@josephyan/qingflow-cli 0.2.0-beta.985 → 0.2.0-beta.987

package/src/qingflow_mcp/cli/commands/auth.py

@@ -1,10 +1,7 @@
 from __future__ import annotations
 
 import argparse
-import getpass
-import sys
 
-from ...errors import QingflowApiError
 from ..context import CliContext
 from .common import read_secret_arg
 
@@ -13,23 +10,13 @@ def register(subparsers: argparse._SubParsersAction[argparse.ArgumentParser]) ->
     parser = subparsers.add_parser("auth", help="认证与会话")
     auth_subparsers = parser.add_subparsers(dest="auth_command", required=True)
 
-    login = auth_subparsers.add_parser("login", help="邮箱密码登录")
-    login.add_argument("--base-url")
-    login.add_argument("--qf-version")
-    login.add_argument("--email", required=True)
-    login.add_argument("--password")
-    login.add_argument("--password-stdin", action="store_true")
-    login.add_argument("--persist", action=argparse.BooleanOptionalAction, default=True)
-    login.set_defaults(handler=_handle_login, format_hint="auth_whoami")
-
-    use_token = auth_subparsers.add_parser("use-token", help="直接注入 token")
-    use_token.add_argument("--base-url")
-    use_token.add_argument("--qf-version")
-    use_token.add_argument("--token")
-    use_token.add_argument("--token-stdin", action="store_true")
-    use_token.add_argument("--ws-id", type=int)
-    use_token.add_argument("--persist", action=argparse.BooleanOptionalAction, default=False)
-    use_token.set_defaults(handler=_handle_use_token, format_hint="auth_whoami")
+    use_credential = auth_subparsers.add_parser("use-credential", help="直接注入 credential")
+    use_credential.add_argument("--base-url")
+    use_credential.add_argument("--qf-version")
+    use_credential.add_argument("--credential")
+    use_credential.add_argument("--credential-stdin", action="store_true")
+    use_credential.add_argument("--persist", action=argparse.BooleanOptionalAction, default=False)
+    use_credential.set_defaults(handler=_handle_use_credential, format_hint="auth_whoami")
 
     whoami = auth_subparsers.add_parser("whoami", help="查看当前登录态")
     whoami.set_defaults(handler=_handle_whoami, format_hint="auth_whoami")
@@ -39,33 +26,17 @@ def register(subparsers: argparse._SubParsersAction[argparse.ArgumentParser]) ->
     logout.set_defaults(handler=_handle_logout, format_hint="")
 
 
-def _handle_login(args: argparse.Namespace, context: CliContext) -> dict:
-    password = args.password
-    if args.password_stdin:
-        password = read_secret_arg(args.password, stdin_enabled=True, label="password")
-    elif not password:
-        if sys.stdin.isatty():
-            password = getpass.getpass("Password: ")
-        else:
-            raise QingflowApiError.config_error("password is required; use --password or --password-stdin")
-    return context.auth.auth_login(
-        profile=args.profile,
-        base_url=args.base_url,
-        qf_version=args.qf_version,
-        email=args.email,
-        password=password,
-        persist=bool(args.persist),
+def _handle_use_credential(args: argparse.Namespace, context: CliContext) -> dict:
+    credential = (
+        read_secret_arg(args.credential, stdin_enabled=bool(args.credential_stdin), label="credential")
+        if args.credential or bool(args.credential_stdin)
+        else ""
     )
-
-
-def _handle_use_token(args: argparse.Namespace, context: CliContext) -> dict:
-    token = read_secret_arg(args.token, stdin_enabled=bool(args.token_stdin), label="token")
-    return context.auth.auth_use_token(
+    return context.auth.auth_use_credential(
         profile=args.profile,
         base_url=args.base_url,
         qf_version=args.qf_version,
-        token=token,
-        ws_id=args.ws_id,
+        credential=credential,
         persist=bool(args.persist),
     )
 

package/src/qingflow_mcp/cli/commands/workspace.py

@@ -15,9 +15,9 @@ def register(subparsers: argparse._SubParsersAction[argparse.ArgumentParser]) ->
     list_parser.add_argument("--include-external", action="store_true")
     list_parser.set_defaults(handler=_handle_list, format_hint="workspace_list")
 
-    select = workspace_subparsers.add_parser("select", help="切换工作区")
-    select.add_argument("--ws-id", type=int, required=True)
-    select.set_defaults(handler=_handle_select, format_hint="workspace_select")
+    get_parser = workspace_subparsers.add_parser("get", help="读取工作区详情")
+    get_parser.add_argument("--ws-id", type=int, default=0)
+    get_parser.set_defaults(handler=_handle_get, format_hint="workspace_get")
 
 
 def _handle_list(args: argparse.Namespace, context: CliContext) -> dict:
@@ -29,5 +29,8 @@ def _handle_list(args: argparse.Namespace, context: CliContext) -> dict:
     )
 
 
-def _handle_select(args: argparse.Namespace, context: CliContext) -> dict:
-    return context.workspace.workspace_select(profile=args.profile, ws_id=args.ws_id)
+def _handle_get(args: argparse.Namespace, context: CliContext) -> dict:
+    return context.workspace.workspace_get(
+        profile=args.profile,
+        ws_id=args.ws_id if int(args.ws_id or 0) > 0 else None,
+    )

package/src/qingflow_mcp/cli/formatters.py

@@ -38,8 +38,12 @@ def _format_whoami(result: dict[str, Any]) -> str:
         f"User: {result.get('nick_name') or '-'} ({result.get('email') or '-'})",
         f"UID: {result.get('uid')}",
         f"Workspace: {result.get('selected_ws_name') or '-'} ({result.get('selected_ws_id') or '-'})",
-        f"QF Version: {result.get('qf_version') or '-'}",
+        f"Workspace QF Version: {result.get('qf_version') or '-'}",
     ]
+    request_route = result.get("request_route") if isinstance(result.get("request_route"), dict) else {}
+    route_qf_version = request_route.get("qf_version")
+    if route_qf_version and route_qf_version != result.get("qf_version"):
+        lines.append(f"Request Route QF Version: {route_qf_version}")
     lines.append(f"Permission Level: {result.get('permission_level') or '-'}")
     departments = result.get("departments") if isinstance(result.get("departments"), list) else []
     roles = result.get("roles") if isinstance(result.get("roles"), list) else []
@@ -82,6 +86,19 @@ def _format_workspace_list(result: dict[str, Any]) -> str:
     return _render_titled_table("Workspaces", ["ws_id", "name", "remark"], rows)
 
 
+def _format_workspace_get(result: dict[str, Any]) -> str:
+    workspace = result.get("workspace") if isinstance(result.get("workspace"), dict) else {}
+    lines = [
+        f"Workspace: {workspace.get('workspaceName') or workspace.get('wsName') or '-'} ({workspace.get('wsId') or result.get('ws_id') or '-'})",
+        f"QF Version: {result.get('qf_version') or workspace.get('systemVersion') or '-'}",
+        f"Identity: {workspace.get('identity') or '-'}",
+        f"Auth: {workspace.get('auth') if workspace.get('auth') is not None else '-'}",
+        f"State: {workspace.get('state') if workspace.get('state') is not None else '-'}",
+    ]
+    _append_warnings(lines, result.get("warnings"))
+    return "\n".join(lines) + "\n"
+
+
 def _format_app_items(result: dict[str, Any]) -> str:
     items = result.get("items")
     if not isinstance(items, list):
@@ -132,26 +149,6 @@ def _format_app_get(result: dict[str, Any]) -> str:
     _append_warnings(lines, result.get("warnings"))
     return "\n".join(lines) + "\n"
 
-
-def _format_workspace_select(result: dict[str, Any]) -> str:
-    lines = [
-        f"Workspace: {result.get('selected_ws_name') or '-'} ({result.get('selected_ws_id') or '-'})",
-        f"QF Version: {result.get('qf_version') or '-'}",
-    ]
-    workspace_version = result.get("workspace_version") if isinstance(result.get("workspace_version"), dict) else {}
-    if workspace_version:
-        lines.append(
-            "Workspace Version: "
-            f"{workspace_version.get('display_name') or '-'} "
-            f"({workspace_version.get('level_name') or workspace_version.get('level_code') or '-'})"
-        )
-        if workspace_version.get("being_trial") is not None:
-            lines.append(f"Trial: {workspace_version.get('being_trial')}")
-        if workspace_version.get("expire_date") is not None:
-            lines.append(f"Expire Date: {workspace_version.get('expire_date')}")
-    return "\n".join(lines) + "\n"
-
-
 def _format_record_list(result: dict[str, Any]) -> str:
     data = result.get("data") if isinstance(result.get("data"), dict) else {}
     items = data.get("items") if isinstance(data.get("items"), list) else []
@@ -364,7 +361,7 @@ def _first_present(payload: dict[str, Any], *keys: str) -> Any:
 _FORMATTERS = {
     "auth_whoami": _format_whoami,
     "workspace_list": _format_workspace_list,
-    "workspace_select": _format_workspace_select,
+    "workspace_get": _format_workspace_get,
     "app_list": _format_app_items,
     "app_search": _format_app_items,
     "app_get": _format_app_get,

package/src/qingflow_mcp/config.py

@@ -21,6 +21,8 @@ DEFAULT_REPOSITORY_PROD_BRANCH = "prod"
 DEFAULT_REPOSITORY_AUTHOR_NAME = "qingflow-mcp"
 DEFAULT_REPOSITORY_AUTHOR_EMAIL = "qingflow-mcp@local.invalid"
 DEFAULT_REPOSITORY_INTERNAL_SHARE_TOKEN_KEY = "tokenKey"
+DEFAULT_CREDIT_USAGE_RECORD_PATH = "/user/credit/usage"
+DEFAULT_MCPORTER_CONFIG_PATH = "~/.openclaw/workspace/config/mcporter.json"
 
 
 def get_mcp_home() -> Path:
@@ -32,6 +34,13 @@ def get_profiles_path() -> Path:
     return get_mcp_home() / "profiles.json"
 
 
+def get_mcporter_config_path() -> Path:
+    custom_path = os.getenv("QINGFLOW_MCP_MCPORTER_CONFIG_PATH") or os.getenv(
+        "QINGFLOW_MCP_AUTH_CONFIG_PATH"
+    )
+    return Path(custom_path).expanduser() if custom_path else Path(DEFAULT_MCPORTER_CONFIG_PATH)
+
+
 def get_repository_metadata_dir() -> Path:
     return get_mcp_home() / "repository-metadata"
 
@@ -208,6 +217,36 @@ def get_log_level() -> str:
     )
 
 
+def get_credit_meter_enabled() -> bool:
+    value = get_config_value(
+        "credit_meter.enabled",
+        env_var="QINGFLOW_MCP_CREDIT_METER_ENABLED",
+        default="true",
+    )
+    normalized = str(value or "").strip().lower()
+    return normalized in {"1", "true", "yes", "on"}
+
+
+def get_credit_usage_base_url() -> str | None:
+    value = get_config_value(
+        "credit_meter.apaas.base_url",
+        env_var="QINGFLOW_MCP_CREDIT_APAAS_BASE_URL",
+        default=None,
+    )
+    normalized = normalize_base_url(value)
+    return normalized or None
+
+
+def get_credit_usage_path() -> str:
+    value = get_config_value(
+        "credit_meter.apaas.path",
+        env_var="QINGFLOW_MCP_CREDIT_APAAS_PATH",
+        default=DEFAULT_CREDIT_USAGE_RECORD_PATH,
+    )
+    normalized = str(value or "").strip()
+    return normalized or DEFAULT_CREDIT_USAGE_RECORD_PATH
+
+
 def get_repository_default_group() -> str | None:
     value = get_config_value(
         "repository.default_group",

package/src/qingflow_mcp/errors.py

@@ -43,14 +43,14 @@ class QingflowApiError(Exception):
     def auth_required(cls, profile: str) -> "QingflowApiError":
         return cls(
             category="auth",
-            message=f"Profile '{profile}' is not logged in. Run auth_login first.",
+            message=f"Profile '{profile}' is not logged in. Run auth_use_credential first.",
         )
 
     @classmethod
     def workspace_not_selected(cls, profile: str) -> "QingflowApiError":
         return cls(
             category="workspace",
-            message=f"WORKSPACE_NOT_SELECTED: profile '{profile}' has no selected workspace. Run workspace_select first.",
+            message=f"WORKSPACE_NOT_SELECTED: profile '{profile}' has no workspace from auth context. Re-run auth_use_credential.",
         )
 
     @classmethod

package/src/qingflow_mcp/public_surface.py

@@ -30,12 +30,11 @@ def tool_key(domain: str, tool_name: str) -> str:
 
 
 USER_PUBLIC_TOOL_SPECS: tuple[PublicToolSpec, ...] = (
-    PublicToolSpec(USER_DOMAIN, "auth_login", ("auth_login",), ("auth", "login")),
-    PublicToolSpec(USER_DOMAIN, "auth_use_token", ("auth_use_token",), ("auth", "use-token")),
+    PublicToolSpec(USER_DOMAIN, "auth_use_credential", ("auth_use_credential",), ("auth", "use-credential")),
     PublicToolSpec(USER_DOMAIN, "auth_whoami", ("auth_whoami",), ("auth", "whoami")),
     PublicToolSpec(USER_DOMAIN, "auth_logout", ("auth_logout",), ("auth", "logout")),
     PublicToolSpec(USER_DOMAIN, "workspace_list", ("workspace_list",), ("workspace", "list")),
-    PublicToolSpec(USER_DOMAIN, "workspace_select", ("workspace_select",), ("workspace", "select")),
+    PublicToolSpec(USER_DOMAIN, "workspace_get", ("workspace_get",), ("workspace", "get")),
     PublicToolSpec(USER_DOMAIN, "app_list", ("app_list",), ("app", "list"), cli_show_effective_context=True),
     PublicToolSpec(USER_DOMAIN, "app_search", ("app_search",), ("app", "search"), cli_show_effective_context=True),
     PublicToolSpec(USER_DOMAIN, "app_get", ("app_get",), ("app", "get"), cli_show_effective_context=True),
@@ -107,12 +106,11 @@ USER_PUBLIC_TOOL_SPECS: tuple[PublicToolSpec, ...] = (
 
 
 BUILDER_PUBLIC_TOOL_SPECS: tuple[PublicToolSpec, ...] = (
-    PublicToolSpec(BUILDER_DOMAIN, "auth_login", ("auth_login",), ("builder", "auth", "login"), cli_public=False),
-    PublicToolSpec(BUILDER_DOMAIN, "auth_use_token", ("auth_use_token",), ("builder", "auth", "use-token"), cli_public=False),
+    PublicToolSpec(BUILDER_DOMAIN, "auth_use_credential", ("auth_use_credential",), ("builder", "auth", "use-credential"), cli_public=False),
     PublicToolSpec(BUILDER_DOMAIN, "auth_whoami", ("auth_whoami",), ("builder", "auth", "whoami"), cli_public=False),
     PublicToolSpec(BUILDER_DOMAIN, "auth_logout", ("auth_logout",), ("builder", "auth", "logout"), cli_public=False),
     PublicToolSpec(BUILDER_DOMAIN, "workspace_list", ("workspace_list",), ("builder", "workspace", "list"), cli_public=False),
-    PublicToolSpec(BUILDER_DOMAIN, "workspace_select", ("workspace_select",), ("builder", "workspace", "select"), cli_public=False),
+    PublicToolSpec(BUILDER_DOMAIN, "workspace_get", ("workspace_get",), ("builder", "workspace", "get"), cli_public=False),
     PublicToolSpec(BUILDER_DOMAIN, "file_upload_local", ("file_upload_local",), ("builder", "file", "upload-local"), has_contract=True, cli_show_effective_context=True, cli_context_write=True),
     PublicToolSpec(BUILDER_DOMAIN, "feedback_submit", ("feedback_submit",), ("builder", "feedback", "submit"), has_contract=True),
     PublicToolSpec(BUILDER_DOMAIN, "builder_tool_contract", ("builder_tool_contract",), ("builder", "contract"), has_contract=False),

package/src/qingflow_mcp/response_trim.py

@@ -263,12 +263,6 @@ def _trim_workspace_list(payload: JSONObject) -> None:
         _trim_item_list(page, "list", allowed=("wsId", "workspaceName", "remark"))
 
 
-def _trim_workspace_select(payload: JSONObject) -> None:
-    workspace = payload.get("workspace")
-    if isinstance(workspace, dict):
-        payload["workspace"] = _pick(workspace, ("wsId", "workspaceName"))
-
-
 def _trim_app_search_like(payload: JSONObject) -> None:
     payload.pop("apps", None)
     _trim_item_list(payload, "items", allowed=("app_key", "app_name", "package_name"))
@@ -731,10 +725,9 @@ def _register_policy(domains: tuple[str, ...], names: tuple[str, ...], transform
             SUCCESS_POLICY_BY_TOOL[tool_key(domain, name)] = transform
 
 
-_register_policy((USER_DOMAIN, BUILDER_DOMAIN), ("auth_login", "auth_use_token", "auth_whoami"), _trim_auth_payload)
+_register_policy((USER_DOMAIN, BUILDER_DOMAIN), ("auth_use_credential", "auth_whoami"), _trim_auth_payload)
 _register_policy((USER_DOMAIN, BUILDER_DOMAIN), ("auth_logout",), _trim_auth_logout)
 _register_policy((USER_DOMAIN, BUILDER_DOMAIN), ("workspace_list",), _trim_workspace_list)
-_register_policy((USER_DOMAIN, BUILDER_DOMAIN), ("workspace_select",), _trim_workspace_select)
 _register_policy((USER_DOMAIN,), ("app_list", "app_search"), _trim_app_search_like)
 _register_policy((USER_DOMAIN, BUILDER_DOMAIN), ("app_get",), _trim_app_get)
 _register_policy((BUILDER_DOMAIN,), ("app_repair_code_blocks",), _trim_builder_list_like)

package/src/qingflow_mcp/server.py

@@ -34,7 +34,7 @@ def build_server() -> FastMCP:
 
 ## Authentication
 
-Use `auth_login` first, then `workspace_list` and `workspace_select`.
+Use `auth_use_credential` first when a local host such as createClaw can provide a credential. Treat the returned `wsId` and `qfVersion` as authoritative for the local session.
 All resource tools operate with the logged-in user's Qingflow permissions.
 
 ## Shared Helper

package/src/qingflow_mcp/server_app_builder.py

@@ -56,38 +56,18 @@ def build_builder_server() -> FastMCP:
     feedback = FeedbackTools(backend, mcp_side="App Builder MCP")
 
     @server.tool()
-    def auth_login(
+    def auth_use_credential(
         profile: str = DEFAULT_PROFILE,
         base_url: str | None = None,
         qf_version: str | None = None,
-        email: str = "",
-        password: str = "",
-        persist: bool = True,
-    ) -> dict:
-        return auth.auth_login(
-            profile=profile,
-            base_url=base_url,
-            qf_version=qf_version,
-            email=email,
-            password=password,
-            persist=persist,
-        )
-
-    @server.tool()
-    def auth_use_token(
-        profile: str = DEFAULT_PROFILE,
-        base_url: str | None = None,
-        qf_version: str | None = None,
-        token: str = "",
-        ws_id: int | None = None,
+        credential: str = "",
         persist: bool = False,
     ) -> dict:
-        return auth.auth_use_token(
+        return auth.auth_use_credential(
             profile=profile,
             base_url=base_url,
             qf_version=qf_version,
-            token=token,
-            ws_id=ws_id,
+            credential=credential,
             persist=persist,
         )
 
@@ -113,10 +93,6 @@ def build_builder_server() -> FastMCP:
             include_external=include_external,
         )
 
-    @server.tool()
-    def workspace_select(profile: str = DEFAULT_PROFILE, ws_id: int = 0) -> dict:
-        return workspace.workspace_select(profile=profile, ws_id=ws_id)
-
     @server.tool()
     def file_upload_local(
         profile: str = DEFAULT_PROFILE,

package/src/qingflow_mcp/server_app_user.py

@@ -191,38 +191,18 @@ If the current MCP capability is unsupported, the workflow is awkward, or the us
     directory_tools = wrap_trimmed_methods(DirectoryTools(sessions, backend), USER_SERVER_METHOD_MAP)
 
     @server.tool()
-    def auth_login(
+    def auth_use_credential(
         profile: str = DEFAULT_PROFILE,
         base_url: str | None = None,
         qf_version: str | None = None,
-        email: str = "",
-        password: str = "",
-        persist: bool = True,
-    ) -> dict:
-        return auth.auth_login(
-            profile=profile,
-            base_url=base_url,
-            qf_version=qf_version,
-            email=email,
-            password=password,
-            persist=persist,
-        )
-
-    @server.tool()
-    def auth_use_token(
-        profile: str = DEFAULT_PROFILE,
-        base_url: str | None = None,
-        qf_version: str | None = None,
-        token: str = "",
-        ws_id: int | None = None,
+        credential: str = "",
         persist: bool = False,
     ) -> dict:
-        return auth.auth_use_token(
+        return auth.auth_use_credential(
             profile=profile,
             base_url=base_url,
             qf_version=qf_version,
-            token=token,
-            ws_id=ws_id,
+            credential=credential,
             persist=persist,
         )
 
@@ -248,10 +228,6 @@ If the current MCP capability is unsupported, the workflow is awkward, or the us
             include_external=include_external,
         )
 
-    @server.tool()
-    def workspace_select(profile: str = DEFAULT_PROFILE, ws_id: int = 0) -> dict:
-        return workspace.workspace_select(profile=profile, ws_id=ws_id)
-
     @server.tool()
     def app_list(profile: str = DEFAULT_PROFILE) -> dict:
         return apps.app_list(profile=profile)

package/src/qingflow_mcp/session_store.py

@@ -29,6 +29,9 @@ class SessionProfile:
     base_url: str
     qf_version: str | None
     qf_version_source: str | None
+    token: str | None
+    login_token: str | None
+    credential: str | None
     uid: int
     email: str | None
     nick_name: str | None
@@ -45,6 +48,9 @@ class SessionProfile:
             base_url=value["base_url"],
             qf_version=value.get("qf_version"),
             qf_version_source=value.get("qf_version_source"),
+            token=value.get("token"),
+            login_token=value.get("login_token"),
+            credential=value.get("credential"),
             uid=value["uid"],
             email=value.get("email"),
             nick_name=value.get("nick_name"),
@@ -60,6 +66,7 @@ class SessionProfile:
 class BackendSession:
     token: str
     login_token: str | None
+    credential: str | None
     profile: str
     base_url: str
     qf_version: str | None
@@ -85,6 +92,7 @@ class SessionStore:
         qf_version_source: str | None = None,
         token: str,
         login_token: str | None,
+        credential: str | None = None,
         uid: int,
         email: str | None,
         nick_name: str | None,
@@ -99,14 +107,22 @@ class SessionStore:
                 self._set_secret(self._login_token_key(profile), login_token)
             else:
                 self._delete_secret(self._login_token_key(profile))
+            if credential:
+                self._set_secret(self._credential_key(profile), credential)
+            else:
+                self._delete_secret(self._credential_key(profile))
         else:
             self._delete_secret(self._token_key(profile))
             self._delete_secret(self._login_token_key(profile))
+            self._delete_secret(self._credential_key(profile))
         session_profile = SessionProfile(
             profile=profile,
             base_url=normalize_base_url(base_url) or base_url,
             qf_version=(str(qf_version).strip() or None) if qf_version is not None else None,
             qf_version_source=(str(qf_version_source).strip() or None) if qf_version_source is not None else None,
+            token=str(token).strip() or None,
+            login_token=(str(login_token).strip() or None) if login_token is not None else None,
+            credential=(str(credential).strip() or None) if credential is not None else None,
             uid=uid,
             email=email,
             nick_name=nick_name,
@@ -117,8 +133,9 @@ class SessionStore:
             updated_at=now,
         )
         self._memory_sessions[profile] = BackendSession(
-            token=token,
-            login_token=login_token,
+            token=session_profile.token or token,
+            login_token=session_profile.login_token,
+            credential=session_profile.credential,
             profile=profile,
             base_url=session_profile.base_url,
             qf_version=session_profile.qf_version,
@@ -146,14 +163,19 @@ class SessionStore:
                 memory_session.qf_version = session_profile.qf_version
                 memory_session.qf_version_source = session_profile.qf_version_source
             return memory_session
-        if not session_profile or not session_profile.persisted:
+        if not session_profile:
             return None
-        token = self._get_secret(self._token_key(profile))
+        token = self._get_secret(self._token_key(profile)) if session_profile.persisted else None
+        if not token:
+            token = session_profile.token
         if not token:
             return None
+        login_token = self._get_secret(self._login_token_key(profile)) if session_profile.persisted else None
+        credential = self._get_secret(self._credential_key(profile)) if session_profile.persisted else None
         backend_session = BackendSession(
             token=token,
-            login_token=self._get_secret(self._login_token_key(profile)),
+            login_token=login_token or session_profile.login_token,
+            credential=credential or session_profile.credential,
             profile=profile,
             base_url=session_profile.base_url,
             qf_version=session_profile.qf_version,
@@ -234,6 +256,7 @@ class SessionStore:
         self._logged_out_profiles.discard(profile)
         self._delete_secret(self._token_key(profile))
         self._delete_secret(self._login_token_key(profile))
+        self._delete_secret(self._credential_key(profile))
         payload = self._load_profiles()
         profiles = payload.get("profiles", {})
         if profile in profiles:
@@ -249,6 +272,9 @@ class SessionStore:
     def _login_token_key(self, profile: str) -> str:
         return f"{profile}:login-token"
 
+    def _credential_key(self, profile: str) -> str:
+        return f"{profile}:credential"
+
     def _upsert_profile(self, profile: SessionProfile) -> None:
         payload = self._load_profiles()
         payload.setdefault("profiles", {})[profile.profile] = asdict(profile)

package/src/qingflow_mcp/solution/compiler/form_compiler.py

@@ -307,7 +307,7 @@ def build_reference_config(field: dict[str, Any], temp_id: int) -> dict[str, Any
                 "queId": que_id,
                 "queTitle": label,
                 "queType": _normalize_reference_que_type(raw_type) or "2",
-                "queAuth": 1,
+                "queAuth": 3,
                 "ordinal": ordinal,
                 "quoteId": temp_id,
                 "_field_id": field_id,
@@ -320,7 +320,7 @@ def build_reference_config(field: dict[str, Any], temp_id: int) -> dict[str, Any
         auth_ques = []
         for ordinal, field_id in enumerate(auth_field_ids, start=1):
             que_id = auth_field_que_ids[ordinal - 1] if ordinal - 1 < len(auth_field_que_ids) else 0
-            auth_ques.append({"queId": que_id, "queAuth": 1, "_field_id": field_id})
+            auth_ques.append({"queId": que_id, "queAuth": 3, "_field_id": field_id})
     return {
         "referAppKey": "__TARGET_APP_KEY__",
         "referQueId": display_field_que_id,

package/src/qingflow_mcp/solution/executor.py

@@ -857,12 +857,12 @@ class SolutionExecutor:
                 if refer_que_id is None:
                     continue
                 resolved["queId"] = refer_que_id
-                resolved["queAuth"] = int(resolved.get("queAuth", 1))
+                resolved["queAuth"] = int(resolved.get("queAuth", 3))
                 auth_ques.append(resolved)
             if not auth_ques:
                 fallback_que_id = target_meta.get("by_field_id", {}).get(target_field_id)
                 if fallback_que_id is not None:
-                    auth_ques.append({"queId": fallback_que_id, "queAuth": 1})
+                    auth_ques.append({"queId": fallback_que_id, "queAuth": 3})
             reference_config["referAuthQues"] = auth_ques
             reference_config["fieldNameShow"] = bool(reference_config.get("fieldNameShow", True))
             fill_rules = []