@colin4k1024/tsp 2.4.0 → 2.4.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +87 -4
- package/bin/lib/post-install-bridge.js +2 -2
- package/bin/tsp-create.js +11 -11
- package/commands/team-help.md +2 -2
- package/commands/team-plan.md +1 -1
- package/commands/update-codemaps.md +3 -2
- package/docs/.vitepress/config.mts +199 -0
- package/docs/adr/ADR-001-doc-architecture-integration.md +33 -0
- package/docs/guides/README.md +5 -0
- package/docs/guides/installation.md +33 -0
- package/docs/guides/user-guide.md +36 -0
- package/docs/index.md +65 -0
- package/docs/memory/backlog.md +10 -0
- package/docs/memory/decisions.md +43 -0
- package/docs/memory/lessons-learned.md +87 -0
- package/docs/plans/2026-04-03-python-remnants-audit.md +265 -0
- package/docs/plans/2026-04-03-scripts-python-to-js-migration.md +372 -0
- package/docs/plans/2026-04-03-solo-delivery-execution-checklist.md +413 -0
- package/docs/plans/2026-04-03-solo-delivery-gap-plan.md +377 -0
- package/docs/plans/2026-04-03-team-skills-workflow-gates.md +548 -0
- package/docs/plans/2026-04-21-open-source-readiness-gap-plan.md +217 -0
- package/docs/plans/llm-surface-reduction-audit.md +147 -0
- package/docs/plans/llm-surface-reduction-execution-checklist.md +217 -0
- package/docs/plans/llm-surface-reduction-execution-history.md +124 -0
- package/docs/plans/team-skills-platform-migration.md +54 -0
- package/docs/presentation/README.md +42 -0
- package/docs/presentation/audience-presentation-route-map.md +84 -0
- package/docs/presentation/executive-briefing-talk-track.md +50 -0
- package/docs/presentation/generate_capability_matrix.py +396 -0
- package/docs/presentation/generate_ppt.py +354 -0
- package/docs/presentation/implementation-onboarding-brief.md +38 -0
- package/docs/presentation/presentation-talk-track.md +97 -0
- package/docs/presentation/vertical-scenario-route-map.md +99 -0
- package/docs/presentation/workshop-facilitator-guide.md +47 -0
- package/docs/runbooks/actionlint-workflow-gates.md +80 -0
- package/docs/runbooks/agent-governance.md +131 -0
- package/docs/runbooks/ai-eval-platform-demo-execution-log.md +147 -0
- package/docs/runbooks/ai-eval-platform-demo-script.md +136 -0
- package/docs/runbooks/ai-eval-platform-walkthrough.md +113 -0
- package/docs/runbooks/ai-pr-review-automation.md +56 -0
- package/docs/runbooks/api-breaking-change-gates.md +58 -0
- package/docs/runbooks/api-design-evolution-walkthrough.md +42 -0
- package/docs/runbooks/api-lint-gates.md +57 -0
- package/docs/runbooks/api-mocking-strategy-and-lifecycle-guide.md +47 -0
- package/docs/runbooks/architect-daily-operations.md +63 -0
- package/docs/runbooks/architect-design-conversation-example.md +83 -0
- package/docs/runbooks/artifact-attestation-gates.md +75 -0
- package/docs/runbooks/artifact-persistence.md +257 -0
- package/docs/runbooks/backend-engineer-daily-operations.md +63 -0
- package/docs/runbooks/batch-optimization-completion-checklist.md +104 -0
- package/docs/runbooks/biz-service-designer-end-to-end-conversation-example.md +5 -0
- package/docs/runbooks/biz-service-designer-toolkit.md +5 -0
- package/docs/runbooks/bug-fix-complete-walkthrough.md +60 -0
- package/docs/runbooks/build-failure-recovery-walkthrough.md +40 -0
- package/docs/runbooks/canary-decision-matrix.md +41 -0
- package/docs/runbooks/canary-staging-release-walkthrough.md +46 -0
- package/docs/runbooks/checkov-iac-gates.md +104 -0
- package/docs/runbooks/claude-code-review-workflow.md +72 -0
- package/docs/runbooks/claude-conversation-prompt-recipes.md +132 -0
- package/docs/runbooks/claude-end-to-end-conversation-example.md +198 -0
- package/docs/runbooks/claude-feature-development-guide.md +112 -0
- package/docs/runbooks/claude-quick-start.md +227 -0
- package/docs/runbooks/claude-usage-scenarios.md +176 -0
- package/docs/runbooks/code-review-collaboration-walkthrough.md +65 -0
- package/docs/runbooks/codeql-pr-security-gates.md +64 -0
- package/docs/runbooks/codex-end-to-end-conversation-example.md +166 -0
- package/docs/runbooks/codex-multi-agent-orchestration.md +65 -0
- package/docs/runbooks/codex-parallel-prompt-recipes.md +131 -0
- package/docs/runbooks/codex-quick-start.md +223 -0
- package/docs/runbooks/codex-usage-scenarios.md +168 -0
- package/docs/runbooks/codex-workflow-essentials.md +88 -0
- package/docs/runbooks/command-and-capability-matrix.md +162 -0
- package/docs/runbooks/conftest-policy-gates.md +84 -0
- package/docs/runbooks/consumer-driven-contract-testing-with-mock-alignment.md +45 -0
- package/docs/runbooks/contract-testing-playbook.md +78 -0
- package/docs/runbooks/cosign-signing-gates.md +71 -0
- package/docs/runbooks/cross-role-issue-triage-walkthrough.md +47 -0
- package/docs/runbooks/cursor-quick-start.md +123 -0
- package/docs/runbooks/custom-overlay.md +115 -0
- package/docs/runbooks/data-ml-pipeline-demo-execution-log.md +141 -0
- package/docs/runbooks/data-ml-pipeline-demo-script.md +102 -0
- package/docs/runbooks/data-ml-pipeline-walkthrough.md +119 -0
- package/docs/runbooks/data-observability-quality-demo-execution-log.md +36 -0
- package/docs/runbooks/data-observability-quality-demo-script.md +42 -0
- package/docs/runbooks/data-observability-quality-walkthrough.md +86 -0
- package/docs/runbooks/demo-deliverables-overview.md +278 -0
- package/docs/runbooks/demo-execution-log.md +530 -0
- package/docs/runbooks/demo-scenario.md +129 -0
- package/docs/runbooks/dependency-review-gates.md +63 -0
- package/docs/runbooks/dependency-update-automation.md +83 -0
- package/docs/runbooks/design-md-workflow.md +185 -0
- package/docs/runbooks/devops-engineer-daily-operations.md +60 -0
- package/docs/runbooks/devops-release-conversation-example.md +88 -0
- package/docs/runbooks/doc-architecture-integration.md +59 -0
- package/docs/runbooks/doc-architecture-quick-start.md +122 -0
- package/docs/runbooks/document-execution-audit.md +32 -0
- package/docs/runbooks/documentation-update-walkthrough.md +37 -0
- package/docs/runbooks/ecc-harness-usage.md +93 -0
- package/docs/runbooks/error-experience-usage.md +116 -0
- package/docs/runbooks/evolution-usage.md +162 -0
- package/docs/runbooks/executive-value-one-page.md +55 -0
- package/docs/runbooks/external-capability-approval-and-enablement-workflow.md +39 -0
- package/docs/runbooks/external-capability-intake.md +160 -0
- package/docs/runbooks/first-team-command-60-seconds.md +96 -0
- package/docs/runbooks/first-team-workflow-walkthrough.md +245 -0
- package/docs/runbooks/frontend-backend-integration-acceptance-checklist.md +46 -0
- package/docs/runbooks/frontend-backend-parallel-integration-walkthrough.md +48 -0
- package/docs/runbooks/frontend-bugfix-one-page.md +82 -0
- package/docs/runbooks/frontend-engineer-daily-operations.md +60 -0
- package/docs/runbooks/frontend-enterprise-style-profile.md +5 -0
- package/docs/runbooks/frontend-governance.md +47 -0
- package/docs/runbooks/frontend-refactor-walkthrough.md +42 -0
- package/docs/runbooks/git-pr-workflow.md +63 -0
- package/docs/runbooks/github-actions-supply-chain-demo-execution-log.md +158 -0
- package/docs/runbooks/github-actions-supply-chain-demo-script.md +150 -0
- package/docs/runbooks/github-actions-supply-chain-walkthrough.md +117 -0
- package/docs/runbooks/github-token-permissions-baseline.md +92 -0
- package/docs/runbooks/gitlab-manual-pipeline-release.md +5 -0
- package/docs/runbooks/gitlab-release-integration-playbook.md +5 -0
- package/docs/runbooks/gitnexus-code-intelligence-usage.md +133 -0
- package/docs/runbooks/graphify-knowledge-graph-usage.md +88 -0
- package/docs/runbooks/handoff-filling-guide-with-examples.md +70 -0
- package/docs/runbooks/handoff-governance.md +250 -0
- package/docs/runbooks/helm-unittest-playbook.md +101 -0
- package/docs/runbooks/hotfix-emergency-release-walkthrough.md +60 -0
- package/docs/runbooks/iac-kubernetes-platform-demo-execution-log.md +144 -0
- package/docs/runbooks/iac-kubernetes-platform-demo-script.md +130 -0
- package/docs/runbooks/iac-kubernetes-platform-walkthrough.md +120 -0
- package/docs/runbooks/implementation-onboarding-reading-path.md +67 -0
- package/docs/runbooks/in-toto-attestation-framework.md +94 -0
- package/docs/runbooks/incident-severity-triage-tree.md +43 -0
- package/docs/runbooks/incident-triage-one-page.md +65 -0
- package/docs/runbooks/internal-developer-platform-demo-execution-log.md +36 -0
- package/docs/runbooks/internal-developer-platform-demo-script.md +42 -0
- package/docs/runbooks/internal-developer-platform-walkthrough.md +91 -0
- package/docs/runbooks/karpathy-guidelines-usage.md +27 -0
- package/docs/runbooks/kubeconform-schema-gates.md +100 -0
- package/docs/runbooks/kubectl-server-dry-run-gates.md +103 -0
- package/docs/runbooks/kyverno-policy-gates.md +90 -0
- package/docs/runbooks/langfuse-and-observability-integration-guide.md +43 -0
- package/docs/runbooks/langfuse-coding-trace.md +44 -0
- package/docs/runbooks/mobile-miniapp-delivery-walkthrough.md +112 -0
- package/docs/runbooks/mobile-miniapp-demo-execution-log.md +139 -0
- package/docs/runbooks/mobile-miniapp-demo-script.md +129 -0
- package/docs/runbooks/multi-service-backend-integration-walkthrough.md +61 -0
- package/docs/runbooks/open-design-integration.md +163 -0
- package/docs/runbooks/open-source-release-checklist.md +90 -0
- package/docs/runbooks/opencode-quick-start.md +128 -0
- package/docs/runbooks/parallel-development-coordination-walkthrough.md +47 -0
- package/docs/runbooks/parallel-execution-usage.md +179 -0
- package/docs/runbooks/platform-capability-demo-execution-log.md +184 -0
- package/docs/runbooks/platform-capability-demo-script.md +192 -0
- package/docs/runbooks/plugin-extension-platform-demo-execution-log.md +136 -0
- package/docs/runbooks/plugin-extension-platform-demo-script.md +102 -0
- package/docs/runbooks/plugin-extension-platform-walkthrough.md +111 -0
- package/docs/runbooks/policy-controller-gates.md +75 -0
- package/docs/runbooks/post-rollback-verification-checklist.md +37 -0
- package/docs/runbooks/pre-release-checklist.md +50 -0
- package/docs/runbooks/product-manager-clarification-conversation-example.md +90 -0
- package/docs/runbooks/product-manager-daily-operations.md +60 -0
- package/docs/runbooks/production-incident-response-walkthrough.md +50 -0
- package/docs/runbooks/project-claude-design-rationale.md +188 -0
- package/docs/runbooks/project-manager-daily-operations.md +61 -0
- package/docs/runbooks/project-manager-planning-conversation-example.md +82 -0
- package/docs/runbooks/project-onboarding.md +452 -0
- package/docs/runbooks/qa-engineer-daily-operations.md +63 -0
- package/docs/runbooks/qa-review-conversation-example.md +87 -0
- package/docs/runbooks/release-closure-one-page.md +65 -0
- package/docs/runbooks/release-governance-reading-path.md +56 -0
- package/docs/runbooks/release-notes-automation.md +48 -0
- package/docs/runbooks/release-rollback-recovery-walkthrough.md +47 -0
- package/docs/runbooks/requirement-clarity-and-scope-walkthrough.md +46 -0
- package/docs/runbooks/reviewdog-pr-gates.md +49 -0
- package/docs/runbooks/role-prompt-recipes.md +130 -0
- package/docs/runbooks/rtk-integration-intake.md +45 -0
- package/docs/runbooks/rtk-token-optimization-usage.md +107 -0
- package/docs/runbooks/runner-egress-hardening.md +81 -0
- package/docs/runbooks/runtime-capabilities-overview.md +113 -0
- package/docs/runbooks/sbom-generation-gates.md +71 -0
- package/docs/runbooks/scorecard-supply-chain-gates.md +82 -0
- package/docs/runbooks/secret-scanning-gates.md +85 -0
- package/docs/runbooks/security-compliance-platform-demo-execution-log.md +36 -0
- package/docs/runbooks/security-compliance-platform-demo-script.md +49 -0
- package/docs/runbooks/security-compliance-platform-walkthrough.md +98 -0
- package/docs/runbooks/slsa-generator-patterns.md +73 -0
- package/docs/runbooks/slsa-verification-gates.md +75 -0
- package/docs/runbooks/solo-delivery-mode.md +142 -0
- package/docs/runbooks/solo-delivery-one-page.md +111 -0
- package/docs/runbooks/specialist-commands-playbook.md +85 -0
- package/docs/runbooks/sub-agent-invocation-map.md +144 -0
- package/docs/runbooks/system-architecture-design-walkthrough.md +49 -0
- package/docs/runbooks/team-closeout-example.md +73 -0
- package/docs/runbooks/team-command-output-contracts.md +358 -0
- package/docs/runbooks/team-commands-quick-prompts.md +125 -0
- package/docs/runbooks/team-execute-example.md +63 -0
- package/docs/runbooks/team-handoff-example.md +49 -0
- package/docs/runbooks/team-intake-example.md +70 -0
- package/docs/runbooks/team-plan-example.md +62 -0
- package/docs/runbooks/team-release-example.md +63 -0
- package/docs/runbooks/team-review-example.md +61 -0
- package/docs/runbooks/team-skills-test-run.md +184 -0
- package/docs/runbooks/team-skills-usage.md +336 -0
- package/docs/runbooks/team-training-reading-path.md +64 -0
- package/docs/runbooks/tech-lead-closure-conversation-example.md +78 -0
- package/docs/runbooks/tech-lead-daily-operations.md +67 -0
- package/docs/runbooks/trivy-security-gates.md +79 -0
- package/docs/runbooks/troubleshooting.md +234 -0
- package/docs/runbooks/vertical-scenario-capability-matrix.md +107 -0
- package/docs/runbooks/witness-policy-gates.md +78 -0
- package/docs/runbooks/zizmor-workflow-audits.md +81 -0
- package/manifests/install-components.json +9 -1
- package/manifests/install-modules.json +38 -2
- package/manifests/install-profiles.json +2 -0
- package/package.json +4 -1
- package/scripts/gitnexus-preflight.js +187 -0
- package/scripts/install-apply.js +9 -0
- package/scripts/install-open-design.js +206 -0
- package/scripts/install-plan.js +17 -0
- package/scripts/lib/install/apply.js +31 -0
- package/scripts/lib/install-executor.js +56 -0
- package/scripts/lib/team-skills-data.json +7 -6
- package/scripts/project-progress.js +852 -0
- package/scripts/release-health-summary.js +49 -7
- package/scripts/release.sh +1 -1
- package/scripts/validate-packed-tarball.js +25 -0
- package/scripts/workflow-help.js +3 -3
- package/skills/gitnexus/SKILL.md +60 -0
- package/skills/gitnexus/agents/openai.yaml +4 -0
- package/skills/open-design/SKILL.md +87 -0
- package/skills/open-design/agents/openai.yaml +4 -0
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
# API Breaking Change 门禁手册
|
|
2
|
+
|
|
3
|
+
本手册承接 `OpenAPITools/openapi-diff` 的工程实践,用于把 OpenAPI 契约变更从“人工肉眼比对”升级为可执行的 breaking change 检查。它是 API 契约治理和发布前验证的补充,不替代 `api-contract` 或 `/team-review` 的人工判断。
|
|
4
|
+
|
|
5
|
+
## 适用场景
|
|
6
|
+
|
|
7
|
+
- 接口契约以 OpenAPI 形式维护,且需要评估本次变更是否破坏向后兼容。
|
|
8
|
+
- 发布前需要明确区分 `breaking / non-breaking / unclassified` 风险。
|
|
9
|
+
- 多团队共享 API,不能只靠 reviewer 凭记忆判断兼容性。
|
|
10
|
+
|
|
11
|
+
## 不适用场景
|
|
12
|
+
|
|
13
|
+
- 当前接口尚未形成可比对的 OpenAPI 基线文件。
|
|
14
|
+
- 变更只停留在实现层,没有对外契约变化。
|
|
15
|
+
- 团队没有清晰的版本或兼容性策略,diff 结果即使出来也没人负责解释。
|
|
16
|
+
|
|
17
|
+
## 推荐落地方式
|
|
18
|
+
|
|
19
|
+
1. 先锁定比较对象:`baseline spec` 与 `candidate spec`,不要拿不完整或不同环境生成的产物直接互比。
|
|
20
|
+
2. 在做 diff 前,优先用 [api-lint-gates.md](api-lint-gates.md) 确认 spec 本身结构稳定;否则 diff 容易混入低质量文档噪音。
|
|
21
|
+
3. 在方案或实现阶段先做一次预比对,尽早发现潜在 breaking change,不要等到发布前才第一次看结果。
|
|
22
|
+
4. 对 diff 结果分类处理:
|
|
23
|
+
- 明确 breaking:必须改设计、升版本、做兼容层,或由 `tech-lead` 显式接受风险
|
|
24
|
+
- 明确非 breaking:记录结论,继续后续测试和发布
|
|
25
|
+
- 无法自动判断:回到 `architect` / `backend-engineer` 做人工契约评审
|
|
26
|
+
5. 把 diff 结论回写到 `API Contract`、`/team-review` 或 `/team-release`,不要让结果停留在 CI 日志里。
|
|
27
|
+
|
|
28
|
+
## 最小门禁模型
|
|
29
|
+
|
|
30
|
+
- `input layer`:稳定的基线 OpenAPI 文件 + 当前候选 OpenAPI 文件
|
|
31
|
+
- `diff layer`:生成 breaking / changed / compatible 结果
|
|
32
|
+
- `decision layer`:`architect`、`backend-engineer`、`qa-engineer`、`tech-lead` 判断是否阻塞
|
|
33
|
+
|
|
34
|
+
这三层必须分开:工具给出“发现”,团队给出“结论”。
|
|
35
|
+
|
|
36
|
+
## 重点检查项
|
|
37
|
+
|
|
38
|
+
- 删除 path、operation、response field、enum 值或 required 字段
|
|
39
|
+
- 修改字段类型、约束、状态码语义或鉴权要求
|
|
40
|
+
- 新增字段但改变默认行为、分页语义或错误处理方式
|
|
41
|
+
- 文档中写着兼容,结果 diff 却显示 breaking
|
|
42
|
+
|
|
43
|
+
## 反模式
|
|
44
|
+
|
|
45
|
+
- 用实现代码或接口联调结果替代契约 diff。
|
|
46
|
+
- 基线文件不稳定,却把 diff 结果当正式阻塞门禁。
|
|
47
|
+
- 工具报告 breaking,团队却不做任何版本/兼容性说明。
|
|
48
|
+
- 只看“有无 diff”,不解释 diff 为什么重要、影响哪些调用方。
|
|
49
|
+
|
|
50
|
+
## 输出回落
|
|
51
|
+
|
|
52
|
+
- 设计阶段:把兼容性结论回写到 [api-contract.md](../../templates/api-contract.md) 的兼容性部分。
|
|
53
|
+
- 评审阶段:在 `/team-review` 中记录 breaking change 是否阻塞、影响哪些调用方、需要哪些补救动作。
|
|
54
|
+
- 发布阶段:若 breaking risk 仍存在,必须同步到 `/team-release` 的放行结论或观察项。
|
|
55
|
+
|
|
56
|
+
## 参考来源
|
|
57
|
+
|
|
58
|
+
- [OpenAPITools/openapi-diff](https://github.com/OpenAPITools/openapi-diff)
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
---
|
|
2
|
+
version: "0.1.0"
|
|
3
|
+
status: draft
|
|
4
|
+
created: 2026-03-28
|
|
5
|
+
updated: 2026-03-28
|
|
6
|
+
owner: 工程团队
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
# API 设计与演进演练
|
|
10
|
+
|
|
11
|
+
本文演示接口从设计、联调到兼容性验证的完整链路,适用于前后端协作和跨服务接口调整。
|
|
12
|
+
|
|
13
|
+
## 1. 场景
|
|
14
|
+
|
|
15
|
+
- 订单查询接口新增状态聚合字段
|
|
16
|
+
- 前端需要新字段,旧调用方不能被破坏
|
|
17
|
+
- 需要补契约说明和联调验证
|
|
18
|
+
|
|
19
|
+
## 2. 推荐链路
|
|
20
|
+
|
|
21
|
+
1. `/team-intake`
|
|
22
|
+
2. `/team-plan`
|
|
23
|
+
3. `/multi-backend`
|
|
24
|
+
4. `/team-execute`
|
|
25
|
+
5. `/code-review`
|
|
26
|
+
6. `/verify`
|
|
27
|
+
7. `/handoff`
|
|
28
|
+
|
|
29
|
+
## 3. 关键输出
|
|
30
|
+
|
|
31
|
+
- 接口变更说明
|
|
32
|
+
- 兼容性策略
|
|
33
|
+
- 联调结果
|
|
34
|
+
- 回滚与降级说明
|
|
35
|
+
|
|
36
|
+
## 4. 常见错误
|
|
37
|
+
|
|
38
|
+
- 只说新增字段,不说兼容性
|
|
39
|
+
- 后端改完才通知前端
|
|
40
|
+
- 没有明确哪些调用方需要回归
|
|
41
|
+
|
|
42
|
+
与后端角色说明配合阅读:[backend-engineer-daily-operations.md](backend-engineer-daily-operations.md)
|
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
# API Lint 门禁手册
|
|
2
|
+
|
|
3
|
+
本手册承接 `stoplightio/spectral` 的工程实践,用于把 OpenAPI / AsyncAPI 规范从“口头约定”升级为可执行的 lint ruleset。它是接口设计与契约治理的补充,不替代 `api-contract` 或架构评审。
|
|
4
|
+
|
|
5
|
+
## 适用场景
|
|
6
|
+
|
|
7
|
+
- 团队以 OpenAPI 或 AsyncAPI 维护接口文档,希望对命名、错误响应、分页、鉴权等规则做统一检查。
|
|
8
|
+
- 仓库已经有 API spec 文件,但 review 还在靠人工发现风格不一致或漏填字段。
|
|
9
|
+
- 需要把“API 规范应该怎样写”沉淀成能重复执行的 ruleset。
|
|
10
|
+
|
|
11
|
+
## 不适用场景
|
|
12
|
+
|
|
13
|
+
- 当前 API 规格尚不稳定,连基础字段和输出格式都在快速漂移。
|
|
14
|
+
- 团队还没统一基本 API 设计原则,却急着上大量 lint 规则。
|
|
15
|
+
- 希望用 lint 结果替代人工设计评审或兼容性判断。
|
|
16
|
+
|
|
17
|
+
## 推荐落地方式
|
|
18
|
+
|
|
19
|
+
1. 先把规则分层:
|
|
20
|
+
- `baseline rules`:必须满足的结构性要求,例如 operationId、response、schema 引用、错误响应
|
|
21
|
+
- `style rules`:命名、描述、tag、分页约定等风格规则
|
|
22
|
+
2. 第一阶段只启用高信号规则,先压住明显缺陷,不要一开始就把所有风格问题都做成阻塞项。
|
|
23
|
+
3. 本地和 CI 使用同一套 ruleset,保证开发者能复现 lint 结果。
|
|
24
|
+
4. 先 lint,再做 breaking change diff;否则候选 spec 本身不稳定,diff 结论也会失真。
|
|
25
|
+
5. lint 结果要回写到 API 契约和 review 结论里,而不是只留在命令行输出。
|
|
26
|
+
|
|
27
|
+
## 最小门禁模型
|
|
28
|
+
|
|
29
|
+
- `input layer`:稳定的 OpenAPI / AsyncAPI 文件
|
|
30
|
+
- `lint layer`:ruleset 输出错误、警告和建议
|
|
31
|
+
- `decision layer`:`architect`、`backend-engineer`、`qa-engineer`、`tech-lead` 判断哪些规则阻塞、哪些暂时接受
|
|
32
|
+
|
|
33
|
+
工具负责指出偏差,团队负责定义规则和接受风险。
|
|
34
|
+
|
|
35
|
+
## 推荐优先检查项
|
|
36
|
+
|
|
37
|
+
- operationId、summary、description、tags 是否完整
|
|
38
|
+
- 错误响应、鉴权要求、分页参数是否缺失
|
|
39
|
+
- schema 引用、命名约定、枚举描述是否一致
|
|
40
|
+
- 是否存在空 response schema、未定义错误码、含糊字段名或重复 path 设计
|
|
41
|
+
|
|
42
|
+
## 反模式
|
|
43
|
+
|
|
44
|
+
- 还没对齐 API 设计原则,就先把 lint 全面阻塞。
|
|
45
|
+
- 本地和 CI 的 ruleset 不一致,导致 PR 报错无法复现。
|
|
46
|
+
- 用 lint 替代设计 review,结果结构整齐但语义仍然有问题。
|
|
47
|
+
- 只看 warning 数量,不分析哪些规则真正影响协作和兼容性。
|
|
48
|
+
|
|
49
|
+
## 输出回落
|
|
50
|
+
|
|
51
|
+
- 设计阶段:把规则偏差和例外说明回写到 [api-contract.md](../../templates/api-contract.md) 或方案说明。
|
|
52
|
+
- 评审阶段:在 `/team-review` 或 `/code-review` 中明确哪些 lint 问题阻塞、哪些属于暂时接受的风格偏差。
|
|
53
|
+
- 发布阶段:若 lint 规则属于正式门禁,结果同步到 `/team-release` 的检查项或放行前提。
|
|
54
|
+
|
|
55
|
+
## 参考来源
|
|
56
|
+
|
|
57
|
+
- [stoplightio/spectral](https://github.com/stoplightio/spectral)
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
---
|
|
2
|
+
version: "0.1.0"
|
|
3
|
+
status: draft
|
|
4
|
+
created: 2026-03-28
|
|
5
|
+
updated: 2026-03-28
|
|
6
|
+
owner: 工程团队
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
# API Mock 策略与生命周期手册
|
|
10
|
+
|
|
11
|
+
本文说明前后端并行开发时,Mock 应该如何选型、使用、同步和下线。它补的是工程实践,不替代接口契约、contract testing 或真实联调。
|
|
12
|
+
|
|
13
|
+
## 1. 什么时候需要 Mock
|
|
14
|
+
|
|
15
|
+
- 前端先于后端开工
|
|
16
|
+
- 接口契约已基本稳定,但实现尚未交付
|
|
17
|
+
- QA 需要提前准备部分验收路径
|
|
18
|
+
|
|
19
|
+
## 2. Mock 的选型思路
|
|
20
|
+
|
|
21
|
+
- 固定 fixture:适合稳定 happy path
|
|
22
|
+
- 拦截型 mock:适合前端页面开发与交互验证
|
|
23
|
+
- 轻量 HTTP mock 服务:适合多端共享同一份假数据
|
|
24
|
+
- provider stub:适合后端依赖未就绪时的集成占位
|
|
25
|
+
|
|
26
|
+
## 3. 生命周期管理
|
|
27
|
+
|
|
28
|
+
- 立项时:明确是否允许 Mock 驱动开发
|
|
29
|
+
- plan 阶段:写清楚谁维护 Mock 和何时切真实接口
|
|
30
|
+
- execute 阶段:记录 Mock 覆盖的场景和已知缺口
|
|
31
|
+
- 联调阶段:把 Mock 与真实接口差异回写 handoff
|
|
32
|
+
- review 阶段:清理过期 Mock,避免长期漂移
|
|
33
|
+
|
|
34
|
+
## 4. 最小交接要求
|
|
35
|
+
|
|
36
|
+
- Mock 覆盖了哪些请求与响应
|
|
37
|
+
- 哪些字段仍待真实接口确认
|
|
38
|
+
- 切换真实接口的检查点
|
|
39
|
+
- 哪些问题不能靠 Mock 证明
|
|
40
|
+
|
|
41
|
+
## 5. 常见错误
|
|
42
|
+
|
|
43
|
+
- 契约还没稳定就先写大量 Mock
|
|
44
|
+
- Mock 数据和真实接口长期分叉
|
|
45
|
+
- 联调完成后没有回收临时 Mock
|
|
46
|
+
|
|
47
|
+
与这些文档配合阅读:[frontend-backend-parallel-integration-walkthrough.md](frontend-backend-parallel-integration-walkthrough.md)、[contract-testing-playbook.md](contract-testing-playbook.md)
|
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
---
|
|
2
|
+
version: "0.1.0"
|
|
3
|
+
status: draft
|
|
4
|
+
created: 2026-03-28
|
|
5
|
+
updated: 2026-03-28
|
|
6
|
+
owner: 工程团队
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
# Architect 日常操作手册
|
|
10
|
+
|
|
11
|
+
本文面向架构师,说明系统边界、接口契约、技术方案与风险控制如何在 Team Skills Platform 下落地。
|
|
12
|
+
|
|
13
|
+
如果你想先看平台当前有哪些公开命令和能力映射,先读 [command-and-capability-matrix.md](command-and-capability-matrix.md)。
|
|
14
|
+
|
|
15
|
+
## 1. 你的默认职责
|
|
16
|
+
|
|
17
|
+
- 明确系统边界、依赖关系和关键约束
|
|
18
|
+
- 产出 ADR、接口契约、数据模型或实施边界说明
|
|
19
|
+
- 识别中长期技术风险和短期实施风险
|
|
20
|
+
- 把设计结论结构化交接给研发、QA 和 tech-lead
|
|
21
|
+
|
|
22
|
+
## 2. 开始设计前必须确认什么
|
|
23
|
+
|
|
24
|
+
- 需求目标、范围外事项和成功标准是否清楚
|
|
25
|
+
- 当前任务是接口演进、系统重构还是跨服务协作
|
|
26
|
+
- 哪些约束不可打破,例如兼容性、稳定性、权限边界
|
|
27
|
+
- 哪些风险需要在 plan 阶段提前暴露
|
|
28
|
+
|
|
29
|
+
## 3. 设计时的固定检查
|
|
30
|
+
|
|
31
|
+
- 边界是否单一清楚
|
|
32
|
+
- 契约是否可消费、可验证
|
|
33
|
+
- 兼容性和迁移路径是否说明
|
|
34
|
+
- 非功能约束是否写明
|
|
35
|
+
- 实施方是否能据此落地
|
|
36
|
+
|
|
37
|
+
## 4. 应交付什么
|
|
38
|
+
|
|
39
|
+
- 方案摘要
|
|
40
|
+
- ADR 或替代决策记录
|
|
41
|
+
- 接口或数据契约
|
|
42
|
+
- 实施建议与风险提醒
|
|
43
|
+
- 需要 handoff 的重点事项
|
|
44
|
+
|
|
45
|
+
如果需要成文化 ADR,直接按 [artifact-standards.md](../../rules/artifact-standards.md) 中的 ADR 最小字段组织:决策信息、背景与约束、备选方案、决策结果、企业内控补充、后续动作。
|
|
46
|
+
|
|
47
|
+
## 5. 常用命令组合
|
|
48
|
+
|
|
49
|
+
- `/team-intake`:确认目标、范围和约束
|
|
50
|
+
- `/team-plan`:把设计任务放入主链拆解
|
|
51
|
+
- `/multi-backend` 或 `/plan`:做专项方案分析
|
|
52
|
+
- `/tdd`:在高返工风险任务里提前锁边界行为和验证口径
|
|
53
|
+
- `/handoff`:把方案交给研发与 QA
|
|
54
|
+
- `/team-review`:确认方案落地后的剩余风险
|
|
55
|
+
|
|
56
|
+
## 6. 常见错误
|
|
57
|
+
|
|
58
|
+
- 设计只停留在概念层,没有可执行边界
|
|
59
|
+
- 契约写了 happy path,没有错误和兼容策略
|
|
60
|
+
- 方案已明确适合测试先行,却没有把 `/tdd` 约束前置到实现阶段
|
|
61
|
+
- 复杂任务没有留下决策记录
|
|
62
|
+
|
|
63
|
+
建议与这些文档配合阅读:[api-design-evolution-walkthrough.md](api-design-evolution-walkthrough.md)、[system-architecture-design-walkthrough.md](system-architecture-design-walkthrough.md)、[architect-design-conversation-example.md](architect-design-conversation-example.md)
|
|
@@ -0,0 +1,83 @@
|
|
|
1
|
+
---
|
|
2
|
+
version: "0.1.0"
|
|
3
|
+
status: draft
|
|
4
|
+
created: 2026-03-28
|
|
5
|
+
updated: 2026-03-28
|
|
6
|
+
owner: 工程团队
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
# Architect 方案设计对话样例
|
|
10
|
+
|
|
11
|
+
本文给出一份偏 Architect 视角的成品对话样例,重点展示怎样把系统边界、契约、兼容性和实施风险整理成可执行方案,而不是停留在概念描述。
|
|
12
|
+
|
|
13
|
+
## 1. 场景
|
|
14
|
+
|
|
15
|
+
- 任务:审批记录查询能力准备进入设计拆解
|
|
16
|
+
- 当前输入:需求范围已经确认,需判断接口契约和 overlay 候选项
|
|
17
|
+
- 目标:形成可交给研发和 QA 的结构化方案
|
|
18
|
+
|
|
19
|
+
## 2. 用户怎么说
|
|
20
|
+
|
|
21
|
+
```text
|
|
22
|
+
请以 architect 视角处理当前任务。
|
|
23
|
+
输出:系统边界、接口契约、数据约束、主要技术风险、是否需要 custom overlay。
|
|
24
|
+
如果需要 custom overlay,请区分候选项和正式启用项。
|
|
25
|
+
```
|
|
26
|
+
|
|
27
|
+
## 3. 期望结果长什么样
|
|
28
|
+
|
|
29
|
+
```text
|
|
30
|
+
系统边界
|
|
31
|
+
- 本次只新增审批记录查询能力,不改流程定义和历史数据
|
|
32
|
+
- 前端消费查询接口,后端负责权限过滤和分页
|
|
33
|
+
|
|
34
|
+
接口契约
|
|
35
|
+
- 入参:订单号、审批状态、开始时间、结束时间、分页参数
|
|
36
|
+
- 出参:记录列表、总数、分页信息、错误码
|
|
37
|
+
|
|
38
|
+
数据约束
|
|
39
|
+
- 审批状态字段保持与现有运营口径一致
|
|
40
|
+
- 分页参数兼容旧客户端默认值
|
|
41
|
+
|
|
42
|
+
主要技术风险
|
|
43
|
+
- 若权限口径和现有查询接口不一致,可能导致结果偏差
|
|
44
|
+
- 若字段命名调整过大,旧客户端兼容性会受影响
|
|
45
|
+
|
|
46
|
+
company 判断
|
|
47
|
+
- 私有流程引擎:候选,原因是任务涉及审批状态语义
|
|
48
|
+
- 私有权限中心:候选,原因是任务涉及权限过滤
|
|
49
|
+
- 正式启用:本次不启用,原因是未进入流程运行态和权限中心正式集成
|
|
50
|
+
|
|
51
|
+
实施建议
|
|
52
|
+
- 先冻结字段口径和权限边界,再进入实现
|
|
53
|
+
- QA 需重点验证兼容性和权限场景
|
|
54
|
+
```
|
|
55
|
+
|
|
56
|
+
## 4. 不合格结果通常长什么样
|
|
57
|
+
|
|
58
|
+
```text
|
|
59
|
+
大概加一个查询接口,权限再看。
|
|
60
|
+
```
|
|
61
|
+
|
|
62
|
+
这类结果的问题是:
|
|
63
|
+
|
|
64
|
+
- 没有接口契约
|
|
65
|
+
- 没有兼容性约束
|
|
66
|
+
- 没有 company 判断
|
|
67
|
+
|
|
68
|
+
## 5. Architect 在对话里最容易漏什么
|
|
69
|
+
|
|
70
|
+
- 错误和异常路径
|
|
71
|
+
- 兼容性与迁移说明
|
|
72
|
+
- overlay 候选项和未启用原因
|
|
73
|
+
- 交给研发与 QA 的明确关注点
|
|
74
|
+
|
|
75
|
+
## 6. 继续推进时怎么说
|
|
76
|
+
|
|
77
|
+
当设计结论形成后,下一句通常是:
|
|
78
|
+
|
|
79
|
+
```text
|
|
80
|
+
请把上面的方案整理成可直接进入 /handoff 或 /team-plan 的内容,包含接口契约、风险、技能装配判断和实施建议。
|
|
81
|
+
```
|
|
82
|
+
|
|
83
|
+
与这些文档配合阅读:[architect-daily-operations.md](architect-daily-operations.md)、[system-architecture-design-walkthrough.md](system-architecture-design-walkthrough.md)、[api-design-evolution-walkthrough.md](api-design-evolution-walkthrough.md)
|
|
@@ -0,0 +1,75 @@
|
|
|
1
|
+
# Artifact Attestation 门禁手册
|
|
2
|
+
|
|
3
|
+
本手册承接 `actions/attest-build-provenance` 的工程实践,用于把构建产物 provenance attestation 接入发布链、审计链和供应链治理。它补的是“这个产物是如何构建出来的”证明,不替代 SBOM、漏洞扫描或人工放行判断。
|
|
4
|
+
|
|
5
|
+
## 适用场景
|
|
6
|
+
|
|
7
|
+
- 仓库会发布二进制、容器镜像、压缩包或其他正式制品。
|
|
8
|
+
- 团队已经开始关注 SBOM、依赖门禁或供应链基线,希望进一步证明产物来源和构建链。
|
|
9
|
+
- 需要让发布记录能回答“这个 artifact 是由哪次 workflow、哪份源码、哪套 runner 构建出来的”。
|
|
10
|
+
|
|
11
|
+
## 不适用场景
|
|
12
|
+
|
|
13
|
+
- 当前还没有稳定发布制品,却为了追求概念完整性强行加 provenance。
|
|
14
|
+
- 团队还没有明确 attestation 生成后存放在哪里、谁来验证、何时检查。
|
|
15
|
+
- 期望只靠 provenance attestation 回答漏洞、许可证或业务风险问题。
|
|
16
|
+
|
|
17
|
+
## 推荐落地方式
|
|
18
|
+
|
|
19
|
+
1. 先把 attestation 看成发布证明链,不要一开始就把它和所有安全门禁混成一个阻塞开关。
|
|
20
|
+
2. 第一阶段先固定三件事:
|
|
21
|
+
- 哪些正式制品需要 provenance
|
|
22
|
+
- attestation 与产物如何关联
|
|
23
|
+
- 发布记录在哪里能找到 attestation
|
|
24
|
+
3. 将 attestation 与现有链路分层:
|
|
25
|
+
- `sbom-generation-gates` 负责成分清单
|
|
26
|
+
- `trivy-security-gates` 负责漏洞与 misconfiguration
|
|
27
|
+
- `scorecard-supply-chain-gates` 负责仓库与 workflow 基线
|
|
28
|
+
- `slsa-generator-patterns` 负责 GitHub Actions 侧更通用的 provenance 生成模式与 workflow 约束
|
|
29
|
+
- `in-toto-attestation-framework` 负责 predicate、schema 和 evidence model 设计
|
|
30
|
+
- attestation 负责构建来源与生成证明
|
|
31
|
+
4. 若团队后续要接签名或对外验证,先把 attestation 生成和归档链跑稳,再补验证链。
|
|
32
|
+
5. 结果必须回写到 `/team-release`、发布记录或制品元数据中,不让 attestation 只停在 workflow summary 里。
|
|
33
|
+
|
|
34
|
+
## 最小门禁模型
|
|
35
|
+
|
|
36
|
+
- `subject layer`:要发布的 artifact 或镜像
|
|
37
|
+
- `provenance layer`:attestation 的 subject、digest、构建来源与 workflow 信息
|
|
38
|
+
- `publication layer`:attestation 的存放位置与可检索方式
|
|
39
|
+
- `decision layer`:`devops-engineer`、`tech-lead` 决定“缺失 attestation”是否阻塞发布
|
|
40
|
+
|
|
41
|
+
重点不是“能生成一份 attestation”,而是发布后还能稳定找到并验证它。
|
|
42
|
+
|
|
43
|
+
## 重点检查项
|
|
44
|
+
|
|
45
|
+
- attestation 是否和实际发布出去的 artifact、镜像 digest 或 release asset 一一对应
|
|
46
|
+
- 产物重新构建、补发或回滚时,attestation 是否同步更新
|
|
47
|
+
- workflow 是否记录了足够的 provenance 信息,而不是只有一个孤立文件
|
|
48
|
+
- 团队是否定义了 attestation 的存放位置、命名规则和发布记录回链方式
|
|
49
|
+
- 后续若要对外验证,当前格式和存储方式是否能平滑扩展
|
|
50
|
+
|
|
51
|
+
## 反模式
|
|
52
|
+
|
|
53
|
+
- 生成了 attestation,但没人知道和哪个产物、哪个版本对应。
|
|
54
|
+
- 有 SBOM 没 provenance,或有 provenance 没 SBOM,导致追溯链断层。
|
|
55
|
+
- 只把 attestation 当“发布多一个文件”,没有放回 release 记录和审计链。
|
|
56
|
+
- 还没跑通归档和验证链,就先把“缺失 attestation”设置成强阻塞项。
|
|
57
|
+
|
|
58
|
+
## 输出回落
|
|
59
|
+
|
|
60
|
+
- 构建阶段:记录哪些产物生成了 provenance attestation、文件或 URL 在哪里。
|
|
61
|
+
- 发布阶段:把 attestation 链接、artifact 名称或摘要写入 `/team-release` 的发布方案、检查结果或放行结论。
|
|
62
|
+
- 审计阶段:若需要追溯某次发布,必须能从 release 记录定位到对应 attestation,并反查到构建来源。
|
|
63
|
+
|
|
64
|
+
## 许可证与使用边界
|
|
65
|
+
|
|
66
|
+
- `actions/attest-build-provenance` 本身是 MIT。
|
|
67
|
+
- 启用前应确认仓库类型、GitHub runner 版本、产物发布位置和组织级 attestations 能力边界。
|
|
68
|
+
|
|
69
|
+
## 参考来源
|
|
70
|
+
|
|
71
|
+
- [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance)
|
|
72
|
+
- [sbom-generation-gates.md](sbom-generation-gates.md)
|
|
73
|
+
- [scorecard-supply-chain-gates.md](scorecard-supply-chain-gates.md)
|
|
74
|
+
- [slsa-generator-patterns.md](slsa-generator-patterns.md)
|
|
75
|
+
- [in-toto-attestation-framework.md](in-toto-attestation-framework.md)
|