中文文档 | English
🎯 Project Purpose: This framework is specifically designed for agile development with Cursor while implementing strict permission management. It enables teams to rapidly develop services using Cursor AI assistance while maintaining enterprise-grade security controls through JWT authentication, role-based access control, and service-level authorization.
A modern frontend service framework based on Node.js + TypeScript, featuring Apple-style flat design with built-in user registration approval, permission management, route validation, and API proxy capabilities. Helps teams rapidly iterate various business pages in the services/* directory.
- 🎨 Modern UI: Top navigation bar + service tab switching, hidden uncommon elements, Apple-style minimalist design.
- 🔐 Registration Approval: Users submit registration requests, accounts are created after admin approval, with password modification support.
- 🛡️ Permission Management: Three-layer control with JWT + roles + service authorization, independent user/permission/service management panel.
- 🗺️ Route Control: Automatically validates permissions before accessing
/{serviceId}and injects context to the frontend. - 🔌 API Proxy: Automatically forwards
/{serviceId}/api/**requests toAPI_PROXY_TARGETor service-specific custom addresses. - 📚 Agile Collaboration: Each service includes
API_DOCUMENT.md / PLAN.md / WORKBLOOK.md, with.cursorrulesconstraining the development process.
cp .env.example .env
npm install
npm run build:services # Build all service frontends for the first time
npm run devVisit http://localhost:3100/app, default admin account: admin / admin123.
Regular users need to submit registration requests, which must be approved by administrators in "Admin Panel > Registration Approval" before they can log in.
- Apple Style: Flat design, rounded corners, glassmorphism effects, minimalist spacing
- Top Navigation Bar: Brand logo + service tabs + user menu
- Responsive Design: Adapts to desktop and mobile devices
- Color Scheme: #1d1d1f (dark) / #f5f5f7 (light) / #007aff (primary)
- Registration Approval Process:
- Users submit registration requests
- Accounts created after admin approval
- Support for rejection with reason
- JWT Authentication: Token + HttpOnly Cookie dual protection
- Three-Layer Permission Control:
- User roles (roles)
- Service authorization (services)
- Admin permissions (admin)
- Password Management:
- User self-service password modification
- Current password verification
- Minimum length 6 characters
- View All Users: Display username, roles, service permissions
- Edit User Permissions: Modal form to edit roles and services
- Delete Users: With confirmation prompt
- Security Protection:
- ✅ Admins cannot delete themselves
- ✅ Admins cannot modify their own permissions
- Pending Requests List: Display username, request time
- Approve Request: Automatically create user account
- Reject Request: Optional rejection reason
- Status Tracking: pending / approved / rejected
- View All Services: Automatically loaded from
services/*/service.config.json - Edit Service Configuration:
- Service name
- Description
- Required roles (comma-separated)
- API proxy target address
- API proxy rewrite path
- Real-time Effect: Automatically updates configuration file after modification
- Permission Validation: Automatically verifies permissions before accessing
/{serviceId} - Context Injection: Injects service configuration and user info into
window.__SERVICE_CONTEXT__ - API Proxy:
- Frontend calls
/{serviceId}/api/** - Automatically forwards to configured target address
- Supports path rewriting
- Supports service-level custom targets
- Frontend calls
- Directory Structure:
services/ example/ service.config.json # Service configuration public/index.html # HTML template frontend/ # React/TS code main.tsx # Entry file App.tsx # Main component components/ # Custom components dist/ # Build output API_DOCUMENT.md # API documentation PLAN.md # Business goals WORKBLOOK.md # Implementation progress - Build Tool: esbuild for fast bundling
- Development Standards:
.cursorrulesconstrains UI style and development process
services/
example/
public/index.html # Template entry, contains SERVICE_CONTEXT placeholder
frontend/ # TypeScript/React code
dist/ # esbuild output (auto-generated)
API_DOCUMENT.md
PLAN.md
WORKBLOOK.md
- Copy
services/exampleas a template, rename toservices/<serviceId>. - Update
service.config.json:requiredRoles,proxyRewrite,proxyTarget.
- Let Cursor implement the service: After configuring the necessary content, use Cursor to implement the service logic. Cursor will follow the
.cursorrulesstandards and create the frontend code infrontend/directory. - Run
npm run build:servicesto generatedist/main.js. - Ensure pages import
/public/global.cssand follow.cursorrulesUI standards, especially keepWORKBLOOK.mdupdated in time.
The console is located at
public/app.html, containing login/registration, service authorization, navigation bar, and iframe workspace where service pages are rendered. Do not duplicate shell UI in individual services.
POST /auth/register- Submit registration requestPOST /auth/login- LoginGET /auth/me- Get current user infoPOST /auth/change-password- Change password
GET /admin/users- User listPATCH /admin/users/:id- Update user permissionsDELETE /admin/users/:id- Delete userGET /admin/registration-requests- Registration request listPOST /admin/registration-requests/:id/approve- Approve requestPOST /admin/registration-requests/:id/reject- Reject requestGET /admin/services- Service listPATCH /admin/services/:id- Update service configuration
GET /api/services- List of accessible servicesGET /:serviceId- Render service pageALL /:serviceId/api/**- API proxy forwardingGET /api/services/:id/docs/{api|plan|workblook}- View service documentation
Injected by the server when rendering public/index.html:
{
"service": {
"id": "example",
"name": "Example Service",
"proxy": { "path": "/example/api", "rewrite": "/api" }
},
"user": { "username": "admin", "roles": ["admin"] }
}Frontend can access directly via window.__SERVICE_CONTEXT__.
/{service}/api/**→proxyTarget + proxyRewrite(default.envAPI_PROXY_TARGET+/api).- Service-level
proxyTargetcan override default value, supports linking to SaaS or local microservices.
- Primary:
#007aff(hover:#0051d5) - Text:
#1d1d1f(muted:#86868b) - Background:
#f5f5f7
- System fonts:
-apple-system, BlinkMacSystemFont, 'SF Pro Display' - Headings: 20-48px, weight 600-700
- Body: 14-17px
- Auxiliary: 13px
- Small components: 8-10px
- Cards: 12-16px
- Modal windows: 14-16px
- Follow 8px multiples (8/16/24/32)
- Card padding: 16-24px
- Card margin: 12-16px
- Primary button:
#007affbackground, hover#0051d5 - Secondary button: Transparent background + border
- Border radius: 8-10px
- Font weight: 600
- Pure linear or two-tone, avoid skeuomorphic
- Custom components must be implemented in
services/xxx/frontend/componentsand reuse variables
- Click user menu → "Register Account"
- Fill in username, password
- Submit request, wait for admin approval
- Login with admin account (
admin/admin123) - Click user menu → "Admin Panel"
- Switch to "Registration Approval" tab
- Click "Approve" or "Reject"
- Admin Panel → "User Management"
- Click user's "Edit" button
- Modify roles/service permissions
- Save
- Click user menu → "Change Password"
- Enter current password, new password
- Confirm and save
- Admin Panel → "Service Management"
- Click service's "Edit" button
- Modify service name, description, required roles, API proxy, etc.
- Save to automatically update configuration file
-
Copy template:
cp -r services/example services/new-service-name
-
Modify
service.config.json:{ "id": "new-service-name", "name": "Display Name", "description": "Service description", "entryHtml": "public/index.html", "entryScript": "dist/main.js", "requiredRoles": ["service:new-service-name"], "proxyRewrite": "/api", "proxyTarget": "${API_PROXY_TARGET}" } -
Let Cursor implement the service: After configuring the necessary content, use Cursor to implement the service logic. Cursor will follow the
.cursorrulesstandards and create the frontend code inservices/new-service-name/frontend/. -
Build:
npm run build:services
-
Update documentation:
API_DOCUMENT.md- API documentationPLAN.md- Business goalsWORKBLOOK.md- Implementation progress
Admin login → Admin Panel → User Management → Edit User:
- Roles:
service:new-service-name(oradmin) - Services:
new-service-name
- JWT + HttpOnly Cookie: Dual token protection
- Permission Validation Middleware: All admin endpoints require admin role
- Self-Protection: Admins cannot delete/downgrade themselves
- Password Encryption: bcrypt hash storage
- iframe Sandbox: Limits service page permissions
- Check
service.config.jsonformat - Run
npm run build:services - Restart server
- Hard refresh browser (Cmd+Shift+R)
- Confirm user roles include required roles
- Or add service ID to user's services field
- Admin accounts can access all services
- Check if
proxyTargetis correct - Confirm target service is running
- Check server logs for errors
- ✅ Zero-config service registration (auto-scan services directory)
- ✅ Hot-update service configuration (edit directly in admin panel)
- ✅ Registration approval process (prevents malicious registration)
- ✅ Fine-grained permission control (role + service dual validation)
- ✅ Modern UI (Apple-style design)
- ✅ Agile development standards (.cursorrules constraints)
- ✅ Complete admin panel (user/approval/service three-in-one)
- ✅ Framework MVP
- 🔜 CLI initialization scaffold
- 🔜 Session-driven SSO