maxc-cli 0.4.2__tar.gz → 0.4.3__tar.gz

{maxc_cli-0.4.2 → maxc_cli-0.4.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: maxc-cli
-Version: 0.4.2
+Version: 0.4.3
 Summary: Agent-native MaxCompute CLI for external coding agents
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.9

{maxc_cli-0.4.2 → maxc_cli-0.4.3}/setup.py

@@ -9,7 +9,7 @@ README = ROOT / "README.md"
 
 setup(
     name="maxc-cli",
-    version="0.4.2",
+    version="0.4.3",
     description="Agent-native MaxCompute CLI for external coding agents",
     long_description=README.read_text(encoding="utf-8"),
     long_description_content_type="text/markdown",

{maxc_cli-0.4.2 → maxc_cli-0.4.3}/src/maxc_cli/__init__.py

@@ -2,4 +2,4 @@
 
 __all__ = ["__version__"]
 
-__version__ = "0.4.2"
+__version__ = "0.4.3"

{maxc_cli-0.4.2 → maxc_cli-0.4.3}/src/maxc_cli/agent_platforms.py

@@ -118,7 +118,7 @@ def _build_registry() -> tuple[Platform, ...]:
             install_root=_claude_root(),
             skill_subpath=None,
             extra_files=(),
-            next_step_hint="Restart Claude Code or run /reload-plugins to activate",
+            next_step_hint="Skill is auto-discovered — start a new Claude Code session to activate",
         ),
         Platform(name="cursor",    install_root=_simple_root(".cursor"),
                  next_step_hint="Restart Cursor to activate"),

{maxc_cli-0.4.2 → maxc_cli-0.4.3}/src/maxc_cli/app.py

@@ -2940,13 +2940,15 @@ class MaxCApp:
     def auth_can_i(
         self,
         *,
-        table_name: 'str',
+        object_name: 'str',
+        object_type: 'str' = "Table",
         operation: 'str',
         project: 'str | None' = None,
     ) -> 'Envelope':
         target_project = project or self.config.default_project
         payload, warnings = self.backend.can_i_info(
-            table_name=table_name,
+            object_name=object_name,
+            object_type=object_type,
             operation=operation,
             project=target_project,
         )

maxc_cli-0.4.3/src/maxc_cli/backend/auth.py

@@ -0,0 +1,164 @@
+"""Auth-related mixin for OdpsBackend."""
+
+from typing import Any
+from xml.etree import ElementTree
+
+from ..exceptions import BackendConnectionError, MaxCError
+from ..helpers import (
+    build_odps_identity_payload,
+    odps_identity_source,
+    quote_table_name,
+    translate_odps_error,
+)
+
+
+class AuthMixin:
+    """Mixin providing authentication and authorization methods."""
+
+    def whoami_info(self, *, project: 'str | None' = None) -> 'tuple[dict[str, Any], list[str]]':
+        """Get current identity info by executing ``whoami`` security query.
+
+        Calls ``client.execute_security_query("whoami")`` to verify the
+        connection and return desensitized identity information.
+
+        Args:
+            project: Optional project override.
+
+        Returns:
+            Tuple of (identity payload dict, warnings list).
+        """
+        target_project = project or self.project
+        try:
+            result = self.client.execute_security_query("whoami", project=target_project)
+        except Exception as exc:
+            raise translate_odps_error(exc, "whoami") from exc
+
+        owner_display_name = result.get("DisplayName") if isinstance(result, dict) else None
+        if owner_display_name:
+            self._owner_display_name = owner_display_name
+        return build_odps_identity_payload(
+            client=self.client,
+            settings=self.settings,
+            allowed_operations=self.config.allowed_operations,
+            identity_source=odps_identity_source(self.setting_sources),
+            auth_type=getattr(self.resolved_auth, "auth_type", "access_key"),
+            token_expires_at=getattr(self.resolved_auth, "token_expires_at", None),
+            project=target_project,
+            owner_display_name=owner_display_name,
+        )
+
+    def _check_permission(
+        self,
+        *,
+        object_name: 'str',
+        object_type: 'str',
+        action: 'str',
+        project: 'str',
+    ) -> 'tuple[bool, str]':
+        """Call the MaxCompute checkPermission REST API.
+
+        Uses GET /projects/{project}/auth/?type={type}&name={name}&grantee={action}
+        (same endpoint as Java SDK's SecurityManager#checkPermission).
+
+        Returns:
+            Tuple of (allowed: bool, message: str).
+        """
+        import json as _json
+
+        rest = self.client.rest
+        endpoint = rest.endpoint
+        url = f"{endpoint}/projects/{project}/auth/"
+        params = {
+            "type": object_type,
+            "name": object_name,
+            "grantee": action,
+        }
+        resp = rest.get(url, params=params)
+        root = ElementTree.fromstring(resp.content)
+        result = (root.findtext("Result") or "").strip()
+        raw_message = (root.findtext("Message") or "").strip()
+        try:
+            parsed = _json.loads(raw_message)
+            message = parsed.get("message", "") if isinstance(parsed, dict) else raw_message
+        except (ValueError, TypeError):
+            message = raw_message
+        return result.upper() == "ALLOW", message
+
+    def can_i_info(
+        self,
+        *,
+        object_name: 'str',
+        object_type: 'str' = "Table",
+        operation: 'str',
+        project: 'str | None' = None,
+    ) -> 'tuple[dict[str, Any], list[str]]':
+        """Check if a specific operation is allowed on an object.
+
+        Calls the MaxCompute checkPermission REST API directly.
+
+        Args:
+            object_name: Object name to check (table name, function name, etc.).
+            object_type: Object type (Table, Project, Function, Resource, Instance).
+            operation: ODPS ActionType (e.g. "Select", "CreateInstance").
+            project: Optional project override.
+
+        Returns:
+            Tuple of (permission payload dict, warnings list).
+        """
+        target_project = project or self.project
+        if object_type == "Table":
+            quote_table_name(object_name)
+
+        try:
+            allowed, message = self._check_permission(
+                object_name=object_name,
+                object_type=object_type,
+                action=operation,
+                project=target_project,
+            )
+        except Exception as exc:
+            translated = translate_odps_error(exc)
+            if isinstance(translated, BackendConnectionError):
+                raise translated
+            return (
+                {
+                    "object_type": object_type,
+                    "object_name": object_name,
+                    "project": target_project,
+                    "operation": operation,
+                    "allowed": False,
+                    "check_mode": "odps_check_permission_api",
+                    "reason": translated.message,
+                    "check_error_code": translated.error_code,
+                },
+                [],
+            )
+
+        return (
+            {
+                "object_type": object_type,
+                "object_name": object_name,
+                "project": target_project,
+                "operation": operation,
+                "allowed": allowed,
+                "check_mode": "odps_check_permission_api",
+                "reason": message if message else ("Allowed." if allowed else "Denied."),
+                "check_error_code": None if allowed else "PERMISSION_DENIED",
+            },
+            [],
+        )
+
+    def _get_owner_display_name(self) -> 'str | None':
+        """Get the current user's display name (e.g., 'ALIYUN$xxx' or 'RAM$xxx')."""
+        if self._owner_display_name is not None:
+            return self._owner_display_name
+        try:
+            result = self.client.execute_security_query("whoami", project=self.project)
+            display_name = result.get("DisplayName") if isinstance(result, dict) else None
+            if display_name:
+                self._owner_display_name = display_name
+                return display_name
+        except Exception:
+            pass
+
+        return None

{maxc_cli-0.4.2 → maxc_cli-0.4.3}/src/maxc_cli/cli.py

@@ -532,16 +532,57 @@ def build_parser() -> argparse.ArgumentParser:
     auth_whoami.add_argument("--json", action="store_true", help="Output as JSON envelope")
     auth_whoami.set_defaults(handler=_handle_auth_whoami)
 
-    auth_can_i = _make_parser(auth_subparsers, "can-i", "auth.can-i", help="Check whether an operation is allowed")
-    auth_can_i.add_argument("--table", required=True, help="Table name to check")
+    _CAN_I_ACTIONS = [
+        "Select", "Describe", "Alter", "Update", "Drop", "Download", "All",
+        "Read", "Write", "List",
+        "CreateTable", "CreateInstance", "CreateFunction", "CreateResource",
+        "Execute", "Delete",
+    ]
+    _CAN_I_ACTIONS_LOWER = {a.lower(): a for a in _CAN_I_ACTIONS}
+    _CAN_I_OBJECT_TYPES = ["Table", "Project", "Function", "Resource", "Instance"]
+    _CAN_I_OBJECT_TYPES_LOWER = {t.lower(): t for t in _CAN_I_OBJECT_TYPES}
+
+    auth_can_i = _make_parser(
+        auth_subparsers, "can-i", "auth.can-i",
+        help="Check whether current user has a specific permission on an object",
+        description=(
+            "Check whether the current user has a specific permission on an ODPS object.\n"
+            "\n"
+            "Examples:\n"
+            "  maxc auth can-i --table my_table --operation Select\n"
+            "  maxc auth can-i --table my_table --operation Update --project other_proj\n"
+            "  maxc auth can-i --object my_proj --type Project --operation CreateTable\n"
+            "  maxc auth can-i --object my_proj --type Project --operation CreateInstance\n"
+        ),
+        formatter_class=AliyunRawTextFormatter,
+    )
+    auth_can_i.add_argument("--object", "--table", required=True, dest="object_name",
+                            help="Object name to check (table name, or project name when --type=Project)")
+    auth_can_i.add_argument(
+        "--type",
+        default="Table",
+        type=lambda s: _CAN_I_OBJECT_TYPES_LOWER.get(s.lower(), s),
+        choices=_CAN_I_OBJECT_TYPES,
+        help=(
+            "Object type (case-insensitive, default: Table). "
+            "Table | Project | Function | Resource | Instance."
+        ),
+    )
     auth_can_i.add_argument(
         "--operation",
         required=True,
-        type=lambda s: s.upper(),
-        choices=["SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER"],
-        help="Operation to check (only SELECT is probed against the live backend; others rely on the configured allow-list).",
+        type=lambda s: _CAN_I_ACTIONS_LOWER.get(s.lower(), s),
+        choices=_CAN_I_ACTIONS,
+        help=(
+            "Permission to check (case-insensitive). "
+            "Table: Select, Describe, Alter, Update, Drop, Download, All. "
+            "Project: CreateTable, CreateInstance, CreateFunction, CreateResource, List, Read, Write, All. "
+            "Function: Read, Write, Delete, Execute, All. "
+            "Resource: Read, Write, Delete, All. "
+            "Instance: Read, Write, All."
+        ),
     )
-    auth_can_i.add_argument("--project", help="Target MaxCompute project")
+    auth_can_i.add_argument("--project", help="Project where the object lives (default: current project)")
     auth_can_i.add_argument("--json", action="store_true", help="Output as JSON envelope")
     auth_can_i.set_defaults(handler=_handle_auth_can_i)
 
@@ -802,13 +843,13 @@ def _is_json_mode(args: argparse.Namespace) -> bool:
 
 
 def _build_permission_denied_hints(app: MaxCApp | None) -> AgentHints:
-    """Build PERMISSION_DENIED agent hints, suggesting _dev workspace switch when appropriate."""
+    """Build PERMISSION_DENIED agent hints, suggesting _dev project switch when appropriate."""
     actions = []
     project = app.config.default_project if app else None
     if project and not project.endswith("_dev"):
         actions.append(SuggestedAction(
             id="session.set",
-            title="Switch to dev workspace",
+            title="Switch to dev project",
             command=f"maxc session set --project {project}_dev --json",
         ))
     actions.append(action("query", metadata={"sql_executed": "SELECT 1"}))
@@ -1454,7 +1495,8 @@ def _handle_auth_whoami(app: MaxCApp, args: argparse.Namespace, stdout: TextIO)
 
 def _handle_auth_can_i(app: MaxCApp, args: argparse.Namespace, stdout: TextIO) -> None:
     envelope = app.auth_can_i(
-        table_name=args.table,
+        object_name=args.object_name,
+        object_type=args.type,
         operation=args.operation,
         project=args.project,
     )

{maxc_cli-0.4.2 → maxc_cli-0.4.3}/src/maxc_cli/helpers.py

@@ -1039,12 +1039,12 @@ def classify_sql_error(message: str) -> dict[str, Any]:
     return {"error_type": "unknown"}
 
 
-def _dev_workspace_hint(project: str | None) -> str:
-    """Return a hint about switching to the _dev workspace if the project is not a dev workspace."""
+def _dev_project_hint(project: str | None) -> str:
+    """Return a hint about switching to the _dev project if the current project is production."""
     if project and not project.endswith("_dev"):
         return (
-            f"Current project '{project}' is a production workspace. "
-            f"Personal accounts usually only have access to the dev workspace (_dev). "
+            f"Current project '{project}' is a production project. "
+            f"Personal accounts usually only have access to the dev project (_dev). "
             f"Try switching: maxc session set --project {project}_dev"
         )
     return ""
@@ -1063,7 +1063,7 @@ def _build_permission_error(
     preserved as the error message for diagnostics. Context-specific
     guidance goes into the suggestion field.
     """
-    dev_hint = _dev_workspace_hint(project_name)
+    dev_hint = _dev_project_hint(project_name)
 
     if context == "list_projects" and project_name:
         suggestion = f"Verify that your account has `odps:Read` on project {project_name}, or contact the project owner."

{maxc_cli-0.4.2 → maxc_cli-0.4.3}/src/maxc_cli/skills/SKILL.md

@@ -11,7 +11,6 @@ Use the live CLI instead of inventing a separate MaxCompute adapter. Prefer `{{c
 
 - First-time setup or repair of Python or `maxc-cli`
 - Auth bootstrap or identity inspection (AK/SK or env vars)
-- Migrating from odpscmd (reusing existing ODPS Console credentials)
 - Session project or schema overrides
 - Metadata discovery, schema inspection, fast table/column search
 - Read-only query execution or job tracking
@@ -43,9 +42,9 @@ These are non-negotiable. See [references/red-lines.md](references/red-lines.md)
 
 1. **Always use `--json`** for machine work. Use `--format markdown` for user-facing output, `--format brief` in token-tight contexts. `--json` is shorthand for `--format json`. **`--format` is a top-level flag — it must come before the subcommand**: `{{cli}} --format markdown query "SELECT 1"` (✓), not `{{cli}} query "SELECT 1" --format markdown` (✗). `--json` may appear anywhere because each subcommand also accepts it.
 2. **Never invent names** — table, schema, project, or endpoint. Verify with `meta` commands and `auth whoami`.
-3. **Default to `--project` for the user's target workspace.** The configured project (in `~/.maxc/config.yaml`) is the user's **home dev workspace** — the data they actually want to query usually lives in a *different* workspace (often the corresponding production one). When the user mentions a table/project without specifying which workspace, **ask first**, then pass `--project <name>` on every meta/data command and use `project.table` in SQL.
-4. **Workspace naming convention is a fixed pair:** `<name>_dev` is the dev workspace; the same `<name>` **without** the `_dev` suffix is its corresponding **production** workspace. They share metadata structure but hold different data and different permissions. See Dev vs Production Workspaces below.
-5. **Never re-prompt for credentials** when `auth whoami` shows `authenticated=true`. Permission errors are almost always a workspace/project issue, not a credential issue.
+3. **Default to `--project` for the user's target project.** The configured project (in `~/.maxc/config.yaml`) is the user's **dev project** — the data they actually want to query usually lives in a *different* project (often the corresponding production one). When the user mentions a table/project without specifying which environment, **ask first**, then pass `--project <name>` on every meta/data command and use `project.table` in SQL.
+4. **Project naming convention is a fixed pair:** `<name>_dev` is the dev project; the same `<name>` **without** the `_dev` suffix is its corresponding **production** project. Together they form one DataWorks workspace. They share metadata structure but hold different data and different permissions. See Dev vs Production Projects below.
+5. **Never re-prompt for credentials** when `auth whoami` shows `authenticated=true`. Permission errors are almost always a project environment issue (dev vs prod), not a credential issue.
 6. **Always discover partitions** via `meta latest-partition` before querying partitioned tables. Format varies per table.
 7. **Always read `error.suggestion`** before retrying a failed command. Same input → same error.
 8. **Never install or upgrade Python** without explicit user confirmation.
@@ -56,8 +55,7 @@ These are non-negotiable. See [references/red-lines.md](references/red-lines.md)
 When `auth whoami --json` returns `configured=false` (no auth set up), follow [references/bootstrap-flow.md](references/bootstrap-flow.md) step by step. Three principles:
 
 1. **Never pick the auth method yourself** — always ask the user to choose between AK/SK and environment variables.
-2. **If the user already has `odpscmd` configured**, proactively offer to migrate those credentials before asking them to enter anything new — see [references/migrate-from-odpscmd.md](references/migrate-from-odpscmd.md).
-3. **If `auth whoami` shows `auth_type=external`, the user is on an externally-managed credential provider — do NOT modify the auth config.** Treat the bootstrap as already done. Only `project`/`endpoint`/`schema` are safe to change (via `session set` or by re-running `auth login-external` with the same `--process-command`).
+2. **If `auth whoami` shows `auth_type=external`, the user is on an externally-managed credential provider — do NOT modify the auth config.** Treat the bootstrap as already done. Only `project`/`endpoint`/`schema` are safe to change (via `session set` or by re-running `auth login-external` with the same `--process-command`).
 
 ## First Pass
 
@@ -87,38 +85,38 @@ Key paths:
 
 See [references/json-output-format.md](references/json-output-format.md) for full examples and [references/command-patterns.md](references/command-patterns.md) §JSON Contract for all data shapes.
 
-## Dev vs Production Workspaces
+## Dev vs Production Projects
 
-MaxCompute workspaces come in **fixed pairs**: a dev workspace and its corresponding production workspace. Confusing the two is the #1 source of permission errors.
+A single **DataWorks workspace** corresponds to **two MaxCompute projects**: a dev project and a production project. Confusing the two is the #1 source of permission errors.
 
 ### The naming pair (memorize this)
 
-| Workspace type | Name pattern | Example | Who can access | What lives there |
-|----------------|--------------|---------|----------------|------------------|
+| Project type   | Name pattern | Example          | Who can access | What lives there |
+|----------------|--------------|------------------|----------------|------------------|
 | **Dev**        | `<name>_dev` | `my_project_dev` | Personal accounts (the user themselves) | Test data, scratch tables, the user's own work |
 | **Production** | `<name>`     | `my_project`     | Usually only service accounts / DataWorks pipelines | The real business data the user actually wants to query |
 
-The dev workspace and the production workspace **share metadata structure but hold different data**. A table that exists in `my_project_dev` almost always exists in `my_project` too — but the rows, partitions, and freshness will differ.
+Both projects belong to the same DataWorks workspace (`my_project`). They **share metadata structure but hold different data**. A table that exists in `my_project_dev` almost always exists in `my_project` too — but the rows, partitions, and freshness will differ.
 
 ### Other key facts
 
-- The project configured in `~/.maxc/config.yaml` or env vars is always the **dev** workspace — this is the user's home workspace.
-- Personal accounts usually only have *write* access to dev and *read* access to production (varies by org policy). Pointing a session directly at production often results in `PERMISSION_DENIED`.
-- `--project` is the canonical way to access **another project's** tables — most often the corresponding production workspace, occasionally a different team's project.
-- When the user asks about a table without naming the workspace, **ask whether they mean the dev or production copy** before guessing.
+- The project configured in `~/.maxc/config.yaml` or env vars is always the **dev project** — this is the user's home project.
+- Personal accounts usually only have *write* access to dev and *read* access to production (varies by org policy). Pointing a session directly at the production project often results in `PERMISSION_DENIED`.
+- `--project` is the canonical way to access **another project's** tables — most often the corresponding production project, occasionally a different team's project.
+- When the user asks about a table without naming the project, **ask whether they mean the dev or production copy** before guessing.
 
-### How to tell which workspace you are in
+### How to tell which project you are in
 
 ```bash
 {{cli}} auth whoami --json    # check data.identity.project — ends with _dev?
 {{cli}} session show --json   # check current session project
 ```
 
-If the project name does NOT end with `_dev`, you may be pointed at a production workspace by mistake.
+If the project name does NOT end with `_dev`, you may be pointed at the production project by mistake.
 
-### Accessing production tables from dev workspace
+### Accessing production tables from dev project
 
-Use `--project` to read metadata from the production workspace without switching session:
+Use `--project` to read metadata from the production project without switching session:
 
 ```bash
 {{cli}} meta list-tables --project my_project --json
@@ -126,10 +124,10 @@ Use `--project` to read metadata from the production workspace without switching
 {{cli}} data sample my_table --project my_project --json
 ```
 
-When writing SQL, use `project.table` format to reference tables in another workspace:
+When writing SQL, use `project.table` format to reference tables in another project:
 
 ```sql
--- From dev workspace, query a production table
+-- From dev project, query a production table
 SELECT * FROM my_project.my_table WHERE ds = '20260418' LIMIT 100
 ```
 
@@ -139,7 +137,7 @@ Do NOT use bare table names (`FROM my_table`) when the target table lives in a d
 
 | Scenario | Symptom | Fix |
 |----------|---------|-----|
-| Config points to production workspace | `PERMISSION_DENIED` on most operations | `{{cli}} session set --project my_project_dev` |
+| Config points to production project | `PERMISSION_DENIED` on most operations | `{{cli}} session set --project my_project_dev` |
 | Need to read production table metadata | `PERMISSION_DENIED` on `meta describe` | `{{cli}} meta describe my_table --project my_project --json` |
 | SQL references a table in another project without project prefix | `TABLE_NOT_FOUND` | Use `project.table` format in SQL |
 | Mixed access: dev metadata + production data | Confusing results | Be explicit: use `--project` for metadata commands, `project.table` in SQL |
@@ -227,7 +225,6 @@ For full command syntax and options, see [references/command-patterns.md](refere
 | Check permission for an op | `{{cli}} auth can-i --table T --operation SELECT --json` |
 | Diagnose a failed job | `{{cli}} job diagnose <id> --json` |
 | Add semantic metadata to a table | `{{cli}} meta semantic set T ... --json` (see command-patterns.md §Semantic Metadata) |
-| Migrate from odpscmd | See [references/migrate-from-odpscmd.md](references/migrate-from-odpscmd.md) |
 | Plan NL→SQL before writing | See [references/text2sql-principles.md](references/text2sql-principles.md) |
 | Look up MaxCompute SQL dialect rule | See [references/maxcompute-select-guide.md](references/maxcompute-select-guide.md) |
 | Pick a query template (Top-N, PIVOT, retention, …) | See [references/sql-query-patterns.md](references/sql-query-patterns.md) |
@@ -260,7 +257,6 @@ For full command syntax and options, see [references/command-patterns.md](refere
 | [bootstrap-flow.md](references/bootstrap-flow.md) | First-time setup or `configured=false` |
 | [setup-install.md](references/setup-install.md) | Python / maxc-cli install detail |
 | [bootstrap-auth.md](references/bootstrap-auth.md) | Per-method auth setup (AK/SK, env vars) |
-| [migrate-from-odpscmd.md](references/migrate-from-odpscmd.md) | User has `odpscmd` configured |
 | [command-patterns.md](references/command-patterns.md) | Full command syntax, output shapes, semantic, multi-project, schema, async |
 | [json-output-format.md](references/json-output-format.md) | JSON envelope examples |
 | [partition-guide.md](references/partition-guide.md) | Partition naming, MAX_PT() guidance, ambiguity |

{maxc_cli-0.4.2 → maxc_cli-0.4.3}/src/maxc_cli/skills/references/bootstrap-auth.md

@@ -28,10 +28,6 @@ If the console script is not on `PATH`, use:
 
 In sandboxes or CI, make sure those paths are writable.
 
-### Migrating From odpscmd
-
-If the user already has `odpscmd` configured, reuse their credentials — see [migrate-from-odpscmd.md](migrate-from-odpscmd.md) for the field mapping and config conversion steps.
-
 ---
 
 ## Step 1: Check Current Auth Status

{maxc_cli-0.4.2 → maxc_cli-0.4.3}/src/maxc_cli/skills/references/bootstrap-flow.md

@@ -7,7 +7,7 @@ When `auth whoami --json` returns `configured=false`, follow the three phases be
 ```
 Phase 1: Prerequisites    → setup-install.md
             ↓
-Phase 2: Auth             → bootstrap-auth.md  (or migrate-from-odpscmd.md)
+Phase 2: Auth             → bootstrap-auth.md
             ↓
 Phase 3: Verify           → {{cli}} auth whoami --json
 ```
@@ -51,25 +51,17 @@ Then jump to the matching path in [bootstrap-auth.md](bootstrap-auth.md):
 
 If `auth whoami --json` shows `auth_type=external` (or `provider: external` in the saved config), the user is on an externally-managed credential provider. **Do not run Phase 2.** The auth is already set up — only `project`/`endpoint`/`schema` are safe to change via `session set` or by re-running the original `auth login-external` with updated `--project`/`--endpoint`. Treat bootstrap as complete and move to Phase 3.
 
-### Shortcut for users with `odpscmd` already configured
-
-Before asking the question above, check whether the user already has `odpscmd` set up. If yes:
-
-> "Do you already have `odpscmd` configured? We can migrate the existing credentials without you re-entering anything."
-
-Then follow [migrate-from-odpscmd.md](migrate-from-odpscmd.md).
-
 ### Always confirm project and endpoint
 
 Regardless of method, ask the user explicitly for `project` and `endpoint`. If a value is already in the config or env, present it as a default but require confirmation. See [bootstrap-auth.md](bootstrap-auth.md) §"Always ask for project and endpoint".
 
-### Dev vs production workspace check
+### Dev vs production project check
 
 If the project name does **not** end with `_dev`, warn the user:
 
-> "Project `<project>` does not end with `_dev`. Personal accounts usually only have access to dev workspaces — would you like to switch to `<project>_dev`?"
+> "Project `<project>` does not end with `_dev`. Personal accounts usually only have access to dev projects — would you like to switch to `<project>_dev`?"
 
-See SKILL.md §"Dev vs Production Workspaces" for the full rationale.
+See SKILL.md §"Dev vs Production Projects" for the full rationale.
 
 ---
 
@@ -100,5 +92,4 @@ Expected: `data.identity.authenticated=true`. `validation_status` interpretation
 
 - Step-by-step Python / maxc-cli installation — see [setup-install.md](setup-install.md).
 - Each auth method's exact CLI flags and saved YAML — see [bootstrap-auth.md](bootstrap-auth.md).
-- odpscmd field-by-field migration — see [migrate-from-odpscmd.md](migrate-from-odpscmd.md).
 - Public cloud endpoint catalog — present in [bootstrap-auth.md](bootstrap-auth.md) Path A.

{maxc_cli-0.4.2 → maxc_cli-0.4.3}/src/maxc_cli/skills/references/command-patterns.md

@@ -343,7 +343,7 @@ fi
 # NOT_FOUND → search for the correct name
 {{cli}} meta search "partial_name" --json
 
-# PERMISSION_DENIED → check permissions (often a workspace issue)
+# PERMISSION_DENIED → check permissions (often a dev vs prod project issue)
 {{cli}} auth can-i --table your_table --operation SELECT --json
 
 # JOB_TIMEOUT → check status and continue waiting

{maxc_cli-0.4.2 → maxc_cli-0.4.3}/src/maxc_cli/skills/references/red-lines.md

@@ -13,7 +13,7 @@ Cross-referenced with SKILL.md §Core Principles (which lists the highest-priori
 | 1 | Always use `--json` for machine-driven work | Plain output is for humans; agents must parse the envelope |
 | 2 | Never invent table, schema, project, or endpoint names | Always verify with `meta search` / `meta list-tables` / `auth whoami` |
 | 3 | Never install or upgrade Python without explicit user confirmation | System-level change with broad impact |
-| 4 | Never re-prompt for credentials when `auth whoami` shows `authenticated=true` | Permission errors are almost always a workspace issue, not a credential issue — see SKILL.md §Dev vs Production Workspaces |
+| 4 | Never re-prompt for credentials when `auth whoami` shows `authenticated=true` | Permission errors are almost always a dev vs production project issue, not a credential issue — see SKILL.md §Dev vs Production Projects |
 | 5 | Always check partition value via `meta latest-partition` before querying partitioned tables | Hardcoded partitions go stale; format varies per table |
 | 6 | Always use schema-qualified (`schema.table`) or `project.table` names in SQL | Bare names fail across schemas/projects |
 | 7 | Never log, echo, or include AK/SK in output | Even in error context |
@@ -37,7 +37,7 @@ Cross-referenced with SKILL.md §Core Principles (which lists the highest-priori
 | Running a query without checking cost first | Use `query cost`, or `--cost-check N` to auto-abort |
 | Ignoring `agent_hints.warnings` in the response | They surface backend issues, cache staleness, cost alerts |
 | Assuming `meta describe` data is live | Cache may be stale; check `metadata.source` and warnings |
-| Using a production project name as default | See SKILL.md §Dev vs Production Workspaces |
+| Using a production project name as default | See SKILL.md §Dev vs Production Projects |
 | Querying partitioned table without partition filter | Always run `meta latest-partition` first; use the exact returned value in WHERE |
 
 ## Agent Anti-Patterns
@@ -64,7 +64,7 @@ When `status=failure`, inspect `error.code` and follow the recovery action. Alwa
 | `COLUMN_NOT_FOUND` | Column reference does not exist | Check `error.available`; run `meta describe <table> --json` |
 | `WRITE_OPERATION_REQUIRES_FORCE` | SQL DDL/DML blocked by read-only mode | Read-only is by design; use `--force` only if authorized. Does NOT apply to `data upload` (Tunnel-based write, no `--force` needed). |
 | `CSV_PARSE_ERROR` | A CSV cell could not be parsed against the column type during `data upload` | Read `error.context.line` (1-based row number, including header if present) and `error.context.column` (the column **name** as a string, not a position index) to find the bad cell; fix the source CSV and retry. The Tunnel session is aborted, nothing is committed. |
-| `PERMISSION_DENIED` | No access to the resource | Almost always dev vs production workspace — see SKILL.md §Dev vs Production Workspaces |
+| `PERMISSION_DENIED` | No access to the resource | Almost always dev vs production project issue — see SKILL.md §Dev vs Production Projects |
 | `SQL_ERROR` | SQL syntax or execution error | Fix the SQL; use `query explain` to validate first |
 | `COST_LIMIT_EXCEEDED` | Cost exceeds `--cost-check` threshold | Add partition filters, reduce columns, or raise the threshold |
 | `BACKEND_CONNECTION_ERROR` | Network or service unavailable | Retry after a delay; check endpoint with `auth whoami --json` |

{maxc_cli-0.4.2 → maxc_cli-0.4.3}/src/maxc_cli.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: maxc-cli
-Version: 0.4.2
+Version: 0.4.3
 Summary: Agent-native MaxCompute CLI for external coding agents
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.9

{maxc_cli-0.4.2 → maxc_cli-0.4.3}/src/maxc_cli.egg-info/SOURCES.txt

@@ -46,7 +46,6 @@ src/maxc_cli/skills/references/command-patterns.md
 src/maxc_cli/skills/references/json-output-format.md
 src/maxc_cli/skills/references/maxcompute-select-guide.md
 src/maxc_cli/skills/references/maxcompute-sql-notes.md
-src/maxc_cli/skills/references/migrate-from-odpscmd.md
 src/maxc_cli/skills/references/partition-guide.md
 src/maxc_cli/skills/references/red-lines.md
 src/maxc_cli/skills/references/setup-install.md
@@ -90,4 +89,5 @@ tests/test_query_auto_promote.py
 tests/test_query_result_csv_fallback.py
 tests/test_setting_parser.py
 tests/test_skill_cli_consistency.py
+tests/test_skill_eval.py
 tests/test_skill_renderer.py

{maxc_cli-0.4.2 → maxc_cli-0.4.3}/tests/test_agent_skill_commands_context.py

@@ -333,7 +333,7 @@ class TestAgentInstallSkill:
     def test_install_skill_next_step_hint(self, tmp_path):
         config = _make_config(tmp_path)
         _, payload, _ = _run_cmd(config, ["agent", "skill", "install", "claude-code", "--json"])
-        assert "/reload-plugins" in payload["data"]["next_step"]
+        assert "auto-discovered" in payload["data"]["next_step"]
 
         _, payload, _ = _run_cmd(config, ["agent", "skill", "install", "cursor", "--json"])
         assert "Restart" in payload["data"]["next_step"]

{maxc_cli-0.4.2 → maxc_cli-0.4.3}/tests/test_integration_real.py

@@ -245,14 +245,14 @@ class TestAuth:
                 "--table",
                 test_table,
                 "--operation",
-                "SELECT",
+                "Select",
                 "--json",
             ]
         )
         assert code == 0, f"命令失败: {stderr}"
         assert data["status"] == "success"
         authorization = _payload_data(data)["authorization"]
-        assert authorization["table_name"] == test_table
+        assert authorization["object_name"] == test_table
         assert "allowed" in authorization