@colin4k1024/tsp 2.4.4 → 2.4.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (236)
  1. package/README.md +16 -20
  2. package/bin/lib/install-surface.js +3 -3
  3. package/bin/lib/source-installer.js +2 -2
  4. package/commands/team-help.md +2 -2
  5. package/commands/team-plan.md +1 -1
  6. package/commands/update-codemaps.md +3 -3
  7. package/manifests/install-components.json +1 -1
  8. package/manifests/install-modules.json +17 -3
  9. package/manifests/install-profiles.json +2 -0
  10. package/package.json +6 -3
  11. package/schemas/ecc-install-config.schema.json +6 -1
  12. package/schemas/install-modules.schema.json +4 -1
  13. package/scripts/codegraph-preflight.js +179 -0
  14. package/scripts/gitnexus-preflight.js +8 -0
  15. package/scripts/install-apply.js +10 -8
  16. package/scripts/install-codegraph.js +158 -0
  17. package/scripts/install-plan.js +28 -11
  18. package/scripts/lib/install/apply.js +256 -5
  19. package/scripts/lib/install/request.js +3 -2
  20. package/scripts/lib/install-audit-manifest.js +3 -0
  21. package/scripts/lib/install-executor.js +14 -5
  22. package/scripts/lib/install-lifecycle.js +2 -2
  23. package/scripts/lib/install-manifests.js +23 -4
  24. package/scripts/lib/install-targets/codex-home.js +187 -1
  25. package/scripts/lib/install-targets/opencode-home.js +135 -2
  26. package/scripts/lib/install-targets/registry.js +23 -1
  27. package/scripts/lib/release-health.js +19 -4
  28. package/scripts/lib/team-skills-data.json +6 -6
  29. package/scripts/release-health-summary.js +1 -1
  30. package/scripts/workflow-help.js +3 -3
  31. package/skills/codegraph/SKILL.md +57 -0
  32. package/skills/codegraph/agents/openai.yaml +4 -0
  33. package/docs/.vitepress/config.mts +0 -199
  34. package/docs/adr/ADR-001-doc-architecture-integration.md +0 -33
  35. package/docs/guides/README.md +0 -5
  36. package/docs/guides/installation.md +0 -33
  37. package/docs/guides/user-guide.md +0 -36
  38. package/docs/index.md +0 -65
  39. package/docs/memory/backlog.md +0 -10
  40. package/docs/memory/decisions.md +0 -43
  41. package/docs/memory/lessons-learned.md +0 -87
  42. package/docs/plans/2026-04-03-python-remnants-audit.md +0 -265
  43. package/docs/plans/2026-04-03-scripts-python-to-js-migration.md +0 -372
  44. package/docs/plans/2026-04-03-solo-delivery-execution-checklist.md +0 -413
  45. package/docs/plans/2026-04-03-solo-delivery-gap-plan.md +0 -377
  46. package/docs/plans/2026-04-03-team-skills-workflow-gates.md +0 -548
  47. package/docs/plans/2026-04-21-open-source-readiness-gap-plan.md +0 -217
  48. package/docs/plans/llm-surface-reduction-audit.md +0 -147
  49. package/docs/plans/llm-surface-reduction-execution-checklist.md +0 -217
  50. package/docs/plans/llm-surface-reduction-execution-history.md +0 -124
  51. package/docs/plans/team-skills-platform-migration.md +0 -54
  52. package/docs/presentation/README.md +0 -42
  53. package/docs/presentation/audience-presentation-route-map.md +0 -84
  54. package/docs/presentation/executive-briefing-talk-track.md +0 -50
  55. package/docs/presentation/generate_capability_matrix.py +0 -396
  56. package/docs/presentation/generate_ppt.py +0 -354
  57. package/docs/presentation/implementation-onboarding-brief.md +0 -38
  58. package/docs/presentation/presentation-talk-track.md +0 -97
  59. package/docs/presentation/vertical-scenario-route-map.md +0 -99
  60. package/docs/presentation/workshop-facilitator-guide.md +0 -47
  61. package/docs/runbooks/actionlint-workflow-gates.md +0 -80
  62. package/docs/runbooks/agent-governance.md +0 -131
  63. package/docs/runbooks/ai-eval-platform-demo-execution-log.md +0 -147
  64. package/docs/runbooks/ai-eval-platform-demo-script.md +0 -136
  65. package/docs/runbooks/ai-eval-platform-walkthrough.md +0 -113
  66. package/docs/runbooks/ai-pr-review-automation.md +0 -56
  67. package/docs/runbooks/api-breaking-change-gates.md +0 -58
  68. package/docs/runbooks/api-design-evolution-walkthrough.md +0 -42
  69. package/docs/runbooks/api-lint-gates.md +0 -57
  70. package/docs/runbooks/api-mocking-strategy-and-lifecycle-guide.md +0 -47
  71. package/docs/runbooks/architect-daily-operations.md +0 -63
  72. package/docs/runbooks/architect-design-conversation-example.md +0 -83
  73. package/docs/runbooks/artifact-attestation-gates.md +0 -75
  74. package/docs/runbooks/artifact-persistence.md +0 -257
  75. package/docs/runbooks/backend-engineer-daily-operations.md +0 -63
  76. package/docs/runbooks/batch-optimization-completion-checklist.md +0 -104
  77. package/docs/runbooks/biz-service-designer-end-to-end-conversation-example.md +0 -5
  78. package/docs/runbooks/biz-service-designer-toolkit.md +0 -5
  79. package/docs/runbooks/bug-fix-complete-walkthrough.md +0 -60
  80. package/docs/runbooks/build-failure-recovery-walkthrough.md +0 -40
  81. package/docs/runbooks/canary-decision-matrix.md +0 -41
  82. package/docs/runbooks/canary-staging-release-walkthrough.md +0 -46
  83. package/docs/runbooks/checkov-iac-gates.md +0 -104
  84. package/docs/runbooks/claude-code-review-workflow.md +0 -72
  85. package/docs/runbooks/claude-conversation-prompt-recipes.md +0 -132
  86. package/docs/runbooks/claude-end-to-end-conversation-example.md +0 -198
  87. package/docs/runbooks/claude-feature-development-guide.md +0 -112
  88. package/docs/runbooks/claude-quick-start.md +0 -227
  89. package/docs/runbooks/claude-usage-scenarios.md +0 -176
  90. package/docs/runbooks/code-review-collaboration-walkthrough.md +0 -65
  91. package/docs/runbooks/codeql-pr-security-gates.md +0 -64
  92. package/docs/runbooks/codex-end-to-end-conversation-example.md +0 -166
  93. package/docs/runbooks/codex-multi-agent-orchestration.md +0 -65
  94. package/docs/runbooks/codex-parallel-prompt-recipes.md +0 -131
  95. package/docs/runbooks/codex-quick-start.md +0 -223
  96. package/docs/runbooks/codex-usage-scenarios.md +0 -168
  97. package/docs/runbooks/codex-workflow-essentials.md +0 -88
  98. package/docs/runbooks/command-and-capability-matrix.md +0 -162
  99. package/docs/runbooks/conftest-policy-gates.md +0 -84
  100. package/docs/runbooks/consumer-driven-contract-testing-with-mock-alignment.md +0 -45
  101. package/docs/runbooks/contract-testing-playbook.md +0 -78
  102. package/docs/runbooks/cosign-signing-gates.md +0 -71
  103. package/docs/runbooks/cross-role-issue-triage-walkthrough.md +0 -47
  104. package/docs/runbooks/cursor-quick-start.md +0 -123
  105. package/docs/runbooks/custom-overlay.md +0 -115
  106. package/docs/runbooks/data-ml-pipeline-demo-execution-log.md +0 -141
  107. package/docs/runbooks/data-ml-pipeline-demo-script.md +0 -102
  108. package/docs/runbooks/data-ml-pipeline-walkthrough.md +0 -119
  109. package/docs/runbooks/data-observability-quality-demo-execution-log.md +0 -36
  110. package/docs/runbooks/data-observability-quality-demo-script.md +0 -42
  111. package/docs/runbooks/data-observability-quality-walkthrough.md +0 -86
  112. package/docs/runbooks/demo-deliverables-overview.md +0 -278
  113. package/docs/runbooks/demo-execution-log.md +0 -530
  114. package/docs/runbooks/demo-scenario.md +0 -129
  115. package/docs/runbooks/dependency-review-gates.md +0 -63
  116. package/docs/runbooks/dependency-update-automation.md +0 -83
  117. package/docs/runbooks/design-md-workflow.md +0 -185
  118. package/docs/runbooks/devops-engineer-daily-operations.md +0 -60
  119. package/docs/runbooks/devops-release-conversation-example.md +0 -88
  120. package/docs/runbooks/doc-architecture-integration.md +0 -59
  121. package/docs/runbooks/doc-architecture-quick-start.md +0 -122
  122. package/docs/runbooks/document-execution-audit.md +0 -32
  123. package/docs/runbooks/documentation-update-walkthrough.md +0 -37
  124. package/docs/runbooks/ecc-harness-usage.md +0 -93
  125. package/docs/runbooks/error-experience-usage.md +0 -116
  126. package/docs/runbooks/evolution-usage.md +0 -162
  127. package/docs/runbooks/executive-value-one-page.md +0 -55
  128. package/docs/runbooks/external-capability-approval-and-enablement-workflow.md +0 -39
  129. package/docs/runbooks/external-capability-intake.md +0 -160
  130. package/docs/runbooks/first-team-command-60-seconds.md +0 -96
  131. package/docs/runbooks/first-team-workflow-walkthrough.md +0 -245
  132. package/docs/runbooks/frontend-backend-integration-acceptance-checklist.md +0 -46
  133. package/docs/runbooks/frontend-backend-parallel-integration-walkthrough.md +0 -48
  134. package/docs/runbooks/frontend-bugfix-one-page.md +0 -82
  135. package/docs/runbooks/frontend-engineer-daily-operations.md +0 -60
  136. package/docs/runbooks/frontend-enterprise-style-profile.md +0 -5
  137. package/docs/runbooks/frontend-governance.md +0 -47
  138. package/docs/runbooks/frontend-refactor-walkthrough.md +0 -42
  139. package/docs/runbooks/git-pr-workflow.md +0 -63
  140. package/docs/runbooks/github-actions-supply-chain-demo-execution-log.md +0 -158
  141. package/docs/runbooks/github-actions-supply-chain-demo-script.md +0 -150
  142. package/docs/runbooks/github-actions-supply-chain-walkthrough.md +0 -117
  143. package/docs/runbooks/github-token-permissions-baseline.md +0 -92
  144. package/docs/runbooks/gitlab-manual-pipeline-release.md +0 -5
  145. package/docs/runbooks/gitlab-release-integration-playbook.md +0 -5
  146. package/docs/runbooks/gitnexus-code-intelligence-usage.md +0 -133
  147. package/docs/runbooks/graphify-knowledge-graph-usage.md +0 -88
  148. package/docs/runbooks/handoff-filling-guide-with-examples.md +0 -70
  149. package/docs/runbooks/handoff-governance.md +0 -250
  150. package/docs/runbooks/helm-unittest-playbook.md +0 -101
  151. package/docs/runbooks/hotfix-emergency-release-walkthrough.md +0 -60
  152. package/docs/runbooks/iac-kubernetes-platform-demo-execution-log.md +0 -144
  153. package/docs/runbooks/iac-kubernetes-platform-demo-script.md +0 -130
  154. package/docs/runbooks/iac-kubernetes-platform-walkthrough.md +0 -120
  155. package/docs/runbooks/implementation-onboarding-reading-path.md +0 -67
  156. package/docs/runbooks/in-toto-attestation-framework.md +0 -94
  157. package/docs/runbooks/incident-severity-triage-tree.md +0 -43
  158. package/docs/runbooks/incident-triage-one-page.md +0 -65
  159. package/docs/runbooks/internal-developer-platform-demo-execution-log.md +0 -36
  160. package/docs/runbooks/internal-developer-platform-demo-script.md +0 -42
  161. package/docs/runbooks/internal-developer-platform-walkthrough.md +0 -91
  162. package/docs/runbooks/karpathy-guidelines-usage.md +0 -27
  163. package/docs/runbooks/kubeconform-schema-gates.md +0 -100
  164. package/docs/runbooks/kubectl-server-dry-run-gates.md +0 -103
  165. package/docs/runbooks/kyverno-policy-gates.md +0 -90
  166. package/docs/runbooks/langfuse-and-observability-integration-guide.md +0 -43
  167. package/docs/runbooks/langfuse-coding-trace.md +0 -44
  168. package/docs/runbooks/mobile-miniapp-delivery-walkthrough.md +0 -112
  169. package/docs/runbooks/mobile-miniapp-demo-execution-log.md +0 -139
  170. package/docs/runbooks/mobile-miniapp-demo-script.md +0 -129
  171. package/docs/runbooks/multi-service-backend-integration-walkthrough.md +0 -61
  172. package/docs/runbooks/open-design-integration.md +0 -163
  173. package/docs/runbooks/open-source-release-checklist.md +0 -90
  174. package/docs/runbooks/opencode-quick-start.md +0 -128
  175. package/docs/runbooks/parallel-development-coordination-walkthrough.md +0 -47
  176. package/docs/runbooks/parallel-execution-usage.md +0 -179
  177. package/docs/runbooks/platform-capability-demo-execution-log.md +0 -184
  178. package/docs/runbooks/platform-capability-demo-script.md +0 -192
  179. package/docs/runbooks/plugin-extension-platform-demo-execution-log.md +0 -136
  180. package/docs/runbooks/plugin-extension-platform-demo-script.md +0 -102
  181. package/docs/runbooks/plugin-extension-platform-walkthrough.md +0 -111
  182. package/docs/runbooks/policy-controller-gates.md +0 -75
  183. package/docs/runbooks/post-rollback-verification-checklist.md +0 -37
  184. package/docs/runbooks/pre-release-checklist.md +0 -50
  185. package/docs/runbooks/product-manager-clarification-conversation-example.md +0 -90
  186. package/docs/runbooks/product-manager-daily-operations.md +0 -60
  187. package/docs/runbooks/production-incident-response-walkthrough.md +0 -50
  188. package/docs/runbooks/project-claude-design-rationale.md +0 -188
  189. package/docs/runbooks/project-manager-daily-operations.md +0 -61
  190. package/docs/runbooks/project-manager-planning-conversation-example.md +0 -82
  191. package/docs/runbooks/project-onboarding.md +0 -452
  192. package/docs/runbooks/qa-engineer-daily-operations.md +0 -63
  193. package/docs/runbooks/qa-review-conversation-example.md +0 -87
  194. package/docs/runbooks/release-closure-one-page.md +0 -65
  195. package/docs/runbooks/release-governance-reading-path.md +0 -56
  196. package/docs/runbooks/release-notes-automation.md +0 -48
  197. package/docs/runbooks/release-rollback-recovery-walkthrough.md +0 -47
  198. package/docs/runbooks/requirement-clarity-and-scope-walkthrough.md +0 -46
  199. package/docs/runbooks/reviewdog-pr-gates.md +0 -49
  200. package/docs/runbooks/role-prompt-recipes.md +0 -130
  201. package/docs/runbooks/rtk-integration-intake.md +0 -45
  202. package/docs/runbooks/rtk-token-optimization-usage.md +0 -107
  203. package/docs/runbooks/runner-egress-hardening.md +0 -81
  204. package/docs/runbooks/runtime-capabilities-overview.md +0 -113
  205. package/docs/runbooks/sbom-generation-gates.md +0 -71
  206. package/docs/runbooks/scorecard-supply-chain-gates.md +0 -82
  207. package/docs/runbooks/secret-scanning-gates.md +0 -85
  208. package/docs/runbooks/security-compliance-platform-demo-execution-log.md +0 -36
  209. package/docs/runbooks/security-compliance-platform-demo-script.md +0 -49
  210. package/docs/runbooks/security-compliance-platform-walkthrough.md +0 -98
  211. package/docs/runbooks/slsa-generator-patterns.md +0 -73
  212. package/docs/runbooks/slsa-verification-gates.md +0 -75
  213. package/docs/runbooks/solo-delivery-mode.md +0 -142
  214. package/docs/runbooks/solo-delivery-one-page.md +0 -111
  215. package/docs/runbooks/specialist-commands-playbook.md +0 -85
  216. package/docs/runbooks/sub-agent-invocation-map.md +0 -144
  217. package/docs/runbooks/system-architecture-design-walkthrough.md +0 -49
  218. package/docs/runbooks/team-closeout-example.md +0 -73
  219. package/docs/runbooks/team-command-output-contracts.md +0 -358
  220. package/docs/runbooks/team-commands-quick-prompts.md +0 -125
  221. package/docs/runbooks/team-execute-example.md +0 -63
  222. package/docs/runbooks/team-handoff-example.md +0 -49
  223. package/docs/runbooks/team-intake-example.md +0 -70
  224. package/docs/runbooks/team-plan-example.md +0 -62
  225. package/docs/runbooks/team-release-example.md +0 -63
  226. package/docs/runbooks/team-review-example.md +0 -61
  227. package/docs/runbooks/team-skills-test-run.md +0 -184
  228. package/docs/runbooks/team-skills-usage.md +0 -336
  229. package/docs/runbooks/team-training-reading-path.md +0 -64
  230. package/docs/runbooks/tech-lead-closure-conversation-example.md +0 -78
  231. package/docs/runbooks/tech-lead-daily-operations.md +0 -67
  232. package/docs/runbooks/trivy-security-gates.md +0 -79
  233. package/docs/runbooks/troubleshooting.md +0 -234
  234. package/docs/runbooks/vertical-scenario-capability-matrix.md +0 -107
  235. package/docs/runbooks/witness-policy-gates.md +0 -78
  236. package/docs/runbooks/zizmor-workflow-audits.md +0 -81
@@ -1,234 +0,0 @@
1
- ---
2
- version: "2.3.0"
3
- status: draft
4
- created: 2026-03-28
5
- updated: 2026-04-18
6
- owner: 工程团队
7
- doc_tier: entry
8
- last_verified: 2026-04-18
9
- source_of_truth:
10
- - ../../README.md
11
- - ../../AGENTS.md
12
- - ./project-onboarding.md
13
- ---
14
-
15
- # 安装与使用排障
16
-
17
- 本文用于排查 Team Skills Platform 在安装、加载和首次使用过程中的高频问题。建议先按症状定位,再看对应章节,而不是从头读到尾。
18
-
19
- ## 1. 最常见的症状
20
-
21
- - 安装脚本执行成功,但看不到 `/team-help`
22
- - 运行 `node scripts/build-platform-artifacts.js` 或 `node scripts/validate-library.js` 失败
23
- - Claude 或 Codex 找不到角色 agent / specialist
24
- - 项目级 `CLAUDE.md` 不知道哪些字段是必须的
25
- - 使用了 custom overlay,但 review 阶段无法说明启用原因和执行记录
26
- - `npm run graphify:doctor` 失败(Python 版本或 Graphify CLI 缺失)
27
- - `npm run gitnexus:doctor` 失败(Node 版本、npm/npx 或许可证确认问题)
28
-
29
- ## 2. 安装脚本相关问题
30
-
31
- ### 2.1 构建脚本失败
32
-
33
- 先检查:
34
-
35
- 1. 是否在仓库根目录执行脚本
36
- 2. `node` 是否可用
37
- 3. 是否先修改了 canonical source,再执行构建
38
-
39
- 推荐命令:
40
-
41
- ```bash
42
- node scripts/build-platform-artifacts.js
43
- node scripts/validate-library.js
44
- node scripts/validate-doc-freshness.js
45
- ```
46
-
47
- 如果失败,优先看报错是否属于:
48
-
49
- - Node.js 版本或环境问题
50
- - 文档链接失效
51
- - 生成产物与源文件不一致
52
-
53
- ### 2.2 安装目录不对
54
-
55
- Claude 检查点:
56
-
57
- - `~/.claude/commands/team-help.md`
58
- - `~/.claude/agents/roles/tech-lead.md`
59
- - `~/.claude/examples/project-CLAUDE.md`
60
-
61
- Codex 检查点:
62
-
63
- - `$CODEX_HOME_DIR/plugins/team-skills-platform/commands/team-help.md`
64
- - `$CODEX_HOME_DIR/plugins/team-skills-platform/agents/roles/tech-lead.md`
65
- - `$AGENTS_HOME_DIR/plugins/marketplace.json`
66
-
67
- 如果路径不对,检查是否错误覆盖了:
68
-
69
- - `CLAUDE_HOME_DIR`
70
- - `CODEX_HOME_DIR`
71
- - `AGENTS_HOME_DIR`
72
-
73
- ## 3. 命令或 agent 不可用
74
-
75
- ### 3.1 看不到 `/team-help`
76
-
77
- 按顺序检查:
78
-
79
- 1. 安装目录是否有命令文件
80
- 2. 是否先执行了构建脚本
81
- 3. 是否安装到了你当前实际使用的 Claude / Codex 目录
82
-
83
- 如果命令文件存在但仍不可用,先重新安装一次平台,再验证目录落点。
84
-
85
- ### 3.2 看不到角色 agent 或 specialist
86
-
87
- 检查:
88
-
89
- - Claude:`~/.claude/agents/roles/` 和 `~/.claude/agents/specialists/`
90
- - Codex:`$CODEX_HOME_DIR/plugins/team-skills-platform/agents/roles/` 和 `.../specialists/`
91
-
92
- 如果目录存在但上下文中没体现,优先回到 quick start 文档确认你是否仍在正确的使用路径上。
93
-
94
- ## 4. 项目级 CLAUDE 配置问题
95
-
96
- ### 4.1 最小必填项
97
-
98
- 项目级 `CLAUDE.md` 至少应包含:
99
-
100
- - 项目背景
101
- - 默认角色链路
102
- - 默认命令流
103
- - 项目约束
104
-
105
- 如果缺少这些内容,模型很难稳定地遵守边界和门禁。
106
-
107
- ### 4.2 选哪个示例
108
-
109
- 优先看 [../../examples/INDEX.md](../../examples/INDEX.md)。
110
-
111
- 快速规则:
112
-
113
- - 全栈混合项目:从 [../../examples/project-CLAUDE.md](../../examples/project-CLAUDE.md) 开始
114
- - 前端主导项目:从 [../../examples/saas-nextjs-CLAUDE.md](../../examples/saas-nextjs-CLAUDE.md) 开始
115
- - 后端主导项目:从 [../../examples/springboot-service-CLAUDE.md](../../examples/springboot-service-CLAUDE.md) 开始
116
- - 流程型企业项目:从 [../../examples/workflow-enterprise-CLAUDE.md](../../examples/workflow-enterprise-CLAUDE.md) 开始
117
- - 平台治理仓库:从 [../../examples/platform-governance-CLAUDE.md](../../examples/platform-governance-CLAUDE.md) 开始
118
- - 数据看板项目:从 [../../examples/data-analytics-dashboard-CLAUDE.md](../../examples/data-analytics-dashboard-CLAUDE.md) 开始
119
- - 不理解每一段作用:先看 [project-claude-design-rationale.md](project-claude-design-rationale.md)
120
-
121
- ## 5. 主链输出质量问题
122
-
123
- ### 5.1 execute 结果不够结构化
124
-
125
- 常见错误:
126
-
127
- - 只写“已完成开发”
128
- - 没有自测结果
129
- - 没有剩余风险
130
-
131
- 建议对照 [team-command-output-contracts.md](team-command-output-contracts.md) 和 [first-team-workflow-walkthrough.md](first-team-workflow-walkthrough.md) 补齐结构。
132
-
133
- ### 5.2 handoff 不知道写什么
134
-
135
- `/handoff` 的目标不是重复 diff,而是交代:
136
-
137
- - 改了什么
138
- - 验证了什么
139
- - 还有什么风险
140
- - 下一角色应该关注什么
141
-
142
- 如果启用了 custom overlay,还要附带装配或执行记录。
143
-
144
- ### 5.3 不知道怎么开口才能拿到结构化输出
145
-
146
- 如果你发现模型总是只给松散建议,而不是主链可用结果,优先看:
147
-
148
- - [claude-conversation-prompt-recipes.md](claude-conversation-prompt-recipes.md)
149
- - [codex-parallel-prompt-recipes.md](codex-parallel-prompt-recipes.md)
150
- - [team-commands-quick-prompts.md](team-commands-quick-prompts.md)
151
-
152
- ## 6. Enterprise Overlay 决策问题
153
-
154
- ### 6.1 什么时候启用
155
-
156
- 按这个节奏判断:
157
-
158
- - intake:识别候选项
159
- - plan:确认启用或不启用
160
- - execute / review:若已启用,记录执行与核对结果
161
-
162
- ### 6.2 常见误区
163
-
164
- - 看到审批或权限字样就立刻默认启用 custom overlay
165
- - intake 没记录候选项,plan 阶段只能凭记忆判断
166
- - execute 实际用了 custom overlay,但 review 阶段没有证据可回溯
167
-
168
- 详细判定清单见 [project-onboarding.md](project-onboarding.md)。
169
-
170
- 如果你卡在“候选项怎么写”或“plan 怎么表达未启用”,直接看 。
171
-
172
- 如果你已经进入 review 或 release,但不知道 overlay、runbook、toolkit 的执行记录怎么回写,继续看 。
173
-
174
- ### 6.3 发布治理不知道从哪看起
175
-
176
- 如果问题发生在发布、灰度、事故或回滚阶段,优先按下面顺序进入:
177
-
178
- 1. [release-governance-reading-path.md](release-governance-reading-path.md)
179
- 2. [pre-release-checklist.md](pre-release-checklist.md)
180
- 3. [incident-severity-triage-tree.md](incident-severity-triage-tree.md)
181
- 4. [post-rollback-verification-checklist.md](post-rollback-verification-checklist.md)
182
-
183
- ## 7. 遇到问题时推荐的回退路径
184
-
185
- 如果你不知道问题属于哪类,按下面顺序排:
186
-
187
- 1. 先确认构建和校验脚本能通过
188
- 2. 再确认安装目录和命令文件是否存在
189
- 3. 再确认项目级 `CLAUDE.md` 是否完整
190
- 4. 再确认你当前是在 quick start、onboarding 还是 walkthrough 的正确阶段
191
-
192
- 如果问题仍无法定位,建议把当前症状、执行命令和失败点整理成一个最小问题描述,再回到对应 runbook 定位。
193
-
194
- ## 8. Graphify 预检查失败
195
-
196
- 如果你看到下面任一报错:
197
-
198
- - Python 版本低于 `3.10`
199
- - `graphify` 命令不存在
200
-
201
- 优先按这个顺序处理:
202
-
203
- 1. 安装或切换到 Python `3.10+`
204
- 2. 在对应环境安装 `graphify`
205
- 3. 重新执行 `npm run graphify:doctor`
206
- 4. 用 `graphify --help` 验证 CLI 已可用
207
-
208
- 说明:
209
-
210
- - 仓库只提供 preflight 检查,不会自动安装 Python 或 Graphify
211
- - 不要在本仓库执行 `graphify codex install` / `graphify claude install` 改写现有 AGENTS/hooks 契约
212
- - Graphify 详细用法见 [graphify-knowledge-graph-usage.md](graphify-knowledge-graph-usage.md)
213
-
214
- ## 9. GitNexus 预检查失败
215
-
216
- 如果你看到下面任一报错:
217
-
218
- - Node 版本低于 `20`
219
- - `npm` 或 `npx` 不可用
220
- - npm registry 元数据读取失败
221
-
222
- 优先按这个顺序处理:
223
-
224
- 1. 在目标项目环境切换到 Node `20+`
225
- 2. 确认 `npm --version` 与 `npx --version` 可正常执行
226
- 3. 重新执行 `npm run gitnexus:doctor`
227
- 4. 若 registry 临时不可用,手动核对 GitNexus 上游许可证和 engine 后再决定是否启用
228
-
229
- 说明:
230
-
231
- - 仓库只提供 preflight 检查,不会自动安装 GitNexus
232
- - 不要自动执行 `gitnexus setup` 改写全局 MCP/editor 配置
233
- - 在 TSP 管理仓库执行索引时,使用 `npx --yes gitnexus@latest analyze --skip-agents-md`
234
- - GitNexus 详细用法见 [gitnexus-code-intelligence-usage.md](gitnexus-code-intelligence-usage.md)
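Review bot: the only in-package handling for `npm run graphify:doctor` and `npm run gitnexus:doctor` failures disappears with this hunk while the scripts it explains, `scripts/codegraph-preflight.js` and `scripts/gitnexus-preflight.js`, are still shipped (files 13 and 14 in the change list), so the cautions that the preflight does not auto-install anything and that `graphify codex install` / `graphify claude install` and `gitnexus setup` rewrite existing AGENTS/hooks and global MCP/editor configuration should be carried into the README diff (+16 -20) or `skills/codegraph/SKILL.md` rather than dropped. If the text is relocated, fix the two sentences whose link targets are empty ("直接看 。" and "继续看 。") and pin the version in `npx --yes gitnexus@latest analyze --skip-agents-md`, because `@latest` resolves to whatever the registry serves at run time and the same document asks users to verify the upstream license and engine before enabling it.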
@@ -1,107 +0,0 @@
1
- ---
2
- version: "0.1.0"
3
- status: draft
4
- created: 2026-03-29
5
- updated: 2026-03-29
6
- owner: 工程团队
7
- ---
8
-
9
- # Vertical 场景能力矩阵
10
-
11
- 这份矩阵用于回答一个问题:当前各 vertical 场景已经补到了哪一层材料,应该从哪一层开始使用。
12
-
13
- 如果你只想快速选一个讲解入口,先看 [../presentation/vertical-scenario-route-map.md](../presentation/vertical-scenario-route-map.md)。如果你想按项目类型选模板,先看 [../../examples/INDEX.md](../../examples/INDEX.md)。
14
-
15
- ## 1. 阅读方式
16
-
17
- - `模板`:项目级示例,可直接作为项目配置起点
18
- - `起手句`:项目类型第一句话,来自 starter playbook
19
- - `连续脚本`:可直接复制的多轮对话脚本
20
- - `walkthrough`:演练手册,适合 onboarding 与内部训练
21
- - `demo script`:可直接照着讲的演示话术
22
- - `execution log`:适合复盘、同步与汇报的台账
23
-
24
- ## 2. 场景矩阵
25
-
26
- | 场景 | 模板 | 起手句 | 连续脚本 | walkthrough | demo script | execution log | 推荐起点 |
27
- |------|------|--------|----------|-------------|-------------|---------------|----------|
28
- | GitHub Actions / 供应链治理 | 已具备 | 已具备 | 已具备 | 已具备 | 已具备 | 已具备 | 先看 demo script |
29
- | AI / Eval 平台 | 已具备 | 已具备 | 已具备 | 已具备 | 已具备 | 已具备 | 先看 demo script |
30
- | 移动端 / 小程序交付 | 已具备 | 已具备 | 已具备 | 已具备 | 已具备 | 已具备 | 先看 demo script |
31
- | IaC / Kubernetes 平台仓库 | 已具备 | 已具备 | 已具备 | 已具备 | 已具备 | 已具备 | 先看 demo script |
32
- | 插件 / 扩展仓库 | 已具备 | 已具备 | 已具备 | 已具备 | 已具备 | 已具备 | 先看 demo script |
33
- | 数据 / ML pipeline 仓库 | 已具备 | 已具备 | 已具备 | 已具备 | 已具备 | 已具备 | 先看 demo script |
34
- | 安全 / 合规平台仓库 | 已具备 | 已具备 | 已具备 | 已具备 | 已具备 | 已具备 | 先看 demo script |
35
- | 内部开发者平台 | 已具备 | 已具备 | 已具备 | 已具备 | 已具备 | 已具备 | 先看 demo script |
36
- | 数据可观测性 / 质量平台 | 已具备 | 已具备 | 已具备 | 已具备 | 已具备 | 已具备 | 先看 demo script |
37
-
38
- ## 3. 推荐入口映射
39
-
40
- ### GitHub Actions / 供应链治理
41
-
42
- - 模板:[../../examples/github-actions-supply-chain-CLAUDE.md](../../examples/github-actions-supply-chain-CLAUDE.md)
43
- - 演练:[github-actions-supply-chain-walkthrough.md](github-actions-supply-chain-walkthrough.md)
44
- - 演示:[github-actions-supply-chain-demo-script.md](github-actions-supply-chain-demo-script.md)
45
- - 台账:[github-actions-supply-chain-demo-execution-log.md](github-actions-supply-chain-demo-execution-log.md)
46
-
47
- ### AI / Eval 平台
48
-
49
- - 模板:[../../examples/ai-eval-platform-CLAUDE.md](../../examples/ai-eval-platform-CLAUDE.md)
50
- - 演练:[ai-eval-platform-walkthrough.md](ai-eval-platform-walkthrough.md)
51
- - 演示:[ai-eval-platform-demo-script.md](ai-eval-platform-demo-script.md)
52
- - 台账:[ai-eval-platform-demo-execution-log.md](ai-eval-platform-demo-execution-log.md)
53
-
54
- ### 移动端 / 小程序交付
55
-
56
- - 模板:[../../examples/mobile-miniapp-CLAUDE.md](../../examples/mobile-miniapp-CLAUDE.md)
57
- - 演练:[mobile-miniapp-delivery-walkthrough.md](mobile-miniapp-delivery-walkthrough.md)
58
- - 演示:[mobile-miniapp-demo-script.md](mobile-miniapp-demo-script.md)
59
- - 台账:[mobile-miniapp-demo-execution-log.md](mobile-miniapp-demo-execution-log.md)
60
-
61
- ### IaC / Kubernetes 平台仓库
62
-
63
- - 模板:[../../examples/iac-kubernetes-platform-CLAUDE.md](../../examples/iac-kubernetes-platform-CLAUDE.md)
64
- - 演练:[iac-kubernetes-platform-walkthrough.md](iac-kubernetes-platform-walkthrough.md)
65
- - 演示:[iac-kubernetes-platform-demo-script.md](iac-kubernetes-platform-demo-script.md)
66
- - 台账:[iac-kubernetes-platform-demo-execution-log.md](iac-kubernetes-platform-demo-execution-log.md)
67
-
68
- ### 插件 / 扩展仓库
69
-
70
- - 模板:[../../examples/plugin-extension-platform-CLAUDE.md](../../examples/plugin-extension-platform-CLAUDE.md)
71
- - 演练:[plugin-extension-platform-walkthrough.md](plugin-extension-platform-walkthrough.md)
72
- - 演示:[plugin-extension-platform-demo-script.md](plugin-extension-platform-demo-script.md)
73
- - 台账:[plugin-extension-platform-demo-execution-log.md](plugin-extension-platform-demo-execution-log.md)
74
-
75
- ### 数据 / ML pipeline 仓库
76
-
77
- - 模板:[../../examples/data-ml-pipeline-CLAUDE.md](../../examples/data-ml-pipeline-CLAUDE.md)
78
- - 演练:[data-ml-pipeline-walkthrough.md](data-ml-pipeline-walkthrough.md)
79
- - 演示:[data-ml-pipeline-demo-script.md](data-ml-pipeline-demo-script.md)
80
- - 台账:[data-ml-pipeline-demo-execution-log.md](data-ml-pipeline-demo-execution-log.md)
81
-
82
- ### 安全 / 合规平台仓库
83
-
84
- - 模板:[../../examples/security-compliance-platform-CLAUDE.md](../../examples/security-compliance-platform-CLAUDE.md)
85
- - 演练:[security-compliance-platform-walkthrough.md](security-compliance-platform-walkthrough.md)
86
- - 演示:[security-compliance-platform-demo-script.md](security-compliance-platform-demo-script.md)
87
- - 台账:[security-compliance-platform-demo-execution-log.md](security-compliance-platform-demo-execution-log.md)
88
-
89
- ### 内部开发者平台
90
-
91
- - 模板:[../../examples/internal-developer-platform-CLAUDE.md](../../examples/internal-developer-platform-CLAUDE.md)
92
- - 演练:[internal-developer-platform-walkthrough.md](internal-developer-platform-walkthrough.md)
93
- - 演示:[internal-developer-platform-demo-script.md](internal-developer-platform-demo-script.md)
94
- - 台账:[internal-developer-platform-demo-execution-log.md](internal-developer-platform-demo-execution-log.md)
95
-
96
- ### 数据可观测性 / 质量平台
97
-
98
- - 模板:[../../examples/data-observability-quality-CLAUDE.md](../../examples/data-observability-quality-CLAUDE.md)
99
- - 演练:[data-observability-quality-walkthrough.md](data-observability-quality-walkthrough.md)
100
- - 演示:[data-observability-quality-demo-script.md](data-observability-quality-demo-script.md)
101
- - 台账:[data-observability-quality-demo-execution-log.md](data-observability-quality-demo-execution-log.md)
102
-
103
- ## 4. 使用建议
104
-
105
- 1. 如果你是在 onboarding,一个 vertical 先看模板,再看 walkthrough,最后看 demo script。
106
- 2. 如果你是在汇报,直接从 demo script 开始,再补 execution log。
107
- 3. 如果你是在做文档补齐,优先检查矩阵里是否有缺层,而不是只补一个入口。
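Review bot: every `docs/`-internal target this matrix links to is deleted in the same change (the presentation route map is file 53; each scenario's walkthrough, demo script and execution log appear among files 63 to 214), so no dangling links remain inside the tarball, but the `../../examples/*-CLAUDE.md` templates it enumerates are not in the change set and stay published with no index pointing at them. Suggest confirming that the README diff still names `examples/INDEX.md`, or pruning `examples/` in the `package.json` diff (+6 -3) in the same release so the tarball is reduced consistently.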
@@ -1,78 +0,0 @@
1
- # Witness 证据策略门禁手册
2
-
3
- 本手册承接 `in-toto/witness` 的工程实践,用于把证据采集、证据封装与策略评估组织成一条可执行的供应链治理链。它补的是“如何基于真实执行证据做更高级的政策判断”这一层,不替代 SBOM、签名、provenance attestation、SLSA verification 或集群侧的 policy controller。
4
-
5
- ## 适用场景
6
-
7
- - 团队已经有签名、attestation 和基础验证链,想进一步把“证据是否足够、证据是否可信、证据是否符合策略”做成可执行门禁。
8
- - 需要把构建、发布、部署或执行过程中的 evidence 收集起来,再基于这些 evidence 做 policy 判断。
9
- - 想把“某次运行到底发生了什么”沉淀成可追溯、可回放、可审计的证据链,而不只是单一的签名结果。
10
- - 需要更精细地把供应链治理从“文件级验证”推进到“证据驱动的策略评估”。
11
-
12
- ## 不适用场景
13
-
14
- - 当前还没有稳定的签名、attestation 或 verification 链,却先引入 witness 风格的证据策略门禁。
15
- - 团队还没有明确哪些证据要采集、谁来维护 policy、证据失败后怎么 triage。
16
- - 期望 witness 替代 SBOM、签名、attestation 或 SLSA verification 的基础门禁职责。
17
- - 团队只想要一个简单的发布检查清单,而不是证据驱动的策略框架。
18
-
19
- ## 推荐落地方式
20
-
21
- 1. 先把 witness 看成“证据和策略的编排层”,不要一开始就把它升级成全集群硬门禁。
22
- 2. 第一阶段先固定三件事:
23
- - 哪些执行阶段需要采集 evidence
24
- - 这些 evidence 以什么形式归档和回链
25
- - 哪些 policy 依赖这些 evidence 做判断
26
- 3. 将 witness 与现有链路分层:
27
- - `cosign-signing-gates` 负责签名与验签
28
- - `artifact-attestation-gates` 负责 provenance attestation
29
- - `slsa-verification-gates` 负责独立验证 attestation 是否匹配目标产物
30
- - `policy-controller-gates` 负责在集群 admission 层强制执行已确认的策略
31
- - witness 负责把 evidence 收集、归档、解释并喂给更上层的 policy decision
32
- 4. 建议先从少量高价值流程试点,比如构建链、发布链或关键部署链,不要一开始就覆盖全部工作负载。
33
- 5. 结果必须回写到 `/team-release`、审计记录或治理文档中,不让 evidence 只停在运行时日志里。
34
-
35
- ## 最小门禁模型
36
-
37
- - `evidence layer`:构建、测试、发布或部署过程中采集到的 evidence
38
- - `policy layer`:基于 evidence 进行的策略规则和判断条件
39
- - `evaluation layer`:witness 对 evidence 与 policy 的匹配与评估
40
- - `decision layer`:`devops-engineer`、`tech-lead` 决定“证据不足”是否阻塞发布或部署
41
-
42
- 重点不是“收集了一堆日志”,而是这些 evidence 是否能支撑可重复的 policy decision。
43
-
44
- ## 重点检查项
45
-
46
- - evidence 是否来自真实执行链,而不是手工拼接或事后补写
47
- - policy 是否明确描述了“需要哪些证据、缺什么算失败、如何例外”
48
- - evidence 与产物、commit、workflow、digest 或环境上下文是否能稳定关联
49
- - 证据失败时是否有清晰的 triage、回退和例外处理
50
- - 不同环境或不同阶段的 policy 是否能持续维护,而不是一次配置后长期漂移
51
-
52
- ## 反模式
53
-
54
- - 只收集 evidence,却没有明确 policy,最后变成一堆无法消费的日志。
55
- - policy 写得过于宽泛,任何结果都能解释成“通过”,失去门禁意义。
56
- - evidence 只存在于临时目录或终端输出里,没有回链到 release 记录或治理文档。
57
- - 在没有前置签名、attestation 或 verification 链的情况下,直接把 witness 当成最终阻塞点。
58
- - 证据失败后没人负责 triage,最后团队把 policy gate 当成噪音源。
59
-
60
- ## 输出回落
61
-
62
- - 构建阶段:记录关键执行步骤产生的 evidence、归档位置和可回放方式。
63
- - 发布阶段:把 witness 评估结果、失败摘要或例外结论写入 `/team-release` 的检查结果或放行结论。
64
- - 审计阶段:若后续要追溯某次发布或部署,必须能从 release 记录定位到对应 evidence,再反查到 policy 决策。
65
-
66
- ## 许可证与使用边界
67
-
68
- - `in-toto/witness` 采用 Apache-2.0。
69
- - 启用前应确认 evidence 采集范围、policy 维护责任、运行环境和团队是否有能力长期维护规则。
70
- - 如果团队当前还处在“先补 SBOM / 签名 / attestation / verification”的阶段,witness 应该先作为参考型治理层,而不是立刻成为强阻塞门禁。
71
-
72
- ## 参考来源
73
-
74
- - [in-toto/witness](https://github.com/in-toto/witness)
75
- - [cosign-signing-gates.md](cosign-signing-gates.md)
76
- - [artifact-attestation-gates.md](artifact-attestation-gates.md)
77
- - [slsa-verification-gates.md](slsa-verification-gates.md)
78
- - [policy-controller-gates.md](policy-controller-gates.md)
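Review bot: this deletion removes the only statement in the package of the `in-toto/witness` license (Apache-2.0) and of the rule that witness evidence results are written back into `/team-release` rather than left in runtime logs; the four companion runbooks it cross-references (`cosign-signing-gates.md`, `artifact-attestation-gates.md`, `slsa-verification-gates.md`, `policy-controller-gates.md`) go in the same diff (files 102, 73, 212, 182), so the link graph stays closed, but `scripts/lib/release-health.js` and `scripts/lib/install-audit-manifest.js` are modified rather than removed (files 27 and 20), so if they still expect that write-back the expectation is now undocumented in the published package. A changelog or README line saying the runbooks moved out of the tarball, and where to find them, would close that gap.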
@@ -1,81 +0,0 @@
1
- # Zizmor Workflow 审计手册
2
-
3
- 本手册承接 `zizmor` 的工程实践,用于把 GitHub Actions workflow 的安全审计接入 PR、默认分支与治理流程。它补的是“workflow 里是否存在明显的安全审计问题、以及这些问题如何落回 review 与发布链”这一层,不替代 `actionlint`、`scorecard-supply-chain-gates`、`runner-egress-hardening`、`secret-scanning-gates` 或人工安全 review。
4
-
5
- ## 适用场景
6
-
7
- - 变更涉及 `.github/workflows/`、reusable workflow、workflow call、composite action 或 job 级脚本。
8
- - 团队希望尽早发现 unpinned `uses:`、危险表达式、`env` 写入、secret 暴露、过宽权限和可疑 workflow 结构。
9
- - 仓库已经有 workflow 语法 lint,但还缺“安全视角”的审计。
10
- - 需要把 GitHub Actions 的潜在攻击面前置到 PR 或默认分支审查,而不是等到发布阶段才发现。
11
-
12
- ## 不适用场景
13
-
14
- - 仓库没有 GitHub Actions,或者 workflow 主要是第三方托管、与当前仓库治理边界无关。
15
- - 团队还没有建立基本的 workflow review、token 权限收敛和 secret 管理,却期待单靠审计工具解决问题。
16
- - 期望 `zizmor` 替代 `actionlint` 做 YAML / 语法 / shell 检查。
17
- - 期望 `zizmor` 替代 `scorecard` 做仓库级供应链基线审计。
18
-
19
- ## 推荐落地方式
20
-
21
- 1. 先把 `zizmor` 看成 workflow 安全审计层,不要一开始就把它当成全集仓库门禁。
22
- 2. 第一阶段优先审计高风险 workflow:
23
- - 构建与发布 workflow
24
- - 访问密钥、签名、attestation 或制品仓库的 workflow
25
- - 使用第三方 action、reusable workflow 或复杂表达式的 workflow
26
- 3. 审计范围先收窄到 `.github/workflows/` 与关键 workflow 片段,再逐步扩展到 reusable workflow、composite action 或远程引用。
27
- 4. 将 `zizmor` 与现有链路分层:
28
- - `actionlint` 负责 workflow 语法、结构和常见 shell 失误
29
- - `scorecard-supply-chain-gates` 负责仓库级供应链基线、权限和 action pinning 的宏观审计
30
- - `github-token-permissions-baseline` 负责基于真实 workflow run 收敛 `GITHUB_TOKEN` 最小权限
31
- - `zizmor-workflow-audits` 负责 GitHub Actions workflow 的安全审计细节
32
- - 安全评审角色 / `code-review` 负责判断这些审计结果是否真实、是否阻塞
33
- 5. 对高风险问题,先维持人工 triage 或草稿结论,不要把所有命中都自动变成阻塞项。
34
- 6. 结果必须回写到 `/code-review`、`/team-review` 或治理记录,不让审计结果只停在工具输出里。
35
-
36
- ## 最小门禁模型
37
-
38
- - `workflow layer`:被审计的 workflow、job、step、reusable workflow
39
- - `audit layer`:`zizmor` 发现的风险候选,例如 unpinned uses、危险表达式、权限异常、secret 暴露
40
- - `triage layer`:人工确认哪些是实质风险、哪些是误报或可接受设计
41
- - `decision layer`:安全评审角色、`tech-lead`、`devops-engineer` 决定是否阻塞或进入治理待办
42
-
43
- 重点不是“发现了多少条”,而是这些发现是否对应真实攻击面。
44
-
45
- ## 重点检查项
46
-
47
- - `uses:` 是否固定到可审计的版本或 commit,而不是浮动引用
48
- - 表达式是否把不可信输入直接拼到 shell、路径、命令或权限边界里
49
- - `env`、`GITHUB_ENV`、`GITHUB_OUTPUT`、`secrets`、`vars` 是否被不当写入或外泄
50
- - workflow 权限是否过宽,是否存在不必要的 `write` 能力
51
- - 远程引用、reusable workflow、第三方 action 是否引入了意外的执行面
52
- - 审计结果是否能和 PR、review 结论、发布记录互相对应
53
-
54
- ## 反模式
55
-
56
- - 把 `zizmor` 当成 `actionlint` 的替代品,只看安全,不看语法和结构。
57
- - 把 `zizmor` 当成 `scorecard` 的替代品,只看 workflow,而不看仓库级治理基线。
58
- - 发现高风险命中后只修一处,不回头检查同类 workflow 是否也存在同样模式。
59
- - 审计结果无人 triage,最后团队把命中当噪音源。
60
- - 只在默认分支跑审计,PR 阶段完全不看,导致问题晚到发布时才暴露。
61
-
62
- ## 输出回落
63
-
64
- - PR 阶段:把高风险命中、误报判断和 triage 结论写入 review 摘要。
65
- - 评审阶段:在 `/team-review` 中明确哪些 workflow 风险已经确认,哪些仍需人工处理。
66
- - 发布阶段:若 workflow 风险仍未收敛,必须回写到 `/team-release` 的风险、放行结论或后续观察项。
67
- - 治理阶段:把长期存在的 workflow 风险、例外和整改计划沉淀到 runbook 或 ADR。
68
-
69
- ## 许可证与使用边界
70
-
71
- - `zizmor` 采用 MIT License。
72
- - 启用前应确认 GitHub Actions 使用方式、审计范围、误报 triage 责任人和 workflow 维护节奏。
73
- - 如果团队当前还没有稳定的 workflow 语法 lint 与供应链基线审计,`zizmor` 应该先作为补充审计层,而不是唯一门禁。
74
-
75
- ## 参考来源
76
-
77
- - [zizmorcore/zizmor](https://github.com/zizmorcore/zizmor)
78
- - [zizmor-action](https://github.com/marketplace/actions/zizmor-action)
79
- - [actionlint](https://github.com/marketplace/actions/actionlint)
80
- - [scorecard-supply-chain-gates.md](scorecard-supply-chain-gates.md)
81
- - [github-token-permissions-baseline.md](github-token-permissions-baseline.md)
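Review bot: the layering this runbook documented (`actionlint` for syntax and shell mistakes, `scorecard-supply-chain-gates` for the repository-level baseline, `github-token-permissions-baseline` for `GITHUB_TOKEN` scoping, `zizmor` for workflow-level audit detail) is removed together with both companion runbooks (files 206 and 143), and its checklist (pinned `uses:`, untrusted input in expressions, writes to `GITHUB_ENV` / `GITHUB_OUTPUT`, unnecessary `write` permissions) is exactly what a reviewer of this project's own workflows would consult. Because this is a registry diff it cannot show whether the source repository keeps the file, so the release notes for 2.4.6 should state that `docs/` is no longer shipped and whether the guidance is maintained elsewhere; the `zizmor-action` and `actionlint` marketplace references were also the package's only record of the MIT license noted here.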