universal-dev-standards 5.4.0 → 5.6.0

package/standards-registry.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "version": "5.4.0",
+  "version": "5.6.0",
   "lastUpdated": "2026-04-16",
   "description": "Standards registry for universal-dev-standards with integrated skills and AI-optimized formats",
   "formats": {
@@ -58,14 +58,14 @@
     "standards": {
       "name": "universal-dev-standards",
       "url": "https://github.com/AsiaOstrich/universal-dev-standards",
-      "version": "5.4.0"
+      "version": "5.6.0"
     },
     "skills": {
       "name": "universal-dev-standards",
       "url": "https://github.com/AsiaOstrich/universal-dev-standards",
       "localPath": "skills",
       "rawUrl": "https://raw.githubusercontent.com/AsiaOstrich/universal-dev-standards/main/skills",
-      "version": "5.4.0",
+      "version": "5.6.0",
       "note": "Skills are now included in the main repository under skills/"
     }
   },
@@ -1042,7 +1042,7 @@
       },
       "category": "skill",
       "skillName": "testing-guide",
-      "description": "Testing pyramid and recommended coverage ratios (70/20/7/3)",
+      "description": "Testing structure, FIRST principles, AAA pattern, and framework options. Coverage policy superseded by full-coverage-testing (XSPEC-178).",
       "options": {
         "test_level": {
           "default": null,
@@ -1088,6 +1088,18 @@
         }
       }
     },
+    {
+      "id": "full-coverage-testing",
+      "name": "Full Coverage Testing Standards",
+      "nameZh": "全覆蓋測試標準",
+      "source": {
+        "human": "core/testing-standards.md",
+        "ai": "ai/standards/full-coverage-testing.ai.yaml"
+      },
+      "category": "skill",
+      "skillName": "testing-guide",
+      "description": "Behavior-completeness full coverage paradigm: ratchet CI, anti-fake-test rules (no tautology/business-logic mock), STUB marker protocol (pre-push + deploy gates), @ac traceability. Replaces pyramid thresholds (XSPEC-178)."
+    },
     {
       "id": "documentation-structure",
       "name": "Documentation Structure",
@@ -1182,7 +1194,66 @@
       },
       "category": "skill",
       "skillName": "test-coverage-assistant",
-      "description": "Framework for evaluating test coverage completeness"
+      "description": "Framework for evaluating test coverage completeness across 10 dimensions"
+    },
+    {
+      "id": "flow-based-testing",
+      "name": "Flow-Based Testing",
+      "nameZh": "流程解構測試",
+      "source": {
+        "human": "core/flow-based-testing.md",
+        "ai": "ai/standards/flow-based-testing.ai.yaml"
+      },
+      "category": "skill",
+      "skillName": "e2e-assistant",
+      "description": "Flow decomposition methodology for testing multi-step processes with branch coverage"
+    },
+    {
+      "id": "mock-boundary",
+      "name": "Mock Boundary Standards",
+      "nameZh": "Mock 邊界規則",
+      "source": {
+        "human": "core/mock-boundary.md",
+        "ai": "ai/standards/mock-boundary.ai.yaml"
+      },
+      "category": "skill",
+      "skillName": "testing-guide",
+      "description": "Rules defining what can and cannot be mocked to prevent hollow tests"
+    },
+    {
+      "id": "security-testing",
+      "name": "Security Testing Standards",
+      "nameZh": "安全測試標準",
+      "source": {
+        "human": "core/security-testing.md",
+        "ai": "ai/standards/security-testing.ai.yaml"
+      },
+      "category": "skill",
+      "skillName": "security-scan-assistant",
+      "description": "SAST, dependency auditing, DAST, and secret scanning methodology"
+    },
+    {
+      "id": "llm-output-validation",
+      "name": "LLM Output Validation Standards",
+      "nameZh": "LLM 輸出驗證標準",
+      "source": {
+        "human": "core/llm-output-validation.md",
+        "ai": "ai/standards/llm-output-validation.ai.yaml"
+      },
+      "category": "testing",
+      "description": "Standards for validating LLM and AI agent outputs: schema conformance, hallucination detection, prompt regression"
+    },
+    {
+      "id": "mutation-testing",
+      "name": "Mutation Testing Standards",
+      "nameZh": "突變測試標準",
+      "source": {
+        "human": "core/mutation-testing.md",
+        "ai": "ai/standards/mutation-testing.ai.yaml"
+      },
+      "category": "skill",
+      "skillName": "test-coverage-assistant",
+      "description": "Mutation testing methodology to evaluate test suite effectiveness"
     },
     {
       "id": "test-driven-development",
@@ -2158,6 +2229,413 @@
       },
       "category": "core",
       "description": "Security checkpoints embedded in CI pipeline — SAST, DAST, SCA, secrets scan with block/warn/log behavior"
+    },
+    {
+      "id": "slo-sli",
+      "name": "SLO/SLI Definition Standards",
+      "nameZh": "SLO/SLI 定義標準",
+      "source": {
+        "human": "core/slo-sli.md",
+        "ai": "ai/standards/slo-sli.ai.yaml"
+      },
+      "category": "core",
+      "description": "SLI selection per service type, SLO target-setting methodology, error budget policies, and multi-window burn-rate alerting"
+    },
+    {
+      "id": "runbook",
+      "name": "Runbook Writing Standards",
+      "nameZh": "Runbook 撰寫標準",
+      "source": {
+        "human": "core/runbook.md",
+        "ai": "ai/standards/runbook.ai.yaml"
+      },
+      "category": "core",
+      "description": "Required sections, reproducible steps, naming conventions, review cadence, and drill frequency for operational runbooks"
+    },
+    {
+      "id": "incident-response",
+      "name": "Incident Response Standards",
+      "nameZh": "事件回應標準",
+      "source": {
+        "human": "core/incident-response.md",
+        "ai": "ai/standards/incident-response.ai.yaml"
+      },
+      "category": "core",
+      "description": "Severity classification, IC role, stakeholder communication, blameless postmortem, on-call rotation, and incident metrics"
+    },
+    {
+      "id": "license-compliance",
+      "name": "License Compliance Standards",
+      "nameZh": "授權合規標準",
+      "source": {
+        "human": "core/license-compliance.md",
+        "ai": "ai/standards/license-compliance.ai.yaml"
+      },
+      "category": "core",
+      "description": "License tier classification, automated scanning in CI, SBOM generation, attribution notices, and violation remediation"
+    },
+    {
+      "id": "pii-classification",
+      "name": "PII Classification and Handling Standards",
+      "nameZh": "PII 分類與處理標準",
+      "source": {
+        "human": "core/pii-classification.md",
+        "ai": "ai/standards/pii-classification.ai.yaml"
+      },
+      "category": "core",
+      "description": "Three-tier PII sensitivity classification, data minimization, masking in non-production, retention schedules, and cross-border transfer controls"
+    },
+    {
+      "id": "audit-trail",
+      "name": "Audit Trail Standards",
+      "nameZh": "稽核追蹤標準",
+      "source": {
+        "human": "core/audit-trail.md",
+        "ai": "ai/standards/audit-trail.ai.yaml"
+      },
+      "category": "core",
+      "description": "Mandatory auditable events, record schema, immutability, retention periods, query/export, and SIEM integration"
+    },
+    {
+      "id": "schema-evolution",
+      "name": "Schema Evolution Standards",
+      "nameZh": "Schema 演進標準",
+      "source": {
+        "human": "core/schema-evolution.md",
+        "ai": "ai/standards/schema-evolution.ai.yaml"
+      },
+      "category": "core",
+      "description": "Backward-compatible change patterns, prohibited breaking changes, expand-contract migration, schema versioning, and CI compatibility checks"
+    },
+    {
+      "id": "data-contract",
+      "name": "Data Contract Standards",
+      "nameZh": "資料契約標準",
+      "source": {
+        "human": "core/data-contract.md",
+        "ai": "ai/standards/data-contract.ai.yaml"
+      },
+      "category": "core",
+      "description": "Data contract specification format, quality SLOs, breaking-change governance, automated contract testing, and consumer registration"
+    },
+    {
+      "id": "data-pipeline",
+      "name": "Data Pipeline Standards",
+      "nameZh": "資料管線標準",
+      "source": {
+        "human": "core/data-pipeline.md",
+        "ai": "ai/standards/data-pipeline.ai.yaml"
+      },
+      "category": "core",
+      "description": "Idempotency, error handling with DLQs, checkpointing, data lineage, pipeline observability SLOs, and testing requirements"
+    },
+    {
+      "id": "iac-design-principles",
+      "name": "Infrastructure as Code Design Principles",
+      "nameZh": "基礎設施即程式碼設計原則",
+      "source": {
+        "human": "core/iac-design-principles.md",
+        "ai": "ai/standards/iac-design-principles.ai.yaml"
+      },
+      "category": "core",
+      "description": "Four IaC principles (reproducible, immutable, idempotent, versioned), remote state with locking, and drift detection with three-category classification"
+    },
+    {
+      "id": "container-image-standards",
+      "name": "Container Image Build and Security Standards",
+      "nameZh": "容器映像建構與安全標準",
+      "source": {
+        "human": "core/container-image-standards.md",
+        "ai": "ai/standards/container-image-standards.ai.yaml"
+      },
+      "category": "core",
+      "description": "Dockerfile five principles (multi-stage, non-root, distroless, no secrets, SBOM labels), SBOM embedding via syft/trivy, and CVE scanning block policy"
+    },
+    {
+      "id": "secret-management-standards",
+      "name": "Secret Management and Credential Hygiene Standards",
+      "nameZh": "機密管理與憑證衛生標準",
+      "source": {
+        "human": "core/secret-management-standards.md",
+        "ai": "ai/standards/secret-management-standards.ai.yaml"
+      },
+      "category": "core",
+      "description": "Three secret source tiers (Vault, Cloud KMS, SOPS), rotation policies by credential type, hardcoded secret prevention, and safe injection patterns"
+    },
+    {
+      "id": "prd-standards",
+      "name": "Product Requirements Document Standards",
+      "nameZh": "產品需求文件標準",
+      "source": {
+        "human": "core/prd-standards.md",
+        "ai": "ai/standards/prd-standards.ai.yaml"
+      },
+      "category": "core",
+      "description": "PRD five sections (Problem, Persona, Metrics, Scope, Constraints), PRD-to-user-story bridge with metric traceability, and post-kickoff revision policy"
+    },
+    {
+      "id": "product-metrics-standards",
+      "name": "Product Metrics Framework Standards",
+      "nameZh": "產品指標框架標準",
+      "source": {
+        "human": "core/product-metrics-standards.md",
+        "ai": "ai/standards/product-metrics-standards.ai.yaml"
+      },
+      "category": "core",
+      "description": "Framework selection matrix (AARRR/HEART/North Star), North Star four criteria, three-level metric hierarchy, and anti-vanity metric rule"
+    },
+    {
+      "id": "user-story-mapping",
+      "name": "User Story Mapping Standards",
+      "nameZh": "使用者故事地圖標準",
+      "source": {
+        "human": "core/user-story-mapping.md",
+        "ai": "ai/standards/user-story-mapping.ai.yaml"
+      },
+      "category": "core",
+      "description": "Three-layer story map (Backbone, Walking Skeleton, Detail Stories), MVP horizontal slice rule, INVEST compliance per story, and GWT acceptance criteria"
+    },
+    {
+      "id": "secure-op",
+      "name": "Secure-Op Standard",
+      "nameZh": "AI Agent 安全操作標準",
+      "source": {
+        "human": "core/secure-op.md",
+        "ai": "ai/standards/secure-op.ai.yaml"
+      },
+      "category": "security",
+      "description": "AI Agent secure operation methodology: Veto-based decision, SOBR risk scoring, Fail-Closed principle, tamper-evident audit chain, HITL escalation, and prompt injection defense"
+    },
+    {
+      "id": "server-ops-security",
+      "name": "Server Operations Security",
+      "nameZh": "伺服器操作安全標準",
+      "source": {
+        "human": "core/server-ops-security.md",
+        "ai": "ai/standards/server-ops-security.ai.yaml"
+      },
+      "category": "security",
+      "description": "SSH hardening, host configuration, privilege management, bastion patterns, patch management SLA, and network isolation for AI Agent production environments"
+    },
+    {
+      "id": "container-security",
+      "name": "Container Security",
+      "nameZh": "容器安全標準",
+      "source": {
+        "human": "core/container-security.md",
+        "ai": "ai/standards/container-security.ai.yaml"
+      },
+      "category": "security",
+      "description": "Container image hardening, registry security, runtime protection, secrets management, Kubernetes network policy, and supply chain integrity for AI Agent production environments"
+    },
+    {
+      "id": "adversarial-test",
+      "name": "Adversarial Test Standards",
+      "nameZh": "對抗性測試標準",
+      "source": {
+        "human": "core/adversarial-test.md",
+        "ai": "ai/standards/adversarial-test.ai.yaml"
+      },
+      "category": "testing",
+      "description": "Red-team corpus design for AI agents: OWASP LLM Top 10 adversarial probes (prompt injection LLM01, PII exfiltration LLM06, privilege escalation LLM08, source-agent spoofing)"
+    },
+    {
+      "id": "policy-as-code-testing",
+      "name": "Policy as Code Testing Standards",
+      "nameZh": "Policy as Code 測試標準",
+      "source": {
+        "human": "core/policy-as-code-testing.md",
+        "ai": "ai/standards/policy-as-code-testing.ai.yaml"
+      },
+      "category": "testing",
+      "description": "OPA Rego unit test standards: _test.rego file conventions, ALLOW/DENY/boundary cases, Fail-Closed default, CI opa test integration, anti-patterns (array.concat on sets)"
+    },
+    {
+      "id": "sast-advanced",
+      "name": "Advanced SAST Standards",
+      "nameZh": "進階 SAST 標準",
+      "source": {
+        "human": "core/sast-advanced.md",
+        "ai": "ai/standards/sast-advanced.ai.yaml"
+      },
+      "category": "security",
+      "description": "CodeQL semantic code analysis + secret scanning + Biome security rules. Complements dependency auditing with deep static analysis detecting injection vulnerabilities."
+    }
+    ,
+    {
+      "id": "prompt-regression",
+      "name": "Prompt Regression Standards",
+      "nameZh": "Prompt 回歸測試標準",
+      "source": {
+        "human": "core/prompt-regression.md",
+        "ai": "ai/standards/prompt-regression.ai.yaml"
+      },
+      "category": "testing",
+      "description": "Golden SHA-256 checksum tests for AI agent prompt files. Detects unintended prompt changes in CI; requires documented acknowledgment when checksums are updated."
+    }
+    ,
+    {
+      "id": "supply-chain-attestation",
+      "name": "Supply Chain Attestation Standards",
+      "nameZh": "供應鏈溯源標準",
+      "source": {
+        "human": "core/supply-chain-attestation.md",
+        "ai": "ai/standards/supply-chain-attestation.ai.yaml"
+      },
+      "category": "security",
+      "description": "CycloneDX SBOM generation, SLSA provenance (L1/L2), and cosign signing for verifiable software supply chain integrity from source to deployed artefact."
+    }
+    ,
+    {
+      "id": "cost-budget-test",
+      "name": "Cost Budget Test Standards",
+      "nameZh": "成本預算測試標準",
+      "source": {
+        "human": "core/cost-budget-test.md",
+        "ai": "ai/standards/cost-budget-test.ai.yaml"
+      },
+      "category": "testing",
+      "description": "Unit tests for AI agent token budget zone classification boundaries (safe/warning/danger/blocking), pipeline cost thresholds, and runaway-loop prevention guards."
+    }
+    ,
+    {
+      "id": "replay-test",
+      "name": "Replay Test Standards",
+      "nameZh": "回放測試標準",
+      "source": {
+        "human": "core/replay-test.md",
+        "ai": "ai/standards/replay-test.ai.yaml"
+      },
+      "category": "testing",
+      "description": "Golden fixture recording and deterministic replay for AI agent pipelines. Enables customer bug reproduction, verdict regression detection, and incident investigation without a live LLM."
+    }
+    ,
+    {
+      "id": "smoke-test",
+      "name": "Smoke Test Standards",
+      "nameZh": "煙霧測試標準",
+      "source": {
+        "human": "core/smoke-test.md",
+        "ai": "ai/standards/smoke-test.ai.yaml"
+      },
+      "category": "testing",
+      "description": "Post-deployment sanity checks verifying critical paths (health endpoint, core API) complete in under 30 seconds with zero external dependencies."
+    }
+    ,
+    {
+      "id": "property-based-testing",
+      "name": "Property-Based Testing Standards",
+      "nameZh": "屬性基礎測試標準",
+      "source": {
+        "human": "core/property-based-testing.md",
+        "ai": "ai/standards/property-based-testing.ai.yaml"
+      },
+      "category": "testing",
+      "description": "fast-check / Hypothesis property tests for pure functions: range clamping, determinism, monotonicity, round-trip. Complements example-based unit tests by generating hundreds of random inputs."
+    }
+    ,
+    {
+      "id": "disaster-recovery-drill",
+      "name": "Disaster Recovery Drill Standards",
+      "nameZh": "災難恢復演練標準",
+      "source": {
+        "human": "core/disaster-recovery-drill.md",
+        "ai": "ai/standards/disaster-recovery-drill.ai.yaml"
+      },
+      "category": "operations",
+      "description": "Quarterly DR drill protocol: RTO/RPO targets, backup restore verification, Game Day exercises, drill records retained 12 months."
+    }
+    ,
+    {
+      "id": "flaky-test-management",
+      "name": "Flaky Test Management Standards",
+      "nameZh": "不穩定測試管理標準",
+      "source": {
+        "human": "core/flaky-test-management.md",
+        "ai": "ai/standards/flaky-test-management.ai.yaml"
+      },
+      "category": "testing",
+      "description": "Policies for detecting, quarantining (< 48h), and eliminating (< 30 days) flaky tests. Retry policy, root cause documentation, and quarantine annotation conventions."
+    }
+    ,
+    {
+      "id": "data-migration-testing",
+      "name": "Data Migration Testing Standards",
+      "nameZh": "資料遷移測試標準",
+      "source": {
+        "human": "core/data-migration-testing.md",
+        "ai": "ai/standards/data-migration-testing.ai.yaml"
+      },
+      "category": "testing",
+      "description": "Standards for database schema migration tests: up/down/idempotency/data-preservation coverage. Requires isolated in-memory DB per test, verifiable rollback path, and data integrity after ALTER/DROP."
+    }
+    ,
+    {
+      "id": "chaos-injection-tests",
+      "name": "Chaos Injection Test Standards",
+      "nameZh": "混沌注入測試標準",
+      "source": {
+        "human": "core/chaos-injection-tests.md",
+        "ai": "ai/standards/chaos-injection-tests.ai.yaml"
+      },
+      "category": "testing",
+      "description": "Executable chaos injection tests for AI agent systems: LLM timeout/rate-limit, DB disconnect rollback, policy-engine fail-closed, and inter-agent blast-radius containment tests."
+    }
+    ,
+    {
+      "id": "release-quality-manifest",
+      "name": "Release Quality Manifest Standards",
+      "nameZh": "發布品質宣言標準",
+      "source": {
+        "human": "core/release-quality-manifest.md",
+        "ai": "ai/standards/release-quality-manifest.ai.yaml"
+      },
+      "category": "deployment",
+      "description": "Machine-readable per-release Quality Manifest aggregating all gate results (coverage, mutation, CVE, SAST, E2E, container scan, SBOM, LLM hallucination). Auto-generated by CI; customer-shareable."
+    },
+    {
+      "id": "release-readiness-gate",
+      "name": "Release Readiness Gate",
+      "nameZh": "釋出準備閘門",
+      "source": {
+        "human": "core/release-readiness-gate.md",
+        "ai": "ai/standards/release-readiness-gate.ai.yaml"
+      },
+      "category": "deployment",
+      "description": "Single aggregated release gate covering 16 quality dimensions (Security, a11y, Performance, Contract, DB Migration, Cross-flow Regression, Operational Readiness, i18n, Browser Compat, Capacity, Compliance, Docs, Rollback, Smoke, Feature Flags, Multi-Gate Flow). Tiered sign-off template with RQM integration."
+    },
+    {
+      "id": "contract-testing-standards",
+      "name": "Contract Testing Standards",
+      "nameZh": "合約測試標準",
+      "source": {
+        "human": "core/contract-testing-standards.md",
+        "ai": "ai/standards/contract-testing-standards.ai.yaml"
+      },
+      "category": "testing",
+      "description": "Consumer-driven contract testing (Pact/Spring Cloud Contract): consumer-driven flow, schema matchers, N-1 backward compatibility window, can-i-deploy release gate. Applies to projects with API consumers."
+    },
+    {
+      "id": "cross-flow-regression",
+      "name": "Cross-Flow Regression",
+      "nameZh": "跨流程回歸測試",
+      "source": {
+        "human": "core/cross-flow-regression.md",
+        "ai": "ai/standards/cross-flow-regression.ai.yaml"
+      },
+      "category": "testing",
+      "description": "Cross-flow regression complementing per-flow Multi-Gate: Critical User Journey (CUJ) suite, sequential state threading, inter-flow state contamination detection. CUJ pass rate ≥ 95% required per release."
+    },
+    {
+      "id": "browser-compatibility-standards",
+      "name": "Browser Compatibility Standards",
+      "nameZh": "瀏覽器相容性標準",
+      "source": {
+        "human": "core/browser-compatibility-standards.md",
+        "ai": "ai/standards/browser-compatibility-standards.ai.yaml"
+      },
+      "category": "testing",
+      "description": "Browser/device support matrix (Tier-1/2/3), Playwright matrix config, viewport coverage (360/768/1280px), real iOS device testing, release gate. Applies to frontend/web projects; N/A for CLI/backend."
     }
   ]
 }