feat(harness): 门控产出结构化发现(code/severity)+ 拒绝路径测试 (#6) #222
| # .github/workflows/ci.yml | |
| # License: Apache-2.0 | |
| name: CI | |
| on: | |
| push: | |
| branches: [main, develop] | |
| pull_request: | |
| branches: [main, develop] | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| CARGO_TERM_COLOR: always | |
| RUST_BACKTRACE: 1 | |
| permissions: | |
| actions: read | |
| contents: read | |
| pull-requests: read | |
| security-events: write | |
| jobs: | |
| # ========================================================================= | |
| # 1. License compliance (Constitution §3) | |
| # ========================================================================= | |
| licenses: | |
| name: License compliance (§3) | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v6.0.2 | |
| - name: Install Rust 1.95.0 | |
| uses: dtolnay/rust-toolchain@stable | |
| with: { toolchain: "1.95.0" } | |
| - name: Install cargo-deny | |
| run: cargo install cargo-deny --version =0.19.4 --locked | |
| - name: Rust license check | |
| working-directory: 04-backend | |
| run: cargo deny check licenses bans advisories sources | |
| - name: Setup Bun | |
| uses: oven-sh/setup-bun@v2.2.0 | |
| with: { bun-version: "1.3.13" } | |
| - name: Frontend license check | |
| working-directory: 03-frontend | |
| run: | | |
| bun install --frozen-lockfile | |
| bunx license-checker --failOn "GPL;AGPL;LGPL;SSPL;BUSL;Commons Clause" --production | |
| - name: Setup Python 3.14 | |
| uses: actions/setup-python@v6.2.0 | |
| with: { python-version: "3.14" } | |
| - name: Python license check | |
| working-directory: 04-backend/agent-orchestrator | |
| run: | | |
| pip install uv==0.5.14 pip-licenses==5.0.0 | |
| uv pip install --system . | |
| pip-licenses --fail-on="GPL;AGPL;LGPL;SSPL;BUSL" | |
| # ========================================================================= | |
| # 2. Rust backend | |
| # ========================================================================= | |
| rust: | |
| name: Rust (fmt · clippy · test) | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v6.0.2 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| toolchain: "1.95.0" | |
| components: rustfmt, clippy | |
| - uses: Swatinem/rust-cache@v2.9.1 | |
| with: | |
| workspaces: "04-backend -> target" | |
| - name: cargo fmt | |
| working-directory: 04-backend | |
| run: cargo fmt --all -- --check | |
| - name: cargo clippy | |
| working-directory: 04-backend | |
| run: cargo clippy --all-targets --all-features -- -D warnings | |
| - name: cargo test | |
| working-directory: 04-backend | |
| run: cargo test --all-features --workspace | |
| - name: cargo build --release | |
| working-directory: 04-backend | |
| run: cargo build --release --bin architoken-gateway | |
| # ========================================================================= | |
| # 3. Go database agent | |
| # ========================================================================= | |
| go: | |
| name: Go database agent (test · smoke) | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v6.0.2 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: 04-backend/database-agent-go/go.mod | |
| cache-dependency-path: 04-backend/database-agent-go/go.mod | |
| - name: database-agent-go smoke | |
| run: 04-backend/scripts/smoke-database-agent-go.sh | |
| # ========================================================================= | |
| # 4. Python agent | |
| # ========================================================================= | |
| python: | |
| name: Python (ruff · mypy · pytest) | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v6.0.2 | |
| - uses: actions/setup-python@v6.2.0 | |
| with: { python-version: "3.14" } | |
| - run: pip install uv==0.5.14 | |
| - name: Install | |
| working-directory: 04-backend/agent-orchestrator | |
| run: uv pip install --system -e ".[dev]" | |
| - name: Ruff | |
| working-directory: 04-backend/agent-orchestrator | |
| run: ruff check src tests | |
| - name: Mypy | |
| working-directory: 04-backend/agent-orchestrator | |
| run: mypy src | |
| - name: Pytest | |
| working-directory: 04-backend/agent-orchestrator | |
| run: pytest --cov=architoken_agent --cov-report=xml | |
| # ========================================================================= | |
| # 5. Worker adapters | |
| # ========================================================================= | |
| workers: | |
| name: Workers (contracts · BOM) | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v6.0.2 | |
| - uses: actions/setup-python@v6.2.0 | |
| with: { python-version: "3.12" } | |
| - run: pip install uv==0.5.14 | |
| - name: Pytest | |
| working-directory: 06-workers | |
| run: uv run --extra test pytest | |
| # ========================================================================= | |
| # 6. Frontend | |
| # ========================================================================= | |
| frontend: | |
| name: Frontend (lint · typecheck · test · e2e · build) | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v6.0.2 | |
| - uses: oven-sh/setup-bun@v2.2.0 | |
| with: { bun-version: "1.3.13" } | |
| - name: Install | |
| working-directory: 03-frontend | |
| run: bun install --frozen-lockfile | |
| - name: Lint | |
| working-directory: 03-frontend | |
| run: bun run lint | |
| - name: Typecheck | |
| working-directory: 03-frontend | |
| run: bun run typecheck | |
| - name: Test | |
| working-directory: 03-frontend | |
| run: bun run test | |
| - name: Install Playwright Chromium | |
| working-directory: 03-frontend | |
| run: bunx playwright install --with-deps chromium | |
| - name: E2E | |
| working-directory: 03-frontend | |
| run: bun run test:e2e | |
| - name: Build | |
| working-directory: 03-frontend | |
| run: bun run build | |
| # ========================================================================= | |
| # 7. OpenAPI contract | |
| # ========================================================================= | |
| openapi: | |
| name: OpenAPI spec validation (§5) | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v6.0.2 | |
| - uses: actions/setup-node@v5.0.0 | |
| with: { node-version: "25.9.0" } | |
| - run: npm install -g @redocly/cli@2.30.0 @openapitools/openapi-generator-cli@2.23.0 | |
| - run: redocly lint 04-backend/openapi.yaml | |
| - name: Generate SDK (sanity) | |
| run: | | |
| openapi-generator-cli generate \ | |
| -i 04-backend/openapi.yaml \ | |
| -g typescript-fetch \ | |
| -o /tmp/sdk-ts | |
| # ========================================================================= | |
| # 8. P0 production gates | |
| # ========================================================================= | |
| p0-production-gates: | |
| name: P0 production gates (CDE · ops audit · DR) | |
| runs-on: ubuntu-24.04 | |
| services: | |
| postgres: | |
| image: pgvector/pgvector:pg16 | |
| env: | |
| POSTGRES_USER: architoken | |
| POSTGRES_PASSWORD: architoken_dev_only | |
| POSTGRES_DB: architoken | |
| ports: | |
| - 5433:5432 | |
| options: >- | |
| --health-cmd "pg_isready -U architoken -d architoken" | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 10 | |
| env: | |
| DATABASE_URL: postgres://architoken:architoken_dev_only@127.0.0.1:5433/architoken | |
| ARCHITOKEN_P0_APPLY_BASE_MIGRATIONS: "1" | |
| ARCHITOKEN_P0_INCLUDE_WORKERS: "0" | |
| ARCHITOKEN_P0_INCLUDE_BOM_DB_BRIDGE: "0" | |
| steps: | |
| - uses: actions/checkout@v6.0.2 | |
| - name: Install PostgreSQL client | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y postgresql-client | |
| - name: P0 smoke gates | |
| run: 04-backend/scripts/smoke-p0-production-gates.sh | |
| # Closes the audit blind spot: the heavy-steel BOM→database bridge used | |
| # to be verified only against developer-local workbooks (~/下载). This | |
| # gate replays all migrations on a scratch DB, generates synthetic | |
| # sources, reconciles them through the real worker parser and runs the | |
| # full bridge assertions. | |
| - name: BOM database bridge gate (synthetic sources) | |
| run: 04-backend/scripts/smoke-bom-db-bridge-synthetic.sh | |
| # ========================================================================= | |
| # 9. Security scan | |
| # ========================================================================= | |
| security: | |
| name: Security · SAST · SBOM | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v6.0.2 | |
| - name: Trivy filesystem scan | |
| uses: aquasecurity/trivy-action@v0.36.0 | |
| with: | |
| scan-type: fs | |
| format: sarif | |
| output: trivy.sarif | |
| severity: CRITICAL,HIGH | |
| - name: Upload SARIF artifact | |
| uses: actions/upload-artifact@v7.0.1 | |
| with: | |
| name: trivy-sarif | |
| path: trivy.sarif | |
| if-no-files-found: error |
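Review bot: The Trivy step in the `security` job cannot fail the build: `aquasecurity/trivy-action` exits 0 by default whatever it finds, so with only `severity: CRITICAL,HIGH` and `format: sarif` the job stays green when the scan reports vulnerabilities, and the SARIF goes to an artifact rather than to code scanning. Add `exit-code: "1"` under the Trivy `with:` block, or upload the report with `github/codeql-action/upload-sarif` so the findings surface where the workflow-level `security-events: write` grant (otherwise unused in this file) is actually needed; if neither, drop that permission or move `permissions:` down to the `security` job so the other eight jobs do not inherit it. Separately, every third-party action is pinned to a mutable tag (`actions/checkout@v6.0.2`, and `actions/setup-go@v5` only to a floating major) and `bunx license-checker` resolves whatever version npm serves at run time; pinning actions to a full commit SHA and invoking `license-checker@<pinned-version>` would keep the license and security gates reproducible.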