docs(web): provenance / source-of-truth copy (harvest of #3440 by @donglovejava) #3514

Merged: Hmbown merged 1 commit into main from harvest/pr-3440-provenance-docs, Jun 24, 2026

@Hmbown (Owner) commented Jun 23, 2026

Harvests the provenance / source-of-truth copy from #3440 (by @donglovejava) onto current main.

What landed

  • web/components/footer.tsx: a Provenance section shown on all locales (replaces the zh-only mirror list), starring the official GitHub link; mirrors labelled as SHA256-verified China-network accelerators.
  • web/app/[locale]/install/page.tsx: an "Official source" label on the Mainland China network section.
  • docs/CNB_MIRROR.md: a Provenance section with a checksum verification path.

Dropped from the original branch (out of scope / would regress main): stray working files, workflow edits, and a SECURITY.md contact change that regresses the current address. The current Gitee mirror URL is preserved.

Credit preserved via Co-authored-by: donglovejava.

🤖 Generated with Claude Code

https://claude.ai/code/session_01991fnUqBbWSgiUFw33L8XX


claude (Bot) commented Jun 23, 2026

Claude finished @Hmbown's task in 1m 59s —— View job


PR Review: docs(web) provenance / source-of-truth copy

  • Gather context and read changed files
  • Review docs/CNB_MIRROR.md
  • Review web/app/[locale]/install/page.tsx
  • Review web/components/footer.tsx
  • Post findings

Overall: Clean harvest — scope is right, credit preserved, the SECURITY.md regression was correctly dropped. Two issues worth resolving before merge.


docs/CNB_MIRROR.md — factual error in the new Provenance section

The added text (lines 16–18) says:

Every CNB release includes codewhale-artifacts-sha256.txt, which matches the SHA256 manifest published on GitHub Releases.

This is incorrect. Inspecting .cnb.yml, the pipeline builds codewhale-linux-x64 and codewhale-tui-linux-x64 from source on Tencent-hosted runners and then generates the checksum file with:

sha256sum codewhale-linux-x64 codewhale-tui-linux-x64 > codewhale-artifacts-sha256.txt

The resulting checksums are of CNB-built binaries, not a copy of the GitHub manifest. They will differ from GitHub's because the build environment differs (and CNB only ships Linux x64 while GitHub ships macOS/Windows too). A user who tries to cross-check a CNB download against the GitHub manifest will see a mismatch and falsely conclude something is wrong.

The sha256sum -c snippet is still correct as a self-consistency check (verifying the downloaded CNB binary against the CNB-generated manifest), but the "matches GitHub Releases" claim should be dropped.

Suggested fix — replace:

Every CNB release includes `codewhale-artifacts-sha256.txt`, which matches the
SHA256 manifest published on GitHub Releases.

with something like:

Every CNB release includes `codewhale-artifacts-sha256.txt` — a SHA256 manifest
of the CNB-built Linux x64 binaries, generated from the same source commit
that is tagged on GitHub.


web/components/footer.tsx — mirror link labels not localized for EN

The Provenance block is now shown to both locales, which is the stated goal. However, three of the mirror links carry Chinese-only labels that EN-locale users will see:

  • CNB 镜像 (line 116)
  • npmmirror (line 117, acceptable as a proper name)

CNB 镜像 specifically reads as Chinese to an EN reader. The old code gated the entire block behind {isZh && ...}, so this never appeared for EN users. Now it does, without a translated label.

Minimal fix: conditionally render the label for EN, e.g.:

<a >{isZh ? "CNB 镜像" : "CNB mirror"}</a>


web/app/[locale]/install/page.tsx — looks good

The "Official source:" label addition is clean. Both EN and ZH branches are consistent, text-indigo matches the existing eyebrow color on the parent section, and the sentence flows naturally in both languages.


Minor (non-blocking)

  • All new <a target="_blank"> elements use rel="noopener" but not rel="noreferrer". This is a pre-existing pattern in the file so not a regression, but the combined attribute is the recommended practice.
  • The glyph in ★ Official GitHub / ★ 官方 GitHub is a nice visual anchor; screen readers will announce it as "black star" — worth a quick check against your a11y bar.

State plainly that GitHub is the sole canonical source across the site:
- footer: a Provenance section shown on all locales (was a zh-only mirror
  list), starring the official GitHub link and noting that mirrors are
  China-network accelerators (link labels localized for EN/ZH)
- install: an "Official source" label on the Mainland China network section
- docs/CNB_MIRROR.md: a Provenance section that accurately describes the
  CNB-built SHA256 manifest, with a verification path

Harvested from PR #3440 by @donglovejava. Dropped that branch's unrelated
churn (stray working files, workflow edits, and a SECURITY.md contact change
that regresses the current address) and preserved the current Gitee URL.

Co-authored-by: donglovejava <211940267+donglovejava@users.noreply.github.com>
Claude-Session: https://claude.ai/code/session_01991fnUqBbWSgiUFw33L8XX

@Hmbown force-pushed the harvest/pr-3440-provenance-docs branch from 6b6cd0e to e16f4a8 on June 23, 2026 23:59

claude (Bot) commented Jun 23, 2026

Claude finished @Hmbown's task in 2m 9s —— View job


PR Review: docs(web) provenance / source-of-truth copy

  • Read changed files
  • Review docs/CNB_MIRROR.md
  • Review web/app/[locale]/install/page.tsx
  • Review web/components/footer.tsx
  • Post findings

Overall: Both issues flagged in the first review pass have been addressed. The PR is clean and ready to merge.


docs/CNB_MIRROR.md — factual error fixed ✅

The Provenance section now correctly reads:

Every CNB release includes codewhale-artifacts-sha256.txt — a SHA256 manifest of the CNB-built Linux x64 binaries, generated from the same source commit that is tagged on GitHub. (CNB builds from source, so these checksums cover the CNB-built artifacts, not GitHub's release assets.)

The original "matches the SHA256 manifest published on GitHub Releases" claim is gone; the parenthetical disclaimer is accurate and pre-empts confusion for users who try to cross-check CNB downloads against GitHub's manifest.


web/components/footer.tsx — EN localization fixed ✅

The CNB link now uses {isZh ? "CNB 镜像" : "CNB mirror"} (line 116), so EN-locale users see English. Gitee mirror gets the same treatment. The old {isZh && ...} gate has been replaced by a block shown to both locales with full bilingual labels throughout.


web/app/[locale]/install/page.tsx — looks good ✅

<strong className="text-indigo">Official source:</strong> / 官方源: was added cleanly to both EN and ZH branches of the Mainland China network section. Color and weight match the surrounding eyebrow style. No regressions to other install paths.


Minor (non-blocking, carry-forward)

  • Footer prose ambiguity: "content is auto-synced and verified via SHA256 manifests" could be read as "the mirror's content is verified against GitHub via SHA256", but the SHA256 manifests actually verify CNB-built binary integrity, not mirror-vs-GitHub equivalence (the git force-push is what guarantees code parity). This is low-risk for a footer blurb but could mislead a careful reader.
  • rel="noopener" without noreferrer — pre-existing pattern across the file; not a regression introduced here.
  • ★ glyph — screen readers will announce "black star" before "Official GitHub" / "官方 GitHub"; worth a quick a11y check against your bar.
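
Added example, not part of the review or of the project's code: the distinction both review passes draw, that a SHA256 manifest only vouches for the build it was generated from. The file contents, the `other` build and the function names are constructed for illustration; only the manifest name and the `sha256sum` command come from the thread.

```bash
#!/usr/bin/env bash
# Constructed demo: small text files stand in for real release artifacts.

# Print the digest a manifest records for a file name (empty if not listed).
# Accepts both "HASH  name" and "HASH *name" sha256sum line formats.
manifest_digest() {
  awk -v n="$2" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$1"
}

# verify_against_manifest MANIFEST FILE -> prints match | mismatch | not-listed
verify_against_manifest() {
  local manifest="$1" file="$2" want got
  want=$(manifest_digest "$manifest" "$(basename "$file")")
  if [ -z "$want" ]; then echo "not-listed"; return 0; fi
  got=$(sha256sum "$file" | awk '{ print $1 }')
  if [ "$got" = "$want" ]; then echo "match"; else echo "mismatch"; fi
}

# Build two constructed "releases" of the same artifact name with different bytes.
make_demo() {
  local d="$1"
  mkdir -p "$d/cnb" "$d/other"
  printf 'cnb build of cli\n' > "$d/cnb/codewhale-linux-x64"
  printf 'cnb build of tui\n' > "$d/cnb/codewhale-tui-linux-x64"
  # Same command the review quotes from .cnb.yml, run beside the artifacts.
  (cd "$d/cnb" && sha256sum codewhale-linux-x64 codewhale-tui-linux-x64 \
      > codewhale-artifacts-sha256.txt)
  # Stand-in for a manifest produced in a different build environment.
  printf 'other build of cli\n' > "$d/other/codewhale-linux-x64"
  (cd "$d/other" && sha256sum codewhale-linux-x64 > other-build-sha256.txt)
}

demo=$(mktemp -d)
make_demo "$demo"

# Self-consistency check: CNB download against the CNB-generated manifest.
verify_against_manifest "$demo/cnb/codewhale-artifacts-sha256.txt" \
                        "$demo/cnb/codewhale-linux-x64"     # match

# Cross-check against another build's manifest: same name, different digest.
verify_against_manifest "$demo/other/other-build-sha256.txt" \
                        "$demo/cnb/codewhale-linux-x64"     # mismatch
```

A `mismatch` from the second call says only that the two builds differ, while `not-listed` separates "this manifest does not cover that artifact" from an integrity failure.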

@Hmbown merged commit 76e09ed into main on Jun 24, 2026
17 checks passed