npm - pdd-skills - Versions diffs - 3.0.0 - Mend

pdd-skills 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (261) hide show

package/README.md +1478 -0
package/bin/pdd.js +354 -0
package/config/bpmn-rules.yaml +166 -0
package/config/checkstyle.xml +105 -0
package/config/eslint.config.js +48 -0
package/config/pmd.xml +91 -0
package/config/prd-rules.yaml +113 -0
package/config/ruff.toml +45 -0
package/config/sqlfluff.cfg +82 -0
package/hooks/hook-executor.js +332 -0
package/index.js +43 -0
package/lib/api-routes.js +750 -0
package/lib/api-server.js +408 -0
package/lib/cache/cache-config.js +209 -0
package/lib/cache/system-cache.js +852 -0
package/lib/config-manager.js +373 -0
package/lib/generate.js +528 -0
package/lib/grpc/grpc-routes.js +1134 -0
package/lib/grpc/grpc-server.js +912 -0
package/lib/grpc/proto-definitions.js +1033 -0
package/lib/init.js +172 -0
package/lib/iteration/auto-fixer.js +1025 -0
package/lib/iteration/auto-reviewer.js +923 -0
package/lib/iteration/controller.js +577 -0
package/lib/list.js +130 -0
package/lib/mcp-server.js +548 -0
package/lib/openclaw/api-integration.js +535 -0
package/lib/openclaw/cli-integration.js +567 -0
package/lib/openclaw/data-sync.js +845 -0
package/lib/openclaw/openclaw-adapter.js +783 -0
package/lib/plugin/example-plugins/code-stats/index.js +332 -0
package/lib/plugin/example-plugins/code-stats/plugin.json +1 -0
package/lib/plugin/example-plugins/custom-linter/index.js +472 -0
package/lib/plugin/example-plugins/custom-linter/plugin.json +1 -0
package/lib/plugin/example-plugins/hello-world/index.js +86 -0
package/lib/plugin/example-plugins/hello-world/plugin.json +1 -0
package/lib/plugin/plugin-manager.js +655 -0
package/lib/plugin/plugin-sdk.js +565 -0
package/lib/plugin/sandbox.js +627 -0
package/lib/quality/rules/maintainability.js +418 -0
package/lib/quality/rules/performance.js +498 -0
package/lib/quality/rules/readability.js +441 -0
package/lib/quality/rules/robustness.js +504 -0
package/lib/quality/rules/security.js +444 -0
package/lib/quality/scorer.js +576 -0
package/lib/report.js +669 -0
package/lib/sdk-base.js +301 -0
package/lib/sdk-js.js +446 -0
package/lib/sdk-python/README.md +546 -0
package/lib/sdk-python/examples/basic_usage.py +450 -0
package/lib/sdk-python/pdd_sdk/__init__.py +180 -0
package/lib/sdk-python/pdd_sdk/client.py +1170 -0
package/lib/sdk-python/pdd_sdk/events.py +423 -0
package/lib/sdk-python/pdd_sdk/exceptions.py +158 -0
package/lib/sdk-python/pdd_sdk/models.py +518 -0
package/lib/sdk-python/pdd_sdk/utils.py +759 -0
package/lib/token/budget-alert.js +367 -0
package/lib/token/budget-manager.js +485 -0
package/lib/update.js +54 -0
package/lib/utils/logger.js +88 -0
package/lib/verify.js +741 -0
package/lib/version.js +52 -0
package/lib/vm/README.md +102 -0
package/lib/vm/dashboard/api-routes.js +669 -0
package/lib/vm/dashboard/server.js +391 -0
package/lib/vm/dashboard/sse.js +358 -0
package/lib/vm/dashboard/static/css/dashboard.css +1378 -0
package/lib/vm/dashboard/static/index.html +118 -0
package/lib/vm/dashboard/static/js/app.js +949 -0
package/lib/vm/dashboard/static/js/charts.js +913 -0
package/lib/vm/dashboard/static/js/kanban-view.js +1053 -0
package/lib/vm/dashboard/static/js/pipeline-view.js +463 -0
package/lib/vm/dashboard/static/js/quality-view.js +598 -0
package/lib/vm/dashboard/static/js/system-view.js +1021 -0
package/lib/vm/data-provider.js +1191 -0
package/lib/vm/event-bus.js +402 -0
package/lib/vm/hooks/extract-hook.js +307 -0
package/lib/vm/hooks/generate-hook.js +374 -0
package/lib/vm/hooks/hook-interface.js +458 -0
package/lib/vm/hooks/report-hook.js +331 -0
package/lib/vm/hooks/verify-hook.js +454 -0
package/lib/vm/models.js +1003 -0
package/lib/vm/reconciler.js +855 -0
package/lib/vm/scanner.js +988 -0
package/lib/vm/state-schema.js +955 -0
package/lib/vm/state-store.js +733 -0
package/lib/vm/tui/components/card.js +339 -0
package/lib/vm/tui/components/progress-bar.js +368 -0
package/lib/vm/tui/components/sparkline.js +327 -0
package/lib/vm/tui/components/status-light.js +294 -0
package/lib/vm/tui/components/table.js +370 -0
package/lib/vm/tui/input.js +335 -0
package/lib/vm/tui/renderer.js +548 -0
package/lib/vm/tui/screens/kanban-screen.js +397 -0
package/lib/vm/tui/screens/overview-screen.js +357 -0
package/lib/vm/tui/screens/quality-screen.js +336 -0
package/lib/vm/tui/screens/system-screen.js +379 -0
package/lib/vm/tui/tui.js +805 -0
package/package.json +1 -0
package/scripts/cso-analyzer.js +198 -0
package/scripts/eval-runner.js +359 -0
package/scripts/i18n-checker.js +109 -0
package/scripts/linter/activiti-linter.js +272 -0
package/scripts/linter/prd-linter.js +162 -0
package/scripts/linter/report-generator.js +207 -0
package/scripts/linter/run-linters.js +285 -0
package/scripts/linter/sql-linter.js +166 -0
package/scripts/token-analyzer.js +162 -0
package/scripts/vm-test.js +180 -0
package/skills/core/official-doc-writer/LICENSE +21 -0
package/skills/core/official-doc-writer/README.md +232 -0
package/skills/core/official-doc-writer/SKILL.md +475 -0
package/skills/core/official-doc-writer/_meta.json +1 -0
package/skills/core/official-doc-writer/document_generator.py +580 -0
package/skills/core/official-doc-writer/evals/default-evals.json +1 -0
package/skills/core/official-doc-writer/examples.md +150 -0
package/skills/core/official-doc-writer/fonts/FONTS_LIST.md +45 -0
package/skills/core/official-doc-writer/fonts/README.md +141 -0
package/skills/core/official-doc-writer/fonts/SIMFANG.TTF +0 -0
package/skills/core/official-doc-writer/fonts/SIMHEI.TTF +0 -0
package/skills/core/official-doc-writer/fonts/SIMKAI.TTF +0 -0
package/skills/core/official-doc-writer/fonts/SIMSUN.TTC +0 -0
package/skills/core/official-doc-writer/fonts//346/226/271/346/255/243/345/260/217/346/240/207/345/256/213GBK.TTF +0 -0
package/skills/core/official-doc-writer/references/GBT_9704-2012_/345/205/232/346/224/277/346/234/272/345/205/263/345/205/254/346/226/207/346/240/274/345/274/217.md +422 -0
package/skills/core/official-doc-writer/scripts/__pycache__/generate_official_doc.cpython-313.pyc +0 -0
package/skills/core/official-doc-writer/scripts/dialog_manager.py +564 -0
package/skills/core/official-doc-writer/scripts/generate_official_doc.py +252 -0
package/skills/core/official-doc-writer/scripts/install_fonts.py +390 -0
package/skills/core/official-doc-writer/scripts/smart_prompts.py +363 -0
package/skills/core/pdd-ba/SKILL.md +305 -0
package/skills/core/pdd-ba/_meta.json +1 -0
package/skills/core/pdd-ba/evals/default-evals.json +1 -0
package/skills/core/pdd-code-reviewer/SKILL.md +378 -0
package/skills/core/pdd-code-reviewer/_meta.json +1 -0
package/skills/core/pdd-code-reviewer/evals/default-evals.json +1 -0
package/skills/core/pdd-doc-change/SKILL.md +350 -0
package/skills/core/pdd-doc-change/_meta.json +1 -0
package/skills/core/pdd-doc-change/evals/default-evals.json +1 -0
package/skills/core/pdd-doc-gardener/SKILL.md +248 -0
package/skills/core/pdd-doc-gardener/_meta.json +1 -0
package/skills/core/pdd-doc-gardener/evals/default-evals.json +1 -0
package/skills/core/pdd-entropy-reduction/SKILL.md +360 -0
package/skills/core/pdd-entropy-reduction/_meta.json +1 -0
package/skills/core/pdd-entropy-reduction/evals/default-evals.json +1 -0
package/skills/core/pdd-entropy-reduction/references/entropy-report-template.md +287 -0
package/skills/core/pdd-entropy-reduction/references/golden-principles.md +573 -0
package/skills/core/pdd-entropy-reduction/scripts/entropy_scan.py +712 -0
package/skills/core/pdd-extract-features/SKILL.md +320 -0
package/skills/core/pdd-extract-features/_meta.json +1 -0
package/skills/core/pdd-extract-features/evals/default-evals.json +1 -0
package/skills/core/pdd-generate-spec/SKILL.md +418 -0
package/skills/core/pdd-generate-spec/_meta.json +1 -0
package/skills/core/pdd-generate-spec/evals/default-evals.json +1 -0
package/skills/core/pdd-implement-feature/SKILL.md +332 -0
package/skills/core/pdd-implement-feature/_meta.json +1 -0
package/skills/core/pdd-implement-feature/evals/default-evals.json +1 -0
package/skills/core/pdd-main/SKILL.md +540 -0
package/skills/core/pdd-main/_meta.json +1 -0
package/skills/core/pdd-main/evals/default-evals.json +1 -0
package/skills/core/pdd-main/evals/evals.json +215 -0
package/skills/core/pdd-verify-feature/SKILL.md +474 -0
package/skills/core/pdd-verify-feature/_meta.json +1 -0
package/skills/core/pdd-verify-feature/evals/default-evals.json +1 -0
package/skills/core/pdd-vm/evals/default-evals.json +1 -0
package/skills/core/traffic-accident-assessor/LICENSE +29 -0
package/skills/core/traffic-accident-assessor/SKILL.md +439 -0
package/skills/core/traffic-accident-assessor/evals/evals.json +1 -0
package/skills/core/traffic-accident-assessor/references/accident-types.md +369 -0
package/skills/core/traffic-accident-assessor/references/liability-rules.md +287 -0
package/skills/core/traffic-accident-assessor/references/traffic-laws.md +226 -0
package/skills/core/traffic-accident-assessor/references//351/253/230/345/260/224/345/244/253/350/257/264/346/230/216/344/271/246.pdf +32576 -106
package/skills/core/traffic-accident-assessor/scripts/generate_official_statement.py +588 -0
package/skills/core/traffic-accident-assessor/scripts/generate_report.py +495 -0
package/skills/core/traffic-accident-assessor/scripts/generate_statement.py +528 -0
package/skills/core/traffic-accident-assessor.zip +0 -0
package/skills/entropy/expert-arch-enforcer/SKILL.md +292 -0
package/skills/entropy/expert-arch-enforcer/_meta.json +1 -0
package/skills/entropy/expert-arch-enforcer/evals/default-evals.json +1 -0
package/skills/entropy/expert-auto-refactor/SKILL.md +327 -0
package/skills/entropy/expert-auto-refactor/_meta.json +1 -0
package/skills/entropy/expert-auto-refactor/evals/default-evals.json +1 -0
package/skills/entropy/expert-code-quality/SKILL.md +468 -0
package/skills/entropy/expert-code-quality/_meta.json +1 -0
package/skills/entropy/expert-code-quality/evals/default-evals.json +1 -0
package/skills/entropy/expert-code-quality/evals/evals.json +109 -0
package/skills/entropy/expert-code-quality/references/code-smells.md +605 -0
package/skills/entropy/expert-code-quality/references/design-patterns.md +1111 -0
package/skills/entropy/expert-code-quality/references/refactoring-catalog.md +1281 -0
package/skills/entropy/expert-code-quality/references/solid-principles.md +524 -0
package/skills/entropy/expert-entropy-auditor/SKILL.md +276 -0
package/skills/entropy/expert-entropy-auditor/_meta.json +1 -0
package/skills/entropy/expert-entropy-auditor/evals/default-evals.json +1 -0
package/skills/expert/expert-activiti/SKILL.md +497 -0
package/skills/expert/expert-activiti/_meta.json +1 -0
package/skills/expert/expert-mysql/SKILL.md +832 -0
package/skills/expert/expert-mysql/_meta.json +1 -0
package/skills/expert/expert-performance/SKILL.md +379 -0
package/skills/expert/expert-performance/_meta.json +1 -0
package/skills/expert/expert-performance/evals/default-evals.json +1 -0
package/skills/expert/expert-ruoyi/SKILL.md +472 -0
package/skills/expert/expert-ruoyi/_meta.json +1 -0
package/skills/expert/expert-security/SKILL.md +1341 -0
package/skills/expert/expert-security/_meta.json +1 -0
package/skills/expert/expert-security/evals/default-evals.json +1 -0
package/skills/expert/software-architect/SKILL.md +350 -0
package/skills/expert/software-architect/_meta.json +1 -0
package/skills/expert/software-engineer/SKILL.md +437 -0
package/skills/expert/software-engineer/_meta.json +1 -0
package/skills/expert/software-engineer/architecture.md +130 -0
package/skills/expert/software-engineer/patterns.md +151 -0
package/skills/expert/software-engineer/testing.md +135 -0
package/skills/expert/system-architect/SKILL.md +628 -0
package/skills/expert/system-architect/_meta.json +1 -0
package/skills/expert/system-architect/assets/templates/ARCHITECTURE.md +25 -0
package/skills/expert/system-architect/assets/templates/README.md +44 -0
package/skills/expert/system-architect/references/js-ts-standards.md +18 -0
package/skills/expert/system-architect/references/python-standards.md +19 -0
package/skills/expert/system-architect/references/scaffolding.md +61 -0
package/skills/expert/system-architect/references/security-checklist.md +21 -0
package/skills/openspec/openspec-apply-change/SKILL.md +156 -0
package/skills/openspec/openspec-apply-change/_meta.json +1 -0
package/skills/openspec/openspec-archive-change/SKILL.md +114 -0
package/skills/openspec/openspec-archive-change/_meta.json +1 -0
package/skills/openspec/openspec-bulk-archive-change/SKILL.md +246 -0
package/skills/openspec/openspec-bulk-archive-change/_meta.json +1 -0
package/skills/openspec/openspec-continue-change/SKILL.md +118 -0
package/skills/openspec/openspec-continue-change/_meta.json +1 -0
package/skills/openspec/openspec-explore/SKILL.md +288 -0
package/skills/openspec/openspec-explore/_meta.json +1 -0
package/skills/openspec/openspec-ff-change/SKILL.md +101 -0
package/skills/openspec/openspec-ff-change/_meta.json +1 -0
package/skills/openspec/openspec-new-change/SKILL.md +74 -0
package/skills/openspec/openspec-new-change/_meta.json +1 -0
package/skills/openspec/openspec-onboard/SKILL.md +554 -0
package/skills/openspec/openspec-onboard/_meta.json +1 -0
package/skills/openspec/openspec-sync-specs/SKILL.md +138 -0
package/skills/openspec/openspec-sync-specs/_meta.json +1 -0
package/skills/openspec/openspec-verify-change/SKILL.md +168 -0
package/skills/openspec/openspec-verify-change/_meta.json +1 -0
package/skills/pr/pdd-multi-review/SKILL.md +534 -0
package/skills/pr/pdd-multi-review/_meta.json +1 -0
package/skills/pr/pdd-pr-batch/SKILL.md +303 -0
package/skills/pr/pdd-pr-batch/_meta.json +1 -0
package/skills/pr/pdd-pr-create/SKILL.md +344 -0
package/skills/pr/pdd-pr-create/_meta.json +1 -0
package/skills/pr/pdd-pr-merge/SKILL.md +286 -0
package/skills/pr/pdd-pr-merge/_meta.json +1 -0
package/skills/pr/pdd-pr-review/SKILL.md +217 -0
package/skills/pr/pdd-pr-review/_meta.json +1 -0
package/skills/pr/pdd-task-manager/SKILL.md +636 -0
package/skills/pr/pdd-task-manager/_meta.json +1 -0
package/skills/pr/pdd-template-engine/SKILL.md +306 -0
package/skills/pr/pdd-template-engine/_meta.json +1 -0
package/templates/behavior-shaping/iron-law-template.md +87 -0
package/templates/behavior-shaping/rationalization-template.md +62 -0
package/templates/behavior-shaping/red-flags-template.md +70 -0
package/templates/bilingual-template.md +139 -0
package/templates/config/default.yaml +47 -0
package/templates/project/default/README.md +31 -0
package/templates/project/frontend/README.md +46 -0
package/templates/project/java/README.md +48 -0

package/lib/quality/rules/security.js ADDED Viewed

@@ -0,0 +1,444 @@
+// lib/quality/rules/security.js - 安全规则集
+// 评估代码安全性: 输入验证、SQL注入、XSS、硬编码密钥、权限控制等
+/**
+ * 安全规则集
+ *
+ * 规则列表：
+ * - sqlInjection: SQL注入风险检测
+ * - xssRisk: XSS跨站脚本攻击风险
+ * - hardcodedSecrets: 硬编码敏感信息
+ * - inputValidation: 用户输入校验
+ * - dependencySecurity: 依赖安全
+ * - insecureConfig: 不安全配置
+ */
+const rules = [
+  {
+    name: 'sqlInjection',
+    description: 'SQL注入: 使用参数化查询，禁止字符串拼接SQL',
+    maxScore: 25,
+    check(code, ext) {
+      const lines = code.split('\n');
+      const vulnerabilities = [];
+      // 危险的SQL拼接模式
+      const dangerousPatterns = [
+        { pattern: /(?:SELECT|INSERT|UPDATE|DELETE|DROP)\s+.*\+\s*["']/i, desc: '字符串拼接SQL' },
+        { pattern: /(?:SELECT|INSERT|UPDATE|DELETE|DROP)\s+.*`\$\{.*?\}`/i, desc: '模板字面量拼接SQL' },
+        { pattern: /\.(query|execute|raw|run)\s*\(\s*["`][^"]*\$\{|[^"]*\+/, desc: '动态构建SQL语句' },
+        { pattern: /"[\s\S]*(?:SELECT|INSERT|UPDATE|DELETE)[\s\S]*"\s*\+/i, desc: '字符串连接包含SQL关键字' }
+      ];
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const { pattern, desc } of dangerousPatterns) {
+          if (pattern.test(line)) {
+            // 排除注释行
+            if (!line.trim().startsWith('//') && !line.trim().startsWith('*')) {
+              vulnerabilities.push({
+                type: 'sql_injection',
+                description: desc,
+                line: i + 1,
+                context: line.trim().substring(0, 70)
+              });
+            }
+          }
+        }
+      }
+      // 检测未使用参数化查询的ORM操作
+      const unsafeOrmPatterns = [
+        { pattern: /\.where\s*\(\s*["`].*\$\{/, desc: 'where条件使用插值' },
+        { pattern: /sequelize\.query\s*\(\s*[^,)]*\+/, desc: 'sequelize.query使用拼接' },
+        { pattern: /knex\.raw\s*\(/, desc: 'knex原始查询（需确认参数化）' },
+        { pattern: /mongoose\.aggregate\s*\(\s*\[.*\$where/i, desc: 'MongoDB $where操作符' }
+      ];
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const { pattern, desc } of unsafeOrmPatterns) {
+          if (pattern.test(line) && !line.trim().startsWith('//')) {
+            vulnerabilities.push({
+              type: 'unsafe_orm',
+              description: desc,
+              line: i + 1,
+              context: line.trim().substring(0, 60)
+            });
+          }
+        }
+      }
+      // 检查是否有安全的替代方案存在
+      const hasParameterizedQuery =
+        /\?/.test(code) && /(?:prepare|bind|execute|run)/.test(code) ||
+        /sequelize\.query\(.*replacements/.test(code) ||
+        /knex\(.*)\.where\([^)]*\)/.test(code);
+      return {
+        passed: vulnerabilities.length === 0,
+        deduction: Math.min(vulnerabilities.length * 8, 25),
+        message: vulnerabilities.length > 0
+          ? `发现${vulnerabilities.length}个潜在的SQL注入风险点`
+          : hasParameterizedQuery ? '使用了参数化查询' : '未检测到明显的SQL拼接',
+        suggestion: '始终使用参数化查询(prepared statement)或ORM提供的参数绑定方法；绝对不要将用户输入直接拼接到SQL中',
+        line: vulnerabilities.length > 0 ? vulnerabilities[0].line : null
+      };
+    }
+  },
+  {
+    name: 'xssRisk',
+    description: 'XSS攻击: 对用户输入进行转义和过滤后再输出到HTML',
+    maxScore: 20,
+    check(code, ext) {
+      const lines = code.split('\n');
+      const risks = [];
+      // 危险模式：直接输出未经处理的数据
+      const dangerousPatterns = [
+        { pattern: /innerHTML\s*=.*(?:req|request|params|query|body|input|user|form|data)\b/, desc: 'innerHTML赋值含用户数据' },
+        { pattern: /document\.write\s*\(/, desc: 'document.write使用' },
+        { pattern: /eval\s*\(/, desc: 'eval()使用' },
+        { pattern: /new\s+Function\s*\(/, desc: 'new Function()使用' },
+        { pattern: /setTimeout\s*\(\s*["'`]/, desc: 'setTimeout传入字符串' },
+        { pattern: /setInterval\s*\(\s*["'`]/, desc: 'setInterval传入字符串' },
+        { pattern: /\.outerHTML\s*=/, desc: 'outerHTML赋值' },
+        { pattern: /jquery|\$\(.*\)\.html\s*\(/i, desc: 'jQuery.html()使用' }
+      ];
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const { pattern, desc } of dangerousPatterns) {
+          if (pattern.test(line) && !line.trim().startsWith('//') && !line.trim().startsWith('*')) {
+            risks.push({
+              type: 'xss_risk',
+              description: desc,
+              line: i + 1,
+              context: line.trim().substring(0, 65)
+            });
+          }
+        }
+      }
+      // 检查URL中的用户输入（开放重定向风险）
+      if (/location\.(href|assign|replace)\s*=/.test(code) &&
+          /(req|request|params|query|body|input)/.test(code)) {
+        risks.push({
+          type: 'open_redirect',
+          description: '可能存在开放重定向风险',
+          severity: 'high'
+        });
+      }
+      // 检查是否有安全措施
+      const hasSanitization =
+        /sanitize|escape|encodeURI|encodeURIComponent|DOMPurify|he\.encode|xss/i.test(code);
+      return {
+        passed: risks.filter(r => r.severity === 'high').length === 0 && risks.length <= 1,
+        deduction: Math.min(
+          risks.filter(r => r.severity === 'high').length * 10 +
+          risks.filter(r => r.severity !== 'high').length * 4,
+          20
+        ),
+        message: risks.length > 0
+          ? `发现${risks.length}个潜在XSS风险点`
+          : hasSanitization ? '有基本的XSS防护措施' : '未发现明显XSS风险',
+        suggestion: '使用textContent代替innerHTML；对动态内容使用DOMPurify等库进行HTML净化；对所有用户输入进行编码后输出',
+        line: risks.length > 0 ? risks[0].line : null
+      };
+    }
+  },
+  {
+    name: 'hardcodedSecrets',
+    description: '硬编码敏感信息: 密钥、密码、Token不应写在源码中',
+    maxScore: 25,
+    check(code, ext) {
+      const lines = code.split('\n');
+      const secrets = [];
+      // 敏感信息模式
+      const secretPatterns = [
+        { regex: /(?:password|passwd|pwd)\s*[:=]\s*["'][^"']{3,}["']/i, label: '密码' },
+        { regex: /(?:api[_-]?key|apikey)\s*[:=]\s*["'][^"']{5,}["']/i, label: 'API Key' },
+        { regex: /(?:secret|token|auth[_-]?token|access[_-]?token)\s*[:=]\s*["'][^"']{10,}["']/i, label: 'Secret/Token' },
+        { regex: /(?:private[_-]?key|privkey)\s*[:=]\s*["']BEGIN/i, label: '私钥' },
+        { regex: /(?:connection[_-]?string|connstr|mongodb|mysql|redis)[:\s]*["'][^"']+password/i, label: '数据库连接串(含密码)' },
+        { regex: /aws_access_key_id\s*[:=]\s*["'][A-Z0-9]{16,}["']/i, label: 'AWS Access Key' },
+        { regex: /aws_secret_access_key\s*[:=]\s*["'][A-Za-z0-9\/+=]{30,}["']/i, label: 'AWS Secret Key' },
+        { regex: /(?:jwt[_-]?secret|jwt[_-]?key)\s*[:=]\s*["'][^"']{10,}["']/i, label: 'JWT Secret' },
+        { regex: /bcrypt\.genSaltSync\(\)|bcrypt\.hashSync\(/, label: '同步加密调用' }
+      ];
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const { regex, label } of secretPatterns) {
+          if (regex.test(line)) {
+            // 排除示例代码、注释、占位符
+            if (this._isRealSecret(line)) {
+              secrets.push({
+                type: label,
+                line: i + 1,
+                context: this._maskSensitive(line.trim())
+              });
+            }
+          }
+        }
+      }
+      // 检查是否正确使用环境变量
+      const usesEnvVars = /process\.env\.\w+/.test(code);
+      const usesConfigModule = /config\.\w+/.test(code) || /require\(['"]config['"]\)/.test(code);
+      const hasSecretManagement = usesEnvVars || usesConfigModule;
+      return {
+        passed: secrets.length === 0,
+        deduction: Math.min(secrets.length * 6, 25),
+        message: secrets.length > 0
+          ? `发现${secrets.length}处可能的硬编码敏感信息: ${[...new Set(secrets.map(s => s.type))].join(', ')}`
+          : hasSecretManagement ? '敏感信息通过环境变量/配置管理' : '未发现硬编码密钥',
+        suggestion: '使用process.env或配置管理服务存储敏感信息；将密钥移至.env文件并加入.gitignore；使用密钥管理服务(AWS KMS/Vault)',
+        line: secrets.length > 0 ? secrets[0].line : null
+      };
+    },
+    _isRealSecret(line) {
+      // 排除以下情况：
+      // 注释行
+      if (line.trim().startsWith('//') || line.trim().startsWith('*') || line.trim().startsWith('#')) return false;
+      // 占位符
+      if (/your-|<.*>|xxx|TODO|FIXME|placeholder|change.me|replace/i.test(line)) return false;
+      // 空值
+      if (/["']\s*["']|""|''/.test(line)) return false;
+      // 示例值
+      if (/example|sample|test|demo|fake|mock/i.test(line)) return false;
+      return true;
+    },
+    _maskSensitive(str) {
+      // 隐藏敏感值的中间部分
+      return str.replace(/(["'])([^"']{2})([^"]*)(\1)/g, '$1$2***$4');
+    }
+  },
+  {
+    name: 'inputValidation',
+    description: '输入验证: 所有外部输入必须经过校验和清理',
+    maxScore: 15,
+    check(code, ext) {
+      const lines = code.split('\n');
+      const unvalidatedInputs = [];
+      // 外部输入来源
+      const inputSources = [
+        { pattern: /req\.body\b/, source: '请求体(req.body)' },
+        { pattern: /req\.query\b/, source: '查询参数(req.query)' },
+        { pattern: /req\.params\b/, source: '路径参数(req.params)' },
+        { pattern: /req\.headers\b/, source: '请求头(req.headers)' },
+        { pattern: /request\.body\b/, source: '请求体(request.body)' },
+        { pattern: /urlSearchParams|URLSearchParams|searchParams/, source: 'URL参数' },
+        { pattern: /formData|FormData/, source: '表单数据' },
+        { pattern: /process\.argv/, source: '命令行参数' },
+        { pattern: /localStorage|sessionStorage|cookie/i, source: '浏览器存储' }
+      ];
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const { pattern, source } of inputSources) {
+          if (pattern.test(line)) {
+            // 检查后续几行是否有校验逻辑
+            const nextLines = lines.slice(i, Math.min(i + 8, lines.length));
+            const hasValidation = nextLines.some(l =>
+              /validate|check|verify|schema|joi|yup|zod|sanitiz|escape|trim|typeof|instanceof|guard|assert/.test(l)
+            );
+            // 检查是否有类型检查
+            const hasTypeCheck = nextLines.some(l =>
+              /===|!==|typeof |instanceof |Number\(|parseInt|parseFloat/.test(l)
+            );
+            if (!hasValidation && !hasTypeCheck) {
+              // 排除简单的属性访问（如 req.body.user）
+              if (!/req\.(body|query|params)\.\w+$/.test(line.trim())) {
+                unvalidatedInputs.push({
+                  source,
+                  line: i + 1,
+                  context: line.trim().substring(0, 55)
+                });
+              }
+            }
+          }
+        }
+      }
+      // 去重：同一来源只报告一次
+      const uniqueSources = [...new Set(unvalidatedInputs.map(u => u.source))];
+      return {
+        passed: unvalidatedInputs.length <= 1,
+        deduction: Math.min(unvalidatedInputs.length * 3, 15),
+        message: unvalidatedInputs.length > 0
+          ? `${unvalidatedInputs.length}处外部输入缺少校验: ${uniqueSources.join(', ')}`
+          : '外部输入均有适当的校验',
+        suggestion: '在路由入口层使用Joi/Yup/Zod等Schema验证库；对用户输入进行类型强制转换和白名单过滤',
+        line: unvalidatedInputs.length > 0 ? unvalidatedInputs[0].line : null
+      };
+    }
+  },
+  {
+    name: 'dependencySecurity',
+    description: '依赖安全: 使用已知安全的依赖版本，避免有漏洞的包',
+    maxScore: 10,
+    check(code, ext) {
+      const issues = [];
+      // 已知的有安全问题或废弃的依赖
+      const vulnerableDeps = [
+        { pkg: 'lodash', versionPattern: /^<4\.17\.21/, reason: '原型污染漏洞(CVE-2021-23337)' },
+        { pkg: 'express', versionPattern: /^<4\.18\.2/, reason: '旧版本可能有已知漏洞' },
+        { pkg: 'debug', versionPattern: /^<4\.3\.3/, reason: '远程代码执行风险' },
+        { pkg: 'minimist', versionPattern: /^<1\.2\.6/, reason: '原型链污染' },
+        { pkg: 'ws', versionPattern: /^<8\.5\.0/, reason: '多个安全修复' }
+      ];
+      // 检测使用的危险函数
+      const dangerousFunctions = [
+        { pattern: /eval\s*\(/, name: 'eval()', risk: '代码注入' },
+        { pattern: /child_process|exec\s*\(|spawn\s*\(/, name: '子进程执行', risk: '命令注入' },
+        { pattern: /vm\.runIn|vm\.Script/, name: 'VM模块', risk: '沙箱逃逸' },
+        { pattern: /fs\.\w+File.*req\.|fs\.\w+File.*input/, name: '文件路径来自用户', risk: '路径遍历' }
+      ];
+      const lines = code.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const { pattern, name, risk } of dangerousFunctions) {
+          if (pattern.test(line) && !line.trim().startsWith('//')) {
+            issues.push({
+              type: 'dangerous_function',
+              function: name,
+              risk,
+              line: i + 1
+            });
+          }
+        }
+      }
+      // 检查package.json中的依赖（简化版：仅检测import）
+      const importedPackages = new Set();
+      const importMatches = code.matchAll(/from\s+['"]([^'"]+)['"]/g);
+      for (const match of importMatches) {
+        const pkg = match[1].split('/')[0];
+        if (!pkg.startsWith('.') && pkg !== 'node:' && !pkg.startsWith('@types/')) {
+          importedPackages.add(pkg);
+        }
+      }
+      // 检查是否有已知的废弃或不安全依赖
+      for (const pkg of importedPackages) {
+        const vulnDep = vulnerableDeps.find(v => v.pkg === pkg);
+        if (vulnDep) {
+          issues.push({
+            type: 'vulnerable_dependency',
+            package: pkg,
+            reason: vulnDep.reason
+          });
+        }
+      }
+      return {
+        passed: issues.filter(i => i.type === 'dangerous_function').length === 0,
+        deduction: Math.min(
+          issues.filter(i => i.type === 'dangerous_function').length * 4 +
+          issues.filter(i => i.type === 'vulnerable_dependency').length * 2,
+          10
+        ),
+        message: issues.length > 0
+          ? `发现${issues.length}个依赖安全问题`
+          : '依赖使用看起来安全',
+        suggestion: '避免使用eval()和child_process.exec()处理用户输入；定期运行npm audit修复已知漏洞；使用npm outdated检查过时依赖',
+        line: issues.length > 0 ? issues[0].line : null
+      };
+    }
+  },
+  {
+    name: 'insecureConfig',
+    description: '不安全配置: CORS、Cookie、HTTPS等安全相关配置检查',
+    maxScore: 5,
+    check(code, ext) {
+      const issues = [];
+      const lines = code.split('\n');
+      // CORS通配符
+      if (/origin\s*:\s*["']\*["']|Access-Control-Allow-Origin\s*:\s*\*/.test(code)) {
+        // 检查是否是开发环境
+        const isDevEnv = /development|dev|local/i.test(code);
+        if (!isDevEnv) {
+          issues.push({ type: 'cors_wildcard', detail: 'CORS允许所有来源(*)' });
+        }
+      }
+      // Cookie安全设置缺失
+      if (/cookie|Cookie/.test(code)) {
+        const hasSecureFlag = /secure\s*:\s*true|{.*secure:.*true/.test(code);
+        const hasHttpOnly = /httpOnly\s*:\s*true|{.*httpOnly:.*true/.test(code);
+        const hasSameSite = /sameSite|same-site/.test(code);
+        if (!hasSecureFlag || !hasHttpOnly || !hasSameSite) {
+          issues.push({
+            type: 'insecure_cookie',
+            detail: `Cookie缺少安全选项: ${[
+              !hasSecureFlag ? 'secure标志' : null,
+              !hasHttpOnly ? 'httpOnly标志' : null,
+              !hasSameSite ? 'SameSite属性' : null
+            ].filter(Boolean).join(', ')}`,
+            severity: 'medium'
+          });
+        }
+      }
+      // HTTPS强制跳转缺失（Web应用）
+      if (/express|koa|fastify|http\.createServer/.test(code)) {
+        const hasHttpsEnforcement = /forceSSL|enforceHTTPS|helmet|hsts|strict-transport-security/.test(code);
+        if (!hasHttpsEnforcement) {
+          issues.push({
+            type: 'no_https_enforcement',
+            detail: '未检测到HTTPS强制跳转/HSTS设置',
+            severity: 'low'
+          });
+        }
+      }
+      // 错误信息泄露
+      if (/err\.stack|error\.stack|console\.(log|error)\(err/.test(code)) {
+        const isInProductionHandler = /production|NODE_ENV\s*===\s*['"]production['"]/.test(code);
+        if (!isInProductionHandler) {
+          issues.push({
+            type: 'error_info_leak',
+            detail: '可能向客户端暴露详细错误堆栈'
+          });
+        }
+      }
+      return {
+        passed: issues.filter(i => i.severity !== 'low').length === 0,
+        deduction: Math.min(issues.length * 2, 5),
+        message: issues.length > 0
+          ? `发现${issues.length}项安全配置问题`
+          : '安全配置基本合理',
+        suggestion: 'CORS限制为特定域名；Cookie设置secure/httpOnly/sameSite属性；生产环境隐藏错误详情；启用HSTS',
+        line: issues.length > 0 ? issues[0]?.line || null : null
+      };
+    }
+  }
+];
+export default rules;