@t275005746/gse 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -42
- package/.github/ISSUE_TEMPLATE/change_request.yml +50 -50
- package/.github/ISSUE_TEMPLATE/config.yml +5 -5
- package/.github/PULL_REQUEST_TEMPLATE.md +38 -38
- package/.github/workflows/validate-gse.yml +33 -33
- package/.gse/README.md +18 -18
- package/.gse/gse-development-protocol.md +50 -50
- package/.gse/project-profile.md +29 -29
- package/.gse/quality-gates.md +25 -25
- package/.gse/releases/public-registry-publication-npm.md +49 -0
- package/.gse/releases/public-release-owner-required.md +65 -65
- package/.gse/releases/public-security-contact-owner-required.md +45 -45
- package/.gse/state.json +3 -4
- package/CHANGELOG.md +24 -24
- package/CONTRIBUTING.md +64 -64
- package/LICENSE +21 -21
- package/README.md +1 -1
- package/README.zh-CN.md +1 -1
- package/SECURITY.md +41 -41
- package/SUPPORT.md +38 -38
- package/assets/marketplace/README.md +7 -7
- package/assets/marketplace/gse-listing.json +75 -75
- package/assets/templates/acceptance-execution-packet.md +73 -73
- package/assets/templates/adr.md +14 -14
- package/assets/templates/change-brief.md +16 -16
- package/assets/templates/design.md +18 -18
- package/assets/templates/dispatch-packet.md +104 -104
- package/assets/templates/evidence.md +14 -14
- package/assets/templates/execution-quality-pack.md +65 -65
- package/assets/templates/goal-map.md +21 -21
- package/assets/templates/host-adapter.md +48 -48
- package/assets/templates/host-ui-invocation-record.md +42 -42
- package/assets/templates/incident-review.md +60 -60
- package/assets/templates/public-channel-publication-record.md +49 -49
- package/assets/templates/public-ci-run-record.md +53 -53
- package/assets/templates/public-release-record.md +65 -65
- package/assets/templates/public-repository-settings-record.md +59 -59
- package/assets/templates/public-security-contact-record.md +45 -45
- package/assets/templates/release-trust-record.md +32 -32
- package/assets/templates/review.md +18 -18
- package/assets/templates/spec.md +16 -16
- package/assets/templates/target-adoption-evidence.md +29 -29
- package/assets/templates/tasks.md +17 -17
- package/assets/templates/update-release-acceptance-record.md +58 -58
- package/examples/README.md +22 -22
- package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -6
- package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -7
- package/examples/agent-runtime-host/.gse/goal-map.md +7 -7
- package/examples/agent-runtime-host/.gse/project-profile.md +27 -27
- package/examples/agent-runtime-host/.gse/tooling.md +5 -5
- package/examples/agent-runtime-host/.mcp.json +9 -9
- package/examples/agent-runtime-host/AGENTS.md +5 -5
- package/examples/agent-runtime-host/README.md +10 -10
- package/examples/agent-runtime-host/docs/model-routing.md +5 -5
- package/examples/cli-tool/.gse/project-profile.md +21 -21
- package/examples/cli-tool/AGENTS.md +5 -5
- package/examples/cli-tool/README.md +12 -12
- package/examples/cli-tool/package.json +21 -21
- package/examples/small-app/.env.example +2 -2
- package/examples/small-app/.github/workflows/ci.yml +8 -8
- package/examples/small-app/AGENTS.md +5 -5
- package/examples/small-app/README.md +12 -12
- package/examples/small-app/package.json +26 -26
- package/examples/small-app/playwright.config.ts +4 -4
- package/package.json +53 -53
- package/references/adoption-recipes.md +171 -171
- package/references/agent-roles.md +49 -49
- package/references/architecture-health.md +101 -101
- package/references/benchmark-audit.md +73 -73
- package/references/community-channels.md +46 -46
- package/references/compatibility.md +70 -70
- package/references/design-basis.md +38 -38
- package/references/domain-model.md +129 -129
- package/references/domain-quality-gates.md +75 -75
- package/references/drift-audit.md +81 -81
- package/references/evidence-taxonomy.md +123 -123
- package/references/file-ownership.md +107 -107
- package/references/final-readiness.md +84 -84
- package/references/forward-test.md +133 -133
- package/references/goal-map.md +36 -36
- package/references/host-adapters.md +119 -119
- package/references/learning-system.md +35 -35
- package/references/marketplace-discovery.md +46 -46
- package/references/model-routing.md +103 -103
- package/references/open-source-defaults.md +39 -39
- package/references/operating-model.md +52 -52
- package/references/packaging.md +277 -277
- package/references/project-agent-workspace.md +89 -89
- package/references/project-bootstrap.md +122 -122
- package/references/project-profile.md +57 -57
- package/references/public-release.md +174 -174
- package/references/quality-gates.md +100 -100
- package/references/recovery.md +176 -176
- package/references/release-trust.md +43 -43
- package/references/release.md +126 -126
- package/references/review.md +141 -141
- package/references/router.md +90 -90
- package/references/spec-workflow.md +66 -66
- package/references/task-levels.md +81 -81
- package/references/tool-adapters.md +73 -73
- package/scripts/audit-acceptance-execution-packet.mjs +133 -133
- package/scripts/audit-adoption-recipes.mjs +99 -99
- package/scripts/audit-change-lifecycle.mjs +77 -77
- package/scripts/audit-change-system.mjs +134 -134
- package/scripts/audit-ci-readiness.mjs +107 -107
- package/scripts/audit-close-gate.mjs +323 -323
- package/scripts/audit-command-adapters.mjs +91 -91
- package/scripts/audit-command-execution.mjs +210 -210
- package/scripts/audit-compatibility.mjs +149 -149
- package/scripts/audit-completion-readiness.mjs +292 -292
- package/scripts/audit-distribution.mjs +251 -251
- package/scripts/audit-domain-quality-gates.mjs +108 -108
- package/scripts/audit-evidence-placeholders.mjs +126 -126
- package/scripts/audit-final-readiness-promotion.mjs +255 -255
- package/scripts/audit-final-readiness.mjs +226 -226
- package/scripts/audit-fixtures.mjs +154 -154
- package/scripts/audit-fresh-session-readiness.mjs +177 -177
- package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -159
- package/scripts/audit-host-runtime-invocation-drill.mjs +240 -240
- package/scripts/audit-host-runtime-invocations.mjs +254 -254
- package/scripts/audit-host-ui-invocation.mjs +132 -132
- package/scripts/audit-marketplace-discovery.mjs +122 -122
- package/scripts/audit-npm-package-metadata.mjs +155 -155
- package/scripts/audit-npm-publish-dry-run.mjs +191 -169
- package/scripts/audit-npm-tarball-install.mjs +191 -191
- package/scripts/audit-open-source-defaults.mjs +92 -92
- package/scripts/audit-open-source-readiness.mjs +97 -97
- package/scripts/audit-project.mjs +138 -138
- package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -203
- package/scripts/audit-public-acceptance-readiness.mjs +224 -224
- package/scripts/audit-public-channel-publication.mjs +248 -248
- package/scripts/audit-public-ci-run.mjs +184 -184
- package/scripts/audit-public-collaboration-templates.mjs +98 -98
- package/scripts/audit-public-external-gate-probe.mjs +206 -206
- package/scripts/audit-public-release-decision.mjs +201 -201
- package/scripts/audit-public-release-metadata.mjs +176 -176
- package/scripts/audit-public-repository-settings.mjs +237 -237
- package/scripts/audit-public-security-contact.mjs +171 -171
- package/scripts/audit-readme-docs.mjs +6 -4
- package/scripts/audit-recovery-readiness.mjs +98 -98
- package/scripts/audit-release-readiness.mjs +106 -106
- package/scripts/audit-release-trust.mjs +62 -62
- package/scripts/audit-remote-distribution.mjs +266 -266
- package/scripts/audit-roadmap-consistency.mjs +235 -235
- package/scripts/audit-signing.mjs +147 -147
- package/scripts/audit-state-freshness.mjs +14 -9
- package/scripts/audit-target-adoption-evidence.mjs +117 -117
- package/scripts/audit-target-project.mjs +507 -507
- package/scripts/audit-update-release-acceptance.mjs +136 -136
- package/scripts/audit-v1-target-validation.mjs +269 -269
- package/scripts/audit-validation-profiles.mjs +125 -125
- package/scripts/close-change.mjs +116 -116
- package/scripts/discover-project-profile.mjs +307 -307
- package/scripts/generate-command-adapter.mjs +231 -231
- package/scripts/generate-final-acceptance-packet.mjs +181 -181
- package/scripts/generate-final-form-progress-report.mjs +205 -205
- package/scripts/generate-host-runtime-evidence-handoff.mjs +206 -206
- package/scripts/generate-owner-external-gate-kit.mjs +295 -295
- package/scripts/generate-public-acceptance-handoff.mjs +168 -168
- package/scripts/generate-public-release-checklist.mjs +207 -207
- package/scripts/generate-release-bundle.mjs +505 -505
- package/scripts/generate-release-owner-action-plan.mjs +172 -172
- package/scripts/generate-release-status-manifest.mjs +200 -200
- package/scripts/generate-session-prompt.mjs +188 -188
- package/scripts/gse.mjs +67 -67
- package/scripts/init-change.mjs +265 -265
- package/scripts/init-project.mjs +785 -785
- package/scripts/install-gse.mjs +234 -234
- package/scripts/lib/evidence-placeholders.mjs +28 -28
- package/scripts/package-gse.mjs +174 -174
- package/scripts/probe-public-external-gates.mjs +167 -167
- package/scripts/record-host-invocation.mjs +151 -151
- package/scripts/record-public-channel-publication.mjs +178 -178
- package/scripts/record-public-ci-run.mjs +180 -180
- package/scripts/record-public-release.mjs +175 -175
- package/scripts/record-public-repository-settings.mjs +209 -209
- package/scripts/record-public-security-contact.mjs +157 -157
- package/scripts/sign-gse-package.mjs +83 -83
- package/scripts/update-project-state.mjs +223 -223
- package/scripts/verify-gse-package.mjs +85 -85
|
@@ -1,65 +1,65 @@
|
|
|
1
|
-
# Public Release Record
|
|
2
|
-
|
|
3
|
-
Release name: GSE
|
|
4
|
-
|
|
5
|
-
Release version or label: public-defaults
|
|
6
|
-
|
|
7
|
-
Release date: 2026-07-06
|
|
8
|
-
|
|
9
|
-
Distribution channel: github-public-repo-and-release-planned
|
|
10
|
-
|
|
11
|
-
Release scope: GSE public release metadata and distribution readiness
|
|
12
|
-
|
|
13
|
-
## License
|
|
14
|
-
|
|
15
|
-
License status: selected
|
|
16
|
-
|
|
17
|
-
SPDX identifier: MIT
|
|
18
|
-
|
|
19
|
-
License file: LICENSE
|
|
20
|
-
|
|
21
|
-
Approved by: owner-confirmed-in-current-codex-thread
|
|
22
|
-
|
|
23
|
-
Decision date: 2026-07-07
|
|
24
|
-
|
|
25
|
-
Notes: Owner-selected license decision recorded.
|
|
26
|
-
|
|
27
|
-
## Artifacts
|
|
28
|
-
|
|
29
|
-
Package or source path: <install-skill-dir>
|
|
30
|
-
|
|
31
|
-
Changelog path: CHANGELOG.md
|
|
32
|
-
|
|
33
|
-
Install/update instructions: references/packaging.md
|
|
34
|
-
|
|
35
|
-
Integrity or signing record: references/release-trust.md
|
|
36
|
-
|
|
37
|
-
Marketplace/catalog record: references/marketplace-discovery.md
|
|
38
|
-
|
|
39
|
-
## Verification
|
|
40
|
-
|
|
41
|
-
Validation command: node scripts/validate-gse.mjs --root <skill> --json
|
|
42
|
-
|
|
43
|
-
Validation result: pending current run
|
|
44
|
-
|
|
45
|
-
Focused smoke: scripts/audit-public-release-metadata.mjs
|
|
46
|
-
|
|
47
|
-
Acceptance evidence: Owner license decision accepted; public release still requires remaining public and host evidence.
|
|
48
|
-
|
|
49
|
-
## Risks
|
|
50
|
-
|
|
51
|
-
Known unsupported claims: public marketplace approval, public registry publication, legal suitability, and host-native slash-command runtime support are not implied by this record.
|
|
52
|
-
|
|
53
|
-
Known compatibility limits: host behavior must be verified per host runtime.
|
|
54
|
-
|
|
55
|
-
Rollback or unpublish path: remove public listing/package and publish corrected release record.
|
|
56
|
-
|
|
57
|
-
## Acceptance
|
|
58
|
-
|
|
59
|
-
Evidence status: accepted
|
|
60
|
-
|
|
61
|
-
Accepted by: owner-confirmed-in-current-codex-thread
|
|
62
|
-
|
|
63
|
-
Accepted at: 2026-07-07
|
|
64
|
-
|
|
65
|
-
Next action: Run release validation and preserve acceptance evidence.
|
|
1
|
+
# Public Release Record
|
|
2
|
+
|
|
3
|
+
Release name: GSE
|
|
4
|
+
|
|
5
|
+
Release version or label: public-defaults
|
|
6
|
+
|
|
7
|
+
Release date: 2026-07-06
|
|
8
|
+
|
|
9
|
+
Distribution channel: github-public-repo-and-release-planned
|
|
10
|
+
|
|
11
|
+
Release scope: GSE public release metadata and distribution readiness
|
|
12
|
+
|
|
13
|
+
## License
|
|
14
|
+
|
|
15
|
+
License status: selected
|
|
16
|
+
|
|
17
|
+
SPDX identifier: MIT
|
|
18
|
+
|
|
19
|
+
License file: LICENSE
|
|
20
|
+
|
|
21
|
+
Approved by: owner-confirmed-in-current-codex-thread
|
|
22
|
+
|
|
23
|
+
Decision date: 2026-07-07
|
|
24
|
+
|
|
25
|
+
Notes: Owner-selected license decision recorded.
|
|
26
|
+
|
|
27
|
+
## Artifacts
|
|
28
|
+
|
|
29
|
+
Package or source path: <install-skill-dir>
|
|
30
|
+
|
|
31
|
+
Changelog path: CHANGELOG.md
|
|
32
|
+
|
|
33
|
+
Install/update instructions: references/packaging.md
|
|
34
|
+
|
|
35
|
+
Integrity or signing record: references/release-trust.md
|
|
36
|
+
|
|
37
|
+
Marketplace/catalog record: references/marketplace-discovery.md
|
|
38
|
+
|
|
39
|
+
## Verification
|
|
40
|
+
|
|
41
|
+
Validation command: node scripts/validate-gse.mjs --root <skill> --json
|
|
42
|
+
|
|
43
|
+
Validation result: pending current run
|
|
44
|
+
|
|
45
|
+
Focused smoke: scripts/audit-public-release-metadata.mjs
|
|
46
|
+
|
|
47
|
+
Acceptance evidence: Owner license decision accepted; public release still requires remaining public and host evidence.
|
|
48
|
+
|
|
49
|
+
## Risks
|
|
50
|
+
|
|
51
|
+
Known unsupported claims: public marketplace approval, public registry publication, legal suitability, and host-native slash-command runtime support are not implied by this record.
|
|
52
|
+
|
|
53
|
+
Known compatibility limits: host behavior must be verified per host runtime.
|
|
54
|
+
|
|
55
|
+
Rollback or unpublish path: remove public listing/package and publish corrected release record.
|
|
56
|
+
|
|
57
|
+
## Acceptance
|
|
58
|
+
|
|
59
|
+
Evidence status: accepted
|
|
60
|
+
|
|
61
|
+
Accepted by: owner-confirmed-in-current-codex-thread
|
|
62
|
+
|
|
63
|
+
Accepted at: 2026-07-07
|
|
64
|
+
|
|
65
|
+
Next action: Run release validation and preserve acceptance evidence.
|
|
@@ -1,45 +1,45 @@
|
|
|
1
|
-
# Public Security Contact Record
|
|
2
|
-
|
|
3
|
-
Contact status: accepted
|
|
4
|
-
|
|
5
|
-
Contact type: url
|
|
6
|
-
|
|
7
|
-
Contact value: https://github.com/275005746/gse/blob/main/SECURITY.md
|
|
8
|
-
|
|
9
|
-
Policy path: `SECURITY.md`
|
|
10
|
-
|
|
11
|
-
Evidence owner: 275005746
|
|
12
|
-
|
|
13
|
-
Evidence date: 2026-07-07
|
|
14
|
-
|
|
15
|
-
Evidence URL or run id: https://github.com/275005746/gse/blob/main/SECURITY.md
|
|
16
|
-
|
|
17
|
-
## Public Disclosure Policy
|
|
18
|
-
|
|
19
|
-
- Is this contact public? true
|
|
20
|
-
- Security policy updated? true
|
|
21
|
-
- Private fallback channel: owner private coordination channel
|
|
22
|
-
- Response expectation: pending owner policy
|
|
23
|
-
- Embargo or disclosure notes: Do not publish exploit details until the public contact is owner-accepted.
|
|
24
|
-
|
|
25
|
-
## Verification
|
|
26
|
-
|
|
27
|
-
Verification command: node scripts/audit-open-source-readiness.mjs --root . --json
|
|
28
|
-
|
|
29
|
-
Verification result: pending
|
|
30
|
-
|
|
31
|
-
## Acceptance
|
|
32
|
-
|
|
33
|
-
Evidence status: accepted
|
|
34
|
-
|
|
35
|
-
Accepted by: 275005746
|
|
36
|
-
|
|
37
|
-
Accepted at: 2026-07-07
|
|
38
|
-
|
|
39
|
-
## Residual Risk
|
|
40
|
-
|
|
41
|
-
- Public security contact is not accepted until owner evidence is attached.
|
|
42
|
-
|
|
43
|
-
## Next Action
|
|
44
|
-
|
|
45
|
-
- Attach owner-approved public security contact evidence and re-run final readiness.
|
|
1
|
+
# Public Security Contact Record
|
|
2
|
+
|
|
3
|
+
Contact status: accepted
|
|
4
|
+
|
|
5
|
+
Contact type: url
|
|
6
|
+
|
|
7
|
+
Contact value: https://github.com/275005746/gse/blob/main/SECURITY.md
|
|
8
|
+
|
|
9
|
+
Policy path: `SECURITY.md`
|
|
10
|
+
|
|
11
|
+
Evidence owner: 275005746
|
|
12
|
+
|
|
13
|
+
Evidence date: 2026-07-07
|
|
14
|
+
|
|
15
|
+
Evidence URL or run id: https://github.com/275005746/gse/blob/main/SECURITY.md
|
|
16
|
+
|
|
17
|
+
## Public Disclosure Policy
|
|
18
|
+
|
|
19
|
+
- Is this contact public? true
|
|
20
|
+
- Security policy updated? true
|
|
21
|
+
- Private fallback channel: owner private coordination channel
|
|
22
|
+
- Response expectation: pending owner policy
|
|
23
|
+
- Embargo or disclosure notes: Do not publish exploit details until the public contact is owner-accepted.
|
|
24
|
+
|
|
25
|
+
## Verification
|
|
26
|
+
|
|
27
|
+
Verification command: node scripts/audit-open-source-readiness.mjs --root . --json
|
|
28
|
+
|
|
29
|
+
Verification result: pending
|
|
30
|
+
|
|
31
|
+
## Acceptance
|
|
32
|
+
|
|
33
|
+
Evidence status: accepted
|
|
34
|
+
|
|
35
|
+
Accepted by: 275005746
|
|
36
|
+
|
|
37
|
+
Accepted at: 2026-07-07
|
|
38
|
+
|
|
39
|
+
## Residual Risk
|
|
40
|
+
|
|
41
|
+
- Public security contact is not accepted until owner evidence is attached.
|
|
42
|
+
|
|
43
|
+
## Next Action
|
|
44
|
+
|
|
45
|
+
- Attach owner-approved public security contact evidence and re-run final readiness.
|
package/.gse/state.json
CHANGED
|
@@ -6,9 +6,9 @@
|
|
|
6
6
|
"phase": "release",
|
|
7
7
|
"currentSlice": {
|
|
8
8
|
"id": "GSE-108-public-registry-publication",
|
|
9
|
-
"outcome": "Complete the real public registry publication gate for @t275005746/gse, then record accepted publication evidence.",
|
|
10
|
-
"status": "
|
|
11
|
-
"nextAction": "
|
|
9
|
+
"outcome": "Complete the real public registry publication gate for @t275005746/gse, then record accepted publication evidence.",
|
|
10
|
+
"status": "verified",
|
|
11
|
+
"nextAction": "Collect real native slash-command host evidence for /gse continue, record it as accepted host invocation evidence, then re-run the public acceptance doctor."
|
|
12
12
|
},
|
|
13
13
|
"toolStatuses": {
|
|
14
14
|
"browser": "unknown",
|
|
@@ -19,7 +19,6 @@
|
|
|
19
19
|
},
|
|
20
20
|
"lastEvidence": ".gse/evidence/2026-07-07.md",
|
|
21
21
|
"residualRisks": [
|
|
22
|
-
"Public registry publication remains external-required because @t275005746/gse is not yet published on npm.",
|
|
23
22
|
"Native slash-command support remains external-required until a real host runtime proves native /gse invocation with accepted evidence.",
|
|
24
23
|
"Do not treat portable text-command routing, generated command pointers, package dry-runs, local tarball installs, or release bundles as public registry publication or native slash-command evidence.",
|
|
25
24
|
"Use /gse doctor and audit-public-acceptance-readiness.mjs as the current source of truth for pending final-form gates."
|
package/CHANGELOG.md
CHANGED
|
@@ -1,24 +1,24 @@
|
|
|
1
|
-
# Changelog
|
|
2
|
-
|
|
3
|
-
All notable GSE changes should be recorded here before a public package, catalog entry, or release handoff is marked ready.
|
|
4
|
-
|
|
5
|
-
## Unreleased
|
|
6
|
-
|
|
7
|
-
### Added
|
|
8
|
-
|
|
9
|
-
- Project bootstrap modes for Lite, Standard, and Enterprise `.gse/` scaffolds.
|
|
10
|
-
- Native Goal-Spec-Evidence operating model with change packs, execution-quality packs, evidence taxonomy, close gates, and target project audits.
|
|
11
|
-
- Portable `/gse` command semantics plus a host-neutral command runner.
|
|
12
|
-
- Local package/install, URL install with manifest integrity, Ed25519 signing, verification, and signed install audits.
|
|
13
|
-
- Release trust, marketplace discovery metadata, host invocation evidence records, and public-release metadata guidance.
|
|
14
|
-
|
|
15
|
-
### Verified
|
|
16
|
-
|
|
17
|
-
- `validate-gse.mjs` consolidates structural, project bootstrap, adoption, host adapter, compatibility, release, distribution, signing, command, target validation, and lifecycle audits.
|
|
18
|
-
- AION and MuseFlow were used as real long-running target-project validation fixtures for GSE adoption checks.
|
|
19
|
-
|
|
20
|
-
### Not Yet Accepted
|
|
21
|
-
|
|
22
|
-
- Public registry publication and marketplace approval are not verified.
|
|
23
|
-
- Host-native slash-command execution is not verified except where a host-specific record explicitly says so.
|
|
24
|
-
- Open-source license selection remains an owner decision and must be recorded before a public release is accepted.
|
|
1
|
+
# Changelog
|
|
2
|
+
|
|
3
|
+
All notable GSE changes should be recorded here before a public package, catalog entry, or release handoff is marked ready.
|
|
4
|
+
|
|
5
|
+
## Unreleased
|
|
6
|
+
|
|
7
|
+
### Added
|
|
8
|
+
|
|
9
|
+
- Project bootstrap modes for Lite, Standard, and Enterprise `.gse/` scaffolds.
|
|
10
|
+
- Native Goal-Spec-Evidence operating model with change packs, execution-quality packs, evidence taxonomy, close gates, and target project audits.
|
|
11
|
+
- Portable `/gse` command semantics plus a host-neutral command runner.
|
|
12
|
+
- Local package/install, URL install with manifest integrity, Ed25519 signing, verification, and signed install audits.
|
|
13
|
+
- Release trust, marketplace discovery metadata, host invocation evidence records, and public-release metadata guidance.
|
|
14
|
+
|
|
15
|
+
### Verified
|
|
16
|
+
|
|
17
|
+
- `validate-gse.mjs` consolidates structural, project bootstrap, adoption, host adapter, compatibility, release, distribution, signing, command, target validation, and lifecycle audits.
|
|
18
|
+
- AION and MuseFlow were used as real long-running target-project validation fixtures for GSE adoption checks.
|
|
19
|
+
|
|
20
|
+
### Not Yet Accepted
|
|
21
|
+
|
|
22
|
+
- Public registry publication and marketplace approval are not verified.
|
|
23
|
+
- Host-native slash-command execution is not verified except where a host-specific record explicitly says so.
|
|
24
|
+
- Open-source license selection remains an owner decision and must be recorded before a public release is accepted.
|
package/CONTRIBUTING.md
CHANGED
|
@@ -1,64 +1,64 @@
|
|
|
1
|
-
# Contributing to GSE
|
|
2
|
-
|
|
3
|
-
Thanks for helping improve GSE.
|
|
4
|
-
|
|
5
|
-
GSE is a workflow skill and project scaffold for agent-assisted software engineering. Contributions should make long-running project work more explicit, verifiable, portable, or easier to recover.
|
|
6
|
-
|
|
7
|
-
## What To Contribute
|
|
8
|
-
|
|
9
|
-
Good contributions usually fit one of these paths:
|
|
10
|
-
|
|
11
|
-
- Improve the Goal -> Spec -> Execute -> Evidence -> Learn workflow.
|
|
12
|
-
- Add or tighten an audit script.
|
|
13
|
-
- Improve project scaffold templates.
|
|
14
|
-
- Clarify host adapter boundaries.
|
|
15
|
-
- Add examples that prove a workflow in a small, reproducible project.
|
|
16
|
-
- Fix documentation that overstates support or leaves future agents guessing.
|
|
17
|
-
|
|
18
|
-
Avoid changes that make optional tools mandatory unless there is a clear fallback path.
|
|
19
|
-
|
|
20
|
-
## Development Rules
|
|
21
|
-
|
|
22
|
-
- Keep `SKILL.md` short and route details into `references/`.
|
|
23
|
-
- Prefer scripts and templates over repeated prose when behavior must be repeatable.
|
|
24
|
-
- Do not claim support for a host, marketplace, model, MCP server, subagent, or slash command unless there is evidence.
|
|
25
|
-
- Keep evidence statuses honest: `result`, `verified`, or `accepted`.
|
|
26
|
-
- Do not choose a public license on behalf of the owner. Use `references/public-release.md` and `scripts/record-public-release.mjs`.
|
|
27
|
-
|
|
28
|
-
## Validation
|
|
29
|
-
|
|
30
|
-
Before proposing a change, run:
|
|
31
|
-
|
|
32
|
-
```text
|
|
33
|
-
node scripts/validate-gse.mjs --root <gse-root> --json
|
|
34
|
-
```
|
|
35
|
-
|
|
36
|
-
For packaging or install behavior, also run:
|
|
37
|
-
|
|
38
|
-
```text
|
|
39
|
-
node scripts/audit-distribution.mjs --root <gse-root> --json
|
|
40
|
-
node scripts/audit-remote-distribution.mjs --root <gse-root> --json
|
|
41
|
-
```
|
|
42
|
-
|
|
43
|
-
For public release handoff, also run:
|
|
44
|
-
|
|
45
|
-
```text
|
|
46
|
-
node scripts/audit-release-bundle.mjs --root <gse-root> --json
|
|
47
|
-
node scripts/audit-public-release-metadata.mjs --root <gse-root> --json
|
|
48
|
-
```
|
|
49
|
-
|
|
50
|
-
## Evidence
|
|
51
|
-
|
|
52
|
-
Record meaningful changes in `.gse/evidence/YYYY-MM-DD.md` and append a compact record to `.gse/evidence/index.jsonl`.
|
|
53
|
-
|
|
54
|
-
Do not paste secrets, raw provider payloads, private reasoning, long command logs, screenshots, or noisy transient output into evidence files.
|
|
55
|
-
|
|
56
|
-
## Review
|
|
57
|
-
|
|
58
|
-
Review should check:
|
|
59
|
-
|
|
60
|
-
- The change maps to `.gse/goal-map.md` or the design master plan.
|
|
61
|
-
- Scope did not expand silently.
|
|
62
|
-
- Validation covers the changed behavior.
|
|
63
|
-
- Unsupported claims remain explicit.
|
|
64
|
-
- Installed-copy validation still passes when package behavior changes.
|
|
1
|
+
# Contributing to GSE
|
|
2
|
+
|
|
3
|
+
Thanks for helping improve GSE.
|
|
4
|
+
|
|
5
|
+
GSE is a workflow skill and project scaffold for agent-assisted software engineering. Contributions should make long-running project work more explicit, verifiable, portable, or easier to recover.
|
|
6
|
+
|
|
7
|
+
## What To Contribute
|
|
8
|
+
|
|
9
|
+
Good contributions usually fit one of these paths:
|
|
10
|
+
|
|
11
|
+
- Improve the Goal -> Spec -> Execute -> Evidence -> Learn workflow.
|
|
12
|
+
- Add or tighten an audit script.
|
|
13
|
+
- Improve project scaffold templates.
|
|
14
|
+
- Clarify host adapter boundaries.
|
|
15
|
+
- Add examples that prove a workflow in a small, reproducible project.
|
|
16
|
+
- Fix documentation that overstates support or leaves future agents guessing.
|
|
17
|
+
|
|
18
|
+
Avoid changes that make optional tools mandatory unless there is a clear fallback path.
|
|
19
|
+
|
|
20
|
+
## Development Rules
|
|
21
|
+
|
|
22
|
+
- Keep `SKILL.md` short and route details into `references/`.
|
|
23
|
+
- Prefer scripts and templates over repeated prose when behavior must be repeatable.
|
|
24
|
+
- Do not claim support for a host, marketplace, model, MCP server, subagent, or slash command unless there is evidence.
|
|
25
|
+
- Keep evidence statuses honest: `result`, `verified`, or `accepted`.
|
|
26
|
+
- Do not choose a public license on behalf of the owner. Use `references/public-release.md` and `scripts/record-public-release.mjs`.
|
|
27
|
+
|
|
28
|
+
## Validation
|
|
29
|
+
|
|
30
|
+
Before proposing a change, run:
|
|
31
|
+
|
|
32
|
+
```text
|
|
33
|
+
node scripts/validate-gse.mjs --root <gse-root> --json
|
|
34
|
+
```
|
|
35
|
+
|
|
36
|
+
For packaging or install behavior, also run:
|
|
37
|
+
|
|
38
|
+
```text
|
|
39
|
+
node scripts/audit-distribution.mjs --root <gse-root> --json
|
|
40
|
+
node scripts/audit-remote-distribution.mjs --root <gse-root> --json
|
|
41
|
+
```
|
|
42
|
+
|
|
43
|
+
For public release handoff, also run:
|
|
44
|
+
|
|
45
|
+
```text
|
|
46
|
+
node scripts/audit-release-bundle.mjs --root <gse-root> --json
|
|
47
|
+
node scripts/audit-public-release-metadata.mjs --root <gse-root> --json
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
## Evidence
|
|
51
|
+
|
|
52
|
+
Record meaningful changes in `.gse/evidence/YYYY-MM-DD.md` and append a compact record to `.gse/evidence/index.jsonl`.
|
|
53
|
+
|
|
54
|
+
Do not paste secrets, raw provider payloads, private reasoning, long command logs, screenshots, or noisy transient output into evidence files.
|
|
55
|
+
|
|
56
|
+
## Review
|
|
57
|
+
|
|
58
|
+
Review should check:
|
|
59
|
+
|
|
60
|
+
- The change maps to `.gse/goal-map.md` or the design master plan.
|
|
61
|
+
- Scope did not expand silently.
|
|
62
|
+
- Validation covers the changed behavior.
|
|
63
|
+
- Unsupported claims remain explicit.
|
|
64
|
+
- Installed-copy validation still passes when package behavior changes.
|
package/LICENSE
CHANGED
|
@@ -1,21 +1,21 @@
|
|
|
1
|
-
MIT License
|
|
2
|
-
|
|
3
|
-
Copyright (c) 2026 GSE contributors
|
|
4
|
-
|
|
5
|
-
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
-
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
-
in the Software without restriction, including without limitation the rights
|
|
8
|
-
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
-
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
-
furnished to do so, subject to the following conditions:
|
|
11
|
-
|
|
12
|
-
The above copyright notice and this permission notice shall be included in all
|
|
13
|
-
copies or substantial portions of the Software.
|
|
14
|
-
|
|
15
|
-
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
-
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
-
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
-
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
-
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
-
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
-
SOFTWARE.
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 GSE contributors
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
package/README.md
CHANGED
package/README.zh-CN.md
CHANGED
package/SECURITY.md
CHANGED
|
@@ -1,41 +1,41 @@
|
|
|
1
|
-
# Security Policy
|
|
2
|
-
|
|
3
|
-
GSE is an agent workflow skill and scaffold. Security reports may involve scripts, generated project files, host adapters, package/install behavior, signing, release trust, or documentation that could cause unsafe claims.
|
|
4
|
-
|
|
5
|
-
## Supported Scope
|
|
6
|
-
|
|
7
|
-
Security-relevant areas include:
|
|
8
|
-
|
|
9
|
-
- Package, install, URL install, manifest integrity, signing, and verification scripts.
|
|
10
|
-
- Generated host adapters and command pointers.
|
|
11
|
-
- Tool permission guidance, MCP/tool routing guidance, and release trust policy.
|
|
12
|
-
- Evidence, logs, and templates that could leak secrets or raw provider payloads.
|
|
13
|
-
- Documentation that could cause agents to bypass owner approval, license decisions, or unsupported host boundaries.
|
|
14
|
-
|
|
15
|
-
## Reporting
|
|
16
|
-
|
|
17
|
-
Until a public security contact is chosen, do not publish exploit details in public issues.
|
|
18
|
-
|
|
19
|
-
Use the project owner's private reporting channel. If no channel exists, record the issue privately in the maintainers' current coordination channel and mark the public release status as blocked until a contact path exists.
|
|
20
|
-
|
|
21
|
-
Minimum report contents:
|
|
22
|
-
|
|
23
|
-
- Affected GSE version, release label, or commit.
|
|
24
|
-
- Affected file or generated artifact.
|
|
25
|
-
- Reproduction steps.
|
|
26
|
-
- Impact and likely affected users or hosts.
|
|
27
|
-
- Whether secrets, credentials, private prompts, provider payloads, or user data are involved.
|
|
28
|
-
- Suggested mitigation if known.
|
|
29
|
-
|
|
30
|
-
## Handling
|
|
31
|
-
|
|
32
|
-
- Do not claim a fix is verified until a focused reproduction or audit proves the changed behavior.
|
|
33
|
-
- Do not publish a release if signing, package integrity, or owner trust evidence is contradicted.
|
|
34
|
-
- If a public package may be affected, use `references/release-trust.md` and `assets/templates/release-trust-record.md` to record revocation, rotation, and follow-up.
|
|
35
|
-
- If a project-local GSE scaffold is affected, notify the affected project session or maintainer with the exact files and validation commands.
|
|
36
|
-
|
|
37
|
-
## Current Limits
|
|
38
|
-
|
|
39
|
-
- No public vulnerability disclosure address has been owner-approved yet.
|
|
40
|
-
- Public marketplace approval and registry publication are not verified.
|
|
41
|
-
- Host-native slash-command support is not verified unless a host-specific invocation record exists.
|
|
1
|
+
# Security Policy
|
|
2
|
+
|
|
3
|
+
GSE is an agent workflow skill and scaffold. Security reports may involve scripts, generated project files, host adapters, package/install behavior, signing, release trust, or documentation that could cause unsafe claims.
|
|
4
|
+
|
|
5
|
+
## Supported Scope
|
|
6
|
+
|
|
7
|
+
Security-relevant areas include:
|
|
8
|
+
|
|
9
|
+
- Package, install, URL install, manifest integrity, signing, and verification scripts.
|
|
10
|
+
- Generated host adapters and command pointers.
|
|
11
|
+
- Tool permission guidance, MCP/tool routing guidance, and release trust policy.
|
|
12
|
+
- Evidence, logs, and templates that could leak secrets or raw provider payloads.
|
|
13
|
+
- Documentation that could cause agents to bypass owner approval, license decisions, or unsupported host boundaries.
|
|
14
|
+
|
|
15
|
+
## Reporting
|
|
16
|
+
|
|
17
|
+
Until a public security contact is chosen, do not publish exploit details in public issues.
|
|
18
|
+
|
|
19
|
+
Use the project owner's private reporting channel. If no channel exists, record the issue privately in the maintainers' current coordination channel and mark the public release status as blocked until a contact path exists.
|
|
20
|
+
|
|
21
|
+
Minimum report contents:
|
|
22
|
+
|
|
23
|
+
- Affected GSE version, release label, or commit.
|
|
24
|
+
- Affected file or generated artifact.
|
|
25
|
+
- Reproduction steps.
|
|
26
|
+
- Impact and likely affected users or hosts.
|
|
27
|
+
- Whether secrets, credentials, private prompts, provider payloads, or user data are involved.
|
|
28
|
+
- Suggested mitigation if known.
|
|
29
|
+
|
|
30
|
+
## Handling
|
|
31
|
+
|
|
32
|
+
- Do not claim a fix is verified until a focused reproduction or audit proves the changed behavior.
|
|
33
|
+
- Do not publish a release if signing, package integrity, or owner trust evidence is contradicted.
|
|
34
|
+
- If a public package may be affected, use `references/release-trust.md` and `assets/templates/release-trust-record.md` to record revocation, rotation, and follow-up.
|
|
35
|
+
- If a project-local GSE scaffold is affected, notify the affected project session or maintainer with the exact files and validation commands.
|
|
36
|
+
|
|
37
|
+
## Current Limits
|
|
38
|
+
|
|
39
|
+
- No public vulnerability disclosure address has been owner-approved yet.
|
|
40
|
+
- Public marketplace approval and registry publication are not verified.
|
|
41
|
+
- Host-native slash-command support is not verified unless a host-specific invocation record exists.
|
package/SUPPORT.md
CHANGED
|
@@ -1,38 +1,38 @@
|
|
|
1
|
-
# Support
|
|
2
|
-
|
|
3
|
-
Use this file to decide where to start when GSE behavior is confusing, incomplete, or blocked.
|
|
4
|
-
|
|
5
|
-
## First Checks
|
|
6
|
-
|
|
7
|
-
Run:
|
|
8
|
-
|
|
9
|
-
```text
|
|
10
|
-
node scripts/validate-gse.mjs --root <gse-root> --json
|
|
11
|
-
```
|
|
12
|
-
|
|
13
|
-
For a target project using GSE, run:
|
|
14
|
-
|
|
15
|
-
```text
|
|
16
|
-
node scripts/audit-target-project.mjs --target <project-root> --json
|
|
17
|
-
node scripts/generate-session-prompt.mjs --target <project-root>
|
|
18
|
-
node scripts/audit-close-gate.mjs --target <project-root> --json
|
|
19
|
-
```
|
|
20
|
-
|
|
21
|
-
For package or install issues, run:
|
|
22
|
-
|
|
23
|
-
```text
|
|
24
|
-
node scripts/audit-distribution.mjs --root <gse-root> --json
|
|
25
|
-
node scripts/audit-remote-distribution.mjs --root <gse-root> --json
|
|
26
|
-
```
|
|
27
|
-
|
|
28
|
-
## What To Include In A Support Request
|
|
29
|
-
|
|
30
|
-
- GSE root path or installed package path.
|
|
31
|
-
- Target project path, if any.
|
|
32
|
-
- Command run and the compact JSON summary.
|
|
33
|
-
- Whether the problem is skill usage, project scaffold, package/install, host adapter, release, or evidence gating.
|
|
34
|
-
- Whether optional tools such as OpenSpec, Comet, Superpowers, LSP, browser automation, MCP, or subagents were actually available.
|
|
35
|
-
|
|
36
|
-
## Community
|
|
37
|
-
|
|
38
|
-
GateHub (`https://gatehub.top/`) supports GSE development and contributor coordination.
|
|
1
|
+
# Support
|
|
2
|
+
|
|
3
|
+
Use this file to decide where to start when GSE behavior is confusing, incomplete, or blocked.
|
|
4
|
+
|
|
5
|
+
## First Checks
|
|
6
|
+
|
|
7
|
+
Run:
|
|
8
|
+
|
|
9
|
+
```text
|
|
10
|
+
node scripts/validate-gse.mjs --root <gse-root> --json
|
|
11
|
+
```
|
|
12
|
+
|
|
13
|
+
For a target project using GSE, run:
|
|
14
|
+
|
|
15
|
+
```text
|
|
16
|
+
node scripts/audit-target-project.mjs --target <project-root> --json
|
|
17
|
+
node scripts/generate-session-prompt.mjs --target <project-root>
|
|
18
|
+
node scripts/audit-close-gate.mjs --target <project-root> --json
|
|
19
|
+
```
|
|
20
|
+
|
|
21
|
+
For package or install issues, run:
|
|
22
|
+
|
|
23
|
+
```text
|
|
24
|
+
node scripts/audit-distribution.mjs --root <gse-root> --json
|
|
25
|
+
node scripts/audit-remote-distribution.mjs --root <gse-root> --json
|
|
26
|
+
```
|
|
27
|
+
|
|
28
|
+
## What To Include In A Support Request
|
|
29
|
+
|
|
30
|
+
- GSE root path or installed package path.
|
|
31
|
+
- Target project path, if any.
|
|
32
|
+
- Command run and the compact JSON summary.
|
|
33
|
+
- Whether the problem is skill usage, project scaffold, package/install, host adapter, release, or evidence gating.
|
|
34
|
+
- Whether optional tools such as OpenSpec, Comet, Superpowers, LSP, browser automation, MCP, or subagents were actually available.
|
|
35
|
+
|
|
36
|
+
## Community
|
|
37
|
+
|
|
38
|
+
GateHub (`https://gatehub.top/`) supports GSE development and contributor coordination.
|