godpowers 2.0.0 → 2.1.1

package/AGENTS.md

@@ -18,7 +18,7 @@ projects from raw idea to hardened production.
 - `routing/` contains command routing metadata and intent recipes
 - `workflows/` contains executable workflow YAML
 - `references/` contains per-tier reference material (antipatterns, examples)
-- `bin/` contains the CLI installer and `god` command
+- `bin/` contains the CLI installer (`npx godpowers`)
 - `lib/` contains executable runtime helpers, sync checks, dogfood, dashboard, and release logic
 - `scripts/` contains validation and testing scripts
 - `templates/` contains artifact templates

package/CHANGELOG.md

@@ -7,6 +7,147 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.1.1] - 2026-05-30
+
+### Changed
+- The context off-switch now empties the canonical `AGENTS.md` instead of
+  deleting it; auto-generated pointer files (`CLAUDE.md`, `.cursorrules`, etc.)
+  are still removed when only the Godpowers fence remains
+  (`lib/context-writer.js`).
+
+### Fixed
+- Documentation: dropped unverifiable external impeccable rule/finding counts;
+  reconciled the project-mode taxonomy (A/B/C/E primary modes, with D as the
+  orthogonal multi-repo suite overlay) in `concepts.md` and `ROADMAP.md`;
+  documented all `lib/` modules in `lib/README.md`; and clarified how the
+  artifact-category counts relate in `greenfield-coverage.md`.
+
+## [2.1.0] - 2026-05-30
+
+### Security
+- Fixed a command-injection vector in `lib/agent-browser-driver.js`: CLI
+  arguments are now passed as an argv array with the shell disabled
+  (`execFileSync`), so URLs, selectors, and eval expressions sourced from
+  project content (`PRD.md`/`DESIGN.md`) or CLI flags can no longer be
+  interpreted as shell syntax.
+- Added prototype-pollution guards to the `intent.yaml`/manifest parser
+  (`lib/intent.js`) and the router state-path reader (`lib/router.js`).
+- Hardened the non-interactive installer: `npx godpowers` with no target in a
+  non-TTY shell now refuses and prints guidance instead of performing a silent
+  global install.
+- Added path-traversal validation to `extension-scaffold` names
+  (`lib/extension-authoring.js`).
+- `installer-files.copyRecursive` now only reproduces symlinks that stay within
+  the source tree.
+
+### Fixed
+- Guarded JSON parsing of `state.json` (`lib/state.js`) and `events.jsonl`
+  (`lib/events.js`) against corrupt or partially-written files: a clear,
+  actionable error or a skipped torn line instead of an uncaught crash on the
+  `status`/`next`/checkpoint paths.
+- Corrected the review registry path to `.godpowers/REVIEW-REQUIRED.md`
+  (`lib/review-required.js`) so the dashboard and automation count review items,
+  and so the off-switch no longer deletes a repo-root file.
+- `agent-cache.clear` no longer deletes unparseable entries during a narrow
+  (by-agent, expiry, or age) clear (`lib/agent-cache.js`).
+- Reconciled documentation drift: JS-module and script counts, the
+  `HAVE-NOTS.md` reference tally (now 156), linkage path naming
+  (`.godpowers/links/`), phantom command/agent references in skill and agent
+  prose, and stale sample output across docs and skills.
+
+### Changed
+- Data-directory and runtime-bundle installs are now a clean replace
+  (`lib/installer-core.js`), so a version upgrade never leaves behind files that
+  no longer ship.
+- Documented the state lock's advisory, single-process semantics
+  (`lib/state-lock.js`).
+- Softened brittle exact-count test assertions (full-arc step/wave counts,
+  core workflow count) to floors so valid workflow edits no longer break the
+  gate for non-bug reasons.
+
+### Added
+- A skill/agent prose reference validator
+  (`lib/agent-refs.findUnresolvedProseRefs`) wired into the agent-ref test gate,
+  catching phantom `/god-*` and agent references in markdown bodies that the
+  workflow `uses:` check cannot see.
+- Wired have-not `A-13` (ADR inflation) into the architecture gate
+  (`routing/god-arch.yaml`).
+
+## [2.0.3] - 2026-05-26
+
+### Added
+- Added async state, intent, and workflow plan APIs as the first supported path
+  away from synchronous-only runtime file I/O.
+- Added executable workflow agent reference validation so `uses:
+  god-agent@range` entries are checked against the current agent contract.
+- Added `lib/skill-surface.js` and source-sync tests so individual skill files
+  are the source of truth for slash-command metadata.
+
+### Changed
+- Migrated test files to the shared test harness and made static checks reject
+  new copied harness boilerplate.
+- Split installer runtime definitions, argument parsing, and install core logic
+  out of `bin/install.js`.
+- Moved long-form `/god-mode` operator templates into
+  `references/orchestration/GOD-MODE-RUNBOOK.md`.
+- Added JSDoc typedef contracts to load-bearing runtime modules.
+
+## [2.0.2] - 2026-05-26
+
+### Added
+- Added `scripts/run-tests.js` as the maintained full-suite runner behind
+  `npm test`.
+- Added `scripts/static-check.js` and `npm run lint` for dependency-free
+  JavaScript syntax and release-gate structure checks.
+- Added dedicated YAML parser coverage for the supported dependency-free YAML
+  subset.
+
+### Changed
+- Hardened `lib/intent.parseSimpleYaml` for quoted colons, quoted hashes,
+  quoted commas in inline arrays, scalar arrays, object arrays, and folded
+  block scalars.
+- Moved installer copy helpers into `lib/installer-files.js` and preserved
+  symlinks during recursive copies.
+- Updated release and repo surface sync detectors to recognize delegated test
+  runners instead of requiring every test filename inside `package.json`.
+- Tightened budget block removal so only the top-level `budgets` block is
+  removed.
+
+### Fixed
+- Rejected router `file:` checks that point outside the project root.
+- Corrected the `/god-build` repository prerequisite auto-complete route from
+  `/god-roadmap` to `/god-repo`.
+- Aligned `SKILL.md` frontmatter version with package version `2.0.2`.
+
+## [2.0.1] - 2026-05-22
+
+Request-trace review guardrails.
+
+### Added
+- Added request-trace discipline to `god-executor`: assumptions, public
+  behavior, expected files, and verification command must be explicit before
+  implementation.
+- Added scope and request-trace review checks to `god-spec-reviewer` so
+  unplanned touched files, speculative flexibility, and unrelated churn block
+  review before quality review begins.
+- Added a simplicity and surgicality dimension to `god-quality-reviewer` so
+  overcomplicated but technically correct code does not pass review.
+- Added `request-trace-review` to runtime feature awareness for upgraded
+  projects.
+
+### Changed
+- `/god-build` and `/god-review` docs now describe the narrow-diff guardrails
+  as part of existing workflows instead of introducing a new command.
+- README, reference docs, roadmap, architecture, quality pillar, release notes,
+  package metadata, and lockfile now align to `2.0.1`.
+
+### Guardrails
+- The public command surface stays frozen; the change strengthens existing
+  executor and reviewer contracts.
+- Reviewers now reject speculative abstraction, unrelated cleanup, and diff
+  churn that cannot be traced to the user request, slice plan, failing test, or
+  implementation-caused cleanup.
+
 ## [2.0.0] - 2026-05-16
 
 Executable proof release.

package/README.md

@@ -2,7 +2,7 @@
 
 [![CI](https://github.com/aihxp/godpowers/actions/workflows/ci.yml/badge.svg)](https://github.com/aihxp/godpowers/actions/workflows/ci.yml)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
-[![Version](https://img.shields.io/badge/version-2.0.0-blue)](CHANGELOG.md)
+[![Version](https://img.shields.io/badge/version-2.1.1-blue)](CHANGELOG.md)
 [![npm](https://img.shields.io/npm/v/godpowers.svg)](https://www.npmjs.com/package/godpowers)
 
 **Ship fast. Ship right. Ship everything. Ship accountably.**
@@ -21,11 +21,24 @@ Godpowers makes AI coding accountable: every serious run should leave disk
 state, artifacts, validation gates, host guarantees, and a next action. Code is
 only one output. The project memory and proof trail matter too.
 
-Version 2.0.0 makes the proof loop executable. `npx godpowers quick-proof
+Version 2.1.1 keeps the proof loop executable. `npx godpowers quick-proof
 --project=.` now renders a shipped fixture with real `.godpowers/state.json`,
 computed next action, missing-artifact visibility, and host guarantees. The
-release also ships a proof transcript, adoption canary harness, published npm
-install verifier, and package checks that require the proof fixture to ship.
+2.0 line also ships a proof transcript, adoption canary harness, published npm
+install verifier, package checks that require the proof fixture to ship, and
+request-trace review guardrails for narrower implementation diffs. The 2.0.2
+release also hardens the dependency-free YAML subset, route file checks,
+installer file copying, and maintainer release gates.
+
+Maintainer hardening continues on the 2.x line without expanding the public
+command surface. The 2.1.0 patch closes a command-injection vector in the
+agent-browser driver, guards runtime file parsing against corrupt state,
+makes data-directory installs a clean replace, and reconciles documentation
+drift. The 2.0.3 patch range-checks workflow agent references,
+derives command metadata from the individual files in `skills/`, delegates
+installer runtime logic to `lib/`, moves the detailed God Mode runbook into
+`references/`, and exposes async file APIs for incremental migration away from
+synchronous-only internals.
 
 Strict release readiness remains fail-closed. Godpowers requires delegated
 release checks to cover root docs, docs, agents, skills, routing, workflows,
@@ -50,7 +63,8 @@ It fuses four disciplines into one unified workflow:
 - **Execution engine** - fresh-context agents in parallel waves with atomic
   commits. No context rot. No sequential bottlenecks.
 - **Quality immune system** - TDD enforcement, two-stage code review (spec
-  compliance + code quality), verification before completion.
+  compliance + code quality), request-trace discipline, surgical diffs, and
+  verification before completion.
 - **Team intelligence** - scale-adaptive complexity, specialized agent personas
   (PM, Architect, Executor, Reviewer, Harden Auditor, etc.).
 
@@ -182,6 +196,26 @@ npx godpowers dogfood
 npx godpowers extension-scaffold --name=@godpowers/my-pack --output=.
 ```
 
+### Maintainer Validation
+
+Godpowers keeps the public release gate behind one command:
+
+```bash
+npm run release:check
+```
+
+That command runs the maintained full-suite runner, audit checks, and package
+contents verification. `npm test` delegates to `scripts/run-tests.js`, so the
+test order is maintained as a readable list instead of a long package script.
+`npm run lint` runs dependency-free static checks through
+`scripts/static-check.js`, including shared test harness adoption, installer
+decomposition, async runtime APIs, agent reference validation coverage, and God
+Mode runbook delegation.
+
+The runtime remains dependency-free. YAML parsing is intentionally limited to
+the documented Godpowers subset used by intent, routing, workflow, and
+extension files, with parser coverage in `scripts/test-yaml-parser.js`.
+
 ### Slash Commands
 
 | Command | What it does | Spawns agent |
@@ -249,6 +283,11 @@ going through build, verification, repair, launch, and final sync. Red tests,
 typecheck, lint, build, or check output enter the repair loop instead of being
 reported as the final result.
 
+Build execution also keeps diffs narrow. Executors state assumptions, expected
+files, changed public behavior, and verification before editing. Reviewers
+block speculative flexibility, unrelated cleanup, and any touched file that
+does not trace back to the request or slice plan.
+
 If `.godpowers` state already exists, `/god-mode --yolo` resumes from disk
 instead of asking for the project description again.
 
@@ -388,6 +427,7 @@ Every artifact passes these mechanical checks before it is treated as complete:
 | Artifact-on-disk | Phantom resume (agent claims done, file does not exist) |
 | Critical-finding gate | Shipping with known security holes |
 | TDD enforcement | Code without tests |
+| Request-trace review | Scope creep, unrelated cleanup, speculative abstraction |
 | Two-stage review | Code that passes tests but violates spec or quality |
 
 These checks are guardrails, not proof that the product is right. A PRD can

package/RELEASE.md

@@ -1,12 +1,11 @@
-# Godpowers 2.0.0 Release
+# Godpowers 2.1.1 Release
 
-Date: 2026-05-16
+Date: 2026-05-30
 
-Godpowers 2.0.0 is the executable proof release. It turns the first-user trust
-loop from documentation into a packaged command: `npx godpowers quick-proof
---project=.`. The command renders a shipped fixture with real
-`.godpowers/state.json`, computed next action, missing-artifact visibility, and
-host guarantees from the caller's environment.
+Godpowers 2.1.1 is a documentation and off-switch safety patch on top of the
+2.1.0 security release. The public slash-command surface, runtime behavior, and
+artifact layout are unchanged except for one safety improvement to the context
+off-switch.
 
 ## What is stable
 
@@ -16,62 +15,45 @@ host guarantees from the caller's environment.
 - 40 intent recipes
 - 15-runtime installer
 - Codex installs with generated `god-*.toml` agent metadata files
-- Markdown specialist agent contracts at `<runtime>/agents/god-*.md`
 - Shared runtime bundle at `<runtime>/godpowers-runtime`
 - Native Pillars project context through `AGENTS.md` and `agents/*.md`
 - `.godpowers/` workflow state and artifact layout
-- Dashboard action briefs for next-step compression
-- Dashboard host guarantees for full, degraded, and unknown runtime capability
-- `godpowers status --project .` and `godpowers next --project .`
-- `godpowers quick-proof --project .`
-- Planning-system migration for GSD, BMAD, and Superpowers
-- Repository documentation sync checks
-- Repository surface sync checks
-- Route quality, recipe coverage, and release surface sync checks
-- Messy-repo dogfood scenarios
-- Extension authoring scaffold helper
-- Mode D suite release dry-run planner
+- `godpowers status --project .`, `godpowers next --project .`, and
+  `godpowers quick-proof --project .`
 - Release gate enforcement through `npm run release:check`
+- The 2.1.0 security hardening (argv-only browser exec, corrupt-file parse
+  guards, clean-replace installs, prototype-pollution guards)
 
 ## What is new
 
-- Added `lib/quick-proof.js` and the packaged `fixtures/quick-proof/` project.
-- Added the `quick-proof` CLI command as the first executable proof path.
-- Added `docs/quick-proof.md` to make the first 10 minutes concrete.
-- Added `docs/proof-transcript.md` with captured command output.
-- Added `docs/adoption-canary.md` with pass/fail criteria and feedback routing.
-- Added `scripts/run-adoption-canary.js` to clone an external repo and capture
-  quick proof, dashboard status, and next-route output.
-- Added `scripts/verify-published-install.js` to verify the npm registry
-  artifact after publish.
-- Updated README, getting started, reference, release checklist, and Pillars
-  context so executable proof is part of the product surface.
+- The context off-switch now empties the canonical `AGENTS.md` instead of
+  deleting it; auto-generated pointer files (`CLAUDE.md`, `.cursorrules`, etc.)
+  are still removed when only the Godpowers fence remains.
+- Documentation reconciliation: removed unverifiable external impeccable
+  rule/finding counts; aligned the project-mode taxonomy with the runtime
+  (A/B/C/E primary modes, with D as the orthogonal multi-repo suite overlay);
+  documented every `lib/` module; and clarified how the artifact-category counts
+  relate.
 
 ## Guardrails
 
-- Quick proof is read-only and deterministic.
-- Quick proof reports the user's current host guarantees separately from the
-  shipped fixture state.
-- Package contents checks require the quick-proof module and fixture state.
-- Published install verification checks quick proof, status, next, Claude
-  install, and Codex metadata install against the registry artifact.
-- The adoption canary harness captures CLI-verifiable signals only. Host slash
-  commands such as `/god-preflight`, `/god-audit`, and `/god-reconstruct` still
-  require an AI coding host.
+- The public slash-command surface remains frozen.
+- The runtime remains dependency-free.
+- `bin/install.js` stays a thin CLI entry point and delegates install behavior
+  to `lib/installer-core.js`.
 
 ## Validation
 
 Release validation includes:
 
-- `npm run test:quick-proof`
-- `node scripts/run-adoption-canary.js <repo> --output=<report>`
+- `npm test`
+- `npm run test:audit`
+- `npm run pack:check`
 - `npm run release:check`
 - `npm pack --json`
-- local uninstall of previous runtime installs
-- local reinstall from the generated tarball
-- npm publish with provenance when available
-- `node scripts/verify-published-install.js godpowers@latest`
-- GitHub release creation for `v2.0.0`
+- local install smoke tests across supported runtime shapes
+- npm publish when registry credentials are available
+- GitHub release creation for `v2.1.1`
 
-The `v2.0.0` tag should point to the release commit that matches the npm
-`godpowers@2.0.0` package.
+The `v2.1.1` tag should point to the release commit that matches the npm
+`godpowers@2.1.1` package.

package/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: godpowers
-version: 0.1.0
+version: 2.1.1
 description: |
   AI-powered development system that takes a project from raw idea to hardened
   production. Fuses artifact discipline, execution engine, quality enforcement,
@@ -21,6 +21,14 @@ hardened production. You enforce mechanical quality at every step. You never
 produce AI-slop. You never skip a gate. You never claim done without an artifact
 on disk.
 
+## Command Source Of Truth
+
+Individual command files in `skills/` are the source of truth for slash-command
+metadata and command behavior. `SKILL.md` carries the global operating contract
+only. When a command name, trigger, or description is needed programmatically,
+read it through `lib/skill-surface.js` instead of duplicating a hand-maintained
+command table here.
+
 ## Core Principles
 
 ### 1. The Three-Label Rule

package/agents/god-design-reviewer.md

@@ -4,10 +4,10 @@ description: |
   Two-stage review gate for DESIGN.md and PRODUCT.md changes. Mirrors
   the existing god-spec-reviewer + god-quality-reviewer pattern from
   code review, combined into one agent because design intent and design
-  quality are tightly coupled. Spawned by god-design-updater BEFORE
+  quality are tightly coupled. Spawned by /god-design BEFORE
   impact analysis runs.
 
-  Spawned by: god-design-updater, god-orchestrator (mid-arc DESIGN/PRODUCT changes)
+  Spawned by: /god-design, god-orchestrator (mid-arc DESIGN/PRODUCT changes)
 tools: Read, Bash, Grep, Glob
 ---
 
@@ -112,10 +112,10 @@ Emit event:
 
 ## Handoff
 
-- **PASS**: return verdict to god-design-updater; impact analysis can run
+- **PASS**: return verdict to god-designer; impact analysis can run
 - **WARN**: return verdict + warnings; impact analysis runs; warnings
   flow to REVIEW-REQUIRED.md alongside affected files
-- **BLOCK**: return verdict + REJECTED.md path; god-design-updater aborts
+- **BLOCK**: return verdict + REJECTED.md path; god-designer aborts
   propagation; god-orchestrator pauses (default + --yolo) per the
   critical-finding gate
 
@@ -131,7 +131,7 @@ You fail (and the BLOCK becomes a critical-finding gate trigger) if:
 
 ## What you do NOT do
 
-- Apply the change yourself (god-design-updater applies after PASS/WARN)
-- Compute downstream impact (god-impact-analyzer runs after PASS/WARN)
+- Apply the change yourself (god-designer applies after PASS/WARN)
+- Compute downstream impact (/god-design-impact runs after PASS/WARN)
 - Touch PRODUCT.md (god-designer owns it)
 - Run reverse-sync (god-updater)

package/agents/god-designer.md

@@ -176,5 +176,5 @@ implementing files.
 
 - Reimplement impeccable's typography / color / motion design intelligence
 - Run reverse-sync (that's god-updater)
-- Compute change impact (that's god-impact-analyzer)
+- Compute change impact (that's /god-design-impact)
 - Review your own changes (that's god-design-reviewer)

package/agents/god-executor.md

@@ -51,6 +51,24 @@ For every behavior in this slice:
 - **"I'll add tests after"**: VIOLATION. Stop. Write the test now.
 - **Skipping refactor**: allowed only if the GREEN code is already clean.
 - **Multiple slices in one commit**: VIOLATION. One slice = one commit.
+- **Speculative flexibility**: VIOLATION. Do not add configuration,
+  extension points, generalized helpers, or future-proof branches unless the
+  slice plan requires them.
+- **Unrelated cleanup**: VIOLATION. Do not reformat, rename, refactor, or
+  delete adjacent code that is not required for this slice. Mention it as a
+  follow-up instead.
+
+## Request Trace Discipline
+
+Before editing, convert the slice into a short execution contract:
+- Assumptions you are making
+- The public behavior that will change
+- The smallest files you expect to touch
+- The verification command that proves success
+
+Every changed line must trace back to that contract, the failing test, or a
+cleanup created by your own change. If you cannot explain the trace, revert
+that line before returning control to the orchestrator.
 
 ## After All Behaviors Complete
 
@@ -63,6 +81,7 @@ For every behavior in this slice:
    - Test results
    - Typecheck/check results
    - Files changed
+   - Any unrelated improvement you noticed but intentionally left untouched
    - Ready for two-stage review
 
 DO NOT commit yet. The orchestrator will spawn god-spec-reviewer and
@@ -79,6 +98,10 @@ happen.
 - Test suite failing (any test, not just yours)
 - Typecheck/check command failing
 - Stub/placeholder code in the implementation
+- Speculative abstraction, unused configurability, or generalized plumbing not
+  demanded by the slice
+- Drive-by formatting, renaming, refactoring, or dead-code deletion unrelated
+  to the slice
 
 ## Repair Mode
 

package/agents/god-quality-reviewer.md

@@ -47,6 +47,16 @@ Your job: would you ship this code in production?
 - No premature abstraction either
 - Comments explain WHY, not WHAT (the code shows what)
 
+### 6. Simplicity and Surgicality
+- The solution is the minimum code that satisfies the verified behavior
+- No single-use abstraction replaces clearer direct code
+- No options, settings, adapters, or extension points exist for hypothetical
+  future needs
+- No adjacent cleanup, formatting churn, renames, or dead-code deletion appears
+  unless it was required by the request
+- Any follow-up cleanup is reported separately instead of being smuggled into
+  the diff
+
 ## Output
 
 Return verdict to orchestrator:
@@ -60,6 +70,7 @@ Return verdict to orchestrator:
 - [PASS/FAIL] Error handling: [evidence]
 - [PASS/FAIL] Performance: [evidence]
 - [PASS/FAIL] Maintainability: [evidence]
+- [PASS/FAIL] Simplicity and surgicality: [evidence]
 
 ### Verdict: PASS / FAIL
 
@@ -68,7 +79,7 @@ Return verdict to orchestrator:
 
 ## Pass Criteria
 
-ALL five dimensions must PASS. Any FAIL blocks the commit.
+ALL six dimensions must PASS. Any FAIL blocks the commit.
 
 If FAIL: orchestrator returns the slice to god-executor.
 If PASS: orchestrator commits the slice atomically.

package/agents/god-spec-reviewer.md

@@ -42,6 +42,14 @@ Answer each with EVIDENCE from the code:
    - Anything in the code that wasn't in the plan?
    - If yes: was it necessary, or is it scope creep?
 
+5. **Can every changed line trace to the request?**
+   - Does each file touched map to a plan item, acceptance criterion, failing
+     test, or cleanup caused by the implementation?
+   - Were unrelated comments, formatting, names, or neighboring abstractions
+     changed without a plan-backed reason?
+   - Did the executor add future options, broad configurability, or generic
+     interfaces that the current slice does not need?
+
 ## Output
 
 Return verdict to orchestrator:
@@ -65,6 +73,8 @@ Return verdict to orchestrator:
 - Every acceptance criterion has a corresponding test
 - All edge cases from the plan are covered
 - No scope creep without justification
+- Every touched file has request-trace evidence
+- No speculative flexibility or unrelated cleanup entered the diff
 
 If FAIL: orchestrator returns the slice to god-executor with the failures.
 If PASS: orchestrator spawns god-quality-reviewer next.