npm - pdd-skills - Versions diffs - 3.0.5 → 3.1.0 - Mend

pdd-skills 3.0.5 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

package/README.md +144 -26
package/config/bug-patterns.yaml +293 -0
package/config/gate-config.yaml +73 -0
package/config/prd-rules.yaml +112 -0
package/docs/i18n-spec.md +120 -0
package/docs/lessons.md +201 -0
package/docs/plans/00-beginner-guide.md +3164 -0
package/docs/tasks.md +91 -0
package/docs/token-checklist.md +72 -0
package/docs/vm-tasks.md +497 -0
package/package.json +2 -2
package/scaffolds/python-fullstack/backend/app/api/v1/departments.py +90 -0
package/scaffolds/python-fullstack/backend/app/api/v1/dict_items.py +72 -0
package/scaffolds/python-fullstack/backend/app/api/v1/router.py +3 -1
package/scaffolds/python-fullstack/backend/app/models/__init__.py +5 -1
package/scaffolds/python-fullstack/backend/app/models/dict_item.py +45 -0
package/scaffolds/python-fullstack/backend/app/schemas/common.py +38 -1
package/scaffolds/python-fullstack/backend/app/schemas/department.py +32 -0
package/scaffolds/python-fullstack/backend/app/schemas/dict_item.py +61 -0
package/scaffolds/python-fullstack/backend/scripts/seed_base_data.py +173 -0
package/scaffolds/python-fullstack/frontend/src/api/departments.ts +32 -0
package/scaffolds/python-fullstack/frontend/src/api/dict_items.ts +31 -0
package/scaffolds/python-fullstack/frontend/src/main.ts +3 -0
package/scaffolds/python-fullstack/frontend/src/styles/global-reset.css +71 -0
package/scaffolds/python-fullstack/frontend/src/utils/safeAlert.ts +36 -0
package/scaffolds/ruoyi/README.md +32 -0
package/scaffolds/ruoyi/sql/seed_base_data.sql +90 -0
package/scripts/linter/gate-engine.js +292 -0
package/scripts/linter/run-linters.js +10 -1
package/scripts/openapi-contract-sync.js +270 -0
package/skills/core/pdd-ba/SKILL.md +8 -4
package/skills/core/pdd-code-reviewer/SKILL.md +108 -2
package/skills/core/pdd-extract-features/SKILL.md +40 -10
package/skills/core/pdd-generate-spec/SKILL.md +142 -4
package/skills/core/pdd-implement-feature/SKILL.md +82 -10
package/skills/core/pdd-main/SKILL.md +73 -1
package/skills/core/pdd-verify-feature/SKILL.md +60 -0
package/skills/expert/expert-ruoyi/SKILL.md +75 -0
package/skills/pr/pdd-template-engine/SKILL.md +80 -0
package/templates/prd-template.prdx +149 -10

package/README.md CHANGED Viewed

@@ -1,14 +1,14 @@
 # PDD-Skills v3.0
-[![Version](https://img.shields.io/badge/version-3.0.1-blue.svg null)](https://github.com/pdd-skills/pdd-skills)
+[![Version](https://img.shields.io/badge/version-3.1.0-blue.svg null)](https://github.com/pdd-skills/pdd-skills)
 [![Node](https://img.shields.io/badge/node-%3E%3D18.0.0-green.svg null)](https://nodejs.org/)
 [![License](https://img.shields.io/badge/license-MIT-orange.svg null)](LICENSE)
-[![Tasks](https://img.shields.io/badge/tasks-153%2F153-brightgreen.svg null)](docs/tasks.md)
-[![Milestones](https://img.shields.io/badge/milestones-29%2F29-success.svg null)](docs/tasks.md)
+[![Patterns](https://img.shields.io/badge/bug_patterns-14-purple.svg null)](config/bug-patterns.yaml)
+[![Gate](https://img.shields.io/badge/gate_rules-30-critical.svg null)](config/prd-rules.yaml)
 > **PRD 驱动的 AI 原生软件开发工作流框架**
 >
-> 从需求文档到代码交付的全链路自动化平台 — **7 大 Phase**、**29 个里程碑**、**153 项任务**、**100% 完成** 🎉
+> 从需求文档到代码交付的全链路自动化平台 — **7 大 Phase**、**双脚手架**、**14 个 Bug 模式**、**30 条 PRD 规则**、**4 级质量门控**
 ***
@@ -27,6 +27,7 @@
   - [Phase 6: 生态建设](#phase-6-生态建设)
   - [📊 Phase 7: PDD Visual Manager](#-phase-7-pdd-visual-manager)
 - [技能系统](#技能系统)
+- [配置中心](#配置中心)
 - [API 层](#api-层)
 - [MCP 协议集成](#mcp-协议集成)
 - [SDK 使用指南](#sdk-使用指南)
@@ -229,18 +230,16 @@ scaffolds/python-fullstack/
 | 指标          | 数值                                            |
 | ----------- | --------------------------------------------- |
-| **版本**      | v3.0.2                                        |
-| **总任务数**    | 153 (**100% 完成**)                             |
-| **里程碑数**    | 29 (**100% 达成**)                              |
+| **版本**      | v3.1.0                                        |
 | **核心技能**    | 11 个（全双语 🇨🇳🇺🇸）                            |
-| **专家技能**    | 2 个（安全 + 性能）                                  |
-| **代码文件**    | \~80 个 `lib/*.js` 模块（含 Phase 7 新增 38 个）       |
+| **专家技能**    | 4 个（安全 + 性能 + 若依 + Activiti）                                  |
+| **PR技能**    | 5 个（模板引擎 + 多轮审查 + PR创建/审查/合并）                 |
+| **Bug模式库**  | 14 个（7通用 + 7若依专用），集中式管理 `config/bug-patterns.yaml` |
+| **PRD规则**   | 30 条（6大类），集中式管理 `config/prd-rules.yaml`      |
+| **质量门控**    | 4级（Blocker/Critical/Warning/Info）+ 0-100评分    |
+| **脚手架模板**   | 2 个（Python Fullstack + 若依RuoYi）               |
 | **协议支持**    | RESTful + MCP + gRPC + SSE                    |
 | **SDK 语言**  | JavaScript + Python                           |
-| **示例插件**    | 3 个（hello-world / code-stats / custom-linter） |
-| **社区文档**    | 5 套（\~10,700 行）                               |
-| **VM 新增代码** | \~6000 行（Phase 7）                             |
-| **脚手架模板**   | 1 个（python-fullstack 全栈模板）                     |
 ***
@@ -445,6 +444,8 @@ pdd config --get key                              # 读取配置项
 | ---------------------- | --------------------------------------- | -------------------------------------- |
 | **expert-security**    | SQL注入 / XSS / CSRF / 命令注入 / 路径遍历 / SSRF | OWASP Top 10 2021 完整覆盖，8 条安全铁律         |
 | **expert-performance** | CPU / 内存 / I/O / 网络 / 锁竞争诊断             | HikariCP / Redis多级缓存 / G1 GC调优 / P99指标 |
+| **expert-ruoyi**       | 若依框架全流程开发 / 代码生成 / 权限配置 / 菜单管理          | 7个若依Bug模式(PATTERN-R001~R007) + Spec模板参考 |
+| **expert-activiti**    | Activiti 7工作流引擎 / BPMN 2.0 / 流程部署管理      | 流程设计规范 + BPMN校验规则                       |
 ### Phase 4: 平台化建设
@@ -1014,9 +1015,9 @@ skills/
 │   ├── pdd-ba/             # 业务分析
 │   ├── pdd-extract-features/
 │   ├── pdd-generate-spec/
-│   ├── pdd-implement-feature/
-│   ├── pdd-verify-feature/
-│   ├── pdd-code-reviewer/
+│   ├── pdd-implement-feature/  # 含上下文注入 + 微验证
+│   ├── pdd-verify-feature/     # 含契约一致性验证
+│   ├── pdd-code-reviewer/      # 含Bug模式库匹配 + UX一致性
 │   ├── pdd-doc-change/
 │   ├── pdd-doc-gardener/
 │   ├── pdd-entropy-reduction/
@@ -1024,7 +1025,16 @@ skills/
 │
 ├── expert/                  # 专家技能 (按需加载)
 │   ├── expert-security/    # 安全审计专家
-│   └── expert-performance/ # 性能优化专家
+│   ├── expert-performance/ # 性能优化专家
+│   ├── expert-ruoyi/       # 若依框架专家 (含Bug模式库R001~R007)
+│   └── expert-activiti/    # Activiti工作流专家
+│
+├── pr/                      # PR与交付技能
+│   ├── pdd-template-engine/    # PRD感知动态模板引擎
+│   ├── pdd-multi-review/       # 三轮代码审查
+│   ├── pdd-pr-create/          # PR创建
+│   ├── pdd-pr-review/          # PR审查
+│   └── pdd-pr-merge/           # PR合并
 │
 ├── openspec/                # OpenSpec 协作技能
 │   ├── openspec-explore/
@@ -1040,6 +1050,99 @@ skills/
 ***
+## 配置中心
+> **Single Source of Truth 原则**：所有配置集中管理，技能和脚本通过引用获取，避免散落和不一致。
+### 配置文件一览
+| 配置文件 | 用途 | 消费方 |
+|---------|------|--------|
+| `config/bug-patterns.yaml` | Bug模式库（14个模式） | pdd-code-reviewer, pdd-verify-feature, pdd-implement-feature, pdd-template-engine, expert-ruoyi |
+| `config/prd-rules.yaml` | PRD检测规则（30条，6大类） | pdd-linter, run-linters.js |
+| `config/gate-config.yaml` | 质量门控配置（4级阻断+评分权重） | gate-engine.js |
+### Bug模式库架构
+```
+config/bug-patterns.yaml          ← 唯一真相源
+├── categories.general            # 通用模式 PATTERN-001~007
+│   ├── PATTERN-001  datetime字段类型陷阱
+│   ├── PATTERN-002  静态路由注册顺序错误
+│   ├── PATTERN-003  枚举硬编码/编码不一致
+│   ├── PATTERN-004  alert()未用safeAlert()包装
+│   ├── PATTERN-005  my-tasks查询条件不完整
+│   ├── PATTERN-006  Options接口路由顺序(同002)
+│   └── PATTERN-007  编号生成未检查已存在记录
+└── categories.ruoyi              # 若依专用 PATTERN-R001~R007
+    ├── PATTERN-R001  权限注解缺失
+    ├── PATTERN-R002  菜单配置不完整
+    ├── PATTERN-R003  数据权限未配置
+    ├── PATTERN-R004  Redis缓存未清除
+    ├── PATTERN-R005  参数校验缺失
+    ├── PATTERN-R006  XSS防护缺失
+    └── PATTERN-R007  操作日志缺失
+```
+### PRD检测规则架构
+```
+config/prd-rules.yaml             ← 唯一真相源 (30条规则)
+├── structure (7条)               # PRD结构完整性
+├── content (8条)                 # 内容质量
+├── uiux (6条)                    # UI/UX规范
+│   ├── uiux-form-mapping-exists  # 表单控件映射表 (BLOCKER)
+│   ├── uiux-no-uuid-input        # 禁止UUID输入 (BLOCKER)
+│   ├── uiux-options-api-listed   # Options API声明 (BLOCKER)
+│   ├── uiux-page-list            # 页面清单
+│   ├── uiux-seed-data-declared   # 种子数据声明
+│   └── uiux-wireframe-exists     # 线框图
+├── data_model (4条)              # 数据模型规范
+│   ├── dm-enum-convention        # 枚举编码约定 (BLOCKER)
+│   ├── dm-permission-matrix      # 权限矩阵 (BLOCKER)
+│   ├── dm-type-explicit          # 类型显式声明
+│   └── dm-audit-fields           # 审计字段
+└── api_design (3条)              # API设计规范
+    ├── api-options-endpoint      # Options端点 (BLOCKER)
+    ├── api-param-location        # 参数位置
+    └── api-error-format          # 错误格式
+```
+### 质量门控流程
+```
+PRD文档 → prd-linter (30条规则) → gate-engine (4级门控) → 评分卡
+                                                            │
+                                              ┌─────────────┼─────────────┐
+                                              ▼             ▼             ▼
+                                         BLOCKER       CRITICAL      WARNING/INFO
+                                         (阻断)        (必须修复)     (建议修复)
+                                              │             │
+                                              ▼             ▼
+                                         Score = 0     Score -= 15/5/1
+                                              │             │
+                                              ▼             ▼
+                                         Grade: F      Grade: A~D
+                                              │             │
+                                              ▼             ▼
+                                         ❌ FAIL        ✅ PASS
+```
+### 更新流程
+```bash
+# 新增Bug模式 → 只需编辑一个文件
+vim config/bug-patterns.yaml    # 各skill自动通过引用获取
+# 修改BLOCKER规则 → 只需编辑一个文件
+vim config/gate-config.yaml     # gate-engine.js自动读取
+# 修改PRD检测规则 → 只需编辑一个文件
+vim config/prd-rules.yaml       # run-linters.js自动读取
+```
+***
 ## API 层
 ### 启动 API 服务器
@@ -1511,11 +1614,16 @@ pdd-skills-v3/
 │   └── openspec/               # 10 个 OpenSpec 技能
 │
 ├── scripts/                   # 工具脚本
+│   ├── linter/                # PRD Linter 工具链
+│   │   ├── prd-linter.js      # PRD Linter 引擎
+│   │   ├── prd-rules.yaml     # (符号链接→config/)
+│   │   ├── gate-engine.js     # 4级门控引擎 (读取config/gate-config.yaml)
+│   │   ├── report-generator.js# 报告生成器
+│   │   └── run-linters.js     # Linter运行器 (集成Gate Engine)
+│   ├── openapi-contract-sync.js # OpenAPI契约同步工具
 │   ├── skill-linter.py        # Skill 文件检查器
-│   ├── skill-rules.yaml       # Linter 规则配置
 │   ├── i18n-checker.js         # 双语合规检查
-│   ├── token-analyzer.js       # Token 分析
-│   └── ...
+│   └── token-analyzer.js       # Token 分析
 │
 ├── docs/                       # 社区文档 (~10,700 行)
 │   ├── user-guide/
@@ -1526,9 +1634,18 @@ pdd-skills-v3/
 │   └── tasks.md               # 任务跟踪 (153/100%)
 │
 ├── templates/                 # 项目模板
-├── config/                    # 配置文件
+├── config/                    # 配置中心 (Single Source of Truth)
+│   ├── bug-patterns.yaml      # Bug模式库 (14个模式, 唯一真相源)
+│   ├── prd-rules.yaml         # PRD检测规则 (30条, 6大类)
+│   ├── gate-config.yaml       # 质量门控配置 (4级阻断+评分权重)
+│   ├── bpmn-rules.yaml        # BPMN校验规则
+│   ├── checkstyle.xml         # Java Checkstyle配置
+│   ├── eslint.config.js       # ESLint配置
+│   ├── pmd.xml                # PMD配置
+│   ├── ruff.toml              # Python Ruff配置
+│   └── sqlfluff.cfg           # SQL SQLFluff配置
 ├── hooks/                     # Hook 配置
-└── package.json               # v3.0.1
+└── package.json               # v3.1.0
 ```
 ***
@@ -1613,9 +1730,10 @@ CLI 参数 > 环境变量 > .pddrc.local > .pddrc > defaults
 | 版本         | 日期         | 重要变更                                                                                                                                            |
 | ---------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
+| **v3.1.0** | 2026-04-15 | **智能能力+生态集成**: Bug模式库集中化(14模式), PRD Linter扩展(30规则6大类), 4级门控引擎(Blocker/Critical/Warning/Info), OpenAPI契约同步, PRD感知动态模板, MVP分层交付策略, 上下文注入+微验证, expert-ruoyi+expert-activiti专家技能, 若依RuoYi脚手架支持, 种子数据分层设计 |
 | **v3.0.2** | 2026-04-12 | **脚手架系统发布**: python-fullstack 全栈模板(FastAPI+Vue3), 数据权限引擎, OAuth2六平台认证, 工作流状态机引擎, 响应式前端, 4份架构设计文档, Docker一键部署, CI流水线 |
-| **v3.0.1** | 2026-04-07 | **PDD Visual Manager 发布**: Web Dashboard + Terminal TUI 双形态可视化监控, 11个REST API端点, SSE实时推送, Canvas图表引擎, ANSI TUI组件库 (59/59 任务 100%, 4/4 里程碑 100%) |
-| **v3.0.0** | 2026-04-05 | **正式发布版**: 6大Phase全部完成 + 插件系统 + OpenClaw + gRPC + Python SDK + 暂缓清零 (94/94 任务 100%)                                                             |
+| **v3.0.1** | 2026-04-07 | **PDD Visual Manager 发布**: Web Dashboard + Terminal TUI 双形态可视化监控, 11个REST API端点, SSE实时推送, Canvas图表引擎, ANSI TUI组件库 |
+| **v3.0.0** | 2026-04-05 | **正式发布版**: 6大Phase全部完成 + 插件系统 + OpenClaw + gRPC + Python SDK + 暂缓清零                                                             |
 | v2.x       | 2026-03    | 内部迭代版本: MCP/SDK/缓存/Token/质量/迭代                                                                                                                  |
 | v1.x       | 2025-12    | 初始版本: 基础设施 + 核心技能 + Linter                                                                                                                      |
@@ -1636,9 +1754,9 @@ CLI 参数 > 环境变量 > .pddrc.local > .pddrc > defaults
 ***
 <p align="center">
-  <b>PDD-Skills v3.0 — 让 AI 成为你的全职结对编程伙伴 🤖</b>
+  <b>PDD-Skills v3.1 — 让 AI 成为你的全职结对编程伙伴 🤖</b>
 </p>
 <p align="center">
-  <sub>153/153 Tasks ✅ · 29/29 Milestones ✅ · 100% Complete 🎉</sub>
+  <sub>14 Bug Patterns ✅ · 30 PRD Rules ✅ · 4-Level Gate ✅ · Dual Scaffold ✅</sub>
 </p>

package/config/bug-patterns.yaml ADDED Viewed

@@ -0,0 +1,293 @@
+# Bug Pattern Library / Bug模式库
+#
+# 唯一真相源 (Single Source of Truth)
+# 所有SKILL.md和脚本必须引用此文件，不得内联副本
+#
+# 更新流程:
+#   1. 在此文件中添加/修改模式
+#   2. 运行 scripts/linter/validate-patterns.js 验证格式
+#   3. 各skill自动通过引用获取最新模式
+#
+# 模式ID命名规范:
+#   - 通用模式: PATTERN-NNN (如 PATTERN-001)
+#   - 若依专用: PATTERN-RNNN (如 PATTERN-R001)
+#   - 未来脚手架: PATTERN-JNNN (Java/Spring), PATTERN-GNNN (Go) 等
+meta:
+  version: "1.0.0"
+  last_updated: "2026-04-15"
+  source: "资产评估处置管理系统首次项目实践复盘"
+  maintainers: ["pdd-skills-v3"]
+categories:
+  general:
+    name: "通用模式 (Python Fullstack)"
+    description: "适用于所有Python Fullstack项目的常见Bug模式"
+    patterns:
+      - id: PATTERN-001
+        name: "datetime字段类型陷阱"
+        name_en: "datetime field type trap"
+        description: "datetime字段必须用field_validator或field_serializer处理，不能声明为str"
+        trigger: "Pydantic Schema包含datetime字段"
+        prevention: "使用 @field_serializer 或 model_config=json_encoders"
+        severity: critical
+        detection:
+          - "Schema中 created_at/updated_at 字段类型为 str"
+          - "datetime字段缺少序列化配置"
+        fix_example: |
+          # ❌ 错误
+          created_at: str
+          # ✅ 正确
+          created_at: datetime
+          # 并在Schema中添加:
+          @field_serializer('created_at')
+          def serialize_datetime(self, dt): return dt.isoformat() if dt else None
+        related_rules: ["dm-type-explicit"]
+        tags: ["schema", "datetime", "serialization"]
+      - id: PATTERN-002
+        name: "静态路由注册顺序错误"
+        name_en: "Static route registration order error"
+        description: "静态路由(/options, /me等)必须在动态路由(/{id})之前注册，否则被动态路由拦截"
+        trigger: "FastAPI路由文件同时包含/options和/{id}"
+        prevention: "路由注册顺序: /me → / → /options → /{id}"
+        severity: critical
+        detection:
+          - "router.py中 /options 定义在 /{id} 之后"
+          - "访问/options返回404或数据异常"
+        fix_example: |
+          # ❌ 错误
+          @router.get("/{id}")
+          @router.get("/options")
+          # ✅ 正确
+          @router.get("/options")
+          @router.get("/{id}")
+        related_rules: ["api-options-endpoint", "uiux-options-api-listed"]
+        tags: ["routing", "fastapi", "options-api"]
+      - id: PATTERN-003
+        name: "枚举硬编码/编码不一致"
+        name_en: "Enum hardcoding / inconsistent coding"
+        description: "枚举值散落硬编码在前端代码中，且编码风格不统一(大小写混用/中英混用)"
+        trigger: "定义Enum或状态字段"
+        prevention: "编码值统一用snake_case小写英文，显示名用中文映射，通过字典表/Options API管理"
+        severity: warning
+        detection:
+          - "前端 if status === '1' 散落各处"
+          - "枚举值大小写不统一(ACTIVE vs active vs Active)"
+        fix_example: |
+          # ❌ 错误
+          if (row.status === '1') { ... }
+          # ✅ 正确
+          const STATUS_MAP = { draft: '草稿', pending: '待审批', approved: '已通过' }
+        related_rules: ["dm-enum-convention"]
+        tags: ["enum", "coding-convention", "frontend"]
+      - id: PATTERN-004
+        name: "alert()未用safeAlert()包装"
+        name_en: "alert() not wrapped with safeAlert()"
+        description: "前端使用原生alert()可能导致非string参数报错"
+        trigger: "前端代码使用alert()"
+        prevention: "safeAlert确保参数为string类型"
+        severity: warning
+        detection:
+          - "Vue组件中使用 alert(...) 而非 safeAlert(...)"
+        fix_example: |
+          # ❌ 错误
+          alert(res.message)
+          # ✅ 正确
+          safeAlert(res.message)
+        related_rules: []
+        tags: ["frontend", "vue", "safety"]
+      - id: PATTERN-005
+        name: "my-tasks查询条件不完整"
+        name_en: "Incomplete my-tasks query conditions"
+        description: "我的任务查询必须同时匹配evaluator_id和created_by，否则遗漏任务"
+        trigger: "实现'我的任务'列表接口"
+        prevention: "OR(evaluator_id==user_id, created_by==user_id)"
+        severity: critical
+        detection:
+          - "我的任务接口只查 evaluator_id 或只查 created_by"
+        fix_example: |
+          # ❌ 错误
+          query = query.filter(Evaluation.evaluator_id == user_id)
+          # ✅ 正确
+          query = query.filter(
+            or_(Evaluation.evaluator_id == user_id, Evaluation.created_by == user_id)
+          )
+        related_rules: []
+        tags: ["query", "business-logic"]
+      - id: PATTERN-006
+        name: "Options接口路由顺序(同PATTERN-002)"
+        name_en: "Options API route order (same as PATTERN-002)"
+        description: "PATTERN-002的特化版本，专指/options端点的路由注册顺序问题"
+        trigger: "实现下拉选项API"
+        prevention: "参见PATTERN-002"
+        severity: critical
+        detection:
+          - "同PATTERN-002"
+        fix_example: "参见PATTERN-002"
+        related_rules: ["api-options-endpoint"]
+        tags: ["routing", "options-api"]
+        alias_of: "PATTERN-002"
+      - id: PATTERN-007
+        name: "编号生成未检查已存在记录"
+        name_en: "ID generation without checking existing records"
+        description: "自动编号生成时未检查数据库中已存在的最大编号，可能导致编号冲突"
+        trigger: "实现task_no等自动编号"
+        prevention: "SELECT MAX(task_no) WHERE task_no LIKE prefix%"
+        severity: critical
+        detection:
+          - "编号生成逻辑直接使用计数而非MAX查询"
+          - "并发场景下出现重复编号"
+        fix_example: |
+          # ❌ 错误
+          new_no = f"TASK-{count + 1:04d}"
+          # ✅ 正确
+          max_no = db.query(func.max(Task.task_no)).filter(
+            Task.task_no.like(f"TASK-{prefix}%")
+          ).scalar()
+          next_seq = int(max_no.split("-")[-1]) + 1 if max_no else 1
+        related_rules: []
+        tags: ["business-logic", "concurrency"]
+  ruoyi:
+    name: "若依专用模式 (RuoYi Framework)"
+    description: "若依框架特有的常见Bug模式"
+    patterns:
+      - id: PATTERN-R001
+        name: "权限注解缺失"
+        name_en: "Missing permission annotation"
+        description: "Controller方法缺少@PreAuthorize注解，导致接口无权限控制"
+        trigger: "新增Controller方法"
+        prevention: "每个接口方法必须配置@PreAuthorize注解"
+        severity: critical
+        detection:
+          - "Controller方法无@PreAuthorize注解"
+          - "接口可被任意角色访问"
+        fix_example: |
+          # ❌ 错误
+          @GetMapping("/list")
+          public TableDataInfo list(Evaluation evaluation) { ... }
+          # ✅ 正确
+          @PreAuthorize("@ss.hasPermi('eval:evaluation:list')")
+          @GetMapping("/list")
+          public TableDataInfo list(Evaluation evaluation) { ... }
+        related_rules: ["dm-permission-matrix"]
+        tags: ["ruoyi", "permission", "security"]
+      - id: PATTERN-R002
+        name: "菜单配置不完整"
+        name_en: "Incomplete menu configuration"
+        description: "新增页面未配置sys_menu记录，导致页面404或按钮不显示"
+        trigger: "新增功能页面"
+        prevention: "所有页面(含隐藏页)必须配置sys_menu INSERT语句"
+        severity: critical
+        detection:
+          - "新页面通过菜单访问返回404"
+          - "按钮权限不显示"
+        fix_example: |
+          -- 必须提供的菜单SQL
+          INSERT INTO sys_menu VALUES(2000, '评估管理', 0, 1, 'evaluation', NULL, '', 1, 0, 'M', '0', '0', '', 'eval', 'admin', sysdate(), '', NULL, '');
+        related_rules: []
+        tags: ["ruoyi", "menu", "configuration"]
+      - id: PATTERN-R003
+        name: "数据权限未配置"
+        name_en: "Data scope not configured"
+        description: "Service方法缺少@DataScope注解，用户可看到跨部门数据"
+        trigger: "实现列表查询接口"
+        prevention: "Service方法添加@DataScope注解"
+        severity: critical
+        detection:
+          - "普通用户能看到其他部门的数据"
+          - "Service查询方法无@DataScope"
+        fix_example: |
+          # ❌ 错误
+          public List<Evaluation> selectEvaluationList(Evaluation evaluation) { ... }
+          # ✅ 正确
+          @DataScope(deptAlias = "d")
+          public List<Evaluation> selectEvaluationList(Evaluation evaluation) { ... }
+        related_rules: ["dm-permission-matrix"]
+        tags: ["ruoyi", "data-scope", "security"]
+      - id: PATTERN-R004
+        name: "Redis缓存未清除"
+        name_en: "Redis cache not cleared"
+        description: "修改权限/菜单后未清除Redis缓存，导致修改不生效"
+        trigger: "修改权限或菜单配置"
+        prevention: "修改权限/菜单后必须清除Redis缓存"
+        severity: warning
+        detection:
+          - "权限修改后用户仍可访问旧权限的接口"
+          - "菜单修改后页面不更新"
+        fix_example: |
+          // 修改权限后执行
+          redisCache.deleteObject(Constants.LOGIN_TOKEN_KEY + userId);
+        related_rules: []
+        tags: ["ruoyi", "redis", "cache"]
+      - id: PATTERN-R005
+        name: "参数校验缺失"
+        name_en: "Missing parameter validation"
+        description: "@RequestBody参数未添加@Validated注解，校验注解不生效"
+        trigger: "新增POST/PUT接口"
+        prevention: "所有@RequestBody参数添加@Validated"
+        severity: warning
+        detection:
+          - "提交空字段无校验提示"
+          - "@RequestBody参数缺少@Validated"
+        fix_example: |
+          # ❌ 错误
+          @PostMapping
+          public AjaxResult add(@RequestBody Evaluation evaluation) { ... }
+          # ✅ 正确
+          @PostMapping
+          public AjaxResult add(@Validated @RequestBody Evaluation evaluation) { ... }
+        related_rules: []
+        tags: ["ruoyi", "validation"]
+      - id: PATTERN-R006
+        name: "XSS防护缺失"
+        name_en: "Missing XSS protection"
+        description: "文本字段未添加@Xss注解，存在XSS攻击风险"
+        trigger: "新增文本输入字段"
+        prevention: "所有String类型文本字段添加@Xss"
+        severity: warning
+        detection:
+          - "文本字段可输入<script>标签"
+          - "Bo实体类String字段无@Xss注解"
+        fix_example: |
+          # ❌ 错误
+          @NotBlank(message = "名称不能为空")
+          private String evalName;
+          # ✅ 正确
+          @Xss
+          @NotBlank(message = "名称不能为空")
+          private String evalName;
+        related_rules: []
+        tags: ["ruoyi", "xss", "security"]
+      - id: PATTERN-R007
+        name: "操作日志缺失"
+        name_en: "Missing operation log"
+        description: "增删改操作未添加@Log注解，无法追溯操作记录"
+        trigger: "新增CUD操作接口"
+        prevention: "所有CUD操作添加@Log注解"
+        severity: info
+        detection:
+          - "操作后sys_oper_log表中无记录"
+          - "CUD方法无@Log注解"
+        fix_example: |
+          # ❌ 错误
+          @DeleteMapping("/{ids}")
+          public AjaxResult remove(@PathVariable Long[] ids) { ... }
+          # ✅ 正确
+          @Log(title = "评估管理", businessType = BusinessType.DELETE)
+          @DeleteMapping("/{ids}")
+          public AjaxResult remove(@PathVariable Long[] ids) { ... }
+        related_rules: []
+        tags: ["ruoyi", "audit", "logging"]

package/config/gate-config.yaml ADDED Viewed

@@ -0,0 +1,73 @@
+# Gate Engine Configuration / 门控引擎配置
+#
+# 唯一真相源 (Single Source of Truth)
+# gate-engine.js 必须从此文件读取配置，不得硬编码
+#
+# 修改流程:
+#   1. 在此文件中修改BLOCKER规则列表或评分权重
+#   2. gate-engine.js 自动读取最新配置
+#   3. 无需修改JS代码
+meta:
+  version: "1.0.0"
+  last_updated: "2026-04-15"
+gate_levels:
+  - id: blocker
+    exit_code: 1
+    message: "🚫 BLOCKER: 流程被阻断，必须修复后才能继续"
+    color: "red"
+  - id: critical
+    exit_code: 1
+    message: "🔴 CRITICAL: 严重问题，必须修复"
+    color: "red"
+  - id: warning
+    exit_code: 0
+    message: "🟡 WARNING: 建议修复，非阻塞"
+    color: "yellow"
+  - id: info
+    exit_code: 0
+    message: "🔵 INFO: 可选优化"
+    color: "blue"
+severity_mapping:
+  error: critical
+  warn: warning
+  info: info
+blocker_rule_ids:
+  - uiux-no-uuid-input
+  - dm-enum-convention
+  - dm-permission-matrix
+  - uiux-form-mapping-exists
+  - uiux-options-api-listed
+  - api-options-endpoint
+  - prd-has-out-of-scope
+blocker_fix_suggestions:
+  uiux-no-uuid-input: "外键字段使用Select组件而非手动输入"
+  dm-enum-convention: "在PRD中添加枚举编码约定章节"
+  dm-permission-matrix: "在PRD中添加角色×状态×操作权限矩阵"
+  uiux-form-mapping-exists: "在PRD中添加表单字段组件映射表"
+  uiux-options-api-listed: "在PRD中列出所有Options API数据源"
+  api-options-endpoint: "在PRD接口设计中声明/options端点"
+  prd-has-out-of-scope: "在PRD中明确声明超出范围的功能"
+score_weights:
+  blocker_base: 0
+  critical_max_issues_for_nonzero: 5
+  critical_floor_score: 20
+  base_score: 100
+  critical_penalty: 15
+  warning_penalty: 5
+  info_penalty: 1
+grade_thresholds:
+  A: 90
+  B: 80
+  C: 70
+  D: 60
+  F: 0