godpowers 1.6.4 → 1.6.5

package/CHANGELOG.md

@@ -5,6 +5,33 @@ All notable changes to Godpowers will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.6.5] - 2026-05-16
+
+God Mode handoff privacy patch. Keeps the 1.6 command surface stable while
+making Codex-spawned `god-orchestrator` runs display a small safe pointer
+instead of detailed orchestration payloads.
+
+### Added
+- Added a private `.godpowers/runs/<run-id>/ORCHESTRATOR-HANDOFF.md` handoff
+  pattern for `/god-mode` orchestration context.
+- Added `god-orchestrator` instructions to read handoff files before planning
+  or mutation and keep handoff contents out of the visible transcript.
+- Added regression coverage proving agent validation ignores non-specialist
+  Pillars files under `agents/`.
+
+### Changed
+- `/god-mode` now spawns `god-orchestrator` with only a display-safe project
+  root, flags, and handoff file path.
+- Agent validation and smoke tests now inspect `agents/god-*.md` specialist
+  files while allowing Pillars context files like `agents/context.md` and
+  `agents/repo.md` to coexist.
+
+### Guardrails
+- This patch does not add slash commands, agents, workflows, recipes, schemas,
+  or public artifact formats.
+- `--yolo` still respects safe-sync and Critical harden blockers. The handoff
+  change affects transcript hygiene, not gate policy.
+
 ## [1.6.4] - 2026-05-16
 
 Release gate propagation patch. Keeps the 1.6 command surface stable while

package/README.md

@@ -2,7 +2,7 @@
 
 [![CI](https://github.com/aihxp/godpowers/actions/workflows/ci.yml/badge.svg)](https://github.com/aihxp/godpowers/actions/workflows/ci.yml)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
-[![Version](https://img.shields.io/badge/version-1.6.4-blue)](CHANGELOG.md)
+[![Version](https://img.shields.io/badge/version-1.6.5-blue)](CHANGELOG.md)
 [![npm](https://img.shields.io/npm/v/godpowers.svg)](https://www.npmjs.com/package/godpowers)
 
 **Ship fast. Ship right. Ship everything. Ship accountably.**
@@ -12,10 +12,11 @@ idea to hardened production. It runs as **slash commands inside your AI coding
 tool** (Claude Code, Codex, Cursor, etc.) that orchestrate **specialist agents**
 in fresh contexts to do the work.
 
-Version 1.6.4 hardens Godpowers routing around release truth: safe-sync
-blockers and unresolved Critical harden findings now gate direct Tier 3
-commands, `/god-mode`, and `/god-mode --yolo`, while Codex installs keep
-per-agent TOML metadata for all 39 specialist agents.
+Version 1.6.5 keeps the stable Godpowers surface while making Codex
+`god-orchestrator` spawns transcript-safe: `/god-mode` now writes detailed
+orchestration context to a private handoff file and spawns with only a small
+display-safe pointer. Safe-sync and unresolved Critical harden findings still
+gate direct Tier 3 commands, `/god-mode`, and `/god-mode --yolo`.
 
 It fuses four disciplines into one unified workflow:
 

package/RELEASE.md

@@ -1,11 +1,11 @@
-# Godpowers 1.6.4 Release
+# Godpowers 1.6.5 Release
 
 Date: 2026-05-16
 
-Godpowers 1.6.4 hardens release-truth routing around the stable 1.6 surface.
-The goal of this patch is to make safe sync and unresolved Critical harden
-findings block direct Tier 3 commands, `/god-mode`, and `/god-mode --yolo`,
-without changing the public command surface.
+Godpowers 1.6.5 keeps the stable 1.6 surface while fixing Codex God Mode
+transcript hygiene. The goal of this patch is to make `god-orchestrator`
+spawn correctly from `/god-mode` and `/god-mode --yolo` without exposing the
+detailed orchestration payload in the visible transcript.
 
 ## What is stable
 
@@ -27,33 +27,35 @@ without changing the public command surface.
 
 ## What is new
 
-- `/god-next` detects `.godpowers/sync/SAFE-SYNC-PLAN.md` and routes to
-  `/god-reconcile Release Truth And Safe Sync` before `/god-deploy`.
-- Direct `/god-observe`, `/god-harden`, `/god-launch`, and `/god-mode`
-  invocations also require `safe-sync-clear`.
-- `/god-launch` now executes the `no-critical-findings` prerequisite instead
-  of treating it as an unknown pass-through check.
-- `god-orchestrator` now checks router prerequisites before command dispatch,
-  including under `--yolo`.
-- Router tests cover unresolved safe sync plans, checkpoint blockers, direct
-  Tier 3 gates, `/god-mode`, unresolved Critical findings, and resolved gates.
+- `/god-mode` now writes detailed orchestration context to
+  `.godpowers/runs/<run-id>/ORCHESTRATOR-HANDOFF.md`.
+- `/god-mode` now spawns `god-orchestrator` with only a display-safe project
+  root, flags, and handoff file path.
+- `god-orchestrator` now knows to read the handoff file before planning,
+  spawning, or mutating project state.
+- `god-orchestrator` now treats handoff contents as private orchestration
+  context and keeps them out of the visible transcript.
+- Agent validation and smoke tests now inspect `agents/god-*.md` specialist
+  files while allowing Pillars context files like `agents/context.md` and
+  `agents/repo.md` to coexist.
 
-## What 1.6.4 means
+## What 1.6.5 means
 
-Godpowers 1.6.4 does not expand the public command surface. It tightens the
-runtime decision path so project truth can override structural tier order for
-safe sync and harden Critical gates.
+Godpowers 1.6.5 does not expand the public command surface. It fixes the Codex
+spawn integration path so the right specialist agent is still started, but the
+host UI only sees a small pointer to disk state instead of raw checkpoint,
+routing, and local-file details.
 
-The domain glossary remains preparation context. PRD, ARCH, ROADMAP, STACK,
-docs, and Pillars files still carry durable decisions for their own domains.
+Safe sync and unresolved Critical harden findings remain release-truth gates.
+`--yolo` can still auto-pick defaults, but it cannot bypass those blockers.
 
 ## Stability policy
 
 During the 1.x stability window, do not add broad new command families, change
 schema formats, or rename public artifacts without evidence from real use.
 
-The `v1.6.4` git tag points to the release commit that matches the npm
-`godpowers@1.6.4` package. Public publishes should prefer the tag-triggered
+The `v1.6.5` git tag points to the release commit that matches the npm
+`godpowers@1.6.5` package. Public publishes should prefer the tag-triggered
 GitHub workflow so npm provenance, git history, and release notes stay aligned.
 
 Allowed changes:

package/agents/god-orchestrator.md

@@ -21,6 +21,24 @@ You orchestrate the full Godpowers arc. You DO NOT do the heavy lifting yourself
 Your job is to spawn the right specialist agent for each sub-step, verify their
 output passes the gate, update PROGRESS.md, and move to the next step.
 
+## God Mode Handoff
+
+When spawned by `/god-mode`, the visible spawn message may include only a
+display-safe summary plus a path like
+`.godpowers/runs/<run-id>/ORCHESTRATOR-HANDOFF.md`.
+
+If a handoff path is provided:
+1. Read the handoff file before any planning, spawning, or state mutation.
+2. Treat the handoff as private orchestration context and disk evidence.
+3. Do not quote, summarize, or expose the full handoff in the user-visible
+   transcript.
+4. If the handoff conflicts with durable artifacts, prefer disk artifacts and
+   record the conflict as an open question or repair target.
+
+If no handoff path is provided, recover from durable disk state. Do not ask the
+user to restate the project when `.godpowers` artifacts, Pillars files, or
+repository evidence identify the work.
+
 ## Quarterback responsibilities (Tier 0 ownership)
 
 You and only you are responsible for:

package/lib/agent-validator.js

@@ -230,14 +230,18 @@ function crossValidate(agents, opts = {}) {
 }
 
 /**
- * Walk agents/ and audit all.
+ * Walk agents/ and audit all shipped specialist agents.
+ *
+ * Godpowers projects may also have Pillars files under agents/ (for example
+ * agents/context.md and agents/repo.md). Those are project context, not
+ * specialist agent specs, so they are intentionally excluded here.
  */
 function auditAll(projectRoot, opts = {}) {
   const agentsDir = path.join(projectRoot, 'agents');
   if (!fs.existsSync(agentsDir)) {
     return { results: [], summary: { errors: 0, warnings: 0, infos: 0 } };
   }
-  const files = fs.readdirSync(agentsDir).filter(f => f.endsWith('.md'));
+  const files = fs.readdirSync(agentsDir).filter(f => /^god-.*\.md$/.test(f));
   const agents = files.map(f => parseAgentFile(path.join(agentsDir, f)));
 
   const allFindings = [];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "godpowers",
-  "version": "1.6.4",
+  "version": "1.6.5",
   "description": "AI-powered development system: 106 slash commands and 39 specialist agents that take a project from raw idea to hardened production. Runs inside Claude Code, Codex, Cursor, Windsurf, Gemini, and 10+ other AI coding tools.",
   "bin": {
     "godpowers": "./bin/install.js"

package/skills/god-doctor.md

@@ -48,7 +48,7 @@ GODPOWERS DOCTOR
 Install: claude (~/.claude/)
   [OK] 106 skills installed
   [OK] 39 agents installed
-  [OK] VERSION matches (1.6.4)
+  [OK] VERSION matches (1.6.5)
   [WARN] routing/god-doctor.yaml exists but skill file did not until now
 
 Project: /Users/.../my-project/.godpowers/

package/skills/god-mode.md

@@ -69,75 +69,94 @@ You are receiving a /god-mode invocation. Your job is to spawn the
    - `--bluefield` (force bluefield path)
    - `--greenfield` (force greenfield, skip archaeology even if code exists)
 
-5. Spawn the **god-orchestrator** agent via Task tool with:
-   - The user's project description, or durable intent recovered from disk
-   - The detected mode (A/B/C/E)
-   - The active flags
-   - Instruction that existing `.godpowers` state means resume, not prompt
-   - Instruction to read `.godpowers/PROGRESS.md` from disk if it exists
-   - Instruction to read `.godpowers/prep/INITIAL-FINDINGS.md` and
-     `.godpowers/prep/IMPORTED-CONTEXT.md` if present before choosing the
-     first planning or build step
-   - Instruction to read `.godpowers/preflight/PREFLIGHT.md` if present before
-     choosing the first brownfield or bluefield action
-   - Instruction to compute and load the Pillars load set before every major
-     command, because Pillars is the native project context layer
-   - Instruction to run `/god-design` after `/god-prd` and before `/god-arch`
-     when initial findings, imported planning context, the PRD, or the
-     codebase show UI or product-experience signals
-   - Instruction that a red test, typecheck, lint, build, or check command is
-     not a completed arc. It must enter the autonomous repair loop and continue
-     the same `/god-mode` run until green, except for Critical security or a
-     genuine human-only decision.
-   - Instruction that deploy, observe, harden, and launch must follow the
-     Shipping Closure Protocol: verify a real environment when available,
-     otherwise create local/CI-verifiable deploy automation and pause only for
-     one exact external access bundle.
-   - Instruction that keys, API tokens, dashboards, admin consoles, and
-     provider-specific access are last-mile inputs. The first external pause
-     should ask only for the smallest next item needed by a concrete command,
-     usually `STAGING_APP_URL=<staging-origin>`. Ask for additional provider
-     access only after a named check proves it is needed.
-   - Instruction that staging, preview, and production URLs must come from
-     direct evidence. Never infer or invent a domain from project name, package
-     name, repo name, README title, or brand name. If no deployed origin is
-     evidenced, pause for `STAGING_APP_URL=<deployed staging origin>`.
-   - Instruction that brownfield and bluefield greenfield simulation audits
-     must be acted on by god-greenfieldifier. The greenfieldifier writes
-     `.godpowers/audit/GREENFIELDIFY-PLAN.md`, pauses before risky canonical
-     artifact rewrites, and updates every affected artifact after approval.
-   - Instruction that brownfield and bluefield arcs run `/god-preflight`
-     automatically when `.godpowers/preflight/PREFLIGHT.md` is absent.
-     Greenfield arcs skip preflight unless the user explicitly requests it.
-   - Instruction to run routing prerequisites through `lib/router.js`
-     `checkPrerequisites` before every direct command dispatch. If
-     `safe-sync-clear` fails, run
-     `/god-reconcile Release Truth And Safe Sync` before deploy, observe,
-     harden, launch, broad migration, or resume work.
-   - Instruction that `--yolo` cannot bypass safe sync blockers or unresolved
-     Critical harden findings. These are release-truth gates, not preference
-     pauses.
-
-6. Keep the spawn payload private. Do not echo or summarize raw Task input,
+5. Create a private disk handoff before spawning the orchestrator:
+   - Path: `.godpowers/runs/<run-id>/ORCHESTRATOR-HANDOFF.md`
+   - Create parent directories if needed.
+   - Put all detailed orchestration context in this file, including:
+     - The user's project description, or durable intent recovered from disk
+     - The detected mode (A/B/C/E)
+     - The active flags
+     - Instruction that existing `.godpowers` state means resume, not prompt
+     - Instruction to read `.godpowers/PROGRESS.md` from disk if it exists
+     - Instruction to read `.godpowers/prep/INITIAL-FINDINGS.md` and
+       `.godpowers/prep/IMPORTED-CONTEXT.md` if present before choosing the
+       first planning or build step
+     - Instruction to read `.godpowers/preflight/PREFLIGHT.md` if present
+       before choosing the first brownfield or bluefield action
+     - Instruction to compute and load the Pillars load set before every major
+       command, because Pillars is the native project context layer
+     - Instruction to run `/god-design` after `/god-prd` and before
+       `/god-arch` when initial findings, imported planning context, the PRD,
+       or the codebase show UI or product-experience signals
+     - Instruction that a red test, typecheck, lint, build, or check command
+       is not a completed arc. It must enter the autonomous repair loop and
+       continue the same `/god-mode` run until green, except for Critical
+       security or a genuine human-only decision.
+     - Instruction that deploy, observe, harden, and launch must follow the
+       Shipping Closure Protocol: verify a real environment when available,
+       otherwise create local/CI-verifiable deploy automation and pause only
+       for one exact external access bundle.
+     - Instruction that keys, API tokens, dashboards, admin consoles, and
+       provider-specific access are last-mile inputs. The first external pause
+       should ask only for the smallest next item needed by a concrete command,
+       usually `STAGING_APP_URL=<staging-origin>`. Ask for additional provider
+       access only after a named check proves it is needed.
+     - Instruction that staging, preview, and production URLs must come from
+       direct evidence. Never infer or invent a domain from project name,
+       package name, repo name, README title, or brand name. If no deployed
+       origin is evidenced, pause for
+       `STAGING_APP_URL=<deployed staging origin>`.
+     - Instruction that brownfield and bluefield greenfield simulation audits
+       must be acted on by god-greenfieldifier. The greenfieldifier writes
+       `.godpowers/audit/GREENFIELDIFY-PLAN.md`, pauses before risky canonical
+       artifact rewrites, and updates every affected artifact after approval.
+     - Instruction that brownfield and bluefield arcs run `/god-preflight`
+       automatically when `.godpowers/preflight/PREFLIGHT.md` is absent.
+       Greenfield arcs skip preflight unless the user explicitly requests it.
+     - Instruction to run routing prerequisites through `lib/router.js`
+       `checkPrerequisites` before every direct command dispatch. If
+       `safe-sync-clear` fails, run
+       `/god-reconcile Release Truth And Safe Sync` before deploy, observe,
+       harden, launch, broad migration, or resume work.
+     - Instruction that `--yolo` cannot bypass safe sync blockers or
+       unresolved Critical harden findings. These are release-truth gates, not
+       preference pauses.
+
+6. Spawn the **god-orchestrator** agent via Task tool with only a
+   display-safe payload:
+   - Name the project root.
+   - Name the invocation flags.
+   - Name the handoff file path.
+   - Say: "Read the handoff file first, then run the autonomous arc from disk
+     state. Return only user-facing progress and final status."
+
+   Do not put recovered checkpoint facts, safe-sync plans, local file lists,
+   hidden routing rules, or detailed instructions in the spawn message.
+   Assume the host UI may display the raw spawn message to the user.
+
+7. Keep the spawn payload display-safe. Do not echo or summarize raw Task input,
    "Hard instructions", hidden orchestration rules, agent prompts, file
    loadout lists, or internal routing payloads into the user-visible transcript.
    The visible transcript may say only what phase is running, what durable state
    was detected, what commands are running, what changed, and the final
    `Arc complete` or `PAUSE: external access required` block.
 
-7. Orchestrator runs the appropriate workflow:
+8. Orchestrator runs the appropriate workflow:
    - Greenfield -> full-arc
    - Brownfield -> brownfield-arc (preflight -> archaeology -> reconstruct -> debt-assess -> greenfield simulation audit -> greenfieldify plan and approved artifact updates -> proceed)
    - Bluefield -> bluefield-arc (org-context -> preflight -> greenfield simulation audit -> greenfieldify plan and approved artifact updates -> arc with constraints)
 
-8. Relay only the orchestrator's user-facing output to the user. If the
-   platform displays raw spawn details automatically, immediately follow with a
-   clean public summary and never repeat the leaked payload.
+9. Relay only the orchestrator's user-facing output to the user. If the
+   platform displays raw spawn details automatically, the displayed payload
+   should already be safe. Immediately follow with a clean public summary and
+   never repeat detailed handoff contents.
 
-9. When the orchestrator pauses, present the question to the user using the
+10. When the orchestrator pauses, present the question to the user using the
    pause format (What / Why / Options / Default).
 
-10. When the user answers, re-spawn god-orchestrator with the answer.
+11. When the user answers, append the answer to the existing handoff file or
+    create a new handoff file, then re-spawn god-orchestrator with only the
+    display-safe pointer.
 
 ## User-Visible Transcript Contract
 
@@ -153,6 +172,7 @@ Hide:
 - raw Task input
 - "Hard instructions" sections
 - spawned-agent prompt text
+- detailed handoff file contents
 - system, developer, or AGENTS.md rule recitations
 - complete file loadout lists
 - internal routing metadata unless it directly affects a user decision

package/skills/god-version.md

@@ -14,7 +14,7 @@ Print version and a short capability summary.
 ## Output
 
 ```
-Godpowers v1.6.4
+Godpowers v1.6.5
 Install: /Users/.../.claude/  (matches package.json)
 Surface: 106 skills, 39 agents, 13 workflows, 36 recipes
 Schema: intent.v1, state.v1, events.v1, workflow.v1, routing.v1, recipe.v1