@tacoreai/web-sdk 1.22.1-beta.0 → 1.22.1-beta.2

package/database/core/apps/AppServerRuntime.js

@@ -33,6 +33,8 @@ const getRequestSource = (isPlatformProxyRequest, isSchedulerRequest) => {
 const createRequestScopedAppsClient = (env, options = {}) => {
   const {
     accessToken = null,
+    appServerApiKey = null,
+    clientAppId = env.dataSourceId || env.appId,
     previewAppServerApiKey = null,
     enableAppServerServiceAuth = false,
   } = options;
@@ -50,11 +52,15 @@ const createRequestScopedAppsClient = (env, options = {}) => {
       null;
   }
 
+  if (appServerApiKey) {
+    config.appServerApiKey = appServerApiKey;
+  }
+
   if (previewAppServerApiKey) {
     config.previewAppServerApiKey = previewAppServerApiKey;
   }
 
-  return new AppsClient(env.dataSourceId || env.appId, config);
+  return new AppsClient(clientAppId, config);
 };
 
 const isPreviewApiKeyShapeValid = (apiKey) => {
@@ -286,6 +292,7 @@ export const createAppServerRuntime = async (options = {}) => {
       process.env.CLOUDFLARE_WORKER_INTEROP_APP_SERVER_TOKEN
     );
     const requestSource = getRequestSource(isPlatformProxyRequest, isSchedulerRequest);
+    let appServerApiKey = null;
     let previewAppServerApiKey = null;
     let isExternalApiKeyRequest = false;
 
@@ -313,6 +320,7 @@ export const createAppServerRuntime = async (options = {}) => {
       try {
         const authClient = createRequestScopedAppsClient(env, {
           accessToken: requestAccessToken || null,
+          clientAppId: env.appId,
         });
         isValidApiKey = await validateExternalApiKey(authClient, env.appId, requestApiKey);
       } catch (error) {
@@ -333,6 +341,7 @@ export const createAppServerRuntime = async (options = {}) => {
       }
 
       isExternalApiKeyRequest = true;
+      appServerApiKey = requestApiKey;
 
       if (isPreviewMode() && !requestAccessToken) {
         previewAppServerApiKey = requestApiKey;
@@ -347,16 +356,19 @@ export const createAppServerRuntime = async (options = {}) => {
         hasPlatformInteropHeader: Boolean(platformInteropHeader),
         hasSchedulerInteropHeader: Boolean(schedulerInteropHeader),
         isExternalApiKeyRequest,
+        willForwardAppServerApiKey: Boolean(appServerApiKey && !requestAccessToken),
         willForwardPreviewAppServerApiKey: Boolean(previewAppServerApiKey),
       });
 
       const appsClient = createRequestScopedAppsClient(env, {
         accessToken: requestAccessToken || null,
+        appServerApiKey: requestAccessToken ? null : appServerApiKey,
         previewAppServerApiKey,
         enableAppServerServiceAuth: Boolean((isSchedulerRequest || isExternalApiKeyRequest) && !requestAccessToken),
       });
       console.log(`[AppServer Debug] scoped AppsClient api="${apiName}"`, {
         hasAccessToken: Boolean(appsClient.getAccessToken()),
+        hasAppServerApiKey: Boolean(appsClient.config.appServerApiKey),
         hasPreviewAppServerApiKey: Boolean(appsClient.config.previewAppServerApiKey),
         hasInteropKey: Boolean(appsClient.config.tacoreServerInteropAppServerApiKey),
         serviceAuthEnabled: appsClient.config.enableAppServerServiceAuth === true,

package/database/core/apps/AppsClient.Data.js

@@ -80,22 +80,11 @@ export const appsClientDataMethods = {
         modelName: modelName,
       };
 
-      if (typeof query === "string") {
-        params.wyID = query;
-      } else if (query && typeof query === "object") {
-        const { page = 1, pageSize = 20, fields, filter } = query;
-        params.page = Math.max(1, parseInt(page));
-        params.pageSize = parseInt(pageSize) || 1000;
-        console.log(params);
-        if (fields && Array.isArray(fields)) {
-          params.fields = fields;
-        }
-
-        if (filter && typeof filter === "object") {
-          params.filter = filter;
-        }
+      if (typeof query !== "string" || !query) {
+        throw new Error("readData only supports single-record reads by wyID. Use invoke('data/list', ...) or invoke('data/query', ...) for list/query reads.");
       }
 
+      params.wyID = query;
       const result = await this._get("/apps/data/read", params);
 
       if (result.data === null && params.wyID) {
@@ -152,7 +141,13 @@ export const appsClientDataMethods = {
   async hasData(modelName) {
     try {
       if (!modelName) throw new Error("modelName is required for hasData");
-      const result = await this.readData(modelName, { page: 1, pageSize: 1 });
+      const result = await this.invoke("data/list", {
+        modelName,
+        query: {
+          page: 1,
+          pageSize: 1,
+        },
+      });
       return result && result.data && result.data.length > 0;
     } catch (error) {
       console.error(`检查应用数据失败 (model: ${modelName}):`, error);

package/database/core/apps/AppsClient.IAM.js

@@ -0,0 +1,77 @@
+export const appsClientIamMethods = {
+  async getIamContext(params = {}) {
+    return this._post("/apps/iam/me", params);
+  },
+
+  async bootstrapIam(params = {}) {
+    return this._post("/apps/iam/bootstrap", params);
+  },
+
+  async listIamOrgUnits(params = {}) {
+    return this._post("/apps/iam/org-units/list", params);
+  },
+
+  async createIamOrgUnit(params = {}) {
+    return this._post("/apps/iam/org-units", params);
+  },
+
+  async updateIamOrgUnit(params = {}) {
+    return this._post("/apps/iam/org-units/update", params);
+  },
+
+  async deleteIamOrgUnit(params = {}) {
+    return this._post("/apps/iam/org-units/delete", params);
+  },
+
+  async listIamRoles(params = {}) {
+    return this._post("/apps/iam/roles/list", params);
+  },
+
+  async createIamRole(params = {}) {
+    return this._post("/apps/iam/roles", params);
+  },
+
+  async updateIamRole(params = {}) {
+    return this._post("/apps/iam/roles/update", params);
+  },
+
+  async deleteIamRole(params = {}) {
+    return this._post("/apps/iam/roles/delete", params);
+  },
+
+  async listIamStaff(params = {}) {
+    return this._post("/apps/iam/staff/list", params);
+  },
+
+  async createIamStaff(params = {}) {
+    return this._post("/apps/iam/staff", params);
+  },
+
+  async updateIamStaff(params = {}) {
+    return this._post("/apps/iam/staff/update", params);
+  },
+
+  async deleteIamStaff(params = {}) {
+    return this._post("/apps/iam/staff/delete", params);
+  },
+
+  async listModelPolicies(params = {}) {
+    return this._post("/apps/data/model-policies/list", params);
+  },
+
+  async declareModelPolicy(params = {}) {
+    return this._post("/apps/data/model-policies/declare", params);
+  },
+
+  async writeAuditLog(params = {}) {
+    return this._post("/apps/audit/write", params);
+  },
+
+  async queryAuditLogs(params = {}) {
+    return this._post("/apps/audit/query", params);
+  },
+
+  async authorizeFileDownload(params = {}) {
+    return this._post("/apps/files/authorize-download", params);
+  },
+};

package/database/core/apps/AppsClient.Users.js

@@ -62,4 +62,34 @@ export const appsClientUserMethods = {
       password,
     });
   },
+
+  /**
+   * 从当前应用移除用户访问权限，保留 Auth 账号。
+   * @param {Object} params { userId: string }
+   * @returns {Promise<{success: boolean, data: {userId: string, appId: string}}>}
+   */
+  async removeAppUser({ userId }) {
+    if (!userId) {
+      throw new Error("userId is required.");
+    }
+    return this._post("/apps/users/remove", {
+      appId: this.appId,
+      targetUserId: userId,
+    });
+  },
+
+  /**
+   * 彻底删除当前应用中的用户账号，使该邮箱可重新注册。
+   * @param {Object} params { userId: string }
+   * @returns {Promise<{success: boolean, data: {userId: string, appId: string, deletionMode: string, authDeleted: boolean}}>}
+   */
+  async deleteAppUser({ userId }) {
+    if (!userId) {
+      throw new Error("userId is required.");
+    }
+    return this._post("/apps/users/delete", {
+      appId: this.appId,
+      targetUserId: userId,
+    });
+  },
 };

package/database/core/apps/AppsClient.js

@@ -18,6 +18,7 @@ import { appsClientToolsMethods } from "./AppsClient.Tools.js";
 import { appsClientDebugMethods } from "./AppsClient.Debug.js";
 import { appsClientCrawlerMethods } from "./AppsClient.Crawler.js";
 import { appsClientWechatMethods } from "./AppsClient.Wechat.js";
+import { appsClientIamMethods } from "./AppsClient.IAM.js";
 
 const instanceMap = new Map();
 /**
@@ -79,8 +80,7 @@ class AppsClient extends BaseAppsClient {
           return this.readData(modelName, rest.wyID);
         }
         
-        // 兼容旧版平铺参数
-        return this.readData(modelName, rest);
+        throw new Error("readData only supports single-record reads by wyID. Use invoke('data/list', ...) or invoke('data/query', ...) for list/query reads.");
       },
 
       "deleteData": ({ modelName, wyID, options }) =>
@@ -103,8 +103,31 @@ class AppsClient extends BaseAppsClient {
       "createRole": params => this.createRole(params),
       "updateUserRole": params => this.updateUserRole(params),
       "users/update-password": params => this.updateUserPassword(params),
+      "users/remove": params => this.removeAppUser(params),
+      "users/delete": params => this.deleteAppUser(params),
       "listAppUsers": params => this.listAppUsers(params),
 
+      // === 企业 IAM / 审计 / 文件鉴权 ===
+      "iam/me": params => this.getIamContext(params),
+      "iam/bootstrap": params => this.bootstrapIam(params),
+      "iam/org-units/list": params => this.listIamOrgUnits(params),
+      "iam/org-units": params => this.createIamOrgUnit(params),
+      "iam/org-units/update": params => this.updateIamOrgUnit(params),
+      "iam/org-units/delete": params => this.deleteIamOrgUnit(params),
+      "iam/roles/list": params => this.listIamRoles(params),
+      "iam/roles": params => this.createIamRole(params),
+      "iam/roles/update": params => this.updateIamRole(params),
+      "iam/roles/delete": params => this.deleteIamRole(params),
+      "iam/staff/list": params => this.listIamStaff(params),
+      "iam/staff": params => this.createIamStaff(params),
+      "iam/staff/update": params => this.updateIamStaff(params),
+      "iam/staff/delete": params => this.deleteIamStaff(params),
+      "data/model-policies/list": params => this.listModelPolicies(params),
+      "data/model-policies/declare": params => this.declareModelPolicy(params),
+      "audit/write": params => this.writeAuditLog(params),
+      "audit/query": params => this.queryAuditLogs(params),
+      "files/authorize-download": params => this.authorizeFileDownload(params),
+
       // === 文件存储 ===
       "uploadFile": ({ file }) => this.uploadFile(file),
       "uploadToR2": ({ file }) => this.uploadToR2(file),
@@ -213,7 +236,8 @@ Object.assign(
   appsClientToolsMethods,
   appsClientDebugMethods,
   appsClientCrawlerMethods,
-  appsClientWechatMethods
+  appsClientWechatMethods,
+  appsClientIamMethods
 );
 
 export { AppsClient };

package/database/core/apps/AppsPublicClient.js

@@ -4,8 +4,10 @@ import { BaseAppsClient } from "./BaseAppsClient.js";
  * AI应用公共数据客户端 - 无需认证
  *
  * 核心理念：
- * - 用于匿名读取被 `writeData` 设为公共的数据。
+ * - 通过继承的通用 invoke(path, params) 调用匿名公开接口。
+ * - 用于匿名读取模型策略 `publicRead` 明确开放的 CMS 数据。
  * - 用于匿名提交数据到指定的、允许公开写入的模型。
+ * - 保留 `readConfiguredPublicData` 兼容旧 publicConfig 公开读。
  * - 此客户端的所有操作都无需用户登录。
  */
 export class AppsPublicClient extends BaseAppsClient {

package/database/core/apps/BaseAppsClient.js

@@ -2,10 +2,11 @@ import { getAppsApiBaseUrl, isBrowser, isBackend, isSSR, getGlobalOptions } from
 
 const ACCESS_TOKEN_STORAGE_KEY = "tacoreai_apps_access_token";
 const PREVIEW_APPSERVER_API_KEY_HEADER = "x-tacore-preview-app-server-api-key";
+const FORWARDED_APP_SERVER_API_KEY_HEADER = "x-tacore-forwarded-app-server-api-key";
 const APP_SERVER_SERVICE_TOKEN_HEADER = "x-tacore-app-server-service-token";
 const APP_SERVER_OWNER_APP_ID_HEADER = "x-tacore-app-server-owner-app-id";
-const INTEROP_APP_SERVER_API_KEY_REQUIRED_ERROR =
-  "tacoreServerInteropAppServerApiKey is required for backend environment. Provide it in config or via TACORE_SERVER_INTEROP_APP_SERVER_API_KEY env var.";
+const APP_SERVER_SERVICE_CREDENTIAL_REQUIRED_ERROR =
+  "AppServer service credential is required for backend service auth. Provide TACORE_SERVER_INTEROP_APP_SERVER_API_KEY + TACORE_APP_SERVER_SERVICE_TOKEN, or forward a validated appServerApiKey.";
 
 const normalizeAccessToken = (value) => {
   if (typeof value !== "string") {
@@ -50,7 +51,17 @@ const writePersistedAccessToken = (token) => {
 };
 
 const isBackendPreviewMode = () => isBackend && process.env.TACORE_APPSERVER_PREVIEW_MODE === "true";
-const shouldRequireInteropAppServerApiKey = () => isBackend && !isSSR && !isBackendPreviewMode();
+const hasAppServerServiceCredential = (config = {}) => {
+  if (config.tacoreServerInteropAppServerApiKey && config.tacoreAppServerServiceToken) {
+    return true;
+  }
+  if (config.appServerApiKey) {
+    return true;
+  }
+  return isBackendPreviewMode() && Boolean(config.previewAppServerApiKey);
+};
+const shouldRequireAppServerServiceCredential = (config = {}) =>
+  isBackend && !isSSR && config.enableAppServerServiceAuth === true;
 
 /**
  * Apps SDK 基类
@@ -96,8 +107,8 @@ export class BaseAppsClient {
       this.config.tacoreAppServerServiceToken = process.env.TACORE_APP_SERVER_SERVICE_TOKEN;
     }
 
-    if (shouldRequireInteropAppServerApiKey() && !this.config.tacoreServerInteropAppServerApiKey) {
-      throw new Error(INTEROP_APP_SERVER_API_KEY_REQUIRED_ERROR);
+    if (shouldRequireAppServerServiceCredential(this.config) && !hasAppServerServiceCredential(this.config)) {
+      throw new Error(APP_SERVER_SERVICE_CREDENTIAL_REQUIRED_ERROR);
     }
   }
 
@@ -167,10 +178,6 @@ export class BaseAppsClient {
       ...additionalHeaders,
     };
 
-    if (this.config.datasource) {
-      headers["x-datasource"] = this.config.datasource;
-    }
-
     if (this.config.supabaseBaseUrl) {
       headers["x-supabase-base-url"] = this.config.supabaseBaseUrl;
     }
@@ -196,17 +203,20 @@ export class BaseAppsClient {
       headers["Authorization"] = `Bearer ${token}`;
     }
 
-    if (
-      isBackend &&
-      !isSSR &&
-      !token &&
-      this.config.enableAppServerServiceAuth === true &&
-      this.config.tacoreServerInteropAppServerApiKey &&
-      this.config.tacoreAppServerServiceToken
-    ) {
-      headers["x-tacore-server-interop-app-server-api-key"] = this.config.tacoreServerInteropAppServerApiKey;
-      headers[APP_SERVER_SERVICE_TOKEN_HEADER] = this.config.tacoreAppServerServiceToken;
-      headers[APP_SERVER_OWNER_APP_ID_HEADER] = this.config.appServerOwnerAppId || this.config.appId || process.env.APP_ID || this.appId;
+    if (isBackend && !isSSR && !token && this.config.enableAppServerServiceAuth === true) {
+      if (this.config.tacoreServerInteropAppServerApiKey && this.config.tacoreAppServerServiceToken) {
+        headers["x-tacore-server-interop-app-server-api-key"] = this.config.tacoreServerInteropAppServerApiKey;
+        headers[APP_SERVER_SERVICE_TOKEN_HEADER] = this.config.tacoreAppServerServiceToken;
+        headers[APP_SERVER_OWNER_APP_ID_HEADER] = this.config.appServerOwnerAppId || this.config.appId || process.env.APP_ID || this.appId;
+      } else if (this.config.appServerApiKey && !headers[FORWARDED_APP_SERVER_API_KEY_HEADER]) {
+        headers[FORWARDED_APP_SERVER_API_KEY_HEADER] = this.config.appServerApiKey;
+      } else if (
+        isBackendPreviewMode() &&
+        this.config.previewAppServerApiKey &&
+        !headers[PREVIEW_APPSERVER_API_KEY_HEADER]
+      ) {
+        headers[PREVIEW_APPSERVER_API_KEY_HEADER] = this.config.previewAppServerApiKey;
+      }
     } else if (
       isBackendPreviewMode() &&
       !token &&
@@ -323,6 +333,7 @@ export class BaseAppsClient {
   getConfig() {
     const config = { ...this.config };
     delete config.accessToken;
+    delete config.appServerApiKey;
     delete config.previewAppServerApiKey;
     return config;
   }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@tacoreai/web-sdk",
   "description": "This file is for app server package, not the real npm package",
-  "version": "1.22.1-beta.0",
+  "version": "1.22.1-beta.2",
   "type": "module",
   "publishConfig": {
     "access": "public",

package/utils/index.js

@@ -54,11 +54,8 @@ export function getAppsApiBaseUrl() {
   }
   // 后端环境逻辑
   if (isBackend) {
-    // stone 手动： tacore server 内网地址
-    const baseUrl = process.env.TACORE_SERVER_INTRANET_BASE_URL;
-    if (!baseUrl) {
-      throw new Error("TACORE_SERVER_INTRANET_BASE_URL environment variable is not set in the backend environment.");
-    }
+    // stone 手动：tacore server 地址，优先使用内网地址，兜底走公网（比如平台外本地部署）
+    const baseUrl = process.env.TACORE_SERVER_INTRANET_BASE_URL || 'https://api.tacore.chat';
     return baseUrl;
   }