feat: SkillHub CLI — Agent Skills 包管理工具

.gitignore

@@ -1,6 +1,7 @@
 # OS files
 .DS_Store
 Thumbs.db
+.nfs*
 
 # Editors / IDEs / local tooling
 .claude/
@@ -14,6 +15,7 @@ Thumbs.db
 *.iml
 *.swp
 *.swo
+*.code-workspace
 
 # Logs
 *.log
@@ -86,3 +88,7 @@ CLAUDE.md
 
 # Local config file
 .mcp.json
+
+# Local scripts (personal utilities)
+scripts/notify-feishu.sh
+scripts/release-cli.sh

server/skillhub-app/src/main/java/com/iflytek/skillhub/controller/TokenController.java

@@ -41,12 +41,12 @@ public ApiResponse<TokenCreateResponse> create(
             @Valid @RequestBody TokenCreateRequest request) {
         String scopeJson;
         if (request.scopes() == null || request.scopes().isEmpty()) {
-            scopeJson = "[\"skill:read\",\"skill:publish\"]";
+            scopeJson = "[\"skill:read\",\"skill:publish\",\"skill:manage\"]";
         } else {
             try {
                 scopeJson = objectMapper.writeValueAsString(request.scopes());
             } catch (JsonProcessingException e) {
-                scopeJson = "[\"skill:read\",\"skill:publish\"]";
+                scopeJson = "[\"skill:read\",\"skill:publish\",\"skill:manage\"]";
             }
         }
 

server/skillhub-app/src/main/java/com/iflytek/skillhub/controller/admin/AdminAuditorController.java

@@ -0,0 +1,35 @@
+package com.iflytek.skillhub.controller.admin;
+
+import com.iflytek.skillhub.controller.BaseApiController;
+import com.iflytek.skillhub.dto.ApiResponse;
+import com.iflytek.skillhub.dto.ApiResponseFactory;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * Auditor-specific endpoints for read-only access to platform data.
+ * AUDITOR role can view all data for compliance and auditing purposes.
+ */
+@RestController
+@RequestMapping("/api/v1/admin/auditor")
+public class AdminAuditorController extends BaseApiController {
+
+    public AdminAuditorController(ApiResponseFactory responseFactory) {
+        super(responseFactory);
+    }
+
+    // TODO: Implement auditor-specific endpoints
+    // Examples:
+    // - GET /all-skills - View all skills including hidden
+    // - GET /review-history - View review history
+    // - GET /user-activity - View user activity logs
+    // - GET /statistics - View platform statistics
+
+    @GetMapping("/status")
+    @PreAuthorize("hasAnyRole('AUDITOR', 'SUPER_ADMIN')")
+    public ApiResponse<String> getStatus() {
+        return ok("response.success", "Auditor API is ready. More endpoints coming soon.");
+    }
+}

server/skillhub-app/src/main/java/com/iflytek/skillhub/controller/admin/AdminSkillController.java

@@ -33,12 +33,12 @@ public AdminSkillController(ApiResponseFactory responseFactory,
     }
 
     @PostMapping("/{skillId}/hide")
-    @PreAuthorize("hasRole('SUPER_ADMIN')")
+    @PreAuthorize("hasAnyRole('SKILL_ADMIN', 'SUPER_ADMIN')")
     public ApiResponse<AdminSkillMutationResponse> hideSkill(@PathVariable Long skillId,
                                                              @RequestBody(required = false) AdminSkillActionRequest request,
                                                              @AuthenticationPrincipal PlatformPrincipal principal,
                                                              HttpServletRequest httpRequest) {
-        var skill = skillGovernanceService.hideSkill(
+        var skill = skillGovernanceService.hideSkillAsAdmin(
             skillId,
             principal.userId(),
             httpRequest.getRemoteAddr(),
@@ -49,11 +49,11 @@ public ApiResponse<AdminSkillMutationResponse> hideSkill(@PathVariable Long skil
     }
 
     @PostMapping("/{skillId}/unhide")
-    @PreAuthorize("hasRole('SUPER_ADMIN')")
+    @PreAuthorize("hasAnyRole('SKILL_ADMIN', 'SUPER_ADMIN')")
     public ApiResponse<AdminSkillMutationResponse> unhideSkill(@PathVariable Long skillId,
                                                                @AuthenticationPrincipal PlatformPrincipal principal,
                                                                HttpServletRequest httpRequest) {
-        var skill = skillGovernanceService.unhideSkill(
+        var skill = skillGovernanceService.unhideSkillAsAdmin(
             skillId,
             principal.userId(),
             httpRequest.getRemoteAddr(),

server/skillhub-app/src/main/java/com/iflytek/skillhub/controller/portal/SkillDeleteController.java

@@ -32,7 +32,7 @@ public SkillDeleteController(SkillDeleteAppService skillDeleteAppService,
     }
 
     @DeleteMapping("/id/{skillId}")
-    @PreAuthorize("hasRole('SUPER_ADMIN')")
+    @PreAuthorize("hasAnyRole('SKILL_ADMIN', 'SUPER_ADMIN')")
     public ApiResponse<SkillDeleteResponse> deleteSkillById(@PathVariable Long skillId,
                                                             @AuthenticationPrincipal PlatformPrincipal principal,
                                                             HttpServletRequest request) {
@@ -50,7 +50,7 @@ public ApiResponse<SkillDeleteResponse> deleteSkillById(@PathVariable Long skill
     }
 
     @DeleteMapping("/{namespace}/{slug}")
-    @PreAuthorize("hasRole('SUPER_ADMIN')")
+    @PreAuthorize("hasAnyRole('SKILL_ADMIN', 'SUPER_ADMIN')")
     public ApiResponse<SkillDeleteResponse> deleteSkill(@PathVariable String namespace,
                                                         @PathVariable String slug,
                                                         @RequestParam(required = false) String ownerId,

server/skillhub-app/src/main/java/com/iflytek/skillhub/controller/portal/SkillLifecycleController.java

@@ -14,6 +14,7 @@
 import jakarta.validation.Valid;
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.Map;
+import java.util.Set;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -44,6 +45,7 @@ public ApiResponse<SkillLifecycleMutationResponse> archiveSkill(@PathVariable St
                                                                     @RequestBody(required = false) AdminSkillActionRequest request,
                                                                     @RequestAttribute("userId") String userId,
                                                                     @RequestAttribute(value = "userNsRoles", required = false) Map<Long, NamespaceRole> userNsRoles,
+                                                                    @RequestAttribute(value = "platformRoles", required = false) Set<String> platformRoles,
                                                                     HttpServletRequest httpRequest) {
         return ok("response.success.updated",
                 governanceWorkflowAppService.archiveSkill(
@@ -52,6 +54,7 @@ public ApiResponse<SkillLifecycleMutationResponse> archiveSkill(@PathVariable St
                         request,
                         userId,
                         userNsRoles,
+                        platformRoles,
                         AuditRequestContext.from(httpRequest)));
     }
 
@@ -60,13 +63,15 @@ public ApiResponse<SkillLifecycleMutationResponse> unarchiveSkill(@PathVariable
                                                                       @PathVariable String slug,
                                                                       @RequestAttribute("userId") String userId,
                                                                       @RequestAttribute(value = "userNsRoles", required = false) Map<Long, NamespaceRole> userNsRoles,
+                                                                      @RequestAttribute(value = "platformRoles", required = false) Set<String> platformRoles,
                                                                       HttpServletRequest httpRequest) {
         return ok("response.success.updated",
                 governanceWorkflowAppService.unarchiveSkill(
                         namespace,
                         slug,
                         userId,
                         userNsRoles,
+                        platformRoles,
                         AuditRequestContext.from(httpRequest)));
     }
 
@@ -76,6 +81,7 @@ public ApiResponse<SkillLifecycleMutationResponse> deleteVersion(@PathVariable S
                                                                      @PathVariable String version,
                                                                      @RequestAttribute("userId") String userId,
                                                                      @RequestAttribute(value = "userNsRoles", required = false) Map<Long, NamespaceRole> userNsRoles,
+                                                                     @RequestAttribute(value = "platformRoles", required = false) Set<String> platformRoles,
                                                                      HttpServletRequest httpRequest) {
         return ok("response.success.deleted",
                 governanceWorkflowAppService.deleteVersion(
@@ -84,6 +90,7 @@ public ApiResponse<SkillLifecycleMutationResponse> deleteVersion(@PathVariable S
                         version,
                         userId,
                         userNsRoles,
+                        platformRoles,
                         AuditRequestContext.from(httpRequest)));
     }
 
@@ -141,11 +148,11 @@ public ApiResponse<SkillLifecycleMutationResponse> submitForReview(@PathVariable
 
     @PostMapping("/{namespace}/{slug}/confirm-publish")
     public ApiResponse<SkillLifecycleMutationResponse> confirmPublish(@PathVariable String namespace,
-                                                                       @PathVariable String slug,
-                                                                       @Valid @RequestBody ConfirmPublishRequest request,
-                                                                       @RequestAttribute("userId") String userId,
-                                                                       @RequestAttribute(value = "userNsRoles", required = false) Map<Long, NamespaceRole> userNsRoles,
-                                                                       HttpServletRequest httpRequest) {
+                                                                        @PathVariable String slug,
+                                                                        @Valid @RequestBody ConfirmPublishRequest request,
+                                                                        @RequestAttribute("userId") String userId,
+                                                                        @RequestAttribute(value = "userNsRoles", required = false) Map<Long, NamespaceRole> userNsRoles,
+                                                                        HttpServletRequest httpRequest) {
         return ok("response.success.updated",
                 governanceWorkflowAppService.confirmPublish(
                         namespace,
@@ -155,4 +162,40 @@ public ApiResponse<SkillLifecycleMutationResponse> confirmPublish(@PathVariable
                         userNsRoles,
                         AuditRequestContext.from(httpRequest)));
     }
+
+    @PostMapping("/{namespace}/{slug}/hide")
+    public ApiResponse<SkillLifecycleMutationResponse> hideSkill(@PathVariable String namespace,
+                                                                 @PathVariable String slug,
+                                                                 @RequestBody(required = false) AdminSkillActionRequest request,
+                                                                 @RequestAttribute("userId") String userId,
+                                                                 @RequestAttribute(value = "userNsRoles", required = false) Map<Long, NamespaceRole> userNsRoles,
+                                                                 @RequestAttribute(value = "platformRoles", required = false) Set<String> platformRoles,
+                                                                 HttpServletRequest httpRequest) {
+        return ok("response.success.updated",
+                governanceWorkflowAppService.hideSkill(
+                        namespace,
+                        slug,
+                        request,
+                        userId,
+                        userNsRoles,
+                        platformRoles,
+                        AuditRequestContext.from(httpRequest)));
+    }
+
+    @PostMapping("/{namespace}/{slug}/unhide")
+    public ApiResponse<SkillLifecycleMutationResponse> unhideSkill(@PathVariable String namespace,
+                                                                   @PathVariable String slug,
+                                                                   @RequestAttribute("userId") String userId,
+                                                                   @RequestAttribute(value = "userNsRoles", required = false) Map<Long, NamespaceRole> userNsRoles,
+                                                                   @RequestAttribute(value = "platformRoles", required = false) Set<String> platformRoles,
+                                                                   HttpServletRequest httpRequest) {
+        return ok("response.success.updated",
+                governanceWorkflowAppService.unhideSkill(
+                        namespace,
+                        slug,
+                        userId,
+                        userNsRoles,
+                        platformRoles,
+                        AuditRequestContext.from(httpRequest)));
+    }
 }

server/skillhub-app/src/main/java/com/iflytek/skillhub/controller/portal/SkillRatingController.java

@@ -1,20 +1,16 @@
 package com.iflytek.skillhub.controller.portal;
 
-import com.iflytek.skillhub.auth.rbac.PlatformPrincipal;
 import com.iflytek.skillhub.controller.BaseApiController;
+import com.iflytek.skillhub.domain.shared.exception.DomainForbiddenException;
 import com.iflytek.skillhub.dto.ApiResponse;
 import com.iflytek.skillhub.dto.ApiResponseFactory;
 import com.iflytek.skillhub.dto.SkillRatingRequest;
 import com.iflytek.skillhub.dto.SkillRatingStatusResponse;
 import com.iflytek.skillhub.domain.social.SkillRatingService;
 import jakarta.validation.Valid;
-import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.web.bind.annotation.*;
 import java.util.Optional;
 
-/**
- * Endpoints for reading and mutating the current user's rating on a skill.
- */
 @RestController
 @RequestMapping({"/api/v1/skills", "/api/web/skills"})
 public class SkillRatingController extends BaseApiController {
@@ -31,19 +27,22 @@ public SkillRatingController(ApiResponseFactory responseFactory,
     public ApiResponse<Void> rateSkill(
             @PathVariable Long skillId,
             @Valid @RequestBody SkillRatingRequest request,
-            @AuthenticationPrincipal PlatformPrincipal principal) {
-        skillRatingService.rate(skillId, principal.userId(), request.score());
+            @RequestAttribute("userId") String userId) {
+        if (userId == null) {
+            throw new DomainForbiddenException("error.auth.required");
+        }
+        skillRatingService.rate(skillId, userId, request.score());
         return ok("response.success.updated", null);
     }
 
     @GetMapping("/{skillId}/rating")
     public ApiResponse<SkillRatingStatusResponse> getUserRating(
             @PathVariable Long skillId,
-            @AuthenticationPrincipal PlatformPrincipal principal) {
-        if (principal == null) {
+            @RequestAttribute(value = "userId", required = false) String userId) {
+        if (userId == null) {
             return ok("response.success.read", new SkillRatingStatusResponse((short) 0, false));
         }
-        Optional<Short> rating = skillRatingService.getUserRating(skillId, principal.userId());
+        Optional<Short> rating = skillRatingService.getUserRating(skillId, userId);
         return ok(
                 "response.success.read",
                 new SkillRatingStatusResponse(

server/skillhub-app/src/main/java/com/iflytek/skillhub/controller/portal/SkillStarController.java

@@ -1,16 +1,12 @@
 package com.iflytek.skillhub.controller.portal;
 
-import com.iflytek.skillhub.auth.rbac.PlatformPrincipal;
 import com.iflytek.skillhub.controller.BaseApiController;
+import com.iflytek.skillhub.domain.shared.exception.DomainForbiddenException;
 import com.iflytek.skillhub.dto.ApiResponse;
 import com.iflytek.skillhub.dto.ApiResponseFactory;
 import com.iflytek.skillhub.domain.social.SkillStarService;
-import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.web.bind.annotation.*;
 
-/**
- * Endpoints for starring, unstarring, and checking star state on a skill.
- */
 @RestController
 @RequestMapping({"/api/v1/skills", "/api/web/skills"})
 public class SkillStarController extends BaseApiController {
@@ -26,27 +22,33 @@ public SkillStarController(ApiResponseFactory responseFactory,
     @PutMapping("/{skillId}/star")
     public ApiResponse<Void> starSkill(
             @PathVariable Long skillId,
-            @AuthenticationPrincipal PlatformPrincipal principal) {
-        skillStarService.star(skillId, principal.userId());
+            @RequestAttribute("userId") String userId) {
+        if (userId == null) {
+            throw new DomainForbiddenException("error.auth.required");
+        }
+        skillStarService.star(skillId, userId);
         return ok("response.success.updated", null);
     }
 
     @DeleteMapping("/{skillId}/star")
     public ApiResponse<Void> unstarSkill(
             @PathVariable Long skillId,
-            @AuthenticationPrincipal PlatformPrincipal principal) {
-        skillStarService.unstar(skillId, principal.userId());
+            @RequestAttribute("userId") String userId) {
+        if (userId == null) {
+            throw new DomainForbiddenException("error.auth.required");
+        }
+        skillStarService.unstar(skillId, userId);
         return ok("response.success.updated", null);
     }
 
     @GetMapping("/{skillId}/star")
     public ApiResponse<Boolean> checkStarred(
             @PathVariable Long skillId,
-            @AuthenticationPrincipal PlatformPrincipal principal) {
-        if (principal == null) {
+            @RequestAttribute(value = "userId", required = false) String userId) {
+        if (userId == null) {
             return ok("response.success.read", false);
         }
-        boolean starred = skillStarService.isStarred(skillId, principal.userId());
+        boolean starred = skillStarService.isStarred(skillId, userId);
         return ok("response.success.read", starred);
     }
 }

server/skillhub-app/src/main/java/com/iflytek/skillhub/security/ApiAccessDeniedHandler.java

@@ -38,12 +38,15 @@ public ApiAccessDeniedHandler(ObjectMapper objectMapper,
     public void handle(HttpServletRequest request,
                        HttpServletResponse response,
                        AccessDeniedException accessDeniedException) throws IOException {
-        logger.info(
-                "Forbidden API request [requestId={}, method={}, path={}, reason={}]",
+        String userId = request.getAttribute("userId") != null ? request.getAttribute("userId").toString() : "anonymous";
+        logger.warn(
+                "Forbidden API request [requestId={}, method={}, path={}, userId={}, reason={}, message={}]",
                 MDC.get("requestId"),
                 request.getMethod(),
                 sensitiveLogSanitizer.sanitizeRequestTarget(request),
-                accessDeniedException.getClass().getSimpleName()
+                userId,
+                accessDeniedException.getClass().getSimpleName(),
+                accessDeniedException.getMessage()
         );
         ApiResponse<Void> body = apiResponseFactory.error(403, "error.forbidden");
         response.setStatus(HttpServletResponse.SC_FORBIDDEN);