@t275005746/gse 0.1.0 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -42
- package/.github/ISSUE_TEMPLATE/change_request.yml +50 -50
- package/.github/ISSUE_TEMPLATE/config.yml +5 -5
- package/.github/PULL_REQUEST_TEMPLATE.md +38 -38
- package/.github/workflows/validate-gse.yml +33 -33
- package/.gse/README.md +18 -18
- package/.gse/gse-development-protocol.md +50 -50
- package/.gse/project-profile.md +29 -29
- package/.gse/quality-gates.md +25 -25
- package/.gse/releases/public-registry-publication-npm.md +49 -0
- package/.gse/releases/public-release-owner-required.md +65 -65
- package/.gse/releases/public-security-contact-owner-required.md +45 -45
- package/.gse/state.json +147 -27
- package/CHANGELOG.md +31 -15
- package/CONTRIBUTING.md +64 -64
- package/LICENSE +21 -21
- package/README.md +14 -7
- package/README.zh-CN.md +14 -7
- package/SECURITY.md +41 -41
- package/SKILL.md +32 -12
- package/SUPPORT.md +38 -38
- package/assets/marketplace/README.md +7 -7
- package/assets/marketplace/gse-listing.json +75 -75
- package/assets/templates/acceptance-execution-packet.md +73 -73
- package/assets/templates/adr.md +14 -14
- package/assets/templates/change-brief.md +16 -16
- package/assets/templates/design.md +18 -18
- package/assets/templates/dispatch-packet.md +100 -92
- package/assets/templates/evidence.md +15 -9
- package/assets/templates/execution-quality-pack.md +65 -65
- package/assets/templates/goal-map.md +21 -21
- package/assets/templates/host-adapter.md +48 -48
- package/assets/templates/host-ui-invocation-record.md +42 -42
- package/assets/templates/incident-review.md +60 -60
- package/assets/templates/public-channel-publication-record.md +49 -49
- package/assets/templates/public-ci-run-record.md +53 -53
- package/assets/templates/public-release-record.md +65 -65
- package/assets/templates/public-repository-settings-record.md +59 -59
- package/assets/templates/public-security-contact-record.md +45 -45
- package/assets/templates/release-trust-record.md +32 -32
- package/assets/templates/review.md +18 -18
- package/assets/templates/role-fallback-packet.md +49 -0
- package/assets/templates/spec.md +16 -16
- package/assets/templates/target-adoption-evidence.md +29 -29
- package/assets/templates/tasks.md +17 -17
- package/assets/templates/update-release-acceptance-record.md +58 -58
- package/examples/README.md +22 -22
- package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -6
- package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -7
- package/examples/agent-runtime-host/.gse/goal-map.md +7 -7
- package/examples/agent-runtime-host/.gse/project-profile.md +27 -27
- package/examples/agent-runtime-host/.gse/tooling.md +5 -5
- package/examples/agent-runtime-host/.mcp.json +9 -9
- package/examples/agent-runtime-host/AGENTS.md +5 -5
- package/examples/agent-runtime-host/README.md +10 -10
- package/examples/agent-runtime-host/docs/model-routing.md +5 -5
- package/examples/cli-tool/.gse/project-profile.md +21 -21
- package/examples/cli-tool/AGENTS.md +5 -5
- package/examples/cli-tool/README.md +12 -12
- package/examples/cli-tool/package.json +21 -21
- package/examples/small-app/.env.example +2 -2
- package/examples/small-app/.github/workflows/ci.yml +8 -8
- package/examples/small-app/AGENTS.md +5 -5
- package/examples/small-app/README.md +12 -12
- package/examples/small-app/package.json +26 -26
- package/examples/small-app/playwright.config.ts +4 -4
- package/package.json +52 -44
- package/references/adoption-recipes.md +171 -171
- package/references/agent-roles.md +42 -21
- package/references/architecture-health.md +101 -101
- package/references/benchmark-audit.md +73 -73
- package/references/commands.md +74 -45
- package/references/community-channels.md +46 -46
- package/references/compatibility.md +70 -70
- package/references/design-basis.md +38 -38
- package/references/domain-model.md +129 -129
- package/references/domain-quality-gates.md +75 -75
- package/references/drift-audit.md +81 -80
- package/references/evidence-taxonomy.md +145 -108
- package/references/file-ownership.md +97 -93
- package/references/final-form-roadmap.md +201 -0
- package/references/final-readiness.md +84 -84
- package/references/forward-test.md +133 -133
- package/references/goal-map.md +36 -36
- package/references/host-adapters.md +129 -101
- package/references/learning-system.md +42 -26
- package/references/maintenance-cadence.md +51 -0
- package/references/marketplace-discovery.md +46 -46
- package/references/model-routing.md +103 -103
- package/references/open-source-defaults.md +39 -39
- package/references/operating-model.md +52 -52
- package/references/packaging.md +277 -277
- package/references/project-agent-workspace.md +89 -89
- package/references/project-bootstrap.md +122 -122
- package/references/project-guards.md +52 -0
- package/references/project-profile.md +57 -57
- package/references/public-release.md +174 -174
- package/references/quality-gates.md +96 -89
- package/references/recovery.md +176 -176
- package/references/release-trust.md +43 -43
- package/references/release.md +126 -126
- package/references/review.md +141 -141
- package/references/role-dispatch-fallback.md +54 -0
- package/references/router.md +90 -90
- package/references/spec-workflow.md +66 -66
- package/references/task-levels.md +81 -81
- package/references/tool-adapters.md +80 -70
- package/scripts/audit-acceptance-execution-packet.mjs +133 -133
- package/scripts/audit-adoption-recipes.mjs +99 -99
- package/scripts/audit-change-lifecycle.mjs +77 -77
- package/scripts/audit-change-system.mjs +134 -134
- package/scripts/audit-ci-readiness.mjs +107 -107
- package/scripts/audit-close-gate-hardening.mjs +188 -0
- package/scripts/audit-close-gate.mjs +448 -262
- package/scripts/audit-command-adapters.mjs +91 -91
- package/scripts/audit-command-execution.mjs +212 -199
- package/scripts/audit-commands.mjs +7 -5
- package/scripts/audit-compatibility.mjs +149 -149
- package/scripts/audit-completion-plan-drill.mjs +230 -0
- package/scripts/audit-completion-readiness.mjs +290 -287
- package/scripts/audit-continue-preflight.mjs +234 -0
- package/scripts/audit-distribution.mjs +251 -251
- package/scripts/audit-domain-quality-gates.mjs +108 -108
- package/scripts/audit-evidence-levels.mjs +217 -0
- package/scripts/audit-evidence-placeholders.mjs +126 -126
- package/scripts/audit-evidence-review-queue.mjs +206 -0
- package/scripts/audit-final-acceptance-packet.mjs +9 -9
- package/scripts/audit-final-form-progress-report.mjs +19 -18
- package/scripts/audit-final-form-roadmap.mjs +157 -0
- package/scripts/audit-final-form-stale-copy.mjs +2 -2
- package/scripts/audit-final-readiness-promotion.mjs +255 -255
- package/scripts/audit-final-readiness.mjs +226 -226
- package/scripts/audit-fixtures.mjs +154 -154
- package/scripts/audit-fresh-session-readiness.mjs +177 -177
- package/scripts/audit-host-capabilities.mjs +237 -0
- package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -159
- package/scripts/audit-host-runtime-invocation-drill.mjs +240 -240
- package/scripts/audit-host-runtime-invocations.mjs +254 -254
- package/scripts/audit-host-ui-invocation.mjs +132 -132
- package/scripts/audit-installed-sync.mjs +203 -0
- package/scripts/audit-learning-drift.mjs +292 -0
- package/scripts/audit-learning-promotion.mjs +351 -0
- package/scripts/audit-learning-system.mjs +24 -14
- package/scripts/audit-local-final-form-completion.mjs +11 -10
- package/scripts/audit-maintenance-cadence.mjs +139 -0
- package/scripts/audit-maintenance-snapshot.mjs +181 -0
- package/scripts/audit-marketplace-discovery.mjs +122 -122
- package/scripts/audit-npm-package-metadata.mjs +160 -154
- package/scripts/audit-npm-publish-dry-run.mjs +194 -166
- package/scripts/audit-npm-tarball-install.mjs +195 -189
- package/scripts/audit-open-source-defaults.mjs +92 -92
- package/scripts/audit-open-source-readiness.mjs +97 -97
- package/scripts/audit-owner-external-gate-kit.mjs +12 -11
- package/scripts/audit-project-guards.mjs +189 -0
- package/scripts/audit-project.mjs +144 -141
- package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -203
- package/scripts/audit-public-acceptance-handoff.mjs +10 -10
- package/scripts/audit-public-acceptance-readiness.mjs +222 -222
- package/scripts/audit-public-channel-publication.mjs +248 -248
- package/scripts/audit-public-ci-run.mjs +184 -184
- package/scripts/audit-public-collaboration-templates.mjs +98 -98
- package/scripts/audit-public-external-gate-probe.mjs +206 -206
- package/scripts/audit-public-release-checklist.mjs +17 -15
- package/scripts/audit-public-release-decision.mjs +201 -201
- package/scripts/audit-public-release-metadata.mjs +176 -176
- package/scripts/audit-public-repository-settings.mjs +237 -237
- package/scripts/audit-public-security-contact.mjs +171 -171
- package/scripts/audit-readme-docs.mjs +6 -4
- package/scripts/audit-recovery-readiness.mjs +98 -98
- package/scripts/audit-release-bundle.mjs +13 -11
- package/scripts/audit-release-owner-action-plan-drill.mjs +5 -4
- package/scripts/audit-release-owner-action-plan.mjs +10 -10
- package/scripts/audit-release-readiness.mjs +106 -106
- package/scripts/audit-release-status-manifest.mjs +4 -4
- package/scripts/audit-release-trust.mjs +62 -62
- package/scripts/audit-remote-distribution.mjs +266 -266
- package/scripts/audit-roadmap-consistency.mjs +234 -230
- package/scripts/audit-role-dispatch-fallback.mjs +212 -0
- package/scripts/audit-session-sync.mjs +127 -0
- package/scripts/audit-signing.mjs +147 -147
- package/scripts/audit-state-freshness.mjs +20 -14
- package/scripts/audit-state-repair.mjs +360 -0
- package/scripts/audit-target-adoption-evidence.mjs +117 -117
- package/scripts/audit-target-hardening-drills.mjs +267 -0
- package/scripts/audit-target-project.mjs +507 -507
- package/scripts/audit-tool-fallback-policy.mjs +180 -0
- package/scripts/audit-ui-browser-evidence-policy.mjs +191 -0
- package/scripts/audit-update-release-acceptance.mjs +136 -136
- package/scripts/audit-v1-target-validation.mjs +269 -269
- package/scripts/audit-validation-profiles.mjs +125 -123
- package/scripts/backfill-evidence-levels.mjs +98 -0
- package/scripts/check-encoding.mjs +72 -0
- package/scripts/close-change.mjs +116 -116
- package/scripts/discover-project-profile.mjs +307 -307
- package/scripts/generate-command-adapter.mjs +231 -231
- package/scripts/generate-continue-packet.mjs +1214 -0
- package/scripts/generate-final-acceptance-packet.mjs +188 -173
- package/scripts/generate-final-form-progress-report.mjs +191 -189
- package/scripts/generate-host-runtime-evidence-handoff.mjs +198 -191
- package/scripts/generate-maintenance-snapshot.mjs +216 -0
- package/scripts/generate-owner-external-gate-kit.mjs +295 -295
- package/scripts/generate-public-acceptance-handoff.mjs +168 -156
- package/scripts/generate-public-release-checklist.mjs +207 -207
- package/scripts/generate-release-bundle.mjs +505 -505
- package/scripts/generate-release-owner-action-plan.mjs +172 -171
- package/scripts/generate-release-status-manifest.mjs +199 -198
- package/scripts/generate-session-prompt.mjs +188 -188
- package/scripts/gse.mjs +67 -67
- package/scripts/init-change.mjs +265 -265
- package/scripts/init-project.mjs +793 -712
- package/scripts/install-gse.mjs +234 -234
- package/scripts/lib/evidence-placeholders.mjs +28 -28
- package/scripts/package-gse.mjs +174 -174
- package/scripts/probe-public-external-gates.mjs +167 -167
- package/scripts/record-host-invocation.mjs +151 -151
- package/scripts/record-learning.mjs +37 -8
- package/scripts/record-public-channel-publication.mjs +178 -178
- package/scripts/record-public-ci-run.mjs +180 -180
- package/scripts/record-public-release.mjs +175 -175
- package/scripts/record-public-repository-settings.mjs +209 -209
- package/scripts/record-public-security-contact.mjs +157 -157
- package/scripts/record-session-sync.mjs +87 -0
- package/scripts/run-gse-command.mjs +79 -47
- package/scripts/run-validation-profile.mjs +24 -5
- package/scripts/sign-gse-package.mjs +83 -83
- package/scripts/update-project-state.mjs +223 -223
- package/scripts/validate-gse.mjs +216 -0
- package/scripts/verify-gse-package.mjs +85 -85
package/scripts/validate-gse.mjs
CHANGED
|
@@ -590,6 +590,18 @@ checks.push({
|
|
|
590
590
|
: null,
|
|
591
591
|
stderr: roadmapConsistency.stderr,
|
|
592
592
|
})
|
|
593
|
+
const finalFormRoadmap = run(process.execPath, [path.join(root, 'scripts', 'audit-final-form-roadmap.mjs'), '--root', root, '--json'])
|
|
594
|
+
const finalFormRoadmapData = parseJson(finalFormRoadmap.stdout)
|
|
595
|
+
checks.push({
|
|
596
|
+
id: 'validate-14b',
|
|
597
|
+
label: 'final-form roadmap contract audit',
|
|
598
|
+
status: finalFormRoadmap.status === 0 ? 'passed' : 'failed',
|
|
599
|
+
command: finalFormRoadmap.command,
|
|
600
|
+
summary: finalFormRoadmapData
|
|
601
|
+
? { status: finalFormRoadmapData.summary?.status, checks: finalFormRoadmapData.summary ? finalFormRoadmapData.summary.passed + '/' + finalFormRoadmapData.summary.total : null, finalFormRoadmap: finalFormRoadmapData.workflows?.finalFormRoadmap }
|
|
602
|
+
: null,
|
|
603
|
+
stderr: finalFormRoadmap.stderr,
|
|
604
|
+
})
|
|
593
605
|
if (skipCompletionReadiness) {
|
|
594
606
|
checks.push({
|
|
595
607
|
id: 'validate-15',
|
|
@@ -983,6 +995,114 @@ checks.push({
|
|
|
983
995
|
: null,
|
|
984
996
|
stderr: commandSemantics.stderr,
|
|
985
997
|
})
|
|
998
|
+
const continuePreflight = run(process.execPath, [path.join(root, 'scripts', 'audit-continue-preflight.mjs'), '--root', root, '--json'])
|
|
999
|
+
const continuePreflightData = parseJson(continuePreflight.stdout)
|
|
1000
|
+
checks.push({
|
|
1001
|
+
id: 'validate-22a',
|
|
1002
|
+
label: '/gse continue hard preflight audit',
|
|
1003
|
+
status: continuePreflight.status === 0 ? 'passed' : 'failed',
|
|
1004
|
+
command: continuePreflight.command,
|
|
1005
|
+
summary: continuePreflightData
|
|
1006
|
+
? { status: continuePreflightData.summary?.status, checks: continuePreflightData.summary ? continuePreflightData.summary.passed + '/' + continuePreflightData.summary.total : null, continueHardPreflight: continuePreflightData.workflows?.continueHardPreflight, stateCompaction: continuePreflightData.workflows?.stateCompaction }
|
|
1007
|
+
: null,
|
|
1008
|
+
stderr: continuePreflight.stderr,
|
|
1009
|
+
})
|
|
1010
|
+
const completionPlanDrill = run(process.execPath, [path.join(root, 'scripts', 'audit-completion-plan-drill.mjs'), '--root', root, '--json'])
|
|
1011
|
+
const completionPlanDrillData = parseJson(completionPlanDrill.stdout)
|
|
1012
|
+
checks.push({
|
|
1013
|
+
id: 'validate-22a1',
|
|
1014
|
+
label: '/gse continue completion plan drill audit',
|
|
1015
|
+
status: completionPlanDrill.status === 0 ? 'passed' : 'failed',
|
|
1016
|
+
command: completionPlanDrill.command,
|
|
1017
|
+
summary: completionPlanDrillData
|
|
1018
|
+
? { status: completionPlanDrillData.summary?.status, checks: completionPlanDrillData.summary ? completionPlanDrillData.summary.passed + '/' + completionPlanDrillData.summary.total : null, completionPlanDrill: completionPlanDrillData.workflows?.completionPlanDrill, cleanWorktreeFalsePositiveGuard: completionPlanDrillData.workflows?.cleanWorktreeFalsePositiveGuard }
|
|
1019
|
+
: null,
|
|
1020
|
+
stderr: completionPlanDrill.stderr,
|
|
1021
|
+
})
|
|
1022
|
+
const projectGuards = run(process.execPath, [path.join(root, 'scripts', 'audit-project-guards.mjs'), '--root', root, '--json'])
|
|
1023
|
+
const projectGuardsData = parseJson(projectGuards.stdout)
|
|
1024
|
+
checks.push({
|
|
1025
|
+
id: 'validate-22a2',
|
|
1026
|
+
label: 'project guard preflight audit',
|
|
1027
|
+
status: projectGuards.status === 0 ? 'passed' : 'failed',
|
|
1028
|
+
command: projectGuards.command,
|
|
1029
|
+
summary: projectGuardsData
|
|
1030
|
+
? { status: projectGuardsData.summary?.status, checks: projectGuardsData.summary ? projectGuardsData.summary.passed + '/' + projectGuardsData.summary.total : null, projectGuards: projectGuardsData.workflows?.projectGuards, initProjectGuardScaffold: projectGuardsData.workflows?.initProjectGuardScaffold }
|
|
1031
|
+
: null,
|
|
1032
|
+
stderr: projectGuards.stderr,
|
|
1033
|
+
})
|
|
1034
|
+
const evidenceLevels = run(process.execPath, [path.join(root, 'scripts', 'audit-evidence-levels.mjs'), '--root', root, '--target', root, '--json'])
|
|
1035
|
+
const evidenceLevelsData = parseJson(evidenceLevels.stdout)
|
|
1036
|
+
checks.push({
|
|
1037
|
+
id: 'validate-22a3',
|
|
1038
|
+
label: 'explicit evidence level taxonomy audit',
|
|
1039
|
+
status: evidenceLevels.status === 0 ? 'passed' : 'failed',
|
|
1040
|
+
command: evidenceLevels.command,
|
|
1041
|
+
summary: evidenceLevelsData
|
|
1042
|
+
? { status: evidenceLevelsData.summary?.status, checks: evidenceLevelsData.summary ? evidenceLevelsData.summary.passed + '/' + evidenceLevelsData.summary.total : null, evidenceLevels: evidenceLevelsData.workflows?.evidenceLevels, downgraded: evidenceLevelsData.workflows?.downgraded, missingLevel: evidenceLevelsData.workflows?.missingLevel }
|
|
1043
|
+
: null,
|
|
1044
|
+
stderr: evidenceLevels.stderr,
|
|
1045
|
+
})
|
|
1046
|
+
const evidenceReviewQueue = run(process.execPath, [path.join(root, 'scripts', 'audit-evidence-review-queue.mjs'), '--root', root, '--target', root, '--json'])
|
|
1047
|
+
const evidenceReviewQueueData = parseJson(evidenceReviewQueue.stdout)
|
|
1048
|
+
checks.push({
|
|
1049
|
+
id: 'validate-22a3a',
|
|
1050
|
+
label: 'historical evidence review queue audit',
|
|
1051
|
+
status: evidenceReviewQueue.status === 0 ? 'passed' : 'failed',
|
|
1052
|
+
command: evidenceReviewQueue.command,
|
|
1053
|
+
summary: evidenceReviewQueueData
|
|
1054
|
+
? { status: evidenceReviewQueueData.summary?.status, checks: evidenceReviewQueueData.summary ? evidenceReviewQueueData.summary.passed + '/' + evidenceReviewQueueData.summary.total : null, evidenceReviewQueue: evidenceReviewQueueData.workflows?.evidenceReviewQueue, needsReview: evidenceReviewQueueData.reviewQueue?.needsReview, eligibleForStrongerReview: evidenceReviewQueueData.reviewQueue?.eligibleForStrongerReview }
|
|
1055
|
+
: null,
|
|
1056
|
+
stderr: evidenceReviewQueue.stderr,
|
|
1057
|
+
})
|
|
1058
|
+
const uiBrowserEvidencePolicy = run(process.execPath, [path.join(root, 'scripts', 'audit-ui-browser-evidence-policy.mjs'), '--root', root, '--target', root, '--json'])
|
|
1059
|
+
const uiBrowserEvidencePolicyData = parseJson(uiBrowserEvidencePolicy.stdout)
|
|
1060
|
+
checks.push({
|
|
1061
|
+
id: 'validate-22a3b',
|
|
1062
|
+
label: 'UI/browser evidence policy audit',
|
|
1063
|
+
status: uiBrowserEvidencePolicy.status === 0 ? 'passed' : 'failed',
|
|
1064
|
+
command: uiBrowserEvidencePolicy.command,
|
|
1065
|
+
summary: uiBrowserEvidencePolicyData
|
|
1066
|
+
? { status: uiBrowserEvidencePolicyData.summary?.status, checks: uiBrowserEvidencePolicyData.summary ? uiBrowserEvidencePolicyData.summary.passed + '/' + uiBrowserEvidencePolicyData.summary.total : null, uiBrowserEvidencePolicy: uiBrowserEvidencePolicyData.workflows?.uiBrowserEvidencePolicy, targetDowngrades: uiBrowserEvidencePolicyData.workflows?.targetDowngrades }
|
|
1067
|
+
: null,
|
|
1068
|
+
stderr: uiBrowserEvidencePolicy.stderr,
|
|
1069
|
+
})
|
|
1070
|
+
const roleDispatchFallback = run(process.execPath, [path.join(root, 'scripts', 'audit-role-dispatch-fallback.mjs'), '--root', root, '--target', root, '--json'])
|
|
1071
|
+
const roleDispatchFallbackData = parseJson(roleDispatchFallback.stdout)
|
|
1072
|
+
checks.push({
|
|
1073
|
+
id: 'validate-22a4',
|
|
1074
|
+
label: 'role dispatch fallback packet audit',
|
|
1075
|
+
status: roleDispatchFallback.status === 0 ? 'passed' : 'failed',
|
|
1076
|
+
command: roleDispatchFallback.command,
|
|
1077
|
+
summary: roleDispatchFallbackData
|
|
1078
|
+
? { status: roleDispatchFallbackData.summary?.status, checks: roleDispatchFallbackData.summary ? roleDispatchFallbackData.summary.passed + '/' + roleDispatchFallbackData.summary.total : null, roleDispatchFallback: roleDispatchFallbackData.workflows?.roleDispatchFallback, packets: roleDispatchFallbackData.workflows?.packets, sequentialFallbackRoles: roleDispatchFallbackData.workflows?.sequentialFallbackRoles }
|
|
1079
|
+
: null,
|
|
1080
|
+
stderr: roleDispatchFallback.stderr,
|
|
1081
|
+
})
|
|
1082
|
+
const closeGateHardening = run(process.execPath, [path.join(root, 'scripts', 'audit-close-gate-hardening.mjs'), '--root', root, '--json'])
|
|
1083
|
+
const closeGateHardeningData = parseJson(closeGateHardening.stdout)
|
|
1084
|
+
checks.push({
|
|
1085
|
+
id: 'validate-22a6',
|
|
1086
|
+
label: 'close gate fake-dispatch and file-ownership hardening audit',
|
|
1087
|
+
status: closeGateHardening.status === 0 ? 'passed' : 'failed',
|
|
1088
|
+
command: closeGateHardening.command,
|
|
1089
|
+
summary: closeGateHardeningData
|
|
1090
|
+
? { status: closeGateHardeningData.summary?.status, checks: closeGateHardeningData.summary ? closeGateHardeningData.summary.passed + '/' + closeGateHardeningData.summary.total : null, fakeDispatchCloseGate: closeGateHardeningData.workflows?.fakeDispatchCloseGate, fileOwnershipCloseGate: closeGateHardeningData.workflows?.fileOwnershipCloseGate }
|
|
1091
|
+
: null,
|
|
1092
|
+
stderr: closeGateHardening.stderr,
|
|
1093
|
+
})
|
|
1094
|
+
const stateRepair = run(process.execPath, [path.join(root, 'scripts', 'audit-state-repair.mjs'), '--root', root, '--target', root, '--json'])
|
|
1095
|
+
const stateRepairData = parseJson(stateRepair.stdout)
|
|
1096
|
+
checks.push({
|
|
1097
|
+
id: 'validate-22a5',
|
|
1098
|
+
label: 'state and evidence repair path audit',
|
|
1099
|
+
status: stateRepair.status === 0 ? 'passed' : 'failed',
|
|
1100
|
+
command: stateRepair.command,
|
|
1101
|
+
summary: stateRepairData
|
|
1102
|
+
? { status: stateRepairData.summary?.status, actions: stateRepairData.summary?.actions, hard: stateRepairData.summary?.hard, warnings: stateRepairData.summary?.warnings, writes: stateRepairData.summary?.writes }
|
|
1103
|
+
: null,
|
|
1104
|
+
stderr: stateRepair.stderr,
|
|
1105
|
+
})
|
|
986
1106
|
const learningSystem = run(process.execPath, [path.join(root, 'scripts', 'audit-learning-system.mjs'), '--root', root, '--json'])
|
|
987
1107
|
const learningSystemData = parseJson(learningSystem.stdout)
|
|
988
1108
|
checks.push({
|
|
@@ -995,6 +1115,102 @@ checks.push({
|
|
|
995
1115
|
: null,
|
|
996
1116
|
stderr: learningSystem.stderr,
|
|
997
1117
|
})
|
|
1118
|
+
const learningPromotion = run(process.execPath, [path.join(root, 'scripts', 'audit-learning-promotion.mjs'), '--root', root, '--target', root, '--json'])
|
|
1119
|
+
const learningPromotionData = parseJson(learningPromotion.stdout)
|
|
1120
|
+
checks.push({
|
|
1121
|
+
id: 'validate-22c',
|
|
1122
|
+
label: 'learning promotion automation audit',
|
|
1123
|
+
status: learningPromotion.status === 0 ? 'passed' : 'failed',
|
|
1124
|
+
command: learningPromotion.command,
|
|
1125
|
+
summary: learningPromotionData
|
|
1126
|
+
? { status: learningPromotionData.summary?.status, checks: learningPromotionData.summary ? learningPromotionData.summary.passed + '/' + learningPromotionData.summary.total : null, promoted: learningPromotionData.summary?.promoted, guardCandidates: learningPromotionData.summary?.guardCandidates }
|
|
1127
|
+
: null,
|
|
1128
|
+
stderr: learningPromotion.stderr,
|
|
1129
|
+
})
|
|
1130
|
+
const learningDrift = run(process.execPath, [path.join(root, 'scripts', 'audit-learning-drift.mjs'), '--root', root, '--target', root, '--json'])
|
|
1131
|
+
const learningDriftData = parseJson(learningDrift.stdout)
|
|
1132
|
+
checks.push({
|
|
1133
|
+
id: 'validate-22c2',
|
|
1134
|
+
label: 'learning promotion drift audit',
|
|
1135
|
+
status: learningDrift.status === 0 ? 'passed' : 'failed',
|
|
1136
|
+
command: learningDrift.command,
|
|
1137
|
+
summary: learningDriftData
|
|
1138
|
+
? { status: learningDriftData.summary?.status, checks: learningDriftData.summary ? learningDriftData.summary.passed + '/' + learningDriftData.summary.total : null, candidates: learningDriftData.summary?.candidates, enforced: learningDriftData.summary?.enforced, highUnenforced: learningDriftData.summary?.highUnenforced }
|
|
1139
|
+
: null,
|
|
1140
|
+
stderr: learningDrift.stderr,
|
|
1141
|
+
})
|
|
1142
|
+
const hostCapabilities = run(process.execPath, [path.join(root, 'scripts', 'audit-host-capabilities.mjs'), '--root', root, '--target', root, '--json'])
|
|
1143
|
+
const hostCapabilitiesData = parseJson(hostCapabilities.stdout)
|
|
1144
|
+
checks.push({
|
|
1145
|
+
id: 'validate-22d',
|
|
1146
|
+
label: 'host capability record audit',
|
|
1147
|
+
status: hostCapabilities.status === 0 ? 'passed' : 'failed',
|
|
1148
|
+
command: hostCapabilities.command,
|
|
1149
|
+
summary: hostCapabilitiesData
|
|
1150
|
+
? { status: hostCapabilitiesData.summary?.status, checks: hostCapabilitiesData.summary ? hostCapabilitiesData.summary.passed + '/' + hostCapabilitiesData.summary.total : null, hostCapabilityRecords: hostCapabilitiesData.workflows?.hostCapabilityRecords, nativeSlashCommandBoundary: hostCapabilitiesData.workflows?.nativeSlashCommandBoundary }
|
|
1151
|
+
: null,
|
|
1152
|
+
stderr: hostCapabilities.stderr,
|
|
1153
|
+
})
|
|
1154
|
+
const toolFallbackPolicy = run(process.execPath, [path.join(root, 'scripts', 'audit-tool-fallback-policy.mjs'), '--root', root, '--target', root, '--json'])
|
|
1155
|
+
const toolFallbackPolicyData = parseJson(toolFallbackPolicy.stdout)
|
|
1156
|
+
checks.push({
|
|
1157
|
+
id: 'validate-22d2',
|
|
1158
|
+
label: 'optional tool fallback policy audit',
|
|
1159
|
+
status: toolFallbackPolicy.status === 0 ? 'passed' : 'failed',
|
|
1160
|
+
command: toolFallbackPolicy.command,
|
|
1161
|
+
summary: toolFallbackPolicyData
|
|
1162
|
+
? { status: toolFallbackPolicyData.summary?.status, checks: toolFallbackPolicyData.summary ? toolFallbackPolicyData.summary.passed + '/' + toolFallbackPolicyData.summary.total : null, optionalToolFallbackPolicy: toolFallbackPolicyData.workflows?.optionalToolFallbackPolicy }
|
|
1163
|
+
: null,
|
|
1164
|
+
stderr: toolFallbackPolicy.stderr,
|
|
1165
|
+
})
|
|
1166
|
+
const targetHardeningDrills = run(process.execPath, [path.join(root, 'scripts', 'audit-target-hardening-drills.mjs'), '--root', root, '--json'])
|
|
1167
|
+
const targetHardeningDrillsData = parseJson(targetHardeningDrills.stdout)
|
|
1168
|
+
checks.push({
|
|
1169
|
+
id: 'validate-22e',
|
|
1170
|
+
label: 'target project hardening drill audit',
|
|
1171
|
+
status: targetHardeningDrills.status === 0 ? 'passed' : 'failed',
|
|
1172
|
+
command: targetHardeningDrills.command,
|
|
1173
|
+
summary: targetHardeningDrillsData
|
|
1174
|
+
? { status: targetHardeningDrillsData.summary?.status, checks: targetHardeningDrillsData.summary ? targetHardeningDrillsData.summary.passed + '/' + targetHardeningDrillsData.summary.total : null, mode: targetHardeningDrillsData.summary?.mode, targetHardeningDrills: targetHardeningDrillsData.workflows?.targetHardeningDrills }
|
|
1175
|
+
: null,
|
|
1176
|
+
stderr: targetHardeningDrills.stderr,
|
|
1177
|
+
})
|
|
1178
|
+
const maintenanceCadence = run(process.execPath, [path.join(root, 'scripts', 'audit-maintenance-cadence.mjs'), '--root', root, '--json'])
|
|
1179
|
+
const maintenanceCadenceData = parseJson(maintenanceCadence.stdout)
|
|
1180
|
+
checks.push({
|
|
1181
|
+
id: 'validate-22f',
|
|
1182
|
+
label: 'maintenance cadence audit',
|
|
1183
|
+
status: maintenanceCadence.status === 0 ? 'passed' : 'failed',
|
|
1184
|
+
command: maintenanceCadence.command,
|
|
1185
|
+
summary: maintenanceCadenceData
|
|
1186
|
+
? { status: maintenanceCadenceData.summary?.status, checks: maintenanceCadenceData.summary ? maintenanceCadenceData.summary.passed + '/' + maintenanceCadenceData.summary.total : null, maintenanceCadence: maintenanceCadenceData.workflows?.maintenanceCadence }
|
|
1187
|
+
: null,
|
|
1188
|
+
stderr: maintenanceCadence.stderr,
|
|
1189
|
+
})
|
|
1190
|
+
const maintenanceSnapshot = run(process.execPath, [path.join(root, 'scripts', 'audit-maintenance-snapshot.mjs'), '--root', root, '--json'])
|
|
1191
|
+
const maintenanceSnapshotData = parseJson(maintenanceSnapshot.stdout)
|
|
1192
|
+
checks.push({
|
|
1193
|
+
id: 'validate-22f2',
|
|
1194
|
+
label: 'maintenance snapshot audit',
|
|
1195
|
+
status: maintenanceSnapshot.status === 0 ? 'passed' : 'failed',
|
|
1196
|
+
command: maintenanceSnapshot.command,
|
|
1197
|
+
summary: maintenanceSnapshotData
|
|
1198
|
+
? { status: maintenanceSnapshotData.summary?.status, checks: maintenanceSnapshotData.summary ? maintenanceSnapshotData.summary.passed + '/' + maintenanceSnapshotData.summary.total : null, maintenanceSnapshot: maintenanceSnapshotData.workflows?.maintenanceSnapshot }
|
|
1199
|
+
: null,
|
|
1200
|
+
stderr: maintenanceSnapshot.stderr,
|
|
1201
|
+
})
|
|
1202
|
+
const installedSync = run(process.execPath, [path.join(root, 'scripts', 'audit-installed-sync.mjs'), '--root', root, '--json'])
|
|
1203
|
+
const installedSyncData = parseJson(installedSync.stdout)
|
|
1204
|
+
checks.push({
|
|
1205
|
+
id: 'validate-22g',
|
|
1206
|
+
label: 'installed sync freshness audit',
|
|
1207
|
+
status: installedSync.status === 0 ? 'passed' : 'failed',
|
|
1208
|
+
command: installedSync.command,
|
|
1209
|
+
summary: installedSyncData
|
|
1210
|
+
? { status: installedSyncData.summary?.status, checks: installedSyncData.summary ? installedSyncData.summary.passed + '/' + installedSyncData.summary.total : null, freshPackage: installedSyncData.workflows?.freshPackage, installedSync: installedSyncData.workflows?.installedSync }
|
|
1211
|
+
: null,
|
|
1212
|
+
stderr: installedSync.stderr,
|
|
1213
|
+
})
|
|
998
1214
|
const readmeDocs = run(process.execPath, [path.join(root, 'scripts', 'audit-readme-docs.mjs'), '--root', root, '--json'])
|
|
999
1215
|
const readmeDocsData = parseJson(readmeDocs.stdout)
|
|
1000
1216
|
checks.push({
|
|
@@ -1,85 +1,85 @@
|
|
|
1
|
-
#!/usr/bin/env node
|
|
2
|
-
import fs from 'node:fs'
|
|
3
|
-
import path from 'node:path'
|
|
4
|
-
import crypto from 'node:crypto'
|
|
5
|
-
|
|
6
|
-
const args = process.argv.slice(2)
|
|
7
|
-
|
|
8
|
-
function readArg(name, fallback = null) {
|
|
9
|
-
const index = args.indexOf(name)
|
|
10
|
-
if (index === -1) return fallback
|
|
11
|
-
return args[index + 1] ?? fallback
|
|
12
|
-
}
|
|
13
|
-
|
|
14
|
-
const packageDir = path.resolve(readArg('--package', process.cwd()))
|
|
15
|
-
const publicKeyPath = path.resolve(readArg('--public-key', path.join(packageDir, 'gse-signing-public.pem')))
|
|
16
|
-
const signaturePath = path.resolve(readArg('--signature', path.join(packageDir, 'gse-package-signature.json')))
|
|
17
|
-
const jsonOnly = args.includes('--json')
|
|
18
|
-
|
|
19
|
-
function sha256(filePath) {
|
|
20
|
-
return crypto.createHash('sha256').update(fs.readFileSync(filePath)).digest('hex')
|
|
21
|
-
}
|
|
22
|
-
|
|
23
|
-
function fingerprint(pem) {
|
|
24
|
-
return crypto.createHash('sha256').update(pem).digest('hex')
|
|
25
|
-
}
|
|
26
|
-
|
|
27
|
-
function check(id, label, ok, evidence, risk = '') {
|
|
28
|
-
return { id, label, status: ok ? 'passed' : 'failed', evidence, risk }
|
|
29
|
-
}
|
|
30
|
-
|
|
31
|
-
function readJson(filePath) {
|
|
32
|
-
if (!fs.existsSync(filePath)) return null
|
|
33
|
-
return JSON.parse(fs.readFileSync(filePath, 'utf8').replace(/^\uFEFF/, ''))
|
|
34
|
-
}
|
|
35
|
-
|
|
36
|
-
const manifestPath = path.join(packageDir, 'gse-package-manifest.json')
|
|
37
|
-
const manifest = readJson(manifestPath)
|
|
38
|
-
const signatureRecord = readJson(signaturePath)
|
|
39
|
-
const publicKeyPem = fs.existsSync(publicKeyPath) ? fs.readFileSync(publicKeyPath, 'utf8') : ''
|
|
40
|
-
|
|
41
|
-
const files = manifest?.files ?? []
|
|
42
|
-
const hashMismatches = []
|
|
43
|
-
for (const relativePath of files) {
|
|
44
|
-
const fullPath = path.join(packageDir, relativePath)
|
|
45
|
-
const expected = manifest?.fileHashes?.[relativePath]
|
|
46
|
-
const actual = fs.existsSync(fullPath) ? sha256(fullPath) : null
|
|
47
|
-
if (!expected || actual !== expected) hashMismatches.push({ relativePath, expected, actual })
|
|
48
|
-
}
|
|
49
|
-
const recomputedDigest = manifest
|
|
50
|
-
? crypto.createHash('sha256').update(JSON.stringify({ files: manifest.files, fileHashes: manifest.fileHashes })).digest('hex')
|
|
51
|
-
: null
|
|
52
|
-
const payloadText = signatureRecord?.payload ? JSON.stringify(signatureRecord.payload) : ''
|
|
53
|
-
let signatureOk = false
|
|
54
|
-
try {
|
|
55
|
-
signatureOk = Boolean(publicKeyPem && signatureRecord?.signature && crypto.verify(null, Buffer.from(payloadText), publicKeyPem, Buffer.from(signatureRecord.signature, 'base64')))
|
|
56
|
-
} catch {
|
|
57
|
-
signatureOk = false
|
|
58
|
-
}
|
|
59
|
-
|
|
60
|
-
const checks = [
|
|
61
|
-
check('SIG01', 'manifest exists', Boolean(manifest), manifestPath),
|
|
62
|
-
check('SIG02', 'signature record exists', Boolean(signatureRecord), signaturePath),
|
|
63
|
-
check('SIG03', 'public key exists', Boolean(publicKeyPem), publicKeyPath),
|
|
64
|
-
check('SIG04', 'all file hashes match manifest', hashMismatches.length === 0, hashMismatches.length ? JSON.stringify(hashMismatches.slice(0, 5)) : 'all files'),
|
|
65
|
-
check('SIG05', 'manifest package digest matches file hash table', Boolean(manifest?.integrity?.packageDigest && recomputedDigest === manifest.integrity.packageDigest), 'integrity.packageDigest'),
|
|
66
|
-
check('SIG06', 'signature payload matches manifest digest', Boolean(signatureRecord?.payload?.packageDigest && signatureRecord.payload.packageDigest === manifest?.integrity?.packageDigest), 'signature payload packageDigest'),
|
|
67
|
-
check('SIG07', 'signature verifies with public key', signatureOk, 'ed25519 signature'),
|
|
68
|
-
check('SIG08', 'public key fingerprint matches signature record', Boolean(publicKeyPem && signatureRecord?.publicKeyFingerprint === fingerprint(publicKeyPem)), 'public key fingerprint'),
|
|
69
|
-
]
|
|
70
|
-
|
|
71
|
-
const passed = checks.filter((item) => item.status === 'passed').length
|
|
72
|
-
const failed = checks.length - passed
|
|
73
|
-
const report = {
|
|
74
|
-
packageDir,
|
|
75
|
-
generatedAt: new Date().toISOString(),
|
|
76
|
-
summary: { status: failed === 0 ? 'passed' : 'failed', passed, failed, total: checks.length },
|
|
77
|
-
workflows: { packageSignature: failed === 0 ? 'verified' : 'failed' },
|
|
78
|
-
checks,
|
|
79
|
-
}
|
|
80
|
-
|
|
81
|
-
if (jsonOnly) console.log(JSON.stringify(report, null, 2))
|
|
82
|
-
else console.log(JSON.stringify(report, null, 2))
|
|
83
|
-
|
|
84
|
-
if (failed > 0) process.exit(1)
|
|
85
|
-
|
|
1
|
+
#!/usr/bin/env node
|
|
2
|
+
import fs from 'node:fs'
|
|
3
|
+
import path from 'node:path'
|
|
4
|
+
import crypto from 'node:crypto'
|
|
5
|
+
|
|
6
|
+
const args = process.argv.slice(2)
|
|
7
|
+
|
|
8
|
+
function readArg(name, fallback = null) {
|
|
9
|
+
const index = args.indexOf(name)
|
|
10
|
+
if (index === -1) return fallback
|
|
11
|
+
return args[index + 1] ?? fallback
|
|
12
|
+
}
|
|
13
|
+
|
|
14
|
+
const packageDir = path.resolve(readArg('--package', process.cwd()))
|
|
15
|
+
const publicKeyPath = path.resolve(readArg('--public-key', path.join(packageDir, 'gse-signing-public.pem')))
|
|
16
|
+
const signaturePath = path.resolve(readArg('--signature', path.join(packageDir, 'gse-package-signature.json')))
|
|
17
|
+
const jsonOnly = args.includes('--json')
|
|
18
|
+
|
|
19
|
+
function sha256(filePath) {
|
|
20
|
+
return crypto.createHash('sha256').update(fs.readFileSync(filePath)).digest('hex')
|
|
21
|
+
}
|
|
22
|
+
|
|
23
|
+
function fingerprint(pem) {
|
|
24
|
+
return crypto.createHash('sha256').update(pem).digest('hex')
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
function check(id, label, ok, evidence, risk = '') {
|
|
28
|
+
return { id, label, status: ok ? 'passed' : 'failed', evidence, risk }
|
|
29
|
+
}
|
|
30
|
+
|
|
31
|
+
function readJson(filePath) {
|
|
32
|
+
if (!fs.existsSync(filePath)) return null
|
|
33
|
+
return JSON.parse(fs.readFileSync(filePath, 'utf8').replace(/^\uFEFF/, ''))
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
const manifestPath = path.join(packageDir, 'gse-package-manifest.json')
|
|
37
|
+
const manifest = readJson(manifestPath)
|
|
38
|
+
const signatureRecord = readJson(signaturePath)
|
|
39
|
+
const publicKeyPem = fs.existsSync(publicKeyPath) ? fs.readFileSync(publicKeyPath, 'utf8') : ''
|
|
40
|
+
|
|
41
|
+
const files = manifest?.files ?? []
|
|
42
|
+
const hashMismatches = []
|
|
43
|
+
for (const relativePath of files) {
|
|
44
|
+
const fullPath = path.join(packageDir, relativePath)
|
|
45
|
+
const expected = manifest?.fileHashes?.[relativePath]
|
|
46
|
+
const actual = fs.existsSync(fullPath) ? sha256(fullPath) : null
|
|
47
|
+
if (!expected || actual !== expected) hashMismatches.push({ relativePath, expected, actual })
|
|
48
|
+
}
|
|
49
|
+
const recomputedDigest = manifest
|
|
50
|
+
? crypto.createHash('sha256').update(JSON.stringify({ files: manifest.files, fileHashes: manifest.fileHashes })).digest('hex')
|
|
51
|
+
: null
|
|
52
|
+
const payloadText = signatureRecord?.payload ? JSON.stringify(signatureRecord.payload) : ''
|
|
53
|
+
let signatureOk = false
|
|
54
|
+
try {
|
|
55
|
+
signatureOk = Boolean(publicKeyPem && signatureRecord?.signature && crypto.verify(null, Buffer.from(payloadText), publicKeyPem, Buffer.from(signatureRecord.signature, 'base64')))
|
|
56
|
+
} catch {
|
|
57
|
+
signatureOk = false
|
|
58
|
+
}
|
|
59
|
+
|
|
60
|
+
const checks = [
|
|
61
|
+
check('SIG01', 'manifest exists', Boolean(manifest), manifestPath),
|
|
62
|
+
check('SIG02', 'signature record exists', Boolean(signatureRecord), signaturePath),
|
|
63
|
+
check('SIG03', 'public key exists', Boolean(publicKeyPem), publicKeyPath),
|
|
64
|
+
check('SIG04', 'all file hashes match manifest', hashMismatches.length === 0, hashMismatches.length ? JSON.stringify(hashMismatches.slice(0, 5)) : 'all files'),
|
|
65
|
+
check('SIG05', 'manifest package digest matches file hash table', Boolean(manifest?.integrity?.packageDigest && recomputedDigest === manifest.integrity.packageDigest), 'integrity.packageDigest'),
|
|
66
|
+
check('SIG06', 'signature payload matches manifest digest', Boolean(signatureRecord?.payload?.packageDigest && signatureRecord.payload.packageDigest === manifest?.integrity?.packageDigest), 'signature payload packageDigest'),
|
|
67
|
+
check('SIG07', 'signature verifies with public key', signatureOk, 'ed25519 signature'),
|
|
68
|
+
check('SIG08', 'public key fingerprint matches signature record', Boolean(publicKeyPem && signatureRecord?.publicKeyFingerprint === fingerprint(publicKeyPem)), 'public key fingerprint'),
|
|
69
|
+
]
|
|
70
|
+
|
|
71
|
+
const passed = checks.filter((item) => item.status === 'passed').length
|
|
72
|
+
const failed = checks.length - passed
|
|
73
|
+
const report = {
|
|
74
|
+
packageDir,
|
|
75
|
+
generatedAt: new Date().toISOString(),
|
|
76
|
+
summary: { status: failed === 0 ? 'passed' : 'failed', passed, failed, total: checks.length },
|
|
77
|
+
workflows: { packageSignature: failed === 0 ? 'verified' : 'failed' },
|
|
78
|
+
checks,
|
|
79
|
+
}
|
|
80
|
+
|
|
81
|
+
if (jsonOnly) console.log(JSON.stringify(report, null, 2))
|
|
82
|
+
else console.log(JSON.stringify(report, null, 2))
|
|
83
|
+
|
|
84
|
+
if (failed > 0) process.exit(1)
|
|
85
|
+
|