diff --git a/tenant-service/src/main/java/com/xuqm/tenant/config/SecurityConfig.java b/tenant-service/src/main/java/com/xuqm/tenant/config/SecurityConfig.java
index ae7e09e..f2302ae 100644
--- a/tenant-service/src/main/java/com/xuqm/tenant/config/SecurityConfig.java
+++ b/tenant-service/src/main/java/com/xuqm/tenant/config/SecurityConfig.java
@@ -40,6 +40,7 @@ public class SecurityConfig {
                     "/api/private/deployment/status",
                     "/api/migrate/export",          // key-based auth, no JWT
                     "/api/private/deployment/migrate/import",  // private deployment only, no JWT
+                    "/api/private/admin/**",         // private deployment internal maintenance, no JWT
                     "/actuator/health",
                     "/actuator/info"
                 ).permitAll()
diff --git a/tenant-service/src/main/java/com/xuqm/tenant/controller/OpsController.java b/tenant-service/src/main/java/com/xuqm/tenant/controller/OpsController.java
index 6c77a6a..a94b1bc 100644
--- a/tenant-service/src/main/java/com/xuqm/tenant/controller/OpsController.java
+++ b/tenant-service/src/main/java/com/xuqm/tenant/controller/OpsController.java
@@ -303,4 +303,15 @@ public class OpsController {
         riskControlService.deleteWord(id);
         return ResponseEntity.ok(ApiResponse.ok());
     }
+
+    /* ---------- 私有化部署维护接口（无需 JWT，仅私有化模式可用） ---------- */
+
+    @PostMapping("/api/private/admin/approve-pending-requests")
+    public ResponseEntity<ApiResponse<Map<String, Object>>> approvePendingRequests() {
+        if (!deploymentProperties.isPrivate()) {
+            return ResponseEntity.notFound().build();
+        }
+        int approved = featureServiceManager.autoApproveAllPending();
+        return ResponseEntity.ok(ApiResponse.success(Map.of("approved", approved)));
+    }
 }
diff --git a/tenant-service/src/main/java/com/xuqm/tenant/service/FeatureServiceManager.java b/tenant-service/src/main/java/com/xuqm/tenant/service/FeatureServiceManager.java
index 6cb87d8..7f3e182 100644
--- a/tenant-service/src/main/java/com/xuqm/tenant/service/FeatureServiceManager.java
+++ b/tenant-service/src/main/java/com/xuqm/tenant/service/FeatureServiceManager.java
@@ -668,4 +668,25 @@ public class FeatureServiceManager {
                     appKey, serviceType, status, e.getMessage());
         }
     }
+
+    /**
+     * 私有化部署维护接口：将所有 PENDING 申请自动审批，upgrade.sh 重启后调用。
+     */
+    @Transactional
+    public int autoApproveAllPending() {
+        org.springframework.data.domain.Pageable all =
+                org.springframework.data.domain.PageRequest.of(0, 1000);
+        List<ServiceActivationRequestEntity> pendingList =
+                requestRepository.findByStatusOrderByCreatedAtDesc(Status.PENDING, all).getContent();
+        int count = 0;
+        for (ServiceActivationRequestEntity req : pendingList) {
+            try {
+                approveRequest(req.getId(), "私有化部署自动开通");
+                count++;
+            } catch (Exception e) {
+                log.warn("Auto-approve failed for request {}: {}", req.getId(), e.getMessage());
+            }
+        }
+        return count;
+    }
 }