godpowers 3.0.2 → 3.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -367,6 +367,46 @@ after tests pass. If a git remote exists and the user passed an explicit push
367
367
  flag or the project intent says pushing is allowed, push after the green commit
368
368
  and then continue the project run. Pushing is not a terminal state.
369
369
 
370
+ ## Audit-Remediation Loop
371
+
372
+ Run a bounded audit-then-remediate loop in three cases: the `full-arc`
373
+ **`code-audit` step** (it runs `god-debt-assessor` after build and before the
374
+ shipping tier, because AI-generated code can miss things a per-slice review and
375
+ the security gate do not); intent like "audit and fix until clean" (the
376
+ `audit-remediate` recipe); and any standalone `/god-tech-debt` follow-up. In
377
+ `full-arc` the loop must drive Confirmed Critical and High findings to closure
378
+ (or pause them as blockers) before `deploy`, `harden`, and `launch` proceed. The
379
+ maker that fixes is never the checker that grades.
380
+
381
+ 1. **Audit (read-only).** Spawn `god-debt-assessor` in a fresh context. It writes
382
+ the scored, self-contained report to `.godpowers/tech-debt/REPORT.md` with
383
+ stable finding IDs (SEC-001, etc.), each carrying Severity, Confidence, Effort,
384
+ `file:line`, and a "Verify the fix" step.
385
+ 2. **Select.** Take the "What to fix first" list: Confirmed Critical and High,
386
+ worst-first, root causes (systemic patterns) before leaves. Re-verify any
387
+ Suspected finding against the cited code before touching it; never act on an
388
+ unconfirmed claim.
389
+ 3. **Drive each finding to closure** with an outcome loop so the loop is bounded
390
+ and self-arresting:
391
+ - `npx godpowers outcome start fix-<ID> --verify "<the finding's verify command>" --substep <tier.substep> --project=.`
392
+ - Spawn `god-debugger` (or the owning specialist) in a fresh context with only
393
+ that finding's evidence and touched files to draft the fix.
394
+ - Spawn an **independent** reviewer (`god-quality-reviewer`, or
395
+ `god-harden-auditor` for a SEC finding) in a fresh context to verify the fix
396
+ against the cited evidence and the project's tests. The maker does not grade
397
+ its own work.
398
+ - `npx godpowers outcome check fix-<ID> --project=.` runs the finding's verify
399
+ command and records the iteration. Repeat until the outcome succeeds or the
400
+ budget is exhausted.
401
+ - Never mark a finding resolved while `can-close` for its substep is red.
402
+ 4. **Re-audit.** Re-run `god-debt-assessor` and confirm findings are resolved,
403
+ not relocated, and that no Strength regressed. The loop is done when no
404
+ Confirmed Critical or High remains (or the agreed bucket is empty).
405
+ 5. **Pause, do not fake.** Anything that cannot be fixed within budget, or that
406
+ is `human-only` (scope, credentials, vendor/legal/Critical-security
407
+ acceptance), lands as a precise paused blocker with the finding ID, not a
408
+ silent skip. "Clean" is an evidence-backed re-audit, never a claim.
409
+
370
410
  ## Shipping Closure Protocol
371
411
 
372
412
  The shipping tier must not end by listing a broad provider checklist. God Mode
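Review bot: step 3's `npx godpowers outcome start fix-<ID> --verify "<the finding's verify command>"` registers and later executes a command string taken verbatim from REPORT.md, which step 1 says an agent writes; add a requirement that the orchestrator (or a human, for `human-only` findings) inspects the verify command before registering it, since a malformed or over-broad command would either pass vacuously or run with the project's full permissions. The section also never says what "budget is exhausted" means for the outcome loop (iteration count, wall time, or both), yet step 5's pause rule depends on it; define it once here.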
@@ -487,12 +527,17 @@ requested or final sign-off begins.
487
527
  5. Spawn the appropriate specialist agent in a fresh context
488
528
  6. Verify their output exists on disk
489
529
  7. Run have-nots check on the artifact and run `standards.gate-command` when configured
490
- 8. If pass: update PROGRESS.md, sync CHECKPOINT.md, run the proactive
530
+ 8. For an executable-gated sub-step (build, deploy, harden), record executed
531
+ evidence with `npx godpowers verify "<cmd>" --substep <tier.substep>` and then
532
+ confirm `npx godpowers can-close --substep <tier.substep> --project=.` exits
533
+ zero before closing. Never advance the sub-step to done while can-close is red.
534
+ 9. If pass and can-close is green: advance the sub-step to done via
535
+ `npx godpowers state advance`, sync CHECKPOINT.md, run the proactive
491
536
  auto-invoke sweep, print the "Step result" card, then move to next sub-step
492
- 9. If fail and repairable: print the failed result card, then enter the
537
+ 10. If fail and repairable: print the failed result card, then enter the
493
538
  autonomous repair loop
494
- 10. If fail and human-only: pause with the smallest needed question
495
- 11. Repeat until all tiers complete and verification is green
539
+ 11. If fail and human-only: pause with the smallest needed question
540
+ 12. Repeat until all tiers complete and verification is green
496
541
  ```
497
542
 
498
543
  ## Specialist Agent Routing
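Review bot: step 9 conditions advancing on "can-close is green" for every sub-step, but step 8 only defines can-close evidence for the executable-gated sub-steps (build, deploy, harden); state what `npx godpowers can-close` returns for a non-gated sub-step, or restrict step 9's condition to the gated ones, otherwise a reader cannot tell whether a planning or design sub-step is expected to pass can-close at all. Minor: the last sentence of step 8 ("Never advance the sub-step to done while can-close is red") restates step 9's guard, so one of the two can go.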
@@ -0,0 +1,30 @@
1
+ apiVersion: godpowers/v1
2
+ kind: Recipe
3
+ metadata:
4
+ name: audit-remediate
5
+ category: maintaining
6
+ description: "Audit the codebase, then drive the findings to zero"
7
+
8
+ triggers:
9
+ intent-keywords:
10
+ - "audit and fix"
11
+ - "fix all the audit findings"
12
+ - "drive the audit to clean"
13
+ - "remediate tech debt"
14
+ - "fix the codebase until clean"
15
+ - "pay down tech debt"
16
+ - "address all the findings"
17
+ - "code audit and fix"
18
+
19
+ sequences:
20
+ default:
21
+ description: "Audit the codebase, then drive the findings to zero"
22
+ steps:
23
+ - command: "/god-tech-debt"
24
+ why: "Score the codebase and write the prioritized, self-contained audit report (god-debt-assessor)"
25
+ - command: "/god-debug"
26
+ why: "Fix each Confirmed Critical/High finding worst-first; an independent reviewer verifies each fix against the cited evidence"
27
+ - command: "/god-tech-debt"
28
+ why: "Re-audit to confirm findings are resolved not relocated and no strength regressed; the orchestrator loops this under an outcome budget until clean"
29
+
30
+ default-sequence: default
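Review bot: the sequence has no explicit review step even though the second step's `why` promises that "an independent reviewer verifies each fix"; as written, `/god-debug` is the only fixing command, so the maker/checker separation the Audit-Remediation Loop requires lives only in prose. Add a step (or name which command spawns `god-quality-reviewer` / `god-harden-auditor`) so the recipe encodes it. Likewise the third step's `why` refers to an outcome budget the recipe does not carry; if the budget is configured elsewhere, reference where.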
@@ -21,8 +21,11 @@ Spawn the **god-harden-auditor** agent in a fresh context via the host platform'
21
21
 
22
22
  After god-harden-auditor returns:
23
23
  1. Verify FINDINGS.md exists on disk
24
- 2. Run `npx godpowers gate --tier=harden --project=.` and do not proceed on a non-zero exit
25
- 3. Read findings classification:
24
+ 2. Record the executed security check as evidence so the gate has a passing
25
+ verification record, for example:
26
+ `npx godpowers verify "npm audit --omit=dev" --substep tier-3.harden --claim "dependency audit clean" --project=.`
27
+ 3. Run `npx godpowers gate --tier=harden --project=.` and do not proceed on a non-zero exit
28
+ 4. Read findings classification:
26
29
  - If any Critical: run `npx godpowers state advance --step=harden --status=failed --project=.` and keep launch BLOCKED
27
30
  - If only High/Medium/Low: run `npx godpowers state advance --step=harden --status=done --project=.`
28
31
 
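Review bot: the example `npx godpowers verify "npm audit --omit=dev" --substep tier-3.harden --claim "dependency audit clean" --project=.` attaches the claim before the command has run, so a non-zero exit would leave a stored claim that contradicts the recorded result unless `verify` drops the claim on failure; document that behaviour next to the example. Also, `npm audit` exits non-zero on findings of any severity unless `--audit-level` is set, while step 4 only keeps launch blocked on Critical; either pass `--audit-level=critical` in the evidence command or say explicitly that the recorded check is stricter than the findings classification.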
@@ -16,7 +16,7 @@ Print version and a short capability summary.
16
16
  ```
17
17
  Godpowers v2.3.1
18
18
  Install: /Users/.../.claude/ (matches package.json)
19
- Surface: 120 skills, 40 agents, 13 workflows, 43 recipes
19
+ Surface: 120 skills, 40 agents, 13 workflows, 44 recipes
20
20
  Schema: intent.v1, state.v1, events.v1, workflow.v1, routing.v1, recipe.v1
21
21
  External integrations available: impeccable, agent-browser (others lazy)
22
22
  Feature awareness: planning-system migration, source-system sync-back, context refresh, dashboard status labels, repo documentation sync, repo surface sync, quick proof, request trace, release hardening, maintenance hardening
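Review bot: the sample output still prints `Godpowers v2.3.1` while this release is 3.13.0; if the recipe count on the `Surface:` line is being kept in sync with the real surface, refresh the version line in the same edit so the example does not pair a current count with a stale version.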
@@ -62,9 +62,16 @@ jobs:
62
62
  verification:
63
63
  required: [test, lint, typecheck-or-check]
64
64
 
65
+ code-audit:
66
+ tier: 2
67
+ needs: build
68
+ uses: god-debt-assessor@^1.0.0
69
+ with:
70
+ mode: post-build-audit
71
+
65
72
  deploy:
66
73
  tier: 3
67
- needs: build
74
+ needs: code-audit
68
75
  uses: god-deploy-engineer@^1.0.0
69
76
  closure:
70
77
  on-missing-external-access: create-waiting-access-bundle
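Review bot: `code-audit` has no `blocks-on` clause, so `deploy: needs: code-audit` only waits for the audit job to finish, not for its Confirmed Critical/High findings to be closed, which is what the Audit-Remediation Loop text requires before deploy. Mirror the harden job and add `blocks-on:` with `- critical-finding: pause` (or an equivalent unresolved-finding condition) to `code-audit`; otherwise the gate exists only in the documentation.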
@@ -84,14 +91,21 @@ jobs:
84
91
 
85
92
  harden:
86
93
  tier: 3
87
- needs: build
94
+ needs: code-audit
88
95
  uses: god-harden-auditor@^1.0.0
89
96
  blocks-on:
90
97
  - critical-finding: pause
91
98
 
92
- launch:
99
+ docs:
93
100
  tier: 3
94
101
  needs: harden
102
+ uses: god-docs-writer@^1.0.0
103
+ with:
104
+ mode: product-docs-verify
105
+
106
+ launch:
107
+ tier: 3
108
+ needs: docs
95
109
  uses: god-launch-strategist@^1.0.0
96
110
  with:
97
111
  template: HARDEN-FINDINGS.md
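Review bot: inserting `docs` between `harden` and `launch` puts product-docs verification on the critical path to launch, so a docs-verify failure now blocks launch; if that is intended, record it in the job's `with:` block or a comment, and if not, make `docs` a sibling of `launch` that also `needs: harden` rather than its prerequisite. Note too that `harden`'s `blocks-on: - critical-finding: pause` is the only finding-based block upstream of launch, since `code-audit` declares none.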