apache
diff --git a/‎.claude/skills/package/SKILL.md‎
Lines changed: 113 additions & 0 deletions b/‎.claude/skills/package/SKILL.md‎
Lines changed: 113 additions & 0 deletions
diff --git a/‎.claude/skills/run-e2e/SKILL.md‎
Lines changed: 63 additions & 0 deletions b/‎.claude/skills/run-e2e/SKILL.md‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎.github/workflows/skywalking.yaml‎
Lines changed: 2 additions & 0 deletions b/‎.github/workflows/skywalking.yaml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎CLAUDE.md‎
Lines changed: 1 addition & 0 deletions b/‎CLAUDE.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎dist-material/release-docs/LICENSE‎
Lines changed: 2 additions & 2 deletions b/‎dist-material/release-docs/LICENSE‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/en/changes/changes.md‎
Lines changed: 6 additions & 0 deletions b/‎docs/en/changes/changes.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎docs/en/security/README.md‎
Lines changed: 12 additions & 4 deletions b/‎docs/en/security/README.md‎
Lines changed: 12 additions & 4 deletions
@@ -0,0 +1,113 @@
+---
+name: package
+description: Rebuild the SkyWalking distribution and OAP Docker image after source changes. Use before running e2e tests so the image reflects your code changes. Avoids the "image looks updated but runtime has stale jars" trap.
+argument-hint: "[oap|all|dist-only]"
+---
+
+# Package OAP Distribution & Docker Image
+
+Rebuilding the Docker image after a source-code change has a **two-step dependency**: rebuild the dist tarball, then rebuild the image. Skipping the first step silently produces an image with stale jars — the Docker build still "succeeds," the image has a fresh timestamp, but the embedded jar is the one from your previous build.
+
+## Why this matters
+
+`make docker.oap` in the root `Makefile` is defined as:
+
+```
+docker.% push.docker.%: $(CONTEXT)/$(DIST) $(SW_ROOT)/docker/%/*
+    $(DOCKER_RULE)
+```
+
+It depends on `$(CONTEXT)/$(DIST)` (the dist tarball) **as a file prerequisite**. If that tarball already exists, make does not regenerate it — it just copies whatever is on disk into `dist/docker_build/oap/` and runs `docker buildx build`. There is **no** dependency that rebuilds the tarball from source.
+
+Only `make docker` triggers the full chain (`init → build.all → docker.all`). So:
+
+| Command | Rebuilds source? | Rebuilds tarball? | Rebuilds image? |
+|---------|:--:|:--:|:--:|
+| `./mvnw -pl <module> package` | only that module | no | no |
+| `./mvnw -pl apm-dist -am package -Pbackend,dist` | all backend deps + dist | yes | no |
+| `make docker.oap` | **no** | **no** (uses whatever's on disk) | yes |
+| `make docker` | yes (`build.all`) | yes | yes (`docker.all`) |
+
+## `flatten:flatten` — always run it before `package`/`install`
+
+SkyWalking's poms use `${revision}` as a placeholder version (e.g., `10.5.0-SNAPSHOT`). The `flatten-maven-plugin` resolves `${revision}` into concrete versions and writes a `.flattened-pom.xml`. Without it:
+
+- Installed artifacts carry the literal string `${revision}` in their coordinates and cannot be resolved as dependencies.
+- Downstream modules (including `apm-dist`) see an inconsistent dependency graph.
+- Symptoms are subtle: `-pl <module> -am` may succeed in isolation but fail or pull in stale transitive artifacts when the same module is consumed by another build invocation in the same session.
+
+**Always run `flatten:flatten` in the same goal chain as `package` or `install`.** The CI `dist-tar` job and the `compile` skill both do this. Example:
+
+```bash
+./mvnw clean flatten:flatten package -Pbackend,dist -DskipTests
+```
+
+Not optional — treat it as part of `package`.
+
+## Pick the right command
+
+### Changed OAP source → want a new image
+
+```bash
+# Recommended: full chain
+make docker
+```
+
+or, faster and equivalent for backend-only changes (skips UI):
+
+```bash
+./mvnw -pl apm-dist -am -o clean flatten:flatten package -Pbackend,dist -DskipTests -Dcheckstyle.skip=true -Dmaven.javadoc.skip=true
+make docker.oap
+```
+
+**Do not** just run `make docker.oap` after a code edit — the image will look rebuilt but your change will not be in the jars.
+**Do not** skip `flatten:flatten` — see the section above.
+
+### Changed only the dist packaging (e.g., `apm-dist/`, log4j2.xml)
+
+```bash
+./mvnw -pl apm-dist -am -o clean flatten:flatten package -Pbackend,dist -DskipTests
+make docker.oap
+```
+
+### Changed only Dockerfile / entrypoint (`docker/oap/*`)
+
+The tarball is untouched, so `make docker.oap` alone is correct:
+
+```bash
+make docker.oap
+```
+
+## Verify the fix reached the image
+
+Docker's "image created" timestamp updates even when the content is stale (because `--no-cache` is used). **Don't trust the timestamp.** Verify the jar contents directly:
+
+```bash
+# Copy the jar out of the container
+docker cp <container-name>:/skywalking/oap-libs/<module>-<version>.jar /tmp/verify.jar
+
+# Extract the specific class
+cd /tmp && jar -xf verify.jar <path/to/YourClass.class>
+
+# Grep for a string your fix introduced (unique literal, method name, etc.)
+grep -oa "myFixSignature" <path/to/YourClass.class>
+```
+
+If grep finds nothing, the image does not contain your fix — you forgot to rebuild the dist. Re-run with the correct chain.
+
+## Common pitfalls
+
+- **`make docker.oap` after `./mvnw package`**: The module jar is fresh in `oap-server/.../target/`, but the dist tarball at `dist/apache-skywalking-apm-bin.tar.gz` is untouched. Image uses the old jar.
+- **Cancelling a `make docker` mid-flight**: leaves the dist half-rebuilt. Re-run `make docker` or delete `dist/` first.
+- **Stale buildx cache**: not usually the issue (the Makefile passes `--no-cache`), but if you suspect it, run `docker buildx prune`.
+- **Trusting image timestamps**: `docker images` shows when the image was *tagged*, not when its content actually changed. A no-op rebuild still updates the timestamp.
+- **Interactive buildx hangs**: if `docker buildx build` sits silent for minutes with no stdout, kill it and retry. The buildx container driver occasionally stalls; a restart is faster than waiting.
+
+## The golden rule
+
+After any Java source edit that affects code shipped in `oap-libs/`, run one of:
+
+1. `make docker` (full, safest)
+2. `./mvnw -pl apm-dist -am -o package -Pbackend,dist -DskipTests -Dcheckstyle.skip=true && make docker.oap` (fast)
+
+Then **verify the fix is in the image's jar** before running e2e. Don't assume.
@@ -134,6 +134,69 @@ Do NOT run cleanup immediately. Instead:
    e2e cleanup -c test/e2e-v2/cases/<case-path>/e2e.yaml
    ```
 
+### 6. Manually fire each verify query (fast triage)
+
+The `e2e verify` retry loop runs in sequence and stops at the first failing case, so a single bad query hides every case after it. When a verify fails, **run each verify case directly against the still-running OAP** before editing anything — you'll see the real error (bad flag, missing data, wrong expected), not the progress spinner. This is also the right way to author new verify cases: craft the query against live OAP, confirm the actual YAML, then write the expected file.
+
+```bash
+# Find the host-side port that infra-e2e bound to OAP's container port 12800.
+# (Each run picks a new random port; the trigger log prints it too.)
+docker ps --filter "name=skywalking_e2e-oap" --format "{{.Ports}}" \
+  | grep -oE "[0-9]+->12800" | head -1
+# => e.g. 56381->12800
+
+URL=http://localhost:56381/graphql
+SWCTL=/tmp/skywalking-infra-e2e/bin/swctl
+
+# Copy the query from e2e.yaml verbatim, then substitute ${oap_host} → localhost
+# and ${oap_12800} → the port you just found:
+$SWCTL --display yaml --base-url=$URL service ly IOS
+$SWCTL --display yaml --base-url=$URL logs list --service-name=MyiOSApp
+$SWCTL --display yaml --base-url=$URL metrics exec --expression=service_cpm --service-name=MyiOSApp
+```
+
+When a `swctl` subcommand rejects a flag (`Incorrect Usage: flag provided but not defined: -layer`), the e2e config is using syntax the pinned `swctl` commit doesn't support. Find the right syntax with `swctl <cmd> --help` and update the e2e config. Common cases encountered:
+
+| Broken flag/form | Working form |
+|---|---|
+| `service ls --layer IOS` | `service ly IOS` |
+| `metrics exec ... --is-normal=true` | drop `--is-normal` (default behavior) |
+
+For queries that *don't* use `swctl` (raw `curl` against `/loki/...`, Zipkin, PromQL), hit the matching exposed port:
+
+```bash
+curl "http://localhost:$(docker ps --filter name=skywalking_e2e-oap --format '{{.Ports}}' | grep -oE '[0-9]+->3100' | head -1 | cut -d'-' -f1)/loki/api/v1/labels"
+```
+
+### 7. UI template changes require a fresh DB
+
+`UITemplateInitializer.initTemplate()` (in `oap-server/server-core`) calls `uiTemplateManagementService.addIfNotExist(setting)` — keyed by the `id` field in each `ui-initialized-templates/**/*.json`. Same ID → skipped. So edits to an *existing* template JSON (adding widgets, relabeling, changing expressions) will **not** be applied on an already-initialized OAP, even after a container restart, because the old copy still lives in storage.
+
+To pick up dashboard JSON changes:
+
+```bash
+# Remove both containers — BanyanDB stores state inside the container FS in the
+# e2e compose (no named volume), so removing the container wipes state cleanly.
+docker rm -f skywalking_e2e-oap-1 skywalking_e2e-banyandb-1
+
+# For compose setups that use a named volume, also:
+# docker volume rm <volume-name>
+
+# Then re-run — OAP sees empty storage, loads the new template JSON.
+e2e run -c test/e2e-v2/cases/<case>/e2e.yaml
+```
+
+Symptom to watch for: you edit the JSON, rebuild, redeploy — dashboard in the UI still shows the pre-edit layout. That's not a caching bug; that's `addIfNotExist` doing exactly what its name says.
+
+### 8. Author the expected YAML from live output
+
+For a new verify case, the workflow is:
+
+1. Fire the query manually (see step 6) and capture the YAML.
+2. Pick which fields are *meaningful domain values* (must match exactly) vs *dynamic runtime values* (`notEmpty` / `gt` / `ge`). See `test/e2e-v2/CLAUDE.md` for the decision guide.
+3. Write the expected file. If the response is a list, wrap the items in `{{- contains . }} ... {{- end }}` so ordering and extra actual items don't fail the match.
+4. Re-run `e2e verify` alone (the containers are still up from the previous run); iterate on the expected file without rebuilding.
+
 ## Common test cases
 
 | Shorthand | Path |
 
@@ -640,6 +640,8 @@ jobs:
             config: test/e2e-v2/cases/otlp-virtual-genai/e2e.yaml
           - name: Zipkin Virtual GenAI
             config: test/e2e-v2/cases/zipkin-virtual-genai/e2e.yaml
+          - name: iOS Monitoring
+            config: test/e2e-v2/cases/ios/e2e.yaml
 
           - name: Nginx
             config: test/e2e-v2/cases/nginx/e2e.yaml
 
@@ -246,6 +246,7 @@ Actions owned by `actions/*` (GitHub), `github/*`, and `apache/*` are always all
 1. **Always check submodules**: Protocol changes may require submodule updates
 2. **Generate sources first**: Run `mvnw compile` before analyzing generated code
 3. **Install package**: Use `mvnw flatten:flatten install` to build the precompiler and export generated classes before running tests. ref to [compile skill doc](.claude/skills/compile/SKILL.md)
+3. **Full rebuild on cross-module changes**: If you changed more than two modules or pulled/rebased code from git remote, run `mvnw clean install` (or `mvnw clean package`) on the **whole project** rather than picking individual modules with `-pl`. Incremental `-pl ... -am` builds can leave stale jars in `.m2` or `oap-libs/` when jar sizes don't change but content does, causing hard-to-debug runtime issues.
 3. **Respect checkstyle**: No System.out, no @author, no Chinese characters
 4. **Follow module patterns**: Use existing modules as templates
 5. **Check multiple storage implementations**: Logic may vary by storage type
 
@@ -531,8 +531,8 @@ The text of each license is also included in licenses/LICENSE-[project].txt.
     https://npmjs.com/package/estree-walker/v/2.0.2 2.0.2 MIT
     https://npmjs.com/package/iconv-lite/v/0.6.3 0.6.3 MIT
     https://npmjs.com/package/is-plain-object/v/5.0.0 5.0.0 MIT
-    https://npmjs.com/package/lodash/v/4.17.23 4.17.23 MIT
-    https://npmjs.com/package/lodash-es/v/4.17.23 4.17.23 MIT
+    https://npmjs.com/package/lodash/v/4.18.1 4.18.1 MIT
+    https://npmjs.com/package/lodash-es/v/4.18.1 4.18.1 MIT
     https://npmjs.com/package/lodash-unified/v/1.0.3 1.0.3 MIT
     https://npmjs.com/package/magic-string/v/0.30.21 0.30.21 MIT
     https://npmjs.com/package/memoize-one/v/6.0.0 6.0.0 MIT
 
@@ -31,11 +31,17 @@
 * Add OTLP/HTTP receiver support for traces, logs, and metrics (`/v1/traces`, `/v1/logs`, `/v1/metrics`). Supports both `application/x-protobuf` and `application/json` content types.
 * Fix: TTL query add metadata TTL.
 * Fix: PersistentWorker used wrong TTL for metrics cache if the storage is BanyanDB.
+* Add iOS/iPadOS app monitoring via OpenTelemetry Swift SDK (SWIP-11). Includes the `IOS` layer, `IOSHTTPSpanListener` for outbound HTTP client metrics (supports OTel Swift `.old`/`.stable`/`.httpDup` semantic-convention modes via stable-then-legacy attribute fallback), `IOSMetricKitSpanListener` for daily MetricKit metrics (exit counts split by foreground/background, app-launch / hang-time percentile histograms with finite 30 s overflow ceiling), LAL rules for crash/hang diagnostics, Mobile menu, and iOS dashboards.
+* Fix LAL `layer: auto` mode dropping logs after extractor set the layer. Codegen now propagates `layer "..."` assignments to `LogMetadata.layer` so `FilterSpec.doSink()` sees the script-decided layer.
+* Fix MetricKit histogram percentile metrics being reported at 1000× their true value — the listener now marks its `SampleFamily` with `defaultHistogramBucketUnit(MILLISECONDS)` so MAL's default SECONDS→MS rescale of `le` labels is not applied.
 
 #### UI
+* Add mobile menu icon and i18n labels for the iOS layer.
+* Fix metric label rendering in multi-expression dashboard widgets.
 
 #### Documentation
 * Update LAL documentation with `sourceAttribute()` function and `layer: auto` mode.
+* Add iOS app monitoring setup documentation.
 
 All issues and pull requests are [here](https://github.com/apache/skywalking/issues?q=milestone:10.5.0)
 
@@ -24,7 +24,15 @@ Remote Code Execution (RCE) issues.
 For some sensitive environment, consider to limit the telemetry report frequency in case of DoS/DDoS for exposed OAP
 and UI services.
 
-## appendix
-
-The SkyWalking [client-js](https://github.com/apache/skywalking-client-js) agent is always running out of the secured
-environment. Please follow its **security notice** for more details.
+## Client-Side Monitoring
+
+Client-side applications — iOS/iPadOS apps (via OpenTelemetry Swift SDK), browser web apps
+(via [client-js](https://github.com/apache/skywalking-client-js)), and WeChat/Alipay
+mini-programs (via [mini-program-monitor](https://github.com/SkyAPM/mini-program-monitor)) —
+send telemetry data **from the public internet** to OAP endpoints including OTLP/HTTP
+(`/v1/traces`, `/v1/logs`, `/v1/metrics`), SkyWalking native (`/v3/segments`), and browser
+reporting endpoints.
+
+These endpoints accept data from any client without authentication by default. Apply the
+security policies listed above, especially rate limiting, to prevent abuse from untrusted
+client-side sources.