@t275005746/gse 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (228) hide show
  1. package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -42
  2. package/.github/ISSUE_TEMPLATE/change_request.yml +50 -50
  3. package/.github/ISSUE_TEMPLATE/config.yml +5 -5
  4. package/.github/PULL_REQUEST_TEMPLATE.md +38 -38
  5. package/.github/workflows/validate-gse.yml +33 -33
  6. package/.gse/README.md +18 -18
  7. package/.gse/gse-development-protocol.md +50 -50
  8. package/.gse/project-profile.md +29 -29
  9. package/.gse/quality-gates.md +25 -25
  10. package/.gse/releases/public-registry-publication-npm.md +49 -0
  11. package/.gse/releases/public-release-owner-required.md +65 -65
  12. package/.gse/releases/public-security-contact-owner-required.md +45 -45
  13. package/.gse/state.json +147 -27
  14. package/CHANGELOG.md +31 -15
  15. package/CONTRIBUTING.md +64 -64
  16. package/LICENSE +21 -21
  17. package/README.md +14 -7
  18. package/README.zh-CN.md +14 -7
  19. package/SECURITY.md +41 -41
  20. package/SKILL.md +32 -12
  21. package/SUPPORT.md +38 -38
  22. package/assets/marketplace/README.md +7 -7
  23. package/assets/marketplace/gse-listing.json +75 -75
  24. package/assets/templates/acceptance-execution-packet.md +73 -73
  25. package/assets/templates/adr.md +14 -14
  26. package/assets/templates/change-brief.md +16 -16
  27. package/assets/templates/design.md +18 -18
  28. package/assets/templates/dispatch-packet.md +100 -92
  29. package/assets/templates/evidence.md +15 -9
  30. package/assets/templates/execution-quality-pack.md +65 -65
  31. package/assets/templates/goal-map.md +21 -21
  32. package/assets/templates/host-adapter.md +48 -48
  33. package/assets/templates/host-ui-invocation-record.md +42 -42
  34. package/assets/templates/incident-review.md +60 -60
  35. package/assets/templates/public-channel-publication-record.md +49 -49
  36. package/assets/templates/public-ci-run-record.md +53 -53
  37. package/assets/templates/public-release-record.md +65 -65
  38. package/assets/templates/public-repository-settings-record.md +59 -59
  39. package/assets/templates/public-security-contact-record.md +45 -45
  40. package/assets/templates/release-trust-record.md +32 -32
  41. package/assets/templates/review.md +18 -18
  42. package/assets/templates/role-fallback-packet.md +49 -0
  43. package/assets/templates/spec.md +16 -16
  44. package/assets/templates/target-adoption-evidence.md +29 -29
  45. package/assets/templates/tasks.md +17 -17
  46. package/assets/templates/update-release-acceptance-record.md +58 -58
  47. package/examples/README.md +22 -22
  48. package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -6
  49. package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -7
  50. package/examples/agent-runtime-host/.gse/goal-map.md +7 -7
  51. package/examples/agent-runtime-host/.gse/project-profile.md +27 -27
  52. package/examples/agent-runtime-host/.gse/tooling.md +5 -5
  53. package/examples/agent-runtime-host/.mcp.json +9 -9
  54. package/examples/agent-runtime-host/AGENTS.md +5 -5
  55. package/examples/agent-runtime-host/README.md +10 -10
  56. package/examples/agent-runtime-host/docs/model-routing.md +5 -5
  57. package/examples/cli-tool/.gse/project-profile.md +21 -21
  58. package/examples/cli-tool/AGENTS.md +5 -5
  59. package/examples/cli-tool/README.md +12 -12
  60. package/examples/cli-tool/package.json +21 -21
  61. package/examples/small-app/.env.example +2 -2
  62. package/examples/small-app/.github/workflows/ci.yml +8 -8
  63. package/examples/small-app/AGENTS.md +5 -5
  64. package/examples/small-app/README.md +12 -12
  65. package/examples/small-app/package.json +26 -26
  66. package/examples/small-app/playwright.config.ts +4 -4
  67. package/package.json +52 -44
  68. package/references/adoption-recipes.md +171 -171
  69. package/references/agent-roles.md +42 -21
  70. package/references/architecture-health.md +101 -101
  71. package/references/benchmark-audit.md +73 -73
  72. package/references/commands.md +74 -45
  73. package/references/community-channels.md +46 -46
  74. package/references/compatibility.md +70 -70
  75. package/references/design-basis.md +38 -38
  76. package/references/domain-model.md +129 -129
  77. package/references/domain-quality-gates.md +75 -75
  78. package/references/drift-audit.md +81 -80
  79. package/references/evidence-taxonomy.md +145 -108
  80. package/references/file-ownership.md +97 -93
  81. package/references/final-form-roadmap.md +201 -0
  82. package/references/final-readiness.md +84 -84
  83. package/references/forward-test.md +133 -133
  84. package/references/goal-map.md +36 -36
  85. package/references/host-adapters.md +129 -101
  86. package/references/learning-system.md +42 -26
  87. package/references/maintenance-cadence.md +51 -0
  88. package/references/marketplace-discovery.md +46 -46
  89. package/references/model-routing.md +103 -103
  90. package/references/open-source-defaults.md +39 -39
  91. package/references/operating-model.md +52 -52
  92. package/references/packaging.md +277 -277
  93. package/references/project-agent-workspace.md +89 -89
  94. package/references/project-bootstrap.md +122 -122
  95. package/references/project-guards.md +52 -0
  96. package/references/project-profile.md +57 -57
  97. package/references/public-release.md +174 -174
  98. package/references/quality-gates.md +96 -89
  99. package/references/recovery.md +176 -176
  100. package/references/release-trust.md +43 -43
  101. package/references/release.md +126 -126
  102. package/references/review.md +141 -141
  103. package/references/role-dispatch-fallback.md +54 -0
  104. package/references/router.md +90 -90
  105. package/references/spec-workflow.md +66 -66
  106. package/references/task-levels.md +81 -81
  107. package/references/tool-adapters.md +80 -70
  108. package/scripts/audit-acceptance-execution-packet.mjs +133 -133
  109. package/scripts/audit-adoption-recipes.mjs +99 -99
  110. package/scripts/audit-change-lifecycle.mjs +77 -77
  111. package/scripts/audit-change-system.mjs +134 -134
  112. package/scripts/audit-ci-readiness.mjs +107 -107
  113. package/scripts/audit-close-gate-hardening.mjs +188 -0
  114. package/scripts/audit-close-gate.mjs +448 -262
  115. package/scripts/audit-command-adapters.mjs +91 -91
  116. package/scripts/audit-command-execution.mjs +212 -199
  117. package/scripts/audit-commands.mjs +7 -5
  118. package/scripts/audit-compatibility.mjs +149 -149
  119. package/scripts/audit-completion-plan-drill.mjs +230 -0
  120. package/scripts/audit-completion-readiness.mjs +290 -287
  121. package/scripts/audit-continue-preflight.mjs +234 -0
  122. package/scripts/audit-distribution.mjs +251 -251
  123. package/scripts/audit-domain-quality-gates.mjs +108 -108
  124. package/scripts/audit-evidence-levels.mjs +217 -0
  125. package/scripts/audit-evidence-placeholders.mjs +126 -126
  126. package/scripts/audit-evidence-review-queue.mjs +206 -0
  127. package/scripts/audit-final-acceptance-packet.mjs +9 -9
  128. package/scripts/audit-final-form-progress-report.mjs +19 -18
  129. package/scripts/audit-final-form-roadmap.mjs +157 -0
  130. package/scripts/audit-final-form-stale-copy.mjs +2 -2
  131. package/scripts/audit-final-readiness-promotion.mjs +255 -255
  132. package/scripts/audit-final-readiness.mjs +226 -226
  133. package/scripts/audit-fixtures.mjs +154 -154
  134. package/scripts/audit-fresh-session-readiness.mjs +177 -177
  135. package/scripts/audit-host-capabilities.mjs +237 -0
  136. package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -159
  137. package/scripts/audit-host-runtime-invocation-drill.mjs +240 -240
  138. package/scripts/audit-host-runtime-invocations.mjs +254 -254
  139. package/scripts/audit-host-ui-invocation.mjs +132 -132
  140. package/scripts/audit-installed-sync.mjs +203 -0
  141. package/scripts/audit-learning-drift.mjs +292 -0
  142. package/scripts/audit-learning-promotion.mjs +351 -0
  143. package/scripts/audit-learning-system.mjs +24 -14
  144. package/scripts/audit-local-final-form-completion.mjs +11 -10
  145. package/scripts/audit-maintenance-cadence.mjs +139 -0
  146. package/scripts/audit-maintenance-snapshot.mjs +181 -0
  147. package/scripts/audit-marketplace-discovery.mjs +122 -122
  148. package/scripts/audit-npm-package-metadata.mjs +160 -154
  149. package/scripts/audit-npm-publish-dry-run.mjs +194 -166
  150. package/scripts/audit-npm-tarball-install.mjs +195 -189
  151. package/scripts/audit-open-source-defaults.mjs +92 -92
  152. package/scripts/audit-open-source-readiness.mjs +97 -97
  153. package/scripts/audit-owner-external-gate-kit.mjs +12 -11
  154. package/scripts/audit-project-guards.mjs +189 -0
  155. package/scripts/audit-project.mjs +144 -141
  156. package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -203
  157. package/scripts/audit-public-acceptance-handoff.mjs +10 -10
  158. package/scripts/audit-public-acceptance-readiness.mjs +222 -222
  159. package/scripts/audit-public-channel-publication.mjs +248 -248
  160. package/scripts/audit-public-ci-run.mjs +184 -184
  161. package/scripts/audit-public-collaboration-templates.mjs +98 -98
  162. package/scripts/audit-public-external-gate-probe.mjs +206 -206
  163. package/scripts/audit-public-release-checklist.mjs +17 -15
  164. package/scripts/audit-public-release-decision.mjs +201 -201
  165. package/scripts/audit-public-release-metadata.mjs +176 -176
  166. package/scripts/audit-public-repository-settings.mjs +237 -237
  167. package/scripts/audit-public-security-contact.mjs +171 -171
  168. package/scripts/audit-readme-docs.mjs +6 -4
  169. package/scripts/audit-recovery-readiness.mjs +98 -98
  170. package/scripts/audit-release-bundle.mjs +13 -11
  171. package/scripts/audit-release-owner-action-plan-drill.mjs +5 -4
  172. package/scripts/audit-release-owner-action-plan.mjs +10 -10
  173. package/scripts/audit-release-readiness.mjs +106 -106
  174. package/scripts/audit-release-status-manifest.mjs +4 -4
  175. package/scripts/audit-release-trust.mjs +62 -62
  176. package/scripts/audit-remote-distribution.mjs +266 -266
  177. package/scripts/audit-roadmap-consistency.mjs +234 -230
  178. package/scripts/audit-role-dispatch-fallback.mjs +212 -0
  179. package/scripts/audit-session-sync.mjs +127 -0
  180. package/scripts/audit-signing.mjs +147 -147
  181. package/scripts/audit-state-freshness.mjs +20 -14
  182. package/scripts/audit-state-repair.mjs +360 -0
  183. package/scripts/audit-target-adoption-evidence.mjs +117 -117
  184. package/scripts/audit-target-hardening-drills.mjs +267 -0
  185. package/scripts/audit-target-project.mjs +507 -507
  186. package/scripts/audit-tool-fallback-policy.mjs +180 -0
  187. package/scripts/audit-ui-browser-evidence-policy.mjs +191 -0
  188. package/scripts/audit-update-release-acceptance.mjs +136 -136
  189. package/scripts/audit-v1-target-validation.mjs +269 -269
  190. package/scripts/audit-validation-profiles.mjs +125 -123
  191. package/scripts/backfill-evidence-levels.mjs +98 -0
  192. package/scripts/check-encoding.mjs +72 -0
  193. package/scripts/close-change.mjs +116 -116
  194. package/scripts/discover-project-profile.mjs +307 -307
  195. package/scripts/generate-command-adapter.mjs +231 -231
  196. package/scripts/generate-continue-packet.mjs +1214 -0
  197. package/scripts/generate-final-acceptance-packet.mjs +188 -173
  198. package/scripts/generate-final-form-progress-report.mjs +191 -189
  199. package/scripts/generate-host-runtime-evidence-handoff.mjs +198 -191
  200. package/scripts/generate-maintenance-snapshot.mjs +216 -0
  201. package/scripts/generate-owner-external-gate-kit.mjs +295 -295
  202. package/scripts/generate-public-acceptance-handoff.mjs +168 -156
  203. package/scripts/generate-public-release-checklist.mjs +207 -207
  204. package/scripts/generate-release-bundle.mjs +505 -505
  205. package/scripts/generate-release-owner-action-plan.mjs +172 -171
  206. package/scripts/generate-release-status-manifest.mjs +199 -198
  207. package/scripts/generate-session-prompt.mjs +188 -188
  208. package/scripts/gse.mjs +67 -67
  209. package/scripts/init-change.mjs +265 -265
  210. package/scripts/init-project.mjs +793 -712
  211. package/scripts/install-gse.mjs +234 -234
  212. package/scripts/lib/evidence-placeholders.mjs +28 -28
  213. package/scripts/package-gse.mjs +174 -174
  214. package/scripts/probe-public-external-gates.mjs +167 -167
  215. package/scripts/record-host-invocation.mjs +151 -151
  216. package/scripts/record-learning.mjs +37 -8
  217. package/scripts/record-public-channel-publication.mjs +178 -178
  218. package/scripts/record-public-ci-run.mjs +180 -180
  219. package/scripts/record-public-release.mjs +175 -175
  220. package/scripts/record-public-repository-settings.mjs +209 -209
  221. package/scripts/record-public-security-contact.mjs +157 -157
  222. package/scripts/record-session-sync.mjs +87 -0
  223. package/scripts/run-gse-command.mjs +79 -47
  224. package/scripts/run-validation-profile.mjs +24 -5
  225. package/scripts/sign-gse-package.mjs +83 -83
  226. package/scripts/update-project-state.mjs +223 -223
  227. package/scripts/validate-gse.mjs +216 -0
  228. package/scripts/verify-gse-package.mjs +85 -85
@@ -1,277 +1,277 @@
1
- # Packaging And Maintenance
2
-
3
- Use this when preparing GSE itself for handoff, update, local installation, or a versioned internal release.
4
-
5
- Use `references/adoption-recipes.md` for applying or updating GSE inside a target project after the skill package itself is validated.
6
-
7
- This is a packaging readiness guide, not a registry publication process. Do not claim marketplace distribution, host plugin support, signing, open-source license acceptance, or v1.0 acceptance unless that evidence exists. Use `references/public-release.md` before public GitHub, marketplace, catalog, registry, or external package handoff.
8
-
9
- ## Package Boundary
10
-
11
- The GSE skill package includes:
12
-
13
- - `package.json` as Node package metadata for local packing, CLI bin exposure, and future registry handoff.
14
- - `SKILL.md` as the small entrypoint.
15
- - `CHANGELOG.md` as the public-release change history and unsupported-claims boundary.
16
- - `CONTRIBUTING.md`, `SECURITY.md`, and `SUPPORT.md` as public repository collaboration, vulnerability-reporting, and support boundaries.
17
- - `.github/workflows/validate-gse.yml` as the portable GitHub Actions validation template for public repository use.
18
- - `.github/PULL_REQUEST_TEMPLATE.md` and `.github/ISSUE_TEMPLATE/` as evidence-first public collaboration templates.
19
- - `references/` as progressive-disclosure guidance.
20
- - `scripts/` as repeatable audits, generators, discovery, validation, and forward-test probes.
21
- - `assets/templates/` as reusable project artifacts.
22
- - `assets/marketplace/` as portable discovery metadata for catalogs and marketplaces.
23
- - `examples/` as lightweight adoption fixtures.
24
- - `agents/openai.yaml` as optional host UI metadata.
25
- - `.gse/` as the GSE self-development source of truth.
26
-
27
- Do not package temporary output, command logs, screenshots, secrets, generated cache folders, `.learnings/`, or host-specific local credentials.
28
-
29
- Generated package and release manifests must not expose the packager's local absolute source path. Keep local paths in command output only, not in distributable metadata.
30
-
31
- ## Version And Release Label
32
-
33
- GSE currently uses an internal readiness label rather than a published semver package.
34
-
35
- Release labels should use this format until a real package manager or registry exists:
36
-
37
- ```text
38
- gse-internal-YYYY-MM-DD-N
39
- ```
40
-
41
- Increment `N` for multiple release candidates on the same day.
42
-
43
- Use semver only after there is a maintained distribution channel and backward-compatibility policy.
44
-
45
- ## Release Validation Gate
46
-
47
- Before handing off or calling a GSE package release-ready, run:
48
-
49
- ```text
50
- node <skill>/scripts/validate-gse.mjs --root <skill>
51
- ```
52
-
53
- The release is not ready if validation fails, if the skill validator is skipped unexpectedly, or if a required evidence gate is only `result` when the release level requires `verified` or `accepted`.
54
-
55
- `validate-gse.mjs` currently covers structural self-audit, project bootstrap smoke, fixture adoption, existing-repo adoption, host adapter generation, compatibility matrix, documented fixture forward-test, fresh-session readiness, local package/install distribution audit, remote URL distribution integrity audit, package signing and verification audit, release trust policy, public release metadata, release bundle generation, open-source repository readiness, CI workflow readiness, public collaboration templates, marketplace discovery metadata, host UI invocation readiness, skill metadata validation, and BOM scanning.
56
-
57
- ## Distribution Audit Profiles
58
-
59
- Before public handoff or registry preparation, verify Node package metadata:
60
-
61
- ```text
62
- node <skill>/scripts/audit-npm-package-metadata.mjs --root <skill> --json
63
- node <skill>/scripts/audit-npm-tarball-install.mjs --root <skill> --json
64
- node <skill>/scripts/audit-npm-publish-dry-run.mjs --root <skill> --json
65
- npm pack --dry-run --json
66
- ```
67
-
68
- The metadata audit proves package metadata and dry-run pack contents. The tarball install audit creates a real local npm tarball, installs it into a clean temporary consumer project, runs the installed `gse` bin, and runs an installed README audit. The publish dry-run audit checks npm publication metadata, CLI bin preservation, required runtime files, integrity fields, and harmful metadata auto-correction warnings. These checks do not publish to npm, reserve a package name, verify a public repository, or prove registry approval.
69
-
70
- Use the right distribution profile for the claim:
71
-
72
- ```text
73
- node <skill>/scripts/audit-distribution.mjs --root <skill> --profile smoke
74
- node <skill>/scripts/audit-remote-distribution.mjs --root <skill> --profile smoke
75
- node <skill>/scripts/validate-gse.mjs --root <skill> --distribution-profile smoke
76
- ```
77
-
78
- `smoke` verifies package creation, install, installed entrypoints, CLI status, remote URL install, and remote integrity/tamper behavior. It skips the nested installed-copy `validate-gse` run.
79
-
80
- Use `full` before release, package handoff, install/update claims, or when the installed copy itself must be validated:
81
-
82
- ```text
83
- node <skill>/scripts/validate-gse.mjs --root <skill> --distribution-profile full
84
- ```
85
-
86
- ## CI Workflow Template
87
-
88
- GSE includes a GitHub Actions workflow template at `.github/workflows/validate-gse.yml`.
89
-
90
- The template runs:
91
-
92
- ```text
93
- node scripts/validate-gse.mjs --root . --skip-skill-validator --json
94
- node scripts/audit-final-readiness.mjs --root . --json
95
- node scripts/audit-final-acceptance-packet.mjs --root . --json
96
- ```
97
-
98
- Run the local CI readiness audit with:
99
-
100
- ```text
101
- node <skill>/scripts/audit-ci-readiness.mjs --root <skill>
102
- ```
103
-
104
- This verifies the workflow file, trigger coverage, Node setup, validation commands, and final-readiness boundary checks. It does not prove a real public GitHub Actions run, branch protection, required status checks, or marketplace CI policy.
105
-
106
- ## Release Bundle
107
-
108
- Use a release bundle when handing GSE to another host, another repository, or a maintainer who needs the install commands, validation checklist, public-release record, and unsupported-claims boundary in one directory:
109
-
110
- ```text
111
- node <skill>/scripts/generate-release-bundle.mjs --root <skill> --label <release-label> --out <bundle-dir>
112
- ```
113
-
114
- For a focused bundle check, run:
115
-
116
- ```text
117
- node <skill>/scripts/audit-release-bundle.mjs --root <skill>
118
- ```
119
-
120
- This verifies that the bundle contains a release summary, install commands, validation checklist, public-release record, handoff files, manifest, and owner action plan. The bundle generator creates a fresh release status manifest and owner action plan during bundle creation instead of trusting stale cached acceptance files. The audit writes to an isolated temporary directory so it does not mutate the canonical release bundle path during validation. It still does not publish GSE, choose a license, approve a marketplace listing, or prove host-native slash-command support.
121
-
122
- ## Release Status Manifest
123
-
124
- Use the release status manifest when another host, CI job, marketplace checklist, or maintainer needs a machine-readable summary of GSE readiness:
125
-
126
- ```text
127
- node <skill>/scripts/generate-release-status-manifest.mjs --root <skill> --out <skill>/.gse/acceptance/release-status-manifest.json --force
128
- node <skill>/scripts/audit-release-status-manifest.mjs --root <skill>
129
- ```
130
-
131
- The manifest summarizes verified rows, owner-required rows, external-required rows, install/distribution status, public acceptance gates, host runtime evidence counts, host runtime fixture drill status, and verification commands. It is generated from current audits and records; it does not create owner decisions, external publication, public CI, marketplace approval, or native slash-command evidence.
132
-
133
- ## Release Owner Action Plan
134
-
135
- Use the owner action plan when a human owner or maintainer needs the next concrete public-release actions grouped by responsible party:
136
-
137
- ```text
138
- node <skill>/scripts/generate-release-owner-action-plan.mjs --root <skill> --force --json
139
- node <skill>/scripts/audit-release-owner-action-plan.mjs --root <skill> --json
140
- node <skill>/scripts/audit-release-owner-action-plan-drill.mjs --root <skill> --json
141
- ```
142
-
143
- The plan is generated from `.gse/acceptance/release-status-manifest.json`. It groups pending gates by project owner, repository owner, external CI, external registry, external marketplace, and host runtime. It includes the record command and required evidence for each gate. It does not select a license, configure a repository, run public CI, publish a package, approve a marketplace listing, or prove native slash-command support.
144
-
145
- The drill runs the plan path in a temporary fixture: it generates the manifest and plan, creates accepted fixture records for every owner/external gate family, verifies final readiness promotes to `publicAccepted: verified`, verifies the public acceptance doctor reports zero pending gates, and then removes the fixture. This proves the workflow mechanics without claiming real public acceptance.
146
-
147
- ## Local Package And Install
148
-
149
- Use this path before claiming GSE can be copied or installed outside its current development folder:
150
-
151
- ```text
152
- node <skill>/scripts/package-gse.mjs --root <skill> --out <package-dir> --label <release-label>
153
- node <skill>/scripts/install-gse.mjs --source <package-dir> --target <install-skill-dir>
154
- node <install-skill-dir>/scripts/validate-gse.mjs --root <install-skill-dir> --skip-skill-validator --skip-distribution --skip-completion-readiness
155
- ```
156
-
157
- For a one-command local distribution proof, run:
158
-
159
- ```text
160
- node <skill>/scripts/audit-distribution.mjs --root <skill>
161
- ```
162
-
163
- This proves file-based packaging, install, and installed-copy validation. It still does not prove registry publication, remote-machine install, signing, shell completion, or marketplace discovery.
164
-
165
- ## Remote URL Install And Integrity
166
-
167
- GSE packages include a `gse-package-manifest.json` with `sha256` hashes for packaged files.
168
-
169
- Install from a URL-shaped package source with:
170
-
171
- ```text
172
- node <skill>/scripts/install-gse.mjs --source-url <file-or-http-package-url> --target <install-skill-dir>
173
- ```
174
-
175
- Run the focused remote distribution audit with:
176
-
177
- ```text
178
- node <skill>/scripts/audit-remote-distribution.mjs --root <skill>
179
- ```
180
-
181
- This starts a temporary HTTP package source, installs from `--source-url`, validates the installed copy, then tampers with a package file to verify the integrity gate fails. It proves URL install and manifest integrity behavior locally. It still does not prove public registry publication, trusted signing, marketplace discovery, or remote-machine network conditions.
182
-
183
- ## Signing And Verification
184
-
185
- Use Ed25519 signing when a package needs tamper evidence beyond raw file hashes:
186
-
187
- ```text
188
- node <skill>/scripts/sign-gse-package.mjs --package <package-dir> --private-key <private.pem> --public-key <public.pem>
189
- node <skill>/scripts/verify-gse-package.mjs --package <package-dir> --public-key <public.pem>
190
- node <skill>/scripts/install-gse.mjs --source <package-dir> --target <install-skill-dir> --public-key <public.pem>
191
- ```
192
-
193
- For local audit keys only:
194
-
195
- ```text
196
- node <skill>/scripts/sign-gse-package.mjs --package <package-dir> --private-key <private.pem> --public-key <public.pem> --generate-key
197
- ```
198
-
199
- Run the focused signing audit with:
200
-
201
- ```text
202
- node <skill>/scripts/audit-signing.mjs --root <skill>
203
- ```
204
-
205
- This proves signing mechanics, signature verification, signed install, and tamper rejection. It does not prove maintainer identity, public key custody, transparency logs, marketplace trust, or a production release policy.
206
-
207
- For public or shared releases, also complete `references/release-trust.md` and `assets/templates/release-trust-record.md`. This is the Release Trust record for the package. A package can be signed and verified without being trusted; trusted release status requires owner acceptance, public key fingerprint publication, custody rules, rotation policy, and revocation path.
208
-
209
- For public open-source releases, also complete `references/public-release.md` and `assets/templates/public-release-record.md`. GSE must not choose a license by guessing; accepted public release requires an owner-selected license or an explicit `not-public` decision.
210
-
211
- ## Marketplace Discovery
212
-
213
- Use `references/marketplace-discovery.md` and `assets/marketplace/gse-listing.json` when preparing a public listing, catalog entry, plugin page, or marketplace submission.
214
-
215
- Run:
216
-
217
- ```text
218
- node <skill>/scripts/audit-marketplace-discovery.mjs --root <skill> --json
219
- ```
220
-
221
- This verifies local discovery metadata and search-language fit. It does not prove marketplace approval, public search indexing, registry publication, maintainer identity, or host-native installation.
222
-
223
- ## Release Notes
224
-
225
- Use `references/release.md` as the general release policy. For GSE skill releases, keep notes short:
226
-
227
- ```text
228
- Release label:
229
- Date:
230
- Readiness: not ready | result | verified | accepted
231
- Changed:
232
- Validation:
233
- Compatibility impact:
234
- Migration or rollback:
235
- Known risks:
236
- Follow-up slices:
237
- ```
238
-
239
- Rules:
240
-
241
- - Link to `.gse/evidence/YYYY-MM-DD.md` instead of pasting long command output.
242
- - Separate user-facing workflow changes from internal script/refactoring changes.
243
- - Mark unavailable or unverified host tools honestly.
244
- - Keep true fresh-session acceptance separate from fresh-session readiness.
245
-
246
- ## Install Or Update Handoff
247
-
248
- For a local handoff, provide:
249
-
250
- - Skill path: `<install-skill-dir>` or the target install path.
251
- - Release label or date.
252
- - Validation command and latest result.
253
- - Evidence log path.
254
- - Known residual risks.
255
- - Next slice from `.gse/current-slice.md`.
256
-
257
- For project-local GSE updates or release-readiness changes, use `assets/templates/update-release-acceptance-record.md` to preserve local decisions, changed files, commands run, rollback notes, owner gate, accepted-by status, and residual risks.
258
-
259
- If copying GSE to another machine or host, run validation after copy and record the result in that environment. Host-specific capabilities remain `unknown` until checked there.
260
-
261
- ## Rollback
262
-
263
- For low-risk GSE documentation/script changes, rollback is file-level revert of the touched artifacts plus re-running `validate-gse.mjs`.
264
-
265
- For scaffold, generator, or template changes that may affect downstream projects, also record:
266
-
267
- - Which generated files or adapters may need regeneration.
268
- - Whether existing project `.gse/` folders are compatible.
269
- - Whether host adapters need manual review.
270
-
271
- ## Readiness Status
272
-
273
- - `result`: packaging notes or release artifacts exist.
274
- - `verified`: `validate-gse.mjs` passes and release notes identify residual risks.
275
- - `accepted`: required owner, fresh-session, release policy, or distribution gate accepts the release.
276
-
277
- Do not call a release accepted only because local validation passed unless the current release policy explicitly says local validation is sufficient.
1
+ # Packaging And Maintenance
2
+
3
+ Use this when preparing GSE itself for handoff, update, local installation, or a versioned internal release.
4
+
5
+ Use `references/adoption-recipes.md` for applying or updating GSE inside a target project after the skill package itself is validated.
6
+
7
+ This is a packaging readiness guide, not a registry publication process. Do not claim marketplace distribution, host plugin support, signing, open-source license acceptance, or v1.0 acceptance unless that evidence exists. Use `references/public-release.md` before public GitHub, marketplace, catalog, registry, or external package handoff.
8
+
9
+ ## Package Boundary
10
+
11
+ The GSE skill package includes:
12
+
13
+ - `package.json` as Node package metadata for local packing, CLI bin exposure, and future registry handoff.
14
+ - `SKILL.md` as the small entrypoint.
15
+ - `CHANGELOG.md` as the public-release change history and unsupported-claims boundary.
16
+ - `CONTRIBUTING.md`, `SECURITY.md`, and `SUPPORT.md` as public repository collaboration, vulnerability-reporting, and support boundaries.
17
+ - `.github/workflows/validate-gse.yml` as the portable GitHub Actions validation template for public repository use.
18
+ - `.github/PULL_REQUEST_TEMPLATE.md` and `.github/ISSUE_TEMPLATE/` as evidence-first public collaboration templates.
19
+ - `references/` as progressive-disclosure guidance.
20
+ - `scripts/` as repeatable audits, generators, discovery, validation, and forward-test probes.
21
+ - `assets/templates/` as reusable project artifacts.
22
+ - `assets/marketplace/` as portable discovery metadata for catalogs and marketplaces.
23
+ - `examples/` as lightweight adoption fixtures.
24
+ - `agents/openai.yaml` as optional host UI metadata.
25
+ - `.gse/` as the GSE self-development source of truth.
26
+
27
+ Do not package temporary output, command logs, screenshots, secrets, generated cache folders, `.learnings/`, or host-specific local credentials.
28
+
29
+ Generated package and release manifests must not expose the packager's local absolute source path. Keep local paths in command output only, not in distributable metadata.
30
+
31
+ ## Version And Release Label
32
+
33
+ GSE currently uses an internal readiness label rather than a published semver package.
34
+
35
+ Release labels should use this format until a real package manager or registry exists:
36
+
37
+ ```text
38
+ gse-internal-YYYY-MM-DD-N
39
+ ```
40
+
41
+ Increment `N` for multiple release candidates on the same day.
42
+
43
+ Use semver only after there is a maintained distribution channel and backward-compatibility policy.
44
+
45
+ ## Release Validation Gate
46
+
47
+ Before handing off or calling a GSE package release-ready, run:
48
+
49
+ ```text
50
+ node <skill>/scripts/validate-gse.mjs --root <skill>
51
+ ```
52
+
53
+ The release is not ready if validation fails, if the skill validator is skipped unexpectedly, or if a required evidence gate is only `result` when the release level requires `verified` or `accepted`.
54
+
55
+ `validate-gse.mjs` currently covers structural self-audit, project bootstrap smoke, fixture adoption, existing-repo adoption, host adapter generation, compatibility matrix, documented fixture forward-test, fresh-session readiness, local package/install distribution audit, remote URL distribution integrity audit, package signing and verification audit, release trust policy, public release metadata, release bundle generation, open-source repository readiness, CI workflow readiness, public collaboration templates, marketplace discovery metadata, host UI invocation readiness, skill metadata validation, and BOM scanning.
56
+
57
+ ## Distribution Audit Profiles
58
+
59
+ Before public handoff or registry preparation, verify Node package metadata:
60
+
61
+ ```text
62
+ node <skill>/scripts/audit-npm-package-metadata.mjs --root <skill> --json
63
+ node <skill>/scripts/audit-npm-tarball-install.mjs --root <skill> --json
64
+ node <skill>/scripts/audit-npm-publish-dry-run.mjs --root <skill> --json
65
+ npm pack --dry-run --json
66
+ ```
67
+
68
+ The metadata audit proves package metadata and dry-run pack contents. The tarball install audit creates a real local npm tarball, installs it into a clean temporary consumer project, runs the installed `gse` bin, and runs an installed README audit. The publish dry-run audit checks npm publication metadata, CLI bin preservation, required runtime files, integrity fields, and harmful metadata auto-correction warnings. These checks do not publish to npm, reserve a package name, verify a public repository, or prove registry approval.
69
+
70
+ Use the right distribution profile for the claim:
71
+
72
+ ```text
73
+ node <skill>/scripts/audit-distribution.mjs --root <skill> --profile smoke
74
+ node <skill>/scripts/audit-remote-distribution.mjs --root <skill> --profile smoke
75
+ node <skill>/scripts/validate-gse.mjs --root <skill> --distribution-profile smoke
76
+ ```
77
+
78
+ `smoke` verifies package creation, install, installed entrypoints, CLI status, remote URL install, and remote integrity/tamper behavior. It skips the nested installed-copy `validate-gse` run.
79
+
80
+ Use `full` before release, package handoff, install/update claims, or when the installed copy itself must be validated:
81
+
82
+ ```text
83
+ node <skill>/scripts/validate-gse.mjs --root <skill> --distribution-profile full
84
+ ```
85
+
86
+ ## CI Workflow Template
87
+
88
+ GSE includes a GitHub Actions workflow template at `.github/workflows/validate-gse.yml`.
89
+
90
+ The template runs:
91
+
92
+ ```text
93
+ node scripts/validate-gse.mjs --root . --skip-skill-validator --json
94
+ node scripts/audit-final-readiness.mjs --root . --json
95
+ node scripts/audit-final-acceptance-packet.mjs --root . --json
96
+ ```
97
+
98
+ Run the local CI readiness audit with:
99
+
100
+ ```text
101
+ node <skill>/scripts/audit-ci-readiness.mjs --root <skill>
102
+ ```
103
+
104
+ This verifies the workflow file, trigger coverage, Node setup, validation commands, and final-readiness boundary checks. It does not prove a real public GitHub Actions run, branch protection, required status checks, or marketplace CI policy.
105
+
106
+ ## Release Bundle
107
+
108
+ Use a release bundle when handing GSE to another host, another repository, or a maintainer who needs the install commands, validation checklist, public-release record, and unsupported-claims boundary in one directory:
109
+
110
+ ```text
111
+ node <skill>/scripts/generate-release-bundle.mjs --root <skill> --label <release-label> --out <bundle-dir>
112
+ ```
113
+
114
+ For a focused bundle check, run:
115
+
116
+ ```text
117
+ node <skill>/scripts/audit-release-bundle.mjs --root <skill>
118
+ ```
119
+
120
+ This verifies that the bundle contains a release summary, install commands, validation checklist, public-release record, handoff files, manifest, and owner action plan. The bundle generator creates a fresh release status manifest and owner action plan during bundle creation instead of trusting stale cached acceptance files. The audit writes to an isolated temporary directory so it does not mutate the canonical release bundle path during validation. It still does not publish GSE, choose a license, approve a marketplace listing, or prove host-native slash-command support.
121
+
122
+ ## Release Status Manifest
123
+
124
+ Use the release status manifest when another host, CI job, marketplace checklist, or maintainer needs a machine-readable summary of GSE readiness:
125
+
126
+ ```text
127
+ node <skill>/scripts/generate-release-status-manifest.mjs --root <skill> --out <skill>/.gse/acceptance/release-status-manifest.json --force
128
+ node <skill>/scripts/audit-release-status-manifest.mjs --root <skill>
129
+ ```
130
+
131
+ The manifest summarizes verified rows, owner-required rows, external-required rows, install/distribution status, public acceptance gates, host runtime evidence counts, host runtime fixture drill status, and verification commands. It is generated from current audits and records; it does not create owner decisions, external publication, public CI, marketplace approval, or native slash-command evidence.
132
+
133
+ ## Release Owner Action Plan
134
+
135
+ Use the owner action plan when a human owner or maintainer needs the next concrete public-release actions grouped by responsible party:
136
+
137
+ ```text
138
+ node <skill>/scripts/generate-release-owner-action-plan.mjs --root <skill> --force --json
139
+ node <skill>/scripts/audit-release-owner-action-plan.mjs --root <skill> --json
140
+ node <skill>/scripts/audit-release-owner-action-plan-drill.mjs --root <skill> --json
141
+ ```
142
+
143
+ The plan is generated from `.gse/acceptance/release-status-manifest.json`. It groups pending gates by project owner, repository owner, external CI, external registry, external marketplace, and host runtime. It includes the record command and required evidence for each gate. It does not select a license, configure a repository, run public CI, publish a package, approve a marketplace listing, or prove native slash-command support.
144
+
145
+ The drill runs the plan path in a temporary fixture: it generates the manifest and plan, creates accepted fixture records for every owner/external gate family, verifies final readiness promotes to `publicAccepted: verified`, verifies the public acceptance doctor reports zero pending gates, and then removes the fixture. This proves the workflow mechanics without claiming real public acceptance.
146
+
147
+ ## Local Package And Install
148
+
149
+ Use this path before claiming GSE can be copied or installed outside its current development folder:
150
+
151
+ ```text
152
+ node <skill>/scripts/package-gse.mjs --root <skill> --out <package-dir> --label <release-label>
153
+ node <skill>/scripts/install-gse.mjs --source <package-dir> --target <install-skill-dir>
154
+ node <install-skill-dir>/scripts/validate-gse.mjs --root <install-skill-dir> --skip-skill-validator --skip-distribution --skip-completion-readiness
155
+ ```
156
+
157
+ For a one-command local distribution proof, run:
158
+
159
+ ```text
160
+ node <skill>/scripts/audit-distribution.mjs --root <skill>
161
+ ```
162
+
163
+ This proves file-based packaging, install, and installed-copy validation. It still does not prove registry publication, remote-machine install, signing, shell completion, or marketplace discovery.
164
+
165
+ ## Remote URL Install And Integrity
166
+
167
+ GSE packages include a `gse-package-manifest.json` with `sha256` hashes for packaged files.
168
+
169
+ Install from a URL-shaped package source with:
170
+
171
+ ```text
172
+ node <skill>/scripts/install-gse.mjs --source-url <file-or-http-package-url> --target <install-skill-dir>
173
+ ```
174
+
175
+ Run the focused remote distribution audit with:
176
+
177
+ ```text
178
+ node <skill>/scripts/audit-remote-distribution.mjs --root <skill>
179
+ ```
180
+
181
+ This starts a temporary HTTP package source, installs from `--source-url`, validates the installed copy, then tampers with a package file to verify the integrity gate fails. It proves URL install and manifest integrity behavior locally. It still does not prove public registry publication, trusted signing, marketplace discovery, or remote-machine network conditions.
182
+
183
+ ## Signing And Verification
184
+
185
+ Use Ed25519 signing when a package needs tamper evidence beyond raw file hashes:
186
+
187
+ ```text
188
+ node <skill>/scripts/sign-gse-package.mjs --package <package-dir> --private-key <private.pem> --public-key <public.pem>
189
+ node <skill>/scripts/verify-gse-package.mjs --package <package-dir> --public-key <public.pem>
190
+ node <skill>/scripts/install-gse.mjs --source <package-dir> --target <install-skill-dir> --public-key <public.pem>
191
+ ```
192
+
193
+ For local audit keys only:
194
+
195
+ ```text
196
+ node <skill>/scripts/sign-gse-package.mjs --package <package-dir> --private-key <private.pem> --public-key <public.pem> --generate-key
197
+ ```
198
+
199
+ Run the focused signing audit with:
200
+
201
+ ```text
202
+ node <skill>/scripts/audit-signing.mjs --root <skill>
203
+ ```
204
+
205
+ This proves signing mechanics, signature verification, signed install, and tamper rejection. It does not prove maintainer identity, public key custody, transparency logs, marketplace trust, or a production release policy.
206
+
207
+ For public or shared releases, also complete `references/release-trust.md` and `assets/templates/release-trust-record.md`. This is the Release Trust record for the package. A package can be signed and verified without being trusted; trusted release status requires owner acceptance, public key fingerprint publication, custody rules, rotation policy, and revocation path.
208
+
209
+ For public open-source releases, also complete `references/public-release.md` and `assets/templates/public-release-record.md`. GSE must not choose a license by guessing; accepted public release requires an owner-selected license or an explicit `not-public` decision.
210
+
211
+ ## Marketplace Discovery
212
+
213
+ Use `references/marketplace-discovery.md` and `assets/marketplace/gse-listing.json` when preparing a public listing, catalog entry, plugin page, or marketplace submission.
214
+
215
+ Run:
216
+
217
+ ```text
218
+ node <skill>/scripts/audit-marketplace-discovery.mjs --root <skill> --json
219
+ ```
220
+
221
+ This verifies local discovery metadata and search-language fit. It does not prove marketplace approval, public search indexing, registry publication, maintainer identity, or host-native installation.
222
+
223
+ ## Release Notes
224
+
225
+ Use `references/release.md` as the general release policy. For GSE skill releases, keep notes short:
226
+
227
+ ```text
228
+ Release label:
229
+ Date:
230
+ Readiness: not ready | result | verified | accepted
231
+ Changed:
232
+ Validation:
233
+ Compatibility impact:
234
+ Migration or rollback:
235
+ Known risks:
236
+ Follow-up slices:
237
+ ```
238
+
239
+ Rules:
240
+
241
+ - Link to `.gse/evidence/YYYY-MM-DD.md` instead of pasting long command output.
242
+ - Separate user-facing workflow changes from internal script/refactoring changes.
243
+ - Mark unavailable or unverified host tools honestly.
244
+ - Keep true fresh-session acceptance separate from fresh-session readiness.
245
+
246
+ ## Install Or Update Handoff
247
+
248
+ For a local handoff, provide:
249
+
250
+ - Skill path: `<install-skill-dir>` or the target install path.
251
+ - Release label or date.
252
+ - Validation command and latest result.
253
+ - Evidence log path.
254
+ - Known residual risks.
255
+ - Next slice from `.gse/current-slice.md`.
256
+
257
+ For project-local GSE updates or release-readiness changes, use `assets/templates/update-release-acceptance-record.md` to preserve local decisions, changed files, commands run, rollback notes, owner gate, accepted-by status, and residual risks.
258
+
259
+ If copying GSE to another machine or host, run validation after copy and record the result in that environment. Host-specific capabilities remain `unknown` until checked there.
260
+
261
+ ## Rollback
262
+
263
+ For low-risk GSE documentation/script changes, rollback is file-level revert of the touched artifacts plus re-running `validate-gse.mjs`.
264
+
265
+ For scaffold, generator, or template changes that may affect downstream projects, also record:
266
+
267
+ - Which generated files or adapters may need regeneration.
268
+ - Whether existing project `.gse/` folders are compatible.
269
+ - Whether host adapters need manual review.
270
+
271
+ ## Readiness Status
272
+
273
+ - `result`: packaging notes or release artifacts exist.
274
+ - `verified`: `validate-gse.mjs` passes and release notes identify residual risks.
275
+ - `accepted`: required owner, fresh-session, release policy, or distribution gate accepts the release.
276
+
277
+ Do not call a release accepted only because local validation passed unless the current release policy explicitly says local validation is sufficient.