arthurpanhku · arthurpanhku · Mar 31, 2026 · Mar 31, 2026 · Mar 31, 2026
diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,24 +6,38 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ---
 
-## [4.0.0] — 2026-03-29
+## [4.0.0] — 2026-03-30
+
+### Major Change
+This release pivots DocSentinel into an **AI-powered SSDLC (Secure Software Development Lifecycle) platform**, with full-phase coverage and intelligent agent orchestration.
 
 ### Added
-- **SSDLC Pipeline**: Full Secure Software Development Lifecycle support with 6 stage-specific assessment flows:
+- **SSDLC Full Lifecycle Support**: Six dedicated phase agents — Requirements, Design, Development, Testing, Deployment, and Operations — each with specialized skills, prompts, and knowledge base collections.
   - **Requirements**: Security requirements completeness, compliance mapping, risk analysis.
   - **Design**: Architecture security review, STRIDE/DREAD threat modeling, encryption/permission design.
   - **Development**: Secure coding standards, anti-injection/XSS controls verification.
   - **Testing**: SAST/DAST report triage, penetration test findings evaluation, vulnerability verification.
   - **Deployment**: Release readiness review, configuration security, key management, hardening.
   - **Operations**: Vulnerability monitoring, incident response evaluation, patch management, log audit.
+- **LangGraph Orchestration**: Stateful graph-based workflow engine replacing the custom orchestrator. Supports conditional routing, parallel execution, checkpointing, and human-in-the-loop interrupts.
+- **LangChain Integration**: Unified LLM abstraction, prompt templates, tool integration, and RAG chains via LangChain framework.
+- **Threat Modeling (STRIDE/DREAD)**: Design Agent performs automated threat modeling with STRIDE categorization and DREAD risk scoring.
+- **SAST/DAST Report Parsers**: Dedicated parsers for SARIF, SonarQube JSON, Checkmarx XML, Burp Suite XML, and OWASP ZAP reports.
+- **Phase-specific KB Collections**: Separate knowledge base collections per SSDLC phase (`kb_requirements`, `kb_design`, `kb_development`, `kb_testing`, `kb_deployment`, `kb_operations`).
+- **Cross-phase Traceability**: Findings from earlier phases automatically link to later phases (e.g. Design threats → Testing test cases → Operations monitoring rules).
+- **Phase-specific Skills**: 12 built-in personas across 6 SSDLC phases (Compliance Analyst, Threat Modeler, Secure Code Reviewer, Pentest Analyst, Release Reviewer, Vulnerability Monitor, etc.).
 - **SSDLC Stage Skills**: 6 built-in stage-specific skills with tailored system prompts, risk focus areas, and compliance framework mappings.
 - **SSDLC Auto-detection**: Router node can auto-detect the SSDLC stage from document content when not explicitly specified.
 
 ### Changed
-- **LangGraph Orchestrator**: Replaced custom `asyncio.gather` orchestration with **LangChain + LangGraph** stateful graph-based agent workflows. Graph nodes: Parser → SSDLC Router → Policy+Evidence (parallel fan-out) → Drafter → Reviewer.
+- **Orchestrator**: Replaced custom multi-agent pipeline with LangGraph `StateGraph` supporting conditional edges, shared state (`SSDLCState`), and persistent checkpointing. Graph nodes: Parser → SSDLC Router → Policy+Evidence (parallel fan-out) → Drafter → Reviewer.
+- **Assessment Reports**: Extended schema (v2.0) with `phase` field, `ThreatModel` object, `Vulnerability` array, and `CrossPhaseRef` for cross-phase traceability.
 - **Assessment API**: `POST /assessments` now accepts optional `ssdlc_stage` parameter.
 - **MCP Tools**: `assess_document` tool now accepts optional `ssdlc_stage` parameter.
 - **Report Schema**: Added `ssdlc_stage` field to `AssessmentReport.metadata`.
+- **PRD (SPEC.md)**: Rewritten as v4.0 with full SSDLC phase definitions, LangGraph/LangChain stack, and phase-specific user stories.
+- **Architecture (ARCHITECTURE.md)**: Rewritten as v4.0 with LangGraph state machine design, phase agent details, and SAST/DAST integration points.
+- **All documentation**: Updated to reflect SSDLC platform positioning, LangGraph orchestration, and LangChain framework.
 
 ---
 

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -1,8 +1,8 @@
 # Contributing to DocSentinel | 参与贡献
 
-Thank you for your interest in contributing. We welcome issues, pull requests, and feedback.
+Thank you for your interest in contributing to DocSentinel — an AI-powered SSDLC platform built on LangChain and LangGraph. We welcome issues, pull requests, and feedback.
 
-感谢你对 DocSentinel 的关注。我们欢迎提交 Issue、Pull Request 以及任何反馈。
+感谢你对 DocSentinel 的关注——这是一个基于 LangChain 和 LangGraph 构建的 AI 驱动 SSDLC 平台。我们欢迎提交 Issue、Pull Request 以及任何反馈。
 
 ---
 
@@ -12,7 +12,8 @@ Thank you for your interest in contributing. We welcome issues, pull requests, a
 
 1.  **Report bugs or suggest features**: Open a new [Issue](https://github.com/arthurpanhku/DocSentinel/issues) using the Bug report or Feature request template; include steps to reproduce or use case when possible.
 2.  **Submit code**: Fork the repo, create a branch, make your changes, and open a Pull Request to `main`. See "Development setup" and "Commit guidelines" below.
-3.  **Docs and examples**: Improvements to README, SPEC, code comments, or examples are welcome.
+3.  **Docs and examples**: Improvements to README, SPEC, ARCHITECTURE, code comments, or examples are welcome.
+4.  **SSDLC Skills**: Submit new phase-specific skills (personas) for any of the 6 SSDLC phases. See "Submit a Skill" below.
 
 ### Development setup
 
@@ -21,9 +22,10 @@ Thank you for your interest in contributing. We welcome issues, pull requests, a
     ```bash
     python3 -m venv .venv
     source .venv/bin/activate   # Windows: .venv\Scripts\activate
-    make install                # Install all dependencies
+    make install                # Install all dependencies (includes LangChain, LangGraph)
     pre-commit install          # Install git hooks
     ```
+-   **Key dependencies**: LangGraph (agent orchestration), LangChain (LLM abstraction), FastAPI (API), ChromaDB (vector store), Docling (parser).
 -   **MCP Development**:
     To test the MCP server, install in editable mode:
     ```bash
@@ -49,10 +51,18 @@ make lint                   # Check code style
 -   **PRs**: Please fill in the PR template (what changed, how to verify, docs updated or not). If related to an Issue, reference it in the description.
 -   **Code style**: Match existing style; optionally use [Black](https://github.com/psf/black) for Python formatting.
 
+### Submit a Skill
+
+Have a great security persona for an SSDLC phase? We welcome contributions:
+
+1.  Create a skill JSON following the schema in [docs/03-assessment-report-and-skill-contract.md](docs/03-assessment-report-and-skill-contract.md).
+2.  Tag it with the appropriate `ssdlc_phase` (requirements, design, development, testing, deployment, operations).
+3.  Submit via [Skill Template Issue](https://github.com/arthurpanhku/DocSentinel/issues/new?template=new_skill_template.md) or add to `examples/templates/`.
+
 ### Branching and releases
 
 -   The main development branch is **`main`**.
--   Releases are made via **Git tags** (e.g. `v0.1.0`) and [GitHub Releases](https://github.com/arthurpanhku/DocSentinel/releases); release notes are in [CHANGELOG.md](CHANGELOG.md).
+-   Releases are made via **Git tags** (e.g. `v4.0.0`) and [GitHub Releases](https://github.com/arthurpanhku/DocSentinel/releases); release notes are in [CHANGELOG.md](CHANGELOG.md).
 
 ---
 
@@ -62,7 +72,8 @@ make lint                   # Check code style
 
 1.  **报告问题或建议功能**：在 [Issues](https://github.com/arthurpanhku/DocSentinel/issues) 中新建 Bug 报告或功能建议，使用模板并尽量提供复现步骤或使用场景。
 2.  **提交代码**：Fork 本仓库，在本地创建分支，修改后提交 PR 到 `main`。请先阅读下方「开发环境」与「提交规范」。
-3.  **文档与示例**：改进 README、SPEC、注释或补充示例同样欢迎。
+3.  **文档与示例**：改进 README、SPEC、ARCHITECTURE、注释或补充示例同样欢迎。
+4.  **SSDLC 技能**：为 6 个 SSDLC 阶段中的任何一个提交新的阶段专用技能（角色）。见下方「提交 Skill」。
 
 ### 开发环境
 
@@ -71,14 +82,15 @@ make lint                   # Check code style
     ```bash
     python3 -m venv .venv
     source .venv/bin/activate   # Windows: .venv\Scripts\activate
-    make install                # 一键安装所有依赖（含开发依赖）
+    make install                # 一键安装所有依赖（含 LangChain、LangGraph、开发依赖）
     pre-commit install          # 安装 Git 提交钩子
     ```
+-   **核心依赖**：LangGraph（Agent 编排）、LangChain（LLM 抽象）、FastAPI（API）、ChromaDB（向量库）、Docling（解析器）。
 -   **MCP (Model Context Protocol) 开发**：
     调试 MCP Server 时，建议使用 `docsentinel-mcp` 命令行工具：
     ```bash
     pip install -e .            # 以编辑模式安装当前包
-    docsentinel-mcp --help           # 验证安装
+    docsentinel-mcp --help      # 验证安装
     ```
 
 ### 运行测试
@@ -99,7 +111,15 @@ make lint                   # 检查代码风格
 -   **PR**：请填写 PR 模板（改了什么、如何验证、是否更新文档）。若对应 Issue，在描述中注明并链接。
 -   **代码风格**：保持与现有代码一致；可选使用 [Black](https://github.com/psf/black) 格式化 Python 代码。
 
+### 提交 Skill
+
+如果你有适用于某个 SSDLC 阶段的安全角色，欢迎贡献：
+
+1.  按照 [docs/03-assessment-report-and-skill-contract.md](docs/03-assessment-report-and-skill-contract.md) 中的 Schema 创建 Skill JSON。
+2.  标注对应的 `ssdlc_phase`（requirements、design、development、testing、deployment、operations）。
+3.  通过 [Skill Template Issue](https://github.com/arthurpanhku/DocSentinel/issues/new?template=new_skill_template.md) 提交或添加到 `examples/templates/`。
+
 ### 分支与发布
 
 -   主开发分支为 **`main`**。
--   发版通过 **Git tag**（如 `v0.1.0`）与 [GitHub Releases](https://github.com/arthurpanhku/DocSentinel/releases) 完成；版本说明见 [CHANGELOG.md](CHANGELOG.md)。
+-   发版通过 **Git tag**（如 `v4.0.0`）与 [GitHub Releases](https://github.com/arthurpanhku/DocSentinel/releases) 完成；版本说明见 [CHANGELOG.md](CHANGELOG.md)。