@t275005746/gse 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (207) hide show
  1. package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -0
  2. package/.github/ISSUE_TEMPLATE/change_request.yml +50 -0
  3. package/.github/ISSUE_TEMPLATE/config.yml +5 -0
  4. package/.github/PULL_REQUEST_TEMPLATE.md +38 -0
  5. package/.github/workflows/validate-gse.yml +33 -0
  6. package/.gse/README.md +18 -0
  7. package/.gse/gse-development-protocol.md +50 -0
  8. package/.gse/project-profile.md +29 -0
  9. package/.gse/quality-gates.md +25 -0
  10. package/.gse/releases/public-channel-publication-pending.md +49 -0
  11. package/.gse/releases/public-ci-run-pending.md +53 -0
  12. package/.gse/releases/public-release-owner-required.md +65 -0
  13. package/.gse/releases/public-repository-settings-owner-required.md +59 -0
  14. package/.gse/releases/public-security-contact-owner-required.md +45 -0
  15. package/.gse/state.json +27 -0
  16. package/CHANGELOG.md +24 -0
  17. package/CONTRIBUTING.md +64 -0
  18. package/LICENSE +21 -0
  19. package/README.md +236 -0
  20. package/README.zh-CN.md +236 -0
  21. package/SECURITY.md +41 -0
  22. package/SKILL.md +148 -0
  23. package/SUPPORT.md +38 -0
  24. package/agents/openai.yaml +4 -0
  25. package/assets/marketplace/README.md +7 -0
  26. package/assets/marketplace/gse-listing.json +75 -0
  27. package/assets/templates/acceptance-execution-packet.md +73 -0
  28. package/assets/templates/adr.md +14 -0
  29. package/assets/templates/change-brief.md +16 -0
  30. package/assets/templates/design.md +18 -0
  31. package/assets/templates/dispatch-packet.md +104 -0
  32. package/assets/templates/evidence.md +14 -0
  33. package/assets/templates/execution-quality-pack.md +65 -0
  34. package/assets/templates/goal-map.md +21 -0
  35. package/assets/templates/host-adapter.md +48 -0
  36. package/assets/templates/host-ui-invocation-record.md +42 -0
  37. package/assets/templates/incident-review.md +60 -0
  38. package/assets/templates/public-channel-publication-record.md +49 -0
  39. package/assets/templates/public-ci-run-record.md +53 -0
  40. package/assets/templates/public-release-record.md +65 -0
  41. package/assets/templates/public-repository-settings-record.md +59 -0
  42. package/assets/templates/public-security-contact-record.md +45 -0
  43. package/assets/templates/release-trust-record.md +32 -0
  44. package/assets/templates/review.md +18 -0
  45. package/assets/templates/spec.md +16 -0
  46. package/assets/templates/target-adoption-evidence.md +29 -0
  47. package/assets/templates/tasks.md +17 -0
  48. package/assets/templates/update-release-acceptance-record.md +58 -0
  49. package/examples/README.md +22 -0
  50. package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -0
  51. package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -0
  52. package/examples/agent-runtime-host/.gse/goal-map.md +7 -0
  53. package/examples/agent-runtime-host/.gse/project-profile.md +27 -0
  54. package/examples/agent-runtime-host/.gse/tooling.md +5 -0
  55. package/examples/agent-runtime-host/.mcp.json +9 -0
  56. package/examples/agent-runtime-host/AGENTS.md +5 -0
  57. package/examples/agent-runtime-host/README.md +10 -0
  58. package/examples/agent-runtime-host/docs/model-routing.md +5 -0
  59. package/examples/cli-tool/.gse/project-profile.md +21 -0
  60. package/examples/cli-tool/AGENTS.md +5 -0
  61. package/examples/cli-tool/README.md +12 -0
  62. package/examples/cli-tool/package.json +21 -0
  63. package/examples/small-app/.env.example +2 -0
  64. package/examples/small-app/.github/workflows/ci.yml +8 -0
  65. package/examples/small-app/AGENTS.md +5 -0
  66. package/examples/small-app/README.md +12 -0
  67. package/examples/small-app/package.json +26 -0
  68. package/examples/small-app/playwright.config.ts +4 -0
  69. package/package.json +53 -0
  70. package/references/adoption-recipes.md +171 -0
  71. package/references/agent-roles.md +49 -0
  72. package/references/architecture-health.md +101 -0
  73. package/references/benchmark-audit.md +73 -0
  74. package/references/commands.md +295 -0
  75. package/references/community-channels.md +46 -0
  76. package/references/compatibility.md +70 -0
  77. package/references/design-basis.md +38 -0
  78. package/references/domain-model.md +129 -0
  79. package/references/domain-quality-gates.md +75 -0
  80. package/references/drift-audit.md +81 -0
  81. package/references/evidence-taxonomy.md +123 -0
  82. package/references/file-ownership.md +107 -0
  83. package/references/final-readiness.md +84 -0
  84. package/references/forward-test.md +133 -0
  85. package/references/goal-map.md +36 -0
  86. package/references/host-adapters.md +119 -0
  87. package/references/learning-system.md +35 -0
  88. package/references/marketplace-discovery.md +46 -0
  89. package/references/model-routing.md +103 -0
  90. package/references/open-source-defaults.md +39 -0
  91. package/references/operating-model.md +52 -0
  92. package/references/packaging.md +277 -0
  93. package/references/project-agent-workspace.md +89 -0
  94. package/references/project-bootstrap.md +122 -0
  95. package/references/project-profile.md +57 -0
  96. package/references/public-release.md +174 -0
  97. package/references/quality-gates.md +100 -0
  98. package/references/recovery.md +176 -0
  99. package/references/release-trust.md +43 -0
  100. package/references/release.md +126 -0
  101. package/references/review.md +141 -0
  102. package/references/router.md +90 -0
  103. package/references/spec-workflow.md +66 -0
  104. package/references/task-levels.md +81 -0
  105. package/references/tool-adapters.md +73 -0
  106. package/scripts/audit-acceptance-execution-packet.mjs +133 -0
  107. package/scripts/audit-adoption-recipes.mjs +99 -0
  108. package/scripts/audit-adoption.mjs +154 -0
  109. package/scripts/audit-change-lifecycle.mjs +77 -0
  110. package/scripts/audit-change-system.mjs +134 -0
  111. package/scripts/audit-ci-readiness.mjs +107 -0
  112. package/scripts/audit-close-gate.mjs +323 -0
  113. package/scripts/audit-command-adapters.mjs +91 -0
  114. package/scripts/audit-command-execution.mjs +210 -0
  115. package/scripts/audit-commands.mjs +117 -0
  116. package/scripts/audit-compatibility.mjs +149 -0
  117. package/scripts/audit-completion-readiness.mjs +292 -0
  118. package/scripts/audit-distribution.mjs +251 -0
  119. package/scripts/audit-domain-quality-gates.mjs +108 -0
  120. package/scripts/audit-evidence-placeholders.mjs +126 -0
  121. package/scripts/audit-final-acceptance-packet.mjs +148 -0
  122. package/scripts/audit-final-form-progress-report.mjs +161 -0
  123. package/scripts/audit-final-form-stale-copy.mjs +221 -0
  124. package/scripts/audit-final-readiness-promotion.mjs +255 -0
  125. package/scripts/audit-final-readiness.mjs +226 -0
  126. package/scripts/audit-fixtures.mjs +154 -0
  127. package/scripts/audit-fresh-session-readiness.mjs +177 -0
  128. package/scripts/audit-gse.mjs +275 -0
  129. package/scripts/audit-host-adapters.mjs +119 -0
  130. package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -0
  131. package/scripts/audit-host-runtime-invocation-drill.mjs +240 -0
  132. package/scripts/audit-host-runtime-invocations.mjs +254 -0
  133. package/scripts/audit-host-ui-invocation.mjs +132 -0
  134. package/scripts/audit-learning-system.mjs +103 -0
  135. package/scripts/audit-local-final-form-completion.mjs +131 -0
  136. package/scripts/audit-marketplace-discovery.mjs +122 -0
  137. package/scripts/audit-npm-package-metadata.mjs +155 -0
  138. package/scripts/audit-npm-publish-dry-run.mjs +169 -0
  139. package/scripts/audit-npm-tarball-install.mjs +191 -0
  140. package/scripts/audit-open-source-defaults.mjs +92 -0
  141. package/scripts/audit-open-source-readiness.mjs +97 -0
  142. package/scripts/audit-owner-external-gate-kit.mjs +218 -0
  143. package/scripts/audit-project.mjs +323 -0
  144. package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -0
  145. package/scripts/audit-public-acceptance-handoff.mjs +142 -0
  146. package/scripts/audit-public-acceptance-readiness.mjs +224 -0
  147. package/scripts/audit-public-channel-publication.mjs +248 -0
  148. package/scripts/audit-public-ci-run.mjs +184 -0
  149. package/scripts/audit-public-collaboration-templates.mjs +98 -0
  150. package/scripts/audit-public-external-gate-probe.mjs +206 -0
  151. package/scripts/audit-public-release-checklist.mjs +133 -0
  152. package/scripts/audit-public-release-decision.mjs +201 -0
  153. package/scripts/audit-public-release-metadata.mjs +176 -0
  154. package/scripts/audit-public-repository-settings.mjs +237 -0
  155. package/scripts/audit-public-security-contact.mjs +171 -0
  156. package/scripts/audit-readme-docs.mjs +185 -0
  157. package/scripts/audit-recovery-readiness.mjs +98 -0
  158. package/scripts/audit-release-bundle.mjs +251 -0
  159. package/scripts/audit-release-owner-action-plan-drill.mjs +277 -0
  160. package/scripts/audit-release-owner-action-plan.mjs +164 -0
  161. package/scripts/audit-release-readiness.mjs +106 -0
  162. package/scripts/audit-release-status-manifest.mjs +165 -0
  163. package/scripts/audit-release-trust.mjs +62 -0
  164. package/scripts/audit-remote-distribution.mjs +266 -0
  165. package/scripts/audit-roadmap-consistency.mjs +235 -0
  166. package/scripts/audit-signing.mjs +147 -0
  167. package/scripts/audit-state-freshness.mjs +113 -0
  168. package/scripts/audit-target-adoption-evidence.mjs +117 -0
  169. package/scripts/audit-target-project.mjs +507 -0
  170. package/scripts/audit-update-release-acceptance.mjs +136 -0
  171. package/scripts/audit-v1-target-validation.mjs +269 -0
  172. package/scripts/audit-validation-profiles.mjs +125 -0
  173. package/scripts/close-change.mjs +116 -0
  174. package/scripts/discover-project-profile.mjs +307 -0
  175. package/scripts/forward-test-gse.mjs +146 -0
  176. package/scripts/generate-command-adapter.mjs +231 -0
  177. package/scripts/generate-final-acceptance-packet.mjs +181 -0
  178. package/scripts/generate-final-form-progress-report.mjs +205 -0
  179. package/scripts/generate-host-adapter.mjs +73 -0
  180. package/scripts/generate-host-runtime-evidence-handoff.mjs +206 -0
  181. package/scripts/generate-owner-external-gate-kit.mjs +295 -0
  182. package/scripts/generate-public-acceptance-handoff.mjs +168 -0
  183. package/scripts/generate-public-release-checklist.mjs +207 -0
  184. package/scripts/generate-release-bundle.mjs +505 -0
  185. package/scripts/generate-release-owner-action-plan.mjs +172 -0
  186. package/scripts/generate-release-status-manifest.mjs +200 -0
  187. package/scripts/generate-session-prompt.mjs +188 -0
  188. package/scripts/gse.mjs +67 -0
  189. package/scripts/init-change.mjs +265 -0
  190. package/scripts/init-project.mjs +785 -0
  191. package/scripts/install-gse.mjs +234 -0
  192. package/scripts/lib/evidence-placeholders.mjs +28 -0
  193. package/scripts/package-gse.mjs +174 -0
  194. package/scripts/probe-public-external-gates.mjs +167 -0
  195. package/scripts/record-host-invocation.mjs +151 -0
  196. package/scripts/record-learning.mjs +137 -0
  197. package/scripts/record-public-channel-publication.mjs +178 -0
  198. package/scripts/record-public-ci-run.mjs +180 -0
  199. package/scripts/record-public-release.mjs +175 -0
  200. package/scripts/record-public-repository-settings.mjs +209 -0
  201. package/scripts/record-public-security-contact.mjs +157 -0
  202. package/scripts/run-gse-command.mjs +538 -0
  203. package/scripts/run-validation-profile.mjs +146 -0
  204. package/scripts/sign-gse-package.mjs +83 -0
  205. package/scripts/update-project-state.mjs +223 -0
  206. package/scripts/validate-gse.mjs +1168 -0
  207. package/scripts/verify-gse-package.mjs +85 -0
@@ -0,0 +1,119 @@
1
+ # Host Adapters
2
+
3
+ Use this when a project needs GSE to work across Codex, Claude Code, Hermes/AION-style runtimes, WorkBuddy, Copilot-style agents, Gemini-style agents, or another agent host. Use `references/compatibility.md` to check host support status and adoption evidence before making capability claims.
4
+
5
+ ## Core Rule
6
+
7
+ `.gse/` is the portable source of truth. Host-specific folders are adapters.
8
+
9
+ Adapters may expose commands, hooks, skills, MCP servers, indexes, or local UI metadata for one host, but they must point back to `.gse/` for project policy, goals, evidence, quality gates, and learning rules.
10
+
11
+ ## Adapter Decision
12
+
13
+ Create or update a host adapter only when at least one condition is true:
14
+
15
+ - The host has a real folder, command, hook, skill, MCP, index, or plugin mechanism.
16
+ - The project already has host-specific rules that future agents need to find.
17
+ - A host-specific capability needs a short pointer to `.gse/` to avoid duplicate policy.
18
+ - A migration is needed from an existing `.claude/`, `.codex/`, `.agents/`, or runtime-specific workflow into `.gse/`.
19
+
20
+ Do not create host folders just for decoration. If the host capability is unknown, document it as `unknown` in `.gse/project-profile.md` or `.gse/tooling.md`.
21
+
22
+ ## Supported Host Shapes
23
+
24
+ | Host shape | Common adapter location | Adapter should contain | Must not contain |
25
+ |---|---|---|---|
26
+ | Codex-style | `.codex/`, Codex skills, MCP config | Pointer to `.gse/`, skill routing notes, MCP/index notes when verified | Full duplicate goal map or stale project rules |
27
+ | Claude Code-style | `.claude/commands/`, `.claude/agents/`, `.claude/hooks/` | Command/agent/hook entrypoints that read `.gse/` first | Independent process constitution that conflicts with `.gse/` |
28
+ | Hermes/AION-style runtime | runtime skills, worker adapters, memory/tool substrate docs | Runtime bridge notes and internal capability mapping | User-facing product identity or runtime leakage |
29
+ | WorkBuddy/other IDE agents | local docs, plugin settings, task templates | How that host finds `.gse/` and which tools are verified | Claims that unsupported subagent or tool APIs exist |
30
+ | Copilot/Gemini-style assistants | repository instructions, workspace docs | Short instruction to use `.gse/project-profile.md` and relevant gates | Host-specific long workflow copies |
31
+
32
+ ## Adapter Contents
33
+
34
+ Use `assets/templates/host-adapter.md` for each adapter note.
35
+
36
+ For command adapters, use:
37
+
38
+ ```text
39
+ node <gse-skill>/scripts/generate-command-adapter.mjs --target <project-root> --host claude|codex|hermes|workbuddy|copilot|gemini|generic|all
40
+ ```
41
+
42
+ This creates the smallest host command pointer available for the selected host. Generated files must still point back to `.gse/`.
43
+
44
+ Generated command adapter locations:
45
+
46
+ | Host | Generated path | Native slash-command claim |
47
+ |---|---|---|
48
+ | Claude Code-style | `.claude/commands/gse.md` | yes, file-shape only; runtime proof still needs a host invocation record |
49
+ | Codex-style | `.codex/gse-command.md` | no |
50
+ | Hermes/AION-style runtime | `.gse/host-adapters/hermes-runtime.md` | no |
51
+ | WorkBuddy-style IDE agent | `.gse/host-adapters/workbuddy.md` | no |
52
+ | GitHub Copilot-style assistant | `.github/copilot-instructions.md` | no |
53
+ | Gemini-style assistant | `GEMINI.md` | no |
54
+ | Generic or unknown agent host | `.gse/host-adapters/generic-agent.md` | no |
55
+
56
+ The Hermes, WorkBuddy, Copilot, Gemini, and generic adapters are portable pointers. They exist to prevent host workflow drift, not to prove runtime support.
57
+
58
+ For real host execution evidence, use:
59
+
60
+ ```text
61
+ node <gse-skill>/scripts/record-host-invocation.mjs --root <skill-or-project> --host <host> --invocation-method <method> --evidence-owner <owner> --evidence <thread-or-log> --portable-text-command true --native-slash-command false
62
+ ```
63
+
64
+ Then run:
65
+
66
+ ```text
67
+ node <gse-skill>/scripts/audit-host-runtime-invocations.mjs --root <skill-or-project>
68
+ ```
69
+
70
+ Before release handoff or cross-host claims, run the fixture drill:
71
+
72
+ ```text
73
+ node <gse-skill>/scripts/audit-host-runtime-invocation-drill.mjs --root <skill-or-project>
74
+ ```
75
+
76
+ The drill writes temporary records for Claude, Codex, Hermes/AION-style, WorkBuddy, and generic hosts, then audits native versus portable evidence counts. It proves the record/audit mechanics only; it does not prove real host runtime support.
77
+
78
+ Generated adapters are not runtime proof. A host capability becomes verified only when a persistent host invocation record exists and the audit can parse it.
79
+
80
+ Minimum fields:
81
+
82
+ - Host name and adapter path.
83
+ - Source of truth: always `.gse/` unless the project explicitly says otherwise.
84
+ - Verified capabilities: commands, hooks, MCP, LSP/index, subagents, browser, CI.
85
+ - Unverified or unavailable capabilities.
86
+ - How to start meaningful work in this host.
87
+ - Safety and permissions.
88
+ - Drift check owner or cadence.
89
+
90
+ ## Tool Status Rules
91
+
92
+ Use the same vocabulary as `references/tool-adapters.md`:
93
+
94
+ - `verified`: checked in this project or trusted local docs.
95
+ - `documented`: present in docs or config, not tested in this session.
96
+ - `unknown`: not confirmed.
97
+ - `unavailable`: expected but missing or failing.
98
+
99
+ Never mark a host capability as `verified` because another host has it. Subagents, hooks, MCP, and browser tools are host-specific.
100
+
101
+ ## Drift Prevention
102
+
103
+ Use `references/drift-audit.md` when host-specific folders, hooks, skills, MCP, subagents, runtime adapters, or capability claims may have drifted from `.gse/`.
104
+
105
+ When adding a host adapter:
106
+
107
+ 1. Keep policy in `.gse/` and link back from the host folder.
108
+ 2. Copy only the shortest host-specific command or pointer needed.
109
+ 3. Add the adapter to `.gse/project-profile.md` under `Agent Host Adapters`.
110
+ 4. Add any verified commands to `.gse/tooling.md`.
111
+ 5. If the adapter changes task routing, update `.gse/goal-map.md` or `.gse/quality-gates.md` only once in the portable layer.
112
+
113
+ ## Review Checklist
114
+
115
+ - Does the adapter point to `.gse/` before host-specific instructions?
116
+ - Are verified and unverified capabilities separated?
117
+ - Are secrets and write-capable tools documented without exposing credentials?
118
+ - Is there only one authoritative goal map and evidence location?
119
+ - Can a future agent using a different host still follow the project workflow?
@@ -0,0 +1,35 @@
1
+ # Learning System
2
+
3
+ Learnings keep long projects from repeating mistakes.
4
+
5
+ ## Capture When
6
+
7
+ - User corrects an assumption.
8
+ - A command, tool, API, or integration fails unexpectedly.
9
+ - A bug root cause was non-obvious.
10
+ - A recurring workflow can be shortened or hardened.
11
+ - A missing quality gate allowed a defect through.
12
+
13
+ ## Do Not Capture
14
+
15
+ - Raw chain of thought.
16
+ - Temporary attempts.
17
+ - Long command output.
18
+ - One-off details unlikely to help future work.
19
+
20
+ ## Upgrade Rule
21
+
22
+ Use `references/drift-audit.md` when a repeated lesson suggests stale docs, stale project-profile facts, stale host adapters, stale tool assumptions, or stale evidence state.
23
+
24
+ - First occurrence: learning note.
25
+ - Second occurrence: checklist or template update.
26
+ - Third occurrence: project rule or quality gate.
27
+ - Fifth occurrence: script, test, or dedicated skill.
28
+
29
+ ## Suggested Stores
30
+
31
+ - `.gse/learnings.md` for portable project lessons.
32
+ - `.learnings/` when the project already uses that convention.
33
+ - `AGENTS.md` for durable project rules.
34
+ - ADRs for architectural decisions.
35
+
@@ -0,0 +1,46 @@
1
+ # Marketplace Discovery
2
+
3
+ Use this when preparing GSE for a public catalog, skill marketplace, plugin listing, GitHub release page, or internal agent-workflow registry.
4
+
5
+ Discovery metadata should help people find and evaluate GSE without overstating trust.
6
+
7
+ ## Required Metadata
8
+
9
+ - Name and display name.
10
+ - Short tagline and summary.
11
+ - Categories and keywords that describe the workflow naturally.
12
+ - Entrypoints for humans and agents.
13
+ - Validation commands.
14
+ - Distribution and signing references.
15
+ - Host support status with honest labels.
16
+ - Boundaries and unverified claims.
17
+
18
+ The canonical local metadata file is:
19
+
20
+ ```text
21
+ assets/marketplace/gse-listing.json
22
+ ```
23
+
24
+ ## Search Language
25
+
26
+ Use normal explanatory language around terms such as agentic engineering, spec-driven development, SDD, AI coding agents, goal maps, evidence gates, OpenSpec-style changes, and Superpowers-style execution. Do not add isolated search-term blocks that read like keyword stuffing.
27
+
28
+ ## Trust Boundary
29
+
30
+ Discovery metadata is not marketplace approval.
31
+
32
+ A listing can be:
33
+
34
+ - `result`: drafted metadata exists.
35
+ - `verified`: metadata passes local audit and matches package validation.
36
+ - `accepted`: the target marketplace, catalog owner, or release owner accepts it.
37
+
38
+ ## Validation
39
+
40
+ Run:
41
+
42
+ ```text
43
+ node <skill>/scripts/audit-marketplace-discovery.mjs --root <skill> --json
44
+ ```
45
+
46
+ For release trust, also use `references/release-trust.md`.
@@ -0,0 +1,103 @@
1
+ # Model Routing
2
+
3
+ Use this when GSE work needs to choose a model, provider, hosted tool, local tool, browser agent, worker, or role-specific agent capability.
4
+
5
+ ## Core Rule
6
+
7
+ Route by capability first, then cost, latency, privacy, context size, tool use, reliability, and evidence.
8
+
9
+ Do not hard-code one provider, one model family, or one host as the GSE default. Projects may define preferred providers, but GSE must preserve a portable fallback path.
10
+
11
+ ## Capability-First Selection
12
+
13
+ Define the task capability before picking a model:
14
+
15
+ | Capability | Typical use | Routing preference |
16
+ |---|---|---|
17
+ | Fast classification | triage, route selection, small labels | lowest reliable latency/cost |
18
+ | Code location | symbol search, call chains, existing tests | LSP/index/search before stronger model reasoning |
19
+ | Mechanical edit | narrow transforms, boilerplate, local fixes | lower-cost coding-capable model if verification is strong |
20
+ | Implementation | bounded code slice, tests, integration | standard coding model with project context |
21
+ | Architecture/root cause | invariants, multi-file reasoning, debugging | highest-reasoning model available and approved |
22
+ | Review/QA | spec compliance, security, regressions, UI evidence | independent reviewer model or fresh context when risk is high |
23
+ | Long context synthesis | session working set, docs, logs, migration notes | model with adequate context and summarization behavior |
24
+ | Tool/worker execution | browser, shell, MCP, CI, queue, runtime worker | verified host/tool adapter, not just model choice |
25
+
26
+ ## Status Vocabulary
27
+
28
+ Keep model availability separate from model behavior.
29
+
30
+ - `documented`: project docs, provider config, or host settings mention the model/tool.
31
+ - `verified`: this session or project evidence ran the model/tool successfully for the relevant capability.
32
+ - `unknown`: no trustworthy evidence yet.
33
+ - `unavailable`: expected model/tool is missing, blocked, failing, or forbidden.
34
+
35
+ A documented model is not verified. A verified chat response does not verify tool use, long context, latency, cost, or privacy behavior.
36
+
37
+ ## Routing Inputs
38
+
39
+ Record these in `.gse/project-profile.md`, `.gse/tooling.md`, or a host adapter when relevant:
40
+
41
+ - Provider or host:
42
+ - Model/tool id:
43
+ - Capability:
44
+ - Status: documented | verified | unknown | unavailable
45
+ - Evidence path or command:
46
+ - Cost tier:
47
+ - Latency expectation:
48
+ - Context limit or practical context budget:
49
+ - Tool-use support:
50
+ - Privacy/security boundary:
51
+ - Fallback:
52
+ - Known failure modes:
53
+
54
+ ## Decision Order
55
+
56
+ 1. Use project-specific routing rules if they exist and do not conflict with current user instruction.
57
+ 2. Prefer verified local tools for code location, tests, browser smoke, and CI before spending model reasoning.
58
+ 3. Choose the cheapest/fastest model that can satisfy the capability with adequate verification.
59
+ 4. Escalate to a stronger model when there is a clear reasoning, context, safety, or integration gap.
60
+ 5. Use fresh context for review, QA, or high-risk architecture when current-session context may bias the result.
61
+ 6. Fall back to a documented or generic model only when the task risk is low or verification can catch mistakes.
62
+ 7. Record residual risk when model behavior is unknown or only structurally verified.
63
+
64
+ ## Fallback Rules
65
+
66
+ - If preferred model is unavailable, use the next project-approved model with the same capability class.
67
+ - If tool-use support is unavailable, switch to manual shell/browser/CI verification when possible.
68
+ - If long-context support is unavailable, build a smaller working set and record omitted context.
69
+ - If privacy constraints forbid remote models, use local tools, local models, or ask for a project-approved path.
70
+ - If cost is high, reduce context, split the task, or use lower-tier models for locator/QA roles.
71
+ - Do not claim a fallback preserved quality unless focused evidence proves it.
72
+
73
+ ## Evidence Requirements
74
+
75
+ For model routing claims, record:
76
+
77
+ ```text
78
+ Capability:
79
+ Chosen model/tool:
80
+ Why this route:
81
+ Status: documented | verified | unknown | unavailable
82
+ Cost/latency notes:
83
+ Context/tool-use notes:
84
+ Privacy/security notes:
85
+ Fallback:
86
+ Evidence:
87
+ Residual risk:
88
+ ```
89
+
90
+ ## What Not To Do
91
+
92
+ - Do not route all tasks to the strongest model by default.
93
+ - Do not route all tasks to the cheapest model when failure would be expensive.
94
+ - Do not treat provider marketing claims as project evidence.
95
+ - Do not expose secrets, raw provider payloads, hidden reasoning, or private tool traces in user-facing output.
96
+ - Do not confuse model routing with provider adapter implementation.
97
+
98
+ ## Project Integration
99
+
100
+ - `references/project-profile.md` records project-approved providers, model/tool ids, privacy limits, and fallback policy.
101
+ - `references/tool-adapters.md` records availability and verification status for host tools and model-backed tools.
102
+ - `references/host-adapters.md` records host-specific model, subagent, MCP, browser, and worker capabilities.
103
+ - `references/evidence-taxonomy.md` decides whether routing evidence is result, verified, or accepted.
@@ -0,0 +1,39 @@
1
+ # GSE Open-Source Defaults
2
+
3
+ Use this reference when preparing GSE for a public repository or when a project asks to follow the mainstream open-source path.
4
+
5
+ ## Recommended Default
6
+
7
+ GSE's owner-approved default route is:
8
+
9
+ - License: MIT.
10
+ - Repository: public GitHub repository.
11
+ - CI: GitHub Actions with required checks.
12
+ - Security: `SECURITY.md` plus GitHub Security Advisory or another owner-approved public disclosure path.
13
+ - Release channel: GitHub Release first; package registry or marketplace only after real publication evidence exists.
14
+ - Command UX: portable `/gse ...` commands, with native slash-command claims only after a host runtime record proves native execution.
15
+
16
+ ## Why This Default
17
+
18
+ - MIT is widely understood by open-source tool users and keeps integration friction low.
19
+ - GitHub public repository plus GitHub Actions gives public, linkable evidence for repository settings and CI.
20
+ - GitHub Release provides a simple first public channel without pretending a registry or marketplace approved the package.
21
+ - Portable `/gse ...` command semantics work across hosts even when native slash-command APIs differ.
22
+
23
+ ## Claim Boundaries
24
+
25
+ - A local `LICENSE` file proves the license text exists; accepted license status requires an owner-approved release record.
26
+ - A local GitHub Actions workflow file does not prove public CI. Use a real public run URL and `scripts/record-public-ci-run.mjs`.
27
+ - A local `SECURITY.md` does not prove a public security contact. Use `scripts/record-public-security-contact.mjs` after the disclosure path is public and owner-approved.
28
+ - A generated package or release bundle does not prove public publication. Use `scripts/record-public-channel-publication.mjs` after a real channel URL exists.
29
+ - Generated host adapter pointers do not prove native slash commands. Use `scripts/record-host-invocation.mjs` with real host evidence.
30
+
31
+ ## Minimal Public Release Order
32
+
33
+ 1. Record the owner-approved MIT license decision.
34
+ 2. Publish or mirror GSE into a public GitHub repository.
35
+ 3. Enable repository settings: issues, pull requests, security policy visibility, branch protection, required checks, review before merge, conversation resolution, force-push restriction, and deletion restriction.
36
+ 4. Run public GitHub Actions and record the run URL, commit SHA, branch, and required checks.
37
+ 5. Create a GitHub Release and record the release URL.
38
+ 6. Record host runtime invocation evidence for each claimed host.
39
+ 7. Re-run final readiness and public acceptance audits.
@@ -0,0 +1,52 @@
1
+ # Operating Model
2
+
3
+ Use the same loop for every task, scaled by task level.
4
+
5
+ ## 1. Goal
6
+
7
+ Identify the project goal, user outcome, current priority, and non-goals.
8
+
9
+ For long-running work, bind to `.gse/goal-map.md` or the project's existing goal map.
10
+
11
+ ## 2. Spec
12
+
13
+ Define boundaries before implementation:
14
+
15
+ - Inputs and outputs
16
+ - UI/API/state behavior
17
+ - Error and recovery behavior
18
+ - Permissions and privacy boundaries
19
+ - Acceptance criteria
20
+ - Test or smoke plan
21
+
22
+ Do not over-spec Level 1 tasks.
23
+
24
+ ## 3. Execute
25
+
26
+ Use the smallest verifiable slice.
27
+
28
+ - Locate code with `rg`, `rg --files`, LSP, or an index before editing.
29
+ - Follow existing patterns.
30
+ - Keep unrelated refactors out.
31
+ - Use subagents only when actual dispatch tools exist and ownership is clear.
32
+ - Use `references/file-ownership.md` before editing dirty files, shared files, or files assigned to another role.
33
+ - Avoid making every internal state transition its own product slice. When several small states only matter as one user-visible chain, merge them and verify the chain.
34
+
35
+ ## 4. Evidence
36
+
37
+ Completion needs evidence appropriate to the risk:
38
+
39
+ - Unit/component/contract test
40
+ - API smoke
41
+ - Browser or Playwright smoke
42
+ - Build/typecheck/lint
43
+ - Screenshot or trace for UI
44
+ - Commit hash or change summary
45
+
46
+ Choose the gate profile from `references/task-levels.md` and `references/quality-gates.md`. A small docs or state slice should not pay the same verification cost as a release/install/cross-host slice. Conversely, release, public contract, install, and host-runtime claims need hard gates and cannot be proven by narrow tests alone.
47
+
48
+ ## 5. Learn
49
+
50
+ Record reusable lessons when a failure, correction, tool gap, repeated bug, or better process is discovered.
51
+
52
+ Escalate repeated lessons into quality gates or project rules.
@@ -0,0 +1,277 @@
1
+ # Packaging And Maintenance
2
+
3
+ Use this when preparing GSE itself for handoff, update, local installation, or a versioned internal release.
4
+
5
+ Use `references/adoption-recipes.md` for applying or updating GSE inside a target project after the skill package itself is validated.
6
+
7
+ This is a packaging readiness guide, not a registry publication process. Do not claim marketplace distribution, host plugin support, signing, open-source license acceptance, or v1.0 acceptance unless that evidence exists. Use `references/public-release.md` before public GitHub, marketplace, catalog, registry, or external package handoff.
8
+
9
+ ## Package Boundary
10
+
11
+ The GSE skill package includes:
12
+
13
+ - `package.json` as Node package metadata for local packing, CLI bin exposure, and future registry handoff.
14
+ - `SKILL.md` as the small entrypoint.
15
+ - `CHANGELOG.md` as the public-release change history and unsupported-claims boundary.
16
+ - `CONTRIBUTING.md`, `SECURITY.md`, and `SUPPORT.md` as public repository collaboration, vulnerability-reporting, and support boundaries.
17
+ - `.github/workflows/validate-gse.yml` as the portable GitHub Actions validation template for public repository use.
18
+ - `.github/PULL_REQUEST_TEMPLATE.md` and `.github/ISSUE_TEMPLATE/` as evidence-first public collaboration templates.
19
+ - `references/` as progressive-disclosure guidance.
20
+ - `scripts/` as repeatable audits, generators, discovery, validation, and forward-test probes.
21
+ - `assets/templates/` as reusable project artifacts.
22
+ - `assets/marketplace/` as portable discovery metadata for catalogs and marketplaces.
23
+ - `examples/` as lightweight adoption fixtures.
24
+ - `agents/openai.yaml` as optional host UI metadata.
25
+ - `.gse/` as the GSE self-development source of truth.
26
+
27
+ Do not package temporary output, command logs, screenshots, secrets, generated cache folders, `.learnings/`, or host-specific local credentials.
28
+
29
+ Generated package and release manifests must not expose the packager's local absolute source path. Keep local paths in command output only, not in distributable metadata.
30
+
31
+ ## Version And Release Label
32
+
33
+ GSE currently uses an internal readiness label rather than a published semver package.
34
+
35
+ Release labels should use this format until a real package manager or registry exists:
36
+
37
+ ```text
38
+ gse-internal-YYYY-MM-DD-N
39
+ ```
40
+
41
+ Increment `N` for multiple release candidates on the same day.
42
+
43
+ Use semver only after there is a maintained distribution channel and backward-compatibility policy.
44
+
45
+ ## Release Validation Gate
46
+
47
+ Before handing off or calling a GSE package release-ready, run:
48
+
49
+ ```text
50
+ node <skill>/scripts/validate-gse.mjs --root <skill>
51
+ ```
52
+
53
+ The release is not ready if validation fails, if the skill validator is skipped unexpectedly, or if a required evidence gate is only `result` when the release level requires `verified` or `accepted`.
54
+
55
+ `validate-gse.mjs` currently covers structural self-audit, project bootstrap smoke, fixture adoption, existing-repo adoption, host adapter generation, compatibility matrix, documented fixture forward-test, fresh-session readiness, local package/install distribution audit, remote URL distribution integrity audit, package signing and verification audit, release trust policy, public release metadata, release bundle generation, open-source repository readiness, CI workflow readiness, public collaboration templates, marketplace discovery metadata, host UI invocation readiness, skill metadata validation, and BOM scanning.
56
+
57
+ ## Distribution Audit Profiles
58
+
59
+ Before public handoff or registry preparation, verify Node package metadata:
60
+
61
+ ```text
62
+ node <skill>/scripts/audit-npm-package-metadata.mjs --root <skill> --json
63
+ node <skill>/scripts/audit-npm-tarball-install.mjs --root <skill> --json
64
+ node <skill>/scripts/audit-npm-publish-dry-run.mjs --root <skill> --json
65
+ npm pack --dry-run --json
66
+ ```
67
+
68
+ The metadata audit proves package metadata and dry-run pack contents. The tarball install audit creates a real local npm tarball, installs it into a clean temporary consumer project, runs the installed `gse` bin, and runs an installed README audit. The publish dry-run audit checks npm publication metadata, CLI bin preservation, required runtime files, integrity fields, and harmful metadata auto-correction warnings. These checks do not publish to npm, reserve a package name, verify a public repository, or prove registry approval.
69
+
70
+ Use the right distribution profile for the claim:
71
+
72
+ ```text
73
+ node <skill>/scripts/audit-distribution.mjs --root <skill> --profile smoke
74
+ node <skill>/scripts/audit-remote-distribution.mjs --root <skill> --profile smoke
75
+ node <skill>/scripts/validate-gse.mjs --root <skill> --distribution-profile smoke
76
+ ```
77
+
78
+ `smoke` verifies package creation, install, installed entrypoints, CLI status, remote URL install, and remote integrity/tamper behavior. It skips the nested installed-copy `validate-gse` run.
79
+
80
+ Use `full` before release, package handoff, install/update claims, or when the installed copy itself must be validated:
81
+
82
+ ```text
83
+ node <skill>/scripts/validate-gse.mjs --root <skill> --distribution-profile full
84
+ ```
85
+
86
+ ## CI Workflow Template
87
+
88
+ GSE includes a GitHub Actions workflow template at `.github/workflows/validate-gse.yml`.
89
+
90
+ The template runs:
91
+
92
+ ```text
93
+ node scripts/validate-gse.mjs --root . --skip-skill-validator --json
94
+ node scripts/audit-final-readiness.mjs --root . --json
95
+ node scripts/audit-final-acceptance-packet.mjs --root . --json
96
+ ```
97
+
98
+ Run the local CI readiness audit with:
99
+
100
+ ```text
101
+ node <skill>/scripts/audit-ci-readiness.mjs --root <skill>
102
+ ```
103
+
104
+ This verifies the workflow file, trigger coverage, Node setup, validation commands, and final-readiness boundary checks. It does not prove a real public GitHub Actions run, branch protection, required status checks, or marketplace CI policy.
105
+
106
+ ## Release Bundle
107
+
108
+ Use a release bundle when handing GSE to another host, another repository, or a maintainer who needs the install commands, validation checklist, public-release record, and unsupported-claims boundary in one directory:
109
+
110
+ ```text
111
+ node <skill>/scripts/generate-release-bundle.mjs --root <skill> --label <release-label> --out <bundle-dir>
112
+ ```
113
+
114
+ For a focused bundle check, run:
115
+
116
+ ```text
117
+ node <skill>/scripts/audit-release-bundle.mjs --root <skill>
118
+ ```
119
+
120
+ This verifies that the bundle contains a release summary, install commands, validation checklist, public-release record, handoff files, manifest, and owner action plan. The bundle generator creates a fresh release status manifest and owner action plan during bundle creation instead of trusting stale cached acceptance files. The audit writes to an isolated temporary directory so it does not mutate the canonical release bundle path during validation. It still does not publish GSE, choose a license, approve a marketplace listing, or prove host-native slash-command support.
121
+
122
+ ## Release Status Manifest
123
+
124
+ Use the release status manifest when another host, CI job, marketplace checklist, or maintainer needs a machine-readable summary of GSE readiness:
125
+
126
+ ```text
127
+ node <skill>/scripts/generate-release-status-manifest.mjs --root <skill> --out <skill>/.gse/acceptance/release-status-manifest.json --force
128
+ node <skill>/scripts/audit-release-status-manifest.mjs --root <skill>
129
+ ```
130
+
131
+ The manifest summarizes verified rows, owner-required rows, external-required rows, install/distribution status, public acceptance gates, host runtime evidence counts, host runtime fixture drill status, and verification commands. It is generated from current audits and records; it does not create owner decisions, external publication, public CI, marketplace approval, or native slash-command evidence.
132
+
133
+ ## Release Owner Action Plan
134
+
135
+ Use the owner action plan when a human owner or maintainer needs the next concrete public-release actions grouped by responsible party:
136
+
137
+ ```text
138
+ node <skill>/scripts/generate-release-owner-action-plan.mjs --root <skill> --force --json
139
+ node <skill>/scripts/audit-release-owner-action-plan.mjs --root <skill> --json
140
+ node <skill>/scripts/audit-release-owner-action-plan-drill.mjs --root <skill> --json
141
+ ```
142
+
143
+ The plan is generated from `.gse/acceptance/release-status-manifest.json`. It groups pending gates by project owner, repository owner, external CI, external registry, external marketplace, and host runtime. It includes the record command and required evidence for each gate. It does not select a license, configure a repository, run public CI, publish a package, approve a marketplace listing, or prove native slash-command support.
144
+
145
+ The drill runs the plan path in a temporary fixture: it generates the manifest and plan, creates accepted fixture records for every owner/external gate family, verifies final readiness promotes to `publicAccepted: verified`, verifies the public acceptance doctor reports zero pending gates, and then removes the fixture. This proves the workflow mechanics without claiming real public acceptance.
146
+
147
+ ## Local Package And Install
148
+
149
+ Use this path before claiming GSE can be copied or installed outside its current development folder:
150
+
151
+ ```text
152
+ node <skill>/scripts/package-gse.mjs --root <skill> --out <package-dir> --label <release-label>
153
+ node <skill>/scripts/install-gse.mjs --source <package-dir> --target <install-skill-dir>
154
+ node <install-skill-dir>/scripts/validate-gse.mjs --root <install-skill-dir> --skip-skill-validator --skip-distribution --skip-completion-readiness
155
+ ```
156
+
157
+ For a one-command local distribution proof, run:
158
+
159
+ ```text
160
+ node <skill>/scripts/audit-distribution.mjs --root <skill>
161
+ ```
162
+
163
+ This proves file-based packaging, install, and installed-copy validation. It still does not prove registry publication, remote-machine install, signing, shell completion, or marketplace discovery.
164
+
165
+ ## Remote URL Install And Integrity
166
+
167
+ GSE packages include a `gse-package-manifest.json` with `sha256` hashes for packaged files.
168
+
169
+ Install from a URL-shaped package source with:
170
+
171
+ ```text
172
+ node <skill>/scripts/install-gse.mjs --source-url <file-or-http-package-url> --target <install-skill-dir>
173
+ ```
174
+
175
+ Run the focused remote distribution audit with:
176
+
177
+ ```text
178
+ node <skill>/scripts/audit-remote-distribution.mjs --root <skill>
179
+ ```
180
+
181
+ This starts a temporary HTTP package source, installs from `--source-url`, validates the installed copy, then tampers with a package file to verify the integrity gate fails. It proves URL install and manifest integrity behavior locally. It still does not prove public registry publication, trusted signing, marketplace discovery, or remote-machine network conditions.
182
+
183
+ ## Signing And Verification
184
+
185
+ Use Ed25519 signing when a package needs tamper evidence beyond raw file hashes:
186
+
187
+ ```text
188
+ node <skill>/scripts/sign-gse-package.mjs --package <package-dir> --private-key <private.pem> --public-key <public.pem>
189
+ node <skill>/scripts/verify-gse-package.mjs --package <package-dir> --public-key <public.pem>
190
+ node <skill>/scripts/install-gse.mjs --source <package-dir> --target <install-skill-dir> --public-key <public.pem>
191
+ ```
192
+
193
+ For local audit keys only:
194
+
195
+ ```text
196
+ node <skill>/scripts/sign-gse-package.mjs --package <package-dir> --private-key <private.pem> --public-key <public.pem> --generate-key
197
+ ```
198
+
199
+ Run the focused signing audit with:
200
+
201
+ ```text
202
+ node <skill>/scripts/audit-signing.mjs --root <skill>
203
+ ```
204
+
205
+ This proves signing mechanics, signature verification, signed install, and tamper rejection. It does not prove maintainer identity, public key custody, transparency logs, marketplace trust, or a production release policy.
206
+
207
+ For public or shared releases, also complete `references/release-trust.md` and `assets/templates/release-trust-record.md`. This is the Release Trust record for the package. A package can be signed and verified without being trusted; trusted release status requires owner acceptance, public key fingerprint publication, custody rules, rotation policy, and revocation path.
208
+
209
+ For public open-source releases, also complete `references/public-release.md` and `assets/templates/public-release-record.md`. GSE must not choose a license by guessing; accepted public release requires an owner-selected license or an explicit `not-public` decision.
210
+
211
+ ## Marketplace Discovery
212
+
213
+ Use `references/marketplace-discovery.md` and `assets/marketplace/gse-listing.json` when preparing a public listing, catalog entry, plugin page, or marketplace submission.
214
+
215
+ Run:
216
+
217
+ ```text
218
+ node <skill>/scripts/audit-marketplace-discovery.mjs --root <skill> --json
219
+ ```
220
+
221
+ This verifies local discovery metadata and search-language fit. It does not prove marketplace approval, public search indexing, registry publication, maintainer identity, or host-native installation.
222
+
223
+ ## Release Notes
224
+
225
+ Use `references/release.md` as the general release policy. For GSE skill releases, keep notes short:
226
+
227
+ ```text
228
+ Release label:
229
+ Date:
230
+ Readiness: not ready | result | verified | accepted
231
+ Changed:
232
+ Validation:
233
+ Compatibility impact:
234
+ Migration or rollback:
235
+ Known risks:
236
+ Follow-up slices:
237
+ ```
238
+
239
+ Rules:
240
+
241
+ - Link to `.gse/evidence/YYYY-MM-DD.md` instead of pasting long command output.
242
+ - Separate user-facing workflow changes from internal script/refactoring changes.
243
+ - Mark unavailable or unverified host tools honestly.
244
+ - Keep true fresh-session acceptance separate from fresh-session readiness.
245
+
246
+ ## Install Or Update Handoff
247
+
248
+ For a local handoff, provide:
249
+
250
+ - Skill path: `<install-skill-dir>` or the target install path.
251
+ - Release label or date.
252
+ - Validation command and latest result.
253
+ - Evidence log path.
254
+ - Known residual risks.
255
+ - Next slice from `.gse/current-slice.md`.
256
+
257
+ For project-local GSE updates or release-readiness changes, use `assets/templates/update-release-acceptance-record.md` to preserve local decisions, changed files, commands run, rollback notes, owner gate, accepted-by status, and residual risks.
258
+
259
+ If copying GSE to another machine or host, run validation after copy and record the result in that environment. Host-specific capabilities remain `unknown` until checked there.
260
+
261
+ ## Rollback
262
+
263
+ For low-risk GSE documentation/script changes, rollback is file-level revert of the touched artifacts plus re-running `validate-gse.mjs`.
264
+
265
+ For scaffold, generator, or template changes that may affect downstream projects, also record:
266
+
267
+ - Which generated files or adapters may need regeneration.
268
+ - Whether existing project `.gse/` folders are compatible.
269
+ - Whether host adapters need manual review.
270
+
271
+ ## Readiness Status
272
+
273
+ - `result`: packaging notes or release artifacts exist.
274
+ - `verified`: `validate-gse.mjs` passes and release notes identify residual risks.
275
+ - `accepted`: required owner, fresh-session, release policy, or distribution gate accepts the release.
276
+
277
+ Do not call a release accepted only because local validation passed unless the current release policy explicitly says local validation is sufficient.