long-agent/user-system
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: project docs, scripts, deployment configs, and evidence

Browse Source
This commit is contained in:
long-agent
2026-04-02 11:22:17 +08:00
parent 4718980ab5
commit bbeeb63dfa
396 changed files with 165018 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

804
docs/evidence/ops/2026-03-27/quality/QUALITY_AUDIT_20260327-182910.md Normal file
View File

@@ -0,0 +1,804 @@
# 2026-03-27 全量测试与质量审计
## 1.3 2026-03-28 Q-004 latest remediation note XIII
- `Q-004` was remediated further again after the previous addendum and still remains open.
- Newly verified outcomes:
- frontend overall coverage is now `89.72 / 77.57 / 84.48 / 90.64`
- `src/app/App.tsx` is now `100 / 100 / 100 / 100`
- `src/app/RootLayout.tsx` is now `100 / 100 / 100 / 100`
- `src/components/common/ErrorBoundary/ErrorBoundary.tsx` is now `100 / 83.33 / 100 / 100`
- The latest remediation closed three more previously real frontend hotspots:
- `App.tsx` is no longer an open `Q-004` gap
- `RootLayout.tsx` is no longer an open `Q-004` gap
- `ErrorBoundary.tsx` is no longer an open `Q-004` gap
- The updated real boundary remains:
- `Q-004` still cannot be truthfully closed
- after the shell and boundary layer were closed, the remaining higher-value frontend gaps narrow further to router, dashboard, and shared page-state coverage
- The validation hygiene note remains materially unchanged:
- `npm.cmd run test:coverage` passed again, but still emitted one post-summary jsdom `AggregateError` network-noise line
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-110341.md`
## 1.2 2026-03-28 Q-004 latest remediation note XII
- `Q-004` was remediated further again after the previous addendum and still remains open.
- Newly verified outcomes:
- frontend overall coverage is now `89.06 / 77.14 / 83.56 / 89.96`
- `src/pages/auth/ForgotPasswordPage/ForgotPasswordPage.tsx` is now `100 / 75 / 100 / 100`
- `src/pages/auth/ResetPasswordPage/ResetPasswordPage.tsx` is now `95 / 94.44 / 100 / 95`
- The latest remediation closed two more previously real frontend hotspots:
- `ForgotPasswordPage` is no longer an open `Q-004` gap
- `ResetPasswordPage` is no longer an open `Q-004` gap
- The updated real boundary remains:
- `Q-004` still cannot be truthfully closed
- after the auth recovery pages were closed, the remaining higher-value frontend gaps shift more toward app shell, routing, error-boundary, and dashboard entry-point coverage
- The validation hygiene note remains materially unchanged:
- `npm.cmd run test:coverage` passed again, but still emitted one post-summary jsdom `AggregateError` network-noise line
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-105226.md`
## 1.1 2026-03-28 Q-004 latest remediation note XI
- `Q-004` was remediated further again after the previous addendum and still remains open.
- Newly verified outcomes:
- frontend overall coverage is now `85.89 / 74.91 / 81.87 / 86.71`
- `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx` is now `90.35 / 75.51 / 92.45 / 90.13`
- The latest remediation closed one more previously real frontend hotspot:
- `src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx` is no longer an open `Q-004` gap
- The updated real boundary remains:
- `Q-004` still cannot be truthfully closed
- with `client.ts` and `ProfileSecurityPage` closed, the next highest-value frontend gaps now shift toward auth recovery pages such as `ForgotPasswordPage` and `ResetPasswordPage`
- The validation hygiene note remains materially unchanged:
- `npm.cmd run test:coverage` passed again, but still emitted one post-summary jsdom `AggregateError` network-noise line
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-104341.md`
## 1.0 2026-03-28 Q-004 latest remediation note X
- `Q-004` was remediated further again after the previous addendum and still remains open.
- Newly verified outcomes:
- frontend overall coverage is now `83.86 / 72.68 / 79.87 / 84.72`
- `src/lib/http/client.ts` is now `100 / 92.30 / 100 / 100`
- The latest remediation closed one more previously real frontend hotspot:
- `src/lib/http/client.ts` is no longer an open `Q-004` gap
- This pass also closed one real validation-hygiene defect in production code:
- cached shared refresh waiters no longer leave an unhandled rejected promise behind when refresh fails
- The updated real boundary remains:
- `Q-004` still cannot be truthfully closed
- the remaining highest-value frontend gap is now more concentrated in deeper `ProfileSecurityPage`
- The validation hygiene note remains materially unchanged:
- `npm.cmd run test:coverage` passed again, but still emitted one post-summary jsdom `AggregateError` network-noise line
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-102456.md`
## 0.9 2026-03-28 Q-004 latest remediation note IX
- `Q-004` was remediated further again after the previous addendum and still remains open.
- Newly verified outcomes:
- frontend overall coverage is now `80.06 / 67.61 / 78.00 / 80.91`
- `src/lib/http/csrf.ts` is now `100 / 88.46 / 100 / 100`
- The latest remediation closed one more previously real frontend hotspot:
- `src/lib/http/csrf.ts` is no longer an open `Q-004` gap
- The updated real boundary remains:
- `Q-004` still cannot be truthfully closed
- the remaining highest-value frontend gaps are now more concentrated in `src/lib/http/client.ts` and deeper `ProfileSecurityPage`
- The validation hygiene note remains materially unchanged:
- `npm.cmd run test:coverage` passed again, but still emitted one post-summary jsdom `AggregateError` network-noise line
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-083841.md`
## 0.8 2026-03-28 Q-004 latest remediation note VIII
- `Q-004` was remediated further again after the previous addendum and still remains open.
- Newly verified outcomes:
- frontend overall coverage is now `78.91 / 66.06 / 77.07 / 79.73`
- `src/pages/auth/RegisterPage/RegisterPage.tsx` is now `93.42 / 85.24 / 87.5 / 95.89`
- The latest remediation closed one more previously real frontend hotspot:
- `RegisterPage` is no longer an open `Q-004` gap
- The updated real boundary remains:
- `Q-004` still cannot be truthfully closed
- the remaining highest-value frontend gaps are now more concentrated in deeper `ProfileSecurityPage` and `lib/http`
- The validation hygiene note remains materially unchanged:
- `npm.cmd run test:coverage` passed again, but still emitted one post-summary jsdom `AggregateError` network-noise line
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-082843.md`
## 0.7 2026-03-28 Q-004 latest remediation note VII
- `Q-004` was remediated further again after the previous addendum and still remains open.
- Newly verified outcomes:
- frontend overall coverage is now `78.38 / 64.77 / 76.92 / 79.19`
- `src/pages/auth/LoginPage/LoginPage.tsx` is now `92.56 / 84.09 / 86.2 / 95.61`
- The latest remediation closed one more previously real frontend hotspot:
- `LoginPage` is no longer an open `Q-004` gap
- The updated real boundary remains:
- `Q-004` still cannot be truthfully closed
- the remaining highest-value frontend gaps are now more concentrated in `RegisterPage`, deeper `ProfileSecurityPage`, and `lib/http`
- The validation hygiene note remains materially unchanged:
- `npm.cmd run test:coverage` passed again, but still emitted one post-summary jsdom `AggregateError` network-noise line
- one concurrent `lint` + `build` attempt produced a transient Windows/Vite `index.html` emit-path failure, while the required standalone `build` rerun passed immediately afterward
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-081514.md`
## 0.6 2026-03-28 Q-004 latest remediation note VI
- `Q-004` was remediated further again after the previous addendum and still remains open.
- Newly verified outcomes:
- frontend overall coverage is now `76.00 / 63.91 / 75.07 / 76.84`
- `src/app/providers` is now `96.38 / 93.75`
- `src/app/providers/AuthProvider.tsx` is now `100%`
- The latest remediation closed one more previously real frontend hotspot:
- `AuthProvider` is no longer an open `Q-004` gap
- The updated real boundary remains:
- `Q-004` still cannot be truthfully closed
- the remaining highest-value frontend gaps are now more concentrated in `LoginPage`, `RegisterPage`, deeper `ProfileSecurityPage`, and `lib/http`
- The validation hygiene note remains unchanged:
- `npm.cmd run test:coverage` passed again, but still emitted one post-summary jsdom `AggregateError` network-noise line
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-075725.md`
## 0.5 2026-03-28 Q-004 latest remediation note V
- `Q-004` was remediated further again after the previous addendum and still remains open.
- Newly verified outcomes:
- frontend overall coverage is now `74.54 / 63.57 / 74.61 / 75.35`
- `src/pages/admin/UsersPage` is now `95.06%`
- `src/pages/admin/WebhooksPage` is now `94.92%`
- `internal/repository` is now `67.1%`
- The latest remediation closed two previously dominant frontend gap clusters:
- `UsersPage` drawers/modals are no longer one of the main remaining blockers
- `WebhooksPage` modal/drawer components are no longer one of the main remaining blockers
- A new real backend defect pair was discovered and fixed during this pass:
- `internal/repository/role.go`
- explicit `status=0` role creation was previously persisted as enabled
- `internal/repository/permission.go`
- explicit `status=0` permission creation was previously persisted as enabled
- The updated real boundary remains:
- `Q-004` still cannot be truthfully closed
- the remaining highest-value gaps are now more concentrated in deeper `ProfileSecurityPage`, `LoginPage`, `RegisterPage`, `AuthProvider`, `lib/http`, and still-remaining repository depth
- The validation hygiene note remains unchanged:
- `npm.cmd run test:coverage` passed again, but still emitted one post-summary jsdom `AggregateError` network-noise line
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-011431.md`
## 0.4 2026-03-28 Q-004 latest remediation note IV
- `Q-004` was remediated further again after the previous addendum and still remains open.
- Newly verified outcomes:
- frontend overall coverage is now `68.32 / 54.12 / 68.15 / 69.28`
- `src/pages/admin/RolesPage` is now at `94.53%`
- `src/pages/admin/PermissionsPage` is now at `93.51%`
- `src/pages/admin/ProfilePage/ProfilePage.tsx` is now at `91.42%`
- `internal/auth/providers` is now `80.6%`
- `internal/repository` remains `37.1%`
- The latest remediation changed the real gap map materially:
- provider coverage is no longer one of the dominant blockers
- `RolesPage`, `PermissionsPage`, and `ProfilePage` are no longer dominant uncovered admin page clusters
- The updated real boundary remains:
- `Q-004` still cannot be truthfully closed
- the remaining highest-value gaps are now concentrated in `internal/repository` depth plus still-uncovered frontend modal/drawer components, especially under `UsersPage` and `WebhooksPage`, and deeper remaining `ProfileSecurityPage` branches
- The validation hygiene note remains unchanged:
- `npm.cmd run test:coverage` passed again, but still emitted one post-summary jsdom `AggregateError` network-noise line
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-003416.md`
## 0.3 2026-03-27 Q-004 latest remediation note III
- `Q-004` was remediated further again after the previous addendum and still remains open.
- Newly verified outcomes:
- frontend overall coverage is now `56.81 / 44.67 / 57.38 / 57.57`
- `src/pages/admin/LoginLogsPage/LoginLogsPage.tsx` is now at `93.1%`
- `src/pages/admin/OperationLogsPage/OperationLogsPage.tsx` is now at `91.52%`
- frontend `services` coverage remains `86.2%`
- `internal/auth/providers` is now `28.7%`
- `internal/repository` remains `37.1%`
- The latest remediation reduced two real gaps materially:
- admin log pages are no longer among the main page-level hotspots
- provider coverage is no longer extremely shallow, but it is still far from closure-grade depth
- A new validation hygiene note also appeared during this pass:
- `npm.cmd run test:coverage` passed, but still emitted one post-summary jsdom `AggregateError` network-noise line
- this is not a failing gate for the current pass, but it is still real and should not be misrepresented as a perfectly clean run
- The updated real boundary remains:
- `Q-004` still cannot be truthfully closed
- the main remaining gaps are now concentrated in deeper `internal/auth/providers` paths and still-uncovered admin pages/components
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-233824.md`
## 0.2 2026-03-27 Q-004 latest remediation note II
- `Q-004` was remediated further after the previous addendum and still remains open.
- Newly verified outcomes:
- frontend overall coverage is now `52.05 / 42.86 / 51.84 / 52.69`
- frontend `services` coverage is now `86.2%`
- `internal/auth/providers` is now `15.2%`
- `internal/repository` remains `37.1%`
- The latest remediation reduced the frontend service-layer gap substantially.
- The updated real boundary is unchanged in principle:
- `internal/auth/providers` is still too shallow to truthfully mark `Q-004` closed
- there are still multiple uncovered admin pages/components outside the already-remediated `UsersPage` and `ProfileSecurityPage`
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-224352.md`
## 0.1 2026-03-27 Q-004 latest remediation note
- `Q-004` has been remediated further after this audit, but it is still not closed.
- Newly verified outcomes:
- frontend overall coverage is now `49.18 / 42.86 / 44.92 / 49.79`
- `UsersPage.tsx` is now at `90.98%` statements and `68.75%` branches
- `ProfileSecurityPage.tsx` is now at `70.17%` statements and `48.97%` branches
- `internal/repository` is now at `37.1%`
- `internal/auth/providers` is now at `8.5%`
- A new real defect was discovered and fixed during this remediation pass:
- `internal/repository/device.go`
- device create requests with explicit `status=0` were previously persisted as active because the DB default swallowed the zero value
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-221835.md`
- Updated real boundary:
- `UsersPage` and `ProfileSecurityPage` are no longer the primary blockers they were at audit time
- `internal/auth/providers` still remains too shallow to truthfully mark `Q-004` closed
## 0. 2026-03-27 优先级整改补充结论
以下内容覆盖本报告中 Q-001 / Q-002 / Q-003 的“当前真实状态”:
- Q-001 会话安全整改已完成并复验通过。
- 浏览器端不再把 access token、refresh token、用户信息、角色信息持久化到 `localStorage` / `sessionStorage`
- refresh continuity 已切到后端 `HttpOnly` refresh cookie。
- 为避免无会话用户访问受保护页时盲打 `/auth/refresh` 产生浏览器 `400 Bad Request` console error后端新增了非敏感会话存在标记 cookie前端先判断是否值得恢复再决定是否发起 refresh。
- Q-002 OAuth 信任边界整改已完成并复验通过。
- `return_to` 不再基于 `X-Forwarded-*` 推导的 request origin 做隐式同源放行。
- 当前只接受绝对路径,或显式 allowlist origin。
- Q-003 随机降级 fail-open 已完成整改并复验通过。
- `crypto/rand` 失败时不再静默退化到更弱随机源。
- 本轮补充整改还关闭了一个真实回归:
- 鉴于会话模型从 Web Storage 切到 cookie + memory 后,真实浏览器 E2E 一度出现公开页/无会话访问时的刷新噪音与登录后路由竞态。
- 该问题现已通过“会话存在标记 cookie + AuthProvider 恢复策略收敛 + 认证态导出去竞态 + E2E 基座修正”收口。
最新补充验证命令:
```powershell
go test ./... -count=1
go vet ./...
go build ./cmd/server
cd D:\project\frontend\admin
npm.cmd run test:run
npm.cmd run lint
npm.cmd run build
powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1
```
最新补充真实结论:
- Q-001 / Q-002 / Q-003 已不再是本项目“当前进行时”的开放问题。
- Q-004 已完成一轮增补整改并通过真实复验,但当前仍是“部分收口、未完全关闭”状态。
- Frontend overall coverage 已从审计时的 `29.38 / 29.32 / 24.84 / 29.78` 提升到 `41.06 / 38.48 / 36.00 / 41.47`
- 重点目标中:
- `router` 已到 `47.72%`
- `RequireAuth` / `RequireAdmin` 已到 `100%`
- `AdminLayout` 已到 `80.00%`
- `ImportExportPage` 已到 `83.58%`
- `WebhooksPage` 已到 `93.15%`
- `services/webhooks.ts` 已到 `100%`
- `internal/database` 已到 `83.2%`
- `internal/repository` 已到 `15.1%`
- 本轮还顺带关闭了一个真实构建问题:
- 在当前 Windows + `Vite 8` + `--configLoader native` 组合下,默认 HTML 输入会导致绝对路径 `index.html` 发射错误;现已通过显式 `rollupOptions.input = 'index.html'` 收口。
-`internal/auth/providers` 仍仅 `4.0%`,前端 `UsersPage` / `ProfileSecurityPage` 仍有明显缺口。
- 当前剩余真实缺口收敛为:
- Q-004 自动化覆盖率深度不足
- Q-005 dev toolchain SCA 未清零
- Q-006 外部告警交付证据未闭环
补充证据:
- [`docs/evidence/ops/2026-03-27/quality/AUTH_SESSION_REMEDIATION_20260327-194100.md`](/D:/project/docs/evidence/ops/2026-03-27/quality/AUTH_SESSION_REMEDIATION_20260327-194100.md)
- [`docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-212336.md`](/D:/project/docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-212336.md)
- [`docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-214422.md`](/D:/project/docs/evidence/ops/2026-03-27/quality/COVERAGE_REMEDIATION_20260327-214422.md)
## 1. 审计方法
- 会话内可用 skill 中没有现成的通用 testing/quality skill。
- 使用 `skill-installer` 检索了可安装技能,识别到 `playwright``security-best-practices` 可覆盖真实浏览器验证与安全审计。
- 由于当前沙箱对 skill 安装临时目录写入有限制,未能将 skill 正式安装到本地目录;本轮直接拉取并按其规范执行:
- `playwright`:以 CLI-first / real browser 为原则,沿用项目现有真实浏览器 E2E 路径验证。
- `security-best-practices`:按 Go backend + React/TypeScript frontend 的安全审计规则做证据化检查。
- 同时严格按照项目自身质量基线执行:`docs/team/QUALITY_STANDARD.md`
## 2. 已执行门禁
### 2.1 Backend
```powershell
go vet ./...
go test ./... -count=1
go build ./cmd/server
go test ./... -cover
```
结论:通过。
### 2.2 Frontend
```powershell
cd frontend/admin
npm.cmd run lint
npm.cmd run test:run
npm.cmd run build
npm.cmd run test:coverage
```
结论:通过。
### 2.3 Real Browser E2E
```powershell
cd frontend/admin
powershell -ExecutionPolicy Bypass -File .\scripts\run-playwright-auth-e2e.ps1
```
结论:通过。
本轮真实浏览器场景包含:
- `admin-bootstrap`
- `public-registration`
- `email-activation`
- `login-surface`
- `auth-workflow`
- `responsive-login`
- `desktop-mobile-navigation`
### 2.4 运维治理与交付证据
```powershell
powershell -ExecutionPolicy Bypass -File .\scripts\ops\run-sca-evidence.ps1
powershell -ExecutionPolicy Bypass -File .\scripts\ops\capture-local-baseline.ps1
powershell -ExecutionPolicy Bypass -File .\scripts\ops\validate-alerting-package.ps1
powershell -ExecutionPolicy Bypass -File .\scripts\ops\drill-alertmanager-render.ps1
powershell -ExecutionPolicy Bypass -File .\scripts\ops\drill-sqlite-backup-restore.ps1
powershell -ExecutionPolicy Bypass -File .\scripts\ops\drill-config-isolation.ps1
powershell -ExecutionPolicy Bypass -File .\scripts\ops\drill-local-rollback.ps1
powershell -ExecutionPolicy Bypass -File .\scripts\ops\validate-secret-boundary.ps1
```
结论:
- SCA生产依赖通过完整依赖树未清零。
- 本地观测基线:通过。
- Alerting 包结构校验:通过,但外部通知闭环未完成。
- Alertmanager 渲染演练:通过。
- SQLite 备份恢复演练:通过。
- 配置/环境隔离演练:通过。
- 本地回滚演练:通过。
- 密钥边界校验:通过。
## 3. 正向结论
- 当前项目“可执行质量门禁”整体较强:后端、前端、真实浏览器 E2E、本地治理演练都能真实跑通。
- 真实浏览器链路已经不是 smoke 假闭环,而是可重复执行的产品级主链路验证。
- 前端未发现明显高信号 DOM XSS 反模式:
- 未扫到 `dangerouslySetInnerHTML`
- 未扫到 `eval/new Function/document.write`
- Release 模式下对 wildcard CORS 有显式拒绝测试,基础安全头中间件也已接入。
## 4. 真实问题清单
### Q-001 高风险:浏览器端仍将 access/refresh token 持久化到 Web Storage
- 位置:
- `frontend/admin/src/lib/storage/token-storage.ts:4-5`
- `frontend/admin/src/lib/storage/token-storage.ts:25-27`
- `frontend/admin/src/lib/http/auth-session.ts:5-6`
- `frontend/admin/src/lib/http/auth-session.ts:121-123`
- `frontend/admin/src/lib/http/auth-session.ts:140`
- `frontend/admin/src/lib/http/auth-session.ts:153`
- 证据:
- refresh token 落在 `localStorage`
- access token、用户信息、角色信息落在 `sessionStorage`
- 影响:
- 一旦前端发生 XSS、浏览器扩展注入或同机恶意读取令牌可被直接窃取。
- 这不符合企业级生产产品对会话凭证的保守策略。
- 结论:
- 当前“功能可用”不等于“会话安全成熟”。
- 更稳妥的方向应是 `HttpOnly + Secure + SameSite` cookie或 BFF / server session 模式。
### Q-002 高风险OAuth return_to 校验依赖未受信任代理证明的转发头
- 位置:
- `internal/api/handler/auth.go:511-524`
- `internal/api/handler/auth.go:567-588`
- 证据:
- `oauthRequestOrigin` 直接信任 `X-Forwarded-Proto``X-Forwarded-Host`
- `resolveOAuthReturnTo` 允许 `return_to` 与该 request origin 相同即通过
- 影响:
- 如果边缘代理未明确剥离/重写这些头,攻击者可能伪造头值影响 OAuth 回跳来源判断。
- 该问题至少会造成 origin trust 边界不清;在配置失误时可退化为开放跳转/回跳接收面扩大。
- 结论:
- 这是典型的“代码层看见依赖 forwarded headers但仓内没有可信代理证明”的问题。
- 当前应视为高风险边界项,而不是默认安全。
### Q-003 中风险:安全敏感随机值存在 fail-open 降级
- 位置:
- `internal/auth/jwt.go:62-65`
- `internal/service/email.go:295-297`
- `internal/service/captcha.go:142-145`
- 证据:
- `crypto/rand` 失败后JWT JTI / email code / captcha ID 会退化到时间戳或 `math/rand`
- 影响:
- 熵源异常时没有 fail closed而是继续生成可预测性更强的值。
- 这不是主路径问题,但不符合严格生产安全设计。
- 结论:
- 应改为显式报错并阻断相关安全流程,而不是静默降级。
### Q-004 中风险:自动化覆盖率不足,回归安全网偏薄
- Frontend 总覆盖率:
- statements `29.38%`
- branches `29.32%`
- functions `24.84%`
- lines `29.78%`
- Backend 覆盖率示例:
- `internal/service` `51.8%`
- `internal/api/handler` `31.4%`
- `internal/auth` `34.3%`
- `internal/auth/providers` `1.5%`
- `internal/repository` `10.5%`
- `internal/database` `0.0%`
- 影响:
- 当前 E2E 很强,但底层模块和异常分支的自动回归网仍然偏弱。
### Q-005 中风险:完整依赖树 SCA 未清零
- 结果:
- `npm audit production`: `0`
- `npm audit full`: `22`
- 其中 `21 moderate``1 high`
- `govulncheck reachable findings`: `0`
- 主要链路:
- `picomatch` 高危
- `vite` / `vitest` / `typescript-eslint` / `eslint` 相关 dev toolchain 链路存在中危项
- 影响:
- 生产依赖当前较干净。
- 但工程供应链本身还不能称为“完全收口”。
### Q-006 中风险:外部告警交付证据未闭环
- 结果:
- `Repo-level alerting package structurally ready: True`
- `Repo-level oncall/delivery package fully closed: False`
- 影响:
- 仓内模板、结构、演练已具备。
- 但真实外部通知联系人/渠道的交付闭环证据还缺。
## 5. 综合判断
### 5.1 已达到的水平
- 可以真实表述为:
- “项目当前可执行质量门禁整体通过,后端/前端/真实浏览器 E2E/本地治理演练已形成一轮真实闭环。”
### 5.2 不能夸大的表述
- 目前不能真实表述为:
- “已经完全达到企业级生产上线质量”
- “安全与治理材料全部闭环”
- “自动化测试覆盖已经充分”
### 5.3 真实状态
- 当前更准确的结论是:
- 执行层面很强,产品主链路和真实浏览器验证已明显成熟。
- 但安全会话模型、反向代理信任边界、覆盖率、dev 供应链漏洞、外部告警交付证据,仍是生产级质量的真实缺口。
## 6. 下一步优先级
1. 会话安全整改
- 移除 Web Storage 中的 access/refresh token 持久化。
- 切到 HttpOnly cookie 或 BFF / server session。
2. OAuth 信任边界整改
- 不再直接信任 `X-Forwarded-*`
- 显式配置 trusted proxy / trusted origin并补 runtime 证据。
3. fail-open 随机降级整改
- `crypto/rand` 失败即报错,不再退化到时间戳或 `math/rand`
4. 覆盖率提升
- Frontend 优先补 `AuthProvider``router``AdminLayout``UsersPage``WebhooksPage``ImportExportPage`
- Backend 优先补 `internal/auth/providers``internal/repository``internal/database`
5. 清理 dev toolchain SCA
- 升级 `vite/vitest/eslint/typescript-eslint` 及其传递依赖,消除 `picomatch` 链路风险。
6. 补齐真实外部告警交付证据
- 接入真实通知渠道并形成可审计投递记录。
## 7. 本轮证据
- `docs/team/QUALITY_STANDARD.md`
- `docs/status/REAL_PROJECT_STATUS.md`
- `docs/PROJECT_REVIEW_REPORT.md`
- `docs/evidence/ops/2026-03-27/e2e/ADMIN_BOOTSTRAP_CLOSURE_20260327-173914.md`
- `docs/evidence/ops/2026-03-27/sca/SCA_SUMMARY_20260327-181910.md`
- `docs/evidence/ops/2026-03-27/observability/LOCAL_BASELINE_20260327-182005.md`
- `docs/evidence/ops/2026-03-27/alerting/ALERTING_PACKAGE_20260327-182058.md`
- `docs/evidence/ops/2026-03-27/backup-restore/20260327-182059/`
- `docs/evidence/ops/2026-03-27/config-isolation/20260327-182059/`
- `docs/evidence/ops/2026-03-27/rollback/20260327-182059/`
- `docs/evidence/ops/2026-03-27/secret-boundary/20260327-181910/`
## 8. 2026-03-28 Q-004 Closure Update
- Real status update:
- `Q-004` is improved again, but still cannot be honestly declared closed.
- Newly closed frontend hotspot:
- `frontend/admin/src/app/router.tsx` is now at `100 / 100 / 100 / 100`.
- Validation evidence added:
- targeted router test
- full frontend `test:run`
- `lint`
- `build`
- full frontend `test:coverage`
- Current frontend full coverage after this pass:
- statements `90.74%`
- branches `77.74%`
- functions `87.40%`
- lines `90.87%`
- Main remaining `Q-004` frontend hotspots now narrow to:
- `src/pages/admin/DashboardPage/DashboardPage.tsx`
- `src/components/feedback/PageState/PageState.tsx`
- additional lower-coverage shared/admin surfaces outside this pass
- Real hygiene gap still open:
- the successful frontend coverage run still prints one post-summary jsdom `AggregateError` network-noise line
- Evidence:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-121611.md`
## 9. 2026-03-28 Dashboard Closure Update
- Real status update:
- `Q-004` improved again, but still cannot be honestly declared closed.
- Newly closed frontend hotspot:
- `frontend/admin/src/pages/admin/DashboardPage/DashboardPage.tsx` is now at `100 / 100 / 100 / 100`.
- Validation evidence added:
- targeted dashboard test
- `lint`
- `build`
- full frontend `test:coverage`
- Current frontend full coverage after this pass:
- statements `91.66%`
- branches `78.26%`
- functions `87.86%`
- lines `91.82%`
- Main remaining `Q-004` frontend hotspots now narrow to:
- `src/components/feedback/PageState/PageState.tsx`
- additional lower-coverage shared/admin surfaces outside this pass
- Real hygiene gap still open:
- the successful frontend coverage run still prints one post-summary jsdom `AggregateError` network-noise line
- Evidence:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-122517.md`
## 10. 2026-03-28 PageState Closure Update
- Real status update:
- `Q-004` improved again, but still cannot be honestly declared closed.
- Newly closed frontend hotspot:
- `frontend/admin/src/components/feedback/PageState/PageState.tsx` is now at `100 / 100 / 100 / 100`.
- Validation evidence added:
- targeted PageState test
- `lint`
- `build`
- full frontend `test:coverage`
- Current frontend full coverage after this pass:
- statements `91.71%`
- branches `78.52%`
- functions `88.01%`
- lines `91.86%`
- Main remaining `Q-004` frontend hotspots now narrow to:
- `src/layouts/AdminLayout/AdminLayout.tsx`
- `src/pages/admin/ImportExportPage/ImportExportPage.tsx`
- `src/lib/errors/AppError.ts`
- `src/lib/storage/token-storage.ts`
- additional lower-coverage shared/admin surfaces outside this pass
- Real hygiene gap still open:
- the successful frontend coverage run still prints one post-summary jsdom `AggregateError` network-noise line
- Evidence:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-123228.md`
## 11. 2026-03-28 AdminLayout Closure Update
- Real status update:
- `Q-004` improved again, but still cannot be honestly declared closed.
- Newly closed frontend hotspot:
- `frontend/admin/src/layouts/AdminLayout/AdminLayout.tsx` is now at `100 / 100 / 100 / 100`.
- Validation evidence added:
- targeted AdminLayout test
- `lint`
- `build`
- full frontend `test:coverage`
- Current frontend full coverage after this pass:
- statements `92.06%`
- branches `79.29%`
- functions `89.09%`
- lines `92.22%`
- Main remaining `Q-004` frontend hotspots now narrow to:
- `src/lib/storage/token-storage.ts`
- `src/lib/errors/AppError.ts`
- `src/pages/admin/ImportExportPage/ImportExportPage.tsx`
- `src/pages/NotFoundPage/NotFoundPage.tsx`
- additional lower-coverage shared/admin surfaces outside this pass
- Real hygiene gap still open:
- the successful frontend coverage run still prints one post-summary jsdom `AggregateError` network-noise line
- Evidence:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-124756.md`
## 12. 2026-03-28 Token Storage Closure Update
- Real status update:
- `Q-004` improved again, but still cannot be honestly declared closed.
- Newly closed frontend hotspot:
- `frontend/admin/src/lib/storage/token-storage.ts` is now at `100 / 100 / 100 / 100`.
- Validation evidence added:
- targeted token-storage test
- `lint`
- `build`
- full frontend `test:coverage`
- Current frontend full coverage after this pass:
- statements `92.32%`
- branches `79.63%`
- functions `89.70%`
- lines `92.49%`
- Main remaining `Q-004` frontend hotspots now narrow to:
- `src/lib/errors/AppError.ts`
- `src/pages/admin/ImportExportPage/ImportExportPage.tsx`
- `src/pages/NotFoundPage/NotFoundPage.tsx`
- additional lower-coverage shared/admin surfaces outside this pass
- Real hygiene gap still open:
- the successful frontend coverage run still prints one post-summary jsdom `AggregateError` network-noise line
- Evidence:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-125454.md`
## 13. 2026-03-28 AppError Closure Update
- Real status update:
- `Q-004` improved again, but still cannot be honestly declared closed.
- Newly closed frontend hotspot:
- `frontend/admin/src/lib/errors/AppError.ts` is now at `100 / 100 / 100 / 100`.
- `frontend/admin/src/lib/errors/index.ts` is now at `100 / 100 / 100 / 100`.
- Validation evidence added:
- targeted AppError module test
- `lint`
- `build`
- full frontend `test:coverage`
- Current frontend full coverage after this pass:
- statements `93.07%`
- branches `81.35%`
- functions `90.32%`
- lines `93.26%`
- Main remaining `Q-004` frontend hotspots now narrow to:
- `src/pages/admin/ImportExportPage/ImportExportPage.tsx`
- `src/pages/NotFoundPage/NotFoundPage.tsx`
- `src/lib/hooks/useBreadcrumbs.ts`
- `src/app/providers/ThemeProvider.tsx`
- additional lower-coverage shared/admin surfaces outside this pass
- Real hygiene gap still open:
- the successful frontend coverage run still prints one post-summary jsdom `AggregateError` network-noise line
- Evidence:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-140215.md`
## 1.4 2026-03-28 Q-004 latest remediation note XIV
- `Q-004` was remediated further again after the previous addendum and still remains open.
- Newly verified outcomes:
- frontend overall coverage is now `93.56 / 81.95 / 90.93 / 93.71`
- `src/pages/admin/ImportExportPage/ImportExportPage.tsx` is now `100 / 100 / 100 / 100`
- The latest remediation closed one more previously real frontend hotspot:
- `ImportExportPage.tsx` is no longer an open `Q-004` gap
- The updated real boundary remains:
- `Q-004` still cannot be truthfully closed
- after the import/export page was closed, the remaining higher-value frontend gaps narrow further to `NotFoundPage`, `useBreadcrumbs`, `ThemeProvider`, and the still-open coverage-noise hygiene issue
- The validation hygiene note changed slightly but remains materially open:
- `ImportExportPage` tests no longer emit the extra jsdom `window.getComputedStyle(..., pseudoElt)` noise from `rc-table`
- `npm.cmd run test:coverage` still passed again while emitting post-summary jsdom `AggregateError` network-noise lines
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-142248.md`
## 1.5 2026-03-28 Q-004 latest remediation note XV
- `Q-004` was remediated further again after the previous addendum and still remains open.
- Newly verified outcomes:
- frontend overall coverage is now `93.69 / 81.95 / 91.24 / 93.85`
- `src/pages/NotFoundPage/NotFoundPage.tsx` is now `100 / 100 / 100 / 100`
- The latest remediation closed one more previously real frontend hotspot:
- `NotFoundPage.tsx` is no longer an open `Q-004` gap
- The updated real boundary remains:
- `Q-004` still cannot be truthfully closed
- after the 404 page was closed, the remaining higher-value frontend gaps narrow further to `useBreadcrumbs`, `ThemeProvider`, and the still-open coverage-noise hygiene issue
- The validation hygiene note remains materially open:
- `npm.cmd run test:coverage` still passed again while emitting post-summary jsdom `AggregateError` network-noise lines
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-143209.md`
## 1.6 2026-03-28 Q-004 latest remediation note XVI
- `Q-004` was remediated further again after the previous addendum and still remains open.
- Newly verified outcomes:
- frontend overall coverage is now `93.84 / 82.29 / 91.21 / 94.01`
- `src/lib/hooks/useBreadcrumbs.ts` is now `100 / 100 / 100 / 100`
- The latest remediation closed one more previously real frontend hotspot:
- `useBreadcrumbs.ts` is no longer an open `Q-004` gap
- This pass also removed one small piece of dead frontend complexity:
- the hook's parent-injection branch was redundant under the current route model and has been removed rather than artificially test-forced
- The updated real boundary remains:
- `Q-004` still cannot be truthfully closed
- after the breadcrumb hook was closed, the remaining higher-value frontend gaps narrow further to `ThemeProvider` plus the still-open coverage-noise hygiene issue
- The validation hygiene note remains materially open:
- `npm.cmd run test:coverage` still passed again while emitting post-summary jsdom `AggregateError` network-noise lines
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-144036.md`
## 1.7 2026-03-28 Q-004 latest remediation note XVII
- `Q-004` was remediated further again after the previous addendum and still remains open.
- Newly verified outcomes:
- frontend overall coverage is now `93.93 / 82.29 / 91.37 / 94.10`
- `src/app/providers/ThemeProvider.tsx` is now `100 / 100 / 100 / 100`
- The latest remediation closed one more previously real frontend hotspot:
- `ThemeProvider.tsx` is no longer an open `Q-004` gap
- The updated real boundary remains:
- `Q-004` still cannot be truthfully closed
- after the theme provider was closed, the remaining frontend gap for this closure track narrows to the still-open post-summary jsdom `AggregateError` coverage-noise issue
- The validation hygiene note remains materially open:
- `npm.cmd run test:coverage` still passed again while emitting post-summary jsdom `AggregateError` network-noise lines
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-144756.md`
## 1.8 2026-03-28 Q-004 latest remediation note XVIII
- `Q-004` for the `frontend/admin` closure track can now be truthfully closed.
- Newly verified outcomes:
- frontend overall coverage is now `93.98 / 82.29 / 91.37 / 94.15`
- `src/app/router.tsx` remains `100 / 100 / 100 / 100` in the latest full-suite coverage run
- full frontend coverage completed with `54` passing test files and `248` passing tests
- The final materially open blocker is now closed:
- the successful `npm.cmd run test:coverage` run no longer emits the previously recurring post-summary jsdom `AggregateError` network-noise lines
- The real closure boundary is now:
- all previously identified frontend hotspots in this `Q-004` closure track remain closed
- the validation hygiene path is clean enough to honestly close `Q-004`
- a separate npm global config warning still prints after command completion, but it is external environment noise rather than a project-generated failure
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-151952.md`
## 1.9 2026-03-28 Q-005 SCA closure note XIX
- `Q-005` can now be truthfully closed.
- Newly verified outcomes:
- `npm audit production` is now `0`
- `npm audit full` is now `0`
- `govulncheck reachable findings` remain `0`
- The remediation that closed the dev-toolchain supply-chain gap was:
- upgrade `vite` to `8.0.3`
- upgrade `vitest` and `@vitest/coverage-v8` to `4.1.2`
- upgrade `typescript-eslint` to `8.57.2`
- pin vulnerable transitive chains with `overrides` for `picomatch` and `brace-expansion`
- Re-verification after the dependency update also passed:
- `frontend/admin` `lint`
- `frontend/admin` production `build`
- full frontend `test:coverage`
- The updated real boundary is now:
- `Q-004` and `Q-005` are both closed for the current closure track
- the next unclosed cross-cutting governance gap is `Q-006` external alert delivery evidence
- the separate product/external-proof boundary around live third-party OAuth provider browser evidence also still remains
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-28/sca/SCA_SUMMARY_20260328-220806.md`
## 2.0 2026-03-29 Q-006 readiness note XX
- `Q-006` still cannot be truthfully closed, but the repo-side closure path is stricter than before.
- Newly verified outcomes:
- alerting package structural validation still passes on the latest run
- render drill still passes on the latest run
- a new strict live-delivery drill now exists and fails closed on placeholder/example values
- The latest repo-side hardening for this gap is:
- add `scripts/ops/drill-alertmanager-live-delivery.ps1`
- refuse unresolved placeholders, `example.*` addresses/hosts, and placeholder secrets before any network attempt
- emit only redacted config artifacts and masked recipient evidence
- remove the date-rollover false blocker in `validate-alerting-package.ps1` by falling back to the latest available baseline evidence
- The updated real boundary is now:
- repo-side alert delivery verification tooling is materially better prepared
- `Q-006` remains open because no real non-placeholder on-call delivery environment has been injected and no successful live SMTP acceptance evidence has yet been captured
- the remaining closure work is external-environment proof, not another repo-local template/rendering fix
- Latest evidence for this addendum:
- `docs/evidence/ops/2026-03-29/alerting/ALERTING_PACKAGE_20260329-100316.md`
- `docs/evidence/ops/2026-03-29/alerting/20260329-100315/ALERTMANAGER_RENDER_DRILL.md`
- `docs/evidence/ops/2026-03-29/alerting/20260329-100315/ALERTMANAGER_LIVE_DELIVERY_DRILL.md`