cyymall-cli 0.1.0

package/README.md

@@ -0,0 +1,91 @@
+# cyymall-cli (`cyy`)
+
+Node.js CLI for CyyMall / 菜洋洋商城 APIs. Spec: [`../app-api-cli-spec.md`](../app-api-cli-spec.md).
+
+## Install from npm
+
+```bash
+npm install -g cyymall-cli
+cyy --help
+```
+
+Package: [cyymall-cli](https://www.npmjs.com/package/cyymall-cli)（发布后可用；首次发布前请用下方「本地开发」安装。）
+
+## Install (local dev)
+
+```bash
+cd cyymall-cli
+npm install
+npm link
+```
+
+Then run `cyy --help`.
+
+## Publish to npm (maintainers)
+
+1. 在 [npmjs.com](https://www.npmjs.com/) 登录；发布策略若要求 **2FA**，必须先完成账号安全设置。
+2. 本机认证二选一（**不要把 token 写进仓库或发给他人**）：
+   - **`npm login`**（交互式）；或  
+   - **`npm config set //registry.npmjs.org/:_authToken=<token>`**（仅本机 `~/.npmrc`，勿提交 Git）。
+3. 在项目目录发布：
+
+```bash
+cd cyymall-cli
+npm publish
+```
+
+若账号启用了 **2FA 且发布时必须验证**，仅配置 `_authToken` 仍可能 **403**，需带一次性密码：
+
+```bash
+npm publish --otp=123456
+```
+
+或使用 npm 后台生成的 **Granular Access Token**：权限包含 **Publish**，并在创建时勾选 **Bypass two-factor authentication (2FA)**（仅在你信任该 token 存放环境时使用；详见 npm 创建 token 页面说明）。
+
+4. 若出现 **`403 Forbidden … Two-factor authentication or granular access token with bypass 2fa`**：按上一步处理（`--otp` 或带 bypass 的 granular token），**不是** `package.json` 或 tarball 的问题。
+5. 后续发版：修改 **`package.json` 的 `version`**，再执行 `npm publish`（必要时同样加 `--otp`）。
+
+`npm pack --dry-run` 可预览将要上传的文件列表（由 **`files`** 字段控制）。
+
+## Requirements
+
+- Node.js >= 18
+
+## Quick commands
+
+```bash
+cyy config path
+cyy auth login --phone <mobile> --password <pwd>
+cyy auth whoami
+cyy shop list
+cyy shop sites --shop-id <门店ID>
+cyy shop use --shop-id <门店ID>
+cyy shop use-site --site-id <站点ID>
+cyy product search --keyword 牛奶
+cyy api call --method POST --module PRODUCT --path /app/product/getSkuList --body-file body.json
+cyy order quick --keyword 牛奶 --quantity 1 --unit 袋
+cyy serve --port 8787
+```
+
+## Session vs bootstrap env
+
+**After `cyy auth login` succeeds**, the CLI reads the session token from **`data.token`** or **`data.appToken`** (plus optional **`shopId` / `siteId` / `versionCode` / `loginId`→`memberId`** when present) and saves them under **`~/.cyymall/config.json`**. If the API omits `shopId`/`siteId`, previously saved or bootstrap values are kept where applicable.  
+后续 **`api call`、`product search`、`order quick`** 等命令都会从该文件加载并组装 Header —— **正常情况下不再需要设置 `CYY_BOOTSTRAP_*`**，等价于「登录接口返回什么就持久化什么，进程退出后仍可用」（磁盘配置，不是仅限内存）。
+
+**`CYY_BOOTSTRAP_*` 仅用于「尚未登录」时**（例如第一次调用 `/app/auth/ua/registerMember/v2` 本身需要的网关 Header）。若你的环境里登录接口在未带 shop/token 时会被网关拒绝，再按需配置这些变量；**登录成功后的业务请求一律优先使用配置文件里的会话字段**。
+
+| Variable | Purpose |
+|----------|---------|
+| `CYY_BASE_URL` | Override API host (default `https://dhcmall.ifoodbuy.com`) |
+| `CYY_PASSWORD` | Used by `auth login` if `--password` omitted |
+| `CYY_BOOTSTRAP_TOKEN` | Optional — **only before login**, gateway may expect placeholder token |
+| `CYY_BOOTSTRAP_SHOP_ID` | Optional — **only before login** |
+| `CYY_BOOTSTRAP_SITE_ID` | Default `1` when bootstrapping |
+| `CYY_BOOTSTRAP_MEMBER_ID` | Optional — **only before login** |
+| `CYY_BOOTSTRAP_VERSION_CODE` | App version header when bootstrapping / fallback (`22118`) |
+
+权威规格（含请求体附录）建议以 Android 工程内的 **`docs/app-api-cli-spec.md`** 为准；若与本仓库根目录同名文档不一致，以该版本为准。
+
+## Implementation phases
+
+See [`../README_CLI.md`](../README_CLI.md) for staged rollout and acceptance notes.

package/bin/cyy.js

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+require("../src/cli.js");

package/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "cyymall-cli",
+  "version": "0.1.0",
+  "description": "CyyMall / 菜洋洋商城 API CLI (per app-api-cli-spec)",
+  "bin": {
+    "cyy": "bin/cyy.js"
+  },
+  "main": "src/cli.js",
+  "type": "commonjs",
+  "files": [
+    "bin",
+    "src",
+    "README.md",
+    "package.json"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "scripts": {
+    "start": "node bin/cyy.js",
+    "lint": "node --check src/cli.js",
+    "prepublishOnly": "node --check src/cli.js && node --check bin/cyy.js"
+  },
+  "keywords": [
+    "cyymall",
+    "cli",
+    "dhcmall"
+  ],
+  "license": "MIT",
+  "dependencies": {
+    "commander": "^12.1.0"
+  }
+}

package/src/biz.js

@@ -0,0 +1,14 @@
+"use strict";
+
+/**
+ * @param {unknown} upstream
+ */
+function isBizSuccess(upstream) {
+  if (upstream == null || typeof upstream !== "object") return false;
+  const o = /** @type {{success?:boolean,code?:unknown}} */ (upstream);
+  if (o.success === true) return true;
+  if (o.code === "00000" || o.code === 0 || o.code === "0") return true;
+  return false;
+}
+
+module.exports = { isBizSuccess };

package/src/cli.js

@@ -0,0 +1,208 @@
+"use strict";
+
+const path = require("path");
+const pkg = require(path.join(__dirname, "..", "package.json"));
+
+const config = require("./config");
+const apiCall = require("./commands/apiCall");
+const auth = require("./commands/auth");
+const product = require("./commands/product");
+const cart = require("./commands/cart");
+const order = require("./commands/order");
+const serve = require("./commands/serve");
+const shop = require("./commands/shop");
+
+const { Command } = require("commander");
+const program = new Command();
+
+program
+  .name("cyy")
+  .description("CyyMall / 菜洋洋商城 CLI (see app-api-cli-spec.md)")
+  .version(pkg.version);
+
+const cfgCmd = program.command("config").description("Configuration");
+
+cfgCmd
+  .command("path")
+  .description("Print config file path")
+  .action(() => {
+    console.log(config.getConfigPath());
+  });
+
+cfgCmd
+  .command("show")
+  .description("Show config (token masked)")
+  .action(() => {
+    const c = config.loadConfig();
+    if (!c) {
+      console.log(JSON.stringify({ loggedIn: false }, null, 2));
+      return;
+    }
+    const masked = { ...c, token: config.maskToken(String(c.token || "")) };
+    console.log(JSON.stringify(masked, null, 2));
+  });
+
+function collect(value, previous) {
+  return previous.concat([value]);
+}
+
+const api = program.command("api").description("Low-level API calls");
+
+api
+  .command("call")
+  .description("Invoke any mapped endpoint (spec §3)")
+  .requiredOption("--method <verb>", "HTTP method: GET, POST, PUT, PATCH, DELETE")
+  .requiredOption("--module <name>", "DEFAULT | ORDER | PRODUCT | PLATFORM | PAYMENT | OSS | BIZ")
+  .requiredOption("--path <path>", "Path starting with /, e.g. /app/product/getSkuList")
+  .option("--body-json <json>", "JSON body string")
+  .option("--body-file <file>", "Read JSON body from UTF-8 file")
+  .option("--query <pair>", "Repeatable: key=value for query string", collect, [])
+  .option("--header <h>", 'Repeatable: "Name: value"', collect, [])
+  .option("--bare", "Bootstrap headers only (do not merge saved session)")
+  .action(async (opts) => {
+    await apiCall.runApiCall({
+      ...opts,
+      noAuth: Boolean(opts.bare),
+    });
+  });
+
+const authCmd = program.command("auth").description("Authentication");
+
+authCmd
+  .command("login")
+  .description("Password login (SHA-256); saves ~/.cyymall/config.json")
+  .requiredOption("--phone <p>", "Mobile phone")
+  .option("--password <pwd>", "Plain password (or set env CYY_PASSWORD)")
+  .action(async (opts) => {
+    const pwd = opts.password || process.env.CYY_PASSWORD;
+    if (!pwd) {
+      console.error("cyy: provide --password or set CYY_PASSWORD");
+      process.exit(1);
+    }
+    await auth.login(opts.phone, pwd);
+  });
+
+authCmd
+  .command("whoami")
+  .description("GET /member/getInfo/V2 using saved token")
+  .action(async () => {
+    await auth.whoami();
+  });
+
+const prod = program.command("product").description("Product helpers");
+
+prod
+  .command("search")
+  .description("POST /mall-product/app/product/getSkuList")
+  .requiredOption("--keyword <k>", "spuName keyword")
+  .option("--shop-id <id>", "Override shopId (default from session)")
+  .option("--site-id <id>", "Override siteId")
+  .option("--page <n>", "pageNum", "1")
+  .option("--page-size <n>", "pageSize", "10")
+  .option("--stock-flag <s>", "stockFlag string (Java SearchCommodityReq)", "0")
+  .action(async (opts) => {
+    await product.search(opts);
+  });
+
+const shopCmd = program.command("shop").description("Member shops and delivery sites");
+
+shopCmd
+  .command("list")
+  .description("POST /shop/member/list — paginated shops for current member (GetShopReq)")
+  .option("--page <n>", "pageNum", "1")
+  .option("--page-size <n>", "pageSize", "20")
+  .option("--name <s>", "shopName filter", "")
+  .option("--object-code <n>", "objectCode", "3")
+  .action(async (opts) => {
+    await shop.list(opts);
+  });
+
+shopCmd
+  .command("sites")
+  .description("GET /shop/member/store/list — sites for a shop")
+  .option("--shop-id <id>", "Shop id (default: session shop_id)")
+  .option("--site-name <s>", "Optional siteName filter")
+  .action(async (opts) => {
+    await shop.sites(opts);
+  });
+
+shopCmd
+  .command("use")
+  .description("Set default shop_id only in ~/.cyymall/config.json (site_id unchanged; validate via shop list)")
+  .requiredOption("--shop-id <id>", "Numeric shop id from cyy shop list")
+  .action(async (opts) => {
+    await shop.useShop(opts);
+  });
+
+shopCmd
+  .command("use-site")
+  .description("Set default site_id for current session shop_id (validates against shop sites)")
+  .requiredOption("--site-id <id>", "Site id from shop sites")
+  .action(async (opts) => {
+    await shop.useSite(opts);
+  });
+
+const cartCmd = program.command("cart").description("Shopping cart");
+
+cartCmd
+  .command("add")
+  .description("POST /mall-order/app/order/cart")
+  .option("--body-file <file>", "Cart JSON body")
+  .option("--body-json <json>", "Cart JSON string")
+  .action(async (opts) => {
+    await cart.add(opts);
+  });
+
+const orderCmd = program.command("order").description("Order flow");
+
+orderCmd
+  .command("pre-settle")
+  .description("POST /mall-order/app/order/preSettleOrder")
+  .option("--body-file <file>", "")
+  .option("--body-json <json>", "")
+  .action(async (opts) => {
+    await order.preSettle(opts);
+  });
+
+orderCmd
+  .command("confirm")
+  .description("POST /mall-order/app/order/confirmOrder")
+  .option("--body-file <file>", "")
+  .option("--body-json <json>", "")
+  .action(async (opts) => {
+    await order.confirm(opts);
+  });
+
+orderCmd
+  .command("pay-url")
+  .description("Build H5 replacePay URL for order")
+  .requiredOption("--order-id <id>", "Order id from confirm response")
+  .action(async (opts) => {
+    await order.payUrl(opts);
+  });
+
+orderCmd
+  .command("quick")
+  .description("Search → cart → pre-settle → confirm → pay URL (first search hit)")
+  .requiredOption("--keyword <k>", "Product keyword")
+  .option("--quantity <n>", "Qty", "1")
+  .option("--unit <u>", "袋 | 提 | 箱", "袋")
+  .option("--shop-id <id>", "shopId override")
+  .option("--site-id <id>", "siteId override")
+  .action(async (opts) => {
+    await order.quick(opts);
+  });
+
+program
+  .command("serve")
+  .description("Local HTTP shim: POST /invoke JSON body { method, module, path, body?, query?, noAuth? }")
+  .option("-p, --port <n>", "port", "8787")
+  .option("--host <h>", "bind address", "127.0.0.1")
+  .action((opts) => {
+    serve.runServe({ port: opts.port, host: opts.host });
+  });
+
+program.parseAsync(process.argv).catch((e) => {
+  console.error(e);
+  process.exit(1);
+});

package/src/commands/apiCall.js

@@ -0,0 +1,149 @@
+"use strict";
+
+const config = require("../config");
+const http = require("../http");
+const biz = require("../biz");
+
+/**
+ * Parse repeated --query key=value
+ * @param {string[]} queryArgs
+ */
+function parseQueryPairs(queryArgs) {
+  const q = {};
+  if (!queryArgs || !queryArgs.length) return q;
+  for (const pair of queryArgs) {
+    const i = pair.indexOf("=");
+    if (i <= 0) continue;
+    const k = pair.slice(0, i).trim();
+    const v = pair.slice(i + 1);
+    q[k] = v;
+  }
+  return q;
+}
+
+function appendQuery(url, queryObj) {
+  const keys = Object.keys(queryObj);
+  if (!keys.length) return url;
+  const u = new URL(url);
+  for (const k of keys) {
+    u.searchParams.set(k, queryObj[k]);
+  }
+  return u.toString();
+}
+
+/**
+ * Shared executor for CLI and HTTP serve mode.
+ * @param {object} opts
+ */
+async function executeApiCall(opts) {
+  const {
+    method,
+    module: moduleKey,
+    path: pathSuffix,
+    bodyJson,
+    bodyFile,
+    bodyObj,
+    query: queryArgs,
+    queryObj: queryObjIn,
+    noAuth,
+    header: headerPairs,
+  } = opts;
+
+  let bodyStr = null;
+  if (bodyFile) {
+    const fs = require("fs");
+    bodyStr = fs.readFileSync(bodyFile, "utf8");
+  } else if (bodyObj != null) {
+    bodyStr = JSON.stringify(bodyObj);
+  } else if (bodyJson != null && bodyJson !== "") {
+    bodyStr = bodyJson;
+  }
+
+  if (bodyStr && method === "GET") {
+    return { error: "GET request should not use body; use query only.", exitCode: 1 };
+  }
+
+  let url = http.moduleUrl(moduleKey, pathSuffix);
+  const queryObj =
+    queryObjIn && typeof queryObjIn === "object"
+      ? queryObjIn
+      : parseQueryPairs(queryArgs || []);
+  url = appendQuery(url, queryObj);
+
+  /** @type {Record<string,string>} */
+  let headers = {};
+
+  if (!noAuth) {
+    const cfg = config.loadConfig();
+    headers = /** @type {Record<string,string>} */ (
+      http.buildAuthHeaders(cfg)
+    );
+  } else {
+    headers = /** @type {Record<string,string>} */ (http.buildAuthHeaders(null));
+  }
+
+  const extras = headerPairs || [];
+  for (const h of extras) {
+    const idx = h.indexOf(":");
+    if (idx > 0) {
+      const hk = h.slice(0, idx).trim();
+      const hv = h.slice(idx + 1).trim();
+      headers[hk] = hv;
+    }
+  }
+
+  if (method === "GET" || method === "HEAD") {
+    delete headers["Content-Type"];
+  } else if (bodyStr) {
+    headers["Content-Type"] = headers["Content-Type"] || "application/json;charset=UTF-8";
+  }
+
+  const { ok, status, json } = await http.request(url, {
+    method,
+    headers,
+    body: bodyStr,
+  });
+
+  const bizOk = ok && (json == null || biz.isBizSuccess(json));
+  const envelopeSuccess = bizOk;
+  const traceId = `local-${require("crypto").randomBytes(8).toString("hex")}`;
+  const message =
+    json && typeof json === "object" && "msg" in json
+      ? String(/** @type {{msg?:string}} */ (json).msg)
+      : ok
+        ? "success"
+        : `HTTP ${status}`;
+
+  const envelope = {
+    success: envelopeSuccess,
+    code: envelopeSuccess ? "OK" : "UPSTREAM_ERROR",
+    message,
+    data: { upstream: json, httpStatus: status },
+    traceId,
+  };
+
+  return { envelope, exitCode: envelopeSuccess ? 0 : 2 };
+}
+
+/**
+ * @param {import('commander').OptionValues} opts
+ */
+async function runApiCall(opts) {
+  if (opts.bodyJson && opts.method === "GET") {
+    console.error("cyy: GET request should not use body; use --query instead.");
+    process.exit(1);
+  }
+  const merged = {
+    ...opts,
+    noAuth: Boolean(opts.noAuth ?? opts.bare),
+  };
+  const result = await executeApiCall(merged);
+  if (result.error) {
+    console.error(`cyy: ${result.error}`);
+    process.exit(result.exitCode ?? 1);
+  }
+  console.log(JSON.stringify(result.envelope, null, 2));
+  process.exit(result.exitCode ?? 1);
+}
+
+module.exports = { runApiCall, executeApiCall, parseQueryPairs };

package/src/commands/auth.js

@@ -0,0 +1,134 @@
+"use strict";
+
+const crypto = require("crypto");
+const config = require("../config");
+const http = require("../http");
+const biz = require("../biz");
+
+function sha256Hex(s) {
+  return crypto.createHash("sha256").update(s, "utf8").digest("hex");
+}
+
+/**
+ * Login `data` may use `token` (Android LoginBean / Gson), `appToken`, or `accessToken`.
+ * @param {Record<string, unknown>|null|undefined} data
+ */
+function pickLoginToken(data) {
+  if (!data || typeof data !== "object") return "";
+  const d = /** @type {Record<string, unknown>} */ (data);
+  const v = d.token ?? d.appToken ?? d.accessToken;
+  return v != null ? String(v) : "";
+}
+
+async function login(phone, password) {
+  const url = http.moduleUrl("DEFAULT", "/app/auth/ua/registerMember/v2");
+  const headers = /** @type {Record<string,string>} */ (http.buildAuthHeaders(null));
+  const body = JSON.stringify({
+    phone,
+    objectCode: "3",
+    password: sha256Hex(password),
+    passwordLoginFlag: true,
+    onKeyLoginFlag: false,
+    wxOpenid: "",
+  });
+
+  const { ok, json } = await http.request(url, {
+    method: "POST",
+    headers,
+    body,
+  });
+
+  if (!ok || !biz.isBizSuccess(json)) {
+    const msg =
+      json && typeof json === "object" && "msg" in json
+        ? String(/** @type {{msg?:string}} */ (json).msg)
+        : "login failed";
+    console.error(`cyy: ${msg}`);
+    process.exit(2);
+  }
+
+  const raw = /** @type {{data?:Record<string,unknown>|null}} */ (json).data;
+  const data = raw && typeof raw === "object" ? raw : {};
+  const prev = config.loadConfig() || {};
+
+  const loginId = String(data.loginId || "");
+  const memberId = loginId.includes("_") ? loginId.split("_")[0] : loginId;
+
+  const token = pickLoginToken(data);
+  if (!token) {
+    console.error(
+      "cyy: login reported success but data has no token (expected token, appToken, or accessToken)",
+    );
+    process.exit(2);
+  }
+
+  const saved = {
+    phone,
+    token,
+    member_id: memberId || String(prev.member_id || ""),
+    shop_id: data.shopId ?? prev.shop_id,
+    site_id: data.siteId ?? prev.site_id ?? "1",
+    version_code: String(data.versionCode ?? prev.version_code ?? http.DEFAULT_VERSION),
+    login_time: Math.floor(Date.now() / 1000),
+  };
+
+  config.saveConfig(saved);
+
+  const traceId = `local-${crypto.randomBytes(8).toString("hex")}`;
+  console.log(
+    JSON.stringify(
+      {
+        success: true,
+        code: "OK",
+        message: "login success",
+        data: {
+          phone: saved.phone,
+          member_id: saved.member_id,
+          shop_id: saved.shop_id,
+          site_id: saved.site_id,
+          version_code: saved.version_code,
+          token_preview: config.maskToken(saved.token),
+        },
+        traceId,
+      },
+      null,
+      2,
+    ),
+  );
+  process.exit(0);
+}
+
+async function whoami() {
+  const cfg = config.loadConfig();
+  if (!cfg?.token) {
+    console.error("cyy: not logged in. Run: cyy auth login --phone ... --password ...");
+    process.exit(1);
+  }
+  const url = http.moduleUrl("DEFAULT", "/member/getInfo/V2");
+  const headers = /** @type {Record<string,string>} */ (http.buildAuthHeaders(cfg));
+  delete headers["Content-Type"];
+  const { ok, json } = await http.request(url, {
+    method: "GET",
+    headers,
+    body: null,
+  });
+
+  const traceId = `local-${crypto.randomBytes(8).toString("hex")}`;
+  const success = ok && biz.isBizSuccess(json);
+  console.log(
+    JSON.stringify(
+      {
+        success,
+        code: success ? "OK" : "UPSTREAM_ERROR",
+        message: success ? "success" : "whoami failed",
+        data: { upstream: json },
+        traceId,
+      },
+      null,
+      2,
+    ),
+  );
+  process.exit(success ? 0 : 2);
+}
+
+module.exports = { login, whoami };

package/src/commands/cart.js

@@ -0,0 +1,55 @@
+"use strict";
+
+const fs = require("fs");
+const crypto = require("crypto");
+const http = require("../http");
+const config = require("../config");
+const biz = require("../biz");
+
+/**
+ * @param {{ bodyFile?: string, bodyJson?: string }} opts
+ */
+async function add(opts) {
+  const cfg = config.loadConfig();
+  if (!cfg?.token) {
+    console.error("cyy: not logged in.");
+    process.exit(1);
+  }
+
+  let raw = opts.bodyJson;
+  if (opts.bodyFile) {
+    raw = fs.readFileSync(opts.bodyFile, "utf8");
+  }
+  if (!raw) {
+    console.error("cyy: provide --body-file or --body-json");
+    process.exit(1);
+  }
+
+  const url = http.moduleUrl("ORDER", "/app/order/cart");
+  const headers = /** @type {Record<string,string>} */ (http.buildAuthHeaders(cfg));
+
+  const { ok, json } = await http.request(url, {
+    method: "POST",
+    headers,
+    body: raw,
+  });
+
+  const traceId = `local-${crypto.randomBytes(8).toString("hex")}`;
+  const success = ok && biz.isBizSuccess(json);
+  console.log(
+    JSON.stringify(
+      {
+        success,
+        code: success ? "OK" : "UPSTREAM_ERROR",
+        message: success ? "success" : "cart failed",
+        data: { upstream: json },
+        traceId,
+      },
+      null,
+      2,
+    ),
+  );
+  process.exit(success ? 0 : 2);
+}
+
+module.exports = { add };