@t275005746/gse 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (228) hide show
  1. package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -42
  2. package/.github/ISSUE_TEMPLATE/change_request.yml +50 -50
  3. package/.github/ISSUE_TEMPLATE/config.yml +5 -5
  4. package/.github/PULL_REQUEST_TEMPLATE.md +38 -38
  5. package/.github/workflows/validate-gse.yml +33 -33
  6. package/.gse/README.md +18 -18
  7. package/.gse/gse-development-protocol.md +50 -50
  8. package/.gse/project-profile.md +29 -29
  9. package/.gse/quality-gates.md +25 -25
  10. package/.gse/releases/public-registry-publication-npm.md +49 -0
  11. package/.gse/releases/public-release-owner-required.md +65 -65
  12. package/.gse/releases/public-security-contact-owner-required.md +45 -45
  13. package/.gse/state.json +147 -27
  14. package/CHANGELOG.md +31 -15
  15. package/CONTRIBUTING.md +64 -64
  16. package/LICENSE +21 -21
  17. package/README.md +14 -7
  18. package/README.zh-CN.md +14 -7
  19. package/SECURITY.md +41 -41
  20. package/SKILL.md +32 -12
  21. package/SUPPORT.md +38 -38
  22. package/assets/marketplace/README.md +7 -7
  23. package/assets/marketplace/gse-listing.json +75 -75
  24. package/assets/templates/acceptance-execution-packet.md +73 -73
  25. package/assets/templates/adr.md +14 -14
  26. package/assets/templates/change-brief.md +16 -16
  27. package/assets/templates/design.md +18 -18
  28. package/assets/templates/dispatch-packet.md +100 -92
  29. package/assets/templates/evidence.md +15 -9
  30. package/assets/templates/execution-quality-pack.md +65 -65
  31. package/assets/templates/goal-map.md +21 -21
  32. package/assets/templates/host-adapter.md +48 -48
  33. package/assets/templates/host-ui-invocation-record.md +42 -42
  34. package/assets/templates/incident-review.md +60 -60
  35. package/assets/templates/public-channel-publication-record.md +49 -49
  36. package/assets/templates/public-ci-run-record.md +53 -53
  37. package/assets/templates/public-release-record.md +65 -65
  38. package/assets/templates/public-repository-settings-record.md +59 -59
  39. package/assets/templates/public-security-contact-record.md +45 -45
  40. package/assets/templates/release-trust-record.md +32 -32
  41. package/assets/templates/review.md +18 -18
  42. package/assets/templates/role-fallback-packet.md +49 -0
  43. package/assets/templates/spec.md +16 -16
  44. package/assets/templates/target-adoption-evidence.md +29 -29
  45. package/assets/templates/tasks.md +17 -17
  46. package/assets/templates/update-release-acceptance-record.md +58 -58
  47. package/examples/README.md +22 -22
  48. package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -6
  49. package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -7
  50. package/examples/agent-runtime-host/.gse/goal-map.md +7 -7
  51. package/examples/agent-runtime-host/.gse/project-profile.md +27 -27
  52. package/examples/agent-runtime-host/.gse/tooling.md +5 -5
  53. package/examples/agent-runtime-host/.mcp.json +9 -9
  54. package/examples/agent-runtime-host/AGENTS.md +5 -5
  55. package/examples/agent-runtime-host/README.md +10 -10
  56. package/examples/agent-runtime-host/docs/model-routing.md +5 -5
  57. package/examples/cli-tool/.gse/project-profile.md +21 -21
  58. package/examples/cli-tool/AGENTS.md +5 -5
  59. package/examples/cli-tool/README.md +12 -12
  60. package/examples/cli-tool/package.json +21 -21
  61. package/examples/small-app/.env.example +2 -2
  62. package/examples/small-app/.github/workflows/ci.yml +8 -8
  63. package/examples/small-app/AGENTS.md +5 -5
  64. package/examples/small-app/README.md +12 -12
  65. package/examples/small-app/package.json +26 -26
  66. package/examples/small-app/playwright.config.ts +4 -4
  67. package/package.json +52 -44
  68. package/references/adoption-recipes.md +171 -171
  69. package/references/agent-roles.md +42 -21
  70. package/references/architecture-health.md +101 -101
  71. package/references/benchmark-audit.md +73 -73
  72. package/references/commands.md +74 -45
  73. package/references/community-channels.md +46 -46
  74. package/references/compatibility.md +70 -70
  75. package/references/design-basis.md +38 -38
  76. package/references/domain-model.md +129 -129
  77. package/references/domain-quality-gates.md +75 -75
  78. package/references/drift-audit.md +81 -80
  79. package/references/evidence-taxonomy.md +145 -108
  80. package/references/file-ownership.md +97 -93
  81. package/references/final-form-roadmap.md +201 -0
  82. package/references/final-readiness.md +84 -84
  83. package/references/forward-test.md +133 -133
  84. package/references/goal-map.md +36 -36
  85. package/references/host-adapters.md +129 -101
  86. package/references/learning-system.md +42 -26
  87. package/references/maintenance-cadence.md +51 -0
  88. package/references/marketplace-discovery.md +46 -46
  89. package/references/model-routing.md +103 -103
  90. package/references/open-source-defaults.md +39 -39
  91. package/references/operating-model.md +52 -52
  92. package/references/packaging.md +277 -277
  93. package/references/project-agent-workspace.md +89 -89
  94. package/references/project-bootstrap.md +122 -122
  95. package/references/project-guards.md +52 -0
  96. package/references/project-profile.md +57 -57
  97. package/references/public-release.md +174 -174
  98. package/references/quality-gates.md +96 -89
  99. package/references/recovery.md +176 -176
  100. package/references/release-trust.md +43 -43
  101. package/references/release.md +126 -126
  102. package/references/review.md +141 -141
  103. package/references/role-dispatch-fallback.md +54 -0
  104. package/references/router.md +90 -90
  105. package/references/spec-workflow.md +66 -66
  106. package/references/task-levels.md +81 -81
  107. package/references/tool-adapters.md +80 -70
  108. package/scripts/audit-acceptance-execution-packet.mjs +133 -133
  109. package/scripts/audit-adoption-recipes.mjs +99 -99
  110. package/scripts/audit-change-lifecycle.mjs +77 -77
  111. package/scripts/audit-change-system.mjs +134 -134
  112. package/scripts/audit-ci-readiness.mjs +107 -107
  113. package/scripts/audit-close-gate-hardening.mjs +188 -0
  114. package/scripts/audit-close-gate.mjs +448 -262
  115. package/scripts/audit-command-adapters.mjs +91 -91
  116. package/scripts/audit-command-execution.mjs +212 -199
  117. package/scripts/audit-commands.mjs +7 -5
  118. package/scripts/audit-compatibility.mjs +149 -149
  119. package/scripts/audit-completion-plan-drill.mjs +230 -0
  120. package/scripts/audit-completion-readiness.mjs +290 -287
  121. package/scripts/audit-continue-preflight.mjs +234 -0
  122. package/scripts/audit-distribution.mjs +251 -251
  123. package/scripts/audit-domain-quality-gates.mjs +108 -108
  124. package/scripts/audit-evidence-levels.mjs +217 -0
  125. package/scripts/audit-evidence-placeholders.mjs +126 -126
  126. package/scripts/audit-evidence-review-queue.mjs +206 -0
  127. package/scripts/audit-final-acceptance-packet.mjs +9 -9
  128. package/scripts/audit-final-form-progress-report.mjs +19 -18
  129. package/scripts/audit-final-form-roadmap.mjs +157 -0
  130. package/scripts/audit-final-form-stale-copy.mjs +2 -2
  131. package/scripts/audit-final-readiness-promotion.mjs +255 -255
  132. package/scripts/audit-final-readiness.mjs +226 -226
  133. package/scripts/audit-fixtures.mjs +154 -154
  134. package/scripts/audit-fresh-session-readiness.mjs +177 -177
  135. package/scripts/audit-host-capabilities.mjs +237 -0
  136. package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -159
  137. package/scripts/audit-host-runtime-invocation-drill.mjs +240 -240
  138. package/scripts/audit-host-runtime-invocations.mjs +254 -254
  139. package/scripts/audit-host-ui-invocation.mjs +132 -132
  140. package/scripts/audit-installed-sync.mjs +203 -0
  141. package/scripts/audit-learning-drift.mjs +292 -0
  142. package/scripts/audit-learning-promotion.mjs +351 -0
  143. package/scripts/audit-learning-system.mjs +24 -14
  144. package/scripts/audit-local-final-form-completion.mjs +11 -10
  145. package/scripts/audit-maintenance-cadence.mjs +139 -0
  146. package/scripts/audit-maintenance-snapshot.mjs +181 -0
  147. package/scripts/audit-marketplace-discovery.mjs +122 -122
  148. package/scripts/audit-npm-package-metadata.mjs +160 -154
  149. package/scripts/audit-npm-publish-dry-run.mjs +194 -166
  150. package/scripts/audit-npm-tarball-install.mjs +195 -189
  151. package/scripts/audit-open-source-defaults.mjs +92 -92
  152. package/scripts/audit-open-source-readiness.mjs +97 -97
  153. package/scripts/audit-owner-external-gate-kit.mjs +12 -11
  154. package/scripts/audit-project-guards.mjs +189 -0
  155. package/scripts/audit-project.mjs +144 -141
  156. package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -203
  157. package/scripts/audit-public-acceptance-handoff.mjs +10 -10
  158. package/scripts/audit-public-acceptance-readiness.mjs +222 -222
  159. package/scripts/audit-public-channel-publication.mjs +248 -248
  160. package/scripts/audit-public-ci-run.mjs +184 -184
  161. package/scripts/audit-public-collaboration-templates.mjs +98 -98
  162. package/scripts/audit-public-external-gate-probe.mjs +206 -206
  163. package/scripts/audit-public-release-checklist.mjs +17 -15
  164. package/scripts/audit-public-release-decision.mjs +201 -201
  165. package/scripts/audit-public-release-metadata.mjs +176 -176
  166. package/scripts/audit-public-repository-settings.mjs +237 -237
  167. package/scripts/audit-public-security-contact.mjs +171 -171
  168. package/scripts/audit-readme-docs.mjs +6 -4
  169. package/scripts/audit-recovery-readiness.mjs +98 -98
  170. package/scripts/audit-release-bundle.mjs +13 -11
  171. package/scripts/audit-release-owner-action-plan-drill.mjs +5 -4
  172. package/scripts/audit-release-owner-action-plan.mjs +10 -10
  173. package/scripts/audit-release-readiness.mjs +106 -106
  174. package/scripts/audit-release-status-manifest.mjs +4 -4
  175. package/scripts/audit-release-trust.mjs +62 -62
  176. package/scripts/audit-remote-distribution.mjs +266 -266
  177. package/scripts/audit-roadmap-consistency.mjs +234 -230
  178. package/scripts/audit-role-dispatch-fallback.mjs +212 -0
  179. package/scripts/audit-session-sync.mjs +127 -0
  180. package/scripts/audit-signing.mjs +147 -147
  181. package/scripts/audit-state-freshness.mjs +20 -14
  182. package/scripts/audit-state-repair.mjs +360 -0
  183. package/scripts/audit-target-adoption-evidence.mjs +117 -117
  184. package/scripts/audit-target-hardening-drills.mjs +267 -0
  185. package/scripts/audit-target-project.mjs +507 -507
  186. package/scripts/audit-tool-fallback-policy.mjs +180 -0
  187. package/scripts/audit-ui-browser-evidence-policy.mjs +191 -0
  188. package/scripts/audit-update-release-acceptance.mjs +136 -136
  189. package/scripts/audit-v1-target-validation.mjs +269 -269
  190. package/scripts/audit-validation-profiles.mjs +125 -123
  191. package/scripts/backfill-evidence-levels.mjs +98 -0
  192. package/scripts/check-encoding.mjs +72 -0
  193. package/scripts/close-change.mjs +116 -116
  194. package/scripts/discover-project-profile.mjs +307 -307
  195. package/scripts/generate-command-adapter.mjs +231 -231
  196. package/scripts/generate-continue-packet.mjs +1214 -0
  197. package/scripts/generate-final-acceptance-packet.mjs +188 -173
  198. package/scripts/generate-final-form-progress-report.mjs +191 -189
  199. package/scripts/generate-host-runtime-evidence-handoff.mjs +198 -191
  200. package/scripts/generate-maintenance-snapshot.mjs +216 -0
  201. package/scripts/generate-owner-external-gate-kit.mjs +295 -295
  202. package/scripts/generate-public-acceptance-handoff.mjs +168 -156
  203. package/scripts/generate-public-release-checklist.mjs +207 -207
  204. package/scripts/generate-release-bundle.mjs +505 -505
  205. package/scripts/generate-release-owner-action-plan.mjs +172 -171
  206. package/scripts/generate-release-status-manifest.mjs +199 -198
  207. package/scripts/generate-session-prompt.mjs +188 -188
  208. package/scripts/gse.mjs +67 -67
  209. package/scripts/init-change.mjs +265 -265
  210. package/scripts/init-project.mjs +793 -712
  211. package/scripts/install-gse.mjs +234 -234
  212. package/scripts/lib/evidence-placeholders.mjs +28 -28
  213. package/scripts/package-gse.mjs +174 -174
  214. package/scripts/probe-public-external-gates.mjs +167 -167
  215. package/scripts/record-host-invocation.mjs +151 -151
  216. package/scripts/record-learning.mjs +37 -8
  217. package/scripts/record-public-channel-publication.mjs +178 -178
  218. package/scripts/record-public-ci-run.mjs +180 -180
  219. package/scripts/record-public-release.mjs +175 -175
  220. package/scripts/record-public-repository-settings.mjs +209 -209
  221. package/scripts/record-public-security-contact.mjs +157 -157
  222. package/scripts/record-session-sync.mjs +87 -0
  223. package/scripts/run-gse-command.mjs +79 -47
  224. package/scripts/run-validation-profile.mjs +24 -5
  225. package/scripts/sign-gse-package.mjs +83 -83
  226. package/scripts/update-project-state.mjs +223 -223
  227. package/scripts/validate-gse.mjs +216 -0
  228. package/scripts/verify-gse-package.mjs +85 -85
@@ -1,174 +1,174 @@
1
- # Public Release Metadata
2
-
3
- Use this gate when GSE, a project-local GSE scaffold, or a GSE-derived package is prepared for public GitHub, marketplace, catalog, registry, or external handoff.
4
-
5
- Public release metadata is not a substitute for legal review, maintainer approval, CI, or marketplace approval. It makes the release state auditable so agents do not claim public readiness from local tests alone.
6
-
7
- ## Required Metadata
8
-
9
- Before a public release can be called accepted, record:
10
-
11
- - Release name or version.
12
- - Release date or intended release window.
13
- - Distribution channel: GitHub repository, package registry, marketplace/catalog, internal handoff, or direct archive.
14
- - License decision: license identifier, license file path, and who approved it.
15
- - Changelog or release notes path.
16
- - Install/update instructions path.
17
- - Verification commands and latest result.
18
- - Signing or integrity policy.
19
- - Public CI run: public workflow run URL, commit SHA, required checks, result, and acceptance evidence.
20
- - Public security contact: owner-approved disclosure path and policy update evidence.
21
- - Public repository settings: issues, PRs, security policy visibility, branch protection, and required checks.
22
- - Public channel publication: registry package, GitHub release, marketplace, or catalog evidence when any public channel is claimed.
23
- - Community/support channel: optional maintainer support, sponsorship, affiliate, or related-service link, if owner-approved.
24
- - Known risks and unsupported claims.
25
- - Owner acceptance or explicit reason acceptance is still pending.
26
-
27
- ## License Decision
28
-
29
- GSE must not choose a license by guessing. If the project has no approved license, record `owner-required` and keep public release acceptance pending.
30
-
31
- For the GSE skill itself, the owner-approved mainstream open-source default is MIT. See `references/open-source-defaults.md`. This default does not imply public repository, CI, registry, marketplace, or host runtime acceptance until those external records exist.
32
-
33
- Minimum license record:
34
-
35
- ```text
36
- License status: owner-required | selected | not-public
37
- SPDX identifier:
38
- License file:
39
- Approved by:
40
- Decision date:
41
- Notes:
42
- ```
43
-
44
- Use `assets/templates/public-release-record.md` when a release needs a compact owner-facing decision record.
45
-
46
- Use `scripts/record-public-release.mjs` to create a project-local record without hand-editing the template:
47
-
48
- ```bash
49
- node <skill>/scripts/record-public-release.mjs --root <skill-or-project> --license-status owner-required --json
50
- ```
51
-
52
- For `--license-status selected`, the command requires `--spdx`, `--license-file`, `--approved-by`, `--decision-date`, and `--evidence-status accepted`. This keeps license acceptance from being implied by a partially filled record.
53
-
54
- For `--license-status not-public`, the command requires `--approved-by` and `--decision-date`. Use this when the owner explicitly decides the package is not approved for public open-source release yet.
55
-
56
- Run `scripts/audit-public-release-decision.mjs --root <skill-or-project>` to verify that the owner-required, selected-license, and not-public decision paths behave correctly. The audit uses a temporary fixture for selected-license success and does not choose a license for the real project.
57
-
58
- ## Public Release Checklist
59
-
60
- Use the generated checklist when the owner needs the public-release work in execution order instead of grouped by responsibility:
61
-
62
- ```bash
63
- node <skill>/scripts/generate-public-release-checklist.mjs --root <skill-or-project> --force --json
64
- node <skill>/scripts/audit-public-release-checklist.mjs --root <skill-or-project> --json
65
- ```
66
-
67
- The checklist is a runway, not an acceptance record. It keeps the order explicit: release bundle, public repository settings, security contact, public CI, registry publication, marketplace listing, native slash-command evidence, other host runtime evidence, then final readiness audits.
68
-
69
- ## Public CI Run
70
-
71
- Local CI workflow files are not proof that public CI has run. If GSE is claimed to have public CI evidence, record the real public workflow run.
72
-
73
- Use `assets/templates/public-ci-run-record.md` for a compact record, or generate one with:
74
-
75
- ```bash
76
- node <skill>/scripts/record-public-ci-run.mjs --root <skill-or-project> --run-status pending --json
77
- ```
78
-
79
- For `--run-status accepted`, the command requires repository URL, workflow name, workflow file, run URL, commit SHA, branch, required checks, evidence owner, evidence date, evidence URL or run id, `--run-conclusion success`, `--evidence-status accepted`, `--accepted-by`, `--accepted-at`, `--proves-public-ci-run true`, and `--proves-required-checks true`.
80
-
81
- Run `scripts/audit-public-ci-run.mjs --root <skill-or-project>` to verify pending and accepted CI run record mechanics. The audit uses temporary fixture evidence and does not run GitHub Actions.
82
-
83
- ## Public Security Contact
84
-
85
- GSE must not invent a public vulnerability disclosure address. If the owner has not approved a public security contact, keep the contact status pending and do not claim public release acceptance.
86
-
87
- Use `assets/templates/public-security-contact-record.md` for a compact record, or generate one with:
88
-
89
- ```bash
90
- node <skill>/scripts/record-public-security-contact.mjs --root <skill-or-project> --contact-status pending --json
91
- ```
92
-
93
- For `--contact-status accepted`, the command requires a public contact type and value, owner evidence, evidence date, evidence URL or run id, `--is-public true`, `--security-policy-updated true`, `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
94
-
95
- Run `scripts/audit-public-security-contact.mjs --root <skill-or-project>` to verify pending and accepted record mechanics. The audit uses temporary fixture evidence and does not create a real public security contact.
96
-
97
- ## Public Repository Settings
98
-
99
- Public repository settings are external evidence. Local files can define the required shape, but they do not prove that a public GitHub repository has issues, pull requests, security policy visibility, branch protection, or required checks configured.
100
-
101
- Use `assets/templates/public-repository-settings-record.md` for a compact record, or generate one with:
102
-
103
- ```bash
104
- node <skill>/scripts/record-public-repository-settings.mjs --root <skill-or-project> --settings-status pending --json
105
- ```
106
-
107
- For `--settings-status verified`, the command requires a public repository URL, evidence owner, evidence date, evidence URL or run id, enabled issues/PRs/security policy, branch protection, required status checks, review-before-merge, conversation resolution, force-push restriction, deletion restriction, and required check names.
108
-
109
- For `--settings-status accepted`, the command also requires `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
110
-
111
- Run `scripts/audit-public-repository-settings.mjs --root <skill-or-project>` to verify the pending, verified, and accepted record mechanics. The audit uses temporary fixture evidence and does not configure a real public repository.
112
-
113
- ## Public Channel Publication
114
-
115
- Discovery metadata, local packages, release bundles, and URL-install smokes are not public publication. If GSE is claimed to be published through a registry, marketplace, catalog, or GitHub release, record the real channel evidence.
116
-
117
- Use `assets/templates/public-channel-publication-record.md` for a compact record, or generate one with:
118
-
119
- ```bash
120
- node <skill>/scripts/record-public-channel-publication.mjs --root <skill-or-project> --publication-status pending --json
121
- ```
122
-
123
- For `--publication-status accepted`, the command requires channel type, channel name, channel URL, version, owner evidence, evidence date, evidence URL or run id, review status `approved` or `published`, `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
124
-
125
- For package registry claims, accepted evidence also requires `--artifact-digest` and `--proves-registry-publication true`. For marketplace or catalog claims, accepted evidence requires `--proves-marketplace-approval true`.
126
-
127
- Run `scripts/audit-public-channel-publication.mjs --root <skill-or-project>` to verify pending, registry-publication, and marketplace-approval record mechanics. The audit uses temporary fixture evidence and does not publish to a real channel.
128
-
129
- ## Community And Support Links
130
-
131
- Community links are not release channels. They can help users find support or related maintainer services, but they do not prove registry publication, marketplace approval, public CI, security disclosure, or host runtime support.
132
-
133
- For GSE, GateHub (`https://gatehub.top/`) is the current owner-candidate community/support link. Use `references/community-channels.md` before adding it to a public repository, release note, or listing.
134
-
135
- ## Changelog Policy
136
-
137
- Use the project convention first. If none exists, keep a `CHANGELOG.md` with:
138
-
139
- - user-facing changes,
140
- - operator or maintainer changes,
141
- - breaking changes,
142
- - migration and rollback notes,
143
- - verification evidence,
144
- - known limits and unsupported claims.
145
-
146
- Do not paste long command output, private reasoning, secrets, provider payloads, or screenshots into a changelog. Link to evidence files instead.
147
-
148
- ## Acceptance Levels
149
-
150
- - `result`: metadata files exist but are not verified.
151
- - `verified`: metadata files, scripts, changelog policy, and owner-decision placeholders are structurally checked.
152
- - `accepted`: owner license decision, release channel, verification evidence, and required approvals are recorded.
153
-
154
- Do not mark `accepted` when the release is only locally validated.
155
-
156
- ## Integration
157
-
158
- - Use `references/open-source-defaults.md` for the mainstream public release preset.
159
- - Use `references/community-channels.md` for optional maintainer support, sponsorship, affiliate, or related-service links.
160
- - Run `scripts/audit-public-release-metadata.mjs --root <skill-or-project>` before public handoff.
161
- - Run `scripts/audit-public-release-decision.mjs --root <skill-or-project>` before claiming release-decision mechanics are complete.
162
- - Use `scripts/record-public-release.mjs --root <skill-or-project>` to write the release decision record.
163
- - Run `scripts/audit-public-ci-run.mjs --root <skill-or-project>` before claiming public CI run record mechanics are complete.
164
- - Use `scripts/record-public-ci-run.mjs --root <skill-or-project>` to write public CI run evidence.
165
- - Run `scripts/audit-public-security-contact.mjs --root <skill-or-project>` before claiming security contact record mechanics are complete.
166
- - Use `scripts/record-public-security-contact.mjs --root <skill-or-project>` to write the public security contact evidence record.
167
- - Run `scripts/audit-public-repository-settings.mjs --root <skill-or-project>` before claiming repository settings record mechanics are complete.
168
- - Use `scripts/record-public-repository-settings.mjs --root <skill-or-project>` to write the repository settings evidence record.
169
- - Run `scripts/audit-public-channel-publication.mjs --root <skill-or-project>` before claiming public channel publication record mechanics are complete.
170
- - Use `scripts/record-public-channel-publication.mjs --root <skill-or-project>` to write public registry, marketplace, catalog, or release publication evidence.
171
- - Run `scripts/validate-gse.mjs --root <skill>` before publishing the GSE skill itself.
172
- - Use `references/release.md` for release-level gates and rollback guidance.
173
- - Use `references/release-trust.md` for signing, public key custody, and artifact trust.
174
- - Use `references/marketplace-discovery.md` when preparing marketplace or catalog metadata.
1
+ # Public Release Metadata
2
+
3
+ Use this gate when GSE, a project-local GSE scaffold, or a GSE-derived package is prepared for public GitHub, marketplace, catalog, registry, or external handoff.
4
+
5
+ Public release metadata is not a substitute for legal review, maintainer approval, CI, or marketplace approval. It makes the release state auditable so agents do not claim public readiness from local tests alone.
6
+
7
+ ## Required Metadata
8
+
9
+ Before a public release can be called accepted, record:
10
+
11
+ - Release name or version.
12
+ - Release date or intended release window.
13
+ - Distribution channel: GitHub repository, package registry, marketplace/catalog, internal handoff, or direct archive.
14
+ - License decision: license identifier, license file path, and who approved it.
15
+ - Changelog or release notes path.
16
+ - Install/update instructions path.
17
+ - Verification commands and latest result.
18
+ - Signing or integrity policy.
19
+ - Public CI run: public workflow run URL, commit SHA, required checks, result, and acceptance evidence.
20
+ - Public security contact: owner-approved disclosure path and policy update evidence.
21
+ - Public repository settings: issues, PRs, security policy visibility, branch protection, and required checks.
22
+ - Public channel publication: registry package, GitHub release, marketplace, or catalog evidence when any public channel is claimed.
23
+ - Community/support channel: optional maintainer support, sponsorship, affiliate, or related-service link, if owner-approved.
24
+ - Known risks and unsupported claims.
25
+ - Owner acceptance or explicit reason acceptance is still pending.
26
+
27
+ ## License Decision
28
+
29
+ GSE must not choose a license by guessing. If the project has no approved license, record `owner-required` and keep public release acceptance pending.
30
+
31
+ For the GSE skill itself, the owner-approved mainstream open-source default is MIT. See `references/open-source-defaults.md`. This default does not imply public repository, CI, registry, marketplace, or host runtime acceptance until those external records exist.
32
+
33
+ Minimum license record:
34
+
35
+ ```text
36
+ License status: owner-required | selected | not-public
37
+ SPDX identifier:
38
+ License file:
39
+ Approved by:
40
+ Decision date:
41
+ Notes:
42
+ ```
43
+
44
+ Use `assets/templates/public-release-record.md` when a release needs a compact owner-facing decision record.
45
+
46
+ Use `scripts/record-public-release.mjs` to create a project-local record without hand-editing the template:
47
+
48
+ ```bash
49
+ node <skill>/scripts/record-public-release.mjs --root <skill-or-project> --license-status owner-required --json
50
+ ```
51
+
52
+ For `--license-status selected`, the command requires `--spdx`, `--license-file`, `--approved-by`, `--decision-date`, and `--evidence-status accepted`. This keeps license acceptance from being implied by a partially filled record.
53
+
54
+ For `--license-status not-public`, the command requires `--approved-by` and `--decision-date`. Use this when the owner explicitly decides the package is not approved for public open-source release yet.
55
+
56
+ Run `scripts/audit-public-release-decision.mjs --root <skill-or-project>` to verify that the owner-required, selected-license, and not-public decision paths behave correctly. The audit uses a temporary fixture for selected-license success and does not choose a license for the real project.
57
+
58
+ ## Public Release Checklist
59
+
60
+ Use the generated checklist when the owner needs the public-release work in execution order instead of grouped by responsibility:
61
+
62
+ ```bash
63
+ node <skill>/scripts/generate-public-release-checklist.mjs --root <skill-or-project> --force --json
64
+ node <skill>/scripts/audit-public-release-checklist.mjs --root <skill-or-project> --json
65
+ ```
66
+
67
+ The checklist is a runway, not an acceptance record. It keeps the order explicit: release bundle, public repository settings, security contact, public CI, registry publication, marketplace listing, native slash-command evidence, other host runtime evidence, then final readiness audits.
68
+
69
+ ## Public CI Run
70
+
71
+ Local CI workflow files are not proof that public CI has run. If GSE is claimed to have public CI evidence, record the real public workflow run.
72
+
73
+ Use `assets/templates/public-ci-run-record.md` for a compact record, or generate one with:
74
+
75
+ ```bash
76
+ node <skill>/scripts/record-public-ci-run.mjs --root <skill-or-project> --run-status pending --json
77
+ ```
78
+
79
+ For `--run-status accepted`, the command requires repository URL, workflow name, workflow file, run URL, commit SHA, branch, required checks, evidence owner, evidence date, evidence URL or run id, `--run-conclusion success`, `--evidence-status accepted`, `--accepted-by`, `--accepted-at`, `--proves-public-ci-run true`, and `--proves-required-checks true`.
80
+
81
+ Run `scripts/audit-public-ci-run.mjs --root <skill-or-project>` to verify pending and accepted CI run record mechanics. The audit uses temporary fixture evidence and does not run GitHub Actions.
82
+
83
+ ## Public Security Contact
84
+
85
+ GSE must not invent a public vulnerability disclosure address. If the owner has not approved a public security contact, keep the contact status pending and do not claim public release acceptance.
86
+
87
+ Use `assets/templates/public-security-contact-record.md` for a compact record, or generate one with:
88
+
89
+ ```bash
90
+ node <skill>/scripts/record-public-security-contact.mjs --root <skill-or-project> --contact-status pending --json
91
+ ```
92
+
93
+ For `--contact-status accepted`, the command requires a public contact type and value, owner evidence, evidence date, evidence URL or run id, `--is-public true`, `--security-policy-updated true`, `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
94
+
95
+ Run `scripts/audit-public-security-contact.mjs --root <skill-or-project>` to verify pending and accepted record mechanics. The audit uses temporary fixture evidence and does not create a real public security contact.
96
+
97
+ ## Public Repository Settings
98
+
99
+ Public repository settings are external evidence. Local files can define the required shape, but they do not prove that a public GitHub repository has issues, pull requests, security policy visibility, branch protection, or required checks configured.
100
+
101
+ Use `assets/templates/public-repository-settings-record.md` for a compact record, or generate one with:
102
+
103
+ ```bash
104
+ node <skill>/scripts/record-public-repository-settings.mjs --root <skill-or-project> --settings-status pending --json
105
+ ```
106
+
107
+ For `--settings-status verified`, the command requires a public repository URL, evidence owner, evidence date, evidence URL or run id, enabled issues/PRs/security policy, branch protection, required status checks, review-before-merge, conversation resolution, force-push restriction, deletion restriction, and required check names.
108
+
109
+ For `--settings-status accepted`, the command also requires `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
110
+
111
+ Run `scripts/audit-public-repository-settings.mjs --root <skill-or-project>` to verify the pending, verified, and accepted record mechanics. The audit uses temporary fixture evidence and does not configure a real public repository.
112
+
113
+ ## Public Channel Publication
114
+
115
+ Discovery metadata, local packages, release bundles, and URL-install smokes are not public publication. If GSE is claimed to be published through a registry, marketplace, catalog, or GitHub release, record the real channel evidence.
116
+
117
+ Use `assets/templates/public-channel-publication-record.md` for a compact record, or generate one with:
118
+
119
+ ```bash
120
+ node <skill>/scripts/record-public-channel-publication.mjs --root <skill-or-project> --publication-status pending --json
121
+ ```
122
+
123
+ For `--publication-status accepted`, the command requires channel type, channel name, channel URL, version, owner evidence, evidence date, evidence URL or run id, review status `approved` or `published`, `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
124
+
125
+ For package registry claims, accepted evidence also requires `--artifact-digest` and `--proves-registry-publication true`. For marketplace or catalog claims, accepted evidence requires `--proves-marketplace-approval true`.
126
+
127
+ Run `scripts/audit-public-channel-publication.mjs --root <skill-or-project>` to verify pending, registry-publication, and marketplace-approval record mechanics. The audit uses temporary fixture evidence and does not publish to a real channel.
128
+
129
+ ## Community And Support Links
130
+
131
+ Community links are not release channels. They can help users find support or related maintainer services, but they do not prove registry publication, marketplace approval, public CI, security disclosure, or host runtime support.
132
+
133
+ For GSE, GateHub (`https://gatehub.top/`) is the current owner-candidate community/support link. Use `references/community-channels.md` before adding it to a public repository, release note, or listing.
134
+
135
+ ## Changelog Policy
136
+
137
+ Use the project convention first. If none exists, keep a `CHANGELOG.md` with:
138
+
139
+ - user-facing changes,
140
+ - operator or maintainer changes,
141
+ - breaking changes,
142
+ - migration and rollback notes,
143
+ - verification evidence,
144
+ - known limits and unsupported claims.
145
+
146
+ Do not paste long command output, private reasoning, secrets, provider payloads, or screenshots into a changelog. Link to evidence files instead.
147
+
148
+ ## Acceptance Levels
149
+
150
+ - `result`: metadata files exist but are not verified.
151
+ - `verified`: metadata files, scripts, changelog policy, and owner-decision placeholders are structurally checked.
152
+ - `accepted`: owner license decision, release channel, verification evidence, and required approvals are recorded.
153
+
154
+ Do not mark `accepted` when the release is only locally validated.
155
+
156
+ ## Integration
157
+
158
+ - Use `references/open-source-defaults.md` for the mainstream public release preset.
159
+ - Use `references/community-channels.md` for optional maintainer support, sponsorship, affiliate, or related-service links.
160
+ - Run `scripts/audit-public-release-metadata.mjs --root <skill-or-project>` before public handoff.
161
+ - Run `scripts/audit-public-release-decision.mjs --root <skill-or-project>` before claiming release-decision mechanics are complete.
162
+ - Use `scripts/record-public-release.mjs --root <skill-or-project>` to write the release decision record.
163
+ - Run `scripts/audit-public-ci-run.mjs --root <skill-or-project>` before claiming public CI run record mechanics are complete.
164
+ - Use `scripts/record-public-ci-run.mjs --root <skill-or-project>` to write public CI run evidence.
165
+ - Run `scripts/audit-public-security-contact.mjs --root <skill-or-project>` before claiming security contact record mechanics are complete.
166
+ - Use `scripts/record-public-security-contact.mjs --root <skill-or-project>` to write the public security contact evidence record.
167
+ - Run `scripts/audit-public-repository-settings.mjs --root <skill-or-project>` before claiming repository settings record mechanics are complete.
168
+ - Use `scripts/record-public-repository-settings.mjs --root <skill-or-project>` to write the repository settings evidence record.
169
+ - Run `scripts/audit-public-channel-publication.mjs --root <skill-or-project>` before claiming public channel publication record mechanics are complete.
170
+ - Use `scripts/record-public-channel-publication.mjs --root <skill-or-project>` to write public registry, marketplace, catalog, or release publication evidence.
171
+ - Run `scripts/validate-gse.mjs --root <skill>` before publishing the GSE skill itself.
172
+ - Use `references/release.md` for release-level gates and rollback guidance.
173
+ - Use `references/release-trust.md` for signing, public key custody, and artifact trust.
174
+ - Use `references/marketplace-discovery.md` when preparing marketplace or catalog metadata.
@@ -1,100 +1,107 @@
1
- # Quality Gates
2
-
3
- Pick gates by task risk.
4
-
5
- ## Universal Gate
6
-
7
- - Outcome matches request.
8
- - Scope did not expand silently.
1
+ # Quality Gates
2
+
3
+ Pick gates by task risk.
4
+
5
+ ## Universal Gate
6
+
7
+ - Outcome matches request.
8
+ - Scope did not expand silently.
9
9
  - Acceptance has evidence.
10
10
  - Evidence status uses `evidence-taxonomy.md`: result, verified, or accepted.
11
+ - Evidence level uses `evidence-taxonomy.md`: `result`, `verified-unit`, `verified-component`, `verified-api`, `verified-browser`, `verified-ci`, `accepted-owner`, `accepted-release`, or `external-required`.
11
12
  - Do not claim `verified` or `accepted` when evidence only proves `result`.
13
+ - Do not describe `verified-component` or `verified-api` as `verified-browser`; record a downgrade when browser proof was required but only component/API proof ran.
12
14
  - Dirty worktree contains only intended files; use `references/file-ownership.md` when ownership or pre-existing changes are unclear.
13
- - Final answer states evidence and remaining risk.
15
+ - Close checks must surface role-dispatch honesty, staged/unstaged/untracked worktree state, and staged generated/test artifacts before a slice is called complete.
16
+ - Final answer states evidence and remaining risk.
14
17
  - Use `references/recovery.md` when work is interrupted, verification fails, rollback/resume decisions are needed, or another agent/session must continue.
18
+ - Check `.gse/project-guards.md` through `/gse continue` or `scripts/audit-project-guards.mjs` when recurring lessons may affect the slice.
19
+ - Check `.gse/host-capabilities.md` through `/gse continue` or `scripts/audit-host-capabilities.mjs` before claiming native slash-command, browser, MCP, LSP, subagent, or CI support.
20
+ - Check learning drift through `/gse continue` or `scripts/audit-learning-drift.mjs` before closing repeated-failure lessons as enforced.
15
21
  - Use `references/review.md` when task risk requires spec compliance, code quality, architecture drift, security/privacy, regression, or evidence review.
16
- - Use `references/domain-quality-gates.md` when task risk involves security/privacy, performance/cost, accessibility, resilience/recovery, UI/browser, API/state, data/migration, model/tool routing, or release/operations concerns.
17
- - Use `references/architecture-health.md` when the task touches structural boundaries, coupling, source-of-truth drift, ownership, dependency/security risk, performance/resilience, migration, or release impact.
18
- - Use `references/forward-test.md` for non-trivial GSE skill, scaffold, router, role, adapter, release, recovery, or packaging changes.
19
-
20
- ## Code Gates
21
-
22
- - Focused tests for changed behavior.
23
- - Typecheck/lint/build when relevant.
24
- - Regression test for bug fixes when feasible.
25
- - No unrelated refactors.
26
-
27
- ## Gate Profiles
28
-
29
- Use the lightest gate profile that proves the claim.
30
-
31
- ### Lite Gate
32
-
33
- Use for docs, scripts, copy, narrow state labels, and low-risk local helpers.
34
-
35
- - Required: one focused command, structural check, or explicit manual evidence.
36
- - Optional: encoding check when docs changed.
37
- - Avoid by default: full build, browser smoke, distribution audit, or close gate unless the change touches those surfaces.
38
-
39
- ### Standard Gate
40
-
41
- Use for user-visible product slices, shared state contracts, API behavior, persistence, or cross-file workflows.
42
-
43
- - Required: focused tests for changed behavior.
44
- - Add one relevant integration smoke when the slice affects a visible or persisted path.
45
- - Build/typecheck is required when touching Next build-time code, shared TypeScript contracts, generated package shape, or release/install behavior.
46
-
47
- ### Enterprise Gate
48
-
49
- Use for public release, install/update, security, migrations, cross-host support, skill/scaffold changes, or high-blast-radius architecture.
50
-
51
- - Required: focused tests plus the hard gate matching the claim.
52
- - Examples: distribution audit for install claims, release bundle audit for release handoff claims, browser smoke for UI reliability claims, security scan for permission/secrets claims.
53
- - For GSE distribution checks, use `--profile smoke` for routine package/install/CLI/integrity evidence and `--profile full` for release, handoff, or installed-copy validation claims.
54
- - Full validation belongs here, not on every small product slice.
55
-
56
- Gate selection should be stated in evidence when a task could reasonably look heavier than the chosen profile.
57
-
58
- Portable validation profile runner:
59
-
60
- ```text
61
- node <gse-skill>/scripts/run-validation-profile.mjs --target <project-root> --profile lite|standard|enterprise|release
62
- ```
63
-
64
- Use this runner when a host, user, or future agent needs a stable command instead of hand-selecting individual audit scripts.
65
-
22
+ - Use `references/domain-quality-gates.md` when task risk involves security/privacy, performance/cost, accessibility, resilience/recovery, UI/browser, API/state, data/migration, model/tool routing, or release/operations concerns.
23
+ - Use `references/architecture-health.md` when the task touches structural boundaries, coupling, source-of-truth drift, ownership, dependency/security risk, performance/resilience, migration, or release impact.
24
+ - Use `references/forward-test.md` for non-trivial GSE skill, scaffold, router, role, adapter, release, recovery, or packaging changes.
25
+
26
+ ## Code Gates
27
+
28
+ - Focused tests for changed behavior.
29
+ - Typecheck/lint/build when relevant.
30
+ - Regression test for bug fixes when feasible.
31
+ - No unrelated refactors.
32
+
33
+ ## Gate Profiles
34
+
35
+ Use the lightest gate profile that proves the claim.
36
+
37
+ ### Lite Gate
38
+
39
+ Use for docs, scripts, copy, narrow state labels, and low-risk local helpers.
40
+
41
+ - Required: one focused command, structural check, or explicit manual evidence.
42
+ - Optional: encoding check when docs changed.
43
+ - Avoid by default: full build, browser smoke, distribution audit, or close gate unless the change touches those surfaces.
44
+
45
+ ### Standard Gate
46
+
47
+ Use for user-visible product slices, shared state contracts, API behavior, persistence, or cross-file workflows.
48
+
49
+ - Required: focused tests for changed behavior.
50
+ - Add one relevant integration smoke when the slice affects a visible or persisted path.
51
+ - Build/typecheck is required when touching Next build-time code, shared TypeScript contracts, generated package shape, or release/install behavior.
52
+
53
+ ### Enterprise Gate
54
+
55
+ Use for public release, install/update, security, migrations, cross-host support, skill/scaffold changes, or high-blast-radius architecture.
56
+
57
+ - Required: focused tests plus the hard gate matching the claim.
58
+ - Examples: distribution audit for install claims, release bundle audit for release handoff claims, browser smoke for UI reliability claims, security scan for permission/secrets claims.
59
+ - For GSE distribution checks, use `--profile smoke` for routine package/install/CLI/integrity evidence and `--profile full` for release, handoff, or installed-copy validation claims.
60
+ - Full validation belongs here, not on every small product slice.
61
+
62
+ Gate selection should be stated in evidence when a task could reasonably look heavier than the chosen profile.
63
+
64
+ Portable validation profile runner:
65
+
66
+ ```text
67
+ node <gse-skill>/scripts/run-validation-profile.mjs --target <project-root> --profile lite|standard|enterprise|release
68
+ ```
69
+
70
+ Use this runner when a host, user, or future agent needs a stable command instead of hand-selecting individual audit scripts.
71
+
66
72
  ## UI Gates
67
73
 
68
74
  - Component test or browser smoke for visible behavior.
69
75
  - Screenshot or visual inspection for layout-sensitive work.
76
+ - Use `verified-component` for component-only UI proof and `verified-browser` for browser/screenshot-backed UI proof.
70
77
  - Loading, empty, error, success, retry, and cancelled states covered when relevant.
71
-
72
- ## Agent/Product Gates
73
-
74
- - State machine transitions are explicit.
75
- - Stop/retry/recovery behavior is defined.
76
- - Tool/process traces do not reveal hidden reasoning, secrets, or raw provider payloads.
77
- - Short/simple chats avoid heavy workflow paths.
78
-
79
- ## Release Gates
80
-
81
- Use `references/release.md` when a task affects shipping, install, upgrade, runtime compatibility, migration, rollback, changelog/release notes, or release acceptance.
82
-
83
- - Build/install smoke.
84
- - Migration and rollback notes.
85
- - Changelog or release note.
86
- - Known risk list.
87
- - Observability or incident path for risky changes.
88
-
89
- ## Domain Gates
90
-
91
- Use `references/domain-quality-gates.md` to select only the domain gates that match the risk. Do not force all gates onto Lite tasks.
92
-
93
- - Security/privacy: secrets, auth, permissions, user data, provider payloads, logs, browser traces, or tool permissions.
94
- - Performance/cost: latency, heavy context loading, loops, model/tool routing, workers, queues, or large files.
95
- - Accessibility: keyboard flow, focus, forms, semantics, contrast, responsive UI, or user-facing navigation.
96
- - Resilience/recovery: retry, cancellation, timeout, idempotency, duplicate prevention, fallback, or state recovery.
97
- - UI/browser: loading, empty, error, success, streaming, routing, layout, screenshot, or browser smoke needs.
98
- - API/state: contracts, persistence, sessions, caches, state machines, concurrency, or idempotency.
99
- - Data/migration: schema, storage, generated artifacts, import/export, compatibility, rollback, or downgrade risk.
100
- - Model/tool routing: provider behavior, fallback, MCP, browser, subagent, tool status, permissions, or cost route.
78
+
79
+ ## Agent/Product Gates
80
+
81
+ - State machine transitions are explicit.
82
+ - Stop/retry/recovery behavior is defined.
83
+ - Tool/process traces do not reveal hidden reasoning, secrets, or raw provider payloads.
84
+ - Short/simple chats avoid heavy workflow paths.
85
+
86
+ ## Release Gates
87
+
88
+ Use `references/release.md` when a task affects shipping, install, upgrade, runtime compatibility, migration, rollback, changelog/release notes, or release acceptance.
89
+
90
+ - Build/install smoke.
91
+ - Migration and rollback notes.
92
+ - Changelog or release note.
93
+ - Known risk list.
94
+ - Observability or incident path for risky changes.
95
+
96
+ ## Domain Gates
97
+
98
+ Use `references/domain-quality-gates.md` to select only the domain gates that match the risk. Do not force all gates onto Lite tasks.
99
+
100
+ - Security/privacy: secrets, auth, permissions, user data, provider payloads, logs, browser traces, or tool permissions.
101
+ - Performance/cost: latency, heavy context loading, loops, model/tool routing, workers, queues, or large files.
102
+ - Accessibility: keyboard flow, focus, forms, semantics, contrast, responsive UI, or user-facing navigation.
103
+ - Resilience/recovery: retry, cancellation, timeout, idempotency, duplicate prevention, fallback, or state recovery.
104
+ - UI/browser: loading, empty, error, success, streaming, routing, layout, screenshot, or browser smoke needs.
105
+ - API/state: contracts, persistence, sessions, caches, state machines, concurrency, or idempotency.
106
+ - Data/migration: schema, storage, generated artifacts, import/export, compatibility, rollback, or downgrade risk.
107
+ - Model/tool routing: provider behavior, fallback, MCP, browser, subagent, tool status, permissions, or cost route.