@tinkcarlos/skillora 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude/skills/.temp-skill-index.md +245 -0
- package/.claude/skills/SKILL.md +264 -0
- package/.claude/skills/api-scaffolding/SKILL.md +431 -0
- package/.claude/skills/api-scaffolding/agents/backend-architect.md +282 -0
- package/.claude/skills/api-scaffolding/agents/django-pro.md +144 -0
- package/.claude/skills/api-scaffolding/agents/fastapi-pro.md +156 -0
- package/.claude/skills/api-scaffolding/agents/graphql-architect.md +146 -0
- package/.claude/skills/api-scaffolding/skills/fastapi-templates/SKILL.md +171 -0
- package/.claude/skills/api-testing-observability/SKILL.md +583 -0
- package/.claude/skills/api-testing-observability/agents/api-documenter.md +146 -0
- package/.claude/skills/api-testing-observability/commands/api-mock.md +1320 -0
- package/.claude/skills/brainstorming/SKILL.md +283 -0
- package/.claude/skills/bug-fixing/SKILL.md +382 -0
- package/.claude/skills/bug-fixing/references/backend-guide.md +132 -0
- package/.claude/skills/bug-fixing/references/bug-guide.md +354 -0
- package/.claude/skills/bug-fixing/references/bug-record-template.md +134 -0
- package/.claude/skills/bug-fixing/references/bug-records.md +88 -0
- package/.claude/skills/bug-fixing/references/code-review-gate.md +81 -0
- package/.claude/skills/bug-fixing/references/common-bugs.md +140 -0
- package/.claude/skills/bug-fixing/references/complete-workflow.md +361 -0
- package/.claude/skills/bug-fixing/references/config-driven-fixes.md +136 -0
- package/.claude/skills/bug-fixing/references/context-isolation-protocol.md +268 -0
- package/.claude/skills/bug-fixing/references/cross-surface-regression.md +120 -0
- package/.claude/skills/bug-fixing/references/database-investigation.md +129 -0
- package/.claude/skills/bug-fixing/references/dependency-and-integrity-protocol.md +369 -0
- package/.claude/skills/bug-fixing/references/fix-completeness-checklist.md +239 -0
- package/.claude/skills/bug-fixing/references/frontend-guide.md +219 -0
- package/.claude/skills/bug-fixing/references/fullstack-joint-guide.md +123 -0
- package/.claude/skills/bug-fixing/references/functional-breakage.md +117 -0
- package/.claude/skills/bug-fixing/references/ide-lint-errors-guide.md +176 -0
- package/.claude/skills/bug-fixing/references/impact-analysis.md +511 -0
- package/.claude/skills/bug-fixing/references/investigation-checklist.md +263 -0
- package/.claude/skills/bug-fixing/references/knowledge-extraction-guide.md +531 -0
- package/.claude/skills/bug-fixing/references/knowledge-workflow.md +212 -0
- package/.claude/skills/bug-fixing/references/post-edit-quality-gate.md +30 -0
- package/.claude/skills/bug-fixing/references/python-env-and-testing.md +126 -0
- package/.claude/skills/bug-fixing/references/rca-guide.md +428 -0
- package/.claude/skills/bug-fixing/references/similar-bug-patterns.md +113 -0
- package/.claude/skills/bug-fixing/references/skill-delegation-guide.md +350 -0
- package/.claude/skills/bug-fixing/references/skill-orchestration.md +155 -0
- package/.claude/skills/bug-fixing/references/testing-strategy.md +350 -0
- package/.claude/skills/bug-fixing/references/tooling-build-scripts.md +162 -0
- package/.claude/skills/bug-fixing/references/user-input-validation.md +77 -0
- package/.claude/skills/bug-fixing/references/ux-patterns.md +158 -0
- package/.claude/skills/bug-fixing/references/windows-terminal-hygiene.md +106 -0
- package/.claude/skills/bug-fixing/references/zero-regression-matrix.md +239 -0
- package/.claude/skills/bug-fixing/references/zero-risk-protocol.md +102 -0
- package/.claude/skills/bug-fixing/scripts/format_code.py +611 -0
- package/.claude/skills/bug-fixing/scripts/generate_report_template.py +74 -0
- package/.claude/skills/bug-fixing/scripts/lint_check.py +816 -0
- package/.claude/skills/bug-fixing/scripts/requirements.txt +36 -0
- package/.claude/skills/cicd-pipeline/SKILL.md +300 -0
- package/.claude/skills/code-review/SKILL.md +535 -0
- package/.claude/skills/code-review/references/anti-pattern-scan.md +102 -0
- package/.claude/skills/code-review/references/automated-analysis.md +456 -0
- package/.claude/skills/code-review/references/backend-common-issues.md +589 -0
- package/.claude/skills/code-review/references/backend-expert-guide.md +415 -0
- package/.claude/skills/code-review/references/backend-review.md +868 -0
- package/.claude/skills/code-review/references/batch-processing-strategy.md +198 -0
- package/.claude/skills/code-review/references/call-chain-analysis-protocol.md +166 -0
- package/.claude/skills/code-review/references/common-patterns.md +321 -0
- package/.claude/skills/code-review/references/configuration-review.md +425 -0
- package/.claude/skills/code-review/references/control-flow-completeness.md +114 -0
- package/.claude/skills/code-review/references/database-review.md +298 -0
- package/.claude/skills/code-review/references/dependency-and-integrity-protocol.md +313 -0
- package/.claude/skills/code-review/references/external-standards.md +51 -0
- package/.claude/skills/code-review/references/feature-review.md +329 -0
- package/.claude/skills/code-review/references/file-review-template.md +326 -0
- package/.claude/skills/code-review/references/frontend-advanced.md +654 -0
- package/.claude/skills/code-review/references/frontend-common-issues.md +482 -0
- package/.claude/skills/code-review/references/frontend-expert-guide.md +342 -0
- package/.claude/skills/code-review/references/frontend-review.md +783 -0
- package/.claude/skills/code-review/references/fullstack-consistency.md +418 -0
- package/.claude/skills/code-review/references/fullstack-review.md +477 -0
- package/.claude/skills/code-review/references/functional-completeness.md +386 -0
- package/.claude/skills/code-review/references/hidden-bugs-detection.md +473 -0
- package/.claude/skills/code-review/references/ide-lint-errors-guide.md +173 -0
- package/.claude/skills/code-review/references/infrastructure-review.md +453 -0
- package/.claude/skills/code-review/references/iteration-review.md +264 -0
- package/.claude/skills/code-review/references/job-review.md +335 -0
- package/.claude/skills/code-review/references/layered-checklist-protocol.md +157 -0
- package/.claude/skills/code-review/references/logic-completeness.md +535 -0
- package/.claude/skills/code-review/references/mandatory-checklist.md +288 -0
- package/.claude/skills/code-review/references/multi-language-guide.md +800 -0
- package/.claude/skills/code-review/references/new-project-review.md +226 -0
- package/.claude/skills/code-review/references/non-code-files-review.md +451 -0
- package/.claude/skills/code-review/references/overlooked-issues.md +657 -0
- package/.claude/skills/code-review/references/platform-specific-review.md +195 -0
- package/.claude/skills/code-review/references/precision-analysis-protocol.md +260 -0
- package/.claude/skills/code-review/references/python-patterns.md +494 -0
- package/.claude/skills/code-review/references/rca-techniques.md +362 -0
- package/.claude/skills/code-review/references/report-template.md +430 -0
- package/.claude/skills/code-review/references/resource-limits-and-degradation.md +137 -0
- package/.claude/skills/code-review/references/review-dimensions.md +311 -0
- package/.claude/skills/code-review/references/review-guide.md +202 -0
- package/.claude/skills/code-review/references/review-knowledge-workflow.md +257 -0
- package/.claude/skills/code-review/references/review-progress-tracker-protocol.md +172 -0
- package/.claude/skills/code-review/references/review-record-template.md +195 -0
- package/.claude/skills/code-review/references/skill-orchestration.md +143 -0
- package/.claude/skills/code-review/references/ui-ux-review.md +470 -0
- package/.claude/skills/containerization/SKILL.md +313 -0
- package/.claude/skills/database-migrations/agents/database-admin.md +142 -0
- package/.claude/skills/database-migrations/agents/database-optimizer.md +144 -0
- package/.claude/skills/database-migrations/commands/migration-observability.md +408 -0
- package/.claude/skills/database-migrations/commands/sql-migrations.md +492 -0
- package/.claude/skills/finishing-a-development-branch/SKILL.md +319 -0
- package/.claude/skills/frontend-design/LICENSE.txt +177 -0
- package/.claude/skills/frontend-design/SKILL.md +587 -0
- package/.claude/skills/frontend-design/references/color-consistency.md +487 -0
- package/.claude/skills/frontend-design/references/color-palettes-full.md +657 -0
- package/.claude/skills/frontend-design/references/design-system-generator.md +285 -0
- package/.claude/skills/frontend-design/references/font-pairings-full.md +705 -0
- package/.claude/skills/frontend-design/references/industry-anti-patterns.md +281 -0
- package/.claude/skills/frontend-design/references/layout-anti-patterns.md +582 -0
- package/.claude/skills/frontend-design/references/motion-patterns.md +659 -0
- package/.claude/skills/frontend-design/references/pre-delivery-checklist.md +153 -0
- package/.claude/skills/frontend-design/references/responsive-design.md +555 -0
- package/.claude/skills/frontend-design/references/style-modification-rules.md +335 -0
- package/.claude/skills/frontend-design/references/ui-styles-full.md +383 -0
- package/.claude/skills/frontend-design/references/ui-styles-rating.md +191 -0
- package/.claude/skills/frontend-design/references/ux-guidelines.md +640 -0
- package/.claude/skills/fullstack-developer/SKILL.md +512 -0
- package/.claude/skills/fullstack-developer/references/api-contract-guide.md +312 -0
- package/.claude/skills/fullstack-developer/references/api-response-patterns.md +223 -0
- package/.claude/skills/fullstack-developer/references/async-patterns.md +220 -0
- package/.claude/skills/fullstack-developer/references/bug-prevention.md +914 -0
- package/.claude/skills/fullstack-developer/references/code-quality-checklist.md +271 -0
- package/.claude/skills/fullstack-developer/references/complete-development-workflow.md +278 -0
- package/.claude/skills/fullstack-developer/references/context-isolation-protocol.md +256 -0
- package/.claude/skills/fullstack-developer/references/database-migration.md +331 -0
- package/.claude/skills/fullstack-developer/references/dependency-and-integrity-protocol.md +390 -0
- package/.claude/skills/fullstack-developer/references/development-phases.md +333 -0
- package/.claude/skills/fullstack-developer/references/expert-guide.md +214 -0
- package/.claude/skills/fullstack-developer/references/file-import-patterns.md +114 -0
- package/.claude/skills/fullstack-developer/references/graceful-degradation-patterns.md +78 -0
- package/.claude/skills/fullstack-developer/references/ide-lint-errors-guide.md +183 -0
- package/.claude/skills/fullstack-developer/references/integration-testing.md +301 -0
- package/.claude/skills/fullstack-developer/references/mock-api-patterns.md +307 -0
- package/.claude/skills/fullstack-developer/references/phase-gate-template.md +249 -0
- package/.claude/skills/fullstack-developer/references/post-edit-quality-gate.md +30 -0
- package/.claude/skills/fullstack-developer/references/python-engineering.md +79 -0
- package/.claude/skills/fullstack-developer/references/skill-orchestration.md +214 -0
- package/.claude/skills/fullstack-developer/references/skill-router-table.md +304 -0
- package/.claude/skills/fullstack-developer/references/state-sync.md +217 -0
- package/.claude/skills/fullstack-developer/references/ui-testing-checklist.md +292 -0
- package/.claude/skills/fullstack-developer/scripts/format_code.py +611 -0
- package/.claude/skills/fullstack-developer/scripts/lint_check.py +816 -0
- package/.claude/skills/fullstack-developer/scripts/requirements.txt +36 -0
- package/.claude/skills/performance-optimization/SKILL.md +250 -0
- package/.claude/skills/product-requirements/SKILL.md +357 -0
- package/.claude/skills/product-requirements/references/acceptance-criteria.md +335 -0
- package/.claude/skills/product-requirements/references/answer-first-questioning-protocol.md +299 -0
- package/.claude/skills/product-requirements/references/competitive-analysis-guide.md +183 -0
- package/.claude/skills/product-requirements/references/document-accuracy-protocol.md +253 -0
- package/.claude/skills/product-requirements/references/document-management-protocol.md +278 -0
- package/.claude/skills/product-requirements/references/external-standards.md +62 -0
- package/.claude/skills/product-requirements/references/feature-spec-template.md +359 -0
- package/.claude/skills/product-requirements/references/knowledge-acquisition-protocol.md +251 -0
- package/.claude/skills/product-requirements/references/plan-execution-protocol.md +334 -0
- package/.claude/skills/product-requirements/references/plan-generation-protocol.md +264 -0
- package/.claude/skills/product-requirements/references/prioritization-frameworks.md +80 -0
- package/.claude/skills/product-requirements/references/requirement-decomposition-protocol.md +291 -0
- package/.claude/skills/product-requirements/references/user-story-examples.md +297 -0
- package/.claude/skills/product-requirements/references/workflow-templates.md +266 -0
- package/.claude/skills/react-best-practices/SKILL.md +198 -0
- package/.claude/skills/react-best-practices/references/advanced-patterns.md +94 -0
- package/.claude/skills/react-best-practices/references/bundle-optimization.md +182 -0
- package/.claude/skills/react-best-practices/references/client-data-fetching.md +112 -0
- package/.claude/skills/react-best-practices/references/complete-guide.md +2249 -0
- package/.claude/skills/react-best-practices/references/eliminating-waterfalls.md +169 -0
- package/.claude/skills/react-best-practices/references/javascript-performance.md +256 -0
- package/.claude/skills/react-best-practices/references/rendering-performance.md +230 -0
- package/.claude/skills/react-best-practices/references/rerender-optimization.md +214 -0
- package/.claude/skills/react-best-practices/references/server-performance.md +182 -0
- package/.claude/skills/security-audit/SKILL.md +226 -0
- package/.claude/skills/shared-references/advanced-debugging-techniques.md +186 -0
- package/.claude/skills/shared-references/code-quality-checklist.md +218 -0
- package/.claude/skills/shared-references/code-review-efficiency-guide.md +125 -0
- package/.claude/skills/shared-references/mcp-dependency-compatibility-protocol.md +276 -0
- package/.claude/skills/shared-references/skill-call-graph.md +230 -0
- package/.claude/skills/shared-references/skill-orchestration-protocol.md +281 -0
- package/.claude/skills/shared-references/subagent-dispatch-templates.md +199 -0
- package/.claude/skills/skill-expert-skills/LICENSE.txt +204 -0
- package/.claude/skills/skill-expert-skills/QUICK_NAVIGATION.md +374 -0
- package/.claude/skills/skill-expert-skills/SKILL.md +247 -0
- package/.claude/skills/skill-expert-skills/docs/_index.md +91 -0
- package/.claude/skills/skill-expert-skills/references/deep-research-methodology.md +389 -0
- package/.claude/skills/skill-expert-skills/references/docs-generation-workflow.md +398 -0
- package/.claude/skills/skill-expert-skills/references/domain-expertise-protocol.md +343 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/_index.md +54 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/backend-expertise.md +517 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/bug-fixing-expertise.md +363 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/code-review-expertise.md +392 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/frontend-expertise.md +410 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge-template.md +503 -0
- package/.claude/skills/skill-expert-skills/references/examples.md +782 -0
- package/.claude/skills/skill-expert-skills/references/integration-examples.md +655 -0
- package/.claude/skills/skill-expert-skills/references/knowledge-validation-checklist.md +246 -0
- package/.claude/skills/skill-expert-skills/references/latest-knowledge-acquisition.md +461 -0
- package/.claude/skills/skill-expert-skills/references/mcp-tools-guide.md +439 -0
- package/.claude/skills/skill-expert-skills/references/official-best-practices.md +616 -0
- package/.claude/skills/skill-expert-skills/references/patterns.md +218 -0
- package/.claude/skills/skill-expert-skills/references/plugin-skills-guide.md +432 -0
- package/.claude/skills/skill-expert-skills/references/requirement-elicitation-protocol.md +290 -0
- package/.claude/skills/skill-expert-skills/references/skill-creator-SKILL.md +353 -0
- package/.claude/skills/skill-expert-skills/references/skill-templates.md +583 -0
- package/.claude/skills/skill-expert-skills/references/skills-knowledge-base.md +561 -0
- package/.claude/skills/skill-expert-skills/references/tools-guide.md +379 -0
- package/.claude/skills/skill-expert-skills/references/troubleshooting.md +378 -0
- package/.claude/skills/skill-expert-skills/references/universality-guide.md +205 -0
- package/.claude/skills/skill-expert-skills/references/writing-style-guide.md +466 -0
- package/.claude/skills/skill-expert-skills/scripts/__pycache__/quick_validate.cpython-313.pyc +0 -0
- package/.claude/skills/skill-expert-skills/scripts/__pycache__/universal_validate.cpython-313.pyc +0 -0
- package/.claude/skills/skill-expert-skills/scripts/analyze_trigger.py +425 -0
- package/.claude/skills/skill-expert-skills/scripts/diff_with_official.py +188 -0
- package/.claude/skills/skill-expert-skills/scripts/init_skill.py +349 -0
- package/.claude/skills/skill-expert-skills/scripts/package_skill.py +156 -0
- package/.claude/skills/skill-expert-skills/scripts/quick_validate.py +493 -0
- package/.claude/skills/skill-expert-skills/scripts/requirements.txt +2 -0
- package/.claude/skills/skill-expert-skills/scripts/universal_validate.py +182 -0
- package/.claude/skills/skill-expert-skills/scripts/upgrade_skill.py +431 -0
- package/.claude/skills/subagent-driven-development/SKILL.md +268 -0
- package/.claude/skills/test-driven-development/SKILL.md +246 -0
- package/.claude/skills/test-driven-development/references/testing-anti-patterns.md +192 -0
- package/.claude/skills/using-git-worktrees/SKILL.md +266 -0
- package/.claude/skills/using-skillstack/SKILL.md +127 -0
- package/.claude/skills/vercel-deploy/SKILL.md +166 -0
- package/.claude/skills/vercel-deploy/scripts/deploy.sh +249 -0
- package/.claude/skills/verification-before-completion/SKILL.md +305 -0
- package/.claude/skills/writing-plans/SKILL.md +259 -0
- package/README.md +69 -0
- package/bin/cli.js +468 -0
- package/lib/init.js +333 -0
- package/package.json +29 -0
|
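--- a/package/.claude/skills/code-review/references/new-project-review.md
+++ b/package/.claude/skills/code-review/references/new-project-review.md
@@ -0,0 +1,226 @@
+# New Project Review Guide
+
+> Review focus for "from zero to one" development: laying a solid foundation.
+
+## Overview
+
+New projects are foundation-building. Review like an architect: ensure the blueprint is sound before walls go up.
+
+**Target Bug Rate**: <1% at launch
+
+---
+
+## Critical Review Areas
+
+### 1. Architecture & Design
+
+| Check | What to Verify | Red Flags |
+|-------|----------------|-----------|
+| **Separation of concerns** | Clear layers (UI/Logic/Data) | Mixed concerns, god classes |
+| **Dependency direction** | Dependencies point inward | Circular dependencies |
+| **Modularity** | Features are isolated | Cross-cutting concerns everywhere |
+| **Extensibility** | Easy to add features | Hardcoded behaviors |
+| **Testability** | Dependencies injectable | Static dependencies, singletons |
+
+### 2. Tech Stack Validation
+
+| Aspect | Questions to Ask | Warning Signs |
+|--------|------------------|---------------|
+| **Framework** | Is it appropriate for the use case? | Over-engineering, under-powered |
+| **Database** | Right type? (SQL vs NoSQL) | ACID needs with NoSQL |
+| **Dependencies** | Versions pinned? Well-maintained? | `latest` tags, abandoned libs |
+| **Build tools** | Modern, efficient? | Slow builds, complex config |
+
+### 3. Security Foundation
+
+```markdown
+## Security Baseline Checklist
+
+### Authentication & Authorization
+- [ ] Auth mechanism chosen (JWT/OAuth/Session)
+- [ ] Password hashing (bcrypt/argon2)
+- [ ] Session management secure
+- [ ] RBAC/ABAC planned
+
+### Input Validation
+- [ ] All inputs validated
+- [ ] SQL injection prevented (ORM/parameterized)
+- [ ] XSS prevention configured
+- [ ] CSRF protection enabled
+
+### Secrets Management
+- [ ] No hardcoded secrets
+- [ ] Environment variables used
+- [ ] Secrets rotation planned
+- [ ] .env files gitignored
+
+### Security Headers
+- [ ] HTTPS enforced
+- [ ] Security headers configured
+- [ ] CORS policy appropriate
+- [ ] Content Security Policy defined
+```
+
+### 4. Testing Infrastructure
+
+| Test Type | Required Coverage | Purpose |
+|-----------|-------------------|---------|
+| **Unit Tests** | >80% | Component logic |
+| **Integration Tests** | Critical paths | API/DB interaction |
+| **E2E Tests** | Happy paths | User flows |
+| **Security Tests** | OWASP Top 10 | Vulnerability prevention |
+
+### 5. DevOps Readiness
+
+```markdown
+## DevOps Checklist
+
+### CI/CD Pipeline
+- [ ] Lint/format checks
+- [ ] Type checking
+- [ ] Test execution
+- [ ] Build verification
+- [ ] Security scanning
+- [ ] Artifact creation
+
+### Deployment
+- [ ] Containerization (Docker)
+- [ ] Environment configuration
+- [ ] Health checks defined
+- [ ] Rollback procedure
+
+### Monitoring
+- [ ] Logging structured
+- [ ] Metrics defined
+- [ ] Alerting configured
+- [ ] Error tracking (Sentry)
+```
+
+---
+
+## Common New Project Mistakes
+
+### Frontend
+
+| Mistake | Impact | Prevention |
+|---------|--------|------------|
+| No TypeScript | Runtime errors | Mandate strict mode |
+| No component library | UI inconsistency | Storybook from start |
+| No state strategy | Prop drilling, global abuse | Decide early (Context/Zustand/Redux) |
+| No performance baseline | Slow app | Lighthouse CI from day one |
+
+### Backend
+
+| Mistake | Impact | Prevention |
+|---------|--------|------------|
+| No API versioning | Breaking clients | `/v1/` prefix mandatory |
+| No migration tool | Manual DB changes | Alembic/Flyway required |
+| No rate limiting | DoS vulnerability | Rate limits from start |
+| No structured logging | Debugging hell | JSON logs with context |
+
+### Infrastructure
+
+| Mistake | Impact | Prevention |
+|---------|--------|------------|
+| No containerization | "Works on my machine" | Docker from day one |
+| No health checks | Silent failures | Liveness/readiness probes |
+| No secrets management | Security breach | Vault/env vars only |
+| No backup strategy | Data loss | Automated backups tested |
+
+---
+
+## Review Questions for New Projects
+
+```markdown
+## New Project Review Questions
+
+### Architecture
+1. Can you explain the high-level architecture?
+2. What are the main modules/services?
+3. How do they communicate?
+4. What happens when load increases 10x?
+
+### Data
+1. What is the data model?
+2. Why this database choice?
+3. How are migrations handled?
+4. What's the backup/recovery plan?
+
+### Security
+1. How is authentication handled?
+2. Where are secrets stored?
+3. What input validation exists?
+4. Has security testing been done?
+
+### Operations
+1. How is the app deployed?
+2. What monitoring exists?
+3. How are errors tracked?
+4. What's the rollback plan?
+
+### Quality
+1. What's the test coverage?
+2. How are code standards enforced?
+3. What's the code review process?
+4. How is technical debt tracked?
+```
+
+---
+
+## New Project Review Template
+
+```markdown
+# New Project Code Review
+
+## Project Info
+- **Project Name**:
+- **Tech Stack**:
+- **Team Size**:
+- **Timeline**:
+
+## Architecture Review
+
+### Strengths
+-
+
+### Concerns
+-
+
+### Recommendations
+-
+
+## Security Assessment
+
+### ✅ Implemented
+-
+
+### ❌ Missing
+-
+
+### 🔴 Critical Issues
+-
+
+## Quality Gates
+
+| Gate | Status | Notes |
+|------|--------|-------|
+| TypeScript/Type Safety | ⬜ | |
+| Test Coverage >80% | ⬜ | |
+| Linting Zero Warnings | ⬜ | |
+| Security Scan Clean | ⬜ | |
+| Performance Baseline | ⬜ | |
+| Documentation Complete | ⬜ | |
+
+## Verdict
+
+**Ready for Development**: Yes / No
+
+**Blockers to Address**:
+1.
+2.
+
+**Recommendations**:
+1.
+2.
+```
+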
@@ -0,0 +1,451 @@
|
|
|
1
|
+
# 非代码文件审查清单 (Non-Code Files Review)
|
|
2
|
+
|
|
3
|
+
> **核心原则**: 代码审查不仅仅是审查代码,配置文件、脚本、数据文件同样重要,一个错误的配置可能导致生产事故。
|
|
4
|
+
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
## 🔴 为什么需要审查非代码文件
|
|
8
|
+
|
|
9
|
+
### 真实案例
|
|
10
|
+
|
|
11
|
+
```
|
|
12
|
+
案例 1: .env 文件泄露
|
|
13
|
+
- 开发者提交了 .env 文件到 Git
|
|
14
|
+
- 包含数据库密码和 API 密钥
|
|
15
|
+
- 被爬虫抓取,数据库被删除
|
|
16
|
+
|
|
17
|
+
案例 2: 配置错误导致生产事故
|
|
18
|
+
- package.json 中 dependencies 写成了 devDependencies
|
|
19
|
+
- 生产环境缺少关键依赖,服务启动失败
|
|
20
|
+
|
|
21
|
+
案例 3: SQL 脚本未审查
|
|
22
|
+
- 迁移脚本包含 DROP TABLE
|
|
23
|
+
- 没有备份,数据永久丢失
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
---
|
|
27
|
+
|
|
28
|
+
## 📋 Phase 1: 环境配置文件检查
|
|
29
|
+
|
|
30
|
+
### 1.1 .env 文件检查
|
|
31
|
+
|
|
32
|
+
```markdown
|
|
33
|
+
## .env 文件检查清单
|
|
34
|
+
|
|
35
|
+
### 安全检查
|
|
36
|
+
| # | 检查项 | 通过标准 | 严重级别 | 结果 |
|
|
37
|
+
|---|--------|----------|----------|------|
|
|
38
|
+
| 1 | .env 不在 Git 中 | .gitignore 包含 .env | P0 | ⬜ |
|
|
39
|
+
| 2 | 无硬编码密钥 | 敏感值使用占位符 | P0 | ⬜ |
|
|
40
|
+
| 3 | .env.example 存在 | 有示例文件 | P1 | ⬜ |
|
|
41
|
+
| 4 | 生产密钥不在代码库 | 使用密钥管理服务 | P0 | ⬜ |
|
|
42
|
+
|
|
43
|
+
### 完整性检查
|
|
44
|
+
| # | 检查项 | 通过标准 | 严重级别 | 结果 |
|
|
45
|
+
|---|--------|----------|----------|------|
|
|
46
|
+
| 1 | 所有必需变量都定义 | 代码中使用的变量都存在 | P0 | ⬜ |
|
|
47
|
+
| 2 | 变量命名规范 | 大写 + 下划线 | P2 | ⬜ |
|
|
48
|
+
| 3 | 有注释说明 | 复杂配置有说明 | P3 | ⬜ |
|
|
49
|
+
| 4 | 环境区分 | DEV/STAGING/PROD 配置分离 | P1 | ⬜ |
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
**检查命令**:
|
|
53
|
+
```bash
|
|
54
|
+
# 检查 .env 是否在 .gitignore 中
|
|
55
|
+
grep -n "\.env" .gitignore
|
|
56
|
+
|
|
57
|
+
# 检查代码中使用的环境变量
|
|
58
|
+
grep -rn "process.env\.\|os.environ\[" --include="*.ts" --include="*.py" | \
|
|
59
|
+
grep -oE "(process\.env\.|os\.environ\[)['\"]?[A-Z_]+['\"]?" | sort -u
|
|
60
|
+
|
|
61
|
+
# 检查 .env.example 是否存在
|
|
62
|
+
ls -la .env*
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
### 1.2 Docker 配置检查
|
|
66
|
+
|
|
67
|
+
```markdown
|
|
68
|
+
## Dockerfile 检查清单
|
|
69
|
+
|
|
70
|
+
| # | 检查项 | 通过标准 | 严重级别 | 结果 |
|
|
71
|
+
|---|--------|----------|----------|------|
|
|
72
|
+
| 1 | 基础镜像版本固定 | 不使用 :latest | P1 | ⬜ |
|
|
73
|
+
| 2 | 多阶段构建 | 生产镜像不含构建工具 | P2 | ⬜ |
|
|
74
|
+
| 3 | 非 root 用户 | USER 指令存在 | P1 | ⬜ |
|
|
75
|
+
| 4 | 健康检查 | HEALTHCHECK 指令存在 | P2 | ⬜ |
|
|
76
|
+
| 5 | 敏感信息不在镜像中 | 不 COPY .env 或密钥 | P0 | ⬜ |
|
|
77
|
+
| 6 | .dockerignore 存在 | 排除不必要文件 | P2 | ⬜ |
|
|
78
|
+
|
|
79
|
+
## docker-compose.yml 检查清单
|
|
80
|
+
|
|
81
|
+
| # | 检查项 | 通过标准 | 严重级别 | 结果 |
|
|
82
|
+
|---|--------|----------|----------|------|
|
|
83
|
+
| 1 | 版本号正确 | version: "3.8" 或更高 | P2 | ⬜ |
|
|
84
|
+
| 2 | 端口映射安全 | 不暴露不必要端口 | P1 | ⬜ |
|
|
85
|
+
| 3 | 卷挂载正确 | 路径存在且权限正确 | P1 | ⬜ |
|
|
86
|
+
| 4 | 环境变量引用 | 使用 ${VAR} 而非硬编码 | P1 | ⬜ |
|
|
87
|
+
| 5 | 网络隔离 | 服务间网络正确配置 | P2 | ⬜ |
|
|
88
|
+
| 6 | 资源限制 | 设置 mem_limit/cpus | P2 | ⬜ |
|
|
89
|
+
```
|
|
90
|
+
|
|
91
|
+
### 1.3 CI/CD 配置检查
|
|
92
|
+
|
|
93
|
+
```markdown
|
|
94
|
+
## GitHub Actions / GitLab CI 检查清单
|
|
95
|
+
|
|
96
|
+
| # | 检查项 | 通过标准 | 严重级别 | 结果 |
|
|
97
|
+
|---|--------|----------|----------|------|
|
|
98
|
+
| 1 | 密钥使用 secrets | 不硬编码密钥 | P0 | ⬜ |
|
|
99
|
+
| 2 | 分支保护 | main/master 有保护规则 | P1 | ⬜ |
|
|
100
|
+
| 3 | 依赖缓存 | 使用 cache 加速构建 | P3 | ⬜ |
|
|
101
|
+
| 4 | 测试步骤存在 | 有 test job | P1 | ⬜ |
|
|
102
|
+
| 5 | 部署审批 | 生产部署需要审批 | P1 | ⬜ |
|
|
103
|
+
| 6 | 超时设置 | timeout-minutes 合理 | P2 | ⬜ |
|
|
104
|
+
```
|
|
105
|
+
|
|
106
|
+
---
|
|
107
|
+
|
|
108
|
+
## 📋 Phase 2: 包管理配置检查
|
|
109
|
+
|
|
110
|
+
### 2.1 package.json 检查
|
|
111
|
+
|
|
112
|
+
```markdown
|
|
113
|
+
## package.json 检查清单
|
|
114
|
+
|
|
115
|
+
### 依赖检查
|
|
116
|
+
| # | 检查项 | 通过标准 | 严重级别 | 结果 |
|
|
117
|
+
|---|--------|----------|----------|------|
|
|
118
|
+
| 1 | 版本号正确 | 符合 semver | P2 | ⬜ |
|
|
119
|
+
| 2 | 依赖分类正确 | dev 依赖不在 dependencies | P1 | ⬜ |
|
|
120
|
+
| 3 | 无废弃包 | npm audit 无 deprecated | P2 | ⬜ |
|
|
121
|
+
| 4 | 无安全漏洞 | npm audit 无 high/critical | P0 | ⬜ |
|
|
122
|
+
| 5 | 版本锁定 | 使用 ^ 或 ~ 而非 * | P1 | ⬜ |
|
|
123
|
+
| 6 | lock 文件同步 | package-lock.json 已更新 | P1 | ⬜ |
|
|
124
|
+
|
|
125
|
+
### 脚本检查
|
|
126
|
+
| # | 检查项 | 通过标准 | 严重级别 | 结果 |
|
|
127
|
+
|---|--------|----------|----------|------|
|
|
128
|
+
| 1 | start 脚本正确 | 能正常启动 | P0 | ⬜ |
|
|
129
|
+
| 2 | build 脚本正确 | 能正常构建 | P0 | ⬜ |
|
|
130
|
+
| 3 | test 脚本存在 | 有测试命令 | P1 | ⬜ |
|
|
131
|
+
| 4 | 无危险命令 | 不含 rm -rf / 等 | P0 | ⬜ |
|
|
132
|
+
```
|
|
133
|
+
|
|
134
|
+
### 2.2 requirements.txt / pyproject.toml 检查
|
|
135
|
+
|
|
136
|
+
```markdown
|
|
137
|
+
## Python 依赖检查清单
|
|
138
|
+
|
|
139
|
+
| # | 检查项 | 通过标准 | 严重级别 | 结果 |
|
|
140
|
+
|---|--------|----------|----------|------|
|
|
141
|
+
| 1 | 版本固定 | 使用 == 而非 >= | P1 | ⬜ |
|
|
142
|
+
| 2 | 无安全漏洞 | safety check 通过 | P0 | ⬜ |
|
|
143
|
+
| 3 | 依赖完整 | pip check 无错误 | P1 | ⬜ |
|
|
144
|
+
| 4 | 开发依赖分离 | dev 依赖在单独文件 | P2 | ⬜ |
|
|
145
|
+
| 5 | Python 版本指定 | python_requires 正确 | P1 | ⬜ |
|
|
146
|
+
```
|
|
147
|
+
|
|
148
|
+
---
|
|
149
|
+
|
|
150
|
+
## 📋 Phase 3: 数据文件检查
|
|
151
|
+
|
|
152
|
+
### 3.1 JSON 文件检查
|
|
153
|
+
|
|
154
|
+
```markdown
|
|
155
|
+
## JSON 文件检查清单
|
|
156
|
+
|
|
157
|
+
| # | 检查项 | 通过标准 | 严重级别 | 结果 |
|
|
158
|
+
|---|--------|----------|----------|------|
|
|
159
|
+
| 1 | 语法正确 | JSON.parse 不报错 | P0 | ⬜ |
|
|
160
|
+
| 2 | 无敏感信息 | 不含密码/密钥 | P0 | ⬜ |
|
|
161
|
+
| 3 | 格式化正确 | 缩进一致 | P3 | ⬜ |
|
|
162
|
+
| 4 | 编码正确 | UTF-8 无 BOM | P2 | ⬜ |
|
|
163
|
+
| 5 | 数据类型正确 | 数字不是字符串 | P2 | ⬜ |
|
|
164
|
+
```
|
|
165
|
+
|
|
166
|
+
**检查命令**:
|
|
167
|
+
```bash
|
|
168
|
+
# 验证 JSON 语法
|
|
169
|
+
find . -name "*.json" -exec python -m json.tool {} \; 2>&1 | grep -i error
|
|
170
|
+
|
|
171
|
+
# 检查敏感信息
|
|
172
|
+
grep -rn "password\|secret\|api_key\|token" --include="*.json" | grep -v package
|
|
173
|
+
```
|
|
174
|
+
|
|
175
|
+
### 3.2 YAML 文件检查
|
|
176
|
+
|
|
177
|
+
```markdown
|
|
178
|
+
## YAML 文件检查清单
|
|
179
|
+
|
|
180
|
+
| # | 检查项 | 通过标准 | 严重级别 | 结果 |
|
|
181
|
+
|---|--------|----------|----------|------|
|
|
182
|
+
| 1 | 语法正确 | yamllint 通过 | P0 | ⬜ |
|
|
183
|
+
| 2 | 缩进正确 | 2 空格缩进 | P2 | ⬜ |
|
|
184
|
+
| 3 | 无敏感信息 | 不含明文密码 | P0 | ⬜ |
|
|
185
|
+
| 4 | 锚点引用正确 | &anchor 和 *anchor 匹配 | P1 | ⬜ |
|
|
186
|
+
| 5 | 布尔值明确 | 使用 true/false 而非 yes/no | P2 | ⬜ |
|
|
187
|
+
```
|
|
188
|
+
|
|
189
|
+
### 3.3 XML 文件检查
|
|
190
|
+
|
|
191
|
+
```markdown
|
|
192
|
+
## XML 文件检查清单
|
|
193
|
+
|
|
194
|
+
| # | 检查项 | 通过标准 | 严重级别 | 结果 |
|
|
195
|
+
|---|--------|----------|----------|------|
|
|
196
|
+
| 1 | 语法正确 | xmllint 通过 | P0 | ⬜ |
|
|
197
|
+
| 2 | 编码声明 | <?xml encoding="UTF-8"?> | P2 | ⬜ |
|
|
198
|
+
| 3 | 无敏感信息 | 不含明文密码 | P0 | ⬜ |
|
|
199
|
+
| 4 | Schema 验证 | 符合 XSD 定义 | P1 | ⬜ |
|
|
200
|
+
| 5 | 命名空间正确 | xmlns 声明正确 | P1 | ⬜ |
|
|
201
|
+
```
|
|
202
|
+
|
|
203
|
+
---
|
|
204
|
+
|
|
205
|
+
## 📋 Phase 4: 数据库脚本检查
|
|
206
|
+
|
|
207
|
+
### 4.1 SQL 迁移脚本检查
|
|
208
|
+
|
|
209
|
+
```markdown
|
|
210
|
+
## SQL 迁移脚本检查清单
|
|
211
|
+
|
|
212
|
+
### 安全检查
|
|
213
|
+
| # | 检查项 | 通过标准 | 严重级别 | 结果 |
|
|
214
|
+
|---|--------|----------|----------|------|
|
|
215
|
+
| 1 | 无 DROP DATABASE | 禁止删除数据库 | P0 | ⬜ |
|
|
216
|
+
| 2 | DROP TABLE 有确认 | 有注释说明原因 | P0 | ⬜ |
|
|
217
|
+
| 3 | 有回滚脚本 | down migration 存在 | P1 | ⬜ |
|
|
218
|
+
| 4 | 无 TRUNCATE | 或有明确说明 | P0 | ⬜ |
|
|
219
|
+
| 5 | 无硬编码数据 | 测试数据不在迁移中 | P1 | ⬜ |
|
|
220
|
+
|
|
221
|
+
### 性能检查
|
|
222
|
+
| # | 检查项 | 通过标准 | 严重级别 | 结果 |
|
|
223
|
+
|---|--------|----------|----------|------|
|
|
224
|
+
| 1 | 大表操作分批 | 超过 100 万行分批处理 | P1 | ⬜ |
|
|
225
|
+
| 2 | 索引创建 CONCURRENTLY | 不锁表 | P1 | ⬜ |
|
|
226
|
+
| 3 | 有执行时间估算 | 注释中说明 | P2 | ⬜ |
|
|
227
|
+
| 4 | 向后兼容 | 旧代码仍能运行 | P0 | ⬜ |
|
|
228
|
+
|
|
229
|
+
### 数据完整性
|
|
230
|
+
| # | 检查项 | 通过标准 | 严重级别 | 结果 |
|
|
231
|
+
|---|--------|----------|----------|------|
|
|
232
|
+
| 1 | 外键约束正确 | ON DELETE 行为明确 | P1 | ⬜ |
|
|
233
|
+
| 2 | 默认值合理 | NOT NULL 有 DEFAULT | P1 | ⬜ |
|
|
234
|
+
| 3 | 索引合理 | 查询字段有索引 | P2 | ⬜ |
|
|
235
|
+
| 4 | 字段类型正确 | 不用 VARCHAR 存数字 | P2 | ⬜ |
|
|
236
|
+
```
|
|
237
|
+
|
|
238
|
+
### 4.2 种子数据脚本检查
|
|
239
|
+
|
|
240
|
+
```markdown
|
|
241
|
+
## 种子数据检查清单
|
|
242
|
+
|
|
243
|
+
| # | 检查项 | 通过标准 | 严重级别 | 结果 |
|
|
244
|
+
|---|--------|----------|----------|------|
|
|
245
|
+
| 1 | 幂等性 | 重复执行不报错 | P1 | ⬜ |
|
|
246
|
+
| 2 | 无生产数据 | 不含真实用户信息 | P0 | ⬜ |
|
|
247
|
+
| 3 | 外键顺序正确 | 先插入父表 | P1 | ⬜ |
|
|
248
|
+
| 4 | 数据量合理 | 开发环境数据量适中 | P3 | ⬜ |
|
|
249
|
+
```
|
|
250
|
+
|
|
251
|
+
---
|
|
252
|
+
|
|
253
|
+
## 📋 Phase 5: 脚本文件检查
|
|
254
|
+
|
|
255
|
+
### 5.1 Shell 脚本检查
|
|
256
|
+
|
|
257
|
+
```markdown
|
|
258
|
+
## Shell 脚本检查清单
|
|
259
|
+
|
|
260
|
+
### 安全检查
|
|
261
|
+
| # | 检查项 | 通过标准 | 严重级别 | 结果 |
|
|
262
|
+
|---|--------|----------|----------|------|
|
|
263
|
+
| 1 | 无 rm -rf / | 禁止危险删除 | P0 | ⬜ |
|
|
264
|
+
| 2 | 变量引用加引号 | "$VAR" 而非 $VAR | P1 | ⬜ |
|
|
265
|
+
| 3 | 无硬编码密码 | 使用环境变量 | P0 | ⬜ |
|
|
266
|
+
| 4 | 权限检查 | 执行前检查权限 | P2 | ⬜ |
|
|
267
|
+
|
|
268
|
+
### 健壮性检查
|
|
269
|
+
| # | 检查项 | 通过标准 | 严重级别 | 结果 |
|
|
270
|
+
|---|--------|----------|----------|------|
|
|
271
|
+
| 1 | set -e | 错误时退出 | P1 | ⬜ |
|
|
272
|
+
| 2 | set -u | 未定义变量报错 | P1 | ⬜ |
|
|
273
|
+
| 3 | 错误处理 | trap 或 || 处理 | P1 | ⬜ |
|
|
274
|
+
| 4 | 日志输出 | 关键步骤有日志 | P2 | ⬜ |
|
|
275
|
+
| 5 | 参数验证 | 检查必需参数 | P1 | ⬜ |
|
|
276
|
+
```
|
|
277
|
+
|
|
278
|
+
**检查命令**:
|
|
279
|
+
```bash
|
|
280
|
+
# 使用 shellcheck 检查
|
|
281
|
+
shellcheck scripts/*.sh
|
|
282
|
+
|
|
283
|
+
# 检查危险命令
|
|
284
|
+
grep -rn "rm -rf\|dd if=\|mkfs\|:(){" --include="*.sh"
|
|
285
|
+
```
|
|
286
|
+
|
|
287
|
+
### 5.2 Python 脚本检查
|
|
288
|
+
|
|
289
|
+
```markdown
|
|
290
|
+
## Python 脚本检查清单
|
|
291
|
+
|
|
292
|
+
| # | 检查项 | 通过标准 | 严重级别 | 结果 |
|
|
293
|
+
|---|--------|----------|----------|------|
|
|
294
|
+
| 1 | shebang 正确 | #!/usr/bin/env python3 | P2 | ⬜ |
|
|
295
|
+
| 2 | 编码声明 | # -*- coding: utf-8 -*- | P3 | ⬜ |
|
|
296
|
+
| 3 | main guard | if __name__ == "__main__" | P2 | ⬜ |
|
|
297
|
+
| 4 | 异常处理 | try-except 存在 | P1 | ⬜ |
|
|
298
|
+
| 5 | 日志而非 print | 使用 logging 模块 | P2 | ⬜ |
|
|
299
|
+
| 6 | 参数解析 | 使用 argparse | P2 | ⬜ |
|
|
300
|
+
```
|
|
301
|
+
|
|
302
|
+
---
|
|
303
|
+
|
|
304
|
+
## 📋 Phase 6: 配置文件一致性检查
|
|
305
|
+
|
|
306
|
+
### 6.1 多环境配置一致性
|
|
307
|
+
|
|
308
|
+
```markdown
|
|
309
|
+
## 多环境配置检查
|
|
310
|
+
|
|
311
|
+
### 配置文件对比
|
|
312
|
+
| 配置项 | .env.development | .env.staging | .env.production | 一致? |
|
|
313
|
+
|--------|------------------|--------------|-----------------|-------|
|
|
314
|
+
| DATABASE_URL | ✅ | ✅ | ✅ | ✅ |
|
|
315
|
+
| REDIS_URL | ✅ | ✅ | ❌ 缺失 | ❌ |
|
|
316
|
+
| API_KEY | ✅ | ✅ | ✅ | ✅ |
|
|
317
|
+
| DEBUG | true | false | false | ✅ |
|
|
318
|
+
| LOG_LEVEL | debug | info | warn | ✅ |
|
|
319
|
+
|
|
320
|
+
### 检查命令
|
|
321
|
+
```bash
|
|
322
|
+
# 对比不同环境的配置键
|
|
323
|
+
diff <(grep -oE "^[A-Z_]+=" .env.development | sort) \
|
|
324
|
+
<(grep -oE "^[A-Z_]+=" .env.production | sort)
|
|
325
|
+
```
|
|
326
|
+
```
|
|
327
|
+
|
|
328
|
+
### 6.2 前后端配置一致性
|
|
329
|
+
|
|
330
|
+
```markdown
|
|
331
|
+
## 前后端配置一致性检查
|
|
332
|
+
|
|
333
|
+
| 配置项 | 后端配置 | 前端配置 | 一致? |
|
|
334
|
+
|--------|----------|----------|-------|
|
|
335
|
+
| API_BASE_URL | http://api.example.com | http://api.example.com | ✅ |
|
|
336
|
+
| WS_URL | ws://api.example.com/ws | wss://api.example.com/ws | ❌ 协议不同 |
|
|
337
|
+
| TIMEOUT | 30000 | 30000 | ✅ |
|
|
338
|
+
| MAX_UPLOAD_SIZE | 10MB | 10MB | ✅ |
|
|
339
|
+
| ALLOWED_ORIGINS | ["http://localhost:3000"] | - | ⚠️ 需验证 |
|
|
340
|
+
```
|
|
341
|
+
|
|
342
|
+
---
|
|
343
|
+
|
|
344
|
+
## 📊 非代码文件审查汇总模板
|
|
345
|
+
|
|
346
|
+
```markdown
|
|
347
|
+
## 非代码文件审查报告
|
|
348
|
+
|
|
349
|
+
### 环境配置
|
|
350
|
+
| 文件 | 安全 | 完整性 | 问题 |
|
|
351
|
+
|------|------|--------|------|
|
|
352
|
+
| .env | ⚠️ | ✅ | 未在 .gitignore |
|
|
353
|
+
| Dockerfile | ✅ | ⚠️ | 缺少 HEALTHCHECK |
|
|
354
|
+
| docker-compose.yml | ✅ | ✅ | - |
|
|
355
|
+
| .github/workflows/*.yml | ✅ | ✅ | - |
|
|
356
|
+
|
|
357
|
+
### 包管理
|
|
358
|
+
| 文件 | 安全 | 依赖分类 | 问题 |
|
|
359
|
+
|------|------|----------|------|
|
|
360
|
+
| package.json | ⚠️ 2 漏洞 | ✅ | 需要 npm audit fix |
|
|
361
|
+
| requirements.txt | ✅ | ✅ | - |
|
|
362
|
+
|
|
363
|
+
### 数据文件
|
|
364
|
+
| 文件 | 语法 | 敏感信息 | 问题 |
|
|
365
|
+
|------|------|----------|------|
|
|
366
|
+
| config/*.json | ✅ | ✅ | - |
|
|
367
|
+
| *.yaml | ✅ | ❌ | 包含明文密码 |
|
|
368
|
+
|
|
369
|
+
### 数据库脚本
|
|
370
|
+
| 文件 | 安全 | 回滚 | 问题 |
|
|
371
|
+
|------|------|------|------|
|
|
372
|
+
| migrations/*.sql | ⚠️ | ✅ | DROP TABLE 需确认 |
|
|
373
|
+
| seeds/*.sql | ✅ | N/A | - |
|
|
374
|
+
|
|
375
|
+
### 脚本文件
|
|
376
|
+
| 文件 | 安全 | 健壮性 | 问题 |
|
|
377
|
+
|------|------|--------|------|
|
|
378
|
+
| scripts/*.sh | ✅ | ⚠️ | 缺少 set -e |
|
|
379
|
+
| scripts/*.py | ✅ | ✅ | - |
|
|
380
|
+
|
|
381
|
+
### 问题汇总
|
|
382
|
+
| # | 文件 | 问题 | 严重级别 | 修复建议 |
|
|
383
|
+
|---|------|------|----------|----------|
|
|
384
|
+
| 1 | .env | 未在 .gitignore | P0 | 添加到 .gitignore |
|
|
385
|
+
| 2 | config.yaml | 包含明文密码 | P0 | 使用环境变量 |
|
|
386
|
+
| 3 | deploy.sh | 缺少 set -e | P1 | 添加错误处理 |
|
|
387
|
+
```
|
|
388
|
+
|
|
389
|
+
---
|
|
390
|
+
|
|
391
|
+
## 🔧 自动化检查脚本
|
|
392
|
+
|
|
393
|
+
```bash
|
|
394
|
+
#!/bin/bash
|
|
395
|
+
# non-code-files-check.sh
|
|
396
|
+
|
|
397
|
+
echo "=== 非代码文件检查 ==="
|
|
398
|
+
|
|
399
|
+
echo ""
|
|
400
|
+
echo "--- 1. 敏感信息检查 ---"
|
|
401
|
+
echo "检查 .env 文件:"
|
|
402
|
+
if [ -f ".env" ]; then
|
|
403
|
+
if git ls-files --error-unmatch .env 2>/dev/null; then
|
|
404
|
+
echo "❌ .env 在 Git 中!"
|
|
405
|
+
else
|
|
406
|
+
echo "✅ .env 不在 Git 中"
|
|
407
|
+
fi
|
|
408
|
+
fi
|
|
409
|
+
|
|
410
|
+
echo ""
|
|
411
|
+
echo "检查硬编码密钥:"
|
|
412
|
+
grep -rn "password\s*=\|api_key\s*=\|secret\s*=" \
|
|
413
|
+
--include="*.json" --include="*.yaml" --include="*.yml" \
|
|
414
|
+
--include="*.xml" --include="*.properties" \
|
|
415
|
+
| grep -v "example\|template\|sample" | head -10
|
|
416
|
+
|
|
417
|
+
echo ""
|
|
418
|
+
echo "--- 2. JSON 语法检查 ---"
|
|
419
|
+
find . -name "*.json" -not -path "./node_modules/*" -exec sh -c '
|
|
420
|
+
python -m json.tool "$1" > /dev/null 2>&1 || echo "❌ 语法错误: $1"
|
|
421
|
+
' _ {} \;
|
|
422
|
+
|
|
423
|
+
echo ""
|
|
424
|
+
echo "--- 3. YAML 语法检查 ---"
|
|
425
|
+
find . -name "*.yaml" -o -name "*.yml" | grep -v node_modules | while read f; do
|
|
426
|
+
python -c "import yaml; yaml.safe_load(open('$f'))" 2>&1 | grep -q Error && echo "❌ 语法错误: $f"
|
|
427
|
+
done
|
|
428
|
+
|
|
429
|
+
echo ""
|
|
430
|
+
echo "--- 4. Shell 脚本检查 ---"
|
|
431
|
+
if command -v shellcheck &> /dev/null; then
|
|
432
|
+
find . -name "*.sh" -exec shellcheck {} \; 2>&1 | head -20
|
|
433
|
+
else
|
|
434
|
+
echo "shellcheck 未安装,跳过"
|
|
435
|
+
fi
|
|
436
|
+
|
|
437
|
+
echo ""
|
|
438
|
+
echo "--- 5. 依赖安全检查 ---"
|
|
439
|
+
if [ -f "package.json" ]; then
|
|
440
|
+
echo "npm audit:"
|
|
441
|
+
npm audit --audit-level=high 2>/dev/null | head -10
|
|
442
|
+
fi
|
|
443
|
+
|
|
444
|
+
if [ -f "requirements.txt" ]; then
|
|
445
|
+
echo "pip-audit:"
|
|
446
|
+
pip-audit 2>/dev/null | head -10 || echo "pip-audit 未安装"
|
|
447
|
+
fi
|
|
448
|
+
|
|
449
|
+
echo ""
|
|
450
|
+
echo "=== 检查完成 ==="
|
|
451
|
+
```
|