@t275005746/gse 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (228) hide show
  1. package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -42
  2. package/.github/ISSUE_TEMPLATE/change_request.yml +50 -50
  3. package/.github/ISSUE_TEMPLATE/config.yml +5 -5
  4. package/.github/PULL_REQUEST_TEMPLATE.md +38 -38
  5. package/.github/workflows/validate-gse.yml +33 -33
  6. package/.gse/README.md +18 -18
  7. package/.gse/gse-development-protocol.md +50 -50
  8. package/.gse/project-profile.md +29 -29
  9. package/.gse/quality-gates.md +25 -25
  10. package/.gse/releases/public-registry-publication-npm.md +49 -0
  11. package/.gse/releases/public-release-owner-required.md +65 -65
  12. package/.gse/releases/public-security-contact-owner-required.md +45 -45
  13. package/.gse/state.json +147 -27
  14. package/CHANGELOG.md +31 -15
  15. package/CONTRIBUTING.md +64 -64
  16. package/LICENSE +21 -21
  17. package/README.md +14 -7
  18. package/README.zh-CN.md +14 -7
  19. package/SECURITY.md +41 -41
  20. package/SKILL.md +32 -12
  21. package/SUPPORT.md +38 -38
  22. package/assets/marketplace/README.md +7 -7
  23. package/assets/marketplace/gse-listing.json +75 -75
  24. package/assets/templates/acceptance-execution-packet.md +73 -73
  25. package/assets/templates/adr.md +14 -14
  26. package/assets/templates/change-brief.md +16 -16
  27. package/assets/templates/design.md +18 -18
  28. package/assets/templates/dispatch-packet.md +100 -92
  29. package/assets/templates/evidence.md +15 -9
  30. package/assets/templates/execution-quality-pack.md +65 -65
  31. package/assets/templates/goal-map.md +21 -21
  32. package/assets/templates/host-adapter.md +48 -48
  33. package/assets/templates/host-ui-invocation-record.md +42 -42
  34. package/assets/templates/incident-review.md +60 -60
  35. package/assets/templates/public-channel-publication-record.md +49 -49
  36. package/assets/templates/public-ci-run-record.md +53 -53
  37. package/assets/templates/public-release-record.md +65 -65
  38. package/assets/templates/public-repository-settings-record.md +59 -59
  39. package/assets/templates/public-security-contact-record.md +45 -45
  40. package/assets/templates/release-trust-record.md +32 -32
  41. package/assets/templates/review.md +18 -18
  42. package/assets/templates/role-fallback-packet.md +49 -0
  43. package/assets/templates/spec.md +16 -16
  44. package/assets/templates/target-adoption-evidence.md +29 -29
  45. package/assets/templates/tasks.md +17 -17
  46. package/assets/templates/update-release-acceptance-record.md +58 -58
  47. package/examples/README.md +22 -22
  48. package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -6
  49. package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -7
  50. package/examples/agent-runtime-host/.gse/goal-map.md +7 -7
  51. package/examples/agent-runtime-host/.gse/project-profile.md +27 -27
  52. package/examples/agent-runtime-host/.gse/tooling.md +5 -5
  53. package/examples/agent-runtime-host/.mcp.json +9 -9
  54. package/examples/agent-runtime-host/AGENTS.md +5 -5
  55. package/examples/agent-runtime-host/README.md +10 -10
  56. package/examples/agent-runtime-host/docs/model-routing.md +5 -5
  57. package/examples/cli-tool/.gse/project-profile.md +21 -21
  58. package/examples/cli-tool/AGENTS.md +5 -5
  59. package/examples/cli-tool/README.md +12 -12
  60. package/examples/cli-tool/package.json +21 -21
  61. package/examples/small-app/.env.example +2 -2
  62. package/examples/small-app/.github/workflows/ci.yml +8 -8
  63. package/examples/small-app/AGENTS.md +5 -5
  64. package/examples/small-app/README.md +12 -12
  65. package/examples/small-app/package.json +26 -26
  66. package/examples/small-app/playwright.config.ts +4 -4
  67. package/package.json +52 -44
  68. package/references/adoption-recipes.md +171 -171
  69. package/references/agent-roles.md +42 -21
  70. package/references/architecture-health.md +101 -101
  71. package/references/benchmark-audit.md +73 -73
  72. package/references/commands.md +74 -45
  73. package/references/community-channels.md +46 -46
  74. package/references/compatibility.md +70 -70
  75. package/references/design-basis.md +38 -38
  76. package/references/domain-model.md +129 -129
  77. package/references/domain-quality-gates.md +75 -75
  78. package/references/drift-audit.md +81 -80
  79. package/references/evidence-taxonomy.md +145 -108
  80. package/references/file-ownership.md +97 -93
  81. package/references/final-form-roadmap.md +201 -0
  82. package/references/final-readiness.md +84 -84
  83. package/references/forward-test.md +133 -133
  84. package/references/goal-map.md +36 -36
  85. package/references/host-adapters.md +129 -101
  86. package/references/learning-system.md +42 -26
  87. package/references/maintenance-cadence.md +51 -0
  88. package/references/marketplace-discovery.md +46 -46
  89. package/references/model-routing.md +103 -103
  90. package/references/open-source-defaults.md +39 -39
  91. package/references/operating-model.md +52 -52
  92. package/references/packaging.md +277 -277
  93. package/references/project-agent-workspace.md +89 -89
  94. package/references/project-bootstrap.md +122 -122
  95. package/references/project-guards.md +52 -0
  96. package/references/project-profile.md +57 -57
  97. package/references/public-release.md +174 -174
  98. package/references/quality-gates.md +96 -89
  99. package/references/recovery.md +176 -176
  100. package/references/release-trust.md +43 -43
  101. package/references/release.md +126 -126
  102. package/references/review.md +141 -141
  103. package/references/role-dispatch-fallback.md +54 -0
  104. package/references/router.md +90 -90
  105. package/references/spec-workflow.md +66 -66
  106. package/references/task-levels.md +81 -81
  107. package/references/tool-adapters.md +80 -70
  108. package/scripts/audit-acceptance-execution-packet.mjs +133 -133
  109. package/scripts/audit-adoption-recipes.mjs +99 -99
  110. package/scripts/audit-change-lifecycle.mjs +77 -77
  111. package/scripts/audit-change-system.mjs +134 -134
  112. package/scripts/audit-ci-readiness.mjs +107 -107
  113. package/scripts/audit-close-gate-hardening.mjs +188 -0
  114. package/scripts/audit-close-gate.mjs +448 -262
  115. package/scripts/audit-command-adapters.mjs +91 -91
  116. package/scripts/audit-command-execution.mjs +212 -199
  117. package/scripts/audit-commands.mjs +7 -5
  118. package/scripts/audit-compatibility.mjs +149 -149
  119. package/scripts/audit-completion-plan-drill.mjs +230 -0
  120. package/scripts/audit-completion-readiness.mjs +290 -287
  121. package/scripts/audit-continue-preflight.mjs +234 -0
  122. package/scripts/audit-distribution.mjs +251 -251
  123. package/scripts/audit-domain-quality-gates.mjs +108 -108
  124. package/scripts/audit-evidence-levels.mjs +217 -0
  125. package/scripts/audit-evidence-placeholders.mjs +126 -126
  126. package/scripts/audit-evidence-review-queue.mjs +206 -0
  127. package/scripts/audit-final-acceptance-packet.mjs +9 -9
  128. package/scripts/audit-final-form-progress-report.mjs +19 -18
  129. package/scripts/audit-final-form-roadmap.mjs +157 -0
  130. package/scripts/audit-final-form-stale-copy.mjs +2 -2
  131. package/scripts/audit-final-readiness-promotion.mjs +255 -255
  132. package/scripts/audit-final-readiness.mjs +226 -226
  133. package/scripts/audit-fixtures.mjs +154 -154
  134. package/scripts/audit-fresh-session-readiness.mjs +177 -177
  135. package/scripts/audit-host-capabilities.mjs +237 -0
  136. package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -159
  137. package/scripts/audit-host-runtime-invocation-drill.mjs +240 -240
  138. package/scripts/audit-host-runtime-invocations.mjs +254 -254
  139. package/scripts/audit-host-ui-invocation.mjs +132 -132
  140. package/scripts/audit-installed-sync.mjs +203 -0
  141. package/scripts/audit-learning-drift.mjs +292 -0
  142. package/scripts/audit-learning-promotion.mjs +351 -0
  143. package/scripts/audit-learning-system.mjs +24 -14
  144. package/scripts/audit-local-final-form-completion.mjs +11 -10
  145. package/scripts/audit-maintenance-cadence.mjs +139 -0
  146. package/scripts/audit-maintenance-snapshot.mjs +181 -0
  147. package/scripts/audit-marketplace-discovery.mjs +122 -122
  148. package/scripts/audit-npm-package-metadata.mjs +160 -154
  149. package/scripts/audit-npm-publish-dry-run.mjs +194 -166
  150. package/scripts/audit-npm-tarball-install.mjs +195 -189
  151. package/scripts/audit-open-source-defaults.mjs +92 -92
  152. package/scripts/audit-open-source-readiness.mjs +97 -97
  153. package/scripts/audit-owner-external-gate-kit.mjs +12 -11
  154. package/scripts/audit-project-guards.mjs +189 -0
  155. package/scripts/audit-project.mjs +144 -141
  156. package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -203
  157. package/scripts/audit-public-acceptance-handoff.mjs +10 -10
  158. package/scripts/audit-public-acceptance-readiness.mjs +222 -222
  159. package/scripts/audit-public-channel-publication.mjs +248 -248
  160. package/scripts/audit-public-ci-run.mjs +184 -184
  161. package/scripts/audit-public-collaboration-templates.mjs +98 -98
  162. package/scripts/audit-public-external-gate-probe.mjs +206 -206
  163. package/scripts/audit-public-release-checklist.mjs +17 -15
  164. package/scripts/audit-public-release-decision.mjs +201 -201
  165. package/scripts/audit-public-release-metadata.mjs +176 -176
  166. package/scripts/audit-public-repository-settings.mjs +237 -237
  167. package/scripts/audit-public-security-contact.mjs +171 -171
  168. package/scripts/audit-readme-docs.mjs +6 -4
  169. package/scripts/audit-recovery-readiness.mjs +98 -98
  170. package/scripts/audit-release-bundle.mjs +13 -11
  171. package/scripts/audit-release-owner-action-plan-drill.mjs +5 -4
  172. package/scripts/audit-release-owner-action-plan.mjs +10 -10
  173. package/scripts/audit-release-readiness.mjs +106 -106
  174. package/scripts/audit-release-status-manifest.mjs +4 -4
  175. package/scripts/audit-release-trust.mjs +62 -62
  176. package/scripts/audit-remote-distribution.mjs +266 -266
  177. package/scripts/audit-roadmap-consistency.mjs +234 -230
  178. package/scripts/audit-role-dispatch-fallback.mjs +212 -0
  179. package/scripts/audit-session-sync.mjs +127 -0
  180. package/scripts/audit-signing.mjs +147 -147
  181. package/scripts/audit-state-freshness.mjs +20 -14
  182. package/scripts/audit-state-repair.mjs +360 -0
  183. package/scripts/audit-target-adoption-evidence.mjs +117 -117
  184. package/scripts/audit-target-hardening-drills.mjs +267 -0
  185. package/scripts/audit-target-project.mjs +507 -507
  186. package/scripts/audit-tool-fallback-policy.mjs +180 -0
  187. package/scripts/audit-ui-browser-evidence-policy.mjs +191 -0
  188. package/scripts/audit-update-release-acceptance.mjs +136 -136
  189. package/scripts/audit-v1-target-validation.mjs +269 -269
  190. package/scripts/audit-validation-profiles.mjs +125 -123
  191. package/scripts/backfill-evidence-levels.mjs +98 -0
  192. package/scripts/check-encoding.mjs +72 -0
  193. package/scripts/close-change.mjs +116 -116
  194. package/scripts/discover-project-profile.mjs +307 -307
  195. package/scripts/generate-command-adapter.mjs +231 -231
  196. package/scripts/generate-continue-packet.mjs +1214 -0
  197. package/scripts/generate-final-acceptance-packet.mjs +188 -173
  198. package/scripts/generate-final-form-progress-report.mjs +191 -189
  199. package/scripts/generate-host-runtime-evidence-handoff.mjs +198 -191
  200. package/scripts/generate-maintenance-snapshot.mjs +216 -0
  201. package/scripts/generate-owner-external-gate-kit.mjs +295 -295
  202. package/scripts/generate-public-acceptance-handoff.mjs +168 -156
  203. package/scripts/generate-public-release-checklist.mjs +207 -207
  204. package/scripts/generate-release-bundle.mjs +505 -505
  205. package/scripts/generate-release-owner-action-plan.mjs +172 -171
  206. package/scripts/generate-release-status-manifest.mjs +199 -198
  207. package/scripts/generate-session-prompt.mjs +188 -188
  208. package/scripts/gse.mjs +67 -67
  209. package/scripts/init-change.mjs +265 -265
  210. package/scripts/init-project.mjs +793 -712
  211. package/scripts/install-gse.mjs +234 -234
  212. package/scripts/lib/evidence-placeholders.mjs +28 -28
  213. package/scripts/package-gse.mjs +174 -174
  214. package/scripts/probe-public-external-gates.mjs +167 -167
  215. package/scripts/record-host-invocation.mjs +151 -151
  216. package/scripts/record-learning.mjs +37 -8
  217. package/scripts/record-public-channel-publication.mjs +178 -178
  218. package/scripts/record-public-ci-run.mjs +180 -180
  219. package/scripts/record-public-release.mjs +175 -175
  220. package/scripts/record-public-repository-settings.mjs +209 -209
  221. package/scripts/record-public-security-contact.mjs +157 -157
  222. package/scripts/record-session-sync.mjs +87 -0
  223. package/scripts/run-gse-command.mjs +79 -47
  224. package/scripts/run-validation-profile.mjs +24 -5
  225. package/scripts/sign-gse-package.mjs +83 -83
  226. package/scripts/update-project-state.mjs +223 -223
  227. package/scripts/validate-gse.mjs +216 -0
  228. package/scripts/verify-gse-package.mjs +85 -85
package/README.md CHANGED
@@ -1,6 +1,6 @@
1
1
  # GSE
2
2
 
3
- English | [简体中文](README.zh-CN.md)
3
+ English | [简体中文](https://github.com/275005746/gse/blob/main/README.zh-CN.md)
4
4
 
5
5
  Goal-Spec-Evidence Engineering for long-running agent-assisted software projects.
6
6
 
@@ -22,12 +22,19 @@ Goal -> Spec -> Execute -> Evidence -> Learn
22
22
  - Optional adapters for host folders, LSP notes, MCP notes, hooks, plugins, and project skills
23
23
  - Release, packaging, public-collaboration, and evidence-gate workflows for mature projects
24
24
 
25
- ## Installation
26
-
27
- Use GSE from a checked-out copy:
28
-
29
- ```bash
30
- node scripts/validate-gse.mjs --root . --json
25
+ ## Installation
26
+
27
+ Install from npm:
28
+
29
+ ```bash
30
+ npm install -g @t275005746/gse
31
+ gse status --target .
32
+ ```
33
+
34
+ Use GSE from a checked-out copy:
35
+
36
+ ```bash
37
+ node scripts/validate-gse.mjs --root . --json
31
38
  ```
32
39
 
33
40
  Package a checked-out copy for handoff:
package/README.zh-CN.md CHANGED
@@ -1,6 +1,6 @@
1
1
  # GSE
2
2
 
3
- [English](README.md) | 简体中文
3
+ [English](https://github.com/275005746/gse/blob/main/README.md) | 简体中文
4
4
 
5
5
  面向长期 agent 辅助软件项目的 Goal-Spec-Evidence Engineering。
6
6
 
@@ -22,12 +22,19 @@ Goal -> Spec -> Execute -> Evidence -> Learn
22
22
  - 可选 host folders、LSP、MCP、hooks、plugins、project skills 适配说明
23
23
  - 面向成熟项目的 release、packaging、public collaboration 和 evidence gate 工作流
24
24
 
25
- ## 安装
26
-
27
- 从已检出的 GSE 副本直接使用:
28
-
29
- ```bash
30
- node scripts/validate-gse.mjs --root . --json
25
+ ## 安装
26
+
27
+ npm 安装:
28
+
29
+ ```bash
30
+ npm install -g @t275005746/gse
31
+ gse status --target .
32
+ ```
33
+
34
+ 从已检出的 GSE 副本直接使用:
35
+
36
+ ```bash
37
+ node scripts/validate-gse.mjs --root . --json
31
38
  ```
32
39
 
33
40
  把已检出的副本打包给其他环境:
package/SECURITY.md CHANGED
@@ -1,41 +1,41 @@
1
- # Security Policy
2
-
3
- GSE is an agent workflow skill and scaffold. Security reports may involve scripts, generated project files, host adapters, package/install behavior, signing, release trust, or documentation that could cause unsafe claims.
4
-
5
- ## Supported Scope
6
-
7
- Security-relevant areas include:
8
-
9
- - Package, install, URL install, manifest integrity, signing, and verification scripts.
10
- - Generated host adapters and command pointers.
11
- - Tool permission guidance, MCP/tool routing guidance, and release trust policy.
12
- - Evidence, logs, and templates that could leak secrets or raw provider payloads.
13
- - Documentation that could cause agents to bypass owner approval, license decisions, or unsupported host boundaries.
14
-
15
- ## Reporting
16
-
17
- Until a public security contact is chosen, do not publish exploit details in public issues.
18
-
19
- Use the project owner's private reporting channel. If no channel exists, record the issue privately in the maintainers' current coordination channel and mark the public release status as blocked until a contact path exists.
20
-
21
- Minimum report contents:
22
-
23
- - Affected GSE version, release label, or commit.
24
- - Affected file or generated artifact.
25
- - Reproduction steps.
26
- - Impact and likely affected users or hosts.
27
- - Whether secrets, credentials, private prompts, provider payloads, or user data are involved.
28
- - Suggested mitigation if known.
29
-
30
- ## Handling
31
-
32
- - Do not claim a fix is verified until a focused reproduction or audit proves the changed behavior.
33
- - Do not publish a release if signing, package integrity, or owner trust evidence is contradicted.
34
- - If a public package may be affected, use `references/release-trust.md` and `assets/templates/release-trust-record.md` to record revocation, rotation, and follow-up.
35
- - If a project-local GSE scaffold is affected, notify the affected project session or maintainer with the exact files and validation commands.
36
-
37
- ## Current Limits
38
-
39
- - No public vulnerability disclosure address has been owner-approved yet.
40
- - Public marketplace approval and registry publication are not verified.
41
- - Host-native slash-command support is not verified unless a host-specific invocation record exists.
1
+ # Security Policy
2
+
3
+ GSE is an agent workflow skill and scaffold. Security reports may involve scripts, generated project files, host adapters, package/install behavior, signing, release trust, or documentation that could cause unsafe claims.
4
+
5
+ ## Supported Scope
6
+
7
+ Security-relevant areas include:
8
+
9
+ - Package, install, URL install, manifest integrity, signing, and verification scripts.
10
+ - Generated host adapters and command pointers.
11
+ - Tool permission guidance, MCP/tool routing guidance, and release trust policy.
12
+ - Evidence, logs, and templates that could leak secrets or raw provider payloads.
13
+ - Documentation that could cause agents to bypass owner approval, license decisions, or unsupported host boundaries.
14
+
15
+ ## Reporting
16
+
17
+ Until a public security contact is chosen, do not publish exploit details in public issues.
18
+
19
+ Use the project owner's private reporting channel. If no channel exists, record the issue privately in the maintainers' current coordination channel and mark the public release status as blocked until a contact path exists.
20
+
21
+ Minimum report contents:
22
+
23
+ - Affected GSE version, release label, or commit.
24
+ - Affected file or generated artifact.
25
+ - Reproduction steps.
26
+ - Impact and likely affected users or hosts.
27
+ - Whether secrets, credentials, private prompts, provider payloads, or user data are involved.
28
+ - Suggested mitigation if known.
29
+
30
+ ## Handling
31
+
32
+ - Do not claim a fix is verified until a focused reproduction or audit proves the changed behavior.
33
+ - Do not publish a release if signing, package integrity, or owner trust evidence is contradicted.
34
+ - If a public package may be affected, use `references/release-trust.md` and `assets/templates/release-trust-record.md` to record revocation, rotation, and follow-up.
35
+ - If a project-local GSE scaffold is affected, notify the affected project session or maintainer with the exact files and validation commands.
36
+
37
+ ## Current Limits
38
+
39
+ - No public vulnerability disclosure address has been owner-approved yet.
40
+ - Public marketplace approval and registry publication are not verified.
41
+ - Host-native slash-command support is not verified unless a host-specific invocation record exists.
package/SKILL.md CHANGED
@@ -37,19 +37,32 @@ Default stance: keep the workflow as light as the task allows and as rigorous as
37
37
  Portable command helpers:
38
38
 
39
39
  - Short CLI wrapper: `node <skill>/scripts/gse.mjs status --target <project-root> --json`
40
- - Short continuation prompt: `node <skill>/scripts/generate-session-prompt.mjs --target <project-root>`
41
- - Portable command runner: `node <skill>/scripts/run-gse-command.mjs --target <project-root> --command "/gse continue"`
42
- - Validation profile runner: `node <skill>/scripts/run-validation-profile.mjs --target <project-root> --profile lite|standard|enterprise|release`
40
+ - Short continuation packet: `node <skill>/scripts/generate-continue-packet.mjs --target <project-root>`
41
+ - Portable command runner: `node <skill>/scripts/run-gse-command.mjs --target <project-root> --command "/gse continue"`
42
+ - State/evidence repair doctor: `node <skill>/scripts/run-gse-command.mjs --target <project-root> --command "/gse repair" --json`
43
+ - Direct repair audit: `node <skill>/scripts/audit-state-repair.mjs --target <project-root> --json`
44
+ - Validation profile runner: `node <skill>/scripts/run-validation-profile.mjs --target <project-root> --profile lite|standard|enterprise|release`
43
45
  - Command execution audit: `node <skill>/scripts/audit-command-execution.mjs --root <skill> --profile lite|full`
44
- - Close readiness check: `node <skill>/scripts/audit-close-gate.mjs --target <project-root>`
46
+ - Close readiness check: `node <skill>/scripts/audit-close-gate.mjs --target <project-root>`
47
+ - Project guard preflight: `node <skill>/scripts/audit-project-guards.mjs --target <project-root> --json`
45
48
  - GSE owner/external action list: `node <skill>/scripts/run-gse-command.mjs --target <skill> --command "/gse owner-actions" --json --compact`
46
49
  - Owner/external live evidence probe: `node <skill>/scripts/run-gse-command.mjs --target <skill> --command "/gse probe --public-repo-url <url>" --json`
47
50
  - Release bundle dry-run/write route: `node <skill>/scripts/run-gse-command.mjs --target <skill> --command "/gse release" --json`
48
51
  - Package dry-run/write route: `node <skill>/scripts/run-gse-command.mjs --target <skill> --command "/gse package" --json`
49
52
  - Install dry-run/write route: `node <skill>/scripts/run-gse-command.mjs --target <skill> --command "/gse install --source <package-dir> --install-target <install-skill-dir>" --json`
50
53
  - Public release checklist route: `node <skill>/scripts/run-gse-command.mjs --target <skill> --command "/gse public-release" --json`
51
- - Learning capture route: `node <skill>/scripts/run-gse-command.mjs --target <project-root> --command "/gse learn --summary <lesson>" --execute --json`
52
- - Existing project state/index update: `node <skill>/scripts/update-project-state.mjs --target <project-root>`
54
+ - Learning capture route: `node <skill>/scripts/run-gse-command.mjs --target <project-root> --command "/gse learn --summary <lesson>" --execute --json`
55
+ - Learning drift audit: `node <skill>/scripts/audit-learning-drift.mjs --root <skill> --target <project-root> --json`
56
+ - Target hardening drills: `node <skill>/scripts/audit-target-hardening-drills.mjs --root <skill> --aion-target <project-root> --museflow-target <project-root> --json`
57
+ - Maintenance cadence audit: `node <skill>/scripts/audit-maintenance-cadence.mjs --root <skill> --json`
58
+ - Maintenance snapshot: `node <skill>/scripts/generate-maintenance-snapshot.mjs --root <skill> --target <project-root> --installed-root <installed-skill-dir> --execute --json`
59
+ - Installed package smoke: `node <skill>/scripts/generate-maintenance-snapshot.mjs --root <installed-skill-dir> --target <installed-skill-dir> --package-smoke --skip-release-bundle --json`
60
+ - Installed sync audit: `node <skill>/scripts/audit-installed-sync.mjs --root <skill> --installed-root <installed-skill-dir> --json`
61
+ - Session sync record audit: `node <skill>/scripts/audit-session-sync.mjs --root <skill> --json`
62
+ - Conservative evidence-level backfill: `node <skill>/scripts/backfill-evidence-levels.mjs --root <project-root> --json`
63
+ - Historical evidence review queue: `node <skill>/scripts/audit-evidence-review-queue.mjs --root <skill> --target <project-root> --json`
64
+ - UI/browser evidence policy audit: `node <skill>/scripts/audit-ui-browser-evidence-policy.mjs --root <skill> --target <project-root> --json`
65
+ - Existing project state/index update: `node <skill>/scripts/update-project-state.mjs --target <project-root>`
53
66
  - Change spec pack: `node <skill>/scripts/init-change.mjs --target <project-root> --change-id <id> --level lite|standard|enterprise`
54
67
  - Public release record: `node <skill>/scripts/record-public-release.mjs --root <project-root> --license-status owner-required`
55
68
  - Release bundle: `node <skill>/scripts/generate-release-bundle.mjs --root <skill> --label <release-label> --out <bundle-dir>`
@@ -100,8 +113,9 @@ For long-running projects, bind the work to `.gse/goal-map.md` or the project's
100
113
  - Project-specific standards and tools: `references/project-profile.md`
101
114
  - Project-local agent workspace: `references/project-agent-workspace.md`
102
115
  - Host-specific adapters: `references/host-adapters.md`, `references/compatibility.md`
103
- - Benchmark and gap audit: `references/benchmark-audit.md`
104
- - Task level selection: `references/task-levels.md`
116
+ - Benchmark and gap audit: `references/benchmark-audit.md`
117
+ - Final form roadmap: `references/final-form-roadmap.md`, `scripts/audit-final-form-roadmap.mjs`
118
+ - Task level selection: `references/task-levels.md`
105
119
  - Goal maps: `references/goal-map.md`
106
120
  - Specs and change folders: `references/spec-workflow.md`
107
121
  - Agent roles and ownership: `references/agent-roles.md`, `references/file-ownership.md`
@@ -128,7 +142,7 @@ For long-running projects, bind the work to `.gse/goal-map.md` or the project's
128
142
  - Release owner action plan drill: `scripts/audit-release-owner-action-plan-drill.mjs`
129
143
  - Public release checklist: `scripts/generate-public-release-checklist.mjs`, `scripts/audit-public-release-checklist.mjs`
130
144
  - Final-form progress report: `scripts/generate-final-form-progress-report.mjs`, `scripts/audit-final-form-progress-report.mjs`
131
- - Packaging and maintenance: `references/packaging.md`
145
+ - Packaging and maintenance: `references/packaging.md`, `references/maintenance-cadence.md`, `scripts/audit-maintenance-cadence.mjs`, `scripts/generate-maintenance-snapshot.mjs`, `scripts/audit-maintenance-snapshot.mjs`, `scripts/audit-installed-sync.mjs`, `scripts/record-session-sync.mjs`, `scripts/audit-session-sync.mjs`
132
146
  - CI readiness: `.github/workflows/validate-gse.yml`, `scripts/audit-ci-readiness.mjs`
133
147
  - Public collaboration templates: `.github/PULL_REQUEST_TEMPLATE.md`, `.github/ISSUE_TEMPLATE/`, `scripts/audit-public-collaboration-templates.mjs`
134
148
  - Release trust and key custody: `references/release-trust.md`
@@ -142,7 +156,13 @@ For long-running projects, bind the work to `.gse/goal-map.md` or the project's
142
156
  - Final acceptance packet: `scripts/generate-final-acceptance-packet.mjs`, `scripts/audit-final-acceptance-packet.mjs`
143
157
  - Recovery and handoff: `references/recovery.md`
144
158
  - Forward testing: `references/forward-test.md`
145
- - Learning loop: `references/learning-system.md`
146
- - Learning capture: `scripts/record-learning.mjs`, `scripts/audit-learning-system.mjs`
147
- - Drift audit: `references/drift-audit.md`
159
+ - Learning loop: `references/learning-system.md`
160
+ - Learning capture: `scripts/record-learning.mjs`, `scripts/audit-learning-system.mjs`
161
+ - Learning drift: `scripts/audit-learning-drift.mjs`
162
+ - Conservative evidence-level backfill: `scripts/backfill-evidence-levels.mjs`
163
+ - Historical evidence review queue: `scripts/audit-evidence-review-queue.mjs`
164
+ - UI/browser evidence policy: `scripts/audit-ui-browser-evidence-policy.mjs`
165
+ - Target hardening drills: `scripts/audit-target-hardening-drills.mjs`
166
+ - Project guards: `references/project-guards.md`, `scripts/audit-project-guards.mjs`
167
+ - Drift audit: `references/drift-audit.md`
148
168
  - Design basis and source boundaries: `references/design-basis.md`
package/SUPPORT.md CHANGED
@@ -1,38 +1,38 @@
1
- # Support
2
-
3
- Use this file to decide where to start when GSE behavior is confusing, incomplete, or blocked.
4
-
5
- ## First Checks
6
-
7
- Run:
8
-
9
- ```text
10
- node scripts/validate-gse.mjs --root <gse-root> --json
11
- ```
12
-
13
- For a target project using GSE, run:
14
-
15
- ```text
16
- node scripts/audit-target-project.mjs --target <project-root> --json
17
- node scripts/generate-session-prompt.mjs --target <project-root>
18
- node scripts/audit-close-gate.mjs --target <project-root> --json
19
- ```
20
-
21
- For package or install issues, run:
22
-
23
- ```text
24
- node scripts/audit-distribution.mjs --root <gse-root> --json
25
- node scripts/audit-remote-distribution.mjs --root <gse-root> --json
26
- ```
27
-
28
- ## What To Include In A Support Request
29
-
30
- - GSE root path or installed package path.
31
- - Target project path, if any.
32
- - Command run and the compact JSON summary.
33
- - Whether the problem is skill usage, project scaffold, package/install, host adapter, release, or evidence gating.
34
- - Whether optional tools such as OpenSpec, Comet, Superpowers, LSP, browser automation, MCP, or subagents were actually available.
35
-
36
- ## Community
37
-
38
- GateHub (`https://gatehub.top/`) supports GSE development and contributor coordination.
1
+ # Support
2
+
3
+ Use this file to decide where to start when GSE behavior is confusing, incomplete, or blocked.
4
+
5
+ ## First Checks
6
+
7
+ Run:
8
+
9
+ ```text
10
+ node scripts/validate-gse.mjs --root <gse-root> --json
11
+ ```
12
+
13
+ For a target project using GSE, run:
14
+
15
+ ```text
16
+ node scripts/audit-target-project.mjs --target <project-root> --json
17
+ node scripts/generate-session-prompt.mjs --target <project-root>
18
+ node scripts/audit-close-gate.mjs --target <project-root> --json
19
+ ```
20
+
21
+ For package or install issues, run:
22
+
23
+ ```text
24
+ node scripts/audit-distribution.mjs --root <gse-root> --json
25
+ node scripts/audit-remote-distribution.mjs --root <gse-root> --json
26
+ ```
27
+
28
+ ## What To Include In A Support Request
29
+
30
+ - GSE root path or installed package path.
31
+ - Target project path, if any.
32
+ - Command run and the compact JSON summary.
33
+ - Whether the problem is skill usage, project scaffold, package/install, host adapter, release, or evidence gating.
34
+ - Whether optional tools such as OpenSpec, Comet, Superpowers, LSP, browser automation, MCP, or subagents were actually available.
35
+
36
+ ## Community
37
+
38
+ GateHub (`https://gatehub.top/`) supports GSE development and contributor coordination.
@@ -1,7 +1,7 @@
1
- # Marketplace Metadata
2
-
3
- This folder contains portable discovery metadata for publishing or listing GSE in a skill, plugin, or agent-workflow catalog.
4
-
5
- The metadata is intentionally host-neutral. It describes what GSE is, how to validate it, which entrypoints matter, and which host capabilities still require separate runtime evidence.
6
-
7
- Do not add maintainer secrets, local machine paths, private project names, or unverified marketplace approval claims here.
1
+ # Marketplace Metadata
2
+
3
+ This folder contains portable discovery metadata for publishing or listing GSE in a skill, plugin, or agent-workflow catalog.
4
+
5
+ The metadata is intentionally host-neutral. It describes what GSE is, how to validate it, which entrypoints matter, and which host capabilities still require separate runtime evidence.
6
+
7
+ Do not add maintainer secrets, local machine paths, private project names, or unverified marketplace approval claims here.
@@ -1,75 +1,75 @@
1
- {
2
- "schemaVersion": 1,
3
- "name": "gse",
4
- "displayName": "GSE",
5
- "tagline": "Goal-Spec-Evidence Engineering for long-running agentic software projects.",
6
- "summary": "Goal-Spec-Evidence workflow skill for AI coding agents that turns ad hoc development into goal maps, scoped specs, focused execution, evidence gates, and reusable learning.",
7
- "categories": [
8
- "agentic engineering",
9
- "software development workflow",
10
- "spec-driven development",
11
- "AI coding agents",
12
- "project governance"
13
- ],
14
- "keywords": [
15
- "GSE",
16
- "Goal-Spec-Evidence",
17
- "agentic engineering",
18
- "spec-driven development",
19
- "SDD",
20
- "AI coding agent workflow",
21
- "evidence gates",
22
- "goal map",
23
- "project scaffolding",
24
- "OpenSpec-style changes",
25
- "Superpowers-style execution"
26
- ],
27
- "hostSupport": [
28
- {
29
- "host": "Codex-style agents",
30
- "status": "documented",
31
- "adapter": ".codex/gse-command.md",
32
- "notes": "Portable runner and pointer adapter are verified; project-level native slash-command execution is host-specific."
33
- },
34
- {
35
- "host": "Claude Code-style agents",
36
- "status": "documented",
37
- "adapter": ".claude/commands/gse.md",
38
- "notes": "Generated command file shape is verified in fixtures; real host invocation requires host runtime evidence."
39
- },
40
- {
41
- "host": "Custom agent runtimes",
42
- "status": "documented",
43
- "adapter": "runtime-specific bridge",
44
- "notes": "Runtime capabilities should be verified inside the target project before being marked verified."
45
- }
46
- ],
47
- "entrypoints": [
48
- "SKILL.md",
49
- "package.json",
50
- "README.md",
51
- "README.zh-CN.md",
52
- "scripts/init-project.mjs",
53
- "scripts/run-gse-command.mjs",
54
- "scripts/validate-gse.mjs",
55
- "scripts/audit-npm-package-metadata.mjs",
56
- "scripts/audit-npm-tarball-install.mjs"
57
- ],
58
- "verification": [
59
- "node scripts/validate-gse.mjs --root . --json",
60
- "node scripts/audit-npm-package-metadata.mjs --root . --json",
61
- "node scripts/audit-marketplace-discovery.mjs --root . --json",
62
- "node scripts/audit-host-ui-invocation.mjs --root . --json"
63
- ],
64
- "distribution": {
65
- "packageScript": "scripts/package-gse.mjs",
66
- "installScript": "scripts/install-gse.mjs",
67
- "signingScript": "scripts/sign-gse-package.mjs",
68
- "trustPolicy": "references/release-trust.md"
69
- },
70
- "boundaries": [
71
- "GSE is not a hosted service.",
72
- "GSE does not require OpenSpec, Superpowers, Comet, MCP, LSP, browser automation, or subagents.",
73
- "Marketplace approval, maintainer identity, and native host UI invocation require separate evidence."
74
- ]
75
- }
1
+ {
2
+ "schemaVersion": 1,
3
+ "name": "gse",
4
+ "displayName": "GSE",
5
+ "tagline": "Goal-Spec-Evidence Engineering for long-running agentic software projects.",
6
+ "summary": "Goal-Spec-Evidence workflow skill for AI coding agents that turns ad hoc development into goal maps, scoped specs, focused execution, evidence gates, and reusable learning.",
7
+ "categories": [
8
+ "agentic engineering",
9
+ "software development workflow",
10
+ "spec-driven development",
11
+ "AI coding agents",
12
+ "project governance"
13
+ ],
14
+ "keywords": [
15
+ "GSE",
16
+ "Goal-Spec-Evidence",
17
+ "agentic engineering",
18
+ "spec-driven development",
19
+ "SDD",
20
+ "AI coding agent workflow",
21
+ "evidence gates",
22
+ "goal map",
23
+ "project scaffolding",
24
+ "OpenSpec-style changes",
25
+ "Superpowers-style execution"
26
+ ],
27
+ "hostSupport": [
28
+ {
29
+ "host": "Codex-style agents",
30
+ "status": "documented",
31
+ "adapter": ".codex/gse-command.md",
32
+ "notes": "Portable runner and pointer adapter are verified; project-level native slash-command execution is host-specific."
33
+ },
34
+ {
35
+ "host": "Claude Code-style agents",
36
+ "status": "documented",
37
+ "adapter": ".claude/commands/gse.md",
38
+ "notes": "Generated command file shape is verified in fixtures; real host invocation requires host runtime evidence."
39
+ },
40
+ {
41
+ "host": "Custom agent runtimes",
42
+ "status": "documented",
43
+ "adapter": "runtime-specific bridge",
44
+ "notes": "Runtime capabilities should be verified inside the target project before being marked verified."
45
+ }
46
+ ],
47
+ "entrypoints": [
48
+ "SKILL.md",
49
+ "package.json",
50
+ "README.md",
51
+ "README.zh-CN.md",
52
+ "scripts/init-project.mjs",
53
+ "scripts/run-gse-command.mjs",
54
+ "scripts/validate-gse.mjs",
55
+ "scripts/audit-npm-package-metadata.mjs",
56
+ "scripts/audit-npm-tarball-install.mjs"
57
+ ],
58
+ "verification": [
59
+ "node scripts/validate-gse.mjs --root . --json",
60
+ "node scripts/audit-npm-package-metadata.mjs --root . --json",
61
+ "node scripts/audit-marketplace-discovery.mjs --root . --json",
62
+ "node scripts/audit-host-ui-invocation.mjs --root . --json"
63
+ ],
64
+ "distribution": {
65
+ "packageScript": "scripts/package-gse.mjs",
66
+ "installScript": "scripts/install-gse.mjs",
67
+ "signingScript": "scripts/sign-gse-package.mjs",
68
+ "trustPolicy": "references/release-trust.md"
69
+ },
70
+ "boundaries": [
71
+ "GSE is not a hosted service.",
72
+ "GSE does not require OpenSpec, Superpowers, Comet, MCP, LSP, browser automation, or subagents.",
73
+ "Marketplace approval, maintainer identity, and native host UI invocation require separate evidence."
74
+ ]
75
+ }
@@ -1,73 +1,73 @@
1
- # Acceptance Execution Packet
2
-
3
- Use this packet when GSE needs external acceptance evidence instead of another structural audit.
4
-
5
- Choose exactly one path per packet.
6
-
7
- ```text
8
- Acceptance path: fresh-session | owner-approved project write
9
- Target project or session:
10
- Purpose:
11
- Required inputs:
12
- Allowed files:
13
- Forbidden files:
14
- Allowed commands:
15
- Forbidden commands:
16
- Expected output:
17
- Evidence record path:
18
- Acceptance gate:
19
- Accepted by:
20
- Stop conditions:
21
- Residual risk if incomplete:
22
- Next action after completion:
23
- ```
24
-
25
- ## Fresh-Session Path
26
-
27
- Use when a separate session, thread, host worker, or equivalent can run the GSE continuation path without hidden conversation history.
28
-
29
- Required inputs:
30
-
31
- - `SKILL.md`
32
- - `.gse/gse-design-master-plan.md`
33
- - `.gse/goal-map.md`
34
- - `.gse/current-slice.md`
35
- - `references/forward-test.md`
36
- - `references/evidence-taxonomy.md`
37
-
38
- Acceptance gate: the separate session identifies the current slice, states outcome/scope/acceptance/evidence/risk/next action, runs or describes the smallest valid verification, and records `Accepted by: fresh-session` only if it actually executed the packet.
39
-
40
- ## Owner-Approved Project Write Path
41
-
42
- Use when a target project owner explicitly allows GSE to write project-local `.gse/` adoption or update artifacts.
43
-
44
- Required inputs:
45
-
46
- - Project owner approval text or issue/task link.
47
- - Target project rule file such as `AGENTS.md`, `CLAUDE.md`, or README.
48
- - `references/adoption-recipes.md`
49
- - `assets/templates/target-adoption-evidence.md`
50
- - `assets/templates/update-release-acceptance-record.md`
51
-
52
- Default allowed files:
53
-
54
- - `.gse/README.md`
55
- - `.gse/project-profile.md`
56
- - `.gse/goal-map.md`
57
- - `.gse/quality-gates.md`
58
- - `.gse/tooling.md`
59
- - `.gse/evidence/YYYY-MM-DD.md`
60
-
61
- Default forbidden files:
62
-
63
- - Source code, lockfiles, secrets, generated outputs, screenshots, build artifacts, and unrelated host config.
64
-
65
- Acceptance gate: the owner-approved project record exists, project-local verification ran, residual risks are recorded, and the owner or named policy accepts the verified record.
66
-
67
- ## Anti-Overclaim Rules
68
-
69
- - Do not write `Accepted by: fresh-session` unless a separate session actually ran the packet.
70
- - Do not write `Accepted by: owner` unless owner approval is explicit and recorded.
71
- - Do not treat a generated packet, local validation, fixture audit, or read-only discovery as acceptance.
72
- - Do not expand allowed files or commands without updating the packet and recording why.
73
- - If a stop condition occurs, record `Evidence status: not ready` or `verified` with `Accepted by: not accepted`.
1
+ # Acceptance Execution Packet
2
+
3
+ Use this packet when GSE needs external acceptance evidence instead of another structural audit.
4
+
5
+ Choose exactly one path per packet.
6
+
7
+ ```text
8
+ Acceptance path: fresh-session | owner-approved project write
9
+ Target project or session:
10
+ Purpose:
11
+ Required inputs:
12
+ Allowed files:
13
+ Forbidden files:
14
+ Allowed commands:
15
+ Forbidden commands:
16
+ Expected output:
17
+ Evidence record path:
18
+ Acceptance gate:
19
+ Accepted by:
20
+ Stop conditions:
21
+ Residual risk if incomplete:
22
+ Next action after completion:
23
+ ```
24
+
25
+ ## Fresh-Session Path
26
+
27
+ Use when a separate session, thread, host worker, or equivalent can run the GSE continuation path without hidden conversation history.
28
+
29
+ Required inputs:
30
+
31
+ - `SKILL.md`
32
+ - `.gse/gse-design-master-plan.md`
33
+ - `.gse/goal-map.md`
34
+ - `.gse/current-slice.md`
35
+ - `references/forward-test.md`
36
+ - `references/evidence-taxonomy.md`
37
+
38
+ Acceptance gate: the separate session identifies the current slice, states outcome/scope/acceptance/evidence/risk/next action, runs or describes the smallest valid verification, and records `Accepted by: fresh-session` only if it actually executed the packet.
39
+
40
+ ## Owner-Approved Project Write Path
41
+
42
+ Use when a target project owner explicitly allows GSE to write project-local `.gse/` adoption or update artifacts.
43
+
44
+ Required inputs:
45
+
46
+ - Project owner approval text or issue/task link.
47
+ - Target project rule file such as `AGENTS.md`, `CLAUDE.md`, or README.
48
+ - `references/adoption-recipes.md`
49
+ - `assets/templates/target-adoption-evidence.md`
50
+ - `assets/templates/update-release-acceptance-record.md`
51
+
52
+ Default allowed files:
53
+
54
+ - `.gse/README.md`
55
+ - `.gse/project-profile.md`
56
+ - `.gse/goal-map.md`
57
+ - `.gse/quality-gates.md`
58
+ - `.gse/tooling.md`
59
+ - `.gse/evidence/YYYY-MM-DD.md`
60
+
61
+ Default forbidden files:
62
+
63
+ - Source code, lockfiles, secrets, generated outputs, screenshots, build artifacts, and unrelated host config.
64
+
65
+ Acceptance gate: the owner-approved project record exists, project-local verification ran, residual risks are recorded, and the owner or named policy accepts the verified record.
66
+
67
+ ## Anti-Overclaim Rules
68
+
69
+ - Do not write `Accepted by: fresh-session` unless a separate session actually ran the packet.
70
+ - Do not write `Accepted by: owner` unless owner approval is explicit and recorded.
71
+ - Do not treat a generated packet, local validation, fixture audit, or read-only discovery as acceptance.
72
+ - Do not expand allowed files or commands without updating the packet and recording why.
73
+ - If a stop condition occurs, record `Evidence status: not ready` or `verified` with `Accepted by: not accepted`.