godpowers 2.5.0 → 2.5.2

package/CHANGELOG.md

@@ -7,6 +7,35 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.5.2] - 2026-06-10
+
+### Added
+- Added regression coverage proving an installed `godpowers-runtime` bundle can
+  be used as a local npm package for `godpowers gate`.
+- Added regression coverage proving build gates fail when build state records a
+  failed verification command.
+
+### Fixed
+- Fixed installed runtime bundles so `godpowers-runtime` includes `bin/` next
+  to `package.json`, allowing host workflows to call the documented
+  `godpowers gate` command from the installed runtime package.
+- Fixed the build gate so `.godpowers/build/STATE.md` fails closed when any
+  verification command is recorded as failed, instead of passing because a
+  different command passed.
+
+## [2.5.1] - 2026-06-10
+
+### Added
+- Added three Codex host-run proof case studies for slugify-cli, Countdown, and
+  react-github-readme-button.
+- Added Phase 2 proof evidence for successful CLI and web app runs plus one
+  blocked harden run with Critical dev-tooling findings preserved as a public
+  blocker.
+
+### Changed
+- Updated USERS, README, roadmap, reference, architecture, release notes, and
+  bridge-plan status for the Phase 2 host proof campaign.
+
 ## [2.5.0] - 2026-06-10
 
 ### Added

package/README.md

@@ -2,7 +2,7 @@
 
 [![CI](https://github.com/aihxp/godpowers/actions/workflows/ci.yml/badge.svg)](https://github.com/aihxp/godpowers/actions/workflows/ci.yml)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
-[![Version](https://img.shields.io/badge/version-2.5.0-blue)](CHANGELOG.md)
+[![Version](https://img.shields.io/badge/version-2.5.2-blue)](CHANGELOG.md)
 [![npm](https://img.shields.io/npm/v/godpowers.svg)](https://www.npmjs.com/package/godpowers)
 
 **Ship fast. Ship right. Ship everything. Ship accountably.**
@@ -21,15 +21,18 @@ CLI-verifiable canaries now cover [sindresorhus/is](docs/case-studies/sindresorh
 [expressjs/cors](docs/case-studies/expressjs-cors-adoption-canary.md), and
 [tinyhttp/tinyhttp](docs/case-studies/tinyhttp-adoption-canary.md), with host
 slash-command gaps called out rather than hidden.
+Host-run proof studies now cover [slugify-cli](docs/case-studies/run-a.md),
+[Countdown](docs/case-studies/run-b.md), and
+[react-github-readme-button](docs/case-studies/run-c.md), including one
+blocked harden run recorded as evidence instead of hidden as success.
 
 Godpowers makes AI coding accountable: every serious run should leave disk
 state, artifacts, validation gates, host guarantees, and a next action. Code is
 only one output. The project memory and proof trail matter too.
 
-Version 2.5.0 adds executable tier gates through `npx godpowers gate` while
-keeping the 2.4 command-family UX, external CLI canary evidence, prompt-size
-guardrails, legacy command quarantine, lib coverage gating, and package
-verification before publish.
+Version 2.5.2 keeps the 2.5.1 Codex host-run proof studies and patches two
+Phase 2 blocker defects: installed runtime gate command access and build-gate
+false passes when verification evidence is red.
 
 Maintainer hardening continues on the 2.x line with small, audited public
 surface updates when they close real workflow gaps. The 2.1.0 patch closes a command-injection vector in the

package/RELEASE.md

@@ -1,52 +1,51 @@
-# Godpowers 2.5.0 Release
+# Godpowers 2.5.2 Release
 
-> Status: Ready for package verification
+> Status: Ready for protected merge
 > Date: 2026-06-10
 
-Godpowers 2.5.0 ships executable tier gates for the code-first kernel
-migration. It keeps the slash-command workflow intact while giving command
-capable hosts a stable JSON gate contract and non-zero exit codes for blocked
-tier transitions.
+[DECISION] Godpowers 2.5.2 is a Phase 2 blocker patch after the 2.5.1 host-proof docs release.
+[DECISION] This release fixes the installed-runtime gate command gap and build-gate false-pass gap captured during Phase 2 proof work.
+[DECISION] This release does not change the 2.5.1 host-proof case-study claims.
 
 ## What's in this release
 
-- 112 slash commands
-- 40 specialist agents
-- 13 executable workflows
-- 42 intent recipes
-- 8 installer CLI helpers
+- [DECISION] 112 slash commands.
+- [DECISION] 40 specialist agents.
+- [DECISION] 13 executable workflows.
+- [DECISION] 42 intent recipes.
+- [DECISION] 8 installer CLI helpers.
 
 ## Highlights
 
-- `npx godpowers gate --tier=<tier> --project=.` checks PRD, design,
-  architecture, roadmap, stack, repo, build, and harden artifacts.
-- Gate JSON returns `{tier, verdict, artifacts, checks, findings, summary}` for
-  host-visible evidence.
-- Build gates require `.godpowers/build/STATE.md` to record exact verification
-  commands that passed.
-- Harden gates fail unresolved Critical findings and blocked launch gates.
-- `/god-mode` now runs executable gates between tier transitions.
-- Tier routes declare `standards.gate-command`, and static checks enforce the
-  skill and route metadata.
-- CLI command dispatch now lives in `lib/cli-dispatch.js`, keeping
-  `bin/install.js` thin.
+- [DECISION] `godpowers-runtime` now includes `bin/` next to `package.json`, so host workflows can run `npm exec --package <runtime> -- godpowers gate`.
+- [DECISION] Build gates now fail closed when `.godpowers/build/STATE.md` records any failed verification command.
+- [DECISION] Slot A, Slot B, and Slot C evidence remains the repository state shipped in 2.5.1.
 
 ## Validation
 
-- `node scripts/test-gate.js` green
-- `node scripts/test-cli-dispatch.js` green
-- `node scripts/static-check.js` green
-- `npm run release:check` required before publish
+- [DECISION] `node scripts/test-gate.js` passed before the latest `main` merge.
+- [DECISION] `node scripts/test-install-smoke.js` passed before the latest `main` merge.
+- [DECISION] `npm run test:e2e` passed before the latest `main` merge.
+- [DECISION] `node scripts/test-runtime-verification.js` passed before the latest `main` merge.
+- [DECISION] `node scripts/test-agent-browser.js` passed before the latest `main` merge.
+- [DECISION] `node scripts/static-check.js` passed before the latest `main` merge.
+- [DECISION] `npm run release:check` passed before the latest `main` merge with `coverage:lib` at 92.9 percent line coverage, `npm audit --omit=dev` reporting 0 vulnerabilities, public surface docs matching version 2.5.1, and package contents verified at 534 files.
+- [DECISION] Post-merge 2.5.2 `npm run test:surface` passed.
+- [DECISION] Post-merge 2.5.2 `node scripts/test-gate.js` passed.
+- [DECISION] Post-merge 2.5.2 `node scripts/test-install-smoke.js` passed.
+- [DECISION] Post-merge 2.5.2 `node scripts/static-check.js` passed.
+- [DECISION] Post-merge 2.5.2 `npm run test:e2e` passed.
+- [DECISION] Post-merge 2.5.2 `node scripts/test-runtime-verification.js` passed.
+- [DECISION] Post-merge 2.5.2 `node scripts/test-agent-browser.js` passed.
+- [DECISION] Post-merge 2.5.2 `npm run release:check` passed with `coverage:lib` at 92.9 percent line coverage, `npm audit --omit=dev` reporting 0 vulnerabilities, public surface docs matching version 2.5.2, and package contents verified at 534 files.
 
 ## Upgrade
 
-- `npm install -g godpowers@2.5.0` or `npx godpowers@2.5.0`
-- Re-run `/god-context` in each project to refresh installed runtime metadata.
-- Existing `.godpowers/` state remains compatible.
+- [DECISION] Use `npm install -g godpowers@2.5.2` or `npx godpowers@2.5.2` after the package is published.
+- [DECISION] Reinstall Godpowers in host runtimes to refresh the installed runtime bundle.
+- [DECISION] Existing `.godpowers/` state remains compatible.
 
 ## Notes
 
-- GitHub release creation for `v2.5.0`.
-- The tag should match the npm package version.
-- The `v2.5.0` tag should point to the release commit that matches the npm
-  `godpowers@2.5.0` package.
+- [DECISION] The npm `godpowers@2.5.1` package is already published.
+- [DECISION] Publishing 2.5.2 remains pending until protected merge, tag, and npm provenance publish complete.

package/lib/gate.js

@@ -115,17 +115,57 @@ function checkArtifacts(projectRoot, tier, artifacts, opts, result) {
 }
 
 function extractPassedCommands(text) {
-  const commands = [];
+  return extractCommandStatuses(text)
+    .filter((entry) => entry.status === 'pass')
+    .map((entry) => entry.command)
+    .filter((command, index, commands) => commands.indexOf(command) === index);
+}
+
+function extractFailedCommands(text) {
+  return extractCommandStatuses(text)
+    .filter((entry) => entry.status === 'fail')
+    .map((entry) => entry.command)
+    .filter((command, index, commands) => commands.indexOf(command) === index);
+}
+
+function extractCommand(line) {
+  const exact = line.match(/\b(?:exact\s+executed\s+command|verification\s+command|command)\s*:\s*`([^`\n]+)`/i);
+  if (exact) return exact[1].trim();
+  const backtickWithStatus = line.match(/`([^`\n]+)`\s*:\s*(pass|passed|green|success|succeeded|ok|fail|failed|red|error)\b/i);
+  if (backtickWithStatus) return backtickWithStatus[1].trim();
+  const labeled = line.match(/\bcommand\s*:\s*([^;]+?)(?:\s{2,}|\s+status\s*:|\s+result\s*:|$)/i);
+  return labeled ? labeled[1].trim() : null;
+}
+
+function explicitStatus(line) {
+  const status = line.match(/\b(?:status|result|gate status)\s*:\s*(pass|passed|green|success|succeeded|ok|fail|failed|red|error)\b/i);
+  if (!status) return null;
+  return /fail|red|error/i.test(status[1]) ? 'fail' : 'pass';
+}
+
+function inlineCommandStatus(line) {
+  if (/\b(fail|failed|red|error)\b/i.test(line)) return 'fail';
+  if (/\b(pass|passed|green|success|succeeded|ok)\b/i.test(line)) return 'pass';
+  return null;
+}
+
+function extractCommandStatuses(text) {
+  const entries = [];
+  let currentCommand = null;
   for (const line of text.split(/\r?\n/)) {
-    const backtick = line.match(/`([^`\n]+)`/);
-    const labeled = line.match(/\bcommand\s*:\s*([^;]+?)(?:\s{2,}|\s+status\s*:|\s+result\s*:|$)/i);
-    const command = backtick ? backtick[1].trim() : (labeled ? labeled[1].trim() : null);
-    if (!command) continue;
-    if (/\b(pass|passed|green|success|succeeded|ok)\b/i.test(line)) {
-      commands.push(command);
+    const command = extractCommand(line);
+    if (command) {
+      currentCommand = command;
+      const status = explicitStatus(line) || inlineCommandStatus(line);
+      if (status) entries.push({ command, status });
+      continue;
     }
+
+    if (!currentCommand) continue;
+    const status = explicitStatus(line);
+    if (status) entries.push({ command: currentCommand, status });
   }
-  return [...new Set(commands)];
+  return entries;
 }
 
 function checkBuildEvidence(projectRoot, result) {
@@ -133,6 +173,25 @@ function checkBuildEvidence(projectRoot, result) {
   const file = relToAbs(projectRoot, relPath);
   if (!fs.existsSync(file)) return;
   const text = fs.readFileSync(file, 'utf8');
+  const failedCommands = extractFailedCommands(text);
+  if (failedCommands.length > 0) {
+    const finding = makeFinding(
+      'build-verification-failed-command',
+      'error',
+      relPath,
+      `Build state records failed verification command(s): ${failedCommands.join(', ')}.`
+    );
+    result.findings.push(finding);
+    addFindingSummary(result.summary, finding.severity);
+    result.checks.push(makeCheck(
+      'build-verification-failed-command',
+      'fail',
+      relPath,
+      finding.reason
+    ));
+    result.summary.buildVerificationFailedCommands = failedCommands;
+    return;
+  }
   const passedCommands = extractPassedCommands(text);
   if (passedCommands.length === 0) {
     const finding = makeFinding(
@@ -265,6 +324,8 @@ function render(result) {
 module.exports = {
   check,
   checkAsync,
+  extractCommandStatuses,
+  extractFailedCommands,
   extractPassedCommands,
   exitCode,
   render

package/lib/installer-files.js

@@ -65,7 +65,7 @@ function copyRecursive(src, dest, root) {
 
 function copyRuntimeBundle(srcDir, destDir) {
   ensureDir(destDir);
-  for (const dir of ['lib', 'routing', 'workflows', 'schema', 'templates', 'references']) {
+  for (const dir of ['bin', 'lib', 'routing', 'workflows', 'schema', 'templates', 'references']) {
     const src = path.join(srcDir, dir);
     if (fs.existsSync(src)) {
       copyRecursive(src, path.join(destDir, dir));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "godpowers",
-  "version": "2.5.0",
+  "version": "2.5.2",
   "description": "AI-powered development system: 112 slash commands and 40 specialist agents that take a project from raw idea to hardened production. Runs inside Claude Code, Codex, Cursor, Windsurf, Gemini, and 10+ other AI coding tools.",
   "bin": {
     "godpowers": "./bin/install.js"