@t275005746/gse 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (180) hide show
  1. package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -42
  2. package/.github/ISSUE_TEMPLATE/change_request.yml +50 -50
  3. package/.github/ISSUE_TEMPLATE/config.yml +5 -5
  4. package/.github/PULL_REQUEST_TEMPLATE.md +38 -38
  5. package/.github/workflows/validate-gse.yml +33 -33
  6. package/.gse/README.md +18 -18
  7. package/.gse/gse-development-protocol.md +50 -50
  8. package/.gse/project-profile.md +29 -29
  9. package/.gse/quality-gates.md +25 -25
  10. package/.gse/releases/public-registry-publication-npm.md +49 -0
  11. package/.gse/releases/public-release-owner-required.md +65 -65
  12. package/.gse/releases/public-security-contact-owner-required.md +45 -45
  13. package/.gse/state.json +3 -4
  14. package/CHANGELOG.md +24 -24
  15. package/CONTRIBUTING.md +64 -64
  16. package/LICENSE +21 -21
  17. package/README.md +1 -1
  18. package/README.zh-CN.md +1 -1
  19. package/SECURITY.md +41 -41
  20. package/SUPPORT.md +38 -38
  21. package/assets/marketplace/README.md +7 -7
  22. package/assets/marketplace/gse-listing.json +75 -75
  23. package/assets/templates/acceptance-execution-packet.md +73 -73
  24. package/assets/templates/adr.md +14 -14
  25. package/assets/templates/change-brief.md +16 -16
  26. package/assets/templates/design.md +18 -18
  27. package/assets/templates/dispatch-packet.md +104 -104
  28. package/assets/templates/evidence.md +14 -14
  29. package/assets/templates/execution-quality-pack.md +65 -65
  30. package/assets/templates/goal-map.md +21 -21
  31. package/assets/templates/host-adapter.md +48 -48
  32. package/assets/templates/host-ui-invocation-record.md +42 -42
  33. package/assets/templates/incident-review.md +60 -60
  34. package/assets/templates/public-channel-publication-record.md +49 -49
  35. package/assets/templates/public-ci-run-record.md +53 -53
  36. package/assets/templates/public-release-record.md +65 -65
  37. package/assets/templates/public-repository-settings-record.md +59 -59
  38. package/assets/templates/public-security-contact-record.md +45 -45
  39. package/assets/templates/release-trust-record.md +32 -32
  40. package/assets/templates/review.md +18 -18
  41. package/assets/templates/spec.md +16 -16
  42. package/assets/templates/target-adoption-evidence.md +29 -29
  43. package/assets/templates/tasks.md +17 -17
  44. package/assets/templates/update-release-acceptance-record.md +58 -58
  45. package/examples/README.md +22 -22
  46. package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -6
  47. package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -7
  48. package/examples/agent-runtime-host/.gse/goal-map.md +7 -7
  49. package/examples/agent-runtime-host/.gse/project-profile.md +27 -27
  50. package/examples/agent-runtime-host/.gse/tooling.md +5 -5
  51. package/examples/agent-runtime-host/.mcp.json +9 -9
  52. package/examples/agent-runtime-host/AGENTS.md +5 -5
  53. package/examples/agent-runtime-host/README.md +10 -10
  54. package/examples/agent-runtime-host/docs/model-routing.md +5 -5
  55. package/examples/cli-tool/.gse/project-profile.md +21 -21
  56. package/examples/cli-tool/AGENTS.md +5 -5
  57. package/examples/cli-tool/README.md +12 -12
  58. package/examples/cli-tool/package.json +21 -21
  59. package/examples/small-app/.env.example +2 -2
  60. package/examples/small-app/.github/workflows/ci.yml +8 -8
  61. package/examples/small-app/AGENTS.md +5 -5
  62. package/examples/small-app/README.md +12 -12
  63. package/examples/small-app/package.json +26 -26
  64. package/examples/small-app/playwright.config.ts +4 -4
  65. package/package.json +53 -53
  66. package/references/adoption-recipes.md +171 -171
  67. package/references/agent-roles.md +49 -49
  68. package/references/architecture-health.md +101 -101
  69. package/references/benchmark-audit.md +73 -73
  70. package/references/community-channels.md +46 -46
  71. package/references/compatibility.md +70 -70
  72. package/references/design-basis.md +38 -38
  73. package/references/domain-model.md +129 -129
  74. package/references/domain-quality-gates.md +75 -75
  75. package/references/drift-audit.md +81 -81
  76. package/references/evidence-taxonomy.md +123 -123
  77. package/references/file-ownership.md +107 -107
  78. package/references/final-readiness.md +84 -84
  79. package/references/forward-test.md +133 -133
  80. package/references/goal-map.md +36 -36
  81. package/references/host-adapters.md +119 -119
  82. package/references/learning-system.md +35 -35
  83. package/references/marketplace-discovery.md +46 -46
  84. package/references/model-routing.md +103 -103
  85. package/references/open-source-defaults.md +39 -39
  86. package/references/operating-model.md +52 -52
  87. package/references/packaging.md +277 -277
  88. package/references/project-agent-workspace.md +89 -89
  89. package/references/project-bootstrap.md +122 -122
  90. package/references/project-profile.md +57 -57
  91. package/references/public-release.md +174 -174
  92. package/references/quality-gates.md +100 -100
  93. package/references/recovery.md +176 -176
  94. package/references/release-trust.md +43 -43
  95. package/references/release.md +126 -126
  96. package/references/review.md +141 -141
  97. package/references/router.md +90 -90
  98. package/references/spec-workflow.md +66 -66
  99. package/references/task-levels.md +81 -81
  100. package/references/tool-adapters.md +73 -73
  101. package/scripts/audit-acceptance-execution-packet.mjs +133 -133
  102. package/scripts/audit-adoption-recipes.mjs +99 -99
  103. package/scripts/audit-change-lifecycle.mjs +77 -77
  104. package/scripts/audit-change-system.mjs +134 -134
  105. package/scripts/audit-ci-readiness.mjs +107 -107
  106. package/scripts/audit-close-gate.mjs +323 -323
  107. package/scripts/audit-command-adapters.mjs +91 -91
  108. package/scripts/audit-command-execution.mjs +210 -210
  109. package/scripts/audit-compatibility.mjs +149 -149
  110. package/scripts/audit-completion-readiness.mjs +292 -292
  111. package/scripts/audit-distribution.mjs +251 -251
  112. package/scripts/audit-domain-quality-gates.mjs +108 -108
  113. package/scripts/audit-evidence-placeholders.mjs +126 -126
  114. package/scripts/audit-final-readiness-promotion.mjs +255 -255
  115. package/scripts/audit-final-readiness.mjs +226 -226
  116. package/scripts/audit-fixtures.mjs +154 -154
  117. package/scripts/audit-fresh-session-readiness.mjs +177 -177
  118. package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -159
  119. package/scripts/audit-host-runtime-invocation-drill.mjs +240 -240
  120. package/scripts/audit-host-runtime-invocations.mjs +254 -254
  121. package/scripts/audit-host-ui-invocation.mjs +132 -132
  122. package/scripts/audit-marketplace-discovery.mjs +122 -122
  123. package/scripts/audit-npm-package-metadata.mjs +155 -155
  124. package/scripts/audit-npm-publish-dry-run.mjs +191 -169
  125. package/scripts/audit-npm-tarball-install.mjs +191 -191
  126. package/scripts/audit-open-source-defaults.mjs +92 -92
  127. package/scripts/audit-open-source-readiness.mjs +97 -97
  128. package/scripts/audit-project.mjs +138 -138
  129. package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -203
  130. package/scripts/audit-public-acceptance-readiness.mjs +224 -224
  131. package/scripts/audit-public-channel-publication.mjs +248 -248
  132. package/scripts/audit-public-ci-run.mjs +184 -184
  133. package/scripts/audit-public-collaboration-templates.mjs +98 -98
  134. package/scripts/audit-public-external-gate-probe.mjs +206 -206
  135. package/scripts/audit-public-release-decision.mjs +201 -201
  136. package/scripts/audit-public-release-metadata.mjs +176 -176
  137. package/scripts/audit-public-repository-settings.mjs +237 -237
  138. package/scripts/audit-public-security-contact.mjs +171 -171
  139. package/scripts/audit-readme-docs.mjs +6 -4
  140. package/scripts/audit-recovery-readiness.mjs +98 -98
  141. package/scripts/audit-release-readiness.mjs +106 -106
  142. package/scripts/audit-release-trust.mjs +62 -62
  143. package/scripts/audit-remote-distribution.mjs +266 -266
  144. package/scripts/audit-roadmap-consistency.mjs +235 -235
  145. package/scripts/audit-signing.mjs +147 -147
  146. package/scripts/audit-state-freshness.mjs +14 -9
  147. package/scripts/audit-target-adoption-evidence.mjs +117 -117
  148. package/scripts/audit-target-project.mjs +507 -507
  149. package/scripts/audit-update-release-acceptance.mjs +136 -136
  150. package/scripts/audit-v1-target-validation.mjs +269 -269
  151. package/scripts/audit-validation-profiles.mjs +125 -125
  152. package/scripts/close-change.mjs +116 -116
  153. package/scripts/discover-project-profile.mjs +307 -307
  154. package/scripts/generate-command-adapter.mjs +231 -231
  155. package/scripts/generate-final-acceptance-packet.mjs +181 -181
  156. package/scripts/generate-final-form-progress-report.mjs +205 -205
  157. package/scripts/generate-host-runtime-evidence-handoff.mjs +206 -206
  158. package/scripts/generate-owner-external-gate-kit.mjs +295 -295
  159. package/scripts/generate-public-acceptance-handoff.mjs +168 -168
  160. package/scripts/generate-public-release-checklist.mjs +207 -207
  161. package/scripts/generate-release-bundle.mjs +505 -505
  162. package/scripts/generate-release-owner-action-plan.mjs +172 -172
  163. package/scripts/generate-release-status-manifest.mjs +200 -200
  164. package/scripts/generate-session-prompt.mjs +188 -188
  165. package/scripts/gse.mjs +67 -67
  166. package/scripts/init-change.mjs +265 -265
  167. package/scripts/init-project.mjs +785 -785
  168. package/scripts/install-gse.mjs +234 -234
  169. package/scripts/lib/evidence-placeholders.mjs +28 -28
  170. package/scripts/package-gse.mjs +174 -174
  171. package/scripts/probe-public-external-gates.mjs +167 -167
  172. package/scripts/record-host-invocation.mjs +151 -151
  173. package/scripts/record-public-channel-publication.mjs +178 -178
  174. package/scripts/record-public-ci-run.mjs +180 -180
  175. package/scripts/record-public-release.mjs +175 -175
  176. package/scripts/record-public-repository-settings.mjs +209 -209
  177. package/scripts/record-public-security-contact.mjs +157 -157
  178. package/scripts/sign-gse-package.mjs +83 -83
  179. package/scripts/update-project-state.mjs +223 -223
  180. package/scripts/verify-gse-package.mjs +85 -85
@@ -1,171 +1,171 @@
1
- # Adoption Recipes
2
-
3
- Use this when applying GSE to a project or updating an existing GSE installation.
4
-
5
- These recipes are host-neutral. They do not certify arbitrary repositories, install external tools, publish GSE, or verify host runtime capabilities. Treat project and host capabilities as `unknown` until checked in that project/session.
6
-
7
- ## Recipe 1: Fresh Project Install
8
-
9
- Use when a project has no `.gse/` folder yet.
10
-
11
- Steps:
12
-
13
- 1. Read project rules first: `AGENTS.md`, `CLAUDE.md`, README, or equivalent.
14
- 2. Choose mode from `references/task-levels.md` and `references/project-bootstrap.md`: `lite`, `standard`, or `enterprise`.
15
- 3. Run:
16
-
17
- ```text
18
- node <gse-skill>/scripts/init-project.mjs --target <project-root> --mode <mode>
19
- ```
20
-
21
- 4. Inspect generated `.gse/state.json`, `.gse/project-profile.md`, `.gse/goal-map.md`, `.gse/quality-gates.md`, `.gse/tooling.md`, and `.gse/evidence/index.jsonl`.
22
- 5. Record project-specific commands, standards, permissions, and owners in `.gse/project-profile.md`.
23
- 6. Run the smallest project verification that proves the install is usable, such as checking files exist and reading `.gse/README.md`.
24
- Prefer the target doctor when available:
25
-
26
- ```text
27
- node <gse-skill>/scripts/audit-target-project.mjs --target <project-root>
28
- ```
29
-
30
- 7. Record residual risk: commands, CI, browser, MCP, LSP, subagents, models, and release paths remain `unknown` until executed.
31
-
32
- Evidence status: `result` when files exist; `verified` only after focused project inspection or smoke proves the generated workflow is usable.
33
-
34
- ## Recipe 2: Existing Repo Adoption
35
-
36
- Use when a repository already has rules, scripts, CI, host folders, or partial `.gse/` files.
37
-
38
- Steps:
39
-
40
- 1. Read project rules and existing workflow docs before generating anything.
41
- 2. Run discovery without writing:
42
-
43
- ```text
44
- node <gse-skill>/scripts/discover-project-profile.mjs --target <project-root> --json
45
- ```
46
-
47
- 3. Treat discovered scripts/configs as `documented`, not `verified`, until the commands actually run.
48
- 4. If `.gse/project-profile.md` already exists, do not overwrite it without explicit `--force` and a reason. Do not overwrite existing project workflow files just because GSE has defaults.
49
- 5. If writing is approved, use:
50
-
51
- ```text
52
- node <gse-skill>/scripts/discover-project-profile.mjs --target <project-root> --write
53
- ```
54
-
55
- 6. Preserve project-specific standards, host adapters, existing evidence logs, and owner decisions.
56
- 7. Record whether adoption is `result`, `verified`, or `accepted` using `references/evidence-taxonomy.md`.
57
-
58
- Evidence status: `verified` for controlled fixture behavior when `scripts/audit-adoption.mjs` passes; real repos need project-specific evidence.
59
-
60
- ## Recipe 3: Update Existing GSE
61
-
62
- Use when a project already follows GSE and the skill or project-local `.gse/` files need an update.
63
-
64
- Steps:
65
-
66
- 1. Read `.gse/project-profile.md`, `.gse/goal-map.md`, `.gse/current-slice.md` if present, and host adapter notes.
67
- Prefer `.gse/state.json` and `.gse/evidence/index.jsonl` when present because they are the machine-readable continuation state.
68
- 2. Identify whether the update affects templates, scripts, host adapters, quality gates, release/recovery, or project rules.
69
- 3. Preserve local project decisions. Do not replace project `.gse/` files with skill defaults unless the project owner approves.
70
- 4. Run skill validation after updating the skill package:
71
-
72
- ```text
73
- node <gse-skill>/scripts/validate-gse.mjs --root <gse-skill>
74
- ```
75
-
76
- 5. Run project-local validation or smoke for the affected workflow.
77
- For read-only workflow drift checks, run:
78
-
79
- ```text
80
- node <gse-skill>/scripts/audit-target-project.mjs --target <project-root>
81
- ```
82
-
83
- If the project predates `.gse/state.json` and `.gse/evidence/index.jsonl`, add only the missing machine-readable continuation files:
84
-
85
- ```text
86
- node <gse-skill>/scripts/update-project-state.mjs --target <project-root>
87
- ```
88
-
89
- 6. Record changed files, migration/rollback notes, evidence status, residual risks, and next action in the project evidence log.
90
-
91
- Evidence status: `verified` only when the project-local update path and affected workflow have focused evidence.
92
-
93
- ## Recipe 4: Host Adapter Adoption
94
-
95
- Use when a project needs Codex, Claude Code, Hermes/AION-style runtime, WorkBuddy, Copilot/Gemini-style, or custom host pointers.
96
-
97
- Steps:
98
-
99
- 1. Read `references/compatibility.md` and `references/host-adapters.md`.
100
- 2. Generate short command/pointer adapters only when the host has a real adapter location:
101
-
102
- ```text
103
- node <gse-skill>/scripts/generate-command-adapter.mjs --target <project-root> --host claude|codex|hermes|workbuddy|copilot|gemini|generic|all
104
- ```
105
-
106
- `scripts/generate-host-adapter.mjs` is a legacy fixture helper for the older Codex/Claude markdown adapter smoke. Prefer `generate-command-adapter.mjs` for new project adoption.
107
-
108
- 3. Keep `.gse/` as the source of truth. Do not copy goal maps, quality gates, or evidence into host folders.
109
- 4. Mark host capabilities as `verified`, `documented`, `unknown`, or `unavailable` based on current evidence.
110
- 5. Run `scripts/audit-host-adapters.mjs` for GSE fixture coverage, then run project-specific inspection for the target project.
111
-
112
- Evidence status: fixture generation can be `verified`; actual host runtime tools remain project/session-specific.
113
-
114
- ## Recipe 5: CLI Or Package Project Adoption
115
-
116
- Use when a project is primarily a command-line tool, reusable package, SDK, plugin, or library rather than a web app.
117
-
118
- Steps:
119
-
120
- 1. Read package docs and project rules before changing workflow files: `README.md`, `AGENTS.md`, `CONTRIBUTING.md`, package manifest, and release notes if present.
121
- 2. Run discovery first:
122
-
123
- ```text
124
- node <gse-skill>/scripts/discover-project-profile.mjs --target <project-root> --json
125
- ```
126
-
127
- 3. Treat `bin` entries, package scripts, publish commands, signing, registry, and shell integration as `documented` or `unknown` until a focused smoke proves them.
128
- 4. Preserve package metadata, release notes, compatibility policy, and existing publish/rollback instructions.
129
- 5. Prefer a small command smoke before broader tests, such as `npm run smoke`, `node ./bin/<name> --help`, `npm pack --dry-run`, or the project equivalent.
130
- 6. Record exit-code behavior, changed files, package artifacts intentionally ignored, residual release risk, and next action.
131
-
132
- Evidence status: fixture coverage can be `verified`; real package install, registry access, publish permissions, global install, and shell completion require project-specific evidence.
133
-
134
- ## Adoption Record
135
-
136
- Use this compact record in `.gse/evidence/` or the project evidence log:
137
-
138
- ```text
139
- Adoption recipe:
140
- Project path:
141
- Mode or host:
142
- Project rules read:
143
- Commands run:
144
- Files created or changed:
145
- Preserved project-specific rules:
146
- Host/tool statuses:
147
- Validation evidence:
148
- Evidence status: result | verified | accepted | not ready
149
- Residual risk:
150
- Next action:
151
- ```
152
-
153
- For real target-project evidence, use `assets/templates/target-adoption-evidence.md`. Keep discovered scripts and configs as `documented` until executed, and keep `Accepted by: not accepted` unless a real acceptance gate ran.
154
-
155
- Use `assets/templates/acceptance-execution-packet.md` before writing project-local `.gse/` artifacts or claiming owner-approved adoption acceptance.
156
-
157
- ## Verification Commands
158
-
159
- Use only the commands that match the recipe and risk:
160
-
161
- ```text
162
- node <gse-skill>/scripts/audit-project.mjs --root <gse-skill>
163
- node <gse-skill>/scripts/audit-adoption.mjs --root <gse-skill>
164
- node <gse-skill>/scripts/audit-command-adapters.mjs --root <gse-skill>
165
- node <gse-skill>/scripts/audit-host-adapters.mjs --root <gse-skill>
166
- node <gse-skill>/scripts/audit-fixtures.mjs --root <gse-skill>
167
- node <gse-skill>/scripts/audit-target-project.mjs --target <project-root>
168
- node <gse-skill>/scripts/validate-gse.mjs --root <gse-skill>
169
- ```
170
-
171
- These commands verify GSE fixtures and skill readiness. They do not certify arbitrary production repositories. Real adoption still needs project-specific inspection, focused smokes, and evidence.
1
+ # Adoption Recipes
2
+
3
+ Use this when applying GSE to a project or updating an existing GSE installation.
4
+
5
+ These recipes are host-neutral. They do not certify arbitrary repositories, install external tools, publish GSE, or verify host runtime capabilities. Treat project and host capabilities as `unknown` until checked in that project/session.
6
+
7
+ ## Recipe 1: Fresh Project Install
8
+
9
+ Use when a project has no `.gse/` folder yet.
10
+
11
+ Steps:
12
+
13
+ 1. Read project rules first: `AGENTS.md`, `CLAUDE.md`, README, or equivalent.
14
+ 2. Choose mode from `references/task-levels.md` and `references/project-bootstrap.md`: `lite`, `standard`, or `enterprise`.
15
+ 3. Run:
16
+
17
+ ```text
18
+ node <gse-skill>/scripts/init-project.mjs --target <project-root> --mode <mode>
19
+ ```
20
+
21
+ 4. Inspect generated `.gse/state.json`, `.gse/project-profile.md`, `.gse/goal-map.md`, `.gse/quality-gates.md`, `.gse/tooling.md`, and `.gse/evidence/index.jsonl`.
22
+ 5. Record project-specific commands, standards, permissions, and owners in `.gse/project-profile.md`.
23
+ 6. Run the smallest project verification that proves the install is usable, such as checking files exist and reading `.gse/README.md`.
24
+ Prefer the target doctor when available:
25
+
26
+ ```text
27
+ node <gse-skill>/scripts/audit-target-project.mjs --target <project-root>
28
+ ```
29
+
30
+ 7. Record residual risk: commands, CI, browser, MCP, LSP, subagents, models, and release paths remain `unknown` until executed.
31
+
32
+ Evidence status: `result` when files exist; `verified` only after focused project inspection or smoke proves the generated workflow is usable.
33
+
34
+ ## Recipe 2: Existing Repo Adoption
35
+
36
+ Use when a repository already has rules, scripts, CI, host folders, or partial `.gse/` files.
37
+
38
+ Steps:
39
+
40
+ 1. Read project rules and existing workflow docs before generating anything.
41
+ 2. Run discovery without writing:
42
+
43
+ ```text
44
+ node <gse-skill>/scripts/discover-project-profile.mjs --target <project-root> --json
45
+ ```
46
+
47
+ 3. Treat discovered scripts/configs as `documented`, not `verified`, until the commands actually run.
48
+ 4. If `.gse/project-profile.md` already exists, do not overwrite it without explicit `--force` and a reason. Do not overwrite existing project workflow files just because GSE has defaults.
49
+ 5. If writing is approved, use:
50
+
51
+ ```text
52
+ node <gse-skill>/scripts/discover-project-profile.mjs --target <project-root> --write
53
+ ```
54
+
55
+ 6. Preserve project-specific standards, host adapters, existing evidence logs, and owner decisions.
56
+ 7. Record whether adoption is `result`, `verified`, or `accepted` using `references/evidence-taxonomy.md`.
57
+
58
+ Evidence status: `verified` for controlled fixture behavior when `scripts/audit-adoption.mjs` passes; real repos need project-specific evidence.
59
+
60
+ ## Recipe 3: Update Existing GSE
61
+
62
+ Use when a project already follows GSE and the skill or project-local `.gse/` files need an update.
63
+
64
+ Steps:
65
+
66
+ 1. Read `.gse/project-profile.md`, `.gse/goal-map.md`, `.gse/current-slice.md` if present, and host adapter notes.
67
+ Prefer `.gse/state.json` and `.gse/evidence/index.jsonl` when present because they are the machine-readable continuation state.
68
+ 2. Identify whether the update affects templates, scripts, host adapters, quality gates, release/recovery, or project rules.
69
+ 3. Preserve local project decisions. Do not replace project `.gse/` files with skill defaults unless the project owner approves.
70
+ 4. Run skill validation after updating the skill package:
71
+
72
+ ```text
73
+ node <gse-skill>/scripts/validate-gse.mjs --root <gse-skill>
74
+ ```
75
+
76
+ 5. Run project-local validation or smoke for the affected workflow.
77
+ For read-only workflow drift checks, run:
78
+
79
+ ```text
80
+ node <gse-skill>/scripts/audit-target-project.mjs --target <project-root>
81
+ ```
82
+
83
+ If the project predates `.gse/state.json` and `.gse/evidence/index.jsonl`, add only the missing machine-readable continuation files:
84
+
85
+ ```text
86
+ node <gse-skill>/scripts/update-project-state.mjs --target <project-root>
87
+ ```
88
+
89
+ 6. Record changed files, migration/rollback notes, evidence status, residual risks, and next action in the project evidence log.
90
+
91
+ Evidence status: `verified` only when the project-local update path and affected workflow have focused evidence.
92
+
93
+ ## Recipe 4: Host Adapter Adoption
94
+
95
+ Use when a project needs Codex, Claude Code, Hermes/AION-style runtime, WorkBuddy, Copilot/Gemini-style, or custom host pointers.
96
+
97
+ Steps:
98
+
99
+ 1. Read `references/compatibility.md` and `references/host-adapters.md`.
100
+ 2. Generate short command/pointer adapters only when the host has a real adapter location:
101
+
102
+ ```text
103
+ node <gse-skill>/scripts/generate-command-adapter.mjs --target <project-root> --host claude|codex|hermes|workbuddy|copilot|gemini|generic|all
104
+ ```
105
+
106
+ `scripts/generate-host-adapter.mjs` is a legacy fixture helper for the older Codex/Claude markdown adapter smoke. Prefer `generate-command-adapter.mjs` for new project adoption.
107
+
108
+ 3. Keep `.gse/` as the source of truth. Do not copy goal maps, quality gates, or evidence into host folders.
109
+ 4. Mark host capabilities as `verified`, `documented`, `unknown`, or `unavailable` based on current evidence.
110
+ 5. Run `scripts/audit-host-adapters.mjs` for GSE fixture coverage, then run project-specific inspection for the target project.
111
+
112
+ Evidence status: fixture generation can be `verified`; actual host runtime tools remain project/session-specific.
113
+
114
+ ## Recipe 5: CLI Or Package Project Adoption
115
+
116
+ Use when a project is primarily a command-line tool, reusable package, SDK, plugin, or library rather than a web app.
117
+
118
+ Steps:
119
+
120
+ 1. Read package docs and project rules before changing workflow files: `README.md`, `AGENTS.md`, `CONTRIBUTING.md`, package manifest, and release notes if present.
121
+ 2. Run discovery first:
122
+
123
+ ```text
124
+ node <gse-skill>/scripts/discover-project-profile.mjs --target <project-root> --json
125
+ ```
126
+
127
+ 3. Treat `bin` entries, package scripts, publish commands, signing, registry, and shell integration as `documented` or `unknown` until a focused smoke proves them.
128
+ 4. Preserve package metadata, release notes, compatibility policy, and existing publish/rollback instructions.
129
+ 5. Prefer a small command smoke before broader tests, such as `npm run smoke`, `node ./bin/<name> --help`, `npm pack --dry-run`, or the project equivalent.
130
+ 6. Record exit-code behavior, changed files, package artifacts intentionally ignored, residual release risk, and next action.
131
+
132
+ Evidence status: fixture coverage can be `verified`; real package install, registry access, publish permissions, global install, and shell completion require project-specific evidence.
133
+
134
+ ## Adoption Record
135
+
136
+ Use this compact record in `.gse/evidence/` or the project evidence log:
137
+
138
+ ```text
139
+ Adoption recipe:
140
+ Project path:
141
+ Mode or host:
142
+ Project rules read:
143
+ Commands run:
144
+ Files created or changed:
145
+ Preserved project-specific rules:
146
+ Host/tool statuses:
147
+ Validation evidence:
148
+ Evidence status: result | verified | accepted | not ready
149
+ Residual risk:
150
+ Next action:
151
+ ```
152
+
153
+ For real target-project evidence, use `assets/templates/target-adoption-evidence.md`. Keep discovered scripts and configs as `documented` until executed, and keep `Accepted by: not accepted` unless a real acceptance gate ran.
154
+
155
+ Use `assets/templates/acceptance-execution-packet.md` before writing project-local `.gse/` artifacts or claiming owner-approved adoption acceptance.
156
+
157
+ ## Verification Commands
158
+
159
+ Use only the commands that match the recipe and risk:
160
+
161
+ ```text
162
+ node <gse-skill>/scripts/audit-project.mjs --root <gse-skill>
163
+ node <gse-skill>/scripts/audit-adoption.mjs --root <gse-skill>
164
+ node <gse-skill>/scripts/audit-command-adapters.mjs --root <gse-skill>
165
+ node <gse-skill>/scripts/audit-host-adapters.mjs --root <gse-skill>
166
+ node <gse-skill>/scripts/audit-fixtures.mjs --root <gse-skill>
167
+ node <gse-skill>/scripts/audit-target-project.mjs --target <project-root>
168
+ node <gse-skill>/scripts/validate-gse.mjs --root <gse-skill>
169
+ ```
170
+
171
+ These commands verify GSE fixtures and skill readiness. They do not certify arbitrary production repositories. Real adoption still needs project-specific inspection, focused smokes, and evidence.
@@ -1,49 +1,49 @@
1
- # Agent Roles
2
-
3
- Use roles to make multi-agent work predictable.
4
-
5
- ## Coordinator
6
-
7
- Owns scope, task level, context selection, final integration, and final answer.
8
-
9
- Never delegates final judgment.
10
-
11
- ## Product Analyst
12
-
13
- Clarifies user outcome, pain, audience, competitive baseline, and priority.
14
-
15
- ## Architect
16
-
17
- Defines state, data flow, module boundaries, contracts, risks, and rollback.
18
-
19
- ## Code Locator
20
-
21
- Read-only. Finds files, symbols, call chains, existing tests, and local patterns.
22
-
23
- ## Builder
24
-
25
- Implements a bounded slice. Avoids unrelated refactors.
26
-
27
- ## Reviewer
28
-
29
- Checks correctness, regressions, architecture drift, security, and missing tests using `references/review.md`.
30
-
31
- ## QA
32
-
33
- Runs focused verification, browser smoke, API smoke, or screenshot checks.
34
-
35
- ## Docs/Evidence
36
-
37
- Writes evidence, changelog notes, ADR links, and learning entries. Does not modify implementation unless explicitly assigned.
38
-
39
- ## Dispatch Rules
40
-
41
- - Use real subagent tools only when exposed by the current host.
42
- - Give each agent a role, files allowed, expected output, and forbidden actions. Use `assets/templates/dispatch-packet.md` when the assignment needs durable boundaries or evidence.
43
- - Avoid parallel writes to the same files.
44
- - If subagents are unavailable, execute roles sequentially in the main session and say so.
45
-
46
- ## File Ownership
47
-
48
- Use `references/file-ownership.md` before assigning write access, running parallel implementation, or editing in a dirty worktree. Keep locator, reviewer, and QA roles read-only unless explicitly assigned otherwise.
49
-
1
+ # Agent Roles
2
+
3
+ Use roles to make multi-agent work predictable.
4
+
5
+ ## Coordinator
6
+
7
+ Owns scope, task level, context selection, final integration, and final answer.
8
+
9
+ Never delegates final judgment.
10
+
11
+ ## Product Analyst
12
+
13
+ Clarifies user outcome, pain, audience, competitive baseline, and priority.
14
+
15
+ ## Architect
16
+
17
+ Defines state, data flow, module boundaries, contracts, risks, and rollback.
18
+
19
+ ## Code Locator
20
+
21
+ Read-only. Finds files, symbols, call chains, existing tests, and local patterns.
22
+
23
+ ## Builder
24
+
25
+ Implements a bounded slice. Avoids unrelated refactors.
26
+
27
+ ## Reviewer
28
+
29
+ Checks correctness, regressions, architecture drift, security, and missing tests using `references/review.md`.
30
+
31
+ ## QA
32
+
33
+ Runs focused verification, browser smoke, API smoke, or screenshot checks.
34
+
35
+ ## Docs/Evidence
36
+
37
+ Writes evidence, changelog notes, ADR links, and learning entries. Does not modify implementation unless explicitly assigned.
38
+
39
+ ## Dispatch Rules
40
+
41
+ - Use real subagent tools only when exposed by the current host.
42
+ - Give each agent a role, files allowed, expected output, and forbidden actions. Use `assets/templates/dispatch-packet.md` when the assignment needs durable boundaries or evidence.
43
+ - Avoid parallel writes to the same files.
44
+ - If subagents are unavailable, execute roles sequentially in the main session and say so.
45
+
46
+ ## File Ownership
47
+
48
+ Use `references/file-ownership.md` before assigning write access, running parallel implementation, or editing in a dirty worktree. Keep locator, reviewer, and QA roles read-only unless explicitly assigned otherwise.
49
+
@@ -1,101 +1,101 @@
1
- # Architecture Health
2
-
3
- Use this when a change may affect the long-term shape of a project, not only the immediate behavior. Architecture health checks look for structural drift that can make future work slower, riskier, or harder for agents to understand.
4
-
5
- ## Trigger Conditions
6
-
7
- Run an architecture health scan when any of these are true:
8
-
9
- - A change crosses module boundaries, package boundaries, runtime boundaries, product boundaries, or host adapter boundaries.
10
- - A new subsystem, provider, model route, worker, storage layer, queue, browser/runtime path, or deployment path is added.
11
- - Repeated bugs suggest hidden coupling, unclear ownership, duplicated logic, or a missing source of truth.
12
- - A dependency, security boundary, permission model, migration, release path, or rollback path changes.
13
- - Performance, resilience, cancellation, retry, state recovery, or observability behavior is material to the slice.
14
- - Project docs, generated artifacts, code, and .gse/ records disagree about the intended design.
15
-
16
- Do not run a broad scan for tiny local edits unless the edit touches a structural boundary.
17
-
18
- ## Scope Levels
19
-
20
- Pick the smallest scan that can prove the risk is understood.
21
-
22
- | Level | Use when | Minimum evidence |
23
- |---|---|---|
24
- | Lightweight local scan | One file, one module, one adapter, or one narrow workflow changed | Relevant files, nearest tests/checks, project rules that govern the area |
25
- | Subsystem scan | A feature crosses modules, storage/state, API/UI, worker/runtime, or tool boundaries | Call flow, data ownership, source-of-truth records, focused verification |
26
- | Broad architecture review | Large refactor, new platform capability, release/migration risk, recurring failures, or uncertain ownership | Architecture docs, ADRs, project profile, dependency/release notes, evidence and follow-up slices |
27
-
28
- ## Scan Axes
29
-
30
- ### Module Boundaries
31
-
32
- - Are module boundaries, package boundaries, runtime boundaries, and host adapter boundaries still clear?
33
- - Did the change import across layers in a way the project does not already allow?
34
- - Is shared behavior placed in the right owner instead of copied into callers?
35
-
36
- ### Coupling And Cohesion
37
-
38
- - Did the change create tight coupling between UI, API, worker, storage, tools, models, or host-specific adapters?
39
- - Can a future agent change one concern without understanding unrelated concerns?
40
- - Are abstractions justified by repeated complexity or existing project patterns?
41
-
42
- ### Source Of Truth Drift
43
-
44
- - Is there one source of truth for goals, specs, state, memory, routing, configuration, and evidence?
45
- - Do docs, code, scripts, templates, generated files, and .gse/ records agree?
46
- - Are compatibility names or legacy internal names contained behind adapters rather than exposed as product truth?
47
-
48
- ### Dependency And Security Risk
49
-
50
- - Did dependencies, provider SDKs, MCP/tool integrations, or browser/runtime permissions change?
51
- - Are dependency and security assumptions verified, documented, or explicitly unknown?
52
- - Are secrets, raw provider payloads, hidden reasoning, and privileged tool traces excluded from user-visible or committed outputs?
53
-
54
- ### Ownership And Change Control
55
-
56
- - Which module, team, role, or agent owns the changed behavior?
57
- - Are file ownership and multi-agent lock rules clear enough to prevent overlapping edits?
58
- - Does the change need an ADR, project-profile update, or future release note?
59
-
60
- ### Performance And Resilience
61
-
62
- - Could the design add latency, heavy context loading, unnecessary worker paths, repeated browser loops, or expensive model routes?
63
- - Are cancellation, retry, timeout, recovery, idempotency, and duplicate prevention considered where relevant?
64
- - Is observability enough to diagnose failure without leaking sensitive data?
65
-
66
- ### Migration And Release Impact
67
-
68
- - Does the change affect install, upgrade, data migration, backward compatibility, rollback, or release acceptance?
69
- - Are migration and release risks captured as decisions or follow-up slices rather than hidden assumptions?
70
- - Is the verification scope strong enough for the release risk?
71
-
72
- ## Output Format
73
-
74
- Keep the output concise. Link to evidence instead of pasting long logs.
75
-
76
- ```text
77
- Scan scope:
78
- Findings:
79
- Risks:
80
- Decisions needed:
81
- Follow-up slices:
82
- Evidence:
83
- ```
84
-
85
- ## Classification Rules
86
-
87
- - Findings are observed facts from code, docs, scripts, tests, or runtime behavior.
88
- - Risks are plausible future failures or maintenance costs that the current evidence does not eliminate.
89
- - Decisions needed are architecture choices that require owner, user, or project-standard confirmation.
90
- - Follow-up slices are bounded implementation or documentation steps that can be verified later.
91
-
92
- Do not label a guess as a finding. If evidence is indirect, record it as a risk or assumption and choose a follow-up slice.
93
-
94
- ## Integration
95
-
96
- - Use references/review.md for the review axes and severity language.
97
- - Use references/quality-gates.md to decide whether architecture health is required for the task risk.
98
- - Use references/file-ownership.md when ownership, dirty worktree, or multi-agent overlap is unclear.
99
- - Use references/project-profile.md and project architecture docs as the source of project-specific standards.
100
- - Use references/release.md when architecture risk affects migration, rollback, compatibility, changelog/release notes, or release acceptance.
101
- - Use references/evidence-taxonomy.md to classify the final claim as result, verified, or accepted.
1
+ # Architecture Health
2
+
3
+ Use this when a change may affect the long-term shape of a project, not only the immediate behavior. Architecture health checks look for structural drift that can make future work slower, riskier, or harder for agents to understand.
4
+
5
+ ## Trigger Conditions
6
+
7
+ Run an architecture health scan when any of these are true:
8
+
9
+ - A change crosses module boundaries, package boundaries, runtime boundaries, product boundaries, or host adapter boundaries.
10
+ - A new subsystem, provider, model route, worker, storage layer, queue, browser/runtime path, or deployment path is added.
11
+ - Repeated bugs suggest hidden coupling, unclear ownership, duplicated logic, or a missing source of truth.
12
+ - A dependency, security boundary, permission model, migration, release path, or rollback path changes.
13
+ - Performance, resilience, cancellation, retry, state recovery, or observability behavior is material to the slice.
14
+ - Project docs, generated artifacts, code, and .gse/ records disagree about the intended design.
15
+
16
+ Do not run a broad scan for tiny local edits unless the edit touches a structural boundary.
17
+
18
+ ## Scope Levels
19
+
20
+ Pick the smallest scan that can prove the risk is understood.
21
+
22
+ | Level | Use when | Minimum evidence |
23
+ |---|---|---|
24
+ | Lightweight local scan | One file, one module, one adapter, or one narrow workflow changed | Relevant files, nearest tests/checks, project rules that govern the area |
25
+ | Subsystem scan | A feature crosses modules, storage/state, API/UI, worker/runtime, or tool boundaries | Call flow, data ownership, source-of-truth records, focused verification |
26
+ | Broad architecture review | Large refactor, new platform capability, release/migration risk, recurring failures, or uncertain ownership | Architecture docs, ADRs, project profile, dependency/release notes, evidence and follow-up slices |
27
+
28
+ ## Scan Axes
29
+
30
+ ### Module Boundaries
31
+
32
+ - Are module boundaries, package boundaries, runtime boundaries, and host adapter boundaries still clear?
33
+ - Did the change import across layers in a way the project does not already allow?
34
+ - Is shared behavior placed in the right owner instead of copied into callers?
35
+
36
+ ### Coupling And Cohesion
37
+
38
+ - Did the change create tight coupling between UI, API, worker, storage, tools, models, or host-specific adapters?
39
+ - Can a future agent change one concern without understanding unrelated concerns?
40
+ - Are abstractions justified by repeated complexity or existing project patterns?
41
+
42
+ ### Source Of Truth Drift
43
+
44
+ - Is there one source of truth for goals, specs, state, memory, routing, configuration, and evidence?
45
+ - Do docs, code, scripts, templates, generated files, and .gse/ records agree?
46
+ - Are compatibility names or legacy internal names contained behind adapters rather than exposed as product truth?
47
+
48
+ ### Dependency And Security Risk
49
+
50
+ - Did dependencies, provider SDKs, MCP/tool integrations, or browser/runtime permissions change?
51
+ - Are dependency and security assumptions verified, documented, or explicitly unknown?
52
+ - Are secrets, raw provider payloads, hidden reasoning, and privileged tool traces excluded from user-visible or committed outputs?
53
+
54
+ ### Ownership And Change Control
55
+
56
+ - Which module, team, role, or agent owns the changed behavior?
57
+ - Are file ownership and multi-agent lock rules clear enough to prevent overlapping edits?
58
+ - Does the change need an ADR, project-profile update, or future release note?
59
+
60
+ ### Performance And Resilience
61
+
62
+ - Could the design add latency, heavy context loading, unnecessary worker paths, repeated browser loops, or expensive model routes?
63
+ - Are cancellation, retry, timeout, recovery, idempotency, and duplicate prevention considered where relevant?
64
+ - Is observability enough to diagnose failure without leaking sensitive data?
65
+
66
+ ### Migration And Release Impact
67
+
68
+ - Does the change affect install, upgrade, data migration, backward compatibility, rollback, or release acceptance?
69
+ - Are migration and release risks captured as decisions or follow-up slices rather than hidden assumptions?
70
+ - Is the verification scope strong enough for the release risk?
71
+
72
+ ## Output Format
73
+
74
+ Keep the output concise. Link to evidence instead of pasting long logs.
75
+
76
+ ```text
77
+ Scan scope:
78
+ Findings:
79
+ Risks:
80
+ Decisions needed:
81
+ Follow-up slices:
82
+ Evidence:
83
+ ```
84
+
85
+ ## Classification Rules
86
+
87
+ - Findings are observed facts from code, docs, scripts, tests, or runtime behavior.
88
+ - Risks are plausible future failures or maintenance costs that the current evidence does not eliminate.
89
+ - Decisions needed are architecture choices that require owner, user, or project-standard confirmation.
90
+ - Follow-up slices are bounded implementation or documentation steps that can be verified later.
91
+
92
+ Do not label a guess as a finding. If evidence is indirect, record it as a risk or assumption and choose a follow-up slice.
93
+
94
+ ## Integration
95
+
96
+ - Use references/review.md for the review axes and severity language.
97
+ - Use references/quality-gates.md to decide whether architecture health is required for the task risk.
98
+ - Use references/file-ownership.md when ownership, dirty worktree, or multi-agent overlap is unclear.
99
+ - Use references/project-profile.md and project architecture docs as the source of project-specific standards.
100
+ - Use references/release.md when architecture risk affects migration, rollback, compatibility, changelog/release notes, or release acceptance.
101
+ - Use references/evidence-taxonomy.md to classify the final claim as result, verified, or accepted.