competition-supply-chain


Competition Supply Chain


Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the challenge is really about provenance, dependency drift, build output, release flow, or what runtime artifact actually got shipped.
Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start


  1. Split the problem into source, dependency resolution, build, packaging, publish, and runtime consumption.
  2. Decide where the first divergence occurs between intended artifact and runtime artifact.
  3. Keep provenance as a compact chain, not a scattered set of observations.
  4. Reproduce the smallest possible build or package path that still shows the issue.
  5. Separate checked-in intent from what the pipeline actually emitted.

Workflow


1. Trace Provenance End-To-End


  • Map source checkout, lockfiles, dependency fetch, pre/post-install steps, build scripts, packaging, publish target, and runtime consumer.
  • Compare declared version, resolved version, and shipped artifact.
  • Note registry, cache, mirror, or CI environment differences.

2. Reconcile Build-Time And Runtime


  • Compare manifests with image layers, mounted secrets, generated files, and runtime hooks.
  • Identify whether the decisive mutation happens in dependency install, build step, publish step, or runtime bootstrap.

3. Report The Break Point


  • State the earliest point where provenance diverges.
  • Keep evidence in one short chain from source to runtime consumer.
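
One way to carry out the declared / resolved / shipped comparison from the workflow above and report the earliest break per dependency, as an added example that is not part of the original skill. It assumes an npm-style manifest with exact version pins and a package-lock.json `packages` map; the package names, URLs, tarball bytes and the `EXPECTED_REGISTRY` value are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import urlparse

EXPECTED_REGISTRY = "registry.npmjs.org"  # assumption: the registry the project intends to use

def sri_sha512(data: bytes) -> str:
    """SRI string in the 'sha512-<base64>' form used by npm lockfile integrity fields."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()

def first_divergence(manifest: dict, lock: dict, shipped: dict) -> dict:
    """Map each declared dependency to (stage, detail) for its earliest break, or None."""
    report = {}
    for name, declared in manifest.get("dependencies", {}).items():
        entry = lock.get("packages", {}).get(f"node_modules/{name}")
        if entry is None:
            report[name] = ("dependency-resolution", "declared but absent from lockfile")
            continue
        host = urlparse(entry["resolved"]).hostname
        if entry["version"] != declared:  # assumption: manifest uses exact pins
            report[name] = ("dependency-resolution", f"declared {declared}, resolved {entry['version']}")
        elif host != EXPECTED_REGISTRY:
            report[name] = ("dependency-fetch", f"fetched from {host}")
        elif name not in shipped:
            report[name] = ("packaging", "resolved but missing from shipped artifact")
        elif sri_sha512(shipped[name]) != entry["integrity"]:
            report[name] = ("packaging", "shipped bytes do not match lockfile integrity")
        else:
            report[name] = None
    return report

# Constructed sample data: package names, URLs and tarball bytes are invented.
def _entry(version, url, data):
    return {"version": version, "resolved": url, "integrity": sri_sha512(data)}

TARBALLS = {n: f"constructed tarball for {n}".encode() for n in ("pkg-a", "pkg-b", "pkg-c", "pkg-d")}
MANIFEST = {"dependencies": {"pkg-a": "1.0.0", "pkg-b": "2.0.1", "pkg-c": "0.4.0", "pkg-d": "3.1.0"}}
LOCK = {"packages": {
    "node_modules/pkg-a": _entry("1.0.0", "https://registry.npmjs.org/pkg-a/-/pkg-a-1.0.0.tgz", TARBALLS["pkg-a"]),
    "node_modules/pkg-b": _entry("2.0.2", "https://registry.npmjs.org/pkg-b/-/pkg-b-2.0.2.tgz", TARBALLS["pkg-b"]),
    "node_modules/pkg-c": _entry("0.4.0", "https://mirror.example.internal/pkg-c-0.4.0.tgz", TARBALLS["pkg-c"]),
    "node_modules/pkg-d": _entry("3.1.0", "https://registry.npmjs.org/pkg-d/-/pkg-d-3.1.0.tgz", TARBALLS["pkg-d"]),
}}
# Bytes actually found in the shipped image: pkg-d was altered after resolution.
SHIPPED = {**TARBALLS, "pkg-d": b"constructed tarball for pkg-d, modified in build step"}

if __name__ == "__main__":
    for dep, finding in first_divergence(MANIFEST, LOCK, SHIPPED).items():
        print(dep, "->", finding or "chain intact")
```

The checks run in pipeline order, so a dependency that drifts at resolution is reported there even if its shipped bytes also differ.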

Read This Reference


  • Load references/supply-chain.md for the provenance checklist, evidence packaging, and common pipeline failure modes.

What To Preserve


  • Declared dependency, resolved dependency, and runtime artifact versions
  • CI step names, registry pulls, artifact hashes, and image or package layers
  • The runtime consumer that actually accepts or executes the artifact