code-yangzz 1.0.0

package/skills/tools/verify-quality/SKILL.md

@@ -0,0 +1,159 @@
+---
+name: verify-quality
+description: 代码质量校验关卡。检测复杂度、重复代码、命名规范、函数长度等质量指标。当用户提到代码质量、复杂度检查、代码异味、重构建议、lint检查、代码规范时使用。在复杂模块、重构完成时自动触发。
+license: MIT
+compatibility: node>=18
+user-invocable: true
+disable-model-invocation: false
+allowed-tools: Bash, Read, Glob
+argument-hint: <扫描路径>
+---
+
+# ⚖ 校验关卡 · 代码质量
+
+## 核心原则
+
+```
+代码质量 = 可读性 + 可维护性 + 可测试性
+劣质代码是技术债，技术债是
+复杂度是 bug 的温床
+```
+
+## 自动检查
+
+运行质量检查脚本（跨平台）：
+
+```bash
+# 在 skill 目录下运行
+node scripts/quality_checker.js <扫描路径>
+node scripts/quality_checker.js <扫描路径> -v      # 详细模式
+node scripts/quality_checker.js <扫描路径> --json  # JSON 输出
+```
+
+## 检测指标
+
+### 复杂度指标
+
+| 指标 | 阈值 | 超标后果 |
+|------|------|----------|
+| **圈复杂度** | ≤ 10 | 🟠 警告，建议拆分 |
+| **函数长度** | ≤ 50 行 | 🟠 警告，建议拆分 |
+| **文件长度** | ≤ 500 行 | 🟡 提示，考虑拆分 |
+| **参数数量** | ≤ 5 | 🟠 警告，考虑封装 |
+| **嵌套深度** | ≤ 4 | 🟠 警告，建议重构 |
+| **行长度** | ≤ 120 | 🔵 提示 |
+
+### 命名规范
+
+| 类型 | 规范 | 示例 |
+|------|------|------|
+| **类名** | PascalCase | `UserService`, `HttpClient` |
+| **函数名** | snake_case | `get_user`, `process_data` |
+| **常量** | UPPER_SNAKE | `MAX_RETRY`, `DEFAULT_TIMEOUT` |
+| **变量** | snake_case | `user_id`, `total_count` |
+
+### 代码异味
+
+| 异味 | 说明 | 严重度 |
+|------|------|--------|
+| 重复代码 | 相似代码块 > 10 行 | 🟠 High |
+| 过长参数列表 | 参数 > 5 个 | 🟡 Medium |
+| 魔法数字 | 未命名的常量 | 🟡 Medium |
+| 死代码 | 未使用的函数/变量 | 🔵 Low |
+| 注释代码 | 被注释的代码块 | 🔵 Low |
+
+## 自动触发时机
+
+| 场景 | 触发条件 |
+|------|----------|
+| 复杂模块 | 代码行数 > 200 |
+| 重构完成 | 重构任务完成时 |
+| 代码审查 | PR/MR 审查时 |
+| 提交前 | 代码提交前检查 |
+
+## 校验流程
+
+```
+1. 扫描代码文件
+2. 计算复杂度指标
+3. 检测代码异味
+4. 验证命名规范
+5. 输出质量校验报告
+```
+
+## 校验报告格式
+
+```
+## 代码质量校验报告
+
+✓ 通过 | ✗ 未通过
+
+### 复杂度指标
+- 平均函数复杂度: N
+- 超标函数数: N
+- 最大文件行数: N
+
+### 代码异味
+- 🟠 High: N
+- 🟡 Medium: N
+- 🔵 Low: N
+
+### 问题清单
+
+| 文件 | 行号 | 类型 | 严重度 | 描述 |
+|------|------|------|--------|------|
+| ... | ... | ... | ... | ... |
+
+### 结论
+可交付 / 需重构后交付
+```
+
+## 重构建议
+
+### 降低复杂度
+
+```python
+# 🔴 高复杂度 - 不稳
+def process(data):
+    if condition1:
+        if condition2:
+            if condition3:
+                # 深层嵌套
+                pass
+
+# ✅ 低复杂度 - 稳固
+def process(data):
+    if not condition1:
+        return
+    if not condition2:
+        return
+    if not condition3:
+        return
+    # 主逻辑
+```
+
+### 消除重复
+
+```python
+# 🔴 重复代码 - 异端
+def func1():
+    # 10行相同逻辑
+    pass
+
+def func2():
+    # 10行相同逻辑
+    pass
+
+# ✅ 提取公共函数 - 正道
+def common_logic():
+    # 公共逻辑
+    pass
+
+def func1():
+    common_logic()
+
+def func2():
+    common_logic()
+```
+
+---

package/skills/tools/verify-quality/agents/openai.yaml

@@ -0,0 +1,4 @@
+interface:
+  display_name: "Verify Quality"
+  short_description: "代码质量校验关卡"
+  default_prompt: "Read the skill at skills/tools/verify-quality/SKILL.md, then run: node skills/run_skill.js verify-quality $ARGUMENTS"

package/skills/tools/verify-quality/scripts/quality_checker.js

@@ -0,0 +1,337 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const { parseCliArgs, buildReport, hasFatal } = require(path.join(__dirname, '..', '..', 'lib', 'shared.js'));
+
+// 质量规则配置
+const MAX_LINE_LENGTH = 120;
+const MAX_FUNCTION_LENGTH = 50;
+const MAX_FILE_LENGTH = 500;
+const MAX_COMPLEXITY = 10;
+const MAX_PARAMETERS = 5;
+const MIN_FUNCTION_NAME_LENGTH = 2;
+
+const EXCLUDE_DIRS = new Set(['.git', 'node_modules', '__pycache__', '.venv', 'venv', 'dist', 'build', '.tox']);
+const CODE_EXTENSIONS = new Set(['.py', '.js', '.ts', '.go', '.java', '.rs', '.c', '.cpp']);
+
+const COMMENT_PREFIXES = {
+  '.js': '//', '.ts': '//', '.go': '//', '.java': '//',
+  '.c': '//', '.cpp': '//', '.rs': '//',
+};
+
+// --- Analysis ---
+
+function analyzeGenericFile(filePath) {
+  const metrics = {
+    path: filePath, lines: 0, code_lines: 0, comment_lines: 0,
+    blank_lines: 0, functions: 0, classes: 0,
+    max_complexity: 0, avg_function_length: 0,
+  };
+  const issues = [];
+  let content;
+  try {
+    content = fs.readFileSync(filePath, 'utf-8');
+  } catch { return { metrics, issues }; }
+
+  const lines = content.split('\n');
+  metrics.lines = lines.length;
+  const prefix = COMMENT_PREFIXES[
+    path.extname(filePath).toLowerCase()
+  ] || '//';
+
+  for (let i = 0; i < lines.length; i++) {
+    const stripped = lines[i].trim();
+    if (!stripped) metrics.blank_lines++;
+    else if (
+      stripped.startsWith(prefix) ||
+      stripped.startsWith('/*') ||
+      stripped.startsWith('*')
+    ) metrics.comment_lines++;
+    else metrics.code_lines++;
+
+    if (lines[i].length > MAX_LINE_LENGTH) {
+      issues.push({
+        severity: 'info', category: '格式',
+        message: `行过长 (${lines[i].length} > ${MAX_LINE_LENGTH})`,
+        file_path: filePath, line_number: i + 1,
+        suggestion: null,
+      });
+    }
+  }
+
+  if (metrics.code_lines > MAX_FILE_LENGTH) {
+    issues.push({
+      severity: 'warning', category: '复杂度',
+      message: `文件过长 (${metrics.code_lines} 行代码 > ${MAX_FILE_LENGTH})`,
+      file_path: filePath, suggestion: '考虑拆分为多个模块',
+      line_number: null,
+    });
+  }
+
+  return { metrics, issues };
+}
+
+function analyzePythonFile(filePath) {
+  const metrics = {
+    path: filePath, lines: 0, code_lines: 0, comment_lines: 0,
+    blank_lines: 0, functions: 0, classes: 0,
+    max_complexity: 0, avg_function_length: 0,
+  };
+  const issues = [];
+  let content;
+  try {
+    content = fs.readFileSync(filePath, 'utf-8');
+  } catch (e) {
+    issues.push({
+      severity: 'error', category: '文件',
+      message: `无法读取文件: ${e.message}`,
+      file_path: filePath, line_number: null, suggestion: null,
+    });
+    return { metrics, issues };
+  }
+
+  const lines = content.split('\n');
+  metrics.lines = lines.length;
+  let inMultiline = false;
+
+  for (let i = 0; i < lines.length; i++) {
+    const stripped = lines[i].trim();
+    if (!stripped) { metrics.blank_lines++; }
+    else if (stripped.startsWith('#')) { metrics.comment_lines++; }
+    else if (stripped.includes('"""') || stripped.includes("'''")) {
+      const dq = (stripped.match(/"""/g) || []).length;
+      const sq = (stripped.match(/'''/g) || []).length;
+      if (dq === 2 || sq === 2) { metrics.comment_lines++; }
+      else { inMultiline = !inMultiline; metrics.comment_lines++; }
+    } else if (inMultiline) { metrics.comment_lines++; }
+    else { metrics.code_lines++; }
+
+    if (lines[i].length > MAX_LINE_LENGTH) {
+      issues.push({
+        severity: 'info', category: '格式',
+        message: `行过长 (${lines[i].length} > ${MAX_LINE_LENGTH})`,
+        file_path: filePath, line_number: i + 1,
+        suggestion: null,
+      });
+    }
+  }
+
+  if (metrics.code_lines > MAX_FILE_LENGTH) {
+    issues.push({
+      severity: 'warning', category: '复杂度',
+      message: `文件过长 (${metrics.code_lines} 行代码 > ${MAX_FILE_LENGTH})`,
+      file_path: filePath, suggestion: '考虑拆分为多个模块',
+      line_number: null,
+    });
+  }
+
+  // Regex-based Python analysis (no AST available in Node)
+  const funcRegex = /^( *)(?:async\s+)?def\s+(\w+)\s*\(([^)]*)\)/gm;
+  const classRegex = /^( *)class\s+(\w+)/gm;
+  const functions = [];
+  let match;
+
+  while ((match = funcRegex.exec(content)) !== null) {
+    const lineNum = content.substring(0, match.index).split('\n').length;
+    const name = match[2];
+    const indent = match[1].length;
+    const params = match[3].trim()
+      ? match[3].split(',').map(p => p.trim())
+        .filter(p => p && p !== 'self' && p !== 'cls')
+      : [];
+
+    // Calculate function length by finding next line at same or lesser indent
+    const funcLines = lines.slice(lineNum); // lines after def
+    let length = 1;
+    for (let j = 1; j < funcLines.length; j++) {
+      const l = funcLines[j];
+      if (l.trim() === '') { length++; continue; }
+      const curIndent = l.match(/^(\s*)/)[1].length;
+      if (curIndent <= indent && l.trim() !== '') break;
+      length++;
+    }
+
+    // Estimate complexity from function body
+    const bodyLines = lines.slice(lineNum, lineNum + length - 1);
+    let complexity = 1;
+    for (const bl of bodyLines) {
+      const s = bl.trim();
+      if (/^(if|elif|while|for)\s/.test(s) || /^(if|elif|while|for)\(/.test(s)) complexity++;
+      if (/^except(\s|:)/.test(s)) complexity++;
+      if (/\s(and|or)\s/.test(s)) complexity++;
+      if (/\sfor\s/.test(s) && /\sin\s/.test(s) && (s.includes('[') || s.includes('('))) complexity++;
+    }
+
+    functions.push({ name, line: lineNum, length, complexity, parameters: params.length });
+    metrics.max_complexity = Math.max(metrics.max_complexity, complexity);
+
+    // Check function length
+    if (length > MAX_FUNCTION_LENGTH) {
+      issues.push({
+        severity: 'warning', category: '复杂度',
+        message: `函数 '${name}' 过长 (${length} 行 > ${MAX_FUNCTION_LENGTH})`,
+        file_path: filePath, line_number: lineNum,
+        suggestion: '考虑拆分为多个小函数',
+      });
+    }
+    // Check complexity
+    if (complexity > MAX_COMPLEXITY) {
+      issues.push({
+        severity: 'warning', category: '复杂度',
+        message: `函数 '${name}' 圈复杂度过高 (${complexity} > ${MAX_COMPLEXITY})`,
+        file_path: filePath, line_number: lineNum,
+        suggestion: '减少嵌套层级，提取子函数',
+      });
+    }
+    // Check parameter count
+    if (params.length > MAX_PARAMETERS) {
+      issues.push({
+        severity: 'warning', category: '设计',
+        message: `函数 '${name}' 参数过多 (${params.length} > ${MAX_PARAMETERS})`,
+        file_path: filePath, line_number: lineNum,
+        suggestion: '考虑使用配置对象或数据类封装参数',
+      });
+    }
+    // Check naming
+    const SPECIAL = new Set([
+      'setUp', 'tearDown', 'setUpClass',
+      'tearDownClass', 'setUpModule', 'tearDownModule',
+    ]);
+    if (!name.startsWith('_') && !SPECIAL.has(name) && !name.startsWith('visit_')) {
+      if (!/^[a-z][a-z0-9_]*$/.test(name)) {
+        issues.push({
+          severity: 'info', category: '命名',
+          message: `函数名 '${name}' 不符合 snake_case 规范`,
+          file_path: filePath, line_number: lineNum,
+          suggestion: '函数名应使用 snake_case',
+        });
+      }
+    }
+    if (name.length < MIN_FUNCTION_NAME_LENGTH) {
+      issues.push({
+        severity: 'warning', category: '命名',
+        message: `函数名 '${name}' 过短`,
+        file_path: filePath, line_number: lineNum,
+        suggestion: '使用更具描述性的函数名',
+      });
+    }
+  }
+
+  while ((match = classRegex.exec(content)) !== null) {
+    const lineNum = content.substring(0, match.index).split('\n').length;
+    const name = match[2];
+    metrics.classes++;
+    if (!/^[A-Z][a-zA-Z0-9]*$/.test(name)) {
+      issues.push({
+        severity: 'warning', category: '命名',
+        message: `类名 '${name}' 不符合 PascalCase 规范`,
+        file_path: filePath, line_number: lineNum,
+        suggestion: '类名应使用 PascalCase，如 MyClassName',
+      });
+    }
+  }
+
+  metrics.functions = functions.length;
+  if (functions.length > 0) {
+    metrics.avg_function_length = functions.reduce((s, f) => s + f.length, 0) / functions.length;
+  }
+
+  return { metrics, issues };
+}
+
+// --- Directory scan ---
+
+function scanDirectory(scanPath, excludeDirs) {
+  const resolved = path.resolve(scanPath);
+  const exclude = excludeDirs || EXCLUDE_DIRS;
+  const result = {
+    scan_path: resolved, files_scanned: 0,
+    total_lines: 0, total_code_lines: 0,
+    issues: [], file_metrics: [],
+  };
+
+  function walk(dir) {
+    let entries;
+    try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }
+    for (const entry of entries) {
+      if (exclude.has(entry.name)) continue;
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) { walk(full); continue; }
+      const ext = path.extname(entry.name).toLowerCase();
+      if (!CODE_EXTENSIONS.has(ext)) continue;
+
+      result.files_scanned++;
+      const { metrics, issues } = ext === '.py' ? analyzePythonFile(full) : analyzeGenericFile(full);
+      result.file_metrics.push(metrics);
+      result.issues.push(...issues);
+      result.total_lines += metrics.lines;
+      result.total_code_lines += metrics.code_lines;
+    }
+  }
+
+  walk(resolved);
+  return result;
+}
+
+// --- Reporting ---
+
+function passed(result) { return !hasFatal(result.issues); }
+
+function formatReport(result, verbose) {
+  const errs = result.issues.filter(i => i.severity === 'error').length;
+  const warns = result.issues.filter(i => i.severity === 'warning').length;
+  const fields = {
+    '扫描路径': result.scan_path,
+    '扫描文件': result.files_scanned,
+    '总行数': result.total_lines,
+    '代码行数': result.total_code_lines,
+    '检查结果': passed(result) ? '✓ 通过' : '✗ 需要关注',
+    '统计': `错误: ${errs} | 警告: ${warns}`,
+  };
+  let report = buildReport(
+    '代码质量检查报告', fields, result.issues, verbose, 'category'
+  );
+
+  if (verbose && result.file_metrics.length) {
+    const complex = result.file_metrics
+      .filter(m => m.max_complexity > 0)
+      .sort((a, b) => b.max_complexity - a.max_complexity)
+      .slice(0, 5);
+    if (complex.length) {
+      const lines = ['\n' + '-'.repeat(40), '复杂度最高的文件:', '-'.repeat(40)];
+      for (const m of complex) lines.push(`  ${m.path}: 复杂度 ${m.max_complexity}, ${m.functions} 个函数`);
+      report += '\n' + lines.join('\n');
+    }
+  }
+  return report;
+}
+
+// --- CLI ---
+
+function main() {
+  const opts = parseCliArgs(process.argv);
+
+  const result = scanDirectory(opts.target);
+
+  if (opts.json) {
+    const output = {
+      scan_path: result.scan_path,
+      files_scanned: result.files_scanned,
+      total_lines: result.total_lines,
+      total_code_lines: result.total_code_lines,
+      passed: passed(result),
+      error_count: result.issues.filter(i => i.severity === 'error').length,
+      warning_count: result.issues.filter(i => i.severity === 'warning').length,
+      issues: result.issues
+    };
+    console.log(JSON.stringify(output, null, 2));
+  } else {
+    console.log(formatReport(result, opts.verbose));
+  }
+
+  process.exit(passed(result) ? 0 : 1);
+}
+
+main();

package/skills/tools/verify-security/SKILL.md

@@ -0,0 +1,142 @@
+---
+name: verify-security
+description: 安全校验关卡。自动扫描代码安全漏洞，检测危险模式，确保安全决策有文档记录。当用户提到安全扫描、漏洞检测、安全审计、代码安全、OWASP、注入检测、敏感信息泄露时使用。在新建模块、安全相关变更、攻防任务、重构完成时自动触发。
+license: MIT
+compatibility: node>=18
+user-invocable: true
+disable-model-invocation: false
+allowed-tools: Bash, Read, Grep
+argument-hint: <扫描路径>
+---
+
+# ⚖ 校验关卡 · 安全校验
+
+## 核心原则
+
+```
+安全即，破则劫败
+安全决策必须可追溯
+Critical/High 问题必须修复后才能交付
+```
+
+## 自动扫描
+
+运行安全扫描脚本（跨平台）：
+
+```bash
+# 在 skill 目录下运行
+node scripts/security_scanner.js <扫描路径>
+node scripts/security_scanner.js <扫描路径> -v           # 详细模式
+node scripts/security_scanner.js <扫描路径> --json       # JSON 输出
+node scripts/security_scanner.js <扫描路径> --exclude vendor  # 排除目录
+```
+
+## 检测范围
+
+### 自动检测的漏洞类型
+
+| 类别 | 检测项 | 严重度 |
+|------|--------|--------|
+| **注入** | SQL 注入、命令注入、代码注入 | 🔴 Critical |
+| **敏感信息** | 硬编码密钥、AWS Key、私钥 | 🔴 Critical |
+| **XSS** | innerHTML、dangerouslySetInnerHTML | 🟠 High |
+| **反序列化** | pickle.loads、yaml.load | 🟠 High |
+| **路径遍历** | 未验证的文件路径操作 | 🟠 High |
+| **SSRF** | 未验证的 URL 请求 | 🟠 High |
+| **XXE** | 不安全的 XML 解析 | 🟠 High |
+| **弱加密** | MD5、SHA1 用于安全场景 | 🟡 Medium |
+| **不安全随机** | random 模块用于安全场景 | 🟡 Medium |
+| **调试代码** | console.log、print、debugger | 🔵 Low |
+
+### 文档层面检查
+
+安全相关代码必须在 DESIGN.md 中记录：
+
+- [ ] **威胁模型** — 防御哪些攻击
+- [ ] **安全决策** — 为何选择此方案
+- [ ] **安全边界** — 信任边界在哪里
+- [ ] **已知风险** — 接受了哪些风险
+
+## 危险模式速查
+
+### Python
+```python
+# 🔴 危险 - 触犯
+eval(), exec(), os.system()
+subprocess(..., shell=True)
+pickle.loads(), yaml.load()
+cursor.execute(f"SELECT * FROM t WHERE id = {id}")
+
+# ✅ 安全替代 - 稳固
+ast.literal_eval()
+subprocess([...], shell=False)
+yaml.safe_load()
+cursor.execute("SELECT * FROM t WHERE id = %s", (id,))
+```
+
+### JavaScript
+```javascript
+// 🔴 危险 - 触犯
+eval(), innerHTML, document.write()
+new Function(userInput)
+
+// ✅ 安全替代 - 稳固
+JSON.parse(), textContent
+模板引擎自动转义
+```
+
+### Go
+```go
+// 🔴 危险 - 触犯
+exec.Command("sh", "-c", userInput)
+template.HTML(userInput)
+
+// ✅ 安全替代 - 稳固
+exec.Command("cmd", args...)
+html/template 自动转义
+```
+
+## 校验流程
+
+```
+1. 运行 security_scanner.js 自动扫描
+2. 分析扫描结果，按严重度排序
+3. 检查安全决策是否有文档记录
+4. 输出安全校验报告
+5. Critical/High 问题必须修复后才能交付
+```
+
+## 自动触发时机
+
+| 场景 | 触发条件 |
+|------|----------|
+| 新建模块 | 模块创建完成时 |
+| 安全相关变更 | 涉及认证、授权、加密、输入处理 |
+| 攻防任务 | 红队/蓝队任务完成时 |
+| 重构完成 | 重构任务完成时 |
+| 提交前 | 代码提交前检查 |
+
+## 校验报告格式
+
+```
+## 安全校验报告
+
+✓ 通过 | ✗ 未通过
+
+- 🔴 Critical: N
+- 🟠 High: N
+- 🟡 Medium: N
+- 🔵 Low: N
+
+### 发现问题
+
+| 文件 | 行号 | 类型 | 严重度 | 描述 |
+|------|------|------|--------|------|
+| ... | ... | ... | ... | ... |
+
+### 结论
+
+可交付 / 需修复后交付
+```
+
+---

package/skills/tools/verify-security/agents/openai.yaml

@@ -0,0 +1,4 @@
+interface:
+  display_name: "Verify Security"
+  short_description: "安全校验关卡"
+  default_prompt: "Read the skill at skills/tools/verify-security/SKILL.md, then run: node skills/run_skill.js verify-security $ARGUMENTS"