@agentikos/omega-os 0.19.42 → 0.19.44

package/bootstrap/lib/common.sh

@@ -37,8 +37,14 @@ detect_os() {
     *)      die "unsupported OS: $(uname -s)" ;;
   esac
   if [ "$OMEGA_OS" = "linux" ]; then
+    # Order matters: prefer the manager actually managing the distro.
+    # apt (Debian/Ubuntu) → dnf (RHEL/Fedora) → pacman (Arch/Manjaro)
+    # → apk (Alpine) → zypper (openSUSE/SLES) → unknown.
     if   have apt-get; then OMEGA_PKG="apt"
     elif have dnf;     then OMEGA_PKG="dnf"
+    elif have pacman;  then OMEGA_PKG="pacman"
+    elif have apk;     then OMEGA_PKG="apk"
+    elif have zypper;  then OMEGA_PKG="zypper"
     else                    OMEGA_PKG="unknown"; fi
   else
     OMEGA_PKG="brew"
@@ -89,7 +95,25 @@ record_state_version() {
 # card prints normally.
 run_step() {
   local name="$1" fn="$2"
-  if step_done "$name" && [ "${FORCE:-0}" != "1" ]; then
+  # v0.19.44 — code-deploy steps NEVER skip when the bundled version
+  # differs from the installed version, even if state file marks done.
+  # Without this, a stale `.install-state` entry blocks step_structure
+  # from refreshing cli.py — the bug the user hit on v0.19.43.
+  local _force_step=0
+  case "$name" in
+    *structure*|*aisb-suite*|*audit-skills*|*engine*|*personas*)
+      local _installed_v=""
+      [ -f "$OMEGA_HOME/Agentik_SSOT/VERSION" ] \
+        && _installed_v="$(cat "$OMEGA_HOME/Agentik_SSOT/VERSION" 2>/dev/null || echo '')"
+      if [ -n "$_installed_v" ] \
+          && [ "$_installed_v" != "${OMEGA_BUNDLED_VERSION:-}" ]; then
+        _force_step=1
+      fi
+      ;;
+  esac
+  if step_done "$name" \
+      && [ "${FORCE:-0}" != "1" ] \
+      && [ "$_force_step" != "1" ]; then
     if [ "${INSTALL_FULL:-0}" = "1" ]; then
       _full_progress "$name" "skip"
       return 0
@@ -97,6 +121,9 @@ run_step() {
     log "${C_DIM}-- skip $name (already done)${C_RST}"
     return 0
   fi
+  if [ "$_force_step" = "1" ]; then
+    log "${C_YELLOW}!${C_RST} force-rerun $name (installed v${_installed_v} ≠ bundled v${OMEGA_BUNDLED_VERSION:-?})"
+  fi
 
   if [ "${INSTALL_FULL:-0}" = "1" ]; then
     # Redirect step output to the log; only the progress bar stays on screen.
@@ -423,14 +450,17 @@ omega_version() {
 install_banner() {
   local v; v="$(omega_version)"
   printf '\n'
-  printf '%s  ▄██████▄   ▄▄▄▄███▄▄▄▄      ▄████████    ▄██████▄     ▄████████%s\n' "$C_ORANGE" "$C_RST"
-  printf '%s ███    ███ ▄██▀▀▀███▀▀▀██▄   ███    ███   ███    ███   ███    ███%s\n' "$C_ORANGE" "$C_RST"
-  printf '%s ███    ███ ███   ███   ███   ███    █▀    ███          ███    ███%s\n' "$C_ORANGE" "$C_RST"
-  printf '%s ███    ███ ███   ███   ███  ▄███▄▄▄      ▄███         ▄███▄▄▄▄██▀%s\n' "$C_ORANGE" "$C_RST"
-  printf '%s ███    ███ ███   ███   ███ ▀▀███▀▀▀     ▀▀███ ████▄  ▀▀███▀▀▀▀▀  %s\n' "$C_ORANGE" "$C_RST"
-  printf '%s ███    ███ ███   ███   ███   ███    █▄    ███    ███ ▀███████████%s\n' "$C_ORANGE" "$C_RST"
-  printf '%s ███    ███ ███   ███   ███   ███    ███   ███    ███   ███    ███%s\n' "$C_ORANGE" "$C_RST"
-  printf '%s  ▀██████▀   ▀█   ███   █▀    ██████████    ▀██████▀    ███    ███%s\n' "$C_ORANGE" "$C_RST"
+  # v0.19.44 — clean blocky A consistent with O/M/E/G shapes. The old A
+  # used half-diagonal characters (▄███▄▄▄▄██▀ / ▀▀███▀▀▀▀▀ / ▀███████████)
+  # that looked like noise — the new A has a clean horizontal crossbar.
+  printf '%s  ▄██████▄   ▄▄▄▄███▄▄▄▄      ▄████████    ▄██████▄    ▄████████ %s\n' "$C_ORANGE" "$C_RST"
+  printf '%s ███    ███ ▄██▀▀▀███▀▀▀██▄   ███    ███   ███    ███  ███    ███%s\n' "$C_ORANGE" "$C_RST"
+  printf '%s ███    ███ ███   ███   ███   ███    █▀    ███         ███    ███%s\n' "$C_ORANGE" "$C_RST"
+  printf '%s ███    ███ ███   ███   ███  ▄███▄▄▄      ▄███         ███    ███%s\n' "$C_ORANGE" "$C_RST"
+  printf '%s ███    ███ ███   ███   ███ ▀▀███▀▀▀     ▀▀███ ████▄   ██████████%s\n' "$C_ORANGE" "$C_RST"
+  printf '%s ███    ███ ███   ███   ███   ███    █▄    ███    ███  ███    ███%s\n' "$C_ORANGE" "$C_RST"
+  printf '%s ███    ███ ███   ███   ███   ███    ███   ███    ███  ███    ███%s\n' "$C_ORANGE" "$C_RST"
+  printf '%s  ▀██████▀   ▀█   ███   █▀    ██████████    ▀██████▀   ███    ███%s\n' "$C_ORANGE" "$C_RST"
   printf '\n'
   printf '   %sOmega OS%s  %sv%s%s  ·  %sagentik-os/OmegaOS%s\n' \
          "$C_BOLD" "$C_RST" "$C_DIM" "$v" "$C_RST" "$C_DIM" "$C_RST"

package/bootstrap/lib/llm-clis.py

@@ -219,6 +219,12 @@ def _resolve_install_cmd(spec: CliSpec) -> list[str] | None:
         if _have("pip"):
             return ["pip", "install", "--user", "aider-chat"]
         return None
+    if spec.id == "ollama":
+        # Ollama's official installer is a curl-piped shell script —
+        # the only supported install path on Linux/macOS. v0.19.43 fix:
+        # previously returned None, so the --full installer would refuse
+        # to install ollama at all.
+        return ["bash", "-c", "curl -fsSL https://ollama.com/install.sh | sh"]
     return None
 
 

package/bootstrap/lib/manifest-helpers.py

@@ -36,6 +36,12 @@ Subcommands
     telegram-chat-id <manifest> <omega_home>
         Read ``telegram.group_chat_id`` from the manifest (if set) and
         persist it through the vault. Returns the resolved id on stdout.
+
+    providers-from-catalog <omega_home>
+        --full mode fallback. Discover available providers from
+        Agentik_SSOT/llm-providers/providers-catalog.yaml — include any
+        whose first env var is set in the environment OR whose secret
+        already exists in the vault. Writes a default router.yaml.
 """
 from __future__ import annotations
 
@@ -100,6 +106,108 @@ def cmd_providers(manifest: str, omega_home: str) -> int:
     return 0
 
 
+def _roles_for_cli(cli: str) -> list[str]:
+    """Map an LLM CLI to default ModelRouter roles.
+
+    Reasoning:
+      * claude_code = Anthropic Claude — the canonical executor/dispatcher.
+      * gemini_cli  = Google Gemini    — strong general executor.
+      * codex       = OpenAI Codex     — executor (paid OpenAI API).
+      * opencode    = multi-provider community CLI — anything goes.
+      * Others fall back to a generic "executor" role.
+    """
+    cli = (cli or "").strip()
+    if cli == "claude_code":
+        return ["executor", "dispatcher"]
+    if cli == "opencode":
+        return ["executor", "worker"]
+    return ["executor"]
+
+
+def cmd_providers_from_catalog(omega_home: str) -> int:
+    """--full mode fallback: auto-generate router.yaml from the catalog.
+
+    For every provider in
+    ``Agentik_SSOT/llm-providers/providers-catalog.yaml`` whose first
+    secret_ref env var is present (in the live env or in the vault),
+    write a corresponding entry to ``Agentik_SSOT/providers/router.yaml``.
+    Providers with ``secret_refs: []`` (oauth / local) are always
+    eligible because they don't need an api key.
+    """
+    home = Path(omega_home)
+    catalog_path = home / "Agentik_SSOT" / "llm-providers" / "providers-catalog.yaml"
+    if not catalog_path.exists():
+        print(f"no providers catalog at {catalog_path} — skipping")
+        return 0
+    try:
+        catalog = yaml.safe_load(catalog_path.read_text()) or {}
+    except yaml.YAMLError as exc:
+        print(f"catalog YAML error: {exc}")
+        return 0
+    entries = catalog.get("providers") or []
+    if not entries:
+        print(f"catalog at {catalog_path} has no `providers:` block")
+        return 0
+
+    # Vault is best-effort — if the engine isn't importable yet we just
+    # rely on os.environ.
+    _engine_on_path(home)
+    vault_read = None
+    try:
+        from omega_engine.vault import vault_read as _vr  # type: ignore
+        vault_read = _vr
+    except Exception:
+        vault_read = None
+
+    def _has_secret(env_name: str) -> bool:
+        if os.environ.get(env_name):
+            return True
+        if vault_read is None:
+            return False
+        try:
+            v = vault_read(home, env_name)
+            return bool(v and v.strip())
+        except Exception:
+            return False
+
+    router: dict = {"providers": []}
+    discovered: list[str] = []
+    for entry in entries:
+        if not isinstance(entry, dict):
+            continue
+        pid = (entry.get("id") or "").strip()
+        if not pid:
+            continue
+        cli = (entry.get("cli") or "").strip()
+        refs = entry.get("secret_refs") or []
+        # Providers with no secret_refs at all (oauth / local — ollama,
+        # lm_studio, github_copilot, chatgpt_subscription) are eligible
+        # without a key check.
+        primary = refs[0] if refs else None
+        eligible = (primary is None) or _has_secret(primary)
+        if not eligible:
+            continue
+        router["providers"].append({
+            "id": pid,
+            "roles": _roles_for_cli(cli),
+            "enabled": True,
+            "secret_ref": primary or "",
+            "cli": cli,
+        })
+        discovered.append(pid)
+
+    out_dir = home / "Agentik_SSOT" / "providers"
+    out_dir.mkdir(parents=True, exist_ok=True)
+    target = out_dir / "router.yaml"
+    target.write_text(yaml.safe_dump(router, sort_keys=False, default_flow_style=False))
+    if discovered:
+        print(f"discovered providers from catalog: {discovered}")
+    else:
+        print("no providers discovered (no env vars / vault secrets set yet)")
+    print(f"wrote {target}")
+    return 0
+
+
 def cmd_autonomous(manifest: str, templates_dir: str, target_dir: str) -> int:
     data = _load_manifest(manifest)
     agents = data.get("autonomous_agents") or []
@@ -362,6 +470,8 @@ def main(argv: list[str]) -> int:
     rest = argv[2:]
     if cmd == "providers" and len(rest) == 2:
         return cmd_providers(*rest)
+    if cmd == "providers-from-catalog" and len(rest) == 1:
+        return cmd_providers_from_catalog(*rest)
     if cmd == "autonomous" and len(rest) == 3:
         return cmd_autonomous(*rest)
     if cmd == "rag" and len(rest) == 2:

package/bootstrap/lib/steps.sh

@@ -14,7 +14,7 @@ step_preflight() {
     return 1
   fi
   have git || { err "git is required"; return 1; }
-  [ "$OMEGA_PKG" = "unknown" ] && { err "no supported package manager (apt/dnf/brew)"; return 1; }
+  [ "$OMEGA_PKG" = "unknown" ] && { err "no supported package manager (apt/dnf/brew/pacman/apk/zypper)"; return 1; }
   mkdir -p "$STATE_DIR/logs"
   return 0
 }
@@ -26,15 +26,64 @@ step_system_deps() {
   #   - fzf           — primary picker for the new session manager (`omega`)
   #                     and required by the tmux-claude install script too
   # whiptail lives in `whiptail` (Debian/Ubuntu), `newt` (RHEL/Fedora),
-  # `newt` (Homebrew). fzf is `fzf` on every platform.
+  # `libnewt` (Arch), `newt` (Alpine/SUSE), `newt` (Homebrew). fzf is `fzf`
+  # on every platform. nodejs+npm are required because 7 of 13 LLM CLIs
+  # (claude_code, gemini_cli, codex, opencode, qwen_code, continue_dev,
+  # gh_copilot) install via `npm -g`. Without npm at this step the LLM
+  # CLI installer (step 15) silently skips every Node-based CLI.
   local pkgs="python3 git tmux sqlite3 jq curl"
   case "$OMEGA_PKG" in
-    apt)  sudo apt-get update -qq && sudo apt-get install -y -qq $pkgs whiptail fzf python3-venv python3-yaml ;;
-    dnf)  sudo dnf install -y -q $pkgs newt fzf python3-pyyaml ;;
-    brew) brew install $pkgs newt fzf 2>/dev/null || true ;;
-    *)    err "install manually: $pkgs (and whiptail/newt + fzf for the menu)"; return 1 ;;
+    apt)    sudo apt-get update -qq \
+            && sudo apt-get install -y -qq $pkgs whiptail fzf python3-venv python3-yaml nodejs npm ;;
+    dnf)    sudo dnf install -y -q $pkgs newt fzf python3-pyyaml nodejs npm ;;
+    brew)   brew install $pkgs newt fzf node 2>/dev/null || true ;;
+    pacman) sudo pacman -S --noconfirm --needed $pkgs libnewt fzf python-yaml nodejs npm ;;
+    apk)    sudo apk add --no-cache $pkgs newt fzf py3-yaml nodejs npm ;;
+    zypper) sudo zypper --non-interactive install -y $pkgs newt fzf python3-PyYAML nodejs npm ;;
+    *)      err "install manually: $pkgs (and whiptail/newt + fzf + nodejs/npm for the menu and LLM CLIs)"; return 1 ;;
   esac
 
+  # npm version check — 7 of 13 LLM CLIs (claude_code, gemini_cli, codex,
+  # opencode, qwen_code, continue_dev, gh_copilot) require npm >= 9 for
+  # the agentic CLI install to be reliable. Older npm still works for
+  # plain installs; we warn but never fail.
+  if have npm; then
+    local _npm_v _npm_major
+    _npm_v="$(npm --version 2>/dev/null || echo 0)"
+    _npm_major="$(printf '%s' "$_npm_v" | cut -d. -f1)"
+    case "$_npm_major" in
+      ''|*[!0-9]*) _npm_major=0 ;;
+    esac
+    if [ "$_npm_major" -lt 9 ]; then
+      info "warn: npm $_npm_v detected — LLM CLI install (step 15) recommends npm >= 9"
+      info "      upgrade: npm install -g npm@latest  (or use your OS package manager)"
+    fi
+  fi
+
+  # tmux version check — the bundled pro config uses allow-passthrough,
+  # buffer-limit, and the modern hook syntax which require tmux >= 3.3.
+  # Older tmux still works (omega itself only needs basic features), but
+  # the pro profile emits errors on those config lines at load time.
+  if have tmux; then
+    local _tmux_v _tmux_major _tmux_minor
+    _tmux_v="$(tmux -V 2>/dev/null | awk '{print $2}' | tr -d -c '0-9.')"
+    if [ -n "$_tmux_v" ]; then
+      _tmux_major="$(printf '%s' "$_tmux_v" | cut -d. -f1)"
+      _tmux_minor="$(printf '%s' "$_tmux_v" | cut -d. -f2 | tr -d -c '0-9')"
+      case "$_tmux_major" in
+        ''|*[!0-9]*) _tmux_major=0 ;;
+      esac
+      case "$_tmux_minor" in
+        ''|*[!0-9]*) _tmux_minor=0 ;;
+      esac
+      if [ "$_tmux_major" -lt 3 ] || { [ "$_tmux_major" = "3" ] && [ "$_tmux_minor" -lt 3 ]; }; then
+        info "warn: tmux $_tmux_v detected — pro config requires >= 3.3"
+        info "      some bindings (allow-passthrough, buffer-limit) may error at load"
+        info "      upgrade via your OS package manager ($OMEGA_PKG) and reinstall tmux"
+      fi
+    fi
+  fi
+
   # PyYAML — required by every install-side helper that reads the manifest
   # or audit YAMLs (bootstrap/lib/llm-clis.py, manifest-helpers.py, audit
   # generator). apt/dnf already deliver it via the system package above.
@@ -134,9 +183,12 @@ step_system_deps() {
   if ! have age; then
     info "installing age (powers the encrypted secrets vault)"
     case "$OMEGA_PKG" in
-      apt)  sudo apt-get install -y -qq age 2>>"$LOG_FILE" || info "age install failed (non-fatal)" ;;
-      dnf)  sudo dnf install -y -q age 2>>"$LOG_FILE" || info "age install failed (non-fatal)" ;;
-      brew) brew install age 2>>"$LOG_FILE" || info "age install failed (non-fatal)" ;;
+      apt)    sudo apt-get install -y -qq age 2>>"$LOG_FILE" || info "age install failed (non-fatal)" ;;
+      dnf)    sudo dnf install -y -q age 2>>"$LOG_FILE" || info "age install failed (non-fatal)" ;;
+      brew)   brew install age 2>>"$LOG_FILE" || info "age install failed (non-fatal)" ;;
+      pacman) sudo pacman -S --noconfirm --needed age 2>>"$LOG_FILE" || info "age install failed (non-fatal)" ;;
+      apk)    sudo apk add --no-cache age 2>>"$LOG_FILE" || info "age install failed (non-fatal)" ;;
+      zypper) sudo zypper --non-interactive install -y age 2>>"$LOG_FILE" || info "age install failed (non-fatal)" ;;
     esac
   fi
   if ! have uv && [ ! -x "$HOME/.local/bin/uv" ]; then
@@ -204,7 +256,13 @@ step_llm_clis() {
       python3 "$helper" install "$MANIFEST" | sed 's/^/    /'
       return 0
     fi
-    info "headless + no manifest llm_clis — skipping (run omega upgrade later)"
+    # v0.19.43 — --full mode (NONINTERACTIVE=1 + no MANIFEST) used to skip
+    # silently, leaving the operator with zero LLM CLIs after `npx ... --full`.
+    # Install the recommended set instead. install_cli is idempotent (skips
+    # already-installed CLIs), so this is safe on every entry.
+    info "headless --full mode: installing recommended LLM CLI set (claude_code + gemini_cli + opencode)"
+    python3 "$helper" install claude_code gemini_cli opencode | sed 's/^/    /' || \
+      warn "recommended LLM CLI install returned non-zero (non-fatal)"
     return 0
   fi
 
@@ -257,9 +315,30 @@ var/
 staging/
 EOF
   # deploy the repo's source blocks into the live tree
+  #
+  # v0.19.44 — explicit `/bin/cp -Rf` (not bare `cp`) for two reasons:
+  #   1. Bypass any `alias cp='cp -i'` on macOS — interactive cp fails
+  #      SILENTLY when stdin is piped (the --full case via npx). The user
+  #      hit this on v0.19.43: re-install showed success but cli.py was
+  #      never refreshed → bare `omega` kept printing the v0.19.40 message.
+  #   2. `-f` forces overwrite even when the destination is read-only or
+  #      a stale immutable bit lingers from a previous install.
   if [ -d "${OMEGA_REPO:-}/omega" ]; then
-    cp -R "$OMEGA_REPO/omega/." "$OMEGA_HOME/"
-    ok "deployed source blocks from $OMEGA_REPO/omega"
+    local prev_v=""
+    [ -f "$OMEGA_HOME/Agentik_SSOT/VERSION" ] \
+      && prev_v="$(cat "$OMEGA_HOME/Agentik_SSOT/VERSION" 2>/dev/null || echo '')"
+    /bin/cp -Rf "$OMEGA_REPO/omega/." "$OMEGA_HOME/" || {
+      err "cp -Rf failed deploying $OMEGA_REPO/omega → $OMEGA_HOME/"
+      return 1
+    }
+    local new_v=""
+    [ -f "$OMEGA_HOME/Agentik_SSOT/VERSION" ] \
+      && new_v="$(cat "$OMEGA_HOME/Agentik_SSOT/VERSION" 2>/dev/null || echo '')"
+    if [ -n "$prev_v" ] && [ "$prev_v" != "$new_v" ]; then
+      ok "code refreshed: ${prev_v} → ${new_v}"
+    else
+      ok "deployed source blocks from \$OMEGA_REPO/omega (v${new_v:-?})"
+    fi
   else
     err "repo source not found at \$OMEGA_REPO/omega"; return 1
   fi
@@ -351,7 +430,16 @@ step_engine() {
   local uv_bin; uv_bin="$(command -v uv || echo "$HOME/.local/bin/uv")"
   [ -x "$uv_bin" ] || { err "uv not found after step 10"; return 1; }
   cd "$OMEGA_HOME/Agentik_Engine" || { err "engine block missing"; return 1; }
-  "$uv_bin" venv >/dev/null 2>&1     || { err "uv venv failed"; return 1; }
+  # Pin engine venv to Python 3.13 — uv will download an Astral-managed
+  # build if the host's python3 is broken or unavailable. This sidesteps
+  # the macOS Tahoe brew Python 3.14 libexpat ABI mismatch and any other
+  # "system python3 silently inherited" failure mode. Fall back to a
+  # bare `uv venv` (uses whatever python3 is on PATH) so the install
+  # still succeeds on hosts where Python 3.13 cannot be procured.
+  if ! "$uv_bin" venv --python 3.13 >/dev/null 2>&1; then
+    info "engine venv: uv venv --python 3.13 failed, falling back to system python3"
+    "$uv_bin" venv >/dev/null 2>&1 || { err "uv venv failed"; return 1; }
+  fi
   "$uv_bin" pip install -e . >/dev/null 2>&1 || { err "engine install failed"; return 1; }
   mkdir -p "$OMEGA_HOME/Agentik_Tools/bin"
   ln -sf "$OMEGA_HOME/Agentik_Engine/.venv/bin/omega" "$OMEGA_HOME/Agentik_Tools/bin/omega"
@@ -387,9 +475,16 @@ step_tmux_config() {
   fi
   local marker="$HOME/.tmux/scripts/session-manager.sh"
   local installer_url="https://raw.githubusercontent.com/agentik-os/tmux-claude/main/install.sh"
+  # v0.19.43 — track whether ~/.tmux.conf is a tmux-claude install (either
+  # already present OR freshly installed by the curl pipe). When it is, we
+  # MUST also wire the Omega add-on (Alt+O bind) via
+  # install_into_home_tmux_conf — otherwise the user has tmux-claude but
+  # no way to reach the Omega menu from tmux.
+  local upstream_present=0
 
   if [ -f "$marker" ]; then
-    info "tmux-claude already installed at $marker — skipping"
+    info "tmux-claude already installed at $marker — skipping curl"
+    upstream_present=1
   elif have curl; then
     info "installing canonical tmux-claude setup (agentik-os/tmux-claude)…"
     # We pipe through `bash -s -- --no-prompt` so the install doesn't ask
@@ -398,6 +493,7 @@ step_tmux_config() {
     if curl -fsSL "$installer_url" 2>>"$LOG_FILE" \
          | bash -s -- --no-prompt >>"$LOG_FILE" 2>&1; then
       ok "tmux-claude installed (~/.tmux/scripts/, ~/.tmux.conf)"
+      upstream_present=1
     else
       err "tmux-claude install failed — falling back to bundled pro profile"
       _tmux_fallback_pro_config
@@ -407,6 +503,28 @@ step_tmux_config() {
     _tmux_fallback_pro_config
   fi
 
+  # v0.19.43 — wire the Omega add-on AFTER an upstream tmux-claude install
+  # succeeds (or was already present). Without this step the upstream
+  # ~/.tmux.conf has NO `source-file` line for the OmegaOS add-on, so the
+  # Alt+O / Ctrl-b o binds never get sourced. install_into_home_tmux_conf
+  # detects the tmux-claude markers and falls into the
+  # preserved-tmux-claude branch — drops omega-tmux-add.conf and appends
+  # the source-file line at the end of ~/.tmux.conf.
+  # The fallback path already wires the add-on via _tmux_fallback_pro_config
+  # → install_into_home_tmux_conf, so we only need to do it here for the
+  # happy path.
+  if [ "$upstream_present" = "1" ]; then
+    PYTHONPATH="$OMEGA_HOME/Agentik_Engine" python3 - <<PY 2>>"$LOG_FILE" || warn "Omega tmux add-on wire failed (non-fatal)"
+import os
+os.environ["OMEGA_HOME"] = "$OMEGA_HOME"
+from omega_engine.tmux import install_into_home_tmux_conf
+result = install_into_home_tmux_conf(profile="pro")
+print(f"  Omega tmux wired: mode={result['mode']}")
+print(f"  written:          {result['written']}")
+print(f"  bundled copy:     {result['bundled_copy']}")
+PY
+  fi
+
   # Always also drop the bundled config under $OMEGA_HOME so `omega tmux
   # install --profile pro` later remains a working manual recovery path.
   PYTHONPATH="$OMEGA_HOME/Agentik_Engine" python3 - <<PY 2>>"$LOG_FILE"
@@ -585,6 +703,15 @@ for entry in missing:
         elif pkg == "dnf":
             rc, out = _run(["sudo", "dnf", "install", "-y", "-q", install[pkg]])
             attempt = f"dnf install {install[pkg]}"
+        elif pkg == "pacman":
+            rc, out = _run(["sudo", "pacman", "-S", "--noconfirm", "--needed", install[pkg]])
+            attempt = f"pacman -S {install[pkg]}"
+        elif pkg == "apk":
+            rc, out = _run(["sudo", "apk", "add", "--no-cache", install[pkg]])
+            attempt = f"apk add {install[pkg]}"
+        elif pkg == "zypper":
+            rc, out = _run(["sudo", "zypper", "--non-interactive", "install", "-y", install[pkg]])
+            attempt = f"zypper install {install[pkg]}"
     elif "npm_global" in install and shutil.which("npm"):
         rc, out = _run(["npm", "install", "-g", "--silent", install["npm_global"]])
         attempt = f"npm install -g {install['npm_global']}"
@@ -1107,6 +1234,32 @@ _claude_plugins_prompt_checklist() {
   fi
 }
 
+# --- 47 -----------------------------------------------------------------------
+#
+# step_paperclip — register OmegaOS as the "omegaos" company with Paperclip.
+#
+# v0.19.43 — auto-runs at install time so the user doesn't have to type
+# `omega paperclip register` manually. Idempotent: if the 14 agents are
+# already registered, re-runs are a no-op content-equality check.
+#
+# This step does NOT install the Paperclip dashboard binary itself — that
+# remains opt-in via `omega tool install paperclipai`. It only writes the
+# company.json + per-agent JSON files at ~/.paperclip/companies/omegaos/
+# so Paperclip can SEE OmegaOS as soon as the operator starts the daemon.
+step_paperclip() {
+  PYTHONPATH="$OMEGA_HOME/Agentik_Engine" python3 - <<PY 2>>"$LOG_FILE"
+import os
+os.environ["OMEGA_HOME"] = "$OMEGA_HOME"
+from omega_engine import paperclip_bridge as PB
+result = PB.register()
+print(f"  Paperclip company registered: omegaos")
+print(f"  agents written:     {result.get('agents_written', 0)}")
+print(f"  workspaces written: {result.get('workspaces_written', 0)}")
+print(f"  paperclip_home:     {result.get('paperclip_home', '?')}")
+PY
+  return $?
+}
+
 # --- 50 -----------------------------------------------------------------------
 step_telegram() {
   # Two distinct bots in the corrected v0.19.14 model:
@@ -1268,7 +1421,14 @@ step_accounts() {
 # we skip and the operator wires providers later via env or `omega account`.
 step_providers() {
   if [ -z "${MANIFEST:-}" ] || [ ! -f "$MANIFEST" ]; then
-    info "no manifest providers — skipping (set env vars or run \`omega account login\` later)"
+    # v0.19.43 — used to skip silently, leaving the runtime ModelRouter
+    # with no router.yaml. Now auto-generate one from the live providers
+    # catalog: any provider whose primary env var is set OR whose vault
+    # secret exists is included. Oauth/local providers are always
+    # included (no key needed).
+    info "no manifest providers — auto-discovering from catalog"
+    python3 "$OMEGA_REPO/bootstrap/lib/manifest-helpers.py" providers-from-catalog "$OMEGA_HOME" \
+      | sed 's/^/    /'
     return 0
   fi
   python3 "$OMEGA_REPO/bootstrap/lib/manifest-helpers.py" providers "$MANIFEST" "$OMEGA_HOME" \
@@ -1337,17 +1497,22 @@ step_first_project() {
 
 # --- 59 -----------------------------------------------------------------------
 #
-# step_hermes_session — guarantee one always-on Hermès chat session.
+# step_aisb_session — guarantee one always-on AISB master chat window.
 #
-# Spawns the persistent `AISB-chat` tmux session running `omega aisb chat-loop`.
-# This is the operator's terminal-side conversation entry point — critical
-# when Telegram isn't wired (minimal profile, or chat_id not yet set), and
-# still useful when it IS wired (an always-attached local fallback that does
-# not need internet).
+# v0.19.43 — RENAMED from step_hermes_session (which was a misnomer: it
+# spawned the AISB master chat, not Hermès). v0.19.43 also moved the
+# chat from a standalone tmux session to a WINDOW inside the Omega
+# master session (Omega:aisb). spawn_aisb_chat now returns "Omega:aisb"
+# and spawns the Omega master if needed.
 #
-# Idempotent: if `AISB-chat` is already alive, we just print attach
+# This is the operator's terminal-side conversation entry point —
+# critical when Telegram isn't wired (minimal profile, or chat_id not
+# yet set), and still useful when it IS wired (an always-attached local
+# fallback that does not need internet).
+#
+# Idempotent: if the aisb window already exists, we just print attach
 # instructions.
-step_hermes_session() {
+step_aisb_session() {
   if ! have tmux; then
     err "tmux not installed — step_system_deps should have caught this"
     return 1
@@ -1359,13 +1524,16 @@ step_hermes_session() {
 import os
 os.environ["OMEGA_HOME"] = "$OMEGA_HOME"
 from omega_engine import tmux
-name = "AISB-chat"
-if tmux.is_alive(name):
-    print(f"  session already running: {name}")
+# v0.19.43 — AISB master chat is now a WINDOW under the Omega master
+# session. omega_window_alive() checks the aisb window specifically;
+# attach_command() returns the right `tmux attach -t Omega:aisb` form.
+target = "Omega:aisb"
+if tmux.omega_window_alive("aisb"):
+    print(f"  AISB chat window already running: {target}")
 else:
     tmux.spawn_aisb_chat("$OMEGA_HOME")
-    print(f"  spawned: {name}  (always-on Hermès conversation)")
-print(f"  attach:  {tmux.attach_command(name)}")
+    print(f"  spawned: {target}  (always-on AISB master conversation)")
+print(f"  attach:  {tmux.attach_command(target)}")
 print(f"  detach:  Ctrl-b d  (session keeps running)")
 PY
   return $?
@@ -1373,6 +1541,63 @@ PY
 
 # --- 60 -----------------------------------------------------------------------
 #
+# step_hermes_session — spawn the always-on Hermès chat window, IF the
+# vault key is present.
+#
+# v0.19.43 — separate step from step_aisb_session (which was previously
+# misnamed step_hermes_session but spawned AISB). Hermès has its own
+# credential isolation contract (ANTHROPIC_API_KEY_HERMES from the
+# vault — see omega_engine/hermes.py for the resolution chain). If the
+# vault key is missing we SKIP this step instead of falling back to Max
+# OAuth — operators who want Hermès running 24/7 must wire the key
+# explicitly. (Interactive `omega hermes` still falls through to Max
+# OAuth as a last resort so users can experiment without a paid key.)
+step_hermes_session() {
+  if ! have tmux; then
+    err "tmux not installed — step_system_deps should have caught this"
+    return 1
+  fi
+  local omega="$OMEGA_HOME/Agentik_Tools/bin/omega"
+  [ -x "$omega" ] || { err "omega CLI not found at $omega — step_engine incomplete"; return 1; }
+
+  local key_present=0
+  if PYTHONPATH="$OMEGA_HOME/Agentik_Engine" python3 - <<PY 2>/dev/null
+from pathlib import Path
+import os, sys
+home = Path(os.environ.get("OMEGA_HOME", str(Path.home() / "Omega")))
+try:
+    from omega_engine.vault import vault_read
+    k = vault_read(home, "ANTHROPIC_API_KEY_HERMES")
+    sys.exit(0 if (k and k.strip()) else 1)
+except Exception:
+    sys.exit(1)
+PY
+  then
+    key_present=1
+  fi
+
+  if [ "$key_present" = "1" ]; then
+    PYTHONPATH="$OMEGA_HOME/Agentik_Engine" python3 - <<PY 2>>"$LOG_FILE"
+import os
+os.environ["OMEGA_HOME"] = "$OMEGA_HOME"
+from omega_engine import tmux
+target = "Omega:hermes"
+if tmux.omega_window_alive("hermes"):
+    print(f"  Hermès chat window already running: {target}")
+else:
+    tmux.spawn_hermes_chat("$OMEGA_HOME")
+    print(f"  spawned: {target}  (always-on Hermès conversation)")
+print(f"  attach:  {tmux.attach_command(target)}")
+PY
+  else
+    info "  Hermès vault key (ANTHROPIC_API_KEY_HERMES) absent — skipping persistent session"
+    info "  wire it with: omega vault write ANTHROPIC_API_KEY_HERMES sk-ant-..."
+  fi
+  return 0
+}
+
+# --- 65 -----------------------------------------------------------------------
+#
 # step_services — install the 24/7 service layer.
 #
 # Linux: write 3 systemd user units, `daemon-reload`, then `enable --now`.

package/bootstrap/templates/aisb/CLAUDE.md

@@ -38,6 +38,15 @@ v7.0 adds R-XX ownership and updated tooling without renaming any agent.
 
 ## Architecture
 
+> **L0 Paperclip governance.** OmegaOS is registered as the "omegaos"
+> company at `~/.paperclip/companies/omegaos/` with 14 agents (Hermès +
+> 13 AISB). Each agent has a fixed reporting line (Hermès → top; Niobe
+> → Hermès; Oracle/Construct/Morpheus/Architect → Oracle's chain).
+> Agents should call `paperclip_bridge.send_heartbeat()` at meaningful
+> lifecycle events (spawn / mission complete / blocked) so the
+> Paperclip dashboard surfaces live status to the operator. This is
+> additive — no AISB agent depends on Paperclip being running.
+
 ```
                        USER (Telegram)
                             |
@@ -274,6 +283,10 @@ Handoff templates: `protocols/handoff-templates.md`
 Shared protocol: `protocols/shared-protocol.md`
 LMC (Lead-Manager-Checker) protocol: `protocols/lmc-protocol.md` for SERAPH-grade audits.
 
+**Fresh context handoff** — every brief dispatched downstream MUST be self-contained:
+Mission / Purpose / Context / Done Criteria / Verify Command. The receiving agent
+never sees this conversation; if it isn't written into the brief, it does not exist.
+
 ---
 
 ## AISB Nerve (v2.0, Omega-aware)