@agentikos/omega-os 0.1.0

package/omega/Agentik_SSOT/audits/flowaudit.yaml

@@ -0,0 +1,72 @@
+# flowaudit — Quality Arsenal definition for OmegaOS.
+# Compact + structured: the Gestalt-Popper shell lives in omega_engine.audit_arsenal;
+# this file supplies only the domain — gather tools, phases, falsification rules.
+
+id: flowaudit
+domain: flows
+question: "Does the experience WORK — can a user complete every journey without getting lost or stuck?"
+weight: 1.0
+threshold: 85
+
+applies_to:
+  roles: [worker]
+  changed: ["*"]
+
+# GATHER — deterministic flow-shape detectors, run first, no LLM. Machine-checkable signals.
+gather:
+  - name: routes
+    cmd: "find {path} -type f \\( -path '*app/*page.tsx' -o -path '*app/*page.jsx' -o -path '*pages/*' \\) 2>/dev/null || true"
+    when: "*.tsx,*.jsx,*.ts,*.js"
+  - name: noop-handlers
+    cmd: "grep -rnE 'on(Click|Submit)=\\{?\\(\\s*\\)\\s*=>\\s*\\{?\\s*\\}|href=[\"'\\'']#[\"'\\'']' {path} || true"
+    when: "*.tsx,*.jsx"
+  - name: empty-state-markers
+    cmd: "grep -rnE 'No items|No results|Nothing (here|found)|empty|Empty' {path} || true"
+    when: "*.tsx,*.jsx"
+  - name: error-boundaries
+    cmd: "grep -rnE 'ErrorBoundary|error\\.tsx|not-found\\.tsx|catch\\s*\\(' {path} || true"
+    when: "*.tsx,*.jsx,*.ts"
+
+# PHASES — the agentic falsification pass investigates each. Flow-prosecutor scrutiny.
+phases:
+  - id: hinge-flow
+    checks: "Identify the ONE journey that — if broken — makes the product worthless (signup->activation, purchase->delivery); audit it with 10x scrutiny end-to-end."
+  - id: flow-completeness
+    checks: "Every flow has a reachable entry, every step a clear single CTA and visible progress, a confirmed success state, and a sane next action — no flow that starts but cannot finish."
+  - id: state-machines
+    checks: "Every entity's lifecycle states are explicit, transitions guarded (no draft->completed skip), invalid transitions rejected not silently corrupting, no entity can get permanently stuck."
+  - id: happy-path
+    checks: "Walk each primary journey — data entered in step 1 survives to step 5, every action acknowledged under 100ms, the result is visible afterward in the dashboard/list."
+  - id: error-paths
+    checks: "For every flow exercise the dark paths — empty/invalid/boundary input, API failure mid-flow, slow/garbage responses, permission loss, double-submit; each handled gracefully."
+  - id: dead-ends
+    checks: "No state with no way out — unclosable modals, error pages with no home link, success pages with no next step, 'Processing...' that never resolves, empty results with no guidance."
+  - id: permission-auth-gaps
+    checks: "Every protected route redirects unauthenticated users and denies wrong roles; no IDOR via URL ID tampering; admin checks enforced server-side not just hidden in UI; session expiry handled."
+  - id: onboarding
+    checks: "First-run shows a guided path not an empty dashboard; the shortest path to the activation 'aha' action; empty states teach the user to create their first item."
+  - id: data-integrity
+    checks: "Input -> storage -> display roundtrip is identical (special chars, emoji, numbers, timezones); data created in flow A visible in flow B; deletes clean up all references."
+  - id: cross-session-continuity
+    checks: "Close/reopen browser preserves state, long flows resume rather than restart, real-time sync across tabs/users, active flows survive a deploy or migration."
+  - id: error-recovery
+    checks: "After a validation/network/payment error — form values preserved, focus on the errored field, actionable message, retry without double-charge; destructive actions undoable."
+  - id: notification-feedback
+    checks: "Every action gets a proportional reaction — no silent success, no silent failure, no state change without notice; progress communicated for long/background operations."
+  - id: empty-and-loading-states
+    checks: "Every list/table/dashboard has a designed zero-data state with a CTA, a layout-shaped loading skeleton, a styled error state with retry — never a blank or collapsed layout."
+  - id: destructive-actions
+    checks: "Delete/cancel/disconnect have a consequence-explaining confirmation, the confirm button is not the default, reversibility or clear irreversible warning, cascade effects disclosed."
+  - id: flow-entropy
+    checks: "Similar flows structured alike, same action same verb everywhere, back always means back, one consistent pattern for success/error/loading, no terminology drift."
+
+falsification: >
+  The user is always lost; every button is a promise — FALSIFY each. Click
+  "Save": was data actually persisted? "Cancel anytime": can you cancel at every
+  point? Every PASS must cite at least 3 concrete checks (the route walked, the
+  state in the DB, the screenshot of the step). Categorise findings as
+  LABEL-vs-ACTION, PROMISE-vs-EXPERIENCE, STATE-vs-DISPLAY, or FEEDBACK-vs-TRUTH.
+  Happy paths are marketing; error paths, edge cases and permission denials are
+  reality — an untested dark path is an untested flow. Bias toward FAIL.
+
+fix_loop: true

package/omega/Agentik_SSOT/audits/logicaudit.yaml

@@ -0,0 +1,75 @@
+# logicaudit — OmegaOS Quality Arsenal definition.
+# Compact + structured: the Gestalt-Popper shell lives in omega_engine.audit_arsenal;
+# this file supplies only the domain — gather tools, phases, falsification rules.
+
+id: logicaudit
+domain: logic
+question: "Where is the system fighting itself — wasted computation, redundant paths, the wrong amount of engineering?"
+weight: 1.0
+threshold: 85
+
+applies_to:
+  roles: [worker]
+  changed: ["*.ts", "*.tsx", "*.js", "*.jsx", "*.py", "*.go", "*.rs", "*.sh"]
+
+# GATHER — deterministic tools, run first, no LLM. Machine-checkable findings.
+gather:
+  - name: complexity-census
+    cmd: "for f in {path}; do c=$(grep -cE '(if |else|switch|case |for |while |&&|\\|\\||try|catch|\\?)' \"$f\" 2>/dev/null); echo \"$c $f\"; done | sort -rn | head -30 || true"
+    when: "*.ts,*.tsx,*.js,*.jsx,*.py,*.sh"
+  - name: monster-files
+    cmd: "wc -l {path} 2>/dev/null | sort -rn | awk '$1>500' || true"
+    when: "*.ts,*.tsx,*.js,*.jsx,*.py,*.go,*.rs,*.sh"
+  - name: deep-nesting
+    cmd: "grep -nE '^[[:space:]]{20,}[^[:space:]]' {path} 2>/dev/null | head -25 || true"
+    when: "*.ts,*.tsx,*.js,*.jsx,*.py"
+  - name: dead-exports
+    cmd: "npx --no-install ts-prune 2>/dev/null || true"
+    when: "*.ts,*.tsx"
+  - name: deep-clone-misuse
+    cmd: "grep -rnE 'JSON\\.parse\\(JSON\\.stringify\\(' --include='*.ts' --include='*.tsx' --include='*.js' --include='*.jsx' {path} || true"
+    when: "*.ts,*.tsx,*.js,*.jsx"
+
+# PHASES — the agentic falsification pass investigates each, domain-specific.
+phases:
+  - id: redundant-logic
+    checks: "Semantically identical logic in 3+ places; checks repeated across middleware/handler/service (blurs who owns validation); overlapping modules; chained data transforms; self-defeating logic (cache invalidated before read)."
+  - id: algorithmic-efficiency
+    checks: "Real Big-O of every loop/recursion; O(n^2) hidden as Array.find inside Array.map; N+1 query/fetch patterns; unnecessary computation (sort just to test existence); string concat / regex compile in loops."
+  - id: pipeline-efficiency
+    checks: "Sum of step times vs total pipeline time — overhead >50% means the pipeline design IS the bug; sequential steps with no data dependency; stages producing output nobody reads; restart-from-stage-1 vs checkpoint."
+  - id: orchestration-overhead
+    checks: "Hop count user→result — which hops are essential vs ceremony; dispatch overhead vs task size (task < dispatch cost → do it in-place); intent preserved or diluted per hop; coordination tax in multi-agent work."
+  - id: abstraction-fit
+    checks: "Over-abstraction (factory with one type, plugin system with one plugin, GenericHandler<T> always string); under-abstraction (15 lines copy-pasted 8×); wrong abstraction (UserService doing auth+billing+notifications)."
+  - id: state-machines
+    checks: "Implicit state from combined booleans (isLoading+hasError+isReady = impossible combos); states that CAN be represented but are impossible WILL be reached; missing transitions (Loading with no path to Error)."
+  - id: data-flow-entropy
+    checks: "Single source of truth per datum (same data in DB + local state + URL = 3 truths); transformation chain length; data duplication without sync; prop drilling through components that never use it; stale-data patterns."
+  - id: caching-intelligence
+    checks: "Missing caches (pure function re-called with same inputs, static reference data re-queried); ineffective caches (2% hit rate = wrong key granularity); invalidation correctness; caching at the right layer."
+  - id: parallelization-gaps
+    checks: "Independent ops awaited serially instead of Promise.all; N individual calls that should be one batch; load-everything-then-process instead of streaming; worker pool sized wrong for wait/compute ratio."
+  - id: config-complexity
+    checks: "Total config surface vs how many values are EVER changed from default; same value defined in .env AND config AND CLI AND default with undocumented precedence; invalid config caught at startup not first request."
+  - id: error-logic
+    checks: "Swallowed errors (empty catch, .catch(()=>null)); error info loss (rethrow as generic 'something went wrong', logged at INFO); retry on non-transient 4xx; retry without backoff/idempotency/ceiling; wrong fallback values."
+  - id: decision-tree-pruning
+    checks: "Arrow anti-pattern (if→if→if→if→logic) — flatten with guard clauses; 40-case switch that should be a lookup map; feature flags always-ON or always-OFF; routing that could be a simple table."
+  - id: over-engineering
+    checks: "Unused flexibility (EventEmitter with one listener, strategy pattern with one strategy); premature optimization; architecture astronautics (microservices for one dev, event sourcing for CRUD); speculative generality."
+  - id: under-engineering
+    checks: "Missing validation at boundaries (user input reaches DB unsanitized); missing error boundaries (one component crash kills the page); missing observability on critical paths; complex algorithm with zero comments."
+  - id: dead-logic
+    checks: "Unreachable code after return/throw; branches guarded by always-true/false conditions; functions defined-never-called-not-exported; dead feature flags; commented-out code blocks; unused imports/variables."
+
+falsification: >
+  Complexity is guilt until proven innocent — every abstraction, config layer and
+  indirection must justify its existence with measurement or be eliminated. Every
+  optimization claim is a hypothesis: "this cache speeds it up" → prove it with hit-rate
+  numbers; "this abstraction reduces complexity" → count lines/branches before and after.
+  Categorise findings as CLAIM-vs-MEASUREMENT, ABSTRACTION-vs-USAGE, CACHE-vs-FRESHNESS,
+  PARALLEL-vs-SEQUENTIAL, RETRY-vs-IDEMPOTENT, or CONFIG-vs-HARDCODE. An optimization with
+  no measurable improvement is a failed hypothesis — revert it.
+
+fix_loop: true

package/omega/Agentik_SSOT/audits/motionaudit.yaml

@@ -0,0 +1,67 @@
+# motionaudit — Quality Arsenal definition for OmegaOS.
+# Compact + structured: the Gestalt-Popper shell lives in omega_engine.audit_arsenal;
+# this file supplies only the domain — gather tools, phases, falsification rules.
+
+id: motionaudit
+domain: motion
+question: "Does it MOVE with purpose — does every animation earn its place and run at 60fps?"
+weight: 1.0
+threshold: 85
+
+applies_to:
+  roles: [worker]
+  changed: ["*.tsx", "*.jsx", "*.css", "*.ts"]
+
+# GATHER — one cheap deterministic signal: properties animated. The compositor rule
+# (only transform/opacity are free) IS machine-checkable. Everything else needs the LLM.
+gather:
+  - name: layout-paint-animation
+    cmd: "grep -rnE 'transition[^;]*(width|height|margin|padding|top|left|right|bottom|font-size|box-shadow|background-color)|animation:[^;]*(width|height|margin|padding|top|left)' {path} || true"
+    when: "*.css,*.tsx,*.jsx"
+  - name: reduced-motion
+    cmd: "grep -rn 'prefers-reduced-motion' {path} || true"
+    when: "*.css,*.tsx,*.jsx,*.ts"
+
+# PHASES — the agentic falsification pass investigates each. Motion-designer scrutiny.
+phases:
+  - id: motion-inventory
+    checks: "Catalog every animation — CSS transitions/keyframes, JS-driven (rAF, Web Animations API, GSAP, Framer Motion), scroll-driven, canvas/WebGL — with element, trigger, properties, duration, easing."
+  - id: purpose-verification
+    checks: "The hinge — apply the Purpose Test to each animation: does it COMMUNICATE state/causality, ORIENT the user, or CREATE meaning? Remove it mentally — if nothing is lost, it is PURPOSELESS."
+  - id: easing-system
+    checks: "Easing as a vocabulary — enters decelerate (ease-out), exits accelerate (ease-in); count unique curves; are they named tokens or arbitrary per-component cubic-beziers?"
+  - id: duration-consistency
+    checks: "Durations on a systematic scale (tokens), each in its appropriate range — micro 80-150ms, entrances 200-400ms, exits faster than entrances; total entry choreography under 800ms."
+  - id: choreography
+    checks: "Page entrances introduce themselves as a sequence following content hierarchy with consistent stagger; exits are swift and directional; state transitions communicate spatial relationships."
+  - id: scroll-animations
+    checks: "No scroll hijacking, user controls pace, gentle parallax (10-30%), progress-linked not fire-and-forget, passive listeners, IntersectionObserver unobserved after firing."
+  - id: page-transitions
+    checks: "Route changes animate with directional logic rather than hard-cut, shared-element continuity where possible, View Transitions API where supported, no long blank screens."
+  - id: micro-interactions
+    checks: "Every interactive element responds to hover/focus/press with physical feedback (translate/scale, not color-only), consistent timing, popovers appear FROM their trigger."
+  - id: loading-skeleton
+    checks: "Loading states are skeletons matching final layout (not bare spinners), shimmer is CSS-only, progressive reveal, smooth skeleton-to-content transition."
+  - id: webgl-canvas
+    checks: "WebGL/P5 justified over CSS, 60fps desktop / 30fps mobile, tiered fallback (WebGL2/WebGL1/static), lazy-loaded, geometries/textures disposed on unmount, paused when off-screen."
+  - id: css-performance
+    checks: "Animations use ONLY transform and opacity — animating width/height/margin/box-shadow triggers layout or paint; will-change used sparingly; no read-write-read forced reflow in loops."
+  - id: reduced-motion
+    checks: "prefers-reduced-motion is a designed alternative not a nuclear kill-all — state changes still visible (modal still opens instantly), ambient motion pausable, interaction never blocked."
+  - id: mobile-motion
+    checks: "Touch-specific :active feedback (not repurposed hover), gesture physics with momentum, safe-area respect, rAF paused when hidden, 30fps minimum under 4x CPU throttle."
+  - id: motion-meaning-gap
+    checks: "The absence of motion is a finding — list added/removed, counter updates, tab switches, accordions, filtering, sorting that hard-cut where a transition should communicate the change."
+  - id: motion-excess
+    checks: "Animations that harm — competing simultaneous motion, entrances over 600ms, distracting loops near text, redundant nested animations, gratuitous WebGL that could be CSS."
+
+falsification: >
+  Every animation is guilty until proven purposeful. "It looks cool" is not a
+  reason — FALSIFY each animation's justification: what does the user understand
+  faster because of this motion? Every PASS must cite at least 3 concrete checks
+  (the grepped property, the measured duration, the frame trace). Categorise
+  findings as PURPOSE-vs-DECORATION, SYSTEM-vs-RANDOM, COMPOSITED-vs-EXPENSIVE,
+  or PRESENT-vs-MISSING. A page with one perfectly timed animation beats a page
+  with twelve good ones. Bias toward FAIL.
+
+fix_loop: true

package/omega/Agentik_SSOT/audits/perfaudit.yaml

@@ -0,0 +1,71 @@
+# perfaudit — OmegaOS Quality Arsenal definition.
+# Compact + structured: the Gestalt-Popper shell lives in omega_engine.audit_arsenal;
+# this file supplies only the domain — gather tools, phases, falsification rules.
+
+id: perfaudit
+domain: performance
+question: "Is it FAST ENOUGH for humans to care — or does it bleed milliseconds nobody measured?"
+weight: 1.0
+threshold: 85
+
+applies_to:
+  roles: [worker]
+  changed: ["*.ts", "*.tsx", "*.js", "*.jsx", "*.css", "*.scss", "*.html", "*.py", "*.sql", "*.png", "*.jpg", "*.jpeg", "*.svg"]
+
+# GATHER — deterministic tools, run first, no LLM. Machine-checkable findings.
+gather:
+  - name: lighthouse
+    cmd: "npx --no-install lighthouse {path} --only-categories=performance --output=json --quiet --chrome-flags='--headless --no-sandbox' || true"
+    when: "*.html,*.tsx,*.jsx"
+  - name: build-size
+    cmd: "du -sh .next dist build out 2>/dev/null | sort -rh || true"
+    when: "*"
+  - name: largest-bundles
+    cmd: "find .next dist build out -name '*.js' -type f 2>/dev/null -exec du -h {} + | sort -rh | head -25 || true"
+    when: "*.ts,*.tsx,*.js,*.jsx"
+  - name: heavy-assets
+    cmd: "find . -path ./node_modules -prune -o -type f \\( -name '*.png' -o -name '*.jpg' -o -name '*.jpeg' -o -name '*.gif' \\) -size +200k -print -exec du -h {} + 2>/dev/null | sort -rh | head -25 || true"
+    when: "*.png,*.jpg,*.jpeg,*.svg,*.tsx,*.jsx"
+  - name: barrel-imports
+    cmd: "grep -rnE \"import +(\\* as )?[A-Za-z_]+ +from +['\\\"](lodash|moment|date-fns|rxjs|@mui/material|antd)['\\\"]\" --include='*.ts' --include='*.tsx' --include='*.js' --include='*.jsx' {path} || true"
+    when: "*.ts,*.tsx,*.js,*.jsx"
+
+# PHASES — the agentic falsification pass investigates each, domain-specific.
+phases:
+  - id: core-web-vitals
+    checks: "Measure LCP (<2.5s), INP (<200ms), CLS (<0.1), TTFB (<800ms), FCP (<1.8s) on the hinge page; re-run throttled at 3G + 4x CPU and watch the score collapse."
+  - id: bundle-bloat
+    checks: "Total initial JS compressed (<200KB target); barrel imports pulling whole libraries; duplicate deps at multiple versions; source maps shipped to prod."
+  - id: render-path
+    checks: "Render-blocking CSS/scripts in the critical path; unnecessary React re-renders; layout thrashing (read-write-read); long tasks >50ms blocking interactivity."
+  - id: js-execution
+    checks: "Parse cost per bundle; hydration time and mismatch errors; un-throttled scroll/resize handlers; async waterfalls that should be Promise.all."
+  - id: image-optimization
+    checks: "PNG/JPEG where WebP/AVIF saves 60-80%; images larger than display size; missing width/height (CLS); missing lazy-loading below the fold; missing fetchpriority on the LCP image."
+  - id: font-loading
+    checks: "WOFF2 used and subset to used glyphs; font-display:swap to prevent FOIT; critical fonts preloaded; layout shift when the web font swaps in."
+  - id: caching-strategy
+    checks: "Cache-Control + immutable on fingerprinted assets; repeated identical API calls that should be memoized/SWR-cached; deploy invalidates stale CSS/JS hashes."
+  - id: ssr-ssg-strategy
+    checks: "Each route uses the right rendering mode (SSR/SSG/ISR/CSR); static pages wrongly rendered per-request; SSR data fetching serial instead of parallel; streaming used for TTFB."
+  - id: code-splitting
+    checks: "Route-based and component-based splitting working; vendor/framework chunks separated; heavy components (charts, editors, maps) lazy-loaded behind dynamic import."
+  - id: api-response-times
+    checks: "Per-endpoint average <200ms and P95 <1s; over-fetching unused fields; sequential dependent calls on page load; missing pagination on list endpoints."
+  - id: n-plus-one
+    checks: "Same query template fired in a loop with different params; ORM relationships lacking eager loading; SELECT * where columns suffice; total queries per page load >10."
+  - id: db-query-performance
+    checks: "Queries >100ms; full table scans from missing indexes; joins/sorts without supporting indexes; large result sets without LIMIT; connection pool sized for concurrency."
+  - id: memory-leaks
+    checks: "Heap growth over time; detached DOM nodes; event listeners/timers/intervals/sockets never cleaned on unmount; unbounded caches and history stacks."
+  - id: resource-hints-third-party
+    checks: "LCP image and critical fonts preloaded; preconnect/dns-prefetch for third-party origins; render-blocking third-party scripts that could be deferred or facade-loaded."
+
+falsification: >
+  Lighthouse scores lie — every green score must be re-verified throttled (3G + 4x CPU,
+  cold cache) and twice to rule out a one-off blip. Categorise findings as SCORE-vs-REALITY,
+  LAB-vs-FIELD, FIRST-vs-REPEAT, or AVERAGE-vs-P95. Every PASS cites ≥3 concrete
+  measurements with actual numbers. "It's fast for me" (warm cache, fast machine) is not
+  evidence. Bias toward FAIL — a 100 is earned, never assumed.
+
+fix_loop: true

package/omega/Agentik_SSOT/audits/refontaudit.yaml

@@ -0,0 +1,77 @@
+# refontaudit — Quality Arsenal definition for OmegaOS.
+# Compact + structured: the Gestalt-Popper shell lives in omega_engine.audit_arsenal;
+# this file supplies only the domain — gather tools, phases, falsification rules.
+#
+# Note: refontaudit is a senior REDESIGN engine, not a defect hunter. It observes
+# what exists, classifies every screen KEEP/IMPROVE/RETHINK/KILL, and proposes the
+# 3-5 evolution changes that resolve 80% of friction. Evolution beats revolution —
+# touch the least, impact the most. "PASS" here means a ship-ready, data-grounded,
+# confidence-scored refonte plan, not zero findings.
+
+id: refontaudit
+domain: redesign
+question: "Is there a ship-ready refonte plan — does it preserve what works and fix only what data proves broken?"
+weight: 1.0
+threshold: 85
+
+applies_to:
+  roles: [worker]
+  changed: ["*.tsx", "*.jsx", "*.css", "*.html", "*.vue"]
+
+# GATHER — git churn is a real deterministic hotspot signal (files changed most = most problematic).
+# Component/route inventory grounds the Keep Audit. No tool can decide KEEP vs RETHINK — the LLM does.
+gather:
+  - name: churn-hotspots
+    cmd: "git -C {path} log --since='6 months ago' --pretty=format: --name-only --diff-filter=M 2>/dev/null | grep -E 'app/|pages/|components/' | sort | uniq -c | sort -rn | head -30 || true"
+    when: "*"
+  - name: shadcn-usage
+    cmd: "grep -rl '@/components/ui' {path} 2>/dev/null || true"
+    when: "*.tsx,*.jsx"
+  - name: routes
+    cmd: "find {path} -type f \\( -path '*app/*page.tsx' -o -path '*pages/*' \\) 2>/dev/null || true"
+    when: "*.tsx,*.jsx,*.ts,*.js"
+
+# PHASES — the agentic pass works each. Senior lead-dev + UX-designer judgment.
+phases:
+  - id: inventory
+    checks: "Crawl every route in scope, screenshot at 1440/1024/375px, map shadcn usage, extract font stack and palette; under 3 routes or no shadcn means wrong project — abort."
+  - id: current-ia
+    checks: "Build the IA tree (sidebar -> pages -> sub-pages -> modals), classify each screen (list/detail/form/overview/settings/empty), flag orphaned screens and nav-to-nothing stubs."
+  - id: current-flows
+    checks: "Trace the top 5 user intents from dashboard to completed action; count clicks to primary action, context switches, waiting states; mark friction (>3 clicks, modal-in-modal, full reloads)."
+  - id: density-hierarchy
+    checks: "Per top-level screen measure items-per-viewport, visual hierarchy depth, primary-action clarity (yes/no/ambiguous), whitespace ratio — density is a feature only with clear hierarchy."
+  - id: data-collection
+    checks: "Read real data before redesigning — Linear ticket hotspots per page, console-error hotspots, analytics if configured, git-churn hotspots; the top 3 pages are the priority targets."
+  - id: user-story-mining
+    checks: "Extract 10 user stories (as-a/I-want/so-that) with frequency and friction; prioritize by frequency x friction into P1/P2/P3; this list drives every later proposal."
+  - id: keep-audit
+    checks: "The hinge of restraint — classify EVERY screen KEEP (works, untouchable) / IMPROVE (good bones, targeted change) / RETHINK (wrong approach) / KILL (no story, no traffic, orphan)."
+  - id: clarity-gate
+    checks: "5-second Gestalt test per screen — can the user answer 'what is this page for?' and 'what is the primary action?'; score pass/partial/fail; compute current clarity percentage."
+  - id: hypothesis-falsification
+    checks: "Generate 3 data-grounded hypotheses for why the design fails (worst ticket-hotspot page, worst-friction P1 story, worst clarity screen); only hypotheses that survive falsification become rationale."
+  - id: pattern-mapping
+    checks: "For each high-friction P1/P2 story match a proven pattern from real reference products (Linear/Vercel/Stripe), grounded in the user story it serves — not 'it looks nice'; flag gaps needing custom solutions."
+  - id: ia-proposal
+    checks: "The hinge — name the 3-5 specific evolution changes resolving 80% of friction (each citing a user story + data + reference); never change the nav model unless >50% of screens are RETHINK."
+  - id: workflow-redesign
+    checks: "For each P1 story show before/after click count and context switches with happy path plus 2 edge cases; redesign only flows touching IMPROVE/RETHINK screens, never KEEP screens."
+  - id: component-composition
+    checks: "Map each new/improved page to a real shadcn component tree with typed composite interfaces; KEEP screens get no new components — this prevents 'while we're here' scope creep."
+  - id: interaction-state-model
+    checks: "Define keyboard grammar, hover/focus rules, empty/loading/error patterns, and the state architecture (URL vs server vs UI vs selection) so shared links and the back button restore exact state."
+  - id: hinge-stress-test
+    checks: "Stress the top 3 proposed changes against 10 scenarios — new user/0 data, power user/10k items keyboard-only, mobile 375px, dark mode, long names, RTL, offline, interruption, screen reader, 1000-item lists."
+
+falsification: >
+  A refonte without user stories is decoration; without data is guessing;
+  without a Keep Audit is vandalism. FALSIFY every proposal — it must trace to a
+  P1/P2 user story AND a measured hotspot, or its confidence collapses. Evolution
+  beats revolution: a senior never reaches for revolution first. Categorise gaps
+  as KEEP-TOUCHED (a working screen was redesigned — automatic fail),
+  STORYLESS-PROPOSAL (change serving no user story), or HINGE-UNPROVEN (the
+  3-5 changes failed 2+ of the 10 scenarios). Every proposal carries an honest
+  confidence score — nothing is 100%, senior humility. Bias toward FAIL.
+
+fix_loop: true

package/omega/Agentik_SSOT/audits/retentionaudit.yaml

@@ -0,0 +1,84 @@
+# retentionaudit — Quality Arsenal definition for OmegaOS.
+# Compact + structured: the Gestalt-Popper shell lives in omega_engine.audit_arsenal;
+# this file supplies only the domain — gather tools, phases, falsification rules.
+#
+# READ-ONLY: this audit PROPOSES retention opportunities (RICE x Fogg scored),
+# it never edits source. fix_loop is false — output hands off to /planner.
+
+id: retentionaudit
+domain: retention
+question: "What would the CPO of a $1B SaaS find that we MISSED to make users stay 3x longer?"
+weight: 1.0
+threshold: 85
+
+applies_to:
+  roles: [worker]
+  changed: ["*"]
+
+# GATHER — deterministic retention-surface detectors, run first, no LLM. Machine-checkable findings.
+gather:
+  - name: routes
+    cmd: "find {path} -path '*/node_modules' -prune -o -type f \\( -name 'page.tsx' -o -name 'route.ts' -o -name '+page.svelte' \\) -print || true"
+    when: "*"
+  - name: empty-states
+    cmd: "grep -rnE 'isEmpty|hasNoData|emptyState|EmptyState|no items|nothing yet|aucun' {path} || true"
+    when: "*.tsx,*.jsx,*.vue,*.svelte"
+  - name: notification-triggers
+    cmd: "grep -rniE 'resend|sendgrid|onesignal|postmark|trigger\\.dev|sendNotification|sendEmail' {path} || true"
+    when: "*"
+  - name: hooked-mechanisms
+    cmd: "grep -rniE 'streak|achievement|milestone|reward|badge|digest|weekly report' {path} || true"
+    when: "*"
+  - name: invite-share
+    cmd: "grep -rniE 'invite|share|inviteLink|shareUrl|copyLink|referral' {path} || true"
+    when: "*"
+  - name: keyboard-shortcuts
+    cmd: "grep -rniE 'useHotkeys|cmdK|cmd\\+k|ctrl\\+|<kbd' {path} || true"
+    when: "*"
+
+# PHASES — the agentic falsification pass investigates each.
+# Four expert lenses are applied across the phases: Hooked (Eyal), JTBD
+# (Christensen), Power of Moments (Heath), Fogg B=MAT.
+phases:
+  - id: hinge-capability
+    checks: "THE HINGE — identify the ONE experience that must be world-class for users to stay; compare STATED hinge (copy) vs OBSERVED hinge (where code/commits invest); a divergence is the single most damaging retention bug."
+  - id: user-journey
+    checks: "Trace every screen from sign-up to power-user; map transitions, entry and exit conditions; this journey feeds the drop-off forensics."
+  - id: drop-off-forensics
+    checks: "Per screen identify likely churn triggers — unvalidated forms, loaders without progress, blank empty states, blocking modals, auth/pricing walls before perceived value."
+  - id: aha-moment-latency
+    checks: "Identify the moment a new user goes 'now I get it'; how many steps from signup to aha; what blocks the users who never reach it."
+  - id: hooked-loops
+    checks: "Eyal lens — for each retention-driving feature score the 4 elements Trigger/Action/Variable-Reward/Investment; 4/4 strong, <=2/4 no loop."
+  - id: jobs-to-be-done
+    checks: "Christensen lens — per persona surface 3-5 jobs ('When [situation] I want to [job] so I can [outcome]'); does the product serve each job, or does the user hire a competitor/workaround?"
+  - id: personalization-debt
+    checks: "Per screen/feed/list — is order user-specific or global, are recommendations history-based, are defaults adapted (timezone, recently-used); generic feed = anyone could leave."
+  - id: onboarding-completeness
+    checks: "The first 7 days set LTV — welcome/checklist, first-task guidance, teaching empty states, day-1/3/7 nudges, measurable activation criteria; onboarding must DELIVER value not teach the UI."
+  - id: empty-states
+    checks: "Every component that renders with no data must teach + invite + commit (3 elements); a blank rectangle is malpractice; empty-state CTAs must reach value in one step."
+  - id: power-of-moments
+    checks: "Heath lens — audit peaks (amplify), pits (fix/remove), transitions (mark with ceremony), plateaus (interrupt with surprise); 'fine but never memorable' products churn."
+  - id: network-effects
+    checks: "One-click invite of a teammate/friend; does the product get MORE valuable as N users join; public shareable artifacts/embeds; compounding UGC."
+  - id: monetization-hooks
+    checks: "Value-gate placed after aha and before commitment; upgrade trigger contextual (limit reached) not nag-banner; price anchor visible early; clear team-plan path."
+  - id: reactivation-flows
+    checks: "Win-back for dormant users — D3/D7/D14/D30/D90 email cadence, 'what you missed' digest, value-first re-engagement (never dark-pattern FOMO)."
+  - id: discoverability-and-power-user
+    checks: "Are powerful features hidden — command-palette completeness, settings organization, changelog visibility; for the top 1% propose keyboard shortcuts, bulk ops, API/export."
+  - id: prioritized-roadmap
+    checks: "Synthesise all proposals into a RICE-scored list, then Fogg B=MAT (M x A x T) on the top 15; priority = RICE_normalized x (1 + Fogg/27); flag high-RICE/low-Fogg ideas and anti-patterns (vanity hooks, dark patterns, shallow personalization, feature bloat)."
+
+falsification: >
+  The product implicitly claims users will stick — DISPROVE it. Find every reason
+  a smart user would churn after week 1, month 1, month 3. Every claim and every
+  proposed opportunity must cite at least 3 concrete checks with actual output
+  (grep proving a drop-off friction exists, a competitor URL proving a parity gap).
+  "Probably broken" / "competitors all" / "users likely" without evidence is an
+  automatic FAIL of the finding. Engagement is not retention — score every proposal
+  against month-3 retention, not DAU. This audit is READ-ONLY: it proposes and
+  ranks, it never codes — implementation is a separate authorized mission.
+
+fix_loop: false

package/omega/Agentik_SSOT/audits/secaudit.yaml

@@ -0,0 +1,73 @@
+# secaudit — OmegaOS Quality Arsenal definition.
+# Compact + structured: the Gestalt-Popper shell lives in omega_engine.audit_arsenal;
+# this file supplies only the domain — gather tools, phases, falsification rules.
+
+id: secaudit
+domain: security
+question: "Can an attacker make this system work AGAINST its users?"
+weight: 1.0
+threshold: 85
+
+applies_to:
+  roles: [worker]
+  changed: ["*.py", "*.ts", "*.tsx", "*.js", "*.jsx", "*.go", "*.rs", "*.env*", "*.yml", "*.yaml", "Dockerfile", "package.json"]
+
+# GATHER — deterministic security scanners, run first, no LLM.
+gather:
+  - name: gitleaks
+    cmd: "gitleaks detect --source {path} --no-banner --redact -f json --report-path /dev/stdout || true"
+    when: "*"
+  - name: semgrep
+    cmd: "semgrep --config=p/security-audit --config=p/owasp-top-ten --json --quiet {path} || true"
+    when: "*.py,*.ts,*.tsx,*.js,*.jsx,*.go"
+  - name: npm-audit
+    cmd: "npm audit --json --prefix {path} || true"
+    when: "package.json"
+  - name: pip-audit
+    cmd: "pip-audit -f json --progress-spinner off || true"
+    when: "*.py"
+  - name: bandit
+    cmd: "bandit -r {path} -f json -q || true"
+    when: "*.py"
+  - name: trufflehog
+    cmd: "trufflehog filesystem {path} --json --no-update --fail || true"
+    when: "*"
+
+# PHASES — the agentic falsification pass investigates each.
+phases:
+  - id: hinge-auth-boundary
+    checks: "Identify THE auth/authz boundary gating every protected resource; prove it cannot be bypassed by direct URL, HTTP method switch, header injection (X-Forwarded-For, X-Original-URL), path normalisation or case variation."
+  - id: injection
+    checks: "Trace every user input to a SQL/NoSQL query, shell exec, template, LDAP or eval sink — find string-concatenated queries, missing parameterisation, unvalidated $ne/$gt operators, command injection via child_process."
+  - id: xss-output-encoding
+    checks: "Every input reflected or stored that reaches HTML/JS/URL/CSS output — find unescaped sinks: innerHTML, dangerouslySetInnerHTML, document.write, v-html; verify context-correct encoding and CSP without unsafe-inline/unsafe-eval."
+  - id: broken-access-control
+    checks: "IDOR — can user A reach user B's resource by changing an ID? Vertical escalation — can a regular user hit admin routes or self-promote via isAdmin/role params? Sequential IDs, mass assignment, missing per-mutation authz checks."
+  - id: secrets-exposure
+    checks: "Active secrets in repo, git history, CI config, client bundles or NEXT_PUBLIC_ vars; .env actually gitignored; high-entropy strings and known key prefixes (sk_live_, AKIA, AIza, ghp_); measure blast radius of each leaked secret."
+  - id: authn-session-jwt
+    checks: "Password hashing (bcrypt/argon2 cost), reset-token entropy and single-use, account enumeration, MFA bypass; JWT alg:none accepted, alg confusion RS256->HS256, weak secret, missing exp/iss/aud validation, tokens in localStorage/URL."
+  - id: session-cookies-csrf
+    checks: "Session cookies HttpOnly+Secure+SameSite; session rotation on login/privilege change, server-side invalidation on logout; CSRF protection (synchroniser token or SameSite) on every state-changing request."
+  - id: ssrf-open-redirect
+    checks: "User-controlled URLs reaching server-side fetches — can they hit 127.0.0.1, cloud metadata 169.254.169.254, internal services? Redirect params (next, returnUrl, redirect_uri) — protocol-relative // and @-host bypasses enabling phishing/token theft."
+  - id: cors-headers
+    checks: "Access-Control-Allow-Origin not wildcard (especially with credentials) and not blindly reflecting Origin; security headers present — HSTS, CSP, X-Frame-Options/frame-ancestors, X-Content-Type-Options nosniff, Referrer-Policy, Permissions-Policy."
+  - id: input-validation-uploads
+    checks: "Server-side type/length/range/format validation on every endpoint param (schema like Zod/Convex validators); file uploads validate magic bytes not just extension/MIME, store outside web root, block SVG-with-script and path traversal."
+  - id: rate-limit-bruteforce
+    checks: "Login, registration, password-reset and MFA-code endpoints rate-limited with account lockout; limits not bypassable via X-Forwarded-For rotation or endpoint case/method variation; ReDoS and unbounded pagination/batch as DoS vectors."
+  - id: dependency-cve
+    checks: "Critical/high CVEs in dependencies from npm/pip audit — verify the vulnerable code path is actually reachable; lockfile committed with integrity hashes; postinstall scripts, typosquats, missing SRI on CDN scripts."
+  - id: insecure-design-logging
+    checks: "Business-logic flaws (negative price, integer overflow, payment race conditions); insecure deserialization; auth/access failures logged without leaking PII or secrets; stack traces and DB errors not exposed to clients."
+
+falsification: >
+  Do not check that a defense EXISTS — prove it can be BYPASSED. Every PASS must
+  cite >=3 concrete commands run (curl with the attack payload, grep for the sink,
+  the scanner finding) with verbatim output. Categorise each finding as
+  CLAIM-vs-REALITY, CLIENT-vs-SERVER, AUTH-vs-AUTHZ, CONFIG-vs-RUNTIME or
+  FRAMEWORK-vs-APPLICATION. A 401/403 from a probe is evidence of a defense, not
+  a failure to investigate. Bias hard toward FAIL — the attacker needs only one path.
+
+fix_loop: true

package/omega/Agentik_SSOT/audits/seoaudit.yaml

@@ -0,0 +1,75 @@
+# seoaudit — Quality Arsenal definition for OmegaOS.
+# Compact + structured: the Gestalt-Popper shell lives in omega_engine.audit_arsenal;
+# this file supplies only the domain — gather tools, phases, falsification rules.
+
+id: seoaudit
+domain: seo
+question: "Is the site DISCOVERABLE — can search engines crawl, understand, and rank it?"
+weight: 1.0
+threshold: 85
+
+applies_to:
+  roles: [worker]
+  changed: ["*.tsx", "*.jsx", "*.html", "*.astro", "*.vue", "*.svelte", "robots.txt", "sitemap.xml", "next.config.*"]
+
+# GATHER — deterministic SEO-signal detectors, run first, no LLM. Machine-checkable findings.
+gather:
+  - name: robots-sitemap
+    cmd: "ls -1 public/robots.txt public/sitemap.xml app/robots.ts app/sitemap.ts robots.txt sitemap.xml 2>/dev/null || true"
+    when: "*"
+  - name: meta-tags
+    cmd: "grep -rnE '<title>|name=\"description\"|property=\"og:|name=\"twitter:|rel=\"canonical\"|name=\"robots\"' {path} || true"
+    when: "*.tsx,*.jsx,*.html,*.astro,*.vue,*.svelte"
+  - name: schema-markup
+    cmd: "grep -rnE 'application/ld\\+json|schema.org|@type|JsonLd|itemtype' {path} || true"
+    when: "*.tsx,*.jsx,*.html,*.astro"
+  - name: heading-structure
+    cmd: "grep -rcnE '<h1|<h2|<h3' {path} || true"
+    when: "*.tsx,*.jsx,*.html"
+  - name: images-alt
+    cmd: "grep -rnE '<img|<Image' {path} | grep -vE 'alt=' || true"
+    when: "*.tsx,*.jsx,*.html"
+  - name: lighthouse-seo
+    cmd: "npx --no-install lighthouse {url} --only-categories=seo --quiet --chrome-flags='--headless' --output=json 2>/dev/null || true"
+    when: "*"
+
+# PHASES — the agentic falsification pass investigates each.
+phases:
+  - id: crawlability
+    checks: "robots.txt valid with no critical pages blocked; meta robots not accidentally noindex; X-Robots-Tag headers; crawl budget not wasted on filter/search URLs."
+  - id: indexability
+    checks: "THE HINGE — XML sitemap contains only indexable canonical pages; no orphan pages; no index bloat; duplicate content (HTTP/HTTPS, www, trailing slash) collapsed."
+  - id: canonical-tags
+    checks: "Every page has a self-referencing canonical; no canonical to non-existent URLs; no chain canonicals A->B->C; consistent across HTTP/HTTPS and www/non-www."
+  - id: core-web-vitals
+    checks: "THE HINGE — LCP <2.5s, INP <200ms, CLS <0.1 on every template; field (CrUX) data not worse than lab; tested on throttled mobile."
+  - id: schema-markup
+    checks: "Correct Schema.org JSON-LD per page type (Organization/WebSite homepage, Article blog, Product, FAQPage); validates with no missing required properties; matches visible content."
+  - id: meta-tags
+    checks: "Unique title 50-60 chars with keyword near start; unique meta description 150-160 chars; complete Open Graph (og:image 1200x630) and Twitter Card tags."
+  - id: heading-hierarchy
+    checks: "Exactly one H1 per page containing the primary keyword; H2s for sections; no skipped heading levels; headings reflect content hierarchy not styling."
+  - id: js-rendering
+    checks: "View-source vs rendered DOM contain the same content; critical content and meta tags in initial HTML; internal links as <a href> not onClick routers; SSR/SSG for key pages."
+  - id: mobile-friendliness
+    checks: "Responsive design with viewport meta; no horizontal scroll; text >=16px; touch targets >=48px; no mobile/desktop content divergence (mobile-first indexing)."
+  - id: image-and-url-seo
+    checks: "Alt text on every informative image; descriptive file names; WebP/AVIF; lazy-load below fold; short lowercase hyphenated keyword-containing URLs; no session IDs."
+  - id: content-quality-eeat
+    checks: "Experience/Expertise/Authoritativeness/Trust — author credentials visible, topical depth, external citations, HTTPS, privacy policy, unique value over SERP rivals."
+  - id: internal-external-links
+    checks: "Every page within 3 clicks of homepage; descriptive anchor text; breadcrumbs; no broken internal/external links; nofollow on sponsored/untrusted links."
+  - id: redirects-and-errors
+    checks: "No redirect chains or loops; 301 for permanent and 302 only for temporary; custom 404 returning real 404 status (not soft 404); 410 for removed content."
+  - id: geo-aeo
+    checks: "AI-search readiness — question-answer format, machine-parseable lists/tables, cited factual claims, llms.txt, entity optimization, passage-level citability."
+
+falsification: >
+  A green Lighthouse SEO score lies — it passes 14 basic checks and says nothing
+  about indexation, content authority, or competitive position. Every PASS must
+  cite at least 3 concrete checks with actual output (fetch as Googlebot, view-source
+  vs rendered DOM, exact-phrase SERP search). Categorise findings as LAB-vs-FIELD,
+  DESKTOP-vs-MOBILE, CACHED-vs-RENDERED, TODAY-vs-TREND, or TECHNICAL-vs-CONTENT.
+  If Googlebot cannot reach or render a page, it does not exist. Bias toward FAIL.
+
+fix_loop: true