@agentikos/omega-os 0.1.0 → 0.19.5

package/bootstrap/lib/steps.sh

@@ -7,9 +7,10 @@ Agentik_Coding Agentik_Tools Agentik_Runtime Agentik_Extra"
 
 # --- 00 -----------------------------------------------------------------------
 step_preflight() {
-  info "OS=$OMEGA_OS  pkg=$OMEGA_PKG  OMEGA_HOME=$OMEGA_HOME"
-  if [ "$(id -u)" -eq 0 ]; then
-    err "do not run as root — create and use a non-root user with sudo"
+  info "OS=$OMEGA_OS  pkg=$OMEGA_PKG  user=$OMEGA_USER  OMEGA_HOME=$OMEGA_HOME"
+  if [ "$(id -u)" -eq 0 ] && [ "${OMEGA_ALLOW_ROOT:-0}" != "1" ]; then
+    err "still running as root after user resolution — refusing"
+    err "use --create-user or --user, or set OMEGA_ALLOW_ROOT=1 explicitly"
     return 1
   fi
   have git || { err "git is required"; return 1; }
@@ -20,27 +21,145 @@ step_preflight() {
 
 # --- 10 -----------------------------------------------------------------------
 step_system_deps() {
+  # `whiptail` powers `omega` (the interactive menu — the post-install entry
+  # point). On Debian/Ubuntu it lives in the `whiptail` package, on RHEL/Fedora
+  # in `newt`, on macOS in `newt` via Homebrew. We add it to the base set so a
+  # fresh Mac doesn't end up with a silent `omega` command.
   local pkgs="python3 git tmux sqlite3 jq curl"
   case "$OMEGA_PKG" in
-    apt)  sudo apt-get update -qq && sudo apt-get install -y -qq $pkgs python3-venv ;;
-    dnf)  sudo dnf install -y -q $pkgs ;;
-    brew) brew install $pkgs 2>/dev/null || true ;;
-    *)    err "install manually: $pkgs"; return 1 ;;
+    apt)  sudo apt-get update -qq && sudo apt-get install -y -qq $pkgs whiptail python3-venv python3-yaml ;;
+    dnf)  sudo dnf install -y -q $pkgs newt python3-pyyaml ;;
+    brew) brew install $pkgs newt 2>/dev/null || true ;;
+    *)    err "install manually: $pkgs (and whiptail/newt for the menu)"; return 1 ;;
   esac
+  # age (optional, non-fatal) — powers the encrypted vault. If missing, the
+  # vault transparently falls back to chmod 600 plaintext and the doctor
+  # flags it.
+  if ! have age; then
+    info "installing age (powers the encrypted secrets vault)"
+    case "$OMEGA_PKG" in
+      apt)  sudo apt-get install -y -qq age 2>>"$LOG_FILE" || info "age install failed (non-fatal)" ;;
+      dnf)  sudo dnf install -y -q age 2>>"$LOG_FILE" || info "age install failed (non-fatal)" ;;
+      brew) brew install age 2>>"$LOG_FILE" || info "age install failed (non-fatal)" ;;
+    esac
+  fi
   if ! have uv && [ ! -x "$HOME/.local/bin/uv" ]; then
     info "installing uv (Python package/venv manager)"
     curl -LsSf https://astral.sh/uv/install.sh | sh || { err "uv install failed"; return 1; }
   fi
+  # graphify (optional) — a Claude Code skill that turns any folder into a
+  # knowledge graph (graphify-out/graph.json). We install BOTH the CLI and
+  # the skill so the /graphify slash command is available in Claude Code.
+  # All failures here are non-fatal — the engine works without graphify.
+  local uv_bin; uv_bin="$(command -v uv || echo "$HOME/.local/bin/uv")"
+  if [ -x "$uv_bin" ] && ! have graphify; then
+    info "installing graphifyy CLI (optional — provides the /graphify Claude Code skill)"
+    if "$uv_bin" tool install graphifyy >>"$LOG_FILE" 2>&1; then
+      ok "graphifyy CLI installed"
+    else
+      info "graphifyy install failed (non-fatal); install later: uv tool install graphifyy"
+    fi
+  fi
+  if have graphify; then
+    info "registering /graphify skill into Claude Code"
+    if graphify install --platform claude >>"$LOG_FILE" 2>&1; then
+      ok "/graphify skill registered"
+    else
+      info "graphify install failed (non-fatal); run \`graphify install\` later"
+    fi
+  fi
   return 0
 }
 
 # --- 20 -----------------------------------------------------------------------
+# --- 15 -----------------------------------------------------------------------
+#
+# step_llm_clis — install the agentic LLM CLIs the operator picked.
+#
+# Catalog (see bootstrap/lib/llm-clis.py): Claude Code, Gemini CLI, Codex,
+# GLM SDK, Aider. Each installs via npm-global or uv-tool. The step is
+# additive: an already-installed CLI is detected via shutil.which() and
+# left alone unless the manifest says `force: true`.
+#
+# Manifest block:
+#
+#   llm_clis:
+#     - claude_code
+#     - gemini_cli
+#     - codex
+#     # - glm_sdk
+#     # - aider
+#
+# Or the long form: `claude_code: true` etc.
+step_llm_clis() {
+  local helper="$OMEGA_REPO/bootstrap/lib/llm-clis.py"
+  if [ ! -f "$helper" ]; then
+    info "llm-clis helper missing — skipping"
+    return 0
+  fi
+  if ! have npm; then
+    info "npm not on PATH — Node-based LLM CLIs will be skipped"
+  fi
+
+  local selection
+  if [ "${NONINTERACTIVE:-0}" = "1" ]; then
+    if [ -n "${MANIFEST:-}" ] && [ -f "$MANIFEST" ]; then
+      info "installing LLM CLIs from manifest"
+      python3 "$helper" install "$MANIFEST" | sed 's/^/    /'
+      return 0
+    fi
+    info "headless + no manifest llm_clis — skipping (run omega upgrade later)"
+    return 0
+  fi
+
+  # Interactive — whiptail checklist.
+  if ! have whiptail; then
+    info "no whiptail — falling back to plain y/n prompts for LLM CLIs"
+    selection=""
+    local ans
+    for id in claude_code gemini_cli codex glm_sdk aider; do
+      printf '  install %s? [n] ' "$id" >&2
+      read -r ans || ans=""
+      case "${ans:-n}" in y|Y|yes|YES) selection="$selection $id" ;; esac
+    done
+    if [ -n "$selection" ]; then
+      python3 "$helper" install $selection | sed 's/^/    /'
+    fi
+    return 0
+  fi
+
+  selection="$(whiptail --title "OmegaOS — LLM CLI installation" \
+    --checklist "Select agentic LLM CLIs to install (recommended pre-ticked):" \
+    16 70 6 \
+    claude_code "Claude Code (Anthropic — \`claude\`)" ON \
+    gemini_cli  "Gemini CLI (Google — \`gemini\`)" ON \
+    codex       "Codex CLI (OpenAI — \`codex\`)" OFF \
+    glm_sdk     "GLM / ZhipuAI Python SDK" OFF \
+    aider       "Aider (community — \`aider\`)" OFF \
+    3>&1 1>&2 2>&3 || true)"
+  if [ -z "$selection" ]; then
+    info "no LLM CLIs selected — skipping"
+    return 0
+  fi
+  # whiptail returns "id1" "id2" ... — strip quotes.
+  selection="$(printf '%s\n' $selection | tr -d '"' | tr '\n' ' ')"
+  python3 "$helper" install $selection | sed 's/^/    /'
+  return 0
+}
+
 step_structure() {
   local b
   for b in $OMEGA_BLOCKS; do mkdir -p "$OMEGA_HOME/$b"; done
   mkdir -p "$OMEGA_HOME/Agentik_Runtime"/{eventlog,sessions,verdicts,memory,locks,snapshots}
   mkdir -p "$OMEGA_HOME/Agentik_Extra"/{var/cache,var/tmp,var/logs,staging/promotion,etc/secrets}
   chmod 700 "$OMEGA_HOME/Agentik_Extra/etc/secrets" 2>/dev/null || true
+  # Don't ever commit the runtime tree.
+  cat > "$OMEGA_HOME/Agentik_Extra/.gitignore" <<'EOF'
+# Omega OS — these directories are runtime-only.
+etc/secrets/
+var/
+staging/
+EOF
   # deploy the repo's source blocks into the live tree
   if [ -d "${OMEGA_REPO:-}/omega" ]; then
     cp -R "$OMEGA_REPO/omega/." "$OMEGA_HOME/"
@@ -53,6 +172,85 @@ step_structure() {
 }
 
 # --- 30 -----------------------------------------------------------------------
+# --- 25 -----------------------------------------------------------------------
+#
+# step_aisb_suite — ship the 13 AISB agent prompts into the SSOT.
+#
+# Without this, every role (oracle/worker/architect/keymaker/...) talks to
+# the provider with a generic stub. With it, each role boots from the same
+# rich agent definitions Gareth's home system uses — agents now have real
+# identity, the LMC protocol, and the verified-completion contract.
+step_aisb_suite() {
+  local src="$OMEGA_REPO/bootstrap/templates/aisb"
+  local dst="$OMEGA_HOME/Agentik_SSOT/agents/aisb"
+  if [ ! -d "$src" ]; then
+    info "no AISB templates at $src — skipping (system will use generic prompts)"
+    return 0
+  fi
+  mkdir -p "$dst" "$dst/checkers" "$dst/protocols"
+  # We use cp -R; the SSOT tree is operator-editable after install.
+  cp -R "$src/." "$dst/"
+  local count
+  count=$(find "$dst" -name "*.md" | wc -l | tr -d ' ')
+  ok "AISB suite installed: $count agent files at $dst"
+  return 0
+}
+
+# --- 27 -----------------------------------------------------------------------
+#
+# step_audit_skills — generate Claude Code SKILL.md for every audit.yaml.
+#
+# Each forensic audit (codeaudit, flowaudit, ...) becomes a first-class
+# Claude Code skill at `Agentik_SSOT/skills/<id>/SKILL.md`, derived from
+# the structured definition at `Agentik_SSOT/audits/<id>.yaml`. `omega sync`
+# then projects each skill into the provider's native tree (~/.claude/skills/).
+#
+# Runs AFTER 25-aisb-suite (which deploys the SSOT tree) but BEFORE the
+# engine venv (the generator only needs PyYAML which step 10 installed).
+step_audit_skills() {
+  local generator="$OMEGA_REPO/omega/Agentik_Engine/omega_engine/audits/generator.py"
+  local audits_dir="$OMEGA_HOME/Agentik_SSOT/audits"
+  if [ ! -d "$audits_dir" ]; then
+    info "no audits dir at $audits_dir — skipping (step 20 incomplete?)"
+    return 0
+  fi
+  if [ ! -f "$generator" ]; then
+    info "audit skill generator missing — skipping"
+    return 0
+  fi
+  PYTHONPATH="$OMEGA_REPO/omega/Agentik_Engine" python3 - "$audits_dir" <<'PY'
+import sys
+from omega_engine.audits.generator import write_all
+result = write_all(sys.argv[1])
+print(f"audit SKILL.md: {result['written']} written, {result['skipped']} unchanged")
+PY
+}
+
+# --- 33 -----------------------------------------------------------------------
+#
+# step_claude_code_settings — merge OmegaOS-driven settings into
+# ~/.claude/settings.json.
+#
+# We enable the experimental Agent Teams flag, set the default
+# permission mode to `bypassPermissions` (configurable in the manifest),
+# and wire the Stop hook so `omega audit gate` blocks "I'm done"
+# completion claims when an audit verdict is failing.
+#
+# Manifest block:
+#   claude_code_settings:
+#     experimental_agent_teams: true
+#     bypass_permissions: true
+#     audit_gate: true
+step_claude_code_settings() {
+  local helper="$OMEGA_REPO/bootstrap/lib/claude-code-settings.py"
+  if [ ! -f "$helper" ]; then
+    info "claude-code-settings helper missing — skipping"
+    return 0
+  fi
+  python3 "$helper" "${MANIFEST:-/dev/null}" "$OMEGA_HOME" | sed 's/^/    /'
+  return 0
+}
+
 step_engine() {
   local uv_bin; uv_bin="$(command -v uv || echo "$HOME/.local/bin/uv")"
   [ -x "$uv_bin" ] || { err "uv not found after step 10"; return 1; }
@@ -62,28 +260,513 @@ step_engine() {
   mkdir -p "$OMEGA_HOME/Agentik_Tools/bin"
   ln -sf "$OMEGA_HOME/Agentik_Engine/.venv/bin/omega" "$OMEGA_HOME/Agentik_Tools/bin/omega"
   ok "engine installed — omega CLI at Agentik_Tools/bin/omega"
+  # The engine is now importable — initialise the vault while we're here.
+  python3 "$OMEGA_REPO/bootstrap/lib/manifest-helpers.py" init-vault "$OMEGA_HOME" \
+    | sed 's/^/    /' || true
+  # tmux config is installed by step_tmux_config (separate step now so the
+  # "pro" profile + ~/.tmux.conf wire-up live in one place and can be reviewed
+  # on their own line in plan mode).
   return 0
 }
 
+# --- 36 -----------------------------------------------------------------------
+#
+# step_tmux_config — install the "pro" tmux profile and wire ~/.tmux.conf.
+#
+# Writes two files:
+#   1. $OMEGA_HOME/Agentik_Tools/tmux.conf       (bundled, single source of truth)
+#   2. ~/.tmux.conf                              (the user's live config)
+#
+# (2) gets a timestamped .bak.<ts> sibling whenever the existing content
+# differs — re-runs that produce identical content are silent no-ops, so the
+# step is fully idempotent without leaving piles of backups behind.
+#
+# Why "pro" by default: Termius paste-fix, session-kill forensics log, smart
+# scroll in alt-screen panes (Claude Code TUI), extended keys, OSC 52
+# clipboard. This matches the live OmegaVPS UX the operator already uses.
+step_tmux_config() {
+  if ! have tmux; then
+    err "tmux not installed — step_system_deps should have caught this"
+    return 1
+  fi
+  PYTHONPATH="$OMEGA_HOME/Agentik_Engine" python3 - <<PY 2>>"$LOG_FILE"
+import os
+os.environ["OMEGA_HOME"] = "$OMEGA_HOME"
+from pathlib import Path
+from omega_engine.tmux import write_default_config, install_into_home_tmux_conf
+
+# 1. Always write the bundled "pro" config — single source of truth.
+bundled = write_default_config(profile="pro")
+print(f"  tmux bundled config: {bundled}  (pro profile)")
+
+# 2. Skip ~/.tmux.conf rewrite when it already matches the bundled content
+#    (otherwise re-runs spam timestamped backups for no reason).
+home_conf = Path.home() / ".tmux.conf"
+bundled_content = Path(bundled).read_text()
+existing = home_conf.read_text() if home_conf.exists() else ""
+if existing == bundled_content:
+    print(f"  ~/.tmux.conf already matches pro profile — nothing to do")
+else:
+    res = install_into_home_tmux_conf(profile="pro", backup=True)
+    if res["backup_path"]:
+        print(f"  backed up previous ~/.tmux.conf -> {res['backup_path']}")
+    print(f"  wrote pro profile to {res['written']}")
+    print(f"  reload in-session: tmux source-file ~/.tmux.conf")
+PY
+  return $?
+}
+
+# --- 37 -----------------------------------------------------------------------
+#
+# step_hermes_brief — seed Hermès with knowledge of OmegaOS.
+#
+# Writes ~/.hermes/skills/omega/SKILL.md so the Layer-2 Hermès companion
+# understands what OmegaOS is, the L1-L5 architecture, the no-API-key
+# principle, and the canonical engine commands. Without this seed, Hermès
+# boots blind and the user has to teach it everything from scratch.
+#
+# Idempotent — write_brief() does an atomic write of the same content,
+# so re-runs are quiet.
+step_hermes_brief() {
+  PYTHONPATH="$OMEGA_HOME/Agentik_Engine" python3 - <<PY 2>>"$LOG_FILE"
+import os
+os.environ["OMEGA_HOME"] = "$OMEGA_HOME"
+from omega_engine import hermes_bootstrap as HB
+res = HB.write_brief()
+print(f"  Hermes brief: {res.path}")
+print(f"  bytes written: {res.bytes_written}")
+print(f"  memory log: {HB.memory_log_path()}")
+PY
+  return $?
+}
+
 # --- 40 -----------------------------------------------------------------------
+#
+# step_mcp — present the MCP/plugin catalog as a checklist (interactive) or
+# apply the manifest's `mcp:` list (headless). For each selected entry:
+#   1. install the server binary into Agentik_Tools/<id>/
+#   2. read any declared secrets from env or prompt; write them chmod 600 into
+#      Agentik_Extra/etc/secrets/mcp-<id>.env
+#   3. add a `{id, secret_refs, enabled: true}` row to mcp-config.yaml
+# Then call `omega sync` to project the config into each provider's native shape.
+#
+# Failures on individual MCPs are recorded but do not abort the step.
 step_mcp() {
   local catalog="$OMEGA_HOME/Agentik_SSOT/mcp/mcp-catalog.yaml"
   [ -f "$catalog" ] || { err "MCP catalog missing: $catalog"; return 1; }
   info "MCP catalog present ($(grep -c '^- id:' "$catalog" 2>/dev/null || echo '?') entries)"
+
+  # Collect the selection into newline-separated $selected.
+  local selected=""
   if [ "${NONINTERACTIVE:-0}" = "1" ]; then
-    info "headless — MCP selection comes from the manifest (\`mcp:\` list)"
+    if [ -z "${MANIFEST:-}" ] || [ ! -f "$MANIFEST" ]; then
+      info "headless but no manifest provided — selecting recommended MCPs only"
+      selected="$(_mcp_recommended "$catalog")"
+    else
+      selected="$(_mcp_from_manifest "$MANIFEST")"
+      if [ -z "$selected" ]; then
+        info "manifest has no \`mcp:\` list — selecting recommended MCPs only"
+        selected="$(_mcp_recommended "$catalog")"
+      fi
+    fi
   else
-    info "interactive — the MCP/plugin checklist reads $catalog"
+    selected="$(_mcp_prompt_checklist "$catalog")"
+  fi
+
+  if [ -z "$selected" ]; then
+    info "no MCPs selected — skipping install (you can run \`omega tool install <id>\` later)"
+    return 0
+  fi
+
+  local omega="$OMEGA_HOME/Agentik_Tools/bin/omega"
+  [ -x "$omega" ] || { err "omega CLI not found at $omega — step 30 incomplete"; return 1; }
+
+  local failed=""
+  local id
+  while IFS= read -r id; do
+    [ -z "$id" ] && continue
+    info "MCP: installing $id"
+    if OMEGA_HOME="$OMEGA_HOME" "$omega" tool install "$id" >>"$LOG_FILE" 2>&1; then
+      _mcp_collect_secrets "$catalog" "$id" || true
+      _mcp_register_in_config "$id"
+      ok "MCP $id installed and registered"
+    else
+      err "MCP $id failed to install — see $LOG_FILE; continuing"
+      failed="$failed $id"
+    fi
+  done <<< "$selected"
+
+  info "running \`omega sync\` to project the canonical config to each provider"
+  if OMEGA_HOME="$OMEGA_HOME" "$omega" sync >>"$LOG_FILE" 2>&1; then
+    ok "omega sync completed"
+  else
+    err "omega sync exited non-zero — see $LOG_FILE"
+  fi
+
+  if [ -n "$failed" ]; then
+    err "MCPs that failed to install:$failed (the rest were registered)"
   fi
-  # Build-out: render the checklist, install selected servers into
-  # Agentik_Tools/<id>/, write Agentik_SSOT/mcp/mcp-config.yaml, run `omega sync`.
-  # See docs/MCP-AND-PLUGINS.md.
   return 0
 }
 
+# ----- step_mcp helpers ------------------------------------------------------
+
+# _mcp_recommended <catalog> → newline-separated ids with `recommended: true`
+_mcp_recommended() {
+  local catalog="$1"
+  python3 - "$catalog" <<'PY' || true
+import sys, yaml
+with open(sys.argv[1]) as f:
+    data = yaml.safe_load(f) or {}
+for e in data.get("catalog") or []:
+    if e.get("recommended"):
+        print(e["id"])
+PY
+}
+
+# _mcp_from_manifest <manifest> → newline-separated ids in the `mcp:` block
+_mcp_from_manifest() {
+  local manifest="$1"
+  python3 - "$manifest" <<'PY' || true
+import sys, yaml
+with open(sys.argv[1]) as f:
+    data = yaml.safe_load(f) or {}
+for entry in data.get("mcp") or []:
+    if isinstance(entry, dict):
+        print(entry.get("id", "").strip())
+    else:
+        print(str(entry).strip())
+PY
+}
+
+# _mcp_catalog_ids <catalog> → newline-separated all ids
+_mcp_catalog_ids() {
+  python3 - "$1" <<'PY' || true
+import sys, yaml
+with open(sys.argv[1]) as f:
+    data = yaml.safe_load(f) or {}
+for e in data.get("catalog") or []:
+    print(e["id"])
+PY
+}
+
+# _mcp_recommended_set <catalog> → newline-separated recommended ids (alias)
+# (declared separately so the prompt code reads cleanly)
+
+# _mcp_secret_refs <catalog> <id> → space-separated secret refs for that id
+_mcp_secret_refs() {
+  python3 - "$1" "$2" <<'PY' || true
+import sys, yaml
+with open(sys.argv[1]) as f:
+    data = yaml.safe_load(f) or {}
+for e in data.get("catalog") or []:
+    if e.get("id") == sys.argv[2]:
+        for s in e.get("secrets") or []:
+            print(s)
+        break
+PY
+}
+
+# _mcp_prompt_checklist <catalog> → newline-separated selected ids (interactive)
+_mcp_prompt_checklist() {
+  local catalog="$1" id recommended_set picks="" reply
+  recommended_set=" $(_mcp_recommended "$catalog" | tr '\n' ' ')"
+  if have whiptail; then
+    # Build the whiptail args dynamically. Each tuple is: <id> <description> <ON|OFF>
+    local args=()
+    while IFS= read -r id; do
+      [ -z "$id" ] && continue
+      local pre="OFF"
+      case "$recommended_set" in *" $id "*) pre="ON" ;; esac
+      args+=("$id" "$id" "$pre")
+    done < <(_mcp_catalog_ids "$catalog")
+    if [ "${#args[@]}" -eq 0 ]; then
+      printf ''
+      return 0
+    fi
+    # capture whiptail's stderr (the selection) — quotes around each picked id
+    picks="$(whiptail --title "Omega OS — MCP / plugin checklist" \
+      --checklist "Select MCP servers to install (space toggles, enter confirms):" \
+      20 70 12 "${args[@]}" 3>&1 1>&2 2>&3 || true)"
+    # whiptail returns: "id1" "id2" "id3" — strip quotes and split on whitespace
+    printf '%s\n' $picks | tr -d '"'
+  else
+    info "(no whiptail — falling back to a plain prompt)"
+    while IFS= read -r id; do
+      [ -z "$id" ] && continue
+      local default="n" pre=""
+      case "$recommended_set" in *" $id "*) default="y"; pre=" (recommended)" ;; esac
+      printf '  install %s%s? [%s] ' "$id" "$pre" "$default" >&2
+      read -r reply || reply=""
+      reply="${reply:-$default}"
+      case "$reply" in y|Y|yes|YES) picks="$picks $id" ;; esac
+    done < <(_mcp_catalog_ids "$catalog")
+    printf '%s\n' $picks
+  fi
+}
+
+# _mcp_collect_secrets <catalog> <id> — for each declared secret, read value from
+# env or prompt, then write to Agentik_Extra/etc/secrets/mcp-<id>.env (chmod 600).
+_mcp_collect_secrets() {
+  local catalog="$1" id="$2" refs ref value
+  refs="$(_mcp_secret_refs "$catalog" "$id")"
+  [ -z "$refs" ] && return 0
+  local secdir="$OMEGA_HOME/Agentik_Extra/etc/secrets"
+  local secfile="$secdir/mcp-${id}.env"
+  mkdir -p "$secdir"
+  chmod 700 "$secdir" 2>/dev/null || true
+  : > "$secfile"
+  chmod 600 "$secfile"
+  while IFS= read -r ref; do
+    [ -z "$ref" ] && continue
+    # Prefer an env var of the same name; otherwise ask (skip prompt when headless).
+    value="${!ref:-}"
+    if [ -z "$value" ] && [ "${NONINTERACTIVE:-0}" != "1" ]; then
+      printf '  secret needed for %s: %s (paste or leave blank to set later): ' "$id" "$ref" >&2
+      read -r value || value=""
+    fi
+    if [ -n "$value" ]; then
+      printf '%s=%s\n' "$ref" "$value" >> "$secfile"
+    else
+      # store a placeholder reference so the operator can fill it in later
+      printf '# %s=  # set this when ready\n' "$ref" >> "$secfile"
+    fi
+  done <<< "$refs"
+  chmod 600 "$secfile"
+  # Migrate to the encrypted vault when age is active. Skipped silently when
+  # the vault is in plain mode or the file holds only placeholders.
+  python3 "$OMEGA_REPO/bootstrap/lib/manifest-helpers.py" encrypt-mcp-env \
+    "$OMEGA_HOME" "$id" 2>>"$LOG_FILE" | sed 's/^/      /' || true
+}
+
+# _mcp_register_in_config <id> — append/replace a row in mcp-config.yaml.
+_mcp_register_in_config() {
+  python3 - "$OMEGA_HOME" "$1" <<'PY' || true
+import sys
+from pathlib import Path
+sys.path.insert(0, str(Path(sys.argv[1]) / "Agentik_Engine"))
+import yaml
+from omega_engine.tools import merge_mcp_config  # noqa: E402
+
+home = Path(sys.argv[1])
+mcp_id = sys.argv[2]
+
+# Pull the declared secret refs from the catalog for this id.
+catalog_path = home / "Agentik_SSOT" / "mcp" / "mcp-catalog.yaml"
+secret_refs = []
+if catalog_path.exists():
+    data = yaml.safe_load(catalog_path.read_text()) or {}
+    for e in data.get("catalog") or []:
+        if e.get("id") == mcp_id:
+            secret_refs = list(e.get("secrets") or [])
+            break
+
+merge_mcp_config(home, {"id": mcp_id, "secret_refs": secret_refs, "enabled": True})
+PY
+}
+
+# --- 45 -----------------------------------------------------------------------
+#
+# step_claude_plugins — install Claude Code plugins from the SSOT catalog.
+#
+# Reads Agentik_SSOT/claude-plugins/claude-plugins.yaml:
+#   1. registers each non-builtin marketplace via `claude plugin marketplace add`
+#   2. installs each selected plugin via `claude plugin install <name>@<mkt> -s <scope>`
+#
+# Selection comes from the manifest's `claude_plugins:` list (headless) or a
+# whiptail checklist (interactive). Failures on individual plugins are
+# recorded but do not abort the step — Claude plugins are nice-to-have.
+step_claude_plugins() {
+  local catalog="$OMEGA_HOME/Agentik_SSOT/claude-plugins/claude-plugins.yaml"
+  if [ ! -f "$catalog" ]; then
+    info "no Claude plugin catalog — skipping (step 20 should have deployed it)"
+    return 0
+  fi
+  if ! have claude; then
+    info "claude CLI not on PATH — skipping plugin install (install Claude Code first)"
+    return 0
+  fi
+
+  local selected=""
+  if [ "${NONINTERACTIVE:-0}" = "1" ]; then
+    if [ -n "${MANIFEST:-}" ] && [ -f "$MANIFEST" ]; then
+      selected="$(_claude_plugins_from_manifest "$MANIFEST")"
+    fi
+    if [ -z "$selected" ]; then
+      info "headless + no claude_plugins list — selecting recommended only"
+      selected="$(_claude_plugins_recommended "$catalog")"
+    fi
+  else
+    selected="$(_claude_plugins_prompt_checklist "$catalog")"
+  fi
+
+  if [ -z "$selected" ]; then
+    info "no Claude plugins selected — skipping (you can run \`claude plugin install\` later)"
+    return 0
+  fi
+
+  # Register every marketplace referenced by the selected plugins (excluding
+  # those marked `builtin: true`).
+  while IFS= read -r src; do
+    [ -z "$src" ] && continue
+    info "registering marketplace: $src"
+    if claude plugin marketplace add "$src" >>"$LOG_FILE" 2>&1; then
+      ok "marketplace ok: $src"
+    else
+      # Already registered or other non-fatal; log only.
+      info "marketplace add returned non-zero (may already be registered): $src"
+    fi
+  done < <(_claude_plugins_marketplaces_for "$catalog" "$selected")
+
+  local failed=""
+  local id
+  while IFS= read -r id; do
+    [ -z "$id" ] && continue
+    local spec scope
+    spec="$(_claude_plugins_install_spec "$catalog" "$id")"
+    scope="$(_claude_plugins_scope_for "$catalog" "$id")"
+    [ -z "$spec" ] && { info "no install spec for $id — skipping"; continue; }
+    info "installing claude plugin: $spec (scope=$scope)"
+    if claude plugin install "$spec" -s "$scope" >>"$LOG_FILE" 2>&1; then
+      ok "claude plugin installed: $id"
+    else
+      err "claude plugin $id failed to install — see $LOG_FILE; continuing"
+      failed="$failed $id"
+    fi
+  done <<< "$selected"
+
+  if [ -n "$failed" ]; then
+    err "Claude plugins that failed:$failed (the rest were installed)"
+  fi
+  return 0
+}
+
+# ----- step_claude_plugins helpers ------------------------------------------
+
+_claude_plugins_recommended() {
+  python3 - "$1" <<'PY' || true
+import sys, yaml
+with open(sys.argv[1]) as f:
+    data = yaml.safe_load(f) or {}
+for e in data.get("catalog") or []:
+    if e.get("recommended"):
+        print(e["id"])
+PY
+}
+
+_claude_plugins_catalog_ids() {
+  python3 - "$1" <<'PY' || true
+import sys, yaml
+with open(sys.argv[1]) as f:
+    data = yaml.safe_load(f) or {}
+for e in data.get("catalog") or []:
+    print(e["id"])
+PY
+}
+
+_claude_plugins_from_manifest() {
+  python3 - "$1" <<'PY' || true
+import sys, yaml
+with open(sys.argv[1]) as f:
+    data = yaml.safe_load(f) or {}
+for entry in data.get("claude_plugins") or []:
+    if isinstance(entry, dict):
+        print(entry.get("id", "").strip())
+    else:
+        print(str(entry).strip())
+PY
+}
+
+# _claude_plugins_install_spec <catalog> <id> → "<name>@<marketplace>" string
+_claude_plugins_install_spec() {
+  python3 - "$1" "$2" <<'PY' || true
+import sys, yaml
+with open(sys.argv[1]) as f:
+    data = yaml.safe_load(f) or {}
+for e in data.get("catalog") or []:
+    if e.get("id") == sys.argv[2]:
+        name = e.get("name") or e["id"]
+        mkt = e.get("marketplace") or ""
+        print(f"{name}@{mkt}" if mkt else name)
+        break
+PY
+}
+
+# _claude_plugins_scope_for <catalog> <id> → user|project|local (defaults user)
+_claude_plugins_scope_for() {
+  python3 - "$1" "$2" <<'PY' || true
+import sys, yaml
+with open(sys.argv[1]) as f:
+    data = yaml.safe_load(f) or {}
+for e in data.get("catalog") or []:
+    if e.get("id") == sys.argv[2]:
+        print(e.get("scope") or "user")
+        break
+PY
+}
+
+# _claude_plugins_marketplaces_for <catalog> <selected-newline-ids> →
+#   newline-separated marketplace source strings (excluding builtin ones)
+_claude_plugins_marketplaces_for() {
+  local catalog="$1" ids="$2"
+  python3 - "$catalog" <<PY || true
+import sys, yaml
+with open(sys.argv[1]) as f:
+    data = yaml.safe_load(f) or {}
+selected = set("""${ids}""".strip().splitlines())
+selected.discard("")
+plugin_to_mkt = {
+    e["id"]: e.get("marketplace") for e in data.get("catalog") or []
+}
+needed_mkts = {plugin_to_mkt.get(p) for p in selected}
+needed_mkts.discard(None)
+seen = set()
+for m in data.get("marketplaces") or []:
+    if m.get("id") in needed_mkts and not m.get("builtin"):
+        src = m.get("source") or ""
+        if src and src not in seen:
+            print(src)
+            seen.add(src)
+PY
+}
+
+_claude_plugins_prompt_checklist() {
+  local catalog="$1" id recommended_set picks="" reply
+  recommended_set=" $(_claude_plugins_recommended "$catalog" | tr '\n' ' ')"
+  if have whiptail; then
+    local args=()
+    while IFS= read -r id; do
+      [ -z "$id" ] && continue
+      local pre="OFF"
+      case "$recommended_set" in *" $id "*) pre="ON" ;; esac
+      args+=("$id" "$id" "$pre")
+    done < <(_claude_plugins_catalog_ids "$catalog")
+    if [ "${#args[@]}" -eq 0 ]; then
+      printf ''
+      return 0
+    fi
+    picks="$(whiptail --title "Omega OS — Claude plugin checklist" \
+      --checklist "Select Claude Code plugins to install:" \
+      18 70 10 "${args[@]}" 3>&1 1>&2 2>&3 || true)"
+    printf '%s\n' $picks | tr -d '"'
+  else
+    info "(no whiptail — falling back to a plain prompt)"
+    while IFS= read -r id; do
+      [ -z "$id" ] && continue
+      local default="n" pre=""
+      case "$recommended_set" in *" $id "*) default="y"; pre=" (recommended)" ;; esac
+      printf '  install %s%s? [%s] ' "$id" "$pre" "$default" >&2
+      read -r reply || reply=""
+      reply="${reply:-$default}"
+      case "$reply" in y|Y|yes|YES) picks="$picks $id" ;; esac
+    done < <(_claude_plugins_catalog_ids "$catalog")
+    printf '%s\n' $picks
+  fi
+}
+
 # --- 50 -----------------------------------------------------------------------
 step_telegram() {
-  local token
+  local token chat_id
   ask token "Telegram bot token (from @BotFather)" "${TELEGRAM_TOKEN:-}"
   if [ -z "$token" ]; then
     err "a Telegram bot token is required (or install with --profile minimal)"
@@ -99,34 +782,288 @@ step_telegram() {
   mkdir -p "$sec"
   printf 'TELEGRAM_TOKEN=%s\n' "$token" > "$sec/telegram.env"
   chmod 600 "$sec/telegram.env"
-  ok "Telegram bot validated and wired (secret stored in the vault)"
+  # Also write the token into the encrypted vault for the new code path.
+  python3 - "$OMEGA_HOME" "$token" <<'PY' || true
+import sys
+from pathlib import Path
+home = Path(sys.argv[1])
+sys.path.insert(0, str(home / "Agentik_Engine"))
+try:
+    from omega_engine.vault import vault_write
+    vault_write(home, "TELEGRAM_TOKEN", sys.argv[2])
+except Exception as exc:
+    print(f"(vault write skipped: {exc})")
+PY
+  ok "Telegram bot validated and wired"
+
+  # Capture the forum group chat id — manifest first, then prompt.
+  chat_id="$(python3 - "$MANIFEST" <<'PY' 2>/dev/null || true
+import sys, yaml
+try:
+    with open(sys.argv[1]) as f:
+        data = yaml.safe_load(f) or {}
+    print((data.get('telegram') or {}).get('group_chat_id', '') or '')
+except Exception:
+    print('')
+PY
+)"
+  chat_id="${chat_id//$'\n'/}"
+  if [ -z "$chat_id" ]; then
+    ask chat_id "Telegram forum group chat id (e.g. -1001234567890; blank to set later)" ""
+  fi
+  if [ -n "$chat_id" ]; then
+    python3 "$OMEGA_REPO/bootstrap/lib/manifest-helpers.py" telegram-chat-id \
+      "$MANIFEST" "$OMEGA_HOME" 2>/dev/null | sed 's/^/    /' || true
+    # When chat_id came from the prompt (not the manifest), persist directly.
+    python3 - "$OMEGA_HOME" "$chat_id" <<'PY' || true
+import sys
+from pathlib import Path
+home = Path(sys.argv[1])
+sys.path.insert(0, str(home / "Agentik_Engine"))
+try:
+    from omega_engine.vault import vault_write
+    vault_write(home, "TELEGRAM_GROUP_ID", sys.argv[2])
+    print(f"Telegram group_chat_id stored: {sys.argv[2]}")
+except Exception as exc:
+    print(f"(vault write skipped: {exc})")
+PY
+  else
+    info "no Telegram group_chat_id captured — set later with \`omega telegram set-group <id>\`"
+  fi
   return 0
 }
 
+# --- 32 -----------------------------------------------------------------------
+#
+# step_accounts — populate the Claude Max pool from the manifest.
+#
+# For each entry under `accounts:`, add the account to the pool. If its
+# `token_env` env var is set (e.g. `CLAUDE_OAUTH_max_primary`), write the
+# token through the encrypted vault. Otherwise the account is added in
+# `resting` state so `omega account login --id <id>` can finish the setup
+# later — the engine sees the account but never assigns work to it until
+# it has a token.
+step_accounts() {
+  if [ -z "${MANIFEST:-}" ] || [ ! -f "$MANIFEST" ]; then
+    info "no manifest accounts — skipping (run \`omega account login\` later)"
+    return 0
+  fi
+  python3 "$OMEGA_REPO/bootstrap/lib/manifest-helpers.py" accounts \
+    "$MANIFEST" "$OMEGA_HOME" | sed 's/^/    /'
+  return 0
+}
+
+# --- 35 -----------------------------------------------------------------------
+#
+# step_providers — project the manifest's `providers:` list into the SSOT.
+#
+# The runtime ModelRouter reads `Agentik_SSOT/providers/router.yaml`; this
+# step makes that file mirror the install manifest. Credentials are NEVER
+# written here — they are env vars / vault refs. If no manifest is present
+# we skip and the operator wires providers later via env or `omega account`.
+step_providers() {
+  if [ -z "${MANIFEST:-}" ] || [ ! -f "$MANIFEST" ]; then
+    info "no manifest providers — skipping (set env vars or run \`omega account login\` later)"
+    return 0
+  fi
+  python3 "$OMEGA_REPO/bootstrap/lib/manifest-helpers.py" providers "$MANIFEST" "$OMEGA_HOME" \
+    >>"$LOG_FILE" 2>&1 || info "providers helper exited non-zero (non-fatal); see $LOG_FILE"
+  # Show the result on stdout for the operator.
+  python3 "$OMEGA_REPO/bootstrap/lib/manifest-helpers.py" providers "$MANIFEST" "$OMEGA_HOME" \
+    | sed 's/^/    /'
+  return 0
+}
+
+# --- 55 -----------------------------------------------------------------------
+#
+# step_autonomous — register charters listed under `autonomous_agents:`.
+#
+# Charters live in `Agentik_Orchestration/autonomous/<id>.yaml`. The
+# AutonomousSupervisor (`omega daemon autonomous`) loads them at start. This
+# step copies any selected template charter from `bootstrap/templates/
+# autonomous/<id>.yaml` into the live tree. Charters not in the templates
+# directory must be authored manually — we just log the gap.
+step_autonomous() {
+  if [ -z "${MANIFEST:-}" ] || [ ! -f "$MANIFEST" ]; then
+    info "no manifest autonomous_agents — skipping (drop charter YAMLs later)"
+    return 0
+  fi
+  local templates="$OMEGA_REPO/bootstrap/templates/autonomous"
+  local target="$OMEGA_HOME/Agentik_Orchestration/autonomous"
+  mkdir -p "$target"
+  python3 "$OMEGA_REPO/bootstrap/lib/manifest-helpers.py" autonomous \
+    "$MANIFEST" "$templates" "$target" | sed 's/^/    /'
+  return 0
+}
+
+# --- 57 -----------------------------------------------------------------------
+#
+# step_rag — project `options.rag.{envelope,strategies}` from the manifest
+# into `Agentik_SSOT/rag/config.yaml`. The multi-RAG router reads this at
+# runtime to pick its envelope + which strategies to enable.
+step_rag() {
+  if [ -z "${MANIFEST:-}" ] || [ ! -f "$MANIFEST" ]; then
+    info "no manifest RAG config — leaving defaults (Corrective + Hybrid)"
+    return 0
+  fi
+  python3 "$OMEGA_REPO/bootstrap/lib/manifest-helpers.py" rag \
+    "$MANIFEST" "$OMEGA_HOME" | sed 's/^/    /'
+  return 0
+}
+
+# --- 58 -----------------------------------------------------------------------
+#
+# step_first_project — create the project listed under `first_project:`.
+#
+# Idempotent: re-running an install that already created the project is a
+# no-op. If a Telegram bridge is wired we bind a topic; otherwise the
+# project is created without a topic and `omega project bind-topic` can
+# attach one later.
+step_first_project() {
+  if [ -z "${MANIFEST:-}" ] || [ ! -f "$MANIFEST" ]; then
+    info "no manifest first_project — skipping (run \`omega project <name>\` later)"
+    return 0
+  fi
+  OMEGA_HOME="$OMEGA_HOME" python3 \
+    "$OMEGA_REPO/bootstrap/lib/manifest-helpers.py" first-project \
+    "$MANIFEST" "$OMEGA_HOME" | sed 's/^/    /'
+  return 0
+}
+
+# --- 59 -----------------------------------------------------------------------
+#
+# step_hermes_session — guarantee one always-on Hermès chat session.
+#
+# Spawns the persistent `AISB-chat` tmux session running `omega aisb chat-loop`.
+# This is the operator's terminal-side conversation entry point — critical
+# when Telegram isn't wired (minimal profile, or chat_id not yet set), and
+# still useful when it IS wired (an always-attached local fallback that does
+# not need internet).
+#
+# Idempotent: if `AISB-chat` is already alive, we just print attach
+# instructions.
+step_hermes_session() {
+  if ! have tmux; then
+    err "tmux not installed — step_system_deps should have caught this"
+    return 1
+  fi
+  local omega="$OMEGA_HOME/Agentik_Tools/bin/omega"
+  [ -x "$omega" ] || { err "omega CLI not found at $omega — step_engine incomplete"; return 1; }
+
+  PYTHONPATH="$OMEGA_HOME/Agentik_Engine" python3 - <<PY 2>>"$LOG_FILE"
+import os
+os.environ["OMEGA_HOME"] = "$OMEGA_HOME"
+from omega_engine import tmux
+name = "AISB-chat"
+if tmux.is_alive(name):
+    print(f"  session already running: {name}")
+else:
+    tmux.spawn_aisb_chat("$OMEGA_HOME")
+    print(f"  spawned: {name}  (always-on Hermès conversation)")
+print(f"  attach:  {tmux.attach_command(name)}")
+print(f"  detach:  Ctrl-b d  (session keeps running)")
+PY
+  return $?
+}
+
 # --- 60 -----------------------------------------------------------------------
+#
+# step_services — install the 24/7 service layer.
+#
+# Linux: write 3 systemd user units, `daemon-reload`, then `enable --now`.
+#        Also enable `loginctl linger` so the units stay up when the operator
+#        is not logged in (the VPS case).
+# macOS: write 3 launchd LaunchAgent plists into ~/Library/LaunchAgents/
+#        and `launchctl load` each. RunAtLoad + KeepAlive give the same
+#        24/7 semantics as systemd.
 step_services() {
   if [ "${PROFILE:-vps}" = "minimal" ]; then
     info "minimal profile — no services installed"
     return 0
   fi
+  local omegabin="$OMEGA_HOME/Agentik_Tools/bin/omega"
+  [ -x "$omegabin" ] || { err "omega CLI not found at $omegabin — step 30 incomplete"; return 1; }
+
   if [ "$OMEGA_OS" = "linux" ]; then
-    local unitdir="$HOME/.config/systemd/user"
-    mkdir -p "$unitdir"
-    _systemd_unit "Omega OS engine"               "$OMEGA_HOME/Agentik_Tools/bin/omega status" \
-      > "$unitdir/omega-engine.service"
-    _systemd_unit "Omega OS Telegram bridge"      "$OMEGA_HOME/Agentik_Tools/bin/omega status" \
-      > "$unitdir/omega-telegram.service"
-    _systemd_unit "Omega OS autonomous supervisor" "$OMEGA_HOME/Agentik_Tools/bin/omega status" \
-      > "$unitdir/omega-autonomous.service"
-    info "systemd user units written to $unitdir"
-    info "the 24/7 layer: \`systemctl --user enable --now omega-engine omega-telegram omega-autonomous\`"
-    info "(enable once the engine daemon / bridge build-out is complete — see docs/ENGINE-SPEC.md)"
+    _services_linux "$omegabin"
   else
-    info "macOS — launchd plists for the workstation profile go here (build-out)"
+    _services_macos "$omegabin"
   fi
   return 0
 }
 
+_services_linux() {
+  local omegabin="$1"
+  local unitdir="$HOME/.config/systemd/user"
+  mkdir -p "$unitdir"
+  _systemd_unit "Omega OS engine"                "$omegabin daemon engine" \
+    > "$unitdir/omega-engine.service"
+  _systemd_unit "Omega OS Telegram bridge"       "$omegabin daemon telegram" \
+    > "$unitdir/omega-telegram.service"
+  _systemd_unit "Omega OS autonomous supervisor" "$omegabin daemon autonomous" \
+    > "$unitdir/omega-autonomous.service"
+  info "systemd user units written to $unitdir"
+
+  # Enable linger so services survive logout (the VPS case).
+  if have loginctl; then
+    if sudo -n loginctl enable-linger "$OMEGA_USER" >>"$LOG_FILE" 2>&1; then
+      ok "loginctl enable-linger $OMEGA_USER"
+    else
+      info "could not enable linger (sudo password required) — run later: sudo loginctl enable-linger $OMEGA_USER"
+    fi
+  fi
+
+  # systemctl --user needs a running user manager. Try; fall back to a hint.
+  if systemctl --user daemon-reload >>"$LOG_FILE" 2>&1; then
+    if systemctl --user enable --now \
+         omega-engine.service omega-telegram.service omega-autonomous.service \
+         >>"$LOG_FILE" 2>&1; then
+      ok "systemd user services enabled and started (omega-engine, omega-telegram, omega-autonomous)"
+    else
+      err "systemctl --user enable failed — see $LOG_FILE; start manually with:"
+      err "    systemctl --user enable --now omega-engine omega-telegram omega-autonomous"
+    fi
+  else
+    info "systemd --user not available in this session (no D-Bus / login session)"
+    info "after first login: \`systemctl --user enable --now omega-engine omega-telegram omega-autonomous\`"
+  fi
+}
+
+_services_macos() {
+  local omegabin="$1"
+  local agentdir="$HOME/Library/LaunchAgents"
+  local logdir="$OMEGA_HOME/Agentik_Extra/var/logs"
+  mkdir -p "$agentdir" "$logdir"
+
+  _launchd_plist "com.agentikos.omega.engine"     "$omegabin" "engine" \
+    "$logdir/engine.log"     "$logdir/engine.err.log" \
+    > "$agentdir/com.agentikos.omega.engine.plist"
+  _launchd_plist "com.agentikos.omega.telegram"   "$omegabin" "telegram" \
+    "$logdir/telegram.log"   "$logdir/telegram.err.log" \
+    > "$agentdir/com.agentikos.omega.telegram.plist"
+  _launchd_plist "com.agentikos.omega.autonomous" "$omegabin" "autonomous" \
+    "$logdir/autonomous.log" "$logdir/autonomous.err.log" \
+    > "$agentdir/com.agentikos.omega.autonomous.plist"
+
+  info "launchd LaunchAgent plists written to $agentdir"
+
+  local label rc=0
+  for label in com.agentikos.omega.engine com.agentikos.omega.telegram com.agentikos.omega.autonomous; do
+    # `launchctl bootstrap` is the modern command; `load` works on every
+    # supported macOS version. Try bootstrap first, fall back to load.
+    if launchctl bootstrap "gui/$(id -u)" "$agentdir/$label.plist" >>"$LOG_FILE" 2>&1; then
+      ok "launchd loaded: $label"
+    elif launchctl load -w "$agentdir/$label.plist" >>"$LOG_FILE" 2>&1; then
+      ok "launchd loaded (legacy): $label"
+    else
+      err "launchctl load failed for $label — start manually:"
+      err "    launchctl bootstrap gui/\$(id -u) $agentdir/$label.plist"
+      rc=1
+    fi
+  done
+  return $rc
+}
+
 _systemd_unit() {  # _systemd_unit <description> <execstart>
   cat <<EOF
 [Unit]
@@ -145,6 +1082,43 @@ WantedBy=default.target
 EOF
 }
 
+# _launchd_plist <label> <omegabin> <daemon> <stdout-log> <stderr-log>
+_launchd_plist() {
+  cat <<EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>$1</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>$2</string>
+    <string>daemon</string>
+    <string>$3</string>
+  </array>
+  <key>EnvironmentVariables</key>
+  <dict>
+    <key>OMEGA_HOME</key>
+    <string>$OMEGA_HOME</string>
+    <key>PATH</key>
+    <string>$PATH</string>
+  </dict>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>KeepAlive</key>
+  <true/>
+  <key>StandardOutPath</key>
+  <string>$4</string>
+  <key>StandardErrorPath</key>
+  <string>$5</string>
+  <key>ThrottleInterval</key>
+  <integer>10</integer>
+</dict>
+</plist>
+EOF
+}
+
 # --- 70 -----------------------------------------------------------------------
 step_doctor() {
   local omega="$OMEGA_HOME/Agentik_Tools/bin/omega"