@t275005746/gse 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (84) hide show
  1. package/.gse/state.json +147 -26
  2. package/CHANGELOG.md +19 -3
  3. package/README.md +13 -6
  4. package/README.zh-CN.md +13 -6
  5. package/SKILL.md +32 -12
  6. package/assets/templates/dispatch-packet.md +22 -14
  7. package/assets/templates/evidence.md +11 -5
  8. package/assets/templates/role-fallback-packet.md +49 -0
  9. package/package.json +18 -10
  10. package/references/agent-roles.md +41 -20
  11. package/references/commands.md +74 -45
  12. package/references/drift-audit.md +2 -1
  13. package/references/evidence-taxonomy.md +46 -9
  14. package/references/file-ownership.md +17 -13
  15. package/references/final-form-roadmap.md +201 -0
  16. package/references/final-readiness.md +3 -3
  17. package/references/host-adapters.md +38 -10
  18. package/references/learning-system.md +24 -8
  19. package/references/maintenance-cadence.md +51 -0
  20. package/references/project-guards.md +52 -0
  21. package/references/quality-gates.md +18 -11
  22. package/references/role-dispatch-fallback.md +54 -0
  23. package/references/tool-adapters.md +13 -3
  24. package/scripts/audit-close-gate-hardening.mjs +188 -0
  25. package/scripts/audit-close-gate.mjs +219 -33
  26. package/scripts/audit-command-execution.mjs +30 -17
  27. package/scripts/audit-commands.mjs +7 -5
  28. package/scripts/audit-completion-plan-drill.mjs +230 -0
  29. package/scripts/audit-completion-readiness.mjs +9 -6
  30. package/scripts/audit-continue-preflight.mjs +234 -0
  31. package/scripts/audit-evidence-levels.mjs +217 -0
  32. package/scripts/audit-evidence-review-queue.mjs +206 -0
  33. package/scripts/audit-final-acceptance-packet.mjs +9 -9
  34. package/scripts/audit-final-form-progress-report.mjs +19 -18
  35. package/scripts/audit-final-form-roadmap.mjs +157 -0
  36. package/scripts/audit-final-form-stale-copy.mjs +2 -2
  37. package/scripts/audit-final-readiness.mjs +3 -3
  38. package/scripts/audit-fresh-session-readiness.mjs +1 -1
  39. package/scripts/audit-host-capabilities.mjs +237 -0
  40. package/scripts/audit-installed-sync.mjs +203 -0
  41. package/scripts/audit-learning-drift.mjs +292 -0
  42. package/scripts/audit-learning-promotion.mjs +351 -0
  43. package/scripts/audit-learning-system.mjs +24 -14
  44. package/scripts/audit-local-final-form-completion.mjs +11 -10
  45. package/scripts/audit-maintenance-cadence.mjs +139 -0
  46. package/scripts/audit-maintenance-snapshot.mjs +181 -0
  47. package/scripts/audit-npm-package-metadata.mjs +8 -2
  48. package/scripts/audit-npm-publish-dry-run.mjs +10 -4
  49. package/scripts/audit-npm-tarball-install.mjs +9 -3
  50. package/scripts/audit-owner-external-gate-kit.mjs +12 -11
  51. package/scripts/audit-project-guards.mjs +189 -0
  52. package/scripts/audit-project.mjs +14 -11
  53. package/scripts/audit-public-acceptance-handoff.mjs +10 -10
  54. package/scripts/audit-public-acceptance-readiness.mjs +6 -6
  55. package/scripts/audit-public-release-checklist.mjs +17 -15
  56. package/scripts/audit-release-bundle.mjs +13 -11
  57. package/scripts/audit-release-owner-action-plan-drill.mjs +5 -4
  58. package/scripts/audit-release-owner-action-plan.mjs +10 -10
  59. package/scripts/audit-release-status-manifest.mjs +4 -4
  60. package/scripts/audit-roadmap-consistency.mjs +11 -7
  61. package/scripts/audit-role-dispatch-fallback.mjs +212 -0
  62. package/scripts/audit-session-sync.mjs +127 -0
  63. package/scripts/audit-state-freshness.mjs +6 -5
  64. package/scripts/audit-state-repair.mjs +360 -0
  65. package/scripts/audit-target-hardening-drills.mjs +267 -0
  66. package/scripts/audit-tool-fallback-policy.mjs +180 -0
  67. package/scripts/audit-ui-browser-evidence-policy.mjs +191 -0
  68. package/scripts/audit-validation-profiles.mjs +6 -4
  69. package/scripts/backfill-evidence-levels.mjs +98 -0
  70. package/scripts/check-encoding.mjs +72 -0
  71. package/scripts/generate-continue-packet.mjs +1214 -0
  72. package/scripts/generate-final-acceptance-packet.mjs +23 -8
  73. package/scripts/generate-final-form-progress-report.mjs +25 -23
  74. package/scripts/generate-host-runtime-evidence-handoff.mjs +23 -16
  75. package/scripts/generate-maintenance-snapshot.mjs +216 -0
  76. package/scripts/generate-public-acceptance-handoff.mjs +26 -14
  77. package/scripts/generate-release-owner-action-plan.mjs +4 -3
  78. package/scripts/generate-release-status-manifest.mjs +4 -3
  79. package/scripts/init-project.mjs +144 -63
  80. package/scripts/record-learning.mjs +37 -8
  81. package/scripts/record-session-sync.mjs +87 -0
  82. package/scripts/run-gse-command.mjs +79 -47
  83. package/scripts/run-validation-profile.mjs +24 -5
  84. package/scripts/validate-gse.mjs +216 -0
@@ -2,11 +2,13 @@
2
2
 
3
3
  Use this when a project needs GSE to work across Codex, Claude Code, Hermes/AION-style runtimes, WorkBuddy, Copilot-style agents, Gemini-style agents, or another agent host. Use `references/compatibility.md` to check host support status and adoption evidence before making capability claims.
4
4
 
5
- ## Core Rule
6
-
7
- `.gse/` is the portable source of truth. Host-specific folders are adapters.
8
-
9
- Adapters may expose commands, hooks, skills, MCP servers, indexes, or local UI metadata for one host, but they must point back to `.gse/` for project policy, goals, evidence, quality gates, and learning rules.
5
+ ## Core Rule
6
+
7
+ `.gse/` is the portable source of truth. Host-specific folders are adapters.
8
+
9
+ Adapters may expose commands, hooks, skills, MCP servers, indexes, or local UI metadata for one host, but they must point back to `.gse/` for project policy, goals, evidence, quality gates, and learning rules.
10
+
11
+ Process skills such as OpenSpec, Superpowers, Comet, and GSE can define workflow discipline, specs, roles, evidence, and quality gates. They do not create host-native slash commands, real subagent dispatch, browser automation, MCP servers, LSP indexes, CI runners, or host UI integration. Treat those as host capabilities and verify them through records before claiming support.
10
12
 
11
13
  ## Adapter Decision
12
14
 
@@ -17,7 +19,7 @@ Create or update a host adapter only when at least one condition is true:
17
19
  - A host-specific capability needs a short pointer to `.gse/` to avoid duplicate policy.
18
20
  - A migration is needed from an existing `.claude/`, `.codex/`, `.agents/`, or runtime-specific workflow into `.gse/`.
19
21
 
20
- Do not create host folders just for decoration. If the host capability is unknown, document it as `unknown` in `.gse/project-profile.md` or `.gse/tooling.md`.
22
+ Do not create host folders just for decoration. If the host capability is unknown, document it as `unknown` in `.gse/project-profile.md`, `.gse/tooling.md`, or `.gse/host-capabilities.md`.
21
23
 
22
24
  ## Supported Host Shapes
23
25
 
@@ -75,9 +77,9 @@ node <gse-skill>/scripts/audit-host-runtime-invocation-drill.mjs --root <skill-o
75
77
 
76
78
  The drill writes temporary records for Claude, Codex, Hermes/AION-style, WorkBuddy, and generic hosts, then audits native versus portable evidence counts. It proves the record/audit mechanics only; it does not prove real host runtime support.
77
79
 
78
- Generated adapters are not runtime proof. A host capability becomes verified only when a persistent host invocation record exists and the audit can parse it.
79
-
80
- Minimum fields:
80
+ Generated adapters are not runtime proof. A host capability becomes verified only when a persistent host invocation record exists and the audit can parse it.
81
+
82
+ Minimum fields:
81
83
 
82
84
  - Host name and adapter path.
83
85
  - Source of truth: always `.gse/` unless the project explicitly says otherwise.
@@ -85,7 +87,33 @@ Minimum fields:
85
87
  - Unverified or unavailable capabilities.
86
88
  - How to start meaningful work in this host.
87
89
  - Safety and permissions.
88
- - Drift check owner or cadence.
90
+ - Drift check owner or cadence.
91
+
92
+ ## Host Capability Records
93
+
94
+ Use `.gse/host-capabilities.md` to keep a compact, auditable status table for host-native and tool capabilities:
95
+
96
+ - `native-slash-command`
97
+ - `browser`
98
+ - `mcp`
99
+ - `lsp`
100
+ - `subagent`
101
+ - `ci`
102
+
103
+ Status vocabulary: `verified`, `documented`, `unknown`, `unavailable`, `external-required`.
104
+
105
+ Rules:
106
+
107
+ - `verified` needs concrete project or host evidence.
108
+ - Native slash-command support cannot be verified from portable `run-gse-command.mjs` output.
109
+ - `documented` and `external-required` rows must include a claim boundary.
110
+ - Missing records are a continuation warning for new projects; invalid or overclaimed records fail the host capability audit.
111
+
112
+ Audit command:
113
+
114
+ ```text
115
+ node <gse-skill>/scripts/audit-host-capabilities.mjs --target <project-root> --json
116
+ ```
89
117
 
90
118
  ## Tool Status Rules
91
119
 
@@ -21,15 +21,31 @@ Learnings keep long projects from repeating mistakes.
21
21
 
22
22
  Use `references/drift-audit.md` when a repeated lesson suggests stale docs, stale project-profile facts, stale host adapters, stale tool assumptions, or stale evidence state.
23
23
 
24
- - First occurrence: learning note.
25
- - Second occurrence: checklist or template update.
26
- - Third occurrence: project rule or quality gate.
27
- - Fifth occurrence: script, test, or dedicated skill.
24
+ - First occurrence: learning note.
25
+ - Second occurrence: checklist or template update.
26
+ - Third occurrence: project guard, project rule, or quality gate.
27
+ - Fifth occurrence: script, test, or dedicated skill.
28
+
29
+ Use `scripts/audit-learning-promotion.mjs --target <project-root> --json` to classify and count repeated lessons. The audit is read-only by default. Use `/gse learn --promote --execute` only to write `.gse/learning-promotions.md` candidate output; it does not mutate `.gse/project-guards.md`, `.gse/quality-gates.md`, templates, scripts, or skill files without a deliberate follow-up change.
30
+
31
+ Use `scripts/audit-learning-drift.mjs --root <gse-skill> --target <project-root> --json` after promotion analysis. It checks whether promoted guard or script candidates are covered by project guards, quality gates, `/gse continue`, `/gse close`, or a focused audit script. Uncovered high-severity candidates are surfaced as warnings so the next slice can deliberately promote them.
32
+
33
+ Promotion categories:
34
+
35
+ - `shell`: shell syntax, host command behavior, Windows/Unix command differences.
36
+ - `encoding`: UTF-8, mojibake, localized document handling.
37
+ - `evidence`: JSONL, evidence levels, stale records, close gates.
38
+ - `browser`: browser smoke, Playwright, screenshot, component-test downgrade.
39
+ - `git`: sparse checkout, staging, commit boundaries.
40
+ - `host-tool`: subagents, MCP, LSP, native slash commands, host runtime claims.
41
+ - `project-rule`: canonical plans, AGENTS.md, local project conventions.
42
+ - `release`: CI, registry, marketplace, security contact, release evidence.
28
43
 
29
44
  ## Suggested Stores
30
45
 
31
- - `.gse/learnings.md` for portable project lessons.
32
- - `.learnings/` when the project already uses that convention.
33
- - `AGENTS.md` for durable project rules.
34
- - ADRs for architectural decisions.
46
+ - `.gse/learnings.md` for portable project lessons.
47
+ - `.gse/project-guards.md` for recurring preflight rules promoted from lessons.
48
+ - `.learnings/` when the project already uses that convention.
49
+ - `AGENTS.md` for durable project rules.
50
+ - ADRs for architectural decisions.
35
51
 
@@ -0,0 +1,51 @@
1
+ # GSE Maintenance Cadence
2
+
3
+ GSE final form requires recurring checks, not only one-time release proof. This cadence keeps benchmark coverage, drift detection, security review, forward testing, and target-project drills visible while host-native slash-command evidence remains an external gate.
4
+
5
+ ## Cadence Table
6
+
7
+ | Area | Trigger | Minimum Cadence | Evidence | Command |
8
+ |---|---|---|---|---|
9
+ | Benchmark audit | Non-trivial GSE capability change or new comparable engineering skill | Monthly or before release | `.gse/benchmark-audits/` entry or roadmap update | `node scripts/audit-final-form-roadmap.mjs --root . --json` |
10
+ | Drift audit | Project guard, learning, adapter, command, or state model changes | Weekly or before close | Learning drift and state freshness output | `node scripts/audit-learning-drift.mjs --root . --target . --json` |
11
+ | Dependency and security review | Release, install, package, registry, CI, or external input changes | Monthly or before release | Release trust, CI readiness, and public acceptance outputs | `node scripts/audit-release-trust.mjs --root . --json` |
12
+ | Forward test | Non-trivial routing, command, scaffold, validation, or package change | Before release and after major workflow changes | Fixture or fresh-session forward-test evidence | `node scripts/forward-test-gse.mjs --root . --json` |
13
+ | Target-project hardening drill | GSE adoption, continue, close, host capability, or learning behavior changes | Weekly or before public release | Read-only target drill output | `node scripts/audit-target-hardening-drills.mjs --root . --json` |
14
+ | Public acceptance doctor | Public release, registry, marketplace, host, or owner evidence changes | Before release or public claim | Pending owner/external gate report | `node scripts/audit-public-acceptance-readiness.mjs --root . --json` |
15
+ | Command runner smoke | `/gse` command routing, portable command wrapper, or short-entry behavior changes | Every command-router change | Portable runner output from `scripts/run-gse-command.mjs` | `node scripts/run-gse-command.mjs --root . --target . --command "/gse maintenance" --json --compact` |
16
+ | Installed skill sync | Any capability upgrade shipped from source to installed skill | Every capability upgrade | Installed-copy hash comparison and command smoke from `scripts/audit-installed-sync.mjs` | `node scripts/audit-installed-sync.mjs --root . --installed-root <installed-skill-dir> --json` |
17
+ | Active session sync | Any capability upgrade that should reach active GSE-using sessions | Every capability upgrade when active sessions exist | Honest sent, archived, unavailable, failed, or skipped records from `scripts/record-session-sync.mjs` plus `scripts/audit-session-sync.mjs` | `node scripts/audit-session-sync.mjs --root . --require-installed --require-thread <thread-id> --json` |
18
+
19
+ ## Maintenance Snapshot
20
+
21
+ Use a snapshot when the goal is to prove that the recurring checks actually ran, not only that the cadence is documented.
22
+
23
+ ```powershell
24
+ node scripts/generate-maintenance-snapshot.mjs --root . --target . --installed-root <installed-skill-dir> --execute --json
25
+ ```
26
+
27
+ The canonical output is `.gse/maintenance/latest-maintenance-snapshot.json` plus a Markdown sibling. Without `--installed-root`, the installed-sync row is package-only and must not be used as installed-copy freshness proof.
28
+
29
+ For an installed package smoke, use package mode so source-worktree-only roadmap and release-bundle freshness checks do not become false blockers:
30
+
31
+ ```powershell
32
+ node scripts/generate-maintenance-snapshot.mjs --root <installed-skill-dir> --target <installed-skill-dir> --package-smoke --skip-release-bundle --json
33
+ ```
34
+
35
+ Package smoke proves the installed copy can run the maintenance command set. The source repository remains responsible for canonical roadmap, release bundle, and installed-root freshness evidence.
36
+
37
+ ## Close Rule
38
+
39
+ Maintenance evidence is not a substitute for native host evidence, public CI, marketplace approval, or owner acceptance. It only proves that GSE has a repeatable upkeep loop and that remaining external gates stay visible.
40
+
41
+ Before claiming a maintenance-sensitive slice complete, run:
42
+
43
+ ```powershell
44
+ node scripts/audit-maintenance-cadence.mjs --root . --json
45
+ node scripts/generate-maintenance-snapshot.mjs --root . --target . --installed-root <installed-skill-dir> --execute --json
46
+ node scripts/audit-maintenance-snapshot.mjs --root . --json
47
+ node scripts/run-gse-command.mjs --root . --target . --command "/gse maintenance" --json --compact
48
+ node scripts/audit-installed-sync.mjs --root . --installed-root <installed-skill-dir> --json
49
+ node scripts/audit-session-sync.mjs --root . --json
50
+ node scripts/run-validation-profile.mjs --target . --profile lite --json
51
+ ```
@@ -0,0 +1,52 @@
1
+ # Project Guards
2
+
3
+ Project guards are reusable preflight rules promoted from repeated project lessons.
4
+
5
+ They sit between learning notes and hard quality gates:
6
+
7
+ ```text
8
+ lesson -> project guard -> quality gate -> script/test/skill update
9
+ ```
10
+
11
+ Use guards when a mistake is likely to recur across sessions, but the rule still needs project context.
12
+
13
+ ## Guard File
14
+
15
+ Default project-local path:
16
+
17
+ ```text
18
+ .gse/project-guards.md
19
+ ```
20
+
21
+ The file uses a small table so humans can edit it and scripts can audit it:
22
+
23
+ | ID | Guard | Severity | Trigger | Check | Status |
24
+ |---|---|---|---|---|---|
25
+ | UTF8-DOC | Use UTF-8-safe readers for Chinese or multilingual docs before judging mojibake. | high | Chinese docs or encoding complaint | Read with Node UTF-8 or another UTF-8-safe viewer; run the project encoding check when docs changed. | active |
26
+
27
+ ## Default Guard Set
28
+
29
+ - `WIN-SHELL`: shell syntax must match the active host.
30
+ - `SPARSE-GIT`: sparse checkout must be checked before staging generated workflow folders.
31
+ - `UTF8-DOC`: multilingual docs need UTF-8-safe reads and encoding checks.
32
+ - `EVIDENCE-STALE`: stale or broken evidence is a preflight issue.
33
+ - `UI-EVIDENCE`: UI/browser downgrades must be labeled explicitly.
34
+ - `SUBAGENT-HONEST`: subagent dispatch claims require real host evidence.
35
+ - `SYNC-NO-INTERRUPT`: cross-thread GSE upgrade sync must not interrupt a running project session.
36
+
37
+ ## Continue Behavior
38
+
39
+ `/gse continue` reads `.gse/project-guards.md` when present and returns an active guard summary in the compact packet.
40
+
41
+ Missing guard files are a warning for mature projects, not a hard failure. Broken state or evidence remains the hard preflight failure.
42
+
43
+ ## Promotion
44
+
45
+ - First occurrence: record in `.gse/learnings.md`.
46
+ - Second occurrence: update a checklist, template, or guard candidate.
47
+ - Third occurrence: promote to `.gse/project-guards.md` or `.gse/quality-gates.md`.
48
+ - Fifth occurrence: automate as a script, test, or skill update.
49
+
50
+ Do not hardcode product-specific behavior into the GSE skill. AION and MuseFlow can supply examples and evidence, but project guards must stay generic.
51
+
52
+ Cross-thread sync is a guard-sensitive action: prefer evidence records, release notes, or owner action notes. Send a message to another active project session only when it is idle or the owner explicitly asks for immediate sync.
@@ -6,13 +6,19 @@ Pick gates by task risk.
6
6
 
7
7
  - Outcome matches request.
8
8
  - Scope did not expand silently.
9
- - Acceptance has evidence.
10
- - Evidence status uses `evidence-taxonomy.md`: result, verified, or accepted.
11
- - Do not claim `verified` or `accepted` when evidence only proves `result`.
12
- - Dirty worktree contains only intended files; use `references/file-ownership.md` when ownership or pre-existing changes are unclear.
9
+ - Acceptance has evidence.
10
+ - Evidence status uses `evidence-taxonomy.md`: result, verified, or accepted.
11
+ - Evidence level uses `evidence-taxonomy.md`: `result`, `verified-unit`, `verified-component`, `verified-api`, `verified-browser`, `verified-ci`, `accepted-owner`, `accepted-release`, or `external-required`.
12
+ - Do not claim `verified` or `accepted` when evidence only proves `result`.
13
+ - Do not describe `verified-component` or `verified-api` as `verified-browser`; record a downgrade when browser proof was required but only component/API proof ran.
14
+ - Dirty worktree contains only intended files; use `references/file-ownership.md` when ownership or pre-existing changes are unclear.
15
+ - Close checks must surface role-dispatch honesty, staged/unstaged/untracked worktree state, and staged generated/test artifacts before a slice is called complete.
13
16
  - Final answer states evidence and remaining risk.
14
- - Use `references/recovery.md` when work is interrupted, verification fails, rollback/resume decisions are needed, or another agent/session must continue.
15
- - Use `references/review.md` when task risk requires spec compliance, code quality, architecture drift, security/privacy, regression, or evidence review.
17
+ - Use `references/recovery.md` when work is interrupted, verification fails, rollback/resume decisions are needed, or another agent/session must continue.
18
+ - Check `.gse/project-guards.md` through `/gse continue` or `scripts/audit-project-guards.mjs` when recurring lessons may affect the slice.
19
+ - Check `.gse/host-capabilities.md` through `/gse continue` or `scripts/audit-host-capabilities.mjs` before claiming native slash-command, browser, MCP, LSP, subagent, or CI support.
20
+ - Check learning drift through `/gse continue` or `scripts/audit-learning-drift.mjs` before closing repeated-failure lessons as enforced.
21
+ - Use `references/review.md` when task risk requires spec compliance, code quality, architecture drift, security/privacy, regression, or evidence review.
16
22
  - Use `references/domain-quality-gates.md` when task risk involves security/privacy, performance/cost, accessibility, resilience/recovery, UI/browser, API/state, data/migration, model/tool routing, or release/operations concerns.
17
23
  - Use `references/architecture-health.md` when the task touches structural boundaries, coupling, source-of-truth drift, ownership, dependency/security risk, performance/resilience, migration, or release impact.
18
24
  - Use `references/forward-test.md` for non-trivial GSE skill, scaffold, router, role, adapter, release, recovery, or packaging changes.
@@ -63,11 +69,12 @@ node <gse-skill>/scripts/run-validation-profile.mjs --target <project-root> --pr
63
69
 
64
70
  Use this runner when a host, user, or future agent needs a stable command instead of hand-selecting individual audit scripts.
65
71
 
66
- ## UI Gates
67
-
68
- - Component test or browser smoke for visible behavior.
69
- - Screenshot or visual inspection for layout-sensitive work.
70
- - Loading, empty, error, success, retry, and cancelled states covered when relevant.
72
+ ## UI Gates
73
+
74
+ - Component test or browser smoke for visible behavior.
75
+ - Screenshot or visual inspection for layout-sensitive work.
76
+ - Use `verified-component` for component-only UI proof and `verified-browser` for browser/screenshot-backed UI proof.
77
+ - Loading, empty, error, success, retry, and cancelled states covered when relevant.
71
78
 
72
79
  ## Agent/Product Gates
73
80
 
@@ -0,0 +1,54 @@
1
+ # Role Dispatch Fallback
2
+
3
+ Use this reference when real subagent tools are unavailable, unknown, or not appropriate for the current slice.
4
+
5
+ GSE must never turn role names into fake delegation. A role packet is evidence that the work boundary was explicit; it is not evidence that a real subagent ran unless the host produced current dispatch evidence.
6
+
7
+ ## Required Roles
8
+
9
+ The portable fallback set is:
10
+
11
+ | Role | Purpose | Default write access | Fallback output |
12
+ |---|---|---|---|
13
+ | Planner | Define outcome, scope, acceptance, evidence, risk, and next action. | docs/state only | Slice plan with non-goals and selected gates |
14
+ | Locator | Locate files, symbols, commands, existing tests, and ownership boundaries. | read-only | File/function/test map and relevant patterns |
15
+ | Implementer | Make the bounded code or document change. | assigned files only | Diff summary and files changed |
16
+ | Verifier | Run focused tests, smokes, audits, or structural checks. | evidence/test output only | Commands, results, evidence level, residual risk |
17
+ | Reviewer | Review spec compliance, regression risk, quality, and missing tests. | read-only | Findings or explicit no-findings report |
18
+ | Docs/Evidence | Record slice evidence, state changes, release notes, and learnings. | docs/evidence only | Evidence record and state/doc update summary |
19
+ | Release | Check release, public, owner, CI, package, and host-runtime boundaries. | docs/release only | Release readiness and external gate summary |
20
+
21
+ ## Fallback Packet Requirements
22
+
23
+ Every auditable role packet, whether real or sequential, must state:
24
+
25
+ - Execution mode: `real-subagent`, `sequential-role`, or `handoff-session`.
26
+ - Real delegation used: `yes` or `no`.
27
+ - Host/tool used and tool status.
28
+ - Fallback reason when real delegation is not used.
29
+ - Role, objective, allowed files, forbidden files, and expected output.
30
+ - Role output evidence.
31
+ - Verification command or check.
32
+ - Evidence level.
33
+ - Stop condition.
34
+ - Claim boundary.
35
+
36
+ ## Claim Boundary
37
+
38
+ - `real-subagent` means a current host dispatch tool created an agent/task and returned evidence.
39
+ - `sequential-role` means the main agent executed the role checklist locally.
40
+ - `handoff-session` means another human or agent session owns the work after handoff.
41
+ - File/tool parallelism is not subagent dispatch.
42
+ - A role packet without dispatch evidence can still prove disciplined fallback, but it cannot prove real multi-agent execution.
43
+
44
+ ## Close Rule
45
+
46
+ Before a slice closes, the coordinator should be able to answer:
47
+
48
+ 1. Which roles were required for this slice?
49
+ 2. Which roles ran as real delegation, sequential fallback, or handoff?
50
+ 3. What files or evidence did each role touch?
51
+ 4. What verification or review did each role produce?
52
+ 5. What claim must not be made because a tool was unavailable?
53
+
54
+ `scripts/audit-close-gate.mjs` enforces the no-fake-dispatch boundary when `.gse/agents/role-fallback-packets.md` is present: a row that says real delegation was used must also have verified tool status.
@@ -1,6 +1,8 @@
1
1
  # Tool Adapters
2
2
 
3
- GSE has few hard requirements. Tools enhance the workflow when available.
3
+ GSE has few hard requirements. Tools enhance the workflow when available.
4
+ Use markdown fallback when optional tools are unavailable.
5
+ Do not treat optional tools as hard prerequisites.
4
6
 
5
7
  ## Minimum Tools
6
8
 
@@ -31,7 +33,7 @@ Avoid broad reads of generated outputs, logs, lockfiles, or historical archives
31
33
 
32
34
  Use `references/drift-audit.md` when recorded tool status, command assumptions, MCP, LSP/index, browser, CI, package manager, or deployment facts may be stale.
33
35
 
34
- Use `project-profile.md` to record tool connections and status.
36
+ Use `.gse/project-profile.md`, `.gse/tooling.md`, and `.gse/host-capabilities.md` to record tool connections and status.
35
37
 
36
38
  Status vocabulary:
37
39
 
@@ -40,7 +42,15 @@ Status vocabulary:
40
42
  - `unknown`: not confirmed.
41
43
  - `unavailable`: expected but missing or failing.
42
44
 
43
- Project-specific commands and standards override generic recommendations. If the project says to use `pnpm`, `bun`, `make`, a custom smoke script, a specific LSP/index, or a private MCP server, follow that after verifying it is present or documenting its status.
45
+ Project-specific commands and standards override generic recommendations. If the project says to use `pnpm`, `bun`, `make`, a custom smoke script, a specific LSP/index, or a private MCP server, follow that after verifying it is present or documenting its status.
46
+
47
+ For the standard host/tool capability table, run:
48
+
49
+ ```text
50
+ node <gse-skill>/scripts/audit-host-capabilities.mjs --target <project-root> --json
51
+ ```
52
+
53
+ This audit checks native slash-command, browser, MCP, LSP/index, subagent dispatch, and CI rows. It labels missing records as a warning, but fails invalid statuses, `verified` rows without evidence, and native slash-command overclaims based only on portable command output.
44
54
 
45
55
  ## Model Routing
46
56
 
@@ -0,0 +1,188 @@
1
+ #!/usr/bin/env node
2
+ import fs from 'node:fs'
3
+ import os from 'node:os'
4
+ import path from 'node:path'
5
+ import { spawnSync } from 'node:child_process'
6
+
7
+ const args = process.argv.slice(2)
8
+
9
+ function readArg(name, fallback = null) {
10
+ const index = args.indexOf(name)
11
+ if (index === -1) return fallback
12
+ return args[index + 1] ?? fallback
13
+ }
14
+
15
+ const root = path.resolve(readArg('--root', path.join(import.meta.dirname, '..')))
16
+ const jsonOnly = args.includes('--json')
17
+
18
+ function run(command, commandArgs, cwd) {
19
+ const result = spawnSync(command, commandArgs, {
20
+ cwd,
21
+ encoding: 'utf8',
22
+ windowsHide: true,
23
+ })
24
+ return {
25
+ command: [command, ...commandArgs].join(' '),
26
+ status: result.status ?? 1,
27
+ stdout: (result.stdout ?? '').trim(),
28
+ stderr: (result.stderr ?? '').trim(),
29
+ }
30
+ }
31
+
32
+ function runNode(script, commandArgs, cwd = root) {
33
+ return run(process.execPath, [path.join(root, 'scripts', script), ...commandArgs], cwd)
34
+ }
35
+
36
+ function write(filePath, text) {
37
+ fs.mkdirSync(path.dirname(filePath), { recursive: true })
38
+ fs.writeFileSync(filePath, text, 'utf8')
39
+ }
40
+
41
+ function rolePacket(realDelegationUsed = 'no', toolStatus = 'unknown') {
42
+ const plannerMode = realDelegationUsed === 'yes' ? 'real-subagent' : 'sequential-role'
43
+ const rows = [
44
+ ['Planner', plannerMode, realDelegationUsed, toolStatus, 'Plan', 'fixture plan', 'Plan accepted', 'read-only'],
45
+ ['Locator', 'sequential-role', 'no', 'unknown', 'File map', 'fixture map', 'Files identified', 'read-only'],
46
+ ['Implementer', 'sequential-role', 'no', 'unknown', 'Patch', 'fixture patch', 'Patch complete', 'assigned files'],
47
+ ['Verifier', 'sequential-role', 'no', 'unknown', 'Test results', 'fixture tests', 'Focused checks pass', 'evidence only'],
48
+ ['Reviewer', 'sequential-role', 'no', 'unknown', 'Review notes', 'fixture review', 'No blocking findings', 'read-only'],
49
+ ['Docs/Evidence', 'sequential-role', 'no', 'unknown', 'Evidence log', 'fixture evidence', 'Evidence recorded', 'docs/evidence only'],
50
+ ['Release', 'sequential-role', 'no', 'unknown', 'Claim boundary', 'fixture release', 'External gates visible', 'read-only'],
51
+ ]
52
+ return [
53
+ '# Role Fallback Packets',
54
+ '',
55
+ '| Role | Mode | Real delegation used | Tool status | Fallback output | Evidence | Stop condition | Write access |',
56
+ '|---|---|---|---|---|---|---|---|',
57
+ ...rows.map((row) => '| ' + row.join(' | ') + ' |'),
58
+ '',
59
+ ].join('\n')
60
+ }
61
+
62
+ function createProject(label, options = {}) {
63
+ const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'gse-close-hardening-' + label + '-'))
64
+ write(path.join(dir, '.gse', 'README.md'), '# GSE\n')
65
+ write(path.join(dir, '.gse', 'project-profile.md'), '# Project Profile\n')
66
+ write(path.join(dir, '.gse', 'goal-map.md'), '# Goal Map\n\nNext action: close fixture.\n')
67
+ write(path.join(dir, '.gse', 'quality-gates.md'), '# Quality Gates\n\n- Evidence required.\n')
68
+ write(path.join(dir, '.gse', 'evidence', '2026-07-08.md'), '# Evidence\n\nVerified fixture.\n')
69
+ write(
70
+ path.join(dir, '.gse', 'state.json'),
71
+ JSON.stringify(
72
+ {
73
+ schemaVersion: 1,
74
+ projectName: 'close-hardening-fixture',
75
+ mode: 'standard',
76
+ phase: 'verify',
77
+ currentSlice: {
78
+ id: 'close-hardening-fixture',
79
+ outcome: 'Fixture close gate hardening.',
80
+ status: 'verified',
81
+ nextAction: 'Close fixture.',
82
+ },
83
+ toolStatuses: {
84
+ browser: 'unknown',
85
+ lsp: 'unknown',
86
+ mcp: 'unknown',
87
+ subagents: 'unknown',
88
+ ci: 'unknown',
89
+ },
90
+ lastEvidence: '.gse/evidence/2026-07-08.md',
91
+ residualRisks: [],
92
+ },
93
+ null,
94
+ 2,
95
+ ) + '\n',
96
+ )
97
+ write(
98
+ path.join(dir, '.gse', 'evidence', 'index.jsonl'),
99
+ JSON.stringify({
100
+ date: '2026-07-08',
101
+ recordType: 'slice',
102
+ status: 'verified',
103
+ evidenceLevel: 'verified-unit',
104
+ requiredEvidenceLevel: 'verified-unit',
105
+ summary: 'Fixture close gate hardening evidence.',
106
+ evidenceFile: '.gse/evidence/2026-07-08.md',
107
+ commands: ['node scripts/audit-close-gate.mjs --target <fixture> --json'],
108
+ nextAction: 'Close fixture.',
109
+ }) + '\n',
110
+ )
111
+ write(
112
+ path.join(dir, '.gse', 'agents', 'role-fallback-packets.md'),
113
+ rolePacket(options.realDelegationUsed ?? 'no', options.toolStatus ?? 'unknown'),
114
+ )
115
+ run('git', ['init'], dir)
116
+ run('git', ['config', 'user.email', 'gse-fixture@example.local'], dir)
117
+ run('git', ['config', 'user.name', 'GSE Fixture'], dir)
118
+ run('git', ['add', '.'], dir)
119
+ run('git', ['commit', '-m', 'fixture'], dir)
120
+ return dir
121
+ }
122
+
123
+ function parseReport(result) {
124
+ try {
125
+ return JSON.parse(result.stdout)
126
+ } catch (error) {
127
+ return { parseError: error.message, stdout: result.stdout, stderr: result.stderr }
128
+ }
129
+ }
130
+
131
+ function getCheck(report, id) {
132
+ return report.checks?.find((item) => item.id === id) ?? null
133
+ }
134
+
135
+ function check(id, label, ok, evidence, risk = '') {
136
+ return { id, label, status: ok ? 'passed' : 'failed', evidence, risk }
137
+ }
138
+
139
+ const cleanDir = createProject('clean')
140
+ const fakeDir = createProject('fake-dispatch', { realDelegationUsed: 'yes', toolStatus: 'unknown' })
141
+ const dirtyDir = createProject('dirty')
142
+ write(path.join(dirtyDir, 'src', 'changed.txt'), 'dirty fixture\n')
143
+ const generatedDir = createProject('generated')
144
+ write(path.join(generatedDir, 'output', 'playwright', 'screen.png'), 'generated artifact\n')
145
+ run('git', ['add', 'output/playwright/screen.png'], generatedDir)
146
+
147
+ const cleanReport = parseReport(runNode('audit-close-gate.mjs', ['--target', cleanDir, '--json']))
148
+ const fakeReport = parseReport(runNode('audit-close-gate.mjs', ['--target', fakeDir, '--json']))
149
+ const dirtyReport = parseReport(runNode('audit-close-gate.mjs', ['--target', dirtyDir, '--json']))
150
+ const generatedReport = parseReport(runNode('audit-close-gate.mjs', ['--target', generatedDir, '--json']))
151
+
152
+ const checks = [
153
+ check('CGH01', 'clean fixture close gate is ready with honest role fallback', cleanReport.summary?.status === 'ready' && getCheck(cleanReport, 'CG10')?.status === 'passed' && getCheck(cleanReport, 'CG11')?.status === 'passed' && getCheck(cleanReport, 'CG12')?.status === 'passed', 'clean close gate fixture'),
154
+ check('CGH02', 'fake real-subagent claim fails close gate', fakeReport.summary?.status === 'not-ready' && getCheck(fakeReport, 'CG10')?.status === 'failed', getCheck(fakeReport, 'CG10')?.evidence ?? 'missing CG10'),
155
+ check('CGH03', 'dirty worktree is surfaced before close', dirtyReport.summary?.status === 'ready-with-warnings' && getCheck(dirtyReport, 'CG11')?.status === 'warning', getCheck(dirtyReport, 'CG11')?.evidence ?? 'missing CG11'),
156
+ check('CGH04', 'staged generated artifacts fail close gate', generatedReport.summary?.status === 'not-ready' && getCheck(generatedReport, 'CG12')?.status === 'failed', getCheck(generatedReport, 'CG12')?.evidence ?? 'missing CG12'),
157
+ ]
158
+
159
+ for (const dir of [cleanDir, fakeDir, dirtyDir, generatedDir]) {
160
+ fs.rmSync(dir, { recursive: true, force: true })
161
+ }
162
+
163
+ const passed = checks.filter((item) => item.status === 'passed').length
164
+ const failed = checks.length - passed
165
+ const report = {
166
+ root,
167
+ generatedAt: new Date().toISOString(),
168
+ summary: {
169
+ status: failed === 0 ? 'passed' : 'failed',
170
+ passed,
171
+ failed,
172
+ total: checks.length,
173
+ },
174
+ workflows: {
175
+ closeGateHardening: failed === 0 ? 'verified' : 'failed',
176
+ fakeDispatchCloseGate: failed === 0 ? 'verified' : 'failed',
177
+ fileOwnershipCloseGate: failed === 0 ? 'verified' : 'failed',
178
+ },
179
+ checks,
180
+ limits: [
181
+ 'This audit verifies close-gate mechanics with local fixtures.',
182
+ 'It does not prove real subagent dispatch or native slash-command host support.',
183
+ ],
184
+ }
185
+
186
+ if (jsonOnly) console.log(JSON.stringify(report, null, 2))
187
+ else console.log(JSON.stringify(report, null, 2))
188
+ if (failed > 0) process.exit(1)