openxiangda 1.0.84 → 1.0.86

package/README.md

@@ -178,6 +178,8 @@ const affiliatedDepartmentExternalId = user?.affiliatedDepartment?.externalId
 
 后端业务逻辑优先声明为 App Function：源码放在 `src/functions/<functionCode>/index.ts`，资源 manifest 放在 `src/resources/functions/<functionCode>.json`。函数运行在 trusted_node 中，通过 `ctx.form`、`ctx.dataView`、`ctx.connector`、`ctx.notification`、`ctx.platform.api` 等受控 API 访问平台能力；自动化、流程和运行时接口都可以调用同一个 function。JS_CODE V2 仍兼容，但新逻辑建议写成 function，再由 `function_call` 节点、`sdk.function.invoke(code, { input })` 或 `/:appType/v1/functions/:code/invoke.json` 调用。当前 MVP 中直接运行时接口要求调用者具备应用自动化管理权限，自动化/流程内部调用走服务端受控上下文。
 
+应用登录能力通过 auth resource 和 runtime SDK 提供：登录配置放在 `src/resources/auth/<code>.json`，默认 React SPA 模板已包含 `/view/:appType/login`，自定义页面可使用 `createAuthClient({ appType, servicePrefix })` 或 `LoginPage` / `useAuth` from `openxiangda/runtime/react`。手机号验证码、CAS/SSO 或其他外部登录可以由 App Function provider 校验外部凭证，但 provider 只能返回 `phone` / `email` / `externalId` / `unionId` 等身份声明；平台后端按 auth resource 策略执行账号匹配、绑定、创建或拒绝，并由平台统一签发 token/cookie。默认注册策略是拒绝，开启自动注册或白名单注册前必须确认身份匹配键、默认角色、验证码 TTL/频率/失败次数、审计字段和错误文案策略。
+
 常用数据视图命令：
 
 ```bash

package/lib/cli.js

@@ -2,6 +2,7 @@ const fs = require('fs');
 const path = require('path');
 const crypto = require('crypto');
 const os = require('os');
+const { builtinModules } = require('module');
 const { spawnSync } = require('child_process');
 const { pathToFileURL } = require('url');
 const esbuild = require('esbuild');
@@ -3374,6 +3375,7 @@ function ensureResourceBuckets(bound) {
   bound.resources.roles = bound.resources.roles || {};
   bound.resources.connectors = bound.resources.connectors || {};
   bound.resources.dataViews = bound.resources.dataViews || {};
+  bound.resources.authConfigs = bound.resources.authConfigs || {};
   bound.resources.notifications = bound.resources.notifications || {};
   bound.resources.notifications.templates = bound.resources.notifications.templates || {};
   bound.resources.notifications.typeConfigs = bound.resources.notifications.typeConfigs || {};
@@ -3584,6 +3586,14 @@ function saveDataViewResource(target, dataViewCode, dataViewId, extra = {}) {
   }, keys);
 }
 
+function saveAuthConfigResource(target, authConfigCode, configId, extra = {}) {
+  const keys = ['configId', 'status'];
+  saveStateResource(target, 'authConfigs', authConfigCode, {
+    ...pickStateFields(extra, keys),
+    configId,
+  }, keys);
+}
+
 function saveRoleResource(target, roleCode, roleId) {
   saveStateResource(target, 'roles', roleCode, { roleId }, ['roleId']);
 }
@@ -3691,6 +3701,7 @@ const RESOURCE_SPECS = [
   { key: 'automations', dir: 'automations', topFiles: ['automations.json'], pluralKeys: ['automations'] },
   { key: 'functions', dir: 'functions', topFiles: ['functions.json'], pluralKeys: ['functions'] },
   { key: 'dataViews', dir: 'data-views', topFiles: ['data-views.json'], pluralKeys: ['dataViews', 'data-views'] },
+  { key: 'authConfigs', dir: 'auth', topFiles: ['auth.json'], pluralKeys: ['authConfigs', 'auth'] },
   {
     key: 'pagePermissionGroups',
     dir: path.join('permissions', 'page-groups'),
@@ -3890,6 +3901,7 @@ function generateResourceTypes(manifest, outputFile) {
   );
   const dataViewCodes = unique((manifest.dataViews || []).map(item => item.code).filter(Boolean));
   const functionCodes = unique((manifest.functions || []).map(item => item.code).filter(Boolean));
+  const authConfigCodes = unique((manifest.authConfigs || []).map(item => item.code).filter(Boolean));
   const content = [
     '/* eslint-disable */',
     '// Generated by openxiangda resource typegen. Do not edit manually.',
@@ -3909,6 +3921,9 @@ function generateResourceTypes(manifest, outputFile) {
     `export const functionCodes = ${JSON.stringify(functionCodes, null, 2)} as const`,
     'export type FunctionCode = typeof functionCodes[number]',
     '',
+    `export const authConfigCodes = ${JSON.stringify(authConfigCodes, null, 2)} as const`,
+    'export type AuthConfigCode = typeof authConfigCodes[number]',
+    '',
     `export const runtimeMenus = ${JSON.stringify(menus, null, 2)} as const`,
     '',
     `export const pagePermissionGroups = ${JSON.stringify(pagePermissionGroups, null, 2)} as const`,
@@ -3923,6 +3938,7 @@ function generateResourceTypes(manifest, outputFile) {
     pagePermissionGroups: pagePermissionGroupCodes.length,
     dataViews: dataViewCodes.length,
     functions: functionCodes.length,
+    authConfigs: authConfigCodes.length,
   };
 }
 
@@ -4001,6 +4017,32 @@ function validateResourceItem(kind, item, errors, warnings) {
     }
     validateDataViewPerformance(label, definition, errors, warnings, storageMode);
   }
+  if (kind === 'authConfigs') {
+    const config = item.configJson || item.config || item;
+    if (!Array.isArray(config.methods)) {
+      errors.push(`${label}: 缺少 methods`);
+    } else {
+      config.methods.forEach((method, index) => {
+        if (!method?.type) errors.push(`${label}.methods[${index}]: 缺少 type`);
+        if (
+          method?.type === 'phone_code' &&
+          method.enabled !== false &&
+          !(
+            method.provider?.functionCode ||
+            method.providerFunctionCode ||
+            config.providers?.phone_code?.functionCode ||
+            config.providers?.phoneCode?.functionCode
+          )
+        ) {
+          errors.push(`${label}.methods[${index}]: phone_code 缺少 provider.functionCode`);
+        }
+      });
+    }
+    const registrationMode = String(config.registration?.mode || 'reject');
+    if (registrationMode !== 'reject') {
+      warnings.push(`${label}: 已开启非默认注册策略 ${registrationMode}，请确认身份匹配键、默认角色和审计字段`);
+    }
+  }
   if (kind === 'pagePermissionGroups' && !item.name) errors.push(`${label}: 缺少 name`);
   if (kind === 'formPermissionGroups') {
     if (!item.name) errors.push(`${label}: 缺少 name`);
@@ -4402,6 +4444,7 @@ async function buildResourcePlan(config, target, manifest) {
   addNotificationPlanActions(target, actions, manifest.notifications || [], existing);
   await addWorkflowPlanActions(config, target, actions, manifest.workflows, existing.workflows);
   addPlanActions(actions, 'function', manifest.functions, existing.functions, (item, current) => functionEquals(target, item, current));
+  addPlanActions(actions, 'authConfig', manifest.authConfigs, existing.authConfigs, (item, current) => authConfigEquals(item, current));
   await addAutomationPlanActions(config, target, actions, manifest.automations, existing.automations);
   addPlanActions(actions, 'dataView', manifest.dataViews, existing.dataViews, (item, current) => dataViewEquals(target.bound, item, current));
   addPlanActions(actions, 'pagePermissionGroup', manifest.pagePermissionGroups, existing.pagePermissionGroups, (item, current) => pagePermissionGroupEquals(target.bound, item, current));
@@ -4437,6 +4480,7 @@ async function publishResourceManifest(config, target, manifest, options = {}) {
   await publishNotificationResources(config, target, manifest.notifications || [], result);
   await publishWorkflowResources(config, target, manifest.workflows || [], result);
   await publishFunctionResources(config, target, manifest.functions || [], result);
+  await publishAuthConfigResources(config, target, manifest.authConfigs || [], result);
   await publishAutomationResources(config, target, manifest.automations || [], result);
   await publishDataViewResources(config, target, manifest.dataViews || [], result);
   await publishPagePermissionGroupResources(config, target, manifest.pagePermissionGroups || [], result);
@@ -4460,6 +4504,7 @@ async function fetchExistingResourceMaps(config, target, manifest) {
     notificationTypeConfigs: new Map(),
     workflows: new Map(),
     functions: new Map(),
+    authConfigs: new Map(),
     automations: new Map(),
     dataViews: new Map(),
     pagePermissionGroups: new Map(),
@@ -4565,6 +4610,31 @@ async function fetchExistingResourceMaps(config, target, manifest) {
       });
     }
   }
+  if ((manifest.authConfigs || []).length > 0) {
+    const data = await requestWithAuth(
+      config,
+      target.profileName,
+      apiPathWithQuery(`/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/auth/configs`, {
+        page: 1,
+        pageSize: 1000,
+      })
+    );
+    indexByCode(maps.authConfigs, normalizeItems(data), item => item.code || item.resourceCode);
+    for (const item of manifest.authConfigs || []) {
+      const code = item.code || item.resourceCode;
+      const existing = maps.authConfigs.get(code);
+      if (!existing) continue;
+      const detail = await requestOptionalWithAuth(
+        config,
+        target.profileName,
+        `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/auth/configs/${encodeURIComponent(code)}`
+      );
+      maps.authConfigs.set(code, {
+        ...existing,
+        ...(detail || {}),
+      });
+    }
+  }
   if ((manifest.dataViews || []).length > 0) {
     const data = await requestWithAuth(
       config,
@@ -5227,6 +5297,38 @@ async function publishFunctionResources(config, target, functions, result) {
   }
 }
 
+async function publishAuthConfigResources(config, target, authConfigs, result) {
+  for (const authItem of authConfigs) {
+    const code = authItem.code || authItem.resourceCode || 'default';
+    const existing = await findExistingAuthConfig(config, target, code);
+    const body = normalizeAuthConfigManifest(authItem);
+    const data = existing
+      ? await requestWithAuth(
+          config,
+          target.profileName,
+          `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/auth/configs/${encodeURIComponent(code)}`,
+          { method: 'PUT', body }
+        )
+      : await requestWithAuth(
+          config,
+          target.profileName,
+          `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/auth/configs`,
+          { method: 'POST', body }
+        );
+    if (data?.id) {
+      saveAuthConfigResource(target, data.code || code, data.id, {
+        status: data.status,
+      });
+    }
+    result.published.push({
+      kind: 'authConfig',
+      code,
+      action: existing ? 'update' : 'create',
+      id: data?.id,
+    });
+  }
+}
+
 async function publishDataViewResources(config, target, dataViews, result) {
   for (const dataViewItem of dataViews) {
     const existing = await findExistingDataView(config, target, dataViewItem.code);
@@ -5272,6 +5374,18 @@ async function findExistingFunction(config, target, code) {
   return null;
 }
 
+async function findExistingAuthConfig(config, target, code) {
+  const stateId = target.bound.resources?.authConfigs?.[code]?.configId;
+  const byCode = await requestOptionalWithAuth(
+    config,
+    target.profileName,
+    `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/auth/configs/${encodeURIComponent(code)}`
+  );
+  if (byCode?.id) return byCode;
+  if (stateId) return { id: stateId, code };
+  return null;
+}
+
 async function findExistingDataView(config, target, code) {
   const stateId = target.bound.resources?.dataViews?.[code]?.dataViewId;
   const byCode = await requestOptionalWithAuth(
@@ -5422,6 +5536,7 @@ async function pruneResourceManifest(config, target, manifest, result) {
   await pruneWorkflows(config, target, desiredCodes(manifest.workflows), result);
   await pruneAutomations(config, target, desiredCodes(manifest.automations), result);
   await pruneFunctions(config, target, desiredCodes(manifest.functions), result);
+  await pruneAuthConfigs(config, target, desiredCodes(manifest.authConfigs), result);
   await pruneDataViews(config, target, desiredCodes(manifest.dataViews), result);
   await prunePagePermissionGroups(
     config,
@@ -5617,6 +5732,29 @@ async function pruneFunctions(config, target, desired, result) {
   }
 }
 
+async function pruneAuthConfigs(config, target, desired, result) {
+  const data = await requestWithAuth(
+    config,
+    target.profileName,
+    apiPathWithQuery(`/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/auth/configs`, {
+      page: 1,
+      pageSize: 1000,
+    })
+  );
+  for (const item of normalizeItems(data)) {
+    const code = item.code || item.resourceCode;
+    if (!code || desired.has(code)) continue;
+    await pruneOne(config, target, result, 'authConfig', code, item.id, async () => {
+      await requestWithAuth(
+        config,
+        target.profileName,
+        `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/auth/configs/${encodeURIComponent(code)}`,
+        { method: 'DELETE' }
+      );
+    });
+  }
+}
+
 async function prunePagePermissionGroups(config, target, desired, result) {
   const data = await requestWithAuth(
     config,
@@ -5692,6 +5830,7 @@ function removeStateResource(target, kind, code) {
     workflow: 'workflows',
     automation: 'automations',
     function: 'functions',
+    authConfig: 'authConfigs',
     dataView: 'dataViews',
     pagePermissionGroup: 'pagePermissionGroups',
     formPermissionGroup: 'formPermissionGroups',
@@ -5890,6 +6029,26 @@ async function pullResources(config, target) {
     written.push(path.relative(process.cwd(), filePath));
   }
 
+  const authConfigs = await requestWithAuth(
+    config,
+    target.profileName,
+    apiPathWithQuery(`/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/auth/configs`, {
+      page: 1,
+      pageSize: 1000,
+    })
+  );
+  for (const item of normalizeItems(authConfigs)) {
+    const code = item.code || item.resourceCode || item.id;
+    const detail = await requestWithAuth(
+      config,
+      target.profileName,
+      `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/auth/configs/${encodeURIComponent(code)}`
+    );
+    const filePath = path.join(baseDir, 'auth', `${code}.json`);
+    writeResourceJsonFile(filePath, toPulledAuthConfig(detail));
+    written.push(path.relative(process.cwd(), filePath));
+  }
+
   const dataViews = await requestWithAuth(
     config,
     target.profileName,
@@ -6105,6 +6264,16 @@ function toPulledDataView(dataView, permissionGroups, lookups) {
   });
 }
 
+function toPulledAuthConfig(authConfig) {
+  return stripUndefinedValues({
+    code: authConfig.code || authConfig.resourceCode,
+    name: authConfig.name,
+    description: authConfig.description || '',
+    status: authConfig.status || 'active',
+    configJson: authConfig.configJson || authConfig.config || {},
+  });
+}
+
 function rewriteDataViewDefinitionForManifest(definition, lookups) {
   rewriteDataViewSourceForManifest(definition.base, lookups);
   for (const join of definition.joins || []) {
@@ -6285,6 +6454,40 @@ function normalizeDataViewManifest(bound, dataView) {
   });
 }
 
+function normalizeAuthConfigManifest(authConfig) {
+  const code = authConfig.code || authConfig.resourceCode || 'default';
+  const configJson = clonePlainJson(
+    authConfig.configJson || authConfig.config || withoutAuthConfigManifestMeta(authConfig)
+  );
+  return stripUndefinedValues({
+    code,
+    name: authConfig.name || configJson.name || code,
+    description:
+      authConfig.description !== undefined
+        ? authConfig.description
+        : configJson.description || '',
+    status: authConfig.status || configJson.status || 'active',
+    configJson: {
+      ...configJson,
+      methods: Array.isArray(configJson.methods) ? configJson.methods : [],
+      registration: configJson.registration || { mode: 'reject' },
+      binding: configJson.binding || { mode: 'auto' },
+    },
+  });
+}
+
+function withoutAuthConfigManifestMeta(authConfig) {
+  const next = withoutResourceMeta(authConfig);
+  delete next.code;
+  delete next.resourceCode;
+  delete next.name;
+  delete next.description;
+  delete next.status;
+  delete next.config;
+  delete next.configJson;
+  return next;
+}
+
 function withoutDataViewManifestMeta(dataView) {
   const next = withoutResourceMeta(dataView);
   delete next.permissionGroups;
@@ -6754,6 +6957,18 @@ function functionEquals(target, desired, existing) {
   );
 }
 
+function authConfigEquals(desired, existing) {
+  if (!existing) return false;
+  const expected = normalizeAuthConfigManifest(desired);
+  return (
+    String(existing.code || existing.resourceCode || '') === String(expected.code || '') &&
+    String(existing.name || '') === String(expected.name || '') &&
+    String(existing.description || '') === String(expected.description || '') &&
+    String(existing.status || 'active') === String(expected.status || 'active') &&
+    jsonEqualsForPlan(existing.configJson || {}, expected.configJson || {}, desired.__dir)
+  );
+}
+
 function dataViewEquals(bound, desired, existing) {
   if (!existing) return false;
   const expected = normalizeDataViewManifest(bound, desired);
@@ -6893,10 +7108,18 @@ function resolveJsCodeBundlePathForPlan(localPath) {
   const extension = path.extname(localPath).toLowerCase();
   if (extension && extension !== '.ts' && extension !== '.tsx') return null;
   const normalized = localPath.replace(/\\/g, '/');
-  const matched = normalized.match(/src\/js-code-nodes\/([^/]+)\/index\.tsx?$/);
+  const jsCodeMatched = normalized.match(/src\/js-code-nodes\/([^/]+)\/index\.tsx?$/);
+  const automationMatched = normalized.match(/src\/automations\/([^/]+)\/index\.tsx?$/);
+  const functionMatched = normalized.match(/src\/functions\/([^/]+)\/index\.tsx?$/);
+  const matched = jsCodeMatched || automationMatched || functionMatched;
   if (!matched) return null;
+  const sourceKind = functionMatched
+    ? 'functions'
+    : automationMatched
+      ? 'automations'
+      : 'js-code-nodes';
   const workspaceRoot = findWorkspaceRoot(localPath);
-  return path.join(workspaceRoot, 'dist', 'js-code-nodes', matched[1], 'index.cjs');
+  return path.join(workspaceRoot, 'dist', sourceKind, matched[1], 'index.cjs');
 }
 
 function sortObjectForStableJson(value) {
@@ -7058,7 +7281,7 @@ async function uploadJsCodeSnapshotFile(
   const resolvedLocalPath = fs.existsSync(baseResolvedPath)
     ? baseResolvedPath
     : cwdResolvedPath;
-  const bundlePath = resolveJsCodeBundlePath(resolvedLocalPath, scriptCode);
+  const bundlePath = await resolveJsCodeBundlePath(resolvedLocalPath, scriptCode);
   if (!fs.existsSync(bundlePath)) {
     fail(`JS_CODE bundle不存在: ${bundlePath}`);
   }
@@ -7094,14 +7317,14 @@ async function uploadJsCodeSnapshotFile(
   return sourceFile;
 }
 
-function resolveJsCodeBundlePath(localPath, scriptCode) {
+async function resolveJsCodeBundlePath(localPath, scriptCode) {
   const extension = path.extname(localPath).toLowerCase();
   if (['.js', '.cjs', '.mjs'].includes(extension)) {
     fail(
       `JS_CODE V2 要求 AI 源码使用 TypeScript，请把 sourceFile.localPath 指向 src/js-code-nodes/<scriptCode>/index.ts、src/automations/<scriptCode>/index.ts 或 src/functions/<functionCode>/index.ts，而不是已构建的 ${extension} 文件: ${localPath}`
     );
   }
-  if (extension !== '.ts') {
+  if (!['.ts', '.tsx'].includes(extension)) {
     fail(
       `JS_CODE V2 sourceFile.localPath 必须指向 TypeScript 源文件 src/js-code-nodes/<scriptCode>/index.ts、src/automations/<scriptCode>/index.ts 或 src/functions/<functionCode>/index.ts: ${localPath}`
     );
@@ -7125,16 +7348,88 @@ function resolveJsCodeBundlePath(localPath, scriptCode) {
       : 'js-code-nodes';
 
   const workspaceRoot = findWorkspaceRoot(localPath);
-  const result = spawnSync('pnpm', ['build-js-code', '--script', resolvedScriptCode, '--source', sourceKind], {
-    cwd: workspaceRoot,
-    stdio: 'inherit',
-  });
-  if (result.status !== 0) {
+  const result = runWorkspaceJsCodeBuild(workspaceRoot, resolvedScriptCode, sourceKind);
+  if (result.status !== 0 && sourceKind === 'functions' && isUnsupportedFunctionsBuildScript(result)) {
+    warn(
+      `当前工作区 scripts/build-js-code.mjs 不支持 App Function source=functions，已使用 openxiangda 内置构建器兼容构建 ${resolvedScriptCode}`
+    );
+    await buildFunctionSourceWithBundledEsbuild(localPath, workspaceRoot, resolvedScriptCode);
+  } else if (result.status !== 0) {
+    if (result.stdout) process.stdout.write(result.stdout);
+    if (result.stderr) process.stderr.write(result.stderr);
     fail(`JS_CODE bundle构建失败: ${resolvedScriptCode}`);
+  } else {
+    if (result.stdout) process.stdout.write(result.stdout);
+    if (result.stderr) process.stderr.write(result.stderr);
   }
   return path.join(workspaceRoot, 'dist', sourceKind, resolvedScriptCode, 'index.cjs');
 }
 
+function runWorkspaceJsCodeBuild(workspaceRoot, resolvedScriptCode, sourceKind) {
+  return spawnSync('pnpm', ['build-js-code', '--script', resolvedScriptCode, '--source', sourceKind], {
+    cwd: workspaceRoot,
+    encoding: 'utf8',
+  });
+}
+
+function isUnsupportedFunctionsBuildScript(result) {
+  const output = `${result.stdout || ''}\n${result.stderr || ''}`;
+  return (
+    output.includes('unsupported source: functions') ||
+    output.includes('Expected js-code-nodes or automations')
+  );
+}
+
+async function buildFunctionSourceWithBundledEsbuild(localPath, workspaceRoot, functionCode) {
+  const outfile = path.join(workspaceRoot, 'dist', 'functions', functionCode, 'index.cjs');
+  fs.mkdirSync(path.dirname(outfile), { recursive: true });
+  const external = Array.from(
+    new Set([...builtinModules, ...builtinModules.map(name => `node:${name}`)])
+  );
+  try {
+    await esbuild.build({
+      entryPoints: [localPath],
+      outfile,
+      bundle: true,
+      platform: 'node',
+      format: 'cjs',
+      target: ['node20'],
+      sourcemap: true,
+      logLevel: 'silent',
+      external,
+      plugins: [
+        {
+          name: 'openxiangda-workspace-alias',
+          setup(build) {
+            build.onResolve({ filter: /^@\// }, args => ({
+              path: resolveWorkspaceAliasPath(workspaceRoot, args.path),
+            }));
+          },
+        },
+      ],
+    });
+  } catch (error) {
+    fail(`App Function 内置构建失败: ${functionCode}: ${error.message}`);
+  }
+  print(`built functions/${functionCode} -> ${path.relative(workspaceRoot, outfile)}`);
+}
+
+function resolveWorkspaceAliasPath(workspaceRoot, importPath) {
+  const raw = path.join(workspaceRoot, 'src', importPath.replace(/^@\//, ''));
+  const candidates = [
+    raw,
+    `${raw}.ts`,
+    `${raw}.tsx`,
+    `${raw}.js`,
+    `${raw}.mjs`,
+    `${raw}.cjs`,
+    path.join(raw, 'index.ts'),
+    path.join(raw, 'index.tsx'),
+    path.join(raw, 'index.js'),
+  ];
+  return candidates.find(candidate => fs.existsSync(candidate)) || raw;
+}
+
 function findWorkspaceRoot(startPath) {
   if (!fs.existsSync(startPath)) {
     return process.cwd();

package/openxiangda-skills/SKILL.md

@@ -28,6 +28,7 @@ OpenXiangda supports two workspace modes. Classic `sy-lowcode-app-workspace` pub
 | 审批流程 / workflow / 流程节点 / JS_CODE | `openxiangda-workflow-automation` | `openxiangda workflow validate / create / publish` |
 | 自动化 / 定时任务 / 提交触发 / cron | `openxiangda-workflow-automation` | `openxiangda automation validate / create / publish / enable` |
 | App Function / function_call / 可复用后端逻辑 | `openxiangda-workflow-automation` | declare `src/resources/functions/<code>.json` + `src/functions/<code>/index.ts` |
+| 应用登录 / Auth SDK / 手机号验证码 / CAS / 钉钉免登 | `openxiangda-architecture-design` + `openxiangda-page` | design security gate first, then declare `src/resources/auth/<code>.json` and use `createAuthClient` / `LoginPage` |
 | 角色 / 权限组 / 字段权限 / 数据范围 / 公开访问 | `openxiangda-permission-settings` | `openxiangda permission ...` / `openxiangda settings ...` |
 | 看应用结构 / 快照 / 对比 / 诊断 / 排查 / 报错 | `openxiangda-inspect` | `openxiangda app snapshot <APP_XXX> --profile <name> --json` |
 | 登录 / 切换平台 / profile / token / whoami | `openxiangda-core` | `openxiangda env --profile <name>` / `openxiangda auth status` |
@@ -42,6 +43,7 @@ OpenXiangda supports two workspace modes. Classic `sy-lowcode-app-workspace` pub
 - ✅ Each profile (dev / prod / ...) has its own `appType` and resource IDs; never copy a `formUuid` / `pageId` / `workflowId` / `automationId` across profiles.
 - ✅ Run `openxiangda update check --json` at the start of substantial work; if `updateAvailable`, run `openxiangda update install` and `openxiangda skill install --force`.
 - ✅ For non-trivial app requirements, run the architecture design gate first: forms, fields, pages, permissions, data views, status/workflow, automation, notifications, and development tasks must be decided before coding.
+- ✅ For app login/auth requirements, run the auth security gate before coding: enabled methods, registration policy, identity matching keys, provider boundary, default roles, rate limits, audit fields, and third-party ownership must be confirmed.
 - ✅ For form-entry UX, pick components in this order: OpenXiangda platform form components → `antd` / `antd-mobile` wrappers → custom component only when neither exists.
 - ✅ List pages, linked options, remote selectors, and report drill-downs must use paginated server-side queries with explicit searchable fields. Do not fetch a large page and filter in local state.
 - ✅ Treat workflow forms as an exception. Ordinary ticket/order/task/asset lifecycles use status fields, state machines, action logs, permissions, and automations; workflows are for real approval tasks.
@@ -142,6 +144,7 @@ When the user provides a root domain such as `https://yida.wisejob.cn/`, use it
 - For repeated read-only multi-form queries or predefined dashboard metrics, create a data view manifest in `src/resources/data-views/`. Use `storageMode: "materialized"` for refreshed lists/reports that tolerate delay; use `storageMode: "live"` for bounded real-time joins where source changes must appear immediately. Use row views plus `sdk.dataView.query` for joined lists/lookups; use `viewType: "aggregate"` plus `sdk.dataView.stats` for count/sum/avg/min/max statistics. Add `indexes` only for materialized views. Do not use data views for single-form CRUD, simple linkedForm selects, writes, write-back, unbounded realtime joins, or ad-hoc BI. Read `references/data-views.md` before designing one.
 - For external APIs, create a connector manifest in `src/resources/connectors/` and call it from pages through `sdk.connector`; never put third-party API keys in page source.
 - For reusable backend logic shared by pages, automations, and workflows, create an App Function in `src/resources/functions/<functionCode>.json` plus `src/functions/<functionCode>/index.ts`. Call it from pages with `sdk.function.invoke`, from automation/workflow graphs with `function_call`, or from the runtime endpoint when the caller has app automation management permission. Current App Function MVP exposes controlled helpers such as `ctx.resources`, `ctx.form`, `ctx.dataView`, `ctx.connector`, `ctx.notification`, and `ctx.platform.api`; it does not expose raw SQL or Redis.
+- For application login, declare auth resources in `src/resources/auth/<code>.json` and publish them with `openxiangda resource publish`. App Function auth providers may validate external credentials and return only an identity assertion; they must never issue tokens, set cookies, or write platform user/binding tables directly. The platform auth service decides create/bind/reject and issues tokens.
 - Before scaffolding a real app, complex page, data management page, portal shell, status lifecycle, role governance, or automation, read `references/best-practices.md` and pick the architecture first. Prefer copying the relevant pattern from `examples/best-practices/` into `src/` instead of generating a single large page file.
 - Before publishing to another platform, verify the workspace is bound for that profile. Resource IDs from one profile must not be reused for another profile.
 - Use `openxiangda app snapshot <APP_XXX> --profile <name> --json` for diagnosis before changing an existing app.
@@ -181,7 +184,7 @@ Core CLI / state:
 - `references/architecture-design.md` — OpenXiangda architecture design gate, anti-pattern rejection, question gates, final design template, and black-box demo scenario.
 - `references/workspace-state.md` — `.openxiangda/state.json` shape and profile isolation rules.
 - `references/connector-resources.md` — `src/resources` manifests, connector schema, App Function boundary, and platform runtime calls.
-- `references/resource-manifest-cheatsheet.md` — 复制即用的 connector / data-view / notification / App Function / workflow / automation / JS_CODE / role / permission group / settings / menu manifest 骨架与运行时调用示例。在创建任何 `src/resources/` 资源前先看这份。
+- `references/resource-manifest-cheatsheet.md` — 复制即用的 auth / connector / data-view / notification / App Function / workflow / automation / JS_CODE / role / permission group / settings / menu manifest 骨架与运行时调用示例。在创建任何 `src/resources/` 资源前先看这份。
 - `references/data-views.md` — `src/resources/data-views` materialized/live data view resources, DSL, permissions, refresh, CLI commands, and runtime SDK usage.
 - `references/notifications.md` — `src/resources/notifications`, notification templates/type bindings, and `sdk.notification` / `ctx.notification`.
 - `references/best-practices.md` — initialized examples for modular pages, state lifecycles, role governance, permission isolation, high-performance queries, portal shells, workflow boundaries, and automation patterns.

package/openxiangda-skills/references/architecture-design.md

@@ -24,6 +24,7 @@ This design flow is for applications built on OpenXiangda. The output is not a g
 - status machines or workflows
 - automations, JS_CODE V2 nodes, and App Functions
 - notifications and connectors
+- application login/auth methods, registration policy, identity matching, and provider boundaries
 - publish and acceptance steps
 
 The design is complete only when another agent can implement it without deciding major architecture tradeoffs.
@@ -72,6 +73,8 @@ Do not insult the person. Criticize the proposal and explain the technical conse
 | Materialized view for hard realtime data | Users see stale data | `storageMode: "live"` only for bounded realtime joins, or direct source queries/App Function |
 | Live view for unbounded heavy joins | Slow runtime queries | Materialized view with scheduled refresh and indexes |
 | JS_CODE for reusable business service | Logic gets duplicated in graph nodes | App Function for shared backend logic; JS_CODE only for node-local trigger logic |
+| Auth provider issues tokens or writes users directly | Breaks platform account, binding, permission, and audit boundaries | Provider returns identity assertion only; platform creates/binds/rejects and issues token |
+| Phone-code login auto-registers by default | Allows uncontrolled account creation from weak identity proof | Default registration is reject; enable auto-create/whitelist only after explicit confirmation |
 | Raw native form controls | Inconsistent with platform runtime and validation | OpenXiangda platform components first, Ant Design wrappers second |
 | Multiple form permission groups without stable local codes | CLI state and platform `resourceCode` cannot reliably distinguish groups on the same form | Give every group a unique `code`, for example `ticket_reporter_view` and `ticket_repairer_view` |
 | Assuming resource publish means workflow is active | Workflow resources may exist as drafts until explicitly published | Verify `workflow list` shows `isPublished: true`; run `workflow publish <workflowCode>` when needed |
@@ -153,6 +156,20 @@ Default: reusable calculations and validations become App Functions; one-off bac
 - Are templates reusable resources?
 - Are external credentials needed? If yes, use connectors/resources, never page source secrets.
 
+### Login And Auth
+
+Ask these before generating any login/auth design:
+
+- Which methods are enabled: password, DingTalk in-app free login, CAS/SSO, phone code, guest?
+- What is the phone registration policy: reject, auto-create, bind existing only, whitelist, or manual approval?
+- What are the identity match keys and priorities: `phone`, `email`, `externalId`, `unionId`, `jobNumber`, `username`?
+- Which App Function provider validates each external credential, and what identity assertion fields must it return?
+- Which default app roles/page groups/data scopes should new users receive, if registration is enabled?
+- What are the security parameters: code TTL, send frequency, failed attempts, IP/device limits, audit fields, and failure message disclosure?
+- Is CAS/DingTalk configured by the platform tenant, or delegated to an app-level provider function?
+
+Default: registration is rejected; provider functions return identity assertions only; platform auth service owns account creation, binding, permission assignment, cookies, and tokens.
+
 ### UI Design
 
 Ask whether to use Product Design or another design skill for:
@@ -213,6 +230,14 @@ For simple CRUD/admin lists, design can proceed with the appropriate OpenXiangda
 - After publishing workflow resources, verify `workflow list` and record whether `isPublished` is true.
 - In React SPA and classic workspaces, JS_CODE/App Function TypeScript lives under `src/js-code-nodes`, `src/automations`, or `src/functions`; build with `pnpm build-js-code`.
 
+### Auth
+
+- Auth resources use stable local codes under `src/resources/auth/`.
+- Use `/view/:appType/login` or `LoginPage` from `openxiangda/runtime/react` for default React login.
+- Use `createAuthClient({ appType, servicePrefix })` for custom React login pages.
+- Phone-code providers are App Functions. They validate send/verify events and return identity assertions; they do not issue tokens or mutate platform users.
+- New-user registration must be explicit, with default roles and identity conflict behavior documented.
+
 ## Final Document Template
 
 ```markdown
@@ -262,17 +287,26 @@ For simple CRUD/admin lists, design can proceed with the appropriate OpenXiangda
 - JS_CODE V2 nodes:
 - App Functions:
 
-## 8. Notifications And Connectors
+## 8. Login And Auth
+
+- Enabled methods:
+- Registration policy:
+- Identity matching keys:
+- Provider functions:
+- Default roles/permissions:
+- Security parameters:
+
+## 9. Notifications And Connectors
 
 | Scenario | Trigger | Channel | Recipients | Template/resource | Notes |
 |---|---|---|---|---|---|
 
-## 9. Development Task Table
+## 10. Development Task Table
 
 | Phase | Task | Resources/files | Validation | Publish step |
 |---|---|---|---|---|
 
-## 10. Acceptance Criteria
+## 11. Acceptance Criteria
 
 - Functional checks:
 - Permission checks:
@@ -281,7 +315,7 @@ For simple CRUD/admin lists, design can proceed with the appropriate OpenXiangda
 - Notification/automation checks:
 - Workflow checks: real approval flows show `isPublished: true`.
 
-## 11. Open Questions And Confirmed Assumptions
+## 12. Open Questions And Confirmed Assumptions
 
 - Confirmed:
 - Still open:

package/openxiangda-skills/references/connector-resources.md

@@ -12,6 +12,7 @@ Common folders:
 - `automations`
 - `data-views`
 - `functions`
+- `auth`
 - `permissions/page-groups`
 - `permissions/form-groups`
 - `settings/forms`
@@ -33,6 +34,8 @@ Data view manifests live under `src/resources/data-views/` and define read-only
 
 App Function manifests live under `src/resources/functions/`, with source in `src/functions/<functionCode>/index.ts`. Use them for reusable server-side logic that pages, automations, and workflows can share through `sdk.function.invoke` or `function_call` nodes. App Functions expose controlled runtime helpers such as `ctx.resources`, `ctx.form`, `ctx.dataView`, `ctx.connector`, `ctx.notification`, and `ctx.platform.api`; they do not expose raw SQL or Redis in the current MVP. Use JS_CODE V2 only for node-local workflow/automation scripts.
 
+Auth manifests live under `src/resources/auth/`. Use them to enable app-level login methods and bind phone-code/CAS/custom providers to App Functions. Auth provider functions are called only by the platform auth flow. They validate external credentials and return identity assertions such as `phone`, `email`, `externalId`, or `unionId`; they must not issue tokens, set cookies, or mutate platform user/binding tables.
+
 ```json
 {
   "code": "crm",