@t275005746/gse 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (84) hide show
  1. package/.gse/state.json +147 -26
  2. package/CHANGELOG.md +19 -3
  3. package/README.md +13 -6
  4. package/README.zh-CN.md +13 -6
  5. package/SKILL.md +32 -12
  6. package/assets/templates/dispatch-packet.md +22 -14
  7. package/assets/templates/evidence.md +11 -5
  8. package/assets/templates/role-fallback-packet.md +49 -0
  9. package/package.json +18 -10
  10. package/references/agent-roles.md +41 -20
  11. package/references/commands.md +74 -45
  12. package/references/drift-audit.md +2 -1
  13. package/references/evidence-taxonomy.md +46 -9
  14. package/references/file-ownership.md +17 -13
  15. package/references/final-form-roadmap.md +201 -0
  16. package/references/final-readiness.md +3 -3
  17. package/references/host-adapters.md +38 -10
  18. package/references/learning-system.md +24 -8
  19. package/references/maintenance-cadence.md +51 -0
  20. package/references/project-guards.md +52 -0
  21. package/references/quality-gates.md +18 -11
  22. package/references/role-dispatch-fallback.md +54 -0
  23. package/references/tool-adapters.md +13 -3
  24. package/scripts/audit-close-gate-hardening.mjs +188 -0
  25. package/scripts/audit-close-gate.mjs +219 -33
  26. package/scripts/audit-command-execution.mjs +30 -17
  27. package/scripts/audit-commands.mjs +7 -5
  28. package/scripts/audit-completion-plan-drill.mjs +230 -0
  29. package/scripts/audit-completion-readiness.mjs +9 -6
  30. package/scripts/audit-continue-preflight.mjs +234 -0
  31. package/scripts/audit-evidence-levels.mjs +217 -0
  32. package/scripts/audit-evidence-review-queue.mjs +206 -0
  33. package/scripts/audit-final-acceptance-packet.mjs +9 -9
  34. package/scripts/audit-final-form-progress-report.mjs +19 -18
  35. package/scripts/audit-final-form-roadmap.mjs +157 -0
  36. package/scripts/audit-final-form-stale-copy.mjs +2 -2
  37. package/scripts/audit-final-readiness.mjs +3 -3
  38. package/scripts/audit-fresh-session-readiness.mjs +1 -1
  39. package/scripts/audit-host-capabilities.mjs +237 -0
  40. package/scripts/audit-installed-sync.mjs +203 -0
  41. package/scripts/audit-learning-drift.mjs +292 -0
  42. package/scripts/audit-learning-promotion.mjs +351 -0
  43. package/scripts/audit-learning-system.mjs +24 -14
  44. package/scripts/audit-local-final-form-completion.mjs +11 -10
  45. package/scripts/audit-maintenance-cadence.mjs +139 -0
  46. package/scripts/audit-maintenance-snapshot.mjs +181 -0
  47. package/scripts/audit-npm-package-metadata.mjs +8 -2
  48. package/scripts/audit-npm-publish-dry-run.mjs +10 -4
  49. package/scripts/audit-npm-tarball-install.mjs +9 -3
  50. package/scripts/audit-owner-external-gate-kit.mjs +12 -11
  51. package/scripts/audit-project-guards.mjs +189 -0
  52. package/scripts/audit-project.mjs +14 -11
  53. package/scripts/audit-public-acceptance-handoff.mjs +10 -10
  54. package/scripts/audit-public-acceptance-readiness.mjs +6 -6
  55. package/scripts/audit-public-release-checklist.mjs +17 -15
  56. package/scripts/audit-release-bundle.mjs +13 -11
  57. package/scripts/audit-release-owner-action-plan-drill.mjs +5 -4
  58. package/scripts/audit-release-owner-action-plan.mjs +10 -10
  59. package/scripts/audit-release-status-manifest.mjs +4 -4
  60. package/scripts/audit-roadmap-consistency.mjs +11 -7
  61. package/scripts/audit-role-dispatch-fallback.mjs +212 -0
  62. package/scripts/audit-session-sync.mjs +127 -0
  63. package/scripts/audit-state-freshness.mjs +6 -5
  64. package/scripts/audit-state-repair.mjs +360 -0
  65. package/scripts/audit-target-hardening-drills.mjs +267 -0
  66. package/scripts/audit-tool-fallback-policy.mjs +180 -0
  67. package/scripts/audit-ui-browser-evidence-policy.mjs +191 -0
  68. package/scripts/audit-validation-profiles.mjs +6 -4
  69. package/scripts/backfill-evidence-levels.mjs +98 -0
  70. package/scripts/check-encoding.mjs +72 -0
  71. package/scripts/generate-continue-packet.mjs +1214 -0
  72. package/scripts/generate-final-acceptance-packet.mjs +23 -8
  73. package/scripts/generate-final-form-progress-report.mjs +25 -23
  74. package/scripts/generate-host-runtime-evidence-handoff.mjs +23 -16
  75. package/scripts/generate-maintenance-snapshot.mjs +216 -0
  76. package/scripts/generate-public-acceptance-handoff.mjs +26 -14
  77. package/scripts/generate-release-owner-action-plan.mjs +4 -3
  78. package/scripts/generate-release-status-manifest.mjs +4 -3
  79. package/scripts/init-project.mjs +144 -63
  80. package/scripts/record-learning.mjs +37 -8
  81. package/scripts/record-session-sync.mjs +87 -0
  82. package/scripts/run-gse-command.mjs +79 -47
  83. package/scripts/run-validation-profile.mjs +24 -5
  84. package/scripts/validate-gse.mjs +216 -0
@@ -0,0 +1,181 @@
1
+ #!/usr/bin/env node
2
+ import fs from 'node:fs'
3
+ import os from 'node:os'
4
+ import path from 'node:path'
5
+ import { spawnSync } from 'node:child_process'
6
+
7
+ const args = process.argv.slice(2)
8
+
9
+ function readArg(name, fallback = null) {
10
+ const index = args.indexOf(name)
11
+ if (index === -1) return fallback
12
+ return args[index + 1] ?? fallback
13
+ }
14
+
15
+ const root = path.resolve(readArg('--root', path.join(import.meta.dirname, '..')))
16
+ const jsonOnly = args.includes('--json')
17
+
18
+ function read(relativePath) {
19
+ const fullPath = path.join(root, relativePath)
20
+ return fs.existsSync(fullPath) ? fs.readFileSync(fullPath, 'utf8').replace(/^\uFEFF/, '') : ''
21
+ }
22
+
23
+ function exists(relativePath) {
24
+ return fs.existsSync(path.join(root, relativePath))
25
+ }
26
+
27
+ function run(script, commandArgs) {
28
+ const result = spawnSync(process.execPath, [path.join(root, 'scripts', script), ...commandArgs], {
29
+ cwd: root,
30
+ encoding: 'utf8',
31
+ windowsHide: true,
32
+ })
33
+ const stdout = (result.stdout ?? '').trim()
34
+ let data = null
35
+ try {
36
+ data = JSON.parse(stdout)
37
+ } catch {
38
+ data = null
39
+ }
40
+ return {
41
+ command: [process.execPath, path.join(root, 'scripts', script), ...commandArgs].join(' '),
42
+ status: result.status ?? 1,
43
+ ok: (result.status ?? 1) === 0 || data?.summary?.failed === 0,
44
+ data,
45
+ stderr: (result.stderr ?? '').trim(),
46
+ }
47
+ }
48
+
49
+ function check(id, label, ok, evidence, risk = '') {
50
+ return { id, label, status: ok ? 'passed' : 'failed', evidence, risk }
51
+ }
52
+
53
+ const skill = read('SKILL.md')
54
+ const maintenanceRef = read('references/maintenance-cadence.md')
55
+ const commandRunner = read('scripts/run-gse-command.mjs')
56
+ const validationProfile = read('scripts/run-validation-profile.mjs')
57
+ const validator = read('scripts/validate-gse.mjs')
58
+ const snapshotScript = read('scripts/generate-maintenance-snapshot.mjs')
59
+ const canonicalSnapshotPath = path.join(root, '.gse', 'maintenance', 'latest-maintenance-snapshot.json')
60
+ let canonicalSnapshot = null
61
+ try {
62
+ canonicalSnapshot = fs.existsSync(canonicalSnapshotPath)
63
+ ? JSON.parse(fs.readFileSync(canonicalSnapshotPath, 'utf8').replace(/^\uFEFF/, ''))
64
+ : null
65
+ } catch {
66
+ canonicalSnapshot = null
67
+ }
68
+
69
+ const dryRun = run('generate-maintenance-snapshot.mjs', ['--root', root, '--target', root, '--skip-release-bundle', '--json'])
70
+ const packageSmokeRun = run('generate-maintenance-snapshot.mjs', ['--root', root, '--target', root, '--package-smoke', '--skip-release-bundle', '--json'])
71
+ const tempOut = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'gse-maintenance-snapshot-')), 'snapshot.json')
72
+ const writeRun = run('generate-maintenance-snapshot.mjs', ['--root', root, '--target', root, '--skip-release-bundle', '--out', tempOut, '--execute', '--json'])
73
+ const writtenSnapshot = fs.existsSync(tempOut)
74
+ ? JSON.parse(fs.readFileSync(tempOut, 'utf8').replace(/^\uFEFF/, ''))
75
+ : null
76
+
77
+ function runCanonicalFailureFixture() {
78
+ const fixtureRoot = fs.mkdtempSync(path.join(os.tmpdir(), 'gse-maintenance-canonical-failure-'))
79
+ const fixtureScripts = path.join(fixtureRoot, 'scripts')
80
+ const fixtureMaintenance = path.join(fixtureRoot, '.gse', 'maintenance')
81
+ fs.mkdirSync(fixtureScripts, { recursive: true })
82
+ fs.mkdirSync(fixtureMaintenance, { recursive: true })
83
+ fs.copyFileSync(path.join(root, 'scripts', 'generate-maintenance-snapshot.mjs'), path.join(fixtureScripts, 'generate-maintenance-snapshot.mjs'))
84
+ fs.writeFileSync(path.join(fixtureScripts, 'audit-maintenance-cadence.mjs'), [
85
+ '#!/usr/bin/env node',
86
+ 'console.log(JSON.stringify({ summary: { status: "failed", passed: 0, failed: 1, total: 1 } }))',
87
+ 'process.exit(1)',
88
+ '',
89
+ ].join('\n'), 'utf8')
90
+ const canonicalPath = path.join(fixtureMaintenance, 'latest-maintenance-snapshot.json')
91
+ const failedPath = path.join(fixtureMaintenance, 'latest-maintenance-snapshot.failed.json')
92
+ const previousCanonical = {
93
+ schemaVersion: 1,
94
+ summary: { status: 'passed' },
95
+ fixtureMarker: 'previous-passing-snapshot',
96
+ }
97
+ fs.writeFileSync(canonicalPath, JSON.stringify(previousCanonical, null, 2) + '\n', 'utf8')
98
+ const result = spawnSync(process.execPath, [
99
+ path.join(fixtureScripts, 'generate-maintenance-snapshot.mjs'),
100
+ '--root',
101
+ fixtureRoot,
102
+ '--target',
103
+ fixtureRoot,
104
+ '--execute',
105
+ '--json',
106
+ ], {
107
+ cwd: fixtureRoot,
108
+ encoding: 'utf8',
109
+ windowsHide: true,
110
+ })
111
+ let canonicalAfter = null
112
+ let failedSnapshot = null
113
+ let stdout = null
114
+ try {
115
+ canonicalAfter = JSON.parse(fs.readFileSync(canonicalPath, 'utf8').replace(/^\uFEFF/, ''))
116
+ } catch {
117
+ canonicalAfter = null
118
+ }
119
+ try {
120
+ failedSnapshot = JSON.parse(fs.readFileSync(failedPath, 'utf8').replace(/^\uFEFF/, ''))
121
+ } catch {
122
+ failedSnapshot = null
123
+ }
124
+ try {
125
+ stdout = JSON.parse((result.stdout ?? '').trim())
126
+ } catch {
127
+ stdout = null
128
+ }
129
+ return {
130
+ command: [process.execPath, path.join(fixtureScripts, 'generate-maintenance-snapshot.mjs'), '--root', fixtureRoot, '--target', fixtureRoot, '--execute', '--json'].join(' '),
131
+ status: result.status ?? 1,
132
+ canonicalPreserved: canonicalAfter?.fixtureMarker === previousCanonical.fixtureMarker && canonicalAfter?.summary?.status === 'passed',
133
+ failedWritten: failedSnapshot?.summary?.status === 'failed' && failedSnapshot?.canonicalWritePolicy === 'failed-canonical-write-isolated',
134
+ stdoutPolicy: stdout?.canonicalWritePolicy === 'failed-canonical-write-isolated',
135
+ stderr: (result.stderr ?? '').trim(),
136
+ }
137
+ }
138
+
139
+ const canonicalFailureFixture = runCanonicalFailureFixture()
140
+
141
+ const requiredIds = ['MS01', 'MS02', 'MS03', 'MS04', 'MS05', 'MS06', 'MS07', 'MS08', 'MS09']
142
+ const checks = [
143
+ check('MSS01', 'maintenance snapshot generator exists', exists('scripts/generate-maintenance-snapshot.mjs'), 'scripts/generate-maintenance-snapshot.mjs'),
144
+ check('MSS02', 'snapshot generator runs read-only dry-run', dryRun.ok && dryRun.data?.summary?.status === 'passed', dryRun.command, dryRun.stderr),
145
+ check('MSS03', 'snapshot covers recurring final-form check set', requiredIds.every((id) => dryRun.data?.results?.some((item) => item.id === id)), requiredIds.join(', ')),
146
+ check('MSS04', 'snapshot write is execute-gated and writes JSON/Markdown', writeRun.ok && fs.existsSync(tempOut) && fs.existsSync(tempOut.replace(/\.json$/i, '.md')), tempOut),
147
+ check('MSS05', 'written snapshot has machine-readable result summaries', writtenSnapshot?.results?.every((item) => item.id && item.area && item.status && item.command), 'snapshot results'),
148
+ check('MSS06', 'SKILL routes maintenance snapshot helper', skill.includes('generate-maintenance-snapshot.mjs') && skill.includes('audit-maintenance-snapshot.mjs'), 'SKILL.md'),
149
+ check('MSS07', 'maintenance reference documents snapshot command', maintenanceRef.includes('generate-maintenance-snapshot.mjs') && maintenanceRef.includes('latest-maintenance-snapshot.json'), 'references/maintenance-cadence.md'),
150
+ check('MSS08', 'portable /gse maintenance route uses snapshot generator', commandRunner.includes('generate-maintenance-snapshot.mjs') && commandRunner.includes('snapshot'), 'scripts/run-gse-command.mjs'),
151
+ check('MSS09', 'validation profile includes maintenance snapshot audit', validationProfile.includes('audit-maintenance-snapshot.mjs'), 'scripts/run-validation-profile.mjs'),
152
+ check('MSS10', 'consolidated validator includes maintenance snapshot audit', validator.includes('audit-maintenance-snapshot.mjs'), 'scripts/validate-gse.mjs'),
153
+ check('MSS11', 'canonical snapshot is present when recorded', canonicalSnapshot ? canonicalSnapshot.summary?.status === 'passed' : true, canonicalSnapshotPath),
154
+ check('MSS12', 'snapshot preserves host-native slash-command boundary', snapshotScript.includes('does not prove native host slash-command support'), 'scripts/generate-maintenance-snapshot.mjs'),
155
+ check('MSS13', 'snapshot supports installed package smoke mode', packageSmokeRun.ok && packageSmokeRun.data?.summary?.packageSmoke === true && !packageSmokeRun.data?.results?.some((item) => item.id === 'MS02'), packageSmokeRun.command, packageSmokeRun.stderr),
156
+ check('MSS14', 'failed canonical maintenance snapshot writes are isolated from the last passing latest snapshot', canonicalFailureFixture.status !== 0 && canonicalFailureFixture.canonicalPreserved && canonicalFailureFixture.failedWritten && canonicalFailureFixture.stdoutPolicy, canonicalFailureFixture.command, canonicalFailureFixture.stderr),
157
+ check('MSS15', 'snapshot documents canonical failure isolation policy', snapshotScript.includes('failed checks are written to latest-maintenance-snapshot.failed.json'), 'scripts/generate-maintenance-snapshot.mjs'),
158
+ ]
159
+
160
+ const passed = checks.filter((item) => item.status === 'passed').length
161
+ const failed = checks.length - passed
162
+ const report = {
163
+ root,
164
+ generatedAt: new Date().toISOString(),
165
+ summary: { status: failed === 0 ? 'passed' : 'failed', passed, failed, total: checks.length },
166
+ workflows: {
167
+ maintenanceSnapshot: failed === 0 ? 'verified' : 'failed',
168
+ dryRunStatus: dryRun.data?.summary?.status ?? 'unknown',
169
+ writeStatus: writeRun.data?.summary?.status ?? 'unknown',
170
+ },
171
+ limits: [
172
+ 'This audit verifies snapshot mechanics and routing.',
173
+ 'It does not prove a native host slash command or replace installed-root sync evidence.',
174
+ ],
175
+ checks,
176
+ }
177
+
178
+ if (jsonOnly) console.log(JSON.stringify(report, null, 2))
179
+ else console.log(JSON.stringify(report, null, 2))
180
+
181
+ if (failed > 0) process.exit(1)
@@ -60,7 +60,13 @@ const packRun = process.platform === 'win32'
60
60
  : run('npm', ['pack', '--dry-run', '--json'])
61
61
  const packData = parseJson(packRun.stdout)
62
62
  const packFiles = new Set((Array.isArray(packData) ? packData[0]?.files : []).map((item) => item.path))
63
- const packageFiles = new Set(pkg?.files ?? [])
63
+ const packageFiles = new Set(pkg?.files ?? [])
64
+ const repositoryUrl = typeof pkg?.repository === 'string' ? pkg.repository : pkg?.repository?.url
65
+ const expectedRepositoryUrls = new Set([
66
+ 'git+https://github.com/275005746/gse.git',
67
+ 'https://github.com/275005746/gse.git',
68
+ 'https://github.com/275005746/gse',
69
+ ])
64
70
  const requiredPackageFiles = [
65
71
  'SKILL.md',
66
72
  'README.md',
@@ -92,7 +98,7 @@ const checks = [
92
98
  check('NPM06', 'files whitelist includes core skill content', requiredFilesWhitelist.every((item) => packageFiles.has(item)), requiredFilesWhitelist.join(', ')),
93
99
  check('NPM07', 'npm pack dry-run succeeds', packRun.status === 0 && Array.isArray(packData) && packData.length === 1, packRun.command, packRun.stderr),
94
100
  check('NPM08', 'npm pack dry-run includes required runtime files', requiredPackageFiles.every((item) => packFiles.has(item)), requiredPackageFiles.filter((item) => !packFiles.has(item)).join(', ') || 'all required files present'),
95
- check('NPM09', 'npm package metadata does not claim registry publication', !pkg?.publishConfig && !pkg?.repository, 'no publishConfig or repository claim until public repo/channel evidence exists'),
101
+ check('NPM09', 'npm package metadata points at the public GSE repository without publishConfig overrides', !pkg?.publishConfig && expectedRepositoryUrls.has(repositoryUrl), 'repository=' + (repositoryUrl ?? 'missing') + ', publishConfig=' + (pkg?.publishConfig ? 'present' : 'absent')),
96
102
  ]
97
103
 
98
104
  const passed = checks.filter((item) => item.status === 'passed').length
@@ -56,8 +56,14 @@ function check(id, label, ok, evidence, risk = '') {
56
56
  return { id, label, status: ok ? 'passed' : 'failed', evidence, risk }
57
57
  }
58
58
 
59
- const pkg = readJson('package.json')
60
- const publishRun = npm(['publish', '--dry-run', '--json'])
59
+ const pkg = readJson('package.json')
60
+ const repositoryUrl = typeof pkg?.repository === 'string' ? pkg.repository : pkg?.repository?.url
61
+ const expectedRepositoryUrls = new Set([
62
+ 'git+https://github.com/275005746/gse.git',
63
+ 'https://github.com/275005746/gse.git',
64
+ 'https://github.com/275005746/gse',
65
+ ])
66
+ const publishRun = npm(['publish', '--dry-run', '--json'])
61
67
  const publishData = parseJson(publishRun.stdout)
62
68
  const usablePublishData = publishData?.name && publishData?.version ? publishData : null
63
69
  const alreadyPublished = publishRun.status !== 0 && /previously published versions/i.test(publishRun.stderr)
@@ -123,8 +129,8 @@ const checks = [
123
129
  check('NPD04', 'publish package includes required runtime files', packRun.status === 0 && requiredPublishFiles.every((item) => publishFiles.has(item)), requiredPublishFiles.filter((item) => !publishFiles.has(item)).join(', ') || 'all required publish files present'),
124
130
  check('NPD05', 'publish or registry metadata reports tarball integrity fields', typeof effectiveData?.shasum === 'string' && typeof effectiveData?.integrity === 'string' && effectiveData.integrity.startsWith('sha512-'), 'shasum and integrity'),
125
131
  check('NPD06', 'publish dry-run does not auto-correct or remove package metadata', unexpectedWarningLines.length === 0, unexpectedWarningLines.join(' | ') || 'no harmful npm warnings'),
126
- check('NPD07', 'package still does not claim actual registry publication', !pkg?.publishConfig && !pkg?.repository, 'no publishConfig or repository claim until public repo/channel evidence exists'),
127
- ]
132
+ check('NPD07', 'package metadata points at the public GSE repository without publishConfig overrides', !pkg?.publishConfig && expectedRepositoryUrls.has(repositoryUrl), 'repository=' + (repositoryUrl ?? 'missing') + ', publishConfig=' + (pkg?.publishConfig ? 'present' : 'absent')),
133
+ ]
128
134
 
129
135
  const passed = checks.filter((item) => item.status === 'passed').length
130
136
  const failed = checks.length - passed
@@ -78,8 +78,14 @@ const tarballPath = packItem?.filename ? path.join(tempRoot, packItem.filename)
78
78
  const installRun = tarballPath
79
79
  ? npm(['install', tarballPath, '--ignore-scripts', '--no-audit', '--no-fund'], consumerRoot)
80
80
  : { command: 'npm install skipped; tarball not created', cwd: consumerRoot, status: 1, stdout: '', stderr: 'tarball not created' }
81
- const installedRoot = path.join(consumerRoot, 'node_modules', '@t275005746', 'gse')
82
- const installedPkg = safeReadJson(path.join(installedRoot, 'package.json'))
81
+ const installedRoot = path.join(consumerRoot, 'node_modules', '@t275005746', 'gse')
82
+ const installedPkg = safeReadJson(path.join(installedRoot, 'package.json'))
83
+ const repositoryUrl = typeof installedPkg?.repository === 'string' ? installedPkg.repository : installedPkg?.repository?.url
84
+ const expectedRepositoryUrls = new Set([
85
+ 'git+https://github.com/275005746/gse.git',
86
+ 'https://github.com/275005746/gse.git',
87
+ 'https://github.com/275005746/gse',
88
+ ])
83
89
  const binPath = process.platform === 'win32'
84
90
  ? path.join(consumerRoot, 'node_modules', '.bin', 'gse.cmd')
85
91
  : path.join(consumerRoot, 'node_modules', '.bin', 'gse')
@@ -115,7 +121,7 @@ const checks = [
115
121
  check('NTI05', 'installed package exposes gse bin shim', exists(binPath), binPath),
116
122
  check('NTI06', 'installed gse bin runs status command', binRun.status === 0 && binData?.command === '/gse status' && binData?.project?.stateValid === true, binRun.command, binRun.stderr),
117
123
  check('NTI07', 'installed README audit passes', readmeAudit.status === 0 && readmeData?.summary?.failed === 0, readmeAudit.command, readmeAudit.stderr),
118
- check('NTI08', 'package metadata does not claim public registry publication', !installedPkg?.publishConfig && !installedPkg?.repository, 'no publishConfig or repository claim'),
124
+ check('NTI08', 'installed package metadata points at the public GSE repository without publishConfig overrides', !installedPkg?.publishConfig && expectedRepositoryUrls.has(repositoryUrl), 'repository=' + (repositoryUrl ?? 'missing') + ', publishConfig=' + (installedPkg?.publishConfig ? 'present' : 'absent')),
119
125
  ]
120
126
 
121
127
  const passed = checks.filter((item) => item.status === 'passed').length
@@ -120,10 +120,11 @@ const skill = read('SKILL.md')
120
120
  const validate = read('scripts/validate-gse.mjs')
121
121
  const bundleGenerator = read('scripts/generate-release-bundle.mjs')
122
122
  const bundleAudit = read('scripts/audit-release-bundle.mjs')
123
- const expectedAreas = (manifest?.gates ?? []).map((gate) => gate.area)
124
- const expectedScripts = [...new Set((manifest?.gates ?? [])
125
- .map((gate) => String(gate.recordCommand ?? '').match(/node scripts\/([^ ]+)/)?.[1] ?? '')
126
- .filter(Boolean))]
123
+ const expectedAreas = (manifest?.gates ?? []).map((gate) => gate.area)
124
+ const hasPendingGates = expectedAreas.length > 0
125
+ const expectedScripts = [...new Set((manifest?.gates ?? [])
126
+ .map((gate) => String(gate.recordCommand ?? '').match(/node scripts\/([^ ]+)/)?.[1] ?? '')
127
+ .filter(Boolean))]
127
128
  const kitRecordTemplatesAreComplete = !commands.includes('--invocation-status') &&
128
129
  !finalPacket.includes('--invocation-status') &&
129
130
  !publicHandoff.includes('--invocation-status') &&
@@ -138,7 +139,7 @@ const kitRecordTemplatesAreComplete = !commands.includes('--invocation-status')
138
139
  !/record-[a-z-]+\.mjs[^\n`]*[<>]/.test(publicHandoff) &&
139
140
  !/record-[a-z-]+\.mjs[^\n`]*[<>]/.test(releaseOwnerActionPlan) &&
140
141
  !/record-[a-z-]+\.mjs[^\n`]*[<>]/.test(hostHandoff) &&
141
- commands.includes('--status accepted')
142
+ (hasPendingGates ? commands.includes('--status accepted') : manifest?.publicAccepted === 'verified')
142
143
  const kitVerificationCommandsAreShellSafe = !/(audit-[a-z-]+|validate-gse|generate-release-status-manifest)\.mjs[^\n`]*[<>]/.test(verificationCommands) &&
143
144
  !/(audit-[a-z-]+|validate-gse)\.mjs[^\n`]*[<>]/.test(releaseStatusManifest) &&
144
145
  !/(audit-[a-z-]+|validate-gse|generate-release-status-manifest)\.mjs[^\n`]*[<>]/.test(releaseOwnerActionPlan) &&
@@ -148,22 +149,22 @@ const checks = [
148
149
  check('OEG01', 'owner/external gate kit generator exists', exists('scripts/generate-owner-external-gate-kit.mjs'), 'scripts/generate-owner-external-gate-kit.mjs'),
149
150
  check('OEG02', 'generator produces the kit directory', generated?.status === 0 && generatedData?.status === 'written', generated?.stderr || out),
150
151
  check('OEG03', 'kit includes required files', requiredKitFilesPresent, requiredKitFiles.join(', ')),
151
- check('OEG04', 'machine-readable pending gates cover current final owner/external gates', expectedAreas.length > 0 && expectedAreas.every((area) => manifest?.gates?.some((gate) => gate.area === area)) && !manifest?.gates?.some((gate) => gate.area === 'License decision'), expectedAreas.join(', ') + '; License decision resolved'),
152
- check('OEG05', 'record commands map to real scripts', expectedScripts.length > 0 && expectedScripts.every((script) => commands.includes(script)) && !commands.includes('proves-public-registry-publication') && (!commands.includes('record-public-channel-publication.mjs') || commands.includes('--proves-registry-publication true') || commands.includes('--proves-marketplace-approval true')), expectedScripts.join(', ')),
153
- check('OEG05b', 'record commands include dry-run preflight commands for accepted evidence', commands.includes('Preflight command') && commands.includes('--dry-run --json'), 'record-commands.md'),
152
+ check('OEG04', 'machine-readable pending gates cover current final owner/external gates', (hasPendingGates ? expectedAreas.every((area) => manifest?.gates?.some((gate) => gate.area === area)) : manifest?.pendingGateCount === 0 && manifest?.publicAccepted === 'verified') && !manifest?.gates?.some((gate) => gate.area === 'License decision'), hasPendingGates ? expectedAreas.join(', ') + '; License decision resolved' : '0 pending gates; publicAccepted verified; License decision resolved'),
153
+ check('OEG05', 'record commands map to real scripts', hasPendingGates ? (expectedScripts.length > 0 && expectedScripts.every((script) => commands.includes(script)) && !commands.includes('proves-public-registry-publication') && (!commands.includes('record-public-channel-publication.mjs') || commands.includes('--proves-registry-publication true') || commands.includes('--proves-marketplace-approval true'))) : commands.includes('GSE Owner / External Gate Record Commands'), expectedScripts.join(', ')),
154
+ check('OEG05b', 'record commands include dry-run preflight commands for accepted evidence', hasPendingGates ? (commands.includes('Preflight command') && commands.includes('--dry-run --json')) : !commands.includes('Preflight command'), 'record-commands.md'),
154
155
  check('OEG05c', 'kit uses complete record command templates', kitRecordTemplatesAreComplete, 'no ellipsis, no stale host invocation flag, host records use --status accepted'),
155
156
  check('OEG06', 'kit preserves anti-overclaim boundaries', readme.includes('does not choose a license') && readme.includes('Do not claim native slash-command support') && verificationCommands.includes('Local fixture drills, pointer adapters, and generated handoff files do not count as external acceptance'), 'README.md, verification-commands.md'),
156
157
  check('OEG07', 'kit verification commands include portable probe, final readiness, preflight drill, and close gate', verificationCommands.includes('run-gse-command.mjs') && verificationCommands.includes('/gse probe') && !verificationCommands.includes('node scripts/probe-public-external-gates.mjs') && verificationCommands.includes('audit-final-readiness.mjs') && verificationCommands.includes('audit-public-acceptance-readiness.mjs') && verificationCommands.includes('audit-public-acceptance-command-dry-run-drill.mjs') && verificationCommands.includes('audit-close-gate.mjs'), 'verification-commands.md'),
157
- check('OEG08', 'kit contains fresh final acceptance, public handoff, host handoff, manifest, and owner action plan', finalPacket.includes('GSE Final Acceptance Packet') && publicHandoff.includes('GSE Public Acceptance Handoff') && hostHandoff.includes('GSE Host Runtime Evidence Handoff') && releaseStatusManifest.includes('"publicAccepted": "not-accepted"') && releaseOwnerActionPlan.includes('GSE Release Owner Action Plan'), 'generated kit artifacts'),
158
+ check('OEG08', 'kit contains fresh final acceptance, public handoff, host handoff, manifest, and owner action plan', finalPacket.includes('GSE Final Acceptance Packet') && publicHandoff.includes('GSE Public Acceptance Handoff') && hostHandoff.includes('GSE Host Runtime Evidence Handoff') && releaseStatusManifest.includes('"publicAccepted": "' + (manifest?.publicAccepted ?? 'unknown') + '"') && releaseOwnerActionPlan.includes('GSE Release Owner Action Plan'), 'generated kit artifacts'),
158
159
  check('OEG09', 'kit manifest marks generated handoff artifacts as fresh', manifest?.generatedFresh?.finalAcceptancePacket === true && manifest?.generatedFresh?.publicAcceptanceHandoff === true && manifest?.generatedFresh?.hostRuntimeEvidenceHandoff === true && manifest?.generatedFresh?.releaseStatusManifest === true && manifest?.generatedFresh?.releaseOwnerActionPlan === true, 'kit-manifest.json'),
159
- check('OEG09b', 'kit manifest carries preflight commands for every pending gate', (manifest?.gates?.length ?? 0) > 0 && manifest.gates.every((gate) => gate.preflightCommand?.includes('--dry-run --json')), 'kit-manifest.json'),
160
+ check('OEG09b', 'kit manifest carries preflight commands for every pending gate', hasPendingGates ? manifest.gates.every((gate) => gate.preflightCommand?.includes('--dry-run --json')) : manifest?.pendingGateCount === 0, 'kit-manifest.json'),
160
161
  check('OEG10', 'skill routes users to the owner/external gate kit', skill.includes('generate-owner-external-gate-kit.mjs') && skill.includes('audit-owner-external-gate-kit.mjs'), 'SKILL.md'),
161
162
  check('OEG11', 'validator includes owner/external gate kit audit', validate.includes('audit-owner-external-gate-kit.mjs'), 'scripts/validate-gse.mjs'),
162
163
  check('OEG12', 'release bundle includes owner/external gate kit', bundleGenerator.includes('generate-owner-external-gate-kit.mjs') && bundleAudit.includes('owner-external-gate-kit'), 'release bundle generator/audit'),
163
164
  check('OEG13', 'kit verification commands use shell-safe placeholders', kitVerificationCommandsAreShellSafe, 'verification commands use __GSE__ instead of <gse>'),
164
165
  check('OEG14', 'canonical owner/external gate kit exists', canonicalRequiredKitFilesPresent, '.gse/acceptance/owner-external-gate-kit/'),
165
166
  check('OEG15', 'canonical owner/external gate kit matches current generated gate snapshot', canonicalManifest?.publicAccepted === manifest?.publicAccepted && canonicalManifest?.pendingGateCount === manifest?.pendingGateCount && sameJson(stableGateSnapshot(canonicalManifest), stableGateSnapshot(manifest)), '.gse/acceptance/owner-external-gate-kit/kit-manifest.json'),
166
- check('OEG16', 'canonical owner/external gate kit preserves current handoff commands and boundaries', canonicalReadme.includes('GSE Owner / External Gate Kit') && canonicalActionPacket.includes('Public accepted: ' + (manifest?.publicAccepted ?? 'unknown')) && canonicalCommands.includes('--dry-run --json') && canonicalCommands.includes('--status accepted') && canonicalVerificationCommands.includes('run-gse-command.mjs') && canonicalVerificationCommands.includes('/gse probe') && !canonicalVerificationCommands.includes('node scripts/probe-public-external-gates.mjs') && canonicalVerificationCommands.includes('audit-public-acceptance-command-dry-run-drill.mjs') && canonicalVerificationCommands.includes('__GSE__'), '.gse/acceptance/owner-external-gate-kit/'),
167
+ check('OEG16', 'canonical owner/external gate kit preserves current handoff commands and boundaries', canonicalReadme.includes('GSE Owner / External Gate Kit') && canonicalActionPacket.includes('Public accepted: ' + (manifest?.publicAccepted ?? 'unknown')) && (hasPendingGates ? (canonicalCommands.includes('--dry-run --json') && canonicalCommands.includes('--status accepted')) : !canonicalCommands.includes('Preflight command')) && canonicalVerificationCommands.includes('run-gse-command.mjs') && canonicalVerificationCommands.includes('/gse probe') && !canonicalVerificationCommands.includes('node scripts/probe-public-external-gates.mjs') && canonicalVerificationCommands.includes('audit-public-acceptance-command-dry-run-drill.mjs') && canonicalVerificationCommands.includes('__GSE__'), '.gse/acceptance/owner-external-gate-kit/'),
167
168
  ]
168
169
 
169
170
  const passed = checks.filter((item) => item.status === 'passed').length
@@ -0,0 +1,189 @@
1
+ #!/usr/bin/env node
2
+ import fs from 'node:fs'
3
+ import os from 'node:os'
4
+ import path from 'node:path'
5
+ import { fileURLToPath } from 'node:url'
6
+ import { spawnSync } from 'node:child_process'
7
+
8
+ const args = process.argv.slice(2)
9
+
10
+ function readArg(name, fallback = null) {
11
+ const index = args.indexOf(name)
12
+ if (index === -1) return fallback
13
+ return args[index + 1] ?? fallback
14
+ }
15
+
16
+ const root = path.resolve(readArg('--root', path.join(import.meta.dirname, '..')))
17
+ const targetArg = readArg('--target')
18
+ const jsonOnly = args.includes('--json')
19
+
20
+ function readText(filePath) {
21
+ return fs.existsSync(filePath) ? fs.readFileSync(filePath, 'utf8').replace(/^\uFEFF/, '') : ''
22
+ }
23
+
24
+ function parseGuardTable(text) {
25
+ const rows = []
26
+ for (const line of text.split(/\r?\n/)) {
27
+ const trimmed = line.trim()
28
+ if (!trimmed.startsWith('|')) continue
29
+ if (/^\|\s*-+/.test(trimmed)) continue
30
+ if (/^\|\s*ID\s*\|/i.test(trimmed)) continue
31
+ const cells = trimmed
32
+ .slice(1, trimmed.endsWith('|') ? -1 : undefined)
33
+ .split('|')
34
+ .map((cell) => cell.trim())
35
+ if (cells.length < 6) continue
36
+ rows.push({
37
+ id: cells[0],
38
+ guard: cells[1],
39
+ severity: cells[2],
40
+ trigger: cells[3],
41
+ check: cells[4],
42
+ status: cells[5],
43
+ })
44
+ }
45
+ return rows
46
+ }
47
+
48
+ export function readProjectGuards(target) {
49
+ const filePath = path.join(target, '.gse', 'project-guards.md')
50
+ const exists = fs.existsSync(filePath)
51
+ const text = exists ? readText(filePath) : ''
52
+ const guards = parseGuardTable(text)
53
+ const active = guards.filter((guard) => guard.status.toLowerCase() === 'active')
54
+ const requiredIds = ['WIN-SHELL', 'SPARSE-GIT', 'UTF8-DOC', 'EVIDENCE-STALE', 'UI-EVIDENCE', 'SUBAGENT-HONEST', 'SYNC-NO-INTERRUPT']
55
+ const ids = new Set(guards.map((guard) => guard.id))
56
+ const missingDefaultIds = requiredIds.filter((id) => !ids.has(id))
57
+ const incomplete = guards.filter((guard) =>
58
+ !guard.id ||
59
+ !guard.guard ||
60
+ !guard.severity ||
61
+ !guard.trigger ||
62
+ !guard.check ||
63
+ !guard.status,
64
+ )
65
+ const invalidSeverity = guards.filter((guard) => !['low', 'medium', 'high', 'critical'].includes(guard.severity.toLowerCase()))
66
+ const invalidStatus = guards.filter((guard) => !['active', 'inactive', 'candidate'].includes(guard.status.toLowerCase()))
67
+ const status = !exists
68
+ ? 'warning'
69
+ : guards.length === 0 || incomplete.length > 0 || invalidSeverity.length > 0 || invalidStatus.length > 0
70
+ ? 'failed'
71
+ : missingDefaultIds.length > 0
72
+ ? 'warning'
73
+ : 'passed'
74
+ return {
75
+ path: '.gse/project-guards.md',
76
+ exists,
77
+ status,
78
+ guards,
79
+ active,
80
+ summary: {
81
+ total: guards.length,
82
+ active: active.length,
83
+ missingDefaultIds,
84
+ incomplete: incomplete.map((guard) => guard.id || '(blank)'),
85
+ invalidSeverity: invalidSeverity.map((guard) => guard.id),
86
+ invalidStatus: invalidStatus.map((guard) => guard.id),
87
+ },
88
+ }
89
+ }
90
+
91
+ function run(script, commandArgs) {
92
+ const result = spawnSync(process.execPath, [path.join(root, 'scripts', script), ...commandArgs], {
93
+ cwd: root,
94
+ encoding: 'utf8',
95
+ windowsHide: true,
96
+ })
97
+ return {
98
+ command: [process.execPath, path.join(root, 'scripts', script), ...commandArgs].join(' '),
99
+ status: result.status ?? 1,
100
+ stdout: (result.stdout ?? '').trim(),
101
+ stderr: (result.stderr ?? '').trim(),
102
+ }
103
+ }
104
+
105
+ function check(id, label, ok, evidence, risk = '') {
106
+ return { id, label, status: ok ? 'passed' : 'failed', evidence, risk }
107
+ }
108
+
109
+ function createFixture() {
110
+ const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'gse-project-guards-'))
111
+ const init = run('init-project.mjs', ['--target', dir, '--mode', 'lite', '--json'])
112
+ return { dir, init }
113
+ }
114
+
115
+ function audit(target) {
116
+ const resolvedTarget = path.resolve(target)
117
+ const guardResult = readProjectGuards(resolvedTarget)
118
+ const checks = [
119
+ check('PG01', 'project guard file is present or reported as warning', guardResult.exists || guardResult.status === 'warning', guardResult.exists ? guardResult.path : 'missing guard file warning'),
120
+ check('PG02', 'guard table parses at least one active guard when file exists', !guardResult.exists || guardResult.active.length > 0, `${guardResult.active.length} active guard(s)`),
121
+ check('PG03', 'guard rows have valid severity and status values', guardResult.summary.invalidSeverity.length === 0 && guardResult.summary.invalidStatus.length === 0, 'severity/status vocabulary'),
122
+ check('PG04', 'default guard IDs are present when scaffolded', !guardResult.exists || guardResult.summary.missingDefaultIds.length === 0, guardResult.summary.missingDefaultIds.join(', ') || 'default guards present'),
123
+ check('PG05', 'guard audit keeps missing file as warning instead of hard failure', true, 'missing file policy is warning'),
124
+ ]
125
+ const passed = checks.filter((item) => item.status === 'passed').length
126
+ const failed = checks.length - passed
127
+ return {
128
+ target: resolvedTarget,
129
+ generatedAt: new Date().toISOString(),
130
+ summary: { status: failed === 0 ? guardResult.status : 'failed', passed, failed, total: checks.length },
131
+ workflows: {
132
+ projectGuards: guardResult.status === 'failed' ? 'failed' : 'verified',
133
+ continuePreflightGuardSection: 'available',
134
+ },
135
+ projectGuards: guardResult,
136
+ checks,
137
+ limits: [
138
+ 'Project guards are soft continuation preflight rules in this slice.',
139
+ 'Broken state or evidence index remains the hard /gse continue failure.',
140
+ 'AION and MuseFlow lessons are examples; this audit does not hardcode product-specific behavior.',
141
+ ],
142
+ }
143
+ }
144
+
145
+ function selfTestReport() {
146
+ const fixture = createFixture()
147
+ const fixtureReport = audit(fixture.dir)
148
+ const missingDir = fs.mkdtempSync(path.join(os.tmpdir(), 'gse-project-guards-missing-'))
149
+ fs.mkdirSync(path.join(missingDir, '.gse'), { recursive: true })
150
+ const missingReport = audit(missingDir)
151
+ fs.rmSync(fixture.dir, { recursive: true, force: true })
152
+ fs.rmSync(missingDir, { recursive: true, force: true })
153
+ const checks = [
154
+ check('PGA01', 'init-project creates project guards', fixture.init.status === 0 && fixtureReport.projectGuards.exists, 'scripts/init-project.mjs'),
155
+ check('PGA02', 'default scaffold contains seven active guards', fixtureReport.projectGuards.summary.active === 7, `${fixtureReport.projectGuards.summary.active} active guard(s)`),
156
+ check('PGA03', 'missing guard file is warning, not hard failure', missingReport.projectGuards.status === 'warning', 'missing fixture'),
157
+ check('PGA04', 'default guard set includes real-project lesson categories', ['WIN-SHELL', 'SPARSE-GIT', 'UTF8-DOC', 'EVIDENCE-STALE', 'UI-EVIDENCE', 'SUBAGENT-HONEST', 'SYNC-NO-INTERRUPT'].every((id) => fixtureReport.projectGuards.guards.some((guard) => guard.id === id)), 'default guard IDs'),
158
+ ]
159
+ const passed = checks.filter((item) => item.status === 'passed').length
160
+ const failed = checks.length - passed
161
+ return {
162
+ root,
163
+ generatedAt: new Date().toISOString(),
164
+ summary: { status: failed === 0 ? 'passed' : 'failed', passed, failed, total: checks.length },
165
+ workflows: {
166
+ projectGuards: failed === 0 ? 'verified' : 'failed',
167
+ initProjectGuardScaffold: failed === 0 ? 'verified' : 'failed',
168
+ },
169
+ fixture: {
170
+ scaffoldStatus: fixtureReport.projectGuards.status,
171
+ missingStatus: missingReport.projectGuards.status,
172
+ activeGuards: fixtureReport.projectGuards.active.map((guard) => guard.id),
173
+ },
174
+ checks,
175
+ limits: [
176
+ 'This audit verifies guard scaffold and parsing mechanics.',
177
+ 'It does not prove every project-specific guard has been promoted yet.',
178
+ ],
179
+ }
180
+ }
181
+
182
+ const isCli = process.argv[1] && fileURLToPath(import.meta.url) === path.resolve(process.argv[1])
183
+
184
+ if (isCli) {
185
+ const report = targetArg ? audit(targetArg) : selfTestReport()
186
+ if (jsonOnly) console.log(JSON.stringify(report, null, 2))
187
+ else console.log(JSON.stringify(report, null, 2))
188
+ if (report.summary.status === 'failed') process.exit(1)
189
+ }
@@ -23,10 +23,12 @@ const commonFiles = [
23
23
  '.gse/README.md',
24
24
  '.gse/state.json',
25
25
  '.gse/project-profile.md',
26
- '.gse/goal-map.md',
27
- '.gse/quality-gates.md',
28
- '.gse/tooling.md',
29
- '.gse/learnings.md',
26
+ '.gse/goal-map.md',
27
+ '.gse/quality-gates.md',
28
+ '.gse/project-guards.md',
29
+ '.gse/tooling.md',
30
+ '.gse/host-capabilities.md',
31
+ '.gse/learnings.md',
30
32
  '.gse/evidence/index.jsonl',
31
33
  '.gse/goals/README.md',
32
34
  '.gse/templates/change-brief.md',
@@ -39,12 +41,13 @@ const commonFiles = [
39
41
  ]
40
42
 
41
43
  const standardFiles = [
42
- '.gse/agent-workspace.md',
43
- '.gse/agents/roles.md',
44
- '.gse/agents/dispatch.md',
45
- '.gse/skills/README.md',
46
- '.gse/lsp/README.md',
47
- ]
44
+ '.gse/agent-workspace.md',
45
+ '.gse/agents/roles.md',
46
+ '.gse/agents/dispatch.md',
47
+ '.gse/agents/role-fallback-packets.md',
48
+ '.gse/skills/README.md',
49
+ '.gse/lsp/README.md',
50
+ ]
48
51
 
49
52
  const enterpriseFiles = [
50
53
  '.gse/hooks/README.md',
@@ -184,7 +187,7 @@ function auditMode(mode, tempRoot) {
184
187
  const changedOnRerun = compareSignatures(before, after)
185
188
  const writtenCount = firstJson?.results?.filter((item) => item.status === 'written').length ?? 0
186
189
  const skippedCount = secondJson?.results?.filter((item) => item.status === 'skipped').length ?? 0
187
- const expectedWrites = expectation.files.length
190
+ const expectedWrites = expectation.files.length + 1
188
191
  const ok =
189
192
  firstRun.status === 0 &&
190
193
  secondRun.status === 0 &&
@@ -71,23 +71,23 @@ const hasRegistryGate = requiredGates.includes('Public registry publication')
71
71
  const requiredCommands = [...new Set(currentPendingGates
72
72
  .map((gate) => String(gate.recordCommand ?? '').match(/scripts\/([\w-]+\.mjs)/)?.[1])
73
73
  .filter(Boolean))]
74
- const antiOverclaim = [
75
- 'does not choose a license',
76
- 'does not choose a license, publish a package, configure a repository, approve a marketplace listing, or prove host-native slash-command support',
77
- 'Do not claim public release acceptance',
78
- 'Do not claim native slash-command support',
79
- ]
74
+ const antiOverclaim = [
75
+ 'does not choose a license',
76
+ 'does not choose a license, publish a package, configure a repository, approve a marketplace listing, or prove optional host-native slash-command support',
77
+ 'Do not claim public release acceptance',
78
+ 'Do not claim native slash-command support',
79
+ ]
80
80
 
81
81
  const checks = [
82
82
  check('PAH01', 'public acceptance handoff generator exists', exists('scripts/generate-public-acceptance-handoff.mjs'), 'scripts/generate-public-acceptance-handoff.mjs'),
83
83
  check('PAH02', 'generator is based on the public acceptance doctor', generator.includes('audit-public-acceptance-readiness.mjs') && generator.includes('pendingGates'), 'generator calls doctor and renders pending gates'),
84
84
  check('PAH03', 'generator produces a handoff file', generated?.status === 0 && generatedData?.status === 'written' && handoff.length > 0, generated?.stderr || out),
85
- check('PAH04', 'handoff covers all current final-form gates', requiredGates.length > 0 && requiredGates.every((term) => handoff.includes(term)) && !handoff.includes('### 1. Owner decision - License decision'), requiredGates.join(', ') + '; License decision resolved'),
85
+ check('PAH04', 'handoff covers all current required final-form gates or states none are pending', (requiredGates.length === 0 && handoff.includes('No owner/external gates are pending')) || (requiredGates.length > 0 && requiredGates.every((term) => handoff.includes(term)) && !handoff.includes('### 1. Owner decision - License decision')), requiredGates.join(', ') || 'none'),
86
86
  check('PAH05', 'handoff reuses existing record commands', requiredCommands.every((term) => handoff.includes(term)), requiredCommands.join(', ')),
87
87
  check('PAH05b', 'handoff registry publication command matches real record CLI when pending', !hasRegistryGate || (handoff.includes('--proves-registry-publication true') && !handoff.includes('--proves-public-registry-publication')), hasRegistryGate ? 'record-public-channel-publication.mjs uses --proves-registry-publication' : 'registry publication already verified'),
88
- check('PAH05c', 'handoff includes dry-run preflight commands for accepted records', handoff.includes('Preflight command') && handoff.includes('--dry-run --json'), 'dry-run preflight commands'),
88
+ check('PAH05c', 'handoff includes dry-run preflight commands when accepted records are pending', requiredGates.length === 0 || (handoff.includes('Preflight command') && handoff.includes('--dry-run --json')), 'dry-run preflight commands'),
89
89
  check('PAH06', 'handoff preserves anti-overclaim boundaries', antiOverclaim.every((term) => handoff.includes(term)), antiOverclaim.join(', ')),
90
- check('PAH07', 'handoff preserves current public acceptance boundary', handoff.includes('Public accepted: not-accepted') && generatedData?.summary?.publicAccepted === 'not-accepted', 'publicAccepted not-accepted'),
90
+ check('PAH07', 'handoff preserves current public acceptance boundary', handoff.includes('Public accepted: verified') && generatedData?.summary?.publicAccepted === 'verified', 'publicAccepted verified'),
91
91
  check('PAH08', 'skill routes users to public acceptance handoff', skill.includes('generate-public-acceptance-handoff.mjs'), 'SKILL.md'),
92
92
  check('PAH09', 'consolidated validator includes handoff audit', validate.includes('audit-public-acceptance-handoff.mjs'), 'scripts/validate-gse.mjs'),
93
93
  ]
@@ -104,7 +104,7 @@ const report = {
104
104
  },
105
105
  limits: [
106
106
  'This audit verifies handoff generation and claim boundaries only.',
107
- 'It does not choose a license, publish a package, configure a repository, run public CI, approve a marketplace listing, or prove host-native slash commands.',
107
+ 'It does not choose a license, publish a package, configure a repository, run public CI, approve a marketplace listing, or prove optional host-native slash commands.',
108
108
  ],
109
109
  checks,
110
110
  }