Merge remote-tracking branch 'origin/main' into feat/queue-based-graph-engine

2025-09-08 19:55:43 +08:00 · 2025-09-08 19:55:43 +08:00 · 5ab6838849
parent ef974e484b ec0800eb1a
commit 5ab6838849
43 changed files with 1433 additions and 56 deletions
--- a/api/.env.example
+++ b/api/.env.example
@ -579,3 +579,7 @@ QUEUE_MONITOR_INTERVAL=30
 # Swagger UI configuration
 SWAGGER_UI_ENABLED=true
 SWAGGER_UI_PATH=/swagger-ui.html
+
+# Whether to encrypt dataset IDs when exporting DSL files (default: true)
+# Set to false to export dataset IDs as plain text for easier cross-environment import
+DSL_EXPORT_ENCRYPT_DATASET_ID=true
--- a/api/configs/feature/init.py
+++ b/api/configs/feature/init.py
@ -818,6 +818,11 @@ class DataSetConfig(BaseSettings):
        default=30,
    )

+    DSL_EXPORT_ENCRYPT_DATASET_ID: bool = Field(
+        description="Enable or disable dataset ID encryption when exporting DSL files",
+        default=True,
+    )
+

 class WorkspaceConfig(BaseSettings):
    """
--- a/api/controllers/console/workspace/tool_providers.py
+++ b/api/controllers/console/workspace/tool_providers.py
@ -865,6 +865,7 @@ class ToolProviderMCPApi(Resource):
        parser.add_argument(
            "sse_read_timeout", type=float, required=False, nullable=False, location="json", default=300
        )
+        parser.add_argument("headers", type=dict, required=False, nullable=True, location="json", default={})
        args = parser.parse_args()
        user = current_user
        if not is_valid_url(args["server_url"]):
@ -881,6 +882,7 @@ class ToolProviderMCPApi(Resource):
                server_identifier=args["server_identifier"],
                timeout=args["timeout"],
                sse_read_timeout=args["sse_read_timeout"],
+                headers=args["headers"],
            )
        )

@ -898,6 +900,7 @@ class ToolProviderMCPApi(Resource):
        parser.add_argument("server_identifier", type=str, required=True, nullable=False, location="json")
        parser.add_argument("timeout", type=float, required=False, nullable=True, location="json")
        parser.add_argument("sse_read_timeout", type=float, required=False, nullable=True, location="json")
+        parser.add_argument("headers", type=dict, required=False, nullable=True, location="json")
        args = parser.parse_args()
        if not is_valid_url(args["server_url"]):
            if "[__HIDDEN__]" in args["server_url"]:
@ -915,6 +918,7 @@ class ToolProviderMCPApi(Resource):
            server_identifier=args["server_identifier"],
            timeout=args.get("timeout"),
            sse_read_timeout=args.get("sse_read_timeout"),
+            headers=args.get("headers"),
        )
        return {"result": "success"}

@ -951,6 +955,9 @@ class ToolMCPAuthApi(Resource):
                authed=False,
                authorization_code=args["authorization_code"],
                for_list=True,
+                headers=provider.decrypted_headers,
+                timeout=provider.timeout,
+                sse_read_timeout=provider.sse_read_timeout,
            ):
                MCPToolManageService.update_mcp_provider_credentials(
                    mcp_provider=provider,
--- a/api/core/ops/ops_trace_manager.py
+++ b/api/core/ops/ops_trace_manager.py
@ -325,14 +325,11 @@ class OpsTraceManager:
        :return:
        """
        # auth check
-        if enabled:
-            try:
+        try:
+            if enabled or tracing_provider is not None:
                provider_config_map[tracing_provider]
-            except KeyError:
-                raise ValueError(f"Invalid tracing provider: {tracing_provider}")
-        else:
-            if tracing_provider is None:
-                raise ValueError(f"Invalid tracing provider: {tracing_provider}")
+        except KeyError:
+            raise ValueError(f"Invalid tracing provider: {tracing_provider}")

        app_config: Optional[App] = db.session.query(App).where(App.id == app_id).first()
        if not app_config:
--- a/api/core/tools/entities/api_entities.py
+++ b/api/core/tools/entities/api_entities.py
@ -43,6 +43,10 @@ class ToolProviderApiEntity(BaseModel):
    server_url: Optional[str] = Field(default="", description="The server url of the tool")
    updated_at: int = Field(default_factory=lambda: int(datetime.now().timestamp()))
    server_identifier: Optional[str] = Field(default="", description="The server identifier of the MCP tool")
+    timeout: Optional[float] = Field(default=30.0, description="The timeout of the MCP tool")
+    sse_read_timeout: Optional[float] = Field(default=300.0, description="The SSE read timeout of the MCP tool")
+    masked_headers: Optional[dict[str, str]] = Field(default=None, description="The masked headers of the MCP tool")
+    original_headers: Optional[dict[str, str]] = Field(default=None, description="The original headers of the MCP tool")

    @field_validator("tools", mode="before")
    @classmethod
@ -65,6 +69,10 @@ class ToolProviderApiEntity(BaseModel):
        if self.type == ToolProviderType.MCP:
            optional_fields.update(self.optional_field("updated_at", self.updated_at))
            optional_fields.update(self.optional_field("server_identifier", self.server_identifier))
+            optional_fields.update(self.optional_field("timeout", self.timeout))
+            optional_fields.update(self.optional_field("sse_read_timeout", self.sse_read_timeout))
+            optional_fields.update(self.optional_field("masked_headers", self.masked_headers))
+            optional_fields.update(self.optional_field("original_headers", self.original_headers))
        return {
            "id": self.id,
            "author": self.author,
--- a/api/core/tools/mcp_tool/provider.py
+++ b/api/core/tools/mcp_tool/provider.py
@ -94,7 +94,7 @@ class MCPToolProviderController(ToolProviderController):
            provider_id=db_provider.server_identifier or "",
            tenant_id=db_provider.tenant_id or "",
            server_url=db_provider.decrypted_server_url,
-            headers={},  # TODO: get headers from db provider
+            headers=db_provider.decrypted_headers or {},
            timeout=db_provider.timeout,
            sse_read_timeout=db_provider.sse_read_timeout,
        )
--- a/api/migrations/versions/2025_09_08_1007-c20211f18133_add_headers_to_mcp_provider.py
+++ b/api/migrations/versions/2025_09_08_1007-c20211f18133_add_headers_to_mcp_provider.py
@ -0,0 +1,27 @@
+"""add_headers_to_mcp_provider
+
+Revision ID: c20211f18133
+Revises: 8d289573e1da
+Create Date: 2025-08-29 10:07:54.163626
+
+"""
+from alembic import op
+import models as models
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = 'c20211f18133'
+down_revision = 'b95962a3885c'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # Add encrypted_headers column to tool_mcp_providers table
+    op.add_column('tool_mcp_providers', sa.Column('encrypted_headers', sa.Text(), nullable=True))
+    
+
+def downgrade():
+    # Remove encrypted_headers column from tool_mcp_providers table
+    op.drop_column('tool_mcp_providers', 'encrypted_headers')
--- a/api/models/tools.py
+++ b/api/models/tools.py
@ -290,6 +290,8 @@ class MCPToolProvider(Base):
    )
    timeout: Mapped[float] = mapped_column(sa.Float, nullable=False, server_default=sa.text("30"))
    sse_read_timeout: Mapped[float] = mapped_column(sa.Float, nullable=False, server_default=sa.text("300"))
+    # encrypted headers for MCP server requests
+    encrypted_headers: Mapped[str | None] = mapped_column(sa.Text, nullable=True)

    def load_user(self) -> Account | None:
        return db.session.query(Account).where(Account.id == self.user_id).first()
@ -324,6 +326,62 @@ class MCPToolProvider(Base):
    def decrypted_server_url(self) -> str:
        return encrypter.decrypt_token(self.tenant_id, self.server_url)

+    @property
+    def decrypted_headers(self) -> dict[str, Any]:
+        """Get decrypted headers for MCP server requests."""
+        from core.entities.provider_entities import BasicProviderConfig
+        from core.helper.provider_cache import NoOpProviderCredentialCache
+        from core.tools.utils.encryption import create_provider_encrypter
+
+        try:
+            if not self.encrypted_headers:
+                return {}
+
+            headers_data = json.loads(self.encrypted_headers)
+
+            # Create dynamic config for all headers as SECRET_INPUT
+            config = [BasicProviderConfig(type=BasicProviderConfig.Type.SECRET_INPUT, name=key) for key in headers_data]
+
+            encrypter_instance, _ = create_provider_encrypter(
+                tenant_id=self.tenant_id,
+                config=config,
+                cache=NoOpProviderCredentialCache(),
+            )
+
+            result = encrypter_instance.decrypt(headers_data)
+            return result
+        except Exception:
+            return {}
+
+    @property
+    def masked_headers(self) -> dict[str, Any]:
+        """Get masked headers for frontend display."""
+        from core.entities.provider_entities import BasicProviderConfig
+        from core.helper.provider_cache import NoOpProviderCredentialCache
+        from core.tools.utils.encryption import create_provider_encrypter
+
+        try:
+            if not self.encrypted_headers:
+                return {}
+
+            headers_data = json.loads(self.encrypted_headers)
+
+            # Create dynamic config for all headers as SECRET_INPUT
+            config = [BasicProviderConfig(type=BasicProviderConfig.Type.SECRET_INPUT, name=key) for key in headers_data]
+
+            encrypter_instance, _ = create_provider_encrypter(
+                tenant_id=self.tenant_id,
+                config=config,
+                cache=NoOpProviderCredentialCache(),
+            )
+
+            # First decrypt, then mask
+            decrypted_headers = encrypter_instance.decrypt(headers_data)
+            result = encrypter_instance.mask_tool_credentials(decrypted_headers)
+            return result
+        except Exception:
+            return {}
+
    @property
    def masked_server_url(self) -> str:
        def mask_url(url: str, mask_char: str = "*") -> str:
--- a/api/pyrightconfig.json
+++ b/api/pyrightconfig.json
@ -1,11 +1,7 @@
 {
-  "include": [
-    "."
-  ],
-  "exclude": [
-    "tests/",
-    "migrations/",
-    ".venv/",
+  "include": ["models", "configs"],
+  "exclude": [".venv", "tests/", "migrations/"],
+  "ignore": [
    "core/",
    "controllers/",
    "tasks/",
@ -25,4 +21,4 @@
  "typeCheckingMode": "strict",
  "pythonVersion": "3.11",
  "pythonPlatform": "All"
-}
+}
--- a/api/services/app_dsl_service.py
+++ b/api/services/app_dsl_service.py
@ -17,6 +17,7 @@ from pydantic import BaseModel, Field
 from sqlalchemy import select
 from sqlalchemy.orm import Session

+from configs import dify_config
 from core.helper import ssrf_proxy
 from core.model_runtime.utils.encoders import jsonable_encoder
 from core.plugin.entities.plugin import PluginDependency
@ -786,7 +787,10 @@ class AppDslService:

    @classmethod
    def encrypt_dataset_id(cls, dataset_id: str, tenant_id: str) -> str:
-        """Encrypt dataset_id using AES-CBC mode"""
+        """Encrypt dataset_id using AES-CBC mode or return plain text based on configuration"""
+        if not dify_config.DSL_EXPORT_ENCRYPT_DATASET_ID:
+            return dataset_id
+
        key = cls._generate_aes_key(tenant_id)
        iv = key[:16]
        cipher = AES.new(key, AES.MODE_CBC, iv)
@ -795,12 +799,34 @@ class AppDslService:

    @classmethod
    def decrypt_dataset_id(cls, encrypted_data: str, tenant_id: str) -> str | None:
-        """AES decryption"""
+        """AES decryption with fallback to plain text UUID"""
+        # First, check if it's already a plain UUID (not encrypted)
+        if cls._is_valid_uuid(encrypted_data):
+            return encrypted_data
+
+        # If it's not a UUID, try to decrypt it
        try:
            key = cls._generate_aes_key(tenant_id)
            iv = key[:16]
            cipher = AES.new(key, AES.MODE_CBC, iv)
            pt = unpad(cipher.decrypt(base64.b64decode(encrypted_data)), AES.block_size)
-            return pt.decode()
+            decrypted_text = pt.decode()
+
+            # Validate that the decrypted result is a valid UUID
+            if cls._is_valid_uuid(decrypted_text):
+                return decrypted_text
+            else:
+                # If decrypted result is not a valid UUID, it's probably not our encrypted data
+                return None
        except Exception:
+            # If decryption fails completely, return None
            return None
+
+    @staticmethod
+    def _is_valid_uuid(value: str) -> bool:
+        """Check if string is a valid UUID format"""
+        try:
+            uuid.UUID(value)
+            return True
+        except (ValueError, TypeError):
+            return False
--- a/api/services/tools/mcp_tools_manage_service.py
+++ b/api/services/tools/mcp_tools_manage_service.py
@ -1,7 +1,7 @@
 import hashlib
 import json
 from datetime import datetime
-from typing import Any
+from typing import Any, cast

 from sqlalchemy import or_
 from sqlalchemy.exc import IntegrityError
@ -27,6 +27,36 @@ class MCPToolManageService:
    Service class for managing mcp tools.
    """

+    @staticmethod
+    def _encrypt_headers(headers: dict[str, str], tenant_id: str) -> dict[str, str]:
+        """
+        Encrypt headers using ProviderConfigEncrypter with all headers as SECRET_INPUT.
+
+        Args:
+            headers: Dictionary of headers to encrypt
+            tenant_id: Tenant ID for encryption
+
+        Returns:
+            Dictionary with all headers encrypted
+        """
+        if not headers:
+            return {}
+
+        from core.entities.provider_entities import BasicProviderConfig
+        from core.helper.provider_cache import NoOpProviderCredentialCache
+        from core.tools.utils.encryption import create_provider_encrypter
+
+        # Create dynamic config for all headers as SECRET_INPUT
+        config = [BasicProviderConfig(type=BasicProviderConfig.Type.SECRET_INPUT, name=key) for key in headers]
+
+        encrypter_instance, _ = create_provider_encrypter(
+            tenant_id=tenant_id,
+            config=config,
+            cache=NoOpProviderCredentialCache(),
+        )
+
+        return cast(dict[str, str], encrypter_instance.encrypt(headers))
+
    @staticmethod
    def get_mcp_provider_by_provider_id(provider_id: str, tenant_id: str) -> MCPToolProvider:
        res = (
@ -61,6 +91,7 @@ class MCPToolManageService:
        server_identifier: str,
        timeout: float,
        sse_read_timeout: float,
+        headers: dict[str, str] | None = None,
    ) -> ToolProviderApiEntity:
        server_url_hash = hashlib.sha256(server_url.encode()).hexdigest()
        existing_provider = (
@ -83,6 +114,12 @@ class MCPToolManageService:
            if existing_provider.server_identifier == server_identifier:
                raise ValueError(f"MCP tool {server_identifier} already exists")
        encrypted_server_url = encrypter.encrypt_token(tenant_id, server_url)
+        # Encrypt headers
+        encrypted_headers = None
+        if headers:
+            encrypted_headers_dict = MCPToolManageService._encrypt_headers(headers, tenant_id)
+            encrypted_headers = json.dumps(encrypted_headers_dict)
+
        mcp_tool = MCPToolProvider(
            tenant_id=tenant_id,
            name=name,
@ -95,6 +132,7 @@ class MCPToolManageService:
            server_identifier=server_identifier,
            timeout=timeout,
            sse_read_timeout=sse_read_timeout,
+            encrypted_headers=encrypted_headers,
        )
        db.session.add(mcp_tool)
        db.session.commit()
@ -118,9 +156,21 @@ class MCPToolManageService:
        mcp_provider = cls.get_mcp_provider_by_provider_id(provider_id, tenant_id)
        server_url = mcp_provider.decrypted_server_url
        authed = mcp_provider.authed
+        headers = mcp_provider.decrypted_headers
+        timeout = mcp_provider.timeout
+        sse_read_timeout = mcp_provider.sse_read_timeout

        try:
-            with MCPClient(server_url, provider_id, tenant_id, authed=authed, for_list=True) as mcp_client:
+            with MCPClient(
+                server_url,
+                provider_id,
+                tenant_id,
+                authed=authed,
+                for_list=True,
+                headers=headers,
+                timeout=timeout,
+                sse_read_timeout=sse_read_timeout,
+            ) as mcp_client:
                tools = mcp_client.list_tools()
        except MCPAuthError:
            raise ValueError("Please auth the tool first")
@ -172,6 +222,7 @@ class MCPToolManageService:
        server_identifier: str,
        timeout: float | None = None,
        sse_read_timeout: float | None = None,
+        headers: dict[str, str] | None = None,
    ):
        mcp_provider = cls.get_mcp_provider_by_provider_id(provider_id, tenant_id)

@ -207,6 +258,13 @@ class MCPToolManageService:
                mcp_provider.timeout = timeout
            if sse_read_timeout is not None:
                mcp_provider.sse_read_timeout = sse_read_timeout
+            if headers is not None:
+                # Encrypt headers
+                if headers:
+                    encrypted_headers_dict = MCPToolManageService._encrypt_headers(headers, tenant_id)
+                    mcp_provider.encrypted_headers = json.dumps(encrypted_headers_dict)
+                else:
+                    mcp_provider.encrypted_headers = None
            db.session.commit()
        except IntegrityError as e:
            db.session.rollback()
@ -242,6 +300,12 @@ class MCPToolManageService:

    @classmethod
    def _re_connect_mcp_provider(cls, server_url: str, provider_id: str, tenant_id: str):
+        # Get the existing provider to access headers and timeout settings
+        mcp_provider = cls.get_mcp_provider_by_provider_id(provider_id, tenant_id)
+        headers = mcp_provider.decrypted_headers
+        timeout = mcp_provider.timeout
+        sse_read_timeout = mcp_provider.sse_read_timeout
+
        try:
            with MCPClient(
                server_url,
@ -249,6 +313,9 @@ class MCPToolManageService:
                tenant_id,
                authed=False,
                for_list=True,
+                headers=headers,
+                timeout=timeout,
+                sse_read_timeout=sse_read_timeout,
            ) as mcp_client:
                tools = mcp_client.list_tools()
                return {
--- a/api/services/tools/tools_transform_service.py
+++ b/api/services/tools/tools_transform_service.py
@ -237,6 +237,10 @@ class ToolTransformService:
            label=I18nObject(en_US=db_provider.name, zh_Hans=db_provider.name),
            description=I18nObject(en_US="", zh_Hans=""),
            server_identifier=db_provider.server_identifier,
+            timeout=db_provider.timeout,
+            sse_read_timeout=db_provider.sse_read_timeout,
+            masked_headers=db_provider.masked_headers,
+            original_headers=db_provider.decrypted_headers,
        )

    @staticmethod
--- a/api/tests/test_containers_integration_tests/services/tools/test_mcp_tools_manage_service.py
+++ b/api/tests/test_containers_integration_tests/services/tools/test_mcp_tools_manage_service.py
@ -706,7 +706,14 @@ class TestMCPToolManageService:

        # Verify mock interactions
        mock_mcp_client.assert_called_once_with(
-            "https://example.com/mcp", mcp_provider.id, tenant.id, authed=False, for_list=True
+            "https://example.com/mcp",
+            mcp_provider.id,
+            tenant.id,
+            authed=False,
+            for_list=True,
+            headers={},
+            timeout=30.0,
+            sse_read_timeout=300.0,
        )

    def test_list_mcp_tool_from_remote_server_auth_error(
@ -1181,6 +1188,11 @@ class TestMCPToolManageService:
            db_session_with_containers, mock_external_service_dependencies
        )

+        # Create MCP provider first
+        mcp_provider = self._create_test_mcp_provider(
+            db_session_with_containers, mock_external_service_dependencies, tenant.id, account.id
+        )
+
        # Mock MCPClient and its context manager
        mock_tools = [
            type("MockTool", (), {"model_dump": lambda self: {"name": "test_tool_1", "description": "Test tool 1"}})(),
@ -1194,7 +1206,7 @@ class TestMCPToolManageService:

            # Act: Execute the method under test
            result = MCPToolManageService._re_connect_mcp_provider(
-                "https://example.com/mcp", "test_provider_id", tenant.id
+                "https://example.com/mcp", mcp_provider.id, tenant.id
            )

        # Assert: Verify the expected outcomes
@ -1213,7 +1225,14 @@ class TestMCPToolManageService:

        # Verify mock interactions
        mock_mcp_client.assert_called_once_with(
-            "https://example.com/mcp", "test_provider_id", tenant.id, authed=False, for_list=True
+            "https://example.com/mcp",
+            mcp_provider.id,
+            tenant.id,
+            authed=False,
+            for_list=True,
+            headers={},
+            timeout=30.0,
+            sse_read_timeout=300.0,
        )

    def test_re_connect_mcp_provider_auth_error(self, db_session_with_containers, mock_external_service_dependencies):
@ -1231,6 +1250,11 @@ class TestMCPToolManageService:
            db_session_with_containers, mock_external_service_dependencies
        )

+        # Create MCP provider first
+        mcp_provider = self._create_test_mcp_provider(
+            db_session_with_containers, mock_external_service_dependencies, tenant.id, account.id
+        )
+
        # Mock MCPClient to raise authentication error
        with patch("services.tools.mcp_tools_manage_service.MCPClient") as mock_mcp_client:
            from core.mcp.error import MCPAuthError
@ -1240,7 +1264,7 @@ class TestMCPToolManageService:

            # Act: Execute the method under test
            result = MCPToolManageService._re_connect_mcp_provider(
-                "https://example.com/mcp", "test_provider_id", tenant.id
+                "https://example.com/mcp", mcp_provider.id, tenant.id
            )

        # Assert: Verify the expected outcomes
@ -1265,6 +1289,11 @@ class TestMCPToolManageService:
            db_session_with_containers, mock_external_service_dependencies
        )

+        # Create MCP provider first
+        mcp_provider = self._create_test_mcp_provider(
+            db_session_with_containers, mock_external_service_dependencies, tenant.id, account.id
+        )
+
        # Mock MCPClient to raise connection error
        with patch("services.tools.mcp_tools_manage_service.MCPClient") as mock_mcp_client:
            from core.mcp.error import MCPError
@ -1274,4 +1303,4 @@ class TestMCPToolManageService:

            # Act & Assert: Verify proper error handling
            with pytest.raises(ValueError, match="Failed to re-connect MCP server: Connection failed"):
-                MCPToolManageService._re_connect_mcp_provider("https://example.com/mcp", "test_provider_id", tenant.id)
+                MCPToolManageService._re_connect_mcp_provider("https://example.com/mcp", mcp_provider.id, tenant.id)
--- a/api/tests/test_containers_integration_tests/tasks/test_batch_create_segment_to_index_task.py
+++ b/api/tests/test_containers_integration_tests/tasks/test_batch_create_segment_to_index_task.py
@ -0,0 +1,734 @@
+"""
+Integration tests for batch_create_segment_to_index_task using testcontainers.
+
+This module provides comprehensive integration tests for the batch segment creation
+and indexing task using TestContainers infrastructure. The tests ensure that the
+task properly processes CSV files, creates document segments, and establishes
+vector indexes in a real database environment.
+
+All tests use the testcontainers infrastructure to ensure proper database isolation
+and realistic testing scenarios with actual PostgreSQL and Redis instances.
+"""
+
+import uuid
+from datetime import datetime
+from unittest.mock import MagicMock, patch
+
+import pytest
+from faker import Faker
+
+from models.account import Account, Tenant, TenantAccountJoin, TenantAccountRole
+from models.dataset import Dataset, Document, DocumentSegment
+from models.enums import CreatorUserRole
+from models.model import UploadFile
+from tasks.batch_create_segment_to_index_task import batch_create_segment_to_index_task
+
+
+class TestBatchCreateSegmentToIndexTask:
+    """Integration tests for batch_create_segment_to_index_task using testcontainers."""
+
+    @pytest.fixture(autouse=True)
+    def cleanup_database(self, db_session_with_containers):
+        """Clean up database before each test to ensure isolation."""
+        from extensions.ext_database import db
+        from extensions.ext_redis import redis_client
+
+        # Clear all test data
+        db.session.query(DocumentSegment).delete()
+        db.session.query(Document).delete()
+        db.session.query(Dataset).delete()
+        db.session.query(UploadFile).delete()
+        db.session.query(TenantAccountJoin).delete()
+        db.session.query(Tenant).delete()
+        db.session.query(Account).delete()
+        db.session.commit()
+
+        # Clear Redis cache
+        redis_client.flushdb()
+
+    @pytest.fixture
+    def mock_external_service_dependencies(self):
+        """Mock setup for external service dependencies."""
+        with (
+            patch("tasks.batch_create_segment_to_index_task.storage") as mock_storage,
+            patch("tasks.batch_create_segment_to_index_task.ModelManager") as mock_model_manager,
+            patch("tasks.batch_create_segment_to_index_task.VectorService") as mock_vector_service,
+        ):
+            # Setup default mock returns
+            mock_storage.download.return_value = None
+
+            # Mock embedding model for high quality indexing
+            mock_embedding_model = MagicMock()
+            mock_embedding_model.get_text_embedding_num_tokens.return_value = [10, 15, 20]
+            mock_model_manager_instance = MagicMock()
+            mock_model_manager_instance.get_model_instance.return_value = mock_embedding_model
+            mock_model_manager.return_value = mock_model_manager_instance
+
+            # Mock vector service
+            mock_vector_service.create_segments_vector.return_value = None
+
+            yield {
+                "storage": mock_storage,
+                "model_manager": mock_model_manager,
+                "vector_service": mock_vector_service,
+                "embedding_model": mock_embedding_model,
+            }
+
+    def _create_test_account_and_tenant(self, db_session_with_containers):
+        """
+        Helper method to create a test account and tenant for testing.
+
+        Args:
+            db_session_with_containers: Database session from testcontainers infrastructure
+
+        Returns:
+            tuple: (Account, Tenant) created instances
+        """
+        fake = Faker()
+
+        # Create account
+        account = Account(
+            email=fake.email(),
+            name=fake.name(),
+            interface_language="en-US",
+            status="active",
+        )
+
+        from extensions.ext_database import db
+
+        db.session.add(account)
+        db.session.commit()
+
+        # Create tenant for the account
+        tenant = Tenant(
+            name=fake.company(),
+            status="normal",
+        )
+        db.session.add(tenant)
+        db.session.commit()
+
+        # Create tenant-account join
+        join = TenantAccountJoin(
+            tenant_id=tenant.id,
+            account_id=account.id,
+            role=TenantAccountRole.OWNER.value,
+            current=True,
+        )
+        db.session.add(join)
+        db.session.commit()
+
+        # Set current tenant for account
+        account.current_tenant = tenant
+
+        return account, tenant
+
+    def _create_test_dataset(self, db_session_with_containers, account, tenant):
+        """
+        Helper method to create a test dataset for testing.
+
+        Args:
+            db_session_with_containers: Database session from testcontainers infrastructure
+            account: Account instance
+            tenant: Tenant instance
+
+        Returns:
+            Dataset: Created dataset instance
+        """
+        fake = Faker()
+
+        dataset = Dataset(
+            tenant_id=tenant.id,
+            name=fake.company(),
+            description=fake.text(),
+            data_source_type="upload_file",
+            indexing_technique="high_quality",
+            embedding_model="text-embedding-ada-002",
+            embedding_model_provider="openai",
+            created_by=account.id,
+        )
+
+        from extensions.ext_database import db
+
+        db.session.add(dataset)
+        db.session.commit()
+
+        return dataset
+
+    def _create_test_document(self, db_session_with_containers, account, tenant, dataset):
+        """
+        Helper method to create a test document for testing.
+
+        Args:
+            db_session_with_containers: Database session from testcontainers infrastructure
+            account: Account instance
+            tenant: Tenant instance
+            dataset: Dataset instance
+
+        Returns:
+            Document: Created document instance
+        """
+        fake = Faker()
+
+        document = Document(
+            tenant_id=tenant.id,
+            dataset_id=dataset.id,
+            position=1,
+            data_source_type="upload_file",
+            batch="test_batch",
+            name=fake.file_name(),
+            created_from="upload_file",
+            created_by=account.id,
+            indexing_status="completed",
+            enabled=True,
+            archived=False,
+            doc_form="text_model",
+            word_count=0,
+        )
+
+        from extensions.ext_database import db
+
+        db.session.add(document)
+        db.session.commit()
+
+        return document
+
+    def _create_test_upload_file(self, db_session_with_containers, account, tenant):
+        """
+        Helper method to create a test upload file for testing.
+
+        Args:
+            db_session_with_containers: Database session from testcontainers infrastructure
+            account: Account instance
+            tenant: Tenant instance
+
+        Returns:
+            UploadFile: Created upload file instance
+        """
+        fake = Faker()
+
+        upload_file = UploadFile(
+            tenant_id=tenant.id,
+            storage_type="local",
+            key=f"test_files/{fake.file_name()}",
+            name=fake.file_name(),
+            size=1024,
+            extension=".csv",
+            mime_type="text/csv",
+            created_by_role=CreatorUserRole.ACCOUNT,
+            created_by=account.id,
+            created_at=datetime.now(),
+            used=False,
+        )
+
+        from extensions.ext_database import db
+
+        db.session.add(upload_file)
+        db.session.commit()
+
+        return upload_file
+
+    def _create_test_csv_content(self, content_type="text_model"):
+        """
+        Helper method to create test CSV content.
+
+        Args:
+            content_type: Type of content to create ("text_model" or "qa_model")
+
+        Returns:
+            str: CSV content as string
+        """
+        if content_type == "qa_model":
+            csv_content = "content,answer\n"
+            csv_content += "This is the first segment content,This is the first answer\n"
+            csv_content += "This is the second segment content,This is the second answer\n"
+            csv_content += "This is the third segment content,This is the third answer\n"
+        else:
+            csv_content = "content\n"
+            csv_content += "This is the first segment content\n"
+            csv_content += "This is the second segment content\n"
+            csv_content += "This is the third segment content\n"
+
+        return csv_content
+
+    def test_batch_create_segment_to_index_task_success_text_model(
+        self, db_session_with_containers, mock_external_service_dependencies
+    ):
+        """
+        Test successful batch creation of segments for text model documents.
+
+        This test verifies that the task can successfully:
+        1. Process a CSV file with text content
+        2. Create document segments with proper metadata
+        3. Update document word count
+        4. Create vector indexes
+        5. Set Redis cache status
+        """
+        # Create test data
+        account, tenant = self._create_test_account_and_tenant(db_session_with_containers)
+        dataset = self._create_test_dataset(db_session_with_containers, account, tenant)
+        document = self._create_test_document(db_session_with_containers, account, tenant, dataset)
+        upload_file = self._create_test_upload_file(db_session_with_containers, account, tenant)
+
+        # Create CSV content
+        csv_content = self._create_test_csv_content("text_model")
+
+        # Mock storage to return our CSV content
+        mock_storage = mock_external_service_dependencies["storage"]
+
+        def mock_download(key, file_path):
+            with open(file_path, "w", encoding="utf-8") as f:
+                f.write(csv_content)
+
+        mock_storage.download.side_effect = mock_download
+
+        # Execute the task
+        job_id = str(uuid.uuid4())
+        batch_create_segment_to_index_task(
+            job_id=job_id,
+            upload_file_id=upload_file.id,
+            dataset_id=dataset.id,
+            document_id=document.id,
+            tenant_id=tenant.id,
+            user_id=account.id,
+        )
+
+        # Verify results
+        from extensions.ext_database import db
+
+        # Check that segments were created
+        segments = db.session.query(DocumentSegment).filter_by(document_id=document.id).all()
+        assert len(segments) == 3
+
+        # Verify segment content and metadata
+        for i, segment in enumerate(segments):
+            assert segment.tenant_id == tenant.id
+            assert segment.dataset_id == dataset.id
+            assert segment.document_id == document.id
+            assert segment.position == i + 1
+            assert segment.status == "completed"
+            assert segment.indexing_at is not None
+            assert segment.completed_at is not None
+            assert segment.answer is None  # text_model doesn't have answers
+
+        # Check that document word count was updated
+        db.session.refresh(document)
+        assert document.word_count > 0
+
+        # Verify vector service was called
+        mock_vector_service = mock_external_service_dependencies["vector_service"]
+        mock_vector_service.create_segments_vector.assert_called_once()
+
+        # Check Redis cache was set
+        from extensions.ext_redis import redis_client
+
+        cache_key = f"segment_batch_import_{job_id}"
+        cache_value = redis_client.get(cache_key)
+        assert cache_value == b"completed"
+
+    def test_batch_create_segment_to_index_task_dataset_not_found(
+        self, db_session_with_containers, mock_external_service_dependencies
+    ):
+        """
+        Test task failure when dataset does not exist.
+
+        This test verifies that the task properly handles error cases:
+        1. Fails gracefully when dataset is not found
+        2. Sets appropriate Redis cache status
+        3. Logs error information
+        4. Maintains database integrity
+        """
+        # Create test data
+        account, tenant = self._create_test_account_and_tenant(db_session_with_containers)
+        upload_file = self._create_test_upload_file(db_session_with_containers, account, tenant)
+
+        # Use non-existent IDs
+        non_existent_dataset_id = str(uuid.uuid4())
+        non_existent_document_id = str(uuid.uuid4())
+
+        # Execute the task with non-existent dataset
+        job_id = str(uuid.uuid4())
+        batch_create_segment_to_index_task(
+            job_id=job_id,
+            upload_file_id=upload_file.id,
+            dataset_id=non_existent_dataset_id,
+            document_id=non_existent_document_id,
+            tenant_id=tenant.id,
+            user_id=account.id,
+        )
+
+        # Verify error handling
+        # Check Redis cache was set to error status
+        from extensions.ext_redis import redis_client
+
+        cache_key = f"segment_batch_import_{job_id}"
+        cache_value = redis_client.get(cache_key)
+        assert cache_value == b"error"
+
+        # Verify no segments were created (since dataset doesn't exist)
+        from extensions.ext_database import db
+
+        segments = db.session.query(DocumentSegment).all()
+        assert len(segments) == 0
+
+        # Verify no documents were modified
+        documents = db.session.query(Document).all()
+        assert len(documents) == 0
+
+    def test_batch_create_segment_to_index_task_document_not_found(
+        self, db_session_with_containers, mock_external_service_dependencies
+    ):
+        """
+        Test task failure when document does not exist.
+
+        This test verifies that the task properly handles error cases:
+        1. Fails gracefully when document is not found
+        2. Sets appropriate Redis cache status
+        3. Maintains database integrity
+        4. Logs appropriate error information
+        """
+        # Create test data
+        account, tenant = self._create_test_account_and_tenant(db_session_with_containers)
+        dataset = self._create_test_dataset(db_session_with_containers, account, tenant)
+        upload_file = self._create_test_upload_file(db_session_with_containers, account, tenant)
+
+        # Use non-existent document ID
+        non_existent_document_id = str(uuid.uuid4())
+
+        # Execute the task with non-existent document
+        job_id = str(uuid.uuid4())
+        batch_create_segment_to_index_task(
+            job_id=job_id,
+            upload_file_id=upload_file.id,
+            dataset_id=dataset.id,
+            document_id=non_existent_document_id,
+            tenant_id=tenant.id,
+            user_id=account.id,
+        )
+
+        # Verify error handling
+        # Check Redis cache was set to error status
+        from extensions.ext_redis import redis_client
+
+        cache_key = f"segment_batch_import_{job_id}"
+        cache_value = redis_client.get(cache_key)
+        assert cache_value == b"error"
+
+        # Verify no segments were created
+        from extensions.ext_database import db
+
+        segments = db.session.query(DocumentSegment).all()
+        assert len(segments) == 0
+
+        # Verify dataset remains unchanged (no segments were added to the dataset)
+        db.session.refresh(dataset)
+        segments_for_dataset = db.session.query(DocumentSegment).filter_by(dataset_id=dataset.id).all()
+        assert len(segments_for_dataset) == 0
+
+    def test_batch_create_segment_to_index_task_document_not_available(
+        self, db_session_with_containers, mock_external_service_dependencies
+    ):
+        """
+        Test task failure when document is not available for indexing.
+
+        This test verifies that the task properly handles error cases:
+        1. Fails when document is disabled
+        2. Fails when document is archived
+        3. Fails when document indexing status is not completed
+        4. Sets appropriate Redis cache status
+        """
+        # Create test data
+        account, tenant = self._create_test_account_and_tenant(db_session_with_containers)
+        dataset = self._create_test_dataset(db_session_with_containers, account, tenant)
+        upload_file = self._create_test_upload_file(db_session_with_containers, account, tenant)
+
+        # Create document with various unavailable states
+        test_cases = [
+            # Disabled document
+            Document(
+                tenant_id=tenant.id,
+                dataset_id=dataset.id,
+                position=1,
+                data_source_type="upload_file",
+                batch="test_batch",
+                name="disabled_document",
+                created_from="upload_file",
+                created_by=account.id,
+                indexing_status="completed",
+                enabled=False,  # Document is disabled
+                archived=False,
+                doc_form="text_model",
+                word_count=0,
+            ),
+            # Archived document
+            Document(
+                tenant_id=tenant.id,
+                dataset_id=dataset.id,
+                position=2,
+                data_source_type="upload_file",
+                batch="test_batch",
+                name="archived_document",
+                created_from="upload_file",
+                created_by=account.id,
+                indexing_status="completed",
+                enabled=True,
+                archived=True,  # Document is archived
+                doc_form="text_model",
+                word_count=0,
+            ),
+            # Document with incomplete indexing
+            Document(
+                tenant_id=tenant.id,
+                dataset_id=dataset.id,
+                position=3,
+                data_source_type="upload_file",
+                batch="test_batch",
+                name="incomplete_document",
+                created_from="upload_file",
+                created_by=account.id,
+                indexing_status="indexing",  # Not completed
+                enabled=True,
+                archived=False,
+                doc_form="text_model",
+                word_count=0,
+            ),
+        ]
+
+        from extensions.ext_database import db
+
+        for document in test_cases:
+            db.session.add(document)
+        db.session.commit()
+
+        # Test each unavailable document
+        for i, document in enumerate(test_cases):
+            job_id = str(uuid.uuid4())
+            batch_create_segment_to_index_task(
+                job_id=job_id,
+                upload_file_id=upload_file.id,
+                dataset_id=dataset.id,
+                document_id=document.id,
+                tenant_id=tenant.id,
+                user_id=account.id,
+            )
+
+            # Verify error handling for each case
+            from extensions.ext_redis import redis_client
+
+            cache_key = f"segment_batch_import_{job_id}"
+            cache_value = redis_client.get(cache_key)
+            assert cache_value == b"error"
+
+            # Verify no segments were created
+            segments = db.session.query(DocumentSegment).filter_by(document_id=document.id).all()
+            assert len(segments) == 0
+
+    def test_batch_create_segment_to_index_task_upload_file_not_found(
+        self, db_session_with_containers, mock_external_service_dependencies
+    ):
+        """
+        Test task failure when upload file does not exist.
+
+        This test verifies that the task properly handles error cases:
+        1. Fails gracefully when upload file is not found
+        2. Sets appropriate Redis cache status
+        3. Maintains database integrity
+        4. Logs appropriate error information
+        """
+        # Create test data
+        account, tenant = self._create_test_account_and_tenant(db_session_with_containers)
+        dataset = self._create_test_dataset(db_session_with_containers, account, tenant)
+        document = self._create_test_document(db_session_with_containers, account, tenant, dataset)
+
+        # Use non-existent upload file ID
+        non_existent_upload_file_id = str(uuid.uuid4())
+
+        # Execute the task with non-existent upload file
+        job_id = str(uuid.uuid4())
+        batch_create_segment_to_index_task(
+            job_id=job_id,
+            upload_file_id=non_existent_upload_file_id,
+            dataset_id=dataset.id,
+            document_id=document.id,
+            tenant_id=tenant.id,
+            user_id=account.id,
+        )
+
+        # Verify error handling
+        # Check Redis cache was set to error status
+        from extensions.ext_redis import redis_client
+
+        cache_key = f"segment_batch_import_{job_id}"
+        cache_value = redis_client.get(cache_key)
+        assert cache_value == b"error"
+
+        # Verify no segments were created
+        from extensions.ext_database import db
+
+        segments = db.session.query(DocumentSegment).all()
+        assert len(segments) == 0
+
+        # Verify document remains unchanged
+        db.session.refresh(document)
+        assert document.word_count == 0
+
+    def test_batch_create_segment_to_index_task_empty_csv_file(
+        self, db_session_with_containers, mock_external_service_dependencies
+    ):
+        """
+        Test task failure when CSV file is empty.
+
+        This test verifies that the task properly handles error cases:
+        1. Fails when CSV file contains no data
+        2. Sets appropriate Redis cache status
+        3. Maintains database integrity
+        4. Logs appropriate error information
+        """
+        # Create test data
+        account, tenant = self._create_test_account_and_tenant(db_session_with_containers)
+        dataset = self._create_test_dataset(db_session_with_containers, account, tenant)
+        document = self._create_test_document(db_session_with_containers, account, tenant, dataset)
+        upload_file = self._create_test_upload_file(db_session_with_containers, account, tenant)
+
+        # Create empty CSV content
+        empty_csv_content = "content\n"  # Only header, no data rows
+
+        # Mock storage to return empty CSV content
+        mock_storage = mock_external_service_dependencies["storage"]
+
+        def mock_download(key, file_path):
+            with open(file_path, "w", encoding="utf-8") as f:
+                f.write(empty_csv_content)
+
+        mock_storage.download.side_effect = mock_download
+
+        # Execute the task
+        job_id = str(uuid.uuid4())
+        batch_create_segment_to_index_task(
+            job_id=job_id,
+            upload_file_id=upload_file.id,
+            dataset_id=dataset.id,
+            document_id=document.id,
+            tenant_id=tenant.id,
+            user_id=account.id,
+        )
+
+        # Verify error handling
+        # Check Redis cache was set to error status
+        from extensions.ext_redis import redis_client
+
+        cache_key = f"segment_batch_import_{job_id}"
+        cache_value = redis_client.get(cache_key)
+        assert cache_value == b"error"
+
+        # Verify no segments were created
+        from extensions.ext_database import db
+
+        segments = db.session.query(DocumentSegment).all()
+        assert len(segments) == 0
+
+        # Verify document remains unchanged
+        db.session.refresh(document)
+        assert document.word_count == 0
+
+    def test_batch_create_segment_to_index_task_position_calculation(
+        self, db_session_with_containers, mock_external_service_dependencies
+    ):
+        """
+        Test proper position calculation for segments when existing segments exist.
+
+        This test verifies that the task correctly:
+        1. Calculates positions for new segments based on existing ones
+        2. Handles position increment logic properly
+        3. Maintains proper segment ordering
+        4. Works with existing segment data
+        """
+        # Create test data
+        account, tenant = self._create_test_account_and_tenant(db_session_with_containers)
+        dataset = self._create_test_dataset(db_session_with_containers, account, tenant)
+        document = self._create_test_document(db_session_with_containers, account, tenant, dataset)
+        upload_file = self._create_test_upload_file(db_session_with_containers, account, tenant)
+
+        # Create existing segments to test position calculation
+        existing_segments = []
+        for i in range(3):
+            segment = DocumentSegment(
+                tenant_id=tenant.id,
+                dataset_id=dataset.id,
+                document_id=document.id,
+                position=i + 1,
+                content=f"Existing segment {i + 1}",
+                word_count=len(f"Existing segment {i + 1}"),
+                tokens=10,
+                created_by=account.id,
+                status="completed",
+                index_node_id=str(uuid.uuid4()),
+                index_node_hash=f"hash_{i}",
+            )
+            existing_segments.append(segment)
+
+        from extensions.ext_database import db
+
+        for segment in existing_segments:
+            db.session.add(segment)
+        db.session.commit()
+
+        # Create CSV content
+        csv_content = self._create_test_csv_content("text_model")
+
+        # Mock storage to return our CSV content
+        mock_storage = mock_external_service_dependencies["storage"]
+
+        def mock_download(key, file_path):
+            with open(file_path, "w", encoding="utf-8") as f:
+                f.write(csv_content)
+
+        mock_storage.download.side_effect = mock_download
+
+        # Execute the task
+        job_id = str(uuid.uuid4())
+        batch_create_segment_to_index_task(
+            job_id=job_id,
+            upload_file_id=upload_file.id,
+            dataset_id=dataset.id,
+            document_id=document.id,
+            tenant_id=tenant.id,
+            user_id=account.id,
+        )
+
+        # Verify results
+        # Check that new segments were created with correct positions
+        all_segments = (
+            db.session.query(DocumentSegment)
+            .filter_by(document_id=document.id)
+            .order_by(DocumentSegment.position)
+            .all()
+        )
+        assert len(all_segments) == 6  # 3 existing + 3 new
+
+        # Verify position ordering
+        for i, segment in enumerate(all_segments):
+            assert segment.position == i + 1
+
+        # Verify new segments have correct positions (4, 5, 6)
+        new_segments = all_segments[3:]
+        for i, segment in enumerate(new_segments):
+            expected_position = 4 + i  # Should start at position 4
+            assert segment.position == expected_position
+            assert segment.status == "completed"
+            assert segment.indexing_at is not None
+            assert segment.completed_at is not None
+
+        # Check that document word count was updated
+        db.session.refresh(document)
+        assert document.word_count > 0
+
+        # Verify vector service was called
+        mock_vector_service = mock_external_service_dependencies["vector_service"]
+        mock_vector_service.create_segments_vector.assert_called_once()
+
+        # Check Redis cache was set
+        from extensions.ext_redis import redis_client
+
+        cache_key = f"segment_batch_import_{job_id}"
+        cache_value = redis_client.get(cache_key)
+        assert cache_value == b"completed"
--- a/docker/.env.example
+++ b/docker/.env.example
@ -917,6 +917,12 @@ WORKFLOW_LOG_CLEANUP_BATCH_SIZE=100
 HTTP_REQUEST_NODE_MAX_BINARY_SIZE=10485760
 HTTP_REQUEST_NODE_MAX_TEXT_SIZE=1048576
 HTTP_REQUEST_NODE_SSL_VERIFY=True
+# Base64 encoded CA certificate data for custom certificate verification (PEM format, optional)
+# HTTP_REQUEST_NODE_SSL_CERT_DATA=LS0tLS1CRUdJTi...
+# Base64 encoded client certificate data for mutual TLS authentication (PEM format, optional)
+# HTTP_REQUEST_NODE_SSL_CLIENT_CERT_DATA=LS0tLS1CRUdJTi...
+# Base64 encoded client private key data for mutual TLS authentication (PEM format, optional)
+# HTTP_REQUEST_NODE_SSL_CLIENT_KEY_DATA=LS0tLS1CRUdJTi...

 # Respect X-* headers to redirect clients
 RESPECT_XFORWARD_HEADERS_ENABLED=false
@ -1270,6 +1276,10 @@ QUEUE_MONITOR_INTERVAL=30
 SWAGGER_UI_ENABLED=true
 SWAGGER_UI_PATH=/swagger-ui.html

+# Whether to encrypt dataset IDs when exporting DSL files (default: true)
+# Set to false to export dataset IDs as plain text for easier cross-environment import
+DSL_EXPORT_ENCRYPT_DATASET_ID=true
+
 # Celery schedule tasks configuration
 ENABLE_CLEAN_EMBEDDING_CACHE_TASK=false
 ENABLE_CLEAN_UNUSED_DATASETS_TASK=false
--- a/docker/docker-compose.yaml
+++ b/docker/docker-compose.yaml
@ -574,6 +574,7 @@ x-shared-env: &shared-api-worker-env
  QUEUE_MONITOR_INTERVAL: ${QUEUE_MONITOR_INTERVAL:-30}
  SWAGGER_UI_ENABLED: ${SWAGGER_UI_ENABLED:-true}
  SWAGGER_UI_PATH: ${SWAGGER_UI_PATH:-/swagger-ui.html}
+  DSL_EXPORT_ENCRYPT_DATASET_ID: ${DSL_EXPORT_ENCRYPT_DATASET_ID:-true}
  ENABLE_CLEAN_EMBEDDING_CACHE_TASK: ${ENABLE_CLEAN_EMBEDDING_CACHE_TASK:-false}
  ENABLE_CLEAN_UNUSED_DATASETS_TASK: ${ENABLE_CLEAN_UNUSED_DATASETS_TASK:-false}
  ENABLE_CREATE_TIDB_SERVERLESS_TASK: ${ENABLE_CREATE_TIDB_SERVERLESS_TASK:-false}
--- a/web/app/components/base/chat/utils.ts
+++ b/web/app/components/base/chat/utils.ts
@ -43,6 +43,16 @@ async function getProcessedInputsFromUrlParams(): Promise<Record<string, any>> {

 async function getProcessedSystemVariablesFromUrlParams(): Promise<Record<string, any>> {
  const urlParams = new URLSearchParams(window.location.search)
+  const redirectUrl = urlParams.get('redirect_url')
+  if (redirectUrl) {
+    const decodedRedirectUrl = decodeURIComponent(redirectUrl)
+    const queryString = decodedRedirectUrl.split('?')[1]
+    if (queryString) {
+      const redirectParams = new URLSearchParams(queryString)
+      for (const [key, value] of redirectParams.entries())
+        urlParams.set(key, value)
+    }
+  }
  const systemVariables: Record<string, any> = {}
  const entriesArray = Array.from(urlParams.entries())
  await Promise.all(
--- a/web/app/components/tools/mcp/headers-input.tsx
+++ b/web/app/components/tools/mcp/headers-input.tsx
@ -0,0 +1,143 @@
+'use client'
+import React, { useCallback } from 'react'
+import { useTranslation } from 'react-i18next'
+import { RiAddLine, RiDeleteBinLine } from '@remixicon/react'
+import Input from '@/app/components/base/input'
+import Button from '@/app/components/base/button'
+import ActionButton from '@/app/components/base/action-button'
+import cn from '@/utils/classnames'
+
+export type HeaderItem = {
+  key: string
+  value: string
+}
+
+type Props = {
+  headers: Record<string, string>
+  onChange: (headers: Record<string, string>) => void
+  readonly?: boolean
+  isMasked?: boolean
+}
+
+const HeadersInput = ({
+  headers,
+  onChange,
+  readonly = false,
+  isMasked = false,
+}: Props) => {
+  const { t } = useTranslation()
+
+  const headerItems = Object.entries(headers).map(([key, value]) => ({ key, value }))
+
+  const handleItemChange = useCallback((index: number, field: 'key' | 'value', value: string) => {
+    const newItems = [...headerItems]
+    newItems[index] = { ...newItems[index], [field]: value }
+
+    const newHeaders = newItems.reduce((acc, item) => {
+      if (item.key.trim())
+        acc[item.key.trim()] = item.value
+      return acc
+    }, {} as Record<string, string>)
+
+    onChange(newHeaders)
+  }, [headerItems, onChange])
+
+  const handleRemoveItem = useCallback((index: number) => {
+    const newItems = headerItems.filter((_, i) => i !== index)
+    const newHeaders = newItems.reduce((acc, item) => {
+      if (item.key.trim())
+        acc[item.key.trim()] = item.value
+
+      return acc
+    }, {} as Record<string, string>)
+    onChange(newHeaders)
+  }, [headerItems, onChange])
+
+  const handleAddItem = useCallback(() => {
+    const newHeaders = { ...headers, '': '' }
+    onChange(newHeaders)
+  }, [headers, onChange])
+
+  if (headerItems.length === 0) {
+    return (
+      <div className='space-y-2'>
+        <div className='body-xs-regular text-text-tertiary'>
+          {t('tools.mcp.modal.noHeaders')}
+        </div>
+        {!readonly && (
+          <Button
+            variant='secondary'
+            size='small'
+            onClick={handleAddItem}
+            className='w-full'
+          >
+            <RiAddLine className='mr-1 h-4 w-4' />
+            {t('tools.mcp.modal.addHeader')}
+          </Button>
+        )}
+      </div>
+    )
+  }
+
+  return (
+    <div className='space-y-2'>
+      {isMasked && (
+        <div className='body-xs-regular text-text-tertiary'>
+          {t('tools.mcp.modal.maskedHeadersTip')}
+        </div>
+      )}
+      <div className='overflow-hidden rounded-lg border border-divider-regular'>
+        <div className='system-xs-medium-uppercase bg-background-secondary flex h-7 items-center leading-7 text-text-tertiary'>
+          <div className='h-full w-1/2 border-r border-divider-regular pl-3'>{t('tools.mcp.modal.headerKey')}</div>
+          <div className='h-full w-1/2 pl-3 pr-1'>{t('tools.mcp.modal.headerValue')}</div>
+        </div>
+        {headerItems.map((item, index) => (
+          <div key={index} className={cn(
+            'flex items-center border-divider-regular',
+            index < headerItems.length - 1 && 'border-b',
+          )}>
+            <div className='w-1/2 border-r border-divider-regular'>
+              <Input
+                value={item.key}
+                onChange={e => handleItemChange(index, 'key', e.target.value)}
+                placeholder={t('tools.mcp.modal.headerKeyPlaceholder')}
+                className='rounded-none border-0'
+                readOnly={readonly}
+              />
+            </div>
+            <div className='flex w-1/2 items-center'>
+              <Input
+                value={item.value}
+                onChange={e => handleItemChange(index, 'value', e.target.value)}
+                placeholder={t('tools.mcp.modal.headerValuePlaceholder')}
+                className='flex-1 rounded-none border-0'
+                readOnly={readonly}
+              />
+              {!readonly && headerItems.length > 1 && (
+                <ActionButton
+                  onClick={() => handleRemoveItem(index)}
+                  className='mr-2'
+                >
+                  <RiDeleteBinLine className='h-4 w-4 text-text-destructive' />
+                </ActionButton>
+              )}
+            </div>
+          </div>
+        ))}
+      </div>
+      {!readonly && (
+        <Button
+          variant='secondary'
+          size='small'
+          onClick={handleAddItem}
+          className='w-full'
+        >
+          <RiAddLine className='mr-1 h-4 w-4' />
+          {t('tools.mcp.modal.addHeader')}
+        </Button>
+      )}
+    </div>
+  )
+}
+
+export default React.memo(HeadersInput)
--- a/web/app/components/tools/mcp/modal.tsx
+++ b/web/app/components/tools/mcp/modal.tsx
@ -9,6 +9,7 @@ import AppIcon from '@/app/components/base/app-icon'
 import Modal from '@/app/components/base/modal'
 import Button from '@/app/components/base/button'
 import Input from '@/app/components/base/input'
+import HeadersInput from './headers-input'
 import type { AppIconType } from '@/types/app'
 import type { ToolWithProvider } from '@/app/components/workflow/types'
 import { noop } from 'lodash-es'
@ -29,6 +30,7 @@ export type DuplicateAppModalProps = {
    server_identifier: string
    timeout: number
    sse_read_timeout: number
+    headers?: Record<string, string>
  }) => void
  onHide: () => void
 }
@ -66,12 +68,38 @@ const MCPModal = ({
  const [appIcon, setAppIcon] = useState<AppIconSelection>(getIcon(data))
  const [showAppIconPicker, setShowAppIconPicker] = useState(false)
  const [serverIdentifier, setServerIdentifier] = React.useState(data?.server_identifier || '')
-  const [timeout, setMcpTimeout] = React.useState(30)
-  const [sseReadTimeout, setSseReadTimeout] = React.useState(300)
+  const [timeout, setMcpTimeout] = React.useState(data?.timeout || 30)
+  const [sseReadTimeout, setSseReadTimeout] = React.useState(data?.sse_read_timeout || 300)
+  const [headers, setHeaders] = React.useState<Record<string, string>>(
+    data?.masked_headers || {},
+  )
  const [isFetchingIcon, setIsFetchingIcon] = useState(false)
  const appIconRef = useRef<HTMLDivElement>(null)
  const isHovering = useHover(appIconRef)

+  // Update states when data changes (for edit mode)
+  React.useEffect(() => {
+    if (data) {
+      setUrl(data.server_url || '')
+      setName(data.name || '')
+      setServerIdentifier(data.server_identifier || '')
+      setMcpTimeout(data.timeout || 30)
+      setSseReadTimeout(data.sse_read_timeout || 300)
+      setHeaders(data.masked_headers || {})
+      setAppIcon(getIcon(data))
+    }
+    else {
+      // Reset for create mode
+      setUrl('')
+      setName('')
+      setServerIdentifier('')
+      setMcpTimeout(30)
+      setSseReadTimeout(300)
+      setHeaders({})
+      setAppIcon(DEFAULT_ICON as AppIconSelection)
+    }
+  }, [data])
+
  const isValidUrl = (string: string) => {
    try {
      const urlPattern = /^(https?:\/\/)((([a-z\d]([a-z\d-]*[a-z\d])*)\.)+[a-z]{2,}|((\d{1,3}\.){3}\d{1,3})|localhost)(\:\d+)?(\/[-a-z\d%_.~+]*)*(\?[;&a-z\d%_.~+=-]*)?/i
@ -129,6 +157,7 @@ const MCPModal = ({
      server_identifier: serverIdentifier.trim(),
      timeout: timeout || 30,
      sse_read_timeout: sseReadTimeout || 300,
+      headers: Object.keys(headers).length > 0 ? headers : undefined,
    })
    if(isCreate)
      onHide()
@ -231,6 +260,18 @@ const MCPModal = ({
              placeholder={t('tools.mcp.modal.timeoutPlaceholder')}
            />
          </div>
+          <div>
+            <div className='mb-1 flex h-6 items-center'>
+              <span className='system-sm-medium text-text-secondary'>{t('tools.mcp.modal.headers')}</span>
+            </div>
+            <div className='body-xs-regular mb-2 text-text-tertiary'>{t('tools.mcp.modal.headersTip')}</div>
+            <HeadersInput
+              headers={headers}
+              onChange={setHeaders}
+              readonly={false}
+              isMasked={!isCreate && Object.keys(headers).length > 0}
+            />
+          </div>
        </div>
        <div className='flex flex-row-reverse pt-5'>
          <Button disabled={!name || !url || !serverIdentifier || isFetchingIcon} className='ml-2' variant='primary' onClick={submit}>{data ? t('tools.mcp.modal.save') : t('tools.mcp.modal.confirm')}</Button>
--- a/web/app/components/tools/types.ts
+++ b/web/app/components/tools/types.ts
@ -59,6 +59,8 @@ export type Collection = {
  server_identifier?: string
  timeout?: number
  sse_read_timeout?: number
+  headers?: Record<string, string>
+  masked_headers?: Record<string, string>
 }

 export type ToolParameter = {
@ -184,4 +186,5 @@ export type MCPServerDetail = {
  description: string
  status: string
  parameters?: Record<string, string>
+  headers?: Record<string, string>
 }
--- a/web/i18n/de-DE/tools.ts
+++ b/web/i18n/de-DE/tools.ts
@ -193,6 +193,16 @@ const translation = {
      confirm: 'Hinzufügen & Autorisieren',
      sseReadTimeout: 'SSE-Lesezeitüberschreitung',
      timeout: 'Zeitüberschreitung',
+      headers: 'Kopfzeilen',
+      timeoutPlaceholder: 'dreißig',
+      headerKeyPlaceholder: 'z.B., Autorisierung',
+      addHeader: 'Kopfzeile hinzufügen',
+      headerValuePlaceholder: 'z.B., Träger Token123',
+      headerValue: 'Header-Wert',
+      headerKey: 'Kopfzeilenname',
+      noHeaders: 'Keine benutzerdefinierten Header konfiguriert',
+      maskedHeadersTip: 'Headerwerte sind zum Schutz maskiert. Änderungen werden die tatsächlichen Werte aktualisieren.',
+      headersTip: 'Zusätzliche HTTP-Header, die mit MCP-Serveranfragen gesendet werden sollen',
    },
    delete: 'MCP-Server entfernen',
    deleteConfirmTitle: 'Möchten Sie {{mcp}} entfernen?',
--- a/web/i18n/en-US/tools.ts
+++ b/web/i18n/en-US/tools.ts
@ -187,12 +187,22 @@ const translation = {
      serverIdentifier: 'Server Identifier',
      serverIdentifierTip: 'Unique identifier for the MCP server within the workspace. Lowercase letters, numbers, underscores, and hyphens only. Up to 24 characters.',
      serverIdentifierPlaceholder: 'Unique identifier, e.g., my-mcp-server',
-      serverIdentifierWarning: 'The server won’t be recognized by existing apps after an ID change',
+      serverIdentifierWarning: 'The server won\'t be recognized by existing apps after an ID change',
+      headers: 'Headers',
+      headersTip: 'Additional HTTP headers to send with MCP server requests',
+      headerKey: 'Header Name',
+      headerValue: 'Header Value',
+      headerKeyPlaceholder: 'e.g., Authorization',
+      headerValuePlaceholder: 'e.g., Bearer token123',
+      addHeader: 'Add Header',
+      noHeaders: 'No custom headers configured',
+      maskedHeadersTip: 'Header values are masked for security. Changes will update the actual values.',
      cancel: 'Cancel',
      save: 'Save',
      confirm: 'Add & Authorize',
      timeout: 'Timeout',
      sseReadTimeout: 'SSE Read Timeout',
+      timeoutPlaceholder: '30',
    },
    delete: 'Remove MCP Server',
    deleteConfirmTitle: 'Would you like to remove {{mcp}}?',
--- a/web/i18n/es-ES/tools.ts
+++ b/web/i18n/es-ES/tools.ts
@ -193,6 +193,16 @@ const translation = {
      confirm: 'Añadir y Autorizar',
      sseReadTimeout: 'Tiempo de espera de lectura SSE',
      timeout: 'Tiempo de espera',
+      timeoutPlaceholder: 'treinta',
+      headers: 'Encabezados',
+      addHeader: 'Agregar encabezado',
+      headerValuePlaceholder: 'por ejemplo, token de portador123',
+      headersTip: 'Encabezados HTTP adicionales para enviar con las solicitudes del servidor MCP',
+      maskedHeadersTip: 'Los valores del encabezado están enmascarados por seguridad. Los cambios actualizarán los valores reales.',
+      headerKeyPlaceholder: 'por ejemplo, Autorización',
+      headerValue: 'Valor del encabezado',
+      noHeaders: 'No se han configurado encabezados personalizados',
+      headerKey: 'Nombre del encabezado',
    },
    delete: 'Eliminar servidor MCP',
    deleteConfirmTitle: '¿Eliminar {{mcp}}?',
--- a/web/i18n/fa-IR/tools.ts
+++ b/web/i18n/fa-IR/tools.ts
@ -193,6 +193,16 @@ const translation = {
      confirm: 'افزودن و مجوزدهی',
      timeout: 'مهلت',
      sseReadTimeout: 'زمان.out خواندن SSE',
+      headers: 'عناوین',
+      timeoutPlaceholder: 'سی',
+      headerKey: 'نام هدر',
+      headerValue: 'مقدار هدر',
+      addHeader: 'هدر اضافه کنید',
+      headerKeyPlaceholder: 'به عنوان مثال، مجوز',
+      headerValuePlaceholder: 'مثلاً، توکن حامل ۱۲۳',
+      noHeaders: 'هیچ هدر سفارشی پیکربندی نشده است',
+      headersTip: 'سرفصل‌های اضافی HTTP برای ارسال با درخواست‌های سرور MCP',
+      maskedHeadersTip: 'مقدارهای هدر به خاطر امنیت مخفی شده‌اند. تغییرات مقادیر واقعی را به‌روزرسانی خواهد کرد.',
    },
    delete: 'حذف سرور MCP',
    deleteConfirmTitle: 'آیا مایل به حذف {mcp} هستید؟',
--- a/web/i18n/fr-FR/tools.ts
+++ b/web/i18n/fr-FR/tools.ts
@ -193,6 +193,16 @@ const translation = {
      confirm: 'Ajouter & Authoriser',
      sseReadTimeout: 'Délai d\'attente de lecture SSE',
      timeout: 'Délai d\'attente',
+      timeoutPlaceholder: 'trente',
+      headerValue: 'Valeur d\'en-tête',
+      headerKey: 'Nom de l\'en-tête',
+      noHeaders: 'Aucun en-tête personnalisé configuré',
+      headers: 'En-têtes',
+      headerKeyPlaceholder: 'par exemple, Autorisation',
+      headerValuePlaceholder: 'par exemple, Jeton d\'accès123',
+      headersTip: 'En-têtes HTTP supplémentaires à envoyer avec les requêtes au serveur MCP',
+      addHeader: 'Ajouter un en-tête',
+      maskedHeadersTip: 'Les valeurs d\'en-tête sont masquées pour des raisons de sécurité. Les modifications mettront à jour les valeurs réelles.',
    },
    delete: 'Supprimer le Serveur MCP',
    deleteConfirmTitle: 'Souhaitez-vous supprimer {mcp}?',
--- a/web/i18n/hi-IN/tools.ts
+++ b/web/i18n/hi-IN/tools.ts
@ -198,6 +198,16 @@ const translation = {
      confirm: 'जोड़ें और अधिकृत करें',
      timeout: 'टाइमआउट',
      sseReadTimeout: 'एसएसई पढ़ने का टाइमआउट',
+      headerKey: 'हेडर नाम',
+      headers: 'हेडर',
+      headerValue: 'हेडर मान',
+      timeoutPlaceholder: 'तीस',
+      headerValuePlaceholder: 'उदाहरण के लिए, बियरर टोकन123',
+      addHeader: 'हेडर जोड़ें',
+      headerKeyPlaceholder: 'उदाहरण के लिए, प्राधिकरण',
+      noHeaders: 'कोई कस्टम हेडर कॉन्फ़िगर नहीं किए गए हैं',
+      maskedHeadersTip: 'सुरक्षा के लिए हेडर मानों को छिपाया गया है। परिवर्तन वास्तविक मानों को अपडेट करेगा।',
+      headersTip: 'MCP सर्वर अनुरोधों के साथ भेजने के लिए अतिरिक्त HTTP हेडर्स',
    },
    delete: 'MCP सर्वर हटाएँ',
    deleteConfirmTitle: '{mcp} हटाना चाहते हैं?',
--- a/web/i18n/id-ID/tools.ts
+++ b/web/i18n/id-ID/tools.ts
@ -175,6 +175,16 @@ const translation = {
      cancel: 'Membatalkan',
      serverIdentifierPlaceholder: 'Pengidentifikasi unik, misalnya, my-mcp-server',
      serverUrl: 'Server URL',
+      headers: 'Header',
+      timeoutPlaceholder: 'tiga puluh',
+      addHeader: 'Tambahkan Judul',
+      headerKey: 'Nama Header',
+      headerValue: 'Nilai Header',
+      headersTip: 'Header HTTP tambahan untuk dikirim bersama permintaan server MCP',
+      headerKeyPlaceholder: 'misalnya, Otorisasi',
+      headerValuePlaceholder: 'misalnya, Token Pengganti 123',
+      noHeaders: 'Tidak ada header kustom yang dikonfigurasi',
+      maskedHeadersTip: 'Nilai header disembunyikan untuk keamanan. Perubahan akan memperbarui nilai yang sebenarnya.',
    },
    operation: {
      edit: 'Mengedit',
--- a/web/i18n/it-IT/tools.ts
+++ b/web/i18n/it-IT/tools.ts
@ -203,6 +203,16 @@ const translation = {
      confirm: 'Aggiungi & Autorizza',
      timeout: 'Tempo scaduto',
      sseReadTimeout: 'Timeout di lettura SSE',
+      headerKey: 'Nome intestazione',
+      timeoutPlaceholder: 'trenta',
+      headers: 'Intestazioni',
+      addHeader: 'Aggiungi intestazione',
+      noHeaders: 'Nessuna intestazione personalizzata configurata',
+      headerKeyPlaceholder: 'ad es., Autorizzazione',
+      headerValue: 'Valore dell\'intestazione',
+      headerValuePlaceholder: 'ad esempio, Token di accesso123',
+      headersTip: 'Intestazioni HTTP aggiuntive da inviare con le richieste al server MCP',
+      maskedHeadersTip: 'I valori dell\'intestazione sono mascherati per motivi di sicurezza. Le modifiche aggiorneranno i valori effettivi.',
    },
    delete: 'Rimuovi Server MCP',
    deleteConfirmTitle: 'Vuoi rimuovere {mcp}?',
--- a/web/i18n/ja-JP/tools.ts
+++ b/web/i18n/ja-JP/tools.ts
@ -37,8 +37,8 @@ const translation = {
      tip: 'スタジオでワークフローをツールに公開する',
    },
    mcp: {
-      title: '利用可能なMCPツールはありません',
-      tip: 'MCPサーバーを追加する',
+      title: '利用可能な MCP ツールはありません',
+      tip: 'MCP サーバーを追加する',
    },
    agent: {
      title: 'Agent strategy は利用できません',
@ -85,13 +85,13 @@ const translation = {
        apiKeyPlaceholder: 'API キーの HTTP ヘッダー名',
        apiValuePlaceholder: 'API キーを入力してください',
        api_key_query: 'クエリパラメータ',
-        queryParamPlaceholder: 'APIキーのクエリパラメータ名',
+        queryParamPlaceholder: 'API キーのクエリパラメータ名',
        api_key_header: 'ヘッダー',
      },
      key: 'キー',
      value: '値',
      queryParam: 'クエリパラメータ',
-      queryParamTooltip: 'APIキーのクエリパラメータとして渡す名前、例えば「https://example.com/test?key=API_KEY」の「key」。',
+      queryParamTooltip: 'API キーのクエリパラメータとして渡す名前、例えば「https://example.com/test?key=API_KEY」の「key」。',
    },
    authHeaderPrefix: {
      title: '認証タイプ',
@ -169,32 +169,42 @@ const translation = {
  noTools: 'ツールが見つかりませんでした',
  mcp: {
    create: {
-      cardTitle: 'MCPサーバー（HTTP）を追加',
-      cardLink: 'MCPサーバー統合について詳しく知る',
+      cardTitle: 'MCP サーバー（HTTP）を追加',
+      cardLink: 'MCP サーバー統合について詳しく知る',
    },
    noConfigured: '未設定',
    updateTime: '更新日時',
    toolsCount: '{{count}} 個のツール',
    noTools: '利用可能なツールはありません',
    modal: {
-      title: 'MCPサーバー（HTTP）を追加',
-      editTitle: 'MCPサーバー（HTTP）を編集',
+      title: 'MCP サーバー（HTTP）を追加',
+      editTitle: 'MCP サーバー（HTTP）を編集',
      name: '名前とアイコン',
-      namePlaceholder: 'MCPサーバーの名前を入力',
+      namePlaceholder: 'MCP サーバーの名前を入力',
      serverUrl: 'サーバーURL',
-      serverUrlPlaceholder: 'サーバーエンドポイントのURLを入力',
+      serverUrlPlaceholder: 'サーバーエンドポイントの URL を入力',
      serverUrlWarning: 'サーバーアドレスを更新すると、このサーバーに依存するアプリケーションに影響を与える可能性があります。',
      serverIdentifier: 'サーバー識別子',
-      serverIdentifierTip: 'ワークスペース内でのMCPサーバーのユニーク識別子です。使用可能な文字は小文字、数字、アンダースコア、ハイフンで、最大24文字です。',
+      serverIdentifierTip: 'ワークスペース内での MCP サーバーのユニーク識別子です。使用可能な文字は小文字、数字、アンダースコア、ハイフンで、最大 24 文字です。',
      serverIdentifierPlaceholder: 'ユニーク識別子（例：my-mcp-server）',
-      serverIdentifierWarning: 'IDを変更すると、既存のアプリケーションではサーバーが認識できなくなります。',
+      serverIdentifierWarning: 'ID を変更すると、既存のアプリケーションではサーバーが認識できなくなります。',
      cancel: 'キャンセル',
      save: '保存',
      confirm: '追加して承認',
      timeout: 'タイムアウト',
      sseReadTimeout: 'SSE 読み取りタイムアウト',
+      headerValuePlaceholder: '例：ベアラートークン123',
+      headerKeyPlaceholder: '例えば、承認',
+      headers: 'ヘッダー',
+      timeoutPlaceholder: '三十',
+      headerKey: 'ヘッダー名',
+      addHeader: 'ヘッダーを追加',
+      headerValue: 'ヘッダーの値',
+      noHeaders: 'カスタムヘッダーは設定されていません',
+      headersTip: 'MCPサーバーへのリクエストに送信する追加のHTTPヘッダー',
+      maskedHeadersTip: 'ヘッダー値はセキュリティのためマスクされています。変更は実際の値を更新します。',
    },
-    delete: 'MCPサーバーを削除',
+    delete: 'MCP サーバーを削除',
    deleteConfirmTitle: '{{mcp}} を削除しますか？',
    operation: {
      edit: '編集',
@ -213,23 +223,23 @@ const translation = {
    toolUpdateConfirmTitle: 'ツールリストの更新',
    toolUpdateConfirmContent: 'ツールリストを更新すると、既存のアプリケーションに重大な影響を与える可能性があります。続行しますか？',
    toolsNum: '{{count}} 個のツールが含まれています',
-    onlyTool: '1つのツールが含まれています',
+    onlyTool: '1 つのツールが含まれています',
    identifier: 'サーバー識別子（クリックしてコピー）',
    server: {
-      title: 'MCPサーバー',
+      title: 'MCP サーバー',
      url: 'サーバーURL',
-      reGen: 'サーバーURLを再生成しますか？',
+      reGen: 'サーバーURL を再生成しますか？',
      addDescription: '説明を追加',
      edit: '説明を編集',
      modal: {
-        addTitle: 'MCPサーバーを有効化するための説明を追加',
+        addTitle: 'MCP サーバーを有効化するための説明を追加',
        editTitle: '説明を編集',
        description: '説明',
-        descriptionPlaceholder: 'このツールの機能とLLM（大規模言語モデル）での使用方法を説明してください。',
+        descriptionPlaceholder: 'このツールの機能と LLM（大規模言語モデル）での使用方法を説明してください。',
        parameters: 'パラメータ',
-        parametersTip: '各パラメータの説明を追加して、LLMがその目的と制約を理解できるようにします。',
+        parametersTip: '各パラメータの説明を追加して、LLM がその目的と制約を理解できるようにします。',
        parametersPlaceholder: 'パラメータの目的と制約',
-        confirm: 'MCPサーバーを有効にする',
+        confirm: 'MCP サーバーを有効にする',
      },
      publishTip: 'アプリが公開されていません。まずアプリを公開してください。',
    },
--- a/web/i18n/ko-KR/tools.ts
+++ b/web/i18n/ko-KR/tools.ts
@ -193,6 +193,16 @@ const translation = {
      confirm: '추가 및 승인',
      timeout: '타임아웃',
      sseReadTimeout: 'SSE 읽기 타임아웃',
+      headers: '헤더',
+      headerKeyPlaceholder: '예: 승인',
+      headerKey: '헤더 이름',
+      headerValuePlaceholder: '예: 베어러 토큰123',
+      timeoutPlaceholder: '서른',
+      headerValue: '헤더 값',
+      addHeader: '헤더 추가',
+      noHeaders: '사용자 정의 헤더가 구성되어 있지 않습니다.',
+      headersTip: 'MCP 서버 요청과 함께 보낼 추가 HTTP 헤더',
+      maskedHeadersTip: '헤더 값은 보안상 마스킹 처리되어 있습니다. 변경 사항은 실제 값에 업데이트됩니다.',
    },
    delete: 'MCP 서버 제거',
    deleteConfirmTitle: '{mcp}를 제거하시겠습니까?',
--- a/web/i18n/pl-PL/tools.ts
+++ b/web/i18n/pl-PL/tools.ts
@ -197,6 +197,16 @@ const translation = {
      confirm: 'Dodaj i autoryzuj',
      timeout: 'Limit czasu',
      sseReadTimeout: 'Przekroczenie czasu oczekiwania na odczyt SSE',
+      addHeader: 'Dodaj nagłówek',
+      headers: 'Nagłówki',
+      headerKeyPlaceholder: 'np. Autoryzacja',
+      timeoutPlaceholder: 'trzydzieści',
+      headerValuePlaceholder: 'np. Token dostępu 123',
+      headerKey: 'Nazwa nagłówka',
+      headersTip: 'Dodatkowe nagłówki HTTP do wysłania z żądaniami serwera MCP',
+      headerValue: 'Wartość nagłówka',
+      noHeaders: 'Brak skonfigurowanych nagłówków niestandardowych',
+      maskedHeadersTip: 'Wartości nagłówków są ukryte dla bezpieczeństwa. Zmiany zaktualizują rzeczywiste wartości.',
    },
    delete: 'Usuń serwer MCP',
    deleteConfirmTitle: 'Usunąć {mcp}?',
--- a/web/i18n/pt-BR/tools.ts
+++ b/web/i18n/pt-BR/tools.ts
@ -193,6 +193,16 @@ const translation = {
      confirm: 'Adicionar e Autorizar',
      sseReadTimeout: 'Tempo limite de leitura SSE',
      timeout: 'Tempo esgotado',
+      timeoutPlaceholder: 'trinta',
+      headerValue: 'Valor do Cabeçalho',
+      headerKeyPlaceholder: 'por exemplo, Autorização',
+      addHeader: 'Adicionar Cabeçalho',
+      headersTip: 'Cabeçalhos HTTP adicionais a serem enviados com as solicitações do servidor MCP',
+      headers: 'Cabeçalhos',
+      maskedHeadersTip: 'Os valores do cabeçalho estão mascarados por segurança. As alterações atualizarão os valores reais.',
+      headerKey: 'Nome do Cabeçalho',
+      noHeaders: 'Nenhum cabeçalho personalizado configurado',
+      headerValuePlaceholder: 'ex: Token de portador 123',
    },
    delete: 'Remover Servidor MCP',
    deleteConfirmTitle: 'Você gostaria de remover {{mcp}}?',
--- a/web/i18n/ro-RO/tools.ts
+++ b/web/i18n/ro-RO/tools.ts
@ -193,6 +193,16 @@ const translation = {
      confirm: 'Adăugare și Autorizare',
      timeout: 'Timp de așteptare',
      sseReadTimeout: 'Timp de așteptare pentru citirea SSE',
+      headerKeyPlaceholder: 'de exemplu, Autorizație',
+      headers: 'Antete',
+      addHeader: 'Adăugați antet',
+      headerValuePlaceholder: 'de exemplu, Bearer token123',
+      timeoutPlaceholder: 'treizeci',
+      headerKey: 'Numele antetului',
+      headerValue: 'Valoare Antet',
+      maskedHeadersTip: 'Valorile de antet sunt mascate pentru securitate. Modificările vor actualiza valorile reale.',
+      headersTip: 'Header-uri HTTP suplimentare de trimis cu cererile către serverul MCP',
+      noHeaders: 'Nu sunt configurate antete personalizate.',
    },
    delete: 'Eliminare Server MCP',
    deleteConfirmTitle: 'Ștergeți {mcp}?',
--- a/web/i18n/ru-RU/tools.ts
+++ b/web/i18n/ru-RU/tools.ts
@ -193,6 +193,16 @@ const translation = {
      confirm: 'Добавить и авторизовать',
      timeout: 'Тайм-аут',
      sseReadTimeout: 'Таймаут чтения SSE',
+      headerValuePlaceholder: 'например, Токен носителя 123',
+      headers: 'Заголовки',
+      headerKey: 'Название заголовка',
+      timeoutPlaceholder: 'тридцать',
+      addHeader: 'Добавить заголовок',
+      headerValue: 'Значение заголовка',
+      headerKeyPlaceholder: 'например, Авторизация',
+      noHeaders: 'Нет настроенных пользовательских заголовков',
+      maskedHeadersTip: 'Значения заголовков скрыты для безопасности. Изменения обновят фактические значения.',
+      headersTip: 'Дополнительные HTTP заголовки для отправки с запросами к серверу MCP',
    },
    delete: 'Удалить MCP сервер',
    deleteConfirmTitle: 'Вы действительно хотите удалить {mcp}?',
--- a/web/i18n/sl-SI/tools.ts
+++ b/web/i18n/sl-SI/tools.ts
@ -193,6 +193,16 @@ const translation = {
      confirm: 'Dodaj in avtoriziraj',
      timeout: 'Časovna omejitev',
      sseReadTimeout: 'SSE časovna omejitev branja',
+      timeoutPlaceholder: 'trideset',
+      headers: 'Naslovi',
+      headerKeyPlaceholder: 'npr., Pooblastitev',
+      headerValue: 'Vrednost glave',
+      headerKey: 'Ime glave',
+      addHeader: 'Dodaj naslov',
+      headersTip: 'Dodatni HTTP glavi za poslati z zahtevami MCP strežnika',
+      headerValuePlaceholder: 'npr., nosilec žeton123',
+      noHeaders: 'Nobenih prilagojenih glave ni konfiguriranih',
+      maskedHeadersTip: 'Vrednosti glave so zakrite zaradi varnosti. Spremembe bodo posodobile dejanske vrednosti.',
    },
    delete: 'Odstrani strežnik MCP',
    deleteConfirmTitle: 'Odstraniti {mcp}?',
--- a/web/i18n/th-TH/tools.ts
+++ b/web/i18n/th-TH/tools.ts
@ -193,6 +193,16 @@ const translation = {
      confirm: 'เพิ่มและอนุญาต',
      timeout: 'หมดเวลา',
      sseReadTimeout: 'หมดเวลาการอ่าน SSE',
+      timeoutPlaceholder: 'สามสิบ',
+      headerValue: 'ค่าหัวข้อ',
+      addHeader: 'เพิ่มหัวเรื่อง',
+      headerKey: 'ชื่อหัวเรื่อง',
+      headerKeyPlaceholder: 'เช่น การอนุญาต',
+      headerValuePlaceholder: 'ตัวอย่าง: รหัสตัวแทน token123',
+      headers: 'หัวเรื่อง',
+      noHeaders: 'ไม่มีการกำหนดหัวข้อที่กำหนดเอง',
+      headersTip: 'HTTP header เพิ่มเติมที่จะส่งไปกับคำขอ MCP server',
+      maskedHeadersTip: 'ค่าหัวถูกปกปิดเพื่อความปลอดภัย การเปลี่ยนแปลงจะปรับปรุงค่าที่แท้จริง',
    },
    delete: 'ลบเซิร์ฟเวอร์ MCP',
    deleteConfirmTitle: 'คุณต้องการลบ {mcp} หรือไม่?',
--- a/web/i18n/tr-TR/tools.ts
+++ b/web/i18n/tr-TR/tools.ts
@ -193,6 +193,16 @@ const translation = {
      confirm: 'Ekle ve Yetkilendir',
      timeout: 'Zaman aşımı',
      sseReadTimeout: 'SSE Okuma Zaman Aşımı',
+      headers: 'Başlıklar',
+      headerKeyPlaceholder: 'örneğin, Yetkilendirme',
+      addHeader: 'Başlık Ekle',
+      headerValue: 'Başlık Değeri',
+      noHeaders: 'Özel başlıklar yapılandırılmamış',
+      headerKey: 'Başlık Adı',
+      timeoutPlaceholder: 'otuz',
+      headersTip: 'MCP sunucu istekleri ile gönderilecek ek HTTP başlıkları',
+      headerValuePlaceholder: 'örneğin, Taşıyıcı jeton123',
+      maskedHeadersTip: 'Başlık değerleri güvenlik amacıyla gizlenmiştir. Değişiklikler gerçek değerleri güncelleyecektir.',
    },
    delete: 'MCP Sunucusunu Kaldır',
    deleteConfirmTitle: '{mcp} kaldırılsın mı?',
--- a/web/i18n/uk-UA/tools.ts
+++ b/web/i18n/uk-UA/tools.ts
@ -193,6 +193,16 @@ const translation = {
      confirm: 'Додати та Авторизувати',
      timeout: 'Час вичерпано',
      sseReadTimeout: 'Тайм-аут читання SSE',
+      headers: 'Заголовки',
+      headerValuePlaceholder: 'наприклад, токен носія 123',
+      headerValue: 'Значення заголовка',
+      headerKey: 'Назва заголовка',
+      timeoutPlaceholder: 'тридцять',
+      addHeader: 'Додати заголовок',
+      noHeaders: 'Не налаштовано спеціальні заголовки',
+      headerKeyPlaceholder: 'наприклад, Авторизація',
+      maskedHeadersTip: 'Значення заголовків маскуються для безпеки. Зміни оновлять фактичні значення.',
+      headersTip: 'Додаткові HTTP заголовки для відправлення з запитами до сервера MCP',
    },
    delete: 'Видалити сервер MCP',
    deleteConfirmTitle: 'Видалити {mcp}?',
--- a/web/i18n/vi-VN/tools.ts
+++ b/web/i18n/vi-VN/tools.ts
@ -193,6 +193,16 @@ const translation = {
      confirm: 'Thêm & Ủy quyền',
      sseReadTimeout: 'Thời gian chờ Đọc SSE',
      timeout: 'Thời gian chờ',
+      headerKeyPlaceholder: 'ví dụ, Ủy quyền',
+      timeoutPlaceholder: 'ba mươi',
+      addHeader: 'Thêm tiêu đề',
+      headers: 'Tiêu đề',
+      headerValuePlaceholder: 'ví dụ: mã thông báo Bearer123',
+      headerKey: 'Tên tiêu đề',
+      noHeaders: 'Không có tiêu đề tùy chỉnh nào được cấu hình',
+      headerValue: 'Giá trị tiêu đề',
+      maskedHeadersTip: 'Các giá trị tiêu đề được mã hóa để đảm bảo an ninh. Các thay đổi sẽ cập nhật các giá trị thực tế.',
+      headersTip: 'Các tiêu đề HTTP bổ sung để gửi cùng với các yêu cầu máy chủ MCP',
    },
    delete: 'Xóa Máy chủ MCP',
    deleteConfirmTitle: 'Xóa {mcp}?',
--- a/web/i18n/zh-Hans/tools.ts
+++ b/web/i18n/zh-Hans/tools.ts
@ -81,7 +81,7 @@ const translation = {
      type: '鉴权类型',
      keyTooltip: 'HTTP 头部名称，如果你不知道是什么，可以将其保留为 Authorization 或设置为自定义值',
      queryParam: '查询参数',
-      queryParamTooltip: '用于传递 API 密钥查询参数的名称, 如 "https://example.com/test?key=API_KEY" 中的 "key"参数',
+      queryParamTooltip: '用于传递 API 密钥查询参数的名称，如 "https://example.com/test?key=API_KEY" 中的 "key"参数',
      types: {
        none: '无',
        api_key_header: '请求头',
@ -188,11 +188,21 @@ const translation = {
      serverIdentifierTip: '工作空间内服务器的唯一标识。支持小写字母、数字、下划线和连字符，最多 24 个字符。',
      serverIdentifierPlaceholder: '服务器唯一标识，例如 my-mcp-server',
      serverIdentifierWarning: '更改服务器标识符后，现有应用将无法识别此服务器',
+      headers: '请求头',
+      headersTip: '发送到 MCP 服务器的额外 HTTP 请求头',
+      headerKey: '请求头名称',
+      headerValue: '请求头值',
+      headerKeyPlaceholder: '例如：Authorization',
+      headerValuePlaceholder: '例如：Bearer token123',
+      addHeader: '添加请求头',
+      noHeaders: '未配置自定义请求头',
+      maskedHeadersTip: '为了安全，请求头值已被掩码处理。修改将更新实际值。',
      cancel: '取消',
      save: '保存',
      confirm: '添加并授权',
      timeout: '超时时间',
      sseReadTimeout: 'SSE 读取超时时间',
+      timeoutPlaceholder: '30',
    },
    delete: '删除 MCP 服务',
    deleteConfirmTitle: '你想要删除 {{mcp}} 吗？',
--- a/web/i18n/zh-Hant/tools.ts
+++ b/web/i18n/zh-Hant/tools.ts
@ -193,6 +193,16 @@ const translation = {
      confirm: '新增並授權',
      sseReadTimeout: 'SSE 讀取超時',
      timeout: '超時',
+      headerValue: '標題值',
+      headerKey: '標題名稱',
+      noHeaders: '沒有配置自定義標頭',
+      timeoutPlaceholder: '三十',
+      headerValuePlaceholder: '例如，承載者令牌123',
+      addHeader: '添加標題',
+      headerKeyPlaceholder: '例如，授權',
+      headersTip: '與 MCP 伺服器請求一同發送的附加 HTTP 標頭',
+      maskedHeadersTip: '標頭值已被遮罩以保障安全。更改將更新實際值。',
+      headers: '標題',
    },
    delete: '刪除 MCP 伺服器',
    deleteConfirmTitle: '您確定要刪除 {{mcp}} 嗎？',
--- a/web/models/datasets.ts
+++ b/web/models/datasets.ts
@ -391,11 +391,6 @@ export type createDocumentResponse = {
  documents: InitialDocumentDetail[]
 }

-export type PrecessRule = {
-  mode: ProcessMode
-  rules: Rules
-}
-
 export type FullDocumentDetail = SimpleDocumentDetail & {
  batch: string
  created_api_request_id: string
@ -418,7 +413,7 @@ export type FullDocumentDetail = SimpleDocumentDetail & {
  doc_type?: DocType | null | 'others'
  doc_metadata?: DocMetadata | null
  segment_count: number
-  dataset_process_rule: PrecessRule
+  dataset_process_rule: ProcessRule
  document_process_rule: ProcessRule
  [key: string]: any
 }
--- a/web/service/use-tools.ts
+++ b/web/service/use-tools.ts
@ -87,6 +87,7 @@ export const useCreateMCP = () => {
      icon_background?: string | null
      timeout?: number
      sse_read_timeout?: number
+      headers?: Record<string, string>
    }) => {
      return post<ToolWithProvider>('workspaces/current/tool-provider/mcp', {
        body: {
@ -113,6 +114,7 @@ export const useUpdateMCP = ({
      provider_id: string
      timeout?: number
      sse_read_timeout?: number
+      headers?: Record<string, string>
    }) => {
      return put('workspaces/current/tool-provider/mcp', {
        body: {