# sanook-cli - Doramagic AI Context Pack

> Positioning: a pre-install experience and decision asset. It helps the host AI get a good start, but it does not mean the target project has been installed, run, or verified.

## Sufficiency Principle

- **Sufficiency, not compression**: an AI Context Pack should be sufficient for the host AI to understand, before starting work, the project's value, capability boundaries, entry points, risks, and evidence sources; it can be organized in layers, but the shortest possible summary is not the goal.
- **Compression strategy**: compress only noise and duplicated content, never context that affects judgment or the quality of the work.

## How the Host AI Should Use This

You are reading the AI Context Pack that Doramagic compiled for sanook-cli. Treat it as pre-work context: it helps the user understand who the project suits, what it can do, how to get started, what must be verified after installation, and where the risks are. Do not claim that you have installed, run, or executed the target project.

## Claim Consumption Rules

- **Source of facts**: Repo Evidence + Claim/Evidence Graph; the Human Wiki only provides salience, terminology, and narrative structure.
- **Minimum status for a fact**: `supported`
- `supported`: may be used as a project fact, but the answer must cite the claim_id and the evidence path.
- `weak`: may only be used as a low-confidence lead; the user must be asked to verify further.
- `inferred`: may only be used for risk notes or open questions; it must not be packaged as a project fact.
- `unverified`: must not be used as a fact; state explicitly that the evidence is insufficient.
- `contradicted`: the conflicting sources must be shown; do not pick one version on the user's behalf.

## Who It Suits Best

- **Developers using host AIs such as Claude/Codex/Cursor/Gemini**: the README or plugin configuration mentions multiple host AIs. Evidence: `README.md` Claim: `clm_0003` supported 0.86
- **Users who want to bring professional workflows into a host AI**: the repository contains Skill documents. Evidence: `skills/agent-tool-mcp-builder/SKILL.md`, `skills/api-design-review/SKILL.md`, `skills/async-concurrency-correctness/SKILL.md`, `skills/audit-accessibility-wcag/SKILL.md`, etc. Claim: `clm_0004` supported 0.86

## What It Can Do

- **AI Skill / Agent instruction asset library** (pre-install preview possible): the project contains Skill or Agent instruction files that a host AI can read, usable for bringing professional workflows into hosts such as Claude, Codex, and Cursor. Evidence: `skills/agent-tool-mcp-builder/SKILL.md`, `skills/api-design-review/SKILL.md`, `skills/async-concurrency-correctness/SKILL.md`, `skills/audit-accessibility-wcag/SKILL.md`, etc. Claim: `clm_0001` supported 0.86
- **Command-line launch or install flow** (requires post-install verification): the project documentation contains executable commands; real use requires running them in a local or host environment. Evidence: `README.md` Claim: `clm_0002` supported 0.86

## How to Get Started

- `npm install -g sanook-cli   # or: npx sanook-cli` Evidence: `README.md` Claim: `clm_0005` supported 0.86
- `curl -fsSL https://sanook.ai/install.sh | bash` Evidence: `README.md` Claim: `clm_0006` supported 0.86
- `curl http://127.0.0.1:8787/v1/chat/completions \` Evidence: `README.md` Claim: `clm_0007` supported 0.86

## Decision Card Before Continuing

- **Current recommendation**: requires admin/security approval
- **Why**: continuing may involve keys, accounts, external services, or sensitive context; get admin or security approval first.

### 30-Second Judgment

- **What to do now**: requires admin/security approval
- **Minimum safe next step**: run the Prompt Preview first; if credentials or an enterprise environment are involved, get approval before a trial install
- **Do not trust yet**: tool permission boundaries cannot be trusted before installation.
- **Continuing will touch**: command execution, host AI configuration, the local environment or project files

### What You Can Trust Now

- **Audience lead: developers using host AIs such as Claude/Codex/Cursor/Gemini** (supported): backed by a supported claim or project evidence, but still not equivalent to a real install result. Evidence: `README.md` Claim: `clm_0003` supported 0.86
- **Audience lead: users who want to bring professional workflows into a host AI** (supported): backed by a supported claim or project evidence, but still not equivalent to a real install result. Evidence: `skills/agent-tool-mcp-builder/SKILL.md`, `skills/api-design-review/SKILL.md`, `skills/async-concurrency-correctness/SKILL.md`, `skills/audit-accessibility-wcag/SKILL.md`, etc. Claim: `clm_0004` supported 0.86
- **Capability present: AI Skill / Agent instruction asset library** (supported): you can trust that the project contains this kind of capability lead; whether it fits your specific task still needs a trial or post-install verification. Evidence: `skills/agent-tool-mcp-builder/SKILL.md`, `skills/api-design-review/SKILL.md`, `skills/async-concurrency-correctness/SKILL.md`, `skills/audit-accessibility-wcag/SKILL.md`, etc. Claim: `clm_0001` supported 0.86
- **Capability present: command-line launch or install flow** (supported): you can trust that the project contains this kind of capability lead; whether it fits your specific task still needs a trial or post-install verification. Evidence: `README.md` Claim: `clm_0002` supported 0.86
- **Quick Start / install command leads exist** (supported): you can trust that launch or install entry points appear in the project documentation; do not run them directly in your primary environment on that basis. Evidence: `README.md` Claim: `clm_0005` supported 0.86

### What You Cannot Trust Yet

- **Tool permission boundaries cannot be trusted before installation.** (unverified): MCP/tool projects typically touch files, the network, the browser, or external APIs; permissions and logs must be checked for real.
- **Real output quality cannot be trusted before installation.** (unverified): the Prompt Preview can only show how the project guides a workflow; it cannot prove result quality in a real project.
- **Host AI version compatibility cannot be trusted before installation.** (unverified): loading rules and version differences across hosts such as Claude, Cursor, Codex, and Gemini must be verified in a real environment.
- **"It will not pollute existing host AI behavior" cannot be trusted outright.** (inferred): Skill, plugin, and AGENTS/CLAUDE/GEMINI instructions may change the host AI's default behavior. Evidence: `skills/agent-tool-mcp-builder/SKILL.md`, `skills/api-design-review/SKILL.md`, `skills/async-concurrency-correctness/SKILL.md`, `skills/audit-accessibility-wcag/SKILL.md`, etc.
- **Safe rollback cannot be assumed.** (unverified): unless the project explicitly provides uninstall and restore instructions, verify in an isolated environment first.
- **After a real install, is it compatible with the user's current host AI version?** (unverified): compatibility can only be verified in the actual host environment.
- **Does the project's output quality meet the user's specific task?** (unverified): a pre-install preview only shows the flow and boundaries; it is no substitute for real evaluation.
- **Does the install command need network access, elevated permissions, or global writes?** (unverified): this affects install risk in both enterprise and personal environments. Evidence: `README.md`

### What Continuing Will Touch

- **Command execution**: package manager, network downloads, local plugin directories, project configuration, or the user's home directory. Reason: running the first command may already change the environment; decide first whether it is worth running. Evidence: `README.md`
- **Host AI configuration**: plugin, Skill, or rule-loading configuration for hosts such as Claude/Codex/Cursor/Gemini/OpenCode. Reason: host configuration changes how the AI works from then on and may conflict with the user's existing rules. Evidence: `skills/agent-tool-mcp-builder/SKILL.md`, `skills/api-design-review/SKILL.md`, `skills/async-concurrency-correctness/SKILL.md`, `skills/audit-accessibility-wcag/SKILL.md`, etc.
- **Local environment or project files**: install artifacts, plugin caches, project configuration, or local dependency directories. Reason: the write scope and rollback method cannot be proven before installation; verify in isolation. Evidence: `README.md`
- **Environment variables / API keys**: the project's entry documentation explicitly mentions API key, token, secret, or account credential configuration. Reason: if a real install needs credentials, use test credentials first and go through a permission/compliance check. Evidence: `CHANGELOG.md`, `README.md`, `README.th.md`, `src/mcp.ts`
- **Host AI context**: the AI Context Pack, Prompt Preview, Skill routing, risk rules, and project facts. Reason: imported context affects the host AI's later judgment; never package unverified items as facts.

### Minimum Safe Next Steps

- **Run the Prompt Preview first**: use the pre-install interactive trial to judge whether the way of working fits; no authorization or environment change is needed. (Applies to: any project, especially when output quality is unknown.)
- **Trial-install only in an isolated directory or test account**: keep the install command from polluting your primary host AI, real projects, or home directory. (Applies to: when there are leads of command execution, plugin configuration, or local writes.)
- **Back up host AI configuration first**: Skill, plugin, and rule files may change the default behavior of Claude/Cursor/Codex. (Applies to: when there is a plugin manifest, Skill, or host rule entry point.)
- **Do not use real production credentials**: once environment variables/API keys enter a host or toolchain, they can create account and compliance risk. (Applies to: when environment leads such as API, TOKEN, KEY, or SECRET appear.)
- **Verify only one minimal task after installing**: verify loading, compatibility, output quality, and rollback first, then decide whether to adopt it more deeply. (Applies to: when moving from trial to a real workflow.)

### Exit Path

- **Preserve the pre-install state**: record the original host configuration and project state so you can later tell whether it is recoverable.
- **Be ready to remove host plugin / Skill / rule entry points**: if behavior is abnormal after the trial install, restore the host AI to its pre-trial state.
- **Record install commands and write paths**: without explicit uninstall instructions, at least know which directories or configuration need manual cleanup.
- **Be ready to revoke test API keys or tokens**: if a test credential leaks or is misused, you can cut losses quickly.
- **If there is no rollback path, do not enter the primary environment**: no rollback is a blocker before continuing; do not proceed on trust or luck.

## Preview Only

- Explain who the project suits and what it can do
- Demonstrate typical conversation flows based on the project documentation
- Help the user decide whether it is worth installing or researching further

## Must Be Verified After Installation

- Actually installing the Skill, plugin, or CLI
- Running scripts, modifying local files, or accessing external services
- Verifying real output quality, performance, and compatibility

## Boundary and Risk Card

- **Mistaking the pre-install preview for a real run**: the user may overestimate how much configuration, permission, and compatibility verification the project has already completed. Handling: clearly distinguish prompt_preview_can_do from runtime_required. Claim: `clm_0008` inferred 0.45
- **Command execution modifies the local environment**: install commands may write to the user's home directory, host plugin directories, or project configuration. Handling: run in an isolated environment or test account first. Evidence: `README.md` Claim: `clm_0009` supported 0.86
- **To confirm**: after a real install, is it compatible with the user's current host AI version? Reason: compatibility can only be verified in the actual host environment.
- **To confirm**: does the project's output quality meet the user's specific task? Reason: a pre-install preview only shows the flow and boundaries; it is no substitute for real evaluation.
- **To confirm**: does the install command need network access, elevated permissions, or global writes? Reason: this affects install risk in both enterprise and personal environments.

## Pre-Work Context

### Load Order

- Read how_to_use.host_ai_instruction first to establish the boundaries of this pre-install decision asset.
- Read claim_graph_summary to confirm that facts come from the Claim/Evidence Graph, not from the Human Wiki narrative.
- Then read intended_users, capabilities, and quick_start_candidates to judge whether the user is a match.
- When a specific task must be carried out, consult role_skill_index first, then evidence_index.
- When a real install, file modification, network access, performance, or compatibility question comes up, switch to risk_card and boundaries.runtime_required.

### Task Routing

- **AI Skill / Agent instruction asset library**: use role_skill_index / evidence_index to help the user pick usable roles, Skills, or workflows. Boundary: a pre-install Prompt experience is possible. Evidence: `skills/agent-tool-mcp-builder/SKILL.md`, `skills/api-design-review/SKILL.md`, `skills/async-concurrency-correctness/SKILL.md`, `skills/audit-accessibility-wcag/SKILL.md`, etc. Claim: `clm_0001` supported 0.86
- **Command-line launch or install flow**: first explain that this capability is only verified after installation, then give a pre-install checklist. Boundary: must be verified after a real install or run. Evidence: `README.md` Claim: `clm_0002` supported 0.86

### Context Size

- Total files: 650
- Important files covered: 40/650
- Evidence index entries: 152
- Role / Skill entries: 146

### Handling Insufficient Evidence

- **missing_evidence**: state that the evidence is insufficient and ask the user for the target file, README section, or post-install verification record; do not fill in facts.
- **out_of_scope_request**: state that the task is outside the evidence scope of this AI Context Pack and suggest that the user consult the Human Manual first or verify after a real install.
- **runtime_request**: give the pre-install checklist and the source of the commands, but do not run commands for the user or claim to have run them.
- **source_conflict**: show the conflicting sources side by side, mark them as pending verification, and do not force a choice of one version.

## Prompt Recipes

### Fit Assessment

- Goal: judge whether this project fits the user's current task.
- Expected output: fit verdict, key reasons, evidence citations, what can be previewed before installation, what must be verified after installation, and next-step suggestions.

```text
Based on the AI Context Pack for sanook-cli, first ask me 3 necessary questions, then judge whether it fits my task. The answer must include: who it suits, what it can do, what it cannot do, whether it is worth installing, and where the evidence comes from. Every project fact must cite evidence_refs, source_paths, or a claim_id.
```

### Pre-Install Experience

- Goal: let the user feel the core workflow before installing, while avoiding packaging the preview as real capability or a marketing promise.
- Expected output: an experience script with boundary labels, a post-install verification checklist, and cautious advice; no claims of real execution and no strong marketing language.

```text
Treat sanook-cli as a pre-install experience asset, not as an installed tool or a real runtime environment.

Output exactly four sections:
1. First ask me 3 necessary questions.
2. Give an "experience script": use the three labels [previewable before install], [must verify after install], and [insufficient evidence] to show how it might guide a workflow.
3. Give a post-install verification checklist: list which capabilities can only be confirmed after a real install, real host loading, and a real project run.
4. Give cautious advice: say only "worth further research / trial install", "gather more information before judging", or "not recommended to continue"; do not endorse the project.

Hard boundaries:
- Do not claim to have installed, run, executed tests, modified files, or produced real results.
- Do not write promissory phrases such as "adapts automatically", "guaranteed to pass", "perfect fit", or "strongly recommended to install".
- When describing how it works after installation, use conditionals such as "if the install succeeds and the host loads the Skill correctly, it might...".
- The experience script may only be written as "sample lines / hypothetical flow": use "might ask / might suggest / might show", never "has written / has generated / has passed / is running / is generating".
- The Prompt Preview is not responsible for giving install commands; if the user intends a trial install, only point them to read the Quick Start and Risk Card first and to verify in an isolated environment.
- Every project fact must come from a supported claim, evidence_refs, or source_paths; inferred/unverified may only be used as risk or to-confirm items.
```

### Role / Skill Selection

- Goal: pick the best-matching assets from the project's roles or Skills.
- Expected output: a list of candidate roles or Skills, each with applicable scenarios, evidence path, risk boundaries, and whether post-install verification is required.

```text
Read role_skill_index and recommend the 3-5 roles or Skills most relevant to my target task. For each recommendation, state the applicable scenario, likely output, risk boundaries, and evidence_refs.
```

### Risk Pre-Check

- Goal: identify environment, permission, rule-conflict, and quality risks before installing or adopting the project.
- Expected output: a checklist covering environment, permissions, dependencies, licensing, host conflicts, quality risks, and unknowns.

```text
Based on risk_card, boundaries, and quick_start_candidates, give me a pre-install risk pre-check list. Do not run commands for me; only explain what I should check, why, and what the impact of a failure would be.
```

### Host AI Kickoff Instruction

- Goal: turn the project context into a host AI instruction for the start of a conversation.
- Expected output: a pre-work instruction with clear boundaries and explicit evidence citations, suitable for pasting to a host AI.

```text
Based on the AI Context Pack for sanook-cli, generate a pre-work instruction I can paste to a host AI. The instruction must obey not_runtime=true and must not claim that the project has been installed, run, or has produced real results.
```

## Role / Skill Index

- 146 role / Skill / project document entries are indexed in total.

- **agent-tool-mcp-builder** (skill): Designs agent tools and builds MCP servers (tool schemas, naming, error shapes, auth, context-efficient results) when exposing capabilities to an LLM agent or scaffolding a Model Context Protocol server. Activation hint: when the user's task closely matches the workflow described by "agent-tool-mcp-builder", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/agent-tool-mcp-builder/SKILL.md`
- **api-design-review** (skill): Designs and reviews HTTP/REST and RPC API surfaces — resource naming, verbs, status codes, pagination, versioning, idempotency, error envelopes, and backward compatibility. Use when creating a new endpoint or changing an existing API contract. Activation hint: when the user's task closely matches the workflow described by "api-design-review", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/api-design-review/SKILL.md`
- **async-concurrency-correctness** (skill): Writes and fixes correct async/concurrent code across Python (asyncio), TypeScript (Promises), Rust (tokio), and Go (goroutines/channels), targeting deadlocks, races, cancellation, and backpressure. Activation hint: when the user's task closely matches the workflow described by "async-concurrency-correctness", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/async-concurrency-correctness/SKILL.md`
- **audit-accessibility-wcag** (skill): Audits and fixes markup/JSX for WCAG 2.2 AA compliance — alt text, ARIA, heading order, contrast, keyboard nav, focus management; used before shipping UI or preparing an a11y review. Activation hint: when the user's task closely matches the workflow described by "audit-accessibility-wcag", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/audit-accessibility-wcag/SKILL.md`
- **audit-license-compliance** (skill): Audits open-source license compliance — resolves SPDX identifiers across the full transitive dependency tree (license-checker/scancode), classifies copyleft (GPL/AGPL/LGPL) exposure against the distribution model, enforces an allow/deny CI policy, and generates NOTICE/THIRD-PARTY attribution files. Activation hint: when the user's task closely matches the workflow described by "audit-license-compliance", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/audit-license-compliance/SKILL.md`
- **audit-technical-seo** (skill): Audits and fixes technical/on-page SEO — meta tags, Open Graph/Twitter cards, JSON-LD structured data, canonicals, sitemap, robots.txt; used when improving discoverability or fixing crawlability. Activation hint: when the user's task closely matches the workflow described by "audit-technical-seo", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/audit-technical-seo/SKILL.md`
- **auth-jwt-session** (skill): Implements authentication and session management (JWT issuing/verification, refresh rotation, sessions, cookies, OAuth2/OIDC flows, RBAC checks) when building or fixing how a backend logs users in and authorizes requests. Activation hint: when the user's task closely matches the workflow described by "auth-jwt-session", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/auth-jwt-session/SKILL.md`
- **author-codemod** (skill): Writes, fixture-tests, and runs codebase-wide automated transforms (codemods) that parse source to an AST and rewrite nodes via grammar-aware tools (jscodeshift/ts-morph, ast-grep, Comby, libcst/Bowler, OpenRewrite), dry-running before applying one mechanical change across many files. Use when a structural edit must hit many call sites reliably and find-replace would mangle strings, comments, or shadowed names. Activation hint: when the user's task closely matches the workflow described by "author-codemod", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/author-codemod/SKILL.md`
- **brainstorm-design** (skill): Run a structured design conversation that explores requirements, proposes 2-3 approaches with tradeoffs, and converges on a validated design BEFORE any code is written — used when a feature/idea is fuzzy or under-specified. Activation hint: when the user's task closely matches the workflow described by "brainstorm-design", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/brainstorm-design/SKILL.md`
- **build-audit-logging** (skill): Builds tamper-evident audit logging — structured actor/action/target/result records for security-relevant events, append-only hash-chained or WORM/object-lock storage, PII-safe payloads that log references not raw data, and regulation-driven retention — to satisfy SOC2/HIPAA-style controls and support incident forensics. Activation hint: when the user's task closely matches the workflow described by "build-audit-logging", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/build-audit-logging/SKILL.md`
- **build-cdc-streaming-pipeline** (skill): Designs change-data-capture and streaming pipelines — log-based CDC off a DB transaction log (Debezium/WAL/binlog), topic-per-table fan-out onto Kafka/Kinesis, consumer-group/offset/rebalance correctness, windowed/stateful stream processing with watermarks, exactly-once vs at-least-once-plus-idempotent delivery, and Avro/Protobuf schema-registry evolution. Activation hint: when the user's task closely matches the workflow described by "build-cdc-streaming-pipeline", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/build-cdc-streaming-pipeline/SKILL.md`
- **build-cli-tool** (skill): Designs the UX and contract of a command-line program in any language — argument parsing via a real lib (commander/yargs, click/typer, cobra, clap), meaningful exit codes, the stdout=data / stderr=logs split so the tool pipes cleanly, TTY-aware color/spinners that auto-plain when redirected, a --json machine mode, layered config precedence, signal cleanup, and shell completion. Covers the whole interface contract tha… Activation hint: when the user's task closely matches the workflow described by "build-cli-tool", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/build-cli-tool/SKILL.md`
- **build-data-table** (skill): Builds production data grids that stay fast and accessible at 10k–1M+ rows — decide server-side vs client-side sort/filter/paginate by the dataset-fits-in-memory test (client only under ~10k rows, otherwise push to the API and treat the table as a controlled view of server state), ROW-VIRTUALIZE with TanStack Virtual or react-window so only the visible window mounts: fixed estimateSize, overscan 5–10, measureElement f… Activation hint: when the user's task closely matches the workflow described by "build-data-table", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/build-data-table/SKILL.md`
- **build-etl-pipeline** (skill): Designs and implements ETL/ELT pipelines — extract from sources, transform/normalize, load to a warehouse — with idempotency, incremental loads, scheduling, and orchestration patterns. Activation hint: when the user's task closely matches the workflow described by "build-etl-pipeline", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/build-etl-pipeline/SKILL.md`
- **build-form-validation** (skill): Implements type-safe forms with React Hook Form + Zod or server-action validation — schemas, field arrays, multi-step flows, and accessible error handling; used when building or fixing forms. Activation hint: when the user's task closely matches the workflow described by "build-form-validation", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/build-form-validation/SKILL.md`
- **build-native-mobile-ui** (skill): Builds native mobile UI in SwiftUI (iOS) and Jetpack Compose (Android) — declarative layout (List/LazyVStack vs Scaffold/LazyColumn), unidirectional state with hoisting (@Observable vs ViewModel/StateFlow), typed navigation stacks with deep links, adaptive sizing (size classes/WindowSizeClass), light/dark theming via semantic tokens, lifecycle-correct side effects, recomposition control, and VoiceOver/TalkBack accessibilit… Activation hint: when the user's task closely matches the workflow described by "build-native-mobile-ui", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/build-native-mobile-ui/SKILL.md`
- **build-office-docs** (skill): Generates and edits Office documents (DOCX/PPTX) programmatically from data or templates, including styled reports, tables, headers/footers, tracked changes, and slide decks. Activation hint: when the user's task closely matches the workflow described by "build-office-docs", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/build-office-docs/SKILL.md`
- **build-offline-first-sync** (skill): Designs offline-first client data layers — a local store (SQLite/Room/Core Data/WatermelonDB), a durable outbound mutation queue with idempotency keys, optimistic local writes, cursor-based delta pull, conflict resolution (last-writer-wins/vector clocks/CRDT), tombstone deletes, and reconnect reconciliation. Activation hint: when the user's task closely matches the workflow described by "build-offline-first-sync", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/build-offline-first-sync/SKILL.md`
- **build-react-component** (skill): Scaffolds production-grade React/Next.js components with proper props typing, server vs client component boundaries, and composition; used when building or restructuring UI components. Activation hint: when the user's task closely matches the workflow described by "build-react-component", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/build-react-component/SKILL.md`
- **build-realtime-channel** (skill): Builds realtime push channels over WebSocket/SSE — auth-on-connect, heartbeat/zombie eviction, topic subscribe/publish with per-topic authz and presence, sequence-numbered resume for missed-message recovery, client reconnect with backoff+jitter, and a Redis/NATS pub/sub backplane with send-buffer limits for horizontal scale. Activation hint: when the user's task closely matches the workflow described by "build-realtime-channel", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/build-realtime-channel/SKILL.md`
- **build-spreadsheet** (skill): Creates and edits XLSX workbooks with formulas, multi-sheet references, cell formatting, conditional formatting, pivot-style summaries, and native Excel charts. Activation hint: when the user's task closely matches the workflow described by "build-spreadsheet", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/build-spreadsheet/SKILL.md`
- **build-vector-search** (skill): Builds semantic/vector search — pick an embedding model + dimensionality (and whether to truncate Matryoshka dims) and the matching distance metric (cosine/dot/L2; normalize to unit length so cosine == dot and IP is correct), an ANN index with the recall/latency/memory tradeoff understood: HNSW M/efConstruction/efSearch for low-latency RAM-resident; IVF-PQ nlist/nprobe/PQ for billion-scale compressed; flat/exact for <10… Activation hint: when the user's task closely matches the workflow described by "build-vector-search", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/build-vector-search/SKILL.md`
- **caching-strategy** (skill): Designs caching layers (cache-aside, write-through, TTLs, invalidation, stampede protection), typically with Redis, to cut latency and database load when responses are slow or repeated. Activation hint: when the user's task closely matches the workflow described by "caching-strategy", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/caching-strategy/SKILL.md`
- **cicd-pipeline-author** (skill): Designs and hardens CI/CD pipelines across GitHub Actions, GitLab CI, Jenkins, and CircleCI — caching, matrix builds, least-privilege tokens, pinned actions, and OIDC instead of long-lived secrets. Triggers when writing or fixing a pipeline/workflow file, speeding up CI, or securing a build. Activation hint: when the user's task closely matches the workflow described by "cicd-pipeline-author", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/cicd-pipeline-author/SKILL.md`
- **cloud-cost-optimize** (skill): Performs FinOps cost optimization on AWS/GCP/Azure — right-sizing instances, spotting idle/orphaned resources, Savings Plans/Reserved/committed-use analysis, storage tiering, and cost anomaly investigation. Triggers when a cloud bill spikes, doing a cost review, or right-sizing infrastructure. Activation hint: when the user's task closely matches the workflow described by "cloud-cost-optimize", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/cloud-cost-optimize/SKILL.md`
- **code-comments** (skill): Adds high-signal code comments and docstrings that explain WHY (intent, invariants, gotchas) rather than restating WHAT, in the language's idiomatic doc format (JSDoc/TSDoc, Google/NumPy Python docstrings, rustdoc, godoc) — without over-commenting. Activation hint: when the user's task closely matches the workflow described by "code-comments", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/code-comments/SKILL.md`
- **code-review** (skill): Reviews the current git diff or a target PR/branch for correctness bugs, logic errors, edge cases, and missing error handling, grouping findings by severity (Critical/Warning/Suggestion). Use after implementing a non-trivial change and before declaring it done, or when asked to review a PR. Activation hint: when the user's task closely matches the workflow described by "code-review", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/code-review/SKILL.md`
- **compose-local-dev-stack** (skill): Wires a local multi-service development stack with Docker Compose — app plus backing datastores (Postgres/Redis/Kafka), dependency-ordered healthchecks (depends_on condition: service_healthy), pinned images and named volumes, seed/init scripts, hot-reload bind mounts, profiles, and one-command up/down/reset via a Makefile. Activation hint: when the user's task closely matches the workflow described by "compose-local-dev-stack", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/compose-local-dev-stack/SKILL.md`
- **configure-bundler-build** (skill): Configures and optimizes the JS/TS build toolchain — tsconfig plus a bundler (Vite/esbuild/Rollup/tsup/webpack) — for correct module output (ESM/CJS/dual + types), code splitting, tree-shaking, sourcemaps, env injection, and fast incremental builds. Activation hint: when the user's task closely matches the workflow described by "configure-bundler-build", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/configure-bundler-build/SKILL.md`
- **configure-dns-tls** (skill): Configures DNS records and TLS for a service — A/AAAA/CNAME/ALIAS/MX/TXT/CAA, zero-downtime cutovers via pre-lowered TTL, automated ACME/Let's Encrypt/cert-manager issuance and auto-renewal, and TLS 1.2+/1.3-only settings with HSTS, OCSP stapling, and 80→443 redirect — eliminating expired-cert and bad-cutover outages. Activation hint: when the user's task closely matches the workflow described by "configure-dns-tls", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/configure-dns-tls/SKILL.md`
- **configure-reverse-proxy-lb** (skill): Configures a reverse proxy / load balancer (nginx, Envoy, Caddy, HAProxy) in front of services — upstream pools, active/passive health checks, per-hop connect/read/send timeouts, TLS termination vs passthrough, idempotent-only retries with circuit breaking, sticky sessions, and zero-drop graceful reloads. Activation hint: when the user's task closely matches the workflow described by "configure-reverse-proxy-lb", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/configure-reverse-proxy-lb/SKILL.md`
- **configure-security-headers-csp** (skill): Configures HTTP response security headers and a strict, nonce/hash-based Content-Security-Policy — script-src with a per-request nonce or sha256 hash plus 'strict-dynamic' (so you can drop host allowlists and 'unsafe-inline'), object-src 'none', base-uri 'none', frame-ancestors to control framing, a Report-Only rollout via report-to/report-uri before enforcing, plus HSTS with includeSubDomains+preload, X-Content-Type… Activation hint: when the user's task closely matches the workflow described by "configure-security-headers-csp", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/configure-security-headers-csp/SKILL.md`
- **contract-testing** (skill): Implements consumer-driven contract testing so services deploy independently without a full integration environment — the consumer's unit tests record concrete request/response expectations against a stub (Pact (pact-jvm / pact-js / pact-python), or Spring Cloud Contract DSL), the resulting contract (pact file / Spring stub jar) is published to a broker (Pact Broker / PactFlow) tagged by consumer version + branch + enviro… Activation hint: when the user's task closely matches the workflow described by "contract-testing", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/contract-testing/SKILL.md`
- **datetime-timezone-correctness** (skill): Implements and fixes correct date/time handling — UTC/instant storage, IANA timezone and DST conversion (gaps and overlaps), explicit ISO-8601 parsing/formatting, calendar-vs-elapsed duration math, DST-stable RRULE recurrence, and monotonic-vs-wall-clock duration measurement. Activation hint: when the user's task closely matches the workflow described by "datetime-timezone-correctness", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/datetime-timezone-correctness/SKILL.md`
- **db-migration-safety** (skill): Reviews and writes database migrations for safety — lock contention, blocking DDL on large tables, data-loss/destructive operations, missing indexes, and rollback plans. Use before running any schema change against a real or production database. Activation hint: when the user's task closely matches the workflow described by "db-migration-safety", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/db-migration-safety/SKILL.md`
- **debug-ci-pipeline-failure** (skill): Debugs a red CI job to root cause instead of blind-rerunning — reproduce locally in the SAME image (act -j, gitlab-runner exec, circleci local execute, or docker run the exact pinned digest), read the full log + the real exit code (124=timeout, 137=OOM/SIGKILL, 143=SIGTERM, 139=segfault), then classify into flaky / env-drift / poisoned-or-stale cache / resource-OOM / missing-secret / timeout / test-ordering / netwo… Activation hint: when the user's task closely matches the workflow described by "debug-ci-pipeline-failure", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/debug-ci-pipeline-failure/SKILL.md`
- **debug-flaky-tests** (skill): Diagnoses and fixes non-deterministic test failures at root cause instead of masking them with retries — classify the flake (test-order/shared-state pollution, async timing/sleep races, real-clock/timezone dependence, unseeded RNG, network/IO/external calls, resource leaks, port/temp-dir collisions), reproduce it reliably: loop the test 50–1000×, randomize order with a fixed seed, run in isolation vs full suite to loc… Activation hint: when the user's task closely matches the workflow described by "debug-flaky-tests", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/debug-flaky-tests/SKILL.md`
- **debug-frontend-browser** (skill): Diagnoses runtime UI bugs live in the browser — console/network errors, hydration mismatches, failed renders, CORS, broken interactions; used when a page misbehaves at runtime. Activation hint: when the user's task closely matches the workflow described by "debug-frontend-browser", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/debug-frontend-browser/SKILL.md`
- **debug-root-cause** (skill): Diagnoses a failing test, crash, exception, or wrong output by reproducing the failure, isolating the cause, and fixing at the root — never by suppressing the error or weakening assertions. Activation hint: when the user's task closely matches the workflow described by "debug-root-cause", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/debug-root-cause/SKILL.md`
- **defend-llm-prompt-injection** (skill): Hardens an LLM feature against prompt injection, jailbreaks, and unsafe output — isolating untrusted content as data, adding input/output guardrails, an injection classifier, PII/secret redaction before logging, least-privilege tools with human-in-the-loop, output-schema validation, and moderation — so untrusted text cannot hijack the model or exfiltrate data. Activation hint: when the user's task closely matches the workflow described by "defend-llm-prompt-injection", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/defend-llm-prompt-injection/SKILL.md`
- **deliver-webhooks** (skill): Builds the producer side of webhooks — you dispatch signed events to customers' HTTPS endpoints. Sign every payload with HMAC-SHA256 over "{timestamp}.{raw body}" in a versioned signature header with per-endpoint secrets and rotation overlap; deliver at-least-once with exponential backoff + jitter over hours, then dead-letter with manual replay; send thin events (id, type, ts, minimal data) so consumers re-fetch the r… Activation hint: when the user's task closely matches the workflow described by "deliver-webhooks", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/deliver-webhooks/SKILL.md`
- **dependency-upgrade** (skill): Upgrades and audits project dependencies safely — reads changelogs/breaking changes, bumps versions, fixes resulting breakage, and verifies with tests/build. Use when updating packages, resolving version conflicts, or patching a vulnerable dependency. Activation hint: when the user's task closely matches the workflow described by "dependency-upgrade", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/dependency-upgrade/SKILL.md`
- **deploy-release** (skill): Prepares and runs a safe deploy/release — pre-flight checks (tests/build green, env vars, migrations applied), versioning/tagging, rollout, and post-deploy smoke verification with a rollback path. Use when shipping a build to staging/production. Activation hint: when the user's task closely matches the workflow described by "deploy-release", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/deploy-release/SKILL.md`
- **design-api-pagination** (skill): Designs paginated list endpoints that stay correct and fast under concurrent writes — cursor/keyset pagination over a stable total ordering with a unique tie-break key (e.g. ORDER BY created_at DESC, id DESC and WHERE (created_at, id) < (?, ?)), opaque base64url-encoded cursors that bind sort+filter so they can't be tampered or reused across queries, a sane page size (default 20-50 and hard cap 100), and the {data, next_cur… Activation hint: when the user's task closely matches the workflow described by "design-api-pagination", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/design-api-pagination/SKILL.md`
- **design-authorization-model** (skill): Designs an authorization model — RBAC/ABAC/ReBAC, multi-tenant isolation, resource ownership, and policy-as-code (OPA/Cedar/Oso) — keeping authZ (decisions) separate from authN (identity) in a centralized, testable policy layer enforced down to the data tier. Activation hint: when the user's task closely matches the workflow described by "design-authorization-model", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/design-authorization-model/SKILL.md`
- **design-backup-dr-recovery** (skill): Designs and validates backup, point-in-time-recovery, and disaster-recovery strategy for datastores — sets RPO/RTO targets, configures snapshot plus continuous WAL/binlog/oplog archiving for PITR, 3-2-1 immutable retention, automated test-restores, and cross-region replica failover with split-brain fencing. Activation hint: when the user's task closely matches the workflow described by "design-backup-dr-recovery", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/design-backup-dr-recovery/SKILL.md`
- **design-event-sourcing-cqrs** (skill): Designs event-sourced and CQRS systems — past-tense immutable event schemas, aggregate boundaries with command→validate→emit→apply and expected-version optimistic concurrency, append-only per-stream event store with outbox publishing, rebuildable idempotent projections, snapshotting, and versioned upcasting for event evolution. Activation hint: when the user's task closely matches the workflow described by "design-event-sourcing-cqrs", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/design-event-sourcing-cqrs/SKILL.md`
- **design-multi-tenancy** (skill): Architects a SaaS so many customer orgs share infrastructure without leaking into each other — picking an isolation model (shared schema + Postgres RLS, schema-per-tenant, or database-per-tenant) against an explicit cost/blast-radius/ops tradeoff table, resolving and propagating tenant context from request to DB session, and enforcing isolation in depth: app-layer query scoping PLUS RLS as the safety net so a single fo… Activation hint: when the user's task closely matches the workflow described by "design-multi-tenancy", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/design-multi-tenancy/SKILL.md`
- **design-protobuf-grpc-service** (skill): Designs and evolves gRPC/protobuf service contracts — message and service definitions, unary vs streaming RPC selection, wire-compatible schema evolution (reserved tags, safe vs breaking changes), canonical status codes, deadlines/cancellation, interceptors, and buf-driven codegen plus breaking-change detection. Activation hint: when the user's task closely matches the workflow described by "design-protobuf-grpc-service", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/design-protobuf-grpc-service/SKILL.md`
- **design-relational-schema** (skill): Designs a normalized relational schema from requirements — entities, relationships, PK strategy (surrogate bigint vs natural vs UUIDv7/ULID), 1:1/1:N/M:N and inheritance modeling, 3NF/BCNF normalization, invariants encoded as UNIQUE/CHECK/FK/exclusion constraints, and deliberate read-path denormalization with stated consistency tradeoffs. Activation hint: when the user's task closely matches the workflow described by "design-relational-schema", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/design-relational-schema/SKILL.md`
- **design-search-index-infra** (skill): Designs full-text and vector search infrastructure — Elasticsearch/OpenSearch mappings and analyzers, vector index parameters (HNSW M/efConstruction, IVF nlist/PQ), BM25+vector hybrid via RRF, offline relevance tuning, capacity/shard topology, and alias-based zero-downtime reindex. Activation hint: when the user's task closely matches the workflow described by "design-search-index-infra", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/design-search-index-infra/SKILL.md`
- **design-state-machine** (skill): Models a lifecycle (order status, connection, checkout/approval flow, device/job state) as an EXPLICIT finite state machine or statechart instead of boolean-flag soup — enumerate states + events as closed sets, define transitions as a total (state×event) → state function with guards and entry/exit actions, make the current state a single persisted column (not N booleans), reject every undefined (state, event) pair loudly, an… Activation hint: when the user's task closely matches the workflow described by "design-state-machine", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/design-state-machine/SKILL.md`
- **design-token-system** (skill): Architects a framework-agnostic design-token system with primitive/semantic/component tiers, theming and multi-brand/dark-mode alias contracts, and multi-platform export (CSS vars, Tailwind, JS/TS, iOS/Android) from one W3C-DTCG source via Style Dictionary. Activation hint: when the user's task closely matches the workflow described by "design-token-system", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/design-token-system/SKILL.md`
- **diff-table-parity** (skill): Compares two tables or query results and diagnoses exactly how they differ — row counts, key set differences, per-column value mismatches — for migration and refactor validation. Activation hint: when the user's task closely matches the workflow described by "diff-table-parity", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/diff-table-parity/SKILL.md`
- **distributed-locks-leases** (skill): Implements distributed mutual exclusion and leader election correctly across processes/nodes — Redis SET key token NX PX with a unique random token + Lua compare-and-delete unlock (never bare DEL), etcd/ZooKeeper/Consul leases (lease grant + TTL + keepAlive renewal, ephemeral znode + watch on predecessor for leader election), and Postgres advisory locks (pg_advisory_lock / pg_try_advisory_xact_lock) for single-DB serial… Activation hint: when the user's task closely matches the workflow described by "distributed-locks-leases", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/distributed-locks-leases/SKILL.md`
- **dockerfile-optimize** (skill): Authors and optimizes Dockerfiles for small, secure, fast-building container images: multi-stage builds, minimal/distroless bases, layer caching, non-root users, and .dockerignore. Triggers when writing or reviewing a Dockerfile, shrinking image size, fixing slow builds, or hardening a container image. Activation hint: when the user's task closely matches the workflow described by "dockerfile-optimize", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/dockerfile-optimize/SKILL.md`
- **encrypt-sensitive-data** (skill): Encrypts sensitive data at rest, in transit, and per-field using AEAD-only ciphers (AES-256-GCM or ChaCha20-Poly1305) — never ECB, never unauthenticated CBC, never raw RSA — envelope encryption where a KMS-held KEK wraps a per-record/per-tenant DEK, per-column field encryption for PII with deterministic-vs-randomized chosen per query need, strict unique-nonce/IV discipline (random 96-bit or counter, NEVER reused under… Activation hint: when the user's task closely matches the workflow described by "encrypt-sensitive-data", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/encrypt-sensitive-data/SKILL.md`
- **error-message** (skill): Sanook writes and audits user-facing error and exception messages so they state what failed, why, and the next action — actionable, specific, non-blaming, no leaked internals — applying a consistent voice across CLI/API/UI. Activation hint: when the user's task closely matches the workflow described by "error-message", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/error-message/SKILL.md`
- **estimate-work** (skill): Produces grounded effort estimates for a task/feature — decomposing into subtasks, assigning size (story points or t-shirt S/M/L), surfacing assumptions, unknowns, and risk buffers, and giving an optimistic/likely/pessimistic range instead of a single false number. Activation hint: when the user's task closely matches the workflow described by "estimate-work", use it for a pre-install experience first, then decide whether to install. Evidence: `skills/estimate-work/SKILL.md`
- **explore-codebase**（skill）：Explores an unfamiliar codebase to map architecture, locate where a feature lives, and find reusable utilities before writing code — returning a concise summary of entrypoints, key modules, and conventions. Use when entering a new repo or before a change that spans files you don't know yet. 激活提示：当用户任务与“explore-codebase”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/explore-codebase/SKILL.md`
- **feature-flags-rollout**（skill）：Implements feature flags and progressive delivery — kill switches, percentage/targeted rollouts, sticky hashed bucketing, fail-safe evaluation, 1→10→50→100 ramps with guardrail-metric rollback, and TTL-enforced stale-flag cleanup — so changes ship decoupled from deploys and reverse in seconds. 激活提示：当用户任务与“feature-flags-rollout”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/feature-flags-rollout/SKILL.md`
- **file-upload-object-storage**（skill）：Implements secure file/image/video upload to object storage via short-lived presigned URLs or POST policies, with content-type + size validation, magic-byte verification, non-guessable tenant-scoped key namespacing, multipart/resumable transfer, private buckets with signed-URL access, and post-upload scan/transcode + lifecycle cleanup. 激活提示：当用户任务与“file-upload-object-storage”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/file-upload-object-storage/SKILL.md`
- **fuzz-dynamic-security-test**（skill）：Sets up dynamic security testing — coverage-guided fuzzing of parsers and input handlers libFuzzer/cargo-fuzz/AFL++/go test -fuzz/atheris and DAST scanning of a running app OWASP ZAP/nuclei — wired into CI with seed corpora, crash minimization, baseline suppression, and regression-corpus commits. 激活提示：当用户任务与“fuzz-dynamic-security-test”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/fuzz-dynamic-security-test/SKILL.md`
- **git-commit-pr**（skill）：Stages and writes a Conventional Commits message from the actual diff, then opens a pull request with a structured description summary, changes, test plan using the gh CLI. Use when changes are ready to commit and/or turn into a PR. 激活提示：当用户任务与“git-commit-pr”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/git-commit-pr/SKILL.md`
- **gitops-deploy-workflow**（skill）：Sets up GitOps delivery with ArgoCD or Flux CD — declarative app definitions, app-of-apps/Kustomize overlays, sync policies, progressive delivery canary/blue-green , and drift reconciliation. Triggers when configuring ArgoCD/Flux, structuring a GitOps repo, or debugging out-of-sync/drift. 激活提示：当用户任务与“gitops-deploy-workflow”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/gitops-deploy-workflow/SKILL.md`
- **harden-llm-app-reliability**（skill）：Hardens LLM API calls for production with per-call timeouts and cancellation, exponential-backoff-plus-full-jitter retries on 429/500/529 that honor Retry-After, model fallback, one-round structured-output repair, refusal/stop reason handling, and a circuit-breaker degraded mode so a flaky provider never breaks the feature. 激活提示：当用户任务与“harden-llm-app-reliability”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/harden-llm-app-reliability/SKILL.md`
- **i18n-localization-setup**（skill）：Externalizes user-facing text into message catalogs keyed by stable IDs and wires locale-correct rendering — ICU MessageFormat plurals/gender/select, named-placeholder interpolation, Intl/CLDR number/date/list/relative-time formatting, RTL/bidi via logical CSS, and an extract→translate→compile pipeline with pseudo-localization. 激活提示：当用户任务与“i18n-localization-setup”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/i18n-localization-setup/SKILL.md`
- **idempotency-keys**（skill）：Makes operations safe to repeat so retries and at-least-once delivery don't double-charge or double-create — idempotency by design first PUT/upsert, conditional writes with version/ETag/If-Match, natural deterministic keys, set-don't-increment and by key second client Idempotency-Key header, a dedup table keyed unique on the key that stores request fingerprint + status + response and replays the SAME response, 409 i… 激活提示：当用户任务与“idempotency-keys”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/idempotency-keys/SKILL.md`
- **implement-from-design**（skill）：Translates a design Figma/screenshot/mockup into pixel-faithful, responsive, token-driven frontend code, then visually diffs the result; used when building UI from a visual spec. 激活提示：当用户任务与“implement-from-design”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/implement-from-design/SKILL.md`
- **implement-push-notifications**（skill）：Implements end-to-end mobile push — APNs token-auth and FCM HTTP v1 provider setup, device-token registration and rotation, alert vs silent/data payload schemas, the server send path, foreground/background/killed receipt handling, tap-to-deep-link routing, rich media via service extensions, and permission-prompt UX. 激活提示：当用户任务与“implement-push-notifications”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/implement-push-notifications/SKILL.md`
- **incident-response-sre**（skill）：Drives live incident response and postmortems SRE-style: severity triage P0–P3 , log/metric/trace correlation to find what changed, safe mitigation, comms updates, and blameless postmortem with action items. Triggers during an active incident/outage, on-call triage, or writing a postmortem afterward. 激活提示：当用户任务与“incident-response-sre”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/incident-response-sre/SKILL.md`
- **ingest-webhook-secure**（skill）：Builds secure inbound webhook receivers that verify HMAC/asymmetric signatures over the raw body, reject replays via signed-timestamp windows and seen-id stores, dedup idempotently on provider event id, and fast-ack within timeout before processing async. Use when receiving callbacks from an external service that must be authentic, non-replayed, and handled exactly once. 激活提示：当用户任务与“ingest-webhook-secure”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/ingest-webhook-secure/SKILL.md`
- **integrate-oauth-oidc**（skill）：Integrates a THIRD-PARTY identity provider via OpenID Connect — "Log in with Google/GitHub/Microsoft/Apple" or acting as an OAuth client to a third-party API. Uses the Authorization Code flow with PKCE S256 everywhere SPA, native, server ; mandatory state CSRF + nonce replay ; exact-match redirect uri; server-side code→token exchange no client secret in public clients ; strict ID-token validation against JWKS; safe… 激活提示：当用户任务与“integrate-oauth-oidc”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/integrate-oauth-oidc/SKILL.md`
- **k8s-debug-workload**（skill）：Systematically diagnoses live Kubernetes workload failures — CrashLoopBackOff, ImagePullBackOff, OOMKilled, pending pods, failing probes — by gathering describe/logs/events/node status and isolating root cause. Triggers when a pod won't start, keeps restarting, or a deployment is stuck/unhealthy in a cluster. 激活提示：当用户任务与“k8s-debug-workload”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/k8s-debug-workload/SKILL.md`
- **k8s-manifest-review**（skill）：Reviews and writes Kubernetes / Helm manifests for production-readiness: resource requests/limits, probes, security contexts, PodDisruptionBudgets, standard labels, and validation via kubeconform/conftest. Triggers when authoring or reviewing k8s YAML or Helm charts, or before applying manifests to a cluster. 激活提示：当用户任务与“k8s-manifest-review”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/k8s-manifest-review/SKILL.md`
- **llm-eval-harness**（skill）：Builds an evaluation harness for LLM/agent outputs using golden datasets, code-based scorers, and LLM-as-judge, run as a regression gate when prompts, models, or RAG configs change. 激活提示：当用户任务与“llm-eval-harness”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/llm-eval-harness/SKILL.md`
- **load-stress-test**（skill）：Designs and runs load, stress, soak, and spike tests against an HTTP/gRPC service using an open arrival-rate model — driving a realistic endpoint mix with think-time past the saturation knee and reporting latency percentiles, throughput ceiling, and breaking point against machine-checkable SLO thresholds. 激活提示：当用户任务与“load-stress-test”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/load-stress-test/SKILL.md`
- **manage-client-server-state**（skill）：Sets up server-state with TanStack Query caching, mutations, optimistic updates, hydration and picks the right client-state tool; used when wiring data fetching or untangling state. 激活提示：当用户任务与“manage-client-server-state”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/manage-client-server-state/SKILL.md`
- **map-privacy-data-gdpr**（skill）：Implements privacy/data-protection engineering — personal-data inventory/mapping RoPA , lawful-basis and versioned consent capture, DSAR machine-readable export and right-to-erasure cascades across derived data/logs/backups, TTL/scheduled retention purge, and PII minimization/pseudonymization — for GDPR/CCPA-style compliance. 激活提示：当用户任务与“map-privacy-data-gdpr”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/map-privacy-data-gdpr/SKILL.md`
- **mermaid-diagram**（skill）：Turn requirements, code, or a system description into validated Mermaid diagrams flowchart, sequence, class, ER, state, C4, Gantt, mindmap, git graph and verify they render via mermaid-cli before delivering. 激活提示：当用户任务与“mermaid-diagram”描述的流程高度相关时，先用它做安装前体验，再决定是否安装。 证据：`skills/mermaid-diagram/SKILL.md`
- 其余 66 个条目见 `AI_CONTEXT_PACK.json`。

## Evidence Index

- 152 pieces of evidence indexed in total.

- **Overview** (documentation): Sanook CLI The terminal AI coding agent with a memory that outlives the session. Bring your own key · 9 providers · MCP · Obsidian second brain · gateway & cron 🇹🇭 Read in Thai Evidence: `README.md`
- **{{VAULT NAME}}** (documentation): A "second brain" system on Obsidian: a knowledge base plus memory for an AI agent that can keep working across sessions. Evidence: `second-brain/README.md`
- **Package** (package_manifest): { "name": "sanook-cli", "version": "0.5.7", "description": "A terminal AI coding agent — BYOK, 9 providers, MCP, cron gateway, skills, and git awareness. Built from scratch in TypeScript.", "type": "module", "bin": { "sanook": "dist/bin.js", "sanookai": "dist/bin.js" }, "files": ["dist", "skills", "second-brain", "scripts/postinstall.mjs", "README.md", "CHANGELOG.md", "LICENSE", ".env.example"], "scripts": { "dev": "tsx src/bin.ts", "build": "node -e \"require('node:fs').rmSync('dist',{recursive:true,force:true})\" && tsc -p tsconfig.build.json && node scripts/copy-dashboard-static.mjs && node -e \"require('node:fs').chmodSync('dist/bin.js',0o755)\"", "typecheck": "tsc --noEmit", "test": "vi… Evidence: `package.json`
- **AGENTS — Operating Config for "{{VAULT NAME}}"** (documentation): AGENTS — Operating Config for "{{VAULT NAME}}" Evidence: `second-brain/AGENTS.md`
- **Operating Constitution — Assistant for {{OWNER NAME}}** (documentation): Operating Constitution — Assistant for {{OWNER NAME}} Evidence: `second-brain/CLAUDE.md`
- **Gemini — Operating Config for "{{VAULT NAME}}"** (documentation): Gemini — Operating Config for "{{VAULT NAME}}" Evidence: `second-brain/GEMINI.md`
- **When to Use** (skill_instruction): Reach for this when an LLM agent — not a human — is the caller: Evidence: `skills/agent-tool-mcp-builder/SKILL.md`
- **When to Use** (skill_instruction): Invoke before writing or merging any change that alters an API contract: Evidence: `skills/api-design-review/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when the code touches more than one thing happening at once and correctness depends on ordering, timing, or shared state: Evidence: `skills/async-concurrency-correctness/SKILL.md`
- **When to Use** (skill_instruction): Trigger this skill when the task is to audit or fix UI for accessibility: WCAG 2.2 AA, screen readers, ARIA, keyboard nav, color contrast, focus management, or preparing an a11y review. Evidence: `skills/audit-accessibility-wcag/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when the question is about license obligations, not which versions to ship or whether the build is tamper-proof: Evidence: `skills/audit-license-compliance/SKILL.md`
- **When to Use** (skill_instruction): Trigger this skill when the request involves: improving search discoverability/indexing, adding or fixing / tags, Open Graph or Twitter Card previews, schema.org / JSON-LD structured data, canonical URLs, sitemap.xml, robots.txt, hreflang, or "why isn't this page showing up / previewing right on social". No API keys, crawler accounts, or paid tools required — this is static analysis + code fixes on the project's own source. Evidence: `skills/audit-technical-seo/SKILL.md`
- **When to Use** (skill_instruction): Use when writing or fixing the code that logs a user in and authorizes their requests: Evidence: `skills/auth-jwt-session/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when the same structural edit must hit many files and correctness depends on understanding the code's grammar, not its text: Evidence: `skills/author-codemod/SKILL.md`
- **When to Use** (skill_instruction): Invoke when the request is a design decision, not a typing task. Concrete triggers: Evidence: `skills/brainstorm-design/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when the requirement is a defensible record of who did what to whom, not operational telemetry: Evidence: `skills/build-audit-logging/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when data must flow as a continuous change stream, not land in scheduled batches: Evidence: `skills/build-cdc-streaming-pipeline/SKILL.md`
- **When to Use** (skill_instruction):
  - "I'm writing a CLI — how should I structure subcommands, flags, and help?"
  - "My tool breaks when I pipe it to jq or redirect to a file — output is garbled / has color codes."
  - "CI can't tell why my command failed — every error exits 1."
  - "I need a --json mode so scripts can parse my output."
  - "Colors/spinners show up in log files but shouldn't" / "respect `NO_COLOR`."
  - "How do I take a secret without it leaking in ps / shell history?"
  - "Add shell completion / a --dry-run / proper Ctrl-C cleanup."
  Evidence: `skills/build-cli-tool/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when you're building a real data grid, not a static : Evidence: `skills/build-data-table/SKILL.md`
- **When to Use** (skill_instruction): Use when the work is a repeatable, scheduled flow that moves data from one or more sources into a sink/warehouse — not a one-off transform of a single file. Signals: "ingest from the API every hour", "incremental load", "CDC", "backfill", "dedup on load", "Airflow DAG", "dbt models", "the nightly job". Evidence: `skills/build-etl-pipeline/SKILL.md`
- **When to Use** (skill_instruction): Use this skill when building or fixing a form in a React/Next.js codebase — anything touching react-hook-form, zod, zodResolver, field arrays, multi-step/wizard flows, or server-action input validation. This covers the client form layer: schema-driven validation, RHF wiring, accessible errors, and the client↔server-action contract. Evidence: `skills/build-form-validation/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when building or reviewing a native iOS/Android screen in a declarative UI framework (SwiftUI or Jetpack Compose, i.e. Swift/Kotlin — not React Native or Flutter): Evidence: `skills/build-native-mobile-ui/SKILL.md`
- **When to Use** (skill_instruction): Trigger this skill when the task produces or modifies a .docx or .pptx file: Evidence: `skills/build-office-docs/SKILL.md`
- **When to Use** (skill_instruction): Reach for this when the client is the source of truth while offline and must converge with a server later, not just cache responses: Evidence: `skills/build-offline-first-sync/SKILL.md`
- **When to Use** (skill_instruction): Use this skill when creating, scaffolding, or restructuring a React/Next.js component, page, or layout. It is most valuable when you must decide Server vs Client Component boundaries, design a typed props contract, or lay out files. Skip it for trivial edits to an existing component (text/className tweaks, prop renames) — just edit directly. Evidence: `skills/build-react-component/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when the request is about pushing live data to clients over a long-lived connection: Evidence: `skills/build-realtime-channel/SKILL.md`
- **When to Use** (skill_instruction): Use this skill to produce a .xlsx artifact a human will open in Excel — a financial model, budget, tracker, report, or dashboard. The deliverable is a live workbook: formulas recalculate, charts re-render, sheets cross-reference. Evidence: `skills/build-spreadsheet/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when the task is the quality and mechanics of vector retrieval itself — embeddings, the ANN index, hybrid/rerank, and measuring relevance: Evidence: `skills/build-vector-search/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when a read is slow or repeated and the underlying data is more read than written and tolerant of some staleness. Evidence: `skills/caching-strategy/SKILL.md`
- **When to Use** (skill_instruction): Use this skill when the task touches a pipeline definition file or its performance/security: Evidence: `skills/cicd-pipeline-author/SKILL.md`
- **When to Use** (skill_instruction):
  - Cloud bill jumped vs last month/period and you need to find what and why before paying it.
  - Scheduled FinOps / cost review of an account, project, or subscription.
  - Right-sizing a fleet (EC2 / Compute Engine / VM Scale Sets, RDS/Cloud SQL, EKS/GKE/AKS nodes).
  - Hunting idle or orphaned resources draining money with zero traffic.
  - Deciding commitment strategy: Savings Plans / Reserved Instances / Committed-Use Discounts vs Spot/Preemptible.
  Evidence: `skills/cloud-cost-optimize/SKILL.md`
- **When to Use** (skill_instruction):
  - User says "comment this", "add docstrings", "document this function/module/class", or "explain this tricky block".
  - Prepping code for handoff or review where intent isn't obvious.
  - Legacy code with zero comments where you must infer and record WHY.
  - NOT for prose docs (README/guides/API pages) — that's write-docs.
  - NOT a refactor — if logic looks wrong, flag it separately; this skill changes comments only.
  Evidence: `skills/code-comments/SKILL.md`
- **When to Use** (skill_instruction):
  - Right after finishing a non-trivial implementation, before reporting it as done.
  - When explicitly asked to review a PR, branch, or working-tree diff.
  - When a change touches logic, control flow, data handling, or error paths across one or more files.
  Evidence: `skills/code-review/SKILL.md`
- **When to Use** (skill_instruction): Reach for this when the request is about standing up the app's runtime dependencies on a laptop, reproducibly, with one command: Evidence: `skills/compose-local-dev-stack/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when the problem is how source compiles and emits, not how it runs in a browser or container: Evidence: `skills/configure-bundler-build/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when the task is names and certificates — getting a domain to resolve to your service and serving valid HTTPS that renews itself: Evidence: `skills/configure-dns-tls/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when the request is about the proxy/LB layer between clients and your services: Evidence: `skills/configure-reverse-proxy-lb/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when the task is setting HTTP response headers and CSP as defense-in-depth policy, not chasing one specific vulnerability: Evidence: `skills/configure-security-headers-csp/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when two or more independently deployed services integrate and you want integration confidence at unit-test speed, not via a fragile end-to-end stack: Evidence: `skills/contract-testing/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when the bug or task is about what a timestamp means, not how it looks on screen: Evidence: `skills/datetime-timezone-correctness/SKILL.md`
- **When to Use** (skill_instruction): Trigger this skill before writing or running ANY of these against a real/production DB: Evidence: `skills/db-migration-safety/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when a CI job is failing and you need to find out WHY before touching anything: Evidence: `skills/debug-ci-pipeline-failure/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when a test's pass/fail result is non-deterministic — same code, different outcome: Evidence: `skills/debug-flaky-tests/SKILL.md`
- **When to Use** (skill_instruction): The page is already rendering (or failing to) in a real browser and behaves wrong. Reach here when: Evidence: `skills/debug-frontend-browser/SKILL.md`
- **When to Use** (skill_instruction): Invoke when a failure already exists and you need to find why: Evidence: `skills/debug-root-cause/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when untrusted text flows into a model that has power tools, private data, side effects — the question is containment, not output quality: Evidence: `skills/defend-llm-prompt-injection/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when your service emits events that third parties subscribe to and you must deliver them verifiably and reliably: Evidence: `skills/deliver-webhooks/SKILL.md`
- **When to Use** (skill_instruction):
  - A package is outdated and you need it updated (new feature, bug fix, or just freshness).
  - A security advisory / CVE affects a direct or transitive dependency and needs patching.
  - A version conflict or broken lockfile blocks install (peer-dep mismatch, resolution error).
  - A major-version bump is requested and the resulting breakage must be fixed and verified.
  Evidence: `skills/dependency-upgrade/SKILL.md`
- **When to Use** (skill_instruction): Use this skill when shipping a build to staging or production: cutting a release, tagging a version, or rolling out a deployment. Do not use it for local dev runs, hotfix branches that never reach a shared environment, or read-only inspection of a running service. Evidence: `skills/deploy-release/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when an endpoint returns a list that's too big for one response and must page through it correctly: Evidence: `skills/design-api-pagination/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when the question is "is this caller allowed to do this to this resource?" — not "who is this caller?": Evidence: `skills/design-authorization-model/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when the question is "can we get the data back, and how fast" — not how to change the schema: Evidence: `skills/design-backup-dr-recovery/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when the domain needs the history of changes as first-class truth, not just the current row: Evidence: `skills/design-event-sourcing-cqrs/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when the question is "how do I keep tenant A's data away from tenant B while they share the same stack?" — the isolation architecture, not the per-user permissions inside one org: Evidence: `skills/design-multi-tenancy/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when the contract is a .proto / gRPC wire format, not an HTTP/JSON shape: Evidence: `skills/design-protobuf-grpc-service/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when you're designing the shape of the data, before any table exists: Evidence: `skills/design-relational-schema/SKILL.md`
- **When to Use** (skill_instruction): Reach for this when the request is about the search index itself — how documents are mapped, scored, and stored — not the application logic that calls it: Evidence: `skills/design-search-index-infra/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when an entity moves through named stages and only some moves are legal: Evidence: `skills/design-state-machine/SKILL.md`
- **When to Use** (skill_instruction): Reach for this skill when the problem is the token architecture and export pipeline, not a single component's styling: Evidence: `skills/design-token-system/SKILL.md`
- **When to Use** (skill_instruction): Reach for this when the question is "are A and B the same data, and if not, exactly how do they differ?" Concrete triggers: Evidence: `skills/diff-table-parity/SKILL.md`
- The remaining 92 pieces of evidence are in `AI_CONTEXT_PACK.json` or `EVIDENCE_INDEX.json`.

## Rules the Host AI Must Follow

- **Treat this asset as pre-work context, not a runtime environment.**: The AI Context Pack contains only evidence-backed project understanding, not the executable state of the target project. Evidence: `README.md`, `second-brain/README.md`, `package.json`
- **When answering the user, distinguish content that can be previewed from content that can only be verified after installation.**: The consumer value of a pre-install preview comes from reducing mis-installs and misjudgments, not from posing as a real run. Evidence: `README.md`, `second-brain/README.md`, `package.json`

## Questions the User Should Answer Before Starting

- Which host AI or local environment do you plan to use it in?
- Do you just want to try the workflow first, or are you preparing for a real install?
- What matters most to you: install cost, output quality, or conflicts with your existing rules?

## Acceptance Criteria

- Every capability claim can be traced back to a file path in evidence_refs.
- AI_CONTEXT_PACK.md does not package the preview as a real run.
- A user can understand within 3 minutes who it suits, what it can do, how to start, and where the risk boundaries are.

---

## Doramagic Context Augmentation

The content below reinforces the main Repomix/AI Context Pack body. The Human Manual provides only a reading skeleton; the pitfall log is converted into working constraints the host AI must follow.

## Human Manual Skeleton

Usage rule: this is only a reading route through the project and a salience signal, not a factual authority. Specific facts must still come from repo evidence / the Claim Graph.

Hard rules for the host AI:
- Do not treat page titles, section order, summaries or importance as evidence of project facts.
- When explaining the Human Manual skeleton, state explicitly that it is only a reading route / salience signal.
- Judgments about capability, installation, compatibility, runtime state and risk must cite repo evidence, a source path or the Claim Graph.

- **Project overview, quick start and overall architecture**: importance `high`
  - source_paths: README.md, package.json, src/bin.ts, src/cli-args.ts, src/commands.ts
- **Agent loop, tool sandbox and model providers**: importance `high`
  - source_paths: src/loop.ts, src/agentContext.ts, src/approval.ts, src/checkpoint.ts, src/compaction.ts
- **Layered memory system and second-brain workspace**: importance `high`
  - source_paths: src/memory.ts, src/memory-store.ts, src/memory-log.ts, src/turn-retrieval.ts, src/tools/remember.ts
- **Gateway, messaging channels, MCP, skills and local dashboard**: importance `high`
  - source_paths: src/gateway/serve.ts, src/gateway/server.ts, src/gateway/auth.ts, src/gateway/config.ts, src/gateway/scheduler.ts

## Repo Inspection Evidence

- repo_clone_verified: true
- repo_inspection_verified: true
- repo_commit: `914c0319db94fa5b650c708bbd04095e4f75dcbf`
- inspected_files: `README.md`, `package.json`, `docs/INSTALL_INFRA.md`, `src/agentContext.ts`, `src/approval.test.ts`, `src/approval.ts`, `src/auth-config.test.ts`, `src/auto-maintain.test.ts`, `src/auto-maintain.ts`, `src/bin.ts`, `src/brain-consolidate.test.ts`, `src/brain-consolidate.ts`, `src/brain-context.test.ts`, `src/brain-context.ts`, `src/brain-doctor.test.ts`, `src/brain-doctor.ts`, `src/brain-eval.test.ts`, `src/brain-eval.ts`, `src/brain-final.test.ts`, `src/brain-final.ts`

Hard rules for the host AI:
- Without repo_clone_verified=true, do not claim to have read the source code.
- Without repo_inspection_verified=true, do not present judgments about README/docs/package files as facts.
- Without quick_start_verified=true, do not claim the Quick Start has been run successfully.

## Doramagic Pitfall Constraints

These rules come from project-specific pitfalls that Doramagic found, verified or compiled. The host AI must treat them as working constraints, not as ordinary explanatory text.

### Constraint 1: May modify host AI configuration

- Trigger: the project targets hosts such as Claude/Cursor/Codex/Gemini/OpenCode, or the install command touches the user's configuration directory.
- Host AI rule: list the configuration files and directories that will be written, plus the uninstall/rollback steps.
- Why it matters: installation may change how the local AI tools behave; the user needs to know the write locations and how to roll back.
- Evidence: capability.host_targets | https://github.com/Sir-chawakorn/sanook-cli | host_targets=mcp_host, claude, claude_code, gemini_cli, codex
- Hard boundary: do not present this pitfall as resolved, verified or ignorable unless later verification evidence clearly shows it is closed.

### Constraint 2: Capability judgment depends on assumptions

- Trigger: README/documentation is current enough for a first validation pass.
- Host AI rule: turn the assumptions into a downstream verification checklist.
- Why it matters: if the assumptions do not hold, the user does not get the promised capability.
- Evidence: capability.assumptions | https://github.com/Sir-chawakorn/sanook-cli | README/documentation is current enough for a first validation pass.
- Hard boundary: do not present this pitfall as resolved, verified or ignorable unless later verification evidence clearly shows it is closed.

### Constraint 3: Maintenance activity unknown

- Trigger: last_activity_observed not recorded.
- Host AI rule: supplement with GitHub signals: recent commits, releases, and issue/PR response.
- Why it matters: new, abandoned and active projects get mixed together, lowering recommendation trust.
- Evidence: evidence.maintainer_signals | https://github.com/Sir-chawakorn/sanook-cli | last_activity_observed missing
- Hard boundary: do not present this pitfall as resolved, verified or ignorable unless later verification evidence clearly shows it is closed.

- Trigger: no_demo
- Evidence: downstream_validation.risk_items | https://github.com/Sir-chawakorn/sanook-cli | no_demo; severity=medium
- Hard boundary: do not present this pitfall as resolved, verified or ignorable unless later verification evidence clearly shows it is closed.

### Constraint 5: Scoring risk present

- Trigger: no_demo
- Why it matters: the risk affects whether the project is suitable for ordinary users to install.
- Evidence: risks.scoring_risks | https://github.com/Sir-chawakorn/sanook-cli | no_demo; severity=medium
- Hard boundary: do not present this pitfall as resolved, verified or ignorable unless later verification evidence clearly shows it is closed.

### Constraint 6: issue/PR response quality unknown

- Trigger: issue_or_pr_quality=unknown.
- Host AI rule: sample recent issues/PRs and judge whether they go unattended for long periods.
- Why it matters: the user cannot tell whether anyone will maintain the project when they hit problems.
- Evidence: evidence.maintainer_signals | https://github.com/Sir-chawakorn/sanook-cli | issue_or_pr_quality=unknown
- Hard boundary: do not present this pitfall as resolved, verified or ignorable unless later verification evidence clearly shows it is closed.

### Constraint 7: Release cadence unclear

- Trigger: release_recency=unknown.
- Host AI rule: confirm whether the latest release/tag matches the README install commands.
- Why it matters: install commands and docs may lag behind the code, raising the chance the user hits pitfalls.
- Evidence: evidence.maintainer_signals | https://github.com/Sir-chawakorn/sanook-cli | release_recency=unknown
- Hard boundary: do not present this pitfall as resolved, verified or ignorable unless later verification evidence clearly shows it is closed.
