gsdd-cli 0.19.2 → 0.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/README.md +1 -0
  2. package/agents/DISTILLATION.md +16 -4
  3. package/agents/README.md +12 -0
  4. package/agents/approach-explorer.md +4 -4
  5. package/agents/executor.md +3 -0
  6. package/agents/integration-checker.md +2 -2
  7. package/agents/mapper.md +2 -2
  8. package/agents/planner.md +13 -1
  9. package/agents/researcher.md +2 -2
  10. package/agents/roadmapper.md +3 -1
  11. package/agents/synthesizer.md +2 -2
  12. package/agents/verifier.md +2 -0
  13. package/bin/gsdd.mjs +4 -5
  14. package/bin/lib/health.mjs +21 -3
  15. package/bin/lib/init-runtime.mjs +3 -0
  16. package/bin/lib/lifecycle-state.mjs +2 -2
  17. package/bin/lib/rendering.mjs +5 -0
  18. package/bin/lib/templates.mjs +1 -1
  19. package/bin/lib/ui-proof.mjs +467 -0
  20. package/distilled/DESIGN.md +88 -7
  21. package/distilled/EVIDENCE-INDEX.md +14 -0
  22. package/distilled/templates/delegates/approach-explorer.md +1 -1
  23. package/distilled/templates/delegates/mapper-arch.md +1 -1
  24. package/distilled/templates/delegates/mapper-concerns.md +1 -1
  25. package/distilled/templates/delegates/mapper-quality.md +1 -1
  26. package/distilled/templates/delegates/mapper-tech.md +1 -1
  27. package/distilled/templates/delegates/plan-checker.md +4 -2
  28. package/distilled/templates/delegates/researcher-architecture.md +1 -1
  29. package/distilled/templates/delegates/researcher-features.md +1 -1
  30. package/distilled/templates/delegates/researcher-pitfalls.md +1 -1
  31. package/distilled/templates/delegates/researcher-stack.md +1 -1
  32. package/distilled/templates/delegates/researcher-synthesizer.md +2 -2
  33. package/distilled/templates/ui-proof.md +174 -0
  34. package/distilled/workflows/audit-milestone.md +2 -1
  35. package/distilled/workflows/execute.md +7 -8
  36. package/distilled/workflows/map-codebase.md +4 -4
  37. package/distilled/workflows/new-project.md +8 -8
  38. package/distilled/workflows/plan.md +12 -11
  39. package/distilled/workflows/quick.md +6 -0
  40. package/distilled/workflows/verify.md +6 -4
  41. package/package.json +1 -1
package/README.md CHANGED
@@ -346,6 +346,7 @@ Workflows are agent skills or commands, not plain shell utilities. How you invok
346
346
  | `npx -y gsdd-cli init [--tools <platform>]` | Set up `.planning/`, generate skills/adapters |
347
347
  | `npx -y gsdd-cli update [--tools <platform>] [--templates]` | Regenerate skills/adapters and refresh the repo-local helper runtime; `--templates` refreshes `.planning/templates/` and role contracts |
348
348
  | `npx -y gsdd-cli health [--json]` | Check workspace integrity and generated-surface freshness (healthy/degraded/broken) |
349
+ | `npx -y gsdd-cli ui-proof validate <path> [--claim <public\|publication\|tracked\|delivery\|release>]` | Validate UI proof bundle metadata without requiring browser tooling; use `--claim` only when validating that stronger proof use |
349
350
  | `npx -y gsdd-cli file-op <copy\|delete\|regex-sub>` | Run deterministic workspace-confined file copy, delete, and regex substitution |
350
351
  | `npx -y gsdd-cli find-phase [N]` | Show phase info as JSON (for agent consumption) |
351
352
  | `npx -y gsdd-cli phase-status <N> <status>` | Update a single ROADMAP phase status through the status-aware helper |
@@ -54,7 +54,7 @@ Evidence map from each of the 10 canonical GSDD roles to their GSD sources, with
54
54
  - Explicit "Scope" table showing scope × trigger × focus × output location
55
55
  - Clear statement: "Same algorithm, different scope. The scope is a context input, not a different role."
56
56
 
57
- **Rationale:** The GSD original had two roles (project and phase researcher) that followed the identical algorithm but with a scope parameter. GSDD merged them into one canonical role taking scope as input, reducing the role count from 11 to 9 (later 10 with approach-explorer in D29) while preserving all leverage. This is the clean merger mentioned in D2.
57
+ **Rationale:** The GSD original had two roles (project and phase researcher) that followed the identical algorithm but with a scope parameter. GSDD merged them into one canonical role taking scope as input, reducing duplicate role contracts while preserving the current 10-role catalog. This is the clean merger mentioned in D2.
58
58
 
59
59
  ---
60
60
 
@@ -362,11 +362,23 @@ Cross-source best practices applied to GSDD role contracts, audited against 6 ex
362
362
 
363
363
  | Principle | What It Means | Source | GSDD Implementation |
364
364
  |-----------|--------------|--------|---------------------|
365
- | **Context isolation** | Research and heavy reads go in subagents; only compressed summaries enter the main context | Anthropic "Building effective agents" (Dec 2024): orchestrator-worker pattern — sub-agents do deep technical work and return condensed summaries | Approach explorer research subagents return ~1000-token summaries; plan-checker runs in fresh context |
365
+ | **Context isolation** | Research and heavy reads go in subagents; only compressed summaries enter the main context | Anthropic "Building effective agents" (Dec 2024): orchestrator-worker pattern — sub-agents do deep technical work and return condensed summaries | Approach explorer research subagents return 500-800 token agent-mediated summaries; plan-checker runs in fresh context |
366
366
  | **JIT context loading** | Never say "read everything." Specify what to extract from each file | LangChain "Context Engineering for Agents" (2025): Select step of Write/Select/Compress/Isolate — load only the specific content needed, not full files | `<input_contract>` with extraction guidance: "From SPEC.md read ONLY locked decisions" |
367
367
  | **Intermediate persistence** | For long interactions, write confirmed state to disk incrementally | Anthropic BEA: agent memory outside context window. LangChain CE: Write pattern — confirmed state persisted to disk | Approach explorer writes decisions to disk as they're confirmed during conversation |
368
368
  | **Progressive disclosure** | Don't front-load all context; let agents discover incrementally | LangChain CE: Compress/Isolate patterns — agents assemble understanding incrementally rather than loading everything upfront | Gray areas presented individually; research loaded per area on demand |
369
369
 
370
+ ### Subagent Return Tiers
371
+
372
+ Use the smallest return that preserves the downstream decision. Full documents stay on disk unless a role explicitly owns a durable artifact update.
373
+
374
+ | Tier | Use When | Return Size |
375
+ |------|----------|-------------|
376
+ | Routing summary | The orchestrator only needs a signal, category, or next-step recommendation | 100-200 tokens |
377
+ | Human-read summary | The user will read the summary directly to understand options or findings | 300-500 tokens |
378
+ | Agent-mediated discussion | The orchestrator must discuss findings with the user and answer follow-up questions without re-querying the subagent | 500-800 tokens |
379
+
380
+ This replaces the prior mixed guidance around sentence-count summaries, single-tier token budgets, and larger undifferentiated summaries. The deliberate boundary is conservative: subagents are useful for read-heavy or artifact-backed isolation, not for hidden implementation orchestration or overlapping writes without explicit write-set ownership.
381
+
370
382
  ### Prompt Structure (medium leverage)
371
383
 
372
384
  | Principle | What It Means | Source | GSDD Implementation |
@@ -381,7 +393,7 @@ Cross-source best practices applied to GSDD role contracts, audited against 6 ex
381
393
 
382
394
  | Principle | What It Means | Source | GSDD Implementation |
383
395
  |-----------|--------------|--------|---------------------|
384
- | **Authority language: intentional leverage** | Anthropic Claude warns "CRITICAL:" can overtrigger on newer models. GSDD decision: **keep CRITICAL: for mandatory initial-read** — a genuine compliance-critical instruction where skipping causes cascading failures. Emphasis markers work when rare and specific (signal-to-noise principle: one CRITICAL: in a role contract is a load-bearing gate; ten would be noise). Use normal language for algorithm steps, scope guidance, and quality rules. | Anthropic Claude prompting docs (overtriggering caution) + technical writing signal-to-noise principle. GSDD applies the caution selectively: only compliance-critical context gates use CRITICAL: | `CRITICAL: Mandatory initial read` kept in all 7 roles. `NEVER` kept for security (mapper secret protection). Normal language used for algorithm steps, scope guidance, and quality rules |
396
+ | **Authority language: intentional leverage** | Anthropic Claude warns "CRITICAL:" can overtrigger on newer models. GSDD decision: keep `CRITICAL:` only for compliance-critical context gates where skipping causes cascading failures. Emphasis markers work when rare and specific (signal-to-noise principle: one CRITICAL: in a role contract is a load-bearing gate; ten would be noise). Use normal language for algorithm steps, scope guidance, and quality rules. | Anthropic Claude prompting docs (overtriggering caution) + technical writing signal-to-noise principle. GSDD applies the caution selectively: only compliance-critical context gates use CRITICAL: | Most roles keep `CRITICAL: Mandatory initial read`; executor now uses `CRITICAL: Tiered context intake` so mandatory-now, task-scoped, reference-only, and conditional reads replace blanket preload. `NEVER` kept for security (mapper secret protection). Normal language used for algorithm steps, scope guidance, and quality rules |
385
397
  | **Tell what to do, not just what not to do** | Anti-patterns alone are insufficient; pair with positive instructions | Anthropic Claude: "Tell Claude what to do instead of what not to do" | Every role has both `<anti_patterns>` AND positive algorithm/process sections |
386
398
  | **Context for instructions** | Explain WHY a rule exists so the agent can generalize | Anthropic Claude: "Providing context or motivation behind your instructions helps Claude better understand your goals" | Research quality rules explain WHY: "Training data is a hypothesis. Verify before asserting." |
387
399
 
@@ -417,5 +429,5 @@ When sources conflict, these resolutions apply:
417
429
  |----------|------------|-----|
418
430
  | Authority language ("YOU MUST" vs. normal) | Keep CRITICAL: for mandatory initial-read (compliance-critical). Use normal language elsewhere | Emphasis markers work when rare and specific (signal-to-noise). Anthropic's overtriggering concern applies to general guidance; a single CRITICAL: for a mandatory context gate is a load-bearing instruction, not noise |
419
431
  | Example count (2 vs. 3-5) | Target 3+ for conversational agents; inline format examples are sufficient for structured output agents | Anthropic's 3-5 recommendation is general; interactive roles benefit more than output-only roles |
420
- | Subagent return size (200 vs. 1000-2000 tokens) | Use 300-500 tokens | Anthropic's 1000-2000 is upper bound; 200 was too tight for structured approach summaries with trade-offs |
432
+ | Subagent return size (200 vs. 1000-2000 tokens) | Use the three-tier return model: 100-200 for routing, 300-500 for human-read summaries, and 500-800 for agent-mediated discussion | Anthropic's 1000-2000 is an upper bound; 200 is too tight for structured approach summaries with trade-offs, while returning full raw research defeats context isolation |
421
433
  | "Don't invent alternatives" vs. "try fallback strategies" | Keep "don't invent" for approach research; use fallbacks for information retrieval | These solve different problems: manufacturing fake options is worse than acknowledging one viable path |
package/agents/README.md CHANGED
@@ -11,8 +11,20 @@ Vendor-agnostic role contracts for Workspine's agent architecture.
11
11
 
12
12
  Roles define what an agent is. Delegates define what an agent does in a specific workflow context.
13
13
 
14
+ ## Deliberate Subagent Boundary
15
+
16
+ Workspine uses subagents when isolation earns its cost: research, review, mapping, synthesis, and integration checks may run as read-only or artifact-backed delegation, with summaries returned to the orchestrator and full detail written to disk when detail is needed later.
17
+
18
+ Subagents must not become hidden implementation orchestration. Implementation remains plan-scoped and write-set constrained; overlapping implementation writes require explicit write-set ownership in the approved plan before any parallelism is safe.
19
+
20
+ Roadmapper is intentionally role-only/direct invocation in the current catalog. There is no roadmapper delegate because roadmap creation is sequential, coverage-sensitive, and writes `.planning/ROADMAP.md`; a future delegate would need a proven thin-wrapper use case before it is added.
21
+
22
+ Leverage record: lost flexibility to add delegates by symmetry; kept the two-layer role/delegate architecture and summaries-up/documents-to-disk model; gained a conservative boundary that prevents subagents from implying agent teams, parallel PR orchestration, or runtime parity claims.
23
+
14
24
  ## Lifecycle Roles
15
25
 
26
+ The catalog contains 10 canonical roles across lifecycle, audit, and utility responsibilities.
27
+
16
28
  | Role | File | Absorbs From (GSD) |
17
29
  |------|------|---------------------|
18
30
  | Mapper | `mapper.md` | `gsd-codebase-mapper.md` |
@@ -90,7 +90,7 @@ Generate 3-4 **phase-specific** gray areas. Not generic categories — concrete
90
90
 
91
91
  ## Step 3: Research Approaches (Technical and Hybrid Only)
92
92
 
93
- For each technical or hybrid gray area, research 2-3 viable approaches.
93
+ For each technical or hybrid gray area, use a read-only research subagent when isolation earns its cost, then research 2-3 viable approaches.
94
94
 
95
95
  **Source hierarchy:**
96
96
  1. Existing codebase — what patterns are already established?
@@ -311,7 +311,7 @@ Ready for assumptions?"
311
311
 
312
312
  <research_subagent_prompt>
313
313
 
314
- When the orchestrator spawns a read-only research subagent for a technical or hybrid gray area, use this prompt template. Substitute the bracketed values. One subagent is spawned per gray area.
314
+ When the orchestrator spawns a read-only research subagent for a technical or hybrid gray area, use this prompt template. Substitute the bracketed values. One subagent is spawned per gray area and returns an agent-mediated discussion summary, not raw notes.
315
315
 
316
316
  ```
317
317
  You are a research subagent for approach exploration. Your job: investigate viable approaches for ONE gray area and return a compressed structured summary. You do NOT interact with the user — read, search, and return findings only.
@@ -341,9 +341,9 @@ Training data is a hypothesis. Verify before asserting. Do NOT recommend a libra
341
341
  - Do NOT recommend deprecated or unmaintained libraries
342
342
  - Do NOT present "roll your own" as an approach unless existing libraries genuinely fail to solve the problem
343
343
  - Do NOT include approaches you cannot source
344
- - Do NOT exceed 1000 tokens in your response
344
+ - Do NOT exceed 800 tokens in your response
345
345
 
346
- ## Output Format (under 1000 tokens)
346
+ ## Output Format (500-800 tokens)
347
347
 
348
348
  For each of 2-3 viable approaches:
349
349
  - **Name**
@@ -209,6 +209,9 @@ Before reporting a task complete:
209
209
  - if a UI change is involved, verify the relevant rendering path
210
210
  - if an API change is involved, hit the endpoint or targeted integration path
211
211
  - A task is not complete because code was written. It is complete when the intended verification path actually passes.
212
+
213
+ ### UI Proof Execution
214
+ If the plan defines UI proof slots, record observed proof against the exact claim, route/state, observation, evidence kind, artifact path or manual step, privacy metadata, result, and claim limit before claiming task completion. Artifact metadata must include `visibility`, `retention`, `sensitivity`, and `safe_to_publish`; raw screenshots, traces, videos, DOM snapshots, and reports are local-only/unsafe by default and cannot back public, tracked, delivery, release, or publication proof claims. Use `gsdd ui-proof validate <path>` or `gsdd health` when a bundle exists. Artifact count, source comments, AST/cAST findings, semantic search, and Semble-like retrieval are not proof. Missing or weakly linked evidence must be recorded as proof debt, waiver, deferment, or reduced claim language rather than satisfied proof.
212
215
  </execution_loop>
213
216
 
214
217
  <checkpoint_protocol>
@@ -5,7 +5,7 @@
5
5
  <role>
6
6
  You are an integration checker. You verify that phases work together as a system, not just individually.
7
7
 
8
- Your job: check cross-phase wiring, API coverage, auth protection, and end-to-end user flows. Return a structured report to the milestone auditor.
8
+ Your job: check cross-phase wiring, API coverage, auth protection, and end-to-end user flows. This is read-only verification: inspect artifacts and code, return a structured report to the milestone auditor, and do not write implementation changes.
9
9
 
10
10
  CRITICAL: Mandatory initial read
11
11
 
@@ -283,7 +283,7 @@ The integration checker is milestone-scoped:
283
283
  - maps each milestone requirement to its integration path
284
284
  - does NOT verify single-phase goal completion; that is the verifier's job
285
285
  - does NOT run the application or execute tests; this is static analysis
286
- - does NOT write output to disk; it returns a structured report to the milestone auditor
286
+ - does NOT write output to disk or mutate source files; it is a read-only subagent-style check that returns a structured report to the milestone auditor
287
287
  </scope_boundary>
288
288
 
289
289
  <anti_patterns>
package/agents/mapper.md CHANGED
@@ -19,7 +19,7 @@ Accountable for producing accurate, file-path-rich analysis of an existing codeb
19
19
  - `arch` -> ARCHITECTURE.md
20
20
  - `quality` -> CONVENTIONS.md
21
21
  - `concerns` -> CONCERNS.md
22
- - **Return:** Brief confirmation (document names + line counts). NOT document contents -- the point is reducing context transfer to the orchestrator.
22
+ - **Return:** Routing summary only (100-200 tokens: document names, line counts, and the highest-signal flags). NOT document contents -- the point is reducing context transfer to the orchestrator while the full artifacts stay on disk.
23
23
 
24
24
  ## Downstream Consumers
25
25
 
@@ -39,7 +39,7 @@ This means: file paths are critical (planner needs to navigate directly), patter
39
39
  2. **Explore the codebase** thoroughly for the assigned focus area. Use file listing, content search, and targeted file reads. Read actual code -- do not guess.
40
40
  3. **Fill the document template** with findings. Replace all placeholders with real data. Use "Not detected" for genuinely absent items.
41
41
  4. **Write document(s)** to the designated output directory.
42
- 5. **Return confirmation only** -- document names and line counts. Do not echo contents back.
42
+ 5. **Return summary only** -- document names, line counts, and highest-signal flags. Do not echo contents back.
43
43
 
44
44
  ## Focus Area Guidance
45
45
 
package/agents/planner.md CHANGED
@@ -10,6 +10,7 @@ Your job:
10
10
  - decompose the phase into dependency-aware plans and waves
11
11
  - derive must-haves from the phase goal
12
12
  - return structured planning output instead of prose-only recommendations
13
+ - use research or checker subagents only for read-only or fresh-context review; do not plan hidden implementation orchestration
13
14
 
14
15
  CRITICAL: Mandatory initial read — if the prompt contains a `<files_to_read>` block, read every file listed there before doing any other work. That is your primary context.
15
16
  </role>
@@ -152,6 +153,14 @@ Any checkpoint must be justified by the task itself, not by planner caution or h
152
153
  Any plan containing `checkpoint:*` must set `autonomous: false`.
153
154
  </task_contract>
154
155
 
156
+ <ui_proof_planning>
157
+ For UI-sensitive work, plan proof slots that can later be matched exactly to claim, route/state, observation, evidence kind, artifact path or manual step, privacy metadata, result, and claim limit. Use only the stable evidence kinds `code`, `test`, `runtime`, `delivery`, and `human`.
158
+
159
+ Require observed artifacts to carry `visibility`, `retention`, `sensitivity`, and `safe_to_publish`; when a planned slot is meant to support public, publication, tracked, delivery, or release proof, say to validate the observed bundle with `gsdd ui-proof validate <path> --claim <...>`. `gsdd ui-proof validate`/`gsdd health` must catch invalid bundle metadata when present.
160
+
161
+ Do not let source annotations, AST/cAST findings, semantic search, comments, or Semble-like retrieval satisfy proof slots; they are discovery hints only. Human acceptance can narrow or waive a claim and record proof debt, but it must not turn missing or mismatched non-human evidence into `satisfied` proof.
162
+ </ui_proof_planning>
163
+
155
164
  <dependency_graph_example>
156
165
  Example dependency graph:
157
166
 
@@ -176,13 +185,14 @@ Wave 3: C
176
185
  Wave rule:
177
186
  - if a task's verify step depends on a test file or artifact, an earlier wave must create it
178
187
  - if two tasks touch the same critical file or one task's output is another task's input, they are not parallel
188
+ - parallel implementation is allowed only when the approved plan names explicit, disjoint write-set ownership
179
189
  </dependency_graph_example>
180
190
 
181
191
  <output>
182
192
  Write one or more `PLAN.md` files to the phase directory.
183
193
 
184
194
  Keep the current GSDD schema exactly:
185
- - frontmatter keys: `phase`, `plan`, `type`, `wave`, `runtime`, `assurance`, `depends_on`, `files-modified`, `autonomous`, `requirements`, `non_goals`, `hard_boundaries`, `escalation_triggers`, `approval_gates`, `anti_regression_targets`, `known_unknowns`, `high_leverage_surfaces`, `second_pass_required`, `closure_claim_limit`, `parallelism_budget`, `leverage`, `must_haves`
195
+ - frontmatter keys: `phase`, `plan`, `type`, `wave`, `runtime`, `assurance`, `depends_on`, `files-modified`, `autonomous`, `requirements`, `non_goals`, `hard_boundaries`, `escalation_triggers`, `approval_gates`, `anti_regression_targets`, `known_unknowns`, `ui_proof_slots`, `no_ui_proof_rationale`, `high_leverage_surfaces`, `second_pass_required`, `closure_claim_limit`, `parallelism_budget`, `leverage`, `must_haves`
186
196
  - typed tasks with `files`, `action`, `verify`, and `done`
187
197
 
188
198
  Typed frontmatter example:
@@ -213,6 +223,8 @@ anti_regression_targets:
213
223
  - Existing session middleware behavior remains unchanged for already-supported routes.
214
224
  known_unknowns:
215
225
  - Exact copy wording for auth errors may still need product confirmation.
226
+ ui_proof_slots: []
227
+ no_ui_proof_rationale: Not UI-sensitive; scoped work does not claim a visible UI outcome.
216
228
  high_leverage_surfaces: []
217
229
  second_pass_required: false
218
230
  closure_claim_limit: Do not claim phase completion until verification satisfies the evidence contract for the scoped truths.
@@ -26,7 +26,7 @@ Same algorithm, different scope. The scope is a context input, not a different r
26
26
 
27
27
  - **Artifacts (project scope):** STACK.md, FEATURES.md, ARCHITECTURE.md, PITFALLS.md (+ COMPARISON.md or FEASIBILITY.md if applicable mode)
28
28
  - **Artifacts (phase scope):** Single RESEARCH.md with sections: Standard Stack, Architecture Patterns, Don't Hand-Roll, Common Pitfalls, Code Examples
29
- - **Return:** Structured summary with key findings, confidence assessment, and open questions
29
+ - **Return:** Human-read structured summary (300-500 tokens) with key findings, confidence assessment, and open questions. Do not return raw research; full detail belongs in the written artifact.
30
30
 
31
31
  ## Core Algorithm
32
32
 
@@ -43,7 +43,7 @@ Same algorithm, different scope. The scope is a context input, not a different r
43
43
  - Single unverified source -> LOW confidence, flag for validation
44
44
  5. **Run quality checklist:** All domains investigated? Negative claims verified with official docs? Multiple sources for critical claims? Confidence levels assigned honestly?
45
45
  6. **Write output files** to the designated directory.
46
- 7. **Return structured result** to orchestrator. Do not commit -- orchestrator handles git.
46
+ 7. **Return structured summary** to orchestrator. Do not return raw research and do not commit -- orchestrator handles git.
47
47
 
48
48
  ## Quality Guarantees
49
49
 
@@ -5,6 +5,8 @@
5
5
  <role>
6
6
  You are a roadmapper. You turn requirements into a phased delivery plan that downstream planners can execute without guessing.
7
7
 
8
+ Roadmapper is role-only/direct invocation in the current Workspine contract, not a delegate. Roadmap creation is sequential, coverage-sensitive, and owns `.planning/ROADMAP.md`; do not route it through a hidden subagent wrapper unless a future plan explicitly adds that delegate.
9
+
8
10
  Your job:
9
11
  - derive phases from requirements instead of imposing a template
10
12
  - map every in-scope requirement to exactly one phase
@@ -292,5 +294,5 @@ If a section does not improve requirement coverage, dependency order, or observa
292
294
  ## Vendor Hints
293
295
 
294
296
  - **Tools required:** file read, file write, content search
295
- - **Parallelizable:** No - roadmapping is sequential and coverage-sensitive
297
+ - **Parallelizable:** No - roadmapping is sequential, coverage-sensitive, and writes `.planning/ROADMAP.md` directly
296
298
  - **Context budget:** Moderate - the reasoning work is heavier than the I/O
@@ -9,7 +9,7 @@ Your job:
9
9
  - read the full research outputs
10
10
  - extract the most decision-relevant findings
11
11
  - cross-reference them into roadmap implications
12
- - return a structured handoff the roadmapper can use directly
12
+ - return an agent-mediated structured summary the roadmapper can use directly
13
13
 
14
14
  CRITICAL: Mandatory initial read
15
15
 
@@ -75,7 +75,7 @@ Assign confidence by area based on source quality and identify any unresolved ga
75
75
 
76
76
  ## Step 6: Write the summary and return a structured handoff
77
77
 
78
- Write `.planning/research/SUMMARY.md`. Return a short structured summary to the orchestrator.
78
+ Write `.planning/research/SUMMARY.md`. Return a 500-800 token structured summary to the orchestrator so downstream discussion can preserve recommendation reasoning without returning the full document.
79
79
  </execution_flow>
80
80
 
81
81
  <cross_reference_dimensions>
@@ -123,6 +123,8 @@ Do not return a flat symptom list when the same underlying breakage explains mul
123
123
 
124
124
  Visual correctness, live interaction quality, and some external integrations still need explicit human checks.
125
125
 
126
+ For UI proof slots, fail closed unless observed proof is matched to the exact claim, route/state, observation, evidence kind, artifact path or manual step, privacy metadata, result, and claim limit. Artifact metadata must include `visibility`, `retention`, `sensitivity`, and `safe_to_publish`; local-only or unsafe artifacts cannot back public, tracked, delivery, release, or publication proof claims, and `gsdd ui-proof validate`/`gsdd health` metadata failures block the stronger proof claim. Screenshots, traces, reports, Gherkin, a11y scans, E2E outputs, manual notes, source annotations, AST/cAST findings, semantic search, comments, and Semble-like retrieval do not satisfy proof by existence alone. Human acceptance records risk, waiver, deferment, proof debt, or a narrowed claim; it does not upgrade missing or mismatched non-human proof to `satisfied`.
127
+
126
128
  ## Step 9: Determine overall status
127
129
 
128
130
  - `passed` when all programmatic checks pass and no human-only checks remain
package/bin/gsdd.mjs CHANGED
@@ -19,6 +19,7 @@ import { cmdFileOp } from './lib/file-ops.mjs';
19
19
  import { createCmdHealth } from './lib/health.mjs';
20
20
  import { cmdLifecyclePreflight } from './lib/lifecycle-preflight.mjs';
21
21
  import { cmdSessionFingerprint } from './lib/session-fingerprint.mjs';
22
+ import { cmdUiProof } from './lib/ui-proof.mjs';
22
23
  import { resolveWorkspaceContext } from './lib/workspace-root.mjs';
23
24
 
24
25
  const __filename = fileURLToPath(import.meta.url);
@@ -107,6 +108,7 @@ const COMMANDS = {
107
108
  'file-op': cmdFileOp,
108
109
  'lifecycle-preflight': cmdLifecyclePreflight,
109
110
  'session-fingerprint': cmdSessionFingerprint,
111
+ 'ui-proof': cmdUiProof,
110
112
  'find-phase': cmdFindPhase,
111
113
  'phase-status': cmdPhaseStatus,
112
114
  verify: cmdVerify,
@@ -132,8 +134,5 @@ async function runCli(cliCommand = command, ...cliArgs) {
132
134
  await COMMANDS[cliCommand](...normalizedArgs);
133
135
  }
134
136
 
135
- if (IS_MAIN) {
136
- await runCli();
137
- }
138
-
139
- export { cmdHelp, cmdInit, cmdUpdate, cmdModels, cmdHealth, cmdFileOp, cmdLifecyclePreflight, cmdSessionFingerprint, cmdFindPhase, cmdPhaseStatus, cmdVerify, cmdScaffold, runCli, FRAMEWORK_VERSION, createCliContext };
137
+ if (IS_MAIN) await runCli();
138
+ export { cmdHelp, cmdInit, cmdUpdate, cmdModels, cmdHealth, cmdFileOp, cmdLifecyclePreflight, cmdSessionFingerprint, cmdUiProof, cmdFindPhase, cmdPhaseStatus, cmdVerify, cmdScaffold, runCli, FRAMEWORK_VERSION, createCliContext };
@@ -4,12 +4,13 @@
4
4
  // evaluate once, so CWD must be computed inside function bodies.
5
5
 
6
6
  import { existsSync, readFileSync, readdirSync } from 'fs';
7
- import { join } from 'path';
7
+ import { join, relative } from 'path';
8
8
  import { readManifest, detectModifications } from './manifest.mjs';
9
9
  import { output } from './cli-utils.mjs';
10
10
  import { runTruthChecks, TRUTH_CHECK_IDS } from './health-truth.mjs';
11
11
  import { evaluateLifecycleState } from './lifecycle-state.mjs';
12
12
  import { evaluateRuntimeFreshness } from './runtime-freshness.mjs';
13
+ import { findUiProofBundleFiles, readUiProofBundleFile, validateUiProofBundle } from './ui-proof.mjs';
13
14
  import { resolveWorkspaceContext } from './workspace-root.mjs';
14
15
 
15
16
  /**
@@ -31,7 +32,7 @@ export function createCmdHealth(ctx) {
31
32
  }
32
33
  const cwd = workspaceRoot;
33
34
  const frameworkSourceMode = isFrameworkSourceRepo(cwd);
34
- const healthCheckIds = ['E1', 'E2', 'E3', 'E4', 'E5', 'E6', 'E7', 'E8', 'E9', 'W1', 'W2', 'W3', 'W4', 'W5', 'W6', ...TRUTH_CHECK_IDS, 'I1', 'I2', 'I3'];
35
+ const healthCheckIds = ['E1', 'E2', 'E3', 'E4', 'E5', 'E6', 'E7', 'E8', 'E9', 'E10', 'W1', 'W2', 'W3', 'W4', 'W5', 'W6', ...TRUTH_CHECK_IDS, 'I1', 'I2', 'I3'];
35
36
 
36
37
  // Pre-init guard
37
38
  if (!existsSync(join(planningDir, 'config.json'))) {
@@ -123,7 +124,7 @@ export function createCmdHealth(ctx) {
123
124
  }
124
125
 
125
126
  // E8: critical root template files missing
126
- const requiredRootFiles = ['spec.md', 'roadmap.md', 'auth-matrix.md'];
127
+ const requiredRootFiles = ['spec.md', 'roadmap.md', 'auth-matrix.md', 'ui-proof.md'];
127
128
  const missingRoot = requiredRootFiles.filter((f) => !existsSync(join(templatesDir, f)));
128
129
  if (missingRoot.length > 0) {
129
130
  errors.push({ id: 'E8', severity: 'ERROR', message: `.planning/templates/ missing critical root files: ${missingRoot.join(', ')}`, fix: 'Run `npx -y gsdd-cli update --templates`' });
@@ -140,6 +141,23 @@ export function createCmdHealth(ctx) {
140
141
  }
141
142
  }
142
143
 
144
+ // E10: known UI proof bundles must satisfy deterministic metadata/privacy validation.
145
+ for (const bundlePath of findUiProofBundleFiles(planningDir)) {
146
+ const relativePath = relative(cwd, bundlePath).replace(/\\/g, '/');
147
+ const parsed = readUiProofBundleFile(bundlePath);
148
+ const validation = parsed.errors.length > 0
149
+ ? { valid: false, errors: parsed.errors }
150
+ : validateUiProofBundle(parsed.bundle);
151
+ if (!validation.valid) {
152
+ errors.push({
153
+ id: 'E10',
154
+ severity: 'ERROR',
155
+ message: `${relativePath} has invalid UI proof metadata (${validation.errors.map((entry) => entry.code).join(', ')})`,
156
+ fix: 'Run `gsdd ui-proof validate <path>` and add required privacy metadata, claim limits, fixed evidence kinds, observation artifact references, and safe-to-publish handling.',
157
+ });
158
+ }
159
+ }
160
+
143
161
  // --- WARNING checks ---
144
162
 
145
163
  // W1: generation-manifest.json missing
@@ -187,6 +187,8 @@ Commands:
187
187
  lifecycle-preflight <surface> [phase]
188
188
  Inspect deterministic lifecycle gate results for a workflow surface
189
189
  session-fingerprint write Rebaseline planning-state drift after reviewing changed planning files
190
+ ui-proof validate <path> [--claim <public|publication|tracked|delivery|release>]
191
+ Validate UI proof metadata; use --claim for stronger proof uses
190
192
  help Show this summary
191
193
 
192
194
  Platforms (for --tools):
@@ -257,6 +259,7 @@ Advanced/internal helpers (kept available, but not the primary first-run user st
257
259
  lifecycle-preflight Inspect deterministic lifecycle gate results for a workflow surface
258
260
  session-fingerprint Rebaseline the local planning-state fingerprint after review
259
261
  phase-status Update ROADMAP.md phase status through the local helper surface
262
+ ui-proof Validate UI proof metadata; use --claim for stronger proof uses
260
263
  file-op Deterministic workspace-confined file copy/delete/text mutation
261
264
  `;
262
265
  }
@@ -6,7 +6,7 @@ const BROWNFIELD_CHANGE_DIR = 'brownfield-change';
6
6
  const PHASE_LINE_RE = /^\s*[-*]\s*\[([ x-])\]\s*\*\*Phase\s+(\d+(?:\.\d+)*[a-z]?):\s*(.+?)\*\*(?:\s+—\s+\[([^\]]+)])?/i;
7
7
  const PHASE_DETAIL_HEADING_RE = /^(#{3,})\s+Phase\s+(\d+(?:\.\d+)*[a-z]?)(?::|\b)/i;
8
8
  const PHASE_DETAIL_STATUS_RE = /^\s*\*\*Status\*\*:\s*\[([ x-])\]/i;
9
- const ACTIVE_MILESTONE_HEADING_RE = /^###\s+(v[^\s]+)\s+(.+)$/im;
9
+ const ACTIVE_MILESTONE_HEADING_RE = /^#{2,3}\s+(v[^\s]+)\s+(.+)$/im;
10
10
  const MILESTONE_LEDGER_HEADING_RE = /^##\s+(?:✅\s+)?(v[^\s]+)\s*(?:—|-)?\s*(.*)$/i;
11
11
  const DETAILS_OPEN_RE = /<details\b/i;
12
12
  const DETAILS_CLOSE_RE = /<\/details>/i;
@@ -274,7 +274,7 @@ export function readBrownfieldChangeState(planningDir) {
274
274
  handoffPath,
275
275
  title: extractMarkdownHeading(changeArtifact.body),
276
276
  changeId: changeArtifact.frontmatter.change || null,
277
- currentStatus: changeArtifact.frontmatter.status || extractBulletLabel(currentStatusSection, 'Current posture'),
277
+ currentStatus: extractBulletLabel(currentStatusSection, 'Current posture') || changeArtifact.frontmatter.status || null,
278
278
  currentIntegrationSurface: extractBulletLabel(currentStatusSection, 'Current branch / integration surface'),
279
279
  currentOwnerRuntime: extractBulletLabel(currentStatusSection, 'Current owner / runtime'),
280
280
  nextAction: collapseMarkdownSection(nextActionSection),
@@ -13,6 +13,7 @@ const HELPER_LIB_FILES = Object.freeze([
13
13
  'lifecycle-state.mjs',
14
14
  'phase.mjs',
15
15
  'session-fingerprint.mjs',
16
+ 'ui-proof.mjs',
16
17
  'workspace-root.mjs',
17
18
  ]);
18
19
 
@@ -47,6 +48,7 @@ import { cmdFileOp } from './lib/file-ops.mjs';
47
48
  import { cmdLifecyclePreflight } from './lib/lifecycle-preflight.mjs';
48
49
  import { cmdPhaseStatus } from './lib/phase.mjs';
49
50
  import { cmdSessionFingerprint } from './lib/session-fingerprint.mjs';
51
+ import { cmdUiProof } from './lib/ui-proof.mjs';
50
52
  import { bootstrapHelperWorkspace, consumeWorkspaceRootArg, resolveWorkspaceContext } from './lib/workspace-root.mjs';
51
53
 
52
54
  const COMMANDS = {
@@ -54,6 +56,7 @@ const COMMANDS = {
54
56
  'lifecycle-preflight': cmdLifecyclePreflight,
55
57
  'phase-status': cmdPhaseStatus,
56
58
  'session-fingerprint': cmdSessionFingerprint,
59
+ 'ui-proof': cmdUiProof,
57
60
  };
58
61
 
59
62
  function printHelp() {
@@ -71,6 +74,8 @@ function printHelp() {
71
74
  ' Example: node .planning/bin/gsdd.mjs lifecycle-preflight verify 1 --expects-mutation phase-status',
72
75
  ' session-fingerprint write',
73
76
  ' Rebaseline planning-state drift after reviewing changed planning files',
77
+ ' ui-proof validate <path> [--claim <public|publication|tracked|delivery|release>]',
78
+ ' Validate UI proof metadata; use --claim for stronger proof uses',
74
79
  '',
75
80
  'Advanced option:',
76
81
  ' --workspace-root <path> Override workspace root discovery before or after the subcommand',
@@ -23,7 +23,7 @@ export function installProjectTemplates({ planningDir, distilledDir, agentsDir }
23
23
  console.log(` - WARN: missing expected template subdir: ${subdir}/`);
24
24
  }
25
25
  }
26
- const expectedRootFiles = ['spec.md', 'roadmap.md', 'auth-matrix.md'];
26
+ const expectedRootFiles = ['spec.md', 'roadmap.md', 'auth-matrix.md', 'ui-proof.md'];
27
27
  for (const file of expectedRootFiles) {
28
28
  if (!existsSync(join(localTemplatesDir, file))) {
29
29
  console.log(` - WARN: missing expected root template file: ${file}`);