maxc-cli 0.4.1__tar.gz → 0.4.3__tar.gz

{maxc_cli-0.4.1 → maxc_cli-0.4.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: maxc-cli
-Version: 0.4.1
+Version: 0.4.3
 Summary: Agent-native MaxCompute CLI for external coding agents
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.9

{maxc_cli-0.4.1 → maxc_cli-0.4.3}/setup.py

@@ -9,7 +9,7 @@ README = ROOT / "README.md"
 
 setup(
     name="maxc-cli",
-    version="0.4.1",
+    version="0.4.3",
     description="Agent-native MaxCompute CLI for external coding agents",
     long_description=README.read_text(encoding="utf-8"),
     long_description_content_type="text/markdown",

{maxc_cli-0.4.1 → maxc_cli-0.4.3}/src/maxc_cli/__init__.py

@@ -2,4 +2,4 @@
 
 __all__ = ["__version__"]
 
-__version__ = "0.4.1"
+__version__ = "0.4.3"

{maxc_cli-0.4.1 → maxc_cli-0.4.3}/src/maxc_cli/agent_platforms.py

@@ -118,7 +118,7 @@ def _build_registry() -> tuple[Platform, ...]:
             install_root=_claude_root(),
             skill_subpath=None,
             extra_files=(),
-            next_step_hint="Restart Claude Code or run /reload-plugins to activate",
+            next_step_hint="Skill is auto-discovered — start a new Claude Code session to activate",
         ),
         Platform(name="cursor",    install_root=_simple_root(".cursor"),
                  next_step_hint="Restart Cursor to activate"),

{maxc_cli-0.4.1 → maxc_cli-0.4.3}/src/maxc_cli/app.py

@@ -607,6 +607,7 @@ class MaxCApp:
         cost_check: 'float | None' = None,
         idempotency_key: 'str | None' = None,
         force: 'bool' = False,
+        dry_run: 'bool' = False,
     ) -> 'Envelope':
         return self.query(
             command="job.submit",
@@ -617,6 +618,7 @@ class MaxCApp:
             cost_check=cost_check,
             idempotency_key=idempotency_key,
             force=force,
+            dry_run=dry_run,
         )
 
     def job_status(self, job_id: 'str') -> 'Envelope':
@@ -2465,6 +2467,7 @@ class MaxCApp:
         block_size: 'int' = 10000,
         project: 'str | None' = None,
         schema: 'str | None' = None,
+        dry_run: 'bool' = False,
     ) -> 'Envelope':
         target_project = project or self.config.default_project
         result = self.backend.upload_table(
@@ -2473,6 +2476,7 @@ class MaxCApp:
             delimiter=delimiter, has_header=has_header,
             null_marker=null_marker, block_size=block_size,
             project=project, schema=schema,
+            dry_run=dry_run,
         )
         metadata = {
             "project": target_project,
@@ -2480,16 +2484,21 @@ class MaxCApp:
             "delimiter": delimiter,
             "block_size": block_size,
         }
+        if dry_run:
+            actions = [action("data.upload", data=result, metadata=metadata)]
+            insights = ["Dry-run validated table schema and CSV file. Re-run without --dry-run to upload."]
+        else:
+            actions = [action("data.sample", data=result, metadata=metadata)]
+            insights = []
         envelope = Envelope(
             command="data.upload",
             status="success",
             data=result,
             metadata=metadata,
             agent_hints=AgentHints(
-                actions=[
-                    action("data.sample", data=result, metadata=metadata),
-                ],
+                actions=actions,
                 warnings=result.get("warnings", []),
+                insights=insights,
             ),
         )
         self.log("data.upload", envelope.status, envelope.metadata)
@@ -2931,13 +2940,15 @@ class MaxCApp:
     def auth_can_i(
         self,
         *,
-        table_name: 'str',
+        object_name: 'str',
+        object_type: 'str' = "Table",
         operation: 'str',
         project: 'str | None' = None,
     ) -> 'Envelope':
         target_project = project or self.config.default_project
         payload, warnings = self.backend.can_i_info(
-            table_name=table_name,
+            object_name=object_name,
+            object_type=object_type,
             operation=operation,
             project=target_project,
         )

maxc_cli-0.4.3/src/maxc_cli/backend/auth.py

@@ -0,0 +1,164 @@
+"""Auth-related mixin for OdpsBackend."""
+
+from typing import Any
+from xml.etree import ElementTree
+
+from ..exceptions import BackendConnectionError, MaxCError
+from ..helpers import (
+    build_odps_identity_payload,
+    odps_identity_source,
+    quote_table_name,
+    translate_odps_error,
+)
+
+
+class AuthMixin:
+    """Mixin providing authentication and authorization methods."""
+
+    def whoami_info(self, *, project: 'str | None' = None) -> 'tuple[dict[str, Any], list[str]]':
+        """Get current identity info by executing ``whoami`` security query.
+
+        Calls ``client.execute_security_query("whoami")`` to verify the
+        connection and return desensitized identity information.
+
+        Args:
+            project: Optional project override.
+
+        Returns:
+            Tuple of (identity payload dict, warnings list).
+        """
+        target_project = project or self.project
+        try:
+            result = self.client.execute_security_query("whoami", project=target_project)
+        except Exception as exc:
+            raise translate_odps_error(exc, "whoami") from exc
+
+        owner_display_name = result.get("DisplayName") if isinstance(result, dict) else None
+        if owner_display_name:
+            self._owner_display_name = owner_display_name
+        return build_odps_identity_payload(
+            client=self.client,
+            settings=self.settings,
+            allowed_operations=self.config.allowed_operations,
+            identity_source=odps_identity_source(self.setting_sources),
+            auth_type=getattr(self.resolved_auth, "auth_type", "access_key"),
+            token_expires_at=getattr(self.resolved_auth, "token_expires_at", None),
+            project=target_project,
+            owner_display_name=owner_display_name,
+        )
+
+    def _check_permission(
+        self,
+        *,
+        object_name: 'str',
+        object_type: 'str',
+        action: 'str',
+        project: 'str',
+    ) -> 'tuple[bool, str]':
+        """Call the MaxCompute checkPermission REST API.
+
+        Uses GET /projects/{project}/auth/?type={type}&name={name}&grantee={action}
+        (same endpoint as Java SDK's SecurityManager#checkPermission).
+
+        Returns:
+            Tuple of (allowed: bool, message: str).
+        """
+        import json as _json
+
+        rest = self.client.rest
+        endpoint = rest.endpoint
+        url = f"{endpoint}/projects/{project}/auth/"
+        params = {
+            "type": object_type,
+            "name": object_name,
+            "grantee": action,
+        }
+        resp = rest.get(url, params=params)
+        root = ElementTree.fromstring(resp.content)
+        result = (root.findtext("Result") or "").strip()
+        raw_message = (root.findtext("Message") or "").strip()
+        try:
+            parsed = _json.loads(raw_message)
+            message = parsed.get("message", "") if isinstance(parsed, dict) else raw_message
+        except (ValueError, TypeError):
+            message = raw_message
+        return result.upper() == "ALLOW", message
+
+    def can_i_info(
+        self,
+        *,
+        object_name: 'str',
+        object_type: 'str' = "Table",
+        operation: 'str',
+        project: 'str | None' = None,
+    ) -> 'tuple[dict[str, Any], list[str]]':
+        """Check if a specific operation is allowed on an object.
+
+        Calls the MaxCompute checkPermission REST API directly.
+
+        Args:
+            object_name: Object name to check (table name, function name, etc.).
+            object_type: Object type (Table, Project, Function, Resource, Instance).
+            operation: ODPS ActionType (e.g. "Select", "CreateInstance").
+            project: Optional project override.
+
+        Returns:
+            Tuple of (permission payload dict, warnings list).
+        """
+        target_project = project or self.project
+        if object_type == "Table":
+            quote_table_name(object_name)
+
+        try:
+            allowed, message = self._check_permission(
+                object_name=object_name,
+                object_type=object_type,
+                action=operation,
+                project=target_project,
+            )
+        except Exception as exc:
+            translated = translate_odps_error(exc)
+            if isinstance(translated, BackendConnectionError):
+                raise translated
+            return (
+                {
+                    "object_type": object_type,
+                    "object_name": object_name,
+                    "project": target_project,
+                    "operation": operation,
+                    "allowed": False,
+                    "check_mode": "odps_check_permission_api",
+                    "reason": translated.message,
+                    "check_error_code": translated.error_code,
+                },
+                [],
+            )
+
+        return (
+            {
+                "object_type": object_type,
+                "object_name": object_name,
+                "project": target_project,
+                "operation": operation,
+                "allowed": allowed,
+                "check_mode": "odps_check_permission_api",
+                "reason": message if message else ("Allowed." if allowed else "Denied."),
+                "check_error_code": None if allowed else "PERMISSION_DENIED",
+            },
+            [],
+        )
+
+    def _get_owner_display_name(self) -> 'str | None':
+        """Get the current user's display name (e.g., 'ALIYUN$xxx' or 'RAM$xxx')."""
+        if self._owner_display_name is not None:
+            return self._owner_display_name
+        try:
+            result = self.client.execute_security_query("whoami", project=self.project)
+            display_name = result.get("DisplayName") if isinstance(result, dict) else None
+            if display_name:
+                self._owner_display_name = display_name
+                return display_name
+        except Exception:
+            pass
+
+        return None

{maxc_cli-0.4.1 → maxc_cli-0.4.3}/src/maxc_cli/backend/data.py

@@ -228,6 +228,7 @@ class DataMixin:
         block_size: 'int' = 10000,
         project: 'str | None' = None,
         schema: 'str | None' = None,
+        dry_run: 'bool' = False,
     ) -> 'dict[str, Any]':
         """Upload a CSV/TSV file into an existing table or partition via Tunnel.
 
@@ -295,6 +296,36 @@ class DataMixin:
             )
 
         bytes_read = os.path.getsize(file_path)
+
+        if dry_run:
+            warnings: list[str] = []
+            rows_found = 0
+            with open(file_path, encoding="utf-8", newline="") as fh:
+                reader = csv.reader(fh, delimiter=delimiter)
+                if has_header:
+                    try:
+                        header = next(reader)
+                    except StopIteration:
+                        header = []
+                    column_mapping = _resolve_header_mapping(header, data_columns, warnings)
+                else:
+                    column_mapping = [c.name for c in data_columns]
+                for _ in reader:
+                    rows_found += 1
+            warnings.append("Dry-run: file and table schema validated, no data was uploaded.")
+            return {
+                "table": definition.name,
+                "applied_partition": partition,
+                "rows_written": 0,
+                "rows_found": rows_found,
+                "bytes_read": bytes_read,
+                "column_mapping": column_mapping,
+                "blocks": 0,
+                "overwrite": overwrite,
+                "dry_run": True,
+                "warnings": warnings,
+            }
+
         block_ids: list[int] = []
         rows_written = 0
         warnings: list[str] = []

{maxc_cli-0.4.1 → maxc_cli-0.4.3}/src/maxc_cli/cli.py

@@ -250,6 +250,7 @@ def build_parser() -> argparse.ArgumentParser:
     job_submit.add_argument("--max-rows", type=positive_int, default=100, help="Maximum rows to return (default: 100)")
     job_submit.add_argument("--cost-check", type=float, help="Abort if estimated cost exceeds threshold (CU)")
     job_submit.add_argument("--idempotency-key", help="Deduplication key for retries")
+    job_submit.add_argument("--dry-run", action="store_true", help="Estimate cost without submitting")
     job_submit.add_argument("--force", action="store_true", default=False, help=argparse.SUPPRESS)
     job_submit.set_defaults(handler=_handle_job_submit)
 
@@ -453,6 +454,7 @@ def build_parser() -> argparse.ArgumentParser:
     data_upload.add_argument("--schema", help="Schema name (overrides session default)")
     data_upload.add_argument("--block-size", type=positive_int, default=10000,
                              help="Rows per Tunnel block (default: 10000)")
+    data_upload.add_argument("--dry-run", action="store_true", help="Validate table and CSV without uploading")
     data_upload.add_argument("--project", help="Target MaxCompute project")
     data_upload.add_argument("--json", action="store_true", help="Output as JSON envelope")
     data_upload.set_defaults(handler=_handle_data_upload)
@@ -530,16 +532,57 @@ def build_parser() -> argparse.ArgumentParser:
     auth_whoami.add_argument("--json", action="store_true", help="Output as JSON envelope")
     auth_whoami.set_defaults(handler=_handle_auth_whoami)
 
-    auth_can_i = _make_parser(auth_subparsers, "can-i", "auth.can-i", help="Check whether an operation is allowed")
-    auth_can_i.add_argument("--table", required=True, help="Table name to check")
+    _CAN_I_ACTIONS = [
+        "Select", "Describe", "Alter", "Update", "Drop", "Download", "All",
+        "Read", "Write", "List",
+        "CreateTable", "CreateInstance", "CreateFunction", "CreateResource",
+        "Execute", "Delete",
+    ]
+    _CAN_I_ACTIONS_LOWER = {a.lower(): a for a in _CAN_I_ACTIONS}
+    _CAN_I_OBJECT_TYPES = ["Table", "Project", "Function", "Resource", "Instance"]
+    _CAN_I_OBJECT_TYPES_LOWER = {t.lower(): t for t in _CAN_I_OBJECT_TYPES}
+
+    auth_can_i = _make_parser(
+        auth_subparsers, "can-i", "auth.can-i",
+        help="Check whether current user has a specific permission on an object",
+        description=(
+            "Check whether the current user has a specific permission on an ODPS object.\n"
+            "\n"
+            "Examples:\n"
+            "  maxc auth can-i --table my_table --operation Select\n"
+            "  maxc auth can-i --table my_table --operation Update --project other_proj\n"
+            "  maxc auth can-i --object my_proj --type Project --operation CreateTable\n"
+            "  maxc auth can-i --object my_proj --type Project --operation CreateInstance\n"
+        ),
+        formatter_class=AliyunRawTextFormatter,
+    )
+    auth_can_i.add_argument("--object", "--table", required=True, dest="object_name",
+                            help="Object name to check (table name, or project name when --type=Project)")
+    auth_can_i.add_argument(
+        "--type",
+        default="Table",
+        type=lambda s: _CAN_I_OBJECT_TYPES_LOWER.get(s.lower(), s),
+        choices=_CAN_I_OBJECT_TYPES,
+        help=(
+            "Object type (case-insensitive, default: Table). "
+            "Table | Project | Function | Resource | Instance."
+        ),
+    )
     auth_can_i.add_argument(
         "--operation",
         required=True,
-        type=lambda s: s.upper(),
-        choices=["SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER"],
-        help="Operation to check (only SELECT is probed against the live backend; others rely on the configured allow-list).",
+        type=lambda s: _CAN_I_ACTIONS_LOWER.get(s.lower(), s),
+        choices=_CAN_I_ACTIONS,
+        help=(
+            "Permission to check (case-insensitive). "
+            "Table: Select, Describe, Alter, Update, Drop, Download, All. "
+            "Project: CreateTable, CreateInstance, CreateFunction, CreateResource, List, Read, Write, All. "
+            "Function: Read, Write, Delete, Execute, All. "
+            "Resource: Read, Write, Delete, All. "
+            "Instance: Read, Write, All."
+        ),
     )
-    auth_can_i.add_argument("--project", help="Target MaxCompute project")
+    auth_can_i.add_argument("--project", help="Project where the object lives (default: current project)")
     auth_can_i.add_argument("--json", action="store_true", help="Output as JSON envelope")
     auth_can_i.set_defaults(handler=_handle_auth_can_i)
 
@@ -800,13 +843,13 @@ def _is_json_mode(args: argparse.Namespace) -> bool:
 
 
 def _build_permission_denied_hints(app: MaxCApp | None) -> AgentHints:
-    """Build PERMISSION_DENIED agent hints, suggesting _dev workspace switch when appropriate."""
+    """Build PERMISSION_DENIED agent hints, suggesting _dev project switch when appropriate."""
     actions = []
     project = app.config.default_project if app else None
     if project and not project.endswith("_dev"):
         actions.append(SuggestedAction(
             id="session.set",
-            title="Switch to dev workspace",
+            title="Switch to dev project",
             command=f"maxc session set --project {project}_dev --json",
         ))
     actions.append(action("query", metadata={"sql_executed": "SELECT 1"}))
@@ -1100,6 +1143,7 @@ def _handle_job_submit(app: MaxCApp, args: argparse.Namespace, stdout: TextIO) -
         cost_check=args.cost_check,
         idempotency_key=args.idempotency_key,
         force=args.force,
+        dry_run=args.dry_run,
     )
     _emit_envelope(envelope, args=args, stdout=stdout, default_format="json")
 
@@ -1372,6 +1416,7 @@ def _handle_data_upload(app: MaxCApp, args: argparse.Namespace, stdout: TextIO)
         block_size=args.block_size,
         project=args.project,
         schema=getattr(args, "schema", None),
+        dry_run=args.dry_run,
     )
     _emit_envelope(envelope, args=args, stdout=stdout, default_format="json")
 
@@ -1450,7 +1495,8 @@ def _handle_auth_whoami(app: MaxCApp, args: argparse.Namespace, stdout: TextIO)
 
 def _handle_auth_can_i(app: MaxCApp, args: argparse.Namespace, stdout: TextIO) -> None:
     envelope = app.auth_can_i(
-        table_name=args.table,
+        object_name=args.object_name,
+        object_type=args.type,
         operation=args.operation,
         project=args.project,
     )

{maxc_cli-0.4.1 → maxc_cli-0.4.3}/src/maxc_cli/helpers.py

@@ -1039,12 +1039,12 @@ def classify_sql_error(message: str) -> dict[str, Any]:
     return {"error_type": "unknown"}
 
 
-def _dev_workspace_hint(project: str | None) -> str:
-    """Return a hint about switching to the _dev workspace if the project is not a dev workspace."""
+def _dev_project_hint(project: str | None) -> str:
+    """Return a hint about switching to the _dev project if the current project is production."""
     if project and not project.endswith("_dev"):
         return (
-            f"Current project '{project}' is a production workspace. "
-            f"Personal accounts usually only have access to the dev workspace (_dev). "
+            f"Current project '{project}' is a production project. "
+            f"Personal accounts usually only have access to the dev project (_dev). "
             f"Try switching: maxc session set --project {project}_dev"
         )
     return ""
@@ -1063,7 +1063,7 @@ def _build_permission_error(
     preserved as the error message for diagnostics. Context-specific
     guidance goes into the suggestion field.
     """
-    dev_hint = _dev_workspace_hint(project_name)
+    dev_hint = _dev_project_hint(project_name)
 
     if context == "list_projects" and project_name:
         suggestion = f"Verify that your account has `odps:Read` on project {project_name}, or contact the project owner."

{maxc_cli-0.4.1 → maxc_cli-0.4.3}/src/maxc_cli/skills/SKILL.md

@@ -11,7 +11,6 @@ Use the live CLI instead of inventing a separate MaxCompute adapter. Prefer `{{c
 
 - First-time setup or repair of Python or `maxc-cli`
 - Auth bootstrap or identity inspection (AK/SK or env vars)
-- Migrating from odpscmd (reusing existing ODPS Console credentials)
 - Session project or schema overrides
 - Metadata discovery, schema inspection, fast table/column search
 - Read-only query execution or job tracking
@@ -43,9 +42,9 @@ These are non-negotiable. See [references/red-lines.md](references/red-lines.md)
 
 1. **Always use `--json`** for machine work. Use `--format markdown` for user-facing output, `--format brief` in token-tight contexts. `--json` is shorthand for `--format json`. **`--format` is a top-level flag — it must come before the subcommand**: `{{cli}} --format markdown query "SELECT 1"` (✓), not `{{cli}} query "SELECT 1" --format markdown` (✗). `--json` may appear anywhere because each subcommand also accepts it.
 2. **Never invent names** — table, schema, project, or endpoint. Verify with `meta` commands and `auth whoami`.
-3. **Default to `--project` for the user's target workspace.** The configured project (in `~/.maxc/config.yaml`) is the user's **home dev workspace** — the data they actually want to query usually lives in a *different* workspace (often the corresponding production one). When the user mentions a table/project without specifying which workspace, **ask first**, then pass `--project <name>` on every meta/data command and use `project.table` in SQL.
-4. **Workspace naming convention is a fixed pair:** `<name>_dev` is the dev workspace; the same `<name>` **without** the `_dev` suffix is its corresponding **production** workspace. They share metadata structure but hold different data and different permissions. See Dev vs Production Workspaces below.
-5. **Never re-prompt for credentials** when `auth whoami` shows `authenticated=true`. Permission errors are almost always a workspace/project issue, not a credential issue.
+3. **Default to `--project` for the user's target project.** The configured project (in `~/.maxc/config.yaml`) is the user's **dev project** — the data they actually want to query usually lives in a *different* project (often the corresponding production one). When the user mentions a table/project without specifying which environment, **ask first**, then pass `--project <name>` on every meta/data command and use `project.table` in SQL.
+4. **Project naming convention is a fixed pair:** `<name>_dev` is the dev project; the same `<name>` **without** the `_dev` suffix is its corresponding **production** project. Together they form one DataWorks workspace. They share metadata structure but hold different data and different permissions. See Dev vs Production Projects below.
+5. **Never re-prompt for credentials** when `auth whoami` shows `authenticated=true`. Permission errors are almost always a project environment issue (dev vs prod), not a credential issue.
 6. **Always discover partitions** via `meta latest-partition` before querying partitioned tables. Format varies per table.
 7. **Always read `error.suggestion`** before retrying a failed command. Same input → same error.
 8. **Never install or upgrade Python** without explicit user confirmation.
@@ -56,8 +55,7 @@ These are non-negotiable. See [references/red-lines.md](references/red-lines.md)
 When `auth whoami --json` returns `configured=false` (no auth set up), follow [references/bootstrap-flow.md](references/bootstrap-flow.md) step by step. Three principles:
 
 1. **Never pick the auth method yourself** — always ask the user to choose between AK/SK and environment variables.
-2. **If the user already has `odpscmd` configured**, proactively offer to migrate those credentials before asking them to enter anything new — see [references/migrate-from-odpscmd.md](references/migrate-from-odpscmd.md).
-3. **If `auth whoami` shows `auth_type=external`, the user is on an externally-managed credential provider — do NOT modify the auth config.** Treat the bootstrap as already done. Only `project`/`endpoint`/`schema` are safe to change (via `session set` or by re-running `auth login-external` with the same `--process-command`).
+2. **If `auth whoami` shows `auth_type=external`, the user is on an externally-managed credential provider — do NOT modify the auth config.** Treat the bootstrap as already done. Only `project`/`endpoint`/`schema` are safe to change (via `session set` or by re-running `auth login-external` with the same `--process-command`).
 
 ## First Pass
 
@@ -87,38 +85,38 @@ Key paths:
 
 See [references/json-output-format.md](references/json-output-format.md) for full examples and [references/command-patterns.md](references/command-patterns.md) §JSON Contract for all data shapes.
 
-## Dev vs Production Workspaces
+## Dev vs Production Projects
 
-MaxCompute workspaces come in **fixed pairs**: a dev workspace and its corresponding production workspace. Confusing the two is the #1 source of permission errors.
+A single **DataWorks workspace** corresponds to **two MaxCompute projects**: a dev project and a production project. Confusing the two is the #1 source of permission errors.
 
 ### The naming pair (memorize this)
 
-| Workspace type | Name pattern | Example | Who can access | What lives there |
-|----------------|--------------|---------|----------------|------------------|
+| Project type   | Name pattern | Example          | Who can access | What lives there |
+|----------------|--------------|------------------|----------------|------------------|
 | **Dev**        | `<name>_dev` | `my_project_dev` | Personal accounts (the user themselves) | Test data, scratch tables, the user's own work |
 | **Production** | `<name>`     | `my_project`     | Usually only service accounts / DataWorks pipelines | The real business data the user actually wants to query |
 
-The dev workspace and the production workspace **share metadata structure but hold different data**. A table that exists in `my_project_dev` almost always exists in `my_project` too — but the rows, partitions, and freshness will differ.
+Both projects belong to the same DataWorks workspace (`my_project`). They **share metadata structure but hold different data**. A table that exists in `my_project_dev` almost always exists in `my_project` too — but the rows, partitions, and freshness will differ.
 
 ### Other key facts
 
-- The project configured in `~/.maxc/config.yaml` or env vars is always the **dev** workspace — this is the user's home workspace.
-- Personal accounts usually only have *write* access to dev and *read* access to production (varies by org policy). Pointing a session directly at production often results in `PERMISSION_DENIED`.
-- `--project` is the canonical way to access **another project's** tables — most often the corresponding production workspace, occasionally a different team's project.
-- When the user asks about a table without naming the workspace, **ask whether they mean the dev or production copy** before guessing.
+- The project configured in `~/.maxc/config.yaml` or env vars is always the **dev project** — this is the user's home project.
+- Personal accounts usually only have *write* access to dev and *read* access to production (varies by org policy). Pointing a session directly at the production project often results in `PERMISSION_DENIED`.
+- `--project` is the canonical way to access **another project's** tables — most often the corresponding production project, occasionally a different team's project.
+- When the user asks about a table without naming the project, **ask whether they mean the dev or production copy** before guessing.
 
-### How to tell which workspace you are in
+### How to tell which project you are in
 
 ```bash
 {{cli}} auth whoami --json    # check data.identity.project — ends with _dev?
 {{cli}} session show --json   # check current session project
 ```
 
-If the project name does NOT end with `_dev`, you may be pointed at a production workspace by mistake.
+If the project name does NOT end with `_dev`, you may be pointed at the production project by mistake.
 
-### Accessing production tables from dev workspace
+### Accessing production tables from dev project
 
-Use `--project` to read metadata from the production workspace without switching session:
+Use `--project` to read metadata from the production project without switching session:
 
 ```bash
 {{cli}} meta list-tables --project my_project --json
@@ -126,10 +124,10 @@ Use `--project` to read metadata from the production workspace without switching
 {{cli}} data sample my_table --project my_project --json
 ```
 
-When writing SQL, use `project.table` format to reference tables in another workspace:
+When writing SQL, use `project.table` format to reference tables in another project:
 
 ```sql
--- From dev workspace, query a production table
+-- From dev project, query a production table
 SELECT * FROM my_project.my_table WHERE ds = '20260418' LIMIT 100
 ```
 
@@ -139,7 +137,7 @@ Do NOT use bare table names (`FROM my_table`) when the target table lives in a d
 
 | Scenario | Symptom | Fix |
 |----------|---------|-----|
-| Config points to production workspace | `PERMISSION_DENIED` on most operations | `{{cli}} session set --project my_project_dev` |
+| Config points to production project | `PERMISSION_DENIED` on most operations | `{{cli}} session set --project my_project_dev` |
 | Need to read production table metadata | `PERMISSION_DENIED` on `meta describe` | `{{cli}} meta describe my_table --project my_project --json` |
 | SQL references a table in another project without project prefix | `TABLE_NOT_FOUND` | Use `project.table` format in SQL |
 | Mixed access: dev metadata + production data | Confusing results | Be explicit: use `--project` for metadata commands, `project.table` in SQL |
@@ -227,7 +225,6 @@ For full command syntax and options, see [references/command-patterns.md](refere
 | Check permission for an op | `{{cli}} auth can-i --table T --operation SELECT --json` |
 | Diagnose a failed job | `{{cli}} job diagnose <id> --json` |
 | Add semantic metadata to a table | `{{cli}} meta semantic set T ... --json` (see command-patterns.md §Semantic Metadata) |
-| Migrate from odpscmd | See [references/migrate-from-odpscmd.md](references/migrate-from-odpscmd.md) |
 | Plan NL→SQL before writing | See [references/text2sql-principles.md](references/text2sql-principles.md) |
 | Look up MaxCompute SQL dialect rule | See [references/maxcompute-select-guide.md](references/maxcompute-select-guide.md) |
 | Pick a query template (Top-N, PIVOT, retention, …) | See [references/sql-query-patterns.md](references/sql-query-patterns.md) |
@@ -260,7 +257,6 @@ For full command syntax and options, see [references/command-patterns.md](refere
 | [bootstrap-flow.md](references/bootstrap-flow.md) | First-time setup or `configured=false` |
 | [setup-install.md](references/setup-install.md) | Python / maxc-cli install detail |
 | [bootstrap-auth.md](references/bootstrap-auth.md) | Per-method auth setup (AK/SK, env vars) |
-| [migrate-from-odpscmd.md](references/migrate-from-odpscmd.md) | User has `odpscmd` configured |
 | [command-patterns.md](references/command-patterns.md) | Full command syntax, output shapes, semantic, multi-project, schema, async |
 | [json-output-format.md](references/json-output-format.md) | JSON envelope examples |
 | [partition-guide.md](references/partition-guide.md) | Partition naming, MAX_PT() guidance, ambiguity |

{maxc_cli-0.4.1 → maxc_cli-0.4.3}/src/maxc_cli/skills/references/bootstrap-auth.md

@@ -28,10 +28,6 @@ If the console script is not on `PATH`, use:
 
 In sandboxes or CI, make sure those paths are writable.
 
-### Migrating From odpscmd
-
-If the user already has `odpscmd` configured, reuse their credentials — see [migrate-from-odpscmd.md](migrate-from-odpscmd.md) for the field mapping and config conversion steps.
-
 ---
 
 ## Step 1: Check Current Auth Status

{maxc_cli-0.4.1 → maxc_cli-0.4.3}/src/maxc_cli/skills/references/bootstrap-flow.md

@@ -7,7 +7,7 @@ When `auth whoami --json` returns `configured=false`, follow the three phases be
 ```
 Phase 1: Prerequisites    → setup-install.md
             ↓
-Phase 2: Auth             → bootstrap-auth.md  (or migrate-from-odpscmd.md)
+Phase 2: Auth             → bootstrap-auth.md
             ↓
 Phase 3: Verify           → {{cli}} auth whoami --json
 ```
@@ -51,25 +51,17 @@ Then jump to the matching path in [bootstrap-auth.md](bootstrap-auth.md):
 
 If `auth whoami --json` shows `auth_type=external` (or `provider: external` in the saved config), the user is on an externally-managed credential provider. **Do not run Phase 2.** The auth is already set up — only `project`/`endpoint`/`schema` are safe to change via `session set` or by re-running the original `auth login-external` with updated `--project`/`--endpoint`. Treat bootstrap as complete and move to Phase 3.
 
-### Shortcut for users with `odpscmd` already configured
-
-Before asking the question above, check whether the user already has `odpscmd` set up. If yes:
-
-> "Do you already have `odpscmd` configured? We can migrate the existing credentials without you re-entering anything."
-
-Then follow [migrate-from-odpscmd.md](migrate-from-odpscmd.md).
-
 ### Always confirm project and endpoint
 
 Regardless of method, ask the user explicitly for `project` and `endpoint`. If a value is already in the config or env, present it as a default but require confirmation. See [bootstrap-auth.md](bootstrap-auth.md) §"Always ask for project and endpoint".
 
-### Dev vs production workspace check
+### Dev vs production project check
 
 If the project name does **not** end with `_dev`, warn the user:
 
-> "Project `<project>` does not end with `_dev`. Personal accounts usually only have access to dev workspaces — would you like to switch to `<project>_dev`?"
+> "Project `<project>` does not end with `_dev`. Personal accounts usually only have access to dev projects — would you like to switch to `<project>_dev`?"
 
-See SKILL.md §"Dev vs Production Workspaces" for the full rationale.
+See SKILL.md §"Dev vs Production Projects" for the full rationale.
 
 ---
 
@@ -100,5 +92,4 @@ Expected: `data.identity.authenticated=true`. `validation_status` interpretation
 
 - Step-by-step Python / maxc-cli installation — see [setup-install.md](setup-install.md).
 - Each auth method's exact CLI flags and saved YAML — see [bootstrap-auth.md](bootstrap-auth.md).
-- odpscmd field-by-field migration — see [migrate-from-odpscmd.md](migrate-from-odpscmd.md).
 - Public cloud endpoint catalog — present in [bootstrap-auth.md](bootstrap-auth.md) Path A.