@t275005746/gse 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (207) hide show
  1. package/.github/ISSUE_TEMPLATE/bug_report.yml +42 -0
  2. package/.github/ISSUE_TEMPLATE/change_request.yml +50 -0
  3. package/.github/ISSUE_TEMPLATE/config.yml +5 -0
  4. package/.github/PULL_REQUEST_TEMPLATE.md +38 -0
  5. package/.github/workflows/validate-gse.yml +33 -0
  6. package/.gse/README.md +18 -0
  7. package/.gse/gse-development-protocol.md +50 -0
  8. package/.gse/project-profile.md +29 -0
  9. package/.gse/quality-gates.md +25 -0
  10. package/.gse/releases/public-channel-publication-pending.md +49 -0
  11. package/.gse/releases/public-ci-run-pending.md +53 -0
  12. package/.gse/releases/public-release-owner-required.md +65 -0
  13. package/.gse/releases/public-repository-settings-owner-required.md +59 -0
  14. package/.gse/releases/public-security-contact-owner-required.md +45 -0
  15. package/.gse/state.json +27 -0
  16. package/CHANGELOG.md +24 -0
  17. package/CONTRIBUTING.md +64 -0
  18. package/LICENSE +21 -0
  19. package/README.md +236 -0
  20. package/README.zh-CN.md +236 -0
  21. package/SECURITY.md +41 -0
  22. package/SKILL.md +148 -0
  23. package/SUPPORT.md +38 -0
  24. package/agents/openai.yaml +4 -0
  25. package/assets/marketplace/README.md +7 -0
  26. package/assets/marketplace/gse-listing.json +75 -0
  27. package/assets/templates/acceptance-execution-packet.md +73 -0
  28. package/assets/templates/adr.md +14 -0
  29. package/assets/templates/change-brief.md +16 -0
  30. package/assets/templates/design.md +18 -0
  31. package/assets/templates/dispatch-packet.md +104 -0
  32. package/assets/templates/evidence.md +14 -0
  33. package/assets/templates/execution-quality-pack.md +65 -0
  34. package/assets/templates/goal-map.md +21 -0
  35. package/assets/templates/host-adapter.md +48 -0
  36. package/assets/templates/host-ui-invocation-record.md +42 -0
  37. package/assets/templates/incident-review.md +60 -0
  38. package/assets/templates/public-channel-publication-record.md +49 -0
  39. package/assets/templates/public-ci-run-record.md +53 -0
  40. package/assets/templates/public-release-record.md +65 -0
  41. package/assets/templates/public-repository-settings-record.md +59 -0
  42. package/assets/templates/public-security-contact-record.md +45 -0
  43. package/assets/templates/release-trust-record.md +32 -0
  44. package/assets/templates/review.md +18 -0
  45. package/assets/templates/spec.md +16 -0
  46. package/assets/templates/target-adoption-evidence.md +29 -0
  47. package/assets/templates/tasks.md +17 -0
  48. package/assets/templates/update-release-acceptance-record.md +58 -0
  49. package/examples/README.md +22 -0
  50. package/examples/agent-runtime-host/.claude/gse-adapter.md +6 -0
  51. package/examples/agent-runtime-host/.codex/gse-adapter.md +7 -0
  52. package/examples/agent-runtime-host/.gse/goal-map.md +7 -0
  53. package/examples/agent-runtime-host/.gse/project-profile.md +27 -0
  54. package/examples/agent-runtime-host/.gse/tooling.md +5 -0
  55. package/examples/agent-runtime-host/.mcp.json +9 -0
  56. package/examples/agent-runtime-host/AGENTS.md +5 -0
  57. package/examples/agent-runtime-host/README.md +10 -0
  58. package/examples/agent-runtime-host/docs/model-routing.md +5 -0
  59. package/examples/cli-tool/.gse/project-profile.md +21 -0
  60. package/examples/cli-tool/AGENTS.md +5 -0
  61. package/examples/cli-tool/README.md +12 -0
  62. package/examples/cli-tool/package.json +21 -0
  63. package/examples/small-app/.env.example +2 -0
  64. package/examples/small-app/.github/workflows/ci.yml +8 -0
  65. package/examples/small-app/AGENTS.md +5 -0
  66. package/examples/small-app/README.md +12 -0
  67. package/examples/small-app/package.json +26 -0
  68. package/examples/small-app/playwright.config.ts +4 -0
  69. package/package.json +53 -0
  70. package/references/adoption-recipes.md +171 -0
  71. package/references/agent-roles.md +49 -0
  72. package/references/architecture-health.md +101 -0
  73. package/references/benchmark-audit.md +73 -0
  74. package/references/commands.md +295 -0
  75. package/references/community-channels.md +46 -0
  76. package/references/compatibility.md +70 -0
  77. package/references/design-basis.md +38 -0
  78. package/references/domain-model.md +129 -0
  79. package/references/domain-quality-gates.md +75 -0
  80. package/references/drift-audit.md +81 -0
  81. package/references/evidence-taxonomy.md +123 -0
  82. package/references/file-ownership.md +107 -0
  83. package/references/final-readiness.md +84 -0
  84. package/references/forward-test.md +133 -0
  85. package/references/goal-map.md +36 -0
  86. package/references/host-adapters.md +119 -0
  87. package/references/learning-system.md +35 -0
  88. package/references/marketplace-discovery.md +46 -0
  89. package/references/model-routing.md +103 -0
  90. package/references/open-source-defaults.md +39 -0
  91. package/references/operating-model.md +52 -0
  92. package/references/packaging.md +277 -0
  93. package/references/project-agent-workspace.md +89 -0
  94. package/references/project-bootstrap.md +122 -0
  95. package/references/project-profile.md +57 -0
  96. package/references/public-release.md +174 -0
  97. package/references/quality-gates.md +100 -0
  98. package/references/recovery.md +176 -0
  99. package/references/release-trust.md +43 -0
  100. package/references/release.md +126 -0
  101. package/references/review.md +141 -0
  102. package/references/router.md +90 -0
  103. package/references/spec-workflow.md +66 -0
  104. package/references/task-levels.md +81 -0
  105. package/references/tool-adapters.md +73 -0
  106. package/scripts/audit-acceptance-execution-packet.mjs +133 -0
  107. package/scripts/audit-adoption-recipes.mjs +99 -0
  108. package/scripts/audit-adoption.mjs +154 -0
  109. package/scripts/audit-change-lifecycle.mjs +77 -0
  110. package/scripts/audit-change-system.mjs +134 -0
  111. package/scripts/audit-ci-readiness.mjs +107 -0
  112. package/scripts/audit-close-gate.mjs +323 -0
  113. package/scripts/audit-command-adapters.mjs +91 -0
  114. package/scripts/audit-command-execution.mjs +210 -0
  115. package/scripts/audit-commands.mjs +117 -0
  116. package/scripts/audit-compatibility.mjs +149 -0
  117. package/scripts/audit-completion-readiness.mjs +292 -0
  118. package/scripts/audit-distribution.mjs +251 -0
  119. package/scripts/audit-domain-quality-gates.mjs +108 -0
  120. package/scripts/audit-evidence-placeholders.mjs +126 -0
  121. package/scripts/audit-final-acceptance-packet.mjs +148 -0
  122. package/scripts/audit-final-form-progress-report.mjs +161 -0
  123. package/scripts/audit-final-form-stale-copy.mjs +221 -0
  124. package/scripts/audit-final-readiness-promotion.mjs +255 -0
  125. package/scripts/audit-final-readiness.mjs +226 -0
  126. package/scripts/audit-fixtures.mjs +154 -0
  127. package/scripts/audit-fresh-session-readiness.mjs +177 -0
  128. package/scripts/audit-gse.mjs +275 -0
  129. package/scripts/audit-host-adapters.mjs +119 -0
  130. package/scripts/audit-host-runtime-evidence-handoff.mjs +159 -0
  131. package/scripts/audit-host-runtime-invocation-drill.mjs +240 -0
  132. package/scripts/audit-host-runtime-invocations.mjs +254 -0
  133. package/scripts/audit-host-ui-invocation.mjs +132 -0
  134. package/scripts/audit-learning-system.mjs +103 -0
  135. package/scripts/audit-local-final-form-completion.mjs +131 -0
  136. package/scripts/audit-marketplace-discovery.mjs +122 -0
  137. package/scripts/audit-npm-package-metadata.mjs +155 -0
  138. package/scripts/audit-npm-publish-dry-run.mjs +169 -0
  139. package/scripts/audit-npm-tarball-install.mjs +191 -0
  140. package/scripts/audit-open-source-defaults.mjs +92 -0
  141. package/scripts/audit-open-source-readiness.mjs +97 -0
  142. package/scripts/audit-owner-external-gate-kit.mjs +218 -0
  143. package/scripts/audit-project.mjs +323 -0
  144. package/scripts/audit-public-acceptance-command-dry-run-drill.mjs +203 -0
  145. package/scripts/audit-public-acceptance-handoff.mjs +142 -0
  146. package/scripts/audit-public-acceptance-readiness.mjs +224 -0
  147. package/scripts/audit-public-channel-publication.mjs +248 -0
  148. package/scripts/audit-public-ci-run.mjs +184 -0
  149. package/scripts/audit-public-collaboration-templates.mjs +98 -0
  150. package/scripts/audit-public-external-gate-probe.mjs +206 -0
  151. package/scripts/audit-public-release-checklist.mjs +133 -0
  152. package/scripts/audit-public-release-decision.mjs +201 -0
  153. package/scripts/audit-public-release-metadata.mjs +176 -0
  154. package/scripts/audit-public-repository-settings.mjs +237 -0
  155. package/scripts/audit-public-security-contact.mjs +171 -0
  156. package/scripts/audit-readme-docs.mjs +185 -0
  157. package/scripts/audit-recovery-readiness.mjs +98 -0
  158. package/scripts/audit-release-bundle.mjs +251 -0
  159. package/scripts/audit-release-owner-action-plan-drill.mjs +277 -0
  160. package/scripts/audit-release-owner-action-plan.mjs +164 -0
  161. package/scripts/audit-release-readiness.mjs +106 -0
  162. package/scripts/audit-release-status-manifest.mjs +165 -0
  163. package/scripts/audit-release-trust.mjs +62 -0
  164. package/scripts/audit-remote-distribution.mjs +266 -0
  165. package/scripts/audit-roadmap-consistency.mjs +235 -0
  166. package/scripts/audit-signing.mjs +147 -0
  167. package/scripts/audit-state-freshness.mjs +113 -0
  168. package/scripts/audit-target-adoption-evidence.mjs +117 -0
  169. package/scripts/audit-target-project.mjs +507 -0
  170. package/scripts/audit-update-release-acceptance.mjs +136 -0
  171. package/scripts/audit-v1-target-validation.mjs +269 -0
  172. package/scripts/audit-validation-profiles.mjs +125 -0
  173. package/scripts/close-change.mjs +116 -0
  174. package/scripts/discover-project-profile.mjs +307 -0
  175. package/scripts/forward-test-gse.mjs +146 -0
  176. package/scripts/generate-command-adapter.mjs +231 -0
  177. package/scripts/generate-final-acceptance-packet.mjs +181 -0
  178. package/scripts/generate-final-form-progress-report.mjs +205 -0
  179. package/scripts/generate-host-adapter.mjs +73 -0
  180. package/scripts/generate-host-runtime-evidence-handoff.mjs +206 -0
  181. package/scripts/generate-owner-external-gate-kit.mjs +295 -0
  182. package/scripts/generate-public-acceptance-handoff.mjs +168 -0
  183. package/scripts/generate-public-release-checklist.mjs +207 -0
  184. package/scripts/generate-release-bundle.mjs +505 -0
  185. package/scripts/generate-release-owner-action-plan.mjs +172 -0
  186. package/scripts/generate-release-status-manifest.mjs +200 -0
  187. package/scripts/generate-session-prompt.mjs +188 -0
  188. package/scripts/gse.mjs +67 -0
  189. package/scripts/init-change.mjs +265 -0
  190. package/scripts/init-project.mjs +785 -0
  191. package/scripts/install-gse.mjs +234 -0
  192. package/scripts/lib/evidence-placeholders.mjs +28 -0
  193. package/scripts/package-gse.mjs +174 -0
  194. package/scripts/probe-public-external-gates.mjs +167 -0
  195. package/scripts/record-host-invocation.mjs +151 -0
  196. package/scripts/record-learning.mjs +137 -0
  197. package/scripts/record-public-channel-publication.mjs +178 -0
  198. package/scripts/record-public-ci-run.mjs +180 -0
  199. package/scripts/record-public-release.mjs +175 -0
  200. package/scripts/record-public-repository-settings.mjs +209 -0
  201. package/scripts/record-public-security-contact.mjs +157 -0
  202. package/scripts/run-gse-command.mjs +538 -0
  203. package/scripts/run-validation-profile.mjs +146 -0
  204. package/scripts/sign-gse-package.mjs +83 -0
  205. package/scripts/update-project-state.mjs +223 -0
  206. package/scripts/validate-gse.mjs +1168 -0
  207. package/scripts/verify-gse-package.mjs +85 -0
@@ -0,0 +1,89 @@
1
+ # Project Agent Workspace
2
+
3
+ Use this when the user asks whether GSE can create a project-local directory for agent workflow files, hooks, skills, roles, LSP notes, MCP notes, plugins, and tool adapters.
4
+
5
+ ## Design Rule
6
+
7
+ GSE owns `.gse/` as the portable layer. Tool-specific folders are adapters, not the source of truth.
8
+
9
+ ```text
10
+ project-root/
11
+ .gse/
12
+ README.md
13
+ goal-map.md
14
+ quality-gates.md
15
+ tooling.md
16
+ learnings.md
17
+ agent-workspace.md
18
+ agents/
19
+ roles.md
20
+ dispatch.md
21
+ hooks/
22
+ README.md
23
+ skills/
24
+ README.md
25
+ mcp/
26
+ README.md
27
+ lsp/
28
+ README.md
29
+ plugins/
30
+ README.md
31
+ changes/
32
+ evidence/
33
+ templates/
34
+ ```
35
+
36
+ ## Why `.gse/` Instead of `.claude/` or `.codex/`
37
+
38
+ - `.claude/`, `.codex/`, `.agents/`, and product-specific runtime folders can be useful, but they bind the project to one host.
39
+ - `.gse/` is the neutral contract any agent can read.
40
+ - Adapters may mirror or link from `.gse/`, but durable workflow decisions should remain in `.gse/`.
41
+
42
+ ## Directory Responsibilities
43
+
44
+ | Path | Purpose | Required |
45
+ |---|---|---|
46
+ | `.gse/goal-map.md` | Current goals, priorities, risks, next slice | yes |
47
+ | `.gse/quality-gates.md` | Verification and release gates | yes |
48
+ | `.gse/tooling.md` | Available tools and optional adapters | yes |
49
+ | `.gse/agent-workspace.md` | Map of local agent folders and host adapters | standard+ |
50
+ | `.gse/agents/roles.md` | Role definitions and boundaries | standard+ |
51
+ | `.gse/agents/dispatch.md` | How to delegate work when subagents exist | standard+ |
52
+ | `.gse/hooks/README.md` | Hook ideas and host-specific hook mapping | enterprise |
53
+ | `.gse/skills/README.md` | Project-local skill inventory and install notes | standard+ |
54
+ | `.gse/mcp/README.md` | MCP servers, permissions, and setup notes | enterprise |
55
+ | `.gse/lsp/README.md` | Indexing/LSP commands and symbol navigation notes | standard+ |
56
+ | `.gse/plugins/README.md` | Optional plugins and runtime adapters | enterprise |
57
+
58
+ ## Host Adapter Pattern
59
+
60
+ Use adapters only when the host supports them:
61
+
62
+ - Codex: `.codex/`, Codex skills, MCP config, available subagent tools.
63
+ - Claude Code: `.claude/`, commands, hooks, agents, MCP config.
64
+ - Hermes or AION-like runtimes: runtime skills, worker adapters, memory, tool substrate.
65
+ - WorkBuddy or other hosts: local docs, commands, MCP, index, and automation conventions.
66
+
67
+ When an adapter is needed, write a short pointer from the host folder back to `.gse/` rather than duplicating the whole process.
68
+
69
+ ## Lessons Borrowed From Skill Repositories
70
+
71
+ Verified local observations from `mattpocock/skills` snapshot:
72
+
73
+ - Skills are organized by bucket, such as `engineering/` and `productivity/`.
74
+ - It has a setup skill that configures per-repo assumptions before other skills rely on them.
75
+ - It uses project docs such as `CONTEXT.md`, ADRs, issue tracker config, and a router skill.
76
+ - It distinguishes user-invoked and model-invoked skills.
77
+
78
+ GSE adopts the same principles at a workflow level: setup first, local context first, small composable roles, and a router-like goal map. GSE does not copy its Claude-specific plugin layout as a hard requirement.
79
+
80
+ ## Missing Areas To Keep Tracking
81
+
82
+ - Secrets and permission boundaries for MCP/tools.
83
+ - Cross-agent lock files or ownership rules for concurrent edits.
84
+ - CI integration for quality gates.
85
+ - Release and rollback playbooks.
86
+ - Observability for long-running agent work: traces, cost, failed commands, retries.
87
+ - Prompt/context budgets and compaction handoff format.
88
+ - Drift audits for stale local skills, hooks, or generated docs.
89
+
@@ -0,0 +1,122 @@
1
+ # Project Bootstrap
2
+
3
+ Use this when initializing GSE in a project.
4
+
5
+ Use `references/adoption-recipes.md` when choosing between fresh install, existing repo adoption, GSE update, or host adapter adoption paths.
6
+
7
+ ## Modes
8
+
9
+ - `auto`: default mode; chooses a scaffold from project files, scripts, CI, host folders, and runtime/tooling signals.
10
+ - `lite`: minimal workflow files for small tasks or small projects.
11
+ - `standard`: adds project-local agent workspace files for durable agent-assisted development.
12
+ - `enterprise`: adds hooks, MCP, plugins, release, incident, and audit placeholders for large or long-running projects.
13
+
14
+ ## Minimal `.gse/` Files
15
+
16
+ ```text
17
+ .gse/
18
+ README.md
19
+ state.json
20
+ project-profile.md
21
+ goal-map.md
22
+ goals/
23
+ README.md
24
+ quality-gates.md
25
+ tooling.md
26
+ learnings.md
27
+ changes/
28
+ evidence/
29
+ index.jsonl
30
+ templates/
31
+ ```
32
+
33
+ ## Standard Agent Workspace Files
34
+
35
+ See `project-agent-workspace.md` for responsibilities.
36
+
37
+ ```text
38
+ .gse/
39
+ agent-workspace.md
40
+ agents/
41
+ roles.md
42
+ dispatch.md
43
+ skills/
44
+ README.md
45
+ lsp/
46
+ README.md
47
+ ```
48
+
49
+ ## Enterprise Files
50
+
51
+ ```text
52
+ .gse/
53
+ hooks/README.md
54
+ mcp/README.md
55
+ plugins/README.md
56
+ release.md
57
+ incident-review.md
58
+ audit.md
59
+ ```
60
+
61
+ ## Host Adapter Files
62
+
63
+ When `enterprise` mode is selected and host folders already exist, `init-project.mjs` can add thin adapters such as:
64
+
65
+ ```text
66
+ .codex/gse-adapter.md
67
+ .claude/gse-adapter.md
68
+ ```
69
+
70
+ These files point back to `.gse/` and must not duplicate the portable goal map, quality gates, or evidence log.
71
+
72
+ For new host command/pointer adapters, prefer:
73
+
74
+ ```bash
75
+ node <skill-dir>/scripts/generate-command-adapter.mjs --target <project-root> --host claude|codex|hermes|workbuddy|copilot|gemini|generic|all
76
+ ```
77
+
78
+ The older `.codex/gse-adapter.md` and `.claude/gse-adapter.md` files remain compatibility pointers for existing scaffold and fixture coverage.
79
+
80
+ ## Recommended Command
81
+
82
+ ```bash
83
+ node <skill-dir>/scripts/init-project.mjs --target <project-root>
84
+ ```
85
+
86
+ This uses `--mode auto`. Pass `--mode lite`, `--mode standard`, or `--mode enterprise` when the project owner wants a specific scaffold.
87
+
88
+ The script should not overwrite existing files unless `--force` is passed.
89
+
90
+ ## Bootstrap Smoke
91
+
92
+ Use this after changing scaffold behavior or before trusting a packaged GSE skill:
93
+
94
+ ```bash
95
+ node <skill-dir>/scripts/audit-project.mjs --root <skill-dir>
96
+ ```
97
+
98
+ This verifies `lite`, `standard`, `enterprise`, and representative `auto` scaffold selection in temporary directories and checks rerun safety. It does not certify arbitrary real repositories, package installs, CI, or fresh-session acceptance.
99
+
100
+ ## AGENTS.md Integration
101
+
102
+ Add a short project rule only with explicit approval:
103
+
104
+ ```markdown
105
+ ## GSE Workflow
106
+
107
+ This project follows GSE (Goal-Spec-Evidence Engineering). Start meaningful work by reading `.gse/README.md`, bind non-trivial tasks to `.gse/goal-map.md`, and finish with evidence in `.gse/evidence/` or the project-specific evidence log.
108
+ ```
109
+
110
+ ## Bootstrap Acceptance
111
+
112
+ - `.gse/README.md` exists.
113
+ - `.gse/state.json` exists and records mode, phase, current slice status, tool statuses, last evidence, and residual risks.
114
+ - `.gse/project-profile.md` exists and can capture project-specific standards, commands, tools, and permissions.
115
+ - Goal map has a North Star and Current Focus section.
116
+ - `.gse/evidence/index.jsonl` exists and contains at least one machine-readable adoption or slice record.
117
+ - `.gse/goals/README.md` exists so large projects can place module-level goal details outside the root goal map.
118
+ - Quality gates list at least universal, code, UI, release, and learning gates.
119
+ - Tooling file records available and optional tools.
120
+ - Standard mode records project-local agent workspace files.
121
+ - Enterprise mode records hooks, MCP, plugins, release, incident, and audit placeholders.
122
+ - Enterprise auto mode writes compatibility host adapter files for existing `.codex/` or `.claude/` folders; command adapters for broader hosts use `generate-command-adapter.mjs`.
@@ -0,0 +1,57 @@
1
+ # Project Profile
2
+
3
+ Use this when a project has its own development standards, commands, tool connections, CI, MCP servers, LSP/index setup, release process, security rules, or agent-host conventions.
4
+
5
+ ## Principle
6
+
7
+ Project-local rules override generic GSE defaults. GSE should adapt to the project, not flatten the project into a generic workflow.
8
+
9
+ ## Discovery Order
10
+
11
+ Read only what is relevant to the task and risk level:
12
+
13
+ 1. Agent rules: `AGENTS.md`, `CLAUDE.md`, `GEMINI.md`, `.cursorrules`, `.windsurfrules`, or host equivalents.
14
+ 2. Project docs: README, CONTRIBUTING, CODING_STANDARDS, architecture docs, ADRs, `CONTEXT.md`.
15
+ 3. Commands and scripts: `package.json`, `Makefile`, task runners, CI workflows, test config.
16
+ 4. Tooling connections: MCP config, browser/Playwright config, LSP/index config, deployment config, observability config.
17
+ 5. Secrets and permissions: `.env.example`, secret docs, write-capable tools, destructive commands.
18
+ 6. Existing GSE files: `.gse/project-profile.md`, `.gse/tooling.md`, `.gse/quality-gates.md`.
19
+
20
+ Avoid reading generated output, large logs, lockfiles, caches, screenshots, or archives unless the current task needs them.
21
+
22
+ ## What To Capture
23
+
24
+ Keep `.gse/project-profile.md` short and factual:
25
+
26
+ - Product or system identity.
27
+ - Repository type and main languages/frameworks.
28
+ - Development commands and focused verification commands.
29
+ - Coding standards and formatting rules.
30
+ - Testing strategy and required gates.
31
+ - Tool connections: MCP, LSP/index, browser automation, CI, deploy, observability.
32
+ - Model routing: project-approved providers, model/tool ids, capability fit, cost/latency expectations, privacy limits, and fallback policy.
33
+ - Agent host adapters: Codex, Claude Code, Hermes/AION-style runtime, WorkBuddy, or other hosts; use `references/compatibility.md` for support status labels.
34
+ - Security and permission boundaries.
35
+ - Release and rollback expectations.
36
+ - Known gotchas.
37
+
38
+ ## Conflict Rules
39
+
40
+ - User instruction in the current conversation wins.
41
+ - Project rules beat GSE generic defaults.
42
+ - More specific docs beat broad docs when they clearly apply to the current subsystem.
43
+ - If two project rules conflict, surface the conflict before editing.
44
+ - Never invent tool availability. Mark unverified connections as `unknown` until tested or documented.
45
+
46
+ ## Refresh Triggers
47
+
48
+ Use `references/drift-audit.md` when current project facts may have diverged from recorded profile, tooling, host, release, or permission assumptions.
49
+
50
+ Refresh `.gse/project-profile.md` when:
51
+
52
+ - The user says a tool/config/standard exists but GSE cannot see it.
53
+ - A command fails because the wrong package manager, shell, or service was assumed.
54
+ - CI/test/deploy config changes.
55
+ - New MCP, LSP, browser, worker, model, or plugin connections are added.
56
+ - A recurring issue appears in evidence or incident reviews.
57
+
@@ -0,0 +1,174 @@
1
+ # Public Release Metadata
2
+
3
+ Use this gate when GSE, a project-local GSE scaffold, or a GSE-derived package is prepared for public GitHub, marketplace, catalog, registry, or external handoff.
4
+
5
+ Public release metadata is not a substitute for legal review, maintainer approval, CI, or marketplace approval. It makes the release state auditable so agents do not claim public readiness from local tests alone.
6
+
7
+ ## Required Metadata
8
+
9
+ Before a public release can be called accepted, record:
10
+
11
+ - Release name or version.
12
+ - Release date or intended release window.
13
+ - Distribution channel: GitHub repository, package registry, marketplace/catalog, internal handoff, or direct archive.
14
+ - License decision: license identifier, license file path, and who approved it.
15
+ - Changelog or release notes path.
16
+ - Install/update instructions path.
17
+ - Verification commands and latest result.
18
+ - Signing or integrity policy.
19
+ - Public CI run: public workflow run URL, commit SHA, required checks, result, and acceptance evidence.
20
+ - Public security contact: owner-approved disclosure path and policy update evidence.
21
+ - Public repository settings: issues, PRs, security policy visibility, branch protection, and required checks.
22
+ - Public channel publication: registry package, GitHub release, marketplace, or catalog evidence when any public channel is claimed.
23
+ - Community/support channel: optional maintainer support, sponsorship, affiliate, or related-service link, if owner-approved.
24
+ - Known risks and unsupported claims.
25
+ - Owner acceptance or explicit reason acceptance is still pending.
26
+
27
+ ## License Decision
28
+
29
+ GSE must not choose a license by guessing. If the project has no approved license, record `owner-required` and keep public release acceptance pending.
30
+
31
+ For the GSE skill itself, the owner-approved mainstream open-source default is MIT. See `references/open-source-defaults.md`. This default does not imply public repository, CI, registry, marketplace, or host runtime acceptance until those external records exist.
32
+
33
+ Minimum license record:
34
+
35
+ ```text
36
+ License status: owner-required | selected | not-public
37
+ SPDX identifier:
38
+ License file:
39
+ Approved by:
40
+ Decision date:
41
+ Notes:
42
+ ```
43
+
44
+ Use `assets/templates/public-release-record.md` when a release needs a compact owner-facing decision record.
45
+
46
+ Use `scripts/record-public-release.mjs` to create a project-local record without hand-editing the template:
47
+
48
+ ```bash
49
+ node <skill>/scripts/record-public-release.mjs --root <skill-or-project> --license-status owner-required --json
50
+ ```
51
+
52
+ For `--license-status selected`, the command requires `--spdx`, `--license-file`, `--approved-by`, `--decision-date`, and `--evidence-status accepted`. This keeps license acceptance from being implied by a partially filled record.
53
+
54
+ For `--license-status not-public`, the command requires `--approved-by` and `--decision-date`. Use this when the owner explicitly decides the package is not approved for public open-source release yet.
55
+
56
+ Run `scripts/audit-public-release-decision.mjs --root <skill-or-project>` to verify that the owner-required, selected-license, and not-public decision paths behave correctly. The audit uses a temporary fixture for selected-license success and does not choose a license for the real project.
57
+
58
+ ## Public Release Checklist
59
+
60
+ Use the generated checklist when the owner needs the public-release work in execution order instead of grouped by responsibility:
61
+
62
+ ```bash
63
+ node <skill>/scripts/generate-public-release-checklist.mjs --root <skill-or-project> --force --json
64
+ node <skill>/scripts/audit-public-release-checklist.mjs --root <skill-or-project> --json
65
+ ```
66
+
67
+ The checklist is a runway, not an acceptance record. It keeps the order explicit: release bundle, public repository settings, security contact, public CI, registry publication, marketplace listing, native slash-command evidence, other host runtime evidence, then final readiness audits.
68
+
69
+ ## Public CI Run
70
+
71
+ Local CI workflow files are not proof that public CI has run. If GSE is claimed to have public CI evidence, record the real public workflow run.
72
+
73
+ Use `assets/templates/public-ci-run-record.md` for a compact record, or generate one with:
74
+
75
+ ```bash
76
+ node <skill>/scripts/record-public-ci-run.mjs --root <skill-or-project> --run-status pending --json
77
+ ```
78
+
79
+ For `--run-status accepted`, the command requires repository URL, workflow name, workflow file, run URL, commit SHA, branch, required checks, evidence owner, evidence date, evidence URL or run id, `--run-conclusion success`, `--evidence-status accepted`, `--accepted-by`, `--accepted-at`, `--proves-public-ci-run true`, and `--proves-required-checks true`.
80
+
81
+ Run `scripts/audit-public-ci-run.mjs --root <skill-or-project>` to verify pending and accepted CI run record mechanics. The audit uses temporary fixture evidence and does not run GitHub Actions.
82
+
83
+ ## Public Security Contact
84
+
85
+ GSE must not invent a public vulnerability disclosure address. If the owner has not approved a public security contact, keep the contact status pending and do not claim public release acceptance.
86
+
87
+ Use `assets/templates/public-security-contact-record.md` for a compact record, or generate one with:
88
+
89
+ ```bash
90
+ node <skill>/scripts/record-public-security-contact.mjs --root <skill-or-project> --contact-status pending --json
91
+ ```
92
+
93
+ For `--contact-status accepted`, the command requires a public contact type and value, owner evidence, evidence date, evidence URL or run id, `--is-public true`, `--security-policy-updated true`, `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
94
+
95
+ Run `scripts/audit-public-security-contact.mjs --root <skill-or-project>` to verify pending and accepted record mechanics. The audit uses temporary fixture evidence and does not create a real public security contact.
96
+
97
+ ## Public Repository Settings
98
+
99
+ Public repository settings are external evidence. Local files can define the required shape, but they do not prove that a public GitHub repository has issues, pull requests, security policy visibility, branch protection, or required checks configured.
100
+
101
+ Use `assets/templates/public-repository-settings-record.md` for a compact record, or generate one with:
102
+
103
+ ```bash
104
+ node <skill>/scripts/record-public-repository-settings.mjs --root <skill-or-project> --settings-status pending --json
105
+ ```
106
+
107
+ For `--settings-status verified`, the command requires a public repository URL, evidence owner, evidence date, evidence URL or run id, enabled issues/PRs/security policy, branch protection, required status checks, review-before-merge, conversation resolution, force-push restriction, deletion restriction, and required check names.
108
+
109
+ For `--settings-status accepted`, the command also requires `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
110
+
111
+ Run `scripts/audit-public-repository-settings.mjs --root <skill-or-project>` to verify the pending, verified, and accepted record mechanics. The audit uses temporary fixture evidence and does not configure a real public repository.
112
+
113
+ ## Public Channel Publication
114
+
115
+ Discovery metadata, local packages, release bundles, and URL-install smokes are not public publication. If GSE is claimed to be published through a registry, marketplace, catalog, or GitHub release, record the real channel evidence.
116
+
117
+ Use `assets/templates/public-channel-publication-record.md` for a compact record, or generate one with:
118
+
119
+ ```bash
120
+ node <skill>/scripts/record-public-channel-publication.mjs --root <skill-or-project> --publication-status pending --json
121
+ ```
122
+
123
+ For `--publication-status accepted`, the command requires channel type, channel name, channel URL, version, owner evidence, evidence date, evidence URL or run id, review status `approved` or `published`, `--accepted-by`, `--accepted-at`, and `--evidence-status accepted`.
124
+
125
+ For package registry claims, accepted evidence also requires `--artifact-digest` and `--proves-registry-publication true`. For marketplace or catalog claims, accepted evidence requires `--proves-marketplace-approval true`.
126
+
127
+ Run `scripts/audit-public-channel-publication.mjs --root <skill-or-project>` to verify pending, registry-publication, and marketplace-approval record mechanics. The audit uses temporary fixture evidence and does not publish to a real channel.
128
+
129
+ ## Community And Support Links
130
+
131
+ Community links are not release channels. They can help users find support or related maintainer services, but they do not prove registry publication, marketplace approval, public CI, security disclosure, or host runtime support.
132
+
133
+ For GSE, GateHub (`https://gatehub.top/`) is the current owner-candidate community/support link. Use `references/community-channels.md` before adding it to a public repository, release note, or listing.
134
+
135
+ ## Changelog Policy
136
+
137
+ Use the project convention first. If none exists, keep a `CHANGELOG.md` with:
138
+
139
+ - user-facing changes,
140
+ - operator or maintainer changes,
141
+ - breaking changes,
142
+ - migration and rollback notes,
143
+ - verification evidence,
144
+ - known limits and unsupported claims.
145
+
146
+ Do not paste long command output, private reasoning, secrets, provider payloads, or screenshots into a changelog. Link to evidence files instead.
147
+
148
+ ## Acceptance Levels
149
+
150
+ - `result`: metadata files exist but are not verified.
151
+ - `verified`: metadata files, scripts, changelog policy, and owner-decision placeholders are structurally checked.
152
+ - `accepted`: owner license decision, release channel, verification evidence, and required approvals are recorded.
153
+
154
+ Do not mark `accepted` when the release is only locally validated.
155
+
156
+ ## Integration
157
+
158
+ - Use `references/open-source-defaults.md` for the mainstream public release preset.
159
+ - Use `references/community-channels.md` for optional maintainer support, sponsorship, affiliate, or related-service links.
160
+ - Run `scripts/audit-public-release-metadata.mjs --root <skill-or-project>` before public handoff.
161
+ - Run `scripts/audit-public-release-decision.mjs --root <skill-or-project>` before claiming release-decision mechanics are complete.
162
+ - Use `scripts/record-public-release.mjs --root <skill-or-project>` to write the release decision record.
163
+ - Run `scripts/audit-public-ci-run.mjs --root <skill-or-project>` before claiming public CI run record mechanics are complete.
164
+ - Use `scripts/record-public-ci-run.mjs --root <skill-or-project>` to write public CI run evidence.
165
+ - Run `scripts/audit-public-security-contact.mjs --root <skill-or-project>` before claiming security contact record mechanics are complete.
166
+ - Use `scripts/record-public-security-contact.mjs --root <skill-or-project>` to write the public security contact evidence record.
167
+ - Run `scripts/audit-public-repository-settings.mjs --root <skill-or-project>` before claiming repository settings record mechanics are complete.
168
+ - Use `scripts/record-public-repository-settings.mjs --root <skill-or-project>` to write the repository settings evidence record.
169
+ - Run `scripts/audit-public-channel-publication.mjs --root <skill-or-project>` before claiming public channel publication record mechanics are complete.
170
+ - Use `scripts/record-public-channel-publication.mjs --root <skill-or-project>` to write public registry, marketplace, catalog, or release publication evidence.
171
+ - Run `scripts/validate-gse.mjs --root <skill>` before publishing the GSE skill itself.
172
+ - Use `references/release.md` for release-level gates and rollback guidance.
173
+ - Use `references/release-trust.md` for signing, public key custody, and artifact trust.
174
+ - Use `references/marketplace-discovery.md` when preparing marketplace or catalog metadata.
@@ -0,0 +1,100 @@
1
+ # Quality Gates
2
+
3
+ Pick gates by task risk.
4
+
5
+ ## Universal Gate
6
+
7
+ - Outcome matches request.
8
+ - Scope did not expand silently.
9
+ - Acceptance has evidence.
10
+ - Evidence status uses `evidence-taxonomy.md`: result, verified, or accepted.
11
+ - Do not claim `verified` or `accepted` when evidence only proves `result`.
12
+ - Dirty worktree contains only intended files; use `references/file-ownership.md` when ownership or pre-existing changes are unclear.
13
+ - Final answer states evidence and remaining risk.
14
+ - Use `references/recovery.md` when work is interrupted, verification fails, rollback/resume decisions are needed, or another agent/session must continue.
15
+ - Use `references/review.md` when task risk requires spec compliance, code quality, architecture drift, security/privacy, regression, or evidence review.
16
+ - Use `references/domain-quality-gates.md` when task risk involves security/privacy, performance/cost, accessibility, resilience/recovery, UI/browser, API/state, data/migration, model/tool routing, or release/operations concerns.
17
+ - Use `references/architecture-health.md` when the task touches structural boundaries, coupling, source-of-truth drift, ownership, dependency/security risk, performance/resilience, migration, or release impact.
18
+ - Use `references/forward-test.md` for non-trivial GSE skill, scaffold, router, role, adapter, release, recovery, or packaging changes.
19
+
20
+ ## Code Gates
21
+
22
+ - Focused tests for changed behavior.
23
+ - Typecheck/lint/build when relevant.
24
+ - Regression test for bug fixes when feasible.
25
+ - No unrelated refactors.
26
+
27
+ ## Gate Profiles
28
+
29
+ Use the lightest gate profile that proves the claim.
30
+
31
+ ### Lite Gate
32
+
33
+ Use for docs, scripts, copy, narrow state labels, and low-risk local helpers.
34
+
35
+ - Required: one focused command, structural check, or explicit manual evidence.
36
+ - Optional: encoding check when docs changed.
37
+ - Avoid by default: full build, browser smoke, distribution audit, or close gate unless the change touches those surfaces.
38
+
39
+ ### Standard Gate
40
+
41
+ Use for user-visible product slices, shared state contracts, API behavior, persistence, or cross-file workflows.
42
+
43
+ - Required: focused tests for changed behavior.
44
+ - Add one relevant integration smoke when the slice affects a visible or persisted path.
45
+ - Build/typecheck is required when touching Next build-time code, shared TypeScript contracts, generated package shape, or release/install behavior.
46
+
47
+ ### Enterprise Gate
48
+
49
+ Use for public release, install/update, security, migrations, cross-host support, skill/scaffold changes, or high-blast-radius architecture.
50
+
51
+ - Required: focused tests plus the hard gate matching the claim.
52
+ - Examples: distribution audit for install claims, release bundle audit for release handoff claims, browser smoke for UI reliability claims, security scan for permission/secrets claims.
53
+ - For GSE distribution checks, use `--profile smoke` for routine package/install/CLI/integrity evidence and `--profile full` for release, handoff, or installed-copy validation claims.
54
+ - Full validation belongs here, not on every small product slice.
55
+
56
+ Gate selection should be stated in evidence when a task could reasonably look heavier than the chosen profile.
57
+
58
+ Portable validation profile runner:
59
+
60
+ ```text
61
+ node <gse-skill>/scripts/run-validation-profile.mjs --target <project-root> --profile lite|standard|enterprise|release
62
+ ```
63
+
64
+ Use this runner when a host, user, or future agent needs a stable command instead of hand-selecting individual audit scripts.
65
+
66
+ ## UI Gates
67
+
68
+ - Component test or browser smoke for visible behavior.
69
+ - Screenshot or visual inspection for layout-sensitive work.
70
+ - Loading, empty, error, success, retry, and cancelled states covered when relevant.
71
+
72
+ ## Agent/Product Gates
73
+
74
+ - State machine transitions are explicit.
75
+ - Stop/retry/recovery behavior is defined.
76
+ - Tool/process traces do not reveal hidden reasoning, secrets, or raw provider payloads.
77
+ - Short/simple chats avoid heavy workflow paths.
78
+
79
+ ## Release Gates
80
+
81
+ Use `references/release.md` when a task affects shipping, install, upgrade, runtime compatibility, migration, rollback, changelog/release notes, or release acceptance.
82
+
83
+ - Build/install smoke.
84
+ - Migration and rollback notes.
85
+ - Changelog or release note.
86
+ - Known risk list.
87
+ - Observability or incident path for risky changes.
88
+
89
+ ## Domain Gates
90
+
91
+ Use `references/domain-quality-gates.md` to select only the domain gates that match the risk. Do not force all gates onto Lite tasks.
92
+
93
+ - Security/privacy: secrets, auth, permissions, user data, provider payloads, logs, browser traces, or tool permissions.
94
+ - Performance/cost: latency, heavy context loading, loops, model/tool routing, workers, queues, or large files.
95
+ - Accessibility: keyboard flow, focus, forms, semantics, contrast, responsive UI, or user-facing navigation.
96
+ - Resilience/recovery: retry, cancellation, timeout, idempotency, duplicate prevention, fallback, or state recovery.
97
+ - UI/browser: loading, empty, error, success, streaming, routing, layout, screenshot, or browser smoke needs.
98
+ - API/state: contracts, persistence, sessions, caches, state machines, concurrency, or idempotency.
99
+ - Data/migration: schema, storage, generated artifacts, import/export, compatibility, rollback, or downgrade risk.
100
+ - Model/tool routing: provider behavior, fallback, MCP, browser, subagent, tool status, permissions, or cost route.