.inputs.xdist }}"
+          if [ -z "$XDIST" ]; then XDIST="0"; fi
+          XDIST_ARGS=""
+          if [ "$XDIST" != "0" ]; then
+            # Add pytest-xdist to requirements.txt so tox installs it inside
+            # its virtualenv. Installing outside tox does NOT work.
+            echo "pytest-xdist" >> requirements.txt
+            XDIST_ARGS="-n $XDIST --dist=loadgroup"
+          fi
+
+          # Run tests from s3tests/functional (boto2+boto3 combined directory).
+          S3TEST_CONF=${GITHUB_WORKSPACE}/s3tests.conf \
+            tox -- \
+              -vv -ra --showlocals --tb=long \
+              --maxfail="$MAXFAIL" \
+              --junitxml=${GITHUB_WORKSPACE}/artifacts/s3tests-single/junit.xml \
+              $XDIST_ARGS \
+              s3tests/functional/test_s3.py \
+              -m "$MARKEXPR" \
+              2>&1 | tee ${GITHUB_WORKSPACE}/artifacts/s3tests-single/pytest.log
+
+      - name: Collect RustFS logs
+        if: always()
+        run: |
+          mkdir -p artifacts/rustfs-single
+          docker logs rustfs-single > artifacts/rustfs-single/rustfs.log 2>&1 || true
+          docker inspect rustfs-single > artifacts/rustfs-single/inspect.json || true
+
+      - name: Upload artifacts
+        if: always() && env.ACT != 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: s3tests-single
+          path: artifacts/**
+
+  s3tests-multi:
+    if: github.event_name == 'workflow_dispatch' && github.event.inputs.test-mode == 'multi'
+    runs-on: ubicloud-standard-2
+    timeout-minutes: 150
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Enable buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build RustFS image (source, cached)
+        run: |
+          DOCKER_BUILDKIT=1 docker buildx build --load \
+            --platform ${PLATFORM} \
+            --cache-from type=gha \
+            --cache-to type=gha,mode=max \
+            -t rustfs-ci \
+            -f Dockerfile.source .
+
+      - name: Prepare cluster compose
+        run: |
+          cat > compose.yml <<'EOF'
+          services:
+            rustfs1:
+              image: rustfs-ci
+              hostname: rustfs1
+              networks: [rustfs-net]
+              environment:
+                RUSTFS_ADDRESS: "0.0.0.0:9000"
+                RUSTFS_ACCESS_KEY: ${S3_ACCESS_KEY}
+                RUSTFS_SECRET_KEY: ${S3_SECRET_KEY}
+                RUSTFS_VOLUMES: "/data/rustfs0 /data/rustfs1 /data/rustfs2 /data/rustfs3"
+              volumes:
+                - rustfs1-data:/data
+            rustfs2:
+              image: rustfs-ci
+              hostname: rustfs2
+              networks: [rustfs-net]
+              environment:
+                RUSTFS_ADDRESS: "0.0.0.0:9000"
+                RUSTFS_ACCESS_KEY: ${S3_ACCESS_KEY}
+                RUSTFS_SECRET_KEY: ${S3_SECRET_KEY}
+                RUSTFS_VOLUMES: "/data/rustfs0 /data/rustfs1 /data/rustfs2 /data/rustfs3"
+              volumes:
+                - rustfs2-data:/data
+            rustfs3:
+              image: rustfs-ci
+              hostname: rustfs3
+              networks: [rustfs-net]
+              environment:
+                RUSTFS_ADDRESS: "0.0.0.0:9000"
+                RUSTFS_ACCESS_KEY: ${S3_ACCESS_KEY}
+                RUSTFS_SECRET_KEY: ${S3_SECRET_KEY}
+                RUSTFS_VOLUMES: "/data/rustfs0 /data/rustfs1 /data/rustfs2 /data/rustfs3"
+              volumes:
+                - rustfs3-data:/data
+            rustfs4:
+              image: rustfs-ci
+              hostname: rustfs4
+              networks: [rustfs-net]
+              environment:
+                RUSTFS_ADDRESS: "0.0.0.0:9000"
+                RUSTFS_ACCESS_KEY: ${S3_ACCESS_KEY}
+                RUSTFS_SECRET_KEY: ${S3_SECRET_KEY}
+                RUSTFS_VOLUMES: "/data/rustfs0 /data/rustfs1 /data/rustfs2 /data/rustfs3"
+              volumes:
+                - rustfs4-data:/data
+            lb:
+              image: haproxy:2.9
+              hostname: lb
+              networks: [rustfs-net]
+              ports:
+                - "9000:9000"
+              volumes:
+                - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
+          networks:
+            rustfs-net:
+              name: rustfs-net
+          volumes:
+            rustfs1-data:
+            rustfs2-data:
+            rustfs3-data:
+            rustfs4-data:
+          EOF
+
+          cat > haproxy.cfg <<'EOF'
+          defaults
+            mode http
+            timeout connect 5s
+            timeout client  30s
+            timeout server  30s
+
+          frontend fe_s3
+            bind *:9000
+            default_backend be_s3
+
+          backend be_s3
+            balance roundrobin
+            server s1 rustfs1:9000 check
+            server s2 rustfs2:9000 check
+            server s3 rustfs3:9000 check
+            server s4 rustfs4:9000 check
+          EOF
+
+      - name: Launch cluster
+        run: docker compose -f compose.yml up -d
+
+      - name: Wait for LB ready
+        run: |
+          for i in {1..90}; do
+            if curl -sf http://127.0.0.1:9000/health >/dev/null 2>&1; then
+              echo "Load balancer is ready"
+              exit 0
+            fi
+            sleep 2
+          done
+          echo "LB or backend not ready" >&2
+          docker compose -f compose.yml logs --tail=200 || true
+          exit 1
+
+      - name: Generate s3tests config
+        run: |
+          export S3_HOST=127.0.0.1
+          envsubst < .github/s3tests/s3tests.conf > s3tests.conf
+
+      - name: Provision s3-tests alt user (required by suite)
+        run: |
+          python3 -m pip install --user --upgrade pip awscurl
+          export PATH="$HOME/.local/bin:$PATH"
+
+          awscurl \
+            --service s3 \
+            --region "${S3_REGION}" \
+            --access_key "${S3_ACCESS_KEY}" \
+            --secret_key "${S3_SECRET_KEY}" \
+            -X PUT \
+            -H 'Content-Type: application/json' \
+            -d '{"secretKey":"'"${S3_ALT_SECRET_KEY}"'","status":"enabled","policy":"readwrite"}' \
+            "http://127.0.0.1:9000/rustfs/admin/v3/add-user?accessKey=${S3_ALT_ACCESS_KEY}"
+
+          awscurl \
+            --service s3 \
+            --region "${S3_REGION}" \
+            --access_key "${S3_ACCESS_KEY}" \
+            --secret_key "${S3_SECRET_KEY}" \
+            -X PUT \
+            "http://127.0.0.1:9000/rustfs/admin/v3/set-user-or-group-policy?policyName=readwrite&userOrGroup=${S3_ALT_ACCESS_KEY}&isGroup=false"
+
+          awscurl \
+            --service s3 \
+            --region "${S3_REGION}" \
+            --access_key "${S3_ALT_ACCESS_KEY}" \
+            --secret_key "${S3_ALT_SECRET_KEY}" \
+            -X GET \
+            "http://127.0.0.1:9000/" >/dev/null
+
+      - name: Prepare s3-tests
+        run: |
+          python3 -m pip install --user --upgrade pip tox
+          export PATH="$HOME/.local/bin:$PATH"
+          git clone --depth 1 https://github.com/ceph/s3-tests.git s3-tests
+
+      - name: Run ceph s3-tests (multi, debug friendly)
+        run: |
+          export PATH="$HOME/.local/bin:$PATH"
+          mkdir -p artifacts/s3tests-multi
+
+          cd s3-tests
+
+          set -o pipefail
+
+          MAXFAIL="${{ github.event.inputs.maxfail }}"
+          if [ -z "$MAXFAIL" ]; then MAXFAIL="1"; fi
+
+          MARKEXPR="${{ github.event.inputs.markexpr }}"
+          if [ -z "$MARKEXPR" ]; then MARKEXPR="not lifecycle and not versioning and not s3website and not bucket_logging and not encryption"; fi
+
+          XDIST="${{ github.event.inputs.xdist }}"
+          if [ -z "$XDIST" ]; then XDIST="0"; fi
+          XDIST_ARGS=""
+          if [ "$XDIST" != "0" ]; then
+            # Add pytest-xdist to requirements.txt so tox installs it inside
+            # its virtualenv. Installing outside tox does NOT work.
+            echo "pytest-xdist" >> requirements.txt
+            XDIST_ARGS="-n $XDIST --dist=loadgroup"
+          fi
+
+          # Run tests from s3tests/functional (boto2+boto3 combined directory).
+          S3TEST_CONF=${GITHUB_WORKSPACE}/s3tests.conf \
+            tox -- \
+              -vv -ra --showlocals --tb=long \
+              --maxfail="$MAXFAIL" \
+              --junitxml=${GITHUB_WORKSPACE}/artifacts/s3tests-multi/junit.xml \
+              $XDIST_ARGS \
+              s3tests/functional/test_s3.py \
+              -m "$MARKEXPR" \
+              2>&1 | tee ${GITHUB_WORKSPACE}/artifacts/s3tests-multi/pytest.log
+
+      - name: Collect logs
+        if: always()
+        run: |
+          mkdir -p artifacts/cluster
+          docker compose -f compose.yml logs --no-color > artifacts/cluster/cluster.log 2>&1 || true
+
+      - name: Upload artifacts
+        if: always() && env.ACT != 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: s3tests-multi
+          path: artifacts/**
--- a/.github/workflows/helm-package.yml
+++ b/.github/workflows/helm-package.yml
@@ -0,0 +1,95 @@
+# Copyright 2024 RustFS Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Publish helm chart to artifacthub
+
+on:
+  workflow_run:
+    workflows: [ "Build and Release" ]
+    types: [ completed ]
+
+permissions:
+  contents: read
+
+env:
+  new_version: ${{ github.event.workflow_run.head_branch }}
+
+jobs:
+  build-helm-package:
+    runs-on: ubicloud-standard-2
+    # Only run on successful builds triggered by tag pushes (version format: x.y.z or x.y.z-suffix)
+    if: |
+      github.event.workflow_run.conclusion == 'success' && 
+      github.event.workflow_run.event == 'push' &&
+      contains(github.event.workflow_run.head_branch, '.')
+
+    steps:
+      - name: Checkout helm chart repo
+        uses: actions/checkout@v6
+
+      - name: Replace chart app version
+        run: |
+          set -e
+          set -x
+          old_version=$(grep "^appVersion:" helm/rustfs/Chart.yaml | awk '{print $2}')
+          sed -i "s/$old_version/$new_version/g" helm/rustfs/Chart.yaml
+          sed  -i "/^image:/,/^[^ ]/ s/tag:.*/tag: "$new_version"/" helm/rustfs/values.yaml
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.3.0
+
+      - name: Package Helm Chart
+        run: |
+          cp helm/README.md helm/rustfs/
+          package_version=$(echo $new_version | awk -F '-' '{print $2}' | awk -F '.' '{print $NF}') 
+          helm package ./helm/rustfs --destination helm/rustfs/ --version "0.0.$package_version"
+
+      - name: Upload helm package as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: helm-package
+          path: helm/rustfs/*.tgz
+          retention-days: 1
+
+  publish-helm-package:
+    runs-on: ubicloud-standard-2
+    needs: [ build-helm-package ]
+
+    steps:
+      - name: Checkout helm package repo
+        uses: actions/checkout@v6
+        with:
+          repository: rustfs/helm
+          token: ${{ secrets.RUSTFS_HELM_PACKAGE }}
+
+      - name: Download helm package
+        uses: actions/download-artifact@v4
+        with:
+          name: helm-package
+          path: ./
+
+      - name: Set up helm
+        uses: azure/setup-helm@v4.3.0
+
+      - name: Generate index
+        run: helm repo index . --url https://charts.rustfs.com
+
+      - name: Push helm package and index file
+        run: |
+          git config --global user.name "${{ secrets.USERNAME }}"
+          git config --global user.email "${{ secrets.EMAIL_ADDRESS }}"
+          git status .
+          git add .
+          git commit -m "Update rustfs helm package with $new_version."
+          git push origin main
--- a/.github/workflows/issue-translator.yml
+++ b/.github/workflows/issue-translator.yml
@@ -15,13 +15,17 @@
 name: "issue-translator"
 on:
  issue_comment:
-    types: [created]
+    types: [ created ]
  issues:
-    types: [opened]
+    types: [ opened ]
+
+permissions:
+  contents: read
+  issues: write

 jobs:
  build:
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-4
    steps:
      - uses: usthe/issues-translate-action@v2.7
        with:
--- a/.github/workflows/performance.yml
+++ b/.github/workflows/performance.yml
@@ -16,7 +16,7 @@ name: Performance Testing

 on:
  push:
-    branches: [main]
+    branches: [ main ]
    paths:
      - "**/*.rs"
      - "**/Cargo.toml"
@@ -30,6 +30,9 @@ on:
        default: "120"
        type: string

+permissions:
+  contents: read
+
 env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: 1
@@ -37,11 +40,11 @@ env:
 jobs:
  performance-profile:
    name: Performance Profiling
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    timeout-minutes: 30
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Setup Rust environment
        uses: ./.github/actions/setup
@@ -112,11 +115,11 @@ jobs:

  benchmark:
    name: Benchmark Tests
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    timeout-minutes: 45
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Setup Rust environment
        uses: ./.github/actions/setup
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@
 .DS_Store
 .idea
 .vscode
+.direnv/
 /test
 /logs
 /data
@@ -20,3 +21,16 @@ profile.json
 .docker/openobserve-otel/data
 *.zst
 .secrets
+*.go
+*.pb
+*.svg
+deploy/logs/*.log.*
+artifacts/
+# s3-tests local artifacts (root directory only)
+/s3-tests/
+/s3-tests-local/
+/s3tests.conf
+/s3tests.conf.*
+*.events
+*.audit
+*.snappy
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,32 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+  - repo: local
+    hooks:
+      - id: cargo-fmt
+        name: cargo fmt
+        entry: cargo fmt --all --check
+        language: system
+        types: [rust]
+        pass_filenames: false
+
+      - id: cargo-clippy
+        name: cargo clippy
+        entry: cargo clippy --all-targets --all-features -- -D warnings
+        language: system
+        types: [rust]
+        pass_filenames: false
+
+      - id: cargo-check
+        name: cargo check
+        entry: cargo check --all-targets
+        language: system
+        types: [rust]
+        pass_filenames: false
+
+      - id: cargo-test
+        name: cargo test
+        entry: bash -c 'cargo test --workspace --exclude e2e_test && cargo test --all --doc'
+        language: system
+        types: [rust]
+        pass_filenames: false
--- a/.cursorrules
+++ b/.cursorrules
@@ -1,4 +1,4 @@
-# RustFS Project Cursor Rules
+# RustFS Project AI Coding Rules

 ## 🚨🚨🚨 CRITICAL DEVELOPMENT RULES - ZERO TOLERANCE 🚨🚨🚨

@@ -35,6 +35,47 @@
 - **Code review requirement**: At least one approval needed
 - **Automated reversal**: Direct commits to main will be automatically reverted

+## 🎯 Core AI Development Principles
+
+### Five Execution Steps
+
+#### 1. Task Analysis and Planning
+- **Clear Objectives**: Deeply understand task requirements and expected results before starting coding
+- **Plan Development**: List specific files, components, and functions that need modification, explaining the reasons for changes
+- **Risk Assessment**: Evaluate the impact of changes on existing functionality, develop rollback plans
+
+#### 2. Precise Code Location
+- **File Identification**: Determine specific files and line numbers that need modification
+- **Impact Analysis**: Avoid modifying irrelevant files, clearly state the reason for each file modification
+- **Minimization Principle**: Unless explicitly required by the task, do not create new abstraction layers or refactor existing code
+
+#### 3. Minimal Code Changes
+- **Focus on Core**: Only write code directly required by the task
+- **Avoid Redundancy**: Do not add unnecessary logs, comments, tests, or error handling
+- **Isolation**: Ensure new code does not interfere with existing functionality, maintain code independence
+
+#### 4. Strict Code Review
+- **Correctness Check**: Verify the correctness and completeness of code logic
+- **Style Consistency**: Ensure code conforms to established project coding style
+- **Side Effect Assessment**: Evaluate the impact of changes on downstream systems
+
+#### 5. Clear Delivery Documentation
+- **Change Summary**: Detailed explanation of all modifications and reasons
+- **File List**: List all modified files and their specific changes
+- **Risk Statement**: Mark any assumptions or potential risk points
+
+### Core Principles
+- **🎯 Precise Execution**: Strictly follow task requirements, no arbitrary innovation
+- **⚡ Efficient Development**: Avoid over-design, only do necessary work
+- **🛡️ Safe and Reliable**: Always follow development processes, ensure code quality and system stability
+- **🔒 Cautious Modification**: Only modify when clearly knowing what needs to be changed and having confidence
+
+### Additional AI Behavior Rules
+
+1. **Use English for all code comments and documentation** - All comments, variable names, function names, documentation, and user-facing text in code should be in English
+2. **Clean up temporary scripts after use** - Any temporary scripts, test files, or helper files created during AI work should be removed after task completion
+3. **Only make confident modifications** - Do not make speculative changes or "convenient" modifications outside the task scope. If uncertain about a change, ask for clarification rather than guessing
+
 ## Project Overview

 RustFS is a high-performance distributed object storage system written in Rust, compatible with S3 API. The project adopts a modular architecture, supporting erasure coding storage, multi-tenant management, observability, and other enterprise-level features.
@@ -66,15 +107,6 @@ RustFS is a high-performance distributed object storage system written in Rust,
 - Use `#[error("description")]` attributes for clear error messages
 - Support error downcasting when needed through `other()` helper methods
 - Implement `Clone` for errors when required by the domain logic
- **Current module error types:**
-  - `ecstore::error::StorageError` - Storage layer errors
-  - `ecstore::disk::error::DiskError` - Disk operation errors
-  - `iam::error::Error` - Identity and access management errors
-  - `policy::error::Error` - Policy-related errors
-  - `crypto::error::Error` - Cryptographic operation errors
-  - `filemeta::error::Error` - File metadata errors
-  - `rustfs::error::ApiError` - API layer errors
-  - Module-specific error types for specialized functionality

 ## Code Style Guidelines

@@ -95,25 +127,21 @@ single_line_let_else_max_width = 100
 Before every commit, you **MUST**:

 1. **Format your code**:
-
   ```bash
   cargo fmt --all
   ```

 2. **Verify formatting**:
-
   ```bash
   cargo fmt --all --check
   ```

 3. **Pass clippy checks**:
-
   ```bash
   cargo clippy --all-targets --all-features -- -D warnings
   ```

 4. **Ensure compilation**:
-
   ```bash
   cargo check --all-targets
   ```
@@ -145,48 +173,6 @@ make pre-commit
 make setup-hooks
 ```

-#### 🔒 Automated Pre-commit Hooks
-
-This project includes a pre-commit hook that automatically runs before each commit to ensure:
-
- ✅ Code is properly formatted (`cargo fmt --all --check`)
- ✅ No clippy warnings (`cargo clippy --all-targets --all-features -- -D warnings`)
- ✅ Code compiles successfully (`cargo check --all-targets`)
-
-**Setting Up Pre-commit Hooks** (MANDATORY for all developers):
-
-Run this command once after cloning the repository:
-
-```bash
-make setup-hooks
-```
-
-Or manually:
-
-```bash
-chmod +x .git/hooks/pre-commit
-```
-
-#### 🚫 Commit Prevention
-
-If your code doesn't meet the formatting requirements, the pre-commit hook will:
-
-1. **Block the commit** and show clear error messages
-2. **Provide exact commands** to fix the issues
-3. **Guide you through** the resolution process
-
-Example output when formatting fails:
-
-```
-❌ Code formatting check failed!
-💡 Please run 'cargo fmt --all' to format your code before committing.
-
-🔧 Quick fix:
-   cargo fmt --all
-   git add .
-   git commit
-```
-
 ### 3. Naming Conventions

 - Use `snake_case` for functions, variables, modules
@@ -207,40 +193,6 @@ Example output when formatting fails:
  - Required for API boundaries (function signatures, public struct fields)
  - Needed to resolve ambiguity between multiple possible types

-**Good examples (prefer these):**
-
-```rust
-// Compiler can infer the type
-let items = vec![1, 2, 3, 4];
-let config = Config::default();
-let result = process_data(&input);
-
-// Iterator chains with clear context
-let filtered: Vec<_> = items.iter().filter(|&&x| x > 2).collect();
-```
-
-**Avoid unnecessary explicit types:**
-
-```rust
-// Unnecessary - type is obvious
-let items: Vec<i32> = vec![1, 2, 3, 4];
-let config: Config = Config::default();
-let result: ProcessResult = process_data(&input);
-```
-
-**When explicit types are beneficial:**
-
-```rust
-// API boundaries - always specify types
-pub fn process_data(input: &[u8]) -> Result<ProcessResult, Error> { ... }
-
-// Ambiguous cases - explicit type needed
-let value: f64 = "3.14".parse().unwrap();
-
-// Complex generic types - explicit for clarity
-let cache: HashMap<String, Arc<Mutex<CacheEntry>>> = HashMap::new();
-```
-
 ### 5. Documentation Comments

 - Public APIs must have documentation comments
@@ -358,34 +310,7 @@ impl MyError {
 }
 ```

-### 3. Error Conversion Between Modules
-
-```rust
-// Convert between different module error types
-impl From<ecstore::error::StorageError> for MyError {
-    fn from(e: ecstore::error::StorageError) -> Self {
-        match e {
-            ecstore::error::StorageError::FileNotFound => {
-                MyError::FileNotFound { path: "unknown".to_string() }
-            }
-            _ => MyError::Storage(e),
-        }
-    }
-}
-
-// Provide reverse conversion when needed
-impl From<MyError> for ecstore::error::StorageError {
-    fn from(e: MyError) -> Self {
-        match e {
-            MyError::FileNotFound { .. } => ecstore::error::StorageError::FileNotFound,
-            MyError::Storage(e) => e,
-            _ => ecstore::error::StorageError::other(e),
-        }
-    }
-}
-```
-
-### 4. Error Context and Propagation
+### 3. Error Context and Propagation

 ```rust
 // Use ? operator for clean error propagation
@@ -405,117 +330,6 @@ fn process_with_context(path: &str) -> Result<()> {
 }
 ```

-### 5. API Error Conversion (S3 Example)
-
-```rust
-// Convert storage errors to API-specific errors
-use s3s::{S3Error, S3ErrorCode};
-
-#[derive(Debug)]
-pub struct ApiError {
-    pub code: S3ErrorCode,
-    pub message: String,
-    pub source: Option<Box<dyn std::error::Error + Send + Sync>>,
-}
-
-impl From<ecstore::error::StorageError> for ApiError {
-    fn from(err: ecstore::error::StorageError) -> Self {
-        let code = match &err {
-            ecstore::error::StorageError::BucketNotFound(_) => S3ErrorCode::NoSuchBucket,
-            ecstore::error::StorageError::ObjectNotFound(_, _) => S3ErrorCode::NoSuchKey,
-            ecstore::error::StorageError::BucketExists(_) => S3ErrorCode::BucketAlreadyExists,
-            ecstore::error::StorageError::InvalidArgument(_, _, _) => S3ErrorCode::InvalidArgument,
-            ecstore::error::StorageError::MethodNotAllowed => S3ErrorCode::MethodNotAllowed,
-            ecstore::error::StorageError::StorageFull => S3ErrorCode::ServiceUnavailable,
-            _ => S3ErrorCode::InternalError,
-        };
-
-        ApiError {
-            code,
-            message: err.to_string(),
-            source: Some(Box::new(err)),
-        }
-    }
-}
-
-impl From<ApiError> for S3Error {
-    fn from(err: ApiError) -> Self {
-        let mut s3e = S3Error::with_message(err.code, err.message);
-        if let Some(source) = err.source {
-            s3e.set_source(source);
-        }
-        s3e
-    }
-}
-```
-
-### 6. Error Handling Best Practices
-
-#### Pattern Matching and Error Classification
-
-```rust
-// Use pattern matching for specific error handling
-async fn handle_storage_operation() -> Result<()> {
-    match storage.get_object("bucket", "key").await {
-        Ok(object) => process_object(object),
-        Err(ecstore::error::StorageError::ObjectNotFound(bucket, key)) => {
-            warn!("Object not found: {}/{}", bucket, key);
-            create_default_object(bucket, key).await
-        }
-        Err(ecstore::error::StorageError::BucketNotFound(bucket)) => {
-            error!("Bucket not found: {}", bucket);
-            Err(MyError::Custom {
-                message: format!("Bucket {} does not exist", bucket)
-            })
-        }
-        Err(e) => {
-            error!("Storage operation failed: {}", e);
-            Err(MyError::Storage(e))
-        }
-    }
-}
-```
-
-#### Error Aggregation and Reporting
-
-```rust
-// Collect and report multiple errors
-pub fn validate_configuration(config: &Config) -> Result<()> {
-    let mut errors = Vec::new();
-
-    if config.bucket_name.is_empty() {
-        errors.push("Bucket name cannot be empty");
-    }
-
-    if config.region.is_empty() {
-        errors.push("Region must be specified");
-    }
-
-    if !errors.is_empty() {
-        return Err(MyError::Custom {
-            message: format!("Configuration validation failed: {}", errors.join(", "))
-        });
-    }
-
-    Ok(())
-}
-```
-
-#### Contextual Error Information
-
-```rust
-// Add operation context to errors
-#[tracing::instrument(skip(self))]
-async fn upload_file(&self, bucket: &str, key: &str, data: Vec<u8>) -> Result<()> {
-    self.storage
-        .put_object(bucket, key, data)
-        .await
-        .map_err(|e| MyError::Custom {
-            message: format!("Failed to upload {}/{}: {}", bucket, key, e)
-        })
-}
-```
-
 ## Performance Optimization Guidelines

 ### 1. Memory Management
@@ -558,45 +372,6 @@ mod tests {
    fn test_with_cases(input: &str, expected: &str) {
        assert_eq!(function(input), expected);
    }
-
-    #[test]
-    fn test_error_conversion() {
-        use ecstore::error::StorageError;
-
-        let storage_err = StorageError::BucketNotFound("test-bucket".to_string());
-        let api_err: ApiError = storage_err.into();
-
-        assert_eq!(api_err.code, S3ErrorCode::NoSuchBucket);
-        assert!(api_err.message.contains("test-bucket"));
-        assert!(api_err.source.is_some());
-    }
-
-    #[test]
-    fn test_error_types() {
-        let io_err = std::io::Error::new(std::io::ErrorKind::NotFound, "file not found");
-        let my_err = MyError::Io(io_err);
-
-        // Test error matching
-        match my_err {
-            MyError::Io(_) => {}, // Expected
-            _ => panic!("Unexpected error type"),
-        }
-    }
-
-    #[test]
-    fn test_error_context() {
-        let result = process_with_context("nonexistent_file.txt");
-        assert!(result.is_err());
-
-        let err = result.unwrap_err();
-        match err {
-            MyError::Custom { message } => {
-                assert!(message.contains("Failed to read"));
-                assert!(message.contains("nonexistent_file.txt"));
-            }
-            _ => panic!("Expected Custom error"),
-        }
-    }
 }
 ```

@@ -829,17 +604,15 @@ async fn shutdown_gracefully(shutdown_rx: &mut Receiver<()>) {
 - Support version control and migration
 - Implement metadata caching

-These rules should serve as guiding principles when developing the RustFS project, ensuring code quality, performance, and maintainability.
+## Branch Management and Development Workflow

-### 4. Code Operations
-
-#### Branch Management
+### Branch Management

 - **🚨 CRITICAL: NEVER modify code directly on main or master branch - THIS IS ABSOLUTELY FORBIDDEN 🚨**
 - **⚠️ ANY DIRECT COMMITS TO MASTER/MAIN WILL BE REJECTED AND MUST BE REVERTED IMMEDIATELY ⚠️**
 - **🔒 ALL CHANGES MUST GO THROUGH PULL REQUESTS - NO DIRECT COMMITS TO MAIN UNDER ANY CIRCUMSTANCES 🔒**
 - **Always work on feature branches - NO EXCEPTIONS**
- Always check the .cursorrules file before starting to ensure you understand the project guidelines
+- Always check the .rules.md file before starting to ensure you understand the project guidelines
 - **MANDATORY workflow for ALL changes:**
   1. `git checkout main` (switch to main branch)
   2. `git pull` (get latest changes)
@@ -862,7 +635,7 @@ These rules should serve as guiding principles when developing the RustFS projec
  - Direct pushes to main should be blocked by repository settings
  - Any accidental direct commits to main must be immediately reverted via PR

-#### Development Workflow
+### Development Workflow

 ## 🎯 **Core Development Principles**

@@ -901,27 +674,29 @@ These rules should serve as guiding principles when developing the RustFS projec
  - Testing information and verification steps
 - **Provide PR descriptions in copyable markdown format** enclosed in code blocks for easy one-click copying

-## 🚫 AI 文档生成限制
+## 🚫 AI Documentation Generation Restrictions

-### 禁止生成总结文档
+### Forbidden Summary Documents

- **严格禁止创建任何形式的AI生成总结文档**
- **不得创建包含大量表情符号、详细格式化表格和典型AI风格的文档**
- **不得在项目中生成以下类型的文档：**
-  - 基准测试总结文档（BENCHMARK*.md）
-  - 实现对比分析文档（IMPLEMENTATION_COMPARISON*.md）
-  - 性能分析报告文档
-  - 架构总结文档
-  - 功能对比文档
-  - 任何带有大量表情符号和格式化内容的文档
- **如果需要文档，请只在用户明确要求时创建，并保持简洁实用的风格**
- **文档应当专注于实际需要的信息，避免过度格式化和装饰性内容**
- **任何发现的AI生成总结文档都应该立即删除**
+- **Strictly forbidden to create any form of AI-generated summary documents**
+- **Do not create documents containing large amounts of emoji, detailed formatting tables and typical AI style**
+- **Do not generate the following types of documents in the project:**
+  - Benchmark summary documents (BENCHMARK*.md)
+  - Implementation comparison analysis documents (IMPLEMENTATION_COMPARISON*.md)
+  - Performance analysis report documents
+  - Architecture summary documents
+  - Feature comparison documents
+  - Any documents with large amounts of emoji and formatted content
+- **If documentation is needed, only create when explicitly requested by the user, and maintain a concise and practical style**
+- **Documentation should focus on actually needed information, avoiding excessive formatting and decorative content**
+- **Any discovered AI-generated summary documents should be immediately deleted**

-### 允许的文档类型
+### Allowed Documentation Types

- README.md（项目介绍，保持简洁）
- 技术文档（仅在明确需要时创建）
- 用户手册（仅在明确需要时创建）
- API文档（从代码生成）
- 变更日志（CHANGELOG.md）
+- README.md (project introduction, keep concise)
+- Technical documentation (only create when explicitly needed)
+- User manual (only create when explicitly needed)
+- API documentation (generated from code)
+- Changelog (CHANGELOG.md)
+
+These rules should serve as guiding principles when developing the RustFS project, ensuring code quality, performance, and maintainability.
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -1,9 +1,31 @@
 {
-    // 使用 IntelliSense 了解相关属性。 
-    // 悬停以查看现有属性的描述。
-    // 欲了解更多信息，请访问: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
+          {
+            "type": "lldb",
+            "request": "launch",
+            "name": "Debug(only) executable 'rustfs'",
+            "env": {
+              "RUST_LOG": "rustfs=info,ecstore=info,s3s=info,iam=info",
+              "RUSTFS_SKIP_BACKGROUND_TASK": "on"
+              //"RUSTFS_OBS_LOG_DIRECTORY": "./deploy/logs",
+              // "RUSTFS_POLICY_PLUGIN_URL":"http://localhost:8181/v1/data/rustfs/authz/allow",
+              // "RUSTFS_POLICY_PLUGIN_AUTH_TOKEN":"your-opa-token"
+            },
+            "program": "${workspaceFolder}/target/debug/rustfs",
+            "args": [
+              "--access-key",
+              "rustfsadmin",
+              "--secret-key",
+              "rustfsadmin",
+              "--address",
+              "0.0.0.0:9010",
+              "--server-domains",
+              "127.0.0.1:9010",
+              "./target/volume/test{1...4}"
+            ],
+            "cwd": "${workspaceFolder}"
+        },
        {
            "type": "lldb",
            "request": "launch",
@@ -20,18 +42,22 @@
                }
            },
            "env": {
-                "RUST_LOG": "rustfs=debug,ecstore=info,s3s=debug"
+                "RUST_LOG": "rustfs=debug,ecstore=info,s3s=debug,iam=debug",
+                "RUSTFS_SKIP_BACKGROUND_TASK": "on",
+                //"RUSTFS_OBS_LOG_DIRECTORY": "./deploy/logs",
+                // "RUSTFS_POLICY_PLUGIN_URL":"http://localhost:8181/v1/data/rustfs/authz/allow",
+                // "RUSTFS_POLICY_PLUGIN_AUTH_TOKEN":"your-opa-token" 
            },
            "args": [
                "--access-key",
-                "AKEXAMPLERUSTFS",
+                "rustfsadmin",
                "--secret-key",
-                "SKEXAMPLERUSTFS",
+                "rustfsadmin",
                "--address",
                "0.0.0.0:9010",
-                "--domain-name",
+                "--server-domains",
                "127.0.0.1:9010",
-                "./target/volume/test{0...4}"
+                "./target/volume/test{1...4}"
            ],
            "cwd": "${workspaceFolder}"
        },
@@ -63,12 +89,8 @@
                    "test",
                    "--no-run",
                    "--lib",
-                    "--package=ecstore"
-                ],
-                "filter": {
-                    "name": "ecstore",
-                    "kind": "lib"
-                }
+                    "--package=rustfs-ecstore"
+                ]
            },
            "args": [],
            "cwd": "${workspaceFolder}"
@@ -82,6 +104,39 @@
            "cwd": "${workspaceFolder}",
            //"stopAtEntry": false,
            //"preLaunchTask": "cargo build",
+            "env": {
+                "RUSTFS_ACCESS_KEY": "rustfsadmin",
+                "RUSTFS_SECRET_KEY": "rustfsadmin",
+                "RUSTFS_VOLUMES": "./target/volume/test{1...4}",
+                "RUSTFS_ADDRESS": ":9000",
+                "RUSTFS_CONSOLE_ENABLE": "true",
+                // "RUSTFS_OBS_TRACE_ENDPOINT": "http://127.0.0.1:4318/v1/traces", // jeager otlp http endpoint
+                // "RUSTFS_OBS_METRIC_ENDPOINT": "http://127.0.0.1:4318/v1/metrics", // default otlp http endpoint
+                // "RUSTFS_OBS_LOG_ENDPOINT": "http://127.0.0.1:4318/v1/logs", // default otlp http endpoint
+                // "RUSTFS_COMPRESS_ENABLE": "true",
+                "RUSTFS_CONSOLE_ADDRESS": "127.0.0.1:9001",
+                "RUSTFS_OBS_LOG_DIRECTORY": "./target/logs",
+            },
+            "sourceLanguages": [
+                "rust"
+            ],
+        },
+        {
+            "name": "Debug executable target/debug/test",
+            "type":  "lldb",
+            "request": "launch",
+            "program": "${workspaceFolder}/target/debug/deps/lifecycle_integration_test-5915cbfcab491b3b",
+            "args": [
+              "--skip",
+              "test_lifecycle_expiry_basic",
+              "--skip",
+              "test_lifecycle_expiry_deletemarker",
+              //"--skip",
+              //"test_lifecycle_transition_basic",
+            ],
+            "cwd": "${workspaceFolder}",
+            //"stopAtEntry": false,
+            //"preLaunchTask": "cargo build",
            "sourceLanguages": [
                "rust"
            ],
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -0,0 +1,25 @@
+# Repository Guidelines
+
+## Communication Rules
+- Respond to the user in Chinese; use English in all other contexts.
+- Code and documentation must be written in English only. Chinese text is allowed solely as test data/fixtures when a case explicitly requires Chinese-language content for validation.
+
+## Project Structure & Module Organization
+The workspace root hosts shared dependencies in `Cargo.toml`. The service binary lives under `rustfs/src/main.rs`, while reusable crates sit in `crates/` (`crypto`, `iam`, `kms`, and `e2e_test`). Local fixtures for standalone flows reside in `test_standalone/`, deployment manifests are under `deploy/`, Docker assets sit at the root, and automation lives in `scripts/`. Skim each crate’s README or module docs before contributing changes.
+
+## Build, Test, and Development Commands
+Run `cargo check --all-targets` for fast validation. Build release binaries via `cargo build --release` or the pipeline-aligned `make build`. Use `./build-rustfs.sh --dev` for iterative development and `./build-rustfs.sh --platform <target>` for cross-compiles. Prefer `make pre-commit` before pushing to cover formatting, clippy, checks, and tests.
+Always ensure `cargo fmt --all --check`, `cargo test --workspace --exclude e2e_test`, and `cargo clippy --all-targets --all-features -- -D warnings` complete successfully after each code change to keep the tree healthy and warning-free.
+
+## Coding Style & Naming Conventions
+Formatting follows the repo `rustfmt.toml` (130-column width). Use `snake_case` for items, `PascalCase` for types, and `SCREAMING_SNAKE_CASE` for constants. Avoid `unwrap()` or `expect()` outside tests; bubble errors with `Result` and crate-specific `thiserror` types. Keep async code non-blocking and offload CPU-heavy work with `tokio::task::spawn_blocking` when necessary.
+
+## Testing Guidelines
+Co-locate unit tests with their modules and give behavior-led names such as `handles_expired_token`. Integration suites belong in each crate’s `tests/` directory, while exhaustive end-to-end scenarios live in `crates/e2e_test/`. Run `cargo test --workspace --exclude e2e_test` during iteration, `cargo nextest run --all --exclude e2e_test` when available, and finish with `cargo test --all` before requesting review. Use `NO_PROXY=127.0.0.1,localhost HTTP_PROXY= HTTPS_PROXY=` for KMS e2e tests.
+When fixing bugs or adding features, include regression tests that capture the new behavior so future changes cannot silently break it.
+
+## Commit & Pull Request Guidelines
+Work on feature branches (e.g., `feat/...`) after syncing `main`. Follow Conventional Commits under 72 characters (e.g., `feat: add kms key rotation`). Each commit must compile, format cleanly, and pass `make pre-commit`. Open PRs with a concise summary, note verification commands, link relevant issues, and wait for reviewer approval.
+
+## Security & Configuration Tips
+Do not commit secrets or cloud credentials; prefer environment variables or vault tooling. Review IAM- and KMS-related changes with a second maintainer. Confirm proxy settings before running sensitive tests to avoid leaking traffic outside localhost.
--- a/CLA.md
+++ b/CLA.md
@@ -1,39 +1,88 @@
 RustFS Individual Contributor License Agreement

-Thank you for your interest in contributing documentation and related software code to a project hosted or managed by RustFS. In order to clarify the intellectual property license granted with Contributions from any person or entity, RustFS must have a Contributor License Agreement (“CLA”) on file that has been signed by each Contributor, indicating agreement to the license terms below. This version of the Contributor License Agreement allows an individual to submit Contributions to the applicable project. If you are making a submission on behalf of a legal entity, then you should sign the separate Corporate Contributor License Agreement.
+Thank you for your interest in contributing documentation and related software code to a project hosted or managed by
+RustFS. In order to clarify the intellectual property license granted with Contributions from any person or entity,
+RustFS must have a Contributor License Agreement ("CLA") on file that has been signed by each Contributor, indicating
+agreement to the license terms below. This version of the Contributor License Agreement allows an individual to submit
+Contributions to the applicable project. If you are making a submission on behalf of a legal entity, then you should
+sign the separate Corporate Contributor License Agreement.

-You accept and agree to the following terms and conditions for Your present and future Contributions submitted to RustFS. You hereby irrevocably assign and transfer to RustFS all right, title, and interest in and to Your Contributions, including all copyrights and other intellectual property rights therein.
+You accept and agree to the following terms and conditions for Your present and future Contributions submitted to
+RustFS. You hereby irrevocably assign and transfer to RustFS all right, title, and interest in and to Your
+Contributions, including all copyrights and other intellectual property rights therein.

 Definitions

-“You” (or “Your”) shall mean the copyright owner or legal entity authorized by the copyright owner that is making this Agreement with RustFS. For legal entities, the entity making a Contribution and all other entities that control, are controlled by, or are under common control with that entity are considered to be a single Contributor. For the purposes of this definition, “control” means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
+“You” (or “Your”) shall mean the copyright owner or legal entity authorized by the copyright owner that is making this
+Agreement with RustFS. For legal entities, the entity making a Contribution and all other entities that control, are
+controlled by, or are under common control with that entity are considered to be a single Contributor. For the purposes
+of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such
+entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares,
+or (iii) beneficial ownership of such entity.

-“Contribution” shall mean any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to RustFS for inclusion in, or documentation of, any of the products or projects owned or managed by RustFS (the “Work”), including without limitation any Work described in Schedule A. For the purposes of this definition, “submitted” means any form of electronic or written communication sent to RustFS or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, RustFS for the purpose of discussing and improving the Work.
+“Contribution” shall mean any original work of authorship, including any modifications or additions to an existing work,
+that is intentionally submitted by You to RustFS for inclusion in, or documentation of, any of the products or projects
+owned or managed by RustFS (the "Work"), including without limitation any Work described in Schedule A. For the purposes
+of this definition, "submitted" means any form of electronic or written communication sent to RustFS or its
+representatives, including but not limited to communication on electronic mailing lists, source code control systems,
+and issue tracking systems that are managed by, or on behalf of, RustFS for the purpose of discussing and improving the
+Work.

 Assignment of Copyright

-Subject to the terms and conditions of this Agreement, You hereby irrevocably assign and transfer to RustFS all right, title, and interest in and to Your Contributions, including all copyrights and other intellectual property rights therein, for the entire term of such rights, including all renewals and extensions. You agree to execute all documents and take all actions as may be reasonably necessary to vest in RustFS the ownership of Your Contributions and to assist RustFS in perfecting, maintaining, and enforcing its rights in Your Contributions.
+Subject to the terms and conditions of this Agreement, You hereby irrevocably assign and transfer to RustFS all right,
+title, and interest in and to Your Contributions, including all copyrights and other intellectual property rights
+therein, for the entire term of such rights, including all renewals and extensions. You agree to execute all documents
+and take all actions as may be reasonably necessary to vest in RustFS the ownership of Your Contributions and to assist
+RustFS in perfecting, maintaining, and enforcing its rights in Your Contributions.

 Grant of Patent License

-Subject to the terms and conditions of this Agreement, You hereby grant to RustFS and to recipients of documentation and software distributed by RustFS a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by You that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
+Subject to the terms and conditions of this Agreement, You hereby grant to RustFS and to recipients of documentation and
+software distributed by RustFS a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as
+stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the
+Work, where such license applies only to those patent claims licensable by You that are necessarily infringed by Your
+Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was
+submitted. If any entity institutes patent litigation against You or any other entity (including a cross-claim or
+counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes
+direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for
+that Contribution or Work shall terminate as of the date such litigation is filed.

 You represent that you are legally entitled to grant the above assignment and license.

-You represent that each of Your Contributions is Your original creation (see section 7 for submissions on behalf of others). You represent that Your Contribution submissions include complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which you are personally aware and which are associated with any part of Your Contributions.
+You represent that each of Your Contributions is Your original creation (see section 7 for submissions on behalf of
+others). You represent that Your Contribution submissions include complete details of any third-party license or other
+restriction (including, but not limited to, related patents and trademarks) of which you are personally aware and which
+are associated with any part of Your Contributions.

-You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
+You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You
+may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You
+provide Your Contributions on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied,
+including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR
+A PARTICULAR PURPOSE.

-Should You wish to submit work that is not Your original creation, You may submit it to RustFS separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously marking the work as “Submitted on behalf of a third-party: [named here]”.
+Should You wish to submit work that is not Your original creation, You may submit it to RustFS separately from any
+Contribution, identifying the complete details of its source and of any license or other restriction (including, but not
+limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously
+marking the work as "Submitted on behalf of a third-party: [named here]”.

-You agree to notify RustFS of any facts or circumstances of which you become aware that would make these representations inaccurate in any respect.
+You agree to notify RustFS of any facts or circumstances of which you become aware that would make these representations
+inaccurate in any respect.

 Modification of CLA

-RustFS reserves the right to update or modify this CLA in the future. Any updates or modifications to this CLA shall apply only to Contributions made after the effective date of the revised CLA. Contributions made prior to the update shall remain governed by the version of the CLA that was in effect at the time of submission. It is not necessary for all Contributors to re-sign the CLA when the CLA is updated or modified.
+RustFS reserves the right to update or modify this CLA in the future. Any updates or modifications to this CLA shall
+apply only to Contributions made after the effective date of the revised CLA. Contributions made prior to the update
+shall remain governed by the version of the CLA that was in effect at the time of submission. It is not necessary for
+all Contributors to re-sign the CLA when the CLA is updated or modified.

 Governing Law and Dispute Resolution

-This Agreement will be governed by and construed in accordance with the laws of the People’s Republic of China excluding that body of laws known as conflict of laws. The parties expressly agree that the United Nations Convention on Contracts for the International Sale of Goods will not apply. Any legal action or proceeding arising under this Agreement will be brought exclusively in the courts located in Beijing, China, and the parties hereby irrevocably consent to the personal jurisdiction and venue therein.
+This Agreement will be governed by and construed in accordance with the laws of the People's Republic of China excluding
+that body of laws known as conflict of laws. The parties expressly agree that the United Nations Convention on Contracts
+for the International Sale of Goods will not apply. Any legal action or proceeding arising under this Agreement will be
+brought exclusively in the courts located in Beijing, China, and the parties hereby irrevocably consent to the personal
+jurisdiction and venue therein.

-For your reading convenience, this Agreement is written in parallel English and Chinese sections. To the extent there is a conflict between the English and Chinese sections, the English sections shall govern.
+For your reading convenience, this Agreement is written in parallel English and Chinese sections. To the extent there is
+a conflict between the English and Chinese sections, the English sections shall govern.
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1,275 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+RustFS is a high-performance distributed object storage software built with Rust, providing S3-compatible APIs and
+advanced features like data lakes, AI, and big data support. It's designed as an alternative to MinIO with better
+performance and a more business-friendly Apache 2.0 license.
+
+## Build Commands
+
+### Primary Build Commands
+
+- `cargo build --release` - Build the main RustFS binary
+- `./build-rustfs.sh` - Recommended build script that handles console resources and cross-platform compilation
+- `./build-rustfs.sh --dev` - Development build with debug symbols
+- `make build` or `just build` - Use Make/Just for standardized builds
+
+### Platform-Specific Builds
+
+- `./build-rustfs.sh --platform x86_64-unknown-linux-musl` - Build for musl target
+- `./build-rustfs.sh --platform aarch64-unknown-linux-gnu` - Build for ARM64
+- `make build-musl` or `just build-musl` - Build musl variant
+- `make build-cross-all` - Build all supported architectures
+
+### Testing Commands
+
+- `cargo test --workspace --exclude e2e_test` - Run unit tests (excluding e2e tests)
+- `cargo nextest run --all --exclude e2e_test` - Use nextest if available (faster)
+- `cargo test --all --doc` - Run documentation tests
+- `make test` or `just test` - Run full test suite
+- `make pre-commit` - Run all quality checks (fmt, clippy, check, test)
+
+### End-to-End Testing
+
+- `cargo test --package e2e_test` - Run all e2e tests
+- `./scripts/run_e2e_tests.sh` - Run e2e tests via script
+- `./scripts/run_scanner_benchmarks.sh` - Run scanner performance benchmarks
+
+### KMS-Specific Testing (with proxy bypass)
+
+-
+`NO_PROXY=127.0.0.1,localhost HTTP_PROXY= HTTPS_PROXY= http_proxy= https_proxy= cargo test --package e2e_test test_local_kms_end_to_end -- --nocapture --test-threads=1` -
+Run complete KMS end-to-end test
+-
+`NO_PROXY=127.0.0.1,localhost HTTP_PROXY= HTTPS_PROXY= http_proxy= https_proxy= cargo test --package e2e_test kms:: -- --nocapture --test-threads=1` -
+Run all KMS tests
+- `cargo test --package e2e_test test_local_kms_key_isolation -- --nocapture --test-threads=1` - Test KMS key isolation
+- `cargo test --package e2e_test test_local_kms_large_file -- --nocapture --test-threads=1` - Test KMS with large files
+
+### Code Quality
+
+- `cargo fmt --all` - Format code
+- `cargo clippy --all-targets --all-features -- -D warnings` - Lint code
+- `make pre-commit` or `just pre-commit` - Run all quality checks (fmt, clippy, check, test)
+
+### Quick Development Commands
+
+- `make help` or `just help` - Show all available commands with descriptions
+- `make help-build` - Show detailed build options and cross-compilation help
+- `make help-docker` - Show comprehensive Docker build and deployment options
+- `./scripts/dev_deploy.sh <IP>` - Deploy development build to remote server
+- `./scripts/run.sh` - Start local development server
+- `./scripts/probe.sh` - Health check and connectivity testing
+
+### Docker Build Commands
+
+- `make docker-buildx` - Build multi-architecture production images
+- `make docker-dev-local` - Build development image for local use
+- `./docker-buildx.sh --push` - Build and push production images
+
+## Architecture Overview
+
+### Core Components
+
+**Main Binary (`rustfs/`):**
+
+- Entry point at `rustfs/src/main.rs`
+- Core modules: admin, auth, config, server, storage, license management, profiling
+- HTTP server with S3-compatible APIs
+- Service state management and graceful shutdown
+- Parallel service initialization with DNS resolver, bucket metadata, and IAM
+
+**Key Crates (`crates/`):**
+
+- `ecstore` - Erasure coding storage implementation (core storage layer)
+- `iam` - Identity and Access Management
+- `kms` - Key Management Service for encryption and key handling
+- `madmin` - Management dashboard and admin API interface
+- `s3select-api` & `s3select-query` - S3 Select API and query engine
+- `config` - Configuration management with notify features
+- `crypto` - Cryptography and security features
+- `lock` - Distributed locking implementation
+- `filemeta` - File metadata management
+- `rio` - Rust I/O utilities and abstractions
+- `common` - Shared utilities and data structures
+- `protos` - Protocol buffer definitions
+- `audit-logger` - Audit logging for file operations
+- `notify` - Event notification system
+- `obs` - Observability utilities
+- `workers` - Worker thread pools and task scheduling
+- `appauth` - Application authentication and authorization
+- `ahm` - Asynchronous Hash Map for concurrent data structures
+- `mcp` - MCP server for S3 operations
+- `signer` - Client request signing utilities
+- `checksums` - Client checksum calculation utilities
+- `utils` - General utility functions and helpers
+- `zip` - ZIP file handling and compression
+- `targets` - Target-specific configurations and utilities
+
+### Build System
+
+- Cargo workspace with 25+ crates (including new KMS functionality)
+- Custom `build-rustfs.sh` script for advanced build options
+- Multi-architecture Docker builds via `docker-buildx.sh`
+- Both Make and Just task runners supported with comprehensive help
+- Cross-compilation support for multiple Linux targets
+- Automated CI/CD with GitHub Actions for testing, building, and Docker publishing
+- Performance benchmarking and audit workflows
+
+### Key Dependencies
+
+- `axum` - HTTP framework for S3 API server
+- `tokio` - Async runtime
+- `s3s` - S3 protocol implementation library
+- `datafusion` - For S3 Select query processing
+- `hyper`/`hyper-util` - HTTP client/server utilities
+- `rustls` - TLS implementation
+- `serde`/`serde_json` - Serialization
+- `tracing` - Structured logging and observability
+- `pprof` - Performance profiling with flamegraph support
+- `tikv-jemallocator` - Memory allocator for Linux GNU builds
+
+### Development Workflow
+
+- Console resources are embedded during build via `rust-embed`
+- Protocol buffers generated via custom `gproto` binary
+- E2E tests in separate crate (`e2e_test`) with comprehensive KMS testing
+- Shadow build for version/metadata embedding
+- Support for both GNU and musl libc targets
+- Development scripts in `scripts/` directory for common tasks
+- Git hooks setup available via `make setup-hooks` or `just setup-hooks`
+
+### Performance & Observability
+
+- Performance profiling available with `pprof` integration (disabled on Windows)
+- Profiling enabled via environment variables in production
+- Built-in observability with OpenTelemetry integration
+- Background services (scanner, heal) can be controlled via environment variables:
+    - `RUSTFS_ENABLE_SCANNER` (default: true)
+    - `RUSTFS_ENABLE_HEAL` (default: true)
+
+### Service Architecture
+
+- Service state management with graceful shutdown handling
+- Parallel initialization of core systems (DNS, bucket metadata, IAM)
+- Event notification system with MQTT and webhook support
+- Auto-heal and data scanner for storage integrity
+- Jemalloc allocator for Linux GNU targets for better performance
+
+## Environment Variables
+
+- `RUSTFS_ENABLE_SCANNER` - Enable/disable background data scanner (default: true)
+- `RUSTFS_ENABLE_HEAL` - Enable/disable auto-heal functionality (default: true)
+- Various profiling and observability controls
+- Build-time variables for Docker builds (RELEASE, REGISTRY, etc.)
+- Test environment configurations in `scripts/dev_rustfs.env`
+
+### KMS Environment Variables
+
+- `NO_PROXY=127.0.0.1,localhost` - Required for KMS E2E tests to bypass proxy
+- `HTTP_PROXY=` `HTTPS_PROXY=` `http_proxy=` `https_proxy=` - Clear proxy settings for local KMS testing
+
+## KMS (Key Management Service) Architecture
+
+### KMS Implementation Status
+
+- **Full KMS Integration:** Complete implementation with Local and Vault backends
+- **Automatic Configuration:** KMS auto-configures on startup with `--kms-enable` flag
+- **Encryption Support:** Full S3-compatible server-side encryption (SSE-S3, SSE-KMS, SSE-C)
+- **Admin API:** Complete KMS management via HTTP admin endpoints
+- **Production Ready:** Comprehensive testing including large files and key isolation
+
+### KMS Configuration
+
+- **Local Backend:** `--kms-backend local --kms-key-dir <path> --kms-default-key-id <id>`
+- **Vault Backend:** `--kms-backend vault --kms-vault-endpoint <url> --kms-vault-key-name <name>`
+- **Auto-startup:** KMS automatically initializes when `--kms-enable` is provided
+- **Manual Configuration:** Also supports dynamic configuration via admin API
+
+### S3 Encryption Support
+
+- **SSE-S3:** Server-side encryption with S3-managed keys (`ServerSideEncryption: AES256`)
+- **SSE-KMS:** Server-side encryption with KMS-managed keys (`ServerSideEncryption: aws:kms`)
+- **SSE-C:** Server-side encryption with customer-provided keys
+- **Response Headers:** All encryption types return correct `server_side_encryption` headers in PUT/GET responses
+
+### KMS Testing Architecture
+
+- **Comprehensive E2E Tests:** Located in `crates/e2e_test/src/kms/`
+- **Test Environments:** Automated test environment setup with temporary directories
+- **Encryption Coverage:** Tests all three encryption types (SSE-S3, SSE-KMS, SSE-C)
+- **API Coverage:** Tests all KMS admin APIs (CreateKey, DescribeKey, ListKeys, etc.)
+- **Edge Cases:** Key isolation, large file handling, error scenarios
+
+### Key Files for KMS
+
+- `crates/kms/` - Core KMS implementation with Local/Vault backends
+- `rustfs/src/main.rs` - KMS auto-initialization in `init_kms_system()`
+- `rustfs/src/storage/ecfs.rs` - SSE encryption/decryption in PUT/GET operations
+- `rustfs/src/admin/handlers/kms*.rs` - KMS admin endpoints
+- `crates/e2e_test/src/kms/` - Comprehensive KMS test suite
+- `crates/rio/src/encrypt_reader.rs` - Streaming encryption for large files
+
+## Code Style and Safety Requirements
+
+- **Language Requirements:**
+    - Communicate with me in Chinese, but **only English can be used in code files**
+    - Code comments, function names, variable names, and all text in source files must be in English only
+    - No Chinese characters, emojis, or non-ASCII characters are allowed in any source code files
+    - This includes comments, strings, documentation, and any other text within code files
+- **Safety-Critical Rules:**
+    - `unsafe_code = "deny"` enforced at workspace level
+    - Never use `unwrap()`, `expect()`, or panic-inducing code except in tests
+    - Avoid blocking I/O operations in async contexts
+    - Use proper error handling with `Result<T, E>` and `Option<T>`
+    - Follow Rust's ownership and borrowing rules strictly
+- **Performance Guidelines:**
+    - Use `cargo clippy --all-targets --all-features -- -D warnings` to catch issues
+    - Prefer `anyhow` for error handling in applications, `thiserror` for libraries
+    - Use appropriate async runtimes and avoid blocking calls
+- **Testing Standards:**
+    - All new features must include comprehensive tests
+    - Use `#[cfg(test)]` for test-only code that may use panic macros
+    - E2E tests should cover KMS integration scenarios
+
+## Common Development Tasks
+
+### Running KMS Tests Locally
+
+1. **Clear proxy settings:** KMS tests require direct localhost connections
+2. **Use serial execution:** `--test-threads=1` prevents port conflicts
+3. **Enable output:** `--nocapture` shows detailed test logs
+4. **Full command:**
+   `NO_PROXY=127.0.0.1,localhost HTTP_PROXY= HTTPS_PROXY= http_proxy= https_proxy= cargo test --package e2e_test test_local_kms_end_to_end -- --nocapture --test-threads=1`
+
+### KMS Development Workflow
+
+1. **Code changes:** Modify KMS-related code in `crates/kms/` or `rustfs/src/`
+2. **Compile:** Always run `cargo build` after changes
+3. **Test specific functionality:** Use targeted test commands for faster iteration
+4. **Full validation:** Run complete end-to-end tests before commits
+
+### Debugging KMS Issues
+
+- **Server startup:** Check that KMS auto-initializes with debug logs
+- **Encryption failures:** Verify SSE headers are correctly set in both PUT and GET responses
+- **Test failures:** Use `--nocapture` to see detailed error messages
+- **Key management:** Test admin API endpoints with proper authentication
+
+## Important Reminders
+
+- **Always compile after code changes:** Use `cargo build` to catch errors early
+- **Don't bypass tests:** All functionality must be properly tested, not worked around
+- **Use proper error handling:** Never use `unwrap()` or `expect()` in production code (except tests)
+- **Follow S3 compatibility:** Ensure all encryption types return correct HTTP response headers
+
+# important-instruction-reminders
+
+Do what has been asked; nothing more, nothing less.
+NEVER create files unless they're absolutely necessary for achieving your goal.
+ALWAYS prefer editing an existing file to creating a new one.
+NEVER proactively create documentation files (*.md) or README files. Only create documentation files if explicitly
+requested by the User.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,6 +2,8 @@

 ## 📋 Code Quality Requirements

+For instructions on setting up and running the local development environment, please see [Development Guide](docs/DEVELOPMENT.md).
+
 ### 🔧 Code Formatting Rules

 **MANDATORY**: All code must be properly formatted before committing. This project enforces strict formatting standards to maintain code consistency and readability.
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -15,10 +15,11 @@
 [workspace]
 members = [
    "rustfs", # Core file system implementation
-    "cli/rustfs-gui", # Graphical user interface client
    "crates/appauth", # Application authentication and authorization
+    "crates/audit", # Audit target management system with multi-target fan-out
    "crates/common", # Shared utilities and data structures
    "crates/config", # Configuration management
+    "crates/credentials", # Credential management system
    "crates/crypto", # Cryptography and security features
    "crates/ecstore", # Erasure coding storage implementation
    "crates/e2e_test", # End-to-end test suite
@@ -28,15 +29,20 @@ members = [
    "crates/madmin", # Management dashboard and admin API interface
    "crates/notify", # Notification system for events
    "crates/obs", # Observability utilities
+    "crates/policy", # Policy management
    "crates/protos", # Protocol buffer definitions
    "crates/rio", # Rust I/O utilities and abstractions
+    "crates/targets", # Target-specific configurations and utilities
    "crates/s3select-api", # S3 Select API interface
    "crates/s3select-query", # S3 Select query engine
    "crates/signer", # client signer
+    "crates/checksums", # client checksums
    "crates/utils", # Utility functions and helpers
    "crates/workers", # Worker thread pools and task scheduling
    "crates/zip", # ZIP file handling and compression
-    "crates/ahm",
+    "crates/ahm", # Asynchronous Hash Map for concurrent data structures
+    "crates/mcp", # MCP server for S3 operations
+    "crates/kms", # Key Management Service
 ]
 resolver = "2"

@@ -57,226 +63,222 @@ unsafe_code = "deny"
 [workspace.lints.clippy]
 all = "warn"

-[patch.crates-io]
-rustfs-utils = { path = "crates/utils" }
-rustfs-filemeta = { path = "crates/filemeta" }
-rustfs-rio = { path = "crates/rio" }
-
 [workspace.dependencies]
+# RustFS Internal Crates
+rustfs = { path = "./rustfs", version = "0.0.5" }
 rustfs-ahm = { path = "crates/ahm", version = "0.0.5" }
-rustfs-s3select-api = { path = "crates/s3select-api", version = "0.0.5" }
 rustfs-appauth = { path = "crates/appauth", version = "0.0.5" }
+rustfs-audit = { path = "crates/audit", version = "0.0.5" }
+rustfs-checksums = { path = "crates/checksums", version = "0.0.5" }
 rustfs-common = { path = "crates/common", version = "0.0.5" }
+rustfs-config = { path = "./crates/config", version = "0.0.5" }
+rustfs-credentials = { path = "crates/credentials", version = "0.0.5" }
 rustfs-crypto = { path = "crates/crypto", version = "0.0.5" }
 rustfs-ecstore = { path = "crates/ecstore", version = "0.0.5" }
+rustfs-filemeta = { path = "crates/filemeta", version = "0.0.5" }
 rustfs-iam = { path = "crates/iam", version = "0.0.5" }
+rustfs-kms = { path = "crates/kms", version = "0.0.5" }
 rustfs-lock = { path = "crates/lock", version = "0.0.5" }
 rustfs-madmin = { path = "crates/madmin", version = "0.0.5" }
+rustfs-mcp = { path = "crates/mcp", version = "0.0.5" }
+rustfs-notify = { path = "crates/notify", version = "0.0.5" }
+rustfs-obs = { path = "crates/obs", version = "0.0.5" }
 rustfs-policy = { path = "crates/policy", version = "0.0.5" }
 rustfs-protos = { path = "crates/protos", version = "0.0.5" }
-rustfs-s3select-query = { path = "crates/s3select-query", version = "0.0.5" }
-rustfs = { path = "./rustfs", version = "0.0.5" }
-rustfs-zip = { path = "./crates/zip", version = "0.0.5" }
-rustfs-config = { path = "./crates/config", version = "0.0.5" }
-rustfs-obs = { path = "crates/obs", version = "0.0.5" }
-rustfs-notify = { path = "crates/notify", version = "0.0.5" }
-rustfs-utils = { path = "crates/utils", version = "0.0.5" }
 rustfs-rio = { path = "crates/rio", version = "0.0.5" }
-rustfs-filemeta = { path = "crates/filemeta", version = "0.0.5" }
+rustfs-s3select-api = { path = "crates/s3select-api", version = "0.0.5" }
+rustfs-s3select-query = { path = "crates/s3select-query", version = "0.0.5" }
 rustfs-signer = { path = "crates/signer", version = "0.0.5" }
+rustfs-targets = { path = "crates/targets", version = "0.0.5" }
+rustfs-utils = { path = "crates/utils", version = "0.0.5" }
 rustfs-workers = { path = "crates/workers", version = "0.0.5" }
-aes-gcm = { version = "0.10.3", features = ["std"] }
-arc-swap = "1.7.1"
-argon2 = { version = "0.5.3", features = ["std"] }
-atoi = "2.0.0"
+rustfs-zip = { path = "./crates/zip", version = "0.0.5" }
+
+# Async Runtime and Networking
 async-channel = "2.5.0"
+async-compression = { version = "0.4.19" }
 async-recursion = "1.1.1"
-async-trait = "0.1.88"
-async-compression = { version = "0.4.0" }
-atomic_enum = "0.3.0"
-aws-sdk-s3 = "1.96.0"
-axum = "0.8.4"
-axum-extra = "0.10.1"
-axum-server = { version = "0.7.2", features = ["tls-rustls"] }
-base64-simd = "0.8.0"
-base64 = "0.22.1"
-brotli = "8.0.1"
-bytes = { version = "1.10.1", features = ["serde"] }
-bytesize = "2.0.1"
-byteorder = "1.5.0"
-cfg-if = "1.0.1"
-chacha20poly1305 = { version = "0.10.1" }
-chrono = { version = "0.4.41", features = ["serde"] }
-clap = { version = "4.5.41", features = ["derive", "env"] }
-const-str = { version = "0.6.3", features = ["std", "proc"] }
-crc32fast = "1.5.0"
-criterion = { version = "0.5", features = ["html_reports"] }
-dashmap = "6.1.0"
-datafusion = "46.0.1"
-derive_builder = "0.20.2"
-dioxus = { version = "0.6.3", features = ["router"] }
-dirs = "6.0.0"
-enumset = "1.1.7"
-flatbuffers = "25.2.10"
-flate2 = "1.1.2"
-flexi_logger = { version = "0.31.2", features = ["trc", "dont_minimize_extra_stacks"] }
-form_urlencoded = "1.2.1"
+async-trait = "0.1.89"
+axum = "0.8.8"
+axum-server = { version = "0.8.0", features = ["tls-rustls-no-provider"], default-features = false }
 futures = "0.3.31"
 futures-core = "0.3.31"
 futures-util = "0.3.31"
-glob = "0.3.2"
-hex = "0.4.3"
+pollster = "0.4.0"
+hyper = { version = "1.8.1", features = ["http2", "http1", "server"] }
+hyper-rustls = { version = "0.27.7", default-features = false, features = ["native-tokio", "http1", "tls12", "logging", "http2", "ring", "webpki-roots"] }
+hyper-util = { version = "0.1.19", features = ["tokio", "server-auto", "server-graceful"] }
+http = "1.4.0"
+http-body = "1.0.1"
+http-body-util = "0.1.3"
+reqwest = { version = "0.12.28", default-features = false, features = ["rustls-tls-webpki-roots", "charset", "http2", "system-proxy", "stream", "json", "blocking"] }
+socket2 = "0.6.1"
+tokio = { version = "1.48.0", features = ["fs", "rt-multi-thread"] }
+tokio-rustls = { version = "0.26.4", default-features = false, features = ["logging", "tls12", "ring"] }
+tokio-stream = { version = "0.1.17" }
+tokio-test = "0.4.4"
+tokio-util = { version = "0.7.17", features = ["io", "compat"] }
+tonic = { version = "0.14.2", features = ["gzip"] }
+tonic-prost = { version = "0.14.2" }
+tonic-prost-build = { version = "0.14.2" }
+tower = { version = "0.5.2", features = ["timeout"] }
+tower-http = { version = "0.6.8", features = ["cors"] }
+
+# Serialization and Data Formats
+bytes = { version = "1.11.0", features = ["serde"] }
+bytesize = "2.3.1"
+byteorder = "1.5.0"
+flatbuffers = "25.12.19"
+form_urlencoded = "1.2.2"
+prost = "0.14.1"
+quick-xml = "0.38.4"
+rmcp = { version = "0.12.0" }
+rmp = { version = "0.8.15" }
+rmp-serde = { version = "1.3.1" }
+serde = { version = "1.0.228", features = ["derive"] }
+serde_json = { version = "1.0.148", features = ["raw_value"] }
+serde_urlencoded = "0.7.1"
+schemars = "1.2.0"
+
+# Cryptography and Security
+aes-gcm = { version = "0.11.0-rc.2", features = ["rand_core"] }
+argon2 = { version = "0.6.0-rc.5" }
+blake3 = { version = "1.8.2", features = ["rayon", "mmap"] }
+chacha20poly1305 = { version = "0.11.0-rc.2" }
+crc-fast = "1.6.0"
+hmac = { version = "0.13.0-rc.3" }
+jsonwebtoken = { version = "10.2.0", features = ["rust_crypto"] }
+pbkdf2 = "0.13.0-rc.5"
+rsa = { version = "0.10.0-rc.10" }
+rustls = { version = "0.23.35", features = ["ring", "logging", "std", "tls12"], default-features = false }
+rustls-pemfile = "2.2.0"
+rustls-pki-types = "1.13.2"
+sha1 = "0.11.0-rc.3"
+sha2 = "0.11.0-rc.3"
+subtle = "2.6"
+zeroize = { version = "1.8.2", features = ["derive"] }
+
+# Time and Date
+chrono = { version = "0.4.42", features = ["serde"] }
+humantime = "2.3.0"
+time = { version = "0.3.44", features = ["std", "parsing", "formatting", "macros", "serde"] }
+
+# Utilities and Tools
+anyhow = "1.0.100"
+arc-swap = "1.8.0"
+astral-tokio-tar = "0.5.6"
+atoi = "2.0.0"
+atomic_enum = "0.3.0"
+aws-config = { version = "1.8.12" }
+aws-credential-types = { version = "1.2.11" }
+aws-sdk-s3 = { version = "1.119.0", default-features = false, features = ["sigv4a", "rustls", "rt-tokio"] }
+aws-smithy-types = { version = "1.3.5" }
+base64 = "0.22.1"
+base64-simd = "0.8.0"
+brotli = "8.0.2"
+cfg-if = "1.0.4"
+clap = { version = "4.5.53", features = ["derive", "env"] }
+const-str = { version = "0.7.1", features = ["std", "proc"] }
+convert_case = "0.10.0"
+criterion = { version = "0.8", features = ["html_reports"] }
+crossbeam-queue = "0.3.12"
+datafusion = "51.0.0"
+derive_builder = "0.20.2"
+enumset = "1.1.10"
+faster-hex = "0.10.0"
+flate2 = "1.1.5"
+flexi_logger = { version = "0.31.7", features = ["trc", "dont_minimize_extra_stacks", "compress", "kv", "json"] }
+glob = "0.3.3"
+google-cloud-storage = "1.5.0"
+google-cloud-auth = "1.3.0"
+hashbrown = { version = "0.16.1", features = ["serde", "rayon"] }
+heed = { version = "0.22.0" }
 hex-simd = "0.8.0"
 highway = { version = "1.3.0" }
-hmac = "0.12.1"
-hyper = "1.6.0"
-hyper-util = { version = "0.1.15", features = [
-    "tokio",
-    "server-auto",
-    "server-graceful",
-] }
-hyper-rustls = "0.27.7"
-http = "1.3.1"
-http-body = "1.0.1"
-humantime = "2.2.0"
 ipnetwork = { version = "0.21.1", features = ["serde"] }
-jsonwebtoken = "9.3.1"
-keyring = { version = "3.6.2", features = [
-    "apple-native",
-    "windows-native",
-    "sync-secret-service",
-] }
 lazy_static = "1.5.0"
-libsystemd = { version = "0.7.2" }
-local-ip-address = "0.6.5"
+libc = "0.2.178"
+libsystemd = "0.7.2"
+local-ip-address = "0.6.8"
 lz4 = "1.28.1"
-matchit = "0.8.4"
-md-5 = "0.10.6"
+matchit = "0.9.1"
+md-5 = "0.11.0-rc.3"
+md5 = "0.8.0"
 mime_guess = "2.0.5"
+moka = { version = "0.12.12", features = ["future"] }
 netif = "0.1.6"
 nix = { version = "0.30.1", features = ["fs"] }
-nu-ansi-term = "0.50.1"
+nu-ansi-term = "0.50.3"
 num_cpus = { version = "1.17.0" }
 nvml-wrapper = "0.11.0"
-object_store = "0.11.2"
-once_cell = "1.21.3"
-opentelemetry = { version = "0.30.0" }
-opentelemetry-appender-tracing = { version = "0.30.1", features = [
-    "experimental_use_tracing_span_context",
-    "experimental_metadata_attributes",
-    "spec_unstable_logs_enabled"
-] }
-opentelemetry_sdk = { version = "0.30.0" }
-opentelemetry-stdout = { version = "0.30.0" }
-opentelemetry-otlp = { version = "0.30.0", default-features = false, features = [
-    "grpc-tonic", "gzip-tonic", "trace", "metrics", "logs", "internal-logs"
-] }
-opentelemetry-semantic-conventions = { version = "0.30.0", features = [
-    "semconv_experimental",
-] }
-parking_lot = "0.12.4"
+object_store = "0.12.4"
+parking_lot = "0.12.5"
 path-absolutize = "3.1.1"
 path-clean = "1.0.1"
-blake3 = { version = "1.8.2" }
-pbkdf2 = "0.12.2"
-percent-encoding = "2.3.1"
 pin-project-lite = "0.2.16"
-prost = "0.13.5"
-quick-xml = "0.38.0"
-rand = "0.9.1"
-rdkafka = { version = "0.38.0", features = ["tokio"] }
-reed-solomon-simd = { version = "3.0.1" }
-regex = { version = "1.11.1" }
-reqwest = { version = "0.12.22", default-features = false, features = [
-    "rustls-tls",
-    "charset",
-    "http2",
-    "system-proxy",
-    "stream",
-    "json",
-    "blocking",
-] }
-rfd = { version = "0.15.4", default-features = false, features = [
-    "xdg-portal",
-    "tokio",
-] }
-rmp = "0.8.14"
-rmp-serde = "1.3.0"
-rsa = "0.9.8"
-rumqttc = { version = "0.24" }
-rust-embed = { version = "8.7.2" }
-rust-i18n = { version = "3.1.5" }
-rustfs-rsc = "2025.506.1"
-rustls = { version = "0.23.29" }
-rustls-pki-types = "1.12.0"
-rustls-pemfile = "2.2.0"
-s3s = { version = "0.12.0-minio-preview.2" }
-shadow-rs = { version = "1.2.0", default-features = false }
-serde = { version = "1.0.219", features = ["derive"] }
-serde_json = { version = "1.0.140", features = ["raw_value"] }
-serde-xml-rs = "0.8.1"
-serde_urlencoded = "0.7.1"
-sha1 = "0.10.6"
-sha2 = "0.10.9"
+pretty_assertions = "1.4.1"
+rand = { version = "0.10.0-rc.5", features = ["serde"] }
+rayon = "1.11.0"
+reed-solomon-simd = { version = "3.1.0" }
+regex = { version = "1.12.2" }
+rumqttc = { version = "0.25.1" }
+rust-embed = { version = "8.9.0" }
+rustc-hash = { version = "2.1.1" }
+s3s = { version = "0.13.0-alpha", features = ["minio"], git = "https://github.com/s3s-project/s3s.git", branch = "main" }
+serial_test = "3.2.0"
+shadow-rs = { version = "1.5.0", default-features = false }
 siphasher = "1.0.1"
 smallvec = { version = "1.15.1", features = ["serde"] }
-snafu = "0.8.6"
+smartstring = "1.0.1"
+snafu = "0.8.9"
 snap = "1.1.1"
-socket2 = "0.6.0"
-strum = { version = "0.27.1", features = ["derive"] }
-sysinfo = "0.36.0"
-sysctl = "0.6.0"
-tempfile = "3.20.0"
+starshard = { version = "0.6.0", features = ["rayon", "async", "serde"] }
+strum = { version = "0.27.2", features = ["derive"] }
+sysctl = "0.7.1"
+sysinfo = "0.37.2"
 temp-env = "0.3.6"
+tempfile = "3.24.0"
 test-case = "3.3.1"
-thiserror = "2.0.12"
-time = { version = "0.3.41", features = [
-    "std",
-    "parsing",
-    "formatting",
-    "macros",
-    "serde",
-] }
-tokio = { version = "1.46.1", features = ["fs", "rt-multi-thread"] }
-tokio-rustls = { version = "0.26.2", default-features = false }
-tokio-stream = { version = "0.1.17" }
-tokio-tar = "0.3.1"
-tokio-test = "0.4.4"
-tokio-util = { version = "0.7.15", features = ["io", "compat"] }
-tonic = { version = "0.13.1", features = ["gzip"] }
-tonic-build = { version = "0.13.1" }
-tower = { version = "0.5.2", features = ["timeout"] }
-tower-http = { version = "0.6.6", features = ["cors"] }
-tracing = "0.1.41"
-tracing-core = "0.1.34"
+thiserror = "2.0.17"
+tracing = { version = "0.1.44" }
+tracing-appender = "0.2.4"
 tracing-error = "0.2.1"
-tracing-subscriber = { version = "0.3.19", features = ["env-filter", "time"] }
-tracing-appender = "0.2.3"
-tracing-opentelemetry = "0.31.0"
+tracing-opentelemetry = "0.32.0"
+tracing-subscriber = { version = "0.3.22", features = ["env-filter", "time"] }
 transform-stream = "0.3.1"
-url = "2.5.4"
+url = "2.5.7"
 urlencoding = "2.1.3"
-uuid = { version = "1.17.0", features = [
-    "v4",
-    "fast-rng",
-    "macro-diagnostics",
-] }
-wildmatch = { version = "2.4.0", features = ["serde"] }
+uuid = { version = "1.19.0", features = ["v4", "fast-rng", "macro-diagnostics"] }
+vaultrs = { version = "0.7.4" }
+walkdir = "2.5.0"
+wildmatch = { version = "2.6.1", features = ["serde"] }
 winapi = { version = "0.3.9" }
 xxhash-rust = { version = "0.8.15", features = ["xxh64", "xxh3"] }
-zip = "2.4.2"
+zip = "7.0.0"
 zstd = "0.13.3"
-anyhow = "1.0.98"

-[profile.wasm-dev]
-inherits = "dev"
-opt-level = 1
+# Observability and Metrics
+metrics = "0.24.3"
+opentelemetry = { version = "0.31.0" }
+opentelemetry-appender-tracing = { version = "0.31.1", features = ["experimental_use_tracing_span_context", "experimental_metadata_attributes", "spec_unstable_logs_enabled"] }
+opentelemetry-otlp = { version = "0.31.0", features = ["gzip-http", "reqwest-rustls"] }
+opentelemetry_sdk = { version = "0.31.0" }
+opentelemetry-semantic-conventions = { version = "0.31.0", features = ["semconv_experimental"] }
+opentelemetry-stdout = { version = "0.31.0" }

-[profile.server-dev]
-inherits = "dev"
+# Performance Analysis and Memory Profiling
+mimalloc = "0.1"
+# Use tikv-jemallocator as memory allocator and enable performance analysis
+tikv-jemallocator = { version = "0.6", features = ["profiling", "stats", "unprefixed_malloc_on_supported_platforms", "background_threads"] }
+# Used to control and obtain statistics for jemalloc at runtime
+tikv-jemalloc-ctl = { version = "0.6", features = ["use_std", "stats", "profiling"] }
+# Used to generate pprof-compatible memory profiling data and support symbolization and flame graphs
+jemalloc_pprof = { version = "0.8.1", features = ["symbolize", "flamegraph"] }
+# Used to generate CPU performance analysis data and flame diagrams
+pprof = { version = "0.15.0", features = ["flamegraph", "protobuf-codec"] }

-[profile.android-dev]
-inherits = "dev"
+[workspace.metadata.cargo-shear]
+ignored = ["rustfs", "rustfs-mcp"]

 [profile.release]
 opt-level = 3
--- a/113
+++ b/113
@@ -1,42 +1,47 @@
-# Multi-stage build for RustFS production image
-
-# Build stage: Download and extract RustFS binary
 FROM alpine:3.22 AS build

-# Build arguments for platform and release
 ARG TARGETARCH
 ARG RELEASE=latest

-# Install minimal dependencies for downloading and extracting
 RUN apk add --no-cache ca-certificates curl unzip
-
-# Create build directory
 WORKDIR /build

-# Detect architecture and download corresponding binary
-RUN case "${TARGETARCH}" in \
-        amd64) ARCH="x86_64" ;; \
-        arm64) ARCH="aarch64" ;; \
-        *) echo "Unsupported architecture: ${TARGETARCH}" >&2 && exit 1 ;; \
-    esac && \
-    if [ "${RELEASE}" = "latest" ]; then \
-        VERSION="latest"; \
+RUN set -eux; \
+    case "$TARGETARCH" in \
+      amd64)  ARCH_SUBSTR="x86_64-musl"  ;; \
+      arm64)  ARCH_SUBSTR="aarch64-musl" ;; \
+      *) echo "Unsupported TARGETARCH=$TARGETARCH" >&2; exit 1 ;; \
+    esac; \
+    if [ "$RELEASE" = "latest" ]; then \
+      TAG="$(curl -fsSL https://api.github.com/repos/rustfs/rustfs/releases \
+              | grep -o '"tag_name": "[^"]*"' | cut -d'"' -f4 | head -n 1)"; \
    else \
-        VERSION="v${RELEASE#v}"; \
-    fi && \
-    BASE_URL="https://dl.rustfs.com/artifacts/rustfs/release" && \
-    PACKAGE_NAME="rustfs-linux-${ARCH}-${VERSION}.zip" && \
-    DOWNLOAD_URL="${BASE_URL}/${PACKAGE_NAME}" && \
-    echo "Downloading ${PACKAGE_NAME} from ${DOWNLOAD_URL}" >&2 && \
-    curl -f -L "${DOWNLOAD_URL}" -o rustfs.zip && \
-    unzip rustfs.zip -d /build && \
-    chmod +x /build/rustfs && \
-    rm rustfs.zip || { echo "Failed to download or extract ${PACKAGE_NAME}" >&2; exit 1; }
+      TAG="$RELEASE"; \
+    fi; \
+    echo "Using tag: $TAG (arch pattern: $ARCH_SUBSTR)"; \
+    # Find download URL in assets list for this tag that contains arch substring and ends with .zip
+    URL="$(curl -fsSL "https://api.github.com/repos/rustfs/rustfs/releases/tags/$TAG" \
+           | grep -o "\"browser_download_url\": \"[^\"]*${ARCH_SUBSTR}[^\"]*\\.zip\"" \
+           | cut -d'"' -f4 | head -n 1)"; \
+    if [ -z "$URL" ]; then echo "Failed to locate release asset for $ARCH_SUBSTR at tag $TAG" >&2; exit 1; fi; \
+    echo "Downloading: $URL"; \
+    curl -fL "$URL" -o rustfs.zip; \
+    unzip -q rustfs.zip -d /build; \
+    # If binary is not in root directory, try to locate and move from zip to /build/rustfs
+    if [ ! -x /build/rustfs ]; then \
+      BIN_PATH="$(unzip -Z -1 rustfs.zip | grep -E '(^|/)rustfs$' | head -n 1 || true)"; \
+      if [ -n "$BIN_PATH" ]; then \
+        mkdir -p /build/.tmp && unzip -q rustfs.zip "$BIN_PATH" -d /build/.tmp && \
+        mv "/build/.tmp/$BIN_PATH" /build/rustfs; \
+      fi; \
+    fi; \
+    [ -x /build/rustfs ] || { echo "rustfs binary not found in asset" >&2; exit 1; }; \
+    chmod +x /build/rustfs; \
+    rm -rf rustfs.zip /build/.tmp || true

-# Runtime stage: Configure runtime environment
-FROM alpine:3.22.1

-# Build arguments and labels
+FROM alpine:3.22
+
 ARG RELEASE=latest
 ARG BUILD_DATE
 ARG VCS_REF
@@ -44,7 +49,7 @@ ARG VCS_REF
 LABEL name="RustFS" \
      vendor="RustFS Team" \
      maintainer="RustFS Team <dev@rustfs.com>" \
-      version="${RELEASE}" \
+      version="v${RELEASE#v}" \
      release="${RELEASE}" \
      build-date="${BUILD_DATE}" \
      vcs-ref="${VCS_REF}" \
@@ -53,43 +58,37 @@ LABEL name="RustFS" \
      url="https://rustfs.com" \
      license="Apache-2.0"

-# Install runtime dependencies
-RUN echo "https://dl-cdn.alpinelinux.org/alpine/v3.20/community" >> /etc/apk/repositories && \
-    apk update && \
-    apk add --no-cache ca-certificates bash gosu coreutils shadow && \
-    addgroup -g 1000 rustfs && \
-    adduser -u 1000 -G rustfs -s /bin/bash -D rustfs
+RUN apk add --no-cache ca-certificates coreutils curl

-# Copy CA certificates and RustFS binary from build stage
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=build /build/rustfs /usr/bin/rustfs
-
-# Copy entry point script
 COPY entrypoint.sh /entrypoint.sh

-# Set permissions
-RUN chmod +x /usr/bin/rustfs /entrypoint.sh && \
+RUN chmod +x /usr/bin/rustfs /entrypoint.sh
+
+RUN addgroup -g 10001 -S rustfs && \
+    adduser -u 10001 -G rustfs -S rustfs -D && \
    mkdir -p /data /logs && \
-    chown rustfs:rustfs /data /logs && \
-    chmod 700 /data /logs
+    chown -R rustfs:rustfs /data /logs && \
+    chmod 0750 /data /logs

-# Environment variables (credentials should be set via environment or secrets)
-ENV RUSTFS_ADDRESS=:9000 \
-    RUSTFS_ACCESS_KEY=rustfsadmin \
-    RUSTFS_SECRET_KEY=rustfsadmin \
-    RUSTFS_CONSOLE_ENABLE=true \
-    RUSTFS_VOLUMES=/data \
-    RUST_LOG=warn \
-    RUSTFS_OBS_LOG_DIRECTORY=/logs \
-    RUSTFS_SINKS_FILE_PATH=/logs
+ENV RUSTFS_ADDRESS=":9000" \
+    RUSTFS_CONSOLE_ADDRESS=":9001" \
+    RUSTFS_ACCESS_KEY="rustfsadmin" \
+    RUSTFS_SECRET_KEY="rustfsadmin" \
+    RUSTFS_CONSOLE_ENABLE="true" \
+    RUSTFS_EXTERNAL_ADDRESS="" \
+    RUSTFS_CORS_ALLOWED_ORIGINS="*" \
+    RUSTFS_CONSOLE_CORS_ALLOWED_ORIGINS="*" \
+    RUSTFS_VOLUMES="/data" \
+    RUST_LOG="warn"
+    
+EXPOSE 9000 9001

-# Expose port
-EXPOSE 9000
+VOLUME ["/data"]

-# Volumes for data and logs
-VOLUME ["/data", "/logs"]
+USER rustfs

-# Set entry point
 ENTRYPOINT ["/entrypoint.sh"]
-CMD ["/usr/bin/rustfs"]

+CMD ["rustfs"]
--- a/Dockerfile.source
+++ b/Dockerfile.source
@@ -1,80 +1,89 @@
+# syntax=docker/dockerfile:1.6
 # Multi-stage Dockerfile for RustFS - LOCAL DEVELOPMENT ONLY
 #
-# ⚠️  IMPORTANT: This Dockerfile is for local development and testing only.
-# ⚠️  It builds RustFS from source code and is NOT used in CI/CD pipelines.
-# ⚠️  CI/CD pipeline uses pre-built binaries from Dockerfile instead.
+# IMPORTANT: This Dockerfile builds RustFS from source for local development and testing.
+# CI/CD uses the production Dockerfile with prebuilt binaries instead.
 #
-# Usage for local development:
+# Example:
 #   docker build -f Dockerfile.source -t rustfs:dev-local .
 #   docker run --rm -p 9000:9000 rustfs:dev-local
 #
-# Supports cross-compilation for amd64 and arm64 architectures
+# Supports cross-compilation for amd64 and arm64 via TARGETPLATFORM.
+
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM

+# -----------------------------
 # Build stage
-FROM --platform=$BUILDPLATFORM rust:1.88-bookworm AS builder
+# -----------------------------
+FROM rust:1.88-bookworm AS builder

-# Re-declare build arguments after FROM (required for multi-stage builds)
+# Re-declare args after FROM
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM

-# Debug: Print platform information
-RUN echo "🐳 Build Info: BUILDPLATFORM=$BUILDPLATFORM, TARGETPLATFORM=$TARGETPLATFORM"
+# Debug: print platforms
+RUN echo "Build info -> BUILDPLATFORM=${BUILDPLATFORM}, TARGETPLATFORM=${TARGETPLATFORM}"

-# Install required build dependencies
-RUN apt-get update && apt-get install -y \
-    wget \
-    git \
+# Install build toolchain and headers
+# Use distro packages for protoc/flatc to avoid host-arch mismatch
+RUN set -eux; \
+    export DEBIAN_FRONTEND=noninteractive; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
    curl \
-    unzip \
-    gcc \
+    git \
    pkg-config \
    libssl-dev \
    lld \
-    && rm -rf /var/lib/apt/lists/*
+    protobuf-compiler \
+    flatbuffers-compiler \
+    gcc-aarch64-linux-gnu \
+    gcc-x86-64-linux-gnu; \
+    rm -rf /var/lib/apt/lists/*

-# Note: sccache removed for simpler builds
-
-# Install cross-compilation tools for ARM64
-RUN if [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
-        apt-get update && \
-        apt-get install -y gcc-aarch64-linux-gnu && \
-        rm -rf /var/lib/apt/lists/*; \
+# Optional: cross toolchain for aarch64 (only when targeting linux/arm64)
+RUN set -eux; \
+    if [ "${TARGETPLATFORM:-linux/amd64}" = "linux/arm64" ]; then \
+    export DEBIAN_FRONTEND=noninteractive; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends gcc-aarch64-linux-gnu; \
+    rm -rf /var/lib/apt/lists/*; \
    fi

-# Install protoc
-RUN wget https://github.com/protocolbuffers/protobuf/releases/download/v31.1/protoc-31.1-linux-x86_64.zip \
-    && unzip protoc-31.1-linux-x86_64.zip -d protoc3 \
-    && mv protoc3/bin/* /usr/local/bin/ && chmod +x /usr/local/bin/protoc \
-    && mv protoc3/include/* /usr/local/include/ && rm -rf protoc-31.1-linux-x86_64.zip protoc3
+# Add Rust targets for both arches (to support cross-builds on multi-arch runners)
+RUN set -eux; \
+    rustup target add x86_64-unknown-linux-gnu aarch64-unknown-linux-gnu; \
+    rustup component add rust-std-x86_64-unknown-linux-gnu rust-std-aarch64-unknown-linux-gnu

-# Install flatc
-RUN wget https://github.com/google/flatbuffers/releases/download/v25.2.10/Linux.flatc.binary.g++-13.zip \
-    && unzip Linux.flatc.binary.g++-13.zip \
-    && mv flatc /usr/local/bin/ && chmod +x /usr/local/bin/flatc && rm -rf Linux.flatc.binary.g++-13.zip
-
-# Set up Rust targets based on platform
-RUN set -e && \
-    PLATFORM="${TARGETPLATFORM:-linux/amd64}" && \
-    echo "🎯 Setting up Rust target for platform: $PLATFORM" && \
-    case "$PLATFORM" in \
-        "linux/amd64") rustup target add x86_64-unknown-linux-gnu ;; \
-        "linux/arm64") rustup target add aarch64-unknown-linux-gnu ;; \
-        *) echo "❌ Unsupported platform: $PLATFORM" && exit 1 ;; \
-    esac
-
-# Set up environment for cross-compilation
+# Cross-compilation environment (used only when targeting aarch64)
 ENV CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc
 ENV CC_aarch64_unknown_linux_gnu=aarch64-linux-gnu-gcc
 ENV CXX_aarch64_unknown_linux_gnu=aarch64-linux-gnu-g++
+ENV CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER=x86_64-linux-gnu-gcc
+ENV CC_x86_64_unknown_linux_gnu=x86_64-linux-gnu-gcc
+ENV CXX_x86_64_unknown_linux_gnu=x86_64-linux-gnu-g++

 WORKDIR /usr/src/rustfs

-# Copy all source code
+# Layered copy to maximize caching:
+# 1) top-level manifests
+COPY Cargo.toml Cargo.lock ./
+# 2) workspace member manifests (adjust if workspace layout changes)
+COPY rustfs/Cargo.toml rustfs/Cargo.toml
+COPY crates/*/Cargo.toml crates/
+
+# Pre-fetch dependencies for better caching
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+    --mount=type=cache,target=/usr/local/cargo/git \
+    cargo fetch --locked || true
+
+# 3) copy full sources (this is the main cache invalidation point)
 COPY . .

-# Configure cargo for optimized builds
+# Cargo build configuration for lean release artifacts
 ENV CARGO_NET_GIT_FETCH_WITH_CLI=true \
    CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse \
    CARGO_INCREMENTAL=0 \
@@ -82,75 +91,133 @@ ENV CARGO_NET_GIT_FETCH_WITH_CLI=true \
    CARGO_PROFILE_RELEASE_SPLIT_DEBUGINFO=off \
    CARGO_PROFILE_RELEASE_STRIP=symbols

-# Generate protobuf code
-RUN cargo run --bin gproto
+# Generate protobuf/flatbuffers code (uses protoc/flatc from distro)
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+    --mount=type=cache,target=/usr/local/cargo/git \
+    --mount=type=cache,target=/usr/src/rustfs/target \
+    cargo run --bin gproto

-# Build the actual application with optimizations
-RUN case "$TARGETPLATFORM" in \
-        "linux/amd64") \
-            echo "🔨 Building for amd64..." && \
-            rustup target add x86_64-unknown-linux-gnu && \
-            cargo build --release --target x86_64-unknown-linux-gnu --bin rustfs -j $(nproc) && \
-            cp target/x86_64-unknown-linux-gnu/release/rustfs /usr/local/bin/rustfs \
-            ;; \
-        "linux/arm64") \
-            echo "🔨 Building for arm64..." && \
-            rustup target add aarch64-unknown-linux-gnu && \
-            cargo build --release --target aarch64-unknown-linux-gnu --bin rustfs -j $(nproc) && \
-            cp target/aarch64-unknown-linux-gnu/release/rustfs /usr/local/bin/rustfs \
-            ;; \
-        *) \
-            echo "❌ Unsupported platform: $TARGETPLATFORM" && exit 1 \
-            ;; \
+# Build RustFS (target depends on TARGETPLATFORM)
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+    --mount=type=cache,target=/usr/local/cargo/git \
+    --mount=type=cache,target=/usr/src/rustfs/target \
+    set -eux; \
+    case "${TARGETPLATFORM:-linux/amd64}" in \
+    linux/amd64) \
+    echo "Building for x86_64-unknown-linux-gnu"; \
+    cargo build --release --locked --target x86_64-unknown-linux-gnu --bin rustfs -j "$(nproc)"; \
+    install -m 0755 target/x86_64-unknown-linux-gnu/release/rustfs /usr/local/bin/rustfs \
+    ;; \
+    linux/arm64) \
+    echo "Building for aarch64-unknown-linux-gnu"; \
+    cargo build --release --locked --target aarch64-unknown-linux-gnu --bin rustfs -j "$(nproc)"; \
+    install -m 0755 target/aarch64-unknown-linux-gnu/release/rustfs /usr/local/bin/rustfs \
+    ;; \
+    *) \
+    echo "Unsupported TARGETPLATFORM=${TARGETPLATFORM}" >&2; exit 1 \
+    ;; \
    esac

-# Runtime stage - Ubuntu minimal for better compatibility
-FROM ubuntu:22.04
+# -----------------------------
+# Development stage (keeps toolchain)
+# -----------------------------
+FROM builder AS dev

-# Install runtime dependencies
-RUN apt-get update && apt-get install -y \
-    ca-certificates \
-    tzdata \
-    wget \
-    coreutils \
-    passwd \
-    && rm -rf /var/lib/apt/lists/*
+ARG BUILD_DATE
+ARG VCS_REF

-# Create rustfs user and group
-RUN groupadd -g 1000 rustfs && \
-    useradd -d /app -g rustfs -u 1000 -s /bin/bash rustfs
+LABEL name="RustFS (dev-source)" \
+    maintainer="RustFS Team" \
+    build-date="${BUILD_DATE}" \
+    vcs-ref="${VCS_REF}" \
+    description="RustFS - local development with Rust toolchain."

+# Install runtime dependencies that might be missing in partial builder
+# (builder already has build-essential, lld, etc.)
 WORKDIR /app

-# Create data directories
-RUN mkdir -p /data/rustfs{0,1,2,3} && \
-    chown -R rustfs:rustfs /data /app
+ENV CARGO_INCREMENTAL=1

-# Copy binary from builder stage
-COPY --from=builder /usr/local/bin/rustfs /app/rustfs
-RUN chmod +x /app/rustfs && chown rustfs:rustfs /app/rustfs
+# Ensure we have the same default env vars available
+ENV RUSTFS_ADDRESS=":9000" \
+    RUSTFS_ACCESS_KEY="rustfsadmin" \
+    RUSTFS_SECRET_KEY="rustfsadmin" \
+    RUSTFS_CONSOLE_ENABLE="true" \
+    RUSTFS_VOLUMES="/data" \
+    RUST_LOG="warn" \
+    RUSTFS_OBS_LOG_DIRECTORY="/logs" \
+    RUSTFS_USERNAME="rustfs" \
+    RUSTFS_GROUPNAME="rustfs" \
+    RUSTFS_UID="10001" \
+    RUSTFS_GID="10001"
+
+# Note: We don't COPY source here because we expect it to be mounted at /app
+# We rely on cargo run to build and run
+EXPOSE 9000 9001

-# Copy entrypoint script
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh

-# Switch to non-root user
-USER rustfs
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["cargo", "run", "--bin", "rustfs", "--"]
+
+# -----------------------------
+# Runtime stage (Ubuntu minimal)
+# -----------------------------
+FROM ubuntu:22.04
+
+ARG BUILD_DATE
+ARG VCS_REF
+
+LABEL name="RustFS (dev-local)" \
+    maintainer="RustFS Team" \
+    build-date="${BUILD_DATE}" \
+    vcs-ref="${VCS_REF}" \
+    description="RustFS - local development image built from source (NOT for production)."
+
+# Minimal runtime deps: certificates + tzdata + coreutils (for chroot --userspec)
+RUN set -eux; \
+    export DEBIAN_FRONTEND=noninteractive; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+    ca-certificates \
+    tzdata \
+    coreutils; \
+    rm -rf /var/lib/apt/lists/*
+
+# Create a conventional runtime user/group (final switch happens in entrypoint via chroot --userspec)
+RUN set -eux; \
+    groupadd -g 10001 rustfs; \
+    useradd -u 10001 -g rustfs -M -s /usr/sbin/nologin rustfs
+
+WORKDIR /app
+
+# Prepare data/log directories with sane defaults
+RUN set -eux; \
+    mkdir -p /data /logs; \
+    chown -R rustfs:rustfs /data /logs /app; \
+    chmod 0750 /data /logs
+
+# Copy the freshly built binary and the entrypoint
+COPY --from=builder /usr/local/bin/rustfs /usr/bin/rustfs
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /usr/bin/rustfs /entrypoint.sh
+
+# Default environment (override in docker run/compose as needed)
+ENV RUSTFS_ADDRESS=":9000" \
+    RUSTFS_ACCESS_KEY="rustfsadmin" \
+    RUSTFS_SECRET_KEY="rustfsadmin" \
+    RUSTFS_CONSOLE_ENABLE="true" \
+    RUSTFS_VOLUMES="/data" \
+    RUST_LOG="warn" \
+    RUSTFS_USERNAME="rustfs" \
+    RUSTFS_GROUPNAME="rustfs" \
+    RUSTFS_UID="10001" \
+    RUSTFS_GID="10001"

-# Expose ports
 EXPOSE 9000
-
-# Environment variables
-ENV RUSTFS_ACCESS_KEY=rustfsadmin \
-    RUSTFS_SECRET_KEY=rustfsadmin \
-    RUSTFS_ADDRESS=":9000" \
-    RUSTFS_CONSOLE_ENABLE=true \
-    RUSTFS_VOLUMES=/data \
-    RUST_LOG=warn
-
-# Volume for data
 VOLUME ["/data"]

-# Set entrypoint and default command
+# Keep root here; entrypoint will drop privileges using chroot --userspec
 ENTRYPOINT ["/entrypoint.sh"]
-CMD ["/app/rustfs"]
+CMD ["/usr/bin/rustfs"]
--- a/258
+++ b/258
@@ -0,0 +1,258 @@
+DOCKER_CLI := env("DOCKER_CLI", "docker")
+IMAGE_NAME := env("IMAGE_NAME", "rustfs:v1.0.0")
+DOCKERFILE_SOURCE := env("DOCKERFILE_SOURCE", "Dockerfile.source")
+DOCKERFILE_PRODUCTION := env("DOCKERFILE_PRODUCTION", "Dockerfile")
+CONTAINER_NAME := env("CONTAINER_NAME", "rustfs-dev")
+
+[group("📒 Help")]
+[private]
+default:
+    @just --list --list-heading $'🦀 RustFS justfile manual page:\n'
+
+[doc("show help")]
+[group("📒 Help")]
+help: default
+
+[doc("run `cargo fmt` to format codes")]
+[group("👆 Code Quality")]
+fmt:
+    @echo "🔧 Formatting code..."
+    cargo fmt --all
+
+[doc("run `cargo fmt` in check mode")]
+[group("👆 Code Quality")]
+fmt-check:
+    @echo "📝 Checking code formatting..."
+    cargo fmt --all --check
+
+[doc("run `cargo clippy`")]
+[group("👆 Code Quality")]
+clippy:
+    @echo "🔍 Running clippy checks..."
+    cargo clippy --all-targets --all-features --fix --allow-dirty -- -D warnings
+
+[doc("run `cargo check`")]
+[group("👆 Code Quality")]
+check:
+    @echo "🔨 Running compilation check..."
+    cargo check --all-targets
+
+[doc("run `cargo test`")]
+[group("👆 Code Quality")]
+test:
+    @echo "🧪 Running tests..."
+    cargo nextest run --all --exclude e2e_test
+    cargo test --all --doc
+
+[doc("run `fmt` `clippy` `check` `test` at once")]
+[group("👆 Code Quality")]
+pre-commit: fmt clippy check test
+    @echo "✅ All pre-commit checks passed!"
+
+[group("🤔 Git")]
+setup-hooks:
+    @echo "🔧 Setting up git hooks..."
+    chmod +x .git/hooks/pre-commit
+    @echo "✅ Git hooks setup complete!"
+
+[doc("use `release` mode for building")]
+[group("🔨 Build")]
+build:
+    @echo "🔨 Building RustFS using build-rustfs.sh script..."
+    ./build-rustfs.sh
+
+[doc("use `debug` mode for building")]
+[group("🔨 Build")]
+build-dev:
+    @echo "🔨 Building RustFS in development mode..."
+    ./build-rustfs.sh --dev
+
+[group("🔨 Build")]
+[private]
+build-target target:
+    @echo "🔨 Building rustfs for {{ target }}..."
+    @echo "💡 On macOS/Windows, use 'make build-docker' or 'make docker-dev' instead"
+    ./build-rustfs.sh --platform {{ target }}
+
+[doc("use `x86_64-unknown-linux-musl` target for building")]
+[group("🔨 Build")]
+build-musl: (build-target "x86_64-unknown-linux-musl")
+
+[doc("use `x86_64-unknown-linux-gnu` target for building")]
+[group("🔨 Build")]
+build-gnu: (build-target "x86_64-unknown-linux-gnu")
+
+[doc("use `aarch64-unknown-linux-musl` target for building")]
+[group("🔨 Build")]
+build-musl-arm64: (build-target "aarch64-unknown-linux-musl")
+
+[doc("use `aarch64-unknown-linux-gnu` target for building")]
+[group("🔨 Build")]
+build-gnu-arm64: (build-target "aarch64-unknown-linux-gnu")
+
+[doc("build and deploy to server")]
+[group("🔨 Build")]
+deploy-dev ip: build-musl
+    @echo "🚀 Deploying to dev server: {{ ip }}"
+    ./scripts/dev_deploy.sh {{ ip }}
+
+[group("🔨 Build")]
+[private]
+build-cross-all-pre:
+    @echo "🔧 Building all target architectures..."
+    @echo "💡 On macOS/Windows, use 'make docker-dev' for reliable multi-arch builds"
+    @echo "🔨 Generating protobuf code..."
+    -cargo run --bin gproto
+
+[doc("build all targets at once")]
+[group("🔨 Build")]
+build-cross-all: build-cross-all-pre && build-gnu build-gnu-arm64 build-musl build-musl-arm64
+
+# ========================================================================================
+# Docker Multi-Architecture Builds (Primary Methods)
+# ========================================================================================
+
+[doc("build an image and run it")]
+[group("🐳 Build Image")]
+build-docker os="rockylinux9.3" cli=(DOCKER_CLI) dockerfile=(DOCKERFILE_SOURCE):
+    #!/usr/bin/env bash
+    SOURCE_BUILD_IMAGE_NAME="rustfs/rustfs-{{ os }}:v1"
+    SOURCE_BUILD_CONTAINER_NAME="rustfs-{{ os }}-build"
+    BUILD_CMD="/root/.cargo/bin/cargo build --release --bin rustfs --target-dir /root/s3-rustfs/target/{{ os }}"
+    echo "🐳 Building RustFS using Docker ({{ os }})..."
+    {{ cli }} buildx build -t $SOURCE_BUILD_IMAGE_NAME -f {{ dockerfile }} .
+    {{ cli }} run --rm --name $SOURCE_BUILD_CONTAINER_NAME -v $(pwd):/root/s3-rustfs -it $SOURCE_BUILD_IMAGE_NAME $BUILD_CMD
+
+[doc("build an image")]
+[group("🐳 Build Image")]
+docker-buildx:
+    @echo "🏗️ Building multi-architecture production Docker images with buildx..."
+    ./docker-buildx.sh
+
+[doc("build an image and push it")]
+[group("🐳 Build Image")]
+docker-buildx-push:
+    @echo "🚀 Building and pushing multi-architecture production Docker images with buildx..."
+    ./docker-buildx.sh --push
+
+[doc("build an image with a version")]
+[group("🐳 Build Image")]
+docker-buildx-version version:
+    @echo "🏗️ Building multi-architecture production Docker images (version: {{ version }}..."
+    ./docker-buildx.sh --release {{ version }}
+
+[doc("build an image with a version and push it")]
+[group("🐳 Build Image")]
+docker-buildx-push-version version:
+    @echo "🚀 Building and pushing multi-architecture production Docker images (version: {{ version }}..."
+    ./docker-buildx.sh --release {{ version }} --push
+
+[doc("build an image with a version and push it to registry")]
+[group("🐳 Build Image")]
+docker-dev-push registry cli=(DOCKER_CLI) source=(DOCKERFILE_SOURCE):
+    @echo "🚀 Building and pushing multi-architecture development Docker images..."
+    @echo "💡 push to registry: {{ registry }}"
+    {{ cli }} buildx build \
+    	--platform linux/amd64,linux/arm64 \
+    	--file {{ source }} \
+    	--tag {{ registry }}/rustfs:source-latest \
+    	--tag {{ registry }}/rustfs:dev-latest \
+    	--push \
+    	.
+
+# Local production builds using direct buildx (alternative to docker-buildx.sh)
+
+[group("🐳 Build Image")]
+docker-buildx-production-local cli=(DOCKER_CLI) source=(DOCKERFILE_PRODUCTION):
+    @echo "🏗️ Building single-architecture production Docker image locally..."
+    @echo "💡 Alternative to docker-buildx.sh for local testing"
+    {{ cli }} buildx build \
+    	--file {{ source }} \
+    	--tag rustfs:production-latest \
+    	--tag rustfs:latest \
+    	--load \
+    	--build-arg RELEASE=latest \
+    	.
+
+# Development/Source builds using direct buildx commands
+
+[group("🐳 Build Image")]
+docker-dev cli=(DOCKER_CLI) source=(DOCKERFILE_SOURCE):
+    @echo "🏗️ Building multi-architecture development Docker images with buildx..."
+    @echo "💡 This builds from source code and is intended for local development and testing"
+    @echo "⚠️  Multi-arch images cannot be loaded locally, use docker-dev-push to push to registry"
+    {{ cli }} buildx build \
+    	--platform linux/amd64,linux/arm64 \
+    	--file {{ source }} \
+    	--tag rustfs:source-latest \
+    	--tag rustfs:dev-latest \
+    	.
+
+[group("🐳 Build Image")]
+docker-dev-local cli=(DOCKER_CLI) source=(DOCKERFILE_SOURCE):
+    @echo "🏗️ Building single-architecture development Docker image for local use..."
+    @echo "💡 This builds from source code for the current platform and loads locally"
+    {{ cli }} buildx build \
+    	--file {{ source }} \
+    	--tag rustfs:source-latest \
+    	--tag rustfs:dev-latest \
+    	--load \
+    	.
+
+# ========================================================================================
+# Single Architecture Docker Builds (Traditional)
+# ========================================================================================
+
+[group("🐳 Build Image")]
+docker-build-production cli=(DOCKER_CLI) source=(DOCKERFILE_PRODUCTION):
+    @echo "🏗️ Building single-architecture production Docker image..."
+    @echo "💡 Consider using 'make docker-buildx-production-local' for multi-arch support"
+    {{ cli }} build -f {{ source }} -t rustfs:latest .
+
+[group("🐳 Build Image")]
+docker-build-source cli=(DOCKER_CLI) source=(DOCKERFILE_SOURCE):
+    @echo "🏗️ Building single-architecture source Docker image..."
+    @echo "💡 Consider using 'make docker-dev-local' for multi-arch support"
+    {{ cli }} build -f {{ source }} -t rustfs:source .
+
+# ========================================================================================
+# Development Environment
+# ========================================================================================
+
+[group("🏃 Running")]
+dev-env-start cli=(DOCKER_CLI) source=(DOCKERFILE_SOURCE) container=(CONTAINER_NAME):
+    @echo "🚀 Starting development environment..."
+    {{ cli }} buildx build \
+    	--file {{ source }} \
+    	--tag rustfs:dev \
+    	--load \
+    	.
+    -{{ cli }} stop {{ container }} 2>/dev/null
+    -{{ cli }} rm {{ container }} 2>/dev/null
+    {{ cli }} run -d --name {{ container }} \
+    	-p 9010:9010 -p 9000:9000 \
+    	-v {{ invocation_directory() }}:/workspace \
+    	-it rustfs:dev
+
+[group("🏃 Running")]
+dev-env-stop cli=(DOCKER_CLI) container=(CONTAINER_NAME):
+    @echo "🛑 Stopping development environment..."
+    -{{ cli }} stop {{ container }} 2>/dev/null
+    -{{ cli }}  rm {{ container }} 2>/dev/null
+
+[group("🏃 Running")]
+dev-env-restart: dev-env-stop dev-env-start
+
+[group("👍 E2E")]
+e2e-server:
+    sh scripts/run.sh
+
+[group("👍 E2E")]
+probe-e2e:
+    sh scripts/probe.sh
+
+[doc("inspect one image")]
+[group("🚚 Other")]
+docker-inspect-multiarch image cli=(DOCKER_CLI):
+    @echo "🔍 Inspecting multi-architecture image: {{ image }}"
+    {{ cli }} buildx imagetools inspect {{ image }}
--- a/387
+++ b/387
@@ -1,350 +1,81 @@
 ###########
-# 远程开发，需要 VSCode 安装 Dev Containers, Remote SSH, Remote Explorer
+# Remote development requires VSCode with Dev Containers, Remote SSH, Remote Explorer
 # https://code.visualstudio.com/docs/remote/containers
 ###########
+
+.PHONY: SHELL
+
+# Makefile global config
+# Use config.mak to override any of the following variables.
+# Do not make changes here.
+
+.DEFAULT_GOAL := help
+.EXPORT_ALL_VARIABLES:
+.ONESHELL:
+.SILENT:
+
+NUM_CORES := $(shell nproc 2>/dev/null || sysctl -n hw.ncpu)
+
+MAKEFLAGS += -j$(NUM_CORES) -l$(NUM_CORES)
+MAKEFLAGS += --silent
+
+SHELL:= /bin/bash
+.SHELLFLAGS = -eu -o pipefail -c
+
 DOCKER_CLI ?= docker
 IMAGE_NAME ?= rustfs:v1.0.0
 CONTAINER_NAME ?= rustfs-dev
 # Docker build configurations
 DOCKERFILE_PRODUCTION = Dockerfile
 DOCKERFILE_SOURCE = Dockerfile.source
-
-# Code quality and formatting targets
-.PHONY: fmt
-fmt:
-	@echo "🔧 Formatting code..."
-	cargo fmt --all
-
-.PHONY: fmt-check
-fmt-check:
-	@echo "📝 Checking code formatting..."
-	cargo fmt --all --check
-
-.PHONY: clippy
-clippy:
-	@echo "🔍 Running clippy checks..."
-	cargo clippy --all-targets --all-features -- -D warnings
-
-.PHONY: check
-check:
-	@echo "🔨 Running compilation check..."
-	cargo check --all-targets
-
-.PHONY: test
-test:
-	@echo "🧪 Running tests..."
-	cargo nextest run --all --exclude e2e_test
-	cargo test --all --doc
-
-.PHONY: pre-commit
-pre-commit: fmt clippy check test
-	@echo "✅ All pre-commit checks passed!"
-
-.PHONY: setup-hooks
-setup-hooks:
-	@echo "🔧 Setting up git hooks..."
-	chmod +x .git/hooks/pre-commit
-	@echo "✅ Git hooks setup complete!"
-
-.PHONY: e2e-server
-e2e-server:
-	sh $(shell pwd)/scripts/run.sh
-
-.PHONY: probe-e2e
-probe-e2e:
-	sh $(shell pwd)/scripts/probe.sh
-
-# Native build using build-rustfs.sh script
-.PHONY: build
-build:
-	@echo "🔨 Building RustFS using build-rustfs.sh script..."
-	./build-rustfs.sh
-
-.PHONY: build-dev
-build-dev:
-	@echo "🔨 Building RustFS in development mode..."
-	./build-rustfs.sh --dev
-
-# Docker-based build (alternative approach)
-# Usage: make BUILD_OS=ubuntu22.04 build-docker
-# Output: target/ubuntu22.04/release/rustfs
 BUILD_OS ?= rockylinux9.3
-.PHONY: build-docker
-build-docker: SOURCE_BUILD_IMAGE_NAME = rustfs-$(BUILD_OS):v1
-build-docker: SOURCE_BUILD_CONTAINER_NAME = rustfs-$(BUILD_OS)-build
-build-docker: BUILD_CMD = /root/.cargo/bin/cargo build --release --bin rustfs --target-dir /root/s3-rustfs/target/$(BUILD_OS)
-build-docker:
-	@echo "🐳 Building RustFS using Docker ($(BUILD_OS))..."
-	$(DOCKER_CLI) build -t $(SOURCE_BUILD_IMAGE_NAME) -f $(DOCKERFILE_SOURCE) .
-	$(DOCKER_CLI) run --rm --name $(SOURCE_BUILD_CONTAINER_NAME) -v $(shell pwd):/root/s3-rustfs -it $(SOURCE_BUILD_IMAGE_NAME) $(BUILD_CMD)

-.PHONY: build-musl
-build-musl:
-	@echo "🔨 Building rustfs for x86_64-unknown-linux-musl..."
-	@echo "💡 On macOS/Windows, use 'make build-docker' or 'make docker-dev' instead"
-	./build-rustfs.sh --platform x86_64-unknown-linux-musl
+# Makefile colors config
+bold := $(shell tput bold)
+normal := $(shell tput sgr0)
+errorTitle := $(shell tput setab 1 && tput bold && echo '\n')
+recommendation := $(shell tput setab 4)
+underline := $(shell tput smul)
+reset := $(shell tput -Txterm sgr0)
+black := $(shell tput setaf 0)
+red := $(shell tput setaf 1)
+green := $(shell tput setaf 2)
+yellow := $(shell tput setaf 3)
+blue := $(shell tput setaf 4)
+magenta := $(shell tput setaf 5)
+cyan := $(shell tput setaf 6)
+white := $(shell tput setaf 7)

-.PHONY: build-gnu
-build-gnu:
-	@echo "🔨 Building rustfs for x86_64-unknown-linux-gnu..."
-	@echo "💡 On macOS/Windows, use 'make build-docker' or 'make docker-dev' instead"
-	./build-rustfs.sh --platform x86_64-unknown-linux-gnu
+define HEADER
+How to use me:
+	# To get help for each target
+	${bold}make help${reset}

-.PHONY: deploy-dev
-deploy-dev: build-musl
-	@echo "🚀 Deploying to dev server: $${IP}"
-	./scripts/dev_deploy.sh $${IP}
+	# To run and execute a target
+	${bold}make ${cyan}<target>${reset}

-# ========================================================================================
-# Docker Multi-Architecture Builds (Primary Methods)
-# ========================================================================================
+	💡 For more help use 'make help', 'make help-build' or 'make help-docker'

-# Production builds using docker-buildx.sh (for CI/CD and production)
-.PHONY: docker-buildx
-docker-buildx:
-	@echo "🏗️ Building multi-architecture production Docker images with buildx..."
-	./docker-buildx.sh
+	🦀 RustFS Makefile Help:

-.PHONY: docker-buildx-push
-docker-buildx-push:
-	@echo "🚀 Building and pushing multi-architecture production Docker images with buildx..."
-	./docker-buildx.sh --push
+	📋 Main Command Categories:
+	 	make help-build                          # Show build-related help
+	 	make help-docker                         # Show Docker-related help

-.PHONY: docker-buildx-version
-docker-buildx-version:
-	@if [ -z "$(VERSION)" ]; then \
-		echo "❌ 错误: 请指定版本, 例如: make docker-buildx-version VERSION=v1.0.0"; \
-		exit 1; \
-	fi
-	@echo "🏗️ Building multi-architecture production Docker images (version: $(VERSION))..."
-	./docker-buildx.sh --release $(VERSION)
+	🔧 Code Quality:
+		make fmt                                 # Format code
+		make clippy                              # Run clippy checks
+		make test                                # Run tests
+		make pre-commit                          # Run all pre-commit checks

-.PHONY: docker-buildx-push-version
-docker-buildx-push-version:
-	@if [ -z "$(VERSION)" ]; then \
-		echo "❌ 错误: 请指定版本, 例如: make docker-buildx-push-version VERSION=v1.0.0"; \
-		exit 1; \
-	fi
-	@echo "🚀 Building and pushing multi-architecture production Docker images (version: $(VERSION))..."
-	./docker-buildx.sh --release $(VERSION) --push
-
-# Development/Source builds using direct buildx commands
-.PHONY: docker-dev
-docker-dev:
-	@echo "🏗️ Building multi-architecture development Docker images with buildx..."
-	@echo "💡 This builds from source code and is intended for local development and testing"
-	@echo "⚠️  Multi-arch images cannot be loaded locally, use docker-dev-push to push to registry"
-	$(DOCKER_CLI) buildx build \
-		--platform linux/amd64,linux/arm64 \
-		--file $(DOCKERFILE_SOURCE) \
-		--tag rustfs:source-latest \
-		--tag rustfs:dev-latest \
-		.
-
-.PHONY: docker-dev-local
-docker-dev-local:
-	@echo "🏗️ Building single-architecture development Docker image for local use..."
-	@echo "💡 This builds from source code for the current platform and loads locally"
-	$(DOCKER_CLI) buildx build \
-		--file $(DOCKERFILE_SOURCE) \
-		--tag rustfs:source-latest \
-		--tag rustfs:dev-latest \
-		--load \
-		.
-
-.PHONY: docker-dev-push
-docker-dev-push:
-	@if [ -z "$(REGISTRY)" ]; then \
-		echo "❌ 错误: 请指定镜像仓库, 例如: make docker-dev-push REGISTRY=ghcr.io/username"; \
-		exit 1; \
-	fi
-	@echo "🚀 Building and pushing multi-architecture development Docker images..."
-	@echo "💡 推送到仓库: $(REGISTRY)"
-	$(DOCKER_CLI) buildx build \
-		--platform linux/amd64,linux/arm64 \
-		--file $(DOCKERFILE_SOURCE) \
-		--tag $(REGISTRY)/rustfs:source-latest \
-		--tag $(REGISTRY)/rustfs:dev-latest \
-		--push \
-		.
+	🚀 Quick Start:
+		make build                               # Build RustFS binary
+		make docker-dev-local                    # Build development Docker image (local)
+		make dev-env-start                       # Start development environment


+endef
+export HEADER

-# Local production builds using direct buildx (alternative to docker-buildx.sh)
-.PHONY: docker-buildx-production-local
-docker-buildx-production-local:
-	@echo "🏗️ Building single-architecture production Docker image locally..."
-	@echo "💡 Alternative to docker-buildx.sh for local testing"
-	$(DOCKER_CLI) buildx build \
-		--file $(DOCKERFILE_PRODUCTION) \
-		--tag rustfs:production-latest \
-		--tag rustfs:latest \
-		--load \
-		--build-arg RELEASE=latest \
-		.
+-include $(addsuffix /*.mak, $(shell find .config/make -type d))

-# ========================================================================================
-# Single Architecture Docker Builds (Traditional)
-# ========================================================================================
-
-.PHONY: docker-build-production
-docker-build-production:
-	@echo "🏗️ Building single-architecture production Docker image..."
-	@echo "💡 Consider using 'make docker-buildx-production-local' for multi-arch support"
-	$(DOCKER_CLI) build -f $(DOCKERFILE_PRODUCTION) -t rustfs:latest .
-
-.PHONY: docker-build-source
-docker-build-source:
-	@echo "🏗️ Building single-architecture source Docker image..."
-	@echo "💡 Consider using 'make docker-dev-local' for multi-arch support"
-	$(DOCKER_CLI) build -f $(DOCKERFILE_SOURCE) -t rustfs:source .
-
-# ========================================================================================
-# Development Environment
-# ========================================================================================
-
-.PHONY: dev-env-start
-dev-env-start:
-	@echo "🚀 Starting development environment..."
-	$(DOCKER_CLI) buildx build \
-		--file $(DOCKERFILE_SOURCE) \
-		--tag rustfs:dev \
-		--load \
-		.
-	$(DOCKER_CLI) stop $(CONTAINER_NAME) 2>/dev/null || true
-	$(DOCKER_CLI) rm $(CONTAINER_NAME) 2>/dev/null || true
-	$(DOCKER_CLI) run -d --name $(CONTAINER_NAME) \
-		-p 9010:9010 -p 9000:9000 \
-		-v $(shell pwd):/workspace \
-		-it rustfs:dev
-
-.PHONY: dev-env-stop
-dev-env-stop:
-	@echo "🛑 Stopping development environment..."
-	$(DOCKER_CLI) stop $(CONTAINER_NAME) 2>/dev/null || true
-	$(DOCKER_CLI) rm $(CONTAINER_NAME) 2>/dev/null || true
-
-.PHONY: dev-env-restart
-dev-env-restart: dev-env-stop dev-env-start
-
-
-
-# ========================================================================================
-# Build Utilities
-# ========================================================================================
-
-.PHONY: docker-inspect-multiarch
-docker-inspect-multiarch:
-	@if [ -z "$(IMAGE)" ]; then \
-		echo "❌ 错误: 请指定镜像, 例如: make docker-inspect-multiarch IMAGE=rustfs/rustfs:latest"; \
-		exit 1; \
-	fi
-	@echo "🔍 Inspecting multi-architecture image: $(IMAGE)"
-	docker buildx imagetools inspect $(IMAGE)
-
-.PHONY: build-cross-all
-build-cross-all:
-	@echo "🔧 Building all target architectures..."
-	@echo "💡 On macOS/Windows, use 'make docker-dev' for reliable multi-arch builds"
-	@echo "🔨 Generating protobuf code..."
-	cargo run --bin gproto || true
-	@echo "🔨 Building x86_64-unknown-linux-musl..."
-	./build-rustfs.sh --platform x86_64-unknown-linux-musl
-	@echo "🔨 Building aarch64-unknown-linux-gnu..."
-	./build-rustfs.sh --platform aarch64-unknown-linux-gnu
-	@echo "✅ All architectures built successfully!"
-
-# ========================================================================================
-# Help and Documentation
-# ========================================================================================
-
-.PHONY: help-build
-help-build:
-	@echo "🔨 RustFS 构建帮助："
-	@echo ""
-	@echo "🚀 本地构建 (推荐使用):"
-	@echo "  make build                               # 构建 RustFS 二进制文件 (默认包含 console)"
-	@echo "  make build-dev                           # 开发模式构建"
-	@echo "  make build-musl                          # 构建 musl 版本"
-	@echo "  make build-gnu                           # 构建 GNU 版本"
-	@echo ""
-	@echo "🐳 Docker 构建:"
-	@echo "  make build-docker                        # 使用 Docker 容器构建"
-	@echo "  make build-docker BUILD_OS=ubuntu22.04   # 指定构建系统"
-	@echo ""
-	@echo "🏗️ 跨架构构建:"
-	@echo "  make build-cross-all                     # 构建所有架构的二进制文件"
-	@echo ""
-	@echo "🔧 直接使用 build-rustfs.sh 脚本:"
-	@echo "  ./build-rustfs.sh --help                 # 查看脚本帮助"
-	@echo "  ./build-rustfs.sh --no-console           # 构建时跳过 console 资源"
-	@echo "  ./build-rustfs.sh --force-console-update # 强制更新 console 资源"
-	@echo "  ./build-rustfs.sh --dev                  # 开发模式构建"
-	@echo "  ./build-rustfs.sh --sign                 # 签名二进制文件"
-	@echo "  ./build-rustfs.sh --platform x86_64-unknown-linux-musl  # 指定目标平台"
-	@echo "  ./build-rustfs.sh --skip-verification    # 跳过二进制验证"
-	@echo ""
-	@echo "💡 build-rustfs.sh 脚本提供了更多选项、智能检测和二进制验证功能"
-
-.PHONY: help-docker
-help-docker:
-	@echo "🐳 Docker 多架构构建帮助："
-	@echo ""
-	@echo "🚀 生产镜像构建 (推荐使用 docker-buildx.sh):"
-	@echo "  make docker-buildx                       # 构建生产多架构镜像（不推送）"
-	@echo "  make docker-buildx-push                  # 构建并推送生产多架构镜像"
-	@echo "  make docker-buildx-version VERSION=v1.0.0        # 构建指定版本"
-	@echo "  make docker-buildx-push-version VERSION=v1.0.0   # 构建并推送指定版本"
-	@echo ""
-	@echo "🔧 开发/源码镜像构建 (本地开发测试):"
-	@echo "  make docker-dev                          # 构建开发多架构镜像（无法本地加载）"
-	@echo "  make docker-dev-local                    # 构建开发单架构镜像（本地加载）"
-	@echo "  make docker-dev-push REGISTRY=xxx       # 构建并推送开发镜像"
-	@echo ""
-	@echo "🏗️ 本地生产镜像构建 (替代方案):"
-	@echo "  make docker-buildx-production-local      # 本地构建生产单架构镜像"
-	@echo ""
-	@echo "📦 单架构构建 (传统方式):"
-	@echo "  make docker-build-production             # 构建单架构生产镜像"
-	@echo "  make docker-build-source                 # 构建单架构源码镜像"
-	@echo ""
-	@echo "🚀 开发环境管理:"
-	@echo "  make dev-env-start                       # 启动开发容器环境"
-	@echo "  make dev-env-stop                        # 停止开发容器环境"
-	@echo "  make dev-env-restart                     # 重启开发容器环境"
-	@echo ""
-	@echo "🔧 辅助工具:"
-	@echo "  make build-cross-all                     # 构建所有架构的二进制文件"
-	@echo "  make docker-inspect-multiarch IMAGE=xxx  # 检查镜像的架构支持"
-	@echo ""
-	@echo "📋 环境变量:"
-	@echo "  REGISTRY          镜像仓库地址 (推送时需要)"
-	@echo "  DOCKERHUB_USERNAME    Docker Hub 用户名"
-	@echo "  DOCKERHUB_TOKEN       Docker Hub 访问令牌"
-	@echo "  GITHUB_TOKEN          GitHub 访问令牌"
-	@echo ""
-	@echo "💡 建议："
-	@echo "  - 生产用途: 使用 docker-buildx* 命令 (基于预编译二进制)"
-	@echo "  - 本地开发: 使用 docker-dev* 命令 (从源码构建)"
-	@echo "  - 开发环境: 使用 dev-env-* 命令管理开发容器"
-
-.PHONY: help
-help:
-	@echo "🦀 RustFS Makefile 帮助："
-	@echo ""
-	@echo "📋 主要命令分类："
-	@echo "  make help-build                          # 显示构建相关帮助"
-	@echo "  make help-docker                         # 显示 Docker 相关帮助"
-	@echo ""
-	@echo "🔧 代码质量："
-	@echo "  make fmt                                 # 格式化代码"
-	@echo "  make clippy                              # 运行 clippy 检查"
-	@echo "  make test                                # 运行测试"
-	@echo "  make pre-commit                          # 运行所有预提交检查"
-	@echo ""
-	@echo "🚀 快速开始："
-	@echo "  make build                               # 构建 RustFS 二进制"
-	@echo "  make docker-dev-local                    # 构建开发 Docker 镜像（本地）"
-	@echo "  make dev-env-start                       # 启动开发环境"
-	@echo ""
-	@echo "💡 更多帮助请使用 'make help-build' 或 'make help-docker'"
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 [![RustFS](https://rustfs.com/images/rustfs-github.png)](https://rustfs.com)

-<p align="center">RustFS is a high-performance distributed object storage software built using Rust</p>
+<p align="center">RustFS is a high-performance, distributed object storage system built in Rust.</p>

 <p align="center">
  <a href="https://github.com/rustfs/rustfs/actions/workflows/ci.yml"><img alt="CI" src="https://github.com/rustfs/rustfs/actions/workflows/ci.yml/badge.svg" /></a>
@@ -11,122 +11,180 @@
 </p>

 <p align="center">
-  <a href="https://docs.rustfs.com/en/introduction.html">Getting Started</a>
-  · <a href="https://docs.rustfs.com/en/">Docs</a>
+<a href="https://trendshift.io/repositories/14181" target="_blank"><img src="https://trendshift.io/api/badge/repositories/14181" alt="rustfs%2Frustfs | Trendshift" style="width: 250px; height: 55px;" width="250" height="55"/></a>
+</p>
+
+
+<p align="center">
+  <a href="https://docs.rustfs.com/installation/">Getting Started</a>
+  · <a href="https://docs.rustfs.com/">Docs</a>
  · <a href="https://github.com/rustfs/rustfs/issues">Bug reports</a>
  · <a href="https://github.com/rustfs/rustfs/discussions">Discussions</a>
 </p>

 <p align="center">
 English | <a href="https://github.com/rustfs/rustfs/blob/main/README_ZH.md">简体中文</a> |
-  <!-- Keep these links. Translations will automatically update with the README. -->
  <a href="https://readme-i18n.com/rustfs/rustfs?lang=de">Deutsch</a> |
  <a href="https://readme-i18n.com/rustfs/rustfs?lang=es">Español</a> |
  <a href="https://readme-i18n.com/rustfs/rustfs?lang=fr">français</a> |
  <a href="https://readme-i18n.com/rustfs/rustfs?lang=ja">日本語</a> |
  <a href="https://readme-i18n.com/rustfs/rustfs?lang=ko">한국어</a> |
-  <a href="https://readme-i18n.com/rustfs/rustfs?lang=pt">Português</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=pt">Portuguese</a> |
  <a href="https://readme-i18n.com/rustfs/rustfs?lang=ru">Русский</a>
 </p>

-RustFS is a high-performance distributed object storage software built using Rust, one of the most popular languages worldwide. Along with MinIO, it shares a range of advantages such as simplicity, S3 compatibility, open-source nature, support for data lakes, AI, and big data. Furthermore, it has a better and more user-friendly open-source license in comparison to other storage systems, being constructed under the Apache license. As Rust serves as its foundation, RustFS provides faster speed and safer distributed features for high-performance object storage.
+RustFS is a high-performance, distributed object storage system built in Rust—one of the most loved programming languages worldwide. RustFS combines the simplicity of MinIO with the memory safety and raw performance of Rust. It offers full S3 compatibility, is completely open-source, and is optimized for data lakes, AI, and big data workloads.

-> ⚠️ **RustFS is under rapid development. Do NOT use in production environments!**
+Unlike other storage systems, RustFS is released under the permissible Apache 2.0 license, avoiding the restrictions of AGPL. With Rust as its foundation, RustFS delivers superior speed and secure distributed features for next-generation object storage.

-## Features
+## Feature & Status

- **High Performance**: Built with Rust, ensuring speed and efficiency.
- **Distributed Architecture**: Scalable and fault-tolerant design for large-scale deployments.
- **S3 Compatibility**: Seamless integration with existing S3-compatible applications.
- **Data Lake Support**: Optimized for big data and AI workloads.
- **Open Source**: Licensed under Apache 2.0, encouraging community contributions and transparency.
- **User-Friendly**: Designed with simplicity in mind, making it easy to deploy and manage.
+- **High Performance**: Built with Rust to ensure maximum speed and resource efficiency.
+- **Distributed Architecture**: Scalable and fault-tolerant design suitable for large-scale deployments.
+- **S3 Compatibility**: Seamless integration with existing S3-compatible applications and tools.
+- **Data Lake Support**: Optimized for high-throughput big data and AI workloads.
+- **Open Source**: Licensed under Apache 2.0, encouraging unrestricted community contributions and commercial usage.
+- **User-Friendly**: Designed with simplicity in mind for easy deployment and management.

-## RustFS vs MinIO
+| Feature | Status | Feature | Status |
+| :--- | :--- | :--- | :--- |
+| **S3 Core Features** | ✅ Available | **Bitrot Protection** | ✅ Available |
+| **Upload / Download** | ✅ Available | **Single Node Mode** | ✅ Available |
+| **Versioning** | ✅ Available |  **Bucket Replication** | ✅ Available |
+| **Logging** | ✅ Available |  **Lifecycle Management** | 🚧 Under Testing |
+| **Event Notifications** | ✅ Available |  **Distributed Mode** | 🚧 Under Testing |
+| **K8s Helm Charts** | ✅ Available |   **RustFS KMS** | 🚧 Under Testing | 

-Stress test server parameters

-|  Type  |  parameter   | Remark |
-| - | - | - |
-|CPU | 2 Core | Intel Xeon(Sapphire Rapids) Platinum 8475B , 2.7/3.2 GHz|   |
-|Memory| 4GB |     |
-|Network | 15Gbp |      |
-|Driver  | 40GB x 4 |   IOPS 3800 / Driver |
+
+
+## RustFS vs MinIO Performance
+
+**Stress Test Environment:**
+
+| Type    | Parameter | Remark                                                   |
+|---------|-----------|----------------------------------------------------------|
+| CPU     | 2 Core    | Intel Xeon (Sapphire Rapids) Platinum 8475B, 2.7/3.2 GHz |
+| Memory  | 4GB       |                                                          |
+| Network | 15Gbps    |                                                          |
+| Drive   | 40GB x 4  | IOPS 3800 / Drive                                        |

 <https://github.com/user-attachments/assets/2e4979b5-260c-4f2c-ac12-c87fd558072a>

-### RustFS vs Other object storage
+### RustFS vs Other Object Storage

-| RustFS | Other object storage|
-| - | - |
-| Powerful Console | Simple and useless Console |
-| Developed based on Rust language, memory is safer | Developed in Go or C, with potential issues like memory GC/leaks |
-| Does not report logs to third-party countries  | Reporting logs to other third countries may violate national security laws |
-| Licensed under Apache, more business-friendly  | AGPL V3 License and other License, polluted open source and License traps, infringement of intellectual property rights |
-| Comprehensive S3 support, works with domestic and international cloud providers  | Full support for S3, but no local cloud vendor support |
-| Rust-based development, strong support for secure and innovative devices  | Poor support for edge gateways and secure innovative devices|
-| Stable commercial prices, free community support | High pricing, with costs up to $250,000 for 1PiB |
-| No risk | Intellectual property risks and risks of prohibited uses |
+| Feature | RustFS | Other Object Storage |
+| :--- | :--- | :--- |
+| **Console Experience** | **Powerful Console**<br>Comprehensive management interface. | **Basic / Limited Console**<br>Often overly simple or lacking critical features. |
+| **Language & Safety** | **Rust-based**<br>Memory safety by design. | **Go or C-based**<br>Potential for memory GC pauses or leaks. |
+| **Data Sovereignty** | **No Telemetry / Full Compliance**<br>Guards against unauthorized cross-border data egress. Compliant with GDPR (EU/UK), CCPA (US), and APPI (Japan). | **Potential Risk**<br>Possible legal exposure and unwanted data telemetry. |
+| **Licensing** | **Permissive Apache 2.0**<br>Business-friendly, no "poison pill" clauses. | **Restrictive AGPL v3**<br>Risk of license traps and intellectual property pollution. |
+| **Compatibility** | **100% S3 Compatible**<br>Works with any cloud provider or client, anywhere. | **Variable Compatibility**<br>May lack support for local cloud vendors or specific APIs. |
+| **Edge & IoT** | **Strong Edge Support**<br>Ideal for secure, innovative edge devices. | **Weak Edge Support**<br>Often too heavy for edge gateways. |
+| **Risk Profile** | **Enterprise Risk Mitigation**<br>Clear IP rights and safe for commercial use. | **Legal Risks**<br>Intellectual property ambiguity and usage restrictions. |

 ## Quickstart

 To get started with RustFS, follow these steps:

-1. **One-click installation script (Option 1)**
-
-   ```bash
-   curl -O  https://rustfs.com/install_rustfs.sh && bash install_rustfs.sh
-   ```
-
-2. **Docker Quick Start (Option 2)**
+### 1. One-click Installation (Option 1)

  ```bash
-   # Latest stable release
-   docker run -d -p 9000:9000 -v /data:/data rustfs/rustfs:latest
+  curl -O https://rustfs.com/install_rustfs.sh && bash install_rustfs.sh
+````

-   # Development version (main branch)
-   docker run -d -p 9000:9000 -v /data:/data rustfs/rustfs:main-latest
+### 2\. Docker Quick Start (Option 2)

-   # Specific version
-   docker run -d -p 9000:9000 -v /data:/data rustfs/rustfs:v1.0.0
-   ```
+The RustFS container runs as a non-root user `rustfs` (UID `10001`). If you run Docker with `-v` to mount a host directory, please ensure the host directory owner is set to `10001`, otherwise you will encounter permission denied errors.

-3. **Build from Source (Option 3) - Advanced Users**
+```bash
+ # Create data and logs directories
+ mkdir -p data logs

-   For developers who want to build RustFS Docker images from source with multi-architecture support:
+ # Change the owner of these directories
+ chown -R 10001:10001 data logs

-   ```bash
-   # Build multi-architecture images locally
-   ./docker-buildx.sh --build-arg RELEASE=latest
+ # Using latest version
+ docker run -d -p 9000:9000 -p 9001:9001 -v $(pwd)/data:/data -v $(pwd)/logs:/logs rustfs/rustfs:latest

-   # Build and push to registry
-   ./docker-buildx.sh --push
+ # Using specific version
+ docker run -d -p 9000:9000 -p 9001:9001 -v $(pwd)/data:/data -v $(pwd)/logs:/logs rustfs/rustfs:1.0.0-alpha.76
+```

-   # Build specific version
-   ./docker-buildx.sh --release v1.0.0 --push
+You can also use Docker Compose. Using the `docker-compose.yml` file in the root directory:

-   # Build for custom registry
-   ./docker-buildx.sh --registry your-registry.com --namespace yourname --push
-   ```
+```bash
+docker compose --profile observability up -d
+```

-   The `docker-buildx.sh` script supports:
-   - **Multi-architecture builds**: `linux/amd64`, `linux/arm64`
-   - **Automatic version detection**: Uses git tags or commit hashes
-   - **Registry flexibility**: Supports Docker Hub, GitHub Container Registry, etc.
-   - **Build optimization**: Includes caching and parallel builds
+**NOTE**: We recommend reviewing the `docker-compose.yaml` file before running. It defines several services including Grafana, Prometheus, and Jaeger, which are helpful for RustFS observability. If you wish to start Redis or Nginx containers, you can specify the corresponding profiles.

-   You can also use Make targets for convenience:
+### 3\. Build from Source (Option 3) - Advanced Users

-   ```bash
-   make docker-buildx                    # Build locally
-   make docker-buildx-push               # Build and push
-   make docker-buildx-version VERSION=v1.0.0  # Build specific version
-   make help-docker                      # Show all Docker-related commands
-   ```
+For developers who want to build RustFS Docker images from source with multi-architecture support:

-4. **Access the Console**: Open your web browser and navigate to `http://localhost:9000` to access the RustFS console, default username and password is `rustfsadmin` .
-5. **Create a Bucket**: Use the console to create a new bucket for your objects.
-6. **Upload Objects**: You can upload files directly through the console or use S3-compatible APIs to interact with your RustFS instance.
+```bash
+# Build multi-architecture images locally
+./docker-buildx.sh --build-arg RELEASE=latest
+
+# Build and push to registry
+./docker-buildx.sh --push
+
+# Build specific version
+./docker-buildx.sh --release v1.0.0 --push
+
+# Build for custom registry
+./docker-buildx.sh --registry your-registry.com --namespace yourname --push
+```
+
+The `docker-buildx.sh` script supports:
+\- **Multi-architecture builds**: `linux/amd64`, `linux/arm64`
+\- **Automatic version detection**: Uses git tags or commit hashes
+\- **Registry flexibility**: Supports Docker Hub, GitHub Container Registry, etc.
+\- **Build optimization**: Includes caching and parallel builds
+
+You can also use Make targets for convenience:
+
+```bash
+make docker-buildx                    # Build locally
+make docker-buildx-push               # Build and push
+make docker-buildx-version VERSION=v1.0.0  # Build specific version
+make help-docker                      # Show all Docker-related commands
+```
+
+> **Heads-up (macOS cross-compilation)**: macOS keeps the default `ulimit -n` at 256, so `cargo zigbuild` or `./build-rustfs.sh --platform ...` may fail with `ProcessFdQuotaExceeded` when targeting Linux. The build script attempts to raise the limit automatically, but if you still see the warning, run `ulimit -n 4096` (or higher) in your shell before building.
+
+### 4\. Build with Helm Chart (Option 4) - Cloud Native
+
+Follow the instructions in the [Helm Chart README](https://charts.rustfs.com/) to install RustFS on a Kubernetes cluster.
+
+### 5\. Nix Flake (Option 5)
+
+If you have [Nix with flakes enabled](https://nixos.wiki/wiki/Flakes#Enable_flakes):
+
+```bash
+# Run directly without installing
+nix run github:rustfs/rustfs
+
+# Build the binary
+nix build github:rustfs/rustfs
+./result/bin/rustfs --help
+
+# Or from a local checkout
+nix build
+nix run
+```
+
+-----
+
+### Accessing RustFS
+
+5.  **Access the Console**: Open your web browser and navigate to `http://localhost:9001` to access the RustFS console.
+      * Default credentials: `rustfsadmin` / `rustfsadmin`
+6.  **Create a Bucket**: Use the console to create a new bucket for your objects.
+7.  **Upload Objects**: You can upload files directly through the console or use S3-compatible APIs/clients to interact with your RustFS instance.
+
+**NOTE**: To access the RustFS instance via `https`, please refer to the [TLS Configuration Docs](https://docs.rustfs.com/integration/tls-configured.html).

 ## Documentation

@@ -134,36 +192,42 @@ For detailed documentation, including configuration options, API references, and

 ## Getting Help

-If you have any questions or need assistance, you can:
+If you have any questions or need assistance:

- Check the [FAQ](https://github.com/rustfs/rustfs/discussions/categories/q-a) for common issues and solutions.
- Join our [GitHub Discussions](https://github.com/rustfs/rustfs/discussions) to ask questions and share your experiences.
- Open an issue on our [GitHub Issues](https://github.com/rustfs/rustfs/issues) page for bug reports or feature requests.
+  - Check the [FAQ](https://github.com/rustfs/rustfs/discussions/categories/q-a) for common issues and solutions.
+  - Join our [GitHub Discussions](https://github.com/rustfs/rustfs/discussions) to ask questions and share your experiences.
+  - Open an issue on our [GitHub Issues](https://github.com/rustfs/rustfs/issues) page for bug reports or feature requests.

 ## Links

- [Documentation](https://docs.rustfs.com) - The manual you should read
- [Changelog](https://github.com/rustfs/rustfs/releases) - What we broke and fixed
- [GitHub Discussions](https://github.com/rustfs/rustfs/discussions) - Where the community lives
+  - [Documentation](https://docs.rustfs.com) - The manual you should read
+  - [Changelog](https://github.com/rustfs/rustfs/releases) - What we broke and fixed
+  - [GitHub Discussions](https://github.com/rustfs/rustfs/discussions) - Where the community lives

 ## Contact

- **Bugs**: [GitHub Issues](https://github.com/rustfs/rustfs/issues)
- **Business**: <hello@rustfs.com>
- **Jobs**: <jobs@rustfs.com>
- **General Discussion**: [GitHub Discussions](https://github.com/rustfs/rustfs/discussions)
- **Contributing**: [CONTRIBUTING.md](CONTRIBUTING.md)
+  - **Bugs**: [GitHub Issues](https://github.com/rustfs/rustfs/issues)
+  - **Business**: [hello@rustfs.com](mailto:hello@rustfs.com)
+  - **Jobs**: [jobs@rustfs.com](mailto:jobs@rustfs.com)
+  - **General Discussion**: [GitHub Discussions](https://github.com/rustfs/rustfs/discussions)
+  - **Contributing**: [CONTRIBUTING.md](CONTRIBUTING.md)

 ## Contributors

 RustFS is a community-driven project, and we appreciate all contributions. Check out the [Contributors](https://github.com/rustfs/rustfs/graphs/contributors) page to see the amazing people who have helped make RustFS better.

 <a href="https://github.com/rustfs/rustfs/graphs/contributors">
-  <img src="https://opencollective.com/rustfs/contributors.svg?width=890&limit=500&button=false" />
+<img src="https://opencollective.com/rustfs/contributors.svg?width=890&limit=500&button=false" alt="Contributors" />
 </a>

+
+## Star History
+
+[![Star History Chart](https://api.star-history.com/svg?repos=rustfs/rustfs&type=date&legend=top-left)](https://www.star-history.com/#rustfs/rustfs&type=date&legend=top-left)
+
 ## License

 [Apache 2.0](https://opensource.org/licenses/Apache-2.0)

 **RustFS** is a trademark of RustFS, Inc. All other trademarks are the property of their respective owners.
+
--- a/README_ZH.md
+++ b/README_ZH.md
@@ -1,119 +1,221 @@
 [![RustFS](https://rustfs.com/images/rustfs-github.png)](https://rustfs.com)

-<p align="center">RustFS 是一个使用 Rust 构建的高性能分布式对象存储软件</p >
+<p align="center">RustFS 是一个基于 Rust 构建的高性能分布式对象存储系统。</p>

 <p align="center">
  <a href="https://github.com/rustfs/rustfs/actions/workflows/ci.yml"><img alt="CI" src="https://github.com/rustfs/rustfs/actions/workflows/ci.yml/badge.svg" /></a>
-  <a href="https://github.com/rustfs/rustfs/actions/workflows/docker.yml"><img alt="Build and Push Docker Images" src="https://github.com/rustfs/rustfs/actions/workflows/docker.yml/badge.svg" /></a>
-  <img alt="GitHub commit activity" src="https://img.shields.io/github/commit-activity/m/rustfs/rustfs"/>
-  <img alt="Github Last Commit" src="https://img.shields.io/github/last-commit/rustfs/rustfs"/>
+  <a href="https://github.com/rustfs/rustfs/actions/workflows/docker.yml"><img alt="构建并推送 Docker 镜像" src="https://github.com/rustfs/rustfs/actions/workflows/docker.yml/badge.svg" /></a>
+  <img alt="GitHub 提交活跃度" src="https://img.shields.io/github/commit-activity/m/rustfs/rustfs"/>
+  <img alt="Github 最新提交" src="https://img.shields.io/github/last-commit/rustfs/rustfs"/>
  <a href="https://hellogithub.com/repository/rustfs/rustfs" target="_blank"><img src="https://abroad.hellogithub.com/v1/widgets/recommend.svg?rid=b95bcb72bdc340b68f16fdf6790b7d5b&claim_uid=MsbvjYeLDKAH457&theme=small" alt="Featured｜HelloGitHub" /></a>
-</p >
+</p>

 <p align="center">
-  <a href="https://docs.rustfs.com/zh/introduction.html">快速开始</a >
-  · <a href="https://docs.rustfs.com/zh/">文档</a >
-  · <a href="https://github.com/rustfs/rustfs/issues">问题报告</a >
-  · <a href="https://github.com/rustfs/rustfs/discussions">讨论</a >
-</p >
+<a href="https://trendshift.io/repositories/14181" target="_blank"><img src="https://trendshift.io/api/badge/repositories/14181" alt="rustfs%2Frustfs | Trendshift" style="width: 250px; height: 55px;" width="250" height="55"/></a>
+</p>

 <p align="center">
-<a href="https://github.com/rustfs/rustfs/blob/main/README.md">English</a > | 简体中文
-</p >
+  <a href="https://docs.rustfs.com/installation/">快速开始</a>
+  · <a href="https://docs.rustfs.com/">文档</a>
+  · <a href="https://github.com/rustfs/rustfs/issues">报告 Bug</a>
+  · <a href="https://github.com/rustfs/rustfs/discussions">社区讨论</a>
+</p>

-RustFS 是一个使用 Rust（全球最受欢迎的编程语言之一）构建的高性能分布式对象存储软件。与 MinIO 一样，它具有简单性、S3 兼容性、开源特性以及对数据湖、AI 和大数据的支持等一系列优势。此外，与其他存储系统相比，它采用 Apache 许可证构建，拥有更好、更用户友好的开源许可证。由于以 Rust 为基础，RustFS 为高性能对象存储提供了更快的速度和更安全的分布式功能。

-## 特性

- **高性能**：使用 Rust 构建，确保速度和效率。
+<p align="center">
+  <a href="https://github.com/rustfs/rustfs/blob/main/README.md">English</a> | 简体中文 |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=de">Deutsch</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=es">Español</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=fr">français</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=ja">日本語</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=ko">한국어</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=pt">Portuguese</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=ru">Русский</a>
+</p>
+
+RustFS 是一个基于 Rust 构建的高性能分布式对象存储系统。Rust 是全球最受开发者喜爱的编程语言之一，RustFS 完美结合了 MinIO 的简洁性与 Rust 的内存安全及高性能优势。它提供完整的 S3 兼容性，完全开源，并专为数据湖、人工智能（AI）和大数据负载进行了优化。
+
+与其他存储系统不同，RustFS 采用更宽松、商业友好的 Apache 2.0 许可证，避免了 AGPL 协议的限制。以 Rust 为基石，RustFS 为下一代对象存储提供了更快的速度和更安全的分布式特性。
+
+## 特征和功能状态
+
+- **高性能**：基于 Rust 构建，确保极致的速度和资源效率。
 - **分布式架构**：可扩展且容错的设计，适用于大规模部署。
- **S3 兼容性**：与现有 S3 兼容应用程序无缝集成。
- **数据湖支持**：针对大数据和 AI 工作负载进行了优化。
- **开源**：采用 Apache 2.0 许可证，鼓励社区贡献和透明度。
- **用户友好**：设计简单，易于部署和管理。
+- **S3 兼容性**：与现有的 S3 兼容应用和工具无缝集成。
+- **数据湖支持**：专为高吞吐量的大数据和 AI 工作负载优化。
+- **完全开源**：采用 Apache 2.0 许可证，鼓励社区贡献和商业使用。
+- **简单易用**：设计简洁，易于部署和管理。

-## RustFS vs MinIO

-压力测试服务器参数
+| 功能 | 状态 |   功能 | 状态 | 
+| :--- | :--- | :--- | :--- |
+| **S3 核心功能** | ✅ 可用 |    **Bitrot (防数据腐烂)** | ✅ 可用 |
+| **上传 / 下载** | ✅ 可用 |     **单机模式** | ✅ 可用 |
+| **版本控制** | ✅ 可用 | **存储桶复制** | ✅ 可用 |
+| **日志功能** | ✅ 可用 |  **生命周期管理** | 🚧 测试中 |
+| **事件通知** | ✅ 可用 |  **分布式模式** | 🚧 测试中 |
+| **K8s Helm Chart** | ✅ 可用 |  **OPA (策略引擎)** | 🚧 测试中 |

-|  类型  |  参数   | 备注 |
-| - | - | - |
-|CPU | 2 核心 | Intel Xeon(Sapphire Rapids) Platinum 8475B , 2.7/3.2 GHz|   |
-|内存| 4GB |     |
-|网络 | 15Gbp |      |
-|驱动器  | 40GB x 4 |   IOPS 3800 / 驱动器 |
+
+
+
+## RustFS vs MinIO 性能对比
+
+**压力测试环境参数：**
+
+| 类型    | 参数 | 备注                                                   |
+|---------|-----------|----------------------------------------------------------|
+| CPU     | 2 核    | Intel Xeon (Sapphire Rapids) Platinum 8475B , 2.7/3.2 GHz |
+| 内存  | 4GB       |                                                          |
+| 网络 | 15Gbps     |                                                          |
+| 硬盘  | 40GB x 4  | IOPS 3800 / Drive                                       |

 <https://github.com/user-attachments/assets/2e4979b5-260c-4f2c-ac12-c87fd558072a>

 ### RustFS vs 其他对象存储

-| RustFS | 其他对象存储|
-| - | - |
-| 强大的控制台 | 简单且无用的控制台 |
-| 基于 Rust 语言开发，内存更安全 | 使用 Go 或 C 开发，存在内存 GC/泄漏等潜在问题 |
-| 不向第三方国家报告日志  | 向其他第三方国家报告日志可能违反国家安全法律 |
-| 采用 Apache 许可证，对商业更友好  | AGPL V3 许可证等其他许可证，污染开源和许可证陷阱，侵犯知识产权 |
-| 全面的 S3 支持，适用于国内外云提供商  | 完全支持 S3，但不支持本地云厂商 |
-| 基于 Rust 开发，对安全和创新设备有强大支持  | 对边缘网关和安全创新设备支持较差|
-| 稳定的商业价格，免费社区支持 | 高昂的定价，1PiB 成本高达 $250,000 |
-| 无风险 | 知识产权风险和禁止使用的风险 |
+| 特性 | RustFS | 其他对象存储 |
+| :--- | :--- | :--- |
+| **控制台体验** | **功能强大的控制台**<br>提供全面的管理界面。 | **基础/简陋的控制台**<br>通常功能过于简单或缺失关键特性。 |
+| **语言与安全** | **基于 Rust 开发**<br>天生的内存安全。 | **基于 Go 或 C 开发**<br>存在内存 GC 停顿或内存泄漏的潜在风险。 |
+| **数据主权** | **无遥测 / 完全合规**<br>防止未经授权的数据跨境传输。完全符合 GDPR (欧盟/英国)、CCPA (美国) 和 APPI (日本) 等法规。 | **潜在风险**<br>可能存在法律风险和隐蔽的数据遥测（Telemetry）。 |
+| **开源协议** | **宽松的 Apache 2.0**<br>商业友好，无“毒丸”条款。 | **受限的 AGPL v3**<br>存在许可证陷阱和知识产权污染的风险。 |
+| **兼容性** | **100% S3 兼容**<br>适用于任何云提供商和客户端，随处运行。 | **兼容性不一**<br>虽然支持 S3，但可能缺乏对本地云厂商或特定 API 的支持。 |
+| **边缘与 IoT** | **强大的边缘支持**<br>非常适合安全、创新的边缘设备。 | **边缘支持较弱**<br>对于边缘网关来说通常过于沉重。 |
+| **成本** | **稳定且免费**<br>免费社区支持，稳定的商业定价。 | **高昂成本**<br>1PiB 的成本可能高达 250,000 美元。 |
+| **风险控制** | **企业级风险规避**<br>清晰的知识产权，商业使用安全无忧。 | **法律风险**<br>知识产权归属模糊及使用限制风险。 |

 ## 快速开始

-要开始使用 RustFS，请按照以下步骤操作：
+请按照以下步骤快速上手 RustFS：

-1. **一键脚本快速启动 (方案一)**
-
-   ```bash
-   curl -O  https://rustfs.com/install_rustfs.sh && bash install_rustfs.sh
-   ```
-
-2. **Docker快速启动（方案二）**
+### 1. 一键安装脚本 (选项 1)

  ```bash
-   docker run -d -p 9000:9000  -v /data:/data rustfs/rustfs
-   ```
+  curl -O https://rustfs.com/install_rustfs.sh && bash install_rustfs.sh
+````

-3. **访问控制台**：打开 Web 浏览器并导航到 `http://localhost:9000` 以访问 RustFS 控制台，默认的用户名和密码是 `rustfsadmin` 。
-4. **创建存储桶**：使用控制台为您的对象创建新的存储桶。
-5. **上传对象**：您可以直接通过控制台上传文件，或使用 S3 兼容的 API 与您的 RustFS 实例交互。
+### 2\. Docker 快速启动 (选项 2)
+
+RustFS 容器以非 root 用户 `rustfs` (UID `10001`) 运行。如果您使用 Docker 的 `-v` 参数挂载宿主机目录，请务必确保宿主机目录的所有者已更改为 `1000`，否则会遇到权限拒绝错误。
+
+```bash
+ # 创建数据和日志目录
+ mkdir -p data logs
+
+ # 更改这两个目录的所有者
+ chown -R 10001:10001 data logs
+
+ # 使用最新版本运行
+ docker run -d -p 9000:9000 -p 9001:9001 -v $(pwd)/data:/data -v $(pwd)/logs:/logs rustfs/rustfs:latest
+
+ # 使用指定版本运行
+ docker run -d -p 9000:9000 -p 9001:9001 -v $(pwd)/data:/data -v $(pwd)/logs:/logs rustfs/rustfs:1.0.0.alpha.68
+```
+
+您也可以使用 Docker Compose。使用根目录下的 `docker-compose.yml` 文件：
+
+```bash
+docker compose --profile observability up -d
+```
+
+**注意**: 我们建议您在运行前查看 `docker-compose.yaml` 文件。该文件定义了包括 Grafana、Prometheus 和 Jaeger 在内的多个服务，有助于 RustFS 的可观测性监控。如果您还想启动 Redis 或 Nginx 容器，可以指定相应的 profile。
+
+### 3\. 源码编译 (选项 3) - 进阶用户
+
+适用于希望从源码构建支持多架构 RustFS Docker 镜像的开发者：
+
+```bash
+# 在本地构建多架构镜像
+./docker-buildx.sh --build-arg RELEASE=latest
+
+# 构建并推送到仓库
+./docker-buildx.sh --push
+
+# 构建指定版本
+./docker-buildx.sh --release v1.0.0 --push
+
+# 构建并推送到自定义仓库
+./docker-buildx.sh --registry your-registry.com --namespace yourname --push
+```
+
+`docker-buildx.sh` 脚本支持：
+\- **多架构构建**: `linux/amd64`, `linux/arm64`
+\- **自动版本检测**: 使用 git tags 或 commit hash
+\- **灵活的仓库支持**: 支持 Docker Hub, GitHub Container Registry 等
+\- **构建优化**: 包含缓存和并行构建
+
+为了方便起见，您也可以使用 Make 命令：
+
+```bash
+make docker-buildx                    # 本地构建
+make docker-buildx-push               # 构建并推送
+make docker-buildx-version VERSION=v1.0.0  # 构建指定版本
+make help-docker                      # 显示所有 Docker 相关命令
+```
+
+> **注意 (macOS 交叉编译)**: macOS 默认的 `ulimit -n` 限制为 256，因此在使用 `cargo zigbuild` 或 `./build-rustfs.sh --platform ...` 交叉编译 Linux 版本时，可能会因 `ProcessFdQuotaExceeded` 失败。构建脚本会尝试自动提高限制，但如果您仍然看到警告，请在构建前在终端运行 `ulimit -n 4096` (或更高)。
+
+### 4\. 使用 Helm Chart 安装 (选项 4) - 云原生环境
+
+请按照 [Helm Chart README](https://charts.rustfs.com) 上的说明在 Kubernetes 集群上安装 RustFS。
+
+-----
+
+### 访问 RustFS
+
+5.  **访问控制台**: 打开浏览器并访问 `http://localhost:9000` 进入 RustFS 控制台。
+      * 默认账号/密码: `rustfsadmin` / `rustfsadmin`
+6.  **创建存储桶**: 使用控制台为您的对象创建一个新的存储桶 (Bucket)。
+7.  **上传对象**: 您可以直接通过控制台上传文件，或使用 S3 兼容的 API/客户端与您的 RustFS 实例进行交互。
+
+**注意**: 如果您希望通过 `https` 访问 RustFS 实例，请参考 [TLS 配置文档](https://docs.rustfs.com/integration/tls-configured.html)。

 ## 文档

-有关详细文档，包括配置选项、API 参考和高级用法，请访问我们的[文档](https://docs.rustfs.com)。
+有关详细文档，包括配置选项、API 参考和高级用法，请访问我们的 [官方文档](https://docs.rustfs.com)。

 ## 获取帮助

-如果您有任何问题或需要帮助，您可以：
+如果您有任何问题或需要帮助：

- 查看[常见问题解答](https://github.com/rustfs/rustfs/discussions/categories/q-a)以获取常见问题和解决方案。
- 加入我们的 [GitHub 讨论](https://github.com/rustfs/rustfs/discussions)来提问和分享您的经验。
- 在我们的 [GitHub Issues](https://github.com/rustfs/rustfs/issues) 页面上开启问题，报告错误或功能请求。
+  - 查看 [FAQ](https://github.com/rustfs/rustfs/discussions/categories/q-a) 寻找常见问题和解决方案。
+  - 加入我们的 [GitHub Discussions](https://github.com/rustfs/rustfs/discussions) 提问并分享您的经验。
+  - 在我们的 [GitHub Issues](https://github.com/rustfs/rustfs/issues) 页面提交 Bug 报告或功能请求。

 ## 链接

- [文档](https://docs.rustfs.com) - 您应该阅读的手册
- [更新日志](https://docs.rustfs.com/changelog) - 我们破坏和修复的内容
- [GitHub 讨论](https://github.com/rustfs/rustfs/discussions) - 社区所在地
+  - [官方文档](https://docs.rustfs.com) - 必读手册
+  - [更新日志](https://github.com/rustfs/rustfs/releases) - 版本变更记录
+  - [社区讨论](https://github.com/rustfs/rustfs/discussions) - 社区交流地

-## 联系
+## 联系方式

- **错误报告**：[GitHub Issues](https://github.com/rustfs/rustfs/issues)
- **商务合作**：<hello@rustfs.com>
- **招聘**：<jobs@rustfs.com>
- **一般讨论**：[GitHub 讨论](https://github.com/rustfs/rustfs/discussions)
- **贡献**：[CONTRIBUTING.md](CONTRIBUTING.md)
+  - **Bug 反馈**: [GitHub Issues](https://github.com/rustfs/rustfs/issues)
+  - **商务合作**: [hello@rustfs.com](mailto:hello@rustfs.com)
+  - **工作机会**: [jobs@rustfs.com](mailto:jobs@rustfs.com)
+  - **一般讨论**: [GitHub Discussions](https://github.com/rustfs/rustfs/discussions)
+  - **贡献指南**: [CONTRIBUTING.md](https://www.google.com/search?q=CONTRIBUTING.md)

 ## 贡献者

-RustFS 是一个社区驱动的项目，我们感谢所有的贡献。查看[贡献者](https://github.com/rustfs/rustfs/graphs/contributors)页面，了解帮助 RustFS 变得更好的杰出人员。
+RustFS 是一个社区驱动的项目，我们感谢所有的贡献。请查看 [贡献者](https://github.com/rustfs/rustfs/graphs/contributors) 页面，看看那些让 RustFS 变得更好的了不起的人们。

 <a href="https://github.com/rustfs/rustfs/graphs/contributors">
-  <img src="https://opencollective.com/rustfs/contributors.svg?width=890&limit=500&button=false" />
-</a >
+<img src="https://opencollective.com/rustfs/contributors.svg?width=890&limit=500&button=false" alt="Contributors" />
+</a>
+
+
+
+## Star 历史
+
+[![Star History Chart](https://api.star-history.com/svg?repos=rustfs/rustfs&type=date&legend=top-left)](https://www.star-history.com/#rustfs/rustfs&type=date&legend=top-left)
+

 ## 许可证

 [Apache 2.0](https://opensource.org/licenses/Apache-2.0)

 **RustFS** 是 RustFS, Inc. 的商标。所有其他商标均为其各自所有者的财产。
+
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,8 +2,7 @@

 ## Supported Versions

-Use this section to tell people about which versions of your project are
-currently being supported with security updates.
+Security updates are provided for the latest released version of this project.

 | Version | Supported          |
 | ------- | ------------------ |
@@ -11,8 +10,10 @@ currently being supported with security updates.

 ## Reporting a Vulnerability

-Use this section to tell people how to report a vulnerability.
+Please report security vulnerabilities **privately** via GitHub Security Advisories:

-Tell them where to go, how often they can expect to get an update on a
-reported vulnerability, what to expect if the vulnerability is accepted or
-declined, etc.
+https://github.com/rustfs/rustfs/security/advisories/new
+
+Do **not** open a public issue for security-sensitive bugs.
+
+You can expect an initial response within a reasonable timeframe. Further updates will be provided as the report is triaged.
--- a/_typos.toml
+++ b/_typos.toml
@@ -36,6 +36,7 @@ clen = "clen"
 datas = "datas"
 bre = "bre"
 abd = "abd"
+mak = "mak"

 [files]
 extend-exclude = []
--- a/build-rustfs.sh
+++ b/build-rustfs.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash

 # RustFS Binary Build Script
 # This script compiles RustFS binaries for different platforms and architectures
@@ -21,13 +21,17 @@ detect_platform() {
        "linux")
            case "$arch" in
                "x86_64")
-                    echo "x86_64-unknown-linux-musl"
+                    # Default to GNU for better compatibility
+                    echo "x86_64-unknown-linux-gnu"
                    ;;
                "aarch64"|"arm64")
-                    echo "aarch64-unknown-linux-musl"
+                    echo "aarch64-unknown-linux-gnu"
                    ;;
                "armv7l")
-                    echo "armv7-unknown-linux-musleabihf"
+                    echo "armv7-unknown-linux-gnueabihf"
+                    ;;
+                "loongarch64")
+                    echo "loongarch64-unknown-linux-musl"
                    ;;
                *)
                    echo "unknown-platform"
@@ -119,6 +123,17 @@ usage() {
    echo "  -o, --output-dir DIR       Output directory (default: target/release)"
    echo "  -b, --binary-name NAME     Binary name (default: rustfs)"
    echo "  -p, --platform TARGET      Target platform (default: auto-detect)"
+    echo "                              Supported platforms:"
+    echo "                                x86_64-unknown-linux-gnu"
+    echo "                                aarch64-unknown-linux-gnu"
+    echo "                                armv7-unknown-linux-gnueabihf"
+    echo "                                x86_64-unknown-linux-musl"
+    echo "                                aarch64-unknown-linux-musl"
+    echo "                                armv7-unknown-linux-musleabihf"
+    echo "                                x86_64-apple-darwin"
+    echo "                                aarch64-apple-darwin"
+    echo "                                x86_64-pc-windows-msvc"
+    echo "                                aarch64-pc-windows-msvc"
    echo "  --dev                      Build in dev mode"
    echo "  --sign                     Sign binaries after build"
    echo "  --with-console             Download console static assets (default)"
@@ -148,6 +163,35 @@ print_message() {
    echo -e "${color}${message}${NC}"
 }

+# Prevent zig/ld from hitting macOS file descriptor defaults during linking
+ensure_file_descriptor_limit() {
+    local required_limit=4096
+    local current_limit
+    current_limit=$(ulimit -Sn 2>/dev/null || echo "")
+
+    if [ -z "$current_limit" ] || [ "$current_limit" = "unlimited" ]; then
+        return
+    fi
+
+    if (( current_limit >= required_limit )); then
+        return
+    fi
+
+    local hard_limit target_limit
+    hard_limit=$(ulimit -Hn 2>/dev/null || echo "")
+    target_limit=$required_limit
+
+    if [ -n "$hard_limit" ] && [ "$hard_limit" != "unlimited" ] && (( hard_limit < required_limit )); then
+        target_limit=$hard_limit
+    fi
+
+    if ulimit -Sn "$target_limit" 2>/dev/null; then
+        print_message $YELLOW "🔧 Increased open file limit from $current_limit to $target_limit to avoid ProcessFdQuotaExceeded"
+    else
+        print_message $YELLOW "⚠️ Unable to raise ulimit -n automatically (current: $current_limit, needed: $required_limit). Please run 'ulimit -n $required_limit' manually before building."
+    fi
+}
+
 # Get version from git
 get_version() {
    if git describe --abbrev=0 --tags >/dev/null 2>&1; then
@@ -385,7 +429,7 @@ build_binary() {
        fi
    else
        # Native compilation
-        build_cmd="cargo build"
+        build_cmd="RUSTFLAGS=-Clink-arg=-lm cargo build"
    fi

    if [ "$BUILD_TYPE" = "release" ]; then
@@ -555,10 +599,11 @@ main() {
        fi
    fi

+    ensure_file_descriptor_limit
+
    # Start build process
    build_rustfs
 }

 # Run main function
 main
-
--- a/cli/rustfs-gui/Dioxus.toml
+++ b/cli/rustfs-gui/Dioxus.toml
@@ -1,52 +0,0 @@
-[application]
-
-# App (Project) Name
-name = "rustfs-gui"
-
-# The static resource path
-asset_dir = "public"
-
-[web.app]
-
-# HTML title tag content
-title = "rustfs-gui"
-
-# include `assets` in web platform
-[web.resource]
-
-# Additional CSS style files
-style = []
-
-# Additional JavaScript files
-script = []
-
-[web.resource.dev]
-
-# Javascript code file
-# serve: [dev-server] only
-script = []
-
-[bundle]
-identifier = "com.rustfs.cli.gui"
-
-publisher = "RustFsGUI"
-
-category = "Utility"
-
-copyright = "Copyright 2025 rustfs.com"
-
-icon = [
-    "assets/icons/icon.icns",
-    "assets/icons/icon.ico",
-    "assets/icons/icon.png",
-    "assets/icons/rustfs-icon.png",
-]
-#[bundle.macos]
-#provider_short_name = "RustFs"
-[bundle.windows]
-tsp = true
-icon_path = "assets/icons/icon.ico"
-allow_downgrades = true
-[bundle.windows.webview_install_mode]
-[bundle.windows.webview_install_mode.EmbedBootstrapper]
-silent = true
--- a/cli/rustfs-gui/README.md
+++ b/cli/rustfs-gui/README.md
@@ -1,34 +0,0 @@
-## Rustfs GUI
-
-### Tailwind
-
-1. Install npm: https://docs.npmjs.com/downloading-and-installing-node-js-and-npm
-2. Install the Tailwind CSS CLI: https://tailwindcss.com/docs/installation
-3. Run the following command in the root of the project to start the Tailwind CSS compiler:
-
-```bash
-npx tailwindcss -i ./input.css -o ./assets/tailwind.css --watch
-```
-
-### Dioxus CLI
-
-#### Install the stable version (recommended)
-
-```shell
-cargo install dioxus-cli
-```
-
-### Serving Your App
-
-Run the following command in the root of your project to start developing with the default platform:
-
-```bash
-dx serve
-```
-
-To run for a different platform, use the `--platform platform` flag. E.g.
-
-```bash
-dx serve --platform desktop
-```
-
--- a/cli/rustfs-gui/assets/favicon.ico
+++ b/cli/rustfs-gui/assets/favicon.ico
--- a/cli/rustfs-gui/assets/icon.png
+++ b/cli/rustfs-gui/assets/icon.png
--- a/cli/rustfs-gui/assets/icons/icon-all.icns
+++ b/cli/rustfs-gui/assets/icons/icon-all.icns
--- a/cli/rustfs-gui/assets/icons/icon-all.ico
+++ b/cli/rustfs-gui/assets/icons/icon-all.ico
--- a/cli/rustfs-gui/assets/icons/icon.icns
+++ b/cli/rustfs-gui/assets/icons/icon.icns
--- a/cli/rustfs-gui/assets/icons/icon.ico
+++ b/cli/rustfs-gui/assets/icons/icon.ico
--- a/cli/rustfs-gui/assets/icons/icon.png
+++ b/cli/rustfs-gui/assets/icons/icon.png
--- a/cli/rustfs-gui/assets/icons/icon_128x128.png
+++ b/cli/rustfs-gui/assets/icons/icon_128x128.png
--- a/cli/rustfs-gui/assets/icons/icon_128x128@2x.png
+++ b/cli/rustfs-gui/assets/icons/icon_128x128@2x.png
--- a/cli/rustfs-gui/assets/icons/icon_16x16.png
+++ b/cli/rustfs-gui/assets/icons/icon_16x16.png
--- a/cli/rustfs-gui/assets/icons/icon_16x16@2x.png
+++ b/cli/rustfs-gui/assets/icons/icon_16x16@2x.png
--- a/cli/rustfs-gui/assets/icons/icon_256x256.png
+++ b/cli/rustfs-gui/assets/icons/icon_256x256.png
--- a/cli/rustfs-gui/assets/icons/icon_256x256@2x.png
+++ b/cli/rustfs-gui/assets/icons/icon_256x256@2x.png
--- a/cli/rustfs-gui/assets/icons/icon_32x32.png
+++ b/cli/rustfs-gui/assets/icons/icon_32x32.png
--- a/cli/rustfs-gui/assets/icons/icon_32x32@2x.png
+++ b/cli/rustfs-gui/assets/icons/icon_32x32@2x.png
--- a/cli/rustfs-gui/assets/icons/icon_512x512.png
+++ b/cli/rustfs-gui/assets/icons/icon_512x512.png
--- a/cli/rustfs-gui/assets/icons/icon_512x512@2x.png
+++ b/cli/rustfs-gui/assets/icons/icon_512x512@2x.png
--- a/cli/rustfs-gui/assets/icons/rustfs-icon.png
+++ b/cli/rustfs-gui/assets/icons/rustfs-icon.png
--- a/cli/rustfs-gui/assets/js/sts.js
+++ b/cli/rustfs-gui/assets/js/sts.js
@@ -1,48 +0,0 @@
-/**
- * Copyright 2024 RustFS Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-window.switchTab = function (tabId) {
-    // Hide everything
-    document.querySelectorAll('.tab-content').forEach(content => {
-        content.classList.add('hidden');
-    });
-
-    // Reset all label styles
-    document.querySelectorAll('.tab-btn').forEach(btn => {
-        btn.classList.remove('border-b-2', 'border-black');
-        btn.classList.add('text-gray-500');
-    });
-
-    // Displays the selected content
-    const activeContent = document.getElementById(tabId);
-    if (activeContent) {
-        activeContent.classList.remove('hidden');
-    }
-
-    // Updates the selected label style
-    const activeBtn = document.querySelector(`[data-tab="${tabId}"]`);
-    if (activeBtn) {
-        activeBtn.classList.add('border-b-2', 'border-black');
-        activeBtn.classList.remove('text-gray-500');
-    }
-};
-
-window.togglePassword = function (button) {
-    const input = button.parentElement.querySelector('input[type="password"], input[type="text"]');
-    if (input) {
-        input.type = input.type === 'password' ? 'text' : 'password';
-    }
-};
--- a/cli/rustfs-gui/assets/rustfs-icon.png
+++ b/cli/rustfs-gui/assets/rustfs-icon.png
--- a/cli/rustfs-gui/assets/rustfs-logo-square.png
+++ b/cli/rustfs-gui/assets/rustfs-logo-square.png
--- a/cli/rustfs-gui/assets/rustfs-logo.svg
+++ b/cli/rustfs-gui/assets/rustfs-logo.svg
@@ -1,15 +0,0 @@
-<svg width="1558" height="260" viewBox="0 0 1558 260" fill="none" xmlns="http://www.w3.org/2000/svg">
-<g clip-path="url(#clip0_0_3)">
-<path d="M1288.5 112.905H1159.75V58.4404H1262L1270 0L1074 0V260H1159.75V162.997H1296.95L1288.5 112.905Z" fill="#0196D0"/>
-<path d="M1058.62 58.4404V0H789V58.4404H881.133V260H966.885V58.4404H1058.62Z" fill="#0196D0"/>
-<path d="M521 179.102V0L454.973 15V161C454.973 181.124 452.084 193.146 443.5 202C434.916 211.257 419.318 214.5 400.5 214.5C381.022 214.5 366.744 210.854 357.5 202C348.916 193.548 346.357 175.721 346.357 156V0L280 15V175.48C280 208.08 290.234 229.412 309.712 241.486C329.19 253.56 358.903 260 400.5 260C440.447 260 470.159 253.56 490.297 241.486C510.766 229.412 521 208.483 521 179.102Z" fill="#0196D0"/>
-<path d="M172.84 84.2813C172.84 97.7982 168.249 107.737 158.41 113.303C149.883 118.471 137.092 121.254 120.693 122.049V162.997C129.876 163.792 138.076 166.177 144.307 176.514L184.647 260H265L225.316 180.489C213.181 155.046 201.374 149.48 178.744 143.517C212.197 138.349 241.386 118.471 241.386 73.1499C241.386 53.2722 233.843 30.2141 218.756 17.8899C203.998 5.56575 183.991 0 159.394 0H120.693V48.5015H127.58C142.23 48.5015 153.6 51.4169 161.689 57.2477C169.233 62.8135 172.84 71.5596 172.84 84.2813ZM120.693 122.049C119.163 122.049 117.741 122.049 116.43 122.049H68.5457V48.5015H120.693V0H0V260H70.5137V162.997H110.526C113.806 162.997 117.741 162.997 120.693 162.997V122.049Z" fill="#0196D0"/>
-<path d="M774 179.297C774 160.829 766.671 144.669 752.013 131.972C738.127 119.66 712.025 110.169 673.708 103.5C662.136 101.191 651.722 99.6523 643.235 97.3437C586.532 84.6467 594.632 52.7118 650.564 52.7118C680.651 52.7118 709.582 61.946 738.127 66.9478C742.37 67.7174 743.913 68.1021 744.298 68.1021L750.47 12.697C720.383 3.46282 684.895 0 654.036 0C616.619 0 587.689 6.54088 567.245 19.2379C546.801 31.9349 536 57.7137 536 82.3382C536 103.5 543.715 119.66 559.916 131.972C575.731 143.515 604.276 152.749 645.55 160.059C658.279 162.368 668.694 163.907 676.794 166.215C685.023 168.524 691.066 170.704 694.924 172.756C702.253 176.604 706.11 182.375 706.11 188.531C706.11 196.611 701.481 202.767 692.224 207C664.836 220.081 587.689 212.001 556.83 198.15L543.715 247.784C547.186 248.169 552.972 249.323 559.916 250.477C616.619 259.327 690.681 270.869 741.212 238.935C762.814 225.468 774 206.23 774 179.297Z" fill="#0196D0"/>
-<path d="M1558 179.568C1558 160.383 1550.42 144.268 1535.67 131.99C1521.32 119.968 1494.34 110.631 1454.74 103.981C1442.38 101.679 1432.01 99.3764 1422.84 97.8416C1422.44 97.8416 1422.04 97.8416 1422.04 97.4579V112.422L1361.04 75.2038L1422.04 38.3692V52.9496C1424.7 52.9496 1427.49 52.9496 1430.41 52.9496C1461.51 52.9496 1491.42 62.5419 1521.32 67.5299C1525.31 67.9136 1526.9 67.9136 1527.3 67.9136L1533.68 12.6619C1502.98 3.83692 1465.9 0 1434 0C1395.33 0 1365.43 6.52277 1345.09 19.5683C1323.16 32.6139 1312 57.9376 1312 82.8776C1312 103.981 1320.37 120.096 1336.72 131.607C1353.46 143.885 1382.97 153.093 1425.23 160.383C1434 161.535 1441.18 162.686 1447.56 164.22L1448.36 150.791L1507.36 190.312L1445.57 224.844L1445.96 212.949C1409.68 215.635 1357.45 209.112 1333.53 197.985L1320.37 247.482C1323.56 248.249 1329.54 248.633 1336.72 250.551C1395.33 259.376 1471.88 270.887 1524.11 238.657C1546.84 225.611 1558 205.659 1558 179.568Z" fill="#0196D0"/>
-</g>
-<defs>
-<clipPath id="clip0_0_3">
-<rect width="1558" height="260" fill="white"/>
-</clipPath>
-</defs>
-</svg>
--- a/cli/rustfs-gui/assets/styling/navbar.css
+++ b/cli/rustfs-gui/assets/styling/navbar.css
@@ -1,33 +0,0 @@
-/**
- * Copyright 2024 RustFS Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#navbar {
-    display: flex;
-    flex-direction: row;
-}
-
-#navbar a {
-    color: #ffffff;
-    margin-right: 20px;
-    text-decoration: none;
-    transition: color 0.2s ease;
-}
-
-#navbar a:hover {
-    cursor: pointer;
-    color: #ffffff;
-/ / #91a4d2;
-}
--- a/cli/rustfs-gui/assets/tailwind.css
+++ b/cli/rustfs-gui/assets/tailwind.css
@@ -1,972 +0,0 @@
-/**
- * Copyright 2024 RustFS Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-*, ::before, ::after {
-  --tw-border-spacing-x: 0;
-  --tw-border-spacing-y: 0;
-  --tw-translate-x: 0;
-  --tw-translate-y: 0;
-  --tw-rotate: 0;
-  --tw-skew-x: 0;
-  --tw-skew-y: 0;
-  --tw-scale-x: 1;
-  --tw-scale-y: 1;
-  --tw-pan-x:  ;
-  --tw-pan-y:  ;
-  --tw-pinch-zoom:  ;
-  --tw-scroll-snap-strictness: proximity;
-  --tw-gradient-from-position:  ;
-  --tw-gradient-via-position:  ;
-  --tw-gradient-to-position:  ;
-  --tw-ordinal:  ;
-  --tw-slashed-zero:  ;
-  --tw-numeric-figure:  ;
-  --tw-numeric-spacing:  ;
-  --tw-numeric-fraction:  ;
-  --tw-ring-inset:  ;
-  --tw-ring-offset-width: 0px;
-  --tw-ring-offset-color: #fff;
-  --tw-ring-color: rgb(59 130 246 / 0.5);
-  --tw-ring-offset-shadow: 0 0 #0000;
-  --tw-ring-shadow: 0 0 #0000;
-  --tw-shadow: 0 0 #0000;
-  --tw-shadow-colored: 0 0 #0000;
-  --tw-blur:  ;
-  --tw-brightness:  ;
-  --tw-contrast:  ;
-  --tw-grayscale:  ;
-  --tw-hue-rotate:  ;
-  --tw-invert:  ;
-  --tw-saturate:  ;
-  --tw-sepia:  ;
-  --tw-drop-shadow:  ;
-  --tw-backdrop-blur:  ;
-  --tw-backdrop-brightness:  ;
-  --tw-backdrop-contrast:  ;
-  --tw-backdrop-grayscale:  ;
-  --tw-backdrop-hue-rotate:  ;
-  --tw-backdrop-invert:  ;
-  --tw-backdrop-opacity:  ;
-  --tw-backdrop-saturate:  ;
-  --tw-backdrop-sepia:  ;
-  --tw-contain-size:  ;
-  --tw-contain-layout:  ;
-  --tw-contain-paint:  ;
-  --tw-contain-style:  ;
-}
-
-::backdrop {
-  --tw-border-spacing-x: 0;
-  --tw-border-spacing-y: 0;
-  --tw-translate-x: 0;
-  --tw-translate-y: 0;
-  --tw-rotate: 0;
-  --tw-skew-x: 0;
-  --tw-skew-y: 0;
-  --tw-scale-x: 1;
-  --tw-scale-y: 1;
-  --tw-pan-x:  ;
-  --tw-pan-y:  ;
-  --tw-pinch-zoom:  ;
-  --tw-scroll-snap-strictness: proximity;
-  --tw-gradient-from-position:  ;
-  --tw-gradient-via-position:  ;
-  --tw-gradient-to-position:  ;
-  --tw-ordinal:  ;
-  --tw-slashed-zero:  ;
-  --tw-numeric-figure:  ;
-  --tw-numeric-spacing:  ;
-  --tw-numeric-fraction:  ;
-  --tw-ring-inset:  ;
-  --tw-ring-offset-width: 0px;
-  --tw-ring-offset-color: #fff;
-  --tw-ring-color: rgb(59 130 246 / 0.5);
-  --tw-ring-offset-shadow: 0 0 #0000;
-  --tw-ring-shadow: 0 0 #0000;
-  --tw-shadow: 0 0 #0000;
-  --tw-shadow-colored: 0 0 #0000;
-  --tw-blur:  ;
-  --tw-brightness:  ;
-  --tw-contrast:  ;
-  --tw-grayscale:  ;
-  --tw-hue-rotate:  ;
-  --tw-invert:  ;
-  --tw-saturate:  ;
-  --tw-sepia:  ;
-  --tw-drop-shadow:  ;
-  --tw-backdrop-blur:  ;
-  --tw-backdrop-brightness:  ;
-  --tw-backdrop-contrast:  ;
-  --tw-backdrop-grayscale:  ;
-  --tw-backdrop-hue-rotate:  ;
-  --tw-backdrop-invert:  ;
-  --tw-backdrop-opacity:  ;
-  --tw-backdrop-saturate:  ;
-  --tw-backdrop-sepia:  ;
-  --tw-contain-size:  ;
-  --tw-contain-layout:  ;
-  --tw-contain-paint:  ;
-  --tw-contain-style:  ;
-}
-
-/*
-! tailwindcss v3.4.17 | MIT License | https://tailwindcss.com
-*/
-
-/*
-1. Prevent padding and border from affecting element width. (https://github.com/mozdevs/cssremedy/issues/4)
-2. Allow adding a border to an element by just adding a border-width. (https://github.com/tailwindcss/tailwindcss/pull/116)
-*/
-
-*,
-::before,
-::after {
-  box-sizing: border-box;
-  /* 1 */
-  border-width: 0;
-  /* 2 */
-  border-style: solid;
-  /* 2 */
-  border-color: #e5e7eb;
-  /* 2 */
-}
-
-::before,
-::after {
-  --tw-content: '';
-}
-
-/*
-1. Use a consistent sensible line-height in all browsers.
-2. Prevent adjustments of font size after orientation changes in iOS.
-3. Use a more readable tab size.
-4. Use the user's configured `sans` font-family by default.
-5. Use the user's configured `sans` font-feature-settings by default.
-6. Use the user's configured `sans` font-variation-settings by default.
-7. Disable tap highlights on iOS
-*/
-
-html,
-:host {
-  line-height: 1.5;
-  /* 1 */
-  -webkit-text-size-adjust: 100%;
-  /* 2 */
-  -moz-tab-size: 4;
-  /* 3 */
-  -o-tab-size: 4;
-     tab-size: 4;
-  /* 3 */
-  font-family: ui-sans-serif, system-ui, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
-  /* 4 */
-  font-feature-settings: normal;
-  /* 5 */
-  font-variation-settings: normal;
-  /* 6 */
-  -webkit-tap-highlight-color: transparent;
-  /* 7 */
-}
-
-/*
-1. Remove the margin in all browsers.
-2. Inherit line-height from `html` so users can set them as a class directly on the `html` element.
-*/
-
-body {
-  margin: 0;
-  /* 1 */
-  line-height: inherit;
-  /* 2 */
-}
-
-/*
-1. Add the correct height in Firefox.
-2. Correct the inheritance of border color in Firefox. (https://bugzilla.mozilla.org/show_bug.cgi?id=190655)
-3. Ensure horizontal rules are visible by default.
-*/
-
-hr {
-  height: 0;
-  /* 1 */
-  color: inherit;
-  /* 2 */
-  border-top-width: 1px;
-  /* 3 */
-}
-
-/*
-Add the correct text decoration in Chrome, Edge, and Safari.
-*/
-
-abbr:where([title]) {
-  -webkit-text-decoration: underline dotted;
-          text-decoration: underline dotted;
-}
-
-/*
-Remove the default font size and weight for headings.
-*/
-
-h1,
-h2,
-h3,
-h4,
-h5,
-h6 {
-  font-size: inherit;
-  font-weight: inherit;
-}
-
-/*
-Reset links to optimize for opt-in styling instead of opt-out.
-*/
-
-a {
-  color: inherit;
-  text-decoration: inherit;
-}
-
-/*
-Add the correct font weight in Edge and Safari.
-*/
-
-b,
-strong {
-  font-weight: bolder;
-}
-
-/*
-1. Use the user's configured `mono` font-family by default.
-2. Use the user's configured `mono` font-feature-settings by default.
-3. Use the user's configured `mono` font-variation-settings by default.
-4. Correct the odd `em` font sizing in all browsers.
-*/
-
-code,
-kbd,
-samp,
-pre {
-  font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace;
-  /* 1 */
-  font-feature-settings: normal;
-  /* 2 */
-  font-variation-settings: normal;
-  /* 3 */
-  font-size: 1em;
-  /* 4 */
-}
-
-/*
-Add the correct font size in all browsers.
-*/
-
-small {
-  font-size: 80%;
-}
-
-/*
-Prevent `sub` and `sup` elements from affecting the line height in all browsers.
-*/
-
-sub,
-sup {
-  font-size: 75%;
-  line-height: 0;
-  position: relative;
-  vertical-align: baseline;
-}
-
-sub {
-  bottom: -0.25em;
-}
-
-sup {
-  top: -0.5em;
-}
-
-/*
-1. Remove text indentation from table contents in Chrome and Safari. (https://bugs.chromium.org/p/chromium/issues/detail?id=999088, https://bugs.webkit.org/show_bug.cgi?id=201297)
-2. Correct table border color inheritance in all Chrome and Safari. (https://bugs.chromium.org/p/chromium/issues/detail?id=935729, https://bugs.webkit.org/show_bug.cgi?id=195016)
-3. Remove gaps between table borders by default.
-*/
-
-table {
-  text-indent: 0;
-  /* 1 */
-  border-color: inherit;
-  /* 2 */
-  border-collapse: collapse;
-  /* 3 */
-}
-
-/*
-1. Change the font styles in all browsers.
-2. Remove the margin in Firefox and Safari.
-3. Remove default padding in all browsers.
-*/
-
-button,
-input,
-optgroup,
-select,
-textarea {
-  font-family: inherit;
-  /* 1 */
-  font-feature-settings: inherit;
-  /* 1 */
-  font-variation-settings: inherit;
-  /* 1 */
-  font-size: 100%;
-  /* 1 */
-  font-weight: inherit;
-  /* 1 */
-  line-height: inherit;
-  /* 1 */
-  letter-spacing: inherit;
-  /* 1 */
-  color: inherit;
-  /* 1 */
-  margin: 0;
-  /* 2 */
-  padding: 0;
-  /* 3 */
-}
-
-/*
-Remove the inheritance of text transform in Edge and Firefox.
-*/
-
-button,
-select {
-  text-transform: none;
-}
-
-/*
-1. Correct the inability to style clickable types in iOS and Safari.
-2. Remove default button styles.
-*/
-
-button,
-input:where([type='button']),
-input:where([type='reset']),
-input:where([type='submit']) {
-  -webkit-appearance: button;
-  /* 1 */
-  background-color: transparent;
-  /* 2 */
-  background-image: none;
-  /* 2 */
-}
-
-/*
-Use the modern Firefox focus style for all focusable elements.
-*/
-
-:-moz-focusring {
-  outline: auto;
-}
-
-/*
-Remove the additional `:invalid` styles in Firefox. (https://github.com/mozilla/gecko-dev/blob/2f9eacd9d3d995c937b4251a5557d95d494c9be1/layout/style/res/forms.css#L728-L737)
-*/
-
-:-moz-ui-invalid {
-  box-shadow: none;
-}
-
-/*
-Add the correct vertical alignment in Chrome and Firefox.
-*/
-
-progress {
-  vertical-align: baseline;
-}
-
-/*
-Correct the cursor style of increment and decrement buttons in Safari.
-*/
-
-::-webkit-inner-spin-button,
-::-webkit-outer-spin-button {
-  height: auto;
-}
-
-/*
-1. Correct the odd appearance in Chrome and Safari.
-2. Correct the outline style in Safari.
-*/
-
-[type='search'] {
-  -webkit-appearance: textfield;
-  /* 1 */
-  outline-offset: -2px;
-  /* 2 */
-}
-
-/*
-Remove the inner padding in Chrome and Safari on macOS.
-*/
-
-::-webkit-search-decoration {
-  -webkit-appearance: none;
-}
-
-/*
-1. Correct the inability to style clickable types in iOS and Safari.
-2. Change font properties to `inherit` in Safari.
-*/
-
-::-webkit-file-upload-button {
-  -webkit-appearance: button;
-  /* 1 */
-  font: inherit;
-  /* 2 */
-}
-
-/*
-Add the correct display in Chrome and Safari.
-*/
-
-summary {
-  display: list-item;
-}
-
-/*
-Removes the default spacing and border for appropriate elements.
-*/
-
-blockquote,
-dl,
-dd,
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-hr,
-figure,
-p,
-pre {
-  margin: 0;
-}
-
-fieldset {
-  margin: 0;
-  padding: 0;
-}
-
-legend {
-  padding: 0;
-}
-
-ol,
-ul,
-menu {
-  list-style: none;
-  margin: 0;
-  padding: 0;
-}
-
-/*
-Reset default styling for dialogs.
-*/
-
-dialog {
-  padding: 0;
-}
-
-/*
-Prevent resizing textareas horizontally by default.
-*/
-
-textarea {
-  resize: vertical;
-}
-
-/*
-1. Reset the default placeholder opacity in Firefox. (https://github.com/tailwindlabs/tailwindcss/issues/3300)
-2. Set the default placeholder color to the user's configured gray 400 color.
-*/
-
-input::-moz-placeholder, textarea::-moz-placeholder {
-  opacity: 1;
-  /* 1 */
-  color: #9ca3af;
-  /* 2 */
-}
-
-input::placeholder,
-textarea::placeholder {
-  opacity: 1;
-  /* 1 */
-  color: #9ca3af;
-  /* 2 */
-}
-
-/*
-Set the default cursor for buttons.
-*/
-
-button,
-[role="button"] {
-  cursor: pointer;
-}
-
-/*
-Make sure disabled buttons don't get the pointer cursor.
-*/
-
-:disabled {
-  cursor: default;
-}
-
-/*
-1. Make replaced elements `display: block` by default. (https://github.com/mozdevs/cssremedy/issues/14)
-2. Add `vertical-align: middle` to align replaced elements more sensibly by default. (https://github.com/jensimmons/cssremedy/issues/14#issuecomment-634934210)
-   This can trigger a poorly considered lint error in some tools but is included by design.
-*/
-
-img,
-svg,
-video,
-canvas,
-audio,
-iframe,
-embed,
-object {
-  display: block;
-  /* 1 */
-  vertical-align: middle;
-  /* 2 */
-}
-
-/*
-Constrain images and videos to the parent width and preserve their intrinsic aspect ratio. (https://github.com/mozdevs/cssremedy/issues/14)
-*/
-
-img,
-video {
-  max-width: 100%;
-  height: auto;
-}
-
-/* Make elements with the HTML hidden attribute stay hidden by default */
-
-[hidden]:where(:not([hidden="until-found"])) {
-  display: none;
-}
-
-.static {
-  position: static;
-}
-
-.absolute {
-  position: absolute;
-}
-
-.relative {
-  position: relative;
-}
-
-.right-2 {
-  right: 0.5rem;
-}
-
-.right-6 {
-  right: 1.5rem;
-}
-
-.top-1\/2 {
-  top: 50%;
-}
-
-.top-4 {
-  top: 1rem;
-}
-
-.z-10 {
-  z-index: 10;
-}
-
-.mb-2 {
-  margin-bottom: 0.5rem;
-}
-
-.mb-4 {
-  margin-bottom: 1rem;
-}
-
-.mb-6 {
-  margin-bottom: 1.5rem;
-}
-
-.mb-8 {
-  margin-bottom: 2rem;
-}
-
-.ml-2 {
-  margin-left: 0.5rem;
-}
-
-.flex {
-  display: flex;
-}
-
-.hidden {
-  display: none;
-}
-
-.h-16 {
-  height: 4rem;
-}
-
-.h-24 {
-  height: 6rem;
-}
-
-.h-4 {
-  height: 1rem;
-}
-
-.h-5 {
-  height: 1.25rem;
-}
-
-.h-6 {
-  height: 1.5rem;
-}
-
-.min-h-screen {
-  min-height: 100vh;
-}
-
-.w-16 {
-  width: 4rem;
-}
-
-.w-20 {
-  width: 5rem;
-}
-
-.w-24 {
-  width: 6rem;
-}
-
-.w-4 {
-  width: 1rem;
-}
-
-.w-48 {
-  width: 12rem;
-}
-
-.w-5 {
-  width: 1.25rem;
-}
-
-.w-6 {
-  width: 1.5rem;
-}
-
-.w-full {
-  width: 100%;
-}
-
-.flex-1 {
-  flex: 1 1 0%;
-}
-
-.-translate-y-1\/2 {
-  --tw-translate-y: -50%;
-  transform: translate(var(--tw-translate-x), var(--tw-translate-y)) rotate(var(--tw-rotate)) skewX(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y));
-}
-
-.transform {
-  transform: translate(var(--tw-translate-x), var(--tw-translate-y)) rotate(var(--tw-rotate)) skewX(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y));
-}
-
-@keyframes spin {
-  to {
-    transform: rotate(360deg);
-  }
-}
-
-.animate-spin {
-  animation: spin 1s linear infinite;
-}
-
-.flex-col {
-  flex-direction: column;
-}
-
-.items-center {
-  align-items: center;
-}
-
-.justify-center {
-  justify-content: center;
-}
-
-.space-x-2 > :not([hidden]) ~ :not([hidden]) {
-  --tw-space-x-reverse: 0;
-  margin-right: calc(0.5rem * var(--tw-space-x-reverse));
-  margin-left: calc(0.5rem * calc(1 - var(--tw-space-x-reverse)));
-}
-
-.space-x-4 > :not([hidden]) ~ :not([hidden]) {
-  --tw-space-x-reverse: 0;
-  margin-right: calc(1rem * var(--tw-space-x-reverse));
-  margin-left: calc(1rem * calc(1 - var(--tw-space-x-reverse)));
-}
-
-.space-x-8 > :not([hidden]) ~ :not([hidden]) {
-  --tw-space-x-reverse: 0;
-  margin-right: calc(2rem * var(--tw-space-x-reverse));
-  margin-left: calc(2rem * calc(1 - var(--tw-space-x-reverse)));
-}
-
-.space-y-4 > :not([hidden]) ~ :not([hidden]) {
-  --tw-space-y-reverse: 0;
-  margin-top: calc(1rem * calc(1 - var(--tw-space-y-reverse)));
-  margin-bottom: calc(1rem * var(--tw-space-y-reverse));
-}
-
-.space-y-6 > :not([hidden]) ~ :not([hidden]) {
-  --tw-space-y-reverse: 0;
-  margin-top: calc(1.5rem * calc(1 - var(--tw-space-y-reverse)));
-  margin-bottom: calc(1.5rem * var(--tw-space-y-reverse));
-}
-
-.rounded {
-  border-radius: 0.25rem;
-}
-
-.rounded-full {
-  border-radius: 9999px;
-}
-
-.rounded-lg {
-  border-radius: 0.5rem;
-}
-
-.rounded-md {
-  border-radius: 0.375rem;
-}
-
-.border {
-  border-width: 1px;
-}
-
-.border-b {
-  border-bottom-width: 1px;
-}
-
-.border-b-2 {
-  border-bottom-width: 2px;
-}
-
-.border-black {
-  --tw-border-opacity: 1;
-  border-color: rgb(0 0 0 / var(--tw-border-opacity, 1));
-}
-
-.border-gray-200 {
-  --tw-border-opacity: 1;
-  border-color: rgb(229 231 235 / var(--tw-border-opacity, 1));
-}
-
-.bg-\[\#111827\] {
-  --tw-bg-opacity: 1;
-  background-color: rgb(17 24 39 / var(--tw-bg-opacity, 1));
-}
-
-.bg-gray-100 {
-  --tw-bg-opacity: 1;
-  background-color: rgb(243 244 246 / var(--tw-bg-opacity, 1));
-}
-
-.bg-gray-900 {
-  --tw-bg-opacity: 1;
-  background-color: rgb(17 24 39 / var(--tw-bg-opacity, 1));
-}
-
-.bg-red-500 {
-  --tw-bg-opacity: 1;
-  background-color: rgb(239 68 68 / var(--tw-bg-opacity, 1));
-}
-
-.bg-white {
-  --tw-bg-opacity: 1;
-  background-color: rgb(255 255 255 / var(--tw-bg-opacity, 1));
-}
-
-.p-2 {
-  padding: 0.5rem;
-}
-
-.p-4 {
-  padding: 1rem;
-}
-
-.p-8 {
-  padding: 2rem;
-}
-
-.px-1 {
-  padding-left: 0.25rem;
-  padding-right: 0.25rem;
-}
-
-.px-3 {
-  padding-left: 0.75rem;
-  padding-right: 0.75rem;
-}
-
-.px-4 {
-  padding-left: 1rem;
-  padding-right: 1rem;
-}
-
-.py-0\.5 {
-  padding-top: 0.125rem;
-  padding-bottom: 0.125rem;
-}
-
-.py-2 {
-  padding-top: 0.5rem;
-  padding-bottom: 0.5rem;
-}
-
-.py-4 {
-  padding-top: 1rem;
-  padding-bottom: 1rem;
-}
-
-.py-6 {
-  padding-top: 1.5rem;
-  padding-bottom: 1.5rem;
-}
-
-.pr-10 {
-  padding-right: 2.5rem;
-}
-
-.text-2xl {
-  font-size: 1.5rem;
-  line-height: 2rem;
-}
-
-.text-base {
-  font-size: 1rem;
-  line-height: 1.5rem;
-}
-
-.text-sm {
-  font-size: 0.875rem;
-  line-height: 1.25rem;
-}
-
-.font-medium {
-  font-weight: 500;
-}
-
-.font-semibold {
-  font-weight: 600;
-}
-
-.text-blue-500 {
-  --tw-text-opacity: 1;
-  color: rgb(59 130 246 / var(--tw-text-opacity, 1));
-}
-
-.text-blue-600 {
-  --tw-text-opacity: 1;
-  color: rgb(37 99 235 / var(--tw-text-opacity, 1));
-}
-
-.text-gray-400 {
-  --tw-text-opacity: 1;
-  color: rgb(156 163 175 / var(--tw-text-opacity, 1));
-}
-
-.text-gray-500 {
-  --tw-text-opacity: 1;
-  color: rgb(107 114 128 / var(--tw-text-opacity, 1));
-}
-
-.text-gray-600 {
-  --tw-text-opacity: 1;
-  color: rgb(75 85 99 / var(--tw-text-opacity, 1));
-}
-
-.text-white {
-  --tw-text-opacity: 1;
-  color: rgb(255 255 255 / var(--tw-text-opacity, 1));
-}
-
-.opacity-25 {
-  opacity: 0.25;
-}
-
-.opacity-75 {
-  opacity: 0.75;
-}
-
-.filter {
-  filter: var(--tw-blur) var(--tw-brightness) var(--tw-contrast) var(--tw-grayscale) var(--tw-hue-rotate) var(--tw-invert) var(--tw-saturate) var(--tw-sepia) var(--tw-drop-shadow);
-}
-
-.hover\:bg-\[\#1f2937\]:hover {
-  --tw-bg-opacity: 1;
-  background-color: rgb(31 41 55 / var(--tw-bg-opacity, 1));
-}
-
-.hover\:bg-gray-100:hover {
-  --tw-bg-opacity: 1;
-  background-color: rgb(243 244 246 / var(--tw-bg-opacity, 1));
-}
-
-.hover\:bg-red-600:hover {
-  --tw-bg-opacity: 1;
-  background-color: rgb(220 38 38 / var(--tw-bg-opacity, 1));
-}
-
-.hover\:text-gray-700:hover {
-  --tw-text-opacity: 1;
-  color: rgb(55 65 81 / var(--tw-text-opacity, 1));
-}
-
-.hover\:text-gray-900:hover {
-  --tw-text-opacity: 1;
-  color: rgb(17 24 39 / var(--tw-text-opacity, 1));
-}
-
-.focus\:outline-none:focus {
-  outline: 2px solid transparent;
-  outline-offset: 2px;
-}
-
-.focus\:ring-2:focus {
-  --tw-ring-offset-shadow: var(--tw-ring-inset) 0 0 0 var(--tw-ring-offset-width) var(--tw-ring-offset-color);
-  --tw-ring-shadow: var(--tw-ring-inset) 0 0 0 calc(2px + var(--tw-ring-offset-width)) var(--tw-ring-color);
-  box-shadow: var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow, 0 0 #0000);
-}
-
-.focus\:ring-blue-500:focus {
-  --tw-ring-opacity: 1;
-  --tw-ring-color: rgb(59 130 246 / var(--tw-ring-opacity, 1));
-}
--- a/cli/rustfs-gui/embedded-rustfs/README.md
+++ b/cli/rustfs-gui/embedded-rustfs/README.md
@@ -1 +0,0 @@
-rustfs bin path, do not delete
--- a/cli/rustfs-gui/input.css
+++ b/cli/rustfs-gui/input.css
@@ -1,19 +0,0 @@
-/**
- * Copyright 2024 RustFS Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-@tailwind base;
-@tailwind components;
-@tailwind utilities;
--- a/cli/rustfs-gui/src/components/home.rs
+++ b/cli/rustfs-gui/src/components/home.rs
@@ -1,330 +0,0 @@
-// Copyright 2024 RustFS Team
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-use crate::components::navbar::LoadingSpinner;
-use crate::route::Route;
-use crate::utils::{RustFSConfig, ServiceManager};
-use chrono::Datelike;
-use dioxus::logger::tracing::debug;
-use dioxus::prelude::*;
-use std::time::Duration;
-
-const HEADER_LOGO: Asset = asset!("/assets/rustfs-logo.svg");
-const TAILWIND_CSS: Asset = asset!("/assets/tailwind.css");
-
-/// Define the state of the service
-#[derive(PartialEq, Debug, Clone)]
-enum ServiceState {
-    Start,
-    Stop,
-}
-
-/// Define the Home component
-/// The Home component is the main component of the application
-/// It is responsible for starting and stopping the service
-/// It also displays the service status and provides a button to toggle the service
-/// The Home component also displays the footer of the application
-/// The footer contains links to the official site, documentation, GitHub, and license
-/// The footer also displays the version of the application
-/// The Home component also contains a button to change the theme of the application
-/// The Home component also contains a button to go to the settings page
-#[component]
-pub fn Home() -> Element {
-    #[allow(clippy::redundant_closure)]
-    let service = use_signal(|| ServiceManager::new());
-    let conf = RustFSConfig::load().unwrap_or_else(|e| {
-        ServiceManager::show_error(&format!("load config failed: {e}"));
-        RustFSConfig::default()
-    });
-
-    debug!("loaded configurations: {:?}", conf);
-    let config = use_signal(|| conf.clone());
-
-    use dioxus_router::prelude::Link;
-    use document::{Meta, Stylesheet, Title};
-    let mut service_state = use_signal(|| ServiceState::Start);
-    // Create a periodic check on the effect of the service status
-    use_effect(move || {
-        spawn(async move {
-            loop {
-                if let Some(pid) = ServiceManager::check_service_status().await {
-                    debug!("service_running true pid: {:?}", pid);
-                    service_state.set(ServiceState::Stop);
-                } else {
-                    debug!("service_running true pid: 0");
-                    service_state.set(ServiceState::Start);
-                }
-                tokio::time::sleep(Duration::from_secs(2)).await;
-            }
-        });
-    });
-    debug!("project start service_state: {:?}", service_state.read());
-    // Use 'use_signal' to manage service status
-    let mut loading = use_signal(|| false);
-    let mut start_service = move |_| {
-        let service = service;
-        let config = config.read().clone();
-        let mut service_state = service_state;
-        // set the loading status
-        loading.set(true);
-        debug!("stop loading_state: {:?}", loading.read());
-        spawn(async move {
-            match service.read().start(config).await {
-                Ok(result) => {
-                    if result.success {
-                        let duration = result.end_time - result.start_time;
-                        debug!("The service starts successfully and takes a long time:{}ms", duration.num_milliseconds());
-                        service_state.set(ServiceState::Stop);
-                    } else {
-                        ServiceManager::show_error(&result.message);
-                        service_state.set(ServiceState::Start);
-                    }
-                }
-                Err(e) => {
-                    ServiceManager::show_error(&format!("start service failed: {e}"));
-                }
-            }
-            // Only set loading to false when it's actually done
-            loading.set(false);
-            debug!("start loading_state: {:?}", loading.read());
-        });
-    };
-
-    let mut stop_service = move |_| {
-        let service = service;
-        let mut service_state = service_state;
-        // set the loading status
-        loading.set(true);
-        spawn(async move {
-            match service.read().stop().await {
-                Ok(result) => {
-                    if result.success {
-                        let duration = result.end_time - result.start_time;
-                        debug!("The service stops successfully and takes a long time:{}ms", duration.num_milliseconds());
-                        service_state.set(ServiceState::Start);
-                    } else {
-                        ServiceManager::show_error(&result.message);
-                    }
-                }
-                Err(e) => {
-                    ServiceManager::show_error(&format!("stop service failed: {e}"));
-                }
-            }
-            debug!("service_state: {:?}", service_state.read());
-            // Only set loading to false when it's actually done
-            loading.set(false);
-            debug!("stop loading_state: {:?}", loading.read());
-        });
-    };
-
-    // Toggle the state when the button is clicked
-    let toggle_service = {
-        let mut service_state = service_state;
-        debug!("toggle_service service_state: {:?}", service_state.read());
-        move |_| {
-            if service_state.read().eq(&ServiceState::Stop) {
-                // If the service status is started, you need to run a command to stop the service
-                stop_service(());
-                service_state.set(ServiceState::Start);
-            } else {
-                start_service(());
-                service_state.set(ServiceState::Stop);
-            }
-        }
-    };
-
-    // Define dynamic styles based on state
-    let button_class = if service_state.read().eq(&ServiceState::Start) {
-        "bg-[#111827] hover:bg-[#1f2937] text-white px-4 py-2 rounded-md flex items-center space-x-2"
-    } else {
-        "bg-red-500 hover:bg-red-600 text-white px-4 py-2 rounded-md flex items-center space-x-2"
-    };
-
-    rsx! {
-        // The Stylesheet component inserts a style link into the head of the document
-        Stylesheet {href: TAILWIND_CSS,}
-        Title { "RustFS APP" }
-        Meta {
-            name: "description",
-            // TODO: translate to english
-            content: "RustFS RustFS 用热门安全的 Rust 语言开发，兼容 S3 协议。适用于 AI/ML 及海量数据存储、大数据、互联网、工业和保密存储等全部场景。近乎免费使用。遵循 Apache 2 协议，支持国产保密设备和系统。",
-        }
-        div { class: "min-h-screen flex flex-col items-center bg-white",
-            div { class: "absolute top-4 right-6 flex space-x-2",
-                // change theme
-                button { class: "p-2 hover:bg-gray-100 rounded-lg", ChangeThemeButton {} }
-                // setting button
-                Link {
-                    class: "p-2 hover:bg-gray-100 rounded-lg",
-                    to: Route::SettingViews {},
-                    SettingButton {}
-                }
-            }
-            main { class: "flex-1 flex flex-col items-center justify-center space-y-6 p-4",
-                div { class: "w-24 h-24 bg-gray-900 rounded-full flex items-center justify-center",
-                    img { alt: "Logo", class: "w-16 h-16", src: HEADER_LOGO }
-                }
-                div { class: "text-gray-600",
-                    "Service is running on "
-                    span { class: "text-blue-600", " 127.0.0.1:9000 " }
-                }
-                LoadingSpinner {
-                    loading: loading.read().to_owned(),
-                    text: "processing...",
-                }
-                button { class: button_class, onclick: toggle_service,
-                    svg {
-                        class: "h-4 w-4",
-                        fill: "none",
-                        stroke: "currentColor",
-                        view_box: "0 0 24 24",
-                        xmlns: "http://www.w3.org/2000/svg",
-                        if service_state.read().eq(&ServiceState::Start) {
-                            path {
-                                d: "M14.752 11.168l-3.197-2.132A1 1 0 0010 9.87v4.263a1 1 0 001.555.832l3.197-2.132a1 1 0 000-1.664z",
-                                stroke_linecap: "round",
-                                stroke_linejoin: "round",
-                                stroke_width: "2",
-                            }
-                            path {
-                                d: "M21 12a9 9 0 11-18 0 9 9 0 0118 0z",
-                                stroke_linecap: "round",
-                                stroke_linejoin: "round",
-                                stroke_width: "2",
-                            }
-                        } else {
-                            path {
-                                stroke_linecap: "round",
-                                stroke_linejoin: "round",
-                                stroke_width: "2",
-                                d: "M21 12a9 9 0 11-18 0 9 9 0 0118 0z",
-                            }
-                            path {
-                                stroke_linecap: "round",
-                                stroke_linejoin: "round",
-                                stroke_width: "2",
-                                d: "M9 10h6v4H9z",
-                            }
-                        }
-                    }
-                    span { id: "serviceStatus",
-                        if service_state.read().eq(&ServiceState::Start) {
-                            "Start service"
-                        } else {
-                            "Stop service"
-                        }
-                    }
-                }
-            }
-            Footer { version: "v1.0.0".to_string() }
-        }
-    }
-}
-
-#[component]
-pub fn Footer(version: String) -> Element {
-    let now = chrono::Local::now();
-    let year = now.naive_local().year();
-    rsx! {
-        footer { class: "w-full py-6 flex flex-col items-center space-y-4 mb-6",
-            nav { class: "flex space-x-4 text-gray-600",
-                a { class: "hover:text-gray-900", href: "https://rustfs.com", "Official Site" }
-                a {
-                    class: "hover:text-gray-900",
-                    href: "https://rustfs.com/docs",
-                    "Documentation"
-                }
-                a {
-                    class: "hover:text-gray-900",
-                    href: "https://github.com/rustfs/rustfs",
-                    "GitHub"
-                }
-                a {
-                    class: "hover:text-gray-900",
-                    href: "https://rustfs.com/docs/license/",
-                    "License"
-                }
-                a { class: "hover:text-gray-900", href: "#", "Sponsors" }
-            }
-            div { class: "text-gray-500 text-sm", " © rustfs.com {year}, All rights reserved." }
-            div { class: "text-gray-400 text-sm mb-8", " version {version} " }
-        }
-    }
-}
-
-#[component]
-pub fn GoBackButtons() -> Element {
-    rsx! {
-        button {
-            class: "p-2 hover:bg-gray-100 rounded-lg",
-            "onclick": "window.history.back()",
-            "Back to the Past"
-        }
-    }
-}
-
-#[component]
-pub fn GoForwardButtons() -> Element {
-    rsx! {
-        button {
-            class: "p-2 hover:bg-gray-100 rounded-lg",
-            "onclick": "window.history.forward()",
-            "Back to the Future"
-        }
-    }
-}
-
-#[component]
-pub fn ChangeThemeButton() -> Element {
-    rsx! {
-        svg {
-            class: "h-6 w-6 text-gray-600",
-            fill: "none",
-            stroke: "currentColor",
-            view_box: "0 0 24 24",
-            xmlns: "http://www.w3.org/2000/svg",
-            path {
-                d: "M9 3v2m6-2v2M9 19v2m6-2v2M5 9H3m2 6H3m18-6h-2m2 6h-2M7 19h10a2 2 0 002-2V7a2 2 0 00-2-2H7a2 2 0 00-2 2v10a2 2 0 002 2zM9 9h6v6H9V9z",
-                stroke_linecap: "round",
-                stroke_linejoin: "round",
-                stroke_width: "2",
-            }
-        }
-    }
-}
-
-#[component]
-pub fn SettingButton() -> Element {
-    rsx! {
-        svg {
-            class: "h-6 w-6 text-gray-600",
-            fill: "none",
-            stroke: "currentColor",
-            view_box: "0 0 24 24",
-            xmlns: "http://www.w3.org/2000/svg",
-            path {
-                d: "M10.325 4.317c.426-1.756 2.924-1.756 3.35 0a1.724 1.724 0 002.573 1.066c1.543-.94 3.31.826 2.37 2.37a1.724 1.724 0 001.065 2.572c1.756.426 1.756 2.924 0 3.35a1.724 1.724 0 00-1.066 2.573c.94 1.543-.826 3.31-2.37 2.37a1.724 1.724 0 00-2.572 1.065c-.426 1.756-2.924 1.756-3.35 0a1.724 1.724 0 00-2.573-1.066c-1.543.94-3.31-.826-2.37-2.37a1.724 1.724 0 00-1.065-2.572c-1.756-.426-1.756-2.924 0-3.35a1.724 1.724 0 001.066-2.573c-.94-1.543.826-3.31 2.37-2.37.996.608 2.296.07 2.572-1.065z",
-                stroke_linecap: "round",
-                stroke_linejoin: "round",
-                stroke_width: "2",
-            }
-            path {
-                d: "M15 12a3 3 0 11-6 0 3 3 0 016 0z",
-                stroke_linecap: "round",
-                stroke_linejoin: "round",
-                stroke_width: "2",
-            }
-        }
-    }
-}
--- a/cli/rustfs-gui/src/components/mod.rs
+++ b/cli/rustfs-gui/src/components/mod.rs
@@ -1,20 +0,0 @@
-// Copyright 2024 RustFS Team
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-mod home;
-pub use home::Home;
-mod navbar;
-pub use navbar::Navbar;
-mod setting;
-pub use setting::Setting;
--- a/cli/rustfs-gui/src/components/navbar.rs
+++ b/cli/rustfs-gui/src/components/navbar.rs
@@ -1,74 +0,0 @@
-// Copyright 2024 RustFS Team
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-use crate::route::Route;
-use dioxus::logger::tracing::debug;
-use dioxus::prelude::*;
-
-const NAVBAR_CSS: Asset = asset!("/assets/styling/navbar.css");
-
-#[component]
-pub fn Navbar() -> Element {
-    rsx! {
-        document::Link { rel: "stylesheet", href: NAVBAR_CSS }
-
-        div { id: "navbar", class: "hidden", style: "display: none;",
-            Link { to: Route::HomeViews {}, "Home" }
-            Link { to: Route::SettingViews {}, "Setting" }
-        }
-
-        Outlet::<Route> {}
-    }
-}
-
-#[derive(Props, PartialEq, Debug, Clone)]
-pub struct LoadingSpinnerProps {
-    #[props(default = true)]
-    loading: bool,
-    #[props(default = "正在处理中...")]
-    text: &'static str,
-}
-
-#[component]
-pub fn LoadingSpinner(props: LoadingSpinnerProps) -> Element {
-    debug!("loading: {}", props.loading);
-    if !props.loading {
-        debug!("LoadingSpinner false loading: {}", props.loading);
-        return rsx! {};
-    }
-    rsx! {
-        div { class: "flex items-center justify-center z-10",
-            svg {
-                class: "animate-spin h-5 w-5 text-blue-500",
-                xmlns: "http://www.w3.org/2000/svg",
-                fill: "none",
-                view_box: "0 0 24 24",
-                circle {
-                    class: "opacity-25",
-                    cx: "12",
-                    cy: "12",
-                    r: "10",
-                    stroke: "currentColor",
-                    stroke_width: "4",
-                }
-                path {
-                    class: "opacity-75",
-                    fill: "currentColor",
-                    d: "M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z",
-                }
-            }
-            span { class: "ml-2 text-gray-600", "{props.text}" }
-        }
-    }
-}
--- a/cli/rustfs-gui/src/components/setting.rs
+++ b/cli/rustfs-gui/src/components/setting.rs
@@ -1,216 +0,0 @@
-// Copyright 2024 RustFS Team
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-use crate::components::navbar::LoadingSpinner;
-use dioxus::logger::tracing::{debug, error};
-use dioxus::prelude::*;
-
-const SETTINGS_JS: Asset = asset!("/assets/js/sts.js");
-const TAILWIND_CSS: Asset = asset!("/assets/tailwind.css");
-#[component]
-pub fn Setting() -> Element {
-    use crate::utils::{RustFSConfig, ServiceManager};
-    use document::{Meta, Script, Stylesheet, Title};
-
-    #[allow(clippy::redundant_closure)]
-    let service = use_signal(|| ServiceManager::new());
-    let conf = RustFSConfig::load().unwrap_or_else(|e| {
-        error!("load config error: {}", e);
-        RustFSConfig::default_config()
-    });
-    debug!("conf address: {:?}", conf.clone().address);
-
-    let config = use_signal(|| conf.clone());
-    let address_state = use_signal(|| conf.address.to_string());
-    let mut host_state = use_signal(|| conf.host.to_string());
-    let mut port_state = use_signal(|| conf.port.to_string());
-    let mut access_key_state = use_signal(|| conf.access_key.to_string());
-    let mut secret_key_state = use_signal(|| conf.secret_key.to_string());
-    let mut volume_name_state = use_signal(|| conf.volume_name.to_string());
-    let loading = use_signal(|| false);
-
-    let save_and_restart = {
-        let host_state = host_state;
-        let port_state = port_state;
-        let access_key_state = access_key_state;
-        let secret_key_state = secret_key_state;
-        let volume_name_state = volume_name_state;
-        let mut loading = loading;
-        debug!("save_and_restart access_key:{}", access_key_state.read());
-        move |_| {
-            // set the loading status
-            loading.set(true);
-            let mut config = config;
-            config.write().address = format!("{}:{}", host_state.read(), port_state.read());
-            config.write().host = host_state.read().to_string();
-            config.write().port = port_state.read().to_string();
-            config.write().access_key = access_key_state.read().to_string();
-            config.write().secret_key = secret_key_state.read().to_string();
-            config.write().volume_name = volume_name_state.read().to_string();
-            // restart service
-            let service = service;
-            let config = config.read().clone();
-            spawn(async move {
-                if let Err(e) = service.read().restart(config).await {
-                    ServiceManager::show_error(&format!("发送重启命令失败：{e}"));
-                }
-                // reset the status when you're done
-                loading.set(false);
-            });
-        }
-    };
-
-    rsx! {
-        Title { "Settings - RustFS App" }
-        Meta { name: "description", content: "Settings - RustFS App." }
-        // The Stylesheet component inserts a style link into the head of the document
-        Stylesheet { href: TAILWIND_CSS }
-        Script { src: SETTINGS_JS }
-        div { class: "bg-white p-8",
-            h1 { class: "text-2xl font-semibold mb-6", "Settings" }
-            div { class: "border-b border-gray-200 mb-6",
-                nav { class: "flex space-x-8",
-                    button {
-                        class: "tab-btn px-1 py-4 text-sm font-medium border-b-2 border-black",
-                        "data-tab": "service",
-                        "onclick": "switchTab('service')",
-                        "Service "
-                    }
-                    button {
-                        class: "tab-btn px-1 py-4 text-sm font-medium text-gray-500 hover:text-gray-700",
-                        "data-tab": "user",
-                        "onclick": "switchTab('user')",
-                        "User "
-                    }
-                    button {
-                        class: "tab-btn px-1 py-4 text-sm font-medium text-gray-500 hover:text-gray-700 hidden",
-                        "data-tab": "logs",
-                        "onclick": "switchTab('logs')",
-                        "Logs "
-                    }
-                }
-            }
-            div { id: "tabContent",
-                div { class: "tab-content", id: "service",
-                    div { class: "mb-8",
-                        h2 { class: "text-base font-medium mb-2", "Service address" }
-                        p { class: "text-gray-600 mb-4",
-                            " The service address is the IP address and port number of the service. the default address is "
-                            code { class: "bg-gray-100 px-1 py-0.5 rounded", {address_state} }
-                            ". "
-                        }
-                        div { class: "flex space-x-2",
-                            input {
-                                class: "border rounded px-3 py-2 w-48 focus:outline-none focus:ring-2 focus:ring-blue-500",
-                                r#type: "text",
-                                value: host_state,
-                                oninput: move |evt| host_state.set(evt.value().clone()),
-                            }
-                            span { class: "flex items-center", ":" }
-                            input {
-                                class: "border rounded px-3 py-2 w-20 focus:outline-none focus:ring-2 focus:ring-blue-500",
-                                r#type: "text",
-                                value: port_state,
-                                oninput: move |evt| port_state.set(evt.value().clone()),
-                            }
-                        }
-                    }
-                    div { class: "mb-8",
-                        h2 { class: "text-base font-medium mb-2", "Storage path" }
-                        p { class: "text-gray-600 mb-4",
-                            "Update the storage path of the service. the default path is {volume_name_state}."
-                        }
-                        input {
-                            class: "border rounded px-3 py-2 w-full focus:outline-none focus:ring-2 focus:ring-blue-500",
-                            r#type: "text",
-                            value: volume_name_state,
-                            oninput: move |evt| volume_name_state.set(evt.value().clone()),
-                        }
-                    }
-                }
-                div { class: "tab-content hidden", id: "user",
-                    div { class: "mb-8",
-                        h2 { class: "text-base font-medium mb-2", "User" }
-                        p { class: "text-gray-600 mb-4",
-                            "The user is the owner of the service. the default user is "
-                            code { class: "bg-gray-100 px-1 py-0.5 rounded", {access_key_state} }
-                        }
-                        input {
-                            class: "border rounded px-3 py-2 w-full focus:outline-none focus:ring-2 focus:ring-blue-500",
-                            r#type: "text",
-                            value: access_key_state,
-                            oninput: move |evt| access_key_state.set(evt.value().clone()),
-                        }
-                    }
-                    div { class: "mb-8",
-                        h2 { class: "text-base font-medium mb-2", "Password" }
-                        p { class: "text-gray-600 mb-4",
-                            "The password is the password of the user. the default password is "
-                            code { class: "bg-gray-100 px-1 py-0.5 rounded", {secret_key_state} }
-                        }
-                        div { class: "relative",
-                            input {
-                                class: "border rounded px-3 py-2 w-full pr-10 focus:outline-none focus:ring-2 focus:ring-blue-500",
-                                r#type: "password",
-                                value: secret_key_state,
-                                oninput: move |evt| secret_key_state.set(evt.value().clone()),
-                            }
-                            button {
-                                class: "absolute right-2 top-1/2 transform -translate-y-1/2 text-gray-500 hover:text-gray-700",
-                                "onclick": "togglePassword(this)",
-                                svg {
-                                    class: "h-5 w-5",
-                                    fill: "currentColor",
-                                    view_box: "0 0 20 20",
-                                    xmlns: "http://www.w3.org/2000/svg",
-                                    path { d: "M10 12a2 2 0 100-4 2 2 0 000 4z" }
-                                    path {
-                                        clip_rule: "evenodd",
-                                        d: "M.458 10C1.732 5.943 5.522 3 10 3s8.268 2.943 9.542 7c-1.274 4.057-5.064 7-9.542 7S1.732 14.057.458 10zM14 10a4 4 0 11-8 0 4 4 0 018 0z",
-                                        fill_rule: "evenodd",
-                                    }
-                                }
-                            }
-                        }
-                    }
-                }
-                div { class: "tab-content hidden", id: "logs",
-                    div { class: "mb-8",
-                        h2 { class: "text-base font-medium mb-2", "Logs storage path" }
-                        p { class: "text-gray-600 mb-4",
-                            "The logs storage path is the path where the logs are stored. the default path is /var/log/rustfs. "
-                        }
-                        input {
-                            class: "border rounded px-3 py-2 w-full focus:outline-none focus:ring-2 focus:ring-blue-500",
-                            r#type: "text",
-                            value: "/var/logs/rustfs",
-                        }
-                    }
-                }
-            }
-            div { class: "flex space-x-4",
-                button {
-                    class: "bg-[#111827] text-white px-4 py-2 rounded hover:bg-[#1f2937]",
-                    onclick: save_and_restart,
-                    " Save and restart "
-                }
-                GoBackButton { "Back" }
-            }
-            LoadingSpinner {
-                loading: loading.read().to_owned(),
-                text: "服务处理中...",
-            }
-        }
-    }
-}
--- a/cli/rustfs-gui/src/utils/config.rs
+++ b/cli/rustfs-gui/src/utils/config.rs
@@ -1,564 +0,0 @@
-// Copyright 2024 RustFS Team
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-use keyring::Entry;
-use serde::{Deserialize, Serialize};
-use std::error::Error;
-
-/// Configuration for the RustFS service
-///
-/// # Fields
-/// * `address` - The address of the RustFS service
-/// * `host` - The host of the RustFS service
-/// * `port` - The port of the RustFS service
-/// * `access_key` - The access key of the RustFS service
-/// * `secret_key` - The secret key of the RustFS service
-/// * `domain_name` - The domain name of the RustFS service
-/// * `volume_name` - The volume name of the RustFS service
-/// * `console_address` - The console address of the RustFS service
-///
-/// # Example
-/// ```
-/// let config = RustFSConfig {
-///    address: "127.0.0.1:9000".to_string(),
-///    host: "127.0.0.1".to_string(),
-///    port: "9000".to_string(),
-///    access_key: "rustfsadmin".to_string(),
-///    secret_key: "rustfsadmin".to_string(),
-///    domain_name: "demo.rustfs.com".to_string(),
-///    volume_name: "data".to_string(),
-///    console_address: "127.0.0.1:9001".to_string(),
-/// };
-/// println!("{:?}", config);
-/// assert_eq!(config.address, "127.0.0.1:9000");
-/// ```
-#[derive(Debug, Clone, Default, Deserialize, Serialize, Ord, PartialOrd, Eq, PartialEq)]
-pub struct RustFSConfig {
-    pub address: String,
-    pub host: String,
-    pub port: String,
-    pub access_key: String,
-    pub secret_key: String,
-    pub domain_name: String,
-    pub volume_name: String,
-    pub console_address: String,
-}
-
-impl RustFSConfig {
-    /// keyring the name of the service
-    const SERVICE_NAME: &'static str = "rustfs-service";
-    /// keyring the key of the service
-    const SERVICE_KEY: &'static str = "rustfs_key";
-    /// default domain name
-    const DEFAULT_DOMAIN_NAME_VALUE: &'static str = "demo.rustfs.com";
-    /// default address value
-    const DEFAULT_ADDRESS_VALUE: &'static str = "127.0.0.1:9000";
-    /// default port value
-    const DEFAULT_PORT_VALUE: &'static str = "9000";
-    /// default host value
-    const DEFAULT_HOST_VALUE: &'static str = "127.0.0.1";
-    /// default access key value
-    const DEFAULT_ACCESS_KEY_VALUE: &'static str = "rustfsadmin";
-    /// default secret key value
-    const DEFAULT_SECRET_KEY_VALUE: &'static str = "rustfsadmin";
-    /// default console address value
-    const DEFAULT_CONSOLE_ADDRESS_VALUE: &'static str = "127.0.0.1:9001";
-
-    /// get the default volume_name
-    ///
-    /// # Returns
-    /// * The default volume name
-    ///
-    /// # Example
-    /// ```
-    /// let volume_name = RustFSConfig::default_volume_name();
-    /// ```
-    pub fn default_volume_name() -> String {
-        dirs::home_dir()
-            .map(|home| home.join("rustfs").join("data"))
-            .and_then(|path| path.to_str().map(String::from))
-            .unwrap_or_else(|| "data".to_string())
-    }
-
-    /// create a default configuration
-    ///
-    /// # Returns
-    /// * The default configuration
-    ///
-    /// # Example
-    /// ```
-    /// let config = RustFSConfig::default_config();
-    /// println!("{:?}", config);
-    /// assert_eq!(config.address, "127.0.0.1:9000");
-    /// ```
-    pub fn default_config() -> Self {
-        Self {
-            address: Self::DEFAULT_ADDRESS_VALUE.to_string(),
-            host: Self::DEFAULT_HOST_VALUE.to_string(),
-            port: Self::DEFAULT_PORT_VALUE.to_string(),
-            access_key: Self::DEFAULT_ACCESS_KEY_VALUE.to_string(),
-            secret_key: Self::DEFAULT_SECRET_KEY_VALUE.to_string(),
-            domain_name: Self::DEFAULT_DOMAIN_NAME_VALUE.to_string(),
-            volume_name: Self::default_volume_name(),
-            console_address: Self::DEFAULT_CONSOLE_ADDRESS_VALUE.to_string(),
-        }
-    }
-
-    /// Load the configuration from the keyring
-    ///
-    /// # Errors
-    /// * If the configuration cannot be loaded from the keyring
-    /// * If the configuration cannot be deserialized
-    /// * If the address cannot be extracted from the configuration
-    ///
-    /// # Example
-    /// ```
-    /// let config = RustFSConfig::load().unwrap();
-    /// println!("{:?}", config);
-    /// assert_eq!(config.address, "127.0.0.1:9000");
-    /// ```
-    pub fn load() -> Result<Self, Box<dyn Error>> {
-        let mut config = Self::default_config();
-
-        // Try to get the configuration of the storage from the keyring
-        let entry = Entry::new(Self::SERVICE_NAME, Self::SERVICE_KEY)?;
-        if let Ok(stored_json) = entry.get_password() {
-            if let Ok(stored_config) = serde_json::from_str::<RustFSConfig>(&stored_json) {
-                // update fields that are not empty and non default
-                if !stored_config.address.is_empty() && stored_config.address != Self::DEFAULT_ADDRESS_VALUE {
-                    config.address = stored_config.address;
-                    let (host, port) = Self::extract_host_port(config.address.as_str())
-                        .ok_or_else(|| format!("无法从地址 '{}' 中提取主机和端口", config.address))?;
-                    config.host = host.to_string();
-                    config.port = port.to_string();
-                }
-                if !stored_config.access_key.is_empty() && stored_config.access_key != Self::DEFAULT_ACCESS_KEY_VALUE {
-                    config.access_key = stored_config.access_key;
-                }
-                if !stored_config.secret_key.is_empty() && stored_config.secret_key != Self::DEFAULT_SECRET_KEY_VALUE {
-                    config.secret_key = stored_config.secret_key;
-                }
-                if !stored_config.domain_name.is_empty() && stored_config.domain_name != Self::DEFAULT_DOMAIN_NAME_VALUE {
-                    config.domain_name = stored_config.domain_name;
-                }
-                // The stored volume_name is updated only if it is not empty and different from the default
-                if !stored_config.volume_name.is_empty() && stored_config.volume_name != Self::default_volume_name() {
-                    config.volume_name = stored_config.volume_name;
-                }
-                if !stored_config.console_address.is_empty()
-                    && stored_config.console_address != Self::DEFAULT_CONSOLE_ADDRESS_VALUE
-                {
-                    config.console_address = stored_config.console_address;
-                }
-            }
-        }
-
-        Ok(config)
-    }
-
-    /// Auxiliary method: Extract the host and port from the address string
-    /// # Arguments
-    /// * `address` - The address string
-    ///
-    /// # Returns
-    /// * `Some((host, port))` - The host and port
-    ///
-    /// # Errors
-    /// * If the address is not in the form 'host:port'
-    /// * If the port is not a valid u16
-    ///
-    /// # Example
-    /// ```
-    /// let (host, port) = RustFSConfig::extract_host_port("127.0.0.1:9000").unwrap();
-    /// assert_eq!(host, "127.0.0.1");
-    /// assert_eq!(port, 9000);
-    /// ```
-    pub fn extract_host_port(address: &str) -> Option<(&str, u16)> {
-        let parts: Vec<&str> = address.split(':').collect();
-        if parts.len() == 2 {
-            if let Ok(port) = parts[1].parse::<u16>() {
-                return Some((parts[0], port));
-            }
-        }
-        None
-    }
-
-    /// save the configuration to keyring
-    ///
-    /// # Errors
-    /// * If the configuration cannot be serialized
-    /// * If the configuration cannot be saved to the keyring
-    ///
-    /// # Example
-    /// ```
-    /// let config = RustFSConfig::default_config();
-    /// config.save().unwrap();
-    /// ```
-    pub fn save(&self) -> Result<(), Box<dyn Error>> {
-        let entry = Entry::new(Self::SERVICE_NAME, Self::SERVICE_KEY)?;
-        let json = serde_json::to_string(self)?;
-        entry.set_password(&json)?;
-        Ok(())
-    }
-
-    /// Clear the stored configuration from the system keyring
-    ///
-    /// # Returns
-    /// `Ok(())` if the configuration was successfully cleared, or an error if the operation failed.
-    ///
-    /// # Example
-    /// ```
-    /// RustFSConfig::clear().unwrap();
-    /// ```
-    #[allow(dead_code)]
-    pub fn clear() -> Result<(), Box<dyn Error>> {
-        let entry = Entry::new(Self::SERVICE_NAME, Self::SERVICE_KEY)?;
-        entry.delete_credential()?;
-        Ok(())
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn test_rustfs_config_default() {
-        let config = RustFSConfig::default();
-        assert!(config.address.is_empty());
-        assert!(config.host.is_empty());
-        assert!(config.port.is_empty());
-        assert!(config.access_key.is_empty());
-        assert!(config.secret_key.is_empty());
-        assert!(config.domain_name.is_empty());
-        assert!(config.volume_name.is_empty());
-        assert!(config.console_address.is_empty());
-    }
-
-    #[test]
-    fn test_rustfs_config_creation() {
-        let config = RustFSConfig {
-            address: "192.168.1.100:9000".to_string(),
-            host: "192.168.1.100".to_string(),
-            port: "9000".to_string(),
-            access_key: "testuser".to_string(),
-            secret_key: "testpass".to_string(),
-            domain_name: "test.rustfs.com".to_string(),
-            volume_name: "/data/rustfs".to_string(),
-            console_address: "192.168.1.100:9001".to_string(),
-        };
-
-        assert_eq!(config.address, "192.168.1.100:9000");
-        assert_eq!(config.host, "192.168.1.100");
-        assert_eq!(config.port, "9000");
-        assert_eq!(config.access_key, "testuser");
-        assert_eq!(config.secret_key, "testpass");
-        assert_eq!(config.domain_name, "test.rustfs.com");
-        assert_eq!(config.volume_name, "/data/rustfs");
-        assert_eq!(config.console_address, "192.168.1.100:9001");
-    }
-
-    #[test]
-    fn test_default_volume_name() {
-        let volume_name = RustFSConfig::default_volume_name();
-        assert!(!volume_name.is_empty());
-        // Should either be the home directory path or fallback to "data"
-        assert!(volume_name.contains("rustfs") || volume_name == "data");
-    }
-
-    #[test]
-    fn test_default_config() {
-        let config = RustFSConfig::default_config();
-        assert_eq!(config.address, RustFSConfig::DEFAULT_ADDRESS_VALUE);
-        assert_eq!(config.host, RustFSConfig::DEFAULT_HOST_VALUE);
-        assert_eq!(config.port, RustFSConfig::DEFAULT_PORT_VALUE);
-        assert_eq!(config.access_key, RustFSConfig::DEFAULT_ACCESS_KEY_VALUE);
-        assert_eq!(config.secret_key, RustFSConfig::DEFAULT_SECRET_KEY_VALUE);
-        assert_eq!(config.domain_name, RustFSConfig::DEFAULT_DOMAIN_NAME_VALUE);
-        assert_eq!(config.console_address, RustFSConfig::DEFAULT_CONSOLE_ADDRESS_VALUE);
-        assert!(!config.volume_name.is_empty());
-    }
-
-    #[test]
-    fn test_extract_host_port_valid() {
-        let test_cases = vec![
-            ("127.0.0.1:9000", Some(("127.0.0.1", 9000))),
-            ("localhost:8080", Some(("localhost", 8080))),
-            ("192.168.1.100:3000", Some(("192.168.1.100", 3000))),
-            ("0.0.0.0:80", Some(("0.0.0.0", 80))),
-            ("example.com:443", Some(("example.com", 443))),
-        ];
-
-        for (input, expected) in test_cases {
-            let result = RustFSConfig::extract_host_port(input);
-            assert_eq!(result, expected, "Failed for input: {input}");
-        }
-    }
-
-    #[test]
-    fn test_extract_host_port_invalid() {
-        let invalid_cases = vec![
-            "127.0.0.1",            // Missing port
-            "127.0.0.1:",           // Empty port
-            "127.0.0.1:abc",        // Invalid port
-            "127.0.0.1:99999",      // Port out of range
-            "",                     // Empty string
-            "127.0.0.1:9000:extra", // Too many parts
-            "invalid",              // No colon
-        ];
-
-        for input in invalid_cases {
-            let result = RustFSConfig::extract_host_port(input);
-            assert_eq!(result, None, "Should be None for input: {input}");
-        }
-
-        // Special case: empty host but valid port should still work
-        let result = RustFSConfig::extract_host_port(":9000");
-        assert_eq!(result, Some(("", 9000)));
-    }
-
-    #[test]
-    fn test_extract_host_port_edge_cases() {
-        // Test edge cases for port numbers
-        assert_eq!(RustFSConfig::extract_host_port("host:0"), Some(("host", 0)));
-        assert_eq!(RustFSConfig::extract_host_port("host:65535"), Some(("host", 65535)));
-        assert_eq!(RustFSConfig::extract_host_port("host:65536"), None); // Out of range
-    }
-
-    #[test]
-    fn test_serialization() {
-        let config = RustFSConfig {
-            address: "127.0.0.1:9000".to_string(),
-            host: "127.0.0.1".to_string(),
-            port: "9000".to_string(),
-            access_key: "admin".to_string(),
-            secret_key: "password".to_string(),
-            domain_name: "test.com".to_string(),
-            volume_name: "/data".to_string(),
-            console_address: "127.0.0.1:9001".to_string(),
-        };
-
-        let json = serde_json::to_string(&config).unwrap();
-        assert!(json.contains("127.0.0.1:9000"));
-        assert!(json.contains("admin"));
-        assert!(json.contains("test.com"));
-    }
-
-    #[test]
-    fn test_deserialization() {
-        let json = r#"{
-            "address": "192.168.1.100:9000",
-            "host": "192.168.1.100",
-            "port": "9000",
-            "access_key": "testuser",
-            "secret_key": "testpass",
-            "domain_name": "example.com",
-            "volume_name": "/opt/data",
-            "console_address": "192.168.1.100:9001"
-        }"#;
-
-        let config: RustFSConfig = serde_json::from_str(json).unwrap();
-        assert_eq!(config.address, "192.168.1.100:9000");
-        assert_eq!(config.host, "192.168.1.100");
-        assert_eq!(config.port, "9000");
-        assert_eq!(config.access_key, "testuser");
-        assert_eq!(config.secret_key, "testpass");
-        assert_eq!(config.domain_name, "example.com");
-        assert_eq!(config.volume_name, "/opt/data");
-        assert_eq!(config.console_address, "192.168.1.100:9001");
-    }
-
-    #[test]
-    fn test_serialization_deserialization_roundtrip() {
-        let original_config = RustFSConfig {
-            address: "10.0.0.1:8080".to_string(),
-            host: "10.0.0.1".to_string(),
-            port: "8080".to_string(),
-            access_key: "roundtrip_user".to_string(),
-            secret_key: "roundtrip_pass".to_string(),
-            domain_name: "roundtrip.test".to_string(),
-            volume_name: "/tmp/roundtrip".to_string(),
-            console_address: "10.0.0.1:8081".to_string(),
-        };
-
-        let json = serde_json::to_string(&original_config).unwrap();
-        let deserialized_config: RustFSConfig = serde_json::from_str(&json).unwrap();
-
-        assert_eq!(original_config, deserialized_config);
-    }
-
-    #[test]
-    fn test_config_ordering() {
-        let config1 = RustFSConfig {
-            address: "127.0.0.1:9000".to_string(),
-            host: "127.0.0.1".to_string(),
-            port: "9000".to_string(),
-            access_key: "admin".to_string(),
-            secret_key: "password".to_string(),
-            domain_name: "test.com".to_string(),
-            volume_name: "/data".to_string(),
-            console_address: "127.0.0.1:9001".to_string(),
-        };
-
-        let config2 = RustFSConfig {
-            address: "127.0.0.1:9000".to_string(),
-            host: "127.0.0.1".to_string(),
-            port: "9000".to_string(),
-            access_key: "admin".to_string(),
-            secret_key: "password".to_string(),
-            domain_name: "test.com".to_string(),
-            volume_name: "/data".to_string(),
-            console_address: "127.0.0.1:9001".to_string(),
-        };
-
-        let config3 = RustFSConfig {
-            address: "127.0.0.1:9001".to_string(), // Different port
-            host: "127.0.0.1".to_string(),
-            port: "9001".to_string(),
-            access_key: "admin".to_string(),
-            secret_key: "password".to_string(),
-            domain_name: "test.com".to_string(),
-            volume_name: "/data".to_string(),
-            console_address: "127.0.0.1:9002".to_string(),
-        };
-
-        assert_eq!(config1, config2);
-        assert_ne!(config1, config3);
-        assert!(config1 < config3); // Lexicographic ordering
-    }
-
-    #[test]
-    fn test_clone() {
-        let original = RustFSConfig::default_config();
-        let cloned = original.clone();
-
-        assert_eq!(original, cloned);
-        assert_eq!(original.address, cloned.address);
-        assert_eq!(original.access_key, cloned.access_key);
-    }
-
-    #[test]
-    fn test_debug_format() {
-        let config = RustFSConfig::default_config();
-        let debug_str = format!("{config:?}");
-
-        assert!(debug_str.contains("RustFSConfig"));
-        assert!(debug_str.contains("address"));
-        assert!(debug_str.contains("127.0.0.1:9000"));
-    }
-
-    #[test]
-    fn test_constants() {
-        assert_eq!(RustFSConfig::SERVICE_NAME, "rustfs-service");
-        assert_eq!(RustFSConfig::SERVICE_KEY, "rustfs_key");
-        assert_eq!(RustFSConfig::DEFAULT_DOMAIN_NAME_VALUE, "demo.rustfs.com");
-        assert_eq!(RustFSConfig::DEFAULT_ADDRESS_VALUE, "127.0.0.1:9000");
-        assert_eq!(RustFSConfig::DEFAULT_PORT_VALUE, "9000");
-        assert_eq!(RustFSConfig::DEFAULT_HOST_VALUE, "127.0.0.1");
-        assert_eq!(RustFSConfig::DEFAULT_ACCESS_KEY_VALUE, "rustfsadmin");
-        assert_eq!(RustFSConfig::DEFAULT_SECRET_KEY_VALUE, "rustfsadmin");
-        assert_eq!(RustFSConfig::DEFAULT_CONSOLE_ADDRESS_VALUE, "127.0.0.1:9001");
-    }
-
-    #[test]
-    fn test_empty_strings() {
-        let config = RustFSConfig {
-            address: "".to_string(),
-            host: "".to_string(),
-            port: "".to_string(),
-            access_key: "".to_string(),
-            secret_key: "".to_string(),
-            domain_name: "".to_string(),
-            volume_name: "".to_string(),
-            console_address: "".to_string(),
-        };
-
-        assert!(config.address.is_empty());
-        assert!(config.host.is_empty());
-        assert!(config.port.is_empty());
-        assert!(config.access_key.is_empty());
-        assert!(config.secret_key.is_empty());
-        assert!(config.domain_name.is_empty());
-        assert!(config.volume_name.is_empty());
-        assert!(config.console_address.is_empty());
-    }
-
-    #[test]
-    fn test_very_long_strings() {
-        let long_string = "a".repeat(1000);
-        let config = RustFSConfig {
-            address: format!("{long_string}:9000"),
-            host: long_string.clone(),
-            port: "9000".to_string(),
-            access_key: long_string.clone(),
-            secret_key: long_string.clone(),
-            domain_name: format!("{long_string}.com"),
-            volume_name: format!("/data/{long_string}"),
-            console_address: format!("{long_string}:9001"),
-        };
-
-        assert_eq!(config.host.len(), 1000);
-        assert_eq!(config.access_key.len(), 1000);
-        assert_eq!(config.secret_key.len(), 1000);
-    }
-
-    #[test]
-    fn test_special_characters() {
-        let config = RustFSConfig {
-            address: "127.0.0.1:9000".to_string(),
-            host: "127.0.0.1".to_string(),
-            port: "9000".to_string(),
-            access_key: "user@domain.com".to_string(),
-            secret_key: "p@ssw0rd!#$%".to_string(),
-            domain_name: "test-domain.example.com".to_string(),
-            volume_name: "/data/rust-fs/storage".to_string(),
-            console_address: "127.0.0.1:9001".to_string(),
-        };
-
-        assert!(config.access_key.contains("@"));
-        assert!(config.secret_key.contains("!#$%"));
-        assert!(config.domain_name.contains("-"));
-        assert!(config.volume_name.contains("/"));
-    }
-
-    #[test]
-    fn test_unicode_strings() {
-        let config = RustFSConfig {
-            address: "127.0.0.1:9000".to_string(),
-            host: "127.0.0.1".to_string(),
-            port: "9000".to_string(),
-            access_key: "用户名".to_string(),
-            secret_key: "密码 123".to_string(),
-            domain_name: "测试.com".to_string(),
-            volume_name: "/数据/存储".to_string(),
-            console_address: "127.0.0.1:9001".to_string(),
-        };
-
-        assert_eq!(config.access_key, "用户名");
-        assert_eq!(config.secret_key, "密码 123");
-        assert_eq!(config.domain_name, "测试.com");
-        assert_eq!(config.volume_name, "/数据/存储");
-    }
-
-    #[test]
-    fn test_memory_efficiency() {
-        // Test that the structure doesn't use excessive memory
-        assert!(std::mem::size_of::<RustFSConfig>() < 1000);
-    }
-
-    // Note: Keyring-related tests (load, save, clear) are not included here
-    // because they require actual keyring access and would be integration tests
-    // rather than unit tests. They should be tested separately in an integration
-    // test environment where keyring access can be properly mocked or controlled.
-}
--- a/cli/rustfs-gui/src/utils/helper.rs
+++ b/cli/rustfs-gui/src/utils/helper.rs
@@ -1,899 +0,0 @@
-// Copyright 2024 RustFS Team
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-use crate::utils::RustFSConfig;
-use dioxus::logger::tracing::{debug, error, info};
-use rust_embed::RustEmbed;
-use sha2::{Digest, Sha256};
-use std::error::Error;
-use std::path::{Path, PathBuf};
-use std::process::Command as StdCommand;
-use std::sync::LazyLock;
-use std::time::Duration;
-use tokio::fs;
-use tokio::fs::File;
-use tokio::io::AsyncWriteExt;
-use tokio::net::TcpStream;
-use tokio::sync::{Mutex, mpsc};
-
-#[derive(RustEmbed)]
-#[folder = "$CARGO_MANIFEST_DIR/embedded-rustfs/"]
-struct Asset;
-
-// Use `LazyLock` to cache the checksum of embedded resources
-static RUSTFS_HASH: LazyLock<Mutex<String>> = LazyLock::new(|| {
-    let rustfs_file = if cfg!(windows) { "rustfs.exe" } else { "rustfs" };
-    let rustfs_data = Asset::get(rustfs_file).expect("RustFs binary not embedded");
-    let hash = hex::encode(Sha256::digest(&rustfs_data.data));
-    Mutex::new(hash)
-});
-
-/// Service command
-/// This enum represents the commands that can be sent to the service manager
-/// to start, stop, or restart the service
-/// The `Start` variant contains the configuration for the service
-/// The `Restart` variant contains the configuration for the service
-///
-/// # Example
-/// ```
-/// let config = RustFSConfig {
-///    address: "127.0.0.1:9000".to_string(),
-///    host: "127.0.0.1".to_string(),
-///    port: "9000".to_string(),
-///    access_key: "rustfsadmin".to_string(),
-///    secret_key: "rustfsadmin".to_string(),
-///    domain_name: "demo.rustfs.com".to_string(),
-///    volume_name: "data".to_string(),
-///    console_address: "127.0.0.1:9001".to_string(),
-/// };
-///
-/// let command = ServiceCommand::Start(config);
-/// println!("{:?}", command);
-///
-/// assert_eq!(command, ServiceCommand::Start(config));
-/// ```
-pub enum ServiceCommand {
-    Start(RustFSConfig),
-    Stop,
-    Restart(RustFSConfig),
-}
-
-/// Service operation result
-/// This struct represents the result of a service operation
-/// It contains information about the success of the operation,
-///
-/// # Example
-/// ```
-/// use chrono::Local;
-///
-/// let result = ServiceOperationResult {
-///     success: true,
-///     start_time: chrono::Local::now(),
-///     end_time: chrono::Local::now(),
-///     message: "服务启动成功".to_string(),
-/// };
-///
-/// println!("{:?}", result);
-/// assert_eq!(result.success, true);
-/// ```
-#[derive(Debug)]
-pub struct ServiceOperationResult {
-    pub success: bool,
-    pub start_time: chrono::DateTime<chrono::Local>,
-    pub end_time: chrono::DateTime<chrono::Local>,
-    pub message: String,
-}
-
-/// Service manager
-/// This struct represents a service manager that can be used to start, stop, or restart a service
-/// It contains a command sender that can be used to send commands to the service manager
-///
-/// # Example
-/// ```
-/// let service_manager = ServiceManager::new();
-/// println!("{:?}", service_manager);
-/// ```
-#[derive(Debug, Clone)]
-pub struct ServiceManager {
-    command_tx: mpsc::Sender<ServiceCommand>,
-    // process: Arc<Mutex<Option<Child>>>,
-    // pid: Arc<Mutex<Option<u32>>>,                     // Add PID storage
-    // current_config: Arc<Mutex<Option<RustFSConfig>>>, // Add configuration storage
-}
-
-impl ServiceManager {
-    /// check if the service is running and return a pid
-    /// This function is platform dependent
-    /// On Unix systems, it uses the `ps` command to check for the service
-    /// On Windows systems, it uses the `wmic` command to check for the service
-    ///
-    /// # Example
-    /// ```
-    /// let pid = check_service_status().await;
-    /// println!("{:?}", pid);
-    /// ```
-    pub async fn check_service_status() -> Option<u32> {
-        #[cfg(unix)]
-        {
-            // use the ps command on a unix system
-            if let Ok(output) = StdCommand::new("ps").arg("-ef").output() {
-                let output_str = String::from_utf8_lossy(&output.stdout);
-                for line in output_str.lines() {
-                    // match contains `rustfs/bin/rustfs` of the line
-                    if line.contains("rustfs/bin/rustfs") && !line.contains("grep") {
-                        if let Some(pid_str) = line.split_whitespace().nth(1) {
-                            if let Ok(pid) = pid_str.parse::<u32>() {
-                                return Some(pid);
-                            }
-                        }
-                    }
-                }
-            }
-        }
-
-        #[cfg(windows)]
-        {
-            if let Ok(output) = StdCommand::new("wmic")
-                .arg("process")
-                .arg("where")
-                .arg("caption='rustfs.exe'")
-                .arg("get")
-                .arg("processid")
-                .output()
-            {
-                let output_str = String::from_utf8_lossy(&output.stdout);
-                for line in output_str.lines() {
-                    if let Ok(pid) = line.trim().parse::<u32>() {
-                        return Some(pid);
-                    }
-                }
-            }
-        }
-
-        None
-    }
-
-    /// Prepare the service
-    /// This function downloads the service executable if it doesn't exist
-    /// It also creates the necessary directories for the service
-    ///
-    /// # Example
-    /// ```
-    /// let executable_path = prepare_service().await;
-    /// println!("{:?}", executable_path);
-    /// ```
-    async fn prepare_service() -> Result<PathBuf, Box<dyn Error>> {
-        // get the user directory
-        let home_dir = dirs::home_dir().ok_or("无法获取用户目录")?;
-        let rustfs_dir = home_dir.join("rustfs");
-        let bin_dir = rustfs_dir.join("bin");
-        let data_dir = rustfs_dir.join("data");
-        let logs_dir = rustfs_dir.join("logs");
-
-        // create the necessary directories
-        for dir in [&bin_dir, &data_dir, &logs_dir] {
-            if !dir.exists() {
-                tokio::fs::create_dir_all(dir).await?;
-            }
-        }
-
-        let rustfs_file = if cfg!(windows) { "rustfs.exe" } else { "rustfs" };
-        let executable_path = bin_dir.join(rustfs_file);
-        let hash_path = bin_dir.join("embedded_rustfs.sha256");
-
-        if executable_path.exists() && hash_path.exists() {
-            let cached_hash = fs::read_to_string(&hash_path).await?;
-            let expected_hash = RUSTFS_HASH.lock().await;
-            if cached_hash == *expected_hash {
-                println!("Use cached rustfs: {executable_path:?}");
-                return Ok(executable_path);
-            }
-        }
-
-        // Extract and write files
-        let rustfs_data = Asset::get(rustfs_file).expect("RustFS binary not embedded");
-        let mut file = File::create(&executable_path).await?;
-        file.write_all(&rustfs_data.data).await?;
-        let expected_hash = hex::encode(Sha256::digest(&rustfs_data.data));
-        fs::write(&hash_path, expected_hash).await?;
-
-        // set execution permissions on unix systems
-        #[cfg(unix)]
-        {
-            use std::os::unix::fs::PermissionsExt;
-            let mut perms = std::fs::metadata(&executable_path)?.permissions();
-            perms.set_mode(0o755);
-            std::fs::set_permissions(&executable_path, perms)?;
-        }
-
-        Ok(executable_path)
-    }
-
-    /// Helper function: Extracts the port from the address string
-    ///
-    /// # Example
-    /// ```
-    /// let address = "127.0.0.1:9000";
-    /// let port = extract_port(address);
-    /// println!("{:?}", port);
-    /// ```
-    fn extract_port(address: &str) -> Option<u16> {
-        address.split(':').nth(1)?.parse().ok()
-    }
-
-    /// Create a new instance of the service manager
-    ///
-    /// # Example
-    /// ```
-    /// let service_manager = ServiceManager::new();
-    /// println!("{:?}", service_manager);
-    /// ```
-    pub(crate) fn new() -> Self {
-        let (command_tx, mut command_rx) = mpsc::channel(10);
-        // Start the control loop
-        tokio::spawn(async move {
-            while let Some(cmd) = command_rx.recv().await {
-                match cmd {
-                    ServiceCommand::Start(config) => {
-                        if let Err(e) = Self::start_service(&config).await {
-                            Self::show_error(&format!("启动服务失败：{e}"));
-                        }
-                    }
-                    ServiceCommand::Stop => {
-                        if let Err(e) = Self::stop_service().await {
-                            Self::show_error(&format!("停止服务失败：{e}"));
-                        }
-                    }
-                    ServiceCommand::Restart(config) => {
-                        if Self::check_service_status().await.is_some() {
-                            if let Err(e) = Self::stop_service().await {
-                                Self::show_error(&format!("重启服务失败：{e}"));
-                                continue;
-                            }
-                        }
-                        if let Err(e) = Self::start_service(&config).await {
-                            Self::show_error(&format!("重启服务失败：{e}"));
-                        }
-                    }
-                }
-            }
-        });
-
-        ServiceManager { command_tx }
-    }
-
-    /// Start the service
-    /// This function starts the service with the given configuration
-    ///
-    /// # Example
-    /// ```
-    /// let config = RustFSConfig {
-    ///    address: "127.0.0.1:9000".to_string(),
-    ///    host: "127.0.0.1".to_string(),
-    ///    port: "9000".to_string(),
-    ///    access_key: "rustfsadmin".to_string(),
-    ///    secret_key: "rustfsadmin".to_string(),
-    ///    domain_name: "demo.rustfs.com".to_string(),
-    ///    volume_name: "data".to_string(),
-    ///    console_address: "127.0.0.1:9001".to_string(),
-    /// };
-    ///
-    /// let result = start_service(&config).await;
-    /// println!("{:?}", result);
-    /// ```
-    async fn start_service(config: &RustFSConfig) -> Result<(), Box<dyn Error>> {
-        // Check if the service is already running
-        if let Some(existing_pid) = Self::check_service_status().await {
-            return Err(format!("服务已经在运行，PID: {existing_pid}").into());
-        }
-
-        // Prepare the service program
-        let executable_path = Self::prepare_service().await?;
-        // Check the data catalog
-        let volume_name_path = Path::new(&config.volume_name);
-        if !volume_name_path.exists() {
-            tokio::fs::create_dir_all(&config.volume_name).await?;
-        }
-
-        // Extract the port from the configuration
-        let main_port = Self::extract_port(&config.address).ok_or("无法解析主服务端口")?;
-        let console_port = Self::extract_port(&config.console_address).ok_or("无法解析控制台端口")?;
-
-        let host = config.address.split(':').next().ok_or("无法解析主机地址")?;
-
-        // Check the port
-        let ports = vec![main_port, console_port];
-        for port in ports {
-            if Self::is_port_in_use(host, port).await {
-                return Err(format!("端口 {port} 已被占用").into());
-            }
-        }
-
-        // Start the service
-        let mut child = tokio::process::Command::new(executable_path)
-            .arg("--address")
-            .arg(&config.address)
-            .arg("--access-key")
-            .arg(&config.access_key)
-            .arg("--secret-key")
-            .arg(&config.secret_key)
-            .arg("--console-address")
-            .arg(&config.console_address)
-            .arg(config.volume_name.clone())
-            .spawn()?;
-
-        let process_pid = child.id().unwrap();
-        // Wait for the service to start
-        tokio::time::sleep(Duration::from_secs(2)).await;
-
-        // Check if the service started successfully
-        if Self::is_port_in_use(host, main_port).await {
-            Self::show_info(&format!("服务启动成功！进程 ID: {process_pid}"));
-
-            Ok(())
-        } else {
-            child.kill().await?;
-            Err("服务启动失败".into())
-        }
-    }
-
-    /// Stop the service
-    /// This function stops the service
-    ///
-    /// # Example
-    /// ```
-    /// let result = stop_service().await;
-    /// println!("{:?}", result);
-    /// ```
-    async fn stop_service() -> Result<(), Box<dyn Error>> {
-        let existing_pid = Self::check_service_status().await;
-        debug!("existing_pid: {:?}", existing_pid);
-        if let Some(service_pid) = existing_pid {
-            // An attempt was made to terminate the process
-            #[cfg(unix)]
-            {
-                StdCommand::new("kill").arg("-9").arg(service_pid.to_string()).output()?;
-            }
-
-            #[cfg(windows)]
-            {
-                StdCommand::new("taskkill")
-                    .arg("/F")
-                    .arg("/PID")
-                    .arg(&service_pid.to_string())
-                    .output()?;
-            }
-
-            // Verify that the service is indeed stopped
-            tokio::time::sleep(Duration::from_secs(1)).await;
-            if Self::check_service_status().await.is_some() {
-                return Err("服务停止失败".into());
-            }
-            Self::show_info("服务已成功停止");
-
-            Ok(())
-        } else {
-            Err("服务未运行".into())
-        }
-    }
-
-    /// Check if the port is in use
-    /// This function checks if the given port is in use on the given host
-    ///
-    /// # Example
-    /// ```
-    /// let host = "127.0.0.1";
-    /// let port = 9000;
-    /// let result = is_port_in_use(host, port).await;
-    /// println!("{:?}", result);
-    /// ```
-    async fn is_port_in_use(host: &str, port: u16) -> bool {
-        TcpStream::connect(format!("{host}:{port}")).await.is_ok()
-    }
-
-    /// Show an error message
-    /// This function shows an error message dialog
-    ///
-    /// # Example
-    /// ```
-    /// show_error("This is an error message");
-    /// ```
-    pub(crate) fn show_error(message: &str) {
-        rfd::MessageDialog::new()
-            .set_title("错误")
-            .set_description(message)
-            .set_level(rfd::MessageLevel::Error)
-            .show();
-    }
-
-    /// Show an information message
-    /// This function shows an information message dialog
-    ///
-    /// # Example
-    /// ```
-    /// show_info("This is an information message");
-    /// ```
-    pub(crate) fn show_info(message: &str) {
-        rfd::MessageDialog::new()
-            .set_title("成功")
-            .set_description(message)
-            .set_level(rfd::MessageLevel::Info)
-            .show();
-    }
-
-    /// Start the service
-    /// This function sends a `Start` command to the service manager
-    ///
-    /// # Example
-    /// ```
-    /// let config = RustFSConfig {
-    ///    address: "127.0.0.1:9000".to_string(),
-    ///    host: "127.0.0.1".to_string(),
-    ///    port: "9000".to_string(),
-    ///    access_key: "rustfsadmin".to_string(),
-    ///    secret_key: "rustfsadmin".to_string(),
-    ///    domain_name: "demo.rustfs.com".to_string(),
-    ///    volume_name: "data".to_string(),
-    ///    console_address: "127.0.0.1:9001".to_string(),
-    /// };
-    ///
-    /// let service_manager = ServiceManager::new();
-    /// let result = service_manager.start(config).await;
-    /// println!("{:?}", result);
-    /// ```
-    ///
-    /// # Errors
-    /// This function returns an error if the service fails to start
-    ///
-    /// # Panics
-    /// This function panics if the port number is invalid
-    ///
-    /// # Safety
-    /// This function is not marked as unsafe
-    ///
-    /// # Performance
-    /// This function is not optimized for performance
-    ///
-    /// # Design
-    /// This function is designed to be simple and easy to use
-    ///
-    /// # Security
-    /// This function does not have any security implications
-    pub async fn start(&self, config: RustFSConfig) -> Result<ServiceOperationResult, Box<dyn Error>> {
-        let start_time = chrono::Local::now();
-        self.command_tx.send(ServiceCommand::Start(config.clone())).await?;
-
-        let host = &config.host;
-        let port = config.port.parse::<u16>().expect("无效的端口号");
-        // wait for the service to actually start
-        let mut retries = 0;
-        while retries < 30 {
-            // wait up to 30 seconds
-            if Self::check_service_status().await.is_some() && Self::is_port_in_use(host, port).await {
-                let end_time = chrono::Local::now();
-                return Ok(ServiceOperationResult {
-                    success: true,
-                    start_time,
-                    end_time,
-                    message: "服务启动成功".to_string(),
-                });
-            }
-            tokio::time::sleep(Duration::from_secs(1)).await;
-            retries += 1;
-        }
-
-        Err("服务启动超时".into())
-    }
-
-    /// Stop the service
-    /// This function sends a `Stop` command to the service manager
-    ///
-    /// # Example
-    /// ```
-    /// let service_manager = ServiceManager::new();
-    /// let result = service_manager.stop().await;
-    /// println!("{:?}", result);
-    /// ```
-    ///
-    /// # Errors
-    /// This function returns an error if the service fails to stop
-    ///
-    /// # Panics
-    /// This function panics if the port number is invalid
-    ///
-    /// # Safety
-    /// This function is not marked as unsafe
-    ///
-    /// # Performance
-    /// This function is not optimized for performance
-    ///
-    /// # Design
-    /// This function is designed to be simple and easy to use
-    ///
-    /// # Security
-    /// This function does not have any security implications
-    pub async fn stop(&self) -> Result<ServiceOperationResult, Box<dyn Error>> {
-        let start_time = chrono::Local::now();
-        self.command_tx.send(ServiceCommand::Stop).await?;
-
-        // Wait for the service to actually stop
-        let mut retries = 0;
-        while retries < 15 {
-            // Wait up to 15 seconds
-            if Self::check_service_status().await.is_none() {
-                let end_time = chrono::Local::now();
-                return Ok(ServiceOperationResult {
-                    success: true,
-                    start_time,
-                    end_time,
-                    message: "服务停止成功".to_string(),
-                });
-            }
-            tokio::time::sleep(Duration::from_secs(1)).await;
-            retries += 1;
-        }
-
-        Err("服务停止超时".into())
-    }
-
-    /// Restart the service
-    /// This function sends a `Restart` command to the service manager
-    ///
-    /// # Example
-    /// ```
-    /// let config = RustFSConfig {
-    ///    address: "127.0.0.1:9000".to_string(),
-    ///    host: "127.0.0.1".to_string(),
-    ///    port: "9000".to_string(),
-    ///    access_key: "rustfsadmin".to_string(),
-    ///    secret_key: "rustfsadmin".to_string(),
-    ///    domain_name: "demo.rustfs.com".to_string(),
-    ///    volume_name: "data".to_string(),
-    ///    console_address: "127.0.0.1:9001".to_string(),
-    /// };
-    ///
-    /// let service_manager = ServiceManager::new();
-    /// let result = service_manager.restart(config).await;
-    /// println!("{:?}", result);
-    /// ```
-    ///
-    /// # Errors
-    /// This function returns an error if the service fails to restart
-    ///
-    /// # Panics
-    /// This function panics if the port number is invalid
-    ///
-    /// # Safety
-    /// This function is not marked as unsafe
-    ///
-    /// # Performance
-    /// This function is not optimized for performance
-    ///
-    /// # Design
-    /// This function is designed to be simple and easy to use
-    ///
-    /// # Security
-    /// This function does not have any security implications
-    pub async fn restart(&self, config: RustFSConfig) -> Result<ServiceOperationResult, Box<dyn Error>> {
-        let start_time = chrono::Local::now();
-        self.command_tx.send(ServiceCommand::Restart(config.clone())).await?;
-
-        let host = &config.host;
-        let port = config.port.parse::<u16>().expect("无效的端口号");
-
-        // wait for the service to restart
-        let mut retries = 0;
-        while retries < 45 {
-            // Longer waiting time is given as both the stop and start processes are involved
-            if Self::check_service_status().await.is_some() && Self::is_port_in_use(host, port).await {
-                match config.save() {
-                    Ok(_) => info!("save config success"),
-                    Err(e) => {
-                        error!("save config error: {}", e);
-                        self.command_tx.send(ServiceCommand::Stop).await?;
-                        Self::show_error("保存配置失败");
-                        return Err("保存配置失败".into());
-                    }
-                }
-                let end_time = chrono::Local::now();
-                return Ok(ServiceOperationResult {
-                    success: true,
-                    start_time,
-                    end_time,
-                    message: "服务重启成功".to_string(),
-                });
-            }
-            tokio::time::sleep(Duration::from_secs(1)).await;
-            retries += 1;
-        }
-        Err("服务重启超时".into())
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use std::time::Duration;
-
-    #[test]
-    fn test_service_command_creation() {
-        let config = RustFSConfig::default_config();
-
-        let start_cmd = ServiceCommand::Start(config.clone());
-        let stop_cmd = ServiceCommand::Stop;
-        let restart_cmd = ServiceCommand::Restart(config);
-
-        // Test that commands can be created
-        match start_cmd {
-            ServiceCommand::Start(_) => {}
-            _ => panic!("Expected Start command"),
-        }
-
-        match stop_cmd {
-            ServiceCommand::Stop => {}
-            _ => panic!("Expected Stop command"),
-        }
-
-        match restart_cmd {
-            ServiceCommand::Restart(_) => {}
-            _ => panic!("Expected Restart command"),
-        }
-    }
-
-    #[test]
-    fn test_service_operation_result_creation() {
-        let start_time = chrono::Local::now();
-        let end_time = chrono::Local::now();
-
-        let success_result = ServiceOperationResult {
-            success: true,
-            start_time,
-            end_time,
-            message: "Operation successful".to_string(),
-        };
-
-        let failure_result = ServiceOperationResult {
-            success: false,
-            start_time,
-            end_time,
-            message: "Operation failed".to_string(),
-        };
-
-        assert!(success_result.success);
-        assert_eq!(success_result.message, "Operation successful");
-
-        assert!(!failure_result.success);
-        assert_eq!(failure_result.message, "Operation failed");
-    }
-
-    #[test]
-    fn test_service_operation_result_debug() {
-        let result = ServiceOperationResult {
-            success: true,
-            start_time: chrono::Local::now(),
-            end_time: chrono::Local::now(),
-            message: "Test message".to_string(),
-        };
-
-        let debug_str = format!("{result:?}");
-        assert!(debug_str.contains("ServiceOperationResult"));
-        assert!(debug_str.contains("success: true"));
-        assert!(debug_str.contains("Test message"));
-    }
-
-    #[test]
-    fn test_service_manager_creation() {
-        // Test ServiceManager creation in a tokio runtime
-        let rt = tokio::runtime::Runtime::new().unwrap();
-        rt.block_on(async {
-            let service_manager = ServiceManager::new();
-
-            // Test that ServiceManager can be created and cloned
-            let cloned_manager = service_manager.clone();
-
-            // Both should be valid (we can't test much more without async runtime)
-            assert!(format!("{service_manager:?}").contains("ServiceManager"));
-            assert!(format!("{cloned_manager:?}").contains("ServiceManager"));
-        });
-    }
-
-    #[test]
-    fn test_extract_port_valid() {
-        let test_cases = vec![
-            ("127.0.0.1:9000", Some(9000)),
-            ("localhost:8080", Some(8080)),
-            ("192.168.1.100:3000", Some(3000)),
-            ("0.0.0.0:80", Some(80)),
-            ("example.com:443", Some(443)),
-            ("host:65535", Some(65535)),
-            ("host:1", Some(1)),
-        ];
-
-        for (input, expected) in test_cases {
-            let result = ServiceManager::extract_port(input);
-            assert_eq!(result, expected, "Failed for input: {input}");
-        }
-    }
-
-    #[test]
-    fn test_extract_port_invalid() {
-        let invalid_cases = vec![
-            "127.0.0.1",       // Missing port
-            "127.0.0.1:",      // Empty port
-            "127.0.0.1:abc",   // Invalid port
-            "127.0.0.1:99999", // Port out of range
-            "",                // Empty string
-            "invalid",         // No colon
-            "host:-1",         // Negative port
-            "host:0.5",        // Decimal port
-        ];
-
-        for input in invalid_cases {
-            let result = ServiceManager::extract_port(input);
-            assert_eq!(result, None, "Should be None for input: {input}");
-        }
-
-        // Special case: empty host but valid port should still work
-        assert_eq!(ServiceManager::extract_port(":9000"), Some(9000));
-
-        // Special case: multiple colons - extract_port takes the second part
-        // For "127.0.0.1:9000:extra", it takes "9000" which is valid
-        assert_eq!(ServiceManager::extract_port("127.0.0.1:9000:extra"), Some(9000));
-    }
-
-    #[test]
-    fn test_extract_port_edge_cases() {
-        // Test edge cases for port numbers
-        assert_eq!(ServiceManager::extract_port("host:0"), Some(0));
-        assert_eq!(ServiceManager::extract_port("host:65535"), Some(65535));
-        assert_eq!(ServiceManager::extract_port("host:65536"), None); // Out of range
-        // IPv6-like address - extract_port takes the second part after split(':')
-        // For "::1:8080", split(':') gives ["", "", "1", "8080"], nth(1) gives ""
-        assert_eq!(ServiceManager::extract_port("::1:8080"), None); // Second part is empty
-        // For "[::1]:8080", split(':') gives ["[", "", "1]", "8080"], nth(1) gives ""
-        assert_eq!(ServiceManager::extract_port("[::1]:8080"), None); // Second part is empty
-    }
-
-    #[test]
-    fn test_show_error() {
-        // Test that show_error function exists and can be called
-        // We can't actually test the dialog in a test environment
-        // so we just verify the function signature
-    }
-
-    #[test]
-    fn test_show_info() {
-        // Test that show_info function exists and can be called
-        // We can't actually test the dialog in a test environment
-        // so we just verify the function signature
-    }
-
-    #[test]
-    fn test_service_operation_result_timing() {
-        let start_time = chrono::Local::now();
-        std::thread::sleep(Duration::from_millis(10)); // Small delay
-        let end_time = chrono::Local::now();
-
-        let result = ServiceOperationResult {
-            success: true,
-            start_time,
-            end_time,
-            message: "Timing test".to_string(),
-        };
-
-        // End time should be after start time
-        assert!(result.end_time >= result.start_time);
-    }
-
-    #[test]
-    fn test_service_operation_result_with_unicode() {
-        let result = ServiceOperationResult {
-            success: true,
-            start_time: chrono::Local::now(),
-            end_time: chrono::Local::now(),
-            message: "操作成功 🎉".to_string(),
-        };
-
-        assert_eq!(result.message, "操作成功 🎉");
-        assert!(result.success);
-    }
-
-    #[test]
-    fn test_service_operation_result_with_long_message() {
-        let long_message = "A".repeat(10000);
-        let result = ServiceOperationResult {
-            success: false,
-            start_time: chrono::Local::now(),
-            end_time: chrono::Local::now(),
-            message: long_message.clone(),
-        };
-
-        assert_eq!(result.message.len(), 10000);
-        assert_eq!(result.message, long_message);
-        assert!(!result.success);
-    }
-
-    #[test]
-    fn test_service_command_with_different_configs() {
-        let config1 = RustFSConfig {
-            address: "127.0.0.1:9000".to_string(),
-            host: "127.0.0.1".to_string(),
-            port: "9000".to_string(),
-            access_key: "admin1".to_string(),
-            secret_key: "pass1".to_string(),
-            domain_name: "test1.com".to_string(),
-            volume_name: "/data1".to_string(),
-            console_address: "127.0.0.1:9001".to_string(),
-        };
-
-        let config2 = RustFSConfig {
-            address: "192.168.1.100:8080".to_string(),
-            host: "192.168.1.100".to_string(),
-            port: "8080".to_string(),
-            access_key: "admin2".to_string(),
-            secret_key: "pass2".to_string(),
-            domain_name: "test2.com".to_string(),
-            volume_name: "/data2".to_string(),
-            console_address: "192.168.1.100:8081".to_string(),
-        };
-
-        let start_cmd1 = ServiceCommand::Start(config1);
-        let restart_cmd2 = ServiceCommand::Restart(config2);
-
-        // Test that different configs can be used
-        match start_cmd1 {
-            ServiceCommand::Start(config) => {
-                assert_eq!(config.address, "127.0.0.1:9000");
-                assert_eq!(config.access_key, "admin1");
-            }
-            _ => panic!("Expected Start command"),
-        }
-
-        match restart_cmd2 {
-            ServiceCommand::Restart(config) => {
-                assert_eq!(config.address, "192.168.1.100:8080");
-                assert_eq!(config.access_key, "admin2");
-            }
-            _ => panic!("Expected Restart command"),
-        }
-    }
-
-    #[test]
-    fn test_memory_efficiency() {
-        // Test that structures don't use excessive memory
-        assert!(std::mem::size_of::<ServiceCommand>() < 2000);
-        assert!(std::mem::size_of::<ServiceOperationResult>() < 1000);
-        assert!(std::mem::size_of::<ServiceManager>() < 1000);
-    }
-
-    // Note: The following methods are not tested here because they require:
-    // - Async runtime (tokio)
-    // - File system access
-    // - Network access
-    // - Process management
-    // - External dependencies (embedded assets)
-    //
-    // These should be tested in integration tests:
-    // - check_service_status()
-    // - prepare_service()
-    // - start_service()
-    // - stop_service()
-    // - is_port_in_use()
-    // - ServiceManager::start()
-    // - ServiceManager::stop()
-    // - ServiceManager::restart()
-    //
-    // The RUSTFS_HASH lazy_static is also not tested here as it depends
-    // on embedded assets that may not be available in unit test environment.
-}
--- a/cli/rustfs-gui/src/utils/logger.rs
+++ b/cli/rustfs-gui/src/utils/logger.rs
@@ -1,300 +0,0 @@
-// Copyright 2024 RustFS Team
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-use dioxus::logger::tracing::debug;
-use tracing_appender::non_blocking::WorkerGuard;
-use tracing_appender::rolling::{RollingFileAppender, Rotation};
-use tracing_subscriber::fmt;
-use tracing_subscriber::layer::SubscriberExt;
-use tracing_subscriber::util::SubscriberInitExt;
-
-/// Initialize the logger with a rolling file appender
-/// that rotates log files daily
-pub fn init_logger() -> WorkerGuard {
-    // configuring rolling logs rolling by day
-    let home_dir = dirs::home_dir().expect("无法获取用户目录");
-    let rustfs_dir = home_dir.join("rustfs");
-    let logs_dir = rustfs_dir.join("logs");
-    let file_appender = RollingFileAppender::builder()
-        .rotation(Rotation::DAILY) // rotate log files once every hour
-        .filename_prefix("rustfs-cli") // log file names will be prefixed with `myapp.`
-        .filename_suffix("log") // log file names will be suffixed with `.log`
-        .build(logs_dir) // try to build an appender that stores log files in `/ var/ log`
-        .expect("initializing rolling file appender failed");
-    // non-blocking writer for improved performance
-    let (non_blocking_file, worker_guard) = tracing_appender::non_blocking(file_appender);
-
-    // console output layer
-    let console_layer = fmt::layer()
-        .with_writer(std::io::stdout)
-        .with_ansi(true)
-        .with_line_number(true); // enable colors in the console
-
-    // file output layer
-    let file_layer = fmt::layer()
-        .with_writer(non_blocking_file)
-        .with_ansi(false)
-        .with_thread_names(true)
-        .with_target(true)
-        .with_thread_ids(true)
-        .with_level(true)
-        .with_line_number(true); // disable colors in the file
-
-    // Combine all tiers and initialize global subscribers
-    tracing_subscriber::registry()
-        .with(console_layer)
-        .with(file_layer)
-        .with(tracing_subscriber::EnvFilter::new("info")) // filter the log level by environment variables
-        .init();
-    debug!("Logger initialized");
-    worker_guard
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use std::sync::Once;
-
-    static INIT: Once = Once::new();
-
-    // Helper function to ensure logger is only initialized once in tests
-    fn ensure_logger_init() {
-        INIT.call_once(|| {
-            // Initialize a simple test logger to avoid conflicts
-            let _ = tracing_subscriber::fmt().with_test_writer().try_init();
-        });
-    }
-
-    #[test]
-    fn test_logger_initialization_components() {
-        ensure_logger_init();
-
-        // Test that we can create the components used in init_logger
-        // without actually initializing the global logger again
-
-        // Test home directory access
-        let home_dir_result = dirs::home_dir();
-        assert!(home_dir_result.is_some(), "Should be able to get home directory");
-
-        let home_dir = home_dir_result.unwrap();
-        let rustfs_dir = home_dir.join("rustfs");
-        let logs_dir = rustfs_dir.join("logs");
-
-        // Test path construction
-        assert!(rustfs_dir.to_string_lossy().contains("rustfs"));
-        assert!(logs_dir.to_string_lossy().contains("logs"));
-    }
-
-    #[test]
-    fn test_rolling_file_appender_builder() {
-        ensure_logger_init();
-
-        // Test that we can create a RollingFileAppender builder
-        let builder = RollingFileAppender::builder()
-            .rotation(Rotation::DAILY)
-            .filename_prefix("test-rustfs-cli")
-            .filename_suffix("log");
-
-        // We can't actually build it without creating directories,
-        // but we can verify the builder pattern works
-        let debug_str = format!("{builder:?}");
-        // The actual debug format might be different, so just check it's not empty
-        assert!(!debug_str.is_empty());
-        // Check that it contains some expected parts
-        assert!(debug_str.contains("Builder") || debug_str.contains("builder") || debug_str.contains("RollingFileAppender"));
-    }
-
-    #[test]
-    fn test_rotation_types() {
-        ensure_logger_init();
-
-        // Test different rotation types
-        let daily = Rotation::DAILY;
-        let hourly = Rotation::HOURLY;
-        let minutely = Rotation::MINUTELY;
-        let never = Rotation::NEVER;
-
-        // Test that rotation types can be created and formatted
-        assert!(!format!("{daily:?}").is_empty());
-        assert!(!format!("{hourly:?}").is_empty());
-        assert!(!format!("{minutely:?}").is_empty());
-        assert!(!format!("{never:?}").is_empty());
-    }
-
-    #[test]
-    fn test_fmt_layer_configuration() {
-        ensure_logger_init();
-
-        // Test that we can create fmt layers with different configurations
-        // We can't actually test the layers directly due to type complexity,
-        // but we can test that the configuration values are correct
-
-        // Test console layer settings
-        let console_ansi = true;
-        let console_line_number = true;
-        assert!(console_ansi);
-        assert!(console_line_number);
-
-        // Test file layer settings
-        let file_ansi = false;
-        let file_thread_names = true;
-        let file_target = true;
-        let file_thread_ids = true;
-        let file_level = true;
-        let file_line_number = true;
-
-        assert!(!file_ansi);
-        assert!(file_thread_names);
-        assert!(file_target);
-        assert!(file_thread_ids);
-        assert!(file_level);
-        assert!(file_line_number);
-    }
-
-    #[test]
-    fn test_env_filter_creation() {
-        ensure_logger_init();
-
-        // Test that EnvFilter can be created with different levels
-        let info_filter = tracing_subscriber::EnvFilter::new("info");
-        let debug_filter = tracing_subscriber::EnvFilter::new("debug");
-        let warn_filter = tracing_subscriber::EnvFilter::new("warn");
-        let error_filter = tracing_subscriber::EnvFilter::new("error");
-
-        // Test that filters can be created
-        assert!(!format!("{info_filter:?}").is_empty());
-        assert!(!format!("{debug_filter:?}").is_empty());
-        assert!(!format!("{warn_filter:?}").is_empty());
-        assert!(!format!("{error_filter:?}").is_empty());
-    }
-
-    #[test]
-    fn test_path_construction() {
-        ensure_logger_init();
-
-        // Test path construction logic used in init_logger
-        if let Some(home_dir) = dirs::home_dir() {
-            let rustfs_dir = home_dir.join("rustfs");
-            let logs_dir = rustfs_dir.join("logs");
-
-            // Test that paths are constructed correctly
-            assert!(rustfs_dir.ends_with("rustfs"));
-            assert!(logs_dir.ends_with("logs"));
-            assert!(logs_dir.parent().unwrap().ends_with("rustfs"));
-
-            // Test path string representation
-            let rustfs_str = rustfs_dir.to_string_lossy();
-            let logs_str = logs_dir.to_string_lossy();
-
-            assert!(rustfs_str.contains("rustfs"));
-            assert!(logs_str.contains("rustfs"));
-            assert!(logs_str.contains("logs"));
-        }
-    }
-
-    #[test]
-    fn test_filename_patterns() {
-        ensure_logger_init();
-
-        // Test the filename patterns used in the logger
-        let prefix = "rustfs-cli";
-        let suffix = "log";
-
-        assert_eq!(prefix, "rustfs-cli");
-        assert_eq!(suffix, "log");
-
-        // Test that these would create valid filenames
-        let sample_filename = format!("{prefix}.2024-01-01.{suffix}");
-        assert_eq!(sample_filename, "rustfs-cli.2024-01-01.log");
-    }
-
-    #[test]
-    fn test_worker_guard_type() {
-        ensure_logger_init();
-
-        // Test that WorkerGuard type exists and can be referenced
-        // We can't actually create one without the full setup, but we can test the type
-        let guard_size = std::mem::size_of::<WorkerGuard>();
-        assert!(guard_size > 0, "WorkerGuard should have non-zero size");
-    }
-
-    #[test]
-    fn test_logger_configuration_constants() {
-        ensure_logger_init();
-
-        // Test the configuration values used in the logger
-        let default_log_level = "info";
-        let filename_prefix = "rustfs-cli";
-        let filename_suffix = "log";
-        let rotation = Rotation::DAILY;
-
-        assert_eq!(default_log_level, "info");
-        assert_eq!(filename_prefix, "rustfs-cli");
-        assert_eq!(filename_suffix, "log");
-        assert!(matches!(rotation, Rotation::DAILY));
-    }
-
-    #[test]
-    fn test_directory_names() {
-        ensure_logger_init();
-
-        // Test the directory names used in the logger setup
-        let rustfs_dir_name = "rustfs";
-        let logs_dir_name = "logs";
-
-        assert_eq!(rustfs_dir_name, "rustfs");
-        assert_eq!(logs_dir_name, "logs");
-
-        // Test path joining
-        let combined = format!("{rustfs_dir_name}/{logs_dir_name}");
-        assert_eq!(combined, "rustfs/logs");
-    }
-
-    #[test]
-    fn test_layer_settings() {
-        ensure_logger_init();
-
-        // Test the boolean settings used in layer configuration
-        let console_ansi = true;
-        let console_line_number = true;
-        let file_ansi = false;
-        let file_thread_names = true;
-        let file_target = true;
-        let file_thread_ids = true;
-        let file_level = true;
-        let file_line_number = true;
-
-        // Verify the settings
-        assert!(console_ansi);
-        assert!(console_line_number);
-        assert!(!file_ansi);
-        assert!(file_thread_names);
-        assert!(file_target);
-        assert!(file_thread_ids);
-        assert!(file_level);
-        assert!(file_line_number);
-    }
-
-    // Note: The actual init_logger() function is not tested here because:
-    // 1. It initializes a global tracing subscriber which can only be done once
-    // 2. It requires file system access to create directories
-    // 3. It has side effects that would interfere with other tests
-    // 4. It returns a WorkerGuard that needs to be kept alive
-    //
-    // This function should be tested in integration tests where:
-    // - File system access can be properly controlled
-    // - The global state can be managed
-    // - The actual logging behavior can be verified
-    // - The WorkerGuard lifecycle can be properly managed
-}
--- a/cli/rustfs-gui/src/views/app.rs
+++ b/cli/rustfs-gui/src/views/app.rs
@@ -1,38 +0,0 @@
-// Copyright 2024 RustFS Team
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-use crate::route::Route;
-use dioxus::logger::tracing::info;
-use dioxus::prelude::*;
-
-const FAVICON: Asset = asset!("/assets/favicon.ico");
-const TAILWIND_CSS: Asset = asset!("/assets/tailwind.css");
-
-/// The main application component
-/// This is the root component of the application
-/// It contains the global resources and the router
-/// for the application
-#[component]
-pub fn App() -> Element {
-    // Build cool things ✌️
-    use document::{Link, Title};
-    info!("App rendered");
-    rsx! {
-        // Global app resources
-        Link { rel: "icon", href: FAVICON }
-        Link { rel: "stylesheet", href: TAILWIND_CSS }
-        Title { "RustFS" }
-        Router::<Route> {}
-    }
-}
--- a/cli/rustfs-gui/src/views/home.rs
+++ b/cli/rustfs-gui/src/views/home.rs
@@ -1,23 +0,0 @@
-// Copyright 2024 RustFS Team
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-use crate::components::Home;
-use dioxus::prelude::*;
-
-#[component]
-pub fn HomeViews() -> Element {
-    rsx! {
-        Home {}
-    }
-}
--- a/cli/rustfs-gui/src/views/setting.rs
+++ b/cli/rustfs-gui/src/views/setting.rs
@@ -1,23 +0,0 @@
-// Copyright 2024 RustFS Team
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-use crate::components::Setting;
-use dioxus::prelude::*;
-
-#[component]
-pub fn SettingViews() -> Element {
-    rsx! {
-        Setting {}
-    }
-}
--- a/cli/rustfs-gui/tailwind.config.js
+++ b/cli/rustfs-gui/tailwind.config.js
@@ -1,24 +0,0 @@
-/**
- * Copyright 2024 RustFS Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module.exports = {
-    mode: "all",
-    content: ["./src/**/*.{rs,html,css}", "./dist/**/*.html"],
-    theme: {
-        extend: {},
-    },
-    plugins: [],
-};
--- a/crates/ahm/Cargo.toml
+++ b/crates/ahm/Cargo.toml
@@ -13,6 +13,7 @@ keywords = ["RustFS", "AHM", "health-management", "scanner", "Minio"]
 categories = ["web-programming", "development-tools", "filesystem"]

 [dependencies]
+rustfs-config = { workspace = true }
 rustfs-ecstore = { workspace = true }
 rustfs-common = { workspace = true }
 rustfs-filemeta = { workspace = true }
@@ -22,20 +23,23 @@ tokio = { workspace = true, features = ["full"] }
 tokio-util = { workspace = true }
 tracing = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
+time = { workspace = true }
 serde_json = { workspace = true }
 thiserror = { workspace = true }
-bytes = { workspace = true }
-time = { workspace = true, features = ["serde"] }
 uuid = { workspace = true, features = ["v4", "serde"] }
 anyhow = { workspace = true }
 async-trait = { workspace = true }
 futures = { workspace = true }
-url = { workspace = true }
-rustfs-lock = { workspace = true }
-
-lazy_static = { workspace = true }
+s3s = { workspace = true }
+chrono = { workspace = true }
+rand = { workspace = true }
+reqwest = { workspace = true }
+tempfile = { workspace = true }
+walkdir = { workspace = true }

 [dev-dependencies]
-rmp-serde = { workspace = true }
-tokio-test = { workspace = true }
 serde_json = { workspace = true }
+serial_test = { workspace = true }
+tracing-subscriber = { workspace = true }
+tempfile = { workspace = true }
+heed = { workspace = true }
--- a/crates/ahm/src/error.rs
+++ b/crates/ahm/src/error.rs
@@ -14,6 +14,10 @@

 use thiserror::Error;

+/// Custom error type for AHM operations
+/// This enum defines various error variants that can occur during
+/// the execution of AHM-related tasks, such as I/O errors, storage errors,
+/// configuration errors, and specific errors related to healing operations.
 #[derive(Debug, Error)]
 pub enum Error {
    #[error("I/O error: {0}")]
@@ -22,22 +26,84 @@ pub enum Error {
    #[error("Storage error: {0}")]
    Storage(#[from] rustfs_ecstore::error::Error),

+    #[error("Disk error: {0}")]
+    Disk(#[from] rustfs_ecstore::disk::error::DiskError),
+
    #[error("Configuration error: {0}")]
    Config(String),

+    #[error("Heal configuration error: {message}")]
+    ConfigurationError { message: String },
+
+    #[error("Other error: {0}")]
+    Other(String),
+
+    #[error(transparent)]
+    Anyhow(#[from] anyhow::Error),
+
+    // Scanner
    #[error("Scanner error: {0}")]
    Scanner(String),

    #[error("Metrics error: {0}")]
    Metrics(String),

-    #[error(transparent)]
-    Other(#[from] anyhow::Error),
+    #[error("Serialization error: {0}")]
+    Serialization(String),
+
+    #[error("IO error: {0}")]
+    IO(String),
+
+    #[error("Not found: {0}")]
+    NotFound(String),
+
+    #[error("Invalid checkpoint: {0}")]
+    InvalidCheckpoint(String),
+
+    // Heal
+    #[error("Heal task not found: {task_id}")]
+    TaskNotFound { task_id: String },
+
+    #[error("Heal task already exists: {task_id}")]
+    TaskAlreadyExists { task_id: String },
+
+    #[error("Heal manager is not running")]
+    ManagerNotRunning,
+
+    #[error("Heal task execution failed: {message}")]
+    TaskExecutionFailed { message: String },
+
+    #[error("Invalid heal type: {heal_type}")]
+    InvalidHealType { heal_type: String },
+
+    #[error("Heal task cancelled")]
+    TaskCancelled,
+
+    #[error("Heal task timeout")]
+    TaskTimeout,
+
+    #[error("Heal event processing failed: {message}")]
+    EventProcessingFailed { message: String },
+
+    #[error("Heal progress tracking failed: {message}")]
+    ProgressTrackingFailed { message: String },
 }

+/// A specialized Result type for AHM operations
+///This type is a convenient alias for results returned by functions in the AHM crate,
+/// using the custom Error type defined above.
 pub type Result<T, E = Error> = std::result::Result<T, E>;

-// Implement conversion from ahm::Error to std::io::Error for use in main.rs
+impl Error {
+    /// Create an Other error from any error type
+    pub fn other<E>(error: E) -> Self
+    where
+        E: Into<Box<dyn std::error::Error + Send + Sync>>,
+    {
+        Error::Other(error.into().to_string())
+    }
+}
+
 impl From<Error> for std::io::Error {
    fn from(err: Error) -> Self {
        std::io::Error::other(err)
--- a/crates/ahm/src/heal/channel.rs
+++ b/crates/ahm/src/heal/channel.rs
@@ -0,0 +1,565 @@
+// Copyright 2024 RustFS Team
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use crate::heal::{
+    manager::HealManager,
+    task::{HealOptions, HealPriority, HealRequest, HealType},
+    utils,
+};
+use crate::{Error, Result};
+use rustfs_common::heal_channel::{
+    HealChannelCommand, HealChannelPriority, HealChannelReceiver, HealChannelRequest, HealChannelResponse, HealScanMode,
+    publish_heal_response,
+};
+use std::sync::Arc;
+use tokio::sync::mpsc;
+use tracing::{debug, error, info};
+
+/// Heal channel processor
+pub struct HealChannelProcessor {
+    /// Heal manager
+    heal_manager: Arc<HealManager>,
+    /// Response sender
+    response_sender: mpsc::UnboundedSender<HealChannelResponse>,
+    /// Response receiver
+    response_receiver: mpsc::UnboundedReceiver<HealChannelResponse>,
+}
+
+impl HealChannelProcessor {
+    /// Create new HealChannelProcessor
+    pub fn new(heal_manager: Arc<HealManager>) -> Self {
+        let (response_tx, response_rx) = mpsc::unbounded_channel();
+        Self {
+            heal_manager,
+            response_sender: response_tx,
+            response_receiver: response_rx,
+        }
+    }
+
+    /// Start processing heal channel requests
+    pub async fn start(&mut self, mut receiver: HealChannelReceiver) -> Result<()> {
+        info!("Starting heal channel processor");
+
+        loop {
+            tokio::select! {
+                command = receiver.recv() => {
+                    match command {
+                        Some(command) => {
+                            if let Err(e) = self.process_command(command).await {
+                                error!("Failed to process heal command: {}", e);
+                            }
+                        }
+                        None => {
+                            debug!("Heal channel receiver closed, stopping processor");
+                            break;
+                        }
+                    }
+                }
+                response = self.response_receiver.recv() => {
+                    if let Some(response) = response {
+                        // Handle response if needed
+                        info!("Received heal response for request: {}", response.request_id);
+                    }
+                }
+            }
+        }
+
+        info!("Heal channel processor stopped");
+        Ok(())
+    }
+
+    /// Process heal command
+    async fn process_command(&self, command: HealChannelCommand) -> Result<()> {
+        match command {
+            HealChannelCommand::Start(request) => self.process_start_request(request).await,
+            HealChannelCommand::Query { heal_path, client_token } => self.process_query_request(heal_path, client_token).await,
+            HealChannelCommand::Cancel { heal_path } => self.process_cancel_request(heal_path).await,
+        }
+    }
+
+    /// Process start request
+    async fn process_start_request(&self, request: HealChannelRequest) -> Result<()> {
+        info!(
+            "Processing heal start request: {} for bucket: {}/{}",
+            request.id,
+            request.bucket,
+            request.object_prefix.as_deref().unwrap_or("")
+        );
+
+        // Convert channel request to heal request
+        let heal_request = self.convert_to_heal_request(request.clone())?;
+
+        // Submit to heal manager
+        match self.heal_manager.submit_heal_request(heal_request).await {
+            Ok(task_id) => {
+                info!("Successfully submitted heal request: {} as task: {}", request.id, task_id);
+
+                let response = HealChannelResponse {
+                    request_id: request.id,
+                    success: true,
+                    data: Some(format!("Task ID: {task_id}").into_bytes()),
+                    error: None,
+                };
+
+                self.publish_response(response);
+            }
+            Err(e) => {
+                error!("Failed to submit heal request: {} - {}", request.id, e);
+
+                // Send error response
+                let response = HealChannelResponse {
+                    request_id: request.id,
+                    success: false,
+                    data: None,
+                    error: Some(e.to_string()),
+                };
+
+                self.publish_response(response);
+            }
+        }
+
+        Ok(())
+    }
+
+    /// Process query request
+    async fn process_query_request(&self, heal_path: String, client_token: String) -> Result<()> {
+        info!("Processing heal query request for path: {}", heal_path);
+
+        // TODO: Implement query logic based on heal_path and client_token
+        // For now, return a placeholder response
+        let response = HealChannelResponse {
+            request_id: client_token,
+            success: true,
+            data: Some(format!("Query result for path: {heal_path}").into_bytes()),
+            error: None,
+        };
+
+        self.publish_response(response);
+
+        Ok(())
+    }
+
+    /// Process cancel request
+    async fn process_cancel_request(&self, heal_path: String) -> Result<()> {
+        info!("Processing heal cancel request for path: {}", heal_path);
+
+        // TODO: Implement cancel logic based on heal_path
+        // For now, return a placeholder response
+        let response = HealChannelResponse {
+            request_id: heal_path.clone(),
+            success: true,
+            data: Some(format!("Cancel request for path: {heal_path}").into_bytes()),
+            error: None,
+        };
+
+        self.publish_response(response);
+
+        Ok(())
+    }
+
+    /// Convert channel request to heal request
+    fn convert_to_heal_request(&self, request: HealChannelRequest) -> Result<HealRequest> {
+        let heal_type = if let Some(disk_id) = &request.disk {
+            let set_disk_id = utils::normalize_set_disk_id(disk_id).ok_or_else(|| Error::InvalidHealType {
+                heal_type: format!("erasure-set({disk_id})"),
+            })?;
+            HealType::ErasureSet {
+                buckets: vec![],
+                set_disk_id,
+            }
+        } else if let Some(prefix) = &request.object_prefix {
+            if !prefix.is_empty() {
+                HealType::Object {
+                    bucket: request.bucket.clone(),
+                    object: prefix.clone(),
+                    version_id: None,
+                }
+            } else {
+                HealType::Bucket {
+                    bucket: request.bucket.clone(),
+                }
+            }
+        } else {
+            HealType::Bucket {
+                bucket: request.bucket.clone(),
+            }
+        };
+
+        let priority = match request.priority {
+            HealChannelPriority::Low => HealPriority::Low,
+            HealChannelPriority::Normal => HealPriority::Normal,
+            HealChannelPriority::High => HealPriority::High,
+            HealChannelPriority::Critical => HealPriority::Urgent,
+        };
+
+        // Build HealOptions with all available fields
+        let mut options = HealOptions {
+            scan_mode: request.scan_mode.unwrap_or(HealScanMode::Normal),
+            remove_corrupted: request.remove_corrupted.unwrap_or(false),
+            recreate_missing: request.recreate_missing.unwrap_or(true),
+            update_parity: request.update_parity.unwrap_or(true),
+            recursive: request.recursive.unwrap_or(false),
+            dry_run: request.dry_run.unwrap_or(false),
+            timeout: request.timeout_seconds.map(std::time::Duration::from_secs),
+            pool_index: request.pool_index,
+            set_index: request.set_index,
+        };
+
+        // Apply force_start overrides
+        if request.force_start {
+            options.remove_corrupted = true;
+            options.recreate_missing = true;
+            options.update_parity = true;
+        }
+
+        Ok(HealRequest::new(heal_type, options, priority))
+    }
+
+    fn publish_response(&self, response: HealChannelResponse) {
+        // Try to send to local channel first, but don't block broadcast on failure
+        if let Err(e) = self.response_sender.send(response.clone()) {
+            error!("Failed to enqueue heal response locally: {}", e);
+        }
+        // Always attempt to broadcast, even if local send failed
+        // Use the original response for broadcast; local send uses a clone
+        if let Err(e) = publish_heal_response(response) {
+            error!("Failed to broadcast heal response: {}", e);
+        }
+    }
+
+    /// Get response sender for external use
+    pub fn get_response_sender(&self) -> mpsc::UnboundedSender<HealChannelResponse> {
+        self.response_sender.clone()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::heal::storage::HealStorageAPI;
+    use rustfs_common::heal_channel::{HealChannelPriority, HealChannelRequest, HealScanMode};
+    use std::sync::Arc;
+
+    // Mock storage for testing
+    struct MockStorage;
+    #[async_trait::async_trait]
+    impl HealStorageAPI for MockStorage {
+        async fn get_object_meta(
+            &self,
+            _bucket: &str,
+            _object: &str,
+        ) -> crate::Result<Option<rustfs_ecstore::store_api::ObjectInfo>> {
+            Ok(None)
+        }
+        async fn get_object_data(&self, _bucket: &str, _object: &str) -> crate::Result<Option<Vec<u8>>> {
+            Ok(None)
+        }
+        async fn put_object_data(&self, _bucket: &str, _object: &str, _data: &[u8]) -> crate::Result<()> {
+            Ok(())
+        }
+        async fn delete_object(&self, _bucket: &str, _object: &str) -> crate::Result<()> {
+            Ok(())
+        }
+        async fn verify_object_integrity(&self, _bucket: &str, _object: &str) -> crate::Result<bool> {
+            Ok(true)
+        }
+        async fn ec_decode_rebuild(&self, _bucket: &str, _object: &str) -> crate::Result<Vec<u8>> {
+            Ok(vec![])
+        }
+        async fn get_disk_status(
+            &self,
+            _endpoint: &rustfs_ecstore::disk::endpoint::Endpoint,
+        ) -> crate::Result<crate::heal::storage::DiskStatus> {
+            Ok(crate::heal::storage::DiskStatus::Ok)
+        }
+        async fn format_disk(&self, _endpoint: &rustfs_ecstore::disk::endpoint::Endpoint) -> crate::Result<()> {
+            Ok(())
+        }
+        async fn get_bucket_info(&self, _bucket: &str) -> crate::Result<Option<rustfs_ecstore::store_api::BucketInfo>> {
+            Ok(None)
+        }
+        async fn heal_bucket_metadata(&self, _bucket: &str) -> crate::Result<()> {
+            Ok(())
+        }
+        async fn list_buckets(&self) -> crate::Result<Vec<rustfs_ecstore::store_api::BucketInfo>> {
+            Ok(vec![])
+        }
+        async fn object_exists(&self, _bucket: &str, _object: &str) -> crate::Result<bool> {
+            Ok(false)
+        }
+        async fn get_object_size(&self, _bucket: &str, _object: &str) -> crate::Result<Option<u64>> {
+            Ok(None)
+        }
+        async fn get_object_checksum(&self, _bucket: &str, _object: &str) -> crate::Result<Option<String>> {
+            Ok(None)
+        }
+        async fn heal_object(
+            &self,
+            _bucket: &str,
+            _object: &str,
+            _version_id: Option<&str>,
+            _opts: &rustfs_common::heal_channel::HealOpts,
+        ) -> crate::Result<(rustfs_madmin::heal_commands::HealResultItem, Option<crate::Error>)> {
+            Ok((rustfs_madmin::heal_commands::HealResultItem::default(), None))
+        }
+        async fn heal_bucket(
+            &self,
+            _bucket: &str,
+            _opts: &rustfs_common::heal_channel::HealOpts,
+        ) -> crate::Result<rustfs_madmin::heal_commands::HealResultItem> {
+            Ok(rustfs_madmin::heal_commands::HealResultItem::default())
+        }
+        async fn heal_format(
+            &self,
+            _dry_run: bool,
+        ) -> crate::Result<(rustfs_madmin::heal_commands::HealResultItem, Option<crate::Error>)> {
+            Ok((rustfs_madmin::heal_commands::HealResultItem::default(), None))
+        }
+        async fn list_objects_for_heal(&self, _bucket: &str, _prefix: &str) -> crate::Result<Vec<String>> {
+            Ok(vec![])
+        }
+        async fn list_objects_for_heal_page(
+            &self,
+            _bucket: &str,
+            _prefix: &str,
+            _continuation_token: Option<&str>,
+        ) -> crate::Result<(Vec<String>, Option<String>, bool)> {
+            Ok((vec![], None, false))
+        }
+        async fn get_disk_for_resume(&self, _set_disk_id: &str) -> crate::Result<rustfs_ecstore::disk::DiskStore> {
+            Err(crate::Error::other("Not implemented in mock"))
+        }
+    }
+
+    fn create_test_heal_manager() -> Arc<HealManager> {
+        let storage: Arc<dyn HealStorageAPI> = Arc::new(MockStorage);
+        Arc::new(HealManager::new(storage, None))
+    }
+
+    #[test]
+    fn test_heal_channel_processor_new() {
+        let heal_manager = create_test_heal_manager();
+        let processor = HealChannelProcessor::new(heal_manager);
+
+        // Verify processor is created successfully
+        let _sender = processor.get_response_sender();
+        // If we can get the sender, processor was created correctly
+    }
+
+    #[tokio::test]
+    async fn test_convert_to_heal_request_bucket() {
+        let heal_manager = create_test_heal_manager();
+        let processor = HealChannelProcessor::new(heal_manager);
+
+        let channel_request = HealChannelRequest {
+            id: "test-id".to_string(),
+            bucket: "test-bucket".to_string(),
+            object_prefix: None,
+            disk: None,
+            priority: HealChannelPriority::Normal,
+            scan_mode: None,
+            remove_corrupted: None,
+            recreate_missing: None,
+            update_parity: None,
+            recursive: None,
+            dry_run: None,
+            timeout_seconds: None,
+            pool_index: None,
+            set_index: None,
+            force_start: false,
+        };
+
+        let heal_request = processor.convert_to_heal_request(channel_request).unwrap();
+        assert!(matches!(heal_request.heal_type, HealType::Bucket { .. }));
+        assert_eq!(heal_request.priority, HealPriority::Normal);
+    }
+
+    #[tokio::test]
+    async fn test_convert_to_heal_request_object() {
+        let heal_manager = create_test_heal_manager();
+        let processor = HealChannelProcessor::new(heal_manager);
+
+        let channel_request = HealChannelRequest {
+            id: "test-id".to_string(),
+            bucket: "test-bucket".to_string(),
+            object_prefix: Some("test-object".to_string()),
+            disk: None,
+            priority: HealChannelPriority::High,
+            scan_mode: Some(HealScanMode::Deep),
+            remove_corrupted: Some(true),
+            recreate_missing: Some(true),
+            update_parity: Some(true),
+            recursive: Some(false),
+            dry_run: Some(false),
+            timeout_seconds: Some(300),
+            pool_index: Some(0),
+            set_index: Some(1),
+            force_start: false,
+        };
+
+        let heal_request = processor.convert_to_heal_request(channel_request).unwrap();
+        assert!(matches!(heal_request.heal_type, HealType::Object { .. }));
+        assert_eq!(heal_request.priority, HealPriority::High);
+        assert_eq!(heal_request.options.scan_mode, HealScanMode::Deep);
+        assert!(heal_request.options.remove_corrupted);
+        assert!(heal_request.options.recreate_missing);
+    }
+
+    #[tokio::test]
+    async fn test_convert_to_heal_request_erasure_set() {
+        let heal_manager = create_test_heal_manager();
+        let processor = HealChannelProcessor::new(heal_manager);
+
+        let channel_request = HealChannelRequest {
+            id: "test-id".to_string(),
+            bucket: "test-bucket".to_string(),
+            object_prefix: None,
+            disk: Some("pool_0_set_1".to_string()),
+            priority: HealChannelPriority::Critical,
+            scan_mode: None,
+            remove_corrupted: None,
+            recreate_missing: None,
+            update_parity: None,
+            recursive: None,
+            dry_run: None,
+            timeout_seconds: None,
+            pool_index: None,
+            set_index: None,
+            force_start: false,
+        };
+
+        let heal_request = processor.convert_to_heal_request(channel_request).unwrap();
+        assert!(matches!(heal_request.heal_type, HealType::ErasureSet { .. }));
+        assert_eq!(heal_request.priority, HealPriority::Urgent);
+    }
+
+    #[tokio::test]
+    async fn test_convert_to_heal_request_invalid_disk_id() {
+        let heal_manager = create_test_heal_manager();
+        let processor = HealChannelProcessor::new(heal_manager);
+
+        let channel_request = HealChannelRequest {
+            id: "test-id".to_string(),
+            bucket: "test-bucket".to_string(),
+            object_prefix: None,
+            disk: Some("invalid-disk-id".to_string()),
+            priority: HealChannelPriority::Normal,
+            scan_mode: None,
+            remove_corrupted: None,
+            recreate_missing: None,
+            update_parity: None,
+            recursive: None,
+            dry_run: None,
+            timeout_seconds: None,
+            pool_index: None,
+            set_index: None,
+            force_start: false,
+        };
+
+        let result = processor.convert_to_heal_request(channel_request);
+        assert!(result.is_err());
+    }
+
+    #[tokio::test]
+    async fn test_convert_to_heal_request_priority_mapping() {
+        let heal_manager = create_test_heal_manager();
+        let processor = HealChannelProcessor::new(heal_manager);
+
+        let priorities = vec![
+            (HealChannelPriority::Low, HealPriority::Low),
+            (HealChannelPriority::Normal, HealPriority::Normal),
+            (HealChannelPriority::High, HealPriority::High),
+            (HealChannelPriority::Critical, HealPriority::Urgent),
+        ];
+
+        for (channel_priority, expected_heal_priority) in priorities {
+            let channel_request = HealChannelRequest {
+                id: "test-id".to_string(),
+                bucket: "test-bucket".to_string(),
+                object_prefix: None,
+                disk: None,
+                priority: channel_priority,
+                scan_mode: None,
+                remove_corrupted: None,
+                recreate_missing: None,
+                update_parity: None,
+                recursive: None,
+                dry_run: None,
+                timeout_seconds: None,
+                pool_index: None,
+                set_index: None,
+                force_start: false,
+            };
+
+            let heal_request = processor.convert_to_heal_request(channel_request).unwrap();
+            assert_eq!(heal_request.priority, expected_heal_priority);
+        }
+    }
+
+    #[tokio::test]
+    async fn test_convert_to_heal_request_force_start() {
+        let heal_manager = create_test_heal_manager();
+        let processor = HealChannelProcessor::new(heal_manager);
+
+        let channel_request = HealChannelRequest {
+            id: "test-id".to_string(),
+            bucket: "test-bucket".to_string(),
+            object_prefix: None,
+            disk: None,
+            priority: HealChannelPriority::Normal,
+            scan_mode: None,
+            remove_corrupted: Some(false),
+            recreate_missing: Some(false),
+            update_parity: Some(false),
+            recursive: None,
+            dry_run: None,
+            timeout_seconds: None,
+            pool_index: None,
+            set_index: None,
+            force_start: true, // Should override the above false values
+        };
+
+        let heal_request = processor.convert_to_heal_request(channel_request).unwrap();
+        assert!(heal_request.options.remove_corrupted);
+        assert!(heal_request.options.recreate_missing);
+        assert!(heal_request.options.update_parity);
+    }
+
+    #[tokio::test]
+    async fn test_convert_to_heal_request_empty_object_prefix() {
+        let heal_manager = create_test_heal_manager();
+        let processor = HealChannelProcessor::new(heal_manager);
+
+        let channel_request = HealChannelRequest {
+            id: "test-id".to_string(),
+            bucket: "test-bucket".to_string(),
+            object_prefix: Some("".to_string()), // Empty prefix should be treated as bucket heal
+            disk: None,
+            priority: HealChannelPriority::Normal,
+            scan_mode: None,
+            remove_corrupted: None,
+            recreate_missing: None,
+            update_parity: None,
+            recursive: None,
+            dry_run: None,
+            timeout_seconds: None,
+            pool_index: None,
+            set_index: None,
+            force_start: false,
+        };
+
+        let heal_request = processor.convert_to_heal_request(channel_request).unwrap();
+        assert!(matches!(heal_request.heal_type, HealType::Bucket { .. }));
+    }
+}
--- a/crates/ahm/src/heal/erasure_healer.rs
+++ b/crates/ahm/src/heal/erasure_healer.rs
@@ -0,0 +1,574 @@
+// Copyright 2024 RustFS Team
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use crate::heal::{
+    progress::HealProgress,
+    resume::{CheckpointManager, ResumeManager, ResumeUtils},
+    storage::HealStorageAPI,
+};
+use crate::{Error, Result};
+use futures::future::join_all;
+use rustfs_common::heal_channel::{HealOpts, HealScanMode};
+use rustfs_ecstore::disk::DiskStore;
+use std::sync::Arc;
+use tokio::sync::RwLock;
+use tracing::{error, info, warn};
+
+/// Erasure Set Healer
+pub struct ErasureSetHealer {
+    storage: Arc<dyn HealStorageAPI>,
+    progress: Arc<RwLock<HealProgress>>,
+    cancel_token: tokio_util::sync::CancellationToken,
+    disk: DiskStore,
+}
+
+impl ErasureSetHealer {
+    pub fn new(
+        storage: Arc<dyn HealStorageAPI>,
+        progress: Arc<RwLock<HealProgress>>,
+        cancel_token: tokio_util::sync::CancellationToken,
+        disk: DiskStore,
+    ) -> Self {
+        Self {
+            storage,
+            progress,
+            cancel_token,
+            disk,
+        }
+    }
+
+    /// execute erasure set heal with resume
+    #[tracing::instrument(skip(self, buckets), fields(set_disk_id = %set_disk_id, bucket_count = buckets.len()))]
+    pub async fn heal_erasure_set(&self, buckets: &[String], set_disk_id: &str) -> Result<()> {
+        info!("Starting erasure set heal");
+
+        // 1. generate or get task id
+        let task_id = self.get_or_create_task_id(set_disk_id).await?;
+
+        // 2. initialize or resume resume state
+        let (resume_manager, checkpoint_manager) = self.initialize_resume_state(&task_id, set_disk_id, buckets).await?;
+
+        // 3. execute heal with resume
+        let result = self
+            .execute_heal_with_resume(buckets, &resume_manager, &checkpoint_manager)
+            .await;
+
+        // 4. cleanup resume state
+        if result.is_ok() {
+            if let Err(e) = resume_manager.cleanup().await {
+                warn!("Failed to cleanup resume state: {}", e);
+            }
+            if let Err(e) = checkpoint_manager.cleanup().await {
+                warn!("Failed to cleanup checkpoint: {}", e);
+            }
+        }
+
+        result
+    }
+
+    /// get or create task id
+    async fn get_or_create_task_id(&self, set_disk_id: &str) -> Result<String> {
+        // check if there are resumable tasks
+        let resumable_tasks = ResumeUtils::get_resumable_tasks(&self.disk).await?;
+
+        for task_id in resumable_tasks {
+            match ResumeManager::load_from_disk(self.disk.clone(), &task_id).await {
+                Ok(manager) => {
+                    let state = manager.get_state().await;
+                    if state.set_disk_id == set_disk_id && ResumeUtils::can_resume_task(&self.disk, &task_id).await {
+                        info!("Found resumable task: {} for set {}", task_id, set_disk_id);
+                        return Ok(task_id);
+                    }
+                }
+                Err(e) => {
+                    warn!("Failed to load resume state for task {}: {}", task_id, e);
+                }
+            }
+        }
+
+        // create new task id
+        let task_id = format!("{}_{}", set_disk_id, ResumeUtils::generate_task_id());
+        info!("Created new heal task: {}", task_id);
+        Ok(task_id)
+    }
+
+    /// initialize or resume resume state
+    async fn initialize_resume_state(
+        &self,
+        task_id: &str,
+        set_disk_id: &str,
+        buckets: &[String],
+    ) -> Result<(ResumeManager, CheckpointManager)> {
+        // check if resume state exists
+        if ResumeManager::has_resume_state(&self.disk, task_id).await {
+            info!("Loading existing resume state for task: {}", task_id);
+
+            let resume_manager = ResumeManager::load_from_disk(self.disk.clone(), task_id).await?;
+            let checkpoint_manager = if CheckpointManager::has_checkpoint(&self.disk, task_id).await {
+                CheckpointManager::load_from_disk(self.disk.clone(), task_id).await?
+            } else {
+                CheckpointManager::new(self.disk.clone(), task_id.to_string()).await?
+            };
+
+            Ok((resume_manager, checkpoint_manager))
+        } else {
+            info!("Creating new resume state for task: {}", task_id);
+
+            let resume_manager = ResumeManager::new(
+                self.disk.clone(),
+                task_id.to_string(),
+                "erasure_set".to_string(),
+                set_disk_id.to_string(),
+                buckets.to_vec(),
+            )
+            .await?;
+
+            let checkpoint_manager = CheckpointManager::new(self.disk.clone(), task_id.to_string()).await?;
+
+            Ok((resume_manager, checkpoint_manager))
+        }
+    }
+
+    /// execute heal with resume
+    async fn execute_heal_with_resume(
+        &self,
+        buckets: &[String],
+        resume_manager: &ResumeManager,
+        checkpoint_manager: &CheckpointManager,
+    ) -> Result<()> {
+        // 1. get current state
+        let state = resume_manager.get_state().await;
+        let checkpoint = checkpoint_manager.get_checkpoint().await;
+
+        info!(
+            "Resuming from bucket {} object {}",
+            checkpoint.current_bucket_index, checkpoint.current_object_index
+        );
+
+        // 2. initialize progress
+        self.initialize_progress(buckets, &state).await;
+
+        // 3. continue from checkpoint
+        let current_bucket_index = checkpoint.current_bucket_index;
+        let mut current_object_index = checkpoint.current_object_index;
+
+        let mut processed_objects = state.processed_objects;
+        let mut successful_objects = state.successful_objects;
+        let mut failed_objects = state.failed_objects;
+        let mut skipped_objects = state.skipped_objects;
+
+        // 4. process remaining buckets
+        for (bucket_idx, bucket) in buckets.iter().enumerate().skip(current_bucket_index) {
+            // check if completed
+            if state.completed_buckets.contains(bucket) {
+                continue;
+            }
+
+            // update current bucket
+            resume_manager.set_current_item(Some(bucket.clone()), None).await?;
+
+            // process objects in bucket
+            let bucket_result = self
+                .heal_bucket_with_resume(
+                    bucket,
+                    bucket_idx,
+                    &mut current_object_index,
+                    &mut processed_objects,
+                    &mut successful_objects,
+                    &mut failed_objects,
+                    &mut skipped_objects,
+                    resume_manager,
+                    checkpoint_manager,
+                )
+                .await;
+
+            // update checkpoint position
+            checkpoint_manager.update_position(bucket_idx, current_object_index).await?;
+
+            // update progress
+            resume_manager
+                .update_progress(processed_objects, successful_objects, failed_objects, skipped_objects)
+                .await?;
+
+            // check cancel status
+            if self.cancel_token.is_cancelled() {
+                warn!("Heal task cancelled");
+                return Err(Error::TaskCancelled);
+            }
+
+            // process bucket result
+            match bucket_result {
+                Ok(_) => {
+                    resume_manager.complete_bucket(bucket).await?;
+                    info!("Completed heal for bucket: {}", bucket);
+                }
+                Err(e) => {
+                    error!("Failed to heal bucket {}: {}", bucket, e);
+                    // continue to next bucket, do not interrupt the whole process
+                }
+            }
+
+            // reset object index
+            current_object_index = 0;
+        }
+
+        // 5. mark task completed
+        resume_manager.mark_completed().await?;
+
+        info!("Erasure set heal completed successfully");
+        Ok(())
+    }
+
+    /// heal single bucket with resume
+    #[allow(clippy::too_many_arguments)]
+    #[tracing::instrument(skip(self, current_object_index, processed_objects, successful_objects, failed_objects, _skipped_objects, resume_manager, checkpoint_manager), fields(bucket = %bucket, bucket_index = bucket_index))]
+    async fn heal_bucket_with_resume(
+        &self,
+        bucket: &str,
+        bucket_index: usize,
+        current_object_index: &mut usize,
+        processed_objects: &mut u64,
+        successful_objects: &mut u64,
+        failed_objects: &mut u64,
+        _skipped_objects: &mut u64,
+        resume_manager: &ResumeManager,
+        checkpoint_manager: &CheckpointManager,
+    ) -> Result<()> {
+        info!(target: "rustfs:ahm:heal_bucket_with_resume" ,"Starting heal for bucket from object index {}", current_object_index);
+
+        // 1. get bucket info
+        let _bucket_info = match self.storage.get_bucket_info(bucket).await? {
+            Some(info) => info,
+            None => {
+                warn!("Bucket {} not found, skipping", bucket);
+                return Ok(());
+            }
+        };
+
+        // 2. process objects with pagination to avoid loading all objects into memory
+        let mut continuation_token: Option<String> = None;
+        let mut global_obj_idx = 0usize;
+
+        loop {
+            // Get one page of objects
+            let (objects, next_token, is_truncated) = self
+                .storage
+                .list_objects_for_heal_page(bucket, "", continuation_token.as_deref())
+                .await?;
+
+            // Process objects in this page
+            for object in objects {
+                // Skip objects before the checkpoint
+                if global_obj_idx < *current_object_index {
+                    global_obj_idx += 1;
+                    continue;
+                }
+
+                // check if already processed
+                if checkpoint_manager.get_checkpoint().await.processed_objects.contains(&object) {
+                    global_obj_idx += 1;
+                    continue;
+                }
+
+                // update current object
+                resume_manager
+                    .set_current_item(Some(bucket.to_string()), Some(object.clone()))
+                    .await?;
+
+                // Check if object still exists before attempting heal
+                let object_exists = match self.storage.object_exists(bucket, &object).await {
+                    Ok(exists) => exists,
+                    Err(e) => {
+                        warn!("Failed to check existence of {}/{}: {}, marking as failed", bucket, object, e);
+                        *failed_objects += 1;
+                        checkpoint_manager.add_failed_object(object.clone()).await?;
+                        global_obj_idx += 1;
+                        *current_object_index = global_obj_idx;
+                        continue;
+                    }
+                };
+
+                if !object_exists {
+                    info!(
+                        target: "rustfs:ahm:heal_bucket_with_resume" ,"Object {}/{} no longer exists, skipping heal (likely deleted intentionally)",
+                        bucket, object
+                    );
+                    checkpoint_manager.add_processed_object(object.clone()).await?;
+                    *successful_objects += 1; // Treat as successful - object is gone as intended
+                    global_obj_idx += 1;
+                    *current_object_index = global_obj_idx;
+                    continue;
+                }
+
+                // heal object
+                let heal_opts = HealOpts {
+                    scan_mode: HealScanMode::Normal,
+                    remove: true,
+                    recreate: true, // Keep recreate enabled for legitimate heal scenarios
+                    ..Default::default()
+                };
+
+                match self.storage.heal_object(bucket, &object, None, &heal_opts).await {
+                    Ok((_result, None)) => {
+                        *successful_objects += 1;
+                        checkpoint_manager.add_processed_object(object.clone()).await?;
+                        info!("Successfully healed object {}/{}", bucket, object);
+                    }
+                    Ok((_, Some(err))) => {
+                        *failed_objects += 1;
+                        checkpoint_manager.add_failed_object(object.clone()).await?;
+                        warn!("Failed to heal object {}/{}: {}", bucket, object, err);
+                    }
+                    Err(err) => {
+                        *failed_objects += 1;
+                        checkpoint_manager.add_failed_object(object.clone()).await?;
+                        warn!("Error healing object {}/{}: {}", bucket, object, err);
+                    }
+                }
+
+                *processed_objects += 1;
+                global_obj_idx += 1;
+                *current_object_index = global_obj_idx;
+
+                // check cancel status
+                if self.cancel_token.is_cancelled() {
+                    info!("Heal task cancelled during object processing");
+                    return Err(Error::TaskCancelled);
+                }
+
+                // save checkpoint periodically
+                if global_obj_idx % 100 == 0 {
+                    checkpoint_manager
+                        .update_position(bucket_index, *current_object_index)
+                        .await?;
+                }
+            }
+
+            // Check if there are more pages
+            if !is_truncated {
+                break;
+            }
+
+            continuation_token = next_token;
+            if continuation_token.is_none() {
+                warn!("List is truncated but no continuation token provided for {}", bucket);
+                break;
+            }
+        }
+
+        Ok(())
+    }
+
+    /// initialize progress tracking
+    async fn initialize_progress(&self, _buckets: &[String], state: &crate::heal::resume::ResumeState) {
+        let mut progress = self.progress.write().await;
+        progress.objects_scanned = state.total_objects;
+        progress.objects_healed = state.successful_objects;
+        progress.objects_failed = state.failed_objects;
+        progress.bytes_processed = 0; // set to 0 for now, can be extended later
+        progress.set_current_object(state.current_object.clone());
+    }
+
+    /// heal all buckets concurrently
+    #[allow(dead_code)]
+    async fn heal_buckets_concurrently(&self, buckets: &[String]) -> Vec<Result<()>> {
+        // use semaphore to control concurrency, avoid too many concurrent healings
+        let semaphore = Arc::new(tokio::sync::Semaphore::new(4)); // max 4 concurrent healings
+
+        let heal_futures = buckets.iter().map(|bucket| {
+            let bucket = bucket.clone();
+            let storage = self.storage.clone();
+            let progress = self.progress.clone();
+            let semaphore = semaphore.clone();
+            let cancel_token = self.cancel_token.clone();
+
+            async move {
+                let _permit = semaphore
+                    .acquire()
+                    .await
+                    .map_err(|e| Error::other(format!("Failed to acquire semaphore for bucket heal: {e}")))?;
+
+                if cancel_token.is_cancelled() {
+                    return Err(Error::TaskCancelled);
+                }
+
+                Self::heal_single_bucket(&storage, &bucket, &progress).await
+            }
+        });
+
+        // use join_all to process concurrently
+        join_all(heal_futures).await
+    }
+
+    /// heal single bucket
+    #[allow(dead_code)]
+    async fn heal_single_bucket(
+        storage: &Arc<dyn HealStorageAPI>,
+        bucket: &str,
+        progress: &Arc<RwLock<HealProgress>>,
+    ) -> Result<()> {
+        info!("Starting heal for bucket: {}", bucket);
+
+        // 1. get bucket info
+        let _bucket_info = match storage.get_bucket_info(bucket).await? {
+            Some(info) => info,
+            None => {
+                warn!("Bucket {} not found, skipping", bucket);
+                return Ok(());
+            }
+        };
+
+        // 2. process objects with pagination to avoid loading all objects into memory
+        let mut continuation_token: Option<String> = None;
+        let mut total_scanned = 0u64;
+        let mut total_success = 0u64;
+        let mut total_failed = 0u64;
+
+        let heal_opts = HealOpts {
+            scan_mode: HealScanMode::Normal,
+            remove: true,   // remove corrupted data
+            recreate: true, // recreate missing data
+            ..Default::default()
+        };
+
+        loop {
+            // Get one page of objects
+            let (objects, next_token, is_truncated) = storage
+                .list_objects_for_heal_page(bucket, "", continuation_token.as_deref())
+                .await?;
+
+            let page_count = objects.len() as u64;
+            total_scanned += page_count;
+
+            // 3. update progress
+            {
+                let mut p = progress.write().await;
+                p.objects_scanned = total_scanned;
+            }
+
+            // 4. heal objects concurrently for this page
+            let object_results = Self::heal_objects_concurrently(storage, bucket, &objects, &heal_opts, progress).await;
+
+            // 5. count results for this page
+            let (success_count, failure_count) =
+                object_results
+                    .into_iter()
+                    .fold((0, 0), |(success, failure), result| match result {
+                        Ok(_) => (success + 1, failure),
+                        Err(_) => (success, failure + 1),
+                    });
+
+            total_success += success_count;
+            total_failed += failure_count;
+
+            // 6. update progress
+            {
+                let mut p = progress.write().await;
+                p.objects_healed = total_success;
+                p.objects_failed = total_failed;
+                p.set_current_object(Some(format!("processing bucket: {bucket} (page)")));
+            }
+
+            // Check if there are more pages
+            if !is_truncated {
+                break;
+            }
+
+            continuation_token = next_token;
+            if continuation_token.is_none() {
+                warn!("List is truncated but no continuation token provided for {}", bucket);
+                break;
+            }
+        }
+
+        // 7. final progress update
+        {
+            let mut p = progress.write().await;
+            p.set_current_object(Some(format!("completed bucket: {bucket}")));
+        }
+
+        info!(
+            "Completed heal for bucket {}: {} success, {} failures (total scanned: {})",
+            bucket, total_success, total_failed, total_scanned
+        );
+
+        Ok(())
+    }
+
+    /// heal objects concurrently
+    #[allow(dead_code)]
+    async fn heal_objects_concurrently(
+        storage: &Arc<dyn HealStorageAPI>,
+        bucket: &str,
+        objects: &[String],
+        heal_opts: &HealOpts,
+        _progress: &Arc<RwLock<HealProgress>>,
+    ) -> Vec<Result<()>> {
+        // use semaphore to control object healing concurrency
+        let semaphore = Arc::new(tokio::sync::Semaphore::new(8)); // max 8 concurrent object healings
+
+        let heal_futures = objects.iter().map(|object| {
+            let object = object.clone();
+            let bucket = bucket.to_string();
+            let storage = storage.clone();
+            let heal_opts = *heal_opts;
+            let semaphore = semaphore.clone();
+
+            async move {
+                let _permit = semaphore
+                    .acquire()
+                    .await
+                    .map_err(|e| Error::other(format!("Failed to acquire semaphore for object heal: {e}")))?;
+
+                match storage.heal_object(&bucket, &object, None, &heal_opts).await {
+                    Ok((_result, None)) => {
+                        info!("Successfully healed object {}/{}", bucket, object);
+                        Ok(())
+                    }
+                    Ok((_, Some(err))) => {
+                        warn!("Failed to heal object {}/{}: {}", bucket, object, err);
+                        Err(Error::other(err))
+                    }
+                    Err(err) => {
+                        warn!("Error healing object {}/{}: {}", bucket, object, err);
+                        Err(err)
+                    }
+                }
+            }
+        });
+
+        join_all(heal_futures).await
+    }
+
+    /// process results
+    #[allow(dead_code)]
+    async fn process_results(&self, results: Vec<Result<()>>) -> Result<()> {
+        let (success_count, failure_count): (usize, usize) =
+            results.into_iter().fold((0, 0), |(success, failure), result| match result {
+                Ok(_) => (success + 1, failure),
+                Err(_) => (success, failure + 1),
+            });
+
+        let total = success_count + failure_count;
+
+        info!("Erasure set heal completed: {}/{} buckets successful", success_count, total);
+
+        if failure_count > 0 {
+            warn!("{} buckets failed to heal", failure_count);
+            return Err(Error::other(format!("{failure_count} buckets failed to heal")));
+        }
+
+        Ok(())
+    }
+}
--- a/crates/ahm/src/heal/event.rs
+++ b/crates/ahm/src/heal/event.rs
@@ -0,0 +1,682 @@
+// Copyright 2024 RustFS Team
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use crate::heal::{HealOptions, HealPriority, HealRequest, HealType};
+use crate::{Error, Result};
+use rustfs_ecstore::disk::endpoint::Endpoint;
+use serde::{Deserialize, Serialize};
+use std::time::SystemTime;
+
+/// Corruption type
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub enum CorruptionType {
+    /// Data corruption
+    DataCorruption,
+    /// Metadata corruption
+    MetadataCorruption,
+    /// Partial corruption
+    PartialCorruption,
+    /// Complete corruption
+    CompleteCorruption,
+}
+
+/// Severity level
+#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize)]
+pub enum Severity {
+    /// Low severity
+    Low = 0,
+    /// Medium severity
+    Medium = 1,
+    /// High severity
+    High = 2,
+    /// Critical severity
+    Critical = 3,
+}
+
+/// Heal event
+#[derive(Debug, Clone)]
+pub enum HealEvent {
+    /// Object corruption event
+    ObjectCorruption {
+        bucket: String,
+        object: String,
+        version_id: Option<String>,
+        corruption_type: CorruptionType,
+        severity: Severity,
+    },
+    /// Object missing event
+    ObjectMissing {
+        bucket: String,
+        object: String,
+        version_id: Option<String>,
+        expected_locations: Vec<usize>,
+        available_locations: Vec<usize>,
+    },
+    /// Metadata corruption event
+    MetadataCorruption {
+        bucket: String,
+        object: String,
+        corruption_type: CorruptionType,
+    },
+    /// Disk status change event
+    DiskStatusChange {
+        endpoint: Endpoint,
+        old_status: String,
+        new_status: String,
+    },
+    /// EC decode failure event
+    ECDecodeFailure {
+        bucket: String,
+        object: String,
+        version_id: Option<String>,
+        missing_shards: Vec<usize>,
+        available_shards: Vec<usize>,
+    },
+    /// Checksum mismatch event
+    ChecksumMismatch {
+        bucket: String,
+        object: String,
+        version_id: Option<String>,
+        expected_checksum: String,
+        actual_checksum: String,
+    },
+    /// Bucket metadata corruption event
+    BucketMetadataCorruption {
+        bucket: String,
+        corruption_type: CorruptionType,
+    },
+    /// MRF metadata corruption event
+    MRFMetadataCorruption {
+        meta_path: String,
+        corruption_type: CorruptionType,
+    },
+}
+
+impl HealEvent {
+    /// Convert HealEvent to HealRequest
+    pub fn to_heal_request(&self) -> Result<HealRequest> {
+        match self {
+            HealEvent::ObjectCorruption {
+                bucket,
+                object,
+                version_id,
+                severity,
+                ..
+            } => Ok(HealRequest::new(
+                HealType::Object {
+                    bucket: bucket.clone(),
+                    object: object.clone(),
+                    version_id: version_id.clone(),
+                },
+                HealOptions::default(),
+                Self::severity_to_priority(severity),
+            )),
+            HealEvent::ObjectMissing {
+                bucket,
+                object,
+                version_id,
+                ..
+            } => Ok(HealRequest::new(
+                HealType::Object {
+                    bucket: bucket.clone(),
+                    object: object.clone(),
+                    version_id: version_id.clone(),
+                },
+                HealOptions::default(),
+                HealPriority::High,
+            )),
+            HealEvent::MetadataCorruption { bucket, object, .. } => Ok(HealRequest::new(
+                HealType::Metadata {
+                    bucket: bucket.clone(),
+                    object: object.clone(),
+                },
+                HealOptions::default(),
+                HealPriority::High,
+            )),
+            HealEvent::DiskStatusChange { endpoint, .. } => {
+                // Convert disk status change to erasure set heal
+                // Note: This requires access to storage to get bucket list, which is not available here
+                // The actual bucket list will need to be provided by the caller or retrieved differently
+                let set_disk_id = crate::heal::utils::format_set_disk_id_from_i32(endpoint.pool_idx, endpoint.set_idx)
+                    .ok_or_else(|| Error::InvalidHealType {
+                        heal_type: format!("erasure-set(pool={}, set={})", endpoint.pool_idx, endpoint.set_idx),
+                    })?;
+                Ok(HealRequest::new(
+                    HealType::ErasureSet {
+                        buckets: vec![], // Empty bucket list - caller should populate this
+                        set_disk_id,
+                    },
+                    HealOptions::default(),
+                    HealPriority::High,
+                ))
+            }
+            HealEvent::ECDecodeFailure {
+                bucket,
+                object,
+                version_id,
+                ..
+            } => Ok(HealRequest::new(
+                HealType::ECDecode {
+                    bucket: bucket.clone(),
+                    object: object.clone(),
+                    version_id: version_id.clone(),
+                },
+                HealOptions::default(),
+                HealPriority::Urgent,
+            )),
+            HealEvent::ChecksumMismatch {
+                bucket,
+                object,
+                version_id,
+                ..
+            } => Ok(HealRequest::new(
+                HealType::Object {
+                    bucket: bucket.clone(),
+                    object: object.clone(),
+                    version_id: version_id.clone(),
+                },
+                HealOptions::default(),
+                HealPriority::High,
+            )),
+            HealEvent::BucketMetadataCorruption { bucket, .. } => Ok(HealRequest::new(
+                HealType::Bucket { bucket: bucket.clone() },
+                HealOptions::default(),
+                HealPriority::High,
+            )),
+            HealEvent::MRFMetadataCorruption { meta_path, .. } => Ok(HealRequest::new(
+                HealType::MRF {
+                    meta_path: meta_path.clone(),
+                },
+                HealOptions::default(),
+                HealPriority::High,
+            )),
+        }
+    }
+
+    /// Convert severity to priority
+    fn severity_to_priority(severity: &Severity) -> HealPriority {
+        match severity {
+            Severity::Low => HealPriority::Low,
+            Severity::Medium => HealPriority::Normal,
+            Severity::High => HealPriority::High,
+            Severity::Critical => HealPriority::Urgent,
+        }
+    }
+
+    /// Get event description
+    pub fn description(&self) -> String {
+        match self {
+            HealEvent::ObjectCorruption {
+                bucket,
+                object,
+                corruption_type,
+                ..
+            } => {
+                format!("Object corruption detected: {bucket}/{object} - {corruption_type:?}")
+            }
+            HealEvent::ObjectMissing { bucket, object, .. } => {
+                format!("Object missing: {bucket}/{object}")
+            }
+            HealEvent::MetadataCorruption {
+                bucket,
+                object,
+                corruption_type,
+                ..
+            } => {
+                format!("Metadata corruption: {bucket}/{object} - {corruption_type:?}")
+            }
+            HealEvent::DiskStatusChange {
+                endpoint,
+                old_status,
+                new_status,
+                ..
+            } => {
+                format!("Disk status changed: {endpoint:?} {old_status} -> {new_status}")
+            }
+            HealEvent::ECDecodeFailure {
+                bucket,
+                object,
+                missing_shards,
+                ..
+            } => {
+                format!("EC decode failure: {bucket}/{object} - missing shards: {missing_shards:?}")
+            }
+            HealEvent::ChecksumMismatch {
+                bucket,
+                object,
+                expected_checksum,
+                actual_checksum,
+                ..
+            } => {
+                format!("Checksum mismatch: {bucket}/{object} - expected: {expected_checksum}, actual: {actual_checksum}")
+            }
+            HealEvent::BucketMetadataCorruption {
+                bucket, corruption_type, ..
+            } => {
+                format!("Bucket metadata corruption: {bucket} - {corruption_type:?}")
+            }
+            HealEvent::MRFMetadataCorruption {
+                meta_path,
+                corruption_type,
+                ..
+            } => {
+                format!("MRF metadata corruption: {meta_path} - {corruption_type:?}")
+            }
+        }
+    }
+
+    /// Get event severity
+    pub fn severity(&self) -> Severity {
+        match self {
+            HealEvent::ObjectCorruption { severity, .. } => severity.clone(),
+            HealEvent::ObjectMissing { .. } => Severity::High,
+            HealEvent::MetadataCorruption { .. } => Severity::High,
+            HealEvent::DiskStatusChange { .. } => Severity::High,
+            HealEvent::ECDecodeFailure { .. } => Severity::Critical,
+            HealEvent::ChecksumMismatch { .. } => Severity::High,
+            HealEvent::BucketMetadataCorruption { .. } => Severity::High,
+            HealEvent::MRFMetadataCorruption { .. } => Severity::High,
+        }
+    }
+
+    /// Get event timestamp
+    pub fn timestamp(&self) -> SystemTime {
+        SystemTime::now()
+    }
+}
+
+/// Heal event handler
+pub struct HealEventHandler {
+    /// Event queue
+    events: Vec<HealEvent>,
+    /// Maximum number of events
+    max_events: usize,
+}
+
+impl HealEventHandler {
+    pub fn new(max_events: usize) -> Self {
+        Self {
+            events: Vec::new(),
+            max_events,
+        }
+    }
+
+    /// Add event
+    pub fn add_event(&mut self, event: HealEvent) {
+        if self.events.len() >= self.max_events {
+            // Remove oldest event
+            self.events.remove(0);
+        }
+        self.events.push(event);
+    }
+
+    /// Get all events
+    pub fn get_events(&self) -> &[HealEvent] {
+        &self.events
+    }
+
+    /// Clear events
+    pub fn clear_events(&mut self) {
+        self.events.clear();
+    }
+
+    /// Get event count
+    pub fn event_count(&self) -> usize {
+        self.events.len()
+    }
+
+    /// Filter events by severity
+    pub fn filter_by_severity(&self, min_severity: Severity) -> Vec<&HealEvent> {
+        self.events.iter().filter(|event| event.severity() >= min_severity).collect()
+    }
+
+    /// Filter events by type
+    pub fn filter_by_type(&self, event_type: &str) -> Vec<&HealEvent> {
+        self.events
+            .iter()
+            .filter(|event| match event {
+                HealEvent::ObjectCorruption { .. } => event_type == "ObjectCorruption",
+                HealEvent::ObjectMissing { .. } => event_type == "ObjectMissing",
+                HealEvent::MetadataCorruption { .. } => event_type == "MetadataCorruption",
+                HealEvent::DiskStatusChange { .. } => event_type == "DiskStatusChange",
+                HealEvent::ECDecodeFailure { .. } => event_type == "ECDecodeFailure",
+                HealEvent::ChecksumMismatch { .. } => event_type == "ChecksumMismatch",
+                HealEvent::BucketMetadataCorruption { .. } => event_type == "BucketMetadataCorruption",
+                HealEvent::MRFMetadataCorruption { .. } => event_type == "MRFMetadataCorruption",
+            })
+            .collect()
+    }
+}
+
+impl Default for HealEventHandler {
+    fn default() -> Self {
+        Self::new(1000)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::heal::task::{HealPriority, HealType};
+
+    #[test]
+    fn test_heal_event_object_corruption_to_request() {
+        let event = HealEvent::ObjectCorruption {
+            bucket: "test-bucket".to_string(),
+            object: "test-object".to_string(),
+            version_id: None,
+            corruption_type: CorruptionType::DataCorruption,
+            severity: Severity::High,
+        };
+
+        let request = event.to_heal_request().unwrap();
+        assert!(matches!(request.heal_type, HealType::Object { .. }));
+        assert_eq!(request.priority, HealPriority::High);
+    }
+
+    #[test]
+    fn test_heal_event_object_missing_to_request() {
+        let event = HealEvent::ObjectMissing {
+            bucket: "test-bucket".to_string(),
+            object: "test-object".to_string(),
+            version_id: Some("v1".to_string()),
+            expected_locations: vec![0, 1],
+            available_locations: vec![2, 3],
+        };
+
+        let request = event.to_heal_request().unwrap();
+        assert!(matches!(request.heal_type, HealType::Object { .. }));
+        assert_eq!(request.priority, HealPriority::High);
+    }
+
+    #[test]
+    fn test_heal_event_metadata_corruption_to_request() {
+        let event = HealEvent::MetadataCorruption {
+            bucket: "test-bucket".to_string(),
+            object: "test-object".to_string(),
+            corruption_type: CorruptionType::MetadataCorruption,
+        };
+
+        let request = event.to_heal_request().unwrap();
+        assert!(matches!(request.heal_type, HealType::Metadata { .. }));
+        assert_eq!(request.priority, HealPriority::High);
+    }
+
+    #[test]
+    fn test_heal_event_ec_decode_failure_to_request() {
+        let event = HealEvent::ECDecodeFailure {
+            bucket: "test-bucket".to_string(),
+            object: "test-object".to_string(),
+            version_id: None,
+            missing_shards: vec![0, 1],
+            available_shards: vec![2, 3, 4],
+        };
+
+        let request = event.to_heal_request().unwrap();
+        assert!(matches!(request.heal_type, HealType::ECDecode { .. }));
+        assert_eq!(request.priority, HealPriority::Urgent);
+    }
+
+    #[test]
+    fn test_heal_event_checksum_mismatch_to_request() {
+        let event = HealEvent::ChecksumMismatch {
+            bucket: "test-bucket".to_string(),
+            object: "test-object".to_string(),
+            version_id: None,
+            expected_checksum: "abc123".to_string(),
+            actual_checksum: "def456".to_string(),
+        };
+
+        let request = event.to_heal_request().unwrap();
+        assert!(matches!(request.heal_type, HealType::Object { .. }));
+        assert_eq!(request.priority, HealPriority::High);
+    }
+
+    #[test]
+    fn test_heal_event_bucket_metadata_corruption_to_request() {
+        let event = HealEvent::BucketMetadataCorruption {
+            bucket: "test-bucket".to_string(),
+            corruption_type: CorruptionType::MetadataCorruption,
+        };
+
+        let request = event.to_heal_request().unwrap();
+        assert!(matches!(request.heal_type, HealType::Bucket { .. }));
+        assert_eq!(request.priority, HealPriority::High);
+    }
+
+    #[test]
+    fn test_heal_event_mrf_metadata_corruption_to_request() {
+        let event = HealEvent::MRFMetadataCorruption {
+            meta_path: "test-bucket/test-object".to_string(),
+            corruption_type: CorruptionType::MetadataCorruption,
+        };
+
+        let request = event.to_heal_request().unwrap();
+        assert!(matches!(request.heal_type, HealType::MRF { .. }));
+        assert_eq!(request.priority, HealPriority::High);
+    }
+
+    #[test]
+    fn test_heal_event_severity_to_priority() {
+        let event_low = HealEvent::ObjectCorruption {
+            bucket: "test".to_string(),
+            object: "test".to_string(),
+            version_id: None,
+            corruption_type: CorruptionType::DataCorruption,
+            severity: Severity::Low,
+        };
+        let request = event_low.to_heal_request().unwrap();
+        assert_eq!(request.priority, HealPriority::Low);
+
+        let event_medium = HealEvent::ObjectCorruption {
+            bucket: "test".to_string(),
+            object: "test".to_string(),
+            version_id: None,
+            corruption_type: CorruptionType::DataCorruption,
+            severity: Severity::Medium,
+        };
+        let request = event_medium.to_heal_request().unwrap();
+        assert_eq!(request.priority, HealPriority::Normal);
+
+        let event_high = HealEvent::ObjectCorruption {
+            bucket: "test".to_string(),
+            object: "test".to_string(),
+            version_id: None,
+            corruption_type: CorruptionType::DataCorruption,
+            severity: Severity::High,
+        };
+        let request = event_high.to_heal_request().unwrap();
+        assert_eq!(request.priority, HealPriority::High);
+
+        let event_critical = HealEvent::ObjectCorruption {
+            bucket: "test".to_string(),
+            object: "test".to_string(),
+            version_id: None,
+            corruption_type: CorruptionType::DataCorruption,
+            severity: Severity::Critical,
+        };
+        let request = event_critical.to_heal_request().unwrap();
+        assert_eq!(request.priority, HealPriority::Urgent);
+    }
+
+    #[test]
+    fn test_heal_event_description() {
+        let event = HealEvent::ObjectCorruption {
+            bucket: "test-bucket".to_string(),
+            object: "test-object".to_string(),
+            version_id: None,
+            corruption_type: CorruptionType::DataCorruption,
+            severity: Severity::High,
+        };
+
+        let desc = event.description();
+        assert!(desc.contains("Object corruption detected"));
+        assert!(desc.contains("test-bucket/test-object"));
+        assert!(desc.contains("DataCorruption"));
+    }
+
+    #[test]
+    fn test_heal_event_severity() {
+        let event = HealEvent::ECDecodeFailure {
+            bucket: "test".to_string(),
+            object: "test".to_string(),
+            version_id: None,
+            missing_shards: vec![],
+            available_shards: vec![],
+        };
+        assert_eq!(event.severity(), Severity::Critical);
+
+        let event = HealEvent::ObjectMissing {
+            bucket: "test".to_string(),
+            object: "test".to_string(),
+            version_id: None,
+            expected_locations: vec![],
+            available_locations: vec![],
+        };
+        assert_eq!(event.severity(), Severity::High);
+    }
+
+    #[test]
+    fn test_heal_event_handler_new() {
+        let handler = HealEventHandler::new(10);
+        assert_eq!(handler.event_count(), 0);
+        assert_eq!(handler.max_events, 10);
+    }
+
+    #[test]
+    fn test_heal_event_handler_default() {
+        let handler = HealEventHandler::default();
+        assert_eq!(handler.max_events, 1000);
+    }
+
+    #[test]
+    fn test_heal_event_handler_add_event() {
+        let mut handler = HealEventHandler::new(3);
+        let event = HealEvent::ObjectCorruption {
+            bucket: "test".to_string(),
+            object: "test".to_string(),
+            version_id: None,
+            corruption_type: CorruptionType::DataCorruption,
+            severity: Severity::High,
+        };
+
+        handler.add_event(event.clone());
+        assert_eq!(handler.event_count(), 1);
+
+        handler.add_event(event.clone());
+        handler.add_event(event.clone());
+        assert_eq!(handler.event_count(), 3);
+    }
+
+    #[test]
+    fn test_heal_event_handler_max_events() {
+        let mut handler = HealEventHandler::new(2);
+        let event = HealEvent::ObjectCorruption {
+            bucket: "test".to_string(),
+            object: "test".to_string(),
+            version_id: None,
+            corruption_type: CorruptionType::DataCorruption,
+            severity: Severity::High,
+        };
+
+        handler.add_event(event.clone());
+        handler.add_event(event.clone());
+        handler.add_event(event.clone()); // Should remove oldest
+
+        assert_eq!(handler.event_count(), 2);
+    }
+
+    #[test]
+    fn test_heal_event_handler_get_events() {
+        let mut handler = HealEventHandler::new(10);
+        let event = HealEvent::ObjectCorruption {
+            bucket: "test".to_string(),
+            object: "test".to_string(),
+            version_id: None,
+            corruption_type: CorruptionType::DataCorruption,
+            severity: Severity::High,
+        };
+
+        handler.add_event(event.clone());
+        handler.add_event(event.clone());
+
+        let events = handler.get_events();
+        assert_eq!(events.len(), 2);
+    }
+
+    #[test]
+    fn test_heal_event_handler_clear_events() {
+        let mut handler = HealEventHandler::new(10);
+        let event = HealEvent::ObjectCorruption {
+            bucket: "test".to_string(),
+            object: "test".to_string(),
+            version_id: None,
+            corruption_type: CorruptionType::DataCorruption,
+            severity: Severity::High,
+        };
+
+        handler.add_event(event);
+        assert_eq!(handler.event_count(), 1);
+
+        handler.clear_events();
+        assert_eq!(handler.event_count(), 0);
+    }
+
+    #[test]
+    fn test_heal_event_handler_filter_by_severity() {
+        let mut handler = HealEventHandler::new(10);
+        handler.add_event(HealEvent::ObjectCorruption {
+            bucket: "test".to_string(),
+            object: "test".to_string(),
+            version_id: None,
+            corruption_type: CorruptionType::DataCorruption,
+            severity: Severity::Low,
+        });
+        handler.add_event(HealEvent::ECDecodeFailure {
+            bucket: "test".to_string(),
+            object: "test".to_string(),
+            version_id: None,
+            missing_shards: vec![],
+            available_shards: vec![],
+        });
+
+        let high_severity = handler.filter_by_severity(Severity::High);
+        assert_eq!(high_severity.len(), 1); // Only ECDecodeFailure is Critical >= High
+    }
+
+    #[test]
+    fn test_heal_event_handler_filter_by_type() {
+        let mut handler = HealEventHandler::new(10);
+        handler.add_event(HealEvent::ObjectCorruption {
+            bucket: "test".to_string(),
+            object: "test".to_string(),
+            version_id: None,
+            corruption_type: CorruptionType::DataCorruption,
+            severity: Severity::High,
+        });
+        handler.add_event(HealEvent::ObjectMissing {
+            bucket: "test".to_string(),
+            object: "test".to_string(),
+            version_id: None,
+            expected_locations: vec![],
+            available_locations: vec![],
+        });
+
+        let corruption_events = handler.filter_by_type("ObjectCorruption");
+        assert_eq!(corruption_events.len(), 1);
+
+        let missing_events = handler.filter_by_type("ObjectMissing");
+        assert_eq!(missing_events.len(), 1);
+    }
+}
--- a/crates/ahm/src/heal/manager.rs
+++ b/crates/ahm/src/heal/manager.rs
--- a/Show More
+++ b/Show More