@hongmaple0820/scale-engine 0.40.2 → 0.43.0

package/docs/workflow/GATES_AND_SCORE.md

@@ -10,10 +10,11 @@ Use `scale gates status` to inspect the active gate catalog.
 scale gates status --json
 ```
 
-The report separates three concepts that were previously easy to confuse:
+The report separates four concepts that were previously easy to confuse:
 
 - Core gates: `G0-G8`, used by workflow verification, preflight, and product smoke profiles.
 - Meta-governance gates: `G9-G15`, used by `scale meta-governance`.
+- Enhanced gates: `G16-G22`, covering commit discipline, doc hygiene, runtime evidence, code review, supply chain, context budget, and session health.
 - Extension gates: policy-backed checks such as engineering standards, product smoke policy, and tool evidence.
 
 `scale gates status` is intentionally read-only. It does not execute checks; it explains which checks exist and which policies are blocking.
@@ -28,6 +29,38 @@ Architecture and engineering standards are driven by project configuration:
 
 Preflight now uses changed-file standards scope when the target is inside a Git worktree. Non-Git projects keep the old full-scan behavior so bootstrap and fixture projects still get complete feedback.
 
+## Enhanced Gates (G16-G22)
+
+Added in v0.41.0, these gates cover commit discipline, runtime quality, and session hygiene:
+
+| Gate | Name | Blocking | Description |
+| --- | --- | --- | --- |
+| G16 | Commit Discipline | ✅ | Uncommitted file count (warn=10, block=25), time since last commit (warn=60min, block=180min), staged files >1MB, whitespace errors |
+| G17 | Documentation Hygiene | — | Changed markdown files must have valid internal links |
+| G18 | Runtime Evidence | ✅ | Task must have recorded runtime evidence with matching exit codes |
+| G19 | Code Review | ✅ (L/CRITICAL) | L and CRITICAL tasks require reviewed changes with resolved findings |
+| G20 | Supply Chain | ✅ | No CRITICAL/HIGH vulnerabilities; lock file must be consistent |
+| G21 | Context Budget | — | Advisory check on context token usage against configured budget |
+| G22 | Session Health | — | Advisory check on stale worktrees and session state consistency |
+
+Run enhanced gates individually:
+
+```bash
+bash scripts/gates/G16-verify.sh   # Commit Discipline
+bash scripts/gates/G17-verify.sh   # Documentation Hygiene
+bash scripts/gates/G18-verify.sh   # Runtime Evidence
+bash scripts/gates/G19-verify.sh   # Code Review
+bash scripts/gates/G20-verify.sh   # Supply Chain
+bash scripts/gates/G21-verify.sh   # Context Budget
+bash scripts/gates/G22-verify.sh   # Session Health
+```
+
+Or run all gates including enhanced:
+
+```bash
+bash scripts/gates/all.sh --all
+```
+
 ## Task Score
 
 Use `scale score task` to produce an algorithmic completion score.

package/docs/workflow/README.md

@@ -23,6 +23,25 @@ scale score task --changed --json
 scale prompt optimize --input "raw coding request" --json
 ```
 
+### SCALE 2.0 引擎命令
+
+```bash
+# Scale Shield — 钩子拦截
+scale shield compile          # 编译策略 + 安装 hook
+scale shield status           # 验证 hook 注册 + .scale/ 完整性
+scale shield test             # 运行 allow/block 测试
+
+# Scale Orchestrator — 编排守护进程
+scale orch start              # 启动 daemon
+scale orch status             # 查看状态 + workspace 列表
+
+# Scale Cortex — 持续进化
+scale cortex evolve           # 完整进化周期
+scale cortex extract          # 提取 Instincts
+scale cortex inject --minimal # 预览 SessionStart 注入
+scale cortex metrics --days 30 # 治理 ROI 报告
+```
+
 PowerShell:
 
 ```powershell
@@ -35,16 +54,45 @@ See [PROMPT_OPTIMIZATION.md](PROMPT_OPTIMIZATION.md) for the deterministic promp
 
 ## 门禁说明
 
-| Gate | 作用 |
-| --- | --- |
-| G1 | 探索是否记录到状态文件，且至少读了 3 个文件 |
-| G2 | 计划是否包含边界、异常、回滚、现实校验 |
-| G3 | `src/` 行为改动是否伴随测试改动 |
-| G4 | workflow 脚本是否可解析 |
-| G5 | `lint + typecheck + test + build` 是否通过 |
-| G6 | 任务证据和 `git diff --check` 是否通过 |
-| G7 | 安全面是否通过 |
-| G8 | Markdown 与工作流文档是否符合基础卫生规则 |
+SCALE 2.0 共 23 个门禁，分三层：核心门禁（G0-G8）、元治理门禁（G9-G15）、增强门禁（G16-G22）。
+
+### 核心门禁（G0-G8）
+
+| Gate | 作用 | 默认 | 阻断 |
+| --- | | --- | --- |
+| G0 | 构建命令或配置的验证命令必须通过 | ✅ | ✅ |
+| G1 | 探索是否记录到状态文件，且至少读了 3 个文件 | ✅ | — |
+| G2 | 计划是否包含边界、异常、回滚、现实校验 | ✅ | — |
+| G3 | `src/` 行为改动是否伴随测试改动 | ✅ | ✅ |
+| G4 | lint 命令必须通过 | ✅ | ✅ |
+| G5 | 测试命令必须通过 | ✅ | ✅ |
+| G6 | 覆盖率、任务证据和 diff hygiene 必须满足当前 profile | profile | ✅ |
+| G7 | 安全和依赖风险检查必须通过 | profile | ✅ |
+| G8 | 产品冒烟命令必须通过 | profile | ✅ |
+
+### 元治理门禁（G9-G15）
+
+| Gate | 作用 | 默认 | 阻断 |
+| --- | | --- | --- |
+| G9 | 知识库和 recall 能力是否被使用 | ✅ | — |
+| G10 | 改进候选是否有证据支撑 | — | — |
+| G11 | 护栏结果是否可见且可操作 | ✅ | — |
+| G12 | 工作流阶段和制品是否完整 | ✅ | — |
+| G13 | 多 Agent 协作是否有协调证据 | — | — |
+| G14 | 必需 skill 是否被选择和验证 | — | — |
+| G15 | 经验教训是否安全进入学习循环 | — | — |
+
+### 增强门禁（G16-G22）
+
+| Gate | 作用 | 默认 | 阻断 |
+| --- | | --- | --- |
+| G16 | 未提交文件数量和大文件阈值检查 | ✅ | ✅ |
+| G17 | 变更的文档链接有效性检查 | ✅ | — |
+| G18 | 运行时证据记录和退出码匹配 | ✅ | ✅ |
+| G19 | L/CRITICAL 任务需要代码审查记录 | profile | ✅ |
+| G20 | 无 CRITICAL/HIGH 漏洞；lock 文件一致性 | ✅ | ✅ |
+| G21 | 上下文 token 预算检查（advisory） | ✅ | — |
+| G22 | 会话健康检查：worktree 泄露和状态一致性 | ✅ | — |
 
 ## 分支策略
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hongmaple0820/scale-engine",
-  "version": "0.40.2",
+  "version": "0.43.0",
   "description": "Executable AI agent governance with workflow gates, evidence, skill/tool orchestration, and traceable HTML artifacts",
   "repository": {
     "type": "git",
@@ -25,28 +25,13 @@
   "files": [
     "dist",
     "docs/README.md",
-    "docs/AI_ENGINEERING_OS_POSITIONING.md",
-    "docs/CODE_INTELLIGENCE.md",
-    "docs/CONTEXT_BUDGET.md",
-    "docs/BACKGROUND_HUNTER.md",
-    "docs/DEPENDENCY_AUDIT.md",
-    "docs/ACTIVE_SECURITY_VISUAL_GATES.md",
-    "docs/EVOLUTION_SHADOW_MODE.md",
-    "docs/WORKFLOW_EVAL.md",
     "docs/SKILL_RADAR.md",
     "docs/SKILL-REPOSITORY.md",
-    "docs/THIRD_PARTY_SKILLS.md",
     "docs/EXTERNAL_REFERENCES.md",
-    "docs/MEMORY_BRAIN.md",
-    "docs/GOVERNANCE_DASHBOARD.md",
-    "docs/GITLAB_FLOW.md",
-    "docs/MEMORY_FABRIC.md",
-    "docs/RUNTIME_EVIDENCE.md",
-    "docs/RESOURCE_GOVERNANCE.md",
+    "docs/THIRD_PARTY_SKILLS.md",
     "docs/guides",
     "docs/start",
     "docs/workflow",
-    "image",
     "examples/demo-projects/agent-governance-demo",
     "scripts/workflow/lib",
     "scripts/workflow/setup-smoke.mjs",
@@ -89,6 +74,9 @@
     "type-is": "2.0.1",
     "qs": "6.15.2"
   },
+  "optionalDependencies": {
+    "playwright": "^1.50.0"
+  },
   "devDependencies": {
     "@types/better-sqlite3": "^7.6.0",
     "@types/js-yaml": "^4.0.9",

package/docs/ACTIVE_SECURITY_VISUAL_GATES.md

@@ -1,87 +0,0 @@
-# Active Security And Visual Gates
-
-SCALE V2 adds two optional verification layers for projects that can provide a runnable local target:
-
-- `ActiveRedTeam`: bounded dynamic security probes for configured HTTP targets.
-- `VisualGate`: structured visual review evidence for UI routes and UI specs.
-
-Both are conditional. A library or backend project with no runtime target should not pay the cost.
-
-## Active Security
-
-Active security is configured under `.scale/verification.json`:
-
-```json
-{
-  "security": {
-    "active": {
-      "enabled": true,
-      "baseUrl": "http://localhost:3000",
-      "startCommand": "npm run dev",
-      "targets": ["/api/login", "/api/users"],
-      "timeoutMs": 5000,
-      "maxRequests": 20
-    }
-  }
-}
-```
-
-Behavior:
-
-- missing or disabled config returns `SKIPPED`
-- invalid enabled config returns `FAILED` before sending probes
-- probes are capped by `maxRequests`
-- every request has a timeout
-- reflected probe payloads are `HIGH` findings and block
-- request errors and server errors are recorded as findings, but only configured blocker severity should fail the gate
-
-The first implementation exposes `runActiveRedTeam()` as a library API. It does not start a server by itself yet. CLI orchestration can wire `startCommand` later, but startup failure must become a `FAILED` result when that runner is added.
-
-## Visual Gate
-
-Visual verification is configured under `.scale/verification.json`:
-
-```json
-{
-  "visual": {
-    "enabled": true,
-    "baseUrl": "http://localhost:5173",
-    "specPath": "docs/ui/UI-SPEC.md",
-    "routes": ["/", "/settings"],
-    "reportPath": "docs/worklog/tasks/TASK-123/visual-report.json",
-    "blockingSeverities": ["critical", "high"]
-  }
-}
-```
-
-`VisualGate` consumes a structured report:
-
-```json
-{
-  "screenshots": [
-    { "route": "/", "path": "screenshots/home.png" }
-  ],
-  "findings": [
-    {
-      "severity": "high",
-      "route": "/",
-      "message": "Primary action overlaps the navigation bar.",
-      "evidence": "overlap ratio 0.42"
-    }
-  ]
-}
-```
-
-Behavior:
-
-- missing or disabled config passes with a `Visual gate skipped` evidence item
-- enabled config requires `baseUrl`, `specPath`, `routes`, and `reportPath`
-- missing or invalid visual report fails
-- default blockers are `critical` and `high`
-- VLM comments may be recorded in the report, but the gate blocks only on structured severity thresholds
-
-## Gate Numbering
-
-`VisualGate` uses `G9` when explicitly registered. It is not registered by default because meta governance also uses the G9-G15 range. Projects should register it only in UI verification profiles or dedicated task flows.
-
-Active security remains a security sub-check instead of a fractional gate number. It belongs under the broader G7 security lifecycle when wired into a concrete workflow.