npm - @mison/ag-kit-cn - Versions diffs - 2.0.1 - Mend

@mison/ag-kit-cn 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (237) hide show

package/.agent/.shared/ui-ux-pro-max/data/charts.csv +26 -0
package/.agent/.shared/ui-ux-pro-max/data/colors.csv +97 -0
package/.agent/.shared/ui-ux-pro-max/data/icons.csv +101 -0
package/.agent/.shared/ui-ux-pro-max/data/landing.csv +31 -0
package/.agent/.shared/ui-ux-pro-max/data/products.csv +97 -0
package/.agent/.shared/ui-ux-pro-max/data/prompts.csv +24 -0
package/.agent/.shared/ui-ux-pro-max/data/react-performance.csv +45 -0
package/.agent/.shared/ui-ux-pro-max/data/stacks/flutter.csv +53 -0
package/.agent/.shared/ui-ux-pro-max/data/stacks/html-tailwind.csv +56 -0
package/.agent/.shared/ui-ux-pro-max/data/stacks/jetpack-compose.csv +53 -0
package/.agent/.shared/ui-ux-pro-max/data/stacks/nextjs.csv +53 -0
package/.agent/.shared/ui-ux-pro-max/data/stacks/nuxt-ui.csv +51 -0
package/.agent/.shared/ui-ux-pro-max/data/stacks/nuxtjs.csv +59 -0
package/.agent/.shared/ui-ux-pro-max/data/stacks/react-native.csv +52 -0
package/.agent/.shared/ui-ux-pro-max/data/stacks/react.csv +54 -0
package/.agent/.shared/ui-ux-pro-max/data/stacks/shadcn.csv +61 -0
package/.agent/.shared/ui-ux-pro-max/data/stacks/svelte.csv +54 -0
package/.agent/.shared/ui-ux-pro-max/data/stacks/swiftui.csv +51 -0
package/.agent/.shared/ui-ux-pro-max/data/stacks/vue.csv +50 -0
package/.agent/.shared/ui-ux-pro-max/data/styles.csv +59 -0
package/.agent/.shared/ui-ux-pro-max/data/typography.csv +58 -0
package/.agent/.shared/ui-ux-pro-max/data/ui-reasoning.csv +101 -0
package/.agent/.shared/ui-ux-pro-max/data/ux-guidelines.csv +100 -0
package/.agent/.shared/ui-ux-pro-max/data/web-interface.csv +31 -0
package/.agent/.shared/ui-ux-pro-max/scripts/core.py +258 -0
package/.agent/.shared/ui-ux-pro-max/scripts/design_system.py +1067 -0
package/.agent/.shared/ui-ux-pro-max/scripts/search.py +106 -0
package/.agent/ARCHITECTURE.md +285 -0
package/.agent/agents/backend-specialist.md +268 -0
package/.agent/agents/code-archaeologist.md +106 -0
package/.agent/agents/database-architect.md +225 -0
package/.agent/agents/debugger.md +225 -0
package/.agent/agents/devops-engineer.md +242 -0
package/.agent/agents/documentation-writer.md +104 -0
package/.agent/agents/explorer-agent.md +73 -0
package/.agent/agents/frontend-specialist.md +618 -0
package/.agent/agents/game-developer.md +162 -0
package/.agent/agents/mobile-developer.md +382 -0
package/.agent/agents/orchestrator.md +438 -0
package/.agent/agents/penetration-tester.md +188 -0
package/.agent/agents/performance-optimizer.md +187 -0
package/.agent/agents/product-manager.md +112 -0
package/.agent/agents/product-owner.md +95 -0
package/.agent/agents/project-planner.md +405 -0
package/.agent/agents/qa-automation-engineer.md +103 -0
package/.agent/agents/security-auditor.md +170 -0
package/.agent/agents/seo-specialist.md +111 -0
package/.agent/agents/test-engineer.md +158 -0
package/.agent/mcp_config.json +12 -0
package/.agent/rules/GEMINI.md +273 -0
package/.agent/scripts/auto_preview.py +148 -0
package/.agent/scripts/checklist.py +217 -0
package/.agent/scripts/session_manager.py +120 -0
package/.agent/scripts/verify_all.py +327 -0
package/.agent/skills/api-patterns/SKILL.md +84 -0
package/.agent/skills/api-patterns/api-style.md +42 -0
package/.agent/skills/api-patterns/auth.md +24 -0
package/.agent/skills/api-patterns/documentation.md +26 -0
package/.agent/skills/api-patterns/graphql.md +41 -0
package/.agent/skills/api-patterns/rate-limiting.md +31 -0
package/.agent/skills/api-patterns/response.md +37 -0
package/.agent/skills/api-patterns/rest.md +40 -0
package/.agent/skills/api-patterns/scripts/api_validator.py +211 -0
package/.agent/skills/api-patterns/security-testing.md +122 -0
package/.agent/skills/api-patterns/trpc.md +41 -0
package/.agent/skills/api-patterns/versioning.md +22 -0
package/.agent/skills/app-builder/SKILL.md +75 -0
package/.agent/skills/app-builder/agent-coordination.md +74 -0
package/.agent/skills/app-builder/feature-building.md +53 -0
package/.agent/skills/app-builder/project-detection.md +34 -0
package/.agent/skills/app-builder/scaffolding.md +118 -0
package/.agent/skills/app-builder/tech-stack.md +40 -0
package/.agent/skills/app-builder/templates/SKILL.md +39 -0
package/.agent/skills/app-builder/templates/astro-static/TEMPLATE.md +76 -0
package/.agent/skills/app-builder/templates/chrome-extension/TEMPLATE.md +92 -0
package/.agent/skills/app-builder/templates/cli-tool/TEMPLATE.md +88 -0
package/.agent/skills/app-builder/templates/electron-desktop/TEMPLATE.md +88 -0
package/.agent/skills/app-builder/templates/express-api/TEMPLATE.md +83 -0
package/.agent/skills/app-builder/templates/flutter-app/TEMPLATE.md +90 -0
package/.agent/skills/app-builder/templates/monorepo-turborepo/TEMPLATE.md +90 -0
package/.agent/skills/app-builder/templates/nextjs-fullstack/TEMPLATE.md +122 -0
package/.agent/skills/app-builder/templates/nextjs-saas/TEMPLATE.md +122 -0
package/.agent/skills/app-builder/templates/nextjs-static/TEMPLATE.md +169 -0
package/.agent/skills/app-builder/templates/nuxt-app/TEMPLATE.md +134 -0
package/.agent/skills/app-builder/templates/python-fastapi/TEMPLATE.md +83 -0
package/.agent/skills/app-builder/templates/react-native-app/TEMPLATE.md +119 -0
package/.agent/skills/architecture/SKILL.md +57 -0
package/.agent/skills/architecture/context-discovery.md +43 -0
package/.agent/skills/architecture/examples.md +94 -0
package/.agent/skills/architecture/pattern-selection.md +68 -0
package/.agent/skills/architecture/patterns-reference.md +50 -0
package/.agent/skills/architecture/trade-off-analysis.md +77 -0
package/.agent/skills/bash-linux/SKILL.md +201 -0
package/.agent/skills/behavioral-modes/SKILL.md +264 -0
package/.agent/skills/brainstorming/SKILL.md +164 -0
package/.agent/skills/brainstorming/dynamic-questioning.md +359 -0
package/.agent/skills/clean-code/SKILL.md +200 -0
package/.agent/skills/code-review-checklist/SKILL.md +125 -0
package/.agent/skills/database-design/SKILL.md +54 -0
package/.agent/skills/database-design/database-selection.md +43 -0
package/.agent/skills/database-design/indexing.md +39 -0
package/.agent/skills/database-design/migrations.md +50 -0
package/.agent/skills/database-design/optimization.md +36 -0
package/.agent/skills/database-design/orm-selection.md +30 -0
package/.agent/skills/database-design/schema-design.md +56 -0
package/.agent/skills/database-design/scripts/schema_validator.py +172 -0
package/.agent/skills/deployment-procedures/SKILL.md +241 -0
package/.agent/skills/doc.md +177 -0
package/.agent/skills/documentation-templates/SKILL.md +194 -0
package/.agent/skills/frontend-design/SKILL.md +418 -0
package/.agent/skills/frontend-design/animation-guide.md +331 -0
package/.agent/skills/frontend-design/color-system.md +307 -0
package/.agent/skills/frontend-design/decision-trees.md +418 -0
package/.agent/skills/frontend-design/motion-graphics.md +306 -0
package/.agent/skills/frontend-design/scripts/accessibility_checker.py +183 -0
package/.agent/skills/frontend-design/scripts/ux_audit.py +727 -0
package/.agent/skills/frontend-design/typography-system.md +345 -0
package/.agent/skills/frontend-design/ux-psychology.md +1118 -0
package/.agent/skills/frontend-design/visual-effects.md +383 -0
package/.agent/skills/game-development/2d-games/SKILL.md +119 -0
package/.agent/skills/game-development/3d-games/SKILL.md +135 -0
package/.agent/skills/game-development/SKILL.md +167 -0
package/.agent/skills/game-development/game-art/SKILL.md +185 -0
package/.agent/skills/game-development/game-audio/SKILL.md +190 -0
package/.agent/skills/game-development/game-design/SKILL.md +129 -0
package/.agent/skills/game-development/mobile-games/SKILL.md +108 -0
package/.agent/skills/game-development/multiplayer/SKILL.md +132 -0
package/.agent/skills/game-development/pc-games/SKILL.md +144 -0
package/.agent/skills/game-development/vr-ar/SKILL.md +123 -0
package/.agent/skills/game-development/web-games/SKILL.md +150 -0
package/.agent/skills/geo-fundamentals/SKILL.md +155 -0
package/.agent/skills/geo-fundamentals/scripts/geo_checker.py +289 -0
package/.agent/skills/i18n-localization/SKILL.md +154 -0
package/.agent/skills/i18n-localization/scripts/i18n_checker.py +241 -0
package/.agent/skills/intelligent-routing/SKILL.md +335 -0
package/.agent/skills/lint-and-validate/SKILL.md +44 -0
package/.agent/skills/lint-and-validate/scripts/lint_runner.py +184 -0
package/.agent/skills/lint-and-validate/scripts/type_coverage.py +173 -0
package/.agent/skills/mcp-builder/SKILL.md +176 -0
package/.agent/skills/mobile-design/SKILL.md +394 -0
package/.agent/skills/mobile-design/decision-trees.md +516 -0
package/.agent/skills/mobile-design/mobile-backend.md +491 -0
package/.agent/skills/mobile-design/mobile-color-system.md +420 -0
package/.agent/skills/mobile-design/mobile-debugging.md +122 -0
package/.agent/skills/mobile-design/mobile-design-thinking.md +355 -0
package/.agent/skills/mobile-design/mobile-navigation.md +458 -0
package/.agent/skills/mobile-design/mobile-performance.md +767 -0
package/.agent/skills/mobile-design/mobile-testing.md +356 -0
package/.agent/skills/mobile-design/mobile-typography.md +432 -0
package/.agent/skills/mobile-design/platform-android.md +666 -0
package/.agent/skills/mobile-design/platform-ios.md +561 -0
package/.agent/skills/mobile-design/scripts/mobile_audit.py +670 -0
package/.agent/skills/mobile-design/touch-psychology.md +537 -0
package/.agent/skills/nextjs-react-expert/1-async-eliminating-waterfalls.md +311 -0
package/.agent/skills/nextjs-react-expert/2-bundle-bundle-size-optimization.md +241 -0
package/.agent/skills/nextjs-react-expert/3-server-server-side-performance.md +489 -0
package/.agent/skills/nextjs-react-expert/4-client-client-side-data-fetching.md +263 -0
package/.agent/skills/nextjs-react-expert/5-rerender-re-render-optimization.md +581 -0
package/.agent/skills/nextjs-react-expert/6-rendering-rendering-performance.md +431 -0
package/.agent/skills/nextjs-react-expert/7-js-javascript-performance.md +683 -0
package/.agent/skills/nextjs-react-expert/8-advanced-advanced-patterns.md +149 -0
package/.agent/skills/nextjs-react-expert/SKILL.md +286 -0
package/.agent/skills/nextjs-react-expert/scripts/convert_rules.py +222 -0
package/.agent/skills/nextjs-react-expert/scripts/react_performance_checker.py +252 -0
package/.agent/skills/nodejs-best-practices/SKILL.md +333 -0
package/.agent/skills/parallel-agents/SKILL.md +194 -0
package/.agent/skills/performance-profiling/SKILL.md +149 -0
package/.agent/skills/performance-profiling/scripts/lighthouse_audit.py +76 -0
package/.agent/skills/plan-writing/SKILL.md +152 -0
package/.agent/skills/powershell-windows/SKILL.md +166 -0
package/.agent/skills/python-patterns/SKILL.md +441 -0
package/.agent/skills/red-team-tactics/SKILL.md +203 -0
package/.agent/skills/rust-pro/SKILL.md +190 -0
package/.agent/skills/seo-fundamentals/SKILL.md +135 -0
package/.agent/skills/seo-fundamentals/scripts/seo_checker.py +215 -0
package/.agent/skills/server-management/SKILL.md +161 -0
package/.agent/skills/systematic-debugging/SKILL.md +114 -0
package/.agent/skills/tailwind-patterns/SKILL.md +269 -0
package/.agent/skills/tdd-workflow/SKILL.md +149 -0
package/.agent/skills/testing-patterns/SKILL.md +178 -0
package/.agent/skills/testing-patterns/scripts/test_runner.py +219 -0
package/.agent/skills/vulnerability-scanner/SKILL.md +276 -0
package/.agent/skills/vulnerability-scanner/checklists.md +131 -0
package/.agent/skills/vulnerability-scanner/scripts/security_scan.py +459 -0
package/.agent/skills/web-design-guidelines/SKILL.md +57 -0
package/.agent/skills/webapp-testing/SKILL.md +187 -0
package/.agent/skills/webapp-testing/scripts/playwright_runner.py +173 -0
package/.agent/workflows/brainstorm.md +113 -0
package/.agent/workflows/create.md +59 -0
package/.agent/workflows/debug.md +103 -0
package/.agent/workflows/deploy.md +176 -0
package/.agent/workflows/enhance.md +63 -0
package/.agent/workflows/orchestrate.md +242 -0
package/.agent/workflows/plan.md +89 -0
package/.agent/workflows/preview.md +80 -0
package/.agent/workflows/restore-localize-compat.md +525 -0
package/.agent/workflows/status.md +86 -0
package/.agent/workflows/test.md +144 -0
package/.agent/workflows/ui-ux-pro-max.md +295 -0
package/AGENT_FLOW.md +609 -0
package/CHANGELOG.md +68 -0
package/LICENSE +21 -0
package/README.md +260 -0
package/bin/adapters/base.js +63 -0
package/bin/adapters/codex.js +391 -0
package/bin/adapters/gemini.js +137 -0
package/bin/ag-kit.js +1336 -0
package/bin/core/builder.js +80 -0
package/bin/core/generator.js +59 -0
package/bin/core/resource-loader.js +64 -0
package/bin/core/transformer.js +208 -0
package/bin/interactive.js +65 -0
package/bin/utils/atomic-writer.js +97 -0
package/bin/utils/git-helper.js +68 -0
package/bin/utils/managed-block.js +65 -0
package/bin/utils/manifest.js +241 -0
package/bin/utils.js +82 -0
package/docs/codex-rules-template.md +36 -0
package/docs/mapping-spec.md +68 -0
package/docs/multi-target-adapter.md +80 -0
package/docs/official/README.md +53 -0
package/docs/official/antigravity/agent-modes-settings.md +64 -0
package/docs/official/antigravity/rules-workflows.md +96 -0
package/docs/official/antigravity/skills.md +147 -0
package/docs/official/codex/agents-md.md +119 -0
package/docs/official/codex/config-advanced.md +358 -0
package/docs/official/codex/config-basic.md +141 -0
package/docs/official/codex/config-reference.md +223 -0
package/docs/official/codex/config-sample.md +216 -0
package/docs/official/codex/mcp.md +107 -0
package/docs/official/codex/rules.md +79 -0
package/docs/official/codex/skills.md +114 -0
package/docs/official/sources-index.md +32 -0
package/docs/operations.md +145 -0
package/docs/terminology-style-guide.md +69 -0
package/package.json +51 -0
package/scripts/postinstall-check.js +112 -0

package/.agent/skills/testing-patterns/scripts/test_runner.py ADDED Viewed

@@ -0,0 +1,219 @@
+#!/usr/bin/env python3
+"""
+Test Runner - Unified test execution and coverage reporting
+Runs tests and generates coverage report based on project type.
+Usage:
+    python test_runner.py <project_path> [--coverage]
+Supports:
+    - Node.js: npm test, jest, vitest
+    - Python: pytest, unittest
+"""
+import subprocess
+import sys
+import json
+from pathlib import Path
+from datetime import datetime
+# Fix Windows console encoding
+try:
+    sys.stdout.reconfigure(encoding='utf-8', errors='replace')
+except:
+    pass
+def detect_test_framework(project_path: Path) -> dict:
+    """Detect test framework and commands."""
+    result = {
+        "type": "unknown",
+        "framework": None,
+        "cmd": None,
+        "coverage_cmd": None
+    }
+    # Node.js project
+    package_json = project_path / "package.json"
+    if package_json.exists():
+        result["type"] = "node"
+        try:
+            pkg = json.loads(package_json.read_text(encoding='utf-8'))
+            scripts = pkg.get("scripts", {})
+            deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
+            # Check for test script
+            if "test" in scripts:
+                result["framework"] = "npm test"
+                result["cmd"] = ["npm", "test"]
+                # Try to detect specific framework for coverage
+                if "vitest" in deps:
+                    result["framework"] = "vitest"
+                    result["coverage_cmd"] = ["npx", "vitest", "run", "--coverage"]
+                elif "jest" in deps:
+                    result["framework"] = "jest"
+                    result["coverage_cmd"] = ["npx", "jest", "--coverage"]
+            elif "vitest" in deps:
+                result["framework"] = "vitest"
+                result["cmd"] = ["npx", "vitest", "run"]
+                result["coverage_cmd"] = ["npx", "vitest", "run", "--coverage"]
+            elif "jest" in deps:
+                result["framework"] = "jest"
+                result["cmd"] = ["npx", "jest"]
+                result["coverage_cmd"] = ["npx", "jest", "--coverage"]
+        except:
+            pass
+    # Python project
+    if (project_path / "pyproject.toml").exists() or (project_path / "requirements.txt").exists():
+        result["type"] = "python"
+        result["framework"] = "pytest"
+        result["cmd"] = ["python", "-m", "pytest", "-v"]
+        result["coverage_cmd"] = ["python", "-m", "pytest", "--cov", "--cov-report=term-missing"]
+    return result
+def run_tests(cmd: list, cwd: Path) -> dict:
+    """Run tests and return results."""
+    result = {
+        "passed": False,
+        "output": "",
+        "error": "",
+        "tests_run": 0,
+        "tests_passed": 0,
+        "tests_failed": 0
+    }
+    try:
+        proc = subprocess.run(
+            cmd,
+            cwd=str(cwd),
+            capture_output=True,
+            text=True,
+            encoding='utf-8',
+            errors='replace',
+            timeout=300  # 5 min timeout for tests
+        )
+        result["output"] = proc.stdout[:3000] if proc.stdout else ""
+        result["error"] = proc.stderr[:500] if proc.stderr else ""
+        result["passed"] = proc.returncode == 0
+        # Try to parse test counts from output
+        output = proc.stdout or ""
+        # Jest/Vitest pattern: "Tests: X passed, Y failed, Z total"
+        if "passed" in output.lower() and "failed" in output.lower():
+            import re
+            match = re.search(r'(\d+)\s+passed', output, re.IGNORECASE)
+            if match:
+                result["tests_passed"] = int(match.group(1))
+            match = re.search(r'(\d+)\s+failed', output, re.IGNORECASE)
+            if match:
+                result["tests_failed"] = int(match.group(1))
+            result["tests_run"] = result["tests_passed"] + result["tests_failed"]
+        # Pytest pattern: "X passed, Y failed"
+        if "pytest" in str(cmd):
+            import re
+            match = re.search(r'(\d+)\s+passed', output)
+            if match:
+                result["tests_passed"] = int(match.group(1))
+            match = re.search(r'(\d+)\s+failed', output)
+            if match:
+                result["tests_failed"] = int(match.group(1))
+            result["tests_run"] = result["tests_passed"] + result["tests_failed"]
+    except FileNotFoundError:
+        result["error"] = f"Command not found: {cmd[0]}"
+    except subprocess.TimeoutExpired:
+        result["error"] = "Timeout after 300s"
+    except Exception as e:
+        result["error"] = str(e)
+    return result
+def main():
+    project_path = Path(sys.argv[1] if len(sys.argv) > 1 else ".").resolve()
+    with_coverage = "--coverage" in sys.argv
+    print(f"\n{'='*60}")
+    print(f"[TEST RUNNER] Unified Test Execution")
+    print(f"{'='*60}")
+    print(f"Project: {project_path}")
+    print(f"Coverage: {'enabled' if with_coverage else 'disabled'}")
+    print(f"Time: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}")
+    # Detect test framework
+    test_info = detect_test_framework(project_path)
+    print(f"Type: {test_info['type']}")
+    print(f"Framework: {test_info['framework']}")
+    print("-"*60)
+    if not test_info["cmd"]:
+        print("No test framework found for this project.")
+        output = {
+            "script": "test_runner",
+            "project": str(project_path),
+            "type": test_info["type"],
+            "framework": None,
+            "passed": True,
+            "message": "No tests configured"
+        }
+        print(json.dumps(output, indent=2))
+        sys.exit(0)
+    # Choose command
+    cmd = test_info["coverage_cmd"] if with_coverage and test_info["coverage_cmd"] else test_info["cmd"]
+    print(f"Running: {' '.join(cmd)}")
+    print("-"*60)
+    # Run tests
+    result = run_tests(cmd, project_path)
+    # Print output (truncated)
+    if result["output"]:
+        lines = result["output"].split("\n")
+        for line in lines[:30]:
+            print(line)
+        if len(lines) > 30:
+            print(f"... ({len(lines) - 30} more lines)")
+    # Summary
+    print("\n" + "="*60)
+    print("SUMMARY")
+    print("="*60)
+    if result["passed"]:
+        print("[PASS] All tests passed")
+    else:
+        print("[FAIL] Some tests failed")
+        if result["error"]:
+            print(f"Error: {result['error'][:200]}")
+    if result["tests_run"] > 0:
+        print(f"Tests: {result['tests_run']} total, {result['tests_passed']} passed, {result['tests_failed']} failed")
+    output = {
+        "script": "test_runner",
+        "project": str(project_path),
+        "type": test_info["type"],
+        "framework": test_info["framework"],
+        "tests_run": result["tests_run"],
+        "tests_passed": result["tests_passed"],
+        "tests_failed": result["tests_failed"],
+        "passed": result["passed"]
+    }
+    print("\n" + json.dumps(output, indent=2))
+    sys.exit(0 if result["passed"] else 1)
+if __name__ == "__main__":
+    main()

package/.agent/skills/vulnerability-scanner/SKILL.md ADDED Viewed

@@ -0,0 +1,276 @@
+---
+name: vulnerability-scanner
+description: 高级漏洞分析原则。覆盖 OWASP 2025、供应链安全、攻击面建模与风险优先级排序。
+allowed-tools: Read, Glob, Grep, Bash
+---
+# 漏洞扫描与分析
+> 像攻击者一样思考，像专家一样防守。保持对 2025 威胁态势的感知。
+## 🔧 运行时脚本
+**用于自动化验证：**
+| 脚本 | 用途 | 用法 |
+|------|------|------|
+| `scripts/security_scan.py` | 验证安全原则是否已落地 | `python scripts/security_scan.py <project_path>` |
+## 📋 参考文件
+| 文件 | 用途 |
+|------|------|
+| [checklists.md](checklists.md) | OWASP Top 10、认证、API、数据保护检查清单 |
+---
+## 1. 安全专家思维
+### 核心原则
+| 原则 | 应用 |
+|------|------|
+| **Assume Breach（假设已失陷）** | 按“攻击者已在内网”来设计 |
+| **Zero Trust（零信任）** | 永不默认信任，始终验证 |
+| **Defense in Depth（纵深防御）** | 多层防护，避免单点失败 |
+| **Least Privilege（最小权限）** | 仅授予必要访问权限 |
+| **Fail Secure（安全失败）** | 出错时默认拒绝访问 |
+### 威胁建模问题
+开始扫描前先问：
+1. 我们要保护什么？（Assets 资产）
+2. 谁会攻击我们？（Threat Actors 威胁主体）
+3. 他们会如何攻击？（Attack Vectors 攻击向量）
+4. 影响是什么？（Business Risk 业务风险）
+---
+## 2. OWASP Top 10:2025
+### 风险类别
+| 编号 | 类别 | 关注点 |
+|------|------|--------|
+| **A01** | 访问控制失效（Broken Access Control） | 谁能访问什么？IDOR、SSRF |
+| **A02** | 安全配置错误（Security Misconfiguration） | 默认配置、Header（响应头）、暴露服务 |
+| **A03** | 软件供应链安全 🆕（Software Supply Chain） | 依赖、CI/CD、构建完整性 |
+| **A04** | 密码学失效（Cryptographic Failures） | 弱加密、密钥暴露 |
+| **A05** | 注入（Injection） | 用户输入是否可进入系统命令 |
+| **A06** | 不安全设计（Insecure Design） | 架构层缺陷 |
+| **A07** | 认证失效（Authentication Failures） | 会话与凭据管理 |
+| **A08** | 完整性失效（Integrity Failures） | 未签名更新、数据篡改 |
+| **A09** | 日志与告警缺失（Logging & Alerting） | 监控盲区、缺少告警 |
+| **A10** | 异常条件处理失效 🆕（Exceptional Conditions） | 错误处理、Fail-open（失效即放行）状态 |
+### 2025 关键变化
+```
+2021 → 2025 变化：
+├── SSRF 并入 A01（访问控制）
+├── A02 权重提升（云/容器配置）
+├── A03 新增：供应链（重点）
+├── A10 新增：异常条件
+└── 重心迁移：根因优先于症状
+```
+---
+## 3. 供应链安全（A03）
+### 攻击面
+| 向量 | 风险 | 需要确认的问题 |
+|------|------|----------------|
+| **依赖（Dependencies）** | 恶意包投毒 | 新依赖是否审计？ |
+| **锁文件（Lock files）** | 完整性攻击 | 是否已提交并受保护？ |
+| **构建流水线（Build pipeline）** | CI/CD 被入侵 | 谁有修改权限？ |
+| **包仓库（Registry）** | Typosquatting | 来源是否可信可验证？ |
+### 防御原则
+- 校验包完整性（checksum）
+- 锁定版本并审计升级
+- 关键依赖使用私有仓库
+- 对构建产物签名并校验
+---
+## 4. 攻击面建模
+### 需要建模的对象
+| 类别 | 内容 |
+|------|------|
+| **入口点（Entry Points）** | API、表单、文件上传 |
+| **数据流（Data Flows）** | 输入 → 处理 → 输出 |
+| **信任边界（Trust Boundaries）** | 鉴权/授权校验位置 |
+| **资产（Assets）** | 密钥、PII、业务数据 |
+### 优先级矩阵
+```
+风险 = 可能性 × 影响
+高影响 + 高可能性 → CRITICAL（严重）
+高影响 + 低可能性 → HIGH（高）
+低影响 + 高可能性 → MEDIUM（中）
+低影响 + 低可能性 → LOW（低）
+```
+---
+## 5. 风险优先级排序
+### CVSS + 业务上下文
+| 因素 | 权重 | 问题 |
+|------|------|------|
+| **CVSS Score（评分）** | 基础严重度 | 漏洞本身多严重？ |
+| **EPSS Score（利用概率）** | 被利用概率 | 是否正在被利用？ |
+| **Asset Value（资产价值）** | 业务权重 | 风险资产价值多高？ |
+| **Exposure（暴露面）** | 暴露面 | 是否公网可达？ |
+### 优先级决策树
+```
+是否正在被利用（EPSS > 0.5）？
+├── 是 → CRITICAL：立即处理
+└── 否 → 检查 CVSS
+         ├── CVSS ≥ 9.0 → HIGH
+         ├── CVSS 7.0-8.9 → 结合资产价值评估
+         └── CVSS < 7.0 → 排期处理
+```
+---
+## 6. 异常条件处理（A10 - New）
+### Fail-Open 与 Fail-Closed
+| 场景 | Fail-Open（不安全） | Fail-Closed（安全） |
+|------|--------------------|---------------------|
+| 鉴权异常 | 允许访问 | 拒绝访问 |
+| 解析失败 | 继续接受输入 | 拒绝输入 |
+| 超时处理 | 无限重试 | 限次后中止 |
+### 重点检查项
+- 全量捕获并吞掉异常的处理器
+- 安全关键操作缺失错误处理
+- 鉴权/授权中的竞态条件（Race Condition）
+- 资源耗尽场景
+---
+## 7. 扫描方法论
+### 分阶段方法
+```
+1. RECONNAISSANCE（侦察）
+   └── 理解目标系统
+       ├── 技术栈
+       ├── 入口点
+       └── 数据流
+2. DISCOVERY（发现）
+   └── 识别潜在问题
+       ├── 配置审查
+       ├── 依赖分析
+       └── 代码模式检索
+3. ANALYSIS（分析）
+   └── 验证与优先级排序
+       ├── 排除误报
+       ├── 风险评分
+       └── 攻击链映射
+4. REPORTING（报告）
+   └── 输出可执行结论
+       ├── 清晰复现步骤
+       ├── 业务影响
+       └── 修复建议
+```
+---
+## 8. 代码模式分析
+### 高风险模式
+| 模式 | 风险 | 关注点 |
+|------|------|--------|
+| **查询拼接字符串** | 注入风险（Injection） | `"SELECT * FROM " + user_input` |
+| **动态执行代码** | RCE | `eval()`, `exec()`, `Function()` |
+| **不安全反序列化** | RCE | `pickle.loads()`, `unserialize()` |
+| **路径拼接可控** | 路径穿越（Traversal） | 用户输入参与文件路径 |
+| **关闭安全校验** | 多类风险 | `verify=False`, `--insecure` |
+### 密钥泄露模式
+| 类型 | 指标 |
+|------|------|
+| API Keys（密钥） | `api_key`、`apikey`、高熵字符串 |
+| Tokens（令牌） | `token`、`bearer`、`jwt` |
+| Credentials（凭据） | `password`、`secret`、`key` |
+| Cloud（云平台） | `AWS_`、`AZURE_`、`GCP_` 前缀 |
+---
+## 9. 云安全考量
+### 责任共担模型
+| 层级 | 你负责 | 云厂商负责 |
+|------|--------|------------|
+| 数据（Data） | ✅ | ❌ |
+| 应用（Application） | ✅ | ❌ |
+| 系统/运行时（OS/Runtime） | 视情况而定 | 视情况而定 |
+| 基础设施（Infrastructure） | ❌ | ✅ |
+### 云侧专项检查
+- IAM：是否落实最小权限？
+- 存储：是否存在公开桶？
+- 网络：安全组是否收敛？
+- 密钥：是否使用 secrets manager（密钥管理服务）？
+---
+## 10. 反模式
+| ❌ 禁止（Don't） | ✅ 推荐（Do） |
+|-----------------|-------------|
+| 不理解系统就开始扫描 | 先做攻击面建模 |
+| 对每个 CVE 都同级告警 | 按可利用性 + 资产价值排序 |
+| 忽略误报管理 | 维护经验证的基线 |
+| 只修症状不修根因 | 追到根因并修复 |
+| 仅在上线前扫描一次 | 持续扫描 |
+| 盲目信任第三方依赖 | 校验完整性并审计代码 |
+---
+## 11. 报告编写原则
+### 漏洞项结构
+每条发现都应回答：
+1. **What?（是什么）** - 清晰漏洞描述
+2. **Where?（在哪里）** - 精确位置（文件、行号、端点）
+3. **Why?（为什么）** - 根因解释
+4. **Impact?（影响）** - 业务后果
+5. **How to fix?（怎么修）** - 明确修复方案
+### 严重性分级
+| 严重性 | 标准 |
+|--------|------|
+| **Critical（严重）** | RCE、认证绕过、大规模数据泄露 |
+| **High（高）** | 数据暴露、权限提升 |
+| **Medium（中）** | 影响范围有限且需特定条件 |
+| **Low（低）** | 信息提示/最佳实践类问题 |
+---
+> **牢记：** 漏洞扫描负责“发现问题”，专家思维负责“优先级决策”。始终追问：“攻击者会怎样利用它？”

package/.agent/skills/vulnerability-scanner/checklists.md ADDED Viewed

@@ -0,0 +1,131 @@
+# 安全检查清单
+> 安全审计的快速参考清单。配合 vulnerability-scanner 原则使用。
+---
+## OWASP Top 10 审计清单
+### A01: 访问控制失效
+- [ ] 所有受保护路由的授权（Authorization）
+- [ ] 默认拒绝（Deny by default）
+- [ ] 已实现速率限制（Rate limiting）
+- [ ] CORS 配置正确
+### A02: 加密失败
+- [ ] 密码已哈希处理（bcrypt/argon2，cost 12+）
+- [ ] 静态敏感数据已加密
+- [ ] 所有连接使用 TLS 1.2+
+- [ ] 代码/日志中无机密信息（Secrets）
+### A03: 注入
+- [ ] 参数化查询
+- [ ] 所有用户数据进行输入验证
+- [ ] XSS 输出编码
+- [ ] 无 eval() 或动态代码执行
+### A04: 不安全设计
+- [ ] 已完成威胁建模
+- [ ] 已定义安全需求
+- [ ] 业务逻辑已验证
+### A05: 安全配置错误
+- [ ] 已禁用不必要的功能
+- [ ] 错误信息已净化（Sanitized）
+- [ ] 安全响应头（Security headers）已配置
+- [ ] 默认凭据已更改
+### A06: 易受攻击的组件
+- [ ] 依赖项已更新
+- [ ] 无已知漏洞
+- [ ] 移除未使用的依赖项
+### A07: 认证失败
+- [ ] MFA（多因素认证）可用
+- [ ] 注销时会话失效
+- [ ] 已实现会话超时
+- [ ] 暴力破解保护
+### A08: 完整性失败
+- [ ] 依赖项完整性已验证
+- [ ] CI/CD 管道已加固
+- [ ] 更新机制已加固
+### A09: 日志记录失败
+- [ ] 安全事件已记录
+- [ ] 日志受保护
+- [ ] 日志中无敏感数据
+- [ ] 告警已配置
+### A10: 服务端请求伪造（SSRF）
+- [ ] 已实现 URL 验证
+- [ ] 外部调用的允许列表（Allow-list）
+- [ ] 网络分段
+---
+## 认证检查清单
+- [ ] 强密码策略
+- [ ] 账户锁定
+- [ ] 安全密码重置
+- [ ] 会话管理
+- [ ] Token（令牌）过期
+- [ ] 注销失效
+---
+## API 安全检查清单
+- [ ] 需要认证
+- [ ] 每个端点的授权
+- [ ] 输入验证
+- [ ] 速率限制
+- [ ] 输出净化
+- [ ] 错误处理
+---
+## 数据保护检查清单
+- [ ] 静态加密
+- [ ] 传输中加密
+- [ ] 密钥管理
+- [ ] 数据最小化
+- [ ] 安全删除
+---
+## 安全响应头
+| 响应头                        | 目的                           |
+| ----------------------------- | ------------------------------ |
+| **Content-Security-Policy**   | XSS 预防                       |
+| **X-Content-Type-Options**    | MIME 嗅探                      |
+| **X-Frame-Options**           | 点击劫持（Clickjacking）       |
+| **Strict-Transport-Security** | 强制 HTTPS                     |
+| **Referrer-Policy**           | Referrer（引荐来源）控制       |
+---
+## 快速审计命令
+| 检查             | 寻找什么                             |
+| ---------------- | ------------------------------------ |
+| 代码中的机密信息 | password、api_key、secret            |
+| 危险模式         | eval、innerHTML、SQL concat          |
+| 依赖项问题       | npm audit、snyk                      |
+---
+> **用法：** 将相关清单复制到你的 PLAN.md 或安全报告中。