godpowers 0.15.12 → 0.15.14

package/CHANGELOG.md

@@ -5,6 +5,37 @@ All notable changes to Godpowers will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.15.14] - 2026-05-11
+
+Origin evidence release. Prevents `/god-mode --yolo` from inventing staging,
+preview, or production domains during shipping closure.
+
+### Changed
+- Added an Origin Evidence Rule to the Shipping Closure Protocol: deployed
+  origins must come from user input, env/config, deployment config, CI variable
+  references, IaC output, hosting CLI output, or deployment docs that explicitly
+  label the URL as owned and current.
+- Deploy and launch instructions now forbid guessing domains from product name,
+  repo name, package name, README title, brand name, or common TLDs.
+- Full-arc workflow metadata now marks deploy and launch closure as requiring
+  evidence-backed origins and forbidding inferred domains.
+
+## [0.15.13] - 2026-05-11
+
+Access ladder release. Tightens `/god-mode --yolo` shipping closure so keys,
+API tokens, dashboards, admin consoles, and provider access are requested only
+when a concrete check proves they are needed.
+
+### Changed
+- Added an External Access Ladder to the Shipping Closure Protocol: ask first
+  for the deployed staging origin, run the real staging smoke command, then ask
+  for one additional access item only when the next named check requires it.
+- Deploy, observability, launch, and full-arc instructions now cap blocked
+  shipping pauses to one new external access item unless a single command
+  genuinely requires several values together.
+- God Mode now treats provider keys and API tokens as last-mile inputs, not
+  upfront rollout prerequisites.
+
 ## [0.15.12] - 2026-05-11
 
 Shipping closure release. Prevents `/god-mode --yolo` from stopping with broad

package/README.md

@@ -2,7 +2,7 @@
 
 [![CI](https://github.com/aihxp/godpowers/actions/workflows/ci.yml/badge.svg)](https://github.com/aihxp/godpowers/actions/workflows/ci.yml)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
-[![Version](https://img.shields.io/badge/version-0.15.12-blue)](CHANGELOG.md)
+[![Version](https://img.shields.io/badge/version-0.15.14-blue)](CHANGELOG.md)
 [![npm](https://img.shields.io/npm/v/godpowers.svg)](https://www.npmjs.com/package/godpowers)
 
 **Ship fast. Ship right. Ship everything. Ship accountably.**

package/agents/god-deploy-engineer.md

@@ -61,9 +61,26 @@ Build is complete. All tests pass. `.godpowers/build/STATE.md` shows green.
   run the same smoke command against it.
 - If provider credentials, DNS, TLS, dashboard access, or production secrets are
   missing, write `.godpowers/deploy/WAITING-FOR-EXTERNAL-ACCESS.md`.
-- That file must contain one smallest access bundle, exact env var names,
-  exact dashboard/provider links or placeholders, and the command Godpowers will
-  run after access exists.
+- That file must contain the smallest next access item, exact env var names
+  only when needed by the next command, exact provider links only when a failed
+  check proves they are needed, and the command Godpowers will run after access
+  exists.
+- Default first pause: ask only for `STAGING_APP_URL=<staging-origin>` so the
+  real smoke command can run. Do not ask for provider keys, API tokens,
+  dashboards, DNS tokens, production secrets, admin consoles, or test users
+  until a named deploy, smoke, rollback, health, callback, webhook, export, or
+  observability check cannot run without that exact item.
+- Treat a staging or production origin as known only when it appears in direct
+  evidence: current user input, env/config values, deployment config, CI
+  variable references, IaC output, hosting CLI output, or deployment docs that
+  explicitly label the URL as owned and current. Never guess domains from the
+  product name, package name, repo name, README title, brand name, or common
+  TLDs.
+- If only localhost or `127.0.0.1` exists, run local smoke only. If only
+  production is known, do not call it staging and do not use it as a yolo
+  default for staging smoke.
+- Add at most one new external access item per pause unless one command
+  invocation genuinely requires several values together.
 - Do not return a broad checklist as the final answer. Either return tested
   deploy readiness or the one access bundle.
 
@@ -105,3 +122,6 @@ Write `.godpowers/deploy/STATE.md`:
 - Paper canary (label without traffic split)
 - Broad provider checklist with no scripts or exact access bundle
 - Marks deploy done when the only verified target is missing
+- Requests all provider keys before the staging URL smoke check has run
+- Invents or guesses a staging or production domain
+- Treats production as staging without explicit user approval

package/agents/god-launch-strategist.md

@@ -70,12 +70,22 @@ For each channel:
   `.godpowers/deploy/WAITING-FOR-EXTERNAL-ACCESS.md` if present, and
   `.godpowers/observe/STATE.md`.
 - If deploy or observe is waiting on external access, do not create a broad
-  dashboard checklist. Reference the single waiting access bundle and write
-  launch state as `waiting-for-external-access`.
+  dashboard checklist. Reference only the smallest next access item from the
+  waiting bundle and write launch state as `waiting-for-external-access`.
 - If a staging or production URL is available, run or specify the exact smoke
   command and record the result.
 - If only local staging is available, run local launch-readiness checks and
   clearly label scope as local readiness, not live launch.
+- Do not ask for launch-channel accounts, analytics dashboards, provider
+  dashboards, API keys, or admin consoles until a named launch-readiness or
+  smoke check cannot run without that exact access.
+- A URL is available only when it comes from direct evidence: current user
+  input, env/config, deployment config, CI variable references, IaC output,
+  hosting CLI output, or deployment docs that explicitly label it as owned and
+  current. Never infer a launch URL from product name, repo name, package name,
+  README title, brand name, or common TLDs.
+- If only production is known, do not treat it as staging. If no deployed
+  origin is known, pause for `STAGING_APP_URL=<deployed staging origin>`.
 
 ## Output
 
@@ -92,6 +102,9 @@ Write `.godpowers/launch/STATE.md` with all artifacts.
 - "We'll figure out marketing later"
 - Broad provider checklist instead of one exact external access bundle
 - Declares live launch without a verified live target
+- Requests launch or provider credentials before the live staging smoke check
+  proves they are needed
+- Invents or guesses launch, staging, or production domains
 
 ## Pause Conditions
 

package/agents/god-observability-engineer.md

@@ -64,8 +64,12 @@ For each PRD success metric, define an SLO:
   dashboards, and runbooks.
 - If the provider is not reachable, create provider-neutral dashboard and alert
   definitions as code when possible.
-- If dashboard/API credentials are missing, append them to the single waiting
-  access bundle instead of returning a broad checklist.
+- If dashboard/API credentials are missing, do not request them until the next
+  executable observability check specifically requires that provider access.
+  Prefer local definitions as code, runbook dry-runs, log-shape checks, and CI
+  verification first.
+- If a credential is truly required, append one exact access item to the single
+  waiting access bundle, with the command that will run next.
 - Under `/god-mode --yolo`, continue through every local or CI-verifiable
   observability check before pausing for external access.
 
@@ -88,3 +92,5 @@ Write `.godpowers/observe/STATE.md` with:
 - Alert with no runbook
 - Broad dashboard checklist instead of definitions as code or one exact access
   bundle
+- Requests dashboards or API keys before local observability definitions are
+  created and checked

package/agents/god-orchestrator.md

@@ -348,13 +348,50 @@ For deploy, observe, harden, and launch:
 5. Under `--yolo`, auto-pick safe defaults for provider-neutral choices and
    continue through every local and CI-verifiable gate.
 6. Only pause when real external access is required and absent. The pause must
-   ask for one concrete thing, such as "provide STAGING_URL and these 5 secrets"
-   or "confirm production DNS host and token." Do not output a long checklist
-   as the stopping condition.
+   ask for the smallest next input needed to run the next concrete check. The
+   first pause should usually ask only for the deployed staging origin, for
+   example `STAGING_APP_URL=<staging-origin>`. Do not ask for API keys,
+   provider dashboards, DNS tokens, production secrets, or admin consoles until
+   a specific scripted check cannot run without that exact access.
 7. Do not say "Suggested next" for a blocked shipping tier. Say either
    `Arc complete` or `PAUSE: external access required`, with the exact artifact
    that lists the required bundle.
 
+### External Access Ladder
+
+Use this order when external access is missing:
+
+1. Ask for the deployed staging origin only if no live target URL is known from
+   explicit evidence.
+2. Run the real staging smoke command against that origin.
+3. Ask for a provider key, dashboard, admin console, or test user only when a
+   named smoke, callback, webhook, export, observability, or rollback check
+   fails or cannot execute without that exact item.
+4. Add at most one new access item per pause unless several items are required
+   by the same command invocation.
+5. Every access request must include the command that will run next and the
+   artifact that will be updated after it runs.
+
+Never request every possible key or API at the start of shipping. Keys and API
+tokens are last-mile inputs.
+
+### Origin Evidence Rule
+
+A staging, production, or preview origin is known only when it appears in direct
+evidence:
+
+- user-provided value in the current session
+- `STAGING_APP_URL`, `PUBLIC_APP_URL`, `APP_URL`, or equivalent env/config value
+- deployment config, CI variable reference, IaC output, hosting CLI output, or
+  checked-in deployment docs that explicitly label the URL as owned and current
+- an existing Godpowers artifact that cites one of the sources above
+
+Never invent domains from the product name, package name, repo name, README
+title, brand name, or common TLDs. Never turn `scriven` into
+`https://scriven.app`, or any similar guessed URL. If only production is known,
+do not call it staging. If only local URLs exist, run local smoke only and pause
+for `STAGING_APP_URL=<deployed staging origin>` before deployed staging smoke.
+
 ## YOLO Behavior with Design + Linkage
 
 | Concern | Default | --yolo |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "godpowers",
-  "version": "0.15.12",
+  "version": "0.15.14",
   "description": "AI-powered development system: 104 slash commands and 38 specialist agents that take a project from raw idea to hardened production. Runs inside Claude Code, Codex, Cursor, Windsurf, Gemini, and 10+ other AI coding tools.",
   "bin": {
     "godpowers": "./bin/install.js"

package/skills/god-deploy.md

@@ -47,6 +47,21 @@ env manifest, and local staging harness first. If real external access is still
 required, pause on the single access bundle in
 `.godpowers/deploy/WAITING-FOR-EXTERNAL-ACCESS.md`.
 
+The single access bundle must be incremental. Ask for the smallest next item
+needed to run the next command. If no live target URL is known, ask only for
+`STAGING_APP_URL=<staging-origin>` and the exact smoke command that will run.
+Do not ask for provider keys, API tokens, dashboards, DNS tokens, production
+secrets, admin consoles, or test users until a specific scripted check proves
+that exact item is required.
+
+Live target URLs must be evidence-backed. Accept current user input, env/config
+values, deployment config, CI variable references, IaC output, hosting CLI
+output, or deployment docs that explicitly label the URL as owned and current.
+Never invent a domain from the product name, repo name, package name, README
+title, brand name, or common TLDs. If only local URLs exist, run local smoke
+only and pause for `STAGING_APP_URL=<deployed staging origin>`. If only
+production is known, do not use it as staging without explicit user approval.
+
 
 ## Re-invocation contract
 

package/skills/god-launch.md

@@ -54,6 +54,17 @@ the launch runbook, smoke command, source attribution plan, and local
 launch-readiness checks. If real launch is blocked by missing external access,
 pause on the single access bundle from deploy or launch state.
 
+The launch pause must not expand into every possible channel, analytics, or
+provider credential. Ask only for the next missing access item needed to run a
+named live smoke, launch-readiness, attribution, or monitoring check. If no
+live target URL is known, ask only for `STAGING_APP_URL=<staging-origin>`.
+
+Live target URLs must be evidence-backed. Never invent a domain from the
+product name, repo name, package name, README title, brand name, or common TLDs.
+If only localhost or `127.0.0.1` exists, launch can only mark local readiness.
+If only production is known, do not treat it as staging without explicit user
+approval.
+
 
 ## Re-invocation contract
 

package/skills/god-mode.md

@@ -85,6 +85,15 @@ You are receiving a /god-mode invocation. Your job is to spawn the
      Shipping Closure Protocol: verify a real environment when available,
      otherwise create local/CI-verifiable deploy automation and pause only for
      one exact external access bundle.
+   - Instruction that keys, API tokens, dashboards, admin consoles, and
+     provider-specific access are last-mile inputs. The first external pause
+     should ask only for the smallest next item needed by a concrete command,
+     usually `STAGING_APP_URL=<staging-origin>`. Ask for additional provider
+     access only after a named check proves it is needed.
+   - Instruction that staging, preview, and production URLs must come from
+     direct evidence. Never infer or invent a domain from project name, package
+     name, repo name, README title, or brand name. If no deployed origin is
+     evidenced, pause for `STAGING_APP_URL=<deployed staging origin>`.
 
 6. Orchestrator runs the appropriate workflow:
    - Greenfield -> full-arc

package/skills/god-observe.md

@@ -45,6 +45,11 @@ update alert definitions, dashboard definitions, runbooks, and local checks
 first. If real provider access is still required, append the exact missing
 credentials to `.godpowers/deploy/WAITING-FOR-EXTERNAL-ACCESS.md`.
 
+Provider credentials are last-mile inputs. Do not ask for dashboard access,
+API keys, or observability admin consoles until the local definitions, runbook
+dry-runs, log-shape checks, and CI-verifiable checks are done and the next
+named command cannot run without one exact credential.
+
 
 ## Re-invocation contract
 

package/workflows/full-arc.yaml

@@ -69,11 +69,18 @@ jobs:
     closure:
       on-missing-external-access: create-waiting-access-bundle
       local-verification-required: true
+      access-order: ask-for-staging-url-before-provider-keys
+      max-new-access-items-per-pause: 1
+      origin-evidence-required: true
+      no-inferred-domains: true
 
   observe:
     tier: 3
     needs: deploy
     uses: god-observability-engineer@^1.0.0
+    closure:
+      access-order: ask-for-local-definitions-before-provider-keys
+      max-new-access-items-per-pause: 1
 
   harden:
     tier: 3
@@ -91,3 +98,7 @@ jobs:
     closure:
       no-broad-checklists: true
       on-missing-external-access: pause-with-single-access-bundle
+      access-order: ask-for-staging-url-before-provider-keys
+      max-new-access-items-per-pause: 1
+      origin-evidence-required: true
+      no-inferred-domains: true