api7 · guoqqqi · May 11, 2026 · May 11, 2026
diff --git a/AGENTS.md b/AGENTS.md
@@ -35,7 +35,6 @@ a7/
 │   ├── root/root.go              # Root command registration
 │   ├── factory.go                # Factory DI container
 │   ├── route/                    # Published route commands
-│   ├── upstream/                 # ⚠️ NOT EXPOSED in API7 EE — upstreams are inline-only (code kept for potential future support)
 │   ├── service/                  # Published service commands
 │   ├── consumer/                 # Consumer commands
 │   ├── ssl/                      # SSL certificate commands
@@ -45,7 +44,6 @@ a7/
 │   ├── secret-provider/          # Secret provider commands
 │   ├── plugin-metadata/          # Plugin metadata commands
 │   ├── credential/               # Consumer credential commands
-│   ├── service-template/         # Service template commands (EE)
 │   ├── route-template/           # Route template commands (EE)
 │   ├── gateway-group/            # Gateway group commands (EE)
 │   ├── service-registry/         # Service registry commands (EE)
@@ -70,7 +68,6 @@ a7/
 │   ├── types_consumer.go         # Consumer types
 │   ├── types_ssl.go              # SSL types
 │   ├── types_gateway_group.go    # Gateway group types (EE)
-│   ├── types_service_template.go # Service template types (EE)
 │   ├── types_token.go            # Token types (EE)
 │   └── ...                       # One types file per resource
 ├── pkg/iostreams/                 # I/O abstraction (TTY detection)
@@ -100,19 +97,18 @@ a7/
 6. **Dual API Prefix**: Control-plane resources use `/api/*`, runtime resources use `/apisix/admin/*`. The client handles prefix selection transparently.
 
 ### API7 EE vs APISIX Differences (Key)
-- API7 EE uses `/api/services/template` for design-time services, `/apisix/admin/services` for published (runtime) services.
+- API7 EE uses `/apisix/admin/services` for runtime services. Upstreams are modeled inline on services and routes.
 - Gateway groups scope all operations. Many endpoints require `gateway_group_id` as a query parameter.
 - Auth tokens use `a7ee` prefix (access token).
 - PATCH endpoints use JSON Patch (RFC 6902) arrays, not merge-patch.
-- Enterprise-specific resources: gateway groups, service templates, RBAC (users/roles/policies), developer portal, audit logs, custom plugins, service registries, tokens.
+- Enterprise-specific resources: gateway groups, RBAC (users/roles/policies), developer portal, audit logs, custom plugins, service registries, tokens.
 
 ### Resources NOT Exposed in API7 EE
 The following APISIX resources do **not** have REST API endpoints in API7 Enterprise Edition:
 - **Standalone Upstream** (`/apisix/admin/upstreams`): Returns "resource not found". Upstreams exist only inline within services and routes.
 - **Consumer Group** (`/apisix/admin/consumer_groups`): No endpoint exposed.
 - **Plugin Config** (`/apisix/admin/plugin_configs`): No endpoint exposed.
-
-The `pkg/cmd/upstream/` code directory is kept for potential future support, but these commands are non-functional against API7 EE.
+- **Service Template** (`/api/services/template`): Removed from current a7 support; use runtime services directly.
 
 ### How to Add a New Command
 1. Read `PRD.md` for the resource spec and `docs/api7ee-api-spec.md` for the API.

diff --git a/PRD.md b/PRD.md
@@ -92,8 +92,8 @@ a7 <resource> <action> [args] [flags]
 ### Resource Commands — Control Plane (`/api/*`)
 
 #### Service Templates (design-time)
-- `a7 service-template list|get|create|update|patch|delete`
-- `a7 service-template publish --gateway-group <id>` (publish to gateway group)
+Service templates are not part of current a7 support. Manage runtime services
+directly and define upstreams inline on services or routes.
 
 #### Gateway Groups
 - `a7 gateway-group list|get|create|update|delete`
@@ -128,7 +128,7 @@ All runtime commands require `--gateway-group <id>` (or default from context).
 - `a7 service list|get|create|update|delete|export --gateway-group <id>`
 
 #### Upstreams
-> **⚠️ NOT SUPPORTED**: Standalone upstreams are not exposed via the API7 EE Admin API. Upstreams exist only as inline objects within services and routes. The `a7 upstream` commands exist for APISIX compatibility but will not work against API7 EE.
+> **⚠️ NOT SUPPORTED**: Standalone upstreams are not exposed via the API7 EE Admin API. Upstreams exist only as inline objects within services and routes.
 
 #### Consumers
 - `a7 consumer list|get|create|update|delete|export --gateway-group <id>`
@@ -137,7 +137,7 @@ All runtime commands require `--gateway-group <id>` (or default from context).
 - `a7 credential list|get|create|update|delete --consumer <username> --gateway-group <id>`
 
 #### Consumer Groups
-> **⚠️ NOT SUPPORTED**: Consumer groups are not exposed via the API7 EE Admin API. The `a7 consumer-group` commands exist for APISIX compatibility but will not work against API7 EE.
+> **⚠️ NOT SUPPORTED**: Consumer groups are not exposed via the API7 EE Admin API, so a7 does not expose consumer group commands.
 
 #### SSL Certificates
 - `a7 ssl list|get|create|update|delete|export --gateway-group <id>`
@@ -207,7 +207,7 @@ All runtime commands require `--gateway-group <id>` (or default from context).
 
 ### Phase 3 — CLI Usability ✅ COMPLETE
 1. ✅ `-f/--file` flag: file-based create/update for all resource commands.
-2. ✅ `export` subcommand for all applicable resources (route, service, upstream, consumer, consumer-group, ssl, global-rule, stream-route, plugin-config, proto).
+2. ✅ `export` subcommand for all applicable resources (route, service, consumer, ssl, global-rule, stream-route, plugin-config, proto).
 3. ✅ `--force` flag for delete commands (skip confirmation).
 4. ✅ `--label` flag for list/export commands (label-based filtering).
 5. 🔲 `--dry-run` flag for create/update commands.
@@ -229,7 +229,7 @@ All runtime commands require `--gateway-group <id>` (or default from context).
 6. ✅ `docs/documentation-maintenance.md` — Doc update rules and templates.
 7. ✅ `docs/roadmap.md` — Per-PR development plan for Phases 5-9.
 8. ✅ `docs/api7ee-api-spec.md` — API7 EE Admin API reference (16 resources, dual-API).
-9. ✅ `docs/user-guide/` — 21 per-resource user guides (getting-started, configuration, route, service, upstream, consumer, ssl, plugin, global-rule, stream-route, plugin-config, plugin-metadata, consumer-group, credential, secret, proto, declarative-config, gateway-group, service-template, debug, bulk-operations).
+9. ✅ `docs/user-guide/` — per-resource user guides (getting-started, configuration, route, service, upstream, consumer, ssl, plugin, global-rule, stream-route, plugin-config, plugin-metadata, credential, secret, proto, declarative-config, gateway-group, debug, bulk-operations).
 
 ### Phase 6 — AI Agent Skills ✅ COMPLETE
 Port and adapt 40 SKILL.md files from a6, organized by category:
@@ -255,7 +255,7 @@ Port and adapt 40 SKILL.md files from a6, organized by category:
 ### Phase 8 — End-to-End Tests ✅ COMPLETE
 1. ✅ `test/e2e/docker-compose.yml` — Docker Compose for API7 EE (Dashboard + DP Manager + Gateway + PostgreSQL).
 2. ✅ `test/e2e/setup_test.go` — TestMain, binary build, admin/control API helpers, shared test utilities.
-3. ✅ Per-resource E2E tests (22 test files): route, service, upstream, consumer, ssl, plugin, global-rule, stream-route, plugin-config, plugin-metadata, consumer-group, credential, secret, proto, context, gateway-group, service-template.
+3. ✅ Per-resource E2E tests: route, service, consumer, ssl, plugin, global-rule, stream-route, plugin-config, plugin-metadata, credential, secret, proto, context, gateway-group.
 4. ✅ Declarative config E2E tests: dump, diff, sync, validate (config_test.go + config_sync_test.go).
 5. ✅ Export and label E2E tests (integrated into resource test files).
 6. ✅ Debug E2E tests: trace (JSON/method/headers/host/path) + logs (file mode).
@@ -317,7 +317,7 @@ The following table tracks feature parity between a7 and [a6](https://github.com
 
 | Feature | a6 | a7 | Notes |
 |---------|----|----|-------|
-| Resource CRUD (14 types) | ✅ | ✅ (13 functional in API7 EE) | a7 adds gateway-group, service-template; 3 APISIX resources (upstream, consumer-group, plugin-config) not exposed in API7 EE |
+| Resource CRUD | ✅ | ✅ (API7 EE supported resources) | a7 adds gateway-group; standalone upstreams, consumer groups, service templates, and plugin configs are not exposed in current API7 EE |
 | Context management | ✅ | ✅ | |
 | Shell completions | ✅ | ✅ | |
 | JSON/YAML/table output | ✅ | ✅ | |

diff --git a/README.md b/README.md
@@ -2,12 +2,12 @@
 
 > **⚠️ This project is under active development and is NOT production-ready.** APIs, commands, and output formats may change without notice.
 
-`a7` is a command-line tool for managing [API7 Enterprise Edition](https://api7.ai) API Gateway from your terminal. It wraps both the API7 EE control-plane API (`/api/*`) and the APISIX admin API (`/apisix/admin/*`) to provide convenient, scriptable access to gateway groups, routes, services, upstreams, consumers, SSL certificates, plugins, and more.
+`a7` is a command-line tool for managing [API7 Enterprise Edition](https://api7.ai) API Gateway from your terminal. It wraps both the API7 EE control-plane API (`/api/*`) and the APISIX admin API (`/apisix/admin/*`) to provide convenient, scriptable access to gateway groups, routes, services, consumers, SSL certificates, plugins, and more.
 
 ## Features
 
-- **Resource CRUD** — Create, list, get, update, and delete 13 API7 EE resource types:
-  - **Control Plane**: Gateway Group, Service Template
+- **Resource CRUD** — Create, list, get, update, and delete current API7 EE resource types:
+  - **Control Plane**: Gateway Group
   - **Runtime**: Route, Service, Consumer, SSL Certificate, Plugin, Global Rule, Stream Route, Plugin Metadata, Credential, Secret, Proto
 - **Context management** — Switch between multiple API7 EE instances (`a7 context create`, `a7 context use`, `a7 context list`)
 - **Gateway group scoping** — All runtime operations are scoped to a gateway group via `--gateway-group` flag or context config
@@ -131,7 +131,6 @@ a7 service delete <id> -g default --force
 | Command | Alias | Actions | Description |
 |---------|-------|---------|-------------|
 | `a7 gateway-group` | `gg` | list, get, create, update, delete | Manage gateway groups |
-| `a7 service-template` | `st` | list, get, create, update, delete, publish | Manage service templates |
 
 ### Runtime Resources
 

diff --git a/docs/adr/001-tech-stack.md b/docs/adr/001-tech-stack.md
@@ -42,8 +42,6 @@ a7/
 │   │   │   ├── delete/delete.go
 │   │   │   └── shared/display.go    # Shared display logic for route resources
 │   │   ├── gateway-group/            # Gateway group commands (control-plane)
-│   │   ├── service-template/         # Service template commands (control-plane)
-│   │   ├── upstream/                 # Same pattern as route/
 │   │   ├── service/
 │   │   ├── consumer/
 │   │   ├── ssl/
@@ -151,4 +149,4 @@ Each command is structured into four distinct parts:
 - **Opinionated Frameworks**: Cobra and Viper impose specific patterns on flag and config handling.
 - **Initial Setup**: The Factory pattern requires more boilerplate initially, but it significantly simplifies testing.
 - **Modularity**: The directory-per-command approach keeps the codebase organized as it grows to support the 16+ enterprise resource types.
-- **Enterprise Complexity**: Handling dual API prefixes and gateway group scoping adds internal complexity but provides a seamless user experience.
+- **Enterprise Complexity**: Handling dual API prefixes and gateway group scoping adds internal complexity but provides a seamless user experience.
diff --git a/docs/api7ee-api-spec.md b/docs/api7ee-api-spec.md
@@ -76,24 +76,24 @@ API7 EE uses **JSON Patch** (RFC 6902) for `PATCH` operations. The request body
 Manage logical groupings of gateway instances.
 - **Methods**: `GET` (list), `GET /:id`, `POST` (create), `PUT /:id` (update), `DELETE /:id`
 
-### 2. Service Template (/api/services/template)
-Design-time service definitions used to generate runtime services.
-- **Methods**: `GET` (list), `GET /:id`, `POST`, `PUT /:id`, `DELETE /:id`
+### 2. Service Template
+> **Removed from current a7 support.** Current API7 EE workflows should manage
+> runtime services directly and define upstreams inline on services.
 
 ## Runtime Resources (/apisix/admin)
 
 All runtime resources require `gateway_group_id` query parameter.
 
 ### 1. Route (/apisix/admin/routes)
 - **Methods**: `GET` (list), `GET /:id`, `POST` (create), `PUT /:id` (create/update), `PATCH /:id`, `DELETE /:id`
-- **Fields**: `id`, `name`, `uris`, `methods`, `host`, `hosts`, `plugins`, `upstream_id`, `service_id`, `status`.
+- **Fields**: `id`, `name`, `paths`, `methods`, `host`, `hosts`, `plugins`, `service_id`, `status`.
 
 ### 2. Upstream (/apisix/admin/upstreams)
 > **⚠️ NOT EXPOSED in API7 EE.** Standalone upstreams do not have REST API endpoints. Upstreams exist only as inline objects within services and routes. This endpoint returns "resource not found".
 
 ### 3. Service (/apisix/admin/services)
 - **Methods**: `GET`, `GET /:id`, `POST`, `PUT /:id`, `PATCH /:id`, `DELETE /:id`
-- **Fields**: `id`, `name`, `upstream_id`, `plugins`.
+- **Fields**: `id`, `name`, `upstream`, `plugins`.
 
 ### 4. Consumer (/apisix/admin/consumers)
 - **Methods**: `GET`, `GET /:username`, `PUT` (idempotent create/update), `DELETE /:username`
@@ -137,7 +137,7 @@ All runtime resources require `gateway_group_id` query parameter.
 | Resource | Prefix | Identifier | Scope | Status |
 |----------|--------|------------|-------|--------|
 | Gateway Group | `/api` | `id` | Global | ✅ |
-| Service Template | `/api` | `id` | Global | ✅ |
+| Service Template | `/api` | `id` | Global | ⚠️ Removed from a7 |
 | Route | `/apisix/admin` | `id` | Gateway Group | ✅ |
 | Upstream | `/apisix/admin` | `id` | Gateway Group | ⚠️ Not exposed |
 | Service | `/apisix/admin` | `id` | Gateway Group | ✅ |
@@ -151,4 +151,4 @@ All runtime resources require `gateway_group_id` query parameter.
 | Credential | `/apisix/admin` | `id` | Consumer | ✅ |
 | Secret | `/apisix/admin` | `manager/id`| Gateway Group | ✅ |
 | Proto | `/apisix/admin` | `id` | Gateway Group | ✅ |
-| Plugin | `/apisix/admin` | `name` | Gateway Group | ✅ |
+| Plugin | `/apisix/admin` | `name` | Gateway Group | ✅ |
diff --git a/docs/documentation-maintenance.md b/docs/documentation-maintenance.md
@@ -19,9 +19,8 @@ docs/
     ├── getting-started.md         # Installation + first commands
     ├── configuration.md           # Context management, config file format
     ├── gateway-group.md           # Gateway group commands (EE)
-    ├── service-template.md        # Service template commands (EE)
     ├── route.md                   # Route command reference
-    ├── upstream.md                # ⚠️ Deprecated — upstreams are inline-only in API7 EE
+    ├── upstream.md                # Inline upstream configuration guide
     ├── service.md                 # Service command reference
     ├── consumer.md                # Consumer command reference
     ├── ssl.md                     # SSL command reference
@@ -121,4 +120,4 @@ Before approving any PR, verify:
 ### Who Updates Documentation
 - AI coding agents: MUST update docs as part of every feature PR
 - Human reviewers: MUST check docs checklist before approving
-- If docs are missing from a code PR, the PR is NOT ready for merge
+- If docs are missing from a code PR, the PR is NOT ready for merge
diff --git a/docs/roadmap.md b/docs/roadmap.md
@@ -30,8 +30,8 @@ This document defines the per-PR development plan for the a7 CLI (API7 Enterpris
 **Goal**: Create 40 `SKILL.md` files enabling AI agents to operate API7 EE.
 
 ### PR-29: AI Gateway & Enterprise Skills
-- **Skills**: `a7-plugin-ai-proxy`, `a7-plugin-ai-prompt-template`, `a7-plugin-ai-rag`, `a7-recipe-gateway-group`, `a7-recipe-service-template`
-- **Focus**: Configuring LLM providers and enterprise-only design-time resources.
+- **Skills**: `a7-plugin-ai-proxy`, `a7-plugin-ai-prompt-template`, `a7-plugin-ai-rag`, `a7-recipe-gateway-group`
+- **Focus**: Configuring LLM providers and supported API7 EE runtime resources.
 
 ### PR-30: Security & Auth Skills
 - **Skills**: `a7-plugin-key-auth`, `a7-plugin-openid-connect`, `a7-plugin-wolf-rbac`, `a7-recipe-rbac-setup`

diff --git a/docs/skills.md b/docs/skills.md
@@ -47,7 +47,7 @@ Every skill file has two parts: YAML frontmatter and Markdown body.
 ---
 name: a7-plugin-ai-proxy
 description: >-
-  Skill for configuring AI Proxy plugin on API7 EE routes and service templates.
+  Skill for configuring AI Proxy plugin on API7 EE routes and services.
   Covers LLM provider configuration, model selection, and endpoint routing.
 version: "1.0.0"
 author: API7.ai Contributors
@@ -58,7 +58,7 @@ metadata:
   plugin_name: ai-proxy
   a7_commands:
     - a7 route create
-    - a7 service-template create
+    - a7 service create
     - a7 plugin list
 ---
 ```
@@ -88,11 +88,11 @@ The body content depends on the skill type:
 - Configuration schema reference
 - **Gateway Group Scoping**: How to enable per gateway group
 - Example: Enabling on a Route
-- Example: Enabling on a Service Template
+- Example: Enabling on a Service
 - Enterprise-only features and limitations
 
 **Recipe skills** (EE specific):
-- Enterprise workflow goal (e.g., "Create a cross-group service template")
+- Enterprise workflow goal (e.g., "Create service-backed routes across gateway groups")
 - Prerequisites (e.g., "Existing gateway groups")
 - Step-by-step instructions with `a7` commands
 - Verification using `a7` list/get commands
@@ -101,7 +101,7 @@ The body content depends on the skill type:
 **Persona skills**:
 - Role description (Platform Engineer, API Architect, App Developer)
 - Common enterprise workflows
-- Decision trees for resource selection (e.g., "Route vs Service Template")
+- Decision trees for resource selection (e.g., "Route vs Service")
 - Which other skills to load for specific tasks
 
 ## CI Validation

diff --git a/docs/user-guide/bulk-operations.md b/docs/user-guide/bulk-operations.md
@@ -34,7 +34,7 @@ Each resource will have an `export` command to dump multiple resources to a file
 
 ```bash
 # Planned
-a7 upstream export -g default
+a7 service export -g default
 ```
 
 #### Export by Label

diff --git a/docs/user-guide/consumer.md b/docs/user-guide/consumer.md
@@ -138,7 +138,6 @@ Key fields in the consumer configuration (sent to `/apisix/admin/consumers`):
 | `username` | string | Unique identifier for the consumer |
 | `desc` | string | Human-readable description |
 | `plugins` | object | Plugin configurations (e.g., key-auth, jwt-auth) |
-| `group_id` | string | Reference to a consumer group |
 | `labels` | object | Key-value labels for the consumer |
 
 ## Examples

diff --git a/docs/user-guide/declarative-config.md b/docs/user-guide/declarative-config.md
@@ -19,12 +19,9 @@ A7 supports the following resource types in its declarative configuration:
 - `protos`
 - `secrets`
 - `plugin_metadata`
-- `gateway_groups` (Control Plane resource)
-- `service_templates` (Control Plane resource)
 - `credentials` (Nested under consumers)
-- `canary_release`
 
-> **Note:** `upstreams`, `plugin_configs`, and `consumer_groups` are not exposed via the API7 EE Admin API and are excluded from declarative config operations.
+> **Note:** `upstreams`, `consumer_groups`, and `service_templates` are not supported as top-level API7 EE declarative resources. Define upstreams inline under `services` instead.
 
 ### Structure with Gateway Groups
 

diff --git a/docs/user-guide/proto.md b/docs/user-guide/proto.md
@@ -147,9 +147,7 @@ Proto resources are commonly referenced by the `grpc-transcode` plugin. Once def
   },
   "upstream": {
     "scheme": "grpc",
-    "nodes": {
-      "127.0.0.1:50051": 1
-    }
+    "nodes": [{"host": "127.0.0.1", "port": 50051, "weight": 1}]
   }
 }
 ```