openxiangda 1.0.81 → 1.0.82

package/lib/cli.js

@@ -128,6 +128,82 @@ OpenXiangda 使用普通用户登录 token，不需要 AK/SK。
 JS_CODE V2 使用 trusted_node；AI 源码必须写在 src/js-code-nodes/<scriptCode>/index.ts，代码自动化源码写在 src/automations/<resourceCode>/index.ts。definition-json 中的 sourceFile.localPath 会在 validate/create/publish 时先 TS 校验、再构建并上传为快照。`);
 }
 
+const SUBCOMMAND_BOOLEAN_FLAGS = new Set([
+  '--dry-run',
+  '--enabled',
+  '--force',
+  '--help',
+  '--include-sourcemaps',
+  '--json',
+  '--legacy-form-bundle',
+  '--no-activate',
+  '--no-build',
+  '--no-runtime-aliases',
+  '--prune',
+  '--publish',
+  '--published',
+  '--redact',
+  '--resources',
+  '--skip-resources',
+  '--strict',
+  '--summary',
+  '--unpublish',
+  '--yes',
+  '-h',
+]);
+
+function parseSubcommandArgs(args) {
+  const leadingFlags = [];
+  let index = 0;
+  while (index < args.length) {
+    const item = args[index];
+    if (!isFlagToken(item)) break;
+    if (item === '--') {
+      index += 1;
+      break;
+    }
+    leadingFlags.push(item);
+    if (hasInlineFlagValue(item) || isSubcommandBooleanFlag(item)) {
+      index += 1;
+      continue;
+    }
+    const next = args[index + 1];
+    if (next && !isFlagToken(next)) {
+      leadingFlags.push(next);
+      index += 2;
+      continue;
+    }
+    index += 1;
+  }
+  return {
+    subcommand: args[index],
+    rest: [...leadingFlags, ...args.slice(index + 1)],
+  };
+}
+
+function isFlagToken(value) {
+  return typeof value === 'string' && value.startsWith('-');
+}
+
+function hasInlineFlagValue(value) {
+  return typeof value === 'string' && value.startsWith('--') && value.includes('=');
+}
+
+function isSubcommandBooleanFlag(value) {
+  return SUBCOMMAND_BOOLEAN_FLAGS.has(value) || /^--no-/.test(String(value || ''));
+}
+
+function wantsSubcommandHelp(subcommand, flags) {
+  return (
+    !subcommand ||
+    subcommand === 'help' ||
+    subcommand === '--help' ||
+    subcommand === '-h' ||
+    flags.help ||
+    flags.h
+  );
+}
+
 async function update(args) {
   const requestedSubcommand = args[0] && !args[0].startsWith('--') ? args[0] : 'check';
   const parsedArgs = requestedSubcommand === args[0] ? args.slice(1) : args;
@@ -1625,8 +1701,12 @@ async function menu(args) {
 }
 
 async function workflow(args) {
-  const [subcommand, ...rest] = args;
+  const { subcommand, rest } = parseSubcommandArgs(args);
   const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda workflow list|create|bind|pull|publish|delete|validate [--profile name] [--json]');
+    return;
+  }
   const config = loadConfig();
   const profileName = flags.profile || config.currentProfile;
 
@@ -1798,8 +1878,12 @@ async function workflow(args) {
 }
 
 async function automation(args) {
-  const [subcommand, ...rest] = args;
+  const { subcommand, rest } = parseSubcommandArgs(args);
   const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda automation list|create|bind|pull|executions|logs|diagnose|publish|unpublish|enable|disable|delete|validate|cron-validate [--profile name] [--json]');
+    return;
+  }
   const config = loadConfig();
   const profileName = flags.profile || config.currentProfile;
 
@@ -2002,8 +2086,12 @@ async function automation(args) {
 }
 
 async function dataView(args) {
-  const [subcommand, ...rest] = args;
+  const { subcommand, rest } = parseSubcommandArgs(args);
   const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda data-view list|status|refresh|query|stats <dataViewCode> [--profile name] [--json]');
+    return;
+  }
   const config = loadConfig();
   const profileName = flags.profile || config.currentProfile;
   const target = getWorkspaceTarget(config, profileName, flags);
@@ -2580,8 +2668,12 @@ async function settings(args) {
 }
 
 async function resource(args) {
-  const [subcommand, ...rest] = args;
+  const { subcommand, rest } = parseSubcommandArgs(args);
   const { flags } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda resource validate|plan|publish|pull|typegen [--profile name] [--json]');
+    return;
+  }
   const config = loadConfig();
   const profileName = flags.profile || config.currentProfile;
 
@@ -2634,8 +2726,12 @@ async function resource(args) {
 }
 
 async function runtime(args) {
-  const [subcommand, ...rest] = args;
+  const { subcommand, rest } = parseSubcommandArgs(args);
   const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda runtime deploy|releases|activate [--profile name] [--json]');
+    return;
+  }
   const config = loadConfig();
   const profileName = flags.profile || config.currentProfile;
   const target = getWorkspaceTarget(config, profileName, flags);
@@ -3523,13 +3619,7 @@ function readResourceItemsFromFile(filePath, spec) {
         __error: '资源项必须是 JSON object',
       };
     }
-    const code =
-      item.code ||
-      item.resourceCode ||
-      item.methodName ||
-      (spec.key === 'notifications' ? inferNotificationResourceCode(item) : undefined) ||
-      item.formCode ||
-      (values.length === 1 ? defaultCode : undefined);
+    const code = inferResourceCode(item, spec, values.length === 1 ? defaultCode : undefined);
     return {
       ...item,
       ...(code ? { code } : {}),
@@ -3540,6 +3630,19 @@ function readResourceItemsFromFile(filePath, spec) {
   });
 }
 
+function inferResourceCode(item, spec, defaultCode) {
+  if (item.code || item.resourceCode || item.methodName) {
+    return item.code || item.resourceCode || item.methodName;
+  }
+  if (spec.key === 'notifications') {
+    return inferNotificationResourceCode(item) || defaultCode;
+  }
+  if (spec.key === 'formSettings') {
+    return item.formCode || defaultCode;
+  }
+  return defaultCode;
+}
+
 function inferNotificationResourceCode(item) {
   const resourceType = normalizeNotificationResourceType(item);
   if (resourceType === 'template') return item.code || item.templateCode;

package/lib/utils.js

@@ -28,6 +28,10 @@ function parseArgs(argv) {
   const positional = [];
   for (let index = 0; index < argv.length; index += 1) {
     const item = argv[index];
+    if (item === '-h') {
+      flags.h = true;
+      continue;
+    }
     if (!item.startsWith('--')) {
       positional.push(item);
       continue;

package/openxiangda-skills/SKILL.md

@@ -147,7 +147,9 @@ When the user provides a root domain such as `https://yida.wisejob.cn/`, use it
 - Run write commands that update `.openxiangda/state.json` sequentially within the same workspace. Read-only commands can run in parallel.
 - JS_CODE is backend-executed workflow/automation logic, not frontend page code. Use it when logic must run after a backend trigger such as fixed cron schedules, form date-field schedules, form submit/update/delete/field-change events, or workflow approval/process events.
 - Use JS_CODE for node-local cross-form data queries, create/update/batch update operations, process termination, platform API calls, external HTTP calls, and backend trigger orchestration. For logic that pages, automations, and workflows should reuse through a stable backend entry, prefer App Function. Do not use JS_CODE for simple UI interactions, ordinary form validation, or display-only page behavior.
-- For workflow/automation JS_CODE nodes, prefer V2 `runtimeMode: "trusted_node"`. AI-authored source must be TypeScript under `sy-lowcode-app-workspace/src/js-code-nodes/<scriptCode>/index.ts`. `pnpm build-js-code --script <scriptCode>` runs TypeScript validation before bundling, and `sourceFile.localPath` should point to the TS source; the CLI builds, uploads, and replaces it with snapshot metadata during validate/create.
+- For workflow/automation JS_CODE nodes, prefer V2 `runtimeMode: "trusted_node"`. AI-authored source must be TypeScript under `src/js-code-nodes/<scriptCode>/index.ts`, `src/automations/<resourceCode>/index.ts`, or `src/functions/<functionCode>/index.ts`. `pnpm build-js-code --script <scriptCode>` runs TypeScript validation before bundling, and `sourceFile.localPath` should point to the TS source; the CLI builds, uploads, and replaces it with snapshot metadata during validate/create.
+- Form permission group resources must have stable local codes. Use unique `code` values such as `ticket_reporter_view` and `ticket_repairer_view`; do not rely on the form code when one form has multiple groups.
+- Workflow resources can be created as drafts. After resource publish, verify `openxiangda workflow list --profile <name> --json` and run `openxiangda workflow publish <workflowCode> --profile <name>` until `isPublished: true` is visible.
 
 ## Subskills
 

package/openxiangda-skills/references/architecture-design.md

@@ -73,6 +73,8 @@ Do not insult the person. Criticize the proposal and explain the technical conse
 | Live view for unbounded heavy joins | Slow runtime queries | Materialized view with scheduled refresh and indexes |
 | JS_CODE for reusable business service | Logic gets duplicated in graph nodes | App Function for shared backend logic; JS_CODE only for node-local trigger logic |
 | Raw native form controls | Inconsistent with platform runtime and validation | OpenXiangda platform components first, Ant Design wrappers second |
+| Multiple form permission groups without stable local codes | CLI state and platform `resourceCode` cannot reliably distinguish groups on the same form | Give every group a unique `code`, for example `ticket_reporter_view` and `ticket_repairer_view` |
+| Assuming resource publish means workflow is active | Workflow resources may exist as drafts until explicitly published | Verify `workflow list` shows `isPublished: true`; run `workflow publish <workflowCode>` when needed |
 
 ## Question Gates
 
@@ -188,6 +190,7 @@ For simple CRUD/admin lists, design can proceed with the appropriate OpenXiangda
 - App roles use stable local codes.
 - Page permission groups control entry/menu visibility.
 - Form permission groups enforce data access.
+- Form permission group resources use unique stable `code` values. Do not use the same form code for multiple groups.
 - Field permissions hide sensitive fields where backend support exists.
 - Frontend-only button hiding is UX, not security.
 
@@ -207,6 +210,8 @@ For simple CRUD/admin lists, design can proceed with the appropriate OpenXiangda
 - Use automation for backend triggers and schedules.
 - Use JS_CODE V2 trusted_node for node-local backend logic.
 - Use App Function for reusable backend services.
+- After publishing workflow resources, verify `workflow list` and record whether `isPublished` is true.
+- In React SPA and classic workspaces, JS_CODE/App Function TypeScript lives under `src/js-code-nodes`, `src/automations`, or `src/functions`; build with `pnpm build-js-code`.
 
 ## Final Document Template
 
@@ -274,6 +279,7 @@ For simple CRUD/admin lists, design can proceed with the appropriate OpenXiangda
 - Performance/query checks:
 - Report freshness checks:
 - Notification/automation checks:
+- Workflow checks: real approval flows show `isPublished: true`.
 
 ## 11. Open Questions And Confirmed Assumptions
 

package/openxiangda-skills/references/automation-v3.md

@@ -287,7 +287,7 @@ Use JS_CODE V2 when the script is local to one automation graph node.
 }
 ```
 
-Author source in `sy-lowcode-app-workspace/src/js-code-nodes/<scriptCode>/index.ts`. AI-authored source must be TypeScript. Build with `pnpm build-js-code --script <scriptCode>`; the command runs TypeScript validation before bundling. During validate/create, the CLI uploads the generated bundle, replaces `sourceFile.localPath` with `{ bucketName, objectName, sha256, ... }`, and the backend verifies sha256 before execution.
+Author source in `src/js-code-nodes/<scriptCode>/index.ts`. AI-authored source must be TypeScript. Build with `pnpm build-js-code --script <scriptCode>`; the command runs TypeScript validation before bundling. During validate/create, the CLI uploads the generated bundle, replaces `sourceFile.localPath` with `{ bucketName, objectName, sha256, ... }`, and the backend verifies sha256 before execution.
 
 The backend runs the snapshot in the trusted Node runtime, applies the node timeout (`30000` ms by default), stores execution logs, and writes the returned value to the node output and `variables.node_<nodeId>`. Scripts may use `export default async function (ctx) {}`, `module.exports = async (ctx) => {}`, `require`, `process`, `Buffer`, arbitrary HTTP, and `platform.api` for `/openxiangda-api/v1`.
 

package/openxiangda-skills/references/resource-manifest-cheatsheet.md

@@ -371,6 +371,8 @@ export default async function (ctx) {
 
 ## 10. Form Permission Group — `src/resources/permissions/form-groups/<formCode>/<groupCode>.json`
 
+每个表单权限组必须有稳定、唯一的 `code`。同一张表单通常会有多个查看/提交/管理员权限组，不能把 `formCode` 当成权限组 code，否则本地 state 和平台 `resourceCode` 会把不同组混在一起。
+
 ```json
 {
   "code": "sales_view",
@@ -455,3 +457,4 @@ export default async function (ctx) {
 - ❌ 用 data view 代替 `linkedForm` 下拉、单表 CRUD 或写回。**data view 是只读；materialized 有刷新延迟，live 要控制查询边界。**
 - ❌ 把跨页面/跨流程复用的后端逻辑都塞进 JS_CODE。**优先 App Function，JS_CODE 只做节点内脚本。**
 - ❌ 在 page 源码里 hardcode `/api/notification-config/*` 或 `/connectors/actions/invoke`。**用 `sdk.notification` / `sdk.connector`。**
+- ❌ 发布 workflow resource 后不检查是否激活。**用 `openxiangda workflow list --profile <name> --json` 确认 `isPublished: true`，需要时再跑 `openxiangda workflow publish <workflowCode>`。**

package/openxiangda-skills/references/workflow-v3.md

@@ -133,7 +133,7 @@ File snapshot:
 }
 ```
 
-AI-authored JS_CODE source must be TypeScript under `sy-lowcode-app-workspace/src/js-code-nodes/<scriptCode>/index.ts`. When validating or creating, the CLI runs `pnpm build-js-code --script <scriptCode>`, which runs TypeScript validation first, bundles to `dist/js-code-nodes/<scriptCode>/index.cjs`, uploads the bundle, and replaces `sourceFile.localPath` with immutable snapshot metadata. The backend verifies snapshot `sha256`, runs it in the trusted Node runtime, applies the node timeout (`30000` ms by default), stores execution logs, and writes the returned value to the node output and `variables.node_<nodeId>`.
+AI-authored JS_CODE source must be TypeScript under `src/js-code-nodes/<scriptCode>/index.ts`. When validating or creating, the CLI runs `pnpm build-js-code --script <scriptCode>`, which runs TypeScript validation first, bundles to `dist/js-code-nodes/<scriptCode>/index.cjs`, uploads the bundle, and replaces `sourceFile.localPath` with immutable snapshot metadata. The backend verifies snapshot `sha256`, runs it in the trusted Node runtime, applies the node timeout (`30000` ms by default), stores execution logs, and writes the returned value to the node output and `variables.node_<nodeId>`.
 
 For reusable backend logic that should be shared by pages, automations, and workflows, prefer an App Function under `src/functions/<functionCode>/index.ts` plus `src/resources/functions/<functionCode>.json`. Workflow graphs that support App Function nodes can call it with:
 

package/openxiangda-skills/skills/openxiangda-workflow-automation/SKILL.md

@@ -24,7 +24,7 @@ Create a workflow only when the scenario has **real approval semantics**: approv
 - ✅ New AI-authored automations: prefer **code-first** `automation_code_ts` (`src/automations/<code>/index.ts` + `definition.code.json` + `preview.json`).
 - ✅ New AI-authored workflows that don't need canvas editing: prefer **code-first** `src/workflows/<code>/workflow.ts` using `openxiangda/workflow`.
 - ✅ Reusable backend business logic: prefer **App Function** (`src/functions/<functionCode>/index.ts` + `src/resources/functions/<functionCode>.json`), then call it from page `sdk.function.invoke` or automation/workflow `function_call`.
-- ✅ JS_CODE V2 trusted_node: source in TypeScript under `sy-lowcode-app-workspace/src/js-code-nodes/<scriptCode>/index.ts`. Run `pnpm build-js-code --script <code>` (validates with `tsc` first).
+- ✅ JS_CODE V2 trusted_node: source in TypeScript under `src/js-code-nodes/<scriptCode>/index.ts`, `src/automations/<resourceCode>/index.ts`, or `src/functions/<functionCode>/index.ts`. Run `pnpm build-js-code --script <code>` (validates with `tsc` first).
 - ✅ Use `trigger_v2` for new automation triggers; CLI fills root `appType` / `formUuid` from active profile when `--form-code` is provided.
 - ✅ Use logical `workflowCode` / `automationCode` locally; live IDs are profile-isolated under `.openxiangda/state.json`.
 - ✅ `ctx.logger.debug/info/warn/error(message, data?)` at every important step — inspect via `automation executions` / `automation logs` / `automation diagnose`.
@@ -70,9 +70,10 @@ openxiangda form bind customer --form-uuid FORM_XXX --profile dev
 4. Publish:
    ```bash
    openxiangda workflow publish customer_approval --profile dev
+   openxiangda workflow list --profile dev --json
    ```
 
-Use `workflow pull` to inspect the live definition. Use logical workflow codes locally; never copy a workflow ID from one profile to another.
+Use `workflow pull` to inspect the live definition. Use `workflow list --json` after publishing and confirm the target shows `isPublished: true`; resource publish can create/update a draft without activating it. Use logical workflow codes locally; never copy a workflow ID from one profile to another.
 
 ## JS_CODE V2
 
@@ -86,7 +87,7 @@ For new AI-authored workflows where users do not need canvas editing, prefer com
 
 Do not use JS_CODE for simple UI interactions, ordinary form validation, display-only page behavior, or logic that belongs in a normal React code page. For non-trivial backend logic, prefer JS_CODE V2 trusted Node scripts over large inline snippets. AI-authored JS_CODE source must be TypeScript:
 
-1. Put source in `sy-lowcode-app-workspace/src/js-code-nodes/<scriptCode>/index.ts`.
+1. Put source in `src/js-code-nodes/<scriptCode>/index.ts`.
 2. Run `pnpm build-js-code --script <scriptCode>`. This command runs TypeScript validation first and only bundles after `tsc` passes.
 3. In workflow or automation JSON, use:
    ```json
@@ -106,7 +107,7 @@ Do not use JS_CODE for simple UI interactions, ordinary form validation, display
    }
    ```
 
-The CLI requires `sourceFile.localPath` to point to `src/js-code-nodes/<scriptCode>/index.ts`. During validate/create it runs `pnpm build-js-code --script <scriptCode>`, uploads the generated `dist/js-code-nodes/<scriptCode>/index.cjs` to `/file/js-code-snapshot/upload`, verifies the server snapshot metadata, and replaces it with `{ bucketName, objectName, sha256, ... }`.
+The CLI requires `sourceFile.localPath` to point to TypeScript source in `src/js-code-nodes/<scriptCode>/index.ts`, `src/automations/<resourceCode>/index.ts`, or `src/functions/<functionCode>/index.ts`. During validate/create it runs `pnpm build-js-code --script <scriptCode>`, uploads the generated bundle to `/file/js-code-snapshot/upload`, verifies the server snapshot metadata, and replaces it with `{ bucketName, objectName, sha256, ... }`.
 
 The backend verifies the uploaded snapshot sha256 before execution, runs it in the trusted Node runtime, applies the node timeout (`30000` ms by default), stores console/runtime logs in the execution record, and writes the returned value to the node output and `variables.node_<nodeId>`.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openxiangda",
-  "version": "1.0.81",
+  "version": "1.0.82",
   "description": "OpenXiangda CLI, workspace build tools, runtime SDK, and form components.",
   "private": false,
   "bin": {

package/templates/openxiangda-react-spa/AGENTS.md

@@ -18,7 +18,9 @@
 pnpm install
 pnpm dev
 pnpm typecheck
+pnpm typecheck:js-code
 pnpm build
+pnpm build-js-code
 openxiangda workspace publish --profile <name> --form <formCode>
 openxiangda resource plan --profile <name>
 openxiangda resource publish --profile <name>
@@ -33,6 +35,8 @@ openxiangda resource publish --profile <name>
 openxiangda runtime deploy --profile <name>
 ```
 
+`pnpm build-js-code` 会检查并打包 `src/js-code-nodes/<code>/index.ts`、`src/automations/<code>/index.ts`、`src/functions/<code>/index.ts`，供 JS_CODE V2、代码自动化和 App Function 资源发布使用。
+
 `openxiangda runtime deploy` 会构建 `dist/`、上传应用前端包并激活当前版本。不要手工修改 `dist/index.html`。
 
 ## 应用结构
@@ -41,6 +45,8 @@ openxiangda runtime deploy --profile <name>
 - `src/pages/admin/AdminDashboardPage.tsx`：默认首页。
 - `src/pages/defaults/*`：表单、流程、数据列表、文件预览等默认页。
 - `src/runtime/default-page-overrides.tsx`：整页覆盖默认页的入口。
+- `src/js-code-nodes/*`、`src/automations/*`、`src/functions/*`：后端执行脚本源码。
+- `scripts/build-js-code.mjs`：JS_CODE V2、代码自动化和 App Function 的 TypeScript 构建脚本。
 
 ## 权限资源
 

package/templates/openxiangda-react-spa/package.json

@@ -6,11 +6,14 @@
   "scripts": {
     "dev": "vite",
     "build": "vite build",
+    "build-js-code": "node scripts/build-js-code.mjs",
+    "build:js-code": "node scripts/build-js-code.mjs",
     "build:forms": "lowcode-workspace build-forms",
     "sync-schema": "lowcode-workspace sync-schema",
     "publish:all": "lowcode-workspace publish-all",
     "openxiangda:publish": "lowcode-workspace publish-all",
     "typecheck": "tsc -p tsconfig.app.json --noEmit",
+    "typecheck:js-code": "tsc -p tsconfig.js-code-nodes.json --noEmit",
     "check": "pnpm typecheck && pnpm build",
     "resources:plan": "openxiangda resource plan",
     "resources:publish": "openxiangda resource publish",

package/templates/openxiangda-react-spa/scripts/build-js-code.mjs

@@ -0,0 +1,146 @@
+#!/usr/bin/env node
+import { builtinModules } from "node:module";
+import { spawnSync } from "node:child_process";
+import { existsSync } from "node:fs";
+import { readdir, stat } from "node:fs/promises";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { build } from "vite";
+
+const rootDir = fileURLToPath(new URL("..", import.meta.url));
+const args = process.argv.slice(2);
+
+const sourceKinds = {
+  "js-code-nodes": {
+    name: "js-code-nodes",
+    sourceRoot: path.join(rootDir, "src", "js-code-nodes"),
+    outputRoot: path.join(rootDir, "dist", "js-code-nodes"),
+    label: "JS_CODE",
+  },
+  automations: {
+    name: "automations",
+    sourceRoot: path.join(rootDir, "src", "automations"),
+    outputRoot: path.join(rootDir, "dist", "automations"),
+    label: "automation code",
+  },
+  functions: {
+    name: "functions",
+    sourceRoot: path.join(rootDir, "src", "functions"),
+    outputRoot: path.join(rootDir, "dist", "functions"),
+    label: "app function",
+  },
+};
+
+function readArg(name) {
+  const prefix = `--${name}=`;
+  const inline = args.find((arg) => arg.startsWith(prefix));
+  if (inline) return inline.slice(prefix.length);
+  const index = args.indexOf(`--${name}`);
+  return index >= 0 ? args[index + 1] : undefined;
+}
+
+async function listScriptCodes(kind) {
+  if (!existsSync(kind.sourceRoot)) return [];
+  const entries = await readdir(kind.sourceRoot);
+  const result = [];
+  for (const entry of entries) {
+    const entryDir = path.join(kind.sourceRoot, entry);
+    const entryStat = await stat(entryDir);
+    if (!entryStat.isDirectory()) continue;
+    if (existsSync(path.join(entryDir, "index.ts"))) result.push(entry);
+  }
+  return result.sort();
+}
+
+function typecheckScripts() {
+  const result = spawnSync(
+    "pnpm",
+    ["exec", "tsc", "-p", "tsconfig.js-code-nodes.json", "--noEmit"],
+    {
+      cwd: rootDir,
+      stdio: "inherit",
+    },
+  );
+  if (result.status !== 0) throw new Error("JS_CODE TypeScript validation failed");
+}
+
+async function buildScript(kind, scriptCode) {
+  const entry = path.join(kind.sourceRoot, scriptCode, "index.ts");
+  if (!existsSync(entry)) throw new Error(`${kind.label} script not found: ${entry}`);
+
+  const outDir = path.join(kind.outputRoot, scriptCode);
+  const external = Array.from(
+    new Set([...builtinModules, ...builtinModules.map((name) => `node:${name}`)]),
+  );
+
+  await build({
+    configFile: false,
+    root: rootDir,
+    logLevel: "warn",
+    resolve: {
+      alias: {
+        "@": path.join(rootDir, "src"),
+      },
+    },
+    build: {
+      ssr: entry,
+      outDir,
+      emptyOutDir: true,
+      target: "node20",
+      minify: false,
+      sourcemap: true,
+      rollupOptions: {
+        external,
+        output: {
+          format: "cjs",
+          entryFileNames: "index.cjs",
+          inlineDynamicImports: true,
+          exports: "auto",
+        },
+      },
+    },
+  });
+
+  console.log(`built ${kind.name}/${scriptCode} -> ${path.relative(rootDir, path.join(outDir, "index.cjs"))}`);
+}
+
+const onlyScript = readArg("script");
+const sourceArg = readArg("source");
+const selectedKind = sourceArg ? sourceKinds[sourceArg] : undefined;
+if (sourceArg && !selectedKind) {
+  throw new Error(`unsupported source: ${sourceArg}. Expected js-code-nodes, automations, or functions`);
+}
+
+async function resolveBuildTargets() {
+  if (onlyScript) {
+    if (selectedKind) return [{ kind: selectedKind, scriptCode: onlyScript }];
+    for (const kind of Object.values(sourceKinds)) {
+      if (existsSync(path.join(kind.sourceRoot, onlyScript, "index.ts"))) {
+        return [{ kind, scriptCode: onlyScript }];
+      }
+    }
+    return [{ kind: sourceKinds["js-code-nodes"], scriptCode: onlyScript }];
+  }
+
+  const kinds = selectedKind ? [selectedKind] : Object.values(sourceKinds);
+  const targets = [];
+  for (const kind of kinds) {
+    for (const scriptCode of await listScriptCodes(kind)) {
+      targets.push({ kind, scriptCode });
+    }
+  }
+  return targets;
+}
+
+const targets = await resolveBuildTargets();
+
+if (targets.length === 0) {
+  console.log("no JS_CODE scripts found under src/js-code-nodes/<scriptCode>/index.ts, src/automations/<scriptCode>/index.ts, or src/functions/<functionCode>/index.ts");
+  process.exit(0);
+}
+
+typecheckScripts();
+
+for (const target of targets) {
+  await buildScript(target.kind, target.scriptCode);
+}

package/templates/openxiangda-react-spa/tsconfig.js-code-nodes.json

@@ -0,0 +1,19 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "Bundler",
+    "strict": true,
+    "skipLibCheck": true,
+    "types": ["node"],
+    "baseUrl": ".",
+    "paths": {
+      "@/*": ["src/*"]
+    }
+  },
+  "include": [
+    "src/js-code-nodes/**/*.ts",
+    "src/automations/**/*.ts",
+    "src/functions/**/*.ts"
+  ]
+}