openxiangda 1.0.103 → 1.0.105

package/lib/app-function-invoke.js

@@ -0,0 +1,28 @@
+function buildOpenXiangdaFunctionInvokeRequest(appType, functionCode, body) {
+  return {
+    method: 'POST',
+    path: `/openxiangda-api/v1/apps/${encodeURIComponent(appType)}/functions/${encodeURIComponent(functionCode)}/invoke`,
+    body,
+    strictEnvelope: true,
+  };
+}
+
+function buildLegacyFunctionInvokeRequest(appType, functionCode, body) {
+  return {
+    method: 'POST',
+    path: `/${encodeURIComponent(appType)}/v1/functions/${encodeURIComponent(functionCode)}/invoke.json`,
+    body,
+    strictEnvelope: true,
+  };
+}
+
+function isHttpNotFound(error) {
+  const status = Number(error?.status || error?.statusCode || error?.response?.status);
+  return status === 404 || String(error?.message || '').includes('HTTP 404');
+}
+
+module.exports = {
+  buildLegacyFunctionInvokeRequest,
+  buildOpenXiangdaFunctionInvokeRequest,
+  isHttpNotFound,
+};

package/lib/cli.js

@@ -20,6 +20,11 @@ const {
 } = require('./config');
 const { requestJson } = require('./http');
 const { getSkillStatusReport, installSkills } = require('./skills');
+const {
+  buildLegacyFunctionInvokeRequest,
+  buildOpenXiangdaFunctionInvokeRequest,
+  isHttpNotFound,
+} = require('./app-function-invoke');
 const { assertCanInitializeWorkspace, initWorkspace } = require('./workspace-init');
 const { bootstrapWorkspace } = require('./workspace-bootstrap');
 const {
@@ -31,6 +36,7 @@ const {
   renderDesignTemplate,
   renderResourceExplain,
 } = require('./design-gates');
+const { buildDesignReview, renderDesignReview } = require('./design-review');
 const {
   fail,
   formatFetchError,
@@ -104,7 +110,7 @@ Usage:
   openxiangda platform use <name>
   openxiangda auth status|refresh|logout [--profile name]
   openxiangda doctor [--profile name] [--app-type APP_XXX] [--json]
-  openxiangda design gates|template [--topic code] [--json]
+  openxiangda design gates|template|review [--topic code] [--json]
   openxiangda env [--profile name]
   openxiangda workspace init [dir] [--name package-name] [--runtime legacy|react-spa] [--install] [--profile name --app-type APP_XXX]
   openxiangda workspace init [dir] --profile <name> --app-name <app-name> [--runtime legacy|react-spa] [--install]
@@ -475,7 +481,24 @@ async function design(args) {
     return;
   }
 
-  fail('用法: openxiangda design gates|template [--topic code] [--json]');
+  if (subcommand === 'review') {
+    const hasResources = fs.existsSync(path.join(process.cwd(), 'src', 'resources'));
+    const manifest = hasResources ? loadWorkspaceResources() : null;
+    const validation = manifest ? validateWorkspaceResources(manifest) : {
+      errors: [],
+      warnings: ['未发现 src/resources，无法审查资源 manifest'],
+    };
+    const result = buildDesignReview({
+      cwd: process.cwd(),
+      manifest,
+      validation,
+    });
+    if (flags.json) return writeJson(result);
+    print(renderDesignReview(result));
+    return;
+  }
+
+  fail('用法: openxiangda design gates|template|review [--topic code] [--json]');
 }
 
 async function doctor(args) {
@@ -2664,12 +2687,35 @@ async function appFunction(args) {
     const [functionCode] = positional;
     if (!functionCode) fail('用法: openxiangda function invoke <functionCode> [--body-json file|json]');
     const body = readDirectJsonBody(flags, 'function invoke', { optional: true });
-    return runDirectRequest(config, target, flags, {
-      method: 'POST',
-      path: `/${encodeURIComponent(target.appType)}/v1/functions/${encodeURIComponent(functionCode)}/invoke.json`,
-      body,
-      strictEnvelope: true,
-    });
+    const openXiangdaApiRequest = buildOpenXiangdaFunctionInvokeRequest(
+      target.appType,
+      functionCode,
+      body
+    );
+    if (flags['dry-run']) {
+      return runDirectRequest(config, target, flags, openXiangdaApiRequest);
+    }
+    try {
+      const data = await requestWithAuth(
+        config,
+        target.profileName,
+        openXiangdaApiRequest.path,
+        {
+          method: openXiangdaApiRequest.method,
+          body: openXiangdaApiRequest.body,
+          strictEnvelope: true,
+        }
+      );
+      return outputDirectResult(data, flags);
+    } catch (error) {
+      if (!isHttpNotFound(error)) throw error;
+      return runDirectRequest(
+        config,
+        target,
+        flags,
+        buildLegacyFunctionInvokeRequest(target.appType, functionCode, body)
+      );
+    }
   }
 
   return directResourceCrud(config, target, {
@@ -4044,7 +4090,7 @@ async function commands(args) {
       'platform add|list|use|remove',
       'auth status|refresh|logout',
       'doctor [--profile name] [--app-type APP_XXX]',
-      'design gates|template [--topic code]',
+      'design gates|template|review [--topic code]',
       'env',
       'workspace init|bind|publish [--app-name] [--changed|--since|--form|--page|--only|--dry-run|--force|--resources|--skip-resources|--prune]',
       'app list|create|snapshot',

package/lib/design-gates.js

@@ -309,7 +309,7 @@ function getDesignTopicCatalog() {
 function renderDesignHelp() {
   const catalog = getDesignTopicCatalog();
   const lines = [
-    '用法: openxiangda design gates|template [--topic code[,code...]] [--json]',
+    '用法: openxiangda design gates|template|review [--topic code[,code...]] [--json]',
     '',
     catalog.hardRule,
     '',

package/lib/design-review.js

@@ -0,0 +1,220 @@
+const fs = require('fs');
+const path = require('path');
+
+const SOURCE_DIRS = [
+  path.join('src', 'app'),
+  path.join('src', 'pages'),
+  path.join('src', 'forms'),
+  path.join('src', 'runtime'),
+];
+const SOURCE_EXTENSIONS = new Set(['.js', '.jsx', '.ts', '.tsx']);
+const SKIP_DIRS = new Set([
+  'node_modules',
+  '.pnpm',
+  'dist',
+  '.vite',
+  '.vite-temp',
+  '.cache',
+  'coverage',
+]);
+
+function buildDesignReview(options = {}) {
+  const cwd = options.cwd || process.cwd();
+  const manifest = options.manifest || null;
+  const validation = options.validation || null;
+  const result = {
+    cwd,
+    checkedAt: new Date().toISOString(),
+    passed: true,
+    summary: {
+      errors: 0,
+      warnings: 0,
+      suggestions: 0,
+    },
+    errors: [],
+    warnings: [],
+    suggestions: [],
+  };
+
+  addResourceValidationFindings(result, validation);
+  reviewPublicAccess(result, manifest);
+  reviewSourceFiles(result, cwd);
+  reviewAcceptanceArtifacts(result, cwd);
+
+  result.summary.errors = result.errors.length;
+  result.summary.warnings = result.warnings.length;
+  result.summary.suggestions = result.suggestions.length;
+  result.passed = result.errors.length === 0;
+  return result;
+}
+
+function renderDesignReview(result) {
+  const lines = [
+    'OpenXiangda design review',
+    `cwd: ${result.cwd}`,
+    `status: ${result.passed ? 'passed' : 'needs attention'}`,
+    `summary: ${result.summary.errors} errors, ${result.summary.warnings} warnings, ${result.summary.suggestions} suggestions`,
+  ];
+  appendFindings(lines, 'Errors', result.errors);
+  appendFindings(lines, 'Warnings', result.warnings);
+  appendFindings(lines, 'Suggestions', result.suggestions);
+  return `${lines.join('\n')}\n`;
+}
+
+function appendFindings(lines, title, findings) {
+  if (!findings.length) return;
+  lines.push('', `${title}:`);
+  for (const finding of findings) {
+    lines.push(`- [${finding.code}] ${finding.message}`);
+    if (finding.file) lines.push(`  file: ${finding.file}`);
+  }
+}
+
+function addResourceValidationFindings(result, validation) {
+  for (const message of validation?.errors || []) {
+    result.errors.push({
+      code: 'resource-validation-error',
+      message,
+    });
+  }
+  for (const message of validation?.warnings || []) {
+    result.warnings.push({
+      code: 'resource-validation-warning',
+      message,
+    });
+  }
+}
+
+function reviewPublicAccess(result, manifest) {
+  if (!manifest) return;
+  const policies = manifest.publicAccessPolicies || [];
+  const policyCodes = new Set(policies.map(policy => String(policy.code || '').trim()).filter(Boolean));
+  const policyRouteCodes = new Set(policies.map(policy => String(policy.routeCode || '').trim()).filter(Boolean));
+
+  for (const route of manifest.routes || []) {
+    if (route.__invalid) continue;
+    const publicAccess = String(route.publicAccess || 'none');
+    if (publicAccess !== 'guest' && publicAccess !== 'ticket') continue;
+    const routeLabel = route.code || route.pathPattern || route.path || route.__source || 'public route';
+    const policyCode = String(route.publicPolicyCode || route.policyCode || '').trim();
+    if (policyCode && !policyCodes.has(policyCode)) {
+      result.errors.push({
+        code: 'public-route-missing-policy',
+        message: `公开路由 ${routeLabel} 引用了不存在的 public-access policy: ${policyCode}`,
+        file: route.__source,
+      });
+      continue;
+    }
+    if (!policyCode && route.code && !policyRouteCodes.has(String(route.code))) {
+      result.warnings.push({
+        code: 'public-route-unbound-policy',
+        message: `公开路由 ${routeLabel} 未声明 publicPolicyCode，也没有 policy.routeCode 绑定它`,
+        file: route.__source,
+      });
+    }
+  }
+
+  for (const policy of policies) {
+    if (policy.__invalid) continue;
+    const grants = policy.grants && typeof policy.grants === 'object' ? policy.grants : null;
+    const grantCount = grants
+      ? ['forms', 'dataViews', 'functions', 'connectors'].reduce(
+          (count, key) => count + (Array.isArray(grants[key]) ? grants[key].length : 0),
+          0
+        )
+      : 0;
+    if (grantCount === 0) {
+      result.warnings.push({
+        code: 'public-policy-empty-grants',
+        message: `公开策略 ${policy.code || policy.__source} 没有显式 grants；公开页调用 form/dataView/function/connector 会被后端拒绝`,
+        file: policy.__source,
+      });
+    }
+  }
+}
+
+function reviewSourceFiles(result, cwd) {
+  for (const filePath of listSourceFiles(cwd)) {
+    const relativeFile = path.relative(cwd, filePath);
+    let source = '';
+    try {
+      source = fs.readFileSync(filePath, 'utf8');
+    } catch {
+      continue;
+    }
+    const lineCount = source.split(/\r?\n/).length;
+    if (relativeFile.startsWith(path.join('src', 'pages')) && lineCount > 600) {
+      result.warnings.push({
+        code: 'large-page-module',
+        message: `页面文件超过 600 行，建议拆分为 domain/service/hooks/components 后再交给 AI 迭代`,
+        file: relativeFile,
+      });
+    }
+    if (/\?publicAccess=guest|publicAccess=guest|isRenderNav|workbench/i.test(source)) {
+      result.errors.push({
+        code: 'legacy-public-runtime-pattern',
+        message: '发现旧公开访问或旧 workbench/runtime 参数；React SPA 新公开页应使用 routes + public-access + PublicAccessGate',
+        file: relativeFile,
+      });
+    }
+    if (/<(?:input|select|textarea)\b/i.test(source)) {
+      result.warnings.push({
+        code: 'native-form-control',
+        message: 'AI 编写的页面/表单代码不应直接使用原生表单控件，优先使用 OpenXiangda/antd/antd-mobile 封装',
+        file: relativeFile,
+      });
+    }
+    if (/(pageSize|limit)\s*[:=]\s*(1000|2000|5000|9999)\b|fetchAll|getAllData|allData/i.test(source)) {
+      result.warnings.push({
+        code: 'unbounded-query-risk',
+        message: '发现疑似大页或全量拉取；列表、选择器和报表应使用服务端分页、搜索字段或 data-view',
+        file: relativeFile,
+      });
+    }
+    if (/(localStorage|sessionStorage).{0,80}(role|permission)|(role|permission).{0,80}(localStorage|sessionStorage)/i.test(source)) {
+      result.warnings.push({
+        code: 'frontend-permission-risk',
+        message: '发现疑似前端存储权限判断；权限和数据范围必须以后端权限组、public grants 或接口返回为准',
+        file: relativeFile,
+      });
+    }
+  }
+}
+
+function listSourceFiles(cwd) {
+  const files = [];
+  for (const relativeDir of SOURCE_DIRS) {
+    const dir = path.join(cwd, relativeDir);
+    if (fs.existsSync(dir)) collectSourceFiles(dir, files);
+  }
+  return files;
+}
+
+function collectSourceFiles(dir, files) {
+  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+    if (SKIP_DIRS.has(entry.name)) continue;
+    const filePath = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      collectSourceFiles(filePath, files);
+      continue;
+    }
+    if (entry.isFile() && SOURCE_EXTENSIONS.has(path.extname(entry.name))) {
+      files.push(filePath);
+    }
+  }
+}
+
+function reviewAcceptanceArtifacts(result, cwd) {
+  const acceptanceDir = path.join(cwd, 'docs', 'acceptance');
+  const acceptanceFile = path.join(cwd, 'docs', 'acceptance.md');
+  if (fs.existsSync(acceptanceDir) || fs.existsSync(acceptanceFile)) return;
+  result.suggestions.push({
+    code: 'missing-acceptance-artifacts',
+    message: '建议补充 docs/acceptance/ 或 docs/acceptance.md，沉淀验收路径、账号、数据、发布 releaseId 和回滚方式',
+  });
+}
+
+module.exports = {
+  buildDesignReview,
+  renderDesignReview,
+};

package/lib/http.js

@@ -52,7 +52,10 @@ async function requestJson(baseUrl, apiPath, options = {}) {
 
   if (!response.ok) {
     const message = payload?.message || response.statusText || 'request failed';
-    throw new Error(maskText(`HTTP ${response.status}: ${message}`));
+    const error = new Error(maskText(`HTTP ${response.status}: ${message}`));
+    error.status = response.status;
+    error.payload = payload;
+    throw error;
   }
 
   return payload;

package/lib/workspace-init.js

@@ -6,6 +6,16 @@ const { getProfile, loadConfig, saveProjectState } = require('./config');
 const ROOT_DIR = path.join(__dirname, '..');
 const LEGACY_TEMPLATE_DIR = path.join(ROOT_DIR, 'templates', 'sy-lowcode-app-workspace');
 const REACT_SPA_TEMPLATE_DIR = path.join(ROOT_DIR, 'templates', 'openxiangda-react-spa');
+const TEMPLATE_IGNORE_NAMES = new Set([
+  'node_modules',
+  '.pnpm',
+  'dist',
+  '.vite',
+  '.vite-temp',
+  '.cache',
+  'coverage',
+]);
+const TEMPLATE_IGNORE_PATHS = new Set(['.openxiangda/build-cache.json']);
 
 function initWorkspace(options = {}) {
   const targetDir = path.resolve(options.dir || process.cwd());
@@ -113,13 +123,14 @@ function normalizeRuntime(value) {
   return value === 'react-spa' || value === 'spa' ? 'react-spa' : 'legacy';
 }
 
-function copyTemplate(sourceDir, targetDir, replacements) {
+function copyTemplate(sourceDir, targetDir, replacements, baseDir = sourceDir) {
   for (const entry of fs.readdirSync(sourceDir, { withFileTypes: true })) {
     const sourcePath = path.join(sourceDir, entry.name);
+    if (shouldSkipTemplateEntry(baseDir, sourcePath, entry.name)) continue;
     const targetPath = path.join(targetDir, entry.name);
     if (entry.isDirectory()) {
       fs.mkdirSync(targetPath, { recursive: true });
-      copyTemplate(sourcePath, targetPath, replacements);
+      copyTemplate(sourcePath, targetPath, replacements, baseDir);
       continue;
     }
     if (!entry.isFile()) continue;
@@ -129,6 +140,12 @@ function copyTemplate(sourceDir, targetDir, replacements) {
   }
 }
 
+function shouldSkipTemplateEntry(baseDir, sourcePath, entryName) {
+  if (TEMPLATE_IGNORE_NAMES.has(entryName)) return true;
+  const relativePath = path.relative(baseDir, sourcePath).split(path.sep).join('/');
+  return TEMPLATE_IGNORE_PATHS.has(relativePath);
+}
+
 function applyReplacements(content, replacements) {
   return Object.entries(replacements).reduce(
     (result, [key, value]) => result.split(key).join(value),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openxiangda",
-  "version": "1.0.103",
+  "version": "1.0.105",
   "description": "OpenXiangda CLI, workspace build tools, runtime SDK, and form components.",
   "private": false,
   "bin": {
@@ -67,6 +67,7 @@
     "test:resource-plan": "node scripts/resource-plan-smoke.mjs",
     "test:design-gates": "node scripts/design-gates-smoke.mjs",
     "test:resource-cli": "node scripts/resource-cli-smoke.mjs",
+    "test:api-contract": "node scripts/openxiangda-api-contract-smoke.mjs",
     "test:help-no-side-effects": "node scripts/help-no-side-effects-smoke.mjs",
     "test:app-function-fallback": "node scripts/app-function-source-fallback-smoke.mjs",
     "test:runtime-deploy": "node scripts/runtime-deploy-smoke.mjs",

package/packages/sdk/dist/runtime/index.cjs

@@ -607,7 +607,7 @@ var require_react_is_development = __commonJS({
         var ContextProvider = REACT_PROVIDER_TYPE;
         var Element2 = REACT_ELEMENT_TYPE;
         var ForwardRef2 = REACT_FORWARD_REF_TYPE;
-        var Fragment18 = REACT_FRAGMENT_TYPE2;
+        var Fragment19 = REACT_FRAGMENT_TYPE2;
         var Lazy = REACT_LAZY_TYPE;
         var Memo = REACT_MEMO_TYPE;
         var Portal = REACT_PORTAL_TYPE;
@@ -675,7 +675,7 @@ var require_react_is_development = __commonJS({
         exports.ContextProvider = ContextProvider;
         exports.Element = Element2;
         exports.ForwardRef = ForwardRef2;
-        exports.Fragment = Fragment18;
+        exports.Fragment = Fragment19;
         exports.Lazy = Lazy;
         exports.Memo = Memo;
         exports.Portal = Portal;
@@ -842,6 +842,10 @@ __export(runtime_exports, {
   createReactPage: () => createReactPage,
   extractFieldsFromComponentsTree: () => extractFieldsFromComponentsTree,
   fetchBrowserRuntimeBootstrap: () => fetchBrowserRuntimeBootstrap,
+  getAuthErrorExtra: () => getAuthErrorExtra,
+  getAuthErrorReason: () => getAuthErrorReason,
+  isAuthChallengeRequired: () => isAuthChallengeRequired,
+  isAuthClientError: () => isAuthClientError,
   loadCustomPageModule: () => loadCustomPageModule,
   loadRuntimeScriptModules: () => loadRuntimeScriptModules,
   mountBrowserPageRuntime: () => mountBrowserPageRuntime,
@@ -2296,8 +2300,43 @@ var AuthClientError = class extends Error {
     this.status = options.status;
     this.code = options.code;
     this.payload = options.payload;
+    this.extra = normalizeAuthErrorExtra(
+      options.extra || getRecordValue(options.payload, "extra")
+    );
+    this.reason = this.extra?.reason || this.extra?.guardCode || (typeof options.code === "string" ? options.code : void 0);
+    this.challenge = this.extra?.challenge;
+    this.retryAfter = readNumber(
+      this.extra?.retryAfter ?? this.extra?.retryAfterSeconds
+    );
+    this.remainingAttempts = readNumber(this.extra?.remainingAttempts);
+    this.lockUntil = this.extra?.lockUntil ?? null;
   }
 };
+var isAuthClientError = (error) => {
+  if (error instanceof AuthClientError) return true;
+  return Boolean(
+    error && typeof error === "object" && error.name === "AuthClientError"
+  );
+};
+var getAuthErrorExtra = (error) => {
+  if (!error || typeof error !== "object") return void 0;
+  const record2 = error;
+  return normalizeAuthErrorExtra(record2.extra || getRecordValue(record2.payload, "extra"));
+};
+var getAuthErrorReason = (error) => {
+  if (!error || typeof error !== "object") return void 0;
+  const record2 = error;
+  const extra = getAuthErrorExtra(error);
+  return extra?.reason || extra?.guardCode || (typeof record2.reason === "string" ? record2.reason : void 0) || (typeof record2.code === "string" ? record2.code : void 0);
+};
+var isAuthChallengeRequired = (error) => {
+  if (!error || typeof error !== "object") return false;
+  const record2 = error;
+  const code = record2.code;
+  const reason = getAuthErrorReason(error);
+  const extra = getAuthErrorExtra(error);
+  return code === 460 || code === "460" || code === "LOGIN_CHALLENGE_REQUIRED" || reason === "LOGIN_CHALLENGE_REQUIRED" || reason === "CHALLENGE_REQUIRED" || extra?.guardCode === "LOGIN_CHALLENGE_REQUIRED";
+};
 var createAuthClient = ({
   appType,
   servicePrefix = "/service",
@@ -2324,7 +2363,12 @@ var createAuthClient = ({
     if (!response.ok || success === false || !isSuccessCode2(code)) {
       throw new AuthClientError(
         String(getRecordValue(payload, "message") || `Auth request failed: ${response.status}`),
-        { status: response.status, code, payload }
+        {
+          status: response.status,
+          code,
+          payload,
+          extra: normalizeAuthErrorExtra(getRecordValue(payload, "extra"))
+        }
       );
     }
     return unwrapPayload(payload);
@@ -2374,6 +2418,27 @@ var getRecordValue = (value, key) => {
   if (!value || typeof value !== "object") return void 0;
   return value[key];
 };
+var normalizeAuthErrorExtra = (value) => {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return void 0;
+  const record2 = value;
+  const challenge = record2.challenge && typeof record2.challenge === "object" && !Array.isArray(record2.challenge) ? record2.challenge : void 0;
+  const reason = readString(record2.reason);
+  const guardCode = readString(record2.guardCode);
+  return {
+    ...record2,
+    ...reason ? { reason } : {},
+    ...guardCode ? { guardCode } : {},
+    ...challenge ? { challenge } : {},
+    ...readNumber(record2.retryAfter) !== void 0 ? { retryAfter: readNumber(record2.retryAfter) } : {},
+    ...readNumber(record2.retryAfterSeconds) !== void 0 ? { retryAfterSeconds: readNumber(record2.retryAfterSeconds) } : {},
+    ...readNumber(record2.remainingAttempts) !== void 0 ? { remainingAttempts: readNumber(record2.remainingAttempts) } : {}
+  };
+};
+var readString = (value) => typeof value === "string" ? value : void 0;
+var readNumber = (value) => {
+  const numberValue = Number(value);
+  return Number.isFinite(numberValue) ? numberValue : void 0;
+};
 var isSuccessCode2 = (code) => {
   if (code === void 0 || code === null || code === "") return true;
   const normalized = Number(code);
@@ -4114,6 +4179,7 @@ var LoginPage = ({
     "login"
   );
   const [phoneChallengeId, setPhoneChallengeId] = (0, import_react7.useState)("");
+  const [passwordChallenge, setPasswordChallenge] = (0, import_react7.useState)(null);
   const [submitting, setSubmitting] = (0, import_react7.useState)(false);
   const [sendingCode, setSendingCode] = (0, import_react7.useState)(false);
   const [error, setError] = (0, import_react7.useState)(null);
@@ -4136,6 +4202,7 @@ var LoginPage = ({
         children: /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(
           PasswordLoginForm,
           {
+            challenge: passwordChallenge,
             form: passwordForm,
             loading: submitting,
             onFinish: async (values) => {
@@ -4144,12 +4211,25 @@ var LoginPage = ({
               try {
                 await handleSuccess(
                   await auth.passwordLogin({
+                    challengeAnswer: passwordChallenge ? values.challengeAnswer : void 0,
+                    challengeId: readChallengeId(passwordChallenge),
+                    clientFingerprint: getOrCreateLoginFingerprint(auth.client),
                     username: values.username,
                     password: values.password
                   })
                 );
+                setPasswordChallenge(null);
               } catch (loginError) {
-                setError(normalizeError(loginError).message);
+                if (isAuthChallengeRequired(loginError)) {
+                  const nextChallenge = getAuthErrorExtra(loginError)?.challenge;
+                  if (nextChallenge) {
+                    setPasswordChallenge(nextChallenge);
+                    passwordForm.setFieldValue("challengeAnswer", "");
+                  }
+                } else {
+                  setPasswordChallenge(null);
+                }
+                setError(formatAuthErrorMessage(loginError));
               } finally {
                 setSubmitting(false);
               }
@@ -4219,6 +4299,7 @@ var LoginPage = ({
     allowRegister,
     auth,
     handleSuccess,
+    passwordChallenge,
     passwordForm,
     passwordMethod,
     phoneChallengeId,
@@ -4372,7 +4453,7 @@ var LoginPage = ({
     }
   );
 };
-var PasswordLoginForm = ({ form, loading, onFinish }) => /* @__PURE__ */ (0, import_jsx_runtime3.jsxs)(import_antd2.Form, { form, layout: "vertical", requiredMark: false, onFinish, children: [
+var PasswordLoginForm = ({ challenge, form, loading, onFinish }) => /* @__PURE__ */ (0, import_jsx_runtime3.jsxs)(import_antd2.Form, { form, layout: "vertical", requiredMark: false, onFinish, children: [
   /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(
     import_antd2.Form.Item,
     {
@@ -4391,6 +4472,26 @@ var PasswordLoginForm = ({ form, loading, onFinish }) => /* @__PURE__ */ (0, imp
       children: /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(import_antd2.Input.Password, { autoComplete: "current-password" })
     }
   ),
+  challenge ? /* @__PURE__ */ (0, import_jsx_runtime3.jsxs)(import_jsx_runtime3.Fragment, { children: [
+    /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(
+      import_antd2.Alert,
+      {
+        showIcon: true,
+        type: "warning",
+        message: "\u8BF7\u5B8C\u6210\u989D\u5916\u9A8C\u8BC1",
+        description: readChallengeQuestion(challenge) || "\u8BF7\u8F93\u5165\u9A8C\u8BC1\u7801\u540E\u7EE7\u7EED\u767B\u5F55\u3002"
+      }
+    ),
+    /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(
+      import_antd2.Form.Item,
+      {
+        label: "\u9A8C\u8BC1\u7B54\u6848",
+        name: "challengeAnswer",
+        rules: [{ required: true, message: "\u8BF7\u8F93\u5165\u9A8C\u8BC1\u7B54\u6848" }],
+        children: /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(import_antd2.Input, { autoComplete: "one-time-code" })
+      }
+    )
+  ] }) : null,
   /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(import_antd2.Button, { block: true, htmlType: "submit", icon: /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(import_icons.LoginOutlined, {}), loading, type: "primary", children: "\u767B\u5F55" })
 ] });
 var PhoneCodeLoginForm = ({
@@ -4452,6 +4553,22 @@ var PhoneCodeLoginForm = ({
 ] });
 var findMethod = (methods, type4) => methods.find((method4) => method4.type === type4);
 var normalizeError = (error) => error instanceof Error ? error : new Error(String(error || "\u8BF7\u6C42\u5931\u8D25"));
+var formatAuthErrorMessage = (error) => {
+  const normalized = normalizeError(error);
+  const extra = getAuthErrorExtra(error);
+  const reason = getAuthErrorReason(error);
+  if (isAuthChallengeRequired(error)) {
+    return extra?.challenge?.question ? "\u8BF7\u5B8C\u6210\u4E0B\u65B9\u9A8C\u8BC1\u540E\u518D\u767B\u5F55" : normalized.message || "\u8BF7\u5148\u5B8C\u6210\u989D\u5916\u9A8C\u8BC1\u540E\u518D\u5C1D\u8BD5\u767B\u5F55";
+  }
+  if (reason === "LOGIN_BLOCKED" || reason === "USERNAME_BLOCKED" || reason === "IP_BLOCKED" || reason === "ACCOUNT_LOCKED") {
+    const retryAfter = Number(extra?.retryAfter ?? extra?.retryAfterSeconds);
+    if (Number.isFinite(retryAfter) && retryAfter > 0) {
+      const minutes = Math.ceil(retryAfter / 60);
+      return `\u767B\u5F55\u53D7\u9650\uFF0C\u8BF7\u7EA6 ${minutes} \u5206\u949F\u540E\u518D\u8BD5\u6216\u8054\u7CFB\u7BA1\u7406\u5458`;
+    }
+  }
+  return normalized.message || "\u767B\u5F55\u5931\u8D25";
+};
 var getString = (value, key) => {
   if (!value || typeof value !== "object") return void 0;
   const result = value[key];
@@ -4485,7 +4602,21 @@ var getOrCreateGuestIdentifier = (client) => {
   window.localStorage.setItem(key, next);
   return next;
 };
+var getOrCreateLoginFingerprint = (client) => {
+  const key = `openxiangda:${client.appType}:login_fingerprint`;
+  if (typeof window === "undefined") return createGuestIdentifier();
+  const current = window.localStorage.getItem(key);
+  const id = current || createGuestIdentifier();
+  if (!current) window.localStorage.setItem(key, id);
+  return `${id}:${window.navigator?.userAgent || "unknown"}`;
+};
 var createGuestIdentifier = () => `guest_${Date.now()}_${Math.random().toString(36).slice(2, 10)}`;
+var readChallengeId = (challenge) => {
+  if (!challenge) return void 0;
+  const id = challenge.id || challenge.challengeId;
+  return typeof id === "string" && id.trim() ? id.trim() : void 0;
+};
+var readChallengeQuestion = (challenge) => typeof challenge.question === "string" ? challenge.question : void 0;
 var getCurrentHref3 = () => typeof window === "undefined" ? "" : window.location.href;
 var getCurrentHostname = () => typeof window === "undefined" ? "" : window.location.hostname;
 var getCallbackUrl = () => {