proof-pr 0.1.14 → 0.1.15

package/README.md

@@ -12,7 +12,7 @@ ProofPR 是给开源维护者和工程团队使用的 PR 证据门禁。它在
 npx proof-pr@latest --version
 ```
 
-当前应输出 `0.1.14`。
+当前应输出 `0.1.15`。
 
 不知道用哪个功能时：
 
@@ -35,7 +35,13 @@ npx proof-pr@latest demo --list
 npx proof-pr@latest init
 ```
 
-这个命令会生成 `.proofpr.yml` 和 `.github/workflows/proofpr.yml`，提交后打开 PR 即可看到报告。
+这个命令会生成 `.proofpr.yml`、`.github/workflows/proofpr.yml` 和 `.github/pull_request_template.md`，提交后打开 PR 即可看到报告。
+
+已接入仓库单独补 PR 模板：
+
+```bash
+npx proof-pr@latest template
+```
 
 体检接入状态：
 
@@ -43,7 +49,7 @@ npx proof-pr@latest init
 npx proof-pr@latest doctor
 ```
 
-这个命令会检查配置文件、workflow、Action 版本、PR 权限和本地 diff 是否可读。
+这个命令会检查配置文件、workflow、PR 模板、Action 版本、PR 权限和本地 diff 是否可读。
 
 本地扫描当前分支：
 
@@ -54,7 +60,7 @@ npx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN
 扫描内置案例：
 
 ```bash
-npx proof-pr@latest scan --diff-file examples/cases/workflow-untrusted-checkout.diff --locale zh-CN
+npx proof-pr@latest demo workflow --locale zh-CN
 ```
 
 生成独立 HTML 可视化报告：
@@ -72,7 +78,7 @@ npx proof-pr@latest benchmark --cases benchmarks/cases
 ## GitHub Action
 
 ```yaml
-- uses: linsk27/proof-pr@v0.1.14
+- uses: linsk27/proof-pr@v0.1.15
   with:
     fail-on: high
     comment: "true"

package/dist/index.js

@@ -25728,7 +25728,7 @@ function dedupeFindings(findings) {
 
 
 const execFileAsync = (0,external_node_util_namespaceObject.promisify)(external_node_child_process_.execFile);
-const CLI_VERSION = "0.1.14";
+const CLI_VERSION = "0.1.15";
 const DEMO_CASES = [
     {
         id: "workflow",
@@ -25869,6 +25869,7 @@ build_program
     .description("Check whether ProofPR is installed correctly in the current repository.")
     .option("--config <path>", "Path to .proofpr.yml.", ".proofpr.yml")
     .option("--workflow-path <path>", "Path to the GitHub Actions workflow.", ".github/workflows/proofpr.yml")
+    .option("--pr-template-path <path>", "Path to the pull request template.", ".github/pull_request_template.md")
     .option("--base <ref>", "Base git ref used for local diff checks.", "origin/main")
     .option("--head <ref>", "Head git ref used for local diff checks.", "HEAD")
     .action(async (options) => {
@@ -25878,6 +25879,15 @@ build_program
         process.exitCode = 1;
     }
 });
+build_program
+    .command("template")
+    .description("Create a ProofPR-friendly pull request template.")
+    .option("--output <path>", "Path to write the pull request template.", ".github/pull_request_template.md")
+    .option("--force", "Overwrite the existing template.", false)
+    .action(async (options) => {
+    await writeIfMissing(options.output, renderPullRequestTemplate(), options.force);
+    process.stdout.write(`ProofPR pull request template written to ${options.output}\n\nNext:\n1. Commit the template.\n2. Ask contributors to fill verification, reproduction, screenshot, changelog, and permission rationale sections when relevant.\n3. Run npx proof-pr@latest doctor to check setup.\n`);
+});
 build_program
     .command("demo")
     .description("Run a built-in ProofPR demo case without cloning this repository.")
@@ -25951,13 +25961,26 @@ build_program
     .description("Create a starter .proofpr.yml and GitHub Actions workflow.")
     .option("--config-path <path>", "Path to write the ProofPR configuration file.", ".proofpr.yml")
     .option("--workflow-path <path>", "Path to write the GitHub Actions workflow.", ".github/workflows/proofpr.yml")
+    .option("--no-pr-template", "Skip creating .github/pull_request_template.md.")
+    .option("--pr-template-path <path>", "Path to write the pull request template.", ".github/pull_request_template.md")
     .option("--preset <preset>", `Config preset: ${listConfigPresets().join(", ")}.`, parsePresetOption, "open-source-maintainer")
     .option("--fail-on <level>", "Workflow failure threshold: low, medium, high, or never.", parseFailLevel, "high")
     .option("--force", "Overwrite existing files.", false)
     .action(async (options) => {
     await writeIfMissing(options.configPath, renderConfigTemplate(options.preset), options.force);
     await writeIfMissing(options.workflowPath, renderWorkflowTemplate(options.failOn), options.force);
-    process.stdout.write(`ProofPR initialized.\n\nCreated:\n- ${options.configPath}\n- ${options.workflowPath}\n\nNext:\n1. Commit these files.\n2. Open or update a pull request.\n3. Read the ProofPR comment or Actions summary.\n\nLocal check:\nnpx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN\n\nNeed another task?\nnpx proof-pr@latest guide\n`);
+    const created = [options.configPath, options.workflowPath];
+    const skipped = [];
+    if (options.prTemplate) {
+        const wroteTemplate = await writeIfMissingSoft(options.prTemplatePath, renderPullRequestTemplate(), options.force);
+        if (wroteTemplate) {
+            created.push(options.prTemplatePath);
+        }
+        else {
+            skipped.push(`${options.prTemplatePath} already exists`);
+        }
+    }
+    process.stdout.write(`ProofPR initialized.\n\nCreated:\n${created.map((item) => `- ${item}`).join("\n")}${skipped.length > 0 ? `\n\nSkipped:\n${skipped.map((item) => `- ${item}`).join("\n")}` : ""}\n\nNext:\n1. Commit these files.\n2. Open or update a pull request.\n3. Read the ProofPR comment or Actions summary.\n\nLocal check:\nnpx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN\n\nNeed another task?\nnpx proof-pr@latest guide\n`);
 });
 build_program
     .command("benchmark")
@@ -26004,36 +26027,40 @@ function renderGuide() {
 
 1. 接入 GitHub PR 自动检查
    npx proof-pr@latest init
-   然后提交 .proofpr.yml 和 .github/workflows/proofpr.yml，打开 PR 后看评论和 Actions summary。
+   然后提交 .proofpr.yml、.github/workflows/proofpr.yml 和 .github/pull_request_template.md，打开 PR 后看评论和 Actions summary。
 
 2. 体检当前仓库接入状态
    npx proof-pr@latest doctor
-   检查配置文件、workflow、Action 版本、PR 权限和本地 diff 是否正常。
+   检查配置文件、workflow、PR 模板、Action 版本、PR 权限和本地 diff 是否正常。
 
-3. 本地检查当前分支
+3. 已接入仓库，单独补 PR 模板
+   npx proof-pr@latest template
+   引导贡献者填写验证、复现、截图、changelog 和权限理由。
+
+4. 本地检查当前分支
    npx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN
    适合在发 PR 前先看风险、证据评分和 Review 行动清单。
 
-4. 生成可分享 HTML 报告
+5. 生成可分享 HTML 报告
    npx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN --format html --output proofpr-report.html
    生成后用浏览器打开 proofpr-report.html。
 
-5. 生成 GitHub Code Scanning 的 SARIF
+6. 生成 GitHub Code Scanning 的 SARIF
    npx proof-pr@latest scan --base origin/main --head HEAD --format sarif --output proofpr.sarif
    适合在 CI 里配合 github/codeql-action/upload-sarif 使用。
 
-6. 不接入仓库，先试跑内置案例
+7. 不接入仓库，先试跑内置案例
    npx proof-pr@latest demo workflow --locale zh-CN
    不需要 clone 仓库或寻找 examples 文件，也能快速看到 ProofPR 会抓什么风险。
 
-7. 查看所有内置案例
+8. 查看所有内置案例
    npx proof-pr@latest demo --list
 
-8. 验证规则样本是否仍然命中
+9. 验证规则样本是否仍然命中
    npx proof-pr@latest benchmark --cases benchmarks/cases
    适合维护 ProofPR 规则或发版前回归。
 
-9. 调整审查强度
+10. 调整审查强度
    打开 .proofpr.yml，把 preset 改成 security-strict、dependency-careful 或 mcp-security。
 
 结果在哪里看：
@@ -26113,6 +26140,7 @@ async function runDoctor(options) {
         checks.push({ level: "fail", title: `缺少 ${options.workflowPath}` });
         nextSteps.add("运行 npx proof-pr@latest init 生成 .github/workflows/proofpr.yml。");
     }
+    await inspectPullRequestTemplate(options.prTemplatePath, checks, nextSteps);
     await inspectGitDiff(options, checks, nextSteps);
     if (nextSteps.size === 0) {
         nextSteps.add("当前接入状态正常；可以打开 PR，或运行 npx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN 做本地自查。");
@@ -26158,6 +26186,29 @@ function inspectWorkflow(workflow, checks, nextSteps) {
         nextSteps.add("建议在 workflow permissions 中加入 contents: read。");
     }
 }
+async function inspectPullRequestTemplate(path, checks, nextSteps) {
+    if (!(await pathExists(path))) {
+        checks.push({ level: "warn", title: `缺少 ${path}` });
+        nextSteps.add("运行 npx proof-pr@latest template 生成 PR 模板，引导贡献者补充验证、复现、截图和权限理由。");
+        return;
+    }
+    const template = await (0,promises_namespaceObject.readFile)(path, "utf8");
+    checks.push({ level: "pass", title: `${path} 已存在` });
+    if (/验证|verification|test/i.test(template)) {
+        checks.push({ level: "pass", title: "PR 模板会提示验证证据" });
+    }
+    else {
+        checks.push({ level: "warn", title: "PR 模板没有明显的验证证据提示" });
+        nextSteps.add("在 PR 模板中加入“验证方式”栏目，减少 ProofPR 报告里的证据不足。");
+    }
+    if (/复现|reproduction|before|after|截图|screenshot|权限|permission/i.test(template)) {
+        checks.push({ level: "pass", title: "PR 模板覆盖复现、截图或权限理由提示" });
+    }
+    else {
+        checks.push({ level: "warn", title: "PR 模板缺少复现、截图或权限理由提示" });
+        nextSteps.add("在 PR 模板中加入复现、截图、changelog、权限理由等可选栏目。");
+    }
+}
 async function inspectGitDiff(options, checks, nextSteps) {
     try {
         const { stdout } = await execFileAsync("git", ["rev-parse", "--is-inside-work-tree"]);
@@ -26244,6 +26295,14 @@ async function writeIfMissing(path, contents, force) {
     await (0,promises_namespaceObject.mkdir)((0,external_node_path_.dirname)(path), { recursive: true });
     await (0,promises_namespaceObject.writeFile)(path, contents, "utf8");
 }
+async function writeIfMissingSoft(path, contents, force) {
+    if (!force && (await pathExists(path))) {
+        return false;
+    }
+    await (0,promises_namespaceObject.mkdir)((0,external_node_path_.dirname)(path), { recursive: true });
+    await (0,promises_namespaceObject.writeFile)(path, contents, "utf8");
+    return true;
+}
 async function writeOutput(path, contents) {
     await (0,promises_namespaceObject.mkdir)((0,external_node_path_.dirname)(path), { recursive: true });
     await (0,promises_namespaceObject.writeFile)(path, contents, "utf8");
@@ -26291,6 +26350,33 @@ jobs:
           annotations: "true"
 `;
 }
+function renderPullRequestTemplate() {
+    return `## 变更说明
+
+请说明这个 PR 为什么需要、改了什么、影响范围是什么。
+
+## 验证方式
+
+- [ ] 已运行自动化测试：
+- [ ] 已完成手动验证：
+- [ ] 不需要测试，原因：
+
+## 复现 / Before & After
+
+如果是 bug fix，请写复现步骤、预期结果和实际结果。
+如果是 UI 改动，请附 before/after 截图或录屏。
+
+## 依赖 / CI / 权限 / MCP 变更
+
+如果改了依赖、lockfile、GitHub Actions、MCP、环境变量或权限，请说明原因和安全影响。
+
+## 发布风险
+
+- [ ] 无破坏性变更
+- [ ] 需要迁移说明 / changelog
+- [ ] 需要灰度或回滚方案
+`;
+}
 function renderOutput(result, format, locale) {
     if (format === "json") {
         return JSON.stringify(result, null, 2);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "proof-pr",
-  "version": "0.1.14",
+  "version": "0.1.15",
   "description": "CLI for ProofPR, a maintainer-focused pull request evidence scanner.",
   "license": "MIT",
   "type": "module",