godpowers 1.6.24 → 2.1.0

package/extensions/data-pack/manifest.yaml

@@ -9,7 +9,7 @@ metadata:
     without SLOs, ETL without idempotency.
 
 engines:
-  godpowers: ">=0.14.0 <2.0.0"
+  godpowers: ">=2.0.0 <3.0.0"
 
 provides:
   agents:

package/extensions/data-pack/package.json

@@ -37,6 +37,6 @@
     "README.md"
   ],
   "peerDependencies": {
-    "godpowers": ">=0.14.0 <2.0.0"
+    "godpowers": ">=2.0.0 <3.0.0"
   }
 }

package/extensions/launch-pack/README.md

@@ -11,7 +11,7 @@ Channel-specific launch strategists for Godpowers.
 | `/god-indie-hackers` | god-indie-hackers-strategist | Numbers-first, mistakes, real questions |
 | `/god-oss-release` | god-oss-release-strategist | README, SemVer, examples that run |
 
-Plus 4 workflows and 22 channel-specific have-nots.
+Plus 4 workflows and 23 channel-specific have-nots.
 
 ## When to use
 

package/extensions/launch-pack/manifest.yaml

@@ -9,7 +9,7 @@ metadata:
     god-launch-strategist with channel expertise.
 
 engines:
-  godpowers: ">=0.14.0 <2.0.0"
+  godpowers: ">=2.0.0 <3.0.0"
 
 provides:
   agents:

package/extensions/launch-pack/package.json

@@ -36,6 +36,6 @@
     "README.md"
   ],
   "peerDependencies": {
-    "godpowers": ">=0.14.0 <2.0.0"
+    "godpowers": ">=2.0.0 <3.0.0"
   }
 }

package/extensions/security-pack/manifest.yaml

@@ -8,7 +8,7 @@ metadata:
     Layers on top of god-harden-auditor with regulation-specific checks.
 
 engines:
-  godpowers: ">=0.14.0 <2.0.0"
+  godpowers: ">=2.0.0 <3.0.0"
 
 provides:
   agents:

package/extensions/security-pack/package.json

@@ -37,6 +37,6 @@
     "README.md"
   ],
   "peerDependencies": {
-    "godpowers": ">=0.14.0 <2.0.0"
+    "godpowers": ">=2.0.0 <3.0.0"
   }
 }

package/fixtures/quick-proof/manifest.json

@@ -0,0 +1,19 @@
+{
+  "name": "quick-proof",
+  "description": "Deterministic fixture for the Godpowers quick proof CLI command.",
+  "project": "quick-proof-saas",
+  "proves": [
+    "state on disk",
+    "missing artifacts",
+    "next command",
+    "host guarantees"
+  ],
+  "expected": {
+    "state": "in progress",
+    "next": "/god-prd",
+    "missing": [
+      ".godpowers/prd/PRD.md",
+      ".godpowers/roadmap/ROADMAP.md"
+    ]
+  }
+}

package/fixtures/quick-proof/project/.godpowers/prep/INITIAL-FINDINGS.md

@@ -0,0 +1,5 @@
+# Initial Findings
+
+- [DECISION] This quick-proof fixture represents a project that has been initialized but does not have a PRD yet.
+- [DECISION] The expected next command is `/god-prd`.
+- [HYPOTHESIS] A first-time user can understand the Godpowers proof loop by seeing state, missing artifacts, host guarantees, and a next action together.

package/fixtures/quick-proof/project/.godpowers/state.json

@@ -0,0 +1,69 @@
+{
+  "$schema": "https://godpowers.dev/schema/state.v1.json",
+  "version": "1.0.0",
+  "project": {
+    "name": "quick-proof-saas",
+    "started": "2026-05-16T00:00:00.000Z"
+  },
+  "active-workstream": "main",
+  "tiers": {
+    "tier-0": {
+      "orchestration": {
+        "status": "done",
+        "updated": "2026-05-16T00:00:00.000Z"
+      }
+    },
+    "tier-1": {
+      "prd": {
+        "status": "pending"
+      },
+      "arch": {
+        "status": "pending"
+      },
+      "roadmap": {
+        "status": "pending"
+      },
+      "stack": {
+        "status": "pending"
+      },
+      "design": {
+        "status": "not-required",
+        "reason": "Fixture is focused on state and routing proof."
+      },
+      "product": {
+        "status": "not-required",
+        "reason": "Fixture is focused on state and routing proof."
+      }
+    },
+    "tier-2": {
+      "repo": {
+        "status": "pending"
+      },
+      "build": {
+        "status": "pending"
+      }
+    },
+    "tier-3": {
+      "deploy": {
+        "status": "pending"
+      },
+      "observe": {
+        "status": "pending"
+      },
+      "launch": {
+        "status": "pending"
+      },
+      "harden": {
+        "status": "pending"
+      }
+    }
+  },
+  "lifecycle-phase": "in-arc",
+  "linkage": {
+    "coverage-pct": 0,
+    "orphan-count": 0,
+    "drift-count": 0,
+    "review-required-items": 0
+  },
+  "yolo-decisions": []
+}

package/fixtures/quick-proof/project/README.md

@@ -0,0 +1,5 @@
+# Quick Proof Fixture
+
+This fixture is intentionally small. It has Godpowers state on disk, but it
+does not include completed PRD or roadmap artifacts. The expected next command
+is `/god-prd`.

package/fixtures/quick-proof/project/package.json

@@ -0,0 +1,6 @@
+{
+  "name": "quick-proof-saas",
+  "version": "0.0.0",
+  "private": true,
+  "description": "Tiny project fixture used by godpowers quick-proof."
+}

package/lib/agent-browser-driver.js

@@ -30,7 +30,7 @@
  *   isInstalled() -> bool
  */
 
-const { execSync } = require('child_process');
+const { execFileSync } = require('child_process');
 const path = require('path');
 
 /**
@@ -38,14 +38,14 @@ const path = require('path');
  */
 function isInstalled() {
   try {
-    execSync('agent-browser --version', {
+    execFileSync('agent-browser', ['--version'], {
       stdio: ['ignore', 'pipe', 'pipe'],
       timeout: 5000
     });
     return true;
   } catch (e1) {
     try {
-      execSync('npx --no-install agent-browser --version', {
+      execFileSync('npx', ['--no-install', 'agent-browser', '--version'], {
         stdio: ['ignore', 'pipe', 'pipe'],
         timeout: 5000
       });
@@ -59,21 +59,21 @@ function isInstalled() {
 /**
  * Run an agent-browser CLI command and return stdout.
  * Throws on non-zero exit. Times out after 30s default.
+ *
+ * Arguments are passed as an argv array with the shell disabled. URLs,
+ * selectors, and eval expressions can originate from project content
+ * (PRD/DESIGN acceptance criteria, CLI flags), so they must never be
+ * concatenated into a shell command string where metacharacters like
+ * `;`, `&&`, `$()`, or backticks could trigger command injection.
  */
 function run(args, opts = {}) {
-  const cmd = Array.isArray(args) ? args : [args];
-  // Quote arguments containing spaces (best-effort)
-  const argString = cmd.map(a => {
-    const s = String(a);
-    if (/\s/.test(s) && !s.startsWith('"')) return `"${s.replace(/"/g, '\\"')}"`;
-    return s;
-  }).join(' ');
-  const fullCmd = `agent-browser ${argString}`;
-  return execSync(fullCmd, {
+  const cmd = (Array.isArray(args) ? args : [args]).map(String);
+  return execFileSync('agent-browser', cmd, {
     stdio: ['ignore', 'pipe', 'pipe'],
     timeout: opts.timeout || 30000,
     cwd: opts.cwd || process.cwd(),
-    encoding: 'utf8'
+    encoding: 'utf8',
+    shell: false
   });
 }
 

package/lib/agent-cache.js

@@ -139,7 +139,14 @@ function clear(projectRoot, opts = {}) {
       const fpath = path.join(shardPath, fname);
       let entry;
       try { entry = JSON.parse(fs.readFileSync(fpath, 'utf8')); }
-      catch (e) { fs.unlinkSync(fpath); removed++; continue; }
+      catch (e) {
+        // Corrupt or non-JSON entry: prune it only on an explicit full clear.
+        // A narrow clear (by agent, expiry, or age) must not delete unrelated
+        // unparseable files it was never asked to touch.
+        if (opts.all) { fs.unlinkSync(fpath); removed++; }
+        else { kept++; }
+        continue;
+      }
       let shouldRemove = false;
       if (opts.all) shouldRemove = true;
       else if (opts.agent && entry.agent === opts.agent) shouldRemove = true;

package/lib/agent-refs.js

@@ -0,0 +1,161 @@
+const fs = require('fs');
+const path = require('path');
+const { isCompatible, parseManifest } = require('./extensions');
+
+const AGENT_CONTRACT_VERSION = '1.0.0';
+
+/**
+ * @typedef {Object} AgentRef
+ * @property {string|null} agent Agent name without the range suffix.
+ * @property {string|null} range SemVer range declared after the final at sign.
+ * @property {string} raw Original workflow `uses` value.
+ */
+
+/**
+ * @typedef {AgentRef & { contractVersion: string, valid: boolean, errors: string[] }} AgentRefValidation
+ */
+
+/**
+ * @param {string} ref
+ * @returns {AgentRef}
+ */
+function parseAgentRef(ref) {
+  if (!ref) return { agent: null, range: null, raw: ref };
+  const raw = String(ref).trim();
+  const at = raw.lastIndexOf('@');
+  if (at <= 0) {
+    return { agent: raw, range: null, raw };
+  }
+  return {
+    agent: raw.slice(0, at),
+    range: raw.slice(at + 1),
+    raw
+  };
+}
+
+/**
+ * @param {string} ref
+ * @param {string} [contractVersion]
+ * @returns {AgentRefValidation}
+ */
+function validateAgentRef(ref, contractVersion = AGENT_CONTRACT_VERSION) {
+  const parsed = parseAgentRef(ref);
+  const errors = [];
+
+  if (!parsed.agent || !/^[a-z][a-z0-9-]*$/.test(parsed.agent)) {
+    errors.push(`invalid agent name in uses: ${ref}`);
+  }
+  if (!parsed.range) {
+    errors.push(`agent ref must include a semver range: ${ref}`);
+  } else if (!isCompatible(parsed.range, contractVersion)) {
+    errors.push(`agent ref ${ref} does not satisfy agent contract ${contractVersion}`);
+  }
+
+  return { ...parsed, contractVersion, valid: errors.length === 0, errors };
+}
+
+/**
+ * @param {string} ref
+ * @param {string} [contractVersion]
+ * @returns {AgentRefValidation}
+ */
+function assertAgentRef(ref, contractVersion = AGENT_CONTRACT_VERSION) {
+  const result = validateAgentRef(ref, contractVersion);
+  if (!result.valid) {
+    throw new Error(result.errors.join('; '));
+  }
+  return result;
+}
+
+/**
+ * @typedef {Object} ProseRef
+ * @property {string} token Unresolved god-* token (leading slash stripped).
+ * @property {string} file Repo-relative path where the token was found.
+ * @property {number} count Occurrences of that token in that file.
+ */
+
+const PROSE_TOKEN = /(?<![A-Za-z0-9_])\/?god-[a-z0-9]+(?:-[a-z0-9]+)*/g;
+
+/**
+ * Collect the set of every god-* command/agent name that legitimately exists:
+ * core skills, core agents, and the skills/agents provided by first-party
+ * extension packs. {god, godpowers} are always valid (front door + binary).
+ *
+ * @param {string} rootDir Repository root.
+ * @returns {Set<string>}
+ */
+function knownGodNames(rootDir) {
+  const valid = new Set(['god', 'godpowers']);
+
+  for (const f of fs.readdirSync(path.join(rootDir, 'skills'))) {
+    if (f.endsWith('.md')) valid.add(f.replace(/\.md$/, ''));
+  }
+  for (const f of fs.readdirSync(path.join(rootDir, 'agents'))) {
+    if (/^god-.*\.md$/.test(f)) valid.add(f.replace(/\.md$/, ''));
+  }
+
+  const extDir = path.join(rootDir, 'extensions');
+  if (fs.existsSync(extDir)) {
+    for (const pack of fs.readdirSync(extDir)) {
+      const manifestPath = path.join(extDir, pack, 'manifest.yaml');
+      if (!fs.existsSync(manifestPath)) continue;
+      let provides = {};
+      try {
+        const parsed = parseManifest(fs.readFileSync(manifestPath, 'utf8'));
+        provides = (parsed && parsed.manifest && parsed.manifest.provides) || {};
+      } catch (e) {
+        continue;
+      }
+      for (const list of [provides.skills, provides.agents]) {
+        if (Array.isArray(list)) {
+          for (const name of list) valid.add(String(name).trim());
+        }
+      }
+    }
+  }
+
+  return valid;
+}
+
+/**
+ * Scan skill and agent prose for `god-*` references that do not resolve to a
+ * real core skill, core agent, or extension-provided skill/agent. Catches
+ * phantom references that the workflow `uses:` validator cannot see because
+ * they live in markdown bodies rather than YAML.
+ *
+ * @param {string} rootDir Repository root.
+ * @returns {ProseRef[]} Unresolved references (empty when everything resolves).
+ */
+function findUnresolvedProseRefs(rootDir) {
+  const valid = knownGodNames(rootDir);
+  const unresolved = [];
+
+  for (const dir of ['skills', 'agents']) {
+    const dirPath = path.join(rootDir, dir);
+    for (const f of fs.readdirSync(dirPath)) {
+      if (!f.endsWith('.md')) continue;
+      const text = fs.readFileSync(path.join(dirPath, f), 'utf8');
+      const counts = new Map();
+      let m;
+      while ((m = PROSE_TOKEN.exec(text)) !== null) {
+        const token = m[0].replace(/^\//, '');
+        if (valid.has(token)) continue;
+        counts.set(token, (counts.get(token) || 0) + 1);
+      }
+      for (const [token, count] of counts) {
+        unresolved.push({ token, file: `${dir}/${f}`, count });
+      }
+    }
+  }
+
+  return unresolved;
+}
+
+module.exports = {
+  AGENT_CONTRACT_VERSION,
+  parseAgentRef,
+  validateAgentRef,
+  assertAgentRef,
+  knownGodNames,
+  findUnresolvedProseRefs
+};

package/lib/budget.js

@@ -75,19 +75,32 @@ function writeBlock(projectRoot, newBudgets) {
  */
 function stripBudgets(raw) {
   const lines = raw.split('\n');
-  const out = [];
-  let inBudgets = false;
-  for (const line of lines) {
-    if (/^budgets\s*:/.test(line)) { inBudgets = true; continue; }
-    if (inBudgets) {
-      // End of block when we hit a non-indented non-empty line
-      if (/^\S/.test(line)) { inBudgets = false; out.push(line); continue; }
-      // Skip block lines
-      continue;
+  const range = findTopLevelBlock(lines, 'budgets');
+  if (!range) return raw;
+  const out = lines.slice(0, range.start).concat(lines.slice(range.end));
+  return out.join('\n').replace(/\n{3,}/g, '\n\n');
+}
+
+function findTopLevelBlock(lines, key) {
+  const header = new RegExp(`^${key}\\s*:(?:\\s*(?:#.*)?)?$`);
+  let start = -1;
+  for (let i = 0; i < lines.length; i++) {
+    if (header.test(lines[i])) {
+      start = i;
+      break;
     }
-    out.push(line);
   }
-  return out.join('\n').replace(/\n{3,}/g, '\n\n');
+  if (start === -1) return null;
+
+  let end = lines.length;
+  for (let i = start + 1; i < lines.length; i++) {
+    if (!lines[i].trim()) continue;
+    if (/^\S/.test(lines[i])) {
+      end = i;
+      break;
+    }
+  }
+  return { start, end };
 }
 
 /**
@@ -211,5 +224,6 @@ module.exports = {
   writeBlock,
   stripBudgets,
   renderBudgets,
+  findTopLevelBlock,
   DEFAULTS
 };

package/lib/events.js

@@ -161,10 +161,17 @@ function verifyChain(file) {
 function readRun(projectRoot, runId) {
   const file = eventsPath(projectRoot, runId);
   if (!fs.existsSync(file)) return [];
-  return fs.readFileSync(file, 'utf8')
-    .split('\n')
-    .filter(Boolean)
-    .map(line => JSON.parse(line));
+  const out = [];
+  for (const line of fs.readFileSync(file, 'utf8').split('\n')) {
+    if (!line) continue;
+    try {
+      out.push(JSON.parse(line));
+    } catch (e) {
+      // Skip a torn or partial line (e.g. the process was killed mid-append).
+      // Hash-chain integrity is verified separately by verifyChain.
+    }
+  }
+  return out;
 }
 
 /**

package/lib/extension-authoring.js

@@ -26,6 +26,24 @@ function packageFolderName(name) {
   return name.replace(/^@/, '').replace(/\//g, '-');
 }
 
+function assertSafePackageName(value) {
+  if (!/^@?[a-z0-9][a-z0-9-]*(\/[a-z0-9][a-z0-9-]*)?$/.test(value)) {
+    throw new Error(
+      `Invalid extension name "${value}": expected a package name like ` +
+      `"@scope/pack" or "pack" using lowercase letters, digits, and dashes.`
+    );
+  }
+}
+
+function assertSafeSegment(value, label) {
+  if (!/^[a-z0-9][a-z0-9-]*$/.test(value)) {
+    throw new Error(
+      `Invalid ${label} "${value}": use lowercase letters, digits, and dashes ` +
+      `only. Slashes, dots, and ".." are rejected to prevent path traversal.`
+    );
+  }
+}
+
 function scaffold(outputRoot, opts = {}) {
   const name = opts.name || '@godpowers/custom-pack';
   const version = opts.version || '0.1.0';
@@ -34,6 +52,15 @@ function scaffold(outputRoot, opts = {}) {
   const workflow = opts.workflow || null;
   const range = opts.godpowersRange || '>=1.6.0';
   const folder = opts.folder || packageFolderName(name);
+
+  // Validate all user-supplied names before they reach a filesystem path, so a
+  // value like "../../escape" can never write outside the output folder.
+  assertSafePackageName(name);
+  assertSafeSegment(skill, 'skill');
+  if (agent) assertSafeSegment(agent, 'agent');
+  if (workflow) assertSafeSegment(workflow, 'workflow');
+  assertSafeSegment(folder, 'folder');
+
   const root = path.join(outputRoot, folder);
   const written = [];
 

package/lib/feature-awareness.js

@@ -83,6 +83,30 @@ const FEATURES = [
     commands: ['/god-status', '/god-next'],
     description: 'Report full, degraded, or unknown host guarantees in dashboard output.'
   },
+  {
+    id: 'quick-proof',
+    since: '2.0.0',
+    commands: ['godpowers quick-proof'],
+    description: 'Render a shipped proof fixture with computed next action and host guarantees.'
+  },
+  {
+    id: 'request-trace-review',
+    since: '2.0.1',
+    commands: ['/god-build', '/god-review', '/god-feature', '/god-refactor'],
+    description: 'Keep implementation diffs narrow by requiring request-trace evidence and reviewer checks for scope, simplicity, and surgicality.'
+  },
+  {
+    id: 'release-hardening',
+    since: '2.0.2',
+    commands: ['npm test', 'npm run lint', 'npm run release:check'],
+    description: 'Maintain release validation through a delegated test runner, static checks, parser coverage, and hardened package and runtime checks.'
+  },
+  {
+    id: 'maintenance-hardening',
+    since: '2.0.3',
+    commands: ['npm test', 'npm run lint', 'npm run release:check'],
+    description: 'Track installer decomposition, shared test harness adoption, executable agent refs, skill metadata sync, God Mode runbook delegation, and async runtime APIs.'
+  },
   {
     id: 'extension-authoring',
     since: '1.6.22',

package/lib/fs-async.js

@@ -0,0 +1,28 @@
+const fs = require('fs/promises');
+const path = require('path');
+
+async function exists(filePath) {
+  try {
+    await fs.access(filePath);
+    return true;
+  } catch (_) {
+    return false;
+  }
+}
+
+async function readJson(filePath) {
+  return JSON.parse(await fs.readFile(filePath, 'utf8'));
+}
+
+async function writeJson(filePath, value) {
+  await fs.mkdir(path.dirname(filePath), { recursive: true });
+  await fs.writeFile(filePath, JSON.stringify(value, null, 2) + '\n');
+  return value;
+}
+
+module.exports = {
+  exists,
+  readJson,
+  writeJson,
+  fs
+};