docs: add 2026-04-18 optimization baseline to governance documents

- Add optimization baseline appendix to QUALITY_STANDARD.md defining current baseline gates for all future optimization work - Update REAL_PROJECT_STATUS.md with latest project status - Add experience summary to PROJECT_EXPERIENCE_SUMMARY.md - Add technical guide updates to TECHNICAL_GUIDE.md - Add FULL_CODE_REVIEW_REPORT_2026-04-17.md as reference document
2026-04-18 12:24:36 +08:00
parent bba44e820a
commit b6f330fe7d
5 changed files with 808 additions and 14 deletions
--- a/docs/status/REAL_PROJECT_STATUS.md
+++ b/docs/status/REAL_PROJECT_STATUS.md
@@ -1,6 +1,6 @@
 # REAL PROJECT STATUS

-## 2026-04-10 Review Update (TDD修复后)
+## 2026-04-10 复核更新（TDD修复后）

 本节记录 2026-04-10 TDD修复后的最新状态。

@@ -48,13 +48,13 @@

 ---

-## 2026-04-10 Review Update (原始)
+## 2026-04-10 复核更新（原始）

-This section supersedes older status summaries when they conflict with the
-fresh 2026-04-10 review evidence in
-`docs/code-review/PROJECT_REAL_COMPLETION_REVIEW_2026-04-10.md`.
+当本节与更早的状态摘要冲突时，以
+`docs/code-review/PROJECT_REAL_COMPLETION_REVIEW_2026-04-10.md`
+中的 2026-04-10 新鲜复核证据为准。

-### Fresh verification snapshot
+### 最新验证快照

 | Command | Result | Note |
 |------|------|------|
@@ -70,7 +70,7 @@ fresh 2026-04-10 review evidence in
 | `cd frontend/admin && npm.cmd audit --omit=dev --json --registry=https://registry.npmjs.org/` | `PASS` | production vulnerabilities `0` |
 | `cd frontend/admin && npm.cmd run e2e:full:win` | `FAIL` | browser E2E wrapper still fails in the backend build/bootstrap stage |

-### Current real blockers
+### 当前真实阻塞项

 - Full backend release-style verification is still red because of the `LL_001` login-log pagination SLA gate.
 - Browser-level E2E cannot yet be honestly claimed re-verified in the current review environment.
@@ -81,15 +81,14 @@ fresh 2026-04-10 review evidence in
  - `CreateAdmin` still hardcodes admin role ID `1` and skips the stronger validation pattern already used by admin bootstrap.
 - Avatar upload remains a visible stub on the backend.

-### Current honest external statement
+### 当前诚实的对外表述

-The project now has a mostly green routine verification baseline, but it still
-cannot be presented as fully release-closed. The correct statement is:
+项目当前已经具备“大部分常规验证为绿色”的基线，但仍不能表述为“完整发布闭环”。更准确的说法是：

- backend short-path checks, frontend lint/build/tests, dependency audit, and local vuln scan are green
- one full backend SLA gate is still red
- browser-level E2E is still not freshly closed in this review
- RBAC/admin-management hardening and avatar upload remain open items
+- 后端短路径检查、前端 lint/build/tests、依赖审计和本地漏洞扫描为绿色
+- 仍有一个完整后端 SLA 门禁为红灯
+- 浏览器级 E2E 在本轮复核中仍不能诚实宣称重新闭环
+- RBAC/管理员治理加固和头像上传相关治理项仍未全部关闭

 ## 2026-04-09 二次复核更新（与审查报告对齐）

@@ -1437,3 +1436,25 @@ powershell -ExecutionPolicy Bypass -File scripts/ops/validate-secret-boundary.ps
  - `npm.cmd run test:coverage` still exits successfully but prints one post-summary jsdom `AggregateError` network-noise line.
 - Evidence:
  - [`docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-140215.md`](/D:/project/docs/evidence/ops/2026-03-28/quality/COVERAGE_REMEDIATION_20260328-140215.md)
+## 2026-04-18 复核附录
+
+当本附录与下方旧状态表述冲突时，以本附录基于 2026-04-18 新鲜命令证据和直接代码核查得到的结论为准。
+
+### 最新验证快照
+
+| Command | Result | Note |
+|------|------|------|
+| `go build ./cmd/server` | `PASS` | 退出码 `0` |
+| `go vet ./...` | `PASS` | 退出码 `0` |
+| `go test ./... -count=1` | `PASS` | 退出码 `0`；总耗时约 `326.8s`；`internal/service` 用时 `316.011s` |
+| `cd frontend/admin && npm.cmd run lint` | `FAIL` | 当前工作区在 `src/lib/device-fingerprint.test.ts` 与 `src/lib/http/index.test.ts` 有 5 个 ESLint 错误 |
+| `cd frontend/admin && npm.cmd run build` | `PASS` | 退出码 `0` |
+
+### 当前真实情况
+
+- `AssignRoles` 已通过 `ReplaceUserRoles(...)` 实现，不再是 stub。
+- `CreateAdmin/DeleteAdmin` 已实现，且具备事务性/保护逻辑，不应再表述为缺失。
+- `UploadAvatar` 已实现；当前剩余问题是 `/uploads` 的公开暴露面，而不是后端 stub。
+- `PUT /api/v1/users/:id` 仍缺少 self-or-admin 授权校验，依然是真实的 IDOR 风险。
+- 密码登录仍绕过 TOTP/设备信任门禁，依然是真实的发布阻塞项。
+- `UserRepository.ListCursor()` 仍允许与 `created_at` 游标谓词不一致的排序字段，依然是真实的正确性缺陷。