feat(cli): support anonymous public search and install by dongmucat · Pull Request #523 · iflytek/skillhub

dongmucat · 2026-06-15T03:05:01Z

Summary

This PR consolidates the CLI anonymous public access work into one delivery PR.

What changed:

Allow anonymous CLI search and install for public, visible, active skills whose latest version is installable.
Keep authenticated requests fail-closed: invalid, empty, revoked, or missing-user Bearer tokens return 401 and do not fall back to anonymous access.
Add skillhub search --token and preserve the intended token precedence across CLI auth sources.
Align anonymous search, resolve, and download around the same latest-version installability rules: latest must exist, be published, download-ready, not yanked, and not hidden/private/archived/unpublished.
Return a clean forbidden response for anonymous private or namespace-only resolve/install paths instead of surfacing HTTP 500 when namespace role data is absent.

Prior PR Handling

This PR replaces the prior split PRs #511, #512, #514, and #515. Those PRs are closed and were not merged.

Verification

Local verification reported for this PR:

git diff --check origin/main...HEAD: passed
make cli-install: passed
make test-backend-app: passed, 535 tests / 0 failures / 0 errors
make typecheck-cli: passed
make lint-cli: passed
make test-cli: passed, 329 tests / 0 failures
make build-cli: passed

Additional gates completed:

Technical review passed.
Independent code review passed with no must-fix findings.
Human-simulated CLI QA passed with screenshots.
Focused retest confirmed anonymous private and namespace-only resolve return HTTP 403 rather than 500, and install fails closed with CLI exit code 2.
GitHub checks are green: DCO, license/cla, Docs Build, Server Unit Tests, Web Build And Test, CLI ubuntu/macos/windows, and E2E Real Services.

Notes

Branch was created from origin/main.
No merge to main was performed.
No database migration.
No web UI changes.
No controller schema change; API generation is not required.

Signed-off-by: dongmucat <1127093059@qq.com>

dongmucat · 2026-06-15T03:18:32Z

复核结论：Approved，未发现阻塞问题。说明：当前 GitHub 凭证被判定为 PR 作者，平台不允许我设置正式 Approved review，因此本结论以评论形式记录；我没有合并 main。

确认点：

feat(cli): support anonymous public search and install #523 是当前唯一 active delivery PR，fix(auth): fail closed invalid CLI bearer tokens #511/fix(cli): add token auth to search #512/fix(cli): align anonymous installability rules (ISSUE-39) #515 均已关闭且未合并；feat(cli): support anonymous public search and install #523 的文件范围覆盖了三者已审查过的 CLI、auth、domain installability、文档和测试改动。
fix(auth): fail closed invalid CLI bearer tokens #511 行为保留：Bearer token fail-closed，坏/空/格式错误/未知/用户不可用 token 在 CLI read routes 上直接 401，不降级匿名；无 Authorization 仍允许匿名公开读路径。
fix(cli): add token auth to search #512 行为保留：skillhub search --token 已纳入，token 优先级仍是 CLI 参数 > SKILLHUB_TOKEN > 本地 credentials；坏 token 的 search/install 不匿名重试，stderr 与 JSON 错误字段覆盖仍在。
fix(cli): align anonymous installability rules (ISSUE-39) #515 行为保留：匿名 search/resolve/download latest 使用一致的 latest 可安装判断，latestVersionId 指向的版本必须 PUBLISHED + downloadReady + not yanked，search 不再 fallback 旧可安装版本；负例矩阵覆盖 no latest、latest yanked、downloadReady=false、hidden/private/archived/unpublished 等场景。
未看到 publish/delete/whoami 登录要求被放宽。

验证：GitHub checks 当前全部通过，包括 DCO、license/cla、Docs Build、Server Unit Tests、Web Build And Test、CLI ubuntu/macos/windows、E2E (Real Services)。本地核对 git diff --check origin/main..origin/pr/523 通过，git diff --name-only origin/main..origin/pr/523 与预期整合文件范围一致。

非阻塞流程提示：Multica issue pull-requests 对 ISSUE-36 当前仍返回空，尽管 PR 标题/正文包含 ISSUE-36/ISSUE-42；这不是代码阻塞，但应继续作为 ISSUE-40 最终 QA 的 PR 链接项核对。

Signed-off-by: dongmucat <1127093059@qq.com>

dongmucat · 2026-06-15T09:56:17Z

复审结论：代码层面通过，未发现阻塞问题。

说明：当前 GitHub 凭证无法提交 formal approval（GitHub 返回 “Can not approve your own pull request”），因此以普通 PR 评论记录技术复审结论。

确认点：

cd4c3cee53baec2147a50960dfbb82c5642bca41 将 VisibilityChecker.canAccess 的 userNamespaceRoles == null 规范化为 Map.of()，缺失角色按空权限处理；PUBLIC、NAMESPACE_ONLY、PRIVATE、hidden/latest/super-admin 的判断边界没有放宽。
CLI resolve 路径可传入缺失的 userNsRoles；现在 private / namespace-only 匿名 resolve 会稳定返回领域拒绝，而不是 NPE 暴露 500。install 依赖 resolve 前置判断，因此同类匿名 install 也保持 fail-closed。
direct download 对非公开匿名访问仍在 SkillDownloadService 先行拒绝；本修复没有扩大匿名 download 面。
新增回归覆盖 anonymous + null roles 下 private 与 namespace-only resolve 均拒绝，能覆盖本次 500 根因。

验证：gh pr checks 523 全绿（含 E2E Real Services），git diff --check origin/main..origin/pr/523 无输出。未合并 main。

备注：ISSUE-48 的聚焦手工复测截图仍作为并行 QA 门禁等待，不影响本次代码复审结论。

dongmucat · 2026-06-16T02:25:03Z

追加独立 code review 结论：✅ 通过，未发现必须修复项。已按 PR #523 最新提交 cd4c3cee53baec2147a50960dfbb82c5642bca41 复核；未合并 main。

Checklist:

✅ 分层合规：server/skillhub-domain/pom.xml:13 未新增 infra 反向依赖；Controller 仍只做参数和响应转发，业务编排在 server/skillhub-app/src/main/java/com/iflytek/skillhub/service/cli/CliSkillAppService.java:53，领域判断在 server/skillhub-domain/src/main/java/com/iflytek/skillhub/domain/skill/service/SkillQueryService.java:546 和 server/skillhub-domain/src/main/java/com/iflytek/skillhub/domain/skill/service/SkillDownloadService.java:275。
✅ API 契约/错误码：CLI JSON 接口保持 ApiResponse 包装，下载接口在 server/skillhub-app/src/main/java/com/iflytek/skillhub/controller/cli/CliSkillController.java:69 和 :78 继续作为二进制/重定向接口豁免；invalid / empty / missing-user Bearer 在 server/skillhub-auth/src/main/java/com/iflytek/skillhub/auth/token/ApiTokenAuthenticationFilter.java:71、:78、:140 返回 401，不回退匿名。
✅ 安全/权限：公开匿名 search/install 只放开 public + active + visible + non-archived + installable latest；null namespace roles 在 server/skillhub-domain/src/main/java/com/iflytek/skillhub/domain/skill/VisibilityChecker.java:18 按空权限处理，NAMESPACE_ONLY / PRIVATE 仍在 :31、:32 fail-closed。installability 集中在 server/skillhub-domain/src/main/java/com/iflytek/skillhub/domain/skill/SkillInstallability.java:12，resolve/download 分别在 SkillQueryService.java:562、:914 和 SkillDownloadService.java:313 强制 published + downloadReady + not yanked。
✅ CLI 行为：search --token 注册在 cli/src/index.ts:224、:226，token 优先级走 cli/src/commands/search.ts:16；401/403 映射 auth exit code 在 cli/src/clients/skillhub-client.ts:153。坏 token search/install 不匿名重试由 cli/test/integration/search-command.test.ts:48、:87 和 cli/test/integration/install-command.test.ts:221 覆盖。
✅ 测试覆盖：本需求关键回归覆盖包括 server/skillhub-app/src/test/java/com/iflytek/skillhub/controller/cli/CliSkillControllerTest.java:99、server/skillhub-auth/src/test/java/com/iflytek/skillhub/auth/token/ApiTokenAuthenticationFilterTest.java:106、server/skillhub-domain/src/test/java/com/iflytek/skillhub/domain/skill/service/SkillQueryServiceTest.java:651、:834、server/skillhub-domain/src/test/java/com/iflytek/skillhub/domain/skill/service/SkillDownloadServiceTest.java:146、:369、server/skillhub-app/src/test/java/com/iflytek/skillhub/service/cli/CliSkillAppServiceTest.java:80。
✅ API drift / 前端 / i18n：本 PR 无 web 代码和 controller schema 变更；git diff --name-only HEAD -- web/src/api/generated/schema.d.ts 无输出；无 JSX 用户文案变化。
✅ 提交与 PR 状态：feat(cli): support anonymous public search and install #523 是唯一交付 PR，当前 OPEN、非 draft、base main、merge state CLEAN、head SHA 匹配；fix(auth): fail closed invalid CLI bearer tokens #511/fix(cli): add token auth to search #512/fix(compat): enforce anonymous installability rules #514/fix(cli): align anonymous installability rules (ISSUE-39) #515 均 CLOSED 且 mergedAt=null。

验证：git diff --check origin/main...HEAD 通过；make test-backend-app 通过，535 tests / 0 failures / 0 errors；make test-cli 通过，329 tests / 0 failures；make typecheck-cli 通过；GitHub checks 全绿，包括 DCO、license/cla、Docs、Server Unit Tests、Web Build And Test、CLI ubuntu/macos/windows、E2E Real Services。

dongmucat added 4 commits June 15, 2026 10:54

fix(auth): fail closed invalid cli bearer tokens

07a43c0

Signed-off-by: dongmucat <1127093059@qq.com>

fix(cli): add token auth to search

f6dc3f1

Signed-off-by: dongmucat <1127093059@qq.com>

fix(cli): align anonymous installability rules

9bc680b

Signed-off-by: dongmucat <1127093059@qq.com>

fix(cli): require installable latest in search

6953d85

Signed-off-by: dongmucat <1127093059@qq.com>

This was referenced Jun 15, 2026

fix(auth): fail closed invalid CLI bearer tokens #511

Closed

fix(cli): align anonymous installability rules (ISSUE-39) #515

Closed

fix(cli): add token auth to search #512

Closed

dongmucat mentioned this pull request Jun 15, 2026

fix(compat): enforce anonymous installability rules #514

Closed

5 tasks

fix(domain): reject anonymous restricted resolves cleanly

cd4c3ce

Signed-off-by: dongmucat <1127093059@qq.com>

dongmucat force-pushed the fix/issue-42-single-cli-pr branch from 3150e0d to cd4c3ce Compare June 15, 2026 09:27

dongmucat changed the title ~~ISSUE-36: consolidate CLI installability and token auth fixes~~ feat(cli): support anonymous public search and install Jun 16, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(cli): support anonymous public search and install#523

feat(cli): support anonymous public search and install#523
dongmucat wants to merge 5 commits into
mainfrom
fix/issue-42-single-cli-pr

dongmucat commented Jun 15, 2026 •

edited

Loading

Uh oh!

dongmucat commented Jun 15, 2026

Uh oh!

dongmucat commented Jun 15, 2026

Uh oh!

dongmucat commented Jun 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dongmucat commented Jun 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Prior PR Handling

Verification

Notes

Uh oh!

dongmucat commented Jun 15, 2026

Uh oh!

dongmucat commented Jun 15, 2026

Uh oh!

dongmucat commented Jun 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

dongmucat commented Jun 15, 2026 •

edited

Loading