supply-chain-security

Supply Chain Security Skill

Supply chain security expert persona

When to activate

  • Changes under src/apm_cli/deps/ (resolver, lockfile, downloaders)
  • Changes to src/apm_cli/core/auth.py or token_manager.py
  • Changes to src/apm_cli/integration/cleanup.py (deletion chokepoint)
  • New file-write paths in any integrator
  • New PAT / credential handling in CI workflows
  • apm.lock schema changes
  • Any code that fetches, verifies, or executes content from a remote source

Key rules

  • All path construction routes through src/apm_cli/utils/path_security.py (no ad-hoc ".." in x).
  • All deletions of deployed files route through integration/cleanup.py:remove_stale_deployed_files() (3 safety gates).
  • All credential reads route through AuthResolver -- never raw os.getenv for token vars.
  • Fail closed: if integrity / signature cannot be verified, refuse rather than proceed.
  • Token values must never appear in user-facing strings.
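
A reviewer can check two of these rules mechanically. The sketch below is an added example, not code from the project: it walks a Python file's AST and flags ad-hoc ".." in x checks and raw environment reads of token variables. The rule labels, the TOKEN_VAR name pattern and the sample source are assumptions made for illustration.

```python
import ast
import re

# Assumption: token variables are recognised by name; adjust to the project's real list.
TOKEN_VAR = re.compile(r"TOKEN|(^|_)PAT(_|$)")

def _is_os_attr(node, attr):
    """True when node is the expression os.<attr>."""
    return (isinstance(node, ast.Attribute) and node.attr == attr
            and isinstance(node.value, ast.Name) and node.value.id == "os")

def _str_const(node):
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None

def find_violations(source):
    """Return sorted (line, rule) pairs; rule labels are hypothetical."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Compare) and _str_const(node.left) == ".." \
                and any(isinstance(op, (ast.In, ast.NotIn)) for op in node.ops):
            found.append((node.lineno, "ad-hoc-dotdot-check"))
        elif isinstance(node, ast.Call) and node.args:
            # Covers os.getenv("X") and os.environ.get("X").
            f = node.func
            raw = _is_os_attr(f, "getenv") or (
                isinstance(f, ast.Attribute) and f.attr == "get" and _is_os_attr(f.value, "environ"))
            name = _str_const(node.args[0])
            if raw and name and TOKEN_VAR.search(name):
                found.append((node.lineno, "raw-token-env-read"))
        elif isinstance(node, ast.Subscript) and _is_os_attr(node.value, "environ"):
            name = _str_const(node.slice)  # Python 3.9+: slice is the expression itself
            if name and TOKEN_VAR.search(name):
                found.append((node.lineno, "raw-token-env-read"))
    return sorted(found)

# Constructed sample source, not taken from the project.
SAMPLE = '''import os
def unpack(name, dest):
    if ".." in name:
        raise ValueError("bad path")
    return os.path.join(dest, name)
token = os.getenv("GITHUB_TOKEN")
pat = os.environ["EXAMPLE_PAT"]
home = os.environ.get("HOME")
search = os.getenv("PATH")
'''

if __name__ == "__main__":
    print(find_violations(SAMPLE))
```

The check only sees literal variable names; reads through a computed name or an aliased os import still need a human reviewer.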