# pre-release
Release readiness gate: runs all AI audit skills in sequence and produces a go/no-go report. Use before triggering the release workflow.
| Field | Value |
|-------|-------|
| name | pre-release |
| description | Release readiness gate: runs all AI audit skills in sequence and produces a go/no-go report. Use before triggering the release workflow. |
Run this skill before triggering `release.yml`. It orchestrates all AI audit skills in the correct order and produces a structured go/no-go report.

The `release.yml` workflow handles the deterministic part (version bump, doc generation, Nix hash recompute, packaging CI, SBOM, git-flow finalization). This skill handles the judgment-based part that cannot be automated in CI.
Gather the change set since the last tagged release:

```bash
git log --oneline $(git describe --tags --abbrev=0)..HEAD
git diff --stat $(git describe --tags --abbrev=0)..HEAD
```
Record: which crates changed, whether crypto/KMIP/auth/UI was touched, whether any
non-fips feature gate was added or removed.
Invoke /kms-sync-rules with the full diff since the last tag.
Verify every applicable sub-rule (4.1–4.17) is satisfied. Block on any open item.
Invoke /security-review on each changed area:

- `crate/server/src/core/operations/` if any KMIP operation changed
- `crate/server/src/middlewares/` if auth changed
- `crate/server/src/routes/` if any endpoint changed
- `crate/crypto/src/` if any crypto primitive changed

Block on any HIGH or CRITICAL finding.
Invoke /cryptography-review on crate/crypto/src/.
Skip if no file under crate/crypto/ or crate/server/src/openssl_providers.rs changed.
Block on: disallowed algorithm added, missing `#[cfg(feature = "non-fips")]` gate,
incorrect key size, OpenSSL provider init bypassed, multi-standard compliance divergence.
Invoke /standards-review on the changed areas.
Skip if the change is purely internal refactoring with no spec-level behavioral difference.
Block on: any 🔴 Violation (contradicts a MUST/SHALL requirement in a governing standard).
Invoke /kmip-compliance for each changed operation.
Skip if no file under crate/kmip/, crate/server/src/core/operations/, or
crate/server/src/core/operations/dispatch.rs changed.
Block on: spec deviation, missing dispatch arm, missing access control check.
Invoke /threat-model in incremental mode if any of these changed:

- `crate/server/src/middlewares/`
- `crate/server/src/routes/`
- `crate/server/src/config/`
- `crate/hsm/`

Skip if only internal refactoring or test changes.
Run locally to confirm CI will pass:

```bash
cargo clippy-all      # zero warnings required
cargo fmt --all       # no formatting drift
cargo test-fips       # full FIPS suite
cargo test-non-fips   # full non-FIPS suite
```
Invoke /kms-changelog.
Verify CHANGELOG/<branch>.md covers every user-visible change:
public API signatures, CLI flags/output, config keys, default behavior,
supported algorithms, operator-visible error messages.
Invoke /kms-release-notes <version> (substitute the actual semver).
This aggregates all CHANGELOG/*.md files into a single human-readable release
note at CHANGELOG/RELEASE_<version>.md. Review it before proceeding:
Produce this exact report:

```markdown
## Pre-Release Readiness Report — v<X.Y.Z>

| Check | Status | Blocking findings |
|-------|--------|-------------------|
| Sync rules (4.1–4.17) | ✅ PASS / ❌ BLOCK | [list open items] |
| Security review | ✅ PASS / ❌ BLOCK | [HIGH/CRITICAL findings] |
| FIPS audit | ✅ PASS / ⏭ SKIPPED / ❌ BLOCK | [violations] |
| KMIP compliance | ✅ PASS / ⏭ SKIPPED / ❌ BLOCK | [spec deviations] |
| Threat model | ✅ PASS / ⏭ SKIPPED / ❌ BLOCK | [new unmitigated threats] |
| Clippy | ✅ PASS / ❌ BLOCK | [warning count] |
| Test suite (FIPS) | ✅ PASS / ❌ BLOCK | [failing tests] |
| Test suite (non-FIPS) | ✅ PASS / ❌ BLOCK | [failing tests] |
| CHANGELOG | ✅ PASS / ❌ BLOCK | [missing entries] |
| Release notes | ✅ PASS / ❌ BLOCK | [missing sections] |

### Verdict

**GO** — all checks pass. Trigger `release.yml` with inputs:
- `new_version`: <X.Y.Z>
- `base`: develop

**NO-GO** — resolve blocking findings before release.
```
All ❌ BLOCK items must be resolved before triggering release.yml.
⏭ SKIPPED items are acceptable when the skip condition is confirmed.
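The skip conditions of the audit steps above and the verdict rule for the report can be made mechanical from the file list since the last tag. The helper below is an added example, not part of this skill or the project: the path prefixes come from the skill text, while the helper names, the "test-only change" approximation (paths under a `tests/` directory, applied only to the threat-model step) and the sample file list are constructed assumptions.

```bash
#!/usr/bin/env sh
# Added example (not project code): decide run/skip for the skippable audits
# and reduce check statuses to the GO / NO-GO verdict.

# Print "run" or "skip" for one audit; changed paths arrive one per line on stdin.
# Prefixes are those named in the skill. Only threat-model ignores test-only
# paths (an assumption of this example; the skill leaves that judgment to the reviewer).
gate_decision() {
  exclude='^$'   # default: drop blank lines only
  case "$1" in
    security-review)     pattern='^crate/server/src/(core/operations|middlewares|routes)/|^crate/crypto/src/' ;;
    cryptography-review) pattern='^crate/crypto/|^crate/server/src/openssl_providers\.rs$' ;;
    kmip-compliance)     pattern='^crate/kmip/|^crate/server/src/core/operations/' ;;
    threat-model)        pattern='^crate/server/src/(middlewares|routes|config)/|^crate/hsm/'
                         exclude='(^|/)tests/' ;;
    *) echo "unknown audit: $1" >&2; return 2 ;;
  esac
  if grep -Ev "$exclude" | grep -Eq "$pattern"; then echo run; else echo skip; fi
}

# Emit "<audit>:<run|skip>" for each skippable audit, in the order the skill runs them.
gate_plan() {
  changed=$(cat)
  for audit in security-review cryptography-review kmip-compliance threat-model; do
    printf '%s:%s\n' "$audit" "$(printf '%s\n' "$changed" | gate_decision "$audit")"
  done
}

# Reduce "<check>:<PASS|SKIPPED|BLOCK>" lines on stdin to the report verdict:
# any BLOCK is NO-GO; SKIPPED is acceptable once its skip condition is confirmed.
verdict() {
  if grep -q ':BLOCK$'; then echo NO-GO; else echo GO; fi
}

# Constructed sample change set: an auth middleware edit, a test-only crypto edit,
# and a changelog entry. Expect security/crypto/threat-model to run, KMIP to skip.
gate_plan <<'EOF'
crate/server/src/middlewares/jwt.rs
crate/crypto/tests/aes_test.rs
CHANGELOG/develop.md
EOF
```

In practice feed `git diff --name-only $(git describe --tags --abbrev=0)..HEAD` into `gate_plan`; the run/skip lines map onto the SKIPPED cells of the readiness report.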