@josephyan/qingflow-app-builder-mcp 0.2.0-beta.985 → 0.2.0-beta.986

package/README.md

@@ -3,13 +3,13 @@
 Install:
 
 ```bash
-npm install @josephyan/qingflow-app-builder-mcp@0.2.0-beta.985
+npm install @josephyan/qingflow-app-builder-mcp@0.2.0-beta.986
 ```
 
 Run:
 
 ```bash
-npx -y -p @josephyan/qingflow-app-builder-mcp@0.2.0-beta.985 qingflow-app-builder-mcp
+npx -y -p @josephyan/qingflow-app-builder-mcp@0.2.0-beta.986 qingflow-app-builder-mcp
 ```
 
 Environment:

package/docs/local-agent-install.md

@@ -6,6 +6,20 @@
 2. 记录/待办优先的 `qingflow-app-user-mcp`
 3. 精简 builder 的 `qingflow-app-builder-mcp`
 
+## 本地鉴权推荐方案
+
+本地模式现在推荐优先使用 `credential` 建立会话，而不是直接注入 `token`。
+
+推荐链路：
+
+1. createClaw 或其它本地宿主为当前实例保存 `credential`
+2. 本地 MCP 调用 `auth_use_credential`
+3. MCP 用该 `credential` 请求 apaas `/mcp/auth/context`
+4. 解析并保存 `token / wsId / qfVersion / uid`
+5. 业务工具直接使用这份上下文
+
+`auth_use_credential` 是本地唯一鉴权主路径。
+
 ## npm 安装器适用场景
 
 适合这类本地 agent / gateway：
@@ -63,17 +77,17 @@ npm run pack:npm
 会生成：
 
 ```bash
-dist/npm/josephyan-qingflow-cli-<version>.tgz
-dist/npm/josephyan-qingflow-app-user-mcp-<version>.tgz
-dist/npm/josephyan-qingflow-app-builder-mcp-<version>.tgz
+dist/npm/qingflow-tech-qingflow-cli-<version>.tgz
+dist/npm/qingflow-tech-qingflow-app-user-mcp-<version>.tgz
+dist/npm/qingflow-tech-qingflow-app-builder-mcp-<version>.tgz
 ```
 
 然后在目标机器安装：
 
 ```bash
-npm install /absolute/path/to/dist/npm/josephyan-qingflow-cli-<version>.tgz
-npm install /absolute/path/to/dist/npm/josephyan-qingflow-app-user-mcp-<version>.tgz
-npm install /absolute/path/to/dist/npm/josephyan-qingflow-app-builder-mcp-<version>.tgz
+npm install /absolute/path/to/dist/npm/qingflow-tech-qingflow-cli-<version>.tgz
+npm install /absolute/path/to/dist/npm/qingflow-tech-qingflow-app-user-mcp-<version>.tgz
+npm install /absolute/path/to/dist/npm/qingflow-tech-qingflow-app-builder-mcp-<version>.tgz
 ```
 
 安装时会自动：
@@ -136,7 +150,10 @@ qingflow-app-builder-mcp
       ],
       "env": {
         "QINGFLOW_MCP_DEFAULT_BASE_URL": "https://qingflow.com/api",
-        "QINGFLOW_MCP_HOME": "/absolute/path/to/.qingflow-mcp"
+        "QINGFLOW_MCP_HOME": "/absolute/path/to/.qingflow-mcp",
+        "QINGFLOW_MCP_CREDIT_METER_ENABLED": "true",
+        "QINGFLOW_MCP_CREDIT_APAAS_BASE_URL": "https://apaas.internal.example.com",
+        "QINGFLOW_MCP_CREDIT_APAAS_PATH": "/user/credit/usage"
       }
     }
   }
@@ -153,7 +170,10 @@ qingflow-app-builder-mcp
       "args": [],
       "env": {
         "QINGFLOW_MCP_DEFAULT_BASE_URL": "https://qingflow.com/api",
-        "QINGFLOW_MCP_HOME": "/absolute/path/to/.qingflow-mcp"
+        "QINGFLOW_MCP_HOME": "/absolute/path/to/.qingflow-mcp",
+        "QINGFLOW_MCP_CREDIT_METER_ENABLED": "true",
+        "QINGFLOW_MCP_CREDIT_APAAS_BASE_URL": "https://apaas.internal.example.com",
+        "QINGFLOW_MCP_CREDIT_APAAS_PATH": "/user/credit/usage"
       }
     }
   }
@@ -170,7 +190,10 @@ qingflow-app-builder-mcp
       "args": [],
       "env": {
         "QINGFLOW_MCP_DEFAULT_BASE_URL": "https://qingflow.com/api",
-        "QINGFLOW_MCP_HOME": "/absolute/path/to/.qingflow-mcp"
+        "QINGFLOW_MCP_HOME": "/absolute/path/to/.qingflow-mcp",
+        "QINGFLOW_MCP_CREDIT_METER_ENABLED": "true",
+        "QINGFLOW_MCP_CREDIT_APAAS_BASE_URL": "https://apaas.internal.example.com",
+        "QINGFLOW_MCP_CREDIT_APAAS_PATH": "/user/credit/usage"
       }
     }
   }
@@ -191,7 +214,10 @@ qingflow-app-builder-mcp
         "@josephyan/qingflow-app-user-mcp"
       ],
       "env": {
-        "QINGFLOW_MCP_DEFAULT_BASE_URL": "https://qingflow.com/api"
+        "QINGFLOW_MCP_DEFAULT_BASE_URL": "https://qingflow.com/api",
+        "QINGFLOW_MCP_CREDIT_METER_ENABLED": "true",
+        "QINGFLOW_MCP_CREDIT_APAAS_BASE_URL": "https://apaas.internal.example.com",
+        "QINGFLOW_MCP_CREDIT_APAAS_PATH": "/user/credit/usage"
       }
     },
     "qingflow-builder": {
@@ -201,7 +227,10 @@ qingflow-app-builder-mcp
         "@josephyan/qingflow-app-builder-mcp"
       ],
       "env": {
-        "QINGFLOW_MCP_DEFAULT_BASE_URL": "https://qingflow.com/api"
+        "QINGFLOW_MCP_DEFAULT_BASE_URL": "https://qingflow.com/api",
+        "QINGFLOW_MCP_CREDIT_METER_ENABLED": "true",
+        "QINGFLOW_MCP_CREDIT_APAAS_BASE_URL": "https://apaas.internal.example.com",
+        "QINGFLOW_MCP_CREDIT_APAAS_PATH": "/user/credit/usage"
       }
     }
   }
@@ -212,6 +241,7 @@ qingflow-app-builder-mcp
 - 源码目录 `npm install` 不会把命令加到全局 PATH；这种模式请用 `node ./npm/bin/qingflow.mjs`、`node ./npm/bin/qingflow-app-user-mcp.mjs` 或 `node ./npm/bin/qingflow-app-builder-mcp.mjs`
 - `npx` 方式适合临时安装或容器化本地 agent
 - 全局安装方式更适合长期固定使用的本机开发环境
+- 计费接口使用当前登录会话的 `token` 与 `wsId` 请求头，可通过 `QINGFLOW_MCP_CREDIT_APAAS_BASE_URL/PATH` 覆盖调用记录接口地址
 
 ## 排障
 
@@ -242,3 +272,32 @@ npm install
 4. 再启动 MCP 客户端
 
 现在 stdio MCP 入口会拒绝在启动瞬间“边启动边重建 Python 运行时”，因为安装日志一旦写进 stdout，就会破坏 MCP 握手并表现成 `Transport closed`。如果运行时缺失或版本不一致，入口会直接报错并提示重装，而不是静默自修复。
+
+## createClaw 本地接入示例
+
+如果 createClaw 已经为当前本地实例保存了 `credential`，推荐在首次建链时调用：
+
+```bash
+qingflow auth use-credential \
+  --base-url https://qingflow.com/api \
+  --credential-stdin
+```
+
+然后把 `credential` 写到 stdin。
+
+等价 MCP 工具调用参数：
+
+```json
+{
+  "profile": "default",
+  "base_url": "https://qingflow.com/api",
+  "credential": "1602853_277941",
+  "persist": false
+}
+```
+
+说明：
+
+- 本地会把解析后的 `token` 和原始 `credential` 写入 profile 文件，用于后续 CLI 命令恢复会话
+- `persist=true` 时，本地还会优先把解析后的 `token` 和原始 `credential` 同步写入系统 keychain
+- 当前工作区以 `/mcp/auth/context` 返回的 `wsId` 为准，不再通过本地 MCP 显式切换

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@josephyan/qingflow-app-builder-mcp",
-  "version": "0.2.0-beta.985",
+  "version": "0.2.0-beta.986",
   "description": "Builder MCP for Qingflow app/package/system design and staged solution workflows.",
   "license": "MIT",
   "type": "module",

package/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "qingflow-mcp"
-version = "0.2.0b985"
+version = "0.2.0b986"
 description = "User-authenticated MCP server for Qingflow"
 readme = "README.md"
 license = "MIT"

package/skills/qingflow-app-builder/SKILL.md

@@ -9,36 +9,22 @@ metadata:
 
 ## Overview
 
-This skill helps a system builder use the AI-native Qingflow builder surface safely. It assumes the MCP is already connected and authenticated. If not, switch to `$qingflow-mcp-setup` first.
+This skill is for the current **public builder surface**, not for legacy low-level builder writes.
+Assumes MCP is already connected, authenticated, and on the correct workspace.
 
 Before any write or verification flow, identify whether the task targets `test` or `prod` and read [references/environments.md](references/environments.md). If the user did not specify one, default to `prod`.
 
-## Tool Selection
+Before choosing a route, skim the shared maintenance baseline: [public-surface-sync.md](../qingflow-app-user/references/public-surface-sync.md).
 
-Pick the smallest tool layer that can finish the task.
+## Current Public Mental Model
 
-## Shared Helper
+Model builder requests in four layers and keep them separate:
 
-- `feedback_submit` is a cross-cutting helper for product feedback submission
-- It does not require Qingflow login or workspace selection
-- If builder capability is unsupported or still cannot satisfy the need after reasonable use, summarize the gap, ask whether to submit feedback, and call `feedback_submit` only after explicit user confirmation.
-
-## Mental Model
-
-Model builder requests in four layers. Do not flatten them.
-
-- `package`: the solution container or app bundle, for example “研发项目管理” or “费控管理系统”
-- `app`: one form/app inside that package, for example “项目”, “需求”, “任务”, “缺陷”, “团队”
+- `package`: the app bundle or solution container
+- `app`: one form/app inside that package
 - `field`: one field inside one app
 - `relation`: a field that links one app to another app
 
-Interpret user intent with this hierarchy:
-
-- If the user says “应用包”, “系统”, “包含多个表单”, “多个模块”, or asks for several named forms that relate to each other, treat it as a `package` with multiple `apps`
-- Do not compress a multi-app system into one app with several text fields
-- Names like “项目/需求/任务/缺陷/团队” or “费用申请/预算管理/报销审批” are usually separate apps, not text fields
-- Build the apps first, then add `relation` fields to connect them
-
 Default modeling rules:
 
 - One business object -> one app
@@ -46,176 +32,93 @@ Default modeling rules:
 - Another business object -> a separate app, not a text field
 - Cross-object links -> relation fields, not text fields
 
-- Authentication and workspace: `auth_*`, `workspace_*`
-- File upload: `file_upload_local`
-- Resource resolve/read: `package_list`, `package_resolve`, `package_create`, `builder_tool_contract`, `member_search`, `role_search`, `app_resolve`, `app_get`, `app_get_fields`, `app_get_layout`, `app_get_views`, `app_get_flow`, `app_get_charts`, `portal_list`, `portal_get`, `view_get`, `chart_get`
-- Resource patch: `app_schema_apply`, `app_layout_apply`, `app_flow_apply`, `app_views_apply`, `app_charts_apply`, `portal_apply`, `package_attach_app`, `app_release_edit_lock_if_mine`, `role_create`
-- Publish and verify: `app_publish_verify`
-
-Note:
-- Do not try to handcraft raw Qingflow schema or internal solution payloads.
-- Do not rely on low-level `view_*`, `workflow_*`, `qingbi_report_*`, or `portal_*` write payloads from public builder flows.
-- Public builder work should stay on the resource path: `resolve -> summary read -> apply -> attach -> publish_verify`.
-- `app_schema_apply` / `app_layout_apply` / `app_flow_apply` / `app_views_apply` publish by default; pass `publish=false` only when you intentionally want to leave changes in draft.
-- `app_charts_apply` is immediate-live and does not publish; it resolves targets by `chart_id` first and then exact unique chart name.
-- `portal_apply` uses replace semantics for sections; remove a section by omitting it from the next full sections list. `publish=false` only guarantees draft/base-info updates, and `chart_ref/view_ref` resolve by `id/key` first and exact unique name second.
-- `app_get_charts` is the compact discovery path for current chart inventory; use it before `app_charts_apply` when you need exact `chart_id` values.
-- `chart_get` returns one chart's base info and config only; public builder flows should treat data reads as user-side access, not builder config access.
-- `portal_list` is the discovery path for builder-configurable portals.
-- `portal_get` returns portal-level config detail plus a component inventory; it does not inline chart/view detail or user-side chart/view data.
-- `view_get` returns one view's definition detail only; use `record_list` separately when you need rows from that view.
-- `app_schema_apply` / `app_layout_apply` / `app_flow_apply` / `app_views_apply` now perform planning, normalization, and dependency checks internally; when prechecks block, read the returned blocking issues and `suggested_next_call` directly from the apply result.
-- If you are unsure about a public builder tool's keys, aliases, presets, or minimal legal shape, call `builder_tool_contract` instead of guessing.
-- For views, always write the canonical key `columns`. Do not emit `column_names`; treat `fields` only as a tolerated legacy alias, not the preferred shape.
-- For flow presets, map natural language to canonical values before calling MCP:
-  - “默认审批/基础审批/普通审批” -> `basic_approval`
-  - “先填报再审批/提交后审批” -> `basic_fill_then_approve`
-- Public flow building is intentionally limited to linear workflows:
-  - `start`
-  - `approve`
-  - `fill`
-  - `copy`
-  - `webhook`
-  - `end`
-  Do not generate `branch` or `condition` nodes in the public builder surface. The backend workflow route is not front-end stable for those node types.
-- For first-time flow or view work in a session, read `builder_tool_contract` before planning so keys, aliases, presets, and minimal examples come from MCP instead of memory.
-- For workflow assignees, prefer roles over explicit members:
-  - use `role_search` first
-  - use `member_search` only when the user explicitly names members or no stable role exists
-  - use `role_create` when the business owner wants a reusable directory role instead of hard-coded members
-- On any `VALIDATION_ERROR`, inspect `suggested_next_call` first and prefer reusing the MCP-normalized arguments over re-guessing from the original natural language.
-- If the current MCP capability is unsupported, the workflow is awkward, or the user's need still cannot be satisfied after reasonable use, summarize the gap, ask whether to submit feedback, and call `feedback_submit` only after explicit user confirmation.
-
-Default policy:
-
-- Creating or updating one app inside an existing package: resolve the package/app, read compact state, then apply schema/layout/flow/views patches explicitly.
-- If package creation looks necessary or beneficial, ask the user to confirm before calling `package_create`.
-- If the user describes a system/package with multiple forms or modules, do not start with `app_schema_apply` on the package name. Resolve or create the package first, then create each app separately.
+## Public Tools You Should Think In
+
+- Package: `package_get`, `package_apply`
+- App reads: `app_resolve`, `app_get`, `app_get_fields`, `app_get_layout`, `app_get_views`, `app_get_flow`, `app_get_charts`
+- Builder reads: `portal_list`, `portal_get`, `view_get`, `chart_get`, `builder_tool_contract`
+- Directory: `member_search`, `role_search`, `role_create`
+- Writes: `app_schema_apply`, `app_layout_apply`, `app_flow_apply`, `app_views_apply`, `app_charts_apply`, `portal_apply`, `app_release_edit_lock_if_mine`
+- Verification: `app_publish_verify`
+
+Treat these as the official surface. Do not default to `package_create`, `package_attach_app`, raw `portal_*` writes, or raw `qingbi_report_*` writes.
+
+## Current Public Defaults
+
+- Package work:
+  - use `package_get(package_id=...)` to read one known package
+  - use `package_apply(...)` for package creation, rename, icon, visibility, grouping, ordering, and app/portal layout
+- App base permissions:
+  - trust `app_get.editability.can_edit_app_base` for app base-info writes like app name, icon, and visibility
+  - `can_edit_form` only means schema/form-route capability; it no longer implies app base-info write capability
+- Portal work:
+  - `portal_apply` is the public write path
+  - in edit mode, omitting `sections` means “preserve existing layout and update base info only”
+  - supplying `sections` means full replace semantics for sections
+- Chart work:
+  - `app_charts_apply` is the public write path
+  - `visibility` is a public capability and should be treated as a base-only permission update
+  - do not model chart visibility changes as raw config rewrites
+- Views and flows:
+  - stay on `app_views_apply` / `app_flow_apply`
+  - use `builder_tool_contract` whenever the minimal legal shape is unclear
 
 ## Standard Operating Order
 
-Before any business tool:
-
 1. Ensure auth exists
 2. Ensure workspace is selected
 3. Confirm whether the task is read-only or write-impacting
-
-For builder work:
-
-1. Resolve the target package with `package_resolve`; if resolution is ambiguous or you need a read-only fallback, use `package_list`. If you believe a new package should be created, ask the user to confirm before calling `package_create`.
-2. Decide whether the target is one app or a multi-app package:
-   - one app: continue with `app_resolve`
-   - multi-app package/system: create or resolve the package, then create each app separately before adding relations
-3. Resolve the target app with `app_resolve` if the request is an update. Use exactly one selector mode: `app_key`, or `app_name + package_tag_id`.
-4. Read only the smallest config slice you need: `app_get`, `app_get_fields`, `app_get_layout`, `app_get_views`, `app_get_flow`, `app_get_charts`, `portal_get`.
-5. Use `app_schema_apply` for create/upsert/remove field work. It publishes by default after the patch lands; noop schema requests do not publish.
-6. If the app must belong to a package, use `package_attach_app` explicitly after schema work with `tag_id + app_key` unless readback already shows the target `tag_id`.
-7. Use `app_layout_apply` only when the user is explicitly changing layout. Prefer the default `mode=merge`; use `mode=replace` only when you intend to place every field explicitly. It publishes by default after the patch lands; noop layout requests do not publish.
-8. Use `app_flow_apply` after schema exists. It publishes by default; pass `publish=false` when you only want draft/precheck behavior.
-9. Use `app_views_apply` when the user wants explicit table/card/board/gantt views. It publishes by default after the patch lands; noop view requests do not publish.
-10. Use `app_publish_verify` only when the user explicitly wants final publish/live verification or you need an explicit verification pass.
-11. If a write fails with `APP_EDIT_LOCKED`, stop normal writes. Only use `app_release_edit_lock_if_mine` when the failed result shows the lock owner is the current logged-in user.
-
-For view work, keep the order strict:
-
-1. `builder_tool_contract`
-2. `app_get_fields`
-3. `app_get_views`
-4. `app_views_apply`
-5. `app_get_views` again whenever `app_views_apply` returns `failed` or `partial_success`
-
-For flow work, keep the order strict:
-
-1. `builder_tool_contract`
-2. `app_get_fields`
-3. `app_get_flow`
-4. `role_search` or `member_search` if assignees need to come from the directory
-5. `role_create` if the user wants a reusable role and no suitable role exists yet
-6. Start from a canonical preset when possible
-7. Use patch-style edits to that skeleton instead of freehand full-graph generation
-8. When patching a preset skeleton, reuse the preset node ids:
-   - `basic_approval` -> patch `approve_1`
-   - `basic_fill_then_approve` -> patch `fill_1` and `approve_1`
-   Do not invent a second approval/fill node id unless you are intentionally replacing the skeleton and removing the preset node.
-9. Declare approver/fill/copy assignees explicitly:
-   - prefer `assignees.role_names`
-   - support `assignees.member_names` / `assignees.member_emails` / `assignees.member_uids`
-10. When a node must edit specific fields, declare `permissions.editable_fields`
-11. `app_flow_apply`
-12. `app_get_flow` after apply whenever the user asked for verification or apply returns `partial_success`
-13. Use `app_get_charts` before chart work whenever exact current `chart_id` values matter
-14. Use `app_charts_apply` for QingBI chart creation and updates, not raw `qingbi_report_*` writes
-15. Use `portal_get` before portal work whenever exact current portal config and section inventory matter
-16. Use `portal_apply` for builder-side portal work; treat sections as a full replacement list
-
-For additive work on existing systems:
-
-1. Confirm the target package or existing apps
-2. Avoid creating a new package unless the user explicitly wants a separate solution
-3. Use ordinary low-level tools for incremental change
-4. Re-verify the affected apps, views, workflows, or portal after modification
+4. Resolve the smallest stable target:
+   - app-scoped work -> `app_resolve`
+   - package-scoped work with known id -> `package_get`
+   - portal inventory -> `portal_list`
+5. Read only the smallest config slice needed:
+   - app summary -> `app_get`
+   - fields -> `app_get_fields`
+   - layout -> `app_get_layout`
+   - views -> `app_get_views`
+   - flow -> `app_get_flow`
+   - charts -> `app_get_charts`
+   - portal -> `portal_get`
+6. If the public shape is unclear, call `builder_tool_contract`
+7. Apply the smallest patch tool that fits:
+   - fields -> `app_schema_apply`
+   - layout -> `app_layout_apply`
+   - flow -> `app_flow_apply`
+   - views -> `app_views_apply`
+   - charts -> `app_charts_apply`
+   - portal -> `portal_apply`
+   - package metadata/layout -> `package_apply`
+8. Use `app_publish_verify` only when the user explicitly wants final publish/live verification or you need a dedicated verification pass
 
 ## Safe Usage Rules
 
-- When using `package_name`, expect deterministic resolution only on a unique exact package name match; if multiple packages match, stop and resolve the ambiguity instead of guessing
-- `app_schema_apply` is the only public patch tool allowed to create an app shell; `app_layout_apply`, `app_flow_apply`, and `app_views_apply` require an existing app.
-- Prefer reading compact state plus `builder_tool_contract` before `*_apply`; apply already performs server-side normalization and returns blocking issues or the next executable call shape when needed.
-- For abstract requests like “默认视图”, “基础审批流”, “灵活流程”, or “美观布局”, first translate the intent into a stable preset or explicit patch. Do not send those phrases to MCP unchanged.
-- If the user asks for a business system or package that contains several forms, do not use the system/package name as `app_name` and do not try to store the child app names as text fields.
-- For flexible workflow requests, split the work into two steps:
-  1. create a base skeleton with a preset
-  2. apply explicit business-specific changes as patchable nodes/transitions
-- For preset-based flows, treat preset node ids as part of the public contract. Patch the skeleton nodes by the same ids instead of creating a parallel node with a new id and leaving the preset node unassigned.
-- Approval, fill, and copy nodes must declare at least one assignee. Treat this as a hard requirement, not an optional detail.
-- For workflow nodes, use the canonical public shape:
-  - `assignees.role_names`
-  - `assignees.member_names`
-  - `permissions.editable_fields`
-- For layout work, keep the public section shape canonical:
-  - `title`
-  - `rows`
-  Do not invent top-level layout `columns`, and do not prefer `fields` or `field_ids` once `rows` is known.
-- Translate natural language like “一行四个字段 / 四列布局 / 每行放四个” into `rows` matrices, not guessed layout parameters.
-- If the same layout-shape `VALIDATION_ERROR` repeats twice, stop guessing and re-read `builder_tool_contract(app_layout_apply)` or the layout reference before trying again.
-- Do not guess role ids or member ids. Resolve them from the directory first.
-- `app_schema_apply` does not treat package attachment as success criteria; if package ownership matters, verify `tag_ids_after` and call `package_attach_app` explicitly.
-- `package_attach_app` is the source of truth for package ownership; do not assume app creation or publish implicitly attaches the app.
-- `relation` and `subtable` must be explicit; do not infer them from vague natural language.
-- Another app is not a field. If two business objects should both have their own records, build two apps and connect them with relation fields.
-- In `prod`, prefer explicit patch tools and avoid any speculative create flow.
-- Never try to bypass collaborative edit locks. `app_release_edit_lock_if_mine` is only for the case where the lock owner is the current authenticated user.
+- Do not guess package identity from a loose name. Public package work assumes a known `package_id`, or an explicit create/update intent through `package_apply`.
+- If `package_id` is unknown, derive it from related app/portal readback when possible; otherwise ask the user instead of falling back to hidden package lookup tools.
+- Do not use `package_create` or `package_attach_app` as a public default path. If they still appear in low-level code, treat them as internal/legacy implementation details.
+- Do not use raw `portal_*` writes or raw `qingbi_report_*` writes as the default builder strategy.
+- `app_schema_apply`, `app_layout_apply`, `app_flow_apply`, and `app_views_apply` publish by default; `app_charts_apply` is immediate-live without publish.
+- If the same validation error repeats twice, stop guessing and re-read `builder_tool_contract`.
+- For workflow assignees, prefer `role_search` over explicit members unless the user explicitly wants named members.
+- Public flow building is still intentionally limited to stable linear workflows. If a requirement sounds like branches/conditions, explain the limitation instead of freehanding unsupported graph shapes.
+- Respect collaborative edit locks. Only use `app_release_edit_lock_if_mine` when the lock owner is the current authenticated user.
 
 ## Response Interpretation
 
-- low-level list totals from the backend may report `0` while rows are present; prefer summary or aggregate readbacks for final conclusions
-- `app_publish_verify` is the publish source of truth.
-- All public builder tools expose top-level `warnings`, `verification`, and `verified`. Read them before deciding whether a run is fully done.
-- For read tools, `status=success` can still pair with `verified=false` when some optional readback is unavailable; in that case prefer `warnings` and `verification` over the bare status code.
-- For `app_charts_apply`, `portal_apply`, and `app_publish_verify`, treat `success` as “write and verification completed” and `partial_success` as “write executed but verification is incomplete”.
-- For `app_schema_apply`, multiple relation fields are a known high-risk backend area. If you see `RELATION_FIELD_LIMIT_RISK` or `verification.relation_field_limit_verified=false`, do not describe the schema as fully safe.
-- For `app_layout_apply`, trust `verification.layout_verified` first and `verification.layout_summary_verified` second. `LAYOUT_SUMMARY_UNVERIFIED` means the raw form readback is more trustworthy than the compact summary.
-- For `app_views_apply`, treat `verification.views_verified` and `verification.view_filters_verified` separately. A created view with unverified filters is not a finished business view.
-- For `app_flow_apply`, treat only linear node structure as publicly supported. If you see `FLOW_NODE_TYPE_UNSUPPORTED`, redesign the workflow as a stable linear flow instead of retrying branch/condition nodes.
-- If readback mismatches the UI, compare `request_route` and do not assume the builder hit the same `qf_version` as the browser
-- Treat post-write readback as the source of truth, not just write status codes
-- For views, a top-level `VIEW_APPLY_FAILED` does not prove all requested views failed. Read back the view list and verify which views actually landed.
-- For views, “view exists” is not the same as “filters are active”. If `app_views_apply` returns `partial_success`, `views_verified=false`, or `details.filter_mismatches`, report the view as created but the filters as unverified until readback confirms them.
-- If multiple views share the same name, do not guess which one to update. Read `view_key` from `app_get_views` and pass it explicitly in `upsert_views[]`.
-- In final user-facing summaries, distinguish clearly between:
-  - contract is visible / canonical shape is known
-  - apply precheck succeeded
-  - apply landed and readback verified it
-  - base template/skeleton applied
-  - business-specific rules completed
-  - remaining gaps or follow-up patches
-- Do not report “流程已满足业务需求” when only a preset skeleton has landed.
+- Treat post-write readback as the source of truth, not just write status codes.
+- `success` means write and verification completed; `partial_success` means the write landed but verification is incomplete.
+- For portals, distinguish clearly between:
+  - base-info-only update with layout preserved
+  - full sections replace
+- For charts, distinguish clearly between:
+  - base / visibility change
+  - real chart-config change
+- For app permissions, report `can_edit_app_base` separately from `can_edit_form / can_edit_flow / can_edit_views / can_edit_charts`.
 
 ## Practical Patterns
 
-- List packages: `package_list`
-- Resolve one package: `package_resolve`
-- Create one package: `package_create`
-- Read one public tool contract: `builder_tool_contract`
+- Read one package: `package_get`
+- Create or update one package: `package_apply`
 - Resolve one app: `app_resolve`
 - Read one app summary: `app_get`
 - Read fields only: `app_get_fields`
@@ -224,21 +127,20 @@ For additive work on existing systems:
 - Read flow summary: `app_get_flow`
 - Read chart summary: `app_get_charts`
 - Read portal config: `portal_get`
-- Search members for workflow assignees: `member_search`
-- Search roles for workflow assignees: `role_search`
-- Create reusable workflow role: `role_create`
+- Search members or roles: `member_search`, `role_search`
+- Create reusable role: `role_create`
 - Add/update/remove fields: `app_schema_apply`
 - Merge or replace layout: `app_layout_apply`
 - Replace workflow: `app_flow_apply`
 - Upsert/remove views: `app_views_apply`
-- Upsert/remove/reorder QingBI charts: `app_charts_apply`
-- Create or replace-update portal pages: `portal_apply`
-- Attach one app to a package: `package_attach_app`
+- Upsert/remove/reorder charts: `app_charts_apply`
+- Create or update portal pages: `portal_apply`
 - Release your own stale edit lock: `app_release_edit_lock_if_mine`
-- Publish and verify: `app_publish_verify` when you need a separate verification pass beyond the default auto-publish behavior in apply tools
+- Final publish verification: `app_publish_verify`
 
-Detailed playbooks:
+## Resources
 
+- Shared public-surface baseline: [public-surface-sync.md](../qingflow-app-user/references/public-surface-sync.md)
 - Environment switching: [references/environments.md](references/environments.md)
 - Tool choice and sequencing: [references/tool-selection.md](references/tool-selection.md)
 - Result semantics and gotchas: [references/gotchas.md](references/gotchas.md)

package/skills/qingflow-app-builder/references/create-app.md

@@ -1,12 +1,13 @@
 # Create App
 
 Use this when the user wants one new app inside an existing package.
+This playbook follows the current public builder surface, not legacy package helper tools.
 
 Do not use this playbook when the user is really asking for a system/package with multiple forms or modules. In that case:
 
-1. resolve or create the package
+1. read or create the package through `package_get` / `package_apply`
 2. create each app separately
-3. attach each app to the package
+3. keep package ownership on the public `package_id` path instead of a separate attach step
 4. add relation fields between apps
 
 Hierarchy reminder:
@@ -14,15 +15,14 @@ Hierarchy reminder:
 - package -> app -> field -> relation
 - another business object is another app, not a text field
 
-If creating a brand new package would help, ask the user to confirm package creation first. After confirmation, call `package_create` before this sequence.
+If creating a brand new package would help, ask the user to confirm package creation first. After confirmation, create it through `package_apply(create_if_missing=true, package_name=...)`.
 
 ## Minimal sequence
 
-1. `package_resolve`
+1. `package_get` if `package_id` is already known; otherwise derive the package from related readback or ask the user for the id
 2. `app_resolve`
 3. `app_schema_apply`
-4. `package_attach_app`
-5. `app_publish_verify` only when the user asks for explicit final verification
+4. `app_publish_verify` only when the user asks for explicit final verification
 
 ## Multi-app systems are different
 
@@ -36,8 +36,8 @@ then do not treat that as one app.
 
 Use this pattern instead:
 
-1. `package_resolve` or `package_create`
-2. for each app name, run `app_schema_apply -> package_attach_app`
+1. `package_get` or `package_apply(create_if_missing=true, package_name=...)`
+2. for each app name, run `app_schema_apply`
 3. once the apps exist, add `relation` fields between them
 
 ## Example
@@ -46,22 +46,23 @@ Create a new package only after the user confirms package creation:
 
 ```json
 {
-  "tool_name": "package_create",
+  "tool_name": "package_apply",
   "arguments": {
     "profile": "default",
-    "package_name": "研发项目管理"
+    "package_name": "研发项目管理",
+    "create_if_missing": true
   }
 }
 ```
 
-Resolve the package:
+Read the package when `package_id` is already known:
 
 ```json
 {
-  "tool_name": "package_resolve",
+  "tool_name": "package_get",
   "arguments": {
     "profile": "default",
-    "package_name": "测试应用包"
+    "package_id": 1218950
   }
 }
 ```
@@ -74,7 +75,7 @@ Apply schema for a new app:
   "arguments": {
     "profile": "default",
     "app_name": "客户订单",
-    "package_tag_id": 1218950,
+    "package_id": 1218950,
     "create_if_missing": true,
     "publish": true,
     "add_fields": [
@@ -87,22 +88,6 @@ Apply schema for a new app:
     "remove_fields": []
   }
 }
-```
-  }
-}
-```
-
-Attach explicitly if `tag_ids_after` does not yet contain the package:
-
-```json
-{
-  "tool_name": "package_attach_app",
-  "arguments": {
-    "profile": "default",
-    "tag_id": 1218950,
-    "app_key": "APP_KEY_FROM_SCHEMA_APPLY"
-  }
-}
 ```
 
 ## Common failures
@@ -115,10 +100,6 @@ Expected on create. Continue with `create_if_missing=true`.
 
 The create route did not resolve in the current backend route context. Re-run `workspace_select`, then retry the same `app_schema_apply`.
 
-### `PACKAGE_ATTACH_FAILED`
-
-Do not retry schema creation. Re-run only `package_attach_app`, then verify with `app_get`.
-
 ### Hierarchy modeling mistake
 
 If the user asked for several named forms/apps but the draft patch turns them into text fields inside one app, stop and remodel the task as: