@t275005746/gse 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (180) hide show
  1. package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -42
  2. package/.github/ISSUE_TEMPLATE/change_request.yml +50 -50
  3. package/.github/ISSUE_TEMPLATE/config.yml +5 -5
  4. package/.github/PULL_REQUEST_TEMPLATE.md +38 -38
  5. package/.github/workflows/validate-gse.yml +33 -33
  6. package/.gse/README.md +18 -18
  7. package/.gse/gse-development-protocol.md +50 -50
  8. package/.gse/project-profile.md +29 -29
  9. package/.gse/quality-gates.md +25 -25
  10. package/.gse/releases/public-registry-publication-npm.md +49 -0
  11. package/.gse/releases/public-release-owner-required.md +65 -65
  12. package/.gse/releases/public-security-contact-owner-required.md +45 -45
  13. package/.gse/state.json +3 -4
  14. package/CHANGELOG.md +24 -24
  15. package/CONTRIBUTING.md +64 -64
  16. package/LICENSE +21 -21
  17. package/README.md +1 -1
  18. package/README.zh-CN.md +1 -1
  19. package/SECURITY.md +41 -41
  20. package/SUPPORT.md +38 -38
  21. package/assets/marketplace/README.md +7 -7
  22. package/assets/marketplace/gse-listing.json +75 -75
  23. package/assets/templates/acceptance-execution-packet.md +73 -73
  24. package/assets/templates/adr.md +14 -14
  25. package/assets/templates/change-brief.md +16 -16
  26. package/assets/templates/design.md +18 -18
  27. package/assets/templates/dispatch-packet.md +104 -104
  28. package/assets/templates/evidence.md +14 -14
  29. package/assets/templates/execution-quality-pack.md +65 -65
  30. package/assets/templates/goal-map.md +21 -21
  31. package/assets/templates/host-adapter.md +48 -48
  32. package/assets/templates/host-ui-invocation-record.md +42 -42
  33. package/assets/templates/incident-review.md +60 -60
  34. package/assets/templates/public-channel-publication-record.md +49 -49
  35. package/assets/templates/public-ci-run-record.md +53 -53
  36. package/assets/templates/public-release-record.md +65 -65
  37. package/assets/templates/public-repository-settings-record.md +59 -59
  38. package/assets/templates/public-security-contact-record.md +45 -45
  39. package/assets/templates/release-trust-record.md +32 -32
  40. package/assets/templates/review.md +18 -18
  41. package/assets/templates/spec.md +16 -16
  42. package/assets/templates/target-adoption-evidence.md +29 -29
  43. package/assets/templates/tasks.md +17 -17
  44. package/assets/templates/update-release-acceptance-record.md +58 -58
  45. package/examples/README.md +22 -22
  46. package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -6
  47. package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -7
  48. package/examples/agent-runtime-host/.gse/goal-map.md +7 -7
  49. package/examples/agent-runtime-host/.gse/project-profile.md +27 -27
  50. package/examples/agent-runtime-host/.gse/tooling.md +5 -5
  51. package/examples/agent-runtime-host/.mcp.json +9 -9
  52. package/examples/agent-runtime-host/AGENTS.md +5 -5
  53. package/examples/agent-runtime-host/README.md +10 -10
  54. package/examples/agent-runtime-host/docs/model-routing.md +5 -5
  55. package/examples/cli-tool/.gse/project-profile.md +21 -21
  56. package/examples/cli-tool/AGENTS.md +5 -5
  57. package/examples/cli-tool/README.md +12 -12
  58. package/examples/cli-tool/package.json +21 -21
  59. package/examples/small-app/.env.example +2 -2
  60. package/examples/small-app/.github/workflows/ci.yml +8 -8
  61. package/examples/small-app/AGENTS.md +5 -5
  62. package/examples/small-app/README.md +12 -12
  63. package/examples/small-app/package.json +26 -26
  64. package/examples/small-app/playwright.config.ts +4 -4
  65. package/package.json +53 -53
  66. package/references/adoption-recipes.md +171 -171
  67. package/references/agent-roles.md +49 -49
  68. package/references/architecture-health.md +101 -101
  69. package/references/benchmark-audit.md +73 -73
  70. package/references/community-channels.md +46 -46
  71. package/references/compatibility.md +70 -70
  72. package/references/design-basis.md +38 -38
  73. package/references/domain-model.md +129 -129
  74. package/references/domain-quality-gates.md +75 -75
  75. package/references/drift-audit.md +81 -81
  76. package/references/evidence-taxonomy.md +123 -123
  77. package/references/file-ownership.md +107 -107
  78. package/references/final-readiness.md +84 -84
  79. package/references/forward-test.md +133 -133
  80. package/references/goal-map.md +36 -36
  81. package/references/host-adapters.md +119 -119
  82. package/references/learning-system.md +35 -35
  83. package/references/marketplace-discovery.md +46 -46
  84. package/references/model-routing.md +103 -103
  85. package/references/open-source-defaults.md +39 -39
  86. package/references/operating-model.md +52 -52
  87. package/references/packaging.md +277 -277
  88. package/references/project-agent-workspace.md +89 -89
  89. package/references/project-bootstrap.md +122 -122
  90. package/references/project-profile.md +57 -57
  91. package/references/public-release.md +174 -174
  92. package/references/quality-gates.md +100 -100
  93. package/references/recovery.md +176 -176
  94. package/references/release-trust.md +43 -43
  95. package/references/release.md +126 -126
  96. package/references/review.md +141 -141
  97. package/references/router.md +90 -90
  98. package/references/spec-workflow.md +66 -66
  99. package/references/task-levels.md +81 -81
  100. package/references/tool-adapters.md +73 -73
  101. package/scripts/audit-acceptance-execution-packet.mjs +133 -133
  102. package/scripts/audit-adoption-recipes.mjs +99 -99
  103. package/scripts/audit-change-lifecycle.mjs +77 -77
  104. package/scripts/audit-change-system.mjs +134 -134
  105. package/scripts/audit-ci-readiness.mjs +107 -107
  106. package/scripts/audit-close-gate.mjs +323 -323
  107. package/scripts/audit-command-adapters.mjs +91 -91
  108. package/scripts/audit-command-execution.mjs +210 -210
  109. package/scripts/audit-compatibility.mjs +149 -149
  110. package/scripts/audit-completion-readiness.mjs +292 -292
  111. package/scripts/audit-distribution.mjs +251 -251
  112. package/scripts/audit-domain-quality-gates.mjs +108 -108
  113. package/scripts/audit-evidence-placeholders.mjs +126 -126
  114. package/scripts/audit-final-readiness-promotion.mjs +255 -255
  115. package/scripts/audit-final-readiness.mjs +226 -226
  116. package/scripts/audit-fixtures.mjs +154 -154
  117. package/scripts/audit-fresh-session-readiness.mjs +177 -177
  118. package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -159
  119. package/scripts/audit-host-runtime-invocation-drill.mjs +240 -240
  120. package/scripts/audit-host-runtime-invocations.mjs +254 -254
  121. package/scripts/audit-host-ui-invocation.mjs +132 -132
  122. package/scripts/audit-marketplace-discovery.mjs +122 -122
  123. package/scripts/audit-npm-package-metadata.mjs +155 -155
  124. package/scripts/audit-npm-publish-dry-run.mjs +191 -169
  125. package/scripts/audit-npm-tarball-install.mjs +191 -191
  126. package/scripts/audit-open-source-defaults.mjs +92 -92
  127. package/scripts/audit-open-source-readiness.mjs +97 -97
  128. package/scripts/audit-project.mjs +138 -138
  129. package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -203
  130. package/scripts/audit-public-acceptance-readiness.mjs +224 -224
  131. package/scripts/audit-public-channel-publication.mjs +248 -248
  132. package/scripts/audit-public-ci-run.mjs +184 -184
  133. package/scripts/audit-public-collaboration-templates.mjs +98 -98
  134. package/scripts/audit-public-external-gate-probe.mjs +206 -206
  135. package/scripts/audit-public-release-decision.mjs +201 -201
  136. package/scripts/audit-public-release-metadata.mjs +176 -176
  137. package/scripts/audit-public-repository-settings.mjs +237 -237
  138. package/scripts/audit-public-security-contact.mjs +171 -171
  139. package/scripts/audit-readme-docs.mjs +6 -4
  140. package/scripts/audit-recovery-readiness.mjs +98 -98
  141. package/scripts/audit-release-readiness.mjs +106 -106
  142. package/scripts/audit-release-trust.mjs +62 -62
  143. package/scripts/audit-remote-distribution.mjs +266 -266
  144. package/scripts/audit-roadmap-consistency.mjs +235 -235
  145. package/scripts/audit-signing.mjs +147 -147
  146. package/scripts/audit-state-freshness.mjs +14 -9
  147. package/scripts/audit-target-adoption-evidence.mjs +117 -117
  148. package/scripts/audit-target-project.mjs +507 -507
  149. package/scripts/audit-update-release-acceptance.mjs +136 -136
  150. package/scripts/audit-v1-target-validation.mjs +269 -269
  151. package/scripts/audit-validation-profiles.mjs +125 -125
  152. package/scripts/close-change.mjs +116 -116
  153. package/scripts/discover-project-profile.mjs +307 -307
  154. package/scripts/generate-command-adapter.mjs +231 -231
  155. package/scripts/generate-final-acceptance-packet.mjs +181 -181
  156. package/scripts/generate-final-form-progress-report.mjs +205 -205
  157. package/scripts/generate-host-runtime-evidence-handoff.mjs +206 -206
  158. package/scripts/generate-owner-external-gate-kit.mjs +295 -295
  159. package/scripts/generate-public-acceptance-handoff.mjs +168 -168
  160. package/scripts/generate-public-release-checklist.mjs +207 -207
  161. package/scripts/generate-release-bundle.mjs +505 -505
  162. package/scripts/generate-release-owner-action-plan.mjs +172 -172
  163. package/scripts/generate-release-status-manifest.mjs +200 -200
  164. package/scripts/generate-session-prompt.mjs +188 -188
  165. package/scripts/gse.mjs +67 -67
  166. package/scripts/init-change.mjs +265 -265
  167. package/scripts/init-project.mjs +785 -785
  168. package/scripts/install-gse.mjs +234 -234
  169. package/scripts/lib/evidence-placeholders.mjs +28 -28
  170. package/scripts/package-gse.mjs +174 -174
  171. package/scripts/probe-public-external-gates.mjs +167 -167
  172. package/scripts/record-host-invocation.mjs +151 -151
  173. package/scripts/record-public-channel-publication.mjs +178 -178
  174. package/scripts/record-public-ci-run.mjs +180 -180
  175. package/scripts/record-public-release.mjs +175 -175
  176. package/scripts/record-public-repository-settings.mjs +209 -209
  177. package/scripts/record-public-security-contact.mjs +157 -157
  178. package/scripts/sign-gse-package.mjs +83 -83
  179. package/scripts/update-project-state.mjs +223 -223
  180. package/scripts/verify-gse-package.mjs +85 -85
@@ -1,174 +1,174 @@
1
- # Public Release Metadata
2
-
3
- Use this gate when GSE, a project-local GSE scaffold, or a GSE-derived package is prepared for public GitHub, marketplace, catalog, registry, or external handoff.
4
-
5
- Public release metadata is not a substitute for legal review, maintainer approval, CI, or marketplace approval. It makes the release state auditable so agents do not claim public readiness from local tests alone.
6
-
7
- ## Required Metadata
8
-
9
- Before a public release can be called accepted, record:
10
-
11
- - Release name or version.
12
- - Release date or intended release window.
13
- - Distribution channel: GitHub repository, package registry, marketplace/catalog, internal handoff, or direct archive.
14
- - License decision: license identifier, license file path, and who approved it.
15
- - Changelog or release notes path.
16
- - Install/update instructions path.
17
- - Verification commands and latest result.
18
- - Signing or integrity policy.
19
- - Public CI run: public workflow run URL, commit SHA, required checks, result, and acceptance evidence.
20
- - Public security contact: owner-approved disclosure path and policy update evidence.
21
- - Public repository settings: issues, PRs, security policy visibility, branch protection, and required checks.
22
- - Public channel publication: registry package, GitHub release, marketplace, or catalog evidence when any public channel is claimed.
23
- - Community/support channel: optional maintainer support, sponsorship, affiliate, or related-service link, if owner-approved.
24
- - Known risks and unsupported claims.
25
- - Owner acceptance or explicit reason acceptance is still pending.
26
-
27
- ## License Decision
28
-
29
- GSE must not choose a license by guessing. If the project has no approved license, record `owner-required` and keep public release acceptance pending.
30
-
31
- For the GSE skill itself, the owner-approved mainstream open-source default is MIT. See `references/open-source-defaults.md`. This default does not imply public repository, CI, registry, marketplace, or host runtime acceptance until those external records exist.
32
-
33
- Minimum license record:
34
-
35
- ```text
36
- License status: owner-required | selected | not-public
37
- SPDX identifier:
38
- License file:
39
- Approved by:
40
- Decision date:
41
- Notes:
42
- ```
43
-
44
- Use `assets/templates/public-release-record.md` when a release needs a compact owner-facing decision record.
45
-
46
- Use `scripts/record-public-release.mjs` to create a project-local record without hand-editing the template:
47
-
48
- ```bash
49
- node <skill>/scripts/record-public-release.mjs --root <skill-or-project> --license-status owner-required --json
50
- ```
51
-
52
- For `--license-status selected`, the command requires `--spdx`, `--license-file`, `--approved-by`, `--decision-date`, and `--evidence-status accepted`. This keeps license acceptance from being implied by a partially filled record.
53
-
54
- For `--license-status not-public`, the command requires `--approved-by` and `--decision-date`. Use this when the owner explicitly decides the package is not approved for public open-source release yet.
55
-
56
- Run `scripts/audit-public-release-decision.mjs --root <skill-or-project>` to verify that the owner-required, selected-license, and not-public decision paths behave correctly. The audit uses a temporary fixture for selected-license success and does not choose a license for the real project.
57
-
58
- ## Public Release Checklist
59
-
60
- Use the generated checklist when the owner needs the public-release work in execution order instead of grouped by responsibility:
61
-
62
- ```bash
63
- node <skill>/scripts/generate-public-release-checklist.mjs --root <skill-or-project> --force --json
64
- node <skill>/scripts/audit-public-release-checklist.mjs --root <skill-or-project> --json
65
- ```
66
-
67
- The checklist is a runway, not an acceptance record. It keeps the order explicit: release bundle, public repository settings, security contact, public CI, registry publication, marketplace listing, native slash-command evidence, other host runtime evidence, then final readiness audits.
68
-
69
- ## Public CI Run
70
-
71
- Local CI workflow files are not proof that public CI has run. If GSE is claimed to have public CI evidence, record the real public workflow run.
72
-
73
- Use `assets/templates/public-ci-run-record.md` for a compact record, or generate one with:
74
-
75
- ```bash
76
- node <skill>/scripts/record-public-ci-run.mjs --root <skill-or-project> --run-status pending --json
77
- ```
78
-
79
- For `--run-status accepted`, the command requires repository URL, workflow name, workflow file, run URL, commit SHA, branch, required checks, evidence owner, evidence date, evidence URL or run id, `--run-conclusion success`, `--evidence-status accepted`, `--accepted-by`, `--accepted-at`, `--proves-public-ci-run true`, and `--proves-required-checks true`.
80
-
81
- Run `scripts/audit-public-ci-run.mjs --root <skill-or-project>` to verify pending and accepted CI run record mechanics. The audit uses temporary fixture evidence and does not run GitHub Actions.
82
-
83
- ## Public Security Contact
84
-
85
- GSE must not invent a public vulnerability disclosure address. If the owner has not approved a public security contact, keep the contact status pending and do not claim public release acceptance.
86
-
87
- Use `assets/templates/public-security-contact-record.md` for a compact record, or generate one with:
88
-
89
- ```bash
90
- node <skill>/scripts/record-public-security-contact.mjs --root <skill-or-project> --contact-status pending --json
91
- ```
92
-
93
- For `--contact-status accepted`, the command requires a public contact type and value, owner evidence, evidence date, evidence URL or run id, `--is-public true`, `--security-policy-updated true`, `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
94
-
95
- Run `scripts/audit-public-security-contact.mjs --root <skill-or-project>` to verify pending and accepted record mechanics. The audit uses temporary fixture evidence and does not create a real public security contact.
96
-
97
- ## Public Repository Settings
98
-
99
- Public repository settings are external evidence. Local files can define the required shape, but they do not prove that a public GitHub repository has issues, pull requests, security policy visibility, branch protection, or required checks configured.
100
-
101
- Use `assets/templates/public-repository-settings-record.md` for a compact record, or generate one with:
102
-
103
- ```bash
104
- node <skill>/scripts/record-public-repository-settings.mjs --root <skill-or-project> --settings-status pending --json
105
- ```
106
-
107
- For `--settings-status verified`, the command requires a public repository URL, evidence owner, evidence date, evidence URL or run id, enabled issues/PRs/security policy, branch protection, required status checks, review-before-merge, conversation resolution, force-push restriction, deletion restriction, and required check names.
108
-
109
- For `--settings-status accepted`, the command also requires `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
110
-
111
- Run `scripts/audit-public-repository-settings.mjs --root <skill-or-project>` to verify the pending, verified, and accepted record mechanics. The audit uses temporary fixture evidence and does not configure a real public repository.
112
-
113
- ## Public Channel Publication
114
-
115
- Discovery metadata, local packages, release bundles, and URL-install smokes are not public publication. If GSE is claimed to be published through a registry, marketplace, catalog, or GitHub release, record the real channel evidence.
116
-
117
- Use `assets/templates/public-channel-publication-record.md` for a compact record, or generate one with:
118
-
119
- ```bash
120
- node <skill>/scripts/record-public-channel-publication.mjs --root <skill-or-project> --publication-status pending --json
121
- ```
122
-
123
- For `--publication-status accepted`, the command requires channel type, channel name, channel URL, version, owner evidence, evidence date, evidence URL or run id, review status `approved` or `published`, `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
124
-
125
- For package registry claims, accepted evidence also requires `--artifact-digest` and `--proves-registry-publication true`. For marketplace or catalog claims, accepted evidence requires `--proves-marketplace-approval true`.
126
-
127
- Run `scripts/audit-public-channel-publication.mjs --root <skill-or-project>` to verify pending, registry-publication, and marketplace-approval record mechanics. The audit uses temporary fixture evidence and does not publish to a real channel.
128
-
129
- ## Community And Support Links
130
-
131
- Community links are not release channels. They can help users find support or related maintainer services, but they do not prove registry publication, marketplace approval, public CI, security disclosure, or host runtime support.
132
-
133
- For GSE, GateHub (`https://gatehub.top/`) is the current owner-candidate community/support link. Use `references/community-channels.md` before adding it to a public repository, release note, or listing.
134
-
135
- ## Changelog Policy
136
-
137
- Use the project convention first. If none exists, keep a `CHANGELOG.md` with:
138
-
139
- - user-facing changes,
140
- - operator or maintainer changes,
141
- - breaking changes,
142
- - migration and rollback notes,
143
- - verification evidence,
144
- - known limits and unsupported claims.
145
-
146
- Do not paste long command output, private reasoning, secrets, provider payloads, or screenshots into a changelog. Link to evidence files instead.
147
-
148
- ## Acceptance Levels
149
-
150
- - `result`: metadata files exist but are not verified.
151
- - `verified`: metadata files, scripts, changelog policy, and owner-decision placeholders are structurally checked.
152
- - `accepted`: owner license decision, release channel, verification evidence, and required approvals are recorded.
153
-
154
- Do not mark `accepted` when the release is only locally validated.
155
-
156
- ## Integration
157
-
158
- - Use `references/open-source-defaults.md` for the mainstream public release preset.
159
- - Use `references/community-channels.md` for optional maintainer support, sponsorship, affiliate, or related-service links.
160
- - Run `scripts/audit-public-release-metadata.mjs --root <skill-or-project>` before public handoff.
161
- - Run `scripts/audit-public-release-decision.mjs --root <skill-or-project>` before claiming release-decision mechanics are complete.
162
- - Use `scripts/record-public-release.mjs --root <skill-or-project>` to write the release decision record.
163
- - Run `scripts/audit-public-ci-run.mjs --root <skill-or-project>` before claiming public CI run record mechanics are complete.
164
- - Use `scripts/record-public-ci-run.mjs --root <skill-or-project>` to write public CI run evidence.
165
- - Run `scripts/audit-public-security-contact.mjs --root <skill-or-project>` before claiming security contact record mechanics are complete.
166
- - Use `scripts/record-public-security-contact.mjs --root <skill-or-project>` to write the public security contact evidence record.
167
- - Run `scripts/audit-public-repository-settings.mjs --root <skill-or-project>` before claiming repository settings record mechanics are complete.
168
- - Use `scripts/record-public-repository-settings.mjs --root <skill-or-project>` to write the repository settings evidence record.
169
- - Run `scripts/audit-public-channel-publication.mjs --root <skill-or-project>` before claiming public channel publication record mechanics are complete.
170
- - Use `scripts/record-public-channel-publication.mjs --root <skill-or-project>` to write public registry, marketplace, catalog, or release publication evidence.
171
- - Run `scripts/validate-gse.mjs --root <skill>` before publishing the GSE skill itself.
172
- - Use `references/release.md` for release-level gates and rollback guidance.
173
- - Use `references/release-trust.md` for signing, public key custody, and artifact trust.
174
- - Use `references/marketplace-discovery.md` when preparing marketplace or catalog metadata.
1
+ # Public Release Metadata
2
+
3
+ Use this gate when GSE, a project-local GSE scaffold, or a GSE-derived package is prepared for public GitHub, marketplace, catalog, registry, or external handoff.
4
+
5
+ Public release metadata is not a substitute for legal review, maintainer approval, CI, or marketplace approval. It makes the release state auditable so agents do not claim public readiness from local tests alone.
6
+
7
+ ## Required Metadata
8
+
9
+ Before a public release can be called accepted, record:
10
+
11
+ - Release name or version.
12
+ - Release date or intended release window.
13
+ - Distribution channel: GitHub repository, package registry, marketplace/catalog, internal handoff, or direct archive.
14
+ - License decision: license identifier, license file path, and who approved it.
15
+ - Changelog or release notes path.
16
+ - Install/update instructions path.
17
+ - Verification commands and latest result.
18
+ - Signing or integrity policy.
19
+ - Public CI run: public workflow run URL, commit SHA, required checks, result, and acceptance evidence.
20
+ - Public security contact: owner-approved disclosure path and policy update evidence.
21
+ - Public repository settings: issues, PRs, security policy visibility, branch protection, and required checks.
22
+ - Public channel publication: registry package, GitHub release, marketplace, or catalog evidence when any public channel is claimed.
23
+ - Community/support channel: optional maintainer support, sponsorship, affiliate, or related-service link, if owner-approved.
24
+ - Known risks and unsupported claims.
25
+ - Owner acceptance or explicit reason acceptance is still pending.
26
+
27
+ ## License Decision
28
+
29
+ GSE must not choose a license by guessing. If the project has no approved license, record `owner-required` and keep public release acceptance pending.
30
+
31
+ For the GSE skill itself, the owner-approved mainstream open-source default is MIT. See `references/open-source-defaults.md`. This default does not imply public repository, CI, registry, marketplace, or host runtime acceptance until those external records exist.
32
+
33
+ Minimum license record:
34
+
35
+ ```text
36
+ License status: owner-required | selected | not-public
37
+ SPDX identifier:
38
+ License file:
39
+ Approved by:
40
+ Decision date:
41
+ Notes:
42
+ ```
43
+
44
+ Use `assets/templates/public-release-record.md` when a release needs a compact owner-facing decision record.
45
+
46
+ Use `scripts/record-public-release.mjs` to create a project-local record without hand-editing the template:
47
+
48
+ ```bash
49
+ node <skill>/scripts/record-public-release.mjs --root <skill-or-project> --license-status owner-required --json
50
+ ```
51
+
52
+ For `--license-status selected`, the command requires `--spdx`, `--license-file`, `--approved-by`, `--decision-date`, and `--evidence-status accepted`. This keeps license acceptance from being implied by a partially filled record.
53
+
54
+ For `--license-status not-public`, the command requires `--approved-by` and `--decision-date`. Use this when the owner explicitly decides the package is not approved for public open-source release yet.
55
+
56
+ Run `scripts/audit-public-release-decision.mjs --root <skill-or-project>` to verify that the owner-required, selected-license, and not-public decision paths behave correctly. The audit uses a temporary fixture for selected-license success and does not choose a license for the real project.
57
+
58
+ ## Public Release Checklist
59
+
60
+ Use the generated checklist when the owner needs the public-release work in execution order instead of grouped by responsibility:
61
+
62
+ ```bash
63
+ node <skill>/scripts/generate-public-release-checklist.mjs --root <skill-or-project> --force --json
64
+ node <skill>/scripts/audit-public-release-checklist.mjs --root <skill-or-project> --json
65
+ ```
66
+
67
+ The checklist is a runway, not an acceptance record. It keeps the order explicit: release bundle, public repository settings, security contact, public CI, registry publication, marketplace listing, native slash-command evidence, other host runtime evidence, then final readiness audits.
68
+
69
+ ## Public CI Run
70
+
71
+ Local CI workflow files are not proof that public CI has run. If GSE is claimed to have public CI evidence, record the real public workflow run.
72
+
73
+ Use `assets/templates/public-ci-run-record.md` for a compact record, or generate one with:
74
+
75
+ ```bash
76
+ node <skill>/scripts/record-public-ci-run.mjs --root <skill-or-project> --run-status pending --json
77
+ ```
78
+
79
+ For `--run-status accepted`, the command requires repository URL, workflow name, workflow file, run URL, commit SHA, branch, required checks, evidence owner, evidence date, evidence URL or run id, `--run-conclusion success`, `--evidence-status accepted`, `--accepted-by`, `--accepted-at`, `--proves-public-ci-run true`, and `--proves-required-checks true`.
80
+
81
+ Run `scripts/audit-public-ci-run.mjs --root <skill-or-project>` to verify pending and accepted CI run record mechanics. The audit uses temporary fixture evidence and does not run GitHub Actions.
82
+
83
+ ## Public Security Contact
84
+
85
+ GSE must not invent a public vulnerability disclosure address. If the owner has not approved a public security contact, keep the contact status pending and do not claim public release acceptance.
86
+
87
+ Use `assets/templates/public-security-contact-record.md` for a compact record, or generate one with:
88
+
89
+ ```bash
90
+ node <skill>/scripts/record-public-security-contact.mjs --root <skill-or-project> --contact-status pending --json
91
+ ```
92
+
93
+ For `--contact-status accepted`, the command requires a public contact type and value, owner evidence, evidence date, evidence URL or run id, `--is-public true`, `--security-policy-updated true`, `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
94
+
95
+ Run `scripts/audit-public-security-contact.mjs --root <skill-or-project>` to verify pending and accepted record mechanics. The audit uses temporary fixture evidence and does not create a real public security contact.
96
+
97
+ ## Public Repository Settings
98
+
99
+ Public repository settings are external evidence. Local files can define the required shape, but they do not prove that a public GitHub repository has issues, pull requests, security policy visibility, branch protection, or required checks configured.
100
+
101
+ Use `assets/templates/public-repository-settings-record.md` for a compact record, or generate one with:
102
+
103
+ ```bash
104
+ node <skill>/scripts/record-public-repository-settings.mjs --root <skill-or-project> --settings-status pending --json
105
+ ```
106
+
107
+ For `--settings-status verified`, the command requires a public repository URL, evidence owner, evidence date, evidence URL or run id, enabled issues/PRs/security policy, branch protection, required status checks, review-before-merge, conversation resolution, force-push restriction, deletion restriction, and required check names.
108
+
109
+ For `--settings-status accepted`, the command also requires `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
110
+
111
+ Run `scripts/audit-public-repository-settings.mjs --root <skill-or-project>` to verify the pending, verified, and accepted record mechanics. The audit uses temporary fixture evidence and does not configure a real public repository.
112
+
113
+ ## Public Channel Publication
114
+
115
+ Discovery metadata, local packages, release bundles, and URL-install smokes are not public publication. If GSE is claimed to be published through a registry, marketplace, catalog, or GitHub release, record the real channel evidence.
116
+
117
+ Use `assets/templates/public-channel-publication-record.md` for a compact record, or generate one with:
118
+
119
+ ```bash
120
+ node <skill>/scripts/record-public-channel-publication.mjs --root <skill-or-project> --publication-status pending --json
121
+ ```
122
+
123
+ For `--publication-status accepted`, the command requires channel type, channel name, channel URL, version, owner evidence, evidence date, evidence URL or run id, review status `approved` or `published`, `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
124
+
125
+ For package registry claims, accepted evidence also requires `--artifact-digest` and `--proves-registry-publication true`. For marketplace or catalog claims, accepted evidence requires `--proves-marketplace-approval true`.
126
+
127
+ Run `scripts/audit-public-channel-publication.mjs --root <skill-or-project>` to verify pending, registry-publication, and marketplace-approval record mechanics. The audit uses temporary fixture evidence and does not publish to a real channel.
128
+
129
+ ## Community And Support Links
130
+
131
+ Community links are not release channels. They can help users find support or related maintainer services, but they do not prove registry publication, marketplace approval, public CI, security disclosure, or host runtime support.
132
+
133
+ For GSE, GateHub (`https://gatehub.top/`) is the current owner-candidate community/support link. Use `references/community-channels.md` before adding it to a public repository, release note, or listing.
134
+
135
+ ## Changelog Policy
136
+
137
+ Use the project convention first. If none exists, keep a `CHANGELOG.md` with:
138
+
139
+ - user-facing changes,
140
+ - operator or maintainer changes,
141
+ - breaking changes,
142
+ - migration and rollback notes,
143
+ - verification evidence,
144
+ - known limits and unsupported claims.
145
+
146
+ Do not paste long command output, private reasoning, secrets, provider payloads, or screenshots into a changelog. Link to evidence files instead.
147
+
148
+ ## Acceptance Levels
149
+
150
+ - `result`: metadata files exist but are not verified.
151
+ - `verified`: metadata files, scripts, changelog policy, and owner-decision placeholders are structurally checked.
152
+ - `accepted`: owner license decision, release channel, verification evidence, and required approvals are recorded.
153
+
154
+ Do not mark `accepted` when the release is only locally validated.
155
+
156
+ ## Integration
157
+
158
+ - Use `references/open-source-defaults.md` for the mainstream public release preset.
159
+ - Use `references/community-channels.md` for optional maintainer support, sponsorship, affiliate, or related-service links.
160
+ - Run `scripts/audit-public-release-metadata.mjs --root <skill-or-project>` before public handoff.
161
+ - Run `scripts/audit-public-release-decision.mjs --root <skill-or-project>` before claiming release-decision mechanics are complete.
162
+ - Use `scripts/record-public-release.mjs --root <skill-or-project>` to write the release decision record.
163
+ - Run `scripts/audit-public-ci-run.mjs --root <skill-or-project>` before claiming public CI run record mechanics are complete.
164
+ - Use `scripts/record-public-ci-run.mjs --root <skill-or-project>` to write public CI run evidence.
165
+ - Run `scripts/audit-public-security-contact.mjs --root <skill-or-project>` before claiming security contact record mechanics are complete.
166
+ - Use `scripts/record-public-security-contact.mjs --root <skill-or-project>` to write the public security contact evidence record.
167
+ - Run `scripts/audit-public-repository-settings.mjs --root <skill-or-project>` before claiming repository settings record mechanics are complete.
168
+ - Use `scripts/record-public-repository-settings.mjs --root <skill-or-project>` to write the repository settings evidence record.
169
+ - Run `scripts/audit-public-channel-publication.mjs --root <skill-or-project>` before claiming public channel publication record mechanics are complete.
170
+ - Use `scripts/record-public-channel-publication.mjs --root <skill-or-project>` to write public registry, marketplace, catalog, or release publication evidence.
171
+ - Run `scripts/validate-gse.mjs --root <skill>` before publishing the GSE skill itself.
172
+ - Use `references/release.md` for release-level gates and rollback guidance.
173
+ - Use `references/release-trust.md` for signing, public key custody, and artifact trust.
174
+ - Use `references/marketplace-discovery.md` when preparing marketplace or catalog metadata.
@@ -1,100 +1,100 @@
1
- # Quality Gates
2
-
3
- Pick gates by task risk.
4
-
5
- ## Universal Gate
6
-
7
- - Outcome matches request.
8
- - Scope did not expand silently.
9
- - Acceptance has evidence.
10
- - Evidence status uses `evidence-taxonomy.md`: result, verified, or accepted.
11
- - Do not claim `verified` or `accepted` when evidence only proves `result`.
12
- - Dirty worktree contains only intended files; use `references/file-ownership.md` when ownership or pre-existing changes are unclear.
13
- - Final answer states evidence and remaining risk.
14
- - Use `references/recovery.md` when work is interrupted, verification fails, rollback/resume decisions are needed, or another agent/session must continue.
15
- - Use `references/review.md` when task risk requires spec compliance, code quality, architecture drift, security/privacy, regression, or evidence review.
16
- - Use `references/domain-quality-gates.md` when task risk involves security/privacy, performance/cost, accessibility, resilience/recovery, UI/browser, API/state, data/migration, model/tool routing, or release/operations concerns.
17
- - Use `references/architecture-health.md` when the task touches structural boundaries, coupling, source-of-truth drift, ownership, dependency/security risk, performance/resilience, migration, or release impact.
18
- - Use `references/forward-test.md` for non-trivial GSE skill, scaffold, router, role, adapter, release, recovery, or packaging changes.
19
-
20
- ## Code Gates
21
-
22
- - Focused tests for changed behavior.
23
- - Typecheck/lint/build when relevant.
24
- - Regression test for bug fixes when feasible.
25
- - No unrelated refactors.
26
-
27
- ## Gate Profiles
28
-
29
- Use the lightest gate profile that proves the claim.
30
-
31
- ### Lite Gate
32
-
33
- Use for docs, scripts, copy, narrow state labels, and low-risk local helpers.
34
-
35
- - Required: one focused command, structural check, or explicit manual evidence.
36
- - Optional: encoding check when docs changed.
37
- - Avoid by default: full build, browser smoke, distribution audit, or close gate unless the change touches those surfaces.
38
-
39
- ### Standard Gate
40
-
41
- Use for user-visible product slices, shared state contracts, API behavior, persistence, or cross-file workflows.
42
-
43
- - Required: focused tests for changed behavior.
44
- - Add one relevant integration smoke when the slice affects a visible or persisted path.
45
- - Build/typecheck is required when touching Next build-time code, shared TypeScript contracts, generated package shape, or release/install behavior.
46
-
47
- ### Enterprise Gate
48
-
49
- Use for public release, install/update, security, migrations, cross-host support, skill/scaffold changes, or high-blast-radius architecture.
50
-
51
- - Required: focused tests plus the hard gate matching the claim.
52
- - Examples: distribution audit for install claims, release bundle audit for release handoff claims, browser smoke for UI reliability claims, security scan for permission/secrets claims.
53
- - For GSE distribution checks, use `--profile smoke` for routine package/install/CLI/integrity evidence and `--profile full` for release, handoff, or installed-copy validation claims.
54
- - Full validation belongs here, not on every small product slice.
55
-
56
- Gate selection should be stated in evidence when a task could reasonably look heavier than the chosen profile.
57
-
58
- Portable validation profile runner:
59
-
60
- ```text
61
- node <gse-skill>/scripts/run-validation-profile.mjs --target <project-root> --profile lite|standard|enterprise|release
62
- ```
63
-
64
- Use this runner when a host, user, or future agent needs a stable command instead of hand-selecting individual audit scripts.
65
-
66
- ## UI Gates
67
-
68
- - Component test or browser smoke for visible behavior.
69
- - Screenshot or visual inspection for layout-sensitive work.
70
- - Loading, empty, error, success, retry, and cancelled states covered when relevant.
71
-
72
- ## Agent/Product Gates
73
-
74
- - State machine transitions are explicit.
75
- - Stop/retry/recovery behavior is defined.
76
- - Tool/process traces do not reveal hidden reasoning, secrets, or raw provider payloads.
77
- - Short/simple chats avoid heavy workflow paths.
78
-
79
- ## Release Gates
80
-
81
- Use `references/release.md` when a task affects shipping, install, upgrade, runtime compatibility, migration, rollback, changelog/release notes, or release acceptance.
82
-
83
- - Build/install smoke.
84
- - Migration and rollback notes.
85
- - Changelog or release note.
86
- - Known risk list.
87
- - Observability or incident path for risky changes.
88
-
89
- ## Domain Gates
90
-
91
- Use `references/domain-quality-gates.md` to select only the domain gates that match the risk. Do not force all gates onto Lite tasks.
92
-
93
- - Security/privacy: secrets, auth, permissions, user data, provider payloads, logs, browser traces, or tool permissions.
94
- - Performance/cost: latency, heavy context loading, loops, model/tool routing, workers, queues, or large files.
95
- - Accessibility: keyboard flow, focus, forms, semantics, contrast, responsive UI, or user-facing navigation.
96
- - Resilience/recovery: retry, cancellation, timeout, idempotency, duplicate prevention, fallback, or state recovery.
97
- - UI/browser: loading, empty, error, success, streaming, routing, layout, screenshot, or browser smoke needs.
98
- - API/state: contracts, persistence, sessions, caches, state machines, concurrency, or idempotency.
99
- - Data/migration: schema, storage, generated artifacts, import/export, compatibility, rollback, or downgrade risk.
100
- - Model/tool routing: provider behavior, fallback, MCP, browser, subagent, tool status, permissions, or cost route.
1
+ # Quality Gates
2
+
3
+ Pick gates by task risk.
4
+
5
+ ## Universal Gate
6
+
7
+ - Outcome matches request.
8
+ - Scope did not expand silently.
9
+ - Acceptance has evidence.
10
+ - Evidence status uses `evidence-taxonomy.md`: result, verified, or accepted.
11
+ - Do not claim `verified` or `accepted` when evidence only proves `result`.
12
+ - Dirty worktree contains only intended files; use `references/file-ownership.md` when ownership or pre-existing changes are unclear.
13
+ - Final answer states evidence and remaining risk.
14
+ - Use `references/recovery.md` when work is interrupted, verification fails, rollback/resume decisions are needed, or another agent/session must continue.
15
+ - Use `references/review.md` when task risk requires spec compliance, code quality, architecture drift, security/privacy, regression, or evidence review.
16
+ - Use `references/domain-quality-gates.md` when task risk involves security/privacy, performance/cost, accessibility, resilience/recovery, UI/browser, API/state, data/migration, model/tool routing, or release/operations concerns.
17
+ - Use `references/architecture-health.md` when the task touches structural boundaries, coupling, source-of-truth drift, ownership, dependency/security risk, performance/resilience, migration, or release impact.
18
+ - Use `references/forward-test.md` for non-trivial GSE skill, scaffold, router, role, adapter, release, recovery, or packaging changes.
19
+
20
+ ## Code Gates
21
+
22
+ - Focused tests for changed behavior.
23
+ - Typecheck/lint/build when relevant.
24
+ - Regression test for bug fixes when feasible.
25
+ - No unrelated refactors.
26
+
27
+ ## Gate Profiles
28
+
29
+ Use the lightest gate profile that proves the claim.
30
+
31
+ ### Lite Gate
32
+
33
+ Use for docs, scripts, copy, narrow state labels, and low-risk local helpers.
34
+
35
+ - Required: one focused command, structural check, or explicit manual evidence.
36
+ - Optional: encoding check when docs changed.
37
+ - Avoid by default: full build, browser smoke, distribution audit, or close gate unless the change touches those surfaces.
38
+
39
+ ### Standard Gate
40
+
41
+ Use for user-visible product slices, shared state contracts, API behavior, persistence, or cross-file workflows.
42
+
43
+ - Required: focused tests for changed behavior.
44
+ - Add one relevant integration smoke when the slice affects a visible or persisted path.
45
+ - Build/typecheck is required when touching Next build-time code, shared TypeScript contracts, generated package shape, or release/install behavior.
46
+
47
+ ### Enterprise Gate
48
+
49
+ Use for public release, install/update, security, migrations, cross-host support, skill/scaffold changes, or high-blast-radius architecture.
50
+
51
+ - Required: focused tests plus the hard gate matching the claim.
52
+ - Examples: distribution audit for install claims, release bundle audit for release handoff claims, browser smoke for UI reliability claims, security scan for permission/secrets claims.
53
+ - For GSE distribution checks, use `--profile smoke` for routine package/install/CLI/integrity evidence and `--profile full` for release, handoff, or installed-copy validation claims.
54
+ - Full validation belongs here, not on every small product slice.
55
+
56
+ Gate selection should be stated in evidence when a task could reasonably look heavier than the chosen profile.
57
+
58
+ Portable validation profile runner:
59
+
60
+ ```text
61
+ node <gse-skill>/scripts/run-validation-profile.mjs --target <project-root> --profile lite|standard|enterprise|release
62
+ ```
63
+
64
+ Use this runner when a host, user, or future agent needs a stable command instead of hand-selecting individual audit scripts.
65
+
66
+ ## UI Gates
67
+
68
+ - Component test or browser smoke for visible behavior.
69
+ - Screenshot or visual inspection for layout-sensitive work.
70
+ - Loading, empty, error, success, retry, and cancelled states covered when relevant.
71
+
72
+ ## Agent/Product Gates
73
+
74
+ - State machine transitions are explicit.
75
+ - Stop/retry/recovery behavior is defined.
76
+ - Tool/process traces do not reveal hidden reasoning, secrets, or raw provider payloads.
77
+ - Short/simple chats avoid heavy workflow paths.
78
+
79
+ ## Release Gates
80
+
81
+ Use `references/release.md` when a task affects shipping, install, upgrade, runtime compatibility, migration, rollback, changelog/release notes, or release acceptance.
82
+
83
+ - Build/install smoke.
84
+ - Migration and rollback notes.
85
+ - Changelog or release note.
86
+ - Known risk list.
87
+ - Observability or incident path for risky changes.
88
+
89
+ ## Domain Gates
90
+
91
+ Use `references/domain-quality-gates.md` to select only the domain gates that match the risk. Do not force all gates onto Lite tasks.
92
+
93
+ - Security/privacy: secrets, auth, permissions, user data, provider payloads, logs, browser traces, or tool permissions.
94
+ - Performance/cost: latency, heavy context loading, loops, model/tool routing, workers, queues, or large files.
95
+ - Accessibility: keyboard flow, focus, forms, semantics, contrast, responsive UI, or user-facing navigation.
96
+ - Resilience/recovery: retry, cancellation, timeout, idempotency, duplicate prevention, fallback, or state recovery.
97
+ - UI/browser: loading, empty, error, success, streaming, routing, layout, screenshot, or browser smoke needs.
98
+ - API/state: contracts, persistence, sessions, caches, state machines, concurrency, or idempotency.
99
+ - Data/migration: schema, storage, generated artifacts, import/export, compatibility, rollback, or downgrade risk.
100
+ - Model/tool routing: provider behavior, fallback, MCP, browser, subagent, tool status, permissions, or cost route.