godpowers 3.11.0 → 3.13.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +54 -0
- package/README.md +18 -10
- package/RELEASE.md +21 -21
- package/agents/god-debt-assessor.md +179 -99
- package/package.json +1 -1
- package/references/orchestration/GOD-ORCHESTRATOR-RUNBOOK.md +40 -0
- package/routing/recipes/audit-remediate.yaml +30 -0
- package/skills/god-version.md +1 -1
- package/workflows/full-arc.yaml +17 -3
package/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,60 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [3.13.0] - 2026-06-16
|
|
11
|
+
|
|
12
|
+
### Changed
|
|
13
|
+
- The default greenfield workflow (`full-arc`, run by `/god-mode`) now runs two
|
|
14
|
+
more steps so the one-shot product ships audited and documented. A `code-audit`
|
|
15
|
+
job (`god-debt-assessor`) runs after the build and before deploy/harden, giving
|
|
16
|
+
the whole AI-generated codebase a scored audit that catches what the per-slice
|
|
17
|
+
reviews could not see across files. A `docs` job (`god-docs-writer`) runs after
|
|
18
|
+
harden and before launch, writing the project documentation and verifying every
|
|
19
|
+
claim against the code (drift detected) before the product ships. `deploy` and
|
|
20
|
+
`harden` now need `code-audit`; `launch` now needs `docs`. The plan goes from
|
|
21
|
+
11 to 13 steps. No new skill, agent, workflow, or recipe surface: both jobs
|
|
22
|
+
reuse agents that already exist.
|
|
23
|
+
- `GOD-ORCHESTRATOR-RUNBOOK` documents the new audit and docs positions in the
|
|
24
|
+
greenfield arc.
|
|
25
|
+
|
|
26
|
+
## [3.12.1] - 2026-06-16
|
|
27
|
+
|
|
28
|
+
### Changed
|
|
29
|
+
- De-duplicated the audit lanes in `god-debt-assessor`. Its Security dimension
|
|
30
|
+
now defers to `god-harden-auditor`: when `.godpowers/harden/FINDINGS.md`
|
|
31
|
+
exists, score Security from harden's verdict and cite its finding IDs instead
|
|
32
|
+
of re-running the OWASP walkthrough, recording a security finding only for
|
|
33
|
+
something harden did not cover. Its Code Quality dimension is explicitly the
|
|
34
|
+
whole-repo point-in-time read that complements, not duplicates,
|
|
35
|
+
`god-quality-reviewer`'s per-slice diff review.
|
|
36
|
+
|
|
37
|
+
## [3.12.0] - 2026-06-16
|
|
38
|
+
|
|
39
|
+
### Changed
|
|
40
|
+
- Upgraded `god-debt-assessor` (`/god-tech-debt`) to a codeauditor-grade,
|
|
41
|
+
read-only source-code audit: nine weighted dimensions scored 0-100 with grade
|
|
42
|
+
bands and risk-capping, per-finding Severity/Confidence/Effort, adversarial
|
|
43
|
+
verification with Suspected marking, paper-construct/theater hunting,
|
|
44
|
+
root-not-leaves systemic clustering, a strengths-to-preserve section,
|
|
45
|
+
calibration to maturity, a file:line + substitution evidence gate, and a
|
|
46
|
+
self-contained "how to use this report" protocol for an acting agent. Keeps
|
|
47
|
+
Godpowers' broader operational/knowledge debt categories as extra lenses.
|
|
48
|
+
Output stays `.godpowers/tech-debt/REPORT.md`.
|
|
49
|
+
|
|
50
|
+
### Added
|
|
51
|
+
- Added the audit-remediation loop: a new `audit-remediate` recipe routes
|
|
52
|
+
"audit and fix until clean" intent, and a `GOD-ORCHESTRATOR-RUNBOOK` section
|
|
53
|
+
defines the bounded drive-to-zero loop (audit, select worst-first, fix with
|
|
54
|
+
`god-debugger`, verify with an independent reviewer, bound the retries with
|
|
55
|
+
`evidence.outcome`, re-audit until no Confirmed Critical/High remains). The
|
|
56
|
+
can't-fake-done gate makes "clean" an evidence-backed re-audit; un-fixable
|
|
57
|
+
findings pause as precise blockers instead of silent skips.
|
|
58
|
+
|
|
59
|
+
### Notes
|
|
60
|
+
- No new skill or agent (god-debt-assessor enhanced in place). Recipe surface
|
|
61
|
+
count moves 43 to 44. The audit-remediation loop is opt-in (intent/recipe or
|
|
62
|
+
an end-of-arc pass); it is not wired into the default greenfield `full-arc`.
|
|
63
|
+
|
|
10
64
|
## [3.11.0] - 2026-06-15
|
|
11
65
|
|
|
12
66
|
### Added
|
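Review bot: The 3.13.0 entry leaves unclear whether the audit-remediation loop now runs inside `full-arc`, because the 3.12.0 Notes entry below it still says the loop "is not wired into the default greenfield `full-arc`" while the new `code-audit` job is described only as "a scored audit". Add one sentence to the 3.13.0 entry stating whether `code-audit` is audit-only or also drives Confirmed Critical/High findings to closure before `deploy`/`harden`, and qualify the 3.12.0 note so the two entries do not contradict each other.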
package/README.md
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
[](https://github.com/aihxp/godpowers/actions/workflows/ci.yml)
|
|
4
4
|
[](LICENSE)
|
|
5
|
-
[](CHANGELOG.md)
|
|
6
6
|
[](https://www.npmjs.com/package/godpowers)
|
|
7
7
|
|
|
8
8
|
**Ship fast. Ship right. Ship everything. Ship accountably.**
|
|
@@ -30,13 +30,21 @@ Godpowers makes AI coding accountable: every serious run should leave disk
|
|
|
30
30
|
state, artifacts, validation gates, host guarantees, and a next action. Code is
|
|
31
31
|
only one output. The project memory and proof trail matter too.
|
|
32
32
|
|
|
33
|
-
Version 3.
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
33
|
+
Version 3.13.0 makes the default greenfield arc (`/god-mode`) miss less. The
|
|
34
|
+
one-shot `full-arc` workflow now runs a whole-codebase code audit after the
|
|
35
|
+
build (so it catches what the per-slice reviews missed in AI-generated code) and
|
|
36
|
+
a documentation pass after harden (so the shipped product has docs verified
|
|
37
|
+
against the code, not vibes). The arc goes build, code-audit, deploy, observe,
|
|
38
|
+
harden, docs, launch, final-sync: per-slice review, whole-codebase audit plus
|
|
39
|
+
remediation, a security gate, and verified docs before launch. This builds on
|
|
40
|
+
3.12.x, which made that code audit codeauditor-grade: `god-debt-assessor`
|
|
41
|
+
(`/god-tech-debt`) produces a scored, prioritized, self-contained source-code
|
|
42
|
+
audit across nine weighted dimensions, and the `audit-remediate` recipe drives
|
|
43
|
+
the findings to zero (audit, fix worst-first with an independent reviewer,
|
|
44
|
+
re-audit, bounded by an outcome budget, with the can't-fake-done gate ensuring
|
|
45
|
+
"clean" is evidence-backed). It all sits on top of the completed Mythify fusion
|
|
46
|
+
(the evidence producer, enforced close-on-evidence, the quarterback, work report,
|
|
47
|
+
reflections, memory, lessons, outcome loops, MCP read tools, and ledger importer). The current 3.x line keeps
|
|
40
48
|
the omitted installer profile on `core`, keeps first-run, demo, and
|
|
41
49
|
surface-control entry points, preserves `--profile=full` for compatibility,
|
|
42
50
|
keeps locate and lifecycle views under `/god-status`, ships the optional
|
|
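Review bot: The new README paragraph claims the arc now delivers "whole-codebase audit plus remediation", but the CHANGELOG hunk in this same diff describes the `code-audit` job only as "a scored audit" and says the remediation loop is opt-in, so one of the two texts overstates what `full-arc` does. Either drop "plus remediation" here or document in the CHANGELOG that `code-audit` triggers the loop.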
@@ -321,14 +329,14 @@ dependency to the main `godpowers` package:
|
|
|
321
329
|
|
|
322
330
|
```bash
|
|
323
331
|
npx godpowers mcp-info --project=.
|
|
324
|
-
npx -y -p godpowers@3.
|
|
332
|
+
npx -y -p godpowers@3.13.0 -p @godpowers/mcp@3.13.0 godpowers-mcp serve --project=.
|
|
325
333
|
```
|
|
326
334
|
|
|
327
335
|
The companion exposes `status`, `next`, `gate_check`, `lint_artifact`, and
|
|
328
336
|
`trace_requirement`. Host registration is opt-in:
|
|
329
337
|
|
|
330
338
|
```bash
|
|
331
|
-
npx -y -p godpowers@3.
|
|
339
|
+
npx -y -p godpowers@3.13.0 -p @godpowers/mcp@3.13.0 godpowers-mcp setup --host=codex --project=. --write
|
|
332
340
|
```
|
|
333
341
|
|
|
334
342
|
See [MCP Companion](docs/mcp.md) for package boundaries and setup details.
|
package/RELEASE.md
CHANGED
|
@@ -1,41 +1,41 @@
|
|
|
1
|
-
# Godpowers 3.
|
|
1
|
+
# Godpowers 3.13.0 Release
|
|
2
2
|
|
|
3
3
|
> Status: Prepared
|
|
4
|
-
> Date: 2026-06-
|
|
4
|
+
> Date: 2026-06-16
|
|
5
5
|
|
|
6
|
-
[DECISION] Godpowers 3.
|
|
7
|
-
[DECISION]
|
|
8
|
-
[DECISION] This release keeps `core` as the omitted installer profile, keeps `--profile=full` as the complete compatibility surface, and keeps the 3.1.0-3.
|
|
6
|
+
[DECISION] Godpowers 3.13.0 is a minor release that hardens the default greenfield arc. The one-shot `full-arc` workflow run by `/god-mode` now audits the whole codebase after the build and writes verified documentation after harden, so a long-running idea-to-production run ships audited and documented without a separate manual pass.
|
|
7
|
+
[DECISION] No new skill, agent, workflow, or recipe surface is added: both new steps reuse existing agents (`god-debt-assessor`, `god-docs-writer`). Surface counts are unchanged from 3.12.1.
|
|
8
|
+
[DECISION] This release keeps `core` as the omitted installer profile, keeps `--profile=full` as the complete compatibility surface, and keeps the full 3.1.0-3.12.1 surface (fusion + codeauditor-grade audit + remediation loop).
|
|
9
9
|
|
|
10
10
|
## What's in this release
|
|
11
11
|
|
|
12
|
-
- [DECISION]
|
|
13
|
-
- [DECISION]
|
|
14
|
-
- [DECISION]
|
|
15
|
-
- [DECISION]
|
|
12
|
+
- [DECISION] `full-arc` gains a `code-audit` job (`god-debt-assessor`, `mode: post-build-audit`) that runs after `build` and before `deploy`/`harden`. It gives the whole AI-generated codebase a scored, prioritized audit that catches issues the per-slice `god-spec-reviewer` + `god-quality-reviewer` reviews cannot see across files.
|
|
13
|
+
- [DECISION] `full-arc` gains a `docs` job (`god-docs-writer`, `mode: product-docs-verify`) that runs after `harden` and before `launch`. It writes the project documentation and verifies every claim against the code (drift detected) before the product ships.
|
|
14
|
+
- [DECISION] Dependencies were rewired: `deploy` and `harden` now `need` `code-audit`; `launch` now `needs` `docs`. The greenfield arc is build, code-audit, deploy, observe, harden, docs, launch, final-sync. The `full-arc` plan goes from 11 to 13 steps.
|
|
15
|
+
- [DECISION] `GOD-ORCHESTRATOR-RUNBOOK` documents the audit and docs positions in the greenfield arc.
|
|
16
|
+
- [DECISION] 120 slash commands, 40 specialist agents, 13 executable workflows, 44 intent recipes, and the full fusion + audit surface remain available.
|
|
16
17
|
|
|
17
18
|
## Changes
|
|
18
19
|
|
|
19
|
-
- [DECISION] `package.json`, `package-lock.json`, and `packages/mcp/package.json` now publish the 3.
|
|
20
|
-
- [DECISION]
|
|
20
|
+
- [DECISION] `package.json`, `package-lock.json`, and `packages/mcp/package.json` now publish the 3.13.0 version.
|
|
21
|
+
- [DECISION] `workflows/full-arc.yaml` adds the `code-audit` and `docs` jobs and rewires `deploy`/`harden`/`launch` dependencies. No lib change.
|
|
22
|
+
- [DECISION] CHANGELOG, RELEASE notes, README, roadmap, reference, architecture, and the MCP docs now reflect 3.13.0. SECURITY supported-version table adds the `3.13.x` row and moves `3.12.x` to security fixes only.
|
|
21
23
|
|
|
22
24
|
## Validation
|
|
23
25
|
|
|
24
|
-
- [DECISION] `npm run lint` passed with 29 static checks.
|
|
25
|
-
- [DECISION] `node scripts/test-
|
|
26
|
-
- [DECISION] `
|
|
27
|
-
- [DECISION] `npm run release:check` passed `coverage:lib` above the 90 percent line floor for `lib/**/*.js` (evidence-import.js at 97 percent lines).
|
|
26
|
+
- [DECISION] `npm run lint` passed with 29 static checks (agent contract + size + refs intact).
|
|
27
|
+
- [DECISION] `node tests/integration/full-arc.test.js`, `node scripts/test-workflow-runner.js`, and `node scripts/test-agent-refs.js` passed: `full-arc` plans to 13 steps with a valid DAG and both `god-debt-assessor` and `god-docs-writer` are real agents.
|
|
28
|
+
- [DECISION] `npm run release:check` passed `coverage:lib` above the 90 percent line floor for `lib/**/*.js`.
|
|
28
29
|
- [DECISION] `npm run release:check` passed `npm audit --omit=dev` with 0 vulnerabilities.
|
|
29
|
-
- [DECISION] `npm run release:check` passed public surface docs for version 3.
|
|
30
|
+
- [DECISION] `npm run release:check` passed public surface docs for version 3.13.0 with 120 skills, 40 agents, 13 workflows, and 44 recipes.
|
|
30
31
|
- [DECISION] `npm run release:check` passed root and `@godpowers/mcp` package contents.
|
|
31
32
|
|
|
32
33
|
## Upgrade
|
|
33
34
|
|
|
34
|
-
- [DECISION] Use `npm install -g godpowers@3.
|
|
35
|
-
- [DECISION] No migration is required.
|
|
35
|
+
- [DECISION] Use `npm install -g godpowers@3.13.0` or `npx godpowers@3.13.0`.
|
|
36
|
+
- [DECISION] No migration is required. Existing projects are unaffected; the change only adds steps to the greenfield one-shot arc, which now takes longer in exchange for an audited and documented product.
|
|
36
37
|
|
|
37
38
|
## Notes
|
|
38
39
|
|
|
39
|
-
- [DECISION] The publish targets are npm `godpowers@3.
|
|
40
|
-
- [DECISION] The tag-triggered GitHub publish workflow remains the preferred npm path because it publishes with provenance.
|
|
41
|
-
- [DECISION] This is the final planned release of the fusion design. Every phase (0-3) and the optional importer are implemented and shipped to main across 3.1.0-3.11.0.
|
|
40
|
+
- [DECISION] The publish targets are npm `godpowers@3.13.0`, npm `@godpowers/mcp@3.13.0`, and GitHub release `https://github.com/aihxp/godpowers/releases/tag/v3.13.0`.
|
|
41
|
+
- [DECISION] The tag-triggered GitHub publish workflow remains the preferred npm path because it publishes with provenance. This release has not been tagged or published to npm yet.
|
|
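Review bot: The shipped RELEASE.md still carries `> Status: Prepared` and "This release has not been tagged or published to npm yet", yet this diff is taken from the published 3.13.0 package, so the file contradicts itself the moment it ships; update the status at tag time or drop the not-yet-published sentence from the tracked file. Secondary: the note that the SECURITY table "moves `3.12.x` to security fixes only" cannot be checked from this diff, since no SECURITY file appears in the changed-file list at the top.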
@@ -3,7 +3,8 @@ name: god-debt-assessor
|
|
|
3
3
|
description: |
|
|
4
4
|
Assess and prioritize technical debt in an existing codebase. Categorizes
|
|
5
5
|
by type (code, design, dependency, security, test, doc), estimates cost
|
|
6
|
-
to fix, ranks by priority. Outputs prioritized
|
|
6
|
+
to fix, ranks by priority. Outputs a scored, prioritized, self-contained
|
|
7
|
+
remediation plan.
|
|
7
8
|
|
|
8
9
|
Spawned by: /god-tech-debt, brownfield-arc workflow
|
|
9
10
|
tools: Read, Bash, Grep, Glob, WebSearch
|
|
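Review bot: The description now calls this agent a read-only audit, but the unchanged `tools: Read, Bash, Grep, Glob, WebSearch` line still grants Bash, so the read-only contract rests on instruction rather than on tool scope; state in the frontmatter which Bash uses are permitted (the body only needs `npm audit` / equivalent) or narrow the tool list. Also `Spawned by: /god-tech-debt, brownfield-arc workflow` should add the new `full-arc` `code-audit` job so the frontmatter matches the workflow shipped in this release.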
@@ -22,122 +23,201 @@ handoff:
|
|
|
22
23
|
|
|
23
24
|
# God Debt Assessor
|
|
24
25
|
|
|
25
|
-
Tech debt is real. Classify it, prioritize it, plan remediation.
|
|
26
|
+
Tech debt is real. Classify it, prioritize it, plan remediation. This is a
|
|
27
|
+
**read-only** code audit: read the code, score it, and write a self-contained
|
|
28
|
+
report. Do not edit source. Remediation is a separate, gated step (god-debugger
|
|
29
|
+
and the orchestrator audit-remediation loop) that consumes this report.
|
|
26
30
|
|
|
27
31
|
## When to use
|
|
28
32
|
|
|
29
33
|
- Before /god-upgrade or /god-refactor on legacy code
|
|
30
34
|
- Quarterly health check on a brownfield project
|
|
31
35
|
- After /god-archaeology surfaced concerns
|
|
36
|
+
- As the end-of-arc audit before a remediation loop drives findings to zero
|
|
32
37
|
- Before promising a feature that might require debt paydown first
|
|
33
38
|
|
|
34
|
-
##
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
39
|
+
## Operating principles (non-negotiable)
|
|
40
|
+
|
|
41
|
+
1. **Evidence over assertion.** No claim without a concrete `file:line`. Apply
|
|
42
|
+
the substitution test to every finding: if the same sentence would read true
|
|
43
|
+
for a different repo, it is filler. "Error handling is weak" fails;
|
|
44
|
+
"`api/users.ts:88` returns 200 on a validation failure so callers cannot
|
|
45
|
+
detect bad input" passes.
|
|
46
|
+
2. **Verify against reality.** Read the code, not the names, comments, or docs.
|
|
47
|
+
When a doc or comment claims one thing and the code does another, that gap is
|
|
48
|
+
itself a finding.
|
|
49
|
+
3. **Refuse theater. Hunt paper constructs.** The most dangerous defects look
|
|
50
|
+
robust but carry no weight: a try/catch that swallows the error, a validator
|
|
51
|
+
defined but never called, middleware registered but not applied to the routes
|
|
52
|
+
it should guard, a test that asserts nothing, a health check that returns 200
|
|
53
|
+
without checking a dependency, a rate limiter that does not limit. Flag
|
|
54
|
+
anything that exists for appearance but does not do its job.
|
|
55
|
+
4. **Find the root, not the leaves.** If one mistake appears in twelve places,
|
|
56
|
+
that is one systemic finding, not twelve. Cluster instances; name the cause.
|
|
57
|
+
5. **Verify adversarially.** For every candidate finding, try to refute it
|
|
58
|
+
before keeping it (is there a guard, a test, a deliberate trade-off?). If you
|
|
59
|
+
cannot confirm by reading, mark it Suspected so the acting agent re-checks.
|
|
60
|
+
6. **Calibrate to the project.** Grade against the project's evident ambition
|
|
61
|
+
and maturity, not an absolute ideal. State your calibration.
|
|
62
|
+
7. **Name the strengths.** Record what the codebase does well, with evidence,
|
|
63
|
+
so remediation does not refactor those away.
|
|
64
|
+
|
|
65
|
+
## Dimensions (score each 0-100, weighted)
|
|
66
|
+
|
|
67
|
+
The debt categories map onto nine scored dimensions. Score each against its
|
|
68
|
+
findings, with a one-line justification. No number without a reason.
|
|
69
|
+
|
|
70
|
+
| Dimension | Weight | Covers (debt categories) |
|
|
71
|
+
|---|---|---|
|
|
72
|
+
| Security | 20% | security debt: authn/authz, injection, secrets, crypto, exposure, paper trust boundaries, LLM/tool surfaces |
|
|
73
|
+
| Architecture and Design | 15% | design debt: boundaries, coupling, cohesion, abstraction fit, drift |
|
|
74
|
+
| Code Quality and Maintainability | 15% | code debt: complexity, size, duplication, naming, dead code, magic values, TODO/FIXME/HACK markers, type-safety escape hatches |
|
|
75
|
+
| Testing and Verification | 15% | test debt: critical-path coverage, assertion quality, determinism, tests that never run |
|
|
76
|
+
| Error Handling and Resilience | 10% | swallowed errors, lost context, I/O timeouts/retries, transactional integrity, resource cleanup |
|
|
77
|
+
| Performance and Efficiency | 8% | algorithmic hot paths, N+1, caching, blocking work, memory (mark Suspected without a profiler) |
|
|
78
|
+
| Dependencies and Supply Chain | 7% | dependency debt: CVEs, staleness, deprecated APIs, bloat, pinning, licensing |
|
|
79
|
+
| Documentation and Drift | 5% | doc debt: README/API accuracy, phantom/missing docs, stale comments |
|
|
80
|
+
| Observability and Operability | 5% | operational debt: logging, metrics/tracing, paper health checks, config/secrets, deployability |
|
|
81
|
+
|
|
82
|
+
Carry Godpowers' extra lenses where they apply: **operational debt** (manual
|
|
83
|
+
deploys, missing runbooks, paper SLOs) folds into Observability; **knowledge
|
|
84
|
+
debt** (tribal knowledge, single-points-of-failure people) is reported as a
|
|
85
|
+
systemic note.
|
|
86
|
+
|
|
87
|
+
### Lane discipline (do not re-derive what another auditor owns)
|
|
88
|
+
|
|
89
|
+
This audit is the **point-in-time, whole-repo** read. Two dimensions overlap
|
|
90
|
+
other auditors; defer to them rather than duplicate their work:
|
|
91
|
+
|
|
92
|
+
- **Security** is owned by `god-harden-auditor` (the gating OWASP walkthrough at
|
|
93
|
+
`.godpowers/harden/FINDINGS.md`). When that file exists, score the Security
|
|
94
|
+
dimension from its verdict and **cite its finding IDs** (for example
|
|
95
|
+
"Security 72 - see harden CRITICAL-001/002") instead of re-running the
|
|
96
|
+
walkthrough. Record a Security finding here only for something harden did not
|
|
97
|
+
cover, and tag it for harden to re-check. If FINDINGS.md is absent, do a
|
|
98
|
+
lightweight security read and say so plainly - it is not a substitute for
|
|
99
|
+
`/god-harden`.
|
|
100
|
+
- **Code Quality** at the *diff* level is owned by `god-quality-reviewer` during
|
|
101
|
+
build. This dimension is the *whole-codebase* health read: report systemic
|
|
102
|
+
quality debt, not a line-by-line review of recent changes, and point to the
|
|
103
|
+
reviewer for per-slice concerns.
|
|
104
|
+
|
|
105
|
+
Bands: 90-100 A, 80-89 B, 70-79 C, 60-69 D, 0-59 F. Risk does not average away:
|
|
106
|
+
one Confirmed Critical caps its dimension at 69 and the overall at 79 until
|
|
107
|
+
resolved.
|
|
46
108
|
|
|
47
109
|
## Process
|
|
48
110
|
|
|
49
|
-
### 1.
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
-
|
|
59
|
-
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
-
|
|
65
|
-
-
|
|
66
|
-
-
|
|
67
|
-
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
### 4.
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
| **P0** | High impact + S/M cost. Do this sprint. |
|
|
83
|
-
| **P1** | High impact + L cost OR Medium impact + S cost. Do this quarter. |
|
|
84
|
-
| **P2** | Medium impact + M cost. Do when convenient. |
|
|
85
|
-
| **P3** | Low impact OR XL cost without clear benefit. Backlog or ignore. |
|
|
111
|
+
### 1. Orient and map
|
|
112
|
+
Detect languages/frameworks/build system from manifests; measure size and decide
|
|
113
|
+
exhaustive vs sampled (declare which). Locate entry points. Read the README to
|
|
114
|
+
learn intended behavior and maturity. Trace two or three primary flows end to
|
|
115
|
+
end. Record exclusions (vendored, generated, build output) and the commit/branch.
|
|
116
|
+
|
|
117
|
+
### 2. Inventory across every dimension
|
|
118
|
+
Use search to find candidates, then **read the cited code to confirm** before
|
|
119
|
+
recording. A search hit is a lead, not a finding. Per dimension's indicators:
|
|
120
|
+
- Code: grep TODO/FIXME/HACK; complexity; duplication; long functions; dead code
|
|
121
|
+
- Design: god files; circular deps; mixed concerns; structure-vs-docs drift
|
|
122
|
+
- Security: read `.godpowers/harden/FINDINGS.md` first and cite it; only if it
|
|
123
|
+
is absent, do a lightweight read for untrusted input into queries/shell/paths/
|
|
124
|
+
HTML, secrets, weak crypto, and declared-but-unenforced guards
|
|
125
|
+
- Test: critical-path coverage; assertion-free or over-mocked tests; `.skip`
|
|
126
|
+
- Dependency: `npm audit` / equivalent; staleness; deprecations; pinning
|
|
127
|
+
- Error handling: empty catches; lost cause; missing timeouts; partial commits
|
|
128
|
+
- Performance: nested loops on large inputs; N+1; sync I/O on hot paths
|
|
129
|
+
- Docs: setup steps vs scripts; documented endpoints that do not exist
|
|
130
|
+
- Observability: structured logging; real vs paper health checks; config/secrets
|
|
131
|
+
|
|
132
|
+
### 3. Verify adversarially and cluster
|
|
133
|
+
Try to refute each candidate. Assign **Severity** (Critical/High/Medium/Low),
|
|
134
|
+
**Confidence** (Confirmed/Likely/Suspected), and **Effort** (S under 1 day /
|
|
135
|
+
M 1-3 days / L 1-2 weeks / XL weeks). Cluster repeated instances into one
|
|
136
|
+
systemic finding, keeping the member IDs.
|
|
137
|
+
|
|
138
|
+
### 4. Score and prioritize
|
|
139
|
+
Score each dimension 0-100 with its justification; the overall is the weighted
|
|
140
|
+
average with risk-capping. Bucket findings: **Quick wins** (High/Critical,
|
|
141
|
+
Confirmed, S), **Plan now** (High/Critical, M or L), **Verify first** (any
|
|
142
|
+
Suspected), **Backlog** (Low). Map to P0-P3: P0 = High impact + S/M; P1 = High
|
|
143
|
+
impact + L or Medium + S; P2 = Medium + M; P3 = Low or XL without clear benefit.
|
|
86
144
|
|
|
87
145
|
### 5. Output
|
|
88
146
|
|
|
89
|
-
Write `.godpowers/tech-debt/REPORT.md
|
|
147
|
+
Write `.godpowers/tech-debt/REPORT.md`, self-contained for an acting agent with
|
|
148
|
+
no memory of the audit:
|
|
90
149
|
|
|
91
150
|
```markdown
|
|
92
|
-
# Tech Debt Assessment
|
|
93
|
-
|
|
94
|
-
Date: [ISO 8601]
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
##
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
##
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
[
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
151
|
+
# Code Audit and Tech Debt Assessment
|
|
152
|
+
|
|
153
|
+
Date: [ISO 8601] | Scope: [path or "entire codebase"] | State: [commit/branch]
|
|
154
|
+
Read-only audit. Self-contained: every finding cites file:line and how to verify.
|
|
155
|
+
|
|
156
|
+
## Snapshot
|
|
157
|
+
Languages, size, frameworks, entry points, evident maturity, coverage
|
|
158
|
+
(exhaustive or sampled, say what was sampled), exclusions.
|
|
159
|
+
|
|
160
|
+
## Overall score
|
|
161
|
+
NN/100 - Grade X (label). Two-to-four sentence verdict. One-line calibration.
|
|
162
|
+
|
|
163
|
+
| Dimension | Score | Grade | Weight | Verdict |
|
|
164
|
+
|---|---|---|---|---|
|
|
165
|
+
| Security | NN | X | 20% | one-line specific verdict |
|
|
166
|
+
| ... | | | | |
|
|
167
|
+
| Overall | NN | X | 100% | weighted |
|
|
168
|
+
|
|
169
|
+
## What to fix first
|
|
170
|
+
Ordered union of Quick wins + Plan now, Critical before High.
|
|
171
|
+
`[ID] title - severity, effort - one-line why`
|
|
172
|
+
|
|
173
|
+
## Strengths (preserve these)
|
|
174
|
+
What the codebase does well, each with evidence. Do not refactor these away.
|
|
175
|
+
|
|
176
|
+
## Systemic patterns (root causes)
|
|
177
|
+
One entry per recurring cause: what it is, member IDs, the one root fix.
|
|
178
|
+
|
|
179
|
+
## Findings
|
|
180
|
+
Sorted by severity then dimension. Each finding:
|
|
181
|
+
|
|
182
|
+
### [SEC-001] <title>
|
|
183
|
+
- Severity: <C/H/M/L> | Confidence: <Confirmed/Likely/Suspected> | Effort: <S/M/L/XL> | Dimension: <name>
|
|
184
|
+
- Location: `file:line` (+ others)
|
|
185
|
+
- Evidence: <what the code does now, precisely>
|
|
186
|
+
- Impact: <concrete consequence>
|
|
187
|
+
- Recommendation: <specific change and where; not a platitude>
|
|
188
|
+
- Verify the fix: <test to add / behavior to check / command to run>
|
|
189
|
+
- Related: <systemic pattern or finding IDs, or "none">
|
|
190
|
+
|
|
191
|
+
## Remediation plan
|
|
192
|
+
Quick wins / Plan now (suggested order) / Verify first / Backlog, by ID. Map to
|
|
193
|
+
P0-P3. For each P0/P1, name the Godpowers command (for example /god-hotfix,
|
|
194
|
+
/god-debug, /god-add-tests, /god-update-deps).
|
|
195
|
+
|
|
196
|
+
## Scope and limitations
|
|
197
|
+
What was and was not examined; sampling; assumptions that would change conclusions.
|
|
198
|
+
|
|
199
|
+
## How to use this report (for the acting agent)
|
|
200
|
+
1. Triage by severity and confidence. Confirmed Critical/High are safe to act on
|
|
201
|
+
now, in "What to fix first" order. Re-verify any Suspected finding first.
|
|
202
|
+
2. Fix root causes (systemic patterns) before individual leaves.
|
|
203
|
+
3. Preserve the strengths; do not refactor them away.
|
|
204
|
+
4. One finding, one change, verified: run its "Verify the fix" after each fix;
|
|
205
|
+
keep changes atomic and traceable to the finding ID.
|
|
206
|
+
5. Do not widen scope silently. Re-run the audit to confirm findings are
|
|
207
|
+
resolved, not relocated, and that no strength regressed.
|
|
133
208
|
```
|
|
134
209
|
|
|
210
|
+
ID prefixes by dimension: SEC, ARC, QUAL, TEST, ERR, PERF, DEP, DOC, OBS. Keep
|
|
211
|
+
IDs stable so a remediation loop can track each finding to closure.
|
|
212
|
+
|
|
135
213
|
## Have-Nots
|
|
136
214
|
|
|
137
215
|
Debt assessment FAILS if:
|
|
138
|
-
-
|
|
139
|
-
-
|
|
140
|
-
-
|
|
141
|
-
-
|
|
142
|
-
-
|
|
143
|
-
-
|
|
216
|
+
- A dimension score has no justification tied to specific findings
|
|
217
|
+
- Any finding lacks a `file:line`, or a Severity/Confidence/Effort
|
|
218
|
+
- A recommendation is a platitude ("improve error handling", "add more tests")
|
|
219
|
+
- Repeated issues are left loose instead of clustered into a systemic pattern
|
|
220
|
+
- The Strengths section is missing
|
|
221
|
+
- "Comprehensive coverage" is claimed without grep evidence or a stated sample
|
|
222
|
+
- A Critical finding does not cap its dimension and the overall score
|
|
223
|
+
- Obvious categories are missed (security debt with known CVEs)
|
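Review bot: The Security lane rule ("When that file exists, score the Security dimension from its verdict ... If FINDINGS.md is absent, do a lightweight security read") collides with the 3.13.0 placement of `code-audit` before `harden`: in the greenfield arc `.godpowers/harden/FINDINGS.md` will not exist yet, so the 20% Security dimension and its risk cap will always come from the lightweight read in that run. Say so explicitly in this section (for example that in `post-build-audit` mode the Security score is provisional until harden runs), so downstream consumers do not treat it as the gating verdict. Smaller point: the P0-P3 mapping in "4. Score and prioritize" is keyed on "High impact"/"Medium impact" while findings carry Severity Critical/High/Medium/Low; state that Critical maps like High (or above it) so a Critical finding cannot fall outside P0/P1.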
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "godpowers",
|
|
3
|
-
"version": "3.
|
|
3
|
+
"version": "3.13.0",
|
|
4
4
|
"description": "AI-powered development system: 120 slash commands and 40 specialist agents that take a project from raw idea to hardened production. Runs inside Claude Code, Codex, Cursor, Windsurf, Gemini, and 10+ other AI coding tools.",
|
|
5
5
|
"bin": {
|
|
6
6
|
"godpowers": "./bin/install.js"
|
|
@@ -367,6 +367,46 @@ after tests pass. If a git remote exists and the user passed an explicit push
|
|
|
367
367
|
flag or the project intent says pushing is allowed, push after the green commit
|
|
368
368
|
and then continue the project run. Pushing is not a terminal state.
|
|
369
369
|
|
|
370
|
+
## Audit-Remediation Loop
|
|
371
|
+
|
|
372
|
+
Run a bounded audit-then-remediate loop in three cases: the `full-arc`
|
|
373
|
+
**`code-audit` step** (it runs `god-debt-assessor` after build and before the
|
|
374
|
+
shipping tier, because AI-generated code can miss things a per-slice review and
|
|
375
|
+
the security gate do not); intent like "audit and fix until clean" (the
|
|
376
|
+
`audit-remediate` recipe); and any standalone `/god-tech-debt` follow-up. In
|
|
377
|
+
`full-arc` the loop must drive Confirmed Critical and High findings to closure
|
|
378
|
+
(or pause them as blockers) before `deploy`, `harden`, and `launch` proceed. The
|
|
379
|
+
maker that fixes is never the checker that grades.
|
|
380
|
+
|
|
381
|
+
1. **Audit (read-only).** Spawn `god-debt-assessor` in a fresh context. It writes
|
|
382
|
+
the scored, self-contained report to `.godpowers/tech-debt/REPORT.md` with
|
|
383
|
+
stable finding IDs (SEC-001, etc.), each carrying Severity, Confidence, Effort,
|
|
384
|
+
`file:line`, and a "Verify the fix" step.
|
|
385
|
+
2. **Select.** Take the "What to fix first" list: Confirmed Critical and High,
|
|
386
|
+
worst-first, root causes (systemic patterns) before leaves. Re-verify any
|
|
387
|
+
Suspected finding against the cited code before touching it; never act on an
|
|
388
|
+
unconfirmed claim.
|
|
389
|
+
3. **Drive each finding to closure** with an outcome loop so the loop is bounded
|
|
390
|
+
and self-arresting:
|
|
391
|
+
- `npx godpowers outcome start fix-<ID> --verify "<the finding's verify command>" --substep <tier.substep> --project=.`
|
|
392
|
+
- Spawn `god-debugger` (or the owning specialist) in a fresh context with only
|
|
393
|
+
that finding's evidence and touched files to draft the fix.
|
|
394
|
+
- Spawn an **independent** reviewer (`god-quality-reviewer`, or
|
|
395
|
+
`god-harden-auditor` for a SEC finding) in a fresh context to verify the fix
|
|
396
|
+
against the cited evidence and the project's tests. The maker does not grade
|
|
397
|
+
its own work.
|
|
398
|
+
- `npx godpowers outcome check fix-<ID> --project=.` runs the finding's verify
|
|
399
|
+
command and records the iteration. Repeat until the outcome succeeds or the
|
|
400
|
+
budget is exhausted.
|
|
401
|
+
- Never mark a finding resolved while `can-close` for its substep is red.
|
|
402
|
+
4. **Re-audit.** Re-run `god-debt-assessor` and confirm findings are resolved,
|
|
403
|
+
not relocated, and that no Strength regressed. The loop is done when no
|
|
404
|
+
Confirmed Critical or High remains (or the agreed bucket is empty).
|
|
405
|
+
5. **Pause, do not fake.** Anything that cannot be fixed within budget, or that
|
|
406
|
+
is `human-only` (scope, credentials, vendor/legal/Critical-security
|
|
407
|
+
acceptance), lands as a precise paused blocker with the finding ID, not a
|
|
408
|
+
silent skip. "Clean" is an evidence-backed re-audit, never a claim.
|
|
409
|
+
|
|
370
410
|
## Shipping Closure Protocol
|
|
371
411
|
|
|
372
412
|
The shipping tier must not end by listing a broad provider checklist. God Mode
|
|
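Review bot: Step 3 executes a command the auditor wrote: `npx godpowers outcome start fix-<ID> --verify "<the finding's verify command>" ...` takes the "Verify the fix" text from REPORT.md, which `god-debt-assessor` derives from reading the repository, and `outcome check` then runs it; a repository whose contents steer the assessor (comments, docs, fixture files it reads) can therefore steer what the orchestrator executes. Add a guard to this section: restrict `--verify` to the project's declared test/lint scripts or a reviewed allowlist, and have the independent reviewer approve the verify command, not just the fix, before `outcome start`.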
@@ -0,0 +1,30 @@
|
|
|
1
|
+
apiVersion: godpowers/v1
|
|
2
|
+
kind: Recipe
|
|
3
|
+
metadata:
|
|
4
|
+
name: audit-remediate
|
|
5
|
+
category: maintaining
|
|
6
|
+
description: "Audit the codebase, then drive the findings to zero"
|
|
7
|
+
|
|
8
|
+
triggers:
|
|
9
|
+
intent-keywords:
|
|
10
|
+
- "audit and fix"
|
|
11
|
+
- "fix all the audit findings"
|
|
12
|
+
- "drive the audit to clean"
|
|
13
|
+
- "remediate tech debt"
|
|
14
|
+
- "fix the codebase until clean"
|
|
15
|
+
- "pay down tech debt"
|
|
16
|
+
- "address all the findings"
|
|
17
|
+
- "code audit and fix"
|
|
18
|
+
|
|
19
|
+
sequences:
|
|
20
|
+
default:
|
|
21
|
+
description: "Audit the codebase, then drive the findings to zero"
|
|
22
|
+
steps:
|
|
23
|
+
- command: "/god-tech-debt"
|
|
24
|
+
why: "Score the codebase and write the prioritized, self-contained audit report (god-debt-assessor)"
|
|
25
|
+
- command: "/god-debug"
|
|
26
|
+
why: "Fix each Confirmed Critical/High finding worst-first; an independent reviewer verifies each fix against the cited evidence"
|
|
27
|
+
- command: "/god-tech-debt"
|
|
28
|
+
why: "Re-audit to confirm findings are resolved not relocated and no strength regressed; the orchestrator loops this under an outcome budget until clean"
|
|
29
|
+
|
|
30
|
+
default-sequence: default
|
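Review bot: The last step's `why` says "the orchestrator loops this under an outcome budget until clean", but the sequence is a flat three-step list with no loop or budget declared in the recipe, so the bound lives only in the runbook prose. Either reference the runbook's Audit-Remediation Loop section in the `description`/`why` so the reader knows where the loop and budget are defined, or state that `/god-tech-debt` then `/god-debug` then `/god-tech-debt` is a single pass.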
package/skills/god-version.md
CHANGED
|
@@ -16,7 +16,7 @@ Print version and a short capability summary.
|
|
|
16
16
|
```
|
|
17
17
|
Godpowers v2.3.1
|
|
18
18
|
Install: /Users/.../.claude/ (matches package.json)
|
|
19
|
-
Surface: 120 skills, 40 agents, 13 workflows,
|
|
19
|
+
Surface: 120 skills, 40 agents, 13 workflows, 44 recipes
|
|
20
20
|
Schema: intent.v1, state.v1, events.v1, workflow.v1, routing.v1, recipe.v1
|
|
21
21
|
External integrations available: impeccable, agent-browser (others lazy)
|
|
22
22
|
Feature awareness: planning-system migration, source-system sync-back, context refresh, dashboard status labels, repo documentation sync, repo surface sync, quick proof, request trace, release hardening, maintenance hardening
|
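Review bot: The sample output gains `44 recipes` but still shows `Godpowers v2.3.1` in a 3.13.0 package, so the example is now inconsistent with the surface counts it prints; bump the sample version or mark it as illustrative.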
package/workflows/full-arc.yaml
CHANGED
|
@@ -62,9 +62,16 @@ jobs:
|
|
|
62
62
|
verification:
|
|
63
63
|
required: [test, lint, typecheck-or-check]
|
|
64
64
|
|
|
65
|
+
code-audit:
|
|
66
|
+
tier: 2
|
|
67
|
+
needs: build
|
|
68
|
+
uses: god-debt-assessor@^1.0.0
|
|
69
|
+
with:
|
|
70
|
+
mode: post-build-audit
|
|
71
|
+
|
|
65
72
|
deploy:
|
|
66
73
|
tier: 3
|
|
67
|
-
needs:
|
|
74
|
+
needs: code-audit
|
|
68
75
|
uses: god-deploy-engineer@^1.0.0
|
|
69
76
|
closure:
|
|
70
77
|
on-missing-external-access: create-waiting-access-bundle
|
|
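Review bot: The new `code-audit` job declares no gating: unlike `harden`, which carries `blocks-on:` / `- critical-finding: pause` in the next hunk, `code-audit` has only `needs`, `uses` and `with`, so a Confirmed Critical in REPORT.md does not stop `deploy` at the workflow level; the runbook's "drive ... to closure (or pause them as blockers) before `deploy`" is prose only. Add an equivalent `blocks-on` entry (or a closure field) to `code-audit` so the DAG enforces it. Minor: the removed `needs:` value on `deploy` is not visible here; confirm it was `build`, since `code-audit` already depends on `build`.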
@@ -84,14 +91,21 @@ jobs:
|
|
|
84
91
|
|
|
85
92
|
harden:
|
|
86
93
|
tier: 3
|
|
87
|
-
needs:
|
|
94
|
+
needs: code-audit
|
|
88
95
|
uses: god-harden-auditor@^1.0.0
|
|
89
96
|
blocks-on:
|
|
90
97
|
- critical-finding: pause
|
|
91
98
|
|
|
92
|
-
|
|
99
|
+
docs:
|
|
93
100
|
tier: 3
|
|
94
101
|
needs: harden
|
|
102
|
+
uses: god-docs-writer@^1.0.0
|
|
103
|
+
with:
|
|
104
|
+
mode: product-docs-verify
|
|
105
|
+
|
|
106
|
+
launch:
|
|
107
|
+
tier: 3
|
|
108
|
+
needs: docs
|
|
95
109
|
uses: god-launch-strategist@^1.0.0
|
|
96
110
|
with:
|
|
97
111
|
template: HARDEN-FINDINGS.md
|
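Review bot: `harden` now reads `needs: code-audit` where the removed line's value is not visible; if it previously depended on `observe`, this edit drops that edge and the DAG no longer matches the documented order "build, code-audit, deploy, observe, harden", so `needs` should carry both (as a list, if the schema accepts one the way `verification.required` does). Separately, the new `docs` job (`mode: product-docs-verify`) has no `blocks-on` or failure handling, so "drift detected" does not gate `launch`; specify what the job does when drift is found.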