godpowers 3.13.1 → 3.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -7,6 +7,108 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ## [3.14.0] - 2026-06-17
11
+
12
+ UX-audit remediation release. Drives the Godpowers UX audit (`uxaudit.md`, 11
13
+ weighted experience lenses) to zero: all 20 findings across usability, content,
14
+ information architecture, interaction, process, journeys, and trust. The changes
15
+ are backward compatible and add no new commands; they tighten the install and
16
+ dashboard surfaces, broaden the free-text router, and rewrite the front-door
17
+ docs. No public command/agent/workflow/recipe surface change (counts stay
18
+ 120 / 40 / 13 / 44); lib module count unchanged at 91.
19
+
20
+ ### Added
21
+ - **`docs/README.md` documentation index (IA-004):** a "Start here" section
22
+ linking every user-facing doc and a separate "Internal and maintainer" section
23
+ for the rest, so a reader landing in `docs/` can tell which is which.
24
+ - **`--help` "Start here" group (CNT-004):** `npx godpowers --help` now leads
25
+ with a 6-item common-command group above two labelled advanced groups
26
+ (ledger/evidence, workflow/tooling), mirroring the install-success copy.
27
+
28
+ ### Changed
29
+ - **Install/surface argument validation (USE-001, USE-002, USE-003):** a typo'd
30
+ bare subcommand now errors instead of silently starting a global install; an
31
+ unknown `--profile` is a clean one-line error before any filesystem write, not
32
+ a mid-install stack trace; `surface --runtime=<bad>` is rejected instead of
33
+ planning an apply to a nonexistent runtime.
34
+ - **Dashboard and report display honesty (USE-004, CNT-005, CNT-006, IXD-001):**
35
+ `status --full` shows `Phase/Step: not initialized` (not `Complete`) on an
36
+ uninitialized project; the readiness headline reads `no blockers` instead of
37
+ the overloaded `ready`; the empty `report` names the commands that populate
38
+ the ledger; `next` no longer prints the recommended command a third time.
39
+ - **Free-text router accuracy (IA-001, IA-002):** broadened `intent-keywords`
40
+ for the highest-traffic recipes so common verbs match a topical recipe (fix a
41
+ bug, ship it, deploy, release, check progress); `classifyWorkSize` returns
42
+ null when no small-task signal is present instead of confidently mis-sizing an
43
+ unrelated intent as `/god-quick`.
44
+ - **Skipped-step progress honesty (JRN-002):** `progressSummary` exposes a
45
+ `skipped` count and the dashboard progress line annotates it
46
+ (`... 2 of 13 complete, 2 skipped`) so a run that skipped tiers no longer
47
+ shows a silently inflated percent.
48
+ - **Close-gate honesty (PROC-001):** `can-close` output, the `canClose`
49
+ docstring, and the orchestrator runbook now state that `can-close` is the
50
+ advisory since-in-flight freshness check and `npx godpowers gate` is the
51
+ mechanically enforced boundary, closing the described-gate vs gate-that-runs
52
+ gap.
53
+ - **README front door (CNT-001, CNT-002, CNT-003):** the top fold is now
54
+ tagline -> what/who -> Quick start (install + `/god-mode`) -> inline glossary
55
+ -> why it exists; version-history prose moved to a one-line CHANGELOG/RELEASE
56
+ pointer; dense proof prose became a scannable list.
57
+ - **Command descriptions (IA-003):** the worst offenders lead with the
58
+ user-intent verb (`/god-smite` -> "Clear the dependency cache"; `/god-org-context`
59
+ -> "Set up or read organization-level context"); the `/god-reconcile` (before,
60
+ read-only) vs `/god-sync` (after, write-back) overlap is disambiguated.
61
+ - **Resume clarity (JRN-001):** the README states that plain `/god-mode` resumes
62
+ from disk (no `--yolo` needed) and distinguishes `/god-resume-work`; the
63
+ generated CHECKPOINT new-session block names the canonical arc-resume command.
64
+ - **Trust claims (TRU-001, TRU-002):** SECURITY.md softens the 7/14-day SLA to
65
+ best-effort targets; the runtime headline no longer implies 15-way parity and
66
+ points to the honest Runtime Expectations table.
67
+
68
+ ## [3.13.2] - 2026-06-17
69
+
70
+ Maintenance release that drives a third self-audit (`codeaudit.md`) to zero: one
71
+ Medium and twelve Low findings across de-duplication, error handling, security
72
+ hardening, the test gate, and docs. No public command/agent/workflow/recipe
73
+ surface change (counts stay 120 / 40 / 13 / 44); lib module count 90 -> 91.
74
+
75
+ ### Changed
76
+ - **Shared sync check-builder (ARC-001):** the four `*-sync` modules no longer
77
+ copy-paste `addCheck`/`listFiles`; they share `lib/sync-check.js` (full
78
+ `addCheck` for the aggregator, area-bound `makeAddCheck` for the rest).
79
+ - **Per-file coverage floor (TEST-001):** `coverage:lib` now emits a json-summary
80
+ and `scripts/check-per-file-coverage.js` (in `release:check`) fails any lib
81
+ module below 70% lines (excluding the two environment-bound browser drivers),
82
+ so a single file can no longer rot while the aggregate stays green.
83
+ - **De-duplication and cleanup (QUAL-001/002/003):** removed dead helpers
84
+ (two unused `rel()`, an unused `sha`), added `sync-fs.readTextOrNull` adopted by
85
+ `requirements.js` (which now sources PRD/ROADMAP paths from `artifact-map`), and
86
+ fixed a boolean/string status wart in `repo-surface-sync`.
87
+ - **Pillars delineation (ARC-002):** `pillars.js` now has section dividers
88
+ separating the model and artifact-sync halves (a full split was deferred; the
89
+ halves share construction functions that are public API).
90
+
91
+ ### Fixed
92
+ - **Reverse-sync error visibility (ERR-001):** the requirements step now writes
93
+ state before the ledger and surfaces a caught error as `requirementsError`
94
+ instead of silently nulling it.
95
+
96
+ ### Security
97
+ - **MCP module-name guard (SEC-001):** `requireRuntime` rejects any name that is
98
+ not a plain lib basename (defense-in-depth).
99
+ - **YAML recursion cap (SEC-002):** `intent.cleanArrays` caps recursion depth so a
100
+ pathologically deep file cannot overflow the stack.
101
+
102
+ ### Performance
103
+ - **have-nots regex (PERF-001):** `findPositions` compiles its regex once instead
104
+ of per line. The whole-ledger read in `evidence.readJsonl` is documented as
105
+ bounded/acceptable with an opt-in prune noted for the future (PERF-002).
106
+
107
+ ### Docs
108
+ - **Absolute README doc links (DOC-001):** `docs/` is deliberately excluded from
109
+ the package, so the README's `docs/*` links are now absolute GitHub URLs that
110
+ resolve on the npm page and in the tarball.
111
+
10
112
  ## [3.13.1] - 2026-06-16
11
113
 
12
114
  Maintenance release that drives a full self-audit (`codeaudit.md`) to zero: one
package/README.md CHANGED
@@ -2,7 +2,7 @@
2
2
 
3
3
  [![CI](https://github.com/aihxp/godpowers/actions/workflows/ci.yml/badge.svg)](https://github.com/aihxp/godpowers/actions/workflows/ci.yml)
4
4
  [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
5
- [![Version](https://img.shields.io/badge/version-3.13.1-blue)](CHANGELOG.md)
5
+ [![Version](https://img.shields.io/badge/version-3.14.0-blue)](CHANGELOG.md)
6
6
  [![npm](https://img.shields.io/npm/v/godpowers.svg)](https://www.npmjs.com/package/godpowers)
7
7
 
8
8
  **Ship fast. Ship right. Ship everything. Ship accountably.**
@@ -12,66 +12,53 @@ idea to hardened production. It runs as **slash commands inside your AI coding
12
12
  tool** (Claude Code, Codex, Cursor, etc.) that orchestrate **specialist agents**
13
13
  in fresh contexts to do the work.
14
14
 
15
- Want the short proof first? Start with [Quick Proof](docs/quick-proof.md) to
16
- run `npx godpowers quick-proof --project=. --brief`, see outcome metrics, pick
17
- a starter command set, and understand runtime expectations before reading the
18
- full reference. The [First 10 Minute Proof Case Study](docs/case-studies/first-10-minute-proof.md)
19
- shows the same evidence as a before-and-after adoption story. External
20
- CLI-verifiable canaries now cover [sindresorhus/is](docs/case-studies/sindresorhus-is-adoption-canary.md),
21
- [expressjs/cors](docs/case-studies/expressjs-cors-adoption-canary.md), and
22
- [tinyhttp/tinyhttp](docs/case-studies/tinyhttp-adoption-canary.md), with host
23
- slash-command gaps called out rather than hidden.
24
- Host-run proof studies now cover [slugify-cli](docs/case-studies/run-a.md),
25
- [Countdown](docs/case-studies/run-b.md), and
26
- [react-github-readme-button](docs/case-studies/run-c.md), including one
27
- blocked harden run recorded as evidence instead of hidden as success.
15
+ ## Quick start
16
+
17
+ ```bash
18
+ # 1. Install for your AI coding tool (Claude Code shown; other tools under Install)
19
+ npx godpowers --claude --global --profile=core
20
+ ```
21
+
22
+ Then, inside your AI tool:
23
+
24
+ ```
25
+ /god # describe what you want in plain language; it routes you
26
+ /god-mode # run the full arc from idea to hardened production, autonomously
27
+ ```
28
+
29
+ Prefer to try before installing? `npx godpowers quick-proof --project=. --brief`
30
+ prints disk-state evidence, missing-artifact visibility, a next command, and
31
+ host guarantees against a shipped fixture, no install required.
32
+
33
+ New to the vocabulary? Quick glosses: `arc` (a full project run from idea to
34
+ launch), `tier` (a phase of that run), `have-nots` (the artifact-quality checks
35
+ every output must pass), `quarterback` (the single orchestrator that routes each
36
+ step), `Pillars` (the durable project-context files), `bluefield` (a new project
37
+ inside an established org). Full definitions are in
38
+ [docs/concepts.md](https://github.com/aihxp/godpowers/blob/main/docs/concepts.md).
39
+
40
+ ## Why it exists
28
41
 
29
42
  Godpowers makes AI coding accountable: every serious run should leave disk
30
43
  state, artifacts, validation gates, host guarantees, and a next action. Code is
31
- only one output. The project memory and proof trail matter too.
32
-
33
- Version 3.13.1 is a maintenance release that drives a full self-audit to zero:
34
- the runtime ledger no longer loses verification records under concurrent writes,
35
- the `outcome check` verifier and the pre-tool-use hook are hardened, the
36
- `*-sync` modules share one filesystem helper, the argument parser is table-driven,
37
- branch coverage is now gated, and the architecture map is kept in lockstep by a
38
- machine guard. Version 3.13.0 makes the default greenfield arc (`/god-mode`) miss
39
- less. The one-shot `full-arc` workflow now runs a whole-codebase code audit after the
40
- build (so it catches what the per-slice reviews missed in AI-generated code) and
41
- a documentation pass after harden (so the shipped product has docs verified
42
- against the code, not vibes). The arc goes build, code-audit, deploy, observe,
43
- harden, docs, launch, final-sync: per-slice review, whole-codebase audit plus
44
- remediation, a security gate, and verified docs before launch. This builds on
45
- 3.12.x, which made that code audit codeauditor-grade: `god-debt-assessor`
46
- (`/god-tech-debt`) produces a scored, prioritized, self-contained source-code
47
- audit across nine weighted dimensions, and the `audit-remediate` recipe drives
48
- the findings to zero (audit, fix worst-first with an independent reviewer,
49
- re-audit, bounded by an outcome budget, with the can't-fake-done gate ensuring
50
- "clean" is evidence-backed). It all sits on top of the completed Mythify fusion
51
- (the evidence producer, enforced close-on-evidence, the quarterback, work report,
52
- reflections, memory, lessons, outcome loops, MCP read tools, and ledger importer). The current 3.x line keeps
53
- the omitted installer profile on `core`, keeps first-run, demo, and
54
- surface-control entry points, preserves `--profile=full` for compatibility,
55
- keeps locate and lifecycle views under `/god-status`, ships the optional
56
- `@godpowers/mcp` companion package, and verifies docs, package contents, npm
57
- metadata, GitHub release state, and published install behavior before public
58
- release.
59
-
60
- Maintainer hardening continues on the 3.x line with small, audited public
61
- surface updates when they close real workflow gaps. Historical release details
62
- live in [CHANGELOG.md](CHANGELOG.md), while the current release status lives in
63
- [RELEASE.md](RELEASE.md).
64
-
65
- Strict release readiness remains fail-closed. Godpowers requires delegated
66
- release checks to cover root docs, docs, agents, skills, routing, workflows,
67
- schema, templates, references, hooks, lib, scripts, tests, fixtures, GitHub
68
- workflows, package metadata, npm, GitHub release, CI, publish workflow, and
69
- local install state before a human-approved release executor can run.
70
-
71
- The dashboard now starts with an action brief and a host guarantee line: the
72
- next command, why it is recommended, whether the project is ready, the first
73
- blockers that need attention, and whether the current host can provide full,
74
- degraded, or unknown runtime guarantees.
44
+ only one output; the project memory and proof trail matter too.
45
+
46
+ ### See it work
47
+
48
+ - [Quick Proof](https://github.com/aihxp/godpowers/blob/main/docs/quick-proof.md): run `npx godpowers quick-proof --project=. --brief` for outcome metrics, a starter command set, and runtime expectations.
49
+ - [First 10 Minute Proof Case Study](https://github.com/aihxp/godpowers/blob/main/docs/case-studies/first-10-minute-proof.md): the same evidence as a before-and-after adoption story.
50
+ - Independent, CLI-verifiable canaries: [sindresorhus/is](https://github.com/aihxp/godpowers/blob/main/docs/case-studies/sindresorhus-is-adoption-canary.md), [expressjs/cors](https://github.com/aihxp/godpowers/blob/main/docs/case-studies/expressjs-cors-adoption-canary.md), [tinyhttp/tinyhttp](https://github.com/aihxp/godpowers/blob/main/docs/case-studies/tinyhttp-adoption-canary.md). Host slash-command gaps are called out, not hidden.
51
+ - Host-run proof studies: [slugify-cli](https://github.com/aihxp/godpowers/blob/main/docs/case-studies/run-a.md), [Countdown](https://github.com/aihxp/godpowers/blob/main/docs/case-studies/run-b.md), [react-github-readme-button](https://github.com/aihxp/godpowers/blob/main/docs/case-studies/run-c.md), including one blocked harden run kept as evidence.
52
+
53
+ The dashboard leads with an action brief and a host guarantee line: the next
54
+ command, why it is recommended, whether the project is ready, the first blockers
55
+ that need attention, and whether the host can provide full, degraded, or unknown
56
+ runtime guarantees.
57
+
58
+ **What's new:** [CHANGELOG.md](CHANGELOG.md) holds release history and
59
+ [RELEASE.md](RELEASE.md) the current release status. Strict release readiness is
60
+ fail-closed: a human-approved release executor runs only after delegated checks
61
+ cover docs, package metadata, npm, GitHub release, CI, and local install state.
75
62
 
76
63
  ### Ten Minute Proof Path
77
64
 
@@ -183,7 +170,7 @@ instead of pretending a background agent ran.
183
170
  | Other install targets | Skills and agent contracts install, while host-native spawning depends on the tool. |
184
171
  | Degraded hosts | Godpowers must report local-only or simulated agent behavior instead of hiding the limitation. |
185
172
 
186
- See [Host capabilities](docs/host-capabilities.md) for the detailed guarantee
173
+ See [Host capabilities](https://github.com/aihxp/godpowers/blob/main/docs/host-capabilities.md) for the detailed guarantee
187
174
  model.
188
175
 
189
176
  ## Usage
@@ -334,17 +321,17 @@ dependency to the main `godpowers` package:
334
321
 
335
322
  ```bash
336
323
  npx godpowers mcp-info --project=.
337
- npx -y -p godpowers@3.13.1 -p @godpowers/mcp@3.13.1 godpowers-mcp serve --project=.
324
+ npx -y -p godpowers@3.14.0 -p @godpowers/mcp@3.14.0 godpowers-mcp serve --project=.
338
325
  ```
339
326
 
340
327
  The companion exposes `status`, `next`, `gate_check`, `lint_artifact`, and
341
328
  `trace_requirement`. Host registration is opt-in:
342
329
 
343
330
  ```bash
344
- npx -y -p godpowers@3.13.1 -p @godpowers/mcp@3.13.1 godpowers-mcp setup --host=codex --project=. --write
331
+ npx -y -p godpowers@3.14.0 -p @godpowers/mcp@3.14.0 godpowers-mcp setup --host=codex --project=. --write
345
332
  ```
346
333
 
347
- See [MCP Companion](docs/mcp.md) for package boundaries and setup details.
334
+ See [MCP Companion](https://github.com/aihxp/godpowers/blob/main/docs/mcp.md) for package boundaries and setup details.
348
335
 
349
336
  ### Slash Commands
350
337
 
@@ -377,10 +364,10 @@ See [MCP Companion](docs/mcp.md) for package boundaries and setup details.
377
364
  | `/god-dogfood` | Run messy-repo dogfood scenarios for release and autonomy readiness | (built-in) |
378
365
  | `/god-migrate` | Detect legacy planning, BMAD, and Superpowers context; import and sync back | god-greenfieldifier when needed |
379
366
  | `/god-preflight` | Read-only intake audit before project-run readiness and pillars | god-auditor |
380
- | `/god-audit` | Score artifacts against have-nots | god-auditor |
367
+ | `/god-audit` | Score artifacts against the have-nots quality checklist | god-auditor |
381
368
  | `/god-debug` | 4-phase systematic debug | god-debugger |
382
369
  | `/god-review` | Two-stage code review | god-spec-reviewer + god-quality-reviewer |
383
- | `/god-lint` | Mechanically validate artifacts against have-nots | (built-in) |
370
+ | `/god-lint` | Mechanically validate artifacts against the have-nots checklist | (built-in) |
384
371
  | `/god-scan` | Rebuild linkage map from code; run reverse-sync | (built-in) |
385
372
  | `/god-link` | Manually add or remove a code-artifact link | (built-in) |
386
373
  | `/god-design-impact` | What-if analysis on DESIGN.md changes | (built-in) |
@@ -424,8 +411,12 @@ files, changed public behavior, and verification before editing. Reviewers
424
411
  block speculative flexibility, unrelated cleanup, and any touched file that
425
412
  does not trace back to the request or slice plan.
426
413
 
427
- If `.godpowers` state already exists, `/god-mode --yolo` resumes from disk
428
- instead of asking for the project description again.
414
+ If `.godpowers` state already exists, plain `/god-mode` resumes the arc from
415
+ disk (it reads `CHECKPOINT.md`) instead of asking for the project description
416
+ again; `--yolo` is not required to resume, it only changes how many pauses the
417
+ run takes. To resume a manual handoff created by `/god-pause-work`, use
418
+ `/god-resume-work` (it reads `HANDOFF.md`). Either way, `/god-status` and
419
+ `/god-next` are always safe re-entry points that report where the run stands.
429
420
 
430
421
  Under `--yolo`, Godpowers also auto-applies Pillars sync proposals when
431
422
  durable `.godpowers` artifacts change project truth. The decision is logged to
@@ -612,22 +603,25 @@ options with tradeoffs, and a default if the user just says "go".
612
603
 
613
604
  ## Supported Tools
614
605
 
615
- 15 first-class runtimes: Claude Code, Codex, Cursor, Windsurf, Gemini CLI,
606
+ Installs for 15 runtimes: Claude Code, Codex, Cursor, Windsurf, Gemini CLI,
616
607
  OpenCode, Copilot, Augment, Trae, Cline, Kilo, Antigravity, Qwen, CodeBuddy,
617
608
  Pi. T3 Code inherits from the underlying agent (Codex / Claude / OpenCode).
609
+ Support is not uniform: Claude Code and Codex are the reference-grade paths; on
610
+ the other targets the skills and agent contracts install but host-native agent
611
+ spawning depends on the tool. See the Runtime Expectations table above.
618
612
 
619
613
  ## Full reference
620
614
 
621
- - [Getting Started](docs/getting-started.md)
622
- - [Quick Proof](docs/quick-proof.md)
623
- - [First 10 Minute Proof Case Study](docs/case-studies/first-10-minute-proof.md)
624
- - [Concepts](docs/concepts.md)
625
- - [Command reference (all 120 skills + 40 agents)](docs/reference.md)
626
- - [Feature awareness](docs/feature-awareness.md)
627
- - [Adoption Canary](docs/adoption-canary.md)
628
- - [Repository documentation sync](docs/repo-doc-sync.md)
629
- - [Repository surface sync](docs/repo-surface-sync.md)
630
- - [Roadmap](docs/ROADMAP.md)
615
+ - [Getting Started](https://github.com/aihxp/godpowers/blob/main/docs/getting-started.md)
616
+ - [Quick Proof](https://github.com/aihxp/godpowers/blob/main/docs/quick-proof.md)
617
+ - [First 10 Minute Proof Case Study](https://github.com/aihxp/godpowers/blob/main/docs/case-studies/first-10-minute-proof.md)
618
+ - [Concepts](https://github.com/aihxp/godpowers/blob/main/docs/concepts.md)
619
+ - [Command reference (all 120 skills + 40 agents)](https://github.com/aihxp/godpowers/blob/main/docs/reference.md)
620
+ - [Feature awareness](https://github.com/aihxp/godpowers/blob/main/docs/feature-awareness.md)
621
+ - [Adoption Canary](https://github.com/aihxp/godpowers/blob/main/docs/adoption-canary.md)
622
+ - [Repository documentation sync](https://github.com/aihxp/godpowers/blob/main/docs/repo-doc-sync.md)
623
+ - [Repository surface sync](https://github.com/aihxp/godpowers/blob/main/docs/repo-surface-sync.md)
624
+ - [Roadmap](https://github.com/aihxp/godpowers/blob/main/docs/ROADMAP.md)
631
625
  - [Release Notes](RELEASE.md)
632
626
  - [Changelog](CHANGELOG.md)
633
627
  - [Inspiration](INSPIRATION.md)
package/RELEASE.md CHANGED
@@ -1,41 +1,41 @@
1
- # Godpowers 3.13.1 Release
1
+ # Godpowers 3.14.0 Release
2
2
 
3
- > Status: Prepared
4
- > Date: 2026-06-16
3
+ > Status: Pending
4
+ > Date: 2026-06-17
5
5
 
6
- [DECISION] Godpowers 3.13.1 is a maintenance release that drives a full self-audit (`codeaudit.md`, codeauditor-grade, nine weighted dimensions) to zero. It fixes one High finding plus the Medium and Low findings across runtime correctness, security hardening, the test gate, documentation, and de-duplication.
7
- [DECISION] No new skill, agent, workflow, or recipe surface is added or removed. Surface counts are unchanged from 3.13.0: 120 slash commands, 40 specialist agents, 13 workflows, 44 recipes.
8
- [DECISION] This release keeps `core` as the omitted installer profile, keeps `--profile=full` as the complete compatibility surface, and keeps the full 3.1.0-3.13.0 surface (fusion + codeauditor-grade audit + remediation loop + audited/documented greenfield arc).
6
+ [DECISION] Godpowers 3.14.0 is a UX-audit remediation release that drives the Godpowers UX audit (`uxaudit.md`, 11 weighted experience lenses) to zero: all 20 findings across usability, content, information architecture, interaction, process, journeys, and trust.
7
+ [DECISION] The changes are backward compatible and add no new commands. They tighten the install and dashboard surfaces, broaden the free-text router, restructure `--help`, add a docs index, and rewrite the front-door documentation. This is a minor bump because it adds backward-compatible user-facing functionality.
8
+ [DECISION] No new skill, agent, workflow, or recipe surface is added or removed. Surface counts are unchanged: 120 slash commands, 40 specialist agents, 13 workflows, 44 recipes. The lib module count is unchanged at 91.
9
9
 
10
10
  ## What's in this release
11
11
 
12
- - [DECISION] Runtime correctness: `lib/evidence.js` `appendJsonlAtomic` now appends with `fs.appendFileSync` (O_APPEND) instead of a read-modify-write, so concurrent `verify`/`outcome check` processes no longer lose ledger records and the append is no longer O(n) (ERR-001). A `maxBuffer` overflow is surfaced distinctly instead of as a plain failure (ERR-003).
13
- - [DECISION] Security hardening: the pre-tool-use hook is reframed as a best-effort advisory typo guard and matches more destructive-command variants (SEC-001); `outcome check` announces a disk-sourced verifier before running it (SEC-002); the `LEDGER-LOG.md` command echo masks obvious secret shapes and `SECURITY.md` documents the ledger and Codex-sandbox trust boundaries (SEC-003, SEC-004); `SECURITY.md` replaces the non-existent `npm install --verify` with `npm audit signatures` (DOC-002).
14
- - [DECISION] Test gate: `coverage:lib` now enforces `--branches 75` (TEST-001); a new `scripts/test-runtime-audit.js` raises `lib/runtime-audit.js` line coverage from 68.8% to 77.8% (TEST-002); `scripts/test-router.js` no longer shares cumulative state across tests and cleans up its temp dirs (TEST-003); new `scripts/test-hooks.js`, `scripts/test-cli-log.js`, and `scripts/test-text-util.js` cover the new code.
15
- - [DECISION] De-duplication: the five `*-sync` modules share `lib/sync-fs.js`; the ANSI logger moves to `lib/cli-log.js` and `slugify` to `lib/text-util.js`; `installer-args.parseArgs` is now table-driven (ARC-001, QUAL-001, QUAL-002).
16
- - [DECISION] Documentation: `ARCHITECTURE-MAP.md` counts are regenerated and now machine-guarded by `scripts/test-doc-surface-counts.js`; `state.STATE_FILE` is the canonical state-file constant and `artifact-map.js`'s scope is documented accurately (DOC-001, DOC-003, ARC-002).
17
- - [DECISION] Re-audit follow-ups: a fresh self-audit confirmed no regressions and closed the residual gaps it found - `installer-core.js` imports the shared logger (QUAL-003); `dashboard.js`/`planning-systems.js` consume `sync-fs` (ARC-003); the `lib/README` module catalog is complete and now guarded by a completeness check (DOC-004); the ledger-append comment is corrected (DOC-005); the corrupt-state error is typed rather than message-matched (ERR-004); and the hook tests assert each warning's text (TEST-005).
12
+ - [DECISION] Install and surface validation (USE-001, USE-002, USE-003): a typo'd bare subcommand errors instead of silently starting a global install; an unknown `--profile` is a clean one-line error before any filesystem write; `surface --runtime=<bad>` is rejected instead of planning an apply to a nonexistent runtime.
13
+ - [DECISION] Dashboard and report display honesty (USE-004, CNT-005, CNT-006, IXD-001): `status --full` shows `Phase/Step: not initialized` instead of `Complete` on an uninitialized project; the readiness headline reads `no blockers` instead of the overloaded `ready`; the empty `report` names the commands that populate the ledger; `next` no longer prints the recommended command a third time.
14
+ - [DECISION] Free-text router accuracy (IA-001, IA-002): broadened `intent-keywords` so common verbs match a topical recipe (fix a bug, ship it, deploy, release, check progress); `classifyWorkSize` returns null when no small-task signal is present instead of mis-sizing an unrelated intent as `/god-quick`.
15
+ - [DECISION] Process and journey honesty (PROC-001, JRN-002): `can-close` output, its docstring, and the orchestrator runbook now state that `can-close` is the advisory freshness check and `npx godpowers gate` is the enforced boundary; the dashboard progress line annotates skipped steps so a skipped-tier run no longer shows an inflated percent.
16
+ - [DECISION] Help and docs prioritization (CNT-004, IA-004): `--help` leads with a 6-item "Start here" group above two labelled advanced groups; a new `docs/README.md` indexes user-facing docs under "Start here" and separates internal/maintainer docs.
17
+ - [DECISION] Front-door content, vocabulary, and trust (CNT-001, CNT-002, CNT-003, IA-003, JRN-001, TRU-001, TRU-002): the README top fold leads with a runnable Quick start and an inline glossary, version archaeology moved to a CHANGELOG/RELEASE pointer; the worst command descriptions lead with the user-intent verb and the `/god-reconcile` vs `/god-sync` overlap is disambiguated; the README clarifies that plain `/god-mode` resumes from disk; SECURITY.md softens its SLA to best-effort; the runtime headline no longer implies 15-way parity.
18
18
 
19
19
  ## Changes
20
20
 
21
- - [DECISION] `package.json`, `package-lock.json`, and `packages/mcp/package.json` now publish the 3.13.1 version.
22
- - [DECISION] New runtime modules `lib/sync-fs.js`, `lib/cli-log.js`, and `lib/text-util.js` (lib module count 87 -> 90). No public command/agent/workflow/recipe surface change.
23
- - [DECISION] CHANGELOG, RELEASE notes, README, roadmap, reference, architecture, and the architecture map now reflect 3.13.1. The SECURITY supported-version table already carries the `3.13.x` row.
21
+ - [DECISION] `package.json`, `package-lock.json`, and `packages/mcp/package.json` now publish the 3.14.0 version.
22
+ - [DECISION] No new runtime module (lib module count unchanged at 91). No public command/agent/workflow/recipe surface change.
23
+ - [DECISION] CHANGELOG, RELEASE notes, README, roadmap, reference, architecture, the architecture map, and `agents/context.md` now reflect 3.14.0. The SECURITY supported-version table now carries the `3.14.x` row.
24
24
 
25
25
  ## Validation
26
26
 
27
27
  - [DECISION] `npm test` passed all command groups.
28
- - [DECISION] `npm run release:check` passed `coverage:lib` above the 90 percent line floor and the new 75 percent branch floor for `lib/**/*.js`.
28
+ - [DECISION] `npm run release:check` passed `coverage:lib` above the 90 percent line floor and the 75 percent branch floor, and the per-file floor (>= 70 percent lines across the lib modules).
29
29
  - [DECISION] `npm run release:check` passed `npm audit --omit=dev` with 0 vulnerabilities and `git diff --check`.
30
- - [DECISION] `npm run release:check` passed public surface docs for version 3.13.1 with 120 skills, 40 agents, 13 workflows, and 44 recipes.
30
+ - [DECISION] `npm run release:check` passed public surface docs for version 3.14.0 with 120 skills, 40 agents, 13 workflows, and 44 recipes.
31
31
  - [DECISION] `npm run release:check` passed root and `@godpowers/mcp` package contents.
32
32
 
33
33
  ## Upgrade
34
34
 
35
- - [DECISION] Use `npm install -g godpowers@3.13.1` or `npx godpowers@3.13.1`.
36
- - [DECISION] No migration is required. Existing projects are unaffected; the changes are internal correctness, security, test-gate, and maintainability fixes with no surface change.
35
+ - [DECISION] Use `npm install -g godpowers@3.14.0` or `npx godpowers@3.14.0`.
36
+ - [DECISION] No migration is required. The changes are install-surface validation, dashboard/router honesty, and documentation improvements with no breaking surface change.
37
37
 
38
38
  ## Notes
39
39
 
40
- - [DECISION] The publish targets are npm `godpowers@3.13.1`, npm `@godpowers/mcp@3.13.1`, and GitHub release `https://github.com/aihxp/godpowers/releases/tag/v3.13.1`.
41
- - [DECISION] The tag-triggered GitHub publish workflow remains the preferred npm path because it publishes with provenance. This release has not been tagged or published to npm yet.
40
+ - [DECISION] The publish targets are npm `godpowers@3.14.0`, npm `@godpowers/mcp@3.14.0`, and GitHub release `https://github.com/aihxp/godpowers/releases/tag/v3.14.0`.
41
+ - [DECISION] Not tagged or published yet. Tagging `v3.14.0` triggers the GitHub publish workflow (`.github/workflows/publish.yml`), which publishes `godpowers@3.14.0` and `@godpowers/mcp@3.14.0` to npm with provenance.
package/bin/install.js CHANGED
@@ -10,14 +10,14 @@
10
10
 
11
11
  const path = require('path');
12
12
 
13
- const { parseArgs } = require('../lib/installer-args');
13
+ const { parseArgs, COMMANDS } = require('../lib/installer-args');
14
14
  const { RUNTIMES, runtimeKeys } = require('../lib/installer-runtimes');
15
15
  const {
16
16
  installForRuntime,
17
17
  uninstallForRuntime,
18
18
  countInstalledSurface
19
19
  } = require('../lib/installer-core');
20
- const { describeProfiles } = require('../lib/install-profiles');
20
+ const { describeProfiles, normalizeProfiles } = require('../lib/install-profiles');
21
21
  const commandFamilies = require('../lib/command-families');
22
22
  const identity = require('../lib/package-identity');
23
23
  const cliDispatch = require('../lib/cli-dispatch');
@@ -33,11 +33,15 @@ const BANNER = `
33
33
  function showHelp() {
34
34
  console.log(BANNER);
35
35
  log('Usage: npx godpowers [command] [options]\n');
36
- log('Commands:');
36
+ log('Start here (most common):');
37
+ log(' (install) npx godpowers --claude --global Install for your AI tool');
37
38
  log(' status Show the Godpowers Dashboard for a project');
38
39
  log(' next Show the dashboard and recommended next command');
39
- log(' state advance Update one tracked Godpowers state step');
40
- log(' gate Check a tier artifact gate');
40
+ log(' quick-proof Run a proof from the shipped fixture (no install)');
41
+ log(' demo Show the shipped sandbox proof');
42
+ log(' surface Preview or apply an installed command profile');
43
+ log('');
44
+ log('Advanced - ledger and evidence:');
41
45
  log(' verify Run a command as executed verification evidence');
42
46
  log(' can-close Check whether a substep has the evidence to close');
43
47
  log(' route Classify a prompt into an entry play (quarterback)');
@@ -47,13 +51,14 @@ function showHelp() {
47
51
  log(' lesson Add or list reusable lessons in the ledger');
48
52
  log(' outcome Start, check, stop, or inspect a bounded retry loop');
49
53
  log(' import-ledger Import an existing .mythify/ ledger into .godpowers/ledger/');
54
+ log('');
55
+ log('Advanced - workflow and tooling:');
56
+ log(' state advance Update one tracked Godpowers state step');
57
+ log(' gate Check a tier artifact gate');
50
58
  log(' mcp-info Show read-only MCP companion setup instructions');
51
- log(' quick-proof Show a runnable proof from the shipped fixture');
52
59
  log(' automation-status Show host automation provider support');
53
60
  log(' automation-setup Show an opt-in automation setup plan');
54
61
  log(' dogfood Run built-in messy-repo dogfood scenarios');
55
- log(' demo Show the shipped sandbox proof');
56
- log(' surface Preview or apply an installed command profile');
57
62
  log(' extension-scaffold Create a publishable extension pack skeleton');
58
63
  log('');
59
64
  log('Command families:');
@@ -208,6 +213,25 @@ function main() {
208
213
 
209
214
  if (cliDispatch.runCommand(opts)) return;
210
215
 
216
+ // USE-001: a bare leading token that is not a known command is a typo'd
217
+ // subcommand, not an install target (runtimes are passed as --flags). Reject
218
+ // it instead of silently starting a global install.
219
+ const firstToken = process.argv[2];
220
+ if (!opts.command && firstToken && !firstToken.startsWith('-') && !COMMANDS.has(firstToken)) {
221
+ error(`Unknown command: ${firstToken}`);
222
+ log('Run "npx godpowers --help" for usage.');
223
+ process.exit(1);
224
+ }
225
+
226
+ // USE-002: validate the install profile before any filesystem writes, so a bad
227
+ // value is a clean one-line error rather than a stack trace mid-install.
228
+ try {
229
+ normalizeProfiles(opts.profile);
230
+ } catch (_) {
231
+ error(`Unknown install profile: ${opts.profile}. Valid: core, builder, maintainer, suite, full`);
232
+ process.exit(1);
233
+ }
234
+
211
235
  console.log(BANNER);
212
236
  const srcDir = path.resolve(__dirname, '..');
213
237
 
package/lib/README.md CHANGED
@@ -29,6 +29,7 @@ package-level integrations.
29
29
  | `atomic-write.js` | Write load-bearing files through temp-file validation and atomic rename. |
30
30
  | `fs-async.js` | Promise-based file read/write helpers for non-blocking runtime paths. |
31
31
  | `sync-fs.js` | Shared project-relative read/write/exists/readJson helpers for the `*-sync` modules. |
32
+ | `sync-check.js` | Shared check-builder (`addCheck`/`makeAddCheck`) and file-lister for the `*-sync` modules. |
32
33
 
33
34
  ## Events and observability
34
35
 
package/lib/checkpoint.js CHANGED
@@ -198,7 +198,11 @@ function write(projectRoot, state) {
198
198
  ' diff and recent events.',
199
199
  '3. Run `/god-status` to verify disk reality.',
200
200
  '4. Run `/god-next` for the next suggested command.',
201
- '5. If anything in this file feels inconsistent with what you',
201
+ '5. To resume the autonomous arc, run `/god-mode` (plain, no `--yolo`',
202
+ ' needed): it reads this checkpoint and continues from disk. Use',
203
+ ' `/god-resume-work` only for a manual `/god-pause-work` handoff',
204
+ ' (it reads HANDOFF.md, not this file).',
205
+ '6. If anything in this file feels inconsistent with what you',
202
206
  ' know, run `/god-context-scan` to surface drift.',
203
207
  '',
204
208
  '## Provenance',
@@ -31,12 +31,9 @@ function runDashboardCommand(opts) {
31
31
  return;
32
32
  }
33
33
 
34
+ // IXD-001: the rendered dashboard already states the recommendation under
35
+ // "Action brief: Next" and "Next: Recommended"; do not print it a third time.
34
36
  console.log(dashboard.render(result, { brief: opts.brief || !opts.full }));
35
- if (opts.command === 'next') {
36
- console.log('');
37
- console.log('Suggested next command:');
38
- console.log(` ${result.next && result.next.command ? result.next.command : 'describe the next intent'}`);
39
- }
40
37
  }
41
38
 
42
39
  function runDogfoodCommand(opts) {
@@ -67,6 +64,19 @@ function runQuickProofCommand(opts) {
67
64
  function runSurfaceCommand(opts) {
68
65
  const path = require('path');
69
66
  const surfaceProfile = require('./surface-profile');
67
+ const { runtimeKeys } = require('./installer-runtimes');
68
+ // USE-003: reject a surface --runtime target that does not exist, the same way
69
+ // the installer rejects an unknown runtime, instead of rendering a plan with a
70
+ // null path and recommending an --apply to a nonexistent target.
71
+ const validRuntimes = new Set(runtimeKeys());
72
+ const unknownRuntimes = (opts.runtimes || []).filter((name) => !validRuntimes.has(name));
73
+ if (unknownRuntimes.length > 0) {
74
+ const message = `Unknown runtime: ${unknownRuntimes.join(', ')}`;
75
+ if (opts.json) console.log(JSON.stringify({ command: 'surface', error: message }, null, 2));
76
+ else error(message);
77
+ process.exitCode = 1;
78
+ return;
79
+ }
70
80
  const srcDir = path.resolve(__dirname, '..');
71
81
  let applied = [];
72
82
 
@@ -283,6 +293,11 @@ function renderCanClose(result) {
283
293
  lines.push(`Reason: ${result.reason}`);
284
294
  if (result.strategy) lines.push(`Strategy: ${result.strategy}`);
285
295
  if (result.wentInFlightAt) lines.push(`In-flight since: ${result.wentInFlightAt}`);
296
+ // PROC-001: be honest about what enforces what. can-close is the advisory
297
+ // freshness check the orchestrator runs before closing a substep; the
298
+ // mechanically enforced gate is `npx godpowers gate`. Stating this here
299
+ // closes the "described gate vs gate that runs" gap.
300
+ lines.push('Note: advisory freshness check; the enforced gate is "npx godpowers gate".');
286
301
  return lines.join('\n');
287
302
  }
288
303
 
@@ -365,7 +365,14 @@ function classifyWorkSize(text = '') {
365
365
  if (/\b(feature|new capability|enhancement)\b/i.test(text)) return WORK_SIZE_LADDER.find((item) => item.id === 'feature');
366
366
  if (/\b(milestone|roadmap|increment)\b/i.test(text)) return WORK_SIZE_LADDER.find((item) => item.id === 'build');
367
367
  if (/\b(tiny|typo|one-line|config tweak|trivial)\b/i.test(text)) return WORK_SIZE_LADDER.find((item) => item.id === 'fast');
368
- return WORK_SIZE_LADDER.find((item) => item.id === 'quick');
368
+ // IA-002: only return the small-task default when there is an actual
369
+ // small-coding-task signal. Otherwise return null so callers (the /god
370
+ // router) fall back to the state-driven /god-next instead of confidently
371
+ // mis-sizing an unrelated intent ("ship it", "check progress", "deploy") as
372
+ // a /god-quick TDD coding task. A confident-but-wrong route is worse than a
373
+ // no-match.
374
+ if (/\b(quick|small|tdd|slice|minor|chore|refactor)\b/i.test(text)) return WORK_SIZE_LADDER.find((item) => item.id === 'quick');
375
+ return null;
369
376
  }
370
377
 
371
378
  function classifyVerification(text = '') {
package/lib/dashboard.js CHANGED
@@ -366,13 +366,13 @@ function render(dashboard, opts = {}) {
366
366
  'Action brief:',
367
367
  ` Next: ${brief.recommended}`,
368
368
  ` Why: ${brief.reason}`,
369
- ` Readiness: ${brief.confidence}`,
369
+ ` Readiness: ${brief.confidence === 'ready' ? 'no blockers' : brief.confidence}`,
370
370
  ` Attention: ${brief.blockers && brief.blockers.length > 0 ? brief.blockers.join('; ') : 'none'}${brief.overflow ? `; ${brief.overflow} more` : ''}`,
371
371
  ` Host guarantees: ${dashboard.host ? hostCapabilities.summary(dashboard.host) : proactive.host || 'unknown'}`,
372
372
  '',
373
373
  'Current status:',
374
374
  ` State: ${dashboard.state}`,
375
- ` Progress: ${progress.percent || 0}% workflow progress (${progress.completed || 0} of ${progress.total || 0} tracked steps complete)`,
375
+ ` Progress: ${progress.percent || 0}% workflow progress (${progress.completed || 0} of ${progress.total || 0} tracked steps complete${progress.skipped ? `, ${progress.skipped} skipped` : ''})`,
376
376
  ...(deliverableBrief ? [deliverableBrief] : []),
377
377
  '',
378
378
  'Next:',
@@ -388,9 +388,9 @@ function render(dashboard, opts = {}) {
388
388
  '',
389
389
  'Current status:',
390
390
  ` State: ${dashboard.state}`,
391
- ` Phase: ${current.phase || 'unknown'}${current.tierNumber !== null && current.tierNumber !== undefined ? ` (tier ${current.tierOrdinal} of ${current.tierCount}, internal ${current.tierKey || `tier-${current.tierNumber}`})` : ''}`,
392
- ` Step: ${current.stepLabel || 'unknown'}${current.stepNumber ? ` (step ${current.stepNumber} of ${current.totalSteps})` : ''}`,
393
- ` Progress: ${progress.percent || 0}% workflow progress (${progress.completed || 0} of ${progress.total || 0} tracked steps complete)`,
391
+ ` Phase: ${dashboard.state === 'not initialized' ? 'not initialized' : (current.phase || 'unknown')}${dashboard.state !== 'not initialized' && current.tierNumber !== null && current.tierNumber !== undefined ? ` (tier ${current.tierOrdinal} of ${current.tierCount}, internal ${current.tierKey || `tier-${current.tierNumber}`})` : ''}`,
392
+ ` Step: ${dashboard.state === 'not initialized' ? 'not initialized' : (current.stepLabel || 'unknown')}${dashboard.state !== 'not initialized' && current.stepNumber ? ` (step ${current.stepNumber} of ${current.totalSteps})` : ''}`,
393
+ ` Progress: ${progress.percent || 0}% workflow progress (${progress.completed || 0} of ${progress.total || 0} tracked steps complete${progress.skipped ? `, ${progress.skipped} skipped` : ''})`,
394
394
  ` Worktree: ${dashboard.worktree}`,
395
395
  ` Index: ${dashboard.index}`,
396
396
  '',