Gusnais Skill
Implement Gusnais API integration that mirrors web behavior and permission boundaries.
Require only two user inputs
- - �INLINECODE0
- INLINECODE1
Do not ask for base URL, OAuth paths, account IDs, scope defaults, pagination defaults, or serializer mappings unless discovery fails.
Auto-complete platform config
Use these defaults:
- - Site: �INLINECODE2
- OAuth Authorize: �INLINECODE3
- OAuth Token: �INLINECODE4
- OAuth Revoke: �INLINECODE5
- API Base: �INLINECODE6
Auth flow
- 1. Build authorization URL automatically.
- Exchange authorization code for
access_token and refresh_token. - Validate token with
GET /api/v3/users/me. - Refresh once on 401; if refresh fails, request re-auth.
Prefer Authorization header for requests:
Keep access_token query fallback for compatibility with Homeland API behavior.
Web parity contract
Match gusnais.com UX and permission behavior:
- 1. Read abilities first when available
- Resource-level actions must follow returned
abilities.
- 2. Dual check
- UI check (visible/enabled) using abilities.
- Execution check with real API call and status code handling.
- 3. No privilege escalation
- Never assume admin/mod privileges in client logic.
- 4. Respect hidden/inaccessible resources
- 404/403 semantics should stay consistent with server behavior.
Capability gating model
For each action produce:
- -
visible: �INLINECODE14 - INLINECODE15�: �INLINECODE16
- INLINECODE17�: �INLINECODE18
- INLINECODE19�: �INLINECODE20
Endpoint behavior alignment
Use endpoint mapping in
references/endpoints.md and serializer notes for normalized outputs.
Keep defaults aligned with docs:
- - offset default: �INLINECODE22
- limit default: �INLINECODE23
- limit range on list endpoints:
1..150 (or endpoint-specific documented max) - topic list default �INLINECODE25
For plugin domain operations (press/note/site/jobs):
- - Read plugin web-route parity and API contract in
references/endpoints.md. - Read permission nuances in
references/permission-parity.md. - Treat 404 on plugin API endpoints as
resource_unavailable unless deployment has enabled those API routes.
Topic action safety
For
POST /api/v3/topics/:id/action?type=:type (
ban|excellent|unexcellent|close|open):
- - Gate by
abilities if present. - Enforce final server response.
- Never expose action as enabled when denied.
Error mapping
Normalize API errors without changing meaning:
- - 400 -> �INLINECODE32
- 401 ->
auth_required (refresh then retry once) - 403 -> �INLINECODE34
- 404 -> �INLINECODE35
- 500 -> �INLINECODE36
Return original server error text when available.
Rate limiting / retries
- - Respect
Retry-After on 429. - Use exponential backoff with jitter for transient 5xx.
- Avoid one-item tight loops for batch writes.
Read these references before implementation
- - �INLINECODE38
- INLINECODE39
Bootstrap script
Use
scripts/gusnais_bootstrap.py to initialize runtime config from
CLIENT_ID and
CLIENT_SECRET.
Recommended:
- - set
TOKEN_STORE_PATH when exchanging code, so refreshable tokens are persisted to JSON for long-lived automation.
Plugin API client script
Use
scripts/gusnais_plugin_client.py for plugin API read/write calls with:
- - auto refresh before expiry and on 401;
- one retry after refresh;
- normalized status reason mapping;
- capability hint extraction from
abilities; - action-level payload guardrails to avoid avoidable 400/500 (e.g. press create summary fallback).
Current deployment notes (2026-03-19):
- - Press API is mounted for read/write (
/api/v3/press/posts*). - Note API is mounted for read/write (
/api/v3/note/notes*). - Site API is mounted for
sites CRUD + site_nodes list; undestroy/site_node writes are not mounted. - Treat any unmounted plugin API route as
resource_unavailable and avoid repeated retries.
Gusnais 技能
实现模仿 Web 行为和权限边界的 Gusnais API 集成。
仅需两个用户输入
除非发现失败,否则不要询问基础 URL、OAuth 路径、账户 ID、作用域默认值、分页默认值或序列化器映射。
自动补全平台配置
使用以下默认值:
- - 站点:https://gusnais.com
- OAuth 授权:/oauth/authorize
- OAuth 令牌:/oauth/token
- OAuth 撤销:/oauth/revoke
- API 基础路径:/api/v3
认证流程
- 1. 自动构建授权 URL。
- 将授权码交换为 accesstoken 和 refreshtoken。
- 使用 GET /api/v3/users/me 验证令牌。
- 遇到 401 时刷新一次;如果刷新失败,则请求重新认证。
请求优先使用 Authorization 头:
保留 access_token 查询参数作为回退,以兼容 Homeland API 行为。
Web 对等契约
匹配 gusnais.com 的用户体验和权限行为:
- 1. 优先读取能力(当可用时)
- 资源级操作必须遵循返回的 abilities。
- 2. 双重检查
- 使用能力进行 UI 检查(可见/启用)。
- 通过真实 API 调用和状态码处理进行执行检查。
- 3. 无权限提升
- 客户端逻辑中绝不假设管理员/版主权限。
- 4. 尊重隐藏/不可访问的资源
- 404/403 语义应与服务器行为保持一致。
能力门控模型
对每个操作生成:
- - visible:true|false
- enabled:true|false
- reason:ok|nopermission|authrequired|resourceunavailable|validationerror
- source:abilities|server_status|policy
端点行为对齐
使用 references/endpoints.md 中的端点映射和序列化器注释来规范化输出。
保持默认值与文档一致:
- - offset 默认值:0
- limit 默认值:20
- 列表端点的 limit 范围:1..150(或端点特定的文档最大值)
- 话题列表默认 type=last_actived
对于插件域操作(press/note/site/jobs):
- - 在 references/endpoints.md 中读取插件 Web 路由对等性和 API 契约。
- 在 references/permission-parity.md 中读取权限细节。
- 将插件 API 端点上的 404 视为 resource_unavailable,除非部署已启用这些 API 路由。
话题操作安全
对于 POST /api/v3/topics/:id/action?type=:type(ban|excellent|unexcellent|close|open):
- - 如果存在 abilities,则通过其进行门控。
- 强制执行最终服务器响应。
- 当被拒绝时,绝不将操作暴露为已启用。
错误映射
规范化 API 错误而不改变含义:
- - 400 -> validationerror
- 401 -> authrequired(刷新后重试一次)
- 403 -> nopermission
- 404 -> resourceunavailable
- 500 -> server_error
当可用时,返回原始服务器错误文本。
速率限制/重试
- - 对 429 响应尊重 Retry-After。
- 对临时性 5xx 使用带抖动的指数退避。
- 避免对批量写入使用单项目紧密循环。
实现前阅读以下参考资料
- - references/endpoints.md
- references/permission-parity.md
引导脚本
使用 scripts/gusnais
bootstrap.py 从 CLIENTID 和 CLIENT_SECRET 初始化运行时配置。
建议:
- - 在交换代码时设置 TOKENSTOREPATH,以便可刷新的令牌持久化到 JSON 中,用于长期运行的自动化。
插件 API 客户端脚本
使用 scripts/gusnais
pluginclient.py 进行插件 API 的读/写调用,具备:
- - 在过期前和遇到 401 时自动刷新;
- 刷新后重试一次;
- 规范化状态原因映射;
- 从 abilities 中提取能力提示;
- 操作级有效载荷防护,以避免可避免的 400/500 错误(例如,press 创建摘要回退)。
当前部署说明(2026-03-19):
- - Press API 已挂载用于读/写(/api/v3/press/posts)。
- Note API 已挂载用于读/写(/api/v3/note/notes)。
- Site API 已挂载用于 sites 的增删改查 + sitenodes 列表;undestroy/sitenode 写入未挂载。
- 将任何未挂载的插件 API 路由视为 resource_unavailable,并避免重复重试。
