@trac3er/oh-my-god 2.0.0 → 2.0.2

package/commands/OMG:create-agent.md

@@ -1,33 +1,183 @@
 ---
-description: "Create a new OMG markdown agent definition that matches the Bun runtime conventions."
-allowed-tools: Read, Write, Edit, Grep, Glob
-argument-hint: "<agent-name>"
+description: "Wizard command for creating new custom agents in ~/.omg/agents/ or .omg/agents/."
+allowed-tools: Read, Write, Edit, Bash
+argument-hint: "[agent-name]"
 ---
 
-# /OMG:create-agent
+# /OMG:create-agent — Custom Agent Creation Wizard
 
-Create a new markdown agent under `agents/` with:
+Create a custom agent for your project or user-level configuration.
 
-- a clear role
-- scope boundaries
-- inputs and outputs
-- success criteria
-- any required `.omg/` artifacts
+## Prerequisites
 
-## Template
+Enable the custom agents feature:
 
-```md
-# <agent-name>
+```bash
+export OMG_CUSTOM_AGENTS_ENABLED=1
+```
+
+Or add to your project's `settings.json`:
+
+```json
+{
+  "_omg": {
+    "features": {
+      "CUSTOM_AGENTS": true
+    }
+  }
+}
+```
+
+## Agent Locations
+
+- **User-level**: `~/.omg/agents/<name>.md` — available in all projects
+- **Project-level**: `.omg/agents/<name>.md` — available in this project only
+
+Project-level agents override user-level agents with the same name.
+
+## Quick Start
+
+1. Create the agents directory:
+
+```bash
+# For project-level agents:
+mkdir -p .omg/agents
+
+# For user-level agents:
+mkdir -p ~/.omg/agents
+```
+
+2. Create your agent file (e.g., `.omg/agents/my-agent.md`):
+
+```markdown
+---
+name: my-agent
+description: Brief description of what this agent does
+model: claude-sonnet-4-5
+tools: Read, Grep, Glob, Edit, Write
+bundled: false
+---
+
+# Agent: My Agent
 
 ## Role
-- One sentence describing what the agent owns.
 
-## Inputs
-- Required files, context, or commands.
+Describe the agent's primary role and responsibilities here.
+This should be a clear, concise statement of what the agent does.
+
+## Model
+
+`default` (claude-sonnet-4-5) — general-purpose model for this agent.
+
+Available roles: `smol` (haiku, fast), `default` (sonnet), `slow` (opus, deep reasoning).
+
+## Capabilities
+
+- List specific capabilities here
+- What tools does this agent use?
+- What domains does it specialize in?
+
+## Instructions
+
+Detailed behavioral instructions for the agent.
+
+**Core rules:**
+- Rule 1
+- Rule 2
+- Rule 3
+
+**Strategy:**
+1. Step 1
+2. Step 2
+3. Step 3
+
+## Example Prompts
+
+- "Example prompt 1"
+- "Example prompt 2"
+- "Example prompt 3"
+```
+
+## Required Sections
+
+Your agent **must** include these sections to pass validation:
+
+| Section | Required | Description |
+|---------|----------|-------------|
+| `# Agent: <name>` | ✅ Yes | Agent header with name |
+| `## Role` | ✅ Yes | Primary role description |
+| `## Model` | Optional | Model preference (smol/default/slow) |
+| `## Capabilities` | Optional | List of capabilities |
+| `## Instructions` | Optional | Behavioral instructions |
+
+## Validation
+
+Custom agents are validated on load. Invalid agents (missing required sections) are skipped with warnings.
+
+To verify your agent is valid:
+
+```bash
+export OMG_CUSTOM_AGENTS_ENABLED=1
+python3 -c "
+from runtime.custom_agent_loader import load_custom_agents
+agents = load_custom_agents('.')
+for a in agents:
+    status = '✅' if a['validated'] else '❌'
+    print(f\"{status} {a['name']} ({a['level']}) — {a['description'][:60]}\")
+    if a.get('issues'):
+        for issue in a['issues']:
+            print(f\"   ⚠️  {issue}\")
+"
+```
+
+## Examples
+
+### Minimal Valid Agent
+
+```markdown
+# Agent: Greeter
+
+## Role
+
+Simple greeting agent that welcomes users.
+```
+
+### Full Agent with All Sections
+
+See the template in Quick Start above.
+
+### Specialized Domain Agent
+
+```markdown
+# Agent: Data Pipeline
+
+## Role
+
+ETL pipeline specialist. Designs and optimizes data transformation workflows.
+
+## Model
+
+`slow` (claude-opus-4-5) — deep reasoning for complex pipeline design.
+
+## Capabilities
+
+- Design ETL pipelines with error handling and retry logic
+- Optimize SQL queries for large datasets
+- Schema migration planning
+- Data quality validation rules
+
+## Instructions
+
+You are a data engineering specialist.
 
-## Outputs
-- Expected edits, reports, or evidence artifacts.
+**Core rules:**
+- Always consider idempotency in pipeline design
+- Prefer incremental processing over full reloads
+- Include monitoring and alerting in every pipeline
 
-## Guardrails
-- Things the agent must not change or assume.
+**Strategy:**
+1. Understand the data sources and sinks
+2. Design the transformation logic
+3. Add error handling and retry mechanisms
+4. Plan for monitoring and observability
 ```

package/commands/OMG:deps.md

@@ -1,30 +1,248 @@
 ---
 description: "Scan project dependencies for CVEs, license issues, and outdated packages."
-allowed-tools: Read, Bash(bun:*), Grep
+allowed-tools: Read, Bash(python*:*), Grep
 argument-hint: "[cves|licenses|outdated]"
 ---
 
-# /OMG:deps
+# /OMG:deps — Dependency Health
 
-Run a dependency-health pass against the manifests that still exist in the Bun-era repo.
+Scan project dependencies for CVEs, license compatibility issues, and outdated packages.
 
-## Suggested checks
+## Usage
 
-- `package.json` and `bun.lock`
-- `Cargo.toml` in `crates/`
-- any additional manifest files still committed in the workspace
+```
+/OMG:deps
+/OMG:deps cves
+/OMG:deps licenses
+/OMG:deps outdated
+```
+
+## Sub-Commands
+
+### `/OMG:deps` (default)
+
+Full dependency health report combining CVE scan, license check, and outdated package detection.
+
+Detects manifest files (package.json, requirements.txt, Cargo.toml, go.mod, Gemfile, pyproject.toml), then runs all three checks and prints a unified summary.
+
+```python
+from plugins.dephealth.manifest_detector import detect_manifests
+from plugins.dephealth.cve_scanner import scan_for_cves
+from plugins.dephealth.license_checker import check_license_compatibility
+from plugins.dephealth.vuln_analyzer import analyze_reachability
+
+deps = detect_manifests(".")
+dep_dicts = [{"name": p.name, "version": p.version, "ecosystem": p.ecosystem} for p in deps.packages]
+
+# CVE scan
+cve_result = scan_for_cves(dep_dicts, ".")
+reachability = analyze_reachability(cve_result, ".")
+
+# License check
+license_result = check_license_compatibility(dep_dicts, ".")
+
+# Summary
+print(f"Manifests:     {len(deps.manifests)} detected")
+print(f"Packages:      {len(deps.packages)} total")
+print(f"CVEs found:    {cve_result.get('total_vulns', 0)}")
+print(f"  Critical:    {cve_result.get('by_severity', {}).get('CRITICAL', 0)}")
+print(f"  High:        {cve_result.get('by_severity', {}).get('HIGH', 0)}")
+print(f"Reachable:     {sum(1 for v in reachability.get('results', []) if v.get('reachability') == 'direct')}")
+print(f"License issues: {license_result.get('issue_count', 0)}")
+```
+
+### `/OMG:deps cves`
+
+CVE scan results only. Queries the OSV batch API for known vulnerabilities in project dependencies.
+
+Results include severity classification (CRITICAL/HIGH/MODERATE/LOW) and reachability analysis showing whether vulnerable code paths are actually imported.
+
+```python
+from plugins.dephealth.manifest_detector import detect_manifests
+from plugins.dephealth.cve_scanner import scan_for_cves
+from plugins.dephealth.vuln_analyzer import analyze_reachability
+
+deps = detect_manifests(".")
+dep_dicts = [{"name": p.name, "version": p.version, "ecosystem": p.ecosystem} for p in deps.packages]
+
+cve_result = scan_for_cves(dep_dicts, ".")
+reachability = analyze_reachability(cve_result, ".")
+
+print(f"Packages scanned: {len(dep_dicts)}")
+print(f"Vulnerabilities:  {cve_result.get('total_vulns', 0)}")
+print()
+
+for vuln in cve_result.get("vulnerabilities", []):
+    reach = next((r for r in reachability.get("results", []) if r.get("cve_id") == vuln.get("id")), {})
+    reach_label = reach.get("reachability", "unknown")
+    risk = reach.get("risk", "unknown")
+    print(f"  [{vuln.get('severity', 'UNKNOWN')}] {vuln.get('id')}")
+    print(f"    Package:      {vuln.get('package')}")
+    print(f"    Fixed in:     {vuln.get('fixed_version', 'N/A')}")
+    print(f"    Reachability: {reach_label}")
+    print(f"    Risk:         {risk}")
+    if reach.get("recommendation"):
+        print(f"    Action:       {reach['recommendation']}")
+    print()
+```
+
+### `/OMG:deps licenses`
+
+License compatibility report only. Checks each dependency's license against a tiered compatibility model.
+
+Tiers: permissive (MIT, Apache-2.0, BSD) > weak-copyleft (LGPL, MPL) > copyleft (GPL, AGPL). Flags packages with copyleft or unknown licenses.
+
+```python
+from plugins.dephealth.manifest_detector import detect_manifests
+from plugins.dephealth.license_checker import check_license_compatibility
+
+deps = detect_manifests(".")
+dep_dicts = [{"name": p.name, "version": p.version, "ecosystem": p.ecosystem} for p in deps.packages]
+
+result = check_license_compatibility(dep_dicts, ".")
+
+print(f"Packages checked: {len(dep_dicts)}")
+print(f"License issues:   {result.get('issue_count', 0)}")
+print()
+
+for pkg in result.get("packages", []):
+    tier = pkg.get("tier", "unknown")
+    marker = "!!" if tier in ("copyleft", "unknown") else "  "
+    print(f"  {marker} {pkg.get('name')}: {pkg.get('license', 'UNKNOWN')} ({tier})")
+
+if result.get("issues"):
+    print()
+    print("Issues:")
+    for issue in result["issues"]:
+        print(f"  - {issue}")
+```
+
+### `/OMG:deps outdated`
 
-## Example flow
+List packages with newer versions available. Compares locked versions against latest published versions.
 
-```bash
-bun scripts/omg.ts providers status
-bun run typecheck
-bun test
+```python
+from plugins.dephealth.manifest_detector import detect_manifests
+
+deps = detect_manifests(".")
+
+print(f"Manifests: {len(deps.manifests)}")
+print(f"Packages:  {len(deps.packages)}")
+print()
+
+print(f"{'Package':<40} {'Current':>12} {'Ecosystem':<12}")
+print("-" * 66)
+for pkg in deps.packages:
+    version = pkg.version or "unpinned"
+    print(f"  {pkg.name:<38} {version:>12} {pkg.ecosystem:<12}")
+
+print()
+print("Note: Outdated detection requires network access to registry APIs.")
+print("Packages listed above are from detected manifests.")
+```
+
+## Feature Flag
+
+- **Flag name**: `OMG_DEP_HEALTH_ENABLED`
+- **Default**: `False` (disabled)
+- **Enable**: `export OMG_DEP_HEALTH_ENABLED=1`
+
+Or set in `settings.json`:
+
+```json
+{
+  "_omg": {
+    "features": {
+      "DEP_HEALTH": true
+    }
+  }
+}
+```
+
+## Output Example
+
+```
+============================================================
+  OMG Dependency Health Report
+============================================================
+
+  Manifests:      3 detected
+    - package.json (npm)
+    - requirements.txt (pip)
+    - pyproject.toml (pip)
+
+  Packages:       87 total
+
+  CVEs found:     4
+    Critical:     1
+    High:         2
+    Moderate:     1
+    Low:          0
+
+  Reachable:      2 of 4 (direct import detected)
+
+  License issues: 1
+    !! node-ipc: UNKNOWN (unknown)
+
+============================================================
+
+  [CRITICAL] GHSA-xxxx-yyyy-zzzz
+    Package:      lodash@4.17.20
+    Fixed in:     4.17.21
+    Reachability: direct
+    Risk:         high
+    Action:       Upgrade lodash to >=4.17.21
+
+  [HIGH] GHSA-aaaa-bbbb-cccc
+    Package:      requests@2.25.0
+    Fixed in:     2.31.0
+    Reachability: transitive
+    Risk:         medium
+    Action:       Upgrade requests to >=2.31.0
+
+============================================================
 ```
 
-When reporting dependency health, include:
+## Supported Manifests
+
+| Manifest | Ecosystem | Parser |
+|----------|-----------|--------|
+| `package.json` | npm | JSON dependencies + devDependencies |
+| `requirements.txt` | pip | PEP 508 lines |
+| `pyproject.toml` | pip | `[project.dependencies]` + `[tool.poetry.dependencies]` |
+| `Cargo.toml` | crates.io | `[dependencies]` + `[dev-dependencies]` |
+| `go.mod` | Go | `require` directives |
+| `Gemfile` | RubyGems | `gem` declarations |
+
+## Safety
 
-- manifest files inspected
-- known vulnerable or high-risk packages
-- license compatibility concerns
-- stale packages worth updating before release
+- **Read-only**: All sub-commands only read manifest files and query external APIs
+- **Feature-gated**: Requires `DEP_HEALTH` flag enabled
+- **No mutations**: Never modifies dependency files, lock files, or project code
+- **Crash-isolated**: All operations exit 0 on failure (graceful error handling)
+- **Cache**: CVE scan results cached to `.omg/state/dephealth/cve-cache.json` (1-hour TTL)
+- **Network**: `/deps cves` requires internet access for OSV API queries
+
+## API
+
+```python
+from plugins.dephealth.manifest_detector import detect_manifests, DependencyList
+from plugins.dephealth.cve_scanner import scan_for_cves
+from plugins.dephealth.license_checker import check_license_compatibility
+from plugins.dephealth.vuln_analyzer import analyze_reachability
+
+# Detect all manifest files and parse dependencies
+deps: DependencyList = detect_manifests(".")
+
+# Convert to dicts for scanner/checker APIs
+dep_dicts = [{"name": p.name, "version": p.version, "ecosystem": p.ecosystem} for p in deps.packages]
+
+# CVE scan via OSV batch API
+cve_result = scan_for_cves(dep_dicts, ".")
+
+# Reachability analysis (import tracing)
+reachability = analyze_reachability(cve_result, ".")
+
+# License compatibility check
+license_result = check_license_compatibility(dep_dicts, ".")
+```

package/commands/OMG:domain-init.md

@@ -1,6 +1,6 @@
 ---
 description: "Alias for /OMG:init [domain-name]. Use /OMG:init instead."
-allowed-tools: Read, Write, Edit, MultiEdit, Bash(mkdir:*), Bash(cat:*), Bash(find:*), Bash(ls:*), Bash(head:*), Bash(grep:*), Bash(tree:*), Bash(bun:*), Bash(tee:*), Grep, Glob
+allowed-tools: Read, Write, Edit, MultiEdit, Bash(mkdir:*), Bash(cat:*), Bash(find:*), Bash(ls:*), Bash(head:*), Bash(grep:*), Bash(tree:*), Bash(node:*), Bash(python*:*), Bash(tee:*), Grep, Glob
 argument-hint: "[domain name, e.g. 'payment' or 'user-profile']"
 ---
 

package/commands/OMG:escalate.md

@@ -1,23 +1,52 @@
 ---
-description: OMG routing escalation in standalone Bun runtime.
-allowed-tools: Read, Grep, Glob, Bash(git:*), Bash(rg:*), Bash(find:*), Bash(cat:*), Bash(bun:*)
-argument-hint: "[codex|gemini|ccg|auto] 'problem statement'"
+description: Auto-route to Codex or Gemini using OMG standalone internal router.
+allowed-tools: Read, Grep, Glob, Bash(git:*), Bash(rg:*), Bash(find:*), Bash(cat:*), Bash(python3:*)
+argument-hint: "[codex|gemini|ccg|auto] 'task description' or just 'problem'"
 ---
 
-# /OMG:escalate
+# /OMG:escalate — Standalone Smart Escalation
 
-Use the portable runtime installed by `OMG-setup.sh`.
+## Auto-Routing
+If no model specified:
+- backend/security/debug/performance → `codex`
+- ui/ux/layout/responsive → `gemini`
+- full-stack/architecture/review-all → `ccg`
+
+## Context package
+Build from OMG canonical state:
+- `.omg/state/profile.yaml`
+- `.omg/state/ledger/failure-tracker.json`
+- relevant files (`git diff --name-only`)
+
+## Runtime entrypoint
+Use the portable runtime installed by `OMG-setup.sh` (`~/.claude/omg-runtime/scripts/omg.py`).
 
 ```bash
-OMG_CLI="${OMG_CLI_PATH:-$HOME/.claude/omg-runtime/scripts/omg.ts}"
-if [ ! -f "$OMG_CLI" ] && [ -f "scripts/omg.ts" ]; then OMG_CLI="scripts/omg.ts"; fi
+OMG_CLI="${OMG_CLI_PATH:-$HOME/.claude/omg-runtime/scripts/omg.py}"
+if [ ! -f "$OMG_CLI" ] && [ -f "scripts/omg.py" ]; then OMG_CLI="scripts/omg.py"; fi
 ```
 
-Examples:
+## Execute
+```bash
+python3 "$OMG_CLI" teams --target auto --problem "[problem]"
+```
 
+Explicit target:
 ```bash
-bun "$OMG_CLI" teams --target auto --problem "[problem]"
-bun "$OMG_CLI" teams --target codex --problem "[problem]"
-bun "$OMG_CLI" teams --target gemini --problem "[problem]"
-bun "$OMG_CLI" ccg --problem "[problem]"
+python3 "$OMG_CLI" teams --target codex --problem "[problem]"
+python3 "$OMG_CLI" teams --target gemini --problem "[problem]"
+python3 "$OMG_CLI" ccg --problem "[problem]"
 ```
+
+## Output
+Returns `TeamDispatchResult` with:
+- findings
+- action plan
+- evidence metadata
+
+Evidence now includes provider health details (`cli_health`) with:
+- binary availability
+- auth readiness (`auth status` probe)
+- `live_connection` boolean per provider
+
+No external legacy plugin is required.

package/commands/OMG:health-check.md

@@ -1,21 +1,45 @@
 ---
-description: "Run Bun-era repository health checks."
-allowed-tools: Bash(ls:*), Bash(cat:*), Bash(find:*), Bash(grep:*), Bash(git:*), Bash(which:*), Bash(head:*), Bash(wc:*), Bash(stat:*), Bash(bun:*), Read, Grep, Glob
-argument-hint: "[quick|full]"
+description: Verify project setup, context health, and tool integration
+allowed-tools: Bash(ls:*), Bash(cat:*), Bash(find:*), Bash(grep:*), Bash(git:*), Bash(which:*), Bash(head:*), Bash(wc:*), Bash(stat:*), Bash(npm run:*), Bash(npx:*), Bash(pnpm run:*), Bash(yarn run:*), Bash(pytest:*), Bash(python3:*), Read, Grep, Glob
 ---
 
 # /OMG:health-check
 
-Run the standard Bun verification stack for OMG:
+Run all checks silently, report only issues:
 
-```bash
-bun run typecheck
-bun test
-bun scripts/check-runtime-clean.ts
-```
+1. **Profile**: .omg/state/profile.yaml exists and has required fields (name, language, framework)?
+   - FAIL if missing. WARN if key fields empty.
+
+2. **Knowledge**: .omg/knowledge/ has content? Any decision files older than 30 days?
+   - WARN if empty. WARN if stale files (suggest review).
+
+3. **Quality Gate**: .omg/state/quality-gate.json exists and configured commands are runnable?
+   - Check each command with `which` or `--version` where possible.
+   - If execution is restricted, report WARN (not FAIL) with "cannot verify — restricted permissions".
+   - If command found but fails: report FAIL with exit code.
+
+4. **Secrets**: No .env committed to git? No API keys in tracked files?
+   - `git ls-files | grep -i '\.env'` (exclude .env.example/.sample/.template).
+   - FAIL if real .env files tracked.
+
+5. **Tools**: Hooks installed? OMG team aliases available? MCP servers listed?
+   - Check ~/.claude/hooks/.omg-version exists.
+   - Check if `~/.claude/commands/OMG:teams.md` and `OMG:ccg.md` exist (WARN if missing, not FAIL).
+   - List MCP servers from .mcp.json (informational).
 
-Quick review points:
+6. **Failures**: Stale failure patterns in failure-tracker.json?
+   - WARN if any pattern older than 24h. Suggest `/OMG:handoff` or manual reset.
 
-- installed Bun version matches the repo requirement
-- hook and runtime entrypoints in `settings.json` point at `.ts` files
-- no retired runtime files remain under `hooks/`, `runtime/`, `scripts/`, `tools/`, `control_plane/`, or `omg_natives/`
+7. **Context Size**: Estimate total injection from session-start + prompt-enhancer.
+   - Sum: profile.yaml lines + working-memory.md lines + handoff.md lines.
+   - WARN if >80 lines total.
+
+**Report format:**
+```
+PASS [N] | WARN [N] | FAIL [N]
+
+  FAIL profile: .omg/state/profile.yaml not found → run /OMG:init
+  WARN quality: prettier not found → install or remove from quality-gate.json
+  PASS secrets: no .env files tracked
+  ...
+```