specdo 1.0.2

package/dist/domains/quality.js

@@ -0,0 +1,368 @@
+/**
+ * Quality Domain Module
+ *
+ * 来源 (11 个，不含 review-to-solid):
+ *   - content/skills/code-reviewer/SKILL.md (45 行) + references/review-checklist.md (26 行)
+ *     正确性 / 安全 / 可维护性 / 性能 / 测试 5 维评审顺序
+ *   - content/skills/test-driven-development/SKILL.md (32 行)
+ *     Red-Green-Refactor 循环 + 行为命名 + 集成边界优先
+ *   - content/skills/systematic-debugging/SKILL.md (31 行)
+ *     5 步根因调查工作流（Reproduce/Localize/Trace/Fix/Verify）
+ *   - content/skills/verification-before-completion/SKILL.md (49 行)
+ *     完成前必须有新鲜证据；不得依赖旧 output / 子代理报告
+ *   - content/skills/performance-profiling/SKILL.md (65 行)
+ *     基线 → 热点 → 根因 → 优化 → 验证；前后端性能拆分
+ *   - content/skills/webapp-testing/SKILL.md (39 行)
+ *     Playwright 轻量 e2e + 降级链 (browser → jsdom → component → http)
+ *   - content/roles/04-quality-security/code-reviewer.toml (42 行)
+ *     evidence-driven review，1 normal + 1 failure path 验证
+ *   - content/roles/04-quality-security/debugger.toml (42 行)
+ *     fault-origin isolation，假设 vs 证据分离
+ *   - content/roles/04-quality-security/qa-expert.toml (42 行)
+ *     risk-based test scope；release gating
+ *   - content/roles/04-quality-security/test-automator.toml (42 行)
+ *     deterministic regression coverage；行为契约断言
+ *   - content/roles/04-quality-security/performance-engineer.toml (42 行)
+ *     bottleneck identification with measurement evidence
+ *
+ * 压缩方法:
+ *   1. code-reviewer 5 维评审顺序 → design.checklist 顶部 + implement.focusAreas
+ *   2. TDD Red-Green-Refactor → design.patterns + implement.patterns
+ *   3. systematic-debugging 5 步 → implement.focusAreas + implement.patterns
+ *   4. verification-before-completion 红旗短语 → implement.antiPatterns
+ *   5. performance-profiling 5 步工作流 → design.patterns + verify.checklist
+ *   6. webapp-testing 降级链 → implement.patterns
+ *   7. 5 个 role 的 quality checks → verify.checklist
+ *
+ * 与相邻领域的边界:
+ *   - 单词 'n+1' / 'query plan' / 'slow query' 归 backend；quality 用通用 'profile' / 'bottleneck'
+ *   - 'lighthouse' / 'core web vitals' / 'lcp' 归 frontend
+ *   - review-to-solid 不在此处；它是独立 Protocol，由 apply 命令显式注入
+ *   - 'review' 单词归 quality；operations 用多词 'pr description' / 'pr template'
+ */
+export const qualityDomain = {
+    name: 'quality',
+    description: 'Code review, debugging, test strategy (TDD/automation/QA), performance profiling, and verification discipline',
+    // ── Explore: 需求澄清 ─────────────────────────────────────
+    explore: {
+        signals: [
+            // 评审 / 代码质量
+            'review', 'code review', 'pr review', 'diff review', 'code reviewer',
+            'review comment', 'review feedback',
+            // 测试方法论
+            'test', 'tdd', 'red green refactor', 'unit test', 'integration test',
+            'e2e', 'end-to-end test', 'contract test', 'snapshot test',
+            'fixture', 'mock', 'flaky', 'flaky test', 'deterministic test',
+            'regression test', 'test coverage', 'coverage gap', 'test plan',
+            'playwright', 'jsdom',
+            // 调试 / 根因
+            'bug', 'debug', 'debugging', 'root cause', 'repro', 'reproduce',
+            'reproducer', 'minimal reproduction', 'stack trace', 'failure mode',
+            'intermittent failure', 'bisect',
+            // 验证 / 证据
+            'verify', 'verification', 'fresh evidence', 'smoke test',
+            'verification evidence',
+            // 性能方法论（与 backend / frontend 切分：通用方法论词）
+            'performance profiling', 'baseline metric', 'before/after benchmark',
+            'hotspot', 'bottleneck', 'memory leak', 'heap snapshot',
+            'performance regression', 'performance budget',
+        ],
+        questions: {
+            defaultCount: 8,
+            items: [
+                // ── Tier 1: 变更范围与风险 (priority 10) ──────────────
+                {
+                    text: 'What is the user-facing or system-facing change here, and what is the highest-risk failure mode if we get it wrong?',
+                    id: 'failure-mode',
+                    signals: ['test', 'quality', 'review', 'failure', 'risk', 'change', 'user', 'system'],
+                    priority: 10,
+                },
+                {
+                    text: 'Which invariants must this change preserve? How will we know if any are violated (assertions, tests, monitoring)?',
+                    signals: ['invariant', 'preserve', 'assert', 'test', 'monitoring', 'contract', 'guarantee', 'property'],
+                    priority: 9,
+                    requiresAnswer: ['quality:failure-mode'],
+                },
+                {
+                    text: 'What is the current test coverage on the affected code paths, and which paths are currently uncovered?',
+                    signals: ['coverage', 'test', 'uncovered', 'code', 'path', 'branch', 'line', 'missing'],
+                    priority: 9,
+                },
+                // ── Tier 2: 测试策略 (priority 9) ─────────────────────
+                {
+                    text: 'What is the test strategy mix? (unit for logic, integration for data/API boundaries, e2e for critical user flows) — what ratio?',
+                    signals: ['test', 'unit', 'integration', 'e2e', 'strategy', 'testing', 'pyramid', 'trophy'],
+                    priority: 9,
+                },
+                {
+                    text: 'What are the concrete test cases for the happy path, error path, edge cases, and boundary conditions? Name at least 5.',
+                    signals: ['test', 'case', 'happy path', 'error', 'edge case', 'boundary', 'scenario', 'coverage'],
+                    priority: 8,
+                },
+                {
+                    text: 'Are there property-based or fuzz tests for parsers, validators, serializers, or any code that consumes untrusted input?',
+                    signals: ['property-based', 'fuzz', 'parser', 'validator', 'serializer', 'untrusted', 'input', 'fast-check'],
+                    priority: 7,
+                },
+                {
+                    text: 'How are async and concurrent code paths tested? (race conditions, timeout scenarios, retry exhaustion, partial failure)',
+                    signals: ['async', 'concurrent', 'race', 'timeout', 'retry', 'test', 'flake', 'non-deterministic'],
+                    priority: 7,
+                },
+                // ── Tier 3: 测试数据与环境 (priority 7) ──────────────
+                {
+                    text: 'How is test data generated? (fixtures, factories, property-based generators) — does test data cover edge cases and production-like volumes?',
+                    signals: ['test', 'data', 'fixture', 'factory', 'generate', 'seed', 'mock', 'stub', 'edge'],
+                    priority: 7,
+                },
+                {
+                    text: 'Are integration tests isolated from each other? (no shared mutable state, each test sets up and tears down its own data)',
+                    signals: ['integration', 'test', 'isolation', 'shared', 'setup', 'teardown', 'database', 'state'],
+                    priority: 7,
+                },
+                {
+                    text: 'Do tests run deterministically? Are there time-dependent, random, or order-dependent tests that could be flaky?',
+                    signals: ['deterministic', 'flaky', 'test', 'time', 'random', 'order', 'race', 'non-deterministic', 'retry'],
+                    priority: 7,
+                },
+                // ── Tier 4: TDD 纪律 (priority 7) ─────────────────────
+                {
+                    text: 'Are you following TDD for this change? (test first → see it fail → minimal implementation → refactor) — or is there a reason not to?',
+                    signals: ['tdd', 'test-driven', 'test-first', 'red-green-refactor', 'discipline', 'workflow'],
+                    priority: 7,
+                },
+                {
+                    text: 'What is the falsifiability of each test? Can the test actually fail when the code is wrong (no false-positives or always-green tests)?',
+                    signals: ['test', 'falsifiable', 'false-positive', 'assertion', 'green', 'verify', 'prove'],
+                    priority: 6,
+                },
+                // ── Tier 5: Bug 调查与调试 (priority 7) ──────────────
+                {
+                    text: 'For bug fixes: do we have a minimal reproducer? Have we separated confirmed evidence from hypotheses? Can we reproduce reliably?',
+                    id: 'bug-reproducer',
+                    signals: ['bug', 'debug', 'reproducer', 'reproduce', 'evidence', 'hypothesis', 'root cause', 'investigation', 'fix'],
+                    priority: 8,
+                },
+                {
+                    text: 'What is the root cause, not just the symptom? Have we verified that the fix addresses the root cause and not just the observable effect?',
+                    signals: ['root cause', 'bug', 'fix', 'symptom', 'verify', 'investigation', '5 whys', 'fishbone'],
+                    priority: 8,
+                    requiresAnswer: ['quality:bug-reproducer'],
+                },
+                {
+                    text: 'Is there a regression test that would have caught this bug before it shipped? Add it now.',
+                    signals: ['regression', 'test', 'bug', 'caught', 'prevent', 'shipped', 'automated'],
+                    priority: 8,
+                    requiresAnswer: ['quality:bug-reproducer'],
+                },
+                // ── Tier 6: 代码审查 (priority 7) ─────────────────────
+                {
+                    text: 'What code review checklist applies to this change? (security, performance, correctness, style, test coverage — which dimensions matter most?)',
+                    signals: ['code review', 'review', 'checklist', 'security', 'performance', 'correctness', 'style', 'pr'],
+                    priority: 7,
+                },
+                {
+                    text: 'Is the diff reviewable and scoped? Are there abstractions introduced without removing repeated complexity? Any unrelated changes mixed in?',
+                    signals: ['diff', 'review', 'scope', 'abstraction', 'unrelated', 'clean', 'focused'],
+                    priority: 7,
+                },
+                {
+                    text: 'Have you reviewed your own diff before asking for review? (self-review catches ~30% of issues before wasting reviewer time)',
+                    signals: ['self-review', 'review', 'diff', 'pr', 'check', 'before'],
+                    priority: 6,
+                },
+                // ── Tier 7: 性能测试 (priority 6-7) ──────────────────
+                {
+                    text: 'For performance work: what is the measured baseline (p50/p95/p99), the target, and which workload shape produced the bottleneck?',
+                    signals: ['performance', 'benchmark', 'baseline', 'p50', 'p95', 'p99', 'profile', 'bottleneck', 'latency', 'throughput'],
+                    priority: 8,
+                },
+                {
+                    text: 'Is there a load test or stress test that validates the system under production-like concurrency and volume?',
+                    signals: ['load test', 'stress test', 'performance', 'benchmark', 'k6', 'artillery', 'jmeter', 'concurrency', 'volume'],
+                    priority: 7,
+                },
+                {
+                    text: 'Have memory leaks, goroutine leaks (Go), or event listener leaks (JS) been checked? Is there a heap profile or memory snapshot before/after?',
+                    signals: ['memory leak', 'profile', 'heap', 'snapshot', 'goroutine', 'listener', 'leak', 'gc', 'oom'],
+                    priority: 6,
+                },
+                // ── Tier 8: 验证 (priority 7-8) ──────────────────────
+                {
+                    text: 'What verification command actually proves the claim "this is done"? Has it been run with output captured as evidence?',
+                    signals: ['verification', 'prove', 'done', 'evidence', 'output', 'check', 'command', 'test', 'validate'],
+                    priority: 8,
+                },
+                {
+                    text: 'Has the change been tested in a staging or pre-production environment with production-like data and traffic?',
+                    signals: ['staging', 'pre-production', 'test', 'production-like', 'data', 'traffic', 'environment'],
+                    priority: 7,
+                },
+                {
+                    text: 'What is the rollback or follow-up plan if this change fails after merge? Who notices, how fast, and how do we recover?',
+                    signals: ['rollback', 'failure', 'merge', 'recover', 'incident', 'revert', 'monitoring', 'alert'],
+                    priority: 8,
+                },
+                // ── Tier 9: 代码质量 (priority 6) ────────────────────
+                {
+                    text: 'Are there any code smells? (deep nesting >4 levels, functions >50 lines, magic numbers, duplicated logic, commented-out code)',
+                    signals: ['code smell', 'nesting', 'refactor', 'duplicate', 'magic number', 'comment', 'clean code', 'maintain'],
+                    priority: 6,
+                },
+                {
+                    text: 'Is error handling comprehensive? Are errors explicitly handled at every level, or are there silent swallows and bare catch blocks?',
+                    signals: ['error', 'handling', 'catch', 'swallow', 'silent', 'exception', 'try', 'propagate', 'log'],
+                    priority: 7,
+                },
+                {
+                    text: 'Are there any hardcoded values that should be configuration? (URLs, timeouts, thresholds, feature flags, credentials)',
+                    signals: ['hardcoded', 'configuration', 'constant', 'magic number', 'env', 'flag', 'timeout', 'url'],
+                    priority: 6,
+                },
+                // ── Tier 10: 文档与可维护性 (priority 5-6) ────────────
+                {
+                    text: 'Is there sufficient documentation for the next developer? (complex algorithms explained, design decisions justified, non-obvious constraints noted)',
+                    signals: ['documentation', 'comment', 'readme', 'explain', 'decision', 'constraint', 'maintain'],
+                    priority: 5,
+                },
+                {
+                    text: 'Are there any dead code paths, unused imports, or deprecated functions that should be cleaned up in this change?',
+                    signals: ['dead code', 'unused', 'import', 'deprecated', 'cleanup', 'remove', 'legacy', 'stale'],
+                    priority: 5,
+                },
+                {
+                    text: 'Is the changelog or release notes updated for user-facing changes? Does it describe the what and why, not just the how?',
+                    signals: ['changelog', 'release notes', 'documentation', 'user', 'change', 'communicate'],
+                    priority: 5,
+                },
+            ],
+        },
+    },
+    // ── Design: 设计阶段 ─────────────────────────────────────
+    design: {
+        checklist: [
+            // 评审顺序 (code-reviewer)
+            'Review order is correctness → safety → maintainability → performance → tests; do not skip layers',
+            'Intent of the change is articulated before review starts: what user-facing or system-facing behavior is changing and why',
+            'Invariants the change must preserve are listed before hunting for violations',
+            'Mechanical changes (rename / format / lint) are separated from behavioral deltas in the review surface',
+            'For large diffs: entry points and high-risk files (auth / payments / data writes) are reviewed first',
+            // 测试策略 (qa-expert + test-automator + TDD)
+            'Test plan maps each critical risk to at least one validation path (positive / negative / boundary)',
+            'For new behavior: failing test exists before implementation (TDD red phase), expressing behavior at the public interface',
+            'Test names describe behavior (what), not implementation (how)',
+            'Regression coverage prioritizes high-risk paths; full exhaustive coverage is not the goal',
+            'Test fixtures and data setup minimize flakiness and hidden coupling between tests',
+            'For bug fixes: a regression test reproduces the bug before the fix, fails for the right reason, and passes after',
+            // 调试 / 根因 (systematic-debugging + debugger)
+            'For bug reports: confirmed evidence is separated from hypotheses before recommending action',
+            'Hypothesis ranking includes confidence level and what disconfirming evidence would look like',
+            'Fix strategy removes the cause, not just the symptom; defense-in-depth is considered for high-blast-radius bugs',
+            // 性能 (performance-profiling + performance-engineer)
+            'Performance work has a measured baseline and a target metric — not "feels slow" / "should be faster"',
+            'Bottleneck claim cites measurement source and confidence level; optimization targets the dominant cost center',
+            'Before/after validation plan is concrete and reproducible',
+            // 验证纪律 (verification-before-completion)
+            'Every "done" claim has an identified verification command and expected pass criteria recorded ahead of time',
+            'Release gating criteria are explicit; go/no-go decision signals are listed before review starts',
+        ],
+        patterns: {
+            'Five-Layer Review Order': 'Always review in this fixed order: Correctness (edge cases, invariants, error handling) → Safety (security, data, secrets) → Maintainability (structure, naming, interfaces) → Performance (hot paths, I/O, allocations, queries) → Tests (do they fail before fix? cover risky behavior?). One layer per pass on large diffs.',
+            'Red-Green-Refactor TDD Loop': 'Red: write a failing test expressing desired behavior at the public interface — ensure it fails for the right reason, not setup error. Green: smallest change to pass, no extra behavior. Refactor: improve structure while keeping tests green; do not change behavior in this phase.',
+            'Reproduce → Localize → Trace → Fix → Verify': 'Standard root-cause workflow. Reproduce: capture exact steps and error output. Localize: shrink failing scope to smallest file/test/input. Trace: follow data and control flow to first wrong state. Fix: smallest change addressing the root cause. Verify: re-run the failing test and related checks.',
+            'Baseline → Hotspots → Optimize → Verify': 'Standard performance workflow. Establish baseline metrics (response time, throughput, memory). Identify hotspots via profiler (CPU / memory / I/O / network). Apply targeted fixes to highest-impact areas only. Re-measure to confirm improvement without regression.',
+            'Risk-Based Test Scope': 'Test scope is proportional to user impact × change complexity, not "test everything". Map each P1 risk to at least one validation path. Boundary and negative cases get explicit coverage; happy-path-only is a downgrade.',
+            'Webapp Testing Fallback Order': 'When real-browser automation is unavailable: Playwright → DOM-level integration (jsdom) → component / state tests → HTTP health checks (curl -I). State exactly what was verified and what remains unverified at the real-browser layer.',
+            'Verification-Before-Completion Gate': 'Before reporting success: identify the proving command, run it now (not earlier), read actual output and exit status, compare to the claim, only then report. No "should work now" / "looks good to me" / "agent said it passed".',
+        },
+        antiPatterns: [
+            'Reviewing only the diff without understanding intent — leads to nitpicks on lines that should not exist at all',
+            'Snapshot-only assertions on complex output — passes regardless of actual behavior; freezes implementation, not contract',
+            'Calling something "fixed" before reproducing the original symptom — common path to regressions in production',
+            'Treating exhaustive coverage as a goal — wastes engineering time and obscures which tests guard which behavior',
+            'Defaulting to "let us add a test later" when fixing bugs — the fix is unverifiable without the regression test',
+            'Optimizing without measurement — kills readability and frequently slows the actual hot path',
+            'Mocking what you do not own at every boundary — couples tests to implementation, makes refactors painful',
+            'Using shared mutable state across test cases — produces order-dependent failures that look intermittent',
+        ],
+    },
+    // ── Implement: 实施阶段 ──────────────────────────────────
+    implement: {
+        focusAreas: [
+            // 评审执行 (code-reviewer + role)
+            'Review comments are Actionable (what to change) + Why (risk/benefit) + Scope (must-fix vs nice-to-have)',
+            'Severity reflects probability and blast radius, not style preference; nits are labeled as nits',
+            'Findings cite concrete code locations and user-impact relevance — not "this could be cleaner"',
+            'For large diffs: skim mechanical changes, deep-review behavioral deltas; preserve invariants explicitly',
+            // 调试 (systematic-debugging + debugger)
+            'No fixes without root-cause investigation — symptoms-only patches are explicitly rejected',
+            'Diagnostic logging added at component boundaries when stuck; removed or down-leveled before merge',
+            'Minimal reproduction case constructed to shrink problem space; bisect used to isolate introduction point',
+            'Concurrency / timing / ordering assumptions made explicit when investigating intermittent failures',
+            // 测试 (TDD + test-automator + qa-expert)
+            'Tests start from the public interface (API / function / UI behavior), not private helpers',
+            'Tests are deterministic: time, randomness, network, and filesystem are controlled or stubbed at the boundary',
+            'Mocking is bounded: prefer integration at boundaries; mock only slow / flaky external systems',
+            'Bug fixes ship with a regression test that fails before the fix and passes after',
+            'Test runtime cost and parallelization tradeoffs are documented when CI time changes materially',
+            // 性能 (performance-profiling + performance-engineer)
+            'Profiling produces a measurement report — CPU / memory / I/O / network — not a hunch',
+            'Caching layers (when introduced) declare key strategy, TTL, invalidation policy, and observability hooks',
+            'Frontend perf work distinguishes bundle issues (tree-shaking, code splitting, dynamic imports) from runtime issues (re-renders, virtualization, debounce)',
+            'Memory work uses heap snapshots / leak detection — not "memory feels high"',
+            // 验证 (verification-before-completion)
+            'Identify the proving command before claiming completion; run fresh, do not rely on old output',
+            'Subagent / tool success reports are not trusted without reviewing actual output',
+            'When verification was not run, say so explicitly instead of implying success',
+        ],
+        patterns: {
+            'Actionable Review Comment': 'Every review comment follows: WHAT to change → WHY (risk or benefit) → SCOPE (must-fix / nice-to-have / nit). No naked "this is wrong" or "could be cleaner". Reviewer owns the comment\'s utility, not the author\'s reaction.',
+            'Bug-First Regression Test': 'For every bug fix: (1) write a test that reproduces the symptom, (2) confirm it fails for the right reason, (3) apply the fix, (4) confirm the test passes. The test is committed alongside the fix; it is the regression guard.',
+            'Diagnostic Logging at Boundaries': 'When stuck on a bug: add structured logging at component boundaries (entry / exit / error path), reproduce, capture, then remove or down-level the logging before merging. Logging earns its keep through evidence, not habit.',
+            'Profile-Then-Optimize': 'Never optimize without a profile. Capture baseline → run profiler → identify hotspot → apply targeted fix → re-measure. Document the baseline number and the after number in the PR description.',
+            'Webapp Testing with Stable Locators': 'Playwright tests select by stable locator (role / accessible name / data-testid), assert visible text and URL changes, and use explicit minimal timeouts. Recon (screenshot / DOM list / console capture) before automation.',
+            'Fresh Verification Evidence': 'Before claiming "tests pass" / "build succeeds" / "bug fixed" / "ready for PR": run the proving command now, capture output, compare to claim, then report. Old output is not evidence.',
+        },
+        antiPatterns: [
+            'Saying "should work now" / "looks good to me" / "probably fixed" / "agent said it passed" — these are explicit red flags from verification-before-completion',
+            'Trusting subagent or tool success reports without reviewing the actual output',
+            'Substituting one verification check for another (running unit tests when an integration test was the contract)',
+            'Reusing old command output as evidence for a new claim — even one minute later, the codebase may have changed',
+            'Adding tests that pass without exercising the changed behavior — "test coverage" goes up, regression risk does not go down',
+            'Catching exceptions in tests just to make them green — silent failures in production, green CI in dev',
+            'Sorting an entire list to find min/max in hot paths, or running unbounded loops over user input — easy class of perf regression',
+            'Building hypotheses into the fix without disconfirming evidence — confirmation bias produces patches that work locally and break in prod',
+            'Treating "we will add tests after launch" as acceptable for a non-prototype change',
+        ],
+    },
+    // ── Verify: 验证阶段 ─────────────────────────────────────
+    verify: {
+        checklist: [
+            // 代码评审产出
+            'Review report contains: Summary, Major Issues (must-fix), Minor Suggestions, Test Plan, Follow-ups (non-blocking)',
+            'Each finding has: location, severity, evidence, and recommended action',
+            'Severity calibration sanity-check: P1 items would actually ship user-impacting failure, P3 items are not promoted',
+            // 测试与覆盖
+            'Tests cover risky logic and failure modes — not just happy paths',
+            'Test assertions are meaningful (behavior contract), not snapshot-everything',
+            'For bug fixes: regression test exists, was confirmed to fail before fix, and now passes',
+            'Test suite runs deterministically — no order dependencies, no flaky tests landing as "intermittent"',
+            'CI runtime impact is acceptable; if increased materially, justified in the PR description',
+            // 调试 / 根因
+            'For each bug investigation: root-cause statement is supported by evidence, not asserted from intuition',
+            'Fix removes the trigger condition; recurrence risk is explicitly addressed (defense-in-depth where blast radius is high)',
+            'One success path and one failure path exercised after the fix to confirm no collateral regression',
+            // 性能
+            'Performance change includes before/after measurements from a reproducible workload',
+            'Optimization targets the dominant cost center; minor noise improvements are explicitly labeled',
+            'Regression risk and fallback strategy documented for any non-trivial perf change',
+            // 验证证据
+            'All "this is done / fixed / passing" claims have fresh verification evidence captured (command + output + exit status)',
+            'Skipped or unrun checks are listed explicitly — no implied success',
+            'Environment-specific verifications that could not run locally are called out for runtime / staging confirmation',
+            // QA 发布门
+            'Release gating criteria are met: critical risks have at least one validation path, blockers are zero or explicitly accepted',
+        ],
+    },
+};
+//# sourceMappingURL=quality.js.map

package/dist/domains/quality.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"quality.js","sourceRoot":"","sources":["../../src/domains/quality.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;AAIH,MAAM,CAAC,MAAM,aAAa,GAAiB;IACzC,IAAI,EAAE,SAAS;IACf,WAAW,EACT,+GAA+G;IAEjH,yDAAyD;IAEzD,OAAO,EAAE;QACP,OAAO,EAAE;YACP,YAAY;YACZ,QAAQ,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,eAAe;YACpE,gBAAgB,EAAE,iBAAiB;YACnC,QAAQ;YACR,MAAM,EAAE,KAAK,EAAE,oBAAoB,EAAE,WAAW,EAAE,kBAAkB;YACpE,KAAK,EAAE,iBAAiB,EAAE,eAAe,EAAE,eAAe;YAC1D,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,oBAAoB;YAC9D,iBAAiB,EAAE,eAAe,EAAE,cAAc,EAAE,WAAW;YAC/D,YAAY,EAAE,OAAO;YACrB,UAAU;YACV,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,OAAO,EAAE,WAAW;YAC/D,YAAY,EAAE,sBAAsB,EAAE,aAAa,EAAE,cAAc;YACnE,sBAAsB,EAAE,QAAQ;YAChC,UAAU;YACV,QAAQ,EAAE,cAAc,EAAE,gBAAgB,EAAE,YAAY;YACxD,uBAAuB;YACvB,wCAAwC;YACxC,uBAAuB,EAAE,iBAAiB,EAAE,wBAAwB;YACpE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,eAAe;YACvD,wBAAwB,EAAE,oBAAoB;SAC/C;QAED,SAAS,EAAE;YACT,YAAY,EAAE,CAAC;YACf,KAAK,EAAE;gBACL,kDAAkD;gBAClD;oBACE,IAAI,EAAE,qHAAqH;oBAC3H,EAAE,EAAE,cAAc;oBAClB,OAAO,EAAE,CAAC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;oBACrF,QAAQ,EAAE,EAAE;iBACb;gBACD;oBACE,IAAI,EAAE,mHAAmH;oBACzH,OAAO,EAAE,CAAC,WAAW,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU,CAAC;oBACvG,QAAQ,EAAE,CAAC;oBACX,cAAc,EAAE,CAAC,sBAAsB,CAAC;iBACzC;gBACD;oBACE,IAAI,EAAE,wGAAwG;oBAC9G,OAAO,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC;oBACvF,QAAQ,EAAE,CAAC;iBACZ;gBAED,qDAAqD;gBACrD;oBACE,IAAI,EAAE,iIAAiI;oBACvI,OAAO,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC;oBAC3F,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,wHAAwH;oBAC9H,OAAO,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,CAAC;oBACjG,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,yHAAyH;oBAC/H,OAAO,EAAE,CAAC,gBAAgB,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,OAAO,EAAE,YAAY,CAAC;oBAC5G,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,yHAAyH;oBAC/H,OAAO,EAAE,CAAC,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,mBAAmB,CAAC;oBAClG,QAAQ,EAAE,CAAC;iBACZ;gBAED,iDAAiD;gBACjD;oBACE,IAAI,EAAE,6IAA6I;oBACnJ,OAAO,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;oBAC3F,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,0HAA0H;oBAChI,OAAO,EAAE,CAAC,aAAa,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,OAAO,CAAC;oBACjG,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,iHAAiH;oBACvH,OAAO,EAAE,CAAC,eAAe,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,OAAO,CAAC;oBAC5G,QAAQ,EAAE,CAAC;iBACZ;gBAED,uDAAuD;gBACvD;oBACE,IAAI,EAAE,sIAAsI;oBAC5I,OAAO,EAAE,CAAC,KAAK,EAAE,aAAa,EAAE,YAAY,EAAE,oBAAoB,EAAE,YAAY,EAAE,UAAU,CAAC;oBAC7F,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,wIAAwI;oBAC9I,OAAO,EAAE,CAAC,MAAM,EAAE,aAAa,EAAE,gBAAgB,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC;oBAC3F,QAAQ,EAAE,CAAC;iBACZ;gBAED,mDAAmD;gBACnD;oBACE,IAAI,EAAE,kIAAkI;oBACxI,EAAE,EAAE,gBAAgB;oBACpB,OAAO,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,EAAE,YAAY,EAAE,eAAe,EAAE,KAAK,CAAC;oBACpH,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,0IAA0I;oBAChJ,OAAO,EAAE,CAAC,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,CAAC;oBACjG,QAAQ,EAAE,CAAC;oBACX,cAAc,EAAE,CAAC,wBAAwB,CAAC;iBAC3C;gBACD;oBACE,IAAI,EAAE,2FAA2F;oBACjG,OAAO,EAAE,CAAC,YAAY,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,WAAW,CAAC;oBACnF,QAAQ,EAAE,CAAC;oBACX,cAAc,EAAE,CAAC,wBAAwB,CAAC;iBAC3C;gBAED,qDAAqD;gBACrD;oBACE,IAAI,EAAE,+IAA+I;oBACrJ,OAAO,EAAE,CAAC,aAAa,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,EAAE,aAAa,EAAE,aAAa,EAAE,OAAO,EAAE,IAAI,CAAC;oBACxG,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,4IAA4I;oBAClJ,OAAO,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,OAAO,EAAE,SAAS,CAAC;oBACpF,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,6HAA6H;oBACnI,OAAO,EAAE,CAAC,aAAa,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC;oBACnE,QAAQ,EAAE,CAAC;iBACZ;gBAED,oDAAoD;gBACpD;oBACE,IAAI,EAAE,kIAAkI;oBACxI,OAAO,EAAE,CAAC,aAAa,EAAE,WAAW,EAAE,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,YAAY,EAAE,SAAS,EAAE,YAAY,CAAC;oBACxH,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,6GAA6G;oBACnH,OAAO,EAAE,CAAC,WAAW,EAAE,aAAa,EAAE,aAAa,EAAE,WAAW,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,aAAa,EAAE,QAAQ,CAAC;oBACvH,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,8IAA8I;oBACpJ,OAAO,EAAE,CAAC,aAAa,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC;oBACrG,QAAQ,EAAE,CAAC;iBACZ;gBAED,sDAAsD;gBACtD;oBACE,IAAI,EAAE,uHAAuH;oBAC7H,OAAO,EAAE,CAAC,cAAc,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;oBACxG,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,8GAA8G;oBACpH,OAAO,EAAE,CAAC,SAAS,EAAE,gBAAgB,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,CAAC;oBACnG,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,wHAAwH;oBAC9H,OAAO,EAAE,CAAC,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,OAAO,CAAC;oBACjG,QAAQ,EAAE,CAAC;iBACZ;gBAED,oDAAoD;gBACpD;oBACE,IAAI,EAAE,+HAA+H;oBACrI,OAAO,EAAE,CAAC,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,EAAE,cAAc,EAAE,SAAS,EAAE,YAAY,EAAE,UAAU,CAAC;oBAChH,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,oIAAoI;oBAC1I,OAAO,EAAE,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,CAAC;oBACpG,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,uHAAuH;oBAC7H,OAAO,EAAE,CAAC,WAAW,EAAE,eAAe,EAAE,UAAU,EAAE,cAAc,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,CAAC;oBACpG,QAAQ,EAAE,CAAC;iBACZ;gBAED,kDAAkD;gBAClD;oBACE,IAAI,EAAE,qJAAqJ;oBAC3J,OAAO,EAAE,CAAC,eAAe,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,YAAY,EAAE,UAAU,CAAC;oBAChG,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,kHAAkH;oBACxH,OAAO,EAAE,CAAC,WAAW,EAAE,QAAQ,EAAE,QAAQ,EAAE,YAAY,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC;oBAChG,QAAQ,EAAE,CAAC;iBACZ;gBACD;oBACE,IAAI,EAAE,yHAAyH;oBAC/H,OAAO,EAAE,CAAC,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa,CAAC;oBACzF,QAAQ,EAAE,CAAC;iBACZ;aACF;SACF;KACF;IAED,wDAAwD;IAExD,MAAM,EAAE;QACN,SAAS,EAAE;YACT,uBAAuB;YACvB,kGAAkG;YAClG,0HAA0H;YAC1H,8EAA8E;YAC9E,wGAAwG;YACxG,sGAAsG;YACtG,0CAA0C;YAC1C,oGAAoG;YACpG,0HAA0H;YAC1H,+DAA+D;YAC/D,2FAA2F;YAC3F,mFAAmF;YACnF,kHAAkH;YAClH,4CAA4C;YAC5C,6FAA6F;YAC7F,8FAA8F;YAC9F,iHAAiH;YACjH,oDAAoD;YACpD,sGAAsG;YACtG,+GAA+G;YAC/G,2DAA2D;YAC3D,wCAAwC;YACxC,6GAA6G;YAC7G,iGAAiG;SAClG;QAED,QAAQ,EAAE;YACR,yBAAyB,EACvB,gUAAgU;YAClU,6BAA6B,EAC3B,wRAAwR;YAC1R,6CAA6C,EAC3C,0SAA0S;YAC5S,yCAAyC,EACvC,wQAAwQ;YAC1Q,uBAAuB,EACrB,4NAA4N;YAC9N,+BAA+B,EAC7B,0OAA0O;YAC5O,qCAAqC,EACnC,mOAAmO;SACtO;QAED,YAAY,EAAE;YACZ,gHAAgH;YAChH,yHAAyH;YACzH,8GAA8G;YAC9G,gHAAgH;YAChH,gHAAgH;YAChH,6FAA6F;YAC7F,0GAA0G;YAC1G,yGAAyG;SAC1G;KACF;IAED,wDAAwD;IAExD,SAAS,EAAE;QACT,UAAU,EAAE;YACV,8BAA8B;YAC9B,yGAAyG;YACzG,gGAAgG;YAChG,+FAA+F;YAC/F,yGAAyG;YACzG,uCAAuC;YACvC,2FAA2F;YAC3F,mGAAmG;YACnG,0GAA0G;YAC1G,oGAAoG;YACpG,wCAAwC;YACxC,2FAA2F;YAC3F,8GAA8G;YAC9G,+FAA+F;YAC/F,kFAAkF;YAClF,gGAAgG;YAChG,oDAAoD;YACpD,sFAAsF;YACtF,0GAA0G;YAC1G,2JAA2J;YAC3J,4EAA4E;YAC5E,sCAAsC;YACtC,+FAA+F;YAC/F,iFAAiF;YACjF,8EAA8E;SAC/E;QAED,QAAQ,EAAE;YACR,2BAA2B,EACzB,iOAAiO;YACnO,2BAA2B,EACzB,kOAAkO;YACpO,kCAAkC,EAChC,gOAAgO;YAClO,uBAAuB,EACrB,kMAAkM;YACpM,qCAAqC,EACnC,8NAA8N;YAChO,6BAA6B,EAC3B,yLAAyL;SAC5L;QAED,YAAY,EAAE;YACZ,8JAA8J;YAC9J,+EAA+E;YAC/E,gHAAgH;YAChH,+GAA+G;YAC/G,4HAA4H;YAC5H,uGAAuG;YACvG,iIAAiI;YACjI,0IAA0I;YAC1I,oFAAoF;SACrF;KACF;IAED,wDAAwD;IAExD,MAAM,EAAE;QACN,SAAS,EAAE;YACT,SAAS;YACT,mHAAmH;YACnH,wEAAwE;YACxE,mHAAmH;YACnH,QAAQ;YACR,kEAAkE;YAClE,6EAA6E;YAC7E,yFAAyF;YACzF,qGAAqG;YACrG,2FAA2F;YAC3F,UAAU;YACV,wGAAwG;YACxG,0HAA0H;YAC1H,mGAAmG;YACnG,KAAK;YACL,oFAAoF;YACpF,gGAAgG;YAChG,kFAAkF;YAClF,OAAO;YACP,wHAAwH;YACxH,oEAAoE;YACpE,iHAAiH;YACjH,SAAS;YACT,6HAA6H;SAC9H;KACF;CACF,CAAC"}

package/dist/domains/security.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Security Domain Module
+ *
+ * 来源:
+ *   - content/skills/security-hardening/SKILL.md (51 行)
+ *     OWASP Top 10 审计、安全标头、CVE 扫描、密钥管理
+ *   - content/roles/04-quality-security/security-auditor.toml (42 行)
+ *     安全审计方法、攻击面分析、风险排序
+ *
+ * 压缩方法:
+ *   1. OWASP Top 10 表格 → design.checklist + implement.antiPatterns
+ *   2. 安全标头模板 → design.patterns["Security Headers"]
+ *   3. 审计工作流 → verify.checklist
+ *   4. security-auditor focus areas → implement.focusAreas
+ *   5. 原始代码示例/Python脚本 → 丢弃（用户有自己的代码库）
+ */
+import type { DomainModule } from './types.js';
+export declare const securityDomain: DomainModule;
+//# sourceMappingURL=security.d.ts.map

package/dist/domains/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/domains/security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,cAAc,EAAE,YAqY5B,CAAC"}