@t275005746/gse 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (207) hide show
  1. package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -0
  2. package/.github/ISSUE_TEMPLATE/change_request.yml +50 -0
  3. package/.github/ISSUE_TEMPLATE/config.yml +5 -0
  4. package/.github/PULL_REQUEST_TEMPLATE.md +38 -0
  5. package/.github/workflows/validate-gse.yml +33 -0
  6. package/.gse/README.md +18 -0
  7. package/.gse/gse-development-protocol.md +50 -0
  8. package/.gse/project-profile.md +29 -0
  9. package/.gse/quality-gates.md +25 -0
  10. package/.gse/releases/public-channel-publication-pending.md +49 -0
  11. package/.gse/releases/public-ci-run-pending.md +53 -0
  12. package/.gse/releases/public-release-owner-required.md +65 -0
  13. package/.gse/releases/public-repository-settings-owner-required.md +59 -0
  14. package/.gse/releases/public-security-contact-owner-required.md +45 -0
  15. package/.gse/state.json +27 -0
  16. package/CHANGELOG.md +24 -0
  17. package/CONTRIBUTING.md +64 -0
  18. package/LICENSE +21 -0
  19. package/README.md +236 -0
  20. package/README.zh-CN.md +236 -0
  21. package/SECURITY.md +41 -0
  22. package/SKILL.md +148 -0
  23. package/SUPPORT.md +38 -0
  24. package/agents/openai.yaml +4 -0
  25. package/assets/marketplace/README.md +7 -0
  26. package/assets/marketplace/gse-listing.json +75 -0
  27. package/assets/templates/acceptance-execution-packet.md +73 -0
  28. package/assets/templates/adr.md +14 -0
  29. package/assets/templates/change-brief.md +16 -0
  30. package/assets/templates/design.md +18 -0
  31. package/assets/templates/dispatch-packet.md +104 -0
  32. package/assets/templates/evidence.md +14 -0
  33. package/assets/templates/execution-quality-pack.md +65 -0
  34. package/assets/templates/goal-map.md +21 -0
  35. package/assets/templates/host-adapter.md +48 -0
  36. package/assets/templates/host-ui-invocation-record.md +42 -0
  37. package/assets/templates/incident-review.md +60 -0
  38. package/assets/templates/public-channel-publication-record.md +49 -0
  39. package/assets/templates/public-ci-run-record.md +53 -0
  40. package/assets/templates/public-release-record.md +65 -0
  41. package/assets/templates/public-repository-settings-record.md +59 -0
  42. package/assets/templates/public-security-contact-record.md +45 -0
  43. package/assets/templates/release-trust-record.md +32 -0
  44. package/assets/templates/review.md +18 -0
  45. package/assets/templates/spec.md +16 -0
  46. package/assets/templates/target-adoption-evidence.md +29 -0
  47. package/assets/templates/tasks.md +17 -0
  48. package/assets/templates/update-release-acceptance-record.md +58 -0
  49. package/examples/README.md +22 -0
  50. package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -0
  51. package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -0
  52. package/examples/agent-runtime-host/.gse/goal-map.md +7 -0
  53. package/examples/agent-runtime-host/.gse/project-profile.md +27 -0
  54. package/examples/agent-runtime-host/.gse/tooling.md +5 -0
  55. package/examples/agent-runtime-host/.mcp.json +9 -0
  56. package/examples/agent-runtime-host/AGENTS.md +5 -0
  57. package/examples/agent-runtime-host/README.md +10 -0
  58. package/examples/agent-runtime-host/docs/model-routing.md +5 -0
  59. package/examples/cli-tool/.gse/project-profile.md +21 -0
  60. package/examples/cli-tool/AGENTS.md +5 -0
  61. package/examples/cli-tool/README.md +12 -0
  62. package/examples/cli-tool/package.json +21 -0
  63. package/examples/small-app/.env.example +2 -0
  64. package/examples/small-app/.github/workflows/ci.yml +8 -0
  65. package/examples/small-app/AGENTS.md +5 -0
  66. package/examples/small-app/README.md +12 -0
  67. package/examples/small-app/package.json +26 -0
  68. package/examples/small-app/playwright.config.ts +4 -0
  69. package/package.json +53 -0
  70. package/references/adoption-recipes.md +171 -0
  71. package/references/agent-roles.md +49 -0
  72. package/references/architecture-health.md +101 -0
  73. package/references/benchmark-audit.md +73 -0
  74. package/references/commands.md +295 -0
  75. package/references/community-channels.md +46 -0
  76. package/references/compatibility.md +70 -0
  77. package/references/design-basis.md +38 -0
  78. package/references/domain-model.md +129 -0
  79. package/references/domain-quality-gates.md +75 -0
  80. package/references/drift-audit.md +81 -0
  81. package/references/evidence-taxonomy.md +123 -0
  82. package/references/file-ownership.md +107 -0
  83. package/references/final-readiness.md +84 -0
  84. package/references/forward-test.md +133 -0
  85. package/references/goal-map.md +36 -0
  86. package/references/host-adapters.md +119 -0
  87. package/references/learning-system.md +35 -0
  88. package/references/marketplace-discovery.md +46 -0
  89. package/references/model-routing.md +103 -0
  90. package/references/open-source-defaults.md +39 -0
  91. package/references/operating-model.md +52 -0
  92. package/references/packaging.md +277 -0
  93. package/references/project-agent-workspace.md +89 -0
  94. package/references/project-bootstrap.md +122 -0
  95. package/references/project-profile.md +57 -0
  96. package/references/public-release.md +174 -0
  97. package/references/quality-gates.md +100 -0
  98. package/references/recovery.md +176 -0
  99. package/references/release-trust.md +43 -0
  100. package/references/release.md +126 -0
  101. package/references/review.md +141 -0
  102. package/references/router.md +90 -0
  103. package/references/spec-workflow.md +66 -0
  104. package/references/task-levels.md +81 -0
  105. package/references/tool-adapters.md +73 -0
  106. package/scripts/audit-acceptance-execution-packet.mjs +133 -0
  107. package/scripts/audit-adoption-recipes.mjs +99 -0
  108. package/scripts/audit-adoption.mjs +154 -0
  109. package/scripts/audit-change-lifecycle.mjs +77 -0
  110. package/scripts/audit-change-system.mjs +134 -0
  111. package/scripts/audit-ci-readiness.mjs +107 -0
  112. package/scripts/audit-close-gate.mjs +323 -0
  113. package/scripts/audit-command-adapters.mjs +91 -0
  114. package/scripts/audit-command-execution.mjs +210 -0
  115. package/scripts/audit-commands.mjs +117 -0
  116. package/scripts/audit-compatibility.mjs +149 -0
  117. package/scripts/audit-completion-readiness.mjs +292 -0
  118. package/scripts/audit-distribution.mjs +251 -0
  119. package/scripts/audit-domain-quality-gates.mjs +108 -0
  120. package/scripts/audit-evidence-placeholders.mjs +126 -0
  121. package/scripts/audit-final-acceptance-packet.mjs +148 -0
  122. package/scripts/audit-final-form-progress-report.mjs +161 -0
  123. package/scripts/audit-final-form-stale-copy.mjs +221 -0
  124. package/scripts/audit-final-readiness-promotion.mjs +255 -0
  125. package/scripts/audit-final-readiness.mjs +226 -0
  126. package/scripts/audit-fixtures.mjs +154 -0
  127. package/scripts/audit-fresh-session-readiness.mjs +177 -0
  128. package/scripts/audit-gse.mjs +275 -0
  129. package/scripts/audit-host-adapters.mjs +119 -0
  130. package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -0
  131. package/scripts/audit-host-runtime-invocation-drill.mjs +240 -0
  132. package/scripts/audit-host-runtime-invocations.mjs +254 -0
  133. package/scripts/audit-host-ui-invocation.mjs +132 -0
  134. package/scripts/audit-learning-system.mjs +103 -0
  135. package/scripts/audit-local-final-form-completion.mjs +131 -0
  136. package/scripts/audit-marketplace-discovery.mjs +122 -0
  137. package/scripts/audit-npm-package-metadata.mjs +155 -0
  138. package/scripts/audit-npm-publish-dry-run.mjs +169 -0
  139. package/scripts/audit-npm-tarball-install.mjs +191 -0
  140. package/scripts/audit-open-source-defaults.mjs +92 -0
  141. package/scripts/audit-open-source-readiness.mjs +97 -0
  142. package/scripts/audit-owner-external-gate-kit.mjs +218 -0
  143. package/scripts/audit-project.mjs +323 -0
  144. package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -0
  145. package/scripts/audit-public-acceptance-handoff.mjs +142 -0
  146. package/scripts/audit-public-acceptance-readiness.mjs +224 -0
  147. package/scripts/audit-public-channel-publication.mjs +248 -0
  148. package/scripts/audit-public-ci-run.mjs +184 -0
  149. package/scripts/audit-public-collaboration-templates.mjs +98 -0
  150. package/scripts/audit-public-external-gate-probe.mjs +206 -0
  151. package/scripts/audit-public-release-checklist.mjs +133 -0
  152. package/scripts/audit-public-release-decision.mjs +201 -0
  153. package/scripts/audit-public-release-metadata.mjs +176 -0
  154. package/scripts/audit-public-repository-settings.mjs +237 -0
  155. package/scripts/audit-public-security-contact.mjs +171 -0
  156. package/scripts/audit-readme-docs.mjs +185 -0
  157. package/scripts/audit-recovery-readiness.mjs +98 -0
  158. package/scripts/audit-release-bundle.mjs +251 -0
  159. package/scripts/audit-release-owner-action-plan-drill.mjs +277 -0
  160. package/scripts/audit-release-owner-action-plan.mjs +164 -0
  161. package/scripts/audit-release-readiness.mjs +106 -0
  162. package/scripts/audit-release-status-manifest.mjs +165 -0
  163. package/scripts/audit-release-trust.mjs +62 -0
  164. package/scripts/audit-remote-distribution.mjs +266 -0
  165. package/scripts/audit-roadmap-consistency.mjs +235 -0
  166. package/scripts/audit-signing.mjs +147 -0
  167. package/scripts/audit-state-freshness.mjs +113 -0
  168. package/scripts/audit-target-adoption-evidence.mjs +117 -0
  169. package/scripts/audit-target-project.mjs +507 -0
  170. package/scripts/audit-update-release-acceptance.mjs +136 -0
  171. package/scripts/audit-v1-target-validation.mjs +269 -0
  172. package/scripts/audit-validation-profiles.mjs +125 -0
  173. package/scripts/close-change.mjs +116 -0
  174. package/scripts/discover-project-profile.mjs +307 -0
  175. package/scripts/forward-test-gse.mjs +146 -0
  176. package/scripts/generate-command-adapter.mjs +231 -0
  177. package/scripts/generate-final-acceptance-packet.mjs +181 -0
  178. package/scripts/generate-final-form-progress-report.mjs +205 -0
  179. package/scripts/generate-host-adapter.mjs +73 -0
  180. package/scripts/generate-host-runtime-evidence-handoff.mjs +206 -0
  181. package/scripts/generate-owner-external-gate-kit.mjs +295 -0
  182. package/scripts/generate-public-acceptance-handoff.mjs +168 -0
  183. package/scripts/generate-public-release-checklist.mjs +207 -0
  184. package/scripts/generate-release-bundle.mjs +505 -0
  185. package/scripts/generate-release-owner-action-plan.mjs +172 -0
  186. package/scripts/generate-release-status-manifest.mjs +200 -0
  187. package/scripts/generate-session-prompt.mjs +188 -0
  188. package/scripts/gse.mjs +67 -0
  189. package/scripts/init-change.mjs +265 -0
  190. package/scripts/init-project.mjs +785 -0
  191. package/scripts/install-gse.mjs +234 -0
  192. package/scripts/lib/evidence-placeholders.mjs +28 -0
  193. package/scripts/package-gse.mjs +174 -0
  194. package/scripts/probe-public-external-gates.mjs +167 -0
  195. package/scripts/record-host-invocation.mjs +151 -0
  196. package/scripts/record-learning.mjs +137 -0
  197. package/scripts/record-public-channel-publication.mjs +178 -0
  198. package/scripts/record-public-ci-run.mjs +180 -0
  199. package/scripts/record-public-release.mjs +175 -0
  200. package/scripts/record-public-repository-settings.mjs +209 -0
  201. package/scripts/record-public-security-contact.mjs +157 -0
  202. package/scripts/run-gse-command.mjs +538 -0
  203. package/scripts/run-validation-profile.mjs +146 -0
  204. package/scripts/sign-gse-package.mjs +83 -0
  205. package/scripts/update-project-state.mjs +223 -0
  206. package/scripts/validate-gse.mjs +1168 -0
  207. package/scripts/verify-gse-package.mjs +85 -0
@@ -0,0 +1,235 @@
1
+ #!/usr/bin/env node
2
+ import fs from 'node:fs'
3
+ import path from 'node:path'
4
+
5
+ const args = process.argv.slice(2)
6
+
7
+ function readArg(name, fallback = null) {
8
+ const index = args.indexOf(name)
9
+ if (index === -1) return fallback
10
+ return args[index + 1] ?? fallback
11
+ }
12
+
13
+ const root = path.resolve(readArg('--root', path.join(import.meta.dirname, '..')))
14
+ const jsonOnly = args.includes('--json')
15
+
16
+ function read(relativePath) {
17
+ const fullPath = path.join(root, relativePath)
18
+ return fs.existsSync(fullPath) ? fs.readFileSync(fullPath, 'utf8') : ''
19
+ }
20
+
21
+ function exists(relativePath) {
22
+ return fs.existsSync(path.join(root, relativePath))
23
+ }
24
+
25
+ function check(id, label, ok, evidence, risk = '') {
26
+ return { id, label, status: ok ? 'passed' : 'failed', evidence, risk }
27
+ }
28
+
29
+ const masterPlan = read('.gse/gse-design-master-plan.md')
30
+ const goalMap = read('.gse/goal-map.md')
31
+ const validate = read('scripts/validate-gse.mjs')
32
+
33
+ const requiredVerifiedAssets = [
34
+ 'references/router.md',
35
+ 'references/evidence-taxonomy.md',
36
+ 'references/domain-model.md',
37
+ 'references/file-ownership.md',
38
+ 'references/forward-test.md',
39
+ 'references/review.md',
40
+ 'references/architecture-health.md',
41
+ 'references/release.md',
42
+ 'references/public-release.md',
43
+ 'references/recovery.md',
44
+ 'references/drift-audit.md',
45
+ 'references/compatibility.md',
46
+ 'references/packaging.md',
47
+ 'references/release-trust.md',
48
+ 'references/domain-quality-gates.md',
49
+ 'assets/templates/release-trust-record.md',
50
+ 'assets/templates/public-release-record.md',
51
+ 'assets/templates/acceptance-execution-packet.md',
52
+ 'assets/templates/target-adoption-evidence.md',
53
+ 'assets/templates/update-release-acceptance-record.md',
54
+ 'references/commands.md',
55
+ 'README.md',
56
+ 'README.zh-CN.md',
57
+ 'CONTRIBUTING.md',
58
+ 'SECURITY.md',
59
+ 'SUPPORT.md',
60
+ '.github/workflows/validate-gse.yml',
61
+ '.github/PULL_REQUEST_TEMPLATE.md',
62
+ '.github/ISSUE_TEMPLATE/bug_report.yml',
63
+ '.github/ISSUE_TEMPLATE/change_request.yml',
64
+ 'assets/templates/public-channel-publication-record.md',
65
+ 'assets/templates/public-ci-run-record.md',
66
+ 'assets/templates/public-security-contact-record.md',
67
+ 'assets/templates/public-repository-settings-record.md',
68
+ 'scripts/audit-gse.mjs',
69
+ 'scripts/validate-gse.mjs',
70
+ 'scripts/audit-target-project.mjs',
71
+ 'scripts/generate-session-prompt.mjs',
72
+ 'scripts/run-gse-command.mjs',
73
+ 'scripts/audit-command-execution.mjs',
74
+ 'scripts/audit-close-gate.mjs',
75
+ 'scripts/update-project-state.mjs',
76
+ 'scripts/init-change.mjs',
77
+ 'scripts/audit-change-system.mjs',
78
+ 'scripts/audit-roadmap-consistency.mjs',
79
+ 'scripts/audit-commands.mjs',
80
+ 'scripts/audit-readme-docs.mjs',
81
+ 'scripts/package-gse.mjs',
82
+ 'scripts/install-gse.mjs',
83
+ 'scripts/audit-distribution.mjs',
84
+ 'scripts/audit-remote-distribution.mjs',
85
+ 'scripts/sign-gse-package.mjs',
86
+ 'scripts/verify-gse-package.mjs',
87
+ 'scripts/audit-signing.mjs',
88
+ 'scripts/generate-command-adapter.mjs',
89
+ 'scripts/audit-command-adapters.mjs',
90
+ 'scripts/close-change.mjs',
91
+ 'scripts/audit-change-lifecycle.mjs',
92
+ 'scripts/audit-public-release-metadata.mjs',
93
+ 'scripts/record-public-release.mjs',
94
+ 'scripts/audit-public-release-decision.mjs',
95
+ 'scripts/record-public-ci-run.mjs',
96
+ 'scripts/audit-public-ci-run.mjs',
97
+ 'scripts/record-public-security-contact.mjs',
98
+ 'scripts/audit-public-security-contact.mjs',
99
+ 'scripts/record-public-channel-publication.mjs',
100
+ 'scripts/audit-public-channel-publication.mjs',
101
+ 'scripts/generate-release-bundle.mjs',
102
+ 'scripts/audit-release-bundle.mjs',
103
+ 'scripts/audit-open-source-readiness.mjs',
104
+ 'scripts/audit-ci-readiness.mjs',
105
+ 'scripts/audit-public-collaboration-templates.mjs',
106
+ 'scripts/record-public-repository-settings.mjs',
107
+ 'scripts/audit-public-repository-settings.mjs',
108
+ 'scripts/record-host-invocation.mjs',
109
+ 'scripts/audit-host-runtime-invocations.mjs',
110
+ 'references/final-readiness.md',
111
+ 'scripts/audit-final-readiness.mjs',
112
+ 'scripts/audit-final-readiness-promotion.mjs',
113
+ 'scripts/audit-final-form-stale-copy.mjs',
114
+ 'scripts/generate-final-acceptance-packet.mjs',
115
+ 'scripts/audit-final-acceptance-packet.mjs',
116
+ '.gse/releases/public-release-owner-required.md',
117
+ '.gse/releases/public-security-contact-owner-required.md',
118
+ ]
119
+
120
+ const stalePhrases = [
121
+ 'dedicated router missing',
122
+ 'taxonomy and archive lifecycle missing',
123
+ 'domain model reference should be expanded',
124
+ 'lock rules and forward-test examples missing',
125
+ 'vertical slice discipline is partially covered',
126
+ 'gate taxonomy and audit script missing',
127
+ 'review/architecture scan references need stronger integration',
128
+ 'Status: next.',
129
+ 'Status: planned.',
130
+ ]
131
+
132
+ const currentStatusTerms = [
133
+ 'router, command semantics, task levels, and tool routing are verified',
134
+ 'bilingual README docs',
135
+ 'native `.gse/changes/<change-id>/` change pack generation',
136
+ 'execution-quality pack templates',
137
+ 'domain model reference and ADR template are verified',
138
+ 'role docs, dispatch packet, file ownership, and forward-test fallback are verified',
139
+ 'review protocol and architecture health references are verified',
140
+ 'v0.2 - Self-Auditing GSE',
141
+ 'Status: verified.',
142
+ 'v0.3 - Project-Aware GSE',
143
+ 'Status: verified pending external acceptance.',
144
+ 'v0.4 - Quality And Release GSE',
145
+ 'v1.0 - Productized GSE',
146
+ 'Status: verified.',
147
+ 'owner-approved AION project-write acceptance is executed',
148
+ 'AION/MuseFlow v1 target validation',
149
+ 'target-project doctor',
150
+ '.gse/state.json',
151
+ '.gse/evidence/index.jsonl',
152
+ 'session prompt generator',
153
+ 'Close gate verifies',
154
+ 'safe project-local state/index update path',
155
+ 'local package/install distribution audit',
156
+ 'remote URL distribution and integrity audit',
157
+ 'package signing and verification audit',
158
+ 'portable command execution audit',
159
+ 'release trust and key custody policy audit',
160
+ 'public release metadata audit',
161
+ 'public release decision lifecycle audit',
162
+ 'public CI run record audit',
163
+ 'MIT license decision',
164
+ 'public channel publication record audit',
165
+ 'release bundle generation audit',
166
+ 'open-source repository readiness audit',
167
+ 'CI workflow readiness audit',
168
+ 'public collaboration template audit',
169
+ 'public security contact record audit',
170
+ 'public repository settings record audit',
171
+ 'host runtime invocation record mechanics',
172
+ 'final readiness matrix',
173
+ 'final-form progress report',
174
+ 'final readiness promotion audit',
175
+ 'final acceptance packet',
176
+ 'host command adapter audit',
177
+ 'change close/archive lifecycle',
178
+ 'OpenSpec-style requirements',
179
+ 'Superpowers-style execution skills',
180
+ 'AION and MuseFlow',
181
+ ]
182
+
183
+ const checks = [
184
+ check('RC01', 'roadmap consistency audit is wired into validator', validate.includes('audit-roadmap-consistency.mjs'), 'scripts/validate-gse.mjs'),
185
+ check('RC02', 'required verified roadmap assets exist', requiredVerifiedAssets.every(exists), requiredVerifiedAssets.join(', ')),
186
+ check('RC03', 'master plan no longer contains stale missing/planned status phrases', stalePhrases.every((phrase) => !masterPlan.includes(phrase)), stalePhrases.join(', ')),
187
+ check('RC04', 'master plan contains current verified status terms', currentStatusTerms.every((term) => masterPlan.includes(term)), currentStatusTerms.join(', ')),
188
+ check('RC05', 'goal map tracks v1 execution-state work as verified', goalMap.includes('GSE-008') && goalMap.includes('Productize v1.0 execution-state workflow') && goalMap.includes('verified') && goalMap.includes('audit-v1-target-validation.mjs'), '.gse/goal-map.md'),
189
+ check('RC06', 'master plan preserves target validation while keeping current final-form limits explicit', masterPlan.includes('AION/MuseFlow v1 target validation are verified') && masterPlan.includes('MIT license decision') && masterPlan.includes('Remaining final-form work is real public security contact approval, real public repository settings, public CI run, real public registry publication, real public marketplace approval, host-native slash-command support, and other host runtime invocation records.') && masterPlan.includes('P1: harden GSE beyond the verified v1.0 execution-state workflow') && !masterPlan.includes('This does not yet prove the full v1.0 execution-state layer') && !masterPlan.includes('owner license selection remains required before an accepted public release'), '.gse/gse-design-master-plan.md'),
190
+ ]
191
+
192
+ const passed = checks.filter((item) => item.status === 'passed').length
193
+ const failed = checks.length - passed
194
+ const report = {
195
+ root,
196
+ generatedAt: new Date().toISOString(),
197
+ summary: { status: failed === 0 ? 'passed' : 'failed', passed, failed, total: checks.length },
198
+ workflows: { roadmapConsistency: failed === 0 ? 'verified' : 'failed' },
199
+ limits: [
200
+ 'This audit checks GSE roadmap/status consistency against local verified artifacts.',
201
+ 'It does not certify arbitrary repositories or execute fresh-session acceptance.',
202
+ ],
203
+ checks,
204
+ }
205
+
206
+ function renderMarkdown(data) {
207
+ const lines = []
208
+ lines.push('# GSE Roadmap Consistency Audit')
209
+ lines.push('')
210
+ lines.push('Generated: ' + data.generatedAt)
211
+ lines.push('Root: ' + data.root)
212
+ lines.push('')
213
+ lines.push('## Summary')
214
+ lines.push('')
215
+ lines.push('- Status: ' + data.summary.status)
216
+ lines.push('- Checks: ' + data.summary.passed + '/' + data.summary.total)
217
+ lines.push('- Roadmap consistency: ' + data.workflows.roadmapConsistency)
218
+ lines.push('')
219
+ lines.push('## Checks')
220
+ lines.push('')
221
+ for (const item of data.checks) {
222
+ const marker = item.status === 'passed' ? '[x]' : '[ ]'
223
+ lines.push('- ' + marker + ' ' + item.id + ' ' + item.label + ': ' + item.evidence)
224
+ }
225
+ lines.push('')
226
+ lines.push('## Limits')
227
+ lines.push('')
228
+ for (const item of data.limits) lines.push('- ' + item)
229
+ return lines.join('\n') + '\n'
230
+ }
231
+
232
+ if (jsonOnly) console.log(JSON.stringify(report, null, 2))
233
+ else console.log(renderMarkdown(report))
234
+
235
+ if (failed > 0) process.exit(1)
@@ -0,0 +1,147 @@
1
+ #!/usr/bin/env node
2
+ import fs from 'node:fs'
3
+ import os from 'node:os'
4
+ import path from 'node:path'
5
+ import { spawnSync } from 'node:child_process'
6
+
7
+ const args = process.argv.slice(2)
8
+
9
+ function readArg(name, fallback = null) {
10
+ const index = args.indexOf(name)
11
+ if (index === -1) return fallback
12
+ return args[index + 1] ?? fallback
13
+ }
14
+
15
+ const root = path.resolve(readArg('--root', path.join(import.meta.dirname, '..')))
16
+ const jsonOnly = args.includes('--json')
17
+
18
+ function run(command, commandArgs, cwd = root) {
19
+ const result = spawnSync(command, commandArgs, { cwd, encoding: 'utf8', windowsHide: true })
20
+ return {
21
+ command: [command, ...commandArgs].join(' '),
22
+ status: result.status ?? 1,
23
+ stdout: (result.stdout ?? '').trim(),
24
+ stderr: (result.stderr ?? '').trim(),
25
+ }
26
+ }
27
+
28
+ function parseJson(text) {
29
+ try { return JSON.parse(text) } catch { return null }
30
+ }
31
+
32
+ function check(id, label, ok, evidence, risk = '') {
33
+ return { id, label, status: ok ? 'passed' : 'failed', evidence, risk }
34
+ }
35
+
36
+ const tempRoot = fs.mkdtempSync(path.join(os.tmpdir(), 'gse-signing-'))
37
+ const packageOut = path.join(tempRoot, 'package')
38
+ const installTarget = path.join(tempRoot, 'installed-gse')
39
+ const tamperedPackage = path.join(tempRoot, 'tampered-package')
40
+ const tamperedTarget = path.join(tempRoot, 'tampered-installed')
41
+ const privateKey = path.join(tempRoot, 'gse-private.pem')
42
+ const publicKey = path.join(tempRoot, 'gse-public.pem')
43
+
44
+ const packageRun = run(process.execPath, [
45
+ path.join(root, 'scripts', 'package-gse.mjs'),
46
+ '--root',
47
+ root,
48
+ '--out',
49
+ packageOut,
50
+ '--label',
51
+ 'gse-signing-audit',
52
+ '--json',
53
+ ])
54
+ const signRun = run(process.execPath, [
55
+ path.join(root, 'scripts', 'sign-gse-package.mjs'),
56
+ '--package',
57
+ packageOut,
58
+ '--private-key',
59
+ privateKey,
60
+ '--public-key',
61
+ publicKey,
62
+ '--generate-key',
63
+ '--json',
64
+ ])
65
+ const verifyRun = run(process.execPath, [
66
+ path.join(root, 'scripts', 'verify-gse-package.mjs'),
67
+ '--package',
68
+ packageOut,
69
+ '--public-key',
70
+ publicKey,
71
+ '--json',
72
+ ])
73
+ const installRun = run(process.execPath, [
74
+ path.join(root, 'scripts', 'install-gse.mjs'),
75
+ '--source',
76
+ packageOut,
77
+ '--target',
78
+ installTarget,
79
+ '--public-key',
80
+ publicKey,
81
+ '--json',
82
+ ])
83
+
84
+ fs.cpSync(packageOut, tamperedPackage, { recursive: true })
85
+ fs.appendFileSync(path.join(tamperedPackage, 'SKILL.md'), '\nTampered for signature audit.\n', 'utf8')
86
+ const tamperedVerify = run(process.execPath, [
87
+ path.join(root, 'scripts', 'verify-gse-package.mjs'),
88
+ '--package',
89
+ tamperedPackage,
90
+ '--public-key',
91
+ publicKey,
92
+ '--json',
93
+ ])
94
+ const tamperedInstall = run(process.execPath, [
95
+ path.join(root, 'scripts', 'install-gse.mjs'),
96
+ '--source',
97
+ tamperedPackage,
98
+ '--target',
99
+ tamperedTarget,
100
+ '--public-key',
101
+ publicKey,
102
+ '--json',
103
+ ])
104
+
105
+ const signData = parseJson(signRun.stdout)
106
+ const verifyData = parseJson(verifyRun.stdout)
107
+ const installData = parseJson(installRun.stdout)
108
+ const tamperedVerifyData = parseJson(tamperedVerify.stdout)
109
+ const tamperedInstallData = parseJson(tamperedInstall.stdout)
110
+
111
+ const checks = [
112
+ check('SIGN01', 'package command succeeds', packageRun.status === 0, packageRun.command),
113
+ check('SIGN02', 'sign command creates signature and keys', signRun.status === 0 && fs.existsSync(path.join(packageOut, 'gse-package-signature.json')) && fs.existsSync(publicKey), signRun.command),
114
+ check('SIGN03', 'verify command accepts signed package', verifyRun.status === 0 && verifyData?.summary?.failed === 0, verifyRun.command),
115
+ check('SIGN04', 'install command accepts signed package with public key', installRun.status === 0 && installData?.signature?.status === 'verified', installRun.command),
116
+ check('SIGN05', 'tampered package fails signature/hash verification', tamperedVerify.status === 1 && tamperedVerifyData?.summary?.failed > 0, tamperedVerify.command),
117
+ check('SIGN06', 'install command rejects tampered signed package', tamperedInstall.status === 1 && (tamperedInstallData?.signature?.status === 'failed' || tamperedInstallData?.summary?.integrityFailed > 0), tamperedInstall.command),
118
+ check('SIGN07', 'signature uses Ed25519', signData?.algorithm === 'ed25519', 'sign-gse-package output'),
119
+ ]
120
+
121
+ const passed = checks.filter((item) => item.status === 'passed').length
122
+ const failed = checks.length - passed
123
+ const report = {
124
+ root,
125
+ generatedAt: new Date().toISOString(),
126
+ tempRoot,
127
+ summary: { status: failed === 0 ? 'passed' : 'failed', passed, failed, total: checks.length },
128
+ workflows: {
129
+ packageSigning: signRun.status === 0 ? 'verified' : 'failed',
130
+ signatureVerification: verifyRun.status === 0 ? 'verified' : 'failed',
131
+ signedInstall: installRun.status === 0 ? 'verified' : 'failed',
132
+ tamperRejection: tamperedVerify.status === 1 && tamperedInstall.status === 1 ? 'verified' : 'failed',
133
+ },
134
+ commands: [packageRun.command, signRun.command, verifyRun.command, installRun.command, tamperedVerify.command, tamperedInstall.command],
135
+ limits: [
136
+ 'This audit verifies local Ed25519 signing and verification mechanics.',
137
+ 'It does not prove public key custody, maintainer identity, transparency logs, or marketplace trust.',
138
+ ],
139
+ checks,
140
+ }
141
+
142
+ fs.rmSync(tempRoot, { recursive: true, force: true })
143
+
144
+ if (jsonOnly) console.log(JSON.stringify(report, null, 2))
145
+ else console.log(JSON.stringify(report, null, 2))
146
+
147
+ if (failed > 0) process.exit(1)
@@ -0,0 +1,113 @@
1
+ #!/usr/bin/env node
2
+ import fs from 'node:fs'
3
+ import path from 'node:path'
4
+ import { spawnSync } from 'node:child_process'
5
+
6
+ const args = process.argv.slice(2)
7
+
8
+ function readArg(name, fallback = null) {
9
+ const index = args.indexOf(name)
10
+ if (index === -1) return fallback
11
+ return args[index + 1] ?? fallback
12
+ }
13
+
14
+ const root = path.resolve(readArg('--root', path.join(import.meta.dirname, '..')))
15
+ const jsonOnly = args.includes('--json')
16
+
17
+ function read(relativePath) {
18
+ const fullPath = path.join(root, relativePath)
19
+ return fs.existsSync(fullPath) ? fs.readFileSync(fullPath, 'utf8').replace(/^\uFEFF/, '') : ''
20
+ }
21
+
22
+ function parseJson(text) {
23
+ try { return JSON.parse(text) } catch { return null }
24
+ }
25
+
26
+ function run(script, commandArgs) {
27
+ const result = spawnSync(process.execPath, [path.join(root, 'scripts', script), ...commandArgs], {
28
+ cwd: root,
29
+ encoding: 'utf8',
30
+ windowsHide: true,
31
+ })
32
+ return {
33
+ status: result.status ?? 1,
34
+ stdout: (result.stdout ?? '').trim(),
35
+ stderr: (result.stderr ?? '').trim(),
36
+ command: [process.execPath, path.join(root, 'scripts', script), ...commandArgs].join(' '),
37
+ }
38
+ }
39
+
40
+ function check(id, label, ok, evidence, risk = '') {
41
+ return { id, label, status: ok ? 'passed' : 'failed', evidence, risk }
42
+ }
43
+
44
+ const stateText = read('.gse/state.json')
45
+ const state = parseJson(stateText)
46
+ const doctorRun = run('audit-public-acceptance-readiness.mjs', ['--root', root, '--json'])
47
+ const doctor = parseJson(doctorRun.stdout)
48
+ const pendingAreas = (doctor?.pendingGates ?? []).map((gate) => gate.area).sort()
49
+ const stateSearch = [
50
+ state?.currentSlice?.id,
51
+ state?.currentSlice?.outcome,
52
+ state?.currentSlice?.status,
53
+ state?.currentSlice?.nextAction,
54
+ ...(state?.residualRisks ?? []),
55
+ ].join('\n')
56
+
57
+ const staleResolvedGatePhrases = [
58
+ 'authorize GitHub workflow scope',
59
+ 'run public CI',
60
+ 'public CI remains pending',
61
+ 'public CI run remains pending',
62
+ 'public security contact remains pending',
63
+ 'public repository settings remain pending',
64
+ 'marketplace approval remains pending',
65
+ 'marketplace approval, and native slash-command proof are not verified',
66
+ '7 pending owner/external gates',
67
+ 'public CI, marketplace approval',
68
+ ]
69
+
70
+ const staleMatches = staleResolvedGatePhrases.filter((phrase) => stateSearch.includes(phrase))
71
+ const mentionsAllPending = pendingAreas.every((area) => stateSearch.includes(area) || (
72
+ area === 'Public registry publication' && stateSearch.includes('registry publication')
73
+ ) || (
74
+ area === 'Native slash command' && stateSearch.includes('Native slash-command')
75
+ ))
76
+
77
+ const checks = [
78
+ check('STF01', 'state JSON exists and parses', Boolean(state), '.gse/state.json'),
79
+ check('STF02', 'public acceptance doctor runs before state freshness check', doctorRun.status === 0 && doctor?.summary?.status === 'passed', doctorRun.command),
80
+ check('STF03', 'state next action mentions every current pending final-form gate', mentionsAllPending && pendingAreas.length === 2, pendingAreas.join(', ')),
81
+ check('STF04', 'state no longer routes users to resolved public CI/security/repository/marketplace gates', staleMatches.length === 0, staleMatches.length ? staleMatches.join('; ') : '.gse/state.json'),
82
+ check(
83
+ 'STF05',
84
+ 'state marks current registry work as externally blocked by npm auth/publication',
85
+ state?.currentSlice?.id === 'GSE-108-public-registry-publication' &&
86
+ state?.currentSlice?.status === 'blocked-external-auth' &&
87
+ (stateSearch.includes('npm is not logged in') || stateSearch.includes('not yet published on npm')),
88
+ '.gse/state.json',
89
+ ),
90
+ check('STF06', 'state points users to current doctor as source of truth', stateSearch.includes('/gse doctor') || stateSearch.includes('audit-public-acceptance-readiness.mjs'), '.gse/state.json'),
91
+ ]
92
+
93
+ const passed = checks.filter((item) => item.status === 'passed').length
94
+ const failed = checks.length - passed
95
+ const report = {
96
+ root,
97
+ generatedAt: new Date().toISOString(),
98
+ summary: { status: failed === 0 ? 'passed' : 'failed', passed, failed, total: checks.length },
99
+ workflows: {
100
+ stateFreshness: failed === 0 ? 'verified' : 'failed',
101
+ pendingGates: pendingAreas,
102
+ },
103
+ limits: [
104
+ 'This audit checks the machine-readable GSE state summary against the current public acceptance doctor.',
105
+ 'It does not publish to npm or prove native slash-command support.',
106
+ ],
107
+ checks,
108
+ }
109
+
110
+ if (jsonOnly) console.log(JSON.stringify(report, null, 2))
111
+ else console.log(JSON.stringify(report, null, 2))
112
+
113
+ if (failed > 0) process.exit(1)
@@ -0,0 +1,117 @@
1
+ #!/usr/bin/env node
2
+ import fs from 'node:fs'
3
+ import path from 'node:path'
4
+
5
+ const args = process.argv.slice(2)
6
+
7
+ function readArg(name, fallback = null) {
8
+ const index = args.indexOf(name)
9
+ if (index === -1) return fallback
10
+ return args[index + 1] ?? fallback
11
+ }
12
+
13
+ const root = path.resolve(readArg('--root', path.join(import.meta.dirname, '..')))
14
+ const jsonOnly = args.includes('--json')
15
+
16
+ function read(relativePath) {
17
+ const fullPath = path.join(root, relativePath)
18
+ return fs.existsSync(fullPath) ? fs.readFileSync(fullPath, 'utf8') : ''
19
+ }
20
+
21
+ function exists(relativePath) {
22
+ return fs.existsSync(path.join(root, relativePath))
23
+ }
24
+
25
+ function check(id, label, ok, evidence, risk = '') {
26
+ return { id, label, status: ok ? 'passed' : 'failed', evidence, risk }
27
+ }
28
+
29
+ const template = read('assets/templates/target-adoption-evidence.md')
30
+ const recipes = read('references/adoption-recipes.md')
31
+ const discovery = read('scripts/discover-project-profile.mjs')
32
+ const validate = read('scripts/validate-gse.mjs')
33
+
34
+ const fields = [
35
+ 'Target project:',
36
+ 'Adoption path:',
37
+ 'Project rules read:',
38
+ 'Files inspected:',
39
+ 'Files changed:',
40
+ 'Commands run:',
41
+ 'Detected project type:',
42
+ 'Detected package manager:',
43
+ 'Detected scripts:',
44
+ 'Host/tool statuses:',
45
+ 'Evidence status:',
46
+ 'Accepted by:',
47
+ 'Residual risks:',
48
+ 'Next action:',
49
+ ]
50
+
51
+ const noOverclaim = [
52
+ 'documented` until executed',
53
+ 'unknown` unless the tool was actually checked',
54
+ 'Do not claim arbitrary real-repo certification',
55
+ 'host runtime support',
56
+ 'subagent support',
57
+ 'browser support',
58
+ 'MCP support',
59
+ 'CI support',
60
+ 'release publication',
61
+ 'owner acceptance',
62
+ 'Accepted by: not accepted',
63
+ ]
64
+
65
+ const checks = [
66
+ check('TAE01', 'target adoption evidence template exists', exists('assets/templates/target-adoption-evidence.md'), 'assets/templates/target-adoption-evidence.md'),
67
+ check('TAE02', 'template captures target-project evidence fields', fields.every((item) => template.includes(item)), fields.join(', ')),
68
+ check('TAE03', 'template prevents real-repo and host capability overclaims', noOverclaim.every((item) => template.includes(item)), 'anti-overclaim rules'),
69
+ check('TAE04', 'adoption recipes route real target evidence to template', recipes.includes('assets/templates/target-adoption-evidence.md') && recipes.includes('Accepted by: not accepted'), 'references/adoption-recipes.md'),
70
+ check('TAE05', 'discovery captures namespaced project scripts', discovery.includes('/^(smoke|evidence|replay|eval|release|deploy|publish|electron):/') && discovery.includes('package.json smoke script'), 'scripts/discover-project-profile.mjs'),
71
+ check('TAE06', 'consolidated validator includes this audit', validate.includes('audit-target-adoption-evidence.mjs'), 'scripts/validate-gse.mjs'),
72
+ ]
73
+
74
+ const passed = checks.filter((item) => item.status === 'passed').length
75
+ const failed = checks.length - passed
76
+ const report = {
77
+ root,
78
+ generatedAt: new Date().toISOString(),
79
+ summary: { status: failed === 0 ? 'passed' : 'failed', passed, failed, total: checks.length },
80
+ workflows: { targetAdoptionEvidence: failed === 0 ? 'verified' : 'failed' },
81
+ limits: [
82
+ 'This audit verifies the target-project evidence template and discovery support only.',
83
+ 'It does not certify any arbitrary repository or accept a host/runtime capability.',
84
+ ],
85
+ checks,
86
+ }
87
+
88
+ function renderMarkdown(data) {
89
+ const lines = []
90
+ lines.push('# GSE Target Adoption Evidence Audit')
91
+ lines.push('')
92
+ lines.push('Generated: ' + data.generatedAt)
93
+ lines.push('Root: ' + data.root)
94
+ lines.push('')
95
+ lines.push('## Summary')
96
+ lines.push('')
97
+ lines.push('- Status: ' + data.summary.status)
98
+ lines.push('- Checks: ' + data.summary.passed + '/' + data.summary.total)
99
+ lines.push('- Target adoption evidence: ' + data.workflows.targetAdoptionEvidence)
100
+ lines.push('')
101
+ lines.push('## Checks')
102
+ lines.push('')
103
+ for (const item of data.checks) {
104
+ const marker = item.status === 'passed' ? '[x]' : '[ ]'
105
+ lines.push('- ' + marker + ' ' + item.id + ' ' + item.label + ': ' + item.evidence)
106
+ }
107
+ lines.push('')
108
+ lines.push('## Limits')
109
+ lines.push('')
110
+ for (const item of data.limits) lines.push('- ' + item)
111
+ return lines.join('\n') + '\n'
112
+ }
113
+
114
+ if (jsonOnly) console.log(JSON.stringify(report, null, 2))
115
+ else console.log(renderMarkdown(report))
116
+
117
+ if (failed > 0) process.exit(1)