godpowers 0.15.13 → 0.15.14

package/CHANGELOG.md

@@ -5,6 +5,21 @@ All notable changes to Godpowers will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.15.14] - 2026-05-11
+
+Origin evidence release. Prevents `/god-mode --yolo` from inventing staging,
+preview, or production domains during shipping closure.
+
+### Changed
+- Added an Origin Evidence Rule to the Shipping Closure Protocol: deployed
+  origins must come from user input, env/config, deployment config, CI variable
+  references, IaC output, hosting CLI output, or deployment docs that explicitly
+  label the URL as owned and current.
+- Deploy and launch instructions now forbid guessing domains from product name,
+  repo name, package name, README title, brand name, or common TLDs.
+- Full-arc workflow metadata now marks deploy and launch closure as requiring
+  evidence-backed origins and forbidding inferred domains.
+
 ## [0.15.13] - 2026-05-11
 
 Access ladder release. Tightens `/god-mode --yolo` shipping closure so keys,

package/README.md

@@ -2,7 +2,7 @@
 
 [![CI](https://github.com/aihxp/godpowers/actions/workflows/ci.yml/badge.svg)](https://github.com/aihxp/godpowers/actions/workflows/ci.yml)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
-[![Version](https://img.shields.io/badge/version-0.15.13-blue)](CHANGELOG.md)
+[![Version](https://img.shields.io/badge/version-0.15.14-blue)](CHANGELOG.md)
 [![npm](https://img.shields.io/npm/v/godpowers.svg)](https://www.npmjs.com/package/godpowers)
 
 **Ship fast. Ship right. Ship everything. Ship accountably.**

package/agents/god-deploy-engineer.md

@@ -70,6 +70,15 @@ Build is complete. All tests pass. `.godpowers/build/STATE.md` shows green.
   dashboards, DNS tokens, production secrets, admin consoles, or test users
   until a named deploy, smoke, rollback, health, callback, webhook, export, or
   observability check cannot run without that exact item.
+- Treat a staging or production origin as known only when it appears in direct
+  evidence: current user input, env/config values, deployment config, CI
+  variable references, IaC output, hosting CLI output, or deployment docs that
+  explicitly label the URL as owned and current. Never guess domains from the
+  product name, package name, repo name, README title, brand name, or common
+  TLDs.
+- If only localhost or `127.0.0.1` exists, run local smoke only. If only
+  production is known, do not call it staging and do not use it as a yolo
+  default for staging smoke.
 - Add at most one new external access item per pause unless one command
   invocation genuinely requires several values together.
 - Do not return a broad checklist as the final answer. Either return tested
@@ -114,3 +123,5 @@ Write `.godpowers/deploy/STATE.md`:
 - Broad provider checklist with no scripts or exact access bundle
 - Marks deploy done when the only verified target is missing
 - Requests all provider keys before the staging URL smoke check has run
+- Invents or guesses a staging or production domain
+- Treats production as staging without explicit user approval

package/agents/god-launch-strategist.md

@@ -79,6 +79,13 @@ For each channel:
 - Do not ask for launch-channel accounts, analytics dashboards, provider
   dashboards, API keys, or admin consoles until a named launch-readiness or
   smoke check cannot run without that exact access.
+- A URL is available only when it comes from direct evidence: current user
+  input, env/config, deployment config, CI variable references, IaC output,
+  hosting CLI output, or deployment docs that explicitly label it as owned and
+  current. Never infer a launch URL from product name, repo name, package name,
+  README title, brand name, or common TLDs.
+- If only production is known, do not treat it as staging. If no deployed
+  origin is known, pause for `STAGING_APP_URL=<deployed staging origin>`.
 
 ## Output
 
@@ -97,6 +104,7 @@ Write `.godpowers/launch/STATE.md` with all artifacts.
 - Declares live launch without a verified live target
 - Requests launch or provider credentials before the live staging smoke check
   proves they are needed
+- Invents or guesses launch, staging, or production domains
 
 ## Pause Conditions
 

package/agents/god-orchestrator.md

@@ -361,7 +361,8 @@ For deploy, observe, harden, and launch:
 
 Use this order when external access is missing:
 
-1. Ask for the deployed staging origin only if no live target URL is known.
+1. Ask for the deployed staging origin only if no live target URL is known from
+   explicit evidence.
 2. Run the real staging smoke command against that origin.
 3. Ask for a provider key, dashboard, admin console, or test user only when a
    named smoke, callback, webhook, export, observability, or rollback check
@@ -374,6 +375,23 @@ Use this order when external access is missing:
 Never request every possible key or API at the start of shipping. Keys and API
 tokens are last-mile inputs.
 
+### Origin Evidence Rule
+
+A staging, production, or preview origin is known only when it appears in direct
+evidence:
+
+- user-provided value in the current session
+- `STAGING_APP_URL`, `PUBLIC_APP_URL`, `APP_URL`, or equivalent env/config value
+- deployment config, CI variable reference, IaC output, hosting CLI output, or
+  checked-in deployment docs that explicitly label the URL as owned and current
+- an existing Godpowers artifact that cites one of the sources above
+
+Never invent domains from the product name, package name, repo name, README
+title, brand name, or common TLDs. Never turn `scriven` into
+`https://scriven.app`, or any similar guessed URL. If only production is known,
+do not call it staging. If only local URLs exist, run local smoke only and pause
+for `STAGING_APP_URL=<deployed staging origin>` before deployed staging smoke.
+
 ## YOLO Behavior with Design + Linkage
 
 | Concern | Default | --yolo |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "godpowers",
-  "version": "0.15.13",
+  "version": "0.15.14",
   "description": "AI-powered development system: 104 slash commands and 38 specialist agents that take a project from raw idea to hardened production. Runs inside Claude Code, Codex, Cursor, Windsurf, Gemini, and 10+ other AI coding tools.",
   "bin": {
     "godpowers": "./bin/install.js"

package/skills/god-deploy.md

@@ -54,6 +54,14 @@ Do not ask for provider keys, API tokens, dashboards, DNS tokens, production
 secrets, admin consoles, or test users until a specific scripted check proves
 that exact item is required.
 
+Live target URLs must be evidence-backed. Accept current user input, env/config
+values, deployment config, CI variable references, IaC output, hosting CLI
+output, or deployment docs that explicitly label the URL as owned and current.
+Never invent a domain from the product name, repo name, package name, README
+title, brand name, or common TLDs. If only local URLs exist, run local smoke
+only and pause for `STAGING_APP_URL=<deployed staging origin>`. If only
+production is known, do not use it as staging without explicit user approval.
+
 
 ## Re-invocation contract
 

package/skills/god-launch.md

@@ -59,6 +59,12 @@ provider credential. Ask only for the next missing access item needed to run a
 named live smoke, launch-readiness, attribution, or monitoring check. If no
 live target URL is known, ask only for `STAGING_APP_URL=<staging-origin>`.
 
+Live target URLs must be evidence-backed. Never invent a domain from the
+product name, repo name, package name, README title, brand name, or common TLDs.
+If only localhost or `127.0.0.1` exists, launch can only mark local readiness.
+If only production is known, do not treat it as staging without explicit user
+approval.
+
 
 ## Re-invocation contract
 

package/skills/god-mode.md

@@ -90,6 +90,10 @@ You are receiving a /god-mode invocation. Your job is to spawn the
      should ask only for the smallest next item needed by a concrete command,
      usually `STAGING_APP_URL=<staging-origin>`. Ask for additional provider
      access only after a named check proves it is needed.
+   - Instruction that staging, preview, and production URLs must come from
+     direct evidence. Never infer or invent a domain from project name, package
+     name, repo name, README title, or brand name. If no deployed origin is
+     evidenced, pause for `STAGING_APP_URL=<deployed staging origin>`.
 
 6. Orchestrator runs the appropriate workflow:
    - Greenfield -> full-arc

package/workflows/full-arc.yaml

@@ -71,6 +71,8 @@ jobs:
       local-verification-required: true
       access-order: ask-for-staging-url-before-provider-keys
       max-new-access-items-per-pause: 1
+      origin-evidence-required: true
+      no-inferred-domains: true
 
   observe:
     tier: 3
@@ -98,3 +100,5 @@ jobs:
       on-missing-external-access: pause-with-single-access-bundle
       access-order: ask-for-staging-url-before-provider-keys
       max-new-access-items-per-pause: 1
+      origin-evidence-required: true
+      no-inferred-domains: true