godpowers 3.11.0 → 3.13.1
- package/CHANGELOG.md +107 -0
- package/README.md +23 -10
- package/RELEASE.md +22 -22
- package/agents/god-debt-assessor.md +179 -99
- package/bin/install.js +1 -16
- package/hooks/pre-tool-use.sh +52 -40
- package/lib/README.md +11 -1
- package/lib/artifact-map.js +6 -0
- package/lib/cli-dispatch.js +29 -20
- package/lib/cli-log.js +24 -0
- package/lib/dashboard.js +1 -10
- package/lib/evidence.js +50 -13
- package/lib/gate.js +2 -2
- package/lib/installer-args.js +140 -290
- package/lib/installer-core.js +1 -12
- package/lib/planning-systems.js +1 -4
- package/lib/recipe-coverage-sync.js +1 -11
- package/lib/release-surface-sync.js +2 -20
- package/lib/repo-doc-sync.js +1 -16
- package/lib/repo-surface-sync.js +1 -24
- package/lib/requirements.js +2 -5
- package/lib/route-quality-sync.js +1 -12
- package/lib/state.js +19 -8
- package/lib/sync-fs.js +37 -0
- package/lib/text-util.js +19 -0
- package/lib/workflow-helper-groups.js +4 -0
- package/package.json +2 -2
- package/references/orchestration/GOD-ORCHESTRATOR-RUNBOOK.md +47 -0
- package/routing/recipes/audit-remediate.yaml +30 -0
- package/skills/god-version.md +1 -1
- package/workflows/full-arc.yaml +35 -3
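--- a/package/lib/state.js
+++ b/package/lib/state.js
@@ -53,10 +53,26 @@ const SUBSTEP_LABELS = {
 * @property {number} ordinal One-based step position.
 */
 
+// Canonical project-relative location of the state file. Other modules that
+// need to name state.json (gates, dispatch findings, audits) import this rather
+// than re-typing the literal (ARC-002).
+const STATE_FILE = '.godpowers/state.json';
+
 function statePath(projectRoot) {
 return path.join(projectRoot, '.godpowers', 'state.json');
 }
 
+// A typed error so callers (e.g. the CLI dispatcher) can detect corrupt state
+// by `err.code === 'CORRUPT_STATE'` instead of matching the message prose.
+function corruptStateError(file, cause) {
+const err = new Error(
+`Corrupt state file at ${file}: ${cause.message}. ` +
+`Fix the JSON or remove the file to let Godpowers reinitialize it.`
+);
+err.code = 'CORRUPT_STATE';
+return err;
+}
+
 function tierNumber(tierKey) {
 const match = String(tierKey).match(/^tier-(\d+)$/);
 return match ? Number(match[1]) : Number.MAX_SAFE_INTEGER;
@@ -88,10 +104,7 @@ function read(projectRoot) {
 try {
 return JSON.parse(raw);
 } catch (e) {
-throw
-`Corrupt state file at ${file}: ${e.message}. ` +
-`Fix the JSON or remove the file to let Godpowers reinitialize it.`
-);
+throw corruptStateError(file, e);
 }
 }
 
@@ -144,10 +157,7 @@ async function readAsync(projectRoot) {
 try {
 return JSON.parse(raw);
 } catch (e) {
-throw
-`Corrupt state file at ${file}: ${e.message}. ` +
-`Fix the JSON or remove the file to let Godpowers reinitialize it.`
-);
+throw corruptStateError(file, e);
 }
 }
 
@@ -421,6 +431,7 @@ module.exports = {
 updateSubStepAsync,
 hashFile,
 detectDrift,
+STATE_FILE,
 statePath,
 isInitialized,
 isInitializedState,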
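Review bot: `statePath()` still builds the path from the literals `'.godpowers'` and `'state.json'` while the new `STATE_FILE` constant is documented as the canonical location, so the two can drift apart; `return path.join(projectRoot, STATE_FILE);` keeps a single source of truth. In `corruptStateError` the parse error survives only as text inside the message, so passing `{ cause }` as the second argument to `new Error(...)` would keep the original error attached for callers that branch on `err.code` (assuming the supported Node versions accept the option). Since `cause.message` from `JSON.parse` can quote a fragment of the file on recent runtimes, it is worth confirming that state.json never holds values that should stay out of logs. The bodies of `read` and `readAsync` begin outside their hunks.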
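--- a/package/lib/sync-fs.js
+++ b/package/lib/sync-fs.js
@@ -0,0 +1,37 @@
+/**
+* Shared filesystem helpers for the lib/*-sync.js family.
+*
+* Every sync module used to redefine its own byte-identical read/write/exists/
+* readJson against a project root (ARC-001). They now share these so a change
+* to path handling or read semantics lives in one place. Module-specific log
+* writers (appendLog) stay per-module because their headers and formats differ.
+*/
+
+const fs = require('fs');
+const path = require('path');
+
+function read(projectRoot, relPath) {
+const file = path.join(projectRoot, relPath);
+if (!fs.existsSync(file)) return '';
+return fs.readFileSync(file, 'utf8');
+}
+
+function write(projectRoot, relPath, content) {
+const file = path.join(projectRoot, relPath);
+fs.mkdirSync(path.dirname(file), { recursive: true });
+fs.writeFileSync(file, content);
+}
+
+function exists(projectRoot, relPath) {
+return fs.existsSync(path.join(projectRoot, relPath));
+}
+
+function readJson(projectRoot, relPath) {
+try {
+return JSON.parse(read(projectRoot, relPath));
+} catch (err) {
+return null;
+}
+}
+
+module.exports = { read, write, exists, readJson };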
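Review bot: `read`, `write` and `exists` pass `relPath` straight into `path.join(projectRoot, relPath)`, so a value containing `..` segments resolves outside the project root; now that every `*-sync.js` module shares these helpers, this is the one place to enforce containment. Whether any caller passes a `relPath` derived from project files or user input is not visible in this diff, so treat the check as defence in depth, and note that a lexical check like the one below does not cover symlinks inside the root. Separately, `readJson` returns `null` for a missing file, invalid JSON and a failed read alike, which hides permission or I/O errors from callers; a comment stating that this is deliberate best-effort behaviour would help.

```javascript
// Resolve relPath under projectRoot and refuse anything that lands outside it.
function resolveInside(projectRoot, relPath) {
  const root = path.resolve(projectRoot);
  const file = path.resolve(root, relPath);
  const rel = path.relative(root, file);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`Path escapes project root: ${relPath}`);
  }
  return file;
}

function read(projectRoot, relPath) {
  const file = resolveInside(projectRoot, relPath);
  // … unchanged: existsSync check and readFileSync …
}
// … write and exists resolve their path the same way; readJson is unchanged …
```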
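--- a/package/lib/text-util.js
+++ b/package/lib/text-util.js
@@ -0,0 +1,19 @@
+/**
+* Small shared string helpers (QUAL-002).
+*
+* slugify is the canonical home for the "lowercase, collapse non-alphanumerics
+* to '-', strip edge '-', truncate to 40 chars" contract. lib/evidence.js keeps
+* its own copy on purpose: that module is vendored from the upstream engine and
+* its helpers are provenance-tracked, so it must not import first-party code.
+*/
+
+function slugify(text, fallback = '') {
+const slug = String(text == null ? '' : text)
+.toLowerCase()
+.replace(/[^a-z0-9]+/g, '-')
+.replace(/^-+|-+$/g, '')
+.slice(0, 40);
+return slug || fallback;
+}
+
+module.exports = { slugify };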
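Review bot: `slugify` strips edge dashes before `.slice(0, 40)`, so a cut that lands on a separator leaves a trailing `-` in the result; trimming again after the slice, `.slice(0, 40).replace(/-+$/, '')`, avoids that, though `lib/evidence.js` is described as keeping its own copy and would need the same change to stay in step. The function has no doc comment of its own: a JSDoc block should state that `fallback` is returned as given, without being slugified, and that distinct inputs can produce the same slug (non-ASCII text collapses to dashes, and anything past 40 characters is dropped). If slugs end up as file or directory names, which this diff does not show, callers need their own collision handling.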
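--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "godpowers",
-"version": "3.
+"version": "3.13.1",
 "description": "AI-powered development system: 120 slash commands and 40 specialist agents that take a project from raw idea to hardened production. Runs inside Claude Code, Codex, Cursor, Windsurf, Gemini, and 10+ other AI coding tools.",
 "bin": {
 "godpowers": "./bin/install.js"
@@ -24,7 +24,7 @@
 "test:e2e": "node tests/integration/full-arc.test.js",
 "test:mcp": "npm --workspace @godpowers/mcp test",
 "coverage": "c8 --reporter=text --reporter=lcov node scripts/run-tests.js",
-"coverage:lib": "c8 --include=lib/**/*.js --check-coverage --lines 90 --reporter=text node scripts/run-tests.js",
+"coverage:lib": "c8 --include=lib/**/*.js --check-coverage --lines 90 --branches 75 --reporter=text node scripts/run-tests.js",
 "test:audit": "npm audit --omit=dev && git diff --check && npm run test:surface",
 "pack:check": "node scripts/check-package-contents.js",
 "pack:mcp:check": "npm --workspace @godpowers/mcp run pack:check",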
@@ -115,6 +115,13 @@ This converts existing Godpowers artifacts into managed source references in
|
|
|
115
115
|
the relevant pillar files, so old projects are Pillar-ized as part of being
|
|
116
116
|
Godpower-ized.
|
|
117
117
|
|
|
118
|
+
In the greenfield `full-arc` workflow this start-of-arc step is surfaced as the
|
|
119
|
+
tier-0 `context` job, whose `context-bootstrap` helper group expands to
|
|
120
|
+
`pillars-detect` (`lib/pillars.detect`) and `pillars-init` (`lib/pillars.init`).
|
|
121
|
+
The job uses `god-orchestrator` as a local runtime call, not a `god-context-writer`
|
|
122
|
+
spawn, so it changes nothing about the behavior described above; it only makes the
|
|
123
|
+
init visible in `/god-mode --plan` alongside the closeout `pillars-sync-plan`.
|
|
124
|
+
|
|
118
125
|
Before each major command, compute the task-specific Pillars load set with
|
|
119
126
|
`lib/pillars.computeLoadSet(projectRoot, taskText)`. Load `agents/context.md`
|
|
120
127
|
and `agents/repo.md` first, then the routed primary pillars and their direct
|
|
@@ -367,6 +374,46 @@ after tests pass. If a git remote exists and the user passed an explicit push
|
|
|
367
374
|
flag or the project intent says pushing is allowed, push after the green commit
|
|
368
375
|
and then continue the project run. Pushing is not a terminal state.
|
|
369
376
|
|
|
377
|
+
## Audit-Remediation Loop
|
|
378
|
+
|
|
379
|
+
Run a bounded audit-then-remediate loop in three cases: the `full-arc`
|
|
380
|
+
**`code-audit` step** (it runs `god-debt-assessor` after build and before the
|
|
381
|
+
shipping tier, because AI-generated code can miss things a per-slice review and
|
|
382
|
+
the security gate do not); intent like "audit and fix until clean" (the
|
|
383
|
+
`audit-remediate` recipe); and any standalone `/god-tech-debt` follow-up. In
|
|
384
|
+
`full-arc` the loop must drive Confirmed Critical and High findings to closure
|
|
385
|
+
(or pause them as blockers) before `deploy`, `harden`, and `launch` proceed. The
|
|
386
|
+
maker that fixes is never the checker that grades.
|
|
387
|
+
|
|
388
|
+
1. **Audit (read-only).** Spawn `god-debt-assessor` in a fresh context. It writes
|
|
389
|
+
the scored, self-contained report to `.godpowers/tech-debt/REPORT.md` with
|
|
390
|
+
stable finding IDs (SEC-001, etc.), each carrying Severity, Confidence, Effort,
|
|
391
|
+
`file:line`, and a "Verify the fix" step.
|
|
392
|
+
2. **Select.** Take the "What to fix first" list: Confirmed Critical and High,
|
|
393
|
+
worst-first, root causes (systemic patterns) before leaves. Re-verify any
|
|
394
|
+
Suspected finding against the cited code before touching it; never act on an
|
|
395
|
+
unconfirmed claim.
|
|
396
|
+
3. **Drive each finding to closure** with an outcome loop so the loop is bounded
|
|
397
|
+
and self-arresting:
|
|
398
|
+
- `npx godpowers outcome start fix-<ID> --verify "<the finding's verify command>" --substep <tier.substep> --project=.`
|
|
399
|
+
- Spawn `god-debugger` (or the owning specialist) in a fresh context with only
|
|
400
|
+
that finding's evidence and touched files to draft the fix.
|
|
401
|
+
- Spawn an **independent** reviewer (`god-quality-reviewer`, or
|
|
402
|
+
`god-harden-auditor` for a SEC finding) in a fresh context to verify the fix
|
|
403
|
+
against the cited evidence and the project's tests. The maker does not grade
|
|
404
|
+
its own work.
|
|
405
|
+
- `npx godpowers outcome check fix-<ID> --project=.` runs the finding's verify
|
|
406
|
+
command and records the iteration. Repeat until the outcome succeeds or the
|
|
407
|
+
budget is exhausted.
|
|
408
|
+
- Never mark a finding resolved while `can-close` for its substep is red.
|
|
409
|
+
4. **Re-audit.** Re-run `god-debt-assessor` and confirm findings are resolved,
|
|
410
|
+
not relocated, and that no Strength regressed. The loop is done when no
|
|
411
|
+
Confirmed Critical or High remains (or the agreed bucket is empty).
|
|
412
|
+
5. **Pause, do not fake.** Anything that cannot be fixed within budget, or that
|
|
413
|
+
is `human-only` (scope, credentials, vendor/legal/Critical-security
|
|
414
|
+
acceptance), lands as a precise paused blocker with the finding ID, not a
|
|
415
|
+
silent skip. "Clean" is an evidence-backed re-audit, never a claim.
|
|
416
|
+
|
|
370
417
|
## Shipping Closure Protocol
|
|
371
418
|
|
|
372
419
|
The shipping tier must not end by listing a broad provider checklist. God Mode
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
apiVersion: godpowers/v1
|
|
2
|
+
kind: Recipe
|
|
3
|
+
metadata:
|
|
4
|
+
name: audit-remediate
|
|
5
|
+
category: maintaining
|
|
6
|
+
description: "Audit the codebase, then drive the findings to zero"
|
|
7
|
+
|
|
8
|
+
triggers:
|
|
9
|
+
intent-keywords:
|
|
10
|
+
- "audit and fix"
|
|
11
|
+
- "fix all the audit findings"
|
|
12
|
+
- "drive the audit to clean"
|
|
13
|
+
- "remediate tech debt"
|
|
14
|
+
- "fix the codebase until clean"
|
|
15
|
+
- "pay down tech debt"
|
|
16
|
+
- "address all the findings"
|
|
17
|
+
- "code audit and fix"
|
|
18
|
+
|
|
19
|
+
sequences:
|
|
20
|
+
default:
|
|
21
|
+
description: "Audit the codebase, then drive the findings to zero"
|
|
22
|
+
steps:
|
|
23
|
+
- command: "/god-tech-debt"
|
|
24
|
+
why: "Score the codebase and write the prioritized, self-contained audit report (god-debt-assessor)"
|
|
25
|
+
- command: "/god-debug"
|
|
26
|
+
why: "Fix each Confirmed Critical/High finding worst-first; an independent reviewer verifies each fix against the cited evidence"
|
|
27
|
+
- command: "/god-tech-debt"
|
|
28
|
+
why: "Re-audit to confirm findings are resolved not relocated and no strength regressed; the orchestrator loops this under an outcome budget until clean"
|
|
29
|
+
|
|
30
|
+
default-sequence: default
|
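--- a/package/skills/god-version.md
+++ b/package/skills/god-version.md
@@ -16,7 +16,7 @@ Print version and a short capability summary.
 ```
 Godpowers v2.3.1
 Install: /Users/.../.claude/ (matches package.json)
-Surface: 120 skills, 40 agents, 13 workflows,
+Surface: 120 skills, 40 agents, 13 workflows, 44 recipes
 Schema: intent.v1, state.v1, events.v1, workflow.v1, routing.v1, recipe.v1
 External integrations available: impeccable, agent-browser (others lazy)
 Feature awareness: planning-system migration, source-system sync-back, context refresh, dashboard status labels, repo documentation sync, repo surface sync, quick proof, request trace, release hardening, maintenance hardening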
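--- a/package/workflows/full-arc.yaml
+++ b/package/workflows/full-arc.yaml
@@ -3,6 +3,15 @@
 # the agents in the order this file specifies. To preview without running,
 # use `/god-mode --workflow=<name> --plan`.
 #
+# Native Pillars context (AGENTS.md + agents/context.md + agents/repo.md) is
+# woven through this arc by the orchestrator's local runtime, not a specialist
+# agent. It is now visible at both ends: the tier-0 `context` preamble runs
+# context-bootstrap (lib/pillars.detect then lib/pillars.init) so a greenfield
+# project is Pillar-ized before planning, and the `final-sync` standard-closeout
+# runs pillars-sync-plan (lib/pillars.planArtifactSync) so the pillars reflect
+# the artifacts the arc produced. Both are local runtime calls; see
+# references/orchestration/GOD-ORCHESTRATOR-RUNBOOK.md "Native Pillars context".
+#
 apiVersion: godpowers/v1
 kind: Workflow
 metadata:
@@ -15,8 +24,17 @@ metadata:
 on: [/god-mode]
 
 jobs:
+context:
+tier: 0
+uses: god-orchestrator@^1.0.0
+local-helper-groups:
+- context-bootstrap
+with:
+action: pillars-bootstrap
+
 prd:
 tier: 1
+needs: context
 uses: god-pm@^1.0.0
 with:
 template: PRD.md
@@ -62,9 +80,16 @@ jobs:
 verification:
 required: [test, lint, typecheck-or-check]
 
+code-audit:
+tier: 2
+needs: build
+uses: god-debt-assessor@^1.0.0
+with:
+mode: post-build-audit
+
 deploy:
 tier: 3
-needs:
+needs: code-audit
 uses: god-deploy-engineer@^1.0.0
 closure:
 on-missing-external-access: create-waiting-access-bundle
@@ -84,14 +109,21 @@ jobs:
 
 harden:
 tier: 3
-needs:
+needs: code-audit
 uses: god-harden-auditor@^1.0.0
 blocks-on:
 - critical-finding: pause
 
-
+docs:
 tier: 3
 needs: harden
+uses: god-docs-writer@^1.0.0
+with:
+mode: product-docs-verify
+
+launch:
+tier: 3
+needs: docs
 uses: god-launch-strategist@^1.0.0
 with:
 template: HARDEN-FINDINGS.md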
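Review bot: The new `code-audit` job gates `deploy` and `harden` only through `needs: code-audit`, and unlike `harden` it declares no `blocks-on`, so nothing in this file says that a Confirmed Critical or High finding pauses the arc before the shipping tier. The runbook text added in the same release states that such findings must be closed or paused as blockers before `deploy`, `harden` and `launch` proceed, which leaves that rule to the orchestrator's prose instructions. If the workflow schema accepts the key on this job, adding `blocks-on:` with `- critical-finding: pause` under `code-audit` would express the gate in the workflow itself. Indentation is not preserved on this page, so the nesting of these keys is inferred.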