🐛 Fix sphere rewind

🗑️ Remove debug include in timeline

.github/workflows/docker-build.yml

@@ -27,8 +27,8 @@ jobs:
         run: |
           files="${{ steps.changed-files.outputs.files }}"
           matrix="{\"include\":[]}"
-          services=("Sphere" "Pass" "Ring" "Drive" "Develop" "Gateway" "Insight")
+          services=("Sphere" "Pass" "Ring" "Drive" "Develop" "Gateway" "Insight" "Zone")
-          images=("sphere" "pass" "ring" "drive" "develop" "gateway" "insight")
+          images=("sphere" "pass" "ring" "drive" "develop" "gateway" "insight" "zone")
           changed_services=()
 
           for file in $files; do

DysonNetwork.Control/AppHost.cs

@@ -4,8 +4,8 @@ var builder = DistributedApplication.CreateBuilder(args);
 
 var isDev = builder.Environment.IsDevelopment();
 
-var cache = builder.AddRedis("cache");
+var cache = builder.AddRedis("Cache");
-var queue = builder.AddNats("queue").WithJetStream();
+var queue = builder.AddNats("Queue").WithJetStream();
 
 var ringService = builder.AddProject<Projects.DysonNetwork_Ring>("ring");
 var passService = builder.AddProject<Projects.DysonNetwork_Pass>("pass")
@@ -26,11 +26,17 @@ var insightService = builder.AddProject<Projects.DysonNetwork_Insight>("insight"
     .WithReference(ringService)
     .WithReference(sphereService)
     .WithReference(developService);
+var zoneService = builder.AddProject<Projects.DysonNetwork_Zone>("zone")
+    .WithReference(passService)
+    .WithReference(ringService)
+    .WithReference(sphereService)
+    .WithReference(developService)
+    .WithReference(insightService);
 
 passService.WithReference(developService).WithReference(driveService);
 
 List<IResourceBuilder<ProjectResource>> services =
-    [ringService, passService, driveService, sphereService, developService, insightService];
+    [ringService, passService, driveService, sphereService, developService, insightService, zoneService];
 
 for (var idx = 0; idx < services.Count; idx++)
 {

DysonNetwork.Control/DysonNetwork.Control.csproj

@@ -1,28 +1,29 @@
 <Project Sdk="Microsoft.NET.Sdk">
-  <Sdk Name="Aspire.AppHost.Sdk" Version="13.0.0" />
+    <Sdk Name="Aspire.AppHost.Sdk" Version="13.0.0"/>
 
-  <PropertyGroup>
+    <PropertyGroup>
-    <OutputType>Exe</OutputType>
+        <OutputType>Exe</OutputType>
-    <TargetFramework>net10.0</TargetFramework>
+        <TargetFramework>net10.0</TargetFramework>
-    <ImplicitUsings>enable</ImplicitUsings>
+        <ImplicitUsings>enable</ImplicitUsings>
-    <Nullable>enable</Nullable>
+        <Nullable>enable</Nullable>
-    <UserSecretsId>a68b3195-a00d-40c2-b5ed-d675356b7cde</UserSecretsId>
+        <UserSecretsId>a68b3195-a00d-40c2-b5ed-d675356b7cde</UserSecretsId>
-    <RootNamespace>DysonNetwork.Control</RootNamespace>
+        <RootNamespace>DysonNetwork.Control</RootNamespace>
-  </PropertyGroup>
+    </PropertyGroup>
 
-  <ItemGroup>
+    <ItemGroup>
-    <PackageReference Include="Aspire.Hosting.AppHost" Version="13.0.0" />
+        <PackageReference Include="Aspire.Hosting.AppHost" Version="13.0.0"/>
-    <PackageReference Include="Aspire.Hosting.Docker" Version="13.0.0-preview.1.25560.3" />
+        <PackageReference Include="Aspire.Hosting.Docker" Version="13.0.0-preview.1.25560.3"/>
-    <PackageReference Include="Aspire.Hosting.Nats" Version="13.0.0" />
+        <PackageReference Include="Aspire.Hosting.Nats" Version="13.0.0"/>
-    <PackageReference Include="Aspire.Hosting.Redis" Version="13.0.0" />
+        <PackageReference Include="Aspire.Hosting.Redis" Version="13.0.0"/>
-  </ItemGroup>
+    </ItemGroup>
-  <ItemGroup>
+    <ItemGroup>
-    <ProjectReference Include="..\DysonNetwork.Develop\DysonNetwork.Develop.csproj" />
+        <ProjectReference Include="..\DysonNetwork.Develop\DysonNetwork.Develop.csproj"/>
-    <ProjectReference Include="..\DysonNetwork.Drive\DysonNetwork.Drive.csproj" />
+        <ProjectReference Include="..\DysonNetwork.Drive\DysonNetwork.Drive.csproj"/>
-    <ProjectReference Include="..\DysonNetwork.Pass\DysonNetwork.Pass.csproj" />
+        <ProjectReference Include="..\DysonNetwork.Pass\DysonNetwork.Pass.csproj"/>
-    <ProjectReference Include="..\DysonNetwork.Ring\DysonNetwork.Ring.csproj" />
+        <ProjectReference Include="..\DysonNetwork.Ring\DysonNetwork.Ring.csproj"/>
-    <ProjectReference Include="..\DysonNetwork.Sphere\DysonNetwork.Sphere.csproj" />
+        <ProjectReference Include="..\DysonNetwork.Sphere\DysonNetwork.Sphere.csproj"/>
-    <ProjectReference Include="..\DysonNetwork.Gateway\DysonNetwork.Gateway.csproj" />
+        <ProjectReference Include="..\DysonNetwork.Gateway\DysonNetwork.Gateway.csproj"/>
-    <ProjectReference Include="..\DysonNetwork.Insight\DysonNetwork.Insight.csproj" />
+        <ProjectReference Include="..\DysonNetwork.Insight\DysonNetwork.Insight.csproj"/>
-  </ItemGroup>
+        <ProjectReference Include="..\DysonNetwork.Zone\DysonNetwork.Zone.csproj"/>
+    </ItemGroup>
 </Project>

DysonNetwork.Develop/AppDatabase.cs

@@ -1,3 +1,4 @@
+using DysonNetwork.Shared.Data;
 using DysonNetwork.Shared.Models;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore.Design;
@@ -33,36 +34,15 @@ public class AppDatabase(
     
     public override async Task<int> SaveChangesAsync(CancellationToken cancellationToken = default)
     {
-        var now = SystemClock.Instance.GetCurrentInstant();
+        this.ApplyAuditableAndSoftDelete();
-
-        foreach (var entry in ChangeTracker.Entries<ModelBase>())
-        {
-            switch (entry.State)
-            {
-                case EntityState.Added:
-                    entry.Entity.CreatedAt = now;
-                    entry.Entity.UpdatedAt = now;
-                    break;
-                case EntityState.Modified:
-                    entry.Entity.UpdatedAt = now;
-                    break;
-                case EntityState.Deleted:
-                    entry.State = EntityState.Modified;
-                    entry.Entity.DeletedAt = now;
-                    break;
-                case EntityState.Detached:
-                case EntityState.Unchanged:
-                default:
-                    break;
-            }
-        }
-
         return await base.SaveChangesAsync(cancellationToken);
     }
 
     protected override void OnModelCreating(ModelBuilder modelBuilder)
     {
         base.OnModelCreating(modelBuilder);
+        
+        modelBuilder.ApplySoftDeleteFilters();
     }
 }
 

DysonNetwork.Develop/Identity/DeveloperController.cs

@@ -69,7 +69,7 @@ public class DeveloperController(
 
     [HttpPost("{name}/enroll")]
     [Authorize]
-    [RequiredPermission("global", "developers.create")]
+    [AskPermission("developers.create")]
     public async Task<ActionResult<SnDeveloper>> EnrollDeveloperProgram(string name)
     {
         if (HttpContext.Items["CurrentUser"] is not Account currentUser) return Unauthorized();

DysonNetwork.Develop/Startup/ApplicationConfiguration.cs

@@ -16,7 +16,7 @@ public static class ApplicationConfiguration
 
         app.UseAuthentication();
         app.UseAuthorization();
-        app.UseMiddleware<PermissionMiddleware>();
+        app.UseMiddleware<RemotePermissionMiddleware>();
 
         app.MapControllers();
         

DysonNetwork.Develop/Startup/ServiceCollectionExtensions.cs

@@ -16,9 +16,7 @@ public static class ServiceCollectionExtensions
         services.AddLocalization();
 
         services.AddDbContext<AppDatabase>();
-        services.AddSingleton<IClock>(SystemClock.Instance);
         services.AddHttpContextAccessor();
-        services.AddSingleton<ICacheService, CacheServiceRedis>();
 
         services.AddHttpClient();
 

DysonNetwork.Develop/appsettings.json

@@ -1,22 +1,25 @@
 {
-  "Debug": true,
+    "Debug": true,
-  "BaseUrl": "http://localhost:5071",
+    "BaseUrl": "http://localhost:5071",
-  "SiteUrl": "https://solian.app",
+    "SiteUrl": "https://solian.app",
-  "Logging": {
+    "Logging": {
-    "LogLevel": {
+        "LogLevel": {
-      "Default": "Information",
+            "Default": "Information",
-      "Microsoft.AspNetCore": "Warning"
+            "Microsoft.AspNetCore": "Warning"
+        }
+    },
+    "AllowedHosts": "*",
+    "ConnectionStrings": {
+        "App": "Host=localhost;Port=5432;Database=dyson_develop;Username=postgres;Password=postgres;Include Error Detail=True;Maximum Pool Size=20;Connection Idle Lifetime=60"
+    },
+    "KnownProxies": [
+        "127.0.0.1",
+        "::1"
+    ],
+    "Swagger": {
+        "PublicBasePath": "/develop"
+    },
+    "Cache": {
+        "Serializer": "MessagePack"
     }
-  },
-  "AllowedHosts": "*",
-  "ConnectionStrings": {
-    "App": "Host=localhost;Port=5432;Database=dyson_develop;Username=postgres;Password=postgres;Include Error Detail=True;Maximum Pool Size=20;Connection Idle Lifetime=60"
-  },
-  "KnownProxies": ["127.0.0.1", "::1"],
-  "Swagger": {
-    "PublicBasePath": "/develop"
-  },
-  "Etcd": {
-    "Insecure": true
-  }
 }

DysonNetwork.Drive/AppDatabase.cs

@@ -1,12 +1,11 @@
 using System.Linq.Expressions;
-using System.Reflection;
 using DysonNetwork.Drive.Billing;
 using DysonNetwork.Drive.Storage;
 using DysonNetwork.Drive.Storage.Model;
+using DysonNetwork.Shared.Data;
 using DysonNetwork.Shared.Models;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore.Design;
-using Microsoft.EntityFrameworkCore.Query;
 using NodaTime;
 using Quartz;
 using TaskStatus = DysonNetwork.Drive.Storage.Model.TaskStatus;
@@ -24,7 +23,7 @@ public class AppDatabase(
     public DbSet<QuotaRecord> QuotaRecords { get; set; } = null!;
     
     public DbSet<SnCloudFile> Files { get; set; } = null!;
-    public DbSet<CloudFileReference> FileReferences { get; set; } = null!;
+    public DbSet<SnCloudFileReference> FileReferences { get; set; } = null!;
     public DbSet<SnCloudFileIndex> FileIndexes { get; set; }
 
     public DbSet<PersistentTask> Tasks { get; set; } = null!;
@@ -46,61 +45,12 @@ public class AppDatabase(
     protected override void OnModelCreating(ModelBuilder modelBuilder)
     {
         base.OnModelCreating(modelBuilder);
-
+        modelBuilder.ApplySoftDeleteFilters();
-        // Apply soft-delete filter only to root entities, not derived types
-        foreach (var entityType in modelBuilder.Model.GetEntityTypes())
-        {
-            if (!typeof(ModelBase).IsAssignableFrom(entityType.ClrType)) continue;
-
-            // Skip derived types to avoid filter conflicts
-            var clrType = entityType.ClrType;
-            if (clrType.BaseType != typeof(object) &&
-                typeof(ModelBase).IsAssignableFrom(clrType.BaseType))
-            {
-                continue; // Skip derived types
-            }
-
-            var method = typeof(AppDatabase)
-                .GetMethod(nameof(SetSoftDeleteFilter),
-                    BindingFlags.NonPublic | BindingFlags.Static)!
-                .MakeGenericMethod(clrType);
-
-            method.Invoke(null, [modelBuilder]);
-        }
-    }
-
-    private static void SetSoftDeleteFilter<TEntity>(ModelBuilder modelBuilder)
-        where TEntity : ModelBase
-    {
-        modelBuilder.Entity<TEntity>().HasQueryFilter(e => e.DeletedAt == null);
     }
 
     public override async Task<int> SaveChangesAsync(CancellationToken cancellationToken = default)
     {
-        var now = SystemClock.Instance.GetCurrentInstant();
+        this.ApplyAuditableAndSoftDelete();
-
-        foreach (var entry in ChangeTracker.Entries<ModelBase>())
-        {
-            switch (entry.State)
-            {
-                case EntityState.Added:
-                    entry.Entity.CreatedAt = now;
-                    entry.Entity.UpdatedAt = now;
-                    break;
-                case EntityState.Modified:
-                    entry.Entity.UpdatedAt = now;
-                    break;
-                case EntityState.Deleted:
-                    entry.State = EntityState.Modified;
-                    entry.Entity.DeletedAt = now;
-                    break;
-                case EntityState.Detached:
-                case EntityState.Unchanged:
-                default:
-                    break;
-            }
-        }
-
         return await base.SaveChangesAsync(cancellationToken);
     }
 }
@@ -204,35 +154,3 @@ public class AppDatabaseFactory : IDesignTimeDbContextFactory<AppDatabase>
         return new AppDatabase(optionsBuilder.Options, configuration);
     }
 }
-
-public static class OptionalQueryExtensions
-{
-    public static IQueryable<T> If<T>(
-        this IQueryable<T> source,
-        bool condition,
-        Func<IQueryable<T>, IQueryable<T>> transform
-    )
-    {
-        return condition ? transform(source) : source;
-    }
-
-    public static IQueryable<T> If<T, TP>(
-        this IIncludableQueryable<T, TP> source,
-        bool condition,
-        Func<IIncludableQueryable<T, TP>, IQueryable<T>> transform
-    )
-        where T : class
-    {
-        return condition ? transform(source) : source;
-    }
-
-    public static IQueryable<T> If<T, TP>(
-        this IIncludableQueryable<T, IEnumerable<TP>> source,
-        bool condition,
-        Func<IIncludableQueryable<T, IEnumerable<TP>>, IQueryable<T>> transform
-    )
-        where T : class
-    {
-        return condition ? transform(source) : source;
-    }
-}

DysonNetwork.Drive/Index/FileIndexController.cs

@@ -23,9 +23,17 @@ public class FileIndexController(
     /// Gets files in a specific path for the current user
     /// </summary>
     /// <param name="path">The path to browse (defaults to root "/")</param>
+    /// <param name="query">Optional query to filter files by name</param>
+    /// <param name="order">The field to order by (date, size, name - defaults to date)</param>
+    /// <param name="orderDesc">Whether to order in descending order (defaults to true)</param>
     /// <returns>List of files in the specified path</returns>
     [HttpGet("browse")]
-    public async Task<IActionResult> BrowseFiles([FromQuery] string path = "/")
+    public async Task<IActionResult> BrowseFiles(
+        [FromQuery] string path = "/",
+        [FromQuery] string? query = null,
+        [FromQuery] string order = "date",
+        [FromQuery] bool orderDesc = true
+    )
     {
         if (HttpContext.Items["CurrentUser"] is not Account currentUser)
             return new ObjectResult(ApiError.Unauthorized()) { StatusCode = 401 };
@@ -36,6 +44,24 @@ public class FileIndexController(
         {
             var fileIndexes = await fileIndexService.GetByPathAsync(accountId, path);
 
+            if (!string.IsNullOrWhiteSpace(query))
+            {
+                fileIndexes = fileIndexes
+                    .Where(fi => fi.File.Name.Contains(query, StringComparison.OrdinalIgnoreCase))
+                    .ToList();
+            }
+
+            // Apply sorting
+            fileIndexes = order.ToLower() switch
+            {
+                "name" => orderDesc ? fileIndexes.OrderByDescending(fi => fi.File.Name).ToList()
+                                   : fileIndexes.OrderBy(fi => fi.File.Name).ToList(),
+                "size" => orderDesc ? fileIndexes.OrderByDescending(fi => fi.File.Size).ToList()
+                                   : fileIndexes.OrderBy(fi => fi.File.Size).ToList(),
+                _ => orderDesc ? fileIndexes.OrderByDescending(fi => fi.File.CreatedAt).ToList()
+                              : fileIndexes.OrderBy(fi => fi.File.CreatedAt).ToList()
+            };
+
             // Get all file indexes for this account to extract child folders
             var allFileIndexes = await fileIndexService.GetByAccountIdAsync(accountId);
 
@@ -100,9 +126,16 @@ public class FileIndexController(
     /// <summary>
     /// Gets all files for the current user (across all paths)
     /// </summary>
+    /// <param name="query">Optional query to filter files by name</param>
+    /// <param name="order">The field to order by (date, size, name - defaults to date)</param>
+    /// <param name="orderDesc">Whether to order in descending order (defaults to true)</param>
     /// <returns>List of all files for the user</returns>
     [HttpGet("all")]
-    public async Task<IActionResult> GetAllFiles()
+    public async Task<IActionResult> GetAllFiles(
+        [FromQuery] string? query = null,
+        [FromQuery] string order = "date",
+        [FromQuery] bool orderDesc = true
+    )
     {
         if (HttpContext.Items["CurrentUser"] is not Account currentUser)
             return new ObjectResult(ApiError.Unauthorized()) { StatusCode = 401 };
@@ -113,6 +146,24 @@ public class FileIndexController(
         {
             var fileIndexes = await fileIndexService.GetByAccountIdAsync(accountId);
 
+            if (!string.IsNullOrWhiteSpace(query))
+            {
+                fileIndexes = fileIndexes
+                    .Where(fi => fi.File.Name.Contains(query, StringComparison.OrdinalIgnoreCase))
+                    .ToList();
+            }
+
+            // Apply sorting
+            fileIndexes = order.ToLower() switch
+            {
+                "name" => orderDesc ? fileIndexes.OrderByDescending(fi => fi.File.Name).ToList()
+                                   : fileIndexes.OrderBy(fi => fi.File.Name).ToList(),
+                "size" => orderDesc ? fileIndexes.OrderByDescending(fi => fi.File.Size).ToList()
+                                   : fileIndexes.OrderBy(fi => fi.File.Size).ToList(),
+                _ => orderDesc ? fileIndexes.OrderByDescending(fi => fi.File.CreatedAt).ToList()
+                              : fileIndexes.OrderBy(fi => fi.File.CreatedAt).ToList()
+            };
+
             return Ok(new
             {
                 Files = fileIndexes,
@@ -134,11 +185,24 @@ public class FileIndexController(
     /// <summary>
     /// Gets files that have not been indexed for the current user.
     /// </summary>
+    /// <param name="recycled">Shows recycled files or not</param>
     /// <param name="offset">The number of files to skip</param>
     /// <param name="take">The number of files to return</param>
+    /// <param name="pool">The pool ID of those files</param>
+    /// <param name="query">Optional query to filter files by name</param>
+    /// <param name="order">The field to order by (date, size, name - defaults to date)</param>
+    /// <param name="orderDesc">Whether to order in descending order (defaults to true)</param>
     /// <returns>List of unindexed files</returns>
     [HttpGet("unindexed")]
-    public async Task<IActionResult> GetUnindexedFiles([FromQuery] int offset = 0, [FromQuery] int take = 20)
+    public async Task<IActionResult> GetUnindexedFiles(
+        [FromQuery] Guid? pool,
+        [FromQuery] bool recycled = false,
+        [FromQuery] int offset = 0,
+        [FromQuery] int take = 20,
+        [FromQuery] string? query = null,
+        [FromQuery] string order = "date",
+        [FromQuery] bool orderDesc = true
+    )
     {
         if (HttpContext.Items["CurrentUser"] is not Account currentUser)
             return new ObjectResult(ApiError.Unauthorized()) { StatusCode = 401 };
@@ -147,17 +211,36 @@ public class FileIndexController(
 
         try
         {
-            var query = db.Files
+            var filesQuery = db.Files
                 .Where(f => f.AccountId == accountId
-                            && !f.IsMarkedRecycle
+                            && f.IsMarkedRecycle == recycled
-                            && !db.FileIndexes.Any(fi => fi.FileId == f.Id && fi.AccountId == accountId))
+                            && !db.FileIndexes.Any(fi => fi.FileId == f.Id && fi.AccountId == accountId)
-                .OrderByDescending(f => f.CreatedAt);
+                )
+                .AsQueryable();
 
-            var totalCount = await query.CountAsync();
+            // Apply sorting
+            filesQuery = order.ToLower() switch
+            {
+                "name" => orderDesc ? filesQuery.OrderByDescending(f => f.Name)
+                                   : filesQuery.OrderBy(f => f.Name),
+                "size" => orderDesc ? filesQuery.OrderByDescending(f => f.Size)
+                                   : filesQuery.OrderBy(f => f.Size),
+                _ => orderDesc ? filesQuery.OrderByDescending(f => f.CreatedAt)
+                              : filesQuery.OrderBy(f => f.CreatedAt)
+            };
+
+            if (pool.HasValue) filesQuery = filesQuery.Where(f => f.PoolId == pool);
+
+            if (!string.IsNullOrWhiteSpace(query))
+            {
+                filesQuery = filesQuery.Where(f => f.Name.Contains(query));
+            }
+
+            var totalCount = await filesQuery.CountAsync();
 
             Response.Headers.Append("X-Total", totalCount.ToString());
 
-            var unindexedFiles = await query
+            var unindexedFiles = await filesQuery
                 .Skip(offset)
                 .Take(take)
                 .ToListAsync();
@@ -296,7 +379,9 @@ public class FileIndexController(
 
             return Ok(new
             {
-                Message = deleteFile ? "File index and file data removed successfully" : "File index removed successfully",
+                Message = deleteFile
+                    ? "File index and file data removed successfully"
+                    : "File index removed successfully",
                 FileId = fileId,
                 FileName = fileName,
                 Path = filePath,
@@ -357,13 +442,14 @@ public class FileIndexController(
                 db.Files.Remove(file);
                 logger.LogInformation("Deleted orphaned file {FileId} after clearing path {Path}", fileId, path);
             }
+
             await db.SaveChangesAsync();
 
             return Ok(new
             {
-                Message = deleteFiles ? 
+                Message = deleteFiles
-                    $"Cleared {removedCount} file indexes from path and deleted orphaned files" :
+                    ? $"Cleared {removedCount} file indexes from path and deleted orphaned files"
-                    $"Cleared {removedCount} file indexes from path",
+                    : $"Cleared {removedCount} file indexes from path",
                 Path = path,
                 RemovedCount = removedCount,
                 FilesDeleted = deleteFiles
@@ -406,7 +492,8 @@ public class FileIndexController(
 
             // Check if index already exists for this file and path
             var existingIndex = await db.FileIndexes
-                .FirstOrDefaultAsync(fi => fi.FileId == request.FileId && fi.Path == request.Path && fi.AccountId == accountId);
+                .FirstOrDefaultAsync(fi =>
+                    fi.FileId == request.FileId && fi.Path == request.Path && fi.AccountId == accountId);
 
             if (existingIndex != null)
                 return new ObjectResult(ApiError.Validation(new Dictionary<string, string[]>

DysonNetwork.Drive/Migrations/AppDatabaseModelSnapshot.cs

@@ -179,7 +179,7 @@ namespace DysonNetwork.Drive.Migrations
                     b.UseTphMappingStrategy();
                 });
 
-            modelBuilder.Entity("DysonNetwork.Shared.Models.CloudFileReference", b =>
+            modelBuilder.Entity("DysonNetwork.Shared.Models.SnCloudFileReference", b =>
                 {
                     b.Property<Guid>("Id")
                         .ValueGeneratedOnAdd()
@@ -571,7 +571,7 @@ namespace DysonNetwork.Drive.Migrations
                     b.HasDiscriminator().HasValue("PersistentUploadTask");
                 });
 
-            modelBuilder.Entity("DysonNetwork.Shared.Models.CloudFileReference", b =>
+            modelBuilder.Entity("DysonNetwork.Shared.Models.SnCloudFileReference", b =>
                 {
                     b.HasOne("DysonNetwork.Shared.Models.SnCloudFile", "File")
                         .WithMany("References")

DysonNetwork.Drive/Startup/BroadcastEventHandler.cs

@@ -3,7 +3,7 @@ using DysonNetwork.Drive.Storage;
 using DysonNetwork.Drive.Storage.Model;
 using DysonNetwork.Shared.Models;
 using DysonNetwork.Shared.Proto;
-using DysonNetwork.Shared.Stream;
+using DysonNetwork.Shared.Queue;
 using FFMpegCore;
 using Microsoft.EntityFrameworkCore;
 using NATS.Client.Core;

DysonNetwork.Drive/Startup/ServiceCollectionExtensions.cs

@@ -12,9 +12,7 @@ public static class ServiceCollectionExtensions
     public static IServiceCollection AddAppServices(this IServiceCollection services, IConfiguration configuration)
     {
         services.AddDbContext<AppDatabase>(); // Assuming you'll have an AppDatabase
-        services.AddSingleton<IClock>(SystemClock.Instance);
         services.AddHttpContextAccessor();
-        services.AddSingleton<ICacheService, CacheServiceRedis>(); // Uncomment if you have CacheServiceRedis
 
         services.AddHttpClient();
 

DysonNetwork.Drive/Storage/FileController.cs

@@ -1,4 +1,3 @@
-using DysonNetwork.Drive.Billing;
 using DysonNetwork.Shared.Auth;
 using DysonNetwork.Shared.Models;
 using DysonNetwork.Shared.Proto;
@@ -14,9 +13,9 @@ namespace DysonNetwork.Drive.Storage;
 public class FileController(
     AppDatabase db,
     FileService fs,
-    QuotaService qs,
     IConfiguration configuration,
-    IWebHostEnvironment env
+    IWebHostEnvironment env,
+    FileReferenceService fileReferenceService
 ) : ControllerBase
 {
     [HttpGet("{id}")]
@@ -63,30 +62,31 @@ public class FileController(
         return null;
     }
 
-    private async Task<ActionResult> ServeLocalFile(SnCloudFile file)
+    private Task<ActionResult> ServeLocalFile(SnCloudFile file)
     {
         // Try temp storage first
         var tempFilePath = Path.Combine(Path.GetTempPath(), file.Id);
         if (System.IO.File.Exists(tempFilePath))
         {
             if (file.IsEncrypted)
-                return StatusCode(StatusCodes.Status403Forbidden, "Encrypted files cannot be accessed before they are processed and stored.");
+                return Task.FromResult<ActionResult>(StatusCode(StatusCodes.Status403Forbidden,
+                    "Encrypted files cannot be accessed before they are processed and stored."));
 
-            return PhysicalFile(tempFilePath, file.MimeType ?? "application/octet-stream", file.Name, enableRangeProcessing: true);
+            return Task.FromResult<ActionResult>(PhysicalFile(tempFilePath, file.MimeType ?? "application/octet-stream",
+                file.Name, enableRangeProcessing: true));
         }
 
         // Fallback for tus uploads
         var tusStorePath = configuration.GetValue<string>("Storage:Uploads");
-        if (!string.IsNullOrEmpty(tusStorePath))
+        if (string.IsNullOrEmpty(tusStorePath))
-        {
+            return Task.FromResult<ActionResult>(StatusCode(StatusCodes.Status400BadRequest,
-            var tusFilePath = Path.Combine(env.ContentRootPath, tusStorePath, file.Id);
+                "File is being processed. Please try again later."));
-            if (System.IO.File.Exists(tusFilePath))
+        var tusFilePath = Path.Combine(env.ContentRootPath, tusStorePath, file.Id);
-            {
+        return System.IO.File.Exists(tusFilePath)
-                return PhysicalFile(tusFilePath, file.MimeType ?? "application/octet-stream", file.Name, enableRangeProcessing: true);
+            ? Task.FromResult<ActionResult>(PhysicalFile(tusFilePath, file.MimeType ?? "application/octet-stream",
-            }
+                file.Name, enableRangeProcessing: true))
-        }
+            : Task.FromResult<ActionResult>(StatusCode(StatusCodes.Status400BadRequest,
-
+                "File is being processed. Please try again later."));
-        return StatusCode(StatusCodes.Status400BadRequest, "File is being processed. Please try again later.");
     }
 
     private async Task<ActionResult> ServeRemoteFile(
@@ -99,7 +99,8 @@ public class FileController(
     )
     {
         if (!file.PoolId.HasValue)
-            return StatusCode(StatusCodes.Status500InternalServerError, "File is in an inconsistent state: uploaded but no pool ID.");
+            return StatusCode(StatusCodes.Status500InternalServerError,
+                "File is in an inconsistent state: uploaded but no pool ID.");
 
         var pool = await fs.GetPoolAsync(file.PoolId.Value);
         if (pool is null)
@@ -148,15 +149,10 @@ public class FileController(
             return Redirect(BuildProxyUrl(dest.ImageProxy, fileName));
         }
 
-        if (dest.AccessProxy is not null)
+        return dest.AccessProxy is not null ? Redirect(BuildProxyUrl(dest.AccessProxy, fileName)) : null;
-        {
-            return Redirect(BuildProxyUrl(dest.AccessProxy, fileName));
-        }
-
-        return null;
     }
 
-    private string BuildProxyUrl(string proxyUrl, string fileName)
+    private static string BuildProxyUrl(string proxyUrl, string fileName)
     {
         var baseUri = new Uri(proxyUrl.EndsWith('/') ? proxyUrl : $"{proxyUrl}/");
         var fullUri = new Uri(baseUri, fileName);
@@ -189,7 +185,7 @@ public class FileController(
         return Redirect(openUrl);
     }
 
-    private Dictionary<string, string> BuildSignedUrlHeaders(
+    private static Dictionary<string, string> BuildSignedUrlHeaders(
         SnCloudFile file,
         string? fileExtension,
         string? overrideMimeType,
@@ -234,6 +230,21 @@ public class FileController(
         return file;
     }
 
+    [HttpGet("{id}/references")]
+    public async Task<ActionResult<List<Shared.Models.SnCloudFileReference>>> GetFileReferences(string id)
+    {
+        var file = await fs.GetFileAsync(id);
+        if (file is null) return NotFound("File not found.");
+
+        // Check if user has access to the file
+        var accessResult = await ValidateFileAccess(file, null);
+        if (accessResult is not null) return accessResult;
+
+        // Get references using the injected FileReferenceService
+        var references = await fileReferenceService.GetReferencesAsync(id);
+        return Ok(references);
+    }
+
     [Authorize]
     [HttpPatch("{id}/name")]
     public async Task<ActionResult<SnCloudFile>> UpdateFileName(string id, [FromBody] string name)
@@ -281,25 +292,40 @@ public class FileController(
         [FromQuery] Guid? pool,
         [FromQuery] bool recycled = false,
         [FromQuery] int offset = 0,
-        [FromQuery] int take = 20
+        [FromQuery] int take = 20,
+        [FromQuery] string? query = null,
+        [FromQuery] string order = "date",
+        [FromQuery] bool orderDesc = true
     )
     {
         if (HttpContext.Items["CurrentUser"] is not Account currentUser) return Unauthorized();
         var accountId = Guid.Parse(currentUser.Id);
 
-        var query = db.Files
+        var filesQuery = db.Files
             .Where(e => e.IsMarkedRecycle == recycled)
             .Where(e => e.AccountId == accountId)
             .Include(e => e.Pool)
-            .OrderByDescending(e => e.CreatedAt)
             .AsQueryable();
 
-        if (pool.HasValue) query = query.Where(e => e.PoolId == pool);
+        if (pool.HasValue) filesQuery = filesQuery.Where(e => e.PoolId == pool);
 
-        var total = await query.CountAsync();
+        if (!string.IsNullOrWhiteSpace(query))
+        {
+            filesQuery = filesQuery.Where(e => e.Name.Contains(query));
+        }
+
+        filesQuery = order.ToLower() switch
+        {
+            "date" => orderDesc ? filesQuery.OrderByDescending(e => e.CreatedAt) : filesQuery.OrderBy(e => e.CreatedAt),
+            "size" => orderDesc ? filesQuery.OrderByDescending(e => e.Size) : filesQuery.OrderBy(e => e.Size),
+            "name" => orderDesc ? filesQuery.OrderByDescending(e => e.Name) : filesQuery.OrderBy(e => e.Name),
+            _ => filesQuery.OrderByDescending(e => e.CreatedAt)
+        };
+
+        var total = await filesQuery.CountAsync();
         Response.Headers.Append("X-Total", total.ToString());
 
-        var files = await query
+        var files = await filesQuery
             .Skip(offset)
             .Take(take)
             .ToListAsync();
@@ -307,9 +333,25 @@ public class FileController(
         return Ok(files);
     }
 
+    public class FileBatchDeletionRequest
+    {
+        public List<string> FileIds { get; set; } = [];
+    }
+
+    [Authorize]
+    [HttpPost("batches/delete")]
+    public async Task<ActionResult> DeleteFileBatch([FromBody] FileBatchDeletionRequest request)
+    {
+        if (HttpContext.Items["CurrentUser"] is not Account currentUser) return Unauthorized();
+        var userId = Guid.Parse(currentUser.Id);
+
+        var count = await fs.DeleteAccountFileBatchAsync(userId, request.FileIds);
+        return Ok(new { Count = count });
+    }
+
     [Authorize]
     [HttpDelete("{id}")]
-    public async Task<ActionResult> DeleteFile(string id)
+    public async Task<ActionResult<SnCloudFile>> DeleteFile(string id)
     {
         if (HttpContext.Items["CurrentUser"] is not Account currentUser) return Unauthorized();
         var userId = Guid.Parse(currentUser.Id);
@@ -321,9 +363,9 @@ public class FileController(
         if (file is null) return NotFound();
 
         await fs.DeleteFileDataAsync(file, force: true);
-        await fs.DeleteFileAsync(file);
+        await fs.DeleteFileAsync(file, skipData: true);
 
-        return NoContent();
+        return Ok(file);
     }
 
     [Authorize]
@@ -339,116 +381,10 @@ public class FileController(
 
     [Authorize]
     [HttpDelete("recycle")]
-    [RequiredPermission("maintenance", "files.delete.recycle")]
+    [AskPermission("files.delete.recycle")]
     public async Task<ActionResult> DeleteAllRecycledFiles()
     {
         var count = await fs.DeleteAllRecycledFilesAsync();
         return Ok(new { Count = count });
     }
-
-    public class CreateFastFileRequest
-    {
-        public string Name { get; set; } = null!;
-        public long Size { get; set; }
-        public string Hash { get; set; } = null!;
-        public string? MimeType { get; set; }
-        public string? Description { get; set; }
-        public Dictionary<string, object?>? UserMeta { get; set; }
-        public Dictionary<string, object?>? FileMeta { get; set; }
-        public List<Shared.Models.ContentSensitiveMark>? SensitiveMarks { get; set; }
-        public Guid PoolId { get; set; }
-    }
-
-    [Authorize]
-    [HttpPost("fast")]
-    [RequiredPermission("global", "files.create")]
-    public async Task<ActionResult<SnCloudFile>> CreateFastFile([FromBody] CreateFastFileRequest request)
-    {
-        if (HttpContext.Items["CurrentUser"] is not Account currentUser) return Unauthorized();
-        var accountId = Guid.Parse(currentUser.Id);
-
-        var pool = await db.Pools.FirstOrDefaultAsync(p => p.Id == request.PoolId);
-        if (pool is null) return BadRequest();
-        if (!currentUser.IsSuperuser && pool.AccountId != accountId)
-            return StatusCode(403, "You don't have permission to create files in this pool.");
-
-        if (!pool.PolicyConfig.EnableFastUpload)
-            return StatusCode(
-                403,
-                "This pool does not allow fast upload"
-            );
-
-        if (pool.PolicyConfig.RequirePrivilege > 0)
-        {
-            if (currentUser.PerkSubscription is null)
-            {
-                return StatusCode(
-                    403,
-                    $"You need to have join the Stellar Program to use this pool"
-                );
-            }
-
-            var privilege =
-                PerkSubscriptionPrivilege.GetPrivilegeFromIdentifier(currentUser.PerkSubscription.Identifier);
-            if (privilege < pool.PolicyConfig.RequirePrivilege)
-            {
-                return StatusCode(
-                    403,
-                    $"You need Stellar Program tier {pool.PolicyConfig.RequirePrivilege} to use this pool, you are tier {privilege}"
-                );
-            }
-        }
-
-        if (request.Size > pool.PolicyConfig.MaxFileSize)
-        {
-            return StatusCode(
-                403,
-                $"File size {request.Size} is larger than the pool's maximum file size {pool.PolicyConfig.MaxFileSize}"
-            );
-        }
-
-        var (ok, billableUnit, quota) = await qs.IsFileAcceptable(
-            accountId,
-            pool.BillingConfig.CostMultiplier ?? 1.0,
-            request.Size
-        );
-        if (!ok)
-        {
-            return StatusCode(
-                403,
-                $"File size {billableUnit} is larger than the user's quota {quota}"
-            );
-        }
-
-        await using var transaction = await db.Database.BeginTransactionAsync();
-        try
-        {
-            var file = new SnCloudFile
-            {
-                Name = request.Name,
-                Size = request.Size,
-                Hash = request.Hash,
-                MimeType = request.MimeType,
-                Description = request.Description,
-                AccountId = accountId,
-                UserMeta = request.UserMeta,
-                FileMeta = request.FileMeta,
-                SensitiveMarks = request.SensitiveMarks,
-                PoolId = request.PoolId
-            };
-            db.Files.Add(file);
-            await db.SaveChangesAsync();
-            await fs._PurgeCacheAsync(file.Id);
-            await transaction.CommitAsync();
-
-            file.FastUploadLink = await fs.CreateFastUploadLinkAsync(file);
-
-            return file;
-        }
-        catch (Exception)
-        {
-            await transaction.RollbackAsync();
-            throw;
-        }
-    }
 }

DysonNetwork.Drive/Storage/FileReferenceService.cs

@@ -1,4 +1,5 @@
 using DysonNetwork.Shared.Cache;
+using DysonNetwork.Shared.Data;
 using DysonNetwork.Shared.Models;
 using EFCore.BulkExtensions;
 using Microsoft.EntityFrameworkCore;
@@ -20,7 +21,7 @@ public class FileReferenceService(AppDatabase db, FileService fileService, ICach
     /// <param name="expiredAt">Optional expiration time for the file</param>
     /// <param name="duration">Optional duration after which the file expires (alternative to expiredAt)</param>
     /// <returns>The created file reference</returns>
-    public async Task<CloudFileReference> CreateReferenceAsync(
+    public async Task<SnCloudFileReference> CreateReferenceAsync(
         string fileId,
         string usage,
         string resourceId,
@@ -33,7 +34,7 @@ public class FileReferenceService(AppDatabase db, FileService fileService, ICach
         if (duration.HasValue)
             finalExpiration = SystemClock.Instance.GetCurrentInstant() + duration.Value;
 
-        var reference = new CloudFileReference
+        var reference = new SnCloudFileReference
         {
             FileId = fileId,
             Usage = usage,
@@ -49,7 +50,7 @@ public class FileReferenceService(AppDatabase db, FileService fileService, ICach
         return reference;
     }
 
-    public async Task<List<CloudFileReference>> CreateReferencesAsync(
+    public async Task<List<SnCloudFileReference>> CreateReferencesAsync(
         List<string> fileId,
         string usage,
         string resourceId,
@@ -57,12 +58,15 @@ public class FileReferenceService(AppDatabase db, FileService fileService, ICach
         Duration? duration = null
     )
     {
-        var data = fileId.Select(id => new CloudFileReference
+        var now = SystemClock.Instance.GetCurrentInstant();
+        var data = fileId.Select(id => new SnCloudFileReference
         {
             FileId = id,
             Usage = usage,
             ResourceId = resourceId,
-            ExpiredAt = expiredAt ?? SystemClock.Instance.GetCurrentInstant() + duration
+            ExpiredAt = expiredAt ?? now + duration,
+            CreatedAt = now,
+            UpdatedAt = now
         }).ToList();
         await db.BulkInsertAsync(data);
         return data;
@@ -73,11 +77,11 @@ public class FileReferenceService(AppDatabase db, FileService fileService, ICach
     /// </summary>
     /// <param name="fileId">The ID of the file</param>
     /// <returns>A list of all references to the file</returns>
-    public async Task<List<CloudFileReference>> GetReferencesAsync(string fileId)
+    public async Task<List<SnCloudFileReference>> GetReferencesAsync(string fileId)
     {
         var cacheKey = $"{CacheKeyPrefix}list:{fileId}";
 
-        var cachedReferences = await cache.GetAsync<List<CloudFileReference>>(cacheKey);
+        var cachedReferences = await cache.GetAsync<List<SnCloudFileReference>>(cacheKey);
         if (cachedReferences is not null)
             return cachedReferences;
 
@@ -90,17 +94,17 @@ public class FileReferenceService(AppDatabase db, FileService fileService, ICach
         return references;
     }
 
-    public async Task<Dictionary<string, List<CloudFileReference>>> GetReferencesAsync(IEnumerable<string> fileIds)
+    public async Task<Dictionary<string, List<SnCloudFileReference>>> GetReferencesAsync(IEnumerable<string> fileIds)
     {
         var fileIdList = fileIds.ToList();
-        var result = new Dictionary<string, List<CloudFileReference>>();
+        var result = new Dictionary<string, List<SnCloudFileReference>>();
 
         // Check cache for each file ID
         var uncachedFileIds = new List<string>();
         foreach (var fileId in fileIdList)
         {
             var cacheKey = $"{CacheKeyPrefix}list:{fileId}";
-            var cachedReferences = await cache.GetAsync<List<CloudFileReference>>(cacheKey);
+            var cachedReferences = await cache.GetAsync<List<SnCloudFileReference>>(cacheKey);
             if (cachedReferences is not null)
             {
                 result[fileId] = cachedReferences;
@@ -158,11 +162,11 @@ public class FileReferenceService(AppDatabase db, FileService fileService, ICach
     /// </summary>
     /// <param name="resourceId">The ID of the resource</param>
     /// <returns>A list of file references associated with the resource</returns>
-    public async Task<List<CloudFileReference>> GetResourceReferencesAsync(string resourceId)
+    public async Task<List<SnCloudFileReference>> GetResourceReferencesAsync(string resourceId)
     {
         var cacheKey = $"{CacheKeyPrefix}resource:{resourceId}";
 
-        var cachedReferences = await cache.GetAsync<List<CloudFileReference>>(cacheKey);
+        var cachedReferences = await cache.GetAsync<List<SnCloudFileReference>>(cacheKey);
         if (cachedReferences is not null)
             return cachedReferences;
 
@@ -180,11 +184,11 @@ public class FileReferenceService(AppDatabase db, FileService fileService, ICach
     /// </summary>
     /// <param name="usage">The usage context</param>
     /// <returns>A list of file references with the specified usage</returns>
-    public async Task<List<CloudFileReference>> GetUsageReferencesAsync(string usage)
+    public async Task<List<SnCloudFileReference>> GetUsageReferencesAsync(string usage)
     {
         var cacheKey = $"{CacheKeyPrefix}usage:{usage}";
 
-        var cachedReferences = await cache.GetAsync<List<CloudFileReference>>(cacheKey);
+        var cachedReferences = await cache.GetAsync<List<SnCloudFileReference>>(cacheKey);
         if (cachedReferences is not null)
             return cachedReferences;
 
@@ -306,7 +310,7 @@ public class FileReferenceService(AppDatabase db, FileService fileService, ICach
     /// <param name="expiredAt">Optional expiration time for newly added files</param>
     /// <param name="duration">Optional duration after which newly added files expire</param>
     /// <returns>A list of the updated file references</returns>
-    public async Task<List<CloudFileReference>> UpdateResourceFilesAsync(
+    public async Task<List<SnCloudFileReference>> UpdateResourceFilesAsync(
         string resourceId,
         IEnumerable<string>? newFileIds,
         string usage,
@@ -314,7 +318,7 @@ public class FileReferenceService(AppDatabase db, FileService fileService, ICach
         Duration? duration = null)
     {
         if (newFileIds == null)
-            return new List<CloudFileReference>();
+            return new List<SnCloudFileReference>();
 
         var existingReferences = await db.FileReferences
             .Where(r => r.ResourceId == resourceId && r.Usage == usage)
@@ -332,7 +336,7 @@ public class FileReferenceService(AppDatabase db, FileService fileService, ICach
         // Files to add
         var toAdd = newFileIdsList
             .Where(id => !existingFileIds.Contains(id))
-            .Select(id => new CloudFileReference
+            .Select(id => new SnCloudFileReference
             {
                 FileId = id,
                 Usage = usage,
@@ -484,7 +488,7 @@ public class FileReferenceService(AppDatabase db, FileService fileService, ICach
     /// <param name="resourceId">The resource ID</param>
     /// <param name="usageType">The usage type</param>
     /// <returns>List of file references</returns>
-    public async Task<List<CloudFileReference>> GetResourceReferencesAsync(string resourceId, string usageType)
+    public async Task<List<SnCloudFileReference>> GetResourceReferencesAsync(string resourceId, string usageType)
     {
         return await db.FileReferences
             .Where(r => r.ResourceId == resourceId && r.Usage == usageType)

DysonNetwork.Drive/Storage/FileService.cs

@@ -103,7 +103,8 @@ public class FileService(
         var bundle = await ValidateAndGetBundleAsync(fileBundleId, accountId);
         var finalExpiredAt = CalculateFinalExpiration(expiredAt, pool, bundle);
 
-        var (managedTempPath, fileSize, finalContentType) = await PrepareFileAsync(fileId, filePath, fileName, contentType);
+        var (managedTempPath, fileSize, finalContentType) =
+            await PrepareFileAsync(fileId, filePath, fileName, contentType);
 
         var file = CreateFileObject(fileId, fileName, finalContentType, fileSize, finalExpiredAt, bundle, accountId);
 
@@ -112,7 +113,8 @@ public class FileService(
             await ExtractMetadataAsync(file, managedTempPath);
         }
 
-        var (processingPath, isTempFile) = await ProcessEncryptionAsync(fileId, managedTempPath, encryptPassword, pool, file);
+        var (processingPath, isTempFile) =
+            await ProcessEncryptionAsync(fileId, managedTempPath, encryptPassword, pool, file);
 
         file.Hash = await HashFileAsync(processingPath);
 
@@ -231,7 +233,8 @@ public class FileService(
         file.StorageId ??= file.Id;
     }
 
-    private async Task PublishFileUploadedEventAsync(SnCloudFile file, FilePool pool, string processingPath, bool isTempFile)
+    private async Task PublishFileUploadedEventAsync(SnCloudFile file, FilePool pool, string processingPath,
+        bool isTempFile)
     {
         var js = nats.CreateJetStreamContext();
         await js.PublishAsync(
@@ -471,13 +474,14 @@ public class FileService(
         return await db.Files.AsNoTracking().FirstAsync(f => f.Id == file.Id);
     }
 
-    public async Task DeleteFileAsync(SnCloudFile file)
+    public async Task DeleteFileAsync(SnCloudFile file, bool skipData = false)
     {
         db.Remove(file);
         await db.SaveChangesAsync();
         await _PurgeCacheAsync(file.Id);
 
-        await DeleteFileDataAsync(file);
+        if (!skipData)
+            await DeleteFileDataAsync(file);
     }
 
     public async Task DeleteFileDataAsync(SnCloudFile file, bool force = false)
@@ -660,9 +664,12 @@ public class FileService(
             }
         }
 
-        return [.. references
+        return
-            .Select(r => cachedFiles.GetValueOrDefault(r.Id))
+        [
-            .Where(f => f != null)];
+            .. references
+                .Select(r => cachedFiles.GetValueOrDefault(r.Id))
+                .Where(f => f != null)
+        ];
     }
 
     public async Task<int> GetReferenceCountAsync(string fileId)
@@ -711,6 +718,21 @@ public class FileService(
         return count;
     }
 
+    public async Task<int> DeleteAccountFileBatchAsync(Guid accountId, List<string> fileIds)
+    {
+        var files = await db.Files
+            .Where(f => f.AccountId == accountId && fileIds.Contains(f.Id))
+            .ToListAsync();
+        var count = files.Count;
+        var tasks = files.Select(f => DeleteFileDataAsync(f, true));
+        await Task.WhenAll(tasks);
+        var fileIdsList = files.Select(f => f.Id).ToList();
+        await _PurgeCacheRangeAsync(fileIdsList);
+        db.RemoveRange(files);
+        await db.SaveChangesAsync();
+        return count;
+    }
+
     public async Task<int> DeletePoolRecycledFilesAsync(Guid poolId)
     {
         var files = await db.Files

DysonNetwork.Drive/Storage/FileUploadController.cs

@@ -113,7 +113,7 @@ public class FileUploadController(
         if (currentUser.IsSuperuser) return null;
 
         var allowed = await permission.HasPermissionAsync(new HasPermissionRequest
-            { Actor = $"user:{currentUser.Id}", Area = "global", Key = "files.create" });
+            { Actor = currentUser.Id, Key = "files.create" });
 
         return allowed.HasPermission
             ? null

DysonNetwork.Drive/appsettings.json

@@ -1,118 +1,121 @@
 {
-  "Debug": true,
+    "Debug": true,
-  "BaseUrl": "http://localhost:5090",
+    "BaseUrl": "http://localhost:5090",
-  "GatewayUrl": "http://localhost:5094",
+    "GatewayUrl": "http://localhost:5094",
-  "Logging": {
+    "Logging": {
-    "LogLevel": {
+        "LogLevel": {
-      "Default": "Information",
+            "Default": "Information",
-      "Microsoft.AspNetCore": "Warning"
+            "Microsoft.AspNetCore": "Warning"
-    }
+        }
-  },
+    },
-  "AllowedHosts": "*",
+    "AllowedHosts": "*",
-  "ConnectionStrings": {
+    "ConnectionStrings": {
-    "App": "Host=localhost;Port=5432;Database=dyson_drive;Username=postgres;Password=postgres;Include Error Detail=True;Maximum Pool Size=20;Connection Idle Lifetime=60"
+        "App": "Host=localhost;Port=5432;Database=dyson_drive;Username=postgres;Password=postgres;Include Error Detail=True;Maximum Pool Size=20;Connection Idle Lifetime=60"
-  },
+    },
-  "Authentication": {
+    "Authentication": {
-    "Schemes": {
+        "Schemes": {
-      "Bearer": {
+            "Bearer": {
-        "ValidAudiences": [
+                "ValidAudiences": [
-          "http://localhost:5071",
+                    "http://localhost:5071",
-          "https://localhost:7099"
+                    "https://localhost:7099"
-        ],
+                ],
-        "ValidIssuer": "solar-network"
+                "ValidIssuer": "solar-network"
-      }
+            }
-    }
+        }
-  },
+    },
-  "AuthToken": {
+    "AuthToken": {
-    "PublicKeyPath": "Keys/PublicKey.pem",
+        "PublicKeyPath": "Keys/PublicKey.pem",
-    "PrivateKeyPath": "Keys/PrivateKey.pem"
+        "PrivateKeyPath": "Keys/PrivateKey.pem"
-  },
+    },
-  "Storage": {
+    "Storage": {
-    "Uploads": "Uploads",
+        "Uploads": "Uploads",
-    "PreferredRemote": "c53136a6-9152-4ecb-9f88-43c41438c23e",
+        "PreferredRemote": "c53136a6-9152-4ecb-9f88-43c41438c23e",
-    "Remote": [
+        "Remote": [
-      {
+            {
-        "Id": "minio",
+                "Id": "minio",
-        "Label": "Minio",
+                "Label": "Minio",
-        "Region": "auto",
+                "Region": "auto",
-        "Bucket": "solar-network-development",
+                "Bucket": "solar-network-development",
-        "Endpoint": "localhost:9000",
+                "Endpoint": "localhost:9000",
-        "SecretId": "littlesheep",
+                "SecretId": "littlesheep",
-        "SecretKey": "password",
+                "SecretKey": "password",
-        "EnabledSigned": true,
+                "EnabledSigned": true,
-        "EnableSsl": false
+                "EnableSsl": false
-      },
+            },
-      {
+            {
-        "Id": "cloudflare",
+                "Id": "cloudflare",
-        "Label": "Cloudflare R2",
+                "Label": "Cloudflare R2",
-        "Region": "auto",
+                "Region": "auto",
-        "Bucket": "solar-network",
+                "Bucket": "solar-network",
-        "Endpoint": "0a70a6d1b7128888c823359d0008f4e1.r2.cloudflarestorage.com",
+                "Endpoint": "0a70a6d1b7128888c823359d0008f4e1.r2.cloudflarestorage.com",
-        "SecretId": "8ff5d06c7b1639829d60bc6838a542e6",
+                "SecretId": "8ff5d06c7b1639829d60bc6838a542e6",
-        "SecretKey": "fd58158c5201be16d1872c9209d9cf199421dae3c2f9972f94b2305976580d67",
+                "SecretKey": "fd58158c5201be16d1872c9209d9cf199421dae3c2f9972f94b2305976580d67",
-        "EnableSigned": true,
+                "EnableSigned": true,
-        "EnableSsl": true
+                "EnableSsl": true
-      }
+            }
+        ]
+    },
+    "Captcha": {
+        "Provider": "cloudflare",
+        "ApiKey": "0x4AAAAAABCDUdOujj4feOb_",
+        "ApiSecret": "0x4AAAAAABCDUWABiJQweqlB7tYq-IqIm8U"
+    },
+    "Notifications": {
+        "Topic": "dev.solsynth.solian",
+        "Endpoint": "http://localhost:8088"
+    },
+    "Email": {
+        "Server": "smtp4dev.orb.local",
+        "Port": 25,
+        "UseSsl": false,
+        "Username": "no-reply@mail.solsynth.dev",
+        "Password": "password",
+        "FromAddress": "no-reply@mail.solsynth.dev",
+        "FromName": "Alphabot",
+        "SubjectPrefix": "Solar Network"
+    },
+    "RealtimeChat": {
+        "Endpoint": "https://solar-network-im44o8gq.livekit.cloud",
+        "ApiKey": "APIs6TiL8wj3A4j",
+        "ApiSecret": "SffxRneIwTnlHPtEf3zicmmv3LUEl7xXael4PvWZrEhE"
+    },
+    "GeoIp": {
+        "DatabasePath": "./Keys/GeoLite2-City.mmdb"
+    },
+    "Oidc": {
+        "Google": {
+            "ClientId": "961776991058-963m1qin2vtp8fv693b5fdrab5hmpl89.apps.googleusercontent.com",
+            "ClientSecret": ""
+        },
+        "Apple": {
+            "ClientId": "dev.solsynth.solian",
+            "TeamId": "W7HPZ53V6B",
+            "KeyId": "B668YP4KBG",
+            "PrivateKeyPath": "./Keys/Solarpass.p8"
+        },
+        "Microsoft": {
+            "ClientId": "YOUR_MICROSOFT_CLIENT_ID",
+            "ClientSecret": "YOUR_MICROSOFT_CLIENT_SECRET",
+            "DiscoveryEndpoint": "YOUR_MICROSOFT_DISCOVERY_ENDPOINT"
+        }
+    },
+    "Payment": {
+        "Auth": {
+            "Afdian": "<token here>"
+        },
+        "Subscriptions": {
+            "Afdian": {
+                "7d17aae23c9611f0b5705254001e7c00": "solian.stellar.primary",
+                "7dfae4743c9611f0b3a55254001e7c00": "solian.stellar.nova",
+                "141713ee3d6211f085b352540025c377": "solian.stellar.supernova"
+            }
+        }
+    },
+    "Cache": {
+        "Serializer": "MessagePack"
+    },
+    "KnownProxies": [
+        "127.0.0.1",
+        "::1"
     ]
-  },
-  "Captcha": {
-    "Provider": "cloudflare",
-    "ApiKey": "0x4AAAAAABCDUdOujj4feOb_",
-    "ApiSecret": "0x4AAAAAABCDUWABiJQweqlB7tYq-IqIm8U"
-  },
-  "Notifications": {
-    "Topic": "dev.solsynth.solian",
-    "Endpoint": "http://localhost:8088"
-  },
-  "Email": {
-    "Server": "smtp4dev.orb.local",
-    "Port": 25,
-    "UseSsl": false,
-    "Username": "no-reply@mail.solsynth.dev",
-    "Password": "password",
-    "FromAddress": "no-reply@mail.solsynth.dev",
-    "FromName": "Alphabot",
-    "SubjectPrefix": "Solar Network"
-  },
-  "RealtimeChat": {
-    "Endpoint": "https://solar-network-im44o8gq.livekit.cloud",
-    "ApiKey": "APIs6TiL8wj3A4j",
-    "ApiSecret": "SffxRneIwTnlHPtEf3zicmmv3LUEl7xXael4PvWZrEhE"
-  },
-  "GeoIp": {
-    "DatabasePath": "./Keys/GeoLite2-City.mmdb"
-  },
-  "Oidc": {
-    "Google": {
-      "ClientId": "961776991058-963m1qin2vtp8fv693b5fdrab5hmpl89.apps.googleusercontent.com",
-      "ClientSecret": ""
-    },
-    "Apple": {
-      "ClientId": "dev.solsynth.solian",
-      "TeamId": "W7HPZ53V6B",
-      "KeyId": "B668YP4KBG",
-      "PrivateKeyPath": "./Keys/Solarpass.p8"
-    },
-    "Microsoft": {
-      "ClientId": "YOUR_MICROSOFT_CLIENT_ID",
-      "ClientSecret": "YOUR_MICROSOFT_CLIENT_SECRET",
-      "DiscoveryEndpoint": "YOUR_MICROSOFT_DISCOVERY_ENDPOINT"
-    }
-  },
-  "Payment": {
-    "Auth": {
-      "Afdian": "<token here>"
-    },
-    "Subscriptions": {
-      "Afdian": {
-        "7d17aae23c9611f0b5705254001e7c00": "solian.stellar.primary",
-        "7dfae4743c9611f0b3a55254001e7c00": "solian.stellar.nova",
-        "141713ee3d6211f085b352540025c377": "solian.stellar.supernova"
-      }
-    }
-  },
-  "KnownProxies": [
-    "127.0.0.1",
-    "::1"
-  ]
 }

DysonNetwork.Gateway/Health/GatewayConstant.cs

@@ -0,0 +1,9 @@
+namespace DysonNetwork.Gateway.Health;
+
+public abstract class GatewayConstant
+{
+    public static readonly string[] ServiceNames = ["ring", "pass", "drive", "sphere", "develop", "insight", "zone"];
+    
+    // Core services stands with w/o these services the functional of entire app will broke.
+    public static readonly string[] CoreServiceNames = ["ring", "pass", "drive", "sphere"];
+}

DysonNetwork.Gateway/Health/GatewayHealthAggregator.cs

@@ -0,0 +1,60 @@
+using NodaTime;
+
+namespace DysonNetwork.Gateway.Health;
+
+public class GatewayHealthAggregator(IHttpClientFactory httpClientFactory, GatewayReadinessStore store)
+    : BackgroundService
+{
+    private async Task<ServiceHealthState> CheckService(string serviceName)
+    {
+        var client = httpClientFactory.CreateClient("health");
+        var now = SystemClock.Instance.GetCurrentInstant();
+
+        try
+        {
+            // Use the service discovery to lookup service
+            // The service defaults give every single service a health endpoint that we can use here
+            using var response = await client.GetAsync($"http://{serviceName}/health");
+
+            if (response.IsSuccessStatusCode)
+            {
+                return new ServiceHealthState(
+                    serviceName,
+                    true,
+                    now,
+                    null
+                );
+            }
+
+            return new ServiceHealthState(
+                serviceName,
+                false,
+                now,
+                $"StatusCode: {(int)response.StatusCode}"
+            );
+        }
+        catch (Exception ex)
+        {
+            return new ServiceHealthState(
+                serviceName,
+                false,
+                now,
+                ex.Message
+            );
+        }
+    }
+
+    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+    {
+        while (!stoppingToken.IsCancellationRequested)
+        {
+            foreach (var service in GatewayConstant.ServiceNames)
+            {
+                var result = await CheckService(service);
+                store.Update(result);
+            }
+
+            await Task.Delay(TimeSpan.FromSeconds(5), stoppingToken);
+        }
+    }
+}

DysonNetwork.Gateway/Health/GatewayReadinessMiddleware.cs

@@ -0,0 +1,35 @@
+namespace DysonNetwork.Gateway.Health;
+
+using Microsoft.AspNetCore.Http;
+
+public sealed class GatewayReadinessMiddleware(RequestDelegate next)
+{
+    public async Task InvokeAsync(HttpContext context, GatewayReadinessStore store)
+    {
+        if (context.Request.Path.StartsWithSegments("/health"))
+        {
+            await next(context);
+            return;
+        }
+
+        var readiness = store.Current;
+
+        // Only core services participate in readiness gating
+        var notReadyCoreServices = readiness.Services
+            .Where(kv => GatewayConstant.CoreServiceNames.Contains(kv.Key))
+            .Where(kv => !kv.Value.IsHealthy)
+            .Select(kv => kv.Key)
+            .ToArray();
+
+        if (notReadyCoreServices.Length > 0)
+        {
+            context.Response.StatusCode = StatusCodes.Status503ServiceUnavailable;
+            var unavailableServices = string.Join(", ", notReadyCoreServices);
+            context.Response.Headers["X-NotReady"] = unavailableServices;
+            await context.Response.WriteAsync("Solar Network is warming up. Try again later please.");
+            return;
+        }
+
+        await next(context);
+    }
+}

DysonNetwork.Gateway/Health/GatewayReadinessStore.cs

@@ -0,0 +1,76 @@
+using NodaTime;
+
+namespace DysonNetwork.Gateway.Health;
+
+public record ServiceHealthState(
+    string ServiceName,
+    bool IsHealthy,
+    Instant LastChecked,
+    string? Error
+);
+
+public record GatewayReadinessState(
+    bool IsReady,
+    IReadOnlyDictionary<string, ServiceHealthState> Services,
+    Instant LastUpdated
+);
+
+public class GatewayReadinessStore
+{
+    private readonly Lock _lock = new();
+
+    private readonly Dictionary<string, ServiceHealthState> _services = new();
+
+    public GatewayReadinessState Current { get; private set; } = new(
+        IsReady: false,
+        Services: new Dictionary<string, ServiceHealthState>(),
+        LastUpdated: SystemClock.Instance.GetCurrentInstant()
+    );
+
+    public IReadOnlyCollection<string> ServiceNames => _services.Keys;
+
+    public GatewayReadinessStore()
+    {
+        InitializeServices(GatewayConstant.ServiceNames);
+    }
+
+    private void InitializeServices(IEnumerable<string> serviceNames)
+    {
+        lock (_lock)
+        {
+            _services.Clear();
+
+            foreach (var name in serviceNames)
+            {
+                _services[name] = new ServiceHealthState(
+                    name,
+                    IsHealthy: false,
+                    LastChecked: SystemClock.Instance.GetCurrentInstant(),
+                    Error: "Not checked yet"
+                );
+            }
+
+            RecalculateLocked();
+        }
+    }
+
+    public void Update(ServiceHealthState state)
+    {
+        lock (_lock)
+        {
+            _services[state.ServiceName] = state;
+            RecalculateLocked();
+        }
+    }
+
+    private void RecalculateLocked()
+    {
+        var isReady = _services.Count > 0 && _services.Values.All(s => s.IsHealthy);
+
+        Current = new GatewayReadinessState(
+            IsReady: isReady,
+            Services: new Dictionary<string, ServiceHealthState>(_services),
+            LastUpdated: SystemClock.Instance.GetCurrentInstant()
+        );
+    }
+}

DysonNetwork.Gateway/Health/GatewayStatusController.cs

@@ -0,0 +1,14 @@
+using Microsoft.AspNetCore.Mvc;
+
+namespace DysonNetwork.Gateway.Health;
+
+[ApiController]
+[Route("/health")]
+public class GatewayStatusController(GatewayReadinessStore readinessStore) : ControllerBase
+{
+    [HttpGet]
+    public ActionResult<GatewayReadinessState> GetHealthStatus()
+    {
+        return Ok(readinessStore.Current);
+    }
+}

DysonNetwork.Gateway/Program.cs

@@ -1,7 +1,12 @@
+using System.Text.Json;
+using System.Text.Json.Serialization;
 using System.Threading.RateLimiting;
+using DysonNetwork.Gateway.Health;
 using DysonNetwork.Shared.Http;
 using Yarp.ReverseProxy.Configuration;
 using Microsoft.AspNetCore.HttpOverrides;
+using NodaTime;
+using NodaTime.Serialization.SystemTextJson;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -9,17 +14,19 @@ builder.AddServiceDefaults();
 
 builder.ConfigureAppKestrel(builder.Configuration, maxRequestBodySize: long.MaxValue, enableGrpc: false);
 
+builder.Services.AddSingleton<GatewayReadinessStore>();
+builder.Services.AddHostedService<GatewayHealthAggregator>();
+
 builder.Services.AddCors(options =>
 {
-    options.AddDefaultPolicy(
+    options.AddDefaultPolicy(policy =>
-        policy =>
+    {
-        {
+        policy.SetIsOriginAllowed(origin => true)
-            policy.SetIsOriginAllowed(origin => true)
+            .AllowAnyMethod()
-                .AllowAnyMethod()
+            .AllowAnyHeader()
-                .AllowAnyHeader()
+            .AllowCredentials()
-                .AllowCredentials()
+            .WithExposedHeaders("X-Total", "X-NotReady");
-                .WithExposedHeaders("X-Total");
+    });
-        });
 });
 
 builder.Services.AddRateLimiter(options =>
@@ -40,23 +47,22 @@ builder.Services.AddRateLimiter(options =>
     });
 
     options.OnRejected = async (context, token) =>
-        {
+    {
-            // Log the rejected IP
+        // Log the rejected IP
-            var logger = context.HttpContext.RequestServices
+        var logger = context.HttpContext.RequestServices
-                .GetRequiredService<ILoggerFactory>()
+            .GetRequiredService<ILoggerFactory>()
-                .CreateLogger("RateLimiter");
+            .CreateLogger("RateLimiter");
 
-            var ip = context.HttpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
+        var ip = context.HttpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
-            logger.LogWarning("Rate limit exceeded for IP: {IP}", ip);
+        logger.LogWarning("Rate limit exceeded for IP: {IP}", ip);
 
-            // Respond to the client
+        // Respond to the client
-            context.HttpContext.Response.StatusCode = StatusCodes.Status429TooManyRequests;
+        context.HttpContext.Response.StatusCode = StatusCodes.Status429TooManyRequests;
-            await context.HttpContext.Response.WriteAsync(
+        await context.HttpContext.Response.WriteAsync(
-                "Rate limit exceeded. Try again later.", token);
+            "Rate limit exceeded. Try again later.", token);
-        };
+    };
 });
 
-var serviceNames = new[] { "ring", "pass", "drive", "sphere", "develop", "insight" };
 
 var specialRoutes = new[]
 {
@@ -86,7 +92,7 @@ var specialRoutes = new[]
     }
 };
 
-var apiRoutes = serviceNames.Select(serviceName =>
+var apiRoutes = GatewayConstant.ServiceNames.Select(serviceName =>
 {
     var apiPath = serviceName switch
     {
@@ -105,7 +111,7 @@ var apiRoutes = serviceNames.Select(serviceName =>
     };
 });
 
-var swaggerRoutes = serviceNames.Select(serviceName => new RouteConfig
+var swaggerRoutes = GatewayConstant.ServiceNames.Select(serviceName => new RouteConfig
 {
     RouteId = $"{serviceName}-swagger",
     ClusterId = serviceName,
@@ -119,7 +125,7 @@ var swaggerRoutes = serviceNames.Select(serviceName => new RouteConfig
 
 var routes = specialRoutes.Concat(apiRoutes).Concat(swaggerRoutes).ToArray();
 
-var clusters = serviceNames.Select(serviceName => new ClusterConfig
+var clusters = GatewayConstant.ServiceNames.Select(serviceName => new ClusterConfig
 {
     ClusterId = serviceName,
     HealthCheck = new HealthCheckConfig
@@ -131,7 +137,7 @@ var clusters = serviceNames.Select(serviceName => new ClusterConfig
             Timeout = TimeSpan.FromSeconds(5),
             Path = "/health"
         },
-        Passive = new()
+        Passive = new PassiveHealthCheckConfig
         {
             Enabled = true
         }
@@ -147,7 +153,14 @@ builder.Services
     .LoadFromMemory(routes, clusters)
     .AddServiceDiscoveryDestinationResolver();
 
-builder.Services.AddControllers();
+builder.Services.AddControllers().AddJsonOptions(options =>
+{
+    options.JsonSerializerOptions.NumberHandling = JsonNumberHandling.AllowNamedFloatingPointLiterals;
+    options.JsonSerializerOptions.PropertyNamingPolicy = JsonNamingPolicy.SnakeCaseLower;
+    options.JsonSerializerOptions.DictionaryKeyPolicy = JsonNamingPolicy.SnakeCaseLower;
+
+    options.JsonSerializerOptions.ConfigureForNodaTime(DateTimeZoneProviders.Tzdb);
+});
 
 var app = builder.Build();
 
@@ -155,12 +168,14 @@ var forwardedHeadersOptions = new ForwardedHeadersOptions
 {
     ForwardedHeaders = ForwardedHeaders.All
 };
-forwardedHeadersOptions.KnownNetworks.Clear();
+forwardedHeadersOptions.KnownIPNetworks.Clear();
 forwardedHeadersOptions.KnownProxies.Clear();
 app.UseForwardedHeaders(forwardedHeadersOptions);
 
 app.UseCors();
 
+app.UseMiddleware<GatewayReadinessMiddleware>();
+
 app.MapReverseProxy().RequireRateLimiting("fixed");
 
 app.MapControllers();

DysonNetwork.Gateway/appsettings.json

@@ -1,13 +1,16 @@
 {
-  "Logging": {
+    "Logging": {
-    "LogLevel": {
+        "LogLevel": {
-      "Default": "Information",
+            "Default": "Information",
-      "Microsoft.AspNetCore": "Warning"
+            "Microsoft.AspNetCore": "Warning"
+        }
+    },
+    "Cache": {
+        "Serializer": "MessagePack"
+    },
+    "AllowedHosts": "*",
+    "SiteUrl": "http://localhost:3000",
+    "Client": {
+        "SomeSetting": "SomeValue"
     }
-  },
-  "AllowedHosts": "*",
-  "SiteUrl": "http://localhost:3000",
-  "Client": {
-    "SomeSetting": "SomeValue"
-  }
 }

DysonNetwork.Insight/AppDatabase.cs

@@ -1,3 +1,4 @@
+using DysonNetwork.Shared.Data;
 using DysonNetwork.Shared.Models;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore.Design;
@@ -12,6 +13,7 @@ public class AppDatabase(
 {
     public DbSet<SnThinkingSequence> ThinkingSequences { get; set; }
     public DbSet<SnThinkingThought> ThinkingThoughts { get; set; }
+    public DbSet<SnUnpaidAccount> UnpaidAccounts { get; set; }
     
     protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
     {
@@ -28,36 +30,15 @@ public class AppDatabase(
     
     public override async Task<int> SaveChangesAsync(CancellationToken cancellationToken = default)
     {
-        var now = SystemClock.Instance.GetCurrentInstant();
+        this.ApplyAuditableAndSoftDelete();
-
-        foreach (var entry in ChangeTracker.Entries<ModelBase>())
-        {
-            switch (entry.State)
-            {
-                case EntityState.Added:
-                    entry.Entity.CreatedAt = now;
-                    entry.Entity.UpdatedAt = now;
-                    break;
-                case EntityState.Modified:
-                    entry.Entity.UpdatedAt = now;
-                    break;
-                case EntityState.Deleted:
-                    entry.State = EntityState.Modified;
-                    entry.Entity.DeletedAt = now;
-                    break;
-                case EntityState.Detached:
-                case EntityState.Unchanged:
-                default:
-                    break;
-            }
-        }
-
         return await base.SaveChangesAsync(cancellationToken);
     }
 
     protected override void OnModelCreating(ModelBuilder modelBuilder)
     {
         base.OnModelCreating(modelBuilder);
+        
+        modelBuilder.ApplySoftDeleteFilters();
     }
 }
 

DysonNetwork.Insight/Controllers/BillingController.cs

@@ -1,21 +1,42 @@
 using DysonNetwork.Insight.Thought;
-using DysonNetwork.Shared.Auth;
-using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
-using Microsoft.Extensions.Logging;
+using Microsoft.EntityFrameworkCore;
+using DysonNetwork.Shared.Proto;
 
 namespace DysonNetwork.Insight.Controllers;
 
 [ApiController]
-[Route("/api/billing")]
+[Route("api/billing")]
-public class BillingController(ThoughtService thoughtService, ILogger<BillingController> logger) : ControllerBase
+public class BillingController(AppDatabase db, ThoughtService thoughtService, ILogger<BillingController> logger)
+    : ControllerBase
 {
-    [HttpPost("settle")]
+    [HttpGet("status")]
-    [Authorize]
+    public async Task<IActionResult> GetBillingStatus()
-    [RequiredPermission("maintenance", "insight.billing.settle")]
-    public async Task<IActionResult> ProcessTokenBilling()
     {
-        await thoughtService.SettleThoughtBills(logger);
+        if (HttpContext.Items["CurrentUser"] is not Account currentUser)
-        return Ok();
+            return Unauthorized();
+        var accountId = Guid.Parse(currentUser.Id);
+
+        var isMarked = await db.UnpaidAccounts.AnyAsync(u => u.AccountId == accountId);
+        return Ok(isMarked ? new { status = "unpaid" } : new { status = "ok" });
+    }
+
+    [HttpPost("retry")]
+    public async Task<IActionResult> RetryBilling()
+    {
+        if (HttpContext.Items["CurrentUser"] is not Account currentUser)
+            return Unauthorized();
+        var accountId = Guid.Parse(currentUser.Id);
+
+        var (success, cost) = await thoughtService.RetryBillingForAccountAsync(accountId, logger);
+
+        if (success)
+        {
+            return Ok(cost > 0
+                ? new { message = $"Billing retry successful. Billed {cost} points." }
+                : new { message = "No outstanding payment found." });
+        }
+
+        return BadRequest(new { message = "Billing retry failed. Please check your balance and try again." });
     }
 }

DysonNetwork.Insight/Migrations/20251115165833_AddUnpaidAccounts.Designer.cs

@@ -0,0 +1,159 @@
+// <auto-generated />
+using System;
+using System.Collections.Generic;
+using DysonNetwork.Insight;
+using DysonNetwork.Shared.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using NodaTime;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace DysonNetwork.Insight.Migrations
+{
+    [DbContext(typeof(AppDatabase))]
+    [Migration("20251115165833_AddUnpaidAccounts")]
+    partial class AddUnpaidAccounts
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "9.0.11")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("DysonNetwork.Shared.Models.SnThinkingSequence", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid")
+                        .HasColumnName("id");
+
+                    b.Property<Guid>("AccountId")
+                        .HasColumnType("uuid")
+                        .HasColumnName("account_id");
+
+                    b.Property<Instant>("CreatedAt")
+                        .HasColumnType("timestamp with time zone")
+                        .HasColumnName("created_at");
+
+                    b.Property<Instant?>("DeletedAt")
+                        .HasColumnType("timestamp with time zone")
+                        .HasColumnName("deleted_at");
+
+                    b.Property<long>("PaidToken")
+                        .HasColumnType("bigint")
+                        .HasColumnName("paid_token");
+
+                    b.Property<string>("Topic")
+                        .HasMaxLength(4096)
+                        .HasColumnType("character varying(4096)")
+                        .HasColumnName("topic");
+
+                    b.Property<long>("TotalToken")
+                        .HasColumnType("bigint")
+                        .HasColumnName("total_token");
+
+                    b.Property<Instant>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone")
+                        .HasColumnName("updated_at");
+
+                    b.HasKey("Id")
+                        .HasName("pk_thinking_sequences");
+
+                    b.ToTable("thinking_sequences", (string)null);
+                });
+
+            modelBuilder.Entity("DysonNetwork.Shared.Models.SnThinkingThought", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid")
+                        .HasColumnName("id");
+
+                    b.Property<Instant>("CreatedAt")
+                        .HasColumnType("timestamp with time zone")
+                        .HasColumnName("created_at");
+
+                    b.Property<Instant?>("DeletedAt")
+                        .HasColumnType("timestamp with time zone")
+                        .HasColumnName("deleted_at");
+
+                    b.Property<List<SnCloudFileReferenceObject>>("Files")
+                        .IsRequired()
+                        .HasColumnType("jsonb")
+                        .HasColumnName("files");
+
+                    b.Property<string>("ModelName")
+                        .HasMaxLength(4096)
+                        .HasColumnType("character varying(4096)")
+                        .HasColumnName("model_name");
+
+                    b.Property<List<SnThinkingMessagePart>>("Parts")
+                        .IsRequired()
+                        .HasColumnType("jsonb")
+                        .HasColumnName("parts");
+
+                    b.Property<int>("Role")
+                        .HasColumnType("integer")
+                        .HasColumnName("role");
+
+                    b.Property<Guid>("SequenceId")
+                        .HasColumnType("uuid")
+                        .HasColumnName("sequence_id");
+
+                    b.Property<long>("TokenCount")
+                        .HasColumnType("bigint")
+                        .HasColumnName("token_count");
+
+                    b.Property<Instant>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone")
+                        .HasColumnName("updated_at");
+
+                    b.HasKey("Id")
+                        .HasName("pk_thinking_thoughts");
+
+                    b.HasIndex("SequenceId")
+                        .HasDatabaseName("ix_thinking_thoughts_sequence_id");
+
+                    b.ToTable("thinking_thoughts", (string)null);
+                });
+
+            modelBuilder.Entity("DysonNetwork.Shared.Models.SnUnpaidAccount", b =>
+                {
+                    b.Property<Guid>("AccountId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid")
+                        .HasColumnName("account_id");
+
+                    b.Property<DateTime>("MarkedAt")
+                        .HasColumnType("timestamp with time zone")
+                        .HasColumnName("marked_at");
+
+                    b.HasKey("AccountId")
+                        .HasName("pk_unpaid_accounts");
+
+                    b.ToTable("unpaid_accounts", (string)null);
+                });
+
+            modelBuilder.Entity("DysonNetwork.Shared.Models.SnThinkingThought", b =>
+                {
+                    b.HasOne("DysonNetwork.Shared.Models.SnThinkingSequence", "Sequence")
+                        .WithMany()
+                        .HasForeignKey("SequenceId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired()
+                        .HasConstraintName("fk_thinking_thoughts_thinking_sequences_sequence_id");
+
+                    b.Navigation("Sequence");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}

DysonNetwork.Insight/Migrations/20251115165833_AddUnpaidAccounts.cs

@@ -0,0 +1,34 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace DysonNetwork.Insight.Migrations
+{
+    /// <inheritdoc />
+    public partial class AddUnpaidAccounts : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.CreateTable(
+                name: "unpaid_accounts",
+                columns: table => new
+                {
+                    account_id = table.Column<Guid>(type: "uuid", nullable: false),
+                    marked_at = table.Column<DateTime>(type: "timestamp with time zone", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("pk_unpaid_accounts", x => x.account_id);
+                });
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropTable(
+                name: "unpaid_accounts");
+        }
+    }
+}

DysonNetwork.Insight/Migrations/20251116123552_SharableThought.Designer.cs

@@ -0,0 +1,163 @@
+// <auto-generated />
+using System;
+using System.Collections.Generic;
+using DysonNetwork.Insight;
+using DysonNetwork.Shared.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using NodaTime;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace DysonNetwork.Insight.Migrations
+{
+    [DbContext(typeof(AppDatabase))]
+    [Migration("20251116123552_SharableThought")]
+    partial class SharableThought
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "9.0.11")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("DysonNetwork.Shared.Models.SnThinkingSequence", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid")
+                        .HasColumnName("id");
+
+                    b.Property<Guid>("AccountId")
+                        .HasColumnType("uuid")
+                        .HasColumnName("account_id");
+
+                    b.Property<Instant>("CreatedAt")
+                        .HasColumnType("timestamp with time zone")
+                        .HasColumnName("created_at");
+
+                    b.Property<Instant?>("DeletedAt")
+                        .HasColumnType("timestamp with time zone")
+                        .HasColumnName("deleted_at");
+
+                    b.Property<bool>("IsPublic")
+                        .HasColumnType("boolean")
+                        .HasColumnName("is_public");
+
+                    b.Property<long>("PaidToken")
+                        .HasColumnType("bigint")
+                        .HasColumnName("paid_token");
+
+                    b.Property<string>("Topic")
+                        .HasMaxLength(4096)
+                        .HasColumnType("character varying(4096)")
+                        .HasColumnName("topic");
+
+                    b.Property<long>("TotalToken")
+                        .HasColumnType("bigint")
+                        .HasColumnName("total_token");
+
+                    b.Property<Instant>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone")
+                        .HasColumnName("updated_at");
+
+                    b.HasKey("Id")
+                        .HasName("pk_thinking_sequences");
+
+                    b.ToTable("thinking_sequences", (string)null);
+                });
+
+            modelBuilder.Entity("DysonNetwork.Shared.Models.SnThinkingThought", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid")
+                        .HasColumnName("id");
+
+                    b.Property<Instant>("CreatedAt")
+                        .HasColumnType("timestamp with time zone")
+                        .HasColumnName("created_at");
+
+                    b.Property<Instant?>("DeletedAt")
+                        .HasColumnType("timestamp with time zone")
+                        .HasColumnName("deleted_at");
+
+                    b.Property<List<SnCloudFileReferenceObject>>("Files")
+                        .IsRequired()
+                        .HasColumnType("jsonb")
+                        .HasColumnName("files");
+
+                    b.Property<string>("ModelName")
+                        .HasMaxLength(4096)
+                        .HasColumnType("character varying(4096)")
+                        .HasColumnName("model_name");
+
+                    b.Property<List<SnThinkingMessagePart>>("Parts")
+                        .IsRequired()
+                        .HasColumnType("jsonb")
+                        .HasColumnName("parts");
+
+                    b.Property<int>("Role")
+                        .HasColumnType("integer")
+                        .HasColumnName("role");
+
+                    b.Property<Guid>("SequenceId")
+                        .HasColumnType("uuid")
+                        .HasColumnName("sequence_id");
+
+                    b.Property<long>("TokenCount")
+                        .HasColumnType("bigint")
+                        .HasColumnName("token_count");
+
+                    b.Property<Instant>("UpdatedAt")
+                        .HasColumnType("timestamp with time zone")
+                        .HasColumnName("updated_at");
+
+                    b.HasKey("Id")
+                        .HasName("pk_thinking_thoughts");
+
+                    b.HasIndex("SequenceId")
+                        .HasDatabaseName("ix_thinking_thoughts_sequence_id");
+
+                    b.ToTable("thinking_thoughts", (string)null);
+                });
+
+            modelBuilder.Entity("DysonNetwork.Shared.Models.SnUnpaidAccount", b =>
+                {
+                    b.Property<Guid>("AccountId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid")
+                        .HasColumnName("account_id");
+
+                    b.Property<DateTime>("MarkedAt")
+                        .HasColumnType("timestamp with time zone")
+                        .HasColumnName("marked_at");
+
+                    b.HasKey("AccountId")
+                        .HasName("pk_unpaid_accounts");
+
+                    b.ToTable("unpaid_accounts", (string)null);
+                });
+
+            modelBuilder.Entity("DysonNetwork.Shared.Models.SnThinkingThought", b =>
+                {
+                    b.HasOne("DysonNetwork.Shared.Models.SnThinkingSequence", "Sequence")
+                        .WithMany()
+                        .HasForeignKey("SequenceId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired()
+                        .HasConstraintName("fk_thinking_thoughts_thinking_sequences_sequence_id");
+
+                    b.Navigation("Sequence");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}

DysonNetwork.Insight/Migrations/20251116123552_SharableThought.cs

@@ -2,17 +2,17 @@
 
 #nullable disable
 
-namespace DysonNetwork.Pass.Migrations
+namespace DysonNetwork.Insight.Migrations
 {
     /// <inheritdoc />
-    public partial class AddPublicContact : Migration
+    public partial class SharableThought : Migration
     {
         /// <inheritdoc />
         protected override void Up(MigrationBuilder migrationBuilder)
         {
             migrationBuilder.AddColumn<bool>(
                 name: "is_public",
-                table: "account_contacts",
+                table: "thinking_sequences",
                 type: "boolean",
                 nullable: false,
                 defaultValue: false);
@@ -23,7 +23,7 @@ namespace DysonNetwork.Pass.Migrations
         {
             migrationBuilder.DropColumn(
                 name: "is_public",
-                table: "account_contacts");
+                table: "thinking_sequences");
         }
     }
 }

DysonNetwork.Insight/Migrations/AppDatabaseModelSnapshot.cs

@@ -44,6 +44,10 @@ namespace DysonNetwork.Insight.Migrations
                         .HasColumnType("timestamp with time zone")
                         .HasColumnName("deleted_at");
 
+                    b.Property<bool>("IsPublic")
+                        .HasColumnType("boolean")
+                        .HasColumnName("is_public");
+
                     b.Property<long>("PaidToken")
                         .HasColumnType("bigint")
                         .HasColumnName("paid_token");
@@ -122,6 +126,23 @@ namespace DysonNetwork.Insight.Migrations
                     b.ToTable("thinking_thoughts", (string)null);
                 });
 
+            modelBuilder.Entity("DysonNetwork.Shared.Models.SnUnpaidAccount", b =>
+                {
+                    b.Property<Guid>("AccountId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid")
+                        .HasColumnName("account_id");
+
+                    b.Property<DateTime>("MarkedAt")
+                        .HasColumnType("timestamp with time zone")
+                        .HasColumnName("marked_at");
+
+                    b.HasKey("AccountId")
+                        .HasName("pk_unpaid_accounts");
+
+                    b.ToTable("unpaid_accounts", (string)null);
+                });
+
             modelBuilder.Entity("DysonNetwork.Shared.Models.SnThinkingThought", b =>
                 {
                     b.HasOne("DysonNetwork.Shared.Models.SnThinkingSequence", "Sequence")

DysonNetwork.Insight/Startup/ServiceCollectionExtensions.cs

@@ -14,9 +14,7 @@ public static class ServiceCollectionExtensions
     public static IServiceCollection AddAppServices(this IServiceCollection services)
     {
         services.AddDbContext<AppDatabase>();
-        services.AddSingleton<IClock>(SystemClock.Instance);
         services.AddHttpContextAccessor();
-        services.AddSingleton<ICacheService, CacheServiceRedis>();
 
         services.AddHttpClient();
 

DysonNetwork.Insight/Thought/ThoughtController.cs

@@ -2,6 +2,7 @@ using System.ComponentModel.DataAnnotations;
 using System.Diagnostics.CodeAnalysis;
 using System.Text;
 using System.Text.Json;
+using DysonNetwork.Shared.Auth;
 using DysonNetwork.Shared.Models;
 using DysonNetwork.Shared.Proto;
 using Microsoft.AspNetCore.Mvc;
@@ -19,12 +20,50 @@ public class ThoughtController(ThoughtProvider provider, ThoughtService service)
     public class StreamThinkingRequest
     {
         [Required] public string UserMessage { get; set; } = null!;
+        public string? ServiceId { get; set; }
         public Guid? SequenceId { get; set; }
-        public List<string>? AttachedPosts { get; set; }
+        public List<string>? AttachedPosts { get; set; } = [];
         public List<Dictionary<string, dynamic>>? AttachedMessages { get; set; }
         public List<string> AcceptProposals { get; set; } = [];
     }
 
+    public class UpdateSharingRequest
+    {
+        public bool IsPublic { get; set; }
+    }
+
+    public class ThoughtServiceInfo
+    {
+        public string ServiceId { get; set; } = null!;
+        public double BillingMultiplier { get; set; }
+        public int PerkLevel { get; set; }
+    }
+
+    public class ThoughtServicesResponse
+    {
+        public string DefaultService { get; set; } = null!;
+        public IEnumerable<ThoughtServiceInfo> Services { get; set; } = null!;
+    }
+
+    [HttpGet("services")]
+    [ProducesResponseType(StatusCodes.Status200OK)]
+    public ActionResult<ThoughtServicesResponse> GetAvailableServices()
+    {
+        var services = provider.GetAvailableServicesInfo()
+            .Select(s => new ThoughtServiceInfo
+            {
+                ServiceId = s.ServiceId,
+                BillingMultiplier = s.BillingMultiplier,
+                PerkLevel = s.PerkLevel
+            });
+
+        return Ok(new ThoughtServicesResponse
+        {
+            DefaultService = provider.GetDefaultServiceId(),
+            Services = services
+        });
+    }
+
     [HttpPost]
     [Experimental("SKEXP0110")]
     public async Task<ActionResult> Think([FromBody] StreamThinkingRequest request)
@@ -35,6 +74,25 @@ public class ThoughtController(ThoughtProvider provider, ThoughtService service)
         if (request.AcceptProposals.Any(e => !AvailableProposals.Contains(e)))
             return BadRequest("Request contains unavailable proposal");
 
+        var serviceId = provider.GetServiceId(request.ServiceId);
+        var serviceInfo = provider.GetServiceInfo(serviceId);
+        if (serviceInfo is null)
+        {
+            return BadRequest("Service not found or configured.");
+        }
+
+        if (serviceInfo.PerkLevel > 0 && !currentUser.IsSuperuser)
+            if (currentUser.PerkSubscription is null ||
+                PerkSubscriptionPrivilege.GetPrivilegeFromIdentifier(currentUser.PerkSubscription.Identifier) <
+                serviceInfo.PerkLevel)
+                return StatusCode(403, "Not enough perk level");
+
+        var kernel = provider.GetKernel(request.ServiceId);
+        if (kernel is null)
+        {
+            return BadRequest("Service not found or configured.");
+        }
+
         // Generate a topic if creating a new sequence
         string? topic = null;
         if (!request.SequenceId.HasValue)
@@ -46,7 +104,13 @@ public class ThoughtController(ThoughtProvider provider, ThoughtService service)
             );
             summaryHistory.AddUserMessage(request.UserMessage);
 
-            var summaryResult = await provider.Kernel
+            var summaryKernel = provider.GetKernel(); // Get default kernel
+            if (summaryKernel is null)
+            {
+                return BadRequest("Default service not found or configured.");
+            }
+
+            var summaryResult = await summaryKernel
                 .GetRequiredService<IChatCompletionService>()
                 .GetChatMessageContentAsync(summaryHistory);
 
@@ -58,14 +122,13 @@ public class ThoughtController(ThoughtProvider provider, ThoughtService service)
         if (sequence == null) return Forbid(); // or NotFound
 
         // Save user thought
-        await service.SaveThoughtAsync(sequence, new List<SnThinkingMessagePart>
+        await service.SaveThoughtAsync(sequence, [
-        {
+            new SnThinkingMessagePart
-            new()
             {
                 Type = ThinkingMessagePartType.Text,
                 Text = request.UserMessage
             }
-        }, ThinkingThoughtRole.User);
+        ], ThinkingThoughtRole.User);
 
         // Build chat history
         var chatHistory = new ChatHistory(
@@ -172,12 +235,10 @@ public class ThoughtController(ThoughtProvider provider, ThoughtService service)
 
                 chatHistory.Add(assistantMessage);
 
-                if (functionResults.Count > 0)
+                if (functionResults.Count <= 0) continue;
+                foreach (var fr in functionResults)
                 {
-                    foreach (var fr in functionResults)
+                    chatHistory.Add(fr.ToChatMessage());
-                    {
-                        chatHistory.Add(fr.ToChatMessage());
-                    }
                 }
             }
         }
@@ -188,9 +249,8 @@ public class ThoughtController(ThoughtProvider provider, ThoughtService service)
         Response.Headers.Append("Content-Type", "text/event-stream");
         Response.StatusCode = 200;
 
-        var kernel = provider.Kernel;
         var chatCompletionService = kernel.GetRequiredService<IChatCompletionService>();
-        var executionSettings = provider.CreatePromptExecutionSettings();
+        var executionSettings = provider.CreatePromptExecutionSettings(request.ServiceId);
 
         var assistantParts = new List<SnThinkingMessagePart>();
 
@@ -300,7 +360,7 @@ public class ThoughtController(ThoughtProvider provider, ThoughtService service)
             sequence,
             assistantParts,
             ThinkingThoughtRole.Assistant,
-            provider.ModelDefault
+            serviceId
         );
 
         // Write the topic if it was newly set, then the thought object as JSON to the stream
@@ -351,6 +411,25 @@ public class ThoughtController(ThoughtProvider provider, ThoughtService service)
         return Ok(sequences);
     }
 
+    [HttpPatch("sequences/{sequenceId:guid}/sharing")]
+    [ProducesResponseType(StatusCodes.Status204NoContent)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
+    public async Task<ActionResult> UpdateSequenceSharing(Guid sequenceId, [FromBody] UpdateSharingRequest request)
+    {
+        if (HttpContext.Items["CurrentUser"] is not Account currentUser) return Unauthorized();
+        var accountId = Guid.Parse(currentUser.Id);
+
+        var sequence = await service.GetSequenceAsync(sequenceId);
+        if (sequence == null) return NotFound();
+        if (sequence.AccountId != accountId) return Forbid();
+
+        sequence.IsPublic = request.IsPublic;
+        await service.UpdateSequenceAsync(sequence);
+
+        return NoContent();
+    }
+
     /// <summary>
     /// Retrieves the thoughts in a specific thinking sequence.
     /// </summary>
@@ -363,12 +442,18 @@ public class ThoughtController(ThoughtProvider provider, ThoughtService service)
     [ProducesResponseType(StatusCodes.Status404NotFound)]
     public async Task<ActionResult<List<SnThinkingThought>>> GetSequenceThoughts(Guid sequenceId)
     {
-        if (HttpContext.Items["CurrentUser"] is not Account currentUser) return Unauthorized();
+        var sequence = await service.GetSequenceAsync(sequenceId);
-        var accountId = Guid.Parse(currentUser.Id);
-
-        var sequence = await service.GetOrCreateSequenceAsync(accountId, sequenceId);
         if (sequence == null) return NotFound();
 
+        if (!sequence.IsPublic)
+        {
+            if (HttpContext.Items["CurrentUser"] is not Account currentUser) return Unauthorized();
+            var accountId = Guid.Parse(currentUser.Id);
+
+            if (sequence.AccountId != accountId)
+                return StatusCode(403);
+        }
+
         var thoughts = await service.GetPreviousThoughtsAsync(sequence);
 
         return Ok(thoughts);

DysonNetwork.Insight/Thought/ThoughtProvider.cs

@@ -1,23 +1,27 @@
 using System.ClientModel;
 using System.Diagnostics.CodeAnalysis;
-using System.Text.Json;
 using DysonNetwork.Insight.Thought.Plugins;
-using DysonNetwork.Shared.Models;
 using DysonNetwork.Shared.Proto;
 using DysonNetwork.Shared.Registry;
 using Microsoft.SemanticKernel;
 using Microsoft.SemanticKernel.Connectors.Ollama;
 using Microsoft.SemanticKernel.Connectors.OpenAI;
 using OpenAI;
-using PostType = DysonNetwork.Shared.Proto.PostType;
 using Microsoft.SemanticKernel.Plugins.Web;
 using Microsoft.SemanticKernel.Plugins.Web.Bing;
 using Microsoft.SemanticKernel.Plugins.Web.Google;
-using NodaTime.Serialization.Protobuf;
-using NodaTime.Text;
 
 namespace DysonNetwork.Insight.Thought;
 
+public class ThoughtServiceModel
+{
+    public string ServiceId { get; set; } = null!;
+    public string? Provider { get; set; }
+    public string? Model { get; set; }
+    public double BillingMultiplier { get; set; }
+    public int PerkLevel { get; set; }
+}
+
 public class ThoughtProvider
 {
     private readonly PostService.PostServiceClient _postClient;
@@ -25,10 +29,10 @@ public class ThoughtProvider
     private readonly IConfiguration _configuration;
     private readonly ILogger<ThoughtProvider> _logger;
 
-    public Kernel Kernel { get; }
+    private readonly Dictionary<string, Kernel> _kernels = new();
-
+    private readonly Dictionary<string, string> _serviceProviders = new();
-    private string? ModelProviderType { get; set; }
+    private readonly Dictionary<string, ThoughtServiceModel> _serviceModels = new();
-    public string? ModelDefault { get; set; }
+    private readonly string _defaultServiceId;
 
     [Experimental("SKEXP0050")]
     public ThoughtProvider(
@@ -43,34 +47,59 @@ public class ThoughtProvider
         _accountClient = accountServiceClient;
         _configuration = configuration;
 
-        Kernel = InitializeThinkingProvider(configuration);
+        var cfg = configuration.GetSection("Thinking");
-        InitializeHelperFunctions();
+        _defaultServiceId = cfg.GetValue<string>("DefaultService")!;
+        var services = cfg.GetSection("Services").GetChildren();
+
+        foreach (var service in services)
+        {
+            var serviceId = service.Key;
+            var serviceModel = new ThoughtServiceModel
+            {
+                ServiceId = serviceId,
+                Provider = service.GetValue<string>("Provider"),
+                Model = service.GetValue<string>("Model"),
+                BillingMultiplier = service.GetValue<double>("BillingMultiplier", 1.0),
+                PerkLevel = service.GetValue<int>("PerkLevel", 0)
+            };
+            _serviceModels[serviceId] = serviceModel;
+            
+            var providerType = service.GetValue<string>("Provider")?.ToLower();
+            if (providerType is null) continue;
+
+            var kernel = InitializeThinkingService(service);
+            InitializeHelperFunctions(kernel);
+            _kernels[serviceId] = kernel;
+            _serviceProviders[serviceId] = providerType;
+        }
     }
 
-    private Kernel InitializeThinkingProvider(IConfiguration configuration)
+    private Kernel InitializeThinkingService(IConfigurationSection serviceConfig)
     {
-        var cfg = configuration.GetSection("Thinking");
+        var providerType = serviceConfig.GetValue<string>("Provider")?.ToLower();
-        ModelProviderType = cfg.GetValue<string>("Provider")?.ToLower();
+        var model = serviceConfig.GetValue<string>("Model");
-        ModelDefault = cfg.GetValue<string>("Model");
+        var endpoint = serviceConfig.GetValue<string>("Endpoint");
-        var endpoint = cfg.GetValue<string>("Endpoint");
+        var apiKey = serviceConfig.GetValue<string>("ApiKey");
-        var apiKey = cfg.GetValue<string>("ApiKey");
 
         var builder = Kernel.CreateBuilder();
 
-        switch (ModelProviderType)
+        switch (providerType)
         {
             case "ollama":
-                builder.AddOllamaChatCompletion(ModelDefault!, new Uri(endpoint ?? "http://localhost:11434/api"));
+                builder.AddOllamaChatCompletion(
+                    model!,
+                    new Uri(endpoint ?? "http://localhost:11434/api")
+                );
                 break;
             case "deepseek":
                 var client = new OpenAIClient(
                     new ApiKeyCredential(apiKey!),
                     new OpenAIClientOptions { Endpoint = new Uri(endpoint ?? "https://api.deepseek.com/v1") }
                 );
-                builder.AddOpenAIChatCompletion(ModelDefault!, client);
+                builder.AddOpenAIChatCompletion(model!, client);
                 break;
             default:
-                throw new IndexOutOfRangeException("Unknown thinking provider: " + ModelProviderType);
+                throw new IndexOutOfRangeException("Unknown thinking provider: " + providerType);
         }
 
         // Add gRPC clients for Thought Plugins
@@ -86,7 +115,7 @@ public class ThoughtProvider
     }
 
     [Experimental("SKEXP0050")]
-    private void InitializeHelperFunctions()
+    private void InitializeHelperFunctions(Kernel kernel)
     {
         // Add web search plugins if configured
         var bingApiKey = _configuration.GetValue<string>("Thinking:BingApiKey");
@@ -94,7 +123,7 @@ public class ThoughtProvider
         {
             var bingConnector = new BingConnector(bingApiKey);
             var bing = new WebSearchEnginePlugin(bingConnector);
-            Kernel.ImportPluginFromObject(bing, "bing");
+            kernel.ImportPluginFromObject(bing, "bing");
         }
 
         var googleApiKey = _configuration.GetValue<string>("Thinking:GoogleApiKey");
@@ -105,26 +134,58 @@ public class ThoughtProvider
                 apiKey: googleApiKey,
                 searchEngineId: googleCx);
             var google = new WebSearchEnginePlugin(googleConnector);
-            Kernel.ImportPluginFromObject(google, "google");
+            kernel.ImportPluginFromObject(google, "google");
         }
     }
 
-    public PromptExecutionSettings CreatePromptExecutionSettings()
+    public Kernel? GetKernel(string? serviceId = null)
     {
-        switch (ModelProviderType)
+        serviceId ??= _defaultServiceId;
+        return _kernels.GetValueOrDefault(serviceId);
+    }
+
+    public string GetServiceId(string? serviceId = null)
+    {
+        return serviceId ?? _defaultServiceId;
+    }
+
+    public IEnumerable<string> GetAvailableServices()
+    {
+        return _kernels.Keys;
+    }
+    
+    public IEnumerable<ThoughtServiceModel> GetAvailableServicesInfo()
+    {
+        return _serviceModels.Values;
+    }
+
+    public ThoughtServiceModel? GetServiceInfo(string? serviceId)
+    {
+        serviceId ??= _defaultServiceId;
+        return _serviceModels.GetValueOrDefault(serviceId);
+    }
+
+    public string GetDefaultServiceId()
+    {
+        return _defaultServiceId;
+    }
+
+    public PromptExecutionSettings CreatePromptExecutionSettings(string? serviceId = null)
+    {
+        serviceId ??= _defaultServiceId;
+        var providerType = _serviceProviders.GetValueOrDefault(serviceId);
+
+        return providerType switch
         {
-            case "ollama":
+            "ollama" => new OllamaPromptExecutionSettings
-                return new OllamaPromptExecutionSettings
+            {
-                {
+                FunctionChoiceBehavior = FunctionChoiceBehavior.Auto(autoInvoke: false)
-                    FunctionChoiceBehavior = FunctionChoiceBehavior.Auto(autoInvoke: false)
+            },
-                };
+            "deepseek" => new OpenAIPromptExecutionSettings
-            case "deepseek":
+            {
-                return new OpenAIPromptExecutionSettings
+                FunctionChoiceBehavior = FunctionChoiceBehavior.Auto(autoInvoke: false), ModelId = serviceId
-                {
+            },
-                    FunctionChoiceBehavior = FunctionChoiceBehavior.Auto(autoInvoke: false)
+            _ => throw new InvalidOperationException("Unknown provider for service: " + serviceId)
-                };
+        };
-            default:
-                throw new InvalidOperationException("Unknown provider: " + ModelProviderType);
-        }
     }
 }

DysonNetwork.Insight/Thought/ThoughtService.cs

@@ -36,6 +36,17 @@ public class ThoughtService(
         }
     }
 
+    public async Task<SnThinkingSequence?> GetSequenceAsync(Guid sequenceId)
+    {
+        return await db.ThinkingSequences.FindAsync(sequenceId);
+    }
+
+    public async Task UpdateSequenceAsync(SnThinkingSequence sequence)
+    {
+        db.ThinkingSequences.Update(sequence);
+        await db.SaveChangesAsync();
+    }
+
     public async Task<SnThinkingThought> SaveThoughtAsync(
         SnThinkingSequence sequence,
         List<SnThinkingMessagePart> parts,
@@ -133,6 +144,13 @@ public class ThoughtService(
         foreach (var accountGroup in groupedByAccount)
         {
             var accountId = accountGroup.Key;
+            
+            if (await db.UnpaidAccounts.AnyAsync(u => u.AccountId == accountId))
+            {
+                logger.LogWarning("Skipping billing for marked account {accountId}", accountId);
+                continue;
+            }
+            
             var totalUnpaidTokens = accountGroup.Sum(s => s.TotalToken - s.PaidToken);
             var cost = (long)Math.Ceiling(totalUnpaidTokens / 10.0);
 
@@ -166,9 +184,86 @@ public class ThoughtService(
             catch (Exception ex)
             {
                 logger.LogError(ex, "Error billing for account {accountId}", accountId);
+                if (!await db.UnpaidAccounts.AnyAsync(u => u.AccountId == accountId))
+                {
+                    db.UnpaidAccounts.Add(new SnUnpaidAccount { AccountId = accountId, MarkedAt = DateTime.UtcNow });
+                }
             }
         }
 
         await db.SaveChangesAsync();
     }
+
+    public async Task<(bool success, long cost)> RetryBillingForAccountAsync(Guid accountId, ILogger logger)
+    {
+        var isMarked = await db.UnpaidAccounts.FirstOrDefaultAsync(u => u.AccountId == accountId);
+        if (isMarked == null)
+        {
+            logger.LogInformation("Account {accountId} is not marked for unpaid bills.", accountId);
+            return (true, 0);
+        }
+
+        var sequences = await db
+            .ThinkingSequences.Where(s => s.AccountId == accountId && s.PaidToken < s.TotalToken)
+            .ToListAsync();
+
+        if (!sequences.Any())
+        {
+            logger.LogInformation("No unpaid sequences found for account {accountId}. Unmarking.", accountId);
+            db.UnpaidAccounts.Remove(isMarked);
+            await db.SaveChangesAsync();
+            return (true, 0);
+        }
+
+        var totalUnpaidTokens = sequences.Sum(s => s.TotalToken - s.PaidToken);
+        var cost = (long)Math.Ceiling(totalUnpaidTokens / 10.0);
+
+        if (cost == 0)
+        {
+            logger.LogInformation("Unpaid tokens for {accountId} resulted in zero cost. Marking as paid and unmarking.", accountId);
+            foreach (var sequence in sequences)
+            {
+                sequence.PaidToken = sequence.TotalToken;
+            }
+            db.UnpaidAccounts.Remove(isMarked);
+            await db.SaveChangesAsync();
+            return (true, 0);
+        }
+
+        try
+        {
+            var date = DateTime.Now.ToString("yyyy-MM-dd");
+            await paymentService.CreateTransactionWithAccountAsync(
+                new CreateTransactionWithAccountRequest
+                {
+                    PayerAccountId = accountId.ToString(),
+                    Currency = WalletCurrency.SourcePoint,
+                    Amount = cost.ToString(),
+                    Remarks = $"Wage for SN-chan on {date} (Retry)",
+                    Type = TransactionType.System,
+                }
+            );
+
+            foreach (var sequence in sequences)
+            {
+                sequence.PaidToken = sequence.TotalToken;
+            }
+
+            db.UnpaidAccounts.Remove(isMarked);
+            
+            logger.LogInformation(
+                "Successfully billed {cost} points for account {accountId} on retry.",
+                cost,
+                accountId
+            );
+            
+            await db.SaveChangesAsync();
+            return (true, cost);
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Error retrying billing for account {accountId}", accountId);
+            return (false, cost);
+        }
+    }
 }

DysonNetwork.Insight/appsettings.json

@@ -19,9 +19,26 @@
     "Etcd": {
         "Insecure": true
     },
+    "Cache": {
+        "Serializer": "MessagePack"
+    },
     "Thinking": {
-        "Provider": "deepseek",
+        "DefaultService": "deepseek-chat",
-        "Model": "deepseek-chat",
+        "Services": {
-        "ApiKey": "sk-bd20f6a2e9fa40b98c46899baa0e9f09"
+            "deepseek-chat": {
+                "Provider": "deepseek",
+                "Model": "deepseek-chat",
+                "ApiKey": "sk-",
+                "BillingMultiplier": 1.0,
+                "PerkLevel": 0
+            },
+            "deepseek-reasoner": {
+                "Provider": "deepseek",
+                "Model": "deepseek-reasoner",
+                "ApiKey": "sk-",
+                "BillingMultiplier": 1.5,
+                "PerkLevel": 1
+            }
+        }
     }
 }    

DysonNetwork.Pass/Account/AccountController.cs

@@ -1,9 +1,11 @@
 using System.ComponentModel.DataAnnotations;
+using DysonNetwork.Pass.Affiliation;
 using DysonNetwork.Pass.Auth;
 using DysonNetwork.Pass.Credit;
 using DysonNetwork.Pass.Permission;
 using DysonNetwork.Pass.Wallet;
-using DysonNetwork.Shared.GeoIp;
+using DysonNetwork.Shared.Auth;
+using DysonNetwork.Shared.Geometry;
 using DysonNetwork.Shared.Http;
 using DysonNetwork.Shared.Models;
 using Microsoft.AspNetCore.Authorization;
@@ -22,7 +24,8 @@ public class AccountController(
     SubscriptionService subscriptions,
     AccountEventService events,
     SocialCreditService socialCreditService,
-    GeoIpService geo
+    AffiliationSpellService ars,
+    GeoService geo
 ) : ControllerBase
 {
     [HttpGet("{name}")]
@@ -34,7 +37,7 @@ public class AccountController(
             .Include(e => e.Badges)
             .Include(e => e.Profile)
             .Include(e => e.Contacts.Where(c => c.IsPublic))
-            .Where(a => a.Name == name)
+            .Where(a => EF.Functions.Like(a.Name, name))
             .FirstOrDefaultAsync();
         if (account is null) return NotFound(ApiError.NotFound(name, traceId: HttpContext.TraceIdentifier));
 
@@ -103,6 +106,52 @@ public class AccountController(
         [MaxLength(32)] public string Language { get; set; } = "en-us";
 
         [Required] public string CaptchaToken { get; set; } = string.Empty;
+        
+        public string? AffiliationSpell { get; set; }
+    }
+
+    public class AccountCreateValidateRequest
+    {
+        [MinLength(2)]
+        [MaxLength(256)]
+        [RegularExpression(@"^[A-Za-z0-9_-]+$",
+            ErrorMessage = "Name can only contain letters, numbers, underscores, and hyphens.")
+        ]
+        public string? Name { get; set; }
+
+        [EmailAddress]
+        [RegularExpression(@"^[^+]+@[^@]+\.[^@]+$", ErrorMessage = "Email address cannot contain '+' symbol.")]
+        [MaxLength(1024)]
+        public string? Email { get; set; }
+        
+        public string? AffiliationSpell { get; set; }
+    }
+
+    [HttpPost("validate")]
+    [ProducesResponseType(StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<ActionResult<string>> ValidateCreateAccountRequest(
+        [FromBody] AccountCreateValidateRequest request)
+    {
+        if (request.Name is not null)
+        {
+            if (await accounts.CheckAccountNameHasTaken(request.Name))
+                return BadRequest("Account name has already been taken.");
+        }
+
+        if (request.Email is not null)
+        {
+            if (await accounts.CheckEmailHasBeenUsed(request.Email))
+                return BadRequest("Email has already been used.");
+        }
+
+        if (request.AffiliationSpell is not null)
+        {
+            if (!await ars.CheckAffiliationSpellHasTaken(request.AffiliationSpell))
+                return BadRequest("No affiliation spell has been found.");
+        }
+
+        return Ok("Everything seems good.");
     }
 
     [HttpPost]
@@ -271,10 +320,21 @@ public class AccountController(
 
     [HttpPost("credits/validate")]
     [Authorize]
-    [RequiredPermission("maintenance", "credits.validate.perform")]
+    [AskPermission("credits.validate.perform")]
     public async Task<IActionResult> PerformSocialCreditValidation()
     {
         await socialCreditService.ValidateSocialCredits();
         return Ok();
     }
+
+    [HttpDelete("{name}")]
+    [Authorize]
+    [AskPermission("accounts.deletion")]
+    public async Task<IActionResult> AdminDeleteAccount(string name)
+    {
+        var account = await accounts.LookupAccount(name);
+        if (account is null) return NotFound();
+        await accounts.DeleteAccount(account);
+        return Ok();
+    }
 }

DysonNetwork.Pass/Account/AccountCurrentController.cs

@@ -1,6 +1,7 @@
 using System.ComponentModel.DataAnnotations;
 using DysonNetwork.Pass.Permission;
 using DysonNetwork.Pass.Wallet;
+using DysonNetwork.Shared.Auth;
 using DysonNetwork.Shared.Http;
 using DysonNetwork.Shared.Models;
 using DysonNetwork.Shared.Proto;
@@ -82,7 +83,7 @@ public class AccountCurrentController(
         [MaxLength(4096)] public string? Bio { get; set; }
         public Shared.Models.UsernameColor? UsernameColor { get; set; }
         public Instant? Birthday { get; set; }
-        public List<ProfileLink>? Links { get; set; }
+        public List<SnProfileLink>? Links { get; set; }
 
         [MaxLength(32)] public string? PictureId { get; set; }
         [MaxLength(32)] public string? BackgroundId { get; set; }
@@ -194,7 +195,7 @@ public class AccountCurrentController(
     }
 
     [HttpPatch("statuses")]
-    [RequiredPermission("global", "accounts.statuses.update")]
+    [AskPermission("accounts.statuses.update")]
     public async Task<ActionResult<SnAccountStatus>> UpdateStatus([FromBody] AccountController.StatusRequest request)
     {
         if (HttpContext.Items["CurrentUser"] is not SnAccount currentUser) return Unauthorized();
@@ -228,7 +229,7 @@ public class AccountCurrentController(
     }
 
     [HttpPost("statuses")]
-    [RequiredPermission("global", "accounts.statuses.create")]
+    [AskPermission("accounts.statuses.create")]
     public async Task<ActionResult<SnAccountStatus>> CreateStatus([FromBody] AccountController.StatusRequest request)
     {
         if (HttpContext.Items["CurrentUser"] is not SnAccount currentUser) return Unauthorized();
@@ -559,7 +560,7 @@ public class AccountCurrentController(
 
     [HttpGet("devices")]
     [Authorize]
-    public async Task<ActionResult<List<SnAuthClientWithChallenge>>> GetDevices()
+    public async Task<ActionResult<List<SnAuthClientWithSessions>>> GetDevices()
     {
         if (HttpContext.Items["CurrentUser"] is not SnAccount currentUser ||
             HttpContext.Items["CurrentSession"] is not SnAuthSession currentSession) return Unauthorized();
@@ -570,18 +571,41 @@ public class AccountCurrentController(
             .Where(device => device.AccountId == currentUser.Id)
             .ToListAsync();
 
-        var challengeDevices = devices.Select(SnAuthClientWithChallenge.FromClient).ToList();
+        var sessionDevices = devices.ConvertAll(SnAuthClientWithSessions.FromClient).ToList();
-        var deviceIds = challengeDevices.Select(x => x.Id).ToList();
+        var clientIds = sessionDevices.Select(x => x.Id).ToList();
 
-        var authChallenges = await db.AuthChallenges
+        var authSessions = await db.AuthSessions
-            .Where(c => c.ClientId != null && deviceIds.Contains(c.ClientId.Value))
+            .Where(c => c.ClientId != null && clientIds.Contains(c.ClientId.Value))
-            .GroupBy(c => c.ClientId)
+            .GroupBy(c => c.ClientId!.Value)
-            .ToDictionaryAsync(c => c.Key!.Value, c => c.ToList());
+            .ToDictionaryAsync(c => c.Key, c => c.ToList());
-        foreach (var challengeDevice in challengeDevices)
+        foreach (var dev in sessionDevices)
-            if (authChallenges.TryGetValue(challengeDevice.Id, out var challenge))
+            if (authSessions.TryGetValue(dev.Id, out var challenge))
-                challengeDevice.Challenges = challenge;
+                dev.Sessions = challenge;
 
-        return Ok(challengeDevices);
+        return Ok(sessionDevices);
+    }
+
+    [HttpGet("challenges")]
+    [Authorize]
+    public async Task<ActionResult<List<SnAuthChallenge>>> GetChallenges(
+        [FromQuery] int take = 20,
+        [FromQuery] int offset = 0
+    )
+    {
+        if (HttpContext.Items["CurrentUser"] is not SnAccount currentUser) return Unauthorized();
+
+        var query = db.AuthChallenges
+            .Where(challenge => challenge.AccountId == currentUser.Id)
+            .OrderByDescending(c => c.CreatedAt);
+
+        var total = await query.CountAsync();
+        Response.Headers.Append("X-Total", total.ToString());
+
+        var challenges = await query
+            .Skip(offset)
+            .Take(take)
+            .ToListAsync();
+        return Ok(challenges);
     }
 
     [HttpGet("sessions")]
@@ -595,8 +619,8 @@ public class AccountCurrentController(
             HttpContext.Items["CurrentSession"] is not SnAuthSession currentSession) return Unauthorized();
 
         var query = db.AuthSessions
+            .OrderByDescending(x => x.LastGrantedAt)
             .Include(session => session.Account)
-            .Include(session => session.Challenge)
             .Where(session => session.Account.Id == currentUser.Id);
 
         var total = await query.CountAsync();
@@ -604,7 +628,6 @@ public class AccountCurrentController(
         Response.Headers.Append("X-Auth-Session", currentSession.Id.ToString());
 
         var sessions = await query
-            .OrderByDescending(x => x.LastGrantedAt)
             .Skip(offset)
             .Take(take)
             .ToListAsync();
@@ -688,7 +711,7 @@ public class AccountCurrentController(
         if (HttpContext.Items["CurrentUser"] is not SnAccount currentUser ||
             HttpContext.Items["CurrentSession"] is not SnAuthSession currentSession) return Unauthorized();
 
-        var device = await db.AuthClients.FirstOrDefaultAsync(d => d.Id == currentSession.Challenge.ClientId);
+        var device = await db.AuthClients.FirstOrDefaultAsync(d => d.Id == currentSession.ClientId);
         if (device is null) return NotFound();
 
         try

DysonNetwork.Pass/Account/AccountEventService.cs

@@ -3,7 +3,7 @@ using DysonNetwork.Pass.Wallet;
 using DysonNetwork.Shared.Cache;
 using DysonNetwork.Shared.Models;
 using DysonNetwork.Shared.Proto;
-using DysonNetwork.Shared.Stream;
+using DysonNetwork.Shared.Queue;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Localization;
 using NATS.Client.Core;
@@ -313,52 +313,84 @@ public class AccountEventService(
         CultureInfo.CurrentCulture = cultureInfo;
         CultureInfo.CurrentUICulture = cultureInfo;
 
-        // Generate 2 positive tips
+        var accountProfile = await db.AccountProfiles
-        var positiveIndices = Enumerable.Range(1, FortuneTipCount)
-            .OrderBy(_ => Random.Next())
-            .Take(2)
-            .ToList();
-        var tips = positiveIndices.Select(index => new CheckInFortuneTip
-        {
-            IsPositive = true,
-            Title = localizer[$"FortuneTipPositiveTitle_{index}"].Value,
-            Content = localizer[$"FortuneTipPositiveContent_{index}"].Value
-        }).ToList();
-
-        // Generate 2 negative tips
-        var negativeIndices = Enumerable.Range(1, FortuneTipCount)
-            .Except(positiveIndices)
-            .OrderBy(_ => Random.Next())
-            .Take(2)
-            .ToList();
-        tips.AddRange(negativeIndices.Select(index => new CheckInFortuneTip
-        {
-            IsPositive = false,
-            Title = localizer[$"FortuneTipNegativeTitle_{index}"].Value,
-            Content = localizer[$"FortuneTipNegativeContent_{index}"].Value
-        }));
-
-        // The 5 is specialized, keep it alone.
-        // Use weighted random distribution to make all levels reasonably achievable
-        // Weights: Worst: 10%, Worse: 20%, Normal: 40%, Better: 20%, Best: 10%
-        var randomValue = Random.Next(100);
-        var checkInLevel = randomValue switch
-        {
-            < 10 => CheckInResultLevel.Worst,    // 0-9: 10% chance
-            < 30 => CheckInResultLevel.Worse,    // 10-29: 20% chance  
-            < 70 => CheckInResultLevel.Normal,   // 30-69: 40% chance
-            < 90 => CheckInResultLevel.Better,   // 70-89: 20% chance
-            _ => CheckInResultLevel.Best         // 90-99: 10% chance
-        };
-
-        var accountBirthday = await db.AccountProfiles
             .Where(x => x.AccountId == user.Id)
-            .Select(x => x.Birthday)
+            .Select(x => new { x.Birthday, x.TimeZone })
             .FirstOrDefaultAsync();
         
-        var now = SystemClock.Instance.GetCurrentInstant().InUtc().Date;
+        var accountBirthday = accountProfile?.Birthday;
-        if (accountBirthday.HasValue && accountBirthday.Value.InUtc().Date == now)
+
+        var now = SystemClock.Instance.GetCurrentInstant();
+        
+        var userTimeZone = DateTimeZone.Utc;
+        if (!string.IsNullOrEmpty(accountProfile?.TimeZone))
+        {
+            userTimeZone = DateTimeZoneProviders.Tzdb.GetZoneOrNull(accountProfile.TimeZone) ?? DateTimeZone.Utc;
+        }
+
+        var todayInUserTz = now.InZone(userTimeZone).Date;
+        var birthdayDate = accountBirthday?.InZone(userTimeZone).Date;
+        
+        var isBirthday = birthdayDate.HasValue && 
+                         birthdayDate.Value.Month == todayInUserTz.Month && 
+                         birthdayDate.Value.Day == todayInUserTz.Day;
+
+        List<CheckInFortuneTip> tips;
+        CheckInResultLevel checkInLevel;
+
+        if (isBirthday)
+        {
+            // Skip random logic and tips generation for birthday
             checkInLevel = CheckInResultLevel.Special;
+            tips = [
+                new CheckInFortuneTip()
+                {
+                    IsPositive = true,
+                    Title = localizer["FortuneTipSpecialTitle_Birthday"].Value,
+                    Content = localizer["FortuneTipSpecialContent_Birthday", user.Nick].Value,
+                }
+            ];
+        }
+        else
+        {
+            // Generate 2 positive tips
+            var positiveIndices = Enumerable.Range(1, FortuneTipCount)
+                .OrderBy(_ => Random.Next())
+                .Take(2)
+                .ToList();
+            tips = positiveIndices.Select(index => new CheckInFortuneTip
+            {
+                IsPositive = true,
+                Title = localizer[$"FortuneTipPositiveTitle_{index}"].Value,
+                Content = localizer[$"FortuneTipPositiveContent_{index}"].Value
+            }).ToList();
+
+            // Generate 2 negative tips
+            var negativeIndices = Enumerable.Range(1, FortuneTipCount)
+                .Except(positiveIndices)
+                .OrderBy(_ => Random.Next())
+                .Take(2)
+                .ToList();
+            tips.AddRange(negativeIndices.Select(index => new CheckInFortuneTip
+            {
+                IsPositive = false,
+                Title = localizer[$"FortuneTipNegativeTitle_{index}"].Value,
+                Content = localizer[$"FortuneTipNegativeContent_{index}"].Value
+            }));
+
+            // The 5 is specialized, keep it alone.
+            // Use weighted random distribution to make all levels reasonably achievable
+            // Weights: Worst: 10%, Worse: 20%, Normal: 40%, Better: 20%, Best: 10%
+            var randomValue = Random.Next(100);
+            checkInLevel = randomValue switch
+            {
+                < 10 => CheckInResultLevel.Worst,    // 0-9: 10% chance
+                < 30 => CheckInResultLevel.Worse,    // 10-29: 20% chance
+                < 70 => CheckInResultLevel.Normal,   // 30-69: 40% chance
+                < 90 => CheckInResultLevel.Better,   // 70-89: 20% chance
+                _ => CheckInResultLevel.Best         // 90-99: 10% chance
+            };
+        }
 
         var result = new SnCheckInResult
         {
@@ -478,6 +510,54 @@ public class AccountEventService(
         return activities;
     }
 
+    public async Task<Dictionary<Guid, List<SnPresenceActivity>>> GetActiveActivitiesBatch(List<Guid> userIds)
+    {
+        var results = new Dictionary<Guid, List<SnPresenceActivity>>();
+        var cacheMissUserIds = new List<Guid>();
+
+        // Try to get activities from cache first
+        foreach (var userId in userIds)
+        {
+            var cacheKey = $"{ActivityCacheKey}{userId}";
+            var cachedActivities = await cache.GetAsync<List<SnPresenceActivity>>(cacheKey);
+            if (cachedActivities != null)
+            {
+                results[userId] = cachedActivities;
+            }
+            else
+            {
+                cacheMissUserIds.Add(userId);
+            }
+        }
+
+        // If all activities were found in cache, return early
+        if (cacheMissUserIds.Count == 0) return results;
+
+        // Fetch remaining activities from database in a single query
+        var now = SystemClock.Instance.GetCurrentInstant();
+        var activitiesFromDb = await db.PresenceActivities
+            .Where(e => cacheMissUserIds.Contains(e.AccountId) && e.LeaseExpiresAt > now && e.DeletedAt == null)
+            .ToListAsync();
+
+        // Group activities by user ID and update cache
+        var activitiesByUser = activitiesFromDb
+            .GroupBy(a => a.AccountId)
+            .ToDictionary(g => g.Key, g => g.ToList());
+
+        foreach (var userId in cacheMissUserIds)
+        {
+            var userActivities = activitiesByUser.GetValueOrDefault(userId, new List<SnPresenceActivity>());
+            results[userId] = userActivities;
+            
+            // Update cache for this user
+            var cacheKey = $"{ActivityCacheKey}{userId}";
+            await cache.SetWithGroupsAsync(cacheKey, userActivities, [$"{AccountService.AccountCachePrefix}{userId}"],
+                TimeSpan.FromMinutes(1));
+        }
+
+        return results;
+    }
+
     public async Task<(List<SnPresenceActivity>, int)> GetAllActivities(Guid userId, int offset = 0, int take = 20)
     {
         var query = db.PresenceActivities

DysonNetwork.Pass/Account/AccountService.cs

@@ -1,12 +1,14 @@
 using System.Globalization;
+using DysonNetwork.Pass.Affiliation;
 using DysonNetwork.Pass.Auth.OpenId;
 using DysonNetwork.Pass.Localization;
 using DysonNetwork.Pass.Mailer;
 using DysonNetwork.Pass.Resources.Emails;
 using DysonNetwork.Shared.Cache;
+using DysonNetwork.Shared.Data;
 using DysonNetwork.Shared.Models;
 using DysonNetwork.Shared.Proto;
-using DysonNetwork.Shared.Stream;
+using DysonNetwork.Shared.Queue;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Localization;
 using NATS.Client.Core;
@@ -23,6 +25,7 @@ public class AccountService(
     FileService.FileServiceClient files,
     FileReferenceService.FileReferenceServiceClient fileRefs,
     AccountUsernameService uname,
+    AffiliationSpellService ars,
     EmailService mailer,
     RingService.RingServiceClient pusher,
     IStringLocalizer<NotificationResource> localizer,
@@ -53,11 +56,13 @@ public class AccountService(
 
     public async Task<SnAccount?> LookupAccount(string probe)
     {
-        var account = await db.Accounts.Where(a => a.Name == probe).FirstOrDefaultAsync();
+        var account = await db.Accounts.Where(a => EF.Functions.ILike(a.Name, probe)).FirstOrDefaultAsync();
         if (account is not null) return account;
 
         var contact = await db.AccountContacts
-            .Where(c => c.Content == probe)
+            .Where(c => c.Type == Shared.Models.AccountContactType.Email ||
+                        c.Type == Shared.Models.AccountContactType.PhoneNumber)
+            .Where(c => EF.Functions.ILike(c.Content, probe))
             .Include(c => c.Account)
             .FirstOrDefaultAsync();
         return contact?.Account;
@@ -80,6 +85,17 @@ public class AccountService(
         return profile?.Level;
     }
 
+    public async Task<bool> CheckAccountNameHasTaken(string name)
+    {
+        return await db.Accounts.AnyAsync(a => EF.Functions.ILike(a.Name, name));
+    }
+
+    public async Task<bool> CheckEmailHasBeenUsed(string email)
+    {
+        return await db.AccountContacts.AnyAsync(c =>
+            c.Type == Shared.Models.AccountContactType.Email && EF.Functions.ILike(c.Content, email));
+    }
+
     public async Task<SnAccount> CreateAccount(
         string name,
         string nick,
@@ -87,12 +103,12 @@ public class AccountService(
         string? password,
         string language = "en-US",
         string region = "en",
+        string? affiliationSpell = null,
         bool isEmailVerified = false,
         bool isActivated = false
     )
     {
-        var dupeNameCount = await db.Accounts.Where(a => a.Name == name).CountAsync();
+        if (await CheckAccountNameHasTaken(name))
-        if (dupeNameCount > 0)
             throw new InvalidOperationException("Account name has already been taken.");
 
         var dupeEmailCount = await db.AccountContacts
@@ -109,7 +125,7 @@ public class AccountService(
             Region = region,
             Contacts =
             [
-                new()
+                new SnAccountContact
                 {
                     Type = Shared.Models.AccountContactType.Email,
                     Content = email,
@@ -131,6 +147,9 @@ public class AccountService(
             Profile = new SnAccountProfile()
         };
 
+        if (affiliationSpell is not null)
+            await ars.CreateAffiliationResult(affiliationSpell, $"account:{account.Id}");
+
         if (isActivated)
         {
             account.ActivatedAt = SystemClock.Instance.GetCurrentInstant();
@@ -139,7 +158,7 @@ public class AccountService(
             {
                 db.PermissionGroupMembers.Add(new SnPermissionGroupMember
                 {
-                    Actor = $"user:{account.Id}",
+                    Actor = account.Id.ToString(),
                     Group = defaultGroup
                 });
             }
@@ -180,10 +199,7 @@ public class AccountService(
             displayName,
             userInfo.Email,
             null,
-            "en-US",
+            isEmailVerified: userInfo.EmailVerified
-            "en",
-            userInfo.EmailVerified,
-            userInfo.EmailVerified
         );
     }
 
@@ -273,7 +289,8 @@ public class AccountService(
         return isExists;
     }
 
-    public async Task<SnAccountAuthFactor?> CreateAuthFactor(SnAccount account, Shared.Models.AccountAuthFactorType type, string? secret)
+    public async Task<SnAccountAuthFactor?> CreateAuthFactor(SnAccount account,
+        Shared.Models.AccountAuthFactorType type, string? secret)
     {
         SnAccountAuthFactor? factor = null;
         switch (type)
@@ -351,7 +368,8 @@ public class AccountService(
     public async Task<SnAccountAuthFactor> EnableAuthFactor(SnAccountAuthFactor factor, string? code)
     {
         if (factor.EnabledAt is not null) throw new ArgumentException("The factor has been enabled.");
-        if (factor.Type is Shared.Models.AccountAuthFactorType.Password or Shared.Models.AccountAuthFactorType.TimedCode)
+        if (factor.Type is Shared.Models.AccountAuthFactorType.Password
+            or Shared.Models.AccountAuthFactorType.TimedCode)
         {
             if (code is null || !factor.VerifyPassword(code))
                 throw new InvalidOperationException(
@@ -507,9 +525,7 @@ public class AccountService(
 
     private async Task<bool> IsDeviceActive(Guid id)
     {
-        return await db.AuthSessions
+        return await db.AuthSessions.AnyAsync(s => s.ClientId == id);
-            .Include(s => s.Challenge)
-            .AnyAsync(s => s.Challenge.ClientId == id);
     }
 
     public async Task<SnAuthClient> UpdateDeviceName(SnAccount account, string deviceId, string label)
@@ -528,8 +544,7 @@ public class AccountService(
     public async Task DeleteSession(SnAccount account, Guid sessionId)
     {
         var session = await db.AuthSessions
-            .Include(s => s.Challenge)
+            .Include(s => s.Client)
-            .ThenInclude(s => s.Client)
             .Where(s => s.Id == sessionId && s.AccountId == account.Id)
             .FirstOrDefaultAsync();
         if (session is null) throw new InvalidOperationException("Session was not found.");
@@ -538,11 +553,11 @@ public class AccountService(
         db.AuthSessions.Remove(session);
         await db.SaveChangesAsync();
 
-        if (session.Challenge.ClientId.HasValue)
+        if (session.ClientId.HasValue)
         {
-            if (!await IsDeviceActive(session.Challenge.ClientId.Value))
+            if (!await IsDeviceActive(session.ClientId.Value))
                 await pusher.UnsubscribePushNotificationsAsync(new UnsubscribePushNotificationsRequest()
-                    { DeviceId = session.Challenge.Client!.DeviceId }
+                    { DeviceId = session.Client!.DeviceId }
                 );
         }
 
@@ -563,15 +578,13 @@ public class AccountService(
         );
 
         var sessions = await db.AuthSessions
-            .Include(s => s.Challenge)
+            .Where(s => s.ClientId == device.Id && s.AccountId == account.Id)
-            .Where(s => s.Challenge.ClientId == device.Id && s.AccountId == account.Id)
             .ToListAsync();
 
         // The current session should be included in the sessions' list
         var now = SystemClock.Instance.GetCurrentInstant();
         await db.AuthSessions
-            .Include(s => s.Challenge)
+            .Where(s => s.ClientId == device.Id)
-            .Where(s => s.Challenge.ClientId == device.Id)
             .ExecuteUpdateAsync(p => p.SetProperty(s => s.DeletedAt, s => now));
 
         db.AuthClients.Remove(device);
@@ -581,7 +594,8 @@ public class AccountService(
             await cache.RemoveAsync($"{AuthService.AuthCachePrefix}{item.Id}");
     }
 
-    public async Task<SnAccountContact> CreateContactMethod(SnAccount account, Shared.Models.AccountContactType type, string content)
+    public async Task<SnAccountContact> CreateContactMethod(SnAccount account, Shared.Models.AccountContactType type,
+        string content)
     {
         var isExists = await db.AccountContacts
             .Where(x => x.AccountId == account.Id && x.Type == type && x.Content == content)
@@ -643,7 +657,8 @@ public class AccountService(
         }
     }
 
-    public async Task<SnAccountContact> SetContactMethodPublic(SnAccount account, SnAccountContact contact, bool isPublic)
+    public async Task<SnAccountContact> SetContactMethodPublic(SnAccount account, SnAccountContact contact,
+        bool isPublic)
     {
         contact.IsPublic = isPublic;
         db.AccountContacts.Update(contact);

DysonNetwork.Pass/Account/AccountServiceGrpc.cs

@@ -24,15 +24,16 @@ public class AccountServiceGrpc(
     public override async Task<Shared.Proto.Account> GetAccount(GetAccountRequest request, ServerCallContext context)
     {
         if (!Guid.TryParse(request.Id, out var accountId))
-            throw new RpcException(new Grpc.Core.Status(StatusCode.InvalidArgument, "Invalid account ID format"));
+            throw new RpcException(new Status(StatusCode.InvalidArgument, "Invalid account ID format"));
 
         var account = await _db.Accounts
             .AsNoTracking()
             .Include(a => a.Profile)
+            .Include(a => a.Contacts.Where(c => c.IsPublic))
             .FirstOrDefaultAsync(a => a.Id == accountId);
 
         if (account == null)
-            throw new RpcException(new Grpc.Core.Status(StatusCode.NotFound, $"Account {request.Id} not found"));
+            throw new RpcException(new Status(StatusCode.NotFound, $"Account {request.Id} not found"));
 
         var perk = await subscriptions.GetPerkSubscriptionAsync(account.Id);
         account.PerkSubscription = perk?.ToReference();

DysonNetwork.Pass/Account/ActionLogService.cs

@@ -1,10 +1,10 @@
 using DysonNetwork.Shared.Cache;
-using DysonNetwork.Shared.GeoIp;
+using DysonNetwork.Shared.Geometry;
 using DysonNetwork.Shared.Models;
 
 namespace DysonNetwork.Pass.Account;
 
-public class ActionLogService(GeoIpService geo, FlushBufferService fbs)
+public class ActionLogService(GeoService geo, FlushBufferService fbs)
 {
     public void CreateActionLog(Guid accountId, string action, Dictionary<string, object> meta)
     {

DysonNetwork.Pass/Account/FortuneSayingController.cs

@@ -0,0 +1,141 @@
+using Microsoft.AspNetCore.Mvc;
+
+namespace DysonNetwork.Pass.Account;
+
+public record FortuneSaying(
+    string Content,
+    string Source,
+    string Language
+);
+
+[ApiController]
+[Route("/api/fortune")]
+public class FortuneSayingController : ControllerBase
+{
+    private static readonly FortuneSaying[] Sayings =
+    [
+        // Chinese sayings
+        new("天行健，君子以自强不息。", "周易", "zh"),
+        new("地势坤，君子以厚德载物。", "周易", "zh"),
+        new("天道酬勤。", "谚语", "zh"),
+        new("天时不如地利，地利不如人和。", "孟子", "zh"),
+        new("君子有三畏：畏天命，畏大人，畏圣人之言。", "论语", "zh"),
+        new("己所不欲，勿施于人。", "孔子", "zh"),
+        new("学而时习之，不亦说乎？", "论语", "zh"),
+        new("有朋自远方来，不亦乐乎？", "论语", "zh"),
+        new("人不知而不愠，不亦君子乎？", "论语", "zh"),
+        new("不愤不启，不悱不发。", "论语", "zh"),
+        new("温故而知新，可以为师矣。", "论语", "zh"),
+        new("见贤思齐焉，见不贤而内自省也。", "论语", "zh"),
+        new("君子坦荡荡，小人长戚戚。", "论语", "zh"),
+        new("道不远人。人之为道而远人，不可以为道。", "论语", "zh"),
+        new("巧言令色，鲜矣仁。", "论语", "zh"),
+        new("岁寒，然后知松柏之后凋也。", "孔子", "zh"),
+        new("志于道，据于德，依于仁，游于艺。", "论语", "zh"),
+        new("博学而笃志，切问而近思。", "论语", "zh"),
+        new("知之者不如好之者，好之者不如乐之者。", "论语", "zh"),
+        new("君子欲讷于言而敏于行。", "论语", "zh"),
+        new("君子周而不比，小人比而不周。", "论语", "zh"),
+        new("君子喻于义，小人喻于利。", "论语", "zh"),
+        new("君子怀德，小人怀土。", "论语", "zh"),
+        new("君子矜而不争，群而不党。", "论语", "zh"),
+        new("君子和而不同，小人同而不和。", "论语", "zh"),
+        new("君子泰而不骄，小人骄而不泰。", "论语", "zh"),
+        new("君子谋道不谋食。", "论语", "zh"),
+        new("君子食无求饱，居无求安。", "论语", "zh"),
+        new("君子学以致其道。", "论语", "zh"),
+        new("君子耻其言而过其行。", "论语", "zh"),
+        new("君子敬而无失，与人恭而有礼。", "论语", "zh"),
+        new("君子求诸己，小人求诸人。", "论语", "zh"),
+        new("君子慎独。", "论语", "zh"),
+        new("君子不以言举人，不以人废言。", "论语", "zh"),
+        new("君子不器。", "论语", "zh"),
+        new("君子有终身之忧，无一朝之患。", "论语", "zh"),
+        new("君子固穷，小人穷斯滥矣。", "论语", "zh"),
+        new("君子疾没世而名不称焉。", "论语", "zh"),
+        new("君子而不仁者有矣夫，未有小人而仁者也。", "论语", "zh"),
+        new("君子义以为质，礼以行之，逊以出之，信以成之。", "论语", "zh"),
+        new("君子之德风，小人之德草。", "论语", "zh"),
+        new("君子之过也，如日月之食焉。", "论语", "zh"),
+        new("君子之言，寡而实；小人之言，多而虚。", "论语", "zh"),
+        new("君子之行，静以修身；小人之行，躁以求名。", "论语", "zh"),
+        new("君子之交淡若水，小人之交甘若醴。", "论语", "zh"),
+        new("君子之泽，五世而斩；小人之泽，亦五世而斩。", "孟子", "zh"),
+        new("君子有三乐，而王天下不与存焉。", "孟子", "zh"),
+        new("君子有三戒：少之时，血气未定，戒之在色；及其壮也，血气方刚，戒之在斗；及其老也，血气既衰，戒之在得。", "论语", "zh"),
+        new("君子莫大乎与人为善。", "孟子", "zh"),
+        new("君子远庖厨。", "孟子", "zh"),
+        // English sayings
+        new("The only way to do great work is to love what you do.", "Steve Jobs", "en"),
+        new("Believe you can and you're halfway there.", "Theodore Roosevelt", "en"),
+        new("The future belongs to those who believe in the beauty of their dreams.", "Eleanor Roosevelt", "en"),
+        new("You miss 100% of the shots you don't take.", "Wayne Gretzky", "en"),
+        new("The best way to predict the future is to create it.", "Peter Drucker", "en"),
+        new("Fortune favors the bold.", "Virgil", "en"),
+        new("Luck is what happens when preparation meets opportunity.", "Seneca", "en"),
+        new("The harder you work, the luckier you get.", "Gary Player", "en"),
+        new("Success is not final, failure is not fatal: It is the courage to continue that counts.", "Winston Churchill", "en"),
+        new("The pessimist complains about the wind; the optimist expects it to change; the realist adjusts the sails.", "William Arthur Ward", "en"),
+        new("The road to success is dotted with many tempting parking spaces.", "Will Rogers", "en"),
+        new("Don't watch the clock; do what it does. Keep going.", "Sam Levenson", "en"),
+        new("The only limit to our realization of tomorrow will be our doubts of today.", "Franklin D. Roosevelt", "en"),
+        new("Your time is limited, so don't waste it living someone else's life.", "Steve Jobs", "en"),
+        new("The way to get started is to quit talking and begin doing.", "Walt Disney", "en"),
+        new("If you look at what you have in life, you'll always have more.", "Oprah Winfrey", "en"),
+        new("The best revenge is massive success.", "Frank Sinatra", "en"),
+        new("You must do the things you think you cannot do.", "Eleanor Roosevelt", "en"),
+        new("Keep your face always toward the sunshine—and shadows will fall behind you.", "Walt Whitman", "en"),
+        new("The greatest glory in living lies not in never falling, but in rising every time we fall.", "Nelson Mandela", "en"),
+        new("Life is what happens to you while you're busy making other plans.", "John Lennon", "en"),
+        new("The secret of getting ahead is getting started.", "Mark Twain", "en"),
+        new("Believe in yourself and all that you are.", "Christian D. Larson", "en"),
+        new("The only person you are destined to become is the person you decide to be.", "Ralph Waldo Emerson", "en"),
+        new("Dream big and dare to fail.", "Norman Vaughan", "en"),
+        new("What lies behind us and what lies before us are tiny matters compared to what lies within us.", "Ralph Waldo Emerson", "en"),
+        new("You can't use up creativity. The more you use, the more you have.", "Maya Angelou", "en"),
+        new("The mind is everything. What you think you become.", "Buddha", "en"),
+        new("The best time to plant a tree was 20 years ago. The second best time is now.", "Chinese Proverb", "en"),
+        new("Fall seven times, stand up eight.", "Japanese Proverb", "en"),
+        new("The journey of a thousand miles begins with a single step.", "Lao Tzu", "en"),
+        new("Be not afraid of growing slowly, be afraid only of standing still.", "Chinese Proverb", "en"),
+        new("A bird does not sing because it has an answer. It sings because it has a song.", "Chinese Proverb", "en"),
+        new("Do not dwell in the past, do not dream of the future, concentrate the mind on the present moment.", "Buddha", "en"),
+        new("The best and most beautiful things in the world cannot be seen or even touched - they must be felt with the heart.", "Helen Keller", "en"),
+        new("Keep your eyes on the stars, and your feet on the ground.", "Theodore Roosevelt", "en"),
+        new("The only true wisdom is in knowing you know nothing.", "Socrates", "en"),
+        new("In the middle of every difficulty lies opportunity.", "Albert Einstein", "en"),
+        new("What you get by achieving your goals is not as important as what you become by achieving your goals.", "Zig Ziglar", "en"),
+        new("The purpose of life is a life of purpose.", "Robert Byrne", "en"),
+        new("You become what you believe.", "Oprah Winfrey", "en"),
+        new("The difference between a successful person and others is not a lack of strength, not a lack of knowledge, but rather a lack in will.", "Vince Lombardi", "en"),
+        new("The only way to make sense out of change is to plunge into it, move with it, and join the dance.", "Alan Watts", "en"),
+        new("Your work is going to fill a large part of your life, and the only way to be truly satisfied is to do what you believe is great work.", "Steve Jobs", "en"),
+        new("The man who has confidence in himself gains the confidence of others.", "Hasidic Proverb", "en"),
+        new("Courage is not the absence of fear, but rather the assessment that something else is more important than fear.", "Franklin D. Roosevelt", "en"),
+        new("The best preparation for tomorrow is doing your best today.", "H. Jackson Brown Jr.", "en"),
+        new("Believe in the power of your own voice. The more you use it, the stronger it becomes.", "Unknown", "en"),
+        new("Opportunities don't happen, you create them.", "Chris Grosser", "en")
+    ];
+
+    [HttpGet]
+    public ActionResult<List<FortuneSaying>> ListFortunes()
+    {
+        return Ok(Sayings);
+    }
+
+    [HttpGet("random")]
+    public ActionResult<List<FortuneSaying>> GetRandomFortunes([FromQuery] string? language)
+    {
+        var filteredSayings = string.IsNullOrEmpty(language)
+            ? Sayings
+            : Sayings.Where(s => s.Language.Equals(language, StringComparison.OrdinalIgnoreCase)).ToArray();
+
+        if (filteredSayings.Length == 0)
+            return NotFound("No fortunes found for the specified language.");
+
+        var random = new Random();
+        var randomSaying = filteredSayings[random.Next(filteredSayings.Length)];
+
+        return Ok(new List<FortuneSaying> { randomSaying });
+    }
+}

DysonNetwork.Pass/Account/FriendsController.cs

@@ -0,0 +1,55 @@
+using DysonNetwork.Shared.Models;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
+
+namespace DysonNetwork.Pass.Account;
+
+[ApiController]
+[Route("/api/friends")]
+public class FriendsController(AppDatabase db, RelationshipService rels, AccountEventService events) : ControllerBase
+{
+    public class FriendOverviewItem
+    {
+        public SnAccount Account { get; set; } = null!;
+        public SnAccountStatus Status { get; set; } = null!;
+        public List<SnPresenceActivity> Activities { get; set; } = [];
+    }
+
+    [HttpGet("overview")]
+    [Authorize]
+    public async Task<ActionResult<List<FriendOverviewItem>>> GetOverview([FromQuery] bool includeOffline = false)
+    {
+        if (HttpContext.Items["CurrentUser"] is not SnAccount currentUser) return Unauthorized();
+
+        var friendIds = await rels.ListAccountFriends(currentUser);
+
+        // Fetch data in parallel using batch methods for better performance
+        var accountsTask = db.Accounts
+            .Where(a => friendIds.Contains(a.Id))
+            .Include(a => a.Profile)
+            .ToListAsync();
+
+        var statusesTask = events.GetStatuses(friendIds);
+        var activitiesTask = events.GetActiveActivitiesBatch(friendIds);
+
+        // Wait for all data to be fetched
+        await Task.WhenAll(accountsTask, statusesTask, activitiesTask);
+
+        var accounts = accountsTask.Result;
+        var statuses = statusesTask.Result;
+        var activities = activitiesTask.Result;
+
+        var result = (from account in accounts
+            let status = statuses.GetValueOrDefault(account.Id)
+            where includeOffline || status is { IsOnline: true }
+            let accountActivities = activities.GetValueOrDefault(account.Id, new List<SnPresenceActivity>())
+            select new FriendOverviewItem
+            {
+                Account = account, Status = status ?? new SnAccountStatus { AccountId = account.Id },
+                Activities = accountActivities
+            }).ToList();
+
+        return Ok(result);
+    }
+}

DysonNetwork.Pass/Account/MagicSpellController.cs

@@ -1,3 +1,5 @@
+using DysonNetwork.Shared.Models;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
 
@@ -7,6 +9,20 @@ namespace DysonNetwork.Pass.Account;
 [Route("/api/spells")]
 public class MagicSpellController(AppDatabase db, MagicSpellService sp) : ControllerBase
 {
+    [HttpPost("activation/resend")]
+    [Authorize]
+    public async Task<ActionResult> ResendActivationMagicSpell()
+    {
+        if (HttpContext.Items["CurrentUser"] is not SnAccount currentUser) return Unauthorized();
+
+        var spell = await db.MagicSpells.FirstOrDefaultAsync(s =>
+            s.Type == MagicSpellType.AccountActivation && s.AccountId == currentUser.Id);
+        if (spell is null) return BadRequest("Unable to find activation magic spell.");
+        
+        await sp.NotifyMagicSpell(spell, true);
+        return Ok();
+    }
+
     [HttpPost("{spellId:guid}/resend")]
     public async Task<ActionResult> ResendMagicSpell(Guid spellId)
     {
@@ -38,7 +54,8 @@ public class MagicSpellController(AppDatabase db, MagicSpellService sp) : Contro
     }
 
     [HttpPost("{spellWord}/apply")]
-    public async Task<ActionResult> ApplyMagicSpell([FromRoute] string spellWord, [FromBody] MagicSpellApplyRequest? request)
+    public async Task<ActionResult> ApplyMagicSpell([FromRoute] string spellWord,
+        [FromBody] MagicSpellApplyRequest? request)
     {
         var word = Uri.UnescapeDataString(spellWord);
         var spell = await db.MagicSpells
@@ -59,6 +76,7 @@ public class MagicSpellController(AppDatabase db, MagicSpellService sp) : Contro
         {
             return BadRequest(ex.Message);
         }
+
         return Ok();
     }
 }

DysonNetwork.Pass/Account/MagicSpellService.cs

@@ -26,6 +26,7 @@ public class MagicSpellService(
         Dictionary<string, object> meta,
         Instant? expiredAt = null,
         Instant? affectedAt = null,
+        string? code = null,
         bool preventRepeat = false
     )
     {
@@ -41,7 +42,7 @@ public class MagicSpellService(
                 return existingSpell;
         }
 
-        var spellWord = _GenerateRandomString(128);
+        var spellWord = code ?? _GenerateRandomString(128);
         var spell = new SnMagicSpell
         {
             Spell = spellWord,
@@ -193,7 +194,7 @@ public class MagicSpellService(
                 {
                     db.PermissionGroupMembers.Add(new SnPermissionGroupMember
                     {
-                        Actor = $"user:{account.Id}",
+                        Actor = account.Id.ToString(),
                         Group = defaultGroup
                     });
                 }

DysonNetwork.Pass/Account/NotableDay.cs

@@ -28,6 +28,7 @@ public class NotableDay
     public Instant Date { get; set; }
     public string? LocalName { get; set; }
     public string? GlobalName { get; set; }
+    public string? LocalizableKey { get; set; }
     public string? CountryCode { get; set; }
     public NotableHolidayType[] Holidays { get; set; } = [];
 

DysonNetwork.Pass/Account/NotableDaysController.cs

@@ -77,4 +77,52 @@ public class NotableDaysController(NotableDaysService days) : ControllerBase
         }
         return Ok(result);
     }
+
+    [HttpGet("{regionCode}/current")]
+    public async Task<ActionResult<NotableDay?>> GetCurrentHoliday(string regionCode)
+    {
+        var result = await days.GetCurrentHoliday(regionCode);
+        if (result == null)
+        {
+            return NotFound("No holiday today");
+        }
+        return Ok(result);
+    }
+
+    [HttpGet("me/current")]
+    [Authorize]
+    public async Task<ActionResult<NotableDay?>> GetAccountCurrentHoliday()
+    {
+        if (HttpContext.Items["CurrentUser"] is not SnAccount currentUser) return Unauthorized();
+
+        var region = currentUser.Region;
+        if (string.IsNullOrWhiteSpace(region)) region = "us";
+
+        var result = await days.GetCurrentHoliday(region);
+        if (result == null)
+        {
+            return NotFound("No holiday today");
+        }
+        return Ok(result);
+    }
+
+    [HttpGet("{regionCode}/recent")]
+    public async Task<ActionResult<List<NotableDay>>> GetRecentNotableDay(string regionCode)
+    {
+        var result = await days.GetCurrentAndNextHoliday(regionCode);
+        return Ok(result);
+    }
+
+    [HttpGet("me/recent")]
+    [Authorize]
+    public async Task<ActionResult<List<NotableDay>>> GetAccountRecentNotableDay()
+    {
+        if (HttpContext.Items["CurrentUser"] is not SnAccount currentUser) return Unauthorized();
+
+        var region = currentUser.Region;
+        if (string.IsNullOrWhiteSpace(region)) region = "us";
+
+        var result = await days.GetCurrentAndNextHoliday(region);
+        return Ok(result);
+    }
 }

DysonNetwork.Pass/Account/NotableDaysService.cs

@@ -27,12 +27,123 @@ public class NotableDaysService(ICacheService cache)
         var holidays = await holidayClient.GetHolidaysAsync(year.Value, regionCode);
         var days = holidays?.Select(NotableDay.FromNagerHoliday).ToList() ?? [];
 
+        // Add global holidays that are available for all regions
+        var globalDays = GetGlobalHolidays(year.Value);
+        foreach (var globalDay in globalDays.Where(globalDay =>
+                     !days.Any(d => d.Date.Equals(globalDay.Date) && d.GlobalName == globalDay.GlobalName)))
+        {
+            days.Add(globalDay);
+        }
+
         // Cache the result for 1 day (holiday data doesn't change frequently)
         await cache.SetAsync(cacheKey, days, TimeSpan.FromDays(1));
 
         return days;
     }
 
+    private static List<NotableDay> GetGlobalHolidays(int year)
+    {
+        var globalDays = new List<NotableDay>();
+
+        // Christmas Day - December 25
+        var christmas = new NotableDay
+        {
+            Date = Instant.FromDateTimeUtc(new DateTime(year, 12, 25, 0, 0, 0, DateTimeKind.Utc)),
+            LocalName = "Christmas",
+            GlobalName = "Christmas",
+            LocalizableKey = "Christmas",
+            CountryCode = null,
+            Holidays = [NotableHolidayType.Public]
+        };
+        globalDays.Add(christmas);
+
+        // New Year's Day - January 1
+        var newYear = new NotableDay
+        {
+            Date = Instant.FromDateTimeUtc(new DateTime(year, 1, 1, 0, 0, 0, DateTimeKind.Utc)),
+            LocalName = "New Year's Day",
+            GlobalName = "New Year's Day",
+            LocalizableKey = "NewYear",
+            CountryCode = null,
+            Holidays = [NotableHolidayType.Public]
+        };
+        globalDays.Add(newYear);
+
+        // Valentine's Day - February 14
+        var valentine = new NotableDay
+        {
+            Date = Instant.FromDateTimeUtc(new DateTime(year, 2, 14, 0, 0, 0, DateTimeKind.Utc)),
+            LocalName = "Valentine's Day",
+            GlobalName = "Valentine's Day",
+            LocalizableKey = "ValentineDay",
+            CountryCode = null,
+            Holidays = [NotableHolidayType.Observance]
+        };
+        globalDays.Add(valentine);
+
+        // April Fools' Day - April 1
+        var aprilFools = new NotableDay
+        {
+            Date = Instant.FromDateTimeUtc(new DateTime(year, 4, 1, 0, 0, 0, DateTimeKind.Utc)),
+            LocalName = "April Fools' Day",
+            GlobalName = "April Fools' Day",
+            LocalizableKey = "AprilFoolsDay",
+            CountryCode = null,
+            Holidays = [NotableHolidayType.Observance]
+        };
+        globalDays.Add(aprilFools);
+
+        // International Workers' Day - May 1
+        var workersDay = new NotableDay
+        {
+            Date = Instant.FromDateTimeUtc(new DateTime(year, 5, 1, 0, 0, 0, DateTimeKind.Utc)),
+            LocalName = "International Workers' Day",
+            GlobalName = "International Workers' Day",
+            LocalizableKey = "WorkersDay",
+            CountryCode = null,
+            Holidays = [NotableHolidayType.Public]
+        };
+        globalDays.Add(workersDay);
+
+        // Children's Day - June 1
+        var childrenDay = new NotableDay
+        {
+            Date = Instant.FromDateTimeUtc(new DateTime(year, 6, 1, 0, 0, 0, DateTimeKind.Utc)),
+            LocalName = "Children's Day",
+            GlobalName = "Children's Day",
+            LocalizableKey = "ChildrenDay",
+            CountryCode = null,
+            Holidays = [NotableHolidayType.Public]
+        };
+        globalDays.Add(childrenDay);
+
+        // World Environment Day - June 5
+        var environmentDay = new NotableDay
+        {
+            Date = Instant.FromDateTimeUtc(new DateTime(year, 6, 5, 0, 0, 0, DateTimeKind.Utc)),
+            LocalName = "World Environment Day",
+            GlobalName = "World Environment Day",
+            LocalizableKey = "EnvironmentDay",
+            CountryCode = null,
+            Holidays = [NotableHolidayType.Observance]
+        };
+        globalDays.Add(environmentDay);
+
+        // Halloween - October 31
+        var halloween = new NotableDay
+        {
+            Date = Instant.FromDateTimeUtc(new DateTime(year, 10, 31, 0, 0, 0, DateTimeKind.Utc)),
+            LocalName = "Halloween",
+            GlobalName = "Halloween",
+            LocalizableKey = "Halloween",
+            CountryCode = null,
+            Holidays = [NotableHolidayType.Observance]
+        };
+        globalDays.Add(halloween);
+
+        return globalDays;
+    }
+
     public async Task<NotableDay?> GetNextHoliday(string regionCode)
     {
         var currentDate = SystemClock.Instance.GetCurrentInstant();
@@ -52,4 +163,37 @@ public class NotableDaysService(ICacheService cache)
 
         return nextHoliday;
     }
+
+    public async Task<NotableDay?> GetCurrentHoliday(string regionCode)
+    {
+        var currentDate = SystemClock.Instance.GetCurrentInstant();
+        var currentYear = currentDate.InUtc().Year;
+
+        var currentYearHolidays = await GetNotableDays(currentYear, regionCode);
+
+        // Find the holiday that is today
+        var todayHoliday = currentYearHolidays
+            .FirstOrDefault(day => day.Date.InUtc().Date == currentDate.InUtc().Date);
+
+        return todayHoliday;
+    }
+
+    public async Task<List<NotableDay>> GetCurrentAndNextHoliday(string regionCode)
+    {
+        var result = new List<NotableDay>();
+
+        var current = await GetCurrentHoliday(regionCode);
+        if (current != null)
+        {
+            result.Add(current);
+        }
+
+        var next = await GetNextHoliday(regionCode);
+        if (next != null && (current == null || !next.Date.Equals(current.Date)))
+        {
+            result.Add(next);
+        }
+
+        return result;
+    }
 }

DysonNetwork.Pass/Account/RelationshipController.cs

@@ -20,6 +20,7 @@ public class RelationshipController(AppDatabase db, RelationshipService rels) :
         var userId = currentUser.Id;
 
         var query = db.AccountRelationships.AsQueryable()
+            .OrderByDescending(r => r.CreatedAt)
             .Where(r => r.RelatedId == userId);
         var totalCount = await query.CountAsync();
         var relationships = await query
@@ -35,8 +36,9 @@ public class RelationshipController(AppDatabase db, RelationshipService rels) :
             .Where(r => r.AccountId == userId)
             .ToDictionaryAsync(r => r.RelatedId);
         foreach (var relationship in relationships)
-            if (statuses.TryGetValue(relationship.RelatedId, out var status))
+            relationship.Status = statuses.TryGetValue(relationship.AccountId, out var status)
-                relationship.Status = status.Status;
+                ? status.Status
+                : RelationshipStatus.Pending;
 
         Response.Headers["X-Total"] = totalCount.ToString();
 

DysonNetwork.Pass/Account/RelationshipService.cs

@@ -17,12 +17,18 @@ public class RelationshipService(
 {
     private const string UserFriendsCacheKeyPrefix = "accounts:friends:";
     private const string UserBlockedCacheKeyPrefix = "accounts:blocked:";
+    private static readonly TimeSpan CacheExpiration = TimeSpan.FromHours(1);
 
     public async Task<bool> HasExistingRelationship(Guid accountId, Guid relatedId)
     {
+        if (accountId == Guid.Empty || relatedId == Guid.Empty)
+            throw new ArgumentException("Account IDs cannot be empty.");
+        if (accountId == relatedId)
+            return false; // Prevent self-relationships
+
         var count = await db.AccountRelationships
             .Where(r => (r.AccountId == accountId && r.RelatedId == relatedId) ||
-                        (r.AccountId == relatedId && r.AccountId == accountId))
+                        (r.AccountId == relatedId && r.RelatedId == accountId))
             .CountAsync();
         return count > 0;
     }
@@ -34,6 +40,9 @@ public class RelationshipService(
         bool ignoreExpired = false
     )
     {
+        if (accountId == Guid.Empty || relatedId == Guid.Empty)
+            throw new ArgumentException("Account IDs cannot be empty.");
+
         var now = Instant.FromDateTimeUtc(DateTime.UtcNow);
         var queries = db.AccountRelationships.AsQueryable()
             .Where(r => r.AccountId == accountId && r.RelatedId == relatedId);
@@ -61,7 +70,7 @@ public class RelationshipService(
         db.AccountRelationships.Add(relationship);
         await db.SaveChangesAsync();
 
-        await PurgeRelationshipCache(sender.Id, target.Id);
+        await PurgeRelationshipCache(sender.Id, target.Id, status);
 
         return relationship;
     }
@@ -80,7 +89,7 @@ public class RelationshipService(
         db.Remove(relationship);
         await db.SaveChangesAsync();
 
-        await PurgeRelationshipCache(sender.Id, target.Id);
+        await PurgeRelationshipCache(sender.Id, target.Id, RelationshipStatus.Blocked);
 
         return relationship;
     }
@@ -114,19 +123,24 @@ public class RelationshipService(
             }
         });
 
+        await PurgeRelationshipCache(sender.Id, target.Id, RelationshipStatus.Pending);
+
         return relationship;
     }
 
     public async Task DeleteFriendRequest(Guid accountId, Guid relatedId)
     {
-        var relationship = await GetRelationship(accountId, relatedId, RelationshipStatus.Pending);
+        if (accountId == Guid.Empty || relatedId == Guid.Empty)
-        if (relationship is null) throw new ArgumentException("Friend request was not found.");
+            throw new ArgumentException("Account IDs cannot be empty.");
 
-        await db.AccountRelationships
+        var affectedRows = await db.AccountRelationships
             .Where(r => r.AccountId == accountId && r.RelatedId == relatedId && r.Status == RelationshipStatus.Pending)
             .ExecuteDeleteAsync();
 
-        await PurgeRelationshipCache(relationship.AccountId, relationship.RelatedId);
+        if (affectedRows == 0)
+            throw new ArgumentException("Friend request was not found.");
+
+        await PurgeRelationshipCache(accountId, relatedId, RelationshipStatus.Pending);
     }
 
     public async Task<SnAccountRelationship> AcceptFriendRelationship(
@@ -155,7 +169,7 @@ public class RelationshipService(
 
         await db.SaveChangesAsync();
 
-        await PurgeRelationshipCache(relationship.AccountId, relationship.RelatedId);
+        await PurgeRelationshipCache(relationship.AccountId, relationship.RelatedId, RelationshipStatus.Friends, status);
 
         return relationshipBackward;
     }
@@ -165,11 +179,12 @@ public class RelationshipService(
         var relationship = await GetRelationship(accountId, relatedId);
         if (relationship is null) throw new ArgumentException("There is no relationship between you and the user.");
         if (relationship.Status == status) return relationship;
+        var oldStatus = relationship.Status;
         relationship.Status = status;
         db.Update(relationship);
         await db.SaveChangesAsync();
 
-        await PurgeRelationshipCache(accountId, relatedId);
+        await PurgeRelationshipCache(accountId, relatedId, oldStatus, status);
 
         return relationship;
     }
@@ -181,21 +196,7 @@ public class RelationshipService(
 
     public async Task<List<Guid>> ListAccountFriends(Guid accountId)
     {
-        var cacheKey = $"{UserFriendsCacheKeyPrefix}{accountId}";
+        return await GetCachedRelationships(accountId, RelationshipStatus.Friends, UserFriendsCacheKeyPrefix);
-        var friends = await cache.GetAsync<List<Guid>>(cacheKey);
-
-        if (friends == null)
-        {
-            friends = await db.AccountRelationships
-                .Where(r => r.RelatedId == accountId)
-                .Where(r => r.Status == RelationshipStatus.Friends)
-                .Select(r => r.AccountId)
-                .ToListAsync();
-
-            await cache.SetAsync(cacheKey, friends, TimeSpan.FromHours(1));
-        }
-
-        return friends ?? [];
     }
 
     public async Task<List<Guid>> ListAccountBlocked(SnAccount account)
@@ -205,21 +206,7 @@ public class RelationshipService(
 
     public async Task<List<Guid>> ListAccountBlocked(Guid accountId)
     {
-        var cacheKey = $"{UserBlockedCacheKeyPrefix}{accountId}";
+        return await GetCachedRelationships(accountId, RelationshipStatus.Blocked, UserBlockedCacheKeyPrefix);
-        var blocked = await cache.GetAsync<List<Guid>>(cacheKey);
-
-        if (blocked == null)
-        {
-            blocked = await db.AccountRelationships
-                .Where(r => r.RelatedId == accountId)
-                .Where(r => r.Status == RelationshipStatus.Blocked)
-                .Select(r => r.AccountId)
-                .ToListAsync();
-
-            await cache.SetAsync(cacheKey, blocked, TimeSpan.FromHours(1));
-        }
-
-        return blocked ?? [];
     }
 
     public async Task<bool> HasRelationshipWithStatus(Guid accountId, Guid relatedId,
@@ -229,11 +216,59 @@ public class RelationshipService(
         return relationship is not null;
     }
 
-    private async Task PurgeRelationshipCache(Guid accountId, Guid relatedId)
+    private async Task<List<Guid>> GetCachedRelationships(Guid accountId, RelationshipStatus status, string cachePrefix)
     {
-        await cache.RemoveAsync($"{UserFriendsCacheKeyPrefix}{accountId}");
+        if (accountId == Guid.Empty)
-        await cache.RemoveAsync($"{UserFriendsCacheKeyPrefix}{relatedId}");
+            throw new ArgumentException("Account ID cannot be empty.");
-        await cache.RemoveAsync($"{UserBlockedCacheKeyPrefix}{accountId}");
+
-        await cache.RemoveAsync($"{UserBlockedCacheKeyPrefix}{relatedId}");
+        var cacheKey = $"{cachePrefix}{accountId}";
+        var relationships = await cache.GetAsync<List<Guid>>(cacheKey);
+
+        if (relationships != null) return relationships;
+        var now = Instant.FromDateTimeUtc(DateTime.UtcNow);
+        var query = db.AccountRelationships
+            .Where(r => r.RelatedId == accountId)
+            .Where(r => r.Status == status)
+            .Where(r => r.ExpiredAt == null || r.ExpiredAt > now)
+            .Select(r => r.AccountId);
+
+        if (status == RelationshipStatus.Friends)
+        {
+            var usersBlockedByMe = db.AccountRelationships
+                .Where(r => r.AccountId == accountId && r.Status == RelationshipStatus.Blocked)
+                .Select(r => r.RelatedId);
+            query = query.Except(usersBlockedByMe);
+        }
+
+        relationships = await query.ToListAsync();
+
+        await cache.SetAsync(cacheKey, relationships, CacheExpiration);
+
+        return relationships;
+    }
+
+    private async Task PurgeRelationshipCache(Guid accountId, Guid relatedId, params RelationshipStatus[] statuses)
+    {
+        if (statuses.Length == 0)
+        {
+            statuses = Enum.GetValues<RelationshipStatus>();
+        }
+
+        var keysToRemove = new List<string>();
+
+        if (statuses.Contains(RelationshipStatus.Friends) || statuses.Contains(RelationshipStatus.Pending))
+        {
+            keysToRemove.Add($"{UserFriendsCacheKeyPrefix}{accountId}");
+            keysToRemove.Add($"{UserFriendsCacheKeyPrefix}{relatedId}");
+        }
+
+        if (statuses.Contains(RelationshipStatus.Blocked))
+        {
+            keysToRemove.Add($"{UserBlockedCacheKeyPrefix}{accountId}");
+            keysToRemove.Add($"{UserBlockedCacheKeyPrefix}{relatedId}");
+        }
+
+        var removeTasks = keysToRemove.Select(key => cache.RemoveAsync(key));
+        await Task.WhenAll(removeTasks);
     }
 }

DysonNetwork.Pass/Affiliation/AffiliationSpellController.cs

@@ -0,0 +1,134 @@
+using System.ComponentModel.DataAnnotations;
+using DysonNetwork.Shared.Models;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
+
+namespace DysonNetwork.Pass.Affiliation;
+
+[ApiController]
+[Route("/api/affiliations")]
+public class AffiliationSpellController(AppDatabase db, AffiliationSpellService ars) : ControllerBase
+{
+    public class CreateAffiliationSpellRequest
+    {
+        [MaxLength(1024)] public string? Spell { get; set; }
+    }
+
+    [HttpPost]
+    [Authorize]
+    public async Task<ActionResult<SnAffiliationSpell>> CreateSpell([FromBody] CreateAffiliationSpellRequest request)
+    {
+        if (HttpContext.Items["CurrentUser"] is not SnAccount currentUser) return Unauthorized();
+
+        try
+        {
+            var spell = await ars.CreateAffiliationSpell(currentUser.Id, request.Spell);
+            return Ok(spell);
+        }
+        catch (InvalidOperationException e)
+        {
+            return BadRequest(e.Message);
+        }
+    }
+    
+    [HttpGet]
+    [Authorize]
+    public async Task<ActionResult<List<SnAffiliationSpell>>> ListCreatedSpells(
+        [FromQuery(Name = "order")] string orderBy = "date",
+        [FromQuery(Name = "desc")] bool orderDesc = false,
+        [FromQuery] int take = 10,
+        [FromQuery] int offset = 0
+    )
+    {
+        if (HttpContext.Items["CurrentUser"] is not SnAccount currentUser) return Unauthorized();
+
+        var queryable = db.AffiliationSpells
+            .Where(s => s.AccountId == currentUser.Id)
+            .AsQueryable();
+
+        queryable = orderBy switch
+        {
+            "usage" => orderDesc
+                ? queryable.OrderByDescending(q => q.Results.Count)
+                : queryable.OrderBy(q => q.Results.Count),
+            _ => orderDesc
+                ? queryable.OrderByDescending(q => q.CreatedAt)
+                : queryable.OrderBy(q => q.CreatedAt)
+        };
+
+        var totalCount = queryable.Count();
+        Response.Headers["X-Total"] = totalCount.ToString();
+
+        var spells = await queryable
+            .Skip(offset)
+            .Take(take)
+            .ToListAsync();
+        return Ok(spells);
+    }
+
+    [HttpGet("{id:guid}")]
+    [Authorize]
+    public async Task<ActionResult<SnAffiliationSpell>> GetSpell([FromRoute] Guid id)
+    {
+        if (HttpContext.Items["CurrentUser"] is not SnAccount currentUser) return Unauthorized();
+
+        var spell = await db.AffiliationSpells
+            .Where(s => s.AccountId == currentUser.Id)
+            .Where(s => s.Id == id)
+            .FirstOrDefaultAsync();
+        if (spell is null) return NotFound();
+
+        return Ok(spell);
+    }
+
+    [HttpGet("{id:guid}/results")]
+    [Authorize]
+    public async Task<ActionResult<List<SnAffiliationResult>>> ListResults(
+        [FromRoute] Guid id,
+        [FromQuery(Name = "desc")] bool orderDesc = false,
+        [FromQuery] int take = 10,
+        [FromQuery] int offset = 0
+    )
+    {
+        if (HttpContext.Items["CurrentUser"] is not SnAccount currentUser) return Unauthorized();
+
+        var queryable = db.AffiliationResults
+            .Include(r => r.Spell)
+            .Where(r => r.Spell.AccountId == currentUser.Id)
+            .Where(r => r.SpellId == id)
+            .AsQueryable();
+
+        // Order by creation date
+        queryable = orderDesc
+            ? queryable.OrderByDescending(r => r.CreatedAt)
+            : queryable.OrderBy(r => r.CreatedAt);
+
+        var totalCount = queryable.Count();
+        Response.Headers["X-Total"] = totalCount.ToString();
+
+        var results = await queryable
+            .Skip(offset)
+            .Take(take)
+            .ToListAsync();
+        return Ok(results);
+    }
+
+    [HttpDelete("{id:guid}")]
+    [Authorize]
+    public async Task<ActionResult> DeleteSpell([FromRoute] Guid id)
+    {
+        if (HttpContext.Items["CurrentUser"] is not SnAccount currentUser) return Unauthorized();
+
+        var spell = await db.AffiliationSpells
+            .Where(s => s.AccountId == currentUser.Id)
+            .Where(s => s.Id == id)
+            .FirstOrDefaultAsync();
+        if (spell is null) return NotFound();
+
+        db.AffiliationSpells.Remove(spell);
+        await db.SaveChangesAsync();
+
+        return Ok();
+    }
+}

DysonNetwork.Pass/Affiliation/AffiliationSpellService.cs

@@ -0,0 +1,62 @@
+using System.Security.Cryptography;
+using DysonNetwork.Shared.Models;
+using Microsoft.EntityFrameworkCore;
+
+namespace DysonNetwork.Pass.Affiliation;
+
+public class AffiliationSpellService(AppDatabase db)
+{
+    public async Task<SnAffiliationSpell> CreateAffiliationSpell(Guid accountId, string? spellWord)
+    {
+        spellWord ??= _GenerateRandomString(8);
+        if (await CheckAffiliationSpellHasTaken(spellWord))
+            throw new InvalidOperationException("The spell has been taken.");
+
+        var spell = new SnAffiliationSpell
+        {
+            AccountId = accountId,
+            Spell = spellWord
+        };
+
+        db.AffiliationSpells.Add(spell);
+        await db.SaveChangesAsync();
+        return spell;
+    }
+
+    public async Task<SnAffiliationResult> CreateAffiliationResult(string spellWord, string resourceId)
+    {
+        var spell =
+            await db.AffiliationSpells.FirstOrDefaultAsync(a => a.Spell == spellWord);
+        if (spell is null) throw  new InvalidOperationException("The spell was not found.");
+
+        var result = new SnAffiliationResult
+        {
+            Spell = spell,
+            ResourceIdentifier = resourceId
+        };
+        db.AffiliationResults.Add(result);
+        await db.SaveChangesAsync();
+        
+        return result;
+    }
+
+    public async Task<bool> CheckAffiliationSpellHasTaken(string spellWord)
+    {
+        return await db.AffiliationSpells.AnyAsync(s => s.Spell == spellWord);
+    }
+
+    private static string _GenerateRandomString(int length)
+    {
+        const string chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+        var result = new char[length];
+        using var rng = RandomNumberGenerator.Create();
+        for (var i = 0; i < length; i++)
+        {
+            var bytes = new byte[1];
+            rng.GetBytes(bytes);
+            result[i] = chars[bytes[0] % chars.Length];
+        }
+
+        return new string(result);
+    }
+}

DysonNetwork.Pass/AppDatabase.cs

@@ -1,8 +1,8 @@
 using System.Linq.Expressions;
-using System.Reflection;
 using System.Text.Json;
 using System.Text.Json.Serialization;
 using DysonNetwork.Pass.Permission;
+using DysonNetwork.Shared.Data;
 using DysonNetwork.Shared.Models;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore.Design;
@@ -61,6 +61,11 @@ public class AppDatabase(
     public DbSet<SnLottery> Lotteries { get; set; } = null!;
     public DbSet<SnLotteryRecord> LotteryRecords { get; set; } = null!;
 
+    public DbSet<SnAffiliationSpell> AffiliationSpells { get; set; } = null!;
+    public DbSet<SnAffiliationResult> AffiliationResults { get; set; } = null!;
+    
+    public DbSet<SnRewindPoint> RewindPoints { get; set; }
+
     protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
     {
         optionsBuilder.UseNpgsql(
@@ -100,7 +105,7 @@ public class AppDatabase(
                             "stickers.packs.create",
                             "stickers.create"
                         }.Select(permission =>
-                            PermissionService.NewPermissionNode("group:default", "global", permission, true))
+                            PermissionService.NewPermissionNode("group:default", permission, true))
                         .ToList()
                 });
                 await context.SaveChangesAsync(cancellationToken);
@@ -143,51 +148,12 @@ public class AppDatabase(
             .HasForeignKey(pm => pm.RealmId)
             .OnDelete(DeleteBehavior.Cascade);
 
-        // Automatically apply soft-delete filter to all entities inheriting BaseModel
+        modelBuilder.ApplySoftDeleteFilters();
-        foreach (var entityType in modelBuilder.Model.GetEntityTypes())
-        {
-            if (!typeof(ModelBase).IsAssignableFrom(entityType.ClrType)) continue;
-            var method = typeof(AppDatabase)
-                .GetMethod(nameof(SetSoftDeleteFilter),
-                    BindingFlags.NonPublic | BindingFlags.Static)!
-                .MakeGenericMethod(entityType.ClrType);
-
-            method.Invoke(null, [modelBuilder]);
-        }
-    }
-
-    private static void SetSoftDeleteFilter<TEntity>(ModelBuilder modelBuilder)
-        where TEntity : ModelBase
-    {
-        modelBuilder.Entity<TEntity>().HasQueryFilter(e => e.DeletedAt == null);
     }
 
     public override async Task<int> SaveChangesAsync(CancellationToken cancellationToken = default)
     {
-        var now = SystemClock.Instance.GetCurrentInstant();
+        this.ApplyAuditableAndSoftDelete();
-
-        foreach (var entry in ChangeTracker.Entries<ModelBase>())
-        {
-            switch (entry.State)
-            {
-                case EntityState.Added:
-                    entry.Entity.CreatedAt = now;
-                    entry.Entity.UpdatedAt = now;
-                    break;
-                case EntityState.Modified:
-                    entry.Entity.UpdatedAt = now;
-                    break;
-                case EntityState.Deleted:
-                    entry.State = EntityState.Modified;
-                    entry.Entity.DeletedAt = now;
-                    break;
-                case EntityState.Detached:
-                case EntityState.Unchanged:
-                default:
-                    break;
-            }
-        }
-
         return await base.SaveChangesAsync(cancellationToken);
     }
 }
@@ -266,34 +232,3 @@ public class AppDatabaseFactory : IDesignTimeDbContextFactory<AppDatabase>
     }
 }
 
-public static class OptionalQueryExtensions
-{
-    public static IQueryable<T> If<T>(
-        this IQueryable<T> source,
-        bool condition,
-        Func<IQueryable<T>, IQueryable<T>> transform
-    )
-    {
-        return condition ? transform(source) : source;
-    }
-
-    public static IQueryable<T> If<T, TP>(
-        this IIncludableQueryable<T, TP> source,
-        bool condition,
-        Func<IIncludableQueryable<T, TP>, IQueryable<T>> transform
-    )
-        where T : class
-    {
-        return condition ? transform(source) : source;
-    }
-
-    public static IQueryable<T> If<T, TP>(
-        this IIncludableQueryable<T, IEnumerable<TP>> source,
-        bool condition,
-        Func<IIncludableQueryable<T, IEnumerable<TP>>, IQueryable<T>> transform
-    )
-        where T : class
-    {
-        return condition ? transform(source) : source;
-    }
-}

DysonNetwork.Pass/Auth/Auth.cs

@@ -70,7 +70,7 @@ public class DysonTokenAuthHandler(
             };
 
             // Add scopes as claims
-            session.Challenge?.Scopes.ForEach(scope => claims.Add(new Claim("scope", scope)));
+            session.Scopes.ForEach(scope => claims.Add(new Claim("scope", scope)));
 
             // Add superuser claim if applicable
             if (session.Account.IsSuperuser)
@@ -117,16 +117,17 @@ public class DysonTokenAuthHandler(
         {
             if (authHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
             {
-                var token = authHeader["Bearer ".Length..].Trim();
+                var tokenText = authHeader["Bearer ".Length..].Trim();
-                var parts = token.Split('.');
+                var parts = tokenText.Split('.');
 
                 return new TokenInfo
                 {
-                    Token = token,
+                    Token = tokenText,
                     Type = parts.Length == 3 ? TokenType.OidcKey : TokenType.AuthKey
                 };
             }
-            else if (authHeader.StartsWith("AtField ", StringComparison.OrdinalIgnoreCase))
+
+            if (authHeader.StartsWith("AtField ", StringComparison.OrdinalIgnoreCase))
             {
                 return new TokenInfo
                 {
@@ -134,7 +135,8 @@ public class DysonTokenAuthHandler(
                     Type = TokenType.AuthKey
                 };
             }
-            else if (authHeader.StartsWith("AkField ", StringComparison.OrdinalIgnoreCase))
+
+            if (authHeader.StartsWith("AkField ", StringComparison.OrdinalIgnoreCase))
             {
                 return new TokenInfo
                 {

DysonNetwork.Pass/Auth/AuthController.cs

@@ -3,7 +3,7 @@ using Microsoft.AspNetCore.Mvc;
 using NodaTime;
 using Microsoft.EntityFrameworkCore;
 using DysonNetwork.Pass.Localization;
-using DysonNetwork.Shared.GeoIp;
+using DysonNetwork.Shared.Geometry;
 using DysonNetwork.Shared.Proto;
 using Microsoft.Extensions.Localization;
 using AccountService = DysonNetwork.Pass.Account.AccountService;
@@ -18,7 +18,7 @@ public class AuthController(
     AppDatabase db,
     AccountService accounts,
     AuthService auth,
-    GeoIpService geo,
+    GeoService geo,
     ActionLogService als,
     RingService.RingServiceClient pusher,
     IConfiguration configuration,
@@ -30,12 +30,12 @@ public class AuthController(
 
     public class ChallengeRequest
     {
-        [Required] public ClientPlatform Platform { get; set; }
+        [Required] public Shared.Models.ClientPlatform Platform { get; set; }
         [Required] [MaxLength(256)] public string Account { get; set; } = null!;
         [Required] [MaxLength(512)] public string DeviceId { get; set; } = null!;
         [MaxLength(1024)] public string? DeviceName { get; set; }
-        public List<string> Audiences { get; set; } = new();
+        public List<string> Audiences { get; set; } = [];
-        public List<string> Scopes { get; set; } = new();
+        public List<string> Scopes { get; set; } = [];
     }
 
     [HttpPost("challenge")]
@@ -61,9 +61,6 @@ public class AuthController(
 
         request.DeviceName ??= userAgent;
 
-        var device =
-            await auth.GetOrCreateDeviceAsync(account.Id, request.DeviceId, request.DeviceName, request.Platform);
-
         // Trying to pick up challenges from the same IP address and user agent
         var existingChallenge = await db.AuthChallenges
             .Where(e => e.AccountId == account.Id)
@@ -71,15 +68,9 @@ public class AuthController(
             .Where(e => e.UserAgent == userAgent)
             .Where(e => e.StepRemain > 0)
             .Where(e => e.ExpiredAt != null && now < e.ExpiredAt)
-            .Where(e => e.Type == Shared.Models.ChallengeType.Login)
+            .Where(e => e.DeviceId == request.DeviceId)
-            .Where(e => e.ClientId == device.Id)
             .FirstOrDefaultAsync();
-        if (existingChallenge is not null)
+        if (existingChallenge is not null) return existingChallenge;
-        {
-            var existingSession = await db.AuthSessions.Where(e => e.ChallengeId == existingChallenge.Id)
-                .FirstOrDefaultAsync();
-            if (existingSession is null) return existingChallenge;
-        }
 
         var challenge = new SnAuthChallenge
         {
@@ -90,7 +81,9 @@ public class AuthController(
             IpAddress = ipAddress,
             UserAgent = userAgent,
             Location = geo.GetPointFromIp(ipAddress),
-            ClientId = device.Id,
+            DeviceId = request.DeviceId,
+            DeviceName = request.DeviceName,
+            Platform = request.Platform,
             AccountId = account.Id
         }.Normalize();
 
@@ -112,14 +105,11 @@ public class AuthController(
             .ThenInclude(e => e.Profile)
             .FirstOrDefaultAsync(e => e.Id == id);
 
-        if (challenge is null)
+        if (challenge is not null) return challenge;
-        {
+        logger.LogWarning("GetChallenge: challenge not found (challengeId={ChallengeId}, ip={IpAddress})",
-            logger.LogWarning("GetChallenge: challenge not found (challengeId={ChallengeId}, ip={IpAddress})",
+            id, HttpContext.Connection.RemoteIpAddress?.ToString());
-                id, HttpContext.Connection.RemoteIpAddress?.ToString());
+        return NotFound("Auth challenge was not found.");
-            return NotFound("Auth challenge was not found.");
-        }
 
-        return challenge;
     }
 
     [HttpGet("challenge/{id:guid}/factors")]
@@ -176,7 +166,6 @@ public class AuthController(
     {
         var challenge = await db.AuthChallenges
             .Include(e => e.Account)
-            .Include(authChallenge => authChallenge.Client)
             .FirstOrDefaultAsync(e => e.Id == id);
         if (challenge is null) return NotFound("Auth challenge was not found.");
 
@@ -218,7 +207,7 @@ public class AuthController(
                 throw new ArgumentException("Invalid password.");
             }
         }
-        catch (Exception ex)
+        catch (Exception)
         {
             challenge.FailedAttempts++;
             db.Update(challenge);
@@ -231,8 +220,11 @@ public class AuthController(
             );
             await db.SaveChangesAsync();
 
-            logger.LogWarning("DoChallenge: authentication failure (challengeId={ChallengeId}, factorId={FactorId}, accountId={AccountId}, failedAttempts={FailedAttempts}, factorType={FactorType}, ip={IpAddress}, uaLength={UaLength})",
+            logger.LogWarning(
-                challenge.Id, factor.Id, challenge.AccountId, challenge.FailedAttempts, factor.Type, HttpContext.Connection.RemoteIpAddress?.ToString(), (HttpContext.Request.Headers.UserAgent.ToString() ?? "").Length);
+                "DoChallenge: authentication failure (challengeId={ChallengeId}, factorId={FactorId}, accountId={AccountId}, failedAttempts={FailedAttempts}, factorType={FactorType}, ip={IpAddress}, uaLength={UaLength})",
+                challenge.Id, factor.Id, challenge.AccountId, challenge.FailedAttempts, factor.Type,
+                HttpContext.Connection.RemoteIpAddress?.ToString(),
+                HttpContext.Request.Headers.UserAgent.ToString().Length);
 
             return BadRequest("Invalid password.");
         }
@@ -242,11 +234,11 @@ public class AuthController(
             AccountService.SetCultureInfo(challenge.Account);
             await pusher.SendPushNotificationToUserAsync(new SendPushNotificationToUserRequest
             {
-                Notification = new PushNotification()
+                Notification = new PushNotification
                 {
                     Topic = "auth.login",
                     Title = localizer["NewLoginTitle"],
-                    Body = localizer["NewLoginBody", challenge.Client?.DeviceName ?? "unknown",
+                    Body = localizer["NewLoginBody", challenge.DeviceName ?? "unknown",
                         challenge.IpAddress ?? "unknown"],
                     IsSavable = true
                 },
@@ -277,6 +269,14 @@ public class AuthController(
         public string Token { get; set; } = string.Empty;
     }
 
+    public class NewSessionRequest
+    {
+        [Required] [MaxLength(512)] public string DeviceId { get; set; } = null!;
+        [MaxLength(1024)] public string? DeviceName { get; set; }
+        [Required] public Shared.Models.ClientPlatform Platform { get; set; }
+        public Instant? ExpiredAt { get; set; }
+    }
+
     [HttpPost("token")]
     public async Task<ActionResult<TokenExchangeResponse>> ExchangeToken([FromBody] TokenExchangeRequest request)
     {
@@ -327,4 +327,35 @@ public class AuthController(
         });
         return Ok();
     }
+
+    [HttpPost("login/session")]
+    [Microsoft.AspNetCore.Authorization.Authorize] // Use full namespace to avoid ambiguity with DysonNetwork.Pass.Permission.Authorize
+    public async Task<ActionResult<TokenExchangeResponse>> LoginFromSession([FromBody] NewSessionRequest request)
+    {
+        if (HttpContext.Items["CurrentUser"] is not SnAccount ||
+            HttpContext.Items["CurrentSession"] is not SnAuthSession currentSession)
+            return Unauthorized();
+
+        var newSession = await auth.CreateSessionFromParentAsync(
+            currentSession,
+            request.DeviceId,
+            request.DeviceName,
+            request.Platform,
+            request.ExpiredAt
+        );
+
+        var tk = auth.CreateToken(newSession);
+
+        // Set cookie using HttpContext, similar to CreateSessionAndIssueToken
+        HttpContext.Response.Cookies.Append(AuthConstants.CookieTokenName, tk, new CookieOptions
+        {
+            HttpOnly = true,
+            Secure = true,
+            SameSite = SameSiteMode.Lax,
+            Domain = _cookieDomain,
+            Expires = request.ExpiredAt?.ToDateTimeOffset() ?? DateTime.UtcNow.AddYears(20)
+        });
+
+        return Ok(new TokenExchangeResponse { Token = tk });
+    }
 }

DysonNetwork.Pass/Auth/AuthService.cs

@@ -2,6 +2,8 @@ using System.Security.Cryptography;
 using System.Text.Json;
 using System.Text.Json.Serialization;
 using DysonNetwork.Shared.Cache;
+using DysonNetwork.Shared.Data;
+using DysonNetwork.Shared.Geometry;
 using DysonNetwork.Shared.Models;
 using Microsoft.EntityFrameworkCore;
 using NodaTime;
@@ -13,7 +15,8 @@ public class AuthService(
     IConfiguration config,
     IHttpClientFactory httpClientFactory,
     IHttpContextAccessor httpContextAccessor,
-    ICacheService cache
+    ICacheService cache,
+    GeoService geo
 )
 {
     private HttpContext HttpContext => httpContextAccessor.HttpContext!;
@@ -30,7 +33,7 @@ public class AuthService(
     {
         // 1) Find out how many authentication factors the account has enabled.
         var enabledFactors = await db.AccountAuthFactors
-            .Where(f => f.AccountId == account.Id)
+            .Where(f => f.AccountId == account.Id && f.Type != AccountAuthFactorType.PinCode)
             .Where(f => f.EnabledAt != null)
             .ToListAsync();
         var maxSteps = enabledFactors.Count;
@@ -41,13 +44,18 @@ public class AuthService(
 
         // 2) Get login context from recent sessions
         var recentSessions = await db.AuthSessions
-            .Include(s => s.Challenge)
             .Where(s => s.AccountId == account.Id)
             .Where(s => s.LastGrantedAt != null)
             .OrderByDescending(s => s.LastGrantedAt)
             .Take(10)
             .ToListAsync();
 
+        var recentChallengeIds =
+            recentSessions
+                .Where(s => s.ChallengeId != null)
+                .Select(s => s.ChallengeId!.Value).ToList();
+        var recentChallenges = await db.AuthChallenges.Where(c => recentChallengeIds.Contains(c.Id)).ToListAsync();
+
         var ipAddress = request.HttpContext.Connection.RemoteIpAddress?.ToString();
         var userAgent = request.Headers.UserAgent.ToString();
 
@@ -59,14 +67,14 @@ public class AuthService(
         else
         {
             // Check if IP has been used before
-            var ipPreviouslyUsed = recentSessions.Any(s => s.Challenge?.IpAddress == ipAddress);
+            var ipPreviouslyUsed = recentChallenges.Any(c => c.IpAddress == ipAddress);
             if (!ipPreviouslyUsed)
             {
                 riskScore += 8;
             }
 
             // Check geographical distance for last known location
-            var lastKnownIp = recentSessions.FirstOrDefault(s => !string.IsNullOrWhiteSpace(s.Challenge?.IpAddress))?.Challenge?.IpAddress;
+            var lastKnownIp = recentChallenges.FirstOrDefault(c => !string.IsNullOrWhiteSpace(c.IpAddress))?.IpAddress;
             if (!string.IsNullOrWhiteSpace(lastKnownIp) && lastKnownIp != ipAddress)
             {
                 riskScore += 6;
@@ -80,9 +88,9 @@ public class AuthService(
         }
         else
         {
-            var uaPreviouslyUsed = recentSessions.Any(s =>
+            var uaPreviouslyUsed = recentChallenges.Any(c =>
-                !string.IsNullOrWhiteSpace(s.Challenge?.UserAgent) &&
+                !string.IsNullOrWhiteSpace(c.UserAgent) &&
-                string.Equals(s.Challenge.UserAgent, userAgent, StringComparison.OrdinalIgnoreCase));
+                string.Equals(c.UserAgent, userAgent, StringComparison.OrdinalIgnoreCase));
 
             if (!uaPreviouslyUsed)
             {
@@ -156,7 +164,7 @@ public class AuthService(
         // 8) Device Trust Assessment
         var trustedDeviceIds = recentSessions
             .Where(s => s.CreatedAt > now.Minus(Duration.FromDays(30))) // Trust devices from last 30 days
-            .Select(s => s.Challenge?.ClientId)
+            .Select(s => s.ClientId)
             .Where(id => id.HasValue)
             .Distinct()
             .ToList();
@@ -180,29 +188,28 @@ public class AuthService(
         return totalRequiredSteps;
     }
 
-    public async Task<SnAuthSession> CreateSessionForOidcAsync(SnAccount account, Instant time,
+    public async Task<SnAuthSession> CreateSessionForOidcAsync(
-        Guid? customAppId = null)
+        SnAccount account,
+        Instant time,
+        Guid? customAppId = null,
+        SnAuthSession? parentSession = null
+    )
     {
-        var challenge = new SnAuthChallenge
+        var ipAddr = HttpContext.Connection.RemoteIpAddress?.ToString();
-        {
+        var geoLocation = ipAddr is not null ? geo.GetPointFromIp(ipAddr) : null;
-            AccountId = account.Id,
-            IpAddress = HttpContext.Connection.RemoteIpAddress?.ToString(),
-            UserAgent = HttpContext.Request.Headers.UserAgent,
-            StepRemain = 1,
-            StepTotal = 1,
-            Type = customAppId is not null ? ChallengeType.OAuth : ChallengeType.Oidc
-        };
-
         var session = new SnAuthSession
         {
             AccountId = account.Id,
             CreatedAt = time,
             LastGrantedAt = time,
-            Challenge = challenge,
+            IpAddress = ipAddr,
-            AppId = customAppId
+            UserAgent = HttpContext.Request.Headers.UserAgent,
+            Location = geoLocation,
+            AppId = customAppId,
+            ParentSessionId = parentSession?.Id,
+            Type = customAppId is not null ? SessionType.OAuth : SessionType.Oidc,
         };
 
-        db.AuthChallenges.Add(challenge);
         db.AuthSessions.Add(session);
         await db.SaveChangesAsync();
 
@@ -216,7 +223,8 @@ public class AuthService(
         ClientPlatform platform = ClientPlatform.Unidentified
     )
     {
-        var device = await db.AuthClients.FirstOrDefaultAsync(d => d.DeviceId == deviceId && d.AccountId == accountId);
+        var device = await db.AuthClients
+            .FirstOrDefaultAsync(d => d.DeviceId == deviceId && d.AccountId == accountId);
         if (device is not null) return device;
         device = new SnAuthClient
         {
@@ -287,35 +295,71 @@ public class AuthService(
 
     /// <summary>
     /// Immediately revoke a session by setting expiry to now and clearing from cache
-    /// This provides immediate invalidation of tokens and sessions
+    /// This provides immediate invalidation of tokens and sessions, including all child sessions recursively.
     /// </summary>
     /// <param name="sessionId">Session ID to revoke</param>
     /// <returns>True if session was found and revoked, false otherwise</returns>
     public async Task<bool> RevokeSessionAsync(Guid sessionId)
     {
-        var session = await db.AuthSessions.FirstOrDefaultAsync(s => s.Id == sessionId);
+        var sessionsToRevokeIds = new HashSet<Guid>();
-        if (session == null)
+        await CollectSessionsToRevoke(sessionId, sessionsToRevokeIds);
+
+        if (sessionsToRevokeIds.Count == 0)
         {
             return false;
         }
 
-        // Set expiry to now (immediate invalidation)
         var now = SystemClock.Instance.GetCurrentInstant();
-        session.ExpiredAt = now;
+        var accountIdsToClearCache = new HashSet<Guid>();
-        db.AuthSessions.Update(session);
 
-        // Clear from cache immediately
+        // Fetch all sessions to be revoked in one go
-        var cacheKey = $"{AuthCachePrefix}{session.Id}";
+        var sessions = await db.AuthSessions
-        await cache.RemoveAsync(cacheKey);
+            .Where(s => sessionsToRevokeIds.Contains(s.Id))
+            .ToListAsync();
 
-        // Clear account-level cache groups that include this session
+        foreach (var session in sessions)
-        await cache.RemoveAsync($"{AuthCachePrefix}{session.AccountId}");
+        {
+            session.ExpiredAt = now;
+            accountIdsToClearCache.Add(session.AccountId);
 
+            // Clear from cache immediately for each session
+            await cache.RemoveAsync($"{AuthCachePrefix}{session.Id}");
+        }
+
+        db.AuthSessions.UpdateRange(sessions);
         await db.SaveChangesAsync();
 
+        // Clear account-level cache groups
+        foreach (var accountId in accountIdsToClearCache)
+        {
+            await cache.RemoveAsync($"{AuthCachePrefix}{accountId}");
+        }
+
         return true;
     }
 
+    /// <summary>
+    /// Recursively collects all session IDs that need to be revoked, starting from a given session.
+    /// </summary>
+    /// <param name="currentSessionId">The session ID to start collecting from.</param>
+    /// <param name="sessionsToRevoke">A HashSet to store the IDs of all sessions to be revoked.</param>
+    private async Task CollectSessionsToRevoke(Guid currentSessionId, HashSet<Guid> sessionsToRevoke)
+    {
+        if (!sessionsToRevoke.Add(currentSessionId))
+            return; // Already processed this session
+
+        // Find direct children
+        var childSessions = await db.AuthSessions
+            .Where(s => s.ParentSessionId == currentSessionId)
+            .Select(s => s.Id)
+            .ToListAsync();
+
+        foreach (var childId in childSessions)
+        {
+            await CollectSessionsToRevoke(childId, sessionsToRevoke);
+        }
+    }
+
     /// <summary>
     /// Revoke all sessions for an account (logout everywhere)
     /// </summary>
@@ -374,10 +418,12 @@ public class AuthService(
         if (challenge.StepRemain != 0)
             throw new ArgumentException("Challenge not yet completed.");
 
-        var hasSession = await db.AuthSessions
+        var device = await GetOrCreateDeviceAsync(
-            .AnyAsync(e => e.ChallengeId == challenge.Id);
+            challenge.AccountId,
-        if (hasSession)
+            challenge.DeviceId,
-            throw new ArgumentException("Session already exists for this challenge.");
+            challenge.DeviceName,
+            challenge.Platform
+        );
 
         var now = SystemClock.Instance.GetCurrentInstant();
         var session = new SnAuthSession
@@ -385,7 +431,13 @@ public class AuthService(
             LastGrantedAt = now,
             ExpiredAt = now.Plus(Duration.FromDays(7)),
             AccountId = challenge.AccountId,
-            ChallengeId = challenge.Id
+            IpAddress = challenge.IpAddress,
+            UserAgent = challenge.UserAgent,
+            Location = challenge.Location,
+            Scopes = challenge.Scopes,
+            Audiences = challenge.Audiences,
+            ChallengeId = challenge.Id,
+            ClientId = device.Id,
         };
 
         db.AuthSessions.Add(session);
@@ -408,7 +460,7 @@ public class AuthService(
         return tk;
     }
 
-    private string CreateCompactToken(Guid sessionId, RSA rsa)
+    private static string CreateCompactToken(Guid sessionId, RSA rsa)
     {
         // Create the payload: just the session ID
         var payloadBytes = sessionId.ToByteArray();
@@ -499,7 +551,8 @@ public class AuthService(
         return key;
     }
 
-    public async Task<SnApiKey> CreateApiKey(Guid accountId, string label, Instant? expiredAt = null)
+    public async Task<SnApiKey> CreateApiKey(Guid accountId, string label, Instant? expiredAt = null,
+        SnAuthSession? parentSession = null)
     {
         var key = new SnApiKey
         {
@@ -508,7 +561,8 @@ public class AuthService(
             Session = new SnAuthSession
             {
                 AccountId = accountId,
-                ExpiredAt = expiredAt
+                ExpiredAt = expiredAt,
+                ParentSessionId = parentSession?.Id
             },
         };
 
@@ -614,4 +668,47 @@ public class AuthService(
 
         return Convert.FromBase64String(padded);
     }
+
+    /// <summary>
+    /// Creates a new session derived from an existing parent session.
+    /// </summary>
+    /// <param name="parentSession">The existing session from which the new session is derived.</param>
+    /// <param name="deviceId">The ID of the device for the new session.</param>
+    /// <param name="deviceName">The name of the device for the new session.</param>
+    /// <param name="platform">The platform of the device for the new session.</param>
+    /// <param name="expiredAt">Optional: The expiration time for the new session.</param>
+    /// <returns>The newly created SnAuthSession.</returns>
+    public async Task<SnAuthSession> CreateSessionFromParentAsync(
+        SnAuthSession parentSession,
+        string deviceId,
+        string? deviceName,
+        ClientPlatform platform,
+        Instant? expiredAt = null
+    )
+    {
+        var device = await GetOrCreateDeviceAsync(parentSession.AccountId, deviceId, deviceName, platform);
+
+        var ipAddress = HttpContext.Connection.RemoteIpAddress?.ToString();
+        var userAgent = HttpContext.Request.Headers.UserAgent.ToString();
+        var geoLocation = ipAddress is not null ? geo.GetPointFromIp(ipAddress) : null;
+
+        var now = SystemClock.Instance.GetCurrentInstant();
+        var session = new SnAuthSession
+        {
+            IpAddress = ipAddress,
+            UserAgent = userAgent,
+            Location = geoLocation,
+            AccountId = parentSession.AccountId,
+            CreatedAt = now,
+            LastGrantedAt = now,
+            ExpiredAt = expiredAt,
+            ParentSessionId = parentSession.Id,
+            ClientId = device.Id,
+        };
+
+        db.AuthSessions.Add(session);
+        await db.SaveChangesAsync();
+
+        return session;
+    }
 }

DysonNetwork.Pass/Auth/OidcProvider/Controllers/OidcProviderController.cs

@@ -306,7 +306,7 @@ public class OidcProviderController(
             HttpContext.Items["CurrentSession"] is not SnAuthSession currentSession) return Unauthorized();
 
         // Get requested scopes from the token
-        var scopes = currentSession.Challenge?.Scopes ?? [];
+        var scopes = currentSession.Scopes;
 
         var userInfo = new Dictionary<string, object>
         {

DysonNetwork.Pass/Auth/OidcProvider/Models/AuthorizationCodeInfo.cs

@@ -5,7 +5,8 @@ namespace DysonNetwork.Pass.Auth.OidcProvider.Models;
 public class AuthorizationCodeInfo
 {
     public Guid ClientId { get; set; }
-    public Guid AccountId { get; set; }
+    public Guid? AccountId { get; set; }
+    public ExternalUserInfo? ExternalUserInfo { get; set; }
     public string RedirectUri { get; set; } = string.Empty;
     public List<string> Scopes { get; set; } = new();
     public string? CodeChallenge { get; set; }

DysonNetwork.Pass/Auth/OidcProvider/Models/ExternalUserInfo.cs

@@ -0,0 +1,9 @@
+namespace DysonNetwork.Pass.Auth.OidcProvider.Models;
+
+public class ExternalUserInfo
+{
+    public string Provider { get; set; } = null!;
+    public string UserId { get; set; } = null!;
+    public string? Email { get; set; }
+    public string? Name { get; set; }
+}

DysonNetwork.Pass/Auth/OidcProvider/Responses/TokenResponse.cs

@@ -5,7 +5,7 @@ namespace DysonNetwork.Pass.Auth.OidcProvider.Responses;
 public class TokenResponse
 {
     [JsonPropertyName("access_token")]
-    public string AccessToken { get; set; } = null!;
+    public string? AccessToken { get; set; } = null!;
 
     [JsonPropertyName("expires_in")]
     public int ExpiresIn { get; set; }
@@ -22,4 +22,7 @@ public class TokenResponse
 
     [JsonPropertyName("id_token")]
     public string? IdToken { get; set; }
+    
+    [JsonPropertyName("onboarding_token")]
+    public string? OnboardingToken { get; set; }
 }

DysonNetwork.Pass/Auth/OidcProvider/Services/OidcProviderService.cs

@@ -72,7 +72,6 @@ public class OidcProviderService(
         var now = SystemClock.Instance.GetCurrentInstant();
 
         var queryable = db.AuthSessions
-            .Include(s => s.Challenge)
             .AsQueryable();
         if (withAccount)
             queryable = queryable
@@ -85,8 +84,7 @@ public class OidcProviderService(
             .Where(s => s.AccountId == accountId &&
                         s.AppId == clientId &&
                         (s.ExpiredAt == null || s.ExpiredAt > now) &&
-                        s.Challenge != null &&
+                        s.Type == Shared.Models.SessionType.OAuth)
-                        s.Challenge.Type == Shared.Models.ChallengeType.OAuth)
             .OrderByDescending(s => s.CreatedAt)
             .FirstOrDefaultAsync();
     }
@@ -257,18 +255,15 @@ public class OidcProviderService(
     }
 
     private async Task<(SnAuthSession session, string? nonce, List<string>? scopes)> HandleAuthorizationCodeFlowAsync(
-        string authorizationCode,
+        AuthorizationCodeInfo authCode,
-        Guid clientId,
+        Guid clientId
-        string? redirectUri,
-        string? codeVerifier
     )
     {
-        var authCode = await ValidateAuthorizationCodeAsync(authorizationCode, clientId, redirectUri, codeVerifier);
+        if (authCode.AccountId == null)
-        if (authCode == null)
+            throw new InvalidOperationException("Invalid authorization code, account id is missing.");
-            throw new InvalidOperationException("Invalid authorization code");
 
         // Load the session for the user
-        var existingSession = await FindValidSessionAsync(authCode.AccountId, clientId, withAccount: true);
+        var existingSession = await FindValidSessionAsync(authCode.AccountId.Value, clientId, withAccount: true);
 
         SnAuthSession session;
         if (existingSession == null)
@@ -315,31 +310,124 @@ public class OidcProviderService(
 
         var client = await FindClientByIdAsync(clientId) ?? throw new InvalidOperationException("Client not found");
 
-        var (session, nonce, scopes) = authorizationCode != null
+        if (authorizationCode != null)
-            ? await HandleAuthorizationCodeFlowAsync(authorizationCode, clientId, redirectUri, codeVerifier)
+        {
-            : sessionId.HasValue
+            var authCode = await ValidateAuthorizationCodeAsync(authorizationCode, clientId, redirectUri, codeVerifier);
-                ? await HandleRefreshTokenFlowAsync(sessionId.Value)
+            if (authCode == null)
-                : throw new InvalidOperationException("Either authorization code or session ID must be provided");
+            {
+                throw new InvalidOperationException("Invalid authorization code");
+            }
 
+            if (authCode.AccountId.HasValue)
+            {
+                var (session, nonce, scopes) = await HandleAuthorizationCodeFlowAsync(authCode, clientId);
+                var clock = SystemClock.Instance;
+                var now = clock.GetCurrentInstant();
+                var expiresIn = (int)_options.AccessTokenLifetime.TotalSeconds;
+                var expiresAt = now.Plus(Duration.FromSeconds(expiresIn));
+
+                // Generate tokens
+                var accessToken = GenerateJwtToken(client, session, expiresAt, scopes);
+                var idToken = GenerateIdToken(client, session, nonce, scopes);
+                var refreshToken = GenerateRefreshToken(session);
+
+                return new TokenResponse
+                {
+                    AccessToken = accessToken,
+                    IdToken = idToken,
+                    ExpiresIn = expiresIn,
+                    TokenType = "Bearer",
+                    RefreshToken = refreshToken,
+                    Scope = scopes != null ? string.Join(" ", scopes) : null
+                };
+            }
+
+            if (authCode.ExternalUserInfo != null)
+            {
+                var onboardingToken = GenerateOnboardingToken(client, authCode.ExternalUserInfo, authCode.Nonce, authCode.Scopes);
+                return new TokenResponse
+                {
+                    OnboardingToken = onboardingToken,
+                    TokenType = "Onboarding"
+                };
+            }
+
+            throw new InvalidOperationException("Invalid authorization code state.");
+        }
+
+        if (sessionId.HasValue)
+        {
+            var (session, nonce, scopes) = await HandleRefreshTokenFlowAsync(sessionId.Value);
+            var clock = SystemClock.Instance;
+            var now = clock.GetCurrentInstant();
+            var expiresIn = (int)_options.AccessTokenLifetime.TotalSeconds;
+            var expiresAt = now.Plus(Duration.FromSeconds(expiresIn));
+            var accessToken = GenerateJwtToken(client, session, expiresAt, scopes);
+            var idToken = GenerateIdToken(client, session, nonce, scopes);
+            var refreshToken = GenerateRefreshToken(session);
+            return new TokenResponse
+            {
+                AccessToken = accessToken,
+                IdToken = idToken,
+                ExpiresIn = expiresIn,
+                TokenType = "Bearer",
+                RefreshToken = refreshToken,
+                Scope = scopes != null ? string.Join(" ", scopes) : null
+            };
+        }
+
+        throw new InvalidOperationException("Either authorization code or session ID must be provided");
+    }
+
+    private string GenerateOnboardingToken(CustomApp client, ExternalUserInfo externalUserInfo, string? nonce,
+        List<string> scopes)
+    {
+        var tokenHandler = new JwtSecurityTokenHandler();
         var clock = SystemClock.Instance;
         var now = clock.GetCurrentInstant();
-        var expiresIn = (int)_options.AccessTokenLifetime.TotalSeconds;
-        var expiresAt = now.Plus(Duration.FromSeconds(expiresIn));
 
-        // Generate tokens
+        var claims = new List<Claim>
-        var accessToken = GenerateJwtToken(client, session, expiresAt, scopes);
-        var idToken = GenerateIdToken(client, session, nonce, scopes);
-        var refreshToken = GenerateRefreshToken(session);
-
-        return new TokenResponse
         {
-            AccessToken = accessToken,
+            new(JwtRegisteredClaimNames.Iss, _options.IssuerUri),
-            IdToken = idToken,
+            new(JwtRegisteredClaimNames.Aud, client.Slug),
-            ExpiresIn = expiresIn,
+            new(JwtRegisteredClaimNames.Iat, now.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64),
-            TokenType = "Bearer",
+            new(JwtRegisteredClaimNames.Exp,
-            RefreshToken = refreshToken,
+                now.Plus(Duration.FromMinutes(15)).ToUnixTimeSeconds()
-            Scope = scopes != null ? string.Join(" ", scopes) : null
+                    .ToString(), ClaimValueTypes.Integer64),
+            new("provider", externalUserInfo.Provider),
+            new("provider_user_id", externalUserInfo.UserId)
         };
+
+        if (!string.IsNullOrEmpty(externalUserInfo.Email))
+        {
+            claims.Add(new Claim(JwtRegisteredClaimNames.Email, externalUserInfo.Email));
+        }
+
+        if (!string.IsNullOrEmpty(externalUserInfo.Name))
+        {
+            claims.Add(new Claim("name", externalUserInfo.Name));
+        }
+
+        if (!string.IsNullOrEmpty(nonce))
+        {
+            claims.Add(new Claim("nonce", nonce));
+        }
+
+        var tokenDescriptor = new SecurityTokenDescriptor
+        {
+            Subject = new ClaimsIdentity(claims),
+            Issuer = _options.IssuerUri,
+            Audience = client.Slug,
+            Expires = now.Plus(Duration.FromMinutes(15)).ToDateTimeUtc(),
+            NotBefore = now.ToDateTimeUtc(),
+            SigningCredentials = new SigningCredentials(
+                new RsaSecurityKey(_options.GetRsaPrivateKey()),
+                SecurityAlgorithms.RsaSha256
+            )
+        };
+
+        var token = tokenHandler.CreateToken(tokenDescriptor);
+        return tokenHandler.WriteToken(token);
     }
 
     private string GenerateJwtToken(
@@ -421,7 +509,6 @@ public class OidcProviderService(
     {
         return await db.AuthSessions
             .Include(s => s.Account)
-            .Include(s => s.Challenge)
             .FirstOrDefaultAsync(s => s.Id == sessionId);
     }
 
@@ -440,12 +527,6 @@ public class OidcProviderService(
         string? nonce = null
     )
     {
-        // Generate a random code
-        var clock = SystemClock.Instance;
-        var code = GenerateRandomString(32);
-        var now = clock.GetCurrentInstant();
-
-        // Create the authorization code info
         var authCodeInfo = new AuthorizationCodeInfo
         {
             ClientId = clientId,
@@ -455,17 +536,47 @@ public class OidcProviderService(
             CodeChallenge = codeChallenge,
             CodeChallengeMethod = codeChallengeMethod,
             Nonce = nonce,
-            CreatedAt = now
+            CreatedAt = SystemClock.Instance.GetCurrentInstant()
         };
 
-        // Store the code with its metadata in the cache
+        return await StoreAuthorizationCode(authCodeInfo);
+    }
+
+    public async Task<string> GenerateAuthorizationCodeAsync(
+        Guid clientId,
+        ExternalUserInfo externalUserInfo,
+        string redirectUri,
+        IEnumerable<string> scopes,
+        string? codeChallenge = null,
+        string? codeChallengeMethod = null,
+        string? nonce = null
+    )
+    {
+        var authCodeInfo = new AuthorizationCodeInfo
+        {
+            ClientId = clientId,
+            ExternalUserInfo = externalUserInfo,
+            RedirectUri = redirectUri,
+            Scopes = scopes.ToList(),
+            CodeChallenge = codeChallenge,
+            CodeChallengeMethod = codeChallengeMethod,
+            Nonce = nonce,
+            CreatedAt = SystemClock.Instance.GetCurrentInstant()
+        };
+
+        return await StoreAuthorizationCode(authCodeInfo);
+    }
+
+    private async Task<string> StoreAuthorizationCode(AuthorizationCodeInfo authCodeInfo)
+    {
+        var code = GenerateRandomString(32);
         var cacheKey = $"{CacheKeyPrefixAuthCode}{code}";
         await cache.SetAsync(cacheKey, authCodeInfo, _options.AuthorizationCodeLifetime);
-
+        logger.LogInformation("Generated authorization code for client {ClientId}", authCodeInfo.ClientId);
-        logger.LogInformation("Generated authorization code for client {ClientId} and user {UserId}", clientId, userId);
         return code;
     }
 
+
     private async Task<AuthorizationCodeInfo?> ValidateAuthorizationCodeAsync(
         string code,
         Guid clientId,

DysonNetwork.Pass/Auth/OpenId/ConnectionController.cs

@@ -3,6 +3,7 @@ using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
 using DysonNetwork.Shared.Cache;
+using Microsoft.AspNetCore.WebUtilities;
 using NodaTime;
 using DysonNetwork.Shared.Models;
 
@@ -17,7 +18,8 @@ public class ConnectionController(
     AccountService accounts,
     AuthService auth,
     ICacheService cache,
-    IConfiguration configuration
+    IConfiguration configuration,
+    ILogger<ConnectionController> logger
 ) : ControllerBase
 {
     private const string StateCachePrefix = "oidc-state:";
@@ -152,9 +154,14 @@ public class ConnectionController(
         {
             var stateValue = await cache.GetAsync<string>(stateKey);
             if (string.IsNullOrEmpty(stateValue) || !OidcState.TryParse(stateValue, out oidcState) || oidcState == null)
+            {
+                logger.LogWarning("Invalid or expired OIDC state: {State}", callbackData.State);
                 return BadRequest("Invalid or expired state parameter");
+            }
         }
         
+        logger.LogInformation("OIDC callback for provider {Provider} with state {State} and flow {FlowType}", provider, callbackData.State, oidcState.FlowType);
+
         // Remove the state from cache to prevent replay attacks
         await cache.RemoveAsync(stateKey);
 
@@ -166,19 +173,24 @@ public class ConnectionController(
             {
                 callbackData.State = oidcState.DeviceId;
             }
+            
             return await HandleManualConnection(provider, oidcService, callbackData, oidcState.AccountId.Value);
         }
-        else if (oidcState.FlowType == OidcFlowType.Login)
+
+        if (oidcState.FlowType == OidcFlowType.Login)
         {
             // Login/Registration flow
             if (!string.IsNullOrEmpty(oidcState.DeviceId))
-            {
                 callbackData.State = oidcState.DeviceId;
-            }
 
             // Store return URL if provided
             if (string.IsNullOrEmpty(oidcState.ReturnUrl) || oidcState.ReturnUrl == "/")
+            {
+                logger.LogInformation("No returnUrl provided in OIDC state, will use default.");
                 return await HandleLoginOrRegistration(provider, oidcService, callbackData);
+            }
+            
+            logger.LogInformation("Storing returnUrl {ReturnUrl} for state {State}", oidcState.ReturnUrl, callbackData.State);
             var returnUrlKey = $"{ReturnUrlCachePrefix}{callbackData.State}";
             await cache.SetAsync(returnUrlKey, oidcState.ReturnUrl, StateExpiration);
 
@@ -204,6 +216,7 @@ public class ConnectionController(
         }
         catch (Exception ex)
         {
+            logger.LogError(ex, "Error processing OIDC callback for provider {Provider} during connection flow", provider);
             return BadRequest($"Error processing {provider} authentication: {ex.Message}");
         }
 
@@ -268,8 +281,9 @@ public class ConnectionController(
         {
             await db.SaveChangesAsync();
         }
-        catch (DbUpdateException)
+        catch (DbUpdateException ex)
         {
+            logger.LogError(ex, "Failed to save OIDC connection for provider {Provider}", provider);
             return StatusCode(500, $"Failed to save {provider} connection. Please try again.");
         }
 
@@ -279,8 +293,10 @@ public class ConnectionController(
         await cache.RemoveAsync(returnUrlKey);
 
         var siteUrl = configuration["SiteUrl"];
+        var redirectUrl = string.IsNullOrEmpty(returnUrl) ? siteUrl + "/auth/callback" : returnUrl;
         
-        return Redirect(string.IsNullOrEmpty(returnUrl) ? siteUrl + "/auth/callback" : returnUrl);
+        logger.LogInformation("Redirecting after OIDC connection to {RedirectUrl}", redirectUrl);
+        return Redirect(redirectUrl);
     }
 
     private async Task<IActionResult> HandleLoginOrRegistration(
@@ -296,6 +312,7 @@ public class ConnectionController(
         }
         catch (Exception ex)
         {
+            logger.LogError(ex, "Error processing OIDC callback for provider {Provider} during login/registration flow", provider);
             return BadRequest($"Error processing callback: {ex.Message}");
         }
 
@@ -304,11 +321,20 @@ public class ConnectionController(
             return BadRequest($"Email or user ID is missing from {provider}'s response");
         }
         
+        // Retrieve and clean up the return URL
+        var returnUrlKey = $"{ReturnUrlCachePrefix}{callbackData.State}";
+        var returnUrl = await cache.GetAsync<string>(returnUrlKey);
+        await cache.RemoveAsync(returnUrlKey);
+
+        var siteUrl = configuration["SiteUrl"];
+        var redirectBaseUrl = string.IsNullOrEmpty(returnUrl) ? siteUrl + "/auth/callback" : returnUrl;
+
         var connection = await db.AccountConnections
             .Include(c => c.Account)
             .FirstOrDefaultAsync(c => c.Provider == provider && c.ProvidedIdentifier == userInfo.UserId);
 
         var clock = SystemClock.Instance;
+        
         if (connection != null)
         {
             // Login existing user
@@ -316,12 +342,21 @@ public class ConnectionController(
                 callbackData.State.Split('|').FirstOrDefault() :
                 string.Empty;
 
-            var challenge = await oidcService.CreateChallengeForUserAsync(
+            if (HttpContext.Items["CurrentSession"] is not SnAuthSession parentSession) parentSession = null;
+            
+            var session = await oidcService.CreateSessionForUserAsync(
                 userInfo,
                 connection.Account,
                 HttpContext,
-                deviceId ?? string.Empty);
+                deviceId ?? string.Empty,
-            return Redirect($"/auth/callback?challenge={challenge.Id}");
+                null,
+                ClientPlatform.Web,
+                parentSession);
+            
+            var token = auth.CreateToken(session);
+            var redirectUrl = QueryHelpers.AddQueryString(redirectBaseUrl, "token", token);
+            logger.LogInformation("OIDC login successful for user {UserId}. Redirecting to {RedirectUrl}", connection.AccountId, redirectUrl);
+            return Redirect(redirectUrl);
         }
 
         // Register new user
@@ -345,9 +380,9 @@ public class ConnectionController(
         var loginSession = await auth.CreateSessionForOidcAsync(account, clock.GetCurrentInstant());
         var loginToken = auth.CreateToken(loginSession);
 
-        var siteUrl = configuration["SiteUrl"];
+        var finalRedirectUrl = QueryHelpers.AddQueryString(redirectBaseUrl, "token", loginToken);
-
+        logger.LogInformation("OIDC registration successful for new user {UserId}. Redirecting to {RedirectUrl}", account.Id, finalRedirectUrl);
-        return Redirect(siteUrl + $"/auth/callback?token={loginToken}");
+        return Redirect(finalRedirectUrl);
     }
 
     private static async Task<OidcCallbackData> ExtractCallbackData(HttpRequest request)

DysonNetwork.Pass/Auth/OpenId/OidcController.cs

@@ -14,7 +14,9 @@ public class OidcController(
     IServiceProvider serviceProvider,
     AppDatabase db,
     AccountService accounts,
-    ICacheService cache
+    AuthService auth,
+    ICacheService cache,
+    ILogger<OidcController> logger
 )
     : ControllerBase
 {
@@ -25,15 +27,17 @@ public class OidcController(
     public async Task<ActionResult> OidcLogin(
         [FromRoute] string provider,
         [FromQuery] string? returnUrl = "/",
-        [FromHeader(Name = "X-Device-Id")] string? deviceId = null
+        [FromQuery] string? deviceId = null,
+        [FromQuery] string? flow = null
     )
     {
+        logger.LogInformation("OIDC login request for provider {Provider} with returnUrl {ReturnUrl}, deviceId {DeviceId} and flow {Flow}", provider, returnUrl, deviceId, flow);
         try
         {
             var oidcService = GetOidcService(provider);
 
             // If the user is already authenticated, treat as an account connection request
-            if (HttpContext.Items["CurrentUser"] is SnAccount currentUser)
+            if (flow != "login" && HttpContext.Items["CurrentUser"] is SnAccount currentUser)
             {
                 var state = Guid.NewGuid().ToString();
                 var nonce = Guid.NewGuid().ToString();
@@ -41,6 +45,7 @@ public class OidcController(
                 // Create and store connection state
                 var oidcState = OidcState.ForConnection(currentUser.Id, provider, nonce, deviceId);
                 await cache.SetAsync($"{StateCachePrefix}{state}", oidcState, StateExpiration);
+                logger.LogInformation("OIDC connection flow started for user {UserId} with state {State}", currentUser.Id, state);
 
                 // The state parameter sent to the provider is the GUID key for the cache.
                 var authUrl = await oidcService.GetAuthorizationUrlAsync(state, nonce);
@@ -54,12 +59,14 @@ public class OidcController(
                 // Create login state with return URL and device ID
                 var oidcState = OidcState.ForLogin(returnUrl ?? "/", deviceId);
                 await cache.SetAsync($"{StateCachePrefix}{state}", oidcState, StateExpiration);
+                logger.LogInformation("OIDC login flow started with state {State} and returnUrl {ReturnUrl}", state, oidcState.ReturnUrl);
                 var authUrl = await oidcService.GetAuthorizationUrlAsync(state, nonce);
                 return Redirect(authUrl);
             }
         }
         catch (Exception ex)
         {
+            logger.LogError(ex, "Error initiating OIDC flow for provider {Provider}", provider);
             return BadRequest($"Error initiating OpenID Connect flow: {ex.Message}");
         }
     }
@@ -69,7 +76,7 @@ public class OidcController(
     /// Handles Apple authentication directly from mobile apps
     /// </summary>
     [HttpPost("apple/mobile")]
-    public async Task<ActionResult<SnAuthChallenge>> AppleMobileLogin(
+    public async Task<ActionResult<AuthController.TokenExchangeResponse>> AppleMobileLogin(
         [FromBody] AppleMobileSignInRequest request
     )
     {
@@ -92,16 +99,21 @@ public class OidcController(
             // Find or create user account using existing logic
             var account = await FindOrCreateAccount(userInfo, "apple");
 
+            if (HttpContext.Items["CurrentSession"] is not SnAuthSession parentSession) parentSession = null;
+            
             // Create session using the OIDC service
-            var challenge = await appleService.CreateChallengeForUserAsync(
+            var session = await appleService.CreateSessionForUserAsync(
                 userInfo,
                 account,
                 HttpContext,
                 request.DeviceId,
-                request.DeviceName
+                request.DeviceName,
+                ClientPlatform.Ios,
+                parentSession
             );
             
-            return Ok(challenge);
+            var token = auth.CreateToken(session);
+            return Ok(new AuthController.TokenExchangeResponse { Token = token });
         }
         catch (SecurityTokenValidationException ex)
         {

DysonNetwork.Pass/Auth/OpenId/OidcService.cs

@@ -1,4 +1,3 @@
-using System;
 using System.IdentityModel.Tokens.Jwt;
 using System.Security.Cryptography;
 using System.Text;
@@ -250,15 +249,17 @@ public abstract class OidcService(
     }
 
     /// <summary>
-    /// Creates a challenge and session for an authenticated user
+    /// Creates a session for an authenticated user
     /// Also creates or updates the account connection
     /// </summary>
-    public async Task<SnAuthChallenge> CreateChallengeForUserAsync(
+    public async Task<SnAuthSession> CreateSessionForUserAsync(
         OidcUserInfo userInfo,
         SnAccount account,
         HttpContext request,
         string deviceId,
-        string? deviceName = null
+        string? deviceName = null,
+        ClientPlatform platform = ClientPlatform.Web,
+        SnAuthSession? parentSession = null
     )
     {
         // Create or update the account connection
@@ -282,28 +283,24 @@ public abstract class OidcService(
             await Db.AccountConnections.AddAsync(connection);
         }
 
-        // Create a challenge that's already completed
+        // Create a session directly
         var now = SystemClock.Instance.GetCurrentInstant();
-        var device = await auth.GetOrCreateDeviceAsync(account.Id, deviceId, deviceName, ClientPlatform.Ios);
+        var device = await auth.GetOrCreateDeviceAsync(account.Id, deviceId, deviceName, platform);
-        var challenge = new SnAuthChallenge
-        {
-            ExpiredAt = now.Plus(Duration.FromHours(1)),
-            StepTotal = await auth.DetectChallengeRisk(request.Request, account),
-            Type = ChallengeType.Oidc,
-            Audiences = [ProviderName],
-            Scopes = ["*"],
-            AccountId = account.Id,
-            ClientId = device.Id,
-            IpAddress = request.Connection.RemoteIpAddress?.ToString() ?? null,
-            UserAgent = request.Request.Headers.UserAgent,
-        };
-        challenge.StepRemain--;
-        if (challenge.StepRemain < 0) challenge.StepRemain = 0;
 
-        await Db.AuthChallenges.AddAsync(challenge);
+        var session = new SnAuthSession
+        {
+            AccountId = account.Id,
+            CreatedAt = now,
+            LastGrantedAt = now,
+            ParentSessionId = parentSession?.Id,
+            ClientId = device.Id,
+            ExpiredAt = now.Plus(Duration.FromDays(30))
+        };
+
+        await Db.AuthSessions.AddAsync(session);
         await Db.SaveChangesAsync();
 
-        return challenge;
+        return session;
     }
 }
 

DysonNetwork.Pass/Auth/TokenAuthService.cs

@@ -77,7 +77,7 @@ public class TokenAuthService(
                     "AuthenticateTokenAsync: success via cache (sessionId={SessionId}, accountId={AccountId}, scopes={ScopeCount}, expiresAt={ExpiresAt})",
                     sessionId,
                     session.AccountId,
-                    session.Challenge?.Scopes.Count,
+                    session.Scopes.Count,
                     session.ExpiredAt
                 );
                 return (true, session, null);
@@ -87,8 +87,7 @@ public class TokenAuthService(
 
             session = await db.AuthSessions
                 .AsNoTracking()
-                .Include(e => e.Challenge)
+                .Include(e => e.Client)
-                .ThenInclude(e => e.Client)
                 .Include(e => e.Account)
                 .ThenInclude(e => e.Profile)
                 .FirstOrDefaultAsync(s => s.Id == sessionId);
@@ -110,11 +109,11 @@ public class TokenAuthService(
                 "AuthenticateTokenAsync: DB session loaded (sessionId={SessionId}, accountId={AccountId}, clientId={ClientId}, appId={AppId}, scopes={ScopeCount}, ip={Ip}, uaLen={UaLen})",
                 sessionId,
                 session.AccountId,
-                session.Challenge?.ClientId,
+                session.ClientId,
                 session.AppId,
-                session.Challenge?.Scopes.Count,
+                session.Scopes.Count,
-                session.Challenge?.IpAddress,
+                session.IpAddress,
-                (session.Challenge?.UserAgent ?? string.Empty).Length
+                (session.UserAgent ?? string.Empty).Length
             );
 
             logger.LogDebug("AuthenticateTokenAsync: enriching account with subscription (accountId={AccountId})", session.AccountId);
@@ -143,7 +142,7 @@ public class TokenAuthService(
                 "AuthenticateTokenAsync: success via DB (sessionId={SessionId}, accountId={AccountId}, clientId={ClientId})",
                 sessionId,
                 session.AccountId,
-                session.Challenge?.ClientId
+                session.ClientId
             );
             return (true, session, null);
         }

DysonNetwork.Pass/DysonNetwork.Pass.csproj

@@ -132,4 +132,8 @@
       <AdditionalFiles Include="Resources\Emails\PasswordResetEmail.razor" />
       <AdditionalFiles Include="Resources\Emails\RegistrationConfirmEmail.razor" />
     </ItemGroup>
+
+    <ItemGroup>
+      <Folder Include="Migrations\" />
+    </ItemGroup>
 </Project>

DysonNetwork.Pass/Handlers/ActionLogFlushHandler.cs

@@ -6,16 +6,17 @@ using Quartz;
 
 namespace DysonNetwork.Pass.Handlers;
 
-public class ActionLogFlushHandler(IServiceProvider serviceProvider) : IFlushHandler<SnActionLog>
+public class ActionLogFlushHandler(IServiceProvider sp) : IFlushHandler<SnActionLog>
 {
     public async Task FlushAsync(IReadOnlyList<SnActionLog> items)
     {
-        using var scope = serviceProvider.CreateScope();
+        using var scope = sp.CreateScope();
         var db = scope.ServiceProvider.GetRequiredService<AppDatabase>();
 
+        var now = SystemClock.Instance.GetCurrentInstant();
         await db.BulkInsertAsync(items.Select(x =>
         {
-            x.CreatedAt = SystemClock.Instance.GetCurrentInstant();
+            x.CreatedAt = now;
             x.UpdatedAt = x.CreatedAt;
             return x;
         }), config => config.ConflictOption = ConflictOption.Ignore);

DysonNetwork.Pass/Leveling/ExperienceService.cs

@@ -1,5 +1,4 @@
 using DysonNetwork.Pass.Wallet;
-using DysonNetwork.Shared.Cache;
 using DysonNetwork.Shared.Models;
 using Microsoft.EntityFrameworkCore;
 
@@ -24,7 +23,7 @@ public class ExperienceService(AppDatabase db, SubscriptionService subscriptions
             {
                 SubscriptionType.Stellar => 1.5,
                 SubscriptionType.Nova => 2,
-                SubscriptionType.Supernova => 2,
+                SubscriptionType.Supernova => 2.5,
                 _ => 1
             };
             if (record.Delta >= 0)

DysonNetwork.Pass/Lotteries/LotteryController.cs

@@ -2,6 +2,7 @@ using System.ComponentModel.DataAnnotations;
 using DysonNetwork.Shared.Models;
 using DysonNetwork.Pass.Wallet;
 using DysonNetwork.Pass.Permission;
+using DysonNetwork.Shared.Auth;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
@@ -81,7 +82,7 @@ public class LotteryController(AppDatabase db, LotteryService lotteryService) :
 
     [HttpPost("draw")]
     [Authorize]
-    [RequiredPermission("maintenance", "lotteries.draw.perform")]
+    [AskPermission("lotteries.draw.perform")]
     public async Task<IActionResult> PerformLotteryDraw()
     {
         await lotteryService.DrawLotteries();

DysonNetwork.Pass/Migrations/20250715075623_ReinitalMigration.cs

@@ -1,40 +0,0 @@
-using Microsoft.EntityFrameworkCore.Migrations;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class ReinitalMigration : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropColumn(
-                name: "background_id",
-                table: "account_profiles");
-
-            migrationBuilder.DropColumn(
-                name: "picture_id",
-                table: "account_profiles");
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.AddColumn<string>(
-                name: "background_id",
-                table: "account_profiles",
-                type: "character varying(32)",
-                maxLength: 32,
-                nullable: true);
-
-            migrationBuilder.AddColumn<string>(
-                name: "picture_id",
-                table: "account_profiles",
-                type: "character varying(32)",
-                maxLength: 32,
-                nullable: true);
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20250720193202_RemoveNotification.cs

@@ -1,94 +0,0 @@
-using Microsoft.EntityFrameworkCore.Migrations;
-using NodaTime;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class RemoveNotification : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropTable(
-                name: "notification_push_subscriptions");
-
-            migrationBuilder.DropTable(
-                name: "notifications");
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.CreateTable(
-                name: "notification_push_subscriptions",
-                columns: table => new
-                {
-                    id = table.Column<Guid>(type: "uuid", nullable: false),
-                    account_id = table.Column<Guid>(type: "uuid", nullable: false),
-                    created_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    deleted_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    device_id = table.Column<string>(type: "character varying(4096)", maxLength: 4096, nullable: false),
-                    device_token = table.Column<string>(type: "character varying(4096)", maxLength: 4096, nullable: false),
-                    last_used_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    provider = table.Column<int>(type: "integer", nullable: false),
-                    updated_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("pk_notification_push_subscriptions", x => x.id);
-                    table.ForeignKey(
-                        name: "fk_notification_push_subscriptions_accounts_account_id",
-                        column: x => x.account_id,
-                        principalTable: "accounts",
-                        principalColumn: "id",
-                        onDelete: ReferentialAction.Cascade);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "notifications",
-                columns: table => new
-                {
-                    id = table.Column<Guid>(type: "uuid", nullable: false),
-                    account_id = table.Column<Guid>(type: "uuid", nullable: false),
-                    content = table.Column<string>(type: "character varying(4096)", maxLength: 4096, nullable: true),
-                    created_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    deleted_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    meta = table.Column<Dictionary<string, object>>(type: "jsonb", nullable: true),
-                    priority = table.Column<int>(type: "integer", nullable: false),
-                    subtitle = table.Column<string>(type: "character varying(2048)", maxLength: 2048, nullable: true),
-                    title = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: true),
-                    topic = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: false),
-                    updated_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    viewed_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("pk_notifications", x => x.id);
-                    table.ForeignKey(
-                        name: "fk_notifications_accounts_account_id",
-                        column: x => x.account_id,
-                        principalTable: "accounts",
-                        principalColumn: "id",
-                        onDelete: ReferentialAction.Cascade);
-                });
-
-            migrationBuilder.CreateIndex(
-                name: "ix_notification_push_subscriptions_account_id",
-                table: "notification_push_subscriptions",
-                column: "account_id");
-
-            migrationBuilder.CreateIndex(
-                name: "ix_notification_push_subscriptions_device_token_device_id_acco",
-                table: "notification_push_subscriptions",
-                columns: new[] { "device_token", "device_id", "account_id" },
-                unique: true);
-
-            migrationBuilder.CreateIndex(
-                name: "ix_notifications_account_id",
-                table: "notifications",
-                column: "account_id");
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20250731071524_AddCheckInBackdated.cs

@@ -1,29 +0,0 @@
-using Microsoft.EntityFrameworkCore.Migrations;
-using NodaTime;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class AddCheckInBackdated : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.AddColumn<Instant>(
-                name: "backdated_from",
-                table: "account_check_in_results",
-                type: "timestamp with time zone",
-                nullable: true);
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropColumn(
-                name: "backdated_from",
-                table: "account_check_in_results");
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20250807162919_RemoveDevelopers.cs

@@ -1,130 +0,0 @@
-using DysonNetwork.Shared.Models;
-using Microsoft.EntityFrameworkCore.Migrations;
-using NodaTime;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class RemoveDevelopers : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropForeignKey(
-                name: "fk_auth_sessions_custom_apps_app_id",
-                table: "auth_sessions");
-
-            migrationBuilder.DropTable(
-                name: "custom_app_secrets");
-
-            migrationBuilder.DropTable(
-                name: "custom_apps");
-
-            migrationBuilder.DropIndex(
-                name: "ix_auth_sessions_app_id",
-                table: "auth_sessions");
-
-            migrationBuilder.CreateTable(
-                name: "punishments",
-                columns: table => new
-                {
-                    id = table.Column<Guid>(type: "uuid", nullable: false),
-                    reason = table.Column<string>(type: "character varying(8192)", maxLength: 8192, nullable: false),
-                    expired_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    type = table.Column<int>(type: "integer", nullable: false),
-                    blocked_permissions = table.Column<List<string>>(type: "jsonb", nullable: true),
-                    account_id = table.Column<Guid>(type: "uuid", nullable: false),
-                    created_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    updated_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    deleted_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("pk_punishments", x => x.id);
-                    table.ForeignKey(
-                        name: "fk_punishments_accounts_account_id",
-                        column: x => x.account_id,
-                        principalTable: "accounts",
-                        principalColumn: "id",
-                        onDelete: ReferentialAction.Cascade);
-                });
-
-            migrationBuilder.CreateIndex(
-                name: "ix_punishments_account_id",
-                table: "punishments",
-                column: "account_id");
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropTable(
-                name: "punishments");
-
-            migrationBuilder.CreateTable(
-                name: "custom_apps",
-                columns: table => new
-                {
-                    id = table.Column<Guid>(type: "uuid", nullable: false),
-                    background = table.Column<SnCloudFileReferenceObject>(type: "jsonb", nullable: true),
-                    created_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    deleted_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    description = table.Column<string>(type: "character varying(4096)", maxLength: 4096, nullable: true),
-                    name = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: false),
-                    picture = table.Column<SnCloudFileReferenceObject>(type: "jsonb", nullable: true),
-                    slug = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: false),
-                    status = table.Column<int>(type: "integer", nullable: false),
-                    updated_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    verification = table.Column<SnVerificationMark>(type: "jsonb", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("pk_custom_apps", x => x.id);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "custom_app_secrets",
-                columns: table => new
-                {
-                    id = table.Column<Guid>(type: "uuid", nullable: false),
-                    app_id = table.Column<Guid>(type: "uuid", nullable: false),
-                    created_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    deleted_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    description = table.Column<string>(type: "character varying(4096)", maxLength: 4096, nullable: true),
-                    expired_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    is_oidc = table.Column<bool>(type: "boolean", nullable: false),
-                    secret = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: false),
-                    updated_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("pk_custom_app_secrets", x => x.id);
-                    table.ForeignKey(
-                        name: "fk_custom_app_secrets_custom_apps_app_id",
-                        column: x => x.app_id,
-                        principalTable: "custom_apps",
-                        principalColumn: "id",
-                        onDelete: ReferentialAction.Cascade);
-                });
-
-            migrationBuilder.CreateIndex(
-                name: "ix_auth_sessions_app_id",
-                table: "auth_sessions",
-                column: "app_id");
-
-            migrationBuilder.CreateIndex(
-                name: "ix_custom_app_secrets_app_id",
-                table: "custom_app_secrets",
-                column: "app_id");
-
-            migrationBuilder.AddForeignKey(
-                name: "fk_auth_sessions_custom_apps_app_id",
-                table: "auth_sessions",
-                column: "app_id",
-                principalTable: "custom_apps",
-                principalColumn: "id");
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20250808152643_AddProfileLinks.cs

@@ -1,28 +0,0 @@
-using Microsoft.EntityFrameworkCore.Migrations;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class AddProfileLinks : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.AddColumn<Dictionary<string, string>>(
-                name: "links",
-                table: "account_profiles",
-                type: "jsonb",
-                nullable: true);
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropColumn(
-                name: "links",
-                table: "account_profiles");
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20250813072436_AddAuthorizeDevice.cs

@@ -1,109 +0,0 @@
-using Microsoft.EntityFrameworkCore.Migrations;
-using NodaTime;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class AddAuthorizeDevice : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.AlterColumn<string>(
-                name: "device_id",
-                table: "auth_challenges",
-                type: "character varying(1024)",
-                maxLength: 1024,
-                nullable: true,
-                oldClrType: typeof(string),
-                oldType: "character varying(256)",
-                oldMaxLength: 256,
-                oldNullable: true);
-
-            migrationBuilder.AddColumn<Guid>(
-                name: "client_id",
-                table: "auth_challenges",
-                type: "uuid",
-                nullable: true);
-
-            migrationBuilder.CreateTable(
-                name: "auth_clients",
-                columns: table => new
-                {
-                    id = table.Column<Guid>(type: "uuid", nullable: false),
-                    device_name = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: false),
-                    device_label = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: true),
-                    device_id = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: false),
-                    account_id = table.Column<Guid>(type: "uuid", nullable: false),
-                    created_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    updated_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    deleted_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("pk_auth_clients", x => x.id);
-                    table.ForeignKey(
-                        name: "fk_auth_clients_accounts_account_id",
-                        column: x => x.account_id,
-                        principalTable: "accounts",
-                        principalColumn: "id",
-                        onDelete: ReferentialAction.Cascade);
-                });
-
-            migrationBuilder.CreateIndex(
-                name: "ix_auth_challenges_client_id",
-                table: "auth_challenges",
-                column: "client_id");
-
-            migrationBuilder.CreateIndex(
-                name: "ix_auth_clients_account_id",
-                table: "auth_clients",
-                column: "account_id");
-
-            migrationBuilder.CreateIndex(
-                name: "ix_auth_clients_device_id",
-                table: "auth_clients",
-                column: "device_id",
-                unique: true);
-
-            migrationBuilder.AddForeignKey(
-                name: "fk_auth_challenges_auth_clients_client_id",
-                table: "auth_challenges",
-                column: "client_id",
-                principalTable: "auth_clients",
-                principalColumn: "id");
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropForeignKey(
-                name: "fk_auth_challenges_auth_clients_client_id",
-                table: "auth_challenges");
-
-            migrationBuilder.DropTable(
-                name: "auth_clients");
-
-            migrationBuilder.DropIndex(
-                name: "ix_auth_challenges_client_id",
-                table: "auth_challenges");
-
-            migrationBuilder.DropColumn(
-                name: "client_id",
-                table: "auth_challenges");
-
-            migrationBuilder.AlterColumn<string>(
-                name: "device_id",
-                table: "auth_challenges",
-                type: "character varying(256)",
-                maxLength: 256,
-                nullable: true,
-                oldClrType: typeof(string),
-                oldType: "character varying(1024)",
-                oldMaxLength: 1024,
-                oldNullable: true);
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20250813121421_AddAuthDevicePlatform.cs

@@ -1,40 +0,0 @@
-using Microsoft.EntityFrameworkCore.Migrations;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class AddAuthDevicePlatform : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropColumn(
-                name: "platform",
-                table: "auth_challenges");
-
-            migrationBuilder.AddColumn<int>(
-                name: "platform",
-                table: "auth_clients",
-                type: "integer",
-                nullable: false,
-                defaultValue: 0);
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropColumn(
-                name: "platform",
-                table: "auth_clients");
-
-            migrationBuilder.AddColumn<int>(
-                name: "platform",
-                table: "auth_challenges",
-                type: "integer",
-                nullable: false,
-                defaultValue: 0);
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20250815041723_RemoveAuthClientIndex.cs

@@ -1,28 +0,0 @@
-using Microsoft.EntityFrameworkCore.Migrations;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class RemoveAuthClientIndex : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropIndex(
-                name: "ix_auth_clients_device_id",
-                table: "auth_clients");
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.CreateIndex(
-                name: "ix_auth_clients_device_id",
-                table: "auth_clients",
-                column: "device_id",
-                unique: true);
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20250818125540_RemoveChallengeOldDeviceId.cs

@@ -1,29 +0,0 @@
-using Microsoft.EntityFrameworkCore.Migrations;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class RemoveChallengeOldDeviceId : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropColumn(
-                name: "device_id",
-                table: "auth_challenges");
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.AddColumn<string>(
-                name: "device_id",
-                table: "auth_challenges",
-                type: "character varying(1024)",
-                maxLength: 1024,
-                nullable: true);
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20250820104425_AddApiKeys.cs

@@ -1,113 +0,0 @@
-using Microsoft.EntityFrameworkCore.Migrations;
-using NodaTime;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class AddApiKeys : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropForeignKey(
-                name: "fk_auth_sessions_auth_challenges_challenge_id",
-                table: "auth_sessions");
-
-            migrationBuilder.DropColumn(
-                name: "label",
-                table: "auth_sessions");
-
-            migrationBuilder.AlterColumn<Guid>(
-                name: "challenge_id",
-                table: "auth_sessions",
-                type: "uuid",
-                nullable: true,
-                oldClrType: typeof(Guid),
-                oldType: "uuid");
-
-            migrationBuilder.CreateTable(
-                name: "api_keys",
-                columns: table => new
-                {
-                    id = table.Column<Guid>(type: "uuid", nullable: false),
-                    label = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: false),
-                    account_id = table.Column<Guid>(type: "uuid", nullable: false),
-                    session_id = table.Column<Guid>(type: "uuid", nullable: false),
-                    created_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    updated_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    deleted_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("pk_api_keys", x => x.id);
-                    table.ForeignKey(
-                        name: "fk_api_keys_accounts_account_id",
-                        column: x => x.account_id,
-                        principalTable: "accounts",
-                        principalColumn: "id",
-                        onDelete: ReferentialAction.Cascade);
-                    table.ForeignKey(
-                        name: "fk_api_keys_auth_sessions_session_id",
-                        column: x => x.session_id,
-                        principalTable: "auth_sessions",
-                        principalColumn: "id",
-                        onDelete: ReferentialAction.Cascade);
-                });
-
-            migrationBuilder.CreateIndex(
-                name: "ix_api_keys_account_id",
-                table: "api_keys",
-                column: "account_id");
-
-            migrationBuilder.CreateIndex(
-                name: "ix_api_keys_session_id",
-                table: "api_keys",
-                column: "session_id");
-
-            migrationBuilder.AddForeignKey(
-                name: "fk_auth_sessions_auth_challenges_challenge_id",
-                table: "auth_sessions",
-                column: "challenge_id",
-                principalTable: "auth_challenges",
-                principalColumn: "id");
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropForeignKey(
-                name: "fk_auth_sessions_auth_challenges_challenge_id",
-                table: "auth_sessions");
-
-            migrationBuilder.DropTable(
-                name: "api_keys");
-
-            migrationBuilder.AlterColumn<Guid>(
-                name: "challenge_id",
-                table: "auth_sessions",
-                type: "uuid",
-                nullable: false,
-                defaultValue: new Guid("00000000-0000-0000-0000-000000000000"),
-                oldClrType: typeof(Guid),
-                oldType: "uuid",
-                oldNullable: true);
-
-            migrationBuilder.AddColumn<string>(
-                name: "label",
-                table: "auth_sessions",
-                type: "character varying(1024)",
-                maxLength: 1024,
-                nullable: true);
-
-            migrationBuilder.AddForeignKey(
-                name: "fk_auth_sessions_auth_challenges_challenge_id",
-                table: "auth_sessions",
-                column: "challenge_id",
-                principalTable: "auth_challenges",
-                principalColumn: "id",
-                onDelete: ReferentialAction.Cascade);
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20250821093930_AddLevelingBonusMultiplier.cs

@@ -1,29 +0,0 @@
-using Microsoft.EntityFrameworkCore.Migrations;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class AddLevelingBonusMultiplier : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.AddColumn<double>(
-                name: "bonus_multiplier",
-                table: "experience_records",
-                type: "double precision",
-                nullable: false,
-                defaultValue: 0.0);
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropColumn(
-                name: "bonus_multiplier",
-                table: "experience_records");
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20250822142926_CacheSocialCreditsInProfile.cs

@@ -1,29 +0,0 @@
-using Microsoft.EntityFrameworkCore.Migrations;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class CacheSocialCreditsInProfile : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.AddColumn<double>(
-                name: "social_credits",
-                table: "account_profiles",
-                type: "double precision",
-                nullable: false,
-                defaultValue: 0.0);
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropColumn(
-                name: "social_credits",
-                table: "account_profiles");
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20250904144723_AddOrderProductIdentifier.cs

@@ -1,29 +0,0 @@
-using Microsoft.EntityFrameworkCore.Migrations;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class AddOrderProductIdentifier : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.AddColumn<string>(
-                name: "product_identifier",
-                table: "payment_orders",
-                type: "character varying(4096)",
-                maxLength: 4096,
-                nullable: true);
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropColumn(
-                name: "product_identifier",
-                table: "payment_orders");
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20250906174610_AddAccountRegion.cs

@@ -1,30 +0,0 @@
-using Microsoft.EntityFrameworkCore.Migrations;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class AddAccountRegion : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.AddColumn<string>(
-                name: "region",
-                table: "accounts",
-                type: "character varying(32)",
-                maxLength: 32,
-                nullable: false,
-                defaultValue: "");
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropColumn(
-                name: "region",
-                table: "accounts");
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20250907065433_RefactorGeoIpPoint.cs

@@ -1,63 +0,0 @@
-using DysonNetwork.Shared.GeoIp;
-using Microsoft.EntityFrameworkCore.Migrations;
-using NetTopologySuite.Geometries;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class RefactorGeoIpPoint : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.Sql("UPDATE auth_challenges SET location = NULL;");
-            migrationBuilder.Sql("UPDATE action_logs SET location = NULL;");
-
-            migrationBuilder.DropColumn(
-                name: "location",
-                table: "auth_challenges");
-
-            migrationBuilder.AddColumn<GeoPoint>(
-                name: "location",
-                table: "auth_challenges",
-                type: "jsonb",
-                nullable: true);
-
-            migrationBuilder.DropColumn(
-                name: "location",
-                table: "action_logs");
-
-            migrationBuilder.AddColumn<GeoPoint>(
-                name: "location",
-                table: "action_logs",
-                type: "jsonb",
-                nullable: true);
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropColumn(
-                name: "location",
-                table: "auth_challenges");
-
-            migrationBuilder.AddColumn<Point>(
-                name: "location",
-                table: "auth_challenges",
-                type: "geometry",
-                nullable: true);
-
-            migrationBuilder.DropColumn(
-                name: "location",
-                table: "action_logs");
-
-            migrationBuilder.AddColumn<Point>(
-                name: "location",
-                table: "action_logs",
-                type: "geometry",
-                nullable: true);
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20250907065933_RemoveNetTopo.cs

@@ -1,24 +0,0 @@
-using Microsoft.EntityFrameworkCore.Migrations;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class RemoveNetTopo : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.AlterDatabase()
-                .OldAnnotation("Npgsql:PostgresExtension:postgis", ",,");
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.AlterDatabase()
-                .Annotation("Npgsql:PostgresExtension:postgis", ",,");
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20250908151924_AddAutomatedStatus.cs

@@ -1,40 +0,0 @@
-using Microsoft.EntityFrameworkCore.Migrations;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class AddAutomatedStatus : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.AddColumn<string>(
-                name: "app_identifier",
-                table: "account_statuses",
-                type: "character varying(4096)",
-                maxLength: 4096,
-                nullable: true);
-
-            migrationBuilder.AddColumn<bool>(
-                name: "is_automated",
-                table: "account_statuses",
-                type: "boolean",
-                nullable: false,
-                defaultValue: false);
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropColumn(
-                name: "app_identifier",
-                table: "account_statuses");
-
-            migrationBuilder.DropColumn(
-                name: "is_automated",
-                table: "account_statuses");
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20250924054811_AddStatusMeta.cs

@@ -1,28 +0,0 @@
-using Microsoft.EntityFrameworkCore.Migrations;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class AddStatusMeta : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.AddColumn<Dictionary<string, object>>(
-                name: "meta",
-                table: "account_statuses",
-                type: "jsonb",
-                nullable: true);
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropColumn(
-                name: "meta",
-                table: "account_statuses");
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20251003061315_AddSubscriptionGift.cs

@@ -1,133 +0,0 @@
-using System;
-using System.Collections.Generic;
-using System.Text.Json;
-using DysonNetwork.Shared.GeoIp;
-using DysonNetwork.Shared.Models;
-using Microsoft.EntityFrameworkCore.Migrations;
-using NodaTime;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class AddSubscriptionGift : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.CreateTable(
-                name: "wallet_gifts",
-                columns: table => new
-                {
-                    id = table.Column<Guid>(type: "uuid", nullable: false),
-                    gifter_id = table.Column<Guid>(type: "uuid", nullable: false),
-                    recipient_id = table.Column<Guid>(type: "uuid", nullable: true),
-                    gift_code = table.Column<string>(type: "character varying(128)", maxLength: 128, nullable: false),
-                    message = table.Column<string>(type: "character varying(1000)", maxLength: 1000, nullable: true),
-                    subscription_identifier = table.Column<string>(type: "character varying(4096)", maxLength: 4096, nullable: false),
-                    base_price = table.Column<decimal>(type: "numeric", nullable: false),
-                    final_price = table.Column<decimal>(type: "numeric", nullable: false),
-                    status = table.Column<int>(type: "integer", nullable: false),
-                    redeemed_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    redeemer_id = table.Column<Guid>(type: "uuid", nullable: true),
-                    expires_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    is_open_gift = table.Column<bool>(type: "boolean", nullable: false),
-                    payment_method = table.Column<string>(type: "character varying(4096)", maxLength: 4096, nullable: false),
-                    payment_details = table.Column<SnPaymentDetails>(type: "jsonb", nullable: false),
-                    coupon_id = table.Column<Guid>(type: "uuid", nullable: true),
-                    created_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    updated_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    deleted_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("pk_wallet_gifts", x => x.id);
-                    table.ForeignKey(
-                        name: "fk_wallet_gifts_accounts_gifter_id",
-                        column: x => x.gifter_id,
-                        principalTable: "accounts",
-                        principalColumn: "id",
-                        onDelete: ReferentialAction.Cascade);
-                    table.ForeignKey(
-                        name: "fk_wallet_gifts_accounts_recipient_id",
-                        column: x => x.recipient_id,
-                        principalTable: "accounts",
-                        principalColumn: "id");
-                    table.ForeignKey(
-                        name: "fk_wallet_gifts_accounts_redeemer_id",
-                        column: x => x.redeemer_id,
-                        principalTable: "accounts",
-                        principalColumn: "id");
-                    table.ForeignKey(
-                        name: "fk_wallet_gifts_wallet_coupons_coupon_id",
-                        column: x => x.coupon_id,
-                        principalTable: "wallet_coupons",
-                        principalColumn: "id");
-                });
-
-            migrationBuilder.AddColumn<Guid>(
-                name: "gift_id",
-                table: "wallet_subscriptions",
-                type: "uuid",
-                nullable: true);
-
-            migrationBuilder.CreateIndex(
-                name: "ix_wallet_gifts_coupon_id",
-                table: "wallet_gifts",
-                column: "coupon_id");
-
-            migrationBuilder.CreateIndex(
-                name: "ix_wallet_gifts_gift_code",
-                table: "wallet_gifts",
-                column: "gift_code");
-
-            migrationBuilder.CreateIndex(
-                name: "ix_wallet_gifts_gifter_id",
-                table: "wallet_gifts",
-                column: "gifter_id");
-
-            migrationBuilder.CreateIndex(
-                name: "ix_wallet_gifts_recipient_id",
-                table: "wallet_gifts",
-                column: "recipient_id");
-
-            migrationBuilder.CreateIndex(
-                name: "ix_wallet_gifts_redeemer_id",
-                table: "wallet_gifts",
-                column: "redeemer_id");
-
-            migrationBuilder.CreateIndex(
-                name: "ix_wallet_subscriptions_gift_id",
-                table: "wallet_subscriptions",
-                column: "gift_id",
-                unique: true);
-
-            migrationBuilder.AddForeignKey(
-                name: "fk_wallet_subscriptions_wallet_gifts_gift_id",
-                table: "wallet_subscriptions",
-                column: "gift_id",
-                principalTable: "wallet_gifts",
-                principalColumn: "id");
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropForeignKey(
-                name: "fk_wallet_subscriptions_wallet_gifts_gift_id",
-                table: "wallet_subscriptions");
-
-            migrationBuilder.DropTable(
-                name: "wallet_gifts");
-
-            migrationBuilder.DropIndex(
-                name: "ix_wallet_subscriptions_gift_id",
-                table: "wallet_subscriptions");
-
-            migrationBuilder.DropColumn(
-                name: "gift_id",
-                table: "wallet_subscriptions");
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20251003123103_RefactorSubscriptionRelation.cs

@@ -1,81 +0,0 @@
-using System;
-using Microsoft.EntityFrameworkCore.Migrations;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class RefactorSubscriptionRelation : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropForeignKey(
-                name: "fk_wallet_subscriptions_wallet_gifts_gift_id",
-                table: "wallet_subscriptions");
-
-            migrationBuilder.DropIndex(
-                name: "ix_wallet_subscriptions_gift_id",
-                table: "wallet_subscriptions");
-
-            migrationBuilder.DropColumn(
-                name: "gift_id",
-                table: "wallet_subscriptions");
-
-            migrationBuilder.AddColumn<Guid>(
-                name: "subscription_id",
-                table: "wallet_gifts",
-                type: "uuid",
-                nullable: true);
-
-            migrationBuilder.CreateIndex(
-                name: "ix_wallet_gifts_subscription_id",
-                table: "wallet_gifts",
-                column: "subscription_id",
-                unique: true);
-
-            migrationBuilder.AddForeignKey(
-                name: "fk_wallet_gifts_wallet_subscriptions_subscription_id",
-                table: "wallet_gifts",
-                column: "subscription_id",
-                principalTable: "wallet_subscriptions",
-                principalColumn: "id");
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropForeignKey(
-                name: "fk_wallet_gifts_wallet_subscriptions_subscription_id",
-                table: "wallet_gifts");
-
-            migrationBuilder.DropIndex(
-                name: "ix_wallet_gifts_subscription_id",
-                table: "wallet_gifts");
-
-            migrationBuilder.DropColumn(
-                name: "subscription_id",
-                table: "wallet_gifts");
-
-            migrationBuilder.AddColumn<Guid>(
-                name: "gift_id",
-                table: "wallet_subscriptions",
-                type: "uuid",
-                nullable: true);
-
-            migrationBuilder.CreateIndex(
-                name: "ix_wallet_subscriptions_gift_id",
-                table: "wallet_subscriptions",
-                column: "gift_id",
-                unique: true);
-
-            migrationBuilder.AddForeignKey(
-                name: "fk_wallet_subscriptions_wallet_gifts_gift_id",
-                table: "wallet_subscriptions",
-                column: "gift_id",
-                principalTable: "wallet_gifts",
-                principalColumn: "id");
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20251003152102_AddWalletFund.cs

@@ -1,99 +0,0 @@
-using System;
-using Microsoft.EntityFrameworkCore.Migrations;
-using NodaTime;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class AddWalletFund : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.CreateTable(
-                name: "wallet_funds",
-                columns: table => new
-                {
-                    id = table.Column<Guid>(type: "uuid", nullable: false),
-                    currency = table.Column<string>(type: "character varying(128)", maxLength: 128, nullable: false),
-                    total_amount = table.Column<decimal>(type: "numeric", nullable: false),
-                    split_type = table.Column<int>(type: "integer", nullable: false),
-                    status = table.Column<int>(type: "integer", nullable: false),
-                    message = table.Column<string>(type: "character varying(4096)", maxLength: 4096, nullable: true),
-                    creator_account_id = table.Column<Guid>(type: "uuid", nullable: false),
-                    expired_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    created_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    updated_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    deleted_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("pk_wallet_funds", x => x.id);
-                    table.ForeignKey(
-                        name: "fk_wallet_funds_accounts_creator_account_id",
-                        column: x => x.creator_account_id,
-                        principalTable: "accounts",
-                        principalColumn: "id",
-                        onDelete: ReferentialAction.Cascade);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "wallet_fund_recipients",
-                columns: table => new
-                {
-                    id = table.Column<Guid>(type: "uuid", nullable: false),
-                    fund_id = table.Column<Guid>(type: "uuid", nullable: false),
-                    recipient_account_id = table.Column<Guid>(type: "uuid", nullable: false),
-                    amount = table.Column<decimal>(type: "numeric", nullable: false),
-                    is_received = table.Column<bool>(type: "boolean", nullable: false),
-                    received_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    created_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    updated_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    deleted_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("pk_wallet_fund_recipients", x => x.id);
-                    table.ForeignKey(
-                        name: "fk_wallet_fund_recipients_accounts_recipient_account_id",
-                        column: x => x.recipient_account_id,
-                        principalTable: "accounts",
-                        principalColumn: "id",
-                        onDelete: ReferentialAction.Cascade);
-                    table.ForeignKey(
-                        name: "fk_wallet_fund_recipients_wallet_funds_fund_id",
-                        column: x => x.fund_id,
-                        principalTable: "wallet_funds",
-                        principalColumn: "id",
-                        onDelete: ReferentialAction.Cascade);
-                });
-
-            migrationBuilder.CreateIndex(
-                name: "ix_wallet_fund_recipients_fund_id",
-                table: "wallet_fund_recipients",
-                column: "fund_id");
-
-            migrationBuilder.CreateIndex(
-                name: "ix_wallet_fund_recipients_recipient_account_id",
-                table: "wallet_fund_recipients",
-                column: "recipient_account_id");
-
-            migrationBuilder.CreateIndex(
-                name: "ix_wallet_funds_creator_account_id",
-                table: "wallet_funds",
-                column: "creator_account_id");
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropTable(
-                name: "wallet_fund_recipients");
-
-            migrationBuilder.DropTable(
-                name: "wallet_funds");
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20251021153439_AddRealmFromSphere.cs

@@ -1,160 +0,0 @@
-using System;
-using DysonNetwork.Shared.Models;
-using Microsoft.EntityFrameworkCore.Migrations;
-using NodaTime;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class AddRealmFromSphere : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.CreateTable(
-                name: "realms",
-                columns: table => new
-                {
-                    id = table.Column<Guid>(type: "uuid", nullable: false),
-                    slug = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: false),
-                    name = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: false),
-                    description = table.Column<string>(type: "character varying(4096)", maxLength: 4096, nullable: false),
-                    is_community = table.Column<bool>(type: "boolean", nullable: false),
-                    is_public = table.Column<bool>(type: "boolean", nullable: false),
-                    picture_id = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: true),
-                    background_id = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: true),
-                    picture = table.Column<SnCloudFileReferenceObject>(type: "jsonb", nullable: true),
-                    background = table.Column<SnCloudFileReferenceObject>(type: "jsonb", nullable: true),
-                    verification = table.Column<SnVerificationMark>(type: "jsonb", nullable: true),
-                    account_id = table.Column<Guid>(type: "uuid", nullable: false),
-                    created_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    updated_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    deleted_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("pk_realms", x => x.id);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "realm_members",
-                columns: table => new
-                {
-                    realm_id = table.Column<Guid>(type: "uuid", nullable: false),
-                    account_id = table.Column<Guid>(type: "uuid", nullable: false),
-                    role = table.Column<int>(type: "integer", nullable: false),
-                    joined_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    leave_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    created_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    updated_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    deleted_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("pk_realm_members", x => new { x.realm_id, x.account_id });
-                    table.ForeignKey(
-                        name: "fk_realm_members_realms_realm_id",
-                        column: x => x.realm_id,
-                        principalTable: "realms",
-                        principalColumn: "id",
-                        onDelete: ReferentialAction.Cascade);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "sn_chat_room",
-                columns: table => new
-                {
-                    id = table.Column<Guid>(type: "uuid", nullable: false),
-                    name = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: true),
-                    description = table.Column<string>(type: "character varying(4096)", maxLength: 4096, nullable: true),
-                    type = table.Column<int>(type: "integer", nullable: false),
-                    is_community = table.Column<bool>(type: "boolean", nullable: false),
-                    is_public = table.Column<bool>(type: "boolean", nullable: false),
-                    picture_id = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: true),
-                    background_id = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: true),
-                    picture = table.Column<SnCloudFileReferenceObject>(type: "jsonb", nullable: true),
-                    background = table.Column<SnCloudFileReferenceObject>(type: "jsonb", nullable: true),
-                    realm_id = table.Column<Guid>(type: "uuid", nullable: true),
-                    sn_realm_id = table.Column<Guid>(type: "uuid", nullable: true),
-                    created_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    updated_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    deleted_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("pk_sn_chat_room", x => x.id);
-                    table.ForeignKey(
-                        name: "fk_sn_chat_room_realms_sn_realm_id",
-                        column: x => x.sn_realm_id,
-                        principalTable: "realms",
-                        principalColumn: "id");
-                });
-
-            migrationBuilder.CreateTable(
-                name: "sn_chat_member",
-                columns: table => new
-                {
-                    id = table.Column<Guid>(type: "uuid", nullable: false),
-                    chat_room_id = table.Column<Guid>(type: "uuid", nullable: false),
-                    account_id = table.Column<Guid>(type: "uuid", nullable: false),
-                    nick = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: true),
-                    role = table.Column<int>(type: "integer", nullable: false),
-                    notify = table.Column<int>(type: "integer", nullable: false),
-                    last_read_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    joined_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    leave_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    is_bot = table.Column<bool>(type: "boolean", nullable: false),
-                    break_until = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    timeout_until = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    timeout_cause = table.Column<ChatTimeoutCause>(type: "jsonb", nullable: true),
-                    created_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    updated_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    deleted_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("pk_sn_chat_member", x => x.id);
-                    table.ForeignKey(
-                        name: "fk_sn_chat_member_sn_chat_room_chat_room_id",
-                        column: x => x.chat_room_id,
-                        principalTable: "sn_chat_room",
-                        principalColumn: "id",
-                        onDelete: ReferentialAction.Cascade);
-                });
-
-            migrationBuilder.CreateIndex(
-                name: "ix_realms_slug",
-                table: "realms",
-                column: "slug",
-                unique: true);
-
-            migrationBuilder.CreateIndex(
-                name: "ix_sn_chat_member_chat_room_id",
-                table: "sn_chat_member",
-                column: "chat_room_id");
-
-            migrationBuilder.CreateIndex(
-                name: "ix_sn_chat_room_sn_realm_id",
-                table: "sn_chat_room",
-                column: "sn_realm_id");
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropTable(
-                name: "realm_members");
-
-            migrationBuilder.DropTable(
-                name: "sn_chat_member");
-
-            migrationBuilder.DropTable(
-                name: "sn_chat_room");
-
-            migrationBuilder.DropTable(
-                name: "realms");
-        }
-    }
-}

DysonNetwork.Pass/Migrations/20251022164134_RemoveChatRoom.cs

@@ -1,99 +0,0 @@
-using System;
-using DysonNetwork.Shared.Models;
-using Microsoft.EntityFrameworkCore.Migrations;
-using NodaTime;
-
-#nullable disable
-
-namespace DysonNetwork.Pass.Migrations
-{
-    /// <inheritdoc />
-    public partial class RemoveChatRoom : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropTable(
-                name: "sn_chat_member");
-
-            migrationBuilder.DropTable(
-                name: "sn_chat_room");
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.CreateTable(
-                name: "sn_chat_room",
-                columns: table => new
-                {
-                    id = table.Column<Guid>(type: "uuid", nullable: false),
-                    background = table.Column<SnCloudFileReferenceObject>(type: "jsonb", nullable: true),
-                    background_id = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: true),
-                    created_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    deleted_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    description = table.Column<string>(type: "character varying(4096)", maxLength: 4096, nullable: true),
-                    is_community = table.Column<bool>(type: "boolean", nullable: false),
-                    is_public = table.Column<bool>(type: "boolean", nullable: false),
-                    name = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: true),
-                    picture = table.Column<SnCloudFileReferenceObject>(type: "jsonb", nullable: true),
-                    picture_id = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: true),
-                    realm_id = table.Column<Guid>(type: "uuid", nullable: true),
-                    sn_realm_id = table.Column<Guid>(type: "uuid", nullable: true),
-                    type = table.Column<int>(type: "integer", nullable: false),
-                    updated_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("pk_sn_chat_room", x => x.id);
-                    table.ForeignKey(
-                        name: "fk_sn_chat_room_realms_sn_realm_id",
-                        column: x => x.sn_realm_id,
-                        principalTable: "realms",
-                        principalColumn: "id");
-                });
-
-            migrationBuilder.CreateTable(
-                name: "sn_chat_member",
-                columns: table => new
-                {
-                    id = table.Column<Guid>(type: "uuid", nullable: false),
-                    chat_room_id = table.Column<Guid>(type: "uuid", nullable: false),
-                    account_id = table.Column<Guid>(type: "uuid", nullable: false),
-                    break_until = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    created_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false),
-                    deleted_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    is_bot = table.Column<bool>(type: "boolean", nullable: false),
-                    joined_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    last_read_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    leave_at = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    nick = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: true),
-                    notify = table.Column<int>(type: "integer", nullable: false),
-                    role = table.Column<int>(type: "integer", nullable: false),
-                    timeout_cause = table.Column<ChatTimeoutCause>(type: "jsonb", nullable: true),
-                    timeout_until = table.Column<Instant>(type: "timestamp with time zone", nullable: true),
-                    updated_at = table.Column<Instant>(type: "timestamp with time zone", nullable: false)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("pk_sn_chat_member", x => x.id);
-                    table.ForeignKey(
-                        name: "fk_sn_chat_member_sn_chat_room_chat_room_id",
-                        column: x => x.chat_room_id,
-                        principalTable: "sn_chat_room",
-                        principalColumn: "id",
-                        onDelete: ReferentialAction.Cascade);
-                });
-
-            migrationBuilder.CreateIndex(
-                name: "ix_sn_chat_member_chat_room_id",
-                table: "sn_chat_member",
-                column: "chat_room_id");
-
-            migrationBuilder.CreateIndex(
-                name: "ix_sn_chat_room_sn_realm_id",
-                table: "sn_chat_room",
-                column: "sn_realm_id");
-        }
-    }
-}