@t275005746/gse 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -42
- package/.github/ISSUE_TEMPLATE/change_request.yml +50 -50
- package/.github/ISSUE_TEMPLATE/config.yml +5 -5
- package/.github/PULL_REQUEST_TEMPLATE.md +38 -38
- package/.github/workflows/validate-gse.yml +33 -33
- package/.gse/README.md +18 -18
- package/.gse/gse-development-protocol.md +50 -50
- package/.gse/project-profile.md +29 -29
- package/.gse/quality-gates.md +25 -25
- package/.gse/releases/public-registry-publication-npm.md +49 -0
- package/.gse/releases/public-release-owner-required.md +65 -65
- package/.gse/releases/public-security-contact-owner-required.md +45 -45
- package/.gse/state.json +3 -4
- package/CHANGELOG.md +24 -24
- package/CONTRIBUTING.md +64 -64
- package/LICENSE +21 -21
- package/README.md +1 -1
- package/README.zh-CN.md +1 -1
- package/SECURITY.md +41 -41
- package/SUPPORT.md +38 -38
- package/assets/marketplace/README.md +7 -7
- package/assets/marketplace/gse-listing.json +75 -75
- package/assets/templates/acceptance-execution-packet.md +73 -73
- package/assets/templates/adr.md +14 -14
- package/assets/templates/change-brief.md +16 -16
- package/assets/templates/design.md +18 -18
- package/assets/templates/dispatch-packet.md +104 -104
- package/assets/templates/evidence.md +14 -14
- package/assets/templates/execution-quality-pack.md +65 -65
- package/assets/templates/goal-map.md +21 -21
- package/assets/templates/host-adapter.md +48 -48
- package/assets/templates/host-ui-invocation-record.md +42 -42
- package/assets/templates/incident-review.md +60 -60
- package/assets/templates/public-channel-publication-record.md +49 -49
- package/assets/templates/public-ci-run-record.md +53 -53
- package/assets/templates/public-release-record.md +65 -65
- package/assets/templates/public-repository-settings-record.md +59 -59
- package/assets/templates/public-security-contact-record.md +45 -45
- package/assets/templates/release-trust-record.md +32 -32
- package/assets/templates/review.md +18 -18
- package/assets/templates/spec.md +16 -16
- package/assets/templates/target-adoption-evidence.md +29 -29
- package/assets/templates/tasks.md +17 -17
- package/assets/templates/update-release-acceptance-record.md +58 -58
- package/examples/README.md +22 -22
- package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -6
- package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -7
- package/examples/agent-runtime-host/.gse/goal-map.md +7 -7
- package/examples/agent-runtime-host/.gse/project-profile.md +27 -27
- package/examples/agent-runtime-host/.gse/tooling.md +5 -5
- package/examples/agent-runtime-host/.mcp.json +9 -9
- package/examples/agent-runtime-host/AGENTS.md +5 -5
- package/examples/agent-runtime-host/README.md +10 -10
- package/examples/agent-runtime-host/docs/model-routing.md +5 -5
- package/examples/cli-tool/.gse/project-profile.md +21 -21
- package/examples/cli-tool/AGENTS.md +5 -5
- package/examples/cli-tool/README.md +12 -12
- package/examples/cli-tool/package.json +21 -21
- package/examples/small-app/.env.example +2 -2
- package/examples/small-app/.github/workflows/ci.yml +8 -8
- package/examples/small-app/AGENTS.md +5 -5
- package/examples/small-app/README.md +12 -12
- package/examples/small-app/package.json +26 -26
- package/examples/small-app/playwright.config.ts +4 -4
- package/package.json +53 -53
- package/references/adoption-recipes.md +171 -171
- package/references/agent-roles.md +49 -49
- package/references/architecture-health.md +101 -101
- package/references/benchmark-audit.md +73 -73
- package/references/community-channels.md +46 -46
- package/references/compatibility.md +70 -70
- package/references/design-basis.md +38 -38
- package/references/domain-model.md +129 -129
- package/references/domain-quality-gates.md +75 -75
- package/references/drift-audit.md +81 -81
- package/references/evidence-taxonomy.md +123 -123
- package/references/file-ownership.md +107 -107
- package/references/final-readiness.md +84 -84
- package/references/forward-test.md +133 -133
- package/references/goal-map.md +36 -36
- package/references/host-adapters.md +119 -119
- package/references/learning-system.md +35 -35
- package/references/marketplace-discovery.md +46 -46
- package/references/model-routing.md +103 -103
- package/references/open-source-defaults.md +39 -39
- package/references/operating-model.md +52 -52
- package/references/packaging.md +277 -277
- package/references/project-agent-workspace.md +89 -89
- package/references/project-bootstrap.md +122 -122
- package/references/project-profile.md +57 -57
- package/references/public-release.md +174 -174
- package/references/quality-gates.md +100 -100
- package/references/recovery.md +176 -176
- package/references/release-trust.md +43 -43
- package/references/release.md +126 -126
- package/references/review.md +141 -141
- package/references/router.md +90 -90
- package/references/spec-workflow.md +66 -66
- package/references/task-levels.md +81 -81
- package/references/tool-adapters.md +73 -73
- package/scripts/audit-acceptance-execution-packet.mjs +133 -133
- package/scripts/audit-adoption-recipes.mjs +99 -99
- package/scripts/audit-change-lifecycle.mjs +77 -77
- package/scripts/audit-change-system.mjs +134 -134
- package/scripts/audit-ci-readiness.mjs +107 -107
- package/scripts/audit-close-gate.mjs +323 -323
- package/scripts/audit-command-adapters.mjs +91 -91
- package/scripts/audit-command-execution.mjs +210 -210
- package/scripts/audit-compatibility.mjs +149 -149
- package/scripts/audit-completion-readiness.mjs +292 -292
- package/scripts/audit-distribution.mjs +251 -251
- package/scripts/audit-domain-quality-gates.mjs +108 -108
- package/scripts/audit-evidence-placeholders.mjs +126 -126
- package/scripts/audit-final-readiness-promotion.mjs +255 -255
- package/scripts/audit-final-readiness.mjs +226 -226
- package/scripts/audit-fixtures.mjs +154 -154
- package/scripts/audit-fresh-session-readiness.mjs +177 -177
- package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -159
- package/scripts/audit-host-runtime-invocation-drill.mjs +240 -240
- package/scripts/audit-host-runtime-invocations.mjs +254 -254
- package/scripts/audit-host-ui-invocation.mjs +132 -132
- package/scripts/audit-marketplace-discovery.mjs +122 -122
- package/scripts/audit-npm-package-metadata.mjs +155 -155
- package/scripts/audit-npm-publish-dry-run.mjs +191 -169
- package/scripts/audit-npm-tarball-install.mjs +191 -191
- package/scripts/audit-open-source-defaults.mjs +92 -92
- package/scripts/audit-open-source-readiness.mjs +97 -97
- package/scripts/audit-project.mjs +138 -138
- package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -203
- package/scripts/audit-public-acceptance-readiness.mjs +224 -224
- package/scripts/audit-public-channel-publication.mjs +248 -248
- package/scripts/audit-public-ci-run.mjs +184 -184
- package/scripts/audit-public-collaboration-templates.mjs +98 -98
- package/scripts/audit-public-external-gate-probe.mjs +206 -206
- package/scripts/audit-public-release-decision.mjs +201 -201
- package/scripts/audit-public-release-metadata.mjs +176 -176
- package/scripts/audit-public-repository-settings.mjs +237 -237
- package/scripts/audit-public-security-contact.mjs +171 -171
- package/scripts/audit-readme-docs.mjs +6 -4
- package/scripts/audit-recovery-readiness.mjs +98 -98
- package/scripts/audit-release-readiness.mjs +106 -106
- package/scripts/audit-release-trust.mjs +62 -62
- package/scripts/audit-remote-distribution.mjs +266 -266
- package/scripts/audit-roadmap-consistency.mjs +235 -235
- package/scripts/audit-signing.mjs +147 -147
- package/scripts/audit-state-freshness.mjs +14 -9
- package/scripts/audit-target-adoption-evidence.mjs +117 -117
- package/scripts/audit-target-project.mjs +507 -507
- package/scripts/audit-update-release-acceptance.mjs +136 -136
- package/scripts/audit-v1-target-validation.mjs +269 -269
- package/scripts/audit-validation-profiles.mjs +125 -125
- package/scripts/close-change.mjs +116 -116
- package/scripts/discover-project-profile.mjs +307 -307
- package/scripts/generate-command-adapter.mjs +231 -231
- package/scripts/generate-final-acceptance-packet.mjs +181 -181
- package/scripts/generate-final-form-progress-report.mjs +205 -205
- package/scripts/generate-host-runtime-evidence-handoff.mjs +206 -206
- package/scripts/generate-owner-external-gate-kit.mjs +295 -295
- package/scripts/generate-public-acceptance-handoff.mjs +168 -168
- package/scripts/generate-public-release-checklist.mjs +207 -207
- package/scripts/generate-release-bundle.mjs +505 -505
- package/scripts/generate-release-owner-action-plan.mjs +172 -172
- package/scripts/generate-release-status-manifest.mjs +200 -200
- package/scripts/generate-session-prompt.mjs +188 -188
- package/scripts/gse.mjs +67 -67
- package/scripts/init-change.mjs +265 -265
- package/scripts/init-project.mjs +785 -785
- package/scripts/install-gse.mjs +234 -234
- package/scripts/lib/evidence-placeholders.mjs +28 -28
- package/scripts/package-gse.mjs +174 -174
- package/scripts/probe-public-external-gates.mjs +167 -167
- package/scripts/record-host-invocation.mjs +151 -151
- package/scripts/record-public-channel-publication.mjs +178 -178
- package/scripts/record-public-ci-run.mjs +180 -180
- package/scripts/record-public-release.mjs +175 -175
- package/scripts/record-public-repository-settings.mjs +209 -209
- package/scripts/record-public-security-contact.mjs +157 -157
- package/scripts/sign-gse-package.mjs +83 -83
- package/scripts/update-project-state.mjs +223 -223
- package/scripts/verify-gse-package.mjs +85 -85
package/references/packaging.md
CHANGED
|
@@ -1,277 +1,277 @@
|
|
|
1
|
-
# Packaging And Maintenance
|
|
2
|
-
|
|
3
|
-
Use this when preparing GSE itself for handoff, update, local installation, or a versioned internal release.
|
|
4
|
-
|
|
5
|
-
Use `references/adoption-recipes.md` for applying or updating GSE inside a target project after the skill package itself is validated.
|
|
6
|
-
|
|
7
|
-
This is a packaging readiness guide, not a registry publication process. Do not claim marketplace distribution, host plugin support, signing, open-source license acceptance, or v1.0 acceptance unless that evidence exists. Use `references/public-release.md` before public GitHub, marketplace, catalog, registry, or external package handoff.
|
|
8
|
-
|
|
9
|
-
## Package Boundary
|
|
10
|
-
|
|
11
|
-
The GSE skill package includes:
|
|
12
|
-
|
|
13
|
-
- `package.json` as Node package metadata for local packing, CLI bin exposure, and future registry handoff.
|
|
14
|
-
- `SKILL.md` as the small entrypoint.
|
|
15
|
-
- `CHANGELOG.md` as the public-release change history and unsupported-claims boundary.
|
|
16
|
-
- `CONTRIBUTING.md`, `SECURITY.md`, and `SUPPORT.md` as public repository collaboration, vulnerability-reporting, and support boundaries.
|
|
17
|
-
- `.github/workflows/validate-gse.yml` as the portable GitHub Actions validation template for public repository use.
|
|
18
|
-
- `.github/PULL_REQUEST_TEMPLATE.md` and `.github/ISSUE_TEMPLATE/` as evidence-first public collaboration templates.
|
|
19
|
-
- `references/` as progressive-disclosure guidance.
|
|
20
|
-
- `scripts/` as repeatable audits, generators, discovery, validation, and forward-test probes.
|
|
21
|
-
- `assets/templates/` as reusable project artifacts.
|
|
22
|
-
- `assets/marketplace/` as portable discovery metadata for catalogs and marketplaces.
|
|
23
|
-
- `examples/` as lightweight adoption fixtures.
|
|
24
|
-
- `agents/openai.yaml` as optional host UI metadata.
|
|
25
|
-
- `.gse/` as the GSE self-development source of truth.
|
|
26
|
-
|
|
27
|
-
Do not package temporary output, command logs, screenshots, secrets, generated cache folders, `.learnings/`, or host-specific local credentials.
|
|
28
|
-
|
|
29
|
-
Generated package and release manifests must not expose the packager's local absolute source path. Keep local paths in command output only, not in distributable metadata.
|
|
30
|
-
|
|
31
|
-
## Version And Release Label
|
|
32
|
-
|
|
33
|
-
GSE currently uses an internal readiness label rather than a published semver package.
|
|
34
|
-
|
|
35
|
-
Release labels should use this format until a real package manager or registry exists:
|
|
36
|
-
|
|
37
|
-
```text
|
|
38
|
-
gse-internal-YYYY-MM-DD-N
|
|
39
|
-
```
|
|
40
|
-
|
|
41
|
-
Increment `N` for multiple release candidates on the same day.
|
|
42
|
-
|
|
43
|
-
Use semver only after there is a maintained distribution channel and backward-compatibility policy.
|
|
44
|
-
|
|
45
|
-
## Release Validation Gate
|
|
46
|
-
|
|
47
|
-
Before handing off or calling a GSE package release-ready, run:
|
|
48
|
-
|
|
49
|
-
```text
|
|
50
|
-
node <skill>/scripts/validate-gse.mjs --root <skill>
|
|
51
|
-
```
|
|
52
|
-
|
|
53
|
-
The release is not ready if validation fails, if the skill validator is skipped unexpectedly, or if a required evidence gate is only `result` when the release level requires `verified` or `accepted`.
|
|
54
|
-
|
|
55
|
-
`validate-gse.mjs` currently covers structural self-audit, project bootstrap smoke, fixture adoption, existing-repo adoption, host adapter generation, compatibility matrix, documented fixture forward-test, fresh-session readiness, local package/install distribution audit, remote URL distribution integrity audit, package signing and verification audit, release trust policy, public release metadata, release bundle generation, open-source repository readiness, CI workflow readiness, public collaboration templates, marketplace discovery metadata, host UI invocation readiness, skill metadata validation, and BOM scanning.
|
|
56
|
-
|
|
57
|
-
## Distribution Audit Profiles
|
|
58
|
-
|
|
59
|
-
Before public handoff or registry preparation, verify Node package metadata:
|
|
60
|
-
|
|
61
|
-
```text
|
|
62
|
-
node <skill>/scripts/audit-npm-package-metadata.mjs --root <skill> --json
|
|
63
|
-
node <skill>/scripts/audit-npm-tarball-install.mjs --root <skill> --json
|
|
64
|
-
node <skill>/scripts/audit-npm-publish-dry-run.mjs --root <skill> --json
|
|
65
|
-
npm pack --dry-run --json
|
|
66
|
-
```
|
|
67
|
-
|
|
68
|
-
The metadata audit proves package metadata and dry-run pack contents. The tarball install audit creates a real local npm tarball, installs it into a clean temporary consumer project, runs the installed `gse` bin, and runs an installed README audit. The publish dry-run audit checks npm publication metadata, CLI bin preservation, required runtime files, integrity fields, and harmful metadata auto-correction warnings. These checks do not publish to npm, reserve a package name, verify a public repository, or prove registry approval.
|
|
69
|
-
|
|
70
|
-
Use the right distribution profile for the claim:
|
|
71
|
-
|
|
72
|
-
```text
|
|
73
|
-
node <skill>/scripts/audit-distribution.mjs --root <skill> --profile smoke
|
|
74
|
-
node <skill>/scripts/audit-remote-distribution.mjs --root <skill> --profile smoke
|
|
75
|
-
node <skill>/scripts/validate-gse.mjs --root <skill> --distribution-profile smoke
|
|
76
|
-
```
|
|
77
|
-
|
|
78
|
-
`smoke` verifies package creation, install, installed entrypoints, CLI status, remote URL install, and remote integrity/tamper behavior. It skips the nested installed-copy `validate-gse` run.
|
|
79
|
-
|
|
80
|
-
Use `full` before release, package handoff, install/update claims, or when the installed copy itself must be validated:
|
|
81
|
-
|
|
82
|
-
```text
|
|
83
|
-
node <skill>/scripts/validate-gse.mjs --root <skill> --distribution-profile full
|
|
84
|
-
```
|
|
85
|
-
|
|
86
|
-
## CI Workflow Template
|
|
87
|
-
|
|
88
|
-
GSE includes a GitHub Actions workflow template at `.github/workflows/validate-gse.yml`.
|
|
89
|
-
|
|
90
|
-
The template runs:
|
|
91
|
-
|
|
92
|
-
```text
|
|
93
|
-
node scripts/validate-gse.mjs --root . --skip-skill-validator --json
|
|
94
|
-
node scripts/audit-final-readiness.mjs --root . --json
|
|
95
|
-
node scripts/audit-final-acceptance-packet.mjs --root . --json
|
|
96
|
-
```
|
|
97
|
-
|
|
98
|
-
Run the local CI readiness audit with:
|
|
99
|
-
|
|
100
|
-
```text
|
|
101
|
-
node <skill>/scripts/audit-ci-readiness.mjs --root <skill>
|
|
102
|
-
```
|
|
103
|
-
|
|
104
|
-
This verifies the workflow file, trigger coverage, Node setup, validation commands, and final-readiness boundary checks. It does not prove a real public GitHub Actions run, branch protection, required status checks, or marketplace CI policy.
|
|
105
|
-
|
|
106
|
-
## Release Bundle
|
|
107
|
-
|
|
108
|
-
Use a release bundle when handing GSE to another host, another repository, or a maintainer who needs the install commands, validation checklist, public-release record, and unsupported-claims boundary in one directory:
|
|
109
|
-
|
|
110
|
-
```text
|
|
111
|
-
node <skill>/scripts/generate-release-bundle.mjs --root <skill> --label <release-label> --out <bundle-dir>
|
|
112
|
-
```
|
|
113
|
-
|
|
114
|
-
For a focused bundle check, run:
|
|
115
|
-
|
|
116
|
-
```text
|
|
117
|
-
node <skill>/scripts/audit-release-bundle.mjs --root <skill>
|
|
118
|
-
```
|
|
119
|
-
|
|
120
|
-
This verifies that the bundle contains a release summary, install commands, validation checklist, public-release record, handoff files, manifest, and owner action plan. The bundle generator creates a fresh release status manifest and owner action plan during bundle creation instead of trusting stale cached acceptance files. The audit writes to an isolated temporary directory so it does not mutate the canonical release bundle path during validation. It still does not publish GSE, choose a license, approve a marketplace listing, or prove host-native slash-command support.
|
|
121
|
-
|
|
122
|
-
## Release Status Manifest
|
|
123
|
-
|
|
124
|
-
Use the release status manifest when another host, CI job, marketplace checklist, or maintainer needs a machine-readable summary of GSE readiness:
|
|
125
|
-
|
|
126
|
-
```text
|
|
127
|
-
node <skill>/scripts/generate-release-status-manifest.mjs --root <skill> --out <skill>/.gse/acceptance/release-status-manifest.json --force
|
|
128
|
-
node <skill>/scripts/audit-release-status-manifest.mjs --root <skill>
|
|
129
|
-
```
|
|
130
|
-
|
|
131
|
-
The manifest summarizes verified rows, owner-required rows, external-required rows, install/distribution status, public acceptance gates, host runtime evidence counts, host runtime fixture drill status, and verification commands. It is generated from current audits and records; it does not create owner decisions, external publication, public CI, marketplace approval, or native slash-command evidence.
|
|
132
|
-
|
|
133
|
-
## Release Owner Action Plan
|
|
134
|
-
|
|
135
|
-
Use the owner action plan when a human owner or maintainer needs the next concrete public-release actions grouped by responsible party:
|
|
136
|
-
|
|
137
|
-
```text
|
|
138
|
-
node <skill>/scripts/generate-release-owner-action-plan.mjs --root <skill> --force --json
|
|
139
|
-
node <skill>/scripts/audit-release-owner-action-plan.mjs --root <skill> --json
|
|
140
|
-
node <skill>/scripts/audit-release-owner-action-plan-drill.mjs --root <skill> --json
|
|
141
|
-
```
|
|
142
|
-
|
|
143
|
-
The plan is generated from `.gse/acceptance/release-status-manifest.json`. It groups pending gates by project owner, repository owner, external CI, external registry, external marketplace, and host runtime. It includes the record command and required evidence for each gate. It does not select a license, configure a repository, run public CI, publish a package, approve a marketplace listing, or prove native slash-command support.
|
|
144
|
-
|
|
145
|
-
The drill runs the plan path in a temporary fixture: it generates the manifest and plan, creates accepted fixture records for every owner/external gate family, verifies final readiness promotes to `publicAccepted: verified`, verifies the public acceptance doctor reports zero pending gates, and then removes the fixture. This proves the workflow mechanics without claiming real public acceptance.
|
|
146
|
-
|
|
147
|
-
## Local Package And Install
|
|
148
|
-
|
|
149
|
-
Use this path before claiming GSE can be copied or installed outside its current development folder:
|
|
150
|
-
|
|
151
|
-
```text
|
|
152
|
-
node <skill>/scripts/package-gse.mjs --root <skill> --out <package-dir> --label <release-label>
|
|
153
|
-
node <skill>/scripts/install-gse.mjs --source <package-dir> --target <install-skill-dir>
|
|
154
|
-
node <install-skill-dir>/scripts/validate-gse.mjs --root <install-skill-dir> --skip-skill-validator --skip-distribution --skip-completion-readiness
|
|
155
|
-
```
|
|
156
|
-
|
|
157
|
-
For a one-command local distribution proof, run:
|
|
158
|
-
|
|
159
|
-
```text
|
|
160
|
-
node <skill>/scripts/audit-distribution.mjs --root <skill>
|
|
161
|
-
```
|
|
162
|
-
|
|
163
|
-
This proves file-based packaging, install, and installed-copy validation. It still does not prove registry publication, remote-machine install, signing, shell completion, or marketplace discovery.
|
|
164
|
-
|
|
165
|
-
## Remote URL Install And Integrity
|
|
166
|
-
|
|
167
|
-
GSE packages include a `gse-package-manifest.json` with `sha256` hashes for packaged files.
|
|
168
|
-
|
|
169
|
-
Install from a URL-shaped package source with:
|
|
170
|
-
|
|
171
|
-
```text
|
|
172
|
-
node <skill>/scripts/install-gse.mjs --source-url <file-or-http-package-url> --target <install-skill-dir>
|
|
173
|
-
```
|
|
174
|
-
|
|
175
|
-
Run the focused remote distribution audit with:
|
|
176
|
-
|
|
177
|
-
```text
|
|
178
|
-
node <skill>/scripts/audit-remote-distribution.mjs --root <skill>
|
|
179
|
-
```
|
|
180
|
-
|
|
181
|
-
This starts a temporary HTTP package source, installs from `--source-url`, validates the installed copy, then tampers with a package file to verify the integrity gate fails. It proves URL install and manifest integrity behavior locally. It still does not prove public registry publication, trusted signing, marketplace discovery, or remote-machine network conditions.
|
|
182
|
-
|
|
183
|
-
## Signing And Verification
|
|
184
|
-
|
|
185
|
-
Use Ed25519 signing when a package needs tamper evidence beyond raw file hashes:
|
|
186
|
-
|
|
187
|
-
```text
|
|
188
|
-
node <skill>/scripts/sign-gse-package.mjs --package <package-dir> --private-key <private.pem> --public-key <public.pem>
|
|
189
|
-
node <skill>/scripts/verify-gse-package.mjs --package <package-dir> --public-key <public.pem>
|
|
190
|
-
node <skill>/scripts/install-gse.mjs --source <package-dir> --target <install-skill-dir> --public-key <public.pem>
|
|
191
|
-
```
|
|
192
|
-
|
|
193
|
-
For local audit keys only:
|
|
194
|
-
|
|
195
|
-
```text
|
|
196
|
-
node <skill>/scripts/sign-gse-package.mjs --package <package-dir> --private-key <private.pem> --public-key <public.pem> --generate-key
|
|
197
|
-
```
|
|
198
|
-
|
|
199
|
-
Run the focused signing audit with:
|
|
200
|
-
|
|
201
|
-
```text
|
|
202
|
-
node <skill>/scripts/audit-signing.mjs --root <skill>
|
|
203
|
-
```
|
|
204
|
-
|
|
205
|
-
This proves signing mechanics, signature verification, signed install, and tamper rejection. It does not prove maintainer identity, public key custody, transparency logs, marketplace trust, or a production release policy.
|
|
206
|
-
|
|
207
|
-
For public or shared releases, also complete `references/release-trust.md` and `assets/templates/release-trust-record.md`. This is the Release Trust record for the package. A package can be signed and verified without being trusted; trusted release status requires owner acceptance, public key fingerprint publication, custody rules, rotation policy, and revocation path.
|
|
208
|
-
|
|
209
|
-
For public open-source releases, also complete `references/public-release.md` and `assets/templates/public-release-record.md`. GSE must not choose a license by guessing; accepted public release requires an owner-selected license or an explicit `not-public` decision.
|
|
210
|
-
|
|
211
|
-
## Marketplace Discovery
|
|
212
|
-
|
|
213
|
-
Use `references/marketplace-discovery.md` and `assets/marketplace/gse-listing.json` when preparing a public listing, catalog entry, plugin page, or marketplace submission.
|
|
214
|
-
|
|
215
|
-
Run:
|
|
216
|
-
|
|
217
|
-
```text
|
|
218
|
-
node <skill>/scripts/audit-marketplace-discovery.mjs --root <skill> --json
|
|
219
|
-
```
|
|
220
|
-
|
|
221
|
-
This verifies local discovery metadata and search-language fit. It does not prove marketplace approval, public search indexing, registry publication, maintainer identity, or host-native installation.
|
|
222
|
-
|
|
223
|
-
## Release Notes
|
|
224
|
-
|
|
225
|
-
Use `references/release.md` as the general release policy. For GSE skill releases, keep notes short:
|
|
226
|
-
|
|
227
|
-
```text
|
|
228
|
-
Release label:
|
|
229
|
-
Date:
|
|
230
|
-
Readiness: not ready | result | verified | accepted
|
|
231
|
-
Changed:
|
|
232
|
-
Validation:
|
|
233
|
-
Compatibility impact:
|
|
234
|
-
Migration or rollback:
|
|
235
|
-
Known risks:
|
|
236
|
-
Follow-up slices:
|
|
237
|
-
```
|
|
238
|
-
|
|
239
|
-
Rules:
|
|
240
|
-
|
|
241
|
-
- Link to `.gse/evidence/YYYY-MM-DD.md` instead of pasting long command output.
|
|
242
|
-
- Separate user-facing workflow changes from internal script/refactoring changes.
|
|
243
|
-
- Mark unavailable or unverified host tools honestly.
|
|
244
|
-
- Keep true fresh-session acceptance separate from fresh-session readiness.
|
|
245
|
-
|
|
246
|
-
## Install Or Update Handoff
|
|
247
|
-
|
|
248
|
-
For a local handoff, provide:
|
|
249
|
-
|
|
250
|
-
- Skill path: `<install-skill-dir>` or the target install path.
|
|
251
|
-
- Release label or date.
|
|
252
|
-
- Validation command and latest result.
|
|
253
|
-
- Evidence log path.
|
|
254
|
-
- Known residual risks.
|
|
255
|
-
- Next slice from `.gse/current-slice.md`.
|
|
256
|
-
|
|
257
|
-
For project-local GSE updates or release-readiness changes, use `assets/templates/update-release-acceptance-record.md` to preserve local decisions, changed files, commands run, rollback notes, owner gate, accepted-by status, and residual risks.
|
|
258
|
-
|
|
259
|
-
If copying GSE to another machine or host, run validation after copy and record the result in that environment. Host-specific capabilities remain `unknown` until checked there.
|
|
260
|
-
|
|
261
|
-
## Rollback
|
|
262
|
-
|
|
263
|
-
For low-risk GSE documentation/script changes, rollback is file-level revert of the touched artifacts plus re-running `validate-gse.mjs`.
|
|
264
|
-
|
|
265
|
-
For scaffold, generator, or template changes that may affect downstream projects, also record:
|
|
266
|
-
|
|
267
|
-
- Which generated files or adapters may need regeneration.
|
|
268
|
-
- Whether existing project `.gse/` folders are compatible.
|
|
269
|
-
- Whether host adapters need manual review.
|
|
270
|
-
|
|
271
|
-
## Readiness Status
|
|
272
|
-
|
|
273
|
-
- `result`: packaging notes or release artifacts exist.
|
|
274
|
-
- `verified`: `validate-gse.mjs` passes and release notes identify residual risks.
|
|
275
|
-
- `accepted`: required owner, fresh-session, release policy, or distribution gate accepts the release.
|
|
276
|
-
|
|
277
|
-
Do not call a release accepted only because local validation passed unless the current release policy explicitly says local validation is sufficient.
|
|
1
|
+
# Packaging And Maintenance
|
|
2
|
+
|
|
3
|
+
Use this when preparing GSE itself for handoff, update, local installation, or a versioned internal release.
|
|
4
|
+
|
|
5
|
+
Use `references/adoption-recipes.md` for applying or updating GSE inside a target project after the skill package itself is validated.
|
|
6
|
+
|
|
7
|
+
This is a packaging readiness guide, not a registry publication process. Do not claim marketplace distribution, host plugin support, signing, open-source license acceptance, or v1.0 acceptance unless that evidence exists. Use `references/public-release.md` before public GitHub, marketplace, catalog, registry, or external package handoff.
|
|
8
|
+
|
|
9
|
+
## Package Boundary
|
|
10
|
+
|
|
11
|
+
The GSE skill package includes:
|
|
12
|
+
|
|
13
|
+
- `package.json` as Node package metadata for local packing, CLI bin exposure, and future registry handoff.
|
|
14
|
+
- `SKILL.md` as the small entrypoint.
|
|
15
|
+
- `CHANGELOG.md` as the public-release change history and unsupported-claims boundary.
|
|
16
|
+
- `CONTRIBUTING.md`, `SECURITY.md`, and `SUPPORT.md` as public repository collaboration, vulnerability-reporting, and support boundaries.
|
|
17
|
+
- `.github/workflows/validate-gse.yml` as the portable GitHub Actions validation template for public repository use.
|
|
18
|
+
- `.github/PULL_REQUEST_TEMPLATE.md` and `.github/ISSUE_TEMPLATE/` as evidence-first public collaboration templates.
|
|
19
|
+
- `references/` as progressive-disclosure guidance.
|
|
20
|
+
- `scripts/` as repeatable audits, generators, discovery, validation, and forward-test probes.
|
|
21
|
+
- `assets/templates/` as reusable project artifacts.
|
|
22
|
+
- `assets/marketplace/` as portable discovery metadata for catalogs and marketplaces.
|
|
23
|
+
- `examples/` as lightweight adoption fixtures.
|
|
24
|
+
- `agents/openai.yaml` as optional host UI metadata.
|
|
25
|
+
- `.gse/` as the GSE self-development source of truth.
|
|
26
|
+
|
|
27
|
+
Do not package temporary output, command logs, screenshots, secrets, generated cache folders, `.learnings/`, or host-specific local credentials.
|
|
28
|
+
|
|
29
|
+
Generated package and release manifests must not expose the packager's local absolute source path. Keep local paths in command output only, not in distributable metadata.
|
|
30
|
+
|
|
31
|
+
## Version And Release Label
|
|
32
|
+
|
|
33
|
+
GSE currently uses an internal readiness label rather than a published semver package.
|
|
34
|
+
|
|
35
|
+
Release labels should use this format until a real package manager or registry exists:
|
|
36
|
+
|
|
37
|
+
```text
|
|
38
|
+
gse-internal-YYYY-MM-DD-N
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
Increment `N` for multiple release candidates on the same day.
|
|
42
|
+
|
|
43
|
+
Use semver only after there is a maintained distribution channel and backward-compatibility policy.
|
|
44
|
+
|
|
45
|
+
## Release Validation Gate
|
|
46
|
+
|
|
47
|
+
Before handing off or calling a GSE package release-ready, run:
|
|
48
|
+
|
|
49
|
+
```text
|
|
50
|
+
node <skill>/scripts/validate-gse.mjs --root <skill>
|
|
51
|
+
```
|
|
52
|
+
|
|
53
|
+
The release is not ready if validation fails, if the skill validator is skipped unexpectedly, or if a required evidence gate is only `result` when the release level requires `verified` or `accepted`.
|
|
54
|
+
|
|
55
|
+
`validate-gse.mjs` currently covers structural self-audit, project bootstrap smoke, fixture adoption, existing-repo adoption, host adapter generation, compatibility matrix, documented fixture forward-test, fresh-session readiness, local package/install distribution audit, remote URL distribution integrity audit, package signing and verification audit, release trust policy, public release metadata, release bundle generation, open-source repository readiness, CI workflow readiness, public collaboration templates, marketplace discovery metadata, host UI invocation readiness, skill metadata validation, and BOM scanning.
|
|
56
|
+
|
|
57
|
+
## Distribution Audit Profiles
|
|
58
|
+
|
|
59
|
+
Before public handoff or registry preparation, verify Node package metadata:
|
|
60
|
+
|
|
61
|
+
```text
|
|
62
|
+
node <skill>/scripts/audit-npm-package-metadata.mjs --root <skill> --json
|
|
63
|
+
node <skill>/scripts/audit-npm-tarball-install.mjs --root <skill> --json
|
|
64
|
+
node <skill>/scripts/audit-npm-publish-dry-run.mjs --root <skill> --json
|
|
65
|
+
npm pack --dry-run --json
|
|
66
|
+
```
|
|
67
|
+
|
|
68
|
+
The metadata audit proves package metadata and dry-run pack contents. The tarball install audit creates a real local npm tarball, installs it into a clean temporary consumer project, runs the installed `gse` bin, and runs an installed README audit. The publish dry-run audit checks npm publication metadata, CLI bin preservation, required runtime files, integrity fields, and harmful metadata auto-correction warnings. These checks do not publish to npm, reserve a package name, verify a public repository, or prove registry approval.
|
|
69
|
+
|
|
70
|
+
Use the right distribution profile for the claim:
|
|
71
|
+
|
|
72
|
+
```text
|
|
73
|
+
node <skill>/scripts/audit-distribution.mjs --root <skill> --profile smoke
|
|
74
|
+
node <skill>/scripts/audit-remote-distribution.mjs --root <skill> --profile smoke
|
|
75
|
+
node <skill>/scripts/validate-gse.mjs --root <skill> --distribution-profile smoke
|
|
76
|
+
```
|
|
77
|
+
|
|
78
|
+
`smoke` verifies package creation, install, installed entrypoints, CLI status, remote URL install, and remote integrity/tamper behavior. It skips the nested installed-copy `validate-gse` run.
|
|
79
|
+
|
|
80
|
+
Use `full` before release, package handoff, install/update claims, or when the installed copy itself must be validated:
|
|
81
|
+
|
|
82
|
+
```text
|
|
83
|
+
node <skill>/scripts/validate-gse.mjs --root <skill> --distribution-profile full
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
## CI Workflow Template
|
|
87
|
+
|
|
88
|
+
GSE includes a GitHub Actions workflow template at `.github/workflows/validate-gse.yml`.
|
|
89
|
+
|
|
90
|
+
The template runs:
|
|
91
|
+
|
|
92
|
+
```text
|
|
93
|
+
node scripts/validate-gse.mjs --root . --skip-skill-validator --json
|
|
94
|
+
node scripts/audit-final-readiness.mjs --root . --json
|
|
95
|
+
node scripts/audit-final-acceptance-packet.mjs --root . --json
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
Run the local CI readiness audit with:
|
|
99
|
+
|
|
100
|
+
```text
|
|
101
|
+
node <skill>/scripts/audit-ci-readiness.mjs --root <skill>
|
|
102
|
+
```
|
|
103
|
+
|
|
104
|
+
This verifies the workflow file, trigger coverage, Node setup, validation commands, and final-readiness boundary checks. It does not prove a real public GitHub Actions run, branch protection, required status checks, or marketplace CI policy.
|
|
105
|
+
|
|
106
|
+
## Release Bundle
|
|
107
|
+
|
|
108
|
+
Use a release bundle when handing GSE to another host, another repository, or a maintainer who needs the install commands, validation checklist, public-release record, and unsupported-claims boundary in one directory:
|
|
109
|
+
|
|
110
|
+
```text
|
|
111
|
+
node <skill>/scripts/generate-release-bundle.mjs --root <skill> --label <release-label> --out <bundle-dir>
|
|
112
|
+
```
|
|
113
|
+
|
|
114
|
+
For a focused bundle check, run:
|
|
115
|
+
|
|
116
|
+
```text
|
|
117
|
+
node <skill>/scripts/audit-release-bundle.mjs --root <skill>
|
|
118
|
+
```
|
|
119
|
+
|
|
120
|
+
This verifies that the bundle contains a release summary, install commands, validation checklist, public-release record, handoff files, manifest, and owner action plan. The bundle generator creates a fresh release status manifest and owner action plan during bundle creation instead of trusting stale cached acceptance files. The audit writes to an isolated temporary directory so it does not mutate the canonical release bundle path during validation. It still does not publish GSE, choose a license, approve a marketplace listing, or prove host-native slash-command support.
|
|
121
|
+
|
|
122
|
+
## Release Status Manifest
|
|
123
|
+
|
|
124
|
+
Use the release status manifest when another host, CI job, marketplace checklist, or maintainer needs a machine-readable summary of GSE readiness:
|
|
125
|
+
|
|
126
|
+
```text
|
|
127
|
+
node <skill>/scripts/generate-release-status-manifest.mjs --root <skill> --out <skill>/.gse/acceptance/release-status-manifest.json --force
|
|
128
|
+
node <skill>/scripts/audit-release-status-manifest.mjs --root <skill>
|
|
129
|
+
```
|
|
130
|
+
|
|
131
|
+
The manifest summarizes verified rows, owner-required rows, external-required rows, install/distribution status, public acceptance gates, host runtime evidence counts, host runtime fixture drill status, and verification commands. It is generated from current audits and records; it does not create owner decisions, external publication, public CI, marketplace approval, or native slash-command evidence.
|
|
132
|
+
|
|
133
|
+
## Release Owner Action Plan
|
|
134
|
+
|
|
135
|
+
Use the owner action plan when a human owner or maintainer needs the next concrete public-release actions grouped by responsible party:
|
|
136
|
+
|
|
137
|
+
```text
|
|
138
|
+
node <skill>/scripts/generate-release-owner-action-plan.mjs --root <skill> --force --json
|
|
139
|
+
node <skill>/scripts/audit-release-owner-action-plan.mjs --root <skill> --json
|
|
140
|
+
node <skill>/scripts/audit-release-owner-action-plan-drill.mjs --root <skill> --json
|
|
141
|
+
```
|
|
142
|
+
|
|
143
|
+
The plan is generated from `.gse/acceptance/release-status-manifest.json`. It groups pending gates by project owner, repository owner, external CI, external registry, external marketplace, and host runtime. It includes the record command and required evidence for each gate. It does not select a license, configure a repository, run public CI, publish a package, approve a marketplace listing, or prove native slash-command support.
|
|
144
|
+
|
|
145
|
+
The drill runs the plan path in a temporary fixture: it generates the manifest and plan, creates accepted fixture records for every owner/external gate family, verifies final readiness promotes to `publicAccepted: verified`, verifies the public acceptance doctor reports zero pending gates, and then removes the fixture. This proves the workflow mechanics without claiming real public acceptance.
|
|
146
|
+
|
|
147
|
+
## Local Package And Install
|
|
148
|
+
|
|
149
|
+
Use this path before claiming GSE can be copied or installed outside its current development folder:
|
|
150
|
+
|
|
151
|
+
```text
|
|
152
|
+
node <skill>/scripts/package-gse.mjs --root <skill> --out <package-dir> --label <release-label>
|
|
153
|
+
node <skill>/scripts/install-gse.mjs --source <package-dir> --target <install-skill-dir>
|
|
154
|
+
node <install-skill-dir>/scripts/validate-gse.mjs --root <install-skill-dir> --skip-skill-validator --skip-distribution --skip-completion-readiness
|
|
155
|
+
```
|
|
156
|
+
|
|
157
|
+
For a one-command local distribution proof, run:
|
|
158
|
+
|
|
159
|
+
```text
|
|
160
|
+
node <skill>/scripts/audit-distribution.mjs --root <skill>
|
|
161
|
+
```
|
|
162
|
+
|
|
163
|
+
This proves file-based packaging, install, and installed-copy validation. It still does not prove registry publication, remote-machine install, signing, shell completion, or marketplace discovery.
|
|
164
|
+
|
|
165
|
+
## Remote URL Install And Integrity
|
|
166
|
+
|
|
167
|
+
GSE packages include a `gse-package-manifest.json` with `sha256` hashes for packaged files.
|
|
168
|
+
|
|
169
|
+
Install from a URL-shaped package source with:
|
|
170
|
+
|
|
171
|
+
```text
|
|
172
|
+
node <skill>/scripts/install-gse.mjs --source-url <file-or-http-package-url> --target <install-skill-dir>
|
|
173
|
+
```
|
|
174
|
+
|
|
175
|
+
Run the focused remote distribution audit with:
|
|
176
|
+
|
|
177
|
+
```text
|
|
178
|
+
node <skill>/scripts/audit-remote-distribution.mjs --root <skill>
|
|
179
|
+
```
|
|
180
|
+
|
|
181
|
+
This starts a temporary HTTP package source, installs from `--source-url`, validates the installed copy, then tampers with a package file to verify the integrity gate fails. It proves URL install and manifest integrity behavior locally. It still does not prove public registry publication, trusted signing, marketplace discovery, or remote-machine network conditions.
|
|
182
|
+
|
|
183
|
+
## Signing And Verification
|
|
184
|
+
|
|
185
|
+
Use Ed25519 signing when a package needs tamper evidence beyond raw file hashes:
|
|
186
|
+
|
|
187
|
+
```text
|
|
188
|
+
node <skill>/scripts/sign-gse-package.mjs --package <package-dir> --private-key <private.pem> --public-key <public.pem>
|
|
189
|
+
node <skill>/scripts/verify-gse-package.mjs --package <package-dir> --public-key <public.pem>
|
|
190
|
+
node <skill>/scripts/install-gse.mjs --source <package-dir> --target <install-skill-dir> --public-key <public.pem>
|
|
191
|
+
```
|
|
192
|
+
|
|
193
|
+
For local audit keys only:
|
|
194
|
+
|
|
195
|
+
```text
|
|
196
|
+
node <skill>/scripts/sign-gse-package.mjs --package <package-dir> --private-key <private.pem> --public-key <public.pem> --generate-key
|
|
197
|
+
```
|
|
198
|
+
|
|
199
|
+
Run the focused signing audit with:
|
|
200
|
+
|
|
201
|
+
```text
|
|
202
|
+
node <skill>/scripts/audit-signing.mjs --root <skill>
|
|
203
|
+
```
|
|
204
|
+
|
|
205
|
+
This proves signing mechanics, signature verification, signed install, and tamper rejection. It does not prove maintainer identity, public key custody, transparency logs, marketplace trust, or a production release policy.
|
|
206
|
+
|
|
207
|
+
For public or shared releases, also complete `references/release-trust.md` and `assets/templates/release-trust-record.md`. This is the Release Trust record for the package. A package can be signed and verified without being trusted; trusted release status requires owner acceptance, public key fingerprint publication, custody rules, rotation policy, and revocation path.
|
|
208
|
+
|
|
209
|
+
For public open-source releases, also complete `references/public-release.md` and `assets/templates/public-release-record.md`. GSE must not choose a license by guessing; accepted public release requires an owner-selected license or an explicit `not-public` decision.
|
|
210
|
+
|
|
211
|
+
## Marketplace Discovery
|
|
212
|
+
|
|
213
|
+
Use `references/marketplace-discovery.md` and `assets/marketplace/gse-listing.json` when preparing a public listing, catalog entry, plugin page, or marketplace submission.
|
|
214
|
+
|
|
215
|
+
Run:
|
|
216
|
+
|
|
217
|
+
```text
|
|
218
|
+
node <skill>/scripts/audit-marketplace-discovery.mjs --root <skill> --json
|
|
219
|
+
```
|
|
220
|
+
|
|
221
|
+
This verifies local discovery metadata and search-language fit. It does not prove marketplace approval, public search indexing, registry publication, maintainer identity, or host-native installation.
|
|
222
|
+
|
|
223
|
+
## Release Notes
|
|
224
|
+
|
|
225
|
+
Use `references/release.md` as the general release policy. For GSE skill releases, keep notes short:
|
|
226
|
+
|
|
227
|
+
```text
|
|
228
|
+
Release label:
|
|
229
|
+
Date:
|
|
230
|
+
Readiness: not ready | result | verified | accepted
|
|
231
|
+
Changed:
|
|
232
|
+
Validation:
|
|
233
|
+
Compatibility impact:
|
|
234
|
+
Migration or rollback:
|
|
235
|
+
Known risks:
|
|
236
|
+
Follow-up slices:
|
|
237
|
+
```
|
|
238
|
+
|
|
239
|
+
Rules:
|
|
240
|
+
|
|
241
|
+
- Link to `.gse/evidence/YYYY-MM-DD.md` instead of pasting long command output.
|
|
242
|
+
- Separate user-facing workflow changes from internal script/refactoring changes.
|
|
243
|
+
- Mark unavailable or unverified host tools honestly.
|
|
244
|
+
- Keep true fresh-session acceptance separate from fresh-session readiness.
|
|
245
|
+
|
|
246
|
+
## Install Or Update Handoff
|
|
247
|
+
|
|
248
|
+
For a local handoff, provide:
|
|
249
|
+
|
|
250
|
+
- Skill path: `<install-skill-dir>` or the target install path.
|
|
251
|
+
- Release label or date.
|
|
252
|
+
- Validation command and latest result.
|
|
253
|
+
- Evidence log path.
|
|
254
|
+
- Known residual risks.
|
|
255
|
+
- Next slice from `.gse/current-slice.md`.
|
|
256
|
+
|
|
257
|
+
For project-local GSE updates or release-readiness changes, use `assets/templates/update-release-acceptance-record.md` to preserve local decisions, changed files, commands run, rollback notes, owner gate, accepted-by status, and residual risks.
|
|
258
|
+
|
|
259
|
+
If copying GSE to another machine or host, run validation after copy and record the result in that environment. Host-specific capabilities remain `unknown` until checked there.
|
|
260
|
+
|
|
261
|
+
## Rollback
|
|
262
|
+
|
|
263
|
+
For low-risk GSE documentation/script changes, rollback is file-level revert of the touched artifacts plus re-running `validate-gse.mjs`.
|
|
264
|
+
|
|
265
|
+
For scaffold, generator, or template changes that may affect downstream projects, also record:
|
|
266
|
+
|
|
267
|
+
- Which generated files or adapters may need regeneration.
|
|
268
|
+
- Whether existing project `.gse/` folders are compatible.
|
|
269
|
+
- Whether host adapters need manual review.
|
|
270
|
+
|
|
271
|
+
## Readiness Status
|
|
272
|
+
|
|
273
|
+
- `result`: packaging notes or release artifacts exist.
|
|
274
|
+
- `verified`: `validate-gse.mjs` passes and release notes identify residual risks.
|
|
275
|
+
- `accepted`: required owner, fresh-session, release policy, or distribution gate accepts the release.
|
|
276
|
+
|
|
277
|
+
Do not call a release accepted only because local validation passed unless the current release policy explicitly says local validation is sufficient.
|