godpowers 2.1.0 → 2.1.1

package/CHANGELOG.md

@@ -7,6 +7,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.1.1] - 2026-05-30
+
+### Changed
+- The context off-switch now empties the canonical `AGENTS.md` instead of
+  deleting it; auto-generated pointer files (`CLAUDE.md`, `.cursorrules`, etc.)
+  are still removed when only the Godpowers fence remains
+  (`lib/context-writer.js`).
+
+### Fixed
+- Documentation: dropped unverifiable external impeccable rule/finding counts;
+  reconciled the project-mode taxonomy (A/B/C/E primary modes, with D as the
+  orthogonal multi-repo suite overlay) in `concepts.md` and `ROADMAP.md`;
+  documented all `lib/` modules in `lib/README.md`; and clarified how the
+  artifact-category counts relate in `greenfield-coverage.md`.
+
 ## [2.1.0] - 2026-05-30
 
 ### Security

package/README.md

@@ -2,7 +2,7 @@
 
 [![CI](https://github.com/aihxp/godpowers/actions/workflows/ci.yml/badge.svg)](https://github.com/aihxp/godpowers/actions/workflows/ci.yml)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
-[![Version](https://img.shields.io/badge/version-2.1.0-blue)](CHANGELOG.md)
+[![Version](https://img.shields.io/badge/version-2.1.1-blue)](CHANGELOG.md)
 [![npm](https://img.shields.io/npm/v/godpowers.svg)](https://www.npmjs.com/package/godpowers)
 
 **Ship fast. Ship right. Ship everything. Ship accountably.**
@@ -21,7 +21,7 @@ Godpowers makes AI coding accountable: every serious run should leave disk
 state, artifacts, validation gates, host guarantees, and a next action. Code is
 only one output. The project memory and proof trail matter too.
 
-Version 2.1.0 keeps the proof loop executable. `npx godpowers quick-proof
+Version 2.1.1 keeps the proof loop executable. `npx godpowers quick-proof
 --project=.` now renders a shipped fixture with real `.godpowers/state.json`,
 computed next action, missing-artifact visibility, and host guarantees. The
 2.0 line also ships a proof transcript, adoption canary harness, published npm

package/RELEASE.md

@@ -1,11 +1,11 @@
-# Godpowers 2.1.0 Release
+# Godpowers 2.1.1 Release
 
 Date: 2026-05-30
 
-Godpowers 2.1.0 is the security and drift hardening release. It keeps the 2.0
-proof, request-trace, and command surfaces stable while closing a
-command-injection vector, hardening runtime file handling and the installer,
-and reconciling documentation drift across the repository.
+Godpowers 2.1.1 is a documentation and off-switch safety patch on top of the
+2.1.0 security release. The public slash-command surface, runtime behavior, and
+artifact layout are unchanged except for one safety improvement to the context
+off-switch.
 
 ## What is stable
 
@@ -15,45 +15,25 @@ and reconciling documentation drift across the repository.
 - 40 intent recipes
 - 15-runtime installer
 - Codex installs with generated `god-*.toml` agent metadata files
-- Markdown specialist agent contracts at `<runtime>/agents/god-*.md`
 - Shared runtime bundle at `<runtime>/godpowers-runtime`
 - Native Pillars project context through `AGENTS.md` and `agents/*.md`
 - `.godpowers/` workflow state and artifact layout
-- Dashboard action briefs for next-step compression
-- Dashboard host guarantees for full, degraded, and unknown runtime capability
-- `godpowers status --project .` and `godpowers next --project .`
-- `godpowers quick-proof --project .`
-- Planning-system migration for GSD, BMAD, and Superpowers
-- Repository documentation, repository surface, route quality, recipe coverage,
-  and release surface sync checks
-- Messy-repo dogfood scenarios
-- Extension authoring scaffold helper
-- Mode D suite release dry-run planner
+- `godpowers status --project .`, `godpowers next --project .`, and
+  `godpowers quick-proof --project .`
 - Release gate enforcement through `npm run release:check`
+- The 2.1.0 security hardening (argv-only browser exec, corrupt-file parse
+  guards, clean-replace installs, prototype-pollution guards)
 
 ## What is new
 
-- Closed a command-injection vector in `lib/agent-browser-driver.js`. CLI
-  arguments now flow through an argv array with the shell disabled, so URLs,
-  selectors, and eval expressions sourced from project content or CLI flags
-  cannot be interpreted as shell syntax.
-- Guarded runtime JSON parsing of `state.json` and `events.jsonl` against
-  corrupt or partially-written files, replacing uncaught crashes with clear
-  errors or skipped torn lines.
-- Corrected the review registry path to `.godpowers/REVIEW-REQUIRED.md` so the
-  dashboard and automation see review items and the off-switch no longer
-  deletes a repo-root file.
-- Made data-directory and runtime-bundle installs a clean replace so version
-  upgrades never leave behind files that no longer ship.
-- Narrowed `agent-cache` deletion scope, added extension-scaffold name
-  validation, added prototype-pollution guards to the YAML/manifest parser and
-  router, and limited installer symlink reproduction to the source tree.
-- Added a skill/agent prose reference validator wired into the agent-ref test
-  gate, wired have-not `A-13` into the architecture gate, and softened brittle
-  exact-count tests to floors.
-- Reconciled documentation drift across README, ARCHITECTURE, ARCHITECTURE-MAP,
-  docs, references, and skills (counts, linkage paths, HAVE-NOTS tally, stale
-  sample output).
+- The context off-switch now empties the canonical `AGENTS.md` instead of
+  deleting it; auto-generated pointer files (`CLAUDE.md`, `.cursorrules`, etc.)
+  are still removed when only the Godpowers fence remains.
+- Documentation reconciliation: removed unverifiable external impeccable
+  rule/finding counts; aligned the project-mode taxonomy with the runtime
+  (A/B/C/E primary modes, with D as the orthogonal multi-repo suite overlay);
+  documented every `lib/` module; and clarified how the artifact-category counts
+  relate.
 
 ## Guardrails
 
@@ -61,10 +41,6 @@ and reconciling documentation drift across the repository.
 - The runtime remains dependency-free.
 - `bin/install.js` stays a thin CLI entry point and delegates install behavior
   to `lib/installer-core.js`.
-- Every `child_process` call site uses an argv array with the shell disabled.
-- `scripts/static-check.js` continues to verify async APIs, JSDoc typedefs,
-  agent-ref test coverage, shared harness adoption, skill metadata source
-  parsing, and God Mode runbook delegation.
 
 ## Validation
 
@@ -77,7 +53,7 @@ Release validation includes:
 - `npm pack --json`
 - local install smoke tests across supported runtime shapes
 - npm publish when registry credentials are available
-- GitHub release creation for `v2.1.0`
+- GitHub release creation for `v2.1.1`
 
-The `v2.1.0` tag should point to the release commit that matches the npm
-`godpowers@2.1.0` package.
+The `v2.1.1` tag should point to the release commit that matches the npm
+`godpowers@2.1.1` package.

package/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: godpowers
-version: 2.1.0
+version: 2.1.1
 description: |
   AI-powered development system that takes a project from raw idea to hardened
   production. Fuses artifact discipline, execution engine, quality enforcement,

package/lib/README.md

@@ -22,6 +22,7 @@ package-level integrations.
 | `dogfood-runner.js` | Run deterministic messy-repo scenarios against migration, host, extension, and suite release behavior. |
 | `budget.js` | Read and enforce configured budget controls. |
 | `cost-tracker.js` | Track token and cost estimates from event streams. |
+| `fs-async.js` | Promise-based file read/write helpers for non-blocking runtime paths. |
 
 ## Events and observability
 
@@ -43,6 +44,8 @@ package-level integrations.
 | `workflow-runner.js` | Execute workflow steps with validation hooks. |
 | `agent-cache.js` | Cache agent metadata for faster routing. |
 | `agent-validator.js` | Validate agent frontmatter and contracts. |
+| `agent-refs.js` | Validate workflow agent references and scan skill/agent prose for phantom references. |
+| `skill-surface.js` | Derive slash-command metadata from the individual `skills/` files. |
 
 ## Artifact quality
 
@@ -71,6 +74,7 @@ package-level integrations.
 | `impeccable-bridge.js` | Bridge runtime checks into impeccable quality workflows. |
 | `extensions.js` | Load and validate extension packs. |
 | `extension-authoring.js` | Scaffold publishable extension packs with manifest, package, README, skill, agent, and workflow files. |
+| `pillars.js` | Manage the Pillars project-context layer (`AGENTS.md` plus routed `agents/*.md`). |
 
 ## Repository and graph helpers
 
@@ -87,5 +91,17 @@ package-level integrations.
 | `review-required.js` | Decide when review gates should block progress. |
 | `suite-state.js` | Manage state across registered project suites. |
 
+## Installer, dashboard, and CLI helpers
+
+| Module | Purpose |
+|--------|---------|
+| `installer-core.js` | Install and uninstall the Godpowers surface for each runtime. |
+| `installer-files.js` | File-copy helpers shared by the installer and its tests. |
+| `installer-args.js` | Parse `bin/install.js` arguments and subcommands. |
+| `installer-runtimes.js` | Map supported runtimes to their config directories. |
+| `automation-providers.js` | Detect and configure host-native automation providers. |
+| `dashboard.js` | Compute the next-step action brief and host guarantee line. |
+| `quick-proof.js` | Render the shipped proof fixture for `godpowers quick-proof`. |
+
 See `../ARCHITECTURE.md` for system design and `../docs/ROADMAP.md` for planned
 runtime work.

package/lib/context-writer.js

@@ -216,15 +216,21 @@ function writeFenced(filePath, sectionContent) {
 }
 
 /**
- * Remove the Godpowers fence from a file. Leaves the rest untouched. If the
- * file becomes empty (whitespace only), removes it.
+ * Remove the Godpowers fence from a file. Leaves the rest untouched. If only
+ * the fence remained, an auto-generated pointer file is deleted; with
+ * { preserveFile: true } the file is emptied instead of deleted (used for the
+ * canonical AGENTS.md so the off-switch never removes the user's primary file).
  */
-function removeFenced(filePath) {
+function removeFenced(filePath, opts = {}) {
   if (!fs.existsSync(filePath)) return { removed: false, reason: 'missing' };
   const parsed = readFenced(filePath);
   if (parsed.fenced === '') return { removed: false, reason: 'no-fence' };
   let remaining = `${parsed.before}${parsed.after}`.replace(/\n{3,}/g, '\n\n').trim();
   if (remaining === '') {
+    if (opts.preserveFile) {
+      fs.writeFileSync(filePath, '');
+      return { removed: true, fileDeleted: false, emptied: true };
+    }
     fs.unlinkSync(filePath);
     return { removed: true, fileDeleted: true };
   }
@@ -284,8 +290,11 @@ function apply(projectRoot, state, opts = {}) {
  * Remove all Godpowers fences from canonical + pointers (off-switch).
  */
 function clearAll(projectRoot) {
-  const targets = [
-    path.join(projectRoot, 'AGENTS.md'),
+  // The canonical AGENTS.md is the user's primary context file: empty it rather
+  // than delete it. The remaining targets are auto-generated pointer files that
+  // Godpowers owns outright, so they are deleted when only the fence remains.
+  const canonical = path.join(projectRoot, 'AGENTS.md');
+  const pointers = [
     path.join(projectRoot, 'CLAUDE.md'),
     path.join(projectRoot, 'GEMINI.md'),
     path.join(projectRoot, '.cursorrules'),
@@ -300,7 +309,9 @@ function clearAll(projectRoot) {
     path.join(projectRoot, '.agents', 'skills', 'godpowers.md')
   ];
   const results = [];
-  for (const t of targets) {
+  const rc = removeFenced(canonical, { preserveFile: true });
+  if (rc.removed) results.push({ path: canonical, ...rc });
+  for (const t of pointers) {
     const r = removeFenced(t);
     if (r.removed) results.push({ path: t, ...r });
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "godpowers",
-  "version": "2.1.0",
+  "version": "2.1.1",
   "description": "AI-powered development system: 110 slash commands and 40 specialist agents that take a project from raw idea to hardened production. Runs inside Claude Code, Codex, Cursor, Windsurf, Gemini, and 10+ other AI coding tools.",
   "bin": {
     "godpowers": "./bin/install.js"

package/skills/god-doctor.md

@@ -50,7 +50,7 @@ GODPOWERS DOCTOR
 Install: claude (~/.claude/)
   [OK] 110 skills installed
   [OK] 40 agents installed
-  [OK] VERSION matches (2.1.0)
+  [OK] VERSION matches (2.1.1)
   [WARN] routing/god-doctor.yaml exists but skill file did not until now
 
 Project: /Users/.../my-project/.godpowers/

package/skills/god-version.md

@@ -14,7 +14,7 @@ Print version and a short capability summary.
 ## Output
 
 ```
-Godpowers v2.1.0
+Godpowers v2.1.1
 Install: /Users/.../.claude/  (matches package.json)
 Surface: 110 skills, 40 agents, 13 workflows, 40 recipes
 Schema: intent.v1, state.v1, events.v1, workflow.v1, routing.v1, recipe.v1