refactor(workflows): migrate nightly openspec archive to monthly and enforce cross-platform tooling

Rename nightly-openspec-archive workflows and actions to monthly cadence.
Replace platform-specific shell scripts with Go-based linactl test-go.
Add reusable CI workflows for e2e tests, host-only build smoke, image
publish, and redis cluster smoke. Update service dependency injection to
use explicit construction and add submodule guards for plugin tests.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: gqcn

.agents/skills/lina-review/SKILL.md

@@ -241,6 +241,18 @@ compatibility: 依赖 OpenSpec CLI、GoFrame v2 技能、lina-e2e 技能。
 5. 验证缓存更新与成功的权威数据源写入耦合，而非在事务仍可能回滚前发出。遗漏的失效事件、进程重启和过期的分布式条目必须有恢复路径（如 TTL、版本检查、重建/穿透读取、对账或显式重载）。
 6. 测试或审查证据应在适当的风险级别覆盖变更的缓存行为，特别是单机与集群模式分支、多实例失效、有界陈旧性、重试/重建行为，以及缓存后端不可用时的面向调用方行为。
 
+#### 开发工具与脚本跨平台审查
+
+**触发条件**：任何修改 `Makefile`、`make.cmd`、`hack/makefiles/`、`hack/scripts/`、`hack/tests/scripts/`、`hack/tools/`、`.github/workflows/` 中开发/构建/测试入口，或新增/修改 `.sh`、`.ps1`、`.cmd`、`.mjs`、工具型 `Go` 代码的变更
+
+对每个开发工具或脚本变更，还需执行**跨平台执行审查**：
+1. 默认开发、构建、测试、代码生成、资源打包、服务启停、CI 辅助和仓库治理入口必须能在 `Windows`、`Linux`、`macOS` 上运行。标记依赖单一平台默认命令或语义的实现，例如 `bash`、`sh`、`sed`、`awk`、`grep`、`perl`、`lsof`、`pgrep`、`xargs`、`kill`、`rm`、`cp`、`mv`、`mkdir -p`、POSIX 路径分隔符、Unix 信号或 PowerShell 专属语法。
+2. 长期维护的仓库工具应优先实现为 `Go` 工具，并通过 `go run ./hack/tools/<tool>`、`linactl` 或薄包装入口调用。审查是否把文件复制、目录遍历、配置改写、进程启停、端口探测、HTTP smoke、压缩/解压、模板渲染和静态扫描等逻辑留在 Shell 管道中；能合理迁移到 Go 标准库或已有 Go 组件的，应报告为问题。
+3. `Makefile` 与 `make.cmd` 只能作为兼容包装层，不得承载复杂业务逻辑；二者应委托 `linactl` 或其他跨平台工具。标记在包装层新增不可移植命令、平台专属环境写法或与 Go workspace/plugin workspace 规则冲突的隐式覆盖。
+4. `hack/scripts/` 不应继续承载长期维护脚本。新增或保留 `.sh`、`.ps1` 等平台脚本时，审查结论必须说明无法使用 Go 工具链的原因、受支持平台、等价跨平台入口和验证方式；没有说明的平台脚本应标记为严重问题。
+5. 工具变更必须提供匹配验证证据，例如 `cd hack/tools/linactl && go test ./... -count=1`、`go run ./hack/tools/linactl test-scripts`、目标 Go 工具单元测试、跨平台 smoke 或静态扫描。仅使用 `bash -n`、本机 Shell 试跑或单平台 workflow 不能证明跨平台合规。
+6. 如果变更无开发工具或脚本影响，审查结论应明确说明该判断。
+
 ### 6. SQL 规范审查
 
 **触发条件**：`apps/lina-core/manifest/sql/`、`apps/lina-core/manifest/sql/mock-data/`、`apps/lina-plugins/**/manifest/sql/` 下新增或修改的文件，或相关交付文档中嵌入的 `SQL` 片段
@@ -304,6 +316,9 @@ compatibility: 依赖 OpenSpec CLI、GoFrame v2 技能、lina-e2e 技能。
 ### 分布式缓存一致性审查
 ✓ 已审查分布式缓存一致性 / ⚠ 发现 N 个缓存一致性问题
 
+### 开发工具与脚本跨平台审查
+✓ 开发工具和脚本跨平台合规 / ⚠ 发现 N 个跨平台问题
+
 ### SQL 审查
 ✓ 无 SQL 变更 / ✓ SQL 变更合规 / ⚠ 发现 N 个 SQL 问题
 

.github/actions/host-only-artifact-smoke/action.yml

@@ -0,0 +1,155 @@
+# Host-only artifact smoke test composite action.
+# Boots the compiled backend binary in single-node mode and validates health, login, and plugin endpoints.
+# 宿主模式构建产物冒烟测试复合操作。
+# 以单节点模式启动编译后的后端二进制文件，校验健康检查、登录和插件列表等核心接口。
+name: Host-only Artifact Smoke
+description: Start a host-only backend artifact in Linux GitHub Actions jobs and verify core endpoints.
+
+# Path overrides let callers reuse this action for different build profiles.
+# 路径覆盖参数允许调用方为不同构建配置复用本操作。
+inputs:
+  binary-path:
+    description: Path to the built LinaPro backend artifact.
+    required: false
+    default: temp/host-only-output/lina
+  log-path:
+    description: Path for the backend smoke log.
+    required: false
+    default: temp/host-only-smoke/lina-core.log
+
+runs:
+  using: composite
+  steps:
+    # Start the binary, poll the health endpoint, then verify login and plugin list responses.
+    # 启动二进制文件，轮询健康检查接口，然后验证登录和插件列表响应。
+    - name: Run Host-only Artifact Smoke
+      shell: bash
+      env:
+        BINARY_PATH: ${{ inputs.binary-path }}
+        LOG_PATH: ${{ inputs.log-path }}
+      run: |
+        # Resolve relative paths against the workspace root.
+        # 将相对路径解析为基于工作区根目录的绝对路径。
+        case "${BINARY_PATH}" in
+          /*) binary_abs="${BINARY_PATH}" ;;
+          *) binary_abs="${GITHUB_WORKSPACE}/${BINARY_PATH}" ;;
+        esac
+        case "${LOG_PATH}" in
+          /*) log_abs="${LOG_PATH}" ;;
+          *) log_abs="${GITHUB_WORKSPACE}/${LOG_PATH}" ;;
+        esac
+
+        # Ensure the log directory exists and register a cleanup trap for the backend process.
+        # 确保日志目录存在，并注册清理钩子以在脚本退出时终止后端进程。
+        mkdir -p "$(dirname "${log_abs}")"
+        backend_pid=""
+        cleanup() {
+          if [ -n "${backend_pid}" ] && kill -0 "${backend_pid}" 2>/dev/null; then
+            kill "${backend_pid}" 2>/dev/null || true
+            wait "${backend_pid}" 2>/dev/null || true
+          fi
+        }
+        trap cleanup EXIT INT TERM
+
+        # Launch the backend binary from the lina-core app directory, redirecting output to the log file.
+        # 从 lina-core 应用目录启动后端二进制文件，将输出重定向到日志文件。
+        pushd apps/lina-core >/dev/null
+        "${binary_abs}" > "${log_abs}" 2>&1 &
+        backend_pid="$!"
+        popd >/dev/null
+
+        # Poll the health endpoint for up to 90 seconds, expecting single-node host-only mode.
+        # 轮询健康检查接口最多 90 秒，期望返回单节点宿主模式。
+        response=""
+        for _ in $(seq 1 90); do
+          if ! kill -0 "${backend_pid}" 2>/dev/null; then
+            echo "Host-only backend exited before health check passed" >&2
+            echo "Check log: ${LOG_PATH}" >&2
+            exit 1
+          fi
+          response="$(curl -fsS "http://127.0.0.1:8080/api/v1/health" 2>/dev/null || true)"
+          if [ -n "${response}" ] && HEALTH_RESPONSE="${response}" python3 - <<'PY'
+        import json
+        import os
+        import sys
+
+        payload = json.loads(os.environ["HEALTH_RESPONSE"])
+        data = payload.get("data", payload)
+        if payload.get("code", 0) == 0 and data.get("status") == "ok" and data.get("mode") == "single":
+            sys.exit(0)
+        sys.exit(1)
+        PY
+          then
+            break
+          fi
+          sleep 1
+        done
+
+        # Fail fast if the health endpoint never responded.
+        # 如果健康检查接口始终未响应则立即失败。
+        if [ -z "${response}" ]; then
+          echo "Host-only backend did not return a health response" >&2
+          echo "Check log: ${LOG_PATH}" >&2
+          exit 1
+        fi
+
+        # Validate the final health response payload in detail.
+        # 详细校验最终的健康检查响应载荷。
+        HEALTH_RESPONSE="${response}" python3 - <<'PY'
+        import json
+        import os
+
+        payload = json.loads(os.environ["HEALTH_RESPONSE"])
+        data = payload.get("data", payload)
+        if payload.get("code", 0) != 0:
+            raise SystemExit(f"health business code is not zero: {payload!r}")
+        if data.get("status") != "ok":
+            raise SystemExit(f"expected health status ok, got: {payload!r}")
+        if data.get("mode") != "single":
+            raise SystemExit(f"expected single-node host-only mode, got: {payload!r}")
+        PY
+
+        # Authenticate with the default admin account and extract the access token.
+        # 使用默认管理员账号登录并提取访问令牌。
+        login_response="$(
+          curl -fsS \
+            -H "Content-Type: application/json" \
+            -d '{"username":"admin","password":"admin123"}' \
+            "http://127.0.0.1:8080/api/v1/auth/login"
+        )"
+        token="$(LOGIN_RESPONSE="${login_response}" python3 - <<'PY'
+        import json
+        import os
+
+        payload = json.loads(os.environ["LOGIN_RESPONSE"])
+        data = payload.get("data", payload)
+        if payload.get("code", 0) != 0:
+            raise SystemExit(f"login business code is not zero: {payload!r}")
+        token = data.get("accessToken")
+        if not token:
+            raise SystemExit(f"login response did not contain accessToken: {payload!r}")
+        print(token)
+        PY
+        )"
+
+        # Verify that no source plugins are loaded in host-only mode.
+        # 验证宿主模式下未加载任何源码插件。
+        plugins_response="$(
+          curl -fsS \
+            -H "Authorization: Bearer ${token}" \
+            "http://127.0.0.1:8080/api/v1/plugins?type=source"
+        )"
+        PLUGINS_RESPONSE="${plugins_response}" python3 - <<'PY'
+        import json
+        import os
+
+        payload = json.loads(os.environ["PLUGINS_RESPONSE"])
+        data = payload.get("data", payload)
+        if payload.get("code", 0) != 0:
+            raise SystemExit(f"plugin list business code is not zero: {payload!r}")
+        plugin_items = data.get("list") or []
+        if plugin_items:
+            raise SystemExit(f"expected no source plugins in host-only artifact, got: {plugin_items!r}")
+        if data.get("total", 0) != 0:
+            raise SystemExit(f"expected source plugin total=0 in host-only artifact, got: {payload!r}")
+        PY

.github/actions/monthly-openspec-detect-changes/action.yml

@@ -0,0 +1,28 @@
+# Detect whether the monthly OpenSpec archive task produced workspace changes.
+# Outputs a boolean flag consumed by downstream steps to decide whether to open a PR.
+# 检测月度 OpenSpec 归档任务是否产生了工作区变更。
+# 输出布尔标志供下游步骤判断是否需要创建 Pull Request。
+name: Monthly OpenSpec Detect Changes
+description: Detect whether monthly auto archive produced OpenSpec changes.
+
+outputs:
+  changed:
+    description: Whether the current workspace has OpenSpec changes.
+    value: ${{ steps.archive-diff.outputs.changed }}
+
+runs:
+  using: composite
+  steps:
+    # Compare the openspec directory against HEAD; any diff means changes were produced.
+    # 将 openspec 目录与 HEAD 进行比较，存在差异即表示产生了变更。
+    - name: Detect Archive Changes
+      id: archive-diff
+      shell: bash
+      run: |
+        if git diff --quiet -- openspec; then
+          echo "changed=false" >> "${GITHUB_OUTPUT}"
+          echo "Auto archive produced no OpenSpec changes."
+        else
+          echo "changed=true" >> "${GITHUB_OUTPUT}"
+          echo "Auto archive produced OpenSpec changes."
+        fi

…/nightly-openspec-finalize-pr/action.yml …/monthly-openspec-finalize-pr/action.yml.github/actions/nightly-openspec-finalize-pr/action.yml renamed to .github/actions/monthly-openspec-finalize-pr/action.yml .github/actions/nightly-openspec-finalize-pr/action.yml renamed to .github/actions/monthly-openspec-finalize-pr/action.yml

@@ -1,9 +1,19 @@
-name: Nightly OpenSpec Finalize Pull Request
+# Validate, scope-guard, and create or update the monthly OpenSpec archive pull request.
+# Runs openspec validate, ensures only openspec/ files changed, then commits and pushes a PR.
+# 校验、作用域守护并创建或更新月度 OpenSpec 归档 Pull Request。
+# 运行 openspec validate，确保仅有 openspec/ 文件变更，然后提交并推送 Pull Request。
+name: Monthly OpenSpec Finalize Pull Request
 description: Validate generated OpenSpec changes, guard their scope, and create or update the archive pull request.
 
+# changed: skip all work when the archive step produced no diff.
+# openspec-version: pinned CLI version for reproducible validation.
+# base-branch / pr-branch / pr-title: PR targeting and commit metadata.
+# changed: 当归档步骤未产生差异时跳过所有后续工作。
+# openspec-version: 固定 CLI 版本以保证校验结果可重现。
+# base-branch / pr-branch / pr-title: PR 目标分支和提交元数据。
 inputs:
   changed:
-    description: Whether the nightly archive task produced OpenSpec changes.
+    description: Whether the monthly archive task produced OpenSpec changes.
     required: true
   openspec-version:
     description: OpenSpec CLI version to run.
@@ -14,7 +24,7 @@ inputs:
   pr-branch:
     description: Pull request head branch.
     required: false
-    default: automation/nightly-openspec-archive
+    default: automation/monthly-openspec-archive
   pr-title:
     description: Pull request title and commit message.
     required: false
@@ -23,6 +33,8 @@ inputs:
 runs:
   using: composite
   steps:
+    # Run the OpenSpec validator against all change manifests.
+    # 对所有变更清单运行 OpenSpec 校验器。
     - name: Validate OpenSpec
       if: ${{ inputs.changed == 'true' }}
       shell: bash
@@ -31,6 +43,8 @@ runs:
       run: |
         npx -y "@fission-ai/openspec@${OPENSPEC_VERSION}" validate --all
 
+    # Collect all modified and untracked files, then reject anything outside openspec/.
+    # 收集所有修改和未跟踪的文件，然后拒绝 openspec/ 之外的任何变更。
     - name: Guard Generated Changes
       shell: bash
       run: |
@@ -61,6 +75,8 @@ runs:
         console.log('Generated file changes are within the allowed OpenSpec scope.');
         NODE
 
+    # Commit the archived changes and create or update the PR via GitHub CLI.
+    # 提交归档变更并通过 GitHub CLI 创建或更新 Pull Request。
     - name: Create or Update Archive Pull Request
       if: ${{ inputs.changed == 'true' }}
       shell: bash
@@ -72,29 +88,37 @@ runs:
       run: |
         set -euo pipefail
 
+        # Configure the bot identity for automated commits.
+        # 为自动化提交配置机器人身份。
         git config user.name "github-actions[bot]"
         git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
 
         git switch -c "${PR_BRANCH}"
         git add openspec
 
+        # Exit early if there is nothing new to commit.
+        # 如果没有新的变更需要提交则提前退出。
         if git diff --cached --quiet; then
           echo "No staged archive changes to include in the pull request."
           exit 0
         fi
 
         git commit -m "${PR_TITLE}"
 
+        # Push with force-with-lease when the remote branch already exists, otherwise push normally.
+        # 远程分支已存在时使用 force-with-lease 推送，否则正常推送。
         remote_sha="$(git ls-remote --heads origin "${PR_BRANCH}" | awk '{print $1}')"
         if [ -n "${remote_sha}" ]; then
           git push --force-with-lease="refs/heads/${PR_BRANCH}:${remote_sha}" origin "HEAD:${PR_BRANCH}"
         else
           git push origin "HEAD:${PR_BRANCH}"
         fi
 
-        pr_body="${RUNNER_TEMP}/nightly-openspec-archive-pr.md"
+        # Prepare the PR body describing the automated archive contents.
+        # 准备描述自动归档内容的 PR 正文。
+        pr_body="${RUNNER_TEMP}/monthly-openspec-archive-pr.md"
         cat > "${pr_body}" <<'EOF'
-        This PR was created by the nightly OpenSpec archive workflow.
+        This PR was created by the monthly OpenSpec archive workflow.
 
         It contains only `openspec/**` archive and archive consolidation updates.
 
@@ -103,6 +127,8 @@ runs:
         - generated change scope guard for `openspec/**`
         EOF
 
+        # Check for an existing open PR; update it if found, otherwise create a new one.
+        # 检查是否已存在打开的 PR，如存在则更新，否则创建新的。
         pr_number="$(gh pr list --head "${PR_BRANCH}" --state open --json number --jq '.[0].number // ""')"
         if [ -n "${pr_number}" ]; then
           gh pr edit "${pr_number}" --title "${PR_TITLE}" --body-file "${pr_body}" --base "${BASE_BRANCH}"

.github/actions/monthly-openspec-setup/action.yml

@@ -0,0 +1,24 @@
+# Prepare the shared runner environment for monthly OpenSpec workflows.
+# Sets the timezone to Asia/Shanghai and installs the required Node.js version.
+# 为月度 OpenSpec 工作流准备共享 Runner 环境。
+# 将时区设置为 Asia/Shanghai 并安装所需的 Node.js 版本。
+name: Monthly OpenSpec Setup
+description: Prepare the shared runner environment after repository checkout.
+
+runs:
+  using: composite
+  steps:
+    # Align the runner clock with the project timezone for consistent log timestamps.
+    # 将 Runner 时钟与项目时区对齐，确保日志时间戳一致。
+    - name: Setup Timezone
+      shell: bash
+      run: |
+        sudo ln -snf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
+        echo Asia/Shanghai | sudo tee /etc/timezone
+
+    # Install Node.js for running the OpenSpec CLI via npx.
+    # 安装 Node.js 以便通过 npx 运行 OpenSpec CLI。
+    - name: Setup Node
+      uses: actions/setup-node@v6
+      with:
+        node-version: "23"