npm - @chenguangyao/devflow-kit - Versions diffs - 0.1.43 - Mend

@chenguangyao/devflow-kit 0.1.43

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (198) hide show

package/CHANGELOG.md +232 -0
package/LICENSE +21 -0
package/README.md +539 -0
package/bin/devflow.js +9 -0
package/docs/RFC-001-devflow-kit.md +617 -0
package/docs/RFC-002-workflow-kernel.md +134 -0
package/docs/enterprise-integration-supplement.md +274 -0
package/docs/internal-gitlab-setup.md +426 -0
package/docs/marketplace-skills.md +231 -0
package/docs/migration-from-arb.md +232 -0
package/docs/tooling-overview.md +774 -0
package/docs/workflow-orchestration.md +695 -0
package/docs/workflow-ui-prototype.html +271 -0
package/package.json +52 -0
package/schemas/config.schema.json +51 -0
package/schemas/delta.schema.json +22 -0
package/schemas/state.schema.json +130 -0
package/schemas/status-surface.schema.json +197 -0
package/schemas/workflow-confirmation-surface.schema.json +70 -0
package/schemas/workflow-picker.schema.json +94 -0
package/scripts/postinstall.js +101 -0
package/scripts/render-workflow-ui-prototype.js +271 -0
package/skills/apply/SKILL.md +313 -0
package/skills/apply/references/discipline-checklist.md +145 -0
package/skills/apply/references/subagent-implementer-prompt.md +113 -0
package/skills/apply/references/subagent-orchestration.md +150 -0
package/skills/apply/references/subagent-reviewer-prompt.md +180 -0
package/skills/apply/references/tdd-loop.md +287 -0
package/skills/apply/references/when-plan-is-wrong.md +279 -0
package/skills/apply/references/worktree-swarm.md +292 -0
package/skills/archive/SKILL.md +229 -0
package/skills/archive/references/conflict-resolution.md +336 -0
package/skills/archive/references/knowledge-deposit.md +381 -0
package/skills/archive/references/spec-merge.md +365 -0
package/skills/brainstorm/SKILL.md +123 -0
package/skills/brainstorm/references/proposal-template.md +244 -0
package/skills/brainstorm/references/question-catalog.md +168 -0
package/skills/brainstorm/references/session-template.md +184 -0
package/skills/ci-fix/SKILL.md +63 -0
package/skills/ci-fix/references/loop.md +25 -0
package/skills/code-review/SKILL.md +279 -0
package/skills/code-review/references/escalation-playbook.md +192 -0
package/skills/code-review/references/language-cheatsheets/go.md +175 -0
package/skills/code-review/references/language-cheatsheets/java-spring-mybatis.md +246 -0
package/skills/code-review/references/language-cheatsheets/python.md +170 -0
package/skills/code-review/references/language-cheatsheets/vue.md +199 -0
package/skills/code-review/references/output-template.md +275 -0
package/skills/code-review/references/review-checklist.md +251 -0
package/skills/complexity-grading/SKILL.md +259 -0
package/skills/deliver/SKILL.md +271 -0
package/skills/deliver/references/delivery-modes.md +299 -0
package/skills/deliver/references/notify.md +359 -0
package/skills/deliver/references/pr-description.md +319 -0
package/skills/dependency-upgrade/SKILL.md +57 -0
package/skills/dependency-upgrade/references/risk-matrix.md +38 -0
package/skills/df-orchestrator/SKILL.md +407 -0
package/skills/df-orchestrator/references/complexity-grading.md +177 -0
package/skills/df-orchestrator/references/escalation-matrix.md +191 -0
package/skills/df-orchestrator/references/routing-rules.md +290 -0
package/skills/df-orchestrator/references/workflow-state-machine.md +208 -0
package/skills/frontend-quality/SKILL.md +61 -0
package/skills/frontend-quality/references/checklist.md +35 -0
package/skills/handoff-resume/SKILL.md +59 -0
package/skills/handoff-resume/references/handoff-template.md +54 -0
package/skills/plan/SKILL.md +166 -0
package/skills/plan/references/task-breakdown.md +207 -0
package/skills/plan/references/task-sequencing.md +143 -0
package/skills/plan/references/task-template.md +248 -0
package/skills/requirement-analysis/SKILL.md +499 -0
package/skills/requirement-analysis/references/acceptance-criteria.md +183 -0
package/skills/requirement-analysis/references/code-recon.md +151 -0
package/skills/requirement-analysis/references/edge-case-catalog.md +164 -0
package/skills/requirement-analysis/references/requirement-template.md +339 -0
package/skills/requirement-analysis/references/scope-negotiation.md +162 -0
package/skills/security-hardening/SKILL.md +60 -0
package/skills/security-hardening/references/checklist.md +42 -0
package/skills/tech-spec/SKILL.md +388 -0
package/skills/tech-spec/references/api-contract-design.md +172 -0
package/skills/tech-spec/references/decision-records.md +110 -0
package/skills/tech-spec/references/design-template.md +301 -0
package/skills/tech-spec/references/rollout-and-rollback.md +203 -0
package/skills/tech-spec/references/spec-delta-conventions.md +250 -0
package/skills/tech-spec/references/transaction-patterns.md +212 -0
package/skills/test-spec/SKILL.md +219 -0
package/skills/test-spec/references/coverage-strategy.md +218 -0
package/skills/test-spec/references/edge-case-to-test.md +143 -0
package/skills/test-spec/references/test-case-template.md +276 -0
package/skills/verify/SKILL.md +232 -0
package/skills/verify/references/nfr-verification.md +292 -0
package/skills/verify/references/report-templates.md +510 -0
package/skills/verify/references/self-test-guide.md +240 -0
package/skills/verify/references/verify-rollback-map.md +247 -0
package/src/cli/commands/_helpers.js +108 -0
package/src/cli/commands/_submit.js +718 -0
package/src/cli/commands/apply.js +198 -0
package/src/cli/commands/archive.js +180 -0
package/src/cli/commands/checkpoint.js +113 -0
package/src/cli/commands/deliver.js +377 -0
package/src/cli/commands/deploy.js +504 -0
package/src/cli/commands/design.js +158 -0
package/src/cli/commands/disable.js +21 -0
package/src/cli/commands/doctor.js +178 -0
package/src/cli/commands/enable.js +21 -0
package/src/cli/commands/flow.js +645 -0
package/src/cli/commands/help.js +93 -0
package/src/cli/commands/ingest.js +602 -0
package/src/cli/commands/init.js +341 -0
package/src/cli/commands/knowledge.js +523 -0
package/src/cli/commands/logs.js +43 -0
package/src/cli/commands/new.js +202 -0
package/src/cli/commands/plan.js +49 -0
package/src/cli/commands/propose.js +27 -0
package/src/cli/commands/provider.js +698 -0
package/src/cli/commands/report.js +143 -0
package/src/cli/commands/requirement.js +227 -0
package/src/cli/commands/review.js +301 -0
package/src/cli/commands/skills.js +457 -0
package/src/cli/commands/status.js +925 -0
package/src/cli/commands/switch.js +27 -0
package/src/cli/commands/sync.js +47 -0
package/src/cli/commands/test.js +366 -0
package/src/cli/commands/uninstall.js +32 -0
package/src/cli/commands/update.js +74 -0
package/src/cli/commands/verify.js +354 -0
package/src/cli/commands/worktree.js +78 -0
package/src/cli/index.js +72 -0
package/src/cli/parse-args.js +102 -0
package/src/core/autodetect.js +271 -0
package/src/core/change.js +208 -0
package/src/core/checkpoint.js +217 -0
package/src/core/config.js +60 -0
package/src/core/delta.js +290 -0
package/src/core/markers.js +59 -0
package/src/core/paths.js +173 -0
package/src/core/plan-tasks.js +36 -0
package/src/core/project-routing.js +285 -0
package/src/core/projects.js +200 -0
package/src/core/state.js +200 -0
package/src/core/workflow-check.js +177 -0
package/src/core/workflow-init.js +34 -0
package/src/core/workflow-picker.js +154 -0
package/src/core/workflow-policy.js +119 -0
package/src/core/workflow-suggest.js +181 -0
package/src/core/workflow-verify.js +88 -0
package/src/core/workflow.js +433 -0
package/src/core/worktree.js +241 -0
package/src/knowledge/categories.js +107 -0
package/src/knowledge/classify.js +125 -0
package/src/knowledge/deposit.js +414 -0
package/src/knowledge/migrate.js +149 -0
package/src/knowledge/mr.js +219 -0
package/src/knowledge/query.js +131 -0
package/src/knowledge/registry.js +151 -0
package/src/knowledge/sync.js +179 -0
package/src/providers/base.js +74 -0
package/src/providers/drivers/api-yapi.js +78 -0
package/src/providers/drivers/ci-jenkins.js +109 -0
package/src/providers/drivers/intake-confluence.js +544 -0
package/src/providers/drivers/kb-git.js +549 -0
package/src/providers/drivers/kb-weknora.js +472 -0
package/src/providers/drivers/notify-smtp.js +515 -0
package/src/providers/drivers/observability-oss.js +43 -0
package/src/providers/drivers/observability-sls.js +50 -0
package/src/providers/lifecycle.js +135 -0
package/src/providers/loader.js +132 -0
package/src/providers/local.js +190 -0
package/src/providers/userconfig.js +283 -0
package/src/reports/aggregate.js +185 -0
package/src/reports/coverage.js +163 -0
package/src/reports/detect.js +143 -0
package/src/reports/parse.js +236 -0
package/src/templates/files/ci/github.yml +38 -0
package/src/templates/files/ci/gitlab.yml +27 -0
package/src/templates/files/design.md +63 -0
package/src/templates/files/ide/devflow-workflow.md +58 -0
package/src/templates/files/ide/project-overview-reference.md +1 -0
package/src/templates/files/ide/project-overview.md +27 -0
package/src/templates/files/knowledge-index.json +17 -0
package/src/templates/files/knowledge.md +28 -0
package/src/templates/files/meta.json +8 -0
package/src/templates/files/plan.md +38 -0
package/src/templates/files/proposal.md +33 -0
package/src/templates/files/reports/contract-test.md +40 -0
package/src/templates/files/reports/e2e-test.md +30 -0
package/src/templates/files/reports/integration-test.md +36 -0
package/src/templates/files/reports/joint-test.md +58 -0
package/src/templates/files/reports/perf.md +24 -0
package/src/templates/files/reports/regression.md +20 -0
package/src/templates/files/reports/remote-test.md +55 -0
package/src/templates/files/reports/self-test.md +43 -0
package/src/templates/files/reports/smoke-test.md +22 -0
package/src/templates/files/reports/unit-test.md +36 -0
package/src/templates/files/requirement.md +51 -0
package/src/templates/files/review.md +38 -0
package/src/templates/files/tests.md +36 -0
package/src/templates/files/verify.md +32 -0
package/src/templates/index.js +21 -0
package/src/utils/log.js +37 -0

package/src/core/workflow-check.js ADDED Viewed

@@ -0,0 +1,177 @@
+'use strict';
+const workflow = require('./workflow.js');
+const workflowPolicy = require('./workflow-policy.js');
+const workflowVerify = require('./workflow-verify.js');
+function checkWorkflow(root, slug, st) {
+  const errors = [];
+  const warnings = [];
+  const wf = st.workflow;
+  if (!wf || !Array.isArray(wf.steps)) {
+    return {
+      ok: false,
+      status: null,
+      errors: [{ code: 'workflow-missing', message: 'workflow draft not found' }],
+      warnings,
+      nextAction: `devflow flow draft --slug=${slug}`,
+    };
+  }
+  checkProtectedGates(st, wf, errors);
+  checkInstalledSkills(root, wf, errors);
+  checkPendingWorkflowPolicy(st, errors);
+  checkVerifyStrength(st, wf, warnings);
+  checkRiskSignals(st, wf, warnings);
+  const ok = errors.length === 0 && warnings.length === 0;
+  return {
+    ok,
+    status: wf.status || null,
+    errors,
+    warnings,
+    nextAction: nextCheckAction(slug, st, errors, warnings),
+    confirmationCard: ok ? buildConfirmationCard(slug, wf) : null,
+  };
+}
+function buildConfirmationCard(slug, wf) {
+  const confirmCommand = `devflow flow confirm --slug=${slug}`;
+  return {
+    type: 'workflow_confirm',
+    title: '确认本次 workflow',
+    question: '是否确认本次 change workflow，并按当前快照执行？',
+    baseRecipe: wf.baseRecipe || null,
+    status: wf.status || null,
+    steps: (wf.steps || []).map((step) => ({
+      id: step.id,
+      skill: step.skill,
+      label: step.label || step.id,
+      status: step.status || null,
+      required: step.required === true,
+      optional: step.optional === true,
+      protected: step.protected === true,
+      source: step.source || null,
+    })),
+    primaryAction: {
+      id: 'confirm',
+      label: '确认 workflow',
+      command: confirmCommand,
+    },
+    secondaryActions: [
+      {
+        id: 'edit',
+        label: '调整编排',
+        command: `devflow flow picker --slug=${slug} --json`,
+      },
+    ],
+  };
+}
+function checkProtectedGates(st, wf, errors) {
+  const steps = wf.steps || [];
+  for (const gateId of workflow.PROTECTED_GATES) {
+    const step = steps.find((s) => s.id === gateId);
+    if (!step) {
+      errors.push({ code: 'missing-protected-gate', step: gateId, message: `missing protected workflow gate: ${gateId}` });
+      continue;
+    }
+    if (step.status === 'disabled') {
+      const summary = `禁用 required workflow step: ${gateId}`;
+      if (!hasAcceptedWorkflowRisk(st, summary)) {
+        errors.push({ code: 'disabled-protected-gate', step: gateId, message: `protected workflow gate is disabled: ${gateId}` });
+      }
+    }
+    if (!step.required || !step.protected) {
+      errors.push({ code: 'invalid-protected-gate', step: gateId, message: `protected workflow gate must be required and protected: ${gateId}` });
+    }
+  }
+  const order = steps.map((s) => s.id);
+  if (hasInvalidOrder(order, 'review', 'verify') || hasInvalidOrder(order, 'verify', 'deliver')) {
+    errors.push({ code: 'invalid-gate-order', message: 'protected workflow gates must keep review -> verify -> deliver order' });
+  }
+}
+function hasInvalidOrder(order, before, after) {
+  const beforeIdx = order.indexOf(before);
+  const afterIdx = order.indexOf(after);
+  return beforeIdx !== -1 && afterIdx !== -1 && beforeIdx > afterIdx;
+}
+function checkInstalledSkills(root, wf, errors) {
+  for (const step of wf.steps || []) {
+    if (step.status === 'disabled') continue;
+    if (!workflow.installedSkillExists(root, step.skill)) {
+      errors.push({ code: 'missing-skill', step: step.id, skill: step.skill, message: `workflow step references an uninstalled skill: ${step.skill}` });
+    }
+  }
+}
+function checkPendingWorkflowPolicy(st, errors) {
+  const pending = (st.checkpoints || []).filter((cp) => cp.type === 'workflow_policy' && (cp.status || 'pending') === 'pending');
+  for (const cp of pending) {
+    errors.push({
+      code: 'pending-workflow-policy',
+      checkpoint: cp.id,
+      message: cp.summary || 'pending workflow policy checkpoint',
+    });
+  }
+}
+function checkVerifyStrength(st, wf, warnings) {
+  const override = wf.verify && wf.verify.requiredReports;
+  if (!Array.isArray(override) || !override.length) return;
+  const missing = workflowVerify.missingDefaultReports(st.level, override);
+  if (missing.length) {
+    const summary = `降低 verify 要求: 缺少 ${missing.join(', ')}`;
+    if (hasAcceptedWorkflowRisk(st, summary)) return;
+    warnings.push({
+      code: 'verify-below-level-default',
+      missingReports: missing,
+      message: `verify reports are below ${st.level || 'default'} defaults: missing ${missing.join(', ')}`,
+    });
+  }
+}
+function checkRiskSignals(st, wf, warnings) {
+  const steps = wf.steps || [];
+  const open = (st.riskSignals || []).filter((risk) => (risk.status || 'open') === 'open');
+  for (const risk of open) {
+    const gate = workflowPolicy.RISK_STEP_GATES[risk.type];
+    if (!gate) continue;
+    const hasActiveStep = gate.steps.some((id) => {
+      const step = steps.find((s) => s.id === id);
+      return step && step.status !== 'disabled';
+    });
+    if (!hasActiveStep) {
+      const accepted = gate.steps.some((id) => hasAcceptedWorkflowRisk(st, `禁用风险相关 workflow step: ${id} (${risk.type})`));
+      if (accepted) continue;
+      warnings.push({
+        code: 'missing-risk-step',
+        riskSignal: risk.type,
+        recommendedSteps: gate.steps.slice(),
+        message: `open ${risk.type} risk signal has no active recommended workflow step: ${gate.steps.join(', ')}`,
+      });
+    }
+  }
+}
+function hasAcceptedWorkflowRisk(st, summary) {
+  return (st.checkpoints || []).some((cp) => (
+    cp.type === 'workflow_policy'
+    && cp.summary === summary
+    && cp.status === 'resolved'
+    && cp.decision === 'accept-risk'
+  ));
+}
+function nextCheckAction(slug, st, errors, warnings) {
+  if (errors.find((item) => item.code === 'workflow-missing')) return `devflow flow draft --slug=${slug}`;
+  if (errors.find((item) => item.code === 'pending-workflow-policy')) return `devflow checkpoint show --slug=${slug}`;
+  if (errors.length) return `devflow flow explain --slug=${slug}`;
+  if (warnings.find((item) => item.code === 'missing-risk-step')) return `devflow flow suggest --slug=${slug} --apply-draft`;
+  if (warnings.find((item) => item.code === 'verify-below-level-default')) return `devflow flow set-verify --slug=${slug} --reports=${workflowVerify.defaultRequiredReports(st.level).join(',')}`;
+  return `devflow flow confirm --slug=${slug}`;
+}
+module.exports = { checkWorkflow };

package/src/core/workflow-init.js ADDED Viewed

@@ -0,0 +1,34 @@
+'use strict';
+const state = require('./state.js');
+const workflow = require('./workflow.js');
+function draftRecommendedWorkflow(root, st, cfg = {}, opts = {}) {
+  if (!st) throw new Error('state is required');
+  if (!opts.force && st.workflow && Array.isArray(st.workflow.steps)) {
+    return { created: false, recipe: st.workflow.baseRecipe || null, reason: 'workflow already exists' };
+  }
+  const recommendation = opts.recipe
+    ? { id: opts.recipe, reason: opts.reason || 'selected by entry' }
+    : workflow.recommendRecipe(st, cfg || {});
+  const recipe = workflow.expandRecipe(recommendation.id, cfg || {});
+  validateInstalledSkills(root, recipe.steps);
+  st.workflow = workflow.createDraft({ recipe, state: st, reason: recommendation.reason });
+  state.logEvent(st, 'workflow.draft', {
+    recipe: recipe.id,
+    source: recipe.source,
+    reason: recommendation.reason,
+    auto: opts.auto === true,
+  });
+  return { created: true, recipe, reason: recommendation.reason };
+}
+function validateInstalledSkills(root, steps) {
+  for (const step of steps) {
+    if (!workflow.installedSkillExists(root, step.skill)) {
+      throw new Error(`skill is not installed in this project: ${step.skill}`);
+    }
+  }
+}
+module.exports = { draftRecommendedWorkflow };

package/src/core/workflow-picker.js ADDED Viewed

@@ -0,0 +1,154 @@
+'use strict';
+const workflow = require('./workflow.js');
+const workflowPolicy = require('./workflow-policy.js');
+const GROUPS = [
+  { id: 'core', label: '核心流程' },
+  { id: 'quality', label: '专项检查' },
+  { id: 'delivery', label: '质量闸与交付' },
+];
+const CORE_STEPS = ['requirement', 'design', 'plan', 'apply'];
+const DELIVERY_STEPS = ['review', 'verify', 'deliver', 'archive'];
+const QUALITY_CANDIDATES = [
+  { id: 'frontend-quality', skill: 'frontend-quality', label: 'frontend-quality', after: 'apply' },
+  { id: 'security-hardening', skill: 'security-hardening', label: 'security-hardening', after: 'apply' },
+  { id: 'dependency-upgrade', skill: 'dependency-upgrade', label: 'dependency-upgrade', before: 'plan' },
+  { id: 'ci-fix', skill: 'ci-fix', label: 'ci-fix', before: 'apply' },
+];
+function buildPicker(root, slug, st) {
+  const wf = st.workflow;
+  if (!wf || !Array.isArray(wf.steps)) throw new Error('workflow draft not found. run devflow flow draft first.');
+  const activeSteps = new Map((wf.steps || []).map((step) => [step.id, step]));
+  const baseStepIds = new Set((wf.baseSteps || []).map((step) => step.id));
+  const riskReasons = recommendedStepReasons(st);
+  const groups = GROUPS.map((group) => ({ ...group, items: [] }));
+  const byGroup = new Map(groups.map((group) => [group.id, group]));
+  for (const step of wf.steps || []) {
+    const group = byGroup.get(groupForStep(step));
+    group.items.push(buildItem(root, slug, step, {
+      selected: step.status !== 'disabled',
+      recommended: baseStepIds.has(step.id) || riskReasons.has(step.id),
+      reason: riskReasons.get(step.id) || (baseStepIds.has(step.id) ? 'included by base recipe' : null),
+    }));
+  }
+  for (const candidate of QUALITY_CANDIDATES) {
+    if (activeSteps.has(candidate.id)) continue;
+    byGroup.get('quality').items.push(buildItem(root, slug, {
+      id: candidate.id,
+      skill: candidate.skill,
+      label: candidate.label,
+      optional: true,
+      required: false,
+      protected: false,
+      source: 'builtin',
+      status: 'available',
+    }, {
+      selected: false,
+      recommended: riskReasons.has(candidate.id),
+      reason: riskReasons.get(candidate.id) || null,
+      command: addCommand(slug, candidate),
+    }));
+  }
+  for (const group of groups) {
+    group.items.sort((a, b) => itemOrder(a) - itemOrder(b));
+  }
+  return {
+    type: 'workflow_picker_surface',
+    layout: 'linear-grouped',
+    baseRecipe: wf.baseRecipe || null,
+    status: wf.status || null,
+    currentStep: wf.currentStep || null,
+    groups,
+    actions: {
+      card: `devflow flow card --slug=${slug} --json`,
+      check: `devflow flow check --slug=${slug} --json`,
+      applySelection: `devflow flow apply-selection --slug=${slug} --selection=<json> --json`,
+      confirm: `devflow flow confirm --slug=${slug}`,
+      suggest: `devflow flow suggest --slug=${slug} --apply-draft`,
+    },
+  };
+}
+function buildItem(root, slug, step, opts = {}) {
+  const selected = opts.selected === true;
+  const locked = step.protected === true || workflow.PROTECTED_GATES.includes(step.id);
+  return {
+    step: step.id,
+    skill: step.skill,
+    label: step.label || step.id,
+    group: groupForStep(step),
+    selected,
+    recommended: opts.recommended === true,
+    reason: opts.reason || null,
+    required: step.required === true,
+    optional: step.optional === true,
+    protected: step.protected === true,
+    locked,
+    source: step.source || null,
+    status: step.status || null,
+    installed: workflow.installedSkillExists(root, step.skill),
+    command: opts.command || commandForStep(slug, step, selected, locked),
+  };
+}
+function commandForStep(slug, step, selected, locked) {
+  if (locked) return null;
+  if (selected && step.optional) {
+    return `devflow flow disable-step ${step.id} --slug=${slug} --reason="..."`;
+  }
+  return null;
+}
+function addCommand(slug, candidate) {
+  const anchor = candidate.after ? `--after=${candidate.after}` : `--before=${candidate.before}`;
+  return `devflow flow add-step ${candidate.skill} --slug=${slug} ${anchor}`;
+}
+function recommendedStepReasons(st) {
+  const out = new Map();
+  const open = (st.riskSignals || []).filter((risk) => (risk.status || 'open') === 'open');
+  for (const risk of open) {
+    const gate = workflowPolicy.RISK_STEP_GATES[risk.type];
+    if (!gate) continue;
+    for (const stepId of gate.steps || []) {
+      out.set(stepId, `open ${risk.type} risk signal`);
+    }
+  }
+  return out;
+}
+function groupForStep(step) {
+  if (DELIVERY_STEPS.includes(step.id) || step.protected) return 'delivery';
+  if (QUALITY_CANDIDATES.some((candidate) => candidate.id === step.id) || step.optional) return 'quality';
+  if (CORE_STEPS.includes(step.id)) return 'core';
+  return 'core';
+}
+function itemOrder(item) {
+  const order = [
+    'requirement',
+    'design',
+    'plan',
+    'apply',
+    'dependency-upgrade',
+    'ci-fix',
+    'frontend-quality',
+    'security-hardening',
+    'review',
+    'verify',
+    'deliver',
+    'archive',
+  ];
+  const idx = order.indexOf(item.step);
+  return idx === -1 ? order.length : idx;
+}
+module.exports = { buildPicker };

package/src/core/workflow-policy.js ADDED Viewed

@@ -0,0 +1,119 @@
+'use strict';
+const workflowVerify = require('./workflow-verify.js');
+const RISK_STEP_GATES = {
+  frontend_change: {
+    steps: ['frontend-quality'],
+    label: '前端质量检查',
+  },
+  security_sensitive: {
+    steps: ['security-hardening'],
+    label: '安全专项检查',
+  },
+  dependency_change: {
+    steps: ['dependency-upgrade'],
+    label: '依赖升级检查',
+  },
+  ci_failure: {
+    steps: ['ci-fix'],
+    label: 'CI 修复检查',
+  },
+};
+function evaluateWorkflowChange(st, change) {
+  const action = change && change.action;
+  if (action === 'add-step') {
+    return safe('adding checks does not weaken workflow');
+  }
+  if (action === 'set-verify') {
+    const missing = workflowVerify.missingDefaultReports(st.level, change.requiredReports || change.reports || []);
+    if (missing.length) {
+      return checkpointRequired({
+        summary: `降低 verify 要求: 缺少 ${missing.join(', ')}`,
+        risks: ['降低 verify required reports 会减少本次 change 的验证证据。'],
+      });
+    }
+    return auditOnly('verify required reports are equal or stronger than level default');
+  }
+  if (action === 'move-step') {
+    const step = findStep(st.workflow, change.stepId);
+    if (isProtected(step)) {
+      return rejected(`cannot move protected workflow gate: ${change.stepId}`, [
+        'protected gates must keep review -> verify -> deliver ordering.',
+      ]);
+    }
+    return safe('moving a non-gate step is audit-only');
+  }
+  if (action === 'disable-step') {
+    const step = findStep(st.workflow, change.stepId);
+    if (isProtected(step) || step.required) {
+      return checkpointRequired({
+        summary: `禁用 required workflow step: ${change.stepId}`,
+        risks: ['禁用 required step 可能绕过 review/verify/deliver 或必要前置产物。'],
+      });
+    }
+    const risk = matchedOpenRisk(st, change.stepId);
+    if (risk) {
+      return checkpointRequired({
+        summary: `禁用风险相关 workflow step: ${change.stepId} (${risk.type})`,
+        risks: [`当前存在 ${risk.type} 风险信号，禁用 ${risk.label} 会降低本次 change 的验证覆盖。`],
+      });
+    }
+    return auditOnly('disabling optional step without mapped open risk');
+  }
+  return safe('no policy rule matched');
+}
+function matchedOpenRisk(st, stepId) {
+  const open = (st.riskSignals || []).filter((r) => (r.status || 'open') === 'open');
+  for (const r of open) {
+    const gate = RISK_STEP_GATES[r.type];
+    if (gate && gate.steps.includes(stepId)) return { type: r.type, label: gate.label };
+  }
+  return null;
+}
+function findStep(workflow, id) {
+  const step = workflow && Array.isArray(workflow.steps)
+    ? workflow.steps.find((s) => s.id === id)
+    : null;
+  if (!step) return { id, missing: true };
+  return step;
+}
+function isProtected(step) {
+  return !!(step && (step.protected || step.required || ['review', 'verify', 'deliver'].includes(step.id)));
+}
+function safe(reason) {
+  return { decision: 'safe', reason };
+}
+function auditOnly(reason) {
+  return { decision: 'audit-only', reason };
+}
+function checkpointRequired({ summary, risks }) {
+  return {
+    decision: 'checkpoint-required',
+    summary,
+    question: '这个 workflow 调整会提高风险，是否接受本次 change 的风险变化？',
+    risks,
+  };
+}
+function rejected(message, risks) {
+  return { decision: 'rejected', message, risks };
+}
+module.exports = {
+  RISK_STEP_GATES,
+  evaluateWorkflowChange,
+};

package/src/core/workflow-suggest.js ADDED Viewed

@@ -0,0 +1,181 @@
+'use strict';
+const workflowVerify = require('./workflow-verify.js');
+const INTENT_RULES = [
+  {
+    id: 'frontend-quality',
+    kind: 'step',
+    skill: 'frontend-quality',
+    patterns: [/前端/, /页面/, /\bui\b/i, /样式/, /交互/, /视觉/, /浏览器/, /react/i, /vue/i, /next/i, /vite/i],
+    reason: 'intent mentions frontend or UI quality risk',
+  },
+  {
+    id: 'security-hardening',
+    kind: 'step',
+    skill: 'security-hardening',
+    patterns: [/安全/, /权限/, /鉴权/, /认证/, /登录/, /token/i, /cookie/i, /auth/i, /加密/, /校验/],
+    reason: 'intent mentions security-sensitive behavior',
+  },
+  {
+    id: 'dependency-upgrade',
+    kind: 'recipe',
+    recipe: 'dependency-upgrade',
+    patterns: [/依赖/, /升级/, /package-lock/i, /pnpm-lock/i, /yarn\.lock/i, /go\.sum/i, /pom\.xml/i],
+    reason: 'intent mentions dependency changes',
+  },
+  {
+    id: 'ci-fix',
+    kind: 'recipe',
+    recipe: 'ci-fix',
+    patterns: [/\bci\b/i, /构建/, /流水线/, /jenkins/i, /github actions/i, /gitlab ci/i, /失败/],
+    reason: 'intent mentions CI or build failure',
+  },
+];
+const VERIFY_RULES = [
+  {
+    id: 'frontend-e2e',
+    reports: ['e2e-test.md'],
+    patterns: [/核心链路/, /主链路/, /关键路径/, /端到端/, /\be2e\b/i],
+    reason: 'intent mentions core path or e2e verification',
+  },
+];
+const RISK_SIGNAL_RULES = {
+  frontend_change: {
+    step: { id: 'frontend-quality', skill: 'frontend-quality' },
+    reports: ['e2e-test.md'],
+    reason: 'open frontend_change risk signal',
+  },
+  security_sensitive: {
+    step: { id: 'security-hardening', skill: 'security-hardening' },
+    reports: ['contract-test.md'],
+    reason: 'open security_sensitive risk signal',
+  },
+  dependency_change: {
+    recipe: 'dependency-upgrade',
+    reason: 'open dependency_change risk signal',
+  },
+  ci_failure: {
+    recipe: 'ci-fix',
+    reason: 'open ci_failure risk signal',
+  },
+};
+function suggestWorkflowOverrides(intent, workflow, options = {}) {
+  const text = String(intent || '').trim();
+  const existing = new Set(((workflow && workflow.steps) || []).map((s) => s.id));
+  const suggestedSteps = new Set(existing);
+  const suggestedRecipes = new Set();
+  const suggestions = [];
+  let after = existing.has('apply') ? 'apply' : null;
+  for (const rule of INTENT_RULES) {
+    if (!matches(rule, text)) continue;
+    if (rule.kind === 'recipe') {
+      pushRecipeSuggestion(suggestions, suggestedRecipes, rule.recipe, rule.reason);
+      continue;
+    }
+    after = pushStepSuggestion(suggestions, suggestedSteps, { id: rule.id, skill: rule.skill, after, reason: rule.reason }) || after;
+  }
+  const currentReports = workflowVerify.requiredReportsForState({
+    level: options.level,
+    workflow,
+  });
+  let reportBase = currentReports;
+  for (const rule of VERIFY_RULES) {
+    if (!matches(rule, text)) continue;
+    const suggestion = buildVerifySuggestion(reportBase, rule.reports, rule.reason);
+    if (suggestion) {
+      suggestions.push(suggestion);
+      reportBase = suggestion.reports;
+    }
+  }
+  for (const risk of openRiskSignals(options.riskSignals)) {
+    const rule = RISK_SIGNAL_RULES[risk.type];
+    if (!rule) continue;
+    if (rule.recipe) pushRecipeSuggestion(suggestions, suggestedRecipes, rule.recipe, rule.reason);
+    if (rule.step) {
+      after = pushStepSuggestion(suggestions, suggestedSteps, {
+        id: rule.step.id,
+        skill: rule.step.skill,
+        after,
+        reason: rule.reason,
+      }) || after;
+    }
+    if (rule.reports) {
+      const suggestion = buildVerifySuggestion(reportBase, rule.reports, rule.reason);
+      if (suggestion) {
+        suggestions.push(suggestion);
+        reportBase = suggestion.reports;
+      }
+    }
+  }
+  return suggestions;
+}
+function matches(rule, text) {
+  if (!text) return false;
+  return rule.patterns.some((pattern) => pattern.test(text));
+}
+function withReports(base, extra) {
+  const out = workflowVerify.normalizeReportList(base);
+  const seen = new Set(out);
+  for (const report of workflowVerify.normalizeReportList(extra)) {
+    if (!seen.has(report)) {
+      out.push(report);
+      seen.add(report);
+    }
+  }
+  return out;
+}
+function buildVerifySuggestion(baseReports, extraReports, reason) {
+  const nextReports = withReports(baseReports, extraReports);
+  if (nextReports.length === baseReports.length) return null;
+  return {
+    type: 'set-verify',
+    reports: nextReports,
+    reportArgs: nextReports.map(workflowVerify.reportKindFromName),
+    reason,
+  };
+}
+function pushStepSuggestion(suggestions, suggestedSteps, { id, skill, after, reason }) {
+  if (suggestedSteps.has(id)) return null;
+  suggestions.push({
+    type: 'add-step',
+    step: id,
+    skill,
+    after,
+    reason,
+  });
+  suggestedSteps.add(id);
+  return id;
+}
+function pushRecipeSuggestion(suggestions, suggestedRecipes, recipe, reason) {
+  if (suggestedRecipes.has(recipe)) return;
+  suggestions.push({
+    type: 'recipe',
+    recipe,
+    reason,
+  });
+  suggestedRecipes.add(recipe);
+}
+function openRiskSignals(riskSignals) {
+  return (riskSignals || []).filter((risk) => (risk.status || 'open') === 'open');
+}
+module.exports = {
+  INTENT_RULES,
+  VERIFY_RULES,
+  RISK_SIGNAL_RULES,
+  suggestWorkflowOverrides,
+};