diff --git a/cmd/fill/main.go b/cmd/fill/main.go
index a9aa122..3b676bb 100644
--- a/cmd/fill/main.go
+++ b/cmd/fill/main.go
@@ -6,6 +6,8 @@ import (
 	"platform/pkg/env"
 	"platform/pkg/logs"
 	"platform/pkg/orm"
+	client2 "platform/web/domains/client"
+	proxy2 "platform/web/domains/proxy"
 	m "platform/web/models"
 	q "platform/web/queries"
 )
@@ -24,13 +26,13 @@ func main() {
 				Version: 1,
 				Name:    "7a17e8b4-cdc3-4500-bf16-4a665991a7f6",
 				Host:    "110.40.82.248",
-				Type:    2,
+				Type:    int32(proxy2.TypeSelfHosted),
 				Secret:  "api:123456",
 			}, &m.Proxy{
 				Version: 1,
 				Name:    "58e03f38-4cef-429c-8bb8-530142d0a745",
 				Host:    "123.6.147.241",
-				Type:    1,
+				Type:    int32(proxy2.TypeThirdParty),
 				Secret:  "api:123456",
 			})
 		if err != nil {
@@ -65,13 +67,13 @@ func main() {
 				GrantClient:   true,
 				GrantRefresh:  true,
 				GrantPassword: true,
-				Spec:          3,
+				Spec:          int32(client2.SpecTrusted),
 				Name:          "默认客户端",
 			}, &m.Client{
 				ClientID:     "tasks",
 				ClientSecret: string(tasksSecret),
 				GrantClient:  true,
-				Spec:         3,
+				Spec:         int32(client2.SpecTrusted),
 				Name:         "异步任务处理服务",
 			})
 		if err != nil {
diff --git a/scripts/sql/init.sql b/scripts/sql/init.sql
index d08cb9f..ef108bf 100644
--- a/scripts/sql/init.sql
+++ b/scripts/sql/init.sql
@@ -18,7 +18,7 @@ $$
 $$;
 
 -- ====================
--- region 管理员信息
+-- region 日志
 -- ====================
 
 -- logs_request
@@ -44,7 +44,7 @@ create table logs_request (
 -- logs_access表字段注释
 comment on table logs_request is '访问日志表';
 comment on column logs_request.id is '访问日志ID';
-comment on column logs_request.identity is '访客身份：0-游客，1-用户，2-服务，3-管理员';
+comment on column logs_request.identity is '访客身份：0-游客，1-用户，2-管理员，3-公共服务，4-安全服务，5-内部服务';
 comment on column logs_request.visitor is '访客ID';
 comment on column logs_request.ip is 'IP地址';
 comment on column logs_request.ua is '用户代理';
@@ -281,7 +281,7 @@ comment on column client.grant_code is '允许授权码授予';
 comment on column client.grant_client is '允许客户端凭证授予';
 comment on column client.grant_refresh is '允许刷新令牌授予';
 comment on column client.grant_password is '允许密码授予';
-comment on column client.spec is '安全规范：1-native，2-browser，3-web';
+comment on column client.spec is '安全规范：1-native，2-browser，3-web，4-trusted';
 comment on column client.name is '名称';
 comment on column client.icon is '图标URL';
 comment on column client.status is '状态：0-禁用，1-正常';
diff --git a/web/auth/authenticate.go b/web/auth/authenticate.go
index 8c5c5ba..f90d9f7 100644
--- a/web/auth/authenticate.go
+++ b/web/auth/authenticate.go
@@ -5,6 +5,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"log/slog"
+	client2 "platform/web/domains/client"
 	q "platform/web/queries"
 	"slices"
 	"strings"
@@ -38,7 +39,7 @@ func Protect(c *fiber.Ctx, types []PayloadType, permissions []string) (*Context,
 		}
 
 	case "Basic":
-		if !slices.Contains(types, PayloadClientConfidential) {
+		if !slices.Contains(types, PayloadSecuredServer) {
 			slog.Debug("禁止使用 Basic 认证方式")
 			return nil, fiber.NewError(fiber.StatusUnauthorized, "无效的令牌")
 		}
@@ -106,7 +107,7 @@ func authBasic(_ context.Context, token string) (*Context, error) {
 	client, err := q.Client.
 		Where(
 			q.Client.ClientID.Eq(clientID),
-			q.Client.Spec.Eq(3),
+			q.Client.Spec.In(int32(client2.SpecWeb), int32(client2.SpecTrusted)),
 			q.Client.GrantClient.Is(true),
 			q.Client.Status.Eq(1)).
 		Take()
@@ -126,7 +127,7 @@ func authBasic(_ context.Context, token string) (*Context, error) {
 	return &Context{
 		Payload: Payload{
 			Id:     client.ID,
-			Type:   PayloadClientConfidential,
+			Type:   PayloadSecuredServer,
 			Name:   client.Name,
 			Avatar: client.Icon,
 		},
diff --git a/web/auth/context.go b/web/auth/context.go
index 004c0ad..6ae4857 100644
--- a/web/auth/context.go
+++ b/web/auth/context.go
@@ -37,15 +37,18 @@ type Agent struct {
 type PayloadType int
 
 const (
+	// PayloadNone 游客
 	PayloadNone PayloadType = iota
-	// PayloadUser 用户类型
+	// PayloadUser 用户
 	PayloadUser
-	// PayloadAdmin 管理员类型
+	// PayloadAdmin 管理员
 	PayloadAdmin
-	// PayloadClientPublic 公共客户端类型
-	PayloadClientPublic
-	// PayloadClientConfidential 机密客户端类型
-	PayloadClientConfidential
+	// PayloadPublicServer 公共服务（public_client）
+	PayloadPublicServer
+	// PayloadSecuredServer 安全服务（credential_client）
+	PayloadSecuredServer
+	// PayloadInternalServer 内部服务
+	PayloadInternalServer
 )
 
 func (t PayloadType) ToStr() string {
@@ -54,9 +57,9 @@ func (t PayloadType) ToStr() string {
 		return "user"
 	case PayloadAdmin:
 		return "admn"
-	case PayloadClientPublic:
+	case PayloadPublicServer:
 		return "cpub"
-	case PayloadClientConfidential:
+	case PayloadSecuredServer:
 		return "ccnf"
 	default:
 		return "none"
@@ -70,9 +73,9 @@ func PayloadTypeFromStr(name string) PayloadType {
 	case "admn":
 		return PayloadAdmin
 	case "cpub":
-		return PayloadClientPublic
+		return PayloadPublicServer
 	case "ccnf":
-		return PayloadClientConfidential
+		return PayloadSecuredServer
 	default:
 		return PayloadNone
 	}
diff --git a/web/domains/announcement/types.go b/web/domains/announcement/types.go
new file mode 100644
index 0000000..2f6c397
--- /dev/null
+++ b/web/domains/announcement/types.go
@@ -0,0 +1,7 @@
+package announcement
+
+type Type int32
+
+const (
+	TypeNormal Type = iota + 1 // 普通公告
+)
diff --git a/web/domains/bill/types.go b/web/domains/bill/types.go
new file mode 100644
index 0000000..9a57a46
--- /dev/null
+++ b/web/domains/bill/types.go
@@ -0,0 +1,9 @@
+package bill
+
+type Type int32
+
+const (
+	TypeConsume  Type = iota + 1 // 消费
+	TypeRefund                   // 退款
+	TypeRecharge                 // 充值
+)
diff --git a/web/domains/channel/types.go b/web/domains/channel/types.go
new file mode 100644
index 0000000..34cf97e
--- /dev/null
+++ b/web/domains/channel/types.go
@@ -0,0 +1,9 @@
+package channel
+
+type Protocol int32
+
+const (
+	ProtocolHttp Protocol = iota + 1
+	ProtocolHttps
+	ProtocolSocks5
+)
diff --git a/web/domains/client/types.go b/web/domains/client/types.go
new file mode 100644
index 0000000..cd6b7d1
--- /dev/null
+++ b/web/domains/client/types.go
@@ -0,0 +1,10 @@
+package client
+
+type Spec int32
+
+const (
+	SpecNative  Spec = iota + 1 // 原生客户端
+	SpecBrowser                 // 浏览器客户端
+	SpecWeb                     // Web 服务
+	SpecTrusted                 // 可信服务
+)
diff --git a/web/domains/coupon/types.go b/web/domains/coupon/types.go
new file mode 100644
index 0000000..1731622
--- /dev/null
+++ b/web/domains/coupon/types.go
@@ -0,0 +1,9 @@
+package coupon
+
+type Status int32
+
+const (
+	StatusUnused  = iota // 未使用
+	StatusUsed           // 已使用
+	StatusExpired        // 已过期
+)
diff --git a/web/domains/node/types.go b/web/domains/node/types.go
new file mode 100644
index 0000000..0d1a730
--- /dev/null
+++ b/web/domains/node/types.go
@@ -0,0 +1,10 @@
+package node
+
+type ISP int32
+
+const (
+	IspUnknown      ISP = iota // 未知
+	IspChinaTelecom            // 中国电信
+	IspChinaUnicom             // 中国联通
+	IspChinaMobile             // 中国移动
+)
diff --git a/web/domains/proxy/types.go b/web/domains/proxy/types.go
new file mode 100644
index 0000000..750702d
--- /dev/null
+++ b/web/domains/proxy/types.go
@@ -0,0 +1,8 @@
+package proxy
+
+type Type int32
+
+const (
+	TypeThirdParty Type = iota + 1 // 三方代理
+	TypeSelfHosted                 // 自建代理
+)
diff --git a/web/domains/refund/types.go b/web/domains/refund/types.go
new file mode 100644
index 0000000..bfd7435
--- /dev/null
+++ b/web/domains/refund/types.go
@@ -0,0 +1,9 @@
+package refund
+
+type Status int32
+
+const (
+	StatusHandling Status = iota + 1 // 待处理
+	StatusSuccess                    // 已退款
+	StatusRefused                    // 已拒绝
+)
diff --git a/web/domains/resource/types.go b/web/domains/resource/types.go
new file mode 100644
index 0000000..0682b3a
--- /dev/null
+++ b/web/domains/resource/types.go
@@ -0,0 +1,16 @@
+package resource
+
+type Type int32
+
+const (
+	TypeDynamic Type = iota + 1 // 动态
+	TypeTunnel                  // 隧道
+	TypePrivate                 // 私有
+)
+
+type PssType int32
+
+const (
+	PssTypeTime  PssType = iota + 1 // 包时
+	PssTypeCount                    // 包量
+)
diff --git a/web/domains/trade/types.go b/web/domains/trade/types.go
new file mode 100644
index 0000000..6d55fda
--- /dev/null
+++ b/web/domains/trade/types.go
@@ -0,0 +1,24 @@
+package trade
+
+type Type int32
+
+const (
+	TypePurchase Type = iota + 1 // 购买
+	TypeRecharge                 // 充值
+)
+
+type Method int32
+
+const (
+	MethodAlipay Method = iota + 1 // 支付宝
+	MethodWeChat                   // 微信
+)
+
+type Status int32
+
+const (
+	StatusPending  Status = iota // 待支付
+	StatusSuccess                // 已支付
+	StatusCanceled               // 已取消
+	StatusRefunded
+) // 已退款
diff --git a/web/domains/user/types.go b/web/domains/user/types.go
new file mode 100644
index 0000000..0209ff9
--- /dev/null
+++ b/web/domains/user/types.go
@@ -0,0 +1,9 @@
+package user
+
+type IdType int32
+
+const (
+	IdTypeNone       IdType = iota // 未认证
+	IdTypePersonal                 // 个人认证
+	IdTypeEnterprise               // 企业认证
+)
diff --git a/web/handlers/auth.go b/web/handlers/auth.go
index 1417b30..ea3c316 100644
--- a/web/handlers/auth.go
+++ b/web/handlers/auth.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"log/slog"
 	"platform/web/auth"
+	client2 "platform/web/domains/client"
 	m "platform/web/models"
 	q "platform/web/queries"
 	s "platform/web/services"
@@ -188,7 +189,7 @@ func protect(c *fiber.Ctx, grant s.OauthGrantType, clientId, clientSecret string
 			return nil, s.ErrOauthUnauthorizedClient
 		}
 	case s.OauthGrantTypeClientCredentials:
-		if !client.GrantClient || client.Spec != 3 {
+		if !client.GrantClient || client.Spec != int32(client2.SpecWeb) || client.Spec != int32(client2.SpecTrusted) {
 			return nil, s.ErrOauthUnauthorizedClient
 		}
 	case s.OauthGrantTypeRefreshToken:
@@ -202,7 +203,7 @@ func protect(c *fiber.Ctx, grant s.OauthGrantType, clientId, clientSecret string
 	}
 
 	// 如果客户端是 confidential，验证 client_secret，失败返回错误
-	if client.Spec == 3 {
+	if client.Spec == int32(client2.SpecWeb) || client.Spec == int32(client2.SpecTrusted) {
 		if clientSecret == "" {
 			return nil, s.ErrOauthInvalidRequest
 		}
@@ -215,7 +216,7 @@ func protect(c *fiber.Ctx, grant s.OauthGrantType, clientId, clientSecret string
 	auth.Locals(c, &auth.Context{
 		Payload: auth.Payload{
 			Id:     client.ID,
-			Type:   auth.PayloadClientConfidential,
+			Type:   auth.PayloadSecuredServer,
 			Name:   client.Name,
 			Avatar: client.Icon,
 		},
diff --git a/web/handlers/channel.go b/web/handlers/channel.go
index f8dc0db..fa3ea0d 100644
--- a/web/handlers/channel.go
+++ b/web/handlers/channel.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"platform/web/auth"
 	"platform/web/core"
+	channel2 "platform/web/domains/channel"
 	q "platform/web/queries"
 	s "platform/web/services"
 	"time"
@@ -90,7 +91,7 @@ func ListChannels(c *fiber.Ctx) error {
 type CreateChannelReq struct {
 	ResourceId int32             `json:"resource_id" validate:"required"`
 	AuthType   s.ChannelAuthType `json:"auth_type" validate:"required"`
-	Protocol   s.ChannelProtocol `json:"protocol" validate:"required"`
+	Protocol   channel2.Protocol `json:"protocol" validate:"required"`
 	Count      int               `json:"count" validate:"required"`
 	Prov       string            `json:"prov"`
 	City       string            `json:"city"`
@@ -98,7 +99,7 @@ type CreateChannelReq struct {
 }
 
 type CreateChannelRespItem struct {
-	Proto    s.ChannelProtocol `json:"-"`
+	Proto    channel2.Protocol `json:"-"`
 	Host     string            `json:"host"`
 	Port     int32             `json:"port"`
 	Username *string           `json:"username,omitempty"`
@@ -198,7 +199,7 @@ func RemoveChannels(c *fiber.Ctx) error {
 	// 检查权限
 	authCtx, err := auth.Protect(c, []auth.PayloadType{
 		auth.PayloadUser,
-		auth.PayloadClientConfidential,
+		auth.PayloadSecuredServer,
 	}, []string{})
 	if err != nil {
 		return err
diff --git a/web/handlers/resource.go b/web/handlers/resource.go
index 5ddd013..73655b0 100644
--- a/web/handlers/resource.go
+++ b/web/handlers/resource.go
@@ -4,6 +4,8 @@ import (
 	"platform/pkg/u"
 	"platform/web/auth"
 	"platform/web/core"
+	resource2 "platform/web/domains/resource"
+	trade2 "platform/web/domains/trade"
 	q "platform/web/queries"
 	s "platform/web/services"
 	"time"
@@ -115,10 +117,10 @@ func AllResource(c *fiber.Ctx) error {
 			q.Resource.UserID.Eq(authContext.Payload.Id),
 			q.Resource.Active.Is(true),
 			q.Resource.Where(
-				pss.Type.Eq(1),
+				pss.Type.Eq(int32(resource2.PssTypeTime)),
 				pss.Expire.Gte(core.LocalDateTime(time.Now())),
 			).Or(
-				pss.Type.Eq(2),
+				pss.Type.Eq(int32(resource2.PssTypeCount)),
 				pss.Quota.GtCol(pss.Used),
 			),
 			q.Resource.Where(
@@ -174,7 +176,7 @@ func PrepareResourceByAlipay(c *fiber.Ctx) error {
 		c.Context(),
 		&req.CreateResourceData,
 		authContext.Payload.Id,
-		s.TransactionMethodAlipay,
+		trade2.MethodAlipay,
 	)
 	if err != nil {
 		return err
@@ -206,7 +208,7 @@ func PrepareResourceByWechat(c *fiber.Ctx) error {
 		c.Context(),
 		&req.CreateResourceData,
 		authContext.Payload.Id,
-		s.TransactionMethodWeChat,
+		trade2.MethodWeChat,
 	)
 	if err != nil {
 		return err
@@ -235,7 +237,7 @@ func CreateResourceByAlipay(c *fiber.Ctx) error {
 	// 验证支付结果
 	result, err := s.Transaction.VerifyTransaction(c.Context(), &s.TransactionVerifyData{
 		TradeNo: req.TradeNo,
-		Method:  s.TransactionMethodAlipay,
+		Method:  trade2.MethodAlipay,
 	})
 	if err != nil {
 		return err
@@ -266,7 +268,7 @@ func CreateResourceByWechat(c *fiber.Ctx) error {
 	// 验证支付结果
 	result, err := s.Transaction.VerifyTransaction(c.Context(), &s.TransactionVerifyData{
 		TradeNo: req.TradeNo,
-		Method:  s.TransactionMethodWeChat,
+		Method:  trade2.MethodWeChat,
 	})
 	if err != nil {
 		return err
diff --git a/web/handlers/trade.go b/web/handlers/trade.go
index 18bb126..6f888d8 100644
--- a/web/handlers/trade.go
+++ b/web/handlers/trade.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"log/slog"
 	"net/http"
+	trade2 "platform/web/domains/trade"
 	g "platform/web/globals"
 	q "platform/web/queries"
 	s "platform/web/services"
@@ -65,17 +66,17 @@ func AlipayCallback(c *fiber.Ctx) error {
 			Payment: payment,
 			Time:    paidAt,
 		}
-		switch trade.Type {
+		switch trade2.Type(trade.Type) {
 
 		// 余额充值
-		case 2:
+		case trade2.TypeRecharge:
 			err := s.User.RechargeConfirm(c.Context(), notification.OutTradeNo, verified)
 			if err != nil {
 				return err
 			}
 
 		// 购买产品
-		case 1:
+		case trade2.TypePurchase:
 			err = s.Resource.CompleteResource(c.Context(), notification.OutTradeNo, verified)
 			if err != nil {
 				return err
@@ -84,20 +85,21 @@ func AlipayCallback(c *fiber.Ctx) error {
 
 	// 支付关闭
 	case string(alipay.TradeStatusClosed):
-		switch trade.Type {
+		switch trade2.Type(trade.Type) {
 
 		// 购买产品
-		case 1:
+		case trade2.TypePurchase:
 
 			cancelAt, err := time.Parse("2006-01-02 15:04:05", notification.GmtClose)
 			if err != nil {
 				return err
 			}
 
-			err = s.Resource.CancelResource(c.Context(), notification.OutTradeNo, cancelAt, s.TransactionMethodAlipay)
+			err = s.Resource.CancelResource(c.Context(), notification.OutTradeNo, cancelAt, trade2.MethodAlipay)
 			if err != nil {
 				return err
 			}
+		default:
 		}
 	}
 
@@ -175,14 +177,14 @@ func WechatPayCallback(c *fiber.Ctx) error {
 		switch {
 
 		// 余额充值
-		case trade.Type == 2:
+		case trade.Type == int32(trade2.TypeRecharge):
 			err := s.User.RechargeConfirm(c.Context(), *content.OutTradeNo, verified)
 			if err != nil {
 				return err
 			}
 
 		// 购买产品
-		case trade.Type == 1:
+		case trade.Type == int32(trade2.TypePurchase):
 			err = s.Resource.CompleteResource(c.Context(), *content.OutTradeNo, verified)
 			if err != nil {
 				return err
diff --git a/web/handlers/user.go b/web/handlers/user.go
index 3c31154..d37bb39 100644
--- a/web/handlers/user.go
+++ b/web/handlers/user.go
@@ -3,6 +3,7 @@ package handlers
 import (
 	"platform/web/auth"
 	"platform/web/core"
+	trade2 "platform/web/domains/trade"
 	m "platform/web/models"
 	q "platform/web/queries"
 	s "platform/web/services"
@@ -180,8 +181,8 @@ func RechargePrepareAlipay(c *fiber.Ctx) error {
 			Subject:  "账户充值 - " + strconv.FormatFloat(req.Amount, 'f', 2, 64) + "元",
 			Amount:   req.Amount,
 			ExpireAt: time.Now().Add(30 * time.Minute),
-			Type:     s.TransactionTypeRecharge,
-			Method:   s.TransactionMethodAlipay,
+			Type:     trade2.TypeRecharge,
+			Method:   trade2.MethodAlipay,
 		})
 		return err
 	})
@@ -212,7 +213,7 @@ func RechargeConfirmAlipay(c *fiber.Ctx) error {
 	// 验证支付结果
 	result, err := s.Transaction.VerifyTransaction(c.Context(), &s.TransactionVerifyData{
 		TradeNo: req.TradeNo,
-		Method:  s.TransactionMethodAlipay,
+		Method:  trade2.MethodAlipay,
 	})
 	if err != nil {
 		return err
@@ -247,8 +248,8 @@ func RechargePrepareWechat(c *fiber.Ctx) error {
 			Subject:  "账户充值 - " + strconv.FormatFloat(req.Amount, 'f', 2, 64) + "元",
 			Amount:   req.Amount,
 			ExpireAt: time.Now().Add(30 * time.Minute),
-			Type:     s.TransactionTypeRecharge,
-			Method:   s.TransactionMethodWeChat,
+			Type:     trade2.TypeRecharge,
+			Method:   trade2.MethodWeChat,
 		})
 		return err
 	})
@@ -281,7 +282,7 @@ func RechargeConfirmWechat(c *fiber.Ctx) error {
 	// 验证支付结果
 	result, err := s.Transaction.VerifyTransaction(c.Context(), &s.TransactionVerifyData{
 		TradeNo: req.TradeNo,
-		Method:  s.TransactionMethodWeChat,
+		Method:  trade2.MethodWeChat,
 	})
 	if err != nil {
 		return err
diff --git a/web/handlers/verifier.go b/web/handlers/verifier.go
index 4edfb6d..a1953e9 100644
--- a/web/handlers/verifier.go
+++ b/web/handlers/verifier.go
@@ -18,7 +18,7 @@ type VerifierReq struct {
 func SmsCode(c *fiber.Ctx) error {
 
 	_, err := auth.Protect(c, []auth.PayloadType{
-		auth.PayloadClientConfidential,
+		auth.PayloadSecuredServer,
 	}, []string{})
 	if err != nil {
 		return err
diff --git a/web/models/client.gen.go b/web/models/client.gen.go
index 4066656..f452487 100644
--- a/web/models/client.gen.go
+++ b/web/models/client.gen.go
@@ -14,21 +14,21 @@ const TableNameClient = "client"
 
 // Client mapped from table <client>
 type Client struct {
-	ID            int32              `gorm:"column:id;primaryKey;autoIncrement:true;comment:客户端ID" json:"id"`            // 客户端ID
-	ClientID      string             `gorm:"column:client_id;not null;comment:OAuth2客户端标识符" json:"client_id"`            // OAuth2客户端标识符
-	ClientSecret  string             `gorm:"column:client_secret;not null;comment:OAuth2客户端密钥" json:"client_secret"`     // OAuth2客户端密钥
-	RedirectURI   string             `gorm:"column:redirect_uri;comment:OAuth2 重定向URI" json:"redirect_uri"`              // OAuth2 重定向URI
-	GrantCode     bool               `gorm:"column:grant_code;not null;comment:允许授权码授予" json:"grant_code"`               // 允许授权码授予
-	GrantClient   bool               `gorm:"column:grant_client;not null;comment:允许客户端凭证授予" json:"grant_client"`         // 允许客户端凭证授予
-	GrantRefresh  bool               `gorm:"column:grant_refresh;not null;comment:允许刷新令牌授予" json:"grant_refresh"`        // 允许刷新令牌授予
-	GrantPassword bool               `gorm:"column:grant_password;not null;comment:允许密码授予" json:"grant_password"`        // 允许密码授予
-	Spec          int32              `gorm:"column:spec;not null;comment:安全规范：1-native，2-browser，3-web" json:"spec"`     // 安全规范：1-native，2-browser，3-web
-	Name          string             `gorm:"column:name;not null;comment:名称" json:"name"`                                // 名称
-	Icon          string             `gorm:"column:icon;comment:图标URL" json:"icon"`                                      // 图标URL
-	Status        int32              `gorm:"column:status;not null;default:1;comment:状态：0-禁用，1-正常" json:"status"`        // 状态：0-禁用，1-正常
-	CreatedAt     core.LocalDateTime `gorm:"column:created_at;default:CURRENT_TIMESTAMP;comment:创建时间" json:"created_at"` // 创建时间
-	UpdatedAt     core.LocalDateTime `gorm:"column:updated_at;default:CURRENT_TIMESTAMP;comment:更新时间" json:"updated_at"` // 更新时间
-	DeletedAt     gorm.DeletedAt     `gorm:"column:deleted_at;comment:删除时间" json:"deleted_at"`                           // 删除时间
+	ID            int32              `gorm:"column:id;primaryKey;autoIncrement:true;comment:客户端ID" json:"id"`                  // 客户端ID
+	ClientID      string             `gorm:"column:client_id;not null;comment:OAuth2客户端标识符" json:"client_id"`                  // OAuth2客户端标识符
+	ClientSecret  string             `gorm:"column:client_secret;not null;comment:OAuth2客户端密钥" json:"client_secret"`           // OAuth2客户端密钥
+	RedirectURI   string             `gorm:"column:redirect_uri;comment:OAuth2 重定向URI" json:"redirect_uri"`                    // OAuth2 重定向URI
+	GrantCode     bool               `gorm:"column:grant_code;not null;comment:允许授权码授予" json:"grant_code"`                     // 允许授权码授予
+	GrantClient   bool               `gorm:"column:grant_client;not null;comment:允许客户端凭证授予" json:"grant_client"`               // 允许客户端凭证授予
+	GrantRefresh  bool               `gorm:"column:grant_refresh;not null;comment:允许刷新令牌授予" json:"grant_refresh"`              // 允许刷新令牌授予
+	GrantPassword bool               `gorm:"column:grant_password;not null;comment:允许密码授予" json:"grant_password"`              // 允许密码授予
+	Spec          int32              `gorm:"column:spec;not null;comment:安全规范：1-native，2-browser，3-web，4-trusted" json:"spec"` // 安全规范：1-native，2-browser，3-web，4-trusted
+	Name          string             `gorm:"column:name;not null;comment:名称" json:"name"`                                      // 名称
+	Icon          string             `gorm:"column:icon;comment:图标URL" json:"icon"`                                            // 图标URL
+	Status        int32              `gorm:"column:status;not null;default:1;comment:状态：0-禁用，1-正常" json:"status"`              // 状态：0-禁用，1-正常
+	CreatedAt     core.LocalDateTime `gorm:"column:created_at;default:CURRENT_TIMESTAMP;comment:创建时间" json:"created_at"`       // 创建时间
+	UpdatedAt     core.LocalDateTime `gorm:"column:updated_at;default:CURRENT_TIMESTAMP;comment:更新时间" json:"updated_at"`       // 更新时间
+	DeletedAt     gorm.DeletedAt     `gorm:"column:deleted_at;comment:删除时间" json:"deleted_at"`                                 // 删除时间
 }
 
 // TableName Client's table name
diff --git a/web/models/logs_request.gen.go b/web/models/logs_request.gen.go
index 598f13d..c3f17fc 100644
--- a/web/models/logs_request.gen.go
+++ b/web/models/logs_request.gen.go
@@ -10,17 +10,17 @@ const TableNameLogsRequest = "logs_request"
 
 // LogsRequest mapped from table <logs_request>
 type LogsRequest struct {
-	ID       int32              `gorm:"column:id;primaryKey;autoIncrement:true;comment:访问日志ID" json:"id"`  // 访问日志ID
-	Identity int32              `gorm:"column:identity;comment:访客身份：0-游客，1-用户，2-服务，3-管理员" json:"identity"` // 访客身份：0-游客，1-用户，2-服务，3-管理员
-	Visitor  int32              `gorm:"column:visitor;comment:访客ID" json:"visitor"`                        // 访客ID
-	IP       string             `gorm:"column:ip;not null;comment:IP地址" json:"ip"`                         // IP地址
-	Ua       string             `gorm:"column:ua;comment:用户代理" json:"ua"`                                  // 用户代理
-	Method   string             `gorm:"column:method;not null;comment:请求方法" json:"method"`                 // 请求方法
-	Path     string             `gorm:"column:path;not null;comment:请求路径" json:"path"`                     // 请求路径
-	Latency  string             `gorm:"column:latency;comment:请求延迟" json:"latency"`                        // 请求延迟
-	Status   int32              `gorm:"column:status;not null;comment:响应状态码" json:"status"`                // 响应状态码
-	Error    string             `gorm:"column:error;comment:错误信息" json:"error"`                            // 错误信息
-	Time     core.LocalDateTime `gorm:"column:time;default:CURRENT_TIMESTAMP;comment:请求时间" json:"time"`    // 请求时间
+	ID       int32              `gorm:"column:id;primaryKey;autoIncrement:true;comment:访问日志ID" json:"id"`                  // 访问日志ID
+	Identity int32              `gorm:"column:identity;comment:访客身份：0-游客，1-用户，2-管理员，3-公共服务，4-安全服务，5-内部服务" json:"identity"` // 访客身份：0-游客，1-用户，2-管理员，3-公共服务，4-安全服务，5-内部服务
+	Visitor  int32              `gorm:"column:visitor;comment:访客ID" json:"visitor"`                                        // 访客ID
+	IP       string             `gorm:"column:ip;not null;comment:IP地址" json:"ip"`                                         // IP地址
+	Ua       string             `gorm:"column:ua;comment:用户代理" json:"ua"`                                                  // 用户代理
+	Method   string             `gorm:"column:method;not null;comment:请求方法" json:"method"`                                 // 请求方法
+	Path     string             `gorm:"column:path;not null;comment:请求路径" json:"path"`                                     // 请求路径
+	Latency  string             `gorm:"column:latency;comment:请求延迟" json:"latency"`                                        // 请求延迟
+	Status   int32              `gorm:"column:status;not null;comment:响应状态码" json:"status"`                                // 响应状态码
+	Error    string             `gorm:"column:error;comment:错误信息" json:"error"`                                            // 错误信息
+	Time     core.LocalDateTime `gorm:"column:time;default:CURRENT_TIMESTAMP;comment:请求时间" json:"time"`                    // 请求时间
 }
 
 // TableName LogsRequest's table name
diff --git a/web/queries/client.gen.go b/web/queries/client.gen.go
index cf30042..8f3332e 100644
--- a/web/queries/client.gen.go
+++ b/web/queries/client.gen.go
@@ -60,7 +60,7 @@ type client struct {
 	GrantClient   field.Bool   // 允许客户端凭证授予
 	GrantRefresh  field.Bool   // 允许刷新令牌授予
 	GrantPassword field.Bool   // 允许密码授予
-	Spec          field.Int32  // 安全规范：1-native，2-browser，3-web
+	Spec          field.Int32  // 安全规范：1-native，2-browser，3-web，4-trusted
 	Name          field.String // 名称
 	Icon          field.String // 图标URL
 	Status        field.Int32  // 状态：0-禁用，1-正常
diff --git a/web/queries/logs_request.gen.go b/web/queries/logs_request.gen.go
index 6ec7576..336b504 100644
--- a/web/queries/logs_request.gen.go
+++ b/web/queries/logs_request.gen.go
@@ -49,7 +49,7 @@ type logsRequest struct {
 
 	ALL      field.Asterisk
 	ID       field.Int32  // 访问日志ID
-	Identity field.Int32  // 访客身份：0-游客，1-用户，2-服务，3-管理员
+	Identity field.Int32  // 访客身份：0-游客，1-用户，2-管理员，3-公共服务，4-安全服务，5-内部服务
 	Visitor  field.Int32  // 访客ID
 	IP       field.String // IP地址
 	Ua       field.String // 用户代理
diff --git a/web/services/auth.go b/web/services/auth.go
index 15102c3..328b93e 100644
--- a/web/services/auth.go
+++ b/web/services/auth.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"platform/web/auth"
 	"platform/web/core"
+	client2 "platform/web/domains/client"
 	m "platform/web/models"
 	q "platform/web/queries"
 	"time"
@@ -26,13 +27,11 @@ func (s *authService) OauthAuthorizationCode(ctx context.Context, client *m.Clie
 func (s *authService) OauthClientCredentials(ctx context.Context, client *m.Client, scope ...string) (*TokenDetails, error) {
 
 	var clientType auth.PayloadType
-	switch client.Spec {
-	case 1:
-		clientType = auth.PayloadClientPublic
-	case 2:
-		clientType = auth.PayloadClientPublic
-	case 3:
-		clientType = auth.PayloadClientConfidential
+	switch client2.Spec(client.Spec) {
+	case client2.SpecNative, client2.SpecBrowser:
+		clientType = auth.PayloadPublicServer
+	case client2.SpecWeb, client2.SpecTrusted:
+		clientType = auth.PayloadSecuredServer
 	}
 
 	var permissions = make(map[string]struct{}, len(scope))
diff --git a/web/services/channel.go b/web/services/channel.go
index 3774c91..2f011cc 100644
--- a/web/services/channel.go
+++ b/web/services/channel.go
@@ -15,6 +15,8 @@ import (
 	"platform/pkg/u"
 	"platform/web/auth"
 	"platform/web/core"
+	channel2 "platform/web/domains/channel"
+	proxy2 "platform/web/domains/proxy"
 	g "platform/web/globals"
 	m "platform/web/models"
 	q "platform/web/queries"
@@ -214,7 +216,7 @@ func (s *channelService) CreateChannel(
 	ctx context.Context,
 	authCtx *auth.Context,
 	resourceId int32,
-	protocol ChannelProtocol,
+	protocol channel2.Protocol,
 	authType ChannelAuthType,
 	count int,
 	nodeFilter ...NodeFilterConfig,
@@ -340,7 +342,7 @@ func findResource(q *q.Query, resourceId int32, authCtx *auth.Context, count int
 
 func findProxies(q *q.Query) (proxies []*m.Proxy, err error) {
 	proxies, err = q.Proxy.
-		Where(q.Proxy.Type.Eq(1)).
+		Where(q.Proxy.Type.Eq(int32(proxy2.TypeThirdParty))).
 		Find()
 	if err != nil {
 		return nil, err
@@ -394,7 +396,7 @@ func calcChannels(
 	whitelist *[]string,
 	count int,
 	userId int32,
-	protocol ChannelProtocol,
+	protocol channel2.Protocol,
 	authType ChannelAuthType,
 	expiration time.Time,
 	filter NodeFilterConfig,
@@ -700,15 +702,6 @@ const (
 	ChannelAuthTypePass
 )
 
-type ChannelProtocol int32
-
-const (
-	ProtocolAll ChannelProtocol = iota
-	ProtocolHTTP
-	ProtocolHttps
-	ProtocolSocks5
-)
-
 type ChannelServiceErr string
 
 func (c ChannelServiceErr) Error() string {
diff --git a/web/services/resource.go b/web/services/resource.go
index 2d32f0d..0b59a02 100644
--- a/web/services/resource.go
+++ b/web/services/resource.go
@@ -7,6 +7,9 @@ import (
 	"fmt"
 	"platform/pkg/rds"
 	"platform/web/core"
+	bill2 "platform/web/domains/bill"
+	resource2 "platform/web/domains/resource"
+	trade2 "platform/web/domains/trade"
 	m "platform/web/models"
 	q "platform/web/queries"
 	"strings"
@@ -19,7 +22,7 @@ var Resource = &resourceService{}
 
 type resourceService struct{}
 
-func (s *resourceService) PrepareResource(ctx context.Context, data *CreateResourceData, uid int32, method TransactionMethod) (*TransactionPrepareResult, error) {
+func (s *resourceService) PrepareResource(ctx context.Context, data *CreateResourceData, uid int32, method trade2.Method) (*TransactionPrepareResult, error) {
 	amount := data.GetPrice()
 
 	// 保存到数据库
@@ -32,7 +35,7 @@ func (s *resourceService) PrepareResource(ctx context.Context, data *CreateResou
 			Subject:  "购买套餐 - " + data.GetName(),
 			Amount:   amount,
 			ExpireAt: time.Now().Add(30 * time.Minute),
-			Type:     TransactionTypePurchase,
+			Type:     trade2.TypeRecharge,
 			Method:   method,
 		})
 		if err != nil {
@@ -150,7 +153,7 @@ func (s *resourceService) CreateResource(data *CreateResourceData, uid int32) er
 			ResourceID: resource.ID,
 			BillNo:     ID.GenReadable("bil"),
 			Info:       "购买套餐 - " + data.GetName(),
-			Type:       1,
+			Type:       int32(bill2.TypeConsume),
 			Amount:     data.GetPrice(),
 		}
 		err = q.Bill.
@@ -243,7 +246,7 @@ func createResource(q *q.Query, data *CreateResourceData, uid int32) (*m.Resourc
 		UserID:     uid,
 		ResourceNo: ID.GenReadable("res"),
 		Active:     true,
-		Type:       1,
+		Type:       int32(resource2.TypeDynamic),
 		Pss: &m.ResourcePss{
 			Type:       data.Type,
 			Live:       data.Live,
@@ -260,7 +263,7 @@ func createResource(q *q.Query, data *CreateResourceData, uid int32) (*m.Resourc
 	return &resource, nil
 }
 
-func (s *resourceService) CancelResource(ctx context.Context, tradeNo string, at time.Time, method TransactionMethod) error {
+func (s *resourceService) CancelResource(ctx context.Context, tradeNo string, at time.Time, method trade2.Method) error {
 	// 删除请求缓存
 	_, err := rds.Client.Del(ctx, tradeNo).Result()
 	if err != nil {
diff --git a/web/services/transaction.go b/web/services/transaction.go
index 4c1378a..432d961 100644
--- a/web/services/transaction.go
+++ b/web/services/transaction.go
@@ -9,6 +9,9 @@ import (
 	"platform/pkg/env"
 	"platform/pkg/u"
 	"platform/web/core"
+	bill2 "platform/web/domains/bill"
+	coupon2 "platform/web/domains/coupon"
+	trade2 "platform/web/domains/trade"
 	g "platform/web/globals"
 	m "platform/web/models"
 	q "platform/web/queries"
@@ -43,7 +46,7 @@ func (s *transactionService) PrepareTransaction(ctx context.Context, q *q.Query,
 		coupon, err := q.Coupon.WithContext(ctx).
 			Where(
 				q.Coupon.Code.Eq(data.CouponCode),
-				q.Coupon.Status.Eq(0),
+				q.Coupon.Status.Eq(int32(coupon2.StatusUnused)),
 			).
 			Take()
 		if err != nil {
@@ -57,7 +60,7 @@ func (s *transactionService) PrepareTransaction(ctx context.Context, q *q.Query,
 		if !expireAt.IsZero() && expireAt.Before(time.Now()) {
 			_, err = q.Coupon.
 				Where(q.Coupon.ID.Eq(coupon.ID)).
-				Update(q.Coupon.Status, 2)
+				Update(q.Coupon.Status, coupon2.StatusExpired)
 			if err != nil {
 				return nil, err
 			}
@@ -83,7 +86,7 @@ func (s *transactionService) PrepareTransaction(ctx context.Context, q *q.Query,
 			if time.Time(coupon.ExpireAt).IsZero() {
 				_, err = q.Coupon.
 					Where(q.Coupon.ID.Eq(coupon.ID)).
-					Update(q.Coupon.Status, 1)
+					Update(q.Coupon.Status, int32(coupon2.StatusUsed))
 				if err != nil {
 					return nil, err
 				}
@@ -102,7 +105,7 @@ func (s *transactionService) PrepareTransaction(ctx context.Context, q *q.Query,
 	switch method {
 
 	// 调用支付宝支付接口
-	case TransactionMethodAlipay:
+	case trade2.MethodAlipay:
 		resp, err := g.Alipay.TradePagePay(alipay.TradePagePay{
 			QRPayMode: "4",
 			Trade: alipay.Trade{
@@ -119,7 +122,7 @@ func (s *transactionService) PrepareTransaction(ctx context.Context, q *q.Query,
 		payUrl = resp.String()
 
 	// 调用微信支付接口
-	case TransactionMethodWeChat:
+	case trade2.MethodWeChat:
 		resp, _, err := g.WechatPay.Native.Prepay(ctx, native.PrepayRequest{
 			Appid:       &env.WechatPayAppId,
 			Mchid:       &env.WechatPayMchId,
@@ -142,15 +145,12 @@ func (s *transactionService) PrepareTransaction(ctx context.Context, q *q.Query,
 	}
 
 	// 保存交易订单
-	var tradeType int
-	var billType int
+	var billType bill2.Type
 	switch tType {
-	case TransactionTypeRecharge:
-		tradeType = 2
-		billType = 3
-	case TransactionTypePurchase:
-		tradeType = 1
-		billType = 1
+	case trade2.TypeRecharge:
+		billType = bill2.TypeRecharge
+	case trade2.TypePurchase:
+		billType = bill2.TypeConsume
 	}
 
 	var trade = m.Trade{
@@ -158,7 +158,7 @@ func (s *transactionService) PrepareTransaction(ctx context.Context, q *q.Query,
 		InnerNo: tradeNo,
 		Subject: subject,
 		Method:  int32(method),
-		Type:    int32(tradeType),
+		Type:    int32(tType),
 		Amount:  amount,
 		PayURL:  payUrl,
 	}
@@ -202,7 +202,7 @@ func (s *transactionService) VerifyTransaction(ctx context.Context, data *Transa
 	switch method {
 
 	// 检查支付宝交易
-	case TransactionMethodAlipay:
+	case trade2.MethodAlipay:
 		resp, err := g.Alipay.TradeQuery(ctx, alipay.TradeQuery{
 			OutTradeNo: tradeNo,
 		})
@@ -228,7 +228,7 @@ func (s *transactionService) VerifyTransaction(ctx context.Context, data *Transa
 		}
 
 	// 检查微信交易
-	case TransactionMethodWeChat:
+	case trade2.MethodWeChat:
 		resp, _, err := g.WechatPay.Native.QueryOrderByOutTradeNo(ctx, native.QueryOrderByOutTradeNoRequest{
 			OutTradeNo: &tradeNo,
 			Mchid:      &env.WechatPayMchId,
@@ -274,12 +274,12 @@ func (s *transactionService) CompleteTransaction(ctx context.Context, q *q.Query
 	}
 
 	// 检查交易状态
-	if trade.Status != 0 {
+	if trade.Status != int32(trade2.StatusPending) {
 		return nil, nil
 	}
 
 	// 更新交易状态
-	trade.Status = 1
+	trade.Status = int32(trade2.StatusSuccess)
 	trade.OuterNo = transId
 	trade.Payment = payment
 	trade.PaidAt = core.LocalDateTime(paidAt)
@@ -294,11 +294,11 @@ func (s *transactionService) CompleteTransaction(ctx context.Context, q *q.Query
 	}, nil
 }
 
-func (s *transactionService) RevokeTransaction(ctx context.Context, tradeNo string, method TransactionMethod) error {
+func (s *transactionService) RevokeTransaction(ctx context.Context, tradeNo string, method trade2.Method) error {
 
 	switch method {
 
-	case TransactionMethodAlipay:
+	case trade2.MethodAlipay:
 		resp, err := g.Alipay.TradeCancel(ctx, alipay.TradeCancel{
 			OutTradeNo: tradeNo,
 		})
@@ -310,7 +310,7 @@ func (s *transactionService) RevokeTransaction(ctx context.Context, tradeNo stri
 			return errors.New("交易取消失败")
 		}
 
-	case TransactionMethodWeChat:
+	case trade2.MethodWeChat:
 		resp, err := g.WechatPay.Native.CloseOrder(ctx, native.CloseOrderRequest{
 			Mchid:      &env.WechatPayMchId,
 			OutTradeNo: &tradeNo,
@@ -333,7 +333,7 @@ func (s *transactionService) FinishTransaction(ctx context.Context, q *q.Query,
 		Where(q.Trade.InnerNo.Eq(tradeNo)).
 		Select(q.Trade.Status, q.Trade.CancelAt, q.Trade.PayURL).
 		Updates(m.Trade{
-			Status:   2,
+			Status:   int32(trade2.StatusCanceled),
 			CancelAt: core.LocalDateTime(time),
 			PayURL:   "",
 		})
@@ -344,26 +344,12 @@ func (s *transactionService) FinishTransaction(ctx context.Context, q *q.Query,
 	return nil
 }
 
-type TransactionType int32
-
-const (
-	TransactionTypePurchase TransactionType = iota + 1
-	TransactionTypeRecharge
-)
-
-type TransactionMethod int32
-
-const (
-	TransactionMethodAlipay TransactionMethod = iota
-	TransactionMethodWeChat
-)
-
 type TransactionPrepareData struct {
 	Subject    string
 	Amount     float64
 	ExpireAt   time.Time
-	Type       TransactionType
-	Method     TransactionMethod
+	Type       trade2.Type
+	Method     trade2.Method
 	CouponCode string
 }
 
@@ -376,7 +362,7 @@ type TransactionPrepareResult struct {
 
 type TransactionVerifyData struct {
 	TradeNo string
-	Method  TransactionMethod
+	Method  trade2.Method
 }
 
 type TransactionVerifyResult struct {