[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-74634":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":23,"hasPages":23,"topics":25,"createdAt":10,"pushedAt":10,"updatedAt":26,"readmeContent":27,"aiSummary":28,"trendingCount":16,"starSnapshotCount":16,"syncStatus":29,"lastSyncTime":30,"discoverSource":31},74634,"dingtalk-workspace-cli","DingTalk-Real-AI\u002Fdingtalk-workspace-cli","DingTalk-Real-AI","DingTalk Workspace is an officially open-sourced cross-platform CLI tool from DingTalk. It unifies DingTalk’s full suite of product capabilities into a single package, is designed for both human users and AI agent scenarios.","",null,"Go",2163,135,19,70,0,46,127,414,138,28.4,"Apache License 2.0",false,"main",[],"2026-06-12 02:03:26","\u003Ch1 align=\"center\">DingTalk Workspace CLI (dws)\u003C\u002Fh1>\n\n\u003Cp align=\"center\">\u003Ccode>dws\u003C\u002Fcode> — DingTalk Workspace on the command line, built for humans and AI agents.\u003C\u002Fp>\n\n\u003Cp align=\"center\">\n  \u003Cimg src=\"https:\u002F\u002Fimg.alicdn.com\u002Fimgextra\u002Fi1\u002FO1CN01oKAc2r28jOyyspcQt_!!6000000007968-2-tps-4096-1701.png\" alt=\"DWS Product Overview\" width=\"100%\">\n\u003C\u002Fp>\n\n\u003Cp align=\"center\">\n  \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FGo-1.25+-green?logo=go&logoColor=white\" alt=\"Go 1.25+\">\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FDingTalk-Real-AI\u002Fdingtalk-workspace-cli\u002Fblob\u002Fmain\u002FLICENSE\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-Apache_2.0-blue\" alt=\"License Apache-2.0\">\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FDingTalk-Real-AI\u002Fdingtalk-workspace-cli\u002Freleases\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fv\u002Frelease\u002FDingTalk-Real-AI\u002Fdingtalk-workspace-cli?color=red&label=release\" alt=\"Latest Release\">\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FDingTalk-Real-AI\u002Fdingtalk-workspace-cli\u002Factions\u002Fworkflows\u002Fci.yml\">\u003Cimg src=\"https:\u002F\u002Fgithub.com\u002FDingTalk-Real-AI\u002Fdingtalk-workspace-cli\u002Factions\u002Fworkflows\u002Fci.yml\u002Fbadge.svg\" alt=\"CI\">\u003C\u002Fa>\n  \u003Cimg src=\".github\u002Fbadges\u002Fcoverage.svg\" alt=\"Coverage\">\n\u003C\u002Fp>\n\n\u003Cp align=\"center\">\n  \u003Ca href=\".\u002FREADME_zh.md\">中文版\u003C\u002Fa> · \u003Ca href=\".\u002FREADME.md\">English\u003C\u002Fa> · \u003Ca href=\".\u002Fdocs\u002Freference.md\">Reference\u003C\u002Fa> · \u003Ca href=\".\u002FCHANGELOG.md\">Changelog\u003C\u002Fa>\n\u003C\u002Fp>\n\n> [!IMPORTANT]\n> **Co-creation Phase**: This project accesses DingTalk enterprise data and requires enterprise admin authorization. Join the DingTalk DWS co-creation group for support and updates. See [Getting Started](#getting-started) below.\n>\n> \u003Cimg src=\"https:\u002F\u002Fimg.alicdn.com\u002Fimgextra\u002Fi1\u002FO1CN01WJyAsJ1prD2ovQACM_!!6000000005413-2-tps-718-720.png\" alt=\"dws Open Source Community DingTalk Group QR Code\" width=\"150\">\n\n\u003Cdetails>\n\u003Csummary>\u003Cstrong>Table of Contents\u003C\u002Fstrong>\u003C\u002Fsummary>\n\n- [Why dws?](#why-dws)\n- [Installation](#installation)\n- [Upgrade](#upgrade)\n- [Getting Started](#getting-started)\n- [Quick Start](#quick-start)\n- [Using with Agents](#using-with-agents)\n- [Features](#features)\n- [Key Services](#key-services)\n- [Security by Design](#security-by-design)\n- [Reference & Docs](#reference--docs)\n- [Contributing](#contributing)\n\n\u003C\u002Fdetails>\n\n\n---\n\n\u003Ch2 id=\"why-dws\">Why dws?\u003C\u002Fh2>\n\n- **For humans** — `--help` for usage, `--dry-run` to preview requests, `-f table\u002Fjson\u002Fraw` for output formats.\n- **For AI agents** — structured JSON responses + built-in Agent Skills, ready out of the box.\n- **For enterprise admins** — zero-trust architecture: OAuth device-flow auth + domain allowlisting + least-privilege scoping. **Not a single byte can bypass authentication and audit.**\n\n## Installation\n\n**macOS \u002F Linux:**\n\n```bash\ncurl -fsSL https:\u002F\u002Fraw.githubusercontent.com\u002FDingTalk-Real-AI\u002Fdingtalk-workspace-cli\u002Fmain\u002Fscripts\u002Finstall.sh | sh\n```\n\n**Windows (PowerShell):**\n\n```powershell\nirm https:\u002F\u002Fraw.githubusercontent.com\u002FDingTalk-Real-AI\u002Fdingtalk-workspace-cli\u002Fmain\u002Fscripts\u002Finstall.ps1 | iex\n```\n\n\u003Cdetails>\n\u003Csummary>Other install methods\u003C\u002Fsummary>\n\n**npm** (requires Node.js (npm\u002Fnpx)):\n\n```bash\nnpm install -g dingtalk-workspace-cli\n```\n\n**Pre-built binary**: download from [GitHub Releases](https:\u002F\u002Fgithub.com\u002FDingTalk-Real-AI\u002Fdingtalk-workspace-cli\u002Freleases).\n\n> **macOS users**: If you see \"cannot be opened because Apple cannot check it for malicious software\", run:\n> ```bash\n> xattr -d com.apple.quarantine \u002Fpath\u002Fto\u002Fdws\n> ```\n\n**Build from source**:\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002FDingTalk-Real-AI\u002Fdingtalk-workspace-cli.git\ncd dingtalk-workspace-cli\ngo build -o dws .\u002Fcmd       # build to current directory\ncp dws ~\u002F.local\u002Fbin\u002F         # install to PATH\n```\n\n> Requires Go 1.25+. Use `make package` to cross-compile for all platforms (macOS \u002F Linux \u002F Windows x amd64 \u002F arm64).\n\n\u003C\u002Fdetails>\n\n## Upgrade\n\n> Requires **v1.0.7** or later. For earlier versions, please re-run the [install script](#installation) to upgrade.\n\ndws has built-in self-upgrade capability. Updates are pulled directly from [GitHub Releases](https:\u002F\u002Fgithub.com\u002FDingTalk-Real-AI\u002Fdingtalk-workspace-cli\u002Freleases) with SHA256 integrity verification and automatic backup.\n\n```bash\ndws upgrade                    # interactive upgrade to latest version\ndws upgrade --check            # check for new versions without installing\ndws upgrade --list             # list all available versions\ndws upgrade --version v1.0.7   # upgrade to a specific version\ndws upgrade --rollback         # rollback to the previous version\ndws upgrade -y                 # skip confirmation prompt\n```\n\n\u003Cdetails>\n\u003Csummary>\u003Cstrong>How it works\u003C\u002Fstrong>\u003C\u002Fsummary>\n\nThe upgrade process follows a two-phase atomic flow to ensure consistency:\n\n1. **Prepare** — downloads the platform-specific binary and skill packages to a temporary directory, verifies SHA256 checksums, and extracts\u002Fvalidates all files. If any step fails, the upgrade aborts without modifying the existing installation.\n2. **Apply** — only after all preparations succeed, the binary is replaced and skill packages are installed to all detected agent directories (`~\u002F.agents\u002Fskills\u002Fdws`, `~\u002F.claude\u002Fskills\u002Fdws`, `~\u002F.cursor\u002Fskills\u002Fdws`, etc.).\n\nA backup of the current version is automatically created before each upgrade. Use `dws upgrade --rollback` to restore the previous version if needed.\n\n| Flag | Description |\n|------|-------------|\n| `--check` | Check for updates without installing |\n| `--list` | List all available versions with changelogs |\n| `--version` | Upgrade to a specific version (e.g. `v1.0.7`) |\n| `--rollback` | Rollback to the previous backed-up version |\n| `--force` | Force reinstall even if already on the latest version |\n| `--skip-skills` | Skip skill package update |\n| `-y` | Skip confirmation prompt |\n\n\u003C\u002Fdetails>\n\n## Getting Started\n\n```bash\ndws auth login            # browser opens automatically\ndws auth login --device   # for headless environments (Docker, SSH, CI)\n```\n\nSelect your organization and authorize. That's it.\n\n> If your organization hasn't enabled CLI access, you'll be prompted to send an access request to your admin. Once approved, re-run `dws auth login`.\n\n\u003Cdetails>\n\u003Csummary>\u003Cstrong>Organization hasn't enabled CLI access?\u003C\u002Fstrong>\u003C\u002Fsummary>\n\n1. After selecting your organization, click \"Apply Now\" to notify the admin\n2. The admin receives a request card and can approve with one click\n3. Once approved, re-run `dws auth login`\n\n\u003Cp align=\"center\">\n  \u003Cimg src=\"https:\u002F\u002Fimg.alicdn.com\u002Fimgextra\u002Fi2\u002FO1CN01wtsYuQ1CTbboVTlsD_!!6000000000082-2-tps-2696-1544.png\" alt=\"Apply for Access\" width=\"600\">\n\u003C\u002Fp>\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cstrong>Admin: Enable CLI access for your organization\u003C\u002Fstrong>\u003C\u002Fsummary>\n\nGo to [Developer Platform](https:\u002F\u002Fopen-dev.dingtalk.com) → \"CLI Access Management\" → Enable.\n\n\u003Cp align=\"center\">\n  \u003Cimg src=\"https:\u002F\u002Fimg.alicdn.com\u002Fimgextra\u002Fi4\u002FO1CN01M8K7Wj1rZ0WikrZby_!!6000000005644-2-tps-2940-1596.png\" alt=\"CLI Access Management\" width=\"600\">\n\u003C\u002Fp>\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cstrong>Custom App mode (CI\u002FCD, ISV integration)\u003C\u002Fstrong>\u003C\u002Fsummary>\n\nFor enterprise-managed scenarios, create your own DingTalk app:\n\n1. [Open Platform Console](https:\u002F\u002Fopen-dev.dingtalk.com\u002Ffe\u002Fapp#\u002Fcorp\u002Fapp) → Create App\n2. Security Settings → Add redirect URLs: `http:\u002F\u002F127.0.0.1,https:\u002F\u002Flogin.dingtalk.com`\n3. Publish the app\n4. Login:\n\n```bash\ndws auth login --client-id \u003Cyour-app-key> --client-secret \u003Cyour-app-secret>\n```\n\nCredentials are securely persisted after first login (Keychain). Subsequent runs auto-refresh tokens.\n\n\u003C\u002Fdetails>\n\n## Quick Start\n\n```bash\ndws contact user search --query \"engineering\"      # search contacts\ndws calendar event list                            # list today's calendar events\ndws doc search --query \"quarterly\"                 # search DingTalk Docs\ndws minutes list mine                              # list AI meeting notes I created\ndws drive list                                     # list DingTalk drive files\ndws todo task create --title \"Quarterly report\" --executors \"\u003Cyour-userId>\"   # create a todo (replace \u003Cyour-userId>)\ndws todo task list --dry-run                       # preview without executing\n```\n\n> **Full command list**: [`docs\u002Fcommand-index.md`](.\u002Fdocs\u002Fcommand-index.md) — all commands with descriptions and when-to-use guidance.\n\n## Using with Agents\n\ndws is designed as an AI-native CLI. Complete [Installation](#installation) and [Getting Started](#getting-started) first, then configure your agent:\n\n### Agent Invocation Patterns\n\n```bash\n# Use --yes to skip confirmation prompts (required for agents)\ndws todo task create --title \"Review PR\" --executors \"\u003Cyour-userId>\" --yes\n\n# Use --dry-run to preview operations (safe execution)\ndws contact user search --query \"engineering\" --dry-run\n\n# Use --jq to extract precisely (save tokens)\ndws contact user get-self --jq '.result[0].orgEmployeeModel | {name: .orgUserName, dept: .depts[0].deptName, userId}'\n```\n\n### Schema Discovery\n\nAgents don't need pre-built knowledge of every command. Use `dws schema` to dynamically discover capabilities:\n\n```bash\n# Step 1: Discover all available products\ndws schema --jq '.products[] | {id, tool_count: (.tools | length)}'\n\n# Step 2: Inspect target tool's parameter schema\ndws schema aitable.query_records --jq '.tool.parameters'\n\n# Step 3: Construct the correct call\ndws aitable record query --base-id BASE_ID --table-id TABLE_ID --limit 10\n```\n\n### Agent Skills\n\nThe repo ships a complete Agent Skill system (`skills\u002F`). After installing, AI tools like Claude Code \u002F Cursor can operate DingTalk directly through natural language:\n\n```bash\n# Install skills into current project\ncurl -fsSL https:\u002F\u002Fraw.githubusercontent.com\u002FDingTalk-Real-AI\u002Fdingtalk-workspace-cli\u002Fmain\u002Fscripts\u002Finstall-skills.sh | sh\n```\n\n> `install.sh` installs to `$HOME\u002F.agents\u002Fskills\u002Fdws` (global); `install-skills.sh` installs to `.\u002F.agents\u002Fskills\u002Fdws` (current project).\n\n**What's included:**\n\n| Component | Path | Description |\n|-----------|------|-------------|\n| Master Skill | `SKILL.md` | Intent routing, decision tree, safety rules, error handling |\n| Product references | `references\u002Fproducts\u002F*.md` | Per-product command reference (aitable, chat, calendar, etc.) |\n| Intent guide | `references\u002Fintent-guide.md` | Disambiguation for confusing scenarios (e.g. report vs todo) |\n| Global reference | `references\u002Fglobal-reference.md` | Auth, output formats, global flags |\n| Error codes | `references\u002Ferror-codes.md` | Error codes + debugging workflows |\n| Recovery guide | `references\u002Frecovery-guide.md` | `RECOVERY_EVENT_ID` handling |\n| Ready-made scripts | `scripts\u002F*.py` | 13 batch operation scripts (see below) |\n\n\u003Cdetails>\n\u003Csummary>\u003Cstrong>Ready-made scripts\u003C\u002Fstrong> — 13 Python scripts for common multi-step workflows\u003C\u002Fsummary>\n\n| Script | Description |\n|--------|-------------|\n| `calendar_schedule_meeting.py` | Create event + add participants + find & book available meeting room |\n| `calendar_free_slot_finder.py` | Find common free slots across multiple people, recommend best meeting time |\n| `calendar_today_agenda.py` | View today\u002Ftomorrow\u002Fthis week's schedule |\n| `import_records.py` | Batch import records from CSV\u002FJSON into AITable |\n| `bulk_add_fields.py` | Batch add fields to an AITable data table |\n| `upload_attachment.py` | Upload attachment to AITable attachment field |\n| `todo_batch_create.py` | Batch create todos from JSON (with priority, due date, executors) |\n| `todo_daily_summary.py` | Summarize today\u002Fthis week's incomplete todos |\n| `todo_overdue_check.py` | Scan overdue todos and output overdue list |\n| `contact_dept_members.py` | Search department by name and list all members |\n| `attendance_my_record.py` | View my attendance records for today\u002Fthis week\u002Fspecific date |\n| `attendance_team_shift.py` | Query team shift schedules and attendance statistics |\n| `report_inbox_today.py` | View today's received reports with details |\n\n\u003C\u002Fdetails>\n\n**ISV Integration**: Author your own Agent Skills and orchestrate them with dws skills for cross-product workflows: **ISV Skill → dws Skill → DingTalk Open Platform API (enforced auth + full audit)**.\n\n## Features\n\n\u003Cdetails>\n\u003Csummary>\u003Cstrong>Raw API Access\u003C\u002Fstrong> — call any DingTalk OpenAPI directly\u003C\u002Fsummary>\n\n`dws api` lets you call any DingTalk OpenAPI without an SDK. Tokens are automatically acquired and refreshed.\n\n> **Prerequisite**: Must login with your own app credentials (see [Custom App mode](#getting-started)). Encrypted tokens from MCP default-credential login are not supported for raw API calls.\n\n```bash\n# Login (first time only)\ndws auth login --client-id \u003CAPP_KEY> --client-secret \u003CAPP_SECRET>\n\n# === api.dingtalk.com ===\n\n# List all enterprise apps\ndws api GET \u002Fv1.0\u002FmicroApp\u002FallApps\n\n# Search users (POST + JSON body)\ndws api POST \u002Fv1.0\u002Fcontact\u002Fusers\u002Fsearch \\\n  --data '{\"queryWord\":\"engineering\",\"offset\":0,\"size\":10}'\n\n# === oapi.dingtalk.com ===\n\n# Get user details (use --base-url to specify domain)\ndws api POST \u002Ftopapi\u002Fv2\u002Fuser\u002Fget \\\n  --base-url https:\u002F\u002Foapi.dingtalk.com \\\n  --data '{\"userid\":\"\u003CUSER_ID>\"}'\n\n# Or use the full URL directly\ndws api POST https:\u002F\u002Foapi.dingtalk.com\u002Ftopapi\u002Fv2\u002Fuser\u002Fget \\\n  --data '{\"userid\":\"\u003CUSER_ID>\"}'\n\n# === General ===\ndws api GET \u002Fv1.0\u002FmicroApp\u002FallApps --page-all   # auto-paginate\ndws api GET \u002Fv1.0\u002FmicroApp\u002FallApps --dry-run     # preview request\ndws api GET \u002Fv1.0\u002FmicroApp\u002FallApps --jq '.agentId'  # jq filtering\n```\n\n| Feature | Details |\n|---------|----------|\n| Dual-form auto-detection | Automatically selects api.dingtalk.com (header auth) or oapi.dingtalk.com (query-param auth) based on URL |\n| Automatic token management | App-level accessToken is fetched on first call, cached while valid, auto-refreshed on expiry |\n| Domain allowlist | Only `api.dingtalk.com` and `oapi.dingtalk.com` permitted — prevents token leakage |\n| Auto-pagination | `--page-all` iterates all pages. `--page-limit` caps the maximum (default 10, set to 0 for unlimited, hard cap at 500 to prevent infinite loops) |\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cstrong>Smart Input Correction\u003C\u002Fstrong> — auto-corrects common AI model parameter mistakes\u003C\u002Fsummary>\n\nBuilt-in pipeline engine that normalizes flag names, splits sticky arguments, and fuzzy-matches typos:\n\n```bash\n# Naming convention auto-conversion (camelCase \u002F snake_case \u002F UPPER -> kebab-case)\ndws aitable record query --baseId BASE_ID --tableId TABLE_ID         # auto-corrected to --base-id --table-id\n\n# Sticky argument splitting\ndws contact user search --query \"engineering\" --timeout30           # auto-split to --timeout 30\n\n# Fuzzy flag name matching\ndws aitable record query --base-id BASE_ID --tabel-id TABLE_ID       # --tabel-id -> --table-id\n\n# Value normalization (boolean \u002F number \u002F date \u002F enum)\n# \"yes\" -> true, \"1,000\" -> 1000, \"2024\u002F03\u002F29\" -> \"2024-03-29\", \"ACTIVE\" -> \"active\"\n```\n\n| Agent Output | dws Auto-Corrects To |\n|-----------|--------------|\n| `--userId` | `--user-id` |\n| `--limit100` | `--limit 100` |\n| `--tabel-id` | `--table-id` |\n| `--USER-ID` | `--user-id` |\n| `--user_name` | `--user-name` |\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cstrong>jq Filtering & Field Selection\u003C\u002Fstrong> — fine-grained output control to reduce token consumption\u003C\u002Fsummary>\n\n```bash\n# Built-in jq expressions\ndws aitable record query --base-id BASE_ID --table-id TABLE_ID --jq '.invocation.params'\ndws schema --jq '.products[] | {id, tools: (.tools | length)}'\n\n# Return only specific fields\ndws aitable record query --base-id BASE_ID --table-id TABLE_ID --fields invocation,response\n```\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cstrong>Schema Introspection\u003C\u002Fstrong> — query parameter schemas before making calls\u003C\u002Fsummary>\n\n```bash\ndws schema                                              # list all products and tools\ndws schema aitable.query_records                        # view parameter schema\ndws schema aitable.query_records --jq '.tool.required'   # view required fields\ndws schema --jq '.products[].id'                        # extract all product IDs\n```\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cstrong>Pipe & File Input\u003C\u002Fstrong> — read flag values from files or stdin\u003C\u002Fsummary>\n\n```bash\n# Read message body from a file\ndws chat message send-by-bot --robot-code BOT_CODE --group GROUP_ID \\\n  --title \"Weekly Report\" --text @report.md\n\n# Pipe content via stdin\ncat report.md | dws chat message send-by-bot --robot-code BOT_CODE --group GROUP_ID \\\n  --title \"Weekly Report\"\n\n# Read from stdin explicitly\ndws chat message send-by-bot --robot-code BOT_CODE --group GROUP_ID \\\n  --title \"Weekly Report\" --text @-\n```\n\n\u003C\u002Fdetails>\n\n## Key Services\n\n| Service | Command | Commands | Subcommands | Description |\n|---------|---------|:--------:|-------------|-------------|\n| Contact | `contact` | 6 | `user` `dept` | Search users by name\u002Fmobile, batch query, departments, current user profile |\n| Chat \u002F IM | `chat` (alias `im`) | 23 | `message` `group` `bot` `conversation-info` `search` `search-common` `list-top-conversations` | Messages (send \u002F list \u002F list-all \u002F by-sender \u002F mentions \u002F focused \u002F unread \u002F topic replies \u002F search), group CRUD + member management (incl. `add-bot`), bot-identity messaging (`send-by-bot` \u002F `recall-by-bot` \u002F `send-by-webhook`), conversation info, common groups lookup |\n| Calendar | `calendar` | 14 | `event` `room` `participant` `busy` | Events CRUD + suggested times + attachments, meeting room booking, free-busy query, participant management |\n| Todo | `todo` | 6 | `task` | Create, list, update, done, get detail, delete |\n| Approval | `oa` | 9 | `approval` | Approve \u002F reject \u002F revoke, pending \u002F initiated instances, process list, operation records |\n| Attendance | `attendance` | 4 | `record` `shift` `summary` `rules` | Clock-in records, shift schedules, attendance summary, group rules |\n| Ding | `ding` | 2 | `message` | Send \u002F recall DING messages |\n| Report | `report` | 7 | `create` `list` `detail` `template` `stats` `sent` | Create reports, sent\u002Freceived list, templates, statistics |\n| AI Tables | `aitable` | 41 | `base` `table` `record` `field` `view` `dashboard` `chart` `import` `export` `attachment` `template` | Full CRUD for Bases \u002F datasheets \u002F records \u002F fields \u002F views; charts & dashboards with public-share configs; data import\u002Fexport; attachments; templates |\n| Doc | `doc` | 21 | `search` `list` `info` `read` `create` `update` `upload` `download` `copy` `move` `rename` `file` `folder` `block` `comment` | Search \u002F read \u002F write docs, file & folder create, block-level editing, comments (list \u002F create \u002F reply \u002F create-inline), upload \u002F download |\n| Drive | `drive` | 6 | `list` `info` `download` `mkdir` `upload-info` `commit` | DingTalk drive file ops: list, info, download, create folders, two-phase upload |\n| Minutes | `minutes` | 19 | `list` `get` `update` `mind-graph` `speaker` `hot-word` `upload` | List AI meeting notes (mine \u002F shared), details (info \u002F summary \u002F keywords \u002F transcription \u002F todos \u002F batch), title\u002Fsummary updates, mind map, speaker replace, hot-word, upload session |\n| Mail | `mail` | 4 | `mailbox` `message` | List mailbox addresses, KQL message search, get full message content, send email |\n| Sheet | `sheet` | 34 | `range` `filter-view` (top-level: `create` `new` `list` `info` `find` `replace` `append` `merge-cells` `unmerge-cells` `add-dimension` `insert-dimension` `delete-dimension` `move-dimension` `update-dimension` `write-image` `copy_sheet` `update_sheet` `submit_export_job` `query_export_job` `create_filter` `get_filter` `update_filter` `delete_filter` `set_filter_criteria` `clear_filter_criteria` `sort_filter`) | Online spreadsheet (`contentType=ALIDOC`, `extension=axls`): worksheet CRUD, range read\u002Fwrite\u002Fappend, dimension ops, cell merge, find\u002Freplace, named filter views + sheet-level filters, image write, async export (`submit_export_job` + `query_export_job` — no consolidated `export` in v1.0.25) |\n| Wiki | `wiki` | 7 | `space` `member` | Knowledge base management: space `create` \u002F `get` \u002F `list` \u002F `search` + member `add` \u002F `list` \u002F `update` |\n| DevDoc | `devdoc` | 1 | `article` | Search the DingTalk Open Platform documentation |\n| AI Search | `aisearch` | 1 | `person` | Enterprise people search by name \u002F department \u002F position \u002F duty \u002F supervisor \u002F subordinate \u002F phone \u002F job-number (single command, multi-dimension filter) |\n| AI App | `aiapp` | 3 | — | AI application lifecycle: `create` (with prompt \u002F attachments \u002F skills) \u002F `query` (by task ID) \u002F `modify` (by thread ID) |\n| Live | `live` | 1 | `stream` | DingTalk live streaming: list my lives |\n| Raw API | `api` | 1 | — | Call any DingTalk OpenAPI directly (api \u002F oapi dual-form), with automatic app-level token management |\n\n> **209 commands across 19 products.** Full listing with descriptions and usage scenarios: [`docs\u002Fcommand-index.md`](.\u002Fdocs\u002Fcommand-index.md). Run `dws --help` for the top-level tree, or `dws \u003Cservice> --help` for subcommands.\n\n> **Note on `chat bot`**: bot capabilities (`send-by-bot` \u002F `recall-by-bot` \u002F `add-bot` \u002F `send-by-webhook` \u002F bot search) are merged into the relevant `chat` subtrees (e.g. `dws chat message send-by-bot`, `dws chat group members add-bot`) so the agent-facing command surface stays flat and discoverable. There is no longer a separate top-level `bot` product.\n\n\u003Cdetails>\n\u003Csummary>Coming soon\u003C\u002Fsummary>\n\n`conference` (video meetings)\n\n\u003C\u002Fdetails>\n\n\u003Ch2 id=\"security-by-design\">Security by Design\u003C\u002Fh2>\n\n`dws` treats security as a first-class architectural concern, not an afterthought. **Credentials never touch disk, tokens never leave trusted domains, permissions never exceed grants, operations never escape audit** — every API call must pass through DingTalk Open Platform's authentication and audit chain, no exceptions.\n\n\u003Cdetails>\n\u003Csummary>\u003Cstrong>For Developers\u003C\u002Fstrong>\u003C\u002Fsummary>\n\n| Mechanism | Details |\n|-----------|----------|\n| **Encrypted token storage** | **PBKDF2 + AES-256-GCM** encryption, keyed by device physical MAC address; cross-platform Keychain\u002FDPAPI integration provides additional protection — tokens cannot be decrypted on another machine |\n| **Input security** | Path traversal protection (symlink resolution + working directory containment), CRLF injection blocking, Unicode visual spoofing filtering — prevents AI Agents from being tricked by malicious instructions |\n| **Domain allowlist** | `DWS_TRUSTED_DOMAINS` defaults to `*.dingtalk.com`; bearer tokens are never sent to non-allowlisted domains |\n| **HTTPS enforced** | All requests require TLS; HTTP only permitted for loopback during development |\n| **Dry-run preview** | `--dry-run` shows call parameters without executing, preventing accidental mutations |\n| **Zero credential persistence** | Client ID \u002F Secret used in memory only — never written to config files or logs |\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cstrong>For Enterprise Admins\u003C\u002Fstrong>\u003C\u002Fsummary>\n\n| Mechanism | Details |\n|-----------|---------|\n| **OAuth device-flow auth** | Users must authenticate through an admin-authorized DingTalk application |\n| **Least-privilege scoping** | CLI can only invoke APIs granted to the application — no privilege escalation |\n| **Allowlist gating** | Admin confirmation required during co-creation phase; self-service approval planned |\n| **Full-chain audit** | Every data read\u002Fwrite passes through the DingTalk Open Platform API — enterprise admins can trace complete call logs in real time; no anomalous operation can hide |\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cstrong>For ISVs\u003C\u002Fstrong>\u003C\u002Fsummary>\n\n| Mechanism | Details |\n|-----------|---------|\n| **Tenant data isolation** | Operates under authorized app identity; cross-tenant access is impossible |\n| **Skill sandbox** | Agent Skills are Markdown documents (`SKILL.md`) — prompt descriptions only, no arbitrary code execution |\n| **Zero blind spots** | Every API call during ISV–dws skill orchestration is forced through DingTalk Open Platform authentication — full call chain is traceable with no bypass path |\n\n\u003C\u002Fdetails>\n\n> Found a vulnerability? Report via [GitHub Security Advisories](https:\u002F\u002Fgithub.com\u002FDingTalk-Real-AI\u002Fdingtalk-workspace-cli\u002Fsecurity\u002Fadvisories\u002Fnew). See [SECURITY.md](.\u002FSECURITY.md).\n\n## Reference & Docs\n\n- [Command Index](.\u002Fdocs\u002Fcommand-index.md) — every runtime command with description and when-to-use guidance\n- [Reference](.\u002Fdocs\u002Freference.md) — environment variables, exit codes, output formats, shell completion\n- [Architecture](.\u002Fdocs\u002Farchitecture.md) — discovery-driven pipeline, IR, transport layer\n- [Changelog](.\u002FCHANGELOG.md) — release history and migration notes\n\n## Contributing\n\nSee [CONTRIBUTING.md](.\u002FCONTRIBUTING.md) for build instructions, testing, and development workflow.\n\n## License\n\nApache-2.0\n","DingTalk Workspace CLI (dws) 是一个由钉钉官方开源的跨平台命令行工具，集成了钉钉的全套产品功能，旨在服务于人类用户和AI代理场景。其核心功能包括支持多种输出格式（如表格、JSON等）以满足不同需求，内置了适用于AI代理的结构化JSON响应及技能，同时采用了零信任架构确保企业数据安全，通过OAuth设备流认证、域名白名单以及最小权限范围控制来保障信息安全。该工具特别适合需要在命令行环境中高效管理和操作钉钉资源的企业和个人开发者使用。",2,"2026-06-11 03:50:12","high_star"]