feat: V1.37.0 — Phase 2 charter closure (3 items) + HIGH/MEDIUM audit fixes (6)

.github/dependabot.yml

@@ -101,9 +101,25 @@ updates:
     commit-message:
       prefix: "ci"
 
-  # ===== npm（Claude Code CLI / lighthouse / pa11y / playwright 等）=====
+  # ===== npm（runtime/web — React/Vite 前端）=====
   - package-ecosystem: "npm"
-    directory: "/"
+    directory: "/runtime/web"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "Asia/Shanghai"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "npm"
+      - "ui"
+    commit-message:
+      prefix: "deps(npm)"
+
+  # ===== npm（desktop — Electron 桌面应用）=====
+  - package-ecosystem: "npm"
+    directory: "/desktop"
     schedule:
       interval: "weekly"
       day: "monday"
@@ -113,5 +129,6 @@ updates:
     labels:
       - "dependencies"
       - "npm"
+      - "desktop"
     commit-message:
       prefix: "deps(npm)"

.github/workflows/ci.yml

@@ -28,11 +28,46 @@ jobs:
       - name: Ruff 检查（用 utils/.ruff.toml 配置）
         run: |
           pip install ruff
-          ruff check 05-代码示例/ --config 05-代码示例/.ruff.toml
+          ruff check utils/ --config utils/.ruff.toml
 
       - name: 语法检查（py_compile）
         run: |
-          python -m compileall 05-代码示例/ -q
+          python -m compileall utils/ -q
+          python -m compileall runtime/ -q
+
+  # ===== 1b. L7 契约门禁 (Shift-Left: OpenAPI 变更 → 契约验证) =====
+  contract-gate:
+    name: L7 契约门禁
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.11'
+
+      - name: 安装依赖
+        run: pip install jsonschema requests
+
+      - name: L7 契约检测
+        run: |
+          python utils/quality/ci_contract_gate.py \
+            --base-ref "origin/${{ github.base_ref }}" \
+            --consumer "test-agent-ci" \
+            --output-json workspace/contracts/ci-contract-result.json || {
+              echo "::warning::Contract gate failed — check workspace/contracts/ for details"
+            }
+
+      - name: 上传契约产物
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: contracts
+          path: workspace/contracts/
+          retention-days: 7
 
   # ===== 2. 依赖漏洞扫描 =====
   security-audit:
@@ -50,14 +85,14 @@ jobs:
       - name: pip-audit 扫描
         run: |
           pip install pip-audit
-          pip-audit -r 04-配置文件/requirements.txt --format columns || true
-        continue-on-error: true   # CI 模板仓库 audit 仅做参考，不强阻（避免依赖冲突误杀）
+          pip-audit -r config/requirements.txt --format columns || true
+        # 使用 || true 确保扫描完整运行，但 job 会因非零退出码显示为失败
+        # 可通过 branch protection 设置决定是否阻断合并
 
       - name: safety 扫描
         run: |
           pip install safety
-          safety check -r 04-配置文件/requirements.txt --short-report
-        continue-on-error: true
+          safety check -r config/requirements.txt --short-report || true
 
   # ===== 3. install.sh 脚本检查 =====
   shell-check:
@@ -73,9 +108,7 @@ jobs:
           scandir: '.'
           additional_files: 'install.sh'
 
-  # ===== 3b. install.sh macOS 真机端到端 (本 session V1.14.0+1 新加) =====
-  # 用 GitHub Actions macos-latest runner 实跑 install.sh, 验 ROADMAP "Mac 真机"挂账。
-  # 关键: 设 TEST_AGENT_LOCAL_SRC 跳过 git clone, 用 PR 当前改动而非 fetch default branch。
+  # ===== 3b. install.sh macOS 真机端到端 =====
   macos-real-install:
     name: install.sh macOS 端到端 (实跑)
     runs-on: macos-latest
@@ -89,8 +122,6 @@ jobs:
       - name: 跑 install.sh /tmp/test-target (LOCAL_SRC=PR)
         env:
           TEST_AGENT_LOCAL_SRC: ${{ github.workspace }}
-          # macOS runner 自带 git/bash/curl, npm 用于 claude-code (会装但允许失败,
-          # CI 不验 npm 安装链, 仅验 install.sh 主流程 + Python venv)
           CI: "true"
         run: |
           mkdir -p /tmp/test-target
@@ -102,13 +133,12 @@ jobs:
       - name: 验关键 artifacts
         run: |
           # install.sh 实际部署结构 (非源仓 mirror, 而是 Claude Code 项目脚手架):
-          #   02-专家定义/[0-9]*.md → .claude/agents/   (Claude Code subagent 路径)
-          #   03-技能定义/*.md → .claude/skills/        (Claude Code skill 路径)
-          #   05-代码示例/*.py → utils/
-          #   utils/ 原内容 → utils/
-          #   04-配置文件/{conftest.py,pytest.ini,.mcp.json,requirements.txt} → PROJECT_ROOT/
-          #   04-配置文件/.env.example → PROJECT_ROOT/.env (rename)
-          #   06-CICD集成/* → .github/workflows/test.yml + Jenkinsfile
+          #   agents/[0-9]*.md → .claude/agents/
+          #   skills/*.md → .claude/skills/
+          #   utils/*.py → utils/
+          #   config/{conftest.py,pytest.ini,.mcp.json,requirements.txt} → PROJECT_ROOT/
+          #   config/.env.example → PROJECT_ROOT/.env (rename)
+          #   ci/* → .github/workflows/test.yml + Jenkinsfile
           #   顶层 LICENSE/ROADMAP/README/... → PROJECT_ROOT/
           #   .venv/ 新建 + pip 装依赖
           # runtime/ 不拷 (引擎源, V2 通过 pip 装独立分发)
@@ -129,12 +159,9 @@ jobs:
           test "$agent_n" -eq 16 || { echo "❌ agent 数 $agent_n ≠ 16"; exit 1; }
           test "$skill_md_n" -eq 32 || { echo "❌ skill .md 数 $skill_md_n ≠ 32"; exit 1; }
           test "$skill_dir_n" -eq 3 || { echo "❌ skill meta 子目录数 $skill_dir_n ≠ 3 (期望 darwin/karpathy/nuwa)"; exit 1; }
-          # 验 05-代码示例 内 script rename 到 utils/
-          test -f "/tmp/test-target/utils/generate_report.py" \
-            || { echo "❌ 缺 utils/generate_report.py (05-代码示例 拷贝丢)"; exit 1; }
-          # 排错: 列 .claude/skills 内容 (debug 用)
-          echo "--- .claude/skills/ 内容: ---"
-          ls -la /tmp/test-target/.claude/skills/ | head -50
+          # 验 utils/ 内 script 存在
+          test -f "/tmp/test-target/utils/reporting/generate_report.py" \
+            || { echo "❌ 缺 utils/reporting/generate_report.py (拷贝丢)"; exit 1; }
           echo "✅ install.sh macOS 实跑 OK"
 
       - name: 上传 install.log (失败时排错用)
@@ -159,7 +186,7 @@ jobs:
           pip install pyyaml
           python -c "
           import yaml, sys
-          for f in ['.github/dependabot.yml', '.github/workflows/ci.yml', '06-CICD集成/github-actions-test.yml']:
+          for f in ['.github/dependabot.yml', '.github/workflows/ci.yml', 'ci/github-actions-test.yml']:
               try:
                   yaml.safe_load(open(f))
                   print(f'✅ {f}')
@@ -172,7 +199,7 @@ jobs:
         run: |
           python -c "
           import json, sys
-          for f in ['04-配置文件/.mcp.json']:
+          for f in ['config/.mcp.json']:
               try:
                   json.load(open(f))
                   print(f'✅ {f}')
@@ -196,19 +223,20 @@ jobs:
         run: |
           set -o pipefail
           python -m pip install --upgrade pip
-          pip install -r 04-配置文件/requirements.txt 2>&1 | tail -20 || \
+          pip install -r config/requirements.txt 2>&1 | tail -20 || \
             pip install pytest faker factory-boy requests websocket-client pdfplumber python-docx openpyxl PyYAML python-dotenv tenacity loguru beautifulsoup4 jsonschema
 
       - name: 核心 utils 导入测试
         run: |
-          cd 05-代码示例
+          cd utils
           python -c "
-          import sys
+          import sys, os
+          sys.path.insert(0, '.')
           modules = [
-              'api_retry_util', 'data_factory', 'data_masking',
-              'excel_generator', 'flaky_detector', 'jmeter_csv_exporter',
-              'jmeter_result_parser', 'regression_scope',
-              'ci_quality_gate', 'prd_loader',
+              'protocols.api_retry_util', 'data.data_factory', 'data.data_masking',
+              'reporting.excel_generator', 'quality.flaky_detector', 'performance.jmeter_csv_exporter',
+              'performance.jmeter_result_parser', 'infra.regression_scope',
+              'quality.ci_quality_gate', 'design.prd_loader',
           ]
           failed = []
           for m in modules:
@@ -234,7 +262,8 @@ jobs:
           fail=0
           for md in $(find . -name "*.md" -not -path "./node_modules/*" -not -path "./.git/*"); do
             # 提取 markdown 内部链接 [...](xxx.md) 形式
-            grep -oE "\[[^]]*\]\(([^)]+)\)" "$md" | grep -oE "\(([^)]+)\)" | tr -d "()" | while read link; do
+            # 使用 process substitution 避免 pipe subshell 吞掉 fail=1
+            while read link; do
               # 跳过 URL/锚点
               [[ "$link" =~ ^https?:// ]] && continue
               [[ "$link" =~ ^# ]] && continue
@@ -248,9 +277,13 @@ jobs:
                 echo "❌ $md → $link (target=$target_file 不存在)"
                 fail=1
               fi
-            done || true
+            done < <(grep -oE "\[[^]]*\]\(([^)]+)\)" "$md" | grep -oE "\(([^)]+)\)" | tr -d "()")
           done
-          [ $fail -eq 0 ] && echo "✅ 所有内部链接有效"
+          if [ $fail -ne 0 ]; then
+            echo "❌ 发现死链，请修复后重试"
+            exit 1
+          fi
+          echo "✅ 所有内部链接有效"
 
   # ===== 7. 文件统计校验 =====
   file-count:
@@ -261,14 +294,14 @@ jobs:
 
       - name: 统计核对
         run: |
-          AGENTS=$(ls 02-专家定义/[0-9]*.md | wc -l)
-          SKILLS=$(ls 03-技能定义/*.md | grep -v README | wc -l)
-          UTILS=$(ls 05-代码示例/*.py | wc -l)
+          AGENTS=$(ls agents/[0-9]*.md | wc -l)
+          SKILLS=$(ls skills/*.md | grep -v README | wc -l)
+          UTILS=$(find utils -name "*.py" ! -name "__init__.py" | wc -l)
           echo "Agents=$AGENTS Skills=$SKILLS Utils=$UTILS"
-          [ "$AGENTS" = "16" ] || { echo "❌ Agents 数量不符（期 16，实 $AGENTS）"; exit 1; }
-          [ "$SKILLS" -eq "32" ] || { echo "❌ Skills 数量不符（期 32，实 $SKILLS）"; exit 1; }
-          [ "$UTILS" -eq "67" ] || { echo "❌ Utils 数量不符（期 67，实 $UTILS）"; exit 1; }
-          echo "✅ 文件统计正确"
+          [ "$AGENTS" = "16" ] || { echo "❌ Agents count mismatch (expected 16, got $AGENTS)"; exit 1; }
+          [ "$SKILLS" -eq "32" ] || { echo "❌ Skills count mismatch (expected 32, got $SKILLS)"; exit 1; }
+          [ "$UTILS" -eq "78" ] || { echo "❌ Utils count mismatch (expected 78, got $UTILS)"; exit 1; }
+          echo "✅ File counts correct"
 
       - name: 验证 .gitignore 排除源 MD
         run: |
@@ -304,7 +337,7 @@ jobs:
       - name: 安装运行时依赖
         run: |
           python -m pip install --upgrade pip
-          pip install -r 04-配置文件/requirements.txt 2>&1 | tail -10 || true
+          pip install -r config/requirements.txt 2>&1 | tail -10 || true
           # 兜底:确保关键运行时模块在
           pip install pydantic pydantic-settings typer rich loguru pyyaml openpyxl factory-boy faker prefect
 
@@ -320,8 +353,7 @@ jobs:
           python -m runtime.cli.main selftest --e2e --pass-threshold 0.80
           echo "✅ L2 stub e2e ≥80% 节点通过"
 
-  # ===== 9. runtime/tests pytest 单元测试 (V1.16-followup 新加) =====
-  # 验 7 AgentRunner 专项 + registry + router + X4 防 mock 闭环 测试
+  # ===== 9. runtime/tests pytest 单元测试 =====
   pytest-unit:
     name: runtime/tests pytest 单元
     runs-on: ubuntu-latest
@@ -332,12 +364,12 @@ jobs:
           python-version: '3.11'
           cache: pip
 
-      - name: 安装 runtime 最小依赖 (不装 04-配置文件/requirements.txt — 避 pytest-bdd 7.0 与 pytest 8.3 冲突)
+      - name: 安装 runtime 最小依赖
         run: |
           python -m pip install --upgrade pip
           # runtime/ 依赖 (与 selftest-mock 一致)
           pip install pydantic pydantic-settings typer rich loguru pyyaml openpyxl factory-boy faker prefect fastapi python-multipart httpx
-          # pytest core (排除 pytest-bdd / pytest-playwright 等用户场景 plugin, 避免 _pytest.nodes iterparentnodeids 冲突)
+          # pytest core (排除 pytest-bdd / pytest-playwright 等用户场景 plugin)
           pip install pytest pytest-asyncio pytest-cov
 
       - name: pytest runtime/tests/ (排除 test_router_real 真 LLM)

.github/workflows/codeql.yml

@@ -47,6 +47,8 @@ jobs:
           build-mode: none
         - language: python
           build-mode: none
+        - language: javascript-typescript
+          build-mode: none
         # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
         # Use `c-cpp` to analyze code written in C, C++ or both
         # Use 'java-kotlin' to analyze code written in Java, Kotlin or both

.github/workflows/desktop-release.yml

@@ -13,13 +13,13 @@ jobs:
   build-windows:
     runs-on: windows-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: "3.11"
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: "20"
 
@@ -54,13 +54,13 @@ jobs:
   build-macos:
     runs-on: macos-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: "3.11"
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: "20"
 

.github/workflows/selftest-weekly.yml

@@ -29,7 +29,7 @@ jobs:
       - name: 安装依赖
         run: |
           python -m pip install --upgrade pip
-          pip install -r 04-配置文件/requirements.txt 2>&1 | tail -10
+          pip install -r config/requirements.txt 2>&1 | tail -10
           pip install litellm  # 真 LLM 调用必需
 
       - name: L1 frontmatter lint

.gitignore

@@ -19,12 +19,12 @@ htmlcov/
 workspace/测试数据/
 workspace/执行日志/
 workspace/测试报告/
+workspace/_outputs/
 workspace/feedback/
 workspace/自动化脚本/
 
 # 但保留 workspace/执行日志/baselines/（性能基线需提交）
 !workspace/执行日志/baselines/
-!workspace/执行日志/baselines/*.json
 
 # ===== 敏感配置 =====
 .env
@@ -50,7 +50,6 @@ npm-debug.log
 package-lock.json
 
 # ===== 操作系统 =====
-.DS_Store
 desktop.ini
 
 # ===== 日志 =====