feat: sync lijiaoqiao implementation and staging validation artifacts

2026-03-31 13:40:00 +08:00
parent 0e5ecd930e
commit e9338dec28
686 changed files with 29213 additions and 168 deletions
--- a/reports/dependency/compat_matrix_2026-03-27.md
+++ b/reports/dependency/compat_matrix_2026-03-27.md
@@ -0,0 +1,16 @@
+# Dependency Compatibility Matrix（2026-03-27）
+
+- Audit-Status: PASS
+
+| Component | Baseline | Current | Result | Note |
+|---|---|---|---|---|
+| Go | 1.21.x | 1.21.x（文档基线） | PASS | 与架构基线一致 |
+| PostgreSQL | 15.x | 15.x（SQL 语法） | PASS | DDL 在 PG15 实测通过 |
+| Redis | 7.x | 7.x（文档基线） | PASS | 与架构基线一致 |
+| subapi | X.Y.Z fixed | 未变更 | PASS | 无依赖升级 |
+| Frontend Node | 20.x LTS | 未变更 | PASS | 无依赖升级 |
+
+## Conclusion
+
+1. 本次无 runtime 依赖变更。
+2. 兼容性审计结果可放行。
--- a/reports/dependency/dependency_audit_result_2026-03-27.md
+++ b/reports/dependency/dependency_audit_result_2026-03-27.md
@@ -0,0 +1,10 @@
+# Dependency Audit Check Result (2026-03-27)
+
+- Result: PASS
+- M-017 (`dependency_compat_audit_pass_pct`): 100%
+- Checked files:
+  1. reports/dependency/sbom_2026-03-27.spdx.json
+  2. reports/dependency/lockfile_diff_2026-03-27.md
+  3. reports/dependency/compat_matrix_2026-03-27.md
+  4. reports/dependency/risk_register_2026-03-27.md
+
--- a/reports/dependency/lockfile_diff_2026-03-27.md
+++ b/reports/dependency/lockfile_diff_2026-03-27.md
@@ -0,0 +1,15 @@
+# Lockfile Diff（2026-03-27）
+
+- Audit-Status: PASS
+- Scope: Baseline document-only sync
+
+## Summary
+
+1. `go.mod/go.sum`：无本次变更。
+2. `package-lock.json` / `pnpm-lock.yaml`：无本次变更。
+3. `pom.xml`：无本次变更。
+
+## Risk
+
+1. 本次提交仅含文档与 SQL，不涉及应用依赖升级。
+2. 依赖风险等级：Low。
--- a/reports/dependency/risk_register_2026-03-27.md
+++ b/reports/dependency/risk_register_2026-03-27.md
@@ -0,0 +1,14 @@
+# Dependency Risk Register（2026-03-27）
+
+- Audit-Status: PASS
+
+| Risk ID | Risk | Severity | Mitigation | Owner | Status |
+|---|---|---|---|---|---|
+| DEP-R-001 | 未锁定 subapi 精确版本导致回归 | High | 固定 `X.Y.Z` + 三重Gate | ARCH | Open |
+| DEP-R-002 | 锁文件漂移未触发审计 | Medium | CI 强制执行 dependency-audit-check | PLAT | Open |
+| DEP-R-003 | 漏洞库更新导致新 Critical CVE | High | 夜间扫描 + 发布阻断 | SEC | Open |
+
+## Conclusion
+
+1. 当前无新增依赖变更触发的阻断项。
+2. 风险条目已登记并进入持续治理。
--- a/reports/dependency/sbom_2026-03-27.spdx.json
+++ b/reports/dependency/sbom_2026-03-27.spdx.json
@@ -0,0 +1,32 @@
+{
+  "spdxVersion": "SPDX-2.3",
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "name": "lijiaoqiao-dependency-sbom-2026-03-27",
+  "documentNamespace": "https://lijiaoqiao.local/sbom/2026-03-27",
+  "creationInfo": {
+    "created": "2026-03-27T12:00:00Z",
+    "creators": [
+      "Tool: codex-manual-baseline"
+    ]
+  },
+  "packages": [
+    {
+      "SPDXID": "SPDXRef-Package-Go",
+      "name": "go-runtime",
+      "versionInfo": "1.21.x",
+      "downloadLocation": "NOASSERTION"
+    },
+    {
+      "SPDXID": "SPDXRef-Package-PostgreSQL",
+      "name": "postgresql",
+      "versionInfo": "15.x",
+      "downloadLocation": "NOASSERTION"
+    },
+    {
+      "SPDXID": "SPDXRef-Package-Redis",
+      "name": "redis",
+      "versionInfo": "7.x",
+      "downloadLocation": "NOASSERTION"
+    }
+  ]
+}