@t275005746/gse 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -0
- package/.github/ISSUE_TEMPLATE/change_request.yml +50 -0
- package/.github/ISSUE_TEMPLATE/config.yml +5 -0
- package/.github/PULL_REQUEST_TEMPLATE.md +38 -0
- package/.github/workflows/validate-gse.yml +33 -0
- package/.gse/README.md +18 -0
- package/.gse/gse-development-protocol.md +50 -0
- package/.gse/project-profile.md +29 -0
- package/.gse/quality-gates.md +25 -0
- package/.gse/releases/public-channel-publication-pending.md +49 -0
- package/.gse/releases/public-ci-run-pending.md +53 -0
- package/.gse/releases/public-release-owner-required.md +65 -0
- package/.gse/releases/public-repository-settings-owner-required.md +59 -0
- package/.gse/releases/public-security-contact-owner-required.md +45 -0
- package/.gse/state.json +27 -0
- package/CHANGELOG.md +24 -0
- package/CONTRIBUTING.md +64 -0
- package/LICENSE +21 -0
- package/README.md +236 -0
- package/README.zh-CN.md +236 -0
- package/SECURITY.md +41 -0
- package/SKILL.md +148 -0
- package/SUPPORT.md +38 -0
- package/agents/openai.yaml +4 -0
- package/assets/marketplace/README.md +7 -0
- package/assets/marketplace/gse-listing.json +75 -0
- package/assets/templates/acceptance-execution-packet.md +73 -0
- package/assets/templates/adr.md +14 -0
- package/assets/templates/change-brief.md +16 -0
- package/assets/templates/design.md +18 -0
- package/assets/templates/dispatch-packet.md +104 -0
- package/assets/templates/evidence.md +14 -0
- package/assets/templates/execution-quality-pack.md +65 -0
- package/assets/templates/goal-map.md +21 -0
- package/assets/templates/host-adapter.md +48 -0
- package/assets/templates/host-ui-invocation-record.md +42 -0
- package/assets/templates/incident-review.md +60 -0
- package/assets/templates/public-channel-publication-record.md +49 -0
- package/assets/templates/public-ci-run-record.md +53 -0
- package/assets/templates/public-release-record.md +65 -0
- package/assets/templates/public-repository-settings-record.md +59 -0
- package/assets/templates/public-security-contact-record.md +45 -0
- package/assets/templates/release-trust-record.md +32 -0
- package/assets/templates/review.md +18 -0
- package/assets/templates/spec.md +16 -0
- package/assets/templates/target-adoption-evidence.md +29 -0
- package/assets/templates/tasks.md +17 -0
- package/assets/templates/update-release-acceptance-record.md +58 -0
- package/examples/README.md +22 -0
- package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -0
- package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -0
- package/examples/agent-runtime-host/.gse/goal-map.md +7 -0
- package/examples/agent-runtime-host/.gse/project-profile.md +27 -0
- package/examples/agent-runtime-host/.gse/tooling.md +5 -0
- package/examples/agent-runtime-host/.mcp.json +9 -0
- package/examples/agent-runtime-host/AGENTS.md +5 -0
- package/examples/agent-runtime-host/README.md +10 -0
- package/examples/agent-runtime-host/docs/model-routing.md +5 -0
- package/examples/cli-tool/.gse/project-profile.md +21 -0
- package/examples/cli-tool/AGENTS.md +5 -0
- package/examples/cli-tool/README.md +12 -0
- package/examples/cli-tool/package.json +21 -0
- package/examples/small-app/.env.example +2 -0
- package/examples/small-app/.github/workflows/ci.yml +8 -0
- package/examples/small-app/AGENTS.md +5 -0
- package/examples/small-app/README.md +12 -0
- package/examples/small-app/package.json +26 -0
- package/examples/small-app/playwright.config.ts +4 -0
- package/package.json +53 -0
- package/references/adoption-recipes.md +171 -0
- package/references/agent-roles.md +49 -0
- package/references/architecture-health.md +101 -0
- package/references/benchmark-audit.md +73 -0
- package/references/commands.md +295 -0
- package/references/community-channels.md +46 -0
- package/references/compatibility.md +70 -0
- package/references/design-basis.md +38 -0
- package/references/domain-model.md +129 -0
- package/references/domain-quality-gates.md +75 -0
- package/references/drift-audit.md +81 -0
- package/references/evidence-taxonomy.md +123 -0
- package/references/file-ownership.md +107 -0
- package/references/final-readiness.md +84 -0
- package/references/forward-test.md +133 -0
- package/references/goal-map.md +36 -0
- package/references/host-adapters.md +119 -0
- package/references/learning-system.md +35 -0
- package/references/marketplace-discovery.md +46 -0
- package/references/model-routing.md +103 -0
- package/references/open-source-defaults.md +39 -0
- package/references/operating-model.md +52 -0
- package/references/packaging.md +277 -0
- package/references/project-agent-workspace.md +89 -0
- package/references/project-bootstrap.md +122 -0
- package/references/project-profile.md +57 -0
- package/references/public-release.md +174 -0
- package/references/quality-gates.md +100 -0
- package/references/recovery.md +176 -0
- package/references/release-trust.md +43 -0
- package/references/release.md +126 -0
- package/references/review.md +141 -0
- package/references/router.md +90 -0
- package/references/spec-workflow.md +66 -0
- package/references/task-levels.md +81 -0
- package/references/tool-adapters.md +73 -0
- package/scripts/audit-acceptance-execution-packet.mjs +133 -0
- package/scripts/audit-adoption-recipes.mjs +99 -0
- package/scripts/audit-adoption.mjs +154 -0
- package/scripts/audit-change-lifecycle.mjs +77 -0
- package/scripts/audit-change-system.mjs +134 -0
- package/scripts/audit-ci-readiness.mjs +107 -0
- package/scripts/audit-close-gate.mjs +323 -0
- package/scripts/audit-command-adapters.mjs +91 -0
- package/scripts/audit-command-execution.mjs +210 -0
- package/scripts/audit-commands.mjs +117 -0
- package/scripts/audit-compatibility.mjs +149 -0
- package/scripts/audit-completion-readiness.mjs +292 -0
- package/scripts/audit-distribution.mjs +251 -0
- package/scripts/audit-domain-quality-gates.mjs +108 -0
- package/scripts/audit-evidence-placeholders.mjs +126 -0
- package/scripts/audit-final-acceptance-packet.mjs +148 -0
- package/scripts/audit-final-form-progress-report.mjs +161 -0
- package/scripts/audit-final-form-stale-copy.mjs +221 -0
- package/scripts/audit-final-readiness-promotion.mjs +255 -0
- package/scripts/audit-final-readiness.mjs +226 -0
- package/scripts/audit-fixtures.mjs +154 -0
- package/scripts/audit-fresh-session-readiness.mjs +177 -0
- package/scripts/audit-gse.mjs +275 -0
- package/scripts/audit-host-adapters.mjs +119 -0
- package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -0
- package/scripts/audit-host-runtime-invocation-drill.mjs +240 -0
- package/scripts/audit-host-runtime-invocations.mjs +254 -0
- package/scripts/audit-host-ui-invocation.mjs +132 -0
- package/scripts/audit-learning-system.mjs +103 -0
- package/scripts/audit-local-final-form-completion.mjs +131 -0
- package/scripts/audit-marketplace-discovery.mjs +122 -0
- package/scripts/audit-npm-package-metadata.mjs +155 -0
- package/scripts/audit-npm-publish-dry-run.mjs +169 -0
- package/scripts/audit-npm-tarball-install.mjs +191 -0
- package/scripts/audit-open-source-defaults.mjs +92 -0
- package/scripts/audit-open-source-readiness.mjs +97 -0
- package/scripts/audit-owner-external-gate-kit.mjs +218 -0
- package/scripts/audit-project.mjs +323 -0
- package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -0
- package/scripts/audit-public-acceptance-handoff.mjs +142 -0
- package/scripts/audit-public-acceptance-readiness.mjs +224 -0
- package/scripts/audit-public-channel-publication.mjs +248 -0
- package/scripts/audit-public-ci-run.mjs +184 -0
- package/scripts/audit-public-collaboration-templates.mjs +98 -0
- package/scripts/audit-public-external-gate-probe.mjs +206 -0
- package/scripts/audit-public-release-checklist.mjs +133 -0
- package/scripts/audit-public-release-decision.mjs +201 -0
- package/scripts/audit-public-release-metadata.mjs +176 -0
- package/scripts/audit-public-repository-settings.mjs +237 -0
- package/scripts/audit-public-security-contact.mjs +171 -0
- package/scripts/audit-readme-docs.mjs +185 -0
- package/scripts/audit-recovery-readiness.mjs +98 -0
- package/scripts/audit-release-bundle.mjs +251 -0
- package/scripts/audit-release-owner-action-plan-drill.mjs +277 -0
- package/scripts/audit-release-owner-action-plan.mjs +164 -0
- package/scripts/audit-release-readiness.mjs +106 -0
- package/scripts/audit-release-status-manifest.mjs +165 -0
- package/scripts/audit-release-trust.mjs +62 -0
- package/scripts/audit-remote-distribution.mjs +266 -0
- package/scripts/audit-roadmap-consistency.mjs +235 -0
- package/scripts/audit-signing.mjs +147 -0
- package/scripts/audit-state-freshness.mjs +113 -0
- package/scripts/audit-target-adoption-evidence.mjs +117 -0
- package/scripts/audit-target-project.mjs +507 -0
- package/scripts/audit-update-release-acceptance.mjs +136 -0
- package/scripts/audit-v1-target-validation.mjs +269 -0
- package/scripts/audit-validation-profiles.mjs +125 -0
- package/scripts/close-change.mjs +116 -0
- package/scripts/discover-project-profile.mjs +307 -0
- package/scripts/forward-test-gse.mjs +146 -0
- package/scripts/generate-command-adapter.mjs +231 -0
- package/scripts/generate-final-acceptance-packet.mjs +181 -0
- package/scripts/generate-final-form-progress-report.mjs +205 -0
- package/scripts/generate-host-adapter.mjs +73 -0
- package/scripts/generate-host-runtime-evidence-handoff.mjs +206 -0
- package/scripts/generate-owner-external-gate-kit.mjs +295 -0
- package/scripts/generate-public-acceptance-handoff.mjs +168 -0
- package/scripts/generate-public-release-checklist.mjs +207 -0
- package/scripts/generate-release-bundle.mjs +505 -0
- package/scripts/generate-release-owner-action-plan.mjs +172 -0
- package/scripts/generate-release-status-manifest.mjs +200 -0
- package/scripts/generate-session-prompt.mjs +188 -0
- package/scripts/gse.mjs +67 -0
- package/scripts/init-change.mjs +265 -0
- package/scripts/init-project.mjs +785 -0
- package/scripts/install-gse.mjs +234 -0
- package/scripts/lib/evidence-placeholders.mjs +28 -0
- package/scripts/package-gse.mjs +174 -0
- package/scripts/probe-public-external-gates.mjs +167 -0
- package/scripts/record-host-invocation.mjs +151 -0
- package/scripts/record-learning.mjs +137 -0
- package/scripts/record-public-channel-publication.mjs +178 -0
- package/scripts/record-public-ci-run.mjs +180 -0
- package/scripts/record-public-release.mjs +175 -0
- package/scripts/record-public-repository-settings.mjs +209 -0
- package/scripts/record-public-security-contact.mjs +157 -0
- package/scripts/run-gse-command.mjs +538 -0
- package/scripts/run-validation-profile.mjs +146 -0
- package/scripts/sign-gse-package.mjs +83 -0
- package/scripts/update-project-state.mjs +223 -0
- package/scripts/validate-gse.mjs +1168 -0
- package/scripts/verify-gse-package.mjs +85 -0
|
@@ -0,0 +1,89 @@
|
|
|
1
|
+
# Project Agent Workspace
|
|
2
|
+
|
|
3
|
+
Use this when the user asks whether GSE can create a project-local directory for agent workflow files, hooks, skills, roles, LSP notes, MCP notes, plugins, and tool adapters.
|
|
4
|
+
|
|
5
|
+
## Design Rule
|
|
6
|
+
|
|
7
|
+
GSE owns `.gse/` as the portable layer. Tool-specific folders are adapters, not the source of truth.
|
|
8
|
+
|
|
9
|
+
```text
|
|
10
|
+
project-root/
|
|
11
|
+
.gse/
|
|
12
|
+
README.md
|
|
13
|
+
goal-map.md
|
|
14
|
+
quality-gates.md
|
|
15
|
+
tooling.md
|
|
16
|
+
learnings.md
|
|
17
|
+
agent-workspace.md
|
|
18
|
+
agents/
|
|
19
|
+
roles.md
|
|
20
|
+
dispatch.md
|
|
21
|
+
hooks/
|
|
22
|
+
README.md
|
|
23
|
+
skills/
|
|
24
|
+
README.md
|
|
25
|
+
mcp/
|
|
26
|
+
README.md
|
|
27
|
+
lsp/
|
|
28
|
+
README.md
|
|
29
|
+
plugins/
|
|
30
|
+
README.md
|
|
31
|
+
changes/
|
|
32
|
+
evidence/
|
|
33
|
+
templates/
|
|
34
|
+
```
|
|
35
|
+
|
|
36
|
+
## Why `.gse/` Instead of `.claude/` or `.codex/`
|
|
37
|
+
|
|
38
|
+
- `.claude/`, `.codex/`, `.agents/`, and product-specific runtime folders can be useful, but they bind the project to one host.
|
|
39
|
+
- `.gse/` is the neutral contract any agent can read.
|
|
40
|
+
- Adapters may mirror or link from `.gse/`, but durable workflow decisions should remain in `.gse/`.
|
|
41
|
+
|
|
42
|
+
## Directory Responsibilities
|
|
43
|
+
|
|
44
|
+
| Path | Purpose | Required |
|
|
45
|
+
|---|---|---|
|
|
46
|
+
| `.gse/goal-map.md` | Current goals, priorities, risks, next slice | yes |
|
|
47
|
+
| `.gse/quality-gates.md` | Verification and release gates | yes |
|
|
48
|
+
| `.gse/tooling.md` | Available tools and optional adapters | yes |
|
|
49
|
+
| `.gse/agent-workspace.md` | Map of local agent folders and host adapters | standard+ |
|
|
50
|
+
| `.gse/agents/roles.md` | Role definitions and boundaries | standard+ |
|
|
51
|
+
| `.gse/agents/dispatch.md` | How to delegate work when subagents exist | standard+ |
|
|
52
|
+
| `.gse/hooks/README.md` | Hook ideas and host-specific hook mapping | enterprise |
|
|
53
|
+
| `.gse/skills/README.md` | Project-local skill inventory and install notes | standard+ |
|
|
54
|
+
| `.gse/mcp/README.md` | MCP servers, permissions, and setup notes | enterprise |
|
|
55
|
+
| `.gse/lsp/README.md` | Indexing/LSP commands and symbol navigation notes | standard+ |
|
|
56
|
+
| `.gse/plugins/README.md` | Optional plugins and runtime adapters | enterprise |
|
|
57
|
+
|
|
58
|
+
## Host Adapter Pattern
|
|
59
|
+
|
|
60
|
+
Use adapters only when the host supports them:
|
|
61
|
+
|
|
62
|
+
- Codex: `.codex/`, Codex skills, MCP config, available subagent tools.
|
|
63
|
+
- Claude Code: `.claude/`, commands, hooks, agents, MCP config.
|
|
64
|
+
- Hermes or AION-like runtimes: runtime skills, worker adapters, memory, tool substrate.
|
|
65
|
+
- WorkBuddy or other hosts: local docs, commands, MCP, index, and automation conventions.
|
|
66
|
+
|
|
67
|
+
When an adapter is needed, write a short pointer from the host folder back to `.gse/` rather than duplicating the whole process.
|
|
68
|
+
|
|
69
|
+
## Lessons Borrowed From Skill Repositories
|
|
70
|
+
|
|
71
|
+
Verified local observations from `mattpocock/skills` snapshot:
|
|
72
|
+
|
|
73
|
+
- Skills are organized by bucket, such as `engineering/` and `productivity/`.
|
|
74
|
+
- It has a setup skill that configures per-repo assumptions before other skills rely on them.
|
|
75
|
+
- It uses project docs such as `CONTEXT.md`, ADRs, issue tracker config, and a router skill.
|
|
76
|
+
- It distinguishes user-invoked and model-invoked skills.
|
|
77
|
+
|
|
78
|
+
GSE adopts the same principles at a workflow level: setup first, local context first, small composable roles, and a router-like goal map. GSE does not copy its Claude-specific plugin layout as a hard requirement.
|
|
79
|
+
|
|
80
|
+
## Missing Areas To Keep Tracking
|
|
81
|
+
|
|
82
|
+
- Secrets and permission boundaries for MCP/tools.
|
|
83
|
+
- Cross-agent lock files or ownership rules for concurrent edits.
|
|
84
|
+
- CI integration for quality gates.
|
|
85
|
+
- Release and rollback playbooks.
|
|
86
|
+
- Observability for long-running agent work: traces, cost, failed commands, retries.
|
|
87
|
+
- Prompt/context budgets and compaction handoff format.
|
|
88
|
+
- Drift audits for stale local skills, hooks, or generated docs.
|
|
89
|
+
|
|
@@ -0,0 +1,122 @@
|
|
|
1
|
+
# Project Bootstrap
|
|
2
|
+
|
|
3
|
+
Use this when initializing GSE in a project.
|
|
4
|
+
|
|
5
|
+
Use `references/adoption-recipes.md` when choosing between fresh install, existing repo adoption, GSE update, or host adapter adoption paths.
|
|
6
|
+
|
|
7
|
+
## Modes
|
|
8
|
+
|
|
9
|
+
- `auto`: default mode; chooses a scaffold from project files, scripts, CI, host folders, and runtime/tooling signals.
|
|
10
|
+
- `lite`: minimal workflow files for small tasks or small projects.
|
|
11
|
+
- `standard`: adds project-local agent workspace files for durable agent-assisted development.
|
|
12
|
+
- `enterprise`: adds hooks, MCP, plugins, release, incident, and audit placeholders for large or long-running projects.
|
|
13
|
+
|
|
14
|
+
## Minimal `.gse/` Files
|
|
15
|
+
|
|
16
|
+
```text
|
|
17
|
+
.gse/
|
|
18
|
+
README.md
|
|
19
|
+
state.json
|
|
20
|
+
project-profile.md
|
|
21
|
+
goal-map.md
|
|
22
|
+
goals/
|
|
23
|
+
README.md
|
|
24
|
+
quality-gates.md
|
|
25
|
+
tooling.md
|
|
26
|
+
learnings.md
|
|
27
|
+
changes/
|
|
28
|
+
evidence/
|
|
29
|
+
index.jsonl
|
|
30
|
+
templates/
|
|
31
|
+
```
|
|
32
|
+
|
|
33
|
+
## Standard Agent Workspace Files
|
|
34
|
+
|
|
35
|
+
See `project-agent-workspace.md` for responsibilities.
|
|
36
|
+
|
|
37
|
+
```text
|
|
38
|
+
.gse/
|
|
39
|
+
agent-workspace.md
|
|
40
|
+
agents/
|
|
41
|
+
roles.md
|
|
42
|
+
dispatch.md
|
|
43
|
+
skills/
|
|
44
|
+
README.md
|
|
45
|
+
lsp/
|
|
46
|
+
README.md
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
## Enterprise Files
|
|
50
|
+
|
|
51
|
+
```text
|
|
52
|
+
.gse/
|
|
53
|
+
hooks/README.md
|
|
54
|
+
mcp/README.md
|
|
55
|
+
plugins/README.md
|
|
56
|
+
release.md
|
|
57
|
+
incident-review.md
|
|
58
|
+
audit.md
|
|
59
|
+
```
|
|
60
|
+
|
|
61
|
+
## Host Adapter Files
|
|
62
|
+
|
|
63
|
+
When `enterprise` mode is selected and host folders already exist, `init-project.mjs` can add thin adapters such as:
|
|
64
|
+
|
|
65
|
+
```text
|
|
66
|
+
.codex/gse-adapter.md
|
|
67
|
+
.claude/gse-adapter.md
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
These files point back to `.gse/` and must not duplicate the portable goal map, quality gates, or evidence log.
|
|
71
|
+
|
|
72
|
+
For new host command/pointer adapters, prefer:
|
|
73
|
+
|
|
74
|
+
```bash
|
|
75
|
+
node <skill-dir>/scripts/generate-command-adapter.mjs --target <project-root> --host claude|codex|hermes|workbuddy|copilot|gemini|generic|all
|
|
76
|
+
```
|
|
77
|
+
|
|
78
|
+
The older `.codex/gse-adapter.md` and `.claude/gse-adapter.md` files remain compatibility pointers for existing scaffold and fixture coverage.
|
|
79
|
+
|
|
80
|
+
## Recommended Command
|
|
81
|
+
|
|
82
|
+
```bash
|
|
83
|
+
node <skill-dir>/scripts/init-project.mjs --target <project-root>
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
This uses `--mode auto`. Pass `--mode lite`, `--mode standard`, or `--mode enterprise` when the project owner wants a specific scaffold.
|
|
87
|
+
|
|
88
|
+
The script should not overwrite existing files unless `--force` is passed.
|
|
89
|
+
|
|
90
|
+
## Bootstrap Smoke
|
|
91
|
+
|
|
92
|
+
Use this after changing scaffold behavior or before trusting a packaged GSE skill:
|
|
93
|
+
|
|
94
|
+
```bash
|
|
95
|
+
node <skill-dir>/scripts/audit-project.mjs --root <skill-dir>
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
This verifies `lite`, `standard`, `enterprise`, and representative `auto` scaffold selection in temporary directories and checks rerun safety. It does not certify arbitrary real repositories, package installs, CI, or fresh-session acceptance.
|
|
99
|
+
|
|
100
|
+
## AGENTS.md Integration
|
|
101
|
+
|
|
102
|
+
Add a short project rule only with explicit approval:
|
|
103
|
+
|
|
104
|
+
```markdown
|
|
105
|
+
## GSE Workflow
|
|
106
|
+
|
|
107
|
+
This project follows GSE (Goal-Spec-Evidence Engineering). Start meaningful work by reading `.gse/README.md`, bind non-trivial tasks to `.gse/goal-map.md`, and finish with evidence in `.gse/evidence/` or the project-specific evidence log.
|
|
108
|
+
```
|
|
109
|
+
|
|
110
|
+
## Bootstrap Acceptance
|
|
111
|
+
|
|
112
|
+
- `.gse/README.md` exists.
|
|
113
|
+
- `.gse/state.json` exists and records mode, phase, current slice status, tool statuses, last evidence, and residual risks.
|
|
114
|
+
- `.gse/project-profile.md` exists and can capture project-specific standards, commands, tools, and permissions.
|
|
115
|
+
- Goal map has a North Star and Current Focus section.
|
|
116
|
+
- `.gse/evidence/index.jsonl` exists and contains at least one machine-readable adoption or slice record.
|
|
117
|
+
- `.gse/goals/README.md` exists so large projects can place module-level goal details outside the root goal map.
|
|
118
|
+
- Quality gates list at least universal, code, UI, release, and learning gates.
|
|
119
|
+
- Tooling file records available and optional tools.
|
|
120
|
+
- Standard mode records project-local agent workspace files.
|
|
121
|
+
- Enterprise mode records hooks, MCP, plugins, release, incident, and audit placeholders.
|
|
122
|
+
- Enterprise auto mode writes compatibility host adapter files for existing `.codex/` or `.claude/` folders; command adapters for broader hosts use `generate-command-adapter.mjs`.
|
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
# Project Profile
|
|
2
|
+
|
|
3
|
+
Use this when a project has its own development standards, commands, tool connections, CI, MCP servers, LSP/index setup, release process, security rules, or agent-host conventions.
|
|
4
|
+
|
|
5
|
+
## Principle
|
|
6
|
+
|
|
7
|
+
Project-local rules override generic GSE defaults. GSE should adapt to the project, not flatten the project into a generic workflow.
|
|
8
|
+
|
|
9
|
+
## Discovery Order
|
|
10
|
+
|
|
11
|
+
Read only what is relevant to the task and risk level:
|
|
12
|
+
|
|
13
|
+
1. Agent rules: `AGENTS.md`, `CLAUDE.md`, `GEMINI.md`, `.cursorrules`, `.windsurfrules`, or host equivalents.
|
|
14
|
+
2. Project docs: README, CONTRIBUTING, CODING_STANDARDS, architecture docs, ADRs, `CONTEXT.md`.
|
|
15
|
+
3. Commands and scripts: `package.json`, `Makefile`, task runners, CI workflows, test config.
|
|
16
|
+
4. Tooling connections: MCP config, browser/Playwright config, LSP/index config, deployment config, observability config.
|
|
17
|
+
5. Secrets and permissions: `.env.example`, secret docs, write-capable tools, destructive commands.
|
|
18
|
+
6. Existing GSE files: `.gse/project-profile.md`, `.gse/tooling.md`, `.gse/quality-gates.md`.
|
|
19
|
+
|
|
20
|
+
Avoid reading generated output, large logs, lockfiles, caches, screenshots, or archives unless the current task needs them.
|
|
21
|
+
|
|
22
|
+
## What To Capture
|
|
23
|
+
|
|
24
|
+
Keep `.gse/project-profile.md` short and factual:
|
|
25
|
+
|
|
26
|
+
- Product or system identity.
|
|
27
|
+
- Repository type and main languages/frameworks.
|
|
28
|
+
- Development commands and focused verification commands.
|
|
29
|
+
- Coding standards and formatting rules.
|
|
30
|
+
- Testing strategy and required gates.
|
|
31
|
+
- Tool connections: MCP, LSP/index, browser automation, CI, deploy, observability.
|
|
32
|
+
- Model routing: project-approved providers, model/tool ids, capability fit, cost/latency expectations, privacy limits, and fallback policy.
|
|
33
|
+
- Agent host adapters: Codex, Claude Code, Hermes/AION-style runtime, WorkBuddy, or other hosts; use `references/compatibility.md` for support status labels.
|
|
34
|
+
- Security and permission boundaries.
|
|
35
|
+
- Release and rollback expectations.
|
|
36
|
+
- Known gotchas.
|
|
37
|
+
|
|
38
|
+
## Conflict Rules
|
|
39
|
+
|
|
40
|
+
- User instruction in the current conversation wins.
|
|
41
|
+
- Project rules beat GSE generic defaults.
|
|
42
|
+
- More specific docs beat broad docs when they clearly apply to the current subsystem.
|
|
43
|
+
- If two project rules conflict, surface the conflict before editing.
|
|
44
|
+
- Never invent tool availability. Mark unverified connections as `unknown` until tested or documented.
|
|
45
|
+
|
|
46
|
+
## Refresh Triggers
|
|
47
|
+
|
|
48
|
+
Use `references/drift-audit.md` when current project facts may have diverged from recorded profile, tooling, host, release, or permission assumptions.
|
|
49
|
+
|
|
50
|
+
Refresh `.gse/project-profile.md` when:
|
|
51
|
+
|
|
52
|
+
- The user says a tool/config/standard exists but GSE cannot see it.
|
|
53
|
+
- A command fails because the wrong package manager, shell, or service was assumed.
|
|
54
|
+
- CI/test/deploy config changes.
|
|
55
|
+
- New MCP, LSP, browser, worker, model, or plugin connections are added.
|
|
56
|
+
- A recurring issue appears in evidence or incident reviews.
|
|
57
|
+
|
|
@@ -0,0 +1,174 @@
|
|
|
1
|
+
# Public Release Metadata
|
|
2
|
+
|
|
3
|
+
Use this gate when GSE, a project-local GSE scaffold, or a GSE-derived package is prepared for public GitHub, marketplace, catalog, registry, or external handoff.
|
|
4
|
+
|
|
5
|
+
Public release metadata is not a substitute for legal review, maintainer approval, CI, or marketplace approval. It makes the release state auditable so agents do not claim public readiness from local tests alone.
|
|
6
|
+
|
|
7
|
+
## Required Metadata
|
|
8
|
+
|
|
9
|
+
Before a public release can be called accepted, record:
|
|
10
|
+
|
|
11
|
+
- Release name or version.
|
|
12
|
+
- Release date or intended release window.
|
|
13
|
+
- Distribution channel: GitHub repository, package registry, marketplace/catalog, internal handoff, or direct archive.
|
|
14
|
+
- License decision: license identifier, license file path, and who approved it.
|
|
15
|
+
- Changelog or release notes path.
|
|
16
|
+
- Install/update instructions path.
|
|
17
|
+
- Verification commands and latest result.
|
|
18
|
+
- Signing or integrity policy.
|
|
19
|
+
- Public CI run: public workflow run URL, commit SHA, required checks, result, and acceptance evidence.
|
|
20
|
+
- Public security contact: owner-approved disclosure path and policy update evidence.
|
|
21
|
+
- Public repository settings: issues, PRs, security policy visibility, branch protection, and required checks.
|
|
22
|
+
- Public channel publication: registry package, GitHub release, marketplace, or catalog evidence when any public channel is claimed.
|
|
23
|
+
- Community/support channel: optional maintainer support, sponsorship, affiliate, or related-service link, if owner-approved.
|
|
24
|
+
- Known risks and unsupported claims.
|
|
25
|
+
- Owner acceptance or explicit reason acceptance is still pending.
|
|
26
|
+
|
|
27
|
+
## License Decision
|
|
28
|
+
|
|
29
|
+
GSE must not choose a license by guessing. If the project has no approved license, record `owner-required` and keep public release acceptance pending.
|
|
30
|
+
|
|
31
|
+
For the GSE skill itself, the owner-approved mainstream open-source default is MIT. See `references/open-source-defaults.md`. This default does not imply public repository, CI, registry, marketplace, or host runtime acceptance until those external records exist.
|
|
32
|
+
|
|
33
|
+
Minimum license record:
|
|
34
|
+
|
|
35
|
+
```text
|
|
36
|
+
License status: owner-required | selected | not-public
|
|
37
|
+
SPDX identifier:
|
|
38
|
+
License file:
|
|
39
|
+
Approved by:
|
|
40
|
+
Decision date:
|
|
41
|
+
Notes:
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
Use `assets/templates/public-release-record.md` when a release needs a compact owner-facing decision record.
|
|
45
|
+
|
|
46
|
+
Use `scripts/record-public-release.mjs` to create a project-local record without hand-editing the template:
|
|
47
|
+
|
|
48
|
+
```bash
|
|
49
|
+
node <skill>/scripts/record-public-release.mjs --root <skill-or-project> --license-status owner-required --json
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
For `--license-status selected`, the command requires `--spdx`, `--license-file`, `--approved-by`, `--decision-date`, and `--evidence-status accepted`. This keeps license acceptance from being implied by a partially filled record.
|
|
53
|
+
|
|
54
|
+
For `--license-status not-public`, the command requires `--approved-by` and `--decision-date`. Use this when the owner explicitly decides the package is not approved for public open-source release yet.
|
|
55
|
+
|
|
56
|
+
Run `scripts/audit-public-release-decision.mjs --root <skill-or-project>` to verify that the owner-required, selected-license, and not-public decision paths behave correctly. The audit uses a temporary fixture for selected-license success and does not choose a license for the real project.
|
|
57
|
+
|
|
58
|
+
## Public Release Checklist
|
|
59
|
+
|
|
60
|
+
Use the generated checklist when the owner needs the public-release work in execution order instead of grouped by responsibility:
|
|
61
|
+
|
|
62
|
+
```bash
|
|
63
|
+
node <skill>/scripts/generate-public-release-checklist.mjs --root <skill-or-project> --force --json
|
|
64
|
+
node <skill>/scripts/audit-public-release-checklist.mjs --root <skill-or-project> --json
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
The checklist is a runway, not an acceptance record. It keeps the order explicit: release bundle, public repository settings, security contact, public CI, registry publication, marketplace listing, native slash-command evidence, other host runtime evidence, then final readiness audits.
|
|
68
|
+
|
|
69
|
+
## Public CI Run
|
|
70
|
+
|
|
71
|
+
Local CI workflow files are not proof that public CI has run. If GSE is claimed to have public CI evidence, record the real public workflow run.
|
|
72
|
+
|
|
73
|
+
Use `assets/templates/public-ci-run-record.md` for a compact record, or generate one with:
|
|
74
|
+
|
|
75
|
+
```bash
|
|
76
|
+
node <skill>/scripts/record-public-ci-run.mjs --root <skill-or-project> --run-status pending --json
|
|
77
|
+
```
|
|
78
|
+
|
|
79
|
+
For `--run-status accepted`, the command requires repository URL, workflow name, workflow file, run URL, commit SHA, branch, required checks, evidence owner, evidence date, evidence URL or run id, `--run-conclusion success`, `--evidence-status accepted`, `--accepted-by`, `--accepted-at`, `--proves-public-ci-run true`, and `--proves-required-checks true`.
|
|
80
|
+
|
|
81
|
+
Run `scripts/audit-public-ci-run.mjs --root <skill-or-project>` to verify pending and accepted CI run record mechanics. The audit uses temporary fixture evidence and does not run GitHub Actions.
|
|
82
|
+
|
|
83
|
+
## Public Security Contact
|
|
84
|
+
|
|
85
|
+
GSE must not invent a public vulnerability disclosure address. If the owner has not approved a public security contact, keep the contact status pending and do not claim public release acceptance.
|
|
86
|
+
|
|
87
|
+
Use `assets/templates/public-security-contact-record.md` for a compact record, or generate one with:
|
|
88
|
+
|
|
89
|
+
```bash
|
|
90
|
+
node <skill>/scripts/record-public-security-contact.mjs --root <skill-or-project> --contact-status pending --json
|
|
91
|
+
```
|
|
92
|
+
|
|
93
|
+
For `--contact-status accepted`, the command requires a public contact type and value, owner evidence, evidence date, evidence URL or run id, `--is-public true`, `--security-policy-updated true`, `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
|
|
94
|
+
|
|
95
|
+
Run `scripts/audit-public-security-contact.mjs --root <skill-or-project>` to verify pending and accepted record mechanics. The audit uses temporary fixture evidence and does not create a real public security contact.
|
|
96
|
+
|
|
97
|
+
## Public Repository Settings
|
|
98
|
+
|
|
99
|
+
Public repository settings are external evidence. Local files can define the required shape, but they do not prove that a public GitHub repository has issues, pull requests, security policy visibility, branch protection, or required checks configured.
|
|
100
|
+
|
|
101
|
+
Use `assets/templates/public-repository-settings-record.md` for a compact record, or generate one with:
|
|
102
|
+
|
|
103
|
+
```bash
|
|
104
|
+
node <skill>/scripts/record-public-repository-settings.mjs --root <skill-or-project> --settings-status pending --json
|
|
105
|
+
```
|
|
106
|
+
|
|
107
|
+
For `--settings-status verified`, the command requires a public repository URL, evidence owner, evidence date, evidence URL or run id, enabled issues/PRs/security policy, branch protection, required status checks, review-before-merge, conversation resolution, force-push restriction, deletion restriction, and required check names.
|
|
108
|
+
|
|
109
|
+
For `--settings-status accepted`, the command also requires `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
|
|
110
|
+
|
|
111
|
+
Run `scripts/audit-public-repository-settings.mjs --root <skill-or-project>` to verify the pending, verified, and accepted record mechanics. The audit uses temporary fixture evidence and does not configure a real public repository.
|
|
112
|
+
|
|
113
|
+
## Public Channel Publication
|
|
114
|
+
|
|
115
|
+
Discovery metadata, local packages, release bundles, and URL-install smokes are not public publication. If GSE is claimed to be published through a registry, marketplace, catalog, or GitHub release, record the real channel evidence.
|
|
116
|
+
|
|
117
|
+
Use `assets/templates/public-channel-publication-record.md` for a compact record, or generate one with:
|
|
118
|
+
|
|
119
|
+
```bash
|
|
120
|
+
node <skill>/scripts/record-public-channel-publication.mjs --root <skill-or-project> --publication-status pending --json
|
|
121
|
+
```
|
|
122
|
+
|
|
123
|
+
For `--publication-status accepted`, the command requires channel type, channel name, channel URL, version, owner evidence, evidence date, evidence URL or run id, review status `approved` or `published`, `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
|
|
124
|
+
|
|
125
|
+
For package registry claims, accepted evidence also requires `--artifact-digest` and `--proves-registry-publication true`. For marketplace or catalog claims, accepted evidence requires `--proves-marketplace-approval true`.
|
|
126
|
+
|
|
127
|
+
Run `scripts/audit-public-channel-publication.mjs --root <skill-or-project>` to verify pending, registry-publication, and marketplace-approval record mechanics. The audit uses temporary fixture evidence and does not publish to a real channel.
|
|
128
|
+
|
|
129
|
+
## Community And Support Links
|
|
130
|
+
|
|
131
|
+
Community links are not release channels. They can help users find support or related maintainer services, but they do not prove registry publication, marketplace approval, public CI, security disclosure, or host runtime support.
|
|
132
|
+
|
|
133
|
+
For GSE, GateHub (`https://gatehub.top/`) is the current owner-candidate community/support link. Use `references/community-channels.md` before adding it to a public repository, release note, or listing.
|
|
134
|
+
|
|
135
|
+
## Changelog Policy
|
|
136
|
+
|
|
137
|
+
Use the project convention first. If none exists, keep a `CHANGELOG.md` with:
|
|
138
|
+
|
|
139
|
+
- user-facing changes,
|
|
140
|
+
- operator or maintainer changes,
|
|
141
|
+
- breaking changes,
|
|
142
|
+
- migration and rollback notes,
|
|
143
|
+
- verification evidence,
|
|
144
|
+
- known limits and unsupported claims.
|
|
145
|
+
|
|
146
|
+
Do not paste long command output, private reasoning, secrets, provider payloads, or screenshots into a changelog. Link to evidence files instead.
|
|
147
|
+
|
|
148
|
+
## Acceptance Levels
|
|
149
|
+
|
|
150
|
+
- `result`: metadata files exist but are not verified.
|
|
151
|
+
- `verified`: metadata files, scripts, changelog policy, and owner-decision placeholders are structurally checked.
|
|
152
|
+
- `accepted`: owner license decision, release channel, verification evidence, and required approvals are recorded.
|
|
153
|
+
|
|
154
|
+
Do not mark `accepted` when the release is only locally validated.
|
|
155
|
+
|
|
156
|
+
## Integration
|
|
157
|
+
|
|
158
|
+
- Use `references/open-source-defaults.md` for the mainstream public release preset.
|
|
159
|
+
- Use `references/community-channels.md` for optional maintainer support, sponsorship, affiliate, or related-service links.
|
|
160
|
+
- Run `scripts/audit-public-release-metadata.mjs --root <skill-or-project>` before public handoff.
|
|
161
|
+
- Run `scripts/audit-public-release-decision.mjs --root <skill-or-project>` before claiming release-decision mechanics are complete.
|
|
162
|
+
- Use `scripts/record-public-release.mjs --root <skill-or-project>` to write the release decision record.
|
|
163
|
+
- Run `scripts/audit-public-ci-run.mjs --root <skill-or-project>` before claiming public CI run record mechanics are complete.
|
|
164
|
+
- Use `scripts/record-public-ci-run.mjs --root <skill-or-project>` to write public CI run evidence.
|
|
165
|
+
- Run `scripts/audit-public-security-contact.mjs --root <skill-or-project>` before claiming security contact record mechanics are complete.
|
|
166
|
+
- Use `scripts/record-public-security-contact.mjs --root <skill-or-project>` to write the public security contact evidence record.
|
|
167
|
+
- Run `scripts/audit-public-repository-settings.mjs --root <skill-or-project>` before claiming repository settings record mechanics are complete.
|
|
168
|
+
- Use `scripts/record-public-repository-settings.mjs --root <skill-or-project>` to write the repository settings evidence record.
|
|
169
|
+
- Run `scripts/audit-public-channel-publication.mjs --root <skill-or-project>` before claiming public channel publication record mechanics are complete.
|
|
170
|
+
- Use `scripts/record-public-channel-publication.mjs --root <skill-or-project>` to write public registry, marketplace, catalog, or release publication evidence.
|
|
171
|
+
- Run `scripts/validate-gse.mjs --root <skill>` before publishing the GSE skill itself.
|
|
172
|
+
- Use `references/release.md` for release-level gates and rollback guidance.
|
|
173
|
+
- Use `references/release-trust.md` for signing, public key custody, and artifact trust.
|
|
174
|
+
- Use `references/marketplace-discovery.md` when preparing marketplace or catalog metadata.
|
|
@@ -0,0 +1,100 @@
|
|
|
1
|
+
# Quality Gates
|
|
2
|
+
|
|
3
|
+
Pick gates by task risk.
|
|
4
|
+
|
|
5
|
+
## Universal Gate
|
|
6
|
+
|
|
7
|
+
- Outcome matches request.
|
|
8
|
+
- Scope did not expand silently.
|
|
9
|
+
- Acceptance has evidence.
|
|
10
|
+
- Evidence status uses `evidence-taxonomy.md`: result, verified, or accepted.
|
|
11
|
+
- Do not claim `verified` or `accepted` when evidence only proves `result`.
|
|
12
|
+
- Dirty worktree contains only intended files; use `references/file-ownership.md` when ownership or pre-existing changes are unclear.
|
|
13
|
+
- Final answer states evidence and remaining risk.
|
|
14
|
+
- Use `references/recovery.md` when work is interrupted, verification fails, rollback/resume decisions are needed, or another agent/session must continue.
|
|
15
|
+
- Use `references/review.md` when task risk requires spec compliance, code quality, architecture drift, security/privacy, regression, or evidence review.
|
|
16
|
+
- Use `references/domain-quality-gates.md` when task risk involves security/privacy, performance/cost, accessibility, resilience/recovery, UI/browser, API/state, data/migration, model/tool routing, or release/operations concerns.
|
|
17
|
+
- Use `references/architecture-health.md` when the task touches structural boundaries, coupling, source-of-truth drift, ownership, dependency/security risk, performance/resilience, migration, or release impact.
|
|
18
|
+
- Use `references/forward-test.md` for non-trivial GSE skill, scaffold, router, role, adapter, release, recovery, or packaging changes.
|
|
19
|
+
|
|
20
|
+
## Code Gates
|
|
21
|
+
|
|
22
|
+
- Focused tests for changed behavior.
|
|
23
|
+
- Typecheck/lint/build when relevant.
|
|
24
|
+
- Regression test for bug fixes when feasible.
|
|
25
|
+
- No unrelated refactors.
|
|
26
|
+
|
|
27
|
+
## Gate Profiles
|
|
28
|
+
|
|
29
|
+
Use the lightest gate profile that proves the claim.
|
|
30
|
+
|
|
31
|
+
### Lite Gate
|
|
32
|
+
|
|
33
|
+
Use for docs, scripts, copy, narrow state labels, and low-risk local helpers.
|
|
34
|
+
|
|
35
|
+
- Required: one focused command, structural check, or explicit manual evidence.
|
|
36
|
+
- Optional: encoding check when docs changed.
|
|
37
|
+
- Avoid by default: full build, browser smoke, distribution audit, or close gate unless the change touches those surfaces.
|
|
38
|
+
|
|
39
|
+
### Standard Gate
|
|
40
|
+
|
|
41
|
+
Use for user-visible product slices, shared state contracts, API behavior, persistence, or cross-file workflows.
|
|
42
|
+
|
|
43
|
+
- Required: focused tests for changed behavior.
|
|
44
|
+
- Add one relevant integration smoke when the slice affects a visible or persisted path.
|
|
45
|
+
- Build/typecheck is required when touching Next build-time code, shared TypeScript contracts, generated package shape, or release/install behavior.
|
|
46
|
+
|
|
47
|
+
### Enterprise Gate
|
|
48
|
+
|
|
49
|
+
Use for public release, install/update, security, migrations, cross-host support, skill/scaffold changes, or high-blast-radius architecture.
|
|
50
|
+
|
|
51
|
+
- Required: focused tests plus the hard gate matching the claim.
|
|
52
|
+
- Examples: distribution audit for install claims, release bundle audit for release handoff claims, browser smoke for UI reliability claims, security scan for permission/secrets claims.
|
|
53
|
+
- For GSE distribution checks, use `--profile smoke` for routine package/install/CLI/integrity evidence and `--profile full` for release, handoff, or installed-copy validation claims.
|
|
54
|
+
- Full validation belongs here, not on every small product slice.
|
|
55
|
+
|
|
56
|
+
Gate selection should be stated in evidence when a task could reasonably look heavier than the chosen profile.
|
|
57
|
+
|
|
58
|
+
Portable validation profile runner:
|
|
59
|
+
|
|
60
|
+
```text
|
|
61
|
+
node <gse-skill>/scripts/run-validation-profile.mjs --target <project-root> --profile lite|standard|enterprise|release
|
|
62
|
+
```
|
|
63
|
+
|
|
64
|
+
Use this runner when a host, user, or future agent needs a stable command instead of hand-selecting individual audit scripts.
|
|
65
|
+
|
|
66
|
+
## UI Gates
|
|
67
|
+
|
|
68
|
+
- Component test or browser smoke for visible behavior.
|
|
69
|
+
- Screenshot or visual inspection for layout-sensitive work.
|
|
70
|
+
- Loading, empty, error, success, retry, and cancelled states covered when relevant.
|
|
71
|
+
|
|
72
|
+
## Agent/Product Gates
|
|
73
|
+
|
|
74
|
+
- State machine transitions are explicit.
|
|
75
|
+
- Stop/retry/recovery behavior is defined.
|
|
76
|
+
- Tool/process traces do not reveal hidden reasoning, secrets, or raw provider payloads.
|
|
77
|
+
- Short/simple chats avoid heavy workflow paths.
|
|
78
|
+
|
|
79
|
+
## Release Gates
|
|
80
|
+
|
|
81
|
+
Use `references/release.md` when a task affects shipping, install, upgrade, runtime compatibility, migration, rollback, changelog/release notes, or release acceptance.
|
|
82
|
+
|
|
83
|
+
- Build/install smoke.
|
|
84
|
+
- Migration and rollback notes.
|
|
85
|
+
- Changelog or release note.
|
|
86
|
+
- Known risk list.
|
|
87
|
+
- Observability or incident path for risky changes.
|
|
88
|
+
|
|
89
|
+
## Domain Gates
|
|
90
|
+
|
|
91
|
+
Use `references/domain-quality-gates.md` to select only the domain gates that match the risk. Do not force all gates onto Lite tasks.
|
|
92
|
+
|
|
93
|
+
- Security/privacy: secrets, auth, permissions, user data, provider payloads, logs, browser traces, or tool permissions.
|
|
94
|
+
- Performance/cost: latency, heavy context loading, loops, model/tool routing, workers, queues, or large files.
|
|
95
|
+
- Accessibility: keyboard flow, focus, forms, semantics, contrast, responsive UI, or user-facing navigation.
|
|
96
|
+
- Resilience/recovery: retry, cancellation, timeout, idempotency, duplicate prevention, fallback, or state recovery.
|
|
97
|
+
- UI/browser: loading, empty, error, success, streaming, routing, layout, screenshot, or browser smoke needs.
|
|
98
|
+
- API/state: contracts, persistence, sessions, caches, state machines, concurrency, or idempotency.
|
|
99
|
+
- Data/migration: schema, storage, generated artifacts, import/export, compatibility, rollback, or downgrade risk.
|
|
100
|
+
- Model/tool routing: provider behavior, fallback, MCP, browser, subagent, tool status, permissions, or cost route.
|