god-code 0.9.2__tar.gz → 1.0.0rc1__tar.gz

{god_code-0.9.2 → god_code-1.0.0rc1}/.gitignore

@@ -14,3 +14,4 @@ auth.json
 .codetape/drift.json
 site/
 .audit/
+.worktrees/

god_code-1.0.0rc1/.gitleaks.toml

@@ -0,0 +1,30 @@
+# Gitleaks config for god-code
+#
+# Purpose: local pre-commit regression prevention against accidental
+# secret commits. Extends gitleaks default ruleset, plus allowlists
+# for known false positives (docs with example tokens, tests of the
+# secret-masking utility).
+#
+# See https://github.com/gitleaks/gitleaks for config reference.
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "god-code global allowlist"
+
+paths = [
+  # Audit artifacts (local only, gitignored)
+  '''\.audit/''',
+
+  # Design docs may contain example API keys in code blocks
+  # (e.g. "backend_api_key=gc_live_testkey123" as documentation).
+  # Reviewers must still visually scan any new docs/plans/ additions.
+  '''docs/plans/.*\.md''',
+
+  # Tests for the secret-masking utility. These files exist to verify
+  # that secret-shaped strings are properly masked for display, so
+  # they intentionally contain fake-but-realistic token literals.
+  # If you add NEW files that test masking, extend this list.
+  '''tests/test_runtime_switch_commands\.py''',
+]

god_code-1.0.0rc1/CHANGELOG.md

@@ -0,0 +1,125 @@
+# Changelog
+
+All notable changes to God Code will be documented in this file.
+
+## [1.0.0rc1] — 2026-04-07
+
+**v1.0 is the first release where god-code is comfortable to use day-to-day without needing to know its quirks.** This is a coordinated UX overhaul. No new features, no breaking API changes — every change makes the existing tool feel less broken in everyday use.
+
+This release closes 27 of 28 UX issues identified in the v1.0 audit (see `docs/plans/2026-04-07-v1.0.0-ux-upgrade-design.md`). The 28th was already fixed in v0.9.2.
+
+### Headline fixes
+
+- **Streaming "thinking" indicator** — gpt-5.4 with `reasoning_effort=high` has a 30-60s silent reasoning phase before any token streams. Previously you saw an empty cyan panel and assumed god-code was frozen. Now you see a `thinking…` spinner that animates until the first token arrives. (A1)
+- **`max_tokens` default raised from 16384 → 65536** — long technical reports were silently truncated mid-section because the cap was way below gpt-5.4's 128K output capability. Override with `/set max_tokens 16384` if you prefer the old conservative limit. (B1)
+- **Token count works in backend mode** — `_stream_via_backend` was missing `stream_options.include_usage`, so backend-mode users (anyone with `backend_url` + `gc_live_*`) saw `0 tokens / $0.00` after every turn. Now matches direct-mode behaviour. (B5)
+- **Real Ctrl+C cleanup** — cancelled turns no longer leave their partial messages polluting the next turn's context. New `engine.rollback_current_turn()` drops everything appended since the most recent `submit()` began. (C2)
+- **Tool progress spinner** — long-running tools (validation, sprite generation, screenshot — typically 10-60s) now show an auto-animating spinner via `rich.console.status` instead of going silent between `tool: started` and `tool: ok`. (A2)
+- **Planner agent stops claiming "I'm in PLAN mode"** — the planner sub-agent system prompt was triggering an LLM hallucination where the model would announce "我目前是 PLAN 模式" / "I am in plan mode" in its response, confusing users into thinking the CLI was stuck in plan interaction mode. Prompt rewritten to explicitly disavow that wording and clarify the planner is a sub-agent inside god-code. (F1)
+
+### Fixed (full list — 27 issues across 11 commits)
+
+- **A1** Streaming thinking spinner (`tui/display.py`)
+- **A2** Tool execution status spinner
+- **A3** Blank line between successive streamed turns
+- **A4** Planner sub-agent output bracketed with `Rule` separators
+- **A5** Autosave success/failure events + activity log entries
+- **B1** `max_tokens` default 16384 → 65536
+- **B2 / G2** `tool_result_truncated` event when tool output is silently capped
+- **B3** API error detail bumped 200 → 500 chars with `[…truncated]` marker
+- **B4** Tool args truncated at 100 chars to prevent terminal overflow
+- **B5** Backend streaming now sends `stream_options.include_usage`
+- **C1** Diff read failures emit `diff_failed` event instead of `except: pass`
+- **C2** `rollback_current_turn()` cleans message state after Ctrl+C
+- **C4** Version check offline state surfaced as dim activity line
+- **C5** `is_known_model_pricing()` helper; usage line shows `~$unknown` for unknown models
+- **C6** `/resume <invalid_id>` now actionable error
+- **D1** `god-code setup` confirmation prompt before overwriting existing config
+- **D2** Loud yellow warning when Godot binary auto-detection fails
+- **D3** Welcome panel reduced to 4 essential fields
+- **D4** Multiline continuation prompt cancel hint
+- **E1** `/help` table reorganized into 6 sections
+- **E2** Activity log slice mismatch (10 vs 8) fixed
+- **E4** Mode embedded in input prompt with mode-specific colour
+- **F1** Planner prompt rewrite — disavows "PLAN mode" wording
+- **F2** Planner prompt enforces structured output format
+- **G3** New events: `session_autosaved`, `session_autosave_failed`, `diff_failed`, `version_check_offline`, `turn_cancelled`
+- **H2** Tab-completion hint added to welcome banner
+
+### Test count
+
+665 → 681 (+16 regression tests across 5 test files)
+
+### Known scope notes
+
+- **C2 partial implementation** — `rollback_current_turn()` cleans up message state but the full `asyncio.create_task` cancellation pattern (true task termination of in-flight HTTP streams and subprocess tools) is deferred to v1.0.1. The existing CLI flow tests depend on the simpler synchronous-await pattern. In practice CPython's signal handling unwinds the await stack on Ctrl+C correctly, so the user-visible behaviour is fixed even without true task termination.
+- **A2 layer 2 deferred** — universal spinner (Layer 1) ships in v1.0.0; per-tool `tool_progress` events for finer-grained reporting (Layer 2) deferred since they require per-tool instrumentation.
+- **Subprocess termination on cancel deferred** — if a tool has already spawned a subprocess (Godot validation, sprite generation), cancelling the Python coroutine doesn't kill the subprocess. v1.0.1 will add per-tool subprocess registration + termination.
+
+### What changed since v0.6.1 (the last PyPI release before v0.9.2)
+
+> **PyPI was stuck at v0.6.1 from early April 2026 until v0.9.2 in this same release cycle.** Anyone who installed god-code via `pipx install god-code` between v0.6.1 and v0.9.2 was on a version that predates everything below. v1.0.0rc1 is the first PyPI release that includes all v0.7 / v0.8 / v0.9 / v1.0 work.
+
+- **v0.7** — Demo-ready foundation: genre detection (`runtime/intent_resolver.py`), sprite QA pipeline (`tools/sprite_qa.py`), polish rubric, scenario engine (`testing/scenario_runner.py`)
+- **v0.8** — Vision iteration loop (screenshot → analyze → fix → score), live runtime bridge to Godot 4.4 over TCP 9394, backend dual-path LLM client, platform API key auth (`gc_live_*`), CLI package split, ImageChops perf, ValidationSuite
+- **v0.9** — Pre-launch security audit (shell hardening, session paths, MCP path containment, log redaction), OpenAI strict-mode pydantic compatibility, hatch wheel cleanup
+- **v0.9.1** — `assistant_preview` extraction guard against empty LLM responses (was crashing the planner pass)
+- **v0.9.2** — `AgentDispatcher` propagates streaming callbacks to sub-engines (planner pass now streams to TUI instead of blocking 60-120s)
+- **v1.0.0rc1** — this release; the full 27-fix UX overhaul above
+
+## [Unreleased]
+
+### Security
+- **run_shell hardened** against credential exfiltration: subprocess environment is now filtered to drop any variable whose name contains KEY/TOKEN/SECRET/PASSWORD/PASSWD/CREDENTIAL/AUTH/PRIVATE/CERT, and `env`, `printenv`, `set`, `export`, and reads of `.config/god-code`, `.codex/auth`, `.aws/credentials`, `.ssh/id_*`, `.ssh/authorized_keys`, `.netrc`, `.npmrc`, `.pypirc` are now blocked at all safety levels.
+- **Session files** (`~/.agent_sessions/*.json`) are now `chmod 0o600` on write so tool outputs captured in conversation history are not world-readable.
+- **Atomic secure writes** for `~/.config/god-code/config.json` and `~/.config/god-code/auth.json`: files are created via `tempfile` + `os.fchmod(0o600)` + `os.replace`, eliminating the TOCTOU window where an earlier `write_text` produced a briefly 0o644 file.
+- **MCP server path containment**: every `file_path` argument to MCP tools is validated against the active project root with `Path.relative_to`, and a `.gd/.tscn/.tres/.cfg/.gdshader/.json/.md/.txt/.import` extension allowlist, preventing a misbehaving MCP client from reading or writing arbitrary files such as `~/.config/god-code/config.json`.
+- **Prefix confusion fix** in `file_ops._validate_path`: `startswith` replaced with `Path.relative_to`, so a project rooted at `/proj/my-game` no longer accidentally permits access to `/proj/my-game-secrets/`.
+- **Log redaction** (`godot_agent/llm/redact.py`): a new `redact_secrets` helper masks Bearer tokens, `sk-*` keys, `gc_live_*` keys, and JWT triples in any error string before it is handed to `log.error`/`log.warning`. Applied to backend, streaming, and computer-use error paths in `llm/client.py` and `llm/streaming.py`.
+
+### Added
+- Workspace-style chat TUI with session snapshot, recent activity, and live streaming panels
+- Interaction modes (`apply`, `plan`, `explain`, `review`, `fix`) with mode-aware tool availability
+- Autosaved session metadata with `/sessions`, `/resume`, `/new`, and project-aware restore flow
+- Gameplay intent resolver with persistent profile storage in design memory
+- `/intent` commands and TUI intent panel for confirming genre/combat/enemy direction
+- Genre-aware internal skills: `bullet_hell`, `topdown_shooter`, `platformer_enemy`, `tower_defense`, `stealth_guard`
+- Profile-aware playtest selection and report context
+- MkDocs documentation site skeleton with getting-started, TUI, validation, provider, and MCP guides
+
+### Changed
+- Unified `ask` and `chat` rendering pipeline, including tool progress and validation feedback
+- Improved post-tool validation visibility and tool result summaries in interactive sessions
+- Session persistence now preserves assistant tool calls and richer metadata for restore
+- Prompt assembly, skill routing, planner/reviewer/playtest flows, and workspace state now consume shared gameplay intent
+
+## [0.1.0] - 2026-04-02
+
+### Added
+- CLI with `ask`, `chat`, `info`, `login`, `logout`, `status` commands
+- 10 tools: read_file, write_file, edit_file, list_dir, grep, glob, git, run_shell, run_godot, screenshot_scene
+- OpenAI-compatible API client with streaming and vision support
+- OAuth login via Codex CLI refresh token
+- Godot project parser (project.godot, autoloads, resolution)
+- .tscn scene parser, writer, and format validator with auto-fix
+- GDScript linter (naming, ordering, type annotations, anti-patterns)
+- Collision layer planner (standard 8-layer scheme)
+- Cross-file consistency checker (collision, signals, resource paths, groups)
+- Project dependency graph builder
+- Design pattern advisor (object pool, component, state machine)
+- Godot Playbook knowledge system (17 sections, context-aware injection)
+- Build discipline rules (incremental build-and-verify)
+- Error detection loop with Godot output parsing and fix suggestions
+- Conversation context compaction for long sessions
+- Path containment security (file ops restricted to project root)
+- Shell command sandboxing (dangerous pattern blocking)
+- API retry with exponential backoff (429 rate limits)
+- Content filter graceful handling (400 errors)
+- Session persistence to JSON
+
+### Security
+- File operations restricted to project root directory
+- Shell commands blocked for dangerous patterns (rm -rf /, sudo, etc.)
+- Git argument parsing via shlex.split()
+- OAuth tokens stored with 600 permissions
+- API key/token masked in status output

{god_code-0.9.2 → god_code-1.0.0rc1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: god-code
-Version: 0.9.2
+Version: 1.0.0rc1
 Summary: AI coding agent specialized for Godot game development
 Project-URL: Homepage, https://github.com/888wing/god-code
 Project-URL: Repository, https://github.com/888wing/god-code

god_code-1.0.0rc1/docs/plans/2026-04-07-god-code-prelaunch-security-audit-report.md

@@ -0,0 +1,242 @@
+# God Code Pre-launch Security Audit Report
+
+**Date completed:** 2026-04-07
+**Auditor:** Claude (Opus 4.6) with user-in-loop decisions
+**Design doc:** [`2026-04-07-god-code-prelaunch-security-audit-design.md`](./2026-04-07-god-code-prelaunch-security-audit-design.md) (`95aef4f`)
+**Plan doc:** [`2026-04-07-god-code-prelaunch-security-audit.md`](./2026-04-07-god-code-prelaunch-security-audit.md) (`b4a4f87`)
+
+## Summary
+
+**Launch decision: READY.**
+
+Three-track audit of `god-code`, `god-code-api`, and `god-code-site` found **zero active security risks**. All three repositories and their published/deployed artifacts are clean of secrets, the backend does not store user content, and the landing page has no tracking or analytics. Pre-launch hardening is complete.
+
+**Findings statistics:**
+
+| Severity | Count | Status |
+|----------|-------|--------|
+| 🔴 Active leak | 0 | — |
+| 🟠 Serious risk | 0 | — |
+| 🟡 Hygiene | 1 | Corrected (see Audit Correction below) |
+| ℹ️ Informational | 2 | Documented, out of security scope |
+
+## Scope
+
+Three audit tracks per the design document:
+
+- **Track A** — Secrets in repos and published artifacts
+- **Track B** — Deployment secrets and runtime log hygiene
+- **Track C** — User data handling (CLI, backend, waitlist)
+
+The following were explicitly out of scope and deferred to post-launch hardening:
+
+- CLI local storage upgrade to OS Keychain
+- OAuth device flow between CLI and godcode.dev
+- Website self-serve key issuance
+- CI integration of `gitleaks` (GitHub Actions)
+- Dependency vulnerability scanning (`pip-audit`, `npm audit`)
+- Rate limiting on `/v1/admin/keys`
+- Responsible disclosure program beyond email contact
+
+## Track A — Repo and published artifact secrets
+
+### A.1 Full-history secret scans (gitleaks)
+
+| Repo | Commits scanned | Raw findings | Actionable |
+|------|-----------------|--------------|------------|
+| `god-code` | 110 | 3 | 0 |
+| `god-code-api` | 25 | 1 | 0 |
+| `god-code-site` | 2 | 0 | 0 |
+
+All 4 raw findings triaged to false positive:
+
+1. `god-code/docs/plans/2026-04-05-v08-impl.md:761` — `gc_live_testkey123` (design doc example)
+2. `god-code/docs/plans/2026-04-05-v08-impl.md:809` — `gc_live_xxx` (curl example)
+3. `god-code/tests/test_runtime_switch_commands.py:108` — `sk-1234567890` (test fixture for the secret-masking function `_format_setting_display_value`)
+4. `god-code-api/tests/util/redact.test.ts:11,16,22,44` — fake JWT/Bearer/sk-/gc_live_ tokens (test fixtures for the `redactSecrets()` utility)
+
+All 4 are intentional test fixtures or documentation examples for security-utility code paths. They cannot be removed without breaking the tests that validate the masking/redaction features. They are allowlisted in the per-repo `.gitleaks.toml` files added in Phase 7.
+
+### A.2 PyPI wheel inspection
+
+- **Published version audited:** 0.6.1 (users currently install this via `pipx install god-code`)
+- **Local repo version at audit time:** 0.9.1 (not yet on PyPI)
+- **Files in 0.6.1 wheel:** 91 (86 under `godot_agent/` package + 5 dist-info)
+- **Sensitive file scan (config.json / auth.json / .env / .key / .pem / agent_sessions / .codetape):** 0 matches
+- **Decision:** Pass. Belt-and-suspenders exclude list added to `pyproject.toml` for future releases (commit `f34b716`).
+
+### A.3 Test fixture credential scan
+
+- `god-code/tests/`: 0 matches
+- `god-code-api/tests/`: 3 matches (all in `redact.test.ts`, same false-positive pattern as A.1)
+- `god-code-site`: no tests directory
+
+### A.4 Environment template files
+
+- All 3 repos: **0 `.env.example` / template files found**. Cleanest possible outcome — no risk of a template accidentally containing real values.
+
+**Track A verdict:** PASS
+
+## Track B — Deployment secrets and log hygiene
+
+### B.1 god-code-api secret inventory
+
+Deployed secrets (per `wrangler secret list`, post-correction):
+
+| Secret | Referenced in source | Status |
+|--------|---------------------|--------|
+| `ADMIN_SECRET` | Yes (admin auth) | OK |
+| `OPENAI_API_KEY` | Yes (provider pool) | OK |
+| `SCORING_API_KEY` | No direct reference | **Reserved** — planned scoring feature (see Audit Correction) |
+
+Source-referenced but not currently deployed (functional gap, not security issue):
+
+- `ANTHROPIC_API_KEY` — declared in provider pool, not deployed
+- `GEMINI_API_KEY` — declared in provider pool, not deployed
+- `XAI_API_KEY` — declared in provider pool, not deployed
+
+Impact: platform-mode callers selecting Claude/Gemini/xAI will receive upstream 401/403 until these are deployed. **Not a security issue** (missing keys = less to leak). Deploy before launch only if the landing page promises those providers in platform mode.
+
+### B.2 Workers log hygiene
+
+- **`console.*` calls in `src/`:** **0**
+- **`redactSecrets()` utility wired into error paths:** Yes, 4 call sites (lines 305, 338, 358, 369 of `src/index.ts`)
+- **Live `wrangler tail` review:** Not performed. Justification: source audit already confirms zero application logs possible; tail would only capture Cloudflare platform logs outside our control.
+
+### B.3 god-code-site Pages env vars
+
+- **`import.meta.env.*` references in `src/`:** 0
+- **`process.env.*` references in `src/`:** 0
+- **Secrets embedded in built `dist/`:** 0
+- **Source file count in `src/`:** 1 (`src/pages/index.astro`)
+
+Pages dashboard env vars were not inspected via CLI (not possible for CF Pages via wrangler). Not a blocker because source has zero env-var ingestion points.
+
+**Track B verdict:** PASS
+
+## Track C — User data handling
+
+### C.1 D1 schema — content storage check
+
+- **Tables defined in schema/:** 5 (`route_decisions`, `quality_alerts`, `quality_scores`, `api_keys`, `usage_log`)
+- **Tables with actual `INSERT INTO` statements in `src/`:** 2 (`api_keys`, `usage_log`)
+- **Tables that store user content:** **0**
+
+`api_keys` stores key hashes (not plaintext). `usage_log` stores token counts and metadata (not content). The other three tables are orphan — defined in schema but not written to by current code (informational finding, not security).
+
+### C.2 CLI session upload audit
+
+- **Network calls in `godot_agent/runtime/session.py`:** 0
+- **`chmod 0o600` on session files:** Yes, already present (pre-existing hardening in v0.9)
+- **What `godot_agent/llm/client.py` sends upstream:** Current-turn messages only. Never reads or uploads the saved session file.
+
+### C.3 Waitlist PII minimization
+
+- **Before:** KV entries stored `{email, joined_at, source: referer}`. `referer` could contain tracking parameters and campaign IDs.
+- **After:** KV entries store `{email, joined_at}` only.
+- **Implementation:** `src/index.ts` waitlist handler edited to remove `referer` field (commit `4cfcb21`). 152/152 tests pass. Deployed to production.
+- **Historical data cleanup:** No-op. KV was empty at audit time (pre-launch, no real signups yet).
+- **Retention policy:** Until public launch concludes, then purged. Purge procedure documented in `god-code-api/docs/DEPLOYMENT.md`.
+
+### C.4 Data flow table
+
+Produced in `.audit/data-flow-table.md` and embedded into `god-code/PRIVACY.md`. Covers every data point from CLI to backend to provider, including what is stored where and for how long.
+
+**Track C verdict:** PASS
+
+## Audit Correction — Finding B1 methodology flaw
+
+**What happened**
+
+During Phase 3.1, `SCORING_API_KEY` was flagged as an "orphan secret" and a recommendation to delete was made to the user. The recommendation was based on a grep that found zero references to the secret name across `src/`, `tests/`, `wrangler.toml`, and `docs/`. The user approved deletion. After deletion, the user noted that `SCORING_API_KEY` was in fact **reserved for a planned scoring feature** that is not yet wired up in the main branch. The user immediately re-set the secret via `wrangler secret put`. No production code path depended on it during the ~2-minute window of absence, so there was no outage.
+
+**Root cause**
+
+The audit equated "zero references in current source" with "orphan, safe to delete". These are not the same. A secret with no source references can also mean:
+
+- A feature that is planned but not yet implemented
+- A feature that is implemented in a branch or PR but not yet merged
+- A dependency injection pattern where the secret is passed via a different identifier
+- A debugging secret held in reserve for emergency access
+
+**Correction applied**
+
+- `SCORING_API_KEY` restored by the user
+- `god-code-api/docs/DEPLOYMENT.md` updated to mark the secret as "Reserved for the scoring feature (planned). Do not delete." (commit `f39c65c`)
+- `.audit/track-b-secrets.md` updated with the full incident record and methodology correction
+
+**Methodology improvement for future audits**
+
+Before recommending deletion of any secret, the auditor must answer all three of the following with "no":
+
+1. Is the secret referenced in the current source tree?
+2. Is the secret referenced in any open branch, PR, or design document describing a planned feature?
+3. Does the feature owner confirm that the secret is not reserved for planned work?
+
+Only if all three answers are "no" should a secret be flagged for deletion. The default posture should be **conservative retention** — it is cheaper to keep an unused secret than to accidentally remove a reserved one.
+
+## Remediation actions applied
+
+| Repo | Commit | What |
+|------|--------|------|
+| god-code | `f34b716` | Added hatch wheel exclude list to `pyproject.toml` |
+| god-code-api | `4cfcb21` | Removed `referer` field from waitlist handler |
+| god-code-api | (user) | `wrangler deploy` for the waitlist handler change |
+| god-code-api | `f39c65c` | Corrected `SCORING_API_KEY` classification in `DEPLOYMENT.md` |
+
+No git history was rewritten (per design policy: revoke only).
+
+## Documentation published
+
+| Repo | Artifact | Commit |
+|------|----------|--------|
+| god-code | `SECURITY.md` | `19a7335` |
+| god-code | `PRIVACY.md` | `fd2baab` |
+| god-code-api | `SECURITY.md` | `36a7f03` |
+| god-code-api | `docs/DEPLOYMENT.md` | `c48ddc1` (+ `f39c65c` correction) |
+| god-code-site | `SECURITY.md` | `5dd48b2` |
+| god-code-site | `PRIVACY.md` | `a69a01c` |
+| god-code-site | `docs/DEPLOYMENT.md` | `364e9ed` |
+
+## Local regression prevention installed
+
+| Repo | `.gitleaks.toml` | `scripts/install-hooks.sh` | Commit |
+|------|------------------|---------------------------|--------|
+| god-code | Yes | Yes | `5589622` |
+| god-code-api | Yes | Yes | `b094e81` |
+| god-code-site | Yes | Yes | `1824ba8` |
+
+Each repo's pre-commit hook scans staged changes with `gitleaks protect --staged --config .gitleaks.toml`. Verified live on the initial commit that installed it — zero findings. Any future contributor running `./scripts/install-hooks.sh` after cloning gets the same protection.
+
+## Non-goals (deferred to post-launch hardening sprint)
+
+- **CLI Keychain storage** — `~/.config/god-code/config.json` remains plain JSON with `chmod 0o600`. Adequate for Level A+B threat model but not Level C (local malware).
+- **OAuth device flow** — replace manual copy-paste key entry with a device-flow authentication between CLI and godcode.dev.
+- **Website self-serve key issuance** — landing page currently only has waitlist, no signup/dashboard for creating `gc_live_*` keys.
+- **CI `gitleaks` integration** — add GitHub Actions workflow to all 3 repos for regression prevention beyond local pre-commit hooks.
+- **Dependency vulnerability scanning** — `pip-audit` for god-code, `npm audit` for god-code-api and god-code-site.
+- **Rate limiting** — `/v1/admin/keys` and other public endpoints currently have no explicit rate limiting beyond Cloudflare's platform defaults.
+- **SCORING_API_KEY full wire-up** — the scoring feature that reserves this secret still needs to be implemented end-to-end.
+- **Missing platform pool keys** — deploy `ANTHROPIC_API_KEY`, `GEMINI_API_KEY`, `XAI_API_KEY` if the landing page advertises Claude/Gemini/xAI in platform mode.
+
+## Success criteria (from design doc)
+
+| Criterion | Met? |
+|-----------|------|
+| Gitleaks full-history scan zero actionable findings | ✅ |
+| PyPI wheel audited, no sensitive files | ✅ |
+| `pyproject.toml` has explicit exclude list, local build clean | ✅ |
+| `wrangler secret list` inspected | ✅ |
+| 3 × SECURITY.md published | ✅ |
+| 2 × PRIVACY.md published with data-flow table | ✅ |
+| 2 × DEPLOYMENT.md published | ✅ |
+| Waitlist PII decision made and applied | ✅ |
+| Local `.gitleaks.toml` + pre-commit hook in all 3 repos | ✅ |
+
+All 9 success criteria met.
+
+## Final verdict
+
+**Pre-launch security audit complete. Launch-ready from a security and privacy standpoint.**
+
+Remaining work is product / marketing / release logistics, not security. The audit's posture is **conservative**: zero active risks were found, but the audit explicitly notes what is out of scope so the next security review knows where to dig deeper.