npm - @hupan56/wlkj - Versions diffs - 2.2.3 → 2.2.5 - Mend

@hupan56/wlkj 2.2.3 → 2.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/bin/cli.js +532 -532
package/package.json +28 -28
package/templates/qoder/hooks/inject-workflow-state.py +117 -117
package/templates/qoder/hooks/session-start.py +204 -204
package/templates/qoder/scripts/common/developer.py +231 -161
package/templates/qoder/scripts/common/paths.py +310 -310
package/templates/qoder/scripts/common/task_utils.py +392 -387
package/templates/qoder/scripts/init_developer.py +75 -75
package/templates/qoder/scripts/install_qoderwork.py +367 -367
package/templates/qoder/scripts/role.py +39 -39
package/templates/qoder/scripts/syncgate.py +333 -333
package/templates/qoder/scripts/team_sync.py +439 -439
package/templates/qoder/skills/design-review/SKILL.md +25 -25
package/templates/qoder/skills/prd-generator/SKILL.md +180 -180
package/templates/qoder/skills/prd-review/SKILL.md +36 -36
package/templates/qoder/skills/prototype-generator/SKILL.md +141 -141
package/templates/qoder/skills/spec-coder/SKILL.md +68 -68
package/templates/qoder/skills/spec-generator/SKILL.md +66 -66
package/templates/qoder/skills/test-generator/SKILL.md +71 -71
package/templates/root/AGENTS.md +182 -182

package/templates/qoder/scripts/syncgate.py CHANGED Viewed

@@ -1,333 +1,333 @@
-# -*- coding: utf-8 -*-
-"""
-syncgate.py - team_sync 推送前的零信任门禁
-四道关卡, 任一失败则拒绝 push (exit 非 0, 不 commit 不 push):
-  1. 身份强制: 当前开发者必须已注册 (member.json + 本地密钥)
-  2. 作者强制: git config user.name/email 必须与 member.json[git_author] 一致
-  3. 秘密扫描: staged 文件不能含 AWS key / GitHub PAT / 私钥 / 高熵串
-  4. EVA 门禁: staged 的 PRD 必须过 eval_prd (>=80%)
-设计为独立模块, 方便单元测试和复用。team_sync.do_push 在 commit 前调用
-run_gates(staged_files) -> (passed, reasons)。
-"""
-import os
-import re
-import subprocess
-import sys
-from typing import List, Tuple, Optional
-# 相对导入
-_THIS_DIR = os.path.dirname(os.path.abspath(__file__))
-if _THIS_DIR not in sys.path:
-    sys.path.insert(0, _THIS_DIR)
-_COMMON = os.path.join(_THIS_DIR, "common")
-if _COMMON not in sys.path:
-    sys.path.insert(0, _COMMON)
-from common.identity import (
-    get_member, verify_member, EXIT_AUTHZ, IdentityError,
-)
-__all__ = [
-    "run_gates",
-    "check_identity",
-    "check_git_author",
-    "scan_secrets",
-    "check_eval_gate",
-    "SAFE_EXTENSIONS",
-    "SecretFound",
-    "GateFailure",
-]
-# 退出码统一
-EXIT_QUALITY = 5  # 质量门禁失败 (EVA 不过)
-class GateFailure(Exception):
-    """门禁失败。"""
-class SecretFound(GateFailure):
-    """发现疑似秘密。"""
-# ============================================================
-# Allowlist: 只允许这些后缀被 stage (替代危险的 git add -A)
-# ============================================================
-SAFE_EXTENSIONS = {
-    ".md", ".html", ".json", ".jsonl", ".yaml", ".yml",
-    ".toml", ".txt", ".csv", ".svg",
-}
-# 已知的无扩展名文件 (task 系统的元数据)
-SAFE_NOEXT_FILES = {"task", "implement", "check"}  # task.jsonl 等其实有扩展
-# ============================================================
-# 1. 身份强制
-# ============================================================
-def check_identity(dev: Optional[str], repo_root: str) -> None:
-    """开发者必须已注册且有本地密钥。"""
-    if not dev:
-        raise GateFailure(
-            "[authz] 拒绝: 未设置开发者身份。先跑 /wl-init <名字> <角色> 注册。"
-        )
-    m = get_member(dev, repo_root)
-    if not m:
-        raise GateFailure(
-            "[authz] 拒绝: 成员 %s 未在注册表 (workspace/members/%s/member.json)。"
-            "先跑 /wl-init %s 注册。" % (dev, dev, dev)
-        )
-    if not verify_member(dev, repo_root):
-        raise GateFailure(
-            "[authz] 拒绝: 成员 %s 在本机无签名密钥。"
-            "可能换了机器或未完成 /wl-init。跑 /wl-init %s 修复。" % (dev, dev)
-        )
-# ============================================================
-# 2. 作者强制: git config 必须与 member.json 一致
-# ============================================================
-def _git_config(key: str) -> str:
-    """读 git config。git 未安装时返回空串, 不崩溃。"""
-    try:
-        r = subprocess.run(
-            ["git", "config", key],
-            capture_output=True, text=True, encoding="utf-8", errors="replace",
-        )
-        return r.stdout.strip() if r.returncode == 0 else ""
-    except FileNotFoundError:
-        return ""  # git 未装
-def check_git_author(dev: str, repo_root: str) -> None:
-    """git user.name/email 必须与 member.json 的 git_author 一致。
-    member.json git_author 格式: "Name <email>"
-    git 未安装时跳过此检查 (本地无提交可冒名)。
-    """
-    m = get_member(dev, repo_root)
-    if not m:
-        check_identity(dev, repo_root)  # 会抛
-        return
-    expected_author = m.get("git_author", "")
-    if not expected_author:
-        return  # 老数据没设, 不阻塞 (向后兼容)
-    # git 未安装 — 无法校验作者, 跳过 (本地工作不阻塞)
-    try:
-        subprocess.run(["git", "--version"], capture_output=True, timeout=5)
-    except (FileNotFoundError, OSError):
-        return  # 无 git, 跳过
-    # 解析 "Name <email>"
-    match = re.match(r"^(.+?) <(.+?)>$", expected_author)
-    if not match:
-        return
-    exp_name, exp_email = match.group(1).strip(), match.group(2).strip()
-    actual_name = _git_config("user.name")
-    actual_email = _git_config("user.email")
-    # 名字或邮箱任一不符则拒绝 (防止冒名提交)
-    # 注意: 允许 git user.name 带/不带数字后缀等小差异? 不, 严格匹配防冒名
-    if actual_name != exp_name or actual_email != exp_email:
-        raise GateFailure(
-            "[authz] 拒绝: git 作者与注册身份不符。\n"
-            "  注册: %s <%s>\n"
-            "  当前 git config: user.name=%r user.email=%r\n"
-            "  修复: git config user.name %s && git config user.email %s\n"
-            "  (用 --local 只改本仓库, 不影响全局)" % (
-                exp_name, exp_email, actual_name, actual_email,
-                exp_name, exp_email,
-            )
-        )
-# ============================================================
-# 3. 秘密扫描
-# ============================================================
-# 常见秘密模式 (保守, 低误报)
-SECRET_PATTERNS = [
-    # AWS Access Key
-    (re.compile(r"AKIA[0-9A-Z]{16}"), "AWS Access Key"),
-    # AWS Secret (40 字符 base64, 上下文提示)
-    (re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key['\"\s:=]+([A-Za-z0-9/+=]{40})"), "AWS Secret Key"),
-    # GitHub PAT (ghp_/gho_/ghu_/ghs_/ghr_)
-    (re.compile(r"gh[pousr]_[A-Za-z0-9]{36}"), "GitHub Token"),
-    # Slack
-    (re.compile(r"xox[baprs]-[A-Za-z0-9-]{10,}"), "Slack Token"),
-    # Google API key
-    (re.compile(r"AIza[0-9A-Za-z\-_]{35}"), "Google API Key"),
-    # Generic private key header
-    (re.compile(r"-----BEGIN (RSA |EC |DSA |OPENSSH |)PRIVATE KEY-----"), "Private Key"),
-    # Generic password assignment (保守: 只匹配明显的赋值)
-    (re.compile(r"(?i)(password|passwd|pwd)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"), "Password literal"),
-    # 高熵连接字符串里的凭据
-    (re.compile(r"(?i)(postgres|mysql|mongodb|redis)://[^:\s]+:([^@\s]{8,})@"), "DB connection password"),
-]
-def scan_secrets(file_paths: List[str], repo_root: str) -> None:
-    """扫描文件内容, 发现秘密则抛 SecretFound。
-    只扫文本文件 (按 SAFE_EXTENSIONS), 二进制跳过。
-    限制每个文件读前 256KB (防巨大文件)。
-    """
-    hits = []
-    for fp in file_paths:
-        full = os.path.join(repo_root, fp) if not os.path.isabs(fp) else fp
-        ext = os.path.splitext(fp)[1].lower()
-        if ext not in SAFE_EXTENSIONS and ext != "":
-            continue
-        if not os.path.isfile(full):
-            continue
-        try:
-            with open(full, "r", encoding="utf-8", errors="ignore") as f:
-                content = f.read(256 * 1024)
-        except OSError:
-            continue
-        for pattern, label in SECRET_PATTERNS:
-            for m in pattern.finditer(content):
-                # 屏蔽匹配到的实际值, 只报告位置
-                line_no = content[:m.start()].count("\n") + 1
-                hits.append((fp, line_no, label))
-    if hits:
-        lines = ["[gate] 拒绝: 检测到疑似秘密, 已阻止提交:"]
-        for fp, ln, label in hits[:20]:
-            lines.append("  %s:%d  %s" % (fp, ln, label))
-        if len(hits) > 20:
-            lines.append("  ... 还有 %d 处" % (len(hits) - 20))
-        lines.append("若确认误报, 在文件里标注 '# noscan' 或用 --skip-secret-scan (仅 admin)")
-        raise SecretFound("\n".join(lines))
-# ============================================================
-# 4. EVA 门禁 (PRD 质量校验)
-# ============================================================
-def check_eval_gate(
-    prd_paths: List[str],
-    repo_root: str,
-    skip_eval: bool = False,
-) -> None:
-    """对每个 PRD 跑 eval_prd, 任一 FAIL 则拒绝。
-    skip_eval=True 时跳过 (仅 admin 用, 会记录到审计日志)。
-    """
-    if skip_eval or not prd_paths:
-        return
-    try:
-        from common.eval_api import evaluate
-    except ImportError:
-        # eval_api 还没建 (阶段 1.2 建), 跳过不阻塞
-        return
-    failures = []
-    for prd in prd_paths:
-        full = os.path.join(repo_root, prd) if not os.path.isabs(prd) else prd
-        if not os.path.isfile(full):
-            continue
-        # 找同名原型 (可选)
-        dirname = os.path.dirname(full)
-        base = os.path.splitext(os.path.basename(full))[0]
-        feature = base.replace("REQ-", "").split("-", 1)[-1] if "-" in base else base
-        html_candidates = [
-            os.path.join(dirname, "prototype-%s.html" % feature),
-            os.path.join(dirname, "prototype-%s-web.html" % feature),
-        ]
-        html = next((h for h in html_candidates if os.path.isfile(h)), None)
-        try:
-            result = evaluate(full, html)
-        except Exception as e:
-            failures.append((prd, "评估异常: %s" % e))
-            continue
-        if not result.get("passed"):
-            pct = result.get("pct", 0)
-            misses = result.get("misses", [])[:5]
-            failures.append((prd, "%.0f%% (<80%%). 问题: %s" % (pct, "; ".join(misses) if misses else "见 EVA 报告")))
-    if failures:
-        lines = ["[gate] 拒绝: %d 个 PRD 未过 EVA 门禁 (<80%%):" % len(failures)]
-        issues_all = []
-        for prd, reason in failures:
-            lines.append("  %s  %s" % (prd, reason))
-            issues_all.append("%s: %s" % (prd, reason))
-        lines.append("修复 PRD 后重试, 或 admin 用 --skip-eval 跳过 (会记录审计)")
-        # D2: 飞书通知 EVA 拒绝
-        try:
-            from common.feishu import notify_eval_rejected
-            notify_eval_rejected(
-                req_id=",".join(os.path.basename(p) for p, _ in failures[:3]),
-                title="批量 EVA 拒绝",
-                issues=issues_all,
-            )
-        except Exception:
-            pass
-        raise GateFailure("\n".join(lines))
-# ============================================================
-# 总入口
-# ============================================================
-def run_gates(
-    staged_files: List[str],
-    dev: Optional[str],
-    repo_root: str,
-    skip_eval: bool = False,
-    skip_secret: bool = False,
-) -> Tuple[bool, str]:
-    """跑全部门禁。返回 (passed, reason)。
-    passed=True 表示全过。passed=False 时 reason 是给人看的错误信息。
-    """
-    try:
-        # 1. 身份
-        check_identity(dev, repo_root)
-        # 2. 作者
-        check_git_author(dev, repo_root)
-        # 3. 秘密
-        if not skip_secret:
-            scan_secrets(staged_files, repo_root)
-        # 4. REQ-ID 校验 (防撞号/跳号)
-        prd_files = [
-            f for f in staged_files
-            if ("/prd/" in f.replace("\\", "/").lower() or
-                os.path.basename(f).lower().startswith("req-"))
-            and f.lower().endswith(".md")
-        ]
-        if prd_files:
-            try:
-                from common.reqid import validate_req_ids, migrate_from_existing, ReqIdError
-                # 计数器缺失则先迁移 (幂等)
-                try:
-                    validate_req_ids(prd_files, repo_root)
-                except ReqIdError as e:
-                    if '超过计数器最大值 0' in str(e) or 'req-counter' in str(e).lower():
-                        # 计数器未初始化, 迁移后重试
-                        migrate_from_existing(repo_root)
-                        validate_req_ids(prd_files, repo_root)
-                    else:
-                        raise
-            except ImportError:
-                pass  # reqid 模块不可用, 跳过 (向后兼容)
-        # 5. EVA 门禁 (只对 PRD 文件)
-        check_eval_gate(prd_files, repo_root, skip_eval=skip_eval)
-        return True, ""
-    except GateFailure as e:
-        return False, str(e)
-    except Exception as e:
-        # ReqIdError / AtomicIOError 等也包装成 GateFailure 风格, 不让原始
-        # traceback 冒泡到产品经理眼前
-        msg = str(e)
-        if 'REQ-ID' in msg or '撞号' in msg or 'REQ' in msg:
-            return False, msg
-        # 其他意外异常: 返回友好错误而非崩溃栈
-        return False, '[gate] 门禁检查遇到意外错误 (非门禁失败, 请重试或检查环境): ' + msg[:200]
+# -*- coding: utf-8 -*-
+"""
+syncgate.py - team_sync 推送前的零信任门禁
+四道关卡, 任一失败则拒绝 push (exit 非 0, 不 commit 不 push):
+  1. 身份强制: 当前开发者必须已注册 (member.json + 本地密钥)
+  2. 作者强制: git config user.name/email 必须与 member.json[git_author] 一致
+  3. 秘密扫描: staged 文件不能含 AWS key / GitHub PAT / 私钥 / 高熵串
+  4. EVA 门禁: staged 的 PRD 必须过 eval_prd (>=80%)
+设计为独立模块, 方便单元测试和复用。team_sync.do_push 在 commit 前调用
+run_gates(staged_files) -> (passed, reasons)。
+"""
+import os
+import re
+import subprocess
+import sys
+from typing import List, Tuple, Optional
+# 相对导入
+_THIS_DIR = os.path.dirname(os.path.abspath(__file__))
+if _THIS_DIR not in sys.path:
+    sys.path.insert(0, _THIS_DIR)
+_COMMON = os.path.join(_THIS_DIR, "common")
+if _COMMON not in sys.path:
+    sys.path.insert(0, _COMMON)
+from common.identity import (
+    get_member, verify_member, EXIT_AUTHZ, IdentityError,
+)
+__all__ = [
+    "run_gates",
+    "check_identity",
+    "check_git_author",
+    "scan_secrets",
+    "check_eval_gate",
+    "SAFE_EXTENSIONS",
+    "SecretFound",
+    "GateFailure",
+]
+# 退出码统一
+EXIT_QUALITY = 5  # 质量门禁失败 (EVA 不过)
+class GateFailure(Exception):
+    """门禁失败。"""
+class SecretFound(GateFailure):
+    """发现疑似秘密。"""
+# ============================================================
+# Allowlist: 只允许这些后缀被 stage (替代危险的 git add -A)
+# ============================================================
+SAFE_EXTENSIONS = {
+    ".md", ".html", ".json", ".jsonl", ".yaml", ".yml",
+    ".toml", ".txt", ".csv", ".svg",
+}
+# 已知的无扩展名文件 (task 系统的元数据)
+SAFE_NOEXT_FILES = {"task", "implement", "check"}  # task.jsonl 等其实有扩展
+# ============================================================
+# 1. 身份强制
+# ============================================================
+def check_identity(dev: Optional[str], repo_root: str) -> None:
+    """开发者必须已注册且有本地密钥。"""
+    if not dev:
+        raise GateFailure(
+            "[authz] 拒绝: 未设置开发者身份。先跑 /wl-init <名字> <角色> 注册。"
+        )
+    m = get_member(dev, repo_root)
+    if not m:
+        raise GateFailure(
+            "[authz] 拒绝: 成员 %s 未在注册表 (workspace/members/%s/member.json)。"
+            "先跑 /wl-init %s 注册。" % (dev, dev, dev)
+        )
+    if not verify_member(dev, repo_root):
+        raise GateFailure(
+            "[authz] 拒绝: 成员 %s 在本机无签名密钥。"
+            "可能换了机器或未完成 /wl-init。跑 /wl-init %s 修复。" % (dev, dev)
+        )
+# ============================================================
+# 2. 作者强制: git config 必须与 member.json 一致
+# ============================================================
+def _git_config(key: str) -> str:
+    """读 git config。git 未安装时返回空串, 不崩溃。"""
+    try:
+        r = subprocess.run(
+            ["git", "config", key],
+            capture_output=True, text=True, encoding="utf-8", errors="replace",
+        )
+        return r.stdout.strip() if r.returncode == 0 else ""
+    except FileNotFoundError:
+        return ""  # git 未装
+def check_git_author(dev: str, repo_root: str) -> None:
+    """git user.name/email 必须与 member.json 的 git_author 一致。
+    member.json git_author 格式: "Name <email>"
+    git 未安装时跳过此检查 (本地无提交可冒名)。
+    """
+    m = get_member(dev, repo_root)
+    if not m:
+        check_identity(dev, repo_root)  # 会抛
+        return
+    expected_author = m.get("git_author", "")
+    if not expected_author:
+        return  # 老数据没设, 不阻塞 (向后兼容)
+    # git 未安装 — 无法校验作者, 跳过 (本地工作不阻塞)
+    try:
+        subprocess.run(["git", "--version"], capture_output=True, timeout=5)
+    except (FileNotFoundError, OSError):
+        return  # 无 git, 跳过
+    # 解析 "Name <email>"
+    match = re.match(r"^(.+?) <(.+?)>$", expected_author)
+    if not match:
+        return
+    exp_name, exp_email = match.group(1).strip(), match.group(2).strip()
+    actual_name = _git_config("user.name")
+    actual_email = _git_config("user.email")
+    # 名字或邮箱任一不符则拒绝 (防止冒名提交)
+    # 注意: 允许 git user.name 带/不带数字后缀等小差异? 不, 严格匹配防冒名
+    if actual_name != exp_name or actual_email != exp_email:
+        raise GateFailure(
+            "[authz] 拒绝: git 作者与注册身份不符。\n"
+            "  注册: %s <%s>\n"
+            "  当前 git config: user.name=%r user.email=%r\n"
+            "  修复: git config user.name %s && git config user.email %s\n"
+            "  (用 --local 只改本仓库, 不影响全局)" % (
+                exp_name, exp_email, actual_name, actual_email,
+                exp_name, exp_email,
+            )
+        )
+# ============================================================
+# 3. 秘密扫描
+# ============================================================
+# 常见秘密模式 (保守, 低误报)
+SECRET_PATTERNS = [
+    # AWS Access Key
+    (re.compile(r"AKIA[0-9A-Z]{16}"), "AWS Access Key"),
+    # AWS Secret (40 字符 base64, 上下文提示)
+    (re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key['\"\s:=]+([A-Za-z0-9/+=]{40})"), "AWS Secret Key"),
+    # GitHub PAT (ghp_/gho_/ghu_/ghs_/ghr_)
+    (re.compile(r"gh[pousr]_[A-Za-z0-9]{36}"), "GitHub Token"),
+    # Slack
+    (re.compile(r"xox[baprs]-[A-Za-z0-9-]{10,}"), "Slack Token"),
+    # Google API key
+    (re.compile(r"AIza[0-9A-Za-z\-_]{35}"), "Google API Key"),
+    # Generic private key header
+    (re.compile(r"-----BEGIN (RSA |EC |DSA |OPENSSH |)PRIVATE KEY-----"), "Private Key"),
+    # Generic password assignment (保守: 只匹配明显的赋值)
+    (re.compile(r"(?i)(password|passwd|pwd)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"), "Password literal"),
+    # 高熵连接字符串里的凭据
+    (re.compile(r"(?i)(postgres|mysql|mongodb|redis)://[^:\s]+:([^@\s]{8,})@"), "DB connection password"),
+]
+def scan_secrets(file_paths: List[str], repo_root: str) -> None:
+    """扫描文件内容, 发现秘密则抛 SecretFound。
+    只扫文本文件 (按 SAFE_EXTENSIONS), 二进制跳过。
+    限制每个文件读前 256KB (防巨大文件)。
+    """
+    hits = []
+    for fp in file_paths:
+        full = os.path.join(repo_root, fp) if not os.path.isabs(fp) else fp
+        ext = os.path.splitext(fp)[1].lower()
+        if ext not in SAFE_EXTENSIONS and ext != "":
+            continue
+        if not os.path.isfile(full):
+            continue
+        try:
+            with open(full, "r", encoding="utf-8", errors="ignore") as f:
+                content = f.read(256 * 1024)
+        except OSError:
+            continue
+        for pattern, label in SECRET_PATTERNS:
+            for m in pattern.finditer(content):
+                # 屏蔽匹配到的实际值, 只报告位置
+                line_no = content[:m.start()].count("\n") + 1
+                hits.append((fp, line_no, label))
+    if hits:
+        lines = ["[gate] 拒绝: 检测到疑似秘密, 已阻止提交:"]
+        for fp, ln, label in hits[:20]:
+            lines.append("  %s:%d  %s" % (fp, ln, label))
+        if len(hits) > 20:
+            lines.append("  ... 还有 %d 处" % (len(hits) - 20))
+        lines.append("若确认误报, 在文件里标注 '# noscan' 或用 --skip-secret-scan (仅 admin)")
+        raise SecretFound("\n".join(lines))
+# ============================================================
+# 4. EVA 门禁 (PRD 质量校验)
+# ============================================================
+def check_eval_gate(
+    prd_paths: List[str],
+    repo_root: str,
+    skip_eval: bool = False,
+) -> None:
+    """对每个 PRD 跑 eval_prd, 任一 FAIL 则拒绝。
+    skip_eval=True 时跳过 (仅 admin 用, 会记录到审计日志)。
+    """
+    if skip_eval or not prd_paths:
+        return
+    try:
+        from common.eval_api import evaluate
+    except ImportError:
+        # eval_api 还没建 (阶段 1.2 建), 跳过不阻塞
+        return
+    failures = []
+    for prd in prd_paths:
+        full = os.path.join(repo_root, prd) if not os.path.isabs(prd) else prd
+        if not os.path.isfile(full):
+            continue
+        # 找同名原型 (可选)
+        dirname = os.path.dirname(full)
+        base = os.path.splitext(os.path.basename(full))[0]
+        feature = base.replace("REQ-", "").split("-", 1)[-1] if "-" in base else base
+        html_candidates = [
+            os.path.join(dirname, "prototype-%s.html" % feature),
+            os.path.join(dirname, "prototype-%s-web.html" % feature),
+        ]
+        html = next((h for h in html_candidates if os.path.isfile(h)), None)
+        try:
+            result = evaluate(full, html)
+        except Exception as e:
+            failures.append((prd, "评估异常: %s" % e))
+            continue
+        if not result.get("passed"):
+            pct = result.get("pct", 0)
+            misses = result.get("misses", [])[:5]
+            failures.append((prd, "%.0f%% (<80%%). 问题: %s" % (pct, "; ".join(misses) if misses else "见 EVA 报告")))
+    if failures:
+        lines = ["[gate] 拒绝: %d 个 PRD 未过 EVA 门禁 (<80%%):" % len(failures)]
+        issues_all = []
+        for prd, reason in failures:
+            lines.append("  %s  %s" % (prd, reason))
+            issues_all.append("%s: %s" % (prd, reason))
+        lines.append("修复 PRD 后重试, 或 admin 用 --skip-eval 跳过 (会记录审计)")
+        # D2: 飞书通知 EVA 拒绝
+        try:
+            from common.feishu import notify_eval_rejected
+            notify_eval_rejected(
+                req_id=",".join(os.path.basename(p) for p, _ in failures[:3]),
+                title="批量 EVA 拒绝",
+                issues=issues_all,
+            )
+        except Exception:
+            pass
+        raise GateFailure("\n".join(lines))
+# ============================================================
+# 总入口
+# ============================================================
+def run_gates(
+    staged_files: List[str],
+    dev: Optional[str],
+    repo_root: str,
+    skip_eval: bool = False,
+    skip_secret: bool = False,
+) -> Tuple[bool, str]:
+    """跑全部门禁。返回 (passed, reason)。
+    passed=True 表示全过。passed=False 时 reason 是给人看的错误信息。
+    """
+    try:
+        # 1. 身份
+        check_identity(dev, repo_root)
+        # 2. 作者
+        check_git_author(dev, repo_root)
+        # 3. 秘密
+        if not skip_secret:
+            scan_secrets(staged_files, repo_root)
+        # 4. REQ-ID 校验 (防撞号/跳号)
+        prd_files = [
+            f for f in staged_files
+            if ("/prd/" in f.replace("\\", "/").lower() or
+                os.path.basename(f).lower().startswith("req-"))
+            and f.lower().endswith(".md")
+        ]
+        if prd_files:
+            try:
+                from common.reqid import validate_req_ids, migrate_from_existing, ReqIdError
+                # 计数器缺失则先迁移 (幂等)
+                try:
+                    validate_req_ids(prd_files, repo_root)
+                except ReqIdError as e:
+                    if '超过计数器最大值 0' in str(e) or 'req-counter' in str(e).lower():
+                        # 计数器未初始化, 迁移后重试
+                        migrate_from_existing(repo_root)
+                        validate_req_ids(prd_files, repo_root)
+                    else:
+                        raise
+            except ImportError:
+                pass  # reqid 模块不可用, 跳过 (向后兼容)
+        # 5. EVA 门禁 (只对 PRD 文件)
+        check_eval_gate(prd_files, repo_root, skip_eval=skip_eval)
+        return True, ""
+    except GateFailure as e:
+        return False, str(e)
+    except Exception as e:
+        # ReqIdError / AtomicIOError 等也包装成 GateFailure 风格, 不让原始
+        # traceback 冒泡到产品经理眼前
+        msg = str(e)
+        if 'REQ-ID' in msg or '撞号' in msg or 'REQ' in msg:
+            return False, msg
+        # 其他意外异常: 返回友好错误而非崩溃栈
+        return False, '[gate] 门禁检查遇到意外错误 (非门禁失败, 请重试或检查环境): ' + msg[:200]