@t275005746/gse 0.1.0 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -42
- package/.github/ISSUE_TEMPLATE/change_request.yml +50 -50
- package/.github/ISSUE_TEMPLATE/config.yml +5 -5
- package/.github/PULL_REQUEST_TEMPLATE.md +38 -38
- package/.github/workflows/validate-gse.yml +33 -33
- package/.gse/README.md +18 -18
- package/.gse/gse-development-protocol.md +50 -50
- package/.gse/project-profile.md +29 -29
- package/.gse/quality-gates.md +25 -25
- package/.gse/releases/public-registry-publication-npm.md +49 -0
- package/.gse/releases/public-release-owner-required.md +65 -65
- package/.gse/releases/public-security-contact-owner-required.md +45 -45
- package/.gse/state.json +147 -27
- package/CHANGELOG.md +31 -15
- package/CONTRIBUTING.md +64 -64
- package/LICENSE +21 -21
- package/README.md +14 -7
- package/README.zh-CN.md +14 -7
- package/SECURITY.md +41 -41
- package/SKILL.md +32 -12
- package/SUPPORT.md +38 -38
- package/assets/marketplace/README.md +7 -7
- package/assets/marketplace/gse-listing.json +75 -75
- package/assets/templates/acceptance-execution-packet.md +73 -73
- package/assets/templates/adr.md +14 -14
- package/assets/templates/change-brief.md +16 -16
- package/assets/templates/design.md +18 -18
- package/assets/templates/dispatch-packet.md +100 -92
- package/assets/templates/evidence.md +15 -9
- package/assets/templates/execution-quality-pack.md +65 -65
- package/assets/templates/goal-map.md +21 -21
- package/assets/templates/host-adapter.md +48 -48
- package/assets/templates/host-ui-invocation-record.md +42 -42
- package/assets/templates/incident-review.md +60 -60
- package/assets/templates/public-channel-publication-record.md +49 -49
- package/assets/templates/public-ci-run-record.md +53 -53
- package/assets/templates/public-release-record.md +65 -65
- package/assets/templates/public-repository-settings-record.md +59 -59
- package/assets/templates/public-security-contact-record.md +45 -45
- package/assets/templates/release-trust-record.md +32 -32
- package/assets/templates/review.md +18 -18
- package/assets/templates/role-fallback-packet.md +49 -0
- package/assets/templates/spec.md +16 -16
- package/assets/templates/target-adoption-evidence.md +29 -29
- package/assets/templates/tasks.md +17 -17
- package/assets/templates/update-release-acceptance-record.md +58 -58
- package/examples/README.md +22 -22
- package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -6
- package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -7
- package/examples/agent-runtime-host/.gse/goal-map.md +7 -7
- package/examples/agent-runtime-host/.gse/project-profile.md +27 -27
- package/examples/agent-runtime-host/.gse/tooling.md +5 -5
- package/examples/agent-runtime-host/.mcp.json +9 -9
- package/examples/agent-runtime-host/AGENTS.md +5 -5
- package/examples/agent-runtime-host/README.md +10 -10
- package/examples/agent-runtime-host/docs/model-routing.md +5 -5
- package/examples/cli-tool/.gse/project-profile.md +21 -21
- package/examples/cli-tool/AGENTS.md +5 -5
- package/examples/cli-tool/README.md +12 -12
- package/examples/cli-tool/package.json +21 -21
- package/examples/small-app/.env.example +2 -2
- package/examples/small-app/.github/workflows/ci.yml +8 -8
- package/examples/small-app/AGENTS.md +5 -5
- package/examples/small-app/README.md +12 -12
- package/examples/small-app/package.json +26 -26
- package/examples/small-app/playwright.config.ts +4 -4
- package/package.json +52 -44
- package/references/adoption-recipes.md +171 -171
- package/references/agent-roles.md +42 -21
- package/references/architecture-health.md +101 -101
- package/references/benchmark-audit.md +73 -73
- package/references/commands.md +74 -45
- package/references/community-channels.md +46 -46
- package/references/compatibility.md +70 -70
- package/references/design-basis.md +38 -38
- package/references/domain-model.md +129 -129
- package/references/domain-quality-gates.md +75 -75
- package/references/drift-audit.md +81 -80
- package/references/evidence-taxonomy.md +145 -108
- package/references/file-ownership.md +97 -93
- package/references/final-form-roadmap.md +201 -0
- package/references/final-readiness.md +84 -84
- package/references/forward-test.md +133 -133
- package/references/goal-map.md +36 -36
- package/references/host-adapters.md +129 -101
- package/references/learning-system.md +42 -26
- package/references/maintenance-cadence.md +51 -0
- package/references/marketplace-discovery.md +46 -46
- package/references/model-routing.md +103 -103
- package/references/open-source-defaults.md +39 -39
- package/references/operating-model.md +52 -52
- package/references/packaging.md +277 -277
- package/references/project-agent-workspace.md +89 -89
- package/references/project-bootstrap.md +122 -122
- package/references/project-guards.md +52 -0
- package/references/project-profile.md +57 -57
- package/references/public-release.md +174 -174
- package/references/quality-gates.md +96 -89
- package/references/recovery.md +176 -176
- package/references/release-trust.md +43 -43
- package/references/release.md +126 -126
- package/references/review.md +141 -141
- package/references/role-dispatch-fallback.md +54 -0
- package/references/router.md +90 -90
- package/references/spec-workflow.md +66 -66
- package/references/task-levels.md +81 -81
- package/references/tool-adapters.md +80 -70
- package/scripts/audit-acceptance-execution-packet.mjs +133 -133
- package/scripts/audit-adoption-recipes.mjs +99 -99
- package/scripts/audit-change-lifecycle.mjs +77 -77
- package/scripts/audit-change-system.mjs +134 -134
- package/scripts/audit-ci-readiness.mjs +107 -107
- package/scripts/audit-close-gate-hardening.mjs +188 -0
- package/scripts/audit-close-gate.mjs +448 -262
- package/scripts/audit-command-adapters.mjs +91 -91
- package/scripts/audit-command-execution.mjs +212 -199
- package/scripts/audit-commands.mjs +7 -5
- package/scripts/audit-compatibility.mjs +149 -149
- package/scripts/audit-completion-plan-drill.mjs +230 -0
- package/scripts/audit-completion-readiness.mjs +290 -287
- package/scripts/audit-continue-preflight.mjs +234 -0
- package/scripts/audit-distribution.mjs +251 -251
- package/scripts/audit-domain-quality-gates.mjs +108 -108
- package/scripts/audit-evidence-levels.mjs +217 -0
- package/scripts/audit-evidence-placeholders.mjs +126 -126
- package/scripts/audit-evidence-review-queue.mjs +206 -0
- package/scripts/audit-final-acceptance-packet.mjs +9 -9
- package/scripts/audit-final-form-progress-report.mjs +19 -18
- package/scripts/audit-final-form-roadmap.mjs +157 -0
- package/scripts/audit-final-form-stale-copy.mjs +2 -2
- package/scripts/audit-final-readiness-promotion.mjs +255 -255
- package/scripts/audit-final-readiness.mjs +226 -226
- package/scripts/audit-fixtures.mjs +154 -154
- package/scripts/audit-fresh-session-readiness.mjs +177 -177
- package/scripts/audit-host-capabilities.mjs +237 -0
- package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -159
- package/scripts/audit-host-runtime-invocation-drill.mjs +240 -240
- package/scripts/audit-host-runtime-invocations.mjs +254 -254
- package/scripts/audit-host-ui-invocation.mjs +132 -132
- package/scripts/audit-installed-sync.mjs +203 -0
- package/scripts/audit-learning-drift.mjs +292 -0
- package/scripts/audit-learning-promotion.mjs +351 -0
- package/scripts/audit-learning-system.mjs +24 -14
- package/scripts/audit-local-final-form-completion.mjs +11 -10
- package/scripts/audit-maintenance-cadence.mjs +139 -0
- package/scripts/audit-maintenance-snapshot.mjs +181 -0
- package/scripts/audit-marketplace-discovery.mjs +122 -122
- package/scripts/audit-npm-package-metadata.mjs +160 -154
- package/scripts/audit-npm-publish-dry-run.mjs +194 -166
- package/scripts/audit-npm-tarball-install.mjs +195 -189
- package/scripts/audit-open-source-defaults.mjs +92 -92
- package/scripts/audit-open-source-readiness.mjs +97 -97
- package/scripts/audit-owner-external-gate-kit.mjs +12 -11
- package/scripts/audit-project-guards.mjs +189 -0
- package/scripts/audit-project.mjs +144 -141
- package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -203
- package/scripts/audit-public-acceptance-handoff.mjs +10 -10
- package/scripts/audit-public-acceptance-readiness.mjs +222 -222
- package/scripts/audit-public-channel-publication.mjs +248 -248
- package/scripts/audit-public-ci-run.mjs +184 -184
- package/scripts/audit-public-collaboration-templates.mjs +98 -98
- package/scripts/audit-public-external-gate-probe.mjs +206 -206
- package/scripts/audit-public-release-checklist.mjs +17 -15
- package/scripts/audit-public-release-decision.mjs +201 -201
- package/scripts/audit-public-release-metadata.mjs +176 -176
- package/scripts/audit-public-repository-settings.mjs +237 -237
- package/scripts/audit-public-security-contact.mjs +171 -171
- package/scripts/audit-readme-docs.mjs +6 -4
- package/scripts/audit-recovery-readiness.mjs +98 -98
- package/scripts/audit-release-bundle.mjs +13 -11
- package/scripts/audit-release-owner-action-plan-drill.mjs +5 -4
- package/scripts/audit-release-owner-action-plan.mjs +10 -10
- package/scripts/audit-release-readiness.mjs +106 -106
- package/scripts/audit-release-status-manifest.mjs +4 -4
- package/scripts/audit-release-trust.mjs +62 -62
- package/scripts/audit-remote-distribution.mjs +266 -266
- package/scripts/audit-roadmap-consistency.mjs +234 -230
- package/scripts/audit-role-dispatch-fallback.mjs +212 -0
- package/scripts/audit-session-sync.mjs +127 -0
- package/scripts/audit-signing.mjs +147 -147
- package/scripts/audit-state-freshness.mjs +20 -14
- package/scripts/audit-state-repair.mjs +360 -0
- package/scripts/audit-target-adoption-evidence.mjs +117 -117
- package/scripts/audit-target-hardening-drills.mjs +267 -0
- package/scripts/audit-target-project.mjs +507 -507
- package/scripts/audit-tool-fallback-policy.mjs +180 -0
- package/scripts/audit-ui-browser-evidence-policy.mjs +191 -0
- package/scripts/audit-update-release-acceptance.mjs +136 -136
- package/scripts/audit-v1-target-validation.mjs +269 -269
- package/scripts/audit-validation-profiles.mjs +125 -123
- package/scripts/backfill-evidence-levels.mjs +98 -0
- package/scripts/check-encoding.mjs +72 -0
- package/scripts/close-change.mjs +116 -116
- package/scripts/discover-project-profile.mjs +307 -307
- package/scripts/generate-command-adapter.mjs +231 -231
- package/scripts/generate-continue-packet.mjs +1214 -0
- package/scripts/generate-final-acceptance-packet.mjs +188 -173
- package/scripts/generate-final-form-progress-report.mjs +191 -189
- package/scripts/generate-host-runtime-evidence-handoff.mjs +198 -191
- package/scripts/generate-maintenance-snapshot.mjs +216 -0
- package/scripts/generate-owner-external-gate-kit.mjs +295 -295
- package/scripts/generate-public-acceptance-handoff.mjs +168 -156
- package/scripts/generate-public-release-checklist.mjs +207 -207
- package/scripts/generate-release-bundle.mjs +505 -505
- package/scripts/generate-release-owner-action-plan.mjs +172 -171
- package/scripts/generate-release-status-manifest.mjs +199 -198
- package/scripts/generate-session-prompt.mjs +188 -188
- package/scripts/gse.mjs +67 -67
- package/scripts/init-change.mjs +265 -265
- package/scripts/init-project.mjs +793 -712
- package/scripts/install-gse.mjs +234 -234
- package/scripts/lib/evidence-placeholders.mjs +28 -28
- package/scripts/package-gse.mjs +174 -174
- package/scripts/probe-public-external-gates.mjs +167 -167
- package/scripts/record-host-invocation.mjs +151 -151
- package/scripts/record-learning.mjs +37 -8
- package/scripts/record-public-channel-publication.mjs +178 -178
- package/scripts/record-public-ci-run.mjs +180 -180
- package/scripts/record-public-release.mjs +175 -175
- package/scripts/record-public-repository-settings.mjs +209 -209
- package/scripts/record-public-security-contact.mjs +157 -157
- package/scripts/record-session-sync.mjs +87 -0
- package/scripts/run-gse-command.mjs +79 -47
- package/scripts/run-validation-profile.mjs +24 -5
- package/scripts/sign-gse-package.mjs +83 -83
- package/scripts/update-project-state.mjs +223 -223
- package/scripts/validate-gse.mjs +216 -0
- package/scripts/verify-gse-package.mjs +85 -85
|
@@ -1,176 +1,176 @@
|
|
|
1
|
-
#!/usr/bin/env node
|
|
2
|
-
import fs from 'node:fs'
|
|
3
|
-
import path from 'node:path'
|
|
4
|
-
import { spawnSync } from 'node:child_process'
|
|
5
|
-
|
|
6
|
-
const args = process.argv.slice(2)
|
|
7
|
-
|
|
8
|
-
function readArg(name, fallback = null) {
|
|
9
|
-
const index = args.indexOf(name)
|
|
10
|
-
if (index === -1) return fallback
|
|
11
|
-
return args[index + 1] ?? fallback
|
|
12
|
-
}
|
|
13
|
-
|
|
14
|
-
const root = path.resolve(readArg('--root', path.join(import.meta.dirname, '..')))
|
|
15
|
-
const jsonOnly = args.includes('--json')
|
|
16
|
-
|
|
17
|
-
function read(relativePath) {
|
|
18
|
-
const fullPath = path.join(root, relativePath)
|
|
19
|
-
return fs.existsSync(fullPath) ? fs.readFileSync(fullPath, 'utf8') : ''
|
|
20
|
-
}
|
|
21
|
-
|
|
22
|
-
function exists(relativePath) {
|
|
23
|
-
return fs.existsSync(path.join(root, relativePath))
|
|
24
|
-
}
|
|
25
|
-
|
|
26
|
-
function check(id, label, ok, evidence, risk = '') {
|
|
27
|
-
return { id, label, status: ok ? 'passed' : 'failed', evidence, risk }
|
|
28
|
-
}
|
|
29
|
-
|
|
30
|
-
const skill = read('SKILL.md')
|
|
31
|
-
const release = read('references/release.md')
|
|
32
|
-
const publicRelease = read('references/public-release.md')
|
|
33
|
-
const releaseTrust = read('references/release-trust.md')
|
|
34
|
-
const marketplace = read('references/marketplace-discovery.md')
|
|
35
|
-
const changelog = read('CHANGELOG.md')
|
|
36
|
-
const template = read('assets/templates/public-release-record.md')
|
|
37
|
-
const validate = read('scripts/validate-gse.mjs')
|
|
38
|
-
const recordScript = read('scripts/record-public-release.mjs')
|
|
39
|
-
|
|
40
|
-
function run(command, commandArgs) {
|
|
41
|
-
const result = spawnSync(command, commandArgs, {
|
|
42
|
-
cwd: root,
|
|
43
|
-
encoding: 'utf8',
|
|
44
|
-
windowsHide: true,
|
|
45
|
-
})
|
|
46
|
-
return {
|
|
47
|
-
status: result.status ?? 1,
|
|
48
|
-
stdout: (result.stdout ?? '').trim(),
|
|
49
|
-
stderr: (result.stderr ?? '').trim(),
|
|
50
|
-
}
|
|
51
|
-
}
|
|
52
|
-
|
|
53
|
-
function parseJson(stdout) {
|
|
54
|
-
try {
|
|
55
|
-
return JSON.parse(stdout)
|
|
56
|
-
} catch {
|
|
57
|
-
return null
|
|
58
|
-
}
|
|
59
|
-
}
|
|
60
|
-
|
|
61
|
-
const ownerRequiredDryRun = exists('scripts/record-public-release.mjs')
|
|
62
|
-
? run(process.execPath, [path.join(root, 'scripts', 'record-public-release.mjs'), '--root', root, '--license-status', 'owner-required', '--dry-run', '--json'])
|
|
63
|
-
: null
|
|
64
|
-
const ownerRequiredData = ownerRequiredDryRun ? parseJson(ownerRequiredDryRun.stdout) : null
|
|
65
|
-
const selectedFailureRun = exists('scripts/record-public-release.mjs')
|
|
66
|
-
? run(process.execPath, [path.join(root, 'scripts', 'record-public-release.mjs'), '--root', root, '--license-status', 'selected', '--dry-run', '--json'])
|
|
67
|
-
: null
|
|
68
|
-
const selectedFailureData = selectedFailureRun ? parseJson(selectedFailureRun.stdout) : null
|
|
69
|
-
|
|
70
|
-
const ownerLicensePending =
|
|
71
|
-
publicRelease.includes('GSE must not choose a license by guessing') &&
|
|
72
|
-
publicRelease.includes('owner-required') &&
|
|
73
|
-
changelog.includes('Open-source license selection remains an owner decision')
|
|
74
|
-
|
|
75
|
-
const releaseRecord = read('.gse/releases/public-release-owner-required.md')
|
|
76
|
-
const ownerRequiredRecord =
|
|
77
|
-
releaseRecord.includes('License status: owner-required') &&
|
|
78
|
-
releaseRecord.includes('Evidence status: result')
|
|
79
|
-
const selectedAcceptedRecord =
|
|
80
|
-
releaseRecord.includes('License status: selected') &&
|
|
81
|
-
releaseRecord.includes('SPDX identifier: MIT') &&
|
|
82
|
-
releaseRecord.includes('License file: LICENSE') &&
|
|
83
|
-
releaseRecord.includes('Evidence status: accepted')
|
|
84
|
-
const releaseRecordStatus = selectedAcceptedRecord
|
|
85
|
-
? 'accepted-license-decision'
|
|
86
|
-
: ownerRequiredRecord
|
|
87
|
-
? 'owner-required'
|
|
88
|
-
: 'unknown'
|
|
89
|
-
|
|
90
|
-
const releaseRecordFields = [
|
|
91
|
-
'Release name:',
|
|
92
|
-
'Release version or label:',
|
|
93
|
-
'Distribution channel:',
|
|
94
|
-
'License status:',
|
|
95
|
-
'SPDX identifier:',
|
|
96
|
-
'License file:',
|
|
97
|
-
'Approved by:',
|
|
98
|
-
'Changelog path:',
|
|
99
|
-
'Validation command:',
|
|
100
|
-
'Known unsupported claims:',
|
|
101
|
-
'Evidence status:',
|
|
102
|
-
]
|
|
103
|
-
|
|
104
|
-
const changelogTerms = [
|
|
105
|
-
'# Changelog',
|
|
106
|
-
'## Unreleased',
|
|
107
|
-
'### Added',
|
|
108
|
-
'### Verified',
|
|
109
|
-
'### Not Yet Accepted',
|
|
110
|
-
'Public registry publication and marketplace approval are not verified',
|
|
111
|
-
]
|
|
112
|
-
|
|
113
|
-
const checks = [
|
|
114
|
-
check('PR01', 'public release reference exists', exists('references/public-release.md'), 'references/public-release.md'),
|
|
115
|
-
check('PR02', 'public release record template exists', exists('assets/templates/public-release-record.md'), 'assets/templates/public-release-record.md'),
|
|
116
|
-
check('PR03', 'changelog exists with public-release boundaries', exists('CHANGELOG.md') && changelogTerms.every((term) => changelog.includes(term)), 'CHANGELOG.md'),
|
|
117
|
-
check('PR04', 'license decision is owner-gated and not guessed', ownerLicensePending, 'references/public-release.md, CHANGELOG.md'),
|
|
118
|
-
check('PR05', 'public release record captures owner/license/release evidence fields', releaseRecordFields.every((field) => template.includes(field)), releaseRecordFields.join(', ')),
|
|
119
|
-
check('PR06', 'release docs route to public metadata, trust, and marketplace gates', release.includes('references/public-release.md') && publicRelease.includes('references/release-trust.md') && publicRelease.includes('references/marketplace-discovery.md') && releaseTrust.includes('release-trust') && marketplace.includes('marketplace'), 'release, public-release, release-trust, marketplace references'),
|
|
120
|
-
check('PR07', 'SKILL routes public release metadata reference', skill.includes('references/public-release.md'), 'SKILL.md Reference Routing'),
|
|
121
|
-
check('PR08', 'validator includes public release metadata audit', validate.includes('audit-public-release-metadata.mjs'), 'scripts/validate-gse.mjs'),
|
|
122
|
-
check('PR09', 'public release record command exists and is documented', exists('scripts/record-public-release.mjs') && publicRelease.includes('scripts/record-public-release.mjs') && skill.includes('record-public-release.mjs'), 'scripts/record-public-release.mjs, references/public-release.md, SKILL.md'),
|
|
123
|
-
check('PR10', 'public release record command can dry-run owner-required state', ownerRequiredDryRun?.status === 0 && ownerRequiredData?.status === 'ready' && ownerRequiredData?.licenseStatus === 'owner-required', 'record-public-release owner-required dry-run'),
|
|
124
|
-
check('PR11', 'selected license mode requires owner decision fields', selectedFailureRun?.status !== 0 && selectedFailureData?.status === 'failed' && selectedFailureData?.errors?.some((item) => item.includes('--spdx')) && recordScript.includes('selected license requires --approved-by'), 'record-public-release selected dry-run failure'),
|
|
125
|
-
check('PR12', 'public release decision record is preserved', exists('.gse/releases/public-release-owner-required.md') && (ownerRequiredRecord || selectedAcceptedRecord), '.gse/releases/public-release-owner-required.md'),
|
|
126
|
-
]
|
|
127
|
-
|
|
128
|
-
const passed = checks.filter((item) => item.status === 'passed').length
|
|
129
|
-
const failed = checks.length - passed
|
|
130
|
-
const report = {
|
|
131
|
-
root,
|
|
132
|
-
generatedAt: new Date().toISOString(),
|
|
133
|
-
summary: { status: failed === 0 ? 'passed' : 'failed', passed, failed, total: checks.length },
|
|
134
|
-
workflows: {
|
|
135
|
-
publicReleaseMetadata: failed === 0 ? 'verified' : 'failed',
|
|
136
|
-
publicReleaseAcceptance: releaseRecordStatus,
|
|
137
|
-
},
|
|
138
|
-
limits: [
|
|
139
|
-
'This audit verifies public-release metadata structure, changelog policy, owner-gated license decision, and routing.',
|
|
140
|
-
'It does not choose a license, publish to GitHub, approve a marketplace listing, or certify legal suitability.',
|
|
141
|
-
'Accepted public release still requires public repository, CI, security contact, channel publication, and host-runtime evidence when those claims are made.',
|
|
142
|
-
],
|
|
143
|
-
checks,
|
|
144
|
-
}
|
|
145
|
-
|
|
146
|
-
function renderMarkdown(data) {
|
|
147
|
-
const lines = []
|
|
148
|
-
lines.push('# GSE Public Release Metadata Audit')
|
|
149
|
-
lines.push('')
|
|
150
|
-
lines.push('Generated: ' + data.generatedAt)
|
|
151
|
-
lines.push('Root: ' + data.root)
|
|
152
|
-
lines.push('')
|
|
153
|
-
lines.push('## Summary')
|
|
154
|
-
lines.push('')
|
|
155
|
-
lines.push('- Status: ' + data.summary.status)
|
|
156
|
-
lines.push('- Checks: ' + data.summary.passed + '/' + data.summary.total)
|
|
157
|
-
lines.push('- Public release metadata: ' + data.workflows.publicReleaseMetadata)
|
|
158
|
-
lines.push('- Public release acceptance: ' + data.workflows.publicReleaseAcceptance)
|
|
159
|
-
lines.push('')
|
|
160
|
-
lines.push('## Checks')
|
|
161
|
-
lines.push('')
|
|
162
|
-
for (const item of data.checks) {
|
|
163
|
-
const marker = item.status === 'passed' ? '[x]' : '[ ]'
|
|
164
|
-
lines.push('- ' + marker + ' ' + item.id + ' ' + item.label + ': ' + item.evidence)
|
|
165
|
-
}
|
|
166
|
-
lines.push('')
|
|
167
|
-
lines.push('## Limits')
|
|
168
|
-
lines.push('')
|
|
169
|
-
for (const item of data.limits) lines.push('- ' + item)
|
|
170
|
-
return lines.join('\n') + '\n'
|
|
171
|
-
}
|
|
172
|
-
|
|
173
|
-
if (jsonOnly) console.log(JSON.stringify(report, null, 2))
|
|
174
|
-
else console.log(renderMarkdown(report))
|
|
175
|
-
|
|
176
|
-
if (failed > 0) process.exit(1)
|
|
1
|
+
#!/usr/bin/env node
|
|
2
|
+
import fs from 'node:fs'
|
|
3
|
+
import path from 'node:path'
|
|
4
|
+
import { spawnSync } from 'node:child_process'
|
|
5
|
+
|
|
6
|
+
const args = process.argv.slice(2)
|
|
7
|
+
|
|
8
|
+
function readArg(name, fallback = null) {
|
|
9
|
+
const index = args.indexOf(name)
|
|
10
|
+
if (index === -1) return fallback
|
|
11
|
+
return args[index + 1] ?? fallback
|
|
12
|
+
}
|
|
13
|
+
|
|
14
|
+
const root = path.resolve(readArg('--root', path.join(import.meta.dirname, '..')))
|
|
15
|
+
const jsonOnly = args.includes('--json')
|
|
16
|
+
|
|
17
|
+
function read(relativePath) {
|
|
18
|
+
const fullPath = path.join(root, relativePath)
|
|
19
|
+
return fs.existsSync(fullPath) ? fs.readFileSync(fullPath, 'utf8') : ''
|
|
20
|
+
}
|
|
21
|
+
|
|
22
|
+
function exists(relativePath) {
|
|
23
|
+
return fs.existsSync(path.join(root, relativePath))
|
|
24
|
+
}
|
|
25
|
+
|
|
26
|
+
function check(id, label, ok, evidence, risk = '') {
|
|
27
|
+
return { id, label, status: ok ? 'passed' : 'failed', evidence, risk }
|
|
28
|
+
}
|
|
29
|
+
|
|
30
|
+
const skill = read('SKILL.md')
|
|
31
|
+
const release = read('references/release.md')
|
|
32
|
+
const publicRelease = read('references/public-release.md')
|
|
33
|
+
const releaseTrust = read('references/release-trust.md')
|
|
34
|
+
const marketplace = read('references/marketplace-discovery.md')
|
|
35
|
+
const changelog = read('CHANGELOG.md')
|
|
36
|
+
const template = read('assets/templates/public-release-record.md')
|
|
37
|
+
const validate = read('scripts/validate-gse.mjs')
|
|
38
|
+
const recordScript = read('scripts/record-public-release.mjs')
|
|
39
|
+
|
|
40
|
+
function run(command, commandArgs) {
|
|
41
|
+
const result = spawnSync(command, commandArgs, {
|
|
42
|
+
cwd: root,
|
|
43
|
+
encoding: 'utf8',
|
|
44
|
+
windowsHide: true,
|
|
45
|
+
})
|
|
46
|
+
return {
|
|
47
|
+
status: result.status ?? 1,
|
|
48
|
+
stdout: (result.stdout ?? '').trim(),
|
|
49
|
+
stderr: (result.stderr ?? '').trim(),
|
|
50
|
+
}
|
|
51
|
+
}
|
|
52
|
+
|
|
53
|
+
function parseJson(stdout) {
|
|
54
|
+
try {
|
|
55
|
+
return JSON.parse(stdout)
|
|
56
|
+
} catch {
|
|
57
|
+
return null
|
|
58
|
+
}
|
|
59
|
+
}
|
|
60
|
+
|
|
61
|
+
const ownerRequiredDryRun = exists('scripts/record-public-release.mjs')
|
|
62
|
+
? run(process.execPath, [path.join(root, 'scripts', 'record-public-release.mjs'), '--root', root, '--license-status', 'owner-required', '--dry-run', '--json'])
|
|
63
|
+
: null
|
|
64
|
+
const ownerRequiredData = ownerRequiredDryRun ? parseJson(ownerRequiredDryRun.stdout) : null
|
|
65
|
+
const selectedFailureRun = exists('scripts/record-public-release.mjs')
|
|
66
|
+
? run(process.execPath, [path.join(root, 'scripts', 'record-public-release.mjs'), '--root', root, '--license-status', 'selected', '--dry-run', '--json'])
|
|
67
|
+
: null
|
|
68
|
+
const selectedFailureData = selectedFailureRun ? parseJson(selectedFailureRun.stdout) : null
|
|
69
|
+
|
|
70
|
+
const ownerLicensePending =
|
|
71
|
+
publicRelease.includes('GSE must not choose a license by guessing') &&
|
|
72
|
+
publicRelease.includes('owner-required') &&
|
|
73
|
+
changelog.includes('Open-source license selection remains an owner decision')
|
|
74
|
+
|
|
75
|
+
const releaseRecord = read('.gse/releases/public-release-owner-required.md')
|
|
76
|
+
const ownerRequiredRecord =
|
|
77
|
+
releaseRecord.includes('License status: owner-required') &&
|
|
78
|
+
releaseRecord.includes('Evidence status: result')
|
|
79
|
+
const selectedAcceptedRecord =
|
|
80
|
+
releaseRecord.includes('License status: selected') &&
|
|
81
|
+
releaseRecord.includes('SPDX identifier: MIT') &&
|
|
82
|
+
releaseRecord.includes('License file: LICENSE') &&
|
|
83
|
+
releaseRecord.includes('Evidence status: accepted')
|
|
84
|
+
const releaseRecordStatus = selectedAcceptedRecord
|
|
85
|
+
? 'accepted-license-decision'
|
|
86
|
+
: ownerRequiredRecord
|
|
87
|
+
? 'owner-required'
|
|
88
|
+
: 'unknown'
|
|
89
|
+
|
|
90
|
+
const releaseRecordFields = [
|
|
91
|
+
'Release name:',
|
|
92
|
+
'Release version or label:',
|
|
93
|
+
'Distribution channel:',
|
|
94
|
+
'License status:',
|
|
95
|
+
'SPDX identifier:',
|
|
96
|
+
'License file:',
|
|
97
|
+
'Approved by:',
|
|
98
|
+
'Changelog path:',
|
|
99
|
+
'Validation command:',
|
|
100
|
+
'Known unsupported claims:',
|
|
101
|
+
'Evidence status:',
|
|
102
|
+
]
|
|
103
|
+
|
|
104
|
+
const changelogTerms = [
|
|
105
|
+
'# Changelog',
|
|
106
|
+
'## Unreleased',
|
|
107
|
+
'### Added',
|
|
108
|
+
'### Verified',
|
|
109
|
+
'### Not Yet Accepted',
|
|
110
|
+
'Public registry publication and marketplace approval are not verified',
|
|
111
|
+
]
|
|
112
|
+
|
|
113
|
+
const checks = [
|
|
114
|
+
check('PR01', 'public release reference exists', exists('references/public-release.md'), 'references/public-release.md'),
|
|
115
|
+
check('PR02', 'public release record template exists', exists('assets/templates/public-release-record.md'), 'assets/templates/public-release-record.md'),
|
|
116
|
+
check('PR03', 'changelog exists with public-release boundaries', exists('CHANGELOG.md') && changelogTerms.every((term) => changelog.includes(term)), 'CHANGELOG.md'),
|
|
117
|
+
check('PR04', 'license decision is owner-gated and not guessed', ownerLicensePending, 'references/public-release.md, CHANGELOG.md'),
|
|
118
|
+
check('PR05', 'public release record captures owner/license/release evidence fields', releaseRecordFields.every((field) => template.includes(field)), releaseRecordFields.join(', ')),
|
|
119
|
+
check('PR06', 'release docs route to public metadata, trust, and marketplace gates', release.includes('references/public-release.md') && publicRelease.includes('references/release-trust.md') && publicRelease.includes('references/marketplace-discovery.md') && releaseTrust.includes('release-trust') && marketplace.includes('marketplace'), 'release, public-release, release-trust, marketplace references'),
|
|
120
|
+
check('PR07', 'SKILL routes public release metadata reference', skill.includes('references/public-release.md'), 'SKILL.md Reference Routing'),
|
|
121
|
+
check('PR08', 'validator includes public release metadata audit', validate.includes('audit-public-release-metadata.mjs'), 'scripts/validate-gse.mjs'),
|
|
122
|
+
check('PR09', 'public release record command exists and is documented', exists('scripts/record-public-release.mjs') && publicRelease.includes('scripts/record-public-release.mjs') && skill.includes('record-public-release.mjs'), 'scripts/record-public-release.mjs, references/public-release.md, SKILL.md'),
|
|
123
|
+
check('PR10', 'public release record command can dry-run owner-required state', ownerRequiredDryRun?.status === 0 && ownerRequiredData?.status === 'ready' && ownerRequiredData?.licenseStatus === 'owner-required', 'record-public-release owner-required dry-run'),
|
|
124
|
+
check('PR11', 'selected license mode requires owner decision fields', selectedFailureRun?.status !== 0 && selectedFailureData?.status === 'failed' && selectedFailureData?.errors?.some((item) => item.includes('--spdx')) && recordScript.includes('selected license requires --approved-by'), 'record-public-release selected dry-run failure'),
|
|
125
|
+
check('PR12', 'public release decision record is preserved', exists('.gse/releases/public-release-owner-required.md') && (ownerRequiredRecord || selectedAcceptedRecord), '.gse/releases/public-release-owner-required.md'),
|
|
126
|
+
]
|
|
127
|
+
|
|
128
|
+
const passed = checks.filter((item) => item.status === 'passed').length
|
|
129
|
+
const failed = checks.length - passed
|
|
130
|
+
const report = {
|
|
131
|
+
root,
|
|
132
|
+
generatedAt: new Date().toISOString(),
|
|
133
|
+
summary: { status: failed === 0 ? 'passed' : 'failed', passed, failed, total: checks.length },
|
|
134
|
+
workflows: {
|
|
135
|
+
publicReleaseMetadata: failed === 0 ? 'verified' : 'failed',
|
|
136
|
+
publicReleaseAcceptance: releaseRecordStatus,
|
|
137
|
+
},
|
|
138
|
+
limits: [
|
|
139
|
+
'This audit verifies public-release metadata structure, changelog policy, owner-gated license decision, and routing.',
|
|
140
|
+
'It does not choose a license, publish to GitHub, approve a marketplace listing, or certify legal suitability.',
|
|
141
|
+
'Accepted public release still requires public repository, CI, security contact, channel publication, and host-runtime evidence when those claims are made.',
|
|
142
|
+
],
|
|
143
|
+
checks,
|
|
144
|
+
}
|
|
145
|
+
|
|
146
|
+
function renderMarkdown(data) {
|
|
147
|
+
const lines = []
|
|
148
|
+
lines.push('# GSE Public Release Metadata Audit')
|
|
149
|
+
lines.push('')
|
|
150
|
+
lines.push('Generated: ' + data.generatedAt)
|
|
151
|
+
lines.push('Root: ' + data.root)
|
|
152
|
+
lines.push('')
|
|
153
|
+
lines.push('## Summary')
|
|
154
|
+
lines.push('')
|
|
155
|
+
lines.push('- Status: ' + data.summary.status)
|
|
156
|
+
lines.push('- Checks: ' + data.summary.passed + '/' + data.summary.total)
|
|
157
|
+
lines.push('- Public release metadata: ' + data.workflows.publicReleaseMetadata)
|
|
158
|
+
lines.push('- Public release acceptance: ' + data.workflows.publicReleaseAcceptance)
|
|
159
|
+
lines.push('')
|
|
160
|
+
lines.push('## Checks')
|
|
161
|
+
lines.push('')
|
|
162
|
+
for (const item of data.checks) {
|
|
163
|
+
const marker = item.status === 'passed' ? '[x]' : '[ ]'
|
|
164
|
+
lines.push('- ' + marker + ' ' + item.id + ' ' + item.label + ': ' + item.evidence)
|
|
165
|
+
}
|
|
166
|
+
lines.push('')
|
|
167
|
+
lines.push('## Limits')
|
|
168
|
+
lines.push('')
|
|
169
|
+
for (const item of data.limits) lines.push('- ' + item)
|
|
170
|
+
return lines.join('\n') + '\n'
|
|
171
|
+
}
|
|
172
|
+
|
|
173
|
+
if (jsonOnly) console.log(JSON.stringify(report, null, 2))
|
|
174
|
+
else console.log(renderMarkdown(report))
|
|
175
|
+
|
|
176
|
+
if (failed > 0) process.exit(1)
|