npm - @abtnode/core - Versions diffs - 1.17.8-beta-20260109-075740-5f484e08 → 1.17.8-beta-20260113-015027-32a1cec4 - Mend

@abtnode/core 1.17.8-beta-20260109-075740-5f484e08 → 1.17.8-beta-20260113-015027-32a1cec4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (65) hide show

package/lib/api/team/access-key-manager.js +104 -0
package/lib/api/team/invitation-manager.js +461 -0
package/lib/api/team/notification-manager.js +189 -0
package/lib/api/team/oauth-manager.js +60 -0
package/lib/api/team/org-crud-manager.js +202 -0
package/lib/api/team/org-manager.js +56 -0
package/lib/api/team/org-member-manager.js +403 -0
package/lib/api/team/org-query-manager.js +126 -0
package/lib/api/team/org-resource-manager.js +186 -0
package/lib/api/team/passport-manager.js +670 -0
package/lib/api/team/rbac-manager.js +335 -0
package/lib/api/team/session-manager.js +540 -0
package/lib/api/team/store-manager.js +198 -0
package/lib/api/team/tag-manager.js +230 -0
package/lib/api/team/user-auth-manager.js +132 -0
package/lib/api/team/user-manager.js +78 -0
package/lib/api/team/user-query-manager.js +299 -0
package/lib/api/team/user-social-manager.js +354 -0
package/lib/api/team/user-update-manager.js +224 -0
package/lib/api/team/verify-code-manager.js +161 -0
package/lib/api/team.js +439 -3287
package/lib/blocklet/manager/disk/auth-manager.js +68 -0
package/lib/blocklet/manager/disk/backup-manager.js +288 -0
package/lib/blocklet/manager/disk/cleanup-manager.js +157 -0
package/lib/blocklet/manager/disk/component-manager.js +83 -0
package/lib/blocklet/manager/disk/config-manager.js +191 -0
package/lib/blocklet/manager/disk/controller-manager.js +64 -0
package/lib/blocklet/manager/disk/delete-reset-manager.js +328 -0
package/lib/blocklet/manager/disk/download-manager.js +96 -0
package/lib/blocklet/manager/disk/env-config-manager.js +311 -0
package/lib/blocklet/manager/disk/federated-manager.js +651 -0
package/lib/blocklet/manager/disk/hook-manager.js +124 -0
package/lib/blocklet/manager/disk/install-component-manager.js +95 -0
package/lib/blocklet/manager/disk/install-core-manager.js +448 -0
package/lib/blocklet/manager/disk/install-download-manager.js +313 -0
package/lib/blocklet/manager/disk/install-manager.js +36 -0
package/lib/blocklet/manager/disk/install-upgrade-manager.js +340 -0
package/lib/blocklet/manager/disk/job-manager.js +467 -0
package/lib/blocklet/manager/disk/lifecycle-manager.js +26 -0
package/lib/blocklet/manager/disk/notification-manager.js +343 -0
package/lib/blocklet/manager/disk/query-manager.js +562 -0
package/lib/blocklet/manager/disk/settings-manager.js +507 -0
package/lib/blocklet/manager/disk/start-manager.js +611 -0
package/lib/blocklet/manager/disk/stop-restart-manager.js +292 -0
package/lib/blocklet/manager/disk/update-manager.js +153 -0
package/lib/blocklet/manager/disk.js +669 -5796
package/lib/blocklet/manager/helper/blue-green-start-blocklet.js +5 -0
package/lib/blocklet/manager/lock.js +18 -0
package/lib/event/index.js +28 -24
package/lib/util/blocklet/app-utils.js +192 -0
package/lib/util/blocklet/blocklet-loader.js +258 -0
package/lib/util/blocklet/config-manager.js +232 -0
package/lib/util/blocklet/did-document.js +240 -0
package/lib/util/blocklet/environment.js +555 -0
package/lib/util/blocklet/health-check.js +449 -0
package/lib/util/blocklet/install-utils.js +365 -0
package/lib/util/blocklet/logo.js +57 -0
package/lib/util/blocklet/meta-utils.js +269 -0
package/lib/util/blocklet/port-manager.js +141 -0
package/lib/util/blocklet/process-manager.js +504 -0
package/lib/util/blocklet/runtime-info.js +105 -0
package/lib/util/blocklet/validation.js +418 -0
package/lib/util/blocklet.js +98 -3066
package/lib/util/wallet-app-notification.js +40 -0
package/package.json +22 -22

package/lib/api/team.js CHANGED Viewed

@@ -1,233 +1,36 @@
 const { EventEmitter } = require('events');
-const axios = require('@abtnode/util/lib/axios');
-const pick = require('lodash/pick');
-const omit = require('lodash/omit');
-const defaults = require('lodash/defaults');
-const isEmpty = require('lodash/isEmpty');
 const throttle = require('lodash/throttle');
-const cloneDeep = require('@abtnode/util/lib/deep-clone');
-const { joinURL, withoutTrailingSlash } = require('ufo');
 const { Op } = require('sequelize');
 const dayjs = require('@abtnode/util/lib/dayjs');
 const logger = require('@abtnode/logger')('@abtnode/core:api:team');
 const pAll = require('p-all');
-const {
-  ROLES,
-  genPermissionName,
-  PASSPORT_STATUS,
-  WELLKNOWN_SERVICE_PATH_PREFIX,
-  MAX_USER_PAGE_SIZE,
-  MAIN_CHAIN_ENDPOINT,
-  USER_AVATAR_URL_PREFIX,
-  SESSION_TTL,
-  EVENTS,
-  NOTIFICATION_SEND_CHANNEL,
-  USER_SESSION_STATUS,
-  WEBHOOK_CONSECUTIVE_FAILURES_THRESHOLD,
-} = require('@abtnode/constant');
-const { isValid: isValidDid } = require('@arcblock/did');
-const { BlockletEvents, TeamEvents, BlockletInternalEvents } = require('@blocklet/constant');
-const { sendToUser } = require('@blocklet/sdk/lib/util/send-notification');
-const {
-  createPassportVC,
-  createPassport,
-  upsertToPassports,
-  createUserPassport,
-} = require('@abtnode/auth/lib/passport');
-const { formatError } = require('@blocklet/error');
-const { getPassportStatusEndpoint, getApplicationInfo } = require('@abtnode/auth/lib/auth');
-const {
-  callFederated,
-  getFederatedMaster,
-  findFederatedSite,
-  getUserAvatarUrl: getFederatedUserAvatarUrl,
-  syncFederated,
-} = require('@abtnode/auth/lib/util/federated');
-const { hasActiveOwnerPassport } = require('@abtnode/util/lib/passport');
-const { getBlockletInfo } = require('@blocklet/meta/lib/info');
-const { getUserAvatarUrl, getAppAvatarUrl, extractUserAvatar, getAvatarByUrl } = require('@abtnode/util/lib/user');
-const { getChainClient } = require('@abtnode/util/lib/get-chain-client');
-const { getWalletDid } = require('@blocklet/meta/lib/did-utils');
-const { generateRandomString } = require('@abtnode/models/lib/util');
-const pMap = require('p-map');
+const { PASSPORT_STATUS, USER_AVATAR_URL_PREFIX } = require('@abtnode/constant');
 const isUrl = require('is-url');
-const { PASSPORT_LOG_ACTION, PASSPORT_SOURCE, PASSPORT_ISSUE_ACTION } = require('@abtnode/constant');
-const ensureServerEndpoint = require('@abtnode/util/lib/ensure-server-endpoint');
-const { CustomError } = require('@blocklet/error');
-const { getEmailServiceProvider } = require('@abtnode/auth/lib/email');
-const md5 = require('@abtnode/util/lib/md5');
-const { sanitizeTag } = require('@abtnode/util/lib/sanitize');
-const { Joi } = require('@arcblock/validator');
-const { getBlockletAppIdList } = require('@blocklet/meta/lib/util');
-const { validateTrustedPassportIssuers } = require('../validators/trusted-passport');
-const { validateTrustedFactories } = require('../validators/trusted-factory');
-const { validateCreateRole, validateUpdateRole } = require('../validators/role');
-const { validateCreatePermission, validateUpdatePermission } = require('../validators/permission');
+const { extractUserAvatar, getAvatarByUrl } = require('@abtnode/util/lib/user');
+const { TeamEvents } = require('@blocklet/constant');
 const { BlockletRuntimeMonitor } = require('../monitor/blocklet-runtime-monitor');
 const { getBlocklet } = require('../util/blocklet');
-const StoreUtil = require('../util/store');
 const { profileSchema } = require('../validators/user');
-const { passportDisplaySchema } = require('../validators/util');
-const { validateUserRolePassport } = require('../util/validate-user-role-passport');
-const { getOrgInviteLink, createOrgValidators, isOrgOwner, isAdmingPath } = require('../util/org');
-const { createOrgInputSchema, updateOrgInputSchema } = require('../validators/org');
-const { checkPushChannelAvailable, getNotificationPushState } = require('../util/notification');
-const sanitizeUrl = (url) => {
-  if (!url) {
-    throw new Error('Registry URL should not be empty');
-  }
-  return url.trim();
-};
-const validateReservedRole = (role) => {
-  if (Object.values(ROLES).includes(role)) {
-    throw new Error(`The role ${role} is reserved`);
-  }
-  return true;
-};
-const sendPassportVcNotification = ({ userDid, appWallet: wallet, locale, vc, notification }) => {
-  try {
-    const receiver = userDid;
-    const sender = { appDid: wallet.address, appSk: wallet.secretKey };
-    const message = { ...notification };
-    if (!message.title) {
-      message.title = {
-        en: 'Receive a Passport',
-        zh: '获得通行证',
-      }[locale];
-    }
-    if (!message.body) {
-      message.body = {
-        en: 'You got a passport',
-        zh: '你获得了一张通行证',
-      }[locale];
-    }
-    if (!message.attachments) {
-      message.attachments = [
-        {
-          type: 'vc',
-          data: {
-            credential: vc,
-            tag: vc.credentialSubject.passport.name,
-          },
-        },
-      ];
-    }
-    sendToUser(receiver, message, sender, { channels: [NOTIFICATION_SEND_CHANNEL.WALLET] }).catch((error) => {
-      logger.error('Failed send passport vc to wallet', { error });
-    });
-  } catch (error) {
-    logger.error('Failed send passport vc to wallet', { error });
-  }
-};
-const formatTransferData = (data) => ({
-  transferId: data.id,
-  remark: data.remark || '',
-  expireDate: new Date(data.expireDate).toString(),
-  appDid: data.appDid,
-  status: data.status || '',
-});
-const taggingSchema = Joi.object({
-  tagId: Joi.number().required(),
-  taggableIds: Joi.array().items(Joi.string()).min(1).required().messages({
-    'any.required': 'Must specify tagging.taggableIds to create',
-    'array.base': 'taggableIds must be an array',
-    'array.min': 'taggableIds must contain at least one element',
-  }),
-  taggableType: Joi.string().required().messages({
-    'any.required': 'Must specify tagging.taggableType to create',
-    'string.base': 'taggableType must be a string',
-  }),
-});
-const validatePassportDisplay = async (role, display) => {
-  if (role.extra?.display === 'custom') {
-    if (!display) {
-      throw new Error(`display is required for custom passport: ${role.name}`);
-    }
-    const { error, value } = passportDisplaySchema.validate(display);
-    if (error) {
-      throw new Error(`display invalid for custom passport: ${formatError(error)}`);
-    }
-    if (value.type === 'url') {
-      try {
-        const res = await axios.head(value.content, {
-          timeout: 8000,
-          maxRedirects: 8,
-          validateStatus: null,
-          headers: {
-            Accept: 'image/avif,image/webp,image/png,image/svg+xml,image/*,*/*;q=0.8',
-            'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36', // prettier-ignore
-          },
-        });
-        if (res.status >= 400) {
-          throw new Error(`Passport display is not accessible: ${res.statusText}`);
-        }
-        const contentType = res.headers['content-type'];
-        if (!contentType?.startsWith('image/')) {
-          throw new Error(`Passport display does not return valid image: ${contentType}`);
-        }
-      } catch (err) {
-        throw new Error(`Error validating passport display: ${err.message}`);
-      }
-    }
-  }
-};
-const getUserSessionWhere = ({ status, blocklet }) => {
-  const now = Date.now();
-  const sessionTtl = blocklet.settings?.session?.ttl || SESSION_TTL;
-  if (status === USER_SESSION_STATUS.ONLINE) {
-    return {
-      updatedAt: {
-        [Op.gt]: new Date(now - sessionTtl * 1000),
-      },
-      status: {
-        [Op.ne]: USER_SESSION_STATUS.OFFLINE,
-      },
-    };
-  }
-  if (status === USER_SESSION_STATUS.EXPIRED) {
-    return {
-      updatedAt: {
-        [Op.lt]: new Date(now - sessionTtl * 1000),
-      },
-      status: {
-        [Op.ne]: USER_SESSION_STATUS.OFFLINE,
-      },
-    };
-  }
-  if (status === USER_SESSION_STATUS.OFFLINE) {
-    return {
-      status: USER_SESSION_STATUS.OFFLINE,
-    };
-  }
-  return {};
-};
-// 关注取消关注相关接口
-const USER_RELATION_ACTIONS = {
-  follow: (state, followerDid, userDid, options) => state.followUser(followerDid, userDid, options),
-  unfollow: (state, followerDid, userDid, options) => state.unfollowUser(followerDid, userDid, options),
-};
-// 获取用户相关接口
-const USER_RELATION_QUERIES = {
-  followers: (state, userDid, options, context) => state.getFollowers(userDid, options, context),
-  following: (state, userDid, options, context) => state.getFollowing(userDid, options, context),
-};
+// Import split modules
+const tagManager = require('./team/tag-manager');
+const notificationManager = require('./team/notification-manager');
+const rbacManager = require('./team/rbac-manager');
+const accessKeyManager = require('./team/access-key-manager');
+const oauthManager = require('./team/oauth-manager');
+const verifyCodeManager = require('./team/verify-code-manager');
+const storeManager = require('./team/store-manager');
+const sessionManager = require('./team/session-manager');
+const userManager = require('./team/user-manager');
+const invitationManager = require('./team/invitation-manager');
+const passportManager = require('./team/passport-manager');
+const orgManager = require('./team/org-manager');
+// Re-export helper functions
+const { validatePassportDisplay, sendPassportVcNotification } = passportManager;
 class TeamAPI extends EventEmitter {
   /**
-   *
    * @param {object} states abtnode core StateDB
    */
   constructor({ teamManager, states, dataDirs, nodeAPI, passportAPI, passportIssueQueue }) {
@@ -369,3308 +172,657 @@ class TeamAPI extends EventEmitter {
     };
   }
-  // Tagging
-  async createTagging({ teamDid, tagging }) {
-    const state = await this.getTaggingState(teamDid);
-    const { error, value } = taggingSchema.validate(tagging, { stripUnknown: true });
-    if (error) {
-      throw new Error(error.details.map((d) => d.message).join('; '));
-    }
+  // ============ Tag Manager ============
+  createTagging({ teamDid, tagging }) {
+    return tagManager.createTagging(this, { teamDid, tagging });
+  }
-    const fns = value.taggableIds.map(async (id) => {
-      const found = await state.findOne({ tagId: tagging.tagId, taggableId: id });
-      if (found) return found;
+  deleteTagging({ teamDid, tagging }) {
+    return tagManager.deleteTagging(this, { teamDid, tagging });
+  }
-      return state.insert({ tagId: tagging.tagId, taggableId: id, taggableType: tagging.taggableType });
-    });
+  getTag({ teamDid, tag }) {
+    return tagManager.getTag(this, { teamDid, tag });
+  }
-    const docs = await Promise.all(fns);
-    logger.info('tagging created successfully', { teamDid, tagging });
-    return docs;
+  createTag({ teamDid, tag }, context = {}) {
+    return tagManager.createTag(this, { teamDid, tag }, context);
   }
-  async deleteTagging({ teamDid, tagging }) {
-    const { error, value } = taggingSchema.validate(tagging, { stripUnknown: true });
-    if (error) {
-      throw new Error(error.details.map((d) => d.message).join('; '));
-    }
+  updateTag({ teamDid, tag }, context = {}) {
+    return tagManager.updateTag(this, { teamDid, tag }, context);
+  }
-    const state = await this.getTaggingState(teamDid);
+  deleteTag({ teamDid, tag, moveTo }) {
+    return tagManager.deleteTag(this, { teamDid, tag, moveTo });
+  }
-    const { tagId, taggableIds } = value;
-    const fns = taggableIds.map((id) => {
-      return state.remove({ tagId, taggableId: id });
-    });
+  getTags({ teamDid, paging }) {
+    return tagManager.getTags(this, { teamDid, paging });
+  }
-    const docs = await Promise.all(fns);
-    logger.info('tagging deleted successfully', { teamDid, tagging });
+  // ============ Notification Manager ============
+  getNotification(params, context) {
+    return notificationManager.getNotification(this, params, context);
+  }
-    return docs;
+  getNotificationById(params) {
+    return notificationManager.getNotificationById(this, params);
   }
-  // Tags
-  async getTag({ teamDid, tag }) {
-    const state = await this.getTagState(teamDid);
-    return state.findOne({ id: tag.id });
+  getNotificationsUnreadCount(params, context) {
+    return notificationManager.getNotificationsUnreadCount(this, params, context);
   }
-  async createTag({ teamDid, tag }, context = {}) {
-    if (!tag.title) {
-      throw new Error('Must specify tag.title to create');
-    }
-    if (!tag.color || !tag.color.match(/^#[0-9a-f]{6}$/i)) {
-      throw new Error('Must specify hex encoded tag.color to create');
-    }
-    if (!tag.slug) {
-      throw new Error('Must specify tag.slug to create');
-    }
+  createNotificationReceiver(params) {
+    return notificationManager.createNotificationReceiver(this, params);
+  }
-    const state = await this.getTagState(teamDid);
-    const tagData = pick(tag, ['title', 'description', 'color', 'slug', 'type', 'componentDid', 'parentId']);
-    tagData.createdBy = context.user.did;
-    tagData.updatedBy = context.user.did;
-    const doc = await state.insert(tagData);
-    logger.info('tags created successfully', { teamDid, tag });
-    return doc;
+  markAllNotificationsAsRead(params, context) {
+    return notificationManager.markAllNotificationsAsRead(this, params, context);
   }
-  async updateTag({ teamDid, tag }, context = {}) {
-    if (!tag.id) {
-      throw new Error('Must specify tag.id to update');
-    }
+  updateNotificationStatus(params, context) {
+    return notificationManager.updateNotificationStatus(this, params, context);
+  }
-    const keys = ['title', 'description', 'color', 'slug', 'type', 'componentDid', 'parentId'];
-    const tagData = Object.fromEntries(keys.map((key) => [key, tag[key] ?? null]));
-    tagData.updatedBy = context.user.did;
+  readNotifications(params, context) {
+    return notificationManager.readNotifications(this, params, context);
+  }
-    const state = await this.getTagState(teamDid);
-    const result = await state.updateById(tag.id, tagData);
-    logger.info('tags updated successfully', { teamDid, tag, result });
-    return state.findOne({ id: tag.id });
+  unreadNotifications(params, context) {
+    return notificationManager.unreadNotifications(this, params, context);
   }
-  async deleteTag({ teamDid, tag, moveTo }) {
-    if (!tag.id) {
-      throw new Error('Must specify tag.id to delete');
-    }
+  getNotificationSendLog(params) {
+    return notificationManager.getNotificationSendLog(this, params);
+  }
-    const state = await this.getTagState(teamDid);
-    const taggingState = await this.getTaggingState(teamDid);
+  getNotificationComponents(params) {
+    return notificationManager.getNotificationComponents(this, params);
+  }
-    if (moveTo) {
-      const records = await taggingState.find({ tagId: tag.id });
-      const checkPairs = records.map((r) => ({ taggableId: r.taggableId, taggableType: r.taggableType }));
-      const existing = await taggingState.find({ tagId: moveTo, $or: checkPairs });
+  getReceivers(params) {
+    return notificationManager.getReceivers(this, params);
+  }
-      const existingSet = new Set(existing.map((e) => `${e.taggableId}:${e.taggableType}`));
-      const toUpdate = [];
-      const toDelete = [];
+  createNotification(payload) {
+    return this.teamManager.createNotification(payload);
+  }
-      for (const record of records) {
-        const key = `${record.taggableId}:${record.taggableType}`;
-        if (existingSet.has(key)) {
-          toDelete.push(record);
-          logger.info('tag already at moveTo, will delete record', { teamDid, tag, record });
-        } else {
-          toUpdate.push(record);
-        }
-      }
+  // ============ RBAC Manager ============
+  getRole({ teamDid, role }) {
+    return rbacManager.getRole(this, { teamDid, role });
+  }
-      if (toUpdate.length > 0) {
-        await Promise.all(
-          toUpdate.map((record) =>
-            taggingState
-              .update(
-                { tagId: record.tagId, taggableId: record.taggableId, taggableType: record.taggableType },
-                { $set: { tagId: moveTo } }
-              )
-              .then(() => {
-                logger.info('tag moved successfully', { teamDid, tag, record, moveTo });
-              })
-          )
-        );
-      }
+  createRole({ teamDid, name, description, title, childName, permissions = [], extra, orgId }) {
+    return rbacManager.createRole(this, { teamDid, name, description, title, childName, permissions, extra, orgId });
+  }
-      if (toDelete.length > 0) {
-        await Promise.all(
-          toDelete.map((record) =>
-            taggingState.remove(record).then(() => {
-              logger.info('tagging deleted successfully', { teamDid, tag, record });
-            })
-          )
-        );
-      }
-    }
+  updateRole({ teamDid, role, orgId }) {
+    return rbacManager.updateRole(this, { teamDid, role, orgId });
+  }
-    const doc = await state.remove({ id: tag.id });
-    await taggingState.remove({ tagId: tag.id });
-    logger.info('tags deleted successfully', { teamDid, tag });
-    return doc;
+  getPermissions({ teamDid }) {
+    return rbacManager.getPermissions(this, { teamDid });
   }
-  async getTags({ teamDid, paging }) {
-    const state = await this.getTagState(teamDid);
-    const result = await state.paginate({}, { createdAt: -1 }, { pageSize: 20, ...paging });
-    return { tags: result.list, paging: result.paging };
-  }
-  async sendNewMemberNotification(teamManager, user, nodeInfo) {
-    if (nodeInfo.nodeOwner && user.did !== nodeInfo.nodeOwner.did) {
-      const actionPath = '/team/members';
-      const action =
-        process.env.NODE_ENV === 'production' ? joinURL(nodeInfo.routing.adminPath, actionPath) : actionPath;
-      await teamManager.createNotification({
-        title: 'New member join',
-        description: `User with Name (${user.fullName}) and DID (${user.did}) has joined this server`,
-        entityType: 'node',
-        action,
-        entityId: user.did,
-        severity: 'success',
-      });
-    }
+  createPermission({ teamDid, name, description, extra }) {
+    return rbacManager.createPermission(this, { teamDid, name, description, extra });
   }
-  // User && Invitation
-  async loginUser({ teamDid, user, notify = true, force = false }) {
-    const state = await this.getUserState(teamDid);
-    const nodeInfo = await this.node.read();
+  updatePermission({ teamDid, permission }) {
+    return rbacManager.updatePermission(this, { teamDid, permission });
+  }
-    if (user.role === ROLES.OWNER) {
-      if (teamDid !== nodeInfo.did && !force) {
-        throw new Error('Cannot add user of owner role');
-      }
-      if (await state.count({ role: ROLES.OWNER })) {
-        throw new Error('The owner already exists');
-      }
-    }
+  grant({ teamDid, roleName, grantName }) {
+    return rbacManager.grant(this, { teamDid, roleName, grantName });
+  }
-    const { _action, ...doc } = await state.loginUser(user);
-    if (_action === 'update') {
-      logger.info('user updated successfully', { teamDid, userDid: user.did });
-      this.emit(TeamEvents.userUpdated, { teamDid, user: doc });
-    } else if (_action === 'add') {
-      this.createDefaultOrgForUser({ teamDid, user });
+  revoke({ teamDid, roleName, grantName }) {
+    return rbacManager.revoke(this, { teamDid, roleName, grantName });
+  }
-      if (teamDid === nodeInfo.did && nodeInfo.nodeOwner && user.did !== nodeInfo.nodeOwner.did && notify) {
-        await this.sendNewMemberNotification(this.teamManager, user, nodeInfo);
-      }
+  updateGrants({ teamDid, roleName, grantNames }) {
+    return rbacManager.updateGrants(this, { teamDid, roleName, grantNames });
+  }
-      logger.info('user added successfully', { teamDid, userDid: user.did, userPk: user.pk, userName: user.fullName });
-      this.emit(TeamEvents.userAdded, { teamDid, user: doc });
-    }
-    return doc;
+  deleteRole({ teamDid, name }) {
+    return rbacManager.deleteRole(this, { teamDid, name });
   }
-  async disconnectUserAccount({ teamDid, connectedAccount }) {
-    const state = await this.getUserState(teamDid);
-    const result = await state.disconnectUserAccount(connectedAccount);
+  deletePermission({ teamDid, name }) {
+    return rbacManager.deletePermission(this, { teamDid, name });
+  }
-    logger.info('user disconnect account successfully', {
-      teamDid,
-      connectedAccountDid: connectedAccount.did,
-      connectedAccountPk: connectedAccount.pk,
-      connectedAccountProvider: connectedAccount.provider,
-    });
-    return result;
+  getPermissionsByRole({ teamDid, role }) {
+    return rbacManager.getPermissionsByRole(this, { teamDid, role });
   }
-  async addUser({ teamDid, user, force = false }) {
-    const state = await this.getUserState(teamDid);
+  hasPermission({ teamDid, role, permission }) {
+    return rbacManager.hasPermission(this, { teamDid, role, permission });
+  }
-    if (user.role === ROLES.OWNER) {
-      const nodeInfo = await this.node.read();
+  refreshBlockletInterfacePermissions(blockletMeta) {
+    return rbacManager.refreshBlockletInterfacePermissions(this, blockletMeta);
+  }
-      if (teamDid !== nodeInfo.did && !force) {
-        throw new Error('Cannot add user of owner role');
-      }
+  // ============ Access Key Manager ============
+  getAccessKeys({ teamDid, paging }, context) {
+    return accessKeyManager.getAccessKeys(this, { teamDid, paging }, context);
+  }
-      if (await state.count({ role: ROLES.OWNER })) {
-        throw new Error('The owner already exists');
-      }
-    }
+  getAccessKey({ teamDid, accessKeyId }, context) {
+    return accessKeyManager.getAccessKey(this, { teamDid, accessKeyId }, context);
+  }
-    const doc = await state.addUser(user);
+  createAccessKey({ teamDid, ...data }, context) {
+    return accessKeyManager.createAccessKey(this, { teamDid, ...data }, context);
+  }
-    logger.info('user added successfully', { teamDid, userDid: user.did, userPk: user.pk, userName: user.fullName });
+  updateAccessKey({ teamDid, ...data }, context) {
+    return accessKeyManager.updateAccessKey(this, { teamDid, ...data }, context);
+  }
-    const nodeInfo = await this.node.read();
-    if (teamDid === nodeInfo.did && nodeInfo.nodeOwner && user.did !== nodeInfo.nodeOwner.did) {
-      await this.sendNewMemberNotification(this.teamManager, user, nodeInfo);
-    }
+  deleteAccessKey({ teamDid, accessKeyId }, context) {
+    return accessKeyManager.deleteAccessKey(this, { teamDid, accessKeyId }, context);
+  }
-    this.emit(TeamEvents.userAdded, { teamDid, user: doc });
+  refreshLastUsed({ teamDid, accessKeyId }, context) {
+    return accessKeyManager.refreshLastUsed(this, { teamDid, accessKeyId }, context);
+  }
-    return doc;
+  verifyAccessKey({ teamDid, accessKey }) {
+    return accessKeyManager.verifyAccessKey(this, { teamDid, accessKey });
   }
-  async getUsers({ teamDid, query, paging: inputPaging, sort, dids }, context = {}) {
-    const state = await this.getUserState(teamDid);
-    const nodeInfo = await this.node.read();
+  // ============ OAuth Manager ============
+  getOAuthClients({ teamDid, paging }) {
+    return oauthManager.getOAuthClients(this, { teamDid, paging });
+  }
-    // HACK: 如果查询的是 server 的数据库，则不应该查询 userSession 表
-    if (teamDid === nodeInfo.did) {
-      if (query) {
-        delete query.includeUserSessions;
-      }
-    }
+  deleteOAuthClient({ teamDid, clientId }) {
+    return oauthManager.deleteOAuthClient(this, { teamDid, clientId });
+  }
-    if (inputPaging?.pageSize > MAX_USER_PAGE_SIZE) {
-      throw new Error(`Length of users should not exceed ${MAX_USER_PAGE_SIZE} per page`);
-    }
+  createOAuthClient({ teamDid, input }, context) {
+    return oauthManager.createOAuthClient(this, { teamDid, input }, context);
+  }
-    if (dids && dids.length > MAX_USER_PAGE_SIZE) {
-      throw new Error(`Length of users should not exceed ${MAX_USER_PAGE_SIZE}`);
-    }
+  updateOAuthClient({ teamDid, input }, context) {
+    return oauthManager.updateOAuthClient(this, { teamDid, input }, context);
+  }
-    let list;
-    let paging;
-    if (dids) {
-      list = await state.getUsersByDids({ query, dids }, context);
-      paging = {
-        total: list.length,
-        pageSize: dids.length,
-        pageCount: 1,
-        page: 1,
-      };
-    } else {
-      const doc = await state.getUsers({ query, sort, paging: { pageSize: 20, ...inputPaging } }, context);
-      list = doc.list;
-      paging = doc.paging;
-    }
+  // ============ Verify Code Manager ============
+  createVerifyCode({ teamDid, subject, scope, purpose }) {
+    return verifyCodeManager.createVerifyCode(this, { teamDid, subject, scope, purpose });
+  }
-    let userSessionsCountList = [];
-    if (teamDid !== nodeInfo.did && query?.includeUserSessions) {
-      userSessionsCountList = await pMap(
-        list,
-        async (x) => {
-          const { count: userSessionsCount } = await this.getUserSessionsCount({
-            teamDid,
-            query: {
-              userDid: x.did,
-              appPid: teamDid,
-            },
-          });
-          return userSessionsCount;
-        },
-        { concurrency: 10 }
-      );
-    }
-    const users = list.map(
-      (d, index) => {
-        const pickData = pick(d, [
-          'did',
-          'pk',
-          'role',
-          'email',
-          'phone',
-          'fullName',
-          'approved',
-          'createdAt',
-          'updatedAt',
-          'passports',
-          'firstLoginAt',
-          'lastLoginAt',
-          'lastLoginIp',
-          'remark',
-          'avatar',
-          'locale',
-          'tags',
-          'url',
-          'inviter',
-          'generation',
-          'emailVerified',
-          'phoneVerified',
-          // oauth relate fields
-          'sourceProvider',
-          'sourceAppPid',
-          'connectedAccounts',
-          'metadata',
-          'isFollowing',
-        ]);
+  consumeVerifyCode({ teamDid, code }) {
+    return verifyCodeManager.consumeVerifyCode(this, { teamDid, code });
+  }
-        return {
-          ...pickData,
-          userSessions: [],
-          userSessionsCount: userSessionsCountList[index] || 0,
-        };
-      }
+  issueVerifyCode({ teamDid, code }) {
+    return verifyCodeManager.issueVerifyCode(this, { teamDid, code });
+  }
-      // eslint-disable-next-line function-paren-newline
-    );
-    return {
-      // FIXME: @zhanghan 这里做字段过滤的目的是？gql 本身已经对字段做了过滤了
-      users,
-      paging,
-    };
+  sendVerifyCode({ teamDid, code }) {
+    return verifyCodeManager.sendVerifyCode(this, { teamDid, code });
   }
-  async getUsersCount({ teamDid }) {
-    const state = await this.getUserState(teamDid);
-    return state.count();
+  isSubjectVerified({ teamDid, subject }) {
+    return verifyCodeManager.isSubjectVerified(this, { teamDid, subject });
   }
-  async getUsersCountPerRole({ teamDid }) {
-    const roles = await this.getRoles({ teamDid });
-    const state = await this.getUserState(teamDid);
-    const names = ['$all', ...roles.filter((x) => !x.orgId).map((x) => x.name), '$none', '$blocked'];
-    return Promise.all(
-      names.map(async (name) => {
-        const count = await state.countByPassport({ name, status: PASSPORT_STATUS.VALID });
-        return { key: name, value: count };
-      })
-    );
+  isSubjectIssued({ teamDid, userDid, subject }) {
+    return verifyCodeManager.isSubjectIssued(this, { teamDid, userDid, subject });
   }
-  /**
-   * @description
-   * @param {{
-   *  teamDid: string,
-   *  user: {
-   *    did: string,
-   *  },
-   *  options: Record<string, any>
-   * }} { teamDid, user, options = {} }
-   * @return {Promise<import('@abtnode/models').UserState>}
-   * @memberof TeamAPI
-   */
-  async getUser({ teamDid, user, options = {} }) {
-    const state = await this.getUserState(teamDid);
-    return state.getUser(user.did, options);
+  isSubjectSent({ teamDid, subject }) {
+    return verifyCodeManager.isSubjectSent(this, { teamDid, subject });
   }
-  async getConnectedAccount({ teamDid, id }) {
-    const state = await this.getUserState(teamDid);
-    return state.getConnectedAccount(id);
+  getVerifyCode({ teamDid, code, id }) {
+    return verifyCodeManager.getVerifyCode(this, { teamDid, code, id });
   }
-  async isEmailUsed({ teamDid, email, verified = false, sourceProvider = '' }) {
-    const state = await this.getUserState(teamDid);
-    return state.isEmailUsed(email, verified, sourceProvider);
+  rotateSessionKey({ teamDid }) {
+    return verifyCodeManager.rotateSessionKey(this, { teamDid });
   }
-  async isPhoneUsed({ teamDid, phone, verified = false }) {
-    const state = await this.getUserState(teamDid);
-    return state.isPhoneUsed(phone, verified);
+  // ============ Store Manager ============
+  addStore({ teamDid, url, scope }, context) {
+    return storeManager.addStore(this, { teamDid, url, scope }, context);
   }
-  async getUserByDid({ teamDid, userDid, attributes = [] }) {
-    const state = await this.getUserState(teamDid);
-    return state.getUserByDid(userDid, attributes);
+  addEndpoint({ teamDid, url }, context) {
+    return storeManager.addEndpoint(this, { teamDid, url }, context);
   }
-  async isUserValid({ teamDid, userDid }) {
-    const state = await this.getUserState(teamDid);
-    return state.isUserValid(userDid);
+  deleteEndpoint({ teamDid, did, projectId }, context) {
+    return storeManager.deleteEndpoint(this, { teamDid, did, projectId }, context);
   }
-  async isPassportValid({ teamDid, passportId }) {
-    const state = await this.getUserState(teamDid);
-    return state.isPassportValid(passportId);
+  existsStore({ teamDid, url, scope }, context) {
+    return storeManager.existsStore(this, { teamDid, url, scope }, context);
   }
-  async isConnectedAccount({ teamDid, did }) {
-    const state = await this.getUserState(teamDid);
-    return state.isConnectedAccount(did);
+  deleteStore({ teamDid, url, projectId, scope }, context) {
+    return storeManager.deleteStore(this, { teamDid, url, projectId, scope }, context);
   }
-  async getOwner({ teamDid }) {
-    let owner = await this.teamManager.getOwner(teamDid);
-    const state = await this.getUserState(teamDid);
-    if (!owner) {
-      const ownerDids = await state.getOwnerDids();
-      if (ownerDids.length > 0) {
-        owner = { did: ownerDids[0] };
-      }
-    }
+  // ============ Session Manager ============
+  getUserSession(params) {
+    return sessionManager.getUserSession(this, params);
+  }
-    if (!owner) {
-      return null;
-    }
+  getUserSessions(params) {
+    return sessionManager.getUserSessions(this, params);
+  }
-    // NOTICE: 目前 owner 只能为 did-wallet，无需查询 connectedAccount
-    const full = await state.getUser(owner.did);
-    return full || owner;
+  getUserSessionsCount(params) {
+    return sessionManager.getUserSessionsCount(this, params);
   }
-  async userFollowAction({ teamDid, userDid, followerDid, action = 'follow', options = {} }, context = {}) {
-    const targetDid = followerDid || context.userDid;
+  getPassportById(params) {
+    return sessionManager.getPassportById(this, params);
+  }
-    if (!USER_RELATION_ACTIONS[action]) {
-      throw new CustomError(
-        400,
-        `Invalid action: ${action}. Supported: ${Object.keys(USER_RELATION_ACTIONS).join(', ')}`
-      );
-    }
-    let result;
-    try {
-      const state = await this.getUserState(teamDid);
-      result = await USER_RELATION_ACTIONS[action](state, targetDid, userDid, options);
-    } catch (error) {
-      logger.error(`Failed to ${action} user`, {
-        followerDid: targetDid,
-        userDid,
-        error,
-      });
-      throw error;
-    }
+  getPassportFromFederated(params) {
+    return sessionManager.getPassportFromFederated(this, params);
+  }
-    try {
-      if (action === 'follow' && !options.skipNotification) {
-        const currentUser = await this.getUser({ teamDid, user: { did: targetDid } });
-        await this.createNotification({
-          teamDid,
-          receiver: userDid,
-          title: 'Followed',
-          description: `<${currentUser.fullName}(did:abt:${currentUser.did})> followed you`,
-          activity: {
-            type: 'follow',
-            actor: followerDid,
-            target: {
-              type: 'user',
-              id: followerDid,
-            },
-          },
-          entityId: teamDid,
-          source: 'system',
-          severity: 'success',
-        });
-      }
-    } catch (error) {
-      // 消息创建失败，不影响 follow 操作
-      logger.error('Failed to create notification', { error });
-    }
+  upsertUserSession(params) {
+    return sessionManager.upsertUserSession(this, params);
+  }
-    return result;
+  syncUserSession(params) {
+    return sessionManager.syncUserSession(this, params);
   }
-  async getUserFollows({ teamDid, userDid, type = 'following', paging, sort, options = {} }, context = {}) {
-    const state = await this.getUserState(teamDid);
+  logoutUser(params) {
+    return sessionManager.logoutUser(this, params);
+  }
-    const blocklet = await getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs });
+  // ============ User Manager ============
+  loginUser(params, context) {
+    return userManager.loginUser(this, params, context);
+  }
-    if (paging?.pageSize > MAX_USER_PAGE_SIZE) {
-      throw new Error(`Length of users should not exceed ${MAX_USER_PAGE_SIZE} per page`);
-    }
+  disconnectUserAccount(params, context) {
+    return userManager.disconnectUserAccount(this, params, context);
+  }
-    if (!USER_RELATION_QUERIES[type]) {
-      throw new CustomError(400, `Invalid type: ${type}. Supported: ${Object.keys(USER_RELATION_QUERIES).join(', ')}`);
-    }
+  addUser(params, context) {
+    return userManager.addUser(this, params, context);
+  }
-    try {
-      const { list, paging: resultPaging } = await USER_RELATION_QUERIES[type](
-        state,
-        userDid,
-        {
-          paging,
-          sort,
-          ...options,
-        },
-        context
-      );
-      list.forEach((item) => {
-        const { user } = item;
-        if (user && user?.avatar && user?.avatar?.startsWith(USER_AVATAR_URL_PREFIX)) {
-          user.avatar = `${getFederatedUserAvatarUrl(user.avatar, blocklet)}?imageFilter=resize&w=48&h=48`;
-        }
-      });
-      return {
-        data: list,
-        paging: resultPaging,
-      };
-    } catch (error) {
-      logger.error('Failed to get user follows', { error });
-      throw error;
-    }
+  getUsers(params, context) {
+    return userManager.getUsers(this, params, context);
   }
-  async getUserFollowStats({ teamDid, userDids, options = {} }, context = {}) {
-    const state = await this.getUserState(teamDid);
-    const info = await this.node.read();
-    const prefix = process.env.NODE_ENV === 'production' ? info.routing.adminPath : '';
-    return state.getFollowStats({ userDids, teamDid, prefix, options }, context);
+  getUsersCount(params) {
+    return userManager.getUsersCount(this, params);
   }
-  async checkFollowing({ teamDid, userDids = [], followerDid }) {
-    if (!followerDid) {
-      throw new CustomError(400, 'Follower DID is required');
-    }
-    const state = await this.getUserState(teamDid);
-    return state.isFollowing(followerDid, userDids);
+  getUsersCountPerRole(params) {
+    return userManager.getUsersCountPerRole(this, params);
   }
-  async getUserInvites({ teamDid, userDid, paging, sort, options = {} }, context = {}) {
-    try {
-      if (paging?.pageSize > MAX_USER_PAGE_SIZE) {
-        throw new CustomError(400, `Length of users should not exceed ${MAX_USER_PAGE_SIZE} per page`);
-      }
-      const state = await this.getUserState(teamDid);
-      const { users, paging: resultPaging } = await state.getInvitees(userDid, { paging, sort, ...options }, context);
-      // 处理头像
-      const blocklet = await getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs });
-      users.forEach((user) => {
-        if (user && user?.avatar && user?.avatar?.startsWith(USER_AVATAR_URL_PREFIX)) {
-          user.avatar = `${getFederatedUserAvatarUrl(user.avatar, blocklet)}?imageFilter=resize&w=48&h=48`;
-        }
-      });
-      return {
-        users,
-        paging: resultPaging,
-      };
-    } catch (error) {
-      logger.error('Failed to get user invites', { teamDid, userDid, error });
-      throw error;
-    }
+  getUser(params, context) {
+    return userManager.getUser(this, params, context);
   }
-  async createWebhookDisabledNotification({ teamDid, userDid, webhook, action = '', locale = 'en' }) {
-    const notification = {
-      en: {
-        title: 'Your webhook has been temporarily disabled',
-        description: `Your Webhook has been temporarily disabled after ${WEBHOOK_CONSECUTIVE_FAILURES_THRESHOLD} consecutive failed message delivery attempts. Please check its availability and you can click the button below to reactivate it if needed.`,
-        failureCount: 'Number of failures',
-        failureUrl: 'Failed Webhook URL',
-      },
-      zh: {
-        title: '您的 webhook 已被暂时禁用',
-        description: `您的 Webhook 在连续 ${WEBHOOK_CONSECUTIVE_FAILURES_THRESHOLD} 次消息投递失败后已被暂时禁用。请检查其可用性，如果需要重新激活，请点击下方按钮。`,
-        failureCount: '失败次数',
-        failureUrl: '失败的 Webhook URL',
-      },
-    };
+  getConnectedAccount(params, context) {
+    return userManager.getConnectedAccount(this, params, context);
+  }
-    try {
-      const nodeInfo = await this.node.read();
-      // server 的 webhook 页面地址
-      const actionPath = '/settings/integration';
-      let _action =
-        process.env.NODE_ENV === 'production' ? joinURL(nodeInfo.routing.adminPath, actionPath) : actionPath;
-      const channels = [NOTIFICATION_SEND_CHANNEL.WALLET, NOTIFICATION_SEND_CHANNEL.PUSH];
-      if (teamDid && !this.teamManager.isNodeTeam(teamDid)) {
-        channels.push(NOTIFICATION_SEND_CHANNEL.EMAIL);
-        _action = action || `${WELLKNOWN_SERVICE_PATH_PREFIX}/user/settings`; // 默认返回用户中心页面设置页面
-      }
-      await this.teamManager.createNotification({
-        title: notification[locale].title,
-        description: notification[locale].description,
-        attachments: [
-          {
-            type: 'section',
-            fields: [
-              {
-                type: 'text',
-                data: {
-                  type: 'plain',
-                  color: '#9397A1',
-                  text: notification[locale].failureUrl,
-                },
-              },
-              {
-                type: 'text',
-                data: {
-                  type: 'plain',
-                  color: '#9397A1',
-                  text: webhook.url,
-                },
-              },
-              {
-                type: 'text',
-                data: {
-                  type: 'plain',
-                  color: '#9397A1',
-                  text: notification[locale].failureCount,
-                },
-              },
-              {
-                type: 'text',
-                data: {
-                  type: 'plain',
-                  color: '#9397A1',
-                  text: `${WEBHOOK_CONSECUTIVE_FAILURES_THRESHOLD}`,
-                },
-              },
-            ],
-          },
-        ],
-        source: 'system',
-        severity: 'warning',
-        action: _action,
-        channels,
-        ...(teamDid ? { teamDid } : {}),
-        ...(userDid ? { receiver: userDid } : {}),
-      });
-    } catch (error) {
-      logger.error('Failed to create webhook disabled notification', { teamDid, userDid, webhook, error });
-    }
+  isEmailUsed(params) {
+    return userManager.isEmailUsed(this, params);
   }
-  async updateWebHookState({ teamDid, userDids, webhook, enabled, consecutiveFailures }) {
-    const state = await this.getUserState(teamDid);
-    return Promise.all(
-      userDids.map(async (userDid) => {
-        const webhookParams =
-          consecutiveFailures === undefined
-            ? omit(
-                {
-                  ...webhook,
-                  enabled: enabled ?? webhook.enabled,
-                },
-                ['consecutiveFailures']
-              )
-            : {
-                ...webhook,
-                enabled: enabled ?? webhook.enabled,
-                consecutiveFailures,
-              };
-        await state.updateWebhook(userDid, webhookParams, (updated) => {
-          this.createWebhookDisabledNotification({ teamDid, userDid, webhook: updated });
-        });
-      })
-    );
+  isPhoneUsed(params) {
+    return userManager.isPhoneUsed(this, params);
   }
-  async updateUser({ teamDid, user }) {
-    const state = await this.getUserState(teamDid);
-    const exist = await state.getUserByDid(user.did);
-    const updated = await state.updateUser(user.did, user);
-    logger.info('user updated successfully', { teamDid, userDid: user.did });
-    this.emit(TeamEvents.userUpdated, { teamDid, user: updated });
-    const kycChanged =
-      (typeof user.emailVerified === 'boolean' && user.emailVerified !== exist.emailVerified) ||
-      (typeof user.phoneVerified === 'boolean' && user.phoneVerified !== exist.phoneVerified);
-    if (kycChanged) {
-      logger.info('user updated with kycChanged', { teamDid, userDid: user.did });
-      this.emit(TeamEvents.userPermissionUpdated, { teamDid, user: updated });
-    }
+  getUserByDid(params) {
+    return userManager.getUserByDid(this, params);
+  }
-    return updated;
+  isUserValid(params) {
+    return userManager.isUserValid(this, params);
   }
-  updateUserAddress(args) {
-    if (!args.address) {
-      throw new Error('address should not be empty');
-    }
+  isPassportValid(params) {
+    return userManager.isPassportValid(this, params);
+  }
-    return this.updateUser({ teamDid: args.teamDid, user: pick(args, ['did', 'address']) });
+  isConnectedAccount(params) {
+    return userManager.isConnectedAccount(this, params);
   }
-  async updateUserTags({ teamDid, did, tags }) {
-    const state = await this.getUserState(teamDid);
-    const doc = await state.updateTags(did, tags);
-    logger.info('user tags updated successfully', { teamDid, userDid: did, tags });
-    this.emit(TeamEvents.userUpdated, { teamDid, user: doc });
-    return doc;
+  getOwner(params) {
+    return userManager.getOwner(this, params);
   }
-  async removeUser({ teamDid, user }) {
-    const { did } = user;
+  userFollowAction(params, context) {
+    return userManager.userFollowAction(this, params, context);
+  }
-    if (!did) {
-      throw new Error('did does not exist');
-    }
+  getUserFollows(params, context) {
+    return userManager.getUserFollows(this, params, context);
+  }
-    if (user.role === ROLES.OWNER) {
-      throw new Error('Cannot delete owner');
-    }
+  getUserFollowStats(params, context) {
+    return userManager.getUserFollowStats(this, params, context);
+  }
-    const state = await this.getUserState(teamDid);
-    await state.remove({ did });
-    logger.info('user removed successfully', { teamDid, userDid: did });
-    this.emit(TeamEvents.userRemoved, { teamDid, user: { did } });
+  checkFollowing(params) {
+    return userManager.checkFollowing(this, params);
+  }
-    return { did };
+  getUserInvites(params) {
+    return userManager.getUserInvites(this, params);
   }
-  async updateUserApproval({ teamDid, user, options: { includeFederated = true } = {} }) {
-    const state = await this.getUserState(teamDid);
-    const userDoc = await state.getUser(user.did);
+  updateUser(params, context) {
+    return userManager.updateUser(this, params, context);
+  }
-    if (!userDoc) {
-      throw new Error('User does not exist');
-    }
+  updateUserAddress(params, context) {
+    return userManager.updateUserAddress(this, params, context);
+  }
-    if (hasActiveOwnerPassport(userDoc)) {
-      throw new Error('Cannot update owner\'s approval'); // prettier-ignore
-    }
+  updateUserTags(params, context) {
+    return userManager.updateUserTags(this, params, context);
+  }
-    const changeData = pick(user, ['did', 'approved']);
+  removeUser(params, context) {
+    return userManager.removeUser(this, params, context);
+  }
-    const result = await state.updateApproved(changeData);
+  updateUserApproval(params, context) {
+    return userManager.updateUserApproval(this, params, context);
+  }
-    logger.info('user approval updated successfully', { teamDid, userDid: user.did, approved: user.approved });
+  updateWebHookState(params) {
+    return userManager.updateWebHookState(this, params);
+  }
-    if (changeData?.approved === false) {
-      // 需要注销指定 userDid 在当前 member 和 master 中的所有 userSession
-      await this.logoutUser({ teamDid, userDid: user.did });
+  createWebhookDisabledNotification(params) {
+    return userManager.createWebhookDisabledNotification(this, params);
+  }
-      // 需要禁用用户的所有 passport
-      await state.revokePassportByUserDid({ did: user.did });
+  async switchProfile({ teamDid, userDid, profile }) {
+    const state = await this.getUserState(teamDid);
+    // NOTICE: 这个 schema 没有对数据做任何 default 操作，所以没必要用 validate 之后的值
+    const { error } = profileSchema.validate({ ...profile, did: userDid });
+    if (error) {
+      throw new Error(error);
     }
-    if (includeFederated) {
-      const nodeInfo = await this.node.read();
-      // 只有 blocklet 需要执行这个操作
-      if (nodeInfo.did !== teamDid) {
-        const blocklet = await getBlocklet({
-          did: teamDid,
-          states: this.states,
-          dataDirs: this.dataDirs,
-          useCache: true,
-        });
-        syncFederated({
-          nodeInfo,
-          blocklet,
-          data: {
-            users: [
-              {
-                action: user.approved ? 'unban' : 'ban',
-                did: user.did,
-                sourceAppPid: userDoc.sourceAppPid,
-              },
-            ],
-          },
-        });
+    const oldUser = await state.getUser(userDid);
+    if (!oldUser) {
+      throw new Error('User is not exist', { userDid, teamDid });
+    }
+    const mergeData = { ...profile };
+    if (mergeData.avatar) {
+      if (mergeData.avatar.startsWith(USER_AVATAR_URL_PREFIX)) {
+        // pass
+      } else if (isUrl(mergeData.avatar)) {
+        try {
+          mergeData.avatar = await getAvatarByUrl(mergeData.avatar);
+          const blocklet = await getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs });
+          mergeData.avatar = await extractUserAvatar(mergeData.avatar, { dataDir: blocklet.env.dataDir });
+        } catch {
+          logger.error('Failed to convert external avatar', { teamDid, userDid, avatar: mergeData.avatar });
+          throw new Error('Failed to convert external avatar');
+        }
+      } else {
+        // 仅当 avatar 是 base64 时，对 avatar 进行处理
+        const regex = /^data:image\/(\w+);base64,/;
+        const match = regex.exec(mergeData.avatar);
+        if (match) {
+          const blocklet = await getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs });
+          mergeData.avatar = await extractUserAvatar(mergeData.avatar, { dataDir: blocklet.env.dataDir });
+        } else {
+          logger.error('Profile avatar is invalid', { teamDid, userDid, profile });
+          throw new Error('Profile avatar is invalid');
+        }
       }
     }
-    this.emit(TeamEvents.userUpdated, { teamDid, user: result });
-    this.emit(TeamEvents.userPermissionUpdated, { teamDid, user: result });
+    const doc = await state.updateUser(userDid, mergeData);
+    logger.info('User switch-profile successfully', { teamDid, userDid });
+    this.emit(TeamEvents.userUpdated, { teamDid, user: doc });
+    this.emit(TeamEvents.userProfileUpdated, { teamDid, user: doc });
+    return doc;
+  }
-    return result;
+  // ============ Invitation Manager ============
+  createMemberInvitation(params, context) {
+    return invitationManager.createMemberInvitation(this, params, context, { validatePassportDisplay });
   }
-  /**
-   * @param {object} options
-   * @param {string} options.teamDid
-   * @param {string} options.userDid
-   * @param {string} options.role
-   * @param {object} [options.display]
-   * @param {string} options.display.type
-   * @param {string} options.display.content
-   * @param {boolean} [options.notify=true]
-   * @param {object} [options.notification]
-   */
-  // 前端用上了，目前是在后端使用
-  async issuePassportToUser(
-    { teamDid, userDid, role: roleName, display = null, notify = true, notification, action = '' },
-    context = {}
-  ) {
-    try {
-      // eslint-disable-next-line no-param-reassign
-      notification = JSON.parse(notification);
-    } catch {
-      logger.error('Failed to parse notification, use notification as undefined', { notification });
-    }
-    const { locale = 'en' } = context;
+  getInvitation({ teamDid, inviteId }) {
+    return invitationManager.getInvitation(this, { teamDid, inviteId });
+  }
-    const userState = await this.getUserState(teamDid);
-    // NOTICE: issuePassportToUser 必须传入 wallet did，无需查询 connectedAccount
-    const user = await userState.getUser(userDid);
+  getInvitations({ teamDid, filter, orgId }, context) {
+    return invitationManager.getInvitations(this, { teamDid, filter, orgId }, context);
+  }
-    if (!user) {
-      throw new Error(`user does not exist: ${userDid}`);
-    }
+  deleteInvitation({ teamDid, inviteId }) {
+    return invitationManager.deleteInvitation(this, { teamDid, inviteId });
+  }
-    if (!user.approved) {
-      throw new Error(`the user is revoked: ${userDid}`);
-    }
+  checkInvitation({ teamDid, inviteId }) {
+    return invitationManager.checkInvitation(this, { teamDid, inviteId });
+  }
-    const rbac = await this.getRBAC(teamDid);
-    const role = await rbac.getRole(roleName);
+  closeInvitation(params) {
+    return invitationManager.closeInvitation(this, params);
+  }
-    if (!role) {
-      throw new Error(`passport does not exist: ${roleName}`);
-    }
+  createTransferInvitation({ teamDid, remark }, context = {}) {
+    return invitationManager.createTransferInvitation(this, { teamDid, remark }, context, { validatePassportDisplay });
+  }
-    await validatePassportDisplay(role, display);
-    // create vc
-    const nodeInfo = await this.node.read();
-    const {
-      wallet,
-      passportColor,
-      appUrl,
-      name: issuerName,
-    } = await getApplicationInfo({
-      teamDid,
-      nodeInfo,
-      node: {
-        dataDirs: this.dataDirs,
-        getSessionSecret: this.nodeAPI?.getSessionSecret?.bind(this.nodeAPI) || (() => 'abc'),
-        getBlocklet: () => getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs }),
-      },
-    });
+  createTransferAppOwnerSession({ appDid, remark }) {
+    return invitationManager.createTransferAppOwnerSession(this, { appDid, remark });
+  }
-    const result = await createPassport({ role });
-    const vc = await createPassportVC({
-      issuerName,
-      issuerWallet: wallet,
-      issuerAvatarUrl: getAppAvatarUrl(appUrl),
-      ownerDid: userDid,
-      endpoint: getPassportStatusEndpoint({
-        baseUrl: joinURL(appUrl, WELLKNOWN_SERVICE_PATH_PREFIX),
-        userDid: user.did,
-        teamDid,
-      }),
-      ownerProfile: {
-        ...user,
-        avatar: getUserAvatarUrl(appUrl, user.avatar),
-      },
-      preferredColor: passportColor,
-      passport: result.passport,
-      types: result.types,
-      purpose: teamDid === nodeInfo.did || isEmpty(result.types) ? 'login' : 'verification',
-      display,
-    });
-    // write passport to db
-    const passport = createUserPassport(vc, { role: role.name, display, source: PASSPORT_SOURCE.ISSUE });
-    user.passports = upsertToPassports(user.passports || [], passport);
-    await this.updateUser({
-      teamDid,
-      user: {
-        did: user.did,
-        pk: user.pk,
-        passports: user.passports,
-      },
-    });
-    if (passport && this.passportAPI) {
-      await this.passportAPI.createPassportLog(teamDid, {
-        passportId: passport.id,
-        action: PASSPORT_LOG_ACTION.ISSUE,
-        operatorDid: userDid,
-        metadata: {
-          action: action || 'issue-passport-to-user',
-        },
-        operatorIp: context?.ip || '',
-        operatorUa: context?.ua || '',
-      });
-    }
-    // send vc to wallet
-    if (notify) {
-      sendPassportVcNotification({ userDid, appWallet: wallet, locale, vc, notification });
-    }
-    return user;
-  }
-  async revokeUserPassport({ teamDid, userDid, passportId } = {}, context = {}) {
-    if (!passportId) {
-      throw new Error('Revoked passport should not be empty');
-    }
-    const state = await this.getUserState(teamDid);
-    const doc = await state.revokePassportById({ did: userDid, id: passportId });
-    // create passport log
-    if (this.passportAPI) {
-      await this.passportAPI.createPassportLog(teamDid, {
-        passportId,
-        action: PASSPORT_LOG_ACTION.REVOKE,
-        operatorDid: userDid,
-        metadata: {
-          operator: await state.getUser(userDid).catch(() => null),
-        },
-        operatorIp: context?.ip || '',
-        operatorUa: context?.ua || '',
-      });
-    }
-    logger.info('user passport revoked successfully', { teamDid, userDid, passportId });
-    this.emit(TeamEvents.userUpdated, { teamDid, user: doc });
-    this.emit(TeamEvents.userPermissionUpdated, { teamDid, user: doc });
-    return doc;
-  }
-  async enableUserPassport({ teamDid, userDid, passportId } = {}, context) {
-    if (!passportId) {
-      throw new Error('Passport should not be empty');
-    }
-    const state = await this.getUserState(teamDid);
-    const doc = await state.enablePassportById({ did: userDid, id: passportId });
-    if (this.passportAPI) {
-      await this.passportAPI.createPassportLog(teamDid, {
-        passportId,
-        action: PASSPORT_LOG_ACTION.APPROVE,
-        operatorDid: userDid,
-        metadata: {
-          operator: await state.getUser(userDid).catch(() => null),
-        },
-        operatorIp: context?.ip || '',
-        operatorUa: context?.ua || '',
-      });
-    }
-    logger.info('user passport enabled successfully', { teamDid, userDid, passportId });
-    this.emit(TeamEvents.userUpdated, { teamDid, user: doc });
-    this.emit(TeamEvents.userPermissionUpdated, { teamDid, user: doc });
-    return doc;
-  }
-  async removeUserPassport({ passportId, userDid, teamDid }) {
-    if (!passportId) {
-      throw new Error('Revoked passport should not be empty');
-    }
-    const state = await this.getUserState(teamDid);
-    const doc = await state.removePassportById({ id: passportId });
-    logger.info('user passport remove successfully', { teamDid, userDid, passportId });
-    this.emit(TeamEvents.userUpdated, { teamDid, user: doc });
-    this.emit(TeamEvents.userPermissionUpdated, { teamDid, user: doc });
-    return doc;
-  }
-  async switchProfile({ teamDid, userDid, profile }) {
-    const state = await this.getUserState(teamDid);
-    // NOTICE: 这个 schema 没有对数据做任何 default 操作，所以没必要用 validate 之后的值
-    const { error } = profileSchema.validate({ ...profile, did: userDid });
-    if (error) {
-      throw new Error(error);
-    }
-    const oldUser = await state.getUser(userDid);
-    if (!oldUser) {
-      throw new Error('User is not exist', { userDid, teamDid });
-    }
-    const mergeData = { ...profile };
-    if (mergeData.avatar) {
-      if (mergeData.avatar.startsWith(USER_AVATAR_URL_PREFIX)) {
-        // pass
-      } else if (isUrl(mergeData.avatar)) {
-        try {
-          mergeData.avatar = await getAvatarByUrl(mergeData.avatar);
-          const blocklet = await getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs });
-          mergeData.avatar = await extractUserAvatar(mergeData.avatar, { dataDir: blocklet.env.dataDir });
-        } catch {
-          logger.error('Failed to convert external avatar', { teamDid, userDid, avatar: mergeData.avatar });
-          throw new Error('Failed to convert external avatar');
-        }
-      } else {
-        // 仅当 avatar 是 base64 时，对 avatar 进行处理
-        const regex = /^data:image\/(\w+);base64,/;
-        const match = regex.exec(mergeData.avatar);
-        if (match) {
-          const blocklet = await getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs });
-          mergeData.avatar = await extractUserAvatar(mergeData.avatar, { dataDir: blocklet.env.dataDir });
-        } else {
-          logger.error('Profile avatar is invalid', { teamDid, userDid, profile });
-          throw new Error('Profile avatar is invalid');
-        }
-      }
-    }
-    const doc = await state.updateUser(userDid, mergeData);
-    logger.info('User switch-profile successfully', { teamDid, userDid });
-    this.emit(TeamEvents.userUpdated, { teamDid, user: doc });
-    this.emit(TeamEvents.userProfileUpdated, { teamDid, user: doc });
-    return doc;
-  }
-  // Invite member
-  /**
-   * @type InvitationSession {
-   *   type: 'invite';
-   *   role: string;
-   *   remark: string;
-   *   expireDate: number;
-   *   inviter: {
-   *     did: string;
-   *     email?: string;
-   *     fullName?: string;
-   *     role?: string;
-   *   };
-   *   teamDid: string;
-   *   status: '' | 'success';
-   *   receiver: {
-   *     did: string;
-   *   };
-   *   sourceAppPid: string;
-   *   display: {
-   *     type: string;
-   *     tag: string;
-   *   };
-   * }
-   * @returns
-   */
-  async createMemberInvitation(
-    {
-      teamDid,
-      role: roleName,
-      expireTime,
-      remark,
-      sourceAppPid,
-      display = null,
-      passportExpireTime = null,
-      orgId = '', // 是否是邀请加入组织
-      inviteUserDids = [], // 邀请用户列表
-    },
-    context
-  ) {
-    await this.teamManager.checkEnablePassportIssuance(teamDid);
-    if (expireTime && expireTime <= 0) {
-      throw new Error('Expire time must be greater than 0');
-    }
-    if (!roleName) {
-      throw new Error('Role cannot be empty');
-    }
-    if (passportExpireTime && dayjs(passportExpireTime).isBefore(dayjs())) {
-      throw new Error('Passport expire time must be greater than current time');
-    }
-    const roles = await this.getRoles({ teamDid, orgId });
-    const role = roles.find((r) => r.name === roleName);
-    if (!role) {
-      throw new Error(`Role does not exist: ${roleName}`);
-    }
-    await validatePassportDisplay(role, display);
-    if (remark && remark.length > 50) {
-      throw new Error('Remark length should NOT be more than 50 characters');
-    }
-    const { user } = context;
-    if (!user || !user.did) {
-      throw new Error('Inviter does not exist');
-    }
-    // 如果邀请加入组织，则不验证 role 和 passport
-    if (!orgId && (user?.role || '').startsWith('blocklet-')) {
-      const userInfo = await this.getUser({ teamDid, user });
-      validateUserRolePassport({
-        role: (user?.role || '').replace('blocklet-', ''),
-        passports: userInfo?.passports || [],
-      });
-    }
-    const expireDate = Date.now() + (expireTime || this.memberInviteExpireTime);
-    const state = await this.getSessionState(teamDid);
-    const { id: inviteId } = await state.start({
-      type: 'invite',
-      role: roleName,
-      remark,
-      expireDate,
-      inviter: user,
-      teamDid,
-      orgId,
-      inviteUserDids,
-      sourceAppPid,
-      display,
-      passportExpireTime,
-    });
-    logger.info('Create invite member', { role: roleName, user, inviteId, display });
-    return {
-      inviteId,
-      role: roleName,
-      remark,
-      expireDate: new Date(expireDate).toString(),
-      inviter: user,
-      teamDid,
-      sourceAppPid,
-      display,
-    };
-  }
-  async getInvitation({ teamDid, inviteId }) {
-    if (!teamDid || !inviteId) {
-      return null;
-    }
-    const state = await this.getSessionState(teamDid);
-    const invitation = await state.read(inviteId);
-    if (!invitation) {
-      return null;
-    }
-    return {
-      // eslint-disable-next-line no-underscore-dangle
-      inviteId: invitation.id,
-      role: invitation.role,
-      remark: invitation.remark,
-      expireDate: new Date(invitation.expireDate).toString(),
-      inviter: invitation.inviter,
-      teamDid: invitation.teamDid,
-      status: invitation.status,
-      receiver: invitation.receiver,
-      sourceAppPid: invitation.sourceAppPid || null,
-      display: invitation.display || null,
-      orgId: invitation.orgId || null,
-      inviteUserDids: invitation.inviteUserDids || [],
-      passportExpireTime: invitation.passportExpireTime || null,
-    };
-  }
-  async getInvitations({ teamDid, filter, orgId = '' }, context = {}) {
-    const state = await this.getSessionState(teamDid);
-    let invitations = [];
-    if (orgId) {
-      const org = await this.getOrg({ teamDid, id: orgId }, context);
-      const { user } = context;
-      if (!org) {
-        throw new CustomError(404, `Org does not exist: ${orgId}`);
-      }
-      if (org.ownerDid !== user?.did) {
-        throw new CustomError(403, `You are not the owner of the org: ${orgId}`);
-      }
-    }
-    const query = { type: 'invite' };
-    if (orgId) {
-      query['__data.orgId'] = orgId;
-    } else {
-      query.$or = [{ '__data.orgId': { $exists: false } }, { '__data.orgId': '' }];
-    }
-    invitations = await state.find(query);
-    return invitations.filter(filter || ((x) => x.status !== 'success')).map((d) => ({
-      // eslint-disable-next-line no-underscore-dangle
-      inviteId: d.id,
-      role: d.role,
-      remark: d.remark,
-      expireDate: new Date(d.expireDate).toString(),
-      inviter: d.inviter,
-      teamDid: d.teamDid,
-      status: d.status,
-      receiver: d.receiver,
-      sourceAppPid: d.sourceAppPid || null,
-      display: d.display || null,
-      orgId: d.orgId || null,
-      inviteUserDids: d.inviteUserDids || [],
-      passportExpireTime: d.passportExpireTime || null,
-    }));
-  }
-  async deleteInvitation({ teamDid, inviteId }) {
-    if (!inviteId) {
-      throw new Error('InviteId cannot be empty');
-    }
-    const state = await this.getSessionState(teamDid);
-    await state.end(inviteId);
-    logger.info('Delete invite session', { inviteId });
-    return true;
-  }
-  async checkInvitation({ teamDid, inviteId }) {
-    const state = await this.getSessionState(teamDid);
-    const invitation = await state.read(inviteId);
-    if (!invitation) {
-      throw new Error(`The invitation does not exist: ${inviteId}`);
-    }
-    const { role, expireDate, remark } = invitation;
-    if (Date.now() > expireDate) {
-      logger.error('Invite id has expired', { inviteId, expireAt: new Date(expireDate) });
-      throw new Error(`The invitation has expired: ${inviteId}`);
-    }
-    const roles = await this.getRoles({ teamDid });
-    const orgRoles = await this.getRoles({ teamDid, orgId: invitation.orgId });
-    const allRoles = [...roles, ...orgRoles];
-    if (!allRoles.some((r) => r.name === role)) {
-      throw new Error(`Role does not exist: ${role}`);
-    }
-    return {
-      role,
-      remark,
-    };
-  }
-  async closeInvitation({ teamDid, inviteId, status, receiver, isOrgInvite, timeout = 30 * 1000 }) {
-    const state = await this.getSessionState(teamDid);
-    const invitation = await state.read(inviteId);
-    if (!invitation) {
-      throw new Error(`The invitation does not exist: ${inviteId}`);
-    }
-    let shouldRemoveInviteSession = false;
-    if (isOrgInvite && invitation?.inviteUserDids?.length > 0) {
-      const unReceiverUserDids = invitation.inviteUserDids.filter((did) => did !== receiver.did);
-      shouldRemoveInviteSession = unReceiverUserDids.length === 0;
-      await state.update(inviteId, {
-        receiver,
-        inviteUserDids: unReceiverUserDids,
-        ...(shouldRemoveInviteSession ? { status } : {}),
-      });
-    } else {
-      await state.update(inviteId, { status, receiver });
-      shouldRemoveInviteSession = true;
-    }
-    if (shouldRemoveInviteSession) {
-      setTimeout(async () => {
-        try {
-          logger.info('Invitation session closed', { inviteId });
-          await state.end(inviteId);
-        } catch (error) {
-          logger.error('close invitation failed', { error });
-        }
-      }, timeout);
-    }
-  }
-  // transfer
-  /**
-   * this function is only used to create server owner transfer invitation
-   */
-  createTransferInvitation({ teamDid, remark }, context = {}) {
-    return this.createMemberInvitation(
-      { teamDid, expireTime: this.transferOwnerExpireTime, remark, role: 'owner' },
-      context
-    );
-  }
-  /**
-   * this function is only used to create application owner transfer
-   */
-  async createTransferAppOwnerSession({ appDid, remark = '' }) {
-    const expireTime = this.transferOwnerExpireTime;
-    await this.teamManager.checkEnableTransferAppOwner(appDid);
-    if (remark && remark.length > 50) {
-      throw new Error('Remark length should NOT be more than 50 characters');
-    }
-    const expireDate = Date.now() + expireTime;
-    const state = await this.getSessionState(appDid);
-    const { id: transferId } = await state.start({
-      type: 'transfer-app-owner',
-      remark,
-      expireDate,
-      appDid,
-    });
-    logger.info('createTransferAppOwnerSession', { appDid, transferId });
-    return {
-      transferId,
-      remark,
-      expireDate: new Date(expireDate).toString(),
-      appDid,
-      status: 'created',
-    };
-  }
-  async getTransferAppOwnerSession({ appDid, transferId }) {
-    if (!appDid || !transferId) {
-      return null;
-    }
-    const state = await this.getSessionState(appDid);
-    const transfer = await state.read(transferId);
-    if (!transfer) {
-      return null;
-    }
-    return formatTransferData(transfer);
-  }
-  async checkTransferAppOwnerSession({ appDid, transferId }) {
-    const state = await this.getSessionState(appDid);
-    const transfer = await state.read(transferId);
-    if (!transfer) {
-      throw new Error(`The transfer session does not exist: ${transferId}`);
-    }
-    const { expireDate } = transfer;
-    if (Date.now() > expireDate) {
-      logger.error('Transfer session has expired', { transferId, expireAt: new Date(expireDate) });
-      throw new Error(`The transfer session has expired: ${transferId}`);
-    }
-    return formatTransferData(transfer);
-  }
-  async closeTransferAppOwnerSession({ appPid, transferId, status, timeout = 30 * 1000 }) {
-    const state = await this.getSessionState(appPid);
-    const session = await state.read(transferId);
-    if (!session) {
-      throw new Error(`The transfer app owner session does not exist: ${transferId}`);
-    }
-    await state.update(transferId, { status });
-    setTimeout(async () => {
-      try {
-        await state.end(transferId);
-        logger.info('Transfer session closed', { transferId });
-      } catch (error) {
-        logger.error('close transfer session failed', { transferId, error });
-      }
-    }, timeout);
-  }
-  // Issue Passport
-  /**
-   * 为指定用户颁发 passport
-   * @param {string} param.teamDid - 应用的 did
-   * @param {string} param.ownerDid - 指定用户的 did
-   * @param {string} param.name - passport 的 role
-   * @returns {object} passport-info
-   */
-  async createPassportIssuance({ teamDid, ownerDid, name, display = null, passportExpireTime = null }, context = {}) {
-    if (!name) {
-      throw new Error('Passport cannot be empty');
-    }
-    if (!isValidDid(ownerDid)) {
-      throw new Error(`ownerDid is invalid: ${ownerDid}`);
-    }
-    await this.teamManager.checkEnablePassportIssuance(teamDid);
-    // passport name is same as role
-    const roles = await this.getRoles({ teamDid });
-    const role = roles.find((r) => r.name === name);
-    if (!role) {
-      throw new Error(`Passport does not exist: ${name}`);
-    }
-    if (role.extra?.display === 'custom') {
-      if (!display) {
-        throw new Error(`display is required for custom passport: ${name}`);
-      }
-      const { error } = passportDisplaySchema.validate(display);
-      if (error) {
-        throw new Error(`display invalid for custom passport: ${formatError(error)}`);
-      }
-    }
-    await validatePassportDisplay(role, display);
-    const expireDate = Date.now() + this.memberInviteExpireTime;
-    const state = await this.getSessionState(teamDid);
-    // 为指定用户颁发通行证，拿到的 did 是永久 did，无需查询 connectedAccount
-    const currentUser = await this.getUser({ teamDid, user: { did: ownerDid } });
-    const walletDid = getWalletDid(currentUser);
-    const userDid = walletDid || ownerDid;
-    // 这里可能是为一个不存在的用户创建一个 passport，所以需要额外判断一下
-    if (currentUser) {
-      // auth0 账户不需要手动领取
-      if (walletDid !== ownerDid) {
-        const blocklet = await getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs });
-        const nodeInfo = await this.node.read();
-        const blockletInfo = getBlockletInfo(blocklet, nodeInfo.sk);
-        const { wallet, passportColor, appUrl, name: issuerName } = blockletInfo;
-        const result = await createPassport({ role });
-        const vc = await createPassportVC({
-          issuerName,
-          issuerWallet: wallet,
-          issuerAvatarUrl: getAppAvatarUrl(appUrl),
-          ownerDid: userDid,
-          endpoint: getPassportStatusEndpoint({
-            baseUrl: joinURL(appUrl, WELLKNOWN_SERVICE_PATH_PREFIX),
-            userDid: ownerDid,
-            teamDid,
-          }),
-          ownerProfile: {
-            ...currentUser,
-            avatar: getUserAvatarUrl(appUrl, currentUser.avatar),
-          },
-          preferredColor: passportColor,
-          display,
-          passport: result.passport,
-          types: result.types,
-          purpose: teamDid === nodeInfo.did || isEmpty(result.types) ? 'login' : 'verification',
-        });
-        if (walletDid) {
-          sendPassportVcNotification({ userDid, appWallet: wallet, locale: 'en', vc });
-        }
-        // write passport to db
-        const passport = createUserPassport(vc, { role: role.name, display, source: PASSPORT_SOURCE.ISSUE });
-        const passports = upsertToPassports(currentUser.passports || [], passport);
-        await this.updateUser({
-          teamDid,
-          user: {
-            did: currentUser.did,
-            pk: currentUser.pk,
-            passports,
-          },
-        });
-        if (passport && this.passportAPI) {
-          await this.passportAPI.createPassportLog(teamDid, {
-            passportId: passport.id,
-            action: PASSPORT_LOG_ACTION.ISSUE,
-            operatorIp: context?.ip || '',
-            operatorUa: context?.ua || '',
-            operatorDid: ownerDid,
-            metadata: {
-              action: PASSPORT_ISSUE_ACTION.ISSUE_ON_AUTH0,
-            },
-          });
-        }
-        return undefined;
-      }
-    }
-    const { id } = await state.start({
-      type: 'passport-issuance',
-      key: userDid,
-      expireDate, // session expireDate
-      name: role.name,
-      title: role.title,
-      ownerDid: userDid,
-      teamDid,
-      display,
-      inviter: context?.user,
-      passportExpireTime,
-    });
-    logger.info('Create issuing passport session', { id, passport: name, ownerDid, teamDid });
-    return {
-      id,
-      name: role.name,
-      title: role.title,
-      expireDate: new Date(expireDate).toString(),
-      ownerDid: userDid,
-      teamDid,
-      display,
-    };
-  }
-  async getPassportIssuances({ teamDid, ownerDid }) {
-    const state = await this.getSessionState(teamDid);
-    const query = { type: 'passport-issuance' };
-    if (ownerDid) {
-      query.key = ownerDid;
-    }
-    const list = await state.find(query);
-    return list.map((d) => ({
-      // eslint-disable-next-line no-underscore-dangle
-      id: d.id,
-      name: d.name,
-      title: d.title,
-      expireDate: new Date(d.expireDate).toString(),
-      ownerDid: d.ownerDid,
-      teamDid: d.teamDid,
-      display: d.display,
-    }));
-  }
-  async getPassportIssuance({ teamDid, sessionId }) {
-    const state = await this.getSessionState(teamDid);
-    const doc = await state.read(sessionId);
-    // FIXME: @zhanghan 指定被邀请者的邀请需要查询被邀请者的详细信息
-    return doc;
-  }
-  async processPassportIssuance({ teamDid, sessionId }) {
-    const state = await this.getSessionState(teamDid);
-    const session = await state.read(sessionId);
-    if (!session) {
-      throw new Error(`The passport issuance session does not exist: ${sessionId}`);
-    }
-    const { name, ownerDid, expireDate } = session;
-    if (Date.now() > expireDate) {
-      logger.error('The passport issuance session has expired', { sessionId, expireAt: new Date(expireDate) });
-      throw new Error(`The passport issuance session has expired: ${sessionId}`);
-    }
-    const roles = await this.getRoles({ teamDid });
-    if (!roles.find((x) => x.name === name)) {
-      throw new Error(`Passport does not exist: ${name}`);
-    }
-    await state.end(sessionId);
-    logger.info('The passport issuance session completed successfully', { sessionId, name, ownerDid });
-    return {
-      name,
-      ownerDid,
-    };
-  }
-  async deletePassportIssuance({ teamDid, sessionId }) {
-    if (!sessionId) {
-      throw new Error('SessionId cannot be empty');
-    }
-    const state = await this.getSessionState(teamDid);
-    await state.end(sessionId);
-    logger.info('Delete passport issuance session', { sessionId });
-    return true;
-  }
-  async configTrustedPassports({ teamDid, trustedPassports }) {
-    const value = await validateTrustedPassportIssuers(trustedPassports);
-    await this.teamManager.configTrustedPassports(teamDid, value);
-    if (!this.teamManager.isNodeTeam(teamDid)) {
-      this.emit(BlockletEvents.updated, { meta: { did: teamDid } });
-    }
-  }
-  async configTrustedFactories({ teamDid, trustedFactories }) {
-    const value = await validateTrustedFactories(trustedFactories);
-    const client = getChainClient(MAIN_CHAIN_ENDPOINT);
-    await Promise.all(
-      value.map(async (x) => {
-        const { state } = await client.getFactoryState({ address: x.factoryAddress });
-        if (!state) {
-          throw new Error(`NFT Collection ${x.factoryAddress} not found on ${MAIN_CHAIN_ENDPOINT}`);
-        }
-      })
-    );
-    await this.teamManager.configTrustedFactories(teamDid, value);
-    if (!this.teamManager.isNodeTeam(teamDid)) {
-      this.emit(BlockletEvents.updated, { meta: { did: teamDid } });
-    }
-  }
-  async configPassportIssuance({ teamDid, enable }) {
-    await this.teamManager.configPassportIssuance(teamDid, !!enable);
-    if (!this.teamManager.isNodeTeam(teamDid)) {
-      this.emit(BlockletEvents.updated, { meta: { did: teamDid } });
-    }
-  }
-  // Access Control
-  getRoles({ teamDid, orgId }) {
-    return this.teamManager.getRoles(teamDid, orgId);
-  }
-  async getRole({ teamDid, role: { name } = {} }) {
-    if (!name) {
-      throw new Error('role name is invalid');
-    }
-    const rbac = await this.getRBAC(teamDid);
-    const role = await rbac.getRole(name);
-    return role ? pick(role, ['name', 'grants', 'title', 'description', 'extra', 'orgId']) : null;
-  }
-  async createRole({ teamDid, name, description, title, childName, permissions = [], extra: raw, orgId }) {
-    logger.info('create role', { teamDid, name, description, childName, permissions, raw });
-    const attrs = { name, title, description, childName, permissions, orgId };
-    if (raw) {
-      try {
-        attrs.extra = JSON.parse(raw);
-      } catch (err) {
-        throw new Error('extra should be a valid json string');
-      }
-    }
-    await validateCreateRole(pick(attrs, ['name', 'title', 'description', 'extra']));
-    validateReservedRole(name);
-    const rbac = await this.getRBAC(teamDid);
-    let role;
-    try {
-      role = await rbac.createRole(attrs);
-      return pick(role, ['name', 'title', 'grants', 'description', 'extra', 'orgId']);
-    } catch (err) {
-      if (new RegExp(`Item ${name} already exists`).test(err.message)) {
-        throw new Error(`Id ${name} already exists`);
-      }
-      throw err;
-    }
-  }
-  async updateRole({ teamDid, role: { name, title, description, extra: raw } = {}, orgId }) {
-    logger.info('update role', { teamDid, name, title, description, raw });
-    const attrs = { name, title, description, orgId };
-    if (raw) {
-      try {
-        attrs.extra = JSON.parse(raw);
-      } catch (err) {
-        throw new Error('extra should be a valid json string');
-      }
-    }
-    await validateUpdateRole(pick(attrs, ['name', 'title', 'description', 'extra']));
-    const rbac = await this.getRBAC(teamDid);
-    const state = await rbac.updateRole(attrs);
-    return pick(state, ['name', 'title', 'grants', 'description', 'extra', 'orgId']);
-  }
-  async getPermissions({ teamDid }) {
-    const rbac = await this.getRBAC(teamDid);
-    const permissions = await rbac.getPermissions();
-    return permissions.map((d) => {
-      d.isProtected = !!(d.extra && d.extra.isProtected);
-      return pick(d, ['name', 'description', 'isProtected']);
-    });
-  }
-  async createPermission({ teamDid, name, description }) {
-    logger.info('create permissions', { teamDid, name });
-    await validateCreatePermission({ name, description });
-    const rbac = await this.getRBAC(teamDid);
-    const added = await rbac.createPermission({ name, description });
-    return pick(added, ['name', 'description']);
-  }
-  async updatePermission({ teamDid, permission: { name, description } = {} }) {
-    logger.info('update permission', { teamDid, name, description });
-    await validateUpdatePermission({ name, description });
-    const rbac = await this.getRBAC(teamDid);
-    const state = await rbac.updatePermission({ name, description });
-    return pick(state, ['name', 'description']);
-  }
-  async grant({ teamDid, roleName, grantName }) {
-    logger.info('grant', { teamDid, roleName, grantName });
-    const rbac = await this.getRBAC(teamDid);
-    await rbac.grant(roleName, grantName);
-    return true;
-  }
-  async revoke({ teamDid, roleName, grantName }) {
-    logger.info('revoke', { teamDid, roleName, grantName });
-    const rbac = await this.getRBAC(teamDid);
-    await rbac.revoke(roleName, grantName);
-    return true;
-  }
-  async updateGrants({ teamDid, roleName, grantNames }) {
-    logger.info('update grants', { teamDid, roleName, grantNames });
-    const rbac = await this.getRBAC(teamDid);
-    const role = await rbac.updateGrants(roleName, grantNames);
-    return pick(role, ['name', 'grants', 'title', 'description']);
-  }
-  async deleteRole({ teamDid, name }) {
-    logger.info('delete role', { teamDid, name });
-    validateReservedRole(name);
-    const rbac = await this.getRBAC(teamDid);
-    await rbac.removeRole(name);
-    return true;
-  }
-  async deletePermission({ teamDid, name }) {
-    logger.info('delete permission', { teamDid, name });
-    const rbac = await this.getRBAC(teamDid);
-    const permission = await rbac.getPermission(name);
-    if (permission.extra && permission.extra.isProtected) {
-      throw new Error(`The permission ${name} is reserved`);
-    }
-    await rbac.removePermission(name);
-    return true;
-  }
-  async getPermissionsByRole({ teamDid, role }) {
-    const rbac = await this.getRBAC(teamDid);
-    const permissions = await rbac.getScope(role.name, true);
-    return permissions.map((d) => pick(d, ['name', 'description']));
-  }
-  async hasPermission({ teamDid, role, permission }) {
-    const rbac = await this.getRBAC(teamDid);
-    const has = await rbac.can(role, ...permission.split('_'));
-    return has;
-  }
-  async refreshBlockletInterfacePermissions(blockletMeta) {
-    const { did, interfaces } = blockletMeta;
-    const rbac = await this.getRBAC(did);
-    const oldPermissions = await this.getPermissions({ teamDid: did });
-    await Promise.all(
-      (interfaces || []).map(async ({ name, type }) => {
-        const permissionName = genPermissionName(name);
-        if (type === 'web') {
-          if (!oldPermissions.some((x) => x.name === permissionName)) {
-            await rbac.createPermission({
-              name: permissionName,
-              description: `Access resources under the ${name} interface`,
-              extra: {
-                isProtected: true,
-              },
-            });
-          }
-        }
-      })
-    );
-  }
-  // eslint-disable-next-line no-unused-vars
-  async addStore({ teamDid, url, scope = '' }, context) {
-    logger.info('add store', { teamDid, url, scope });
-    const sanitized = withoutTrailingSlash(await StoreUtil.getStoreUrl(url));
-    const storeList = await this.teamManager.getStoreList(teamDid);
-    const exists = storeList.some((x) => {
-      if (x.url === sanitized) {
-        if (!x.scope) {
-          return true;
-        }
-        return x.scope === scope;
-      }
-      return false;
-    });
-    if (exists) {
-      throw new Error(`Blocklet Store already exist: ${sanitized}`);
-    }
-    const store = await StoreUtil.getStoreMeta(sanitized);
-    storeList.push({ ...store, scope, url: sanitized, protected: false });
-    return this.teamManager.updateStoreList(teamDid, storeList);
-  }
-  // 获取更多信息
-  async addEndpoint({ teamDid, url }, context) {
-    const userDid = context?.user?.did;
-    const { endpoint, appPid, appName, appDescription } = await ensureServerEndpoint(url);
-    const endpointList = await this.teamManager.getEndpointList(teamDid);
-    if (!appPid) {
-      throw new Error('current url not blocklet url');
-    }
-    if (!endpoint) {
-      throw new Error('current url not blocklet url');
-    }
-    const index = endpointList.findIndex((x) => x.id === appPid);
-    if (index !== -1) {
-      endpointList[index].url = url;
-    } else {
-      endpointList.push({ id: appPid, appName, appDescription, scope: userDid, url, endpoint, protected: false });
-    }
-    return this.teamManager.updateEndpointList(teamDid, endpointList);
-  }
-  async deleteEndpoint({ teamDid, did, projectId }, context) {
-    const endpointList = await this.teamManager.getEndpointList(teamDid);
-    const index = endpointList.findIndex((x) => x.id === did);
-    if (index === -1) {
-      throw new Error(`Blocklet Endpoint does not exist: ${did}`);
-    }
-    endpointList.splice(index, 1);
-    if (projectId) {
-      const { projectState } = await this.teamManager.getProjectState(teamDid);
-      await projectState.deleteConnectedEndpoint({ projectId, endpointId: did, createdBy: context?.user?.did });
-    }
-    return this.teamManager.updateEndpointList(teamDid, endpointList);
-  }
-  async existsStore({ teamDid, url, scope }, context) {
-    const sanitized = withoutTrailingSlash(await StoreUtil.getStoreUrl(url));
-    const storeList = await this.teamManager.getStoreList(teamDid);
-    const did = context?.user?.did;
-    const exists = storeList.some((x) => {
-      if (x.url !== sanitized) {
-        return false;
-      }
-      if (x.scope && x.scope === did) {
-        return true;
-      }
-      if (!x.scope || x.scope === 'studio') {
-        return true;
-      }
-      return x.scope === scope;
-    });
-    return exists;
-  }
-  // eslint-disable-next-line no-unused-vars
-  async deleteStore({ teamDid, url, projectId, scope }, context) {
-    logger.info('delete registry', { url });
-    const sanitized = sanitizeUrl(url);
-    const storeList = await this.teamManager.getStoreList(teamDid);
-    let storeIndex;
-    if (scope) {
-      storeIndex = storeList.findIndex((x) => {
-        if (x.protected) {
-          return false;
-        }
-        return x.url === sanitized && x.scope === scope;
-      });
-      if (storeIndex === -1) {
-        throw new Error(`No permission to delete the Store registry: ${sanitized}`);
-      }
-    } else {
-      storeIndex = storeList.findIndex((x) => x.url === sanitized && !x.scope);
-      if (storeIndex === -1) {
-        throw new Error(`Store registry does not exist: ${sanitized}`);
-      }
-    }
-    if (projectId && scope) {
-      const { projectState } = await this.teamManager.getProjectState(teamDid);
-      const store = await StoreUtil.getStoreMeta(sanitized);
-      await projectState.deleteConnectedStore({
-        projectId,
-        storeId: store.id,
-        createdBy: scope === 'studio' ? null : context?.user?.did,
-      });
-    }
-    storeList.splice(storeIndex, 1);
-    return this.teamManager.updateStoreList(teamDid, storeList);
-  }
-  createNotification = (payload) => {
-    return this.teamManager.createNotification(payload);
-  };
-  async getNotification({ teamDid, ...rest }, context) {
-    const notificationState = await this.getNotificationState(teamDid);
-    return notificationState.findPaginated({ teamDid, ...rest }, context);
-  }
-  async getNotificationById({ teamDid, id }) {
-    const notificationState = await this.getNotificationState(teamDid);
-    const notification = await notificationState.findNotification({ id });
-    return notification;
-  }
-  async getNotificationsUnreadCount({ teamDid, receiver }, context) {
-    const notificationState = await this.getNotificationState(teamDid);
-    return notificationState.getUnreadCount({ receiver }, context);
-  }
-  async createNotificationReceiver({ teamDid, receiverInstance, ...rest }, context) {
-    const notificationState = await this.getNotificationState(teamDid);
-    return notificationState.createNotificationReceiver({ receiverInstance, ...rest }, context);
-  }
-  async markAllNotificationsAsRead({ teamDid, ...rest }, context) {
-    const notificationState = await this.getNotificationState(teamDid);
-    const result = await notificationState.makeAllAsRead(rest, context);
-    const { numAffected, notificationIds, effectRows } = result;
-    this.teamManager.emitReadNotification(teamDid, {
-      readCount: numAffected,
-      notificationIds,
-      receiver: rest.receiver,
-      effectRows,
-    });
-    return result;
-  }
-  async updateNotificationStatus({ teamDid, receivers, notificationId, updates }) {
-    const notificationState = await this.getNotificationState(teamDid);
-    const result = await notificationState.updateStatus({ receivers, notificationId, updates, teamDid });
-    // 发送状态更新的通知给前端，使用通用节流函数
-    if (result > 0 && teamDid && !this.teamManager.isNodeTeam(teamDid)) {
-      const throttledEmit = this.getThrottledEmit(teamDid);
-      if (throttledEmit) {
-        throttledEmit(EVENTS.NOTIFICATION_BLOCKLET_UPDATE, {
-          teamDid,
-          notificationId,
-        });
-      }
-    }
-    return result;
+  getTransferAppOwnerSession({ appDid, transferId }) {
+    return invitationManager.getTransferAppOwnerSession(this, { appDid, transferId });
   }
-  async readNotifications({ teamDid, ...rest }, context) {
-    const notificationState = await this.getNotificationState(teamDid);
-    const { numAffected, effectRows } = await notificationState.read({ teamDid, ...rest }, context);
-    this.teamManager.emitReadNotification(teamDid, {
-      readCount: numAffected,
-      receiver: rest.receiver,
-      notificationIds: rest.notificationIds ?? [],
-      effectRows,
-    });
-    return numAffected;
-  }
-  async unreadNotifications({ teamDid, ...rest }, context) {
-    const notificationState = await this.getNotificationState(teamDid);
-    return notificationState.unread({ teamDid, ...rest }, context);
-  }
-  async getNotificationSendLog({ teamDid, ...rest }, context) {
-    const notificationState = await this.getNotificationState(teamDid);
-    return notificationState.getNotificationSendLog({ ...rest }, context);
-  }
-  async getNotificationComponents({ teamDid, ...rest }, context) {
-    const notificationState = await this.getNotificationState(teamDid);
-    return notificationState.getNotificationComponents({ ...rest }, context);
-  }
-  async getReceivers({ teamDid, ...rest }, context) {
-    const notificationState = await this.getNotificationState(teamDid);
-    return notificationState.getNotificationReceivers({ ...rest }, context);
-  }
-  // =======
-  // Private
-  // =======
-  getRBAC(did) {
-    return this.teamManager.getRBAC(did);
-  }
-  getUserState(did) {
-    return this.teamManager.getUserState(did);
-  }
-  getVerifyCodeState(did) {
-    return this.teamManager.getVerifyCodeState(did);
-  }
-  getUserSessionState(did) {
-    return this.teamManager.getUserSessionState(did);
-  }
-  getAccessKeyState(did) {
-    return this.teamManager.getAccessKeyState(did);
-  }
-  getTagState(did) {
-    return this.teamManager.getTagState(did);
-  }
-  getTaggingState(did) {
-    return this.teamManager.getTaggingState(did);
-  }
-  getSessionState(did) {
-    return this.teamManager.getSessionState(did);
-  }
-  getNotificationState(did) {
-    return this.teamManager.getNotificationState(did);
-  }
-  getOrgState(did) {
-    return this.teamManager.getOrgState(did);
-  }
-  // =============
-  // Just for test
-  // =============
-  setInviteExpireTime(ms) {
-    this.memberInviteExpireTime = ms;
-  }
-  // user-session management
-  async getUserSession({ teamDid, id, includeUser = false }) {
-    const state = await this.getUserSessionState(teamDid);
-    const userState = await this.getUserState(teamDid);
-    const where = {
-      status: USER_SESSION_STATUS.ONLINE,
-      id,
-    };
-    const include = [];
-    if (includeUser) {
-      include.push({
-        model: userState.model,
-        as: 'user',
-        attributes: [
-          'did',
-          'pk',
-          'sourceProvider',
-          'fullName',
-          'email',
-          'avatar',
-          'remark',
-          'sourceAppPid',
-          'approved',
-        ],
-      });
-    }
-    const userSession = await state.model.findOne({
-      where,
-      attributes: [
-        'id',
-        'appPid',
-        'userDid',
-        'visitorId',
-        'passportId',
-        'createdAt',
-        'updatedAt',
-        'extra',
-        'ua',
-        'lastLoginIp',
-        'status',
-      ],
-      include,
-    });
-    return userSession?.toJSON?.();
-  }
-  // query, paging: inputPaging, sort
-  async getUserSessions({ teamDid, query = {}, paging, sort }) {
-    const nodeInfo = await this.node.read({ useCache: true });
-    if (teamDid === nodeInfo.did) {
-      return {
-        list: [],
-        paging: {
-          page: 1,
-          pageCount: 0,
-          pageSize: 10,
-          total: 0,
-        },
-      };
-    }
-    const { userDid, visitorId, appPid, includeUser = false, status = USER_SESSION_STATUS.ONLINE } = query;
-    const state = await this.getUserSessionState(teamDid);
-    const userState = await this.getUserState(teamDid);
-    const where = {};
-    if (userDid) where.userDid = userDid;
-    if (visitorId) where.visitorId = visitorId;
-    if (appPid) where.appPid = appPid;
-    const blocklet = await getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs, useCache: true });
-    const whereStatus = getUserSessionWhere({ status, blocklet });
-    Object.assign(where, whereStatus);
-    const include = [];
-    if (includeUser) {
-      include.push({
-        model: userState.model,
-        as: 'user',
-        attributes: [
-          'did',
-          'pk',
-          'sourceProvider',
-          'fullName',
-          'email',
-          'avatar',
-          'remark',
-          'sourceAppPid',
-          'approved',
-        ],
-      });
-    }
-    const result = await state.paginate(
-      {
-        where,
-        attributes: [
-          'id',
-          'appPid',
-          'userDid',
-          'visitorId',
-          'passportId',
-          'createdAt',
-          'updatedAt',
-          'extra',
-          'ua',
-          'lastLoginIp',
-          'status',
-        ],
-        include,
-      },
-      { updatedAt: -1, ...sort },
-      { pageSize: 10, ...paging }
-    );
-    // NOTICE: 保留结构，方便理解
-    return {
-      list: result.list,
-      paging: result.paging,
-    };
+  checkTransferAppOwnerSession({ appDid, transferId }) {
+    return invitationManager.checkTransferAppOwnerSession(this, { appDid, transferId });
   }
-  async getUserSessionsCount({ teamDid, query = {} }) {
-    const nodeInfo = await this.node.read();
-    if (teamDid === nodeInfo.did) {
-      return {
-        count: 0,
-      };
-    }
-    const { userDid, visitorId, appPid, status = USER_SESSION_STATUS.ONLINE } = query;
-    const state = await this.getUserSessionState(teamDid);
-    const where = {};
-    if (userDid) where.userDid = userDid;
-    if (visitorId) where.visitorId = visitorId;
-    if (appPid) where.appPid = appPid;
-    const blocklet = await getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs, useCache: true });
-    const whereStatus = getUserSessionWhere({ status, blocklet });
-    Object.assign(where, whereStatus);
-    // HACK: 使用 state.count 并不能按预期工作，先改为使用 state.model.count 来实现
-    const result = await state.model.count({ where });
-    return {
-      count: result,
-    };
+  closeTransferAppOwnerSession(params) {
+    return invitationManager.closeTransferAppOwnerSession(this, params);
   }
-  async getPassportById({ teamDid, passportId }) {
-    const userState = await this.getUserState(teamDid);
-    const passport = await userState.getPassportById(passportId);
-    return passport;
-  }
-  async getPassportFromFederated({ site, passportId, teamDid }) {
-    try {
-      const blocklet = await getBlocklet({
-        did: teamDid,
-        states: this.states,
-        dataDirs: this.dataDirs,
-        useCache: true,
-      });
-      const nodeInfo = await this.node.read();
-      const { permanentWallet } = getBlockletInfo(blocklet, nodeInfo.sk);
-      const result = await callFederated({
-        action: 'getPassport',
-        data: {
-          passportId,
-        },
-        permanentWallet,
-        site,
-        requestOptions: {
-          // 缩短查询通行证的请求时间，这个请求不会很复杂
-          timeout: 3 * 1000,
-        },
-      });
-      return result;
-    } catch (error) {
-      // 吞没错误，查询失败也不会影响整个快捷登录流程
-      logger.error('Failed to getPassportFromFederated', { site, passportId, teamDid, error });
-      return null;
-    }
+  // ============ Passport Manager ============
+  issuePassportToUser(params, context) {
+    return passportManager.issuePassportToUser(this, params, context);
   }
-  /**
-   * 新增|更新一个 userSession
-   * @param {string} params.teamDid - 当前更新的这个应用的 teamDid
-   * @param {string} params.appPid - 记录的 userSession 中应用的 appPid
-   * @param {string} params.userDid - 记录的 userSession 中当前用户的 did
-   * @param {string} params.visitorId - 记录的 userSession 中当前用户所使用设备的 visitorId
-   * @param {string} params.ua - 记录的 userSession 中当前用户所使用设备的 ua
-   * @param {string} params.lastLoginIp - 记录的 userSession 中当前用户的最后登录 ip
-   * @param {string} params.passportId - 记录的 userSession 中当前用户登录所使用的 passportId
-   * @param {string} params.status - 记录的 userSession 的状态
-   * @param {Object} params.extra - 记录的 userSession 额外的数据
-   * @returns
-   */
-  async upsertUserSession(
-    { teamDid, appPid, userDid, visitorId, ua, lastLoginIp, passportId, status, extra, locale, origin },
-    { skipNotification = false } = {}
-  ) {
-    if (!userDid) {
-      throw new Error('userDid is required');
-    }
-    if (visitorId) {
-      if (visitorId.length > 80) {
-        throw new Error('visitorId should be less than 80 characters');
-      }
-    }
-    const state = await this.getUserSessionState(teamDid);
-    let data;
-    if (!visitorId) {
-      data = await state.insert({
-        userDid,
-        ua,
-        lastLoginIp,
-        appPid,
-        passportId,
-        extra,
-      });
-      logger.info('insert userSession successfully', { userDid, ua, lastLoginIp, appPid, passportId, extra });
-      this.emit(BlockletEvents.addUserSession, {
-        userSession: data,
-        teamDid,
-        userDid,
-        locale,
-        skipNotification,
-        origin,
-      });
-    } else {
-      const exist = await state.findOne({ userDid, visitorId, appPid });
-      if (exist) {
-        const mergeExtra = defaults({}, extra || {}, exist.extra || {});
-        [, [data]] = await state.update(exist.id, {
-          passportId,
-          lastLoginIp,
-          ua,
-          status,
-          extra: mergeExtra,
-        });
-        logger.info('update userSession successfully', {
-          id: exist.id,
-          ua,
-          lastLoginIp,
-          passportId,
-          status,
-          extra: mergeExtra,
-        });
-        if (Date.now() - new Date(exist.createdAt).getTime() < 1000 * 10) {
-          // HACK: 此处是为了矫正首次创建 userSession 没有 ua 的情况，会通过 /api/did/session 接口来更新 ua 信息，这个时候才能当成新增 userSession 来发送通知
-          this.emit(BlockletEvents.addUserSession, {
-            userSession: data,
-            teamDid,
-            userDid,
-            locale,
-            skipNotification,
-            origin,
-          });
-        } else {
-          this.emit(BlockletEvents.updateUserSession, {
-            userSession: data,
-            teamDid,
-            userDid,
-            skipNotification,
-            origin,
-          });
-        }
-      } else {
-        data = await state.insert({
-          visitorId,
-          userDid,
-          ua,
-          lastLoginIp,
-          appPid,
-          passportId,
-          extra,
-        });
-        logger.info('insert userSession successfully', {
-          visitorId,
-          userDid,
-          ua,
-          lastLoginIp,
-          appPid,
-          passportId,
-          extra,
-        });
-        this.emit(BlockletEvents.addUserSession, {
-          userSession: data,
-          teamDid,
-          userDid,
-          locale,
-          skipNotification,
-          origin,
-        });
-      }
-    }
-    return data;
+  revokeUserPassport(params, context) {
+    return passportManager.revokeUserPassport(this, params, context);
   }
-  /**
-   * 同步一个 userSession（userSession 只能向 master 同步，或 master 向 member 同步，不能由 member 向 member 同步）
-   * @param {string} params.teamDid - 当前更新的这个应用的 teamDid
-   * @param {string} params.targetAppPid - 同步的 userSession 的目标站点 appPid
-   * @param {string} params.userDid - 同步的 userSession 中当前用户的 did
-   * @param {string} params.visitorId - 同步的 userSession 中当前用户所使用设备的 visitorId
-   * @param {string} params.ua - 同步的 userSession 中当前用户所使用设备的 ua
-   * @param {string} params.lastLoginIp - 同步的 userSession 中当前用户的最后登录 ip
-   * @param {string} params.passportId - 同步的 userSession 中当前用户登录所使用的 passportId
-   * @param {object} params.extra - 同步的 userSession 中当前用户登录额外的数据
-   * @returns
-   */
-  async syncUserSession({ teamDid, targetAppPid, userDid, visitorId, ua, lastLoginIp, passportId, extra }) {
-    if (!targetAppPid) return;
-    const blocklet = await getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs, useCache: true });
-    const nodeInfo = await this.node.read();
-    const { permanentWallet } = getBlockletInfo(blocklet, nodeInfo.sk);
-    const targetSite = findFederatedSite(blocklet, targetAppPid);
-    const masterSite = getFederatedMaster(blocklet);
-    let syncSite = null;
-    let appPid;
-    if (masterSite && targetSite) {
-      if (targetSite.appPid === masterSite.appPid) {
-        if (teamDid !== masterSite.appPid) {
-          syncSite = masterSite;
-          appPid = teamDid;
-        }
-      } else if (teamDid === masterSite.appPid) {
-        syncSite = targetSite;
-        appPid = targetAppPid;
-      }
-      if (syncSite) {
-        try {
-          const userSession = {
-            action: 'login',
-            userDid,
-            visitorId,
-            ua,
-            lastLoginIp,
-            appPid,
-            passportId,
-            extra,
-          };
-          await callFederated({
-            action: 'sync',
-            permanentWallet,
-            site: targetSite,
-            data: {
-              userSessions: [userSession],
-            },
-          });
-          logger.debug('Sync userSession to federated site successfully', {
-            userDid,
-            visitorId,
-            ua,
-            lastLoginIp,
-            appPid,
-            passportId,
-            targetSite,
-            extra,
-          });
-        } catch (err) {
-          logger.error(
-            'Sync userSession to federated site failed',
-            {
-              userDid,
-              visitorId,
-              ua,
-              lastLoginIp,
-              appPid,
-              passportId,
-              targetSite,
-              extra,
-            },
-            err
-          );
-        }
-      }
-    }
+  enableUserPassport(params, context) {
+    return passportManager.enableUserPassport(this, params, context);
   }
-  async logoutUser({ teamDid, userDid, visitorId = '', appPid = '', status = '', remove = false }) {
-    if (!userDid) {
-      throw new Error('userDid is required');
-    }
-    if (!teamDid) {
-      throw new Error('teamDid is required');
-    }
-    const nodeInfo = await this.node.read();
-    if (nodeInfo.did === teamDid) {
-      return 0;
-    }
-    const userSessionState = await this.getUserSessionState(teamDid);
-    const where = { userDid };
-    if (visitorId) where.visitorId = visitorId;
-    if (appPid) where.appPid = appPid;
-    const blocklet = await getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs, useCache: true });
-    const whereStatus = getUserSessionWhere({ status, blocklet });
-    Object.assign(where, whereStatus);
-    let result;
-    if (remove) {
-      result = await userSessionState.remove(where);
-    } else {
-      result = await userSessionState.update(where, { $set: { status: USER_SESSION_STATUS.OFFLINE } });
-    }
-    const { permanentWallet } = getBlockletInfo(blocklet, nodeInfo.sk);
-    const masterSite = getFederatedMaster(blocklet);
-    if (masterSite && masterSite.isMaster !== false && masterSite.appPid !== teamDid) {
-      callFederated({
-        action: 'sync',
-        permanentWallet,
-        // FIXME: @zhanghan 是否还需要通知其他 Member 站点，执行退出登录的操作
-        site: masterSite,
-        data: {
-          userSessions: [
-            {
-              action: 'logout',
-              userDid,
-              visitorId,
-              // HACK: 如果未传入 appPid，代表要注销当前用户在 master 中所有登录状态，所以传入 undefined；否则就只注销 master 中记录的当前 member 的登录状态
-              appPid: appPid ? teamDid : undefined,
-              remove,
-            },
-          ],
-        },
-      });
-    }
-    return result;
+  removeUserPassport(params) {
+    return passportManager.removeUserPassport(this, params);
   }
-  // KYC related
-  async createVerifyCode({ teamDid, subject, scope = 'email', purpose = 'kyc' }) {
-    const state = await this.getVerifyCodeState(teamDid);
-    return state.create(subject, scope, purpose);
+  createPassportIssuance(params, context) {
+    return passportManager.createPassportIssuance(this, params, context);
   }
-  async consumeVerifyCode({ teamDid, code }) {
-    const state = await this.getVerifyCodeState(teamDid);
-    return state.verify(code);
+  getPassportIssuances({ teamDid, ownerDid }) {
+    return passportManager.getPassportIssuances(this, { teamDid, ownerDid });
   }
-  async issueVerifyCode({ teamDid, code }) {
-    const state = await this.getVerifyCodeState(teamDid);
-    return state.issue(code);
+  getPassportIssuance({ teamDid, sessionId }) {
+    return passportManager.getPassportIssuance(this, { teamDid, sessionId });
   }
-  async sendVerifyCode({ teamDid, code }) {
-    const state = await this.getVerifyCodeState(teamDid);
-    return state.send(code);
+  processPassportIssuance({ teamDid, sessionId }) {
+    return passportManager.processPassportIssuance(this, { teamDid, sessionId });
   }
-  async isSubjectVerified({ teamDid, subject }) {
-    const state = await this.getVerifyCodeState(teamDid);
-    return state.isVerified(subject);
+  deletePassportIssuance({ teamDid, sessionId }) {
+    return passportManager.deletePassportIssuance(this, { teamDid, sessionId });
   }
-  async isSubjectIssued({ teamDid, userDid, subject }) {
-    const state = await this.getUserState(teamDid);
-    return state.isSubjectIssued(userDid, subject);
+  configTrustedPassports({ teamDid, trustedPassports }) {
+    return passportManager.configTrustedPassports(this, { teamDid, trustedPassports });
   }
-  async isSubjectSent({ teamDid, subject }) {
-    const state = await this.getVerifyCodeState(teamDid);
-    return state.isSent(subject);
+  configTrustedFactories({ teamDid, trustedFactories }) {
+    return passportManager.configTrustedFactories(this, { teamDid, trustedFactories });
   }
-  async getVerifyCode({ teamDid, code, id }) {
-    const state = await this.getVerifyCodeState(teamDid);
-    const where = {};
-    if (code) where.code = code;
-    if (id) where.id = id;
-    return state.findOne(where);
+  configPassportIssuance({ teamDid, enable }) {
+    return passportManager.configPassportIssuance(this, { teamDid, enable });
   }
-  async rotateSessionKey({ teamDid }) {
-    if (!teamDid) {
-      throw new Error('teamDid is required');
-    }
-    const info = await this.node.read();
-    if (info.did === teamDid) {
-      await this.node.updateNodeInfo({ sessionSalt: generateRandomString(16) });
-      return 0;
-    }
-    const blocklet = await getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs, useCache: true });
-    const sessionConfig = cloneDeep(blocklet.settings.session || {});
-    sessionConfig.salt = generateRandomString(16);
-    await this.states.blockletExtras.setSettings(blocklet.meta.did, { session: sessionConfig });
-    this.emit(BlockletEvents.updated, { meta: { did: teamDid } });
-    // NOTE: we need emit appConfigChanged event to update sessionSalt in blocklet-sdk
-    this.emit(BlockletInternalEvents.appConfigChanged, {
-      appDid: teamDid,
-      configs: [{ key: 'BLOCKLET_APP_SALT', value: sessionConfig.salt }],
-    });
-    return 1;
+  // ============ Org Manager ============
+  getOrgs(params, context) {
+    return orgManager.getOrgs(this, params, context);
   }
-  // AccessKey related
-  async getAccessKeys({ teamDid, ...data }, context) {
-    const state = await this.getAccessKeyState(teamDid);
-    return state.findPaginated(data, context);
+  getOrg({ teamDid, id }, context) {
+    return orgManager.getOrg(this, { teamDid, id }, context);
   }
-  async getAccessKey({ teamDid, accessKeyId }, context) {
-    const state = await this.getAccessKeyState(teamDid);
-    return state.detail({ accessKeyId }, context);
+  createDefaultOrgForUser({ teamDid, user }) {
+    return orgManager.createDefaultOrgForUser(this, { teamDid, user });
   }
-  async createAccessKey({ teamDid, ...data }, context) {
-    const state = await this.getAccessKeyState(teamDid);
-    return state.create(Object.assign({ componentDid: teamDid }, data), context);
+  issueOrgOwnerPassport({ teamDid, org }) {
+    return orgManager.issueOrgOwnerPassport(this, { teamDid, org });
   }
-  async updateAccessKey({ teamDid, ...data }, context) {
-    const state = await this.getAccessKeyState(teamDid);
-    return state.update(data, context);
+  createOrg(params, context) {
+    return orgManager.createOrg(this, params, context);
   }
-  async deleteAccessKey({ teamDid, accessKeyId }, context) {
-    const state = await this.getAccessKeyState(teamDid);
-    return state.remove({ accessKeyId }, context);
+  updateOrg({ teamDid, org }, context) {
+    return orgManager.updateOrg(this, { teamDid, org }, context);
   }
-  async refreshLastUsed({ teamDid, accessKeyId }, context) {
-    const state = await this.getAccessKeyState(teamDid);
-    return state.refreshLastUsed(accessKeyId, context);
+  deleteOrg({ teamDid, id }, context) {
+    return orgManager.deleteOrg(this, { teamDid, id }, context);
   }
-  async verifyAccessKey({ teamDid, ...data }, context) {
-    const state = await this.getAccessKeyState(teamDid);
-    const accessKey = await state.verify(data, context);
-    return accessKey;
+  addOrgMember({ teamDid, orgId, userDid }, context) {
+    return orgManager.addOrgMember(this, { teamDid, orgId, userDid }, context);
   }
-  async getOAuthClients({ teamDid, paging }) {
-    const { oauthClientState } = await this.teamManager.getOAuthState(teamDid);
-    return oauthClientState.list(paging);
+  updateOrgMember({ teamDid, orgId, userDid, status }, context) {
+    return orgManager.updateOrgMember(this, { teamDid, orgId, userDid, status }, context);
   }
-  async deleteOAuthClient({ teamDid, clientId }) {
-    const { oauthClientState } = await this.teamManager.getOAuthState(teamDid);
-    return oauthClientState.remove({ clientId });
+  sendInvitationNotification(params) {
+    return orgManager.sendInvitationNotification(this, params);
   }
-  async createOAuthClient({ teamDid, input }, context) {
-    const { oauthClientState } = await this.teamManager.getOAuthState(teamDid);
-    return oauthClientState.create(input, context);
+  getFederatedMasterBlockletInfo({ blocklet }) {
+    return orgManager.getFederatedMasterBlockletInfo({ blocklet });
   }
-  async updateOAuthClient({ teamDid, input }, context) {
-    const { oauthClientState } = await this.teamManager.getOAuthState(teamDid);
-    return oauthClientState.update(input, context);
+  inviteMembersToOrg(params, context) {
+    return orgManager.inviteMembersToOrg(this, params, context);
   }
-  async getOrgs({ teamDid, ...payload }, context) {
-    try {
-      const state = await this.getOrgState(teamDid);
-      const { passports, orgs, ...rest } = await state.list(payload, context);
-      const { includePassports = true } = payload.options || {};
-      if (includePassports) {
-        // 获取每个组织的 passports
-        const orgPassports = await Promise.all(orgs.map((o) => this.getRoles({ teamDid, orgId: o.id })));
-        orgs.forEach((o, index) => {
-          const roles = orgPassports[index]; // 获取每个组织的角色
-          // 过滤 passports
-          o.passports = passports.filter((p) => roles.some((r) => r.name === p.name));
-        });
-      } else {
-        orgs.forEach((o) => {
-          o.passports = [];
-        });
-      }
-      return {
-        ...rest,
-        orgs,
-      };
-    } catch (err) {
-      logger.error('Failed to get orgs', { err, teamDid });
-      throw err;
-    }
+  removeOrgMember({ teamDid, orgId, userDid }, context) {
+    return orgManager.removeOrgMember(this, { teamDid, orgId, userDid }, context);
   }
-  async getOrg({ teamDid, id }, context) {
-    try {
-      const state = await this.getOrgState(teamDid);
-      return state.get({ id }, context);
-    } catch (err) {
-      logger.error('Failed to get org', { err, teamDid, id });
-      throw err;
-    }
+  getOrgMembers({ teamDid, orgId, paging }, context) {
+    return orgManager.getOrgMembers(this, { teamDid, orgId, paging }, context);
   }
-  async createDefaultOrgForUser({ teamDid, user }) {
-    try {
-      // 创建失败不要影响主流程
-      await this.createOrg(
-        {
-          teamDid,
-          name: user.fullName,
-          description: `this is a default org for ${user.fullName}`,
-          throwOnValidationError: false,
-        },
-        { user }
-      );
-    } catch (err) {
-      logger.error('Failed to create default org for user', { err, teamDid, user });
-    }
+  getOrgInvitableUsers({ teamDid, id, query, paging }, context) {
+    return orgManager.getOrgInvitableUsers(this, { teamDid, id, query, paging }, context);
   }
-  async issueOrgOwnerPassport({ teamDid, org }) {
-    try {
-      // 创建 org 的 owner passport, 并赋值给 owner
-      const roleName = md5(`${org.id}-owner`); // 避免 name 重复
-      await this.createRole({ teamDid, name: roleName, title: org.name, description: 'Owner', orgId: org.id });
-      await this.issuePassportToUser({
-        teamDid,
-        userDid: org.ownerDid,
-        role: roleName,
-        notification: {},
-      });
-    } catch (err) {
-      logger.error('Failed to create passport to org owner', { err, teamDid, org });
-    }
+  getOrgResource({ teamDid, orgId, resourceId }, context) {
+    return orgManager.getOrgResource(this, { teamDid, orgId, resourceId }, context);
   }
-  async createOrg({ teamDid, deferPassport = false, throwOnValidationError = true, ...rest }, context) {
-    try {
-      // 1. 对输入进行转义
-      const sanitizedOrg = {
-        ...rest,
-        description: sanitizeTag(rest.description || ''),
-        name: sanitizeTag(rest.name || ''),
-      };
-      const { error } = createOrgInputSchema.validate(sanitizedOrg);
-      if (error) {
-        throw new CustomError(400, error.message);
-      }
-      const state = await this.getOrgState(teamDid);
-      const blocklet = await getBlocklet({
-        did: teamDid,
-        states: this.states,
-        dataDirs: this.dataDirs,
-        useCache: true,
-      });
-      const checkedUserDid = rest.ownerDid || context.user.did || '';
-      const orgCount = await state.getOrgCountByUser(checkedUserDid);
-      const { veriftMaxOrgPerUser } = createOrgValidators(blocklet);
-      try {
-        veriftMaxOrgPerUser(orgCount); // 验证用户创建的 org 数量是否超过最大限制, 内部已经验证 org 是否开启
-      } catch (_error) {
-        if (throwOnValidationError) {
-          throw _error;
-        }
-        logger.warn('Failed to validate org creation', { error: _error, teamDid, orgCount });
-        return undefined;
-      }
-      const result = await state.create({ ...sanitizedOrg }, context);
-      // 创建 org 的 owner passport, 并赋值给 owner
-      if (!deferPassport) {
-        await this.issueOrgOwnerPassport({ teamDid, org: result });
-      } else {
-        const jobId = md5(`${teamDid}-${result.id}-${checkedUserDid}`);
-        this.passportIssueQueue.push(
-          {
-            action: 'issueOrgOwnerPassport',
-            entity: 'blocklet',
-            entityId: teamDid,
-            params: {
-              teamDid,
-              org: result,
-            },
-          },
-          jobId,
-          true
-        );
-      }
-      return result;
-    } catch (err) {
-      logger.error('Failed to create org', err, {
-        teamDid,
-        name: rest.name,
-        userDid: rest.ownerDid || context.user.did || '',
-      });
-      throw err;
-    }
+  addOrgResource({ teamDid, orgId, resourceIds, type, metadata }, context) {
+    return orgManager.addOrgResource(this, { teamDid, orgId, resourceIds, type, metadata }, context);
   }
-  async updateOrg({ teamDid, org }, context) {
-    try {
-      const sanitizedOrg = {
-        ...org,
-        description: sanitizeTag(org.description),
-        name: sanitizeTag(org.name),
-      };
-      const { error } = updateOrgInputSchema.validate(sanitizedOrg);
-      if (error) {
-        throw new CustomError(400, error.message);
-      }
-      const state = await this.getOrgState(teamDid);
-      return state.updateOrg({ org: sanitizedOrg }, context);
-    } catch (err) {
-      logger.error('Failed to update org', { err, teamDid });
-      throw err;
-    }
+  removeOrgResource({ teamDid, orgId, resourceIds }, context) {
+    return orgManager.removeOrgResource(this, { teamDid, orgId, resourceIds }, context);
   }
-  async deleteOrg({ teamDid, id }, context) {
-    try {
-      const state = await this.getOrgState(teamDid);
-      // 要同时删除与 org 相关的 passport 和 邀请链接
-      const roles = await this.getRoles({ teamDid, orgId: id });
-      const result = await state.deleteOrg({ id }, context);
-      try {
-        await state.removeOrgRelatedData({ roles, orgId: id });
-      } catch (err) {
-        logger.error('Failed to remove org related data', { err, teamDid, roles, id });
-      }
-      return result;
-    } catch (err) {
-      logger.error('Failed to delete org', { err, teamDid, id });
-      throw err;
-    }
+  migrateOrgResource({ teamDid, from, to, resourceIds }, context) {
+    return orgManager.migrateOrgResource(this, { teamDid, from, to, resourceIds }, context);
   }
-  async addOrgMember({ teamDid, orgId, userDid }, context) {
-    try {
-      const state = await this.getOrgState(teamDid);
-      return state.addOrgMember({ orgId, userDid }, context);
-    } catch (err) {
-      logger.error('Add member to org failed', { err, teamDid, orgId, userDid });
-      throw err;
-    }
+  getNotificationStats({ teamDid, since }) {
+    return orgManager.getNotificationStats(this, { teamDid, since });
   }
-  async updateOrgMember({ teamDid, orgId, userDid, status }, context) {
-    try {
-      const state = await this.getOrgState(teamDid);
-      return state.updateOrgMember({ orgId, userDid, status }, context);
-    } catch (err) {
-      logger.error('Update member in org failed', { err, teamDid, orgId, userDid, status });
-      throw err;
-    }
+  // ============ Delegated Methods (from teamManager) ============
+  getRoles({ teamDid, orgId }) {
+    return this.teamManager.getRoles(teamDid, orgId);
   }
-  /**
-   * 发送邀请通知
-   * @param {*} param0
-   */
-  async sendInvitationNotification({
-    teamDid,
-    invitor,
-    org,
-    role,
-    successUserDids,
-    inviteLink,
-    email,
-    inviteType,
-    blocklet,
-  }) {
-    try {
-      const userInfo = await this.getUser({
-        teamDid,
-        user: { did: invitor.did },
-        options: { enableConnectedAccount: true },
-      });
-      // 检测是否开启了 email 服务
-      const provider = getEmailServiceProvider(blocklet);
-      const translate = {
-        en: {
-          title: 'Inviting you to join the organization',
-          description: `<${userInfo.fullName}(did:abt:${userInfo.did})> invites you to join the ${org.name} organization, role is ${role}.<br/>After accepting, you will be able to access the resources and collaboration content of the organization.<br/><br/>Please click the button below to handle the invitation.<br/><br/>If you don't want to join, you can ignore this notification.`,
-          accept: 'Accept',
-        },
-        zh: {
-          title: '邀请您加入组织',
-          description: `<${userInfo.fullName}(did:abt:${userInfo.did})> 邀请您加入 ${org.name} 组织，角色为 ${role}。<br/>接受后，你将能够访问该组织的资源和协作内容。<br/><br/>请点击下方按钮处理邀请。<br/><br/>如果你不想加入，可以忽略此通知。`,
-          accept: '接受',
-        },
-      };
-      const content = translate[userInfo.locale || 'en'] || translate.en;
-      const message = {
-        title: content.title,
-        body: content.description,
-        actions: [
-          {
-            name: content.accept,
-            title: content.accept,
-            link: inviteLink,
-          },
-        ],
-      };
-      if (inviteType === 'internal') {
-        await this.createNotification({
-          teamDid,
-          receiver: successUserDids,
-          entityId: teamDid,
-          source: 'system',
-          severity: 'info',
-          ...message,
-        });
-        logger.info('Invite notification sent successfully', {
-          teamDid,
-          orgId: org.id,
-          sentToUsers: successUserDids,
-          sentCount: successUserDids.length,
-        });
-      } else if (inviteType === 'external' && provider && email) {
-        // 当 service 开启 email 服务时才会发送邮件通知
-        const emailInputSchema = Joi.string().email().required();
-        const { error } = emailInputSchema.validate(email);
-        if (error) {
-          throw new CustomError(400, error.message);
-        }
-        const nodeInfo = await this.node.read();
-        const blockletInfo = getBlockletInfo(blocklet, nodeInfo.sk);
-        const sender = {
-          appDid: blockletInfo.wallet.address,
-          appSk: blockletInfo.wallet.secretKey,
-        };
-        await sendToUser(email, message, sender, undefined, 'send-to-mail');
-        logger.info('Send invitation notification to email completed', {
-          teamDid,
-          orgId: org.id,
-          email,
-        });
-      }
-    } catch (notificationErr) {
-      // 通知发送失败不影响邀请的成功，只记录警告
-      logger.warn('Failed to send invitation notification, but invitations were created successfully', {
-        notificationErr,
-        teamDid,
-        orgId: org.id,
-        successUserDids,
-      });
-    }
+  getRBAC(teamDid) {
+    return this.teamManager.getRBAC(teamDid);
   }
-  getFederatedMasterBlockletInfo({ blocklet }) {
-    const sites = blocklet.settings?.federated?.sites || [];
-    const federatedMaster = sites.find((item) => item.isMaster !== false);
-    const federatedCurrent = sites.find((item) => item.appId === blocklet.appDid);
-    const isFederated = !!federatedMaster || !!federatedCurrent;
-    if (!isFederated) {
-      return undefined;
-    }
-    const formatBlockletInfo = (federateBlocklet) => ({
-      appId: federateBlocklet?.appId,
-      appName: federateBlocklet?.appName,
-      appDescription: federateBlocklet?.appDescription,
-      appLogo: federateBlocklet?.appLogo,
-      appPid: federateBlocklet?.appPid,
-      appUrl: federateBlocklet?.appUrl,
-      version: federateBlocklet?.version,
-      sourceAppPid: federateBlocklet?.appPid,
-      provider: 'wallet',
-    });
-    const blocklets = [];
-    if (federatedCurrent?.status === 'approved') {
-      blocklets.push(formatBlockletInfo(federatedMaster));
-    }
-    if (federatedCurrent) {
-      blocklets.push({
-        ...formatBlockletInfo(federatedCurrent),
-        sourceAppPid: null,
-      });
-    } else {
-      const blockletInfo = getBlockletInfo(blocklet, undefined, { returnWallet: false });
-      blocklets.push({
-        ...formatBlockletInfo(blockletInfo),
-        appPid: blocklet?.appPid,
-        appLogo: joinURL(blockletInfo.appUrl, WELLKNOWN_SERVICE_PATH_PREFIX, '/blocklet/logo'),
-        sourceAppPid: null,
-      });
-    }
-    return blocklets[0];
+  // State getters (delegated to teamManager)
+  getUserState(teamDid) {
+    return this.teamManager.getUserState(teamDid);
   }
-  /**
-   * 邀请成员到组织
-   *  1. 批量添加成员到组织 - 记录添加成功和添加失败的用户 DID
-   *  2. 创建邀请链接，只创建添加成功的用户邀请链接
-   *  3. 发送邀请通知，只发送添加成功的用户邀请通知
-   * @param {*} param0
-   * @param {*} param0.inviteType 邀请类型，internal 内部邀请，external 外部邀请
-   * @param {*} context
-   * @returns 返回邀请成功的用户和失败的用户 did 列表
-   */
-  async inviteMembersToOrg({ teamDid, orgId, userDids, role, inviteType = 'internal', email }, context) {
-    try {
-      const state = await this.getOrgState(teamDid);
-      const { user } = context || {};
-      if (!user) {
-        throw new CustomError(400, 'User is required');
-      }
-      const org = await this.getOrg({ teamDid, id: orgId }, context);
-      if (!org) {
-        throw new CustomError(400, 'Org not found');
-      }
-      // dashboard 或者非 org owner 无法邀请成员
-      if (isAdmingPath(context) || !isOrgOwner(user, org)) {
-        throw new CustomError(403, "You cannot invite members to other users' org");
-      }
-      if (inviteType === 'internal' && userDids.length === 0) {
-        throw new CustomError(400, 'You must invite at least one user');
-      }
-      // Step 1: 批量添加成员到组织 - 记录添加成功和添加失败的用户 DID
-      const successUserDids = [];
-      const failedUserDids = [];
-      const skipInviteUserDids = [];
-      // 内部邀请
-      if (inviteType === 'internal') {
-        for (const userDid of userDids) {
-          try {
-            // eslint-disable-next-line no-await-in-loop
-            const currentUser = await this.getUser({
-              teamDid,
-              user: { did: userDid },
-            });
-            const walletDid = getWalletDid(currentUser);
-            // 如果当前用户不是钱包用户，则跳过邀请 (参考颁发通行证逻辑)
-            const skipInvite = walletDid !== userDid;
-            if (skipInvite) {
-              skipInviteUserDids.push(userDid);
-            }
-            const status = skipInvite ? 'active' : 'inviting';
-            // eslint-disable-next-line no-await-in-loop
-            await state.addOrgMember({ orgId, userDid, status }, context);
-            successUserDids.push(userDid);
-          } catch (addErr) {
-            failedUserDids.push(userDid);
-            logger.warn('Failed to add user to org', { userDid, orgId, error: addErr.message });
-          }
-        }
-        logger.info('Batch add members to org completed', {
-          teamDid,
-          orgId,
-          totalUsers: userDids.length,
-          successCount: successUserDids.length,
-          failedCount: failedUserDids.length,
-        });
-        // 如果没有成功添加的用户，直接返回结果
-        if (successUserDids.length === 0) {
-          logger.warn('No users were successfully added to org', { teamDid, orgId, failedUserDids });
-          throw new CustomError(500, 'No users were successfully added to org');
-        }
-      }
-      // 要排除 OAuth 用户
-      const inviteUserDids = successUserDids.filter((did) => !skipInviteUserDids.includes(did));
-      if (skipInviteUserDids.length > 0) {
-        logger.info('OAuth users were successfully added to org', { teamDid, orgId, skipInviteUserDids });
-        // 向 OAuth 用户颁发通行证
-        for (const userDid of skipInviteUserDids) {
-          // eslint-disable-next-line no-await-in-loop
-          await this.issuePassportToUser({
-            teamDid,
-            userDid,
-            role,
-            notification: {},
-          });
-        }
-      }
-      // 如果没有其他用户，那么直接返回即可
-      if (inviteType === 'internal' && inviteUserDids.length === 0) {
-        return {
-          successDids: successUserDids,
-          failedDids: failedUserDids,
-        };
-      }
-      // Previous Step 2: 要判断站点是否是站点群内，如果是站点群中，需要使用 master 的 appPid 作为 sourceAppPid 创建邀请链接
-      const blocklet = await getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs });
-      const masterBlockletInfo = this.getFederatedMasterBlockletInfo({ blocklet });
-      // Step 2: 创建邀请链接，只创建添加成功的用户邀请链接
-      const inviteInfo = await this.createMemberInvitation(
-        {
-          teamDid,
-          role,
-          expireTime: this.memberInvitationExpireTime,
-          orgId,
-          inviteUserDids: inviteType === 'internal' ? inviteUserDids : [],
-          sourceAppPid: masterBlockletInfo?.appPid,
-        },
-        context
-      );
-      const inviteLink = getOrgInviteLink(inviteInfo, blocklet);
-      logger.info('Invite link created for successful users', {
-        teamDid,
-        orgId,
-        inviteId: inviteInfo.inviteId,
-        userCount: successUserDids.length,
-      });
-      // Step 3: 发送邀请通知，只发送添加成功的用户邀请通知
-      this.sendInvitationNotification({
-        teamDid,
-        invitor: user,
-        org,
-        role,
-        successUserDids,
-        email,
-        inviteType,
-        inviteLink,
-        blocklet,
-      });
-      // 返回成功和失败的用户列表
-      return {
-        successDids: successUserDids,
-        failedDids: failedUserDids,
-        inviteLink,
-      };
-    } catch (err) {
-      logger.error('Invite users to org failed', { err, teamDid, orgId, userDids, role });
-      throw err;
-    }
+  getSessionState(teamDid) {
+    return this.teamManager.getSessionState(teamDid);
   }
-  async removeOrgMember({ teamDid, orgId, userDid }, context) {
-    try {
-      const state = await this.getOrgState(teamDid);
-      const roles = await this.getRoles({ teamDid, orgId });
-      const result = await state.removeOrgMember({ orgId, userDid }, context);
-      try {
-        await state.removeOrgRelatedData({ roles, orgId, userDid });
-      } catch (err) {
-        logger.error('Failed to remove user related passports', { err, teamDid, roles, userDid });
-      }
-      return result;
-    } catch (err) {
-      logger.error('Remove member from org failed', { err, teamDid, orgId, userDid });
-      throw err;
-    }
+  getNotificationState(teamDid) {
+    return this.teamManager.getNotificationState(teamDid);
   }
-  async getOrgMembers({ teamDid, orgId, paging }, context) {
-    try {
-      const state = await this.getOrgState(teamDid);
-      const result = await state.getOrgMembers({ orgId, paging, options: { includePassport: true } }, context);
-      const info = await this.node.read();
-      const isServer = this.teamManager.isNodeTeam(teamDid);
-      const blocklet = await getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs });
-      const baseUrl = blocklet.environmentObj.BLOCKLET_APP_URL;
-      const roles = await this.getRoles({ teamDid, orgId });
-      result.users.forEach((item) => {
-        if (item?.user?.avatar) {
-          item.user.avatar = getUserAvatarUrl(baseUrl, item.user.avatar, info, isServer);
-        }
-        if (item?.user?.passports?.length > 0) {
-          item.user.passports = item.user.passports.filter((passport) =>
-            roles.some((role) => role.name === passport.name)
-          );
-        }
-      });
-      return result;
-    } catch (err) {
-      logger.error('Get org members failed', { err, teamDid, orgId });
-      throw err;
-    }
+  getTagState(teamDid) {
+    return this.teamManager.getTagState(teamDid);
   }
-  async getOrgInvitableUsers({ teamDid, id, query, paging }, context) {
-    try {
-      const state = await this.getOrgState(teamDid);
-      return state.getOrgInvitableUsers({ id, query, paging }, context);
-    } catch (err) {
-      logger.error('Get org invitable users failed', { err, teamDid, id });
-      throw err;
-    }
+  getTaggingState(teamDid) {
+    return this.teamManager.getTaggingState(teamDid);
   }
-  async getOrgResource({ teamDid, orgId, resourceId }, context) {
-    try {
-      const state = await this.getOrgState(teamDid);
-      return state.getOrgResource({ orgId, resourceId }, context);
-    } catch (err) {
-      logger.error('Get org resource failed', { err, teamDid, orgId, resourceId });
-      throw err;
-    }
+  getVerifyCodeState(teamDid) {
+    return this.teamManager.getVerifyCodeState(teamDid);
   }
-  async addOrgResource({ teamDid, orgId, resourceIds, type, metadata }, context) {
-    try {
-      const state = await this.getOrgState(teamDid);
-      return state.addOrgResource({ orgId, resourceIds, type, metadata }, context);
-    } catch (err) {
-      logger.error('Add org resource failed', { err, teamDid, orgId, resourceIds, type, metadata });
-      throw err;
-    }
+  getAccessKeyState(teamDid) {
+    return this.teamManager.getAccessKeyState(teamDid);
   }
-  async removeOrgResource({ teamDid, orgId, resourceIds }, context) {
-    try {
-      const state = await this.getOrgState(teamDid);
-      return state.removeOrgResource({ orgId, resourceIds }, context);
-    } catch (err) {
-      logger.error('Remove org resource failed', { err, teamDid, orgId, resourceIds });
-      throw err;
-    }
+  getOrgState(teamDid) {
+    return this.teamManager.getOrgState(teamDid);
   }
-  async migrateOrgResource({ teamDid, from, to, resourceIds }, context) {
-    try {
-      const state = await this.getOrgState(teamDid);
-      return state.migrateOrgResource({ from, to, resourceIds }, context);
-    } catch (err) {
-      logger.error('Migrate org resource failed', { err, teamDid, from, to, resourceIds });
-      throw err;
-    }
+  getUserSessionState(teamDid) {
+    return this.teamManager.getUserSessionState(teamDid);
   }
-  async getNotificationStats({ teamDid, since = '1h' }) {
-    let startTime = dayjs().subtract(1, 'hours').toDate();
-    if (since && typeof since === 'string') {
-      const sinceMatch = since.match(/^(\d+)h$/);
-      if (sinceMatch) {
-        let hours = parseInt(sinceMatch[1], 10);
-        if (hours < 1 || hours > 24) {
-          hours = Math.min(Math.max(hours, 1), 24);
-        }
-        startTime = dayjs().subtract(hours, 'hours').toDate();
-      }
-    }
-    try {
-      const state = await this.getNotificationState(teamDid);
-      const isServer = this.teamManager.isNodeTeam(teamDid);
-      const blocklet = isServer
-        ? {}
-        : await getBlocklet({ did: teamDid, states: this.states, dataDirs: this.dataDirs });
-      const channelsAvailable = checkPushChannelAvailable(blocklet, isServer);
-      const results = await state.getNotificationsBySince({ since });
-      if (results.length === 0) {
-        return {
-          healthy: true,
-          message: `There have been no push records since ${startTime}. Please choose another time range`,
-          since: startTime,
-          channels: channelsAvailable,
-        };
-      }
-      const pushState = getNotificationPushState(results, channelsAvailable, isServer);
-      let teamDids = [teamDid];
-      if (isServer) {
-        const nodeInfo = await this.node.read();
-        teamDids = [nodeInfo.did];
-      } else {
-        teamDids = getBlockletAppIdList(blocklet);
-      }
-      const pendingResult = await this.states.job.getPendingNotifications({
-        teamDids,
-        isServer,
-        channels: Object.keys(channelsAvailable),
-        createdAt: startTime,
-      });
-      // pushState 的 key 与 pendingResult 的 key 映射关系
-      const channelKeyMap = {
-        pushKit: NOTIFICATION_SEND_CHANNEL.PUSH,
-        wallet: NOTIFICATION_SEND_CHANNEL.WALLET,
-        email: NOTIFICATION_SEND_CHANNEL.EMAIL,
-        webhook: NOTIFICATION_SEND_CHANNEL.WEBHOOK,
-      };
-      // 合并 pending 数量到对应的 channel
-      const channels = Object.entries(pushState).reduce((acc, [key, value]) => {
-        const pendingKey = channelKeyMap[key] || key;
-        acc[key] = {
-          ...value,
-          pending: pendingResult[pendingKey] || 0,
-        };
-        return acc;
-      }, {});
-      return {
-        healthy: true,
-        since: startTime,
-        channels,
-      };
-    } catch (err) {
-      logger.error('Get notification service health failed', err, { teamDid });
-      return {
-        healthy: false,
-        error: err.message,
-        since: startTime,
-      };
-    }
+  // ============ Just for test ============
+  setInviteExpireTime(ms) {
+    this.memberInviteExpireTime = ms;
   }
 }