@trac3er/oh-my-god 2.0.0 → 2.0.2

package/lab/policies.py

@@ -0,0 +1,52 @@
+"""Policy checks for OMG lab train/eval pipeline."""
+from __future__ import annotations
+
+from typing import Any
+
+
+ALLOWED_LICENSES = {"apache-2.0", "mit", "bsd-3-clause", "cc-by-4.0"}
+BLOCKED_SOURCE_TOKENS = {"unknown", "leaked", "stolen", "unauthorized", "pirated"}
+
+
+def validate_dataset_source(dataset: dict[str, Any]) -> tuple[bool, str]:
+    license_name = str(dataset.get("license", "")).lower()
+    source = str(dataset.get("source", "")).lower()
+
+    if not license_name:
+        return False, "dataset license missing"
+    if license_name not in ALLOWED_LICENSES:
+        return False, f"dataset license not allowed: {license_name}"
+    if any(token in source for token in BLOCKED_SOURCE_TOKENS):
+        return False, "dataset source violates policy"
+    return True, "ok"
+
+
+def validate_model_source(model: dict[str, Any]) -> tuple[bool, str]:
+    source = str(model.get("source", "")).lower()
+    allow_distill = bool(model.get("allow_distill", False))
+
+    if any(token in source for token in BLOCKED_SOURCE_TOKENS):
+        return False, "model source violates policy"
+    if not allow_distill:
+        return False, "model source disallows distillation"
+    return True, "ok"
+
+
+def validate_job_request(job: dict[str, Any]) -> tuple[bool, str]:
+    dataset = job.get("dataset")
+    model = job.get("base_model")
+
+    if not isinstance(dataset, dict):
+        return False, "dataset block missing"
+    if not isinstance(model, dict):
+        return False, "base_model block missing"
+
+    ok, reason = validate_dataset_source(dataset)
+    if not ok:
+        return False, reason
+
+    ok, reason = validate_model_source(model)
+    if not ok:
+        return False, reason
+
+    return True, "ok"

package/package.json

@@ -1,18 +1,13 @@
 {
   "name": "@trac3er/oh-my-god",
-  "version": "2.0.0",
+  "version": "2.0.2",
   "description": "OMG (Oh My God) — Multi-agent orchestration, intelligent model routing, and durable session state for Claude Code",
-  "bin": {
-    "omg": "scripts/omg.ts"
-  },
-  "main": "scripts/omg.ts",
+  "main": "OMG-setup.sh",
   "scripts": {
-    "postinstall": "bash ./OMG-setup.sh install --non-interactive",
-    "update": "bash ./OMG-setup.sh update",
-    "uninstall": "bash ./OMG-setup.sh uninstall",
-    "test": "bun test",
-    "typecheck": "bunx tsc --noEmit",
-    "check:runtime-clean": "bun scripts/check-runtime-clean.ts"
+    "postinstall": "./OMG-setup.sh install --non-interactive",
+    "update": "./OMG-setup.sh update",
+    "uninstall": "./OMG-setup.sh uninstall",
+    "test": "python3 -m pytest tests/ -x -q"
   },
   "keywords": [
     "claude",
@@ -35,12 +30,6 @@
   },
   "homepage": "https://github.com/trac3er00/OMG#readme",
   "engines": {
-    "bun": ">=1.3.0"
-  },
-  "packageManager": "bun@1.3.9",
-  "devDependencies": {
-    "@types/node": "^25.3.5",
-    "bun-types": "^1.3.10",
-    "typescript": "^5.9.2"
+    "node": ">=14"
   }
 }

package/plugins/README.md

@@ -1,82 +1,54 @@
 # OMG Commands
 
-OMG provides two tiers of commands:
+OMG exposes a small native front door and keeps the rest of the surface available as advanced plugins.
 
-## Core Commands (`commands/`)
+## Native Entry Points
 
-Essential functionality available in all OMG installations:
+| Command | Description |
+|---------|-------------|
+| `/OMG:setup` | Native setup and adoption flow for supported hosts |
+| `/OMG:crazy` | Default OMG orchestration flow |
+
+## Core Commands
 
 | Command | Description |
 |---------|-------------|
 | `/OMG:init` | Initialize project or domain |
-| `/OMG:escalate` | Route to Codex/Gemini/CCG |
-| `/OMG:teams` | Team routing (standalone) |
-| `/OMG:ccg` | Tri-track synthesis (Claude+Codex+Gemini) |
-| `/OMG:crazy` | Parallel multi-agent orchestration |
-| `/OMG:compat` | Legacy compatibility dispatcher |
-| `/OMG:health-check` | Verify setup and tools |
-| `/OMG:mode` | Set cognitive mode |
-
-## Advanced Commands (`plugins/advanced/`)
+| `/OMG:escalate` | Route to Codex, Gemini, or CCG |
+| `/OMG:teams` | Team routing for internal OMG execution |
+| `/OMG:ccg` | Tri-track synthesis |
+| `/OMG:compat` | Legacy compatibility routing |
+| `/OMG:health-check` | Verify setup and tool integration |
+| `/OMG:mode` | Set cognitive mode for the session |
 
-Extended functionality for specialized workflows:
+## Advanced Commands
 
 | Command | Category | Description |
 |---------|----------|-------------|
 | `/OMG:deep-plan` | Planning | Strategic planning with domain awareness |
-| `/OMG:learn` | Knowledge | Create skills from patterns |
-| `/OMG:code-review` | Quality | Deep code review |
-| `/OMG:security-review` | Security | Security vulnerability scanning |
-| `/OMG:ship` | Delivery | Ship pipeline (idea → PR) |
-| `/OMG:handoff` | Collaboration | Session transfer |
-| `/OMG:maintainer` | OSS | Open-source maintainer tools |
-| `/OMG:sequential-thinking` | Thinking | Structured reasoning |
-| `/OMG:ralph-start` | Automation | Start Ralph loop |
-| `/OMG:ralph-stop` | Automation | Stop Ralph loop |
+| `/OMG:learn` | Knowledge | Convert patterns into OMG-native instincts and skills |
+| `/OMG:code-review` | Quality | Deep review flow |
+| `/OMG:security-review` | Security | Security-focused review |
+| `/OMG:ship` | Delivery | Idea to evidence to release |
+| `/OMG:handoff` | Collaboration | Session transfer and continuity |
 
-## Plugin Architecture
+## Plugin Layout
 
-Commands are organized as plugins:
-
-```
+```text
 plugins/
-├── core/           # Essential commands
-│   ├── commands/   # Command definitions
-│   └── plugin.json # Plugin manifest
-└── advanced/       # Extended commands
-    ├── commands/
-    └── plugin.json
-```
-
-### Using Advanced Commands
-
-Advanced commands work the same as core commands:
-
-```
-/OMG:deep-plan implement OAuth2 flow
-/OMG:learn from this session
-/OMG:code-review src/auth.ts
+  core/
+    commands/
+    plugin.json
+  advanced/
+    commands/
+    plugin.json
 ```
 
-### Creating Custom Plugins
-
-1. Create `plugins/my-plugin/plugin.json`
-2. Add commands to `plugins/my-plugin/commands/`
-3. OMG auto-discovers plugins on startup
-
-See `plugins/advanced/` for examples.
-
-## Migration from Legacy Plugins
+## Adoption Notes
 
-Advanced commands are OMG-native equivalents of legacy plugin capabilities:
+Public migration commands are intentionally avoided. OMG uses `/OMG:setup` and `OMG-setup.sh` to detect and adopt older ecosystems internally, while `compat` remains focused on legacy skill routing.
 
-| Legacy Plugin | OMG Advanced |
-|-------------|--------------|
-| `writing-plans` | `/OMG:deep-plan` |
-| `learner` | `/OMG:learn` |
-| `requesting-code-review` | `/OMG:code-review` |
-| `security-review` | `/OMG:security-review` |
-| `finishing-a-development-branch` | `/OMG:ship` |
-| `handoff` | `/OMG:handoff` |
+## Public Docs
 
-OMG advanced commands are designed for OMG standalone mode without requiring external plugins.
+- Install guides live in [docs/install/claude-code.md](../docs/install/claude-code.md), [docs/install/codex.md](../docs/install/codex.md), and [docs/install/opencode.md](../docs/install/opencode.md).
+- Proof surface lives in [docs/proof.md](../docs/proof.md).

package/plugins/advanced/commands/OMG:deep-plan.md

@@ -37,10 +37,10 @@ Examples of GOOD questions:
 Read the codebase to understand the CURRENT state:
 ```bash
 # Directory structure
-find . -type f \( -name "*.ts" -o -name "*.tsx" -o -name "*.js" -o -name "*.jsx" -o -name "*.go" \) | head -50
+find . -type f -name "*.ts" -o -name "*.py" -o -name "*.go" | head -50
 
 # Key architectural patterns
-grep -rn "export class\|export function\|function \|const .*=\|func \|struct " src/ --include="*.{ts,tsx,js,jsx,go}" | head -30
+grep -rn "export class\|export function\|def \|func \|struct " src/ --include="*.{ts,py,go}" | head -30
 
 # Existing domain boundaries
 ls -la src/*/  # or app/*/ or packages/*/
@@ -140,7 +140,7 @@ After validation, launch exactly 5 planning tracks with mixed-model intent using
 
 Dispatch pattern is mandatory: all 5 tracks launch in parallel as background sub-agents.
 
-```text
+```python
 task(subagent_type="explore", run_in_background=true, load_skills=[], description="Architect planning track", prompt="...")
 task(subagent_type="explore", run_in_background=true, load_skills=[], description="Backend planning track", prompt="...")
 task(subagent_type="explore", run_in_background=true, load_skills=[], description="Frontend planning track", prompt="...")

package/plugins/advanced/commands/OMG:learn.md

@@ -99,7 +99,7 @@ When detecting patterns, especially look for:
 ## Aggregated Patterns (Auto)
 When you run `/OMG:learn auto`, OMG reads all learning files from `.omg/state/learnings/` and generates `.omg/knowledge/critical-patterns.md` with your top tool and file patterns.
 
-Regenerate by rerunning `/OMG:learn auto` after a representative session.
+Run: `python3 -c "import sys; sys.path.insert(0,'hooks'); from _learnings import save_critical_patterns; save_critical_patterns('.')"`
 ## File Write Fallback
 If `Write` fails (file exists), use `Edit` or Bash heredoc:
 ```bash

package/plugins/advanced/commands/OMG:security-review.md

@@ -16,13 +16,13 @@ Determine what to scan:
 Identify security-critical files automatically:
 ```bash
 # Auth/session
-find . -type f \( -name "*.ts" -o -name "*.tsx" -o -name "*.js" -o -name "*.jsx" -o -name "*.go" -o -name "*.rs" \) | xargs grep -li "auth\|login\|session\|token\|password\|jwt\|oauth" 2>/dev/null
+find . -type f \( -name "*.ts" -o -name "*.js" -o -name "*.py" -o -name "*.go" -o -name "*.rs" \) | xargs grep -li "auth\|login\|session\|token\|password\|jwt\|oauth" 2>/dev/null
 
 # Payment
-find . -type f \( -name "*.ts" -o -name "*.tsx" -o -name "*.js" -o -name "*.jsx" -o -name "*.go" \) | xargs grep -li "payment\|billing\|stripe\|checkout\|card\|price" 2>/dev/null
+find . -type f -name "*.{ts,js,py,go}" | xargs grep -li "payment\|billing\|stripe\|checkout\|card\|price" 2>/dev/null
 
 # Database
-find . -type f \( -name "*.ts" -o -name "*.tsx" -o -name "*.js" -o -name "*.jsx" -o -name "*.go" \) | xargs grep -li "query\|SELECT\|INSERT\|UPDATE\|DELETE\|migration\|schema" 2>/dev/null
+find . -type f -name "*.{ts,js,py,go}" | xargs grep -li "query\|SELECT\|INSERT\|UPDATE\|DELETE\|migration\|schema" 2>/dev/null
 ```
 
 ## Step 2: Automated Vulnerability Scan

package/plugins/advanced/commands/OMG:ship.md

@@ -1,6 +1,6 @@
 ---
 description: Ship pipeline — Idea -> Plan -> Execute -> Evidence -> PR-ready summary
-allowed-tools: Read, Write, Edit, MultiEdit, Grep, Glob, Bash(git:*), Bash(rg:*), Bash(find:*), Bash(cat:*), Bash(bun:*), Bash(npm test:*), Bash(go test:*), Bash(cargo test:*), Bash(jest:*), Bash(vitest:*)
+allowed-tools: Read, Write, Edit, MultiEdit, Grep, Glob, Bash(git:*), Bash(rg:*), Bash(find:*), Bash(cat:*), Bash(python3:*), Bash(pytest:*), Bash(npm test:*), Bash(go test:*), Bash(cargo test:*), Bash(jest:*), Bash(vitest:*)
 argument-hint: "[goal or optional path to .omg/idea.yml]"
 ---
 

package/plugins/advanced/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "omg-advanced",
-  "version": "2.0.0",
+  "version": "1.0.5",
   "description": "Advanced OMG commands - deep planning, learning, code review, security review, and specialized workflows",
   "type": "omg-plugin",
   "commands": {

package/plugins/core/plugin.json

@@ -1,9 +1,14 @@
 {
   "name": "omg-core",
-  "version": "2.0.0",
-  "description": "Core OMG commands - essential functionality for routing, initialization, and multi-agent orchestration",
+  "version": "2.0.2",
+  "description": "Core OMG commands - native setup, routing, orchestration, and verification surfaces",
   "type": "omg-plugin",
   "commands": {
+    "setup": {
+      "path": "commands/OMG:setup.md",
+      "description": "Native OMG setup and adoption flow for supported hosts",
+      "category": "setup"
+    },
     "init": {
       "path": "commands/OMG:init.md",
       "description": "Unified initializer for project setup and domain scaffolding",
@@ -81,7 +86,7 @@
   "categories": {
     "setup": {
       "description": "Project initialization and setup",
-      "commands": ["init", "health-check"]
+      "commands": ["setup", "init", "health-check"]
     },
     "routing": {
       "description": "Model routing and escalation",

package/plugins/dephealth/cve_scanner.py

@@ -0,0 +1,188 @@
+from __future__ import annotations
+
+import json
+import os
+from datetime import datetime, timedelta, timezone
+from pathlib import Path
+from typing import Any
+import urllib.error
+import urllib.request
+
+
+OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch"
+CACHE_REL_PATH = Path(".omg") / "state" / "cve-cache.json"
+CACHE_TTL_HOURS = 24
+
+
+def _dep_health_enabled() -> bool:
+    env_val = os.environ.get("OMG_DEP_HEALTH_ENABLED", "").lower()
+    if env_val in ("1", "true", "yes"):
+        return True
+    if env_val in ("0", "false", "no"):
+        return False
+    try:
+        import sys
+        sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))))
+        from hooks._common import get_feature_flag
+        return get_feature_flag("DEP_HEALTH", default=False)
+    except Exception:
+        return False
+
+
+def scan_for_cves(dependency_list: list[dict[str, str]], project_dir: str = ".") -> dict[str, Any]:
+    if not _dep_health_enabled():
+        return {"results": {}, "cached": False, "scan_ts": datetime.now(timezone.utc).isoformat()}
+    
+    now = datetime.now(timezone.utc)
+    cache_path = Path(project_dir) / CACHE_REL_PATH
+    cached_payload = _load_cache(cache_path)
+
+    if not dependency_list:
+        return {
+            "results": {},
+            "cached": False,
+            "scan_ts": now.isoformat(),
+        }
+
+    if cached_payload and _is_cache_fresh(cached_payload.get("scan_ts")):
+        return {
+            "results": cached_payload.get("results", {}),
+            "cached": True,
+            "scan_ts": cached_payload.get("scan_ts", now.isoformat()),
+        }
+
+    try:
+        osv_response = _query_osv_batch(dependency_list)
+    except urllib.error.URLError:
+        if cached_payload:
+            return {
+                "results": cached_payload.get("results", {}),
+                "cached": True,
+                "scan_ts": cached_payload.get("scan_ts", now.isoformat()),
+            }
+        return {"status": "offline", "results": {}, "cached": False}
+
+    structured_results = _normalize_results(dependency_list, osv_response)
+    scan_result = {
+        "results": structured_results,
+        "cached": False,
+        "scan_ts": now.isoformat(),
+    }
+    _save_cache(cache_path, scan_result)
+    return scan_result
+
+
+def _query_osv_batch(dependency_list: list[dict[str, str]]) -> dict[str, Any]:
+    payload = {
+        "queries": [
+            {
+                "package": {
+                    "name": dependency["name"],
+                    "ecosystem": dependency["ecosystem"],
+                },
+                "version": dependency["version"],
+            }
+            for dependency in dependency_list
+        ]
+    }
+
+    request = urllib.request.Request(
+        OSV_BATCH_URL,
+        data=json.dumps(payload).encode("utf-8"),
+        headers={"Content-Type": "application/json"},
+        method="POST",
+    )
+
+    with urllib.request.urlopen(request) as response:
+        body = response.read().decode("utf-8")
+    return json.loads(body)
+
+
+def _normalize_results(
+    dependency_list: list[dict[str, str]], osv_response: dict[str, Any]
+) -> dict[str, list[dict[str, Any]]]:
+    output: dict[str, list[dict[str, Any]]] = {}
+    response_results = osv_response.get("results", [])
+
+    for index, dependency in enumerate(dependency_list):
+        pkg_name = dependency.get("name", "")
+        query_result = response_results[index] if index < len(response_results) else {}
+        vulns = query_result.get("vulns", [])
+
+        normalized_vulns: list[dict[str, Any]] = []
+        for vuln in vulns:
+            affected_versions, fixed_version = _extract_affected(vuln)
+            normalized_vulns.append(
+                {
+                    "id": vuln.get("id", ""),
+                    "severity": _extract_severity(vuln),
+                    "summary": vuln.get("summary", ""),
+                    "affected_versions": affected_versions,
+                    "fixed_version": fixed_version,
+                }
+            )
+
+        output[pkg_name] = normalized_vulns
+
+    return output
+
+
+def _extract_severity(vuln: dict[str, Any]) -> str:
+    severities = vuln.get("severity") or []
+    if severities and isinstance(severities[0], dict):
+        score = severities[0].get("score")
+        if score:
+            return str(score)
+    return "UNKNOWN"
+
+
+def _extract_affected(vuln: dict[str, Any]) -> tuple[list[str], str]:
+    affected_versions: list[str] = []
+    fixed_version = ""
+
+    for affected in vuln.get("affected", []) or []:
+        for version in affected.get("versions", []) or []:
+            affected_versions.append(str(version))
+
+        for version_range in affected.get("ranges", []) or []:
+            for event in version_range.get("events", []) or []:
+                introduced = event.get("introduced")
+                fixed = event.get("fixed")
+                if introduced:
+                    affected_versions.append(str(introduced))
+                if fixed and not fixed_version:
+                    fixed_version = str(fixed)
+
+    deduped_versions = list(dict.fromkeys(affected_versions))
+    return deduped_versions, fixed_version
+
+
+def _load_cache(cache_path: Path) -> dict[str, Any] | None:
+    if not cache_path.exists():
+        return None
+    try:
+        return json.loads(cache_path.read_text(encoding="utf-8"))
+    except (OSError, json.JSONDecodeError):
+        return None
+
+
+def _save_cache(cache_path: Path, payload: dict[str, Any]) -> None:
+    try:
+        cache_path.parent.mkdir(parents=True, exist_ok=True)
+        cache_path.write_text(json.dumps(payload, separators=(",", ":")), encoding="utf-8")
+    except OSError:
+        return
+
+
+def _is_cache_fresh(scan_ts: str | None) -> bool:
+    if not scan_ts:
+        return False
+    try:
+        scanned_at = datetime.fromisoformat(scan_ts)
+    except ValueError:
+        return False
+
+    if scanned_at.tzinfo is None:
+        scanned_at = scanned_at.replace(tzinfo=timezone.utc)
+
+    return datetime.now(timezone.utc) - scanned_at < timedelta(hours=CACHE_TTL_HOURS)

package/plugins/dephealth/license_checker.py

@@ -0,0 +1,135 @@
+"""License compatibility checker for dependency health analysis.
+
+Checks whether project dependencies have licenses compatible with
+the project's own license using a static compatibility matrix.
+No network access required.
+"""
+
+from __future__ import annotations
+import os
+from typing import Any
+
+# License categories (restrictiveness increases top to bottom)
+_PERMISSIVE = frozenset({
+    "MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC", "Unlicense", "CC0-1.0",
+})
+
+_WEAK_COPYLEFT = frozenset({
+    "Apache-2.0", "LGPL-2.1", "LGPL-3.0", "MPL-2.0",
+})
+
+_STRONG_COPYLEFT = frozenset({
+    "GPL-2.0", "GPL-3.0",
+})
+
+_NETWORK_COPYLEFT = frozenset({
+    "AGPL-3.0",
+})
+
+_ALL_KNOWN = _PERMISSIVE | _WEAK_COPYLEFT | _STRONG_COPYLEFT | _NETWORK_COPYLEFT
+
+
+def _dep_health_enabled() -> bool:
+    env_val = os.environ.get("OMG_DEP_HEALTH_ENABLED", "").lower()
+    if env_val in ("1", "true", "yes"):
+        return True
+    if env_val in ("0", "false", "no"):
+        return False
+    try:
+        import sys
+        sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))))
+        from hooks._common import get_feature_flag
+        return get_feature_flag("DEP_HEALTH", default=False)
+    except Exception:
+        return False
+
+
+def _license_tier(license_id: str) -> int:
+    """Return restrictiveness tier: 0=permissive, 1=weak, 2=strong, 3=network."""
+    if license_id in _PERMISSIVE:
+        return 0
+    if license_id in _WEAK_COPYLEFT:
+        return 1
+    if license_id in _STRONG_COPYLEFT:
+        return 2
+    if license_id in _NETWORK_COPYLEFT:
+        return 3
+    return -1  # unknown
+
+
+def check_license_compatibility(
+    project_license: str,
+    dependencies: list[dict[str, Any]],
+) -> dict[str, list[dict[str, str]]]:
+    """Check license compatibility between project and its dependencies.
+
+    Args:
+        project_license: SPDX identifier for the project license (e.g. "MIT").
+        dependencies: List of dicts with "name" and "license" keys.
+            License may be None or "UNKNOWN".
+
+    Returns:
+        Dict with three lists:
+            compatible: [{"pkg": str, "license": str}]
+            incompatible: [{"pkg": str, "license": str, "reason": str}]
+            unknown: [{"pkg": str}]
+    """
+    if not _dep_health_enabled():
+        return {"compatible": [], "incompatible": [], "unknown": []}
+    
+    compatible: list[dict[str, str]] = []
+    incompatible: list[dict[str, str]] = []
+    unknown: list[dict[str, str]] = []
+
+    project_tier = _license_tier(project_license)
+
+    for dep in dependencies:
+        name = dep.get("name", "")
+        dep_license = dep.get("license")
+
+        # Unknown / missing license
+        if not dep_license or dep_license == "UNKNOWN":
+            unknown.append({"pkg": name})
+            continue
+
+        dep_tier = _license_tier(dep_license)
+
+        # Unrecognized license string
+        if dep_tier == -1:
+            unknown.append({"pkg": name})
+            continue
+
+        # AGPL dep in non-AGPL project is always incompatible
+        if dep_tier == 3 and project_tier != 3:
+            incompatible.append({
+                "pkg": name,
+                "license": dep_license,
+                "reason": (
+                    f"AGPL-3.0 dependency in {project_license} project: "
+                    f"network copyleft requires entire project to be AGPL-3.0"
+                ),
+            })
+            continue
+
+        # Strong copyleft dep in permissive/weak-copyleft project
+        if dep_tier == 2 and project_tier < 2:
+            incompatible.append({
+                "pkg": name,
+                "license": dep_license,
+                "reason": (
+                    f"{dep_license} dependency in {project_license} project: "
+                    f"copyleft contamination requires project to adopt {dep_license}"
+                ),
+            })
+            continue
+
+        # Everything else: permissive deps are always OK,
+        # weak copyleft in permissive is OK (dynamic linking),
+        # same-tier or higher-tier project can use lower-tier deps
+        compatible.append({"pkg": name, "license": dep_license})
+
+    return {
+        "compatible": compatible,
+        "incompatible": incompatible,
+        "unknown": unknown,
+    }