openxiangda 1.0.134 → 1.0.136
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +6 -0
- package/lib/cli.js +947 -16
- package/lib/design-gates.js +40 -10
- package/lib/sdd.js +777 -0
- package/lib/workspace-init.js +3 -0
- package/openxiangda-skills/SKILL.md +11 -1
- package/openxiangda-skills/references/best-practices.md +32 -5
- package/openxiangda-skills/references/openxiangda-api.md +32 -6
- package/openxiangda-skills/references/pages/page-sdk.md +3 -0
- package/openxiangda-skills/references/pages/publish-flow.md +16 -0
- package/openxiangda-skills/references/permission-design-patterns.md +216 -0
- package/openxiangda-skills/references/permissions-settings.md +58 -0
- package/openxiangda-skills/references/platform-data-model.md +19 -4
- package/openxiangda-skills/references/resource-manifest-cheatsheet.md +32 -1
- package/openxiangda-skills/skills/openxiangda-architecture-design/SKILL.md +8 -0
- package/openxiangda-skills/skills/openxiangda-core/SKILL.md +2 -0
- package/openxiangda-skills/skills/openxiangda-permission-settings/SKILL.md +38 -1
- package/package.json +2 -1
- package/packages/sdk/dist/{ProcessPreview-Dfc4-wIq.d.mts → ProcessPreview-Ci8_UsbN.d.mts} +4 -0
- package/packages/sdk/dist/{ProcessPreview-Dfc4-wIq.d.ts → ProcessPreview-Ci8_UsbN.d.ts} +4 -0
- package/packages/sdk/dist/build/index.cjs.map +1 -1
- package/packages/sdk/dist/build/index.d.mts +7 -0
- package/packages/sdk/dist/build/index.d.ts +7 -0
- package/packages/sdk/dist/build/index.mjs.map +1 -1
- package/packages/sdk/dist/components/index.cjs +32 -4
- package/packages/sdk/dist/components/index.cjs.map +1 -1
- package/packages/sdk/dist/components/index.d.mts +8 -2
- package/packages/sdk/dist/components/index.d.ts +8 -2
- package/packages/sdk/dist/components/index.mjs +32 -4
- package/packages/sdk/dist/components/index.mjs.map +1 -1
- package/packages/sdk/dist/runtime/index.cjs +181 -28
- package/packages/sdk/dist/runtime/index.cjs.map +1 -1
- package/packages/sdk/dist/runtime/index.d.mts +2 -2
- package/packages/sdk/dist/runtime/index.d.ts +2 -2
- package/packages/sdk/dist/runtime/index.mjs +181 -28
- package/packages/sdk/dist/runtime/index.mjs.map +1 -1
- package/packages/sdk/dist/runtime/react.cjs +152 -25
- package/packages/sdk/dist/runtime/react.cjs.map +1 -1
- package/packages/sdk/dist/runtime/react.d.mts +57 -4
- package/packages/sdk/dist/runtime/react.d.ts +57 -4
- package/packages/sdk/dist/runtime/react.mjs +152 -25
- package/packages/sdk/dist/runtime/react.mjs.map +1 -1
- package/templates/openxiangda-react-spa/.cursor/rules/openxiangda.mdc +8 -1
- package/templates/openxiangda-react-spa/.qoder/rules/openxiangda.md +8 -1
- package/templates/openxiangda-react-spa/AGENTS.md +9 -1
- package/templates/openxiangda-react-spa/app-workspace.config.ts +14 -0
- package/templates/sy-lowcode-app-workspace/.cursor/rules/openxiangda-resources.mdc +5 -1
- package/templates/sy-lowcode-app-workspace/.cursor/rules/openxiangda.mdc +7 -1
- package/templates/sy-lowcode-app-workspace/.qoder/rules/openxiangda-resources.md +6 -0
- package/templates/sy-lowcode-app-workspace/.qoder/rules/openxiangda.md +7 -1
- package/templates/sy-lowcode-app-workspace/AGENTS.md +10 -1
- package/templates/sy-lowcode-app-workspace/app-workspace.config.ts +14 -0
- package/templates/sy-lowcode-app-workspace/examples/best-practices/README.md +3 -0
- package/templates/sy-lowcode-app-workspace/examples/best-practices/access-governance.md +239 -0
- package/templates/sy-lowcode-app-workspace/examples/best-practices/catalog.json +6 -0
- package/templates/sy-lowcode-app-workspace/examples/best-practices/decision-guide.md +25 -1
- package/templates/sy-lowcode-app-workspace/src/types/app-workspace.types.ts +12 -0
package/lib/design-gates.js
CHANGED
|
@@ -112,28 +112,51 @@ const DESIGN_GATE_TOPICS = [
|
|
|
112
112
|
},
|
|
113
113
|
{
|
|
114
114
|
code: 'permissions',
|
|
115
|
-
title: '角色 / 页面权限 / 表单数据范围',
|
|
116
|
-
triggers: ['权限', '角色', '数据范围', '只看自己', '部门数据', '页面权限', '字段权限'],
|
|
115
|
+
title: '账号 / 角色 / 页面权限 / 表单数据范围',
|
|
116
|
+
triggers: ['权限', '角色', 'RBAC', '账号权限', '平台账号', '组织账号', '角色治理', '数据范围', '只看自己', '部门数据', '页面权限', '字段权限', '查询参数权限'],
|
|
117
117
|
mustAsk: [
|
|
118
|
-
'
|
|
119
|
-
'
|
|
120
|
-
'
|
|
121
|
-
'
|
|
122
|
-
'
|
|
118
|
+
'权限模式选择:managed-platform-account、existing-platform-user-assignment、static-role-permission、query-param-context 中哪一种,为什么',
|
|
119
|
+
'账号来源是什么:应用创建平台账号/部门、选择已有平台用户、固定角色成员,还是仅使用低风险查询参数上下文',
|
|
120
|
+
'是否创建或维护平台账号/部门;如果是,哪些 App Function/organization SDK 负责创建、更新、重置密码和同步审计',
|
|
121
|
+
'角色成员如何维护:角色分配表、平台角色手工维护、静态 roles manifest、还是公开访问 externalRoleCodes',
|
|
122
|
+
'哪些角色可以设置应用角色、分配角色成员、给角色分配接口权限;这些角色是否需要 `app:role:manage`',
|
|
123
|
+
'哪些角色可以维护页面权限组、表单权限组、组织账号;是否需要 `app:page-permission-group:manage`、`app:form-permission-group:manage`、`app:organization:manage`',
|
|
124
|
+
'业务范围字段是什么,哪些可见字段需要派生隐藏 scalar key 供表单权限条件匹配',
|
|
125
|
+
'页面/菜单/路由、表单 submit/view/manage/fieldAccessPolicy/dataScope 的权限矩阵如何落到 resources',
|
|
126
|
+
'查询参数是否参与授权;如果参与,只能做上下文、筛选或 ticket 输入,敏感数据必须由 public-access grant、角色、表单权限组或 App Function 校验',
|
|
127
|
+
'验收时需要模拟哪些角色、账号状态、业务范围、查询参数篡改和拒绝场景',
|
|
123
128
|
],
|
|
124
129
|
recommendedDefaults: [
|
|
125
|
-
'
|
|
126
|
-
'
|
|
127
|
-
'
|
|
130
|
+
'正式后台优先选择 managed-platform-account;如果平台账号已存在,选择 existing-platform-user-assignment;固定内部门户选择 static-role-permission',
|
|
131
|
+
'query-param-context 仅用于低风险页面上下文、筛选条件或公开 ticket 输入,不作为敏感数据授权依据',
|
|
132
|
+
'角色写 src/resources/roles,页面组写 permissions/page-groups,表单组写 permissions/form-groups,显式声明 dataScope/operations/fieldAccessPolicy',
|
|
133
|
+
'能管理角色或给别人分配角色的应用角色必须在 roles manifest 声明 apiPermissionCodes;至少包含 app:role:manage,按需加入 app:page-permission-group:manage、app:form-permission-group:manage、app:organization:manage',
|
|
134
|
+
'由校区管理员等委托管理员创建的新角色,如果还具备继续管理账号/角色/权限的能力,也必须同步声明并发布对应 apiPermissionCodes',
|
|
135
|
+
'账号治理闭环使用 organization_unit、system_account、role_assignment 等业务表,加 roles、page groups、form groups、sync App Functions 和 PermissionBoundary',
|
|
136
|
+
'平台账号创建、更新、重置密码只走 sdk.organization/ctx.organization;操作者必须具备 app:organization:manage',
|
|
137
|
+
'公开访问不要复用内部管理员权限组;公开数据仍需 public-access grants 与外部角色权限组双重覆盖',
|
|
128
138
|
],
|
|
129
139
|
antiPatterns: [
|
|
140
|
+
'不能只做前端权限隐藏,必须有后端角色、表单权限组、public-access grant 或 App Function 校验',
|
|
141
|
+
'查询参数不能作为敏感授权依据,只能作为上下文、筛选或 ticket 输入',
|
|
130
142
|
'只配菜单可见,不配后端数据权限',
|
|
131
143
|
'为了省事授予全部数据再在前端过滤',
|
|
144
|
+
'在页面里硬编码角色、账号、部门或权限范围',
|
|
145
|
+
'只给用户挂业务角色但没有给该角色绑定角色设置接口权限,导致后续新增账号/角色时运行时报无权限',
|
|
146
|
+
'让普通管理员创建带管理能力的新角色,但没有同时发布新角色的 apiPermissionCodes',
|
|
147
|
+
'前端模拟权限通过、mock role、假账号、假 ID 或空数组兜底',
|
|
148
|
+
'直接绕过 SDK 调平台账号/组织写接口,或用旧 /user、/department 接口写账号',
|
|
132
149
|
'公开角色和内部角色混用',
|
|
133
150
|
],
|
|
134
151
|
acceptance: [
|
|
135
152
|
'permission audit 输出无高危缺口',
|
|
153
|
+
'设计文档写明权限模式、账号来源、角色成员来源和权限矩阵',
|
|
154
|
+
'角色资源中声明了管理型角色的 apiPermissionCodes,并说明由谁首次授予',
|
|
136
155
|
'内部角色允许项可用,未授权项拒绝',
|
|
156
|
+
'用非授权角色验证角色创建/成员分配/权限组维护会被拒绝,用授权角色验证可成功',
|
|
157
|
+
'敏感 App Function 包含服务端 role/scope checks,且不信任页面传入的 roleCodes',
|
|
158
|
+
'平台账号治理路径验证当前操作者拥有 app:organization:manage',
|
|
159
|
+
'查询参数篡改不会扩大敏感数据访问范围',
|
|
137
160
|
'公开访问受 public-access grant 和权限组双重约束',
|
|
138
161
|
],
|
|
139
162
|
},
|
|
@@ -236,6 +259,13 @@ const DESIGN_GATE_TOPIC_ALIASES = {
|
|
|
236
259
|
permission: 'permissions',
|
|
237
260
|
role: 'permissions',
|
|
238
261
|
roles: 'permissions',
|
|
262
|
+
rbac: 'permissions',
|
|
263
|
+
'role-governance': 'permissions',
|
|
264
|
+
'account-permission': 'permissions',
|
|
265
|
+
'organization-account': 'permissions',
|
|
266
|
+
'org-account': 'permissions',
|
|
267
|
+
'account-role': 'permissions',
|
|
268
|
+
'query-param-permission': 'permissions',
|
|
239
269
|
workflow: 'workflow-automation',
|
|
240
270
|
automation: 'workflow-automation',
|
|
241
271
|
function: 'workflow-automation',
|