@t275005746/gse 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (207) hide show
  1. package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -0
  2. package/.github/ISSUE_TEMPLATE/change_request.yml +50 -0
  3. package/.github/ISSUE_TEMPLATE/config.yml +5 -0
  4. package/.github/PULL_REQUEST_TEMPLATE.md +38 -0
  5. package/.github/workflows/validate-gse.yml +33 -0
  6. package/.gse/README.md +18 -0
  7. package/.gse/gse-development-protocol.md +50 -0
  8. package/.gse/project-profile.md +29 -0
  9. package/.gse/quality-gates.md +25 -0
  10. package/.gse/releases/public-channel-publication-pending.md +49 -0
  11. package/.gse/releases/public-ci-run-pending.md +53 -0
  12. package/.gse/releases/public-release-owner-required.md +65 -0
  13. package/.gse/releases/public-repository-settings-owner-required.md +59 -0
  14. package/.gse/releases/public-security-contact-owner-required.md +45 -0
  15. package/.gse/state.json +27 -0
  16. package/CHANGELOG.md +24 -0
  17. package/CONTRIBUTING.md +64 -0
  18. package/LICENSE +21 -0
  19. package/README.md +236 -0
  20. package/README.zh-CN.md +236 -0
  21. package/SECURITY.md +41 -0
  22. package/SKILL.md +148 -0
  23. package/SUPPORT.md +38 -0
  24. package/agents/openai.yaml +4 -0
  25. package/assets/marketplace/README.md +7 -0
  26. package/assets/marketplace/gse-listing.json +75 -0
  27. package/assets/templates/acceptance-execution-packet.md +73 -0
  28. package/assets/templates/adr.md +14 -0
  29. package/assets/templates/change-brief.md +16 -0
  30. package/assets/templates/design.md +18 -0
  31. package/assets/templates/dispatch-packet.md +104 -0
  32. package/assets/templates/evidence.md +14 -0
  33. package/assets/templates/execution-quality-pack.md +65 -0
  34. package/assets/templates/goal-map.md +21 -0
  35. package/assets/templates/host-adapter.md +48 -0
  36. package/assets/templates/host-ui-invocation-record.md +42 -0
  37. package/assets/templates/incident-review.md +60 -0
  38. package/assets/templates/public-channel-publication-record.md +49 -0
  39. package/assets/templates/public-ci-run-record.md +53 -0
  40. package/assets/templates/public-release-record.md +65 -0
  41. package/assets/templates/public-repository-settings-record.md +59 -0
  42. package/assets/templates/public-security-contact-record.md +45 -0
  43. package/assets/templates/release-trust-record.md +32 -0
  44. package/assets/templates/review.md +18 -0
  45. package/assets/templates/spec.md +16 -0
  46. package/assets/templates/target-adoption-evidence.md +29 -0
  47. package/assets/templates/tasks.md +17 -0
  48. package/assets/templates/update-release-acceptance-record.md +58 -0
  49. package/examples/README.md +22 -0
  50. package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -0
  51. package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -0
  52. package/examples/agent-runtime-host/.gse/goal-map.md +7 -0
  53. package/examples/agent-runtime-host/.gse/project-profile.md +27 -0
  54. package/examples/agent-runtime-host/.gse/tooling.md +5 -0
  55. package/examples/agent-runtime-host/.mcp.json +9 -0
  56. package/examples/agent-runtime-host/AGENTS.md +5 -0
  57. package/examples/agent-runtime-host/README.md +10 -0
  58. package/examples/agent-runtime-host/docs/model-routing.md +5 -0
  59. package/examples/cli-tool/.gse/project-profile.md +21 -0
  60. package/examples/cli-tool/AGENTS.md +5 -0
  61. package/examples/cli-tool/README.md +12 -0
  62. package/examples/cli-tool/package.json +21 -0
  63. package/examples/small-app/.env.example +2 -0
  64. package/examples/small-app/.github/workflows/ci.yml +8 -0
  65. package/examples/small-app/AGENTS.md +5 -0
  66. package/examples/small-app/README.md +12 -0
  67. package/examples/small-app/package.json +26 -0
  68. package/examples/small-app/playwright.config.ts +4 -0
  69. package/package.json +53 -0
  70. package/references/adoption-recipes.md +171 -0
  71. package/references/agent-roles.md +49 -0
  72. package/references/architecture-health.md +101 -0
  73. package/references/benchmark-audit.md +73 -0
  74. package/references/commands.md +295 -0
  75. package/references/community-channels.md +46 -0
  76. package/references/compatibility.md +70 -0
  77. package/references/design-basis.md +38 -0
  78. package/references/domain-model.md +129 -0
  79. package/references/domain-quality-gates.md +75 -0
  80. package/references/drift-audit.md +81 -0
  81. package/references/evidence-taxonomy.md +123 -0
  82. package/references/file-ownership.md +107 -0
  83. package/references/final-readiness.md +84 -0
  84. package/references/forward-test.md +133 -0
  85. package/references/goal-map.md +36 -0
  86. package/references/host-adapters.md +119 -0
  87. package/references/learning-system.md +35 -0
  88. package/references/marketplace-discovery.md +46 -0
  89. package/references/model-routing.md +103 -0
  90. package/references/open-source-defaults.md +39 -0
  91. package/references/operating-model.md +52 -0
  92. package/references/packaging.md +277 -0
  93. package/references/project-agent-workspace.md +89 -0
  94. package/references/project-bootstrap.md +122 -0
  95. package/references/project-profile.md +57 -0
  96. package/references/public-release.md +174 -0
  97. package/references/quality-gates.md +100 -0
  98. package/references/recovery.md +176 -0
  99. package/references/release-trust.md +43 -0
  100. package/references/release.md +126 -0
  101. package/references/review.md +141 -0
  102. package/references/router.md +90 -0
  103. package/references/spec-workflow.md +66 -0
  104. package/references/task-levels.md +81 -0
  105. package/references/tool-adapters.md +73 -0
  106. package/scripts/audit-acceptance-execution-packet.mjs +133 -0
  107. package/scripts/audit-adoption-recipes.mjs +99 -0
  108. package/scripts/audit-adoption.mjs +154 -0
  109. package/scripts/audit-change-lifecycle.mjs +77 -0
  110. package/scripts/audit-change-system.mjs +134 -0
  111. package/scripts/audit-ci-readiness.mjs +107 -0
  112. package/scripts/audit-close-gate.mjs +323 -0
  113. package/scripts/audit-command-adapters.mjs +91 -0
  114. package/scripts/audit-command-execution.mjs +210 -0
  115. package/scripts/audit-commands.mjs +117 -0
  116. package/scripts/audit-compatibility.mjs +149 -0
  117. package/scripts/audit-completion-readiness.mjs +292 -0
  118. package/scripts/audit-distribution.mjs +251 -0
  119. package/scripts/audit-domain-quality-gates.mjs +108 -0
  120. package/scripts/audit-evidence-placeholders.mjs +126 -0
  121. package/scripts/audit-final-acceptance-packet.mjs +148 -0
  122. package/scripts/audit-final-form-progress-report.mjs +161 -0
  123. package/scripts/audit-final-form-stale-copy.mjs +221 -0
  124. package/scripts/audit-final-readiness-promotion.mjs +255 -0
  125. package/scripts/audit-final-readiness.mjs +226 -0
  126. package/scripts/audit-fixtures.mjs +154 -0
  127. package/scripts/audit-fresh-session-readiness.mjs +177 -0
  128. package/scripts/audit-gse.mjs +275 -0
  129. package/scripts/audit-host-adapters.mjs +119 -0
  130. package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -0
  131. package/scripts/audit-host-runtime-invocation-drill.mjs +240 -0
  132. package/scripts/audit-host-runtime-invocations.mjs +254 -0
  133. package/scripts/audit-host-ui-invocation.mjs +132 -0
  134. package/scripts/audit-learning-system.mjs +103 -0
  135. package/scripts/audit-local-final-form-completion.mjs +131 -0
  136. package/scripts/audit-marketplace-discovery.mjs +122 -0
  137. package/scripts/audit-npm-package-metadata.mjs +155 -0
  138. package/scripts/audit-npm-publish-dry-run.mjs +169 -0
  139. package/scripts/audit-npm-tarball-install.mjs +191 -0
  140. package/scripts/audit-open-source-defaults.mjs +92 -0
  141. package/scripts/audit-open-source-readiness.mjs +97 -0
  142. package/scripts/audit-owner-external-gate-kit.mjs +218 -0
  143. package/scripts/audit-project.mjs +323 -0
  144. package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -0
  145. package/scripts/audit-public-acceptance-handoff.mjs +142 -0
  146. package/scripts/audit-public-acceptance-readiness.mjs +224 -0
  147. package/scripts/audit-public-channel-publication.mjs +248 -0
  148. package/scripts/audit-public-ci-run.mjs +184 -0
  149. package/scripts/audit-public-collaboration-templates.mjs +98 -0
  150. package/scripts/audit-public-external-gate-probe.mjs +206 -0
  151. package/scripts/audit-public-release-checklist.mjs +133 -0
  152. package/scripts/audit-public-release-decision.mjs +201 -0
  153. package/scripts/audit-public-release-metadata.mjs +176 -0
  154. package/scripts/audit-public-repository-settings.mjs +237 -0
  155. package/scripts/audit-public-security-contact.mjs +171 -0
  156. package/scripts/audit-readme-docs.mjs +185 -0
  157. package/scripts/audit-recovery-readiness.mjs +98 -0
  158. package/scripts/audit-release-bundle.mjs +251 -0
  159. package/scripts/audit-release-owner-action-plan-drill.mjs +277 -0
  160. package/scripts/audit-release-owner-action-plan.mjs +164 -0
  161. package/scripts/audit-release-readiness.mjs +106 -0
  162. package/scripts/audit-release-status-manifest.mjs +165 -0
  163. package/scripts/audit-release-trust.mjs +62 -0
  164. package/scripts/audit-remote-distribution.mjs +266 -0
  165. package/scripts/audit-roadmap-consistency.mjs +235 -0
  166. package/scripts/audit-signing.mjs +147 -0
  167. package/scripts/audit-state-freshness.mjs +113 -0
  168. package/scripts/audit-target-adoption-evidence.mjs +117 -0
  169. package/scripts/audit-target-project.mjs +507 -0
  170. package/scripts/audit-update-release-acceptance.mjs +136 -0
  171. package/scripts/audit-v1-target-validation.mjs +269 -0
  172. package/scripts/audit-validation-profiles.mjs +125 -0
  173. package/scripts/close-change.mjs +116 -0
  174. package/scripts/discover-project-profile.mjs +307 -0
  175. package/scripts/forward-test-gse.mjs +146 -0
  176. package/scripts/generate-command-adapter.mjs +231 -0
  177. package/scripts/generate-final-acceptance-packet.mjs +181 -0
  178. package/scripts/generate-final-form-progress-report.mjs +205 -0
  179. package/scripts/generate-host-adapter.mjs +73 -0
  180. package/scripts/generate-host-runtime-evidence-handoff.mjs +206 -0
  181. package/scripts/generate-owner-external-gate-kit.mjs +295 -0
  182. package/scripts/generate-public-acceptance-handoff.mjs +168 -0
  183. package/scripts/generate-public-release-checklist.mjs +207 -0
  184. package/scripts/generate-release-bundle.mjs +505 -0
  185. package/scripts/generate-release-owner-action-plan.mjs +172 -0
  186. package/scripts/generate-release-status-manifest.mjs +200 -0
  187. package/scripts/generate-session-prompt.mjs +188 -0
  188. package/scripts/gse.mjs +67 -0
  189. package/scripts/init-change.mjs +265 -0
  190. package/scripts/init-project.mjs +785 -0
  191. package/scripts/install-gse.mjs +234 -0
  192. package/scripts/lib/evidence-placeholders.mjs +28 -0
  193. package/scripts/package-gse.mjs +174 -0
  194. package/scripts/probe-public-external-gates.mjs +167 -0
  195. package/scripts/record-host-invocation.mjs +151 -0
  196. package/scripts/record-learning.mjs +137 -0
  197. package/scripts/record-public-channel-publication.mjs +178 -0
  198. package/scripts/record-public-ci-run.mjs +180 -0
  199. package/scripts/record-public-release.mjs +175 -0
  200. package/scripts/record-public-repository-settings.mjs +209 -0
  201. package/scripts/record-public-security-contact.mjs +157 -0
  202. package/scripts/run-gse-command.mjs +538 -0
  203. package/scripts/run-validation-profile.mjs +146 -0
  204. package/scripts/sign-gse-package.mjs +83 -0
  205. package/scripts/update-project-state.mjs +223 -0
  206. package/scripts/validate-gse.mjs +1168 -0
  207. package/scripts/verify-gse-package.mjs +85 -0
@@ -0,0 +1,295 @@
1
+ # GSE Commands
2
+
3
+ Use this when the user writes `/gse ...`, `gse: ...`, or asks for command-style GSE usage.
4
+
5
+ These are host-neutral command semantics. They define what an agent should do. They do not prove that the current host has native slash-command support. If the host supports custom slash commands, host adapters may map these commands to native entries. If not, treat the text command as an instruction and execute the matching route.
6
+
7
+ Portable adapter helper:
8
+
9
+ ```text
10
+ node <gse-skill>/scripts/generate-command-adapter.mjs --target <project-root> --host claude|codex|hermes|workbuddy|copilot|gemini|generic|all
11
+ ```
12
+
13
+ Portable execution helper:
14
+
15
+ ```text
16
+ node <gse-skill>/scripts/gse.mjs continue --target <project-root>
17
+ node <gse-skill>/scripts/run-gse-command.mjs --target <project-root> --command "/gse continue"
18
+ node <gse-skill>/scripts/run-gse-command.mjs --target <gse-skill> --command "/gse owner-actions" --json --compact
19
+ node <gse-skill>/scripts/run-gse-command.mjs --target <gse-skill> --command "/gse probe --public-repo-url __PUBLIC_REPO_URL__" --json
20
+ node <gse-skill>/scripts/run-gse-command.mjs --target <gse-skill> --command "/gse package" --json
21
+ node <gse-skill>/scripts/run-gse-command.mjs --target <gse-skill> --command "/gse install --source __PACKAGE_DIR__ --install-target __INSTALL_SKILL_DIR__" --json
22
+ node <gse-skill>/scripts/run-gse-command.mjs --target <gse-skill> --command "/gse public-release" --json
23
+ node <gse-skill>/scripts/run-gse-command.mjs --target <project-root> --command "/gse learn --summary __LESSON__" --execute --json
24
+ ```
25
+
26
+ Validation profile helper:
27
+
28
+ ```text
29
+ node <gse-skill>/scripts/run-validation-profile.mjs --target <project-root> --profile lite|standard|enterprise|release
30
+ ```
31
+
32
+ Portable command execution audit:
33
+
34
+ ```text
35
+ node <gse-skill>/scripts/audit-command-execution.mjs --root <gse-skill> --profile lite|full
36
+ ```
37
+
38
+ The Claude adapter writes `.claude/commands/gse.md`, matching Claude Code's documented project command shape. The Codex adapter writes a pointer file because project-level native `/gse` command files are not verified for Codex in this package. Hermes, WorkBuddy, Copilot, Gemini, and generic adapters write portable pointer files only; they do not prove host runtime invocation.
39
+
40
+ ## Command Map
41
+
42
+ | Command | Purpose | Primary Route | Required Inputs | Typical Verification |
43
+ |---|---|---|---|---|
44
+ | `/gse help` | Show available GSE commands and the current project entry files | Command help | `SKILL.md`, `references/commands.md` | none or file inspection |
45
+ | `/gse init` | Initialize `.gse/` in a new project | Project bootstrap | project rules, `project-bootstrap.md` | scaffold file check |
46
+ | `/gse adopt` | Adopt GSE in an existing project without overwriting local rules | Project adoption | project rules, `adoption-recipes.md`, `project-profile.md` | discovery or adoption smoke |
47
+ | `/gse continue` | Continue the current project from its goal map or canonical plan | Execute workflow | project rules, `.gse/project-profile.md`, goal map or canonical plan | focused test/smoke for the slice |
48
+ | `/gse status` | Show current project state; for the GSE skill, show final-form progress and remaining public/host blockers | Status workflow | `.gse/state.json`; for GSE skill, final readiness audits | state/report inspection |
49
+ | `/gse doctor` | Diagnose public/host acceptance blockers for the GSE skill, or target-project GSE readiness for normal projects | Final acceptance or project doctor | final readiness matrix, `.gse/state.json`, project profile | public acceptance doctor or target project doctor |
50
+ | `/gse acceptance` | Alias for `/gse doctor` when the user wants final acceptance boundaries | Final acceptance doctor | final readiness matrix and owner/external evidence records | public acceptance doctor |
51
+ | `/gse owner-actions` | Show the remaining owner/external actions required before the GSE skill can claim public acceptance | Owner/external action packet | final readiness matrix and public acceptance doctor | owner action command smoke |
52
+ | `/gse probe` | Probe supplied owner/external evidence locations before accepted records are written | Public external gate probe | public repo/security/CI/registry/marketplace/host evidence inputs | public external gate probe audit |
53
+ | `/gse release` | Dry-run or generate the GSE release bundle for open-source/package handoff | Release bundle workflow | release metadata, package snapshot, acceptance handoff, owner/external kit | release bundle audit |
54
+ | `/gse package` | Dry-run or generate a local installable GSE package | Package workflow | package label and output directory | package manifest or distribution audit |
55
+ | `/gse install` | Dry-run or install GSE from a local package path or URL-shaped package source | Install workflow | package source and install target | install dry-run or installed CLI smoke |
56
+ | `/gse public-release` | Dry-run or generate the ordered public release checklist for owner execution | Public release checklist workflow | release status manifest and pending owner/external gates | public release checklist audit |
57
+ | `/gse change` | Create or normalize a GSE change spec pack | Spec workflow | change id, task level, goal map | change folder structure check |
58
+ | `/gse slice` | Define or normalize outcome, scope, acceptance, evidence, risk, and next action | Spec workflow | `goal-map.md`, `spec-workflow.md`, `quality-gates.md` | structural check |
59
+ | `/gse verify` | Run the smallest verification that proves the current slice | Verification gate | `quality-gates.md`, project profile, evidence taxonomy | focused test/API/browser smoke |
60
+ | `/gse learn` | Record a reusable lesson in `.gse/learnings.md` | Learning workflow | summary, trigger, source, optional impact | learning command audit |
61
+ | `/gse audit` | Check workflow drift, stale claims, missing evidence, or too-heavy process | Audit workflow | `benchmark-audit.md`, `drift-audit.md`, project profile | audit script or checklist |
62
+ | `/gse close` | Check whether the current slice is ready to close | Close readiness check | `.gse/state.json`, evidence index, quality gates | close gate audit |
63
+
64
+ ## Aliases
65
+
66
+ - `gse help` -> `/gse help`
67
+ - `gse init` -> `/gse init`
68
+ - `gse adopt` -> `/gse adopt`
69
+ - `gse continue` -> `/gse continue`
70
+ - `gse next` -> `/gse continue`
71
+ - `gse status` -> `/gse status`
72
+ - `gse doctor` -> `/gse doctor`
73
+ - `gse acceptance` -> `/gse acceptance`
74
+ - `gse owner-actions` -> `/gse owner-actions`
75
+ - `gse owner` -> `/gse owner-actions`
76
+ - `gse probe` -> `/gse probe`
77
+ - `gse release` -> `/gse release`
78
+ - `gse package` -> `/gse package`
79
+ - `gse install` -> `/gse install`
80
+ - `gse public-release` -> `/gse public-release`
81
+ - `gse change` -> `/gse change`
82
+ - `gse spec` -> `/gse change`
83
+ - `gse slice` -> `/gse slice`
84
+ - `gse verify` -> `/gse verify`
85
+ - `gse learn` -> `/gse learn`
86
+ - `gse audit` -> `/gse audit`
87
+ - `gse close` -> `/gse close`
88
+
89
+ ## Usage Examples
90
+
91
+ ```text
92
+ /gse continue AION
93
+ ```
94
+
95
+ Expected behavior:
96
+
97
+ 1. Enter the project root.
98
+ 2. Read project rules, `.gse/state.json`, and `.gse/project-profile.md`.
99
+ 3. Read the project's canonical plan when one is declared.
100
+ 4. Pick the next verifiable slice from the machine-readable state plus goal map.
101
+ 5. Execute, verify, record evidence, update `.gse/state.json` and `.gse/evidence/index.jsonl`, and close only when accepted by the applicable gate.
102
+
103
+ Portable helper:
104
+
105
+ ```text
106
+ node <gse-skill>/scripts/generate-session-prompt.mjs --target <project-root>
107
+ ```
108
+
109
+ For existing projects that have `.gse/` but do not yet have machine-readable continuation files:
110
+
111
+ ```text
112
+ node <gse-skill>/scripts/update-project-state.mjs --target <project-root>
113
+ ```
114
+
115
+ ```text
116
+ /gse init --mode standard
117
+ ```
118
+
119
+ Expected behavior:
120
+
121
+ 1. Inspect existing project rules first.
122
+ 2. Create `.gse/` if missing.
123
+ 3. Preserve existing project-specific rules.
124
+ 4. Run a scaffold or structure check.
125
+
126
+ ```text
127
+ /gse change add-user-login --level standard
128
+ ```
129
+
130
+ Expected behavior:
131
+
132
+ 1. Create `.gse/changes/add-user-login/`.
133
+ 2. Add `brief.md`, `spec.md`, `design.md`, `tasks.md`, `evidence.md`, `review.md`, and `execution-quality-pack.md`.
134
+ 3. Keep OpenSpec and Superpowers optional: use them when available, otherwise use the GSE markdown pack.
135
+ 4. Do not overwrite existing change files unless explicitly forced.
136
+
137
+ Portable helper:
138
+
139
+ ```text
140
+ node <gse-skill>/scripts/init-change.mjs --target <project-root> --change-id add-user-login --level standard
141
+ ```
142
+
143
+ ```text
144
+ /gse verify --profile lite
145
+ ```
146
+
147
+ Expected behavior:
148
+
149
+ 1. Select a validation profile from `lite`, `standard`, `enterprise`, or `release`.
150
+ 2. Run `scripts/run-validation-profile.mjs` with that profile.
151
+ 3. Keep release/distribution-heavy checks out of `lite` and `standard` unless the selected profile requires them.
152
+ 4. Report skipped heavy gates as a deliberate profile boundary, not as hidden success.
153
+ 5. Use the lite command execution audit for routine command coverage; reserve the full command execution audit for release-grade confidence.
154
+
155
+ ```text
156
+ /gse audit
157
+ ```
158
+
159
+ Expected behavior:
160
+
161
+ 1. Check whether project rules, `.gse/`, goal map, quality gates, tooling, and evidence are aligned.
162
+ 2. Report gaps as `missing`, `weak`, `verified`, or `accepted`.
163
+ 3. Do not fix unrelated project code unless explicitly asked.
164
+
165
+ ```text
166
+ /gse learn --summary "Prefer UTF-8 safe readers for Chinese docs before judging mojibake" --trigger "encoding review" --source "project slice"
167
+ ```
168
+
169
+ Expected behavior:
170
+
171
+ 1. Dry-run the learning entry by default and show the target `.gse/learnings.md` path.
172
+ 2. Require `--summary`; accept optional `--trigger`, `--source`, `--impact`, and `--promotion`.
173
+ 3. Append the entry only when `--execute` is supplied.
174
+ 4. Skip duplicate summaries instead of appending repeated lessons.
175
+ 5. Keep raw chain-of-thought, long logs, and temporary attempts out of learnings.
176
+
177
+ ```text
178
+ /gse status
179
+ ```
180
+
181
+ Expected behavior:
182
+
183
+ 1. For normal projects, read `.gse/state.json` and show phase, current slice, next action, and declared project files.
184
+ 2. For the GSE skill package itself, run the final-form progress report in dry-run mode and show local engineering readiness, full final-form readiness, pending owner/external gates, and `publicAccepted`.
185
+ 3. Do not treat status output as completion evidence unless the relevant gate audit is also recorded.
186
+
187
+ ```text
188
+ /gse doctor
189
+ ```
190
+
191
+ Expected behavior:
192
+
193
+ 1. For the GSE skill package, run the public acceptance doctor and list remaining owner/external blockers with concrete record commands.
194
+ 2. For normal target projects, run the target project doctor and report `.gse/` readiness, canonical plan visibility, evidence state, and host adapter drift.
195
+ 3. Keep owner-required and external-required gates explicit. Do not convert local mechanics into public acceptance.
196
+
197
+ ```text
198
+ /gse owner-actions
199
+ ```
200
+
201
+ Expected behavior:
202
+
203
+ 1. For the GSE skill package itself, return a compact owner/external action list from the public acceptance doctor.
204
+ 2. Include the pending gate count, responsible party, required evidence, record command, and dry-run preflight command for each gate.
205
+ 3. Prefer `--json --compact` when handing the action list to a project owner or maintainer; compact mode returns only the owner action packet without local runner diagnostics.
206
+ 4. Keep the output as a collection checklist. It does not publish, approve, configure, or accept anything by itself.
207
+ 5. For normal projects, use `/gse doctor` instead; `/gse owner-actions` is only for the GSE skill's public/host final-form gates.
208
+
209
+ ```text
210
+ /gse probe --public-repo-url __PUBLIC_REPO_URL__
211
+ ```
212
+
213
+ Expected behavior:
214
+
215
+ 1. For the GSE skill package itself, run `scripts/probe-public-external-gates.mjs`.
216
+ 2. Accept only explicit evidence input flags such as `--public-repo-url`, `--security-contact-url`, `--public-ci-run-url`, `--registry-package-url`, `--marketplace-url`, `--native-host-evidence`, and `--other-host-evidence`.
217
+ 3. Return `waiting-for-input` when no evidence inputs are supplied.
218
+ 4. Reject placeholder, example, local, or missing evidence before accepted records are written.
219
+ 5. Keep the output as a preflight. It does not publish, approve, configure, or accept anything by itself.
220
+
221
+ ```text
222
+ /gse release
223
+ ```
224
+
225
+ Expected behavior:
226
+
227
+ 1. For the GSE skill package itself, dry-run `scripts/generate-release-bundle.mjs`.
228
+ 2. Report release bundle readiness, validation summary, and public acceptance boundary without writing the canonical bundle.
229
+ 3. Accept optional `--label` and `--out` values for release-bundle naming and output routing.
230
+ 4. Only write a bundle when the command is run with `--execute`.
231
+ 5. Keep the output as release handoff preparation. It does not publish a package, approve a marketplace listing, configure a repository, or mark public acceptance complete.
232
+
233
+ ```text
234
+ /gse package
235
+ ```
236
+
237
+ Expected behavior:
238
+
239
+ 1. For the GSE skill package itself, dry-run `scripts/package-gse.mjs`.
240
+ 2. Report package readiness, intended output, file count, and manifest path without writing package files.
241
+ 3. Accept optional `--label` and `--out` values for package naming and output routing.
242
+ 4. Only write a package when the command is run with `--execute`.
243
+ 5. Keep the output as local packaging evidence. It does not publish to a registry or mark public acceptance complete.
244
+
245
+ ```text
246
+ /gse install --source __PACKAGE_DIR__ --install-target __INSTALL_SKILL_DIR__
247
+ ```
248
+
249
+ Expected behavior:
250
+
251
+ 1. For the GSE skill package itself, dry-run `scripts/install-gse.mjs`.
252
+ 2. Accept `--source <package-dir>` or `--source-url <file-or-http-package-url>`.
253
+ 3. Use `--install-target <install-skill-dir>` for the destination so it does not conflict with the command runner's own `--target <gse-root>`.
254
+ 4. Only write the install target when the command is run with `--execute`.
255
+ 5. Keep the output as local or URL-shaped installability evidence. It does not publish to a registry, approve a marketplace listing, or prove global host installation.
256
+
257
+ ```text
258
+ /gse public-release
259
+ ```
260
+
261
+ Expected behavior:
262
+
263
+ 1. For the GSE skill package itself, dry-run `scripts/generate-public-release-checklist.mjs`.
264
+ 2. Show the ordered public release checklist covering repository settings, security contact, public CI, registry publication, marketplace listing, native slash-command evidence, other host runtime evidence, and final verification.
265
+ 3. Accept optional `--out` and `--manifest` values for checklist output routing.
266
+ 4. Only write a checklist when the command is run with `--execute`.
267
+ 5. Keep the output as an owner execution runway. It does not publish, approve, configure, or accept anything by itself.
268
+
269
+ ## Host Adapter Rules
270
+
271
+ - Do not claim native slash-command support unless the current host exposes it and it was verified.
272
+ - Do not treat generated pointer files as runtime proof; run the host or a host-specific smoke before claiming the command executes natively.
273
+ - Record real UI, slash-command, command-palette, plugin, or background-thread invocation with `scripts/record-host-invocation.mjs` or `assets/templates/host-ui-invocation-record.md`; validate a completed record with `scripts/audit-host-ui-invocation.mjs --record <file>` and aggregate persistent host records with `scripts/audit-host-runtime-invocations.mjs`.
274
+ - For Codex, Claude Code, Hermes/AION-style runtimes, WorkBuddy, or future hosts, map native command files back to this reference instead of duplicating all policy.
275
+ - If a host has no slash-command mechanism, the text command still works as a natural-language trigger for the skill.
276
+ - Keep command output short and route to the relevant reference file instead of loading every GSE document.
277
+
278
+ ## Completion Rules
279
+
280
+ - `/gse continue`, `/gse verify`, and `/gse close` must preserve the result -> verified -> accepted distinction.
281
+ - `/gse close` is read-only in the portable command runner. It cannot mark a slice complete, archive a change, or write evidence by itself.
282
+ - Portable close check:
283
+
284
+ ```text
285
+ node <gse-skill>/scripts/audit-close-gate.mjs --target <project-root>
286
+ ```
287
+
288
+ - To archive a named change pack after evidence exists, use the explicit change lifecycle script:
289
+
290
+ ```text
291
+ node <gse-skill>/scripts/close-change.mjs --target <project-root> --change-id <change-id> --status result|verified|accepted --json
292
+ ```
293
+
294
+ - `/gse audit` cannot certify arbitrary repositories unless project-specific checks ran.
295
+ - `/gse init` and `/gse adopt` cannot overwrite existing project workflow files without explicit owner approval or `--force` with a recorded reason.
@@ -0,0 +1,46 @@
1
+ # Community Channels
2
+
3
+ Use this when a public GSE release needs owner-approved contribution, support, sponsorship, or service links.
4
+
5
+ Community channels are release metadata. They help people find the right place to ask questions, support the maintainer, or discover related services. They do not prove package publication, marketplace approval, security disclosure readiness, or host-native command support.
6
+
7
+ ## Current Owner Candidate
8
+
9
+ GateHub can be listed as an optional maintainer support and service link after owner approval:
10
+
11
+ - Name: GateHub
12
+ - URL: https://gatehub.top/
13
+ - Public page title observed on 2026-07-07: `GateHub - AI API Gateway`
14
+ - Public subtitle observed on 2026-07-07: `AI大模型代理平台`
15
+ - Public contact observed on 2026-07-07: `QQ:275005746`
16
+ - Recommended use in GSE docs: optional support, sponsorship, affiliate, or maintainer-service link.
17
+
18
+ Do not describe GateHub as:
19
+
20
+ - the official GSE package registry,
21
+ - a marketplace approval channel,
22
+ - a vulnerability disclosure channel,
23
+ - proof of public CI, release, or host runtime support,
24
+ - a required dependency for using GSE.
25
+
26
+ ## Placement
27
+
28
+ Recommended locations:
29
+
30
+ - `SUPPORT.md`: optional maintainer/community support channel.
31
+ - Public repository sidebar or GitHub profile: project support or service link.
32
+ - Release notes: optional "Support the maintainer" link when the release owner approves it.
33
+ - Marketplace/catalog listing: support URL or related service URL, if the marketplace allows it.
34
+
35
+ Avoid putting the link into the core workflow explanation, command reference, quality gates, or installation steps unless GateHub becomes a verified part of that workflow.
36
+
37
+ ## Acceptance
38
+
39
+ A community channel can be called:
40
+
41
+ - `result`: the link and intended use are documented.
42
+ - `verified`: the link resolves and the docs preserve claim boundaries.
43
+ - `accepted`: the owner approves the public placement and the target public page, repository, or listing contains the link.
44
+
45
+ Keep security contact separate. A support or service contact is not a vulnerability disclosure policy unless the owner explicitly accepts it as such and `SECURITY.md` is updated.
46
+
@@ -0,0 +1,70 @@
1
+ # Compatibility And Adoption Matrix
2
+
3
+ Use this to record what GSE can honestly claim across agent hosts. This matrix is about GSE portability, not proof that every host-specific tool is installed in a project.
4
+
5
+ ## Status Vocabulary
6
+
7
+ - `verified`: backed by a local file, script, fixture, command, or trusted project-specific evidence in the current GSE skill or target project.
8
+ - `documented`: described by GSE references, examples, or project files, but not exercised in the current evidence set.
9
+ - `unknown`: no reliable evidence yet.
10
+ - `unavailable`: expected capability is missing or failed when checked.
11
+
12
+ Never upgrade a host capability from `documented` to `verified` just because another host has a similar capability.
13
+
14
+ ## Portable Source Of Truth
15
+
16
+ `.gse/` is the portable source of truth for goals, profile, quality gates, evidence, learning, and project-specific workflow rules.
17
+
18
+ Host-specific folders are adapters. They may contain commands, hooks, skills, MCP notes, UI metadata, or short pointers, but they should point back to `.gse/` instead of copying the whole workflow.
19
+
20
+ ## Host Matrix
21
+
22
+ | Host family | Adapter location | Source-of-truth pointer | Current status | Evidence | Fallback |
23
+ |---|---|---|---|---|---|
24
+ | Codex-style | `.codex/`, Codex skills, MCP config | Must point to `.gse/` | `verified` for fixture pointer; host tools are project-specific | `examples/agent-runtime-host/.codex/gse-adapter.md`, `scripts/forward-test-gse.mjs`, `scripts/audit-fixtures.mjs` | Use `SKILL.md`, `.gse/project-profile.md`, and markdown workflow when Codex host tools are absent |
25
+ | Claude Code-style | `.claude/commands/`, `.claude/agents/`, `.claude/hooks/` | Must point to `.gse/` | `verified` for fixture pointer; commands/agents/hooks remain project-specific | `examples/agent-runtime-host/.claude/gse-adapter.md`, `scripts/forward-test-gse.mjs`, `scripts/audit-fixtures.mjs` | Use `.gse/` docs directly; do not duplicate goal maps into `.claude/` |
26
+ | Hermes/AION-style runtime | `.gse/host-adapters/hermes-runtime.md`, runtime skills, worker adapters, memory/tool substrate docs | Must keep AION/product policy in `.gse/` or project docs; runtime details are adapters | `verified` for generated pointer; runtime tools remain project-specific | `scripts/generate-command-adapter.mjs`, `scripts/audit-command-adapters.mjs`, `references/host-adapters.md`, `references/model-routing.md`, `examples/agent-runtime-host/docs/model-routing.md` | Treat runtime capabilities as `unknown` until project evidence verifies workers, memory, tools, or model routing |
27
+ | WorkBuddy/other IDE agents | `.gse/host-adapters/workbuddy.md`, local docs, plugin settings, task templates | Must point to `.gse/` | `verified` for generated pointer; IDE tools remain project-specific | `scripts/generate-command-adapter.mjs`, `scripts/audit-command-adapters.mjs`, `SKILL.md`, `references/host-adapters.md` | Use `.gse/README.md`, `.gse/project-profile.md`, and `references/router.md` when no host adapter exists |
28
+ | Copilot/Gemini-style assistants | repository instructions, workspace docs | Short instruction to read `.gse/project-profile.md` and relevant gates | `documented` | `references/host-adapters.md` | Use repository instructions plus `.gse/` files; keep advanced tool claims `unknown` |
29
+ | Unknown or custom host | `.gse/host-adapters/generic-agent.md`, host-specific docs decided by the project | Must link back to `.gse/` | `verified` for generated generic pointer; host runtime remains unknown | `scripts/generate-command-adapter.mjs`, `scripts/audit-command-adapters.mjs` | Create a fuller adapter from `assets/templates/host-adapter.md` only when the project has a real host mechanism |
30
+
31
+ ## Capability Matrix
32
+
33
+ | Capability | Portable GSE layer | Codex-style | Claude Code-style | Hermes/AION-style | WorkBuddy/other | Notes |
34
+ |---|---|---|---|---|---|---|
35
+ | Goal map and evidence | `verified` | `documented` | `documented` | `documented` | `documented` | Portable files live under `.gse/`; host adapters should point there |
36
+ | Project bootstrap | `verified` | `documented` | `documented` | `documented` | `documented` | Verified by `scripts/audit-project.mjs` and `scripts/validate-gse.mjs` |
37
+ | Project profile discovery | `verified` | `documented` | `documented` | `documented` | `documented` | Verified by `scripts/audit-adoption.mjs`; host use still depends on project files |
38
+ | Host adapter pointer | `verified` for generated pointers | `verified` | `verified` | `verified` for generated pointer | `verified` for generated pointer | Generated pointers are verified by `scripts/audit-command-adapters.mjs`; runtime invocation still needs host records |
39
+ | Subagents | `documented` fallback rules | `unknown` | `unknown` | `unknown` | `unknown` | Real subagent availability must be checked per host/session |
40
+ | MCP | `documented` status vocabulary | `unknown` | `unknown` | `unknown` | `unknown` | Config presence is documented, not tool availability |
41
+ | LSP/index | `documented` recommendation | `unknown` | `unknown` | `unknown` | `unknown` | Verify per project before relying on symbol navigation |
42
+ | Browser/Playwright | `documented` evidence rules | `unknown` | `unknown` | `unknown` | `unknown` | Fixture config can document Playwright; running browser tests is separate evidence |
43
+ | Model routing | `documented` reference | `unknown` | `unknown` | `documented` | `unknown` | Provider/model behavior needs provider-specific evidence |
44
+ | Hooks/plugins | `documented` adapter rule | `unknown` | `unknown` | `unknown` | `unknown` | Do not enable hooks or plugins without project approval and evidence |
45
+
46
+ ## Adoption Rules
47
+
48
+ 1. Start from `.gse/README.md`, `.gse/project-profile.md`, and `.gse/goal-map.md` when they exist.
49
+ 2. If a host folder exists, read only the short host adapter first, then return to `.gse/` for policy and evidence.
50
+ 3. Record host-specific commands, hooks, MCP servers, subagents, models, browser tools, and indexes as `unknown` until checked in that project/session.
51
+ 4. Use `documented` for config or docs that exist but have not been executed.
52
+ 5. Use `verified` only when current evidence proves the claim.
53
+ 6. Use `unavailable` when an expected host feature is missing or failing.
54
+ 7. Use `references/drift-audit.md` when host folders and `.gse/` disagree.
55
+
56
+ ## Minimum Host Adapter
57
+
58
+ A host adapter should be short:
59
+
60
+ ```text
61
+ # <Host> Adapter
62
+
63
+ Source of truth: `.gse/`.
64
+
65
+ - Read `.gse/project-profile.md` before using host-specific tools.
66
+ - Mark host capabilities verified only after current-session evidence.
67
+ - Use `references/drift-audit.md` when adapter claims and current tools disagree.
68
+ ```
69
+
70
+ Use `assets/templates/host-adapter.md` when a fuller adapter record is needed.
@@ -0,0 +1,38 @@
1
+ # GSE Design Basis
2
+
3
+ This file separates verified sources from design judgment.
4
+
5
+ ## Verified Local Sources
6
+
7
+ - `skill-creator` requires a concise `SKILL.md`, optional `references/`, `scripts/`, and `assets/`, with progressive disclosure and validation.
8
+ - `agentic-engineering` defines eval-first execution, agent-sized decomposition, model routing, and review focus for AI-generated code.
9
+ - `subagent-driven-development` defines fresh subagents per task, explicit roles, spec review, code quality review, and never faking delegation.
10
+ - `comet` combines OpenSpec and Superpowers through open, design, build, verify, archive phases, with hotfix/tweak presets and state files.
11
+ - `openspec-propose` creates proposal, design, specs, and tasks as change artifacts.
12
+ - `self-improvement` records reusable learnings, errors, feature requests, and promotes recurring lessons into project rules.
13
+ - `ci-cd-and-automation` and `code-review-and-quality` describe automated gates and review axes as quality enforcement mechanisms.
14
+
15
+ ## User Requirements Captured
16
+
17
+ - GSE must target large, long-running commercial projects first, while degrading for small projects.
18
+ - GSE must be agent-agnostic across Codex, Claude Code, Hermes, WorkBuddy, and similar tools.
19
+ - GSE must support goal maps, specs, evidence, roles, tool acceleration, learning, release, incident, and quality gates.
20
+ - GSE must have few hard prerequisites; optional tools should enhance, not block.
21
+ - GSE itself must be developed using GSE principles.
22
+ - GSE must not invent unsupported facts; evidence and assumptions must be separated.
23
+ - GSE must proactively benchmark itself and project workflows against mature skills and public practices, then convert gaps into goals, gates, templates, or scripts.
24
+
25
+ ## Design Judgments
26
+
27
+ - Use GSE as the public name because it is short, avoids AES encryption ambiguity, and captures the core loop.
28
+ - Use `.gse/` as the durable project folder because hidden workflow folders are familiar and avoid polluting product docs.
29
+ - Use task levels so small tasks do not inherit enterprise ceremony.
30
+ - Use markdown fallback for all optional tools so the workflow remains portable.
31
+ - Use benchmark audits as a recurring design mechanism because a purely reactive process lets users discover missing requirements through failures.
32
+
33
+ ## Open Questions
34
+
35
+ - Whether GSE should later publish official adapters for specific hosts, such as Codex Desktop or Claude Code.
36
+ - Whether GSE should include a telemetry dashboard by default or only recommend skill-usage as an optional enhancement.
37
+ - Whether project initialization should update `AGENTS.md` automatically or require explicit approval.
38
+ - How often benchmark audits should run by default: every major project phase, every N slices, or only on explicit request.
@@ -0,0 +1,129 @@
1
+ # Domain Model
2
+
3
+ Use this when GSE needs to consume or update a project's domain language, glossary, context files, or ADRs.
4
+
5
+ ## Purpose
6
+
7
+ Long-running agent work fails when project language drifts. GSE keeps a small domain model layer so future agents can use the project's own words instead of rediscovering or renaming concepts every session.
8
+
9
+ ## Source Files
10
+
11
+ Read these in order when relevant:
12
+
13
+ 1. `.gse/project-profile.md` for the project identity and known docs.
14
+ 2. `CONTEXT.md` for a single-context project glossary.
15
+ 3. `CONTEXT-MAP.md` for monorepos or multi-domain projects.
16
+ 4. `docs/adr/` or context-specific ADR folders for decisions.
17
+ 5. Product specs only after glossary/ADR context is understood.
18
+
19
+ Do not read all context files in a large monorepo. Use `CONTEXT-MAP.md` or project-profile evidence to pick the relevant context.
20
+
21
+ ## File Roles
22
+
23
+ | File | Purpose | Should Not Contain |
24
+ |---|---|---|
25
+ | `.gse/project-profile.md` | Short project identity, commands, tools, gates, and doc map | Full glossary, implementation specs, large logs |
26
+ | `CONTEXT.md` | Domain glossary and ubiquitous language | Implementation details, task lists, transient notes |
27
+ | `CONTEXT-MAP.md` | Map from subsystem/domain to its context and ADR files | Detailed definitions that belong in each context |
28
+ | `docs/adr/*.md` | Durable architectural or product decisions | Ordinary implementation notes or temporary preferences |
29
+ | `.gse/changes/*` | Current change outcome, scope, acceptance, evidence | Canonical domain definitions |
30
+
31
+ ## Single-Context Project
32
+
33
+ Use one root `CONTEXT.md` when the project has one dominant domain language.
34
+
35
+ ```text
36
+ project/
37
+ CONTEXT.md
38
+ docs/adr/
39
+ .gse/project-profile.md
40
+ ```
41
+
42
+ `CONTEXT.md` should define terms like:
43
+
44
+ - Canonical term.
45
+ - Meaning in this project.
46
+ - Terms not to use.
47
+ - Important relationships to other terms.
48
+ - A short example scenario when it prevents ambiguity.
49
+
50
+ ## Multi-Context Project
51
+
52
+ Use `CONTEXT-MAP.md` when one glossary would mix unrelated domains.
53
+
54
+ ```text
55
+ project/
56
+ CONTEXT-MAP.md
57
+ apps/admin/CONTEXT.md
58
+ services/billing/CONTEXT.md
59
+ services/billing/docs/adr/
60
+ docs/adr/
61
+ ```
62
+
63
+ `CONTEXT-MAP.md` should map:
64
+
65
+ - Context name.
66
+ - Path to context file.
67
+ - Related code paths.
68
+ - Related ADR path.
69
+ - Owner or review expectation when known.
70
+
71
+ ## When To Update The Domain Model
72
+
73
+ Update domain files only when the change is durable:
74
+
75
+ - A term is ambiguous, overloaded, or repeatedly explained.
76
+ - The user resolves a naming conflict.
77
+ - Code and user language disagree about a domain concept.
78
+ - A new durable product concept is introduced.
79
+ - A future agent would likely make a wrong assumption without the note.
80
+
81
+ Do not update domain files for:
82
+
83
+ - Temporary implementation details.
84
+ - One-off task notes.
85
+ - Test fixtures that are not domain examples.
86
+ - Preferences that belong in project profile or quality gates.
87
+
88
+ ## ADR Boundary
89
+
90
+ Create or suggest an ADR only when all are true:
91
+
92
+ 1. Hard to reverse: changing later has meaningful cost.
93
+ 2. Surprising without context: future agents or maintainers would ask why.
94
+ 3. Real trade-off: there were plausible alternatives.
95
+
96
+ If any condition is missing, record the fact in the change evidence or project profile instead of creating an ADR.
97
+
98
+ ## Conflict Handling
99
+
100
+ If project language conflicts:
101
+
102
+ 1. Quote the conflicting sources by path.
103
+ 2. Do not silently choose one.
104
+ 3. Ask or propose the smallest resolution.
105
+ 4. Record the resolved canonical term in the right context file.
106
+ 5. If the resolution is hard to reverse and surprising, create or propose an ADR.
107
+
108
+ ## GSE Integration
109
+
110
+ - `project-profile.md` points agents to the relevant context and ADR files.
111
+ - `spec-workflow.md` should use canonical domain terms from context files.
112
+ - `quality-gates.md` can require domain-language checks for high-risk changes.
113
+ - `evidence-taxonomy.md` still decides whether the domain update is result, verified, or accepted.
114
+
115
+ ## Evidence Examples
116
+
117
+ Result:
118
+
119
+ - Added a new glossary entry to `CONTEXT.md`.
120
+
121
+ Verified:
122
+
123
+ - Checked the changed spec and code references use the canonical term.
124
+ - Confirmed no conflicting term remains in touched files.
125
+
126
+ Accepted:
127
+
128
+ - User, domain owner, reviewer, or policy accepts the new canonical term.
129
+
@@ -0,0 +1,75 @@
1
+ # Domain Quality Gates
2
+
3
+ Use this when a task has domain risk beyond basic file or script correctness. Pick only the gates that match the changed behavior and project risk.
4
+
5
+ This reference is risk-based. Lite work should not inherit every gate by default. Commercial, user-visible, data-bearing, security-sensitive, release, or long-running work should receive stronger gates.
6
+
7
+ ## Selection Rule
8
+
9
+ Choose gates by asking:
10
+
11
+ 1. What could fail for users, data, operators, maintainers, or future agents?
12
+ 2. Which project files, tests, commands, docs, or runtime checks can prove the risk is controlled?
13
+ 3. Is the evidence `result`, `verified`, or `accepted` according to `references/evidence-taxonomy.md`?
14
+ 4. Is a tool merely documented, or was it actually run in this project/session?
15
+
16
+ Do not claim scan, benchmark, browser, accessibility, security, or resilience results unless the relevant command or inspection was actually executed.
17
+
18
+ ## Scale Guidance
19
+
20
+ | Level | Default domain gate weight |
21
+ |---|---|
22
+ | Lite | Use only the directly relevant gate and one focused evidence point. |
23
+ | Standard | Use relevant domain gates plus regression or smoke evidence. |
24
+ | Enterprise | Use a risk matrix, review axis, release/recovery path, and project-specific evidence. |
25
+
26
+ Upgrade the gate weight when a change touches public APIs, user data, auth, payments, model/provider routing, migrations, release, cross-module state, worker orchestration, browser automation, or main-path UX.
27
+
28
+ ## Gate Matrix
29
+
30
+ | Domain | Trigger | Minimum evidence | Escalate when |
31
+ |---|---|---|---|
32
+ | Security/privacy | Secrets, auth, permissions, user data, provider payloads, MCP/tools, browser traces, logs | Secret scan or file inspection, permission boundary review, no raw secrets/provider payloads in committed or user-visible output | Data exposure, auth bypass, destructive tools, public release, external services |
33
+ | Performance/cost | Latency, heavy context loading, loops, model/tool routing, worker queues, browser automation, large files | Focused timing, complexity review, query/count check, or explicit cost/latency rationale | Main path, repeated tasks, expensive models, user-visible slowness, scale-sensitive code |
34
+ | Accessibility | UI, keyboard flow, forms, visual states, text contrast, semantic structure | Browser smoke, component inspection, keyboard/focus check, or accessibility tool result when available | User-facing UI, forms, navigation, mobile/responsive layout, public release |
35
+ | Resilience/recovery | Retry, cancellation, timeout, idempotency, duplicate prevention, state recovery, fallback | Failure-path inspection, focused test/smoke for retry/cancel/error state, recovery record when interrupted | Worker/runtime changes, long tasks, external APIs, stateful workflows, release rollback |
36
+ | UI/browser | Visual behavior, loading/empty/error/success states, routing, layout, streaming, browser automation | Browser smoke, screenshot/visual inspection, component test, or DOM/state inspection | Main user flow, responsive UI, visual regression risk, rich interaction |
37
+ | API/state | API contracts, persistence, state machines, cache, sessions, concurrency, idempotency | Focused API smoke, state transition test, schema/config inspection, replay/idempotency check | Public API, cross-session state, migrations, concurrent writes, data retention |
38
+ | Data/migration | Schema, storage, generated artifacts, imports/exports, backward compatibility | Migration/rollback notes, fixture data smoke, backup/restore plan, compatibility check | Production data, irreversible transform, downgrade uncertainty, multi-version support |
39
+ | Model/tool routing | Model provider, tool call, MCP, browser, subagent, permission, cost route | Tool status marked documented/verified/unknown/unavailable; provider/model behavior verified only after execution | New provider, fallback, sensitive data, expensive model, hidden tool traces |
40
+ | Release/operations | Install, update, release notes, rollback, incident, observability | `references/release.md`, `references/recovery.md`, release readiness audit, known risks | Public handoff, package update, runtime compatibility, incident hotfix |
41
+
42
+ ## Evidence Mapping
43
+
44
+ Use the narrowest evidence that would fail if the changed behavior were broken.
45
+
46
+ - File inspection can verify docs, templates, source-of-truth boundaries, and secret absence in touched files.
47
+ - Focused tests can verify code behavior, state transitions, error paths, and regressions.
48
+ - API smokes can verify contracts, persistence, and session behavior.
49
+ - Browser smokes can verify UI, accessibility basics, streaming, loading/error states, and layout-sensitive flows.
50
+ - Architecture/review scans can verify coupling, ownership, release risk, and residual risk when runtime execution is not available.
51
+
52
+ If evidence is unavailable, record `unknown` or `not ready`; do not promote to `verified`.
53
+
54
+ ## Review Routing
55
+
56
+ - Use `references/review.md` for spec compliance, code quality, architecture drift, security/privacy, regression, and evidence review axes.
57
+ - Use `references/architecture-health.md` when the task touches structural boundaries, source-of-truth drift, dependency/security risk, performance/resilience, migration, or release impact.
58
+ - Use `references/release.md` and `references/recovery.md` when domain risk affects release, rollback, migration, incident response, or future-agent continuation.
59
+ - Use `.gse/project-profile.md` for project-specific commands, owners, threat model, performance budget, browser matrix, release gates, and compliance requirements.
60
+
61
+ ## Output Format
62
+
63
+ Record domain gates compactly:
64
+
65
+ ```text
66
+ Domain gates selected:
67
+ Why selected:
68
+ Evidence run:
69
+ Evidence status: result | verified | accepted | not ready
70
+ Unverified tools:
71
+ Residual risk:
72
+ Next action:
73
+ ```
74
+
75
+ For skipped gates, say why they are not applicable or what evidence would be needed later.