@hongmaple0820/scale-engine 0.23.0 → 0.25.0

package/docs/DEPENDENCY_AUDIT.md

@@ -0,0 +1,89 @@
+# Dependency Audit
+
+Dependency Audit is the G7 dependency sub-gate for SCALE Engine.
+It adds supply-chain checks without introducing a separate gate number such as `G6.8`.
+
+## Scope
+
+The auditor is intentionally bounded:
+
+- reads `package-lock.json`
+- audits direct dependencies by default
+- supports `--changed-packages` for lockfile-diff workflows
+- scans only selected package roots under `node_modules`
+- caps package count and files per package
+- does not contact the registry by default
+- does not run install scripts
+
+This keeps local verification usable while still catching high-risk dependency behavior.
+
+## Commands
+
+```bash
+scale dependency audit
+scale dependency audit --json
+scale dependency audit --mode strict
+scale dependency audit --changed-packages left-pad,@scope/tool --json
+```
+
+The command exits non-zero when the active mode has blocking findings.
+
+## G7 Integration
+
+`SecurityGate` now emits two first-class evidence sources:
+
+- `built-in-security-scan`: source code security scan
+- `dependency-audit`: dependency supply-chain scan
+
+Both remain under `G7 Security`.
+
+## Policy
+
+Policy lives at `.scale/security/dependency-policy.json`:
+
+```json
+{
+  "version": 1,
+  "mode": "compatibility",
+  "maxPackages": 50,
+  "maxPackageFiles": 25,
+  "allowPackages": [],
+  "baselineFindings": []
+}
+```
+
+Modes:
+
+- `compatibility`: blocks `CRITICAL`
+- `strict`: blocks `CRITICAL` and `HIGH`
+- `offline`: keeps local-only behavior; current offline findings follow compatibility blocking
+
+Use `baselineFindings` for accepted legacy dependency risk:
+
+```json
+{
+  "baselineFindings": [
+    {
+      "packageName": "legacy-tool",
+      "version": "1.2.3",
+      "ruleId": "dependency.install-script",
+      "reason": "Pinned and reviewed during migration window."
+    }
+  ]
+}
+```
+
+Prefer a baseline over `allowPackages` when only one finding is accepted. `allowPackages` suppresses all findings for that package.
+
+## Current Findings
+
+The first implementation detects:
+
+- install lifecycle scripts
+- executable bin scripts
+- deprecated packages from lockfile metadata
+- dynamic code execution: `eval`, `new Function`
+- shell execution patterns
+- suspicious network access patterns
+
+Future network-backed checks can add npm registry metadata and `npm audit --json` ingestion, but they should stay optional and evidence-backed.

package/docs/EVOLUTION_SHADOW_MODE.md

@@ -0,0 +1,63 @@
+# Evolution Shadow Mode
+
+SCALE V2 keeps self-evolution useful without letting one-off failures become hard blockers too early.
+
+## Flow
+
+```text
+Gate Failure
+  -> Defect
+  -> Lesson
+  -> Proposed Rule
+  -> Shadow Rule
+  -> Candidate Hook
+  -> Approved Blocking Hook
+```
+
+## Gate Failure To Defect
+
+`GateSystem` emits `gate.failed` for failed gate results. `AutoDefectCreator` tracks consecutive failures per session and gate stage.
+
+Default behavior:
+
+- three consecutive failures create one `Defect`
+- a passing `gate.executed` event resets the streak
+- defect payload uses `rootCauseCategory=gate_failure`
+- the original blockers, evidence, evidence record id, stage, and streak count are stored in defect context
+
+This is evidence capture only. It does not change source code or generate a hook.
+
+## Rule Maturity
+
+New rules start in `shadow` mode. Shadow rules can record hits, but they do not block development.
+
+Promotion requires:
+
+- shadow hits >= 10
+- at least one defect evidence id
+- rollback method present
+- false positive rate within threshold
+- explicit approval before a blocking hook is allowed
+
+`RuleMaturity` exposes:
+
+- `createShadowRuleMaturity`
+- `recordShadowHit`
+- `evaluateRulePromotion`
+- `approveRuleMaturity`
+
+## Hook Boundary
+
+`HookGenerator` still requires `rule.approved === true`.
+
+For V2 rules that carry maturity metadata, it also requires:
+
+```text
+rule.maturity.stage === "approved-blocking"
+```
+
+That means proposed or shadow rules can be observed and improved, but cannot become blocking hooks until explicitly promoted.
+
+## Current Scope
+
+This release slice wires the core library path and gate events. CLI approval commands and persistent rule-maturity storage can be added later without changing the safety model.

package/docs/EXTERNAL_REFERENCES.md

@@ -0,0 +1,58 @@
+# External Reference Inventory
+
+This inventory is the source of truth for external projects, community skills, MCP servers, CLIs, and adapter targets referenced by SCALE. It complements [Third-Party Skills and External References](THIRD_PARTY_SKILLS.md).
+
+The inventory is intentionally conservative:
+
+- A row here is an acknowledgement and governance record, not a claim that upstream code is vendored.
+- License is only marked when it has been explicitly reviewed in this repository. Unknown or unverified projects stay `review-required`.
+- Any future vendoring, source copying, modified redistribution, bundled assets, logos, examples, or generated derivatives must preserve upstream license text, copyright notices, NOTICE files, source URL, pinned revision, and modification notes.
+- External services and memory providers remain disabled or read-only by default until privacy, retention, credential, and deletion boundaries are reviewed.
+
+## Current References
+
+| Upstream | Role in SCALE | Usage status | License status | Primary source surface |
+| --- | --- | --- | --- | --- |
+| [OthmanAdi/planning-with-files](https://github.com/OthmanAdi/planning-with-files) | File-backed planning workflow reference | adapted concept, not vendored | MIT | `SkillRepository`, README, `THIRD_PARTY_SKILLS` |
+| [rohitg00/agentmemory](https://github.com/rohitg00/agentmemory) | Optional external memory provider | external provider, read-only by default | Apache-2.0 | `MemoryProviders`, `SkillRepository`, README |
+| [garrytan/gbrain](https://github.com/garrytan/gbrain) | Optional graph memory provider | external provider, read-only by default | MIT | `MemoryProviders`, `SkillRepository`, README |
+| [anthropics/skills](https://github.com/anthropics/skills) | Frontend and webapp testing skill references | external skill reference | review-required | `SkillRepository`, `SkillCatalog`, `ToolCapabilityRegistry` |
+| [anthropics/claude-code](https://github.com/anthropics/claude-code) | Graphify and playwright-interactive skill references | optional discovery reference | review-required | `SkillDiscovery` |
+| [VoltAgent/awesome-design-md](https://github.com/VoltAgent/awesome-design-md) | Design system and DESIGN.md guidance | external skill reference | review-required | `SkillRepository`, `ExternalSkills`, `SkillDoctor` |
+| [nextlevelbuilder/ui-ux-pro-max-skill](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill) | UI/UX design intelligence reference | external skill reference | review-required | `SkillRepository`, `ExternalSkills`, `ToolCapabilityRegistry` |
+| [eze-is/web-access](https://github.com/eze-is/web-access) | Web research and browser automation skill | external skill reference | review-required | `SkillRepository`, `ExternalSkills`, `SkillDoctor` |
+| [vercel-labs/agent-browser](https://github.com/vercel-labs/agent-browser) | Browser automation CLI | external CLI reference | review-required | `SkillRepository`, `ExternalSkills`, `ToolCapabilityRegistry` |
+| [ChromeDevTools/chrome-devtools-mcp](https://github.com/ChromeDevTools/chrome-devtools-mcp) | Chrome DevTools MCP integration | MCP reference | review-required | `SkillRepository`, `ExternalSkills`, `ToolCapabilityRegistry` |
+| [trycua/cua](https://github.com/trycua/cua) | Desktop computer-use automation | restricted external automation reference | review-required | `SkillRepository`, `ExternalSkills`, `ToolCapabilityRegistry` |
+| [microsoft/playwright](https://github.com/microsoft/playwright) | Browser automation and validation | optional discovery reference | review-required | `SkillDiscovery` |
+| [google-gemini/gemini-cli](https://github.com/google-gemini/gemini-cli) | Gemini CLI and community skill examples | external CLI and skill reference | review-required | `SkillRepository`, `SkillCatalog`, adapters |
+| [openai/codex](https://github.com/openai/codex) | Codex CLI adapter and external reviewer | external CLI reference | review-required | `SkillRepository`, `ExternalSkills`, adapters |
+| [sst/opencode](https://github.com/sst/opencode) | OpenCode CLI reference used by routing | external CLI reference | review-required | `SkillRepository`, `ExternalSkills`, `SkillDoctor` |
+| [opencode-ai/opencode](https://github.com/opencode-ai/opencode) | OpenCode adapter source comment | adapter target reference | review-required | `OpenCodeAdapter` |
+| [facebook/react](https://github.com/facebook/react) | React fix skill example | external skill reference | review-required | `SkillRepository`, `SkillCatalog` |
+| [vercel/next.js](https://github.com/vercel/next.js) | Next.js documentation update skill example | external skill reference | review-required | `SkillRepository`, `SkillCatalog` |
+| [vercel-labs/skills](https://github.com/vercel-labs/skills) | Skill discovery example | external skill reference | review-required | `SkillRepository`, `SkillCatalog` |
+| [Shubhamsaboo/awesome-llm-apps](https://github.com/Shubhamsaboo/awesome-llm-apps) | Full-stack agent skill example | external skill reference | review-required | `SkillCatalog` |
+| [jnMetaCode/agency-agents-zh](https://github.com/jnMetaCode/agency-agents-zh) | Chinese role preset reference | external preset reference | review-required | `SkillRepository` |
+| [yizhiyanhua-ai/fireworks-tech-graph](https://github.com/yizhiyanhua-ai/fireworks-tech-graph) | Diagram skill discovery and installer reference | optional install reference | review-required | `ExternalSkills`, `SkillDiscovery`, `SkillInstaller` |
+| [github/awesome-copilot](https://github.com/github/awesome-copilot) | Excalidraw diagram skill source | optional install reference | review-required | `ExternalSkills`, `SkillInstaller`, installation workflow doc |
+| [Cocoon-AI/architecture-diagram-generator](https://github.com/Cocoon-AI/architecture-diagram-generator) | Architecture diagram skill reference | optional install reference | review-required | `ExternalSkills`, `SkillDiscovery`, `SkillInstaller` |
+| [heygen-com/hyperframes](https://github.com/heygen-com/hyperframes) | Video generation CLI reference | optional install reference | review-required | `ExternalSkills`, `SkillDiscovery`, `SkillInstaller` |
+| [op7418/guizang-ppt-skill](https://github.com/op7418/guizang-ppt-skill) | PPT generation skill reference | optional install reference | review-required | `ExternalSkills`, `SkillDiscovery`, `SkillInstaller` |
+| [QwenLM/qwen-code](https://github.com/QwenLM/qwen-code) | QCoder adapter target | adapter target reference | review-required | `QCoderAdapter` |
+| [openclaw-ai/openclaw](https://github.com/openclaw-ai/openclaw) | OpenClaw adapter target | adapter target reference | review-required | `OpenClawAdapter` |
+| [hermes-ai/hermes](https://github.com/hermes-ai/hermes) | Hermes adapter target | adapter target reference | review-required | `HermesAdapter` |
+| [Hmbown/deepseek-tui](https://github.com/Hmbown/deepseek-tui) | DeepSeek TUI adapter target | adapter target reference | review-required | `DeepSeekTuiAdapter` |
+| [Aider-AI/aider](https://github.com/Aider-AI/aider) | Aider adapter target | adapter target reference | review-required | `AiderAdapter` |
+
+## Required Maintenance
+
+When a new GitHub upstream is referenced from `src/skills`, `src/tools`, `src/adapters`, or current tool orchestration docs, update this inventory in the same change. `tests/docs/externalReferences.test.ts` scans those surfaces and fails if a referenced upstream is missing from this file.
+
+Before promoting any `review-required` item to a declared license status, record:
+
+1. upstream license file and revision
+2. upstream copyright and NOTICE obligations
+3. whether SCALE vendors code, adapts concepts, or only links to the project
+4. modification notes for copied or derived files
+5. installation, script, and permission review evidence

package/docs/GOVERNANCE_DASHBOARD.md

@@ -34,10 +34,26 @@ The dashboard reads existing local evidence:
 | --- | --- |
 | Runtime evidence | `.scale/evidence/runtime/` |
 | Workflow eval | `.scale/evals/runs/` and `.scale/evals/failures/` |
+| Workflow metrics | `.scale/metrics/tasks.jsonl` |
+| Gate evidence | `.scale/evidence/GATE-*.json` |
+| Command runs | `.scale/evidence/command-runs/` |
+| Model usage | `.scale/model-usage/usage.jsonl` |
 | Memory Brain | `.scale/memory/brain.sqlite` |
 | Resource Governance | workspace files plus `.scale/resource-policy.json` and `.scale/assets.json` |
 | HTML artifacts | task artifact manifests and rendered HTML files |
 
+## Aggregated Metrics
+
+V2.0 adds `MetricsAggregator` as the dashboard aggregation layer. It keeps the dashboard read-only and derives the following metrics from existing evidence:
+
+- recent task count and first-pass rate
+- average fix iterations
+- gate failure distribution
+- command output compression token savings
+- model usage and prompt-cache savings
+
+Each number must trace back to local JSON/JSONL evidence. If a source is absent, the dashboard reports zero rather than inventing values.
+
 ## Status Model
 
 - Runtime evidence failures are blocking.

package/docs/MEMORY_FABRIC.md

@@ -105,3 +105,30 @@ runtime evidence -> memory pack -> memory settle -> 人审 -> knowledge/docs/rul
 - 当前版本不内置向量数据库；如果项目配置了 SQLite knowledge base，会使用现有召回接口。
 - 当前版本只检测 Graphify 产物是否存在并生成摘要，不主动运行 Graphify。
 - HTML 可视化报告适合后续加在 context pack 之上；Memory Fabric 的核心产物先保持 JSON/Markdown，方便 diff、测试和 CLI 集成。
+
+## Memory Provider Router
+
+SCALE now treats strong memory systems as providers instead of rebuilding them inside the workflow engine.
+
+Default provider order:
+
+```text
+agentmemory -> gbrain -> scale-local
+```
+
+Commands:
+
+```bash
+scale memory provider init
+scale memory provider status --json
+scale memory provider recall "OAuth callback Redis state" --json
+```
+
+Provider rules:
+
+- `agentmemory` and `gbrain` are external providers and start disabled until endpoint, privacy, retention, and delete boundaries are reviewed.
+- External providers are read-only by default. Writes require an explicit provider policy change.
+- `scale-local` remains the fallback provider through Memory Brain and only promotes reviewed, evidence-backed memory.
+- `memory pack` automatically includes a `provider-memory` section when provider recall returns relevant active memories.
+
+This keeps agents flexible: they can ask the router for memory before planning, verification, review, or release, while SCALE still records which provider was used and why fallback was required.

package/docs/README.md

@@ -18,6 +18,8 @@
 | --- | --- |
 | [RESOURCE_GOVERNANCE.md](RESOURCE_GOVERNANCE.md) | 文档、报告、媒体、脚本、临时产物的生命周期治理 |
 | [ENGINEERING_STANDARDS.md](ENGINEERING_STANDARDS.md) | 日志、安全、ORM、框架、测试、部署等工程规范 |
+| [BACKGROUND_HUNTER.md](BACKGROUND_HUNTER.md) | Background Hunter 只读主动巡检、诊断交接和 ignore baseline |
+| [DEPENDENCY_AUDIT.md](DEPENDENCY_AUDIT.md) | 供应链依赖审计、G7 dependency 子门禁和 dependency policy |
 | [TOOL_ORCHESTRATION.md](TOOL_ORCHESTRATION.md) | skills、MCP、CLI、浏览器、桌面自动化的编排策略 |
 | [RUNTIME_EVIDENCE.md](RUNTIME_EVIDENCE.md) | 会话 ledger、运行时证据和最终交付检查 |
 | [MEMORY_FABRIC.md](MEMORY_FABRIC.md) | Runtime evidence、session events、knowledge recall 和 graph status 的预算化上下文包 |
@@ -26,6 +28,8 @@
 | [CODE_INTELLIGENCE.md](CODE_INTELLIGENCE.md) | CodeGraph、Graphify 和显式 fallback 的代码智能与探索 ROI |
 | [WORKFLOW_EVAL.md](WORKFLOW_EVAL.md) | Workflow Eval、pass@k 指标、Failure Replay 和改进候选 |
 | [SKILL_RADAR.md](SKILL_RADAR.md) | Skill Radar、能力置信度、证据要求和供应链安全检查 |
+| [THIRD_PARTY_SKILLS.md](THIRD_PARTY_SKILLS.md) | 第三方 skill 致谢、授权边界、引用方式和 vendoring 策略 |
+| [EXTERNAL_REFERENCES.md](EXTERNAL_REFERENCES.md) | 外部项目、skills、MCP、CLI 和适配器引用的完整清单 |
 | [UPGRADE_MANAGEMENT.md](UPGRADE_MANAGEMENT.md) | SCALE CLI、governance pack、skills、MCP 和 CLI 工具的安全升级流程 |
 | [GOVERNANCE_DASHBOARD.md](GOVERNANCE_DASHBOARD.md) | Runtime、eval、memory、resource、HTML artifact 的统一治理面板 |
 | [RELEASE_READINESS.md](RELEASE_READINESS.md) | 发版前质量门槛、官方 demo 和真实项目落地验收 |
@@ -35,6 +39,14 @@
 | [VIBE-TEMPLATES.md](VIBE-TEMPLATES.md) | 可复制的 Vibe Coding 提示词模板 |
 | [LEADERSHIP-PRESETS.md](LEADERSHIP-PRESETS.md) | CEO、CTO、PM、Architect 等内置领导者角色预设 |
 
+## 当前规划与执行蓝图
+
+这些文档描述计划中的架构演进，不代表当前 CLI 已全部实现。进入实现前应按文档中的验收标准和红线逐项拆分任务。
+
+| 文档 | 说明 |
+| --- | --- |
+| [plans/2026-05-20-scale-engine-v2-final-architecture-plan.md](plans/2026-05-20-scale-engine-v2-final-architecture-plan.md) | SCALE Engine V2.0 最终架构落地方案：Prompt Cache、Dashboard 聚合、Background Hunter、供应链门禁、动态/视觉验证和 Evolution Shadow Mode |
+
 ## 架构与参考
 
 | 文档 | 说明 |

package/docs/SKILL-REPOSITORY.md

@@ -0,0 +1,57 @@
+# SCALE Skill 仓库
+
+这个仓库视图用于让 Agent 按任务渐进式发现、激活和编排 skills/MCP/CLI，而不是一次性把所有能力塞进上下文。
+
+## 渐进式披露
+
+1. 启动时只读取 Skill 元数据和一句话描述。
+2. 任务命中时才读取完整 SKILL.md。
+3. scripts、references、assets 只在明确需要时懒加载。
+
+## 安全安装
+
+- 安装前必须执行安全扫描，阻断 `curl | bash`、`Invoke-Expression`、危险删除和非 HTTPS 来源。
+- npm/npx 来源必须补充 `npm audit signatures`、来源仓库、许可证和版本/commit 固定检查。
+- 任何第三方 Skill 都先进入隔离审查，再写入项目或全局 skills 目录。
+
+## 供应链防护清单
+
+- review-skill-frontmatter
+- inspect-scripts-directory
+- verify-license-and-source
+- verify-attribution-and-notice
+- pin-source-revision
+- npm-audit-signatures
+
+## Skill 目录
+
+| ID | 类别 | 信任 | 主要用途 | 组合建议 |
+| --- | --- | --- | --- | --- |
+| `planning-with-files` | planning | community | Use persistent planning files, progress logs, findings, active-plan selection, and plan attestation for long-running agent work. | memory-brain, web-access, code-reviewer |
+| `agentmemory` | memory | community | Use as an optional external memory provider via REST or MCP when teams want cross-agent persistent memory beyond SCALE local Memory Brain. | memory-brain, mcp-chrome-devtools, codex-cli |
+| `gbrain` | memory | community | Use as an optional graph-backed memory provider for long-running project knowledge, entity relationships, and background memory maintenance. | memory-brain, agentmemory, codegraph |
+| `frontend-design` | ui | official | UI 视觉方向、布局、组件状态和前端实现约束。 | awesome-design-md, ui-ux-pro-max, webapp-testing |
+| `awesome-design-md` | ui | ecosystem | 建立产品级设计规范和视觉语言。 | ui-ux-pro-max, frontend-design |
+| `ui-ux-pro-max` | ui | ecosystem | 补齐体验策略、交互状态和 UI 验收维度。 | awesome-design-md, webapp-testing |
+| `webapp-testing` | testing | official | 验证页面点击、表单、控制台、截图和端到端行为。 | agent-browser, mcp-chrome-devtools |
+| `web-access` | browser | ecosystem | 获取一手资料、动态页面内容、网页证据和来源引用。 | agent-browser, mcp-chrome-devtools |
+| `agent-browser` | browser | ecosystem | 与 Web 页面真实交互，补齐手工验收证据。 | web-access, webapp-testing, mcp-chrome-devtools |
+| `mcp-chrome-devtools` | browser | ecosystem | 调试控制台错误、网络请求、页面状态和性能问题。 | agent-browser, webapp-testing |
+| `cua` | desktop | ecosystem | 操作桌面应用并收集端侧截图、状态和副作用边界证据。 | web-access, agent-browser |
+| `code-reviewer` | review | official | 合并前分级审查缺陷、安全、可维护性和测试风险。 | security-and-hardening, update-docs |
+| `fix` | review | official | 提交前清理格式和 lint 问题。 | code-reviewer |
+| `pr-creator` | review | official | 生成标准 PR 描述和合并前说明。 | code-reviewer, update-docs |
+| `update-docs` | docs | official | 发现并更新受代码变更影响的长期文档。 | documentation-and-adrs |
+| `find-skills` | discovery | ecosystem | 按任务意图搜索合适 Skill，再进入安全扫描。 | web-access |
+| `codex-cli` | agent-cli | official | 外部 CLI 审查和命令级证据。 | gemini-cli, opencode-cli |
+| `gemini-cli` | agent-cli | official | 外部 CLI 审查和命令级证据。 | codex-cli, opencode-cli |
+| `opencode-cli` | agent-cli | ecosystem | 外部 CLI 审查和命令级证据。 | codex-cli, gemini-cli |
+| `agency-agents-zh` | role-library | community | 提供 CEO、CTO、工程、设计、产品等角色预设参考。 | skill-safety-scan |
+
+## Third-Party Attribution
+
+| ID | License | Usage | Notice |
+| --- | --- | --- | --- |
+| `planning-with-files` | MIT | adapted-concept | Inspired by and compatible with OthmanAdi/planning-with-files. SCALE should not copy upstream files unless the MIT license text and attribution are included. |
+| `agentmemory` | Apache-2.0 | external-reference | Optional external integration only. Do not vendor agentmemory code into SCALE without preserving Apache-2.0 license text, modification notices, and any upstream NOTICE obligations. |
+| `gbrain` | MIT | external-reference | Optional external provider only. Do not vendor GBrain code into SCALE without preserving MIT license text, source revision, and modification notices. |

package/docs/SKILL_RADAR.md

@@ -55,6 +55,8 @@ The score is not a promise that the tool will work. It is a routing signal. Any
 | `externalCli` | Codex, Gemini, OpenCode, external agent CLI | disabled by default; dry-run and output evidence |
 | `review` | PR, merge, release, code review | reviewer skills, severity findings |
 | `docs` | docs, README, ADR, governance asset | doc impact and source-of-truth evidence |
+| `planning` | plans, task_plan, findings, progress, long-running work | file-backed planning, progress logs, plan attestation |
+| `memory` | memory, recall, knowledge, persistent memory, agentmemory, gbrain | provider-routed memory through agentmemory, gbrain, or scale-local fallback |
 | `discovery` | skill, MCP, tool, capability discovery | find-skills plus safety review |
 
 ## Evidence Contract
@@ -66,6 +68,8 @@ Each recommendation carries required evidence. Examples:
 - Desktop work: `operator-boundary`, `desktop-screenshot`, `affected-app`
 - External CLI work: `cli-version-check`, `command`, `exit-code`, `output-summary`
 - Review work: `review-report`, `finding-list`, `severity`
+- Planning work: `task-plan`, `findings-log`, `progress-log`, `plan-attestation`
+- Memory work: `memory-provider-health`, `privacy-boundary`, `data-retention-policy`, `query-result`
 
 If evidence is missing, the final delivery should list the capability as unverified rather than claiming it was used successfully.
 
@@ -78,9 +82,12 @@ If evidence is missing, the final delivery should list the capability as unverif
 - destructive install patterns
 - npm/npx lifecycle script review
 - required source, license, and revision checks
+- third-party attribution and NOTICE checks
 
 This is intentionally conservative. Third-party skills should start in review-required mode and be promoted only after inspection.
 
+External skill references and acknowledgements are tracked in [Third-Party Skills and External References](THIRD_PARTY_SKILLS.md) and the full [External Reference Inventory](EXTERNAL_REFERENCES.md). SCALE should not vendor community skill code unless the license text, source revision, copyright notice, and modification notes are preserved.
+
 ## Policy Integration
 
 Skill Radar reads `.scale/tools.json` through the Tool Policy layer. Defaults:

package/docs/THIRD_PARTY_SKILLS.md

@@ -0,0 +1,57 @@
+# Third-Party Skills and External References
+
+This document records external skill projects that SCALE may learn from, recommend, or integrate with. It is a governance boundary, not a vendoring manifest. The complete cross-repo inventory is maintained in [External Reference Inventory](EXTERNAL_REFERENCES.md).
+
+## Policy
+
+- Do not vendor third-party skill code, images, logos, examples, or marketing copy unless the license review explicitly allows redistribution.
+- Preserve upstream license text, copyright notices, NOTICE files, source URL, and source revision before any vendored or modified redistribution.
+- Mark modified files and document what changed from upstream.
+- Treat optional external services as review-required until privacy, retention, credential, and delete boundaries are reviewed.
+- `scale skill doctor --supply-chain` must include license, attribution, script, and pinned-revision checks for third-party skills.
+- Community skills start as `review-required`; promotion requires real installation evidence and a recorded safety decision.
+
+## Highlighted External References
+
+| Project | License | Upstream | SCALE usage | Redistribution status |
+| --- | --- | --- | --- | --- |
+| Planning with Files | MIT | [OthmanAdi/planning-with-files](https://github.com/OthmanAdi/planning-with-files) | Adapt concepts for file-backed plans, findings, progress logs, active-plan routing, and plan attestation. | Not vendored. |
+| agentmemory | Apache-2.0 | [rohitg00/agentmemory](https://github.com/rohitg00/agentmemory) | Optional external memory provider via REST or MCP for teams that need cross-agent persistent memory beyond local SCALE Memory Brain. | Not vendored. |
+| GBrain | MIT | [garrytan/gbrain](https://github.com/garrytan/gbrain) | Optional graph memory provider for brain repos, hybrid search, entity relationships, MCP, and background maintenance. | Not vendored. |
+
+Other referenced skills, MCP servers, CLIs, discovery candidates, and adapter targets are listed in [External Reference Inventory](EXTERNAL_REFERENCES.md). Unknown licenses stay `review-required`; do not treat a repository link as redistribution permission.
+
+## Acknowledgements
+
+SCALE acknowledges these upstream projects and contributors:
+
+- `OthmanAdi/planning-with-files`, Copyright (c) 2026 Ahmad Adi.
+- `rohitg00/agentmemory` and its upstream contributors.
+- `garrytan/gbrain` and its upstream contributors.
+- All upstream projects listed in [External Reference Inventory](EXTERNAL_REFERENCES.md) according to their licenses and contribution histories.
+
+The current SCALE implementation records these projects as external references or adapted concepts. It does not copy their source code into this repository.
+
+## Vendoring Checklist
+
+If SCALE later vendors or modifies any third-party skill, the change must include:
+
+1. Full upstream license text in the distributed package.
+2. Upstream copyright and NOTICE material.
+3. Source repository URL and pinned revision.
+4. Modification notes for every copied or changed file.
+5. Tests or doctor checks proving the attribution metadata is present.
+6. README and generated skill repository documentation updates.
+
+## Runtime Boundaries
+
+External memory providers must not be enabled silently. Before use, record:
+
+- provider endpoint and health check evidence
+- project data scope
+- credential boundary
+- retention and deletion policy
+- whether data leaves the local machine or team-controlled infrastructure
+- whether provider writes are disabled, candidate-only, or explicitly enabled
+
+External planning skills must not replace SCALE task evidence. They can improve the plan artifact shape, but final delivery still requires verification output, changed-file evidence, and explicit unverified-risk notes.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hongmaple0820/scale-engine",
-  "version": "0.23.0",
+  "version": "0.25.0",
   "description": "Executable AI agent governance with workflow gates, evidence, skill/tool orchestration, and traceable HTML artifacts",
   "type": "module",
   "bin": {
@@ -19,18 +19,25 @@
     "docs/README.md",
     "docs/CODE_INTELLIGENCE.md",
     "docs/CONTEXT_BUDGET.md",
+    "docs/BACKGROUND_HUNTER.md",
+    "docs/DEPENDENCY_AUDIT.md",
+    "docs/ACTIVE_SECURITY_VISUAL_GATES.md",
+    "docs/EVOLUTION_SHADOW_MODE.md",
     "docs/WORKFLOW_EVAL.md",
     "docs/SKILL_RADAR.md",
+    "docs/SKILL-REPOSITORY.md",
+    "docs/THIRD_PARTY_SKILLS.md",
+    "docs/EXTERNAL_REFERENCES.md",
     "docs/MEMORY_BRAIN.md",
     "docs/GOVERNANCE_DASHBOARD.md",
-    "docs/GITLAB_FLOW.md",
-    "docs/MEMORY_FABRIC.md",
-    "docs/RUNTIME_EVIDENCE.md",
-    "docs/RESOURCE_GOVERNANCE.md",
-    "docs/start",
-    "image",
-    "examples/demo-projects/agent-governance-demo"
-  ],
+    "docs/GITLAB_FLOW.md",
+    "docs/MEMORY_FABRIC.md",
+    "docs/RUNTIME_EVIDENCE.md",
+    "docs/RESOURCE_GOVERNANCE.md",
+    "docs/start",
+    "image",
+    "examples/demo-projects/agent-governance-demo"
+  ],
   "publishConfig": {
     "access": "public"
   },