diff --git a/docs/license-replacement-test-record.md b/docs/license-replacement-test-record.md
index bdf97720..8306ff1f 100644
--- a/docs/license-replacement-test-record.md
+++ b/docs/license-replacement-test-record.md
@@ -284,3 +284,15 @@
 
 - 自有业务代码已移除 `crmeb\basic\BaseAuth`、`crmeb\basic\BaseController`、加密版权 helper 的直接引用。
 - 本地 `php think list` 仍受商业授权环境影响，部署前需要在合法授权或目标运行环境完成全量手工回归。
+
+## 审查修复记录
+
+### 自动化检查
+
+| 命令 | 结果 | 备注 |
+|------|------|------|
+| `php -l app/common/controller/AppBaseController.php` | 通过 | 修复校验失败未抛异常的问题。 |
+| `php -l app/services/auth/AccessTokenService.php` | 通过 | 增加账号状态校验回调。 |
+| `php -l app/services/out/OutAccountServices.php` | 通过 | 刷新 token 时补齐 `auth` claim，并拒绝禁用/删除外部账号。 |
+| `php -l app/services/kefu/LoginServices.php` | 通过 | 拒绝禁用客服账号 token。 |
+| `rg "crmeb\\basic\\BaseAuth|crmeb\\basic\\BaseController|app\\(\\)->make\\(BaseAuth::class\\)|__z6uxy|__qsG" pro_v3.5.1 --glob "*.php"` | 通过 | 应用层仍无商业基础类和加密版权 helper 引用。 |
diff --git a/pro_v3.5.1/app/common/controller/AppBaseController.php b/pro_v3.5.1/app/common/controller/AppBaseController.php
index 040e1270..d00520e5 100644
--- a/pro_v3.5.1/app/common/controller/AppBaseController.php
+++ b/pro_v3.5.1/app/common/controller/AppBaseController.php
@@ -7,6 +7,7 @@ namespace app\common\controller;
 
 use app\Request;
 use think\App;
+use think\exception\ValidateException;
 use think\Response;
 
 /**
@@ -73,6 +74,10 @@ abstract class AppBaseController
             $validator->message($scene);
         }
 
-        return $validator->check($data);
+        if (!$validator->check($data)) {
+            throw new ValidateException($validator->getError());
+        }
+
+        return true;
     }
 }
diff --git a/pro_v3.5.1/app/services/auth/AccessTokenService.php b/pro_v3.5.1/app/services/auth/AccessTokenService.php
index 3c3d6939..76f3c158 100644
--- a/pro_v3.5.1/app/services/auth/AccessTokenService.php
+++ b/pro_v3.5.1/app/services/auth/AccessTokenService.php
@@ -32,10 +32,11 @@ class AccessTokenService
      *
      * @param callable $resolver 根据 token 内的 id 读取账号模型或数组
      * @param callable $authHashResolver 根据账号返回当前有效的 auth hash
+     * @param callable|null $accountValidator 根据账号判断当前 token 是否仍可用
      * @return mixed
      * @throws \Psr\SimpleCache\InvalidArgumentException
      */
-    public function parseToken(string $token, string $type, callable $resolver, callable $authHashResolver)
+    public function parseToken(string $token, string $type, callable $resolver, callable $authHashResolver, callable $accountValidator = null)
     {
         if (!$token || $token === 'undefined') {
             throw new AuthException(ApiErrorCode::ERR_LOGIN);
@@ -78,6 +79,11 @@ class AccessTokenService
             throw new AuthException(ApiErrorCode::ERR_LOGIN);
         }
 
+        if ($accountValidator && !$accountValidator($account)) {
+            $this->clearToken($md5Token, $type);
+            throw new AuthException(ApiErrorCode::ERR_LOGIN_INVALID);
+        }
+
         if ($auth !== $authHashResolver($account)) {
             throw new AuthException(ApiErrorCode::ERR_LOGIN_INVALID);
         }
diff --git a/pro_v3.5.1/app/services/kefu/LoginServices.php b/pro_v3.5.1/app/services/kefu/LoginServices.php
index de1285c8..6a7d2eb0 100644
--- a/pro_v3.5.1/app/services/kefu/LoginServices.php
+++ b/pro_v3.5.1/app/services/kefu/LoginServices.php
@@ -81,7 +81,8 @@ class LoginServices extends BaseServices
             $token,
             'kefu',
             fn($id) => $this->dao->get($id),
-            fn($adminInfo) => md5($adminInfo->password)
+            fn($adminInfo) => md5($adminInfo->password),
+            fn($adminInfo) => $adminInfo->status && $adminInfo->account_status
         );
 
         return $adminInfo->hidden(['password', 'ip', 'status']);
diff --git a/pro_v3.5.1/app/services/out/OutAccountServices.php b/pro_v3.5.1/app/services/out/OutAccountServices.php
index 87468e6a..cc4a4b58 100644
--- a/pro_v3.5.1/app/services/out/OutAccountServices.php
+++ b/pro_v3.5.1/app/services/out/OutAccountServices.php
@@ -81,8 +81,9 @@ class OutAccountServices extends BaseServices
         $adminInfo = $services->parseToken(
             $token,
             'out',
-            fn($id) => $this->dao->get($id),
-            fn($adminInfo) => md5($adminInfo->appsecret)
+            fn($id) => $this->dao->getOne(['id' => $id, 'is_del' => 0]),
+            fn($adminInfo) => md5($adminInfo->appsecret),
+            fn($adminInfo) => (int)$adminInfo->status !== 2
         );
 
         return $adminInfo->hidden(['appsecret', 'ip', 'status']);
@@ -177,7 +178,7 @@ class OutAccountServices extends BaseServices
 
         CacheService::redisHandler('out')->delete($md5Token);
 
-        $token = $jwtAuth->createToken($id, $type);
+        $token = $jwtAuth->createToken($id, $type, ['auth' => md5($authInfo->appsecret)]);
         $data['last_time'] = time();
         $data['ip'] = request()->ip();
         $this->dao->update($id, $data);