@t275005746/gse 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (228) hide show
  1. package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -42
  2. package/.github/ISSUE_TEMPLATE/change_request.yml +50 -50
  3. package/.github/ISSUE_TEMPLATE/config.yml +5 -5
  4. package/.github/PULL_REQUEST_TEMPLATE.md +38 -38
  5. package/.github/workflows/validate-gse.yml +33 -33
  6. package/.gse/README.md +18 -18
  7. package/.gse/gse-development-protocol.md +50 -50
  8. package/.gse/project-profile.md +29 -29
  9. package/.gse/quality-gates.md +25 -25
  10. package/.gse/releases/public-registry-publication-npm.md +49 -0
  11. package/.gse/releases/public-release-owner-required.md +65 -65
  12. package/.gse/releases/public-security-contact-owner-required.md +45 -45
  13. package/.gse/state.json +147 -27
  14. package/CHANGELOG.md +31 -15
  15. package/CONTRIBUTING.md +64 -64
  16. package/LICENSE +21 -21
  17. package/README.md +14 -7
  18. package/README.zh-CN.md +14 -7
  19. package/SECURITY.md +41 -41
  20. package/SKILL.md +32 -12
  21. package/SUPPORT.md +38 -38
  22. package/assets/marketplace/README.md +7 -7
  23. package/assets/marketplace/gse-listing.json +75 -75
  24. package/assets/templates/acceptance-execution-packet.md +73 -73
  25. package/assets/templates/adr.md +14 -14
  26. package/assets/templates/change-brief.md +16 -16
  27. package/assets/templates/design.md +18 -18
  28. package/assets/templates/dispatch-packet.md +100 -92
  29. package/assets/templates/evidence.md +15 -9
  30. package/assets/templates/execution-quality-pack.md +65 -65
  31. package/assets/templates/goal-map.md +21 -21
  32. package/assets/templates/host-adapter.md +48 -48
  33. package/assets/templates/host-ui-invocation-record.md +42 -42
  34. package/assets/templates/incident-review.md +60 -60
  35. package/assets/templates/public-channel-publication-record.md +49 -49
  36. package/assets/templates/public-ci-run-record.md +53 -53
  37. package/assets/templates/public-release-record.md +65 -65
  38. package/assets/templates/public-repository-settings-record.md +59 -59
  39. package/assets/templates/public-security-contact-record.md +45 -45
  40. package/assets/templates/release-trust-record.md +32 -32
  41. package/assets/templates/review.md +18 -18
  42. package/assets/templates/role-fallback-packet.md +49 -0
  43. package/assets/templates/spec.md +16 -16
  44. package/assets/templates/target-adoption-evidence.md +29 -29
  45. package/assets/templates/tasks.md +17 -17
  46. package/assets/templates/update-release-acceptance-record.md +58 -58
  47. package/examples/README.md +22 -22
  48. package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -6
  49. package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -7
  50. package/examples/agent-runtime-host/.gse/goal-map.md +7 -7
  51. package/examples/agent-runtime-host/.gse/project-profile.md +27 -27
  52. package/examples/agent-runtime-host/.gse/tooling.md +5 -5
  53. package/examples/agent-runtime-host/.mcp.json +9 -9
  54. package/examples/agent-runtime-host/AGENTS.md +5 -5
  55. package/examples/agent-runtime-host/README.md +10 -10
  56. package/examples/agent-runtime-host/docs/model-routing.md +5 -5
  57. package/examples/cli-tool/.gse/project-profile.md +21 -21
  58. package/examples/cli-tool/AGENTS.md +5 -5
  59. package/examples/cli-tool/README.md +12 -12
  60. package/examples/cli-tool/package.json +21 -21
  61. package/examples/small-app/.env.example +2 -2
  62. package/examples/small-app/.github/workflows/ci.yml +8 -8
  63. package/examples/small-app/AGENTS.md +5 -5
  64. package/examples/small-app/README.md +12 -12
  65. package/examples/small-app/package.json +26 -26
  66. package/examples/small-app/playwright.config.ts +4 -4
  67. package/package.json +52 -44
  68. package/references/adoption-recipes.md +171 -171
  69. package/references/agent-roles.md +42 -21
  70. package/references/architecture-health.md +101 -101
  71. package/references/benchmark-audit.md +73 -73
  72. package/references/commands.md +74 -45
  73. package/references/community-channels.md +46 -46
  74. package/references/compatibility.md +70 -70
  75. package/references/design-basis.md +38 -38
  76. package/references/domain-model.md +129 -129
  77. package/references/domain-quality-gates.md +75 -75
  78. package/references/drift-audit.md +81 -80
  79. package/references/evidence-taxonomy.md +145 -108
  80. package/references/file-ownership.md +97 -93
  81. package/references/final-form-roadmap.md +201 -0
  82. package/references/final-readiness.md +84 -84
  83. package/references/forward-test.md +133 -133
  84. package/references/goal-map.md +36 -36
  85. package/references/host-adapters.md +129 -101
  86. package/references/learning-system.md +42 -26
  87. package/references/maintenance-cadence.md +51 -0
  88. package/references/marketplace-discovery.md +46 -46
  89. package/references/model-routing.md +103 -103
  90. package/references/open-source-defaults.md +39 -39
  91. package/references/operating-model.md +52 -52
  92. package/references/packaging.md +277 -277
  93. package/references/project-agent-workspace.md +89 -89
  94. package/references/project-bootstrap.md +122 -122
  95. package/references/project-guards.md +52 -0
  96. package/references/project-profile.md +57 -57
  97. package/references/public-release.md +174 -174
  98. package/references/quality-gates.md +96 -89
  99. package/references/recovery.md +176 -176
  100. package/references/release-trust.md +43 -43
  101. package/references/release.md +126 -126
  102. package/references/review.md +141 -141
  103. package/references/role-dispatch-fallback.md +54 -0
  104. package/references/router.md +90 -90
  105. package/references/spec-workflow.md +66 -66
  106. package/references/task-levels.md +81 -81
  107. package/references/tool-adapters.md +80 -70
  108. package/scripts/audit-acceptance-execution-packet.mjs +133 -133
  109. package/scripts/audit-adoption-recipes.mjs +99 -99
  110. package/scripts/audit-change-lifecycle.mjs +77 -77
  111. package/scripts/audit-change-system.mjs +134 -134
  112. package/scripts/audit-ci-readiness.mjs +107 -107
  113. package/scripts/audit-close-gate-hardening.mjs +188 -0
  114. package/scripts/audit-close-gate.mjs +448 -262
  115. package/scripts/audit-command-adapters.mjs +91 -91
  116. package/scripts/audit-command-execution.mjs +212 -199
  117. package/scripts/audit-commands.mjs +7 -5
  118. package/scripts/audit-compatibility.mjs +149 -149
  119. package/scripts/audit-completion-plan-drill.mjs +230 -0
  120. package/scripts/audit-completion-readiness.mjs +290 -287
  121. package/scripts/audit-continue-preflight.mjs +234 -0
  122. package/scripts/audit-distribution.mjs +251 -251
  123. package/scripts/audit-domain-quality-gates.mjs +108 -108
  124. package/scripts/audit-evidence-levels.mjs +217 -0
  125. package/scripts/audit-evidence-placeholders.mjs +126 -126
  126. package/scripts/audit-evidence-review-queue.mjs +206 -0
  127. package/scripts/audit-final-acceptance-packet.mjs +9 -9
  128. package/scripts/audit-final-form-progress-report.mjs +19 -18
  129. package/scripts/audit-final-form-roadmap.mjs +157 -0
  130. package/scripts/audit-final-form-stale-copy.mjs +2 -2
  131. package/scripts/audit-final-readiness-promotion.mjs +255 -255
  132. package/scripts/audit-final-readiness.mjs +226 -226
  133. package/scripts/audit-fixtures.mjs +154 -154
  134. package/scripts/audit-fresh-session-readiness.mjs +177 -177
  135. package/scripts/audit-host-capabilities.mjs +237 -0
  136. package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -159
  137. package/scripts/audit-host-runtime-invocation-drill.mjs +240 -240
  138. package/scripts/audit-host-runtime-invocations.mjs +254 -254
  139. package/scripts/audit-host-ui-invocation.mjs +132 -132
  140. package/scripts/audit-installed-sync.mjs +203 -0
  141. package/scripts/audit-learning-drift.mjs +292 -0
  142. package/scripts/audit-learning-promotion.mjs +351 -0
  143. package/scripts/audit-learning-system.mjs +24 -14
  144. package/scripts/audit-local-final-form-completion.mjs +11 -10
  145. package/scripts/audit-maintenance-cadence.mjs +139 -0
  146. package/scripts/audit-maintenance-snapshot.mjs +181 -0
  147. package/scripts/audit-marketplace-discovery.mjs +122 -122
  148. package/scripts/audit-npm-package-metadata.mjs +160 -154
  149. package/scripts/audit-npm-publish-dry-run.mjs +194 -166
  150. package/scripts/audit-npm-tarball-install.mjs +195 -189
  151. package/scripts/audit-open-source-defaults.mjs +92 -92
  152. package/scripts/audit-open-source-readiness.mjs +97 -97
  153. package/scripts/audit-owner-external-gate-kit.mjs +12 -11
  154. package/scripts/audit-project-guards.mjs +189 -0
  155. package/scripts/audit-project.mjs +144 -141
  156. package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -203
  157. package/scripts/audit-public-acceptance-handoff.mjs +10 -10
  158. package/scripts/audit-public-acceptance-readiness.mjs +222 -222
  159. package/scripts/audit-public-channel-publication.mjs +248 -248
  160. package/scripts/audit-public-ci-run.mjs +184 -184
  161. package/scripts/audit-public-collaboration-templates.mjs +98 -98
  162. package/scripts/audit-public-external-gate-probe.mjs +206 -206
  163. package/scripts/audit-public-release-checklist.mjs +17 -15
  164. package/scripts/audit-public-release-decision.mjs +201 -201
  165. package/scripts/audit-public-release-metadata.mjs +176 -176
  166. package/scripts/audit-public-repository-settings.mjs +237 -237
  167. package/scripts/audit-public-security-contact.mjs +171 -171
  168. package/scripts/audit-readme-docs.mjs +6 -4
  169. package/scripts/audit-recovery-readiness.mjs +98 -98
  170. package/scripts/audit-release-bundle.mjs +13 -11
  171. package/scripts/audit-release-owner-action-plan-drill.mjs +5 -4
  172. package/scripts/audit-release-owner-action-plan.mjs +10 -10
  173. package/scripts/audit-release-readiness.mjs +106 -106
  174. package/scripts/audit-release-status-manifest.mjs +4 -4
  175. package/scripts/audit-release-trust.mjs +62 -62
  176. package/scripts/audit-remote-distribution.mjs +266 -266
  177. package/scripts/audit-roadmap-consistency.mjs +234 -230
  178. package/scripts/audit-role-dispatch-fallback.mjs +212 -0
  179. package/scripts/audit-session-sync.mjs +127 -0
  180. package/scripts/audit-signing.mjs +147 -147
  181. package/scripts/audit-state-freshness.mjs +20 -14
  182. package/scripts/audit-state-repair.mjs +360 -0
  183. package/scripts/audit-target-adoption-evidence.mjs +117 -117
  184. package/scripts/audit-target-hardening-drills.mjs +267 -0
  185. package/scripts/audit-target-project.mjs +507 -507
  186. package/scripts/audit-tool-fallback-policy.mjs +180 -0
  187. package/scripts/audit-ui-browser-evidence-policy.mjs +191 -0
  188. package/scripts/audit-update-release-acceptance.mjs +136 -136
  189. package/scripts/audit-v1-target-validation.mjs +269 -269
  190. package/scripts/audit-validation-profiles.mjs +125 -123
  191. package/scripts/backfill-evidence-levels.mjs +98 -0
  192. package/scripts/check-encoding.mjs +72 -0
  193. package/scripts/close-change.mjs +116 -116
  194. package/scripts/discover-project-profile.mjs +307 -307
  195. package/scripts/generate-command-adapter.mjs +231 -231
  196. package/scripts/generate-continue-packet.mjs +1214 -0
  197. package/scripts/generate-final-acceptance-packet.mjs +188 -173
  198. package/scripts/generate-final-form-progress-report.mjs +191 -189
  199. package/scripts/generate-host-runtime-evidence-handoff.mjs +198 -191
  200. package/scripts/generate-maintenance-snapshot.mjs +216 -0
  201. package/scripts/generate-owner-external-gate-kit.mjs +295 -295
  202. package/scripts/generate-public-acceptance-handoff.mjs +168 -156
  203. package/scripts/generate-public-release-checklist.mjs +207 -207
  204. package/scripts/generate-release-bundle.mjs +505 -505
  205. package/scripts/generate-release-owner-action-plan.mjs +172 -171
  206. package/scripts/generate-release-status-manifest.mjs +199 -198
  207. package/scripts/generate-session-prompt.mjs +188 -188
  208. package/scripts/gse.mjs +67 -67
  209. package/scripts/init-change.mjs +265 -265
  210. package/scripts/init-project.mjs +793 -712
  211. package/scripts/install-gse.mjs +234 -234
  212. package/scripts/lib/evidence-placeholders.mjs +28 -28
  213. package/scripts/package-gse.mjs +174 -174
  214. package/scripts/probe-public-external-gates.mjs +167 -167
  215. package/scripts/record-host-invocation.mjs +151 -151
  216. package/scripts/record-learning.mjs +37 -8
  217. package/scripts/record-public-channel-publication.mjs +178 -178
  218. package/scripts/record-public-ci-run.mjs +180 -180
  219. package/scripts/record-public-release.mjs +175 -175
  220. package/scripts/record-public-repository-settings.mjs +209 -209
  221. package/scripts/record-public-security-contact.mjs +157 -157
  222. package/scripts/record-session-sync.mjs +87 -0
  223. package/scripts/run-gse-command.mjs +79 -47
  224. package/scripts/run-validation-profile.mjs +24 -5
  225. package/scripts/sign-gse-package.mjs +83 -83
  226. package/scripts/update-project-state.mjs +223 -223
  227. package/scripts/validate-gse.mjs +216 -0
  228. package/scripts/verify-gse-package.mjs +85 -85
@@ -1,35 +1,51 @@
1
- # Learning System
2
-
3
- Learnings keep long projects from repeating mistakes.
4
-
5
- ## Capture When
6
-
7
- - User corrects an assumption.
8
- - A command, tool, API, or integration fails unexpectedly.
9
- - A bug root cause was non-obvious.
10
- - A recurring workflow can be shortened or hardened.
11
- - A missing quality gate allowed a defect through.
12
-
13
- ## Do Not Capture
14
-
15
- - Raw chain of thought.
16
- - Temporary attempts.
17
- - Long command output.
18
- - One-off details unlikely to help future work.
19
-
20
- ## Upgrade Rule
21
-
22
- Use `references/drift-audit.md` when a repeated lesson suggests stale docs, stale project-profile facts, stale host adapters, stale tool assumptions, or stale evidence state.
23
-
1
+ # Learning System
2
+
3
+ Learnings keep long projects from repeating mistakes.
4
+
5
+ ## Capture When
6
+
7
+ - User corrects an assumption.
8
+ - A command, tool, API, or integration fails unexpectedly.
9
+ - A bug root cause was non-obvious.
10
+ - A recurring workflow can be shortened or hardened.
11
+ - A missing quality gate allowed a defect through.
12
+
13
+ ## Do Not Capture
14
+
15
+ - Raw chain of thought.
16
+ - Temporary attempts.
17
+ - Long command output.
18
+ - One-off details unlikely to help future work.
19
+
20
+ ## Upgrade Rule
21
+
22
+ Use `references/drift-audit.md` when a repeated lesson suggests stale docs, stale project-profile facts, stale host adapters, stale tool assumptions, or stale evidence state.
23
+
24
24
  - First occurrence: learning note.
25
25
  - Second occurrence: checklist or template update.
26
- - Third occurrence: project rule or quality gate.
26
+ - Third occurrence: project guard, project rule, or quality gate.
27
27
  - Fifth occurrence: script, test, or dedicated skill.
28
28
 
29
- ## Suggested Stores
29
+ Use `scripts/audit-learning-promotion.mjs --target <project-root> --json` to classify and count repeated lessons. The audit is read-only by default. Use `/gse learn --promote --execute` only to write `.gse/learning-promotions.md` candidate output; it does not mutate `.gse/project-guards.md`, `.gse/quality-gates.md`, templates, scripts, or skill files without a deliberate follow-up change.
30
+
31
+ Use `scripts/audit-learning-drift.mjs --root <gse-skill> --target <project-root> --json` after promotion analysis. It checks whether promoted guard or script candidates are covered by project guards, quality gates, `/gse continue`, `/gse close`, or a focused audit script. Uncovered high-severity candidates are surfaced as warnings so the next slice can deliberately promote them.
30
32
 
33
+ Promotion categories:
34
+
35
+ - `shell`: shell syntax, host command behavior, Windows/Unix command differences.
36
+ - `encoding`: UTF-8, mojibake, localized document handling.
37
+ - `evidence`: JSONL, evidence levels, stale records, close gates.
38
+ - `browser`: browser smoke, Playwright, screenshot, component-test downgrade.
39
+ - `git`: sparse checkout, staging, commit boundaries.
40
+ - `host-tool`: subagents, MCP, LSP, native slash commands, host runtime claims.
41
+ - `project-rule`: canonical plans, AGENTS.md, local project conventions.
42
+ - `release`: CI, registry, marketplace, security contact, release evidence.
43
+
44
+ ## Suggested Stores
45
+
31
46
  - `.gse/learnings.md` for portable project lessons.
47
+ - `.gse/project-guards.md` for recurring preflight rules promoted from lessons.
32
48
  - `.learnings/` when the project already uses that convention.
33
49
  - `AGENTS.md` for durable project rules.
34
50
  - ADRs for architectural decisions.
35
-
51
+
@@ -0,0 +1,51 @@
1
+ # GSE Maintenance Cadence
2
+
3
+ GSE final form requires recurring checks, not only one-time release proof. This cadence keeps benchmark coverage, drift detection, security review, forward testing, and target-project drills visible while host-native slash-command evidence remains an external gate.
4
+
5
+ ## Cadence Table
6
+
7
+ | Area | Trigger | Minimum Cadence | Evidence | Command |
8
+ |---|---|---|---|---|
9
+ | Benchmark audit | Non-trivial GSE capability change or new comparable engineering skill | Monthly or before release | `.gse/benchmark-audits/` entry or roadmap update | `node scripts/audit-final-form-roadmap.mjs --root . --json` |
10
+ | Drift audit | Project guard, learning, adapter, command, or state model changes | Weekly or before close | Learning drift and state freshness output | `node scripts/audit-learning-drift.mjs --root . --target . --json` |
11
+ | Dependency and security review | Release, install, package, registry, CI, or external input changes | Monthly or before release | Release trust, CI readiness, and public acceptance outputs | `node scripts/audit-release-trust.mjs --root . --json` |
12
+ | Forward test | Non-trivial routing, command, scaffold, validation, or package change | Before release and after major workflow changes | Fixture or fresh-session forward-test evidence | `node scripts/forward-test-gse.mjs --root . --json` |
13
+ | Target-project hardening drill | GSE adoption, continue, close, host capability, or learning behavior changes | Weekly or before public release | Read-only target drill output | `node scripts/audit-target-hardening-drills.mjs --root . --json` |
14
+ | Public acceptance doctor | Public release, registry, marketplace, host, or owner evidence changes | Before release or public claim | Pending owner/external gate report | `node scripts/audit-public-acceptance-readiness.mjs --root . --json` |
15
+ | Command runner smoke | `/gse` command routing, portable command wrapper, or short-entry behavior changes | Every command-router change | Portable runner output from `scripts/run-gse-command.mjs` | `node scripts/run-gse-command.mjs --root . --target . --command "/gse maintenance" --json --compact` |
16
+ | Installed skill sync | Any capability upgrade shipped from source to installed skill | Every capability upgrade | Installed-copy hash comparison and command smoke from `scripts/audit-installed-sync.mjs` | `node scripts/audit-installed-sync.mjs --root . --installed-root <installed-skill-dir> --json` |
17
+ | Active session sync | Any capability upgrade that should reach active GSE-using sessions | Every capability upgrade when active sessions exist | Honest sent, archived, unavailable, failed, or skipped records from `scripts/record-session-sync.mjs` plus `scripts/audit-session-sync.mjs` | `node scripts/audit-session-sync.mjs --root . --require-installed --require-thread <thread-id> --json` |
18
+
19
+ ## Maintenance Snapshot
20
+
21
+ Use a snapshot when the goal is to prove that the recurring checks actually ran, not only that the cadence is documented.
22
+
23
+ ```powershell
24
+ node scripts/generate-maintenance-snapshot.mjs --root . --target . --installed-root <installed-skill-dir> --execute --json
25
+ ```
26
+
27
+ The canonical output is `.gse/maintenance/latest-maintenance-snapshot.json` plus a Markdown sibling. Without `--installed-root`, the installed-sync row is package-only and must not be used as installed-copy freshness proof.
28
+
29
+ For an installed package smoke, use package mode so source-worktree-only roadmap and release-bundle freshness checks do not become false blockers:
30
+
31
+ ```powershell
32
+ node scripts/generate-maintenance-snapshot.mjs --root <installed-skill-dir> --target <installed-skill-dir> --package-smoke --skip-release-bundle --json
33
+ ```
34
+
35
+ Package smoke proves the installed copy can run the maintenance command set. The source repository remains responsible for canonical roadmap, release bundle, and installed-root freshness evidence.
36
+
37
+ ## Close Rule
38
+
39
+ Maintenance evidence is not a substitute for native host evidence, public CI, marketplace approval, or owner acceptance. It only proves that GSE has a repeatable upkeep loop and that remaining external gates stay visible.
40
+
41
+ Before claiming a maintenance-sensitive slice complete, run:
42
+
43
+ ```powershell
44
+ node scripts/audit-maintenance-cadence.mjs --root . --json
45
+ node scripts/generate-maintenance-snapshot.mjs --root . --target . --installed-root <installed-skill-dir> --execute --json
46
+ node scripts/audit-maintenance-snapshot.mjs --root . --json
47
+ node scripts/run-gse-command.mjs --root . --target . --command "/gse maintenance" --json --compact
48
+ node scripts/audit-installed-sync.mjs --root . --installed-root <installed-skill-dir> --json
49
+ node scripts/audit-session-sync.mjs --root . --json
50
+ node scripts/run-validation-profile.mjs --target . --profile lite --json
51
+ ```
@@ -1,46 +1,46 @@
1
- # Marketplace Discovery
2
-
3
- Use this when preparing GSE for a public catalog, skill marketplace, plugin listing, GitHub release page, or internal agent-workflow registry.
4
-
5
- Discovery metadata should help people find and evaluate GSE without overstating trust.
6
-
7
- ## Required Metadata
8
-
9
- - Name and display name.
10
- - Short tagline and summary.
11
- - Categories and keywords that describe the workflow naturally.
12
- - Entrypoints for humans and agents.
13
- - Validation commands.
14
- - Distribution and signing references.
15
- - Host support status with honest labels.
16
- - Boundaries and unverified claims.
17
-
18
- The canonical local metadata file is:
19
-
20
- ```text
21
- assets/marketplace/gse-listing.json
22
- ```
23
-
24
- ## Search Language
25
-
26
- Use normal explanatory language around terms such as agentic engineering, spec-driven development, SDD, AI coding agents, goal maps, evidence gates, OpenSpec-style changes, and Superpowers-style execution. Do not add isolated search-term blocks that read like keyword stuffing.
27
-
28
- ## Trust Boundary
29
-
30
- Discovery metadata is not marketplace approval.
31
-
32
- A listing can be:
33
-
34
- - `result`: drafted metadata exists.
35
- - `verified`: metadata passes local audit and matches package validation.
36
- - `accepted`: the target marketplace, catalog owner, or release owner accepts it.
37
-
38
- ## Validation
39
-
40
- Run:
41
-
42
- ```text
43
- node <skill>/scripts/audit-marketplace-discovery.mjs --root <skill> --json
44
- ```
45
-
46
- For release trust, also use `references/release-trust.md`.
1
+ # Marketplace Discovery
2
+
3
+ Use this when preparing GSE for a public catalog, skill marketplace, plugin listing, GitHub release page, or internal agent-workflow registry.
4
+
5
+ Discovery metadata should help people find and evaluate GSE without overstating trust.
6
+
7
+ ## Required Metadata
8
+
9
+ - Name and display name.
10
+ - Short tagline and summary.
11
+ - Categories and keywords that describe the workflow naturally.
12
+ - Entrypoints for humans and agents.
13
+ - Validation commands.
14
+ - Distribution and signing references.
15
+ - Host support status with honest labels.
16
+ - Boundaries and unverified claims.
17
+
18
+ The canonical local metadata file is:
19
+
20
+ ```text
21
+ assets/marketplace/gse-listing.json
22
+ ```
23
+
24
+ ## Search Language
25
+
26
+ Use normal explanatory language around terms such as agentic engineering, spec-driven development, SDD, AI coding agents, goal maps, evidence gates, OpenSpec-style changes, and Superpowers-style execution. Do not add isolated search-term blocks that read like keyword stuffing.
27
+
28
+ ## Trust Boundary
29
+
30
+ Discovery metadata is not marketplace approval.
31
+
32
+ A listing can be:
33
+
34
+ - `result`: drafted metadata exists.
35
+ - `verified`: metadata passes local audit and matches package validation.
36
+ - `accepted`: the target marketplace, catalog owner, or release owner accepts it.
37
+
38
+ ## Validation
39
+
40
+ Run:
41
+
42
+ ```text
43
+ node <skill>/scripts/audit-marketplace-discovery.mjs --root <skill> --json
44
+ ```
45
+
46
+ For release trust, also use `references/release-trust.md`.
@@ -1,103 +1,103 @@
1
- # Model Routing
2
-
3
- Use this when GSE work needs to choose a model, provider, hosted tool, local tool, browser agent, worker, or role-specific agent capability.
4
-
5
- ## Core Rule
6
-
7
- Route by capability first, then cost, latency, privacy, context size, tool use, reliability, and evidence.
8
-
9
- Do not hard-code one provider, one model family, or one host as the GSE default. Projects may define preferred providers, but GSE must preserve a portable fallback path.
10
-
11
- ## Capability-First Selection
12
-
13
- Define the task capability before picking a model:
14
-
15
- | Capability | Typical use | Routing preference |
16
- |---|---|---|
17
- | Fast classification | triage, route selection, small labels | lowest reliable latency/cost |
18
- | Code location | symbol search, call chains, existing tests | LSP/index/search before stronger model reasoning |
19
- | Mechanical edit | narrow transforms, boilerplate, local fixes | lower-cost coding-capable model if verification is strong |
20
- | Implementation | bounded code slice, tests, integration | standard coding model with project context |
21
- | Architecture/root cause | invariants, multi-file reasoning, debugging | highest-reasoning model available and approved |
22
- | Review/QA | spec compliance, security, regressions, UI evidence | independent reviewer model or fresh context when risk is high |
23
- | Long context synthesis | session working set, docs, logs, migration notes | model with adequate context and summarization behavior |
24
- | Tool/worker execution | browser, shell, MCP, CI, queue, runtime worker | verified host/tool adapter, not just model choice |
25
-
26
- ## Status Vocabulary
27
-
28
- Keep model availability separate from model behavior.
29
-
30
- - `documented`: project docs, provider config, or host settings mention the model/tool.
31
- - `verified`: this session or project evidence ran the model/tool successfully for the relevant capability.
32
- - `unknown`: no trustworthy evidence yet.
33
- - `unavailable`: expected model/tool is missing, blocked, failing, or forbidden.
34
-
35
- A documented model is not verified. A verified chat response does not verify tool use, long context, latency, cost, or privacy behavior.
36
-
37
- ## Routing Inputs
38
-
39
- Record these in `.gse/project-profile.md`, `.gse/tooling.md`, or a host adapter when relevant:
40
-
41
- - Provider or host:
42
- - Model/tool id:
43
- - Capability:
44
- - Status: documented | verified | unknown | unavailable
45
- - Evidence path or command:
46
- - Cost tier:
47
- - Latency expectation:
48
- - Context limit or practical context budget:
49
- - Tool-use support:
50
- - Privacy/security boundary:
51
- - Fallback:
52
- - Known failure modes:
53
-
54
- ## Decision Order
55
-
56
- 1. Use project-specific routing rules if they exist and do not conflict with current user instruction.
57
- 2. Prefer verified local tools for code location, tests, browser smoke, and CI before spending model reasoning.
58
- 3. Choose the cheapest/fastest model that can satisfy the capability with adequate verification.
59
- 4. Escalate to a stronger model when there is a clear reasoning, context, safety, or integration gap.
60
- 5. Use fresh context for review, QA, or high-risk architecture when current-session context may bias the result.
61
- 6. Fall back to a documented or generic model only when the task risk is low or verification can catch mistakes.
62
- 7. Record residual risk when model behavior is unknown or only structurally verified.
63
-
64
- ## Fallback Rules
65
-
66
- - If preferred model is unavailable, use the next project-approved model with the same capability class.
67
- - If tool-use support is unavailable, switch to manual shell/browser/CI verification when possible.
68
- - If long-context support is unavailable, build a smaller working set and record omitted context.
69
- - If privacy constraints forbid remote models, use local tools, local models, or ask for a project-approved path.
70
- - If cost is high, reduce context, split the task, or use lower-tier models for locator/QA roles.
71
- - Do not claim a fallback preserved quality unless focused evidence proves it.
72
-
73
- ## Evidence Requirements
74
-
75
- For model routing claims, record:
76
-
77
- ```text
78
- Capability:
79
- Chosen model/tool:
80
- Why this route:
81
- Status: documented | verified | unknown | unavailable
82
- Cost/latency notes:
83
- Context/tool-use notes:
84
- Privacy/security notes:
85
- Fallback:
86
- Evidence:
87
- Residual risk:
88
- ```
89
-
90
- ## What Not To Do
91
-
92
- - Do not route all tasks to the strongest model by default.
93
- - Do not route all tasks to the cheapest model when failure would be expensive.
94
- - Do not treat provider marketing claims as project evidence.
95
- - Do not expose secrets, raw provider payloads, hidden reasoning, or private tool traces in user-facing output.
96
- - Do not confuse model routing with provider adapter implementation.
97
-
98
- ## Project Integration
99
-
100
- - `references/project-profile.md` records project-approved providers, model/tool ids, privacy limits, and fallback policy.
101
- - `references/tool-adapters.md` records availability and verification status for host tools and model-backed tools.
102
- - `references/host-adapters.md` records host-specific model, subagent, MCP, browser, and worker capabilities.
103
- - `references/evidence-taxonomy.md` decides whether routing evidence is result, verified, or accepted.
1
+ # Model Routing
2
+
3
+ Use this when GSE work needs to choose a model, provider, hosted tool, local tool, browser agent, worker, or role-specific agent capability.
4
+
5
+ ## Core Rule
6
+
7
+ Route by capability first, then cost, latency, privacy, context size, tool use, reliability, and evidence.
8
+
9
+ Do not hard-code one provider, one model family, or one host as the GSE default. Projects may define preferred providers, but GSE must preserve a portable fallback path.
10
+
11
+ ## Capability-First Selection
12
+
13
+ Define the task capability before picking a model:
14
+
15
+ | Capability | Typical use | Routing preference |
16
+ |---|---|---|
17
+ | Fast classification | triage, route selection, small labels | lowest reliable latency/cost |
18
+ | Code location | symbol search, call chains, existing tests | LSP/index/search before stronger model reasoning |
19
+ | Mechanical edit | narrow transforms, boilerplate, local fixes | lower-cost coding-capable model if verification is strong |
20
+ | Implementation | bounded code slice, tests, integration | standard coding model with project context |
21
+ | Architecture/root cause | invariants, multi-file reasoning, debugging | highest-reasoning model available and approved |
22
+ | Review/QA | spec compliance, security, regressions, UI evidence | independent reviewer model or fresh context when risk is high |
23
+ | Long context synthesis | session working set, docs, logs, migration notes | model with adequate context and summarization behavior |
24
+ | Tool/worker execution | browser, shell, MCP, CI, queue, runtime worker | verified host/tool adapter, not just model choice |
25
+
26
+ ## Status Vocabulary
27
+
28
+ Keep model availability separate from model behavior.
29
+
30
+ - `documented`: project docs, provider config, or host settings mention the model/tool.
31
+ - `verified`: this session or project evidence ran the model/tool successfully for the relevant capability.
32
+ - `unknown`: no trustworthy evidence yet.
33
+ - `unavailable`: expected model/tool is missing, blocked, failing, or forbidden.
34
+
35
+ A documented model is not verified. A verified chat response does not verify tool use, long context, latency, cost, or privacy behavior.
36
+
37
+ ## Routing Inputs
38
+
39
+ Record these in `.gse/project-profile.md`, `.gse/tooling.md`, or a host adapter when relevant:
40
+
41
+ - Provider or host:
42
+ - Model/tool id:
43
+ - Capability:
44
+ - Status: documented | verified | unknown | unavailable
45
+ - Evidence path or command:
46
+ - Cost tier:
47
+ - Latency expectation:
48
+ - Context limit or practical context budget:
49
+ - Tool-use support:
50
+ - Privacy/security boundary:
51
+ - Fallback:
52
+ - Known failure modes:
53
+
54
+ ## Decision Order
55
+
56
+ 1. Use project-specific routing rules if they exist and do not conflict with current user instruction.
57
+ 2. Prefer verified local tools for code location, tests, browser smoke, and CI before spending model reasoning.
58
+ 3. Choose the cheapest/fastest model that can satisfy the capability with adequate verification.
59
+ 4. Escalate to a stronger model when there is a clear reasoning, context, safety, or integration gap.
60
+ 5. Use fresh context for review, QA, or high-risk architecture when current-session context may bias the result.
61
+ 6. Fall back to a documented or generic model only when the task risk is low or verification can catch mistakes.
62
+ 7. Record residual risk when model behavior is unknown or only structurally verified.
63
+
64
+ ## Fallback Rules
65
+
66
+ - If preferred model is unavailable, use the next project-approved model with the same capability class.
67
+ - If tool-use support is unavailable, switch to manual shell/browser/CI verification when possible.
68
+ - If long-context support is unavailable, build a smaller working set and record omitted context.
69
+ - If privacy constraints forbid remote models, use local tools, local models, or ask for a project-approved path.
70
+ - If cost is high, reduce context, split the task, or use lower-tier models for locator/QA roles.
71
+ - Do not claim a fallback preserved quality unless focused evidence proves it.
72
+
73
+ ## Evidence Requirements
74
+
75
+ For model routing claims, record:
76
+
77
+ ```text
78
+ Capability:
79
+ Chosen model/tool:
80
+ Why this route:
81
+ Status: documented | verified | unknown | unavailable
82
+ Cost/latency notes:
83
+ Context/tool-use notes:
84
+ Privacy/security notes:
85
+ Fallback:
86
+ Evidence:
87
+ Residual risk:
88
+ ```
89
+
90
+ ## What Not To Do
91
+
92
+ - Do not route all tasks to the strongest model by default.
93
+ - Do not route all tasks to the cheapest model when failure would be expensive.
94
+ - Do not treat provider marketing claims as project evidence.
95
+ - Do not expose secrets, raw provider payloads, hidden reasoning, or private tool traces in user-facing output.
96
+ - Do not confuse model routing with provider adapter implementation.
97
+
98
+ ## Project Integration
99
+
100
+ - `references/project-profile.md` records project-approved providers, model/tool ids, privacy limits, and fallback policy.
101
+ - `references/tool-adapters.md` records availability and verification status for host tools and model-backed tools.
102
+ - `references/host-adapters.md` records host-specific model, subagent, MCP, browser, and worker capabilities.
103
+ - `references/evidence-taxonomy.md` decides whether routing evidence is result, verified, or accepted.
@@ -1,39 +1,39 @@
1
- # GSE Open-Source Defaults
2
-
3
- Use this reference when preparing GSE for a public repository or when a project asks to follow the mainstream open-source path.
4
-
5
- ## Recommended Default
6
-
7
- GSE's owner-approved default route is:
8
-
9
- - License: MIT.
10
- - Repository: public GitHub repository.
11
- - CI: GitHub Actions with required checks.
12
- - Security: `SECURITY.md` plus GitHub Security Advisory or another owner-approved public disclosure path.
13
- - Release channel: GitHub Release first; package registry or marketplace only after real publication evidence exists.
14
- - Command UX: portable `/gse ...` commands, with native slash-command claims only after a host runtime record proves native execution.
15
-
16
- ## Why This Default
17
-
18
- - MIT is widely understood by open-source tool users and keeps integration friction low.
19
- - GitHub public repository plus GitHub Actions gives public, linkable evidence for repository settings and CI.
20
- - GitHub Release provides a simple first public channel without pretending a registry or marketplace approved the package.
21
- - Portable `/gse ...` command semantics work across hosts even when native slash-command APIs differ.
22
-
23
- ## Claim Boundaries
24
-
25
- - A local `LICENSE` file proves the license text exists; accepted license status requires an owner-approved release record.
26
- - A local GitHub Actions workflow file does not prove public CI. Use a real public run URL and `scripts/record-public-ci-run.mjs`.
27
- - A local `SECURITY.md` does not prove a public security contact. Use `scripts/record-public-security-contact.mjs` after the disclosure path is public and owner-approved.
28
- - A generated package or release bundle does not prove public publication. Use `scripts/record-public-channel-publication.mjs` after a real channel URL exists.
29
- - Generated host adapter pointers do not prove native slash commands. Use `scripts/record-host-invocation.mjs` with real host evidence.
30
-
31
- ## Minimal Public Release Order
32
-
33
- 1. Record the owner-approved MIT license decision.
34
- 2. Publish or mirror GSE into a public GitHub repository.
35
- 3. Enable repository settings: issues, pull requests, security policy visibility, branch protection, required checks, review before merge, conversation resolution, force-push restriction, and deletion restriction.
36
- 4. Run public GitHub Actions and record the run URL, commit SHA, branch, and required checks.
37
- 5. Create a GitHub Release and record the release URL.
38
- 6. Record host runtime invocation evidence for each claimed host.
39
- 7. Re-run final readiness and public acceptance audits.
1
+ # GSE Open-Source Defaults
2
+
3
+ Use this reference when preparing GSE for a public repository or when a project asks to follow the mainstream open-source path.
4
+
5
+ ## Recommended Default
6
+
7
+ GSE's owner-approved default route is:
8
+
9
+ - License: MIT.
10
+ - Repository: public GitHub repository.
11
+ - CI: GitHub Actions with required checks.
12
+ - Security: `SECURITY.md` plus GitHub Security Advisory or another owner-approved public disclosure path.
13
+ - Release channel: GitHub Release first; package registry or marketplace only after real publication evidence exists.
14
+ - Command UX: portable `/gse ...` commands, with native slash-command claims only after a host runtime record proves native execution.
15
+
16
+ ## Why This Default
17
+
18
+ - MIT is widely understood by open-source tool users and keeps integration friction low.
19
+ - GitHub public repository plus GitHub Actions gives public, linkable evidence for repository settings and CI.
20
+ - GitHub Release provides a simple first public channel without pretending a registry or marketplace approved the package.
21
+ - Portable `/gse ...` command semantics work across hosts even when native slash-command APIs differ.
22
+
23
+ ## Claim Boundaries
24
+
25
+ - A local `LICENSE` file proves the license text exists; accepted license status requires an owner-approved release record.
26
+ - A local GitHub Actions workflow file does not prove public CI. Use a real public run URL and `scripts/record-public-ci-run.mjs`.
27
+ - A local `SECURITY.md` does not prove a public security contact. Use `scripts/record-public-security-contact.mjs` after the disclosure path is public and owner-approved.
28
+ - A generated package or release bundle does not prove public publication. Use `scripts/record-public-channel-publication.mjs` after a real channel URL exists.
29
+ - Generated host adapter pointers do not prove native slash commands. Use `scripts/record-host-invocation.mjs` with real host evidence.
30
+
31
+ ## Minimal Public Release Order
32
+
33
+ 1. Record the owner-approved MIT license decision.
34
+ 2. Publish or mirror GSE into a public GitHub repository.
35
+ 3. Enable repository settings: issues, pull requests, security policy visibility, branch protection, required checks, review before merge, conversation resolution, force-push restriction, and deletion restriction.
36
+ 4. Run public GitHub Actions and record the run URL, commit SHA, branch, and required checks.
37
+ 5. Create a GitHub Release and record the release URL.
38
+ 6. Record host runtime invocation evidence for each claimed host.
39
+ 7. Re-run final readiness and public acceptance audits.
@@ -1,52 +1,52 @@
1
- # Operating Model
2
-
3
- Use the same loop for every task, scaled by task level.
4
-
5
- ## 1. Goal
6
-
7
- Identify the project goal, user outcome, current priority, and non-goals.
8
-
9
- For long-running work, bind to `.gse/goal-map.md` or the project's existing goal map.
10
-
11
- ## 2. Spec
12
-
13
- Define boundaries before implementation:
14
-
15
- - Inputs and outputs
16
- - UI/API/state behavior
17
- - Error and recovery behavior
18
- - Permissions and privacy boundaries
19
- - Acceptance criteria
20
- - Test or smoke plan
21
-
22
- Do not over-spec Level 1 tasks.
23
-
24
- ## 3. Execute
25
-
26
- Use the smallest verifiable slice.
27
-
28
- - Locate code with `rg`, `rg --files`, LSP, or an index before editing.
29
- - Follow existing patterns.
30
- - Keep unrelated refactors out.
31
- - Use subagents only when actual dispatch tools exist and ownership is clear.
32
- - Use `references/file-ownership.md` before editing dirty files, shared files, or files assigned to another role.
33
- - Avoid making every internal state transition its own product slice. When several small states only matter as one user-visible chain, merge them and verify the chain.
34
-
35
- ## 4. Evidence
36
-
37
- Completion needs evidence appropriate to the risk:
38
-
39
- - Unit/component/contract test
40
- - API smoke
41
- - Browser or Playwright smoke
42
- - Build/typecheck/lint
43
- - Screenshot or trace for UI
44
- - Commit hash or change summary
45
-
46
- Choose the gate profile from `references/task-levels.md` and `references/quality-gates.md`. A small docs or state slice should not pay the same verification cost as a release/install/cross-host slice. Conversely, release, public contract, install, and host-runtime claims need hard gates and cannot be proven by narrow tests alone.
47
-
48
- ## 5. Learn
49
-
50
- Record reusable lessons when a failure, correction, tool gap, repeated bug, or better process is discovered.
51
-
52
- Escalate repeated lessons into quality gates or project rules.
1
+ # Operating Model
2
+
3
+ Use the same loop for every task, scaled by task level.
4
+
5
+ ## 1. Goal
6
+
7
+ Identify the project goal, user outcome, current priority, and non-goals.
8
+
9
+ For long-running work, bind to `.gse/goal-map.md` or the project's existing goal map.
10
+
11
+ ## 2. Spec
12
+
13
+ Define boundaries before implementation:
14
+
15
+ - Inputs and outputs
16
+ - UI/API/state behavior
17
+ - Error and recovery behavior
18
+ - Permissions and privacy boundaries
19
+ - Acceptance criteria
20
+ - Test or smoke plan
21
+
22
+ Do not over-spec Level 1 tasks.
23
+
24
+ ## 3. Execute
25
+
26
+ Use the smallest verifiable slice.
27
+
28
+ - Locate code with `rg`, `rg --files`, LSP, or an index before editing.
29
+ - Follow existing patterns.
30
+ - Keep unrelated refactors out.
31
+ - Use subagents only when actual dispatch tools exist and ownership is clear.
32
+ - Use `references/file-ownership.md` before editing dirty files, shared files, or files assigned to another role.
33
+ - Avoid making every internal state transition its own product slice. When several small states only matter as one user-visible chain, merge them and verify the chain.
34
+
35
+ ## 4. Evidence
36
+
37
+ Completion needs evidence appropriate to the risk:
38
+
39
+ - Unit/component/contract test
40
+ - API smoke
41
+ - Browser or Playwright smoke
42
+ - Build/typecheck/lint
43
+ - Screenshot or trace for UI
44
+ - Commit hash or change summary
45
+
46
+ Choose the gate profile from `references/task-levels.md` and `references/quality-gates.md`. A small docs or state slice should not pay the same verification cost as a release/install/cross-host slice. Conversely, release, public contract, install, and host-runtime claims need hard gates and cannot be proven by narrow tests alone.
47
+
48
+ ## 5. Learn
49
+
50
+ Record reusable lessons when a failure, correction, tool gap, repeated bug, or better process is discovered.
51
+
52
+ Escalate repeated lessons into quality gates or project rules.