openxiangda 1.0.155 → 1.0.157

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (31) hide show
  1. package/README.md +8 -2
  2. package/lib/cli.js +176 -1
  3. package/lib/open-api.js +256 -0
  4. package/lib/skills.js +16 -2
  5. package/openxiangda-skills/SKILL.md +7 -3
  6. package/openxiangda-skills/references/openxiangda-api.md +2 -2
  7. package/openxiangda-skills/references/pages/page-sdk.md +1 -1
  8. package/openxiangda-skills/references/troubleshooting.md +12 -0
  9. package/openxiangda-skills/skills/openxiangda-open-api/SKILL.md +57 -0
  10. package/openxiangda-skills/skills/openxiangda-open-api/agents/openai.yaml +4 -0
  11. package/openxiangda-skills/skills/openxiangda-open-api/references/backend-authentication.md +63 -0
  12. package/openxiangda-skills/skills/openxiangda-open-api/references/dingtalk-api.openapi.json +15653 -0
  13. package/package.json +6 -3
  14. package/packages/sdk/dist/components/index.cjs +2 -1
  15. package/packages/sdk/dist/components/index.cjs.map +1 -1
  16. package/packages/sdk/dist/components/index.mjs +2 -1
  17. package/packages/sdk/dist/components/index.mjs.map +1 -1
  18. package/packages/sdk/dist/runtime/index.cjs +54 -15
  19. package/packages/sdk/dist/runtime/index.cjs.map +1 -1
  20. package/packages/sdk/dist/runtime/index.mjs +54 -15
  21. package/packages/sdk/dist/runtime/index.mjs.map +1 -1
  22. package/packages/sdk/dist/runtime/react.cjs +54 -15
  23. package/packages/sdk/dist/runtime/react.cjs.map +1 -1
  24. package/packages/sdk/dist/runtime/react.mjs +54 -15
  25. package/packages/sdk/dist/runtime/react.mjs.map +1 -1
  26. package/templates/openxiangda-react-spa/.cursor/rules/openxiangda.mdc +2 -0
  27. package/templates/openxiangda-react-spa/.qoder/rules/openxiangda.md +2 -0
  28. package/templates/openxiangda-react-spa/AGENTS.md +2 -1
  29. package/templates/sy-lowcode-app-workspace/.cursor/rules/openxiangda.mdc +2 -1
  30. package/templates/sy-lowcode-app-workspace/.qoder/rules/openxiangda.md +2 -1
  31. package/templates/sy-lowcode-app-workspace/AGENTS.md +3 -2
@@ -0,0 +1,57 @@
1
+ ---
2
+ name: openxiangda-open-api
3
+ description: "Build or maintain external backend and third-party system integrations against the private low-code platform DingTalk-compatible Open API. Use for /dingtalk-api/v1.0, AK/SK, appKey/appSecret, x-acs-dingtalk-access-token, backend token caching, OpenAPI contract lookup, organization sync, external form/workflow calls, or one-time Open API credential management."
4
+ ---
5
+
6
+ # OpenXiangda Open API
7
+
8
+ Use this skill only for external backend services and third-party integrations. Keep normal OpenXiangda CLI, workspace, page, form, workflow, automation, and App Function development on `/openxiangda-api/v1` with the logged-in user's token.
9
+
10
+ ## Required workflow
11
+
12
+ 1. Inspect the target backend's language, HTTP client, configuration system, deployment model, and existing secret store.
13
+ 2. Run `openxiangda open-api spec list --search <keyword> --json`, then `openxiangda open-api spec describe <operationId|path> --method <method> --json`. Implement the exact request and response schemas returned; do not guess DTO fields or unwrap shapes.
14
+ 3. Read [references/backend-authentication.md](references/backend-authentication.md) before adding credentials or token code.
15
+ 4. Reuse an existing API credential when the user identifies one. Otherwise list credentials first. Create, update, or rotate only after explicit user authorization and only with a platform-admin profile.
16
+ 5. Hand AK/SK directly to the backend's approved secret store. Never persist them in OpenXiangda profile or workspace state.
17
+ 6. Implement token acquisition and caching inside the backend application. OpenXiangda must not cache or renew the backend's Open API token.
18
+ 7. Add contract tests for request serialization, business-envelope errors, token expiry, one retry after 401, and concurrent refresh behavior.
19
+
20
+ ## Contract lookup
21
+
22
+ Prefer the CLI index so the 15,000-line specification is not loaded wholesale:
23
+
24
+ ```bash
25
+ openxiangda open-api spec tags --json
26
+ openxiangda open-api spec list --tag "表单与菜单" --json
27
+ openxiangda open-api spec list --search submitFormData --json
28
+ openxiangda open-api spec describe /dingtalk-api/v1.0/forms/submitFormData --method post --json
29
+ ```
30
+
31
+ The bundled source contract is [references/dingtalk-api.openapi.json](references/dingtalk-api.openapi.json). Read or query it directly only when the CLI view is insufficient.
32
+
33
+ ## Credential management
34
+
35
+ Use the normal OpenXiangda login token only for the platform-admin management API:
36
+
37
+ ```bash
38
+ openxiangda open-api credential list --profile dev --json
39
+ openxiangda open-api credential get <id> --profile dev --json
40
+ openxiangda open-api credential create --name "Backend Integration" --profile dev --yes --show-secret --json
41
+ openxiangda open-api credential update <id> --description "..." --profile dev --json
42
+ openxiangda open-api credential rotate-secret <id> --profile dev --yes --show-secret --json
43
+ ```
44
+
45
+ - Treat create, update, and rotation as live platform writes. Obtain explicit authorization first.
46
+ - Keep secrets redacted unless performing an authorized handoff to the backend secret store.
47
+ - Stop on a platform-admin permission error. Do not bypass it and do not ask the user to paste AK/SK into chat.
48
+ - Do not treat the API application's `permissions` or `ipWhitelist` fields as enforced authorization. The current middleware authenticates the access token and tenant; use network controls and backend authorization independently.
49
+
50
+ ## Backend rules
51
+
52
+ - Build the service base as `<platform-origin>/service`; call `/dingtalk-api/v1.0` beneath it.
53
+ - Keep AK/SK and access tokens server-side. Never put them in browser bundles, mobile apps, public runtime config, source control, logs, traces, or error payloads.
54
+ - Exchange AK/SK at `POST /dingtalk-api/v1.0/oauth2/accessToken`; send the returned token as `x-acs-dingtalk-access-token`.
55
+ - Cache until shortly before `expireIn`, single-flight concurrent refreshes, and retry one time after a 401 with a newly acquired token.
56
+ - Inspect both HTTP status and the endpoint's documented business response. Most endpoints use `{ code, message, data }`, the token endpoint does not on success, and workflow callback success may use `code: 0`.
57
+ - Supply `userId`, `systemToken`, `appType`, or other actor/application context only when the selected operation schema requires it.
@@ -0,0 +1,4 @@
1
+ interface:
2
+ display_name: "OpenXiangda Open API"
3
+ short_description: "External backend API contracts and AK/SK workflows."
4
+ default_prompt: "Use $openxiangda-open-api to implement a secure backend integration with the private low-code platform Open API."
@@ -0,0 +1,63 @@
1
+ # Backend authentication and token lifecycle
2
+
3
+ ## API selection
4
+
5
+ - Use `/openxiangda-api/v1` for OpenXiangda CLI and low-code app development with a normal platform-user token.
6
+ - Use `/dingtalk-api/v1.0` for an external backend or third-party system that owns an AK/SK credential.
7
+ - Resolve a copied root, `/platform`, or `/view` URL to `<origin>/service` before appending either API namespace.
8
+
9
+ ## Create or retrieve AK/SK
10
+
11
+ The API application management endpoints are platform-admin APIs authenticated by the current OpenXiangda profile's normal Bearer token. They are not part of `/dingtalk-api/v1.0`:
12
+
13
+ | Operation | Request | Secret behavior |
14
+ | --- | --- | --- |
15
+ | `GET /api/dingtalk-apps` | no body | lists IDs and AKs; never returns SK |
16
+ | `POST /api/dingtalk-apps` | `{ name, description?, permissions? }` | creates and can return AK/SK |
17
+ | `GET /api/dingtalk-apps/:id` | no body | detail can return the existing AK/SK |
18
+ | `POST /api/dingtalk-apps/:id` | `{ name?, description?, permissions? }` | updates metadata; no SK |
19
+ | `POST /api/dingtalk-apps/:id/regenerate-secret` | `{}` | invalidates the old SK and returns the new one |
20
+
21
+ Prefer the `openxiangda open-api credential ...` wrappers. They redact `appSecret` unless `--show-secret` is explicit and never store it locally. Creation requires `--yes`; rotation requires both `--yes` and `--show-secret`.
22
+
23
+ The authenticated user must be a platform administrator. If the platform reports a permission failure, stop and ask an administrator to perform or authorize the operation. Never bypass the permission check.
24
+
25
+ ## Exchange AK/SK for an access token
26
+
27
+ Send JSON to the service base:
28
+
29
+ ```http
30
+ POST /dingtalk-api/v1.0/oauth2/accessToken
31
+ Content-Type: application/json
32
+
33
+ {"appKey":"ak_...","appSecret":"sk_..."}
34
+ ```
35
+
36
+ Success:
37
+
38
+ ```json
39
+ {"expireIn":7200,"accessToken":"..."}
40
+ ```
41
+
42
+ Invalid credentials and internal errors use a different business shape such as `{ "code": 40014, "message": "..." }`, potentially with an HTTP 2xx status. Accept the exchange only when a non-empty `accessToken` and positive `expireIn` are present.
43
+
44
+ ## Backend token provider
45
+
46
+ Implement the following behavior in the target backend's native stack:
47
+
48
+ 1. Read AK/SK from its environment/secret manager at process startup; never accept them from an end-user request.
49
+ 2. Return a cached token while it remains outside a five-minute refresh window.
50
+ 3. Use a single-flight promise or lock so concurrent requests share one exchange.
51
+ 4. For multiple backend instances, place token state in the existing shared cache when available; otherwise allow each instance to maintain its own token.
52
+ 5. Record `expiresAt = acquiredAt + expireIn`; do not assume a fixed lifetime even though the current server commonly returns 7200 seconds.
53
+ 6. Send protected calls with `x-acs-dingtalk-access-token: <token>` and `Content-Type: application/json`.
54
+ 7. On HTTP 401, invalidate the cached token, exchange once, and retry the original request once. Do not loop.
55
+ 8. Reject a protected response when its documented business code indicates failure even if HTTP status is successful.
56
+
57
+ Never log the AK, SK, access token, Authorization header, token exchange body, or unredacted credential-management response.
58
+
59
+ ## Current security boundary
60
+
61
+ The current authentication middleware validates the access token, token expiry, API-app active state, and tenant. If a request body contains `userId`, it also resolves that platform user as the operation context.
62
+
63
+ Do not rely on the API-app `permissions` array or `ipWhitelist` column as active route authorization or network enforcement. Apply least privilege through platform user/application permissions, backend business authorization, deployment-network policy, and secret rotation.