larksuite · syh-cpdsss · Apr 10, 2026 · Apr 1, 2026
diff --git a/cmd/auth/login.go b/cmd/auth/login.go
@@ -134,18 +134,7 @@ func authLoginRun(opts *LoginOptions) error {
 	// Expand --domain all to all available domains (from_meta projects + shortcut services)
 	for _, d := range selectedDomains {
 		if strings.EqualFold(d, "all") {
-			domainSet := make(map[string]bool)
-			for _, p := range registry.ListFromMetaProjects() {
-				domainSet[p] = true
-			}
-			for _, sc := range shortcuts.AllShortcuts() {
-				domainSet[sc.Service] = true
-			}
-			selectedDomains = make([]string, 0, len(domainSet))
-			for d := range domainSet {
-				selectedDomains = append(selectedDomains, d)
-			}
-			sort.Strings(selectedDomains)
+			selectedDomains = sortedKnownDomains()
 			break
 		}
 	}
@@ -451,6 +440,8 @@ func findProfileByName(multi *core.MultiAppConfig, profileName string) *core.App
 
 // collectScopesForDomains collects API scopes (from from_meta projects) and
 // shortcut scopes for the given domain names.
+// Domains with auth_domain children are automatically expanded to include
+// their children's scopes.
 func collectScopesForDomains(domains []string, identity string) []string {
 	scopeSet := make(map[string]bool)
 
@@ -459,11 +450,16 @@ func collectScopesForDomains(domains []string, identity string) []string {
 		scopeSet[s] = true
 	}
 
-	// 2. Shortcut scopes matching by Service (only include shortcuts supporting the identity)
+	// 2. Expand domains: include auth_domain children
 	domainSet := make(map[string]bool, len(domains))
 	for _, d := range domains {
 		domainSet[d] = true
+		for _, child := range registry.GetAuthChildren(d) {
+			domainSet[child] = true
+		}
 	}
+
+	// 3. Shortcut scopes matching by Service (only include shortcuts supporting the identity)
 	for _, sc := range shortcuts.AllShortcuts() {
 		if domainSet[sc.Service] && shortcutSupportsIdentity(sc, identity) {
 			for _, s := range sc.ScopesForIdentity(identity) {
@@ -472,7 +468,7 @@ func collectScopesForDomains(domains []string, identity string) []string {
 		}
 	}
 
-	// 3. Deduplicate and sort
+	// 4. Deduplicate and sort
 	result := make([]string, 0, len(scopeSet))
 	for s := range scopeSet {
 		result = append(result, s)
@@ -481,14 +477,20 @@ func collectScopesForDomains(domains []string, identity string) []string {
 	return result
 }
 
-// allKnownDomains returns all valid domain names (from_meta projects + shortcut services).
+// allKnownDomains returns all valid auth domain names (from_meta projects +
+// shortcut services), excluding domains that have auth_domain set (they are
+// folded into their parent domain).
 func allKnownDomains() map[string]bool {
 	domains := make(map[string]bool)
 	for _, p := range registry.ListFromMetaProjects() {
-		domains[p] = true
+		if !registry.HasAuthDomain(p) {
+			domains[p] = true
+		}
 	}
 	for _, sc := range shortcuts.AllShortcuts() {
-		domains[sc.Service] = true
+		if !registry.HasAuthDomain(sc.Service) {
+			domains[sc.Service] = true
+		}
 	}
 	return domains
 }

diff --git a/cmd/auth/login_interactive.go b/cmd/auth/login_interactive.go
@@ -34,8 +34,12 @@ func getDomainMetadata(lang string) []domainMeta {
 	seen := make(map[string]bool)
 	var domains []domainMeta
 
-	// 1. Domains from from_meta projects
+	// 1. Domains from from_meta projects (skip domains with auth_domain)
 	for _, project := range registry.ListFromMetaProjects() {
+		if registry.HasAuthDomain(project) {
+			seen[project] = true
+			continue
+		}
 		dm := buildDomainMeta(project, lang)
 		domains = append(domains, dm)
 		seen[project] = true
@@ -52,13 +56,14 @@ func getDomainMetadata(lang string) []domainMeta {
 	}
 
 	// 3. Auto-discover remaining shortcut services that are listed as shortcut-only domains
+	//    (skip domains with auth_domain — they are folded into their parent)
 	shortcutOnlySet := make(map[string]bool)
 	for _, n := range shortcutOnlyNames {
 		shortcutOnlySet[n] = true
 	}
 	for _, sc := range shortcuts.AllShortcuts() {
 		if !seen[sc.Service] {
-			if shortcutOnlySet[sc.Service] {
+			if shortcutOnlySet[sc.Service] && !registry.HasAuthDomain(sc.Service) {
 				dm := buildDomainMeta(sc.Service, lang)
 				domains = append(domains, dm)
 			}

diff --git a/cmd/auth/login_test.go b/cmd/auth/login_test.go
@@ -903,3 +903,37 @@ func TestGetDomainMetadata_ExcludesEvent(t *testing.T) {
 		}
 	}
 }
+
+func TestAllKnownDomains_ExcludesAuthDomainChildren(t *testing.T) {
+	domains := allKnownDomains()
+	if domains["whiteboard"] {
+		t.Error("whiteboard should not appear in known auth domains (it has auth_domain=docs)")
+	}
+	if !domains["docs"] {
+		t.Error("docs should still be a known auth domain")
+	}
+}
+
+func TestCollectScopesForDomains_ExpandsAuthDomainChildren(t *testing.T) {
+	scopes := collectScopesForDomains([]string{"docs"}, "user")
+	// docs domain should include whiteboard shortcut scopes (board:whiteboard:*)
+	found := false
+	for _, s := range scopes {
+		if strings.HasPrefix(s, "board:whiteboard:") {
+			found = true
+			break
+		}
+	}
+	if !found {
+		t.Error("collectScopesForDomains([docs]) should include whiteboard scopes (board:whiteboard:*)")
+	}
+}
+
+func TestGetDomainMetadata_ExcludesAuthDomainChildren(t *testing.T) {
+	domains := getDomainMetadata("zh")
+	for _, dm := range domains {
+		if dm.Name == "whiteboard" {
+			t.Error("whiteboard should not appear in interactive domain list (has auth_domain=docs)")
+		}
+	}
+}
diff --git a/internal/registry/registry_test.go b/internal/registry/registry_test.go
@@ -564,3 +564,54 @@ func TestCollectScopesForProjects_NonexistentProject(t *testing.T) {
 		t.Errorf("expected empty scopes for nonexistent project, got %d", len(scopes))
 	}
 }
+
+// --- auth_domain functions ---
+
+func TestGetAuthDomain_Configured(t *testing.T) {
+	// whiteboard has auth_domain: "docs" in service_descriptions.json
+	if got := GetAuthDomain("whiteboard"); got != "docs" {
+		t.Errorf("GetAuthDomain(whiteboard) = %q, want %q", got, "docs")
+	}
+}
+
+func TestGetAuthDomain_NotConfigured(t *testing.T) {
+	if got := GetAuthDomain("calendar"); got != "" {
+		t.Errorf("GetAuthDomain(calendar) = %q, want empty", got)
+	}
+}
+
+func TestGetAuthDomain_Unknown(t *testing.T) {
+	if got := GetAuthDomain("nonexistent_xyz"); got != "" {
+		t.Errorf("GetAuthDomain(nonexistent_xyz) = %q, want empty", got)
+	}
+}
+
+func TestHasAuthDomain(t *testing.T) {
+	if !HasAuthDomain("whiteboard") {
+		t.Error("HasAuthDomain(whiteboard) = false, want true")
+	}
+	if HasAuthDomain("calendar") {
+		t.Error("HasAuthDomain(calendar) = true, want false")
+	}
+}
+
+func TestGetAuthChildren(t *testing.T) {
+	children := GetAuthChildren("docs")
+	found := false
+	for _, c := range children {
+		if c == "whiteboard" {
+			found = true
+			break
+		}
+	}
+	if !found {
+		t.Errorf("GetAuthChildren(docs) = %v, want to contain 'whiteboard'", children)
+	}
+}
+
+func TestGetAuthChildren_NoChildren(t *testing.T) {
+	children := GetAuthChildren("calendar")
+	if len(children) != 0 {
+		t.Errorf("GetAuthChildren(calendar) = %v, want empty", children)
+	}
+}
diff --git a/internal/registry/service_desc.go b/internal/registry/service_desc.go
@@ -19,8 +19,9 @@ type serviceDescLocale struct {
 
 // serviceDescEntry holds bilingual descriptions for a service domain.
 type serviceDescEntry struct {
-	En serviceDescLocale `json:"en"`
-	Zh serviceDescLocale `json:"zh"`
+	En         serviceDescLocale `json:"en"`
+	Zh         serviceDescLocale `json:"zh"`
+	AuthDomain string            `json:"auth_domain,omitempty"`
 }
 
 var serviceDescMap map[string]serviceDescEntry
@@ -76,3 +77,31 @@ func GetServiceDetailDescription(name, lang string) string {
 	}
 	return loc.Description
 }
+
+// GetAuthDomain returns the auth_domain for a service, or "" if not set.
+// When auth_domain is set, the service's scopes are collected under the
+// parent domain during auth login.
+func GetAuthDomain(service string) string {
+	m := loadServiceDescriptions()
+	if entry, ok := m[service]; ok {
+		return entry.AuthDomain
+	}
+	return ""
+}
+
+// HasAuthDomain reports whether the service has an auth_domain configured.
+func HasAuthDomain(service string) bool {
+	return GetAuthDomain(service) != ""
+}
+
+// GetAuthChildren returns all service names whose auth_domain equals parent.
+func GetAuthChildren(parent string) []string {
+	m := loadServiceDescriptions()
+	var children []string
+	for name, entry := range m {
+		if entry.AuthDomain == parent {
+			children = append(children, name)
+		}
+	}
+	return children
+}
diff --git a/internal/registry/service_descriptions.json b/internal/registry/service_descriptions.json
@@ -53,7 +53,8 @@
   },
   "whiteboard": {
     "en": { "title": "Whiteboard", "description": "Create and edit boards" },
-    "zh": { "title": "画板", "description": "画板创建、编辑" }
+    "zh": { "title": "画板", "description": "画板创建、编辑" },
+    "auth_domain": "docs"
   },
   "wiki": {
     "en": { "title": "Wiki", "description": "Wiki space and node management" },

diff --git a/shortcuts/whiteboard/shortcuts.go b/shortcuts/whiteboard/shortcuts.go
@@ -11,12 +11,15 @@ import (
 func Shortcuts() []common.Shortcut {
 	return []common.Shortcut{
 		WhiteboardUpdate,
+		WhiteboardUpdateOld,
+		WhiteboardQuery,
 	}
 }
 
 type WbCliOutput struct {
-	Code int `json:"code"`
-	Data WbCliOutputData
+	Code     int `json:"code"`
+	Data     WbCliOutputData
+	RawNodes []interface{} `json:"nodes"` // 从 whiteboard-cli -t openapi 输出的原始请求格式
 }
 
 type WbCliOutputData struct {