npm - @umacloud/knowledge - Versions diffs - 1.0.1 - Mend

@umacloud/knowledge 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (418) hide show

package/00-governance/governance-capabilities.md +557 -0
package/00-governance/knowledge-map.md +39 -0
package/00-governance/maintenance-policy.md +76 -0
package/00-governance/review-checklist.md +81 -0
package/README.md +13 -0
package/ai/01-standards/agent-development-complete.md +691 -0
package/ai/01-standards/llm-application-complete.md +488 -0
package/ai/01-standards/mlops-complete.md +798 -0
package/ai/01-standards/prompt-engineering-complete.md +646 -0
package/ai/01-standards/rag-architecture-complete.md +649 -0
package/ai/02-playbooks/llm-evaluation-playbook.md +847 -0
package/ai/03-checklists/ai-project-checklist.md +215 -0
package/ai/04-antipatterns/ai-antipatterns.md +661 -0
package/ai/05-cases/case-rag-production.md +147 -0
package/ai/06-glossary/ai-glossary.md +162 -0
package/ai/agent-evaluation-benchmark.md +53 -0
package/ai/ai-agent-memory-context-management.md +41 -0
package/ai/ai-cost-capacity-optimization-playbook.md +42 -0
package/ai/ai-data-security-and-compliance-playbook.md +37 -0
package/ai/ai-domain-index-and-checklist.md +40 -0
package/ai/ai-governance-maturity-model.md +50 -0
package/ai/ai-model-selection-and-routing-strategy.md +47 -0
package/ai/ai-observability-and-oncall-runbook.md +52 -0
package/ai/ai-rag-engineering-playbook.md +42 -0
package/ai/ai-red-team-and-safety-evaluation.md +42 -0
package/ai/ai-release-readiness-and-rollback-gate.md +42 -0
package/ai/llm-agent-engineering-deep-dive.md +57 -0
package/ai/prompt-and-tool-guardrails.md +52 -0
package/api/01-standards/enterprise-api-standards.md +198 -0
package/api/01-standards/rest-api-design-guide.md +63 -0
package/api/02-playbooks/api-pagination-playbook.md +93 -0
package/api/02-playbooks/graphql-production-playbook.md +176 -0
package/api/03-checklists/api-review-checklist.md +55 -0
package/api/04-antipatterns/api-antipatterns.md +112 -0
package/architecture/01-standards/api-gateway-patterns.md +496 -0
package/architecture/01-standards/cloud-native-patterns.md +644 -0
package/architecture/01-standards/distributed-systems-patterns.md +591 -0
package/architecture/01-standards/event-driven-architecture.md +595 -0
package/architecture/01-standards/microservices-patterns-complete.md +968 -0
package/architecture/01-standards/microservices-patterns.md +495 -0
package/architecture/01-standards/system-design-interview.md +664 -0
package/architecture/02-playbooks/microservices-patterns-playbook.md +137 -0
package/architecture/02-playbooks/migration-playbook.md +780 -0
package/architecture/02-playbooks/system-design-playbook.md +779 -0
package/architecture/03-checklists/architecture-decision-checklist.md +297 -0
package/architecture/04-antipatterns/architecture-antipatterns.md +417 -0
package/architecture/05-cases/case-netflix-microservices.md +413 -0
package/architecture/06-glossary/architecture-glossary.md +164 -0
package/architecture/adr-template-and-examples.md +38 -0
package/architecture/api-gateway-deep-dive.md +1291 -0
package/architecture/configuration-management.md +1162 -0
package/architecture/distributed-transactions.md +1220 -0
package/architecture/microservices-complete.md +735 -0
package/architecture/resilience-and-disaster-patterns.md +37 -0
package/architecture/service-governance.md +1198 -0
package/architecture/system-architecture-deep-dive.md +37 -0
package/backend/01-standards/analytics-and-growth.md +65 -0
package/backend/01-standards/api-and-error-conventions.md +120 -0
package/backend/01-standards/application-layering-and-packaging.md +160 -0
package/backend/01-standards/auth-implementation.md +104 -0
package/backend/01-standards/backend-framework-idioms.md +74 -0
package/backend/01-standards/background-jobs-and-async.md +66 -0
package/backend/01-standards/caching-strategies-complete.md +390 -0
package/backend/01-standards/config-and-observability.md +77 -0
package/backend/01-standards/data-modeling-and-persistence.md +94 -0
package/backend/01-standards/django-complete.md +1765 -0
package/backend/01-standards/email-and-notifications.md +64 -0
package/backend/01-standards/fastapi-complete.md +925 -0
package/backend/01-standards/file-upload-and-storage.md +66 -0
package/backend/01-standards/graphql-api-complete.md +416 -0
package/backend/01-standards/llm-application-standard.md +78 -0
package/backend/01-standards/message-queue-patterns.md +379 -0
package/backend/01-standards/microservices-and-distributed.md +78 -0
package/backend/01-standards/nestjs-complete.md +2167 -0
package/backend/01-standards/payment-integration.md +80 -0
package/backend/01-standards/rate-limiting-complete.md +451 -0
package/backend/01-standards/realtime-and-websocket.md +65 -0
package/backend/01-standards/search-and-filtering.md +64 -0
package/backend/01-standards/spring-boot-complete.md +445 -0
package/backend/02-playbooks/api-design-playbook.md +718 -0
package/backend/02-playbooks/email-send-playbook.md +130 -0
package/backend/02-playbooks/file-upload-s3-playbook.md +153 -0
package/backend/02-playbooks/typescript-enterprise-playbook.md +133 -0
package/backend/02-playbooks/websocket-realtime-playbook.md +154 -0
package/backend/03-checklists/api-launch-checklist.md +189 -0
package/backend/04-antipatterns/backend-antipatterns.md +1051 -0
package/blockchain/01-standards/blockchain-basics.md +557 -0
package/blockchain/01-standards/smart-contract-development.md +1315 -0
package/cicd/01-standards/deployment-and-delivery-standard.md +96 -0
package/cicd/01-standards/github-actions-complete.md +473 -0
package/cicd/01-standards/release-and-store-submission.md +75 -0
package/cicd/02-playbooks/cicd-pipeline-playbook.md +144 -0
package/cicd/02-playbooks/release-management-playbook.md +605 -0
package/cicd/03-checklists/pipeline-security-checklist.md +168 -0
package/cicd/04-antipatterns/cicd-antipatterns.md +589 -0
package/cicd/05-cases/case-deployment-automation.md +221 -0
package/cicd/05-cases/case-gitops-transformation.md +212 -0
package/cicd/06-glossary/cicd-glossary.md +114 -0
package/cicd/cicd-blueprint-deep-dive.md +38 -0
package/cicd/release-readiness-gate.md +37 -0
package/cloud-native/01-standards/container-security.md +741 -0
package/cloud-native/01-standards/kubernetes-complete.md +812 -0
package/cloud-native/02-playbooks/api-gateway-playbook.md +155 -0
package/cloud-native/02-playbooks/gitops-with-argocd.md +760 -0
package/cloud-native/02-playbooks/k8s-troubleshooting-playbook.md +1942 -0
package/cloud-native/02-playbooks/message-queue-playbook.md +129 -0
package/cloud-native/02-playbooks/multicloud-governance.md +726 -0
package/cloud-native/02-playbooks/serverless-patterns.md +788 -0
package/cloud-native/02-playbooks/service-mesh-playbook.md +612 -0
package/cloud-native/02-playbooks/terraform-iac-playbook.md +143 -0
package/cloud-native/03-checklists/container-security-checklist.md +431 -0
package/cloud-native/03-checklists/k8s-production-readiness-checklist.md +460 -0
package/cloud-native/04-antipatterns/container-antipatterns.md +660 -0
package/cloud-native/04-antipatterns/k8s-antipatterns.md +743 -0
package/cloud-native/05-cases/case-k8s-migration.md +478 -0
package/cloud-native/05-cases/case-k8s-scaling.md +642 -0
package/cloud-native/05-cases/case-k8s-security-incident.md +397 -0
package/cloud-native/06-glossary/cloud-native-glossary.md +337 -0
package/cross-platform/01-standards/cross-platform-frameworks.md +83 -0
package/cross-platform/01-standards/platform-selection-and-architecture.md +77 -0
package/data/01-standards/elasticsearch-complete.md +2098 -0
package/data/01-standards/postgresql-complete.md +1613 -0
package/data/01-standards/redis-complete.md +1527 -0
package/data/02-playbooks/database-optimization-playbook.md +403 -0
package/data/02-playbooks/elasticsearch-production-playbook.md +132 -0
package/data/03-checklists/database-launch-checklist.md +187 -0
package/data/04-antipatterns/database-antipatterns.md +873 -0
package/data/05-cases/case-database-migration.md +310 -0
package/data/06-glossary/database-glossary.md +440 -0
package/data/data-governance-and-modeling-deep-dive.md +39 -0
package/data-engineering/01-standards/airflow-complete.md +523 -0
package/data-engineering/01-standards/kafka-complete.md +1521 -0
package/data-engineering/02-playbooks/spark-etl-playbook.md +496 -0
package/data-engineering/03-checklists/pipeline-launch-checklist.md +194 -0
package/data-engineering/04-antipatterns/data-pipeline-antipatterns.md +684 -0
package/data-engineering/05-cases/case-real-time-pipeline.md +355 -0
package/data-engineering/06-glossary/data-engineering-glossary.md +429 -0
package/database/01-standards/database-schema-standards.md +147 -0
package/database/02-playbooks/postgresql-optimization-quick.md +52 -0
package/database/02-playbooks/postgresql-performance-optimization.md +58 -0
package/database/02-playbooks/postgresql-production-playbook.md +146 -0
package/database/02-playbooks/redis-caching-playbook.md +117 -0
package/database/03-checklists/database-review-checklist.md +50 -0
package/database/04-antipatterns/database-antipatterns.md +112 -0
package/design/01-standards/ui-design-system-complete.md +423 -0
package/design/02-playbooks/design-handoff-playbook.md +254 -0
package/design/02-playbooks/design-review-playbook.md +388 -0
package/design/03-checklists/design-review-checklist.md +246 -0
package/design/04-antipatterns/design-antipatterns.md +378 -0
package/design/05-cases/case-design-system-adoption.md +328 -0
package/design/06-glossary/design-glossary.md +329 -0
package/design/ui-full-lifecycle-cross-platform-playbook.md +571 -0
package/design/ux-system-deep-dive.md +38 -0
package/design-systems/00-craft-rules.md +71 -0
package/design-systems/aesthetic-families.md +43 -0
package/design-systems/anti-ai-slop.md +162 -0
package/design-systems/bold-geometric.md +120 -0
package/design-systems/brutalist-bold.md +103 -0
package/design-systems/editorial-clean.md +109 -0
package/design-systems/glass-aurora.md +108 -0
package/design-systems/modern-minimal.md +145 -0
package/design-systems/premium-luxury.md +106 -0
package/design-systems/product-type-design-map.md +48 -0
package/design-systems/soft-warm.md +123 -0
package/design-systems/tech-utility.md +113 -0
package/desktop/01-standards/desktop-app-standard.md +72 -0
package/desktop/01-standards/desktop-design.md +71 -0
package/development/00-governance/document-template.md +41 -0
package/development/01-standards/api-versioning-strategies.md +432 -0
package/development/01-standards/authentication-patterns-complete.md +479 -0
package/development/01-standards/css-architecture-complete.md +550 -0
package/development/01-standards/database-migration-strategies.md +484 -0
package/development/01-standards/elasticsearch-complete.md +347 -0
package/development/01-standards/git-complete.md +371 -0
package/development/01-standards/golang-complete.md +1565 -0
package/development/01-standards/graphql-complete.md +298 -0
package/development/01-standards/javascript-bundlers-complete.md +469 -0
package/development/01-standards/javascript-typescript-complete.md +528 -0
package/development/01-standards/jest-complete.md +275 -0
package/development/01-standards/linux-complete.md +234 -0
package/development/01-standards/logging-observability-complete.md +526 -0
package/development/01-standards/microservices-communication.md +502 -0
package/development/01-standards/mongodb-complete.md +406 -0
package/development/01-standards/oauth2-complete.md +285 -0
package/development/01-standards/performance-optimization-complete.md +289 -0
package/development/01-standards/playwright-complete.md +247 -0
package/development/01-standards/postgresql-complete.md +456 -0
package/development/01-standards/pytest-complete.md +340 -0
package/development/01-standards/python-async-programming.md +902 -0
package/development/01-standards/python-complete.md +956 -0
package/development/01-standards/python-decorators-complete.md +799 -0
package/development/01-standards/python-design-patterns.md +2854 -0
package/development/01-standards/python-packaging-distribution.md +420 -0
package/development/01-standards/python-testing-strategies.md +607 -0
package/development/01-standards/python-web-frameworks-comparison.md +471 -0
package/development/01-standards/redis-complete.md +317 -0
package/development/01-standards/rest-api-complete.md +316 -0
package/development/01-standards/rust-complete.md +578 -0
package/development/01-standards/typescript-advanced-types.md +1513 -0
package/development/01-standards/web-security-complete.md +292 -0
package/development/02-playbooks/api-design-playbook.md +810 -0
package/development/02-playbooks/database-migration-playbook.md +580 -0
package/development/02-playbooks/debugging-playbook.md +692 -0
package/development/02-playbooks/feature-delivery-playbook.md +430 -0
package/development/02-playbooks/incident-hotfix-playbook.md +387 -0
package/development/02-playbooks/performance-optimization-playbook.md +531 -0
package/development/02-playbooks/performance-tuning-playbook.md +652 -0
package/development/02-playbooks/refactor-playbook.md +403 -0
package/development/02-playbooks/release-playbook.md +469 -0
package/development/03-checklists/architecture-review-checklist.md +168 -0
package/development/03-checklists/data-migration-checklist.md +157 -0
package/development/03-checklists/oncall-handover-checklist.md +173 -0
package/development/03-checklists/pr-checklist.md +158 -0
package/development/03-checklists/production-readiness-checklist.md +190 -0
package/development/03-checklists/release-readiness-checklist.md +154 -0
package/development/03-checklists/security-review-checklist.md +182 -0
package/development/04-antipatterns/api-antipatterns.md +657 -0
package/development/04-antipatterns/architecture-antipatterns.md +686 -0
package/development/04-antipatterns/backend-antipatterns.md +648 -0
package/development/04-antipatterns/cicd-antipatterns.md +540 -0
package/development/04-antipatterns/code-smell-antipatterns.md +571 -0
package/development/04-antipatterns/data-antipatterns.md +658 -0
package/development/04-antipatterns/database-antipatterns.md +578 -0
package/development/04-antipatterns/frontend-antipatterns.md +635 -0
package/development/04-antipatterns/reliability-antipatterns.md +700 -0
package/development/04-antipatterns/security-antipatterns.md +747 -0
package/development/05-cases/case-api-version-migration.md +428 -0
package/development/05-cases/case-authorization-hardening.md +383 -0
package/development/05-cases/case-bluegreen-rollback.md +466 -0
package/development/05-cases/case-cache-snowball-protection.md +485 -0
package/development/05-cases/case-ci-cd-pipeline.md +544 -0
package/development/05-cases/case-database-scaling.md +500 -0
package/development/05-cases/case-db-hotspot-optimization.md +487 -0
package/development/05-cases/case-incident-mttr-reduction.md +563 -0
package/development/05-cases/case-microservice-migration.md +375 -0
package/development/05-cases/case-performance-optimization.md +406 -0
package/development/05-cases/case-security-incident-response.md +345 -0
package/development/06-glossary/full-stack-glossary.md +166 -0
package/development/09-maturity/quarterly-audit-template.md +35 -0
package/development/11-ui-excellence/ui-aesthetic-system.md +41 -0
package/development/11-ui-excellence/ui-engineering-excellence.md +435 -0
package/development/12-scenarios/development-scenarios-guide.md +565 -0
package/development/13-implementation-assets/implementation-toolkit.md +282 -0
package/development/13-implementation-assets/knowledge-gates-execution.md +43 -0
package/development/14-full-lifecycle/software-lifecycle-gates.md +511 -0
package/development/15-lifecycle-templates/project-templates-collection.md +791 -0
package/development/api-contract-and-versioning-guide.md +36 -0
package/development/api-governance-complete.md +43 -0
package/development/backend-engineering-complete.md +43 -0
package/development/code-review-quality-complete.md +43 -0
package/development/concurrency-reliability-complete.md +43 -0
package/development/database-engineering-complete.md +43 -0
package/development/engineering-effectiveness-complete.md +43 -0
package/development/engineering-standards-deep-dive.md +38 -0
package/development/frontend-engineering-complete.md +43 -0
package/development/performance-capacity-complete.md +43 -0
package/development/refactor-migration-complete.md +42 -0
package/development/refactoring-and-techdebt-playbook.md +37 -0
package/development/security-in-development-complete.md +43 -0
package/devops/01-standards/cicd-pipeline-complete.md +262 -0
package/devops/01-standards/docker-complete.md +1490 -0
package/devops/01-standards/github-actions-complete.md +337 -0
package/devops/01-standards/kubernetes-complete.md +638 -0
package/devops/01-standards/terraform-complete.md +2117 -0
package/devops/02-playbooks/docker-compose-playbook.md +233 -0
package/devops/02-playbooks/docker-k8s-production-playbook.md +186 -0
package/devops/02-playbooks/docker-production-playbook.md +952 -0
package/edge-iot/01-standards/edge-iot-complete.md +473 -0
package/experts/architect/api-design.md +178 -0
package/experts/architect/methodology.md +124 -0
package/experts/architect/security.md +75 -0
package/experts/backend-lead/methodology.md +216 -0
package/experts/devops/methodology.md +160 -0
package/experts/frontend-lead/methodology.md +178 -0
package/experts/product-manager/industry/ecommerce.md +43 -0
package/experts/product-manager/industry/saas.md +40 -0
package/experts/product-manager/methodology.md +97 -0
package/experts/qa-lead/methodology.md +123 -0
package/experts/qa-lead/test-strategy.md +128 -0
package/experts/uiux-designer/methodology.md +125 -0
package/frontend/01-standards/accessibility-complete.md +532 -0
package/frontend/01-standards/accessibility-standard.md +74 -0
package/frontend/01-standards/admin-dashboard-and-crud.md +72 -0
package/frontend/01-standards/design-tokens-complete.md +444 -0
package/frontend/01-standards/forms-and-validation.md +77 -0
package/frontend/01-standards/frontend-architecture-and-layering.md +119 -0
package/frontend/01-standards/i18n-and-localization.md +65 -0
package/frontend/01-standards/nextjs-complete.md +451 -0
package/frontend/01-standards/react-complete.md +713 -0
package/frontend/01-standards/react-hooks-complete-guide.md +1100 -0
package/frontend/01-standards/react-hooks-complete.md +1171 -0
package/frontend/01-standards/seo-and-web-vitals.md +77 -0
package/frontend/01-standards/state-management-complete.md +444 -0
package/frontend/01-standards/vue-complete.md +499 -0
package/frontend/01-standards/vue3-complete.md +2002 -0
package/frontend/01-standards/web-framework-best-practices.md +64 -0
package/frontend/01-standards/web-performance-complete.md +495 -0
package/frontend/02-playbooks/accessibility-a11y-playbook.md +161 -0
package/frontend/02-playbooks/frontend-performance-playbook.md +707 -0
package/frontend/02-playbooks/i18n-internationalization-playbook.md +120 -0
package/frontend/02-playbooks/performance-optimization-playbook.md +163 -0
package/frontend/02-playbooks/react-nextjs-production-playbook.md +167 -0
package/frontend/02-playbooks/react-state-management-playbook.md +173 -0
package/frontend/03-checklists/component-quality-checklist.md +166 -0
package/frontend/03-checklists/frontend-launch-checklist.md +299 -0
package/frontend/04-antipatterns/frontend-antipatterns.md +886 -0
package/frontend/05-cases/case-performance-optimization.md +274 -0
package/harmony/01-standards/harmonyos-arkts-standard.md +75 -0
package/harmony/01-standards/harmonyos-design.md +65 -0
package/high-quality-engineering-playbook.md +54 -0
package/incident/01-standards/incident-response-complete.md +303 -0
package/incident/02-playbooks/chaos-engineering-playbook.md +883 -0
package/incident/02-playbooks/postmortem-playbook.md +398 -0
package/incident/03-checklists/incident-readiness-checklist.md +181 -0
package/incident/04-antipatterns/incident-antipatterns.md +490 -0
package/incident/05-cases/case-cascade-failure.md +176 -0
package/incident/06-glossary/incident-glossary.md +114 -0
package/incident/postmortem-and-response-deep-dive.md +39 -0
package/industries/ecommerce/ecommerce-complete.md +631 -0
package/industries/education/education-complete.md +555 -0
package/industries/fintech/fintech-complete.md +501 -0
package/industries/gaming/gaming-complete.md +587 -0
package/industries/healthcare/healthcare-complete.md +452 -0
package/low-code/01-standards/low-code-complete.md +944 -0
package/miniprogram/01-standards/ai-common-mistakes.md +61 -0
package/miniprogram/01-standards/miniprogram-custom-navbar-capsule.md +77 -0
package/miniprogram/01-standards/miniprogram-design.md +61 -0
package/miniprogram/01-standards/miniprogram-standard.md +81 -0
package/mobile/01-standards/android-material-design.md +70 -0
package/mobile/01-standards/flutter-complete.md +384 -0
package/mobile/01-standards/ios-design-hig.md +78 -0
package/mobile/01-standards/mobile-app-standard.md +85 -0
package/mobile/01-standards/react-native-complete.md +352 -0
package/mobile/02-playbooks/mobile-cross-platform-playbook.md +175 -0
package/mobile/02-playbooks/mobile-performance.md +473 -0
package/mobile/03-checklists/mobile-release-checklist.md +234 -0
package/mobile/04-antipatterns/mobile-antipatterns.md +798 -0
package/mobile/05-cases/case-app-performance.md +500 -0
package/mobile/05-cases/case-app-startup-optimization.md +218 -0
package/mobile/06-glossary/mobile-glossary.md +484 -0
package/observability/01-standards/observability-standards.md +103 -0
package/observability/02-playbooks/prometheus-grafana-playbook.md +135 -0
package/observability/02-playbooks/structured-logging-playbook.md +73 -0
package/observability/03-checklists/observability-checklist.md +54 -0
package/observability/04-antipatterns/observability-antipatterns.md +106 -0
package/operations/01-standards/prometheus-monitoring-complete.md +1578 -0
package/operations/02-playbooks/capacity-planning-playbook.md +620 -0
package/operations/03-checklists/production-launch-checklist.md +365 -0
package/operations/04-antipatterns/operations-antipatterns.md +664 -0
package/operations/05-cases/case-sre-practices.md +581 -0
package/operations/06-glossary/operations-glossary.md +120 -0
package/operations/aiops-anomaly-detection.md +758 -0
package/operations/capacity-planning.md +1061 -0
package/operations/chaos-engineering.md +659 -0
package/operations/incident-command-system.md +38 -0
package/operations/observability-complete.md +442 -0
package/operations/slo-sli-playbook.md +517 -0
package/operations/sre-operations-deep-dive.md +39 -0
package/package.json +8 -0
package/performance/01-standards/performance-and-scalability.md +80 -0
package/performance/01-standards/performance-standards.md +156 -0
package/performance/02-playbooks/query-optimization-playbook.md +103 -0
package/performance/03-checklists/performance-checklist.md +56 -0
package/performance/04-antipatterns/performance-antipatterns.md +146 -0
package/product/01-standards/product-management-complete.md +285 -0
package/product/02-playbooks/feature-launch-playbook.md +207 -0
package/product/02-playbooks/user-research-playbook.md +532 -0
package/product/03-checklists/feature-launch-checklist.md +275 -0
package/product/04-antipatterns/product-antipatterns.md +355 -0
package/product/05-cases/case-mvp-to-scale.md +384 -0
package/product/06-glossary/product-glossary.md +462 -0
package/product/feature-prioritization-framework.md +40 -0
package/product/kpi-and-metric-tree.md +37 -0
package/product/product-discovery-and-prd-deep-dive.md +41 -0
package/quantum/01-standards/quantum-complete.md +1186 -0
package/security/01-standards/api-security-complete.md +511 -0
package/security/01-standards/container-runtime-security.md +574 -0
package/security/01-standards/data-protection-gdpr.md +543 -0
package/security/01-standards/owasp-top10-complete.md +1890 -0
package/security/01-standards/secure-coding-baseline.md +90 -0
package/security/01-standards/supply-chain-security.md +441 -0
package/security/01-standards/web-security-checklist.md +108 -0
package/security/01-standards/zero-trust-architecture.md +521 -0
package/security/02-playbooks/auth-sso-playbook.md +166 -0
package/security/02-playbooks/incident-response-security-playbook.md +588 -0
package/security/02-playbooks/owasp-api-security-playbook.md +129 -0
package/security/02-playbooks/payment-integration-playbook.md +119 -0
package/security/02-playbooks/penetration-testing-playbook.md +517 -0
package/security/03-checklists/security-audit-checklist.md +356 -0
package/security/04-antipatterns/security-coding-antipatterns.md +580 -0
package/security/05-cases/case-log4shell-incident.md +537 -0
package/security/05-cases/case-major-breaches.md +468 -0
package/security/06-glossary/security-glossary.md +212 -0
package/security/compliance-automation.md +993 -0
package/security/container-security.md +680 -0
package/security/devsecops-complete.md +426 -0
package/security/sast-dast-sca.md +775 -0
package/security/secrets-management.md +594 -0
package/security/security-architecture-deep-dive.md +37 -0
package/security/threat-modeling-stride-playbook.md +40 -0
package/seed-templates/auth-system.md +59 -0
package/seed-templates/blog-content.md +94 -0
package/seed-templates/dashboard.md +89 -0
package/seed-templates/docs-site.md +73 -0
package/seed-templates/e-commerce.md +50 -0
package/seed-templates/saas-landing.md +92 -0
package/seed-templates/settings-page.md +51 -0
package/testing/01-standards/test-strategy-and-layering.md +83 -0
package/testing/01-standards/testing-strategy-complete.md +422 -0
package/testing/01-standards/unit-testing-best-practices.md +118 -0
package/testing/02-playbooks/e2e-testing-playbook.md +988 -0
package/testing/02-playbooks/testing-strategy-playbook.md +126 -0
package/testing/03-checklists/test-strategy-checklist.md +208 -0
package/testing/04-antipatterns/testing-antipatterns.md +718 -0
package/testing/05-cases/case-testing-transformation.md +300 -0
package/testing/06-glossary/testing-glossary.md +110 -0
package/testing/risk-based-test-matrix.md +36 -0
package/testing/testing-strategy-deep-dive.md +37 -0

package/development/04-antipatterns/api-antipatterns.md ADDED Viewed

@@ -0,0 +1,657 @@
+---
+id: api-antipatterns
+title: API 反模式指南
+domain: development
+category: 04-antipatterns
+difficulty: intermediate
+tags: [antipatterns, api, development, error, handling, limiting, naming, rate]
+quality_score: 70
+last_updated: 2026-06-15
+---
+# API 反模式指南
+> 适用范围：RESTful API / GraphQL / gRPC
+> 约束级别：SHALL（必须在 API Review 阶段拦截）
+---
+## 1. 不一致的命名（Inconsistent Naming）
+### 描述
+同一 API 中混用不同的命名风格（camelCase / snake_case / kebab-case），资源名称单复数不一致，动词名词混用。导致调用方无法预测 API 的 URL 和字段名，集成成本持续上升。
+### 错误示例
+```
+# 路径命名混乱
+GET  /api/getUsers              # 动词 + 驼峰
+GET  /api/order_list            # 蛇形 + 单数
+POST /api/Create-Payment        # 大写 + kebab
+GET  /api/v1/product/123        # 单数
+GET  /api/v1/categories         # 复数
+# 响应字段命名不一致
+{
+    "userId": 1,                  // camelCase
+    "user_name": "Alice",         // snake_case
+    "Email": "alice@example.com", // PascalCase
+    "phone-number": "138xxxx"     // kebab-case
+}
+```
+### 正确示例
+```
+# 统一的 RESTful 命名规范
+GET    /api/v1/users              # 复数名词
+GET    /api/v1/users/123          # 单个资源
+POST   /api/v1/users              # 创建
+PUT    /api/v1/users/123          # 全量更新
+PATCH  /api/v1/users/123          # 部分更新
+DELETE /api/v1/users/123          # 删除
+GET    /api/v1/users/123/orders   # 嵌套资源
+# 统一的响应字段（选择一种风格并贯穿整个 API）
+{
+    "user_id": 1,
+    "user_name": "Alice",
+    "email": "alice@example.com",
+    "phone_number": "138xxxx"
+}
+```
+```python
+# 使用 OpenAPI Schema 强制命名规范
+from pydantic import BaseModel, ConfigDict
+class UserResponse(BaseModel):
+    model_config = ConfigDict(
+        alias_generator=to_camel,  # 或统一 snake_case
+        populate_by_name=True,
+    )
+    user_id: int
+    user_name: str
+    email: str
+    phone_number: str | None = None
+```
+### 检测方法
+- OpenAPI / Swagger 文档审查：对所有 path 和 field 检查命名一致性。
+- `spectral` lint 工具：自定义规则检查命名风格。
+- API 测试中断言响应字段命名符合约定。
+### 修复步骤
+1. 制定团队 API 命名规范文档（路径用 kebab-case 或 snake_case，字段用 snake_case 或 camelCase）。
+2. 使用 `spectral` 或自定义 lint 规则在 CI 中检查 OpenAPI spec。
+3. 通过 Pydantic / Serializer 的 alias 机制统一输出格式。
+4. 对已发布的 API，通过新版本逐步迁移（不可破坏性变更）。
+### Agent Checklist
+- [ ] API 路径统一使用复数名词、小写、无动词
+- [ ] 响应字段统一使用同一种命名风格
+- [ ] CI 包含 OpenAPI lint 检查
+- [ ] 新旧接口命名风格一致
+---
+## 2. 无版本控制（Missing API Versioning）
+### 描述
+API 没有版本号，任何变更直接影响所有调用方。当需要做不兼容变更时，要么破坏现有客户端，要么在代码中维护大量兼容逻辑。
+### 错误示例
+```python
+# 无版本号 -- 任何变更影响所有客户端
+@app.get("/users/{user_id}")
+def get_user(user_id: int):
+    user = user_repo.get(user_id)
+    return {
+        "id": user.id,
+        "name": user.name,      # 后来要拆分为 first_name + last_name
+        "email": user.email,
+    }
+# "向下兼容"导致代码腐化
+@app.get("/users/{user_id}")
+def get_user(user_id: int, format: str = "v1"):
+    user = user_repo.get(user_id)
+    if format == "v1":
+        return {"id": user.id, "name": user.name}
+    elif format == "v2":
+        return {"id": user.id, "first_name": user.first_name, "last_name": user.last_name}
+    elif format == "v3":
+        # ... 越来越多的分支
+```
+### 正确示例
+```python
+# URL 路径版本控制
+from fastapi import APIRouter
+router_v1 = APIRouter(prefix="/api/v1")
+router_v2 = APIRouter(prefix="/api/v2")
+@router_v1.get("/users/{user_id}")
+def get_user_v1(user_id: int) -> UserResponseV1:
+    user = user_repo.get(user_id)
+    return UserResponseV1(id=user.id, name=f"{user.first_name} {user.last_name}")
+@router_v2.get("/users/{user_id}")
+def get_user_v2(user_id: int) -> UserResponseV2:
+    user = user_repo.get(user_id)
+    return UserResponseV2(
+        id=user.id, first_name=user.first_name, last_name=user.last_name
+    )
+app.include_router(router_v1)
+app.include_router(router_v2)
+```
+```python
+# Header 版本控制（适用于微服务间调用）
+from fastapi import Header, HTTPException
+@app.get("/users/{user_id}")
+def get_user(user_id: int, x_api_version: str = Header("2024-01-01")):
+    user = user_repo.get(user_id)
+    if x_api_version < "2024-06-01":
+        return UserResponseV1.from_user(user)
+    return UserResponseV2.from_user(user)
+```
+### 检测方法
+- API 路径中不包含版本号（`/v1/`、`/v2/`）。
+- 无 `Accept-Version` 或 `X-API-Version` header 支持。
+- 同一个 endpoint handler 中包含版本分支逻辑。
+- 客户端集成文档未说明版本策略。
+### 修复步骤
+1. 选择版本控制策略（URL 路径 vs Header vs Query Param）。
+2. 为当前 API 标记为 v1，所有路径加上 `/api/v1/` 前缀。
+3. 设立弃用策略：旧版本至少维护 N 个月后下线。
+4. 在 API 文档和响应 Header 中标注版本信息和弃用时间。
+### Agent Checklist
+- [ ] 所有 API 路径包含版本号
+- [ ] 不兼容变更通过新版本发布
+- [ ] 旧版本有明确的弃用时间表
+- [ ] API 文档标注当前最新版本
+---
+## 3. 缺乏错误处理（Poor Error Handling）
+### 描述
+API 返回的错误信息不统一、不可机器解析、或泄露内部实现细节。调用方无法程序化处理错误，只能靠人工阅读错误消息。
+### 错误示例
+```python
+@app.post("/orders")
+def create_order(data: dict):
+    try:
+        order = order_service.create(data)
+        return order
+    except Exception as e:
+        # 问题 1: 所有错误返回 500
+        # 问题 2: 泄露堆栈信息
+        # 问题 3: 无统一格式
+        return {"error": str(e)}, 500
+# 不同接口返回不同的错误格式
+# 接口 A: {"error": "Not found"}
+# 接口 B: {"message": "用户不存在", "code": -1}
+# 接口 C: {"err_msg": "insufficient balance", "err_code": 40001}
+```
+### 正确示例
+```python
+from enum import Enum
+from pydantic import BaseModel
+class ErrorCode(str, Enum):
+    VALIDATION_ERROR = "VALIDATION_ERROR"
+    NOT_FOUND = "NOT_FOUND"
+    CONFLICT = "CONFLICT"
+    INSUFFICIENT_BALANCE = "INSUFFICIENT_BALANCE"
+    RATE_LIMITED = "RATE_LIMITED"
+    INTERNAL_ERROR = "INTERNAL_ERROR"
+class ErrorResponse(BaseModel):
+    error: ErrorCode
+    message: str
+    details: list[dict] | None = None
+    request_id: str
+class AppException(Exception):
+    def __init__(self, code: ErrorCode, message: str, status: int = 400, details=None):
+        self.code = code
+        self.message = message
+        self.status = status
+        self.details = details
+@app.exception_handler(AppException)
+async def app_exception_handler(request: Request, exc: AppException):
+    return JSONResponse(
+        status_code=exc.status,
+        content=ErrorResponse(
+            error=exc.code,
+            message=exc.message,
+            details=exc.details,
+            request_id=request.state.request_id,
+        ).model_dump(),
+    )
+@app.exception_handler(Exception)
+async def generic_exception_handler(request: Request, exc: Exception):
+    logger.exception("Unhandled exception", request_id=request.state.request_id)
+    return JSONResponse(
+        status_code=500,
+        content=ErrorResponse(
+            error=ErrorCode.INTERNAL_ERROR,
+            message="An internal error occurred. Please try again later.",
+            request_id=request.state.request_id,
+        ).model_dump(),
+    )
+# 业务代码使用统一异常
+@app.post("/orders", response_model=OrderResponse, status_code=201)
+def create_order(data: CreateOrderRequest):
+    user = user_repo.get(data.user_id)
+    if not user:
+        raise AppException(
+            code=ErrorCode.NOT_FOUND,
+            message=f"User {data.user_id} not found",
+            status=404,
+        )
+    if user.balance < data.total:
+        raise AppException(
+            code=ErrorCode.INSUFFICIENT_BALANCE,
+            message="Insufficient balance to place this order",
+            status=422,
+            details=[{"field": "total", "required": str(data.total), "available": str(user.balance)}],
+        )
+    return order_service.create(user, data)
+```
+### 检测方法
+- 不同接口的错误响应 JSON 结构不一致。
+- 存在 `except Exception: return str(e)` 模式。
+- 错误响应中包含堆栈信息、文件路径、SQL 语句。
+- 所有错误都返回 HTTP 500。
+### 修复步骤
+1. 定义统一的 `ErrorResponse` 模型和 `ErrorCode` 枚举。
+2. 创建自定义异常基类 `AppException`，包含错误码、消息、HTTP 状态码。
+3. 注册全局异常处理器，拦截所有异常并转为统一格式。
+4. 在生产环境中隐藏内部错误详情，只返回 request_id 供排查。
+5. 更新 API 文档，列出每个接口可能返回的错误码。
+### Agent Checklist
+- [ ] 所有接口使用统一的错误响应格式
+- [ ] 错误码使用枚举，可机器解析
+- [ ] 生产环境不泄露堆栈信息
+- [ ] 每个错误响应包含 request_id
+- [ ] API 文档列出每个接口的错误码
+---
+## 4. 过大响应（Oversized Response）
+### 描述
+API 返回了远超客户端需要的数据量，包括不必要的嵌套对象、大文本字段、二进制数据。导致带宽浪费、客户端解析慢、移动端体验差。
+### 错误示例
+```python
+@app.get("/users/{user_id}")
+def get_user(user_id: int):
+    user = user_repo.get_with_all_relations(user_id)
+    return {
+        "id": user.id,
+        "name": user.name,
+        "email": user.email,
+        "avatar_base64": user.avatar_base64,     # 500KB 的 base64 图片
+        "orders": [                               # 所有历史订单
+            {
+                "id": o.id,
+                "items": [                        # 每个订单的所有商品
+                    {
+                        "product": {              # 嵌套完整商品信息
+                            "id": p.id,
+                            "description": p.description,  # 长文本
+                            "images": p.images,            # 图片列表
+                        }
+                    } for p in o.items
+                ]
+            } for o in user.orders                # 可能有几千个订单
+        ],
+        "audit_log": user.audit_log,              # 审计日志，不应暴露给客户端
+    }
+```
+### 正确示例
+```python
+# 基础响应 -- 只包含核心字段
+class UserSummary(BaseModel):
+    id: int
+    name: str
+    email: str
+    avatar_url: str  # URL 而非 base64
+# 详情响应 -- 按需扩展
+class UserDetail(UserSummary):
+    phone: str | None
+    created_at: datetime
+    order_count: int  # 聚合数字而非完整列表
+@app.get("/users/{user_id}", response_model=UserSummary)
+def get_user(user_id: int):
+    return user_repo.get_summary(user_id)
+@app.get("/users/{user_id}/detail", response_model=UserDetail)
+def get_user_detail(user_id: int):
+    return user_repo.get_detail(user_id)
+# 订单通过独立的分页接口获取
+@app.get("/users/{user_id}/orders", response_model=PaginatedResponse[OrderSummary])
+def get_user_orders(
+    user_id: int,
+    page: int = Query(1, ge=1),
+    page_size: int = Query(20, ge=1, le=100),
+):
+    return order_repo.get_by_user(user_id, page=page, page_size=page_size)
+# GraphQL 方案 -- 客户端自选字段
+type_defs = """
+type User {
+    id: ID!
+    name: String!
+    email: String!
+    avatarUrl: String
+    orders(first: Int = 10, after: String): OrderConnection
+}
+"""
+```
+### 检测方法
+- 响应 JSON 大小 > 100KB。
+- 响应中包含 base64 编码的二进制数据。
+- 响应中嵌套层级 > 3 层。
+- 响应中包含客户端不需要的内部字段（audit_log、internal_id 等）。
+### 修复步骤
+1. 分析前端实际使用的字段，删除未使用的字段。
+2. 将大对象（图片、文件）改为 URL 引用。
+3. 将嵌套列表拆分为独立的分页接口。
+4. 使用不同粒度的响应模型（Summary / Detail / Full）。
+5. 考虑 GraphQL 或 JSON:API sparse fieldsets 让客户端自选字段。
+### Agent Checklist
+- [ ] 单个响应 JSON < 100KB
+- [ ] 无 base64 编码的二进制数据（使用 URL）
+- [ ] 嵌套层级 <= 3
+- [ ] 列表数据通过独立分页接口获取
+- [ ] 响应模型不包含内部字段
+---
+## 5. 无限流 / 缺乏限流（Missing Rate Limiting）
+### 描述
+API 没有请求频率限制，任何客户端可以无限制地发起请求。导致 DDoS 攻击、恶意爬虫、单个客户端耗尽系统资源影响其他用户。
+### 错误示例
+```python
+# 无任何限流措施
+@app.post("/api/send-sms")
+def send_sms(phone: str, message: str):
+    # 恶意调用者可以无限发送短信，消耗短信费用
+    sms_service.send(phone, message)
+    return {"status": "sent"}
+@app.get("/api/search")
+def search(query: str):
+    # 无限制搜索请求，可能打垮搜索引擎
+    return search_engine.query(query)
+# 登录接口无限制 -- 可暴力破解
+@app.post("/api/login")
+def login(username: str, password: str):
+    user = authenticate(username, password)
+    if not user:
+        return {"error": "Invalid credentials"}, 401
+    return {"token": create_token(user)}
+```
+### 正确示例
+```python
+from slowapi import Limiter
+from slowapi.util import get_remote_address
+import redis
+limiter = Limiter(key_func=get_remote_address)
+# 全局默认限流
+@app.middleware("http")
+async def rate_limit_middleware(request: Request, call_next):
+    # 全局：每分钟 60 次
+    pass
+# 精细化限流
+@app.post("/api/send-sms")
+@limiter.limit("5/minute")  # 短信接口：每分钟 5 次
+def send_sms(request: Request, data: SmsRequest):
+    sms_service.send(data.phone, data.message)
+    return {"status": "sent"}
+@app.post("/api/login")
+@limiter.limit("10/minute")  # 登录接口：每分钟 10 次
+def login(request: Request, credentials: LoginRequest):
+    user = authenticate(credentials.username, credentials.password)
+    if not user:
+        # 记录失败次数，连续失败超过阈值锁定账号
+        failed_count = login_tracker.increment(credentials.username)
+        if failed_count >= MAX_LOGIN_ATTEMPTS:
+            login_tracker.lock(credentials.username, duration=LOCKOUT_MINUTES)
+        raise AppException(ErrorCode.UNAUTHORIZED, "Invalid credentials", status=401)
+    login_tracker.reset(credentials.username)
+    return {"token": create_token(user)}
+# API Key 维度的限流
+class ApiKeyRateLimiter:
+    def __init__(self, redis_client: redis.Redis):
+        self._redis = redis_client
+    def check(self, api_key: str, limit: int, window_seconds: int) -> bool:
+        key = f"rate_limit:{api_key}"
+        current = self._redis.incr(key)
+        if current == 1:
+            self._redis.expire(key, window_seconds)
+        return current <= limit
+```
+```
+# 响应 Header 包含限流信息
+HTTP/1.1 200 OK
+X-RateLimit-Limit: 60
+X-RateLimit-Remaining: 45
+X-RateLimit-Reset: 1704067200
+# 超限时返回 429
+HTTP/1.1 429 Too Many Requests
+Retry-After: 30
+{
+    "error": "RATE_LIMITED",
+    "message": "Too many requests. Please retry after 30 seconds.",
+    "request_id": "req_abc123"
+}
+```
+### 检测方法
+- API 代码中无限流 middleware 或装饰器。
+- 响应 Header 中无 `X-RateLimit-*` 字段。
+- 负载测试中无 429 响应。
+- 短信、邮件、登录等敏感接口无独立的限流策略。
+### 修复步骤
+1. 引入限流中间件（`slowapi` / Nginx `limit_req` / API Gateway）。
+2. 设置全局默认限流（如 60 次/分钟）。
+3. 对敏感接口（登录、短信、支付）设置更严格的限流。
+4. 在响应 Header 中返回限流信息。
+5. 超限时返回 HTTP 429 + `Retry-After` header。
+6. 使用 Redis 实现分布式限流（多实例部署场景）。
+### Agent Checklist
+- [ ] 所有公开 API 有全局限流
+- [ ] 敏感接口（登录/短信/支付）有独立限流
+- [ ] 响应包含 `X-RateLimit-*` Header
+- [ ] 超限返回 HTTP 429 + `Retry-After`
+- [ ] 登录接口有连续失败锁定机制
+---
+## 6. 无认证 / 认证不当（Missing or Broken Authentication）
+### 描述
+API 没有认证机制，或认证实现存在严重缺陷（Token 不过期、无刷新机制、敏感接口可匿名访问、JWT 密钥硬编码）。
+### 错误示例
+```python
+# 无认证：任何人都能访问
+@app.get("/api/users")
+def list_users():
+    return user_repo.get_all()
+@app.delete("/api/users/{user_id}")
+def delete_user(user_id: int):
+    user_repo.delete(user_id)
+    return {"status": "deleted"}
+# JWT 实现缺陷
+SECRET_KEY = "super-secret-123"  # 硬编码密钥
+def create_token(user):
+    return jwt.encode(
+        {"user_id": user.id},       # 无过期时间
+        SECRET_KEY,
+        algorithm="HS256"
+    )
+def verify_token(token):
+    try:
+        return jwt.decode(token, SECRET_KEY, algorithms=["HS256"])
+    except:
+        return None  # 吞掉所有异常
+```
+### 正确示例
+```python
+import os
+from datetime import datetime, timedelta, timezone
+from fastapi import Depends, HTTPException, Security
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+# 密钥从环境变量读取
+JWT_SECRET = os.environ["JWT_SECRET_KEY"]
+JWT_ALGORITHM = "HS256"
+ACCESS_TOKEN_EXPIRE_MINUTES = 15
+REFRESH_TOKEN_EXPIRE_DAYS = 7
+security = HTTPBearer()
+def create_access_token(user_id: int, roles: list[str]) -> str:
+    now = datetime.now(timezone.utc)
+    payload = {
+        "sub": str(user_id),
+        "roles": roles,
+        "iat": now,
+        "exp": now + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES),
+        "jti": str(uuid4()),  # 唯一 ID，支持 Token 吊销
+    }
+    return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM)
+def create_refresh_token(user_id: int) -> str:
+    now = datetime.now(timezone.utc)
+    payload = {
+        "sub": str(user_id),
+        "type": "refresh",
+        "exp": now + timedelta(days=REFRESH_TOKEN_EXPIRE_DAYS),
+        "jti": str(uuid4()),
+    }
+    return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM)
+async def get_current_user(
+    credentials: HTTPAuthorizationCredentials = Security(security),
+) -> User:
+    try:
+        payload = jwt.decode(
+            credentials.credentials, JWT_SECRET, algorithms=[JWT_ALGORITHM]
+        )
+    except jwt.ExpiredSignatureError:
+        raise HTTPException(status_code=401, detail="Token expired")
+    except jwt.InvalidTokenError:
+        raise HTTPException(status_code=401, detail="Invalid token")
+    # 检查 Token 是否被吊销
+    if token_blacklist.is_revoked(payload["jti"]):
+        raise HTTPException(status_code=401, detail="Token revoked")
+    user = user_repo.get(int(payload["sub"]))
+    if not user:
+        raise HTTPException(status_code=401, detail="User not found")
+    return user
+def require_role(*roles: str):
+    async def role_checker(user: User = Depends(get_current_user)):
+        if not any(r in user.roles for r in roles):
+            raise HTTPException(status_code=403, detail="Insufficient permissions")
+        return user
+    return role_checker
+# 接口使用认证和授权
+@app.get("/api/users", dependencies=[Depends(require_role("admin"))])
+def list_users(current_user: User = Depends(get_current_user)):
+    return user_repo.get_all()
+@app.delete("/api/users/{user_id}", dependencies=[Depends(require_role("admin"))])
+def delete_user(user_id: int, current_user: User = Depends(get_current_user)):
+    if user_id == current_user.id:
+        raise AppException(ErrorCode.CONFLICT, "Cannot delete yourself")
+    user_repo.soft_delete(user_id, operator=current_user.id)
+    return {"status": "deleted"}
+```
+### 检测方法
+- 接口 handler 无认证依赖（`Depends(get_current_user)` 或中间件）。
+- JWT 密钥硬编码在源码中。
+- Token 无 `exp` 字段或过期时间 > 24 小时。
+- 无 Token 吊销机制（黑名单）。
+- 管理接口和普通接口使用相同的权限级别。
+### 修复步骤
+1. 建立全局认证中间件，默认所有接口需要认证（白名单制）。
+2. JWT 密钥从环境变量读取，不同环境使用不同密钥。
+3. Access Token 过期时间设为 15 分钟，Refresh Token 设为 7 天。
+4. 实现 Token 吊销机制（Redis 黑名单或数据库记录）。
+5. 使用 RBAC 对不同接口设置不同的角色要求。
+6. 安全扫描工具（`bandit` / `semgrep`）检查硬编码密钥。
+### Agent Checklist
+- [ ] 所有非公开接口要求认证
+- [ ] JWT 密钥从环境变量读取
+- [ ] Access Token 过期时间 <= 30 分钟
+- [ ] 有 Refresh Token 机制
+- [ ] Token 支持吊销（黑名单）
+- [ ] 管理接口有独立的角色校验
+- [ ] 无硬编码的密钥或 Token
+---
+## 全局 Agent Checklist
+| 检查项 | 阈值 | 工具 |
+|--------|------|------|
+| API 命名一致性 | 100% | `spectral` / OpenAPI lint |
+| API 版本号 | 必须有 | URL / Header 检查 |
+| 错误格式统一性 | 100% | API 测试 / Contract 测试 |
+| 单响应大小 | < 100KB | APM / 网络监控 |
+| 限流覆盖率 | 100% 公开接口 | 压力测试 / 429 检查 |
+| 认证覆盖率 | 100% 非公开接口 | 安全扫描 / Pentest |
+| 硬编码密钥 | 0 处 | `bandit` / `semgrep` |