kms-sync-rules
Auto-detect changed files via git diff and emit only the applicable AGENTS.md synchronization sub-rules as a checklist. Use after every code change.
| name | kms-sync-rules |
| description | Auto-detect changed files via git diff and emit only the applicable AGENTS.md synchronization sub-rules as a checklist. Use after every code change. |
Detect changed files and emit only the synchronization sub-rules that apply to your current changes.
Run the following to discover what has changed:

```bash
# Staged + unstaged changes (working tree):
git diff --name-only HEAD
# Only staged changes (about to be committed):
git diff --name-only --cached
# Changes on this branch vs develop baseline:
git diff --name-only origin/develop...HEAD 2>/dev/null || git diff --name-only HEAD~1
```
Collect the union of changed paths. If no files are detected, ask the user to describe what they changed.
Apply this path → rule mapping to the detected file list:
| Path pattern | Sub-rules triggered |
|---|---|
| `crate/server/src/routes/**` (new/modified handler) | 4.2, 4.10 |
| `crate/kmip/src/**` or `crate/server/src/core/operations/**` | 4.3, 4.10 |
| `crate/clients/clap/src/**` or `crate/clients/ckms/src/**` | 4.4, 4.15 |
| `ui/src/**` (new UI feature path) | 4.1, 4.4 |
| `crate/clients/wasm/src/**` | 4.5 |
| `crate/server/src/config/**` | 4.6, 4.7 |
| `crate/server/src/middlewares/**` or `crate/server/src/config/wizard/auth_wizard.rs` | 4.9 |
| `test_data/vectors/**` or `crate/test_kms_server/**` | verify 4.10 completeness |
| `Cargo.lock` or `ui/pnpm-lock.yaml` | 4.11 |
| `crate/server/src/routes/aws_xks/**`, `azure_ekm/**`, `google_cse/**` or `ms_dke/**` | 4.12, 4.10 |
| `crate/hsm/**` | 4.13 |
| `documentation/**`, `cli_documentation/**` or `README.md` | 4.14 |
| `ui/tests/e2e/**` | 4.16 |
| `crate/crypto/build.rs` | 4.17 |
Additional heuristic checks:

- `#[cfg(feature = "non-fips")]` changes → add 4.8
- `crate/clients/ckms/src/commands.rs` changed → add 4.15
- `crate/server/src/start_kms_server.rs` changed → verify 4.1, 4.2, 4.8, 4.9 as applicable
- `crate/server/src/middlewares/`, `crate/server/src/core/operations/`, or `crate/crypto/src/` changed and the change fixes a security bug → remind: update `SECURITY.md` with a `COSMIAN-YYYY-NNN` entry (run `/security-review` to generate it)

Output only the sub-rules that were triggered. For each, print the full checklist from the reference below.
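The detection and mapping steps above, written out as a small checker. This is an added example, not code from the kms-sync-rules skill or the KMS repository: the rule numbers and path patterns are transcribed from the table above, the function names (`changed_paths`, `triggered_rules`), the `fixes_security_bug` flag and the sample change set are this example's own choices, and `jwt.rs` is a hypothetical file name. `fnmatch`'s `*` also matches `/`, which is how the table's `dir/**` patterns are emulated; a path under `routes/google_cse/` therefore picks up both the generic routes rule and the cloud-provider rule, exactly as the table intends.

```python
import fnmatch
import re
import subprocess

# Path pattern -> sub-rules, transcribed from the mapping table above.
# fnmatch's "*" also matches "/", so "dir/*" here behaves like the table's "dir/**".
PATH_RULES = [
    ("crate/server/src/routes/*", {"4.2", "4.10"}),
    ("crate/kmip/src/*", {"4.3", "4.10"}),
    ("crate/server/src/core/operations/*", {"4.3", "4.10"}),
    ("crate/clients/clap/src/*", {"4.4", "4.15"}),
    ("crate/clients/ckms/src/*", {"4.4", "4.15"}),
    ("ui/src/*", {"4.1", "4.4"}),
    ("crate/clients/wasm/src/*", {"4.5"}),
    ("crate/server/src/config/*", {"4.6", "4.7"}),
    ("crate/server/src/middlewares/*", {"4.9"}),
    ("crate/server/src/config/wizard/auth_wizard.rs", {"4.9"}),
    ("test_data/vectors/*", {"verify 4.10 completeness"}),
    ("crate/test_kms_server/*", {"verify 4.10 completeness"}),
    ("Cargo.lock", {"4.11"}),
    ("ui/pnpm-lock.yaml", {"4.11"}),
    ("crate/server/src/routes/aws_xks/*", {"4.12", "4.10"}),
    ("crate/server/src/routes/azure_ekm/*", {"4.12", "4.10"}),
    ("crate/server/src/routes/google_cse/*", {"4.12", "4.10"}),
    ("crate/server/src/routes/ms_dke/*", {"4.12", "4.10"}),
    ("crate/hsm/*", {"4.13"}),
    ("documentation/*", {"4.14"}),
    ("cli_documentation/*", {"4.14"}),
    ("README.md", {"4.14"}),
    ("ui/tests/e2e/*", {"4.16"}),
    ("crate/crypto/build.rs", {"4.17"}),
]

# Paths where a security-bug fix needs a SECURITY.md (COSMIAN-YYYY-NNN) entry.
SECURITY_SENSITIVE = (
    "crate/server/src/middlewares/",
    "crate/server/src/core/operations/",
    "crate/crypto/src/",
)


def changed_paths():
    """Union of the three git diff views the skill runs (requires a git checkout)."""
    views = [
        ["git", "diff", "--name-only", "HEAD"],
        ["git", "diff", "--name-only", "--cached"],
        ["git", "diff", "--name-only", "origin/develop...HEAD"],
    ]
    paths = set()
    for cmd in views:
        proc = subprocess.run(cmd, capture_output=True, text=True)
        if proc.returncode != 0 and "origin/develop...HEAD" in cmd:
            # Same fallback as the skill: no develop baseline, compare with the parent commit.
            proc = subprocess.run(["git", "diff", "--name-only", "HEAD~1"],
                                  capture_output=True, text=True)
        paths.update(p for p in proc.stdout.splitlines() if p)
    return paths


def _rule_key(rule):
    # Sort "4.2" before "4.10" (numeric, not lexicographic).
    return tuple(int(n) for n in re.findall(r"\d+", rule)), rule


def triggered_rules(paths, diff_text="", fixes_security_bug=False):
    """Return (sorted sub-rule ids, reminders) for a set of changed paths.

    diff_text is the unified diff, used only for the non-fips heuristic.
    fixes_security_bug is the reviewer's own statement; the script cannot infer it.
    """
    rules, reminders = set(), []
    for path in paths:
        for pattern, ids in PATH_RULES:
            if fnmatch.fnmatchcase(path, pattern):
                rules |= ids
    # Additional heuristic checks from the skill.
    if 'cfg(feature = "non-fips")' in diff_text:
        rules.add("4.8")
    if "crate/clients/ckms/src/commands.rs" in paths:
        rules.add("4.15")
    if "crate/server/src/start_kms_server.rs" in paths:
        reminders.append("verify 4.1, 4.2, 4.8, 4.9 as applicable")
    if fixes_security_bug and any(p.startswith(SECURITY_SENSITIVE) for p in paths):
        reminders.append("update SECURITY.md with a COSMIAN-YYYY-NNN entry "
                         "(run /security-review to generate it)")
    return sorted(rules, key=_rule_key), reminders


# Constructed sample change set (not from a real commit); jwt.rs is a hypothetical file name.
SAMPLE_PATHS = {
    "crate/server/src/routes/google_cse/mod.rs",
    "crate/server/src/middlewares/jwt.rs",
    "Cargo.lock",
}
SAMPLE_DIFF = '+#[cfg(feature = "non-fips")]\n+pub mod legacy_ciphers;\n'

if __name__ == "__main__":
    rules, reminders = triggered_rules(SAMPLE_PATHS, SAMPLE_DIFF, fixes_security_bug=True)
    print("Sub-rules triggered:", ", ".join(rules))
    for note in reminders:
        print("Reminder:", note)
```

Run it from the repository root and swap `SAMPLE_PATHS` for `changed_paths()` to check a real working tree; the SECURITY.md reminder is deliberately gated on an explicit flag rather than on path alone, because the skill asks for the entry only when the change fixes a security bug, and that is something a diff cannot tell you.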
Rule 4.1 (triggered by: `ui/src/**` with new route, or `start_kms_server.rs` changes)

- [ ] `crate/server/src/start_kms_server.rs` — add top-level path to `spa_routes` array (e.g. `"/newfeature{_:.*}"`)
- [ ] `ui/src/App.tsx` — add `<Route path="..." element={<Component />} />`
- [ ] `ui/src/menuItems.tsx` — add `baseMenu` entry; key must match route path prefix

Rule 4.2 (triggered by: `crate/server/src/routes/**`)

- [ ] `crate/server/src/routes/<module>/`
- [ ] `crate/server/src/routes/mod.rs` — `pub mod <module>;` declared
- [ ] `crate/server/src/start_kms_server.rs` — `web::scope(...)` or `.service(...)` registered
- [ ] `crate/server/documentation/openapi.yaml` — path, request/response schemas, tags added
- [ ] `crate/test_kms_server/src/openapi_validation.rs` tests to validate

Rule 4.3 (triggered by: `crate/kmip/src/**`, `crate/server/src/core/operations/**`)

- [ ] `crate/kmip/src/kmip_2_1/kmip_operations.rs` — request/response types defined; variant added to `Operation` enum
- [ ] `crate/server/src/core/operations/dispatch.rs` — match arm added for the new operation
- [ ] `crate/server/src/core/operations/<operation>.rs` — handler implemented
- [ ] `crate/server/src/core/operations/mod.rs`
- [ ] `/kmip-compliance <OperationName>` to validate spec compliance

Rule 4.4 (triggered by: `crate/clients/clap/**`, `crate/clients/ckms/**`, `ui/src/**`)

- [ ] `crate/clients/clap/src/actions/<module>/` — CLI action implemented
- [ ] `crate/clients/ckms/src/commands.rs` — subcommand registered in `CliCommands` enum
- [ ] `ui/src/actions/<Module>/` — React component(s) created
- [ ] `ui/src/App.tsx` — `<Route>` entry added
- [ ] `ui/src/menuItems.tsx` — menu item added
- [ ] `crate/server/src/start_kms_server.rs` — SPA route added if new top-level path
- [ ] `crate/clients/ckms/src/tests.rs` — tests added for new subcommand

Rule 4.5 (triggered by: `crate/clients/wasm/src/**`)

- [ ] `crate/clients/wasm/src/wasm.rs` — `#[wasm_bindgen]` exported function added
- [ ] `wasm-pack build --target web` (from `crate/clients/wasm/`)
- [ ] `ui/src/wasm/pkg/` — regenerated TS types committed

Rule 4.6 (triggered by: `crate/server/src/config/**`)

- [ ] `crate/server/src/config/command_line/clap_config.rs` — struct field with `#[clap(...)]`
- [ ] `crate/server/src/config/wizard/<*>_wizard.rs` — interactive step added/updated
- [ ] `resources/kms.toml` — reference config updated
- [ ] `crate/server/kms_template.toml` — tarball template updated
- [ ] `pkg/kms.toml` — service deployment config updated

Rule 4.7 (triggered by: `crate/server/src/config/wizard/**`)

- [ ] `crate/clients/client/src/config.rs` — client config struct kept consistent

Rule 4.8 (triggered by: non-fips feature changes detected in diff)

- [ ] `#[cfg(feature = "non-fips")]` at function/module level, not inline
- [ ] `crate/server/src/start_kms_server.rs` — scope wrapped in `#[cfg(feature = "non-fips")] { ... }`
- [ ] `crate/server/src/core/operations/dispatch.rs` — dispatch arm gated if needed
- [ ] `#[cfg(feature = "non-fips")]` on module or function
- [ ] `#[cfg(feature = "non-fips")]` on exported function
- [ ] `FIPS_MODE` env var
- [ ] `test.skip(FIPS_MODE, "non-fips only")` in Playwright specs
- [ ] `test_data/vectors/non-fips/` or runner gated with `#[cfg(feature = "non-fips")]`

Rule 4.9 (triggered by: `crate/server/src/middlewares/**`, `crate/server/src/config/wizard/auth_wizard.rs`)

- [ ] `crate/server/src/config/`
- [ ] `crate/server/src/config/wizard/auth_wizard.rs`
- [ ] `crate/server/src/middlewares/`
- [ ] `start_kms_server.rs` wraps the middleware with `Condition::new(use_<auth>, <Middleware>)`
- [ ] `EnsureAuth::new` boolean: `use_jwt_auth || use_cert_auth || use_api_token_auth` (every scope except mTLS-only)

Rule 4.10 (triggered by: most code changes)

- [ ] `test_data/vectors/<category>/<name>/manifest.toml` and TTLV-JSON step files written
- [ ] `crate/test_kms_server/src/vector_runner.rs`
- [ ] `crate/test_kms_server/README.md` row added + total count updated
- [ ] `/kms-test-vector` for guided workflow

Rule 4.11 (triggered by: `Cargo.lock`, `ui/pnpm-lock.yaml`)

- [ ] `nix/expected-hashes/` files with correct `sha256-...` hash from CI output
- [ ] `server.vendor.{static,dynamic}.sha256`, `cli.vendor.{static,dynamic}.{darwin,linux}.sha256`, `ui.vendor.{fips,non-fips}.sha256`, `ui.pnpm.{darwin,linux}.sha256`

Rule 4.12 (triggered by: `crate/server/src/routes/aws_xks/**`, `azure_ekm/**`, `google_cse/**`, `ms_dke/**`)

- [ ] `crate/server/src/config/`
- [ ] `crate/server/src/config/wizard/advanced_wizard.rs`
- [ ] `crate/server/src/routes/<provider>/`, declared in `routes/mod.rs`
- [ ] `start_kms_server.rs` with correct auth middleware
- [ ] `crate/server/documentation/openapi.yaml` updated
- [ ] `crate/clients/clap/src/actions/<provider>/`
- [ ] `ui/src/actions/CloudProviders/`

Rule 4.13 (triggered by: `crate/hsm/**`)

- [ ] `crate/hsm/<model>/`
- [ ] `crate/server/src/config/` or `crate/hsm/base_hsm/`
- [ ] `crate/server/src/config/wizard/hsm_wizard.rs`
- [ ] `test_data/vectors/hsm/<model>/`
- [ ] `.github/workflows/test_all.yml`

Rule 4.14 (triggered by: `documentation/**`, `cli_documentation/**`, `README.md`)

- [ ] `documentation/docs/` — relevant `.md` page added/updated (run `/docs-writer`)
- [ ] `documentation/mkdocs.yml` — nav entry added under correct section
- [ ] `README.md` — brief summary + link added (no full duplication)
- [ ] `cli_documentation/docs/` — CLI docs regenerated if CLI-visible (see Rule 4.15)

Rule 4.15 (triggered by: `crate/clients/ckms/src/**`, `crate/clients/clap/src/**`)

- [ ] `cargo run --bin ckms -- markdown cli_documentation/docs/main_commands.md`

Rule 4.16 (triggered by: `ui/tests/e2e/**`)

- [ ] `ui/tests/e2e/README.md` to reflect current spec files, FIPS-skip table, and test coverage

Rule 4.17 (triggered by: `crate/crypto/build.rs`)

- [ ] `crate/crypto/build.rs` — version, download URL, SHA-256 hash updated
- [ ] `crate/server/src/openssl_providers.rs` — provider init verified compatible
- [ ] `cbom/cbom.cdx.json` — Cryptographic Bill of Materials updated
- [ ] `sbom/` — Software Bill of Materials updated
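Rules 4.11 and 4.17 both come down to pinning a SHA-256 digest of a supply-chain artifact, but in two notations: `build.rs` pins a hex digest for the download, while `nix/expected-hashes/` wants the SRI form `sha256-<base64 digest>` that Nix prints. The helpers below are an added example, not code from the KMS repository or its Nix build; the function names are this example's own, and the sample bytes stand in for a downloaded tarball (a constructed input, not a real OpenSSL release). They convert between the two notations and check a downloaded artifact against the pinned value with a constant-time comparison.

```python
import base64
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the form pinned in build.rs."""
    return hashlib.sha256(data).hexdigest()


def hex_to_sri(hex_digest: str) -> str:
    """Convert a hex SHA-256 digest to the SRI form Nix expects: "sha256-" + standard base64."""
    raw = bytes.fromhex(hex_digest)
    if len(raw) != 32:
        raise ValueError("a SHA-256 digest is 32 bytes")
    return "sha256-" + base64.b64encode(raw).decode("ascii")


def sri_to_hex(sri: str) -> str:
    """Inverse of hex_to_sri; rejects anything that is not a sha256 SRI string."""
    algo, _, b64 = sri.partition("-")
    if algo != "sha256":
        raise ValueError("only sha256 SRI hashes are handled here")
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 32:
        raise ValueError("a SHA-256 digest is 32 bytes")
    return raw.hex()


def verify_pinned(data: bytes, expected_hex: str) -> bool:
    """Compare a downloaded artifact's digest against the pinned hex value in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


# Constructed sample artifact; not a real tarball.
SAMPLE_TARBALL = b"constructed sample bytes standing in for a downloaded source archive\n"

if __name__ == "__main__":
    pinned = sha256_hex(SAMPLE_TARBALL)
    print("build.rs pin:      ", pinned)
    print("expected-hashes:   ", hex_to_sri(pinned))
    print("download verified: ", verify_pinned(SAMPLE_TARBALL, pinned))
    print("tampered verified: ", verify_pinned(SAMPLE_TARBALL + b"x", pinned))
```

When a CI run reports the new hash for an `expected-hashes` file, `sri_to_hex` lets you confirm it is the digest of the same bytes that `build.rs` pins, rather than trusting that the two notations were updated in step.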