npm - universal-dev-standards - Versions diffs - 5.5.0 → 5.7.0 - Mend

universal-dev-standards 5.5.0 → 5.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (123) hide show

package/bundled/core/release-quality-manifest.md CHANGED Viewed

@@ -16,11 +16,14 @@ A Release Quality Manifest makes quality evidence:
 ## Schema
+The RQM now covers **16 quality dimensions** matching `release-readiness-gate.md`. Automated gates appear here; human-verified gates appear in the Release Readiness Sign-off document.
 ```yaml
-release: vibeops-commercial-1.2.0
+release: app-commercial-1.2.0
 generated_at: "2026-05-05T04:00:00Z"
 commit: "abc1234"
 gates:
+  # ── Automated quality gates ──────────────────────────────
   unit_coverage:
     actual: "73%"
     target: "80%"
@@ -57,7 +60,42 @@ gates:
     actual: true
     target: true
     status: pass
-overall: WARN   # worst gate status (2 warns, no fails)
+  # ── Extended dimensions (aligned with release-readiness-gate.md) ──
+  a11y_critical:             # Dimension 3: axe-core critical violations
+    actual: 0
+    target: 0
+    status: pass
+  a11y_serious:              # Dimension 3: axe-core serious violations
+    actual: 0
+    target: 0
+    status: pass
+  contract_drift:            # Dimension 4: consumer contracts failing (n/a if no consumers)
+    actual: 0
+    target: 0
+    status: pass             # or "n/a" if no API consumers
+  cross_flow_cuj_pass_rate:  # Dimension 6: critical user journey pass rate
+    actual: "100%"
+    target: "95%"
+    status: pass
+  browser_tier1_pass_rate:   # Dimension 9: Tier-1 browser matrix (n/a for non-frontend)
+    actual: "100%"
+    target: "100%"
+    status: pass             # or "n/a" for CLI/backend
+  capacity_headroom_cpu_pct: # Dimension 10: CPU headroom at projected peak (n/a for small projects)
+    actual: "42%"
+    target: "30%"
+    status: pass             # or "n/a" for small-scale projects
+  smoke_pass_rate:           # Dimension 14: post-deploy smoke (populated after staging deploy)
+    actual: "100%"
+    target: "100%"
+    status: pass
+  flow_gate_report:          # Dimension 16: Multi-Gate Flow verification
+    gate_0_complete: true    # all flows with ≥3 steps have §2.4 + §9.4 filled
+    gate_1_pr_coverage: true # all PRs touching flows include terminal-state tests
+    gate_3_ci_pass: true     # Decision Table CI all green; branch coverage ≥ 90%
+    gate_4_uat_signoff: true # UAT sign-off table signed
+    status: pass
+overall: WARN   # worst gate status across all dimensions (2 warns, no fails)
 ```
 ## Status Semantics
@@ -68,15 +106,23 @@ overall: WARN   # worst gate status (2 warns, no fails)
 | `warn` | Within acceptable deviation (see per-gate policy) | Document reason; no release block |
 | `fail` | Below hard minimum | **Blocks release** |
-### Per-Gate Hard Minimums (Examples)
-| Gate | Warn Band | Fail Threshold |
-|------|-----------|----------------|
-| unit_coverage | target - 10pp to target | below target - 10pp |
-| mutation_score | target - 5pp to target | below target - 5pp |
-| sca_critical_cve | — | any critical CVE = fail |
-| container_cve_critical | — | any critical CVE = fail |
-| e2e_pass_rate | target - 3pp to target | below target - 3pp |
+### Per-Gate Hard Minimums
+| Gate | Warn Band | Fail Threshold | Release Readiness Dimension |
+|------|-----------|----------------|----------------------------|
+| unit_coverage | target - 10pp to target | below target - 10pp | (core RQM) |
+| mutation_score | target - 5pp to target | below target - 5pp | (core RQM) |
+| sca_critical_cve | — | any critical CVE = fail | Dim 2 (Security) |
+| container_cve_critical | — | any critical CVE = fail | Dim 2 (Security) |
+| e2e_pass_rate | target - 3pp to target | below target - 3pp | (core RQM) |
+| a11y_critical | — | > 0 = fail | Dim 3 (a11y) |
+| a11y_serious | project threshold | project threshold + 1-2 | Dim 3 (a11y) |
+| contract_drift | — | any red consumer contract = fail (if n/a: skip) | Dim 4 (Contract) |
+| cross_flow_cuj_pass_rate | 90–95% | < 90% | Dim 6 (Cross-flow Regression) |
+| browser_tier1_pass_rate | — | < 100% (if n/a: skip) | Dim 9 (Browser Compat) |
+| capacity_headroom_cpu_pct | 20–30% | < 20% (if n/a: skip) | Dim 10 (Capacity) |
+| smoke_pass_rate | — | any smoke failure = fail | Dim 14 (Smoke) |
+| flow_gate_report | gate_3_ci_pass=false | gate_0_complete=false OR gate_4_uat_signoff=false | Dim 16 (Multi-Gate Flow) |
 ## Automated Generation
@@ -121,7 +167,7 @@ YAML
 Generate a Markdown table alongside the YAML for inclusion in release notes:
 ```markdown
-## Release Quality Gates — vibeops-commercial-1.2.0
+## Release Quality Gates — app-commercial-1.2.0
 | Gate | Actual | Target | Status |
 |------|--------|--------|--------|

package/bundled/core/release-readiness-gate.md ADDED Viewed

@@ -0,0 +1,184 @@
+# Release Readiness Gate
+> **Language**: English | [繁體中文](../locales/zh-TW/core/release-readiness-gate.md)
+**Version**: 1.0.0
+**Last Updated**: 2026-05-05
+**Applicability**: All software projects preparing a production release
+**Scope**: universal
+**Industry Standards**: ISO/IEC 25010 (Product Quality), ISTQB Advanced Test Manager
+**References**: `core/release-quality-manifest.md`, `core/flow-based-testing.md`
+---
+## Purpose
+This standard defines a **single, aggregated Release Readiness Gate** that unifies all quality dimensions into one explicit go/no-go decision before production deployment.
+Without this gate, quality evidence is spread across 16+ separate standards. Teams pass individual checks but ship with unverified dimensions, because no one document says "you must pass *all of these* before release."
+The Release Readiness Gate:
+- **Aggregates** 16 quality dimensions into a tiered checklist
+- **Connects** human sign-off (this document) to machine-readable evidence (`release-quality-manifest.md`)
+- **Distinguishes** blocking criteria from advisory warnings
+- **Scales** via Tier-1 / Tier-2 / Tier-3 classification to fit projects of different types and risk levels
+---
+## Relationship to Release Quality Manifest (RQM)
+| Artifact | Format | Audience | Purpose |
+|----------|--------|----------|---------|
+| **Release Readiness Sign-off** (this document's template) | Markdown checklist | Humans (PM, QA, Eng Lead, Business) | Go/no-go decision, accountability, audit trail |
+| **Release Quality Manifest** (`release-quality-manifest.md`) | YAML/JSON | CI, tooling, customers | Machine-readable aggregation, automated gate enforcement |
+These two artifacts are generated **in parallel** for every release. The Sign-off covers human-verified dimensions; the RQM covers automated dimensions. Both must be `PASS` / `WARN` (never `FAIL`) before production deployment.
+---
+## Tier Classification
+| Tier | Requirement | Miss = ? | Who Applies |
+|------|-------------|---------|-------------|
+| **Tier-1** | Must pass; release blocked if `FAIL` | Hard block | All projects |
+| **Tier-2** | Should pass; `WARN` documented with rationale; no block | Documented WARN | All projects |
+| **Tier-3** | Applicable when feature set or domain requires it; `N/A` is valid | N/A accepted | Depends on project type |
+---
+## 16-Dimension Release Readiness Matrix
+| # | Dimension | Tier | Gate Type | Blocking Criterion | Evidence | Standard | Responsible |
+|---|-----------|------|-----------|-------------------|----------|---------|-------------|
+| 1 | **Performance / Load** | 2 | Automated | p95 latency regression > 10%; headroom < 20% | Load test report | `performance-standards.md` | Eng Lead + SRE |
+| 2 | **Security** (SAST/DAST/SCA/secrets) | 1 | Automated | Any Critical/High CVE, SAST High unfixed, secret in diff | SARIF, Trivy, SBOM | `pipeline-security-gates.md` | SecEng / Eng Lead |
+| 3 | **Accessibility (a11y)** | 2 | Automated + Manual | axe-core critical > 0; keyboard nav path broken | axe report, screen reader log | `accessibility-standards.md` §Release-Blocking Threshold | QA + UX |
+| 4 | **API / Contract Testing** | 3 | Automated | Upstream consumer contract red; N-1 compat broken | Pact broker report | `contract-testing-standards.md` | API owner |
+| 5 | **Database Migration** | 1 | Automated | up/rollback/idempotency test fails; data-preservation test fails | `data-migration-testing.md` gate results | `data-migration-testing.md` | DB Lead |
+| 6 | **Cross-flow Regression** | 2 | Automated | Critical user journey pass rate < 95%; business-critical flow combo fails | Cross-flow regression report | `cross-flow-regression.md` | QA Lead |
+| 7 | **Operational Readiness** | 1 | Manual | Runbook missing; alerting unconfigured; no rollback procedure | Runbook link, alert rule review | `runbook-standards.md`, `alerting-standards.md` | SRE / Ops |
+| 8 | **Localization / i18n** | 2 | Automated | MISSING or MAJOR i18n gap in release (semver gap) | `check-translation-sync.sh` output | `translation-lifecycle-standards.md` | i18n Lead |
+| 9 | **Browser / Device Compatibility** | 3 | Automated | Tier-1 browser/device pass rate < 100% | Playwright matrix report | `browser-compatibility-standards.md` | Frontend QA |
+| 10 | **Capacity Sign-off** | 3 | Manual | Headroom < 30% at projected peak; no Eng+SRE sign-off | Capacity forecast + sign-off | `performance-standards.md` §Per-Release Capacity Sign-off | SRE + Eng Lead |
+| 11 | **Compliance / Privacy** | 3 | Manual | GDPR/CCPA violation; audit log missing; retention policy broken | Privacy review checklist | `privacy-standards.md` | DPO / Legal |
+| 12 | **Documentation Completeness** | 2 | Manual | CHANGELOG missing for release; customer-facing docs not updated | CHANGELOG diff, docs review | `changelog-standards.md`, `documentation-lifecycle.md` | Tech Writer / PM |
+| 13 | **Rollback / Disaster Recovery** | 1 | Manual | No tested rollback procedure for this release; RTO > threshold | DR drill record; rollback script | `rollback-standards.md`, `disaster-recovery-drill.md` | SRE |
+| 14 | **Production Smoke / Canary** | 1 | Automated | Post-deploy smoke fails; canary error rate > SLO | Smoke test results; canary dashboard | `smoke-test.md`, `cd-deployment-strategies.md` | SRE / DevOps |
+| 15 | **Feature Flag Governance** | 2 | Manual | Default state not reviewed; kill-switch not tested | Flag audit checklist | `feature-flag-standards.md` | PM + Eng Lead |
+| 16 | **Multi-Gate Flow Verification** | 2 | Automated + Manual | Gate 0 missing for any flow with ≥ 3 steps; Gate 3 CI fail; Gate 4 UAT sign-off missing | `flow_gate_report.json`; UAT sign-off table | `flow-based-testing.md` §Multi-Gate | QA Lead + Business |
+> **Note on Tier-3**: Mark as `N/A` when not applicable (e.g., browser matrix for a CLI tool; contract testing for a standalone service with no API consumers). `N/A` requires a rationale comment in the sign-off.
+---
+## Release Readiness Sign-off Template
+> Copy this template for each release. File as `.release-readiness/<version>.md` in the repo root, or attach to the release artifact.
+```markdown
+# Release Readiness Sign-off
+**Release**: [tag/version]
+**Date**: [YYYY-MM-DD]
+**Environment**: Pre-Production → Production
+**RQM Artifact**: [link or commit SHA]
+## Tier-1 Gates (ALL must be PASS)
+| # | Dimension | Status | Evidence | Sign-off |
+|---|-----------|--------|----------|---------|
+| 2 | Security (SAST/DAST/SCA) | PASS / FAIL | [link] | [name] |
+| 5 | Database Migration | PASS / FAIL | [link] | [name] |
+| 7 | Operational Readiness | PASS / FAIL | [link] | [name] |
+| 13 | Rollback / DR | PASS / FAIL | [link] | [name] |
+| 14 | Production Smoke/Canary | PASS / FAIL | [link] | [name] |
+## Tier-2 Gates (WARN must have rationale)
+| # | Dimension | Status | Evidence | Rationale (if WARN) | Sign-off |
+|---|-----------|--------|----------|---------------------|---------|
+| 1 | Performance / Load | PASS / WARN / FAIL | [link] | | [name] |
+| 3 | Accessibility | PASS / WARN / FAIL | [link] | | [name] |
+| 6 | Cross-flow Regression | PASS / WARN / FAIL | [link] | | [name] |
+| 8 | Localization / i18n | PASS / WARN / FAIL | [link] | | [name] |
+| 12 | Documentation | PASS / WARN / FAIL | [link] | | [name] |
+| 15 | Feature Flag Governance | PASS / WARN / FAIL | [link] | | [name] |
+| 16 | Multi-Gate Flow Verification | PASS / WARN / FAIL | [link] | | [name] |
+## Tier-3 Gates (N/A with rationale allowed)
+| # | Dimension | Status | Evidence | Rationale (if N/A) | Sign-off |
+|---|-----------|--------|----------|---------------------|---------|
+| 4 | API / Contract Testing | PASS / WARN / N/A | [link] | | [name] |
+| 9 | Browser / Device Compat | PASS / WARN / N/A | [link] | | [name] |
+| 10 | Capacity Sign-off | PASS / WARN / N/A | [link] | | [name] |
+| 11 | Compliance / Privacy | PASS / WARN / N/A | [link] | | [name] |
+## Overall Decision
+- [ ] **GO** — All Tier-1 PASS; all WARN documented; all N/A have rationale
+- [ ] **NO-GO** — One or more Tier-1 FAIL, or undocumented WARN
+**Decision made by**: [name, role]
+**Date**: [YYYY-MM-DD]
+```
+---
+## Status Semantics
+| Status | Meaning | Release Impact |
+|--------|---------|----------------|
+| `PASS` | Meets or exceeds all criteria | None |
+| `WARN` | Below target but above hard minimum; rationale documented | Allowed; logged |
+| `FAIL` | Below hard minimum; unresolved | **Blocks release** |
+| `N/A` | Dimension not applicable to this project/release; rationale documented | Allowed |
+---
+## When to Create the Sign-off
+| Milestone | Action |
+|-----------|--------|
+| Release candidate tagged | Create `.release-readiness/<version>.md` from template; fill evidence links |
+| Pre-UAT deployment | Gate 3 CI results populated; Tier-1 automated gates verified |
+| UAT sign-off (Gate 4) | Tier-3 manual gates completed; Multi-Gate Flow row finalized |
+| Production deployment decision | Overall GO/NO-GO decision signed by release owner |
+The sign-off is **not** an afterthought — Gate 0 (PRD completeness) and Gate 1 (PR-level tests) must be satisfied long before the sign-off document is created. The sign-off aggregates evidence that was being collected throughout the release cycle.
+---
+## Anti-Patterns
+- **Creating the sign-off the day of deployment** — evidence should be collected incrementally throughout the release cycle
+- **Marking WARN without rationale** — WARN without documented reason is functionally equivalent to ignoring the gate
+- **Skipping Tier-3 entirely without N/A rationale** — if browser testing is omitted for a web app, that must be explicitly justified
+- **Treating the Sign-off as a rubber stamp** — every row requires a named sign-off owner; anonymous collective ownership means no real accountability
+- **Using a shared sign-off for multiple releases** — one sign-off per release tag; do not reuse across versions
+---
+## See Also
+- `release-quality-manifest.md` — machine-readable RQM (the automated counterpart to this sign-off)
+- `flow-based-testing.md` — Multi-Gate Flow Model (Dimension 16)
+- `branch-completion.md` — branch-level gate (prerequisite; not equivalent to release readiness)
+- `verification-evidence.md` — evidence standards (all evidence links must meet this standard)
+- `deployment-standards.md` — post-deploy gate integration
+---
+## Version History
+| Version | Date | Changes |
+|---------|------|---------|
+| 1.0.0 | 2026-05-05 | Initial release: 16-dimension matrix, tiered sign-off template, RQM integration |
+---
+## License
+This standard is released under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/).
+**Source**: [universal-dev-standards](https://github.com/AsiaOstrich/universal-dev-standards)

package/bundled/core/sast-advanced.md CHANGED Viewed

@@ -141,7 +141,7 @@ sast:
 ### `.gitleaks.toml` Configuration Example
 ```toml
-title = "VibeOps Gitleaks Configuration"
+title = "Gitleaks Configuration (example)"
 version = "8"
 [extend]
@@ -149,11 +149,11 @@ version = "8"
 useDefault = true
 [[rules]]
-id = "vibeops-license-key"
-description = "VibeOps license key"
-regex = '''vibeops[_\-]?license[_\-]?key\s*[:=]\s*["']?([A-Za-z0-9\-]{32,})["']?'''
+id = "app-license-key"
+description = "App license key"
+regex = '''app[_\-]?license[_\-]?key\s*[:=]\s*["']?([A-Za-z0-9\-]{32,})["']?'''
 severity = "CRITICAL"
-tags = ["license", "vibeops"]
+tags = ["license", "app"]
 [[allowlist.commits]]
 # Example: allow a specific commit hash that was remediated

package/bundled/core/secure-op.md CHANGED Viewed

@@ -12,7 +12,7 @@
 **Secure-Op** 是針對 AI Agent 系統的安全操作方法論，定義 AI Agent 在執行高風險操作時必須遵循的六大安全支柱。
-本標準源自 VibeOps Guardian OPA Sidecar（XSPEC-146）的實作經驗，並沉澱為通用 UDS 標準，供任何採用 UDS 的 AI Agent 系統套用。
+本標準源自 External Guardian OPA Sidecar reference implementation (XSPEC-146 from an external project)的實作經驗，並沉澱為通用 UDS 標準，供任何採用 UDS 的 AI Agent 系統套用。
 ### 核心理念
@@ -214,9 +214,9 @@ AI Agent 系統必須防護 Prompt Injection 攻擊，防止惡意輸入繞過
 ## 實作參考
-### VibeOps Guardian（TypeScript 參考實作）
+### External Guardian (reference implementation)（TypeScript 參考實作）
-VibeOps Guardian OPA Sidecar（XSPEC-146）是 Secure-Op 的完整 TypeScript 參考實作，包含：
+External Guardian OPA Sidecar reference implementation (XSPEC-146 from an external project)是 Secure-Op 的完整 TypeScript 參考實作，包含：
 - **GuardianService**：主要 Veto-based 決策管線
 - **SobrScorer**：SOBR 四維風險評分
@@ -224,7 +224,7 @@ VibeOps Guardian OPA Sidecar（XSPEC-146）是 Secure-Op 的完整 TypeScript
 - **HitlNotifier**：Webhook Adapter（支援 Slack/Teams）
 - **PromptInjectionDetector**：正則表達式 + 模式比對
-> 路徑：`vibeops/src/guardian/`（VibeOps repo，AGPL-3.0）
+> 路徑：external Guardian implementation (separately licensed)
 ### 最小實作清單
@@ -298,7 +298,7 @@ Secure-Op 標準分為三個實作等級（Priority Levels）：
 ### 對於生產環境 AI Agent 系統
-完整實作六大支柱，使用 VibeOps Guardian 作為參考或直接引用。
+完整實作六大支柱，使用 External Guardian (reference implementation) 作為參考或直接引用。
 ### 對於法規要求環境（金融、醫療、政府）

package/bundled/core/security-decision.md CHANGED Viewed

@@ -30,7 +30,7 @@ In non-interactive (CI/CD) environments, `ask` is treated as `deny` — there is
 ## projectSettings Trust Radius
-Configuration from `projectSettings` (`.devap/`, `.vibeops/`) is excluded from security-sensitive operations to prevent malicious repository injection:
+Configuration from `projectSettings` (`.adoption/` style directories) is excluded from security-sensitive operations to prevent malicious repository injection:
 **Blocked operations from projectSettings**:
 - Setting `requiresUserConfirmation: false`

package/bundled/core/server-ops-security.md CHANGED Viewed

@@ -11,7 +11,7 @@
 ### 為什麼 AI 自主運維需要伺服器操作安全？
-AI 自主運維系統（如 VibeOps）在生產環境中以自動化方式執行高權限操作——部署服務、管理容器、調用外部 API、存取資料庫。這些能力若缺乏適當的基礎設施安全防護，將帶來遠超傳統 Web 應用的風險：
+AI 自主運維系統（如 AI Agent / pipeline runtime）在生產環境中以自動化方式執行高權限操作——部署服務、管理容器、調用外部 API、存取資料庫。這些能力若缺乏適當的基礎設施安全防護，將帶來遠超傳統 Web 應用的風險：
 - **攻擊面擴大**：AI Agent 持續運行，攻擊者只需一個進入點即可橫向移動
 - **自動化即武器**：被入侵的 AI Agent 可自動執行大規模破壞（刪除資料、外洩機密）
@@ -38,7 +38,7 @@ PubkeyAuthentication yes
 Port 2222                    # 改為非預設 Port
 MaxAuthTries 3
 LoginGraceTime 30
-AllowUsers deploy vibeops    # 明確白名單
+AllowUsers deploy ai-agent    # 明確白名單
 ClientAliveInterval 300
 ClientAliveCountMax 2
 ```
@@ -159,21 +159,21 @@ sudo lynis audit system
 ```bash
 # 建立無 shell 的服務帳號
-sudo useradd -r -s /sbin/nologin -d /opt/vibeops vibeops
-sudo mkdir -p /opt/vibeops
-sudo chown vibeops:vibeops /opt/vibeops
-sudo chmod 750 /opt/vibeops
+sudo useradd -r -s /sbin/nologin -d /opt/ai-agent ai-agent
+sudo mkdir -p /opt/ai-agent
+sudo chown ai-agent:ai-agent /opt/ai-agent
+sudo chmod 750 /opt/ai-agent
 # 驗證：不可切換到此帳號
-sudo -u vibeops /bin/bash  # 應拒絕
+sudo -u ai-agent /bin/bash  # 應拒絕
 ```
 #### sudo 設定（最小授權）
-`/etc/sudoers.d/vibeops`：
+`/etc/sudoers.d/ai-agent`：
 ```
-# 允許 vibeops 重啟特定服務（明確命令）
-vibeops ALL=(ALL) NOPASSWD: /bin/systemctl restart vibeops-agent
+# 允許 ai-agent 重啟特定服務（明確命令）
+ai-agent ALL=(ALL) NOPASSWD: /bin/systemctl restart ai-agent-agent
 # 禁止 NOPASSWD ALL 寫法
 ```
@@ -357,7 +357,7 @@ Load Balancer / API Gateway（唯一對外入口）
 Internal VPC / Overlay Network
   │
 ┌──────────────────────────────────────┐
-│  VibeOps Agent  │  Database  │  Monitoring │
+│  AI Agent       │  Database  │  Monitoring │
 │  (port: 3000)   │ (port: 5432)│ (port: 9090) │
 └──────────────────────────────────────┘
 所有節點均不直接對外
@@ -365,9 +365,9 @@ Internal VPC / Overlay Network
 #### AI Agent 出站白名單設定
-`/etc/vibeops/outbound-allowlist.conf`（範例）：
+`/etc/ai-agent/outbound-allowlist.conf`（範例）：
 ```
-# VibeOps Agent 出站流量白名單
+# AI Agent 出站流量白名單
 ALLOW api.openai.com:443          # OpenAI API
 ALLOW registry.npmjs.org:443      # npm registry
 ALLOW api.github.com:443          # GitHub API
@@ -425,7 +425,7 @@ Guardian OPA Sidecar（XSPEC-146/147）作為 AI Agent 的決策閘道，其所
 | 服務 | Unix 帳號 | Shell | Sudo | 說明 |
 |------|----------|-------|------|------|
-| VibeOps Agent | `vibeops` | /sbin/nologin | 限定指令 | 主要 AI 執行帳號 |
+| AI Agent | `ai-agent` | /sbin/nologin | 限定指令 | 主要 AI 執行帳號 |
 | Guardian OPA | `guardian` | /sbin/nologin | 無 | OPA 決策引擎 |
 | Prometheus | `prometheus` | /sbin/nologin | 無 | 監控收集 |
 | 部署腳本 | `deployer` | /bin/bash | 限定指令 | CI/CD 用途 |
@@ -437,7 +437,7 @@ Guardian OPA Sidecar（XSPEC-146/147）作為 AI Agent 的決策閘道，其所
 ```
 端點: api.openai.com:443
 用途: 大型語言模型 API 呼叫
-負責人: VibeOps 核心團隊
+負責人: AI 平台維運團隊
 最後審查: 2026-05-04
 ```

package/bundled/core/smoke-test.md CHANGED Viewed

@@ -37,7 +37,7 @@ check() {
   echo "OK:   ${path} → HTTP ${status}"
 }
-echo "=== VibeOps Smoke Test ==="
+echo "=== Smoke Test ==="
 check "/health"
 check "/api/status"
 echo "=== PASS ==="

package/bundled/core/standard-admission-criteria.md CHANGED Viewed

@@ -46,7 +46,7 @@
 ### 4. AI-executable（AI 可消費）
-至少一個 DevAP QualityGate / VibeOps Agent prompt / Skill 能消費：
+至少一個 Quality Gate (adoption layer) / Agent prompt (採用層) / Skill 能消費：
 - 定義清楚的 guidelines（每條可驗證）
 - 至少 2 個 Given-When-Then scenarios

package/bundled/core/standard-lifecycle-management.md CHANGED Viewed

@@ -59,7 +59,7 @@ Deprecated ──(migration done)───→ Archived
 ## Usage Examples
-- **Scenario 1 — Trial → Active**：`retry-standards` 處於 trial。2026-08-01 審視發現 DevAP Fix Loop 和 VibeOps Builder 均採用且無重大缺陷 → 轉 Active，`since=2026-08-01`，移除 `expires`
+- **Scenario 1 — Trial → Active**：`retry-standards` 處於 trial。2026-08-01 審視發現 Fix Loop（採用層） 和 Builder Agent (採用層) 均採用且無重大缺陷 → 轉 Active，`since=2026-08-01`，移除 `expires`
 - **Scenario 2 — Trial 逾期自動 Archived**：某標準 trial 期限 2026-10-17 到期未通過驗證 → 狀態轉 Archived，記錄原因
 - **Scenario 3 — Deprecated 帶遷移**：`legacy-retry-logic` 被 `retry-standards` 取代 → `status=deprecated, supersedes=retry-standards, migration_guide=docs/migrations/retry-v1-to-v2.md`；Skill 使用時顯示警告

package/bundled/core/supply-chain-attestation.md CHANGED Viewed

@@ -48,12 +48,12 @@ jq '.components[] | select(.licenses[].license.id | test("GPL"))' sbom.cdx.json
 ```yaml
 - name: Generate SLSA L1 provenance
   run: |
-    IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "vibeops:commercial-${VERSION}" 2>/dev/null || echo "N/A")
+    IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "your-app:commercial-${VERSION}" 2>/dev/null || echo "N/A")
     cat > provenance.json << PROVEOF
     {
       "_type": "https://in-toto.io/Statement/v0.1",
       "predicateType": "https://slsa.dev/provenance/v0.2",
-      "subject": [{"name": "vibeops-commercial-${VERSION}", "digest": {"sha256": "$(sha256sum vibeops-commercial-${VERSION}.tar.gz | cut -d' ' -f1)"}}],
+      "subject": [{"name": "app-commercial-${VERSION}", "digest": {"sha256": "$(sha256sum app-commercial-${VERSION}.tar.gz | cut -d' ' -f1)"}}],
       "predicate": {
         "buildType": "https://github.com/Attestations/GitHubActionsWorkflow@v1",
         "builder": {"id": "https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"},
@@ -99,8 +99,8 @@ cosign verify-blob --key cosign.pub --signature provenance.json.sig provenance.j
 ## Release Bundle Structure
 ```
-vibeops-commercial-v1.3.0/
-├── vibeops-commercial-v1.3.0.docker.tar.gz   # Primary artefact
+app-commercial-v1.3.0/
+├── app-commercial-v1.3.0.docker.tar.gz   # Primary artefact
 ├── sbom.cdx.json                              # CycloneDX SBOM
 ├── sbom.cdx.json.sig                          # cosign signature
 ├── provenance.json                            # SLSA L1 provenance

package/bundled/core/token-budget.md CHANGED Viewed

@@ -46,9 +46,9 @@ Compression operations need output space to succeed. Reserve constants:
 ## Applicable Scenarios
-- DevAP task execution token monitoring
-- VibeOps 9-Agent pipeline cumulative context management
-- VibeOps PipelineMemory Snip trigger condition
+- Task execution token monitoring (adoption layer)
+- Multi-agent pipeline cumulative context management (adoption layer)
+- PipelineMemory Snip trigger condition (adoption layer)
 - Any environment with `maxTotalTokens` limit
 ## References

package/bundled/locales/zh-CN/CHANGELOG.md CHANGED Viewed

@@ -1,8 +1,8 @@
 ---
 source: ../../CHANGELOG.md
-source_version: 5.5.0
-translation_version: 5.5.0
-last_synced: 2026-05-05
+source_version: 5.7.0
+translation_version: 5.7.0
+last_synced: 2026-05-08
 status: current
 ---
@@ -17,6 +17,52 @@ status: current
 ## [Unreleased]
+## [5.7.0] - 2026-05-08
+> **跨平台脚本迁移**（XSPEC-179 + XSPEC-180）：bash 脚本逐步被单一来源的
+> TypeScript / Node.js ESM 等价实现取代，可在 macOS / Linux / Windows 上以
+> 相同方式执行。原 `.sh` 文件保留并加上 `DEPRECATED` 警告以维持向后兼容。
+### 新增
+- **AI 工具表格补全**（`README.md`、`locales/zh-TW/README.md`、`locales/zh-CN/README.md`）：补上五个遗漏工具——GitHub Copilot、OpenAI Codex、Aider、Continue、Google Antigravity。新增 ⚠ Minimal 状态图例。（`1b588e1`）
+- **`scripts/bump-version.mjs`**（XSPEC-179 Phase 1）：跨平台版本升版实现，与原 `.sh` 对等。（`1a44e14`）
+- **`scripts/install-hooks.mjs`**（XSPEC-179 Phase 1）：跨平台 git hooks 安装程序；于 Windows 自动跳过 `chmod`。（`1a44e14`）
+- **`scripts/pre-commit.mjs`**（XSPEC-180）：pre-commit hook 的 Node.js ESM 实现，平台分支于 Windows 调用 `check-translation-sync.ps1`，其他平台调用 `.sh`。（`1572869`）
+- **7 个 TypeScript 检查脚本**（XSPEC-179 Phase 2，`0a26d14`）：从 bash 迁移至单一 TypeScript 来源，通过 `tsx` 执行：
+  - `scripts/check-ai-behavior-sync.ts`
+  - `scripts/check-commit-spec-reference.ts`
+  - `scripts/check-flow-gate-report.ts`
+  - `scripts/check-integration-commands-sync.ts`
+  - `scripts/check-registry-completeness.ts`
+  - `scripts/check-release-readiness-signoff.ts`
+  - `scripts/check-workflow-compliance.ts`
+- **`tsx@^4.20.0`** 加入 root `devDependencies`（XSPEC-179 Phase 2，`0a26d14`）。
+- **7 个 npm scripts** 串接 TypeScript 检查脚本（`0a26d14`）：`check:ai-behavior`、`check:commit-spec`、`check:flow-gate`、`check:integration-commands`、`check:registry`、`check:release-signoff`、`check:workflow-compliance`。
+### 变更
+- **下游项目解耦**（6 批次，`ebe716c`–`2392c0f`）：所有公开叙述中对特定下游产品（DevAP / VibeOps）的直接引用已替换为采用层中性术语，涵盖 130+ 个文件。UDS 重申为纯 MIT + CC BY 4.0 标准库，与任何特定采用层无依赖关系。
+- **REGISTRY**：`roo-code` integration tier 从 `planned` 升为 `partial`；AI 工具表格中将 Roo Code 独立成行（不再与 Cline 合并）。（`1b588e1`）
+- **`.githooks/pre-commit`**（XSPEC-180，`1572869`）：从 51 行 bash 精简为 16 行 POSIX `sh` 薄壳层，将实际逻辑委派给 `scripts/pre-commit.mjs`。
+- **`scripts/bump-version.mjs`**（`19ad314`）：新增 `buildCmd()` 辅助函数，于 Windows 自动切换为 PowerShell + `.ps1` 来调用 `check-version-sync` / `check-translation-sync`，恢复 Windows 平台对等性。
+- **XSPEC-179 Phase 2 策略修订**（`0a26d14`）：放弃先前的 `.sh` + `.ps1` 双轨方案，改采**单一 TypeScript 来源**策略。单一 `.ts` 通过 `tsx` 在所有平台上行为一致，消除「只能在 Windows 验证」的反馈落差。
+### 弃用
+- **`scripts/bump-version.sh`**（`1a44e14`）：标记为 DEPRECATED，由 `bump-version.mjs` 取代。
+- **`scripts/install-hooks.sh`**（`1a44e14`）：标记为 DEPRECATED，由 `install-hooks.mjs` 取代。
+- **7 个 legacy `check-*.sh` 脚本**（`0a26d14`）：对应的 `.ts` 版本（如上）已成为 canonical 实现。`.sh` 文件保留供 legacy Linux/macOS 环境使用，但不应再新增功能。
+### 移除
+- **`.devap/` 目录**（`2392c0f`）：移除孤儿 DevAP dogfooding 安装目录。DevAP 已于 2026-04-28 退场（XSPEC-086/095）。
+### 修复
+- **`scripts/check-release-readiness-signoff.sh`**（`0a26d14`，于 TypeScript 移植时顺带修复的潜伏 bug）：原本错误的 `grep -c "0\n0"` 样式（永远无法匹配到字面 `\n`）已修正，现在能可靠侦测缺漏的 sign-off 信号。
+- **`scripts/check-integration-commands-sync.sh`**（`0a26d14`，于 TypeScript 移植时顺带修复的潜伏 bug）：消除 `find` 与下游 consumer 之间 broken pipe 引发的 SIGPIPE 噪音。
 ## [5.3.2] - 2026-04-27
 > **修补版本发布**：Bug 修复 —— `uds update -y` 现在会自动安装/更新 Skills 和 Commands，不再只显示提示信息。
@@ -865,7 +911,8 @@ status: current
 - 范本：需求文档范本
 - 集成：OpenSpec 框架
-[Unreleased]: https://github.com/AsiaOstrich/universal-dev-standards/compare/v3.0.0...HEAD
+[Unreleased]: https://github.com/AsiaOstrich/universal-dev-standards/compare/v5.7.0...HEAD
+[5.7.0]: https://github.com/AsiaOstrich/universal-dev-standards/compare/v5.6.0...v5.7.0
 [3.0.0]: https://github.com/AsiaOstrich/universal-dev-standards/compare/v2.3.0...v3.0.0
 [2.3.0]: https://github.com/AsiaOstrich/universal-dev-standards/compare/v2.2.0...v2.3.0
 [2.2.0]: https://github.com/AsiaOstrich/universal-dev-standards/compare/v2.1.0...v2.2.0