npm - openxiangda - Versions diffs - 1.0.92 → 1.0.93 - Mend

openxiangda 1.0.92 → 1.0.93

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +42 -0
package/lib/cli.js +1129 -23
package/lib/design-gates.js +449 -0
package/openxiangda-skills/SKILL.md +23 -20
package/openxiangda-skills/references/architecture-design.md +25 -0
package/openxiangda-skills/references/resource-manifest-cheatsheet.md +36 -0
package/openxiangda-skills/skills/openxiangda-architecture-design/SKILL.md +29 -0
package/package.json +3 -1
package/templates/openxiangda-react-spa/AGENTS.md +6 -0
package/templates/sy-lowcode-app-workspace/AGENTS.md +7 -0

package/openxiangda-skills/skills/openxiangda-architecture-design/SKILL.md CHANGED Viewed

@@ -33,6 +33,33 @@ Be the technical architect. Do not passively accept product requirements when th
 Keep the tone direct and critical about the design, but do not insult the person. Acceptable: "这个方案不能这样做，会把查询压力和权限风险推到前端。" Not acceptable: personal attacks.
+## Plan-Gate Hard Rule
+Architecture-class requests are planning-only until the user explicitly confirms the design.
+This includes new apps, complex pages, login/register, public/no-login access, roles/data scopes, workflow/automation, App Function, connector, notification, and external integration work.
+Before confirmation you may only:
+- read files and docs
+- inspect `.openxiangda/state.json`
+- run read-only snapshots/doctor commands
+- run `openxiangda design gates --topic <code> --json`
+- run `openxiangda resource validate|plan` or other dry-run commands
+- ask focused design-gate questions
+- output or write the design artifact
+Before confirmation you must not:
+- edit app source files
+- create/update/delete platform resources
+- publish workspace/resources/runtime
+- send notifications
+- call live write/delete endpoints
+- start implementation subskills
+Once the user confirms, hand execution to the relevant implementation skill and use the resource commands documented in `references/resource-manifest-cheatsheet.md`.
 ## Non-Negotiable Rules
 - Do not design list pages, option searches, linked-form choices, or report drill-downs that fetch 1000 rows and filter in local state. Use paginated queries, explicit filters, sort, and server-side search fields.
@@ -49,6 +76,7 @@ Keep the tone direct and critical about the design, but do not insult the person
    - If a workspace exists, inspect `.openxiangda/state.json`, `app-workspace.config.ts`, and relevant `src/` resources before designing.
    - If this is an existing app, use snapshots/read-only inspection before proposing changes.
    - If this is a blank app, explicitly state that the design is greenfield.
+   - Run `openxiangda doctor --json` when the CLI/workspace is available.
 2. Extract the domain:
    - Actors and roles.
    - Business objects that should become forms.
@@ -62,6 +90,7 @@ Keep the tone direct and critical about the design, but do not insult the person
    - Data Views with mode, query shape, freshness, indexes, and permissions.
    - Workflows, automations, JS_CODE nodes, App Functions, notifications, connectors, and settings.
 4. Ask design-gate questions in rounds. Do not produce the final design while high-impact unknowns remain.
+   Use `openxiangda design gates --topic <code> --json` to get the current question matrix and recommended defaults.
 5. Challenge bad assumptions. Give the cost, reject the unsafe implementation path, and propose the OpenXiangda-native alternative.
 6. For frontend-heavy pages, ask whether a visual/interaction design pass is needed. If Product Design or another UI design skill is available, route design work there before page implementation.
 7. Write the final artifact by default when a workspace exists:

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "openxiangda",
-  "version": "1.0.92",
+  "version": "1.0.93",
   "description": "OpenXiangda CLI, workspace build tools, runtime SDK, and form components.",
   "private": false,
   "bin": {
@@ -65,6 +65,8 @@
     "prepack": "npm run build:sdk",
     "test:profile-isolation": "bash scripts/profile-isolation-smoke.sh",
     "test:resource-plan": "node scripts/resource-plan-smoke.mjs",
+    "test:design-gates": "node scripts/design-gates-smoke.mjs",
+    "test:resource-cli": "node scripts/resource-cli-smoke.mjs",
     "test:app-function-fallback": "node scripts/app-function-source-fallback-smoke.mjs",
     "test:runtime-deploy": "node scripts/runtime-deploy-smoke.mjs",
     "test:skill-install": "bash scripts/skill-install-smoke.sh",

package/templates/openxiangda-react-spa/AGENTS.md CHANGED Viewed

@@ -4,6 +4,7 @@
 ## 开发原则
+- 架构类需求默认只规划、不实现。新应用、复杂页面、登录注册、公开访问、权限数据范围、流程自动化、连接器/通知等需求，先运行 `openxiangda doctor --json` 和 `openxiangda design gates --topic <code> --json`，输出设计并等用户确认；确认前只允许读取、快照、dry-run、提问和写设计文档，不允许改源码、写平台、发布或发送通知。
 - 默认用户界面保持克制：左侧应用导航、顶部账号信息、首页内容区域。
 - 不在默认可见页面展示 SDK、Runtime、Cookie、Proxy、Playwright、AI 验证、调试上下文、构建号等开发语言。
 - 使用 React Router 管理路由，路由定义在 `src/app/router.tsx`。
@@ -23,9 +24,12 @@ pnpm typecheck:js-code
 pnpm build
 pnpm build-js-code
 openxiangda workspace publish --profile <name> --form <formCode>
+openxiangda doctor --profile <name> --json
+openxiangda design gates --topic public-access --json
 openxiangda resource plan --profile <name>
 openxiangda resource publish --profile <name>
 openxiangda runtime deploy --profile <name>
+openxiangda commands --json
 ```
 完整发布顺序：
@@ -98,6 +102,8 @@ import { PermissionBoundary, useAppMenus, useRuntimeBootstrap } from "openxiangd
 表单、dataView、function、connector 没有被 policy `grants` 显式列出时，公开 guest 默认无权访问。需要数据访问时，把同一个外部角色码加入对应后端权限组。
+资源诊断或小步修复可以使用一等 CLI：`route`、`public-access`、`auth-config`、`function`、`connector`、`notification`、`data-view`、`menu`、`permission`。正式多资源开发仍优先写 `src/resources/**` 后走 `openxiangda resource validate|plan|publish`。直接 CLI 写平台资源时，先加 `--dry-run` 看 path/body；需要保持仓库为来源时加 `--write-manifest`；删除、发送、覆盖类高风险动作必须加 `--force`。
 ## 默认页与覆盖
 - 表单提交：`/view/:appType/admin/forms/:formUuid/new`

package/templates/sy-lowcode-app-workspace/AGENTS.md CHANGED Viewed

@@ -7,6 +7,8 @@
 **所有"发布 / 上线 / 部署 / publish / deploy / ship / release"请求，唯一正确入口是 `openxiangda workspace publish --profile <name>`，不要直接 `pnpm publish:all`。**
+**架构类需求默认只规划、不实现。** 新应用、复杂页面、登录注册、公开访问、权限数据范围、流程自动化、连接器/通知等需求，先 `openxiangda doctor --json` + `openxiangda design gates --topic <code> --json`，输出设计并等待用户确认；确认前只允许读取、快照、dry-run、提问和写设计文档，不允许改源码、写平台、发布、部署或发送通知。
 工作区内的 npm scripts（`publish:all` / `publish:oss` / `register`）已加 `_guard:publish` 守卫；缺少 `OPENXIANGDA_PROFILE` 环境变量时会立即 fail，提示重新走 CLI 入口。
 ## 路由表 — 用户意图 → 命令 / skill
@@ -26,10 +28,12 @@
 | 登录 / 切平台 / token / whoami | `openxiangda-core` | `openxiangda env --profile <name>` / `openxiangda auth status` |
 | 多表只读联表查询 / 报表数据源 | `openxiangda-form`（data view） | 在 `src/resources/data-views/<code>.json` 声明 → `resource publish` |
 | 调外部 / 第三方 API / 钉钉 / 自建系统 | `openxiangda-page`（connector） | 在 `src/resources/connectors/<code>.json` 声明 → `sdk.connector.invoke()` |
+| 资源诊断 / 小步修复 / 同步 manifest | 对应资源 skill | `openxiangda route|public-access|auth-config|function|connector|notification|data-view|menu|permission ... --dry-run` |
 ## 必须遵守
 - ✅ 先 preflight：`openxiangda env --profile <name>` + `openxiangda auth status --profile <name>` + `openxiangda update check --json`。
+- ✅ 架构类需求先 plan gate：`openxiangda doctor --profile <name> --json` + `openxiangda design gates --topic <code> --json`，用户确认后再实现。
 - ✅ 单文件改动默认增量发布：`workspace publish --profile <name> --changed --dry-run` → `--changed` / `--page` / `--form`。
 - ✅ 用户 token 在 `~/.openxiangda/profiles.json`；项目 state 在 `.openxiangda/state.json`（只存 ID）。
 - ✅ 共享环境（`APP_OSS_*`、反馈机器人等）在 `~/.openxiangda/.env`，项目 `.env` 仅做 per-workspace override。
@@ -37,6 +41,7 @@
 - ✅ 改已有应用前先 `openxiangda app snapshot APP_XXX --profile <name> --json`。
 - ✅ 表单录入组件选择顺序：OpenXiangda 平台表单组件 → `antd` / `antd-mobile` 包装 → 只有两者都不满足时才写自定义业务组件。
 - ✅ 发现平台缺陷、能力缺口、规则不清、反复 workaround、AI 不确定点、用户可见体验问题时，主动 `openxiangda feedback submit --yes`；发送后告诉用户反馈内容和 fingerprint。
+- ✅ 正式多资源开发优先写 `src/resources/**` 后 `openxiangda resource validate|plan|publish`；直接 CLI 写平台资源时先 `--dry-run`，需要避免漂移就加 `--write-manifest`。
 ## 严禁
@@ -45,6 +50,7 @@
 - ❌ 在没有本地 `.openxiangda/state.json` 绑定时，去平台搜索同名应用尝试"复用"。空目录 / 无绑定 → 直接 `workspace init --app-name` 创建新应用。
 - ❌ 把 `openxiangda form create` / `form publish` / `page publish` 当作日常页面生成方式。它们仅作底层修复 / 诊断。
 - ❌ 改一个文件就 `workspace publish` 全量。
+- ❌ 用户确认架构设计前就实现、写平台资源、发布、部署或发送通知。
 - ❌ 把 token、AK、SK、第三方密钥写进项目文件。
 - ❌ `npm publish` —— 这个工作区是 `"private": true` 的应用工作区，不是要发到 npm 的 package。
 - ❌ 在 AI 生成的 `src/forms/**` / `src/pages/**` 里直接写原生 `<input>` / `<select>` / `<textarea>` / `<input type="file">`、手写 picker、手写 uploader、手写人员/部门选择器。原生控件只允许出现在 OpenXiangda SDK / 平台组件内部。
@@ -60,6 +66,7 @@
 - 列表页用 `DataManagementList` 模式 + 分页 + 结构化 `filterGroup`，不要 `pageSize=10000` 然后前端过滤。
 - 正式入口（管理后台 / PC 门户 / 移动门户）必须是 app-shell：`page.config.ts` 里 `entry: { mode: "app-shell", hidePlatformNav: true, defaultRoute: "<home>" }`。
 - 对外接口走 `src/resources/connectors/`；多表只读联表走 `src/resources/data-views/`；通知模板走 `src/resources/notifications/`。
+- 新 React SPA 公开访问使用 `/view/:appType/public/*` + `src/resources/routes/` + `src/resources/public-access/` + `PublicAccessGate`。旧 `?publicAccess=guest` 只用于旧 `sy-lowcode-view` 兼容，新应用禁止采用。
 ## 工作区结构速查