@colin4k1024/tsp 2.4.1 → 2.4.2

Files changed (216)
  1. package/README.md +12 -6
  2. package/docs/.vitepress/config.mts +199 -0
  3. package/docs/adr/ADR-001-doc-architecture-integration.md +33 -0
  4. package/docs/guides/README.md +5 -0
  5. package/docs/guides/installation.md +33 -0
  6. package/docs/guides/user-guide.md +36 -0
  7. package/docs/index.md +65 -0
  8. package/docs/memory/backlog.md +10 -0
  9. package/docs/memory/decisions.md +43 -0
  10. package/docs/memory/lessons-learned.md +87 -0
  11. package/docs/plans/2026-04-03-python-remnants-audit.md +265 -0
  12. package/docs/plans/2026-04-03-scripts-python-to-js-migration.md +372 -0
  13. package/docs/plans/2026-04-03-solo-delivery-execution-checklist.md +413 -0
  14. package/docs/plans/2026-04-03-solo-delivery-gap-plan.md +377 -0
  15. package/docs/plans/2026-04-03-team-skills-workflow-gates.md +548 -0
  16. package/docs/plans/2026-04-21-open-source-readiness-gap-plan.md +217 -0
  17. package/docs/plans/llm-surface-reduction-audit.md +147 -0
  18. package/docs/plans/llm-surface-reduction-execution-checklist.md +217 -0
  19. package/docs/plans/llm-surface-reduction-execution-history.md +124 -0
  20. package/docs/plans/team-skills-platform-migration.md +54 -0
  21. package/docs/presentation/README.md +42 -0
  22. package/docs/presentation/audience-presentation-route-map.md +84 -0
  23. package/docs/presentation/executive-briefing-talk-track.md +50 -0
  24. package/docs/presentation/generate_capability_matrix.py +396 -0
  25. package/docs/presentation/generate_ppt.py +354 -0
  26. package/docs/presentation/implementation-onboarding-brief.md +38 -0
  27. package/docs/presentation/presentation-talk-track.md +97 -0
  28. package/docs/presentation/vertical-scenario-route-map.md +99 -0
  29. package/docs/presentation/workshop-facilitator-guide.md +47 -0
  30. package/docs/runbooks/actionlint-workflow-gates.md +80 -0
  31. package/docs/runbooks/agent-governance.md +131 -0
  32. package/docs/runbooks/ai-eval-platform-demo-execution-log.md +147 -0
  33. package/docs/runbooks/ai-eval-platform-demo-script.md +136 -0
  34. package/docs/runbooks/ai-eval-platform-walkthrough.md +113 -0
  35. package/docs/runbooks/ai-pr-review-automation.md +56 -0
  36. package/docs/runbooks/api-breaking-change-gates.md +58 -0
  37. package/docs/runbooks/api-design-evolution-walkthrough.md +42 -0
  38. package/docs/runbooks/api-lint-gates.md +57 -0
  39. package/docs/runbooks/api-mocking-strategy-and-lifecycle-guide.md +47 -0
  40. package/docs/runbooks/architect-daily-operations.md +63 -0
  41. package/docs/runbooks/architect-design-conversation-example.md +83 -0
  42. package/docs/runbooks/artifact-attestation-gates.md +75 -0
  43. package/docs/runbooks/artifact-persistence.md +257 -0
  44. package/docs/runbooks/backend-engineer-daily-operations.md +63 -0
  45. package/docs/runbooks/batch-optimization-completion-checklist.md +104 -0
  46. package/docs/runbooks/biz-service-designer-end-to-end-conversation-example.md +5 -0
  47. package/docs/runbooks/biz-service-designer-toolkit.md +5 -0
  48. package/docs/runbooks/bug-fix-complete-walkthrough.md +60 -0
  49. package/docs/runbooks/build-failure-recovery-walkthrough.md +40 -0
  50. package/docs/runbooks/canary-decision-matrix.md +41 -0
  51. package/docs/runbooks/canary-staging-release-walkthrough.md +46 -0
  52. package/docs/runbooks/checkov-iac-gates.md +104 -0
  53. package/docs/runbooks/claude-code-review-workflow.md +72 -0
  54. package/docs/runbooks/claude-conversation-prompt-recipes.md +132 -0
  55. package/docs/runbooks/claude-end-to-end-conversation-example.md +198 -0
  56. package/docs/runbooks/claude-feature-development-guide.md +112 -0
  57. package/docs/runbooks/claude-quick-start.md +227 -0
  58. package/docs/runbooks/claude-usage-scenarios.md +176 -0
  59. package/docs/runbooks/code-review-collaboration-walkthrough.md +65 -0
  60. package/docs/runbooks/codeql-pr-security-gates.md +64 -0
  61. package/docs/runbooks/codex-end-to-end-conversation-example.md +166 -0
  62. package/docs/runbooks/codex-multi-agent-orchestration.md +65 -0
  63. package/docs/runbooks/codex-parallel-prompt-recipes.md +131 -0
  64. package/docs/runbooks/codex-quick-start.md +223 -0
  65. package/docs/runbooks/codex-usage-scenarios.md +168 -0
  66. package/docs/runbooks/codex-workflow-essentials.md +88 -0
  67. package/docs/runbooks/command-and-capability-matrix.md +162 -0
  68. package/docs/runbooks/conftest-policy-gates.md +84 -0
  69. package/docs/runbooks/consumer-driven-contract-testing-with-mock-alignment.md +45 -0
  70. package/docs/runbooks/contract-testing-playbook.md +78 -0
  71. package/docs/runbooks/cosign-signing-gates.md +71 -0
  72. package/docs/runbooks/cross-role-issue-triage-walkthrough.md +47 -0
  73. package/docs/runbooks/cursor-quick-start.md +123 -0
  74. package/docs/runbooks/custom-overlay.md +115 -0
  75. package/docs/runbooks/data-ml-pipeline-demo-execution-log.md +141 -0
  76. package/docs/runbooks/data-ml-pipeline-demo-script.md +102 -0
  77. package/docs/runbooks/data-ml-pipeline-walkthrough.md +119 -0
  78. package/docs/runbooks/data-observability-quality-demo-execution-log.md +36 -0
  79. package/docs/runbooks/data-observability-quality-demo-script.md +42 -0
  80. package/docs/runbooks/data-observability-quality-walkthrough.md +86 -0
  81. package/docs/runbooks/demo-deliverables-overview.md +278 -0
  82. package/docs/runbooks/demo-execution-log.md +530 -0
  83. package/docs/runbooks/demo-scenario.md +129 -0
  84. package/docs/runbooks/dependency-review-gates.md +63 -0
  85. package/docs/runbooks/dependency-update-automation.md +83 -0
  86. package/docs/runbooks/design-md-workflow.md +185 -0
  87. package/docs/runbooks/devops-engineer-daily-operations.md +60 -0
  88. package/docs/runbooks/devops-release-conversation-example.md +88 -0
  89. package/docs/runbooks/doc-architecture-integration.md +59 -0
  90. package/docs/runbooks/doc-architecture-quick-start.md +122 -0
  91. package/docs/runbooks/document-execution-audit.md +32 -0
  92. package/docs/runbooks/documentation-update-walkthrough.md +37 -0
  93. package/docs/runbooks/ecc-harness-usage.md +93 -0
  94. package/docs/runbooks/error-experience-usage.md +116 -0
  95. package/docs/runbooks/evolution-usage.md +162 -0
  96. package/docs/runbooks/executive-value-one-page.md +55 -0
  97. package/docs/runbooks/external-capability-approval-and-enablement-workflow.md +39 -0
  98. package/docs/runbooks/external-capability-intake.md +160 -0
  99. package/docs/runbooks/first-team-command-60-seconds.md +96 -0
  100. package/docs/runbooks/first-team-workflow-walkthrough.md +245 -0
  101. package/docs/runbooks/frontend-backend-integration-acceptance-checklist.md +46 -0
  102. package/docs/runbooks/frontend-backend-parallel-integration-walkthrough.md +48 -0
  103. package/docs/runbooks/frontend-bugfix-one-page.md +82 -0
  104. package/docs/runbooks/frontend-engineer-daily-operations.md +60 -0
  105. package/docs/runbooks/frontend-enterprise-style-profile.md +5 -0
  106. package/docs/runbooks/frontend-governance.md +47 -0
  107. package/docs/runbooks/frontend-refactor-walkthrough.md +42 -0
  108. package/docs/runbooks/git-pr-workflow.md +63 -0
  109. package/docs/runbooks/github-actions-supply-chain-demo-execution-log.md +158 -0
  110. package/docs/runbooks/github-actions-supply-chain-demo-script.md +150 -0
  111. package/docs/runbooks/github-actions-supply-chain-walkthrough.md +117 -0
  112. package/docs/runbooks/github-token-permissions-baseline.md +92 -0
  113. package/docs/runbooks/gitlab-manual-pipeline-release.md +5 -0
  114. package/docs/runbooks/gitlab-release-integration-playbook.md +5 -0
  115. package/docs/runbooks/gitnexus-code-intelligence-usage.md +133 -0
  116. package/docs/runbooks/graphify-knowledge-graph-usage.md +88 -0
  117. package/docs/runbooks/handoff-filling-guide-with-examples.md +70 -0
  118. package/docs/runbooks/handoff-governance.md +250 -0
  119. package/docs/runbooks/helm-unittest-playbook.md +101 -0
  120. package/docs/runbooks/hotfix-emergency-release-walkthrough.md +60 -0
  121. package/docs/runbooks/iac-kubernetes-platform-demo-execution-log.md +144 -0
  122. package/docs/runbooks/iac-kubernetes-platform-demo-script.md +130 -0
  123. package/docs/runbooks/iac-kubernetes-platform-walkthrough.md +120 -0
  124. package/docs/runbooks/implementation-onboarding-reading-path.md +67 -0
  125. package/docs/runbooks/in-toto-attestation-framework.md +94 -0
  126. package/docs/runbooks/incident-severity-triage-tree.md +43 -0
  127. package/docs/runbooks/incident-triage-one-page.md +65 -0
  128. package/docs/runbooks/internal-developer-platform-demo-execution-log.md +36 -0
  129. package/docs/runbooks/internal-developer-platform-demo-script.md +42 -0
  130. package/docs/runbooks/internal-developer-platform-walkthrough.md +91 -0
  131. package/docs/runbooks/karpathy-guidelines-usage.md +27 -0
  132. package/docs/runbooks/kubeconform-schema-gates.md +100 -0
  133. package/docs/runbooks/kubectl-server-dry-run-gates.md +103 -0
  134. package/docs/runbooks/kyverno-policy-gates.md +90 -0
  135. package/docs/runbooks/langfuse-and-observability-integration-guide.md +43 -0
  136. package/docs/runbooks/langfuse-coding-trace.md +44 -0
  137. package/docs/runbooks/mobile-miniapp-delivery-walkthrough.md +112 -0
  138. package/docs/runbooks/mobile-miniapp-demo-execution-log.md +139 -0
  139. package/docs/runbooks/mobile-miniapp-demo-script.md +129 -0
  140. package/docs/runbooks/multi-service-backend-integration-walkthrough.md +61 -0
  141. package/docs/runbooks/open-design-integration.md +163 -0
  142. package/docs/runbooks/open-source-release-checklist.md +90 -0
  143. package/docs/runbooks/opencode-quick-start.md +128 -0
  144. package/docs/runbooks/parallel-development-coordination-walkthrough.md +47 -0
  145. package/docs/runbooks/parallel-execution-usage.md +179 -0
  146. package/docs/runbooks/platform-capability-demo-execution-log.md +184 -0
  147. package/docs/runbooks/platform-capability-demo-script.md +192 -0
  148. package/docs/runbooks/plugin-extension-platform-demo-execution-log.md +136 -0
  149. package/docs/runbooks/plugin-extension-platform-demo-script.md +102 -0
  150. package/docs/runbooks/plugin-extension-platform-walkthrough.md +111 -0
  151. package/docs/runbooks/policy-controller-gates.md +75 -0
  152. package/docs/runbooks/post-rollback-verification-checklist.md +37 -0
  153. package/docs/runbooks/pre-release-checklist.md +50 -0
  154. package/docs/runbooks/product-manager-clarification-conversation-example.md +90 -0
  155. package/docs/runbooks/product-manager-daily-operations.md +60 -0
  156. package/docs/runbooks/production-incident-response-walkthrough.md +50 -0
  157. package/docs/runbooks/project-claude-design-rationale.md +188 -0
  158. package/docs/runbooks/project-manager-daily-operations.md +61 -0
  159. package/docs/runbooks/project-manager-planning-conversation-example.md +82 -0
  160. package/docs/runbooks/project-onboarding.md +452 -0
  161. package/docs/runbooks/qa-engineer-daily-operations.md +63 -0
  162. package/docs/runbooks/qa-review-conversation-example.md +87 -0
  163. package/docs/runbooks/release-closure-one-page.md +65 -0
  164. package/docs/runbooks/release-governance-reading-path.md +56 -0
  165. package/docs/runbooks/release-notes-automation.md +48 -0
  166. package/docs/runbooks/release-rollback-recovery-walkthrough.md +47 -0
  167. package/docs/runbooks/requirement-clarity-and-scope-walkthrough.md +46 -0
  168. package/docs/runbooks/reviewdog-pr-gates.md +49 -0
  169. package/docs/runbooks/role-prompt-recipes.md +130 -0
  170. package/docs/runbooks/rtk-integration-intake.md +45 -0
  171. package/docs/runbooks/rtk-token-optimization-usage.md +107 -0
  172. package/docs/runbooks/runner-egress-hardening.md +81 -0
  173. package/docs/runbooks/runtime-capabilities-overview.md +113 -0
  174. package/docs/runbooks/sbom-generation-gates.md +71 -0
  175. package/docs/runbooks/scorecard-supply-chain-gates.md +82 -0
  176. package/docs/runbooks/secret-scanning-gates.md +85 -0
  177. package/docs/runbooks/security-compliance-platform-demo-execution-log.md +36 -0
  178. package/docs/runbooks/security-compliance-platform-demo-script.md +49 -0
  179. package/docs/runbooks/security-compliance-platform-walkthrough.md +98 -0
  180. package/docs/runbooks/slsa-generator-patterns.md +73 -0
  181. package/docs/runbooks/slsa-verification-gates.md +75 -0
  182. package/docs/runbooks/solo-delivery-mode.md +142 -0
  183. package/docs/runbooks/solo-delivery-one-page.md +111 -0
  184. package/docs/runbooks/specialist-commands-playbook.md +85 -0
  185. package/docs/runbooks/sub-agent-invocation-map.md +144 -0
  186. package/docs/runbooks/system-architecture-design-walkthrough.md +49 -0
  187. package/docs/runbooks/team-closeout-example.md +73 -0
  188. package/docs/runbooks/team-command-output-contracts.md +358 -0
  189. package/docs/runbooks/team-commands-quick-prompts.md +125 -0
  190. package/docs/runbooks/team-execute-example.md +63 -0
  191. package/docs/runbooks/team-handoff-example.md +49 -0
  192. package/docs/runbooks/team-intake-example.md +70 -0
  193. package/docs/runbooks/team-plan-example.md +62 -0
  194. package/docs/runbooks/team-release-example.md +63 -0
  195. package/docs/runbooks/team-review-example.md +61 -0
  196. package/docs/runbooks/team-skills-test-run.md +184 -0
  197. package/docs/runbooks/team-skills-usage.md +336 -0
  198. package/docs/runbooks/team-training-reading-path.md +64 -0
  199. package/docs/runbooks/tech-lead-closure-conversation-example.md +78 -0
  200. package/docs/runbooks/tech-lead-daily-operations.md +67 -0
  201. package/docs/runbooks/trivy-security-gates.md +79 -0
  202. package/docs/runbooks/troubleshooting.md +234 -0
  203. package/docs/runbooks/vertical-scenario-capability-matrix.md +107 -0
  204. package/docs/runbooks/witness-policy-gates.md +78 -0
  205. package/docs/runbooks/zizmor-workflow-audits.md +81 -0
  206. package/manifests/install-components.json +8 -0
  207. package/manifests/install-modules.json +34 -0
  208. package/manifests/install-profiles.json +2 -0
  209. package/package.json +2 -1
  210. package/scripts/install-apply.js +9 -0
  211. package/scripts/install-open-design.js +206 -0
  212. package/scripts/install-plan.js +17 -0
  213. package/scripts/lib/install/apply.js +31 -0
  214. package/scripts/lib/install-executor.js +56 -0
  215. package/skills/open-design/SKILL.md +87 -0
  216. package/skills/open-design/agents/openai.yaml +4 -0
@@ -0,0 +1,102 @@
1
+ ---
2
+ version: "0.1.0"
3
+ status: draft
4
+ created: 2026-03-29
5
+ updated: 2026-03-29
6
+ owner: 工程团队
7
+ ---
8
+
9
+ # 插件与扩展平台演示剧本
10
+
11
+ 本文是一份可直接照着讲的演示脚本,面向宿主集成点、命令入口、配置面、安装路径和兼容矩阵场景。
12
+
13
+ ## 1. 演示目标
14
+
15
+ - 说明插件仓库为什么要同时治理命令面、配置面和安装路径
16
+ - 说明 `/tdd` 如何前置锁定兼容和升级完成标准
17
+ - 说明 `/verify` 如何收口宿主集成点、安装路径和配置验证结果
18
+
19
+ ## 2. 适用对象
20
+
21
+ - 需要介绍插件 / 扩展交付方法的 Tech Lead
22
+ - 需要讲宿主兼容与安装路径的前端 / 工具链负责人
23
+ - 需要向团队解释 verify 为何必须覆盖升级和禁用态的讲解人
24
+
25
+ ## 3. 演示时长建议
26
+
27
+ - 5 分钟:讲命令面、配置面、安装路径三类风险
28
+ - 10 分钟:再讲 `/tdd` 与 `/verify`
29
+ - 15 分钟:完整走一遍 intake -> plan -> tdd -> execute -> verify -> review
30
+
31
+ ## 4. 演示脚本
32
+
33
+ ### Step 1. 先用 1 分钟讲清插件任务在治理什么
34
+
35
+ 建议讲法:
36
+
37
+ ```text
38
+ 插件仓库要治理的不只是一个命令入口,至少还有配置项、宿主兼容和安装升级路径。
39
+ 如果只改功能不改这些外围入口,发布后最容易出问题。
40
+ ```
41
+
42
+ ### Step 2. 用 `/team-intake` 讲清任务边界
43
+
44
+ 建议输入:
45
+
46
+ ```text
47
+ /team-intake
48
+ 目标:为插件仓库新增命令入口并补齐安装、配置与兼容性说明
49
+ 范围:命令、配置项、集成点、安装文档、测试计划
50
+ 不做:无关业务服务改造
51
+ 约束:必须说明宿主版本边界、升级路径、禁用态和失败回退行为
52
+ ```
53
+
54
+ ### Step 3. 用 `/team-plan` 说明如何拆分集成任务
55
+
56
+ 建议输入:
57
+
58
+ ```text
59
+ /team-plan
60
+ 基于当前 intake 结果,拆命令入口、配置项、宿主集成、安装路径、兼容矩阵和验证收口动作。
61
+ 输出必须指出哪些完成标准应先进入 /tdd,哪些证据最终应由 /verify 汇总。
62
+ ```
63
+
64
+ ### Step 4. 用 `/tdd` 讲“先锁兼容与升级标准”
65
+
66
+ 建议输入:
67
+
68
+ ```text
69
+ /tdd
70
+ 基于当前 /team-plan 结果,先定义命令入口、配置兼容、安装升级、禁用态和失败回退的完成标准。
71
+ ```
72
+
73
+ ### Step 5. 用 `/team-execute` 讲实际收敛动作
74
+
75
+ 建议讲法:
76
+
77
+ ```text
78
+ 执行阶段通常会先补命令入口和配置项,再补安装升级说明,最后补兼容矩阵和验证收口。
79
+ ```
80
+
81
+ ### Step 6. 用 `/verify` 收口
82
+
83
+ 建议输入:
84
+
85
+ ```text
86
+ /verify
87
+ 请基于当前插件改动,输出命令入口、配置项、安装路径和兼容性验证结果,并整理成可直接进入 /team-review 的结论。
88
+ ```
89
+
90
+ ## 5. 建议演示顺序
91
+
92
+ 1. 先讲命令面、配置面、安装路径三类风险
93
+ 2. 再展示 `/team-intake` 与 `/team-plan`
94
+ 3. 然后讲 `/tdd`
95
+ 4. 再讲 `/team-execute`
96
+ 5. 最后讲 `/verify` 与 `/team-review`
97
+
98
+ ## 6. 演示后建议发给观众的材料
99
+
100
+ - [plugin-extension-platform-demo-execution-log.md](plugin-extension-platform-demo-execution-log.md)
101
+ - [plugin-extension-platform-walkthrough.md](plugin-extension-platform-walkthrough.md)
102
+ - [../../examples/plugin-extension-platform-CLAUDE.md](../../examples/plugin-extension-platform-CLAUDE.md)
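Review bot: the `/verify` prompt in Step 6 asks only for command-entry, config, install-path and compatibility results, but the Step 2 intake constraint and the Step 4 `/tdd` criteria also lock the disabled state (禁用态) and failure rollback (失败回退), and section 2 says the presenter must explain why verify has to cover the upgrade and disabled states. Add those two items to the Step 6 prompt, e.g. `输出命令入口、配置项、安装路径、升级与禁用态、失败回退和兼容性验证结果`, so the closing step actually collects the evidence the earlier steps promised.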
@@ -0,0 +1,111 @@
1
+ ---
2
+ version: "0.1.0"
3
+ status: draft
4
+ created: 2026-03-29
5
+ updated: 2026-03-29
6
+ owner: 工程团队
7
+ ---
8
+
9
+ # 插件与扩展平台演练
10
+
11
+ 本文演示一个以命令入口、配置项、宿主集成点和安装路径为核心的插件 / 扩展仓库,如何从需求澄清、兼容性约束到验证收口完整跑通。
12
+
13
+ ## 1. 场景
14
+
15
+ - 仓库当前主要维护 extension / plugin、命令、配置项和安装说明
16
+ - 团队准备新增一个宿主命令入口,并同步补齐配置、兼容矩阵和安装路径
17
+ - 目标不是开发独立业务功能,而是把扩展点和安装链路治理成可验证、可发布、可回退的状态
18
+
19
+ ## 2. 推荐链路
20
+
21
+ 1. `/team-intake`
22
+ 2. `/team-plan`
23
+ 3. `/tdd`
24
+ 4. `/team-execute`
25
+ 5. `/verify`
26
+ 6. `/team-review`
27
+
28
+ ## 3. 第一步:/team-intake
29
+
30
+ ### 输入示例
31
+
32
+ ```text
33
+ /team-intake
34
+ 目标:为插件仓库新增命令入口并补齐安装、配置与兼容性说明
35
+ 范围:命令、配置项、集成点、安装文档、测试计划
36
+ 不做:无关业务服务改造
37
+ 约束:必须说明宿主版本边界、升级路径、禁用态和失败回退行为
38
+ ```
39
+
40
+ ### 期望输出重点
41
+
42
+ - 识别这是插件 / 扩展交付任务,而不是普通应用开发
43
+ - 明确参与角色至少包括 `tech-lead`、`architect`、`qa-engineer`
44
+ - 风险应聚焦宿主边界不清、命令入口失联、配置升级不兼容和安装回退不明确
45
+
46
+ ## 4. 第二步:/team-plan
47
+
48
+ ### 需要拆清的动作
49
+
50
+ - 命令入口与贡献点调整
51
+ - 配置项、默认值与升级兼容策略
52
+ - 安装路径、启用 / 禁用路径和失败回退
53
+ - 宿主版本矩阵与验证范围
54
+ - review 中需要记录的兼容性与发布说明
55
+
56
+ ### 合格输出应该回答
57
+
58
+ 1. 哪些改动影响命令面
59
+ 2. 哪些影响配置面
60
+ 3. 哪些影响安装与升级路径
61
+ 4. 哪些兼容风险需要 verify 覆盖
62
+
63
+ ## 5. 第三步:/tdd
64
+
65
+ 在这类仓库里,`/tdd` 重点是先锁安装与兼容完成标准:
66
+
67
+ - 命令入口与配置边界是否说清
68
+ - 最低宿主版本与升级路径是否明确
69
+ - 禁用态、失败态和回退路径是否可验证
70
+ - 哪些验证证据必须进入 review
71
+
72
+ ## 6. 第四步:/team-execute
73
+
74
+ 执行阶段通常包含:
75
+
76
+ - 调整命令入口或宿主集成点
77
+ - 调整配置项、默认值和兼容处理
78
+ - 更新安装说明、升级说明与故障回退说明
79
+ - 补关键验证用例和测试计划
80
+
81
+ 本阶段输出至少应包含:
82
+
83
+ - 集成点变更摘要
84
+ - 配置与兼容变更摘要
85
+ - 安装 / 升级验证结果
86
+ - 剩余风险和例外项
87
+
88
+ ## 7. 第五步:/verify
89
+
90
+ Verify 阶段要回答:
91
+
92
+ - 命令入口是否可用
93
+ - 配置项和默认值是否兼容既有安装
94
+ - 安装、升级和禁用路径是否可执行
95
+ - 宿主版本矩阵是否覆盖关键场景
96
+
97
+ ## 8. 第六步:/team-review
98
+
99
+ Review 阶段要回答:
100
+
101
+ - 当前是否还存在阻塞发布的兼容问题
102
+ - 哪些例外可以暂时接受
103
+ - 是否需要补更多宿主版本或安装路径验证
104
+
105
+ ## 9. 常见错误
106
+
107
+ - 只改命令入口,不更新安装和配置说明
108
+ - 只验证 happy path,不验证禁用态和升级路径
109
+ - 宿主兼容矩阵说得很笼统,无法指导 QA
110
+
111
+ 建议配合阅读:[codex-workflow-essentials.md](codex-workflow-essentials.md)、[troubleshooting.md](troubleshooting.md)、[project-onboarding.md](project-onboarding.md)
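Review bot: the verify questions in section 7 drop the failure-state and rollback path that the section 5 `/tdd` stage locks as a completion criterion ("禁用态、失败态和回退路径是否可验证"), and section 9 likewise lists only the disabled state and upgrade path as commonly skipped. Add a verify bullet for the failure and rollback path (and mention it in section 9) so the verification stage matches the criteria the walkthrough set up.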
@@ -0,0 +1,75 @@
1
+ # Policy Controller 策略强制门禁手册
2
+
3
+ 本手册承接 `sigstore/policy-controller` 的工程实践,用于把 Kubernetes admission 层的策略强制执行接入供应链治理链。它补的是“在集群里真正拦住不符合策略的镜像和工作负载”这一层,不替代 SBOM、签名、provenance attestation、SLSA verification 或漏洞扫描。
4
+
5
+ ## 适用场景
6
+
7
+ - 团队已经有 `cosign`、provenance attestation 或 SLSA verification,想把“建议验证”推进到“集群 admission 强制执行”。
8
+ - 需要在 Kubernetes 集群内按 namespace 或工作负载范围强制要求镜像签名、attestation 或其他可验证的供应链元数据。
9
+ - 仓库的镜像来源复杂,单靠 CI / release 流程不足以保证运行中的 workload 没有被替换或绕过治理。
10
+
11
+ ## 不适用场景
12
+
13
+ - 当前还没有稳定的签名、attestation 或验证链,却先上 admission 强制,导致拦截全靠猜。
14
+ - 团队还没有明确哪些 namespace、workload 或镜像类型需要受策略约束。
15
+ - 期望 policy controller 替代 CI 侧的 SBOM、签名、验证和人工放行流程。
16
+
17
+ ## 推荐落地方式
18
+
19
+ 1. 先把策略范围收窄到少数关键 namespace,不要一开始全集群拦截。
20
+ 2. 第一阶段先固定三件事:
21
+ - 哪些 workload 或 namespace 受策略约束
22
+ - 策略依据是什么,例如签名、attestation 或仓库来源
23
+ - 拒绝时如何回退、告警和 triage
24
+ 3. 将 policy controller 与现有链路分层:
25
+ - `sbom-generation-gates` 负责成分清单
26
+ - `artifact-attestation-gates` 负责 provenance 证明
27
+ - `cosign-signing-gates` 负责签名与验签
28
+ - `slsa-verification-gates` 负责独立验证 provenance / attestation
29
+ - `kyverno-policy-gates` 负责更通用的 Kubernetes admission、background scan 和 policy report 治理
30
+ - policy controller 负责在 admission 层强制执行这些可验证策略
31
+ 4. 建议先从“观察模式”或“单 namespace 强制”开始,再逐步扩大范围。
32
+ 5. 结果必须回写到 `/team-release`、集群治理记录或运行手册,不让策略结果只停在 webhook 日志里。
33
+
34
+ ## 最小门禁模型
35
+
36
+ - `policy layer`:定义哪些 namespace、workload、镜像或来源受约束
37
+ - `evidence layer`:签名、attestation、验证结果和镜像来源
38
+ - `admission layer`:Kubernetes webhook 在创建或更新时执行拦截
39
+ - `decision layer`:`devops-engineer`、`tech-lead` 决定是否把拒绝结果视为阻塞或降级
40
+
41
+ 重点不是“装了一个 webhook”,而是让集群真正按供应链证据执行策略。
42
+
43
+ ## 重点检查项
44
+
45
+ - 策略是否按 namespace 或工作负载边界配置,而不是一刀切全局生效
46
+ - 策略依据是否和镜像签名、attestation 或验证结果稳定关联
47
+ - 镜像 tag 是否会在 admission 时被解析成 digest,避免“通过时和运行时不是同一个镜像”
48
+ - 策略失败时是否有明确的告警、triage 和例外流程
49
+ - 多 key、多个 policy 或不同环境之间的配置是否能持续维护
50
+
51
+ ## 反模式
52
+
53
+ - 没有前置验证链,却先上 admission 强制,把所有问题都变成发布阻塞。
54
+ - 策略配置只写在集群里,发布记录和治理文档里没有回链。
55
+ - 把 policy controller 当成安全扫描器,忽略它本质上是执行层拦截器。
56
+ - 上线后只有“拒绝了什么”,没有“为什么拒绝、谁来处理、何时放宽”的闭环。
57
+
58
+ ## 输出回落
59
+
60
+ - 发布阶段:把受影响的 namespace、策略范围和验证结果写入 `/team-release` 的检查结果或放行结论。
61
+ - 集群治理:把 policy 变更、例外项和告警处理记录沉淀到治理文档或 runbook。
62
+ - 审计阶段:若某次 workload 被拦截,必须能追溯到对应的签名、attestation 或验证证据。
63
+
64
+ ## 许可证与使用边界
65
+
66
+ - `sigstore/policy-controller` 采用 Apache-2.0。
67
+ - 启用前应确认 Kubernetes 版本、Webhook 部署方式、镜像仓库可访问性和团队是否有足够的治理人力。
68
+ - 参考仓库的支持说明,`policy-controller` 近版本面向 Kubernetes 1.27 到 1.29 更稳定,旧版本需单独验证。
69
+
70
+ ## 参考来源
71
+
72
+ - [sigstore/policy-controller](https://github.com/sigstore/policy-controller)
73
+ - [cosign-signing-gates.md](cosign-signing-gates.md)
74
+ - [artifact-attestation-gates.md](artifact-attestation-gates.md)
75
+ - [slsa-verification-gates.md](slsa-verification-gates.md)
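Review bot: the compatibility claim under "许可证与使用边界" ("近版本面向 Kubernetes 1.27 到 1.29 更稳定") is not tied to a specific `policy-controller` release or to a link to the upstream support statement, so it will go stale silently; name the release it was read from or link the upstream document. Two smaller points: this runbook lacks the `version` / `status` / `created` / `owner` front matter that the sibling runbooks in this diff carry, and `kyverno-policy-gates` is referenced in the layering list under "推荐落地方式" but missing from "参考来源".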
@@ -0,0 +1,37 @@
1
+ ---
2
+ version: "0.1.0"
3
+ status: draft
4
+ created: 2026-03-28
5
+ updated: 2026-03-28
6
+ owner: 工程团队
7
+ ---
8
+
9
+ # 回滚后验证检查清单
10
+
11
+ 本文用于回滚完成后的快速验证,避免“服务恢复了”就直接结束。
12
+
13
+ ## 1. 服务状态
14
+
15
+ - [ ] 关键服务已恢复可用
16
+ - [ ] 关键页面或接口已可访问
17
+ - [ ] 依赖服务状态正常
18
+
19
+ ## 2. 数据与配置
20
+
21
+ - [ ] 数据一致性已抽样验证
22
+ - [ ] 配置与开关已确认回退到目标状态
23
+ - [ ] 新旧版本混合状态已排除
24
+
25
+ ## 3. 指标与观察
26
+
27
+ - [ ] 错误率回落到预期区间
28
+ - [ ] 耗时或吞吐恢复到基线
29
+ - [ ] 用户反馈或监控告警已明显收敛
30
+
31
+ ## 4. 后续动作
32
+
33
+ - [ ] 事故记录已更新
34
+ - [ ] 后续修复任务已登记
35
+ - [ ] 是否需要继续观察已明确
36
+
37
+ 相关长文档见:[release-rollback-recovery-walkthrough.md](release-rollback-recovery-walkthrough.md)、[production-incident-response-walkthrough.md](production-incident-response-walkthrough.md)
@@ -0,0 +1,50 @@
1
+ ---
2
+ version: "0.1.0"
3
+ status: draft
4
+ created: 2026-03-28
5
+ updated: 2026-03-28
6
+ owner: 工程团队
7
+ ---
8
+
9
+ # 发布前检查速查清单
10
+
11
+ 本文用于发布前 5 到 10 分钟的最后检查,不替代完整发布方案。
12
+
13
+ ## 1. 环境
14
+
15
+ - [ ] 目标环境与发布窗口已确认
16
+ - [ ] 责任人、值守人与观察窗口已确认
17
+ - [ ] 必要配置与环境变量已就绪
18
+
19
+ ## 2. 变更
20
+
21
+ - [ ] 发布范围和版本信息已锁定
22
+ - [ ] 高风险点已单独标记
23
+ - [ ] 数据或配置变更已确认可回退
24
+
25
+ ## 3. 质量
26
+
27
+ - [ ] QA 放行结论明确
28
+ - [ ] 关键链路 smoke 范围明确
29
+ - [ ] 残余风险已进入观察项
30
+
31
+ ## 4. 回滚
32
+
33
+ - [ ] 回滚条件已明确
34
+ - [ ] 回滚步骤已明确
35
+ - [ ] 回滚负责人已明确
36
+
37
+ ## 5. 扩展项
38
+
39
+ - [ ] 如需 GitLab manual job,已确认触发条件
40
+ - [ ] 如需 Langfuse 追踪,已确认 trace 粒度和回写位置
41
+
42
+ ## 6. npm 发布补充检查(适用于 npm registry 发布)
43
+
44
+ - [ ] 若使用 npm Trusted Publisher,已在 npm 包设置中正确绑定 GitHub 仓库、仓库名与 workflow 文件名(例如 `publish.yml`)
45
+ - [ ] GitHub Actions 发布 workflow 已启用 `id-token: write`
46
+ - [ ] `npm publish` 步骤未再注入发布用 `NODE_AUTH_TOKEN` / `NPM_TOKEN`,避免从 OIDC 回落到 token 鉴权后触发 OTP
47
+ - [ ] 若 `npm ci` 需要访问私有依赖,仅读取阶段使用只读 token;publish 阶段保持 OIDC-only
48
+ - [ ] 若启用 provenance,已确认当前仓库与 runner 满足 npm Trusted Publishing 的支持条件
49
+
50
+ 相关长文档见:[team-release-example.md](team-release-example.md)、[release-governance-reading-path.md](release-governance-reading-path.md)
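Review bot: the section 6 item "GitHub Actions 发布 workflow 已启用 `id-token: write`" does not say at what scope the permission is granted; since this same release adds a github-token-permissions-baseline.md runbook, the checklist should require `id-token: write` on the publish job only rather than in a workflow-wide `permissions` block, and link that runbook. It would also help to state explicitly that the OIDC-only condition applies to the environment of the `npm publish` step, since the preceding item already forbids `NODE_AUTH_TOKEN` / `NPM_TOKEN` there.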
@@ -0,0 +1,90 @@
1
+ ---
2
+ version: "0.1.0"
3
+ status: draft
4
+ created: 2026-03-28
5
+ updated: 2026-03-28
6
+ owner: 工程团队
7
+ ---
8
+
9
+ # Product Manager 需求澄清对话样例
10
+
11
+ 本文给出一份偏 Product Manager 视角的成品对话样例,重点展示怎样把业务语言整理成能直接进入 `/team-intake` 的输入,而不是停留在模糊需求层。
12
+
13
+ ## 1. 场景
14
+
15
+ - 任务:业务方提出“审批记录查询太难用,需要优化”
16
+ - 当前输入:只有业务诉求,没有清晰范围和验收标准
17
+ - 目标:把需求整理成可进入主链的澄清结果
18
+
19
+ ## 2. 用户怎么说
20
+
21
+ ```text
22
+ 请以 product-manager 视角整理当前需求。
23
+ 输出:业务目标、核心用户场景、In Scope、Out of Scope、验收标准、待确认事项。
24
+ 最后补一段:这些内容怎样进入 /team-intake。
25
+ ```
26
+
27
+ ## 3. 期望结果长什么样
28
+
29
+ ```text
30
+ 业务目标
31
+ - 让运营同学能更快查询审批记录,降低人工翻找成本
32
+
33
+ 核心用户场景
34
+ - 运营按订单号、审批状态、创建时间筛选审批记录
35
+ - 运营查看空结果和异常提示时能快速判断下一步动作
36
+
37
+ In Scope
38
+ - 审批记录查询列表页
39
+ - 后端查询接口
40
+ - 分页、筛选、空态和错误态
41
+
42
+ Out of Scope
43
+ - 审批流程定义改造
44
+ - 历史数据回填
45
+ - 导出能力新增
46
+
47
+ 验收标准
48
+ - 支持按订单号、状态、时间范围查询
49
+ - 无结果时有明确空态提示
50
+ - 无权限时有明确错误提示
51
+
52
+ 待确认事项
53
+ - 是否需要兼容旧查询入口的字段顺序
54
+ - 是否存在特定角色的权限差异
55
+
56
+ 进入 /team-intake 的建议
57
+ - 目标:新增审批记录查询能力
58
+ - 范围:列表页、查询接口、测试计划
59
+ - 不做:流程定义改造、历史数据回填、导出新增
60
+ - 约束:判断是否涉及权限中心或 custom overlay
61
+ ```
62
+
63
+ ## 4. 不合格结果通常长什么样
64
+
65
+ ```text
66
+ 需求是把审批记录查询做好一点。
67
+ ```
68
+
69
+ 这类结果的问题是:
70
+
71
+ - 没有用户场景
72
+ - 没有范围边界
73
+ - 没有验收标准
74
+
75
+ ## 5. Product Manager 在对话里最容易漏什么
76
+
77
+ - Out of Scope
78
+ - 可测的验收标准
79
+ - 待确认事项
80
+ - 这些内容如何回落成 `/team-intake` 输入
81
+
82
+ ## 6. 继续推进时怎么说
83
+
84
+ 当澄清结果形成后,下一句通常是:
85
+
86
+ ```text
87
+ 请基于上面的需求澄清结果继续执行 /team-intake,输出参与角色、风险和下一步建议。
88
+ ```
89
+
90
+ 与这些文档配合阅读:[product-manager-daily-operations.md](product-manager-daily-operations.md)、[requirement-clarity-and-scope-walkthrough.md](requirement-clarity-and-scope-walkthrough.md)、[role-prompt-recipes.md](role-prompt-recipes.md)
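Review bot: in section 3 the acceptance criterion "无权限时有明确错误提示" implies a permission check on the query, yet "In Scope" lists only the list page, the query API and the pagination, filter, empty and error states, while the role-permission question is deferred to "待确认事项". Either add the permission check to In Scope or mark that criterion as conditional on the open item, otherwise the `/team-intake` input derived from this example carries a criterion that cannot yet be tested.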
@@ -0,0 +1,60 @@
1
+ ---
2
+ version: "0.1.0"
3
+ status: draft
4
+ created: 2026-03-28
5
+ updated: 2026-03-28
6
+ owner: 工程团队
7
+ ---
8
+
9
+ # Product Manager 日常操作手册
10
+
11
+ 本文面向产品经理,说明需求澄清、PRD、范围边界和验收标准如何在 Team Skills Platform 下进入主链。
12
+
13
+ 如果你想先看命令面和能力映射,先读 [command-and-capability-matrix.md](command-and-capability-matrix.md)。
14
+
15
+ ## 1. 你的默认职责
16
+
17
+ - 定义问题、目标和用户价值
18
+ - 产出 PRD、用户故事和验收标准
19
+ - 控制范围边界,避免需求蔓延
20
+ - 把业务意图准确交给 tech-lead、architect 和 project-manager
21
+
22
+ ## 2. 开始澄清前必须确认什么
23
+
24
+ - 当前问题是否真实存在且值得做
25
+ - 用户对象、核心场景和成功指标是否明确
26
+ - 哪些内容是本次范围外事项
27
+ - 是否存在业务优先级冲突
28
+
29
+ ## 3. 需求澄清时的固定检查
30
+
31
+ - 目标是否可验证
32
+ - In Scope / Out of Scope 是否明确
33
+ - 验收标准是否可测
34
+ - 依赖和约束是否已记录
35
+ - 是否需要升级到 tech-lead 做仲裁
36
+
37
+ ## 4. 应交付什么
38
+
39
+ - PRD 或等价需求说明
40
+ - 用户故事与验收标准
41
+ - 范围边界说明
42
+ - 风险和待确认事项
43
+
44
+ 最小字段可直接按 [artifact-standards.md](../../rules/artifact-standards.md) 中的 PRD 要求组织:背景、目标与成功标准、用户故事、范围、风险与依赖。
45
+
46
+ ## 5. 常用命令组合
47
+
48
+ - `/team-intake`:把需求转成主链输入
49
+ - `/team-plan`:确认角色分工和下一步交付物
50
+ - `/tdd`:当验收标准容易争议时,提前把“可测标准”压实到执行前
51
+ - `/handoff`:把需求背景和验收标准传给研发或 QA
52
+
53
+ ## 6. 常见错误
54
+
55
+ - 只写功能点,不写目标和成功标准
56
+ - 验收标准不可测
57
+ - 明明需求高风险且验收容易歧义,却没有推动团队在实现前进入 `/tdd`
58
+ - 范围边界含糊,导致执行中不断加需求
59
+
60
+ 建议与这些文档配合阅读:[requirement-clarity-and-scope-walkthrough.md](requirement-clarity-and-scope-walkthrough.md)、[project-manager-daily-operations.md](project-manager-daily-operations.md)、[role-prompt-recipes.md](role-prompt-recipes.md)、[product-manager-clarification-conversation-example.md](product-manager-clarification-conversation-example.md)
@@ -0,0 +1,50 @@
1
+ ---
2
+ version: "0.1.0"
3
+ status: draft
4
+ created: 2026-03-28
5
+ updated: 2026-03-28
6
+ owner: 工程团队
7
+ ---
8
+
9
+ # 生产事故应急响应演练
10
+
11
+ 本文演示线上事故从快速分级、止血、修复到后续复盘的完整协作方式。重点是多角色协同,而不是单点修 bug。
12
+
13
+ ## 1. 场景
14
+
15
+ - 线上告警触发,审批提交成功率突然下降
16
+ - 影响关键路径,需要快速止血
17
+ - 可能需要临时回滚、限流或降级
18
+
19
+ ## 2. 推荐链路
20
+
21
+ 1. `/team-intake`
22
+ 2. `/team-execute`
23
+ 3. `/verify`
24
+ 4. `/handoff`
25
+ 5. `/team-release`
26
+
27
+ 问题复杂时,可在中间插入 `/code-review` 或 `/plan` 做专项分析。
28
+
29
+ ## 3. 关键输出
30
+
31
+ - 事故等级与影响范围
32
+ - 止血方案与执行结果
33
+ - 根因假设或已确认根因
34
+ - 后续修复和复盘建议
35
+
36
+ 若需要快速形成事故简报,直接按 [artifact-standards.md](../../rules/artifact-standards.md) 中的 Incident Brief 最小字段组织:事件概览、初步判断、协作分工、后续动作。
37
+
38
+ ## 4. 合格结果的检查点
39
+
40
+ - 有单点决策人
41
+ - 止血动作和根治动作被区分开
42
+ - 事故记录可供后续复盘
43
+
44
+ ## 5. 常见错误
45
+
46
+ - 多个角色同时给最终结论
47
+ - 先争论根因,延误止血
48
+ - 事故结束后没有沉淀后续动作
49
+
50
+ 与这些文档配合阅读:[tech-lead-daily-operations.md](tech-lead-daily-operations.md)、[troubleshooting.md](troubleshooting.md)
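Review bot: section 1 says the response may require a temporary rollback, rate limit or degradation, but the recommended chain in section 2 has no explicit step for verifying the service state after such a stop-gap, and post-rollback-verification-checklist.md added in this same release is not linked; add it next to `/verify` or in the closing "配合阅读" line. Section 2 also names `/plan` while the other runbooks in this diff use `/team-plan`; confirm which command is meant.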