Merge remote-tracking branch 'origin/main' into feat/auto-generate-skills

Author: qcq01083097

.github/workflows/ci.yml

@@ -0,0 +1,32 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  check:
+    name: lint + typecheck + test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: pnpm/action-setup@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: "22"
+          cache: pnpm
+
+      - run: pnpm install --frozen-lockfile
+
+      - run: pnpm -r --filter "./packages/*" build
+
+      - run: pnpm run check
+
+      - run: pnpm test

.github/workflows/publish.yml

@@ -0,0 +1,86 @@
+name: Publish
+
+on:
+  workflow_dispatch:
+    inputs:
+      mode:
+        description: "Publish mode"
+        required: true
+        type: choice
+        options:
+          - channel
+          - stable
+      channel:
+        description: "dist-tag (channel mode only, e.g. mcp/plugin/advisor)"
+        required: false
+        type: string
+
+concurrency:
+  group: publish-${{ inputs.mode }}-${{ inputs.channel }}
+  cancel-in-progress: false
+
+jobs:
+  publish-stable:
+    if: inputs.mode == 'stable'
+    name: publish stable to npm + tag
+    runs-on: ubuntu-latest
+    environment: production # Required Reviewers gate
+    permissions:
+      contents: write # push lightweight tag to origin
+      id-token: write # OIDC for npm Trusted Publishing + provenance
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: pnpm/action-setup@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: "24"
+          cache: pnpm
+          registry-url: "https://registry.npmjs.org/"
+
+      - name: Install gitleaks
+        run: |
+          set -euo pipefail
+          GITLEAKS_VERSION=8.21.2
+          curl -sSfL \
+            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+            | sudo tar -xz -C /usr/local/bin gitleaks
+          gitleaks version
+
+      - run: pnpm install --frozen-lockfile
+
+      - name: publish-stable
+        run: node tools/release/publish-stable.mjs
+
+  publish-channel:
+    if: inputs.mode == 'channel'
+    name: publish beta to npm
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # no tag, no Release; just publish
+      id-token: write # OIDC for npm Trusted Publishing + provenance
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: pnpm/action-setup@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: "24"
+          cache: pnpm
+          registry-url: "https://registry.npmjs.org/"
+
+      - name: Install gitleaks
+        run: |
+          set -euo pipefail
+          GITLEAKS_VERSION=8.21.2
+          curl -sSfL \
+            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+            | sudo tar -xz -C /usr/local/bin gitleaks
+          gitleaks version
+
+      - run: pnpm install --frozen-lockfile
+
+      - name: publish-channel
+        run: node tools/release/publish-channel.mjs --channel "${{ inputs.channel }}"

AGENTS.md

@@ -29,7 +29,7 @@ Skill / 命令手册不再随 npm 包发布,改由独立的 `npx add skills` 机
 
 非代码资产:
 
-- `tools/release.mjs` — 发版自动化
+- `tools/release/` — 发版自动化（CI 驱动，见 `.github/workflows/publish.yml`）
 - `tools/generate-reference.ts` — 从 `catalog.ts` 生成命令手册(临时输出到 `tools/generated/reference/`)
 - `README.md` / `README_CN.md` — npm 和 GitHub 主页
 
@@ -55,7 +55,7 @@ Skill / 命令手册不再随 npm 包发布,改由独立的 `npx add skills` 机
 | URL / 渠道变更 | 控制台域名 / 文档站 / 追踪参数               | [docs/agents/url-change.md](docs/agents/url-change.md)                   |
 | 鉴权扩展       | 加 OAuth / SSO / 换 token 来源               | [docs/agents/auth-change.md](docs/agents/auth-change.md)                 |
 | 配置项扩展     | 新 env var 或 `~/.bailian/config.json` 字段  | [docs/agents/config-add.md](docs/agents/config-add.md)                   |
-| 发版前自检     | beta / rc / 正式发布到 npm                   | [docs/agents/release.md](docs/agents/release.md)                         |
+| 发布           | channel / stable 发布到 npm（CI 驱动）       | [docs/agents/publish.md](docs/agents/publish.md)                         |
 | 工具链调整     | lint 规则 / 构建配置 / 依赖升级              | [docs/agents/lint-toolchain.md](docs/agents/lint-toolchain.md)           |
 
 如果当前任务无法对应任何场景,先按经验完成,然后**回来评估这是不是一类新场景** —— 是就新增一份 `docs/agents/<scenario>.md`,把清单沉淀下来。

CHANGELOG.md

@@ -6,6 +6,30 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and
 
 [中文版](CHANGELOG_CN.md) · [README](README.md) · [Contributing](CONTRIBUTING.md)
 
+## [1.2.0] - 2026-06-05
+
+### Added
+
+- `bl mcp` command group: `bl mcp list` to list MCP servers, `bl mcp tools <server>` to inspect available tools, and `bl mcp call <server>.<tool>` to invoke a tool with `--arg k=v` or `--json`.
+- `bl advisor recommend` — describe your task in natural language and get intelligent model recommendations ranked by fit, with context-window, pricing, and capability details.
+
+### Fixed
+
+- Image/video watermark was always on regardless of config; now respects `bl config set watermark false`.
+- Paired flags (e.g. `--watermark` / `--no-watermark`) are properly mutually exclusive.
+- Null-value flag validation no longer crashes on missing optional arguments.
+- **Security**: credentials no longer leak to on-disk logs; file permissions tightened.
+- **Security**: `base_url` / `console_gateway_url` validated as real HTTP(S) URLs.
+- **Security**: script/JS `code` fields require a string literal (blocks untrusted-code RCE).
+- **Security**: URL path segments are percent-encoded; SSE buffer is bounded.
+- **Security**: pipeline planning, pointer traversal, and concurrency hardened.
+- MCP commands now handle auth _after_ arg validation and dry-run checks.
+
+### Changed
+
+- Flag default-value text is now unified and de-duplicated across all commands.
+- Illegal/unknown flag names surface a clear error instead of silently ignoring.
+
 ## [1.1.3] - 2026-06-02
 
 ### Added

CHANGELOG_CN.md

@@ -6,6 +6,30 @@
 
 [English](CHANGELOG.md) · [README](README_CN.md) · [参与贡献](CONTRIBUTING_CN.md)
 
+## [1.2.0] - 2026-06-05
+
+### 新增
+
+- `bl mcp` 命令组：`bl mcp list` 列出 MCP 服务器，`bl mcp tools <server>` 查看可用工具，`bl mcp call <server>.<tool>` 通过 `--arg k=v` 或 `--json` 调用工具。
+- `bl advisor recommend` — 用自然语言描述任务需求，智能推荐最合适的模型，展示上下文窗口、定价及能力详情。
+
+### 修复
+
+- 图片/视频水印始终开启的问题，现在正确遵守 `bl config set watermark false` 配置。
+- 成对 flag（如 `--watermark` / `--no-watermark`）现已正确互斥。
+- 可选参数为空时 flag 校验不再崩溃。
+- **安全**：凭据不再泄漏到磁盘日志，文件权限已收紧。
+- **安全**：校验 `base_url` / `console_gateway_url` 为合法 HTTP(S) URL。
+- **安全**：script/JS `code` 字段强制为字符串字面量（阻止不可信代码 RCE）。
+- **安全**：URL 路径段已百分号编码，SSE 缓冲区设上限。
+- **安全**：流水线规划、指针遍历及并发安全加固。
+- MCP 命令现在在参数校验和 dry-run 检查之后才处理鉴权。
+
+### 变更
+
+- 所有命令的 flag 默认值文案统一并去重。
+- 非法/未知 flag 名称现在会报明确错误，而非静默忽略。
+
 ## [1.1.3] - 2026-06-02
 
 ### 新增

CONTRIBUTING.md

@@ -18,7 +18,7 @@ bailian-cli/
 │   ├── cli/              # `bailian-cli` — CLI entry, commands, UI
 │   └── core/             # `bailian-cli-core` — auth, HTTP, types
 ├── docs/agents/          # Scenario-based maintenance guides
-├── tools/                # Release & reference generation
+├── tools/                # Release automation & reference generation
 ├── AGENTS.md             # Contract for AI agents
 └── README.md
 ```

CONTRIBUTING_CN.md

@@ -18,7 +18,7 @@ bailian-cli/
 │   ├── cli/              # `bailian-cli` —— CLI 入口、命令、UI
 │   └── core/             # `bailian-cli-core` —— 鉴权、HTTP、类型
 ├── docs/agents/          # 场景化维护文档
-├── tools/                # 发版与命令手册生成
+├── tools/                # 发版自动化与命令手册生成
 ├── AGENTS.md             # AI agent 维护契约
 └── README.md
 ```

README.md

@@ -32,7 +32,9 @@ Equip your AI Agent out-of-the-box with these capabilities, composable across co
 - **Image & video understanding** — Qwen-VL: long-form video analysis, chart/document parsing, visual reasoning, multilingual OCR
 - **Knowledge base & memory** — Multimodal RAG retrieval and cross-session memory for personalized, coherent dialogue
 - **App calls** — Invoke agents and workflows already published on Aliyun Model Studio
+- **MCP integration** — Orchestrate Bailian MCP servers: list services, inspect tools, and invoke any tool directly from the terminal
 - **Web search** — Real-time internet retrieval for up-to-date, accurate answers
+- **Model recommendation** — Describe your scenario and get best-fit model suggestions; supports scoped search, model comparison, and alternative discovery
 - **Console capabilities** — Browse Bailian apps (`app list`) and check free-tier quota (`usage free`)
 - **Local file auto-upload** — Every URL parameter accepts a local path; uploaded to free temp storage with 48-hour validity
 
@@ -97,6 +99,12 @@ bl image generate --prompt "A cat in a spacesuit" --out-dir ./images/
 # Generate a video from local image
 bl video generate --image ./cat.png --prompt "Make the cat move" --download cat.mp4
 
+# Model recommendation — find the best model for your use case
+bl advisor recommend --message "I need a visual-understanding chatbot"
+
+# Compare specific models
+bl advisor recommend --message "qwen-max vs deepseek-v3 for code generation"
+
 # Browser login (required for console capability commands)
 bl auth login --console
 

README_CN.md

@@ -32,7 +32,9 @@ _专为 AI Agent 打造，每个命令均可作为结构化工具调用。_
 - **图像与视频理解** — Qwen-VL：长视频解析、复杂图表与文档识别、视觉推理、多语种 OCR
 - **知识库与记忆库** — 多模态 RAG 检索 + 跨会话记忆，提供个性化连贯对话体验
 - **应用调用** — 调用已发布在阿里云百炼平台上的智能体与工作流应用
+- **MCP 集成** — 统一调度百炼 MCP 服务：列出服务、查看工具、直接在终端调用任意工具
 - **联网搜索** — 实时互联网信息检索，提升回答准确性及时效性
+- **模型推荐** — 描述你的场景，智能推荐最适合的模型；支持限定范围搜索、模型对比和替代发现
 - **控制台能力** — 浏览百炼应用（`app list`），查询模型免费额度（`usage free`）
 - **本地文件自动上传** — 所有 URL 参数同时支持本地路径，免费临时存储 48 小时
 
@@ -92,6 +94,12 @@ bl image generate --prompt "一只穿太空服的猫在火星上" --out-dir ./im
 # 图生视频（本地文件自动上传）
 bl video generate --image ./cat.png --prompt "让画面中的猫动起来" --download cat.mp4
 
+# 模型推荐 — 根据场景推荐最适合的模型
+bl advisor recommend --message "我要做一个能理解图片的客服机器人"
+
+# 对比特定模型
+bl advisor recommend --message "qwen-max 和 deepseek-v3 哪个更适合做代码生成"
+
 # 浏览器登录（控制台能力相关命令需要）
 bl auth login --console
 

docs/agents/changelog-write.md

@@ -176,11 +176,11 @@ git show <commit> --stat
 | 版本号 bump commit 自身的 README 改动算进上个版本 | 重复 / 错位                                             |
 | 中英两份不同步                                    | 文档可信度直接崩,等同于撒谎                             |
 
-## 与 release.md 的边界
+## 与 publish.md 的边界
 
-| 文档                     | 管什么                                               |
-| ------------------------ | ---------------------------------------------------- |
-| [release.md](release.md) | 发版前自检:版本号 / 包内容 / 安全扫描 / publish 流程 |
-| 本文档                   | 发版后写说明:面向用户的 release notes                |
+| 文档                     | 管什么                                        |
+| ------------------------ | --------------------------------------------- |
+| [publish.md](publish.md) | 发布流程:自检 / 构建 / npm publish（CI 驱动） |
+| 本文档                   | 发版后写说明:面向用户的 release notes         |
 
-两者顺序:`release.md` → npm publish → 本文档(更新 `CHANGELOG.md` + `CHANGELOG_CN.md`)→ 推到 GitHub。
+两者顺序:`publish.md` → npm publish → 本文档(更新 `CHANGELOG.md` + `CHANGELOG_CN.md`)→ 推到 GitHub。