openxiangda 1.0.16 → 1.0.17

package/openxiangda-skills/SKILL.md

@@ -69,6 +69,8 @@ When the user provides a root domain such as `https://yida.wisejob.cn/`, use it
 - Publish normal form pages, workflow form pages, and custom code pages through `openxiangda workspace publish --profile <name>` from the app workspace.
 - Never store token data in the project directory. User tokens live in `~/.openxiangda/profiles.json`; project state lives in `.openxiangda/state.json` and stores only IDs and mappings.
 - Use logical resource codes in local files. Platform-specific IDs such as `formUuid`, `pageId`, `workflowId`, and `automationId` must be isolated by profile.
+- Put engineering-managed resources in `src/resources/` and use `openxiangda resource validate|plan|publish|pull`. `workspace publish` publishes workspace forms/pages first, then runs non-destructive resource upsert. Only pass `--prune` when the user explicitly wants local manifests to delete platform-side extras.
+- For external APIs, create a connector manifest in `src/resources/connectors/` and call it from pages through `sdk.connector`; never put third-party API keys in page source.
 - Before publishing to another platform, verify the workspace is bound for that profile. Resource IDs from one profile must not be reused for another profile.
 - Use `openxiangda app snapshot <APP_XXX> --profile <name> --json` for diagnosis before changing an existing app.
 - Run write commands that update `.openxiangda/state.json` sequentially within the same workspace. Read-only commands can run in parallel.
@@ -100,6 +102,7 @@ Core CLI / state:
 
 - `references/openxiangda-api.md` — `/openxiangda-api/v1` request and response fields.
 - `references/workspace-state.md` — `.openxiangda/state.json` shape and profile isolation rules.
+- `references/connector-resources.md` — `src/resources` manifests, connector schema, and SDK connector calls.
 
 Form authoring:
 

package/openxiangda-skills/references/connector-resources.md

@@ -0,0 +1,68 @@
+# Connector Resources
+
+OpenXiangda engineering resources live under `src/resources/`.
+
+Common folders:
+
+- `connectors`
+- `roles`
+- `menus`
+- `workflows`
+- `automations`
+- `permissions/page-groups`
+- `permissions/form-groups`
+- `settings/forms`
+
+Commands:
+
+```bash
+openxiangda resource validate --profile dev
+openxiangda resource plan --profile dev
+openxiangda resource publish --profile dev
+openxiangda resource pull --profile dev
+```
+
+Connector manifests use stable `code` values. The platform maps connector `code` to the existing connector `methodName`, and API `code` to the existing connector API `methodName`.
+
+```json
+{
+  "code": "crm",
+  "name": "CRM Service",
+  "url": "https://crm.internal.example.com/api",
+  "authType": "apiKey",
+  "authConfig": {
+    "apiKey": {
+      "key": "X-API-Key",
+      "value": "internal-secret",
+      "in": "header"
+    }
+  },
+  "userContext": {
+    "enabled": true,
+    "inject": [
+      { "target": "header", "key": "X-User-Id", "value": "userId" },
+      { "target": "body", "key": "operator", "value": "user" }
+    ]
+  },
+  "apis": [
+    {
+      "code": "getCustomer",
+      "name": "Get Customer",
+      "method": "POST",
+      "path": "/customers/search",
+      "requestBodyType": "json",
+      "responseType": "json"
+    }
+  ]
+}
+```
+
+Runtime page code:
+
+```ts
+await sdk.connector.call("crm.getCustomer", {
+  body: { keyword: "Acme" },
+})
+```
+
+Do not put third-party domains or API keys in page source. The runtime page calls `/:appType/v1/connectors/actions/invoke` for normal responses and `/:appType/v1/connectors/actions/download` for binary downloads; the platform backend applies auth, user context, and redaction.

package/openxiangda-skills/references/pages/page-sdk.md

@@ -6,6 +6,7 @@ Guidelines:
 
 - Do not hardcode `/openxiangda-api` calls inside end-user page components unless the page is explicitly an admin tool.
 - Prefer SDK modules for form data, user context, permissions, and platform navigation.
+- Use `sdk.connector.invoke`, `sdk.connector.call("connector.api")`, or `sdk.connector.download` for external services. The SDK calls the platform runtime connector endpoint; it must not call third-party domains directly.
 - For the current user's department hierarchy, use `sdk.department.getCurrentUserParentDepartments()`; do not hardcode `GET /department/:id/parentDepartments` in page code.
 - Keep API calls behind small local functions so generated UI stays testable.
 - Treat user context and tenant context as runtime-provided values.

package/openxiangda-skills/references/workspace-state.md

@@ -28,7 +28,12 @@ Tokens never belong in the project. User tokens live in `~/.openxiangda/profiles
         },
         "workflows": {},
         "automations": {},
-        "menus": {}
+        "menus": {},
+        "roles": {},
+        "connectors": {},
+        "pagePermissionGroups": {},
+        "formPermissionGroups": {},
+        "formSettings": {}
       }
     }
   }
@@ -40,6 +45,7 @@ Tokens never belong in the project. User tokens live in `~/.openxiangda/profiles
 - Profile is the deployment boundary.
 - `baseUrl` is the backend API base. On standard private deployments it is `<origin>/service`; management pages use `/platform`, and app runtime pages use `/view`.
 - Local resource keys are logical codes.
-- Live IDs are nested under the profile that produced them.
+- Live IDs and lightweight runtime aliases are nested under the profile that produced them.
+- Do not store business configuration or secrets in `.openxiangda/state.json`; store those in `src/resources/`.
 - A prod publish must not read dev IDs.
 - Before publishing to another platform, run `openxiangda workspace bind --profile <name> --app-type <APP_XXX>`.

package/openxiangda-skills/skills/openxiangda-core/SKILL.md

@@ -60,6 +60,8 @@ openxiangda workspace bind --profile dev --app-type APP_DEV
 openxiangda workspace bind --profile prod --app-type APP_PROD
 cd /path/to/sy-lowcode-app-workspace
 openxiangda workspace publish --profile dev
+openxiangda resource validate --profile dev
+openxiangda resource plan --profile dev
 ```
 
 Read-only diagnosis can use resource commands:
@@ -93,8 +95,10 @@ Project state is stored in `.openxiangda/state.json`:
         "automations": {},
         "menus": {},
         "roles": {},
+        "connectors": {},
         "pagePermissionGroups": {},
-        "formPermissionGroups": {}
+        "formPermissionGroups": {},
+        "formSettings": {}
       }
     }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openxiangda",
-  "version": "1.0.16",
+  "version": "1.0.17",
   "description": "OpenXiangda CLI, workspace build tools, runtime SDK, and form components.",
   "private": false,
   "bin": {
@@ -54,6 +54,7 @@
     "check": "node --check bin/openxiangda.js && node --check lib/*.js && node --check packages/sdk/src/build-source/src/cli.mjs && node --check packages/sdk/src/build-source/scripts/*.mjs && node --check packages/sdk/src/build-source/scripts/utils/*.mjs",
     "prepack": "npm run build:sdk",
     "test:profile-isolation": "bash scripts/profile-isolation-smoke.sh",
+    "test:resource-plan": "node scripts/resource-plan-smoke.mjs",
     "test:skill-install": "bash scripts/skill-install-smoke.sh",
     "test:workspace-init": "bash scripts/workspace-init-smoke.sh"
   },

package/packages/sdk/dist/runtime/index.cjs

@@ -98,6 +98,17 @@ var parseContentDispositionFileName = (contentDisposition) => {
   }
   return void 0;
 };
+var parseConnectorCallName = (name) => {
+  const value = String(name || "").trim();
+  const separatorIndex = value.indexOf(".");
+  if (separatorIndex <= 0 || separatorIndex === value.length - 1) {
+    throw new Error("\u8FDE\u63A5\u5668\u8C03\u7528\u540D\u5FC5\u987B\u662F connector.api \u683C\u5F0F");
+  }
+  return {
+    connector: value.slice(0, separatorIndex),
+    api: value.slice(separatorIndex + 1)
+  };
+};
 var serializeQuery = (query) => {
   if (!query) {
     return void 0;
@@ -387,6 +398,52 @@ var createPageSdk = (context) => {
       throw toSdkError(error, payload);
     }
   };
+  const connector = {
+    invoke: (params) => request({
+      path: buildAppPath(
+        context,
+        params.appType,
+        "/v1/connectors/actions/invoke"
+      ),
+      method: "post",
+      body: {
+        connector: params.connector,
+        api: params.api,
+        pathParams: params.pathParams,
+        query: params.query,
+        body: params.body,
+        headers: params.headers,
+        requestBodyType: params.requestBodyType,
+        responseType: params.responseType
+      }
+    }),
+    call: (name, params = {}) => {
+      const target = parseConnectorCallName(name);
+      return connector.invoke({
+        ...params,
+        connector: target.connector,
+        api: target.api
+      });
+    },
+    download: (params) => download({
+      path: buildAppPath(
+        context,
+        params.appType,
+        "/v1/connectors/actions/download"
+      ),
+      method: "post",
+      body: {
+        connector: params.connector,
+        api: params.api,
+        pathParams: params.pathParams,
+        query: params.query,
+        body: params.body,
+        headers: params.headers,
+        requestBodyType: params.requestBodyType,
+        responseType: "binary"
+      }
+    })
+  };
   const form = {
     getDetail: (params) => request({
       path: buildAppPath(
@@ -1044,6 +1101,7 @@ var createPageSdk = (context) => {
       request,
       download
     },
+    connector,
     form,
     user,
     department,