@trac3er/oh-my-god 2.0.0 → 2.0.2

package/hooks/trust_review.ts

@@ -1,175 +0,0 @@
-import { createHash } from "node:crypto";
-import { join } from "node:path";
-import { ensureDir, writeJsonFile } from "./_common.ts";
-
-type RecordShape = Record<string, unknown>;
-
-function safeRecord(value: unknown): RecordShape {
-  return value && typeof value === "object" && !Array.isArray(value) ? (value as RecordShape) : {};
-}
-
-function safeList(value: unknown): unknown[] {
-  return Array.isArray(value) ? value : [];
-}
-
-function collectMcpChanges(oldCfg: RecordShape, newCfg: RecordShape) {
-  const oldServers = safeRecord(oldCfg.mcpServers);
-  const newServers = safeRecord(newCfg.mcpServers);
-  const names = new Set([...Object.keys(oldServers), ...Object.keys(newServers)]);
-  const changes: RecordShape[] = [];
-  for (const name of [...names].sort()) {
-    const before = oldServers[name];
-    const after = newServers[name];
-    if (before === undefined) {
-      changes.push({ type: "added", server: name, new: after });
-    } else if (after === undefined) {
-      changes.push({ type: "removed", server: name, old: before });
-    } else if (JSON.stringify(before) !== JSON.stringify(after)) {
-      changes.push({ type: "modified", server: name, old: before, new: after });
-    }
-  }
-  return changes;
-}
-
-function countHooks(cfg: RecordShape): number {
-  const hooks = safeRecord(cfg.hooks);
-  let total = 0;
-  for (const entries of Object.values(hooks)) {
-    for (const entry of safeList(entries)) {
-      if (entry && typeof entry === "object" && !Array.isArray(entry)) {
-        const nested = safeList((entry as RecordShape).hooks);
-        total += nested.length || 1;
-      } else {
-        total += 1;
-      }
-    }
-  }
-  return total;
-}
-
-function collectHookChanges(oldCfg: RecordShape, newCfg: RecordShape) {
-  const oldHooks = safeRecord(oldCfg.hooks);
-  const newHooks = safeRecord(newCfg.hooks);
-  const oldEvents = Object.keys(oldHooks);
-  const newEvents = Object.keys(newHooks);
-  return {
-    old_hook_count: countHooks(oldCfg),
-    new_hook_count: countHooks(newCfg),
-    removed_events: oldEvents.filter((event) => !newEvents.includes(event)).sort(),
-    added_events: newEvents.filter((event) => !oldEvents.includes(event)).sort(),
-    modified_events: oldEvents
-      .filter((event) => newEvents.includes(event) && JSON.stringify(oldHooks[event]) !== JSON.stringify(newHooks[event]))
-      .sort()
-  };
-}
-
-function collectEnvChanges(oldCfg: RecordShape, newCfg: RecordShape) {
-  const oldEnv = safeRecord(oldCfg.env);
-  const newEnv = safeRecord(newCfg.env);
-  const keys = new Set([...Object.keys(oldEnv), ...Object.keys(newEnv)]);
-  return [...keys]
-    .sort()
-    .flatMap((key) =>
-      JSON.stringify(oldEnv[key]) === JSON.stringify(newEnv[key]) ? [] : [{ key, old: oldEnv[key], new: newEnv[key] }]
-    );
-}
-
-function scoreToVerdict(score: number) {
-  if (score >= 80) {
-    return { verdict: "deny", risk_level: "critical" };
-  }
-  if (score >= 45) {
-    return { verdict: "ask", risk_level: "high" };
-  }
-  if (score >= 20) {
-    return { verdict: "ask", risk_level: "med" };
-  }
-  return { verdict: "allow", risk_level: "low" };
-}
-
-export function reviewConfigChange(filePath: string, oldConfig: RecordShape = {}, newConfig: RecordShape = {}) {
-  const reasons: string[] = [];
-  const controls: string[] = [];
-  let risk_score = 0;
-
-  const oldAllow = new Set(safeList(safeRecord(oldConfig.permissions).allow).map(String));
-  const newAllow = new Set(safeList(safeRecord(newConfig.permissions).allow).map(String));
-  for (const pattern of ["Bash(rm:*)", "Bash(sudo:*)", "Bash(curl:*)", "Bash(wget:*)", "Bash(ssh:*)"]) {
-    if (!oldAllow.has(pattern) && newAllow.has(pattern)) {
-      risk_score += 80;
-      reasons.push(`Dangerous allow pattern added: ${pattern}`);
-      controls.push("manual-trust-review", "deny-by-default");
-    }
-  }
-
-  const mcp_changes = collectMcpChanges(oldConfig, newConfig);
-  for (const change of mcp_changes) {
-    if (change.type === "added") {
-      risk_score += 30;
-      reasons.push(`New MCP server added: ${change.server}`);
-      controls.push("mcp-endpoint-review");
-    } else if (change.type === "modified") {
-      risk_score += 35;
-      reasons.push(`MCP server modified: ${change.server}`);
-      controls.push("mcp-diff-review");
-    }
-  }
-
-  const hook_changes = collectHookChanges(oldConfig, newConfig);
-  if (hook_changes.new_hook_count < Math.max(1, hook_changes.old_hook_count - 2)) {
-    risk_score += 35;
-    reasons.push(`Hook count reduced significantly (${hook_changes.old_hook_count} -> ${hook_changes.new_hook_count})`);
-    controls.push("require-hook-audit");
-  }
-  if (hook_changes.removed_events.length > 0) {
-    risk_score += 25;
-    reasons.push(`Hook events removed: ${hook_changes.removed_events.join(", ")}`);
-    controls.push("event-removal-review");
-  }
-  if (hook_changes.modified_events.length > 0) {
-    risk_score += 20;
-    reasons.push(`Hook definitions modified: ${hook_changes.modified_events.join(", ")}`);
-    controls.push("hook-diff-review");
-  }
-
-  const env_changes = collectEnvChanges(oldConfig, newConfig);
-  for (const change of env_changes) {
-    if (String(change.key).match(/key|token|secret|password|credential/i)) {
-      risk_score += 20;
-      reasons.push(`Sensitive environment key modified: ${change.key}`);
-      controls.push("secret-env-review");
-    } else {
-      risk_score += 5;
-      reasons.push(`Environment key modified: ${change.key}`);
-    }
-  }
-
-  return {
-    ts: new Date().toISOString(),
-    changed_files: filePath ? [filePath] : [],
-    mcp_changes,
-    hook_changes,
-    env_changes,
-    risk_score,
-    ...scoreToVerdict(risk_score),
-    reasons,
-    controls: [...new Set(controls)].sort()
-  };
-}
-
-export function writeTrustManifest(projectDir: string, review: RecordShape): string {
-  const trustDir = join(projectDir, ".omg", "trust");
-  ensureDir(trustDir);
-  const manifestPath = join(trustDir, "manifest.lock.json");
-  const payload: RecordShape = {
-    version: "omg-v2-bun",
-    updated_at: new Date().toISOString(),
-    last_review: review
-  };
-  const digest = createHash("sha256")
-    .update(JSON.stringify(payload, Object.keys(payload).sort()))
-    .digest("hex");
-  payload.signature = digest;
-  writeJsonFile(manifestPath, payload);
-  return manifestPath;
-}

package/lab/pipeline.ts

@@ -1,75 +0,0 @@
-import { nowIso } from "../runtime/common.ts";
-import { validateJobRequest } from "./policies.ts";
-
-export function runPipeline(job: Record<string, unknown>) {
-  const validation = validateJobRequest(job);
-  if (!validation.ok) {
-    return {
-      status: "blocked",
-      stage: "policy",
-      reason: validation.reason,
-      published: false,
-      evaluation_report: null
-    };
-  }
-
-  const targetMetric = Number(job.target_metric ?? 0.8);
-  const simulatedMetric = Number(job.simulated_metric ?? targetMetric);
-  const passed = simulatedMetric >= targetMetric;
-
-  const stages = [
-    { name: "data_prepare", status: "ok" },
-    { name: "synthetic_refine", status: "ok" },
-    { name: "train_distill", status: "ok" },
-    { name: "evaluate", status: passed ? "ok" : "fail" },
-    { name: "regression_test", status: passed ? "ok" : "fail" }
-  ];
-
-  const evaluation_report = {
-    created_at: nowIso(),
-    metric: simulatedMetric,
-    target_metric: targetMetric,
-    passed,
-    notes: String(job.evaluation_notes || "")
-  };
-
-  if (!passed) {
-    return {
-      status: "failed_evaluation",
-      stage: "evaluate",
-      stages,
-      published: false,
-      evaluation_report
-    };
-  }
-
-  return {
-    status: "ready",
-    stage: "complete",
-    stages,
-    published: false,
-    evaluation_report
-  };
-}
-
-export function publishArtifact(result: Record<string, unknown>) {
-  const report =
-    result.evaluation_report && typeof result.evaluation_report === "object" && !Array.isArray(result.evaluation_report)
-      ? (result.evaluation_report as Record<string, unknown>)
-      : null;
-
-  if (!report || report.passed !== true) {
-    return {
-      status: "blocked",
-      reason: "evaluation report missing or not passed",
-      published: false
-    };
-  }
-
-  return {
-    ...result,
-    status: "published",
-    published: true,
-    published_at: nowIso()
-  };
-}

package/lab/policies.ts

@@ -1,68 +0,0 @@
-type ValidationResult = {
-  ok: boolean;
-  reason: string;
-};
-
-const ALLOWED_LICENSES = new Set(["apache-2.0", "mit", "bsd-3-clause", "cc-by-4.0"]);
-const BLOCKED_SOURCE_TOKENS = ["unknown", "leaked", "stolen", "unauthorized", "pirated"];
-
-function fail(reason: string): ValidationResult {
-  return { ok: false, reason };
-}
-
-function pass(): ValidationResult {
-  return { ok: true, reason: "ok" };
-}
-
-export function validateDatasetSource(dataset: Record<string, unknown>): ValidationResult {
-  const license = String(dataset.license || "").toLowerCase();
-  const source = String(dataset.source || "").toLowerCase();
-
-  if (!license) {
-    return fail("dataset license missing");
-  }
-  if (!ALLOWED_LICENSES.has(license)) {
-    return fail(`dataset license not allowed: ${license}`);
-  }
-  if (BLOCKED_SOURCE_TOKENS.some((token) => source.includes(token))) {
-    return fail("dataset source violates policy");
-  }
-  return pass();
-}
-
-export function validateModelSource(model: Record<string, unknown>): ValidationResult {
-  const source = String(model.source || "").toLowerCase();
-  const allowDistill = Boolean(model.allow_distill);
-
-  if (BLOCKED_SOURCE_TOKENS.some((token) => source.includes(token))) {
-    return fail("model source violates policy");
-  }
-  if (!allowDistill) {
-    return fail("model source disallows distillation");
-  }
-  return pass();
-}
-
-export function validateJobRequest(job: Record<string, unknown>): ValidationResult {
-  const dataset = job.dataset;
-  const baseModel = job.base_model;
-
-  if (!dataset || typeof dataset !== "object" || Array.isArray(dataset)) {
-    return fail("dataset block missing");
-  }
-  if (!baseModel || typeof baseModel !== "object" || Array.isArray(baseModel)) {
-    return fail("base_model block missing");
-  }
-
-  const datasetResult = validateDatasetSource(dataset as Record<string, unknown>);
-  if (!datasetResult.ok) {
-    return datasetResult;
-  }
-
-  const modelResult = validateModelSource(baseModel as Record<string, unknown>);
-  if (!modelResult.ok) {
-    return modelResult;
-  }
-
-  return pass();
-}

package/runtime/common.ts

@@ -1,111 +0,0 @@
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
-import { dirname, resolve, relative } from "node:path";
-import { fileURLToPath } from "node:url";
-
-export const ROOT_DIR = resolve(dirname(fileURLToPath(import.meta.url)), "..");
-
-export function ensureDir(path: string): void {
-  mkdirSync(path, { recursive: true });
-}
-
-export function ensureParent(path: string): void {
-  ensureDir(dirname(path));
-}
-
-export function readJsonFile<T>(path: string, fallback: T): T {
-  try {
-    if (!existsSync(path)) {
-      return fallback;
-    }
-    const raw = readFileSync(path, "utf8");
-    return JSON.parse(raw) as T;
-  } catch {
-    return fallback;
-  }
-}
-
-export function writeJsonFile(path: string, value: unknown): void {
-  ensureParent(path);
-  writeFileSync(path, `${JSON.stringify(value, null, 2)}\n`, "utf8");
-}
-
-export function printJson(value: unknown): void {
-  process.stdout.write(`${JSON.stringify(value, null, 2)}\n`);
-}
-
-export function ensureProjectDir(): string {
-  return process.env.CLAUDE_PROJECT_DIR || process.cwd();
-}
-
-export function nowIso(): string {
-  return new Date().toISOString();
-}
-
-export function nowRunId(): string {
-  return nowIso().replace(/[-:.]/g, "").replace("T", "T").replace("Z", "Z");
-}
-
-export function relativeToProject(projectDir: string, path: string): string {
-  return relative(projectDir, path) || ".";
-}
-
-type IdeaShape = {
-  goal: string;
-  constraints: string[];
-  acceptance: string[];
-  risk: Record<string, string[]>;
-  evidence_required: Record<string, string[]>;
-};
-
-export function parseSimpleIdeaYaml(path: string): IdeaShape {
-  const idea: IdeaShape = {
-    goal: "",
-    constraints: [],
-    acceptance: [],
-    risk: { security: [], performance: [], compatibility: [] },
-    evidence_required: { tests: [], security_scans: [], reproducibility: [], artifacts: [] }
-  };
-
-  let section = "";
-  let subsection = "";
-  const raw = readFileSync(path, "utf8");
-  for (const line of raw.split(/\r?\n/)) {
-    const stripped = line.trim();
-    if (!stripped || stripped.startsWith("#")) {
-      continue;
-    }
-    if (stripped.startsWith("goal:")) {
-      idea.goal = stripped.slice(5).trim().replace(/^["']|["']$/g, "");
-      section = "";
-      subsection = "";
-      continue;
-    }
-    if (["constraints:", "acceptance:", "risk:", "evidence_required:"].includes(stripped)) {
-      section = stripped.slice(0, -1);
-      subsection = "";
-      continue;
-    }
-    if ((section === "risk" || section === "evidence_required") && stripped.endsWith(":") && !stripped.startsWith("- ")) {
-      subsection = stripped.slice(0, -1);
-      continue;
-    }
-    if (stripped.startsWith("- ")) {
-      const value = stripped.slice(2).trim().replace(/^["']|["']$/g, "");
-      if (section === "constraints" || section === "acceptance") {
-        (idea[section] as string[]).push(value);
-      } else if ((section === "risk" || section === "evidence_required") && subsection) {
-        idea[section][subsection] ??= [];
-        idea[section][subsection].push(value);
-      }
-    }
-  }
-  return idea;
-}
-
-export function unique<T>(items: T[]): T[] {
-  return [...new Set(items)];
-}
-
-export function normalizeWhitespace(value: string): string {
-  return value.trim().replace(/\s+/g, " ");
-}

package/runtime/compat.ts

@@ -1,174 +0,0 @@
-import { existsSync, readFileSync, writeFileSync } from "node:fs";
-import { dirname, join, resolve } from "node:path";
-import { ensureDir, ensureParent, nowIso, ROOT_DIR } from "./common.ts";
-import { dispatchTeam, executeCcgMode } from "./team_router.ts";
-
-export const DEFAULT_CONTRACT_SNAPSHOT_PATH = "runtime/omg_compat_contract_snapshot.json";
-export const DEFAULT_GAP_REPORT_PATH = ".omg/evidence/omg-compat-gap.json";
-
-type CompatContract = {
-  skill: string;
-  route: string;
-  maturity: string;
-  [key: string]: unknown;
-};
-
-function snapshotPath(): string {
-  return resolve(ROOT_DIR, DEFAULT_CONTRACT_SNAPSHOT_PATH);
-}
-
-function loadContracts(): CompatContract[] {
-  const raw = JSON.parse(readFileSync(snapshotPath(), "utf8")) as { contracts?: CompatContract[] };
-  return Array.isArray(raw.contracts) ? raw.contracts : [];
-}
-
-const CONTRACTS = loadContracts();
-const CONTRACT_MAP = new Map(CONTRACTS.map((contract) => [contract.skill.toLowerCase(), contract]));
-const ALIAS_MAP = new Map<string, string>([
-  ["team", "omg-teams"],
-  ["teams", "omg-teams"],
-  ["release", "release"],
-  ["ship", "release"],
-  ["plan", "plan"],
-  ["ccg", "ccg"]
-]);
-
-function normalizeSkill(skill: string): string {
-  const lowered = skill.trim().toLowerCase();
-  return ALIAS_MAP.get(lowered) || lowered;
-}
-
-export function listCompatSkills(): string[] {
-  return CONTRACTS.map((contract) => contract.skill).sort();
-}
-
-export function listCompatSkillContracts(): CompatContract[] {
-  return [...CONTRACTS].sort((left, right) => left.skill.localeCompare(right.skill));
-}
-
-export function getCompatSkillContract(skill: string): CompatContract | null {
-  return CONTRACT_MAP.get(normalizeSkill(skill)) || null;
-}
-
-export function buildContractSnapshotPayload(options: { includeGeneratedAt?: boolean } = {}) {
-  const payload: Record<string, unknown> = {
-    schema: "OmgCompatContractSnapshot",
-    contract_version: "2.0.0",
-    count: CONTRACTS.length,
-    contracts: listCompatSkillContracts()
-  };
-  if (options.includeGeneratedAt) {
-    payload.generated_at = nowIso();
-  }
-  return payload;
-}
-
-export function buildCompatGapReport(projectDir?: string) {
-  const maturity_counts: Record<string, number> = {};
-  for (const contract of CONTRACTS) {
-    const maturity = String(contract.maturity || "unknown");
-    maturity_counts[maturity] = (maturity_counts[maturity] || 0) + 1;
-  }
-  return {
-    schema: "OmgCompatGapReport",
-    generated_at: nowIso(),
-    project_dir: projectDir || "",
-    total_skills: CONTRACTS.length,
-    maturity_counts,
-    missing_routes: CONTRACTS.filter((contract) => !contract.route).map((contract) => contract.skill)
-  };
-}
-
-function writeArtifact(path: string, payload: unknown): string {
-  ensureParent(path);
-  writeFileSync(path, `${typeof payload === "string" ? payload : JSON.stringify(payload, null, 2)}\n`, "utf8");
-  return path;
-}
-
-export function dispatchCompatSkill(input: {
-  skill: string;
-  problem?: string;
-  context?: string;
-  files?: string[];
-  expected_outcome?: string;
-  project_dir?: string;
-}) {
-  const normalized = normalizeSkill(input.skill);
-  const contract = getCompatSkillContract(normalized);
-  if (!contract) {
-    return {
-      schema: "OmgCompatResult",
-      status: "error",
-      message: `Unknown skill: ${input.skill}`,
-      supported_skills: listCompatSkills()
-    };
-  }
-
-  const route = String(contract.route || "");
-  if (route === "teams") {
-    return {
-      schema: "OmgCompatResult",
-      status: "ok",
-      skill: normalized,
-      routed_to: "teams",
-      route,
-      result: dispatchTeam({
-        target: "auto",
-        problem: input.problem || `compat route for ${normalized}`,
-        context: input.context || "",
-        files: input.files || [],
-        expected_outcome: input.expected_outcome || ""
-      })
-    };
-  }
-
-  if (route === "ccg") {
-    return {
-      schema: "OmgCompatResult",
-      status: "ok",
-      skill: normalized,
-      routed_to: "ccg",
-      route,
-      result: executeCcgMode({
-        problem: input.problem || `compat route for ${normalized}`,
-        context: input.context || "",
-        files: input.files || []
-      })
-    };
-  }
-
-  if (route === "runtime_ship" || normalized === "release") {
-    const projectDir = input.project_dir || process.cwd();
-    const artifact = join(projectDir, ".omg", "evidence", "release-draft.md");
-    writeArtifact(
-      artifact,
-      `# OMG Release Draft\n\n- Skill: \`${normalized}\`\n- Problem: ${input.problem || "n/a"}\n- Generated: ${nowIso()}\n`
-    );
-    return {
-      schema: "OmgCompatResult",
-      status: "ok",
-      skill: normalized,
-      routed_to: "runtime_ship",
-      route,
-      artifacts: [artifact]
-    };
-  }
-
-  const projectDir = input.project_dir || process.cwd();
-  const artifact = join(projectDir, ".omg", "evidence", `compat-${normalized}.json`);
-  writeArtifact(artifact, {
-    schema: "OmgCompatArtifact",
-    generated_at: nowIso(),
-    skill: normalized,
-    route,
-    problem: input.problem || ""
-  });
-  return {
-    schema: "OmgCompatResult",
-    status: "ok",
-    skill: normalized,
-    routed_to: route || "native",
-    route,
-    artifacts: [artifact]
-  };
-}

package/runtime/dispatcher.ts

@@ -1,25 +0,0 @@
-export type RuntimeIdea = Record<string, unknown>;
-
-export function dispatchRuntime(runtime: string, idea: RuntimeIdea) {
-  const goal = typeof idea.goal === "string" ? idea.goal : "unspecified";
-  return {
-    status: "ok",
-    schema: "RuntimeDispatchResult",
-    runtime,
-    goal,
-    acceptance: Array.isArray(idea.acceptance) ? idea.acceptance : [],
-    verification: {
-      checks: [
-        {
-          name: "runtime-contract",
-          status: "unverified",
-          command: `omg runtime dispatch --runtime ${runtime}`
-        }
-      ]
-    },
-    plan: {
-      route: runtime,
-      summary: `Dispatch ${runtime} runtime for "${goal}".`
-    }
-  };
-}