@t275005746/gse 0.1.0 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -42
- package/.github/ISSUE_TEMPLATE/change_request.yml +50 -50
- package/.github/ISSUE_TEMPLATE/config.yml +5 -5
- package/.github/PULL_REQUEST_TEMPLATE.md +38 -38
- package/.github/workflows/validate-gse.yml +33 -33
- package/.gse/README.md +18 -18
- package/.gse/gse-development-protocol.md +50 -50
- package/.gse/project-profile.md +29 -29
- package/.gse/quality-gates.md +25 -25
- package/.gse/releases/public-registry-publication-npm.md +49 -0
- package/.gse/releases/public-release-owner-required.md +65 -65
- package/.gse/releases/public-security-contact-owner-required.md +45 -45
- package/.gse/state.json +147 -27
- package/CHANGELOG.md +31 -15
- package/CONTRIBUTING.md +64 -64
- package/LICENSE +21 -21
- package/README.md +14 -7
- package/README.zh-CN.md +14 -7
- package/SECURITY.md +41 -41
- package/SKILL.md +32 -12
- package/SUPPORT.md +38 -38
- package/assets/marketplace/README.md +7 -7
- package/assets/marketplace/gse-listing.json +75 -75
- package/assets/templates/acceptance-execution-packet.md +73 -73
- package/assets/templates/adr.md +14 -14
- package/assets/templates/change-brief.md +16 -16
- package/assets/templates/design.md +18 -18
- package/assets/templates/dispatch-packet.md +100 -92
- package/assets/templates/evidence.md +15 -9
- package/assets/templates/execution-quality-pack.md +65 -65
- package/assets/templates/goal-map.md +21 -21
- package/assets/templates/host-adapter.md +48 -48
- package/assets/templates/host-ui-invocation-record.md +42 -42
- package/assets/templates/incident-review.md +60 -60
- package/assets/templates/public-channel-publication-record.md +49 -49
- package/assets/templates/public-ci-run-record.md +53 -53
- package/assets/templates/public-release-record.md +65 -65
- package/assets/templates/public-repository-settings-record.md +59 -59
- package/assets/templates/public-security-contact-record.md +45 -45
- package/assets/templates/release-trust-record.md +32 -32
- package/assets/templates/review.md +18 -18
- package/assets/templates/role-fallback-packet.md +49 -0
- package/assets/templates/spec.md +16 -16
- package/assets/templates/target-adoption-evidence.md +29 -29
- package/assets/templates/tasks.md +17 -17
- package/assets/templates/update-release-acceptance-record.md +58 -58
- package/examples/README.md +22 -22
- package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -6
- package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -7
- package/examples/agent-runtime-host/.gse/goal-map.md +7 -7
- package/examples/agent-runtime-host/.gse/project-profile.md +27 -27
- package/examples/agent-runtime-host/.gse/tooling.md +5 -5
- package/examples/agent-runtime-host/.mcp.json +9 -9
- package/examples/agent-runtime-host/AGENTS.md +5 -5
- package/examples/agent-runtime-host/README.md +10 -10
- package/examples/agent-runtime-host/docs/model-routing.md +5 -5
- package/examples/cli-tool/.gse/project-profile.md +21 -21
- package/examples/cli-tool/AGENTS.md +5 -5
- package/examples/cli-tool/README.md +12 -12
- package/examples/cli-tool/package.json +21 -21
- package/examples/small-app/.env.example +2 -2
- package/examples/small-app/.github/workflows/ci.yml +8 -8
- package/examples/small-app/AGENTS.md +5 -5
- package/examples/small-app/README.md +12 -12
- package/examples/small-app/package.json +26 -26
- package/examples/small-app/playwright.config.ts +4 -4
- package/package.json +52 -44
- package/references/adoption-recipes.md +171 -171
- package/references/agent-roles.md +42 -21
- package/references/architecture-health.md +101 -101
- package/references/benchmark-audit.md +73 -73
- package/references/commands.md +74 -45
- package/references/community-channels.md +46 -46
- package/references/compatibility.md +70 -70
- package/references/design-basis.md +38 -38
- package/references/domain-model.md +129 -129
- package/references/domain-quality-gates.md +75 -75
- package/references/drift-audit.md +81 -80
- package/references/evidence-taxonomy.md +145 -108
- package/references/file-ownership.md +97 -93
- package/references/final-form-roadmap.md +201 -0
- package/references/final-readiness.md +84 -84
- package/references/forward-test.md +133 -133
- package/references/goal-map.md +36 -36
- package/references/host-adapters.md +129 -101
- package/references/learning-system.md +42 -26
- package/references/maintenance-cadence.md +51 -0
- package/references/marketplace-discovery.md +46 -46
- package/references/model-routing.md +103 -103
- package/references/open-source-defaults.md +39 -39
- package/references/operating-model.md +52 -52
- package/references/packaging.md +277 -277
- package/references/project-agent-workspace.md +89 -89
- package/references/project-bootstrap.md +122 -122
- package/references/project-guards.md +52 -0
- package/references/project-profile.md +57 -57
- package/references/public-release.md +174 -174
- package/references/quality-gates.md +96 -89
- package/references/recovery.md +176 -176
- package/references/release-trust.md +43 -43
- package/references/release.md +126 -126
- package/references/review.md +141 -141
- package/references/role-dispatch-fallback.md +54 -0
- package/references/router.md +90 -90
- package/references/spec-workflow.md +66 -66
- package/references/task-levels.md +81 -81
- package/references/tool-adapters.md +80 -70
- package/scripts/audit-acceptance-execution-packet.mjs +133 -133
- package/scripts/audit-adoption-recipes.mjs +99 -99
- package/scripts/audit-change-lifecycle.mjs +77 -77
- package/scripts/audit-change-system.mjs +134 -134
- package/scripts/audit-ci-readiness.mjs +107 -107
- package/scripts/audit-close-gate-hardening.mjs +188 -0
- package/scripts/audit-close-gate.mjs +448 -262
- package/scripts/audit-command-adapters.mjs +91 -91
- package/scripts/audit-command-execution.mjs +212 -199
- package/scripts/audit-commands.mjs +7 -5
- package/scripts/audit-compatibility.mjs +149 -149
- package/scripts/audit-completion-plan-drill.mjs +230 -0
- package/scripts/audit-completion-readiness.mjs +290 -287
- package/scripts/audit-continue-preflight.mjs +234 -0
- package/scripts/audit-distribution.mjs +251 -251
- package/scripts/audit-domain-quality-gates.mjs +108 -108
- package/scripts/audit-evidence-levels.mjs +217 -0
- package/scripts/audit-evidence-placeholders.mjs +126 -126
- package/scripts/audit-evidence-review-queue.mjs +206 -0
- package/scripts/audit-final-acceptance-packet.mjs +9 -9
- package/scripts/audit-final-form-progress-report.mjs +19 -18
- package/scripts/audit-final-form-roadmap.mjs +157 -0
- package/scripts/audit-final-form-stale-copy.mjs +2 -2
- package/scripts/audit-final-readiness-promotion.mjs +255 -255
- package/scripts/audit-final-readiness.mjs +226 -226
- package/scripts/audit-fixtures.mjs +154 -154
- package/scripts/audit-fresh-session-readiness.mjs +177 -177
- package/scripts/audit-host-capabilities.mjs +237 -0
- package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -159
- package/scripts/audit-host-runtime-invocation-drill.mjs +240 -240
- package/scripts/audit-host-runtime-invocations.mjs +254 -254
- package/scripts/audit-host-ui-invocation.mjs +132 -132
- package/scripts/audit-installed-sync.mjs +203 -0
- package/scripts/audit-learning-drift.mjs +292 -0
- package/scripts/audit-learning-promotion.mjs +351 -0
- package/scripts/audit-learning-system.mjs +24 -14
- package/scripts/audit-local-final-form-completion.mjs +11 -10
- package/scripts/audit-maintenance-cadence.mjs +139 -0
- package/scripts/audit-maintenance-snapshot.mjs +181 -0
- package/scripts/audit-marketplace-discovery.mjs +122 -122
- package/scripts/audit-npm-package-metadata.mjs +160 -154
- package/scripts/audit-npm-publish-dry-run.mjs +194 -166
- package/scripts/audit-npm-tarball-install.mjs +195 -189
- package/scripts/audit-open-source-defaults.mjs +92 -92
- package/scripts/audit-open-source-readiness.mjs +97 -97
- package/scripts/audit-owner-external-gate-kit.mjs +12 -11
- package/scripts/audit-project-guards.mjs +189 -0
- package/scripts/audit-project.mjs +144 -141
- package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -203
- package/scripts/audit-public-acceptance-handoff.mjs +10 -10
- package/scripts/audit-public-acceptance-readiness.mjs +222 -222
- package/scripts/audit-public-channel-publication.mjs +248 -248
- package/scripts/audit-public-ci-run.mjs +184 -184
- package/scripts/audit-public-collaboration-templates.mjs +98 -98
- package/scripts/audit-public-external-gate-probe.mjs +206 -206
- package/scripts/audit-public-release-checklist.mjs +17 -15
- package/scripts/audit-public-release-decision.mjs +201 -201
- package/scripts/audit-public-release-metadata.mjs +176 -176
- package/scripts/audit-public-repository-settings.mjs +237 -237
- package/scripts/audit-public-security-contact.mjs +171 -171
- package/scripts/audit-readme-docs.mjs +6 -4
- package/scripts/audit-recovery-readiness.mjs +98 -98
- package/scripts/audit-release-bundle.mjs +13 -11
- package/scripts/audit-release-owner-action-plan-drill.mjs +5 -4
- package/scripts/audit-release-owner-action-plan.mjs +10 -10
- package/scripts/audit-release-readiness.mjs +106 -106
- package/scripts/audit-release-status-manifest.mjs +4 -4
- package/scripts/audit-release-trust.mjs +62 -62
- package/scripts/audit-remote-distribution.mjs +266 -266
- package/scripts/audit-roadmap-consistency.mjs +234 -230
- package/scripts/audit-role-dispatch-fallback.mjs +212 -0
- package/scripts/audit-session-sync.mjs +127 -0
- package/scripts/audit-signing.mjs +147 -147
- package/scripts/audit-state-freshness.mjs +20 -14
- package/scripts/audit-state-repair.mjs +360 -0
- package/scripts/audit-target-adoption-evidence.mjs +117 -117
- package/scripts/audit-target-hardening-drills.mjs +267 -0
- package/scripts/audit-target-project.mjs +507 -507
- package/scripts/audit-tool-fallback-policy.mjs +180 -0
- package/scripts/audit-ui-browser-evidence-policy.mjs +191 -0
- package/scripts/audit-update-release-acceptance.mjs +136 -136
- package/scripts/audit-v1-target-validation.mjs +269 -269
- package/scripts/audit-validation-profiles.mjs +125 -123
- package/scripts/backfill-evidence-levels.mjs +98 -0
- package/scripts/check-encoding.mjs +72 -0
- package/scripts/close-change.mjs +116 -116
- package/scripts/discover-project-profile.mjs +307 -307
- package/scripts/generate-command-adapter.mjs +231 -231
- package/scripts/generate-continue-packet.mjs +1214 -0
- package/scripts/generate-final-acceptance-packet.mjs +188 -173
- package/scripts/generate-final-form-progress-report.mjs +191 -189
- package/scripts/generate-host-runtime-evidence-handoff.mjs +198 -191
- package/scripts/generate-maintenance-snapshot.mjs +216 -0
- package/scripts/generate-owner-external-gate-kit.mjs +295 -295
- package/scripts/generate-public-acceptance-handoff.mjs +168 -156
- package/scripts/generate-public-release-checklist.mjs +207 -207
- package/scripts/generate-release-bundle.mjs +505 -505
- package/scripts/generate-release-owner-action-plan.mjs +172 -171
- package/scripts/generate-release-status-manifest.mjs +199 -198
- package/scripts/generate-session-prompt.mjs +188 -188
- package/scripts/gse.mjs +67 -67
- package/scripts/init-change.mjs +265 -265
- package/scripts/init-project.mjs +793 -712
- package/scripts/install-gse.mjs +234 -234
- package/scripts/lib/evidence-placeholders.mjs +28 -28
- package/scripts/package-gse.mjs +174 -174
- package/scripts/probe-public-external-gates.mjs +167 -167
- package/scripts/record-host-invocation.mjs +151 -151
- package/scripts/record-learning.mjs +37 -8
- package/scripts/record-public-channel-publication.mjs +178 -178
- package/scripts/record-public-ci-run.mjs +180 -180
- package/scripts/record-public-release.mjs +175 -175
- package/scripts/record-public-repository-settings.mjs +209 -209
- package/scripts/record-public-security-contact.mjs +157 -157
- package/scripts/record-session-sync.mjs +87 -0
- package/scripts/run-gse-command.mjs +79 -47
- package/scripts/run-validation-profile.mjs +24 -5
- package/scripts/sign-gse-package.mjs +83 -83
- package/scripts/update-project-state.mjs +223 -223
- package/scripts/validate-gse.mjs +216 -0
- package/scripts/verify-gse-package.mjs +85 -85
|
@@ -1,169 +1,197 @@
|
|
|
1
|
-
#!/usr/bin/env node
|
|
2
|
-
import fs from 'node:fs'
|
|
3
|
-
import path from 'node:path'
|
|
4
|
-
import { spawnSync } from 'node:child_process'
|
|
5
|
-
|
|
6
|
-
const args = process.argv.slice(2)
|
|
7
|
-
|
|
8
|
-
function readArg(name, fallback = null) {
|
|
9
|
-
const index = args.indexOf(name)
|
|
10
|
-
if (index === -1) return fallback
|
|
11
|
-
return args[index + 1] ?? fallback
|
|
12
|
-
}
|
|
13
|
-
|
|
14
|
-
const root = path.resolve(readArg('--root', path.join(import.meta.dirname, '..')))
|
|
15
|
-
const jsonOnly = args.includes('--json')
|
|
16
|
-
|
|
17
|
-
function readJson(relativePath) {
|
|
18
|
-
const fullPath = path.join(root, relativePath)
|
|
19
|
-
if (!fs.existsSync(fullPath)) return null
|
|
20
|
-
try {
|
|
21
|
-
return JSON.parse(fs.readFileSync(fullPath, 'utf8').replace(/^\uFEFF/, ''))
|
|
22
|
-
} catch {
|
|
23
|
-
return null
|
|
24
|
-
}
|
|
25
|
-
}
|
|
26
|
-
|
|
27
|
-
function run(command, commandArgs) {
|
|
28
|
-
const result = spawnSync(command, commandArgs, {
|
|
29
|
-
cwd: root,
|
|
30
|
-
encoding: 'utf8',
|
|
31
|
-
windowsHide: true,
|
|
32
|
-
})
|
|
33
|
-
return {
|
|
34
|
-
command: [command, ...commandArgs].join(' '),
|
|
35
|
-
status: result.status ?? 1,
|
|
36
|
-
stdout: (result.stdout ?? '').trim(),
|
|
37
|
-
stderr: (result.stderr ?? '').trim(),
|
|
38
|
-
}
|
|
39
|
-
}
|
|
40
|
-
|
|
41
|
-
function npm(commandArgs) {
|
|
42
|
-
return process.platform === 'win32'
|
|
43
|
-
? run('cmd', ['/c', 'npm', ...commandArgs])
|
|
44
|
-
: run('npm', commandArgs)
|
|
45
|
-
}
|
|
46
|
-
|
|
47
|
-
function parseJson(text) {
|
|
48
|
-
try {
|
|
49
|
-
return JSON.parse(text)
|
|
50
|
-
} catch {
|
|
51
|
-
return null
|
|
52
|
-
}
|
|
53
|
-
}
|
|
54
|
-
|
|
55
|
-
function check(id, label, ok, evidence, risk = '') {
|
|
56
|
-
return { id, label, status: ok ? 'passed' : 'failed', evidence, risk }
|
|
57
|
-
}
|
|
58
|
-
|
|
1
|
+
#!/usr/bin/env node
|
|
2
|
+
import fs from 'node:fs'
|
|
3
|
+
import path from 'node:path'
|
|
4
|
+
import { spawnSync } from 'node:child_process'
|
|
5
|
+
|
|
6
|
+
const args = process.argv.slice(2)
|
|
7
|
+
|
|
8
|
+
function readArg(name, fallback = null) {
|
|
9
|
+
const index = args.indexOf(name)
|
|
10
|
+
if (index === -1) return fallback
|
|
11
|
+
return args[index + 1] ?? fallback
|
|
12
|
+
}
|
|
13
|
+
|
|
14
|
+
const root = path.resolve(readArg('--root', path.join(import.meta.dirname, '..')))
|
|
15
|
+
const jsonOnly = args.includes('--json')
|
|
16
|
+
|
|
17
|
+
function readJson(relativePath) {
|
|
18
|
+
const fullPath = path.join(root, relativePath)
|
|
19
|
+
if (!fs.existsSync(fullPath)) return null
|
|
20
|
+
try {
|
|
21
|
+
return JSON.parse(fs.readFileSync(fullPath, 'utf8').replace(/^\uFEFF/, ''))
|
|
22
|
+
} catch {
|
|
23
|
+
return null
|
|
24
|
+
}
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
function run(command, commandArgs) {
|
|
28
|
+
const result = spawnSync(command, commandArgs, {
|
|
29
|
+
cwd: root,
|
|
30
|
+
encoding: 'utf8',
|
|
31
|
+
windowsHide: true,
|
|
32
|
+
})
|
|
33
|
+
return {
|
|
34
|
+
command: [command, ...commandArgs].join(' '),
|
|
35
|
+
status: result.status ?? 1,
|
|
36
|
+
stdout: (result.stdout ?? '').trim(),
|
|
37
|
+
stderr: (result.stderr ?? '').trim(),
|
|
38
|
+
}
|
|
39
|
+
}
|
|
40
|
+
|
|
41
|
+
function npm(commandArgs) {
|
|
42
|
+
return process.platform === 'win32'
|
|
43
|
+
? run('cmd', ['/c', 'npm', ...commandArgs])
|
|
44
|
+
: run('npm', commandArgs)
|
|
45
|
+
}
|
|
46
|
+
|
|
47
|
+
function parseJson(text) {
|
|
48
|
+
try {
|
|
49
|
+
return JSON.parse(text)
|
|
50
|
+
} catch {
|
|
51
|
+
return null
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
|
|
55
|
+
function check(id, label, ok, evidence, risk = '') {
|
|
56
|
+
return { id, label, status: ok ? 'passed' : 'failed', evidence, risk }
|
|
57
|
+
}
|
|
58
|
+
|
|
59
59
|
const pkg = readJson('package.json')
|
|
60
|
+
const repositoryUrl = typeof pkg?.repository === 'string' ? pkg.repository : pkg?.repository?.url
|
|
61
|
+
const expectedRepositoryUrls = new Set([
|
|
62
|
+
'git+https://github.com/275005746/gse.git',
|
|
63
|
+
'https://github.com/275005746/gse.git',
|
|
64
|
+
'https://github.com/275005746/gse',
|
|
65
|
+
])
|
|
60
66
|
const publishRun = npm(['publish', '--dry-run', '--json'])
|
|
61
|
-
const publishData = parseJson(publishRun.stdout)
|
|
62
|
-
const
|
|
63
|
-
const
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
67
|
+
const publishData = parseJson(publishRun.stdout)
|
|
68
|
+
const usablePublishData = publishData?.name && publishData?.version ? publishData : null
|
|
69
|
+
const alreadyPublished = publishRun.status !== 0 && /previously published versions/i.test(publishRun.stderr)
|
|
70
|
+
const registryViewRun = alreadyPublished && pkg?.name && pkg?.version
|
|
71
|
+
? npm(['view', `${pkg.name}@${pkg.version}`, '--json'])
|
|
72
|
+
: null
|
|
73
|
+
const registryViewData = registryViewRun ? parseJson(registryViewRun.stdout) : null
|
|
74
|
+
const packRun = npm(['pack', '--dry-run', '--json'])
|
|
75
|
+
const packData = parseJson(packRun.stdout)
|
|
76
|
+
const packEntry = Array.isArray(packData) ? packData[0] : null
|
|
77
|
+
const publishFiles = new Set(((usablePublishData?.files ?? packEntry?.files) ?? []).map((item) => item.path))
|
|
78
|
+
const effectiveData = usablePublishData ?? (registryViewData
|
|
79
|
+
? {
|
|
80
|
+
id: `${registryViewData.name}@${registryViewData.version}`,
|
|
81
|
+
name: registryViewData.name,
|
|
82
|
+
version: registryViewData.version,
|
|
83
|
+
filename: registryViewData.dist?.tarball ? path.basename(registryViewData.dist.tarball) : undefined,
|
|
84
|
+
size: packEntry?.size,
|
|
85
|
+
unpackedSize: packEntry?.unpackedSize,
|
|
86
|
+
files: packEntry?.files,
|
|
87
|
+
shasum: registryViewData.dist?.shasum,
|
|
88
|
+
integrity: registryViewData.dist?.integrity,
|
|
89
|
+
}
|
|
90
|
+
: null)
|
|
91
|
+
const harmfulWarnings = [
|
|
92
|
+
/auto-corrected some errors/i,
|
|
93
|
+
/errors corrected/i,
|
|
94
|
+
/invalid and removed/i,
|
|
95
|
+
/empty "bin" was removed/i,
|
|
96
|
+
/bin\[.*\].*removed/i,
|
|
97
|
+
]
|
|
98
|
+
const allowedWarnings = [
|
|
99
|
+
/requires you to be logged in/i,
|
|
100
|
+
/Publishing to .* \(dry-run\)/i,
|
|
101
|
+
]
|
|
102
|
+
const warningLines = publishRun.stderr
|
|
103
|
+
.split(/\r?\n/)
|
|
104
|
+
.map((line) => line.trim())
|
|
105
|
+
.filter(Boolean)
|
|
106
|
+
const unexpectedWarningLines = warningLines.filter((line) => {
|
|
107
|
+
if (!/^npm (warn|notice)\b/i.test(line)) return false
|
|
108
|
+
if (harmfulWarnings.some((pattern) => pattern.test(line))) return true
|
|
109
|
+
return !allowedWarnings.some((pattern) => pattern.test(line))
|
|
110
|
+
})
|
|
111
|
+
|
|
112
|
+
const requiredPublishFiles = [
|
|
113
|
+
'package.json',
|
|
114
|
+
'SKILL.md',
|
|
115
|
+
'README.md',
|
|
116
|
+
'README.zh-CN.md',
|
|
117
|
+
'LICENSE',
|
|
118
|
+
'scripts/gse.mjs',
|
|
119
|
+
'scripts/validate-gse.mjs',
|
|
120
|
+
'scripts/audit-npm-publish-dry-run.mjs',
|
|
121
|
+
'references/commands.md',
|
|
122
|
+
'references/packaging.md',
|
|
123
|
+
]
|
|
124
|
+
|
|
125
|
+
const checks = [
|
|
126
|
+
check('NPD01', 'npm publish dry-run command succeeds or published version is registry-verifiable', (publishRun.status === 0 && Boolean(usablePublishData)) || (alreadyPublished && registryViewRun?.status === 0 && Boolean(registryViewData)), alreadyPublished ? `${publishRun.command}; ${registryViewRun?.command ?? 'npm view not run'}` : publishRun.command, publishRun.stderr),
|
|
127
|
+
check('NPD02', 'publish target resolves to the expected package identity', effectiveData?.name === pkg?.name && effectiveData?.version === pkg?.version && effectiveData?.id === `${pkg?.name}@${pkg?.version}`, effectiveData ? `${effectiveData.id}` : 'missing publish dry-run or registry JSON'),
|
|
128
|
+
check('NPD03', 'publish dry-run preserves CLI package metadata before publication', pkg?.bin?.gse === 'scripts/gse.mjs' && fs.existsSync(path.join(root, 'scripts', 'gse.mjs')), 'bin.gse=' + (pkg?.bin?.gse ?? 'missing')),
|
|
129
|
+
check('NPD04', 'publish package includes required runtime files', packRun.status === 0 && requiredPublishFiles.every((item) => publishFiles.has(item)), requiredPublishFiles.filter((item) => !publishFiles.has(item)).join(', ') || 'all required publish files present'),
|
|
130
|
+
check('NPD05', 'publish or registry metadata reports tarball integrity fields', typeof effectiveData?.shasum === 'string' && typeof effectiveData?.integrity === 'string' && effectiveData.integrity.startsWith('sha512-'), 'shasum and integrity'),
|
|
131
|
+
check('NPD06', 'publish dry-run does not auto-correct or remove package metadata', unexpectedWarningLines.length === 0, unexpectedWarningLines.join(' | ') || 'no harmful npm warnings'),
|
|
132
|
+
check('NPD07', 'package metadata points at the public GSE repository without publishConfig overrides', !pkg?.publishConfig && expectedRepositoryUrls.has(repositoryUrl), 'repository=' + (repositoryUrl ?? 'missing') + ', publishConfig=' + (pkg?.publishConfig ? 'present' : 'absent')),
|
|
69
133
|
]
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
.
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
'The npm login warning is allowed for dry-run; metadata auto-correction warnings are not allowed.',
|
|
135
|
-
],
|
|
136
|
-
checks,
|
|
137
|
-
}
|
|
138
|
-
|
|
139
|
-
function renderMarkdown(data) {
|
|
140
|
-
const lines = []
|
|
141
|
-
lines.push('# GSE npm Publish Dry-Run Audit')
|
|
142
|
-
lines.push('')
|
|
143
|
-
lines.push('Generated: ' + data.generatedAt)
|
|
144
|
-
lines.push('Root: ' + data.root)
|
|
145
|
-
lines.push('')
|
|
146
|
-
lines.push('## Summary')
|
|
147
|
-
lines.push('')
|
|
148
|
-
lines.push('- Status: ' + data.summary.status)
|
|
149
|
-
lines.push('- Checks: ' + data.summary.passed + '/' + data.summary.total)
|
|
150
|
-
lines.push('- npm publish dry-run: ' + data.workflows.npmPublishDryRun)
|
|
151
|
-
lines.push('- Registry publication: ' + data.workflows.registryPublication)
|
|
152
|
-
lines.push('')
|
|
153
|
-
lines.push('## Checks')
|
|
154
|
-
lines.push('')
|
|
155
|
-
for (const item of data.checks) {
|
|
156
|
-
const marker = item.status === 'passed' ? '[x]' : '[ ]'
|
|
157
|
-
lines.push('- ' + marker + ' ' + item.id + ' ' + item.label + ': ' + item.evidence)
|
|
158
|
-
}
|
|
159
|
-
lines.push('')
|
|
160
|
-
lines.push('## Limits')
|
|
161
|
-
lines.push('')
|
|
162
|
-
for (const item of data.limits) lines.push('- ' + item)
|
|
163
|
-
return lines.join('\n') + '\n'
|
|
164
|
-
}
|
|
165
|
-
|
|
166
|
-
if (jsonOnly) console.log(JSON.stringify(report, null, 2))
|
|
167
|
-
else console.log(renderMarkdown(report))
|
|
168
|
-
|
|
169
|
-
if (failed > 0) process.exit(1)
|
|
134
|
+
|
|
135
|
+
const passed = checks.filter((item) => item.status === 'passed').length
|
|
136
|
+
const failed = checks.length - passed
|
|
137
|
+
const report = {
|
|
138
|
+
root,
|
|
139
|
+
generatedAt: new Date().toISOString(),
|
|
140
|
+
summary: { status: failed === 0 ? 'passed' : 'failed', passed, failed, total: checks.length },
|
|
141
|
+
workflows: {
|
|
142
|
+
npmPublishDryRun: failed === 0 ? 'verified' : 'failed',
|
|
143
|
+
registryPublication: alreadyPublished && registryViewData ? 'published' : 'not-published',
|
|
144
|
+
},
|
|
145
|
+
publish: effectiveData
|
|
146
|
+
? {
|
|
147
|
+
id: effectiveData.id,
|
|
148
|
+
name: effectiveData.name,
|
|
149
|
+
version: effectiveData.version,
|
|
150
|
+
filename: effectiveData.filename,
|
|
151
|
+
size: effectiveData.size,
|
|
152
|
+
unpackedSize: effectiveData.unpackedSize,
|
|
153
|
+
fileCount: effectiveData.files?.length ?? 0,
|
|
154
|
+
integrity: effectiveData.integrity,
|
|
155
|
+
}
|
|
156
|
+
: null,
|
|
157
|
+
warnings: warningLines,
|
|
158
|
+
commands: [publishRun.command],
|
|
159
|
+
limits: [
|
|
160
|
+
'This audit verifies npm publish dry-run metadata only.',
|
|
161
|
+
'It does not publish GSE, reserve the package name, prove npm ownership, or create public registry evidence.',
|
|
162
|
+
'The npm login warning is allowed for dry-run; metadata auto-correction warnings are not allowed.',
|
|
163
|
+
],
|
|
164
|
+
checks,
|
|
165
|
+
}
|
|
166
|
+
|
|
167
|
+
function renderMarkdown(data) {
|
|
168
|
+
const lines = []
|
|
169
|
+
lines.push('# GSE npm Publish Dry-Run Audit')
|
|
170
|
+
lines.push('')
|
|
171
|
+
lines.push('Generated: ' + data.generatedAt)
|
|
172
|
+
lines.push('Root: ' + data.root)
|
|
173
|
+
lines.push('')
|
|
174
|
+
lines.push('## Summary')
|
|
175
|
+
lines.push('')
|
|
176
|
+
lines.push('- Status: ' + data.summary.status)
|
|
177
|
+
lines.push('- Checks: ' + data.summary.passed + '/' + data.summary.total)
|
|
178
|
+
lines.push('- npm publish dry-run: ' + data.workflows.npmPublishDryRun)
|
|
179
|
+
lines.push('- Registry publication: ' + data.workflows.registryPublication)
|
|
180
|
+
lines.push('')
|
|
181
|
+
lines.push('## Checks')
|
|
182
|
+
lines.push('')
|
|
183
|
+
for (const item of data.checks) {
|
|
184
|
+
const marker = item.status === 'passed' ? '[x]' : '[ ]'
|
|
185
|
+
lines.push('- ' + marker + ' ' + item.id + ' ' + item.label + ': ' + item.evidence)
|
|
186
|
+
}
|
|
187
|
+
lines.push('')
|
|
188
|
+
lines.push('## Limits')
|
|
189
|
+
lines.push('')
|
|
190
|
+
for (const item of data.limits) lines.push('- ' + item)
|
|
191
|
+
return lines.join('\n') + '\n'
|
|
192
|
+
}
|
|
193
|
+
|
|
194
|
+
if (jsonOnly) console.log(JSON.stringify(report, null, 2))
|
|
195
|
+
else console.log(renderMarkdown(report))
|
|
196
|
+
|
|
197
|
+
if (failed > 0) process.exit(1)
|