godpowers 3.0.2 → 3.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -7,6 +7,289 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ## [3.13.0] - 2026-06-16
11
+
12
+ ### Changed
13
+ - The default greenfield workflow (`full-arc`, run by `/god-mode`) now runs two
14
+ more steps so the one-shot product ships audited and documented. A `code-audit`
15
+ job (`god-debt-assessor`) runs after the build and before deploy/harden, giving
16
+ the whole AI-generated codebase a scored audit that catches what the per-slice
17
+ reviews could not see across files. A `docs` job (`god-docs-writer`) runs after
18
+ harden and before launch, writing the project documentation and verifying every
19
+ claim against the code (drift detected) before the product ships. `deploy` and
20
+ `harden` now need `code-audit`; `launch` now needs `docs`. The plan goes from
21
+ 11 to 13 steps. No new skill, agent, workflow, or recipe surface: both jobs
22
+ reuse agents that already exist.
23
+ - `GOD-ORCHESTRATOR-RUNBOOK` documents the new audit and docs positions in the
24
+ greenfield arc.
25
+
26
+ ## [3.12.1] - 2026-06-16
27
+
28
+ ### Changed
29
+ - De-duplicated the audit lanes in `god-debt-assessor`. Its Security dimension
30
+ now defers to `god-harden-auditor`: when `.godpowers/harden/FINDINGS.md`
31
+ exists, score Security from harden's verdict and cite its finding IDs instead
32
+ of re-running the OWASP walkthrough, recording a security finding only for
33
+ something harden did not cover. Its Code Quality dimension is explicitly the
34
+ whole-repo point-in-time read that complements, not duplicates,
35
+ `god-quality-reviewer`'s per-slice diff review.
36
+
37
+ ## [3.12.0] - 2026-06-16
38
+
39
+ ### Changed
40
+ - Upgraded `god-debt-assessor` (`/god-tech-debt`) to a codeauditor-grade,
41
+ read-only source-code audit: nine weighted dimensions scored 0-100 with grade
42
+ bands and risk-capping, per-finding Severity/Confidence/Effort, adversarial
43
+ verification with Suspected marking, paper-construct/theater hunting,
44
+ root-not-leaves systemic clustering, a strengths-to-preserve section,
45
+ calibration to maturity, a file:line + substitution evidence gate, and a
46
+ self-contained "how to use this report" protocol for an acting agent. Keeps
47
+ Godpowers' broader operational/knowledge debt categories as extra lenses.
48
+ Output stays `.godpowers/tech-debt/REPORT.md`.
49
+
50
+ ### Added
51
+ - Added the audit-remediation loop: a new `audit-remediate` recipe routes
52
+ "audit and fix until clean" intent, and a `GOD-ORCHESTRATOR-RUNBOOK` section
53
+ defines the bounded drive-to-zero loop (audit, select worst-first, fix with
54
+ `god-debugger`, verify with an independent reviewer, bound the retries with
55
+ `evidence.outcome`, re-audit until no Confirmed Critical/High remains). The
56
+ can't-fake-done gate makes "clean" an evidence-backed re-audit; un-fixable
57
+ findings pause as precise blockers instead of silent skips.
58
+
59
+ ### Notes
60
+ - No new skill or agent (god-debt-assessor enhanced in place). Recipe surface
61
+ count moves 43 to 44. The audit-remediation loop is opt-in (intent/recipe or
62
+ an end-of-arc pass); it is not wired into the default greenfield `full-arc`.
63
+
64
+ ## [3.11.0] - 2026-06-15
65
+
66
+ ### Added
67
+ - Added `lib/evidence-import.js` and the `npx godpowers import-ledger [--from
68
+ <path>]` CLI: a one-time, best-effort importer that copies an existing Mythify
69
+ `.mythify/` ledger into `.godpowers/ledger/` (verifications rebinding
70
+ plan/step to arc/substep, reflections, memory merged by key, lessons, and
71
+ outcomes). Records are appended; no state rollup and no gate events.
72
+ - Exported `readJsonl` and `appendJsonlAtomic` from `lib/evidence.js` for reuse.
73
+
74
+ ### Notes
75
+ - This is the final item in `docs/FUSION-ARCHITECTURE.md`. With it, the native
76
+ fusion of Mythify's evidence engine and quarterback into Godpowers (Phases 0-3
77
+ plus the optional importer) is complete.
78
+
79
+ ## [3.10.0] - 2026-06-15
80
+
81
+ ### Added
82
+ - Added three read-only MCP tools to `@godpowers/mcp` (Phase 3, the final fusion
83
+ slice): `work_report` (wraps `lib/work-report.js`, forced peek so it never
84
+ advances the cursor), `route` (wraps `lib/quarterback.js`, never mutates
85
+ state), and `verification_history` (wraps `lib/evidence.js` history). All
86
+ carry `readOnlyHint:true` via the same `requireRuntime` bridge. The companion
87
+ now exposes eight read-only tools.
88
+
89
+ ### Notes
90
+ - This release completes the native fusion of Mythify's evidence engine and
91
+ quarterback into Godpowers across Phases 0-3 (`docs/FUSION-ARCHITECTURE.md`):
92
+ the evidence producer, enforced close-on-evidence on the build and harden
93
+ gates, the quarterback entry router, the work report, reflections, memory,
94
+ lessons, outcome loops, and now the MCP read tools. Mutating verification stays
95
+ on the CLI and orchestrator path.
96
+
97
+ ## [3.9.0] - 2026-06-15
98
+
99
+ ### Added
100
+ - Added `evidence.outcome.start/check/stop/status` (Phase 3), rebound from
101
+ Mythify's `outcomes/<slug>/` store: a bounded retry loop with `goal.json` and
102
+ `iterations.jsonl` at `.godpowers/ledger/outcomes/<slug>/`. `check` runs the
103
+ verifier through `evidence.verify` (so the executed verdict is also written to
104
+ the main verifications ledger and rolled up), appends an iteration, and marks
105
+ the outcome succeeded, failed when the budget is exhausted, or still active.
106
+ - Added the `npx godpowers outcome start|check|stop|status <name> [--goal ...]
107
+ [--verify "<cmd>"] [--budget N] [--substep <id>] [--reason ...]` CLI subcommand.
108
+
109
+ ### Notes
110
+ - Outcome state lives under the ledger; `check` is the only path that mutates
111
+ shared state, and it does so through the existing `evidence.verify` rollup. No
112
+ existing command behavior changed.
113
+
114
+ ## [3.8.0] - 2026-06-15
115
+
116
+ ### Added
117
+ - Added `evidence.lesson.add/list` (Phase 3), rebound from Mythify's lessons
118
+ store: append tagged lessons with project or global scope to
119
+ `.godpowers/ledger/lessons.jsonl` (or `~/.godpowers/lessons.jsonl` for global).
120
+ - Added the `npx godpowers lesson add|list "<lesson>" [--tags a,b] [--scope
121
+ project|global]` CLI subcommand.
122
+
123
+ ### Changed
124
+ - `evidence.reflect()` now auto-records a project lesson tagged `auto-reflected`
125
+ when a reflection carries a lesson, matching the upstream reflect tool. The
126
+ reflection record itself is unchanged.
127
+
128
+ ### Notes
129
+ - The lessons store is isolated: it never touches `state.json`, the
130
+ verifications ledger, or the event stream.
131
+
132
+ ## [3.7.0] - 2026-06-15
133
+
134
+ ### Added
135
+ - Added `evidence.memory.set/get/list/clear` (Phase 3), rebound from Mythify's
136
+ memory.json: a durable key/value store with categories fact, decision,
137
+ discovery, and state at `.godpowers/ledger/memory.json`. `set` upserts by key
138
+ and defaults the category to fact; `clear` removes one key or all entries;
139
+ writes go through `lib/atomic-write.js`.
140
+ - Added the `npx godpowers memory set|get|list|clear [<key>] [<value>]
141
+ [--category ...]` CLI subcommand.
142
+
143
+ ### Notes
144
+ - The memory store is isolated: it never touches `state.json`, the verifications
145
+ ledger, or the event stream. No existing command behavior changed.
146
+
147
+ ## [3.6.0] - 2026-06-15
148
+
149
+ ### Added
150
+ - Added `evidence.reflect()` and `evidence.reflections()` (Phase 3), rebound from
151
+ Mythify's reflect tool: record action, outcome (success/partial/failure),
152
+ observation, root cause, next action, and an optional lesson to
153
+ `.godpowers/ledger/reflections.jsonl` with substep context.
154
+ - Added the `npx godpowers reflect --action "<...>" --outcome <...> --next "<...>"`
155
+ CLI subcommand (`--observation`, `--root-cause`, `--lesson`, `--substep`
156
+ optional).
157
+
158
+ ### Changed
159
+ - Generalized the ledger jsonl append/read into shared `appendJsonlAtomic` and
160
+ `readJsonl` helpers in `lib/evidence.js` so verifications and reflections share
161
+ one atomic path. No change to the verifications record shape or behavior.
162
+
163
+ ### Notes
164
+ - `reflect` is isolated: it never touches `state.json`, the verifications ledger,
165
+ or the event stream. No existing command behavior changed.
166
+
167
+ ## [3.5.0] - 2026-06-15
168
+
169
+ ### Added
170
+ - Added `lib/work-report.js`, the chat play-by-play (Phase 3) rebound from
171
+ Mythify's build_work_report. It reads the evidence ledger, surfaces an
172
+ Attention section for unverified records, summarizes passed/failed/attested,
173
+ and advances a report cursor at `.godpowers/ledger/reports/cursor.json` so a
174
+ fresh session emits only what is new.
175
+ - Added the read-only `npx godpowers report --since last` CLI subcommand
176
+ (`--since all` for full history, `--peek` to show without advancing the
177
+ cursor).
178
+
179
+ ### Notes
180
+ - `report` is read-only beyond the report cursor and never mutates `state.json`;
181
+ no existing command behavior changed. This is the first Phase 3 slice; outcome
182
+ loops, memory, lessons, reflections, and MCP read tools remain to come.
183
+
184
+ ## [3.4.0] - 2026-06-15
185
+
186
+ ### Added
187
+ - Added `lib/quarterback.js`, the entry-level two-layer router (Phase 2 of the
188
+ fusion design). It composes `router.suggestNext` and `recipes.matchIntent` and
189
+ adds the two genes Godpowers lacked at entry: refuse-on-red (never start new
190
+ work when the latest executed verdict is red or harden findings carry an
191
+ unresolved Critical) and proportional ceremony (a one-line fix routes to
192
+ `/god-fast`, not an arc). The priority ladder is recover, resume, recovery,
193
+ brownfield, research, review, full, feature, trivial; first match wins.
194
+ - Added the read-only `npx godpowers route "<prompt>"` CLI subcommand, which
195
+ returns the chosen play with its next command, ceremony level, verification
196
+ strategy, and an evidence block (classification, latest verdict, active arc,
197
+ open findings). `route` never mutates state.
198
+
199
+ ### Notes
200
+ - `route` is read-only and additive; no existing command behavior changed. The
201
+ quarterback reads the evidence ledger and harden findings to decide refuse-on-red.
202
+
203
+ ## [3.3.0] - 2026-06-15
204
+
205
+ ### Added
206
+ - Added the `npx godpowers can-close --substep <id>` CLI subcommand, a read-only
207
+ face over `evidence.canClose`. It exits zero only when the substep has the
208
+ evidence to close (executable-gated tiers need a passing executed record since
209
+ they went in-flight; other tiers accept an attested record), so skills and the
210
+ orchestrator can shell into the strict close gate the way they already shell
211
+ `gate` and `state advance`.
212
+
213
+ ### Changed
214
+ - Wired the `GOD-ORCHESTRATOR-RUNBOOK` close loop to record executed evidence and
215
+ confirm `can-close` is green before advancing an executable-gated sub-step to
216
+ done. This completes the orchestrator side of the Phase 1 close-on-evidence
217
+ path (`docs/FUSION-ARCHITECTURE.md`). No existing command behavior changed; the
218
+ CLI addition is additive and the runbook change is prompt-level guidance.
219
+
220
+ ## [3.2.0] - 2026-06-15
221
+
222
+ ### Changed
223
+ - BEHAVIOR CHANGE: the `harden` gate now requires executed verification
224
+ evidence. `lib/gate.js`'s build-only executed-evidence requirement is
225
+ generalized to every executable-gated tier, driven by
226
+ `evidence.EXECUTED_REQUIRED_SUBSTEPS` (`build`, `deploy`, `harden`). The
227
+ harden gate now requires at least one passed and zero failed verification
228
+ commands in `state.json` `verification.commands[]`, in addition to its
229
+ no-Critical-findings check. A security tier can no longer close "done" without
230
+ an exit-code-backed passing record. Finding ids are tier-prefixed, so the
231
+ build tier keeps its `build-verification-*` contract and harden gains
232
+ `harden-verification-*`.
233
+ - Updated the `god-harden` skill to record the executed security check
234
+ (for example `npx godpowers verify "npm audit --omit=dev" --substep
235
+ tier-3.harden`) before running the harden gate.
236
+
237
+ ### Added
238
+ - Added the `tier-3.harden` state-step mapping in `lib/artifact-map.js` so the
239
+ harden gate reads structured state evidence (matching `build`).
240
+
241
+ ### Notes
242
+ - This is the first enforced close-on-evidence behavior change from the Phase 1
243
+ fusion design (`docs/FUSION-ARCHITECTURE.md`). Projects that closed a harden
244
+ step without a verification record must now run `godpowers verify` (or record
245
+ an attested record where no executable check applies) before the harden gate
246
+ passes. The build gate behavior is unchanged.
247
+
248
+ ## [3.1.1] - 2026-06-15
249
+
250
+ ### Added
251
+ - Added `evidence.canClose(substep)` to `lib/evidence.js`, the read-only strict
252
+ close-gate primitive rebound from Mythify's completion rule: a substep may
253
+ close only when evidence bound to it since it went in-flight supports the
254
+ close. Tier-appropriate per `docs/FUSION-ARCHITECTURE.md` section 4.2:
255
+ `build`/`deploy`/`harden` require the latest executed record to be
256
+ `verified:true`; other substeps accept an executed pass or an attested record,
257
+ and a failed executed record always blocks.
258
+
259
+ ### Notes
260
+ - `canClose` is additive and read-only. It does not mutate state and is not yet
261
+ wired into `gate.js` or the close path; wiring it in (the deliberate
262
+ behavior change) is the remaining Phase 1 work tracked in
263
+ `docs/FUSION-ARCHITECTURE.md`. No existing behavior changed in this release.
264
+
265
+ ## [3.1.0] - 2026-06-15
266
+
267
+ ### Added
268
+ - Added the evidence producer in `lib/evidence.js`, vendored from the Mythify
269
+ Node engine (`mythify-mcp@3.6.3`, `verify_run`/`verify_claim`). `evidence.verify()`
270
+ executes a command, appends an exit-code-backed record to the new append-only
271
+ `.godpowers/ledger/verifications.jsonl`, rolls the latest verdict per command
272
+ into `state.json` `verification.commands[]` through `lib/state.js`, and emits
273
+ `gate.pass`/`gate.fail` to the hash-chained `runs/<id>/events.jsonl` stream.
274
+ `evidence.verifyClaim()` records a second-class attested record that never
275
+ rolls up.
276
+ - Added the `npx godpowers verify "<cmd>" --substep <id> --claim "<text>"` CLI
277
+ subcommand (with `--timeout`, and `--attest`/`--evidence` for attestations),
278
+ wired through `lib/cli-dispatch.js`.
279
+ - Added `lib/evidence/.provenance.json` recording the vendored engine's source,
280
+ version, commit, and adaptations, plus `scripts/sync-evidence-engine.js` to
281
+ re-pull the upstream engine, re-state the adaptations, and flag any upstream
282
+ record-shape drift for review.
283
+ - Added `docs/FUSION-ARCHITECTURE.md`, the canonical design for transplanting
284
+ Mythify's evidence engine and quarterback into Godpowers (Phases 0-3; this
285
+ release lands Phase 0).
286
+
287
+ ### Changed
288
+ - `state.json` `verification.commands[]` is now reliably populated by the
289
+ evidence producer (previously specified in the schema but never written).
290
+ This is additive: the build gate reads the same shape, no gate behavior or
291
+ close-on-evidence logic changed (that is Phase 1).
292
+
10
293
  ## [3.0.2] - 2026-06-11
11
294
 
12
295
  ### Added
package/README.md CHANGED
@@ -2,7 +2,7 @@
2
2
 
3
3
  [![CI](https://github.com/aihxp/godpowers/actions/workflows/ci.yml/badge.svg)](https://github.com/aihxp/godpowers/actions/workflows/ci.yml)
4
4
  [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
5
- [![Version](https://img.shields.io/badge/version-3.0.2-blue)](CHANGELOG.md)
5
+ [![Version](https://img.shields.io/badge/version-3.13.0-blue)](CHANGELOG.md)
6
6
  [![npm](https://img.shields.io/npm/v/godpowers.svg)](https://www.npmjs.com/package/godpowers)
7
7
 
8
8
  **Ship fast. Ship right. Ship everything. Ship accountably.**
@@ -30,13 +30,27 @@ Godpowers makes AI coding accountable: every serious run should leave disk
30
30
  state, artifacts, validation gates, host guarantees, and a next action. Code is
31
31
  only one output. The project memory and proof trail matter too.
32
32
 
33
- Version 3.0.2 is a concierge surface patch on top of the 3.0.0 surface
34
- contraction release. The current 3.x line keeps the omitted installer profile
35
- on `core`, adds first-run, demo, and surface-control entry points, preserves
36
- `--profile=full` for compatibility, keeps locate and lifecycle views under
37
- `/god-status`, ships the optional `@godpowers/mcp` companion package, and
38
- verifies docs, package contents, npm metadata, GitHub release state, and
39
- published install behavior before public release.
33
+ Version 3.13.0 makes the default greenfield arc (`/god-mode`) miss less. The
34
+ one-shot `full-arc` workflow now runs a whole-codebase code audit after the
35
+ build (so it catches what the per-slice reviews missed in AI-generated code) and
36
+ a documentation pass after harden (so the shipped product has docs verified
37
+ against the code, not vibes). The arc goes build, code-audit, deploy, observe,
38
+ harden, docs, launch, final-sync: per-slice review, whole-codebase audit plus
39
+ remediation, a security gate, and verified docs before launch. This builds on
40
+ 3.12.x, which made that code audit codeauditor-grade: `god-debt-assessor`
41
+ (`/god-tech-debt`) produces a scored, prioritized, self-contained source-code
42
+ audit across nine weighted dimensions, and the `audit-remediate` recipe drives
43
+ the findings to zero (audit, fix worst-first with an independent reviewer,
44
+ re-audit, bounded by an outcome budget, with the can't-fake-done gate ensuring
45
+ "clean" is evidence-backed). It all sits on top of the completed Mythify fusion
46
+ (the evidence producer, enforced close-on-evidence, the quarterback, work report,
47
+ reflections, memory, lessons, outcome loops, MCP read tools, and ledger importer). The current 3.x line keeps
48
+ the omitted installer profile on `core`, keeps first-run, demo, and
49
+ surface-control entry points, preserves `--profile=full` for compatibility,
50
+ keeps locate and lifecycle views under `/god-status`, ships the optional
51
+ `@godpowers/mcp` companion package, and verifies docs, package contents, npm
52
+ metadata, GitHub release state, and published install behavior before public
53
+ release.
40
54
 
41
55
  Maintainer hardening continues on the 3.x line with small, audited public
42
56
  surface updates when they close real workflow gaps. Historical release details
@@ -315,14 +329,14 @@ dependency to the main `godpowers` package:
315
329
 
316
330
  ```bash
317
331
  npx godpowers mcp-info --project=.
318
- npx -y -p godpowers@3.0.2 -p @godpowers/mcp@3.0.2 godpowers-mcp serve --project=.
332
+ npx -y -p godpowers@3.13.0 -p @godpowers/mcp@3.13.0 godpowers-mcp serve --project=.
319
333
  ```
320
334
 
321
335
  The companion exposes `status`, `next`, `gate_check`, `lint_artifact`, and
322
336
  `trace_requirement`. Host registration is opt-in:
323
337
 
324
338
  ```bash
325
- npx -y -p godpowers@3.0.2 -p @godpowers/mcp@3.0.2 godpowers-mcp setup --host=codex --project=. --write
339
+ npx -y -p godpowers@3.13.0 -p @godpowers/mcp@3.13.0 godpowers-mcp setup --host=codex --project=. --write
326
340
  ```
327
341
 
328
342
  See [MCP Companion](docs/mcp.md) for package boundaries and setup details.
package/RELEASE.md CHANGED
@@ -1,53 +1,41 @@
1
- # Godpowers 3.0.2 Release
1
+ # Godpowers 3.13.0 Release
2
2
 
3
- > Status: Published
4
- > Date: 2026-06-11
3
+ > Status: Prepared
4
+ > Date: 2026-06-16
5
5
 
6
- [DECISION] Godpowers 3.0.2 is a concierge surface patch on top of the 3.0.0 surface contraction release and the 3.0.1 release-surface cleanup.
7
- [DECISION] This release keeps `core` as the omitted installer profile, keeps `--profile=full` as the complete compatibility surface, and adds first-run, demo, and surface-control entry points for safer onboarding.
8
- [DECISION] This release changes default guidance from catalog-first and dashboard-first output to compact recommendations with `Next commands:` blocks.
9
- [DECISION] This release keeps `@godpowers/mcp` as the optional read-only companion package.
6
+ [DECISION] Godpowers 3.13.0 is a minor release that hardens the default greenfield arc. The one-shot `full-arc` workflow run by `/god-mode` now audits the whole codebase after the build and writes verified documentation after harden, so a long-running idea-to-production run ships audited and documented without a separate manual pass.
7
+ [DECISION] No new skill, agent, workflow, or recipe surface is added: both new steps reuse existing agents (`god-debt-assessor`, `god-docs-writer`). Surface counts are unchanged from 3.12.1.
8
+ [DECISION] This release keeps `core` as the omitted installer profile, keeps `--profile=full` as the complete compatibility surface, and keeps the full 3.1.0-3.12.1 surface (fusion + codeauditor-grade audit + remediation loop).
10
9
 
11
10
  ## What's in this release
12
11
 
13
- - [DECISION] 120 slash commands.
14
- - [DECISION] 40 specialist agents.
15
- - [DECISION] 13 executable workflows.
16
- - [DECISION] 43 intent recipes.
17
- - [DECISION] Three concierge entry points are now shipped: `/god-first-run`, `/god-demo`, and `/god-surface`.
18
- - [DECISION] Five thin verb dispatch commands remain shipped: `/god-plan`, `/god-fix`, `/god-ship`, `/god-capture`, and `/god-extend`.
19
- - [DECISION] Five read-only MCP tools remain available in `@godpowers/mcp`: `status`, `next`, `gate_check`, `lint_artifact`, and `trace_requirement`.
12
+ - [DECISION] `full-arc` gains a `code-audit` job (`god-debt-assessor`, `mode: post-build-audit`) that runs after `build` and before `deploy`/`harden`. It gives the whole AI-generated codebase a scored, prioritized audit that catches issues the per-slice `god-spec-reviewer` + `god-quality-reviewer` reviews cannot see across files.
13
+ - [DECISION] `full-arc` gains a `docs` job (`god-docs-writer`, `mode: product-docs-verify`) that runs after `harden` and before `launch`. It writes the project documentation and verifies every claim against the code (drift detected) before the product ships.
14
+ - [DECISION] Dependencies were rewired: `deploy` and `harden` now `need` `code-audit`; `launch` now `needs` `docs`. The greenfield arc is build, code-audit, deploy, observe, harden, docs, launch, final-sync. The `full-arc` plan goes from 11 to 13 steps.
15
+ - [DECISION] `GOD-ORCHESTRATOR-RUNBOOK` documents the audit and docs positions in the greenfield arc.
16
+ - [DECISION] 120 slash commands, 40 specialist agents, 13 executable workflows, 44 intent recipes, and the full fusion + audit surface remain available.
20
17
 
21
18
  ## Changes
22
19
 
23
- - [DECISION] `package.json`, `package-lock.json`, and `packages/mcp/package.json` now publish the 3.0.2 patch version.
24
- - [DECISION] `/god-help` now starts with contextual next moves, while `/god-help all` remains the full installed catalog.
25
- - [DECISION] `/god`, `/god-next`, `/god-status`, and the shared dashboard contract now prefer concise action briefs and explicit `Next commands:` blocks.
26
- - [DECISION] `godpowers demo` exposes the shipped sandbox proof from the CLI without modifying the current project.
27
- - [DECISION] `godpowers surface --profile=<name> --dry-run` previews runtime profile changes, and `--apply` writes the selected installed surface.
28
- - [DECISION] README, roadmap, reference, architecture, release notes, and Pillar context now describe the 3.0.2 concierge surface.
20
+ - [DECISION] `package.json`, `package-lock.json`, and `packages/mcp/package.json` now publish the 3.13.0 version.
21
+ - [DECISION] `workflows/full-arc.yaml` adds the `code-audit` and `docs` jobs and rewires `deploy`/`harden`/`launch` dependencies. No lib change.
22
+ - [DECISION] CHANGELOG, RELEASE notes, README, roadmap, reference, architecture, and the MCP docs now reflect 3.13.0. SECURITY supported-version table adds the `3.13.x` row and moves `3.12.x` to security fixes only.
29
23
 
30
24
  ## Validation
31
25
 
32
- - [DECISION] `npm run test:quick-proof` passed with 22 tests.
33
- - [DECISION] `npm run lint` passed with 29 static checks.
34
- - [DECISION] `npm run release:check` passed with `coverage:lib` at 92.69 percent line coverage.
26
+ - [DECISION] `npm run lint` passed with 29 static checks (agent contract + size + refs intact).
27
+ - [DECISION] `node tests/integration/full-arc.test.js`, `node scripts/test-workflow-runner.js`, and `node scripts/test-agent-refs.js` passed: `full-arc` plans to 13 steps with a valid DAG and both `god-debt-assessor` and `god-docs-writer` are real agents.
28
+ - [DECISION] `npm run release:check` passed `coverage:lib` above the 90 percent line floor for `lib/**/*.js`.
35
29
  - [DECISION] `npm run release:check` passed `npm audit --omit=dev` with 0 vulnerabilities.
36
- - [DECISION] `npm run release:check` passed public surface docs for version 3.0.2 with 120 skills, 40 agents, 13 workflows, and 43 recipes.
37
- - [DECISION] `npm run release:check` passed root package contents with 556 files.
38
- - [DECISION] `npm run release:check` passed `@godpowers/mcp` package contents with 8 files.
39
- - [DECISION] `npm pack --pack-destination /tmp/godpowers-release-3.0.2` produced `godpowers-3.0.2.tgz` with 556 files.
40
- - [DECISION] `npm pack --workspace @godpowers/mcp --pack-destination /tmp/godpowers-release-3.0.2` produced `godpowers-mcp-3.0.2.tgz` with 8 files.
30
+ - [DECISION] `npm run release:check` passed public surface docs for version 3.13.0 with 120 skills, 40 agents, 13 workflows, and 44 recipes.
31
+ - [DECISION] `npm run release:check` passed root and `@godpowers/mcp` package contents.
41
32
 
42
33
  ## Upgrade
43
34
 
44
- - [DECISION] Use `npm install -g godpowers@3.0.2` or `npx godpowers@3.0.2`.
45
- - [DECISION] Use `npx godpowers --profile=full` when the complete pre-3.0 command surface should be installed.
46
- - [DECISION] Use `npx godpowers --profile=core` or omit `--profile` for the contracted default surface.
47
- - [DECISION] Use optional MCP package install `npm install -g godpowers @godpowers/mcp` when the host can register MCP servers.
48
- - [DECISION] Re-run `/god-context` in each project to refresh installed runtime metadata.
35
+ - [DECISION] Use `npm install -g godpowers@3.13.0` or `npx godpowers@3.13.0`.
36
+ - [DECISION] No migration is required. Existing projects are unaffected; the change only adds steps to the greenfield one-shot arc, which now takes longer in exchange for an audited and documented product.
49
37
 
50
38
  ## Notes
51
39
 
52
- - [DECISION] The publish targets are npm `godpowers@3.0.2`, npm `@godpowers/mcp@3.0.2`, and GitHub release `https://github.com/aihxp/godpowers/releases/tag/v3.0.2`.
53
- - [DECISION] The tag-triggered GitHub publish workflow remains the preferred npm path because it publishes with provenance.
40
+ - [DECISION] The publish targets are npm `godpowers@3.13.0`, npm `@godpowers/mcp@3.13.0`, and GitHub release `https://github.com/aihxp/godpowers/releases/tag/v3.13.0`.
41
+ - [DECISION] The tag-triggered GitHub publish workflow remains the preferred npm path because it publishes with provenance. This release has not been tagged or published to npm yet.