@t275005746/gse 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (180) hide show
  1. package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -42
  2. package/.github/ISSUE_TEMPLATE/change_request.yml +50 -50
  3. package/.github/ISSUE_TEMPLATE/config.yml +5 -5
  4. package/.github/PULL_REQUEST_TEMPLATE.md +38 -38
  5. package/.github/workflows/validate-gse.yml +33 -33
  6. package/.gse/README.md +18 -18
  7. package/.gse/gse-development-protocol.md +50 -50
  8. package/.gse/project-profile.md +29 -29
  9. package/.gse/quality-gates.md +25 -25
  10. package/.gse/releases/public-registry-publication-npm.md +49 -0
  11. package/.gse/releases/public-release-owner-required.md +65 -65
  12. package/.gse/releases/public-security-contact-owner-required.md +45 -45
  13. package/.gse/state.json +3 -4
  14. package/CHANGELOG.md +24 -24
  15. package/CONTRIBUTING.md +64 -64
  16. package/LICENSE +21 -21
  17. package/README.md +1 -1
  18. package/README.zh-CN.md +1 -1
  19. package/SECURITY.md +41 -41
  20. package/SUPPORT.md +38 -38
  21. package/assets/marketplace/README.md +7 -7
  22. package/assets/marketplace/gse-listing.json +75 -75
  23. package/assets/templates/acceptance-execution-packet.md +73 -73
  24. package/assets/templates/adr.md +14 -14
  25. package/assets/templates/change-brief.md +16 -16
  26. package/assets/templates/design.md +18 -18
  27. package/assets/templates/dispatch-packet.md +104 -104
  28. package/assets/templates/evidence.md +14 -14
  29. package/assets/templates/execution-quality-pack.md +65 -65
  30. package/assets/templates/goal-map.md +21 -21
  31. package/assets/templates/host-adapter.md +48 -48
  32. package/assets/templates/host-ui-invocation-record.md +42 -42
  33. package/assets/templates/incident-review.md +60 -60
  34. package/assets/templates/public-channel-publication-record.md +49 -49
  35. package/assets/templates/public-ci-run-record.md +53 -53
  36. package/assets/templates/public-release-record.md +65 -65
  37. package/assets/templates/public-repository-settings-record.md +59 -59
  38. package/assets/templates/public-security-contact-record.md +45 -45
  39. package/assets/templates/release-trust-record.md +32 -32
  40. package/assets/templates/review.md +18 -18
  41. package/assets/templates/spec.md +16 -16
  42. package/assets/templates/target-adoption-evidence.md +29 -29
  43. package/assets/templates/tasks.md +17 -17
  44. package/assets/templates/update-release-acceptance-record.md +58 -58
  45. package/examples/README.md +22 -22
  46. package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -6
  47. package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -7
  48. package/examples/agent-runtime-host/.gse/goal-map.md +7 -7
  49. package/examples/agent-runtime-host/.gse/project-profile.md +27 -27
  50. package/examples/agent-runtime-host/.gse/tooling.md +5 -5
  51. package/examples/agent-runtime-host/.mcp.json +9 -9
  52. package/examples/agent-runtime-host/AGENTS.md +5 -5
  53. package/examples/agent-runtime-host/README.md +10 -10
  54. package/examples/agent-runtime-host/docs/model-routing.md +5 -5
  55. package/examples/cli-tool/.gse/project-profile.md +21 -21
  56. package/examples/cli-tool/AGENTS.md +5 -5
  57. package/examples/cli-tool/README.md +12 -12
  58. package/examples/cli-tool/package.json +21 -21
  59. package/examples/small-app/.env.example +2 -2
  60. package/examples/small-app/.github/workflows/ci.yml +8 -8
  61. package/examples/small-app/AGENTS.md +5 -5
  62. package/examples/small-app/README.md +12 -12
  63. package/examples/small-app/package.json +26 -26
  64. package/examples/small-app/playwright.config.ts +4 -4
  65. package/package.json +53 -53
  66. package/references/adoption-recipes.md +171 -171
  67. package/references/agent-roles.md +49 -49
  68. package/references/architecture-health.md +101 -101
  69. package/references/benchmark-audit.md +73 -73
  70. package/references/community-channels.md +46 -46
  71. package/references/compatibility.md +70 -70
  72. package/references/design-basis.md +38 -38
  73. package/references/domain-model.md +129 -129
  74. package/references/domain-quality-gates.md +75 -75
  75. package/references/drift-audit.md +81 -81
  76. package/references/evidence-taxonomy.md +123 -123
  77. package/references/file-ownership.md +107 -107
  78. package/references/final-readiness.md +84 -84
  79. package/references/forward-test.md +133 -133
  80. package/references/goal-map.md +36 -36
  81. package/references/host-adapters.md +119 -119
  82. package/references/learning-system.md +35 -35
  83. package/references/marketplace-discovery.md +46 -46
  84. package/references/model-routing.md +103 -103
  85. package/references/open-source-defaults.md +39 -39
  86. package/references/operating-model.md +52 -52
  87. package/references/packaging.md +277 -277
  88. package/references/project-agent-workspace.md +89 -89
  89. package/references/project-bootstrap.md +122 -122
  90. package/references/project-profile.md +57 -57
  91. package/references/public-release.md +174 -174
  92. package/references/quality-gates.md +100 -100
  93. package/references/recovery.md +176 -176
  94. package/references/release-trust.md +43 -43
  95. package/references/release.md +126 -126
  96. package/references/review.md +141 -141
  97. package/references/router.md +90 -90
  98. package/references/spec-workflow.md +66 -66
  99. package/references/task-levels.md +81 -81
  100. package/references/tool-adapters.md +73 -73
  101. package/scripts/audit-acceptance-execution-packet.mjs +133 -133
  102. package/scripts/audit-adoption-recipes.mjs +99 -99
  103. package/scripts/audit-change-lifecycle.mjs +77 -77
  104. package/scripts/audit-change-system.mjs +134 -134
  105. package/scripts/audit-ci-readiness.mjs +107 -107
  106. package/scripts/audit-close-gate.mjs +323 -323
  107. package/scripts/audit-command-adapters.mjs +91 -91
  108. package/scripts/audit-command-execution.mjs +210 -210
  109. package/scripts/audit-compatibility.mjs +149 -149
  110. package/scripts/audit-completion-readiness.mjs +292 -292
  111. package/scripts/audit-distribution.mjs +251 -251
  112. package/scripts/audit-domain-quality-gates.mjs +108 -108
  113. package/scripts/audit-evidence-placeholders.mjs +126 -126
  114. package/scripts/audit-final-readiness-promotion.mjs +255 -255
  115. package/scripts/audit-final-readiness.mjs +226 -226
  116. package/scripts/audit-fixtures.mjs +154 -154
  117. package/scripts/audit-fresh-session-readiness.mjs +177 -177
  118. package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -159
  119. package/scripts/audit-host-runtime-invocation-drill.mjs +240 -240
  120. package/scripts/audit-host-runtime-invocations.mjs +254 -254
  121. package/scripts/audit-host-ui-invocation.mjs +132 -132
  122. package/scripts/audit-marketplace-discovery.mjs +122 -122
  123. package/scripts/audit-npm-package-metadata.mjs +155 -155
  124. package/scripts/audit-npm-publish-dry-run.mjs +191 -169
  125. package/scripts/audit-npm-tarball-install.mjs +191 -191
  126. package/scripts/audit-open-source-defaults.mjs +92 -92
  127. package/scripts/audit-open-source-readiness.mjs +97 -97
  128. package/scripts/audit-project.mjs +138 -138
  129. package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -203
  130. package/scripts/audit-public-acceptance-readiness.mjs +224 -224
  131. package/scripts/audit-public-channel-publication.mjs +248 -248
  132. package/scripts/audit-public-ci-run.mjs +184 -184
  133. package/scripts/audit-public-collaboration-templates.mjs +98 -98
  134. package/scripts/audit-public-external-gate-probe.mjs +206 -206
  135. package/scripts/audit-public-release-decision.mjs +201 -201
  136. package/scripts/audit-public-release-metadata.mjs +176 -176
  137. package/scripts/audit-public-repository-settings.mjs +237 -237
  138. package/scripts/audit-public-security-contact.mjs +171 -171
  139. package/scripts/audit-readme-docs.mjs +6 -4
  140. package/scripts/audit-recovery-readiness.mjs +98 -98
  141. package/scripts/audit-release-readiness.mjs +106 -106
  142. package/scripts/audit-release-trust.mjs +62 -62
  143. package/scripts/audit-remote-distribution.mjs +266 -266
  144. package/scripts/audit-roadmap-consistency.mjs +235 -235
  145. package/scripts/audit-signing.mjs +147 -147
  146. package/scripts/audit-state-freshness.mjs +14 -9
  147. package/scripts/audit-target-adoption-evidence.mjs +117 -117
  148. package/scripts/audit-target-project.mjs +507 -507
  149. package/scripts/audit-update-release-acceptance.mjs +136 -136
  150. package/scripts/audit-v1-target-validation.mjs +269 -269
  151. package/scripts/audit-validation-profiles.mjs +125 -125
  152. package/scripts/close-change.mjs +116 -116
  153. package/scripts/discover-project-profile.mjs +307 -307
  154. package/scripts/generate-command-adapter.mjs +231 -231
  155. package/scripts/generate-final-acceptance-packet.mjs +181 -181
  156. package/scripts/generate-final-form-progress-report.mjs +205 -205
  157. package/scripts/generate-host-runtime-evidence-handoff.mjs +206 -206
  158. package/scripts/generate-owner-external-gate-kit.mjs +295 -295
  159. package/scripts/generate-public-acceptance-handoff.mjs +168 -168
  160. package/scripts/generate-public-release-checklist.mjs +207 -207
  161. package/scripts/generate-release-bundle.mjs +505 -505
  162. package/scripts/generate-release-owner-action-plan.mjs +172 -172
  163. package/scripts/generate-release-status-manifest.mjs +200 -200
  164. package/scripts/generate-session-prompt.mjs +188 -188
  165. package/scripts/gse.mjs +67 -67
  166. package/scripts/init-change.mjs +265 -265
  167. package/scripts/init-project.mjs +785 -785
  168. package/scripts/install-gse.mjs +234 -234
  169. package/scripts/lib/evidence-placeholders.mjs +28 -28
  170. package/scripts/package-gse.mjs +174 -174
  171. package/scripts/probe-public-external-gates.mjs +167 -167
  172. package/scripts/record-host-invocation.mjs +151 -151
  173. package/scripts/record-public-channel-publication.mjs +178 -178
  174. package/scripts/record-public-ci-run.mjs +180 -180
  175. package/scripts/record-public-release.mjs +175 -175
  176. package/scripts/record-public-repository-settings.mjs +209 -209
  177. package/scripts/record-public-security-contact.mjs +157 -157
  178. package/scripts/sign-gse-package.mjs +83 -83
  179. package/scripts/update-project-state.mjs +223 -223
  180. package/scripts/verify-gse-package.mjs +85 -85
@@ -1,126 +1,126 @@
1
- # Release Workflow
2
-
3
- Use this when a GSE slice affects shipping, installation, upgrade, runtime compatibility, user-visible behavior, migrations, rollback, changelog policy, or long-running project readiness.
4
-
5
- Release workflow is a gate, not a deployment tool. It defines what must be known before claiming a release is ready.
6
-
7
- ## Trigger Conditions
8
-
9
- Run this workflow when any of these are true:
10
-
11
- - A change is intended for a versioned release, public handoff, package update, installer update, or user-facing delivery.
12
- - A change affects install, bootstrap, update, compatibility, migration, rollback, data retention, or runtime configuration.
13
- - A change modifies product identity, permissions, model/provider routing, worker behavior, state persistence, evidence gates, or generated project scaffold files.
14
- - A bug fix touches a main path where regression risk matters.
15
- - Architecture health scan reports migration, release, rollback, dependency, security, or ownership risk.
16
- - The project requires changelog, release notes, approvals, or deployment evidence.
17
-
18
- For tiny internal edits with no release surface, record why release workflow is not applicable.
19
-
20
- ## Release Levels
21
-
22
- Pick the smallest release level that matches the blast radius.
23
-
24
- | Level | Use when | Minimum gate |
25
- |---|---|---|
26
- | Patch | Bug fix, doc correction, template wording, low-risk scaffold update | Focused verification, known risk, release note if user-visible |
27
- | Minor | New capability, new template, new script behavior, new adapter route, non-breaking workflow change | Focused verification, backward compatibility check, rollback or revert path, release notes |
28
- | Major | Breaking workflow, migration, removed behavior, changed source of truth, broad architecture change | Migration plan, rollback plan, compatibility notes, architecture health scan, release acceptance evidence |
29
- | Incident hotfix | Urgent fix for broken main path, data risk, security/privacy issue, release blocker | Minimal safe fix, reproduction or failure evidence, focused verification, incident follow-up |
30
-
31
- ## Minimum Release Checklist
32
-
33
- Before calling a release ready, confirm:
34
-
35
- - Outcome and scope match the accepted goal or spec.
36
- - Version or release label is known, or the project explicitly does not use version labels.
37
- - Changelog or release notes explain user-visible changes, breaking changes, migration notes, and known risks.
38
- - Focused verification proves the changed behavior, not only file existence.
39
- - Compatibility impact is checked against supported hosts, runtimes, package managers, project modes, and important configuration paths.
40
- - Migration and rollback expectations are documented for any state, schema, config, scaffold, or runtime change.
41
- - Security, privacy, permissions, secrets, and raw tool/provider traces are reviewed when relevant.
42
- - Observability, error diagnosis, or incident path is adequate for risky changes.
43
- - Evidence status is classified with references/evidence-taxonomy.md: result, verified, or accepted.
44
- - Follow-up slices are recorded instead of hidden in final prose.
45
-
46
- ## Migration And Rollback
47
-
48
- Capture migration and rollback at the same level of detail as the risk.
49
-
50
- For low-risk changes:
51
-
52
- - State whether revert is enough.
53
- - Name the files or artifacts that would be reverted.
54
-
55
- For stateful or compatibility-impacting changes:
56
-
57
- - Define old state, new state, and compatibility window.
58
- - Define data backup, restore, or fallback behavior.
59
- - Define how to detect failed migration or partial rollout.
60
- - Define whether downgrade is supported.
61
-
62
- For release-blocking uncertainty, do not claim accepted. Record a decision needed or follow-up slice.
63
-
64
- ## Changelog And Release Notes Policy
65
-
66
- Use the project convention first. If none exists, keep release notes short and structured:
67
-
68
- ```text
69
- Release label:
70
- Date:
71
- Type: patch | minor | major | incident hotfix
72
- Highlights:
73
- Changed:
74
- Fixed:
75
- Migration or rollback:
76
- Known risks:
77
- Verification:
78
- Follow-up slices:
79
- ```
80
-
81
- Rules:
82
-
83
- - Mention user-visible behavior separately from internal implementation.
84
- - Mark breaking changes clearly.
85
- - Do not include secrets, raw provider payloads, private reasoning, or noisy command logs.
86
- - Link to evidence files or CI/test results instead of pasting long output.
87
- - If the release is internal-only, say so and explain the affected operators or future agents.
88
-
89
- ## Release Evidence Record
90
-
91
- Use `assets/templates/update-release-acceptance-record.md` when a project needs to preserve local decisions, changed files, rollback notes, owner gate, accepted-by status, and residual risk in one compact record.
92
-
93
- For quick release notes, use this concise format in evidence logs or release notes:
94
-
95
- ```text
96
- Release scope:
97
- Release level:
98
- Readiness: not ready | result | verified | accepted
99
- Verification evidence:
100
- Compatibility evidence:
101
- Migration or rollback:
102
- Known risks:
103
- Decisions needed:
104
- Follow-up slices:
105
- ```
106
-
107
- Readiness meanings:
108
-
109
- - not ready: required release evidence is missing or contradicted.
110
- - result: release artifacts or notes exist, but behavior is not verified.
111
- - verified: focused checks prove release-relevant behavior in the current environment.
112
- - accepted: the required owner, CI, smoke, or production-like evidence for this release level has passed.
113
-
114
- Do not mark `accepted` only because local validation passed. Use `accepted` only when the required owner, release policy, CI gate, smoke gate, archive gate, or explicitly named acceptance policy accepts the verified result.
115
-
116
- ## Integration
117
-
118
- - Use references/quality-gates.md for the base release gate list.
119
- - Use references/public-release.md before public GitHub, marketplace, catalog, registry, or external package handoff.
120
- - Use references/architecture-health.md when migration, rollback, dependency, security, performance, resilience, compatibility, or source-of-truth risk exists.
121
- - Use references/review.md for spec compliance, code quality, security/privacy, regression, and evidence review before release.
122
- - Use references/project-profile.md for project-specific release commands, versioning, deployment, rollback, and approval rules.
123
- - Use references/evidence-taxonomy.md to avoid overstating readiness.
124
- - Use references/recovery.md when release work is interrupted, rollback is possible, verification fails, or future-agent continuation is needed.
125
- - Use references/forward-test.md for non-trivial GSE release, scaffold, adapter, recovery, or packaging changes.
126
- - Use `assets/templates/update-release-acceptance-record.md` for project-local update and release acceptance records.
1
+ # Release Workflow
2
+
3
+ Use this when a GSE slice affects shipping, installation, upgrade, runtime compatibility, user-visible behavior, migrations, rollback, changelog policy, or long-running project readiness.
4
+
5
+ Release workflow is a gate, not a deployment tool. It defines what must be known before claiming a release is ready.
6
+
7
+ ## Trigger Conditions
8
+
9
+ Run this workflow when any of these are true:
10
+
11
+ - A change is intended for a versioned release, public handoff, package update, installer update, or user-facing delivery.
12
+ - A change affects install, bootstrap, update, compatibility, migration, rollback, data retention, or runtime configuration.
13
+ - A change modifies product identity, permissions, model/provider routing, worker behavior, state persistence, evidence gates, or generated project scaffold files.
14
+ - A bug fix touches a main path where regression risk matters.
15
+ - Architecture health scan reports migration, release, rollback, dependency, security, or ownership risk.
16
+ - The project requires changelog, release notes, approvals, or deployment evidence.
17
+
18
+ For tiny internal edits with no release surface, record why release workflow is not applicable.
19
+
20
+ ## Release Levels
21
+
22
+ Pick the smallest release level that matches the blast radius.
23
+
24
+ | Level | Use when | Minimum gate |
25
+ |---|---|---|
26
+ | Patch | Bug fix, doc correction, template wording, low-risk scaffold update | Focused verification, known risk, release note if user-visible |
27
+ | Minor | New capability, new template, new script behavior, new adapter route, non-breaking workflow change | Focused verification, backward compatibility check, rollback or revert path, release notes |
28
+ | Major | Breaking workflow, migration, removed behavior, changed source of truth, broad architecture change | Migration plan, rollback plan, compatibility notes, architecture health scan, release acceptance evidence |
29
+ | Incident hotfix | Urgent fix for broken main path, data risk, security/privacy issue, release blocker | Minimal safe fix, reproduction or failure evidence, focused verification, incident follow-up |
30
+
31
+ ## Minimum Release Checklist
32
+
33
+ Before calling a release ready, confirm:
34
+
35
+ - Outcome and scope match the accepted goal or spec.
36
+ - Version or release label is known, or the project explicitly does not use version labels.
37
+ - Changelog or release notes explain user-visible changes, breaking changes, migration notes, and known risks.
38
+ - Focused verification proves the changed behavior, not only file existence.
39
+ - Compatibility impact is checked against supported hosts, runtimes, package managers, project modes, and important configuration paths.
40
+ - Migration and rollback expectations are documented for any state, schema, config, scaffold, or runtime change.
41
+ - Security, privacy, permissions, secrets, and raw tool/provider traces are reviewed when relevant.
42
+ - Observability, error diagnosis, or incident path is adequate for risky changes.
43
+ - Evidence status is classified with references/evidence-taxonomy.md: result, verified, or accepted.
44
+ - Follow-up slices are recorded instead of hidden in final prose.
45
+
46
+ ## Migration And Rollback
47
+
48
+ Capture migration and rollback at the same level of detail as the risk.
49
+
50
+ For low-risk changes:
51
+
52
+ - State whether revert is enough.
53
+ - Name the files or artifacts that would be reverted.
54
+
55
+ For stateful or compatibility-impacting changes:
56
+
57
+ - Define old state, new state, and compatibility window.
58
+ - Define data backup, restore, or fallback behavior.
59
+ - Define how to detect failed migration or partial rollout.
60
+ - Define whether downgrade is supported.
61
+
62
+ For release-blocking uncertainty, do not claim accepted. Record a decision needed or follow-up slice.
63
+
64
+ ## Changelog And Release Notes Policy
65
+
66
+ Use the project convention first. If none exists, keep release notes short and structured:
67
+
68
+ ```text
69
+ Release label:
70
+ Date:
71
+ Type: patch | minor | major | incident hotfix
72
+ Highlights:
73
+ Changed:
74
+ Fixed:
75
+ Migration or rollback:
76
+ Known risks:
77
+ Verification:
78
+ Follow-up slices:
79
+ ```
80
+
81
+ Rules:
82
+
83
+ - Mention user-visible behavior separately from internal implementation.
84
+ - Mark breaking changes clearly.
85
+ - Do not include secrets, raw provider payloads, private reasoning, or noisy command logs.
86
+ - Link to evidence files or CI/test results instead of pasting long output.
87
+ - If the release is internal-only, say so and explain the affected operators or future agents.
88
+
89
+ ## Release Evidence Record
90
+
91
+ Use `assets/templates/update-release-acceptance-record.md` when a project needs to preserve local decisions, changed files, rollback notes, owner gate, accepted-by status, and residual risk in one compact record.
92
+
93
+ For quick release notes, use this concise format in evidence logs or release notes:
94
+
95
+ ```text
96
+ Release scope:
97
+ Release level:
98
+ Readiness: not ready | result | verified | accepted
99
+ Verification evidence:
100
+ Compatibility evidence:
101
+ Migration or rollback:
102
+ Known risks:
103
+ Decisions needed:
104
+ Follow-up slices:
105
+ ```
106
+
107
+ Readiness meanings:
108
+
109
+ - not ready: required release evidence is missing or contradicted.
110
+ - result: release artifacts or notes exist, but behavior is not verified.
111
+ - verified: focused checks prove release-relevant behavior in the current environment.
112
+ - accepted: the required owner, CI, smoke, or production-like evidence for this release level has passed.
113
+
114
+ Do not mark `accepted` only because local validation passed. Use `accepted` only when the required owner, release policy, CI gate, smoke gate, archive gate, or explicitly named acceptance policy accepts the verified result.
115
+
116
+ ## Integration
117
+
118
+ - Use references/quality-gates.md for the base release gate list.
119
+ - Use references/public-release.md before public GitHub, marketplace, catalog, registry, or external package handoff.
120
+ - Use references/architecture-health.md when migration, rollback, dependency, security, performance, resilience, compatibility, or source-of-truth risk exists.
121
+ - Use references/review.md for spec compliance, code quality, security/privacy, regression, and evidence review before release.
122
+ - Use references/project-profile.md for project-specific release commands, versioning, deployment, rollback, and approval rules.
123
+ - Use references/evidence-taxonomy.md to avoid overstating readiness.
124
+ - Use references/recovery.md when release work is interrupted, rollback is possible, verification fails, or future-agent continuation is needed.
125
+ - Use references/forward-test.md for non-trivial GSE release, scaffold, adapter, recovery, or packaging changes.
126
+ - Use `assets/templates/update-release-acceptance-record.md` for project-local update and release acceptance records.
@@ -1,141 +1,141 @@
1
- # Review Protocol
2
-
3
- Use this when GSE work needs a review beyond simple local verification: code changes, workflow rules, scaffolds, agent roles, adapters, release paths, security-sensitive behavior, or user-visible product behavior.
4
-
5
- ## Core Rule
6
-
7
- Review must answer two separate questions:
8
-
9
- 1. Spec compliance: did we build the requested thing and only the requested thing?
10
- 2. Code/workflow quality: is the result maintainable, safe, testable, and consistent with the project?
11
-
12
- Do not collapse these into a vague "looks good" check.
13
-
14
- ## When Review Is Required
15
-
16
- | Task risk | Review requirement |
17
- |---|---|
18
- | Level 1 tiny edit | Optional; self-check against acceptance is enough when evidence is direct |
19
- | Level 2 normal slice | Required if code, shared config, reusable templates, workflow rules, or user-visible behavior changed |
20
- | Level 3 large/risky work | Required; separate spec compliance, quality, QA/evidence, and coordinator integration review |
21
- | Security/privacy/release impact | Required; include security/privacy and rollback/evidence review |
22
- | Multi-agent or delegated work | Required when roles modify files or produce evidence |
23
-
24
- Review is unnecessary for evidence-only status updates, typo-only edits, or transient notes unless they change process meaning.
25
-
26
- ## Review Axes
27
-
28
- ### 1. Spec Compliance Review
29
-
30
- Checks whether the result matches the defined outcome, scope, non-goals, and acceptance criteria.
31
-
32
- Questions:
33
-
34
- - Does the change satisfy the requested outcome?
35
- - Did scope expand silently?
36
- - Were non-goals respected?
37
- - Are required files/artifacts present?
38
- - Is the evidence directly tied to acceptance?
39
- - Are user-visible names, identities, and permissions correct?
40
-
41
- ### 2. Code Quality Review
42
-
43
- Checks maintainability and implementation quality.
44
-
45
- Questions:
46
-
47
- - Does the change follow existing project patterns?
48
- - Is the code or workflow simpler than the problem requires?
49
- - Are abstractions justified?
50
- - Are generated files, lockfiles, or unrelated refactors avoided?
51
- - Are edge cases, errors, retries, cancellation, or recovery handled when relevant?
52
-
53
- ### 3. Architecture Drift Review
54
-
55
- Checks whether the change preserves project boundaries and long-term shape.
56
-
57
- Questions:
58
-
59
- - Did this introduce a new pattern without need?
60
- - Does it cross module, package, product, or host boundaries incorrectly?
61
- - Does it duplicate a source of truth?
62
- - Does it create coupling that future agents will misunderstand?
63
- - Should the issue be handled by a `references/architecture-health.md` scan?
64
-
65
- ### 4. Security And Privacy Review
66
-
67
- Checks user data, secrets, permissions, external services, and tool traces.
68
-
69
- Questions:
70
-
71
- - Are secrets, tokens, raw provider payloads, and hidden reasoning excluded from user-visible output and committed files?
72
- - Are write-capable tools and destructive commands bounded?
73
- - Are external inputs treated as untrusted?
74
- - Are privacy constraints respected for model routing, logs, browser traces, and MCP/tools?
75
-
76
- ### 5. Regression And Missing-Test Review
77
-
78
- Checks whether the verification actually covers the changed behavior.
79
-
80
- Questions:
81
-
82
- - Would the focused test/smoke fail if the change were broken?
83
- - Are existing tests or checks enough for this risk?
84
- - Is a regression test needed for a bug fix?
85
- - Are UI/API/state/error/cancel/retry paths covered when relevant?
86
-
87
- ### 6. Evidence Review
88
-
89
- Checks whether the final claim is supported.
90
-
91
- Questions:
92
-
93
- - Is the status result, verified, or accepted according to `references/evidence-taxonomy.md`?
94
- - Is residual risk recorded?
95
- - Is a forward test required by `references/forward-test.md`?
96
- - Are tool statuses documented, verified, unknown, or unavailable without exaggeration?
97
-
98
- ## Review Output
99
-
100
- Use this concise format:
101
-
102
- ```text
103
- Review type: spec compliance | code quality | architecture drift | security/privacy | regression/missing-test | evidence
104
- Verdict: approve | request changes | needs context | not applicable
105
- Severity: critical | important | suggestion | note
106
- Findings:
107
- Evidence checked:
108
- Required fixes:
109
- Deferred risks:
110
- ```
111
-
112
- For no-issue reviews, say which axes were checked. Do not rubber-stamp with only `LGTM`.
113
-
114
- ## Severity Rules
115
-
116
- - `critical`: security issue, data loss, broken main path, destructive operation, irreversible release risk.
117
- - `important`: likely bug, missing acceptance evidence, meaningful architecture drift, missing regression coverage.
118
- - `suggestion`: improvement that is useful but not required for this slice.
119
- - `note`: context for future work, no action required.
120
-
121
- ## Multi-Agent Review Order
122
-
123
- When using real subagents or sequential role simulation:
124
-
125
- 1. Builder reports files changed and verification run.
126
- 2. Spec compliance review checks scope and acceptance first.
127
- 3. Code quality review checks maintainability and risks second.
128
- 4. QA/evidence review confirms the verification story.
129
- 5. Coordinator integrates findings and decides final status.
130
-
131
- Do not start code-quality approval before unresolved spec compliance issues are addressed.
132
-
133
- ## Project Integration
134
-
135
- - `references/agent-roles.md` defines Reviewer and QA responsibilities.
136
- - `assets/templates/dispatch-packet.md` records whether spec compliance, code quality, QA/evidence, and coordinator review are required.
137
- - `references/architecture-health.md` defines structural scan triggers, scope levels, findings, risks, decisions, and follow-up slices.
138
- - `references/quality-gates.md` decides when review is required by risk.
139
- - `references/domain-quality-gates.md` selects security/privacy, performance/cost, accessibility, resilience/recovery, UI/browser, API/state, data/migration, model/tool routing, and release/operations gates by domain risk.
140
- - `references/evidence-taxonomy.md` decides whether a reviewed result is verified or accepted.
141
- - `.gse/project-profile.md` can add project-specific review standards, owners, or required commands.
1
+ # Review Protocol
2
+
3
+ Use this when GSE work needs a review beyond simple local verification: code changes, workflow rules, scaffolds, agent roles, adapters, release paths, security-sensitive behavior, or user-visible product behavior.
4
+
5
+ ## Core Rule
6
+
7
+ Review must answer two separate questions:
8
+
9
+ 1. Spec compliance: did we build the requested thing and only the requested thing?
10
+ 2. Code/workflow quality: is the result maintainable, safe, testable, and consistent with the project?
11
+
12
+ Do not collapse these into a vague "looks good" check.
13
+
14
+ ## When Review Is Required
15
+
16
+ | Task risk | Review requirement |
17
+ |---|---|
18
+ | Level 1 tiny edit | Optional; self-check against acceptance is enough when evidence is direct |
19
+ | Level 2 normal slice | Required if code, shared config, reusable templates, workflow rules, or user-visible behavior changed |
20
+ | Level 3 large/risky work | Required; separate spec compliance, quality, QA/evidence, and coordinator integration review |
21
+ | Security/privacy/release impact | Required; include security/privacy and rollback/evidence review |
22
+ | Multi-agent or delegated work | Required when roles modify files or produce evidence |
23
+
24
+ Review is unnecessary for evidence-only status updates, typo-only edits, or transient notes unless they change process meaning.
25
+
26
+ ## Review Axes
27
+
28
+ ### 1. Spec Compliance Review
29
+
30
+ Checks whether the result matches the defined outcome, scope, non-goals, and acceptance criteria.
31
+
32
+ Questions:
33
+
34
+ - Does the change satisfy the requested outcome?
35
+ - Did scope expand silently?
36
+ - Were non-goals respected?
37
+ - Are required files/artifacts present?
38
+ - Is the evidence directly tied to acceptance?
39
+ - Are user-visible names, identities, and permissions correct?
40
+
41
+ ### 2. Code Quality Review
42
+
43
+ Checks maintainability and implementation quality.
44
+
45
+ Questions:
46
+
47
+ - Does the change follow existing project patterns?
48
+ - Is the code or workflow simpler than the problem requires?
49
+ - Are abstractions justified?
50
+ - Are generated files, lockfiles, or unrelated refactors avoided?
51
+ - Are edge cases, errors, retries, cancellation, or recovery handled when relevant?
52
+
53
+ ### 3. Architecture Drift Review
54
+
55
+ Checks whether the change preserves project boundaries and long-term shape.
56
+
57
+ Questions:
58
+
59
+ - Did this introduce a new pattern without need?
60
+ - Does it cross module, package, product, or host boundaries incorrectly?
61
+ - Does it duplicate a source of truth?
62
+ - Does it create coupling that future agents will misunderstand?
63
+ - Should the issue be handled by a `references/architecture-health.md` scan?
64
+
65
+ ### 4. Security And Privacy Review
66
+
67
+ Checks user data, secrets, permissions, external services, and tool traces.
68
+
69
+ Questions:
70
+
71
+ - Are secrets, tokens, raw provider payloads, and hidden reasoning excluded from user-visible output and committed files?
72
+ - Are write-capable tools and destructive commands bounded?
73
+ - Are external inputs treated as untrusted?
74
+ - Are privacy constraints respected for model routing, logs, browser traces, and MCP/tools?
75
+
76
+ ### 5. Regression And Missing-Test Review
77
+
78
+ Checks whether the verification actually covers the changed behavior.
79
+
80
+ Questions:
81
+
82
+ - Would the focused test/smoke fail if the change were broken?
83
+ - Are existing tests or checks enough for this risk?
84
+ - Is a regression test needed for a bug fix?
85
+ - Are UI/API/state/error/cancel/retry paths covered when relevant?
86
+
87
+ ### 6. Evidence Review
88
+
89
+ Checks whether the final claim is supported.
90
+
91
+ Questions:
92
+
93
+ - Is the status result, verified, or accepted according to `references/evidence-taxonomy.md`?
94
+ - Is residual risk recorded?
95
+ - Is a forward test required by `references/forward-test.md`?
96
+ - Are tool statuses documented, verified, unknown, or unavailable without exaggeration?
97
+
98
+ ## Review Output
99
+
100
+ Use this concise format:
101
+
102
+ ```text
103
+ Review type: spec compliance | code quality | architecture drift | security/privacy | regression/missing-test | evidence
104
+ Verdict: approve | request changes | needs context | not applicable
105
+ Severity: critical | important | suggestion | note
106
+ Findings:
107
+ Evidence checked:
108
+ Required fixes:
109
+ Deferred risks:
110
+ ```
111
+
112
+ For no-issue reviews, say which axes were checked. Do not rubber-stamp with only `LGTM`.
113
+
114
+ ## Severity Rules
115
+
116
+ - `critical`: security issue, data loss, broken main path, destructive operation, irreversible release risk.
117
+ - `important`: likely bug, missing acceptance evidence, meaningful architecture drift, missing regression coverage.
118
+ - `suggestion`: improvement that is useful but not required for this slice.
119
+ - `note`: context for future work, no action required.
120
+
121
+ ## Multi-Agent Review Order
122
+
123
+ When using real subagents or sequential role simulation:
124
+
125
+ 1. Builder reports files changed and verification run.
126
+ 2. Spec compliance review checks scope and acceptance first.
127
+ 3. Code quality review checks maintainability and risks second.
128
+ 4. QA/evidence review confirms the verification story.
129
+ 5. Coordinator integrates findings and decides final status.
130
+
131
+ Do not start code-quality approval before unresolved spec compliance issues are addressed.
132
+
133
+ ## Project Integration
134
+
135
+ - `references/agent-roles.md` defines Reviewer and QA responsibilities.
136
+ - `assets/templates/dispatch-packet.md` records whether spec compliance, code quality, QA/evidence, and coordinator review are required.
137
+ - `references/architecture-health.md` defines structural scan triggers, scope levels, findings, risks, decisions, and follow-up slices.
138
+ - `references/quality-gates.md` decides when review is required by risk.
139
+ - `references/domain-quality-gates.md` selects security/privacy, performance/cost, accessibility, resilience/recovery, UI/browser, API/state, data/migration, model/tool routing, and release/operations gates by domain risk.
140
+ - `references/evidence-taxonomy.md` decides whether a reviewed result is verified or accepted.
141
+ - `.gse/project-profile.md` can add project-specific review standards, owners, or required commands.