godpowers 3.11.0 → 3.13.1

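--- a/package/lib/state.js
+++ b/package/lib/state.js
@@ -53,10 +53,26 @@ const SUBSTEP_LABELS = {
  * @property {number} ordinal One-based step position.
  */
 
+ // Canonical project-relative location of the state file. Other modules that
+ // need to name state.json (gates, dispatch findings, audits) import this rather
+ // than re-typing the literal (ARC-002).
+ const STATE_FILE = '.godpowers/state.json';
+
  function statePath(projectRoot) {
  return path.join(projectRoot, '.godpowers', 'state.json');
  }
 
+ // A typed error so callers (e.g. the CLI dispatcher) can detect corrupt state
+ // by `err.code === 'CORRUPT_STATE'` instead of matching the message prose.
+ function corruptStateError(file, cause) {
+ const err = new Error(
+ `Corrupt state file at ${file}: ${cause.message}. ` +
+ `Fix the JSON or remove the file to let Godpowers reinitialize it.`
+ );
+ err.code = 'CORRUPT_STATE';
+ return err;
+ }
+
  function tierNumber(tierKey) {
  const match = String(tierKey).match(/^tier-(\d+)$/);
  return match ? Number(match[1]) : Number.MAX_SAFE_INTEGER;
@@ -88,10 +104,7 @@ function read(projectRoot) {
  try {
  return JSON.parse(raw);
  } catch (e) {
- throw new Error(
- `Corrupt state file at ${file}: ${e.message}. ` +
- `Fix the JSON or remove the file to let Godpowers reinitialize it.`
- );
+ throw corruptStateError(file, e);
  }
  }
 
@@ -144,10 +157,7 @@ async function readAsync(projectRoot) {
  try {
  return JSON.parse(raw);
  } catch (e) {
- throw new Error(
- `Corrupt state file at ${file}: ${e.message}. ` +
- `Fix the JSON or remove the file to let Godpowers reinitialize it.`
- );
+ throw corruptStateError(file, e);
  }
  }
 
@@ -421,6 +431,7 @@ module.exports = {
  updateSubStepAsync,
  hashFile,
  detectDrift,
+ STATE_FILE,
  statePath,
  isInitialized,
  isInitializedState,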
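Review bot: `corruptStateError` builds a fresh Error and discards the original parse exception, so its stack and type are lost to callers that now branch on `err.code`; keep it attached with `new Error(message, { cause })` or `err.cause = cause;`. The message still interpolates `cause.message`, which on recent Node versions can quote a fragment of the malformed JSON, so it is worth confirming that nothing sensitive in state.json can reach logs through this error. Separately, `statePath` still spells out `'.godpowers', 'state.json'` right below the new `STATE_FILE`, which contradicts the constant's own comment; `return path.join(projectRoot, STATE_FILE);` would leave one source of truth. The bodies of `read` and `readAsync` begin outside their hunks.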
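--- a/package/lib/sync-fs.js
+++ b/package/lib/sync-fs.js
@@ -0,0 +1,37 @@
+ /**
+ * Shared filesystem helpers for the lib/*-sync.js family.
+ *
+ * Every sync module used to redefine its own byte-identical read/write/exists/
+ * readJson against a project root (ARC-001). They now share these so a change
+ * to path handling or read semantics lives in one place. Module-specific log
+ * writers (appendLog) stay per-module because their headers and formats differ.
+ */
+
+ const fs = require('fs');
+ const path = require('path');
+
+ function read(projectRoot, relPath) {
+ const file = path.join(projectRoot, relPath);
+ if (!fs.existsSync(file)) return '';
+ return fs.readFileSync(file, 'utf8');
+ }
+
+ function write(projectRoot, relPath, content) {
+ const file = path.join(projectRoot, relPath);
+ fs.mkdirSync(path.dirname(file), { recursive: true });
+ fs.writeFileSync(file, content);
+ }
+
+ function exists(projectRoot, relPath) {
+ return fs.existsSync(path.join(projectRoot, relPath));
+ }
+
+ function readJson(projectRoot, relPath) {
+ try {
+ return JSON.parse(read(projectRoot, relPath));
+ } catch (err) {
+ return null;
+ }
+ }
+
+ module.exports = { read, write, exists, readJson };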
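Review bot: `read`, `write` and `exists` pass `relPath` straight into `path.join(projectRoot, relPath)`, so a value containing `..` segments resolves outside the project root. The callers are not visible here, but if any `relPath` is derived from state, recipe or agent-written content, these helpers would read or write files outside the project. A shared resolver that rejects paths leaving the root fits the module's stated goal of keeping path handling in one place; it does not cover symlinks inside the project, which would need an `fs.realpathSync` comparison. `readJson` also returns `null` for both a missing file and malformed JSON, which deserves a comment if it is intended.

```javascript
function resolveInside(projectRoot, relPath) {
  const root = path.resolve(projectRoot);
  const file = path.resolve(root, relPath);
  const rel = path.relative(root, file);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`Path escapes project root: ${relPath}`);
  }
  return file;
}

function read(projectRoot, relPath) {
  const file = resolveInside(projectRoot, relPath);
  // … unchanged: existsSync check and readFileSync …
}
// … write and exists resolve their path through resolveInside the same way …
```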
@@ -0,0 +1,19 @@
1
+ /**
2
+ * Small shared string helpers (QUAL-002).
3
+ *
4
+ * slugify is the canonical home for the "lowercase, collapse non-alphanumerics
5
+ * to '-', strip edge '-', truncate to 40 chars" contract. lib/evidence.js keeps
6
+ * its own copy on purpose: that module is vendored from the upstream engine and
7
+ * its helpers are provenance-tracked, so it must not import first-party code.
8
+ */
9
+
10
+ function slugify(text, fallback = '') {
11
+ const slug = String(text == null ? '' : text)
12
+ .toLowerCase()
13
+ .replace(/[^a-z0-9]+/g, '-')
14
+ .replace(/^-+|-+$/g, '')
15
+ .slice(0, 40);
16
+ return slug || fallback;
17
+ }
18
+
19
+ module.exports = { slugify };
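Review bot: `.slice(0, 40)` runs after the edge-hyphen strip in `slugify`, so an input whose 40th character is a separator yields a slug that ends in `-`, which contradicts the "strip edge '-'" wording in the header comment. If the result must stay byte-compatible with the copy in lib/evidence.js, say so in the header; otherwise add `.replace(/-+$/, '')` after the slice. Input with no ASCII letters or digits collapses to the empty string and returns `fallback`, so distinct inputs can share a slug and callers that use it for file or directory names should not assume uniqueness.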
@@ -6,6 +6,10 @@
6
6
  */
7
7
 
8
8
  const HELPER_GROUPS = {
9
+ 'context-bootstrap': [
10
+ 'pillars-detect',
11
+ 'pillars-init'
12
+ ],
9
13
  'standard-closeout': [
10
14
  'repo-doc-sync',
11
15
  'repo-surface-sync',
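--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "godpowers",
- "version": "3.11.0",
+ "version": "3.13.1",
  "description": "AI-powered development system: 120 slash commands and 40 specialist agents that take a project from raw idea to hardened production. Runs inside Claude Code, Codex, Cursor, Windsurf, Gemini, and 10+ other AI coding tools.",
  "bin": {
  "godpowers": "./bin/install.js"
@@ -24,7 +24,7 @@
  "test:e2e": "node tests/integration/full-arc.test.js",
  "test:mcp": "npm --workspace @godpowers/mcp test",
  "coverage": "c8 --reporter=text --reporter=lcov node scripts/run-tests.js",
- "coverage:lib": "c8 --include=lib/**/*.js --check-coverage --lines 90 --reporter=text node scripts/run-tests.js",
+ "coverage:lib": "c8 --include=lib/**/*.js --check-coverage --lines 90 --branches 75 --reporter=text node scripts/run-tests.js",
  "test:audit": "npm audit --omit=dev && git diff --check && npm run test:surface",
  "pack:check": "node scripts/check-package-contents.js",
  "pack:mcp:check": "npm --workspace @godpowers/mcp run pack:check",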
@@ -115,6 +115,13 @@ This converts existing Godpowers artifacts into managed source references in
115
115
  the relevant pillar files, so old projects are Pillar-ized as part of being
116
116
  Godpower-ized.
117
117
 
118
+ In the greenfield `full-arc` workflow this start-of-arc step is surfaced as the
119
+ tier-0 `context` job, whose `context-bootstrap` helper group expands to
120
+ `pillars-detect` (`lib/pillars.detect`) and `pillars-init` (`lib/pillars.init`).
121
+ The job uses `god-orchestrator` as a local runtime call, not a `god-context-writer`
122
+ spawn, so it changes nothing about the behavior described above; it only makes the
123
+ init visible in `/god-mode --plan` alongside the closeout `pillars-sync-plan`.
124
+
118
125
  Before each major command, compute the task-specific Pillars load set with
119
126
  `lib/pillars.computeLoadSet(projectRoot, taskText)`. Load `agents/context.md`
120
127
  and `agents/repo.md` first, then the routed primary pillars and their direct
@@ -367,6 +374,46 @@ after tests pass. If a git remote exists and the user passed an explicit push
367
374
  flag or the project intent says pushing is allowed, push after the green commit
368
375
  and then continue the project run. Pushing is not a terminal state.
369
376
 
377
+ ## Audit-Remediation Loop
378
+
379
+ Run a bounded audit-then-remediate loop in three cases: the `full-arc`
380
+ **`code-audit` step** (it runs `god-debt-assessor` after build and before the
381
+ shipping tier, because AI-generated code can miss things a per-slice review and
382
+ the security gate do not); intent like "audit and fix until clean" (the
383
+ `audit-remediate` recipe); and any standalone `/god-tech-debt` follow-up. In
384
+ `full-arc` the loop must drive Confirmed Critical and High findings to closure
385
+ (or pause them as blockers) before `deploy`, `harden`, and `launch` proceed. The
386
+ maker that fixes is never the checker that grades.
387
+
388
+ 1. **Audit (read-only).** Spawn `god-debt-assessor` in a fresh context. It writes
389
+ the scored, self-contained report to `.godpowers/tech-debt/REPORT.md` with
390
+ stable finding IDs (SEC-001, etc.), each carrying Severity, Confidence, Effort,
391
+ `file:line`, and a "Verify the fix" step.
392
+ 2. **Select.** Take the "What to fix first" list: Confirmed Critical and High,
393
+ worst-first, root causes (systemic patterns) before leaves. Re-verify any
394
+ Suspected finding against the cited code before touching it; never act on an
395
+ unconfirmed claim.
396
+ 3. **Drive each finding to closure** with an outcome loop so the loop is bounded
397
+ and self-arresting:
398
+ - `npx godpowers outcome start fix-<ID> --verify "<the finding's verify command>" --substep <tier.substep> --project=.`
399
+ - Spawn `god-debugger` (or the owning specialist) in a fresh context with only
400
+ that finding's evidence and touched files to draft the fix.
401
+ - Spawn an **independent** reviewer (`god-quality-reviewer`, or
402
+ `god-harden-auditor` for a SEC finding) in a fresh context to verify the fix
403
+ against the cited evidence and the project's tests. The maker does not grade
404
+ its own work.
405
+ - `npx godpowers outcome check fix-<ID> --project=.` runs the finding's verify
406
+ command and records the iteration. Repeat until the outcome succeeds or the
407
+ budget is exhausted.
408
+ - Never mark a finding resolved while `can-close` for its substep is red.
409
+ 4. **Re-audit.** Re-run `god-debt-assessor` and confirm findings are resolved,
410
+ not relocated, and that no Strength regressed. The loop is done when no
411
+ Confirmed Critical or High remains (or the agreed bucket is empty).
412
+ 5. **Pause, do not fake.** Anything that cannot be fixed within budget, or that
413
+ is `human-only` (scope, credentials, vendor/legal/Critical-security
414
+ acceptance), lands as a precise paused blocker with the finding ID, not a
415
+ silent skip. "Clean" is an evidence-backed re-audit, never a claim.
416
+
370
417
  ## Shipping Closure Protocol
371
418
 
372
419
  The shipping tier must not end by listing a broad provider checklist. God Mode
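Review bot: Step 3 passes "the finding's verify command" from `.godpowers/tech-debt/REPORT.md` into `outcome start --verify`, and `outcome check` then runs it, so text the audit agent wrote while reading the repository ends up executed as a command. The loop has an independent reviewer grade the fix, but nothing in these steps reviews the verify command itself before it runs. Consider adding a bullet before the `outcome start` line such as `Confirm the verify command is one of the project's existing test, lint or typecheck commands; otherwise pause the finding as a blocker.` How `outcome check` executes the string is not visible in this hunk.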
@@ -0,0 +1,30 @@
1
+ apiVersion: godpowers/v1
2
+ kind: Recipe
3
+ metadata:
4
+ name: audit-remediate
5
+ category: maintaining
6
+ description: "Audit the codebase, then drive the findings to zero"
7
+
8
+ triggers:
9
+ intent-keywords:
10
+ - "audit and fix"
11
+ - "fix all the audit findings"
12
+ - "drive the audit to clean"
13
+ - "remediate tech debt"
14
+ - "fix the codebase until clean"
15
+ - "pay down tech debt"
16
+ - "address all the findings"
17
+ - "code audit and fix"
18
+
19
+ sequences:
20
+ default:
21
+ description: "Audit the codebase, then drive the findings to zero"
22
+ steps:
23
+ - command: "/god-tech-debt"
24
+ why: "Score the codebase and write the prioritized, self-contained audit report (god-debt-assessor)"
25
+ - command: "/god-debug"
26
+ why: "Fix each Confirmed Critical/High finding worst-first; an independent reviewer verifies each fix against the cited evidence"
27
+ - command: "/god-tech-debt"
28
+ why: "Re-audit to confirm findings are resolved not relocated and no strength regressed; the orchestrator loops this under an outcome budget until clean"
29
+
30
+ default-sequence: default
@@ -16,7 +16,7 @@ Print version and a short capability summary.
16
16
  ```
17
17
  Godpowers v2.3.1
18
18
  Install: /Users/.../.claude/ (matches package.json)
19
- Surface: 120 skills, 40 agents, 13 workflows, 43 recipes
19
+ Surface: 120 skills, 40 agents, 13 workflows, 44 recipes
20
20
  Schema: intent.v1, state.v1, events.v1, workflow.v1, routing.v1, recipe.v1
21
21
  External integrations available: impeccable, agent-browser (others lazy)
22
22
  Feature awareness: planning-system migration, source-system sync-back, context refresh, dashboard status labels, repo documentation sync, repo surface sync, quick proof, request trace, release hardening, maintenance hardening
@@ -3,6 +3,15 @@
3
3
  # the agents in the order this file specifies. To preview without running,
4
4
  # use `/god-mode --workflow=<name> --plan`.
5
5
  #
6
+ # Native Pillars context (AGENTS.md + agents/context.md + agents/repo.md) is
7
+ # woven through this arc by the orchestrator's local runtime, not a specialist
8
+ # agent. It is now visible at both ends: the tier-0 `context` preamble runs
9
+ # context-bootstrap (lib/pillars.detect then lib/pillars.init) so a greenfield
10
+ # project is Pillar-ized before planning, and the `final-sync` standard-closeout
11
+ # runs pillars-sync-plan (lib/pillars.planArtifactSync) so the pillars reflect
12
+ # the artifacts the arc produced. Both are local runtime calls; see
13
+ # references/orchestration/GOD-ORCHESTRATOR-RUNBOOK.md "Native Pillars context".
14
+ #
6
15
  apiVersion: godpowers/v1
7
16
  kind: Workflow
8
17
  metadata:
@@ -15,8 +24,17 @@ metadata:
15
24
  on: [/god-mode]
16
25
 
17
26
  jobs:
27
+ context:
28
+ tier: 0
29
+ uses: god-orchestrator@^1.0.0
30
+ local-helper-groups:
31
+ - context-bootstrap
32
+ with:
33
+ action: pillars-bootstrap
34
+
18
35
  prd:
19
36
  tier: 1
37
+ needs: context
20
38
  uses: god-pm@^1.0.0
21
39
  with:
22
40
  template: PRD.md
@@ -62,9 +80,16 @@ jobs:
62
80
  verification:
63
81
  required: [test, lint, typecheck-or-check]
64
82
 
83
+ code-audit:
84
+ tier: 2
85
+ needs: build
86
+ uses: god-debt-assessor@^1.0.0
87
+ with:
88
+ mode: post-build-audit
89
+
65
90
  deploy:
66
91
  tier: 3
67
- needs: build
92
+ needs: code-audit
68
93
  uses: god-deploy-engineer@^1.0.0
69
94
  closure:
70
95
  on-missing-external-access: create-waiting-access-bundle
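Review bot: The new `code-audit` job declares no `blocks-on`, so in this file the only thing holding `deploy` and `harden` behind it is `needs: code-audit`. The runbook's requirement that Confirmed Critical and High findings be closed or paused before the shipping tier is therefore not expressed in the workflow itself. If the schema allows it on this job (the `harden` job further down uses it), adding `blocks-on:` with `- critical-finding: pause` would make the gate explicit. Whether `mode: post-build-audit` already implies a pause is not visible in this hunk.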
@@ -84,14 +109,21 @@ jobs:
84
109
 
85
110
  harden:
86
111
  tier: 3
87
- needs: build
112
+ needs: code-audit
88
113
  uses: god-harden-auditor@^1.0.0
89
114
  blocks-on:
90
115
  - critical-finding: pause
91
116
 
92
- launch:
117
+ docs:
93
118
  tier: 3
94
119
  needs: harden
120
+ uses: god-docs-writer@^1.0.0
121
+ with:
122
+ mode: product-docs-verify
123
+
124
+ launch:
125
+ tier: 3
126
+ needs: docs
95
127
  uses: god-launch-strategist@^1.0.0
96
128
  with:
97
129
  template: HARDEN-FINDINGS.md