@colin4k1024/tsp 2.4.5 → 2.4.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (236)
  1. package/README.md +16 -20
  2. package/bin/lib/install-surface.js +3 -3
  3. package/bin/lib/source-installer.js +2 -2
  4. package/commands/team-help.md +2 -2
  5. package/commands/team-plan.md +1 -1
  6. package/commands/update-codemaps.md +3 -3
  7. package/manifests/install-components.json +1 -1
  8. package/manifests/install-modules.json +17 -3
  9. package/manifests/install-profiles.json +2 -0
  10. package/package.json +6 -3
  11. package/schemas/ecc-install-config.schema.json +6 -1
  12. package/schemas/install-modules.schema.json +4 -1
  13. package/scripts/codegraph-preflight.js +179 -0
  14. package/scripts/gitnexus-preflight.js +8 -0
  15. package/scripts/install-apply.js +10 -8
  16. package/scripts/install-codegraph.js +158 -0
  17. package/scripts/install-plan.js +28 -11
  18. package/scripts/lib/install/apply.js +256 -5
  19. package/scripts/lib/install/request.js +3 -2
  20. package/scripts/lib/install-audit-manifest.js +3 -0
  21. package/scripts/lib/install-executor.js +14 -5
  22. package/scripts/lib/install-lifecycle.js +2 -2
  23. package/scripts/lib/install-manifests.js +23 -4
  24. package/scripts/lib/install-targets/codex-home.js +187 -1
  25. package/scripts/lib/install-targets/opencode-home.js +135 -2
  26. package/scripts/lib/install-targets/registry.js +23 -1
  27. package/scripts/lib/release-health.js +19 -4
  28. package/scripts/lib/team-skills-data.json +6 -6
  29. package/scripts/release-health-summary.js +1 -1
  30. package/scripts/workflow-help.js +3 -3
  31. package/skills/codegraph/SKILL.md +57 -0
  32. package/skills/codegraph/agents/openai.yaml +4 -0
  33. package/docs/.vitepress/config.mts +0 -199
  34. package/docs/adr/ADR-001-doc-architecture-integration.md +0 -33
  35. package/docs/guides/README.md +0 -5
  36. package/docs/guides/installation.md +0 -33
  37. package/docs/guides/user-guide.md +0 -36
  38. package/docs/index.md +0 -65
  39. package/docs/memory/backlog.md +0 -10
  40. package/docs/memory/decisions.md +0 -43
  41. package/docs/memory/lessons-learned.md +0 -87
  42. package/docs/plans/2026-04-03-python-remnants-audit.md +0 -265
  43. package/docs/plans/2026-04-03-scripts-python-to-js-migration.md +0 -372
  44. package/docs/plans/2026-04-03-solo-delivery-execution-checklist.md +0 -413
  45. package/docs/plans/2026-04-03-solo-delivery-gap-plan.md +0 -377
  46. package/docs/plans/2026-04-03-team-skills-workflow-gates.md +0 -548
  47. package/docs/plans/2026-04-21-open-source-readiness-gap-plan.md +0 -217
  48. package/docs/plans/llm-surface-reduction-audit.md +0 -147
  49. package/docs/plans/llm-surface-reduction-execution-checklist.md +0 -217
  50. package/docs/plans/llm-surface-reduction-execution-history.md +0 -124
  51. package/docs/plans/team-skills-platform-migration.md +0 -54
  52. package/docs/presentation/README.md +0 -42
  53. package/docs/presentation/audience-presentation-route-map.md +0 -84
  54. package/docs/presentation/executive-briefing-talk-track.md +0 -50
  55. package/docs/presentation/generate_capability_matrix.py +0 -396
  56. package/docs/presentation/generate_ppt.py +0 -354
  57. package/docs/presentation/implementation-onboarding-brief.md +0 -38
  58. package/docs/presentation/presentation-talk-track.md +0 -97
  59. package/docs/presentation/vertical-scenario-route-map.md +0 -99
  60. package/docs/presentation/workshop-facilitator-guide.md +0 -47
  61. package/docs/runbooks/actionlint-workflow-gates.md +0 -80
  62. package/docs/runbooks/agent-governance.md +0 -131
  63. package/docs/runbooks/ai-eval-platform-demo-execution-log.md +0 -147
  64. package/docs/runbooks/ai-eval-platform-demo-script.md +0 -136
  65. package/docs/runbooks/ai-eval-platform-walkthrough.md +0 -113
  66. package/docs/runbooks/ai-pr-review-automation.md +0 -56
  67. package/docs/runbooks/api-breaking-change-gates.md +0 -58
  68. package/docs/runbooks/api-design-evolution-walkthrough.md +0 -42
  69. package/docs/runbooks/api-lint-gates.md +0 -57
  70. package/docs/runbooks/api-mocking-strategy-and-lifecycle-guide.md +0 -47
  71. package/docs/runbooks/architect-daily-operations.md +0 -63
  72. package/docs/runbooks/architect-design-conversation-example.md +0 -83
  73. package/docs/runbooks/artifact-attestation-gates.md +0 -75
  74. package/docs/runbooks/artifact-persistence.md +0 -257
  75. package/docs/runbooks/backend-engineer-daily-operations.md +0 -63
  76. package/docs/runbooks/batch-optimization-completion-checklist.md +0 -104
  77. package/docs/runbooks/biz-service-designer-end-to-end-conversation-example.md +0 -5
  78. package/docs/runbooks/biz-service-designer-toolkit.md +0 -5
  79. package/docs/runbooks/bug-fix-complete-walkthrough.md +0 -60
  80. package/docs/runbooks/build-failure-recovery-walkthrough.md +0 -40
  81. package/docs/runbooks/canary-decision-matrix.md +0 -41
  82. package/docs/runbooks/canary-staging-release-walkthrough.md +0 -46
  83. package/docs/runbooks/checkov-iac-gates.md +0 -104
  84. package/docs/runbooks/claude-code-review-workflow.md +0 -72
  85. package/docs/runbooks/claude-conversation-prompt-recipes.md +0 -132
  86. package/docs/runbooks/claude-end-to-end-conversation-example.md +0 -198
  87. package/docs/runbooks/claude-feature-development-guide.md +0 -112
  88. package/docs/runbooks/claude-quick-start.md +0 -227
  89. package/docs/runbooks/claude-usage-scenarios.md +0 -176
  90. package/docs/runbooks/code-review-collaboration-walkthrough.md +0 -65
  91. package/docs/runbooks/codeql-pr-security-gates.md +0 -64
  92. package/docs/runbooks/codex-end-to-end-conversation-example.md +0 -166
  93. package/docs/runbooks/codex-multi-agent-orchestration.md +0 -65
  94. package/docs/runbooks/codex-parallel-prompt-recipes.md +0 -131
  95. package/docs/runbooks/codex-quick-start.md +0 -223
  96. package/docs/runbooks/codex-usage-scenarios.md +0 -168
  97. package/docs/runbooks/codex-workflow-essentials.md +0 -88
  98. package/docs/runbooks/command-and-capability-matrix.md +0 -162
  99. package/docs/runbooks/conftest-policy-gates.md +0 -84
  100. package/docs/runbooks/consumer-driven-contract-testing-with-mock-alignment.md +0 -45
  101. package/docs/runbooks/contract-testing-playbook.md +0 -78
  102. package/docs/runbooks/cosign-signing-gates.md +0 -71
  103. package/docs/runbooks/cross-role-issue-triage-walkthrough.md +0 -47
  104. package/docs/runbooks/cursor-quick-start.md +0 -123
  105. package/docs/runbooks/custom-overlay.md +0 -115
  106. package/docs/runbooks/data-ml-pipeline-demo-execution-log.md +0 -141
  107. package/docs/runbooks/data-ml-pipeline-demo-script.md +0 -102
  108. package/docs/runbooks/data-ml-pipeline-walkthrough.md +0 -119
  109. package/docs/runbooks/data-observability-quality-demo-execution-log.md +0 -36
  110. package/docs/runbooks/data-observability-quality-demo-script.md +0 -42
  111. package/docs/runbooks/data-observability-quality-walkthrough.md +0 -86
  112. package/docs/runbooks/demo-deliverables-overview.md +0 -278
  113. package/docs/runbooks/demo-execution-log.md +0 -530
  114. package/docs/runbooks/demo-scenario.md +0 -129
  115. package/docs/runbooks/dependency-review-gates.md +0 -63
  116. package/docs/runbooks/dependency-update-automation.md +0 -83
  117. package/docs/runbooks/design-md-workflow.md +0 -185
  118. package/docs/runbooks/devops-engineer-daily-operations.md +0 -60
  119. package/docs/runbooks/devops-release-conversation-example.md +0 -88
  120. package/docs/runbooks/doc-architecture-integration.md +0 -59
  121. package/docs/runbooks/doc-architecture-quick-start.md +0 -122
  122. package/docs/runbooks/document-execution-audit.md +0 -32
  123. package/docs/runbooks/documentation-update-walkthrough.md +0 -37
  124. package/docs/runbooks/ecc-harness-usage.md +0 -93
  125. package/docs/runbooks/error-experience-usage.md +0 -116
  126. package/docs/runbooks/evolution-usage.md +0 -162
  127. package/docs/runbooks/executive-value-one-page.md +0 -55
  128. package/docs/runbooks/external-capability-approval-and-enablement-workflow.md +0 -39
  129. package/docs/runbooks/external-capability-intake.md +0 -160
  130. package/docs/runbooks/first-team-command-60-seconds.md +0 -96
  131. package/docs/runbooks/first-team-workflow-walkthrough.md +0 -245
  132. package/docs/runbooks/frontend-backend-integration-acceptance-checklist.md +0 -46
  133. package/docs/runbooks/frontend-backend-parallel-integration-walkthrough.md +0 -48
  134. package/docs/runbooks/frontend-bugfix-one-page.md +0 -82
  135. package/docs/runbooks/frontend-engineer-daily-operations.md +0 -60
  136. package/docs/runbooks/frontend-enterprise-style-profile.md +0 -5
  137. package/docs/runbooks/frontend-governance.md +0 -47
  138. package/docs/runbooks/frontend-refactor-walkthrough.md +0 -42
  139. package/docs/runbooks/git-pr-workflow.md +0 -63
  140. package/docs/runbooks/github-actions-supply-chain-demo-execution-log.md +0 -158
  141. package/docs/runbooks/github-actions-supply-chain-demo-script.md +0 -150
  142. package/docs/runbooks/github-actions-supply-chain-walkthrough.md +0 -117
  143. package/docs/runbooks/github-token-permissions-baseline.md +0 -92
  144. package/docs/runbooks/gitlab-manual-pipeline-release.md +0 -5
  145. package/docs/runbooks/gitlab-release-integration-playbook.md +0 -5
  146. package/docs/runbooks/gitnexus-code-intelligence-usage.md +0 -133
  147. package/docs/runbooks/graphify-knowledge-graph-usage.md +0 -88
  148. package/docs/runbooks/handoff-filling-guide-with-examples.md +0 -70
  149. package/docs/runbooks/handoff-governance.md +0 -250
  150. package/docs/runbooks/helm-unittest-playbook.md +0 -101
  151. package/docs/runbooks/hotfix-emergency-release-walkthrough.md +0 -60
  152. package/docs/runbooks/iac-kubernetes-platform-demo-execution-log.md +0 -144
  153. package/docs/runbooks/iac-kubernetes-platform-demo-script.md +0 -130
  154. package/docs/runbooks/iac-kubernetes-platform-walkthrough.md +0 -120
  155. package/docs/runbooks/implementation-onboarding-reading-path.md +0 -67
  156. package/docs/runbooks/in-toto-attestation-framework.md +0 -94
  157. package/docs/runbooks/incident-severity-triage-tree.md +0 -43
  158. package/docs/runbooks/incident-triage-one-page.md +0 -65
  159. package/docs/runbooks/internal-developer-platform-demo-execution-log.md +0 -36
  160. package/docs/runbooks/internal-developer-platform-demo-script.md +0 -42
  161. package/docs/runbooks/internal-developer-platform-walkthrough.md +0 -91
  162. package/docs/runbooks/karpathy-guidelines-usage.md +0 -27
  163. package/docs/runbooks/kubeconform-schema-gates.md +0 -100
  164. package/docs/runbooks/kubectl-server-dry-run-gates.md +0 -103
  165. package/docs/runbooks/kyverno-policy-gates.md +0 -90
  166. package/docs/runbooks/langfuse-and-observability-integration-guide.md +0 -43
  167. package/docs/runbooks/langfuse-coding-trace.md +0 -44
  168. package/docs/runbooks/mobile-miniapp-delivery-walkthrough.md +0 -112
  169. package/docs/runbooks/mobile-miniapp-demo-execution-log.md +0 -139
  170. package/docs/runbooks/mobile-miniapp-demo-script.md +0 -129
  171. package/docs/runbooks/multi-service-backend-integration-walkthrough.md +0 -61
  172. package/docs/runbooks/open-design-integration.md +0 -163
  173. package/docs/runbooks/open-source-release-checklist.md +0 -90
  174. package/docs/runbooks/opencode-quick-start.md +0 -128
  175. package/docs/runbooks/parallel-development-coordination-walkthrough.md +0 -47
  176. package/docs/runbooks/parallel-execution-usage.md +0 -179
  177. package/docs/runbooks/platform-capability-demo-execution-log.md +0 -184
  178. package/docs/runbooks/platform-capability-demo-script.md +0 -192
  179. package/docs/runbooks/plugin-extension-platform-demo-execution-log.md +0 -136
  180. package/docs/runbooks/plugin-extension-platform-demo-script.md +0 -102
  181. package/docs/runbooks/plugin-extension-platform-walkthrough.md +0 -111
  182. package/docs/runbooks/policy-controller-gates.md +0 -75
  183. package/docs/runbooks/post-rollback-verification-checklist.md +0 -37
  184. package/docs/runbooks/pre-release-checklist.md +0 -50
  185. package/docs/runbooks/product-manager-clarification-conversation-example.md +0 -90
  186. package/docs/runbooks/product-manager-daily-operations.md +0 -60
  187. package/docs/runbooks/production-incident-response-walkthrough.md +0 -50
  188. package/docs/runbooks/project-claude-design-rationale.md +0 -188
  189. package/docs/runbooks/project-manager-daily-operations.md +0 -61
  190. package/docs/runbooks/project-manager-planning-conversation-example.md +0 -82
  191. package/docs/runbooks/project-onboarding.md +0 -452
  192. package/docs/runbooks/qa-engineer-daily-operations.md +0 -63
  193. package/docs/runbooks/qa-review-conversation-example.md +0 -87
  194. package/docs/runbooks/release-closure-one-page.md +0 -65
  195. package/docs/runbooks/release-governance-reading-path.md +0 -56
  196. package/docs/runbooks/release-notes-automation.md +0 -48
  197. package/docs/runbooks/release-rollback-recovery-walkthrough.md +0 -47
  198. package/docs/runbooks/requirement-clarity-and-scope-walkthrough.md +0 -46
  199. package/docs/runbooks/reviewdog-pr-gates.md +0 -49
  200. package/docs/runbooks/role-prompt-recipes.md +0 -130
  201. package/docs/runbooks/rtk-integration-intake.md +0 -45
  202. package/docs/runbooks/rtk-token-optimization-usage.md +0 -107
  203. package/docs/runbooks/runner-egress-hardening.md +0 -81
  204. package/docs/runbooks/runtime-capabilities-overview.md +0 -113
  205. package/docs/runbooks/sbom-generation-gates.md +0 -71
  206. package/docs/runbooks/scorecard-supply-chain-gates.md +0 -82
  207. package/docs/runbooks/secret-scanning-gates.md +0 -85
  208. package/docs/runbooks/security-compliance-platform-demo-execution-log.md +0 -36
  209. package/docs/runbooks/security-compliance-platform-demo-script.md +0 -49
  210. package/docs/runbooks/security-compliance-platform-walkthrough.md +0 -98
  211. package/docs/runbooks/slsa-generator-patterns.md +0 -73
  212. package/docs/runbooks/slsa-verification-gates.md +0 -75
  213. package/docs/runbooks/solo-delivery-mode.md +0 -142
  214. package/docs/runbooks/solo-delivery-one-page.md +0 -111
  215. package/docs/runbooks/specialist-commands-playbook.md +0 -85
  216. package/docs/runbooks/sub-agent-invocation-map.md +0 -144
  217. package/docs/runbooks/system-architecture-design-walkthrough.md +0 -49
  218. package/docs/runbooks/team-closeout-example.md +0 -73
  219. package/docs/runbooks/team-command-output-contracts.md +0 -358
  220. package/docs/runbooks/team-commands-quick-prompts.md +0 -125
  221. package/docs/runbooks/team-execute-example.md +0 -63
  222. package/docs/runbooks/team-handoff-example.md +0 -49
  223. package/docs/runbooks/team-intake-example.md +0 -70
  224. package/docs/runbooks/team-plan-example.md +0 -62
  225. package/docs/runbooks/team-release-example.md +0 -63
  226. package/docs/runbooks/team-review-example.md +0 -61
  227. package/docs/runbooks/team-skills-test-run.md +0 -184
  228. package/docs/runbooks/team-skills-usage.md +0 -336
  229. package/docs/runbooks/team-training-reading-path.md +0 -64
  230. package/docs/runbooks/tech-lead-closure-conversation-example.md +0 -78
  231. package/docs/runbooks/tech-lead-daily-operations.md +0 -67
  232. package/docs/runbooks/trivy-security-gates.md +0 -79
  233. package/docs/runbooks/troubleshooting.md +0 -234
  234. package/docs/runbooks/vertical-scenario-capability-matrix.md +0 -107
  235. package/docs/runbooks/witness-policy-gates.md +0 -78
  236. package/docs/runbooks/zizmor-workflow-audits.md +0 -81
@@ -1,117 +0,0 @@
1
- ---
2
- version: "0.1.0"
3
- status: draft
4
- created: 2026-03-29
5
- updated: 2026-03-29
6
- owner: 工程团队
7
- ---
8
-
9
- # GitHub Actions 与供应链治理演练
10
-
11
- 本文演示一个以 GitHub Actions、权限治理和供应链门禁为核心的仓库,如何从治理目标拆解到 workflow 调整、证据链回写和发布收口。
12
-
13
- ## 1. 场景
14
-
15
- - 仓库当前使用 GitHub Actions 承担构建、测试、发布
16
- - 团队准备补齐 actionlint、scorecard、token 权限、SBOM、attestation 和签名链路
17
- - 目标不是改业务代码,而是把 workflow 与供应链基线治理成可审计状态
18
-
19
- ## 2. 推荐链路
20
-
21
- 1. `/team-intake`
22
- 2. `/team-plan`
23
- 3. `/tdd`
24
- 4. `/team-execute`
25
- 5. `/harness-audit`
26
- 6. `/team-review`
27
- 7. `/team-release`
28
-
29
- ## 3. 第一步:/team-intake
30
-
31
- ### 输入示例
32
-
33
- ```text
34
- /team-intake
35
- 目标:重构 GitHub Actions 发布链路并补齐供应链门禁
36
- 范围:workflow、permissions、attestation、SBOM、签名、review 说明
37
- 不做:业务服务代码改造
38
- 约束:必须区分 actionlint、scorecard、token 权限、SLSA 和 artifact attestation 的边界
39
- ```
40
-
41
- ### 期望输出重点
42
-
43
- - 识别这是平台治理 / 供应链治理任务,而不是业务功能任务
44
- - 明确参与角色至少包括 `tech-lead`、`architect`、`qa-engineer`、`devops-engineer`
45
- - 风险应聚焦 workflow 误配、权限过宽、证据链缺失和发布不可追溯
46
-
47
- ## 4. 第二步:/team-plan
48
-
49
- ### 需要拆清的动作
50
-
51
- - workflow 结构调整
52
- - token 权限收敛
53
- - actionlint / scorecard / zizmor 等门禁的分层接入
54
- - SBOM、attestation、签名、SLSA 的发布证据链回写
55
- - handoff、review 和 release 中的治理记录位置
56
-
57
- ### 合格输出应该回答
58
-
59
- 1. 哪些 workflow 调整是结构问题
60
- 2. 哪些是权限问题
61
- 3. 哪些是供应链证据问题
62
- 4. 最终如何进入 `/team-review` 和 `/team-release`
63
-
64
- ## 5. 第三步:/tdd
65
-
66
- 在这类仓库里,`/tdd` 重点不是业务测试,而是先锁完成标准:
67
-
68
- - workflow lint、权限治理和 attestation 的边界是否说清
69
- - 哪些证据必须进入 review 结果
70
- - 哪些证据必须进入 release 记录
71
- - validate / build / release 链路是否有清晰回退路径
72
-
73
- ## 6. 第四步:/team-execute
74
-
75
- 执行阶段通常包含:
76
-
77
- - 调整 workflow YAML
78
- - 收紧 job 级 `permissions`
79
- - 接入 actionlint、scorecard、token 权限基线、SLSA 或 attestation
80
- - 更新 runbook、review 说明和 release 检查项
81
-
82
- 本阶段输出至少应包含:
83
-
84
- - workflow 变更摘要
85
- - 影响范围
86
- - 校验结果
87
- - 剩余风险和例外项
88
-
89
- ## 7. 第五步:/harness-audit
90
-
91
- 这里的 audit 重点不是业务功能,而是平台入口和治理链是否同步:
92
-
93
- - 新增 workflow 治理要求是否进入 runbook
94
- - review/release 是否已经能承接供应链证据
95
- - examples、quick start 或 usage 文档是否需要补入口
96
-
97
- ## 8. 第六步:/team-review 与 /team-release
98
-
99
- ### Review 阶段要回答
100
-
101
- - 当前有哪些阻塞的 workflow 或权限风险
102
- - 哪些例外可以暂时接受
103
- - 哪些供应链门禁已形成证据链
104
-
105
- ### Release 阶段要回答
106
-
107
- - 哪些 artifact 会生成 SBOM / attestation / 签名
108
- - 哪些 workflow、runner、commit 和 digest 需要被记录
109
- - 出现发布异常时如何快速回退到上一套 workflow / 发布配置
110
-
111
- ## 9. 常见错误
112
-
113
- - 把 actionlint、scorecard、permissions、SLSA 混成同一层结论
114
- - 只改 workflow,不回写 review 或 release 结论
115
- - 生成了 attestation 或 SBOM,但没有放到可追溯位置
116
-
117
- 建议配合阅读:[actionlint-workflow-gates.md](actionlint-workflow-gates.md)、[scorecard-supply-chain-gates.md](scorecard-supply-chain-gates.md)、[github-token-permissions-baseline.md](github-token-permissions-baseline.md)、[artifact-attestation-gates.md](artifact-attestation-gates.md)、[slsa-generator-patterns.md](slsa-generator-patterns.md)
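Review bot: the closing cross-references in this hunk (`actionlint-workflow-gates.md`, `scorecard-supply-chain-gates.md`, `github-token-permissions-baseline.md`, `artifact-attestation-gates.md`, `slsa-generator-patterns.md`) only stay consistent because every one of those runbooks is deleted in the same release, as the file list shows. What this view cannot settle is whether anything still shipped in the tarball points into `package/docs/runbooks/` or `package/docs/guides/`: `README.md` (+16 -20), `commands/team-help.md`, `commands/team-plan.md`, `commands/update-codemaps.md` and `scripts/workflow-help.js` all changed in this release but their hunks are not included here. Before accepting, grep the remaining package contents for `docs/runbooks/` and `docs/guides/` so installed users are not sent to paths that no longer exist.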
@@ -1,92 +0,0 @@
1
- # GitHub Token 权限基线手册
2
-
3
- 本手册承接 `GitHubSecurityLab/actions-permissions` 的工程实践,用于把 GitHub Actions 中 `GITHUB_TOKEN` 的真实使用情况转成最小权限建议,并把这些建议回落到 PR 评审、workflow 调整和治理记录里。它补的是“这个 workflow 运行时到底用了哪些 token 权限、哪些权限可以收窄”这一层,不替代 `scorecard-supply-chain-gates`、`zizmor-workflow-audits`、`runner-egress-hardening`、`actionlint` 或人工 review。
4
-
5
- ## 用途 / 定位
6
-
7
- - 这个 runbook 面向 GitHub Actions 的 token 权限收敛,核心对象是 `GITHUB_TOKEN`、workflow/job 级 `permissions` 配置和默认工作流权限。
8
- - 它基于真实 workflow run 的活动来给出最小权限建议,适合用来验证“理论上可能需要”和“实际运行中确实需要”之间的差异。
9
- - 它不是仓库级供应链总审计,也不是 workflow 语法审计,更不是 runner 网络出口控制。
10
-
11
- ## 适用场景
12
-
13
- - 仓库已经大量使用 GitHub Actions,但 `permissions` 仍然依赖默认值,或者长期保持过宽的 `write` 权限。
14
- - 团队想把“最小权限”从经验判断升级成可观察、可回放、可 triage 的证据链。
15
- - 某些 workflow 只有在部分分支、条件分支、skip 条件或少数 job 下才会触发,单次检查很难完整覆盖权限需求。
16
- - 团队希望在收紧 `GITHUB_TOKEN` 前先做一轮观察,避免直接改配置导致 workflow 失效。
17
-
18
- ## 不适用场景
19
-
20
- - 仓库没有使用 GitHub Actions,或者 token 权限主要由外部系统控制,与当前仓库的 workflow 无关。
21
- - 你要查的是 YAML 结构、表达式注入、危险 `uses:`、secret 泄露或 shell 误用,而不是 token 权限本身。
22
- - 你要管的是 runner 的出站网络、DNS、镜像仓库访问或外部 API 连接,而不是 GitHub token scope。
23
- - 团队已经有稳定、明确且经过验证的 `permissions` 基线,只需要做一次性文档归档。
24
-
25
- ## 推荐落地方式
26
-
27
- 1. 先把 `actions-permissions` 当成“观察和建议层”,不要一开始就把它当硬阻塞门禁。
28
- 2. 对关键 workflow 的每个 job 先观察真实运行,再汇总最小权限建议;官方仓库说明里明确提到,`Monitor` 会根据实际检测到的 workflow 活动给出建议,而 `Advisor` 可以汇总多次运行结果。
29
- 3. 优先覆盖构建、发布、制品上传、PR 处理、标签/分支管理和其他会直接碰仓库状态的 job。
30
- 4. 收敛顺序建议是:
31
- - 先明确 workflow 或 job 的默认权限来源
32
- - 再补上显式 `permissions`
33
- - 再按 job 细化到只保留实际需要的 scope
34
- - 最后移除临时观察用的 `Monitor`
35
- 5. 将结果与现有链路分层:
36
- - `scorecard-supply-chain-gates` 负责仓库级供应链基线、token 默认策略、action pinning 和治理面
37
- - `zizmor-workflow-audits` 负责 workflow 安全审计细节,例如危险表达式、`uses:` 风险和可疑结构
38
- - `runner-egress-hardening` 负责 runner 运行时出站访问控制与监测
39
- - 本手册负责把“实际用了什么权限”转成可执行的最小权限建议
40
- 6. 若建议权限与现有 workflow 行为冲突,先做人工 triage,不要直接把所有建议都自动升级为阻塞项。
41
-
42
- ## 最小门禁模型
43
-
44
- - `observation layer`:在 job 运行中记录 `GITHUB_TOKEN` 实际触发到的仓库操作。
45
- - `recommendation layer`:把单次或多次运行的观察结果聚合为最小权限建议。
46
- - `permission layer`:将建议固化到 workflow/job 级 `permissions`,并与默认权限策略对齐。
47
- - `decision layer`:`code-review`、`team-review`、`tech-lead` 和必要的安全角色决定是否接受、例外放行或继续收敛。
48
-
49
- 重点不是“工具说应该给多少”,而是“当前 workflow 证据链是否足以支撑这个最小权限配置”。
50
-
51
- ## 重点检查项
52
-
53
- - 默认工作流权限是否过宽,是否应该从 `write` 收敛到 `read` 或更细粒度的 job 级配置。
54
- - workflow 或 action 是否在未显式传参的情况下仍会通过 `github.token` 访问 `GITHUB_TOKEN`。
55
- - 是否存在只在少数分支、条件分支、skip 分支或部分 job 中才出现的权限需求,导致单次观察不完整。
56
- - 是否把 `issues: write`、`pull-requests: write`、`contents: write`、`packages: write` 等权限保留成了习惯性默认值。
57
- - 是否需要 GitHub Actions 提交 approving PR review;官方 REST 能力本身就把这项能力单独暴露出来,说明它应当被视为单独的治理项,而不是顺手打开。
58
- - 观察结论是否和最终 workflow 配置一致,避免“工具建议已经收敛,但 YAML 里仍然是宽权限”。
59
-
60
- ## 反模式
61
-
62
- - 只跑一次 Monitor 就立刻定版,忽略了条件分支、跳过 job 和不同触发路径。
63
- - 把 Advisor 的汇总结果当成绝对真理,不做人工 triage。
64
- - 看到某个 job 需要高权限,就把整个 workflow 统一放大到同等权限。
65
- - 只改仓库默认权限,不补 job 级 `permissions`,最后让默认值继续漂移。
66
- - 把这个工具拿去替代 `scorecard`、`zizmor` 或 `runner-egress-hardening`,结果把不同层的问题混在一起处理。
67
- - 只把建议留在 action 产物里,没有回写到 review、治理记录或 workflow 文件。
68
-
69
- ## 输出回落
70
-
71
- - PR 阶段:把 Monitor/Advisor 的结论、最终 permissions 变更和仍需例外说明的 scope 写入 review 摘要。
72
- - 评审阶段:在 `/team-review` 中明确当前 workflow 的最小权限基线、临时放宽原因和后续收敛计划。
73
- - 发布阶段:若某个发布 job 仍需要较高权限,必须说明它对应的仓库操作范围和回退边界。
74
- - 治理阶段:把长期存在的权限例外、默认值调整和 workflow 重构计划沉淀到 ADR 或 runbook。
75
-
76
- ## 许可证与使用边界
77
-
78
- - `GitHubSecurityLab/actions-permissions` 在官方仓库中标注为 MIT license,且当前仓库主页明确把它定位为 `Monitor` 和 `Advisor` 两个 GitHub token permissions action。
79
- - 官方仓库同时标注为 `PUBLIC BETA`,因此接入前要接受它可能带来的误报、覆盖缺口和维护成本。
80
- - GitHub 官方文档说明,`GITHUB_TOKEN` 具有仓库范围限制,workflow 可以通过 `permissions` 精确控制 `read`、`write` 或 `none`,而且默认工作流权限与是否允许 Actions 提交 approving PR review 都是可单独治理的设置。
81
- - 使用前要确认你对目标仓库拥有足够的 GitHub Actions 配置权限,因为相关 REST API 本身就区分组织级和仓库级管理权限。
82
-
83
- ## 参考来源
84
-
85
- - [GitHubSecurityLab/actions-permissions](https://github.com/GitHubSecurityLab/actions-permissions)
86
- - [GitHub Docs: GITHUB_TOKEN](https://docs.github.com/en/actions/concepts/security/github_token)
87
- - [GitHub Docs: Use GITHUB_TOKEN in workflows](https://docs.github.com/en/actions/how-tos/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token)
88
- - [GitHub Docs: Workflow syntax for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions)
89
- - [GitHub Docs: REST API endpoints for GitHub Actions permissions](https://docs.github.com/en/rest/actions/permissions)
90
- - [scorecard-supply-chain-gates.md](scorecard-supply-chain-gates.md)
91
- - [zizmor-workflow-audits.md](zizmor-workflow-audits.md)
92
- - [runner-egress-hardening.md](runner-egress-hardening.md)
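Review bot: deleting this baseline drops the package's only stated rule that `GITHUB_TOKEN` scope is fixed per job with explicit `permissions` rather than inherited from the repository default, together with the caveat that `GitHubSecurityLab/actions-permissions` (`Monitor` / `Advisor`) is PUBLIC BETA and an observation-and-recommendation layer, not a blocking gate. The three runbooks it delegates to (`scorecard-supply-chain-gates.md`, `zizmor-workflow-audits.md`, `runner-egress-hardening.md`) are removed in the same release, so there are no dangling links inside the diff. If the layering the hunk spells out (scorecard for the repository-level baseline, zizmor for workflow syntax and `uses:` risks, egress hardening for runner network, this document for observed token usage) is meant to survive, it needs to be restated wherever these runbooks are replaced; no hunk in this view shows a replacement.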
@@ -1,5 +0,0 @@
1
- # GitLab Manual Pipeline Release
2
-
3
- 该企业 GitLab 发布 runbook 已迁移到私有 `enterprise` overlay 仓库。公开仓不再内置企业发布流程手册。
4
-
5
- 公开安装与 overlay 约定见 [custom-overlay.md](custom-overlay.md)。
@@ -1,5 +0,0 @@
1
- # GitLab Release Integration Playbook
2
-
3
- 该企业发布集成 playbook 已迁移到私有 `enterprise` overlay 仓库。公开仓仅保留兼容入口。
4
-
5
- 公开安装与 overlay 约定见 [custom-overlay.md](custom-overlay.md)。
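Review bot: both GitLab stubs (`gitlab-manual-pipeline-release.md` and this `gitlab-release-integration-playbook.md`) described themselves as compatibility entry points kept in the public repository, redirecting to `custom-overlay.md`, and that target is deleted in this release as well, so removing the stubs is consistent. The compatibility promise itself is withdrawn silently, though: nothing in this diff records a redirect or deprecation line for consumers who reach the package by those filenames. A single line in `README.md` (changed in this release, hunk not shown) would close that gap.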
@@ -1,133 +0,0 @@
1
- ---
2
- version: "0.1.0"
3
- status: active
4
- created: 2026-05-05
5
- updated: 2026-05-05
6
- owner: 工程团队
7
- doc_tier: runbook
8
- last_verified: 2026-05-05
9
- source_of_truth:
10
- - ../../skills/gitnexus/SKILL.md
11
- - ../../README.md
12
- - ../../AGENTS.md
13
- - https://github.com/abhigyanpatwari/GitNexus
14
- ---
15
-
16
- # GitNexus 代码智能能力使用手册
17
-
18
- ## 1. 定位
19
-
20
- GitNexus 在 TSP 中是 **受控可选代码智能能力**。它适合 brownfield 存量系统的 MCP 查询、影响面分析、`detect_changes`、多仓分析和更深代码图谱证据。
21
-
22
- 它不替代 `/team-*` 主链,也不替代 `/update-codemaps` 的轻量现状快照。Graphify 继续用于轻量结构证据;GitNexus 用于需要 MCP tool、symbol impact、git diff impact 或多仓上下文的场景。
23
-
24
- ## 2. 前置检查
25
-
26
- 先跑:
27
-
28
- ```bash
29
- npm run gitnexus:doctor
30
- ```
31
-
32
- 检查项:
33
-
34
- - Node 版本 `>= 20`
35
- - `npm` / `npx` 可用
36
- - npm 上游包元数据可读取时,展示 GitNexus 版本、许可证与 engine 要求
37
-
38
- 如果 npm registry 临时不可用,脚本只给 warning,不会自动安装任何依赖。
39
-
40
- ## 3. 许可证与边界
41
-
42
- 截至本手册核对日期,GitNexus npm 元数据显示许可证为 `PolyForm-Noncommercial-1.0.0`,Node engine 为 `>=20.0.0`。TSP 本身仍保持 MIT 许可证和 Node `>=18` 基线,因此只做 reference/runbook/thin-skill 集成。
43
-
44
- 明确边界:
45
-
46
- - 不把 GitNexus 加入 TSP `dependencies`
47
- - 不默认安装 GitNexus
48
- - 不自动运行 `gitnexus setup`
49
- - 不复制 GitNexus 源码、hooks、skills 或生成产物
50
- - 商业使用前由用户自行确认上游授权
51
-
52
- ## 4. 推荐命令
53
-
54
- > 下面是 TSP 的安全推荐入口,具体参数以上游 `gitnexus --help` 为准。
55
-
56
- ```bash
57
- # 在目标项目根目录建立或刷新索引,同时保留现有 AGENTS.md / CLAUDE.md 契约
58
- npx --yes gitnexus@latest analyze --skip-agents-md
59
-
60
- # 查看当前项目索引状态
61
- npx --yes gitnexus@latest status
62
-
63
- # 查看已索引仓库
64
- npx --yes gitnexus@latest list
65
-
66
- # 启动 MCP stdio server,供手动配置使用
67
- npx --yes gitnexus@latest mcp
68
- ```
69
-
70
- 如果要配置 Codex MCP,优先手动写入项目级或用户级配置,避免自动改写未知编辑器配置:
71
-
72
- ```toml
73
- [mcp_servers.gitnexus]
74
- command = "npx"
75
- args = ["--yes", "gitnexus@latest", "mcp"]
76
- ```
77
-
78
- ## 5. 与主链结合方式
79
-
80
- ### 5.1 `/team-plan` 前的 brownfield 深分析
81
-
82
- 推荐路径:
83
-
84
- 1. `/team-help` 判断当前阶段
85
- 2. `/update-codemaps` 生成轻量现状快照
86
- 3. 需要跨模块影响面或 MCP 证据时,执行 GitNexus 索引与查询
87
- 4. `/team-plan` 消费 GitNexus 发现,完成 Brownfield Context Snapshot、challenge/design/readiness 收口
88
-
89
- ### 5.2 `/team-execute` 阶段的影响面确认
90
-
91
- - 对 story slice 的关键 symbol、API 或 handler 做 impact/context 查询
92
- - 对准备提交的 diff 做 detect_changes 类分析
93
- - 将结果写入执行日志或 handoff,避免“代码已改但影响未知”
94
-
95
- ### 5.3 `/team-review` 阶段的证据落盘
96
-
97
- 评审结论至少记录:
98
-
99
- - 本次分析目标
100
- - 使用的 GitNexus 入口(MCP tool/resource 或 CLI 命令)
101
- - 关键影响面
102
- - 风险等级或剩余疑点
103
- - 对回归测试、发布或回滚的影响
104
-
105
- ## 6. Artifact / Handoff 摘要格式
106
-
107
- 建议在 `docs/artifacts/{date}-{slug}/delivery-plan.md`、`arch-design.md`、handoff 或 review 记录中使用这个最小格式:
108
-
109
- ```markdown
110
- ## GitNexus Evidence
111
-
112
- - Goal: [本次要确认的问题]
113
- - Entry: [MCP tool/resource 或 CLI 命令]
114
- - Findings: [关键调用链、依赖、影响面]
115
- - Decision impact: [改变了哪个计划、测试或发布判断]
116
- - Follow-up: [仍需验证或暂缓的事项]
117
- ```
118
-
119
- ## 7. 禁用项
120
-
121
- - 不自动运行 `gitnexus setup`
122
- - 不运行会覆盖 TSP 管理入口文档的索引命令
123
- - 不把 `.gitnexus/` 数据库当作 TSP artifact 提交
124
- - 不用 GitNexus 结论绕过 `/team-plan`、`/team-review` 或验证门禁
125
-
126
- ## 8. 与 Graphify 的分工
127
-
128
- | 能力 | 默认用途 |
129
- |------|----------|
130
- | Graphify | 轻量结构扫描、依赖路径、架构问答证据 |
131
- | GitNexus | MCP 查询、symbol impact、detect_changes、多仓和执行流证据 |
132
-
133
- 默认先保留 `/update-codemaps` 作为 brownfield 快照入口;图谱工具只在问题需要更强结构证据时启用。
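Review bot: the deleted shell commands and the `[mcp_servers.gitnexus]` TOML both run `npx --yes gitnexus@latest`, which auto-installs whatever version the registry serves at the moment the CLI or MCP server starts, and the runbook itself gives the reason that matters: GitNexus is `PolyForm-Noncommercial-1.0.0`, deliberately kept out of `dependencies`, and `gitnexus setup` must never run automatically. The file list adds `skills/codegraph/SKILL.md`, `scripts/install-codegraph.js` and `scripts/codegraph-preflight.js` and touches `scripts/gitnexus-preflight.js`, but their contents are not in this view. Wherever the invocation now lives, pin an exact version (`gitnexus@<version>` rather than `@latest`) so the version, license and engine the preflight inspects is the same artifact that gets executed, and carry the license boundary and the no-auto-`setup` rule over with it.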
@@ -1,88 +0,0 @@
1
- ---
2
- version: "0.1.0"
3
- status: active
4
- created: 2026-04-17
5
- updated: 2026-04-17
6
- owner: 工程团队
7
- doc_tier: runbook
8
- last_verified: 2026-04-17
9
- source_of_truth:
10
- - ../../skills/graphify/SKILL.md
11
- - ../../README.md
12
- - ../../AGENTS.md
13
- ---
14
-
15
- # Graphify 知识图谱能力使用手册
16
-
17
- ## 1. 定位
18
-
19
- Graphify 在本仓库的定位是 **可选知识图谱能力**,用于补齐 brownfield 结构认知、架构问答和依赖影响分析。
20
- 它不会替代当前 workflow-engine,也不会改变 `/team-*` 主链职责。
21
-
22
- ## 2. 前置检查
23
-
24
- 先跑:
25
-
26
- ```bash
27
- npm run graphify:doctor
28
- ```
29
-
30
- 检查项:
31
-
32
- - Python 版本 `>= 3.10`
33
- - `graphify` CLI 可用(对应 Python 包 `graphifyy`)
34
-
35
- 如果失败,按脚本提示在你的本地环境修复。仓库不自动安装 Python 或 `graphifyy`。
36
-
37
- ## 3. 推荐命令(以上游 CLI 帮助为准)
38
-
39
- > 下面是仓库推荐入口,具体参数以 `graphify --help` 为准。
40
-
41
- ```bash
42
- # 1) 构建图谱(统一输出目录)
43
- graphify build ... --out graphify-out
44
-
45
- # 2) 图谱查询(模块/符号/关系)
46
- graphify query ...
47
-
48
- # 3) 依赖路径分析(from -> to)
49
- graphify path ...
50
-
51
- # 4) 解释输出(可读化摘要)
52
- graphify explain ...
53
- ```
54
-
55
- ## 4. 与主链结合方式
56
-
57
- ### 4.1 `/team-plan` 前的 brownfield 扫描
58
-
59
- 推荐路径:
60
-
61
- 1. `/team-help` 判定阶段
62
- 2. Graphify 构建图谱 + 关键 query/path
63
- 3. `/team-plan` 消费结构证据,完成 challenge/design/readiness 收口
64
-
65
- ### 4.2 `/team-execute` 阶段的影响面分析
66
-
67
- - 对每个 story slice 变更点做 path/explain,确认上下游影响
68
- - 结果写入执行日志和 handoff,避免“修改完成但影响未知”
69
-
70
- ### 4.3 `/team-review` 阶段的证据落盘
71
-
72
- - 将图谱结论回写 `docs/artifacts/`、`docs/adr/`、`docs/memory/`
73
- - 评审时引用“命令 -> 结果 -> 决策影响”三段证据链
74
-
75
- ## 5. 输出约定
76
-
77
- - 统一目录:`graphify-out/`
78
- - 最小内容:
79
- - 分析目标
80
- - 关键命令与结果摘要
81
- - 对主链决策的影响
82
-
83
- ## 6. 明确禁用项
84
-
85
- - 不在本仓库执行:
86
- - `graphify codex install`
87
- - `graphify claude install`
88
- - 原因:避免改写现有 `AGENTS.md` / hooks 契约,破坏当前治理链路。
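Review bot: the security-relevant content of this hunk is section 6: `graphify codex install` and `graphify claude install` are forbidden because they rewrite `AGENTS.md` and hooks, the files the coding agents take their instructions from. The runbook names `../../skills/graphify/SKILL.md` as its source of truth, and that skill does not appear in the file list, so it is unchanged; confirm it still carries the prohibition, since after this release it is the only in-package place a reader can find it. Also check that the `graphify:doctor` npm script the deleted section 2 told users to run still exists in `package.json` (+6 -3, hunk not shown), otherwise any remaining reference to it breaks.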
@@ -1,70 +0,0 @@
1
- ---
2
- version: "0.1.0"
3
- status: draft
4
- created: 2026-03-28
5
- updated: 2026-03-28
6
- owner: 工程团队
7
- ---
8
-
9
- # Handoff 填充指南与示例
10
-
11
- 本文说明 `/handoff` 到底应该交付什么,以及前端、后端和跨角色场景下的 handoff 应该怎样写才够用。
12
-
13
- ## 1. handoff 的目标
14
-
15
- handoff 不是重复 diff,而是让下一角色能直接接住结果。
16
-
17
- 至少应回答:
18
-
19
- - 改了什么
20
- - 验证了什么
21
- - 还剩什么风险
22
- - 下一角色要关注什么
23
-
24
- ## 2. 最小字段
25
-
26
- - 代码变更摘要
27
- - 自测范围与证据
28
- - 剩余风险
29
- - QA 关注点
30
- - 若命中 custom overlay,则补装配或执行记录
31
-
32
- ## 3. 后端 API 示例
33
-
34
- ```text
35
- 代码变更摘要:新增审批记录查询接口,支持分页、状态筛选和权限校验
36
- 自测范围:单测通过,集成测试覆盖正常、无权限和空结果场景
37
- 剩余风险:历史状态枚举兼容性待联调确认
38
- QA 关注点:极端分页参数、无权限访问、错误码一致性
39
- ```
40
-
41
- ## 4. 前端页面示例
42
-
43
- ```text
44
- 代码变更摘要:新增审批记录列表页与筛选表单
45
- 自测范围:已验证桌面、iPad、移动端布局和空态/错误态
46
- 剩余风险:极长审批标题场景待真实数据验证
47
- QA 关注点:断点切换、键盘可达性、无结果空态
48
- ```
49
-
50
- ## 5. 跨角色示例
51
-
52
- 如果一次交接同时包含前后端结果,建议分块写,不要混成一段模糊总结。
53
-
54
- ## 6. custom overlay 场景
55
-
56
- 如果启用了 custom overlay,handoff 里还应写:
57
-
58
- - 启用了什么能力
59
- - 为什么启用
60
- - 做了什么
61
- - 哪些约束需要 QA 或 release 继续核对
62
-
63
- ## 7. 常见错误
64
-
65
- - 只有“已完成开发”
66
- - 没有验证证据
67
- - 没写剩余风险
68
- - custom overlay 用了却没留下记录
69
-
70
- 如果你要看 handoff 在完整链路里的位置,继续看 [first-team-workflow-walkthrough.md](first-team-workflow-walkthrough.md)。