@t275005746/gse 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (207) hide show
  1. package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -0
  2. package/.github/ISSUE_TEMPLATE/change_request.yml +50 -0
  3. package/.github/ISSUE_TEMPLATE/config.yml +5 -0
  4. package/.github/PULL_REQUEST_TEMPLATE.md +38 -0
  5. package/.github/workflows/validate-gse.yml +33 -0
  6. package/.gse/README.md +18 -0
  7. package/.gse/gse-development-protocol.md +50 -0
  8. package/.gse/project-profile.md +29 -0
  9. package/.gse/quality-gates.md +25 -0
  10. package/.gse/releases/public-channel-publication-pending.md +49 -0
  11. package/.gse/releases/public-ci-run-pending.md +53 -0
  12. package/.gse/releases/public-release-owner-required.md +65 -0
  13. package/.gse/releases/public-repository-settings-owner-required.md +59 -0
  14. package/.gse/releases/public-security-contact-owner-required.md +45 -0
  15. package/.gse/state.json +27 -0
  16. package/CHANGELOG.md +24 -0
  17. package/CONTRIBUTING.md +64 -0
  18. package/LICENSE +21 -0
  19. package/README.md +236 -0
  20. package/README.zh-CN.md +236 -0
  21. package/SECURITY.md +41 -0
  22. package/SKILL.md +148 -0
  23. package/SUPPORT.md +38 -0
  24. package/agents/openai.yaml +4 -0
  25. package/assets/marketplace/README.md +7 -0
  26. package/assets/marketplace/gse-listing.json +75 -0
  27. package/assets/templates/acceptance-execution-packet.md +73 -0
  28. package/assets/templates/adr.md +14 -0
  29. package/assets/templates/change-brief.md +16 -0
  30. package/assets/templates/design.md +18 -0
  31. package/assets/templates/dispatch-packet.md +104 -0
  32. package/assets/templates/evidence.md +14 -0
  33. package/assets/templates/execution-quality-pack.md +65 -0
  34. package/assets/templates/goal-map.md +21 -0
  35. package/assets/templates/host-adapter.md +48 -0
  36. package/assets/templates/host-ui-invocation-record.md +42 -0
  37. package/assets/templates/incident-review.md +60 -0
  38. package/assets/templates/public-channel-publication-record.md +49 -0
  39. package/assets/templates/public-ci-run-record.md +53 -0
  40. package/assets/templates/public-release-record.md +65 -0
  41. package/assets/templates/public-repository-settings-record.md +59 -0
  42. package/assets/templates/public-security-contact-record.md +45 -0
  43. package/assets/templates/release-trust-record.md +32 -0
  44. package/assets/templates/review.md +18 -0
  45. package/assets/templates/spec.md +16 -0
  46. package/assets/templates/target-adoption-evidence.md +29 -0
  47. package/assets/templates/tasks.md +17 -0
  48. package/assets/templates/update-release-acceptance-record.md +58 -0
  49. package/examples/README.md +22 -0
  50. package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -0
  51. package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -0
  52. package/examples/agent-runtime-host/.gse/goal-map.md +7 -0
  53. package/examples/agent-runtime-host/.gse/project-profile.md +27 -0
  54. package/examples/agent-runtime-host/.gse/tooling.md +5 -0
  55. package/examples/agent-runtime-host/.mcp.json +9 -0
  56. package/examples/agent-runtime-host/AGENTS.md +5 -0
  57. package/examples/agent-runtime-host/README.md +10 -0
  58. package/examples/agent-runtime-host/docs/model-routing.md +5 -0
  59. package/examples/cli-tool/.gse/project-profile.md +21 -0
  60. package/examples/cli-tool/AGENTS.md +5 -0
  61. package/examples/cli-tool/README.md +12 -0
  62. package/examples/cli-tool/package.json +21 -0
  63. package/examples/small-app/.env.example +2 -0
  64. package/examples/small-app/.github/workflows/ci.yml +8 -0
  65. package/examples/small-app/AGENTS.md +5 -0
  66. package/examples/small-app/README.md +12 -0
  67. package/examples/small-app/package.json +26 -0
  68. package/examples/small-app/playwright.config.ts +4 -0
  69. package/package.json +53 -0
  70. package/references/adoption-recipes.md +171 -0
  71. package/references/agent-roles.md +49 -0
  72. package/references/architecture-health.md +101 -0
  73. package/references/benchmark-audit.md +73 -0
  74. package/references/commands.md +295 -0
  75. package/references/community-channels.md +46 -0
  76. package/references/compatibility.md +70 -0
  77. package/references/design-basis.md +38 -0
  78. package/references/domain-model.md +129 -0
  79. package/references/domain-quality-gates.md +75 -0
  80. package/references/drift-audit.md +81 -0
  81. package/references/evidence-taxonomy.md +123 -0
  82. package/references/file-ownership.md +107 -0
  83. package/references/final-readiness.md +84 -0
  84. package/references/forward-test.md +133 -0
  85. package/references/goal-map.md +36 -0
  86. package/references/host-adapters.md +119 -0
  87. package/references/learning-system.md +35 -0
  88. package/references/marketplace-discovery.md +46 -0
  89. package/references/model-routing.md +103 -0
  90. package/references/open-source-defaults.md +39 -0
  91. package/references/operating-model.md +52 -0
  92. package/references/packaging.md +277 -0
  93. package/references/project-agent-workspace.md +89 -0
  94. package/references/project-bootstrap.md +122 -0
  95. package/references/project-profile.md +57 -0
  96. package/references/public-release.md +174 -0
  97. package/references/quality-gates.md +100 -0
  98. package/references/recovery.md +176 -0
  99. package/references/release-trust.md +43 -0
  100. package/references/release.md +126 -0
  101. package/references/review.md +141 -0
  102. package/references/router.md +90 -0
  103. package/references/spec-workflow.md +66 -0
  104. package/references/task-levels.md +81 -0
  105. package/references/tool-adapters.md +73 -0
  106. package/scripts/audit-acceptance-execution-packet.mjs +133 -0
  107. package/scripts/audit-adoption-recipes.mjs +99 -0
  108. package/scripts/audit-adoption.mjs +154 -0
  109. package/scripts/audit-change-lifecycle.mjs +77 -0
  110. package/scripts/audit-change-system.mjs +134 -0
  111. package/scripts/audit-ci-readiness.mjs +107 -0
  112. package/scripts/audit-close-gate.mjs +323 -0
  113. package/scripts/audit-command-adapters.mjs +91 -0
  114. package/scripts/audit-command-execution.mjs +210 -0
  115. package/scripts/audit-commands.mjs +117 -0
  116. package/scripts/audit-compatibility.mjs +149 -0
  117. package/scripts/audit-completion-readiness.mjs +292 -0
  118. package/scripts/audit-distribution.mjs +251 -0
  119. package/scripts/audit-domain-quality-gates.mjs +108 -0
  120. package/scripts/audit-evidence-placeholders.mjs +126 -0
  121. package/scripts/audit-final-acceptance-packet.mjs +148 -0
  122. package/scripts/audit-final-form-progress-report.mjs +161 -0
  123. package/scripts/audit-final-form-stale-copy.mjs +221 -0
  124. package/scripts/audit-final-readiness-promotion.mjs +255 -0
  125. package/scripts/audit-final-readiness.mjs +226 -0
  126. package/scripts/audit-fixtures.mjs +154 -0
  127. package/scripts/audit-fresh-session-readiness.mjs +177 -0
  128. package/scripts/audit-gse.mjs +275 -0
  129. package/scripts/audit-host-adapters.mjs +119 -0
  130. package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -0
  131. package/scripts/audit-host-runtime-invocation-drill.mjs +240 -0
  132. package/scripts/audit-host-runtime-invocations.mjs +254 -0
  133. package/scripts/audit-host-ui-invocation.mjs +132 -0
  134. package/scripts/audit-learning-system.mjs +103 -0
  135. package/scripts/audit-local-final-form-completion.mjs +131 -0
  136. package/scripts/audit-marketplace-discovery.mjs +122 -0
  137. package/scripts/audit-npm-package-metadata.mjs +155 -0
  138. package/scripts/audit-npm-publish-dry-run.mjs +169 -0
  139. package/scripts/audit-npm-tarball-install.mjs +191 -0
  140. package/scripts/audit-open-source-defaults.mjs +92 -0
  141. package/scripts/audit-open-source-readiness.mjs +97 -0
  142. package/scripts/audit-owner-external-gate-kit.mjs +218 -0
  143. package/scripts/audit-project.mjs +323 -0
  144. package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -0
  145. package/scripts/audit-public-acceptance-handoff.mjs +142 -0
  146. package/scripts/audit-public-acceptance-readiness.mjs +224 -0
  147. package/scripts/audit-public-channel-publication.mjs +248 -0
  148. package/scripts/audit-public-ci-run.mjs +184 -0
  149. package/scripts/audit-public-collaboration-templates.mjs +98 -0
  150. package/scripts/audit-public-external-gate-probe.mjs +206 -0
  151. package/scripts/audit-public-release-checklist.mjs +133 -0
  152. package/scripts/audit-public-release-decision.mjs +201 -0
  153. package/scripts/audit-public-release-metadata.mjs +176 -0
  154. package/scripts/audit-public-repository-settings.mjs +237 -0
  155. package/scripts/audit-public-security-contact.mjs +171 -0
  156. package/scripts/audit-readme-docs.mjs +185 -0
  157. package/scripts/audit-recovery-readiness.mjs +98 -0
  158. package/scripts/audit-release-bundle.mjs +251 -0
  159. package/scripts/audit-release-owner-action-plan-drill.mjs +277 -0
  160. package/scripts/audit-release-owner-action-plan.mjs +164 -0
  161. package/scripts/audit-release-readiness.mjs +106 -0
  162. package/scripts/audit-release-status-manifest.mjs +165 -0
  163. package/scripts/audit-release-trust.mjs +62 -0
  164. package/scripts/audit-remote-distribution.mjs +266 -0
  165. package/scripts/audit-roadmap-consistency.mjs +235 -0
  166. package/scripts/audit-signing.mjs +147 -0
  167. package/scripts/audit-state-freshness.mjs +113 -0
  168. package/scripts/audit-target-adoption-evidence.mjs +117 -0
  169. package/scripts/audit-target-project.mjs +507 -0
  170. package/scripts/audit-update-release-acceptance.mjs +136 -0
  171. package/scripts/audit-v1-target-validation.mjs +269 -0
  172. package/scripts/audit-validation-profiles.mjs +125 -0
  173. package/scripts/close-change.mjs +116 -0
  174. package/scripts/discover-project-profile.mjs +307 -0
  175. package/scripts/forward-test-gse.mjs +146 -0
  176. package/scripts/generate-command-adapter.mjs +231 -0
  177. package/scripts/generate-final-acceptance-packet.mjs +181 -0
  178. package/scripts/generate-final-form-progress-report.mjs +205 -0
  179. package/scripts/generate-host-adapter.mjs +73 -0
  180. package/scripts/generate-host-runtime-evidence-handoff.mjs +206 -0
  181. package/scripts/generate-owner-external-gate-kit.mjs +295 -0
  182. package/scripts/generate-public-acceptance-handoff.mjs +168 -0
  183. package/scripts/generate-public-release-checklist.mjs +207 -0
  184. package/scripts/generate-release-bundle.mjs +505 -0
  185. package/scripts/generate-release-owner-action-plan.mjs +172 -0
  186. package/scripts/generate-release-status-manifest.mjs +200 -0
  187. package/scripts/generate-session-prompt.mjs +188 -0
  188. package/scripts/gse.mjs +67 -0
  189. package/scripts/init-change.mjs +265 -0
  190. package/scripts/init-project.mjs +785 -0
  191. package/scripts/install-gse.mjs +234 -0
  192. package/scripts/lib/evidence-placeholders.mjs +28 -0
  193. package/scripts/package-gse.mjs +174 -0
  194. package/scripts/probe-public-external-gates.mjs +167 -0
  195. package/scripts/record-host-invocation.mjs +151 -0
  196. package/scripts/record-learning.mjs +137 -0
  197. package/scripts/record-public-channel-publication.mjs +178 -0
  198. package/scripts/record-public-ci-run.mjs +180 -0
  199. package/scripts/record-public-release.mjs +175 -0
  200. package/scripts/record-public-repository-settings.mjs +209 -0
  201. package/scripts/record-public-security-contact.mjs +157 -0
  202. package/scripts/run-gse-command.mjs +538 -0
  203. package/scripts/run-validation-profile.mjs +146 -0
  204. package/scripts/sign-gse-package.mjs +83 -0
  205. package/scripts/update-project-state.mjs +223 -0
  206. package/scripts/validate-gse.mjs +1168 -0
  207. package/scripts/verify-gse-package.mjs +85 -0
@@ -0,0 +1,176 @@
1
+ # Recovery And Handoff
2
+
3
+ Use this when work is interrupted, verification fails, a tool or runtime is unavailable, partial edits exist, release rollback may be needed, or a future agent must continue without relying on hidden context.
4
+
5
+ Recovery and handoff are part of the evidence loop. The goal is to make the current state understandable, resumable, and reversible.
6
+
7
+ ## Trigger Conditions
8
+
9
+ Run this protocol when any of these are true:
10
+
11
+ - A session is interrupted, refreshed, compacted, or handed to another agent or host.
12
+ - A command, tool, MCP server, browser path, model route, subagent dispatch, or verification gate fails unexpectedly.
13
+ - The worktree has partial edits, generated artifacts, dirty files, or uncertain ownership.
14
+ - A release, migration, rollback, hotfix, incident, or compatibility issue is involved.
15
+ - The current agent cannot finish safely within the active slice but has useful evidence or decisions to preserve.
16
+ - The user asks to continue from another session, branch, host, or agent.
17
+
18
+ Do not create a heavy handoff for a tiny completed edit that already has direct evidence and no residual risk.
19
+
20
+ ## Failure Classification
21
+
22
+ Classify the situation before deciding the next step.
23
+
24
+ | Class | Meaning | Default action |
25
+ |---|---|---|
26
+ | recoverable failure | A command, test, tool, or assumption failed, but the path is still clear | Record failure, fix smallest cause, rerun focused evidence |
27
+ | blocked work | Progress needs user input, missing credentials, unavailable external service, or unavailable required tool | Record blocker, preserve state, ask for the smallest required input |
28
+ | rollback required | Current edits or release state are unsafe, misleading, or harmful | Stop new work, identify owned edits, follow project rollback policy |
29
+ | handoff required | Another session, agent, host, branch, or future run must continue | Record goal, current state, changed files, evidence, risks, and next action |
30
+ | incident recovery | Main path, data, security, privacy, release, or user-visible behavior is broken | Stabilize first, preserve evidence, route through release/incident gates |
31
+
32
+ Never hide a failed check by reducing acceptance. Either fix it, mark it as residual risk, or move the slice to not ready.
33
+
34
+ ## Resume Or Rollback Decision
35
+
36
+ Choose one path and record why:
37
+
38
+ - Resume: use when edits are scoped, evidence is trustworthy, and the next verification step is clear.
39
+ - Repair: use when a known broken command, test, route, or doc can be fixed inside the current slice.
40
+ - Roll back owned edits: use when the current changes are unsafe, contradict scope, or cannot be verified.
41
+ - Preserve and hand off: use when meaningful progress exists but completion requires another session, role, host, or external condition.
42
+ - Stop and ask: use when user input is required and any assumption would risk data, security, release, or product direction.
43
+
44
+ Do not revert user work or unrelated dirty files. Use references/file-ownership.md before rollback or cleanup.
45
+
46
+ ## Failed Verification Path
47
+
48
+ When verification fails, do not reduce the acceptance bar to make the slice look complete.
49
+
50
+ Use this sequence:
51
+
52
+ 1. Preserve the failed command, status, and narrow failure reason.
53
+ 2. Decide whether the failure invalidates the result, only blocks verification, or exposes unrelated existing risk.
54
+ 3. Fix the smallest reusable artifact when the cause is inside the slice.
55
+ 4. Re-run the same focused verification before adding new scope.
56
+ 5. If the failure cannot be fixed in the slice, mark readiness `not ready` or `result`, record the blocker, and set the next action.
57
+
58
+ If the failure concerns release, migration, rollback, public behavior, security/privacy, or data safety, route through `references/release.md` before claiming readiness.
59
+
60
+ ## Release Recovery Path
61
+
62
+ Use this when release validation, install/update handoff, migration, rollback, compatibility, or incident gates fail.
63
+
64
+ Minimum release recovery record:
65
+
66
+ ```text
67
+ Release scope:
68
+ Failed gate:
69
+ Release level:
70
+ Readiness after failure: not ready | result | verified | accepted
71
+ What changed:
72
+ What remains safe:
73
+ Rollback or resume decision:
74
+ Files or artifacts to revert:
75
+ Verification to rerun:
76
+ Owner or decision needed:
77
+ Next action:
78
+ ```
79
+
80
+ Rules:
81
+
82
+ - Do not call a release accepted while a required release gate is failing.
83
+ - Prefer file-level revert for low-risk docs/scripts when ownership is clear.
84
+ - For generated scaffolds, host adapters, state, schema, runtime config, or compatibility-impacting changes, document downstream regeneration or migration impact.
85
+ - If rollback touches user or unrelated files, stop and use `references/file-ownership.md` before changing them.
86
+
87
+ ## Incident Follow-Up Path
88
+
89
+ Use `assets/templates/incident-review.md` when the recovery involves user-visible breakage, data loss/corruption risk, security/privacy risk, release blocker, repeated failed verification, or a broken main path.
90
+
91
+ Incident follow-up must separate:
92
+
93
+ - Impact and affected users/systems.
94
+ - Timeline and detection signal.
95
+ - Root cause and contributing factors.
96
+ - Immediate stabilization.
97
+ - Verification that proves stabilization.
98
+ - Long-term prevention tasks.
99
+ - Evidence links and owners.
100
+
101
+ Do not turn every failed command into an incident. Use incident review only when the failure has product, release, safety, or repeated-process significance.
102
+
103
+ ## Future-Agent Continuation Packet
104
+
105
+ When work must continue elsewhere, provide a compact packet that a future agent can run without hidden memory:
106
+
107
+ ```text
108
+ Goal or spec:
109
+ Active slice:
110
+ Current evidence status:
111
+ Changed files:
112
+ Files intentionally untouched:
113
+ Commands already run:
114
+ Failed or unavailable tools:
115
+ Release/recovery decision:
116
+ Rollback notes:
117
+ Next verification command:
118
+ Next action:
119
+ ```
120
+
121
+ If the handoff is meant to prove fresh-session acceptance, use `references/forward-test.md` and record `accepted by: fresh-session` only after a separate session actually follows the packet.
122
+
123
+ ## Minimum Recovery Record
124
+
125
+ Use this compact format in evidence logs, handoffs, or final status:
126
+
127
+ ```text
128
+ Recovery class:
129
+ Current objective:
130
+ Current state:
131
+ Changed files:
132
+ Commands run:
133
+ Failed or unavailable tools:
134
+ Evidence that still holds:
135
+ Evidence that is missing or weak:
136
+ Rollback or resume decision:
137
+ Risks:
138
+ Next action:
139
+ ```
140
+
141
+ Keep command output short. Link to logs or evidence files instead of pasting noisy output.
142
+
143
+ ## Handoff Requirements
144
+
145
+ A future-agent handoff must include:
146
+
147
+ - The active goal or spec and the current slice outcome.
148
+ - Files changed and files intentionally left untouched.
149
+ - Commands/tests/smokes already run and their result status.
150
+ - Known blockers, assumptions, unavailable tools, and residual risk.
151
+ - The next concrete action, not a vague instruction to investigate everything.
152
+ - Any project-specific rules from `.gse/project-profile.md`, AGENTS.md, or host adapter notes that affected the work.
153
+ - Whether the work is result, verified, accepted, blocked, rollback required, or not ready according to references/evidence-taxonomy.md.
154
+
155
+ If real subagent tools are unavailable, say so. A sequential-role note or handoff is not real delegation.
156
+
157
+ ## Verification After Recovery
158
+
159
+ After resuming from recovery or handoff:
160
+
161
+ - Re-read the controlling goal, current slice, and project rules before editing.
162
+ - Inspect current files instead of trusting the handoff blindly.
163
+ - Re-run the smallest focused evidence that proves the recovered path still works.
164
+ - Reclassify readiness with references/evidence-taxonomy.md.
165
+ - Update the evidence log with what changed since the handoff.
166
+
167
+ If evidence changed or contradicted the handoff, prefer current-state evidence.
168
+
169
+ ## Integration
170
+
171
+ - Use references/file-ownership.md before reverting, moving, deleting, or cleaning files.
172
+ - Use references/release.md when recovery affects release, rollback, migration, changelog/release notes, or release acceptance.
173
+ - Use references/quality-gates.md when failed verification, cancellation, retry, or recovery behavior affects completion.
174
+ - Use references/review.md when recovery changes code, shared workflow rules, release paths, security/privacy behavior, or user-visible product behavior.
175
+ - Use references/forward-test.md when recovery or handoff rules become reusable GSE behavior that future agents must follow.
176
+ - Use references/learning-system.md only for reusable lessons; do not log noisy transient failures.
@@ -0,0 +1,43 @@
1
+ # Release Trust
2
+
3
+ Use this when preparing GSE for public, shared, or marketplace-style distribution.
4
+
5
+ GSE signing mechanics prove that a package matches a signed manifest. They do not prove maintainer identity, public key custody, account security, or marketplace trust. Treat those as release governance.
6
+
7
+ ## Required Release Trust Record
8
+
9
+ For every public release, record:
10
+
11
+ - Release label and package digest.
12
+ - Public key fingerprint.
13
+ - Maintainer or release owner.
14
+ - Signing machine or signing environment.
15
+ - Key custody location.
16
+ - Rotation policy.
17
+ - Revocation path if a key is compromised.
18
+ - Verification command used by a fresh install.
19
+ - Accepted by owner or release authority.
20
+
21
+ Use `assets/templates/release-trust-record.md`.
22
+
23
+ ## Key Custody Rules
24
+
25
+ Key custody is a release owner responsibility.
26
+
27
+ - Do not commit private keys.
28
+ - Do not package private keys.
29
+ - Do not generate production keys inside a temporary audit folder.
30
+ - Store production private keys in a host secret store, hardware-backed key store, or explicitly approved private release environment.
31
+ - Publish public keys and fingerprints with release notes.
32
+ - Rotate keys when custody changes, maintainer access changes, or compromise is suspected.
33
+ - Keep an owner-approved revocation note for retired keys.
34
+
35
+ ## Verification Rules
36
+
37
+ A release can claim:
38
+
39
+ - `signed`: a package signature exists.
40
+ - `verified`: `verify-gse-package.mjs` passes against the published public key.
41
+ - `trusted`: signed and verified, with an owner-accepted release trust record.
42
+
43
+ Do not claim `trusted` from signing alone.
@@ -0,0 +1,126 @@
1
+ # Release Workflow
2
+
3
+ Use this when a GSE slice affects shipping, installation, upgrade, runtime compatibility, user-visible behavior, migrations, rollback, changelog policy, or long-running project readiness.
4
+
5
+ Release workflow is a gate, not a deployment tool. It defines what must be known before claiming a release is ready.
6
+
7
+ ## Trigger Conditions
8
+
9
+ Run this workflow when any of these are true:
10
+
11
+ - A change is intended for a versioned release, public handoff, package update, installer update, or user-facing delivery.
12
+ - A change affects install, bootstrap, update, compatibility, migration, rollback, data retention, or runtime configuration.
13
+ - A change modifies product identity, permissions, model/provider routing, worker behavior, state persistence, evidence gates, or generated project scaffold files.
14
+ - A bug fix touches a main path where regression risk matters.
15
+ - Architecture health scan reports migration, release, rollback, dependency, security, or ownership risk.
16
+ - The project requires changelog, release notes, approvals, or deployment evidence.
17
+
18
+ For tiny internal edits with no release surface, record why release workflow is not applicable.
19
+
20
+ ## Release Levels
21
+
22
+ Pick the smallest release level that matches the blast radius.
23
+
24
+ | Level | Use when | Minimum gate |
25
+ |---|---|---|
26
+ | Patch | Bug fix, doc correction, template wording, low-risk scaffold update | Focused verification, known risk, release note if user-visible |
27
+ | Minor | New capability, new template, new script behavior, new adapter route, non-breaking workflow change | Focused verification, backward compatibility check, rollback or revert path, release notes |
28
+ | Major | Breaking workflow, migration, removed behavior, changed source of truth, broad architecture change | Migration plan, rollback plan, compatibility notes, architecture health scan, release acceptance evidence |
29
+ | Incident hotfix | Urgent fix for broken main path, data risk, security/privacy issue, release blocker | Minimal safe fix, reproduction or failure evidence, focused verification, incident follow-up |
30
+
31
+ ## Minimum Release Checklist
32
+
33
+ Before calling a release ready, confirm:
34
+
35
+ - Outcome and scope match the accepted goal or spec.
36
+ - Version or release label is known, or the project explicitly does not use version labels.
37
+ - Changelog or release notes explain user-visible changes, breaking changes, migration notes, and known risks.
38
+ - Focused verification proves the changed behavior, not only file existence.
39
+ - Compatibility impact is checked against supported hosts, runtimes, package managers, project modes, and important configuration paths.
40
+ - Migration and rollback expectations are documented for any state, schema, config, scaffold, or runtime change.
41
+ - Security, privacy, permissions, secrets, and raw tool/provider traces are reviewed when relevant.
42
+ - Observability, error diagnosis, or incident path is adequate for risky changes.
43
+ - Evidence status is classified with references/evidence-taxonomy.md: result, verified, or accepted.
44
+ - Follow-up slices are recorded instead of hidden in final prose.
45
+
46
+ ## Migration And Rollback
47
+
48
+ Capture migration and rollback at the same level of detail as the risk.
49
+
50
+ For low-risk changes:
51
+
52
+ - State whether revert is enough.
53
+ - Name the files or artifacts that would be reverted.
54
+
55
+ For stateful or compatibility-impacting changes:
56
+
57
+ - Define old state, new state, and compatibility window.
58
+ - Define data backup, restore, or fallback behavior.
59
+ - Define how to detect failed migration or partial rollout.
60
+ - Define whether downgrade is supported.
61
+
62
+ For release-blocking uncertainty, do not claim accepted. Record a decision needed or follow-up slice.
63
+
64
+ ## Changelog And Release Notes Policy
65
+
66
+ Use the project convention first. If none exists, keep release notes short and structured:
67
+
68
+ ```text
69
+ Release label:
70
+ Date:
71
+ Type: patch | minor | major | incident hotfix
72
+ Highlights:
73
+ Changed:
74
+ Fixed:
75
+ Migration or rollback:
76
+ Known risks:
77
+ Verification:
78
+ Follow-up slices:
79
+ ```
80
+
81
+ Rules:
82
+
83
+ - Mention user-visible behavior separately from internal implementation.
84
+ - Mark breaking changes clearly.
85
+ - Do not include secrets, raw provider payloads, private reasoning, or noisy command logs.
86
+ - Link to evidence files or CI/test results instead of pasting long output.
87
+ - If the release is internal-only, say so and explain the affected operators or future agents.
88
+
89
+ ## Release Evidence Record
90
+
91
+ Use `assets/templates/update-release-acceptance-record.md` when a project needs to preserve local decisions, changed files, rollback notes, owner gate, accepted-by status, and residual risk in one compact record.
92
+
93
+ For quick release notes, use this concise format in evidence logs or release notes:
94
+
95
+ ```text
96
+ Release scope:
97
+ Release level:
98
+ Readiness: not ready | result | verified | accepted
99
+ Verification evidence:
100
+ Compatibility evidence:
101
+ Migration or rollback:
102
+ Known risks:
103
+ Decisions needed:
104
+ Follow-up slices:
105
+ ```
106
+
107
+ Readiness meanings:
108
+
109
+ - not ready: required release evidence is missing or contradicted.
110
+ - result: release artifacts or notes exist, but behavior is not verified.
111
+ - verified: focused checks prove release-relevant behavior in the current environment.
112
+ - accepted: the required owner, CI, smoke, or production-like evidence for this release level has passed.
113
+
114
+ Do not mark `accepted` only because local validation passed. Use `accepted` only when the required owner, release policy, CI gate, smoke gate, archive gate, or explicitly named acceptance policy accepts the verified result.
115
+
116
+ ## Integration
117
+
118
+ - Use references/quality-gates.md for the base release gate list.
119
+ - Use references/public-release.md before public GitHub, marketplace, catalog, registry, or external package handoff.
120
+ - Use references/architecture-health.md when migration, rollback, dependency, security, performance, resilience, compatibility, or source-of-truth risk exists.
121
+ - Use references/review.md for spec compliance, code quality, security/privacy, regression, and evidence review before release.
122
+ - Use references/project-profile.md for project-specific release commands, versioning, deployment, rollback, and approval rules.
123
+ - Use references/evidence-taxonomy.md to avoid overstating readiness.
124
+ - Use references/recovery.md when release work is interrupted, rollback is possible, verification fails, or future-agent continuation is needed.
125
+ - Use references/forward-test.md for non-trivial GSE release, scaffold, adapter, recovery, or packaging changes.
126
+ - Use `assets/templates/update-release-acceptance-record.md` for project-local update and release acceptance records.
@@ -0,0 +1,141 @@
1
+ # Review Protocol
2
+
3
+ Use this when GSE work needs a review beyond simple local verification: code changes, workflow rules, scaffolds, agent roles, adapters, release paths, security-sensitive behavior, or user-visible product behavior.
4
+
5
+ ## Core Rule
6
+
7
+ Review must answer two separate questions:
8
+
9
+ 1. Spec compliance: did we build the requested thing and only the requested thing?
10
+ 2. Code/workflow quality: is the result maintainable, safe, testable, and consistent with the project?
11
+
12
+ Do not collapse these into a vague "looks good" check.
13
+
14
+ ## When Review Is Required
15
+
16
+ | Task risk | Review requirement |
17
+ |---|---|
18
+ | Level 1 tiny edit | Optional; self-check against acceptance is enough when evidence is direct |
19
+ | Level 2 normal slice | Required if code, shared config, reusable templates, workflow rules, or user-visible behavior changed |
20
+ | Level 3 large/risky work | Required; separate spec compliance, quality, QA/evidence, and coordinator integration review |
21
+ | Security/privacy/release impact | Required; include security/privacy and rollback/evidence review |
22
+ | Multi-agent or delegated work | Required when roles modify files or produce evidence |
23
+
24
+ Review is unnecessary for evidence-only status updates, typo-only edits, or transient notes unless they change process meaning.
25
+
26
+ ## Review Axes
27
+
28
+ ### 1. Spec Compliance Review
29
+
30
+ Checks whether the result matches the defined outcome, scope, non-goals, and acceptance criteria.
31
+
32
+ Questions:
33
+
34
+ - Does the change satisfy the requested outcome?
35
+ - Did scope expand silently?
36
+ - Were non-goals respected?
37
+ - Are required files/artifacts present?
38
+ - Is the evidence directly tied to acceptance?
39
+ - Are user-visible names, identities, and permissions correct?
40
+
41
+ ### 2. Code Quality Review
42
+
43
+ Checks maintainability and implementation quality.
44
+
45
+ Questions:
46
+
47
+ - Does the change follow existing project patterns?
48
+ - Is the code or workflow simpler than the problem requires?
49
+ - Are abstractions justified?
50
+ - Are generated files, lockfiles, or unrelated refactors avoided?
51
+ - Are edge cases, errors, retries, cancellation, or recovery handled when relevant?
52
+
53
+ ### 3. Architecture Drift Review
54
+
55
+ Checks whether the change preserves project boundaries and long-term shape.
56
+
57
+ Questions:
58
+
59
+ - Did this introduce a new pattern without need?
60
+ - Does it cross module, package, product, or host boundaries incorrectly?
61
+ - Does it duplicate a source of truth?
62
+ - Does it create coupling that future agents will misunderstand?
63
+ - Should the issue be handled by a `references/architecture-health.md` scan?
64
+
65
+ ### 4. Security And Privacy Review
66
+
67
+ Checks user data, secrets, permissions, external services, and tool traces.
68
+
69
+ Questions:
70
+
71
+ - Are secrets, tokens, raw provider payloads, and hidden reasoning excluded from user-visible output and committed files?
72
+ - Are write-capable tools and destructive commands bounded?
73
+ - Are external inputs treated as untrusted?
74
+ - Are privacy constraints respected for model routing, logs, browser traces, and MCP/tools?
75
+
76
+ ### 5. Regression And Missing-Test Review
77
+
78
+ Checks whether the verification actually covers the changed behavior.
79
+
80
+ Questions:
81
+
82
+ - Would the focused test/smoke fail if the change were broken?
83
+ - Are existing tests or checks enough for this risk?
84
+ - Is a regression test needed for a bug fix?
85
+ - Are UI/API/state/error/cancel/retry paths covered when relevant?
86
+
87
+ ### 6. Evidence Review
88
+
89
+ Checks whether the final claim is supported.
90
+
91
+ Questions:
92
+
93
+ - Is the status result, verified, or accepted according to `references/evidence-taxonomy.md`?
94
+ - Is residual risk recorded?
95
+ - Is a forward test required by `references/forward-test.md`?
96
+ - Are tool statuses documented, verified, unknown, or unavailable without exaggeration?
97
+
98
+ ## Review Output
99
+
100
+ Use this concise format:
101
+
102
+ ```text
103
+ Review type: spec compliance | code quality | architecture drift | security/privacy | regression/missing-test | evidence
104
+ Verdict: approve | request changes | needs context | not applicable
105
+ Severity: critical | important | suggestion | note
106
+ Findings:
107
+ Evidence checked:
108
+ Required fixes:
109
+ Deferred risks:
110
+ ```
111
+
112
+ For no-issue reviews, say which axes were checked. Do not rubber-stamp with only `LGTM`.
113
+
114
+ ## Severity Rules
115
+
116
+ - `critical`: security issue, data loss, broken main path, destructive operation, irreversible release risk.
117
+ - `important`: likely bug, missing acceptance evidence, meaningful architecture drift, missing regression coverage.
118
+ - `suggestion`: improvement that is useful but not required for this slice.
119
+ - `note`: context for future work, no action required.
120
+
121
+ ## Multi-Agent Review Order
122
+
123
+ When using real subagents or sequential role simulation:
124
+
125
+ 1. Builder reports files changed and verification run.
126
+ 2. Spec compliance review checks scope and acceptance first.
127
+ 3. Code quality review checks maintainability and risks second.
128
+ 4. QA/evidence review confirms the verification story.
129
+ 5. Coordinator integrates findings and decides final status.
130
+
131
+ Do not start code-quality approval before unresolved spec compliance issues are addressed.
132
+
133
+ ## Project Integration
134
+
135
+ - `references/agent-roles.md` defines Reviewer and QA responsibilities.
136
+ - `assets/templates/dispatch-packet.md` records whether spec compliance, code quality, QA/evidence, and coordinator review are required.
137
+ - `references/architecture-health.md` defines structural scan triggers, scope levels, findings, risks, decisions, and follow-up slices.
138
+ - `references/quality-gates.md` decides when review is required by risk.
139
+ - `references/domain-quality-gates.md` selects security/privacy, performance/cost, accessibility, resilience/recovery, UI/browser, API/state, data/migration, model/tool routing, and release/operations gates by domain risk.
140
+ - `references/evidence-taxonomy.md` decides whether a reviewed result is verified or accepted.
141
+ - `.gse/project-profile.md` can add project-specific review standards, owners, or required commands.
@@ -0,0 +1,90 @@
1
+ # Router
2
+
3
+ Use this to choose the GSE path before loading detailed references. The router selects; it does not replace the selected reference files.
4
+
5
+ ## Inputs
6
+
7
+ Classify the request with these inputs:
8
+
9
+ - Work target: GSE skill itself, a project adopting GSE, or ordinary project work inside a GSE project.
10
+ - Task level: Lite, Standard, or Enterprise from `task-levels.md`.
11
+ - Change type: setup, feature, bug, refactor, research, UI, release, incident, skill improvement, or tool adapter.
12
+ - Tool availability: verified, documented, unknown, or unavailable from `tool-adapters.md`.
13
+ - Project constraints: `.gse/project-profile.md`, AGENTS/CLAUDE/GEMINI rules, CI, MCP, LSP, browser, release, and security boundaries.
14
+ - Command-style usage: `/gse ...`, `gse: ...`, or equivalent natural-language command from `commands.md`.
15
+
16
+ ## Universal Start
17
+
18
+ For meaningful work:
19
+
20
+ 1. Read project or skill rules first.
21
+ 2. Read `.gse/project-profile.md` when working inside a project.
22
+ 3. Read `.gse/gse-design-master-plan.md`, `.gse/goal-map.md`, and `.gse/current-slice.md` when improving GSE itself.
23
+ 4. If the request starts with `/gse` or `gse:`, load `references/commands.md` and map the command before selecting the route.
24
+ 5. Select one route below.
25
+ 6. Load only the reference files required by that route.
26
+
27
+ ## Route Map
28
+
29
+ | Situation | Route | Required References | Optional Adapters |
30
+ |---|---|---|---|
31
+ | User asks `/gse ...` or `gse: ...` | Command routing | `commands.md`, then the mapped route reference | host-specific slash command adapters |
32
+ | Improve GSE skill itself | GSE self-development | `.gse/gse-development-protocol.md`, `.gse/gse-design-master-plan.md`, `benchmark-audit.md` | `audit-gse.mjs`, `skill-creator`, benchmark repos |
33
+ | Initialize GSE in a project | Project bootstrap | `project-bootstrap.md`, `project-profile.md`, `project-agent-workspace.md` | `init-project.mjs` |
34
+ | Discover project rules/tools | Project profile | `project-profile.md`, `tool-adapters.md` | future `discover-project-profile.mjs`, LSP, MCP, CI |
35
+ | Plan feature or product slice | Spec workflow | `task-levels.md`, `goal-map.md`, `spec-workflow.md`, `quality-gates.md` | OpenSpec, Comet, subagents |
36
+ | Implement bounded slice | Execute workflow | `operating-model.md`, `quality-gates.md`, `tool-adapters.md` | TDD, LSP, browser QA, CI |
37
+ | Debug bug or incident | Recovery workflow | `quality-gates.md`, `learning-system.md`; add recovery reference when available | browser/API smoke, logs, incident review |
38
+ | UI or browser-visible change | UI verification | `quality-gates.md`, `tool-adapters.md`, project profile | Browser, Playwright, screenshots |
39
+ | Multi-agent execution | Role workflow | `agent-roles.md`, `quality-gates.md` | subagent tools, worktrees, file ownership reference when available |
40
+ | Release or migration | Release workflow | `quality-gates.md`; add release reference when available | CI, deployment, smoke, rollback |
41
+ | Add or evaluate tool adapter | Adapter workflow | `tool-adapters.md`, `project-profile.md`, `benchmark-audit.md` for GSE changes | MCP, LSP, browser, model routing |
42
+ | Record reusable lesson | Learning workflow | `learning-system.md` | self-improvement |
43
+
44
+ ## Level Rules
45
+
46
+ Lite:
47
+
48
+ - Use when the task is small, local, low-risk, and independently verifiable.
49
+ - Keep artifacts minimal: outcome, scope, acceptance, evidence, next action.
50
+ - Do not create a change folder unless it prevents confusion.
51
+
52
+ Standard:
53
+
54
+ - Use for user-visible behavior, API/state changes, multi-file edits, project setup, or GSE reference/script changes.
55
+ - Bind to goal map or current slice.
56
+ - Record evidence in `.gse/evidence/` or the project evidence log.
57
+
58
+ Enterprise:
59
+
60
+ - Use for cross-module architecture, release, migration, security, multi-agent execution, compliance, or long-running productization.
61
+ - Require explicit gates for risk, rollback, ownership, verification, and learning.
62
+
63
+ ## Tool Routing Rules
64
+
65
+ - Use `rg`/`rg --files` first for code and file discovery.
66
+ - Use LSP/index when verified or documented for the project.
67
+ - Use browser/Playwright for user-visible UI behavior.
68
+ - Use API smoke or focused tests for API/state behavior.
69
+ - Use OpenSpec or Comet when the project has them and the change benefits from formal lifecycle artifacts.
70
+ - Use subagents only when real dispatch tools exist; otherwise execute roles sequentially and say so.
71
+ - Use markdown fallback when optional tools are unavailable.
72
+
73
+ ## GSE Self-Development Route
74
+
75
+ When changing GSE itself:
76
+
77
+ 1. Read `.gse/gse-design-master-plan.md`, `.gse/goal-map.md`, and `.gse/current-slice.md`.
78
+ 2. Run or consult `scripts/audit-gse.mjs` to see current structural gaps.
79
+ 3. If the change is non-trivial, update or create a benchmark audit.
80
+ 4. Prefer scripts/templates/gates for repeatable behavior.
81
+ 5. Validate with focused smoke.
82
+ 6. Update `.gse/evidence/YYYY-MM-DD.md`, goal map, and current slice.
83
+
84
+ ## Anti-Routes
85
+
86
+ - Do not use GSE as a reason to ignore project rules.
87
+ - Do not load every reference file by default.
88
+ - Do not treat optional tools as hard prerequisites.
89
+ - Do not claim a route succeeded without evidence.
90
+ - Do not keep adding prose when a script or template would make the behavior repeatable.
@@ -0,0 +1,66 @@
1
+ # Spec Workflow
2
+
3
+ Use specs to prevent agents from implementing vague intent.
4
+
5
+ ## Markdown Fallback
6
+
7
+ Create `.gse/changes/<change-id>/` with:
8
+
9
+ ```text
10
+ brief.md # why and user outcome
11
+ spec.md # behavior and acceptance
12
+ design.md # approach, state, risk, privacy
13
+ tasks.md # verifiable slices
14
+ evidence.md # proof and verification
15
+ review.md # review findings and closure
16
+ execution-quality-pack.md # skills, tool routing, quality gates, evidence, closure
17
+ ```
18
+
19
+ Portable helper:
20
+
21
+ ```text
22
+ node <gse-skill>/scripts/init-change.mjs --target <project-root> --change-id <change-id> --level lite|standard|enterprise
23
+ ```
24
+
25
+ Close and archive helper:
26
+
27
+ ```text
28
+ node <gse-skill>/scripts/close-change.mjs --target <project-root> --change-id <change-id> --status result|verified|accepted
29
+ ```
30
+
31
+ Closing a change moves `.gse/changes/<change-id>/` to `.gse/archive/<date>-<change-id>/` and appends a `change-archive` record to `.gse/evidence/index.jsonl`.
32
+
33
+ ## Optional OpenSpec Adapter
34
+
35
+ Use OpenSpec when the project has it and the task changes a capability, API, state machine, data model, or public contract.
36
+
37
+ Expected OpenSpec artifacts:
38
+
39
+ - proposal.md
40
+ - design.md
41
+ - tasks.md
42
+ - delta specs
43
+
44
+ ## Optional Comet Adapter
45
+
46
+ Use Comet when a full change lifecycle is useful and the skill/tools are installed.
47
+
48
+ Comet is suitable for Level 2 and Level 3 work that benefits from open, design, build, verify, archive phases.
49
+
50
+ ## Optional Superpowers Adapter
51
+
52
+ Use Superpowers when complex planning, staged execution, subagent orchestration, or multi-pass review is available and useful.
53
+
54
+ GSE's native fallback is `execution-quality-pack.md` plus `references/quality-gates.md`, `references/domain-quality-gates.md`, `references/agent-roles.md`, and `references/review.md`.
55
+
56
+ Do not require Superpowers for Lite tasks or when the current host does not expose the needed tools.
57
+
58
+ ## Spec Quality Checklist
59
+
60
+ - User outcome is explicit.
61
+ - Non-goals are explicit.
62
+ - Acceptance is testable.
63
+ - Error and recovery behavior is covered for risky paths.
64
+ - Privacy and permission boundaries are stated when relevant.
65
+ - Evidence type is known before implementation.
66
+ - Execution skills, tool routing, selected quality gates, and review closure are explicit for Standard and Enterprise work.