@josephyan/qingflow-cli 0.2.0-beta.988 → 0.2.0-beta.990

package/src/qingflow_mcp/cli/qingflow_login.py

@@ -0,0 +1,116 @@
+from __future__ import annotations
+
+import base64
+from dataclasses import dataclass
+from typing import Any
+
+from Crypto.Cipher import PKCS1_v1_5
+from Crypto.PublicKey import RSA
+
+from ..backend_client import BackendClient
+from ..config import get_default_base_url, get_timeout_seconds, normalize_base_url
+from ..errors import QingflowApiError
+
+
+@dataclass(slots=True)
+class QingflowNativeLoginResult:
+    token: str
+    user_info: dict[str, Any]
+    login_token: str | None = None
+    flow: str = "qingflow_password"
+
+
+class QingflowNativeLoginHelper:
+    def __init__(self, *, backend: BackendClient | None = None) -> None:
+        self._owns_backend = backend is None
+        self._backend = backend or BackendClient(timeout=get_timeout_seconds())
+
+    def close(self) -> None:
+        if self._owns_backend:
+            self._backend.close()
+
+    def login_with_password(
+        self,
+        *,
+        base_url: str | None,
+        email: str,
+        password: str,
+    ) -> QingflowNativeLoginResult:
+        normalized_base_url = normalize_base_url(base_url) or get_default_base_url()
+        normalized_email = str(email or "").strip()
+        normalized_password = str(password or "")
+        if not normalized_base_url:
+            raise QingflowApiError.config_error("base_url is required or configure default_base_url")
+        if not normalized_email:
+            raise QingflowApiError.config_error("email is required for Qingflow account login")
+        if not normalized_password:
+            raise QingflowApiError.config_error("password is required for Qingflow account login")
+
+        pubkey_payload = self._backend.public_request("GET", normalized_base_url, "/user/pubkey", qf_version=None)
+        pubkey = self._extract_pubkey(pubkey_payload)
+        encrypted_password = _encrypt_password(normalized_password, pubkey)
+        login_payload = self._backend.public_request(
+            "POST",
+            normalized_base_url,
+            "/user/login",
+            json_body={"email": normalized_email, "password": encrypted_password},
+            qf_version=None,
+        )
+        if not isinstance(login_payload, dict):
+            raise QingflowApiError(category="auth", message="Qingflow login did not return a valid response")
+
+        token = str(login_payload.get("token") or "").strip()
+        login_token = str(login_payload.get("loginToken") or "").strip() or None
+        if not token:
+            if login_token:
+                raise QingflowApiError(
+                    category="auth",
+                    message=(
+                        "Qingflow account login requires additional security verification. "
+                        "CLI password login currently does not complete the loginToken verification step."
+                    ),
+                    details={"login_token_present": True},
+                )
+            raise QingflowApiError(
+                category="auth",
+                message="Qingflow login succeeded but did not return a token",
+            )
+
+        user_info = login_payload.get("userInfo")
+        if not isinstance(user_info, dict):
+            user_info = {}
+        return QingflowNativeLoginResult(
+            token=token,
+            login_token=login_token,
+            user_info=user_info,
+        )
+
+    def _extract_pubkey(self, payload: Any) -> str:
+        if not isinstance(payload, dict):
+            raise QingflowApiError(category="auth", message="Qingflow pubkey response is invalid")
+        pubkey = str(payload.get("pubkey") or "").strip()
+        if not pubkey:
+            raise QingflowApiError(category="auth", message="Qingflow pubkey response did not include pubkey")
+        return pubkey
+
+
+def login_with_qingflow_password(
+    *,
+    base_url: str | None,
+    email: str,
+    password: str,
+) -> QingflowNativeLoginResult:
+    helper = QingflowNativeLoginHelper()
+    try:
+        return helper.login_with_password(base_url=base_url, email=email, password=password)
+    finally:
+        helper.close()
+
+
+def _encrypt_password(password: str, pubkey: str) -> str:
+    public_key = RSA.import_key(
+        "-----BEGIN PUBLIC KEY-----\n" + pubkey.strip() + "\n-----END PUBLIC KEY-----\n"
+    )
+    cipher = PKCS1_v1_5.new(public_key)
+    encrypted = cipher.encrypt(password.encode("utf-8"))
+    return base64.b64encode(encrypted).decode("ascii")

package/src/qingflow_mcp/errors.py

@@ -43,14 +43,14 @@ class QingflowApiError(Exception):
     def auth_required(cls, profile: str) -> "QingflowApiError":
         return cls(
             category="auth",
-            message=f"Profile '{profile}' is not logged in. Run auth_use_credential first.",
+            message=f"Profile '{profile}' is not logged in. Run auth login or auth_use_credential first.",
         )
 
     @classmethod
     def workspace_not_selected(cls, profile: str) -> "QingflowApiError":
         return cls(
             category="workspace",
-            message=f"WORKSPACE_NOT_SELECTED: profile '{profile}' has no workspace from auth context. Re-run auth_use_credential.",
+            message=f"WORKSPACE_NOT_SELECTED: profile '{profile}' has no workspace from auth context. Re-run auth login or auth_use_credential.",
         )
 
     @classmethod

package/src/qingflow_mcp/id_utils.py

@@ -0,0 +1,49 @@
+from __future__ import annotations
+
+from typing import Any
+
+from .errors import QingflowApiError
+
+
+JS_MAX_SAFE_INTEGER = 9_007_199_254_740_991
+
+
+def stringify_backend_id(value: Any) -> str | None:
+    """Return an exact public id string for backend-originated identifiers."""
+    if value in (None, ""):
+        return None
+    if isinstance(value, bool):
+        return None
+    text = str(value).strip()
+    return text or None
+
+
+def normalize_positive_id_text(value: Any, *, field_name: str) -> str:
+    """Normalize a user-supplied id while rejecting JS-unsafe numeric input."""
+    if value in (None, "") or isinstance(value, bool):
+        raise QingflowApiError.config_error(f"{field_name} must be positive")
+    if isinstance(value, int):
+        if value <= 0:
+            raise QingflowApiError.config_error(f"{field_name} must be positive")
+        if value > JS_MAX_SAFE_INTEGER:
+            raise QingflowApiError.config_error(
+                f"{field_name} exceeds JavaScript's safe integer range; pass it as a string to avoid precision loss"
+            )
+        return str(value)
+    if isinstance(value, str):
+        text = value.strip()
+        if not text.isdecimal() or int(text) <= 0:
+            raise QingflowApiError.config_error(f"{field_name} must be a positive integer string")
+        return text
+    raise QingflowApiError.config_error(f"{field_name} must be a positive integer string")
+
+
+def normalize_positive_id_int(value: Any, *, field_name: str) -> int:
+    """Normalize an id to Python int after the public boundary preserves it as text."""
+    return int(normalize_positive_id_text(value, field_name=field_name))
+
+
+def ids_equal(left: Any, right: Any) -> bool:
+    left_text = stringify_backend_id(left)
+    right_text = stringify_backend_id(right)
+    return left_text is not None and right_text is not None and left_text == right_text

package/src/qingflow_mcp/public_surface.py

@@ -30,6 +30,7 @@ def tool_key(domain: str, tool_name: str) -> str:
 
 
 USER_PUBLIC_TOOL_SPECS: tuple[PublicToolSpec, ...] = (
+    PublicToolSpec(USER_DOMAIN, "auth_login", cli_route=("auth", "login"), mcp_public=False),
     PublicToolSpec(USER_DOMAIN, "auth_use_credential", ("auth_use_credential",), ("auth", "use-credential")),
     PublicToolSpec(USER_DOMAIN, "auth_whoami", ("auth_whoami",), ("auth", "whoami")),
     PublicToolSpec(USER_DOMAIN, "auth_logout", ("auth_logout",), ("auth", "logout")),

package/src/qingflow_mcp/response_trim.py

@@ -263,6 +263,15 @@ def _trim_workspace_list(payload: JSONObject) -> None:
         _trim_item_list(page, "list", allowed=("wsId", "workspaceName", "remark"))
 
 
+def _trim_workspace_get(payload: JSONObject) -> None:
+    workspace = payload.get("workspace")
+    if isinstance(workspace, dict):
+        payload["workspace"] = _pick(
+            workspace,
+            allowed=("wsId", "workspaceName", "remark", "systemVersion", "auth"),
+        )
+
+
 def _trim_app_search_like(payload: JSONObject) -> None:
     payload.pop("apps", None)
     _trim_item_list(payload, "items", allowed=("app_key", "app_name", "package_name"))
@@ -728,6 +737,7 @@ def _register_policy(domains: tuple[str, ...], names: tuple[str, ...], transform
 _register_policy((USER_DOMAIN, BUILDER_DOMAIN), ("auth_use_credential", "auth_whoami"), _trim_auth_payload)
 _register_policy((USER_DOMAIN, BUILDER_DOMAIN), ("auth_logout",), _trim_auth_logout)
 _register_policy((USER_DOMAIN, BUILDER_DOMAIN), ("workspace_list",), _trim_workspace_list)
+_register_policy((USER_DOMAIN, BUILDER_DOMAIN), ("workspace_get",), _trim_workspace_get)
 _register_policy((USER_DOMAIN,), ("app_list", "app_search"), _trim_app_search_like)
 _register_policy((USER_DOMAIN, BUILDER_DOMAIN), ("app_get",), _trim_app_get)
 _register_policy((BUILDER_DOMAIN,), ("app_repair_code_blocks",), _trim_builder_list_like)

package/src/qingflow_mcp/tools/auth_tools.py

@@ -164,6 +164,136 @@ class AuthTools(ToolBase):
             ),
         }
 
+    def auth_use_token(
+        self,
+        *,
+        profile: str = DEFAULT_PROFILE,
+        base_url: str | None = None,
+        qf_version: str | None = None,
+        token: str | None = None,
+        login_token: str | None = None,
+        persist: bool = False,
+        user_info: dict[str, Any] | None = None,
+    ) -> dict[str, Any]:
+        """使用已获得的 Qingflow token 建立本地会话。"""
+        normalized_base_url = self._normalize_base_url(base_url)
+        normalized_qf_version, qf_version_source = self._resolve_qf_version_input(qf_version)
+        normalized_token = self._normalize_text(token)
+        normalized_login_token = self._normalize_text(login_token)
+        if not normalized_token:
+            raise_tool_error(QingflowApiError.config_error("token is required"))
+
+        resolved_user_info = user_info if isinstance(user_info, dict) else None
+        response_qf_version: str | None = None
+        if resolved_user_info is None:
+            resolved_user_info, response_qf_version = self._fetch_user_info(
+                normalized_base_url,
+                normalized_token,
+                None,
+                qf_version=normalized_qf_version,
+                qf_version_source=qf_version_source,
+            )
+
+        last_workspace = resolved_user_info.get("lastWsInfo")
+        selected_ws_id = self._coerce_positive_int(
+            last_workspace.get("wsId") if isinstance(last_workspace, dict) else None
+        )
+        selected_ws_name = self._normalize_text(
+            (last_workspace.get("wsName") if isinstance(last_workspace, dict) else None)
+            or (last_workspace.get("workspaceName") if isinstance(last_workspace, dict) else None)
+            or (last_workspace.get("remark") if isinstance(last_workspace, dict) else None)
+        )
+        workspace_qf_version = (
+            self._workspace_system_version(last_workspace) if isinstance(last_workspace, dict) else None
+        )
+        if selected_ws_id is None:
+            fallback_workspace, fallback_qf_version = self._fetch_first_workspace(
+                normalized_base_url,
+                normalized_token,
+                qf_version=normalized_qf_version,
+                qf_version_source=qf_version_source,
+            )
+            if isinstance(fallback_workspace, dict):
+                selected_ws_id = self._coerce_positive_int(fallback_workspace.get("wsId"))
+                selected_ws_name = self._normalize_text(
+                    fallback_workspace.get("workspaceName")
+                    or fallback_workspace.get("wsName")
+                    or fallback_workspace.get("remark")
+                ) or selected_ws_name
+                workspace_qf_version = self._workspace_system_version(fallback_workspace) or fallback_qf_version
+        elif selected_ws_name is None or workspace_qf_version is None:
+            workspace = self._fetch_workspace_with_name_fallback(
+                normalized_base_url,
+                normalized_token,
+                selected_ws_id,
+                qf_version=normalized_qf_version,
+                qf_version_source=qf_version_source,
+            )
+            if isinstance(workspace, dict):
+                selected_ws_name = self._normalize_text(
+                    workspace.get("workspaceName")
+                    or workspace.get("wsName")
+                    or workspace.get("remark")
+                ) or selected_ws_name
+                workspace_qf_version = self._workspace_system_version(workspace) or workspace_qf_version
+
+        if workspace_qf_version is not None:
+            resolved_qf_version, resolved_qf_version_source = workspace_qf_version, "workspace_system_version"
+        else:
+            resolved_qf_version, resolved_qf_version_source = self._resolve_backend_qf_version(
+                response_qf_version,
+                fallback_qf_version=normalized_qf_version,
+                fallback_source=qf_version_source,
+            )
+
+        uid = self._coerce_positive_int(resolved_user_info.get("uid"))
+        if uid is None:
+            raise_tool_error(QingflowApiError(category="auth", message="Token validation did not return valid user info"))
+
+        session_profile = self.sessions.save_session(
+            profile=profile,
+            base_url=normalized_base_url,
+            qf_version=resolved_qf_version,
+            qf_version_source=resolved_qf_version_source,
+            token=normalized_token,
+            login_token=normalized_login_token,
+            credential=None,
+            uid=uid,
+            email=self._normalize_text(resolved_user_info.get("email")),
+            nick_name=self._normalize_text(
+                resolved_user_info.get("nickName")
+                or resolved_user_info.get("displayName")
+                or resolved_user_info.get("name")
+            ),
+            persist=persist,
+        )
+        if selected_ws_id is not None:
+            session_profile = self.sessions.select_workspace(profile, ws_id=selected_ws_id, ws_name=selected_ws_name)
+
+        return {
+            "profile": session_profile.profile,
+            "base_url": session_profile.base_url,
+            "qf_version": session_profile.qf_version,
+            "qf_version_source": session_profile.qf_version_source,
+            "uid": session_profile.uid,
+            "email": session_profile.email,
+            "nick_name": session_profile.nick_name,
+            "selected_ws_id": session_profile.selected_ws_id,
+            "selected_ws_name": session_profile.selected_ws_name,
+            "suggested_ws_id": session_profile.selected_ws_id,
+            "suggested_ws_name": session_profile.selected_ws_name,
+            "persisted": session_profile.persisted,
+            "request_route": self._request_route_payload(
+                BackendRequestContext(
+                    base_url=session_profile.base_url,
+                    token=normalized_token,
+                    ws_id=session_profile.selected_ws_id,
+                    qf_version=session_profile.qf_version,
+                    qf_version_source=session_profile.qf_version_source,
+                )
+            ),
+        }
+
     def _resolve_mcporter_auth_inputs(self, *, base_url: str | None, credential: str | None) -> tuple[str | None, str]:
         """从参数或 mcporter 配置解析登录所需 base_url 与 credential。"""
         normalized_base_url = self._normalize_text(base_url)

package/src/qingflow_mcp/tools/base.py

@@ -100,7 +100,7 @@ class ToolBase:
             self.sessions.invalidate(profile)
             error = QingflowApiError(
                 category="auth",
-                message=f"Qingflow session for profile '{profile}' has expired. Run auth_use_credential again.",
+                message=f"Qingflow session for profile '{profile}' has expired. Run auth login or auth_use_credential again.",
                 backend_code=error.backend_code,
                 request_id=error.request_id,
                 http_status=error.http_status,

package/src/qingflow_mcp/tools/code_block_tools.py

@@ -91,7 +91,7 @@ class CodeBlockTools(RecordTools):
         def record_code_block_run(
             profile: str = DEFAULT_PROFILE,
             app_key: str = "",
-            record_id: int = 0,
+            record_id: str = "",
             code_block_field: str = "",
             role: int = 1,
             workflow_node_id: int | None = None,
@@ -197,7 +197,7 @@ class CodeBlockTools(RecordTools):
         *,
         profile: str,
         app_key: str,
-        record_id: int,
+        record_id: int | str,
         code_block_field: str,
         role: int = 1,
         workflow_node_id: int | None = None,