Go模块供应链治理（sumdb-校验-代理）最佳实践

实现示例type Module = { path: string; version: string; hash: string } function hex64(h: string): boolean { return /^[A-Fa-f0-9]{64}$/.test(h) } const allowProxies = new Set<string>(['https://proxy.golang.org','https://goproxy.example.com']) function validProxy(u: string): boolean { try { const x = new URL(u); return x.protocol === 'https:' && allowProxies.has(x.origin) } catch { return false } } function validModule(m: Module): boolean { return !!m.path && /^v\d+\.\d+\.\d+/.test(m.version) && hex64(m.hash) } function evaluate(mods: Module[], proxy: string): { ok: boolean; errors: string[] } { const errors: string[] = []; if (!validProxy(proxy)) errors.push('proxy'); for (const m of mods) if (!validModule(m)) errors.push(`mod:${m.path}`); return { ok: errors.length === 0, errors } } 审计与运行治理使用官方或受控代理；记录模块路径、版本与哈希；异常阻断并回退。校验 sumdb 记录与本地哈希一致性，防止篡改。