@colin4k1024/tsp 2.4.1 → 2.4.2

Files changed (216)
  1. package/README.md +12 -6
  2. package/docs/.vitepress/config.mts +199 -0
  3. package/docs/adr/ADR-001-doc-architecture-integration.md +33 -0
  4. package/docs/guides/README.md +5 -0
  5. package/docs/guides/installation.md +33 -0
  6. package/docs/guides/user-guide.md +36 -0
  7. package/docs/index.md +65 -0
  8. package/docs/memory/backlog.md +10 -0
  9. package/docs/memory/decisions.md +43 -0
  10. package/docs/memory/lessons-learned.md +87 -0
  11. package/docs/plans/2026-04-03-python-remnants-audit.md +265 -0
  12. package/docs/plans/2026-04-03-scripts-python-to-js-migration.md +372 -0
  13. package/docs/plans/2026-04-03-solo-delivery-execution-checklist.md +413 -0
  14. package/docs/plans/2026-04-03-solo-delivery-gap-plan.md +377 -0
  15. package/docs/plans/2026-04-03-team-skills-workflow-gates.md +548 -0
  16. package/docs/plans/2026-04-21-open-source-readiness-gap-plan.md +217 -0
  17. package/docs/plans/llm-surface-reduction-audit.md +147 -0
  18. package/docs/plans/llm-surface-reduction-execution-checklist.md +217 -0
  19. package/docs/plans/llm-surface-reduction-execution-history.md +124 -0
  20. package/docs/plans/team-skills-platform-migration.md +54 -0
  21. package/docs/presentation/README.md +42 -0
  22. package/docs/presentation/audience-presentation-route-map.md +84 -0
  23. package/docs/presentation/executive-briefing-talk-track.md +50 -0
  24. package/docs/presentation/generate_capability_matrix.py +396 -0
  25. package/docs/presentation/generate_ppt.py +354 -0
  26. package/docs/presentation/implementation-onboarding-brief.md +38 -0
  27. package/docs/presentation/presentation-talk-track.md +97 -0
  28. package/docs/presentation/vertical-scenario-route-map.md +99 -0
  29. package/docs/presentation/workshop-facilitator-guide.md +47 -0
  30. package/docs/runbooks/actionlint-workflow-gates.md +80 -0
  31. package/docs/runbooks/agent-governance.md +131 -0
  32. package/docs/runbooks/ai-eval-platform-demo-execution-log.md +147 -0
  33. package/docs/runbooks/ai-eval-platform-demo-script.md +136 -0
  34. package/docs/runbooks/ai-eval-platform-walkthrough.md +113 -0
  35. package/docs/runbooks/ai-pr-review-automation.md +56 -0
  36. package/docs/runbooks/api-breaking-change-gates.md +58 -0
  37. package/docs/runbooks/api-design-evolution-walkthrough.md +42 -0
  38. package/docs/runbooks/api-lint-gates.md +57 -0
  39. package/docs/runbooks/api-mocking-strategy-and-lifecycle-guide.md +47 -0
  40. package/docs/runbooks/architect-daily-operations.md +63 -0
  41. package/docs/runbooks/architect-design-conversation-example.md +83 -0
  42. package/docs/runbooks/artifact-attestation-gates.md +75 -0
  43. package/docs/runbooks/artifact-persistence.md +257 -0
  44. package/docs/runbooks/backend-engineer-daily-operations.md +63 -0
  45. package/docs/runbooks/batch-optimization-completion-checklist.md +104 -0
  46. package/docs/runbooks/biz-service-designer-end-to-end-conversation-example.md +5 -0
  47. package/docs/runbooks/biz-service-designer-toolkit.md +5 -0
  48. package/docs/runbooks/bug-fix-complete-walkthrough.md +60 -0
  49. package/docs/runbooks/build-failure-recovery-walkthrough.md +40 -0
  50. package/docs/runbooks/canary-decision-matrix.md +41 -0
  51. package/docs/runbooks/canary-staging-release-walkthrough.md +46 -0
  52. package/docs/runbooks/checkov-iac-gates.md +104 -0
  53. package/docs/runbooks/claude-code-review-workflow.md +72 -0
  54. package/docs/runbooks/claude-conversation-prompt-recipes.md +132 -0
  55. package/docs/runbooks/claude-end-to-end-conversation-example.md +198 -0
  56. package/docs/runbooks/claude-feature-development-guide.md +112 -0
  57. package/docs/runbooks/claude-quick-start.md +227 -0
  58. package/docs/runbooks/claude-usage-scenarios.md +176 -0
  59. package/docs/runbooks/code-review-collaboration-walkthrough.md +65 -0
  60. package/docs/runbooks/codeql-pr-security-gates.md +64 -0
  61. package/docs/runbooks/codex-end-to-end-conversation-example.md +166 -0
  62. package/docs/runbooks/codex-multi-agent-orchestration.md +65 -0
  63. package/docs/runbooks/codex-parallel-prompt-recipes.md +131 -0
  64. package/docs/runbooks/codex-quick-start.md +223 -0
  65. package/docs/runbooks/codex-usage-scenarios.md +168 -0
  66. package/docs/runbooks/codex-workflow-essentials.md +88 -0
  67. package/docs/runbooks/command-and-capability-matrix.md +162 -0
  68. package/docs/runbooks/conftest-policy-gates.md +84 -0
  69. package/docs/runbooks/consumer-driven-contract-testing-with-mock-alignment.md +45 -0
  70. package/docs/runbooks/contract-testing-playbook.md +78 -0
  71. package/docs/runbooks/cosign-signing-gates.md +71 -0
  72. package/docs/runbooks/cross-role-issue-triage-walkthrough.md +47 -0
  73. package/docs/runbooks/cursor-quick-start.md +123 -0
  74. package/docs/runbooks/custom-overlay.md +115 -0
  75. package/docs/runbooks/data-ml-pipeline-demo-execution-log.md +141 -0
  76. package/docs/runbooks/data-ml-pipeline-demo-script.md +102 -0
  77. package/docs/runbooks/data-ml-pipeline-walkthrough.md +119 -0
  78. package/docs/runbooks/data-observability-quality-demo-execution-log.md +36 -0
  79. package/docs/runbooks/data-observability-quality-demo-script.md +42 -0
  80. package/docs/runbooks/data-observability-quality-walkthrough.md +86 -0
  81. package/docs/runbooks/demo-deliverables-overview.md +278 -0
  82. package/docs/runbooks/demo-execution-log.md +530 -0
  83. package/docs/runbooks/demo-scenario.md +129 -0
  84. package/docs/runbooks/dependency-review-gates.md +63 -0
  85. package/docs/runbooks/dependency-update-automation.md +83 -0
  86. package/docs/runbooks/design-md-workflow.md +185 -0
  87. package/docs/runbooks/devops-engineer-daily-operations.md +60 -0
  88. package/docs/runbooks/devops-release-conversation-example.md +88 -0
  89. package/docs/runbooks/doc-architecture-integration.md +59 -0
  90. package/docs/runbooks/doc-architecture-quick-start.md +122 -0
  91. package/docs/runbooks/document-execution-audit.md +32 -0
  92. package/docs/runbooks/documentation-update-walkthrough.md +37 -0
  93. package/docs/runbooks/ecc-harness-usage.md +93 -0
  94. package/docs/runbooks/error-experience-usage.md +116 -0
  95. package/docs/runbooks/evolution-usage.md +162 -0
  96. package/docs/runbooks/executive-value-one-page.md +55 -0
  97. package/docs/runbooks/external-capability-approval-and-enablement-workflow.md +39 -0
  98. package/docs/runbooks/external-capability-intake.md +160 -0
  99. package/docs/runbooks/first-team-command-60-seconds.md +96 -0
  100. package/docs/runbooks/first-team-workflow-walkthrough.md +245 -0
  101. package/docs/runbooks/frontend-backend-integration-acceptance-checklist.md +46 -0
  102. package/docs/runbooks/frontend-backend-parallel-integration-walkthrough.md +48 -0
  103. package/docs/runbooks/frontend-bugfix-one-page.md +82 -0
  104. package/docs/runbooks/frontend-engineer-daily-operations.md +60 -0
  105. package/docs/runbooks/frontend-enterprise-style-profile.md +5 -0
  106. package/docs/runbooks/frontend-governance.md +47 -0
  107. package/docs/runbooks/frontend-refactor-walkthrough.md +42 -0
  108. package/docs/runbooks/git-pr-workflow.md +63 -0
  109. package/docs/runbooks/github-actions-supply-chain-demo-execution-log.md +158 -0
  110. package/docs/runbooks/github-actions-supply-chain-demo-script.md +150 -0
  111. package/docs/runbooks/github-actions-supply-chain-walkthrough.md +117 -0
  112. package/docs/runbooks/github-token-permissions-baseline.md +92 -0
  113. package/docs/runbooks/gitlab-manual-pipeline-release.md +5 -0
  114. package/docs/runbooks/gitlab-release-integration-playbook.md +5 -0
  115. package/docs/runbooks/gitnexus-code-intelligence-usage.md +133 -0
  116. package/docs/runbooks/graphify-knowledge-graph-usage.md +88 -0
  117. package/docs/runbooks/handoff-filling-guide-with-examples.md +70 -0
  118. package/docs/runbooks/handoff-governance.md +250 -0
  119. package/docs/runbooks/helm-unittest-playbook.md +101 -0
  120. package/docs/runbooks/hotfix-emergency-release-walkthrough.md +60 -0
  121. package/docs/runbooks/iac-kubernetes-platform-demo-execution-log.md +144 -0
  122. package/docs/runbooks/iac-kubernetes-platform-demo-script.md +130 -0
  123. package/docs/runbooks/iac-kubernetes-platform-walkthrough.md +120 -0
  124. package/docs/runbooks/implementation-onboarding-reading-path.md +67 -0
  125. package/docs/runbooks/in-toto-attestation-framework.md +94 -0
  126. package/docs/runbooks/incident-severity-triage-tree.md +43 -0
  127. package/docs/runbooks/incident-triage-one-page.md +65 -0
  128. package/docs/runbooks/internal-developer-platform-demo-execution-log.md +36 -0
  129. package/docs/runbooks/internal-developer-platform-demo-script.md +42 -0
  130. package/docs/runbooks/internal-developer-platform-walkthrough.md +91 -0
  131. package/docs/runbooks/karpathy-guidelines-usage.md +27 -0
  132. package/docs/runbooks/kubeconform-schema-gates.md +100 -0
  133. package/docs/runbooks/kubectl-server-dry-run-gates.md +103 -0
  134. package/docs/runbooks/kyverno-policy-gates.md +90 -0
  135. package/docs/runbooks/langfuse-and-observability-integration-guide.md +43 -0
  136. package/docs/runbooks/langfuse-coding-trace.md +44 -0
  137. package/docs/runbooks/mobile-miniapp-delivery-walkthrough.md +112 -0
  138. package/docs/runbooks/mobile-miniapp-demo-execution-log.md +139 -0
  139. package/docs/runbooks/mobile-miniapp-demo-script.md +129 -0
  140. package/docs/runbooks/multi-service-backend-integration-walkthrough.md +61 -0
  141. package/docs/runbooks/open-design-integration.md +163 -0
  142. package/docs/runbooks/open-source-release-checklist.md +90 -0
  143. package/docs/runbooks/opencode-quick-start.md +128 -0
  144. package/docs/runbooks/parallel-development-coordination-walkthrough.md +47 -0
  145. package/docs/runbooks/parallel-execution-usage.md +179 -0
  146. package/docs/runbooks/platform-capability-demo-execution-log.md +184 -0
  147. package/docs/runbooks/platform-capability-demo-script.md +192 -0
  148. package/docs/runbooks/plugin-extension-platform-demo-execution-log.md +136 -0
  149. package/docs/runbooks/plugin-extension-platform-demo-script.md +102 -0
  150. package/docs/runbooks/plugin-extension-platform-walkthrough.md +111 -0
  151. package/docs/runbooks/policy-controller-gates.md +75 -0
  152. package/docs/runbooks/post-rollback-verification-checklist.md +37 -0
  153. package/docs/runbooks/pre-release-checklist.md +50 -0
  154. package/docs/runbooks/product-manager-clarification-conversation-example.md +90 -0
  155. package/docs/runbooks/product-manager-daily-operations.md +60 -0
  156. package/docs/runbooks/production-incident-response-walkthrough.md +50 -0
  157. package/docs/runbooks/project-claude-design-rationale.md +188 -0
  158. package/docs/runbooks/project-manager-daily-operations.md +61 -0
  159. package/docs/runbooks/project-manager-planning-conversation-example.md +82 -0
  160. package/docs/runbooks/project-onboarding.md +452 -0
  161. package/docs/runbooks/qa-engineer-daily-operations.md +63 -0
  162. package/docs/runbooks/qa-review-conversation-example.md +87 -0
  163. package/docs/runbooks/release-closure-one-page.md +65 -0
  164. package/docs/runbooks/release-governance-reading-path.md +56 -0
  165. package/docs/runbooks/release-notes-automation.md +48 -0
  166. package/docs/runbooks/release-rollback-recovery-walkthrough.md +47 -0
  167. package/docs/runbooks/requirement-clarity-and-scope-walkthrough.md +46 -0
  168. package/docs/runbooks/reviewdog-pr-gates.md +49 -0
  169. package/docs/runbooks/role-prompt-recipes.md +130 -0
  170. package/docs/runbooks/rtk-integration-intake.md +45 -0
  171. package/docs/runbooks/rtk-token-optimization-usage.md +107 -0
  172. package/docs/runbooks/runner-egress-hardening.md +81 -0
  173. package/docs/runbooks/runtime-capabilities-overview.md +113 -0
  174. package/docs/runbooks/sbom-generation-gates.md +71 -0
  175. package/docs/runbooks/scorecard-supply-chain-gates.md +82 -0
  176. package/docs/runbooks/secret-scanning-gates.md +85 -0
  177. package/docs/runbooks/security-compliance-platform-demo-execution-log.md +36 -0
  178. package/docs/runbooks/security-compliance-platform-demo-script.md +49 -0
  179. package/docs/runbooks/security-compliance-platform-walkthrough.md +98 -0
  180. package/docs/runbooks/slsa-generator-patterns.md +73 -0
  181. package/docs/runbooks/slsa-verification-gates.md +75 -0
  182. package/docs/runbooks/solo-delivery-mode.md +142 -0
  183. package/docs/runbooks/solo-delivery-one-page.md +111 -0
  184. package/docs/runbooks/specialist-commands-playbook.md +85 -0
  185. package/docs/runbooks/sub-agent-invocation-map.md +144 -0
  186. package/docs/runbooks/system-architecture-design-walkthrough.md +49 -0
  187. package/docs/runbooks/team-closeout-example.md +73 -0
  188. package/docs/runbooks/team-command-output-contracts.md +358 -0
  189. package/docs/runbooks/team-commands-quick-prompts.md +125 -0
  190. package/docs/runbooks/team-execute-example.md +63 -0
  191. package/docs/runbooks/team-handoff-example.md +49 -0
  192. package/docs/runbooks/team-intake-example.md +70 -0
  193. package/docs/runbooks/team-plan-example.md +62 -0
  194. package/docs/runbooks/team-release-example.md +63 -0
  195. package/docs/runbooks/team-review-example.md +61 -0
  196. package/docs/runbooks/team-skills-test-run.md +184 -0
  197. package/docs/runbooks/team-skills-usage.md +336 -0
  198. package/docs/runbooks/team-training-reading-path.md +64 -0
  199. package/docs/runbooks/tech-lead-closure-conversation-example.md +78 -0
  200. package/docs/runbooks/tech-lead-daily-operations.md +67 -0
  201. package/docs/runbooks/trivy-security-gates.md +79 -0
  202. package/docs/runbooks/troubleshooting.md +234 -0
  203. package/docs/runbooks/vertical-scenario-capability-matrix.md +107 -0
  204. package/docs/runbooks/witness-policy-gates.md +78 -0
  205. package/docs/runbooks/zizmor-workflow-audits.md +81 -0
  206. package/manifests/install-components.json +8 -0
  207. package/manifests/install-modules.json +34 -0
  208. package/manifests/install-profiles.json +2 -0
  209. package/package.json +2 -1
  210. package/scripts/install-apply.js +9 -0
  211. package/scripts/install-open-design.js +206 -0
  212. package/scripts/install-plan.js +17 -0
  213. package/scripts/lib/install/apply.js +31 -0
  214. package/scripts/lib/install-executor.js +56 -0
  215. package/skills/open-design/SKILL.md +87 -0
  216. package/skills/open-design/agents/openai.yaml +4 -0
@@ -0,0 +1,336 @@
1
+ ---
2
+ version: "2.3.0"
3
+ status: draft
4
+ created: 2026-03-27
5
+ updated: 2026-04-18
6
+ owner: 工程团队
7
+ doc_tier: entry
8
+ last_verified: 2026-04-18
9
+ source_of_truth:
10
+ - ../../README.md
11
+ - ../../AGENTS.md
12
+ - ./command-and-capability-matrix.md
13
+ ---
14
+
15
+ # Team Skills 使用手册
16
+
17
+ 本文说明新的开源角色化 Team Skills Platform 如何使用、如何安装,以及角色之间如何协作。若你先想搞清楚“当前到底有哪些命令、skills 和 runtime 能力”,先看 [command-and-capability-matrix.md](command-and-capability-matrix.md) 和 [runtime-capabilities-overview.md](runtime-capabilities-overview.md)。
18
+
19
+ 主链命令的输出字段定义见 [team-command-output-contracts.md](team-command-output-contracts.md),本轮文档核对台账见 [document-execution-audit.md](document-execution-audit.md),本轮批量优化完成情况见 [batch-optimization-completion-checklist.md](batch-optimization-completion-checklist.md)。
20
+
21
+ ## 1. 平台组成
22
+
23
+ ### 1.1 Canonical Source
24
+
25
+ - `roles/*/role.yaml`:角色唯一事实源
26
+ - `skills/`:当前正式技能目录。共享能力和 ECC 增强统一平铺到这里;自定义扩展通过 custom overlay 提供
27
+ - `rules/`:工作规则
28
+ - `templates/`:交付模板与生成模板
29
+
30
+ ### 1.2 Generated Artifacts
31
+
32
+ - `skills/roles/`:角色型 skills
33
+ - `agents/roles/`:角色 agent prompt
34
+ - `agents/specialists/`:ECC 风格 specialist agents
35
+ - `commands/`:团队命令面 + ECC 快捷命令
36
+ - `.codex-plugin/plugin.json`
37
+ - `.claude-plugin/plugin.json`
38
+ - `marketplace.json`
39
+ - `.agents/plugins/marketplace.json`
40
+
41
+ ## 2. 角色入口
42
+
43
+ | 角色 | 入口方式 | 推荐场景 |
44
+ |------|----------|----------|
45
+ | `tech-lead` | role skill + agent | 需求 intake、任务分派、冲突仲裁 |
46
+ | `product-manager` | role skill + agent | 需求澄清、PRD、验收标准 |
47
+ | `project-manager` | role skill + agent | 排期、依赖、风险推进 |
48
+ | `architect` | role skill + agent | 方案决策、接口与数据契约 |
49
+ | `frontend-engineer` | role skill + agent | 页面、交互、状态、前端自测 |
50
+ | `backend-engineer` | role skill + agent | 接口、服务、数据、后端自测 |
51
+ | `qa-engineer` | role skill + agent | 测试计划、回归、放行建议 |
52
+ | `devops-engineer` | role skill + agent | 发布、监控、回滚、运行保障 |
53
+
54
+ ## 3. 默认命令流
55
+
56
+ 1. `/team-help`
57
+ 2. `/team-intake`
58
+ 3. `/team-plan`
59
+ 4. `/handoff`
60
+ 5. `/team-execute`
61
+ 6. `/team-review`
62
+ 7. `/team-release`
63
+ 8. `/team-closeout`
64
+
65
+ 实际执行时,`/team-help` 是唯一公开入口;`/team-plan` 内部必须先完成 `Requirement Challenge Session`、`design-review` 与 implementation-readiness;`/team-execute` 只能消费 readiness proof;`/team-closeout` 只能消费已经完成观察窗口的 release 结果。
66
+
67
+ 主链 artifact 不允许只停留在对话里。`/team-intake` 到 `/team-closeout` 的正式输出都应通过 `npm run artifact:persist -- ...` 落到 `docs/artifacts/`、`docs/adr/` 和 `docs/memory/`。
68
+
69
+ 如果项目采用 `solo mode`,推荐最短链路为 `/team-intake -> /team-plan -> /team-execute -> /team-review -> /team-release -> /team-closeout`。详见 [solo-delivery-mode.md](solo-delivery-mode.md) 和 [solo-delivery-one-page.md](solo-delivery-one-page.md)。
70
+
71
+ ## 3.1 specialist 与平台体检命令
72
+
73
+ | 命令 | 作用 | 典型回落位置 |
74
+ |------|------|--------------|
75
+ | `/plan` | 深度规划与拆阶段 | `/handoff`、`/team-plan` |
76
+ | `/tdd` | 先测后码的 red-green-refactor 路径 | `/team-execute`、`/handoff` |
77
+ | `/code-review` | 实现质量、回归与风险审查 | `/handoff`、`/team-review` |
78
+ | `/build-fix` | 构建失败定位与修复 | `/team-execute`、`/handoff` |
79
+ | `/verify` | 验证回环、关键路径确认 | `/team-review`、`/team-release` |
80
+ | `/multi-frontend` | 前端多视角并行分析 | `/handoff`、`/team-plan` |
81
+ | `/multi-backend` | 后端多视角并行分析 | `/handoff`、`/team-plan` |
82
+ | `/harness-audit` | 平台能力面评分、缺口与优先级建议 | 平台治理、文档补齐、命令/skill 收敛 |
83
+
84
+ ## 4. 共享能力
85
+
86
+ | Shared Skill | 作用 |
87
+ |--------------|------|
88
+ | `api-contract` | 固化接口、错误码和兼容性 |
89
+ | `frontend-engineering` | 统一 React/Next 优先的前端工程规范与交付质量 |
90
+ | `frontend-ui-ux-system` | 统一产品视觉方向、设计 token、交互与体验门禁 |
91
+ | `doc-architecture` | 将 discovery / modeling / consistency audit 输出映射到 artifacts/adr/memory |
92
+
93
+ 其中方案设计、目标澄清、backlog 拆解、事故协同、发布准备度和测试口径对齐都不再单独暴露成 shared skill,而是分别收敛到角色主链、模板、QA 手册和专题 runbook 中。
94
+
95
+ 文档架构能力的执行细则见 [doc-architecture-integration.md](doc-architecture-integration.md)。
96
+ 第一次实际使用可直接按 [doc-architecture-quick-start.md](doc-architecture-quick-start.md) 跑最小闭环。
97
+
98
+ ## 5. 企业扩展层
99
+
100
+ - 公开仓的 `skills/` 只承载公开能力,不再内置企业内部 skills。
101
+ - 企业扩展改由私有 `enterprise` overlay 提供,公开仓只保留安装位与兼容入口。
102
+ - 启用策略由 `/team-intake` 和 `/team-plan` 决定,不默认把私有领域扩展施加到所有任务上。
103
+ - 公开安装与分发约定见 [custom-overlay.md](custom-overlay.md)。
104
+ - 任何需要企业内部 runbook、toolkit、examples 或脚本的场景,都应在私有 overlay 环境中完成。
105
+
106
+ ## 5.1 可选代码图谱能力(Graphify + GitNexus)
107
+
108
+ - Graphify 作为轻量结构证据能力接入,定位是 brownfield 结构扫描、架构问答和依赖路径证据补充。
109
+ - GitNexus 作为受控可选代码智能能力接入,定位是 MCP 查询、impact、detect_changes、多仓分析和更深代码图谱证据。
110
+ - 推荐组合:`/team-help -> /update-codemaps -> npm run graphify:doctor 或 npm run gitnexus:doctor -> 图谱查询 -> /team-plan`。
111
+ - 输出必须在 handoff 或 artifacts 中引用关键结论,不创建平行责任链。
112
+ - 不允许在本仓库执行会改写现有 AGENTS/hooks/MCP 契约的自动 setup 类命令。
113
+ - 详细操作见 [graphify-knowledge-graph-usage.md](graphify-knowledge-graph-usage.md) 与 [gitnexus-code-intelligence-usage.md](gitnexus-code-intelligence-usage.md)。
114
+
115
+ ## 6. ECC Harness Layer
116
+
117
+ ### 5.1 specialist agents
118
+
119
+ - `agents/specialists/` 提供 27 个规划、review、build-fix、文档和编排专项代理
120
+ - specialist 结论不直接形成最终交付,必须回落到 role handoff 或 `/team-*`
121
+
122
+ ### 5.2 ECC commands
123
+
124
+ - 快捷命令包括 `/plan`、`/tdd`、`/code-review`、`/build-fix`、`/verify`、`/multi-frontend`、`/multi-backend`
125
+ - 它们用于 specialist 编排,不替代团队主链
126
+
127
+ ### 5.3 ECC skills 与 rules
128
+
129
+ - `skills/`:精选工程技能入口,建议按三类理解:
130
+
131
+ | 类别 | 技能 | 适用场景 |
132
+ |------|------|----------|
133
+ | 调试与验证(结构认知) | `graphify`、`gitnexus` | brownfield 结构扫描、依赖路径分析、架构问答、MCP 查询、impact / detect_changes 证据补齐 |
134
+ | 调试与验证 | `browser-smoke-testing`、`pairwise-test-design`、`testcontainers-integration-testing`、`systematic-debugging`、`java-unit-test`、`maven-qa`、`mysql-query`、`eval-harness` | 浏览器回归、组合压缩、集成验证、系统化排障、语言/数据库专项、EDD |
135
+ | 编排与效率 | `parallel-execution`、`strategic-compact`、`cost-aware-llm-pipeline`、`harness-audit` | 并行执行、长会话整理、成本控制、平台能力自检 |
136
+ | 学习与记忆 | `error-experience-library`、`continuous-learning` | 错误模式沉淀、instinct 学习与演进 |
137
+
138
+ - 如果你想知道每个命令通常搭配哪些 skill,直接看 [command-and-capability-matrix.md](command-and-capability-matrix.md)
139
+ - `rules/common/`:通用工程规则
140
+ - `rules/typescript/`、`rules/java/`、`rules/python/`、`rules/golang/`:语言专项规则
141
+ - 配套工程实践手册:[git-pr-workflow.md](git-pr-workflow.md)、[ai-pr-review-automation.md](ai-pr-review-automation.md)、[reviewdog-pr-gates.md](reviewdog-pr-gates.md)、[api-breaking-change-gates.md](api-breaking-change-gates.md)、[api-lint-gates.md](api-lint-gates.md)、[dependency-review-gates.md](dependency-review-gates.md)、[dependency-update-automation.md](dependency-update-automation.md)、[codeql-pr-security-gates.md](codeql-pr-security-gates.md)、[secret-scanning-gates.md](secret-scanning-gates.md)、[actionlint-workflow-gates.md](actionlint-workflow-gates.md)、[github-token-permissions-baseline.md](github-token-permissions-baseline.md)、[zizmor-workflow-audits.md](zizmor-workflow-audits.md)、[checkov-iac-gates.md](checkov-iac-gates.md)、[kyverno-policy-gates.md](kyverno-policy-gates.md)、[trivy-security-gates.md](trivy-security-gates.md)、[kubeconform-schema-gates.md](kubeconform-schema-gates.md)、[conftest-policy-gates.md](conftest-policy-gates.md)、[helm-unittest-playbook.md](helm-unittest-playbook.md)、[kubectl-server-dry-run-gates.md](kubectl-server-dry-run-gates.md)、[scorecard-supply-chain-gates.md](scorecard-supply-chain-gates.md)、[runner-egress-hardening.md](runner-egress-hardening.md)、[sbom-generation-gates.md](sbom-generation-gates.md)、[artifact-attestation-gates.md](artifact-attestation-gates.md)、[cosign-signing-gates.md](cosign-signing-gates.md)、[slsa-verification-gates.md](slsa-verification-gates.md)、[slsa-generator-patterns.md](slsa-generator-patterns.md)、[in-toto-attestation-framework.md](in-toto-attestation-framework.md)、[policy-controller-gates.md](policy-controller-gates.md)、[witness-policy-gates.md](witness-policy-gates.md)、[contract-testing-playbook.md](contract-testing-playbook.md)、[release-notes-automation.md](release-notes-automation.md)
142
+ - 详细使用见 [ecc-harness-usage.md](ecc-harness-usage.md)、[error-experience-usage.md](error-experience-usage.md)、[parallel-execution-usage.md](parallel-execution-usage.md)
143
+
144
+ ### 5.4 runtime hooks 与 memory
145
+
146
+ - hooks 配置位于 `hooks/hooks.json`
147
+ - 当前公开 runtime 入口位于 `scripts/hooks/`,至少包括:
148
+ - 会话持久化:`session-start-bootstrap.js`、`session-start.js`、`session-end.js`、`session-end-marker.js`
149
+ - 上下文整理:`pre-compact.js`、`suggest-compact.js`
150
+ - 观察与治理:`governance-capture.js`、`mcp-health-check.js`
151
+ - 质量与成本:`quality-gate.js`、`cost-tracker.js`
152
+ - Claude legacy 安装脚本现在会复制这些 JS hooks,并清理旧 `.py` hook 注册
153
+ - 默认写入 `docs/memory/`、`docs/memory/sessions/`、`~/.claude/memory/audit/` 与 `~/.claude/metrics/` 等本地目录
154
+ - 如果你要理解这些能力如何配合 specialist 与主链,先看 [ecc-harness-usage.md](ecc-harness-usage.md);如果你想单独看后台机制,继续看 [runtime-capabilities-overview.md](runtime-capabilities-overview.md)
155
+
156
+ ## 7. 前端能力包
157
+
158
+ ### 6.1 适用场景
159
+
160
+ - 页面、组件、样式、导航、表单、图表或前端静态资源发生变更
161
+ - `tech-lead` 在 intake 或 plan 阶段已确认存在 UI 交付物
162
+
163
+ ### 6.2 默认使用方式
164
+
165
+ 1. `tech-lead` 在 `/team-intake` 和 `/team-plan` 锁定产品类型、目标端、设计约束、响应式基线、A11y/性能门禁。
166
+ 2. `frontend-engineer` 优先使用 `frontend-engineering` 确定组件结构、状态流和工程边界。
167
+ 3. 若目标项目明确采用自定义前端样式 profile,再按需阅读 [frontend-enterprise-style-profile.md](frontend-enterprise-style-profile.md) 与对应 toolkit。
168
+ 4. `frontend-engineer`、`qa-engineer`、`tech-lead` 在涉及体验决策和评审时使用 `frontend-ui-ux-system`。
169
+ 5. 进入 QA 前,前端任务必须补齐 [ui-review-checklist.md](../../templates/ui-review-checklist.md)。
170
+
171
+ ### 6.3 相关规则与模板
172
+
173
+ - 规则:[frontend-engineering-standards.md](../../rules/frontend-engineering-standards.md)、[frontend-ui-ux-standards.md](../../rules/frontend-ui-ux-standards.md)、[frontend-quality-gates.md](../../rules/frontend-quality-gates.md)
174
+ - 模板:[design-system-brief.md](../../templates/design-system-brief.md)、[ui-implementation-plan.md](../../templates/ui-implementation-plan.md)、[ui-review-checklist.md](../../templates/ui-review-checklist.md)
175
+ - 专题手册:[frontend-governance.md](frontend-governance.md)
176
+
177
+ ## 8. 安装方式
178
+
179
+ ### 7.1 推荐安装方式
180
+
181
+ ```bash
182
+ node scripts/build-platform-artifacts.js
183
+ node scripts/install-apply.js --profile team --target claude
184
+ node scripts/install-apply.js --profile full --target codex
185
+ ```
186
+
187
+ 推荐优先使用 `install-apply.js`。它会按 profile 选择安装模块,并与当前 JS runtime、平铺 `skills/` 目录和生成产物保持一致。
188
+
189
+ ### 7.2 Legacy shell wrappers
190
+
191
+ ```bash
192
+ node scripts/build-platform-artifacts.js
193
+ CODEX_HOME_DIR="$HOME/.codex" AGENTS_HOME_DIR="$HOME/.agents" ./scripts/install-codex.sh
194
+ CLAUDE_HOME_DIR="$HOME/.claude" ./scripts/install-claude.sh
195
+ ```
196
+
197
+ legacy shell wrappers 仍可用,但底层已统一转到 `scripts/install-platform.js` 的当前 JS 安装链路。
198
+
199
+ ### 7.3 安装后会发生什么
200
+
201
+ - Codex:把插件同步到 `$CODEX_HOME_DIR/plugins/team-skills-platform`,并把 marketplace 合并到 `$AGENTS_HOME_DIR/plugins/marketplace.json`
202
+ - Claude:同步平铺 `skills/`、`agents/`、`commands/`、`rules/`、`templates/`,并注册当前 JS hooks 到 `settings.json`
203
+ - 两端都把 `/team-help` 作为公开主链入口;正式任务输出仍需通过 `artifact:persist` 回写到项目仓库
204
+
205
+ ### 7.4 安装校验
206
+
207
+ 首次安装后,建议先确认文件是否落到预期位置:
208
+
209
+ - Claude:`~/.claude/commands/team-intake.md`、`~/.claude/agents/roles/tech-lead.md`、`~/.claude/examples/project-CLAUDE.md`
210
+ - Codex:`$CODEX_HOME_DIR/plugins/team-skills-platform/commands/team-intake.md`、`$CODEX_HOME_DIR/plugins/team-skills-platform/agents/roles/tech-lead.md`
211
+ - Codex marketplace:`$AGENTS_HOME_DIR/plugins/marketplace.json` 中存在 `team-skills-platform`
212
+
213
+ 如果安装位置不对,优先检查:
214
+
215
+ - 是否先运行了 `node scripts/build-platform-artifacts.js`
216
+ - 是否通过 `CODEX_HOME_DIR`、`AGENTS_HOME_DIR`、`CLAUDE_HOME_DIR` 覆盖了默认目录
217
+ - 是否误把历史导入源当成正式安装入口
218
+
219
+ ### 7.5 新项目接入
220
+
221
+ 如果你的目标不是体验单条命令,而是把平台正式接入一个新仓库,建议直接阅读 [project-onboarding.md](project-onboarding.md)。这份文档覆盖项目级 `CLAUDE.md` 准备、角色和 skills 装配、第一条主链任务、以及提交前校验。
222
+
223
+ 如果你已经明确项目属于某个 vertical,也可以直接从 [../../examples/INDEX.md](../../examples/INDEX.md) 选择模板;如果你想先确认该 vertical 的 starter、walkthrough、demo script 和 execution log 是否都已补齐,再看 [vertical-scenario-capability-matrix.md](vertical-scenario-capability-matrix.md)。
224
+
225
+ ## 9. 首次调用示例
226
+
227
+ ### 9.1 Claude 中的最小闭环
228
+
229
+ 建议先在目标项目根目录准备一份项目级 `CLAUDE.md`,可以从 [../../examples/project-CLAUDE.md](../../examples/project-CLAUDE.md) 或专项样例复制。
230
+
231
+ 第一次对话建议只做一个最小闭环:
232
+
233
+ 1. 用 `tech-lead` 视角运行 `/team-intake`
234
+ 2. 用 `tech-lead` 视角运行 `/team-plan`
235
+ 3. 若任务很小,直接转 `/code-review` 或 `/team-execute`
236
+ 4. 需要交接时运行 `/handoff`
237
+
238
+ 示例输入:
239
+
240
+ ```text
241
+ /team-intake
242
+ 目标:为 Spring Boot 订单服务新增审批 API
243
+ 范围:接口、权限校验、测试计划
244
+ 不做:前端页面、运维发布脚本改造
245
+ 约束:必须评估 私有流程与权限集成 是否需要启用
246
+ 输出:参与角色、初始风险、下一步计划
247
+ ```
248
+
249
+ 后续继续:
250
+
251
+ ```text
252
+ /team-plan
253
+ 基于上一步 intake 结果,拆解 architect、backend-engineer、qa-engineer 的任务。
254
+ 要求给出依赖关系、是否启用 custom overlay、每个 handoff 的最小交付物。
255
+ ```
256
+
257
+ ### 9.2 Codex 中的最小闭环
258
+
259
+ Codex 安装的是完整插件目录,因此更适合在一个仓库里连续执行主链和 specialist 组合。
260
+
261
+ 推荐顺序:
262
+
263
+ 1. 先用 `/team-intake` 锁定目标和约束
264
+ 2. 再用 `/plan` 或 `/multi-frontend`、`/multi-backend` 做专项拆解
265
+ 3. 用 `/handoff` 把专项结论回收到主链
266
+ 4. 最后进入 `/team-review` 或 `/team-release`
267
+
268
+ 示例输入:
269
+
270
+ ```text
271
+ /team-intake
272
+ 目标:修复 Next.js 控制台首页在 iPad 下的布局溢出
273
+ 范围:页面布局、视觉回归、响应式验证
274
+ 约束:必须遵守 frontend-quality-gates,并附上 ui-review-checklist
275
+ ```
276
+
277
+ 专项示例:
278
+
279
+ ```text
280
+ /multi-frontend
281
+ 基于当前 intake 结果,分别从实现、UI/UX、QA 风险三个视角拆解工作。
282
+ 要求指出哪些结论必须进入最终 handoff,哪些只作为参考建议。
283
+ ```
284
+
285
+ ## 10. 何时用主链,何时用 specialist
286
+
287
+ - `/team-*` 适合负责最终决策、角色分派、交付收口
288
+ - `/plan`、`/code-review`、`/build-fix`、`/multi-*` 适合产出专项分析
289
+ - specialist 结论不是最终交付,必须回落到 `/handoff` 或对应主责角色
290
+ - 简单 bug fix 可以走短链路,但仍然要保留 handoff 和验证证据
291
+
292
+ ## 11. 维护方式
293
+
294
+ 1. 先改 `roles/`、`skills/`、`skills/`、`skills/`、`rules/` 或 `templates/`。
295
+ 2. 新增开源 skill / 工程实践前,先登记 [external-capability-intake.md](external-capability-intake.md)。
296
+ 3. 运行 `node scripts/build-platform-artifacts.js`。
297
+ 4. 运行 `node scripts/validate-library.js`。
298
+ 5. 再执行安装或提交。
299
+
300
+ ## 12. 常见问题
301
+
302
+ ### 12.1 为什么安装后看不到命令
303
+
304
+ 优先检查安装目录里是否真的存在命令文件,例如 `~/.claude/commands/team-intake.md` 或 `$CODEX_HOME_DIR/plugins/team-skills-platform/commands/team-intake.md`。如果文件不存在,通常是构建未执行或安装目录覆盖错了。
305
+
306
+ ### 12.2 为什么 specialist 给出的结论不能直接当最终结果
307
+
308
+ 因为这个平台的工作模型是 `tech-lead` 编排 + 专业角色协作。specialist 用来缩短专项分析路径,但最终责任仍在主链角色,不在 specialist 本身。
309
+
310
+ ### 12.3 custom overlay 什么时候启用
311
+
312
+ 只有在 `/team-intake` 或 `/team-plan` 判断任务真的涉及 私有流程、权限集成 或其他公司域能力时才启用,默认不加载到所有任务。
313
+
314
+ ### 12.4 新增的 memory / 并行能力从哪里看
315
+
316
+ - 错误经验库与错误模式沉淀:看 [error-experience-usage.md](error-experience-usage.md)
317
+ - 并行执行与 Git worktree 协作:看 [parallel-execution-usage.md](parallel-execution-usage.md)
318
+ - 命令、skills 与推荐组合:看 [command-and-capability-matrix.md](command-and-capability-matrix.md)
319
+ - runtime hooks、observe、cost、budget、instinct、compact:看 [runtime-capabilities-overview.md](runtime-capabilities-overview.md)
320
+ - 想看一份完整演示:看 [demo-scenario.md](demo-scenario.md) 和 [demo-execution-log.md](demo-execution-log.md)
321
+ - 想看本轮新增能力的专用演示:看 [platform-capability-demo-script.md](platform-capability-demo-script.md) 和 [platform-capability-demo-execution-log.md](platform-capability-demo-execution-log.md)
322
+ - 想按垂直项目类型直接复用演示台账:看 [github-actions-supply-chain-demo-execution-log.md](github-actions-supply-chain-demo-execution-log.md)、[ai-eval-platform-demo-execution-log.md](ai-eval-platform-demo-execution-log.md) 和 [mobile-miniapp-demo-execution-log.md](mobile-miniapp-demo-execution-log.md)
323
+ - 想按垂直项目类型直接照着讲:看 [github-actions-supply-chain-demo-script.md](github-actions-supply-chain-demo-script.md)、[ai-eval-platform-demo-script.md](ai-eval-platform-demo-script.md) 和 [mobile-miniapp-demo-script.md](mobile-miniapp-demo-script.md)
324
+ - 想继续看更多 vertical 的完整 demo:看 [iac-kubernetes-platform-demo-script.md](iac-kubernetes-platform-demo-script.md)、[plugin-extension-platform-demo-script.md](plugin-extension-platform-demo-script.md)、[data-ml-pipeline-demo-script.md](data-ml-pipeline-demo-script.md) 以及对应的 execution log
325
+ - 想按表格查看所有 vertical 的材料覆盖:看 [vertical-scenario-capability-matrix.md](vertical-scenario-capability-matrix.md)
326
+ - 想对外介绍平台:看 [../presentation/README.md](../presentation/README.md)
327
+ - 想按管理层、实施接入或培训三类听众选 presentation 材料:看 [../presentation/audience-presentation-route-map.md](../presentation/audience-presentation-route-map.md)
328
+ - 想在 runbook 层直接拿一页或阅读路径:看 [executive-value-one-page.md](executive-value-one-page.md)、[implementation-onboarding-reading-path.md](implementation-onboarding-reading-path.md) 和 [team-training-reading-path.md](team-training-reading-path.md)
329
+
330
+ ## 13. 回归要求
331
+
332
+ - 活跃入口中不再暴露历史流程模型。
333
+ - 交接必须遵循 `rules/handoff-contract.md`。
334
+ - 角色技能与 agent prompt 必须和 `roles/*/role.yaml` 保持一致。
335
+ - 前端任务必须满足 `rules/frontend-quality-gates.md`。
336
+ - specialist、ECC commands、custom overlay技能、rules packs、runtime hooks 必须可安装、可校验、可回落到主团队链路。
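Review bot: the regression requirement `specialist、ECC commands、custom overlay技能、rules packs、runtime hooks 必须可安装、可校验、可回落到主团队链路` names no check, so nothing can fail it; state which command or script proves "installable" and "verifiable" (for example the schema or checksum the install step validates) and what "fall back to the main team chain" means when a hook or overlay is absent. The same applies to `角色技能与 agent prompt 必须和 roles/*/role.yaml 保持一致`: say what compares the prompt against `role.yaml` and when it runs. Nit: missing space in `custom overlay技能`.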
@@ -0,0 +1,64 @@
1
+ ---
2
+ version: "0.1.0"
3
+ status: draft
4
+ created: 2026-03-29
5
+ updated: 2026-03-29
6
+ owner: 工程团队
7
+ ---
8
+
9
+ # 团队培训阅读路径
10
+
11
+ 本文面向团队培训、联合赋能和新成员入组,目标是让读者先理解怎么用,再决定看哪一条 vertical 或哪一类 specialist。
12
+
13
+ ## 1. 适合谁
14
+
15
+ - 前后端研发
16
+ - QA / DevOps / PM / Architect 联合培训
17
+ - 新成员入组培训
18
+
19
+ ## 2. 培训先讲什么
20
+
21
+ - 主链命令解决什么问题
22
+ - specialist 命令和主链是什么关系
23
+ - runtime 能力为什么不是“隐形魔法”,而是可解释的平台能力
24
+ - vertical 材料怎么选,不同项目为什么不用从零写脚本
25
+
26
+ ## 3. 推荐顺序
27
+
28
+ 1. [../presentation/workshop-facilitator-guide.md](../presentation/workshop-facilitator-guide.md)
29
+ 2. [command-and-capability-matrix.md](command-and-capability-matrix.md)
30
+ 3. [runtime-capabilities-overview.md](runtime-capabilities-overview.md)
31
+ 4. [specialist-commands-playbook.md](specialist-commands-playbook.md)
32
+ 5. [vertical-scenario-capability-matrix.md](vertical-scenario-capability-matrix.md)
33
+
34
+ ## 4. 培训分三段就够了
35
+
36
+ ### 4.1 第一段:讲主链
37
+
38
+ 先用 [first-team-command-60-seconds.md](first-team-command-60-seconds.md) 和 [first-team-workflow-walkthrough.md](first-team-workflow-walkthrough.md) 讲最小闭环。
39
+
40
+ ### 4.2 第二段:讲 specialist 和 runtime
41
+
42
+ 用 [specialist-commands-playbook.md](specialist-commands-playbook.md) 解释 `/plan`、`/tdd`、`/code-review`、`/verify`,再用 [runtime-capabilities-overview.md](runtime-capabilities-overview.md) 讲 memory、observe、cost、budget、compact。
43
+
44
+ ### 4.3 第三段:讲 vertical 复用
45
+
46
+ 用 [vertical-scenario-capability-matrix.md](vertical-scenario-capability-matrix.md) 选一条完整 vertical,再进入对应 demo script 和 execution log。
47
+
48
+ ## 5. 推荐练习顺序
49
+
50
+ 1. 先跑一条最小主链
51
+ 2. 再加一个 specialist 命令
52
+ 3. 最后挑一个 vertical 做完整演练
53
+
54
+ ## 6. 常见误区
55
+
56
+ - 一开始就把角色、命令、runtime、vertical 一次讲完,导致信息过载
57
+ - 只讲命令,不讲 handoff 回落和责任链
58
+ - 只讲理论,不给 demo script 或 execution log
59
+
60
+ ## 7. 培训后继续分流
61
+
62
+ - 需要实施接入的人:转到 [implementation-onboarding-reading-path.md](implementation-onboarding-reading-path.md)
63
+ - 需要汇报价值的人:转到 [executive-value-one-page.md](executive-value-one-page.md)
64
+ - 需要按 Claude 或 Codex 分端阅读的人:转到 [claude-usage-scenarios.md](claude-usage-scenarios.md) 和 [codex-usage-scenarios.md](codex-usage-scenarios.md)
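Review bot: section 6 warns against `只讲命令,不讲 handoff 回落和责任链`, yet neither the recommended order in section 3 nor the three segments in section 4 include a handoff document; add `rules/handoff-contract.md` (the runbook's section 13 makes it mandatory for every handoff) or `handoff-filling-guide-with-examples.md` to the order. Also, section 4.2 enumerates runtime as `memory、observe、cost、budget、compact`, while the runbook entry points trainees to `runtime hooks、observe、cost、budget、instinct、compact`; hooks and instinct are dropped here, and hooks are exactly the runtime piece that needs explaining if runtime is to be taught as `可解释的平台能力` rather than `隐形魔法`, as section 2 promises.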
@@ -0,0 +1,78 @@
1
+ ---
2
+ version: "0.1.0"
3
+ status: draft
4
+ created: 2026-03-28
5
+ updated: 2026-03-28
6
+ owner: 工程团队
7
+ ---
8
+
9
+ # Tech Lead 收口对话样例
10
+
11
+ 本文给出一份偏 Tech Lead 视角的成品对话样例,重点展示当 intake、plan、specialist、review、release 都已经出现时,最终应该怎么统一收口,而不是保留多份平行结论。
12
+
13
+ ## 1. 场景
14
+
15
+ - 任务:审批记录查询能力已经经过 plan、execute、review、release
16
+ - 当前输入:存在多个 specialist 结论、QA 结论和发布观察记录
17
+ - 目标:形成一次可交付、可回溯的最终收口
18
+
19
+ ## 2. 用户怎么说
20
+
21
+ ```text
22
+ 请以 tech-lead 视角基于当前 intake、plan、specialist、handoff、review 和 release 结果做最终收口。
23
+ 输出必须包含:已确认结论、未决问题、阻塞风险、非阻塞风险、下一步动作。
24
+ 如果 specialist 结论还没有完全回收到主链,也请指出缺口。
25
+ ```
26
+
27
+ ## 3. 期望结果长什么样
28
+
29
+ ```text
30
+ 已确认结论
31
+ - 审批记录查询接口和列表页已完成实现、自测、QA 验证与灰度发布
32
+ - 本次未正式启用 custom overlay
33
+ - GitLab 与 Langfuse 仅作为发布 runbook 补充
34
+
35
+ 未决问题
36
+ - 旧客户端字段顺序兼容性仍需在下一次版本回顾中确认是否彻底下线
37
+
38
+ 阻塞风险
39
+ - 无
40
+
41
+ 非阻塞风险
42
+ - 低流量场景下暂未发现结构性问题,但仍需观察一周
43
+
44
+ specialist 收口情况
45
+ - /code-review 结论已回收进 handoff
46
+ - /verify 结论已回收进 review
47
+ - 无未回收的平行结论
48
+
49
+ 下一步动作
50
+ - 由 project-manager 记录版本里程碑
51
+ - 由 tech-lead 在版本复盘中跟踪兼容性问题是否关闭
52
+ ```
53
+
54
+ ## 4. 不合格结果通常长什么样
55
+
56
+ ```text
57
+ 整体完成,可以结束。
58
+ ```
59
+
60
+ 这类结果的问题是:
61
+
62
+ - 没说明还有没有未决问题
63
+ - 没说明 specialist 是否真的回收进主链
64
+ - 没把后续责任链交代清楚
65
+
66
+ ## 5. Tech Lead 在收口时最容易漏什么
67
+
68
+ - 把非阻塞风险遗漏掉
69
+ - 忘记检查 specialist 是否仍停留在平行结论
70
+ - 忘记把发布后观察动作转成后续责任
71
+
72
+ ## 6. 什么时候该用这份样例
73
+
74
+ - 任务已经跨多个角色和阶段
75
+ - 需要正式结束一次交付
76
+ - 需要给项目经理、产品或下一个版本留清晰交接
77
+
78
+ 与这些文档配合阅读:[tech-lead-daily-operations.md](tech-lead-daily-operations.md)、[role-prompt-recipes.md](role-prompt-recipes.md)、[handoff-filling-guide-with-examples.md](handoff-filling-guide-with-examples.md)
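Review bot: the model answer in section 3 violates the checklist in section 5 of the same file. `忘记把发布后观察动作转成后续责任` is listed as a common omission, but the non-blocking risk `低流量场景下暂未发现结构性问题,但仍需观察一周` has no owner in 下一步动作 (only the milestone record and the compatibility follow-up are assigned); add a step that names who runs the one-week observation and where the result is written back (for example the `/team-release` 观察项). Second, the answer asserts `本次未正式启用 custom overlay` and `GitLab 与 Langfuse 仅作为发布 runbook 补充`, but neither the scenario in section 1 nor the prompt in section 2 mentions custom overlay, GitLab or Langfuse, so a reader cannot tell whether the closure recovered these from the inputs or invented them; either add them to the scenario or cut them from the sample.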
@@ -0,0 +1,67 @@
1
+ ---
2
+ version: "0.1.0"
3
+ status: draft
4
+ created: 2026-03-28
5
+ updated: 2026-03-28
6
+ owner: 工程团队
7
+ ---
8
+
9
+ # Tech Lead 日常操作手册
10
+
11
+ 本文面向 Tech Lead,说明如何在 Team Skills Platform 下负责 intake、计划编排、冲突仲裁和最终收口。
12
+
13
+ 如果你想先看当前命令总表,直接看 [command-and-capability-matrix.md](command-and-capability-matrix.md)。如果你最近在排查 memory、observe、budget、compact、instinct 对会话的影响,再配合看 [runtime-capabilities-overview.md](runtime-capabilities-overview.md)。
14
+
15
+ ## 1. 你的默认职责
16
+
17
+ - 锁定目标、范围和成功标准
18
+ - 决定哪些角色参与、哪些 specialist 需要介入
19
+ - 处理结论冲突、风险升级和优先级调整
20
+ - 对最终 handoff、review 和 release 结果负责
21
+
22
+ ## 2. intake 阶段必须确认什么
23
+
24
+ - 目标是否单一且可执行
25
+ - 范围外事项是否明确
26
+ - custom overlay 是否只是候选项还是需要进入 plan
27
+ - 当前任务适合短链路还是完整主链
28
+
29
+ ## 3. plan 阶段必须确认什么
30
+
31
+ - 角色边界是否清楚
32
+ - handoff 节点和最小交付物是否清楚
33
+ - 哪些问题需要 specialist 先分析
34
+ - 哪些风险需要 architect、qa 或 devops 提前介入
35
+
36
+ ## 4. execute 到 review 的收口原则
37
+
38
+ - specialist 结论必须回到主链
39
+ - handoff 必须能支撑下一角色行动
40
+ - 风险必须分成阻塞和非阻塞
41
+ - release 之前必须有明确的验证和回滚视角
42
+
43
+ ## 5. 常用命令组合
44
+
45
+ - `/team-intake`
46
+ - `/team-plan`
47
+ - `/plan`、`/tdd`、`/code-review`、`/verify`
48
+ - `/handoff`
49
+ - `/team-review`
50
+ - `/team-release`
51
+
52
+ 常见判断方式:
53
+
54
+ - 任务拆不清时先补 `/plan`
55
+ - 想先锁成功标准和测试约束时补 `/tdd`
56
+ - 代码已经改完、要判断实现风险时补 `/code-review`
57
+ - 放行前缺关键证据时补 `/verify`
58
+ - 平台本身刚做过扩容或重构时补 `/harness-audit`
59
+
60
+ ## 6. 常见错误
61
+
62
+ - 让多个角色并行输出,却没有单点收口
63
+ - 在 intake 阶段过早拍板 custom overlay
64
+ - 把 specialist 结论当成最终决定
65
+ - 平台治理问题没有和业务交付问题区分,导致该用 `/harness-audit` 时还在做零散 review
66
+
67
+ 建议与这些文档配合阅读:[first-team-workflow-walkthrough.md](first-team-workflow-walkthrough.md)、[specialist-commands-playbook.md](specialist-commands-playbook.md)、[role-prompt-recipes.md](role-prompt-recipes.md)、[tech-lead-closure-conversation-example.md](tech-lead-closure-conversation-example.md)
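Review bot: `/harness-audit` appears in the judgment list (`平台本身刚做过扩容或重构时补 /harness-audit`) and again in section 6, but not in the 常用命令组合 list directly above it; add it there so the two lists agree. Section 4 states `release 之前必须有明确的验证和回滚视角`, yet the closure example this file links to (`tech-lead-closure-conversation-example.md`) shows no rollback line in its expected output; one of the two should change. Style: `custom overlay 是否只是候选项还是需要进入 plan` mixes two question forms (`是否...还是`); `custom overlay 是只作为候选项,还是需要进入 plan` reads cleanly.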
@@ -0,0 +1,79 @@
1
+ # Trivy 安全门禁手册
2
+
3
+ 本手册承接 `aquasecurity/trivy-action` 的工程实践,用于把容器镜像、仓库文件系统和 IaC 配置扫描接入 PR、评审与发布流程。它补的是“制品与基础设施面”的安全证据,不替代依赖门禁、代码级语义扫描或人工安全判断。
4
+
5
+ ## 适用场景
6
+
7
+ - 变更涉及 `Dockerfile`、容器镜像构建、基础镜像升级或运行时包层变化。
8
+ - 仓库包含 Helm、Kubernetes YAML、Terraform、Docker Compose 或其他 IaC 配置。
9
+ - 团队希望在 PR 或发布前提前发现镜像漏洞、错误配置、明文 secret 或高风险暴露面。
10
+
11
+ ## 不适用场景
12
+
13
+ - 仓库既没有镜像产物,也没有基础设施配置,却为了“看起来更安全”强行加扫描。
14
+ - 团队还没定义哪些漏洞级别、misconfiguration 类型或 secret 命中会阻塞。
15
+ - 期望只靠 Trivy 结果替代人工发布评审、依赖 review 或代码级安全 review。
16
+
17
+ ## 推荐落地方式
18
+
19
+ 1. 先明确扫描目标,不要一上来全开:
20
+ - PR 阶段优先扫文件系统和 IaC
21
+ - 发布前优先扫容器镜像
22
+ 2. 第一阶段只把高信号问题拉进门禁:
23
+ - `HIGH` / `CRITICAL` 漏洞
24
+ - 高风险 misconfiguration
25
+ - 明显的 secret 泄漏
26
+ 3. 将 Trivy 与现有安全链分层:
27
+ - `dependency-review-gates` 负责依赖漏洞和许可证变化
28
+ - `codeql-pr-security-gates` 负责代码级语义问题
29
+ - `checkov-iac-gates` 负责 IaC 安全与合规基线、内置规则和图关系检查
30
+ - `kubeconform-schema-gates` 负责 Kubernetes manifest 的 schema 级结构校验
31
+ - Trivy 负责镜像、文件系统和 IaC 层风险
32
+ - `conftest-policy-gates` 负责结构化配置的 policy-as-code 预检与团队规则约束
33
+ - 安全评审角色、`devops-engineer`、`tech-lead` 负责最终阻塞与放行判断
34
+ 4. 对镜像扫描要区分“基础镜像遗留问题”和“本次变更新增风险”,避免每次发布都被老问题淹没。
35
+ 5. 结果必须回写到 `/team-review` 或 `/team-release`,不要只停在 action 日志或安全面板里。
36
+
37
+ ## 最小门禁模型
38
+
39
+ - `target layer`:文件系统、IaC 或容器镜像
40
+ - `scan layer`:漏洞、misconfiguration 和 secret 检查
41
+ - `triage layer`:确认哪些是当前变更新增、哪些是存量问题或误报
42
+ - `decision layer`:安全评审角色、`devops-engineer`、`tech-lead` 决定是否阻塞
43
+
44
+ 先把“扫描到了什么”和“这次是否该拦”分开,团队更容易持续使用。
45
+
46
+ ## 重点检查项
47
+
48
+ - 容器镜像中的高危 / 严重漏洞,以及基础镜像是否长期滞后
49
+ - `Dockerfile`、Helm、Kubernetes、Terraform 等配置里的高风险暴露面
50
+ - 仓库或镜像层里误提交的 token、密钥和凭证
51
+ - 运行时包是否意外带入不必要的系统组件或调试工具
52
+ - 基础设施配置是否把高权限、公开暴露或弱默认配置带进生产链
53
+
54
+ ## 反模式
55
+
56
+ - 还没定义阻塞策略,就把所有 Trivy 命中直接当失败。
57
+ - 文件系统、镜像、IaC 一次全扫,但没人区分哪类结果该由谁处理。
58
+ - 只记录“有多少漏洞”,不区分存量问题和本次变更新增问题。
59
+ - 发布链已经依赖镜像或 IaC,却只做代码 review,不看制品和部署层风险。
60
+
61
+ ## 输出回落
62
+
63
+ - PR 阶段:把新增高风险漏洞、误报判断和 misconfiguration 结论写入 review 摘要。
64
+ - 团队协作:在 `/team-review` 中明确哪些风险来自 Trivy、哪些已被人工接受或降级处理。
65
+ - 发布阶段:若镜像或 IaC 仍存在未关闭的高风险问题,必须回写到 `/team-release` 的风险、放行结论或后续观察项。
66
+
67
+ ## 许可证与使用边界
68
+
69
+ - `aquasecurity/trivy-action` 本身是 MIT。
70
+ - 若团队要进一步自建镜像仓库扫描、数据库镜像缓存或离线更新链路,应单独确认制品来源、网络策略和合规要求。
71
+
72
+ ## 参考来源
73
+
74
+ - [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action)
75
+ - [dependency-review-gates.md](dependency-review-gates.md)
76
+ - [codeql-pr-security-gates.md](codeql-pr-security-gates.md)
77
+ - [checkov-iac-gates.md](checkov-iac-gates.md)
78
+ - [kubeconform-schema-gates.md](kubeconform-schema-gates.md)
79
+ - [conftest-policy-gates.md](conftest-policy-gates.md)
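Review bot: the secret-scanning guidance stops one step short. 重点检查项 lists `仓库或镜像层里误提交的 token、密钥和凭证`, but 输出回落 only asks for the finding to be written into the review or release summary; a pushed secret is compromised at push time and survives in git history and in image layers after the file is fixed, so the gate should require revocation and rotation as the closing action, not removal of the string. Two further gaps: (1) the handbook wires `aquasecurity/trivy-action` into PR and release gates but never says to pin the action to a commit SHA or how the vulnerability database is sourced and verified, which is the supply-chain exposure of the gate itself; the `离线更新链路` bullet under 许可证与使用边界 is the natural place for it. (2) Findings that are `已被人工接受或降级处理` have no recorded home, so they re-fire on every run; track accepted findings in a versioned `.trivyignore` with justification and an expiry date so the `存量问题 / 本次新增` split in the triage layer is reproducible rather than redone by hand. Finally, `aquasecurity/trivy-action 本身是 MIT` is unsourced; check the LICENSE file of the linked repository (Trivy itself is Apache-2.0) and cite it.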