@hongmaple0820/scale-engine 0.25.0 → 0.27.0

package/docs/DEPENDENCY_AUDIT.md

@@ -1,89 +1,118 @@
-# Dependency Audit
-
-Dependency Audit is the G7 dependency sub-gate for SCALE Engine.
-It adds supply-chain checks without introducing a separate gate number such as `G6.8`.
-
-## Scope
-
-The auditor is intentionally bounded:
-
-- reads `package-lock.json`
-- audits direct dependencies by default
-- supports `--changed-packages` for lockfile-diff workflows
-- scans only selected package roots under `node_modules`
-- caps package count and files per package
-- does not contact the registry by default
-- does not run install scripts
-
-This keeps local verification usable while still catching high-risk dependency behavior.
-
-## Commands
-
-```bash
-scale dependency audit
-scale dependency audit --json
-scale dependency audit --mode strict
-scale dependency audit --changed-packages left-pad,@scope/tool --json
-```
-
-The command exits non-zero when the active mode has blocking findings.
-
-## G7 Integration
-
-`SecurityGate` now emits two first-class evidence sources:
-
-- `built-in-security-scan`: source code security scan
-- `dependency-audit`: dependency supply-chain scan
-
-Both remain under `G7 Security`.
-
-## Policy
-
-Policy lives at `.scale/security/dependency-policy.json`:
-
-```json
-{
-  "version": 1,
-  "mode": "compatibility",
-  "maxPackages": 50,
-  "maxPackageFiles": 25,
-  "allowPackages": [],
-  "baselineFindings": []
-}
-```
-
-Modes:
-
-- `compatibility`: blocks `CRITICAL`
-- `strict`: blocks `CRITICAL` and `HIGH`
-- `offline`: keeps local-only behavior; current offline findings follow compatibility blocking
-
-Use `baselineFindings` for accepted legacy dependency risk:
-
-```json
-{
-  "baselineFindings": [
-    {
-      "packageName": "legacy-tool",
-      "version": "1.2.3",
-      "ruleId": "dependency.install-script",
-      "reason": "Pinned and reviewed during migration window."
-    }
-  ]
-}
-```
-
-Prefer a baseline over `allowPackages` when only one finding is accepted. `allowPackages` suppresses all findings for that package.
-
-## Current Findings
-
-The first implementation detects:
-
-- install lifecycle scripts
-- executable bin scripts
-- deprecated packages from lockfile metadata
-- dynamic code execution: `eval`, `new Function`
-- shell execution patterns
-- suspicious network access patterns
-
-Future network-backed checks can add npm registry metadata and `npm audit --json` ingestion, but they should stay optional and evidence-backed.
+# Dependency Audit
+
+Dependency Audit is the G7 dependency sub-gate for SCALE Engine.
+It adds supply-chain checks without introducing a separate gate number such as `G6.8`.
+
+## Scope
+
+The auditor is intentionally bounded:
+
+- reads `package-lock.json`
+- audits direct dependencies by default
+- supports `--changed-packages` for lockfile-diff workflows
+- scans only selected package roots under `node_modules`
+- caps package count and files per package
+- does not contact the registry by default
+- does not run install scripts
+
+This keeps local verification usable while still catching high-risk dependency behavior.
+
+## Commands
+
+```bash
+scale dependency audit
+scale dependency audit --json
+scale dependency audit --mode strict
+scale dependency audit --changed-packages left-pad,@scope/tool --json
+```
+
+The command exits non-zero when the active mode has blocking findings.
+
+## Verification Command Safety
+
+SCALE verification commands are security-sensitive because they are often run in CI.
+The core verification paths (`verify-task`, phase verification, workflow eval attempts, and gate commands) execute configured commands without shell expansion by default.
+
+Allowed by default:
+
+```bash
+npm run build
+npm test -- --runInBand
+node scripts/check.js --changed
+```
+
+Blocked by default:
+
+```bash
+npm test && curl https://example.com
+node scripts/check.js | tee out.txt
+```
+
+Shell metacharacters such as `&&`, `|`, `;`, `<`, `>`, backticks, and unquoted `$` are rejected before execution. Use package scripts or checked-in helper scripts for composed commands. `SCALE_ALLOW_SHELL_COMMANDS=1` re-enables shell execution only for trusted local runs and must not be enabled for untrusted PR or user-controlled CI inputs.
+
+## G7 Integration
+
+`SecurityGate` now emits two first-class evidence sources:
+
+- `built-in-security-scan`: source code security scan
+- `dependency-audit`: dependency supply-chain scan
+
+Both remain under `G7 Security`.
+
+## Policy
+
+Policy lives at `.scale/security/dependency-policy.json`:
+
+```json
+{
+  "version": 1,
+  "mode": "compatibility",
+  "maxPackages": 50,
+  "maxPackageFiles": 25,
+  "allowPackages": [],
+  "baselineFindings": []
+}
+```
+
+Modes:
+
+- `compatibility`: blocks `CRITICAL`
+- `strict`: blocks `CRITICAL` and `HIGH`
+- `offline`: keeps local-only behavior; current offline findings follow compatibility blocking
+
+Use `baselineFindings` for accepted legacy dependency risk:
+
+```json
+{
+  "baselineFindings": [
+    {
+      "packageName": "legacy-tool",
+      "version": "1.2.3",
+      "ruleId": "dependency.install-script",
+      "reason": "Pinned and reviewed during migration window."
+    }
+  ]
+}
+```
+
+Prefer a baseline over `allowPackages` when only one finding is accepted. `allowPackages` suppresses all findings for that package.
+
+## Current Findings
+
+The first implementation detects:
+
+- install lifecycle scripts
+- executable bin scripts
+- deprecated packages from lockfile metadata
+- built-in ownership/provenance watchlist matches
+- dynamic code execution: `eval`, `new Function`
+- shell execution patterns
+- suspicious network access patterns
+
+The built-in ownership/provenance watchlist currently blocks exact versions that were flagged by external package behavior analysis:
+
+- `content-type@2.0.0`
+- `type-is@2.1.0`
+- `type-js@2.1.0` (kept as a defensive alias for reports that use this package name)
+
+Future network-backed checks can add npm registry metadata and `npm audit --json` ingestion, but they should stay optional and evidence-backed.

package/docs/EVOLUTION_SHADOW_MODE.md

@@ -1,63 +1,63 @@
-# Evolution Shadow Mode
-
-SCALE V2 keeps self-evolution useful without letting one-off failures become hard blockers too early.
-
-## Flow
-
-```text
-Gate Failure
-  -> Defect
-  -> Lesson
-  -> Proposed Rule
-  -> Shadow Rule
-  -> Candidate Hook
-  -> Approved Blocking Hook
-```
-
-## Gate Failure To Defect
-
-`GateSystem` emits `gate.failed` for failed gate results. `AutoDefectCreator` tracks consecutive failures per session and gate stage.
-
-Default behavior:
-
-- three consecutive failures create one `Defect`
-- a passing `gate.executed` event resets the streak
-- defect payload uses `rootCauseCategory=gate_failure`
-- the original blockers, evidence, evidence record id, stage, and streak count are stored in defect context
-
-This is evidence capture only. It does not change source code or generate a hook.
-
-## Rule Maturity
-
-New rules start in `shadow` mode. Shadow rules can record hits, but they do not block development.
-
-Promotion requires:
-
-- shadow hits >= 10
-- at least one defect evidence id
-- rollback method present
-- false positive rate within threshold
-- explicit approval before a blocking hook is allowed
-
-`RuleMaturity` exposes:
-
-- `createShadowRuleMaturity`
-- `recordShadowHit`
-- `evaluateRulePromotion`
-- `approveRuleMaturity`
-
-## Hook Boundary
-
-`HookGenerator` still requires `rule.approved === true`.
-
-For V2 rules that carry maturity metadata, it also requires:
-
-```text
-rule.maturity.stage === "approved-blocking"
-```
-
-That means proposed or shadow rules can be observed and improved, but cannot become blocking hooks until explicitly promoted.
-
-## Current Scope
-
-This release slice wires the core library path and gate events. CLI approval commands and persistent rule-maturity storage can be added later without changing the safety model.
+# Evolution Shadow Mode
+
+SCALE V2 keeps self-evolution useful without letting one-off failures become hard blockers too early.
+
+## Flow
+
+```text
+Gate Failure
+  -> Defect
+  -> Lesson
+  -> Proposed Rule
+  -> Shadow Rule
+  -> Candidate Hook
+  -> Approved Blocking Hook
+```
+
+## Gate Failure To Defect
+
+`GateSystem` emits `gate.failed` for failed gate results. `AutoDefectCreator` tracks consecutive failures per session and gate stage.
+
+Default behavior:
+
+- three consecutive failures create one `Defect`
+- a passing `gate.executed` event resets the streak
+- defect payload uses `rootCauseCategory=gate_failure`
+- the original blockers, evidence, evidence record id, stage, and streak count are stored in defect context
+
+This is evidence capture only. It does not change source code or generate a hook.
+
+## Rule Maturity
+
+New rules start in `shadow` mode. Shadow rules can record hits, but they do not block development.
+
+Promotion requires:
+
+- shadow hits >= 10
+- at least one defect evidence id
+- rollback method present
+- false positive rate within threshold
+- explicit approval before a blocking hook is allowed
+
+`RuleMaturity` exposes:
+
+- `createShadowRuleMaturity`
+- `recordShadowHit`
+- `evaluateRulePromotion`
+- `approveRuleMaturity`
+
+## Hook Boundary
+
+`HookGenerator` still requires `rule.approved === true`.
+
+For V2 rules that carry maturity metadata, it also requires:
+
+```text
+rule.maturity.stage === "approved-blocking"
+```
+
+That means proposed or shadow rules can be observed and improved, but cannot become blocking hooks until explicitly promoted.
+
+## Current Scope
+
+This release slice wires the core library path and gate events. CLI approval commands and persistent rule-maturity storage can be added later without changing the safety model.

package/docs/EXTERNAL_REFERENCES.md

@@ -1,58 +1,63 @@
-# External Reference Inventory
-
-This inventory is the source of truth for external projects, community skills, MCP servers, CLIs, and adapter targets referenced by SCALE. It complements [Third-Party Skills and External References](THIRD_PARTY_SKILLS.md).
-
-The inventory is intentionally conservative:
-
-- A row here is an acknowledgement and governance record, not a claim that upstream code is vendored.
-- License is only marked when it has been explicitly reviewed in this repository. Unknown or unverified projects stay `review-required`.
-- Any future vendoring, source copying, modified redistribution, bundled assets, logos, examples, or generated derivatives must preserve upstream license text, copyright notices, NOTICE files, source URL, pinned revision, and modification notes.
-- External services and memory providers remain disabled or read-only by default until privacy, retention, credential, and deletion boundaries are reviewed.
-
-## Current References
-
-| Upstream | Role in SCALE | Usage status | License status | Primary source surface |
-| --- | --- | --- | --- | --- |
-| [OthmanAdi/planning-with-files](https://github.com/OthmanAdi/planning-with-files) | File-backed planning workflow reference | adapted concept, not vendored | MIT | `SkillRepository`, README, `THIRD_PARTY_SKILLS` |
-| [rohitg00/agentmemory](https://github.com/rohitg00/agentmemory) | Optional external memory provider | external provider, read-only by default | Apache-2.0 | `MemoryProviders`, `SkillRepository`, README |
-| [garrytan/gbrain](https://github.com/garrytan/gbrain) | Optional graph memory provider | external provider, read-only by default | MIT | `MemoryProviders`, `SkillRepository`, README |
-| [anthropics/skills](https://github.com/anthropics/skills) | Frontend and webapp testing skill references | external skill reference | review-required | `SkillRepository`, `SkillCatalog`, `ToolCapabilityRegistry` |
-| [anthropics/claude-code](https://github.com/anthropics/claude-code) | Graphify and playwright-interactive skill references | optional discovery reference | review-required | `SkillDiscovery` |
-| [VoltAgent/awesome-design-md](https://github.com/VoltAgent/awesome-design-md) | Design system and DESIGN.md guidance | external skill reference | review-required | `SkillRepository`, `ExternalSkills`, `SkillDoctor` |
-| [nextlevelbuilder/ui-ux-pro-max-skill](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill) | UI/UX design intelligence reference | external skill reference | review-required | `SkillRepository`, `ExternalSkills`, `ToolCapabilityRegistry` |
-| [eze-is/web-access](https://github.com/eze-is/web-access) | Web research and browser automation skill | external skill reference | review-required | `SkillRepository`, `ExternalSkills`, `SkillDoctor` |
-| [vercel-labs/agent-browser](https://github.com/vercel-labs/agent-browser) | Browser automation CLI | external CLI reference | review-required | `SkillRepository`, `ExternalSkills`, `ToolCapabilityRegistry` |
-| [ChromeDevTools/chrome-devtools-mcp](https://github.com/ChromeDevTools/chrome-devtools-mcp) | Chrome DevTools MCP integration | MCP reference | review-required | `SkillRepository`, `ExternalSkills`, `ToolCapabilityRegistry` |
-| [trycua/cua](https://github.com/trycua/cua) | Desktop computer-use automation | restricted external automation reference | review-required | `SkillRepository`, `ExternalSkills`, `ToolCapabilityRegistry` |
-| [microsoft/playwright](https://github.com/microsoft/playwright) | Browser automation and validation | optional discovery reference | review-required | `SkillDiscovery` |
-| [google-gemini/gemini-cli](https://github.com/google-gemini/gemini-cli) | Gemini CLI and community skill examples | external CLI and skill reference | review-required | `SkillRepository`, `SkillCatalog`, adapters |
-| [openai/codex](https://github.com/openai/codex) | Codex CLI adapter and external reviewer | external CLI reference | review-required | `SkillRepository`, `ExternalSkills`, adapters |
-| [sst/opencode](https://github.com/sst/opencode) | OpenCode CLI reference used by routing | external CLI reference | review-required | `SkillRepository`, `ExternalSkills`, `SkillDoctor` |
-| [opencode-ai/opencode](https://github.com/opencode-ai/opencode) | OpenCode adapter source comment | adapter target reference | review-required | `OpenCodeAdapter` |
-| [facebook/react](https://github.com/facebook/react) | React fix skill example | external skill reference | review-required | `SkillRepository`, `SkillCatalog` |
-| [vercel/next.js](https://github.com/vercel/next.js) | Next.js documentation update skill example | external skill reference | review-required | `SkillRepository`, `SkillCatalog` |
-| [vercel-labs/skills](https://github.com/vercel-labs/skills) | Skill discovery example | external skill reference | review-required | `SkillRepository`, `SkillCatalog` |
-| [Shubhamsaboo/awesome-llm-apps](https://github.com/Shubhamsaboo/awesome-llm-apps) | Full-stack agent skill example | external skill reference | review-required | `SkillCatalog` |
-| [jnMetaCode/agency-agents-zh](https://github.com/jnMetaCode/agency-agents-zh) | Chinese role preset reference | external preset reference | review-required | `SkillRepository` |
-| [yizhiyanhua-ai/fireworks-tech-graph](https://github.com/yizhiyanhua-ai/fireworks-tech-graph) | Diagram skill discovery and installer reference | optional install reference | review-required | `ExternalSkills`, `SkillDiscovery`, `SkillInstaller` |
-| [github/awesome-copilot](https://github.com/github/awesome-copilot) | Excalidraw diagram skill source | optional install reference | review-required | `ExternalSkills`, `SkillInstaller`, installation workflow doc |
-| [Cocoon-AI/architecture-diagram-generator](https://github.com/Cocoon-AI/architecture-diagram-generator) | Architecture diagram skill reference | optional install reference | review-required | `ExternalSkills`, `SkillDiscovery`, `SkillInstaller` |
-| [heygen-com/hyperframes](https://github.com/heygen-com/hyperframes) | Video generation CLI reference | optional install reference | review-required | `ExternalSkills`, `SkillDiscovery`, `SkillInstaller` |
-| [op7418/guizang-ppt-skill](https://github.com/op7418/guizang-ppt-skill) | PPT generation skill reference | optional install reference | review-required | `ExternalSkills`, `SkillDiscovery`, `SkillInstaller` |
-| [QwenLM/qwen-code](https://github.com/QwenLM/qwen-code) | QCoder adapter target | adapter target reference | review-required | `QCoderAdapter` |
-| [openclaw-ai/openclaw](https://github.com/openclaw-ai/openclaw) | OpenClaw adapter target | adapter target reference | review-required | `OpenClawAdapter` |
-| [hermes-ai/hermes](https://github.com/hermes-ai/hermes) | Hermes adapter target | adapter target reference | review-required | `HermesAdapter` |
-| [Hmbown/deepseek-tui](https://github.com/Hmbown/deepseek-tui) | DeepSeek TUI adapter target | adapter target reference | review-required | `DeepSeekTuiAdapter` |
-| [Aider-AI/aider](https://github.com/Aider-AI/aider) | Aider adapter target | adapter target reference | review-required | `AiderAdapter` |
-
-## Required Maintenance
-
-When a new GitHub upstream is referenced from `src/skills`, `src/tools`, `src/adapters`, or current tool orchestration docs, update this inventory in the same change. `tests/docs/externalReferences.test.ts` scans those surfaces and fails if a referenced upstream is missing from this file.
-
-Before promoting any `review-required` item to a declared license status, record:
-
-1. upstream license file and revision
-2. upstream copyright and NOTICE obligations
-3. whether SCALE vendors code, adapts concepts, or only links to the project
-4. modification notes for copied or derived files
-5. installation, script, and permission review evidence
+# External Reference Inventory
+
+This inventory is the source of truth for external projects, community skills, MCP servers, CLIs, and adapter targets referenced by SCALE. It complements [Third-Party Skills and External References](THIRD_PARTY_SKILLS.md).
+
+The inventory is intentionally conservative:
+
+- A row here is an acknowledgement and governance record, not a claim that upstream code is vendored.
+- License is only marked when it has been explicitly reviewed in this repository. Unknown or unverified projects stay `review-required`.
+- Any future vendoring, source copying, modified redistribution, bundled assets, logos, examples, or generated derivatives must preserve upstream license text, copyright notices, NOTICE files, source URL, pinned revision, and modification notes.
+- External services and memory providers remain disabled or read-only by default until privacy, retention, credential, and deletion boundaries are reviewed.
+
+## Current References
+
+| Upstream | Role in SCALE | Usage status | License status | Primary source surface |
+| --- | --- | --- | --- | --- |
+| [OthmanAdi/planning-with-files](https://github.com/OthmanAdi/planning-with-files) | File-backed planning workflow reference | adapted concept, not vendored | MIT | `SkillRepository`, README, `THIRD_PARTY_SKILLS` |
+| [rohitg00/agentmemory](https://github.com/rohitg00/agentmemory) | Optional external memory provider | external provider, read-only by default | Apache-2.0 | `MemoryProviders`, `SkillRepository`, README |
+| [garrytan/gbrain](https://github.com/garrytan/gbrain) | Optional graph memory provider | external provider, read-only by default | MIT | `MemoryProviders`, `SkillRepository`, README |
+| [anthropics/skills](https://github.com/anthropics/skills) | Frontend and webapp testing skill references | external skill reference | review-required | `SkillRepository`, `SkillCatalog`, `ToolCapabilityRegistry` |
+| [anthropics/claude-code](https://github.com/anthropics/claude-code) | Graphify and playwright-interactive skill references | optional discovery reference | review-required | `SkillDiscovery` |
+| [VoltAgent/awesome-design-md](https://github.com/VoltAgent/awesome-design-md) | Design system and DESIGN.md guidance | external skill reference | review-required | `SkillRepository`, `ExternalSkills`, `SkillDoctor` |
+| [nextlevelbuilder/ui-ux-pro-max-skill](https://github.com/nextlevelbuilder/ui-ux-pro-max-skill) | UI/UX design intelligence reference | external skill reference | review-required | `SkillRepository`, `ExternalSkills`, `ToolCapabilityRegistry` |
+| [eze-is/web-access](https://github.com/eze-is/web-access) | Web research and browser automation skill | external skill reference | review-required | `SkillRepository`, `ExternalSkills`, `SkillDoctor` |
+| [vercel-labs/agent-browser](https://github.com/vercel-labs/agent-browser) | Browser automation CLI | external CLI reference | review-required | `SkillRepository`, `ExternalSkills`, `ToolCapabilityRegistry` |
+| [ChromeDevTools/chrome-devtools-mcp](https://github.com/ChromeDevTools/chrome-devtools-mcp) | Chrome DevTools MCP integration | MCP reference | review-required | `SkillRepository`, `ExternalSkills`, `ToolCapabilityRegistry` |
+| [trycua/cua](https://github.com/trycua/cua) | Desktop computer-use automation | restricted external automation reference | review-required | `SkillRepository`, `ExternalSkills`, `ToolCapabilityRegistry` |
+| [microsoft/playwright](https://github.com/microsoft/playwright) | Browser automation and validation | optional discovery reference | review-required | `SkillDiscovery` |
+| [google-gemini/gemini-cli](https://github.com/google-gemini/gemini-cli) | Gemini CLI and community skill examples | external CLI and skill reference | review-required | `SkillRepository`, `SkillCatalog`, adapters |
+| [openai/codex](https://github.com/openai/codex) | Codex CLI adapter and external reviewer | external CLI reference | review-required | `SkillRepository`, `ExternalSkills`, adapters |
+| [sst/opencode](https://github.com/sst/opencode) | OpenCode CLI reference used by routing | external CLI reference | review-required | `SkillRepository`, `ExternalSkills`, `SkillDoctor` |
+| [opencode-ai/opencode](https://github.com/opencode-ai/opencode) | OpenCode adapter source comment | adapter target reference | review-required | `OpenCodeAdapter` |
+| [facebook/react](https://github.com/facebook/react) | React fix skill example | external skill reference | review-required | `SkillRepository`, `SkillCatalog` |
+| [vercel/next.js](https://github.com/vercel/next.js) | Next.js documentation update skill example | external skill reference | review-required | `SkillRepository`, `SkillCatalog` |
+| [vercel-labs/skills](https://github.com/vercel-labs/skills) | Skill discovery example | external skill reference | review-required | `SkillRepository`, `SkillCatalog` |
+| [Shubhamsaboo/awesome-llm-apps](https://github.com/Shubhamsaboo/awesome-llm-apps) | Full-stack agent skill example | external skill reference | review-required | `SkillCatalog` |
+| [jnMetaCode/agency-agents-zh](https://github.com/jnMetaCode/agency-agents-zh) | Chinese role preset reference | external preset reference | review-required | `SkillRepository` |
+| [yizhiyanhua-ai/fireworks-tech-graph](https://github.com/yizhiyanhua-ai/fireworks-tech-graph) | Diagram skill discovery and installer reference | optional install reference | review-required | `ExternalSkills`, `SkillDiscovery`, `SkillInstaller` |
+| [github/awesome-copilot](https://github.com/github/awesome-copilot) | Excalidraw diagram skill source | optional install reference | review-required | `ExternalSkills`, `SkillInstaller`, installation workflow doc |
+| [Cocoon-AI/architecture-diagram-generator](https://github.com/Cocoon-AI/architecture-diagram-generator) | Architecture diagram skill reference | optional install reference | review-required | `ExternalSkills`, `SkillDiscovery`, `SkillInstaller` |
+| [heygen-com/hyperframes](https://github.com/heygen-com/hyperframes) | Video generation CLI reference | optional install reference | review-required | `ExternalSkills`, `SkillDiscovery`, `SkillInstaller` |
+| [op7418/guizang-ppt-skill](https://github.com/op7418/guizang-ppt-skill) | PPT generation skill reference | optional install reference | review-required | `ExternalSkills`, `SkillDiscovery`, `SkillInstaller` |
+| [QwenLM/qwen-code](https://github.com/QwenLM/qwen-code) | QCoder adapter target | adapter target reference | review-required | `QCoderAdapter` |
+| [Qoder docs](https://docs.qoder.com/) | Qoder adapter target | adapter target reference | review-required | `QoderAdapter` |
+| JCode | JCode adapter target; upstream source and license still need review | provisional adapter target reference | review-required | `JCodeAdapter` |
+| [Cline docs](https://docs.cline.bot/) | Cline adapter target | adapter target reference | review-required | `ClineAdapter` |
+| [Kilo Code docs](https://docs.kilocode.ai/) | Kilo Code adapter target | adapter target reference | review-required | `KiloCodeAdapter` |
+| [Google Antigravity docs](https://antigravity.google/docs/) | Antigravity adapter target | adapter target reference | review-required | `AntigravityAdapter` |
+| [openclaw-ai/openclaw](https://github.com/openclaw-ai/openclaw) | OpenClaw adapter target | adapter target reference | review-required | `OpenClawAdapter` |
+| [hermes-ai/hermes](https://github.com/hermes-ai/hermes) | Hermes adapter target | adapter target reference | review-required | `HermesAdapter` |
+| [Hmbown/deepseek-tui](https://github.com/Hmbown/deepseek-tui) | DeepSeek TUI adapter target | adapter target reference | review-required | `DeepSeekTuiAdapter` |
+| [Aider-AI/aider](https://github.com/Aider-AI/aider) | Aider adapter target | adapter target reference | review-required | `AiderAdapter` |
+
+## Required Maintenance
+
+When a new GitHub upstream is referenced from `src/skills`, `src/tools`, `src/adapters`, or current tool orchestration docs, update this inventory in the same change. `tests/docs/externalReferences.test.ts` scans those surfaces and fails if a referenced upstream is missing from this file.
+
+Before promoting any `review-required` item to a declared license status, record:
+
+1. upstream license file and revision
+2. upstream copyright and NOTICE obligations
+3. whether SCALE vendors code, adapts concepts, or only links to the project
+4. modification notes for copied or derived files
+5. installation, script, and permission review evidence