朱子纯 / erp-workflow-plugin

Replaces the phase-level read-only behavior-gate with a per-FE acceptance dimension: each FE is approved only when the code-reviewer approves AND runtime behavior verification is green. Behavior defects (dead control / sentinel text mismatch) become fixable must-fix that drive verify->fix->re-verify, not halts.

- reviewWithFixLoop (frontend only, via if(fe)): at the approve gate, behaviorSubGate boots this FE's full stack + seeds sentinels, enumerates this FE's routes, two-tier asserts. Hard issues with a locator -> fixPrompt -> functional reverify -> next behaviorRound; soft text (i18n/literal/semantic) -> adjudicate(continue); behaviorRound bounded by BEHAVIOR_FE_MAX=3, env race by BEHAVIOR_ATTEMPT_MAX=2. Backend featureLoop branch unchanged.

- New runFrontendSkeleton stage (before featureLoop(frontend)): App shell + full lazy router + FeStub placeholders + shared nav, so the app is buildable at every mid-phase point; tdd swaps FeStub->real component per FE. Idempotent via fe-skeleton-done tag.

- BEHAVIOR_GATE_SCHEMA gains build-failed envError kind (sibling-FE-unimpl short-circuit, not a bug) + locator-not-resolvable coverage reason; deriveSpec emits a per-FE route-scope section, reviewer validates it.

- Removed phase-level runBehaviorGate + 'Behavior' phase; kept phase-level testGate (regression). REVIEW_HARD_ROUNDS 8->10.

- Safety: test-DB naming guard pushed into scripts-setup-test-db.mjs template (fail-closed unless name contains test/_dev/_local or ALLOW_NONTEST_DROP=1) + 3 tests.

- agentType stays erp-workflow:code-reviewer. v1 design doc marked SUPERSEDED; v2 design at docs/design/2026-06-02-frontend-behavior-in-review-loop.md.

Verified: wrapped syntax check SYNTAX_OK, 87/87 lib tests pass, no orphan refs, no time/random builtins, top-level return intact. Not yet run end-to-end against a real ERP project.

validate-ddl now recognizes the db-init A.1 DDL form (CREATE TABLE →
CREATE INDEX → ALTER TABLE ADD FK), so schemas with out-of-body indexes/
FKs no longer report false-positive index/FK diffs. Adds a second parse
pass (mergeStandaloneIndexes / mergeStandaloneForeignKeys), string-literal
blanking so DEFAULT/COMMENT text isn't mistaken for real DDL, backtick
non-ASCII identifier support across all matchers (H3), and shared index-
column normalization (strip backtick / prefix-length / ASC|DESC) on both
docs and DDL sides. Chinese 主键/唯一 index labels map to PRIMARY/UNIQUE.

apply-ddl resolves mysql2 from the target project dir (not the plugin),
rejects 【人工填写】 credential placeholders before connecting, and exits 2
on missing config/DDL paths. setup-test-db template validates schema as an
ASCII identifier before interpolating it into DROP/CREATE. db-init gains a
B.1 toolchain precheck (mysql2 module + mysql client) before any DROP.

- resolveDbConfig only ever received the 5 DB_* keys dbEnvFromConfig emits;
  the MYSQL_*/DB_PASS/DB_NAME fallbacks had no producer (dead speculative
  generality, a dotenv-era leftover). Remove them.
- collapse the config → DB_* env-shape → connection two-hop: resolveDbConfig
  now reads config.database.{host,port,user,password,schema} directly, and
  dbEnvFromConfig is removed.
- CLI contract (node apply-ddl.mjs <configPath> <ddlPath>), the only caller
  via db-init, is unchanged.
- rewrite tests to the parsed-config shape; drop the alias-only tests. 53 pass.

- delete lib/merge-gitignore.mjs + merge-gitignore.test.mjs: over-engineered for a once-run greenfield step (base .gitignore usually absent; duplicate ignore patterns are harmless)
- D now uses C.1-style Read+Write: Write template if no .gitignore, else append missing lines (consistent with render.mjs removal + scope-lock direct-write)
- removes the 'pre-Write empty .gitignore' fragility (Write self-creates); skeleton-gen drops Bash(node *) from allowed-tools

- remove render.mjs/render.test.mjs (scope-lock now writes REQ cards directly)
- add yaml-config.mjs: minimal 2-level YAML reader (+ tests)
- apply-ddl: parse config-vars.yaml database: section instead of .env.local dotenv; drop assertSafeDbTarget host-whitelist + schema guards (config-vars.yaml is trusted)
- merge-gitignore/validate-ddl: self-contained pathToFileURL comment (no longer 'see render.mjs')

Independent Claude + Codex review of the working-tree diff surfaced
23 issues; all applied in-place across three domains.

workflows/coding.mjs (9):
- spec/plan/verify/review prompts now git-commit their artifacts
  (closes milestone-dirty-worktree halt risk)
- CHECKBOX_STATE_SCHEMA requires `state` + defensive guard in reviewWithFixLoop
- writeDocs08FieldPromptM scopes edits to module via line anchor
- assertSafeId guards Router output (module/REQ/FE ids)
- featureLoop captures reviewWithFixLoop's return value
- dateFromArtifactPath rejects impossible dates (9999-99-99 etc.)
- terminal HALT review-unresolved message disambiguated
- updated comment on top-level `return` (ESM vs node --check)

lib/validate-ddl.mjs + tests (10):
- extractType preserves unsigned/signed modifiers
- KEY/INDEX fallthrough no longer creates spurious 'KEY' columns
- FOREIGN KEY REFERENCES accepts schema-qualified `db.table`
- index keys normalized to name:kind:cols (UNIQUE-aware)
- FK keys include ON DELETE action (defaults to RESTRICT)
- CREATE TEMPORARY TABLE parsed
- parseForeignKeyBullet/parseIndexBullet reject prose bullets
- +10 regression tests (62 total, all pass)
- merge-gitignore.mjs docstring synced to implementation

skills/ (4):
- docs-06 template header: § 一~二 → § 一~三
- downstream-gen §A steps renumbered 1-7 (was 1,3,4,5,6,7,8)
- docs-08 initial template adds tokens.css checkbox
- coding-start drops "已在后台启动" wording (Workflow is synchronous)

- 新增 scope-lock/templates/config-vars-template.yaml：非敏感项目级配置
  （包名/端口/前端包名/初始账号）+ secrets_ref 键名引用 .env.local；
  A1 E.2 锁定。docs/07 改为只记规则/约定不记具体值。
- 连带更新 skeleton-gen / plan-start 闸门 2 / frontend-scope-lock /
  CLAUDE-template / README / docs-06·07 模板对齐新的配置分层与 docs/06 小节编号。
- lib 修复（含回归测试）：
  - apply-ddl: 抽出 resolveDbConfig，DB_SCHEMA 为契约 schema 键，缺库名 fail-closed (M1)
  - render: 用 Object.hasOwn 拒绝原型链继承键，guard process.argv[1]
  - validate-ddl: 解析 ### 索引/### 外键 bullet (C2)、剥 SQL 注释防幽灵表 (L4)、PRIMARY 归一化
- coding.mjs: Router 把全部前端 FE 聚合为单一末尾 frontend-phase 模块；
  新增 branchSetupPrompt 功能分支生命周期 (C1)；diff 区间改三点 diff；fix 后复跑 verify。

…frontend scope-lock) + de-bash + ERP-confirmable