godpowers 0.15.0

package/extensions/security-pack/agents/god-soc2-auditor.md

@@ -0,0 +1,107 @@
+---
+name: god-soc2-auditor
+version: 1.0.0
+description: |
+  SOC 2 Common Criteria auditor. Maps controls to code/process evidence.
+  Produces auditor-ready findings document. Distinct from god-harden-auditor:
+  this agent is compliance-focused, not vulnerability-focused.
+
+  Spawned by: /god-soc2-audit
+  Extension: @godpowers/security-pack
+tools: Read, Bash, Grep, Glob, WebSearch
+---
+
+# God SOC 2 Auditor
+
+Map SOC 2 Common Criteria to your code and processes. Produce
+auditor-ready evidence.
+
+## Gate Check
+
+A deployed system exists. `.godpowers/deploy/STATE.md` and
+`.godpowers/observe/STATE.md` exist.
+
+## Process
+
+### 1. Scope
+
+Identify which SOC 2 trust services criteria apply:
+- **Security** (always required)
+- **Availability**
+- **Processing Integrity**
+- **Confidentiality**
+- **Privacy**
+
+For each in scope, map the relevant CC numbers (e.g., CC1.1 through CC9.2
+for Security).
+
+### 2. Evidence Collection
+
+For each criterion, find evidence in:
+- Code (auth, encryption, access controls)
+- Configuration (production hardening)
+- Process docs (incident response, change management)
+- Observability (audit logs, monitoring)
+- Personnel (training, access reviews)
+
+For each criterion, document:
+- **Control**: What the criterion requires
+- **Implementation**: How the system/process meets it
+- **Evidence**: Specific artifact references (file paths, log queries)
+- **Gap**: If not met, what's missing
+- **Remediation**: How to close the gap
+
+### 3. Finding Classification
+
+| Severity | Definition | Action |
+|----------|-----------|--------|
+| **Material weakness** | Critical control gap, audit-blocking | Fix before audit |
+| **Significant deficiency** | Important control gap | Fix in current period |
+| **Observation** | Minor improvement opportunity | Backlog |
+
+### 4. Output
+
+Write `.godpowers/compliance/soc2/FINDINGS.md`:
+
+```markdown
+# SOC 2 Compliance Audit
+
+Date: [ISO 8601]
+Trust Services Criteria in scope: [Security, ...]
+Reviewer: god-soc2-auditor (extension: @godpowers/security-pack)
+
+## Summary
+| Criterion | Status | Evidence | Gap |
+|-----------|--------|----------|-----|
+| CC1.1 Control Environment | Met | [path] | -- |
+| CC2.1 Communication and Information | Partial | [path] | [gap] |
+| ...
+
+## Material Weaknesses
+[Detailed findings]
+
+## Significant Deficiencies
+[Detailed findings]
+
+## Observations
+[Detailed findings]
+
+## Remediation Plan
+| Finding | Owner | Due | Verification |
+```
+
+## Have-Nots (extension-specific)
+
+#### SOC2-01 Control without code evidence
+A control marked "Met" without specific file paths or log queries. Fail.
+
+#### SOC2-02 Material weakness without remediation
+Material weakness has no remediation plan. Fail.
+
+#### SOC2-03 Compliance without security
+Checklist green but god-harden-auditor finds Critical vulnerabilities.
+SOC 2 audit is meaningless without underlying security. Fail.
+
+#### SOC2-04 Process docs without evidence of execution
+Incident response process documented but no incidents logged. Audit will
+ask "have you actually done this?". Fail.

package/extensions/security-pack/manifest.yaml

@@ -0,0 +1,39 @@
+apiVersion: godpowers/v1
+kind: Extension
+metadata:
+  name: "@godpowers/security-pack"
+  version: 0.1.0
+  description: |
+    Compliance-aware security agents for SOC 2, HIPAA, and PCI-DSS audits.
+    Layers on top of god-harden-auditor with regulation-specific checks.
+
+engines:
+  godpowers: ">=0.14.0 <2.0.0"
+
+provides:
+  agents:
+    - god-soc2-auditor
+    - god-hipaa-auditor
+    - god-pci-auditor
+  skills:
+    - god-soc2-audit
+    - god-hipaa-audit
+    - god-pci-audit
+  workflows:
+    - soc2-arc
+    - hipaa-arc
+    - pci-arc
+  have-nots:
+    - prefix: SOC2
+      description: SOC 2 Common Criteria checks
+    - prefix: HIPAA
+      description: HIPAA Security Rule checks (164.308, 164.310, 164.312)
+    - prefix: PCI
+      description: PCI-DSS 4.0 requirements
+
+activation:
+  on:
+    - skill: /god-soc2-audit
+    - skill: /god-hipaa-audit
+    - skill: /god-pci-audit
+    - extension-list-query: true

package/extensions/security-pack/package.json

@@ -0,0 +1,42 @@
+{
+  "name": "@godpowers/security-pack",
+  "version": "0.1.0",
+  "description": "Compliance-aware security agents for SOC 2, HIPAA, and PCI-DSS audits. Layers on top of god-harden-auditor with regulation-specific checks.",
+  "keywords": [
+    "godpowers",
+    "godpowers-extension",
+    "security",
+    "soc2",
+    "hipaa",
+    "pci-dss",
+    "compliance",
+    "audit"
+  ],
+  "author": "Godpowers",
+  "license": "MIT",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/aihxp/godpowers.git",
+    "directory": "extensions/security-pack"
+  },
+  "homepage": "https://github.com/aihxp/godpowers/tree/main/extensions/security-pack#readme",
+  "bugs": {
+    "url": "https://github.com/aihxp/godpowers/issues"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "agents/",
+    "skills/",
+    "workflows/",
+    "manifest.yaml",
+    "README.md"
+  ],
+  "peerDependencies": {
+    "godpowers": ">=0.14.0 <2.0.0"
+  }
+}

package/extensions/security-pack/skills/god-hipaa-audit.md

@@ -0,0 +1,41 @@
+---
+name: god-hipaa-audit
+description: |
+  HIPAA Security Rule audit. Maps Administrative + Physical + Technical
+  Safeguards to code/process evidence. Requires @godpowers/security-pack.
+
+  Triggers on: "god hipaa", "/god-hipaa-audit", "HIPAA audit", "Security Rule"
+extension: "@godpowers/security-pack"
+---
+
+# /god-hipaa-audit
+
+HIPAA Security Rule audit (164.308, 164.310, 164.312).
+
+## Setup
+
+1. Verify @godpowers/security-pack is installed
+2. Confirm system handles ePHI (or route to /god-soc2-audit)
+3. Spawn god-hipaa-auditor
+
+## Verification
+
+After god-hipaa-auditor returns:
+1. Verify `.godpowers/compliance/hipaa/FINDINGS.md` exists
+2. No CRITICAL gaps unaddressed
+3. Update PROGRESS.md with HIPAA audit timestamp
+
+## On Completion
+
+```
+HIPAA audit complete: .godpowers/compliance/hipaa/FINDINGS.md
+
+Administrative gaps: [N]
+Physical gaps: [N]
+Technical gaps: [N]
+
+Suggested next:
+  - Address gaps via /god-feature workflows
+  - /god-pci-audit if PCI also applies
+  - Schedule next HIPAA audit in 90 days
+```

package/extensions/security-pack/skills/god-pci-audit.md

@@ -0,0 +1,40 @@
+---
+name: god-pci-audit
+description: |
+  PCI-DSS 4.0 audit. Maps the 12 requirements to code/process evidence.
+  Requires @godpowers/security-pack.
+
+  Triggers on: "god pci", "/god-pci-audit", "PCI-DSS audit", "PCI audit"
+extension: "@godpowers/security-pack"
+---
+
+# /god-pci-audit
+
+PCI-DSS 4.0 audit.
+
+## Setup
+
+1. Verify @godpowers/security-pack is installed
+2. Confirm system handles cardholder data (or determine SAQ scope)
+3. Spawn god-pci-auditor
+
+## Verification
+
+After god-pci-auditor returns:
+1. Verify `.godpowers/compliance/pci/FINDINGS.md` exists
+2. SAQ scope correctly identified
+3. Update PROGRESS.md
+
+## On Completion
+
+```
+PCI-DSS audit complete: .godpowers/compliance/pci/FINDINGS.md
+
+SAQ scope: [SAQ-A / SAQ-D / etc.]
+Requirements with gaps: [N of in-scope]
+
+Suggested next:
+  - Address gaps via /god-feature workflows
+  - Schedule quarterly scans (PCI requires quarterly)
+  - Annual pen test (PCI requires annual)
+```

package/extensions/security-pack/skills/god-soc2-audit.md

@@ -0,0 +1,42 @@
+---
+name: god-soc2-audit
+description: |
+  SOC 2 Common Criteria audit. Maps controls to code/process evidence,
+  produces auditor-ready findings. Requires @godpowers/security-pack.
+
+  Triggers on: "god soc2", "/god-soc2-audit", "SOC 2 audit", "CC1", "CC2"
+extension: "@godpowers/security-pack"
+---
+
+# /god-soc2-audit
+
+SOC 2 Common Criteria audit. Extension command.
+
+## Setup
+
+1. Verify @godpowers/security-pack is installed
+2. Verify deploy + observe tiers complete (`.godpowers/deploy/STATE.md` and
+   `.godpowers/observe/STATE.md` exist)
+3. Spawn god-soc2-auditor with full system access
+
+## Verification
+
+After god-soc2-auditor returns:
+1. Verify `.godpowers/compliance/soc2/FINDINGS.md` exists
+2. Verify no material weaknesses unaddressed
+3. Update PROGRESS.md with compliance audit timestamp
+
+## On Completion
+
+```
+SOC 2 audit complete: .godpowers/compliance/soc2/FINDINGS.md
+
+Material weaknesses: [N]
+Significant deficiencies: [N]
+Observations: [N]
+
+Suggested next:
+  - If material weaknesses exist: address them via /god-feature workflows
+  - Schedule next SOC 2 audit in 90 days
+  - /god-pci-audit or /god-hipaa-audit if other compliance applies
+```

package/extensions/security-pack/workflows/hipaa-arc.yaml

@@ -0,0 +1,15 @@
+apiVersion: godpowers/v1
+kind: Workflow
+metadata:
+  name: hipaa-arc
+  version: 1.0.0
+  description: |
+    HIPAA Security Rule audit. Extension workflow.
+    Run by /god-hipaa-audit.
+
+on: [/god-hipaa-audit]
+
+jobs:
+  hipaa-audit:
+    tier: 3
+    uses: god-hipaa-auditor@^1.0.0

package/extensions/security-pack/workflows/pci-arc.yaml

@@ -0,0 +1,15 @@
+apiVersion: godpowers/v1
+kind: Workflow
+metadata:
+  name: pci-arc
+  version: 1.0.0
+  description: |
+    PCI-DSS 4.0 audit. Extension workflow.
+    Run by /god-pci-audit.
+
+on: [/god-pci-audit]
+
+jobs:
+  pci-audit:
+    tier: 3
+    uses: god-pci-auditor@^1.0.0

package/extensions/security-pack/workflows/soc2-arc.yaml

@@ -0,0 +1,15 @@
+apiVersion: godpowers/v1
+kind: Workflow
+metadata:
+  name: soc2-arc
+  version: 1.0.0
+  description: |
+    SOC 2 Common Criteria audit. Extension workflow.
+    Run by /god-soc2-audit.
+
+on: [/god-soc2-audit]
+
+jobs:
+  soc2-audit:
+    tier: 3
+    uses: god-soc2-auditor@^1.0.0

package/hooks/pre-tool-use.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# Godpowers PreToolUse Safety Hook
+# Runs before destructive tool calls in a Godpowers project.
+# Warns on: rm -rf, git reset --hard, force push to main, deleting .godpowers/
+
+set -euo pipefail
+
+TOOL_NAME="${CLAUDE_TOOL_NAME:-}"
+TOOL_INPUT="${CLAUDE_TOOL_INPUT:-}"
+
+if [ ! -d ".godpowers" ]; then
+  exit 0
+fi
+
+# Pattern matches that should warn
+case "$TOOL_INPUT" in
+  *"rm -rf .godpowers"*)
+    echo "WARNING: About to delete the .godpowers/ directory."
+    echo "This destroys all PROGRESS, PRD, ARCH, ROADMAP, and other artifacts."
+    echo "If this is intentional, confirm in chat before proceeding."
+    exit 1
+    ;;
+  *"git reset --hard"*)
+    echo "WARNING: git reset --hard discards uncommitted work."
+    echo "If you have artifacts not yet committed, they will be lost."
+    echo "Consider git stash first."
+    exit 1
+    ;;
+  *"git push --force"*)
+    echo "WARNING: Force pushing. If pushing to main/master, this can"
+    echo "destroy collaborators' work."
+    exit 1
+    ;;
+  *"rm -rf node_modules"*)
+    # Allowed: this is just cache
+    exit 0
+    ;;
+esac
+
+exit 0

package/hooks/session-start.sh

@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+# Godpowers SessionStart Hook
+#
+# Runs when an AI session begins. Detects a Godpowers project and emits
+# a short context block. Defers all routing logic to /god-next so this
+# hook stays a single source of truth: "if you see a Godpowers project,
+# ask /god-next for the next step."
+#
+# The hook intentionally does NOT do its own sub-step -> command
+# mapping. That logic lives in lib/recipes.js + /god-next + the
+# orchestrator. Keeping it out of the hook prevents three independent
+# copies of the routing knowledge drifting apart (a real risk
+# identified in the 2026-05-10 deep audit).
+
+set -euo pipefail
+
+PROGRESS_FILE=".godpowers/PROGRESS.md"
+STATE_FILE=".godpowers/state.json"
+CHECKPOINT_FILE=".godpowers/CHECKPOINT.md"
+
+# Exit silently if not in a Godpowers project
+if [ ! -f "$PROGRESS_FILE" ] && [ ! -f "$STATE_FILE" ] && [ ! -f "$CHECKPOINT_FILE" ]; then
+  exit 0
+fi
+
+# Print a short context banner
+cat <<'EOF'
+[Godpowers Project Detected]
+
+A Godpowers project is active in this directory.
+EOF
+
+# Prefer CHECKPOINT.md (the orient-a-new-session pin) when present
+if [ -f "$CHECKPOINT_FILE" ]; then
+  echo ""
+  echo "Checkpoint ($CHECKPOINT_FILE) - read this FIRST:"
+  echo ""
+  # Print the "Where you are" section + Next suggested command
+  sed -n '/^## Where you are/,/^## Last actions/p' "$CHECKPOINT_FILE" | head -20
+  sed -n '/^## Next suggested command/,/^##/p' "$CHECKPOINT_FILE" | head -6
+  echo ""
+  echo "Run /god-locate for full orientation."
+  echo ""
+fi
+
+# Show the state summary, preferring state.json (authoritative)
+if [ -f "$STATE_FILE" ]; then
+  echo ""
+  echo "State snapshot ($STATE_FILE):"
+  # Extract just project/mode/phase if jq is available; otherwise tail
+  if command -v jq >/dev/null 2>&1; then
+    jq -r '
+      "  project: " + (.project.name // "(unnamed)"),
+      "  mode: " + (.mode // "?") + (if ."mode-d-suite" then " (in suite)" else "" end),
+      "  lifecycle: " + (."lifecycle-phase" // "in-arc")
+    ' "$STATE_FILE" 2>/dev/null || head -20 "$STATE_FILE"
+  else
+    head -20 "$STATE_FILE"
+  fi
+elif [ -f "$PROGRESS_FILE" ]; then
+  echo ""
+  echo "Progress ($PROGRESS_FILE):"
+  cat "$PROGRESS_FILE"
+fi
+
+cat <<'EOF'
+
+Next step: run /god-next  (it inspects disk state and proposes the next command)
+Or:       /god-mode for the full autonomous arc
+Or:       /god-help to see the catalog
+Or:       /god-status for the full project snapshot
+
+Disk state is authoritative. Conversation memory is not.
+EOF

package/lib/README.md

@@ -0,0 +1,28 @@
+# lib/ - Runtime Library (placeholder)
+
+This directory is reserved for v0.5+ runtime modules. v0.4 has the schemas
+defined; v0.5 implements them.
+
+## Planned modules
+
+| Module | Purpose | Target version |
+|--------|---------|----------------|
+| `state.js` | Read/write `.godpowers/state.json` with schema validation | v0.5 |
+| `events.js` | Append OpenTelemetry-shape events to events.jsonl | v0.5 |
+| `intent.js` | Read/validate `intent.yaml` (or `.godpowers/intent.yaml`) | v0.5 |
+| `workflow-runtime.js` | Parse and execute workflow YAML | v0.5 |
+| `reflog.js` | Append to `.godpowers/log` and rewind state | v0.6 |
+| `trash.js` | Recoverable deletion to `.godpowers/.trash/` | v0.6 |
+| `metrics.js` | Compute per-tier stats from events.jsonl | v0.7 |
+| `extension-loader.js` | Lazy-activate skill packs | v0.8 |
+
+## Why placeholder
+
+In v0.4 (current), Godpowers is markdown skills + agent prose. There's no
+runtime that needs these modules; agents read/write artifacts directly.
+
+In v0.5+, the workflow runtime needs structured access to state. That's when
+these modules ship.
+
+See `../ARCHITECTURE.md` for the design and `../docs/ROADMAP.md` for the
+sequencing.