From 415b7cbd49ae1347683a84e0c4831d4622d148d6 Mon Sep 17 00:00:00 2001
From: silverhand-bot <bot@silverhand.io>
Date: Fri, 26 Jun 2026 10:53:14 +0000
Subject: [PATCH] release: version packages

---
 .changeset/add-smtp2go-email-connector.md     |   9 --
 .changeset/curly-bikes-travel.md              |   6 -
 .changeset/escape-saml-auto-submit-form.md    |  11 --
 .changeset/fix-console-username-update-401.md |  10 --
 .changeset/fix-custom-css-flash.md            |   7 -
 .changeset/fix-sentinel-count-string.md       |   7 -
 .changeset/idempotent-application-roles.md    |   7 -
 .../jwt-customizer-organization-context.md    |  11 --
 .changeset/message-send-rate-limit.md         |   9 --
 .changeset/moody-wasps-shout.md               |   5 -
 .changeset/new-cobras-perform.md              |  22 ---
 .changeset/one-time-token-consent-guard.md    |   6 -
 .../reject-null-bytes-in-oidc-request-body.md |   9 --
 ...lease-account-center-session-management.md |   8 --
 .../release-account-profile-features.md       |   9 --
 ...e-passkey-account-center-access-control.md |   9 --
 .changeset/release-password-expiration.md     |  18 ---
 .changeset/release-theme-flash-fix.md         |  10 --
 ...social-link-without-legacy-verification.md |   5 -
 .changeset/support-passkey-mfa-native.md      |   8 --
 .changeset/url-regex-no-lookbehind.md         |   7 -
 .changeset/username-policy-client.md          |   9 --
 .changeset/username-policy-console.md         |   8 --
 .changeset/username-policy-core-kit.md        |   5 -
 .changeset/username-policy-core.md            |  15 ---
 .changeset/username-policy-validator.md       |   5 -
 .changeset/verification-code-policy.md        |   9 --
 packages/account/CHANGELOG.md                 |  26 ++++
 packages/account/package.json                 |   2 +-
 packages/api/CHANGELOG.md                     |   2 +
 packages/api/package.json                     |   2 +-
 packages/cli/CHANGELOG.md                     |  20 +++
 packages/cli/package.json                     |   2 +-
 .../connector-alipay-native/CHANGELOG.md      |   8 ++
 .../connector-alipay-native/package.json      |   2 +-
 .../connector-alipay-web/CHANGELOG.md         |   8 ++
 .../connector-alipay-web/package.json         |   2 +-
 .../connector-aliyun-dm/CHANGELOG.md          |   8 ++
 .../connector-aliyun-dm/package.json          |   2 +-
 .../connector-aliyun-sms-mas/CHANGELOG.md     |  10 ++
 .../connector-aliyun-sms-mas/package.json     |   2 +-
 .../connector-aliyun-sms/CHANGELOG.md         |   8 ++
 .../connector-aliyun-sms/package.json         |   2 +-
 .../connectors/connector-amazon/CHANGELOG.md  |   8 ++
 .../connectors/connector-amazon/package.json  |   2 +-
 .../connectors/connector-apple/CHANGELOG.md   |  10 ++
 .../connectors/connector-apple/package.json   |   2 +-
 .../connectors/connector-aws-ses/CHANGELOG.md |   8 ++
 .../connectors/connector-aws-ses/package.json |   2 +-
 .../connectors/connector-azuread/CHANGELOG.md |   8 ++
 .../connectors/connector-azuread/package.json |   2 +-
 .../connector-dingtalk-web/CHANGELOG.md       |   8 ++
 .../connector-dingtalk-web/package.json       |   2 +-
 .../connectors/connector-discord/CHANGELOG.md |   8 ++
 .../connectors/connector-discord/package.json |   2 +-
 .../connector-facebook/CHANGELOG.md           |   8 ++
 .../connector-facebook/package.json           |   2 +-
 .../connector-feishu-web/CHANGELOG.md         |   8 ++
 .../connector-feishu-web/package.json         |   2 +-
 .../connector-gatewayapi-sms/CHANGELOG.md     |   8 ++
 .../connector-gatewayapi-sms/package.json     |   2 +-
 .../connectors/connector-github/CHANGELOG.md  |   8 ++
 .../connectors/connector-github/package.json  |   2 +-
 .../connectors/connector-gitlab/CHANGELOG.md  |  11 ++
 .../connectors/connector-gitlab/package.json  |   2 +-
 .../connectors/connector-google/CHANGELOG.md  |   8 ++
 .../connectors/connector-google/package.json  |   2 +-
 .../connector-http-email/CHANGELOG.md         |   8 ++
 .../connector-http-email/package.json         |   2 +-
 .../connector-huggingface/CHANGELOG.md        |   9 ++
 .../connector-huggingface/package.json        |   2 +-
 .../connectors/connector-kakao/CHANGELOG.md   |   8 ++
 .../connectors/connector-kakao/package.json   |   2 +-
 .../connectors/connector-kook/CHANGELOG.md    |   9 ++
 .../connectors/connector-kook/package.json    |   2 +-
 .../connectors/connector-line/CHANGELOG.md    |   8 ++
 .../connectors/connector-line/package.json    |   2 +-
 .../connector-linkedin/CHANGELOG.md           |   8 ++
 .../connector-linkedin/package.json           |   2 +-
 .../connector-logto-email/CHANGELOG.md        |   8 ++
 .../connector-logto-email/package.json        |   2 +-
 .../connector-logto-social-demo/CHANGELOG.md  |   8 ++
 .../connector-logto-social-demo/package.json  |   2 +-
 .../connectors/connector-mailgun/CHANGELOG.md |   8 ++
 .../connectors/connector-mailgun/package.json |   2 +-
 .../connector-mailjunky/CHANGELOG.md          |  12 ++
 .../connector-mailjunky/package.json          |   2 +-
 .../CHANGELOG.md                              |   8 ++
 .../package.json                              |   2 +-
 .../connector-mock-email/CHANGELOG.md         |   8 ++
 .../connector-mock-email/package.json         |   2 +-
 .../connector-mock-sms/CHANGELOG.md           |   8 ++
 .../connector-mock-sms/package.json           |   2 +-
 .../connector-mock-social/CHANGELOG.md        |   8 ++
 .../connector-mock-social/package.json        |   2 +-
 .../connectors/connector-naver/CHANGELOG.md   |   8 ++
 .../connectors/connector-naver/package.json   |   2 +-
 .../connectors/connector-oauth2/CHANGELOG.md  |  10 ++
 .../connectors/connector-oauth2/package.json  |   2 +-
 .../connectors/connector-oidc/CHANGELOG.md    |  11 ++
 .../connectors/connector-oidc/package.json    |   2 +-
 .../connectors/connector-patreon/CHANGELOG.md |   9 ++
 .../connectors/connector-patreon/package.json |   2 +-
 .../connector-postmark/CHANGELOG.md           |   8 ++
 .../connector-postmark/package.json           |   2 +-
 packages/connectors/connector-qq/CHANGELOG.md |   8 ++
 packages/connectors/connector-qq/package.json |   2 +-
 .../connectors/connector-saml/CHANGELOG.md    |   8 ++
 .../connectors/connector-saml/package.json    |   2 +-
 .../connector-sendgrid-email/CHANGELOG.md     |   8 ++
 .../connector-sendgrid-email/package.json     |   2 +-
 .../connectors/connector-slack/CHANGELOG.md   |   8 ++
 .../connectors/connector-slack/package.json   |   2 +-
 .../connectors/connector-smsaero/CHANGELOG.md |   8 ++
 .../connectors/connector-smsaero/package.json |   2 +-
 .../connector-smsbao-sms/CHANGELOG.md         |   8 ++
 .../connector-smsbao-sms/package.json         |   2 +-
 .../connectors/connector-smtp/CHANGELOG.md    |   8 ++
 .../connectors/connector-smtp/package.json    |   2 +-
 .../connector-smtp2go-email/CHANGELOG.md      |  15 +++
 .../connector-smtp2go-email/package.json      |   2 +-
 .../connector-tencent-sms/CHANGELOG.md        |   8 ++
 .../connector-tencent-sms/package.json        |   2 +-
 .../connector-twilio-sms/CHANGELOG.md         |   8 ++
 .../connector-twilio-sms/package.json         |   2 +-
 .../connector-vonage-sms/CHANGELOG.md         |   8 ++
 .../connector-vonage-sms/package.json         |   2 +-
 .../connector-wechat-native/CHANGELOG.md      |   8 ++
 .../connector-wechat-native/package.json      |   2 +-
 .../connector-wechat-web/CHANGELOG.md         |   8 ++
 .../connector-wechat-web/package.json         |   2 +-
 .../connectors/connector-wecom/CHANGELOG.md   |  10 ++
 .../connectors/connector-wecom/package.json   |   2 +-
 .../connector-whatsapp/CHANGELOG.md           |   8 ++
 .../connector-whatsapp/package.json           |   2 +-
 packages/connectors/connector-x/CHANGELOG.md  |   8 ++
 packages/connectors/connector-x/package.json  |   2 +-
 .../connectors/connector-xiaomi/CHANGELOG.md  |   8 ++
 .../connectors/connector-xiaomi/package.json  |   2 +-
 .../connector-yunpian-sms/CHANGELOG.md        |   8 ++
 .../connector-yunpian-sms/package.json        |   2 +-
 packages/console/CHANGELOG.md                 |  70 ++++++++++
 packages/console/package.json                 |   2 +-
 packages/core/CHANGELOG.md                    | 127 ++++++++++++++++++
 packages/core/package.json                    |   2 +-
 packages/create/CHANGELOG.md                  |   6 +
 packages/create/package.json                  |   4 +-
 packages/experience/CHANGELOG.md              |  37 +++++
 packages/experience/package.json              |   2 +-
 packages/integration-tests/CHANGELOG.md       |  21 +++
 packages/integration-tests/package.json       |   2 +-
 packages/phrases-experience/CHANGELOG.md      |  37 +++++
 packages/phrases-experience/package.json      |   2 +-
 packages/phrases/CHANGELOG.md                 |  39 ++++++
 packages/phrases/package.json                 |   2 +-
 packages/schemas/CHANGELOG.md                 |  74 ++++++++++
 ...9864280-add-password-expiration-policy.ts} |   0
 ...64281-add-is-password-expired-to-users.ts} |   0
 ...-model-instances-legacy-grant-id-index.ts} |   0
 ... 1.41.0-1780381219-add-username-policy.ts} |   0
 ...665-set-sign-up-profile-fields-default.ts} |   0
 ...780906060-add-verification-code-policy.ts} |   0
 ...d-sentinel-activities-created-at-index.ts} |   0
 ...et-admin-account-center-profile-fields.ts} |   0
 ...logs-tenant-type-index-with-created-at.ts} |   0
 packages/schemas/package.json                 |   2 +-
 packages/shared/CHANGELOG.md                  |  14 ++
 packages/shared/package.json                  |   2 +-
 packages/toolkit/connector-kit/CHANGELOG.md   |  14 ++
 packages/toolkit/connector-kit/package.json   |   2 +-
 packages/toolkit/core-kit/CHANGELOG.md        |  12 ++
 packages/toolkit/core-kit/package.json        |   2 +-
 packages/translate/CHANGELOG.md               |  18 +++
 packages/translate/package.json               |   2 +-
 packages/tunnel/CHANGELOG.md                  |  10 ++
 packages/tunnel/package.json                  |   2 +-
 pnpm-lock.yaml                                |  40 +++++-
 177 files changed, 1095 insertions(+), 318 deletions(-)
 delete mode 100644 .changeset/add-smtp2go-email-connector.md
 delete mode 100644 .changeset/curly-bikes-travel.md
 delete mode 100644 .changeset/escape-saml-auto-submit-form.md
 delete mode 100644 .changeset/fix-console-username-update-401.md
 delete mode 100644 .changeset/fix-custom-css-flash.md
 delete mode 100644 .changeset/fix-sentinel-count-string.md
 delete mode 100644 .changeset/idempotent-application-roles.md
 delete mode 100644 .changeset/jwt-customizer-organization-context.md
 delete mode 100644 .changeset/message-send-rate-limit.md
 delete mode 100644 .changeset/moody-wasps-shout.md
 delete mode 100644 .changeset/new-cobras-perform.md
 delete mode 100644 .changeset/one-time-token-consent-guard.md
 delete mode 100644 .changeset/reject-null-bytes-in-oidc-request-body.md
 delete mode 100644 .changeset/release-account-center-session-management.md
 delete mode 100644 .changeset/release-account-profile-features.md
 delete mode 100644 .changeset/release-passkey-account-center-access-control.md
 delete mode 100644 .changeset/release-password-expiration.md
 delete mode 100644 .changeset/release-theme-flash-fix.md
 delete mode 100644 .changeset/social-link-without-legacy-verification.md
 delete mode 100644 .changeset/support-passkey-mfa-native.md
 delete mode 100644 .changeset/url-regex-no-lookbehind.md
 delete mode 100644 .changeset/username-policy-client.md
 delete mode 100644 .changeset/username-policy-console.md
 delete mode 100644 .changeset/username-policy-core-kit.md
 delete mode 100644 .changeset/username-policy-core.md
 delete mode 100644 .changeset/username-policy-validator.md
 delete mode 100644 .changeset/verification-code-policy.md
 create mode 100644 packages/connectors/connector-smtp2go-email/CHANGELOG.md
 rename packages/schemas/alterations/{next-1779864280-add-password-expiration-policy.ts => 1.41.0-1779864280-add-password-expiration-policy.ts} (100%)
 rename packages/schemas/alterations/{next-1779864281-add-is-password-expired-to-users.ts => 1.41.0-1779864281-add-is-password-expired-to-users.ts} (100%)
 rename packages/schemas/alterations/{next-1780358400-drop-oidc-model-instances-legacy-grant-id-index.ts => 1.41.0-1780358400-drop-oidc-model-instances-legacy-grant-id-index.ts} (100%)
 rename packages/schemas/alterations/{next-1780381219-add-username-policy.ts => 1.41.0-1780381219-add-username-policy.ts} (100%)
 rename packages/schemas/alterations/{next-1780643665-set-sign-up-profile-fields-default.ts => 1.41.0-1780643665-set-sign-up-profile-fields-default.ts} (100%)
 rename packages/schemas/alterations/{next-1780906060-add-verification-code-policy.ts => 1.41.0-1780906060-add-verification-code-policy.ts} (100%)
 rename packages/schemas/alterations/{next-1781689400-add-sentinel-activities-created-at-index.ts => 1.41.0-1781689400-add-sentinel-activities-created-at-index.ts} (100%)
 rename packages/schemas/alterations/{next-1782354362-set-admin-account-center-profile-fields.ts => 1.41.0-1782354362-set-admin-account-center-profile-fields.ts} (100%)
 rename packages/schemas/alterations/{next-1782375106-cover-service-logs-tenant-type-index-with-created-at.ts => 1.41.0-1782375106-cover-service-logs-tenant-type-index-with-created-at.ts} (100%)

diff --git a/.changeset/add-smtp2go-email-connector.md b/.changeset/add-smtp2go-email-connector.md
deleted file mode 100644
index 4f03460402a8..000000000000
--- a/.changeset/add-smtp2go-email-connector.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-"@logto/connector-smtp2go-email": minor
-"@logto/connector-kit": minor
-"@logto/connector-mailjunky": patch
----
-
-add SMTP2GO email connector for transactional auth emails via the SMTP2GO send API
-
-Export shared SMTP mailbox parsing and formatting utilities from `@logto/connector-kit`, and adopt them in the MailJunky connector
diff --git a/.changeset/curly-bikes-travel.md b/.changeset/curly-bikes-travel.md
deleted file mode 100644
index c4ec4cfa6fb5..000000000000
--- a/.changeset/curly-bikes-travel.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-"@logto/core": patch
-"@logto/phrases": patch
----
-
-map custom UI asset Azure Blob transport failures to retryable storage download errors
diff --git a/.changeset/escape-saml-auto-submit-form.md b/.changeset/escape-saml-auto-submit-form.md
deleted file mode 100644
index d5c9011910ce..000000000000
--- a/.changeset/escape-saml-auto-submit-form.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-"@logto/core": patch
----
-
-escape HTML attribute values in the SAML IdP auto-submit form
-
-When Logto acts as a SAML IdP, the auto-submit form posted to the SP's ACS interpolated `SAMLResponse`, `RelayState` and the action URL into HTML attributes without escaping. If a value contained a double quote, the browser truncated the attribute at that quote.
-
-This broke SPs that send a JSON string as `RelayState`: the SP received only `{` instead of the full value, losing the post-login context. The values are now HTML-escaped, so quotes and other markup characters round-trip intact (this also closes a reflected-markup injection vector in the interstitial page).
-
-In addition, the form action URL is now restricted to the `http`/`https` schemes before rendering. Escaping the attribute value alone does not neutralize a scriptable scheme such as `javascript:`, which the browser would execute on submission, so such URLs are now rejected.
diff --git a/.changeset/fix-console-username-update-401.md b/.changeset/fix-console-username-update-401.md
deleted file mode 100644
index 0a4d1e1838e4..000000000000
--- a/.changeset/fix-console-username-update-401.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-"@logto/console": patch
----
-
-fix Console username update returning 401 by redirecting to Account Center
-
-The Account API requires identity verification for username changes, which the
-Console profile page does not implement. Redirect username editing to the
-Account Center's `/account/username` page (same pattern as MFA) where the full
-verification flow is already implemented.
diff --git a/.changeset/fix-custom-css-flash.md b/.changeset/fix-custom-css-flash.md
deleted file mode 100644
index 0aa7d1e5e963..000000000000
--- a/.changeset/fix-custom-css-flash.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-"@logto/core": patch
----
-
-fix a flash of built-in styles on the hosted sign-in experience when custom CSS is configured
-
-Custom CSS was injected on the client via react-helmet, which mutates `<head>` asynchronously after the page had already painted with the built-in styles. The server-rendered experience HTML now inlines the configured custom CSS into `<head>`, so it is part of the cascade on the first paint. The `</style>` sequence in custom CSS is escaped so it cannot terminate the style element early, and the SSR data embedded in the inline `<script>` is now serialized with HTML-significant characters escaped to prevent script breakout.
diff --git a/.changeset/fix-sentinel-count-string.md b/.changeset/fix-sentinel-count-string.md
deleted file mode 100644
index 86da680b1124..000000000000
--- a/.changeset/fix-sentinel-count-string.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-"@logto/core": patch
----
-
-fix identifier-lockout sentinel misfiring because `count(*)` was treated as a string
-
-Postgres returns `count(*)` as a bigint that Slonik surfaces as a string. The sentinel added `1` to this value to decide whether to lock an identifier, so `'10' + 1` evaluated to `'101'` and the failed-attempt threshold (default 100) tripped far too early — roughly at 10 failed attempts. The count is now coerced to a number so the threshold is compared numerically.
diff --git a/.changeset/idempotent-application-roles.md b/.changeset/idempotent-application-roles.md
deleted file mode 100644
index 9d892319eb32..000000000000
--- a/.changeset/idempotent-application-roles.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-"@logto/core": minor
----
-
-Make `POST /api/applications/:applicationId/roles` idempotent: role IDs already attached to the application are silently ignored instead of causing the request to fail with `422 application.role_exists`. The response is now `201` with body `{ roleIds, addedRoleIds }`, matching the response shape of `POST /api/users/:userId/roles`.
-
-Closes #8900.
diff --git a/.changeset/jwt-customizer-organization-context.md b/.changeset/jwt-customizer-organization-context.md
deleted file mode 100644
index 74c89b3d1591..000000000000
--- a/.changeset/jwt-customizer-organization-context.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-"@logto/core": minor
-"@logto/schemas": minor
-"@logto/console": minor
----
-
-expose the target organization to the access token JWT customizer for organization (API resource) tokens
-
-When Logto issues an organization access token (a token requested with both `organization_id` and `resource`), the access token JWT customizer now receives a `context.organization` object with the target organization's `id`, `name`, `description` and `customData`. Previously the customizer was invoked with the same payload as a regular user access token and had no way to know which organization the token was being issued for — the `organization_id` claim is only injected after the customizer runs.
-
-This lets scripts attach per-organization claims (for example mapping the Logto organization id to an internal id stored in `organization.customData`) without embedding a map of every organization the user belongs to into every token.
diff --git a/.changeset/message-send-rate-limit.md b/.changeset/message-send-rate-limit.md
deleted file mode 100644
index 36e6f9d9b18e..000000000000
--- a/.changeset/message-send-rate-limit.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-"@logto/core": minor
-"@logto/schemas": minor
-"@logto/console": minor
----
-
-rate-limit outbound verification-code and message sends per recipient and suppress delivery to unknown recipients
-
-Adds a mandatory, system-level per-recipient send rate limit across all email/SMS send paths (experience verification codes including MFA, the account and management verification-code APIs, `/me`, organization invitations, and the legacy interaction API), emits a `Message.RateLimited` webhook when a send is throttled, and suppresses verification-code delivery to unregistered recipients when registration is disabled to prevent account enumeration. The `Message.RateLimited` event is now selectable in the Console webhook settings.
diff --git a/.changeset/moody-wasps-shout.md b/.changeset/moody-wasps-shout.md
deleted file mode 100644
index b1c874f03e4a..000000000000
--- a/.changeset/moody-wasps-shout.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@logto/core": patch
----
-
-fix custom UI asset upload timeout caused by Azure blob existence checks
diff --git a/.changeset/new-cobras-perform.md b/.changeset/new-cobras-perform.md
deleted file mode 100644
index 1e3a4edc8dc1..000000000000
--- a/.changeset/new-cobras-perform.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-"@logto/console": minor
-"@logto/core": minor
-"@logto/experience": minor
-"@logto/phrases-experience": minor
-"@logto/phrases": minor
-"@logto/integration-tests": minor
-"@logto/schemas": minor
----
-
-add app-level access control for applications
-
-Add a new application access control feature that allows administrators to restrict user access to applications. When enabled, users who do not have permission to access an application will see an access denied error message when they attempt to sign in or access the application. This feature can be configured in the Console Security settings.
-
-Supported custom control rules include:
-
-- User IDs
-- User roles
-- Organizations
-- Organization roles
-
-Refer to the documentation for more details: https://docs.logto.io/integrate-logto/app-level-access-control
diff --git a/.changeset/one-time-token-consent-guard.md b/.changeset/one-time-token-consent-guard.md
deleted file mode 100644
index dae75749bae8..000000000000
--- a/.changeset/one-time-token-consent-guard.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-"@logto/core": patch
-"@logto/integration-tests": patch
----
-
-fix one-time token consent handling for switch-account sign-in flows
diff --git a/.changeset/reject-null-bytes-in-oidc-request-body.md b/.changeset/reject-null-bytes-in-oidc-request-body.md
deleted file mode 100644
index 354f1572a97a..000000000000
--- a/.changeset/reject-null-bytes-in-oidc-request-body.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-"@logto/core": patch
----
-
-reject null bytes in OIDC request bodies and strip them from audit logs so malformed input returns a clean 400 instead of a 500
-
-A null byte (`U+0000`) in an `application/x-www-form-urlencoded` body sent to `/oidc/token` previously surfaced as a `500 Internal Server Error`. The actual cause was the audit log insert: PostgreSQL rejects null bytes in `jsonb` (error `22P05`), and because the insert runs in a `finally` block, that failure masked the original clean error. The OIDC body parser now rejects null bytes with a `400 invalid_request`, and audit log payloads are sanitized of null bytes before insert as defense in depth.
-
-Closes #8990.
diff --git a/.changeset/release-account-center-session-management.md b/.changeset/release-account-center-session-management.md
deleted file mode 100644
index a8bd97ca0b14..000000000000
--- a/.changeset/release-account-center-session-management.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-"@logto/account": minor
-"@logto/console": minor
----
-
-add account center session management
-
-Users can now configure and use the account center Sessions page to review active sessions and connected third-party applications.
diff --git a/.changeset/release-account-profile-features.md b/.changeset/release-account-profile-features.md
deleted file mode 100644
index 7703d1a6f08c..000000000000
--- a/.changeset/release-account-profile-features.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-"@logto/core": minor
-"@logto/console": minor
-"@logto/account": minor
----
-
-release account center profile page, custom profile fields at sign-up, and experience/account avatar upload from dev feature gates
-
-The collect-user-profile sign-up flow now respects the explicit `signUpProfileFields` list instead of always showing the full catalog. The account center profile page and avatar upload endpoints are no longer gated behind a dev feature flag.
diff --git a/.changeset/release-passkey-account-center-access-control.md b/.changeset/release-passkey-account-center-access-control.md
deleted file mode 100644
index a246f41394b7..000000000000
--- a/.changeset/release-passkey-account-center-access-control.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-"@logto/core": minor
-"@logto/console": minor
-"@logto/account": minor
----
-
-add independent Account Center passkey controls for passkey sign-in
-
-Admins can now configure passkey visibility separately from MFA in Account Center, and users can manage passkeys plus their passkey sign-in prompt preference when passkey sign-in is enabled.
diff --git a/.changeset/release-password-expiration.md b/.changeset/release-password-expiration.md
deleted file mode 100644
index ccc1c8a266b9..000000000000
--- a/.changeset/release-password-expiration.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-"@logto/core": minor
-"@logto/schemas": minor
-"@logto/console": minor
-"@logto/experience": minor
-"@logto/phrases": minor
-"@logto/phrases-experience": minor
----
-
-add a configurable per-tenant password expiration policy
-
-Operators can enable password expiration from Console → Security → Password policy and set the number of days a password stays valid. When a password reaches the end of its valid period — or is manually expired for a specific user — the end user is forced through the forgot-password flow on their next password sign-in before they can continue. Users signing in via SSO or passkey are not affected.
-
-- **Console**: a new "Password expiration" card with an enable toggle and a valid-period (days) input, an inline reminder when sign-up requires no contact identifier to guarantee password recovery, and a per-user "Expire password" action on the user details page.
-- **Core / API**: the policy is stored on the sign-in experience (`passwordExpiration`) and enforced after password verification. `PATCH /api/users/:userId/password/expiration` lets admins manually expire a user's password, and deleting the last forgot-password connector is rejected while the policy is enabled.
-- **Experience**: an expired password prompts the user to reset it via the configured recovery method before sign-in completes.
-
-Legacy users without a recorded password-change date are anchored to the timestamp the policy was enabled, so they get a full valid period instead of being expired immediately.
diff --git a/.changeset/release-theme-flash-fix.md b/.changeset/release-theme-flash-fix.md
deleted file mode 100644
index 1961af264122..000000000000
--- a/.changeset/release-theme-flash-fix.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-"@logto/core": patch
-"@logto/schemas": patch
-"@logto/experience": patch
-"@logto/account": patch
----
-
-prevent theme flash in sign-in experience and account center
-
-Sign-in experience and account center now apply tenant theme, platform, and brand color before the app hydrates, reducing flashes of the wrong theme during initial page load.
diff --git a/.changeset/social-link-without-legacy-verification.md b/.changeset/social-link-without-legacy-verification.md
deleted file mode 100644
index ee3d03d11c71..000000000000
--- a/.changeset/social-link-without-legacy-verification.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@logto/core": patch
----
-
-allow linking social identities in account center without password, email, or phone when the user has no legacy security verification methods
diff --git a/.changeset/support-passkey-mfa-native.md b/.changeset/support-passkey-mfa-native.md
deleted file mode 100644
index 37446c444d20..000000000000
--- a/.changeset/support-passkey-mfa-native.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-"@logto/console": minor
-"@logto/phrases": minor
----
-
-support passkeys (WebAuthn) as an MFA factor for native apps using Logto's native SDKs
-
-Logto's native SDKs (Android and iOS) now sign users in through the system's default browser, where passkeys (WebAuthn) are available. Upgrade to Android SDK v3 or iOS SDK v2 to enable it.
diff --git a/.changeset/url-regex-no-lookbehind.md b/.changeset/url-regex-no-lookbehind.md
deleted file mode 100644
index dbb1f0c9bf6f..000000000000
--- a/.changeset/url-regex-no-lookbehind.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-"@logto/connector-kit": patch
----
-
-fix a runtime crash on iOS 15 and older Safari when loading the experience or demo apps
-
-`urlRegEx` used a lookbehind assertion (`(?<![\w.])`), which Safari < 16.4 cannot parse. Because the regex is a top-level literal bundled into the experience app, loading the app threw `SyntaxError: Invalid regular expression: invalid group specifier name` before any code ran. The boundary now uses a `(?:^|[^\w.])` group, which is behaviorally equivalent for `.test()` and parses on all supported browsers.
diff --git a/.changeset/username-policy-client.md b/.changeset/username-policy-client.md
deleted file mode 100644
index c921ce8a83c1..000000000000
--- a/.changeset/username-policy-client.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-"@logto/experience": minor
-"@logto/account": minor
-"@logto/phrases-experience": minor
----
-
-apply the tenant username policy in sign-in experience and account center username forms
-
-Usernames entered during sign-up, profile fulfillment, and account center editing are validated against the tenant username policy with localized inline errors. The dedicated username pages (continue flow and account center) state the policy requirements in their page description, and the sign-up identifier form surfaces the full requirements sentence when an entered username violates the policy.
diff --git a/.changeset/username-policy-console.md b/.changeset/username-policy-console.md
deleted file mode 100644
index ad32104972dc..000000000000
--- a/.changeset/username-policy-console.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-"@logto/console": minor
-"@logto/phrases": minor
----
-
-add username policy management to the sign-in experience advanced options
-
-Operators can configure the tenant username policy — case sensitivity, length bounds, and allowed character types — from Console → Sign-in experience → Sign-up and sign-in → Advanced options. Switching to case-insensitive proactively detects existing usernames that differ only by case and blocks the save until the conflicts are resolved.
diff --git a/.changeset/username-policy-core-kit.md b/.changeset/username-policy-core-kit.md
deleted file mode 100644
index b7709ef1a86a..000000000000
--- a/.changeset/username-policy-core-kit.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@logto/core-kit": minor
----
-
-add a shared username policy type, Zod guard, and default value
diff --git a/.changeset/username-policy-core.md b/.changeset/username-policy-core.md
deleted file mode 100644
index 394db62d2918..000000000000
--- a/.changeset/username-policy-core.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-"@logto/core": minor
-"@logto/schemas": minor
-"@logto/shared": patch
----
-
-add per-tenant username policy enforcement and mirror preferred_username from username by default
-
-The sign-in experience now stores a per-tenant username policy (case sensitivity, length bounds, and allowed character types) that is enforced on end-user username writes: experience sign-up and profile fulfillment, the account API, and `/me`. Admin (Management API) writes keep the always-on baseline rules only.
-
-Switching usernames to case-insensitive is guarded: `PATCH /api/sign-in-exp` is rejected with a 409 while usernames that differ only by case exist, and the new `GET /api/sign-in-exp/username-policy/case-sensitivity-conflicts` endpoint reports such conflicts.
-
-For deployments using the legacy `CASE_SENSITIVE_USERNAME` environment variable: the effective case sensitivity is the per-tenant policy AND-combined with the env var, so usernames are treated case-insensitively if either is false. Existing `CASE_SENSITIVE_USERNAME=false` setups keep their behavior — the env var acts as a runtime override that forces case-insensitive handling for every tenant, and the per-tenant policy cannot re-enable case sensitivity while it is set. The env var is deprecated and slated for removal in the next major; migrate by unsetting it and configuring `usernamePolicy.caseSensitive` per tenant instead.
-
-The OIDC `preferred_username` claim now falls back to the user's `username` when `profile.preferredUsername` is unset, so standards-compliant clients receive a usable value out of the box.
diff --git a/.changeset/username-policy-validator.md b/.changeset/username-policy-validator.md
deleted file mode 100644
index af2c23e83b98..000000000000
--- a/.changeset/username-policy-validator.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@logto/core-kit": minor
----
-
-add a shared username policy validator
diff --git a/.changeset/verification-code-policy.md b/.changeset/verification-code-policy.md
deleted file mode 100644
index f57d81d5cf8e..000000000000
--- a/.changeset/verification-code-policy.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-"@logto/core": minor
-"@logto/console": minor
-"@logto/schemas": minor
----
-
-allow customizing verification code settings
-
-Admins can configure the verification code expiration duration and maximum retry attempts in Console Security settings.
diff --git a/packages/account/CHANGELOG.md b/packages/account/CHANGELOG.md
index c355e061bd94..6de0d9b32b99 100644
--- a/packages/account/CHANGELOG.md
+++ b/packages/account/CHANGELOG.md
@@ -1,5 +1,31 @@
 # @logto/account
 
+## 0.5.0
+
+### Minor Changes
+
+- 3d38ae2074: add account center session management
+
+  Users can now configure and use the account center Sessions page to review active sessions and connected third-party applications.
+
+- c1ff0c1142: release account center profile page, custom profile fields at sign-up, and experience/account avatar upload from dev feature gates
+
+  The collect-user-profile sign-up flow now respects the explicit `signUpProfileFields` list instead of always showing the full catalog. The account center profile page and avatar upload endpoints are no longer gated behind a dev feature flag.
+
+- bcd517bacf: add independent Account Center passkey controls for passkey sign-in
+
+  Admins can now configure passkey visibility separately from MFA in Account Center, and users can manage passkeys plus their passkey sign-in prompt preference when passkey sign-in is enabled.
+
+- 67b99bba85: apply the tenant username policy in sign-in experience and account center username forms
+
+  Usernames entered during sign-up, profile fulfillment, and account center editing are validated against the tenant username policy with localized inline errors. The dedicated username pages (continue flow and account center) state the policy requirements in their page description, and the sign-up identifier form surfaces the full requirements sentence when an entered username violates the policy.
+
+### Patch Changes
+
+- 72820ac41e: prevent theme flash in sign-in experience and account center
+
+  Sign-in experience and account center now apply tenant theme, platform, and brand color before the app hydrates, reducing flashes of the wrong theme during initial page load.
+
 ## 0.4.1
 
 ### Patch Changes
diff --git a/packages/account/package.json b/packages/account/package.json
index b7c7b18fd1fe..7e5f1af31ae8 100644
--- a/packages/account/package.json
+++ b/packages/account/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/account",
-  "version": "0.4.1",
+  "version": "0.5.0",
   "description": "Logto account center app.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
diff --git a/packages/api/CHANGELOG.md b/packages/api/CHANGELOG.md
index adfc232cca0f..31ccb7e054c9 100644
--- a/packages/api/CHANGELOG.md
+++ b/packages/api/CHANGELOG.md
@@ -1,5 +1,7 @@
 # @logto/api
 
+## 1.41.0
+
 ## 1.40.1
 
 ## 1.40.0
diff --git a/packages/api/package.json b/packages/api/package.json
index d4d8f8101b6c..78caf92def6e 100644
--- a/packages/api/package.json
+++ b/packages/api/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/api",
-  "version": "1.40.1",
+  "version": "1.41.0",
   "description": "Logto API types and clients.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "homepage": "https://github.com/logto-io/logto#readme",
diff --git a/packages/cli/CHANGELOG.md b/packages/cli/CHANGELOG.md
index 51ee39159993..f768393f392a 100644
--- a/packages/cli/CHANGELOG.md
+++ b/packages/cli/CHANGELOG.md
@@ -1,5 +1,25 @@
 # Change Log
 
+## 1.41.0
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [a305713bb2]
+- Updated dependencies [c7f17d6c5c]
+- Updated dependencies [d41082bd7d]
+- Updated dependencies [c2016a044c]
+- Updated dependencies [72820ac41e]
+- Updated dependencies [b7386a5113]
+- Updated dependencies [e1fadfb1a]
+- Updated dependencies [67b99bba85]
+- Updated dependencies [a88413689]
+- Updated dependencies [eb45edbe34]
+  - @logto/connector-kit@5.1.0
+  - @logto/schemas@1.41.0
+  - @logto/core-kit@2.11.0
+  - @logto/shared@3.4.1
+
 ## 1.40.1
 
 ### Patch Changes
diff --git a/packages/cli/package.json b/packages/cli/package.json
index 8f375514ca02..76296e12b209 100644
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/cli",
-  "version": "1.40.1",
+  "version": "1.41.0",
   "description": "Logto CLI.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "homepage": "https://github.com/logto-io/logto#readme",
diff --git a/packages/connectors/connector-alipay-native/CHANGELOG.md b/packages/connectors/connector-alipay-native/CHANGELOG.md
index a9dbe8f8ca2a..4165acb4425d 100644
--- a/packages/connectors/connector-alipay-native/CHANGELOG.md
+++ b/packages/connectors/connector-alipay-native/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-alipay-native
 
+## 1.4.6
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.4.5
 
 ### Patch Changes
diff --git a/packages/connectors/connector-alipay-native/package.json b/packages/connectors/connector-alipay-native/package.json
index 53918b8dbbcc..4629093b8c5c 100644
--- a/packages/connectors/connector-alipay-native/package.json
+++ b/packages/connectors/connector-alipay-native/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-alipay-native",
-  "version": "1.4.5",
+  "version": "1.4.6",
   "description": "Alipay Native implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-alipay-web/CHANGELOG.md b/packages/connectors/connector-alipay-web/CHANGELOG.md
index 0448f5304f20..455bde78d213 100644
--- a/packages/connectors/connector-alipay-web/CHANGELOG.md
+++ b/packages/connectors/connector-alipay-web/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-alipay-web
 
+## 1.6.5
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.6.4
 
 ### Patch Changes
diff --git a/packages/connectors/connector-alipay-web/package.json b/packages/connectors/connector-alipay-web/package.json
index 9d2de01e0491..a523d93bf935 100644
--- a/packages/connectors/connector-alipay-web/package.json
+++ b/packages/connectors/connector-alipay-web/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-alipay-web",
-  "version": "1.6.4",
+  "version": "1.6.5",
   "description": "Alipay implementation.",
   "dependencies": {
     "@logto/connector-kit": "workspace:^",
diff --git a/packages/connectors/connector-aliyun-dm/CHANGELOG.md b/packages/connectors/connector-aliyun-dm/CHANGELOG.md
index 51e5de7747ad..6b5633a19818 100644
--- a/packages/connectors/connector-aliyun-dm/CHANGELOG.md
+++ b/packages/connectors/connector-aliyun-dm/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-aliyun-dm
 
+## 1.6.1
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.6.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-aliyun-dm/package.json b/packages/connectors/connector-aliyun-dm/package.json
index 7eca9a5f3ad6..b39a781cf0b5 100644
--- a/packages/connectors/connector-aliyun-dm/package.json
+++ b/packages/connectors/connector-aliyun-dm/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-aliyun-dm",
-  "version": "1.6.0",
+  "version": "1.6.1",
   "description": "Aliyun DM connector implementation.",
   "dependencies": {
     "@logto/connector-kit": "workspace:^",
diff --git a/packages/connectors/connector-aliyun-sms-mas/CHANGELOG.md b/packages/connectors/connector-aliyun-sms-mas/CHANGELOG.md
index a281b4f81550..8c1fa508af23 100644
--- a/packages/connectors/connector-aliyun-sms-mas/CHANGELOG.md
+++ b/packages/connectors/connector-aliyun-sms-mas/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-aliyun-sms-mas
 
+## 1.1.1
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+- Updated dependencies [67b99bba85]
+  - @logto/connector-kit@5.1.0
+  - @logto/shared@3.4.1
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-aliyun-sms-mas/package.json b/packages/connectors/connector-aliyun-sms-mas/package.json
index efdb964a1929..0a0d426ae658 100644
--- a/packages/connectors/connector-aliyun-sms-mas/package.json
+++ b/packages/connectors/connector-aliyun-sms-mas/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-aliyun-sms-mas",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "Aliyun Message Authentication Service (MAS) connector implementation.",
   "dependencies": {
     "@logto/connector-kit": "workspace:^",
diff --git a/packages/connectors/connector-aliyun-sms/CHANGELOG.md b/packages/connectors/connector-aliyun-sms/CHANGELOG.md
index 90c19da28950..33e5f54d6007 100644
--- a/packages/connectors/connector-aliyun-sms/CHANGELOG.md
+++ b/packages/connectors/connector-aliyun-sms/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-aliyun-sms
 
+## 1.5.4
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.5.3
 
 ### Patch Changes
diff --git a/packages/connectors/connector-aliyun-sms/package.json b/packages/connectors/connector-aliyun-sms/package.json
index a06d7666558a..a44d6ecacba7 100644
--- a/packages/connectors/connector-aliyun-sms/package.json
+++ b/packages/connectors/connector-aliyun-sms/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-aliyun-sms",
-  "version": "1.5.3",
+  "version": "1.5.4",
   "description": "Aliyun SMS connector implementation.",
   "dependencies": {
     "@logto/connector-kit": "workspace:^",
diff --git a/packages/connectors/connector-amazon/CHANGELOG.md b/packages/connectors/connector-amazon/CHANGELOG.md
index a9c270b2382d..264509ce42ef 100644
--- a/packages/connectors/connector-amazon/CHANGELOG.md
+++ b/packages/connectors/connector-amazon/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-amazon
 
+## 0.3.5
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 0.3.4
 
 ### Patch Changes
diff --git a/packages/connectors/connector-amazon/package.json b/packages/connectors/connector-amazon/package.json
index 3b5575e188c9..672e0fff2032 100644
--- a/packages/connectors/connector-amazon/package.json
+++ b/packages/connectors/connector-amazon/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-amazon",
-  "version": "0.3.4",
+  "version": "0.3.5",
   "description": "Amazon web connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-apple/CHANGELOG.md b/packages/connectors/connector-apple/CHANGELOG.md
index 2be19a0793f9..a035ceea1d7e 100644
--- a/packages/connectors/connector-apple/CHANGELOG.md
+++ b/packages/connectors/connector-apple/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-apple
 
+## 1.6.7
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+- Updated dependencies [67b99bba85]
+  - @logto/connector-kit@5.1.0
+  - @logto/shared@3.4.1
+
 ## 1.6.6
 
 ### Patch Changes
diff --git a/packages/connectors/connector-apple/package.json b/packages/connectors/connector-apple/package.json
index 0874979e45dc..e653292b72cb 100644
--- a/packages/connectors/connector-apple/package.json
+++ b/packages/connectors/connector-apple/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-apple",
-  "version": "1.6.6",
+  "version": "1.6.7",
   "description": "Apple web connector implementation.",
   "dependencies": {
     "@logto/connector-kit": "workspace:^",
diff --git a/packages/connectors/connector-aws-ses/CHANGELOG.md b/packages/connectors/connector-aws-ses/CHANGELOG.md
index 84cd7b678bcf..25bbe5e585aa 100644
--- a/packages/connectors/connector-aws-ses/CHANGELOG.md
+++ b/packages/connectors/connector-aws-ses/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-aws-ses
 
+## 1.5.4
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.5.3
 
 ### Patch Changes
diff --git a/packages/connectors/connector-aws-ses/package.json b/packages/connectors/connector-aws-ses/package.json
index 9dc2409b0e60..323e82d64636 100644
--- a/packages/connectors/connector-aws-ses/package.json
+++ b/packages/connectors/connector-aws-ses/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-aws-ses",
-  "version": "1.5.3",
+  "version": "1.5.4",
   "description": "Logto Connector for Amazon SES",
   "author": "Jeff <admin@breadth.app>",
   "dependencies": {
diff --git a/packages/connectors/connector-azuread/CHANGELOG.md b/packages/connectors/connector-azuread/CHANGELOG.md
index 9aab6cdeb63e..5c3ea84c1292 100644
--- a/packages/connectors/connector-azuread/CHANGELOG.md
+++ b/packages/connectors/connector-azuread/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-azuread
 
+## 1.6.5
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.6.4
 
 ### Patch Changes
diff --git a/packages/connectors/connector-azuread/package.json b/packages/connectors/connector-azuread/package.json
index dffae46fd26b..09ff98aa945a 100644
--- a/packages/connectors/connector-azuread/package.json
+++ b/packages/connectors/connector-azuread/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-azuread",
-  "version": "1.6.4",
+  "version": "1.6.5",
   "description": "Microsoft Azure AD connector implementation.",
   "author": "Mobilist Inc. <info@mobilist.com.tr>",
   "dependencies": {
diff --git a/packages/connectors/connector-dingtalk-web/CHANGELOG.md b/packages/connectors/connector-dingtalk-web/CHANGELOG.md
index b2505e3e6330..f1a8ca6ce8ec 100644
--- a/packages/connectors/connector-dingtalk-web/CHANGELOG.md
+++ b/packages/connectors/connector-dingtalk-web/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-dingtalk-web
 
+## 0.4.5
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 0.4.4
 
 ### Patch Changes
diff --git a/packages/connectors/connector-dingtalk-web/package.json b/packages/connectors/connector-dingtalk-web/package.json
index 9e301790d413..05512ac18819 100644
--- a/packages/connectors/connector-dingtalk-web/package.json
+++ b/packages/connectors/connector-dingtalk-web/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-dingtalk-web",
-  "version": "0.4.4",
+  "version": "0.4.5",
   "description": "Dingtalk web connector implementation.",
   "dependencies": {
     "@logto/connector-kit": "workspace:^",
diff --git a/packages/connectors/connector-discord/CHANGELOG.md b/packages/connectors/connector-discord/CHANGELOG.md
index 48c5239ff43a..3c27975e3f66 100644
--- a/packages/connectors/connector-discord/CHANGELOG.md
+++ b/packages/connectors/connector-discord/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-discord
 
+## 1.6.5
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.6.4
 
 ### Patch Changes
diff --git a/packages/connectors/connector-discord/package.json b/packages/connectors/connector-discord/package.json
index d8938f26b947..254ddc2b592c 100644
--- a/packages/connectors/connector-discord/package.json
+++ b/packages/connectors/connector-discord/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-discord",
-  "version": "1.6.4",
+  "version": "1.6.5",
   "description": "Discord connector implementation.",
   "author": "ZR3SYSTEMS. <https://github.com/FlurryNight>",
   "dependencies": {
diff --git a/packages/connectors/connector-facebook/CHANGELOG.md b/packages/connectors/connector-facebook/CHANGELOG.md
index a4ca421f7db9..e908ae350bb2 100644
--- a/packages/connectors/connector-facebook/CHANGELOG.md
+++ b/packages/connectors/connector-facebook/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-facebook
 
+## 1.6.5
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.6.4
 
 ### Patch Changes
diff --git a/packages/connectors/connector-facebook/package.json b/packages/connectors/connector-facebook/package.json
index 910a43bac564..c7a08ec99934 100644
--- a/packages/connectors/connector-facebook/package.json
+++ b/packages/connectors/connector-facebook/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-facebook",
-  "version": "1.6.4",
+  "version": "1.6.5",
   "description": "Facebook web connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-feishu-web/CHANGELOG.md b/packages/connectors/connector-feishu-web/CHANGELOG.md
index e7a161c44727..097d172eb7eb 100644
--- a/packages/connectors/connector-feishu-web/CHANGELOG.md
+++ b/packages/connectors/connector-feishu-web/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-feishu-web
 
+## 1.4.6
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.4.5
 
 ### Patch Changes
diff --git a/packages/connectors/connector-feishu-web/package.json b/packages/connectors/connector-feishu-web/package.json
index d9f0b7311413..1286a70bf926 100644
--- a/packages/connectors/connector-feishu-web/package.json
+++ b/packages/connectors/connector-feishu-web/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-feishu-web",
-  "version": "1.4.5",
+  "version": "1.4.6",
   "description": "Feishu web connector.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-gatewayapi-sms/CHANGELOG.md b/packages/connectors/connector-gatewayapi-sms/CHANGELOG.md
index 4f3f830ab624..abf99f4681e2 100644
--- a/packages/connectors/connector-gatewayapi-sms/CHANGELOG.md
+++ b/packages/connectors/connector-gatewayapi-sms/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-gatewayapi-sms
 
+## 1.2.4
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.2.3
 
 ### Patch Changes
diff --git a/packages/connectors/connector-gatewayapi-sms/package.json b/packages/connectors/connector-gatewayapi-sms/package.json
index 4cf9bf24198e..ddaf94b855d7 100644
--- a/packages/connectors/connector-gatewayapi-sms/package.json
+++ b/packages/connectors/connector-gatewayapi-sms/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-gatewayapi-sms",
-  "version": "1.2.3",
+  "version": "1.2.4",
   "description": "GatewayAPI SMS connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-github/CHANGELOG.md b/packages/connectors/connector-github/CHANGELOG.md
index a53b94060f56..5634444ae8fc 100644
--- a/packages/connectors/connector-github/CHANGELOG.md
+++ b/packages/connectors/connector-github/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-github
 
+## 1.7.5
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.7.4
 
 ### Patch Changes
diff --git a/packages/connectors/connector-github/package.json b/packages/connectors/connector-github/package.json
index 8b1b9bb054e9..4a08451606be 100644
--- a/packages/connectors/connector-github/package.json
+++ b/packages/connectors/connector-github/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-github",
-  "version": "1.7.4",
+  "version": "1.7.5",
   "description": "Github web connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-gitlab/CHANGELOG.md b/packages/connectors/connector-gitlab/CHANGELOG.md
index 832eb8205712..05b8d7f5e746 100644
--- a/packages/connectors/connector-gitlab/CHANGELOG.md
+++ b/packages/connectors/connector-gitlab/CHANGELOG.md
@@ -1,5 +1,16 @@
 # @logto/connector-gitlab
 
+## 1.2.7
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+- Updated dependencies [67b99bba85]
+  - @logto/connector-kit@5.1.0
+  - @logto/shared@3.4.1
+  - @logto/connector-oauth@1.7.7
+
 ## 1.2.6
 
 ### Patch Changes
diff --git a/packages/connectors/connector-gitlab/package.json b/packages/connectors/connector-gitlab/package.json
index 3e8c007ad597..6623b09ddca8 100644
--- a/packages/connectors/connector-gitlab/package.json
+++ b/packages/connectors/connector-gitlab/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-gitlab",
-  "version": "1.2.6",
+  "version": "1.2.7",
   "description": "GitLab social connector implementation.",
   "dependencies": {
     "@logto/connector-kit": "workspace:^",
diff --git a/packages/connectors/connector-google/CHANGELOG.md b/packages/connectors/connector-google/CHANGELOG.md
index c5ad7670e3a1..6d1d6afa8372 100644
--- a/packages/connectors/connector-google/CHANGELOG.md
+++ b/packages/connectors/connector-google/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-google
 
+## 1.8.5
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.8.4
 
 ### Patch Changes
diff --git a/packages/connectors/connector-google/package.json b/packages/connectors/connector-google/package.json
index 57511fa54804..9f8872030139 100644
--- a/packages/connectors/connector-google/package.json
+++ b/packages/connectors/connector-google/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-google",
-  "version": "1.8.4",
+  "version": "1.8.5",
   "description": "Google web connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-http-email/CHANGELOG.md b/packages/connectors/connector-http-email/CHANGELOG.md
index 9065eab8a6ac..71f69f5868b3 100644
--- a/packages/connectors/connector-http-email/CHANGELOG.md
+++ b/packages/connectors/connector-http-email/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-http-email
 
+## 0.4.3
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 0.4.2
 
 ### Patch Changes
diff --git a/packages/connectors/connector-http-email/package.json b/packages/connectors/connector-http-email/package.json
index f656156002e1..ad8fff13b485 100644
--- a/packages/connectors/connector-http-email/package.json
+++ b/packages/connectors/connector-http-email/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-http-email",
-  "version": "0.4.2",
+  "version": "0.4.3",
   "description": "Email connector to send email via HTTP call.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-huggingface/CHANGELOG.md b/packages/connectors/connector-huggingface/CHANGELOG.md
index df84eb657801..1a80ffcc11e8 100644
--- a/packages/connectors/connector-huggingface/CHANGELOG.md
+++ b/packages/connectors/connector-huggingface/CHANGELOG.md
@@ -1,5 +1,14 @@
 # @logto/connector-huggingface
 
+## 0.4.7
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+  - @logto/connector-oauth@1.7.7
+
 ## 0.4.6
 
 ### Patch Changes
diff --git a/packages/connectors/connector-huggingface/package.json b/packages/connectors/connector-huggingface/package.json
index 7cb24ae0de9d..c30ef2e4e1a0 100644
--- a/packages/connectors/connector-huggingface/package.json
+++ b/packages/connectors/connector-huggingface/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-huggingface",
-  "version": "0.4.6",
+  "version": "0.4.7",
   "description": "Hugging Face connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-kakao/CHANGELOG.md b/packages/connectors/connector-kakao/CHANGELOG.md
index 97dbc86f368f..d5c19fa286df 100644
--- a/packages/connectors/connector-kakao/CHANGELOG.md
+++ b/packages/connectors/connector-kakao/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-kakao
 
+## 1.4.6
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.4.5
 
 ### Patch Changes
diff --git a/packages/connectors/connector-kakao/package.json b/packages/connectors/connector-kakao/package.json
index 5c9833b28169..112a311b9741 100644
--- a/packages/connectors/connector-kakao/package.json
+++ b/packages/connectors/connector-kakao/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-kakao",
-  "version": "1.4.5",
+  "version": "1.4.6",
   "description": "Kakao connector implementation.",
   "author": "Kyungyoon Kim. <ruddbs5302@gmail.com>",
   "dependencies": {
diff --git a/packages/connectors/connector-kook/CHANGELOG.md b/packages/connectors/connector-kook/CHANGELOG.md
index b4a1e0d82107..7f2355dfd203 100644
--- a/packages/connectors/connector-kook/CHANGELOG.md
+++ b/packages/connectors/connector-kook/CHANGELOG.md
@@ -1,5 +1,14 @@
 # @logto/connector-kook
 
+## 0.4.7
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+  - @logto/connector-oauth@1.7.7
+
 ## 0.4.6
 
 ### Patch Changes
diff --git a/packages/connectors/connector-kook/package.json b/packages/connectors/connector-kook/package.json
index 39cd93b4cb5b..d668795101b3 100644
--- a/packages/connectors/connector-kook/package.json
+++ b/packages/connectors/connector-kook/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-kook",
-  "version": "0.4.6",
+  "version": "0.4.7",
   "description": "KOOK connector implementation.",
   "main": "./lib/index.js",
   "module": "./lib/index.js",
diff --git a/packages/connectors/connector-line/CHANGELOG.md b/packages/connectors/connector-line/CHANGELOG.md
index 0c24cef6afd6..12c3641ecee9 100644
--- a/packages/connectors/connector-line/CHANGELOG.md
+++ b/packages/connectors/connector-line/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-line
 
+## 0.3.5
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 0.3.4
 
 ### Patch Changes
diff --git a/packages/connectors/connector-line/package.json b/packages/connectors/connector-line/package.json
index 3bbb6eed3375..f5efd5e31220 100644
--- a/packages/connectors/connector-line/package.json
+++ b/packages/connectors/connector-line/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-line",
-  "version": "0.3.4",
+  "version": "0.3.5",
   "description": "Line web connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-linkedin/CHANGELOG.md b/packages/connectors/connector-linkedin/CHANGELOG.md
index cab58c0bfa86..4107967ee7a7 100644
--- a/packages/connectors/connector-linkedin/CHANGELOG.md
+++ b/packages/connectors/connector-linkedin/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-linkedin
 
+## 0.3.5
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 0.3.4
 
 ### Patch Changes
diff --git a/packages/connectors/connector-linkedin/package.json b/packages/connectors/connector-linkedin/package.json
index 7ee468e6d859..ef98bd60e9cd 100644
--- a/packages/connectors/connector-linkedin/package.json
+++ b/packages/connectors/connector-linkedin/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-linkedin",
-  "version": "0.3.4",
+  "version": "0.3.5",
   "description": "LinkedIn web connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-logto-email/CHANGELOG.md b/packages/connectors/connector-logto-email/CHANGELOG.md
index 4bc5eb4adcf6..f98b2d0300fd 100644
--- a/packages/connectors/connector-logto-email/CHANGELOG.md
+++ b/packages/connectors/connector-logto-email/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-logto-email
 
+## 1.3.6
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.3.5
 
 ### Patch Changes
diff --git a/packages/connectors/connector-logto-email/package.json b/packages/connectors/connector-logto-email/package.json
index d8c2e6302894..5777a27ea549 100644
--- a/packages/connectors/connector-logto-email/package.json
+++ b/packages/connectors/connector-logto-email/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-logto-email",
-  "version": "1.3.5",
+  "version": "1.3.6",
   "description": "Logto email connector.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-logto-social-demo/CHANGELOG.md b/packages/connectors/connector-logto-social-demo/CHANGELOG.md
index dbe8c5f5e548..8319dc3cf726 100644
--- a/packages/connectors/connector-logto-social-demo/CHANGELOG.md
+++ b/packages/connectors/connector-logto-social-demo/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-logto-social-demo
 
+## 1.3.6
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.3.5
 
 ### Patch Changes
diff --git a/packages/connectors/connector-logto-social-demo/package.json b/packages/connectors/connector-logto-social-demo/package.json
index dabd838aeddf..c36dbf99a6b2 100644
--- a/packages/connectors/connector-logto-social-demo/package.json
+++ b/packages/connectors/connector-logto-social-demo/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-logto-social-demo",
-  "version": "1.3.5",
+  "version": "1.3.6",
   "description": "OAuth standard connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-mailgun/CHANGELOG.md b/packages/connectors/connector-mailgun/CHANGELOG.md
index a03c9c99110d..f30d8431fca8 100644
--- a/packages/connectors/connector-mailgun/CHANGELOG.md
+++ b/packages/connectors/connector-mailgun/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-mailgun
 
+## 1.5.6
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.5.5
 
 ### Patch Changes
diff --git a/packages/connectors/connector-mailgun/package.json b/packages/connectors/connector-mailgun/package.json
index d1df7485de69..3fbd8967ec22 100644
--- a/packages/connectors/connector-mailgun/package.json
+++ b/packages/connectors/connector-mailgun/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-mailgun",
-  "version": "1.5.5",
+  "version": "1.5.6",
   "description": "Mailgun connector for Logto.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-mailjunky/CHANGELOG.md b/packages/connectors/connector-mailjunky/CHANGELOG.md
index e4087fafd1c3..da227b060400 100644
--- a/packages/connectors/connector-mailjunky/CHANGELOG.md
+++ b/packages/connectors/connector-mailjunky/CHANGELOG.md
@@ -1,5 +1,17 @@
 # @logto/connector-mailjunky
 
+## 1.6.1
+
+### Patch Changes
+
+- e7b6e9de1: add SMTP2GO email connector for transactional auth emails via the SMTP2GO send API
+
+  Export shared SMTP mailbox parsing and formatting utilities from `@logto/connector-kit`, and adopt them in the MailJunky connector
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.6.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-mailjunky/package.json b/packages/connectors/connector-mailjunky/package.json
index 2e87ecf4bea5..9c538468377e 100644
--- a/packages/connectors/connector-mailjunky/package.json
+++ b/packages/connectors/connector-mailjunky/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-mailjunky",
-  "version": "1.6.0",
+  "version": "1.6.1",
   "description": "Logto email connector for MailJunky (transactional email API).",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-mock-email-alternative/CHANGELOG.md b/packages/connectors/connector-mock-email-alternative/CHANGELOG.md
index fc3eba4559fc..579279f87612 100644
--- a/packages/connectors/connector-mock-email-alternative/CHANGELOG.md
+++ b/packages/connectors/connector-mock-email-alternative/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-mock-standard-email
 
+## 3.0.2
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 3.0.1
 
 ### Patch Changes
diff --git a/packages/connectors/connector-mock-email-alternative/package.json b/packages/connectors/connector-mock-email-alternative/package.json
index 898f621eca14..e8bf6003bf14 100644
--- a/packages/connectors/connector-mock-email-alternative/package.json
+++ b/packages/connectors/connector-mock-email-alternative/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-mock-standard-email",
-  "version": "3.0.1",
+  "version": "3.0.2",
   "description": "Mock Standard Email Service connector implementation for integration tests only.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-mock-email/CHANGELOG.md b/packages/connectors/connector-mock-email/CHANGELOG.md
index e22af1876772..f547e7cfcdb1 100644
--- a/packages/connectors/connector-mock-email/CHANGELOG.md
+++ b/packages/connectors/connector-mock-email/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-mock-email
 
+## 3.0.2
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 3.0.1
 
 ### Patch Changes
diff --git a/packages/connectors/connector-mock-email/package.json b/packages/connectors/connector-mock-email/package.json
index 0b69a2c79241..ff33a5c0cf33 100644
--- a/packages/connectors/connector-mock-email/package.json
+++ b/packages/connectors/connector-mock-email/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-mock-email",
-  "version": "3.0.1",
+  "version": "3.0.2",
   "description": "Mock Email Service connector implementation for integration tests only.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-mock-sms/CHANGELOG.md b/packages/connectors/connector-mock-sms/CHANGELOG.md
index 470b4ec6bc3b..4263e63e28b3 100644
--- a/packages/connectors/connector-mock-sms/CHANGELOG.md
+++ b/packages/connectors/connector-mock-sms/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-mock-sms
 
+## 3.0.2
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 3.0.1
 
 ### Patch Changes
diff --git a/packages/connectors/connector-mock-sms/package.json b/packages/connectors/connector-mock-sms/package.json
index de0c41d85053..c86590b2b113 100644
--- a/packages/connectors/connector-mock-sms/package.json
+++ b/packages/connectors/connector-mock-sms/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-mock-sms",
-  "version": "3.0.1",
+  "version": "3.0.2",
   "description": "Mock SMS connector implementation for integration tests only.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-mock-social/CHANGELOG.md b/packages/connectors/connector-mock-social/CHANGELOG.md
index 889ed066c040..4a077cc2b4bc 100644
--- a/packages/connectors/connector-mock-social/CHANGELOG.md
+++ b/packages/connectors/connector-mock-social/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-mock-social
 
+## 1.5.5
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.5.4
 
 ### Patch Changes
diff --git a/packages/connectors/connector-mock-social/package.json b/packages/connectors/connector-mock-social/package.json
index c29a5d79c6cf..878e2724addc 100644
--- a/packages/connectors/connector-mock-social/package.json
+++ b/packages/connectors/connector-mock-social/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-mock-social",
-  "version": "1.5.4",
+  "version": "1.5.5",
   "description": "Social mock connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-naver/CHANGELOG.md b/packages/connectors/connector-naver/CHANGELOG.md
index e596ed11767b..94e08ff31a52 100644
--- a/packages/connectors/connector-naver/CHANGELOG.md
+++ b/packages/connectors/connector-naver/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-naver
 
+## 1.4.6
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.4.5
 
 ### Patch Changes
diff --git a/packages/connectors/connector-naver/package.json b/packages/connectors/connector-naver/package.json
index b02f730747ab..87ea82023230 100644
--- a/packages/connectors/connector-naver/package.json
+++ b/packages/connectors/connector-naver/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-naver",
-  "version": "1.4.5",
+  "version": "1.4.6",
   "description": "Naver connector implementation.",
   "author": "Kyungyoon Kim. <ruddbs5302@gmail.com>",
   "dependencies": {
diff --git a/packages/connectors/connector-oauth2/CHANGELOG.md b/packages/connectors/connector-oauth2/CHANGELOG.md
index 6bfc327e99b9..1e985f8b31fc 100644
--- a/packages/connectors/connector-oauth2/CHANGELOG.md
+++ b/packages/connectors/connector-oauth2/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-oauth
 
+## 1.7.7
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+- Updated dependencies [67b99bba85]
+  - @logto/connector-kit@5.1.0
+  - @logto/shared@3.4.1
+
 ## 1.7.6
 
 ### Patch Changes
diff --git a/packages/connectors/connector-oauth2/package.json b/packages/connectors/connector-oauth2/package.json
index 0103394d941c..fde00e65cafe 100644
--- a/packages/connectors/connector-oauth2/package.json
+++ b/packages/connectors/connector-oauth2/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-oauth",
-  "version": "1.7.6",
+  "version": "1.7.7",
   "description": "OAuth standard connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-oidc/CHANGELOG.md b/packages/connectors/connector-oidc/CHANGELOG.md
index 2e0c0736832e..70a4f8b0ea7e 100644
--- a/packages/connectors/connector-oidc/CHANGELOG.md
+++ b/packages/connectors/connector-oidc/CHANGELOG.md
@@ -1,5 +1,16 @@
 # @logto/connector-oidc
 
+## 1.7.4
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+- Updated dependencies [67b99bba85]
+  - @logto/connector-kit@5.1.0
+  - @logto/shared@3.4.1
+  - @logto/connector-oauth@1.7.7
+
 ## 1.7.3
 
 ### Patch Changes
diff --git a/packages/connectors/connector-oidc/package.json b/packages/connectors/connector-oidc/package.json
index e264a54da5d9..36c2e3b287a2 100644
--- a/packages/connectors/connector-oidc/package.json
+++ b/packages/connectors/connector-oidc/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-oidc",
-  "version": "1.7.3",
+  "version": "1.7.4",
   "description": "OIDC standard connector implementation.",
   "dependencies": {
     "@logto/connector-kit": "workspace:^",
diff --git a/packages/connectors/connector-patreon/CHANGELOG.md b/packages/connectors/connector-patreon/CHANGELOG.md
index f464c667633f..d3aad995bb1a 100644
--- a/packages/connectors/connector-patreon/CHANGELOG.md
+++ b/packages/connectors/connector-patreon/CHANGELOG.md
@@ -1,5 +1,14 @@
 # @logto/connector-patreon
 
+## 1.2.7
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+  - @logto/connector-oauth@1.7.7
+
 ## 1.2.6
 
 ### Patch Changes
diff --git a/packages/connectors/connector-patreon/package.json b/packages/connectors/connector-patreon/package.json
index 10fd3a6db3ed..573eba678893 100644
--- a/packages/connectors/connector-patreon/package.json
+++ b/packages/connectors/connector-patreon/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-patreon",
-  "version": "1.2.6",
+  "version": "1.2.7",
   "description": "Patreon web connector implementation.",
   "author": "DevTekVE <devtekve@gmail.com> & Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-postmark/CHANGELOG.md b/packages/connectors/connector-postmark/CHANGELOG.md
index 5c533a6a0c7b..ccac714cc9b9 100644
--- a/packages/connectors/connector-postmark/CHANGELOG.md
+++ b/packages/connectors/connector-postmark/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-postmark
 
+## 1.2.4
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.2.3
 
 ### Patch Changes
diff --git a/packages/connectors/connector-postmark/package.json b/packages/connectors/connector-postmark/package.json
index 266e89b0e381..46011e3b4868 100644
--- a/packages/connectors/connector-postmark/package.json
+++ b/packages/connectors/connector-postmark/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-postmark",
-  "version": "1.2.3",
+  "version": "1.2.4",
   "description": "Postmark connector implementation.",
   "author": "Sten Sandvik <stenrs@gmail.com>",
   "dependencies": {
diff --git a/packages/connectors/connector-qq/CHANGELOG.md b/packages/connectors/connector-qq/CHANGELOG.md
index 372d0bc1d3d2..f69e467fc803 100644
--- a/packages/connectors/connector-qq/CHANGELOG.md
+++ b/packages/connectors/connector-qq/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-qq
 
+## 1.1.5
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.1.4
 
 ### Patch Changes
diff --git a/packages/connectors/connector-qq/package.json b/packages/connectors/connector-qq/package.json
index c85be8fe0e07..79d13f7ff68f 100644
--- a/packages/connectors/connector-qq/package.json
+++ b/packages/connectors/connector-qq/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-qq",
-  "version": "1.1.4",
+  "version": "1.1.5",
   "description": "QQ web connector implementation.",
   "author": "Yen Harvey. <2117555041@qq.com>",
   "dependencies": {
diff --git a/packages/connectors/connector-saml/CHANGELOG.md b/packages/connectors/connector-saml/CHANGELOG.md
index cd62d830b3d8..35cb44ff6dbe 100644
--- a/packages/connectors/connector-saml/CHANGELOG.md
+++ b/packages/connectors/connector-saml/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-saml
 
+## 1.3.6
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.3.5
 
 ### Patch Changes
diff --git a/packages/connectors/connector-saml/package.json b/packages/connectors/connector-saml/package.json
index 25d536bf560d..2c2e406a33e9 100644
--- a/packages/connectors/connector-saml/package.json
+++ b/packages/connectors/connector-saml/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-saml",
-  "version": "1.3.5",
+  "version": "1.3.6",
   "description": "SAML standard connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-sendgrid-email/CHANGELOG.md b/packages/connectors/connector-sendgrid-email/CHANGELOG.md
index a66be6763d35..33718662d4d9 100644
--- a/packages/connectors/connector-sendgrid-email/CHANGELOG.md
+++ b/packages/connectors/connector-sendgrid-email/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-sendgrid-email
 
+## 1.5.4
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.5.3
 
 ### Patch Changes
diff --git a/packages/connectors/connector-sendgrid-email/package.json b/packages/connectors/connector-sendgrid-email/package.json
index 30367b354cf4..a83452325644 100644
--- a/packages/connectors/connector-sendgrid-email/package.json
+++ b/packages/connectors/connector-sendgrid-email/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-sendgrid-email",
-  "version": "1.5.3",
+  "version": "1.5.4",
   "description": "SendGrid Email Service connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-slack/CHANGELOG.md b/packages/connectors/connector-slack/CHANGELOG.md
index d6f25ff38576..fe0957f88556 100644
--- a/packages/connectors/connector-slack/CHANGELOG.md
+++ b/packages/connectors/connector-slack/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-slack
 
+## 0.3.5
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 0.3.4
 
 ### Patch Changes
diff --git a/packages/connectors/connector-slack/package.json b/packages/connectors/connector-slack/package.json
index f9f5ef837b7e..41dcebccb103 100644
--- a/packages/connectors/connector-slack/package.json
+++ b/packages/connectors/connector-slack/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-slack",
-  "version": "0.3.4",
+  "version": "0.3.5",
   "description": "Slack connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-smsaero/CHANGELOG.md b/packages/connectors/connector-smsaero/CHANGELOG.md
index 0a8f43c2b73f..afd00e18d0ee 100644
--- a/packages/connectors/connector-smsaero/CHANGELOG.md
+++ b/packages/connectors/connector-smsaero/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-smsaero
 
+## 1.5.4
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.5.3
 
 ### Patch Changes
diff --git a/packages/connectors/connector-smsaero/package.json b/packages/connectors/connector-smsaero/package.json
index 4b4411d1a231..d4b4b766cd40 100644
--- a/packages/connectors/connector-smsaero/package.json
+++ b/packages/connectors/connector-smsaero/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-smsaero",
-  "version": "1.5.3",
+  "version": "1.5.4",
   "description": "SMSAero connector implementation.",
   "author": "Danil Tankov <danil.tankoff@yandex.ru>",
   "dependencies": {
diff --git a/packages/connectors/connector-smsbao-sms/CHANGELOG.md b/packages/connectors/connector-smsbao-sms/CHANGELOG.md
index f1db1e155398..628d3b9d0c96 100644
--- a/packages/connectors/connector-smsbao-sms/CHANGELOG.md
+++ b/packages/connectors/connector-smsbao-sms/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-smsbao-sms
 
+## 1.1.1
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.1.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-smsbao-sms/package.json b/packages/connectors/connector-smsbao-sms/package.json
index f763701fe136..a9a0c3351fb3 100644
--- a/packages/connectors/connector-smsbao-sms/package.json
+++ b/packages/connectors/connector-smsbao-sms/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-smsbao-sms",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "SMSBao SMS connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-smtp/CHANGELOG.md b/packages/connectors/connector-smtp/CHANGELOG.md
index 9f7836f88082..d9d8370ba9d9 100644
--- a/packages/connectors/connector-smtp/CHANGELOG.md
+++ b/packages/connectors/connector-smtp/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-smtp
 
+## 1.5.4
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.5.3
 
 ### Patch Changes
diff --git a/packages/connectors/connector-smtp/package.json b/packages/connectors/connector-smtp/package.json
index 6c7798219e0e..c21e156bcc2e 100644
--- a/packages/connectors/connector-smtp/package.json
+++ b/packages/connectors/connector-smtp/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-smtp",
-  "version": "1.5.3",
+  "version": "1.5.4",
   "description": "SMTP connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-smtp2go-email/CHANGELOG.md b/packages/connectors/connector-smtp2go-email/CHANGELOG.md
new file mode 100644
index 000000000000..de6922f6195a
--- /dev/null
+++ b/packages/connectors/connector-smtp2go-email/CHANGELOG.md
@@ -0,0 +1,15 @@
+# @logto/connector-smtp2go-email
+
+## 1.1.0
+
+### Minor Changes
+
+- e7b6e9de1: add SMTP2GO email connector for transactional auth emails via the SMTP2GO send API
+
+  Export shared SMTP mailbox parsing and formatting utilities from `@logto/connector-kit`, and adopt them in the MailJunky connector
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
diff --git a/packages/connectors/connector-smtp2go-email/package.json b/packages/connectors/connector-smtp2go-email/package.json
index a0267c2e0728..accbb9033f4b 100644
--- a/packages/connectors/connector-smtp2go-email/package.json
+++ b/packages/connectors/connector-smtp2go-email/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-smtp2go-email",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "SMTP2GO Email Service connector implementation.",
   "author": "Fabio Lorenzo <fabio.lorenzo@lomus.ch>",
   "dependencies": {
diff --git a/packages/connectors/connector-tencent-sms/CHANGELOG.md b/packages/connectors/connector-tencent-sms/CHANGELOG.md
index 6037a178be56..227d6a278545 100644
--- a/packages/connectors/connector-tencent-sms/CHANGELOG.md
+++ b/packages/connectors/connector-tencent-sms/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-tencent-sms
 
+## 1.4.4
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.4.3
 
 ### Patch Changes
diff --git a/packages/connectors/connector-tencent-sms/package.json b/packages/connectors/connector-tencent-sms/package.json
index eaad977ceee6..cbf105a7d49a 100644
--- a/packages/connectors/connector-tencent-sms/package.json
+++ b/packages/connectors/connector-tencent-sms/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-tencent-sms",
-  "version": "1.4.3",
+  "version": "1.4.4",
   "description": "Tencent SMS connector implementation.",
   "author": "StringKe",
   "dependencies": {
diff --git a/packages/connectors/connector-twilio-sms/CHANGELOG.md b/packages/connectors/connector-twilio-sms/CHANGELOG.md
index 8f75cdd960da..e7ee7b655974 100644
--- a/packages/connectors/connector-twilio-sms/CHANGELOG.md
+++ b/packages/connectors/connector-twilio-sms/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-twilio-sms
 
+## 1.4.4
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.4.3
 
 ### Patch Changes
diff --git a/packages/connectors/connector-twilio-sms/package.json b/packages/connectors/connector-twilio-sms/package.json
index cf9b90d6d64c..eadf5a06746a 100644
--- a/packages/connectors/connector-twilio-sms/package.json
+++ b/packages/connectors/connector-twilio-sms/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-twilio-sms",
-  "version": "1.4.3",
+  "version": "1.4.4",
   "description": "Twilio SMS connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-vonage-sms/CHANGELOG.md b/packages/connectors/connector-vonage-sms/CHANGELOG.md
index df211365ac20..31ef448cd59b 100644
--- a/packages/connectors/connector-vonage-sms/CHANGELOG.md
+++ b/packages/connectors/connector-vonage-sms/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-vonage-sms
 
+## 0.2.4
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 0.2.3
 
 ### Patch Changes
diff --git a/packages/connectors/connector-vonage-sms/package.json b/packages/connectors/connector-vonage-sms/package.json
index d2409efbdd4f..e0f0818fe024 100644
--- a/packages/connectors/connector-vonage-sms/package.json
+++ b/packages/connectors/connector-vonage-sms/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-vonage-sms",
-  "version": "0.2.3",
+  "version": "0.2.4",
   "description": "Vonage SMS connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-wechat-native/CHANGELOG.md b/packages/connectors/connector-wechat-native/CHANGELOG.md
index 5c9b6b7b5844..0cc5a5117d2b 100644
--- a/packages/connectors/connector-wechat-native/CHANGELOG.md
+++ b/packages/connectors/connector-wechat-native/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-wechat-native
 
+## 1.4.6
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.4.5
 
 ### Patch Changes
diff --git a/packages/connectors/connector-wechat-native/package.json b/packages/connectors/connector-wechat-native/package.json
index 98eb26a5fe4a..bc68119f429f 100644
--- a/packages/connectors/connector-wechat-native/package.json
+++ b/packages/connectors/connector-wechat-native/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-wechat-native",
-  "version": "1.4.5",
+  "version": "1.4.6",
   "description": "WeChat native connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-wechat-web/CHANGELOG.md b/packages/connectors/connector-wechat-web/CHANGELOG.md
index 8e33586a8c16..4ece1361bc56 100644
--- a/packages/connectors/connector-wechat-web/CHANGELOG.md
+++ b/packages/connectors/connector-wechat-web/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-wechat-web
 
+## 1.6.5
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.6.4
 
 ### Patch Changes
diff --git a/packages/connectors/connector-wechat-web/package.json b/packages/connectors/connector-wechat-web/package.json
index 4a73043680ff..54f504502b58 100644
--- a/packages/connectors/connector-wechat-web/package.json
+++ b/packages/connectors/connector-wechat-web/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-wechat-web",
-  "version": "1.6.4",
+  "version": "1.6.5",
   "description": "Wechat Web connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-wecom/CHANGELOG.md b/packages/connectors/connector-wecom/CHANGELOG.md
index b8d2f0a6506e..42a984f1cf85 100644
--- a/packages/connectors/connector-wecom/CHANGELOG.md
+++ b/packages/connectors/connector-wecom/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/connector-wecom
 
+## 0.6.1
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+- Updated dependencies [67b99bba85]
+  - @logto/connector-kit@5.1.0
+  - @logto/shared@3.4.1
+
 ## 0.6.0
 
 ### Minor Changes
diff --git a/packages/connectors/connector-wecom/package.json b/packages/connectors/connector-wecom/package.json
index 495dcf4f1acb..daad40d13fef 100644
--- a/packages/connectors/connector-wecom/package.json
+++ b/packages/connectors/connector-wecom/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-wecom",
-  "version": "0.6.0",
+  "version": "0.6.1",
   "description": "Wecom connector implementation.",
   "author": "Dove<dove@feegr.cc> fork from Wechat Web connector",
   "dependencies": {
diff --git a/packages/connectors/connector-whatsapp/CHANGELOG.md b/packages/connectors/connector-whatsapp/CHANGELOG.md
index 5462cf8a13e3..22c3f8b5a0f7 100644
--- a/packages/connectors/connector-whatsapp/CHANGELOG.md
+++ b/packages/connectors/connector-whatsapp/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-whatsapp-sms
 
+## 1.0.3
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.0.2
 
 ### Patch Changes
diff --git a/packages/connectors/connector-whatsapp/package.json b/packages/connectors/connector-whatsapp/package.json
index 2a3909bfa486..890d196d6e3a 100644
--- a/packages/connectors/connector-whatsapp/package.json
+++ b/packages/connectors/connector-whatsapp/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-whatsapp-sms",
-  "version": "1.0.2",
+  "version": "1.0.3",
   "description": "WhatsApp connector implementation using Meta Cloud API.",
   "author": "MrMardel",
   "dependencies": {
diff --git a/packages/connectors/connector-x/CHANGELOG.md b/packages/connectors/connector-x/CHANGELOG.md
index eaf4e02d530f..6b45b30b0c01 100644
--- a/packages/connectors/connector-x/CHANGELOG.md
+++ b/packages/connectors/connector-x/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-x
 
+## 0.4.4
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 0.4.3
 
 ### Patch Changes
diff --git a/packages/connectors/connector-x/package.json b/packages/connectors/connector-x/package.json
index db892d08c87b..7baaaa290a67 100644
--- a/packages/connectors/connector-x/package.json
+++ b/packages/connectors/connector-x/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-x",
-  "version": "0.4.3",
+  "version": "0.4.4",
   "description": "X web connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-xiaomi/CHANGELOG.md b/packages/connectors/connector-xiaomi/CHANGELOG.md
index 49da14ce5d83..493f4fa33a21 100644
--- a/packages/connectors/connector-xiaomi/CHANGELOG.md
+++ b/packages/connectors/connector-xiaomi/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-xiaomi
 
+## 1.2.5
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.2.4
 
 ### Patch Changes
diff --git a/packages/connectors/connector-xiaomi/package.json b/packages/connectors/connector-xiaomi/package.json
index 294fdf27a0fc..9d85bc7f5b98 100644
--- a/packages/connectors/connector-xiaomi/package.json
+++ b/packages/connectors/connector-xiaomi/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-xiaomi",
-  "version": "1.2.4",
+  "version": "1.2.5",
   "description": "Xiaomi web connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/connectors/connector-yunpian-sms/CHANGELOG.md b/packages/connectors/connector-yunpian-sms/CHANGELOG.md
index d0c4d5b06cd4..bc72caeafe21 100644
--- a/packages/connectors/connector-yunpian-sms/CHANGELOG.md
+++ b/packages/connectors/connector-yunpian-sms/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @logto/connector-yunpian-sms
 
+## 1.2.4
+
+### Patch Changes
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [b7386a5113]
+  - @logto/connector-kit@5.1.0
+
 ## 1.2.3
 
 ### Patch Changes
diff --git a/packages/connectors/connector-yunpian-sms/package.json b/packages/connectors/connector-yunpian-sms/package.json
index 62aee5a2eb59..1b705e548aab 100644
--- a/packages/connectors/connector-yunpian-sms/package.json
+++ b/packages/connectors/connector-yunpian-sms/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-yunpian-sms",
-  "version": "1.2.3",
+  "version": "1.2.4",
   "description": "云片网 SMS connector implementation.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "dependencies": {
diff --git a/packages/console/CHANGELOG.md b/packages/console/CHANGELOG.md
index bde9b7475c0a..10dc9413a3c1 100644
--- a/packages/console/CHANGELOG.md
+++ b/packages/console/CHANGELOG.md
@@ -1,5 +1,75 @@
 # Change Log
 
+## 1.38.0
+
+### Minor Changes
+
+- a305713bb2: expose the target organization to the access token JWT customizer for organization (API resource) tokens
+
+  When Logto issues an organization access token (a token requested with both `organization_id` and `resource`), the access token JWT customizer now receives a `context.organization` object with the target organization's `id`, `name`, `description` and `customData`. Previously the customizer was invoked with the same payload as a regular user access token and had no way to know which organization the token was being issued for — the `organization_id` claim is only injected after the customizer runs.
+
+  This lets scripts attach per-organization claims (for example mapping the Logto organization id to an internal id stored in `organization.customData`) without embedding a map of every organization the user belongs to into every token.
+
+- c7f17d6c5c: rate-limit outbound verification-code and message sends per recipient and suppress delivery to unknown recipients
+
+  Adds a mandatory, system-level per-recipient send rate limit across all email/SMS send paths (experience verification codes including MFA, the account and management verification-code APIs, `/me`, organization invitations, and the legacy interaction API), emits a `Message.RateLimited` webhook when a send is throttled, and suppresses verification-code delivery to unregistered recipients when registration is disabled to prevent account enumeration. The `Message.RateLimited` event is now selectable in the Console webhook settings.
+
+- d41082bd7d: add app-level access control for applications
+
+  Add a new application access control feature that allows administrators to restrict user access to applications. When enabled, users who do not have permission to access an application will see an access denied error message when they attempt to sign in or access the application. This feature can be configured in the Console Security settings.
+
+  Supported custom control rules include:
+
+  - User IDs
+  - User roles
+  - Organizations
+  - Organization roles
+
+  Refer to the documentation for more details: https://docs.logto.io/integrate-logto/app-level-access-control
+
+- 3d38ae2074: add account center session management
+
+  Users can now configure and use the account center Sessions page to review active sessions and connected third-party applications.
+
+- c1ff0c1142: release account center profile page, custom profile fields at sign-up, and experience/account avatar upload from dev feature gates
+
+  The collect-user-profile sign-up flow now respects the explicit `signUpProfileFields` list instead of always showing the full catalog. The account center profile page and avatar upload endpoints are no longer gated behind a dev feature flag.
+
+- bcd517bacf: add independent Account Center passkey controls for passkey sign-in
+
+  Admins can now configure passkey visibility separately from MFA in Account Center, and users can manage passkeys plus their passkey sign-in prompt preference when passkey sign-in is enabled.
+
+- c2016a044c: add a configurable per-tenant password expiration policy
+
+  Operators can enable password expiration from Console → Security → Password policy and set the number of days a password stays valid. When a password reaches the end of its valid period — or is manually expired for a specific user — the end user is forced through the forgot-password flow on their next password sign-in before they can continue. Users signing in via SSO or passkey are not affected.
+
+  - **Console**: a new "Password expiration" card with an enable toggle and a valid-period (days) input, an inline reminder when sign-up requires no contact identifier to guarantee password recovery, and a per-user "Expire password" action on the user details page.
+  - **Core / API**: the policy is stored on the sign-in experience (`passwordExpiration`) and enforced after password verification. `PATCH /api/users/:userId/password/expiration` lets admins manually expire a user's password, and deleting the last forgot-password connector is rejected while the policy is enabled.
+  - **Experience**: an expired password prompts the user to reset it via the configured recovery method before sign-in completes.
+
+  Legacy users without a recorded password-change date are anchored to the timestamp the policy was enabled, so they get a full valid period instead of being expired immediately.
+
+- c73d32b5ee: support passkeys (WebAuthn) as an MFA factor for native apps using Logto's native SDKs
+
+  Logto's native SDKs (Android and iOS) now sign users in through the system's default browser, where passkeys (WebAuthn) are available. Upgrade to Android SDK v3 or iOS SDK v2 to enable it.
+
+- 67b99bba85: add username policy management to the sign-in experience advanced options
+
+  Operators can configure the tenant username policy — case sensitivity, length bounds, and allowed character types — from Console → Sign-in experience → Sign-up and sign-in → Advanced options. Switching to case-insensitive proactively detects existing usernames that differ only by case and blocks the save until the conflicts are resolved.
+
+- eb45edbe34: allow customizing verification code settings
+
+  Admins can configure the verification code expiration duration and maximum retry attempts in Console Security settings.
+
+### Patch Changes
+
+- 92560f6b2e: fix Console username update returning 401 by redirecting to Account Center
+
+  The Account API requires identity verification for username changes, which the
+  Console profile page does not implement. Redirect username editing to the
+  Account Center's `/account/username` page (same pattern as MFA) where the full
+  verification flow is already implemented.
+
 ## 1.37.0
 
 ### Minor Changes
diff --git a/packages/console/package.json b/packages/console/package.json
index 08f625b33fb6..0ca9b1153428 100644
--- a/packages/console/package.json
+++ b/packages/console/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/console",
-  "version": "1.37.0",
+  "version": "1.38.0",
   "description": "> TODO: description",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "homepage": "https://github.com/logto-io/logto#readme",
diff --git a/packages/core/CHANGELOG.md b/packages/core/CHANGELOG.md
index 28f23287ae2a..22358e4879e2 100644
--- a/packages/core/CHANGELOG.md
+++ b/packages/core/CHANGELOG.md
@@ -1,5 +1,132 @@
 # Change Log
 
+## 1.41.0
+
+### Minor Changes
+
+- a923dcbdc: Make `POST /api/applications/:applicationId/roles` idempotent: role IDs already attached to the application are silently ignored instead of causing the request to fail with `422 application.role_exists`. The response is now `201` with body `{ roleIds, addedRoleIds }`, matching the response shape of `POST /api/users/:userId/roles`.
+
+  Closes #8900.
+
+- a305713bb2: expose the target organization to the access token JWT customizer for organization (API resource) tokens
+
+  When Logto issues an organization access token (a token requested with both `organization_id` and `resource`), the access token JWT customizer now receives a `context.organization` object with the target organization's `id`, `name`, `description` and `customData`. Previously the customizer was invoked with the same payload as a regular user access token and had no way to know which organization the token was being issued for — the `organization_id` claim is only injected after the customizer runs.
+
+  This lets scripts attach per-organization claims (for example mapping the Logto organization id to an internal id stored in `organization.customData`) without embedding a map of every organization the user belongs to into every token.
+
+- c7f17d6c5c: rate-limit outbound verification-code and message sends per recipient and suppress delivery to unknown recipients
+
+  Adds a mandatory, system-level per-recipient send rate limit across all email/SMS send paths (experience verification codes including MFA, the account and management verification-code APIs, `/me`, organization invitations, and the legacy interaction API), emits a `Message.RateLimited` webhook when a send is throttled, and suppresses verification-code delivery to unregistered recipients when registration is disabled to prevent account enumeration. The `Message.RateLimited` event is now selectable in the Console webhook settings.
+
+- d41082bd7d: add app-level access control for applications
+
+  Add a new application access control feature that allows administrators to restrict user access to applications. When enabled, users who do not have permission to access an application will see an access denied error message when they attempt to sign in or access the application. This feature can be configured in the Console Security settings.
+
+  Supported custom control rules include:
+
+  - User IDs
+  - User roles
+  - Organizations
+  - Organization roles
+
+  Refer to the documentation for more details: https://docs.logto.io/integrate-logto/app-level-access-control
+
+- c1ff0c1142: release account center profile page, custom profile fields at sign-up, and experience/account avatar upload from dev feature gates
+
+  The collect-user-profile sign-up flow now respects the explicit `signUpProfileFields` list instead of always showing the full catalog. The account center profile page and avatar upload endpoints are no longer gated behind a dev feature flag.
+
+- bcd517bacf: add independent Account Center passkey controls for passkey sign-in
+
+  Admins can now configure passkey visibility separately from MFA in Account Center, and users can manage passkeys plus their passkey sign-in prompt preference when passkey sign-in is enabled.
+
+- c2016a044c: add a configurable per-tenant password expiration policy
+
+  Operators can enable password expiration from Console → Security → Password policy and set the number of days a password stays valid. When a password reaches the end of its valid period — or is manually expired for a specific user — the end user is forced through the forgot-password flow on their next password sign-in before they can continue. Users signing in via SSO or passkey are not affected.
+
+  - **Console**: a new "Password expiration" card with an enable toggle and a valid-period (days) input, an inline reminder when sign-up requires no contact identifier to guarantee password recovery, and a per-user "Expire password" action on the user details page.
+  - **Core / API**: the policy is stored on the sign-in experience (`passwordExpiration`) and enforced after password verification. `PATCH /api/users/:userId/password/expiration` lets admins manually expire a user's password, and deleting the last forgot-password connector is rejected while the policy is enabled.
+  - **Experience**: an expired password prompts the user to reset it via the configured recovery method before sign-in completes.
+
+  Legacy users without a recorded password-change date are anchored to the timestamp the policy was enabled, so they get a full valid period instead of being expired immediately.
+
+- 67b99bba85: add per-tenant username policy enforcement and mirror preferred_username from username by default
+
+  The sign-in experience now stores a per-tenant username policy (case sensitivity, length bounds, and allowed character types) that is enforced on end-user username writes: experience sign-up and profile fulfillment, the account API, and `/me`. Admin (Management API) writes keep the always-on baseline rules only.
+
+  Switching usernames to case-insensitive is guarded: `PATCH /api/sign-in-exp` is rejected with a 409 while usernames that differ only by case exist, and the new `GET /api/sign-in-exp/username-policy/case-sensitivity-conflicts` endpoint reports such conflicts.
+
+  For deployments using the legacy `CASE_SENSITIVE_USERNAME` environment variable: the effective case sensitivity is the per-tenant policy AND-combined with the env var, so usernames are treated case-insensitively if either is false. Existing `CASE_SENSITIVE_USERNAME=false` setups keep their behavior — the env var acts as a runtime override that forces case-insensitive handling for every tenant, and the per-tenant policy cannot re-enable case sensitivity while it is set. The env var is deprecated and slated for removal in the next major; migrate by unsetting it and configuring `usernamePolicy.caseSensitive` per tenant instead.
+
+  The OIDC `preferred_username` claim now falls back to the user's `username` when `profile.preferredUsername` is unset, so standards-compliant clients receive a usable value out of the box.
+
+- eb45edbe34: allow customizing verification code settings
+
+  Admins can configure the verification code expiration duration and maximum retry attempts in Console Security settings.
+
+### Patch Changes
+
+- 413b7ec1a7: map custom UI asset Azure Blob transport failures to retryable storage download errors
+- 209fa0a5cb: escape HTML attribute values in the SAML IdP auto-submit form
+
+  When Logto acts as a SAML IdP, the auto-submit form posted to the SP's ACS interpolated `SAMLResponse`, `RelayState` and the action URL into HTML attributes without escaping. If a value contained a double quote, the browser truncated the attribute at that quote.
+
+  This broke SPs that send a JSON string as `RelayState`: the SP received only `{` instead of the full value, losing the post-login context. The values are now HTML-escaped, so quotes and other markup characters round-trip intact (this also closes a reflected-markup injection vector in the interstitial page).
+
+  In addition, the form action URL is now restricted to the `http`/`https` schemes before rendering. Escaping the attribute value alone does not neutralize a scriptable scheme such as `javascript:`, which the browser would execute on submission, so such URLs are now rejected.
+
+- 37999f7fce: fix a flash of built-in styles on the hosted sign-in experience when custom CSS is configured
+
+  Custom CSS was injected on the client via react-helmet, which mutates `<head>` asynchronously after the page had already painted with the built-in styles. The server-rendered experience HTML now inlines the configured custom CSS into `<head>`, so it is part of the cascade on the first paint. The `</style>` sequence in custom CSS is escaped so it cannot terminate the style element early, and the SSR data embedded in the inline `<script>` is now serialized with HTML-significant characters escaped to prevent script breakout.
+
+- 9de40208e2: fix identifier-lockout sentinel misfiring because `count(*)` was treated as a string
+
+  Postgres returns `count(*)` as a bigint that Slonik surfaces as a string. The sentinel added `1` to this value to decide whether to lock an identifier, so `'10' + 1` evaluated to `'101'` and the failed-attempt threshold (default 100) tripped far too early — roughly at 10 failed attempts. The count is now coerced to a number so the threshold is compared numerically.
+
+- 5b5005db0d: fix custom UI asset upload timeout caused by Azure blob existence checks
+- 9847dfd134: fix one-time token consent handling for switch-account sign-in flows
+- c98403862a: reject null bytes in OIDC request bodies and strip them from audit logs so malformed input returns a clean 400 instead of a 500
+
+  A null byte (`U+0000`) in an `application/x-www-form-urlencoded` body sent to `/oidc/token` previously surfaced as a `500 Internal Server Error`. The actual cause was the audit log insert: PostgreSQL rejects null bytes in `jsonb` (error `22P05`), and because the insert runs in a `finally` block, that failure masked the original clean error. The OIDC body parser now rejects null bytes with a `400 invalid_request`, and audit log payloads are sanitized of null bytes before insert as defense in depth.
+
+  Closes #8990.
+
+- 72820ac41e: prevent theme flash in sign-in experience and account center
+
+  Sign-in experience and account center now apply tenant theme, platform, and brand color before the app hydrates, reducing flashes of the wrong theme during initial page load.
+
+- 17c52384b: allow linking social identities in account center without password, email, or phone when the user has no legacy security verification methods
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [413b7ec1a7]
+- Updated dependencies [92560f6b2e]
+- Updated dependencies [a305713bb2]
+- Updated dependencies [c7f17d6c5c]
+- Updated dependencies [d41082bd7d]
+- Updated dependencies [3d38ae2074]
+- Updated dependencies [c1ff0c1142]
+- Updated dependencies [bcd517bacf]
+- Updated dependencies [c2016a044c]
+- Updated dependencies [72820ac41e]
+- Updated dependencies [c73d32b5ee]
+- Updated dependencies [b7386a5113]
+- Updated dependencies [67b99bba85]
+- Updated dependencies [67b99bba85]
+- Updated dependencies [e1fadfb1a]
+- Updated dependencies [67b99bba85]
+- Updated dependencies [a88413689]
+- Updated dependencies [eb45edbe34]
+  - @logto/connector-kit@5.1.0
+  - @logto/phrases@1.29.0
+  - @logto/console@1.38.0
+  - @logto/schemas@1.41.0
+  - @logto/experience@1.20.0
+  - @logto/phrases-experience@1.14.0
+  - @logto/account@0.5.0
+  - @logto/core-kit@2.11.0
+  - @logto/shared@3.4.1
+  - @logto/cli@1.41.0
+  - @logto/demo-app@1.5.0
+  - @logto/device-demo-app@0.1.0
+
 ## 1.40.1
 
 ### Patch Changes
diff --git a/packages/core/package.json b/packages/core/package.json
index 807877d0a01a..2fd7c1c91098 100644
--- a/packages/core/package.json
+++ b/packages/core/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/core",
-  "version": "1.40.1",
+  "version": "1.41.0",
   "description": "The open source identity solution.",
   "main": "build/index.js",
   "author": "Silverhand Inc. <contact@silverhand.io>",
diff --git a/packages/create/CHANGELOG.md b/packages/create/CHANGELOG.md
index 374d6eff3720..8c7551f4419e 100644
--- a/packages/create/CHANGELOG.md
+++ b/packages/create/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Change Log
 
+## 1.41.0
+
+### Patch Changes
+
+- @logto/cli@1.41.0
+
 ## 1.40.1
 
 ### Patch Changes
diff --git a/packages/create/package.json b/packages/create/package.json
index 757790cbde20..2cb596e1a643 100644
--- a/packages/create/package.json
+++ b/packages/create/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/create",
-  "version": "1.40.1",
+  "version": "1.41.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",
@@ -15,6 +15,6 @@
     "node": "^22.14.0"
   },
   "dependencies": {
-    "@logto/cli": "workspace:^1.40.1"
+    "@logto/cli": "workspace:^1.41.0"
   }
 }
diff --git a/packages/experience/CHANGELOG.md b/packages/experience/CHANGELOG.md
index ca9277d06b33..b410308b2751 100644
--- a/packages/experience/CHANGELOG.md
+++ b/packages/experience/CHANGELOG.md
@@ -1,5 +1,42 @@
 # Change Log
 
+## 1.20.0
+
+### Minor Changes
+
+- d41082bd7d: add app-level access control for applications
+
+  Add a new application access control feature that allows administrators to restrict user access to applications. When enabled, users who do not have permission to access an application will see an access denied error message when they attempt to sign in or access the application. This feature can be configured in the Console Security settings.
+
+  Supported custom control rules include:
+
+  - User IDs
+  - User roles
+  - Organizations
+  - Organization roles
+
+  Refer to the documentation for more details: https://docs.logto.io/integrate-logto/app-level-access-control
+
+- c2016a044c: add a configurable per-tenant password expiration policy
+
+  Operators can enable password expiration from Console → Security → Password policy and set the number of days a password stays valid. When a password reaches the end of its valid period — or is manually expired for a specific user — the end user is forced through the forgot-password flow on their next password sign-in before they can continue. Users signing in via SSO or passkey are not affected.
+
+  - **Console**: a new "Password expiration" card with an enable toggle and a valid-period (days) input, an inline reminder when sign-up requires no contact identifier to guarantee password recovery, and a per-user "Expire password" action on the user details page.
+  - **Core / API**: the policy is stored on the sign-in experience (`passwordExpiration`) and enforced after password verification. `PATCH /api/users/:userId/password/expiration` lets admins manually expire a user's password, and deleting the last forgot-password connector is rejected while the policy is enabled.
+  - **Experience**: an expired password prompts the user to reset it via the configured recovery method before sign-in completes.
+
+  Legacy users without a recorded password-change date are anchored to the timestamp the policy was enabled, so they get a full valid period instead of being expired immediately.
+
+- 67b99bba85: apply the tenant username policy in sign-in experience and account center username forms
+
+  Usernames entered during sign-up, profile fulfillment, and account center editing are validated against the tenant username policy with localized inline errors. The dedicated username pages (continue flow and account center) state the policy requirements in their page description, and the sign-up identifier form surfaces the full requirements sentence when an entered username violates the policy.
+
+### Patch Changes
+
+- 72820ac41e: prevent theme flash in sign-in experience and account center
+
+  Sign-in experience and account center now apply tenant theme, platform, and brand color before the app hydrates, reducing flashes of the wrong theme during initial page load.
+
 ## 1.19.2
 
 ### Patch Changes
diff --git a/packages/experience/package.json b/packages/experience/package.json
index bb01ec24b2a7..2a1c6a839050 100644
--- a/packages/experience/package.json
+++ b/packages/experience/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/experience",
-  "version": "1.19.2",
+  "version": "1.20.0",
   "license": "MPL-2.0",
   "type": "module",
   "private": true,
diff --git a/packages/integration-tests/CHANGELOG.md b/packages/integration-tests/CHANGELOG.md
index 826c919ecd21..379930d63bf4 100644
--- a/packages/integration-tests/CHANGELOG.md
+++ b/packages/integration-tests/CHANGELOG.md
@@ -1,5 +1,26 @@
 # Change Log
 
+## 1.22.0
+
+### Minor Changes
+
+- d41082bd7d: add app-level access control for applications
+
+  Add a new application access control feature that allows administrators to restrict user access to applications. When enabled, users who do not have permission to access an application will see an access denied error message when they attempt to sign in or access the application. This feature can be configured in the Console Security settings.
+
+  Supported custom control rules include:
+
+  - User IDs
+  - User roles
+  - Organizations
+  - Organization roles
+
+  Refer to the documentation for more details: https://docs.logto.io/integrate-logto/app-level-access-control
+
+### Patch Changes
+
+- 9847dfd134: fix one-time token consent handling for switch-account sign-in flows
+
 ## 1.21.0
 
 ### Minor Changes
diff --git a/packages/integration-tests/package.json b/packages/integration-tests/package.json
index af87e1da421c..d1ab02994857 100644
--- a/packages/integration-tests/package.json
+++ b/packages/integration-tests/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/integration-tests",
-  "version": "1.21.0",
+  "version": "1.22.0",
   "description": "Integration tests for Logto.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
diff --git a/packages/phrases-experience/CHANGELOG.md b/packages/phrases-experience/CHANGELOG.md
index a1825adb7c6f..5d300bc8a58c 100644
--- a/packages/phrases-experience/CHANGELOG.md
+++ b/packages/phrases-experience/CHANGELOG.md
@@ -1,5 +1,42 @@
 # Change Log
 
+## 1.14.0
+
+### Minor Changes
+
+- d41082bd7d: add app-level access control for applications
+
+  Add a new application access control feature that allows administrators to restrict user access to applications. When enabled, users who do not have permission to access an application will see an access denied error message when they attempt to sign in or access the application. This feature can be configured in the Console Security settings.
+
+  Supported custom control rules include:
+
+  - User IDs
+  - User roles
+  - Organizations
+  - Organization roles
+
+  Refer to the documentation for more details: https://docs.logto.io/integrate-logto/app-level-access-control
+
+- c2016a044c: add a configurable per-tenant password expiration policy
+
+  Operators can enable password expiration from Console → Security → Password policy and set the number of days a password stays valid. When a password reaches the end of its valid period — or is manually expired for a specific user — the end user is forced through the forgot-password flow on their next password sign-in before they can continue. Users signing in via SSO or passkey are not affected.
+
+  - **Console**: a new "Password expiration" card with an enable toggle and a valid-period (days) input, an inline reminder when sign-up requires no contact identifier to guarantee password recovery, and a per-user "Expire password" action on the user details page.
+  - **Core / API**: the policy is stored on the sign-in experience (`passwordExpiration`) and enforced after password verification. `PATCH /api/users/:userId/password/expiration` lets admins manually expire a user's password, and deleting the last forgot-password connector is rejected while the policy is enabled.
+  - **Experience**: an expired password prompts the user to reset it via the configured recovery method before sign-in completes.
+
+  Legacy users without a recorded password-change date are anchored to the timestamp the policy was enabled, so they get a full valid period instead of being expired immediately.
+
+- 67b99bba85: apply the tenant username policy in sign-in experience and account center username forms
+
+  Usernames entered during sign-up, profile fulfillment, and account center editing are validated against the tenant username policy with localized inline errors. The dedicated username pages (continue flow and account center) state the policy requirements in their page description, and the sign-up identifier form surfaces the full requirements sentence when an entered username violates the policy.
+
+### Patch Changes
+
+- Updated dependencies [e1fadfb1a]
+- Updated dependencies [a88413689]
+  - @logto/core-kit@2.11.0
+
 ## 1.13.3
 
 ### Patch Changes
diff --git a/packages/phrases-experience/package.json b/packages/phrases-experience/package.json
index 747d8d080f13..2e0c4ab41db6 100644
--- a/packages/phrases-experience/package.json
+++ b/packages/phrases-experience/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/phrases-experience",
-  "version": "1.13.3",
+  "version": "1.14.0",
   "description": "Logto shared phrases (i18n) for experience.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "homepage": "https://github.com/logto-io/logto#readme",
diff --git a/packages/phrases/CHANGELOG.md b/packages/phrases/CHANGELOG.md
index 5c68d4190a9a..3680a7285383 100644
--- a/packages/phrases/CHANGELOG.md
+++ b/packages/phrases/CHANGELOG.md
@@ -1,5 +1,44 @@
 # Change Log
 
+## 1.29.0
+
+### Minor Changes
+
+- d41082bd7d: add app-level access control for applications
+
+  Add a new application access control feature that allows administrators to restrict user access to applications. When enabled, users who do not have permission to access an application will see an access denied error message when they attempt to sign in or access the application. This feature can be configured in the Console Security settings.
+
+  Supported custom control rules include:
+
+  - User IDs
+  - User roles
+  - Organizations
+  - Organization roles
+
+  Refer to the documentation for more details: https://docs.logto.io/integrate-logto/app-level-access-control
+
+- c2016a044c: add a configurable per-tenant password expiration policy
+
+  Operators can enable password expiration from Console → Security → Password policy and set the number of days a password stays valid. When a password reaches the end of its valid period — or is manually expired for a specific user — the end user is forced through the forgot-password flow on their next password sign-in before they can continue. Users signing in via SSO or passkey are not affected.
+
+  - **Console**: a new "Password expiration" card with an enable toggle and a valid-period (days) input, an inline reminder when sign-up requires no contact identifier to guarantee password recovery, and a per-user "Expire password" action on the user details page.
+  - **Core / API**: the policy is stored on the sign-in experience (`passwordExpiration`) and enforced after password verification. `PATCH /api/users/:userId/password/expiration` lets admins manually expire a user's password, and deleting the last forgot-password connector is rejected while the policy is enabled.
+  - **Experience**: an expired password prompts the user to reset it via the configured recovery method before sign-in completes.
+
+  Legacy users without a recorded password-change date are anchored to the timestamp the policy was enabled, so they get a full valid period instead of being expired immediately.
+
+- c73d32b5ee: support passkeys (WebAuthn) as an MFA factor for native apps using Logto's native SDKs
+
+  Logto's native SDKs (Android and iOS) now sign users in through the system's default browser, where passkeys (WebAuthn) are available. Upgrade to Android SDK v3 or iOS SDK v2 to enable it.
+
+- 67b99bba85: add username policy management to the sign-in experience advanced options
+
+  Operators can configure the tenant username policy — case sensitivity, length bounds, and allowed character types — from Console → Sign-in experience → Sign-up and sign-in → Advanced options. Switching to case-insensitive proactively detects existing usernames that differ only by case and blocks the save until the conflicts are resolved.
+
+### Patch Changes
+
+- 413b7ec1a7: map custom UI asset Azure Blob transport failures to retryable storage download errors
+
 ## 1.28.0
 
 ### Minor Changes
diff --git a/packages/phrases/package.json b/packages/phrases/package.json
index 91972ae521a0..65fa1835a97c 100644
--- a/packages/phrases/package.json
+++ b/packages/phrases/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/phrases",
-  "version": "1.28.0",
+  "version": "1.29.0",
   "description": "Logto shared phrases (i18n).",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "homepage": "https://github.com/logto-io/logto#readme",
diff --git a/packages/schemas/CHANGELOG.md b/packages/schemas/CHANGELOG.md
index 60be7b2ccca0..cf2781b7c1a5 100644
--- a/packages/schemas/CHANGELOG.md
+++ b/packages/schemas/CHANGELOG.md
@@ -1,5 +1,79 @@
 # Change Log
 
+## 1.41.0
+
+### Minor Changes
+
+- a305713bb2: expose the target organization to the access token JWT customizer for organization (API resource) tokens
+
+  When Logto issues an organization access token (a token requested with both `organization_id` and `resource`), the access token JWT customizer now receives a `context.organization` object with the target organization's `id`, `name`, `description` and `customData`. Previously the customizer was invoked with the same payload as a regular user access token and had no way to know which organization the token was being issued for — the `organization_id` claim is only injected after the customizer runs.
+
+  This lets scripts attach per-organization claims (for example mapping the Logto organization id to an internal id stored in `organization.customData`) without embedding a map of every organization the user belongs to into every token.
+
+- c7f17d6c5c: rate-limit outbound verification-code and message sends per recipient and suppress delivery to unknown recipients
+
+  Adds a mandatory, system-level per-recipient send rate limit across all email/SMS send paths (experience verification codes including MFA, the account and management verification-code APIs, `/me`, organization invitations, and the legacy interaction API), emits a `Message.RateLimited` webhook when a send is throttled, and suppresses verification-code delivery to unregistered recipients when registration is disabled to prevent account enumeration. The `Message.RateLimited` event is now selectable in the Console webhook settings.
+
+- d41082bd7d: add app-level access control for applications
+
+  Add a new application access control feature that allows administrators to restrict user access to applications. When enabled, users who do not have permission to access an application will see an access denied error message when they attempt to sign in or access the application. This feature can be configured in the Console Security settings.
+
+  Supported custom control rules include:
+
+  - User IDs
+  - User roles
+  - Organizations
+  - Organization roles
+
+  Refer to the documentation for more details: https://docs.logto.io/integrate-logto/app-level-access-control
+
+- c2016a044c: add a configurable per-tenant password expiration policy
+
+  Operators can enable password expiration from Console → Security → Password policy and set the number of days a password stays valid. When a password reaches the end of its valid period — or is manually expired for a specific user — the end user is forced through the forgot-password flow on their next password sign-in before they can continue. Users signing in via SSO or passkey are not affected.
+
+  - **Console**: a new "Password expiration" card with an enable toggle and a valid-period (days) input, an inline reminder when sign-up requires no contact identifier to guarantee password recovery, and a per-user "Expire password" action on the user details page.
+  - **Core / API**: the policy is stored on the sign-in experience (`passwordExpiration`) and enforced after password verification. `PATCH /api/users/:userId/password/expiration` lets admins manually expire a user's password, and deleting the last forgot-password connector is rejected while the policy is enabled.
+  - **Experience**: an expired password prompts the user to reset it via the configured recovery method before sign-in completes.
+
+  Legacy users without a recorded password-change date are anchored to the timestamp the policy was enabled, so they get a full valid period instead of being expired immediately.
+
+- 67b99bba85: add per-tenant username policy enforcement and mirror preferred_username from username by default
+
+  The sign-in experience now stores a per-tenant username policy (case sensitivity, length bounds, and allowed character types) that is enforced on end-user username writes: experience sign-up and profile fulfillment, the account API, and `/me`. Admin (Management API) writes keep the always-on baseline rules only.
+
+  Switching usernames to case-insensitive is guarded: `PATCH /api/sign-in-exp` is rejected with a 409 while usernames that differ only by case exist, and the new `GET /api/sign-in-exp/username-policy/case-sensitivity-conflicts` endpoint reports such conflicts.
+
+  For deployments using the legacy `CASE_SENSITIVE_USERNAME` environment variable: the effective case sensitivity is the per-tenant policy AND-combined with the env var, so usernames are treated case-insensitively if either is false. Existing `CASE_SENSITIVE_USERNAME=false` setups keep their behavior — the env var acts as a runtime override that forces case-insensitive handling for every tenant, and the per-tenant policy cannot re-enable case sensitivity while it is set. The env var is deprecated and slated for removal in the next major; migrate by unsetting it and configuring `usernamePolicy.caseSensitive` per tenant instead.
+
+  The OIDC `preferred_username` claim now falls back to the user's `username` when `profile.preferredUsername` is unset, so standards-compliant clients receive a usable value out of the box.
+
+- eb45edbe34: allow customizing verification code settings
+
+  Admins can configure the verification code expiration duration and maximum retry attempts in Console Security settings.
+
+### Patch Changes
+
+- 72820ac41e: prevent theme flash in sign-in experience and account center
+
+  Sign-in experience and account center now apply tenant theme, platform, and brand color before the app hydrates, reducing flashes of the wrong theme during initial page load.
+
+- Updated dependencies [e7b6e9de1]
+- Updated dependencies [413b7ec1a7]
+- Updated dependencies [d41082bd7d]
+- Updated dependencies [c2016a044c]
+- Updated dependencies [c73d32b5ee]
+- Updated dependencies [b7386a5113]
+- Updated dependencies [67b99bba85]
+- Updated dependencies [67b99bba85]
+- Updated dependencies [e1fadfb1a]
+- Updated dependencies [67b99bba85]
+- Updated dependencies [a88413689]
+  - @logto/connector-kit@5.1.0
+  - @logto/phrases@1.29.0
+  - @logto/phrases-experience@1.14.0
+  - @logto/core-kit@2.11.0
+  - @logto/shared@3.4.1
+
 ## 1.40.1
 
 ### Patch Changes
diff --git a/packages/schemas/alterations/next-1779864280-add-password-expiration-policy.ts b/packages/schemas/alterations/1.41.0-1779864280-add-password-expiration-policy.ts
similarity index 100%
rename from packages/schemas/alterations/next-1779864280-add-password-expiration-policy.ts
rename to packages/schemas/alterations/1.41.0-1779864280-add-password-expiration-policy.ts
diff --git a/packages/schemas/alterations/next-1779864281-add-is-password-expired-to-users.ts b/packages/schemas/alterations/1.41.0-1779864281-add-is-password-expired-to-users.ts
similarity index 100%
rename from packages/schemas/alterations/next-1779864281-add-is-password-expired-to-users.ts
rename to packages/schemas/alterations/1.41.0-1779864281-add-is-password-expired-to-users.ts
diff --git a/packages/schemas/alterations/next-1780358400-drop-oidc-model-instances-legacy-grant-id-index.ts b/packages/schemas/alterations/1.41.0-1780358400-drop-oidc-model-instances-legacy-grant-id-index.ts
similarity index 100%
rename from packages/schemas/alterations/next-1780358400-drop-oidc-model-instances-legacy-grant-id-index.ts
rename to packages/schemas/alterations/1.41.0-1780358400-drop-oidc-model-instances-legacy-grant-id-index.ts
diff --git a/packages/schemas/alterations/next-1780381219-add-username-policy.ts b/packages/schemas/alterations/1.41.0-1780381219-add-username-policy.ts
similarity index 100%
rename from packages/schemas/alterations/next-1780381219-add-username-policy.ts
rename to packages/schemas/alterations/1.41.0-1780381219-add-username-policy.ts
diff --git a/packages/schemas/alterations/next-1780643665-set-sign-up-profile-fields-default.ts b/packages/schemas/alterations/1.41.0-1780643665-set-sign-up-profile-fields-default.ts
similarity index 100%
rename from packages/schemas/alterations/next-1780643665-set-sign-up-profile-fields-default.ts
rename to packages/schemas/alterations/1.41.0-1780643665-set-sign-up-profile-fields-default.ts
diff --git a/packages/schemas/alterations/next-1780906060-add-verification-code-policy.ts b/packages/schemas/alterations/1.41.0-1780906060-add-verification-code-policy.ts
similarity index 100%
rename from packages/schemas/alterations/next-1780906060-add-verification-code-policy.ts
rename to packages/schemas/alterations/1.41.0-1780906060-add-verification-code-policy.ts
diff --git a/packages/schemas/alterations/next-1781689400-add-sentinel-activities-created-at-index.ts b/packages/schemas/alterations/1.41.0-1781689400-add-sentinel-activities-created-at-index.ts
similarity index 100%
rename from packages/schemas/alterations/next-1781689400-add-sentinel-activities-created-at-index.ts
rename to packages/schemas/alterations/1.41.0-1781689400-add-sentinel-activities-created-at-index.ts
diff --git a/packages/schemas/alterations/next-1782354362-set-admin-account-center-profile-fields.ts b/packages/schemas/alterations/1.41.0-1782354362-set-admin-account-center-profile-fields.ts
similarity index 100%
rename from packages/schemas/alterations/next-1782354362-set-admin-account-center-profile-fields.ts
rename to packages/schemas/alterations/1.41.0-1782354362-set-admin-account-center-profile-fields.ts
diff --git a/packages/schemas/alterations/next-1782375106-cover-service-logs-tenant-type-index-with-created-at.ts b/packages/schemas/alterations/1.41.0-1782375106-cover-service-logs-tenant-type-index-with-created-at.ts
similarity index 100%
rename from packages/schemas/alterations/next-1782375106-cover-service-logs-tenant-type-index-with-created-at.ts
rename to packages/schemas/alterations/1.41.0-1782375106-cover-service-logs-tenant-type-index-with-created-at.ts
diff --git a/packages/schemas/package.json b/packages/schemas/package.json
index 1bcfe42268f6..9944b47582a9 100644
--- a/packages/schemas/package.json
+++ b/packages/schemas/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/schemas",
-  "version": "1.40.1",
+  "version": "1.41.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",
diff --git a/packages/shared/CHANGELOG.md b/packages/shared/CHANGELOG.md
index ef7df5b472da..8e808cf91a4a 100644
--- a/packages/shared/CHANGELOG.md
+++ b/packages/shared/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Change Log
 
+## 3.4.1
+
+### Patch Changes
+
+- 67b99bba85: add per-tenant username policy enforcement and mirror preferred_username from username by default
+
+  The sign-in experience now stores a per-tenant username policy (case sensitivity, length bounds, and allowed character types) that is enforced on end-user username writes: experience sign-up and profile fulfillment, the account API, and `/me`. Admin (Management API) writes keep the always-on baseline rules only.
+
+  Switching usernames to case-insensitive is guarded: `PATCH /api/sign-in-exp` is rejected with a 409 while usernames that differ only by case exist, and the new `GET /api/sign-in-exp/username-policy/case-sensitivity-conflicts` endpoint reports such conflicts.
+
+  For deployments using the legacy `CASE_SENSITIVE_USERNAME` environment variable: the effective case sensitivity is the per-tenant policy AND-combined with the env var, so usernames are treated case-insensitively if either is false. Existing `CASE_SENSITIVE_USERNAME=false` setups keep their behavior — the env var acts as a runtime override that forces case-insensitive handling for every tenant, and the per-tenant policy cannot re-enable case sensitivity while it is set. The env var is deprecated and slated for removal in the next major; migrate by unsetting it and configuring `usernamePolicy.caseSensitive` per tenant instead.
+
+  The OIDC `preferred_username` claim now falls back to the user's `username` when `profile.preferredUsername` is unset, so standards-compliant clients receive a usable value out of the box.
+
 ## 3.4.0
 
 ### Minor Changes
diff --git a/packages/shared/package.json b/packages/shared/package.json
index aa01d7af691b..f86c5b140e05 100644
--- a/packages/shared/package.json
+++ b/packages/shared/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/shared",
-  "version": "3.4.0",
+  "version": "3.4.1",
   "main": "lib/index.js",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
diff --git a/packages/toolkit/connector-kit/CHANGELOG.md b/packages/toolkit/connector-kit/CHANGELOG.md
index 1de99e999850..f617f56c118c 100644
--- a/packages/toolkit/connector-kit/CHANGELOG.md
+++ b/packages/toolkit/connector-kit/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Change Log
 
+## 5.1.0
+
+### Minor Changes
+
+- e7b6e9de1: add SMTP2GO email connector for transactional auth emails via the SMTP2GO send API
+
+  Export shared SMTP mailbox parsing and formatting utilities from `@logto/connector-kit`, and adopt them in the MailJunky connector
+
+### Patch Changes
+
+- b7386a5113: fix a runtime crash on iOS 15 and older Safari when loading the experience or demo apps
+
+  `urlRegEx` used a lookbehind assertion (`(?<![\w.])`), which Safari < 16.4 cannot parse. Because the regex is a top-level literal bundled into the experience app, loading the app threw `SyntaxError: Invalid regular expression: invalid group specifier name` before any code ran. The boundary now uses a `(?:^|[^\w.])` group, which is behaviorally equivalent for `.test()` and parses on all supported browsers.
+
 ## 5.0.1
 
 ### Patch Changes
diff --git a/packages/toolkit/connector-kit/package.json b/packages/toolkit/connector-kit/package.json
index f173558c491a..7896938e200c 100644
--- a/packages/toolkit/connector-kit/package.json
+++ b/packages/toolkit/connector-kit/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/connector-kit",
-  "version": "5.0.1",
+  "version": "5.1.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "homepage": "https://github.com/logto-io/toolkit#readme",
   "repository": {
diff --git a/packages/toolkit/core-kit/CHANGELOG.md b/packages/toolkit/core-kit/CHANGELOG.md
index 35a9bcb16a9b..4e45f5d96e36 100644
--- a/packages/toolkit/core-kit/CHANGELOG.md
+++ b/packages/toolkit/core-kit/CHANGELOG.md
@@ -1,5 +1,17 @@
 # Change Log
 
+## 2.11.0
+
+### Minor Changes
+
+- e1fadfb1a: add a shared username policy type, Zod guard, and default value
+- a88413689: add a shared username policy validator
+
+### Patch Changes
+
+- Updated dependencies [67b99bba85]
+  - @logto/shared@3.4.1
+
 ## 2.10.0
 
 ### Minor Changes
diff --git a/packages/toolkit/core-kit/package.json b/packages/toolkit/core-kit/package.json
index 570faad779da..0893d1b66439 100644
--- a/packages/toolkit/core-kit/package.json
+++ b/packages/toolkit/core-kit/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/core-kit",
-  "version": "2.10.0",
+  "version": "2.11.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "homepage": "https://github.com/logto-io/toolkit#readme",
   "repository": {
diff --git a/packages/translate/CHANGELOG.md b/packages/translate/CHANGELOG.md
index 8f474988f8b9..25360d392717 100644
--- a/packages/translate/CHANGELOG.md
+++ b/packages/translate/CHANGELOG.md
@@ -1,5 +1,23 @@
 # @logto/translate
 
+## 0.2.15
+
+### Patch Changes
+
+- Updated dependencies [413b7ec1a7]
+- Updated dependencies [d41082bd7d]
+- Updated dependencies [c2016a044c]
+- Updated dependencies [c73d32b5ee]
+- Updated dependencies [67b99bba85]
+- Updated dependencies [67b99bba85]
+- Updated dependencies [e1fadfb1a]
+- Updated dependencies [67b99bba85]
+- Updated dependencies [a88413689]
+  - @logto/phrases@1.29.0
+  - @logto/phrases-experience@1.14.0
+  - @logto/core-kit@2.11.0
+  - @logto/shared@3.4.1
+
 ## 0.2.14
 
 ### Patch Changes
diff --git a/packages/translate/package.json b/packages/translate/package.json
index e122bb26ceb2..c78f3f3d0b00 100644
--- a/packages/translate/package.json
+++ b/packages/translate/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/translate",
-  "version": "0.2.14",
+  "version": "0.2.15",
   "description": "A CLI tool that helps translate phrases and experience-phrases to i18n resources.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "homepage": "https://github.com/logto-io/logto#readme",
diff --git a/packages/tunnel/CHANGELOG.md b/packages/tunnel/CHANGELOG.md
index 2ad525117f0d..55280d5031ca 100644
--- a/packages/tunnel/CHANGELOG.md
+++ b/packages/tunnel/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @logto/tunnel
 
+## 0.3.9
+
+### Patch Changes
+
+- Updated dependencies [e1fadfb1a]
+- Updated dependencies [67b99bba85]
+- Updated dependencies [a88413689]
+  - @logto/core-kit@2.11.0
+  - @logto/shared@3.4.1
+
 ## 0.3.8
 
 ### Patch Changes
diff --git a/packages/tunnel/package.json b/packages/tunnel/package.json
index 87f502960d17..28a5c8abf87b 100644
--- a/packages/tunnel/package.json
+++ b/packages/tunnel/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@logto/tunnel",
-  "version": "0.3.8",
+  "version": "0.3.9",
   "description": "A CLI tool that creates tunnel service to Logto Cloud for local development.",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "homepage": "https://github.com/logto-io/logto#readme",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index f04101069355..38b636b59a2b 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -147,7 +147,7 @@ importers:
         version: 6.0.1(eslint@8.57.0)(prettier@3.5.3)(typescript@5.5.3)
       '@silverhand/eslint-config-react':
         specifier: 6.0.2
-        version: 6.0.2(eslint@8.57.0)(postcss@8.5.14)(prettier@3.5.3)(stylelint@15.11.0(typescript@5.5.3))(typescript@5.5.3)
+        version: 6.0.2(eslint@8.57.0)(postcss@8.5.15)(prettier@3.5.3)(stylelint@15.11.0(typescript@5.5.3))(typescript@5.5.3)
       '@silverhand/essentials':
         specifier: ^2.9.1
         version: 2.9.2
@@ -4423,7 +4423,7 @@ importers:
   packages/create:
     dependencies:
       '@logto/cli':
-        specifier: workspace:^1.40.1
+        specifier: workspace:^1.41.0
         version: link:../cli
 
   packages/demo-app:
@@ -7624,131 +7624,157 @@ packages:
     resolution: {integrity: sha512-EIPRXTVQpHyF8WOo219AD2yEltPehLTcTMz2fn6JsatLYSzQf00hj3rulF+yauOlF9/FtM2WpkT/hJh/KJFGhA==}
     cpu: [arm]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-arm-gnueabihf@4.62.0':
     resolution: {integrity: sha512-T1dMEQhXA/jkJ/jyMIw9IovK8bSUq7A8kLIlvZTb/6YIVsp2zLavr4F3oyllHWo7eIVJRyE5n3tUjQJEbE1IuQ==}
     cpu: [arm]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-arm-musleabihf@4.60.4':
     resolution: {integrity: sha512-J3Yh9PzzF1Ovah2At+lHiGQdsYgArxBbXv/zHfSyaiFQEqvNv7DcW98pCrmdjCZBrqBiKrKKe2V+aaSGWuBe/w==}
     cpu: [arm]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-linux-arm-musleabihf@4.62.0':
     resolution: {integrity: sha512-2as0LgT7qQpyceQq6VUJYnumUMUrgGQCWIiDIN9DE0/tglsk6o66uCB4f3djRawAltvfCNLyZZrsqbPA6inCsA==}
     cpu: [arm]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-linux-arm64-gnu@4.60.4':
     resolution: {integrity: sha512-BFDEZMYfUvLn37ONE1yMBojPxnMlTFsdyNoqncT0qFq1mAfllL+ATMMJd8TeuVMiX84s1KbcxcZbXInmcO2mRg==}
     cpu: [arm64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-arm64-gnu@4.62.0':
     resolution: {integrity: sha512-bVURMg+6eNN9C/yc0aVjooZcwTTtYF4YW3xta5pP0//r3o1V8gXEHXWCndj47w/HhwsFroZrFhR+6uQP5T0n0g==}
     cpu: [arm64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-arm64-musl@4.60.4':
     resolution: {integrity: sha512-pc9EYOSlOgdQ2uPl1o9PF6/kLSgaUosia7gOuS8mB69IxJvlclko1MECXysjs5ryez1/5zjYqx3+xYU0TU6R1A==}
     cpu: [arm64]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-linux-arm64-musl@4.62.0':
     resolution: {integrity: sha512-Ful8pM/2yYI83PViWdFdpZhdI8HJ5qsXANe5atypbHDf+KIBBDsZsbyy8hbXnULVvW9NsTh5DHwbcBftyLTfiw==}
     cpu: [arm64]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-linux-loong64-gnu@4.60.4':
     resolution: {integrity: sha512-NxnomyxYerDh5n4iLrNa+sH+Z+U4BMEE46V2PgQ/hoB909i8gV1M5wPojWg9fk1jWpO3IQnOs20K4wyZuFLEFQ==}
     cpu: [loong64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-loong64-gnu@4.62.0':
     resolution: {integrity: sha512-9Gp/DgrkzfUBmNPVTyPTvay+4xEP7M/clXpj3efXBcm6uTIVIgDg4rqUpqKXvLEuFRVuEpSAOkhgNeecvaZ4Cg==}
     cpu: [loong64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-loong64-musl@4.60.4':
     resolution: {integrity: sha512-nbJnQ8a3z1mtmrwImCYhc6BGpThAyYVRQxw9uKSKG4wR6aAYno9sVjJ0zaZcW9BPJX1GbrDPf+SvdWjgTuDmnw==}
     cpu: [loong64]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-linux-loong64-musl@4.62.0':
     resolution: {integrity: sha512-m9tsJz54LUXkSYM8+8PG81B9IKK5r+2T0clMq4QrS16xFosufU7firBDAZEsDheDs7wTlP7h3++S7lMsU955HA==}
     cpu: [loong64]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-linux-ppc64-gnu@4.60.4':
     resolution: {integrity: sha512-2EU6acNrQLd8tYvo/LXW535wupT3m6fo7HKo6lr7ktQoItxTyOL1ZCR/GfGCuXl2vR+zmfI6eRXkSemafv+iVg==}
     cpu: [ppc64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-ppc64-gnu@4.62.0':
     resolution: {integrity: sha512-3UvJ5PNVU16aJf6M3tFI24pWzAl2/ynfbyRN3ICyQajK1lSkrnVYNnLz3v04J32qKa0FczJc22zeToc0lr2A3w==}
     cpu: [ppc64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-ppc64-musl@4.60.4':
     resolution: {integrity: sha512-WeBtoMuaMxiiIrO2IYP3xs6GMWkJP2C0EoT8beTLkUPmzV1i/UcOSVw1d5r9KBODtHKilG5yFxsGRnBbK3wJ4A==}
     cpu: [ppc64]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-linux-ppc64-musl@4.62.0':
     resolution: {integrity: sha512-vRWUAbYLGHBZS6Q8Msb2sfnf1fvJf+47t8l/TwOerM2qArzy+IeNMTHrYLHXh95h8MoatPHI5hhSZNs+mGXKPg==}
     cpu: [ppc64]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-linux-riscv64-gnu@4.60.4':
     resolution: {integrity: sha512-FJHFfqpKUI3A10WrWKiFbBZ7yVbGT4q4B5o1qKFFojqpaYoh9LrQgqWCmmcxQzVSXYtyB5bzkXrYzlHTs21MYA==}
     cpu: [riscv64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-riscv64-gnu@4.62.0':
     resolution: {integrity: sha512-c00T5SYENHAt86cfW47URaP3Us5vLC/4QO7GYud1G5VNRffCwwCuBspwqYrriuJB+5m0WFzClCn9wed0FBjKvg==}
     cpu: [riscv64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-riscv64-musl@4.60.4':
     resolution: {integrity: sha512-mcEl6CUT5IAUmQf1m9FYSmVqCJlpQ8r8eyftFUHG8i9OhY7BkBXSUdnLH5DOf0wCOjcP9v/QO93zpmF1SptCCw==}
     cpu: [riscv64]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-linux-riscv64-musl@4.62.0':
     resolution: {integrity: sha512-krrCDilhXOwFkSkO3Wm9I/f9H0L92XHHwy2fwxjukxIbh0dem8gZqOW5Y8BsHrpJv5qwlRBV+Wl4ZFyRWhUpwg==}
     cpu: [riscv64]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-linux-s390x-gnu@4.60.4':
     resolution: {integrity: sha512-ynt3JxVd2w2buzoKDWIyiV1pJW93xlQic1THVLXilz429oijRpSHivZAgp65KBu+cMcgf1eVVjdnTLvPxgCuoQ==}
     cpu: [s390x]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-s390x-gnu@4.62.0':
     resolution: {integrity: sha512-7pfYFSTc4/rUC/FtAI0Qp6QthDBCIi6/AuP1xYqFk5vanI6KnL5dWKP60OM/05LOsbwTmIcvr6eXC4CJuJ75IA==}
     cpu: [s390x]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-x64-gnu@4.60.4':
     resolution: {integrity: sha512-Boiz5+MsaROEWDf+GGEwF8VMHGhlUoQMtIPjOgA5fv4osupqTVnJteQNKJwUcnUog2G55jYXH7KZFFiJe0TEzQ==}
     cpu: [x64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-x64-gnu@4.62.0':
     resolution: {integrity: sha512-7SDIalKeIpG0Ifogbbdn58HmSotYMlf23K3dCJEmiVd9Fg36Vmni82iPQec27N3wY4Bvbxftkxz6vSx9OcouTg==}
     cpu: [x64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-x64-musl@4.60.4':
     resolution: {integrity: sha512-+qfSY27qIrFfI/Hom04KYFw3GKZSGU4lXus51wsb5EuySfFlWRwjkKWoE9emgRw/ukoT4Udsj4W/+xxG8VbPKg==}
     cpu: [x64]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-linux-x64-musl@4.62.0':
     resolution: {integrity: sha512-eRZevouTH2i1HeAVLqJuLnt256krQkGY0TN6WsTmsIhuzbh457HuWDMakKwmi0Cjadux983CoSr8Lim2QhUIFw==}
     cpu: [x64]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-openbsd-x64@4.60.4':
     resolution: {integrity: sha512-VpTfOPHgVXEBeeR8hZ2O0F3aSso+JDWqTWmTmzcQKted54IAdUVbxE+j/MVxUsKa8L20HJhv3vUezVPoquqWjA==}
@@ -8223,24 +8249,28 @@ packages:
     engines: {node: '>=10'}
     cpu: [arm64]
     os: [linux]
+    libc: [glibc]
 
   '@swc/core-linux-arm64-musl@1.3.52':
     resolution: {integrity: sha512-GCxNjTAborAmv4VV1AMZLyejHLGgIzu13tvLUFqybtU4jFxVbE2ZK4ZnPCfDlWN+eBwyRWk1oNFR2hH+66vaUQ==}
     engines: {node: '>=10'}
     cpu: [arm64]
     os: [linux]
+    libc: [musl]
 
   '@swc/core-linux-x64-gnu@1.3.52':
     resolution: {integrity: sha512-mrvDBSkLI3Mza2qcu3uzB5JGwMBYDb1++UQ1VB0RXf2AR21/cCper4P44IpfdeqFz9XyXq18Sh3gblICUCGvig==}
     engines: {node: '>=10'}
     cpu: [x64]
     os: [linux]
+    libc: [glibc]
 
   '@swc/core-linux-x64-musl@1.3.52':
     resolution: {integrity: sha512-r9RIvKUQv7yBkpXz+QxPAucdoj8ymBlgIm5rLE0b5VmU7dlKBnpAmRBYaITdH6IXhF0pwuG+FHAd5elBcrkIwA==}
     engines: {node: '>=10'}
     cpu: [x64]
     os: [linux]
+    libc: [musl]
 
   '@swc/core-win32-arm64-msvc@1.3.52':
     resolution: {integrity: sha512-YRtEr7tDo0Wes3M2ZhigF4erUjWBXeFP+O+iz6ELBBmPG7B7m/lrA21eiW9/90YGnzi0iNo46shK6PfXuPhP+Q==}
@@ -12451,24 +12481,28 @@ packages:
     engines: {node: '>= 12.0.0'}
     cpu: [arm64]
     os: [linux]
+    libc: [glibc]
 
   lightningcss-linux-arm64-musl@1.25.1:
     resolution: {integrity: sha512-IhxVFJoTW8wq6yLvxdPvyHv4NjzcpN1B7gjxrY3uaykQNXPHNIpChLB52+wfH+yS58zm1PL4LemUp8u9Cfp6Bw==}
     engines: {node: '>= 12.0.0'}
     cpu: [arm64]
     os: [linux]
+    libc: [musl]
 
   lightningcss-linux-x64-gnu@1.25.1:
     resolution: {integrity: sha512-RXIaru79KrREPEd6WLXfKfIp4QzoppZvD3x7vuTKkDA64PwTzKJ2jaC43RZHRt8BmyIkRRlmywNhTRMbmkPYpA==}
     engines: {node: '>= 12.0.0'}
     cpu: [x64]
     os: [linux]
+    libc: [glibc]
 
   lightningcss-linux-x64-musl@1.25.1:
     resolution: {integrity: sha512-TdcNqFsAENEEFr8fJWg0Y4fZ/nwuqTRsIr7W7t2wmDUlA8eSXVepeeONYcb+gtTj1RaXn/WgNLB45SFkz+XBZA==}
     engines: {node: '>= 12.0.0'}
     cpu: [x64]
     os: [linux]
+    libc: [musl]
 
   lightningcss-win32-x64-msvc@1.25.1:
     resolution: {integrity: sha512-9KZZkmmy9oGDSrnyHuxP6iMhbsgChUiu/NSgOx+U1I/wTngBStDf2i2aGRCHvFqj19HqqBEI4WuGVQBa2V6e0A==}
@@ -13357,7 +13391,7 @@ packages:
     resolution: {integrity: sha512-uTqF9MuPraAQ+IsnPf366RG4cP9RtUi7MLO1N3KEc+wb0a6yKpeL0lmk2IB1jY5KHPAlTc6T/JRdC/YqxHNwkQ==}
 
   oidc-provider@https://codeload.github.com/logto-io/node-oidc-provider/tar.gz/5570006785b44e0f125ee4cb6bf540338721b1f3:
-    resolution: {tarball: https://codeload.github.com/logto-io/node-oidc-provider/tar.gz/5570006785b44e0f125ee4cb6bf540338721b1f3}
+    resolution: {gitHosted: true, tarball: https://codeload.github.com/logto-io/node-oidc-provider/tar.gz/5570006785b44e0f125ee4cb6bf540338721b1f3}
     version: 8.6.1
 
   oidc-token-hash@5.0.3: