@umacloud/knowledge 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (418) hide show
  1. package/00-governance/governance-capabilities.md +557 -0
  2. package/00-governance/knowledge-map.md +39 -0
  3. package/00-governance/maintenance-policy.md +76 -0
  4. package/00-governance/review-checklist.md +81 -0
  5. package/README.md +13 -0
  6. package/ai/01-standards/agent-development-complete.md +691 -0
  7. package/ai/01-standards/llm-application-complete.md +488 -0
  8. package/ai/01-standards/mlops-complete.md +798 -0
  9. package/ai/01-standards/prompt-engineering-complete.md +646 -0
  10. package/ai/01-standards/rag-architecture-complete.md +649 -0
  11. package/ai/02-playbooks/llm-evaluation-playbook.md +847 -0
  12. package/ai/03-checklists/ai-project-checklist.md +215 -0
  13. package/ai/04-antipatterns/ai-antipatterns.md +661 -0
  14. package/ai/05-cases/case-rag-production.md +147 -0
  15. package/ai/06-glossary/ai-glossary.md +162 -0
  16. package/ai/agent-evaluation-benchmark.md +53 -0
  17. package/ai/ai-agent-memory-context-management.md +41 -0
  18. package/ai/ai-cost-capacity-optimization-playbook.md +42 -0
  19. package/ai/ai-data-security-and-compliance-playbook.md +37 -0
  20. package/ai/ai-domain-index-and-checklist.md +40 -0
  21. package/ai/ai-governance-maturity-model.md +50 -0
  22. package/ai/ai-model-selection-and-routing-strategy.md +47 -0
  23. package/ai/ai-observability-and-oncall-runbook.md +52 -0
  24. package/ai/ai-rag-engineering-playbook.md +42 -0
  25. package/ai/ai-red-team-and-safety-evaluation.md +42 -0
  26. package/ai/ai-release-readiness-and-rollback-gate.md +42 -0
  27. package/ai/llm-agent-engineering-deep-dive.md +57 -0
  28. package/ai/prompt-and-tool-guardrails.md +52 -0
  29. package/api/01-standards/enterprise-api-standards.md +198 -0
  30. package/api/01-standards/rest-api-design-guide.md +63 -0
  31. package/api/02-playbooks/api-pagination-playbook.md +93 -0
  32. package/api/02-playbooks/graphql-production-playbook.md +176 -0
  33. package/api/03-checklists/api-review-checklist.md +55 -0
  34. package/api/04-antipatterns/api-antipatterns.md +112 -0
  35. package/architecture/01-standards/api-gateway-patterns.md +496 -0
  36. package/architecture/01-standards/cloud-native-patterns.md +644 -0
  37. package/architecture/01-standards/distributed-systems-patterns.md +591 -0
  38. package/architecture/01-standards/event-driven-architecture.md +595 -0
  39. package/architecture/01-standards/microservices-patterns-complete.md +968 -0
  40. package/architecture/01-standards/microservices-patterns.md +495 -0
  41. package/architecture/01-standards/system-design-interview.md +664 -0
  42. package/architecture/02-playbooks/microservices-patterns-playbook.md +137 -0
  43. package/architecture/02-playbooks/migration-playbook.md +780 -0
  44. package/architecture/02-playbooks/system-design-playbook.md +779 -0
  45. package/architecture/03-checklists/architecture-decision-checklist.md +297 -0
  46. package/architecture/04-antipatterns/architecture-antipatterns.md +417 -0
  47. package/architecture/05-cases/case-netflix-microservices.md +413 -0
  48. package/architecture/06-glossary/architecture-glossary.md +164 -0
  49. package/architecture/adr-template-and-examples.md +38 -0
  50. package/architecture/api-gateway-deep-dive.md +1291 -0
  51. package/architecture/configuration-management.md +1162 -0
  52. package/architecture/distributed-transactions.md +1220 -0
  53. package/architecture/microservices-complete.md +735 -0
  54. package/architecture/resilience-and-disaster-patterns.md +37 -0
  55. package/architecture/service-governance.md +1198 -0
  56. package/architecture/system-architecture-deep-dive.md +37 -0
  57. package/backend/01-standards/analytics-and-growth.md +65 -0
  58. package/backend/01-standards/api-and-error-conventions.md +120 -0
  59. package/backend/01-standards/application-layering-and-packaging.md +160 -0
  60. package/backend/01-standards/auth-implementation.md +104 -0
  61. package/backend/01-standards/backend-framework-idioms.md +74 -0
  62. package/backend/01-standards/background-jobs-and-async.md +66 -0
  63. package/backend/01-standards/caching-strategies-complete.md +390 -0
  64. package/backend/01-standards/config-and-observability.md +77 -0
  65. package/backend/01-standards/data-modeling-and-persistence.md +94 -0
  66. package/backend/01-standards/django-complete.md +1765 -0
  67. package/backend/01-standards/email-and-notifications.md +64 -0
  68. package/backend/01-standards/fastapi-complete.md +925 -0
  69. package/backend/01-standards/file-upload-and-storage.md +66 -0
  70. package/backend/01-standards/graphql-api-complete.md +416 -0
  71. package/backend/01-standards/llm-application-standard.md +78 -0
  72. package/backend/01-standards/message-queue-patterns.md +379 -0
  73. package/backend/01-standards/microservices-and-distributed.md +78 -0
  74. package/backend/01-standards/nestjs-complete.md +2167 -0
  75. package/backend/01-standards/payment-integration.md +80 -0
  76. package/backend/01-standards/rate-limiting-complete.md +451 -0
  77. package/backend/01-standards/realtime-and-websocket.md +65 -0
  78. package/backend/01-standards/search-and-filtering.md +64 -0
  79. package/backend/01-standards/spring-boot-complete.md +445 -0
  80. package/backend/02-playbooks/api-design-playbook.md +718 -0
  81. package/backend/02-playbooks/email-send-playbook.md +130 -0
  82. package/backend/02-playbooks/file-upload-s3-playbook.md +153 -0
  83. package/backend/02-playbooks/typescript-enterprise-playbook.md +133 -0
  84. package/backend/02-playbooks/websocket-realtime-playbook.md +154 -0
  85. package/backend/03-checklists/api-launch-checklist.md +189 -0
  86. package/backend/04-antipatterns/backend-antipatterns.md +1051 -0
  87. package/blockchain/01-standards/blockchain-basics.md +557 -0
  88. package/blockchain/01-standards/smart-contract-development.md +1315 -0
  89. package/cicd/01-standards/deployment-and-delivery-standard.md +96 -0
  90. package/cicd/01-standards/github-actions-complete.md +473 -0
  91. package/cicd/01-standards/release-and-store-submission.md +75 -0
  92. package/cicd/02-playbooks/cicd-pipeline-playbook.md +144 -0
  93. package/cicd/02-playbooks/release-management-playbook.md +605 -0
  94. package/cicd/03-checklists/pipeline-security-checklist.md +168 -0
  95. package/cicd/04-antipatterns/cicd-antipatterns.md +589 -0
  96. package/cicd/05-cases/case-deployment-automation.md +221 -0
  97. package/cicd/05-cases/case-gitops-transformation.md +212 -0
  98. package/cicd/06-glossary/cicd-glossary.md +114 -0
  99. package/cicd/cicd-blueprint-deep-dive.md +38 -0
  100. package/cicd/release-readiness-gate.md +37 -0
  101. package/cloud-native/01-standards/container-security.md +741 -0
  102. package/cloud-native/01-standards/kubernetes-complete.md +812 -0
  103. package/cloud-native/02-playbooks/api-gateway-playbook.md +155 -0
  104. package/cloud-native/02-playbooks/gitops-with-argocd.md +760 -0
  105. package/cloud-native/02-playbooks/k8s-troubleshooting-playbook.md +1942 -0
  106. package/cloud-native/02-playbooks/message-queue-playbook.md +129 -0
  107. package/cloud-native/02-playbooks/multicloud-governance.md +726 -0
  108. package/cloud-native/02-playbooks/serverless-patterns.md +788 -0
  109. package/cloud-native/02-playbooks/service-mesh-playbook.md +612 -0
  110. package/cloud-native/02-playbooks/terraform-iac-playbook.md +143 -0
  111. package/cloud-native/03-checklists/container-security-checklist.md +431 -0
  112. package/cloud-native/03-checklists/k8s-production-readiness-checklist.md +460 -0
  113. package/cloud-native/04-antipatterns/container-antipatterns.md +660 -0
  114. package/cloud-native/04-antipatterns/k8s-antipatterns.md +743 -0
  115. package/cloud-native/05-cases/case-k8s-migration.md +478 -0
  116. package/cloud-native/05-cases/case-k8s-scaling.md +642 -0
  117. package/cloud-native/05-cases/case-k8s-security-incident.md +397 -0
  118. package/cloud-native/06-glossary/cloud-native-glossary.md +337 -0
  119. package/cross-platform/01-standards/cross-platform-frameworks.md +83 -0
  120. package/cross-platform/01-standards/platform-selection-and-architecture.md +77 -0
  121. package/data/01-standards/elasticsearch-complete.md +2098 -0
  122. package/data/01-standards/postgresql-complete.md +1613 -0
  123. package/data/01-standards/redis-complete.md +1527 -0
  124. package/data/02-playbooks/database-optimization-playbook.md +403 -0
  125. package/data/02-playbooks/elasticsearch-production-playbook.md +132 -0
  126. package/data/03-checklists/database-launch-checklist.md +187 -0
  127. package/data/04-antipatterns/database-antipatterns.md +873 -0
  128. package/data/05-cases/case-database-migration.md +310 -0
  129. package/data/06-glossary/database-glossary.md +440 -0
  130. package/data/data-governance-and-modeling-deep-dive.md +39 -0
  131. package/data-engineering/01-standards/airflow-complete.md +523 -0
  132. package/data-engineering/01-standards/kafka-complete.md +1521 -0
  133. package/data-engineering/02-playbooks/spark-etl-playbook.md +496 -0
  134. package/data-engineering/03-checklists/pipeline-launch-checklist.md +194 -0
  135. package/data-engineering/04-antipatterns/data-pipeline-antipatterns.md +684 -0
  136. package/data-engineering/05-cases/case-real-time-pipeline.md +355 -0
  137. package/data-engineering/06-glossary/data-engineering-glossary.md +429 -0
  138. package/database/01-standards/database-schema-standards.md +147 -0
  139. package/database/02-playbooks/postgresql-optimization-quick.md +52 -0
  140. package/database/02-playbooks/postgresql-performance-optimization.md +58 -0
  141. package/database/02-playbooks/postgresql-production-playbook.md +146 -0
  142. package/database/02-playbooks/redis-caching-playbook.md +117 -0
  143. package/database/03-checklists/database-review-checklist.md +50 -0
  144. package/database/04-antipatterns/database-antipatterns.md +112 -0
  145. package/design/01-standards/ui-design-system-complete.md +423 -0
  146. package/design/02-playbooks/design-handoff-playbook.md +254 -0
  147. package/design/02-playbooks/design-review-playbook.md +388 -0
  148. package/design/03-checklists/design-review-checklist.md +246 -0
  149. package/design/04-antipatterns/design-antipatterns.md +378 -0
  150. package/design/05-cases/case-design-system-adoption.md +328 -0
  151. package/design/06-glossary/design-glossary.md +329 -0
  152. package/design/ui-full-lifecycle-cross-platform-playbook.md +571 -0
  153. package/design/ux-system-deep-dive.md +38 -0
  154. package/design-systems/00-craft-rules.md +71 -0
  155. package/design-systems/aesthetic-families.md +43 -0
  156. package/design-systems/anti-ai-slop.md +162 -0
  157. package/design-systems/bold-geometric.md +120 -0
  158. package/design-systems/brutalist-bold.md +103 -0
  159. package/design-systems/editorial-clean.md +109 -0
  160. package/design-systems/glass-aurora.md +108 -0
  161. package/design-systems/modern-minimal.md +145 -0
  162. package/design-systems/premium-luxury.md +106 -0
  163. package/design-systems/product-type-design-map.md +48 -0
  164. package/design-systems/soft-warm.md +123 -0
  165. package/design-systems/tech-utility.md +113 -0
  166. package/desktop/01-standards/desktop-app-standard.md +72 -0
  167. package/desktop/01-standards/desktop-design.md +71 -0
  168. package/development/00-governance/document-template.md +41 -0
  169. package/development/01-standards/api-versioning-strategies.md +432 -0
  170. package/development/01-standards/authentication-patterns-complete.md +479 -0
  171. package/development/01-standards/css-architecture-complete.md +550 -0
  172. package/development/01-standards/database-migration-strategies.md +484 -0
  173. package/development/01-standards/elasticsearch-complete.md +347 -0
  174. package/development/01-standards/git-complete.md +371 -0
  175. package/development/01-standards/golang-complete.md +1565 -0
  176. package/development/01-standards/graphql-complete.md +298 -0
  177. package/development/01-standards/javascript-bundlers-complete.md +469 -0
  178. package/development/01-standards/javascript-typescript-complete.md +528 -0
  179. package/development/01-standards/jest-complete.md +275 -0
  180. package/development/01-standards/linux-complete.md +234 -0
  181. package/development/01-standards/logging-observability-complete.md +526 -0
  182. package/development/01-standards/microservices-communication.md +502 -0
  183. package/development/01-standards/mongodb-complete.md +406 -0
  184. package/development/01-standards/oauth2-complete.md +285 -0
  185. package/development/01-standards/performance-optimization-complete.md +289 -0
  186. package/development/01-standards/playwright-complete.md +247 -0
  187. package/development/01-standards/postgresql-complete.md +456 -0
  188. package/development/01-standards/pytest-complete.md +340 -0
  189. package/development/01-standards/python-async-programming.md +902 -0
  190. package/development/01-standards/python-complete.md +956 -0
  191. package/development/01-standards/python-decorators-complete.md +799 -0
  192. package/development/01-standards/python-design-patterns.md +2854 -0
  193. package/development/01-standards/python-packaging-distribution.md +420 -0
  194. package/development/01-standards/python-testing-strategies.md +607 -0
  195. package/development/01-standards/python-web-frameworks-comparison.md +471 -0
  196. package/development/01-standards/redis-complete.md +317 -0
  197. package/development/01-standards/rest-api-complete.md +316 -0
  198. package/development/01-standards/rust-complete.md +578 -0
  199. package/development/01-standards/typescript-advanced-types.md +1513 -0
  200. package/development/01-standards/web-security-complete.md +292 -0
  201. package/development/02-playbooks/api-design-playbook.md +810 -0
  202. package/development/02-playbooks/database-migration-playbook.md +580 -0
  203. package/development/02-playbooks/debugging-playbook.md +692 -0
  204. package/development/02-playbooks/feature-delivery-playbook.md +430 -0
  205. package/development/02-playbooks/incident-hotfix-playbook.md +387 -0
  206. package/development/02-playbooks/performance-optimization-playbook.md +531 -0
  207. package/development/02-playbooks/performance-tuning-playbook.md +652 -0
  208. package/development/02-playbooks/refactor-playbook.md +403 -0
  209. package/development/02-playbooks/release-playbook.md +469 -0
  210. package/development/03-checklists/architecture-review-checklist.md +168 -0
  211. package/development/03-checklists/data-migration-checklist.md +157 -0
  212. package/development/03-checklists/oncall-handover-checklist.md +173 -0
  213. package/development/03-checklists/pr-checklist.md +158 -0
  214. package/development/03-checklists/production-readiness-checklist.md +190 -0
  215. package/development/03-checklists/release-readiness-checklist.md +154 -0
  216. package/development/03-checklists/security-review-checklist.md +182 -0
  217. package/development/04-antipatterns/api-antipatterns.md +657 -0
  218. package/development/04-antipatterns/architecture-antipatterns.md +686 -0
  219. package/development/04-antipatterns/backend-antipatterns.md +648 -0
  220. package/development/04-antipatterns/cicd-antipatterns.md +540 -0
  221. package/development/04-antipatterns/code-smell-antipatterns.md +571 -0
  222. package/development/04-antipatterns/data-antipatterns.md +658 -0
  223. package/development/04-antipatterns/database-antipatterns.md +578 -0
  224. package/development/04-antipatterns/frontend-antipatterns.md +635 -0
  225. package/development/04-antipatterns/reliability-antipatterns.md +700 -0
  226. package/development/04-antipatterns/security-antipatterns.md +747 -0
  227. package/development/05-cases/case-api-version-migration.md +428 -0
  228. package/development/05-cases/case-authorization-hardening.md +383 -0
  229. package/development/05-cases/case-bluegreen-rollback.md +466 -0
  230. package/development/05-cases/case-cache-snowball-protection.md +485 -0
  231. package/development/05-cases/case-ci-cd-pipeline.md +544 -0
  232. package/development/05-cases/case-database-scaling.md +500 -0
  233. package/development/05-cases/case-db-hotspot-optimization.md +487 -0
  234. package/development/05-cases/case-incident-mttr-reduction.md +563 -0
  235. package/development/05-cases/case-microservice-migration.md +375 -0
  236. package/development/05-cases/case-performance-optimization.md +406 -0
  237. package/development/05-cases/case-security-incident-response.md +345 -0
  238. package/development/06-glossary/full-stack-glossary.md +166 -0
  239. package/development/09-maturity/quarterly-audit-template.md +35 -0
  240. package/development/11-ui-excellence/ui-aesthetic-system.md +41 -0
  241. package/development/11-ui-excellence/ui-engineering-excellence.md +435 -0
  242. package/development/12-scenarios/development-scenarios-guide.md +565 -0
  243. package/development/13-implementation-assets/implementation-toolkit.md +282 -0
  244. package/development/13-implementation-assets/knowledge-gates-execution.md +43 -0
  245. package/development/14-full-lifecycle/software-lifecycle-gates.md +511 -0
  246. package/development/15-lifecycle-templates/project-templates-collection.md +791 -0
  247. package/development/api-contract-and-versioning-guide.md +36 -0
  248. package/development/api-governance-complete.md +43 -0
  249. package/development/backend-engineering-complete.md +43 -0
  250. package/development/code-review-quality-complete.md +43 -0
  251. package/development/concurrency-reliability-complete.md +43 -0
  252. package/development/database-engineering-complete.md +43 -0
  253. package/development/engineering-effectiveness-complete.md +43 -0
  254. package/development/engineering-standards-deep-dive.md +38 -0
  255. package/development/frontend-engineering-complete.md +43 -0
  256. package/development/performance-capacity-complete.md +43 -0
  257. package/development/refactor-migration-complete.md +42 -0
  258. package/development/refactoring-and-techdebt-playbook.md +37 -0
  259. package/development/security-in-development-complete.md +43 -0
  260. package/devops/01-standards/cicd-pipeline-complete.md +262 -0
  261. package/devops/01-standards/docker-complete.md +1490 -0
  262. package/devops/01-standards/github-actions-complete.md +337 -0
  263. package/devops/01-standards/kubernetes-complete.md +638 -0
  264. package/devops/01-standards/terraform-complete.md +2117 -0
  265. package/devops/02-playbooks/docker-compose-playbook.md +233 -0
  266. package/devops/02-playbooks/docker-k8s-production-playbook.md +186 -0
  267. package/devops/02-playbooks/docker-production-playbook.md +952 -0
  268. package/edge-iot/01-standards/edge-iot-complete.md +473 -0
  269. package/experts/architect/api-design.md +178 -0
  270. package/experts/architect/methodology.md +124 -0
  271. package/experts/architect/security.md +75 -0
  272. package/experts/backend-lead/methodology.md +216 -0
  273. package/experts/devops/methodology.md +160 -0
  274. package/experts/frontend-lead/methodology.md +178 -0
  275. package/experts/product-manager/industry/ecommerce.md +43 -0
  276. package/experts/product-manager/industry/saas.md +40 -0
  277. package/experts/product-manager/methodology.md +97 -0
  278. package/experts/qa-lead/methodology.md +123 -0
  279. package/experts/qa-lead/test-strategy.md +128 -0
  280. package/experts/uiux-designer/methodology.md +125 -0
  281. package/frontend/01-standards/accessibility-complete.md +532 -0
  282. package/frontend/01-standards/accessibility-standard.md +74 -0
  283. package/frontend/01-standards/admin-dashboard-and-crud.md +72 -0
  284. package/frontend/01-standards/design-tokens-complete.md +444 -0
  285. package/frontend/01-standards/forms-and-validation.md +77 -0
  286. package/frontend/01-standards/frontend-architecture-and-layering.md +119 -0
  287. package/frontend/01-standards/i18n-and-localization.md +65 -0
  288. package/frontend/01-standards/nextjs-complete.md +451 -0
  289. package/frontend/01-standards/react-complete.md +713 -0
  290. package/frontend/01-standards/react-hooks-complete-guide.md +1100 -0
  291. package/frontend/01-standards/react-hooks-complete.md +1171 -0
  292. package/frontend/01-standards/seo-and-web-vitals.md +77 -0
  293. package/frontend/01-standards/state-management-complete.md +444 -0
  294. package/frontend/01-standards/vue-complete.md +499 -0
  295. package/frontend/01-standards/vue3-complete.md +2002 -0
  296. package/frontend/01-standards/web-framework-best-practices.md +64 -0
  297. package/frontend/01-standards/web-performance-complete.md +495 -0
  298. package/frontend/02-playbooks/accessibility-a11y-playbook.md +161 -0
  299. package/frontend/02-playbooks/frontend-performance-playbook.md +707 -0
  300. package/frontend/02-playbooks/i18n-internationalization-playbook.md +120 -0
  301. package/frontend/02-playbooks/performance-optimization-playbook.md +163 -0
  302. package/frontend/02-playbooks/react-nextjs-production-playbook.md +167 -0
  303. package/frontend/02-playbooks/react-state-management-playbook.md +173 -0
  304. package/frontend/03-checklists/component-quality-checklist.md +166 -0
  305. package/frontend/03-checklists/frontend-launch-checklist.md +299 -0
  306. package/frontend/04-antipatterns/frontend-antipatterns.md +886 -0
  307. package/frontend/05-cases/case-performance-optimization.md +274 -0
  308. package/harmony/01-standards/harmonyos-arkts-standard.md +75 -0
  309. package/harmony/01-standards/harmonyos-design.md +65 -0
  310. package/high-quality-engineering-playbook.md +54 -0
  311. package/incident/01-standards/incident-response-complete.md +303 -0
  312. package/incident/02-playbooks/chaos-engineering-playbook.md +883 -0
  313. package/incident/02-playbooks/postmortem-playbook.md +398 -0
  314. package/incident/03-checklists/incident-readiness-checklist.md +181 -0
  315. package/incident/04-antipatterns/incident-antipatterns.md +490 -0
  316. package/incident/05-cases/case-cascade-failure.md +176 -0
  317. package/incident/06-glossary/incident-glossary.md +114 -0
  318. package/incident/postmortem-and-response-deep-dive.md +39 -0
  319. package/industries/ecommerce/ecommerce-complete.md +631 -0
  320. package/industries/education/education-complete.md +555 -0
  321. package/industries/fintech/fintech-complete.md +501 -0
  322. package/industries/gaming/gaming-complete.md +587 -0
  323. package/industries/healthcare/healthcare-complete.md +452 -0
  324. package/low-code/01-standards/low-code-complete.md +944 -0
  325. package/miniprogram/01-standards/ai-common-mistakes.md +61 -0
  326. package/miniprogram/01-standards/miniprogram-custom-navbar-capsule.md +77 -0
  327. package/miniprogram/01-standards/miniprogram-design.md +61 -0
  328. package/miniprogram/01-standards/miniprogram-standard.md +81 -0
  329. package/mobile/01-standards/android-material-design.md +70 -0
  330. package/mobile/01-standards/flutter-complete.md +384 -0
  331. package/mobile/01-standards/ios-design-hig.md +78 -0
  332. package/mobile/01-standards/mobile-app-standard.md +85 -0
  333. package/mobile/01-standards/react-native-complete.md +352 -0
  334. package/mobile/02-playbooks/mobile-cross-platform-playbook.md +175 -0
  335. package/mobile/02-playbooks/mobile-performance.md +473 -0
  336. package/mobile/03-checklists/mobile-release-checklist.md +234 -0
  337. package/mobile/04-antipatterns/mobile-antipatterns.md +798 -0
  338. package/mobile/05-cases/case-app-performance.md +500 -0
  339. package/mobile/05-cases/case-app-startup-optimization.md +218 -0
  340. package/mobile/06-glossary/mobile-glossary.md +484 -0
  341. package/observability/01-standards/observability-standards.md +103 -0
  342. package/observability/02-playbooks/prometheus-grafana-playbook.md +135 -0
  343. package/observability/02-playbooks/structured-logging-playbook.md +73 -0
  344. package/observability/03-checklists/observability-checklist.md +54 -0
  345. package/observability/04-antipatterns/observability-antipatterns.md +106 -0
  346. package/operations/01-standards/prometheus-monitoring-complete.md +1578 -0
  347. package/operations/02-playbooks/capacity-planning-playbook.md +620 -0
  348. package/operations/03-checklists/production-launch-checklist.md +365 -0
  349. package/operations/04-antipatterns/operations-antipatterns.md +664 -0
  350. package/operations/05-cases/case-sre-practices.md +581 -0
  351. package/operations/06-glossary/operations-glossary.md +120 -0
  352. package/operations/aiops-anomaly-detection.md +758 -0
  353. package/operations/capacity-planning.md +1061 -0
  354. package/operations/chaos-engineering.md +659 -0
  355. package/operations/incident-command-system.md +38 -0
  356. package/operations/observability-complete.md +442 -0
  357. package/operations/slo-sli-playbook.md +517 -0
  358. package/operations/sre-operations-deep-dive.md +39 -0
  359. package/package.json +8 -0
  360. package/performance/01-standards/performance-and-scalability.md +80 -0
  361. package/performance/01-standards/performance-standards.md +156 -0
  362. package/performance/02-playbooks/query-optimization-playbook.md +103 -0
  363. package/performance/03-checklists/performance-checklist.md +56 -0
  364. package/performance/04-antipatterns/performance-antipatterns.md +146 -0
  365. package/product/01-standards/product-management-complete.md +285 -0
  366. package/product/02-playbooks/feature-launch-playbook.md +207 -0
  367. package/product/02-playbooks/user-research-playbook.md +532 -0
  368. package/product/03-checklists/feature-launch-checklist.md +275 -0
  369. package/product/04-antipatterns/product-antipatterns.md +355 -0
  370. package/product/05-cases/case-mvp-to-scale.md +384 -0
  371. package/product/06-glossary/product-glossary.md +462 -0
  372. package/product/feature-prioritization-framework.md +40 -0
  373. package/product/kpi-and-metric-tree.md +37 -0
  374. package/product/product-discovery-and-prd-deep-dive.md +41 -0
  375. package/quantum/01-standards/quantum-complete.md +1186 -0
  376. package/security/01-standards/api-security-complete.md +511 -0
  377. package/security/01-standards/container-runtime-security.md +574 -0
  378. package/security/01-standards/data-protection-gdpr.md +543 -0
  379. package/security/01-standards/owasp-top10-complete.md +1890 -0
  380. package/security/01-standards/secure-coding-baseline.md +90 -0
  381. package/security/01-standards/supply-chain-security.md +441 -0
  382. package/security/01-standards/web-security-checklist.md +108 -0
  383. package/security/01-standards/zero-trust-architecture.md +521 -0
  384. package/security/02-playbooks/auth-sso-playbook.md +166 -0
  385. package/security/02-playbooks/incident-response-security-playbook.md +588 -0
  386. package/security/02-playbooks/owasp-api-security-playbook.md +129 -0
  387. package/security/02-playbooks/payment-integration-playbook.md +119 -0
  388. package/security/02-playbooks/penetration-testing-playbook.md +517 -0
  389. package/security/03-checklists/security-audit-checklist.md +356 -0
  390. package/security/04-antipatterns/security-coding-antipatterns.md +580 -0
  391. package/security/05-cases/case-log4shell-incident.md +537 -0
  392. package/security/05-cases/case-major-breaches.md +468 -0
  393. package/security/06-glossary/security-glossary.md +212 -0
  394. package/security/compliance-automation.md +993 -0
  395. package/security/container-security.md +680 -0
  396. package/security/devsecops-complete.md +426 -0
  397. package/security/sast-dast-sca.md +775 -0
  398. package/security/secrets-management.md +594 -0
  399. package/security/security-architecture-deep-dive.md +37 -0
  400. package/security/threat-modeling-stride-playbook.md +40 -0
  401. package/seed-templates/auth-system.md +59 -0
  402. package/seed-templates/blog-content.md +94 -0
  403. package/seed-templates/dashboard.md +89 -0
  404. package/seed-templates/docs-site.md +73 -0
  405. package/seed-templates/e-commerce.md +50 -0
  406. package/seed-templates/saas-landing.md +92 -0
  407. package/seed-templates/settings-page.md +51 -0
  408. package/testing/01-standards/test-strategy-and-layering.md +83 -0
  409. package/testing/01-standards/testing-strategy-complete.md +422 -0
  410. package/testing/01-standards/unit-testing-best-practices.md +118 -0
  411. package/testing/02-playbooks/e2e-testing-playbook.md +988 -0
  412. package/testing/02-playbooks/testing-strategy-playbook.md +126 -0
  413. package/testing/03-checklists/test-strategy-checklist.md +208 -0
  414. package/testing/04-antipatterns/testing-antipatterns.md +718 -0
  415. package/testing/05-cases/case-testing-transformation.md +300 -0
  416. package/testing/06-glossary/testing-glossary.md +110 -0
  417. package/testing/risk-based-test-matrix.md +36 -0
  418. package/testing/testing-strategy-deep-dive.md +37 -0
package/security/03-checklists/security-audit-checklist.md ADDED
@@ -0,0 +1,356 @@
1
+ ---
2
+ id: security-audit-checklist
3
+ title: 安全审计检查清单
4
+ domain: security
5
+ category: 03-checklists
6
+ difficulty: intermediate
7
+ tags: [audit, authentication, authorization, checklist, security, 依赖与供应链安全, 加密与密钥管理, 基础设施安全]
8
+ quality_score: 70
9
+ last_updated: 2026-06-15
10
+ ---
11
+ # 安全审计检查清单
12
+
13
+ > 适用范围:Web 应用、API 服务、微服务架构、云原生基础设施
14
+ > 维护周期:每季度审查一次,重大安全事件后立即更新
15
+ > 严重级别标注:🔴 Critical | 🟠 High | 🟡 Medium | 🟢 Low
16
+
17
+ ---
18
+
19
+ ## 1. 认证安全 (Authentication)
20
+
21
+ ### 1.1 OAuth 2.0 / OpenID Connect
22
+
23
+ - [ ] 🔴 Authorization Code + PKCE 流程用于公共客户端,禁止 Implicit 流程
24
+ - [ ] 🔴 Access Token 有效期不超过 15 分钟
25
+ - [ ] 🔴 Refresh Token 启用轮换(Rotation),使用后旧 Token 立即失效
26
+ - [ ] 🟠 Token 中不包含敏感业务数据(如密码、身份证号)
27
+ - [ ] 🟠 严格验证 redirect_uri,使用精确匹配而非通配符
28
+ - [ ] 🟠 state 参数绑定会话,防止 CSRF 攻击
29
+ - [ ] 🟡 配置 Token 撤销端点(Revocation Endpoint)
30
+ - [ ] 🟡 Authorization Server 支持 Token Introspection
31
+ - [ ] 🟢 客户端凭证(client_secret)存储于密钥管理系统,不硬编码
32
+
33
+ ### 1.2 JWT (JSON Web Token)
34
+
35
+ - [ ] 🔴 验证签名算法,拒绝 `alg: none`
36
+ - [ ] 🔴 使用 RS256 或 ES256 非对称算法,避免 HS256 共享密钥
37
+ - [ ] 🔴 严格校验 `iss`、`aud`、`exp`、`nbf` 声明
38
+ - [ ] 🟠 JWT 密钥定期轮换(至少每 90 天)
39
+ - [ ] 🟠 敏感操作需要验证 JWT 中的 `jti`(唯一标识)防重放
40
+ - [ ] 🟡 JWK Set (JWKS) 端点启用缓存并设置合理 TTL
41
+ - [ ] 🟡 JWT Payload 不存储超过授权所需的最小信息
42
+ - [ ] 🟢 日志记录 JWT 验证失败事件,包含来源 IP
43
+
44
+ ### 1.3 多因素认证 (MFA)
45
+
46
+ - [ ] 🔴 管理员账户强制启用 MFA
47
+ - [ ] 🔴 支持 TOTP(如 Google Authenticator)或硬件密钥(FIDO2/WebAuthn)
48
+ - [ ] 🟠 MFA 恢复码加密存储,仅生成一次并提示用户保存
49
+ - [ ] 🟠 MFA 验证失败次数限制(如连续 5 次失败锁定 15 分钟)
50
+ - [ ] 🟡 SMS 验证码作为备选而非主要 MFA 手段(SIM Swap 风险)
51
+ - [ ] 🟡 MFA 注册/解绑操作需要额外身份验证
52
+ - [ ] 🟢 记录所有 MFA 操作的审计日志
53
+
54
+ ### 1.4 密码策略
55
+
56
+ - [ ] 🔴 密码使用 bcrypt / scrypt / Argon2 哈希存储,禁止 MD5/SHA1
57
+ - [ ] 🔴 密码最低 12 位,包含大小写字母、数字、特殊字符
58
+ - [ ] 🟠 检查密码是否在已知泄露数据库中(如 HaveIBeenPwned API)
59
+ - [ ] 🟠 登录失败锁定策略:5 次失败后锁定 15 分钟
60
+ - [ ] 🟡 禁止使用最近 10 次历史密码
61
+ - [ ] 🟡 密码重置链接一次性使用,有效期不超过 30 分钟
62
+ - [ ] 🟢 密码强度实时反馈(前端 zxcvbn 库)
63
+
64
+ ---
65
+
66
+ ## 2. 授权安全 (Authorization)
67
+
68
+ ### 2.1 RBAC / ABAC
69
+
70
+ - [ ] 🔴 最小权限原则:默认拒绝,显式授权
71
+ - [ ] 🔴 角色权限矩阵文档化并定期审查(至少每季度)
72
+ - [ ] 🔴 水平越权检查:用户只能访问自己的资源
73
+ - [ ] 🔴 垂直越权检查:普通用户不能执行管理员操作
74
+ - [ ] 🟠 API 端点级别的权限控制,不仅依赖前端隐藏
75
+ - [ ] 🟠 敏感操作(删除、导出、批量修改)需要二次确认或审批流
76
+ - [ ] 🟡 服务间调用使用独立的 Service Account,权限范围最小化
77
+ - [ ] 🟡 权限变更记录审计日志
78
+ - [ ] 🟢 定期清理不活跃账户和过期权限
79
+
80
+ ### 2.2 API 授权
81
+
82
+ - [ ] 🔴 所有 API 端点需要认证,公开端点显式标注白名单
83
+ - [ ] 🟠 API Rate Limiting:按用户/IP/API Key 限流
84
+ - [ ] 🟠 GraphQL 查询深度限制和复杂度分析
85
+ - [ ] 🟡 API 密钥区分环境(dev/staging/prod),禁止混用
86
+ - [ ] 🟡 Webhook 请求验证签名(如 HMAC-SHA256)
87
+ - [ ] 🟢 API 文档标注每个端点所需权限级别
88
+
89
+ ---
90
+
91
+ ## 3. 输入验证与注入防护
92
+
93
+ ### 3.1 跨站脚本攻击 (XSS)
94
+
95
+ - [ ] 🔴 所有用户输入在输出时进行上下文相关编码(HTML/JS/URL/CSS)
96
+ - [ ] 🔴 配置 Content-Security-Policy (CSP) 头,禁止 `unsafe-inline`
97
+ - [ ] 🔴 富文本编辑器使用白名单过滤(如 DOMPurify)
98
+ - [ ] 🟠 Cookie 设置 HttpOnly 和 Secure 标志
99
+ - [ ] 🟠 使用框架自带的模板引擎自动转义(React JSX、Vue 模板)
100
+ - [ ] 🟡 X-XSS-Protection 和 X-Content-Type-Options 头配置
101
+ - [ ] 🟡 SVG 文件上传需要清洗内嵌脚本
102
+ - [ ] 🟢 定期使用自动化工具扫描 DOM XSS
103
+
104
+ ### 3.2 SQL 注入 (SQLi)
105
+
106
+ - [ ] 🔴 全部使用参数化查询 / 预编译语句,禁止字符串拼接
107
+ - [ ] 🔴 ORM 框架中禁止使用 raw query,如必须使用需经安全评审
108
+ - [ ] 🟠 数据库账户最小权限:应用账户禁止 DROP/GRANT 权限
109
+ - [ ] 🟠 错误信息不暴露数据库结构(关闭详细错误页面)
110
+ - [ ] 🟡 存储过程中的动态 SQL 同样使用参数化
111
+ - [ ] 🟡 定期使用 SQLMap 等工具进行注入测试
112
+ - [ ] 🟢 数据库查询日志监控异常模式
113
+
114
+ ### 3.3 服务端请求伪造 (SSRF)
115
+
116
+ - [ ] 🔴 URL 白名单机制:仅允许访问预定义的外部域名
117
+ - [ ] 🔴 禁止访问内网地址段(10.0.0.0/8、172.16.0.0/12、192.168.0.0/16)
118
+ - [ ] 🔴 禁止 `file://`、`gopher://`、`dict://` 等危险协议
119
+ - [ ] 🟠 DNS 重绑定防护:解析后验证 IP 地址
120
+ - [ ] 🟠 响应内容不直接回显给用户
121
+ - [ ] 🟡 云环境中禁止访问元数据服务(169.254.169.254)
122
+ - [ ] 🟢 请求超时设置不超过 10 秒
123
+
124
+ ### 3.4 其他注入
125
+
126
+ - [ ] 🔴 命令注入:禁止将用户输入拼接到系统命令中
127
+ - [ ] 🔴 LDAP 注入:LDAP 查询参数转义
128
+ - [ ] 🟠 XML 外部实体(XXE):禁用外部实体解析
129
+ - [ ] 🟠 路径遍历:文件操作验证并规范化路径,禁止 `../`
130
+ - [ ] 🟡 正则表达式拒绝服务(ReDoS):避免灾难性回溯模式
131
+ - [ ] 🟡 模板注入(SSTI):用户输入不进入模板引擎
132
+ - [ ] 🟢 日志注入:用户输入写入日志前转义换行符
133
+
134
+ ---
135
+
136
+ ## 4. 加密与密钥管理
137
+
138
+ ### 4.1 传输加密 (TLS)
139
+
140
+ - [ ] 🔴 全站 HTTPS,HTTP 自动 301 重定向到 HTTPS
141
+ - [ ] 🔴 TLS 1.2 为最低版本,推荐 TLS 1.3
142
+ - [ ] 🔴 禁用 SSLv3、TLS 1.0、TLS 1.1
143
+ - [ ] 🟠 HSTS 头配置,max-age 至少 1 年,包含 subdomains
144
+ - [ ] 🟠 证书使用 2048-bit RSA 或 256-bit ECC
145
+ - [ ] 🟠 证书自动续期(如 Let's Encrypt + certbot)
146
+ - [ ] 🟡 配置 OCSP Stapling 加速证书验证
147
+ - [ ] 🟡 禁用弱密码套件(RC4、DES、3DES、NULL)
148
+ - [ ] 🟢 使用 SSL Labs 测试评分达到 A+ 级别
149
+
150
+ ### 4.2 存储加密
151
+
152
+ - [ ] 🔴 敏感数据(PII、支付信息)数据库字段级加密(AES-256-GCM)
153
+ - [ ] 🔴 磁盘全盘加密(LUKS / BitLocker / AWS EBS 加密)
154
+ - [ ] 🟠 备份数据同样加密,密钥与主数据密钥分离
155
+ - [ ] 🟠 日志中脱敏处理(手机号、身份证号、银行卡号)
156
+ - [ ] 🟡 文件上传加密存储,下载时按需解密
157
+ - [ ] 🟡 数据库连接使用 TLS,验证服务端证书
158
+ - [ ] 🟢 临时文件处理后安全删除(覆写后删除)
159
+
160
+ ### 4.3 密钥管理
161
+
162
+ - [ ] 🔴 密钥存储于专用 KMS(AWS KMS / HashiCorp Vault / Azure Key Vault)
163
+ - [ ] 🔴 代码仓库中不存储任何密钥、密码、Token(git-secrets 扫描)
164
+ - [ ] 🔴 密钥轮换策略:对称密钥每 90 天,非对称密钥每年
165
+ - [ ] 🟠 密钥访问控制:最小权限 + 审计日志
166
+ - [ ] 🟠 环境变量或密钥管理服务注入密钥,不使用配置文件
167
+ - [ ] 🟡 密钥泄露应急预案:泄露后 1 小时内完成轮换
168
+ - [ ] 🟡 加密算法迁移计划(为后量子密码学做准备)
169
+ - [ ] 🟢 密钥使用监控,检测异常访问模式
170
+
171
+ ---
172
+
173
+ ## 5. 依赖与供应链安全
174
+
175
+ ### 5.1 软件成分分析 (SCA)
176
+
177
+ - [ ] 🔴 CI/CD 管道集成 SCA 工具(Snyk / Dependabot / Renovate)
178
+ - [ ] 🔴 已知高危漏洞(CVSS >= 9.0)阻断构建
179
+ - [ ] 🟠 依赖锁文件(package-lock.json / poetry.lock)提交到版本控制
180
+ - [ ] 🟠 定期更新依赖(至少每月检查一次)
181
+ - [ ] 🟡 评估间接依赖(transitive dependencies)的安全状态
182
+ - [ ] 🟡 使用私有制品仓库(Nexus / Artifactory)镜像公共包
183
+ - [ ] 🟢 记录所有第三方组件的许可证合规性
184
+
185
+ ### 5.2 npm 生态安全
186
+
187
+ - [ ] 🔴 `npm audit` 集成到 CI,high/critical 级别阻断
188
+ - [ ] 🔴 锁定依赖版本,禁止 `*` 或 `latest` 版本号
189
+ - [ ] 🟠 检查 npm 包的维护状态(最后更新时间、下载量、maintainer 数)
190
+ - [ ] 🟠 启用 npm 2FA 用于发布操作
191
+ - [ ] 🟡 使用 `npm-shrinkwrap.json` 确保生产依赖精确锁定
192
+ - [ ] 🟡 监控依赖包的所有权转移(包被接管风险)
193
+ - [ ] 🟢 检查 postinstall 脚本是否包含恶意代码
194
+
195
+ ### 5.3 Python 生态安全
196
+
197
+ - [ ] 🔴 `pip-audit` 或 `safety check` 集成到 CI
198
+ - [ ] 🔴 使用 `pip install --require-hashes` 验证包完整性
199
+ - [ ] 🟠 虚拟环境隔离(venv / conda),禁止系统级安装
200
+ - [ ] 🟠 PyPI 包名检查,防止 typosquatting 攻击
201
+ - [ ] 🟡 使用 `pip-compile` 生成确定性依赖列表
202
+ - [ ] 🟡 私有包使用 `--index-url` 指向内部 PyPI 镜像
203
+ - [ ] 🟢 检查 setup.py / pyproject.toml 中的构建脚本
204
+
205
+ ### 5.4 容器镜像安全
206
+
207
+ - [ ] 🔴 使用官方基础镜像,标签锁定到具体版本(禁止 `latest`)
208
+ - [ ] 🔴 镜像扫描(Trivy / Grype / Snyk Container)集成到 CI
209
+ - [ ] 🟠 多阶段构建,最终镜像不包含构建工具和源码
210
+ - [ ] 🟠 非 root 用户运行容器进程
211
+ - [ ] 🟡 镜像签名(Cosign / Notary)
212
+ - [ ] 🟡 定期重建基础镜像以获取安全补丁
213
+ - [ ] 🟢 SBOM(Software Bill of Materials)生成并存档
214
+
215
+ ---
216
+
217
+ ## 6. 基础设施安全
218
+
219
+ ### 6.1 网络安全
220
+
221
+ - [ ] 🔴 网络分段:数据库/缓存不暴露到公网
222
+ - [ ] 🔴 防火墙规则:默认拒绝,按需开放端口
223
+ - [ ] 🔴 管理端口(SSH 22 / RDP 3389)仅允许跳板机访问
224
+ - [ ] 🟠 VPC / VLAN 隔离不同环境(dev / staging / prod)
225
+ - [ ] 🟠 WAF(Web Application Firewall)部署并配置规则集
226
+ - [ ] 🟠 DDoS 防护(如 Cloudflare / AWS Shield)
227
+ - [ ] 🟡 DNS 安全:DNSSEC 启用,防止 DNS 劫持
228
+ - [ ] 🟡 出站流量监控,检测数据外泄
229
+ - [ ] 🟢 网络拓扑图文档化并定期更新
230
+
231
+ ### 6.2 服务器安全
232
+
233
+ - [ ] 🔴 操作系统安全补丁及时更新(关键补丁 72 小时内)
234
+ - [ ] 🔴 SSH 密钥认证,禁用密码登录
235
+ - [ ] 🟠 服务进程使用最小权限用户运行
236
+ - [ ] 🟠 文件系统权限最小化(配置文件 640,可执行文件 750)
237
+ - [ ] 🟡 内核安全参数加固(sysctl 配置)
238
+ - [ ] 🟡 不必要的服务和端口关闭
239
+ - [ ] 🟢 CIS Benchmark 基线检查
240
+
241
+ ### 6.3 日志与监控
242
+
243
+ - [ ] 🔴 集中化日志收集(ELK / Splunk / Datadog)
244
+ - [ ] 🔴 安全事件实时告警(认证失败、权限异常、异常流量)
245
+ - [ ] 🔴 日志不可篡改(写入后只读 / 签名验证)
246
+ - [ ] 🟠 日志保留期至少 180 天(合规要求可能更长)
247
+ - [ ] 🟠 日志中不记录敏感信息(密码、Token、信用卡号)
248
+ - [ ] 🟡 异常行为检测(UEBA)规则配置
249
+ - [ ] 🟡 定期审查日志告警规则有效性
250
+ - [ ] 🟢 日志访问控制:仅安全团队可查看完整日志
251
+
252
+ ### 6.4 Kubernetes 安全
253
+
254
+ - [ ] 🔴 Pod Security Standards 配置(Restricted 级别)
255
+ - [ ] 🔴 RBAC 最小权限:Service Account 不使用 cluster-admin
256
+ - [ ] 🟠 Network Policy 限制 Pod 间通信
257
+ - [ ] 🟠 Secret 加密存储(etcd 加密 / External Secrets Operator)
258
+ - [ ] 🟡 Admission Controller(OPA Gatekeeper / Kyverno)策略
259
+ - [ ] 🟡 容器运行时安全(Falco / Sysdig)
260
+ - [ ] 🟢 Kubernetes 版本及时更新,跟踪 CVE
261
+
262
+ ---
263
+
264
+ ## 7. 合规与隐私
265
+
266
+ ### 7.1 GDPR(通用数据保护条例)
267
+
268
+ - [ ] 🔴 用户数据处理有合法法律基础(同意 / 合同 / 正当利益)
269
+ - [ ] 🔴 隐私政策清晰告知数据收集目的、范围、保留期
270
+ - [ ] 🔴 数据主体权利实现:访问权、删除权、可携带权、更正权
271
+ - [ ] 🟠 数据处理协议(DPA)与所有第三方处理方签署
272
+ - [ ] 🟠 数据泄露 72 小时内通知监管机构
273
+ - [ ] 🟡 数据保护影响评估(DPIA)用于高风险处理活动
274
+ - [ ] 🟡 指定数据保护官(DPO)或等效负责人
275
+ - [ ] 🟢 Cookie Banner 合规(非必要 Cookie 需用户同意)
276
+
277
+ ### 7.2 SOC 2
278
+
279
+ - [ ] 🔴 安全策略文档化并经管理层批准
280
+ - [ ] 🔴 访问控制:入职/离职/调岗的权限变更流程
281
+ - [ ] 🟠 变更管理:代码变更需要 PR 审批和 CI 通过
282
+ - [ ] 🟠 事件响应计划文档化并定期演练
283
+ - [ ] 🟡 供应商风险评估流程
284
+ - [ ] 🟡 业务连续性计划和灾难恢复演练
285
+ - [ ] 🟢 员工安全意识培训记录
286
+
287
+ ### 7.3 等保(中国信息安全等级保护)
288
+
289
+ - [ ] 🔴 系统定级备案(二级/三级根据业务重要性)
290
+ - [ ] 🔴 三级系统双因素认证
291
+ - [ ] 🔴 安全审计日志保留不少于 180 天
292
+ - [ ] 🟠 网络安全区域划分(安全域隔离)
293
+ - [ ] 🟠 数据库审计系统部署
294
+ - [ ] 🟡 入侵检测/防御系统(IDS/IPS)部署
295
+ - [ ] 🟡 定期漏洞扫描和渗透测试(至少每年一次)
296
+ - [ ] 🟢 安全运维管理制度文档化
297
+
298
+ ### 7.4 行业特定合规
299
+
300
+ - [ ] 🟠 支付业务:PCI DSS 合规(卡号不落地、令牌化)
301
+ - [ ] 🟠 医疗健康:HIPAA 合规(PHI 加密、审计跟踪)
302
+ - [ ] 🟡 金融行业:数据分类分级管理
303
+ - [ ] 🟡 跨境数据传输:标准合同条款(SCC)或充分性认定
304
+ - [ ] 🟢 未成年人数据保护:COPPA / 个人信息保护法儿童条款
305
+
306
+ ---
307
+
308
+ ## 8. 安全开发生命周期 (SDL)
309
+
310
+ ### 8.1 安全设计
311
+
312
+ - [ ] 🔴 威胁建模(STRIDE / DREAD)在设计阶段完成
313
+ - [ ] 🟠 安全架构评审:新服务/新接口上线前
314
+ - [ ] 🟡 安全需求在 PRD 中明确标注
315
+ - [ ] 🟢 安全设计文档归档
316
+
317
+ ### 8.2 安全编码
318
+
319
+ - [ ] 🔴 代码审查包含安全检查项
320
+ - [ ] 🔴 SAST 工具(SonarQube / Semgrep / CodeQL)集成到 CI
321
+ - [ ] 🟠 敏感数据处理代码由安全团队 Review
322
+ - [ ] 🟡 安全编码规范文档化并培训
323
+ - [ ] 🟢 代码中的安全注释(`// SECURITY: ...`)标记关键安全决策
324
+
325
+ ### 8.3 安全测试
326
+
327
+ - [ ] 🔴 DAST 扫描(OWASP ZAP / Burp Suite)在 staging 环境运行
328
+ - [ ] 🔴 渗透测试:重大版本发布前执行
329
+ - [ ] 🟠 安全回归测试:修复后的漏洞添加自动化测试用例
330
+ - [ ] 🟠 模糊测试(Fuzzing)用于解析器和协议处理模块
331
+ - [ ] 🟡 API 安全测试:认证绕过、越权、注入
332
+ - [ ] 🟢 安全测试覆盖率跟踪
333
+
334
+ ### 8.4 安全运营
335
+
336
+ - [ ] 🔴 安全事件响应流程(检测 -> 遏制 -> 根除 -> 恢复 -> 复盘)
337
+ - [ ] 🔴 漏洞管理:Critical 24h / High 72h / Medium 30d / Low 90d 修复 SLA
338
+ - [ ] 🟠 安全监控 7x24 值班或托管 SOC 服务
339
+ - [ ] 🟠 红队/蓝队定期对抗演练
340
+ - [ ] 🟡 Bug Bounty 计划或 VDP(漏洞披露政策)
341
+ - [ ] 🟢 安全度量指标定期汇报(MTTD / MTTR / 漏洞密度)
342
+
343
+ ---
344
+
345
+ ## Agent Checklist
346
+
347
+ - [ ] 安全审计清单已覆盖 8 个安全域
348
+ - [ ] 每个检查项均标注严重级别(Critical/High/Medium/Low)
349
+ - [ ] Checkbox 格式可直接用于审计跟踪
350
+ - [ ] 认证与授权章节覆盖 OAuth2、JWT、RBAC、MFA
351
+ - [ ] 输入验证章节覆盖 XSS、SQLi、SSRF 及其他注入类型
352
+ - [ ] 加密章节覆盖传输 TLS、存储 AES、密钥管理
353
+ - [ ] 依赖安全章节覆盖 SCA、npm audit、pip-audit、容器镜像
354
+ - [ ] 基础设施章节覆盖防火墙、网络隔离、日志审计、K8s 安全
355
+ - [ ] 合规章节覆盖 GDPR、SOC2、等保、行业特定合规
356
+ - [ ] SDL 章节覆盖安全设计、编码、测试、运营全生命周期