npm - @therocketcode/gsd-core - Versions diffs - 1.4.0 - Mend

@therocketcode/gsd-core 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (568) hide show

package/.claude-plugin/plugin.json +23 -0
package/GEMINI.md +53 -0
package/LICENSE +21 -0
package/README.ja-JP.md +125 -0
package/README.ko-KR.md +125 -0
package/README.md +144 -0
package/README.pt-BR.md +125 -0
package/README.zh-CN.md +125 -0
package/agents/gsd-advisor-researcher.md +108 -0
package/agents/gsd-ai-researcher.md +114 -0
package/agents/gsd-assumptions-analyzer.md +105 -0
package/agents/gsd-code-fixer.md +668 -0
package/agents/gsd-code-reviewer.md +387 -0
package/agents/gsd-codebase-mapper.md +853 -0
package/agents/gsd-debug-session-manager.md +314 -0
package/agents/gsd-debugger.md +1452 -0
package/agents/gsd-doc-classifier.md +168 -0
package/agents/gsd-doc-synthesizer.md +204 -0
package/agents/gsd-doc-verifier.md +217 -0
package/agents/gsd-doc-writer.md +616 -0
package/agents/gsd-domain-researcher.md +147 -0
package/agents/gsd-eval-auditor.md +191 -0
package/agents/gsd-eval-planner.md +154 -0
package/agents/gsd-executor.md +785 -0
package/agents/gsd-framework-selector.md +160 -0
package/agents/gsd-integration-checker.md +470 -0
package/agents/gsd-intel-updater.md +342 -0
package/agents/gsd-nyquist-auditor.md +203 -0
package/agents/gsd-pattern-mapper.md +335 -0
package/agents/gsd-phase-researcher.md +867 -0
package/agents/gsd-plan-checker.md +978 -0
package/agents/gsd-planner.md +1204 -0
package/agents/gsd-project-researcher.md +611 -0
package/agents/gsd-research-synthesizer.md +259 -0
package/agents/gsd-roadmapper.md +688 -0
package/agents/gsd-security-auditor.md +155 -0
package/agents/gsd-ui-auditor.md +495 -0
package/agents/gsd-ui-checker.md +309 -0
package/agents/gsd-ui-researcher.md +374 -0
package/agents/gsd-user-profiler.md +171 -0
package/agents/gsd-verifier.md +923 -0
package/assets/gsd-logo-2000-transparent.png +0 -0
package/assets/gsd-logo-2000-transparent.svg +17 -0
package/assets/gsd-logo-2000.png +0 -0
package/assets/gsd-logo-2000.svg +21 -0
package/assets/terminal.svg +68 -0
package/bin/install.js +12726 -0
package/bin/lib/ui-safety-gate.cjs +107 -0
package/commands/gsd/add-tests.md +42 -0
package/commands/gsd/ai-integration-phase.md +37 -0
package/commands/gsd/audit-fix.md +34 -0
package/commands/gsd/audit-milestone.md +37 -0
package/commands/gsd/audit-uat.md +24 -0
package/commands/gsd/autonomous.md +48 -0
package/commands/gsd/capture.md +62 -0
package/commands/gsd/cleanup.md +24 -0
package/commands/gsd/code-review.md +59 -0
package/commands/gsd/complete-milestone.md +143 -0
package/commands/gsd/config.md +56 -0
package/commands/gsd/debug.md +52 -0
package/commands/gsd/discover-product.md +65 -0
package/commands/gsd/discuss-phase.md +77 -0
package/commands/gsd/docs-update.md +49 -0
package/commands/gsd/eval-review.md +33 -0
package/commands/gsd/execute-phase.md +66 -0
package/commands/gsd/explore.md +27 -0
package/commands/gsd/extract-learnings.md +23 -0
package/commands/gsd/fast.md +31 -0
package/commands/gsd/forensics.md +57 -0
package/commands/gsd/graphify.md +204 -0
package/commands/gsd/health.md +31 -0
package/commands/gsd/help.md +28 -0
package/commands/gsd/import.md +45 -0
package/commands/gsd/inbox.md +39 -0
package/commands/gsd/ingest-docs.md +42 -0
package/commands/gsd/manager.md +45 -0
package/commands/gsd/map-codebase.md +83 -0
package/commands/gsd/milestone-summary.md +51 -0
package/commands/gsd/model-domain.md +65 -0
package/commands/gsd/mvp-phase.md +45 -0
package/commands/gsd/new-milestone.md +45 -0
package/commands/gsd/new-project.md +47 -0
package/commands/gsd/ns-context.md +23 -0
package/commands/gsd/ns-ideate.md +24 -0
package/commands/gsd/ns-manage.md +29 -0
package/commands/gsd/ns-project.md +22 -0
package/commands/gsd/ns-review.md +26 -0
package/commands/gsd/ns-workflow.md +28 -0
package/commands/gsd/pause-work.md +43 -0
package/commands/gsd/phase.md +56 -0
package/commands/gsd/plan-phase.md +64 -0
package/commands/gsd/plan-review-convergence.md +59 -0
package/commands/gsd/pr-branch.md +26 -0
package/commands/gsd/profile-user.md +46 -0
package/commands/gsd/progress.md +48 -0
package/commands/gsd/quick.md +174 -0
package/commands/gsd/recommend-architecture.md +64 -0
package/commands/gsd/resume-work.md +30 -0
package/commands/gsd/review-backlog.md +63 -0
package/commands/gsd/review.md +42 -0
package/commands/gsd/secure-phase.md +36 -0
package/commands/gsd/settings.md +29 -0
package/commands/gsd/ship.md +24 -0
package/commands/gsd/sketch.md +60 -0
package/commands/gsd/spec-phase.md +63 -0
package/commands/gsd/spike.md +57 -0
package/commands/gsd/stats.md +20 -0
package/commands/gsd/surface.md +155 -0
package/commands/gsd/testing-strategy.md +65 -0
package/commands/gsd/thread.md +24 -0
package/commands/gsd/ui-phase.md +35 -0
package/commands/gsd/ui-review.md +33 -0
package/commands/gsd/ultraplan-phase.md +34 -0
package/commands/gsd/undo.md +35 -0
package/commands/gsd/update.md +49 -0
package/commands/gsd/validate-phase.md +36 -0
package/commands/gsd/verify-work.md +39 -0
package/commands/gsd/workspace.md +52 -0
package/commands/gsd/workstreams.md +70 -0
package/gemini-extension.json +6 -0
package/gsd-core/bin/check-latest-version.cjs +161 -0
package/gsd-core/bin/gsd-tools.cjs +1928 -0
package/gsd-core/bin/lib/active-workstream-store.cjs +291 -0
package/gsd-core/bin/lib/adr-parser.cjs +399 -0
package/gsd-core/bin/lib/agent-command-router.cjs +68 -0
package/gsd-core/bin/lib/artifacts.cjs +51 -0
package/gsd-core/bin/lib/audit.cjs +743 -0
package/gsd-core/bin/lib/check-command-router.cjs +343 -0
package/gsd-core/bin/lib/cjs-command-router-adapter.cjs +81 -0
package/gsd-core/bin/lib/cli-exit.cjs +42 -0
package/gsd-core/bin/lib/clock.cjs +95 -0
package/gsd-core/bin/lib/clusters.cjs +132 -0
package/gsd-core/bin/lib/code-review-flags.cjs +59 -0
package/gsd-core/bin/lib/command-aliases.cjs +809 -0
package/gsd-core/bin/lib/command-arg-projection.cjs +55 -0
package/gsd-core/bin/lib/command-routing-hub.cjs +300 -0
package/gsd-core/bin/lib/commands.cjs +1203 -0
package/gsd-core/bin/lib/config-schema.cjs +29 -0
package/gsd-core/bin/lib/config-types.cjs +19 -0
package/gsd-core/bin/lib/config.cjs +738 -0
package/gsd-core/bin/lib/configuration.cjs +239 -0
package/gsd-core/bin/lib/context-utilization.cjs +48 -0
package/gsd-core/bin/lib/core.cjs +2051 -0
package/gsd-core/bin/lib/decisions.cjs +118 -0
package/gsd-core/bin/lib/docs.cjs +252 -0
package/gsd-core/bin/lib/drift.cjs +364 -0
package/gsd-core/bin/lib/fallow-runner.cjs +115 -0
package/gsd-core/bin/lib/frontmatter.cjs +442 -0
package/gsd-core/bin/lib/gap-checker.cjs +257 -0
package/gsd-core/bin/lib/graphify.cjs +496 -0
package/gsd-core/bin/lib/gsd2-import.cjs +456 -0
package/gsd-core/bin/lib/init-command-router.cjs +62 -0
package/gsd-core/bin/lib/init.cjs +1815 -0
package/gsd-core/bin/lib/install-profiles.cjs +584 -0
package/gsd-core/bin/lib/installer-migration-authoring.cjs +122 -0
package/gsd-core/bin/lib/installer-migration-report.cjs +350 -0
package/gsd-core/bin/lib/installer-migrations/000-first-time-baseline.cjs +218 -0
package/gsd-core/bin/lib/installer-migrations/001-legacy-orphan-files.cjs +48 -0
package/gsd-core/bin/lib/installer-migrations/002-codex-legacy-hooks-json.cjs +94 -0
package/gsd-core/bin/lib/installer-migrations/003-rename-get-shit-done-to-gsd-core.cjs +108 -0
package/gsd-core/bin/lib/installer-migrations.cjs +823 -0
package/gsd-core/bin/lib/intel.cjs +590 -0
package/gsd-core/bin/lib/learnings.cjs +270 -0
package/gsd-core/bin/lib/legacy-cleanup.cjs +253 -0
package/gsd-core/bin/lib/milestone.cjs +373 -0
package/gsd-core/bin/lib/model-catalog.cjs +154 -0
package/gsd-core/bin/lib/model-profiles.cjs +24 -0
package/gsd-core/bin/lib/observability/event.cjs +51 -0
package/gsd-core/bin/lib/observability/logger.cjs +146 -0
package/gsd-core/bin/lib/observability/redaction.cjs +48 -0
package/gsd-core/bin/lib/package-identity.cjs +35 -0
package/gsd-core/bin/lib/package-legitimacy.cjs +368 -0
package/gsd-core/bin/lib/phase-command-router.cjs +189 -0
package/gsd-core/bin/lib/phase-lifecycle.cjs +74 -0
package/gsd-core/bin/lib/phase.cjs +1307 -0
package/gsd-core/bin/lib/phases-command-router.cjs +43 -0
package/gsd-core/bin/lib/plan-scan.cjs +91 -0
package/gsd-core/bin/lib/planning-workspace.cjs +245 -0
package/gsd-core/bin/lib/profile-output.cjs +1120 -0
package/gsd-core/bin/lib/profile-pipeline.cjs +517 -0
package/gsd-core/bin/lib/project-root.cjs +119 -0
package/gsd-core/bin/lib/prompt-budget.cjs +305 -0
package/gsd-core/bin/lib/research-provider.cjs +137 -0
package/gsd-core/bin/lib/research-store.cjs +167 -0
package/gsd-core/bin/lib/review-reviewer-selection.cjs +121 -0
package/gsd-core/bin/lib/roadmap-command-router.cjs +166 -0
package/gsd-core/bin/lib/roadmap-upgrade.cjs +476 -0
package/gsd-core/bin/lib/roadmap.cjs +600 -0
package/gsd-core/bin/lib/runtime-artifact-layout.cjs +312 -0
package/gsd-core/bin/lib/runtime-config-adapter-registry.cjs +56 -0
package/gsd-core/bin/lib/runtime-homes.cjs +190 -0
package/gsd-core/bin/lib/runtime-name-policy.cjs +96 -0
package/gsd-core/bin/lib/runtime-slash.cjs +119 -0
package/gsd-core/bin/lib/schema-detect.cjs +159 -0
package/gsd-core/bin/lib/secrets.cjs +34 -0
package/gsd-core/bin/lib/security.cjs +480 -0
package/gsd-core/bin/lib/semver-compare.cjs +42 -0
package/gsd-core/bin/lib/shell-command-projection.cjs +533 -0
package/gsd-core/bin/lib/state-command-router.cjs +160 -0
package/gsd-core/bin/lib/state-document.cjs +259 -0
package/gsd-core/bin/lib/state.cjs +2010 -0
package/gsd-core/bin/lib/surface.cjs +449 -0
package/gsd-core/bin/lib/task-command-router.cjs +85 -0
package/gsd-core/bin/lib/template.cjs +237 -0
package/gsd-core/bin/lib/uat.cjs +297 -0
package/gsd-core/bin/lib/ui-safety-gate.cjs +98 -0
package/gsd-core/bin/lib/update-context.cjs +218 -0
package/gsd-core/bin/lib/validate-command-router.cjs +91 -0
package/gsd-core/bin/lib/validate.cjs +112 -0
package/gsd-core/bin/lib/verification-command-router.cjs +31 -0
package/gsd-core/bin/lib/verification.cjs +193 -0
package/gsd-core/bin/lib/verify-command-router.cjs +44 -0
package/gsd-core/bin/lib/verify.cjs +1451 -0
package/gsd-core/bin/lib/workstream-inventory-builder.cjs +81 -0
package/gsd-core/bin/lib/workstream-inventory.cjs +147 -0
package/gsd-core/bin/lib/workstream-name-policy.cjs +91 -0
package/gsd-core/bin/lib/workstream.cjs +380 -0
package/gsd-core/bin/lib/worktree-base-ref.cjs +325 -0
package/gsd-core/bin/lib/worktree-safety.cjs +943 -0
package/gsd-core/bin/shared/config-defaults.manifest.json +98 -0
package/gsd-core/bin/shared/config-schema.manifest.json +192 -0
package/gsd-core/bin/shared/model-catalog.json +149 -0
package/gsd-core/bin/shared/runtime-aliases.manifest.json +75 -0
package/gsd-core/bin/verify-reapply-patches.cjs +349 -0
package/gsd-core/contexts/dev.md +21 -0
package/gsd-core/contexts/research.md +22 -0
package/gsd-core/contexts/review.md +23 -0
package/gsd-core/references/agent-contracts.md +79 -0
package/gsd-core/references/ai-evals.md +156 -0
package/gsd-core/references/ai-frameworks.md +186 -0
package/gsd-core/references/architecture-decision.md +74 -0
package/gsd-core/references/artifact-types.md +131 -0
package/gsd-core/references/auth-in-tests.md +91 -0
package/gsd-core/references/autonomous-smart-discuss.md +277 -0
package/gsd-core/references/checkpoints.md +814 -0
package/gsd-core/references/common-bug-patterns.md +114 -0
package/gsd-core/references/context-budget.md +85 -0
package/gsd-core/references/continuation-format.md +253 -0
package/gsd-core/references/db-test-isolation.md +54 -0
package/gsd-core/references/debugger-philosophy.md +76 -0
package/gsd-core/references/decimal-phase-calculation.md +64 -0
package/gsd-core/references/doc-conflict-engine.md +91 -0
package/gsd-core/references/domain-modeling.md +80 -0
package/gsd-core/references/domain-probes.md +125 -0
package/gsd-core/references/e2e-tiering.md +35 -0
package/gsd-core/references/execute-mvp-tdd.md +81 -0
package/gsd-core/references/executor-examples.md +110 -0
package/gsd-core/references/few-shot-examples/plan-checker.md +73 -0
package/gsd-core/references/few-shot-examples/verifier.md +109 -0
package/gsd-core/references/flaky-test-checklist.md +22 -0
package/gsd-core/references/gate-prompts.md +100 -0
package/gsd-core/references/gates.md +70 -0
package/gsd-core/references/git-integration.md +298 -0
package/gsd-core/references/git-planning-commit.md +40 -0
package/gsd-core/references/ios-scaffold.md +123 -0
package/gsd-core/references/mandatory-initial-read.md +2 -0
package/gsd-core/references/model-profile-resolution.md +38 -0
package/gsd-core/references/model-profiles.md +245 -0
package/gsd-core/references/mvp-concepts.md +49 -0
package/gsd-core/references/phase-argument-parsing.md +61 -0
package/gsd-core/references/planner-antipatterns.md +89 -0
package/gsd-core/references/planner-chunked.md +49 -0
package/gsd-core/references/planner-gap-closure.md +62 -0
package/gsd-core/references/planner-graphify-auto-update.md +67 -0
package/gsd-core/references/planner-human-verify-mode.md +57 -0
package/gsd-core/references/planner-interface-context.md +62 -0
package/gsd-core/references/planner-load-graph-context.md +36 -0
package/gsd-core/references/planner-mvp-mode.md +53 -0
package/gsd-core/references/planner-reviews.md +39 -0
package/gsd-core/references/planner-revision.md +87 -0
package/gsd-core/references/planner-source-audit.md +73 -0
package/gsd-core/references/planning-config.md +473 -0
package/gsd-core/references/product-discovery.md +49 -0
package/gsd-core/references/project-skills-discovery.md +19 -0
package/gsd-core/references/questioning.md +162 -0
package/gsd-core/references/realistic-test-data.md +44 -0
package/gsd-core/references/research-documentation-lookup.md +29 -0
package/gsd-core/references/research-philosophy.md +29 -0
package/gsd-core/references/research-verification-protocol.md +27 -0
package/gsd-core/references/revision-loop.md +97 -0
package/gsd-core/references/scout-codebase.md +51 -0
package/gsd-core/references/skeleton-template.md +48 -0
package/gsd-core/references/sketch-interactivity.md +41 -0
package/gsd-core/references/sketch-theme-system.md +94 -0
package/gsd-core/references/sketch-tooling.md +45 -0
package/gsd-core/references/sketch-variant-patterns.md +81 -0
package/gsd-core/references/spidr-splitting.md +69 -0
package/gsd-core/references/tdd.md +330 -0
package/gsd-core/references/test-containers.md +55 -0
package/gsd-core/references/test-strategy.md +75 -0
package/gsd-core/references/thinking-models-debug.md +44 -0
package/gsd-core/references/thinking-models-execution.md +50 -0
package/gsd-core/references/thinking-models-planning.md +62 -0
package/gsd-core/references/thinking-models-research.md +50 -0
package/gsd-core/references/thinking-models-verification.md +55 -0
package/gsd-core/references/thinking-partner.md +96 -0
package/gsd-core/references/ui-brand.md +162 -0
package/gsd-core/references/universal-anti-patterns.md +63 -0
package/gsd-core/references/user-profiling.md +681 -0
package/gsd-core/references/user-story-template.md +58 -0
package/gsd-core/references/verification-overrides.md +227 -0
package/gsd-core/references/verification-patterns.md +612 -0
package/gsd-core/references/verify-mvp-mode.md +85 -0
package/gsd-core/references/workstream-flag.md +111 -0
package/gsd-core/references/worktree-branch-check.md +38 -0
package/gsd-core/references/worktree-path-safety.md +67 -0
package/gsd-core/templates/AI-SPEC.md +246 -0
package/gsd-core/templates/DEBUG.md +169 -0
package/gsd-core/templates/README.md +77 -0
package/gsd-core/templates/SECURITY.md +61 -0
package/gsd-core/templates/UAT.md +265 -0
package/gsd-core/templates/UI-SPEC.md +100 -0
package/gsd-core/templates/VALIDATION.md +76 -0
package/gsd-core/templates/adr.md +58 -0
package/gsd-core/templates/claude-md.md +145 -0
package/gsd-core/templates/codebase/architecture.md +255 -0
package/gsd-core/templates/codebase/concerns.md +310 -0
package/gsd-core/templates/codebase/conventions.md +307 -0
package/gsd-core/templates/codebase/integrations.md +280 -0
package/gsd-core/templates/codebase/stack.md +186 -0
package/gsd-core/templates/codebase/structure.md +285 -0
package/gsd-core/templates/codebase/testing.md +480 -0
package/gsd-core/templates/config.json +62 -0
package/gsd-core/templates/context.md +352 -0
package/gsd-core/templates/continue-here.md +78 -0
package/gsd-core/templates/copilot-instructions.md +7 -0
package/gsd-core/templates/debug-subagent-prompt.md +91 -0
package/gsd-core/templates/dev-preferences.md +21 -0
package/gsd-core/templates/discovery.md +146 -0
package/gsd-core/templates/discussion-log.md +63 -0
package/gsd-core/templates/domain-model.md +54 -0
package/gsd-core/templates/milestone-archive.md +123 -0
package/gsd-core/templates/milestone.md +115 -0
package/gsd-core/templates/phase-prompt.md +610 -0
package/gsd-core/templates/planner-subagent-prompt.md +117 -0
package/gsd-core/templates/product-brief.md +55 -0
package/gsd-core/templates/project.md +186 -0
package/gsd-core/templates/requirements.md +231 -0
package/gsd-core/templates/research-project/ARCHITECTURE.md +204 -0
package/gsd-core/templates/research-project/FEATURES.md +147 -0
package/gsd-core/templates/research-project/PITFALLS.md +200 -0
package/gsd-core/templates/research-project/STACK.md +120 -0
package/gsd-core/templates/research-project/SUMMARY.md +170 -0
package/gsd-core/templates/research.md +592 -0
package/gsd-core/templates/retrospective.md +54 -0
package/gsd-core/templates/roadmap.md +202 -0
package/gsd-core/templates/spec.md +307 -0
package/gsd-core/templates/state.md +195 -0
package/gsd-core/templates/summary-complex.md +59 -0
package/gsd-core/templates/summary-minimal.md +41 -0
package/gsd-core/templates/summary-standard.md +48 -0
package/gsd-core/templates/summary.md +248 -0
package/gsd-core/templates/test-strategy.md +50 -0
package/gsd-core/templates/user-profile.md +146 -0
package/gsd-core/templates/user-setup.md +311 -0
package/gsd-core/templates/verification-report.md +322 -0
package/gsd-core/workflows/_runtime-launcher.snippet.sh +1 -0
package/gsd-core/workflows/add-backlog.md +91 -0
package/gsd-core/workflows/add-phase.md +113 -0
package/gsd-core/workflows/add-tests.md +355 -0
package/gsd-core/workflows/add-todo.md +161 -0
package/gsd-core/workflows/ai-integration-phase.md +295 -0
package/gsd-core/workflows/analyze-dependencies.md +96 -0
package/gsd-core/workflows/audit-fix.md +178 -0
package/gsd-core/workflows/audit-milestone.md +360 -0
package/gsd-core/workflows/audit-uat.md +110 -0
package/gsd-core/workflows/autonomous.md +797 -0
package/gsd-core/workflows/check-todos.md +180 -0
package/gsd-core/workflows/cleanup.md +195 -0
package/gsd-core/workflows/code-review-fix.md +502 -0
package/gsd-core/workflows/code-review.md +658 -0
package/gsd-core/workflows/complete-milestone.md +855 -0
package/gsd-core/workflows/debug.md +237 -0
package/gsd-core/workflows/diagnose-issues.md +245 -0
package/gsd-core/workflows/discover-product.md +112 -0
package/gsd-core/workflows/discovery-phase.md +291 -0
package/gsd-core/workflows/discuss-phase/modes/advisor.md +176 -0
package/gsd-core/workflows/discuss-phase/modes/all.md +28 -0
package/gsd-core/workflows/discuss-phase/modes/analyze.md +44 -0
package/gsd-core/workflows/discuss-phase/modes/auto.md +57 -0
package/gsd-core/workflows/discuss-phase/modes/batch.md +52 -0
package/gsd-core/workflows/discuss-phase/modes/chain.md +98 -0
package/gsd-core/workflows/discuss-phase/modes/default.md +141 -0
package/gsd-core/workflows/discuss-phase/modes/power.md +44 -0
package/gsd-core/workflows/discuss-phase/modes/text.md +55 -0
package/gsd-core/workflows/discuss-phase/templates/checkpoint.json +18 -0
package/gsd-core/workflows/discuss-phase/templates/context.md +136 -0
package/gsd-core/workflows/discuss-phase/templates/discussion-log.md +50 -0
package/gsd-core/workflows/discuss-phase-assumptions.md +675 -0
package/gsd-core/workflows/discuss-phase-power.md +291 -0
package/gsd-core/workflows/discuss-phase.md +499 -0
package/gsd-core/workflows/do.md +111 -0
package/gsd-core/workflows/docs-update.md +1176 -0
package/gsd-core/workflows/edit-phase.md +295 -0
package/gsd-core/workflows/eval-review.md +156 -0
package/gsd-core/workflows/execute-phase/steps/codebase-drift-gate.md +95 -0
package/gsd-core/workflows/execute-phase/steps/per-plan-worktree-gate.md +94 -0
package/gsd-core/workflows/execute-phase/steps/post-merge-gate.md +117 -0
package/gsd-core/workflows/execute-phase.md +1752 -0
package/gsd-core/workflows/execute-plan.md +526 -0
package/gsd-core/workflows/explore.md +146 -0
package/gsd-core/workflows/extract-learnings.md +243 -0
package/gsd-core/workflows/fast.md +124 -0
package/gsd-core/workflows/forensics.md +279 -0
package/gsd-core/workflows/graduation.md +196 -0
package/gsd-core/workflows/health.md +224 -0
package/gsd-core/workflows/help/modes/brief.md +22 -0
package/gsd-core/workflows/help/modes/default.md +50 -0
package/gsd-core/workflows/help/modes/full.md +789 -0
package/gsd-core/workflows/help/modes/topic.md +74 -0
package/gsd-core/workflows/help.md +24 -0
package/gsd-core/workflows/import.md +256 -0
package/gsd-core/workflows/inbox.md +387 -0
package/gsd-core/workflows/ingest-docs.md +340 -0
package/gsd-core/workflows/insert-phase.md +152 -0
package/gsd-core/workflows/list-phase-assumptions.md +178 -0
package/gsd-core/workflows/list-workspaces.md +57 -0
package/gsd-core/workflows/manager.md +393 -0
package/gsd-core/workflows/map-codebase.md +446 -0
package/gsd-core/workflows/milestone-summary.md +224 -0
package/gsd-core/workflows/model-domain.md +162 -0
package/gsd-core/workflows/mvp-phase.md +222 -0
package/gsd-core/workflows/new-milestone.md +635 -0
package/gsd-core/workflows/new-project.md +1555 -0
package/gsd-core/workflows/new-workspace.md +240 -0
package/gsd-core/workflows/next.md +299 -0
package/gsd-core/workflows/node-repair.md +92 -0
package/gsd-core/workflows/note.md +158 -0
package/gsd-core/workflows/pause-work.md +244 -0
package/gsd-core/workflows/plan-milestone-gaps.md +281 -0
package/gsd-core/workflows/plan-phase.md +1814 -0
package/gsd-core/workflows/plan-review-convergence.md +346 -0
package/gsd-core/workflows/plant-seed.md +230 -0
package/gsd-core/workflows/pr-branch.md +157 -0
package/gsd-core/workflows/profile-user.md +453 -0
package/gsd-core/workflows/progress.md +699 -0
package/gsd-core/workflows/quick.md +1017 -0
package/gsd-core/workflows/reapply-patches.md +426 -0
package/gsd-core/workflows/recommend-architecture.md +135 -0
package/gsd-core/workflows/remove-phase.md +156 -0
package/gsd-core/workflows/remove-workspace.md +108 -0
package/gsd-core/workflows/resume-project.md +332 -0
package/gsd-core/workflows/review.md +748 -0
package/gsd-core/workflows/scan.md +107 -0
package/gsd-core/workflows/secure-phase.md +182 -0
package/gsd-core/workflows/session-report.md +146 -0
package/gsd-core/workflows/settings-advanced.md +810 -0
package/gsd-core/workflows/settings-integrations.md +312 -0
package/gsd-core/workflows/settings.md +566 -0
package/gsd-core/workflows/ship.md +405 -0
package/gsd-core/workflows/sketch-wrap-up.md +286 -0
package/gsd-core/workflows/sketch.md +361 -0
package/gsd-core/workflows/spec-phase.md +263 -0
package/gsd-core/workflows/spike-wrap-up.md +307 -0
package/gsd-core/workflows/spike.md +453 -0
package/gsd-core/workflows/stats.md +80 -0
package/gsd-core/workflows/sync-skills.md +182 -0
package/gsd-core/workflows/testing-strategy.md +122 -0
package/gsd-core/workflows/thread.md +222 -0
package/gsd-core/workflows/transition.md +694 -0
package/gsd-core/workflows/ui-phase.md +328 -0
package/gsd-core/workflows/ui-review.md +193 -0
package/gsd-core/workflows/ultraplan-phase.md +199 -0
package/gsd-core/workflows/undo.md +314 -0
package/gsd-core/workflows/update.md +496 -0
package/gsd-core/workflows/validate-phase.md +181 -0
package/gsd-core/workflows/verify-phase.md +544 -0
package/gsd-core/workflows/verify-work.md +781 -0
package/hooks/dist/gsd-check-update-worker.js +108 -0
package/hooks/dist/gsd-check-update.js +66 -0
package/hooks/dist/gsd-config-reload.js +133 -0
package/hooks/dist/gsd-context-monitor.js +195 -0
package/hooks/dist/gsd-cursor-post-tool.js +75 -0
package/hooks/dist/gsd-cursor-session-start.js +52 -0
package/hooks/dist/gsd-graphify-update.sh +158 -0
package/hooks/dist/gsd-phase-boundary.sh +47 -0
package/hooks/dist/gsd-prompt-guard.js +97 -0
package/hooks/dist/gsd-read-guard.js +101 -0
package/hooks/dist/gsd-read-injection-scanner.js +203 -0
package/hooks/dist/gsd-session-state.sh +59 -0
package/hooks/dist/gsd-statusline.js +566 -0
package/hooks/dist/gsd-update-banner.js +138 -0
package/hooks/dist/gsd-validate-commit.sh +57 -0
package/hooks/dist/gsd-workflow-guard.js +167 -0
package/hooks/dist/gsd-worktree-path-guard.js +169 -0
package/hooks/dist/lib/git-cmd.js +150 -0
package/hooks/dist/lib/gsd-graphify-rebuild.sh +65 -0
package/hooks/dist/managed-hooks-registry.cjs +38 -0
package/hooks/gsd-check-update-worker.js +108 -0
package/hooks/gsd-check-update.js +66 -0
package/hooks/gsd-config-reload.js +133 -0
package/hooks/gsd-context-monitor.js +195 -0
package/hooks/gsd-cursor-post-tool.js +75 -0
package/hooks/gsd-cursor-session-start.js +52 -0
package/hooks/gsd-graphify-update.sh +158 -0
package/hooks/gsd-phase-boundary.sh +47 -0
package/hooks/gsd-prompt-guard.js +97 -0
package/hooks/gsd-read-guard.js +101 -0
package/hooks/gsd-read-injection-scanner.js +203 -0
package/hooks/gsd-session-state.sh +59 -0
package/hooks/gsd-statusline.js +566 -0
package/hooks/gsd-update-banner.js +138 -0
package/hooks/gsd-validate-commit.sh +57 -0
package/hooks/gsd-workflow-guard.js +167 -0
package/hooks/gsd-worktree-path-guard.js +169 -0
package/hooks/hooks.json +69 -0
package/hooks/lib/git-cmd.js +150 -0
package/hooks/lib/gsd-graphify-rebuild.sh +65 -0
package/hooks/managed-hooks-registry.cjs +38 -0
package/package.json +115 -0
package/scripts/affected-tests-lib.cjs +542 -0
package/scripts/audit-workflow-script-paths.cjs +73 -0
package/scripts/base64-scan.sh +351 -0
package/scripts/build-hooks.js +247 -0
package/scripts/changeset/README.md +129 -0
package/scripts/changeset/cli.cjs +590 -0
package/scripts/changeset/github-release-notes.cjs +199 -0
package/scripts/changeset/lint.cjs +111 -0
package/scripts/changeset/new.cjs +137 -0
package/scripts/changeset/parse.cjs +114 -0
package/scripts/changeset/render.cjs +34 -0
package/scripts/changeset/serialize.cjs +130 -0
package/scripts/check-alias-drift.cjs +114 -0
package/scripts/check-env.cjs +312 -0
package/scripts/check-npm-integrity.cjs +215 -0
package/scripts/ci-guard-runner.cjs +22 -0
package/scripts/ci-prepare-test-scope.cjs +51 -0
package/scripts/ci-rebase-check.cjs +86 -0
package/scripts/ci-test-scope.cjs +431 -0
package/scripts/command-contract-helpers.cjs +64 -0
package/scripts/diff-touches-shipped-paths.cjs +155 -0
package/scripts/fix-slash-commands.cjs +147 -0
package/scripts/gen-inventory-manifest.cjs +115 -0
package/scripts/gen-research-agents.cjs +276 -0
package/scripts/generate-package-identity.cjs +125 -0
package/scripts/issue-dedupe.cjs +278 -0
package/scripts/lib/allowlist-ratchet.cjs +136 -0
package/scripts/lib/cli-exit.cjs +56 -0
package/scripts/lint-command-contract.cjs +114 -0
package/scripts/lint-descriptions.cjs +87 -0
package/scripts/lint-docs-required.cjs +222 -0
package/scripts/lint-legacy-dir-name.cjs +160 -0
package/scripts/lint-package-identity-drift.cjs +141 -0
package/scripts/lint-pr-check-project-dir.cjs +99 -0
package/scripts/lint-shell-command-projection-drift.cjs +62 -0
package/scripts/lint-skill-deps.cjs +185 -0
package/scripts/lint-test-file-count.allowlist.json +135 -0
package/scripts/lint-test-file-count.cjs +246 -0
package/scripts/mutation-matrix.cjs +222 -0
package/scripts/pr-template-policy.cjs +268 -0
package/scripts/prompt-injection-scan.sh +207 -0
package/scripts/release-notes/discord-release-summary.cjs +373 -0
package/scripts/release-notes/format-github-release-notes.cjs +261 -0
package/scripts/release-tarball-smoke.cjs +629 -0
package/scripts/research-profiles.cjs +149 -0
package/scripts/run-affected-tests.cjs +7 -0
package/scripts/run-cross-platform-tests.cjs +67 -0
package/scripts/run-tests.cjs +315 -0
package/scripts/secret-scan-lint.sh +231 -0
package/scripts/secret-scan.sh +358 -0
package/scripts/setup-branch-protection.sh +236 -0
package/scripts/strip-prose-atrefs.cjs +106 -0
package/scripts/sync-manifest-versions.cjs +119 -0
package/scripts/sync-rulesets.sh +34 -0
package/scripts/sync-runtime-launcher.cjs +399 -0
package/scripts/test-failure-reasons.cjs +34 -0
package/scripts/verify-npm-publish.cjs +240 -0
package/scripts/workflow-policy.cjs +450 -0

package/gsd-core/bin/lib/observability/logger.cjs ADDED Viewed

@@ -0,0 +1,146 @@
+"use strict";
+/**
+ * DispatchLogger interface + default implementation — issue #177 (ADR-0174 P1.3).
+ *
+ * Interface:
+ *   { onEvent(event: DispatchEvent): void }
+ *
+ * Default behaviour (createDefaultLogger):
+ *   1. Silent on success — no stdout/stderr when result.kind === 'ok'.
+ *   2. Structured JSON to stderr on error — one line per dispatch error.
+ *   3. Opt-in audit file — when GSD_AUDIT=1 OR config.audit.enabled===true,
+ *      appends every event (success + error) as one JSON line to
+ *      .planning/.gsd-trace.jsonl relative to `cwd`. Creates .planning/ if absent.
+ *   4. Args redaction — args omitted by default; included when GSD_AUDIT_ARGS=1.
+ *
+ * No-op logger (createNoOpLogger):
+ *   Silent on all events. Used as the Hub default when no logger is injected.
+ *
+ * ADR-457 build-at-publish: the hand-written bin/lib/observability/logger.cjs
+ * collapsed to a TypeScript source of truth. Behaviour is preserved
+ * byte-for-behaviour from the prior hand-written .cjs; only types are added.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const redaction_cjs_1 = require("./redaction.cjs");
+const AUDIT_FILE_NAME = '.gsd-trace.jsonl';
+const PLANNING_DIR = '.planning';
+// ─── helpers ─────────────────────────────────────────────────────────────────
+/**
+ * Safely serialise a value to JSON, falling back to a placeholder on circular refs.
+ */
+function _safeStringify(value) {
+    try {
+        return JSON.stringify(value);
+    }
+    catch {
+        return JSON.stringify({ _serializationError: true });
+    }
+}
+/**
+ * Determine whether the audit file should be written to.
+ */
+function _isAuditEnabled(config) {
+    if (process.env['GSD_AUDIT'] === '1')
+        return true;
+    if (config && config.audit && config.audit.enabled === true)
+        return true;
+    return false;
+}
+/**
+ * Build the redacted plain object for the audit file.
+ * Preserves the full DispatchEvent structure.
+ */
+function _toAuditRecord(event) {
+    return (0, redaction_cjs_1.redactEvent)(event);
+}
+/**
+ * Build the flattened stderr error line.
+ *
+ * Per ADR-0174 P1.3 contract: { "kind": "<variant>", "traceId": "<uuid>", ...typedPayload }
+ * The result's kind is promoted to top-level and the typed payload fields are spread in.
+ * The `result` wrapper is removed.
+ */
+function _toStderrRecord(event) {
+    const redacted = (0, redaction_cjs_1.redactEvent)(event);
+    const { result, ...eventWithoutResult } = redacted;
+    // Flatten: top-level gets kind + typed payload fields from result
+    const resultObj = result;
+    const { kind, ...typedPayload } = resultObj;
+    return Object.assign({}, eventWithoutResult, { kind }, typedPayload);
+}
+/**
+ * Append one JSON line to the audit file.
+ * Creates .planning/ directory if it does not exist.
+ *
+ * Uses synchronous fs API (crash-safe for v1 — dispatch is synchronous).
+ */
+function _appendAuditLine(cwd, event) {
+    const planningDir = node_path_1.default.join(cwd, PLANNING_DIR);
+    // Ensure the directory exists
+    if (!node_fs_1.default.existsSync(planningDir)) {
+        node_fs_1.default.mkdirSync(planningDir, { recursive: true });
+    }
+    const auditPath = node_path_1.default.join(planningDir, AUDIT_FILE_NAME);
+    node_fs_1.default.appendFileSync(auditPath, _safeStringify(event) + '\n', 'utf8');
+}
+/**
+ * Create a no-op logger. All events are silently dropped.
+ * This is the Hub's default when no logger is injected by the caller.
+ */
+function createNoOpLogger() {
+    return {
+        onEvent(_event) {
+            // intentionally empty
+        },
+    };
+}
+/**
+ * Create the default DispatchLogger.
+ */
+function createDefaultLogger({ cwd = process.cwd(), config } = {}) {
+    return {
+        /**
+         * @param event - A DispatchEvent from the Hub.
+         */
+        onEvent(event) {
+            const resultObj = event && event['result'];
+            const isOk = resultObj && resultObj['kind'] === 'ok';
+            // ── Audit file (both ok and error) ────────────────────────────────────
+            if (_isAuditEnabled(config)) {
+                try {
+                    const auditRecord = _toAuditRecord(event);
+                    _appendAuditLine(cwd, auditRecord);
+                }
+                catch (auditErr) {
+                    // Audit errors must not surface to callers
+                    process.stderr.write(_safeStringify({
+                        level: 'warn',
+                        source: 'DispatchLogger',
+                        message: 'audit file write failed: ' + String(auditErr?.message ?? auditErr),
+                    }) + '\n');
+                }
+            }
+            // ── Stderr on error ───────────────────────────────────────────────────
+            if (!isOk) {
+                try {
+                    const stderrRecord = _toStderrRecord(event);
+                    process.stderr.write(_safeStringify(stderrRecord) + '\n');
+                }
+                catch (stderrErr) {
+                    // Last-resort: we cannot throw from the logger
+                    process.stderr.write(_safeStringify({
+                        level: 'warn',
+                        source: 'DispatchLogger',
+                        message: 'stderr emit failed: ' + String(stderrErr?.message ?? stderrErr),
+                    }) + '\n');
+                }
+            }
+            // ── Silent on success (no else branch needed) ─────────────────────────
+        },
+    };
+}
+module.exports = { createDefaultLogger, createNoOpLogger };

package/gsd-core/bin/lib/observability/redaction.cjs ADDED Viewed

@@ -0,0 +1,48 @@
+"use strict";
+/**
+ * Arg redaction policy — issue #177 (ADR-457 build-at-publish: the
+ * hand-written bin/lib/observability/redaction.cjs collapsed to a TypeScript
+ * source of truth). Behaviour is preserved byte-for-behaviour from the prior
+ * hand-written .cjs; only types are added.
+ *
+ * Privacy default: args are OMITTED from every emitted event (both stderr
+ * and file audit). Opt-in: set GSD_AUDIT_ARGS=1 to include args verbatim.
+ *
+ * This module is deliberately simple and has no side effects — redaction
+ * decisions are stateless reads of process.env at call time so that tests
+ * can toggle the env var without module-level caching issues.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.shouldIncludeArgs = shouldIncludeArgs;
+exports.redactEvent = redactEvent;
+/**
+ * Returns true when the caller has opted in to including args in events.
+ * Only GSD_AUDIT_ARGS === '1' enables inclusion; any other value (including
+ * empty string, 'true', 'yes') keeps the default of omitting args.
+ */
+function shouldIncludeArgs() {
+    return process.env.GSD_AUDIT_ARGS === '1';
+}
+/**
+ * Return a redacted copy of a DispatchEvent.
+ *
+ * If args should be omitted (default), strips the `args` field entirely.
+ * If args should be included (GSD_AUDIT_ARGS=1), passes the event through
+ * unchanged (args were already set by makeDispatchEvent with includeArgs:true,
+ * or absent — in which case they stay absent).
+ *
+ * The original event object is never mutated (it is frozen by makeDispatchEvent).
+ *
+ * @param event - A DispatchEvent (frozen or plain).
+ * @returns A new plain object with the same fields, minus args when redacted.
+ */
+function redactEvent(event) {
+    if (shouldIncludeArgs()) {
+        // Include path: return a shallow copy with args preserved if present
+        const copy = Object.assign({}, event);
+        return copy;
+    }
+    // Exclude path: build a copy omitting `args`
+    const { args: _dropped, ...rest } = event;
+    return rest;
+}

package/gsd-core/bin/lib/package-identity.cjs ADDED Viewed

@@ -0,0 +1,35 @@
+// @generated by scripts/generate-package-identity.cjs from package.json — DO NOT EDIT.
+// Single source for GSD package coordinates (issue #498). Regenerate with:
+//   node scripts/generate-package-identity.cjs
+'use strict';
+const packageName = "@therocketcode/gsd-core";
+const binName = "gsd-core";
+const repoSlug = "TheRocketCodeMX/gsd-core";
+const repoUrl = "https://github.com/TheRocketCodeMX/gsd-core";
+const changelogRawUrl = "https://raw.githubusercontent.com/TheRocketCodeMX/gsd-core/main/CHANGELOG.md";
+const cacheSlug = "therocketcode-gsd-core";
+const updateCacheFileName = "gsd-update-check-therocketcode-gsd-core.json";
+function formatManualInstall({ packageName, binName, scope, runtime } = {}) {
+  const runtimeFlag = runtime ? ` --${runtime}` : '';
+  return `npx -y --package=${packageName}@latest -- ${binName}${runtimeFlag} --${scope}`;
+}
+function manualInstallCommand(opts = {}) {
+  return formatManualInstall({ packageName, binName, scope: opts.scope, runtime: opts.runtime });
+}
+module.exports = Object.freeze({
+  packageName,
+  // PACKAGE_NAME: back-compat alias for #516-era consumers. Baked here, so it
+  // survives the installed tree's synthetic package.json (fixes the #378 undefined).
+  PACKAGE_NAME: packageName,
+  binName,
+  repoSlug,
+  repoUrl,
+  changelogRawUrl,
+  cacheSlug,
+  updateCacheFileName,
+  manualInstallCommand,
+});

package/gsd-core/bin/lib/package-legitimacy.cjs ADDED Viewed

@@ -0,0 +1,368 @@
+"use strict";
+/**
+ * Package Legitimacy Module
+ *
+ * Replaces the bolt-on prose slopcheck gate (which pip-installed `slopcheck`
+ * and degraded ALL packages to [ASSUMED] when pip failed) with registry-API
+ * verdicts computed in code.
+ *
+ * Public interface:
+ *   DEFAULT_THRESHOLDS  — baseline thresholds
+ *   classifyPackage     — pure function: signals → { verdict, reasons }
+ *   checkPackages       — async: resolves registry signals and classifies
+ *   _setHttpGet         — test seam: override the HTTP transport (pass null to restore)
+ *
+ * All network IO is injected via a `registry` client option so that tests
+ * never touch the real network (same seam pattern as clock injection).
+ *
+ * ADR-457 build-at-publish: authored as TypeScript .cts → emits .cjs via tsc.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+const https = __importStar(require("node:https"));
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+const DEFAULT_THRESHOLDS = {
+    minAgeDays: 30,
+    minWeeklyDownloads: 1000,
+    requireRepo: true,
+};
+// Matches common dangerous postinstall execution patterns.
+// Deliberately EXCLUDES bare https?:// (over-fires on legit packages like
+// esbuild/sharp/node-gyp that reference download URLs without executing them).
+// Shell-execution / download-and-exec signatures only:
+const SUSPICIOUS_POSTINSTALL_RE = /(curl |wget |\|\s*(ba)?sh|bash -c|sh -c|node -e|eval|base64 -d|\/etc\/|\.\.\/|~\/|nc |>\s*\/)/i;
+// ---------------------------------------------------------------------------
+// Severity ordering for verdict merging (SLOP > SUS > OK)
+// ---------------------------------------------------------------------------
+const SEVERITY = { OK: 0, SUS: 1, SLOP: 2 };
+function moreSevereVerdict(a, b) {
+    return SEVERITY[a] >= SEVERITY[b] ? a : b;
+}
+// ---------------------------------------------------------------------------
+// classifyPackage — pure, no IO
+// ---------------------------------------------------------------------------
+function classifyPackage(signals, { thresholds = DEFAULT_THRESHOLDS, clock = Date } = {}) {
+    const reasons = [];
+    // Terminal: package does not exist
+    if (signals.exists === false) {
+        return { verdict: 'SLOP', reasons: ['does-not-exist'] };
+    }
+    // Age check
+    if (signals.publishedAt == null) {
+        reasons.push('unknown-age');
+    }
+    else {
+        const parsed = Date.parse(String(signals.publishedAt));
+        if (!Number.isFinite(parsed)) {
+            // Unparseable date — treat as unknown
+            reasons.push('unknown-age');
+        }
+        else {
+            const ageDays = Math.floor((clock.now() - parsed) / 86_400_000);
+            if (ageDays < thresholds.minAgeDays) {
+                reasons.push('too-new');
+            }
+        }
+    }
+    // Downloads check
+    const downloads = signals.weeklyDownloads;
+    if (downloads == null) {
+        reasons.push('unknown-downloads');
+    }
+    else if (typeof downloads !== 'number' || !Number.isFinite(downloads)) {
+        // Odd type / NaN — treat as unknown
+        reasons.push('unknown-downloads');
+    }
+    else if (downloads < thresholds.minWeeklyDownloads) {
+        reasons.push('low-downloads');
+    }
+    // Repository check
+    if (thresholds.requireRepo && !signals.repoUrl) {
+        reasons.push('no-repository');
+    }
+    // Deprecated check
+    if (signals.deprecated === true) {
+        reasons.push('deprecated');
+    }
+    // Suspicious postinstall (npm only — but apply whenever postinstall is present)
+    if (signals.postinstall != null && typeof signals.postinstall === 'string') {
+        if (SUSPICIOUS_POSTINSTALL_RE.test(signals.postinstall)) {
+            reasons.push('suspicious-postinstall');
+        }
+    }
+    // Terminal: suspicious postinstall is a slopsquatting execution risk
+    if (reasons.includes('suspicious-postinstall')) {
+        return { verdict: 'SLOP', reasons };
+    }
+    const verdict = reasons.length > 0 ? 'SUS' : 'OK';
+    return { verdict, reasons };
+}
+// ---------------------------------------------------------------------------
+// Injectable HTTP transport (test seam — W1)
+// ---------------------------------------------------------------------------
+/** The real HTTPS transport — resolves { statusCode, body } */
+function realHttpsGet(url, timeoutMs) {
+    return new Promise((resolve, reject) => {
+        const req = https.get(url, { headers: { 'User-Agent': 'gsd-core-package-legitimacy/1.0' } }, (res) => {
+            const chunks = [];
+            res.on('data', (c) => chunks.push(c));
+            res.on('end', () => resolve({
+                statusCode: res.statusCode ?? 0,
+                body: Buffer.concat(chunks).toString('utf8'),
+            }));
+            res.on('error', reject);
+        });
+        req.setTimeout(timeoutMs, () => {
+            req.destroy(new Error(`timeout after ${timeoutMs}ms`));
+        });
+        req.on('error', reject);
+    });
+}
+/** Module-level transport pointer — overrideable via _setHttpGet for tests */
+let httpsGet = realHttpsGet;
+/**
+ * Test seam: replace the HTTP transport. Pass null to restore the real transport.
+ * Tests call this before exercising a real-adapter code path; always restore in finally.
+ */
+function _setHttpGet(fn) {
+    httpsGet = fn ?? realHttpsGet;
+}
+// ---------------------------------------------------------------------------
+// Real registry adapters (not exercised by tests — tests inject fakes)
+// ---------------------------------------------------------------------------
+function degradedSignals() {
+    return {
+        exists: null,
+        publishedAt: null,
+        weeklyDownloads: null,
+        repoUrl: null,
+        deprecated: false,
+        postinstall: null,
+    };
+}
+async function lookupNpm(name, version) {
+    try {
+        const resp = await httpsGet(`https://registry.npmjs.org/${encodeURIComponent(name)}`, 5000);
+        if (resp.statusCode === 404)
+            return { ...degradedSignals(), exists: false };
+        if (resp.statusCode < 200 || resp.statusCode >= 300)
+            return degradedSignals();
+        const data = JSON.parse(resp.body);
+        if (data.error)
+            return { ...degradedSignals(), exists: false };
+        const time = data.time ?? {};
+        const allVersions = data.versions ?? {};
+        // I3: when a specific version is requested, verify it exists
+        if (version !== undefined) {
+            if (!(version in allVersions)) {
+                return { ...degradedSignals(), exists: false };
+            }
+        }
+        const latestVersion = data['dist-tags']?.latest ?? '';
+        const resolvedVersion = version !== undefined ? version : latestVersion;
+        const versionMeta = allVersions[resolvedVersion] ?? {};
+        const scripts = versionMeta.scripts ??
+            {};
+        const postinstall = scripts.postinstall ?? null;
+        const repoField = versionMeta.repository;
+        let repoUrl = null;
+        if (typeof repoField === 'string')
+            repoUrl = repoField;
+        else if (repoField && typeof repoField.url === 'string') {
+            repoUrl = repoField.url;
+        }
+        const deprecated = typeof versionMeta.deprecated === 'string' ? true : false;
+        // Fetch weekly download count from the npm downloads API
+        let weeklyDownloads = null;
+        try {
+            const dlResp = await httpsGet(`https://api.npmjs.org/downloads/point/last-week/${encodeURIComponent(name)}`, 5000);
+            if (dlResp.statusCode >= 200 && dlResp.statusCode < 300) {
+                const dlData = JSON.parse(dlResp.body);
+                if (typeof dlData.downloads === 'number') {
+                    weeklyDownloads = dlData.downloads;
+                }
+            }
+        }
+        catch {
+            // Degraded: leave weeklyDownloads as null, never throw
+        }
+        return {
+            exists: true,
+            publishedAt: time[resolvedVersion] ?? time.created ?? null,
+            weeklyDownloads,
+            repoUrl,
+            deprecated,
+            postinstall,
+            ecosystem: 'npm',
+        };
+    }
+    catch {
+        return degradedSignals();
+    }
+}
+async function lookupPypi(name, version) {
+    try {
+        const resp = await httpsGet(`https://pypi.org/pypi/${encodeURIComponent(name)}/json`, 5000);
+        if (resp.statusCode === 404)
+            return { ...degradedSignals(), exists: false };
+        if (resp.statusCode < 200 || resp.statusCode >= 300)
+            return degradedSignals();
+        const data = JSON.parse(resp.body);
+        const info = data.info ?? {};
+        // I3: when a specific version is requested, verify it exists in releases
+        const releases = data.releases ?? {};
+        if (version !== undefined) {
+            if (!(version in releases)) {
+                return { ...degradedSignals(), exists: false };
+            }
+        }
+        // Finding 2: when version is provided, derive publishedAt from the
+        // version-specific release record rather than the package-level urls[] array
+        // (which reflects the latest release, not the requested version).
+        let uploadTime = null;
+        if (version !== undefined) {
+            const versionFiles = releases[version] ?? [];
+            uploadTime =
+                versionFiles.length > 0
+                    ? versionFiles[0].upload_time_iso_8601 ?? null
+                    : null;
+        }
+        else {
+            const urls = data.urls ?? [];
+            uploadTime =
+                urls.length > 0 ? urls[0].upload_time_iso_8601 ?? null : null;
+        }
+        const projectUrls = info.project_urls;
+        const repoUrl = projectUrls?.['Source'] ??
+            projectUrls?.['Homepage'] ??
+            info.home_page ??
+            null;
+        return {
+            exists: true,
+            publishedAt: uploadTime,
+            weeklyDownloads: null, // PyPI weekly downloads require a separate API
+            repoUrl: repoUrl || null,
+            deprecated: false, // PyPI doesn't have a first-class deprecated field
+            postinstall: null, // Not applicable for PyPI
+            ecosystem: 'pypi',
+        };
+    }
+    catch {
+        return degradedSignals();
+    }
+}
+async function lookupCrates(name, version) {
+    try {
+        const resp = await httpsGet(`https://crates.io/api/v1/crates/${encodeURIComponent(name)}`, 5000);
+        if (resp.statusCode === 404)
+            return { ...degradedSignals(), exists: false };
+        if (resp.statusCode < 200 || resp.statusCode >= 300)
+            return degradedSignals();
+        const data = JSON.parse(resp.body);
+        const krate = data.crate ?? {};
+        // I3: when a specific version is requested, verify it exists in versions list
+        const versions = data.versions ?? [];
+        if (version !== undefined) {
+            const found = versions.some((v) => v.num === version);
+            if (!found) {
+                return { ...degradedSignals(), exists: false };
+            }
+        }
+        const repoUrl = krate.repository ?? null;
+        // Finding 2: when version is provided, use the version-specific created_at
+        // rather than the package-level crate.created_at (first-ever publish date).
+        let created;
+        if (version !== undefined) {
+            const versionObj = versions.find((v) => v.num === version);
+            created = versionObj?.created_at ?? null;
+        }
+        else {
+            created = krate.created_at ?? null;
+        }
+        // recent_downloads is a 90-day count; normalize to a weekly figure for comparison
+        // against minWeeklyDownloads (which is a weekly threshold).
+        const rawDownloads = krate.recent_downloads;
+        const downloads = (rawDownloads != null && typeof Number(rawDownloads) === 'number' && !isNaN(Number(rawDownloads)))
+            ? Math.round(Number(rawDownloads) * 7 / 90)
+            : null;
+        return {
+            exists: true,
+            publishedAt: created,
+            weeklyDownloads: downloads,
+            repoUrl,
+            deprecated: false,
+            postinstall: null,
+            ecosystem: 'crates',
+        };
+    }
+    catch {
+        return degradedSignals();
+    }
+}
+const realRegistry = {
+    async lookup(ecosystem, name, version) {
+        switch (ecosystem) {
+            case 'npm':
+                return lookupNpm(name, version);
+            case 'pypi':
+                return lookupPypi(name, version);
+            case 'crates':
+                return lookupCrates(name, version);
+            default:
+                return degradedSignals();
+        }
+    },
+};
+// ---------------------------------------------------------------------------
+// checkPackages — orchestrates lookup + classify + slopcheck merge
+// ---------------------------------------------------------------------------
+async function checkPackages({ ecosystem, packages, version }, { registry = realRegistry, clock = Date, thresholds = DEFAULT_THRESHOLDS, slopcheck = null, } = {}) {
+    const results = [];
+    for (const name of packages) {
+        const signals = await registry.lookup(ecosystem, name, version);
+        const { verdict: registryVerdict, reasons } = classifyPackage(signals, { thresholds, clock });
+        let finalVerdict = registryVerdict;
+        if (slopcheck != null) {
+            const slopVerdict = await slopcheck.check(ecosystem, name);
+            if (slopVerdict != null) {
+                finalVerdict = moreSevereVerdict(finalVerdict, slopVerdict);
+            }
+        }
+        results.push({ name, verdict: finalVerdict, signals, reasons });
+    }
+    return results;
+}
+module.exports = { DEFAULT_THRESHOLDS, classifyPackage, checkPackages, _setHttpGet };