@t275005746/gse 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (228) hide show
  1. package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -42
  2. package/.github/ISSUE_TEMPLATE/change_request.yml +50 -50
  3. package/.github/ISSUE_TEMPLATE/config.yml +5 -5
  4. package/.github/PULL_REQUEST_TEMPLATE.md +38 -38
  5. package/.github/workflows/validate-gse.yml +33 -33
  6. package/.gse/README.md +18 -18
  7. package/.gse/gse-development-protocol.md +50 -50
  8. package/.gse/project-profile.md +29 -29
  9. package/.gse/quality-gates.md +25 -25
  10. package/.gse/releases/public-registry-publication-npm.md +49 -0
  11. package/.gse/releases/public-release-owner-required.md +65 -65
  12. package/.gse/releases/public-security-contact-owner-required.md +45 -45
  13. package/.gse/state.json +147 -27
  14. package/CHANGELOG.md +31 -15
  15. package/CONTRIBUTING.md +64 -64
  16. package/LICENSE +21 -21
  17. package/README.md +14 -7
  18. package/README.zh-CN.md +14 -7
  19. package/SECURITY.md +41 -41
  20. package/SKILL.md +32 -12
  21. package/SUPPORT.md +38 -38
  22. package/assets/marketplace/README.md +7 -7
  23. package/assets/marketplace/gse-listing.json +75 -75
  24. package/assets/templates/acceptance-execution-packet.md +73 -73
  25. package/assets/templates/adr.md +14 -14
  26. package/assets/templates/change-brief.md +16 -16
  27. package/assets/templates/design.md +18 -18
  28. package/assets/templates/dispatch-packet.md +100 -92
  29. package/assets/templates/evidence.md +15 -9
  30. package/assets/templates/execution-quality-pack.md +65 -65
  31. package/assets/templates/goal-map.md +21 -21
  32. package/assets/templates/host-adapter.md +48 -48
  33. package/assets/templates/host-ui-invocation-record.md +42 -42
  34. package/assets/templates/incident-review.md +60 -60
  35. package/assets/templates/public-channel-publication-record.md +49 -49
  36. package/assets/templates/public-ci-run-record.md +53 -53
  37. package/assets/templates/public-release-record.md +65 -65
  38. package/assets/templates/public-repository-settings-record.md +59 -59
  39. package/assets/templates/public-security-contact-record.md +45 -45
  40. package/assets/templates/release-trust-record.md +32 -32
  41. package/assets/templates/review.md +18 -18
  42. package/assets/templates/role-fallback-packet.md +49 -0
  43. package/assets/templates/spec.md +16 -16
  44. package/assets/templates/target-adoption-evidence.md +29 -29
  45. package/assets/templates/tasks.md +17 -17
  46. package/assets/templates/update-release-acceptance-record.md +58 -58
  47. package/examples/README.md +22 -22
  48. package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -6
  49. package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -7
  50. package/examples/agent-runtime-host/.gse/goal-map.md +7 -7
  51. package/examples/agent-runtime-host/.gse/project-profile.md +27 -27
  52. package/examples/agent-runtime-host/.gse/tooling.md +5 -5
  53. package/examples/agent-runtime-host/.mcp.json +9 -9
  54. package/examples/agent-runtime-host/AGENTS.md +5 -5
  55. package/examples/agent-runtime-host/README.md +10 -10
  56. package/examples/agent-runtime-host/docs/model-routing.md +5 -5
  57. package/examples/cli-tool/.gse/project-profile.md +21 -21
  58. package/examples/cli-tool/AGENTS.md +5 -5
  59. package/examples/cli-tool/README.md +12 -12
  60. package/examples/cli-tool/package.json +21 -21
  61. package/examples/small-app/.env.example +2 -2
  62. package/examples/small-app/.github/workflows/ci.yml +8 -8
  63. package/examples/small-app/AGENTS.md +5 -5
  64. package/examples/small-app/README.md +12 -12
  65. package/examples/small-app/package.json +26 -26
  66. package/examples/small-app/playwright.config.ts +4 -4
  67. package/package.json +52 -44
  68. package/references/adoption-recipes.md +171 -171
  69. package/references/agent-roles.md +42 -21
  70. package/references/architecture-health.md +101 -101
  71. package/references/benchmark-audit.md +73 -73
  72. package/references/commands.md +74 -45
  73. package/references/community-channels.md +46 -46
  74. package/references/compatibility.md +70 -70
  75. package/references/design-basis.md +38 -38
  76. package/references/domain-model.md +129 -129
  77. package/references/domain-quality-gates.md +75 -75
  78. package/references/drift-audit.md +81 -80
  79. package/references/evidence-taxonomy.md +145 -108
  80. package/references/file-ownership.md +97 -93
  81. package/references/final-form-roadmap.md +201 -0
  82. package/references/final-readiness.md +84 -84
  83. package/references/forward-test.md +133 -133
  84. package/references/goal-map.md +36 -36
  85. package/references/host-adapters.md +129 -101
  86. package/references/learning-system.md +42 -26
  87. package/references/maintenance-cadence.md +51 -0
  88. package/references/marketplace-discovery.md +46 -46
  89. package/references/model-routing.md +103 -103
  90. package/references/open-source-defaults.md +39 -39
  91. package/references/operating-model.md +52 -52
  92. package/references/packaging.md +277 -277
  93. package/references/project-agent-workspace.md +89 -89
  94. package/references/project-bootstrap.md +122 -122
  95. package/references/project-guards.md +52 -0
  96. package/references/project-profile.md +57 -57
  97. package/references/public-release.md +174 -174
  98. package/references/quality-gates.md +96 -89
  99. package/references/recovery.md +176 -176
  100. package/references/release-trust.md +43 -43
  101. package/references/release.md +126 -126
  102. package/references/review.md +141 -141
  103. package/references/role-dispatch-fallback.md +54 -0
  104. package/references/router.md +90 -90
  105. package/references/spec-workflow.md +66 -66
  106. package/references/task-levels.md +81 -81
  107. package/references/tool-adapters.md +80 -70
  108. package/scripts/audit-acceptance-execution-packet.mjs +133 -133
  109. package/scripts/audit-adoption-recipes.mjs +99 -99
  110. package/scripts/audit-change-lifecycle.mjs +77 -77
  111. package/scripts/audit-change-system.mjs +134 -134
  112. package/scripts/audit-ci-readiness.mjs +107 -107
  113. package/scripts/audit-close-gate-hardening.mjs +188 -0
  114. package/scripts/audit-close-gate.mjs +448 -262
  115. package/scripts/audit-command-adapters.mjs +91 -91
  116. package/scripts/audit-command-execution.mjs +212 -199
  117. package/scripts/audit-commands.mjs +7 -5
  118. package/scripts/audit-compatibility.mjs +149 -149
  119. package/scripts/audit-completion-plan-drill.mjs +230 -0
  120. package/scripts/audit-completion-readiness.mjs +290 -287
  121. package/scripts/audit-continue-preflight.mjs +234 -0
  122. package/scripts/audit-distribution.mjs +251 -251
  123. package/scripts/audit-domain-quality-gates.mjs +108 -108
  124. package/scripts/audit-evidence-levels.mjs +217 -0
  125. package/scripts/audit-evidence-placeholders.mjs +126 -126
  126. package/scripts/audit-evidence-review-queue.mjs +206 -0
  127. package/scripts/audit-final-acceptance-packet.mjs +9 -9
  128. package/scripts/audit-final-form-progress-report.mjs +19 -18
  129. package/scripts/audit-final-form-roadmap.mjs +157 -0
  130. package/scripts/audit-final-form-stale-copy.mjs +2 -2
  131. package/scripts/audit-final-readiness-promotion.mjs +255 -255
  132. package/scripts/audit-final-readiness.mjs +226 -226
  133. package/scripts/audit-fixtures.mjs +154 -154
  134. package/scripts/audit-fresh-session-readiness.mjs +177 -177
  135. package/scripts/audit-host-capabilities.mjs +237 -0
  136. package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -159
  137. package/scripts/audit-host-runtime-invocation-drill.mjs +240 -240
  138. package/scripts/audit-host-runtime-invocations.mjs +254 -254
  139. package/scripts/audit-host-ui-invocation.mjs +132 -132
  140. package/scripts/audit-installed-sync.mjs +203 -0
  141. package/scripts/audit-learning-drift.mjs +292 -0
  142. package/scripts/audit-learning-promotion.mjs +351 -0
  143. package/scripts/audit-learning-system.mjs +24 -14
  144. package/scripts/audit-local-final-form-completion.mjs +11 -10
  145. package/scripts/audit-maintenance-cadence.mjs +139 -0
  146. package/scripts/audit-maintenance-snapshot.mjs +181 -0
  147. package/scripts/audit-marketplace-discovery.mjs +122 -122
  148. package/scripts/audit-npm-package-metadata.mjs +160 -154
  149. package/scripts/audit-npm-publish-dry-run.mjs +194 -166
  150. package/scripts/audit-npm-tarball-install.mjs +195 -189
  151. package/scripts/audit-open-source-defaults.mjs +92 -92
  152. package/scripts/audit-open-source-readiness.mjs +97 -97
  153. package/scripts/audit-owner-external-gate-kit.mjs +12 -11
  154. package/scripts/audit-project-guards.mjs +189 -0
  155. package/scripts/audit-project.mjs +144 -141
  156. package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -203
  157. package/scripts/audit-public-acceptance-handoff.mjs +10 -10
  158. package/scripts/audit-public-acceptance-readiness.mjs +222 -222
  159. package/scripts/audit-public-channel-publication.mjs +248 -248
  160. package/scripts/audit-public-ci-run.mjs +184 -184
  161. package/scripts/audit-public-collaboration-templates.mjs +98 -98
  162. package/scripts/audit-public-external-gate-probe.mjs +206 -206
  163. package/scripts/audit-public-release-checklist.mjs +17 -15
  164. package/scripts/audit-public-release-decision.mjs +201 -201
  165. package/scripts/audit-public-release-metadata.mjs +176 -176
  166. package/scripts/audit-public-repository-settings.mjs +237 -237
  167. package/scripts/audit-public-security-contact.mjs +171 -171
  168. package/scripts/audit-readme-docs.mjs +6 -4
  169. package/scripts/audit-recovery-readiness.mjs +98 -98
  170. package/scripts/audit-release-bundle.mjs +13 -11
  171. package/scripts/audit-release-owner-action-plan-drill.mjs +5 -4
  172. package/scripts/audit-release-owner-action-plan.mjs +10 -10
  173. package/scripts/audit-release-readiness.mjs +106 -106
  174. package/scripts/audit-release-status-manifest.mjs +4 -4
  175. package/scripts/audit-release-trust.mjs +62 -62
  176. package/scripts/audit-remote-distribution.mjs +266 -266
  177. package/scripts/audit-roadmap-consistency.mjs +234 -230
  178. package/scripts/audit-role-dispatch-fallback.mjs +212 -0
  179. package/scripts/audit-session-sync.mjs +127 -0
  180. package/scripts/audit-signing.mjs +147 -147
  181. package/scripts/audit-state-freshness.mjs +20 -14
  182. package/scripts/audit-state-repair.mjs +360 -0
  183. package/scripts/audit-target-adoption-evidence.mjs +117 -117
  184. package/scripts/audit-target-hardening-drills.mjs +267 -0
  185. package/scripts/audit-target-project.mjs +507 -507
  186. package/scripts/audit-tool-fallback-policy.mjs +180 -0
  187. package/scripts/audit-ui-browser-evidence-policy.mjs +191 -0
  188. package/scripts/audit-update-release-acceptance.mjs +136 -136
  189. package/scripts/audit-v1-target-validation.mjs +269 -269
  190. package/scripts/audit-validation-profiles.mjs +125 -123
  191. package/scripts/backfill-evidence-levels.mjs +98 -0
  192. package/scripts/check-encoding.mjs +72 -0
  193. package/scripts/close-change.mjs +116 -116
  194. package/scripts/discover-project-profile.mjs +307 -307
  195. package/scripts/generate-command-adapter.mjs +231 -231
  196. package/scripts/generate-continue-packet.mjs +1214 -0
  197. package/scripts/generate-final-acceptance-packet.mjs +188 -173
  198. package/scripts/generate-final-form-progress-report.mjs +191 -189
  199. package/scripts/generate-host-runtime-evidence-handoff.mjs +198 -191
  200. package/scripts/generate-maintenance-snapshot.mjs +216 -0
  201. package/scripts/generate-owner-external-gate-kit.mjs +295 -295
  202. package/scripts/generate-public-acceptance-handoff.mjs +168 -156
  203. package/scripts/generate-public-release-checklist.mjs +207 -207
  204. package/scripts/generate-release-bundle.mjs +505 -505
  205. package/scripts/generate-release-owner-action-plan.mjs +172 -171
  206. package/scripts/generate-release-status-manifest.mjs +199 -198
  207. package/scripts/generate-session-prompt.mjs +188 -188
  208. package/scripts/gse.mjs +67 -67
  209. package/scripts/init-change.mjs +265 -265
  210. package/scripts/init-project.mjs +793 -712
  211. package/scripts/install-gse.mjs +234 -234
  212. package/scripts/lib/evidence-placeholders.mjs +28 -28
  213. package/scripts/package-gse.mjs +174 -174
  214. package/scripts/probe-public-external-gates.mjs +167 -167
  215. package/scripts/record-host-invocation.mjs +151 -151
  216. package/scripts/record-learning.mjs +37 -8
  217. package/scripts/record-public-channel-publication.mjs +178 -178
  218. package/scripts/record-public-ci-run.mjs +180 -180
  219. package/scripts/record-public-release.mjs +175 -175
  220. package/scripts/record-public-repository-settings.mjs +209 -209
  221. package/scripts/record-public-security-contact.mjs +157 -157
  222. package/scripts/record-session-sync.mjs +87 -0
  223. package/scripts/run-gse-command.mjs +79 -47
  224. package/scripts/run-validation-profile.mjs +24 -5
  225. package/scripts/sign-gse-package.mjs +83 -83
  226. package/scripts/update-project-state.mjs +223 -223
  227. package/scripts/validate-gse.mjs +216 -0
  228. package/scripts/verify-gse-package.mjs +85 -85
@@ -1,126 +1,126 @@
1
- # Release Workflow
2
-
3
- Use this when a GSE slice affects shipping, installation, upgrade, runtime compatibility, user-visible behavior, migrations, rollback, changelog policy, or long-running project readiness.
4
-
5
- Release workflow is a gate, not a deployment tool. It defines what must be known before claiming a release is ready.
6
-
7
- ## Trigger Conditions
8
-
9
- Run this workflow when any of these are true:
10
-
11
- - A change is intended for a versioned release, public handoff, package update, installer update, or user-facing delivery.
12
- - A change affects install, bootstrap, update, compatibility, migration, rollback, data retention, or runtime configuration.
13
- - A change modifies product identity, permissions, model/provider routing, worker behavior, state persistence, evidence gates, or generated project scaffold files.
14
- - A bug fix touches a main path where regression risk matters.
15
- - Architecture health scan reports migration, release, rollback, dependency, security, or ownership risk.
16
- - The project requires changelog, release notes, approvals, or deployment evidence.
17
-
18
- For tiny internal edits with no release surface, record why release workflow is not applicable.
19
-
20
- ## Release Levels
21
-
22
- Pick the smallest release level that matches the blast radius.
23
-
24
- | Level | Use when | Minimum gate |
25
- |---|---|---|
26
- | Patch | Bug fix, doc correction, template wording, low-risk scaffold update | Focused verification, known risk, release note if user-visible |
27
- | Minor | New capability, new template, new script behavior, new adapter route, non-breaking workflow change | Focused verification, backward compatibility check, rollback or revert path, release notes |
28
- | Major | Breaking workflow, migration, removed behavior, changed source of truth, broad architecture change | Migration plan, rollback plan, compatibility notes, architecture health scan, release acceptance evidence |
29
- | Incident hotfix | Urgent fix for broken main path, data risk, security/privacy issue, release blocker | Minimal safe fix, reproduction or failure evidence, focused verification, incident follow-up |
30
-
31
- ## Minimum Release Checklist
32
-
33
- Before calling a release ready, confirm:
34
-
35
- - Outcome and scope match the accepted goal or spec.
36
- - Version or release label is known, or the project explicitly does not use version labels.
37
- - Changelog or release notes explain user-visible changes, breaking changes, migration notes, and known risks.
38
- - Focused verification proves the changed behavior, not only file existence.
39
- - Compatibility impact is checked against supported hosts, runtimes, package managers, project modes, and important configuration paths.
40
- - Migration and rollback expectations are documented for any state, schema, config, scaffold, or runtime change.
41
- - Security, privacy, permissions, secrets, and raw tool/provider traces are reviewed when relevant.
42
- - Observability, error diagnosis, or incident path is adequate for risky changes.
43
- - Evidence status is classified with references/evidence-taxonomy.md: result, verified, or accepted.
44
- - Follow-up slices are recorded instead of hidden in final prose.
45
-
46
- ## Migration And Rollback
47
-
48
- Capture migration and rollback at the same level of detail as the risk.
49
-
50
- For low-risk changes:
51
-
52
- - State whether revert is enough.
53
- - Name the files or artifacts that would be reverted.
54
-
55
- For stateful or compatibility-impacting changes:
56
-
57
- - Define old state, new state, and compatibility window.
58
- - Define data backup, restore, or fallback behavior.
59
- - Define how to detect failed migration or partial rollout.
60
- - Define whether downgrade is supported.
61
-
62
- For release-blocking uncertainty, do not claim accepted. Record a decision needed or follow-up slice.
63
-
64
- ## Changelog And Release Notes Policy
65
-
66
- Use the project convention first. If none exists, keep release notes short and structured:
67
-
68
- ```text
69
- Release label:
70
- Date:
71
- Type: patch | minor | major | incident hotfix
72
- Highlights:
73
- Changed:
74
- Fixed:
75
- Migration or rollback:
76
- Known risks:
77
- Verification:
78
- Follow-up slices:
79
- ```
80
-
81
- Rules:
82
-
83
- - Mention user-visible behavior separately from internal implementation.
84
- - Mark breaking changes clearly.
85
- - Do not include secrets, raw provider payloads, private reasoning, or noisy command logs.
86
- - Link to evidence files or CI/test results instead of pasting long output.
87
- - If the release is internal-only, say so and explain the affected operators or future agents.
88
-
89
- ## Release Evidence Record
90
-
91
- Use `assets/templates/update-release-acceptance-record.md` when a project needs to preserve local decisions, changed files, rollback notes, owner gate, accepted-by status, and residual risk in one compact record.
92
-
93
- For quick release notes, use this concise format in evidence logs or release notes:
94
-
95
- ```text
96
- Release scope:
97
- Release level:
98
- Readiness: not ready | result | verified | accepted
99
- Verification evidence:
100
- Compatibility evidence:
101
- Migration or rollback:
102
- Known risks:
103
- Decisions needed:
104
- Follow-up slices:
105
- ```
106
-
107
- Readiness meanings:
108
-
109
- - not ready: required release evidence is missing or contradicted.
110
- - result: release artifacts or notes exist, but behavior is not verified.
111
- - verified: focused checks prove release-relevant behavior in the current environment.
112
- - accepted: the required owner, CI, smoke, or production-like evidence for this release level has passed.
113
-
114
- Do not mark `accepted` only because local validation passed. Use `accepted` only when the required owner, release policy, CI gate, smoke gate, archive gate, or explicitly named acceptance policy accepts the verified result.
115
-
116
- ## Integration
117
-
118
- - Use references/quality-gates.md for the base release gate list.
119
- - Use references/public-release.md before public GitHub, marketplace, catalog, registry, or external package handoff.
120
- - Use references/architecture-health.md when migration, rollback, dependency, security, performance, resilience, compatibility, or source-of-truth risk exists.
121
- - Use references/review.md for spec compliance, code quality, security/privacy, regression, and evidence review before release.
122
- - Use references/project-profile.md for project-specific release commands, versioning, deployment, rollback, and approval rules.
123
- - Use references/evidence-taxonomy.md to avoid overstating readiness.
124
- - Use references/recovery.md when release work is interrupted, rollback is possible, verification fails, or future-agent continuation is needed.
125
- - Use references/forward-test.md for non-trivial GSE release, scaffold, adapter, recovery, or packaging changes.
126
- - Use `assets/templates/update-release-acceptance-record.md` for project-local update and release acceptance records.
1
+ # Release Workflow
2
+
3
+ Use this when a GSE slice affects shipping, installation, upgrade, runtime compatibility, user-visible behavior, migrations, rollback, changelog policy, or long-running project readiness.
4
+
5
+ Release workflow is a gate, not a deployment tool. It defines what must be known before claiming a release is ready.
6
+
7
+ ## Trigger Conditions
8
+
9
+ Run this workflow when any of these are true:
10
+
11
+ - A change is intended for a versioned release, public handoff, package update, installer update, or user-facing delivery.
12
+ - A change affects install, bootstrap, update, compatibility, migration, rollback, data retention, or runtime configuration.
13
+ - A change modifies product identity, permissions, model/provider routing, worker behavior, state persistence, evidence gates, or generated project scaffold files.
14
+ - A bug fix touches a main path where regression risk matters.
15
+ - Architecture health scan reports migration, release, rollback, dependency, security, or ownership risk.
16
+ - The project requires changelog, release notes, approvals, or deployment evidence.
17
+
18
+ For tiny internal edits with no release surface, record why release workflow is not applicable.
19
+
20
+ ## Release Levels
21
+
22
+ Pick the smallest release level that matches the blast radius.
23
+
24
+ | Level | Use when | Minimum gate |
25
+ |---|---|---|
26
+ | Patch | Bug fix, doc correction, template wording, low-risk scaffold update | Focused verification, known risk, release note if user-visible |
27
+ | Minor | New capability, new template, new script behavior, new adapter route, non-breaking workflow change | Focused verification, backward compatibility check, rollback or revert path, release notes |
28
+ | Major | Breaking workflow, migration, removed behavior, changed source of truth, broad architecture change | Migration plan, rollback plan, compatibility notes, architecture health scan, release acceptance evidence |
29
+ | Incident hotfix | Urgent fix for broken main path, data risk, security/privacy issue, release blocker | Minimal safe fix, reproduction or failure evidence, focused verification, incident follow-up |
30
+
31
+ ## Minimum Release Checklist
32
+
33
+ Before calling a release ready, confirm:
34
+
35
+ - Outcome and scope match the accepted goal or spec.
36
+ - Version or release label is known, or the project explicitly does not use version labels.
37
+ - Changelog or release notes explain user-visible changes, breaking changes, migration notes, and known risks.
38
+ - Focused verification proves the changed behavior, not only file existence.
39
+ - Compatibility impact is checked against supported hosts, runtimes, package managers, project modes, and important configuration paths.
40
+ - Migration and rollback expectations are documented for any state, schema, config, scaffold, or runtime change.
41
+ - Security, privacy, permissions, secrets, and raw tool/provider traces are reviewed when relevant.
42
+ - Observability, error diagnosis, or incident path is adequate for risky changes.
43
+ - Evidence status is classified with references/evidence-taxonomy.md: result, verified, or accepted.
44
+ - Follow-up slices are recorded instead of hidden in final prose.
45
+
46
+ ## Migration And Rollback
47
+
48
+ Capture migration and rollback at the same level of detail as the risk.
49
+
50
+ For low-risk changes:
51
+
52
+ - State whether revert is enough.
53
+ - Name the files or artifacts that would be reverted.
54
+
55
+ For stateful or compatibility-impacting changes:
56
+
57
+ - Define old state, new state, and compatibility window.
58
+ - Define data backup, restore, or fallback behavior.
59
+ - Define how to detect failed migration or partial rollout.
60
+ - Define whether downgrade is supported.
61
+
62
+ For release-blocking uncertainty, do not claim accepted. Record a decision needed or follow-up slice.
63
+
64
+ ## Changelog And Release Notes Policy
65
+
66
+ Use the project convention first. If none exists, keep release notes short and structured:
67
+
68
+ ```text
69
+ Release label:
70
+ Date:
71
+ Type: patch | minor | major | incident hotfix
72
+ Highlights:
73
+ Changed:
74
+ Fixed:
75
+ Migration or rollback:
76
+ Known risks:
77
+ Verification:
78
+ Follow-up slices:
79
+ ```
80
+
81
+ Rules:
82
+
83
+ - Mention user-visible behavior separately from internal implementation.
84
+ - Mark breaking changes clearly.
85
+ - Do not include secrets, raw provider payloads, private reasoning, or noisy command logs.
86
+ - Link to evidence files or CI/test results instead of pasting long output.
87
+ - If the release is internal-only, say so and explain the affected operators or future agents.
88
+
89
+ ## Release Evidence Record
90
+
91
+ Use `assets/templates/update-release-acceptance-record.md` when a project needs to preserve local decisions, changed files, rollback notes, owner gate, accepted-by status, and residual risk in one compact record.
92
+
93
+ For quick release notes, use this concise format in evidence logs or release notes:
94
+
95
+ ```text
96
+ Release scope:
97
+ Release level:
98
+ Readiness: not ready | result | verified | accepted
99
+ Verification evidence:
100
+ Compatibility evidence:
101
+ Migration or rollback:
102
+ Known risks:
103
+ Decisions needed:
104
+ Follow-up slices:
105
+ ```
106
+
107
+ Readiness meanings:
108
+
109
+ - not ready: required release evidence is missing or contradicted.
110
+ - result: release artifacts or notes exist, but behavior is not verified.
111
+ - verified: focused checks prove release-relevant behavior in the current environment.
112
+ - accepted: the required owner, CI, smoke, or production-like evidence for this release level has passed.
113
+
114
+ Do not mark `accepted` only because local validation passed. Use `accepted` only when the required owner, release policy, CI gate, smoke gate, archive gate, or explicitly named acceptance policy accepts the verified result.
115
+
116
+ ## Integration
117
+
118
+ - Use references/quality-gates.md for the base release gate list.
119
+ - Use references/public-release.md before public GitHub, marketplace, catalog, registry, or external package handoff.
120
+ - Use references/architecture-health.md when migration, rollback, dependency, security, performance, resilience, compatibility, or source-of-truth risk exists.
121
+ - Use references/review.md for spec compliance, code quality, security/privacy, regression, and evidence review before release.
122
+ - Use references/project-profile.md for project-specific release commands, versioning, deployment, rollback, and approval rules.
123
+ - Use references/evidence-taxonomy.md to avoid overstating readiness.
124
+ - Use references/recovery.md when release work is interrupted, rollback is possible, verification fails, or future-agent continuation is needed.
125
+ - Use references/forward-test.md for non-trivial GSE release, scaffold, adapter, recovery, or packaging changes.
126
+ - Use `assets/templates/update-release-acceptance-record.md` for project-local update and release acceptance records.
@@ -1,141 +1,141 @@
1
- # Review Protocol
2
-
3
- Use this when GSE work needs a review beyond simple local verification: code changes, workflow rules, scaffolds, agent roles, adapters, release paths, security-sensitive behavior, or user-visible product behavior.
4
-
5
- ## Core Rule
6
-
7
- Review must answer two separate questions:
8
-
9
- 1. Spec compliance: did we build the requested thing and only the requested thing?
10
- 2. Code/workflow quality: is the result maintainable, safe, testable, and consistent with the project?
11
-
12
- Do not collapse these into a vague "looks good" check.
13
-
14
- ## When Review Is Required
15
-
16
- | Task risk | Review requirement |
17
- |---|---|
18
- | Level 1 tiny edit | Optional; self-check against acceptance is enough when evidence is direct |
19
- | Level 2 normal slice | Required if code, shared config, reusable templates, workflow rules, or user-visible behavior changed |
20
- | Level 3 large/risky work | Required; separate spec compliance, quality, QA/evidence, and coordinator integration review |
21
- | Security/privacy/release impact | Required; include security/privacy and rollback/evidence review |
22
- | Multi-agent or delegated work | Required when roles modify files or produce evidence |
23
-
24
- Review is unnecessary for evidence-only status updates, typo-only edits, or transient notes unless they change process meaning.
25
-
26
- ## Review Axes
27
-
28
- ### 1. Spec Compliance Review
29
-
30
- Checks whether the result matches the defined outcome, scope, non-goals, and acceptance criteria.
31
-
32
- Questions:
33
-
34
- - Does the change satisfy the requested outcome?
35
- - Did scope expand silently?
36
- - Were non-goals respected?
37
- - Are required files/artifacts present?
38
- - Is the evidence directly tied to acceptance?
39
- - Are user-visible names, identities, and permissions correct?
40
-
41
- ### 2. Code Quality Review
42
-
43
- Checks maintainability and implementation quality.
44
-
45
- Questions:
46
-
47
- - Does the change follow existing project patterns?
48
- - Is the code or workflow simpler than the problem requires?
49
- - Are abstractions justified?
50
- - Are generated files, lockfiles, or unrelated refactors avoided?
51
- - Are edge cases, errors, retries, cancellation, or recovery handled when relevant?
52
-
53
- ### 3. Architecture Drift Review
54
-
55
- Checks whether the change preserves project boundaries and long-term shape.
56
-
57
- Questions:
58
-
59
- - Did this introduce a new pattern without need?
60
- - Does it cross module, package, product, or host boundaries incorrectly?
61
- - Does it duplicate a source of truth?
62
- - Does it create coupling that future agents will misunderstand?
63
- - Should the issue be handled by a `references/architecture-health.md` scan?
64
-
65
- ### 4. Security And Privacy Review
66
-
67
- Checks user data, secrets, permissions, external services, and tool traces.
68
-
69
- Questions:
70
-
71
- - Are secrets, tokens, raw provider payloads, and hidden reasoning excluded from user-visible output and committed files?
72
- - Are write-capable tools and destructive commands bounded?
73
- - Are external inputs treated as untrusted?
74
- - Are privacy constraints respected for model routing, logs, browser traces, and MCP/tools?
75
-
76
- ### 5. Regression And Missing-Test Review
77
-
78
- Checks whether the verification actually covers the changed behavior.
79
-
80
- Questions:
81
-
82
- - Would the focused test/smoke fail if the change were broken?
83
- - Are existing tests or checks enough for this risk?
84
- - Is a regression test needed for a bug fix?
85
- - Are UI/API/state/error/cancel/retry paths covered when relevant?
86
-
87
- ### 6. Evidence Review
88
-
89
- Checks whether the final claim is supported.
90
-
91
- Questions:
92
-
93
- - Is the status result, verified, or accepted according to `references/evidence-taxonomy.md`?
94
- - Is residual risk recorded?
95
- - Is a forward test required by `references/forward-test.md`?
96
- - Are tool statuses documented, verified, unknown, or unavailable without exaggeration?
97
-
98
- ## Review Output
99
-
100
- Use this concise format:
101
-
102
- ```text
103
- Review type: spec compliance | code quality | architecture drift | security/privacy | regression/missing-test | evidence
104
- Verdict: approve | request changes | needs context | not applicable
105
- Severity: critical | important | suggestion | note
106
- Findings:
107
- Evidence checked:
108
- Required fixes:
109
- Deferred risks:
110
- ```
111
-
112
- For no-issue reviews, say which axes were checked. Do not rubber-stamp with only `LGTM`.
113
-
114
- ## Severity Rules
115
-
116
- - `critical`: security issue, data loss, broken main path, destructive operation, irreversible release risk.
117
- - `important`: likely bug, missing acceptance evidence, meaningful architecture drift, missing regression coverage.
118
- - `suggestion`: improvement that is useful but not required for this slice.
119
- - `note`: context for future work, no action required.
120
-
121
- ## Multi-Agent Review Order
122
-
123
- When using real subagents or sequential role simulation:
124
-
125
- 1. Builder reports files changed and verification run.
126
- 2. Spec compliance review checks scope and acceptance first.
127
- 3. Code quality review checks maintainability and risks second.
128
- 4. QA/evidence review confirms the verification story.
129
- 5. Coordinator integrates findings and decides final status.
130
-
131
- Do not start code-quality approval before unresolved spec compliance issues are addressed.
132
-
133
- ## Project Integration
134
-
135
- - `references/agent-roles.md` defines Reviewer and QA responsibilities.
136
- - `assets/templates/dispatch-packet.md` records whether spec compliance, code quality, QA/evidence, and coordinator review are required.
137
- - `references/architecture-health.md` defines structural scan triggers, scope levels, findings, risks, decisions, and follow-up slices.
138
- - `references/quality-gates.md` decides when review is required by risk.
139
- - `references/domain-quality-gates.md` selects security/privacy, performance/cost, accessibility, resilience/recovery, UI/browser, API/state, data/migration, model/tool routing, and release/operations gates by domain risk.
140
- - `references/evidence-taxonomy.md` decides whether a reviewed result is verified or accepted.
141
- - `.gse/project-profile.md` can add project-specific review standards, owners, or required commands.
1
+ # Review Protocol
2
+
3
+ Use this when GSE work needs a review beyond simple local verification: code changes, workflow rules, scaffolds, agent roles, adapters, release paths, security-sensitive behavior, or user-visible product behavior.
4
+
5
+ ## Core Rule
6
+
7
+ Review must answer two separate questions:
8
+
9
+ 1. Spec compliance: did we build the requested thing and only the requested thing?
10
+ 2. Code/workflow quality: is the result maintainable, safe, testable, and consistent with the project?
11
+
12
+ Do not collapse these into a vague "looks good" check.
13
+
14
+ ## When Review Is Required
15
+
16
+ | Task risk | Review requirement |
17
+ |---|---|
18
+ | Level 1 tiny edit | Optional; self-check against acceptance is enough when evidence is direct |
19
+ | Level 2 normal slice | Required if code, shared config, reusable templates, workflow rules, or user-visible behavior changed |
20
+ | Level 3 large/risky work | Required; separate spec compliance, quality, QA/evidence, and coordinator integration review |
21
+ | Security/privacy/release impact | Required; include security/privacy and rollback/evidence review |
22
+ | Multi-agent or delegated work | Required when roles modify files or produce evidence |
23
+
24
+ Review is unnecessary for evidence-only status updates, typo-only edits, or transient notes unless they change process meaning.
25
+
26
+ ## Review Axes
27
+
28
+ ### 1. Spec Compliance Review
29
+
30
+ Checks whether the result matches the defined outcome, scope, non-goals, and acceptance criteria.
31
+
32
+ Questions:
33
+
34
+ - Does the change satisfy the requested outcome?
35
+ - Did scope expand silently?
36
+ - Were non-goals respected?
37
+ - Are required files/artifacts present?
38
+ - Is the evidence directly tied to acceptance?
39
+ - Are user-visible names, identities, and permissions correct?
40
+
41
+ ### 2. Code Quality Review
42
+
43
+ Checks maintainability and implementation quality.
44
+
45
+ Questions:
46
+
47
+ - Does the change follow existing project patterns?
48
+ - Is the code or workflow simpler than the problem requires?
49
+ - Are abstractions justified?
50
+ - Are generated files, lockfiles, or unrelated refactors avoided?
51
+ - Are edge cases, errors, retries, cancellation, or recovery handled when relevant?
52
+
53
+ ### 3. Architecture Drift Review
54
+
55
+ Checks whether the change preserves project boundaries and long-term shape.
56
+
57
+ Questions:
58
+
59
+ - Did this introduce a new pattern without need?
60
+ - Does it cross module, package, product, or host boundaries incorrectly?
61
+ - Does it duplicate a source of truth?
62
+ - Does it create coupling that future agents will misunderstand?
63
+ - Should the issue be handled by a `references/architecture-health.md` scan?
64
+
65
+ ### 4. Security And Privacy Review
66
+
67
+ Checks user data, secrets, permissions, external services, and tool traces.
68
+
69
+ Questions:
70
+
71
+ - Are secrets, tokens, raw provider payloads, and hidden reasoning excluded from user-visible output and committed files?
72
+ - Are write-capable tools and destructive commands bounded?
73
+ - Are external inputs treated as untrusted?
74
+ - Are privacy constraints respected for model routing, logs, browser traces, and MCP/tools?
75
+
76
+ ### 5. Regression And Missing-Test Review
77
+
78
+ Checks whether the verification actually covers the changed behavior.
79
+
80
+ Questions:
81
+
82
+ - Would the focused test/smoke fail if the change were broken?
83
+ - Are existing tests or checks enough for this risk?
84
+ - Is a regression test needed for a bug fix?
85
+ - Are UI/API/state/error/cancel/retry paths covered when relevant?
86
+
87
+ ### 6. Evidence Review
88
+
89
+ Checks whether the final claim is supported.
90
+
91
+ Questions:
92
+
93
+ - Is the status result, verified, or accepted according to `references/evidence-taxonomy.md`?
94
+ - Is residual risk recorded?
95
+ - Is a forward test required by `references/forward-test.md`?
96
+ - Are tool statuses documented, verified, unknown, or unavailable without exaggeration?
97
+
98
+ ## Review Output
99
+
100
+ Use this concise format:
101
+
102
+ ```text
103
+ Review type: spec compliance | code quality | architecture drift | security/privacy | regression/missing-test | evidence
104
+ Verdict: approve | request changes | needs context | not applicable
105
+ Severity: critical | important | suggestion | note
106
+ Findings:
107
+ Evidence checked:
108
+ Required fixes:
109
+ Deferred risks:
110
+ ```
111
+
112
+ For no-issue reviews, say which axes were checked. Do not rubber-stamp with only `LGTM`.
113
+
114
+ ## Severity Rules
115
+
116
+ - `critical`: security issue, data loss, broken main path, destructive operation, irreversible release risk.
117
+ - `important`: likely bug, missing acceptance evidence, meaningful architecture drift, missing regression coverage.
118
+ - `suggestion`: improvement that is useful but not required for this slice.
119
+ - `note`: context for future work, no action required.
120
+
121
+ ## Multi-Agent Review Order
122
+
123
+ When using real subagents or sequential role simulation:
124
+
125
+ 1. Builder reports files changed and verification run.
126
+ 2. Spec compliance review checks scope and acceptance first.
127
+ 3. Code quality review checks maintainability and risks second.
128
+ 4. QA/evidence review confirms the verification story.
129
+ 5. Coordinator integrates findings and decides final status.
130
+
131
+ Do not start code-quality approval before unresolved spec compliance issues are addressed.
132
+
133
+ ## Project Integration
134
+
135
+ - `references/agent-roles.md` defines Reviewer and QA responsibilities.
136
+ - `assets/templates/dispatch-packet.md` records whether spec compliance, code quality, QA/evidence, and coordinator review are required.
137
+ - `references/architecture-health.md` defines structural scan triggers, scope levels, findings, risks, decisions, and follow-up slices.
138
+ - `references/quality-gates.md` decides when review is required by risk.
139
+ - `references/domain-quality-gates.md` selects security/privacy, performance/cost, accessibility, resilience/recovery, UI/browser, API/state, data/migration, model/tool routing, and release/operations gates by domain risk.
140
+ - `references/evidence-taxonomy.md` decides whether a reviewed result is verified or accepted.
141
+ - `.gse/project-profile.md` can add project-specific review standards, owners, or required commands.
@@ -0,0 +1,54 @@
1
+ # Role Dispatch Fallback
2
+
3
+ Use this reference when real subagent tools are unavailable, unknown, or not appropriate for the current slice.
4
+
5
+ GSE must never turn role names into fake delegation. A role packet is evidence that the work boundary was explicit; it is not evidence that a real subagent ran unless the host produced current dispatch evidence.
6
+
7
+ ## Required Roles
8
+
9
+ The portable fallback set is:
10
+
11
+ | Role | Purpose | Default write access | Fallback output |
12
+ |---|---|---|---|
13
+ | Planner | Define outcome, scope, acceptance, evidence, risk, and next action. | docs/state only | Slice plan with non-goals and selected gates |
14
+ | Locator | Locate files, symbols, commands, existing tests, and ownership boundaries. | read-only | File/function/test map and relevant patterns |
15
+ | Implementer | Make the bounded code or document change. | assigned files only | Diff summary and files changed |
16
+ | Verifier | Run focused tests, smokes, audits, or structural checks. | evidence/test output only | Commands, results, evidence level, residual risk |
17
+ | Reviewer | Review spec compliance, regression risk, quality, and missing tests. | read-only | Findings or explicit no-findings report |
18
+ | Docs/Evidence | Record slice evidence, state changes, release notes, and learnings. | docs/evidence only | Evidence record and state/doc update summary |
19
+ | Release | Check release, public, owner, CI, package, and host-runtime boundaries. | docs/release only | Release readiness and external gate summary |
20
+
21
+ ## Fallback Packet Requirements
22
+
23
+ Every auditable role packet, whether real or sequential, must state:
24
+
25
+ - Execution mode: `real-subagent`, `sequential-role`, or `handoff-session`.
26
+ - Real delegation used: `yes` or `no`.
27
+ - Host/tool used and tool status.
28
+ - Fallback reason when real delegation is not used.
29
+ - Role, objective, allowed files, forbidden files, and expected output.
30
+ - Role output evidence.
31
+ - Verification command or check.
32
+ - Evidence level.
33
+ - Stop condition.
34
+ - Claim boundary.
35
+
36
+ ## Claim Boundary
37
+
38
+ - `real-subagent` means a current host dispatch tool created an agent/task and returned evidence.
39
+ - `sequential-role` means the main agent executed the role checklist locally.
40
+ - `handoff-session` means another human or agent session owns the work after handoff.
41
+ - File/tool parallelism is not subagent dispatch.
42
+ - A role packet without dispatch evidence can still prove disciplined fallback, but it cannot prove real multi-agent execution.
43
+
44
+ ## Close Rule
45
+
46
+ Before a slice closes, the coordinator should be able to answer:
47
+
48
+ 1. Which roles were required for this slice?
49
+ 2. Which roles ran as real delegation, sequential fallback, or handoff?
50
+ 3. What files or evidence did each role touch?
51
+ 4. What verification or review did each role produce?
52
+ 5. What claim must not be made because a tool was unavailable?
53
+
54
+ `scripts/audit-close-gate.mjs` enforces the no-fake-dispatch boundary when `.gse/agents/role-fallback-packets.md` is present: a row that says real delegation was used must also have verified tool status.