@t275005746/gse 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (228) hide show
  1. package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -42
  2. package/.github/ISSUE_TEMPLATE/change_request.yml +50 -50
  3. package/.github/ISSUE_TEMPLATE/config.yml +5 -5
  4. package/.github/PULL_REQUEST_TEMPLATE.md +38 -38
  5. package/.github/workflows/validate-gse.yml +33 -33
  6. package/.gse/README.md +18 -18
  7. package/.gse/gse-development-protocol.md +50 -50
  8. package/.gse/project-profile.md +29 -29
  9. package/.gse/quality-gates.md +25 -25
  10. package/.gse/releases/public-registry-publication-npm.md +49 -0
  11. package/.gse/releases/public-release-owner-required.md +65 -65
  12. package/.gse/releases/public-security-contact-owner-required.md +45 -45
  13. package/.gse/state.json +147 -27
  14. package/CHANGELOG.md +31 -15
  15. package/CONTRIBUTING.md +64 -64
  16. package/LICENSE +21 -21
  17. package/README.md +14 -7
  18. package/README.zh-CN.md +14 -7
  19. package/SECURITY.md +41 -41
  20. package/SKILL.md +32 -12
  21. package/SUPPORT.md +38 -38
  22. package/assets/marketplace/README.md +7 -7
  23. package/assets/marketplace/gse-listing.json +75 -75
  24. package/assets/templates/acceptance-execution-packet.md +73 -73
  25. package/assets/templates/adr.md +14 -14
  26. package/assets/templates/change-brief.md +16 -16
  27. package/assets/templates/design.md +18 -18
  28. package/assets/templates/dispatch-packet.md +100 -92
  29. package/assets/templates/evidence.md +15 -9
  30. package/assets/templates/execution-quality-pack.md +65 -65
  31. package/assets/templates/goal-map.md +21 -21
  32. package/assets/templates/host-adapter.md +48 -48
  33. package/assets/templates/host-ui-invocation-record.md +42 -42
  34. package/assets/templates/incident-review.md +60 -60
  35. package/assets/templates/public-channel-publication-record.md +49 -49
  36. package/assets/templates/public-ci-run-record.md +53 -53
  37. package/assets/templates/public-release-record.md +65 -65
  38. package/assets/templates/public-repository-settings-record.md +59 -59
  39. package/assets/templates/public-security-contact-record.md +45 -45
  40. package/assets/templates/release-trust-record.md +32 -32
  41. package/assets/templates/review.md +18 -18
  42. package/assets/templates/role-fallback-packet.md +49 -0
  43. package/assets/templates/spec.md +16 -16
  44. package/assets/templates/target-adoption-evidence.md +29 -29
  45. package/assets/templates/tasks.md +17 -17
  46. package/assets/templates/update-release-acceptance-record.md +58 -58
  47. package/examples/README.md +22 -22
  48. package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -6
  49. package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -7
  50. package/examples/agent-runtime-host/.gse/goal-map.md +7 -7
  51. package/examples/agent-runtime-host/.gse/project-profile.md +27 -27
  52. package/examples/agent-runtime-host/.gse/tooling.md +5 -5
  53. package/examples/agent-runtime-host/.mcp.json +9 -9
  54. package/examples/agent-runtime-host/AGENTS.md +5 -5
  55. package/examples/agent-runtime-host/README.md +10 -10
  56. package/examples/agent-runtime-host/docs/model-routing.md +5 -5
  57. package/examples/cli-tool/.gse/project-profile.md +21 -21
  58. package/examples/cli-tool/AGENTS.md +5 -5
  59. package/examples/cli-tool/README.md +12 -12
  60. package/examples/cli-tool/package.json +21 -21
  61. package/examples/small-app/.env.example +2 -2
  62. package/examples/small-app/.github/workflows/ci.yml +8 -8
  63. package/examples/small-app/AGENTS.md +5 -5
  64. package/examples/small-app/README.md +12 -12
  65. package/examples/small-app/package.json +26 -26
  66. package/examples/small-app/playwright.config.ts +4 -4
  67. package/package.json +52 -44
  68. package/references/adoption-recipes.md +171 -171
  69. package/references/agent-roles.md +42 -21
  70. package/references/architecture-health.md +101 -101
  71. package/references/benchmark-audit.md +73 -73
  72. package/references/commands.md +74 -45
  73. package/references/community-channels.md +46 -46
  74. package/references/compatibility.md +70 -70
  75. package/references/design-basis.md +38 -38
  76. package/references/domain-model.md +129 -129
  77. package/references/domain-quality-gates.md +75 -75
  78. package/references/drift-audit.md +81 -80
  79. package/references/evidence-taxonomy.md +145 -108
  80. package/references/file-ownership.md +97 -93
  81. package/references/final-form-roadmap.md +201 -0
  82. package/references/final-readiness.md +84 -84
  83. package/references/forward-test.md +133 -133
  84. package/references/goal-map.md +36 -36
  85. package/references/host-adapters.md +129 -101
  86. package/references/learning-system.md +42 -26
  87. package/references/maintenance-cadence.md +51 -0
  88. package/references/marketplace-discovery.md +46 -46
  89. package/references/model-routing.md +103 -103
  90. package/references/open-source-defaults.md +39 -39
  91. package/references/operating-model.md +52 -52
  92. package/references/packaging.md +277 -277
  93. package/references/project-agent-workspace.md +89 -89
  94. package/references/project-bootstrap.md +122 -122
  95. package/references/project-guards.md +52 -0
  96. package/references/project-profile.md +57 -57
  97. package/references/public-release.md +174 -174
  98. package/references/quality-gates.md +96 -89
  99. package/references/recovery.md +176 -176
  100. package/references/release-trust.md +43 -43
  101. package/references/release.md +126 -126
  102. package/references/review.md +141 -141
  103. package/references/role-dispatch-fallback.md +54 -0
  104. package/references/router.md +90 -90
  105. package/references/spec-workflow.md +66 -66
  106. package/references/task-levels.md +81 -81
  107. package/references/tool-adapters.md +80 -70
  108. package/scripts/audit-acceptance-execution-packet.mjs +133 -133
  109. package/scripts/audit-adoption-recipes.mjs +99 -99
  110. package/scripts/audit-change-lifecycle.mjs +77 -77
  111. package/scripts/audit-change-system.mjs +134 -134
  112. package/scripts/audit-ci-readiness.mjs +107 -107
  113. package/scripts/audit-close-gate-hardening.mjs +188 -0
  114. package/scripts/audit-close-gate.mjs +448 -262
  115. package/scripts/audit-command-adapters.mjs +91 -91
  116. package/scripts/audit-command-execution.mjs +212 -199
  117. package/scripts/audit-commands.mjs +7 -5
  118. package/scripts/audit-compatibility.mjs +149 -149
  119. package/scripts/audit-completion-plan-drill.mjs +230 -0
  120. package/scripts/audit-completion-readiness.mjs +290 -287
  121. package/scripts/audit-continue-preflight.mjs +234 -0
  122. package/scripts/audit-distribution.mjs +251 -251
  123. package/scripts/audit-domain-quality-gates.mjs +108 -108
  124. package/scripts/audit-evidence-levels.mjs +217 -0
  125. package/scripts/audit-evidence-placeholders.mjs +126 -126
  126. package/scripts/audit-evidence-review-queue.mjs +206 -0
  127. package/scripts/audit-final-acceptance-packet.mjs +9 -9
  128. package/scripts/audit-final-form-progress-report.mjs +19 -18
  129. package/scripts/audit-final-form-roadmap.mjs +157 -0
  130. package/scripts/audit-final-form-stale-copy.mjs +2 -2
  131. package/scripts/audit-final-readiness-promotion.mjs +255 -255
  132. package/scripts/audit-final-readiness.mjs +226 -226
  133. package/scripts/audit-fixtures.mjs +154 -154
  134. package/scripts/audit-fresh-session-readiness.mjs +177 -177
  135. package/scripts/audit-host-capabilities.mjs +237 -0
  136. package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -159
  137. package/scripts/audit-host-runtime-invocation-drill.mjs +240 -240
  138. package/scripts/audit-host-runtime-invocations.mjs +254 -254
  139. package/scripts/audit-host-ui-invocation.mjs +132 -132
  140. package/scripts/audit-installed-sync.mjs +203 -0
  141. package/scripts/audit-learning-drift.mjs +292 -0
  142. package/scripts/audit-learning-promotion.mjs +351 -0
  143. package/scripts/audit-learning-system.mjs +24 -14
  144. package/scripts/audit-local-final-form-completion.mjs +11 -10
  145. package/scripts/audit-maintenance-cadence.mjs +139 -0
  146. package/scripts/audit-maintenance-snapshot.mjs +181 -0
  147. package/scripts/audit-marketplace-discovery.mjs +122 -122
  148. package/scripts/audit-npm-package-metadata.mjs +160 -154
  149. package/scripts/audit-npm-publish-dry-run.mjs +194 -166
  150. package/scripts/audit-npm-tarball-install.mjs +195 -189
  151. package/scripts/audit-open-source-defaults.mjs +92 -92
  152. package/scripts/audit-open-source-readiness.mjs +97 -97
  153. package/scripts/audit-owner-external-gate-kit.mjs +12 -11
  154. package/scripts/audit-project-guards.mjs +189 -0
  155. package/scripts/audit-project.mjs +144 -141
  156. package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -203
  157. package/scripts/audit-public-acceptance-handoff.mjs +10 -10
  158. package/scripts/audit-public-acceptance-readiness.mjs +222 -222
  159. package/scripts/audit-public-channel-publication.mjs +248 -248
  160. package/scripts/audit-public-ci-run.mjs +184 -184
  161. package/scripts/audit-public-collaboration-templates.mjs +98 -98
  162. package/scripts/audit-public-external-gate-probe.mjs +206 -206
  163. package/scripts/audit-public-release-checklist.mjs +17 -15
  164. package/scripts/audit-public-release-decision.mjs +201 -201
  165. package/scripts/audit-public-release-metadata.mjs +176 -176
  166. package/scripts/audit-public-repository-settings.mjs +237 -237
  167. package/scripts/audit-public-security-contact.mjs +171 -171
  168. package/scripts/audit-readme-docs.mjs +6 -4
  169. package/scripts/audit-recovery-readiness.mjs +98 -98
  170. package/scripts/audit-release-bundle.mjs +13 -11
  171. package/scripts/audit-release-owner-action-plan-drill.mjs +5 -4
  172. package/scripts/audit-release-owner-action-plan.mjs +10 -10
  173. package/scripts/audit-release-readiness.mjs +106 -106
  174. package/scripts/audit-release-status-manifest.mjs +4 -4
  175. package/scripts/audit-release-trust.mjs +62 -62
  176. package/scripts/audit-remote-distribution.mjs +266 -266
  177. package/scripts/audit-roadmap-consistency.mjs +234 -230
  178. package/scripts/audit-role-dispatch-fallback.mjs +212 -0
  179. package/scripts/audit-session-sync.mjs +127 -0
  180. package/scripts/audit-signing.mjs +147 -147
  181. package/scripts/audit-state-freshness.mjs +20 -14
  182. package/scripts/audit-state-repair.mjs +360 -0
  183. package/scripts/audit-target-adoption-evidence.mjs +117 -117
  184. package/scripts/audit-target-hardening-drills.mjs +267 -0
  185. package/scripts/audit-target-project.mjs +507 -507
  186. package/scripts/audit-tool-fallback-policy.mjs +180 -0
  187. package/scripts/audit-ui-browser-evidence-policy.mjs +191 -0
  188. package/scripts/audit-update-release-acceptance.mjs +136 -136
  189. package/scripts/audit-v1-target-validation.mjs +269 -269
  190. package/scripts/audit-validation-profiles.mjs +125 -123
  191. package/scripts/backfill-evidence-levels.mjs +98 -0
  192. package/scripts/check-encoding.mjs +72 -0
  193. package/scripts/close-change.mjs +116 -116
  194. package/scripts/discover-project-profile.mjs +307 -307
  195. package/scripts/generate-command-adapter.mjs +231 -231
  196. package/scripts/generate-continue-packet.mjs +1214 -0
  197. package/scripts/generate-final-acceptance-packet.mjs +188 -173
  198. package/scripts/generate-final-form-progress-report.mjs +191 -189
  199. package/scripts/generate-host-runtime-evidence-handoff.mjs +198 -191
  200. package/scripts/generate-maintenance-snapshot.mjs +216 -0
  201. package/scripts/generate-owner-external-gate-kit.mjs +295 -295
  202. package/scripts/generate-public-acceptance-handoff.mjs +168 -156
  203. package/scripts/generate-public-release-checklist.mjs +207 -207
  204. package/scripts/generate-release-bundle.mjs +505 -505
  205. package/scripts/generate-release-owner-action-plan.mjs +172 -171
  206. package/scripts/generate-release-status-manifest.mjs +199 -198
  207. package/scripts/generate-session-prompt.mjs +188 -188
  208. package/scripts/gse.mjs +67 -67
  209. package/scripts/init-change.mjs +265 -265
  210. package/scripts/init-project.mjs +793 -712
  211. package/scripts/install-gse.mjs +234 -234
  212. package/scripts/lib/evidence-placeholders.mjs +28 -28
  213. package/scripts/package-gse.mjs +174 -174
  214. package/scripts/probe-public-external-gates.mjs +167 -167
  215. package/scripts/record-host-invocation.mjs +151 -151
  216. package/scripts/record-learning.mjs +37 -8
  217. package/scripts/record-public-channel-publication.mjs +178 -178
  218. package/scripts/record-public-ci-run.mjs +180 -180
  219. package/scripts/record-public-release.mjs +175 -175
  220. package/scripts/record-public-repository-settings.mjs +209 -209
  221. package/scripts/record-public-security-contact.mjs +157 -157
  222. package/scripts/record-session-sync.mjs +87 -0
  223. package/scripts/run-gse-command.mjs +79 -47
  224. package/scripts/run-validation-profile.mjs +24 -5
  225. package/scripts/sign-gse-package.mjs +83 -83
  226. package/scripts/update-project-state.mjs +223 -223
  227. package/scripts/validate-gse.mjs +216 -0
  228. package/scripts/verify-gse-package.mjs +85 -85
@@ -0,0 +1,201 @@
1
+ # GSE Final Form Roadmap
2
+
3
+ This roadmap defines the final product shape for GSE itself. It is the canonical continuation plan for GSE development after local v1 capability has been proven.
4
+
5
+ The goal is not another patch cycle. Final form means a capable agent can enter a new or existing project, run a short GSE entry command, understand the project, select the next slice, execute with the right level of rigor, prove the result, and carry lessons forward without a long hand-written prompt.
6
+
7
+ ## Completion Definition
8
+
9
+ GSE reaches final form when a new agent can enter any supported project and use `/gse continue` to obtain:
10
+
11
+ - the project identity, current goal, active slice, and next action,
12
+ - the required spec, quality gates, and evidence level,
13
+ - the available tools, missing tools, role boundaries, and fallback path,
14
+ - pending owner/external release evidence, plus any optional adapter claims that are not being made,
15
+ - the learning rules that should affect the current run,
16
+ - the exact checks needed before completion can be claimed.
17
+
18
+ Broken state, stale evidence, unsupported tool claims, noisy risk lists, and missing host/runtime evidence must be surfaced before implementation begins.
19
+
20
+ ## Final Form Priorities
21
+
22
+ | Priority | Area | Outcome | Acceptance |
23
+ |---|---|---|---|
24
+ | P0 | Short entry takeover | `/gse continue` replaces long goal prompts for mature projects | A project with `.gse/` returns current slice, next action, claim-boundary evidence, and required checks through the portable runner; host-native command evidence is recorded only when a specific host adapter claims it |
25
+ | P1 | State system | Project state is readable, compact, repairable, and not a risk dump | State separates current summary, active slice, top risks, blocked gates, next checks, and archived risk history |
26
+ | P2 | Evidence gate | Claims cannot outrun evidence | Evidence index validity is a preflight gate; bad JSONL, stale records, and downgraded UI/browser proof are labeled before close |
27
+ | P3 | Spec and change lifecycle | GSE provides OpenSpec-style change control without requiring OpenSpec | Change packs move through proposed, active, implemented, verified, accepted, and archived states with goal-map links |
28
+ | P4 | Roles and subagents | GSE provides Superpowers-style execution discipline without requiring a specific subagent host | Planner, locator, implementer, verifier, reviewer, doc/evidence, and release roles have dispatch packets and fallback checklists; process skills do not prove real host dispatch |
29
+ | P5 | Tool and quality gates | Tool use is fast, explicit, and project-aware | LSP/index, browser, Playwright, MCP, CI, package manager, Windows shell, sparse checkout, UTF-8, and project custom gates are preflighted when relevant |
30
+ | P6 | Learning automation | Repeated failures become guards | Lessons dedupe, classify severity, and promote into project quality gates, templates, scripts, or skill updates |
31
+ | P7 | Project init and adapters | New projects get the right scaffold without heavy prerequisites | Lite, Standard, and Enterprise scaffolds create `.gse/` plus optional host pointers for `.codex`, `.claude`, `.mcp`, and similar folders |
32
+ | P8 | Release and distribution | GSE is installable, auditable, and maintainable as an open-source skill product | npm/package install, GitHub release, public CI, security contact, repository settings, registry/marketplace records, bilingual docs, checksums/signing, and update paths are verified or honestly gated |
33
+ | P9 | Benchmark and drills | GSE remains competitive with mature engineering skills | Regular audits compare against OpenSpec, Superpowers/BMAD-style roles, Comet-style phase discipline, and real projects such as AION and MuseFlow |
34
+ | P10 | Final acceptance | Final claims are backed by real evidence at the right claim level | AION doctor, MuseFlow doctor, new-project bootstrap, `/gse continue`, evidence repair, state compaction, role dispatch, learning promotion, package publication, public CI, and portable command execution pass; host-native invocation is optional per host adapter and must be recorded before that adapter claims it |
35
+
36
+ ## First Execution Wave
37
+
38
+ 1. Done: make `/gse continue` run a hard preflight: state JSON, evidence index, project profile, quality gates, canonical plan, stale risks, and pending owner/external release evidence when the target exposes it.
39
+ 2. Done: split `.gse/state.json` into a compact default view and an archived risk/decision history so active sessions do not inherit unreadable residual risk blocks.
40
+ 3. Done for continuation: promote evidence index validity from target-project doctor finding to blocking preflight for `/gse continue`; close-gate evidence index validation already remains in place.
41
+ 4. Done: add explicit evidence levels for UI/browser/API/CI/owner/release/external proof: `verified-unit`, `verified-component`, `verified-api`, `verified-browser`, `verified-ci`, `accepted-owner`, `accepted-release`, and `external-required`.
42
+ 5. Done: convert reusable lessons from AION and MuseFlow into guards: Windows shell syntax, sparse checkout staging, UTF-8-safe Chinese docs, stale evidence, browser-smoke downgrade labeling, no fake subagent dispatch, and non-interrupting cross-thread sync.
43
+
44
+ ## Final Form Execution Plan
45
+
46
+ This plan turns the completion definition into ordered implementation waves. It is the working plan for GSE itself, not a project roadmap for projects that use GSE.
47
+
48
+ ### Wave 1 - Short Entry And State Control
49
+
50
+ Outcome: mature projects can resume from a short `/gse continue` entry instead of a long hand-written prompt.
51
+
52
+ Status: verified; the hard preflight, compact state packet, completion plan, project guards, explicit evidence levels, role fallback readiness, and state/evidence repair path are verified. Native host slash-command evidence is an optional adapter claim, not a GSE core completion gate.
53
+
54
+ Completed slices:
55
+
56
+ - Done: `completionPlan` gives future agents exact required close steps, required close commands, and active conditional commands for encoding, installed-sync, maintenance snapshot, release bundle, and session sync.
57
+ - Done: completionPlan drill audit verifies clean worktrees have no false active conditionals and dirty docs/scripts/references/acceptance/evidence changes activate the expected close checks.
58
+ - Done: state repair path provides `/gse repair`, `CP14`, and concrete repair actions for stale state, bad JSONL, missing evidence files, next-action drift, and overlong residual risks.
59
+ - Done: `gateTaxonomy` separates core workflow blockers from release gates and host-adapter claim gates in `/gse continue` compact state.
60
+ - Done: generated/noisy artifacts stay visible in `/gse continue` as ignored paths but no longer count as actionable changes or trigger conditional close commands by themselves.
61
+ - Done: active residual risks and archived risk history are counted separately so `/gse continue` does not make historical risk archive entries look like current blockers.
62
+ - Done: the human-facing `/gse continue` prompt is a short action packet with project, root, slice, next action, close summary, risk summary, gate boundary, and do-step instead of long explanatory prose.
63
+
64
+ Acceptance:
65
+
66
+ - `/gse continue` shows current slice, next action, top risks, claim-boundary evidence, required checks, relevant guard rules, evidence status, and completion plan.
67
+ - Bad evidence and stale state fail before implementation or return a repair action.
68
+ - Default output stays compact; historical risk detail stays archived.
69
+
70
+ ### Wave 2 - Spec, Role, And Execution Discipline
71
+
72
+ Outcome: GSE provides OpenSpec-style change control and Superpowers-style execution discipline without requiring either tool.
73
+
74
+ Status: locally verified for portable execution discipline; role fallback packet outputs, no-fake-dispatch close checks, file-ownership/staged-artifact close checks, and host capability record audits are verified. Real-host dispatch evidence remains host-specific future evidence.
75
+
76
+ Boundary: OpenSpec-style and Superpowers-style workflows define requirements, change control, execution discipline, and review quality. They do not provide native slash commands, subagent dispatch, browser tooling, MCP, LSP, CI, or host UI integration by themselves. GSE follows the same boundary: those capabilities are optional host adapters and must be recorded as host evidence before they are claimed.
77
+
78
+ Required slices:
79
+
80
+ - Change lifecycle hardening: every active change can be opened, verified, closed, archived, and linked back to the goal map.
81
+ - Done: role packet execution fallback: planner, locator, implementer, verifier, reviewer, doc/evidence, and release roles have auditable packet outputs for sequential fallback.
82
+ - Done: no-fake-dispatch guard: close gate blocks real-subagent claims unless the current host/tool status is verified.
83
+ - Done: file ownership and dirty-worktree guard: close gate reports staged, unstaged, untracked, mixed, conflict, and generated/test artifact paths before close.
84
+
85
+ Acceptance:
86
+
87
+ - A real target project can run a change pack from open to archive.
88
+ - Role packets work both with real subagents and sequential fallback.
89
+ - Close gate rejects missing evidence, missing review, fake dispatch, and unrelated staged files when the project can expose that data.
90
+
91
+ ### Wave 3 - Learning To Guard Promotion
92
+
93
+ Outcome: repeated user corrections and project failures become reusable engineering controls.
94
+
95
+ Status: locally verified; learning capture, duplicate occurrence counting, deterministic promotion analysis, candidate-only promotion reports, `/gse continue` CP15 visibility, and learning drift detection for promoted-but-unenforced candidates are verified.
96
+
97
+ Completed slices:
98
+
99
+ - Done: learning classifier categorizes lessons by shell, encoding, evidence, browser, git, host-tool, project-rule, and release.
100
+ - Done: duplicate learning capture increments `Occurrences` without appending noisy duplicate entries.
101
+ - Done: promotion paths follow note -> checklist/template -> guard/quality gate -> script/skill.
102
+ - Done: `/gse learn --promote` is read-only by default, `/gse learn --promote --execute` writes candidate-only `.gse/learning-promotions.md`, and `/gse continue` surfaces CP15 learning promotion status.
103
+
104
+ Completed slices:
105
+
106
+ - Done: drift audit detects when promoted learning candidates are not covered by project guards, quality gates, `/gse continue`, `/gse close`, or focused audit scripts.
107
+
108
+ Acceptance:
109
+
110
+ - A lesson can be recorded once, deduped, and promoted into a project guard with evidence.
111
+ - `/gse continue` and `/gse close` both surface promoted high-severity guards.
112
+ - AION/MuseFlow lessons are used as examples but no AION/MuseFlow-specific behavior is hardcoded.
113
+
114
+ ### Wave 4 - Tool And Host Runtime Adapters
115
+
116
+ Outcome: GSE stays portable while using available tools aggressively.
117
+
118
+ Completed slices:
119
+
120
+ - Done: host capability audit records track native slash-command, browser, MCP, LSP, subagent, and CI status as `verified`, `documented`, `unknown`, `unavailable`, or `external-required`, with `/gse continue` `CP16` visibility and overclaim checks.
121
+ - Done: target-project hardening drills run GSE doctor, `/gse continue`, close gate, host capability, and learning drift checks against configured real projects without mutating target worktrees.
122
+ - Done: optional tool fallback policy audit verifies markdown fallback and claim boundaries across tool adapters, router, model routing, host adapters, project profile, generated command adapters, continue packet wiring, and validation profiles.
123
+
124
+ Required slices:
125
+
126
+ - Native slash-command evidence: record real host-native `/gse continue` invocation only when a host adapter claims native support.
127
+ - Done: Browser/UI evidence policy: `scripts/audit-ui-browser-evidence-policy.mjs` verifies that `verified-component`, `verified-api`, `verified-browser`, screenshot/visual inspection rules, continue/close downgrade surfacing, and validation wiring stay aligned.
128
+
129
+ Acceptance:
130
+
131
+ - GSE never claims native host support from portable command evidence alone.
132
+ - Browser/UI verification downgrade is labeled before close.
133
+ - Host adapter docs point back to `.gse/` and do not duplicate canonical rules.
134
+
135
+ ### Wave 5 - Distribution, Public Trust, And Maintenance
136
+
137
+ Outcome: GSE can be installed, audited, updated, and maintained as an open-source skill product.
138
+
139
+ Required slices:
140
+
141
+ - Public release evidence: repository settings, CI, security contact, registry/package channel, marketplace/catalog, release bundle, checksum/signing, and update path records.
142
+ - Done: Installed skill sync: `scripts/audit-installed-sync.mjs` verifies fresh package output, package metadata/version preservation, source-root privacy, installed-copy hash parity, and installed-copy `/gse maintenance` smoke when `--installed-root` is supplied.
143
+ - Done: Session sync records: `scripts/record-session-sync.mjs` and `scripts/audit-session-sync.mjs` make installed-copy refresh and active-session sync attempts auditable without treating notification as adoption.
144
+ - Public docs hardening: keep README and bilingual docs concise, search-friendly, and free of defensive caveat bloat.
145
+ - Done: Maintenance cadence: `references/maintenance-cadence.md`, `/gse maintenance`, and `scripts/audit-maintenance-cadence.mjs` verify benchmark audit, drift audit, dependency/security review, forward-test, target drill, public acceptance, and installed-skill sync coverage.
146
+ - Done: Maintenance snapshot failure isolation: failed canonical `latest-maintenance-snapshot.json` writes are redirected to `latest-maintenance-snapshot.failed.json` so release-bundle and maintenance freshness loops keep the last passing canonical snapshot.
147
+
148
+ Acceptance:
149
+
150
+ - `validate-gse` passes the appropriate profile for the release stage.
151
+ - Public acceptance rows are accepted only with real owner/external evidence.
152
+ - A clean consumer project can install GSE, run `gse status`, initialize `.gse/`, and execute `/gse continue` through the portable runner.
153
+
154
+ ## Current Final-Form Gap List
155
+
156
+ These items should drive future slices only when the claim is being made:
157
+
158
+ - Short entry takeover is verified through the portable runner; `/gse continue` now exposes a compact action prompt, `completionPlan`, `gateTaxonomy`, generated/noisy ignored paths, and active-versus-archived risk counts. Real host-native slash-command evidence is optional per host adapter.
159
+ - Project guards, learning promotion candidates, learning drift status, no-fake-dispatch/file-ownership close checks, host capability records, and target-project hardening drills now surface or execute through portable audits; AION/MuseFlow drill warnings remain project-local readiness signals, not GSE hard failures.
160
+ - Evidence index validity is a hard preflight; evidence level granularity, state/evidence repair actions, and conservative historical evidence-level backfill are implemented.
161
+ - Role fallback packets and host capability records are auditable through scaffold, `/gse continue`, and focused audits; real subagent dispatch still needs current host evidence.
162
+ - Process skills such as OpenSpec, Superpowers, Comet, and GSE provide workflow discipline and portable artifacts; they do not satisfy host-native slash-command, subagent, browser, MCP, LSP, CI, or host UI evidence rows.
163
+ - Learning capture, occurrence counting, classification, candidate promotion, candidate drift detection, and read-only target-project hardening drills are locally verified; remaining gaps are project-specific product evidence and external host evidence.
164
+ - Public/package release mechanics, browser/UI evidence policy, maintenance cadence, installed/package sync freshness checks, active-session sync records, and portable command execution are verified; optional host-native slash-command evidence is recorded only for hosts that actually expose native support.
165
+ - Failed canonical maintenance snapshot writes are isolated from the last passing snapshot; `.failed.json` is the diagnostic surface for failed runs.
166
+
167
+ ## Goal Mode Operating Contract
168
+
169
+ Use this when continuing GSE itself in a goal-mode session:
170
+
171
+ ```text
172
+ Goal: implement GSE final form as a portable, installable, evidence-driven engineering skill for long-running agent-assisted software projects.
173
+
174
+ Workspace:
175
+ <path-to-gse-repo>
176
+
177
+ Start:
178
+ 1. Read the installed GSE `SKILL.md`.
179
+ 2. Read .gse/gse-design-master-plan.md, .gse/goal-map.md, .gse/current-slice.md, .gse/state.json, and references/final-form-roadmap.md.
180
+ 3. Continue from the current slice and the highest-priority unfinished Final Form roadmap item.
181
+ 4. Keep GSE generic. Do not add AION-only or MuseFlow-only behavior; use them as drills and evidence targets.
182
+
183
+ Loop:
184
+ Goal -> Spec -> Execute -> Evidence -> Learn.
185
+
186
+ Slice rule:
187
+ Do one verifiable slice at a time. Each slice must state outcome, scope, acceptance, evidence, risk, and next action. Prefer executable scripts, templates, and gates over prose-only rules.
188
+
189
+ Verification:
190
+ Run the smallest focused audit that proves the slice. For docs-only final-form routing changes, run audit-final-form-roadmap, roadmap consistency, JSON/UTF-8 sanity, and a smoke validation profile. For release or package claims, run the matching release/package audit.
191
+
192
+ Evidence:
193
+ Append evidence to .gse/evidence/YYYY-MM-DD.md and .gse/evidence/index.jsonl. Do not claim public, native host, marketplace, registry, CI, or owner acceptance without matching accepted records.
194
+
195
+ Completion:
196
+ A slice is complete only after focused validation passes, evidence is recorded, state/current-slice/goal-map are updated, and the changes are committed.
197
+ ```
198
+
199
+ ## Claim Boundary
200
+
201
+ This roadmap is a contract for final-form development, not proof for every optional adapter claim. The live claim boundary remains `references/final-readiness.md` plus `scripts/audit-final-readiness.mjs`.
@@ -1,84 +1,84 @@
1
- # Final Readiness Matrix
2
-
3
- Use this when deciding whether GSE can be called open-source-ready, installable, and cross-host usable.
4
-
5
- This matrix is a claim boundary. It separates local verified capability from owner-required or external evidence. Do not collapse these states into a single "done" label.
6
-
7
- ## Status Vocabulary
8
-
9
- - `verified`: GSE has current local evidence from scripts, records, or package/install audits.
10
- - `owner-required`: the owner must make or approve a decision before the claim can become accepted.
11
- - `external-required`: a marketplace, public registry, host runtime, security contact, CI, or other external system must provide evidence.
12
- - `not-claimed`: GSE deliberately does not claim this capability.
13
-
14
- ## Readiness Areas
15
-
16
- The table below describes the baseline/status source for each row. The current truth is computed by `scripts/audit-final-readiness.mjs`; record-driven rows can promote from `owner-required` or `external-required` to `verified` only after accepted evidence records exist.
17
-
18
- | Area | Accepted claim requires | Status source / baseline |
19
- |---|---|---|
20
- | Skill structure | `SKILL.md`, references, scripts, assets, metadata, and validator pass | verified |
21
- | Project scaffold | `init-project`, project doctor, state, goal map, evidence index, close gate | verified |
22
- | Local install | package, install, installed-copy validation, package CLI entrypoint, and installed short CLI status command | verified |
23
- | npm tarball install | real local npm tarball creation, install into a clean consumer project, installed `gse` bin execution, and installed README audit | verified |
24
- | npm publish dry-run | npm publish dry-run keeps package identity, CLI bin metadata, required runtime files, and integrity fields without harmful metadata auto-correction | verified |
25
- | URL install | remote URL install, installed-copy validation, URL-installed short CLI status command, manifest integrity, and tamper rejection | verified |
26
- | Signing | package signing, verification, signed install, and tamper rejection | verified |
27
- | Open-source collaboration | README, contributing, security, support, changelog, public release metadata | verified |
28
- | CI workflow template | public repository workflow file plus local CI-readiness audit | verified |
29
- | Public CI run record | pending and accepted public CI run record mechanics | verified |
30
- | Public collaboration templates | issue and PR templates that require outcome, scope, evidence, risk, and claim boundaries | verified |
31
- | Public repository settings record | pending, verified, and accepted repository settings record mechanics | verified |
32
- | Public CI run | real public CI run URL or status-check evidence | record-driven external gate |
33
- | Public repository settings | real repository URL, issue/PR settings, branch protection, required checks, and maintainer acceptance | record-driven external gate |
34
- | License decision | owner-selected license or explicit not-public decision | record-driven owner gate |
35
- | Public security contact record | pending and accepted public security contact record mechanics | verified |
36
- | Public security contact | owner-approved vulnerability disclosure path | record-driven owner gate |
37
- | Public channel publication record | pending, registry publication, and marketplace approval record mechanics | verified |
38
- | Public registry publication | real public package or registry publication evidence | record-driven external gate |
39
- | Marketplace approval | real marketplace/catalog approval or publication evidence | record-driven external gate |
40
- | Portable command execution | `run-gse-command.mjs` command semantics audit | verified |
41
- | Host adapters | generated adapter files and compatibility matrix audit | verified |
42
- | Native slash command | verified host invocation record with native slash support | record-driven external gate |
43
- | Other host runtime invocation | verified invocation records per host | record-driven external gate |
44
-
45
- Do not read the baseline column as live status. For example, once the owner-selected license record is accepted, the audit reports `License decision` as `verified` even though the row remains an owner-gated claim type.
46
-
47
- ## Audit Command
48
-
49
- ```text
50
- node <gse-skill>/scripts/audit-final-readiness.mjs --root <gse-skill>
51
- ```
52
-
53
- The audit must report external and owner gates as incomplete unless corresponding records exist. It is valid for the audit to pass while still reporting `owner-required` or `external-required`; passing means the matrix is honest and complete, not that every external gate is satisfied.
54
-
55
- Accepted owner/external records promote final rows only when the record contains accepted evidence and the relevant boundary proof. For example, a public CI row requires an accepted public CI run record with a successful conclusion and required-check proof; a registry row requires accepted publication evidence with registry proof; native slash command support requires a host invocation record that proves native slash-command support.
56
-
57
- Use the promotion audit to verify that this path still works:
58
-
59
- ```text
60
- node <gse-skill>/scripts/audit-final-readiness-promotion.mjs --root <gse-skill>
61
- ```
62
-
63
- ## Acceptance Packet
64
-
65
- When owner-required or external-required rows remain, generate a handoff packet instead of burying follow-up work in prose:
66
-
67
- ```text
68
- node <gse-skill>/scripts/generate-final-acceptance-packet.mjs --root <gse-skill> --out <gse-skill>/.gse/acceptance/final-acceptance-packet.md --force
69
- ```
70
-
71
- The packet lists the verified local capabilities, every pending owner/external gate, the exact next evidence action, and the anti-overclaim rules. It is a continuation artifact, not acceptance by itself.
72
-
73
- ## Completion Boundary
74
-
75
- GSE can be described as locally verified and release-ready for handoff when the matrix passes and the verified rows have evidence.
76
-
77
- GSE can be described as publicly accepted only after:
78
-
79
- - owner-selected license or explicit not-public decision is recorded,
80
- - public security contact policy is approved when public release is intended,
81
- - public repository settings evidence exists when a public source repository is claimed,
82
- - public CI run evidence exists when public CI is claimed,
83
- - registry or marketplace publication evidence exists when those channels are claimed,
84
- - native slash-command support is recorded per host before it is claimed.
1
+ # Final Readiness Matrix
2
+
3
+ Use this when deciding whether GSE can be called open-source-ready, installable, and cross-host usable.
4
+
5
+ This matrix is a claim boundary. It separates local verified capability from owner-required or external evidence. Do not collapse these states into a single "done" label.
6
+
7
+ ## Status Vocabulary
8
+
9
+ - `verified`: GSE has current local evidence from scripts, records, or package/install audits.
10
+ - `owner-required`: the owner must make or approve a decision before the claim can become accepted.
11
+ - `external-required`: a marketplace, public registry, host runtime, security contact, CI, or other external system must provide evidence.
12
+ - `not-claimed`: GSE deliberately does not claim this capability.
13
+
14
+ ## Readiness Areas
15
+
16
+ The table below describes the baseline/status source for each row. The current truth is computed by `scripts/audit-final-readiness.mjs`; record-driven rows can promote from `owner-required` or `external-required` to `verified` only after accepted evidence records exist.
17
+
18
+ | Area | Accepted claim requires | Status source / baseline |
19
+ |---|---|---|
20
+ | Skill structure | `SKILL.md`, references, scripts, assets, metadata, and validator pass | verified |
21
+ | Project scaffold | `init-project`, project doctor, state, goal map, evidence index, close gate | verified |
22
+ | Local install | package, install, installed-copy validation, package CLI entrypoint, and installed short CLI status command | verified |
23
+ | npm tarball install | real local npm tarball creation, install into a clean consumer project, installed `gse` bin execution, and installed README audit | verified |
24
+ | npm publish dry-run | npm publish dry-run keeps package identity, CLI bin metadata, required runtime files, and integrity fields without harmful metadata auto-correction | verified |
25
+ | URL install | remote URL install, installed-copy validation, URL-installed short CLI status command, manifest integrity, and tamper rejection | verified |
26
+ | Signing | package signing, verification, signed install, and tamper rejection | verified |
27
+ | Open-source collaboration | README, contributing, security, support, changelog, public release metadata | verified |
28
+ | CI workflow template | public repository workflow file plus local CI-readiness audit | verified |
29
+ | Public CI run record | pending and accepted public CI run record mechanics | verified |
30
+ | Public collaboration templates | issue and PR templates that require outcome, scope, evidence, risk, and claim boundaries | verified |
31
+ | Public repository settings record | pending, verified, and accepted repository settings record mechanics | verified |
32
+ | Public CI run | real public CI run URL or status-check evidence | record-driven external gate |
33
+ | Public repository settings | real repository URL, issue/PR settings, branch protection, required checks, and maintainer acceptance | record-driven external gate |
34
+ | License decision | owner-selected license or explicit not-public decision | record-driven owner gate |
35
+ | Public security contact record | pending and accepted public security contact record mechanics | verified |
36
+ | Public security contact | owner-approved vulnerability disclosure path | record-driven owner gate |
37
+ | Public channel publication record | pending, registry publication, and marketplace approval record mechanics | verified |
38
+ | Public registry publication | real public package or registry publication evidence | record-driven external gate |
39
+ | Marketplace approval | real marketplace/catalog approval or publication evidence | record-driven external gate |
40
+ | Portable command execution | `run-gse-command.mjs` command semantics audit | verified |
41
+ | Host adapters | generated adapter files and compatibility matrix audit | verified |
42
+ | Native slash command | optional per-host adapter claim; verified only if a host invocation record proves native slash support | not claimed by GSE core |
43
+ | Other host runtime invocation | verified invocation records per host | record-driven external gate |
44
+
45
+ Do not read the baseline column as live status. For example, once the owner-selected license record is accepted, the audit reports `License decision` as `verified` even though the row remains an owner-gated claim type.
46
+
47
+ ## Audit Command
48
+
49
+ ```text
50
+ node <gse-skill>/scripts/audit-final-readiness.mjs --root <gse-skill>
51
+ ```
52
+
53
+ The audit must report external and owner gates as incomplete unless corresponding records exist. It is valid for the audit to pass while still reporting `owner-required` or `external-required`; passing means the matrix is honest and complete, not that every external gate is satisfied.
54
+
55
+ Accepted owner/external records promote final rows only when the record contains accepted evidence and the relevant boundary proof. For example, a public CI row requires an accepted public CI run record with a successful conclusion and required-check proof; a registry row requires accepted publication evidence with registry proof. Native slash command support is a per-host optional adapter claim, not a GSE core completion gate; claim it only after a host invocation record proves native slash-command support.
56
+
57
+ Use the promotion audit to verify that this path still works:
58
+
59
+ ```text
60
+ node <gse-skill>/scripts/audit-final-readiness-promotion.mjs --root <gse-skill>
61
+ ```
62
+
63
+ ## Acceptance Packet
64
+
65
+ When owner-required or external-required rows remain, generate a handoff packet instead of burying follow-up work in prose:
66
+
67
+ ```text
68
+ node <gse-skill>/scripts/generate-final-acceptance-packet.mjs --root <gse-skill> --out <gse-skill>/.gse/acceptance/final-acceptance-packet.md --force
69
+ ```
70
+
71
+ The packet lists the verified local capabilities, every pending owner/external gate, the exact next evidence action, and the anti-overclaim rules. It is a continuation artifact, not acceptance by itself.
72
+
73
+ ## Completion Boundary
74
+
75
+ GSE can be described as locally verified and release-ready for handoff when the matrix passes and the verified rows have evidence.
76
+
77
+ GSE can be described as publicly accepted only after:
78
+
79
+ - owner-selected license or explicit not-public decision is recorded,
80
+ - public security contact policy is approved when public release is intended,
81
+ - public repository settings evidence exists when a public source repository is claimed,
82
+ - public CI run evidence exists when public CI is claimed,
83
+ - registry or marketplace publication evidence exists when those channels are claimed,
84
+ - native slash-command support is recorded per host before it is claimed by that host adapter.