@t275005746/gse 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (228) hide show
  1. package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -42
  2. package/.github/ISSUE_TEMPLATE/change_request.yml +50 -50
  3. package/.github/ISSUE_TEMPLATE/config.yml +5 -5
  4. package/.github/PULL_REQUEST_TEMPLATE.md +38 -38
  5. package/.github/workflows/validate-gse.yml +33 -33
  6. package/.gse/README.md +18 -18
  7. package/.gse/gse-development-protocol.md +50 -50
  8. package/.gse/project-profile.md +29 -29
  9. package/.gse/quality-gates.md +25 -25
  10. package/.gse/releases/public-registry-publication-npm.md +49 -0
  11. package/.gse/releases/public-release-owner-required.md +65 -65
  12. package/.gse/releases/public-security-contact-owner-required.md +45 -45
  13. package/.gse/state.json +147 -27
  14. package/CHANGELOG.md +31 -15
  15. package/CONTRIBUTING.md +64 -64
  16. package/LICENSE +21 -21
  17. package/README.md +14 -7
  18. package/README.zh-CN.md +14 -7
  19. package/SECURITY.md +41 -41
  20. package/SKILL.md +32 -12
  21. package/SUPPORT.md +38 -38
  22. package/assets/marketplace/README.md +7 -7
  23. package/assets/marketplace/gse-listing.json +75 -75
  24. package/assets/templates/acceptance-execution-packet.md +73 -73
  25. package/assets/templates/adr.md +14 -14
  26. package/assets/templates/change-brief.md +16 -16
  27. package/assets/templates/design.md +18 -18
  28. package/assets/templates/dispatch-packet.md +100 -92
  29. package/assets/templates/evidence.md +15 -9
  30. package/assets/templates/execution-quality-pack.md +65 -65
  31. package/assets/templates/goal-map.md +21 -21
  32. package/assets/templates/host-adapter.md +48 -48
  33. package/assets/templates/host-ui-invocation-record.md +42 -42
  34. package/assets/templates/incident-review.md +60 -60
  35. package/assets/templates/public-channel-publication-record.md +49 -49
  36. package/assets/templates/public-ci-run-record.md +53 -53
  37. package/assets/templates/public-release-record.md +65 -65
  38. package/assets/templates/public-repository-settings-record.md +59 -59
  39. package/assets/templates/public-security-contact-record.md +45 -45
  40. package/assets/templates/release-trust-record.md +32 -32
  41. package/assets/templates/review.md +18 -18
  42. package/assets/templates/role-fallback-packet.md +49 -0
  43. package/assets/templates/spec.md +16 -16
  44. package/assets/templates/target-adoption-evidence.md +29 -29
  45. package/assets/templates/tasks.md +17 -17
  46. package/assets/templates/update-release-acceptance-record.md +58 -58
  47. package/examples/README.md +22 -22
  48. package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -6
  49. package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -7
  50. package/examples/agent-runtime-host/.gse/goal-map.md +7 -7
  51. package/examples/agent-runtime-host/.gse/project-profile.md +27 -27
  52. package/examples/agent-runtime-host/.gse/tooling.md +5 -5
  53. package/examples/agent-runtime-host/.mcp.json +9 -9
  54. package/examples/agent-runtime-host/AGENTS.md +5 -5
  55. package/examples/agent-runtime-host/README.md +10 -10
  56. package/examples/agent-runtime-host/docs/model-routing.md +5 -5
  57. package/examples/cli-tool/.gse/project-profile.md +21 -21
  58. package/examples/cli-tool/AGENTS.md +5 -5
  59. package/examples/cli-tool/README.md +12 -12
  60. package/examples/cli-tool/package.json +21 -21
  61. package/examples/small-app/.env.example +2 -2
  62. package/examples/small-app/.github/workflows/ci.yml +8 -8
  63. package/examples/small-app/AGENTS.md +5 -5
  64. package/examples/small-app/README.md +12 -12
  65. package/examples/small-app/package.json +26 -26
  66. package/examples/small-app/playwright.config.ts +4 -4
  67. package/package.json +52 -44
  68. package/references/adoption-recipes.md +171 -171
  69. package/references/agent-roles.md +42 -21
  70. package/references/architecture-health.md +101 -101
  71. package/references/benchmark-audit.md +73 -73
  72. package/references/commands.md +74 -45
  73. package/references/community-channels.md +46 -46
  74. package/references/compatibility.md +70 -70
  75. package/references/design-basis.md +38 -38
  76. package/references/domain-model.md +129 -129
  77. package/references/domain-quality-gates.md +75 -75
  78. package/references/drift-audit.md +81 -80
  79. package/references/evidence-taxonomy.md +145 -108
  80. package/references/file-ownership.md +97 -93
  81. package/references/final-form-roadmap.md +201 -0
  82. package/references/final-readiness.md +84 -84
  83. package/references/forward-test.md +133 -133
  84. package/references/goal-map.md +36 -36
  85. package/references/host-adapters.md +129 -101
  86. package/references/learning-system.md +42 -26
  87. package/references/maintenance-cadence.md +51 -0
  88. package/references/marketplace-discovery.md +46 -46
  89. package/references/model-routing.md +103 -103
  90. package/references/open-source-defaults.md +39 -39
  91. package/references/operating-model.md +52 -52
  92. package/references/packaging.md +277 -277
  93. package/references/project-agent-workspace.md +89 -89
  94. package/references/project-bootstrap.md +122 -122
  95. package/references/project-guards.md +52 -0
  96. package/references/project-profile.md +57 -57
  97. package/references/public-release.md +174 -174
  98. package/references/quality-gates.md +96 -89
  99. package/references/recovery.md +176 -176
  100. package/references/release-trust.md +43 -43
  101. package/references/release.md +126 -126
  102. package/references/review.md +141 -141
  103. package/references/role-dispatch-fallback.md +54 -0
  104. package/references/router.md +90 -90
  105. package/references/spec-workflow.md +66 -66
  106. package/references/task-levels.md +81 -81
  107. package/references/tool-adapters.md +80 -70
  108. package/scripts/audit-acceptance-execution-packet.mjs +133 -133
  109. package/scripts/audit-adoption-recipes.mjs +99 -99
  110. package/scripts/audit-change-lifecycle.mjs +77 -77
  111. package/scripts/audit-change-system.mjs +134 -134
  112. package/scripts/audit-ci-readiness.mjs +107 -107
  113. package/scripts/audit-close-gate-hardening.mjs +188 -0
  114. package/scripts/audit-close-gate.mjs +448 -262
  115. package/scripts/audit-command-adapters.mjs +91 -91
  116. package/scripts/audit-command-execution.mjs +212 -199
  117. package/scripts/audit-commands.mjs +7 -5
  118. package/scripts/audit-compatibility.mjs +149 -149
  119. package/scripts/audit-completion-plan-drill.mjs +230 -0
  120. package/scripts/audit-completion-readiness.mjs +290 -287
  121. package/scripts/audit-continue-preflight.mjs +234 -0
  122. package/scripts/audit-distribution.mjs +251 -251
  123. package/scripts/audit-domain-quality-gates.mjs +108 -108
  124. package/scripts/audit-evidence-levels.mjs +217 -0
  125. package/scripts/audit-evidence-placeholders.mjs +126 -126
  126. package/scripts/audit-evidence-review-queue.mjs +206 -0
  127. package/scripts/audit-final-acceptance-packet.mjs +9 -9
  128. package/scripts/audit-final-form-progress-report.mjs +19 -18
  129. package/scripts/audit-final-form-roadmap.mjs +157 -0
  130. package/scripts/audit-final-form-stale-copy.mjs +2 -2
  131. package/scripts/audit-final-readiness-promotion.mjs +255 -255
  132. package/scripts/audit-final-readiness.mjs +226 -226
  133. package/scripts/audit-fixtures.mjs +154 -154
  134. package/scripts/audit-fresh-session-readiness.mjs +177 -177
  135. package/scripts/audit-host-capabilities.mjs +237 -0
  136. package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -159
  137. package/scripts/audit-host-runtime-invocation-drill.mjs +240 -240
  138. package/scripts/audit-host-runtime-invocations.mjs +254 -254
  139. package/scripts/audit-host-ui-invocation.mjs +132 -132
  140. package/scripts/audit-installed-sync.mjs +203 -0
  141. package/scripts/audit-learning-drift.mjs +292 -0
  142. package/scripts/audit-learning-promotion.mjs +351 -0
  143. package/scripts/audit-learning-system.mjs +24 -14
  144. package/scripts/audit-local-final-form-completion.mjs +11 -10
  145. package/scripts/audit-maintenance-cadence.mjs +139 -0
  146. package/scripts/audit-maintenance-snapshot.mjs +181 -0
  147. package/scripts/audit-marketplace-discovery.mjs +122 -122
  148. package/scripts/audit-npm-package-metadata.mjs +160 -154
  149. package/scripts/audit-npm-publish-dry-run.mjs +194 -166
  150. package/scripts/audit-npm-tarball-install.mjs +195 -189
  151. package/scripts/audit-open-source-defaults.mjs +92 -92
  152. package/scripts/audit-open-source-readiness.mjs +97 -97
  153. package/scripts/audit-owner-external-gate-kit.mjs +12 -11
  154. package/scripts/audit-project-guards.mjs +189 -0
  155. package/scripts/audit-project.mjs +144 -141
  156. package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -203
  157. package/scripts/audit-public-acceptance-handoff.mjs +10 -10
  158. package/scripts/audit-public-acceptance-readiness.mjs +222 -222
  159. package/scripts/audit-public-channel-publication.mjs +248 -248
  160. package/scripts/audit-public-ci-run.mjs +184 -184
  161. package/scripts/audit-public-collaboration-templates.mjs +98 -98
  162. package/scripts/audit-public-external-gate-probe.mjs +206 -206
  163. package/scripts/audit-public-release-checklist.mjs +17 -15
  164. package/scripts/audit-public-release-decision.mjs +201 -201
  165. package/scripts/audit-public-release-metadata.mjs +176 -176
  166. package/scripts/audit-public-repository-settings.mjs +237 -237
  167. package/scripts/audit-public-security-contact.mjs +171 -171
  168. package/scripts/audit-readme-docs.mjs +6 -4
  169. package/scripts/audit-recovery-readiness.mjs +98 -98
  170. package/scripts/audit-release-bundle.mjs +13 -11
  171. package/scripts/audit-release-owner-action-plan-drill.mjs +5 -4
  172. package/scripts/audit-release-owner-action-plan.mjs +10 -10
  173. package/scripts/audit-release-readiness.mjs +106 -106
  174. package/scripts/audit-release-status-manifest.mjs +4 -4
  175. package/scripts/audit-release-trust.mjs +62 -62
  176. package/scripts/audit-remote-distribution.mjs +266 -266
  177. package/scripts/audit-roadmap-consistency.mjs +234 -230
  178. package/scripts/audit-role-dispatch-fallback.mjs +212 -0
  179. package/scripts/audit-session-sync.mjs +127 -0
  180. package/scripts/audit-signing.mjs +147 -147
  181. package/scripts/audit-state-freshness.mjs +20 -14
  182. package/scripts/audit-state-repair.mjs +360 -0
  183. package/scripts/audit-target-adoption-evidence.mjs +117 -117
  184. package/scripts/audit-target-hardening-drills.mjs +267 -0
  185. package/scripts/audit-target-project.mjs +507 -507
  186. package/scripts/audit-tool-fallback-policy.mjs +180 -0
  187. package/scripts/audit-ui-browser-evidence-policy.mjs +191 -0
  188. package/scripts/audit-update-release-acceptance.mjs +136 -136
  189. package/scripts/audit-v1-target-validation.mjs +269 -269
  190. package/scripts/audit-validation-profiles.mjs +125 -123
  191. package/scripts/backfill-evidence-levels.mjs +98 -0
  192. package/scripts/check-encoding.mjs +72 -0
  193. package/scripts/close-change.mjs +116 -116
  194. package/scripts/discover-project-profile.mjs +307 -307
  195. package/scripts/generate-command-adapter.mjs +231 -231
  196. package/scripts/generate-continue-packet.mjs +1214 -0
  197. package/scripts/generate-final-acceptance-packet.mjs +188 -173
  198. package/scripts/generate-final-form-progress-report.mjs +191 -189
  199. package/scripts/generate-host-runtime-evidence-handoff.mjs +198 -191
  200. package/scripts/generate-maintenance-snapshot.mjs +216 -0
  201. package/scripts/generate-owner-external-gate-kit.mjs +295 -295
  202. package/scripts/generate-public-acceptance-handoff.mjs +168 -156
  203. package/scripts/generate-public-release-checklist.mjs +207 -207
  204. package/scripts/generate-release-bundle.mjs +505 -505
  205. package/scripts/generate-release-owner-action-plan.mjs +172 -171
  206. package/scripts/generate-release-status-manifest.mjs +199 -198
  207. package/scripts/generate-session-prompt.mjs +188 -188
  208. package/scripts/gse.mjs +67 -67
  209. package/scripts/init-change.mjs +265 -265
  210. package/scripts/init-project.mjs +793 -712
  211. package/scripts/install-gse.mjs +234 -234
  212. package/scripts/lib/evidence-placeholders.mjs +28 -28
  213. package/scripts/package-gse.mjs +174 -174
  214. package/scripts/probe-public-external-gates.mjs +167 -167
  215. package/scripts/record-host-invocation.mjs +151 -151
  216. package/scripts/record-learning.mjs +37 -8
  217. package/scripts/record-public-channel-publication.mjs +178 -178
  218. package/scripts/record-public-ci-run.mjs +180 -180
  219. package/scripts/record-public-release.mjs +175 -175
  220. package/scripts/record-public-repository-settings.mjs +209 -209
  221. package/scripts/record-public-security-contact.mjs +157 -157
  222. package/scripts/record-session-sync.mjs +87 -0
  223. package/scripts/run-gse-command.mjs +79 -47
  224. package/scripts/run-validation-profile.mjs +24 -5
  225. package/scripts/sign-gse-package.mjs +83 -83
  226. package/scripts/update-project-state.mjs +223 -223
  227. package/scripts/validate-gse.mjs +216 -0
  228. package/scripts/verify-gse-package.mjs +85 -85
@@ -590,6 +590,18 @@ checks.push({
590
590
  : null,
591
591
  stderr: roadmapConsistency.stderr,
592
592
  })
593
+ const finalFormRoadmap = run(process.execPath, [path.join(root, 'scripts', 'audit-final-form-roadmap.mjs'), '--root', root, '--json'])
594
+ const finalFormRoadmapData = parseJson(finalFormRoadmap.stdout)
595
+ checks.push({
596
+ id: 'validate-14b',
597
+ label: 'final-form roadmap contract audit',
598
+ status: finalFormRoadmap.status === 0 ? 'passed' : 'failed',
599
+ command: finalFormRoadmap.command,
600
+ summary: finalFormRoadmapData
601
+ ? { status: finalFormRoadmapData.summary?.status, checks: finalFormRoadmapData.summary ? finalFormRoadmapData.summary.passed + '/' + finalFormRoadmapData.summary.total : null, finalFormRoadmap: finalFormRoadmapData.workflows?.finalFormRoadmap }
602
+ : null,
603
+ stderr: finalFormRoadmap.stderr,
604
+ })
593
605
  if (skipCompletionReadiness) {
594
606
  checks.push({
595
607
  id: 'validate-15',
@@ -983,6 +995,114 @@ checks.push({
983
995
  : null,
984
996
  stderr: commandSemantics.stderr,
985
997
  })
998
+ const continuePreflight = run(process.execPath, [path.join(root, 'scripts', 'audit-continue-preflight.mjs'), '--root', root, '--json'])
999
+ const continuePreflightData = parseJson(continuePreflight.stdout)
1000
+ checks.push({
1001
+ id: 'validate-22a',
1002
+ label: '/gse continue hard preflight audit',
1003
+ status: continuePreflight.status === 0 ? 'passed' : 'failed',
1004
+ command: continuePreflight.command,
1005
+ summary: continuePreflightData
1006
+ ? { status: continuePreflightData.summary?.status, checks: continuePreflightData.summary ? continuePreflightData.summary.passed + '/' + continuePreflightData.summary.total : null, continueHardPreflight: continuePreflightData.workflows?.continueHardPreflight, stateCompaction: continuePreflightData.workflows?.stateCompaction }
1007
+ : null,
1008
+ stderr: continuePreflight.stderr,
1009
+ })
1010
+ const completionPlanDrill = run(process.execPath, [path.join(root, 'scripts', 'audit-completion-plan-drill.mjs'), '--root', root, '--json'])
1011
+ const completionPlanDrillData = parseJson(completionPlanDrill.stdout)
1012
+ checks.push({
1013
+ id: 'validate-22a1',
1014
+ label: '/gse continue completion plan drill audit',
1015
+ status: completionPlanDrill.status === 0 ? 'passed' : 'failed',
1016
+ command: completionPlanDrill.command,
1017
+ summary: completionPlanDrillData
1018
+ ? { status: completionPlanDrillData.summary?.status, checks: completionPlanDrillData.summary ? completionPlanDrillData.summary.passed + '/' + completionPlanDrillData.summary.total : null, completionPlanDrill: completionPlanDrillData.workflows?.completionPlanDrill, cleanWorktreeFalsePositiveGuard: completionPlanDrillData.workflows?.cleanWorktreeFalsePositiveGuard }
1019
+ : null,
1020
+ stderr: completionPlanDrill.stderr,
1021
+ })
1022
+ const projectGuards = run(process.execPath, [path.join(root, 'scripts', 'audit-project-guards.mjs'), '--root', root, '--json'])
1023
+ const projectGuardsData = parseJson(projectGuards.stdout)
1024
+ checks.push({
1025
+ id: 'validate-22a2',
1026
+ label: 'project guard preflight audit',
1027
+ status: projectGuards.status === 0 ? 'passed' : 'failed',
1028
+ command: projectGuards.command,
1029
+ summary: projectGuardsData
1030
+ ? { status: projectGuardsData.summary?.status, checks: projectGuardsData.summary ? projectGuardsData.summary.passed + '/' + projectGuardsData.summary.total : null, projectGuards: projectGuardsData.workflows?.projectGuards, initProjectGuardScaffold: projectGuardsData.workflows?.initProjectGuardScaffold }
1031
+ : null,
1032
+ stderr: projectGuards.stderr,
1033
+ })
1034
+ const evidenceLevels = run(process.execPath, [path.join(root, 'scripts', 'audit-evidence-levels.mjs'), '--root', root, '--target', root, '--json'])
1035
+ const evidenceLevelsData = parseJson(evidenceLevels.stdout)
1036
+ checks.push({
1037
+ id: 'validate-22a3',
1038
+ label: 'explicit evidence level taxonomy audit',
1039
+ status: evidenceLevels.status === 0 ? 'passed' : 'failed',
1040
+ command: evidenceLevels.command,
1041
+ summary: evidenceLevelsData
1042
+ ? { status: evidenceLevelsData.summary?.status, checks: evidenceLevelsData.summary ? evidenceLevelsData.summary.passed + '/' + evidenceLevelsData.summary.total : null, evidenceLevels: evidenceLevelsData.workflows?.evidenceLevels, downgraded: evidenceLevelsData.workflows?.downgraded, missingLevel: evidenceLevelsData.workflows?.missingLevel }
1043
+ : null,
1044
+ stderr: evidenceLevels.stderr,
1045
+ })
1046
+ const evidenceReviewQueue = run(process.execPath, [path.join(root, 'scripts', 'audit-evidence-review-queue.mjs'), '--root', root, '--target', root, '--json'])
1047
+ const evidenceReviewQueueData = parseJson(evidenceReviewQueue.stdout)
1048
+ checks.push({
1049
+ id: 'validate-22a3a',
1050
+ label: 'historical evidence review queue audit',
1051
+ status: evidenceReviewQueue.status === 0 ? 'passed' : 'failed',
1052
+ command: evidenceReviewQueue.command,
1053
+ summary: evidenceReviewQueueData
1054
+ ? { status: evidenceReviewQueueData.summary?.status, checks: evidenceReviewQueueData.summary ? evidenceReviewQueueData.summary.passed + '/' + evidenceReviewQueueData.summary.total : null, evidenceReviewQueue: evidenceReviewQueueData.workflows?.evidenceReviewQueue, needsReview: evidenceReviewQueueData.reviewQueue?.needsReview, eligibleForStrongerReview: evidenceReviewQueueData.reviewQueue?.eligibleForStrongerReview }
1055
+ : null,
1056
+ stderr: evidenceReviewQueue.stderr,
1057
+ })
1058
+ const uiBrowserEvidencePolicy = run(process.execPath, [path.join(root, 'scripts', 'audit-ui-browser-evidence-policy.mjs'), '--root', root, '--target', root, '--json'])
1059
+ const uiBrowserEvidencePolicyData = parseJson(uiBrowserEvidencePolicy.stdout)
1060
+ checks.push({
1061
+ id: 'validate-22a3b',
1062
+ label: 'UI/browser evidence policy audit',
1063
+ status: uiBrowserEvidencePolicy.status === 0 ? 'passed' : 'failed',
1064
+ command: uiBrowserEvidencePolicy.command,
1065
+ summary: uiBrowserEvidencePolicyData
1066
+ ? { status: uiBrowserEvidencePolicyData.summary?.status, checks: uiBrowserEvidencePolicyData.summary ? uiBrowserEvidencePolicyData.summary.passed + '/' + uiBrowserEvidencePolicyData.summary.total : null, uiBrowserEvidencePolicy: uiBrowserEvidencePolicyData.workflows?.uiBrowserEvidencePolicy, targetDowngrades: uiBrowserEvidencePolicyData.workflows?.targetDowngrades }
1067
+ : null,
1068
+ stderr: uiBrowserEvidencePolicy.stderr,
1069
+ })
1070
+ const roleDispatchFallback = run(process.execPath, [path.join(root, 'scripts', 'audit-role-dispatch-fallback.mjs'), '--root', root, '--target', root, '--json'])
1071
+ const roleDispatchFallbackData = parseJson(roleDispatchFallback.stdout)
1072
+ checks.push({
1073
+ id: 'validate-22a4',
1074
+ label: 'role dispatch fallback packet audit',
1075
+ status: roleDispatchFallback.status === 0 ? 'passed' : 'failed',
1076
+ command: roleDispatchFallback.command,
1077
+ summary: roleDispatchFallbackData
1078
+ ? { status: roleDispatchFallbackData.summary?.status, checks: roleDispatchFallbackData.summary ? roleDispatchFallbackData.summary.passed + '/' + roleDispatchFallbackData.summary.total : null, roleDispatchFallback: roleDispatchFallbackData.workflows?.roleDispatchFallback, packets: roleDispatchFallbackData.workflows?.packets, sequentialFallbackRoles: roleDispatchFallbackData.workflows?.sequentialFallbackRoles }
1079
+ : null,
1080
+ stderr: roleDispatchFallback.stderr,
1081
+ })
1082
+ const closeGateHardening = run(process.execPath, [path.join(root, 'scripts', 'audit-close-gate-hardening.mjs'), '--root', root, '--json'])
1083
+ const closeGateHardeningData = parseJson(closeGateHardening.stdout)
1084
+ checks.push({
1085
+ id: 'validate-22a6',
1086
+ label: 'close gate fake-dispatch and file-ownership hardening audit',
1087
+ status: closeGateHardening.status === 0 ? 'passed' : 'failed',
1088
+ command: closeGateHardening.command,
1089
+ summary: closeGateHardeningData
1090
+ ? { status: closeGateHardeningData.summary?.status, checks: closeGateHardeningData.summary ? closeGateHardeningData.summary.passed + '/' + closeGateHardeningData.summary.total : null, fakeDispatchCloseGate: closeGateHardeningData.workflows?.fakeDispatchCloseGate, fileOwnershipCloseGate: closeGateHardeningData.workflows?.fileOwnershipCloseGate }
1091
+ : null,
1092
+ stderr: closeGateHardening.stderr,
1093
+ })
1094
+ const stateRepair = run(process.execPath, [path.join(root, 'scripts', 'audit-state-repair.mjs'), '--root', root, '--target', root, '--json'])
1095
+ const stateRepairData = parseJson(stateRepair.stdout)
1096
+ checks.push({
1097
+ id: 'validate-22a5',
1098
+ label: 'state and evidence repair path audit',
1099
+ status: stateRepair.status === 0 ? 'passed' : 'failed',
1100
+ command: stateRepair.command,
1101
+ summary: stateRepairData
1102
+ ? { status: stateRepairData.summary?.status, actions: stateRepairData.summary?.actions, hard: stateRepairData.summary?.hard, warnings: stateRepairData.summary?.warnings, writes: stateRepairData.summary?.writes }
1103
+ : null,
1104
+ stderr: stateRepair.stderr,
1105
+ })
986
1106
  const learningSystem = run(process.execPath, [path.join(root, 'scripts', 'audit-learning-system.mjs'), '--root', root, '--json'])
987
1107
  const learningSystemData = parseJson(learningSystem.stdout)
988
1108
  checks.push({
@@ -995,6 +1115,102 @@ checks.push({
995
1115
  : null,
996
1116
  stderr: learningSystem.stderr,
997
1117
  })
1118
+ const learningPromotion = run(process.execPath, [path.join(root, 'scripts', 'audit-learning-promotion.mjs'), '--root', root, '--target', root, '--json'])
1119
+ const learningPromotionData = parseJson(learningPromotion.stdout)
1120
+ checks.push({
1121
+ id: 'validate-22c',
1122
+ label: 'learning promotion automation audit',
1123
+ status: learningPromotion.status === 0 ? 'passed' : 'failed',
1124
+ command: learningPromotion.command,
1125
+ summary: learningPromotionData
1126
+ ? { status: learningPromotionData.summary?.status, checks: learningPromotionData.summary ? learningPromotionData.summary.passed + '/' + learningPromotionData.summary.total : null, promoted: learningPromotionData.summary?.promoted, guardCandidates: learningPromotionData.summary?.guardCandidates }
1127
+ : null,
1128
+ stderr: learningPromotion.stderr,
1129
+ })
1130
+ const learningDrift = run(process.execPath, [path.join(root, 'scripts', 'audit-learning-drift.mjs'), '--root', root, '--target', root, '--json'])
1131
+ const learningDriftData = parseJson(learningDrift.stdout)
1132
+ checks.push({
1133
+ id: 'validate-22c2',
1134
+ label: 'learning promotion drift audit',
1135
+ status: learningDrift.status === 0 ? 'passed' : 'failed',
1136
+ command: learningDrift.command,
1137
+ summary: learningDriftData
1138
+ ? { status: learningDriftData.summary?.status, checks: learningDriftData.summary ? learningDriftData.summary.passed + '/' + learningDriftData.summary.total : null, candidates: learningDriftData.summary?.candidates, enforced: learningDriftData.summary?.enforced, highUnenforced: learningDriftData.summary?.highUnenforced }
1139
+ : null,
1140
+ stderr: learningDrift.stderr,
1141
+ })
1142
+ const hostCapabilities = run(process.execPath, [path.join(root, 'scripts', 'audit-host-capabilities.mjs'), '--root', root, '--target', root, '--json'])
1143
+ const hostCapabilitiesData = parseJson(hostCapabilities.stdout)
1144
+ checks.push({
1145
+ id: 'validate-22d',
1146
+ label: 'host capability record audit',
1147
+ status: hostCapabilities.status === 0 ? 'passed' : 'failed',
1148
+ command: hostCapabilities.command,
1149
+ summary: hostCapabilitiesData
1150
+ ? { status: hostCapabilitiesData.summary?.status, checks: hostCapabilitiesData.summary ? hostCapabilitiesData.summary.passed + '/' + hostCapabilitiesData.summary.total : null, hostCapabilityRecords: hostCapabilitiesData.workflows?.hostCapabilityRecords, nativeSlashCommandBoundary: hostCapabilitiesData.workflows?.nativeSlashCommandBoundary }
1151
+ : null,
1152
+ stderr: hostCapabilities.stderr,
1153
+ })
1154
+ const toolFallbackPolicy = run(process.execPath, [path.join(root, 'scripts', 'audit-tool-fallback-policy.mjs'), '--root', root, '--target', root, '--json'])
1155
+ const toolFallbackPolicyData = parseJson(toolFallbackPolicy.stdout)
1156
+ checks.push({
1157
+ id: 'validate-22d2',
1158
+ label: 'optional tool fallback policy audit',
1159
+ status: toolFallbackPolicy.status === 0 ? 'passed' : 'failed',
1160
+ command: toolFallbackPolicy.command,
1161
+ summary: toolFallbackPolicyData
1162
+ ? { status: toolFallbackPolicyData.summary?.status, checks: toolFallbackPolicyData.summary ? toolFallbackPolicyData.summary.passed + '/' + toolFallbackPolicyData.summary.total : null, optionalToolFallbackPolicy: toolFallbackPolicyData.workflows?.optionalToolFallbackPolicy }
1163
+ : null,
1164
+ stderr: toolFallbackPolicy.stderr,
1165
+ })
1166
+ const targetHardeningDrills = run(process.execPath, [path.join(root, 'scripts', 'audit-target-hardening-drills.mjs'), '--root', root, '--json'])
1167
+ const targetHardeningDrillsData = parseJson(targetHardeningDrills.stdout)
1168
+ checks.push({
1169
+ id: 'validate-22e',
1170
+ label: 'target project hardening drill audit',
1171
+ status: targetHardeningDrills.status === 0 ? 'passed' : 'failed',
1172
+ command: targetHardeningDrills.command,
1173
+ summary: targetHardeningDrillsData
1174
+ ? { status: targetHardeningDrillsData.summary?.status, checks: targetHardeningDrillsData.summary ? targetHardeningDrillsData.summary.passed + '/' + targetHardeningDrillsData.summary.total : null, mode: targetHardeningDrillsData.summary?.mode, targetHardeningDrills: targetHardeningDrillsData.workflows?.targetHardeningDrills }
1175
+ : null,
1176
+ stderr: targetHardeningDrills.stderr,
1177
+ })
1178
+ const maintenanceCadence = run(process.execPath, [path.join(root, 'scripts', 'audit-maintenance-cadence.mjs'), '--root', root, '--json'])
1179
+ const maintenanceCadenceData = parseJson(maintenanceCadence.stdout)
1180
+ checks.push({
1181
+ id: 'validate-22f',
1182
+ label: 'maintenance cadence audit',
1183
+ status: maintenanceCadence.status === 0 ? 'passed' : 'failed',
1184
+ command: maintenanceCadence.command,
1185
+ summary: maintenanceCadenceData
1186
+ ? { status: maintenanceCadenceData.summary?.status, checks: maintenanceCadenceData.summary ? maintenanceCadenceData.summary.passed + '/' + maintenanceCadenceData.summary.total : null, maintenanceCadence: maintenanceCadenceData.workflows?.maintenanceCadence }
1187
+ : null,
1188
+ stderr: maintenanceCadence.stderr,
1189
+ })
1190
+ const maintenanceSnapshot = run(process.execPath, [path.join(root, 'scripts', 'audit-maintenance-snapshot.mjs'), '--root', root, '--json'])
1191
+ const maintenanceSnapshotData = parseJson(maintenanceSnapshot.stdout)
1192
+ checks.push({
1193
+ id: 'validate-22f2',
1194
+ label: 'maintenance snapshot audit',
1195
+ status: maintenanceSnapshot.status === 0 ? 'passed' : 'failed',
1196
+ command: maintenanceSnapshot.command,
1197
+ summary: maintenanceSnapshotData
1198
+ ? { status: maintenanceSnapshotData.summary?.status, checks: maintenanceSnapshotData.summary ? maintenanceSnapshotData.summary.passed + '/' + maintenanceSnapshotData.summary.total : null, maintenanceSnapshot: maintenanceSnapshotData.workflows?.maintenanceSnapshot }
1199
+ : null,
1200
+ stderr: maintenanceSnapshot.stderr,
1201
+ })
1202
+ const installedSync = run(process.execPath, [path.join(root, 'scripts', 'audit-installed-sync.mjs'), '--root', root, '--json'])
1203
+ const installedSyncData = parseJson(installedSync.stdout)
1204
+ checks.push({
1205
+ id: 'validate-22g',
1206
+ label: 'installed sync freshness audit',
1207
+ status: installedSync.status === 0 ? 'passed' : 'failed',
1208
+ command: installedSync.command,
1209
+ summary: installedSyncData
1210
+ ? { status: installedSyncData.summary?.status, checks: installedSyncData.summary ? installedSyncData.summary.passed + '/' + installedSyncData.summary.total : null, freshPackage: installedSyncData.workflows?.freshPackage, installedSync: installedSyncData.workflows?.installedSync }
1211
+ : null,
1212
+ stderr: installedSync.stderr,
1213
+ })
998
1214
  const readmeDocs = run(process.execPath, [path.join(root, 'scripts', 'audit-readme-docs.mjs'), '--root', root, '--json'])
999
1215
  const readmeDocsData = parseJson(readmeDocs.stdout)
1000
1216
  checks.push({
@@ -1,85 +1,85 @@
1
- #!/usr/bin/env node
2
- import fs from 'node:fs'
3
- import path from 'node:path'
4
- import crypto from 'node:crypto'
5
-
6
- const args = process.argv.slice(2)
7
-
8
- function readArg(name, fallback = null) {
9
- const index = args.indexOf(name)
10
- if (index === -1) return fallback
11
- return args[index + 1] ?? fallback
12
- }
13
-
14
- const packageDir = path.resolve(readArg('--package', process.cwd()))
15
- const publicKeyPath = path.resolve(readArg('--public-key', path.join(packageDir, 'gse-signing-public.pem')))
16
- const signaturePath = path.resolve(readArg('--signature', path.join(packageDir, 'gse-package-signature.json')))
17
- const jsonOnly = args.includes('--json')
18
-
19
- function sha256(filePath) {
20
- return crypto.createHash('sha256').update(fs.readFileSync(filePath)).digest('hex')
21
- }
22
-
23
- function fingerprint(pem) {
24
- return crypto.createHash('sha256').update(pem).digest('hex')
25
- }
26
-
27
- function check(id, label, ok, evidence, risk = '') {
28
- return { id, label, status: ok ? 'passed' : 'failed', evidence, risk }
29
- }
30
-
31
- function readJson(filePath) {
32
- if (!fs.existsSync(filePath)) return null
33
- return JSON.parse(fs.readFileSync(filePath, 'utf8').replace(/^\uFEFF/, ''))
34
- }
35
-
36
- const manifestPath = path.join(packageDir, 'gse-package-manifest.json')
37
- const manifest = readJson(manifestPath)
38
- const signatureRecord = readJson(signaturePath)
39
- const publicKeyPem = fs.existsSync(publicKeyPath) ? fs.readFileSync(publicKeyPath, 'utf8') : ''
40
-
41
- const files = manifest?.files ?? []
42
- const hashMismatches = []
43
- for (const relativePath of files) {
44
- const fullPath = path.join(packageDir, relativePath)
45
- const expected = manifest?.fileHashes?.[relativePath]
46
- const actual = fs.existsSync(fullPath) ? sha256(fullPath) : null
47
- if (!expected || actual !== expected) hashMismatches.push({ relativePath, expected, actual })
48
- }
49
- const recomputedDigest = manifest
50
- ? crypto.createHash('sha256').update(JSON.stringify({ files: manifest.files, fileHashes: manifest.fileHashes })).digest('hex')
51
- : null
52
- const payloadText = signatureRecord?.payload ? JSON.stringify(signatureRecord.payload) : ''
53
- let signatureOk = false
54
- try {
55
- signatureOk = Boolean(publicKeyPem && signatureRecord?.signature && crypto.verify(null, Buffer.from(payloadText), publicKeyPem, Buffer.from(signatureRecord.signature, 'base64')))
56
- } catch {
57
- signatureOk = false
58
- }
59
-
60
- const checks = [
61
- check('SIG01', 'manifest exists', Boolean(manifest), manifestPath),
62
- check('SIG02', 'signature record exists', Boolean(signatureRecord), signaturePath),
63
- check('SIG03', 'public key exists', Boolean(publicKeyPem), publicKeyPath),
64
- check('SIG04', 'all file hashes match manifest', hashMismatches.length === 0, hashMismatches.length ? JSON.stringify(hashMismatches.slice(0, 5)) : 'all files'),
65
- check('SIG05', 'manifest package digest matches file hash table', Boolean(manifest?.integrity?.packageDigest && recomputedDigest === manifest.integrity.packageDigest), 'integrity.packageDigest'),
66
- check('SIG06', 'signature payload matches manifest digest', Boolean(signatureRecord?.payload?.packageDigest && signatureRecord.payload.packageDigest === manifest?.integrity?.packageDigest), 'signature payload packageDigest'),
67
- check('SIG07', 'signature verifies with public key', signatureOk, 'ed25519 signature'),
68
- check('SIG08', 'public key fingerprint matches signature record', Boolean(publicKeyPem && signatureRecord?.publicKeyFingerprint === fingerprint(publicKeyPem)), 'public key fingerprint'),
69
- ]
70
-
71
- const passed = checks.filter((item) => item.status === 'passed').length
72
- const failed = checks.length - passed
73
- const report = {
74
- packageDir,
75
- generatedAt: new Date().toISOString(),
76
- summary: { status: failed === 0 ? 'passed' : 'failed', passed, failed, total: checks.length },
77
- workflows: { packageSignature: failed === 0 ? 'verified' : 'failed' },
78
- checks,
79
- }
80
-
81
- if (jsonOnly) console.log(JSON.stringify(report, null, 2))
82
- else console.log(JSON.stringify(report, null, 2))
83
-
84
- if (failed > 0) process.exit(1)
85
-
1
+ #!/usr/bin/env node
2
+ import fs from 'node:fs'
3
+ import path from 'node:path'
4
+ import crypto from 'node:crypto'
5
+
6
+ const args = process.argv.slice(2)
7
+
8
+ function readArg(name, fallback = null) {
9
+ const index = args.indexOf(name)
10
+ if (index === -1) return fallback
11
+ return args[index + 1] ?? fallback
12
+ }
13
+
14
+ const packageDir = path.resolve(readArg('--package', process.cwd()))
15
+ const publicKeyPath = path.resolve(readArg('--public-key', path.join(packageDir, 'gse-signing-public.pem')))
16
+ const signaturePath = path.resolve(readArg('--signature', path.join(packageDir, 'gse-package-signature.json')))
17
+ const jsonOnly = args.includes('--json')
18
+
19
+ function sha256(filePath) {
20
+ return crypto.createHash('sha256').update(fs.readFileSync(filePath)).digest('hex')
21
+ }
22
+
23
+ function fingerprint(pem) {
24
+ return crypto.createHash('sha256').update(pem).digest('hex')
25
+ }
26
+
27
+ function check(id, label, ok, evidence, risk = '') {
28
+ return { id, label, status: ok ? 'passed' : 'failed', evidence, risk }
29
+ }
30
+
31
+ function readJson(filePath) {
32
+ if (!fs.existsSync(filePath)) return null
33
+ return JSON.parse(fs.readFileSync(filePath, 'utf8').replace(/^\uFEFF/, ''))
34
+ }
35
+
36
+ const manifestPath = path.join(packageDir, 'gse-package-manifest.json')
37
+ const manifest = readJson(manifestPath)
38
+ const signatureRecord = readJson(signaturePath)
39
+ const publicKeyPem = fs.existsSync(publicKeyPath) ? fs.readFileSync(publicKeyPath, 'utf8') : ''
40
+
41
+ const files = manifest?.files ?? []
42
+ const hashMismatches = []
43
+ for (const relativePath of files) {
44
+ const fullPath = path.join(packageDir, relativePath)
45
+ const expected = manifest?.fileHashes?.[relativePath]
46
+ const actual = fs.existsSync(fullPath) ? sha256(fullPath) : null
47
+ if (!expected || actual !== expected) hashMismatches.push({ relativePath, expected, actual })
48
+ }
49
+ const recomputedDigest = manifest
50
+ ? crypto.createHash('sha256').update(JSON.stringify({ files: manifest.files, fileHashes: manifest.fileHashes })).digest('hex')
51
+ : null
52
+ const payloadText = signatureRecord?.payload ? JSON.stringify(signatureRecord.payload) : ''
53
+ let signatureOk = false
54
+ try {
55
+ signatureOk = Boolean(publicKeyPem && signatureRecord?.signature && crypto.verify(null, Buffer.from(payloadText), publicKeyPem, Buffer.from(signatureRecord.signature, 'base64')))
56
+ } catch {
57
+ signatureOk = false
58
+ }
59
+
60
+ const checks = [
61
+ check('SIG01', 'manifest exists', Boolean(manifest), manifestPath),
62
+ check('SIG02', 'signature record exists', Boolean(signatureRecord), signaturePath),
63
+ check('SIG03', 'public key exists', Boolean(publicKeyPem), publicKeyPath),
64
+ check('SIG04', 'all file hashes match manifest', hashMismatches.length === 0, hashMismatches.length ? JSON.stringify(hashMismatches.slice(0, 5)) : 'all files'),
65
+ check('SIG05', 'manifest package digest matches file hash table', Boolean(manifest?.integrity?.packageDigest && recomputedDigest === manifest.integrity.packageDigest), 'integrity.packageDigest'),
66
+ check('SIG06', 'signature payload matches manifest digest', Boolean(signatureRecord?.payload?.packageDigest && signatureRecord.payload.packageDigest === manifest?.integrity?.packageDigest), 'signature payload packageDigest'),
67
+ check('SIG07', 'signature verifies with public key', signatureOk, 'ed25519 signature'),
68
+ check('SIG08', 'public key fingerprint matches signature record', Boolean(publicKeyPem && signatureRecord?.publicKeyFingerprint === fingerprint(publicKeyPem)), 'public key fingerprint'),
69
+ ]
70
+
71
+ const passed = checks.filter((item) => item.status === 'passed').length
72
+ const failed = checks.length - passed
73
+ const report = {
74
+ packageDir,
75
+ generatedAt: new Date().toISOString(),
76
+ summary: { status: failed === 0 ? 'passed' : 'failed', passed, failed, total: checks.length },
77
+ workflows: { packageSignature: failed === 0 ? 'verified' : 'failed' },
78
+ checks,
79
+ }
80
+
81
+ if (jsonOnly) console.log(JSON.stringify(report, null, 2))
82
+ else console.log(JSON.stringify(report, null, 2))
83
+
84
+ if (failed > 0) process.exit(1)
85
+