openxiangda 1.0.85 → 1.0.87

package/lib/cli.js

@@ -2,6 +2,7 @@ const fs = require('fs');
 const path = require('path');
 const crypto = require('crypto');
 const os = require('os');
+const { builtinModules } = require('module');
 const { spawnSync } = require('child_process');
 const { pathToFileURL } = require('url');
 const esbuild = require('esbuild');
@@ -3375,6 +3376,8 @@ function ensureResourceBuckets(bound) {
   bound.resources.connectors = bound.resources.connectors || {};
   bound.resources.dataViews = bound.resources.dataViews || {};
   bound.resources.authConfigs = bound.resources.authConfigs || {};
+  bound.resources.routes = bound.resources.routes || {};
+  bound.resources.publicAccessPolicies = bound.resources.publicAccessPolicies || {};
   bound.resources.notifications = bound.resources.notifications || {};
   bound.resources.notifications.templates = bound.resources.notifications.templates || {};
   bound.resources.notifications.typeConfigs = bound.resources.notifications.typeConfigs || {};
@@ -3585,6 +3588,22 @@ function saveDataViewResource(target, dataViewCode, dataViewId, extra = {}) {
   }, keys);
 }
 
+function saveRouteResource(target, routeCode, routeId, extra = {}) {
+  const keys = ['routeId', 'pathPattern', 'publicAccess', 'publicPolicyCode'];
+  saveStateResource(target, 'routes', routeCode, {
+    ...pickStateFields(extra, keys),
+    routeId,
+  }, keys);
+}
+
+function savePublicAccessPolicyResource(target, policyCode, policyId, extra = {}) {
+  const keys = ['policyId', 'mode', 'routeCode', 'pathPattern'];
+  saveStateResource(target, 'publicAccessPolicies', policyCode, {
+    ...pickStateFields(extra, keys),
+    policyId,
+  }, keys);
+}
+
 function saveAuthConfigResource(target, authConfigCode, configId, extra = {}) {
   const keys = ['configId', 'status'];
   saveStateResource(target, 'authConfigs', authConfigCode, {
@@ -3701,6 +3720,13 @@ const RESOURCE_SPECS = [
   { key: 'functions', dir: 'functions', topFiles: ['functions.json'], pluralKeys: ['functions'] },
   { key: 'dataViews', dir: 'data-views', topFiles: ['data-views.json'], pluralKeys: ['dataViews', 'data-views'] },
   { key: 'authConfigs', dir: 'auth', topFiles: ['auth.json'], pluralKeys: ['authConfigs', 'auth'] },
+  { key: 'routes', dir: 'routes', topFiles: ['routes.json'], pluralKeys: ['routes'] },
+  {
+    key: 'publicAccessPolicies',
+    dir: 'public-access',
+    topFiles: ['public-access.json'],
+    pluralKeys: ['publicAccessPolicies', 'publicAccess', 'policies'],
+  },
   {
     key: 'pagePermissionGroups',
     dir: path.join('permissions', 'page-groups'),
@@ -3882,6 +3908,12 @@ function generateResourceTypes(manifest, outputFile) {
     routeCode: item.routeCode || null,
     path: item.path || null,
   }));
+  const routes = (manifest.routes || []).map(item => ({
+    code: item.code,
+    pathPattern: item.pathPattern || item.path || null,
+    publicAccess: item.publicAccess || 'none',
+    publicPolicyCode: item.publicPolicyCode || item.policyCode || null,
+  }));
   const pagePermissionGroups = (manifest.pagePermissionGroups || []).map(item => ({
     code: item.code,
     menuCodes: normalizePermissionCodeArray(item.menuCodes),
@@ -3891,6 +3923,7 @@ function generateResourceTypes(manifest, outputFile) {
   const routeCodes = unique(
     [
       ...menus.map(item => item.routeCode),
+      ...routes.map(item => item.code),
       ...pagePermissionGroups.flatMap(item => item.routeCodes),
     ].filter(Boolean)
   );
@@ -3901,6 +3934,7 @@ function generateResourceTypes(manifest, outputFile) {
   const dataViewCodes = unique((manifest.dataViews || []).map(item => item.code).filter(Boolean));
   const functionCodes = unique((manifest.functions || []).map(item => item.code).filter(Boolean));
   const authConfigCodes = unique((manifest.authConfigs || []).map(item => item.code).filter(Boolean));
+  const publicAccessPolicyCodes = unique((manifest.publicAccessPolicies || []).map(item => item.code).filter(Boolean));
   const content = [
     '/* eslint-disable */',
     '// Generated by openxiangda resource typegen. Do not edit manually.',
@@ -3923,8 +3957,13 @@ function generateResourceTypes(manifest, outputFile) {
     `export const authConfigCodes = ${JSON.stringify(authConfigCodes, null, 2)} as const`,
     'export type AuthConfigCode = typeof authConfigCodes[number]',
     '',
+    `export const publicAccessPolicyCodes = ${JSON.stringify(publicAccessPolicyCodes, null, 2)} as const`,
+    'export type PublicAccessPolicyCode = typeof publicAccessPolicyCodes[number]',
+    '',
     `export const runtimeMenus = ${JSON.stringify(menus, null, 2)} as const`,
     '',
+    `export const runtimeRoutes = ${JSON.stringify(routes, null, 2)} as const`,
+    '',
     `export const pagePermissionGroups = ${JSON.stringify(pagePermissionGroups, null, 2)} as const`,
     '',
   ].join('\n');
@@ -3938,6 +3977,7 @@ function generateResourceTypes(manifest, outputFile) {
     dataViews: dataViewCodes.length,
     functions: functionCodes.length,
     authConfigs: authConfigCodes.length,
+    publicAccessPolicies: publicAccessPolicyCodes.length,
   };
 }
 
@@ -4042,6 +4082,29 @@ function validateResourceItem(kind, item, errors, warnings) {
       warnings.push(`${label}: 已开启非默认注册策略 ${registrationMode}，请确认身份匹配键、默认角色和审计字段`);
     }
   }
+  if (kind === 'routes') {
+    if (!item.pathPattern && !item.path) errors.push(`${label}: 缺少 pathPattern`);
+    const mode = item.publicAccess === undefined ? 'none' : String(item.publicAccess);
+    if (!['none', 'guest', 'ticket'].includes(mode)) {
+      errors.push(`${label}: publicAccess 只能是 none、guest 或 ticket`);
+    }
+  }
+  if (kind === 'publicAccessPolicies') {
+    if (!item.name) warnings.push(`${label}: 未声明 name，将使用 code`);
+    const mode = item.mode === undefined ? 'guest' : String(item.mode);
+    if (!['guest', 'ticket'].includes(mode)) {
+      errors.push(`${label}: mode 只能是 guest 或 ticket`);
+    }
+    if (!item.routeCode && !item.pathPattern && !item.path) {
+      warnings.push(`${label}: 未声明 routeCode/pathPattern，建议绑定到 /view/:appType/public/* 路由`);
+    }
+    if (!item.grants || typeof item.grants !== 'object' || Array.isArray(item.grants)) {
+      errors.push(`${label}: 缺少 grants object；未显式 grant 的 form/dataView/function/connector 默认拒绝`);
+    }
+    if (!Array.isArray(item.externalRoleCodes || item.externalRoles || item.roles || [])) {
+      errors.push(`${label}: externalRoleCodes 必须是数组`);
+    }
+  }
   if (kind === 'pagePermissionGroups' && !item.name) errors.push(`${label}: 缺少 name`);
   if (kind === 'formPermissionGroups') {
     if (!item.name) errors.push(`${label}: 缺少 name`);
@@ -4444,6 +4507,8 @@ async function buildResourcePlan(config, target, manifest) {
   await addWorkflowPlanActions(config, target, actions, manifest.workflows, existing.workflows);
   addPlanActions(actions, 'function', manifest.functions, existing.functions, (item, current) => functionEquals(target, item, current));
   addPlanActions(actions, 'authConfig', manifest.authConfigs, existing.authConfigs, (item, current) => authConfigEquals(item, current));
+  addPlanActions(actions, 'route', manifest.routes, existing.routes, (item, current) => routeEquals(item, current));
+  addPlanActions(actions, 'publicAccessPolicy', manifest.publicAccessPolicies, existing.publicAccessPolicies, (item, current) => publicAccessPolicyEquals(target.bound, item, current));
   await addAutomationPlanActions(config, target, actions, manifest.automations, existing.automations);
   addPlanActions(actions, 'dataView', manifest.dataViews, existing.dataViews, (item, current) => dataViewEquals(target.bound, item, current));
   addPlanActions(actions, 'pagePermissionGroup', manifest.pagePermissionGroups, existing.pagePermissionGroups, (item, current) => pagePermissionGroupEquals(target.bound, item, current));
@@ -4480,8 +4545,10 @@ async function publishResourceManifest(config, target, manifest, options = {}) {
   await publishWorkflowResources(config, target, manifest.workflows || [], result);
   await publishFunctionResources(config, target, manifest.functions || [], result);
   await publishAuthConfigResources(config, target, manifest.authConfigs || [], result);
+  await publishRouteResources(config, target, manifest.routes || [], result);
   await publishAutomationResources(config, target, manifest.automations || [], result);
   await publishDataViewResources(config, target, manifest.dataViews || [], result);
+  await publishPublicAccessPolicyResources(config, target, manifest.publicAccessPolicies || [], result);
   await publishPagePermissionGroupResources(config, target, manifest.pagePermissionGroups || [], result);
   await publishFormPermissionGroupResources(config, target, manifest.formPermissionGroups || [], result);
   if (options.prune) {
@@ -4504,6 +4571,8 @@ async function fetchExistingResourceMaps(config, target, manifest) {
     workflows: new Map(),
     functions: new Map(),
     authConfigs: new Map(),
+    routes: new Map(),
+    publicAccessPolicies: new Map(),
     automations: new Map(),
     dataViews: new Map(),
     pagePermissionGroups: new Map(),
@@ -4634,6 +4703,28 @@ async function fetchExistingResourceMaps(config, target, manifest) {
       });
     }
   }
+  if ((manifest.routes || []).length > 0) {
+    const data = await requestWithAuth(
+      config,
+      target.profileName,
+      apiPathWithQuery(`/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/routes`, {
+        page: 1,
+        pageSize: 1000,
+      })
+    );
+    indexByCode(maps.routes, normalizeItems(data), item => item.code || item.resourceCode);
+  }
+  if ((manifest.publicAccessPolicies || []).length > 0) {
+    const data = await requestWithAuth(
+      config,
+      target.profileName,
+      apiPathWithQuery(`/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/public-access/policies`, {
+        page: 1,
+        pageSize: 1000,
+      })
+    );
+    indexByCode(maps.publicAccessPolicies, normalizeItems(data), item => item.code || item.resourceCode);
+  }
   if ((manifest.dataViews || []).length > 0) {
     const data = await requestWithAuth(
       config,
@@ -5361,6 +5452,74 @@ async function publishDataViewResources(config, target, dataViews, result) {
   }
 }
 
+async function publishRouteResources(config, target, routes, result) {
+  for (const route of routes) {
+    const code = route.code || route.resourceCode;
+    const existing = await findExistingRoute(config, target, code);
+    const body = normalizeRouteManifest(route);
+    const data = existing
+      ? await requestWithAuth(
+          config,
+          target.profileName,
+          `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/routes/${encodeURIComponent(code)}`,
+          { method: 'PUT', body }
+        )
+      : await requestWithAuth(
+          config,
+          target.profileName,
+          `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/routes`,
+          { method: 'POST', body }
+        );
+    if (data?.id) {
+      saveRouteResource(target, code, data.id, {
+        pathPattern: data.pathPattern,
+        publicAccess: data.publicAccess,
+        publicPolicyCode: data.publicPolicyCode,
+      });
+    }
+    result.published.push({
+      kind: 'route',
+      code,
+      action: existing ? 'update' : 'create',
+      id: data?.id,
+    });
+  }
+}
+
+async function publishPublicAccessPolicyResources(config, target, policies, result) {
+  for (const policy of policies) {
+    const code = policy.code || policy.resourceCode;
+    const existing = await findExistingPublicAccessPolicy(config, target, code);
+    const body = normalizePublicAccessPolicyManifest(target.bound, policy);
+    const data = existing
+      ? await requestWithAuth(
+          config,
+          target.profileName,
+          `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/public-access/policies/${encodeURIComponent(code)}`,
+          { method: 'PUT', body }
+        )
+      : await requestWithAuth(
+          config,
+          target.profileName,
+          `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/public-access/policies`,
+          { method: 'POST', body }
+        );
+    if (data?.id) {
+      savePublicAccessPolicyResource(target, code, data.id, {
+        mode: data.mode,
+        routeCode: data.routeCode,
+        pathPattern: data.pathPattern,
+      });
+    }
+    result.published.push({
+      kind: 'publicAccessPolicy',
+      code,
+      action: existing ? 'update' : 'create',
+      id: data?.id,
+    });
+  }
+}
+
 async function findExistingFunction(config, target, code) {
   const stateId = target.bound.resources?.functions?.[code]?.functionId;
   const byCode = await requestOptionalWithAuth(
@@ -5373,6 +5532,30 @@ async function findExistingFunction(config, target, code) {
   return null;
 }
 
+async function findExistingRoute(config, target, code) {
+  const stateId = target.bound.resources?.routes?.[code]?.routeId;
+  const byCode = await requestOptionalWithAuth(
+    config,
+    target.profileName,
+    `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/routes/${encodeURIComponent(code)}`
+  );
+  if (byCode?.id) return byCode;
+  if (stateId) return { id: stateId, code };
+  return null;
+}
+
+async function findExistingPublicAccessPolicy(config, target, code) {
+  const stateId = target.bound.resources?.publicAccessPolicies?.[code]?.policyId;
+  const byCode = await requestOptionalWithAuth(
+    config,
+    target.profileName,
+    `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/public-access/policies/${encodeURIComponent(code)}`
+  );
+  if (byCode?.id) return byCode;
+  if (stateId) return { id: stateId, code };
+  return null;
+}
+
 async function findExistingAuthConfig(config, target, code) {
   const stateId = target.bound.resources?.authConfigs?.[code]?.configId;
   const byCode = await requestOptionalWithAuth(
@@ -5536,7 +5719,14 @@ async function pruneResourceManifest(config, target, manifest, result) {
   await pruneAutomations(config, target, desiredCodes(manifest.automations), result);
   await pruneFunctions(config, target, desiredCodes(manifest.functions), result);
   await pruneAuthConfigs(config, target, desiredCodes(manifest.authConfigs), result);
+  await pruneRoutes(config, target, desiredCodes(manifest.routes), result);
   await pruneDataViews(config, target, desiredCodes(manifest.dataViews), result);
+  await prunePublicAccessPolicies(
+    config,
+    target,
+    desiredCodes(manifest.publicAccessPolicies),
+    result
+  );
   await prunePagePermissionGroups(
     config,
     target,
@@ -5754,6 +5944,52 @@ async function pruneAuthConfigs(config, target, desired, result) {
   }
 }
 
+async function pruneRoutes(config, target, desired, result) {
+  const data = await requestWithAuth(
+    config,
+    target.profileName,
+    apiPathWithQuery(`/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/routes`, {
+      page: 1,
+      pageSize: 1000,
+    })
+  );
+  for (const route of normalizeItems(data)) {
+    const code = route.code || route.resourceCode;
+    if (!code || desired.has(code)) continue;
+    await pruneOne(config, target, result, 'route', code, route.id, async () => {
+      await requestWithAuth(
+        config,
+        target.profileName,
+        `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/routes/${encodeURIComponent(code)}`,
+        { method: 'DELETE' }
+      );
+    });
+  }
+}
+
+async function prunePublicAccessPolicies(config, target, desired, result) {
+  const data = await requestWithAuth(
+    config,
+    target.profileName,
+    apiPathWithQuery(`/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/public-access/policies`, {
+      page: 1,
+      pageSize: 1000,
+    })
+  );
+  for (const policy of normalizeItems(data)) {
+    const code = policy.code || policy.resourceCode;
+    if (!code || desired.has(code)) continue;
+    await pruneOne(config, target, result, 'publicAccessPolicy', code, policy.id, async () => {
+      await requestWithAuth(
+        config,
+        target.profileName,
+        `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/public-access/policies/${encodeURIComponent(code)}`,
+        { method: 'DELETE' }
+      );
+    });
+  }
+}
+
 async function prunePagePermissionGroups(config, target, desired, result) {
   const data = await requestWithAuth(
     config,
@@ -5830,6 +6066,8 @@ function removeStateResource(target, kind, code) {
     automation: 'automations',
     function: 'functions',
     authConfig: 'authConfigs',
+    route: 'routes',
+    publicAccessPolicy: 'publicAccessPolicies',
     dataView: 'dataViews',
     pagePermissionGroup: 'pagePermissionGroups',
     formPermissionGroup: 'formPermissionGroups',
@@ -6048,6 +6286,36 @@ async function pullResources(config, target) {
     written.push(path.relative(process.cwd(), filePath));
   }
 
+  const routes = await requestWithAuth(
+    config,
+    target.profileName,
+    apiPathWithQuery(`/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/routes`, {
+      page: 1,
+      pageSize: 1000,
+    })
+  );
+  for (const route of normalizeItems(routes)) {
+    const code = route.code || route.resourceCode || route.id;
+    const filePath = path.join(baseDir, 'routes', `${code}.json`);
+    writeResourceJsonFile(filePath, toPulledRoute(route));
+    written.push(path.relative(process.cwd(), filePath));
+  }
+
+  const publicAccessPolicies = await requestWithAuth(
+    config,
+    target.profileName,
+    apiPathWithQuery(`/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/public-access/policies`, {
+      page: 1,
+      pageSize: 1000,
+    })
+  );
+  for (const policy of normalizeItems(publicAccessPolicies)) {
+    const code = policy.code || policy.resourceCode || policy.id;
+    const filePath = path.join(baseDir, 'public-access', `${code}.json`);
+    writeResourceJsonFile(filePath, toPulledPublicAccessPolicy(policy, pullLookups));
+    written.push(path.relative(process.cwd(), filePath));
+  }
+
   const dataViews = await requestWithAuth(
     config,
     target.profileName,
@@ -6263,6 +6531,48 @@ function toPulledDataView(dataView, permissionGroups, lookups) {
   });
 }
 
+function toPulledRoute(route) {
+  return stripUndefinedValues({
+    code: route.code || route.resourceCode,
+    title: route.title || route.name,
+    kind: route.kind || 'page',
+    pathPattern: route.pathPattern || route.path,
+    menuCode: route.menuCode || undefined,
+    publicAccess: route.publicAccess || 'none',
+    publicPolicyCode: route.publicPolicyCode || route.policyCode || undefined,
+    meta: route.metaJson || route.meta || undefined,
+  });
+}
+
+function toPulledPublicAccessPolicy(policy, lookups) {
+  return stripUndefinedValues({
+    code: policy.code || policy.resourceCode,
+    name: policy.name,
+    description: policy.description || '',
+    enabled: policy.enabled !== false,
+    mode: policy.mode || 'guest',
+    routeCode: policy.routeCode || undefined,
+    pathPattern: policy.pathPattern || policy.path || undefined,
+    externalRoleCodes: policy.externalRoleCodes || policy.externalRoles || [],
+    grants: rewritePublicAccessGrantsForManifest(policy.grantsJson || policy.grants || {}, lookups),
+    ticketConfig: policy.ticketConfigJson || policy.ticketConfig || undefined,
+    rateLimit: policy.rateLimitJson || policy.rateLimit || undefined,
+    expiresAt: policy.expiresAt || undefined,
+  });
+}
+
+function rewritePublicAccessGrantsForManifest(grants, lookups) {
+  const formCodes = normalizePermissionCodeArray(grants.forms).map(formUuid =>
+    lookups.formCodeByUuid.get(formUuid) || formUuid
+  );
+  return stripUndefinedValues({
+    formCodes,
+    dataViews: normalizePermissionCodeArray(grants.dataViews),
+    functions: normalizePermissionCodeArray(grants.functions),
+    connectors: normalizePermissionCodeArray(grants.connectors),
+  });
+}
+
 function toPulledAuthConfig(authConfig) {
   return stripUndefinedValues({
     code: authConfig.code || authConfig.resourceCode,
@@ -6453,6 +6763,54 @@ function normalizeDataViewManifest(bound, dataView) {
   });
 }
 
+function normalizeRouteManifest(route) {
+  const code = route.code || route.resourceCode;
+  return stripUndefinedValues({
+    code,
+    title: route.title || route.name || code,
+    kind: route.kind || 'page',
+    pathPattern: route.pathPattern || route.path,
+    menuCode: route.menuCode,
+    publicAccess: route.publicAccess || 'none',
+    publicPolicyCode: route.publicPolicyCode || route.policyCode,
+    meta: route.meta || route.metaJson,
+  });
+}
+
+function normalizePublicAccessPolicyManifest(bound, policy) {
+  const code = policy.code || policy.resourceCode;
+  return stripUndefinedValues({
+    code,
+    name: policy.name || policy.title || code,
+    description: policy.description || '',
+    enabled: policy.enabled !== false,
+    mode: policy.mode || 'guest',
+    routeCode: policy.routeCode,
+    pathPattern: policy.pathPattern || policy.path,
+    externalRoleCodes: normalizePermissionCodeArray(
+      policy.externalRoleCodes || policy.externalRoles || policy.roles
+    ),
+    grants: normalizePublicAccessGrants(bound, policy.grants || {}),
+    ticketConfig: policy.ticketConfig,
+    rateLimit: policy.rateLimit,
+    expiresAt: policy.expiresAt,
+  });
+}
+
+function normalizePublicAccessGrants(bound, grants = {}) {
+  const formEntries = [
+    ...normalizePermissionCodeArray(grants.forms),
+    ...normalizePermissionCodeArray(grants.formCodes),
+    ...normalizePermissionCodeArray(grants.formUuids),
+  ];
+  return stripUndefinedValues({
+    forms: unique(formEntries.map(code => resolveOptionalFormUuid(bound, code)).filter(Boolean)),
+    dataViews: normalizePermissionCodeArray(grants.dataViews),
+    functions: normalizePermissionCodeArray(grants.functions),
+    connectors: normalizePermissionCodeArray(grants.connectors),
+  });
+}
+
 function normalizeAuthConfigManifest(authConfig) {
   const code = authConfig.code || authConfig.resourceCode || 'default';
   const configJson = clonePlainJson(
@@ -6968,6 +7326,40 @@ function authConfigEquals(desired, existing) {
   );
 }
 
+function routeEquals(desired, existing) {
+  if (!existing) return false;
+  const expected = normalizeRouteManifest(desired);
+  return (
+    String(existing.code || existing.resourceCode || '') === String(expected.code || '') &&
+    String(existing.title || existing.name || '') === String(expected.title || '') &&
+    String(existing.kind || 'page') === String(expected.kind || 'page') &&
+    String(existing.pathPattern || existing.path || '') === String(expected.pathPattern || '') &&
+    String(existing.menuCode || '') === String(expected.menuCode || '') &&
+    String(existing.publicAccess || 'none') === String(expected.publicAccess || 'none') &&
+    String(existing.publicPolicyCode || existing.policyCode || '') === String(expected.publicPolicyCode || '') &&
+    jsonEqualsForPlan(existing.metaJson || existing.meta || {}, expected.meta || {}, desired.__dir)
+  );
+}
+
+function publicAccessPolicyEquals(bound, desired, existing) {
+  if (!existing) return false;
+  const expected = normalizePublicAccessPolicyManifest(bound, desired);
+  return (
+    String(existing.code || existing.resourceCode || '') === String(expected.code || '') &&
+    String(existing.name || '') === String(expected.name || '') &&
+    String(existing.description || '') === String(expected.description || '') &&
+    Boolean(existing.enabled) === Boolean(expected.enabled) &&
+    String(existing.mode || 'guest') === String(expected.mode || 'guest') &&
+    String(existing.routeCode || '') === String(expected.routeCode || '') &&
+    String(existing.pathPattern || '') === String(expected.pathPattern || '') &&
+    stringSetEquals(existing.externalRoleCodes || [], expected.externalRoleCodes || []) &&
+    jsonEqualsForPlan(existing.grantsJson || existing.grants || {}, expected.grants || {}, desired.__dir) &&
+    jsonEqualsForPlan(existing.ticketConfigJson || existing.ticketConfig || {}, expected.ticketConfig || {}, desired.__dir) &&
+    jsonEqualsForPlan(existing.rateLimitJson || existing.rateLimit || {}, expected.rateLimit || {}, desired.__dir) &&
+    String(existing.expiresAt || '') === String(expected.expiresAt || '')
+  );
+}
+
 function dataViewEquals(bound, desired, existing) {
   if (!existing) return false;
   const expected = normalizeDataViewManifest(bound, desired);
@@ -7107,10 +7499,18 @@ function resolveJsCodeBundlePathForPlan(localPath) {
   const extension = path.extname(localPath).toLowerCase();
   if (extension && extension !== '.ts' && extension !== '.tsx') return null;
   const normalized = localPath.replace(/\\/g, '/');
-  const matched = normalized.match(/src\/js-code-nodes\/([^/]+)\/index\.tsx?$/);
+  const jsCodeMatched = normalized.match(/src\/js-code-nodes\/([^/]+)\/index\.tsx?$/);
+  const automationMatched = normalized.match(/src\/automations\/([^/]+)\/index\.tsx?$/);
+  const functionMatched = normalized.match(/src\/functions\/([^/]+)\/index\.tsx?$/);
+  const matched = jsCodeMatched || automationMatched || functionMatched;
   if (!matched) return null;
+  const sourceKind = functionMatched
+    ? 'functions'
+    : automationMatched
+      ? 'automations'
+      : 'js-code-nodes';
   const workspaceRoot = findWorkspaceRoot(localPath);
-  return path.join(workspaceRoot, 'dist', 'js-code-nodes', matched[1], 'index.cjs');
+  return path.join(workspaceRoot, 'dist', sourceKind, matched[1], 'index.cjs');
 }
 
 function sortObjectForStableJson(value) {
@@ -7272,7 +7672,7 @@ async function uploadJsCodeSnapshotFile(
   const resolvedLocalPath = fs.existsSync(baseResolvedPath)
     ? baseResolvedPath
     : cwdResolvedPath;
-  const bundlePath = resolveJsCodeBundlePath(resolvedLocalPath, scriptCode);
+  const bundlePath = await resolveJsCodeBundlePath(resolvedLocalPath, scriptCode);
   if (!fs.existsSync(bundlePath)) {
     fail(`JS_CODE bundle不存在: ${bundlePath}`);
   }
@@ -7308,14 +7708,14 @@ async function uploadJsCodeSnapshotFile(
   return sourceFile;
 }
 
-function resolveJsCodeBundlePath(localPath, scriptCode) {
+async function resolveJsCodeBundlePath(localPath, scriptCode) {
   const extension = path.extname(localPath).toLowerCase();
   if (['.js', '.cjs', '.mjs'].includes(extension)) {
     fail(
       `JS_CODE V2 要求 AI 源码使用 TypeScript，请把 sourceFile.localPath 指向 src/js-code-nodes/<scriptCode>/index.ts、src/automations/<scriptCode>/index.ts 或 src/functions/<functionCode>/index.ts，而不是已构建的 ${extension} 文件: ${localPath}`
     );
   }
-  if (extension !== '.ts') {
+  if (!['.ts', '.tsx'].includes(extension)) {
     fail(
       `JS_CODE V2 sourceFile.localPath 必须指向 TypeScript 源文件 src/js-code-nodes/<scriptCode>/index.ts、src/automations/<scriptCode>/index.ts 或 src/functions/<functionCode>/index.ts: ${localPath}`
     );
@@ -7339,16 +7739,88 @@ function resolveJsCodeBundlePath(localPath, scriptCode) {
       : 'js-code-nodes';
 
   const workspaceRoot = findWorkspaceRoot(localPath);
-  const result = spawnSync('pnpm', ['build-js-code', '--script', resolvedScriptCode, '--source', sourceKind], {
-    cwd: workspaceRoot,
-    stdio: 'inherit',
-  });
-  if (result.status !== 0) {
+  const result = runWorkspaceJsCodeBuild(workspaceRoot, resolvedScriptCode, sourceKind);
+  if (result.status !== 0 && sourceKind === 'functions' && isUnsupportedFunctionsBuildScript(result)) {
+    warn(
+      `当前工作区 scripts/build-js-code.mjs 不支持 App Function source=functions，已使用 openxiangda 内置构建器兼容构建 ${resolvedScriptCode}`
+    );
+    await buildFunctionSourceWithBundledEsbuild(localPath, workspaceRoot, resolvedScriptCode);
+  } else if (result.status !== 0) {
+    if (result.stdout) process.stdout.write(result.stdout);
+    if (result.stderr) process.stderr.write(result.stderr);
     fail(`JS_CODE bundle构建失败: ${resolvedScriptCode}`);
+  } else {
+    if (result.stdout) process.stdout.write(result.stdout);
+    if (result.stderr) process.stderr.write(result.stderr);
   }
   return path.join(workspaceRoot, 'dist', sourceKind, resolvedScriptCode, 'index.cjs');
 }
 
+function runWorkspaceJsCodeBuild(workspaceRoot, resolvedScriptCode, sourceKind) {
+  return spawnSync('pnpm', ['build-js-code', '--script', resolvedScriptCode, '--source', sourceKind], {
+    cwd: workspaceRoot,
+    encoding: 'utf8',
+  });
+}
+
+function isUnsupportedFunctionsBuildScript(result) {
+  const output = `${result.stdout || ''}\n${result.stderr || ''}`;
+  return (
+    output.includes('unsupported source: functions') ||
+    output.includes('Expected js-code-nodes or automations')
+  );
+}
+
+async function buildFunctionSourceWithBundledEsbuild(localPath, workspaceRoot, functionCode) {
+  const outfile = path.join(workspaceRoot, 'dist', 'functions', functionCode, 'index.cjs');
+  fs.mkdirSync(path.dirname(outfile), { recursive: true });
+  const external = Array.from(
+    new Set([...builtinModules, ...builtinModules.map(name => `node:${name}`)])
+  );
+  try {
+    await esbuild.build({
+      entryPoints: [localPath],
+      outfile,
+      bundle: true,
+      platform: 'node',
+      format: 'cjs',
+      target: ['node20'],
+      sourcemap: true,
+      logLevel: 'silent',
+      external,
+      plugins: [
+        {
+          name: 'openxiangda-workspace-alias',
+          setup(build) {
+            build.onResolve({ filter: /^@\// }, args => ({
+              path: resolveWorkspaceAliasPath(workspaceRoot, args.path),
+            }));
+          },
+        },
+      ],
+    });
+  } catch (error) {
+    fail(`App Function 内置构建失败: ${functionCode}: ${error.message}`);
+  }
+  print(`built functions/${functionCode} -> ${path.relative(workspaceRoot, outfile)}`);
+}
+
+function resolveWorkspaceAliasPath(workspaceRoot, importPath) {
+  const raw = path.join(workspaceRoot, 'src', importPath.replace(/^@\//, ''));
+  const candidates = [
+    raw,
+    `${raw}.ts`,
+    `${raw}.tsx`,
+    `${raw}.js`,
+    `${raw}.mjs`,
+    `${raw}.cjs`,
+    path.join(raw, 'index.ts'),
+    path.join(raw, 'index.tsx'),
+    path.join(raw, 'index.js'),
+  ];
+  return candidates.find(candidate => fs.existsSync(candidate)) || raw;
+}
+
 function findWorkspaceRoot(startPath) {
   if (!fs.existsSync(startPath)) {
     return process.cwd();