npm - openxiangda - Versions diffs - 1.0.92 → 1.0.94 - Mend

openxiangda 1.0.92 → 1.0.94

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +42 -0
package/lib/cli.js +1211 -23
package/lib/design-gates.js +449 -0
package/openxiangda-skills/SKILL.md +23 -20
package/openxiangda-skills/references/architecture-design.md +25 -0
package/openxiangda-skills/references/resource-manifest-cheatsheet.md +36 -0
package/openxiangda-skills/skills/openxiangda-architecture-design/SKILL.md +29 -0
package/package.json +4 -1
package/templates/openxiangda-react-spa/AGENTS.md +6 -0
package/templates/sy-lowcode-app-workspace/AGENTS.md +7 -0

package/lib/cli.js CHANGED Viewed

@@ -22,6 +22,13 @@ const { requestJson } = require('./http');
 const { getSkillStatusReport, installSkills } = require('./skills');
 const { assertCanInitializeWorkspace, initWorkspace } = require('./workspace-init');
 const { bootstrapWorkspace } = require('./workspace-bootstrap');
+const {
+  getDesignGates,
+  getResourceExplain,
+  renderDesignGatesText,
+  renderDesignTemplate,
+  renderResourceExplain,
+} = require('./design-gates');
 const {
   fail,
   formatFetchError,
@@ -52,6 +59,8 @@ async function main(argv) {
   if (command === 'env') return env(rest);
   if (command === 'auth') return auth(rest);
   if (command === 'platform') return platform(rest);
+  if (command === 'doctor') return doctor(rest);
+  if (command === 'design') return design(rest);
   if (command === 'workspace') return workspace(rest);
   if (command === 'app') return app(rest);
   if (command === 'form') return form(rest);
@@ -60,6 +69,12 @@ async function main(argv) {
   if (command === 'workflow') return workflow(rest);
   if (command === 'automation') return automation(rest);
   if (command === 'data-view') return dataView(rest);
+  if (command === 'route') return route(rest);
+  if (command === 'public-access') return publicAccess(rest);
+  if (command === 'auth-config') return authConfig(rest);
+  if (command === 'function') return appFunction(rest);
+  if (command === 'connector') return connector(rest);
+  if (command === 'notification') return notification(rest);
   if (command === 'permission') return permission(rest);
   if (command === 'settings') return settings(rest);
   if (command === 'resource') return resource(rest);
@@ -82,6 +97,8 @@ Usage:
   openxiangda platform list
   openxiangda platform use <name>
   openxiangda auth status|refresh|logout [--profile name]
+  openxiangda doctor [--profile name] [--app-type APP_XXX] [--json]
+  openxiangda design gates|template [--topic code] [--json]
   openxiangda env [--profile name]
   openxiangda workspace init [dir] [--name package-name] [--runtime legacy|react-spa] [--install] [--profile name --app-type APP_XXX]
   openxiangda workspace init [dir] --profile <name> --app-name <app-name> [--runtime legacy|react-spa] [--install]
@@ -100,6 +117,7 @@ Usage:
   openxiangda page bind <pageCode> --page-id <id>
   openxiangda menu list [--profile name] [--json]
   openxiangda menu create <menuCode> --name <text> --type <nav|receipt|display>
+  openxiangda menu update|sort [--json-file file] [--write-manifest]
   openxiangda menu bind <menuCode> --menu-id <id>
   openxiangda workflow list [--profile name] [--form-code code] [--json]
   openxiangda workflow create <workflowCode> --form-code <formCode> --definition-json <file>
@@ -112,12 +130,18 @@ Usage:
   openxiangda automation logs <instanceId> [--automation <automationCode|automationId>] [--summary] [--redact] [--json]
   openxiangda automation diagnose <automationCode|automationId> [--redact] [--json]
   openxiangda automation publish|enable|disable <automationCode|automationId>
-  openxiangda data-view list|status|refresh|query|stats <dataViewCode> [--profile name] [--json]
-  openxiangda permission role-list|role-create|role-bind
-  openxiangda permission page-group-list|page-group-create|page-group-bind
-  openxiangda permission form-group-list|form-group-create|form-group-bind
+  openxiangda data-view list|get|create|update|upsert|delete|status|refresh|query|stats <dataViewCode> [--profile name] [--json]
+  openxiangda route list|get|create|update|upsert|delete [--json-file file] [--dry-run] [--write-manifest]
+  openxiangda public-access list|get|create|update|upsert|delete|ticket-create|session-test|grant-check [--json-file file]
+  openxiangda auth-config list|get|create|update|upsert|delete|methods [--json-file file]
+  openxiangda function list|get|create|update|upsert|delete|invoke [--json-file file]
+  openxiangda connector list|get|create|update|upsert|delete|invoke|download-test [--json-file file]
+  openxiangda notification template-list|template-get|template-upsert|template-delete|type-list|type-get|type-upsert|type-delete|preview|send|batch-send
+  openxiangda permission role-list|role-create|role-update|role-delete|role-bind|audit
+  openxiangda permission page-group-list|page-group-create|page-group-update|page-group-delete|page-group-bind
+  openxiangda permission form-group-list|form-group-create|form-group-update|form-group-delete|form-group-bind
   openxiangda settings get|save|indexes|indexes-save|data-management|data-management-save|public-access
-  openxiangda resource validate|plan|publish|pull [--profile name] [--json]
+  openxiangda resource validate|plan|publish|pull|typegen|explain [--profile name] [--json]
   openxiangda runtime deploy [--profile name] [--dist dist] [--build-id id] [--upload-mode staged|legacy-json] [--upload-timeout-ms ms] [--no-build] [--no-activate] [--json]
   openxiangda runtime releases [--profile name] [--json]
   openxiangda runtime activate <releaseId> [--profile name] [--json]
@@ -152,6 +176,7 @@ const SUBCOMMAND_BOOLEAN_FLAGS = new Set([
   '--strict',
   '--summary',
   '--unpublish',
+  '--write-manifest',
   '--yes',
   '-h',
 ]);
@@ -212,6 +237,10 @@ async function update(args) {
   const requestedSubcommand = args[0] && !args[0].startsWith('--') ? args[0] : 'check';
   const parsedArgs = requestedSubcommand === args[0] ? args.slice(1) : args;
   const { flags } = parseArgs(parsedArgs);
+  if (wantsSubcommandHelp(requestedSubcommand, flags)) {
+    print('用法: openxiangda update check|install [--json] [--registry https://registry.npmjs.org] [--no-skills]');
+    return;
+  }
   const registry = normalizeNpmRegistry(flags.registry || OFFICIAL_NPM_REGISTRY);
   if (requestedSubcommand === 'check') {
@@ -401,9 +430,165 @@ function parseSemver(value) {
   };
 }
+async function design(args) {
+  const { subcommand, rest } = parseSubcommandArgs(args);
+  const { flags, positional } = parseArgs(rest);
+  const topic = flags.topic || positional[0];
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda design gates|template [--topic new-app,public-access] [--json]');
+    return;
+  }
+  if (subcommand === 'gates') {
+    const result = getDesignGates(topic);
+    if (flags.json) return writeJson(result);
+    print(renderDesignGatesText(topic));
+    return;
+  }
+  if (subcommand === 'template') {
+    const result = {
+      topic: topic || 'all',
+      content: renderDesignTemplate(topic),
+    };
+    if (flags.json) return writeJson(result);
+    print(result.content);
+    return;
+  }
+  fail('用法: openxiangda design gates|template [--topic code] [--json]');
+}
+async function doctor(args) {
+  const { flags } = parseArgs(args);
+  if (flags.help || flags.h) {
+    print('用法: openxiangda doctor [--profile name] [--app-type APP_XXX] [--agent codex] [--json]');
+    return;
+  }
+  const config = loadConfig();
+  const profileName = flags.profile || config.currentProfile;
+  const result = {
+    cli: {
+      version: CURRENT_VERSION,
+      commandDiscovery: 'openxiangda commands --json',
+      designGateCommand: 'openxiangda design gates --json',
+    },
+    profile: {
+      requested: profileName || null,
+      exists: false,
+      baseUrl: null,
+      loggedIn: false,
+      user: null,
+    },
+    workspace: {
+      cwd: process.cwd(),
+      stateFile: path.join(process.cwd(), PROJECT_STATE_FILE),
+      hasState: fs.existsSync(path.join(process.cwd(), PROJECT_STATE_FILE)),
+      appType: flags['app-type'] || null,
+      bound: false,
+    },
+    resources: {
+      hasDirectory: fs.existsSync(path.join(process.cwd(), 'src', 'resources')),
+      validation: null,
+    },
+    skills: null,
+    checks: [],
+  };
+  if (profileName && config.profiles?.[profileName]) {
+    const { profile } = getProfile(config, profileName);
+    result.profile.exists = true;
+    result.profile.baseUrl = profile.baseUrl || null;
+    result.profile.loggedIn = Boolean(profile.token?.accessToken);
+    result.profile.user = profile.user || null;
+    try {
+      const target = getWorkspaceTarget(config, profileName, flags);
+      result.workspace.appType = target.appType;
+      result.workspace.bound = true;
+      result.workspace.profile = target.profileName;
+      result.workspace.boundAt = target.bound.updatedAt || null;
+      result.checks.push({ name: 'workspace-binding', status: 'ok' });
+    } catch (error) {
+      result.checks.push({ name: 'workspace-binding', status: 'warn', message: error.message });
+    }
+    if (result.profile.loggedIn) {
+      try {
+        const authStatus = await requestWithAuth(config, profileName, '/openxiangda-api/v1/auth/whoami');
+        result.profile.authStatus = authStatus;
+        result.checks.push({ name: 'auth', status: 'ok' });
+      } catch (error) {
+        result.profile.authError = error.message;
+        result.checks.push({ name: 'auth', status: 'warn', message: error.message });
+      }
+    } else {
+      result.checks.push({ name: 'auth', status: 'warn', message: 'profile 未登录' });
+    }
+  } else {
+    result.checks.push({ name: 'profile', status: 'warn', message: '未选择或不存在 profile' });
+  }
+  if (result.resources.hasDirectory) {
+    const manifest = loadWorkspaceResources();
+    const validation = validateWorkspaceResources(manifest);
+    result.resources.validation = {
+      errors: validation.errors,
+      warnings: validation.warnings,
+      counts: Object.fromEntries(
+        RESOURCE_SPECS.map(spec => [spec.key, (manifest[spec.key] || []).length])
+      ),
+    };
+    result.checks.push({
+      name: 'resource-validate',
+      status: validation.errors.length > 0 ? 'error' : 'ok',
+      errors: validation.errors.length,
+      warnings: validation.warnings.length,
+    });
+  } else {
+    result.checks.push({ name: 'resource-validate', status: 'skip', message: '未发现 src/resources' });
+  }
+  result.skills = getSkillStatusReport({ agent: flags.agent || 'codex' });
+  const outdatedSkills = result.skills.results
+    .flatMap(item => item.skills)
+    .filter(item => item.status !== 'installed');
+  result.checks.push({
+    name: 'skills',
+    status: outdatedSkills.length > 0 ? 'warn' : 'ok',
+    message: outdatedSkills.length > 0 ? `${outdatedSkills.length} 个 skill 未安装或过期` : undefined,
+  });
+  if (flags.json) return writeJson(result);
+  printDoctorReport(result);
+}
+function printDoctorReport(result) {
+  const lines = [
+    `OpenXiangda doctor v${result.cli.version}`,
+    `profile: ${result.profile.requested || '(none)'} ${result.profile.loggedIn ? '(logged in)' : '(not logged in)'}`,
+    `baseUrl: ${result.profile.baseUrl || '(none)'}`,
+    `workspace: ${result.workspace.bound ? `${result.workspace.profile}/${result.workspace.appType}` : 'not bound'}`,
+    `resources: ${result.resources.hasDirectory ? 'src/resources found' : 'missing'}`,
+  ];
+  if (result.resources.validation) {
+    lines.push(
+      `resource validation: ${result.resources.validation.errors.length} errors, ${result.resources.validation.warnings.length} warnings`
+    );
+  }
+  for (const check of result.checks) {
+    const suffix = check.message ? ` - ${check.message}` : '';
+    lines.push(`- ${check.name}: ${check.status}${suffix}`);
+  }
+  lines.push(`design gate: ${result.cli.designGateCommand}`);
+  print(lines.join('\n'));
+}
 async function platform(args) {
   const [subcommand, ...rest] = args;
   const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda platform add|list|use|remove');
+    return;
+  }
   const config = loadConfig();
   if (subcommand === 'add') {
@@ -479,6 +664,16 @@ async function platform(args) {
 async function login(args) {
   const { flags, positional } = parseArgs(args);
+  if (
+    flags.help ||
+    flags.h ||
+    positional[0] === 'help' ||
+    positional[0] === '--help' ||
+    positional[0] === '-h'
+  ) {
+    print('用法: openxiangda login <platform-url> [--profile name] [--no-open] [--json]');
+    return;
+  }
   const config = loadConfig();
   const rawUrl = positional[0];
   const profileName = flags.profile || config.currentProfile || 'default';
@@ -592,6 +787,10 @@ function normalizePlatformSessionUrl(value, baseUrl) {
 async function auth(args) {
   const [subcommand, ...rest] = args;
   const { flags } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda auth status|refresh|logout [--profile name] [--json]');
+    return;
+  }
   if (subcommand === 'status') {
     const config = loadConfig();
@@ -646,6 +845,10 @@ async function auth(args) {
 async function env(args) {
   const { flags } = parseArgs(args);
+  if (flags.help || flags.h) {
+    print('用法: openxiangda env [--profile name] [--json]');
+    return;
+  }
   const config = loadConfig();
   const globalEnv = loadGlobalEnv();
   const profileName = flags.profile || config.currentProfile;
@@ -683,6 +886,12 @@ async function env(args) {
 async function feedback(args) {
   const [subcommand, ...rest] = args;
   const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print(
+      '用法: openxiangda feedback preview|submit --summary <text> [--type bug] [--severity medium] [--profile name] [--yes] [--json]'
+    );
+    return;
+  }
   if (subcommand !== 'preview' && subcommand !== 'submit') {
     fail(
@@ -1106,6 +1315,10 @@ function summarizeOssEnv(globalEnv) {
 async function workspace(args) {
   const [subcommand, ...rest] = args;
   const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda workspace init|bind|publish [--changed [--since ref]|--form code|--page code|--only list] [--dry-run] [--force] [--resources|--skip-resources]');
+    return;
+  }
   const config = loadConfig();
   if (subcommand === 'init') {
@@ -1238,6 +1451,10 @@ async function workspace(args) {
 async function app(args) {
   const [subcommand, ...rest] = args;
   const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda app list|create|snapshot [--profile name] [--json]');
+    return;
+  }
   const config = loadConfig();
   const profileName = flags.profile || config.currentProfile;
@@ -1308,6 +1525,10 @@ function extractCreatedAppType(data) {
 async function form(args) {
   const [subcommand, ...rest] = args;
   const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda form list|create|bind|pull|publish [--profile name] [--json]');
+    return;
+  }
   const config = loadConfig();
   const profileName = flags.profile || config.currentProfile;
@@ -1416,6 +1637,10 @@ async function form(args) {
 async function page(args) {
   const [subcommand, ...rest] = args;
   const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda page list|publish|bind|releases|activate [--profile name] [--json]');
+    return;
+  }
   const config = loadConfig();
   const profileName = flags.profile || config.currentProfile;
@@ -1536,6 +1761,10 @@ async function page(args) {
 async function menu(args) {
   const [subcommand, ...rest] = args;
   const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda menu list|create|update|sort|bind|delete [--profile name] [--json]');
+    return;
+  }
   const config = loadConfig();
   const profileName = flags.profile || config.currentProfile;
@@ -1626,7 +1855,46 @@ async function menu(args) {
     return;
   }
-  fail('用法: openxiangda menu list|create|bind|delete');
+  if (subcommand === 'update') {
+    const [menuKey] = positional;
+    const body = readDirectJsonBody(flags, 'menu update');
+    const menuCode = menuKey || body.code || body.resourceCode;
+    if (!menuCode) fail('用法: openxiangda menu update <menuCode|menuId> --json-file file');
+    const target = getWorkspaceTarget(config, profileName, flags);
+    const menuId = resolveMenuId(target.bound, menuCode, flags);
+    const desired = normalizeMenuDirectBody(target.bound, { ...body, code: body.code || menuCode });
+    const data = await runDirectRequest(config, target, flags, {
+      method: 'PUT',
+      path: `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/menus/${encodeURIComponent(menuId)}`,
+      body: desired,
+    }, { returnData: true });
+    if (!flags['dry-run']) {
+      const resultCode = body.code || body.resourceCode || menuCode;
+      if (data?.id) {
+        saveMenuResource(target, resultCode, data.id, {
+          formUuid: data.formUuid || desired.formUuid,
+          pageId: data.pageId || desired.pageId,
+          parentId: data.parentId || desired.parentId,
+          routeCode: data.routeCode || desired.routeCode,
+          path: data.path || desired.path,
+        });
+      }
+      if (flags['write-manifest']) writeDirectManifest('menu', resultCode, { ...body, code: resultCode });
+    }
+    return outputDirectResult(data, flags);
+  }
+  if (subcommand === 'sort') {
+    const target = getWorkspaceTarget(config, profileName, flags);
+    const body = readDirectJsonBody(flags, 'menu sort');
+    return runDirectRequest(config, target, flags, {
+      method: 'POST',
+      path: `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/menus/sort`,
+      body,
+    });
+  }
+  fail('用法: openxiangda menu list|create|update|sort|bind|delete');
 }
 async function workflow(args) {
@@ -2093,7 +2361,7 @@ async function dataView(args) {
   const { subcommand, rest } = parseSubcommandArgs(args);
   const { flags, positional } = parseArgs(rest);
   if (wantsSubcommandHelp(subcommand, flags)) {
-    print('用法: openxiangda data-view list|status|refresh|query|stats <dataViewCode> [--profile name] [--json]');
+    print('用法: openxiangda data-view list|get|create|update|upsert|delete|status|refresh|query|stats <dataViewCode> [--profile name] [--json]');
     return;
   }
   const config = loadConfig();
@@ -2176,12 +2444,418 @@ async function dataView(args) {
     return;
   }
-  fail('用法: openxiangda data-view list|status|refresh|query|stats');
+  if (['get', 'create', 'update', 'upsert', 'delete'].includes(subcommand)) {
+    return directResourceCrud(config, target, {
+      commandName: 'data-view',
+      subcommand,
+      flags,
+      positional,
+      resourceType: 'data-view',
+      basePath: `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/data-views`,
+      manifestDir: path.join('src', 'resources', 'data-views'),
+      normalizeBody: body => normalizeDataViewManifest(target.bound, body),
+      codeOf: body => body.code || body.resourceCode || body.definition?.code,
+      saveState: (code, data) => saveDataViewResource(target, code, data?.id, {
+        materializedViewName: data?.materializedViewName,
+        status: data?.status,
+        storageMode: data?.storageMode,
+      }),
+    });
+  }
+  fail('用法: openxiangda data-view list|get|create|update|upsert|delete|status|refresh|query|stats');
+}
+async function route(args) {
+  const { subcommand, rest } = parseSubcommandArgs(args);
+  const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda route list|get|create|update|upsert|delete [routeCode] [--json-file file] [--dry-run] [--write-manifest]');
+    return;
+  }
+  const config = loadConfig();
+  const target = getWorkspaceTarget(config, flags.profile || config.currentProfile, flags);
+  return directResourceCrud(config, target, {
+    commandName: 'route',
+    subcommand,
+    flags,
+    positional,
+    resourceType: 'route',
+    basePath: `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/routes`,
+    manifestDir: path.join('src', 'resources', 'routes'),
+    normalizeBody: body => normalizeRouteManifest(body),
+    codeOf: body => body.code || body.resourceCode,
+    saveState: (code, data) => saveRouteResource(target, code, data?.id, {
+      pathPattern: data?.pathPattern,
+      publicAccess: data?.publicAccess,
+      publicPolicyCode: data?.publicPolicyCode,
+    }),
+  });
+}
+async function publicAccess(args) {
+  const { subcommand, rest } = parseSubcommandArgs(args);
+  const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda public-access list|get|create|update|upsert|delete|ticket-create|session-test|grant-check [policyCode] [--json-file file]');
+    return;
+  }
+  const config = loadConfig();
+  const target = getWorkspaceTarget(config, flags.profile || config.currentProfile, flags);
+  if (['list', 'get', 'create', 'update', 'upsert', 'delete'].includes(subcommand)) {
+    return directResourceCrud(config, target, {
+      commandName: 'public-access',
+      subcommand,
+      flags,
+      positional,
+      resourceType: 'public-access',
+      basePath: `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/public-access/policies`,
+      manifestDir: path.join('src', 'resources', 'public-access'),
+      normalizeBody: body => normalizePublicAccessPolicyManifest(target.bound, body),
+      codeOf: body => body.code || body.resourceCode,
+      saveState: (code, data) => savePublicAccessPolicyResource(target, code, data?.id, {
+        mode: data?.mode,
+        routeCode: data?.routeCode,
+        pathPattern: data?.pathPattern,
+      }),
+    });
+  }
+  if (subcommand === 'ticket-create') {
+    const [policyCode] = positional;
+    if (!policyCode) fail('用法: openxiangda public-access ticket-create <policyCode> [--json-file file]');
+    const body = readDirectJsonBody(flags, 'ticket');
+    return runDirectRequest(config, target, flags, {
+      method: 'POST',
+      path: `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/public-access/policies/${encodeURIComponent(policyCode)}/tickets`,
+      body,
+      strictEnvelope: true,
+    });
+  }
+  if (subcommand === 'session-test') {
+    const [policyCode] = positional;
+    const body = {
+      ...readDirectJsonBody(flags, 'public-session', { optional: true }),
+      ...(policyCode ? { policyCode } : {}),
+      ...(flags.path ? { path: flags.path } : {}),
+      ...(flags.ticket ? { ticket: flags.ticket } : {}),
+    };
+    return runDirectRequest(config, target, flags, {
+      method: 'POST',
+      path: `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/public/session`,
+      body,
+      auth: false,
+      strictEnvelope: true,
+    });
+  }
+  if (subcommand === 'grant-check') {
+    const [policyCode] = positional;
+    if (!policyCode) fail('用法: openxiangda public-access grant-check <policyCode> [--form-code code] [--data-view code] [--function code] [--connector code]');
+    const policy = flags['json-file']
+      ? readDirectJsonBody(flags, 'policy')
+      : await requestWithAuth(
+          config,
+          target.profileName,
+          `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/public-access/policies/${encodeURIComponent(policyCode)}`
+        );
+    const normalized = normalizePublicAccessPolicyManifest(target.bound, policy);
+    const grants = normalized.grants || {};
+    const checks = buildPublicGrantChecks(target.bound, grants, flags);
+    const result = { policyCode, grants, checks, allowed: checks.every(item => item.allowed) };
+    if (flags.json) return writeJson(result);
+    print(JSON.stringify(result, null, 2));
+    if (!result.allowed) fail('公开访问 grant-check 失败');
+    return;
+  }
+  fail('用法: openxiangda public-access list|get|create|update|upsert|delete|ticket-create|session-test|grant-check');
+}
+async function authConfig(args) {
+  const { subcommand, rest } = parseSubcommandArgs(args);
+  const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda auth-config list|get|create|update|upsert|delete|methods [configCode] [--json-file file]');
+    return;
+  }
+  if (subcommand === 'methods') {
+    const result = {
+      methods: [
+        { type: 'password', requiredFields: ['username', 'password'] },
+        { type: 'phone_code', requiredFields: ['phone', 'code'], provider: 'functionCode 或 connector' },
+        { type: 'sso', requiredFields: ['provider', 'callbackUrl'] },
+      ],
+      defaultRegistration: { mode: 'reject' },
+      defaultBinding: { mode: 'auto' },
+    };
+    if (flags.json) return writeJson(result);
+    print(JSON.stringify(result, null, 2));
+    return;
+  }
+  const config = loadConfig();
+  const target = getWorkspaceTarget(config, flags.profile || config.currentProfile, flags);
+  return directResourceCrud(config, target, {
+    commandName: 'auth-config',
+    subcommand,
+    flags,
+    positional,
+    resourceType: 'auth-config',
+    basePath: `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/auth/configs`,
+    manifestDir: path.join('src', 'resources', 'auth'),
+    normalizeBody: body => normalizeAuthConfigManifest(body),
+    codeOf: body => body.code || body.resourceCode || 'default',
+    saveState: (code, data) => saveAuthConfigResource(target, code, data?.id, {
+      status: data?.status,
+    }),
+  });
+}
+async function appFunction(args) {
+  const { subcommand, rest } = parseSubcommandArgs(args);
+  const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda function list|get|create|update|upsert|delete|invoke [functionCode] [--json-file file]');
+    return;
+  }
+  const config = loadConfig();
+  const target = getWorkspaceTarget(config, flags.profile || config.currentProfile, flags);
+  if (subcommand === 'invoke') {
+    const [functionCode] = positional;
+    if (!functionCode) fail('用法: openxiangda function invoke <functionCode> [--body-json file|json]');
+    const body = readDirectJsonBody(flags, 'function invoke', { optional: true });
+    return runDirectRequest(config, target, flags, {
+      method: 'POST',
+      path: `/${encodeURIComponent(target.appType)}/v1/functions/${encodeURIComponent(functionCode)}/invoke.json`,
+      body,
+      strictEnvelope: true,
+    });
+  }
+  return directResourceCrud(config, target, {
+    commandName: 'function',
+    subcommand,
+    flags,
+    positional,
+    resourceType: 'function',
+    basePath: `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/functions`,
+    manifestDir: path.join('src', 'resources', 'functions'),
+    prepareBody: async body => {
+      const definitionJson = await resolveManifestJson(
+        config,
+        target.profileName,
+        body,
+        'definitionJson',
+        'definitionFile'
+      );
+      applyResourceBindingsToRuntimeDefinition(target.bound, body, definitionJson);
+      const code = body.code || body.functionCode || body.resourceCode;
+      return stripUndefinedValues({
+        code,
+        name: body.name || definitionJson.name || code,
+        description: body.description !== undefined ? body.description : definitionJson.description || '',
+        definitionJson,
+        resourceBindings: definitionJson.resourceBindings,
+        inputSchema: body.inputSchema || definitionJson.inputSchema,
+        outputSchema: body.outputSchema || definitionJson.outputSchema,
+        status: body.status,
+      });
+    },
+    codeOf: body => body.code || body.functionCode || body.resourceCode,
+    saveState: (code, data) => saveFunctionResource(target, code, data?.id, {
+      status: data?.status,
+    }),
+  });
+}
+async function connector(args) {
+  const { subcommand, rest } = parseSubcommandArgs(args);
+  const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda connector list|get|create|update|upsert|delete|invoke|download-test [connectorCode[.apiCode]] [--json-file file]');
+    return;
+  }
+  const config = loadConfig();
+  const target = getWorkspaceTarget(config, flags.profile || config.currentProfile, flags);
+  if (subcommand === 'invoke' || subcommand === 'download-test') {
+    const targetName = positional[0] || flags.connector;
+    if (!targetName) fail(`用法: openxiangda connector ${subcommand} <connectorCode.apiCode> [--body-json file|json]`);
+    const parsed = parseConnectorApiName(targetName, flags);
+    const body = {
+      connector: parsed.connector,
+      api: parsed.api,
+      ...readDirectJsonBody(flags, 'connector invoke', { optional: true }),
+      ...(flags['path-params-json'] ? { pathParams: readJsonArg(flags['path-params-json'], 'path-params-json') } : {}),
+      ...(flags['query-json'] ? { query: readJsonArg(flags['query-json'], 'query-json') } : {}),
+      ...(flags['headers-json'] ? { headers: readJsonArg(flags['headers-json'], 'headers-json') } : {}),
+      ...(flags['request-body-type'] ? { requestBodyType: flags['request-body-type'] } : {}),
+      ...(flags['response-type'] ? { responseType: flags['response-type'] } : {}),
+    };
+    if (subcommand === 'download-test') body.responseType = 'binary';
+    return runDirectRequest(config, target, flags, {
+      method: 'POST',
+      path: `/${encodeURIComponent(target.appType)}/v1/connectors/actions/${subcommand === 'download-test' ? 'download' : 'invoke'}`,
+      body,
+      strictEnvelope: subcommand !== 'download-test',
+    });
+  }
+  return directResourceCrud(config, target, {
+    commandName: 'connector',
+    subcommand,
+    flags,
+    positional,
+    resourceType: 'connector',
+    basePath: `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/connectors`,
+    manifestDir: path.join('src', 'resources', 'connectors'),
+    createMethod: 'POST',
+    createPath: `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/connectors/actions/sync`,
+    createBody: body => ({ connectors: [normalizeConnectorManifest(body)] }),
+    updateMethod: 'POST',
+    updatePath: `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/connectors/actions/sync`,
+    updateBody: body => ({ connectors: [normalizeConnectorManifest(body)] }),
+    normalizeBody: body => normalizeConnectorManifest(body),
+    codeOf: body => body.code || body.methodName,
+    responseData: data => Array.isArray(data?.data) ? data.data[0] : data,
+    saveState: (code, data) => saveConnectorResource(target, code, data?.connector?.id || data?.id, {
+      apis: Object.fromEntries(
+        (data?.apis || []).map(api => [api.code || api.methodName, { apiId: api.id, name: api.name }])
+      ),
+    }),
+  });
+}
+async function notification(args) {
+  const { subcommand, rest } = parseSubcommandArgs(args);
+  const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda notification template-list|template-get|template-upsert|template-delete|type-list|type-get|type-upsert|type-delete|preview|send|batch-send');
+    return;
+  }
+  const config = loadConfig();
+  const target = getWorkspaceTarget(config, flags.profile || config.currentProfile, flags);
+  const appPrefix = `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/notifications`;
+  if (subcommand === 'template-list') {
+    return runDirectRequest(config, target, flags, {
+      method: 'GET',
+      path: apiPathWithQuery(`${appPrefix}/templates`, { page: flags.page, pageSize: flags['page-size'] || flags.limit }),
+    });
+  }
+  if (subcommand === 'template-get') {
+    const code = positional[0] || flags.code;
+    if (!code) fail('用法: openxiangda notification template-get <templateCode>');
+    return runDirectRequest(config, target, flags, {
+      method: 'GET',
+      path: `${appPrefix}/templates/${encodeURIComponent(code)}`,
+    });
+  }
+  if (subcommand === 'template-upsert') {
+    const body = readDirectJsonBody(flags, 'notification template');
+    const template = extractNotificationTemplateBody(target.bound, body);
+    const code = positional[0] || body.code || body.templateCode || template.code;
+    if (!code) fail('notification template-upsert 缺少 template code');
+    const normalized = normalizeNotificationTemplateManifest(target.bound, { ...body, ...template, code });
+    const data = await runDirectRequest(config, target, flags, {
+      method: 'PUT',
+      path: `${appPrefix}/templates/${encodeURIComponent(code)}`,
+      body: normalized,
+    }, { returnData: true });
+    if (!flags['dry-run'] && data?.id) {
+      saveNotificationTemplateResource(target, code, data.id, {
+        level: data.level || normalized.level,
+        formUuid: data.formUuid || normalized.formUuid,
+      });
+      if (flags['write-manifest']) writeDirectManifest('notification', code, { ...body, code, resourceType: 'template' });
+    }
+    return outputDirectResult(data, flags);
+  }
+  if (subcommand === 'template-delete') {
+    const code = positional[0] || flags.code;
+    if (!code || !flags.force) fail('用法: openxiangda notification template-delete <templateCode> --force');
+    return runDirectRequest(config, target, flags, {
+      method: 'DELETE',
+      path: `${appPrefix}/templates/${encodeURIComponent(code)}`,
+    });
+  }
+  if (subcommand === 'type-list') {
+    return runDirectRequest(config, target, flags, {
+      method: 'GET',
+      path: apiPathWithQuery(`${appPrefix}/type-configs`, { page: flags.page, pageSize: flags['page-size'] || flags.limit }),
+    });
+  }
+  if (subcommand === 'type-get') {
+    const code = positional[0] || flags.code;
+    if (!code) fail('用法: openxiangda notification type-get <notificationType>');
+    return runDirectRequest(config, target, flags, {
+      method: 'GET',
+      path: `${appPrefix}/type-configs/${encodeURIComponent(code)}`,
+    });
+  }
+  if (subcommand === 'type-upsert') {
+    const body = readDirectJsonBody(flags, 'notification type-config');
+    const configBody = extractNotificationTypeConfigBody(target.bound, body);
+    const code = positional[0] || body.notificationType || configBody.notificationType;
+    if (!code) fail('notification type-upsert 缺少 notificationType');
+    const normalized = normalizeNotificationTypeConfigManifest(target.bound, { ...body, ...configBody, notificationType: code });
+    const data = await runDirectRequest(config, target, flags, {
+      method: 'PUT',
+      path: `${appPrefix}/type-configs/${encodeURIComponent(code)}`,
+      body: normalized,
+    }, { returnData: true });
+    if (!flags['dry-run'] && data?.id) {
+      saveNotificationTypeConfigResource(target, body.code || code, data.id, {
+        notificationType: data.notificationType || code,
+        level: data.level || normalized.level,
+        formUuid: data.formUuid || normalized.formUuid,
+        templateId: data.templateId,
+        templateCode: data.template?.code || body.templateCode,
+      });
+      if (flags['write-manifest']) writeDirectManifest('notification', body.code || code, { ...body, notificationType: code, resourceType: 'typeConfig' });
+    }
+    return outputDirectResult(data, flags);
+  }
+  if (subcommand === 'type-delete') {
+    const code = positional[0] || flags.code;
+    if (!code || !flags.force) fail('用法: openxiangda notification type-delete <notificationType> --force');
+    return runDirectRequest(config, target, flags, {
+      method: 'DELETE',
+      path: `${appPrefix}/type-configs/${encodeURIComponent(code)}`,
+    });
+  }
+  if (['preview', 'send', 'batch-send'].includes(subcommand)) {
+    if ((subcommand === 'send' || subcommand === 'batch-send') && !flags.force) {
+      fail(`openxiangda notification ${subcommand} 是发送动作，必须加 --force`);
+    }
+    const code = positional[0] || flags.code;
+    const body = {
+      ...readDirectJsonBody(flags, `notification ${subcommand}`, { optional: true }),
+      ...(code ? { templateCode: code, notificationType: code } : {}),
+    };
+    return runDirectRequest(config, target, flags, {
+      method: 'POST',
+      path: `${appPrefix}/${subcommand === 'batch-send' ? 'batch-send' : subcommand}`,
+      body,
+      strictEnvelope: true,
+    });
+  }
+  fail('用法: openxiangda notification template-list|template-get|template-upsert|template-delete|type-list|type-get|type-upsert|type-delete|preview|send|batch-send');
 }
 async function permission(args) {
   const [subcommand, ...rest] = args;
   const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print(
+      '用法: openxiangda permission role-list|role-create|role-update|role-delete|role-bind|role-users|role-add-users|page-group-list|page-group-create|page-group-update|page-group-delete|page-group-bind|form-group-list|form-group-create|form-group-update|form-group-delete|form-group-bind|form-summary|menu-permissions|audit'
+    );
+    return;
+  }
   const config = loadConfig();
   const profileName = flags.profile || config.currentProfile;
@@ -2243,6 +2917,46 @@ async function permission(args) {
     return;
   }
+  if (subcommand === 'role-update') {
+    const [roleKey] = positional;
+    const body = readDirectJsonBody(flags, 'role update');
+    const roleCode = roleKey || body.code || body.resourceCode;
+    if (!roleCode) fail('用法: openxiangda permission role-update <roleCode|roleId> --json-file file');
+    const target = getWorkspaceTarget(config, profileName, flags);
+    const roleId = resolveRoleId(target.bound, roleCode, flags);
+    const data = await runDirectRequest(config, target, flags, {
+      method: 'PUT',
+      path: `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/roles/${encodeURIComponent(roleId)}`,
+      body: {
+        code: body.code || roleCode,
+        name: body.name || roleCode,
+        description: body.description || '',
+      },
+    }, { returnData: true });
+    if (!flags['dry-run']) {
+      const resultCode = body.code || roleCode;
+      if (data?.id) saveRoleResource(target, resultCode, data.id);
+      if (flags['write-manifest']) writeDirectManifest('role', resultCode, { ...body, code: resultCode });
+    }
+    return outputDirectResult(data, flags);
+  }
+  if (subcommand === 'role-delete') {
+    const [roleKey] = positional;
+    if (!roleKey || !flags.force) fail('用法: openxiangda permission role-delete <roleCode|roleId> --force');
+    const target = getWorkspaceTarget(config, profileName, flags);
+    const roleId = resolveRoleId(target.bound, roleKey, flags);
+    const data = await runDirectRequest(config, target, flags, {
+      method: 'DELETE',
+      path: `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/roles/${encodeURIComponent(roleId)}`,
+    }, { returnData: true });
+    if (!flags['dry-run'] && target.bound.resources?.roles?.[roleKey]) {
+      delete target.bound.resources.roles[roleKey];
+      saveProjectState(target.state);
+    }
+    return outputDirectResult(data, flags);
+  }
   if (subcommand === 'role-users') {
     const [roleKey] = positional;
     if (!roleKey) fail('用法: openxiangda permission role-users <roleCode|roleId>');
@@ -2380,6 +3094,42 @@ async function permission(args) {
     return;
   }
+  if (subcommand === 'page-group-update') {
+    const [groupKey] = positional;
+    const body = readDirectJsonBody(flags, 'page permission group update');
+    const groupCode = groupKey || body.code || body.resourceCode;
+    if (!groupCode) fail('用法: openxiangda permission page-group-update <groupCode|groupId> --json-file file');
+    const target = getWorkspaceTarget(config, profileName, flags);
+    const groupId = flags['group-id'] || target.bound.resources?.pagePermissionGroups?.[groupCode]?.groupId || groupCode;
+    const normalized = normalizePagePermissionGroupDirectBody(target.bound, { ...body, code: body.code || groupCode });
+    const data = await runDirectRequest(config, target, flags, {
+      method: 'PUT',
+      path: `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/page-permission-groups/${encodeURIComponent(groupId)}`,
+      body: normalized,
+    }, { returnData: true });
+    if (!flags['dry-run']) {
+      if (data?.id) savePagePermissionGroupResource(target, body.code || groupCode, data.id, { name: data.name, resourceCode: body.code || groupCode });
+      if (flags['write-manifest']) writeDirectManifest('page-permission-group', body.code || groupCode, { ...body, code: body.code || groupCode });
+    }
+    return outputDirectResult(data, flags);
+  }
+  if (subcommand === 'page-group-delete') {
+    const [groupKey] = positional;
+    if (!groupKey || !flags.force) fail('用法: openxiangda permission page-group-delete <groupCode|groupId> --force');
+    const target = getWorkspaceTarget(config, profileName, flags);
+    const groupId = flags['group-id'] || target.bound.resources?.pagePermissionGroups?.[groupKey]?.groupId || groupKey;
+    const data = await runDirectRequest(config, target, flags, {
+      method: 'DELETE',
+      path: `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/page-permission-groups/${encodeURIComponent(groupId)}`,
+    }, { returnData: true });
+    if (!flags['dry-run'] && target.bound.resources?.pagePermissionGroups?.[groupKey]) {
+      delete target.bound.resources.pagePermissionGroups[groupKey];
+      saveProjectState(target.state);
+    }
+    return outputDirectResult(data, flags);
+  }
   if (subcommand === 'form-group-list') {
     const target = getWorkspaceTarget(config, profileName, flags);
     const formUuid = flags['form-uuid'] || resolveOptionalFormUuid(target.bound, flags['form-code']);
@@ -2477,6 +3227,44 @@ async function permission(args) {
     return;
   }
+  if (subcommand === 'form-group-update') {
+    const [groupKey] = positional;
+    const body = readDirectJsonBody(flags, 'form permission group update');
+    const groupCode = groupKey || body.code || body.resourceCode;
+    const target = getWorkspaceTarget(config, profileName, flags);
+    const formUuid = flags['form-uuid'] || resolveManifestFormUuid(target.bound, body);
+    if (!groupCode || !formUuid) fail('用法: openxiangda permission form-group-update <groupCode|groupId> --form-code code|--form-uuid FORM --json-file file');
+    const groupId = flags['group-id'] || target.bound.resources?.formPermissionGroups?.[groupCode]?.groupId || groupCode;
+    const normalized = normalizeFormPermissionGroupManifest(target.bound, { ...body, code: body.code || groupCode, formUuid });
+    const data = await runDirectRequest(config, target, flags, {
+      method: 'PUT',
+      path: `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/forms/${encodeURIComponent(formUuid)}/permission-groups/${encodeURIComponent(groupId)}`,
+      body: normalized,
+    }, { returnData: true });
+    if (!flags['dry-run']) {
+      if (data?.id) saveFormPermissionGroupResource(target, body.code || groupCode, data.id, { formUuid, name: data.name, resourceCode: body.code || groupCode });
+      if (flags['write-manifest']) writeDirectManifest('form-permission-group', body.code || groupCode, { ...body, code: body.code || groupCode });
+    }
+    return outputDirectResult(data, flags);
+  }
+  if (subcommand === 'form-group-delete') {
+    const [groupKey] = positional;
+    const target = getWorkspaceTarget(config, profileName, flags);
+    const formUuid = flags['form-uuid'] || resolveOptionalFormUuid(target.bound, flags['form-code']);
+    if (!groupKey || !formUuid || !flags.force) fail('用法: openxiangda permission form-group-delete <groupCode|groupId> --form-code code|--form-uuid FORM --force');
+    const groupId = flags['group-id'] || target.bound.resources?.formPermissionGroups?.[groupKey]?.groupId || groupKey;
+    const data = await runDirectRequest(config, target, flags, {
+      method: 'DELETE',
+      path: `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/forms/${encodeURIComponent(formUuid)}/permission-groups/${encodeURIComponent(groupId)}`,
+    }, { returnData: true });
+    if (!flags['dry-run'] && target.bound.resources?.formPermissionGroups?.[groupKey]) {
+      delete target.bound.resources.formPermissionGroups[groupKey];
+      saveProjectState(target.state);
+    }
+    return outputDirectResult(data, flags);
+  }
   if (subcommand === 'form-summary') {
     const target = getWorkspaceTarget(config, profileName, flags);
     const formUuid = flags['form-uuid'] || resolveOptionalFormUuid(target.bound, flags['form-code'] || positional[0]);
@@ -2503,14 +3291,29 @@ async function permission(args) {
     return;
   }
+  if (subcommand === 'audit') {
+    const target = getWorkspaceTarget(config, profileName, flags);
+    const result = await buildPermissionAudit(config, target, flags);
+    if (flags.json) return writeJson(result);
+    print(JSON.stringify(result, null, 2));
+    if (result.errors.length > 0) fail(`permission audit 发现 ${result.errors.length} 个错误`);
+    return;
+  }
   fail(
-    '用法: openxiangda permission role-list|role-create|role-bind|role-users|role-add-users|page-group-list|page-group-create|page-group-bind|form-group-list|form-group-create|form-group-bind|form-summary|menu-permissions'
+    '用法: openxiangda permission role-list|role-create|role-update|role-delete|role-bind|role-users|role-add-users|page-group-list|page-group-create|page-group-update|page-group-delete|page-group-bind|form-group-list|form-group-create|form-group-update|form-group-delete|form-group-bind|form-summary|menu-permissions|audit'
   );
 }
 async function settings(args) {
   const [subcommand, ...rest] = args;
   const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print(
+      '用法: openxiangda settings get|save|indexes|indexes-save|data-management|data-management-save|public-access|public-access-save|public-access-delete'
+    );
+    return;
+  }
   const config = loadConfig();
   const profileName = flags.profile || config.currentProfile;
@@ -2673,16 +3476,25 @@ async function settings(args) {
 async function resource(args) {
   const { subcommand, rest } = parseSubcommandArgs(args);
-  const { flags } = parseArgs(rest);
+  const { flags, positional } = parseArgs(rest);
   if (wantsSubcommandHelp(subcommand, flags)) {
-    print('用法: openxiangda resource validate|plan|publish|pull|typegen [--profile name] [--json]');
+    print('用法: openxiangda resource validate|plan|publish|pull|typegen|explain [type] [--profile name] [--json]');
     return;
   }
   const config = loadConfig();
   const profileName = flags.profile || config.currentProfile;
-  if (!['validate', 'plan', 'publish', 'pull', 'typegen'].includes(subcommand)) {
-    fail('用法: openxiangda resource validate|plan|publish|pull|typegen [--profile name] [--json]');
+  if (!['validate', 'plan', 'publish', 'pull', 'typegen', 'explain'].includes(subcommand)) {
+    fail('用法: openxiangda resource validate|plan|publish|pull|typegen|explain [--profile name] [--json]');
+  }
+  if (subcommand === 'explain') {
+    const type = positional[0] || flags.type || 'route';
+    const result = getResourceExplain(type);
+    if (!result) fail(`未知资源类型: ${type}`);
+    if (flags.json) return writeJson({ type, ...result });
+    print(renderResourceExplain(type));
+    return;
   }
   if (subcommand === 'pull') {
@@ -3097,6 +3909,16 @@ function formatBytes(value) {
 async function inspect(args) {
   const [subcommand, ...rest] = args;
   const { flags, positional } = parseArgs(rest);
+  if (
+    subcommand === 'help' ||
+    subcommand === '--help' ||
+    subcommand === '-h' ||
+    flags.help ||
+    flags.h
+  ) {
+    print('用法: openxiangda inspect app|form|workflow|automation|permissions [--profile name] [--json]');
+    return;
+  }
   const config = loadConfig();
   const profileName = flags.profile || config.currentProfile;
@@ -3181,20 +4003,28 @@ async function commands(args) {
       'update check|install',
       'platform add|list|use|remove',
       'auth status|refresh|logout',
+      'doctor [--profile name] [--app-type APP_XXX]',
+      'design gates|template [--topic code]',
       'env',
       'workspace init|bind|publish [--app-name] [--changed|--since|--form|--page|--only|--dry-run|--force|--resources|--skip-resources|--prune]',
       'app list|create|snapshot',
       'form list|create|bind|pull|publish',
       'page list|publish|bind|releases|activate',
-      'menu list|create|bind|delete',
+      'menu list|create|update|sort|bind|delete',
       'workflow list|create|bind|pull|publish|delete|validate',
       'automation list|create|bind|pull|publish|unpublish|enable|disable|delete|validate|cron-validate',
-      'data-view list|status|refresh|query|stats',
-      'permission role-list|role-create|role-bind|role-users|role-add-users',
-      'permission page-group-list|page-group-create|page-group-bind',
-      'permission form-group-list|form-group-create|form-group-bind|form-summary|menu-permissions',
+      'data-view list|get|create|update|upsert|delete|status|refresh|query|stats',
+      'route list|get|create|update|upsert|delete',
+      'public-access list|get|create|update|upsert|delete|ticket-create|session-test|grant-check',
+      'auth-config list|get|create|update|upsert|delete|methods',
+      'function list|get|create|update|upsert|delete|invoke',
+      'connector list|get|create|update|upsert|delete|invoke|download-test',
+      'notification template-list|template-get|template-upsert|template-delete|type-list|type-get|type-upsert|type-delete|preview|send|batch-send',
+      'permission role-list|role-create|role-update|role-delete|role-bind|role-users|role-add-users|audit',
+      'permission page-group-list|page-group-create|page-group-update|page-group-delete|page-group-bind',
+      'permission form-group-list|form-group-create|form-group-update|form-group-delete|form-group-bind|form-summary|menu-permissions',
       'settings get|save|indexes|indexes-save|data-management|data-management-save|public-access|public-access-save|public-access-delete',
-      'resource validate|plan|publish|pull|typegen',
+      'resource validate|plan|publish|pull|typegen|explain',
       'inspect app|form|workflow|automation|permissions',
       'feedback preview|submit',
       'skill install|status|bootstrap',
@@ -3228,6 +4058,10 @@ function printWorkspaceInitReport(result) {
 async function skill(args) {
   const [subcommand, ...rest] = args;
   const { flags, positional } = parseArgs(rest);
+  if (wantsSubcommandHelp(subcommand, flags)) {
+    print('用法: openxiangda skill install|status [--agent codex|claude|qoder|dual] [--dest <skills-dir>] [--force] [--dry-run] [--json]\n      openxiangda skill bootstrap [<dir>] [--force] [--dry-run] [--json]');
+    return;
+  }
   const options = {
     agent: flags.agent || 'codex',
     dest: flags.dest,
@@ -3365,6 +4199,334 @@ function getWorkspaceTarget(config, profileName, flags = {}) {
   };
 }
+async function directResourceCrud(config, target, spec) {
+  const { subcommand, flags, positional } = spec;
+  const basePath = spec.basePath;
+  if (subcommand === 'list') {
+    return runDirectRequest(config, target, flags, {
+      method: 'GET',
+      path: apiPathWithQuery(basePath, {
+        page: flags.page,
+        pageSize: flags['page-size'] || flags.limit,
+        limit: flags.limit,
+        code: flags.code,
+      }),
+    });
+  }
+  if (subcommand === 'get') {
+    const code = positional[0] || flags.code;
+    if (!code) fail(`用法: openxiangda ${spec.commandName} get <code>`);
+    return runDirectRequest(config, target, flags, {
+      method: 'GET',
+      path: `${basePath}/${encodeURIComponent(code)}`,
+    });
+  }
+  if (subcommand === 'delete') {
+    const code = positional[0] || flags.code;
+    if (!code || !flags.force) fail(`用法: openxiangda ${spec.commandName} delete <code> --force`);
+    const data = await runDirectRequest(config, target, flags, {
+      method: 'DELETE',
+      path: `${basePath}/${encodeURIComponent(code)}`,
+    }, { returnData: true });
+    if (!flags['dry-run']) removeDirectStateResource(target, spec.resourceType, code);
+    return outputDirectResult(data, flags);
+  }
+  if (!['create', 'update', 'upsert'].includes(subcommand)) {
+    fail(`用法: openxiangda ${spec.commandName} list|get|create|update|upsert|delete`);
+  }
+  const rawBody = readDirectJsonBody(flags, spec.commandName);
+  const explicitCode = positional[0] || flags.code;
+  if (explicitCode && !rawBody.code && !rawBody.resourceCode && !rawBody.functionCode && !rawBody.methodName) {
+    rawBody.code = explicitCode;
+  }
+  const code = explicitCode || spec.codeOf(rawBody);
+  if (!code) fail(`openxiangda ${spec.commandName} ${subcommand} 缺少资源 code`);
+  const normalizedBody = spec.prepareBody
+    ? await spec.prepareBody(rawBody)
+    : spec.normalizeBody
+      ? spec.normalizeBody(rawBody)
+      : rawBody;
+  let method = subcommand === 'create' ? (spec.createMethod || 'POST') : (spec.updateMethod || 'PUT');
+  let requestPath = subcommand === 'create'
+    ? (spec.createPath || basePath)
+    : (spec.updatePath || `${basePath}/${encodeURIComponent(code)}`);
+  let requestBody = subcommand === 'create'
+    ? (spec.createBody ? spec.createBody(rawBody, normalizedBody) : normalizedBody)
+    : (spec.updateBody ? spec.updateBody(rawBody, normalizedBody) : normalizedBody);
+  let action = subcommand;
+  if (subcommand === 'upsert') {
+    if (flags['dry-run']) {
+      return outputDirectResult({
+        dryRun: true,
+        action: 'upsert',
+        existsCheck: { method: 'GET', path: `${basePath}/${encodeURIComponent(code)}` },
+        create: {
+          method: spec.createMethod || 'POST',
+          path: spec.createPath || basePath,
+          body: spec.createBody ? spec.createBody(rawBody, normalizedBody) : normalizedBody,
+        },
+        update: {
+          method: spec.updateMethod || 'PUT',
+          path: spec.updatePath || `${basePath}/${encodeURIComponent(code)}`,
+          body: spec.updateBody ? spec.updateBody(rawBody, normalizedBody) : normalizedBody,
+        },
+      }, flags);
+    }
+    const existing = await requestOptionalWithAuth(
+      config,
+      target.profileName,
+      `${basePath}/${encodeURIComponent(code)}`
+    );
+    action = existing ? 'update' : 'create';
+    method = existing ? (spec.updateMethod || 'PUT') : (spec.createMethod || 'POST');
+    requestPath = existing
+      ? (spec.updatePath || `${basePath}/${encodeURIComponent(code)}`)
+      : (spec.createPath || basePath);
+    requestBody = existing
+      ? (spec.updateBody ? spec.updateBody(rawBody, normalizedBody) : normalizedBody)
+      : (spec.createBody ? spec.createBody(rawBody, normalizedBody) : normalizedBody);
+  }
+  const response = await runDirectRequest(config, target, flags, {
+    method,
+    path: requestPath,
+    body: requestBody,
+  }, { returnData: true });
+  const data = spec.responseData ? spec.responseData(response) : response;
+  if (!flags['dry-run']) {
+    if (spec.saveState) spec.saveState(code, data);
+    if (flags['write-manifest']) writeDirectManifest(spec.resourceType, code, { ...rawBody, code });
+  }
+  return outputDirectResult({ action, data }, flags);
+}
+async function runDirectRequest(config, target, flags, request, options = {}) {
+  const plan = {
+    dryRun: true,
+    method: request.method || 'GET',
+    path: request.path,
+    body: request.body,
+  };
+  if (flags['dry-run']) {
+    if (options.returnData) return plan;
+    return outputDirectResult(plan, flags);
+  }
+  const requestOptions = {
+    method: request.method || 'GET',
+    body: request.body,
+    strictEnvelope: request.strictEnvelope,
+  };
+  let data;
+  if (request.auth === false) {
+    const payload = await requestJson(target.profile.baseUrl, request.path, requestOptions);
+    data = request.strictEnvelope ? unwrapStrictApi(payload) : unwrapApi(payload);
+  } else {
+    data = await requestWithAuth(config, target.profileName, request.path, requestOptions);
+  }
+  if (options.returnData) return data;
+  return outputDirectResult(data, flags);
+}
+function outputDirectResult(data, flags = {}) {
+  if (flags.json) return writeJson(data);
+  print(JSON.stringify(data, null, 2));
+}
+function readDirectJsonBody(flags = {}, label, options = {}) {
+  if (flags['json-file']) return readJsonArg(flags['json-file'], 'json-file');
+  if (flags['body-json']) return readJsonArg(flags['body-json'], 'body-json');
+  if (options.optional) return {};
+  fail(`${label} 缺少 --json-file <file> 或 --body-json <json|file>`);
+}
+function writeDirectManifest(resourceType, code, value) {
+  const dir = directManifestDir(resourceType);
+  if (!dir) return;
+  const fileName = `${String(code).replace(/[^A-Za-z0-9_.-]+/g, '_')}.json`;
+  writeResourceJsonFile(path.join(process.cwd(), dir, fileName), value);
+}
+function directManifestDir(resourceType) {
+  const dirs = {
+    route: path.join('src', 'resources', 'routes'),
+    'public-access': path.join('src', 'resources', 'public-access'),
+    'auth-config': path.join('src', 'resources', 'auth'),
+    function: path.join('src', 'resources', 'functions'),
+    connector: path.join('src', 'resources', 'connectors'),
+    notification: path.join('src', 'resources', 'notifications'),
+    'data-view': path.join('src', 'resources', 'data-views'),
+    menu: path.join('src', 'resources', 'menus'),
+    role: path.join('src', 'resources', 'roles'),
+    'page-permission-group': path.join('src', 'resources', 'permissions', 'page-groups'),
+    'form-permission-group': path.join('src', 'resources', 'permissions', 'form-groups'),
+  };
+  return dirs[resourceType];
+}
+function removeDirectStateResource(target, resourceType, code) {
+  const buckets = {
+    route: 'routes',
+    'public-access': 'publicAccessPolicies',
+    'auth-config': 'authConfigs',
+    function: 'functions',
+    connector: 'connectors',
+    'data-view': 'dataViews',
+  };
+  const bucket = buckets[resourceType];
+  if (!bucket || !target.bound.resources?.[bucket]?.[code]) return;
+  delete target.bound.resources[bucket][code];
+  saveProjectState(target.state);
+}
+function normalizeMenuDirectBody(bound, menuItem) {
+  const formUuid = resolveManifestFormUuid(bound, menuItem);
+  const pageId = resolveManifestPageId(bound, menuItem);
+  const parentId = resolveManifestMenuId(bound, menuItem.parentCode) || menuItem.parentId || null;
+  return stripUndefinedValues({
+    resourceCode: menuItem.code || menuItem.resourceCode,
+    name: menuItem.name || menuItem.code,
+    type: menuItem.type || 'nav',
+    formUuid,
+    pageId,
+    parentId,
+    sortOrder: menuItem.sortOrder,
+    icon: menuItem.icon || null,
+    isHidden: menuItem.isHidden,
+    routeCode: menuItem.routeCode || null,
+    path: menuItem.path || null,
+  });
+}
+function normalizePagePermissionGroupDirectBody(bound, group) {
+  return stripUndefinedValues({
+    resourceCode: group.code || group.resourceCode,
+    name: group.name || group.code,
+    roles: group.roles || [],
+    menuFormUuids: resolvePagePermissionGroupTargets(bound, group),
+    menuCodes: normalizePermissionCodeArray(group.menuCodes),
+    routeCodes: normalizePermissionCodeArray(group.routeCodes),
+    pathPatterns: normalizePermissionCodeArray(group.pathPatterns),
+  });
+}
+function parseConnectorApiName(targetName, flags = {}) {
+  const raw = String(targetName || '');
+  const separator = raw.indexOf('.');
+  const connectorCode = separator >= 0 ? raw.slice(0, separator) : raw;
+  const apiCode = flags.api || flags['api-code'] || (separator >= 0 ? raw.slice(separator + 1) : undefined);
+  if (!connectorCode || !apiCode) fail('连接器调用需要 <connectorCode.apiCode> 或 --api <apiCode>');
+  return { connector: connectorCode, api: apiCode };
+}
+function extractNotificationTemplateBody(bound, body) {
+  const template = Array.isArray(body.templates) ? body.templates[0] : body.template || body;
+  return {
+    ...template,
+    code: template.code || template.templateCode || body.code || body.templateCode,
+    formCode: template.formCode || body.formCode,
+    formUuid: template.formUuid || body.formUuid,
+    level: template.level || body.level,
+  };
+}
+function extractNotificationTypeConfigBody(bound, body) {
+  const config = Array.isArray(body.typeConfigs)
+    ? body.typeConfigs[0]
+    : Array.isArray(body.notificationTypeConfigs)
+      ? body.notificationTypeConfigs[0]
+      : body.typeConfig || body;
+  return {
+    ...config,
+    notificationType: config.notificationType || body.notificationType || body.code,
+    formCode: config.formCode || body.formCode,
+    formUuid: config.formUuid || body.formUuid,
+    level: config.level || body.level,
+  };
+}
+function buildPublicGrantChecks(bound, grants, flags = {}) {
+  const checks = [];
+  const formTargets = [
+    ...splitList(flags['form-code']).map(code => resolveOptionalFormUuid(bound, code)),
+    ...splitList(flags['form-uuid']),
+  ].filter(Boolean);
+  for (const formUuid of formTargets) {
+    checks.push({ type: 'form', code: formUuid, allowed: (grants.forms || []).includes(formUuid) });
+  }
+  for (const code of splitList(flags['data-view'])) {
+    checks.push({ type: 'dataView', code, allowed: (grants.dataViews || []).includes(code) });
+  }
+  for (const code of splitList(flags.function || flags['function-code'])) {
+    checks.push({ type: 'function', code, allowed: (grants.functions || []).includes(code) });
+  }
+  for (const code of splitList(flags.connector || flags['connector-code'])) {
+    checks.push({ type: 'connector', code, allowed: (grants.connectors || []).includes(code) });
+  }
+  if (checks.length === 0) {
+    return [
+      { type: 'forms', granted: grants.forms || [], allowed: true },
+      { type: 'dataViews', granted: grants.dataViews || [], allowed: true },
+      { type: 'functions', granted: grants.functions || [], allowed: true },
+      { type: 'connectors', granted: grants.connectors || [], allowed: true },
+    ];
+  }
+  return checks;
+}
+async function buildPermissionAudit(config, target, flags = {}) {
+  const manifest = loadWorkspaceResources();
+  const validation = validateWorkspaceResources(manifest);
+  const roleCodes = new Set((manifest.roles || []).map(item => item.code || item.resourceCode).filter(Boolean));
+  const warnings = [...validation.warnings];
+  const errors = [...validation.errors];
+  for (const group of manifest.pagePermissionGroups || []) {
+    for (const roleCode of group.roles || []) {
+      if (roleCodes.size > 0 && !roleCodes.has(roleCode)) warnings.push(`page permission group ${group.code} 引用未声明角色: ${roleCode}`);
+    }
+  }
+  for (const group of manifest.formPermissionGroups || []) {
+    for (const roleCode of group.roles || []) {
+      if (roleCodes.size > 0 && !roleCodes.has(roleCode)) warnings.push(`form permission group ${group.code} 引用未声明角色: ${roleCode}`);
+    }
+    const formUuid = resolveManifestFormUuid(target.bound, group);
+    if (!formUuid) errors.push(`form permission group ${group.code} 缺少 formCode/formUuid`);
+  }
+  for (const policy of manifest.publicAccessPolicies || []) {
+    const grants = normalizePublicAccessPolicyManifest(target.bound, policy).grants || {};
+    if (
+      (grants.forms || []).length === 0 &&
+      (grants.dataViews || []).length === 0 &&
+      (grants.functions || []).length === 0 &&
+      (grants.connectors || []).length === 0
+    ) {
+      warnings.push(`public-access policy ${policy.code} 未声明任何 grants`);
+    }
+  }
+  const result = {
+    appType: target.appType,
+    manifestCounts: Object.fromEntries(
+      RESOURCE_SPECS.map(spec => [spec.key, (manifest[spec.key] || []).length])
+    ),
+    errors,
+    warnings,
+  };
+  if (flags.live) {
+    result.live = {
+      roles: await requestWithAuth(config, target.profileName, `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/roles`),
+      pagePermissionGroups: await requestWithAuth(config, target.profileName, `/openxiangda-api/v1/apps/${encodeURIComponent(target.appType)}/page-permission-groups`),
+    };
+  }
+  return result;
+}
 function ensureResourceBuckets(bound) {
   bound.resources = bound.resources || {};
   bound.resources.forms = bound.resources.forms || {};
@@ -7884,6 +9046,31 @@ function unwrapApi(payload) {
   return 'data' in payload ? payload.data : payload;
 }
+function unwrapStrictApi(payload) {
+  if (!payload || typeof payload !== 'object') return payload;
+  if (payload.success === false) {
+    const error = new Error(payload.message || payload.errorMessage || 'OpenXiangda API request failed');
+    error.apiCode = payload.code;
+    throw error;
+  }
+  if ('code' in payload) {
+    const code = payload.code;
+    const numericCode = Number(code);
+    const normalizedCode = String(code || '').toUpperCase();
+    const isOk =
+      numericCode === 0 ||
+      (Number.isFinite(numericCode) && numericCode >= 200 && numericCode < 300) ||
+      normalizedCode === 'OK' ||
+      normalizedCode === 'SUCCESS';
+    if (!isOk) {
+      const error = new Error(payload.message || payload.errorMessage || String(code));
+      error.apiCode = code;
+      throw error;
+    }
+  }
+  return 'data' in payload ? payload.data : payload;
+}
 function isUnauthorized(error) {
   return (
     Number(error?.apiCode) === 401 ||
@@ -7897,23 +9084,24 @@ async function requestWithAuth(config, profileName, apiPath, options = {}) {
   if (!profile.token?.accessToken) {
     fail(`profile ${resolved.profileName} 未登录，请先执行 openxiangda login --profile ${resolved.profileName}`);
   }
+  const { strictEnvelope, ...requestOptions } = options;
   try {
     const payload = await requestJson(profile.baseUrl, apiPath, {
-      ...options,
+      ...requestOptions,
       accessToken: profile.token.accessToken,
     });
-    return unwrapApi(payload);
+    return strictEnvelope ? unwrapStrictApi(payload) : unwrapApi(payload);
   } catch (error) {
     if (!isUnauthorized(error) || !profile.token?.refreshToken) {
       throw error;
     }
     await refreshProfile(config, resolved.profileName);
     const payload = await requestJson(profile.baseUrl, apiPath, {
-      ...options,
+      ...requestOptions,
       accessToken: profile.token.accessToken,
     });
-    return unwrapApi(payload);
+    return strictEnvelope ? unwrapStrictApi(payload) : unwrapApi(payload);
   }
 }