npm - proof-pr - Versions diffs - 0.1.14 → 0.1.16 - Mend

proof-pr 0.1.14 → 0.1.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -12,7 +12,7 @@ ProofPR 是给开源维护者和工程团队使用的 PR 证据门禁。它在
 npx proof-pr@latest --version
 ```
-当前应输出 `0.1.14`。
+当前应输出 `0.1.16`。
 不知道用哪个功能时：
@@ -35,7 +35,13 @@ npx proof-pr@latest demo --list
 npx proof-pr@latest init
 ```
-这个命令会生成 `.proofpr.yml` 和 `.github/workflows/proofpr.yml`，提交后打开 PR 即可看到报告。
+这个命令会生成 `.proofpr.yml`、`.github/workflows/proofpr.yml` 和 `.github/pull_request_template.md`，提交后打开 PR 即可看到报告。
+已接入仓库单独补 PR 模板：
+```bash
+npx proof-pr@latest template
+```
 体检接入状态：
@@ -43,7 +49,7 @@ npx proof-pr@latest init
 npx proof-pr@latest doctor
 ```
-这个命令会检查配置文件、workflow、Action 版本、PR 权限和本地 diff 是否可读。
+这个命令会检查配置文件、workflow、PR 模板、Action 版本、PR 权限和本地 diff 是否可读。
 本地扫描当前分支：
@@ -54,7 +60,7 @@ npx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN
 扫描内置案例：
 ```bash
-npx proof-pr@latest scan --diff-file examples/cases/workflow-untrusted-checkout.diff --locale zh-CN
+npx proof-pr@latest demo workflow --locale zh-CN
 ```
 生成独立 HTML 可视化报告：
@@ -63,6 +69,8 @@ npx proof-pr@latest scan --diff-file examples/cases/workflow-untrusted-checkout.
 npx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN --format html --output proofpr-report.html
 ```
+HTML 报告支持筛选风险、搜索规则/文件/详情，并复制补证清单。
 运行 benchmark：
 ```bash
@@ -72,7 +80,7 @@ npx proof-pr@latest benchmark --cases benchmarks/cases
 ## GitHub Action
 ```yaml
-- uses: linsk27/proof-pr@v0.1.14
+- uses: linsk27/proof-pr@v0.1.16
   with:
     fail-on: high
     comment: "true"
@@ -85,7 +93,7 @@ npx proof-pr@latest benchmark --cases benchmarks/cases
 - 证据评分：0-100 分。
 - Review 门禁：正常 review、重点 review、先补证据、风险处理前不要合并。
 - Review 行动清单：维护者可直接执行的 checklist。
-- 可选输出：GitHub annotations、SARIF、benchmark report、独立 HTML 可视化报告；CLI 可用 `--output` 直接写文件。
+- 可选输出：GitHub annotations、SARIF、benchmark report、可筛选并可复制补证清单的独立 HTML 可视化报告；CLI 可用 `--output` 直接写文件。
 ## 常用预设

package/dist/index.js CHANGED Viewed

@@ -23378,6 +23378,7 @@ function renderHtmlReport(result, locale = "en") {
     const scoreGrade = formatEvidenceGrade(result.evidenceScore.grade, locale);
     const findingsBySeverity = countFindingsBySeverity(result.findings);
     const ruleCounts = countFindingsByRule(result.findings);
+    const fixPrompt = renderContributorFixPrompt(result, locale);
     const evidenceSignals = [
         [labels.prDescription, locale === "zh-CN" ? translateDescriptionState(result.summary.pullRequestDescription) : result.summary.pullRequestDescription, result.summary.pullRequestDescription === "present"],
         [labels.verification, yesNo(result.summary.verificationEvidence, locale), result.summary.verificationEvidence],
@@ -23549,6 +23550,69 @@ function renderHtmlReport(result, locale = "en") {
       gap: 10px;
     }
+    .fix-panel {
+      display: grid;
+      gap: 12px;
+    }
+    .fix-text {
+      margin: 0;
+      white-space: pre-wrap;
+      border: 1px solid var(--line);
+      border-radius: 8px;
+      background: #fbfcfd;
+      padding: 12px;
+      color: var(--ink);
+      overflow-x: auto;
+    }
+    .copy-button, .filter-button {
+      appearance: none;
+      border: 1px solid var(--line);
+      border-radius: 8px;
+      background: var(--panel);
+      color: var(--ink);
+      font: inherit;
+      font-size: 13px;
+      padding: 8px 11px;
+      cursor: pointer;
+    }
+    .copy-button {
+      justify-self: flex-start;
+      border-color: #b8d5f4;
+      background: var(--soft-blue);
+      color: var(--blue);
+      font-weight: 680;
+    }
+    .filterbar {
+      display: flex;
+      flex-wrap: wrap;
+      gap: 8px;
+      margin-bottom: 12px;
+      align-items: center;
+    }
+    .filter-button.active {
+      border-color: #b8d5f4;
+      background: var(--soft-blue);
+      color: var(--blue);
+      font-weight: 680;
+    }
+    .finding-search {
+      min-width: min(320px, 100%);
+      flex: 1 1 240px;
+      border: 1px solid var(--line);
+      border-radius: 8px;
+      background: #fff;
+      color: var(--ink);
+      font: inherit;
+      font-size: 13px;
+      padding: 8px 11px;
+    }
     .signal, .action, .focus, .deduction, .rule-row {
       border: 1px solid var(--line);
       border-radius: 8px;
@@ -23627,12 +23691,20 @@ function renderHtmlReport(result, locale = "en") {
       background: #fff;
     }
+    .finding[hidden] { display: none; }
     .finding-head {
       display: flex;
       justify-content: space-between;
       gap: 12px;
       align-items: flex-start;
       margin-bottom: 8px;
+      cursor: pointer;
+      list-style: none;
+    }
+    .finding-head::-webkit-details-marker {
+      display: none;
     }
     code {
@@ -23722,6 +23794,15 @@ function renderHtmlReport(result, locale = "en") {
         </div>
       </article>
+      <article class="card full">
+        <h2>${labels.quickFix}</h2>
+        <div class="fix-panel">
+          <p class="muted">${labels.quickFixHint}</p>
+          <pre class="fix-text" id="proofpr-fix-prompt">${escapeHtml(fixPrompt)}</pre>
+          <button class="copy-button" type="button" data-copy-target="proofpr-fix-prompt" data-label="${escapeHtml(labels.copyFix)}" data-copied="${escapeHtml(labels.copiedFix)}">${labels.copyFix}</button>
+        </div>
+      </article>
       <article class="card wide">
         <h2>${labels.reviewPlan}</h2>
         <div class="action-list">
@@ -23782,16 +23863,77 @@ function renderHtmlReport(result, locale = "en") {
       <article class="card full">
         <h2>${labels.findings}</h2>
+        <div class="filterbar" aria-label="${labels.findingFilters}">
+          ${findingFilterButton(labels.allFindings, "all", result.findings.length, true)}
+          ${findingFilterButton(labels.high, "high", findingsBySeverity.high)}
+          ${findingFilterButton(labels.medium, "medium", findingsBySeverity.medium)}
+          ${findingFilterButton(labels.low, "low", findingsBySeverity.low)}
+          ${findingFilterButton(labels.info, "info", findingsBySeverity.info)}
+          <input class="finding-search" id="proofpr-finding-search" type="search" placeholder="${escapeHtml(labels.searchFindings)}">
+        </div>
         <div class="finding-list">
           ${result.findings.length > 0
         ? result.findings.map((finding) => htmlFinding(finding, locale)).join("\n")
         : `<div class="muted">${labels.noFindings}</div>`}
+          <div class="muted" id="proofpr-empty-filter" hidden>${labels.noFilteredFindings}</div>
         </div>
       </article>
     </section>
     <p class="footer">${labels.footer}</p>
   </main>
+  <script>
+    (() => {
+      const buttons = Array.from(document.querySelectorAll("[data-filter-severity]"));
+      const search = document.getElementById("proofpr-finding-search");
+      const findings = Array.from(document.querySelectorAll("[data-finding]"));
+      const empty = document.getElementById("proofpr-empty-filter");
+      let activeSeverity = "all";
+      const applyFilters = () => {
+        const query = (search?.value || "").trim().toLowerCase();
+        let visible = 0;
+        for (const finding of findings) {
+          const severity = finding.getAttribute("data-severity") || "";
+          const haystack = finding.getAttribute("data-search") || "";
+          const severityMatches = activeSeverity === "all" || severity === activeSeverity;
+          const queryMatches = query === "" || haystack.includes(query);
+          const show = severityMatches && queryMatches;
+          finding.hidden = !show;
+          if (show) visible += 1;
+        }
+        if (empty) empty.hidden = visible !== 0 || findings.length === 0;
+      };
+      for (const button of buttons) {
+        button.addEventListener("click", () => {
+          activeSeverity = button.getAttribute("data-filter-severity") || "all";
+          for (const item of buttons) item.classList.toggle("active", item === button);
+          applyFilters();
+        });
+      }
+      search?.addEventListener("input", applyFilters);
+      for (const button of Array.from(document.querySelectorAll("[data-copy-target]"))) {
+        button.addEventListener("click", async () => {
+          const target = document.getElementById(button.getAttribute("data-copy-target") || "");
+          const text = target?.textContent || "";
+          try {
+            await navigator.clipboard.writeText(text);
+            button.textContent = button.getAttribute("data-copied") || button.textContent;
+            setTimeout(() => {
+              button.textContent = button.getAttribute("data-label") || button.textContent;
+            }, 1200);
+          } catch {
+            button.textContent = text;
+          }
+        });
+      }
+    })();
+  </script>
 </body>
 </html>
 `;
@@ -23844,9 +23986,14 @@ function renderEnglishMarkdownReport(result) {
         REPORT_MARKER,
         "# ProofPR Review",
         "",
-        `Risk: **${result.risk}**`,
-        `Evidence score: **${result.evidenceScore.value}/100 (${formatEvidenceGrade(result.evidenceScore.grade, "en")})**`,
-        `Review gate: **${formatReviewDecision(result.reviewDecision, "en")}**`,
+        "## Summary",
+        "",
+        "| Item | Result |",
+        "| --- | --- |",
+        `| Risk | **${result.risk}** |`,
+        `| Evidence score | **${result.evidenceScore.value}/100 (${formatEvidenceGrade(result.evidenceScore.grade, "en")})** |`,
+        `| Review gate | **${formatReviewDecision(result.reviewDecision, "en")}** |`,
+        `| Findings | ${result.findings.length} |`,
         "",
         "## Evidence",
         "",
@@ -23864,6 +24011,7 @@ function renderEnglishMarkdownReport(result) {
         ""
     ];
     appendEvidenceScoreSection(lines, result, "en");
+    appendQuickFixSection(lines, result, "en");
     appendReviewPlanSection(lines, result, "en");
     if (result.findings.length === 0) {
         lines.push("## Findings", "", "No review-risk findings detected by the enabled rules.", "");
@@ -23881,9 +24029,14 @@ function renderChineseMarkdownReport(result) {
         REPORT_MARKER,
         "# ProofPR 审查报告",
         "",
-        `风险等级：**${translateRisk(result.risk)}**`,
-        `证据评分：**${result.evidenceScore.value}/100（${formatEvidenceGrade(result.evidenceScore.grade, "zh-CN")}）**`,
-        `Review 门禁：**${formatReviewDecision(result.reviewDecision, "zh-CN")}**`,
+        "## 总览",
+        "",
+        "| 项目 | 结果 |",
+        "| --- | --- |",
+        `| 风险等级 | **${translateRisk(result.risk)}** |`,
+        `| 证据评分 | **${result.evidenceScore.value}/100（${formatEvidenceGrade(result.evidenceScore.grade, "zh-CN")}）** |`,
+        `| Review 门禁 | **${formatReviewDecision(result.reviewDecision, "zh-CN")}** |`,
+        `| 风险发现 | ${result.findings.length} |`,
         "",
         "## 证据概览",
         "",
@@ -23901,6 +24054,7 @@ function renderChineseMarkdownReport(result) {
         ""
     ];
     appendEvidenceScoreSection(lines, result, "zh-CN");
+    appendQuickFixSection(lines, result, "zh-CN");
     appendReviewPlanSection(lines, result, "zh-CN");
     if (result.findings.length === 0) {
         lines.push("## 风险发现", "", "启用的规则没有发现需要优先关注的 review 风险。", "");
@@ -23937,6 +24091,13 @@ function appendEvidenceScoreSection(lines, result, locale) {
     }
     lines.push("");
 }
+function appendQuickFixSection(lines, result, locale) {
+    lines.push(locale === "zh-CN" ? "## 可复制补证清单" : "## Copyable Fix Checklist", "");
+    lines.push(locale === "zh-CN"
+        ? "贡献者可以直接复制下面内容补到 PR 描述里，维护者也可以把它作为 review 回复。"
+        : "Contributors can paste this into the PR description; maintainers can also use it as a review reply.");
+    lines.push("", "```md", renderContributorFixPrompt(result, locale), "```", "");
+}
 function appendReviewPlanSection(lines, result, locale) {
     lines.push(locale === "zh-CN" ? "## Review 行动清单" : "## Review Plan", "");
     if (result.reviewPlan.actionItems.length > 0) {
@@ -23959,6 +24120,97 @@ function appendReviewPlanSection(lines, result, locale) {
     }
     lines.push("");
 }
+function renderContributorFixPrompt(result, locale) {
+    const missingEvidence = missingEvidenceLabels(result, locale);
+    const actions = result.reviewPlan.actionItems.slice(0, 6);
+    const focusFiles = result.reviewPlan.focusFiles.slice(0, 5);
+    if (locale === "zh-CN") {
+        const lines = [
+            "请在这个 PR 描述中补充以下内容，方便维护者继续 review：",
+            missingEvidence.length > 0 ? `ProofPR 当前最缺：${missingEvidence.join("、")}。` : "ProofPR 当前没有发现必须补充的证据项，可以保留关键验证记录。",
+            "",
+            "## 验证方式",
+            "- 自动化测试：",
+            "- 手动验证：",
+            "- 未覆盖或不适用的部分：",
+            "",
+            "## 复现 / Before & After",
+            "- 复现步骤或改动前状态：",
+            "- 改动后结果：",
+            "- 截图 / 录屏 / 日志链接：",
+            "",
+            "## 风险说明",
+            "- 依赖 / CI / 权限 / MCP 变更原因：",
+            "- 发布影响、迁移说明或回滚方案："
+        ];
+        if (actions.length > 0) {
+            lines.push("", "## ProofPR 需要处理的点");
+            for (const action of actions) {
+                lines.push(`- ${translateReviewActionTitle(action.actionId, action.title)}：${translateReviewActionDetail(action.actionId, action.detail)}`);
+            }
+        }
+        if (focusFiles.length > 0) {
+            lines.push("", "## 重点文件");
+            for (const file of focusFiles) {
+                lines.push(`- ${file.path}：${translateFocusReason(file.reasonId, file.reason)}`);
+            }
+        }
+        return lines.join("\n");
+    }
+    const lines = [
+        "Please add the following context to this PR so maintainers can continue review:",
+        missingEvidence.length > 0 ? `ProofPR is currently missing: ${missingEvidence.join(", ")}.` : "ProofPR did not find required missing evidence; keep the key verification notes visible.",
+        "",
+        "## Verification",
+        "- Automated tests:",
+        "- Manual verification:",
+        "- Not covered or not applicable:",
+        "",
+        "## Reproduction / Before & After",
+        "- Reproduction steps or previous state:",
+        "- Result after this change:",
+        "- Screenshot / recording / log link:",
+        "",
+        "## Risk Notes",
+        "- Dependency / CI / permission / MCP rationale:",
+        "- Release impact, migration notes, or rollback plan:"
+    ];
+    if (actions.length > 0) {
+        lines.push("", "## ProofPR Items To Resolve");
+        for (const action of actions) {
+            lines.push(`- ${action.title}: ${action.detail}`);
+        }
+    }
+    if (focusFiles.length > 0) {
+        lines.push("", "## Focus Files");
+        for (const file of focusFiles) {
+            lines.push(`- ${file.path}: ${file.reason}`);
+        }
+    }
+    return lines.join("\n");
+}
+function missingEvidenceLabels(result, locale) {
+    const labels = [];
+    if (result.summary.pullRequestDescription !== "present") {
+        labels.push(locale === "zh-CN" ? "清楚的 PR 描述" : "clear PR description");
+    }
+    if (!result.summary.verificationEvidence) {
+        labels.push(locale === "zh-CN" ? "测试或手动验证" : "test or manual verification");
+    }
+    if (!result.summary.reproductionEvidence) {
+        labels.push(locale === "zh-CN" ? "复现步骤或 before/after" : "reproduction steps or before/after context");
+    }
+    if (!result.summary.screenshotEvidence && result.findings.some((finding) => finding.ruleId.includes("screenshot"))) {
+        labels.push(locale === "zh-CN" ? "截图或录屏" : "screenshot or recording");
+    }
+    if (!result.summary.changelogEvidence && result.findings.some((finding) => finding.ruleId.includes("dependency-major-upgrade"))) {
+        labels.push(locale === "zh-CN" ? "changelog 或迁移说明" : "changelog or migration notes");
+    }
+    if (!result.summary.permissionRationaleEvidence && result.findings.some((finding) => finding.ruleId.includes("workflow"))) {
+        labels.push(locale === "zh-CN" ? "权限变更理由" : "permission rationale");
+    }
+    return labels;
+}
 function formatEnglishFinding(finding) {
     const lines = [
         `### ${finding.title}`,
@@ -24360,7 +24612,15 @@ function htmlLabels(locale) {
             permissionRationale: "权限理由",
             reviewPlan: "Review 行动清单",
             noActions: "没有额外行动项。",
+            quickFix: "一键补证建议",
+            quickFixHint: "复制这段内容到 PR 描述或评论里，贡献者按空白项补齐即可。",
+            copyFix: "复制补证清单",
+            copiedFix: "已复制",
             findingDistribution: "Finding 分布",
+            findingFilters: "筛选风险发现",
+            allFindings: "全部",
+            searchFindings: "搜索规则、文件或详情",
+            noFilteredFindings: "当前筛选条件下没有风险发现。",
             high: "高",
             medium: "中",
             low: "低",
@@ -24408,7 +24668,15 @@ function htmlLabels(locale) {
         permissionRationale: "Permission rationale",
         reviewPlan: "Review plan",
         noActions: "No additional action items.",
+        quickFix: "One-click evidence fix",
+        quickFixHint: "Copy this into the PR description or a review reply, then fill the blanks.",
+        copyFix: "Copy checklist",
+        copiedFix: "Copied",
         findingDistribution: "Finding distribution",
+        findingFilters: "Filter findings",
+        allFindings: "All",
+        searchFindings: "Search rules, files, or details",
+        noFilteredFindings: "No findings match the current filter.",
         high: "High",
         medium: "Medium",
         low: "Low",
@@ -24438,9 +24706,25 @@ function signalItem(name, state, ok) {
 function severityItem(severity, value, label) {
     return `<div class="severity ${severity === "high" ? "tone-high" : severity === "medium" ? "tone-medium" : severity === "low" ? "tone-low" : ""}"><strong>${value}</strong><span>${escapeHtml(label)}</span></div>`;
 }
+function findingFilterButton(label, severity, count, active = false) {
+    return `<button class="filter-button${active ? " active" : ""}" type="button" data-filter-severity="${escapeHtml(severity)}">${escapeHtml(label)} <span class="muted">${count}</span></button>`;
+}
 function htmlFinding(finding, locale) {
     const labels = htmlLabels(locale);
     const translated = locale === "zh-CN" ? translateFinding(finding) : finding;
+    const searchText = [
+        finding.ruleId,
+        finding.severity,
+        finding.path,
+        translated.title,
+        translated.message,
+        translated.recommendation,
+        ...(finding.evidence ?? [])
+    ]
+        .filter(Boolean)
+        .join(" ")
+        .toLowerCase()
+        .replace(/\s+/g, " ");
     const evidence = finding.evidence && finding.evidence.length > 0
         ? `<ul class="evidence-list">${finding.evidence
             .map((item) => `<li><code>${escapeHtml(locale === "zh-CN" ? translateEvidence(item) : item)}</code></li>`)
@@ -24452,19 +24736,19 @@ function htmlFinding(finding, locale) {
     const recommendation = translated.recommendation
         ? `<div class="muted">${labels.recommendation}: ${escapeHtml(translated.recommendation)}</div>`
         : "";
-    return `<div class="finding">
-    <div class="finding-head">
+    return `<details class="finding" open data-finding data-severity="${escapeHtml(finding.severity)}" data-search="${escapeHtml(searchText)}">
+    <summary class="finding-head">
       <div>
         <div class="finding-title">${escapeHtml(translated.title)}</div>
         <div class="muted">${labels.rule}: <code>${escapeHtml(finding.ruleId)}</code></div>
       </div>
       <span class="pill ${finding.severity === "high" ? "tone-high" : finding.severity === "medium" ? "tone-medium" : "tone-low"}">${escapeHtml(locale === "zh-CN" ? translateSeverity(finding.severity) : finding.severity)}</span>
-    </div>
+    </summary>
     ${path}
     <div class="muted">${labels.detail}: ${escapeHtml(translated.message)}</div>
     ${evidence}
     ${recommendation}
-  </div>`;
+  </details>`;
 }
 function countFindingsBySeverity(findings) {
     return findings.reduce((counts, finding) => {
@@ -25728,7 +26012,7 @@ function dedupeFindings(findings) {
 const execFileAsync = (0,external_node_util_namespaceObject.promisify)(external_node_child_process_.execFile);
-const CLI_VERSION = "0.1.14";
+const CLI_VERSION = "0.1.16";
 const DEMO_CASES = [
     {
         id: "workflow",
@@ -25869,6 +26153,7 @@ build_program
     .description("Check whether ProofPR is installed correctly in the current repository.")
     .option("--config <path>", "Path to .proofpr.yml.", ".proofpr.yml")
     .option("--workflow-path <path>", "Path to the GitHub Actions workflow.", ".github/workflows/proofpr.yml")
+    .option("--pr-template-path <path>", "Path to the pull request template.", ".github/pull_request_template.md")
     .option("--base <ref>", "Base git ref used for local diff checks.", "origin/main")
     .option("--head <ref>", "Head git ref used for local diff checks.", "HEAD")
     .action(async (options) => {
@@ -25878,6 +26163,15 @@ build_program
         process.exitCode = 1;
     }
 });
+build_program
+    .command("template")
+    .description("Create a ProofPR-friendly pull request template.")
+    .option("--output <path>", "Path to write the pull request template.", ".github/pull_request_template.md")
+    .option("--force", "Overwrite the existing template.", false)
+    .action(async (options) => {
+    await writeIfMissing(options.output, renderPullRequestTemplate(), options.force);
+    process.stdout.write(`ProofPR pull request template written to ${options.output}\n\nNext:\n1. Commit the template.\n2. Ask contributors to fill verification, reproduction, screenshot, changelog, and permission rationale sections when relevant.\n3. Run npx proof-pr@latest doctor to check setup.\n`);
+});
 build_program
     .command("demo")
     .description("Run a built-in ProofPR demo case without cloning this repository.")
@@ -25951,13 +26245,26 @@ build_program
     .description("Create a starter .proofpr.yml and GitHub Actions workflow.")
     .option("--config-path <path>", "Path to write the ProofPR configuration file.", ".proofpr.yml")
     .option("--workflow-path <path>", "Path to write the GitHub Actions workflow.", ".github/workflows/proofpr.yml")
+    .option("--no-pr-template", "Skip creating .github/pull_request_template.md.")
+    .option("--pr-template-path <path>", "Path to write the pull request template.", ".github/pull_request_template.md")
     .option("--preset <preset>", `Config preset: ${listConfigPresets().join(", ")}.`, parsePresetOption, "open-source-maintainer")
     .option("--fail-on <level>", "Workflow failure threshold: low, medium, high, or never.", parseFailLevel, "high")
     .option("--force", "Overwrite existing files.", false)
     .action(async (options) => {
     await writeIfMissing(options.configPath, renderConfigTemplate(options.preset), options.force);
     await writeIfMissing(options.workflowPath, renderWorkflowTemplate(options.failOn), options.force);
-    process.stdout.write(`ProofPR initialized.\n\nCreated:\n- ${options.configPath}\n- ${options.workflowPath}\n\nNext:\n1. Commit these files.\n2. Open or update a pull request.\n3. Read the ProofPR comment or Actions summary.\n\nLocal check:\nnpx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN\n\nNeed another task?\nnpx proof-pr@latest guide\n`);
+    const created = [options.configPath, options.workflowPath];
+    const skipped = [];
+    if (options.prTemplate) {
+        const wroteTemplate = await writeIfMissingSoft(options.prTemplatePath, renderPullRequestTemplate(), options.force);
+        if (wroteTemplate) {
+            created.push(options.prTemplatePath);
+        }
+        else {
+            skipped.push(`${options.prTemplatePath} already exists`);
+        }
+    }
+    process.stdout.write(`ProofPR initialized.\n\nCreated:\n${created.map((item) => `- ${item}`).join("\n")}${skipped.length > 0 ? `\n\nSkipped:\n${skipped.map((item) => `- ${item}`).join("\n")}` : ""}\n\nNext:\n1. Commit these files.\n2. Open or update a pull request.\n3. Read the ProofPR comment or Actions summary.\n\nLocal check:\nnpx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN\n\nNeed another task?\nnpx proof-pr@latest guide\n`);
 });
 build_program
     .command("benchmark")
@@ -26004,36 +26311,40 @@ function renderGuide() {
 1. 接入 GitHub PR 自动检查
    npx proof-pr@latest init
-   然后提交 .proofpr.yml 和 .github/workflows/proofpr.yml，打开 PR 后看评论和 Actions summary。
+   然后提交 .proofpr.yml、.github/workflows/proofpr.yml 和 .github/pull_request_template.md，打开 PR 后看评论和 Actions summary。
 2. 体检当前仓库接入状态
    npx proof-pr@latest doctor
-   检查配置文件、workflow、Action 版本、PR 权限和本地 diff 是否正常。
+   检查配置文件、workflow、PR 模板、Action 版本、PR 权限和本地 diff 是否正常。
+3. 已接入仓库，单独补 PR 模板
+   npx proof-pr@latest template
+   引导贡献者填写验证、复现、截图、changelog 和权限理由。
-3. 本地检查当前分支
+4. 本地检查当前分支
    npx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN
    适合在发 PR 前先看风险、证据评分和 Review 行动清单。
-4. 生成可分享 HTML 报告
+5. 生成可分享 HTML 报告
    npx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN --format html --output proofpr-report.html
    生成后用浏览器打开 proofpr-report.html。
-5. 生成 GitHub Code Scanning 的 SARIF
+6. 生成 GitHub Code Scanning 的 SARIF
    npx proof-pr@latest scan --base origin/main --head HEAD --format sarif --output proofpr.sarif
    适合在 CI 里配合 github/codeql-action/upload-sarif 使用。
-6. 不接入仓库，先试跑内置案例
+7. 不接入仓库，先试跑内置案例
    npx proof-pr@latest demo workflow --locale zh-CN
    不需要 clone 仓库或寻找 examples 文件，也能快速看到 ProofPR 会抓什么风险。
-7. 查看所有内置案例
+8. 查看所有内置案例
    npx proof-pr@latest demo --list
-8. 验证规则样本是否仍然命中
+9. 验证规则样本是否仍然命中
    npx proof-pr@latest benchmark --cases benchmarks/cases
    适合维护 ProofPR 规则或发版前回归。
-9. 调整审查强度
+10. 调整审查强度
    打开 .proofpr.yml，把 preset 改成 security-strict、dependency-careful 或 mcp-security。
 结果在哪里看：
@@ -26113,6 +26424,7 @@ async function runDoctor(options) {
         checks.push({ level: "fail", title: `缺少 ${options.workflowPath}` });
         nextSteps.add("运行 npx proof-pr@latest init 生成 .github/workflows/proofpr.yml。");
     }
+    await inspectPullRequestTemplate(options.prTemplatePath, checks, nextSteps);
     await inspectGitDiff(options, checks, nextSteps);
     if (nextSteps.size === 0) {
         nextSteps.add("当前接入状态正常；可以打开 PR，或运行 npx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN 做本地自查。");
@@ -26158,6 +26470,29 @@ function inspectWorkflow(workflow, checks, nextSteps) {
         nextSteps.add("建议在 workflow permissions 中加入 contents: read。");
     }
 }
+async function inspectPullRequestTemplate(path, checks, nextSteps) {
+    if (!(await pathExists(path))) {
+        checks.push({ level: "warn", title: `缺少 ${path}` });
+        nextSteps.add("运行 npx proof-pr@latest template 生成 PR 模板，引导贡献者补充验证、复现、截图和权限理由。");
+        return;
+    }
+    const template = await (0,promises_namespaceObject.readFile)(path, "utf8");
+    checks.push({ level: "pass", title: `${path} 已存在` });
+    if (/验证|verification|test/i.test(template)) {
+        checks.push({ level: "pass", title: "PR 模板会提示验证证据" });
+    }
+    else {
+        checks.push({ level: "warn", title: "PR 模板没有明显的验证证据提示" });
+        nextSteps.add("在 PR 模板中加入“验证方式”栏目，减少 ProofPR 报告里的证据不足。");
+    }
+    if (/复现|reproduction|before|after|截图|screenshot|权限|permission/i.test(template)) {
+        checks.push({ level: "pass", title: "PR 模板覆盖复现、截图或权限理由提示" });
+    }
+    else {
+        checks.push({ level: "warn", title: "PR 模板缺少复现、截图或权限理由提示" });
+        nextSteps.add("在 PR 模板中加入复现、截图、changelog、权限理由等可选栏目。");
+    }
+}
 async function inspectGitDiff(options, checks, nextSteps) {
     try {
         const { stdout } = await execFileAsync("git", ["rev-parse", "--is-inside-work-tree"]);
@@ -26244,6 +26579,14 @@ async function writeIfMissing(path, contents, force) {
     await (0,promises_namespaceObject.mkdir)((0,external_node_path_.dirname)(path), { recursive: true });
     await (0,promises_namespaceObject.writeFile)(path, contents, "utf8");
 }
+async function writeIfMissingSoft(path, contents, force) {
+    if (!force && (await pathExists(path))) {
+        return false;
+    }
+    await (0,promises_namespaceObject.mkdir)((0,external_node_path_.dirname)(path), { recursive: true });
+    await (0,promises_namespaceObject.writeFile)(path, contents, "utf8");
+    return true;
+}
 async function writeOutput(path, contents) {
     await (0,promises_namespaceObject.mkdir)((0,external_node_path_.dirname)(path), { recursive: true });
     await (0,promises_namespaceObject.writeFile)(path, contents, "utf8");
@@ -26291,6 +26634,33 @@ jobs:
           annotations: "true"
 `;
 }
+function renderPullRequestTemplate() {
+    return `## 变更说明
+请说明这个 PR 为什么需要、改了什么、影响范围是什么。
+## 验证方式
+- [ ] 已运行自动化测试：
+- [ ] 已完成手动验证：
+- [ ] 不需要测试，原因：
+## 复现 / Before & After
+如果是 bug fix，请写复现步骤、预期结果和实际结果。
+如果是 UI 改动，请附 before/after 截图或录屏。
+## 依赖 / CI / 权限 / MCP 变更
+如果改了依赖、lockfile、GitHub Actions、MCP、环境变量或权限，请说明原因和安全影响。
+## 发布风险
+- [ ] 无破坏性变更
+- [ ] 需要迁移说明 / changelog
+- [ ] 需要灰度或回滚方案
+`;
+}
 function renderOutput(result, format, locale) {
     if (format === "json") {
         return JSON.stringify(result, null, 2);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "proof-pr",
-  "version": "0.1.14",
+  "version": "0.1.16",
   "description": "CLI for ProofPR, a maintainer-focused pull request evidence scanner.",
   "license": "MIT",
   "type": "module",