openxiangda 1.0.104 → 1.0.105

package/lib/app-function-invoke.js

@@ -0,0 +1,28 @@
+function buildOpenXiangdaFunctionInvokeRequest(appType, functionCode, body) {
+  return {
+    method: 'POST',
+    path: `/openxiangda-api/v1/apps/${encodeURIComponent(appType)}/functions/${encodeURIComponent(functionCode)}/invoke`,
+    body,
+    strictEnvelope: true,
+  };
+}
+
+function buildLegacyFunctionInvokeRequest(appType, functionCode, body) {
+  return {
+    method: 'POST',
+    path: `/${encodeURIComponent(appType)}/v1/functions/${encodeURIComponent(functionCode)}/invoke.json`,
+    body,
+    strictEnvelope: true,
+  };
+}
+
+function isHttpNotFound(error) {
+  const status = Number(error?.status || error?.statusCode || error?.response?.status);
+  return status === 404 || String(error?.message || '').includes('HTTP 404');
+}
+
+module.exports = {
+  buildLegacyFunctionInvokeRequest,
+  buildOpenXiangdaFunctionInvokeRequest,
+  isHttpNotFound,
+};

package/lib/cli.js

@@ -20,6 +20,11 @@ const {
 } = require('./config');
 const { requestJson } = require('./http');
 const { getSkillStatusReport, installSkills } = require('./skills');
+const {
+  buildLegacyFunctionInvokeRequest,
+  buildOpenXiangdaFunctionInvokeRequest,
+  isHttpNotFound,
+} = require('./app-function-invoke');
 const { assertCanInitializeWorkspace, initWorkspace } = require('./workspace-init');
 const { bootstrapWorkspace } = require('./workspace-bootstrap');
 const {
@@ -31,6 +36,7 @@ const {
   renderDesignTemplate,
   renderResourceExplain,
 } = require('./design-gates');
+const { buildDesignReview, renderDesignReview } = require('./design-review');
 const {
   fail,
   formatFetchError,
@@ -104,7 +110,7 @@ Usage:
   openxiangda platform use <name>
   openxiangda auth status|refresh|logout [--profile name]
   openxiangda doctor [--profile name] [--app-type APP_XXX] [--json]
-  openxiangda design gates|template [--topic code] [--json]
+  openxiangda design gates|template|review [--topic code] [--json]
   openxiangda env [--profile name]
   openxiangda workspace init [dir] [--name package-name] [--runtime legacy|react-spa] [--install] [--profile name --app-type APP_XXX]
   openxiangda workspace init [dir] --profile <name> --app-name <app-name> [--runtime legacy|react-spa] [--install]
@@ -475,7 +481,24 @@ async function design(args) {
     return;
   }
 
-  fail('用法: openxiangda design gates|template [--topic code] [--json]');
+  if (subcommand === 'review') {
+    const hasResources = fs.existsSync(path.join(process.cwd(), 'src', 'resources'));
+    const manifest = hasResources ? loadWorkspaceResources() : null;
+    const validation = manifest ? validateWorkspaceResources(manifest) : {
+      errors: [],
+      warnings: ['未发现 src/resources，无法审查资源 manifest'],
+    };
+    const result = buildDesignReview({
+      cwd: process.cwd(),
+      manifest,
+      validation,
+    });
+    if (flags.json) return writeJson(result);
+    print(renderDesignReview(result));
+    return;
+  }
+
+  fail('用法: openxiangda design gates|template|review [--topic code] [--json]');
 }
 
 async function doctor(args) {
@@ -2664,12 +2687,35 @@ async function appFunction(args) {
     const [functionCode] = positional;
     if (!functionCode) fail('用法: openxiangda function invoke <functionCode> [--body-json file|json]');
     const body = readDirectJsonBody(flags, 'function invoke', { optional: true });
-    return runDirectRequest(config, target, flags, {
-      method: 'POST',
-      path: `/${encodeURIComponent(target.appType)}/v1/functions/${encodeURIComponent(functionCode)}/invoke.json`,
-      body,
-      strictEnvelope: true,
-    });
+    const openXiangdaApiRequest = buildOpenXiangdaFunctionInvokeRequest(
+      target.appType,
+      functionCode,
+      body
+    );
+    if (flags['dry-run']) {
+      return runDirectRequest(config, target, flags, openXiangdaApiRequest);
+    }
+    try {
+      const data = await requestWithAuth(
+        config,
+        target.profileName,
+        openXiangdaApiRequest.path,
+        {
+          method: openXiangdaApiRequest.method,
+          body: openXiangdaApiRequest.body,
+          strictEnvelope: true,
+        }
+      );
+      return outputDirectResult(data, flags);
+    } catch (error) {
+      if (!isHttpNotFound(error)) throw error;
+      return runDirectRequest(
+        config,
+        target,
+        flags,
+        buildLegacyFunctionInvokeRequest(target.appType, functionCode, body)
+      );
+    }
   }
 
   return directResourceCrud(config, target, {
@@ -4044,7 +4090,7 @@ async function commands(args) {
       'platform add|list|use|remove',
       'auth status|refresh|logout',
       'doctor [--profile name] [--app-type APP_XXX]',
-      'design gates|template [--topic code]',
+      'design gates|template|review [--topic code]',
       'env',
       'workspace init|bind|publish [--app-name] [--changed|--since|--form|--page|--only|--dry-run|--force|--resources|--skip-resources|--prune]',
       'app list|create|snapshot',

package/lib/design-gates.js

@@ -309,7 +309,7 @@ function getDesignTopicCatalog() {
 function renderDesignHelp() {
   const catalog = getDesignTopicCatalog();
   const lines = [
-    '用法: openxiangda design gates|template [--topic code[,code...]] [--json]',
+    '用法: openxiangda design gates|template|review [--topic code[,code...]] [--json]',
     '',
     catalog.hardRule,
     '',

package/lib/design-review.js

@@ -0,0 +1,220 @@
+const fs = require('fs');
+const path = require('path');
+
+const SOURCE_DIRS = [
+  path.join('src', 'app'),
+  path.join('src', 'pages'),
+  path.join('src', 'forms'),
+  path.join('src', 'runtime'),
+];
+const SOURCE_EXTENSIONS = new Set(['.js', '.jsx', '.ts', '.tsx']);
+const SKIP_DIRS = new Set([
+  'node_modules',
+  '.pnpm',
+  'dist',
+  '.vite',
+  '.vite-temp',
+  '.cache',
+  'coverage',
+]);
+
+function buildDesignReview(options = {}) {
+  const cwd = options.cwd || process.cwd();
+  const manifest = options.manifest || null;
+  const validation = options.validation || null;
+  const result = {
+    cwd,
+    checkedAt: new Date().toISOString(),
+    passed: true,
+    summary: {
+      errors: 0,
+      warnings: 0,
+      suggestions: 0,
+    },
+    errors: [],
+    warnings: [],
+    suggestions: [],
+  };
+
+  addResourceValidationFindings(result, validation);
+  reviewPublicAccess(result, manifest);
+  reviewSourceFiles(result, cwd);
+  reviewAcceptanceArtifacts(result, cwd);
+
+  result.summary.errors = result.errors.length;
+  result.summary.warnings = result.warnings.length;
+  result.summary.suggestions = result.suggestions.length;
+  result.passed = result.errors.length === 0;
+  return result;
+}
+
+function renderDesignReview(result) {
+  const lines = [
+    'OpenXiangda design review',
+    `cwd: ${result.cwd}`,
+    `status: ${result.passed ? 'passed' : 'needs attention'}`,
+    `summary: ${result.summary.errors} errors, ${result.summary.warnings} warnings, ${result.summary.suggestions} suggestions`,
+  ];
+  appendFindings(lines, 'Errors', result.errors);
+  appendFindings(lines, 'Warnings', result.warnings);
+  appendFindings(lines, 'Suggestions', result.suggestions);
+  return `${lines.join('\n')}\n`;
+}
+
+function appendFindings(lines, title, findings) {
+  if (!findings.length) return;
+  lines.push('', `${title}:`);
+  for (const finding of findings) {
+    lines.push(`- [${finding.code}] ${finding.message}`);
+    if (finding.file) lines.push(`  file: ${finding.file}`);
+  }
+}
+
+function addResourceValidationFindings(result, validation) {
+  for (const message of validation?.errors || []) {
+    result.errors.push({
+      code: 'resource-validation-error',
+      message,
+    });
+  }
+  for (const message of validation?.warnings || []) {
+    result.warnings.push({
+      code: 'resource-validation-warning',
+      message,
+    });
+  }
+}
+
+function reviewPublicAccess(result, manifest) {
+  if (!manifest) return;
+  const policies = manifest.publicAccessPolicies || [];
+  const policyCodes = new Set(policies.map(policy => String(policy.code || '').trim()).filter(Boolean));
+  const policyRouteCodes = new Set(policies.map(policy => String(policy.routeCode || '').trim()).filter(Boolean));
+
+  for (const route of manifest.routes || []) {
+    if (route.__invalid) continue;
+    const publicAccess = String(route.publicAccess || 'none');
+    if (publicAccess !== 'guest' && publicAccess !== 'ticket') continue;
+    const routeLabel = route.code || route.pathPattern || route.path || route.__source || 'public route';
+    const policyCode = String(route.publicPolicyCode || route.policyCode || '').trim();
+    if (policyCode && !policyCodes.has(policyCode)) {
+      result.errors.push({
+        code: 'public-route-missing-policy',
+        message: `公开路由 ${routeLabel} 引用了不存在的 public-access policy: ${policyCode}`,
+        file: route.__source,
+      });
+      continue;
+    }
+    if (!policyCode && route.code && !policyRouteCodes.has(String(route.code))) {
+      result.warnings.push({
+        code: 'public-route-unbound-policy',
+        message: `公开路由 ${routeLabel} 未声明 publicPolicyCode，也没有 policy.routeCode 绑定它`,
+        file: route.__source,
+      });
+    }
+  }
+
+  for (const policy of policies) {
+    if (policy.__invalid) continue;
+    const grants = policy.grants && typeof policy.grants === 'object' ? policy.grants : null;
+    const grantCount = grants
+      ? ['forms', 'dataViews', 'functions', 'connectors'].reduce(
+          (count, key) => count + (Array.isArray(grants[key]) ? grants[key].length : 0),
+          0
+        )
+      : 0;
+    if (grantCount === 0) {
+      result.warnings.push({
+        code: 'public-policy-empty-grants',
+        message: `公开策略 ${policy.code || policy.__source} 没有显式 grants；公开页调用 form/dataView/function/connector 会被后端拒绝`,
+        file: policy.__source,
+      });
+    }
+  }
+}
+
+function reviewSourceFiles(result, cwd) {
+  for (const filePath of listSourceFiles(cwd)) {
+    const relativeFile = path.relative(cwd, filePath);
+    let source = '';
+    try {
+      source = fs.readFileSync(filePath, 'utf8');
+    } catch {
+      continue;
+    }
+    const lineCount = source.split(/\r?\n/).length;
+    if (relativeFile.startsWith(path.join('src', 'pages')) && lineCount > 600) {
+      result.warnings.push({
+        code: 'large-page-module',
+        message: `页面文件超过 600 行，建议拆分为 domain/service/hooks/components 后再交给 AI 迭代`,
+        file: relativeFile,
+      });
+    }
+    if (/\?publicAccess=guest|publicAccess=guest|isRenderNav|workbench/i.test(source)) {
+      result.errors.push({
+        code: 'legacy-public-runtime-pattern',
+        message: '发现旧公开访问或旧 workbench/runtime 参数；React SPA 新公开页应使用 routes + public-access + PublicAccessGate',
+        file: relativeFile,
+      });
+    }
+    if (/<(?:input|select|textarea)\b/i.test(source)) {
+      result.warnings.push({
+        code: 'native-form-control',
+        message: 'AI 编写的页面/表单代码不应直接使用原生表单控件，优先使用 OpenXiangda/antd/antd-mobile 封装',
+        file: relativeFile,
+      });
+    }
+    if (/(pageSize|limit)\s*[:=]\s*(1000|2000|5000|9999)\b|fetchAll|getAllData|allData/i.test(source)) {
+      result.warnings.push({
+        code: 'unbounded-query-risk',
+        message: '发现疑似大页或全量拉取；列表、选择器和报表应使用服务端分页、搜索字段或 data-view',
+        file: relativeFile,
+      });
+    }
+    if (/(localStorage|sessionStorage).{0,80}(role|permission)|(role|permission).{0,80}(localStorage|sessionStorage)/i.test(source)) {
+      result.warnings.push({
+        code: 'frontend-permission-risk',
+        message: '发现疑似前端存储权限判断；权限和数据范围必须以后端权限组、public grants 或接口返回为准',
+        file: relativeFile,
+      });
+    }
+  }
+}
+
+function listSourceFiles(cwd) {
+  const files = [];
+  for (const relativeDir of SOURCE_DIRS) {
+    const dir = path.join(cwd, relativeDir);
+    if (fs.existsSync(dir)) collectSourceFiles(dir, files);
+  }
+  return files;
+}
+
+function collectSourceFiles(dir, files) {
+  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+    if (SKIP_DIRS.has(entry.name)) continue;
+    const filePath = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      collectSourceFiles(filePath, files);
+      continue;
+    }
+    if (entry.isFile() && SOURCE_EXTENSIONS.has(path.extname(entry.name))) {
+      files.push(filePath);
+    }
+  }
+}
+
+function reviewAcceptanceArtifacts(result, cwd) {
+  const acceptanceDir = path.join(cwd, 'docs', 'acceptance');
+  const acceptanceFile = path.join(cwd, 'docs', 'acceptance.md');
+  if (fs.existsSync(acceptanceDir) || fs.existsSync(acceptanceFile)) return;
+  result.suggestions.push({
+    code: 'missing-acceptance-artifacts',
+    message: '建议补充 docs/acceptance/ 或 docs/acceptance.md，沉淀验收路径、账号、数据、发布 releaseId 和回滚方式',
+  });
+}
+
+module.exports = {
+  buildDesignReview,
+  renderDesignReview,
+};

package/lib/http.js

@@ -52,7 +52,10 @@ async function requestJson(baseUrl, apiPath, options = {}) {
 
   if (!response.ok) {
     const message = payload?.message || response.statusText || 'request failed';
-    throw new Error(maskText(`HTTP ${response.status}: ${message}`));
+    const error = new Error(maskText(`HTTP ${response.status}: ${message}`));
+    error.status = response.status;
+    error.payload = payload;
+    throw error;
   }
 
   return payload;

package/lib/workspace-init.js

@@ -6,6 +6,16 @@ const { getProfile, loadConfig, saveProjectState } = require('./config');
 const ROOT_DIR = path.join(__dirname, '..');
 const LEGACY_TEMPLATE_DIR = path.join(ROOT_DIR, 'templates', 'sy-lowcode-app-workspace');
 const REACT_SPA_TEMPLATE_DIR = path.join(ROOT_DIR, 'templates', 'openxiangda-react-spa');
+const TEMPLATE_IGNORE_NAMES = new Set([
+  'node_modules',
+  '.pnpm',
+  'dist',
+  '.vite',
+  '.vite-temp',
+  '.cache',
+  'coverage',
+]);
+const TEMPLATE_IGNORE_PATHS = new Set(['.openxiangda/build-cache.json']);
 
 function initWorkspace(options = {}) {
   const targetDir = path.resolve(options.dir || process.cwd());
@@ -113,13 +123,14 @@ function normalizeRuntime(value) {
   return value === 'react-spa' || value === 'spa' ? 'react-spa' : 'legacy';
 }
 
-function copyTemplate(sourceDir, targetDir, replacements) {
+function copyTemplate(sourceDir, targetDir, replacements, baseDir = sourceDir) {
   for (const entry of fs.readdirSync(sourceDir, { withFileTypes: true })) {
     const sourcePath = path.join(sourceDir, entry.name);
+    if (shouldSkipTemplateEntry(baseDir, sourcePath, entry.name)) continue;
     const targetPath = path.join(targetDir, entry.name);
     if (entry.isDirectory()) {
       fs.mkdirSync(targetPath, { recursive: true });
-      copyTemplate(sourcePath, targetPath, replacements);
+      copyTemplate(sourcePath, targetPath, replacements, baseDir);
       continue;
     }
     if (!entry.isFile()) continue;
@@ -129,6 +140,12 @@ function copyTemplate(sourceDir, targetDir, replacements) {
   }
 }
 
+function shouldSkipTemplateEntry(baseDir, sourcePath, entryName) {
+  if (TEMPLATE_IGNORE_NAMES.has(entryName)) return true;
+  const relativePath = path.relative(baseDir, sourcePath).split(path.sep).join('/');
+  return TEMPLATE_IGNORE_PATHS.has(relativePath);
+}
+
 function applyReplacements(content, replacements) {
   return Object.entries(replacements).reduce(
     (result, [key, value]) => result.split(key).join(value),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openxiangda",
-  "version": "1.0.104",
+  "version": "1.0.105",
   "description": "OpenXiangda CLI, workspace build tools, runtime SDK, and form components.",
   "private": false,
   "bin": {
@@ -67,6 +67,7 @@
     "test:resource-plan": "node scripts/resource-plan-smoke.mjs",
     "test:design-gates": "node scripts/design-gates-smoke.mjs",
     "test:resource-cli": "node scripts/resource-cli-smoke.mjs",
+    "test:api-contract": "node scripts/openxiangda-api-contract-smoke.mjs",
     "test:help-no-side-effects": "node scripts/help-no-side-effects-smoke.mjs",
     "test:app-function-fallback": "node scripts/app-function-source-fallback-smoke.mjs",
     "test:runtime-deploy": "node scripts/runtime-deploy-smoke.mjs",

package/packages/sdk/src/build-source/scripts/build-forms.runtime-entry.test.ts

@@ -6,7 +6,7 @@ import { describe, expect, it } from "vitest";
 describe("form runtime entry template", () => {
   it("injects AntD styles outside CSS layers with high priority", () => {
     const source = fs.readFileSync(
-      path.resolve("packages/workspace-tools/scripts/build-forms.mjs"),
+      path.resolve("packages/sdk/src/build-source/scripts/build-forms.mjs"),
       "utf-8",
     );
 

package/templates/openxiangda-react-spa/.cursor/rules/openxiangda-resources.mdc

@@ -0,0 +1,25 @@
+---
+description: src/resources/** glob — OpenXiangda React SPA resource manifests
+globs: src/resources/**/*
+alwaysApply: false
+---
+
+# OpenXiangda Resource Manifests
+
+You are editing engineering-managed resource manifests under `src/resources/`. Local files use logical codes; platform IDs stay in `.openxiangda/state.json`.
+
+## Commands
+
+```bash
+openxiangda resource validate --profile <name>
+openxiangda resource plan --profile <name>
+openxiangda resource publish --profile <name>
+openxiangda resource typegen --profile <name>
+```
+
+## Rules
+
+- Public routes require matching `routes` and `public-access` manifests.
+- Guest access to forms, dataViews, functions, and connectors requires explicit policy `grants`.
+- Connector secrets and third-party credentials belong in the platform backend, never in manifests or page source.
+- Formal changes should keep Git as the source of truth: edit manifests, validate, plan, then publish.

package/templates/openxiangda-react-spa/.cursor/rules/openxiangda.mdc

@@ -0,0 +1,33 @@
+---
+description: OpenXiangda React SPA workspace strong constraints
+alwaysApply: true
+---
+
+# OpenXiangda React SPA Rule
+
+This is an OpenXiangda React SPA workspace. See [AGENTS.md](mdc:AGENTS.md) for full guidance.
+
+## Hard route
+
+| User says | Command |
+|---|---|
+| publish resources | `openxiangda resource publish --profile <name>` |
+| deploy frontend | `openxiangda runtime deploy --profile <name>` |
+| full deploy | `pnpm deploy -- --profile <name>` |
+| diff / plan | `openxiangda resource plan --profile <name>` |
+| diagnose | `openxiangda doctor --profile <name> --json` |
+
+## Always
+
+- Writes and deploys must pass `--profile <name>` explicitly.
+- Architecture-class work is plan-gated: run `openxiangda design gates --topic <code> --json` and wait for confirmation.
+- `src/resources/**` is the resource source of truth; use `validate -> plan -> publish`.
+- React routes live in `src/app/router.tsx`; frontend artifacts are deployed with `openxiangda runtime deploy`.
+- Backend permissions and public-access grants are authoritative.
+
+## Never
+
+- Do not run `lowcode-workspace publish-all`, `pnpm publish:all`, or `pnpm openxiangda:publish` directly.
+- Do not deploy without `--profile`.
+- Do not use legacy `?publicAccess=guest`, `isRenderNav`, or workbench page parameters for new React SPA routes.
+- Do not commit tokens, AK/SK, or third-party secrets.

package/templates/openxiangda-react-spa/.qoder/rules/openxiangda-resources.md

@@ -0,0 +1,25 @@
+---
+description: src/resources/** glob — OpenXiangda React SPA 资源 manifest 规则
+glob: src/resources/**/*
+alwaysApply: false
+---
+
+# OpenXiangda Resource Manifests
+
+You are editing engineering-managed resource manifests under `src/resources/`. Local files use logical codes; platform IDs stay in `.openxiangda/state.json`.
+
+## Commands
+
+```bash
+openxiangda resource validate --profile <name>
+openxiangda resource plan --profile <name>
+openxiangda resource publish --profile <name>
+openxiangda resource typegen --profile <name>
+```
+
+## Rules
+
+- Public routes require matching `routes` and `public-access` manifests.
+- Guest access to forms, dataViews, functions, and connectors requires explicit policy `grants`.
+- Connector secrets and third-party credentials belong in the platform backend, never in manifests or page source.
+- Formal changes should keep Git as the source of truth: edit manifests, validate, plan, then publish.

package/templates/openxiangda-react-spa/.qoder/rules/openxiangda.md

@@ -0,0 +1,33 @@
+---
+description: OpenXiangda React SPA 工作区强约束 — 路由、命令、不变量、禁令
+alwaysApply: true
+---
+
+# OpenXiangda React SPA Rule
+
+This is an OpenXiangda React SPA workspace. Read [AGENTS.md](AGENTS.md) for full guidance. New apps use `resource publish` plus `runtime deploy`; do not use classic workspace publish flows for frontend deployment.
+
+## Hard route
+
+| 用户说 | 必用命令 |
+|---|---|
+| 发布资源 / publish resources | `openxiangda resource publish --profile <name>` |
+| 发布前端 / deploy runtime | `openxiangda runtime deploy --profile <name>` |
+| 完整部署 / deploy | `pnpm deploy -- --profile <name>` |
+| 资源计划 / diff | `openxiangda resource plan --profile <name>` |
+| 诊断 / 环境 | `openxiangda doctor --profile <name> --json` / `openxiangda env --profile <name>` |
+
+## Always
+
+- 发布和写平台资源必须显式传 `--profile <name>`。
+- 架构类需求先跑 `openxiangda design gates --topic <code> --json` 并等用户确认。
+- `src/resources/**` 是工程化资源来源，正式多资源变更走 `validate -> plan -> publish`。
+- React SPA 路由由 `src/app/router.tsx` 管理，前端包通过 `openxiangda runtime deploy` 发布。
+- 页面权限、表单权限、公开访问 grants 以后端资源为准；前端只做展示保护。
+
+## Never
+
+- 不要直接运行 `lowcode-workspace publish-all`、`pnpm publish:all` 或 `pnpm openxiangda:publish`。
+- 不要省略 `--profile` 发布。
+- 不要使用旧 `?publicAccess=guest`、`isRenderNav` 或 workbench 参数模型开发新 React SPA。
+- 不要把 token、AK、SK、第三方密钥写入项目文件。

package/templates/openxiangda-react-spa/AGENTS.md

@@ -23,6 +23,7 @@ pnpm typecheck
 pnpm typecheck:js-code
 pnpm build
 pnpm build-js-code
+pnpm deploy -- --profile <name>
 openxiangda workspace publish --profile <name> --form <formCode>
 openxiangda doctor --profile <name> --json
 openxiangda design gates --topic public-access --json
@@ -32,6 +33,8 @@ openxiangda runtime deploy --profile <name>
 openxiangda commands --json
 ```
 
+`pnpm deploy -- --profile <name>` 会按顺序执行 `openxiangda resource publish --profile <name>` 与 `openxiangda runtime deploy --profile <name>`。不要直接运行 `pnpm publish:all`、`pnpm openxiangda:publish` 或 `lowcode-workspace publish-all`；这些是 legacy classic workspace 的内部发布入口，会被 `scripts/guard-publish.mjs` 拦截。
+
 完整发布顺序：
 
 ```bash

package/templates/openxiangda-react-spa/package.json

@@ -12,13 +12,16 @@
     "sync-schema": "lowcode-workspace sync-schema",
     "publish:all": "lowcode-workspace publish-all",
     "openxiangda:publish": "lowcode-workspace publish-all",
+    "prepublish:all": "pnpm _guard:publish",
+    "preopenxiangda:publish": "pnpm _guard:publish",
+    "_guard:publish": "node scripts/guard-publish.mjs",
     "typecheck": "tsc -p tsconfig.app.json --noEmit",
     "typecheck:js-code": "tsc -p tsconfig.js-code-nodes.json --noEmit",
     "check": "pnpm typecheck && pnpm build",
     "resources:plan": "openxiangda resource plan",
     "resources:publish": "openxiangda resource publish",
     "runtime:deploy": "openxiangda runtime deploy",
-    "deploy": "openxiangda resource publish && openxiangda runtime deploy",
+    "deploy": "node scripts/deploy.mjs",
     "typegen": "openxiangda resource typegen"
   },
   "dependencies": {

package/templates/openxiangda-react-spa/scripts/deploy.mjs

@@ -0,0 +1,42 @@
+#!/usr/bin/env node
+
+import { spawnSync } from 'node:child_process';
+
+const args = process.argv.slice(2);
+const profile = readProfile(args);
+
+if (!profile) {
+  console.error('');
+  console.error('错误：React SPA 发布必须显式指定 profile。');
+  console.error('');
+  console.error('用法：');
+  console.error('  pnpm deploy -- --profile <name>');
+  console.error('  openxiangda resource publish --profile <name>');
+  console.error('  openxiangda runtime deploy --profile <name>');
+  console.error('');
+  process.exit(1);
+}
+
+run('openxiangda', ['resource', 'publish', '--profile', profile]);
+run('openxiangda', ['runtime', 'deploy', '--profile', profile]);
+
+function readProfile(argv) {
+  const profileIndex = argv.indexOf('--profile');
+  if (profileIndex >= 0) {
+    const value = argv[profileIndex + 1];
+    return value && !value.startsWith('-') ? value : null;
+  }
+  const inline = argv.find(arg => arg.startsWith('--profile='));
+  return inline ? inline.slice('--profile='.length) || null : null;
+}
+
+function run(command, commandArgs) {
+  const result = spawnSync(command, commandArgs, {
+    stdio: 'inherit',
+    env: process.env,
+    shell: process.platform === 'win32',
+  });
+  if (result.status !== 0) {
+    process.exit(result.status ?? 1);
+  }
+}

package/templates/openxiangda-react-spa/scripts/guard-publish.mjs

@@ -0,0 +1,21 @@
+#!/usr/bin/env node
+
+const lines = [
+  '',
+  '错误：React SPA 工作区不要直接调用 lowcode-workspace publish-all。',
+  '',
+  'React SPA 的发布入口分两步，且必须显式指定 profile：',
+  '  openxiangda resource publish --profile <name>',
+  '  openxiangda runtime deploy --profile <name>',
+  '',
+  '或者使用模板脚本：',
+  '  pnpm deploy -- --profile <name>',
+  '',
+  'legacy lowcode-workspace publish-all 只用于旧 classic workspace 的兼容流程。',
+  '',
+];
+
+for (const line of lines) {
+  console.error(line);
+}
+process.exit(1);