@t275005746/gse 0.1.0 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -42
- package/.github/ISSUE_TEMPLATE/change_request.yml +50 -50
- package/.github/ISSUE_TEMPLATE/config.yml +5 -5
- package/.github/PULL_REQUEST_TEMPLATE.md +38 -38
- package/.github/workflows/validate-gse.yml +33 -33
- package/.gse/README.md +18 -18
- package/.gse/gse-development-protocol.md +50 -50
- package/.gse/project-profile.md +29 -29
- package/.gse/quality-gates.md +25 -25
- package/.gse/releases/public-registry-publication-npm.md +49 -0
- package/.gse/releases/public-release-owner-required.md +65 -65
- package/.gse/releases/public-security-contact-owner-required.md +45 -45
- package/.gse/state.json +147 -27
- package/CHANGELOG.md +31 -15
- package/CONTRIBUTING.md +64 -64
- package/LICENSE +21 -21
- package/README.md +14 -7
- package/README.zh-CN.md +14 -7
- package/SECURITY.md +41 -41
- package/SKILL.md +32 -12
- package/SUPPORT.md +38 -38
- package/assets/marketplace/README.md +7 -7
- package/assets/marketplace/gse-listing.json +75 -75
- package/assets/templates/acceptance-execution-packet.md +73 -73
- package/assets/templates/adr.md +14 -14
- package/assets/templates/change-brief.md +16 -16
- package/assets/templates/design.md +18 -18
- package/assets/templates/dispatch-packet.md +100 -92
- package/assets/templates/evidence.md +15 -9
- package/assets/templates/execution-quality-pack.md +65 -65
- package/assets/templates/goal-map.md +21 -21
- package/assets/templates/host-adapter.md +48 -48
- package/assets/templates/host-ui-invocation-record.md +42 -42
- package/assets/templates/incident-review.md +60 -60
- package/assets/templates/public-channel-publication-record.md +49 -49
- package/assets/templates/public-ci-run-record.md +53 -53
- package/assets/templates/public-release-record.md +65 -65
- package/assets/templates/public-repository-settings-record.md +59 -59
- package/assets/templates/public-security-contact-record.md +45 -45
- package/assets/templates/release-trust-record.md +32 -32
- package/assets/templates/review.md +18 -18
- package/assets/templates/role-fallback-packet.md +49 -0
- package/assets/templates/spec.md +16 -16
- package/assets/templates/target-adoption-evidence.md +29 -29
- package/assets/templates/tasks.md +17 -17
- package/assets/templates/update-release-acceptance-record.md +58 -58
- package/examples/README.md +22 -22
- package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -6
- package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -7
- package/examples/agent-runtime-host/.gse/goal-map.md +7 -7
- package/examples/agent-runtime-host/.gse/project-profile.md +27 -27
- package/examples/agent-runtime-host/.gse/tooling.md +5 -5
- package/examples/agent-runtime-host/.mcp.json +9 -9
- package/examples/agent-runtime-host/AGENTS.md +5 -5
- package/examples/agent-runtime-host/README.md +10 -10
- package/examples/agent-runtime-host/docs/model-routing.md +5 -5
- package/examples/cli-tool/.gse/project-profile.md +21 -21
- package/examples/cli-tool/AGENTS.md +5 -5
- package/examples/cli-tool/README.md +12 -12
- package/examples/cli-tool/package.json +21 -21
- package/examples/small-app/.env.example +2 -2
- package/examples/small-app/.github/workflows/ci.yml +8 -8
- package/examples/small-app/AGENTS.md +5 -5
- package/examples/small-app/README.md +12 -12
- package/examples/small-app/package.json +26 -26
- package/examples/small-app/playwright.config.ts +4 -4
- package/package.json +52 -44
- package/references/adoption-recipes.md +171 -171
- package/references/agent-roles.md +42 -21
- package/references/architecture-health.md +101 -101
- package/references/benchmark-audit.md +73 -73
- package/references/commands.md +74 -45
- package/references/community-channels.md +46 -46
- package/references/compatibility.md +70 -70
- package/references/design-basis.md +38 -38
- package/references/domain-model.md +129 -129
- package/references/domain-quality-gates.md +75 -75
- package/references/drift-audit.md +81 -80
- package/references/evidence-taxonomy.md +145 -108
- package/references/file-ownership.md +97 -93
- package/references/final-form-roadmap.md +201 -0
- package/references/final-readiness.md +84 -84
- package/references/forward-test.md +133 -133
- package/references/goal-map.md +36 -36
- package/references/host-adapters.md +129 -101
- package/references/learning-system.md +42 -26
- package/references/maintenance-cadence.md +51 -0
- package/references/marketplace-discovery.md +46 -46
- package/references/model-routing.md +103 -103
- package/references/open-source-defaults.md +39 -39
- package/references/operating-model.md +52 -52
- package/references/packaging.md +277 -277
- package/references/project-agent-workspace.md +89 -89
- package/references/project-bootstrap.md +122 -122
- package/references/project-guards.md +52 -0
- package/references/project-profile.md +57 -57
- package/references/public-release.md +174 -174
- package/references/quality-gates.md +96 -89
- package/references/recovery.md +176 -176
- package/references/release-trust.md +43 -43
- package/references/release.md +126 -126
- package/references/review.md +141 -141
- package/references/role-dispatch-fallback.md +54 -0
- package/references/router.md +90 -90
- package/references/spec-workflow.md +66 -66
- package/references/task-levels.md +81 -81
- package/references/tool-adapters.md +80 -70
- package/scripts/audit-acceptance-execution-packet.mjs +133 -133
- package/scripts/audit-adoption-recipes.mjs +99 -99
- package/scripts/audit-change-lifecycle.mjs +77 -77
- package/scripts/audit-change-system.mjs +134 -134
- package/scripts/audit-ci-readiness.mjs +107 -107
- package/scripts/audit-close-gate-hardening.mjs +188 -0
- package/scripts/audit-close-gate.mjs +448 -262
- package/scripts/audit-command-adapters.mjs +91 -91
- package/scripts/audit-command-execution.mjs +212 -199
- package/scripts/audit-commands.mjs +7 -5
- package/scripts/audit-compatibility.mjs +149 -149
- package/scripts/audit-completion-plan-drill.mjs +230 -0
- package/scripts/audit-completion-readiness.mjs +290 -287
- package/scripts/audit-continue-preflight.mjs +234 -0
- package/scripts/audit-distribution.mjs +251 -251
- package/scripts/audit-domain-quality-gates.mjs +108 -108
- package/scripts/audit-evidence-levels.mjs +217 -0
- package/scripts/audit-evidence-placeholders.mjs +126 -126
- package/scripts/audit-evidence-review-queue.mjs +206 -0
- package/scripts/audit-final-acceptance-packet.mjs +9 -9
- package/scripts/audit-final-form-progress-report.mjs +19 -18
- package/scripts/audit-final-form-roadmap.mjs +157 -0
- package/scripts/audit-final-form-stale-copy.mjs +2 -2
- package/scripts/audit-final-readiness-promotion.mjs +255 -255
- package/scripts/audit-final-readiness.mjs +226 -226
- package/scripts/audit-fixtures.mjs +154 -154
- package/scripts/audit-fresh-session-readiness.mjs +177 -177
- package/scripts/audit-host-capabilities.mjs +237 -0
- package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -159
- package/scripts/audit-host-runtime-invocation-drill.mjs +240 -240
- package/scripts/audit-host-runtime-invocations.mjs +254 -254
- package/scripts/audit-host-ui-invocation.mjs +132 -132
- package/scripts/audit-installed-sync.mjs +203 -0
- package/scripts/audit-learning-drift.mjs +292 -0
- package/scripts/audit-learning-promotion.mjs +351 -0
- package/scripts/audit-learning-system.mjs +24 -14
- package/scripts/audit-local-final-form-completion.mjs +11 -10
- package/scripts/audit-maintenance-cadence.mjs +139 -0
- package/scripts/audit-maintenance-snapshot.mjs +181 -0
- package/scripts/audit-marketplace-discovery.mjs +122 -122
- package/scripts/audit-npm-package-metadata.mjs +160 -154
- package/scripts/audit-npm-publish-dry-run.mjs +194 -166
- package/scripts/audit-npm-tarball-install.mjs +195 -189
- package/scripts/audit-open-source-defaults.mjs +92 -92
- package/scripts/audit-open-source-readiness.mjs +97 -97
- package/scripts/audit-owner-external-gate-kit.mjs +12 -11
- package/scripts/audit-project-guards.mjs +189 -0
- package/scripts/audit-project.mjs +144 -141
- package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -203
- package/scripts/audit-public-acceptance-handoff.mjs +10 -10
- package/scripts/audit-public-acceptance-readiness.mjs +222 -222
- package/scripts/audit-public-channel-publication.mjs +248 -248
- package/scripts/audit-public-ci-run.mjs +184 -184
- package/scripts/audit-public-collaboration-templates.mjs +98 -98
- package/scripts/audit-public-external-gate-probe.mjs +206 -206
- package/scripts/audit-public-release-checklist.mjs +17 -15
- package/scripts/audit-public-release-decision.mjs +201 -201
- package/scripts/audit-public-release-metadata.mjs +176 -176
- package/scripts/audit-public-repository-settings.mjs +237 -237
- package/scripts/audit-public-security-contact.mjs +171 -171
- package/scripts/audit-readme-docs.mjs +6 -4
- package/scripts/audit-recovery-readiness.mjs +98 -98
- package/scripts/audit-release-bundle.mjs +13 -11
- package/scripts/audit-release-owner-action-plan-drill.mjs +5 -4
- package/scripts/audit-release-owner-action-plan.mjs +10 -10
- package/scripts/audit-release-readiness.mjs +106 -106
- package/scripts/audit-release-status-manifest.mjs +4 -4
- package/scripts/audit-release-trust.mjs +62 -62
- package/scripts/audit-remote-distribution.mjs +266 -266
- package/scripts/audit-roadmap-consistency.mjs +234 -230
- package/scripts/audit-role-dispatch-fallback.mjs +212 -0
- package/scripts/audit-session-sync.mjs +127 -0
- package/scripts/audit-signing.mjs +147 -147
- package/scripts/audit-state-freshness.mjs +20 -14
- package/scripts/audit-state-repair.mjs +360 -0
- package/scripts/audit-target-adoption-evidence.mjs +117 -117
- package/scripts/audit-target-hardening-drills.mjs +267 -0
- package/scripts/audit-target-project.mjs +507 -507
- package/scripts/audit-tool-fallback-policy.mjs +180 -0
- package/scripts/audit-ui-browser-evidence-policy.mjs +191 -0
- package/scripts/audit-update-release-acceptance.mjs +136 -136
- package/scripts/audit-v1-target-validation.mjs +269 -269
- package/scripts/audit-validation-profiles.mjs +125 -123
- package/scripts/backfill-evidence-levels.mjs +98 -0
- package/scripts/check-encoding.mjs +72 -0
- package/scripts/close-change.mjs +116 -116
- package/scripts/discover-project-profile.mjs +307 -307
- package/scripts/generate-command-adapter.mjs +231 -231
- package/scripts/generate-continue-packet.mjs +1214 -0
- package/scripts/generate-final-acceptance-packet.mjs +188 -173
- package/scripts/generate-final-form-progress-report.mjs +191 -189
- package/scripts/generate-host-runtime-evidence-handoff.mjs +198 -191
- package/scripts/generate-maintenance-snapshot.mjs +216 -0
- package/scripts/generate-owner-external-gate-kit.mjs +295 -295
- package/scripts/generate-public-acceptance-handoff.mjs +168 -156
- package/scripts/generate-public-release-checklist.mjs +207 -207
- package/scripts/generate-release-bundle.mjs +505 -505
- package/scripts/generate-release-owner-action-plan.mjs +172 -171
- package/scripts/generate-release-status-manifest.mjs +199 -198
- package/scripts/generate-session-prompt.mjs +188 -188
- package/scripts/gse.mjs +67 -67
- package/scripts/init-change.mjs +265 -265
- package/scripts/init-project.mjs +793 -712
- package/scripts/install-gse.mjs +234 -234
- package/scripts/lib/evidence-placeholders.mjs +28 -28
- package/scripts/package-gse.mjs +174 -174
- package/scripts/probe-public-external-gates.mjs +167 -167
- package/scripts/record-host-invocation.mjs +151 -151
- package/scripts/record-learning.mjs +37 -8
- package/scripts/record-public-channel-publication.mjs +178 -178
- package/scripts/record-public-ci-run.mjs +180 -180
- package/scripts/record-public-release.mjs +175 -175
- package/scripts/record-public-repository-settings.mjs +209 -209
- package/scripts/record-public-security-contact.mjs +157 -157
- package/scripts/record-session-sync.mjs +87 -0
- package/scripts/run-gse-command.mjs +79 -47
- package/scripts/run-validation-profile.mjs +24 -5
- package/scripts/sign-gse-package.mjs +83 -83
- package/scripts/update-project-state.mjs +223 -223
- package/scripts/validate-gse.mjs +216 -0
- package/scripts/verify-gse-package.mjs +85 -85
|
@@ -1,174 +1,174 @@
|
|
|
1
|
-
# Public Release Metadata
|
|
2
|
-
|
|
3
|
-
Use this gate when GSE, a project-local GSE scaffold, or a GSE-derived package is prepared for public GitHub, marketplace, catalog, registry, or external handoff.
|
|
4
|
-
|
|
5
|
-
Public release metadata is not a substitute for legal review, maintainer approval, CI, or marketplace approval. It makes the release state auditable so agents do not claim public readiness from local tests alone.
|
|
6
|
-
|
|
7
|
-
## Required Metadata
|
|
8
|
-
|
|
9
|
-
Before a public release can be called accepted, record:
|
|
10
|
-
|
|
11
|
-
- Release name or version.
|
|
12
|
-
- Release date or intended release window.
|
|
13
|
-
- Distribution channel: GitHub repository, package registry, marketplace/catalog, internal handoff, or direct archive.
|
|
14
|
-
- License decision: license identifier, license file path, and who approved it.
|
|
15
|
-
- Changelog or release notes path.
|
|
16
|
-
- Install/update instructions path.
|
|
17
|
-
- Verification commands and latest result.
|
|
18
|
-
- Signing or integrity policy.
|
|
19
|
-
- Public CI run: public workflow run URL, commit SHA, required checks, result, and acceptance evidence.
|
|
20
|
-
- Public security contact: owner-approved disclosure path and policy update evidence.
|
|
21
|
-
- Public repository settings: issues, PRs, security policy visibility, branch protection, and required checks.
|
|
22
|
-
- Public channel publication: registry package, GitHub release, marketplace, or catalog evidence when any public channel is claimed.
|
|
23
|
-
- Community/support channel: optional maintainer support, sponsorship, affiliate, or related-service link, if owner-approved.
|
|
24
|
-
- Known risks and unsupported claims.
|
|
25
|
-
- Owner acceptance or explicit reason acceptance is still pending.
|
|
26
|
-
|
|
27
|
-
## License Decision
|
|
28
|
-
|
|
29
|
-
GSE must not choose a license by guessing. If the project has no approved license, record `owner-required` and keep public release acceptance pending.
|
|
30
|
-
|
|
31
|
-
For the GSE skill itself, the owner-approved mainstream open-source default is MIT. See `references/open-source-defaults.md`. This default does not imply public repository, CI, registry, marketplace, or host runtime acceptance until those external records exist.
|
|
32
|
-
|
|
33
|
-
Minimum license record:
|
|
34
|
-
|
|
35
|
-
```text
|
|
36
|
-
License status: owner-required | selected | not-public
|
|
37
|
-
SPDX identifier:
|
|
38
|
-
License file:
|
|
39
|
-
Approved by:
|
|
40
|
-
Decision date:
|
|
41
|
-
Notes:
|
|
42
|
-
```
|
|
43
|
-
|
|
44
|
-
Use `assets/templates/public-release-record.md` when a release needs a compact owner-facing decision record.
|
|
45
|
-
|
|
46
|
-
Use `scripts/record-public-release.mjs` to create a project-local record without hand-editing the template:
|
|
47
|
-
|
|
48
|
-
```bash
|
|
49
|
-
node <skill>/scripts/record-public-release.mjs --root <skill-or-project> --license-status owner-required --json
|
|
50
|
-
```
|
|
51
|
-
|
|
52
|
-
For `--license-status selected`, the command requires `--spdx`, `--license-file`, `--approved-by`, `--decision-date`, and `--evidence-status accepted`. This keeps license acceptance from being implied by a partially filled record.
|
|
53
|
-
|
|
54
|
-
For `--license-status not-public`, the command requires `--approved-by` and `--decision-date`. Use this when the owner explicitly decides the package is not approved for public open-source release yet.
|
|
55
|
-
|
|
56
|
-
Run `scripts/audit-public-release-decision.mjs --root <skill-or-project>` to verify that the owner-required, selected-license, and not-public decision paths behave correctly. The audit uses a temporary fixture for selected-license success and does not choose a license for the real project.
|
|
57
|
-
|
|
58
|
-
## Public Release Checklist
|
|
59
|
-
|
|
60
|
-
Use the generated checklist when the owner needs the public-release work in execution order instead of grouped by responsibility:
|
|
61
|
-
|
|
62
|
-
```bash
|
|
63
|
-
node <skill>/scripts/generate-public-release-checklist.mjs --root <skill-or-project> --force --json
|
|
64
|
-
node <skill>/scripts/audit-public-release-checklist.mjs --root <skill-or-project> --json
|
|
65
|
-
```
|
|
66
|
-
|
|
67
|
-
The checklist is a runway, not an acceptance record. It keeps the order explicit: release bundle, public repository settings, security contact, public CI, registry publication, marketplace listing, native slash-command evidence, other host runtime evidence, then final readiness audits.
|
|
68
|
-
|
|
69
|
-
## Public CI Run
|
|
70
|
-
|
|
71
|
-
Local CI workflow files are not proof that public CI has run. If GSE is claimed to have public CI evidence, record the real public workflow run.
|
|
72
|
-
|
|
73
|
-
Use `assets/templates/public-ci-run-record.md` for a compact record, or generate one with:
|
|
74
|
-
|
|
75
|
-
```bash
|
|
76
|
-
node <skill>/scripts/record-public-ci-run.mjs --root <skill-or-project> --run-status pending --json
|
|
77
|
-
```
|
|
78
|
-
|
|
79
|
-
For `--run-status accepted`, the command requires repository URL, workflow name, workflow file, run URL, commit SHA, branch, required checks, evidence owner, evidence date, evidence URL or run id, `--run-conclusion success`, `--evidence-status accepted`, `--accepted-by`, `--accepted-at`, `--proves-public-ci-run true`, and `--proves-required-checks true`.
|
|
80
|
-
|
|
81
|
-
Run `scripts/audit-public-ci-run.mjs --root <skill-or-project>` to verify pending and accepted CI run record mechanics. The audit uses temporary fixture evidence and does not run GitHub Actions.
|
|
82
|
-
|
|
83
|
-
## Public Security Contact
|
|
84
|
-
|
|
85
|
-
GSE must not invent a public vulnerability disclosure address. If the owner has not approved a public security contact, keep the contact status pending and do not claim public release acceptance.
|
|
86
|
-
|
|
87
|
-
Use `assets/templates/public-security-contact-record.md` for a compact record, or generate one with:
|
|
88
|
-
|
|
89
|
-
```bash
|
|
90
|
-
node <skill>/scripts/record-public-security-contact.mjs --root <skill-or-project> --contact-status pending --json
|
|
91
|
-
```
|
|
92
|
-
|
|
93
|
-
For `--contact-status accepted`, the command requires a public contact type and value, owner evidence, evidence date, evidence URL or run id, `--is-public true`, `--security-policy-updated true`, `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
|
|
94
|
-
|
|
95
|
-
Run `scripts/audit-public-security-contact.mjs --root <skill-or-project>` to verify pending and accepted record mechanics. The audit uses temporary fixture evidence and does not create a real public security contact.
|
|
96
|
-
|
|
97
|
-
## Public Repository Settings
|
|
98
|
-
|
|
99
|
-
Public repository settings are external evidence. Local files can define the required shape, but they do not prove that a public GitHub repository has issues, pull requests, security policy visibility, branch protection, or required checks configured.
|
|
100
|
-
|
|
101
|
-
Use `assets/templates/public-repository-settings-record.md` for a compact record, or generate one with:
|
|
102
|
-
|
|
103
|
-
```bash
|
|
104
|
-
node <skill>/scripts/record-public-repository-settings.mjs --root <skill-or-project> --settings-status pending --json
|
|
105
|
-
```
|
|
106
|
-
|
|
107
|
-
For `--settings-status verified`, the command requires a public repository URL, evidence owner, evidence date, evidence URL or run id, enabled issues/PRs/security policy, branch protection, required status checks, review-before-merge, conversation resolution, force-push restriction, deletion restriction, and required check names.
|
|
108
|
-
|
|
109
|
-
For `--settings-status accepted`, the command also requires `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
|
|
110
|
-
|
|
111
|
-
Run `scripts/audit-public-repository-settings.mjs --root <skill-or-project>` to verify the pending, verified, and accepted record mechanics. The audit uses temporary fixture evidence and does not configure a real public repository.
|
|
112
|
-
|
|
113
|
-
## Public Channel Publication
|
|
114
|
-
|
|
115
|
-
Discovery metadata, local packages, release bundles, and URL-install smokes are not public publication. If GSE is claimed to be published through a registry, marketplace, catalog, or GitHub release, record the real channel evidence.
|
|
116
|
-
|
|
117
|
-
Use `assets/templates/public-channel-publication-record.md` for a compact record, or generate one with:
|
|
118
|
-
|
|
119
|
-
```bash
|
|
120
|
-
node <skill>/scripts/record-public-channel-publication.mjs --root <skill-or-project> --publication-status pending --json
|
|
121
|
-
```
|
|
122
|
-
|
|
123
|
-
For `--publication-status accepted`, the command requires channel type, channel name, channel URL, version, owner evidence, evidence date, evidence URL or run id, review status `approved` or `published`, `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
|
|
124
|
-
|
|
125
|
-
For package registry claims, accepted evidence also requires `--artifact-digest` and `--proves-registry-publication true`. For marketplace or catalog claims, accepted evidence requires `--proves-marketplace-approval true`.
|
|
126
|
-
|
|
127
|
-
Run `scripts/audit-public-channel-publication.mjs --root <skill-or-project>` to verify pending, registry-publication, and marketplace-approval record mechanics. The audit uses temporary fixture evidence and does not publish to a real channel.
|
|
128
|
-
|
|
129
|
-
## Community And Support Links
|
|
130
|
-
|
|
131
|
-
Community links are not release channels. They can help users find support or related maintainer services, but they do not prove registry publication, marketplace approval, public CI, security disclosure, or host runtime support.
|
|
132
|
-
|
|
133
|
-
For GSE, GateHub (`https://gatehub.top/`) is the current owner-candidate community/support link. Use `references/community-channels.md` before adding it to a public repository, release note, or listing.
|
|
134
|
-
|
|
135
|
-
## Changelog Policy
|
|
136
|
-
|
|
137
|
-
Use the project convention first. If none exists, keep a `CHANGELOG.md` with:
|
|
138
|
-
|
|
139
|
-
- user-facing changes,
|
|
140
|
-
- operator or maintainer changes,
|
|
141
|
-
- breaking changes,
|
|
142
|
-
- migration and rollback notes,
|
|
143
|
-
- verification evidence,
|
|
144
|
-
- known limits and unsupported claims.
|
|
145
|
-
|
|
146
|
-
Do not paste long command output, private reasoning, secrets, provider payloads, or screenshots into a changelog. Link to evidence files instead.
|
|
147
|
-
|
|
148
|
-
## Acceptance Levels
|
|
149
|
-
|
|
150
|
-
- `result`: metadata files exist but are not verified.
|
|
151
|
-
- `verified`: metadata files, scripts, changelog policy, and owner-decision placeholders are structurally checked.
|
|
152
|
-
- `accepted`: owner license decision, release channel, verification evidence, and required approvals are recorded.
|
|
153
|
-
|
|
154
|
-
Do not mark `accepted` when the release is only locally validated.
|
|
155
|
-
|
|
156
|
-
## Integration
|
|
157
|
-
|
|
158
|
-
- Use `references/open-source-defaults.md` for the mainstream public release preset.
|
|
159
|
-
- Use `references/community-channels.md` for optional maintainer support, sponsorship, affiliate, or related-service links.
|
|
160
|
-
- Run `scripts/audit-public-release-metadata.mjs --root <skill-or-project>` before public handoff.
|
|
161
|
-
- Run `scripts/audit-public-release-decision.mjs --root <skill-or-project>` before claiming release-decision mechanics are complete.
|
|
162
|
-
- Use `scripts/record-public-release.mjs --root <skill-or-project>` to write the release decision record.
|
|
163
|
-
- Run `scripts/audit-public-ci-run.mjs --root <skill-or-project>` before claiming public CI run record mechanics are complete.
|
|
164
|
-
- Use `scripts/record-public-ci-run.mjs --root <skill-or-project>` to write public CI run evidence.
|
|
165
|
-
- Run `scripts/audit-public-security-contact.mjs --root <skill-or-project>` before claiming security contact record mechanics are complete.
|
|
166
|
-
- Use `scripts/record-public-security-contact.mjs --root <skill-or-project>` to write the public security contact evidence record.
|
|
167
|
-
- Run `scripts/audit-public-repository-settings.mjs --root <skill-or-project>` before claiming repository settings record mechanics are complete.
|
|
168
|
-
- Use `scripts/record-public-repository-settings.mjs --root <skill-or-project>` to write the repository settings evidence record.
|
|
169
|
-
- Run `scripts/audit-public-channel-publication.mjs --root <skill-or-project>` before claiming public channel publication record mechanics are complete.
|
|
170
|
-
- Use `scripts/record-public-channel-publication.mjs --root <skill-or-project>` to write public registry, marketplace, catalog, or release publication evidence.
|
|
171
|
-
- Run `scripts/validate-gse.mjs --root <skill>` before publishing the GSE skill itself.
|
|
172
|
-
- Use `references/release.md` for release-level gates and rollback guidance.
|
|
173
|
-
- Use `references/release-trust.md` for signing, public key custody, and artifact trust.
|
|
174
|
-
- Use `references/marketplace-discovery.md` when preparing marketplace or catalog metadata.
|
|
1
|
+
# Public Release Metadata
|
|
2
|
+
|
|
3
|
+
Use this gate when GSE, a project-local GSE scaffold, or a GSE-derived package is prepared for public GitHub, marketplace, catalog, registry, or external handoff.
|
|
4
|
+
|
|
5
|
+
Public release metadata is not a substitute for legal review, maintainer approval, CI, or marketplace approval. It makes the release state auditable so agents do not claim public readiness from local tests alone.
|
|
6
|
+
|
|
7
|
+
## Required Metadata
|
|
8
|
+
|
|
9
|
+
Before a public release can be called accepted, record:
|
|
10
|
+
|
|
11
|
+
- Release name or version.
|
|
12
|
+
- Release date or intended release window.
|
|
13
|
+
- Distribution channel: GitHub repository, package registry, marketplace/catalog, internal handoff, or direct archive.
|
|
14
|
+
- License decision: license identifier, license file path, and who approved it.
|
|
15
|
+
- Changelog or release notes path.
|
|
16
|
+
- Install/update instructions path.
|
|
17
|
+
- Verification commands and latest result.
|
|
18
|
+
- Signing or integrity policy.
|
|
19
|
+
- Public CI run: public workflow run URL, commit SHA, required checks, result, and acceptance evidence.
|
|
20
|
+
- Public security contact: owner-approved disclosure path and policy update evidence.
|
|
21
|
+
- Public repository settings: issues, PRs, security policy visibility, branch protection, and required checks.
|
|
22
|
+
- Public channel publication: registry package, GitHub release, marketplace, or catalog evidence when any public channel is claimed.
|
|
23
|
+
- Community/support channel: optional maintainer support, sponsorship, affiliate, or related-service link, if owner-approved.
|
|
24
|
+
- Known risks and unsupported claims.
|
|
25
|
+
- Owner acceptance or explicit reason acceptance is still pending.
|
|
26
|
+
|
|
27
|
+
## License Decision
|
|
28
|
+
|
|
29
|
+
GSE must not choose a license by guessing. If the project has no approved license, record `owner-required` and keep public release acceptance pending.
|
|
30
|
+
|
|
31
|
+
For the GSE skill itself, the owner-approved mainstream open-source default is MIT. See `references/open-source-defaults.md`. This default does not imply public repository, CI, registry, marketplace, or host runtime acceptance until those external records exist.
|
|
32
|
+
|
|
33
|
+
Minimum license record:
|
|
34
|
+
|
|
35
|
+
```text
|
|
36
|
+
License status: owner-required | selected | not-public
|
|
37
|
+
SPDX identifier:
|
|
38
|
+
License file:
|
|
39
|
+
Approved by:
|
|
40
|
+
Decision date:
|
|
41
|
+
Notes:
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
Use `assets/templates/public-release-record.md` when a release needs a compact owner-facing decision record.
|
|
45
|
+
|
|
46
|
+
Use `scripts/record-public-release.mjs` to create a project-local record without hand-editing the template:
|
|
47
|
+
|
|
48
|
+
```bash
|
|
49
|
+
node <skill>/scripts/record-public-release.mjs --root <skill-or-project> --license-status owner-required --json
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
For `--license-status selected`, the command requires `--spdx`, `--license-file`, `--approved-by`, `--decision-date`, and `--evidence-status accepted`. This keeps license acceptance from being implied by a partially filled record.
|
|
53
|
+
|
|
54
|
+
For `--license-status not-public`, the command requires `--approved-by` and `--decision-date`. Use this when the owner explicitly decides the package is not approved for public open-source release yet.
|
|
55
|
+
|
|
56
|
+
Run `scripts/audit-public-release-decision.mjs --root <skill-or-project>` to verify that the owner-required, selected-license, and not-public decision paths behave correctly. The audit uses a temporary fixture for selected-license success and does not choose a license for the real project.
|
|
57
|
+
|
|
58
|
+
## Public Release Checklist
|
|
59
|
+
|
|
60
|
+
Use the generated checklist when the owner needs the public-release work in execution order instead of grouped by responsibility:
|
|
61
|
+
|
|
62
|
+
```bash
|
|
63
|
+
node <skill>/scripts/generate-public-release-checklist.mjs --root <skill-or-project> --force --json
|
|
64
|
+
node <skill>/scripts/audit-public-release-checklist.mjs --root <skill-or-project> --json
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
The checklist is a runway, not an acceptance record. It keeps the order explicit: release bundle, public repository settings, security contact, public CI, registry publication, marketplace listing, native slash-command evidence, other host runtime evidence, then final readiness audits.
|
|
68
|
+
|
|
69
|
+
## Public CI Run
|
|
70
|
+
|
|
71
|
+
Local CI workflow files are not proof that public CI has run. If GSE is claimed to have public CI evidence, record the real public workflow run.
|
|
72
|
+
|
|
73
|
+
Use `assets/templates/public-ci-run-record.md` for a compact record, or generate one with:
|
|
74
|
+
|
|
75
|
+
```bash
|
|
76
|
+
node <skill>/scripts/record-public-ci-run.mjs --root <skill-or-project> --run-status pending --json
|
|
77
|
+
```
|
|
78
|
+
|
|
79
|
+
For `--run-status accepted`, the command requires repository URL, workflow name, workflow file, run URL, commit SHA, branch, required checks, evidence owner, evidence date, evidence URL or run id, `--run-conclusion success`, `--evidence-status accepted`, `--accepted-by`, `--accepted-at`, `--proves-public-ci-run true`, and `--proves-required-checks true`.
|
|
80
|
+
|
|
81
|
+
Run `scripts/audit-public-ci-run.mjs --root <skill-or-project>` to verify pending and accepted CI run record mechanics. The audit uses temporary fixture evidence and does not run GitHub Actions.
|
|
82
|
+
|
|
83
|
+
## Public Security Contact
|
|
84
|
+
|
|
85
|
+
GSE must not invent a public vulnerability disclosure address. If the owner has not approved a public security contact, keep the contact status pending and do not claim public release acceptance.
|
|
86
|
+
|
|
87
|
+
Use `assets/templates/public-security-contact-record.md` for a compact record, or generate one with:
|
|
88
|
+
|
|
89
|
+
```bash
|
|
90
|
+
node <skill>/scripts/record-public-security-contact.mjs --root <skill-or-project> --contact-status pending --json
|
|
91
|
+
```
|
|
92
|
+
|
|
93
|
+
For `--contact-status accepted`, the command requires a public contact type and value, owner evidence, evidence date, evidence URL or run id, `--is-public true`, `--security-policy-updated true`, `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
|
|
94
|
+
|
|
95
|
+
Run `scripts/audit-public-security-contact.mjs --root <skill-or-project>` to verify pending and accepted record mechanics. The audit uses temporary fixture evidence and does not create a real public security contact.
|
|
96
|
+
|
|
97
|
+
## Public Repository Settings
|
|
98
|
+
|
|
99
|
+
Public repository settings are external evidence. Local files can define the required shape, but they do not prove that a public GitHub repository has issues, pull requests, security policy visibility, branch protection, or required checks configured.
|
|
100
|
+
|
|
101
|
+
Use `assets/templates/public-repository-settings-record.md` for a compact record, or generate one with:
|
|
102
|
+
|
|
103
|
+
```bash
|
|
104
|
+
node <skill>/scripts/record-public-repository-settings.mjs --root <skill-or-project> --settings-status pending --json
|
|
105
|
+
```
|
|
106
|
+
|
|
107
|
+
For `--settings-status verified`, the command requires a public repository URL, evidence owner, evidence date, evidence URL or run id, enabled issues/PRs/security policy, branch protection, required status checks, review-before-merge, conversation resolution, force-push restriction, deletion restriction, and required check names.
|
|
108
|
+
|
|
109
|
+
For `--settings-status accepted`, the command also requires `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
|
|
110
|
+
|
|
111
|
+
Run `scripts/audit-public-repository-settings.mjs --root <skill-or-project>` to verify the pending, verified, and accepted record mechanics. The audit uses temporary fixture evidence and does not configure a real public repository.
|
|
112
|
+
|
|
113
|
+
## Public Channel Publication
|
|
114
|
+
|
|
115
|
+
Discovery metadata, local packages, release bundles, and URL-install smokes are not public publication. If GSE is claimed to be published through a registry, marketplace, catalog, or GitHub release, record the real channel evidence.
|
|
116
|
+
|
|
117
|
+
Use `assets/templates/public-channel-publication-record.md` for a compact record, or generate one with:
|
|
118
|
+
|
|
119
|
+
```bash
|
|
120
|
+
node <skill>/scripts/record-public-channel-publication.mjs --root <skill-or-project> --publication-status pending --json
|
|
121
|
+
```
|
|
122
|
+
|
|
123
|
+
For `--publication-status accepted`, the command requires channel type, channel name, channel URL, version, owner evidence, evidence date, evidence URL or run id, review status `approved` or `published`, `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
|
|
124
|
+
|
|
125
|
+
For package registry claims, accepted evidence also requires `--artifact-digest` and `--proves-registry-publication true`. For marketplace or catalog claims, accepted evidence requires `--proves-marketplace-approval true`.
|
|
126
|
+
|
|
127
|
+
Run `scripts/audit-public-channel-publication.mjs --root <skill-or-project>` to verify pending, registry-publication, and marketplace-approval record mechanics. The audit uses temporary fixture evidence and does not publish to a real channel.
|
|
128
|
+
|
|
129
|
+
## Community And Support Links
|
|
130
|
+
|
|
131
|
+
Community links are not release channels. They can help users find support or related maintainer services, but they do not prove registry publication, marketplace approval, public CI, security disclosure, or host runtime support.
|
|
132
|
+
|
|
133
|
+
For GSE, GateHub (`https://gatehub.top/`) is the current owner-candidate community/support link. Use `references/community-channels.md` before adding it to a public repository, release note, or listing.
|
|
134
|
+
|
|
135
|
+
## Changelog Policy
|
|
136
|
+
|
|
137
|
+
Use the project convention first. If none exists, keep a `CHANGELOG.md` with:
|
|
138
|
+
|
|
139
|
+
- user-facing changes,
|
|
140
|
+
- operator or maintainer changes,
|
|
141
|
+
- breaking changes,
|
|
142
|
+
- migration and rollback notes,
|
|
143
|
+
- verification evidence,
|
|
144
|
+
- known limits and unsupported claims.
|
|
145
|
+
|
|
146
|
+
Do not paste long command output, private reasoning, secrets, provider payloads, or screenshots into a changelog. Link to evidence files instead.
|
|
147
|
+
|
|
148
|
+
## Acceptance Levels
|
|
149
|
+
|
|
150
|
+
- `result`: metadata files exist but are not verified.
|
|
151
|
+
- `verified`: metadata files, scripts, changelog policy, and owner-decision placeholders are structurally checked.
|
|
152
|
+
- `accepted`: owner license decision, release channel, verification evidence, and required approvals are recorded.
|
|
153
|
+
|
|
154
|
+
Do not mark `accepted` when the release is only locally validated.
|
|
155
|
+
|
|
156
|
+
## Integration
|
|
157
|
+
|
|
158
|
+
- Use `references/open-source-defaults.md` for the mainstream public release preset.
|
|
159
|
+
- Use `references/community-channels.md` for optional maintainer support, sponsorship, affiliate, or related-service links.
|
|
160
|
+
- Run `scripts/audit-public-release-metadata.mjs --root <skill-or-project>` before public handoff.
|
|
161
|
+
- Run `scripts/audit-public-release-decision.mjs --root <skill-or-project>` before claiming release-decision mechanics are complete.
|
|
162
|
+
- Use `scripts/record-public-release.mjs --root <skill-or-project>` to write the release decision record.
|
|
163
|
+
- Run `scripts/audit-public-ci-run.mjs --root <skill-or-project>` before claiming public CI run record mechanics are complete.
|
|
164
|
+
- Use `scripts/record-public-ci-run.mjs --root <skill-or-project>` to write public CI run evidence.
|
|
165
|
+
- Run `scripts/audit-public-security-contact.mjs --root <skill-or-project>` before claiming security contact record mechanics are complete.
|
|
166
|
+
- Use `scripts/record-public-security-contact.mjs --root <skill-or-project>` to write the public security contact evidence record.
|
|
167
|
+
- Run `scripts/audit-public-repository-settings.mjs --root <skill-or-project>` before claiming repository settings record mechanics are complete.
|
|
168
|
+
- Use `scripts/record-public-repository-settings.mjs --root <skill-or-project>` to write the repository settings evidence record.
|
|
169
|
+
- Run `scripts/audit-public-channel-publication.mjs --root <skill-or-project>` before claiming public channel publication record mechanics are complete.
|
|
170
|
+
- Use `scripts/record-public-channel-publication.mjs --root <skill-or-project>` to write public registry, marketplace, catalog, or release publication evidence.
|
|
171
|
+
- Run `scripts/validate-gse.mjs --root <skill>` before publishing the GSE skill itself.
|
|
172
|
+
- Use `references/release.md` for release-level gates and rollback guidance.
|
|
173
|
+
- Use `references/release-trust.md` for signing, public key custody, and artifact trust.
|
|
174
|
+
- Use `references/marketplace-discovery.md` when preparing marketplace or catalog metadata.
|
|
@@ -1,100 +1,107 @@
|
|
|
1
|
-
# Quality Gates
|
|
2
|
-
|
|
3
|
-
Pick gates by task risk.
|
|
4
|
-
|
|
5
|
-
## Universal Gate
|
|
6
|
-
|
|
7
|
-
- Outcome matches request.
|
|
8
|
-
- Scope did not expand silently.
|
|
1
|
+
# Quality Gates
|
|
2
|
+
|
|
3
|
+
Pick gates by task risk.
|
|
4
|
+
|
|
5
|
+
## Universal Gate
|
|
6
|
+
|
|
7
|
+
- Outcome matches request.
|
|
8
|
+
- Scope did not expand silently.
|
|
9
9
|
- Acceptance has evidence.
|
|
10
10
|
- Evidence status uses `evidence-taxonomy.md`: result, verified, or accepted.
|
|
11
|
+
- Evidence level uses `evidence-taxonomy.md`: `result`, `verified-unit`, `verified-component`, `verified-api`, `verified-browser`, `verified-ci`, `accepted-owner`, `accepted-release`, or `external-required`.
|
|
11
12
|
- Do not claim `verified` or `accepted` when evidence only proves `result`.
|
|
13
|
+
- Do not describe `verified-component` or `verified-api` as `verified-browser`; record a downgrade when browser proof was required but only component/API proof ran.
|
|
12
14
|
- Dirty worktree contains only intended files; use `references/file-ownership.md` when ownership or pre-existing changes are unclear.
|
|
13
|
-
-
|
|
15
|
+
- Close checks must surface role-dispatch honesty, staged/unstaged/untracked worktree state, and staged generated/test artifacts before a slice is called complete.
|
|
16
|
+
- Final answer states evidence and remaining risk.
|
|
14
17
|
- Use `references/recovery.md` when work is interrupted, verification fails, rollback/resume decisions are needed, or another agent/session must continue.
|
|
18
|
+
- Check `.gse/project-guards.md` through `/gse continue` or `scripts/audit-project-guards.mjs` when recurring lessons may affect the slice.
|
|
19
|
+
- Check `.gse/host-capabilities.md` through `/gse continue` or `scripts/audit-host-capabilities.mjs` before claiming native slash-command, browser, MCP, LSP, subagent, or CI support.
|
|
20
|
+
- Check learning drift through `/gse continue` or `scripts/audit-learning-drift.mjs` before closing repeated-failure lessons as enforced.
|
|
15
21
|
- Use `references/review.md` when task risk requires spec compliance, code quality, architecture drift, security/privacy, regression, or evidence review.
|
|
16
|
-
- Use `references/domain-quality-gates.md` when task risk involves security/privacy, performance/cost, accessibility, resilience/recovery, UI/browser, API/state, data/migration, model/tool routing, or release/operations concerns.
|
|
17
|
-
- Use `references/architecture-health.md` when the task touches structural boundaries, coupling, source-of-truth drift, ownership, dependency/security risk, performance/resilience, migration, or release impact.
|
|
18
|
-
- Use `references/forward-test.md` for non-trivial GSE skill, scaffold, router, role, adapter, release, recovery, or packaging changes.
|
|
19
|
-
|
|
20
|
-
## Code Gates
|
|
21
|
-
|
|
22
|
-
- Focused tests for changed behavior.
|
|
23
|
-
- Typecheck/lint/build when relevant.
|
|
24
|
-
- Regression test for bug fixes when feasible.
|
|
25
|
-
- No unrelated refactors.
|
|
26
|
-
|
|
27
|
-
## Gate Profiles
|
|
28
|
-
|
|
29
|
-
Use the lightest gate profile that proves the claim.
|
|
30
|
-
|
|
31
|
-
### Lite Gate
|
|
32
|
-
|
|
33
|
-
Use for docs, scripts, copy, narrow state labels, and low-risk local helpers.
|
|
34
|
-
|
|
35
|
-
- Required: one focused command, structural check, or explicit manual evidence.
|
|
36
|
-
- Optional: encoding check when docs changed.
|
|
37
|
-
- Avoid by default: full build, browser smoke, distribution audit, or close gate unless the change touches those surfaces.
|
|
38
|
-
|
|
39
|
-
### Standard Gate
|
|
40
|
-
|
|
41
|
-
Use for user-visible product slices, shared state contracts, API behavior, persistence, or cross-file workflows.
|
|
42
|
-
|
|
43
|
-
- Required: focused tests for changed behavior.
|
|
44
|
-
- Add one relevant integration smoke when the slice affects a visible or persisted path.
|
|
45
|
-
- Build/typecheck is required when touching Next build-time code, shared TypeScript contracts, generated package shape, or release/install behavior.
|
|
46
|
-
|
|
47
|
-
### Enterprise Gate
|
|
48
|
-
|
|
49
|
-
Use for public release, install/update, security, migrations, cross-host support, skill/scaffold changes, or high-blast-radius architecture.
|
|
50
|
-
|
|
51
|
-
- Required: focused tests plus the hard gate matching the claim.
|
|
52
|
-
- Examples: distribution audit for install claims, release bundle audit for release handoff claims, browser smoke for UI reliability claims, security scan for permission/secrets claims.
|
|
53
|
-
- For GSE distribution checks, use `--profile smoke` for routine package/install/CLI/integrity evidence and `--profile full` for release, handoff, or installed-copy validation claims.
|
|
54
|
-
- Full validation belongs here, not on every small product slice.
|
|
55
|
-
|
|
56
|
-
Gate selection should be stated in evidence when a task could reasonably look heavier than the chosen profile.
|
|
57
|
-
|
|
58
|
-
Portable validation profile runner:
|
|
59
|
-
|
|
60
|
-
```text
|
|
61
|
-
node <gse-skill>/scripts/run-validation-profile.mjs --target <project-root> --profile lite|standard|enterprise|release
|
|
62
|
-
```
|
|
63
|
-
|
|
64
|
-
Use this runner when a host, user, or future agent needs a stable command instead of hand-selecting individual audit scripts.
|
|
65
|
-
|
|
22
|
+
- Use `references/domain-quality-gates.md` when task risk involves security/privacy, performance/cost, accessibility, resilience/recovery, UI/browser, API/state, data/migration, model/tool routing, or release/operations concerns.
|
|
23
|
+
- Use `references/architecture-health.md` when the task touches structural boundaries, coupling, source-of-truth drift, ownership, dependency/security risk, performance/resilience, migration, or release impact.
|
|
24
|
+
- Use `references/forward-test.md` for non-trivial GSE skill, scaffold, router, role, adapter, release, recovery, or packaging changes.
|
|
25
|
+
|
|
26
|
+
## Code Gates
|
|
27
|
+
|
|
28
|
+
- Focused tests for changed behavior.
|
|
29
|
+
- Typecheck/lint/build when relevant.
|
|
30
|
+
- Regression test for bug fixes when feasible.
|
|
31
|
+
- No unrelated refactors.
|
|
32
|
+
|
|
33
|
+
## Gate Profiles
|
|
34
|
+
|
|
35
|
+
Use the lightest gate profile that proves the claim.
|
|
36
|
+
|
|
37
|
+
### Lite Gate
|
|
38
|
+
|
|
39
|
+
Use for docs, scripts, copy, narrow state labels, and low-risk local helpers.
|
|
40
|
+
|
|
41
|
+
- Required: one focused command, structural check, or explicit manual evidence.
|
|
42
|
+
- Optional: encoding check when docs changed.
|
|
43
|
+
- Avoid by default: full build, browser smoke, distribution audit, or close gate unless the change touches those surfaces.
|
|
44
|
+
|
|
45
|
+
### Standard Gate
|
|
46
|
+
|
|
47
|
+
Use for user-visible product slices, shared state contracts, API behavior, persistence, or cross-file workflows.
|
|
48
|
+
|
|
49
|
+
- Required: focused tests for changed behavior.
|
|
50
|
+
- Add one relevant integration smoke when the slice affects a visible or persisted path.
|
|
51
|
+
- Build/typecheck is required when touching Next build-time code, shared TypeScript contracts, generated package shape, or release/install behavior.
|
|
52
|
+
|
|
53
|
+
### Enterprise Gate
|
|
54
|
+
|
|
55
|
+
Use for public release, install/update, security, migrations, cross-host support, skill/scaffold changes, or high-blast-radius architecture.
|
|
56
|
+
|
|
57
|
+
- Required: focused tests plus the hard gate matching the claim.
|
|
58
|
+
- Examples: distribution audit for install claims, release bundle audit for release handoff claims, browser smoke for UI reliability claims, security scan for permission/secrets claims.
|
|
59
|
+
- For GSE distribution checks, use `--profile smoke` for routine package/install/CLI/integrity evidence and `--profile full` for release, handoff, or installed-copy validation claims.
|
|
60
|
+
- Full validation belongs here, not on every small product slice.
|
|
61
|
+
|
|
62
|
+
Gate selection should be stated in evidence when a task could reasonably look heavier than the chosen profile.
|
|
63
|
+
|
|
64
|
+
Portable validation profile runner:
|
|
65
|
+
|
|
66
|
+
```text
|
|
67
|
+
node <gse-skill>/scripts/run-validation-profile.mjs --target <project-root> --profile lite|standard|enterprise|release
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
Use this runner when a host, user, or future agent needs a stable command instead of hand-selecting individual audit scripts.
|
|
71
|
+
|
|
66
72
|
## UI Gates
|
|
67
73
|
|
|
68
74
|
- Component test or browser smoke for visible behavior.
|
|
69
75
|
- Screenshot or visual inspection for layout-sensitive work.
|
|
76
|
+
- Use `verified-component` for component-only UI proof and `verified-browser` for browser/screenshot-backed UI proof.
|
|
70
77
|
- Loading, empty, error, success, retry, and cancelled states covered when relevant.
|
|
71
|
-
|
|
72
|
-
## Agent/Product Gates
|
|
73
|
-
|
|
74
|
-
- State machine transitions are explicit.
|
|
75
|
-
- Stop/retry/recovery behavior is defined.
|
|
76
|
-
- Tool/process traces do not reveal hidden reasoning, secrets, or raw provider payloads.
|
|
77
|
-
- Short/simple chats avoid heavy workflow paths.
|
|
78
|
-
|
|
79
|
-
## Release Gates
|
|
80
|
-
|
|
81
|
-
Use `references/release.md` when a task affects shipping, install, upgrade, runtime compatibility, migration, rollback, changelog/release notes, or release acceptance.
|
|
82
|
-
|
|
83
|
-
- Build/install smoke.
|
|
84
|
-
- Migration and rollback notes.
|
|
85
|
-
- Changelog or release note.
|
|
86
|
-
- Known risk list.
|
|
87
|
-
- Observability or incident path for risky changes.
|
|
88
|
-
|
|
89
|
-
## Domain Gates
|
|
90
|
-
|
|
91
|
-
Use `references/domain-quality-gates.md` to select only the domain gates that match the risk. Do not force all gates onto Lite tasks.
|
|
92
|
-
|
|
93
|
-
- Security/privacy: secrets, auth, permissions, user data, provider payloads, logs, browser traces, or tool permissions.
|
|
94
|
-
- Performance/cost: latency, heavy context loading, loops, model/tool routing, workers, queues, or large files.
|
|
95
|
-
- Accessibility: keyboard flow, focus, forms, semantics, contrast, responsive UI, or user-facing navigation.
|
|
96
|
-
- Resilience/recovery: retry, cancellation, timeout, idempotency, duplicate prevention, fallback, or state recovery.
|
|
97
|
-
- UI/browser: loading, empty, error, success, streaming, routing, layout, screenshot, or browser smoke needs.
|
|
98
|
-
- API/state: contracts, persistence, sessions, caches, state machines, concurrency, or idempotency.
|
|
99
|
-
- Data/migration: schema, storage, generated artifacts, import/export, compatibility, rollback, or downgrade risk.
|
|
100
|
-
- Model/tool routing: provider behavior, fallback, MCP, browser, subagent, tool status, permissions, or cost route.
|
|
78
|
+
|
|
79
|
+
## Agent/Product Gates
|
|
80
|
+
|
|
81
|
+
- State machine transitions are explicit.
|
|
82
|
+
- Stop/retry/recovery behavior is defined.
|
|
83
|
+
- Tool/process traces do not reveal hidden reasoning, secrets, or raw provider payloads.
|
|
84
|
+
- Short/simple chats avoid heavy workflow paths.
|
|
85
|
+
|
|
86
|
+
## Release Gates
|
|
87
|
+
|
|
88
|
+
Use `references/release.md` when a task affects shipping, install, upgrade, runtime compatibility, migration, rollback, changelog/release notes, or release acceptance.
|
|
89
|
+
|
|
90
|
+
- Build/install smoke.
|
|
91
|
+
- Migration and rollback notes.
|
|
92
|
+
- Changelog or release note.
|
|
93
|
+
- Known risk list.
|
|
94
|
+
- Observability or incident path for risky changes.
|
|
95
|
+
|
|
96
|
+
## Domain Gates
|
|
97
|
+
|
|
98
|
+
Use `references/domain-quality-gates.md` to select only the domain gates that match the risk. Do not force all gates onto Lite tasks.
|
|
99
|
+
|
|
100
|
+
- Security/privacy: secrets, auth, permissions, user data, provider payloads, logs, browser traces, or tool permissions.
|
|
101
|
+
- Performance/cost: latency, heavy context loading, loops, model/tool routing, workers, queues, or large files.
|
|
102
|
+
- Accessibility: keyboard flow, focus, forms, semantics, contrast, responsive UI, or user-facing navigation.
|
|
103
|
+
- Resilience/recovery: retry, cancellation, timeout, idempotency, duplicate prevention, fallback, or state recovery.
|
|
104
|
+
- UI/browser: loading, empty, error, success, streaming, routing, layout, screenshot, or browser smoke needs.
|
|
105
|
+
- API/state: contracts, persistence, sessions, caches, state machines, concurrency, or idempotency.
|
|
106
|
+
- Data/migration: schema, storage, generated artifacts, import/export, compatibility, rollback, or downgrade risk.
|
|
107
|
+
- Model/tool routing: provider behavior, fallback, MCP, browser, subagent, tool status, permissions, or cost route.
|