@agentikos/omega-os 0.1.0

package/omega/Agentik_SSOT/audits/apiaudit.yaml

@@ -0,0 +1,71 @@
+# apiaudit — OmegaOS Quality Arsenal definition.
+# Compact + structured: the Gestalt-Popper shell lives in omega_engine.audit_arsenal;
+# this file supplies only the domain — gather tools, phases, falsification rules.
+
+id: apiaudit
+domain: api
+question: "Does the API work CORRECTLY, CONSISTENTLY and SAFELY for every caller?"
+weight: 1.0
+threshold: 85
+
+applies_to:
+  roles: [worker]
+  changed: ["**/api/**", "**/routes/**", "**/resolvers/**", "**/handlers/**", "*.openapi.yaml", "openapi.yaml", "swagger.json", "schema.graphql", "convex/**"]
+
+# GATHER — deterministic API/contract tools, run first, no LLM.
+gather:
+  - name: openapi-validate
+    cmd: "npx --no-install @redocly/cli lint {path} --format json || npx --no-install swagger-cli validate {path} || true"
+    when: "openapi.yaml,*.openapi.yaml,swagger.json"
+  - name: spectral-lint
+    cmd: "npx --no-install spectral lint {path} -f json || true"
+    when: "openapi.yaml,*.openapi.yaml,swagger.json,schema.graphql"
+  - name: route-grep
+    cmd: "grep -rnE \"(app|router)\\.(get|post|put|patch|delete)|export (async )?function (GET|POST|PUT|PATCH|DELETE)|@(app\\.)?(route|get|post)\" {path} || true"
+    when: "*.ts,*.tsx,*.js,*.py,*.go"
+  - name: auth-import-scan
+    cmd: "grep -rnE \"(getAuth|auth\\(\\)|requireAuth|withAuth|verifyToken|ctx\\.auth|passport|clerkMiddleware)\" {path} || true"
+    when: "*.ts,*.tsx,*.js,*.py"
+  - name: tsc
+    cmd: "npx --no-install tsc --noEmit || true"
+    when: "*.ts,*.tsx"
+
+# PHASES — the agentic falsification pass investigates each.
+phases:
+  - id: endpoint-inventory
+    checks: "Enumerate every route with its HTTP method; classify public vs authenticated vs admin; flag debug/test routes live in prod, duplicate routes, and verbs-in-paths breaking REST nouns."
+  - id: hinge-authentication
+    checks: "HINGE — for EVERY endpoint verify auth is enforced BEFORE any data access; send no-token / expired / malformed / other-user's-token; any 200 with data instead of 401/403 is a critical breach. Catch routes accidentally public via missing middleware."
+  - id: hinge-authorization
+    checks: "HINGE — test every endpoint with every role; admin routes reject regular users, user routes reject guests; resource-level ownership enforced (no IDOR); no privilege escalation via body params; field-level authz on sensitive fields; no mass assignment."
+  - id: input-validation
+    checks: "Every parameter on every endpoint — type, boundary (min/max length, range, array size, nesting depth), format (email/url/uuid), enum whitelist; Content-Type matches body; injection chars (SQL, NoSQL $ops, ../, shell) rejected."
+  - id: contract-compliance
+    checks: "Response envelope identical across endpoints (data/errors/meta); ISO-8601 dates; consistent null-vs-missing handling; no breaking changes (field removal, type change, new required field); GraphQL depth/complexity limits, introspection off in prod."
+  - id: status-codes
+    checks: "Correct codes per outcome — 201+Location on create, 204 on delete, 400 validation, 401 unauthenticated, 403 unauthorised, 404 missing, 409 conflict, 422 semantic, 429 rate-limited; never 200 for errors, never 500 for client mistakes."
+  - id: error-format
+    checks: "Every error has status + machine-parseable code + message; validation errors list ALL invalid fields; no stack traces / DB errors / internal paths leaked; no user enumeration (same error for existing vs non-existing); Retry-After on 429."
+  - id: rate-limiting
+    checks: "Global per-IP/user limit plus per-endpoint limits on expensive and auth operations; X-RateLimit-* and Retry-After headers present; tiered fairness for authenticated/paid callers; limits not bypassable via header spoofing."
+  - id: pagination
+    checks: "Every list endpoint paginated with a sane default and enforced max page size; cursor- or offset-based consistently; page metadata (cursor/total/hasNext) returned; empty page returns [] not 404."
+  - id: idempotency
+    checks: "GET/HEAD/OPTIONS truly side-effect free; PUT and DELETE idempotent on repeat; POST supports idempotency keys for money/critical ops; timeout+retry never creates duplicates or corrupts state."
+  - id: n-plus-one-perf
+    checks: "Count DB queries per API call — find N+1 (list endpoint issuing one query per row); dataloader/batching for GraphQL, eager loading for ORM relations; no SELECT *; response times within p95<1s budget."
+  - id: cors-webhooks
+    checks: "CORS Allow-Origin is a specific allowlist (no wildcard with credentials), only needed methods/headers; webhooks verify HMAC signature, enforce HTTPS, include event type + timestamp, retry with backoff."
+  - id: versioning-deprecation
+    checks: "API version communicated consistently; backward compatibility preserved or sunset announced; deprecated endpoints emit Deprecation/Sunset headers, still function during the window, and point callers to the replacement."
+
+falsification: >
+  "It works in Postman" proves nothing — Postman has the token, correct headers
+  and the happy path. Every PASS must cite >=3 concrete requests run (no auth,
+  wrong role, malformed body, boundary value, concurrent calls) with verbatim
+  status + body. Categorise findings as HAPPY-vs-EDGE, ADMIN-vs-USER,
+  SINGLE-vs-CONCURRENT, SPEC-vs-REALITY or POSTMAN-vs-PRODUCTION. A static scan
+  reporting an "unauthenticated endpoint" must be confirmed by reading the
+  handler — auth may live in middleware the scan cannot see. Bias toward FAIL.
+
+fix_loop: true

package/omega/Agentik_SSOT/audits/automationaudit.yaml

@@ -0,0 +1,77 @@
+# automationaudit — OmegaOS Quality Arsenal definition.
+# Compact + structured: the Gestalt-Popper shell lives in omega_engine.audit_arsenal;
+# this file supplies only the domain — gather tools, phases, falsification rules.
+
+id: automationaudit
+domain: automation
+question: "Every cron is a promise, every script a liability, every daemon a lie — do they hold?"
+weight: 1.0
+threshold: 85
+
+applies_to:
+  roles: [worker]
+  changed: ["*.sh", "*.py", "*.service", "*.timer", "Dockerfile", "*.yml", "*.yaml", "crontab", "*cron*"]
+
+# GATHER — deterministic tools, run first, no LLM. Machine-checkable findings.
+gather:
+  - name: shellcheck
+    cmd: "shellcheck -f json {path} 2>/dev/null || true"
+    when: "*.sh"
+  - name: bash-syntax
+    cmd: "bash -n {path} 2>&1 || true"
+    when: "*.sh"
+  - name: crontab-dump
+    cmd: "crontab -l 2>/dev/null || true"
+    when: "*"
+  - name: systemd-timers
+    cmd: "systemctl list-timers --all --no-pager 2>/dev/null || true"
+    when: "*.service,*.timer"
+  - name: secret-scan
+    cmd: "gitleaks detect --no-git --no-banner --report-format json --source {path} 2>/dev/null || grep -rnEi '(api[_-]?key|secret|password|passwd|token)[\"'\\'' ]*[:=][\"'\\'' ]*[A-Za-z0-9/+_-]{12,}' {path} || true"
+    when: "*.sh,*.py,*.yml,*.yaml"
+  - name: silenced-output
+    cmd: "grep -nE '>\\s*/dev/null\\s+2>&1|2>&1\\s*>\\s*/dev/null' {path} || true"
+    when: "*.sh"
+  - name: missing-strict-mode
+    cmd: "for f in {path}; do grep -q 'set -[a-z]*e' \"$f\" 2>/dev/null || echo \"$f: no 'set -e' strict mode\"; done || true"
+    when: "*.sh"
+
+# PHASES — the agentic falsification pass investigates each, domain-specific.
+phases:
+  - id: cron-health
+    checks: "Cron expressions valid; DST/timezone traps; journalctl proves actual run count matches schedule (gaps = silent failures); output captured not '>/dev/null'; overlap-locked; failure alerts wired."
+  - id: script-quality
+    checks: "Shebang correct; 'set -euo pipefail' present; passes shellcheck; variables quoted; 'cd' guarded with '|| exit'; Python venv + imports valid; bare-except swallows nothing."
+  - id: dependency-order
+    checks: "Map the timeline — script B reading A's output must have an EXPLICIT dependency (not 'scheduled 5min later'); pipeline stages gate on SUCCESS not just completion; clock-skew safe."
+  - id: error-recovery
+    checks: "Transient failures retried with bounded exponential backoff; partial failures logged-and-continued not aborted; killed mid-run can resume from checkpoint; timeouts set on curl/ssh; reboot survival."
+  - id: idempotency
+    checks: "Running twice produces no duplicates / double notifications / lock-collision crash; catch-up after downtime is safe (24 missed runs ≠ 24 simultaneous API calls); INSERT vs UPSERT correct."
+  - id: logging-monitoring
+    checks: "Every automation writes a timestamped structured log; log rotation configured (no unbounded disk bomb); failure escalates log→monitor→alert→human; dead-man's-switch alerts on non-execution."
+  - id: secret-exposure
+    checks: "No hardcoded keys/passwords/connection-strings in scripts; gitleaks clean on history; secrets not echoed in logs or 'set -x' traces; .env files chmod 600 and gitignored; rotation plan exists."
+  - id: daemon-health
+    checks: "Daemon actually running and systemd-enabled; CPU/RSS/FD not leaking; output/heartbeat fresh; Restart=on-failure policy; SIGTERM flushes buffers and releases locks; no OOM-kill history."
+  - id: race-conditions
+    checks: "Automations sharing files/APIs/tables/repos are flock-protected; atomic write (.tmp then mv); concurrent git access locked; API schedules staggered to avoid combined rate-limit breach."
+  - id: dead-automations
+    checks: "Cron entries point to existing scripts; no scripts that never ran (no log, stale mtime); commented-out crons explained; no orphaned log files; no deprecated automation still running alongside its replacement."
+  - id: dispatch-chains
+    checks: "Every dispatch chain (trigger→worker→completion) verifies completion via done-signal/exit-code; failure propagates not fire-and-forget; backpressure caps concurrency; orphaned workers detected."
+  - id: failure-cascade
+    checks: "Build the dependency graph; identify SPOFs and blast radius; disk-full/network-down/token-expired common failure modes; circuit breakers back off instead of hammering; global freeze switch exists."
+  - id: lock-management
+    checks: "Lock files have a max-age/staleness check (PID alive via 'kill -0'); cleanup trap on EXIT and crash; reboot clears stale locks; granularity avoids deadlock between mutually-waiting scripts."
+  - id: backup-portability
+    checks: "Backups exist, offsite, integrity-verified, restore actually tested with documented RTO/RPO; scripts use full tool paths (cron's minimal PATH); correct shebang vs syntax; tool availability checked."
+
+falsification: >
+  Every automation lies — the cron says "every 5min" (prove it with journalctl), the log
+  says "completed successfully" (prove the output file is stale/empty), the daemon "is alive"
+  (prove the heartbeat is stale). Exit code 0 is NOT success. Categorise findings as
+  SCHEDULE-vs-REALITY, LOG-vs-TRUTH, DEPENDENCY-vs-ORDER, IDEMPOTENT-vs-DESTRUCTIVE,
+  ALIVE-vs-ZOMBIE, or SECRET-vs-EXPOSED. Every PASS cites ≥3 concrete commands with output.
+
+fix_loop: true

package/omega/Agentik_SSOT/audits/codeaudit.yaml

@@ -0,0 +1,63 @@
+# codeaudit — the reference Quality Arsenal definition for OmegaOS.
+# Compact + structured: the Gestalt-Popper shell lives in omega_engine.audit_arsenal;
+# this file supplies only the domain — gather tools, phases, falsification rules.
+
+id: codeaudit
+domain: code
+question: "Is the code SOLID — does every claim the code makes hold at runtime?"
+weight: 1.0
+threshold: 85
+
+applies_to:
+  roles: [worker]
+  changed: ["*.py", "*.ts", "*.tsx", "*.js", "*.jsx", "*.go", "*.rs"]
+
+# GATHER — deterministic tools, run first, no LLM. Machine-checkable findings.
+gather:
+  - name: ruff
+    cmd: "ruff check --output-format=json {path} || true"
+    when: "*.py"
+  - name: py-compile
+    cmd: "python3 -m compileall -q {path} || true"
+    when: "*.py"
+  - name: eslint
+    cmd: "npx --no-install eslint -f json {path} || true"
+    when: "*.ts,*.tsx,*.js,*.jsx"
+  - name: tsc
+    cmd: "npx --no-install tsc --noEmit || true"
+    when: "*.ts,*.tsx"
+
+# PHASES — the agentic falsification pass investigates each.
+phases:
+  - id: phantoms
+    checks: "Dead code, unreachable branches, unused exports, orphan files, commented-out blocks."
+  - id: contracts
+    checks: "Names vs behaviour — does `validate` validate? does `save` persist? does `delete` remove?"
+  - id: data-flow
+    checks: "Trace every external input to its sink — find untrusted data reaching a query, shell, path or render unguarded."
+  - id: state-mutation
+    checks: "Shared mutable state, hidden globals, mutation through aliases, unenforced ordering assumptions."
+  - id: concurrency
+    checks: "Races, missing locks/awaits, parent finishing before children, double-execution, lost updates."
+  - id: error-propagation
+    checks: "Swallowed exceptions, errors logged but not handled, failure paths that silently succeed."
+  - id: blast-radius
+    checks: "If this module breaks, what else dies? Identify the hinge point; prove its defenses exist."
+  - id: time-bombs
+    checks: "Hardcoded dates, expiring tokens, size limits, retry loops with no ceiling, resources never released."
+  - id: contract-vs-type
+    checks: "Type annotations vs runtime reality — a `str` param that receives `None`; a return shape the type denies."
+  - id: feature-verification
+    checks: "Does the feature the code claims actually work end to end, or is it a stub wired to nothing?"
+  - id: test-coverage
+    checks: "Are failure modes tested, or only the happy path? Do tests assert behaviour or merely run it?"
+  - id: resilience
+    checks: "Behaviour under bad input, network failure, empty data, concurrent callers — what breaks first?"
+
+falsification: >
+  Every PASS must cite at least 3 concrete checks with their actual output.
+  Categorise every finding as CLAIM-vs-REALITY, PROMISE-vs-DELIVERY, or
+  CONTRACT-vs-BEHAVIOUR. Bias toward FAIL — a 100 is earned by finding zero
+  falsifiable claims, never assumed.
+
+fix_loop: true

package/omega/Agentik_SSOT/audits/copyaudit.yaml

@@ -0,0 +1,68 @@
+# copyaudit — Quality Arsenal definition for OmegaOS.
+# Compact + structured: the Gestalt-Popper shell lives in omega_engine.audit_arsenal;
+# this file supplies only the domain — gather tools, phases, falsification rules.
+
+id: copyaudit
+domain: copy
+question: "Is the copy CLEAR — does every word earn its place and every claim hold?"
+weight: 1.0
+threshold: 85
+
+applies_to:
+  roles: [worker]
+  changed: ["*.tsx", "*.jsx", "*.html", "*.md", "*.mdx", "*.json"]
+
+# GATHER — deterministic copy detectors, run first, no LLM. Machine-checkable findings.
+gather:
+  - name: hardcoded-strings
+    cmd: "grep -rnE '>[A-Z][a-z]+[ A-Za-z]{6,}<|placeholder=\"[A-Z]' {path} || true"
+    when: "*.tsx,*.jsx"
+  - name: i18n-wrappers
+    cmd: "grep -rnE 't\\(|i18n|<Trans|useTranslation|__\\(' {path} || true"
+    when: "*.tsx,*.jsx,*.ts,*.js"
+  - name: banned-marketing-phrases
+    cmd: "grep -rniE 'something went wrong|click here|learn more|cutting-edge|revolutionary|blazing fast|world.?class|game.?changer' {path} || true"
+    when: "*"
+  - name: generic-cta-labels
+    cmd: "grep -rnE '>(Submit|Click here|Learn more|Get Started|Continue|OK)<' {path} || true"
+    when: "*.tsx,*.jsx,*.html"
+
+# PHASES — the agentic falsification pass investigates each.
+phases:
+  - id: headline-clarity
+    checks: "The 5-second test on every H1 — can a stranger answer what/who/why in 5 seconds? No 'Welcome to' or 'About Us' as H1."
+  - id: value-proposition
+    checks: "Is the value prop stated, consistent across pages, differentiated, and ACTUALLY deliverable in a new user's first session?"
+  - id: claim-verification
+    checks: "THE HINGE — every factual/subjective/social-proof/comparison claim falsified; PROMISE-vs-REALITY. 'fast' must be fast, 'secure' must have security."
+  - id: cta-effectiveness
+    checks: "Action+benefit labels not 'Submit'; CTA destination matches the label ('Get Started' goes to getting started, not pricing); one primary CTA per section."
+  - id: tone-consistency
+    checks: "One brand voice across marketing, product, errors, email — no 'fun and casual' marketing with 'cold and corporate' product copy."
+  - id: technical-accuracy
+    checks: "Every described feature exists and behaves as described; screenshots show current UI; comparison tables fair and current."
+  - id: grammar-spelling
+    checks: "Zero typos and grammatical errors in user-facing copy; consistent punctuation, capitalization, number and date formats; product name spelled correctly."
+  - id: reading-level
+    checks: "Flesch-Kincaid grade <=8 marketing / <=10 product; sentences <20 words; active voice; jargon simplified or explained; acronyms expanded on first use."
+  - id: microcopy
+    checks: "Button labels describe their action; error messages say what went wrong AND how to fix it; empty states teach; success states confirm and suggest next step."
+  - id: social-proof
+    checks: "Testimonials from real identifiable people; user counts and ratings accurate and current; 'as seen in' logos correspond to actual coverage."
+  - id: legal-compliance
+    checks: "Required disclaimers (pricing taxes/billing, trial auto-renewal); no deceptive dark patterns in copy; no false competitor claims; unsubscribe instructions clear."
+  - id: copy-accessibility
+    checks: "Link text makes sense out of context; inclusive non-ableist gender-neutral language; instructions simple and direct; diverse names in examples."
+  - id: brand-voice
+    checks: "Voice recognizable without seeing the brand, appropriate for the audience, never sacrificing clarity for personality."
+  - id: i18n-readiness
+    checks: "User-facing strings extractable via t()/_()/<Trans> when the project has i18n infrastructure; hardcoded English strings flagged."
+
+falsification: >
+  Every claim is a hypothesis — attempt to disprove it. Every PASS must cite at
+  least 3 concrete checks with actual output. Categorise findings as
+  PROMISE-vs-REALITY, CLARITY-vs-CONFUSION, TONE-vs-AUDIENCE, CLAIM-vs-EVIDENCE,
+  or CTA-vs-ACTION. "Nobody reads the copy" is never the user's fault — it means
+  the copy failed. Bias toward FAIL — a claim without evidence is a lie until proven.
+
+fix_loop: true

package/omega/Agentik_SSOT/audits/dataaudit.yaml

@@ -0,0 +1,76 @@
+# dataaudit — OmegaOS Quality Arsenal definition.
+# Compact + structured: the Gestalt-Popper shell lives in omega_engine.audit_arsenal;
+# this file supplies only the domain — gather tools, phases, falsification rules.
+# DESTRUCTIVE-AWARE: any fix that mutates data must snapshot/backup first.
+
+id: dataaudit
+domain: data
+question: "Is the data TRUTHFUL — every reference valid, every type correct, every transaction whole?"
+weight: 1.0
+threshold: 85
+
+applies_to:
+  roles: [worker]
+  changed: ["**/schema.ts", "**/schema.prisma", "prisma/**", "**/migrations/**", "*.sql", "**/db/**", "convex/schema.ts", "**/models/**"]
+
+# GATHER — deterministic schema/migration tools, run first, no LLM.
+gather:
+  - name: prisma-validate
+    cmd: "npx --no-install prisma validate --schema {path} || true"
+    when: "schema.prisma,**/schema.prisma"
+  - name: drizzle-check
+    cmd: "npx --no-install drizzle-kit check || true"
+    when: "**/db/**,drizzle.config.ts"
+  - name: convex-schema-check
+    cmd: "npx --no-install convex dev --once --skip-push || true"
+    when: "convex/schema.ts"
+  - name: sql-ddl-scan
+    cmd: "grep -rncE \"CREATE TABLE|CREATE INDEX|FOREIGN KEY|REFERENCES|NOT NULL|ON DELETE\" {path} || true"
+    when: "*.sql"
+  - name: migration-inventory
+    cmd: "ls -la {path} 2>/dev/null || true"
+    when: "**/migrations/**"
+  - name: sqlite-integrity
+    cmd: "for f in $(find {path} -name '*.db' -o -name '*.sqlite' 2>/dev/null); do sqlite3 \"$f\" 'PRAGMA integrity_check; PRAGMA foreign_key_check;'; done || true"
+    when: "*"
+
+# PHASES — the agentic falsification pass investigates each.
+phases:
+  - id: schema-validation
+    checks: "Schema definitions match the TypeScript/Python types and the columns the code references; NOT NULL / UNIQUE / CHECK / DEFAULT constraints present where business logic demands; consistent naming; enums in schema match enums in code."
+  - id: migration-status
+    checks: "All migrations applied in order, none pending/failed/stuck; new columns backfilled for existing rows; renamed columns migrated; destructive migrations have a rollback path and were batched for large tables."
+  - id: hinge-orphaned-records
+    checks: "HINGE — for every foreign key/reference run the LEFT JOIN where the referenced row is NULL; count orphans, date when they appeared, find root cause (missing cascade, race, bug); include file/storage refs pointing to nothing and soft-delete orphans."
+  - id: hinge-referential-integrity
+    checks: "HINGE — FK constraints enforced at DB level not just app; cross-table aggregates match details (order_total = SUM(items)); temporal sanity (created_at <= updated_at, child not before parent); every business invariant holds in actual data."
+  - id: type-safety
+    checks: "Runtime values match declared types — string columns holding JSON/numbers, number columns holding strings, booleans as 0/1, dates as strings; Convex v.* validators and v.optional() match reality; coercion risks (string sort on numeric column)."
+  - id: null-handling
+    checks: "Null percentage per column; required fields containing nulls; nullable fields that should be required; consistent null semantics (not-set vs N/A vs unknown); empty-string-vs-null and 0-vs-null picked consistently; null behaviour in aggregates and joins."
+  - id: data-consistency
+    checks: "Denormalised/cached values match source of truth (full_name vs first+last, post_count vs COUNT); cross-service data matches (auth provider, payment provider, search index); enum values current, no deprecated values lingering; format consistency."
+  - id: duplicate-detection
+    checks: "Exact duplicates (same entity, different IDs), near-duplicates (casing/formatting differences in email/phone); unique indexes on natural keys; idempotency keys on writes; a defined merge strategy when duplicates exist."
+  - id: cascade-behavior
+    checks: "Parent deletion cascades correctly without creating orphans and without cascading too broadly; status/key changes propagate; RESTRICT/SET NULL/SET DEFAULT chosen deliberately per relationship; soft-delete cascade respected."
+  - id: transaction-integrity
+    checks: "Multi-step operations (payment+order, user+profile) wrapped in transactions; optimistic locking prevents lost updates; counter increments and inventory decrements atomic; failed transactions fully rolled back; webhook/import handlers idempotent."
+  - id: index-and-query
+    checks: "Columns in WHERE/JOIN/ORDER BY and all FK columns indexed; no unused or duplicate indexes; composite index column order matches query patterns; full table scans and N+1 query patterns identified."
+  - id: pii-lifecycle-backup
+    checks: "Inventory every PII column; PII encrypted at rest and masked in non-prod, not leaking into logs/errors/search indexes; TTL on sessions/tokens/logs; retention policy and GDPR right-to-deletion implemented; automated backups exist and a restore was actually tested."
+  - id: seed-data-separation
+    checks: "No seed/test data in production (test@example.com accounts, Lorem ipsum, default passwords); production data absent from dev DBs or anonymised; no production credentials in test fixtures."
+
+falsification: >
+  "No errors in production" means nobody counted. Every PASS must cite >=3
+  concrete queries run (the orphan LEFT JOIN with row count, the invariant
+  check, the type cast attempt) with verbatim output — never assume integrity.
+  Categorise findings as SCHEMA-vs-REALITY, REFERENCE-vs-EXISTENCE,
+  TYPE-vs-VALUE, MIGRATION-vs-STATE or DEV-vs-PROD. A reported orphan must be
+  verified: confirm the FK was meant to cascade or that an actual user action
+  deleted the parent. Any data-mutating fix MUST snapshot the DB first; restore
+  on any post-fix check failure. Bias toward FAIL — data loss is permanent.
+
+fix_loop: true

package/omega/Agentik_SSOT/audits/debugaudit.yaml

@@ -0,0 +1,75 @@
+# debugaudit — OmegaOS Quality Arsenal definition.
+# Compact + structured: the Gestalt-Popper shell lives in omega_engine.audit_arsenal;
+# this file supplies only the domain — gather tools, phases, falsification rules.
+
+id: debugaudit
+domain: runtime
+question: "What is already BROKEN right now — and nobody noticed because it failed silently?"
+weight: 1.0
+threshold: 85
+
+# Runtime bugs can hide behind any change — always run this audit.
+applies_to:
+  roles: [worker]
+  changed: ["*"]
+
+# GATHER — deterministic tools, run first, no LLM. Machine-checkable findings.
+gather:
+  - name: tsc
+    cmd: "npx --no-install tsc --noEmit 2>&1 || true"
+    when: "*.ts,*.tsx"
+  - name: build
+    cmd: "npm run build 2>&1 | tail -60 || true"
+    when: "*.ts,*.tsx,*.js,*.jsx"
+  - name: py-syntax
+    cmd: "python3 -m compileall -q {path} 2>&1 || true"
+    when: "*.py"
+  - name: dep-vulns
+    cmd: "npm audit --json 2>/dev/null || true"
+    when: "package.json,*.ts,*.tsx,*.js,*.jsx"
+  - name: env-placeholders
+    cmd: "grep -rnEi '(TODO|change-?me|xxx+|your-?key-?here|placeholder)' .env .env.local .env.production 2>/dev/null || true"
+    when: "*"
+  - name: swallowed-errors
+    cmd: "grep -rnE 'catch *\\([a-zA-Z_]*\\) *\\{ *\\}|\\.catch\\(\\(\\) *=> *(null|undefined|\\{\\}|\\[\\])\\)' --include='*.ts' --include='*.tsx' --include='*.js' --include='*.jsx' {path} || true"
+    when: "*.ts,*.tsx,*.js,*.jsx"
+
+# PHASES — the agentic falsification pass investigates each, domain-specific.
+phases:
+  - id: console-errors
+    checks: "Load every page; capture console errors, warnings, unhandled rejections, framework errors (hydration, key warnings); separate load-time from interaction-time failures."
+  - id: network-failures
+    checks: "Capture all requests; flag 4xx/5xx, requests >3s, hung requests, duplicate fetches, CORS errors, mixed content, expected API calls that never fire."
+  - id: visual-regressions
+    checks: "Screenshot each page; detect horizontal overflow, overlapping elements, cut-off text, broken images, stuck loading states, misaligned/off-grid elements, FOUC."
+  - id: responsive-breakage
+    checks: "Test 320/375/768/1024/1440/1920; flag horizontal overflow, touch targets <44px, unreadable text, broken hamburger nav, modals overflowing the viewport."
+  - id: dead-features
+    checks: "Click every button/link — does the expected thing happen with feedback? Forms submit, validate, reset; nav links lead somewhere; no handlers wired to nothing."
+  - id: state-corruption
+    checks: "Create/update then refresh — does data persist? Two tabs stay consistent? Optimistic updates actually committed and reverted on failure? Sessions survive reload."
+  - id: race-conditions
+    checks: "Double-click submit/delete; rapid navigation; concurrent edits in two tabs; interrupt async ops mid-flight — find duplicate creation, stale data, orphan state."
+  - id: security-injection
+    checks: "XSS payloads in every input/param/hash (script, img onerror, template {{7*7}}); SQL/NoSQL injection in filters; IDOR via predictable IDs; CSRF token presence; open redirects."
+  - id: auth-bypass
+    checks: "Protected routes redirect unauthenticated; expired/tampered tokens rejected; role escalation blocked at API not just UI; sessions rotate on login and die on logout."
+  - id: api-contract-drift
+    checks: "Frontend types vs actual response shape; null/undefined/missing-field inconsistency; error format consistency across endpoints; HTTP status correctness (200-on-error is a lie)."
+  - id: data-integrity
+    checks: "Roundtrip: create then read back — special chars, unicode, numbers preserved exactly? Delete-parent cascade behaviour; created items immediately searchable."
+  - id: error-handling
+    checks: "Kill an API mid-request, return malformed JSON, force 500 — does the app degrade gracefully or white-screen? Error boundaries show recoverable messages? Offline handled?"
+  - id: log-forensics
+    checks: "Read the last 1000 log lines; repeated identical errors = systemic; retry storms; OOM/connection-pool warnings; verify logger level is INFO+ (WARNING-only = 80% blind)."
+  - id: chaos-edge-cases
+    checks: "Max file upload, 10k-char input, 1000 items; throttled 3G; empty strings and NULL in every field; epoch/far-future dates; 0.00 and MAX currency values — what crashes?"
+
+falsification: >
+  The system lies — "no console errors" means errors are swallowed, "all green" means
+  monitoring missed the silent failure. Categorise findings as HEALTH-vs-REALITY,
+  LOG-vs-TRUTH, UI-vs-DATA, RESPONSE-vs-EXPECTATION, or SPEED-vs-ACCEPTABLE. For every
+  "healthy" claim construct a falsification test that COULD fail; if it cannot fail it is
+  useless. Bias toward finding the silent failure — loud failures were already caught.
+
+fix_loop: true

package/omega/Agentik_SSOT/audits/dxaudit.yaml

@@ -0,0 +1,78 @@
+# dxaudit — Quality Arsenal definition for OmegaOS.
+# Compact + structured: the Gestalt-Popper shell lives in omega_engine.audit_arsenal;
+# this file supplies only the domain — gather tools, phases, falsification rules.
+
+id: dxaudit
+domain: dx
+question: "Is the DX SMOOTH — can a new developer go from git clone to first contribution within a day?"
+weight: 1.0
+threshold: 85
+
+applies_to:
+  roles: [worker]
+  changed: ["*"]
+
+# GATHER — deterministic DX-surface detectors, run first, no LLM. Machine-checkable findings.
+gather:
+  - name: readme-present
+    cmd: "ls -1 README.md README.rst readme.md 2>/dev/null && wc -l README.md 2>/dev/null || true"
+    when: "*"
+  - name: dx-docs
+    cmd: "ls -1 CONTRIBUTING.md CHANGELOG.md SECURITY.md CODE_OF_CONDUCT.md .env.example .env.template .editorconfig 2>/dev/null || true"
+    when: "*"
+  - name: tsconfig-strict
+    cmd: "grep -nE 'strict|noImplicitAny|strictNullChecks|noUncheckedIndexedAccess' tsconfig.json 2>/dev/null || true"
+    when: "*.ts,*.tsx"
+  - name: type-escape-hatches
+    cmd: "grep -rnE ': any\\b|@ts-ignore|@ts-nocheck|# type: ignore' {path} || true"
+    when: "*.ts,*.tsx,*.py"
+  - name: ci-config
+    cmd: "ls -1 .github/workflows/ .gitlab-ci.yml .circleci/ 2>/dev/null || true"
+    when: "*"
+  - name: lockfile-and-hooks
+    cmd: "ls -1 package-lock.json pnpm-lock.yaml bun.lockb yarn.lock poetry.lock .husky/ .pre-commit-config.yaml 2>/dev/null || true"
+    when: "*"
+  - name: dep-audit
+    cmd: "npm audit --json 2>/dev/null || true"
+    when: "*.ts,*.tsx,*.js,*.jsx"
+
+# PHASES — the agentic falsification pass investigates each.
+phases:
+  - id: readme-quality
+    checks: "THE HINGE — README has description, prerequisites, copy-pasteable install/run, env vars, architecture, troubleshooting; can a dev reach a running app in <10 min?"
+  - id: setup-complexity
+    checks: "THE HINGE — count manual steps from clone to running (target <5); .env.example exists with every var documented; Docker Compose for local services; one-command setup."
+  - id: error-messages
+    checks: "Build/runtime errors give actionable guidance — name the missing var/service/dependency and how to fix it, not 'ENOENT' or a raw stack trace."
+  - id: typescript-strictness
+    checks: "tsconfig strict:true (or mypy/clippy strict); no widespread 'any'; no @ts-ignore without a comment; explicit return types on exported functions."
+  - id: code-documentation
+    checks: "Exported functions have JSDoc/docstrings with params and returns; architecture documented; 'why' comments on non-obvious logic; docs match current code."
+  - id: testing-infrastructure
+    checks: "Test runner works with one command; coverage reported; tests deterministic, fast (<5min), independent; watch mode and single-test runnable."
+  - id: ci-cd-pipeline
+    checks: "All PRs run CI (lint+typecheck+test+build); CI <10min; CD automated on merge; main branch protected; no flaky CI."
+  - id: dependency-management
+    checks: "Lock file committed; no critical vulnerabilities; no abandoned deps (last release >2y); Renovate/Dependabot configured; pinning strategy defined."
+  - id: dev-tooling
+    checks: "Linter and formatter configured and run automatically; pre-commit hooks fast (<10s); .editorconfig present; recommended editor extensions documented."
+  - id: environment-parity
+    checks: "Dev/staging/prod differences documented; same runtime and DB versions; no hardcoded URLs/ports/credentials; config validated on startup (fail fast)."
+  - id: debug-tooling
+    checks: "Structured logging with levels; debugger config (launch.json) checked in; source maps work; DB queries and API requests visible in dev."
+  - id: monorepo-structure
+    checks: "Workspace config if monorepo with clear package boundaries and build cache; logical feature-organized directory structure; no circular deps; no utils dumping ground."
+  - id: migration-changelog
+    checks: "Major-version upgrade guides with breaking changes and fixes; CHANGELOG maintained in Keep-a-Changelog format; reversible versioned DB migrations."
+  - id: contribution-guide
+    checks: "CONTRIBUTING.md with bug/feature/PR process, branch and commit conventions; 'good first issue' path; architecture overview for newcomers."
+
+falsification: >
+  The README lies until proven true — follow every setup instruction LITERALLY
+  on a fresh clone; any step that fails, is unclear, or is missing means the
+  README failed. Every PASS must cite at least 3 concrete checks with actual
+  output. Categorise findings as README-vs-REALITY, LOCAL-vs-CI, FIRST-vs-REPEAT,
+  HAPPY-vs-ERROR, or EXPERT-vs-NEWCOMER. "Ask in Slack" is not documentation —
+  if knowledge is not in the repo it does not exist. Bias toward FAIL.
+
+fix_loop: true

package/omega/Agentik_SSOT/audits/featureaudit.yaml

@@ -0,0 +1,73 @@
+# featureaudit — Quality Arsenal definition for OmegaOS.
+# Compact + structured: the Gestalt-Popper shell lives in omega_engine.audit_arsenal;
+# this file supplies only the domain — gather tools, phases, falsification rules.
+
+id: featureaudit
+domain: features
+question: "Is the product COMPLETE — does everything that SHOULD exist actually exist and run deep?"
+weight: 1.0
+threshold: 85
+
+applies_to:
+  roles: [worker]
+  changed: ["*"]
+
+# GATHER — deterministic stub/gap detectors, run first, no LLM. Machine-checkable findings.
+gather:
+  - name: stub-markers
+    cmd: "grep -rnE 'coming soon|not implemented|not yet|placeholder|TODO|FIXME|XXX|HACK|WIP' {path} || true"
+    when: "*"
+  - name: noop-handlers
+    cmd: "grep -rnE 'on[A-Z][A-Za-z]+=\\{?\\(\\s*\\)\\s*=>\\s*\\{?\\s*\\}|return null|return NextResponse.json\\(\\{\\}\\)|return new Response\\(\\)' {path} || true"
+    when: "*.tsx,*.jsx,*.ts,*.js"
+  - name: mock-data
+    cmd: "grep -rnE 'mockData|fakeData|dummyData|MOCK_|FAKE_|TEST_DATA|lorem ipsum|hardcoded' {path} || true"
+    when: "*"
+  - name: feature-flags
+    cmd: "grep -rnE 'featureFlag|FEATURE_|isEnabled|flags\\.' {path} || true"
+    when: "*.ts,*.tsx,*.js,*.jsx,*.py"
+  - name: prd-sources
+    cmd: "ls -1 VISION.md PRD.md docs/PRD.md docs/prd.md README.md 2>/dev/null || true"
+    when: "*"
+
+# PHASES — the agentic falsification pass investigates each.
+phases:
+  - id: hinge-capability
+    checks: "Identify the ONE capability this product must do better than anything else; is it implemented end-to-end and deep, or shallow?"
+  - id: prd-compliance
+    checks: "For every feature promised in PRD/VISION/README, find a code trace; PROMISED-vs-BUILT — does it work AS described, not a different interpretation?"
+  - id: empty-implementation
+    checks: "Stub routes, no-op handlers, buttons that do nothing, handlers returning success but persisting nothing — visible but non-functional."
+  - id: feature-depth
+    checks: "For each feature score depth: happy path, edge cases, error handling, configuration, integration — SHALLOW-vs-DEEP."
+  - id: edge-case-coverage
+    checks: "The Universal 10 per feature — zero/one/many/overflow states, special chars, long text, concurrent, mobile, offline; does each non-happy input survive?"
+  - id: partial-crud
+    checks: "For each entity, do all of Create/Read/Update/Delete exist? Partial CRUD, partial export/import, partial search are LABELED-vs-CAPABLE gaps."
+  - id: competitive-parity
+    checks: "Table-stakes features all competitors have but this product lacks; differentiators hidden from the UI — MARKETED-vs-DELIVERED."
+  - id: discoverability
+    checks: "Clicks from main page to each feature, primary-nav presence, search/command-palette access, onboarding mention — a feature nobody finds is unused."
+  - id: feature-coherence
+    checks: "Do features share data and patterns, or are they silos with duplicate data entry and inconsistent interactions?"
+  - id: api-surface
+    checks: "CRUD coverage, query/filter/sort capability, bulk ops, webhook/event emission — if it is not in the API it does not exist for power users."
+  - id: permission-matrix
+    checks: "For every entity x operation x role, is access enforced? Missing permission checks, over-permissive defaults, missing role tiers."
+  - id: data-model-gaps
+    checks: "Schema gaps — missing tenancy field, audit trail, soft-delete, version field, indexes on filtered columns."
+  - id: scaling-readiness
+    checks: "Features that work now but break at 10x — unpaginated lists, full-table scans, sync ops that should be async, no rate limiting."
+  - id: feature-entropy
+    checks: "Terminology drift, verb drift, inconsistent confirm/save patterns, mixed modal/drawer/route for the same flow."
+
+falsification: >
+  The product claims to be ready/launched/v1 — DISPROVE it. Every PASS must
+  cite at least 3 concrete checks with actual output (route renders non-placeholder
+  content, handler persists to real backend, sub-requirements have code branches).
+  Categorise findings as PROMISED-vs-BUILT, VISIBLE-vs-FUNCTIONAL, SHALLOW-vs-DEEP,
+  or LABELED-vs-CAPABLE. TODO comments, "coming soon" strings, permanently-off flags,
+  and routes returning 404/501 are NOT evidence of a feature. Bias toward FAIL —
+  the product is incomplete until proven complete.
+
+fix_loop: true