godpowers 3.0.2 → 3.13.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +283 -0
- package/README.md +24 -10
- package/RELEASE.md +23 -35
- package/agents/god-debt-assessor.md +179 -99
- package/bin/install.js +34 -0
- package/fixtures/gate/harden-pass/.godpowers/state.json +26 -0
- package/lib/artifact-map.js +2 -1
- package/lib/cli-dispatch.js +409 -2
- package/lib/evidence/.provenance.json +45 -0
- package/lib/evidence-import.js +147 -0
- package/lib/evidence.js +908 -0
- package/lib/gate.js +26 -15
- package/lib/installer-args.js +219 -1
- package/lib/quarterback.js +183 -0
- package/lib/work-report.js +137 -0
- package/package.json +1 -1
- package/references/orchestration/GOD-ORCHESTRATOR-RUNBOOK.md +49 -4
- package/routing/recipes/audit-remediate.yaml +30 -0
- package/skills/god-harden.md +5 -2
- package/skills/god-version.md +1 -1
- package/workflows/full-arc.yaml +17 -3
|
@@ -367,6 +367,46 @@ after tests pass. If a git remote exists and the user passed an explicit push
|
|
|
367
367
|
flag or the project intent says pushing is allowed, push after the green commit
|
|
368
368
|
and then continue the project run. Pushing is not a terminal state.
|
|
369
369
|
|
|
370
|
+
## Audit-Remediation Loop
|
|
371
|
+
|
|
372
|
+
Run a bounded audit-then-remediate loop in three cases: the `full-arc`
|
|
373
|
+
**`code-audit` step** (it runs `god-debt-assessor` after build and before the
|
|
374
|
+
shipping tier, because AI-generated code can miss things a per-slice review and
|
|
375
|
+
the security gate do not); intent like "audit and fix until clean" (the
|
|
376
|
+
`audit-remediate` recipe); and any standalone `/god-tech-debt` follow-up. In
|
|
377
|
+
`full-arc` the loop must drive Confirmed Critical and High findings to closure
|
|
378
|
+
(or pause them as blockers) before `deploy`, `harden`, and `launch` proceed. The
|
|
379
|
+
maker that fixes is never the checker that grades.
|
|
380
|
+
|
|
381
|
+
1. **Audit (read-only).** Spawn `god-debt-assessor` in a fresh context. It writes
|
|
382
|
+
the scored, self-contained report to `.godpowers/tech-debt/REPORT.md` with
|
|
383
|
+
stable finding IDs (SEC-001, etc.), each carrying Severity, Confidence, Effort,
|
|
384
|
+
`file:line`, and a "Verify the fix" step.
|
|
385
|
+
2. **Select.** Take the "What to fix first" list: Confirmed Critical and High,
|
|
386
|
+
worst-first, root causes (systemic patterns) before leaves. Re-verify any
|
|
387
|
+
Suspected finding against the cited code before touching it; never act on an
|
|
388
|
+
unconfirmed claim.
|
|
389
|
+
3. **Drive each finding to closure** with an outcome loop so the loop is bounded
|
|
390
|
+
and self-arresting:
|
|
391
|
+
- `npx godpowers outcome start fix-<ID> --verify "<the finding's verify command>" --substep <tier.substep> --project=.`
|
|
392
|
+
- Spawn `god-debugger` (or the owning specialist) in a fresh context with only
|
|
393
|
+
that finding's evidence and touched files to draft the fix.
|
|
394
|
+
- Spawn an **independent** reviewer (`god-quality-reviewer`, or
|
|
395
|
+
`god-harden-auditor` for a SEC finding) in a fresh context to verify the fix
|
|
396
|
+
against the cited evidence and the project's tests. The maker does not grade
|
|
397
|
+
its own work.
|
|
398
|
+
- `npx godpowers outcome check fix-<ID> --project=.` runs the finding's verify
|
|
399
|
+
command and records the iteration. Repeat until the outcome succeeds or the
|
|
400
|
+
budget is exhausted.
|
|
401
|
+
- Never mark a finding resolved while `can-close` for its substep is red.
|
|
402
|
+
4. **Re-audit.** Re-run `god-debt-assessor` and confirm findings are resolved,
|
|
403
|
+
not relocated, and that no Strength regressed. The loop is done when no
|
|
404
|
+
Confirmed Critical or High remains (or the agreed bucket is empty).
|
|
405
|
+
5. **Pause, do not fake.** Anything that cannot be fixed within budget, or that
|
|
406
|
+
is `human-only` (scope, credentials, vendor/legal/Critical-security
|
|
407
|
+
acceptance), lands as a precise paused blocker with the finding ID, not a
|
|
408
|
+
silent skip. "Clean" is an evidence-backed re-audit, never a claim.
|
|
409
|
+
|
|
370
410
|
## Shipping Closure Protocol
|
|
371
411
|
|
|
372
412
|
The shipping tier must not end by listing a broad provider checklist. God Mode
|
|
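Review bot: in the step-3 line `npx godpowers outcome start fix-<ID> --verify "<the finding's verify command>"`, the verify command is taken verbatim from the assessor-written `.godpowers/tech-debt/REPORT.md` and later executed by `outcome check`, so a report produced by an agent reading the codebase becomes a source of shell commands. Step 2 already requires re-verifying any Suspected finding against the cited code before acting; extend that rule to the "Verify the fix" command itself (the orchestrator reads and approves the command before passing it to `--verify`, or restricts it to the project's test runner). Also say where the budget that bounds the `outcome check` loop is set, since the `outcome start` invocation shown carries no budget flag and step 3 promises the loop is "bounded and self-arresting".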
@@ -487,12 +527,17 @@ requested or final sign-off begins.
|
|
|
487
527
|
5. Spawn the appropriate specialist agent in a fresh context
|
|
488
528
|
6. Verify their output exists on disk
|
|
489
529
|
7. Run have-nots check on the artifact and run `standards.gate-command` when configured
|
|
490
|
-
8.
|
|
530
|
+
8. For an executable-gated sub-step (build, deploy, harden), record executed
|
|
531
|
+
evidence with `npx godpowers verify "<cmd>" --substep <tier.substep>` and then
|
|
532
|
+
confirm `npx godpowers can-close --substep <tier.substep> --project=.` exits
|
|
533
|
+
zero before closing. Never advance the sub-step to done while can-close is red.
|
|
534
|
+
9. If pass and can-close is green: advance the sub-step to done via
|
|
535
|
+
`npx godpowers state advance`, sync CHECKPOINT.md, run the proactive
|
|
491
536
|
auto-invoke sweep, print the "Step result" card, then move to next sub-step
|
|
492
|
-
|
|
537
|
+
10. If fail and repairable: print the failed result card, then enter the
|
|
493
538
|
autonomous repair loop
|
|
494
|
-
|
|
495
|
-
|
|
539
|
+
11. If fail and human-only: pause with the smallest needed question
|
|
540
|
+
12. Repeat until all tiers complete and verification is green
|
|
496
541
|
```
|
|
497
542
|
|
|
498
543
|
## Specialist Agent Routing
|
|
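Review bot: steps 8 and 9 both carry the rule "never advance while can-close is red", and step 8 scopes `verify` to executable-gated sub-steps (build, deploy, harden) while step 9 applies `can-close` to every sub-step; state what `can-close` returns for a sub-step that has no evidence requirement, otherwise step 9 cannot be followed for those. Minor: the step-8 line `npx godpowers verify "<cmd>" --substep <tier.substep>` omits `--project=.`, which the `can-close` command on the next line and every other command in the list pass; add it for consistency.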
@@ -0,0 +1,30 @@
|
|
|
1
|
+
apiVersion: godpowers/v1
|
|
2
|
+
kind: Recipe
|
|
3
|
+
metadata:
|
|
4
|
+
name: audit-remediate
|
|
5
|
+
category: maintaining
|
|
6
|
+
description: "Audit the codebase, then drive the findings to zero"
|
|
7
|
+
|
|
8
|
+
triggers:
|
|
9
|
+
intent-keywords:
|
|
10
|
+
- "audit and fix"
|
|
11
|
+
- "fix all the audit findings"
|
|
12
|
+
- "drive the audit to clean"
|
|
13
|
+
- "remediate tech debt"
|
|
14
|
+
- "fix the codebase until clean"
|
|
15
|
+
- "pay down tech debt"
|
|
16
|
+
- "address all the findings"
|
|
17
|
+
- "code audit and fix"
|
|
18
|
+
|
|
19
|
+
sequences:
|
|
20
|
+
default:
|
|
21
|
+
description: "Audit the codebase, then drive the findings to zero"
|
|
22
|
+
steps:
|
|
23
|
+
- command: "/god-tech-debt"
|
|
24
|
+
why: "Score the codebase and write the prioritized, self-contained audit report (god-debt-assessor)"
|
|
25
|
+
- command: "/god-debug"
|
|
26
|
+
why: "Fix each Confirmed Critical/High finding worst-first; an independent reviewer verifies each fix against the cited evidence"
|
|
27
|
+
- command: "/god-tech-debt"
|
|
28
|
+
why: "Re-audit to confirm findings are resolved not relocated and no strength regressed; the orchestrator loops this under an outcome budget until clean"
|
|
29
|
+
|
|
30
|
+
default-sequence: default
|
package/skills/god-harden.md
CHANGED
|
@@ -21,8 +21,11 @@ Spawn the **god-harden-auditor** agent in a fresh context via the host platform'
|
|
|
21
21
|
|
|
22
22
|
After god-harden-auditor returns:
|
|
23
23
|
1. Verify FINDINGS.md exists on disk
|
|
24
|
-
2.
|
|
25
|
-
|
|
24
|
+
2. Record the executed security check as evidence so the gate has a passing
|
|
25
|
+
verification record, for example:
|
|
26
|
+
`npx godpowers verify "npm audit --omit=dev" --substep tier-3.harden --claim "dependency audit clean" --project=.`
|
|
27
|
+
3. Run `npx godpowers gate --tier=harden --project=.` and do not proceed on a non-zero exit
|
|
28
|
+
4. Read findings classification:
|
|
26
29
|
- If any Critical: run `npx godpowers state advance --step=harden --status=failed --project=.` and keep launch BLOCKED
|
|
27
30
|
- If only High/Medium/Low: run `npx godpowers state advance --step=harden --status=done --project=.`
|
|
28
31
|
|
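Review bot: the step-2 example `npx godpowers verify "npm audit --omit=dev" --substep tier-3.harden --claim "dependency audit clean"` records a claim broader than what the command checks: `--omit=dev` skips devDependencies, and `npm audit` covers registry advisories only, not the findings the auditor wrote to FINDINGS.md. Narrow the claim text to match the command (for example "production dependency audit clean"), and say in the step that the record counts as passing only when the command exits zero, so a failing `npm audit` never produces a passing verification record. Step 4 still reads the Critical classification after step 3 has already run the gate; state whether `gate --tier=harden` consumes FINDINGS.md or only the verify records, because otherwise a Critical finding alongside a green dependency audit passes the gate and is caught only by the manual classification step.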
package/skills/god-version.md
CHANGED
|
@@ -16,7 +16,7 @@ Print version and a short capability summary.
|
|
|
16
16
|
```
|
|
17
17
|
Godpowers v2.3.1
|
|
18
18
|
Install: /Users/.../.claude/ (matches package.json)
|
|
19
|
-
Surface: 120 skills, 40 agents, 13 workflows,
|
|
19
|
+
Surface: 120 skills, 40 agents, 13 workflows, 44 recipes
|
|
20
20
|
Schema: intent.v1, state.v1, events.v1, workflow.v1, routing.v1, recipe.v1
|
|
21
21
|
External integrations available: impeccable, agent-browser (others lazy)
|
|
22
22
|
Feature awareness: planning-system migration, source-system sync-back, context refresh, dashboard status labels, repo documentation sync, repo surface sync, quick proof, request trace, release hardening, maintenance hardening
|
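Review bot: the sample output block still opens with `Godpowers v2.3.1` while this release is 3.13.0 and the updated surface line now reports 44 recipes; use a placeholder version in the sample (or update it) so the example does not read as stale next to the counts it prints.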
package/workflows/full-arc.yaml
CHANGED
|
@@ -62,9 +62,16 @@ jobs:
|
|
|
62
62
|
verification:
|
|
63
63
|
required: [test, lint, typecheck-or-check]
|
|
64
64
|
|
|
65
|
+
code-audit:
|
|
66
|
+
tier: 2
|
|
67
|
+
needs: build
|
|
68
|
+
uses: god-debt-assessor@^1.0.0
|
|
69
|
+
with:
|
|
70
|
+
mode: post-build-audit
|
|
71
|
+
|
|
65
72
|
deploy:
|
|
66
73
|
tier: 3
|
|
67
|
-
needs:
|
|
74
|
+
needs: code-audit
|
|
68
75
|
uses: god-deploy-engineer@^1.0.0
|
|
69
76
|
closure:
|
|
70
77
|
on-missing-external-access: create-waiting-access-bundle
|
|
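Review bot: the new `code-audit` job declares `needs: build` and `uses: god-debt-assessor@^1.0.0` but no `blocks-on:`, while `harden` in the same file pauses on `critical-finding`. The runbook added in this release says Confirmed Critical and High findings must be driven to closure before `deploy` proceeds, and `deploy` now has `needs: code-audit`; as written, the job merely completing is enough to unblock deploy. Add a `blocks-on:` entry to `code-audit` (for example `- critical-finding: pause`, matching `harden`) so the gate is enforced by the workflow and not only by prose.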
@@ -84,14 +91,21 @@ jobs:
|
|
|
84
91
|
|
|
85
92
|
harden:
|
|
86
93
|
tier: 3
|
|
87
|
-
needs:
|
|
94
|
+
needs: code-audit
|
|
88
95
|
uses: god-harden-auditor@^1.0.0
|
|
89
96
|
blocks-on:
|
|
90
97
|
- critical-finding: pause
|
|
91
98
|
|
|
92
|
-
|
|
99
|
+
docs:
|
|
93
100
|
tier: 3
|
|
94
101
|
needs: harden
|
|
102
|
+
uses: god-docs-writer@^1.0.0
|
|
103
|
+
with:
|
|
104
|
+
mode: product-docs-verify
|
|
105
|
+
|
|
106
|
+
launch:
|
|
107
|
+
tier: 3
|
|
108
|
+
needs: docs
|
|
95
109
|
uses: god-launch-strategist@^1.0.0
|
|
96
110
|
with:
|
|
97
111
|
template: HARDEN-FINDINGS.md
|
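Review bot: `launch` now depends only on `docs` (`needs: docs`) and `docs` on `harden`, so launch's gating on the security audit is transitive; document whether a `harden` job paused by `blocks-on: - critical-finding: pause` also holds `docs` and hence `launch`, since `launch` still consumes `template: HARDEN-FINDINGS.md` produced by harden. Separately, `harden` and `deploy` both declare `needs: code-audit` with no ordering between them, so the harden auditor may run before or concurrently with deploy; state the intended order if harden is meant to audit the deployed configuration.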