godpowers 3.11.0 → 3.13.1

package/CHANGELOG.md CHANGED
@@ -7,6 +7,113 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ## [3.13.1] - 2026-06-16
11
+
12
+ Maintenance release that drives a full self-audit (`codeaudit.md`) to zero: one
13
+ High finding, plus the Medium and Low findings, fixed across runtime correctness,
14
+ security hardening, the test gate, documentation, and de-duplication. No public
15
+ command, agent, workflow, or recipe surface changes (counts stay 120 / 40 / 13 / 44).
16
+
17
+ ### Fixed
18
+ - **Ledger record loss under concurrency (ERR-001):** `lib/evidence.js`
19
+ `appendJsonlAtomic` did a read-modify-write of the whole ledger, so two
20
+ concurrent `verify`/`outcome check` processes lost each other's records and
21
+ every append was O(n). It now uses `fs.appendFileSync` (O_APPEND), mirroring
22
+ `lib/events.js`; a concurrency regression test asserts 8 writers x 25 records
23
+ all survive.
24
+ - **Buffer-overflow verdicts (ERR-003):** a `maxBuffer` (ENOBUFS) overflow was
25
+ recorded as a plain command failure; it is now surfaced distinctly. The 16 MB
26
+ cap is the named constant `MAX_OUTPUT_BYTES`.
27
+ - **Doc accuracy:** `SECURITY.md` no longer recommends the non-existent
28
+ `npm install --verify` (use `npm audit signatures`); the stale
29
+ `ARCHITECTURE-MAP.md` counts are regenerated and now machine-guarded.
30
+
31
+ ### Security
32
+ - **Advisory hook (SEC-001):** `hooks/pre-tool-use.sh` is reframed as a
33
+ best-effort typo guard (not a security boundary) and now normalizes whitespace
34
+ and matches common destructive-command variants (`rm -fr`, `-r -f`, `./`
35
+ prefix, `git push -f`/`--force-with-lease`). Covered by `scripts/test-hooks.js`.
36
+ - **Disk-sourced verifier (SEC-002):** `outcome check` now announces the verifier
37
+ command and its `goal.json` source path before executing, so running it in an
38
+ untrusted cloned repo cannot silently run a planted command.
39
+ - **Ledger secrets (SEC-003):** the human-readable `LEDGER-LOG.md` command echo
40
+ masks obvious secret shapes; `SECURITY.md` documents that `.godpowers/ledger/`
41
+ may capture command output.
42
+ - **Codex sandbox (SEC-004):** `SECURITY.md` documents the Codex
43
+ `sandbox_mode = "workspace-write"` install default.
44
+
45
+ ### Changed
46
+ - **Test gate (TEST-001/002/003):** `coverage:lib` now enforces `--branches 75`;
47
+ new `scripts/test-runtime-audit.js` raises `runtime-audit.js` line coverage
48
+ 68.8% -> 77.8%; `scripts/test-router.js` no longer shares cumulative state and
49
+ cleans up its temp dirs.
50
+ - **De-duplication (ARC-001/002, QUAL-001/002):** the five `*-sync` modules share
51
+ `lib/sync-fs.js`; the ANSI logger moves to `lib/cli-log.js` and `slugify` to
52
+ `lib/text-util.js`; `installer-args.parseArgs` is now table-driven (was a
53
+ 358-line function); `state.STATE_FILE` is the canonical state-file constant and
54
+ `artifact-map.js`'s scope is documented accurately.
55
+ - **Re-audit follow-ups (ARC-003, QUAL-003, DOC-004/005, ERR-004, TEST-005):** a
56
+ fresh self-audit of the above confirmed no regressions and closed the residual
57
+ gaps: `installer-core.js` now imports the shared logger; `dashboard.js`/
58
+ `planning-systems.js` use `sync-fs`; the `lib/README` module catalog is complete
59
+ and guarded by a completeness check; the corrupt-state error is typed
60
+ (`err.code = 'CORRUPT_STATE'`) instead of message-matched; and the hook tests
61
+ assert each warning's text, not just its exit code.
62
+
63
+ ## [3.13.0] - 2026-06-16
64
+
65
+ ### Changed
66
+ - The default greenfield workflow (`full-arc`, run by `/god-mode`) now runs two
67
+ more steps so the one-shot product ships audited and documented. A `code-audit`
68
+ job (`god-debt-assessor`) runs after the build and before deploy/harden, giving
69
+ the whole AI-generated codebase a scored audit that catches what the per-slice
70
+ reviews could not see across files. A `docs` job (`god-docs-writer`) runs after
71
+ harden and before launch, writing the project documentation and verifying every
72
+ claim against the code (drift detected) before the product ships. `deploy` and
73
+ `harden` now need `code-audit`; `launch` now needs `docs`. The plan goes from
74
+ 11 to 13 steps. No new skill, agent, workflow, or recipe surface: both jobs
75
+ reuse agents that already exist.
76
+ - `GOD-ORCHESTRATOR-RUNBOOK` documents the new audit and docs positions in the
77
+ greenfield arc.
78
+
79
+ ## [3.12.1] - 2026-06-16
80
+
81
+ ### Changed
82
+ - De-duplicated the audit lanes in `god-debt-assessor`. Its Security dimension
83
+ now defers to `god-harden-auditor`: when `.godpowers/harden/FINDINGS.md`
84
+ exists, score Security from harden's verdict and cite its finding IDs instead
85
+ of re-running the OWASP walkthrough, recording a security finding only for
86
+ something harden did not cover. Its Code Quality dimension is explicitly the
87
+ whole-repo point-in-time read that complements, not duplicates,
88
+ `god-quality-reviewer`'s per-slice diff review.
89
+
90
+ ## [3.12.0] - 2026-06-16
91
+
92
+ ### Changed
93
+ - Upgraded `god-debt-assessor` (`/god-tech-debt`) to a codeauditor-grade,
94
+ read-only source-code audit: nine weighted dimensions scored 0-100 with grade
95
+ bands and risk-capping, per-finding Severity/Confidence/Effort, adversarial
96
+ verification with Suspected marking, paper-construct/theater hunting,
97
+ root-not-leaves systemic clustering, a strengths-to-preserve section,
98
+ calibration to maturity, a file:line + substitution evidence gate, and a
99
+ self-contained "how to use this report" protocol for an acting agent. Keeps
100
+ Godpowers' broader operational/knowledge debt categories as extra lenses.
101
+ Output stays `.godpowers/tech-debt/REPORT.md`.
102
+
103
+ ### Added
104
+ - Added the audit-remediation loop: a new `audit-remediate` recipe routes
105
+ "audit and fix until clean" intent, and a `GOD-ORCHESTRATOR-RUNBOOK` section
106
+ defines the bounded drive-to-zero loop (audit, select worst-first, fix with
107
+ `god-debugger`, verify with an independent reviewer, bound the retries with
108
+ `evidence.outcome`, re-audit until no Confirmed Critical/High remains). The
109
+ can't-fake-done gate makes "clean" an evidence-backed re-audit; un-fixable
110
+ findings pause as precise blockers instead of silent skips.
111
+
112
+ ### Notes
113
+ - No new skill or agent (god-debt-assessor enhanced in place). Recipe surface
114
+ count moves 43 to 44. The audit-remediation loop is opt-in (intent/recipe or
115
+ an end-of-arc pass); it is not wired into the default greenfield `full-arc`.
116
+
10
117
  ## [3.11.0] - 2026-06-15
11
118
 
12
119
  ### Added
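Review bot: the SEC-002 entry (`+ - **Disk-sourced verifier (SEC-002):** \`outcome check\` now announces the verifier` ... `untrusted cloned repo cannot silently run a planted command.`) overstates what announcing the command achieves. Printing the verifier command and its `goal.json` source path makes the run non-silent, but the command still executes right after the echo, and in an automated arc nobody is reading the terminal at that moment. Consider gating disk-sourced verifiers on an explicit user opt-in (a flag or a per-project trust marker the user writes, not the cloned repo) and wording the entry as "cannot run unannounced" rather than "cannot silently run". On ERR-001, `fs.appendFileSync` (O_APPEND) does remove the read-modify-write race on local filesystems, but only if each JSONL record, trailing newline included, is written in a single call, and O_APPEND offset atomicity is not guaranteed on NFS-style network filesystems; a sentence to that effect belongs next to the 8 x 25 regression test and in the corrected ledger-append comment.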
package/README.md CHANGED
@@ -2,7 +2,7 @@
2
2
 
3
3
  [![CI](https://github.com/aihxp/godpowers/actions/workflows/ci.yml/badge.svg)](https://github.com/aihxp/godpowers/actions/workflows/ci.yml)
4
4
  [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
5
- [![Version](https://img.shields.io/badge/version-3.11.0-blue)](CHANGELOG.md)
5
+ [![Version](https://img.shields.io/badge/version-3.13.1-blue)](CHANGELOG.md)
6
6
  [![npm](https://img.shields.io/npm/v/godpowers.svg)](https://www.npmjs.com/package/godpowers)
7
7
 
8
8
  **Ship fast. Ship right. Ship everything. Ship accountably.**
@@ -30,13 +30,26 @@ Godpowers makes AI coding accountable: every serious run should leave disk
30
30
  state, artifacts, validation gates, host guarantees, and a next action. Code is
31
31
  only one output. The project memory and proof trail matter too.
32
32
 
33
- Version 3.11.0 adds the optional one-time `.mythify/` ledger importer (`npx
34
- godpowers import-ledger`), the final piece of the native fusion of Mythify's
35
- evidence engine and quarterback into Godpowers. The fusion is now complete end
36
- to end: the evidence producer, enforced close-on-evidence on the build and
37
- harden gates, the quarterback entry router, the work report, reflections,
38
- memory, lessons, outcome loops, the read-only MCP tools, and now a path to bring
39
- existing Mythify ledgers along. The current 3.x line keeps
33
+ Version 3.13.1 is a maintenance release that drives a full self-audit to zero:
34
+ the runtime ledger no longer loses verification records under concurrent writes,
35
+ the `outcome check` verifier and the pre-tool-use hook are hardened, the
36
+ `*-sync` modules share one filesystem helper, the argument parser is table-driven,
37
+ branch coverage is now gated, and the architecture map is kept in lockstep by a
38
+ machine guard. Version 3.13.0 makes the default greenfield arc (`/god-mode`) miss
39
+ less. The one-shot `full-arc` workflow now runs a whole-codebase code audit after the
40
+ build (so it catches what the per-slice reviews missed in AI-generated code) and
41
+ a documentation pass after harden (so the shipped product has docs verified
42
+ against the code, not vibes). The arc goes build, code-audit, deploy, observe,
43
+ harden, docs, launch, final-sync: per-slice review, whole-codebase audit plus
44
+ remediation, a security gate, and verified docs before launch. This builds on
45
+ 3.12.x, which made that code audit codeauditor-grade: `god-debt-assessor`
46
+ (`/god-tech-debt`) produces a scored, prioritized, self-contained source-code
47
+ audit across nine weighted dimensions, and the `audit-remediate` recipe drives
48
+ the findings to zero (audit, fix worst-first with an independent reviewer,
49
+ re-audit, bounded by an outcome budget, with the can't-fake-done gate ensuring
50
+ "clean" is evidence-backed). It all sits on top of the completed Mythify fusion
51
+ (the evidence producer, enforced close-on-evidence, the quarterback, work report,
52
+ reflections, memory, lessons, outcome loops, MCP read tools, and ledger importer). The current 3.x line keeps
40
53
  the omitted installer profile on `core`, keeps first-run, demo, and
41
54
  surface-control entry points, preserves `--profile=full` for compatibility,
42
55
  keeps locate and lifecycle views under `/god-status`, ships the optional
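Review bot: the replacement version paragraph (from `+ Version 3.13.1 is a maintenance release that drives a full self-audit to zero:` through `+ reflections, memory, lessons, outcome loops, MCP read tools, and ledger importer). The current 3.x line keeps`) is one twenty-line paragraph covering four releases plus the whole fusion history, and its last added line runs far past the wrap width used by the surrounding README text. Split it into one short paragraph per version (3.13.1, 3.13.0, 3.12.x), or keep the README to the current release and point at CHANGELOG.md for the history, and re-wrap the final line to match the rest of the file.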
@@ -321,14 +334,14 @@ dependency to the main `godpowers` package:
321
334
 
322
335
  ```bash
323
336
  npx godpowers mcp-info --project=.
324
- npx -y -p godpowers@3.11.0 -p @godpowers/mcp@3.11.0 godpowers-mcp serve --project=.
337
+ npx -y -p godpowers@3.13.1 -p @godpowers/mcp@3.13.1 godpowers-mcp serve --project=.
325
338
  ```
326
339
 
327
340
  The companion exposes `status`, `next`, `gate_check`, `lint_artifact`, and
328
341
  `trace_requirement`. Host registration is opt-in:
329
342
 
330
343
  ```bash
331
- npx -y -p godpowers@3.11.0 -p @godpowers/mcp@3.11.0 godpowers-mcp setup --host=codex --project=. --write
344
+ npx -y -p godpowers@3.13.1 -p @godpowers/mcp@3.13.1 godpowers-mcp setup --host=codex --project=. --write
332
345
  ```
333
346
 
334
347
  See [MCP Companion](docs/mcp.md) for package boundaries and setup details.
package/RELEASE.md CHANGED
@@ -1,41 +1,41 @@
1
- # Godpowers 3.11.0 Release
1
+ # Godpowers 3.13.1 Release
2
2
 
3
3
  > Status: Prepared
4
- > Date: 2026-06-15
4
+ > Date: 2026-06-16
5
5
 
6
- [DECISION] Godpowers 3.11.0 adds the optional one-time `.mythify/` ledger importer, the final item in the fusion design. With it, the native fusion of Mythify's evidence engine and quarterback into Godpowers (Phases 0-3 plus the optional importer) is complete.
7
- [DECISION] The importer is optional, one-time, and additive: it appends imported records to the Godpowers ledger and does not roll up into `state.json` or emit gate events. No existing command behavior changes.
8
- [DECISION] This release keeps `core` as the omitted installer profile, keeps `--profile=full` as the complete compatibility surface, and keeps the 3.1.0-3.10.0 evidence, close-gate, quarterback, work-report, reflections, memory, lessons, outcome, and MCP surface.
6
+ [DECISION] Godpowers 3.13.1 is a maintenance release that drives a full self-audit (`codeaudit.md`, codeauditor-grade, nine weighted dimensions) to zero. It fixes one High finding plus the Medium and Low findings across runtime correctness, security hardening, the test gate, documentation, and de-duplication.
7
+ [DECISION] No new skill, agent, workflow, or recipe surface is added or removed. Surface counts are unchanged from 3.13.0: 120 slash commands, 40 specialist agents, 13 workflows, 44 recipes.
8
+ [DECISION] This release keeps `core` as the omitted installer profile, keeps `--profile=full` as the complete compatibility surface, and keeps the full 3.1.0-3.13.0 surface (fusion + codeauditor-grade audit + remediation loop + audited/documented greenfield arc).
9
9
 
10
10
  ## What's in this release
11
11
 
12
- - [DECISION] New `lib/evidence-import.js` and `npx godpowers import-ledger [--from <path>]`.
13
- - [DECISION] It copies an existing Mythify `.mythify/` ledger into `.godpowers/ledger/`: verifications (rebinding plan/step_id/step_title/step_status to arc/substep/substep_status), reflections, memory (merged by key), lessons (lessons/*.json to lessons.jsonl), and outcomes (goal.json + iterations.jsonl per slug).
14
- - [DECISION] Records are appended; the import does not roll up into `state.json` or emit gate events.
15
- - [DECISION] 120 slash commands, 40 specialist agents, 13 executable workflows, 43 intent recipes, and the 3.1.0-3.10.0 evidence, close-gate, quarterback, work-report, reflections, memory, lessons, outcome, and eight-tool MCP surface remain available.
12
+ - [DECISION] Runtime correctness: `lib/evidence.js` `appendJsonlAtomic` now appends with `fs.appendFileSync` (O_APPEND) instead of a read-modify-write, so concurrent `verify`/`outcome check` processes no longer lose ledger records and the append is no longer O(n) (ERR-001). A `maxBuffer` overflow is surfaced distinctly instead of as a plain failure (ERR-003).
13
+ - [DECISION] Security hardening: the pre-tool-use hook is reframed as a best-effort advisory typo guard and matches more destructive-command variants (SEC-001); `outcome check` announces a disk-sourced verifier before running it (SEC-002); the `LEDGER-LOG.md` command echo masks obvious secret shapes and `SECURITY.md` documents the ledger and Codex-sandbox trust boundaries (SEC-003, SEC-004); `SECURITY.md` replaces the non-existent `npm install --verify` with `npm audit signatures` (DOC-002).
14
+ - [DECISION] Test gate: `coverage:lib` now enforces `--branches 75` (TEST-001); a new `scripts/test-runtime-audit.js` raises `lib/runtime-audit.js` line coverage from 68.8% to 77.8% (TEST-002); `scripts/test-router.js` no longer shares cumulative state across tests and cleans up its temp dirs (TEST-003); new `scripts/test-hooks.js`, `scripts/test-cli-log.js`, and `scripts/test-text-util.js` cover the new code.
15
+ - [DECISION] De-duplication: the five `*-sync` modules share `lib/sync-fs.js`; the ANSI logger moves to `lib/cli-log.js` and `slugify` to `lib/text-util.js`; `installer-args.parseArgs` is now table-driven (ARC-001, QUAL-001, QUAL-002).
16
+ - [DECISION] Documentation: `ARCHITECTURE-MAP.md` counts are regenerated and now machine-guarded by `scripts/test-doc-surface-counts.js`; `state.STATE_FILE` is the canonical state-file constant and `artifact-map.js`'s scope is documented accurately (DOC-001, DOC-003, ARC-002).
17
+ - [DECISION] Re-audit follow-ups: a fresh self-audit confirmed no regressions and closed the residual gaps it found - `installer-core.js` imports the shared logger (QUAL-003); `dashboard.js`/`planning-systems.js` consume `sync-fs` (ARC-003); the `lib/README` module catalog is complete and now guarded by a completeness check (DOC-004); the ledger-append comment is corrected (DOC-005); the corrupt-state error is typed rather than message-matched (ERR-004); and the hook tests assert each warning's text (TEST-005).
16
18
 
17
19
  ## Changes
18
20
 
19
- - [DECISION] `package.json`, `package-lock.json`, and `packages/mcp/package.json` now publish the 3.11.0 minor version.
20
- - [DECISION] CHANGELOG, RELEASE notes, README, roadmap, reference, architecture, and the SECURITY supported-version series now describe the 3.11.0 importer and the completed fusion.
21
+ - [DECISION] `package.json`, `package-lock.json`, and `packages/mcp/package.json` now publish the 3.13.1 version.
22
+ - [DECISION] New runtime modules `lib/sync-fs.js`, `lib/cli-log.js`, and `lib/text-util.js` (lib module count 87 -> 90). No public command/agent/workflow/recipe surface change.
23
+ - [DECISION] CHANGELOG, RELEASE notes, README, roadmap, reference, architecture, and the architecture map now reflect 3.13.1. The SECURITY supported-version table already carries the `3.13.x` row.
21
24
 
22
25
  ## Validation
23
26
 
24
- - [DECISION] `npm run lint` passed with 29 static checks.
25
- - [DECISION] `node scripts/test-evidence-import.js` passed with 4 importer tests, including the plan/step to arc/substep rebind.
26
- - [DECISION] `node scripts/test-cli-dispatch.js` passed with 48 CLI dispatch tests, including the new `import-ledger` tests.
27
- - [DECISION] `npm run release:check` passed `coverage:lib` above the 90 percent line floor for `lib/**/*.js` (evidence-import.js at 97 percent lines).
28
- - [DECISION] `npm run release:check` passed `npm audit --omit=dev` with 0 vulnerabilities.
29
- - [DECISION] `npm run release:check` passed public surface docs for version 3.11.0 with 120 skills, 40 agents, 13 workflows, and 43 recipes.
27
+ - [DECISION] `npm test` passed all command groups.
28
+ - [DECISION] `npm run release:check` passed `coverage:lib` above the 90 percent line floor and the new 75 percent branch floor for `lib/**/*.js`.
29
+ - [DECISION] `npm run release:check` passed `npm audit --omit=dev` with 0 vulnerabilities and `git diff --check`.
30
+ - [DECISION] `npm run release:check` passed public surface docs for version 3.13.1 with 120 skills, 40 agents, 13 workflows, and 44 recipes.
30
31
  - [DECISION] `npm run release:check` passed root and `@godpowers/mcp` package contents.
31
32
 
32
33
  ## Upgrade
33
34
 
34
- - [DECISION] Use `npm install -g godpowers@3.11.0` or `npx godpowers@3.11.0`.
35
- - [DECISION] No migration is required. The importer is optional and additive; no other behavior changed.
35
+ - [DECISION] Use `npm install -g godpowers@3.13.1` or `npx godpowers@3.13.1`.
36
+ - [DECISION] No migration is required. Existing projects are unaffected; the changes are internal correctness, security, test-gate, and maintainability fixes with no surface change.
36
37
 
37
38
  ## Notes
38
39
 
39
- - [DECISION] The publish targets are npm `godpowers@3.11.0`, npm `@godpowers/mcp@3.11.0`, and GitHub release `https://github.com/aihxp/godpowers/releases/tag/v3.11.0`.
40
- - [DECISION] The tag-triggered GitHub publish workflow remains the preferred npm path because it publishes with provenance.
41
- - [DECISION] This is the final planned release of the fusion design. Every phase (0-3) and the optional importer are implemented and shipped to main across 3.1.0-3.11.0.
40
+ - [DECISION] The publish targets are npm `godpowers@3.13.1`, npm `@godpowers/mcp@3.13.1`, and GitHub release `https://github.com/aihxp/godpowers/releases/tag/v3.13.1`.
41
+ - [DECISION] The tag-triggered GitHub publish workflow remains the preferred npm path because it publishes with provenance. This release has not been tagged or published to npm yet.
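Review bot: the last Notes bullet ends with `This release has not been tagged or published to npm yet.`, but RELEASE.md ships inside the published tarball, so anyone reading it from the registry sees a statement that is already false; either drop the sentence or keep publish state out of the packaged file (`> Status: Prepared` has the same problem). Separately, the CHANGELOG credits ERR-001 with a concurrency regression test (8 writers x 25 records), yet the Test gate bullet names only `scripts/test-hooks.js`, `scripts/test-cli-log.js`, and `scripts/test-text-util.js` as new scripts, and Validation has replaced the per-script test counts that 3.11.0 reported with `npm test passed all command groups`. Name the script that carries the concurrency test and restore the counts so the release check stays traceable to the findings it closes.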
@@ -3,7 +3,8 @@ name: god-debt-assessor
3
3
  description: |
4
4
  Assess and prioritize technical debt in an existing codebase. Categorizes
5
5
  by type (code, design, dependency, security, test, doc), estimates cost
6
- to fix, ranks by priority. Outputs prioritized remediation plan.
6
+ to fix, ranks by priority. Outputs a scored, prioritized, self-contained
7
+ remediation plan.
7
8
 
8
9
  Spawned by: /god-tech-debt, brownfield-arc workflow
9
10
  tools: Read, Bash, Grep, Glob, WebSearch
@@ -22,122 +23,201 @@ handoff:
22
23
 
23
24
  # God Debt Assessor
24
25
 
25
- Tech debt is real. Classify it, prioritize it, plan remediation.
26
+ Tech debt is real. Classify it, prioritize it, plan remediation. This is a
27
+ **read-only** code audit: read the code, score it, and write a self-contained
28
+ report. Do not edit source. Remediation is a separate, gated step (god-debugger
29
+ and the orchestrator audit-remediation loop) that consumes this report.
26
30
 
27
31
  ## When to use
28
32
 
29
33
  - Before /god-upgrade or /god-refactor on legacy code
30
34
  - Quarterly health check on a brownfield project
31
35
  - After /god-archaeology surfaced concerns
36
+ - As the end-of-arc audit before a remediation loop drives findings to zero
32
37
  - Before promising a feature that might require debt paydown first
33
38
 
34
- ## Categories
35
-
36
- | Category | Examples |
37
- |----------|----------|
38
- | **Code debt** | TODO/FIXME comments, dead code, copy-paste, complex functions |
39
- | **Design debt** | Wrong abstractions, missing abstractions, architectural drift |
40
- | **Dependency debt** | Outdated packages, deprecated libraries, security CVEs |
41
- | **Test debt** | Missing tests, flaky tests, slow tests, low coverage |
42
- | **Doc debt** | Stale docs, missing API docs, drift from code |
43
- | **Security debt** | Known vulnerabilities, weak auth, missing validation |
44
- | **Operational debt** | Manual deploys, missing runbooks, paper SLOs |
45
- | **Knowledge debt** | Tribal knowledge with no docs, single point of failure people |
39
+ ## Operating principles (non-negotiable)
40
+
41
+ 1. **Evidence over assertion.** No claim without a concrete `file:line`. Apply
42
+ the substitution test to every finding: if the same sentence would read true
43
+ for a different repo, it is filler. "Error handling is weak" fails;
44
+ "`api/users.ts:88` returns 200 on a validation failure so callers cannot
45
+ detect bad input" passes.
46
+ 2. **Verify against reality.** Read the code, not the names, comments, or docs.
47
+ When a doc or comment claims one thing and the code does another, that gap is
48
+ itself a finding.
49
+ 3. **Refuse theater. Hunt paper constructs.** The most dangerous defects look
50
+ robust but carry no weight: a try/catch that swallows the error, a validator
51
+ defined but never called, middleware registered but not applied to the routes
52
+ it should guard, a test that asserts nothing, a health check that returns 200
53
+ without checking a dependency, a rate limiter that does not limit. Flag
54
+ anything that exists for appearance but does not do its job.
55
+ 4. **Find the root, not the leaves.** If one mistake appears in twelve places,
56
+ that is one systemic finding, not twelve. Cluster instances; name the cause.
57
+ 5. **Verify adversarially.** For every candidate finding, try to refute it
58
+ before keeping it (is there a guard, a test, a deliberate trade-off?). If you
59
+ cannot confirm by reading, mark it Suspected so the acting agent re-checks.
60
+ 6. **Calibrate to the project.** Grade against the project's evident ambition
61
+ and maturity, not an absolute ideal. State your calibration.
62
+ 7. **Name the strengths.** Record what the codebase does well, with evidence,
63
+ so remediation does not refactor those away.
64
+
65
+ ## Dimensions (score each 0-100, weighted)
66
+
67
+ The debt categories map onto nine scored dimensions. Score each against its
68
+ findings, with a one-line justification. No number without a reason.
69
+
70
+ | Dimension | Weight | Covers (debt categories) |
71
+ |---|---|---|
72
+ | Security | 20% | security debt: authn/authz, injection, secrets, crypto, exposure, paper trust boundaries, LLM/tool surfaces |
73
+ | Architecture and Design | 15% | design debt: boundaries, coupling, cohesion, abstraction fit, drift |
74
+ | Code Quality and Maintainability | 15% | code debt: complexity, size, duplication, naming, dead code, magic values, TODO/FIXME/HACK markers, type-safety escape hatches |
75
+ | Testing and Verification | 15% | test debt: critical-path coverage, assertion quality, determinism, tests that never run |
76
+ | Error Handling and Resilience | 10% | swallowed errors, lost context, I/O timeouts/retries, transactional integrity, resource cleanup |
77
+ | Performance and Efficiency | 8% | algorithmic hot paths, N+1, caching, blocking work, memory (mark Suspected without a profiler) |
78
+ | Dependencies and Supply Chain | 7% | dependency debt: CVEs, staleness, deprecated APIs, bloat, pinning, licensing |
79
+ | Documentation and Drift | 5% | doc debt: README/API accuracy, phantom/missing docs, stale comments |
80
+ | Observability and Operability | 5% | operational debt: logging, metrics/tracing, paper health checks, config/secrets, deployability |
81
+
82
+ Carry Godpowers' extra lenses where they apply: **operational debt** (manual
83
+ deploys, missing runbooks, paper SLOs) folds into Observability; **knowledge
84
+ debt** (tribal knowledge, single-points-of-failure people) is reported as a
85
+ systemic note.
86
+
87
+ ### Lane discipline (do not re-derive what another auditor owns)
88
+
89
+ This audit is the **point-in-time, whole-repo** read. Two dimensions overlap
90
+ other auditors; defer to them rather than duplicate their work:
91
+
92
+ - **Security** is owned by `god-harden-auditor` (the gating OWASP walkthrough at
93
+ `.godpowers/harden/FINDINGS.md`). When that file exists, score the Security
94
+ dimension from its verdict and **cite its finding IDs** (for example
95
+ "Security 72 - see harden CRITICAL-001/002") instead of re-running the
96
+ walkthrough. Record a Security finding here only for something harden did not
97
+ cover, and tag it for harden to re-check. If FINDINGS.md is absent, do a
98
+ lightweight security read and say so plainly - it is not a substitute for
99
+ `/god-harden`.
100
+ - **Code Quality** at the *diff* level is owned by `god-quality-reviewer` during
101
+ build. This dimension is the *whole-codebase* health read: report systemic
102
+ quality debt, not a line-by-line review of recent changes, and point to the
103
+ reviewer for per-slice concerns.
104
+
105
+ Bands: 90-100 A, 80-89 B, 70-79 C, 60-69 D, 0-59 F. Risk does not average away:
106
+ one Confirmed Critical caps its dimension at 69 and the overall at 79 until
107
+ resolved.
46
108
 
47
109
  ## Process
48
110
 
49
- ### 1. Inventory
50
-
51
- Walk the codebase looking for indicators per category:
52
- - Code: grep TODO/FIXME/HACK; cyclomatic complexity; duplicate code; long functions
53
- - Design: god classes; circular dependencies; mixed concerns
54
- - Dependency: `npm audit` / equivalent; date of last update; deprecation warnings
55
- - Test: coverage report; tests marked .skip; flaky test history; CI duration
56
- - Doc: comments referencing old code; README age; broken links
57
- - Security: SAST findings; missing input validation; hardcoded secrets
58
- - Operational: manual steps in deploy; runbooks not updated; alerts without runbooks
59
- - Knowledge: single contributors to critical code; no comments on complex algorithms
60
-
61
- ### 2. Estimate cost to fix
62
-
63
- Per debt item, classify:
64
- - **S (small)**: <1 day, no behavior change
65
- - **M (medium)**: 1-3 days, possibly small behavior change
66
- - **L (large)**: 1-2 weeks, requires planning
67
- - **XL**: weeks-months, requires migration
68
-
69
- ### 3. Estimate impact of NOT fixing
70
-
71
- Per item:
72
- - **HIGH**: blocks a planned feature, security risk, customer pain
73
- - **MEDIUM**: slows team, occasional bugs, maintenance burden
74
- - **LOW**: cosmetic, no observable impact
75
-
76
- ### 4. Prioritize
77
-
78
- Priority = Impact × (1 / Cost). High-impact + small cost = top of list.
79
-
80
- | Priority | Definition |
81
- |----------|-----------|
82
- | **P0** | High impact + S/M cost. Do this sprint. |
83
- | **P1** | High impact + L cost OR Medium impact + S cost. Do this quarter. |
84
- | **P2** | Medium impact + M cost. Do when convenient. |
85
- | **P3** | Low impact OR XL cost without clear benefit. Backlog or ignore. |
111
+ ### 1. Orient and map
112
+ Detect languages/frameworks/build system from manifests; measure size and decide
113
+ exhaustive vs sampled (declare which). Locate entry points. Read the README to
114
+ learn intended behavior and maturity. Trace two or three primary flows end to
115
+ end. Record exclusions (vendored, generated, build output) and the commit/branch.
116
+
117
+ ### 2. Inventory across every dimension
118
+ Use search to find candidates, then **read the cited code to confirm** before
119
+ recording. A search hit is a lead, not a finding. Per dimension's indicators:
120
+ - Code: grep TODO/FIXME/HACK; complexity; duplication; long functions; dead code
121
+ - Design: god files; circular deps; mixed concerns; structure-vs-docs drift
122
+ - Security: read `.godpowers/harden/FINDINGS.md` first and cite it; only if it
123
+ is absent, do a lightweight read for untrusted input into queries/shell/paths/
124
+ HTML, secrets, weak crypto, and declared-but-unenforced guards
125
+ - Test: critical-path coverage; assertion-free or over-mocked tests; `.skip`
126
+ - Dependency: `npm audit` / equivalent; staleness; deprecations; pinning
127
+ - Error handling: empty catches; lost cause; missing timeouts; partial commits
128
+ - Performance: nested loops on large inputs; N+1; sync I/O on hot paths
129
+ - Docs: setup steps vs scripts; documented endpoints that do not exist
130
+ - Observability: structured logging; real vs paper health checks; config/secrets
131
+
132
+ ### 3. Verify adversarially and cluster
133
+ Try to refute each candidate. Assign **Severity** (Critical/High/Medium/Low),
134
+ **Confidence** (Confirmed/Likely/Suspected), and **Effort** (S under 1 day /
135
+ M 1-3 days / L 1-2 weeks / XL weeks). Cluster repeated instances into one
136
+ systemic finding, keeping the member IDs.
137
+
138
+ ### 4. Score and prioritize
139
+ Score each dimension 0-100 with its justification; the overall is the weighted
140
+ average with risk-capping. Bucket findings: **Quick wins** (High/Critical,
141
+ Confirmed, S), **Plan now** (High/Critical, M or L), **Verify first** (any
142
+ Suspected), **Backlog** (Low). Map to P0-P3: P0 = High impact + S/M; P1 = High
143
+ impact + L or Medium + S; P2 = Medium + M; P3 = Low or XL without clear benefit.
86
144
 
87
145
  ### 5. Output
88
146
 
89
- Write `.godpowers/tech-debt/REPORT.md`:
147
+ Write `.godpowers/tech-debt/REPORT.md`, self-contained for an acting agent with
148
+ no memory of the audit:
90
149
 
91
150
  ```markdown
92
- # Tech Debt Assessment
93
-
94
- Date: [ISO 8601]
95
- Scope: [path or "entire codebase"]
96
-
97
- ## Summary
98
-
99
- | Category | P0 | P1 | P2 | P3 | Total |
100
- |----------|----|----|----|----|-------|
101
- | Code | 3 | 5 | 12 | 8 | 28 |
102
- | Design | 1 | 2 | 4 | 1 | 8 |
103
- | Dependency | 0 | 1 | 3 | 7 | 11 |
104
- | ... | | | | | |
105
-
106
- Estimated debt: [N] person-weeks total
107
- P0+P1 paydown: [N] weeks (recommended next 1-2 sprints)
108
-
109
- ## P0 - Do this sprint
110
-
111
- | ID | Category | Description | Cost | Impact | Recommendation |
112
- |----|----------|-------------|------|--------|----------------|
113
- | D-001 | Security | SQL injection in /api/search | S | HIGH | Fix immediately; route to /god-hotfix |
114
- | D-002 | Test | Auth module has 0% coverage | M | HIGH | Add tests via /god-add-tests before any auth changes |
115
- | D-003 | Operational | Deploy script has manual step | S | MEDIUM | Automate; route to /god-deploy revisit |
116
-
117
- ## P1 - Do this quarter
118
-
119
- [Same structure]
120
-
121
- ## P2 - When convenient
122
-
123
- [Same structure]
124
-
125
- ## P3 - Backlog or ignore
126
-
127
- [Same structure; explanation if "ignore"]
128
-
129
- ## Recommended next steps
130
-
131
- 1. [Specific action with command, e.g., /god-hotfix for D-001]
132
- 2. [Specific action]
151
+ # Code Audit and Tech Debt Assessment
152
+
153
+ Date: [ISO 8601] | Scope: [path or "entire codebase"] | State: [commit/branch]
154
+ Read-only audit. Self-contained: every finding cites file:line and how to verify.
155
+
156
+ ## Snapshot
157
+ Languages, size, frameworks, entry points, evident maturity, coverage
158
+ (exhaustive or sampled, say what was sampled), exclusions.
159
+
160
+ ## Overall score
161
+ NN/100 - Grade X (label). Two-to-four sentence verdict. One-line calibration.
162
+
163
+ | Dimension | Score | Grade | Weight | Verdict |
164
+ |---|---|---|---|---|
165
+ | Security | NN | X | 20% | one-line specific verdict |
166
+ | ... | | | | |
167
+ | Overall | NN | X | 100% | weighted |
168
+
169
+ ## What to fix first
170
+ Ordered union of Quick wins + Plan now, Critical before High.
171
+ `[ID] title - severity, effort - one-line why`
172
+
173
+ ## Strengths (preserve these)
174
+ What the codebase does well, each with evidence. Do not refactor these away.
175
+
176
+ ## Systemic patterns (root causes)
177
+ One entry per recurring cause: what it is, member IDs, the one root fix.
178
+
179
+ ## Findings
180
+ Sorted by severity then dimension. Each finding:
181
+
182
+ ### [SEC-001] <title>
183
+ - Severity: <C/H/M/L> | Confidence: <Confirmed/Likely/Suspected> | Effort: <S/M/L/XL> | Dimension: <name>
184
+ - Location: `file:line` (+ others)
185
+ - Evidence: <what the code does now, precisely>
186
+ - Impact: <concrete consequence>
187
+ - Recommendation: <specific change and where; not a platitude>
188
+ - Verify the fix: <test to add / behavior to check / command to run>
189
+ - Related: <systemic pattern or finding IDs, or "none">
190
+
191
+ ## Remediation plan
192
+ Quick wins / Plan now (suggested order) / Verify first / Backlog, by ID. Map to
193
+ P0-P3. For each P0/P1, name the Godpowers command (for example /god-hotfix,
194
+ /god-debug, /god-add-tests, /god-update-deps).
195
+
196
+ ## Scope and limitations
197
+ What was and was not examined; sampling; assumptions that would change conclusions.
198
+
199
+ ## How to use this report (for the acting agent)
200
+ 1. Triage by severity and confidence. Confirmed Critical/High are safe to act on
201
+ now, in "What to fix first" order. Re-verify any Suspected finding first.
202
+ 2. Fix root causes (systemic patterns) before individual leaves.
203
+ 3. Preserve the strengths; do not refactor them away.
204
+ 4. One finding, one change, verified: run its "Verify the fix" after each fix;
205
+ keep changes atomic and traceable to the finding ID.
206
+ 5. Do not widen scope silently. Re-run the audit to confirm findings are
207
+ resolved, not relocated, and that no strength regressed.
133
208
  ```
134
209
 
210
+ ID prefixes by dimension: SEC, ARC, QUAL, TEST, ERR, PERF, DEP, DOC, OBS. Keep
211
+ IDs stable so a remediation loop can track each finding to closure.
212
+
135
213
  ## Have-Nots
136
214
 
137
215
  Debt assessment FAILS if:
138
- - All items in one priority bucket (no real prioritization)
139
- - Cost estimates without rationale
140
- - Impact estimates without specific consequences ("makes code messy" is not impact)
141
- - Recommendations without specific commands or workflows
142
- - "Comprehensive coverage" claim without grep evidence
143
- - Misses obvious categories (security debt with known CVEs)
216
+ - A dimension score has no justification tied to specific findings
217
+ - Any finding lacks a `file:line`, or a Severity/Confidence/Effort
218
+ - A recommendation is a platitude ("improve error handling", "add more tests")
219
+ - Repeated issues are left loose instead of clustered into a systemic pattern
220
+ - The Strengths section is missing
221
+ - "Comprehensive coverage" is claimed without grep evidence or a stated sample
222
+ - A Critical finding does not cap its dimension and the overall score
223
+ - Obvious categories are missed (security debt with known CVEs)
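Review bot: The priority buckets in "4. Score and prioritize" overlap: "Plan now (High/Critical, M or L)" carries no Confidence condition, so a Suspected High/M finding lands in both "Plan now" and "Verify first", while "Quick wins" does require Confirmed. Suggest "Plan now (High/Critical, Confirmed or Likely, M or L)" so the buckets partition the findings. The P0-P3 mapping has the same gap: it speaks of "High impact", "Medium" and "Low" but never says where Critical goes or what happens to Medium + L, even though the Severity scale defined above is Critical/High/Medium/Low; state both cases explicitly (for example, Critical maps as High, Medium + L is P2 unless XL). Finally, "risk-capping" is mentioned here and enforced by the Have-Nots line "A Critical finding does not cap its dimension and the overall score", but no ceiling is ever given; name the cap value once so the scoring rule and the failure condition agree.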
package/bin/install.js CHANGED
@@ -21,6 +21,7 @@ const { describeProfiles } = require('../lib/install-profiles');
21
21
  const commandFamilies = require('../lib/command-families');
22
22
  const identity = require('../lib/package-identity');
23
23
  const cliDispatch = require('../lib/cli-dispatch');
24
+ const { log, success, warn, error } = require('../lib/cli-log');
24
25
 
25
26
  const VERSION = identity.PACKAGE_VERSION;
26
27
 
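Review bot: `require('../lib/cli-log')` makes `bin/install.js` depend on a module this diff does not show; since this file is the `npx godpowers` entry point, a missing or unpublished `lib/cli-log.js` would turn every install into a MODULE_NOT_FOUND crash before the banner prints. Confirm the new file is covered by the package's published file set (the `files` field or `.npmignore`) and that the four destructured names (`log`, `success`, `warn`, `error`) are exported under exactly those names, because destructuring a missing export yields `undefined` and fails only at the first call site rather than at load.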
@@ -29,22 +30,6 @@ const BANNER = `
29
30
  Ship fast. Ship right. Ship everything.
30
31
  `;
31
32
 
32
- function log(msg) {
33
- console.log(` ${msg}`);
34
- }
35
-
36
- function success(msg) {
37
- console.log(` \x1b[32m+\x1b[0m ${msg}`);
38
- }
39
-
40
- function warn(msg) {
41
- console.log(` \x1b[33m!\x1b[0m ${msg}`);
42
- }
43
-
44
- function error(msg) {
45
- console.error(` \x1b[31mx\x1b[0m ${msg}`);
46
- }
47
-
48
33
  function showHelp() {
49
34
  console.log(BANNER);
50
35
  log('Usage: npx godpowers [command] [options]\n');
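Review bot: The removed helpers split output by level: `error` wrote to `console.error` (stderr) while `log`, `success` and `warn` wrote to `console.log` (stdout), and all three coloured variants emitted raw ANSI escapes unconditionally. The replacement in `lib/cli-log` is not part of this diff, so please confirm it keeps the stdout/stderr split; callers that capture stderr to detect install failures would otherwise see behaviour change silently. While centralising, consider honouring `NO_COLOR` and skipping the escapes when the stream is not a TTY, so piped or logged installer output stays clean.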