godpowers 0.15.11 → 0.15.13

package/CHANGELOG.md

@@ -5,6 +5,38 @@ All notable changes to Godpowers will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.15.13] - 2026-05-11
+
+Access ladder release. Tightens `/god-mode --yolo` shipping closure so keys,
+API tokens, dashboards, admin consoles, and provider access are requested only
+when a concrete check proves they are needed.
+
+### Changed
+- Added an External Access Ladder to the Shipping Closure Protocol: ask first
+  for the deployed staging origin, run the real staging smoke command, then ask
+  for one additional access item only when the next named check requires it.
+- Deploy, observability, launch, and full-arc instructions now cap blocked
+  shipping pauses to one new external access item unless a single command
+  genuinely requires several values together.
+- God Mode now treats provider keys and API tokens as last-mile inputs, not
+  upfront rollout prerequisites.
+
+## [0.15.12] - 2026-05-11
+
+Shipping closure release. Prevents `/god-mode --yolo` from stopping with broad
+staging/provider checklists.
+
+### Changed
+- Added a Shipping Closure Protocol for deploy, observe, harden, and launch:
+  verify a real environment when reachable, otherwise create local or
+  CI-verifiable automation, then pause only for one exact external access
+  bundle.
+- Deploy, observability, and launch agents now treat missing provider access as
+  `waiting-for-external-access` with a concrete artifact instead of a generic
+  next-step checklist.
+- Full-arc workflow metadata now records closure behavior for missing external
+  access.
+
 ## [0.15.11] - 2026-05-11
 
 God Mode resume release. Fixes `/god-mode --yolo` prompting for a project

package/README.md

@@ -2,7 +2,7 @@
 
 [![CI](https://github.com/aihxp/godpowers/actions/workflows/ci.yml/badge.svg)](https://github.com/aihxp/godpowers/actions/workflows/ci.yml)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
-[![Version](https://img.shields.io/badge/version-0.15.11-blue)](CHANGELOG.md)
+[![Version](https://img.shields.io/badge/version-0.15.13-blue)](CHANGELOG.md)
 [![npm](https://img.shields.io/npm/v/godpowers.svg)](https://www.npmjs.com/package/godpowers)
 
 **Ship fast. Ship right. Ship everything. Ship accountably.**

package/agents/god-deploy-engineer.md

@@ -20,7 +20,13 @@ Build is complete. All tests pass. `.godpowers/build/STATE.md` shows green.
 
 1. Read ARCH for deployment topology
 2. Read stack DECISION for hosting/CI choices
-3. Configure pipeline:
+3. Detect what can be verified now:
+   - real staging or production URL and credentials
+   - local staging harness or mock provider harness
+   - CI provider and deploy scripts
+   - provider CLIs, env files, Docker files, reverse proxy config, database,
+     backup, and restore scripts
+4. Configure pipeline:
 
 ### Same-Artifact Promotion
 - Build the artifact ONCE (Docker image, binary, bundle)
@@ -49,6 +55,26 @@ Build is complete. All tests pass. `.godpowers/build/STATE.md` shows green.
 - Post-deploy smoke test that hits real endpoints
 - Fails the deploy if smoke test fails (auto-rollback)
 
+### External Access Closure
+- If real staging is reachable, run the real smoke and rollback checks.
+- If real staging is not reachable, build the closest local staging harness and
+  run the same smoke command against it.
+- If provider credentials, DNS, TLS, dashboard access, or production secrets are
+  missing, write `.godpowers/deploy/WAITING-FOR-EXTERNAL-ACCESS.md`.
+- That file must contain the smallest next access item, exact env var names
+  only when needed by the next command, exact provider links only when a failed
+  check proves they are needed, and the command Godpowers will run after access
+  exists.
+- Default first pause: ask only for `STAGING_APP_URL=<staging-origin>` so the
+  real smoke command can run. Do not ask for provider keys, API tokens,
+  dashboards, DNS tokens, production secrets, admin consoles, or test users
+  until a named deploy, smoke, rollback, health, callback, webhook, export, or
+  observability check cannot run without that exact item.
+- Add at most one new external access item per pause unless one command
+  invocation genuinely requires several values together.
+- Do not return a broad checklist as the final answer. Either return tested
+  deploy readiness or the one access bundle.
+
 ## Output
 
 Write `.godpowers/deploy/STATE.md`:
@@ -85,3 +111,6 @@ Write `.godpowers/deploy/STATE.md`:
 - Health check is TCP-only
 - No smoke tests
 - Paper canary (label without traffic split)
+- Broad provider checklist with no scripts or exact access bundle
+- Marks deploy done when the only verified target is missing
+- Requests all provider keys before the staging URL smoke check has run

package/agents/god-launch-strategist.md

@@ -65,6 +65,21 @@ For each channel:
 - D+1 to D+3: respond to all comments, gather feedback
 - D+7: post-launch retrospective
 
+### 6. Shipping Closure
+- Read `.godpowers/deploy/STATE.md`,
+  `.godpowers/deploy/WAITING-FOR-EXTERNAL-ACCESS.md` if present, and
+  `.godpowers/observe/STATE.md`.
+- If deploy or observe is waiting on external access, do not create a broad
+  dashboard checklist. Reference only the smallest next access item from the
+  waiting bundle and write launch state as `waiting-for-external-access`.
+- If a staging or production URL is available, run or specify the exact smoke
+  command and record the result.
+- If only local staging is available, run local launch-readiness checks and
+  clearly label scope as local readiness, not live launch.
+- Do not ask for launch-channel accounts, analytics dashboards, provider
+  dashboards, API keys, or admin consoles until a named launch-readiness or
+  smoke check cannot run without that exact access.
+
 ## Output
 
 Write `.godpowers/launch/STATE.md` with all artifacts.
@@ -78,6 +93,10 @@ Write `.godpowers/launch/STATE.md` with all artifacts.
 - Launch with no source attribution
 - No D+1 to D+7 follow-up plan
 - "We'll figure out marketing later"
+- Broad provider checklist instead of one exact external access bundle
+- Declares live launch without a verified live target
+- Requests launch or provider credentials before the live staging smoke check
+  proves they are needed
 
 ## Pause Conditions
 

package/agents/god-observability-engineer.md

@@ -15,7 +15,9 @@ Wire observability.
 
 ## Gate Check
 
-`.godpowers/deploy/STATE.md` exists. App is deployed and reachable.
+`.godpowers/deploy/STATE.md` exists. App is deployed and reachable, or deploy
+state documents a tested local staging harness plus a single external access
+bundle.
 
 ## Process
 
@@ -57,6 +59,20 @@ For each PRD success metric, define an SLO:
 - No "vanity metrics" dashboards
 - Top-level dashboard shows SLO status at a glance
 
+### 7. External Access Closure
+- If the observability provider is reachable, create or verify the real alerts,
+  dashboards, and runbooks.
+- If the provider is not reachable, create provider-neutral dashboard and alert
+  definitions as code when possible.
+- If dashboard/API credentials are missing, do not request them until the next
+  executable observability check specifically requires that provider access.
+  Prefer local definitions as code, runbook dry-runs, log-shape checks, and CI
+  verification first.
+- If a credential is truly required, append one exact access item to the single
+  waiting access bundle, with the command that will run next.
+- Under `/god-mode --yolo`, continue through every local or CI-verifiable
+  observability check before pausing for external access.
+
 ## Output
 
 Write `.godpowers/observe/STATE.md` with:
@@ -74,3 +90,7 @@ Write `.godpowers/observe/STATE.md` with:
 - Dashboard not tied to an SLO
 - Sensitive data in log output
 - Alert with no runbook
+- Broad dashboard checklist instead of definitions as code or one exact access
+  bundle
+- Requests dashboards or API keys before local observability definitions are
+  created and checked

package/agents/god-orchestrator.md

@@ -324,6 +324,56 @@ after tests pass. If a git remote exists and the user passed an explicit push
 flag or the project intent says pushing is allowed, push after the green commit
 and then continue the arc. Pushing is not a terminal state.
 
+## Shipping Closure Protocol
+
+The shipping tier must not end by listing a broad provider checklist. God Mode
+either ships, creates the automation needed to ship, or pauses on one precise
+external access bundle.
+
+For deploy, observe, harden, and launch:
+1. Detect the target environment from deploy config, org context, env files,
+   CI config, README, existing scripts, and provider CLIs.
+2. If a real staging or production target is reachable, run the real smoke,
+   rollback, health, observability, and launch checks against it.
+3. If no real target is reachable but the stack can run locally, create or
+   update a local staging harness that exercises the same routes, health
+   checks, smoke checks, and launch gates. Run it.
+4. If provider credentials, DNS, TLS, dashboards, or production secrets are
+   missing, create the missing automation and documentation first:
+   - scripts for deploy, smoke, rollback, health, backup, and restore
+   - env var manifest with exact variable names
+   - CI jobs or documented commands that call those scripts
+   - `.godpowers/deploy/WAITING-FOR-EXTERNAL-ACCESS.md` with the smallest
+     access bundle needed
+5. Under `--yolo`, auto-pick safe defaults for provider-neutral choices and
+   continue through every local and CI-verifiable gate.
+6. Only pause when real external access is required and absent. The pause must
+   ask for the smallest next input needed to run the next concrete check. The
+   first pause should usually ask only for the deployed staging origin, for
+   example `STAGING_APP_URL=<staging-origin>`. Do not ask for API keys,
+   provider dashboards, DNS tokens, production secrets, or admin consoles until
+   a specific scripted check cannot run without that exact access.
+7. Do not say "Suggested next" for a blocked shipping tier. Say either
+   `Arc complete` or `PAUSE: external access required`, with the exact artifact
+   that lists the required bundle.
+
+### External Access Ladder
+
+Use this order when external access is missing:
+
+1. Ask for the deployed staging origin only if no live target URL is known.
+2. Run the real staging smoke command against that origin.
+3. Ask for a provider key, dashboard, admin console, or test user only when a
+   named smoke, callback, webhook, export, observability, or rollback check
+   fails or cannot execute without that exact item.
+4. Add at most one new access item per pause unless several items are required
+   by the same command invocation.
+5. Every access request must include the command that will run next and the
+   artifact that will be updated after it runs.
+
+Never request every possible key or API at the start of shipping. Keys and API
+tokens are last-mile inputs.
+
 ## YOLO Behavior with Design + Linkage
 
 | Concern | Default | --yolo |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "godpowers",
-  "version": "0.15.11",
+  "version": "0.15.13",
   "description": "AI-powered development system: 104 slash commands and 38 specialist agents that take a project from raw idea to hardened production. Runs inside Claude Code, Codex, Cursor, Windsurf, Gemini, and 10+ other AI coding tools.",
   "bin": {
     "godpowers": "./bin/install.js"

package/skills/god-deploy.md

@@ -23,7 +23,15 @@ Spawn the **god-deploy-engineer** agent in a fresh context via Task tool.
 After god-deploy-engineer returns:
 1. Verify STATE.md exists on disk
 2. Verify rollback procedure has been tested (not paper-only)
-3. Update `.godpowers/PROGRESS.md`: Deploy status = done
+3. Verify the deploy path is one of:
+   - real staging or production target tested
+   - local staging harness tested with equivalent health, smoke, and rollback
+     commands
+   - paused on `.godpowers/deploy/WAITING-FOR-EXTERNAL-ACCESS.md` with one
+     exact missing access bundle
+4. Update `.godpowers/PROGRESS.md`: Deploy status = done only for a tested real
+   target or tested local staging harness. If external access is missing, mark
+   Deploy = waiting-for-external-access, not done.
 
 ## On Completion
 
@@ -33,6 +41,19 @@ Deploy pipeline complete: .godpowers/deploy/STATE.md
 Suggested next: /god-observe (wire SLOs, alerts, runbooks)
 ```
 
+Under `/god-mode --yolo`, do not stop with a provider checklist. Create or
+update the deploy scripts, smoke command, rollback command, health endpoints,
+env manifest, and local staging harness first. If real external access is still
+required, pause on the single access bundle in
+`.godpowers/deploy/WAITING-FOR-EXTERNAL-ACCESS.md`.
+
+The single access bundle must be incremental. Ask for the smallest next item
+needed to run the next command. If no live target URL is known, ask only for
+`STAGING_APP_URL=<staging-origin>` and the exact smoke command that will run.
+Do not ask for provider keys, API tokens, dashboards, DNS tokens, production
+secrets, admin consoles, or test users until a specific scripted check proves
+that exact item is required.
+
 
 ## Re-invocation contract
 

package/skills/god-launch.md

@@ -25,7 +25,13 @@ After god-launch-strategist returns:
 1. Verify STATE.md exists on disk
 2. Verify landing copy passes substitution test
 3. Verify OG cards rendered (not just meta tags)
-4. Update `.godpowers/PROGRESS.md`: Launch status = done
+4. Verify one of:
+   - launch target is live and smoke checked
+   - local launch-readiness harness passed and external access bundle is the
+     only missing item
+5. Update `.godpowers/PROGRESS.md`: Launch status = done only when live launch
+   or explicit local launch-readiness scope is complete. If external access is
+   missing, mark Launch = waiting-for-external-access.
 
 ## Pause Conditions
 
@@ -43,6 +49,16 @@ Suggested next: /god-audit (score all artifacts retrospectively)
 Or: /god-status (see the final state)
 ```
 
+Under `/god-mode --yolo`, do not stop by listing provider dashboards. Create
+the launch runbook, smoke command, source attribution plan, and local
+launch-readiness checks. If real launch is blocked by missing external access,
+pause on the single access bundle from deploy or launch state.
+
+The launch pause must not expand into every possible channel, analytics, or
+provider credential. Ask only for the next missing access item needed to run a
+named live smoke, launch-readiness, attribution, or monitoring check. If no
+live target URL is known, ask only for `STAGING_APP_URL=<staging-origin>`.
+
 
 ## Re-invocation contract
 

package/skills/god-mode.md

@@ -81,6 +81,15 @@ You are receiving a /god-mode invocation. Your job is to spawn the
      not a completed arc. It must enter the autonomous repair loop and continue
      the same `/god-mode` run until green, except for Critical security or a
      genuine human-only decision.
+   - Instruction that deploy, observe, harden, and launch must follow the
+     Shipping Closure Protocol: verify a real environment when available,
+     otherwise create local/CI-verifiable deploy automation and pause only for
+     one exact external access bundle.
+   - Instruction that keys, API tokens, dashboards, admin consoles, and
+     provider-specific access are last-mile inputs. The first external pause
+     should ask only for the smallest next item needed by a concrete command,
+     usually `STAGING_APP_URL=<staging-origin>`. Ask for additional provider
+     access only after a named check proves it is needed.
 
 6. Orchestrator runs the appropriate workflow:
    - Greenfield -> full-arc

package/skills/god-observe.md

@@ -23,7 +23,14 @@ After god-observability-engineer returns:
 1. Verify STATE.md exists on disk
 2. Verify each SLO has an error budget policy
 3. Verify each alert has a runbook
-4. Update `.godpowers/PROGRESS.md`: Observe status = done
+4. Verify provider work is one of:
+   - real provider alerts and dashboards verified
+   - provider-neutral definitions as code created and locally checked
+   - missing dashboard/API credentials appended to the single external access
+     bundle
+5. Update `.godpowers/PROGRESS.md`: Observe status = done only for verified
+   real provider config or local definitions as code. If external access is
+   missing, mark Observe = waiting-for-external-access.
 
 ## On Completion
 
@@ -33,6 +40,16 @@ Observability complete: .godpowers/observe/STATE.md
 Suggested next: /god-harden (adversarial security review, gates Launch)
 ```
 
+Under `/god-mode --yolo`, do not stop with a dashboard checklist. Create or
+update alert definitions, dashboard definitions, runbooks, and local checks
+first. If real provider access is still required, append the exact missing
+credentials to `.godpowers/deploy/WAITING-FOR-EXTERNAL-ACCESS.md`.
+
+Provider credentials are last-mile inputs. Do not ask for dashboard access,
+API keys, or observability admin consoles until the local definitions, runbook
+dry-runs, log-shape checks, and CI-verifiable checks are done and the next
+named command cannot run without one exact credential.
+
 
 ## Re-invocation contract
 

package/workflows/full-arc.yaml

@@ -66,11 +66,19 @@ jobs:
     tier: 3
     needs: build
     uses: god-deploy-engineer@^1.0.0
+    closure:
+      on-missing-external-access: create-waiting-access-bundle
+      local-verification-required: true
+      access-order: ask-for-staging-url-before-provider-keys
+      max-new-access-items-per-pause: 1
 
   observe:
     tier: 3
     needs: deploy
     uses: god-observability-engineer@^1.0.0
+    closure:
+      access-order: ask-for-local-definitions-before-provider-keys
+      max-new-access-items-per-pause: 1
 
   harden:
     tier: 3
@@ -85,3 +93,8 @@ jobs:
     uses: god-launch-strategist@^1.0.0
     with:
       template: HARDEN-FINDINGS.md
+    closure:
+      no-broad-checklists: true
+      on-missing-external-access: pause-with-single-access-bundle
+      access-order: ask-for-staging-url-before-provider-keys
+      max-new-access-items-per-pause: 1